Preface
The second Longjian Cup (陇剑杯) preliminary round has just ended; this is a short write-up of two easy problems from the HD (data analysis) category.
hacked_1
Open Flash.pcap in Wireshark, locate the first HTTP request, right-click it and choose Follow TCP Stream.
The page looks like this:
Request:
GET / HTTP/1.1
Host: 192.168.218.132:5000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Response:
HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 1594
Server: Werkzeug/2.0.2 Python/3.9.12
Date: Sat, 28 May 2022 11:55:40 GMT
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Login</title>
<link rel="stylesheet" href="/static/css/login.css">
<script src="/static/js/aes_1.js"></script>
<script src="/static/js/jquery-3.2.0.min.js"></script>
<script language="javascript">
crypt_key = 'l36DoqKUYQP0N7e1';
crypt_iv = '131b0c8a7a6e072e';
var key = CryptoJS.enc.Utf8.parse(crypt_key);
var iv = CryptoJS.enc.Utf8.parse(crypt_iv);
function Encrypt(word){
srcs = CryptoJS.enc.Utf8.parse(word);
var encrypted = CryptoJS.AES.encrypt(srcs, key, { iv: iv,mode:CryptoJS.mode.CBC,padding: CryptoJS.pad.Pkcs7});
return encrypted.toString();
}
function print(){
var a = Encrypt(myform.username.value);
var b = Encrypt(myform.password.value);
$.post({
url:"/login",
data:'post',
dataType:'application/x-www-form-urlencoded',
data:"username="+a+"&password="+b,
success:function(data) {
alert(data)
if(data == 'aaa') {
alert("............")
window.location.href="/index";
} else {
alert("............")
}
}
})
}
</script>
</head>
<body>
<div class="box">
<h2>Login</h2>
<form name="myform"/>
<div class="inputbox">
<input type="text" name="username" required="">
<label>Username</label>
</div>
<div class="inputbox">
<input type="password" name="password" required="">
<label>Password</label>
</div>
<input type="button" name="" value="submit" onclick="print()" />
</form>
</div>
</body>
</html>
From the response above it is clear that, at login time, the browser AES-encrypts both the username and the password before submitting them (AES-CBC with PKCS7 padding, as the page's Encrypt() function shows), using a key and IV hard-coded in the page:
Key: l36DoqKUYQP0N7e1
IV: 131b0c8a7a6e072e
Enter the following Wireshark display filter:
ip.addr==192.168.218.132 and tcp.port==5000 and http.request.method ==POST
Inspect each login packet; the figure below shows the form data carried in one of them:
Going through the packets one by one and decrypting the username field, the encrypted string found is:
NQq5hKinIsaMmIZ7FCTC0Q==
Decrypting the password yields the flag:
flag{WelC0m5_TO_H3re}
hacked_2
Right-click Flash.pcap and open it in Notepad; Ctrl+F finds the answer directly. The flag is:
ssti_flask_hsfvaldb
Wireshark follow-stream screenshot:
Originally published on the WeChat public account 浪飒sec: 【2023陇剑杯】数据分析HD-部分WriteUP