Vocational school Panyun network security competition ----- exploration of hidden information

Hidden information exploration

Mission environment description ：

• Server scenario ：Web20200529
• Server scenario operating system ： Unknown （ Close links ）

1. Via local PC Medium penetration test platform Kali For the server scenario Web20200529 Visit the web site in , Find... In the login interface FLAG, And will FLAG Submit ;

Into the F12 see , find Sources Options , Find... In it class.css, Turn down and you'll find it flag

Flag：WELCOME TO CSS!

1. Via local PC Medium penetration test platform Kali For the server scenario Web20200529 Visit the web site in , Find... In the background of the login interface FLAG, And will FLAG Submit ;

Use burpsuite Capture the login interface , Then find the picture and copy the picture address , stay burpsuite Add the address of the picture to access

Flag：Picturemerge

1. Via local PC Medium penetration test platform Kali For the server scenario Web20200529 Visit the web site in , Login in the login interface , After the login is successful, find... In the successful interface FLAG And submit ;

Sqlmap A shuttle , Directly explode the database to obtain the account and password

Sqlmap -u http://172.16.101.250/index.html --forms --level 5 --risk 3 --batch –dbs

First click go Click again follow redirection

Flag：4C6F67696E207375636365737366756C

1. Via local PC Medium penetration test platform Kali For the server scenario Web20200529 Visit the web site in , After successful login, find the moon in the page , Decrypt the information in the moon , And will After decryption Information about As FLAG Submit ;

After successful login , Jump to dlc.html page

Click the moon in the upper right corner , Pop up window , Guess it is base64 It's encoded , utilize base64 -d decode

Flag：Base64decryptedsuccessfully

1. Via local PC Medium penetration test platform Kali For the server scenario Web20200529 Visit the web site in , After successful login, find the cross star in the page , Download the contents of the page in the cross star , Decrypt the downloaded file , And take the decrypted file content as FLAG Submit ;

utilize Ctrl+A, You can find a star in the lower right corner that can be clicked

Click to download one test.zip file , Then decompress

Extract one test file , One inside. flag.png, Then check it out flag.png

Flag：UF71K2TW5JM88QZ8WMNTWKUY4

1. Via local PC Medium penetration test platform Kali For the server scenario Web20200529 Visit the web site in , Login in the login interface , After the login fails, find the link in the page, access the connection and download the file , Use the full name of the hidden file as FLAG Submit ;

First click go Click again follow redirection

Access in Google browser treasure.html

Access link , Downloaded a bg.jpg file

utilize steghide Tools to crack pictures , The password is empty. , Get one a.txt file

Flag：a.txt

1. Via local PC Medium penetration test platform Kali For the server scenario Web20200529 Visit the web site in , Login in the login interface , After the login fails, find the link in the page, access the connection and download the file , Take the contents of the hidden information file in the file as FLAG Submit ;

open a.txt file , See the file header is PNG, This should be a png Pictures of the

Change the suffix to png, Get picture content

1. Via local PC Medium penetration test platform Kali For the server scenario Web20200529 Visit the web site in , Look for hidden information on each page , Merge each piece of information in order , As FLAG Submit ;

1：index.html

2：class.css

3：dlc.html

4：treasure.html

Flag：Please check every question