H4cking to the Gate .

碰到一个xxl-job，版本是1.9.2，仅仅只暴露了9999端口，并且不出网 executor未授权我们可以从9999端口入手，com.xxl.job.core.rpc.netcom.jetty.server.JettyServerHandler是一个自己实现的jetty服务，明显可以打hessian反序列化 1234567891011121314151617181920212223242526272829303132333435363738394041@Overridepublic void handle(String target, Request baseRequest, HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { // invoke RpcResponse rpcResponse = doInvoke(request); // serialize response byte[] r ...

Smartbi登陆绕过补丁分析下载补丁 利用脚本 解码获得本次 补丁信息 12345678910111213141516171819202122232425262728293031{ "url": "/smartbix/api/monitor/setServiceAddress", "rules": [{ "type": "RejectSmartbixSetAddress" }] }, { "url": "/smartbix/api/monitor/setServiceAddress/", "rules": [{ "type": "RejectSmartbixSetAddress" }] }, { "url": ...

old-loggroovy写的一个web服务，用的框架是Grails，依赖中存在log4j 2.14.1，并且有可控的log参数，那就变成了一个jndi的利用 jdk 1.8jdk 11jdk 17jdk 21

梧桐杯决赛的awd题目，一共三台靶机，其中一台靶机上运行了两个java服务，这里做一下awd中java题目的总结 关于patch jar包可以参考 https://github.com/H4cking2theGate/JarPatcher actuator-testbed本题的依赖如下，springboot版本为2.0.5.RELEASE 123456789101112131415161718192021222324252627282930<dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId></dependency><dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter ...

Simp1escape题目有一个curl路由，允许访问url，但只能用http或者https协议，这里可以用302来ssrf 123456789101112131415161718192021@RequestMapping({"/curl"})public String curl(@RequestParam String url, HttpServletRequest request, HttpServletResponse response) throws Exception { if (!url.startsWith("http:") && !url.startsWith("https:")) { System.out.println(url.startsWith("http")); return "No protocol: " + url; } else { ...

chain17依赖如下，给了一个入口的hessian2反序列化，题目自己给了一个Bean，其中的getter可以触发原生反序列化，不过存在很多黑名单 123456789101112131415161718<dependency> <groupId>com.alibaba</groupId> <artifactId>hessian-lite</artifactId> <version>3.2.13</version></dependency><dependency> <groupId>cn.hutool</groupId> <artifactId>hutool-all</artifactId> <version>5.8.16</version></dependency><!-- https://mvnrepository.com/artifact/com.h2database/h2 --> ...

2741b02c3d329547ef81e21cfc3f87ca057b45f395de86174a8274c661e2f800e6ea3ff035727570ae522fb43dbd3d02009d2f4284e243f5e83ddc3dd191a15eb42a39c2f77e3369d280f4207b91ebbc15d6167d36e577174c7f940ed507d56e7795f8f54e9b7aec52d3e4507c276892160ce816d63ddbd3f417420fcede4ebe3ddf4bcf7cb40d8afc07e7e06d0439a2d2933a383d1aa6a3ebb57341d8578ac5417433526ff63b60c3a777c6f9861c015591e4b3cf6abea71170899f8a11ccf2de13ee879bde980e82bf13def78671e4ea369fe38fb9935996d526c7ebabb2390fb79b3dea96acac37bf7e31614a486fb62b21e28237e872e ...

Javolution A modern java challenge prepared for u, bypass it and achieve RCE ! 源码 https://github.com/H4cking2theGate/My-CTF-Challenges/tree/main/DubheCTF%202024/Javolution bypass/pal/cheat修改自己的defense为负数，让opponentPower溢出为负值，打败jetragon 升到50级后，传入localhost%00dubhe绕过host检测 123456789def levelup(): r = requests.get(url+"/pal/cheat?defense=-800000") print(r.text) r = requests.get(url+"/pal/battle/jetragon") print(r.text)def deser(): r = requests.post(url+&q ...

一个AWS EKS的靶场，正好学习一下EKS安全，地址https://eksclustergames.com/ Welcome To The ChallengeYou’ve hacked into a low-privileged AWS EKS pod. Use the web terminal below to find flags across the environment. Each challenge runs in a different Kubernetes namespaces with varying permissions. All K8s resources are crucial; challenges are based on real EKS misconfigurations and security issues. Click “Begin Challenge” on your desktop, and for guidance, click the question mark icon for useful cheat sheet. Good l ...