前言
刚刚结束第二届陇剑杯预选赛,简单对HD的两道简单题写个WriteUp。
hacked_1
用wireshark打开Flash.pcap,找到第一个HTTP请求,右键追踪流
页面如下:
请求:
GET / HTTP/1.1Host: 192.168.218.132:5000User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateConnection: closeUpgrade-Insecure-Requests: 1
响应:
HTTP/1.0 200 OKContent-Type: text/html; charset=utf-8Content-Length: 1594Server: Werkzeug/2.0.2 Python/3.9.12Date: Sat, 28 May 2022 11:55:40 GMT<html lang="en"><head><meta charset="UTF-8"><title>Login</title><link rel="stylesheet" href="/static/css/login.css"><script src="/static/js/aes_1.js"></script><script src="/static/js/jquery-3.2.0.min.js"></script><script language="javascript">crypt_key = 'l36DoqKUYQP0N7e1';crypt_iv = '131b0c8a7a6e072e';var key = CryptoJS.enc.Utf8.parse(crypt_key);var iv = CryptoJS.enc.Utf8.parse(crypt_iv);function Encrypt(word){srcs = CryptoJS.enc.Utf8.parse(word);var encrypted = CryptoJS.AES.encrypt(srcs, key, { iv: iv,mode:CryptoJS.mode.CBC,padding: CryptoJS.pad.Pkcs7});return encrypted.toString();}function print(){var a = Encrypt(myform.username.value);var b = Encrypt(myform.password.value);$.post({url:"/login",data:'post',dataType:'application/x-www-form-urlencoded',data:"username="+a+"&password="+b,success:function(data) {alert(data)if(data == 'aaa') {alert("............")window.location.href="/index";} else {alert("............")}}})}</script></head><body><div class="box"><h2>Login</h2><form name="myform"/><div class="inputbox"><input type="text" name="username" required=""><label>Username</label></div><div class="inputbox"><input type="password" name="password" required=""><label>Password</label></div><input type="button" name="" value="submit" onclick="print()" /></form></div></body></html>
上述响应中可知登陆时将账户名密码均进行了AES加密
密钥:l36DoqKUYQP0N7e1
偏移量:131b0c8a7a6e072e
输入wireshark过滤语句:
ip.addr==192.168.218.132 and tcp.port==5000 and http.request.method ==POST对每个登陆包进行查看,下图中数据包中表单的传输数据:
逐个对每个数据包中的用户名进行解密,发现加密后的字符串如下:
NQq5hKinIsaMmIZ7FCTC0Q==
对密码进行解密,成功拿到flag
flag{WelC0m5_TO_H3re}
hacked_2
右键用记事本打开Flash.pcap,ctrl+F即可找到答案,flag如下:
ssti_flask_hsfvaldb
wireshark追踪流截图如下:
原文始发于微信公众号(浪飒sec):【2023陇剑杯】数据分析HD-部分WriteUP
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论