H4cking to the Gate .

梧桐杯决赛的awd题目，一共三台靶机，其中一台靶机上运行了两个java服务，这里做一下awd中java题目的总结 关于patch jar包可以参考 https://github.com/H4cking2theGate/JarPatcher actuator-testbed本题的依赖如下，springboot版本为2.0.5.RELEASE 123456789101112131415161718192021222324252627282930<dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId></dependency><dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter ...

Simp1escape题目有一个curl路由，允许访问url，但只能用http或者https协议，这里可以用302来ssrf 123456789101112131415161718192021@RequestMapping({"/curl"})public String curl(@RequestParam String url, HttpServletRequest request, HttpServletResponse response) throws Exception { if (!url.startsWith("http:") && !url.startsWith("https:")) { System.out.println(url.startsWith("http")); return "No protocol: " + url; } else { ...

chain17agent17依赖如下，给了一个入口的hessian2反序列化，题目自己给了一个Bean，其中的getter可以触发原生反序列化，不过存在很多黑名单 123456789101112131415161718<dependency> <groupId>com.alibaba</groupId> <artifactId>hessian-lite</artifactId> <version>3.2.13</version></dependency><dependency> <groupId>cn.hutool</groupId> <artifactId>hutool-all</artifactId> <version>5.8.16</version></dependency><!-- https://mvnrepository.com/artifact/com.h2database/h ...

2741b02c3d329547ef81e21cfc3f87ca057b45f395de86174a8274c661e2f800e6ea3ff035727570ae522fb43dbd3d02009d2f4284e243f5e83ddc3dd191a15eb42a39c2f77e3369d280f4207b91ebbc15d6167d36e577174c7f940ed507d56e7795f8f54e9b7aec52d3e4507c276892160ce816d63ddbd3f417420fcede4ebe3ddf4bcf7cb40d8afc07e7e06d0439a2d2933a383d1aa6a3ebb57341d8578ac5417433526ff63b60c3a777c6f9861c015591e4b3cf6abea71170899f8a11ccf2de13ee879bde980e82bf13def78671e4ea369fe38fb9935996d526c7ebabb2390fb79b3dea96acac37bf7e31614a486fb62b21e28237e872e ...

Javolution A modern java challenge prepared for u, bypass it and achieve RCE ! 源码 https://github.com/H4cking2theGate/My-CTF-Challenges/tree/main/DubheCTF%202024/Javolution bypass/pal/cheat修改自己的defense为负数，让opponentPower溢出为负值，打败jetragon 升到50级后，传入localhost%00dubhe绕过host检测 123456789def levelup(): r = requests.get(url+"/pal/cheat?defense=-800000") print(r.text) r = requests.get(url+"/pal/battle/jetragon") print(r.text)def deser(): r = requests.post(url+&q ...

一个AWS EKS的靶场，正好学习一下EKS安全，地址https://eksclustergames.com/ Welcome To The ChallengeYou’ve hacked into a low-privileged AWS EKS pod. Use the web terminal below to find flags across the environment. Each challenge runs in a different Kubernetes namespaces with varying permissions. All K8s resources are crucial; challenges are based on real EKS misconfigurations and security issues. Click “Begin Challenge” on your desktop, and for guidance, click the question mark icon for useful cheat sheet. Good l ...

2741b02c3d329547ef81e21cfc3f87ca619ba595e21a074b28b62a6fa683d3d7 Hey, password is required here.

地址 https://bigiamchallenge.com/ WIZ IAM挑战赛包含了六个IAM配置错误引发的漏洞，想通过这个小练习来了解一下IAM漏洞的基本原理和aws cli的简单使用，参考了很多wp，记录一下学习的过程。 IAM（Identity and Access Management） IAM security consists of policies and technologies designed to ensure that only authorized individuals gain access to the relevant resources within an organization. AWS IAM（Identity and Access Management）是亚马逊云服务中的身份和访问管理服务，用于管理对AWS资源的访问权限和安全性。IAM允许用户与AWS进行交互，每个用户都被赋予一个唯一的凭证（Access Key ID和Secret Access Key），以便使用API或SDK调用与AWS服务进行交互。 我理解的IAM就是云服务 ...

Derby题目pom如下，依赖druid和derby，jdk版本为17 12345678910111213141516171819<properties> <java.version>17</java.version></properties><dependencies> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId> </dependency> <dependency> <groupId>com.alibaba</groupId> <artifactId>druid</artifactId> <version>1.2.21< ...