Weekly CTF： Course :Weekly CTF( Hetian network security laboratory ) (hetianlab.com)

subject

experiment : The first week | Magic tape ( Hetian network security laboratory ) (hetianlab.com)

The background that

None in this experiment writeup, Students need to give full play to what they have learned , Take the ultimate goal .

Experimental environment

 Target machine ：Centos7  IP Address ：10.1.1.147:5001  
  
 attack ：Win7         IP Address ： Random allocation   
  
 requirement ： Get the target flag  
  
 Tips ：flag The format is Flag{}  
  
 notes ： Tool path ：C:\tools\  

Answer key

start

A lot of times CTF The title is not very clear , I didn't know what to do at first , So try to use the information given , Try anything you can think of .

The title gives the goal IP Address , First visit it in the browser .

Try to think

1、 Use SQL Inject ：123 or '1'='1', It's useless

2、 Use XSS sentence ：<script>alert('hello,gaga!');</script>, It's useless

3、 View source code of webpage ： There is a line of code at the bottom

<html><h1 style='font-size:0px;'>./Flag.txt</h1></html>

Try to visit http://10.1.1.147:5001/Flag.txt, False information ！

4、 Try viewing web requests in the browser developer tool , Find the following information ：

According to the suffix is = Guess it might be base64 code .

The above is a simple test , Then use professional tools burpsuite The official start of the .

Burp Suite

Burp Suite The tool is located in C:\tools\burpsuite\BurpLoader.jar

Use steps ：

1. Configure the proxy for the browser 127.0.0.1, Port is 8080
2. Burp Suite The tool Proxy > HTTP history The packet capture record will be displayed
   The currently intercepted requests will be displayed in Proxy > Intercept, Every time you intercept a web page, it gets stuck , Manual required Forward

You can also use this tool to capture packets Cokkie Information ：

Use this tool to access the Cookie Conduct Base64 Decoder： Get a string of data , Enter into the form

You can input directly in the web page , You can also directly use the Repeater To send a request ：

According to the new tips , Guess you should enter ：tape, Return information ：

Follow the prompts to visit ：10.1.1.147:5001/Flag-Win.txt：

Follow the prompts to continue sending requests ：btzhy

Follow the prompts to visit ：10.1.1.147:5001/Flag-K0r4dji.php：

The source code of the view page is as follows ：

According to the prompt, you should enter a 2 digit , Use it directly Burp Suite Of Intruder Blasting ：

stay Proxy -> HTTP history Middle right click the packet capture path , choice Send to Intruder

stay Intruder -> Positions Middle first Clear $, Then select the local point to add parameters dynamically in the box Add $

stay Intruder -> Positions Set dynamic parameter properties in ：

After setting up , Click... In the title bar Intruder -> Start attack Start attacking ：

Check out the attack results , Found when the parameter is 66 when ,Length Different from others , It is found that the information we need is returned

The result is ：Flag{ctf_victory_SecBug}