"Everyone has their own moon"
Question ideas
This challenge tests bypassing web front-end encryption, a situation that comes up often in real engagements: until you can reproduce the client-side encryption, nothing past the login form can be tested. Players need a tool or script that applies the same encryption so they can brute-force the login and then exploit the unauthorized access behind it. The test account's password is encrypted client-side with AES (symmetric), and the key is produced by an obfuscated JavaScript function. Burp Suite plugins such as AESKiller or Crypto Messages Handler can encrypt each Intruder payload on the fly. So that nobody gets stuck for lack of a weak-password list, a dictionary is left behind in robots.txt, but it contains duplicates and needs deduplicating. Have you learned it?
Problem solving skills
Visiting the challenge page shows a flag straight away, but submitting it is rejected. The challenge is obviously not going to be that easy. (doge)
Switch to Kali and scan for directories with dirsearch to find sensitive files. It turns up robots.txt, which lists a password dictionary, dddddddddddddd_password.txt. Looks like an easy win: this has to be brute-forced.
The dictionary contains duplicates, so deduplicate it first with cat passwd.txt | sort -u. After deduplication only 203 unique passwords remain.
Visit /Server to find the login page, enter admin/admin, and capture the request in Burp Suite.
The login fails, and the captured request shows the password field is encrypted. Pressing F12 and reading the JavaScript reveals AES encryption.
Symmetric encryption needs a key. The key-generation function in the code is obfuscated, but stepping through it in the debugger yields the key 3602879701896397 (16 characters, so AES-128), and the mode is ECB. Because the key is fixed and shipped to the client, and ECB has no IV, the same password always produces the same ciphertext; the "encryption" is only obfuscation and every dictionary entry can be encrypted offline.
With the key in hand, install the Burp plugin AESKiller and configure it with that key and ECB mode.
After enabling the plugin, re-capture the login request; the plugin rewrites it with the encrypted fields so Intruder can work with the plaintext.
Send it to the Intruder module, load the deduplicated password dictionary, and start the attack.
The username test logs in with the password 123987, and after a successful login a query page appears.
Query for test and capture the request.
Locate the encrypted parameter and decrypt it directly with the plugin's decrypt function.
Change the userid and username in the decrypted parameter to admin, re-encrypt it, and replay the query. The server trusts the identity carried inside the encrypted blob, so the authorization check is bypassed (the encryption was never an access control).
The response returns the flag:
flag{876fedc30e062a4667d2df26f75003cb}
Tools involved
- Directory scanning: dirsearch or Yujian
- Burp Suite Intruder for brute force
- Burp plugin AESKiller to encrypt Intruder payloads
Summary
- Scan the backend for sensitive files
- Password brute force
- Use a Burp Suite plugin to encrypt payloads with the fixed key generated by the JavaScript code
- The difficulty of this challenge lies in the obfuscated key-generation function in the JavaScript and in recognizing that the mode is ECB; once the encryption is reproduced, brute force and the access-control bypass follow directly