梧桐杯 AWD Reproduction
The AWD challenges from the 梧桐杯 final had three target machines in total; one of them ran two Java services. This is a summary of the Java challenges in that AWD.
For patching jar files, see https://github.com/H4cking2theGate/JarPatcher
actuator-testbed: the dependencies of this challenge are as follows; the Spring Boot version is 2.0.5.RELEASE
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-actuator< ...
红明谷 Challenge Reproduction
Simp1escape: the challenge has a curl route that fetches a user-supplied URL, but only the http or https protocol is allowed. Because the check is applied only to the initial URL, a 302 redirect from an allowed URL can be used to turn this into an SSRF.
@RequestMapping({"/curl"})
public String curl(@RequestParam String url, HttpServletRequest request, HttpServletResponse response) throws Exception {
    if (!url.startsWith("http:") && !url.startsWith("https:")) {
        System.out.println(url.startsWith("http"));
        return "No protocol: " + url;
    } else {
        ...
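The route above checks the scheme prefix of the string the user sent and nothing else. If the fetch that follows honours 3xx redirects, the Location header returned by an attacker-controlled host is never re-checked, so it can point at an internal address. The following is an added example, not the challenge's code: a fetch in the vulnerable style next to a hardened fetch that disables automatic redirect following and re-validates the scheme and resolved address on every hop. The class and method names (RedirectSsrfDemo, fetchVulnerable, fetchHardened, hopAllowed) are assumed for illustration; it needs JDK 9 or later.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.util.Set;

// Added example (not the challenge's code): why a scheme check on the initial
// URL alone does not prevent SSRF when redirects are followed.
public class RedirectSsrfDemo {

    // The challenge-style check: only the prefix of the first URL is inspected.
    static boolean schemeLooksOk(String url) {
        return url.startsWith("http:") || url.startsWith("https:");
    }

    // Vulnerable: HttpURLConnection follows 3xx redirects by default, so a
    // Location header pointing at an internal host is fetched without any check.
    static String fetchVulnerable(String url) throws IOException {
        if (!schemeLooksOk(url)) {
            return "No protocol: " + url;
        }
        HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
        // default is c.setInstanceFollowRedirects(true)
        try (InputStream in = c.getInputStream()) {
            return new String(in.readAllBytes());
        }
    }

    static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");
    static final int MAX_HOPS = 3;

    // Reject non-http(s) schemes and any hop that resolves to a loopback,
    // private, link-local (e.g. 169.254.169.254) or wildcard address.
    static boolean hopAllowed(URI u) throws IOException {
        String scheme = u.getScheme();
        if (scheme == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase())) {
            return false;
        }
        if (u.getHost() == null) {
            return false;
        }
        for (InetAddress a : InetAddress.getAllByName(u.getHost())) {
            if (a.isLoopbackAddress() || a.isSiteLocalAddress()
                    || a.isLinkLocalAddress() || a.isAnyLocalAddress()) {
                return false;
            }
        }
        return true;
    }

    // Hardened: never auto-follow; validate every hop and cap the hop count.
    static String fetchHardened(String url) throws IOException, URISyntaxException {
        URI current = new URI(url);
        for (int hop = 0; hop <= MAX_HOPS; hop++) {
            if (!hopAllowed(current)) {
                throw new IOException("blocked: " + current);
            }
            HttpURLConnection c = (HttpURLConnection) current.toURL().openConnection();
            c.setInstanceFollowRedirects(false);
            int code = c.getResponseCode();
            if (code / 100 == 3) {
                String loc = c.getHeaderField("Location");
                if (loc == null) {
                    throw new IOException("redirect without Location");
                }
                // a relative Location is resolved against the current hop
                current = current.resolve(loc);
                continue;
            }
            try (InputStream in = c.getInputStream()) {
                return new String(in.readAllBytes());
            }
        }
        throw new IOException("too many redirects");
    }
}
```

With fetchVulnerable, a URL such as http://attacker.example/r passes schemeLooksOk, and the 302 it answers with is followed to whatever Location the attacker chooses. fetchHardened runs hopAllowed on that Location before connecting, so a redirect to an internal address is refused. One caveat remains even in the hardened version: the address is resolved at check time and again when the connection is opened, so a host whose DNS answer changes between the two lookups (DNS rebinding) can still slip through; pinning the checked address into the connection, or resolving once and connecting by IP with the Host header set, closes that gap.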
AliyunCTF2024
chain17: the dependencies are listed below. The entry point is a Hessian2 deserialization. The challenge supplies its own Bean whose getter can trigger native Java deserialization, but there is an extensive blacklist.
<dependency>
    <groupId>com.alibaba</groupId>
    <artifactId>hessian-lite</artifactId>
    <version>3.2.13</version>
</dependency>
<dependency>
    <groupId>cn.hutool</groupId>
    <artifactId>hutool-all</artifactId>
    <version>5.8.16</version>
</dependency>
<!-- https://mvnrepository.com/artifact/com.h2database/h2 -->
...
qmb Offline Java Challenge Reproduction
Two Java challenges, both fairly simple.
expr: a native Java deserialization entry point, except that SecureUtil here overrides resolveClass and bans TemplatesImpl.
@ResponseBody
@RequestMapping({"/"})
public String index(String data) throws IOException {
    if (data == null) {
        return "Hello World!";
    } else {
        byte[] decode = CodingUtil.Base64Decode(data);
        String resp = "";
        InputStream bis = new ByteArrayInputStream(decode);
        SecureUtil ois = new SecureUtil( ...
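A resolveClass override that bans TemplatesImpl is a denylist: it stops the one gadget named and lets every other class through, which is why such a filter is usually still solvable with a different chain. Below is an added example, not the challenge's SecureUtil (whose full source is not on this page): a denylist ObjectInputStream in the style the write-up describes, next to the allowlist approach built into the JDK (ObjectInputFilter, JDK 9 and later). The names DenylistObjectInputStream, SecureUtilDemo and allowlistStream are assumed for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.util.Set;

// Added example (not the challenge's SecureUtil): a resolveClass denylist
// next to a JDK ObjectInputFilter allowlist.
public class SecureUtilDemo {

    // Denylist style: the named classes are refused, everything else still
    // resolves, so any gadget chain that avoids the listed names is unaffected.
    static class DenylistObjectInputStream extends ObjectInputStream {
        static final Set<String> BANNED = Set.of(
            "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");

        DenylistObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (BANNED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "banned by denylist");
            }
            return super.resolveClass(desc);
        }
    }

    // Allowlist style: only the classes named in the pattern (plus java.lang.*)
    // are accepted; the trailing "!*" rejects every other class, and the
    // depth/reference limits bound the object graph before it is materialised.
    static ObjectInputStream allowlistStream(InputStream in, String... allowedClasses)
            throws IOException {
        ObjectInputStream ois = new ObjectInputStream(in);
        StringBuilder pattern = new StringBuilder("maxdepth=10;maxrefs=100;");
        for (String name : allowedClasses) {
            pattern.append(name).append(';');
        }
        pattern.append("java.lang.*;!*");
        ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(pattern.toString()));
        return ois;
    }
}
```

With the denylist stream, a payload that never references TemplatesImpl deserializes normally; with allowlistStream, a class that is not explicitly listed is rejected before its readObject runs. For an endpoint like the one above, the allowlist would name only the application's own DTO classes that the caller is expected to send.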
用友 NC Cloud Audit Notes
Hey, password is required here.
Javolution: Notes on Writing the Challenge
Javolution
A modern java challenge prepared for u, bypass it and achieve RCE !
Source: https://github.com/H4cking2theGate/My-CTF-Challenges/tree/main/DubheCTF%202024/Javolution
bypass: use /pal/cheat to set your own defense to a negative number, so that opponentPower overflows to a negative value and you defeat jetragon.
After reaching level 50, pass localhost%00dubhe to bypass the host check.
def levelup():
    r = requests.get(url+"/pal/cheat?defense=-800000")
    print(r.text)
    r = requests.get(url+"/pal/battle/jetragon")
    print(r.text)
def deser():
    r = requests.post(url+" ...
用友 U8Cloud Audit Notes
Hey, password is required here.
EKS Cluster Games Walkthrough
An AWS EKS lab, and a good opportunity to study EKS security. Address: https://eksclustergames.com/
Welcome To The Challenge
You’ve hacked into a low-privileged AWS EKS pod. Use the web terminal below to find flags across the environment. Each challenge runs in a different Kubernetes namespace with varying permissions.
All K8s resources are crucial; challenges are based on real EKS misconfigurations and security issues.
Click “Begin Challenge” on your desktop, and for guidance, click the question mark icon for useful cheat sheet.
Good l ...
Smartbi Audit Notes