标签: HTB

该网站是一个可以发布帖子的网站，同时可以上传图片，所以在源码中关注一下图片上传的地方有没有漏洞

观察源码我们可以发现，这里对每张上传的图片都用 convert 函数进行了处理

router.post(
    "/post",
    AuthRequired,
    fileUpload({
        limits: {
            fileSize: 2 * 1024 * 1024,
        },
    }),
    ValidationMiddleware("post", "/forum"),
    async function (req, res) {
        const { title, message, parentId, ...convertParams } = req.body;
        if (parentId) {
            const parentPost = await db.getPost(parentId);

            if (!parentPost) {
                req.flashError("That post doesn't seem to exist.");
                return res.redirect("/forum");
            }
        }

        let attachedImage = null;

        if (req.files && req.files.image) {
            const fileName = randomBytes(16).toString("hex");
            const filePath = path.join(__dirname, "..", "uploads", fileName);

            try {
                const processedImage = await convert({
                    ...convertParams,
                    srcData: req.files.image.data,
                    format: "AVIF",
                });

                await fs.writeFile(filePath, processedImage);

                attachedImage = `/uploads/${fileName}`;
            } catch (error) {
                req.flashError(
                    "There was an issue processing your image, please try again."
                );
                console.error("Error occured while processing image:", error);
                return res.redirect("/forum");
            }
        }

        const { lastID: postId } = await db.createPost(
            req.session.userId,
            parentId,
            title,
            message,
            attachedImage
        );

        if (parentId) {
            return res.redirect(`/forum/post/${parentId}#post-${postId}`);
        } else {
            return res.redirect(`/forum/post/${postId}`);
        }
    }
);

H@yn3$2024年11月8日...大约 3 分钟

The Needle Writeup

拿到一个 .bin 文件，使用 binwalk 解压此固件

使用 nc 连接给的机子，发现需要登录一个 shell 才能进入，所以我们需要在固件中寻找用户名和密码

使用 grep 命令查找 login 关键字

H@yn3$2024年11月8日...大约 1 分钟

Diagnostic Writeup

题目描述

Our SOC has identified numerous phishing emails coming in claiming to have a document about an upcoming round of layoffs in the company. The emails all contain a link to diagnostic.htb/layoffs.doc. The DNS for that domain has since stopped resolving, but the server is still hosting the malicious document (your docker). Take a look and figure out what's going on.

H@yn3$2024年11月7日...大约 2 分钟

Insomnia Writeup

点击页面中的所有按钮，发现整个网站只有登录和注册两个功能，所以我们在源码中关注这两个功能。

在源码中全局搜索 flag 后，在 ProfileController 中发现了读取 flag 的代码。

public function index() {
    $token = (string) $_COOKIE["token"] ?? null;
    $flag = file_get_contents(filename: APPPATH . "/../flag.txt");
    if (isset($token)) {
        $key = (string) getenv("JWT_SECRET");
        $jwt_decode = JWT::decode($token, new Key($key, "HS256"));
        $username = $jwt_decode->username;
        if ($username == "administrator") {
            return view("ProfilePage", [
                "username" => $username,
                "content" => $flag,
            ]);
        } else {
            $content = "Haven't seen you for a while";
            return view("ProfilePage", [
                "username" => $username,
                "content" => $content,
            ]);
        }
    }
}

H@yn3$2024年11月7日...大约 2 分钟

ApacheBlaze Writeup

点击页面的按钮后发现提示 This game is currently available only from dev.apacheblaze.local.

在源码中搜索这个域名，找到对应处理函数

@app.route('/', methods=['GET'])
def index():
    game = request.args.get('game')

    if not game:
        return jsonify({
            'error': 'Empty game name is not supported!.'
        }), 400

    elif game not in app.config['GAMES']:
        return jsonify({
            'error': 'Invalid game name!'
        }), 400

    elif game == 'click_topia':
        print(request.headers)
        if request.headers.get('X-Forwarded-Host') == 'dev.apacheblaze.local':
            return jsonify({
                'message': f'{app.config["FLAG"]}'
            }), 200
        else:
            return jsonify({
                'message': 'This game is currently available only from dev.apacheblaze.local.'
            }), 200

    else:
        return jsonify({
            'message': 'This game is currently unavailable due to internal maintenance.'
        }), 200

H@yn3$2024年11月6日...大约 3 分钟