Exploiting Java Tomcat With a Crazy JSP Web Shell - Real World CTF 2022

  • Published 5 Oct 2024
  • This was a hard web CTF challenge involving a JSP file upload with very restricted character sets. We had to use the Expression Language (EL) to construct useful primitives and upload an ascii-only .jar file.
    Alternative writeups: github.com/voi...
    Fuzzing log4j with Jazzer: • Fuzzing Java to Find L...
    =[ ❤️ Support ]=
    → per Video: / liveoverflow
    → per Month: / @liveoverflow
    =[ 🐕 Social ]=
    → Twitter: / liveoverflow
    → Instagram: / liveoverflow
    → Blog: liveoverflow.com/
    → Subreddit: / liveoverflow
    → Facebook: / liveoverflow

COMMENTS • 117

  • @TheThirdPrice
    @TheThirdPrice 2 years ago +294

    Wow! What a crazy technique, mad props to the folks who wrote the ASCII only jar, that's mental

    • @logiciananimal
      @logiciananimal 2 years ago +9

      Indeed - that's incredible. We could have had fun with that 25 years ago and not worried about uuencode! :)

  • @PaulFisher
    @PaulFisher 2 years ago +123

    I can explain part of this! The reason that your uploaded jar got corrupted is because of the way String works in Java. Unlike a string in e.g. C++ or Go, String in Java represents a sequence of Unicode codepoints, much like the str class in Python. When you uploaded your jar, the bytes of your query had to be converted to a String at some point before the «GARBAGE BEFORE + data + GARBAGE AFTER» step. So your input bytes got interpreted as UTF-8 sequences, but because most binary data is just going to be invalid UTF-8, it all got replaced with � (which is then encoded back to UTF-8 as EFBFBD when the file is written). The pure-ASCII zipfile is an ingenious workaround.
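
The UTF-8 decode-then-encode round trip described in the comment above, as an added Python example that is not from the video or its author. The sample bytes are constructed, and Python's `errors="replace"` decoder stands in for Java's `new String(bytes, UTF_8)`, which likewise substitutes U+FFFD for malformed input:

```python
# Added example: why raw binary uploaded through a Java String comes back
# as EF BF BD, and why a pure-ASCII file survives the round trip.
# Python's errors="replace" decoder is used as an approximation of
# Java's new String(bytes, UTF_8); both substitute U+FFFD for malformed input.

# UTF-8 encoding of U+FFFD, the bytes seen in the corrupted upload
REPLACEMENT = "\ufffd".encode("utf-8")  # b'\xef\xbf\xbd'

# Constructed samples (not real archives): a ZIP local-header signature
# followed by bytes that are never valid UTF-8, and an all-ASCII variant.
BINARY_SAMPLE = b"PK\x03\x04" + bytes([0xFF, 0xFE, 0x80, 0x81])
ASCII_SAMPLE = b"PK\x03\x04" + b"0000"


def java_string_roundtrip(data: bytes) -> bytes:
    """bytes -> String -> bytes, as the upload handler effectively does."""
    text = data.decode("utf-8", errors="replace")  # malformed bytes -> U+FFFD
    return text.encode("utf-8")                    # U+FFFD -> EF BF BD


def is_ascii_only(data: bytes) -> bool:
    """Every byte < 0x80 is a valid one-byte UTF-8 sequence, control bytes
    included, so such data always survives the round trip unchanged."""
    return all(b < 0x80 for b in data)


def corruption_report(data: bytes) -> dict:
    """Summarise what the round trip did to the payload."""
    out = java_string_roundtrip(data)
    return {
        "ascii_only": is_ascii_only(data),
        "survives": out == data,
        "replacements": out.count(REPLACEMENT),
        "bytes_in": len(data),
        "bytes_out": len(out),
    }


if __name__ == "__main__":
    for name, sample in (("binary", BINARY_SAMPLE), ("ascii", ASCII_SAMPLE)):
        print(name, corruption_report(sample))
```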

  • @ismailcotton913
    @ismailcotton913 2 years ago +115

    AHA! FINALLY, after years of understanding nothing but "Bahnhof" in your videos, I, as a Java dev, understand a tiny bit. Feels good.

  • @saketsrv9068
    @saketsrv9068 2 years ago +24

    What a genius guy, wish one day I could get even close to you

  • @MeriaDuck
    @MeriaDuck 2 years ago +46

    As a java developer, just ❤️ this one.
    My first thought for that replace chat was that neck slash wasn't excluded, so maybe \u123 like tricks could play a role.
    Did not see the ASCII only zip file coming. Just how do you create that... Magic 🤣

    • @MeriaDuck
      @MeriaDuck 2 years ago +2

      Auto correct and late night commenting made a mess of that, meant char and backslash.

  • @cauhxmilloy7670
    @cauhxmilloy7670 2 years ago +20

    10:16 "..and it was private static final anyways." This shouldn't be a problem.
    First, the `final` only protects the reference to the array from changing, not the array itself. In C++ terms, `final` is the equivalent of `T * const`, Java has no concept of `T const *` or `T const * const` unless T is defined to be always immutable. Sure Strings are immutable in Java, but arrays are fair game.
    Next, the fact that it's `static` could be helpful, not a hindrance. This means that there is no overall object reference for `ParamUtil` to find, there is only one instance of the `SPECIAL_CHARS` in the whole program. This should be findable with reflection.
    Lastly, the `private` should be no problem if you're using reflection. Reflection does not care about member visibility.
    I'm not sure what reflection you could have pulled off, given the challenge's constrained jsp; so maybe this would still end up being a dead end. I just wanted to share some Java technicalities. 😎

  • @MarcoZanon
    @MarcoZanon 2 years ago +5

    I have to watch your videos multiple times just to appreciate all the details you give to the audience. It's phenomenal

  • @DawnnDusk-k4n
    @DawnnDusk-k4n 2 years ago +44

    How are you creating content that will forcefully put the viewer to watch the whole video without skipping any part? It's 100% amazing. Superior content btw. Loved it😍

    • @secureitmania
      @secureitmania 2 years ago +2

      It took me an hour to complete this video 😂😂

    • @DawnnDusk-k4n
      @DawnnDusk-k4n 2 years ago +1

      @@secureitmania ha ha😁

  • @crlfff
    @crlfff 2 years ago +8

    Insane, I would not figure this out in my entire life if you gave me that time

  • @wouterr6063
    @wouterr6063 2 years ago +7

    CTF challenge vids are one of my favorite types of videos on this channel!

  • @_DeProgrammer
    @_DeProgrammer 2 years ago +2

    this video was dope. thanks for taking the time to make this content, much love!

  • @akshaymall6462
    @akshaymall6462 2 years ago +3

    This is the kind of cyber security expert I aspire to become......just so much dedication

  • @blizzy78
    @blizzy78 2 years ago +24

    So what do we learn from this? Tomcat's applicationScope object is read-write instead of read-only, which is a bad idea.

    • @kebien6020
      @kebien6020 2 years ago +11

      Also, don't implement file upload in Java because Java will dynamically load code for any reason at all

  • @gerardmarquinarubio9492
    @gerardmarquinarubio9492 2 years ago +1

    This was the most interesting CTF video I've ever seen. Normally, I don't understand shit, but you explained everything so well.

  • @ndm13
    @ndm13 2 years ago +9

    Beautiful solution. I genuinely don't understand why Apache regularly does stupidly insecure things with class loading.

  • @0x2a1A4
    @0x2a1A4 1 year ago

    solving this must feel great, but creating such a challenge.... you must be a wizard...

  • @_xzvf2557
    @_xzvf2557 2 years ago +2

    That is a crazy exploit, well done!

  • @oblivion_2852
    @oblivion_2852 2 years ago +1

    The ascii only zip is really interesting

  • @eamonmulholland3159
    @eamonmulholland3159 2 years ago

    A bunch of this flew over my head but I loved it. Props to you and your team for the great work!

  • @Myzreal92
    @Myzreal92 2 years ago +1

    Just a note on the URL class and the "fix it plz java" note - there's nothing to fix, that's an immutable object and it's supposed to be like that. You want a new URL - you create a new instance of that class.

  • @mgetommy
    @mgetommy 2 years ago +13

    So cool…. As a web dev this scares me lol

  • @bertrahm3104
    @bertrahm3104 2 years ago +5

    13:11 Stupid question: Couldn't you have just made a StringInterpreter-compatible class and then done your arbitrary code execution from the constructor, since it's instantiated immediately?

    • @LiveOverflow
      @LiveOverflow 2 years ago +2

      Sure, could have done that as well. But it makes no difference if we execute the code in the static section or in the constructor. Wouldn't have changed much.

    • @bertrahm3104
      @bertrahm3104 2 years ago

      @@LiveOverflow yeah, it just seemed easier to me at the moment

  • @vectoralphaSec
    @vectoralphaSec 2 years ago +3

    love the new glasses.

  • @c14n_
    @c14n_ 2 years ago +3

    Hey what about the STÖK glasses? haha

  • @saranshjain5391
    @saranshjain5391 1 year ago

    The thing is I don't know any bit of coding, still I am watching it and having fun, and can safely say yeah, this field is for me. I need to take it in college as my major, even if I need to compromise on a better college for the subject.

  • @konfushon
    @konfushon 2 years ago +2

    This guy's a genius

  • @FVT-tn8ji
    @FVT-tn8ji 2 years ago

    I don't understand anything at all but this is interesting af! Thanks for uploading

  • @Azulath.
    @Azulath. 2 years ago +1

    Nice video - quick comment from my side: I have found JADX to be superior to JD-GUI, since the latter has issues with a few class files and the former does not.

  • @constexprDuck
    @constexprDuck 2 years ago +1

    Why did you put angle brackets on your head and disable your glasses for the thumbnail? I'm confused. But great video!

  • @triularity
    @triularity 2 years ago

    Just wondering if the start was anything like that early scene in Blue Streak where he says "What is the first thing you do? You check if it's open." Only, in this case, you check if it's log4j vulnerable. ;)

  • @ripplerxeon
    @ripplerxeon 2 years ago

    I just know basic programming stuff, but the video made me watch this like I knew everything he said... Magic ✨

  • @FUTUREPES
    @FUTUREPES 2 years ago +2

    On glasses in a stream, nice

  • @michaeldprovenzano9936
    @michaeldprovenzano9936 2 months ago

    That's insane!!!

  • @rapid2950
    @rapid2950 2 years ago

    *me just nodding to everything he says with a wistful expression, whilst trying to understand it*

  • @realkorgo
    @realkorgo 2 years ago

    Great video!

  • @EER0000
    @EER0000 2 years ago +1

    About halfway through, my approach would be to upload a .class or jar file with remote shell in perhaps a static initializer field, then change the class path and execute the code from there. Let’s see if that’s the way you did it :D

    • @EER0000
      @EER0000 2 years ago +1

      Close! Nice find and very creative solution!

  • @club6525
    @club6525 2 years ago

    3:47 I thought the top file said something else for a second...

  • @0x150
    @0x150 2 years ago +3

    glassesOverflow

  • @dhruvvanawat6562
    @dhruvvanawat6562 2 years ago

    That's a nice video.
    Can you please make a video on exploitation of a vulnerable version of Jetty?

  • @ichbins7203
    @ichbins7203 2 years ago +1

    Very interesting video! I really like to watch your CTF videos. Aaaand I've got a question: what is your VS Code theme called?

    • @lebit01
      @lebit01 2 years ago +1

      Pretty sure it's Solarized Dark

    • @ichbins7203
      @ichbins7203 2 years ago

      @@lebit01 thanks

  • @Jan.-
    @Jan.- 2 years ago +1

    I'm waiting for the Minecraft log4j vid xd

  • @gokhansahin7872
    @gokhansahin7872 2 years ago +1

    Could you please describe how you make a valid jar file with ascii-zip?

  • @quangvo4563
    @quangvo4563 2 years ago

    Java web challenges are always good !!!!

  • @Nevermore101
    @Nevermore101 2 years ago

    what a rollercoaster :D

  • @FUTUREPES
    @FUTUREPES 2 years ago +1

    Well done sir

  • @abdulrahmanfaisal288
    @abdulrahmanfaisal288 2 years ago

    If you click the number, it will display on your video that the video ended at like 51 minutes, why? Please can you explain, and thanks

  • @LiEnby
    @LiEnby 2 years ago +2

    ASCII ONLY JAR?
    WHAT.
    HOW IS THAT POSSIBLE

    • @blizzy78
      @blizzy78 2 years ago

      compression dictionary

    • @fitmotheyap
      @fitmotheyap 2 years ago

      Some souls were consumed in the making

  • @tristandostaler8953
    @tristandostaler8953 2 years ago +1

    Maybe a dumb question, but would using a "\r" have worked to remove the garbage at the beginning of the string?
    "GARBAGE" + "\rsomething else" + "GARBAGE" ?

    • @LiveOverflow
      @LiveOverflow 2 years ago +2

      not a dumb question :)

      "\r" only affects how text is displayed. It tells the computer "now move the cursor back to the start". And so in reality, that garbage at the start is still there, it was just overwritten when it was displayed. And so it has no effect when the computer tries to read this data as a file.

    • @tristandostaler8953
      @tristandostaler8953 2 years ago

      @@LiveOverflow thanks! Makes sense!

  • @lopo8000
    @lopo8000 2 years ago

    Looking closer and closer to Vitalik Buterin by the day.

  • @aha6593
    @aha6593 2 years ago

    I know little about the Java webapp world. Decompiling a class is regularly needed because the documentation is bad, or to fix a bug in used software. A servlet to upload files actually gives control of the OS running Tomcat. What I don't understand is how you get access to the .war file from a running webapp on the net?

  • @DARKBRAIN90
    @DARKBRAIN90 2 years ago

    Ooh no. James Kettle explains how to exploit this bug in his template injection talk

  • @randomguy3784
    @randomguy3784 2 years ago

    Crazyyy technique! 😵

  • @nirshaashua6436
    @nirshaashua6436 2 years ago

    Thanks for the video

  • @louisalakazam738
    @louisalakazam738 2 years ago

    It's an amazing ctf!

  • @huhwhatwho7895
    @huhwhatwho7895 2 years ago +2

    How did you work out the 0xfffff number of hashes?

    • @lepsycho3691
      @lepsycho3691 2 years ago +2

      Okay, took me a little bit to figure this out, but it all comes down to this:
      An md5 hash is 32 hex characters.
      One hex character has 16 possible values [0-9] [a-f].
      So if the hash has to start with 5 specific characters, the total possible variations of 5 hex characters is 16^5 or 1,048,576.
      Now to explain what the python script does:
      We are generating random md5 hashes, keeping only the first 5 chars and putting them in a dictionary as the key and the seed as the value. The top loop will run until we have generated all possible combinations.

  • @kiwiwelch3620
    @kiwiwelch3620 2 years ago

    Love your work but I fear your arms are going to snap in half

  • @IBITZEE
    @IBITZEE 2 years ago

    Dude,,, I understand only parts of what you were explaining... but I couldn't stop seeing....
    great job.... and avoid Java!!!
    ;-)

  • @warker_de
    @warker_de 2 years ago

    this ascii-zip crafting made me cry ... #ctflife I think

  • @modmah7191
    @modmah7191 2 years ago

    all in >

  • @A00ii
    @A00ii 2 years ago +1

    I understand 1% of this, I think I'm learning 🌭

  • @NoNameAtAll2
    @NoNameAtAll2 2 years ago

    dark lighting makes you sad old dev, not the bright excited mind you were before

  • @anassbougazzoul5405
    @anassbougazzoul5405 2 years ago

    new video lets goo

  • @venkatesangovindarajan863
    @venkatesangovindarajan863 2 years ago

    Stupid question: In these CTFs, do they provide the web-app source code for you guys to figure out the problem on a local machine?

    • @kebien6020
      @kebien6020 2 years ago +1

      In this video it looks like they provided just the compiled .class files. But decompilers work really well on Java (as long as it is not intentionally obfuscated) so the decompiled code was pretty ok. They were also using an open-source library so you can just grab the source code for that from github.

  • @abdulrahmanfaisal288
    @abdulrahmanfaisal288 2 years ago

    Hello please can you explain the doc exploit other thing I discover thing before when you type a

  • @manuyel4845
    @manuyel4845 2 years ago +1

    welcome to the blind gang

  • @captainsalazar7166
    @captainsalazar7166 2 years ago

    You are amazing

  • @sookmaideek
    @sookmaideek 2 years ago

    DO U USE KALI LINUX BRO❓

  • @syrrithplayz3824
    @syrrithplayz3824 2 years ago

    You joined my MC server without the web address or IP, how did you do that?

  • @zackenbaron6773
    @zackenbaron6773 2 years ago

    What system do you run in this video?

  • @abdulrahmanfaisal288
    @abdulrahmanfaisal288 2 years ago

    Video minute that it is even not in the video it display for you in example

  • @n1ghtmar3_orin
    @n1ghtmar3_orin 2 years ago

    🔥🔥🔥

  • @thatcrockpot1530
    @thatcrockpot1530 2 years ago

    badass

  • @lattaio2855
    @lattaio2855 2 years ago +1

    Hey man. Someone recently logged onto my Minecraft server under the name Zaafir_Zuberi. He ran some long command, apologized for spam, then left. He linked his channel which led me here. What exactly did you do, and should I be concerned? I tried to find the acc but they must have changed the name or deleted it. Would appreciate a response.

    • @LiEnby
      @LiEnby 2 years ago

      Minecraft doesn't use JSP

    • @lattaio2855
      @lattaio2855 2 years ago

      @@LiEnby I know Minecraft doesn't. It was just his most recent video, so, I thought it would be more likely that he sees the comment.

    • @LiveOverflow
      @LiveOverflow 2 years ago +7

      It was me, sorry for the spam. You don't need to be concerned. It's for an upcoming video series :) if you have any more questions, write me an email or DM me on Twitter. Sorry again!

    • @benasin1724
      @benasin1724 2 years ago

      @@LiveOverflow lol

    • @fitmotheyap
      @fitmotheyap 2 years ago

      @@LiveOverflow what are you doing to the poor guy lmao

  • @esra_erimez
    @esra_erimez 2 years ago

    Does this mean that Tomcat is not secure?

    • @ltxr9973
      @ltxr9973 2 years ago +2

      Not really. The way it's configured in the video is almost painful to watch as a Java dev. But Tomcat won't stop you from shooting yourself in your own foot either. There's so much stuff you can do in Java, there's a feature for everything. This kind of complexity can be dangerous.

  • @shurgars
    @shurgars 2 years ago

    Nice

  • @mohittirkey7889
    @mohittirkey7889 2 years ago

    Is it just me or does he really look like Ed Sheeran :D

  • @secureitmania
    @secureitmania 2 years ago

    🔥🤯🤯🤯🤯😱

  • @goodtoot3145
    @goodtoot3145 2 years ago

    on yaaaa

  • @topsovs839
    @topsovs839 2 years ago

    Let's fix what's been broken for 5 years now.

  • @bibabutzemann4640
    @bibabutzemann4640 2 years ago +1

    That's for all genius hackers - you're the heroes right now 🇺🇦❤️

  • @StorageESP
    @StorageESP 2 years ago

    uh oh

  • @siddharthchhetry4218
    @siddharthchhetry4218 2 years ago +1

    Nice, I couldn't understand a thing :)

  • @btno222
    @btno222 2 years ago

    Yu gained weight! Good yu look gewd!

  • @JustSomeAussie1
    @JustSomeAussie1 2 years ago

    The way you pronounce "interpreter" drives me crazy

  • @spreen_co
    @spreen_co 2 years ago

    first?

  • @XenoContact
    @XenoContact 2 years ago

    The thumbnail makes me not want to watch this video, sorry

  • @senjuchidori9448
    @senjuchidori9448 2 years ago +1

    Bro, use vim to sort instead of VS Code

  • @SlashedSucks
    @SlashedSucks 2 years ago

    56 secs ago???