BUUCTF [BSidesCF 2020] Hurdles-解题步骤详解

admin 2022年5月15日01:26:13评论36 views字数 4677阅读15分35秒阅读模式

BUUCTF [BSidesCF 2020] Hurdles-解题步骤详解考点:

HTTP 请求中的Header 参数

curl命令的常用参数

启动环境:

BUUCTF [BSidesCF 2020] Hurdles-解题步骤详解

只给出了一句话:若要获得flag,需要克服些障碍,其中/hurdles猜测为URL路径,访问得到:

BUUCTF [BSidesCF 2020] Hurdles-解题步骤详解

需要使用PUT方式请求,使用curl命令,完成:

curl -X PUT http://node3.buuoj.cn:28174/hurdles

其中-X表示指定HTTP请求方式

得到返回结果:

BUUCTF [BSidesCF 2020] Hurdles-解题步骤详解

抱歉,若路径以!结尾,将更加刺激,所以在末尾填入!,也就是/hurdles/!:

curl -X PUT http://node3.buuoj.cn:28174/hurdles/!

得到返回结果:

BUUCTF [BSidesCF 2020] Hurdles-解题步骤详解

需要在查询字符串中存在get=flag:

curl -X PUT 'http://node3.buuoj.cn:28174/hurdles/!?get=flag'

需要将请求链接以‘单引号包裹,访问后得到结果:

BUUCTF [BSidesCF 2020] Hurdles-解题步骤详解

需要传参的名为&=&=&,首先将其进行url编码,得到:%26%3D%26%3D%26,构造传参:

curl -X PUT 'http://node3.buuoj.cn:28174/hurdles/!?get=flag&%26%3D%26%3D%26=1'

得到结果:

BUUCTF [BSidesCF 2020] Hurdles-解题步骤详解

需要将&=&=&的值等于%00(换行符),其后还包含了一个换行符,也是进行URL编码:%2500%0a,构造传参:


curl -X PUT 'http://node3.buuoj.cn:28174/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a'

得到结果:

BUUCTF [BSidesCF 2020] Hurdles-解题步骤详解

需要指定认证,知道了用户名为player,但不知道密码,先随便猜测一个密码,使用-u参数指定:

BUUCTF [BSidesCF 2020] Hurdles-解题步骤详解

构造传参:


curl -X PUT 'http://node3.buuoj.cn:28174/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a' -u 'player:player'

得到结果:

BUUCTF [BSidesCF 2020] Hurdles-解题步骤详解

提示密码为字符串open sesame的十六进制MD5值:54ef36ec71201fdf9d1423fd26f97f6b,构造传参:


curl -X PUT 'http://node3.buuoj.cn:28174/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a' -u 'player:54ef36ec71201fdf9d1423fd26f97f6b'

得到结果:

BUUCTF [BSidesCF 2020] Hurdles-解题步骤详解

需要使用1377 Browser浏览器,使用-A参数设置:

BUUCTF [BSidesCF 2020] Hurdles-解题步骤详解

构造传参:


curl -X PUT 'http://node3.buuoj.cn:28174/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a' -u 'player:54ef36ec71201fdf9d1423fd26f97f6b' -A '1337 Browser'

得到结果:

BUUCTF [BSidesCF 2020] Hurdles-解题步骤详解

需要浏览器版本为v.9000,构造传参:

curl -X PUT 'http://node3.buuoj.cn:28174/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a' -u 'player:54ef36ec71201fdf9d1423fd26f97f6b' -A '1337 Browser v.9000'

得到结果:

BUUCTF [BSidesCF 2020] Hurdles-解题步骤详解

期待有人将这个转发给我,提示给出了Forwarded-For,猜测为修改X-Forwared-For为127.0.0.1,使用-H参数添加HTTP请求头X-Forwarded-For:127.0.0.1:

curl -X PUT 'http://node3.buuoj.cn:28174/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a' -u 'player:54ef36ec71201fdf9d1423fd26f97f6b' -A '1337 Browser v.9000' -H 'X-Forwarded-For:127.0.0.1'

得到结果:

BUUCTF [BSidesCF 2020] Hurdles-解题步骤详解

需要使用代理,需要额外的代理转发,尝试使用1.1.1.1,构造传参:

curl -X PUT 'http://node3.buuoj.cn:28174/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a' -u 'player:54ef36ec71201fdf9d1423fd26f97f6b' -A '1337 Browser v.9000' -H 'X-Forwarded-For:1.1.1.1,127.0.0.1'

得到回显:

BUUCTF [BSidesCF 2020] Hurdles-解题步骤详解

需要通过13.37.13.37这个地址代理,将1.1.1.1替换:

curl -X PUT 'http://node3.buuoj.cn:28174/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a' -u 'player:54ef36ec71201fdf9d1423fd26f97f6b' -A '1337 Browser v.9000' -H 'X-Forwarded-For:13.37.13.37,127.0.0.1'

得到回显:

BUUCTF [BSidesCF 2020] Hurdles-解题步骤详解

需要Cookie,猜测参数名为Fortune,使用参数-b:

BUUCTF [BSidesCF 2020] Hurdles-解题步骤详解

构造传参:


curl -X PUT 'http://node3.buuoj.cn:28174/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a' -u 'player:54ef36ec71201fdf9d1423fd26f97f6b' -A '1337 Browser v.9000' -H 'X-Forwarded-For:13.37.13.37,127.0.0.1' -b 'Fortune=1'

得到结果:

BUUCTF [BSidesCF 2020] Hurdles-解题步骤详解

需要Cookie中包含2011年的RFC编号,通过查阅资料:Datatracker

BUUCTF [BSidesCF 2020] Hurdles-解题步骤详解

了解到2011版的RFC协议的值为6265,构造传参:

curl -X PUT 'http://node3.buuoj.cn:29486/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a' -u 'player:54ef36ec71201fdf9d1423fd26f97f6b' -A '1337 Browser v.9000' -H 'X-Forwarded-For:13.37.13.37,127.0.0.1' -b 'Fortune=6265'

得到结果:

BUUCTF [BSidesCF 2020] Hurdles-解题步骤详解

只接受纯文本(MIME)形式的请求,依然通过-H参数添加请求头信息Accept:text/plain,构造传参:

curl -X PUT 'http://node3.buuoj.cn:29486/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a' -u 'player:54ef36ec71201fdf9d1423fd26f97f6b' -A '1337 Browser v.9000' -H 'X-Forwarded-For:13.37.13.37,127.0.0.1' -b 'Fortune=6265' -H 'Accept:text/plain'

得到结果:

BUUCTF [BSidesCF 2020] Hurdles-解题步骤详解

俄语看不懂了,使用百度翻译:

BUUCTF [BSidesCF 2020] Hurdles-解题步骤详解

猜测其应该说的是Accept-Language请求头属性,查阅资料:语言代码缩写表大全(用于Accept-Language)

得到俄语的表示为ru,构造传参:

curl -X PUT 'http://node3.buuoj.cn:29486/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a' -u 'player:54ef36ec71201fdf9d1423fd26f97f6b' -A '1337 Browser v.9000' -H 'X-Forwarded-For:13.37.13.37,127.0.0.1' -b 'Fortune=6265' -H 'Accept:text/plain' -H 'Accept-Language:ru;'


得到结果:

BUUCTF [BSidesCF 2020] Hurdles-解题步骤详解

需要使请求来自

https://ctf.bsidessf.net

,尝试添加了请求头Referer属性,但始终未能成功进入下一个,发现是

origin:https://ctf.bsidessf.net

,构造传参:

curl -X PUT 'http://node3.buuoj.cn:29486/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a' -u 'player:54ef36ec71201fdf9d1423fd26f97f6b' -A '1337 Browser v.9000' -H 'X-Forwarded-For:13.37.13.37,127.0.0.1' -b 'Fortune=6265' -H 'Accept:text/plain' -H 'Accept-Language:ru;' -H 'origin:https://ctf.bsidessf.net'

得到结果:

BUUCTF [BSidesCF 2020] Hurdles-解题步骤详解

这次才是Referer属性,添加请求头

Referer:https://ctf.bsidessf.net/challenges

,构造传参:

curl -X PUT 'http://node3.buuoj.cn:29486/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a' -u 'player:54ef36ec71201fdf9d1423fd26f97f6b' -A '1337 Browser v.9000' -H 'X-Forwarded-For:13.37.13.37,127.0.0.1' -b 'Fortune=6265' -H 'Accept:text/plain' -H 'Accept-Language:ru;' -H 'origin:https://ctf.bsidessf.net' -H 'Referer:https://ctf.bsidessf.net/challenges'

得到结果:

BUUCTF [BSidesCF 2020] Hurdles-解题步骤详解

终于结束了,但是没回显flag,猜测可能在返回的头信息中,添加-i参数,查看回显的头信息:

curl -i -X PUT 'http://node3.buuoj.cn:29486/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a' -u 'player:54ef36ec71201fdf9d1423fd26f97f6b' -A '1337 Browser v.9000' -H 'X-Forwarded-For:13.37.13.37,127.0.0.1' -b 'Fortune=6265' -H 'Accept:text/plain' -H 'Accept-Language:ru;' -H 'origin:https://ctf.bsidessf.net' -H 'Referer:https://ctf.bsidessf.net/challenges'

得到结果:

BUUCTF [BSidesCF 2020] Hurdles-解题步骤详解

成功得到flag。

原文来自CSDN博主「Senimo_」|侵删




BUUCTF [BSidesCF 2020] Hurdles-解题步骤详解

BUUCTF [BSidesCF 2020] Hurdles-解题步骤详解


中电运行是专业专注培养能源企业IT工匠和提供IT整体解决方案的服务商,也是能源互联网安全专家。

为方便大家沟通,中电运行开通“中电运行交流群”,诚挚欢迎能源企业和相关人士,以及对网络安全感兴趣的群体加入本群,真诚交流,互相学习BUUCTF [BSidesCF 2020] Hurdles-解题步骤详解BUUCTF [BSidesCF 2020] Hurdles-解题步骤详解。想加入我们就给我们留言吧BUUCTF [BSidesCF 2020] Hurdles-解题步骤详解

BUUCTF [BSidesCF 2020] Hurdles-解题步骤详解

BUUCTF [BSidesCF 2020] Hurdles-解题步骤详解

小白必读!寰宇卫士手把手教你栈溢出(上)

手把手教你栈溢出(中)

手把手教你栈溢出(下)

《信息安全知识》之法律关键常识汇总

CTF经验分享|带你入门带你飞!

BUUCTF [BSidesCF 2020] Hurdles-解题步骤详解

原文始发于微信公众号(寰宇卫士):BUUCTF [BSidesCF 2020] Hurdles-解题步骤详解

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年5月15日01:26:13
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   BUUCTF [BSidesCF 2020] Hurdles-解题步骤详解https://cn-sec.com/archives/1005225.html

发表评论

匿名网友 填写信息