Docker escape
The nature of a Docker escape is quite different from that of a hardware virtualization escape. A container escape is the process by which a restricted process obtains full, unrestricted privileges, or by which a process originally confined by cgroups/namespaces gains more privileges than it was granted; it is closer to privilege escalation.
Prerequisites
Before starting, let's look at the technical foundations of Docker and of how Docker is implemented.
Lately I keep getting crushed in foreign CTFs... This UnionCTF had two web challenges: one was a SQLite UNION injection with zero filtering, where payloads found on Baidu worked out of the box, and the other was this challenge, which was quite interesting. The exploitation step later on feels fairly practical; learned something.
Pasting part of it:
checkin.js

```javascript
// Validation schema handed to jpv: each field must match its regex, and
// `extras` is expected to be an array of objects whose `sssr` is one of
// BULK, UMNR or VGML.
const pattern = {
  firstName: /^\w{1,30}$/,
  lastName: /^\w{1,30}$/,
  passport: /^[0-9]{9}$/,
  ffp: /^(|CA[0-9]{8})$/,
  extras: [
    {sssr: /^(BULK|UMNR|VGML)$/},
  ],
};

// In the challenge source no customer is ever "special".
function isSpecialCustomer(passport, frequentFlyerNumber) {
  return false;
}

// Issues an RS256-signed JWT carrying the customer status and ffp number.
function createToken(passport, frequentFlyerNumber) {
  var status = isSpecialCustomer(passport, frequentFlyerNumber) ? "gold" : "bronze";
  var body = {"status": status, "ffp": frequentFlyerNumber};
  return jwt.encode(body, config.privkey, 'RS256');
}

// ..... (elided in the original excerpt)

if (jpv.validate(data, pattern, { debug: true, mode: "strict" })) {
  if (data["firstName"] == "Tony" && data["lastName"] == "Abbott") {
    var response = {msg: "You have successfully checked in! Please remember not to post your boarding pass on social media."};
  } else if (data["ffp"]) {
    var response = {msg: "You have successfully checked in. Thank you for being a Cr0wnAir frequent flyer."};
    // The token branch looks for an sssr value ("FQTU") that the pattern
    // above does not list among its allowed values.
    for (e in data["extras"]) {
      if (data["extras"][e]["sssr"] && data["extras"][e]["sssr"] === "FQTU") {
        var token = createToken(data["passport"], data["ffp"]);
        var response = {msg: "You have successfully checked in. Thank you for being a Cr0wnAir frequent flyer. Your loyalty has been rewarded and you have been marked for an upgrade, please visit the upgrades portal.", "token": token};
      }
    }
  }
}
```
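As an added example (not the challenge's or the author's code), here is the same check-in logic written with the input's structure validated explicitly instead of relying on a regex-only schema: each field is type-checked before its regex runs, `extras` must be a real array of plain `{sssr}` objects, and no unexpected keys are accepted. The regexes are copied from the excerpt; the function names `validateCheckin` and `checkin` and the sample inputs are my own, and the JWT is replaced by an `upgrade` flag so it runs offline.

```javascript
// Added example, not the challenge's code. The regexes are copied from the
// excerpt above; the structural checks around them are the hardening.
const FIELDS = {
  firstName: /^\w{1,30}$/,
  lastName: /^\w{1,30}$/,
  passport: /^[0-9]{9}$/,
  ffp: /^(|CA[0-9]{8})$/,
};
const SSSR = /^(BULK|UMNR|VGML)$/;
const ALLOWED_KEYS = new Set([...Object.keys(FIELDS), "extras"]);

// A "plain" object: built from an object literal or JSON.parse, not an
// array, not a class instance, not something with a custom prototype.
function isPlainObject(v) {
  return v !== null && typeof v === "object" &&
    Object.getPrototypeOf(v) === Object.prototype;
}

// Returns null when `data` is acceptable, otherwise a message naming the
// first violation. Types are checked before any regex runs, and `extras`
// has to be an actual array whose items contain nothing but `sssr`.
function validateCheckin(data) {
  if (!isPlainObject(data)) return "body must be a JSON object";
  for (const key of Object.keys(data)) {
    if (!ALLOWED_KEYS.has(key)) return `unexpected field ${key}`;
  }
  for (const [key, re] of Object.entries(FIELDS)) {
    const v = data[key];
    if (typeof v !== "string") return `${key} must be a string`;
    if (!re.test(v)) return `${key} has an invalid format`;
  }
  if (!Array.isArray(data.extras)) return "extras must be an array";
  for (let i = 0; i < data.extras.length; i++) {
    const item = data.extras[i];
    if (!isPlainObject(item)) return `extras[${i}] must be an object`;
    const keys = Object.keys(item);
    if (keys.length !== 1 || keys[0] !== "sssr") return `extras[${i}] may only contain sssr`;
    if (typeof item.sssr !== "string" || !SSSR.test(item.sssr)) {
      return `extras[${i}].sssr is not an allowed value`;
    }
  }
  return null;
}

// Mirrors the excerpt's branching. The JWT is replaced by an `upgrade`
// flag so the example runs without a key pair.
function checkin(data) {
  const error = validateCheckin(data);
  if (error !== null) return { ok: false, error };
  if (data.firstName === "Tony" && data.lastName === "Abbott") {
    return { ok: true, upgrade: false };
  }
  if (data.ffp) {
    // Cannot become true here: the validator only admits BULK/UMNR/VGML.
    const upgrade = data.extras.some((e) => e.sssr === "FQTU");
    return { ok: true, upgrade };
  }
  return { ok: true, upgrade: false };
}

// Constructed sample inputs for a quick local run.
const good = {
  firstName: "Alice", lastName: "Smith", passport: "123456789",
  ffp: "CA12345678", extras: [{ sssr: "VGML" }],
};
console.log(checkin(good));
console.log(checkin({ ...good, extras: [{ sssr: "FQTU" }] }));
```

The point of the rewrite is that the decision about an upgrade can only ever see values the validator has already whitelisted, and that the shape of `extras` (array, plain objects, one known key) is asserted in code rather than implied by the shape of the schema object.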
It seems quite a bit easier than justCTF... at least there were challenges a newbie could solve, sob.
But why do foreign CTFs seem to love XSS so much?
Compared with justCTF's BabyCSP this one really is more "baby"; I could not do the justCTF one at all...
Because default-src was set, the requests made by functions like fetch are also governed by the CSP, so fetch could not be sent; I got stuck here at first.
Then redirecting with window.location.href worked.
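An added example (not from the post) that models the fallback the author ran into: a small CSP parser that decides whether a fetch() is permitted by applying the connect-src to default-src fallback. It handles 'self', 'none', '*', scheme sources and host sources with a leading `*.` wildcard; it is a simplified model, not a complete CSP implementation, and the function names, header strings and origins are constructed for illustration.

```javascript
// Added example, not from the post: a simplified model of how a browser
// resolves the directive that governs a fetch() under a CSP header.

// Fetch directives that inherit default-src when they are not set.
const FALLS_BACK_TO_DEFAULT = new Set([
  "connect-src", "script-src", "style-src", "img-src",
  "font-src", "media-src", "object-src", "frame-src",
]);

// Parse "directive value value; directive value" into a Map. A repeated
// directive name is ignored after its first occurrence.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Which directive actually applies to `directive`, or null if none does.
function governingDirective(policy, directive) {
  if (policy.has(directive)) return directive;
  if (FALLS_BACK_TO_DEFAULT.has(directive) && policy.has("default-src")) {
    return "default-src";
  }
  return null;
}

// Does one source expression match the target URL?
function sourceMatches(expr, target, pageOrigin) {
  const s = expr.toLowerCase();
  if (s === "'none'") return false;
  if (s === "*") return true;
  if (s === "'self'") return target.origin === pageOrigin.toLowerCase();
  if (s.startsWith("'")) return false;               // nonce/hash/unsafe-* never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return target.protocol === s;  // scheme-source
  let host = s;
  let scheme = null;
  const m = s.match(/^([a-z][a-z0-9+.-]*):\/\/(.*)$/);
  if (m) { scheme = `${m[1]}:`; host = m[2]; }
  host = host.split("/")[0];                          // ignore any path part
  if (scheme !== null && target.protocol !== scheme) return false;
  if (host.startsWith("*.")) return target.host.endsWith(host.slice(1));
  return target.host === host;
}

// True if a request of kind `directive` ("connect-src" for fetch) to `url`
// is permitted by `header` for a page served from `pageOrigin`.
function requestAllowed(header, directive, url, pageOrigin) {
  const policy = parseCsp(header);
  const gov = governingDirective(policy, directive);
  if (gov === null) return true;                      // nothing restricts it
  const target = new URL(url);
  return policy.get(gov).some((expr) => sourceMatches(expr, target, pageOrigin));
}

// Constructed policy resembling the one described in the post: default-src
// is set, connect-src is not, so fetch() inherits the 'self' restriction.
const header = "default-src 'self'; script-src 'nonce-abc123'";
console.log(requestAllowed(header, "connect-src", "https://app.example/api", "https://app.example"));
console.log(requestAllowed(header, "connect-src", "https://other.example/x", "https://app.example"));
```

default-src only stands in for the fetch directives; a top-level navigation such as assigning location.href is not one of them, so no CSP source list applies to it. That is the gap the author's redirect went through, and it is why a policy that is meant to limit where a page can send data has to be read as covering requests, not navigations.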
In this challenge the nonce never changes, so isn't it just unfiltered XSS? At first I thought the challenge was written wrongly and meant to test the trick from the 先知 article in the reference links, where the injection swallows the nonce that follows it. After testing I found that this only works when the controllable point is directly adjacent to the script tag carrying the nonce; otherwise any right angle bracket in between closes your tag and you cannot swallow the correct nonce.