[BSidesCF 2020]Hurdles

[BSidesCF 2020]Hurdles

打开题目，题目提示访问/hurdles

所以输入/hurdles，返回提示讲要使用PUT请求方法

提示要在路径后面加上！

提示URL中没有?get=flag

提示在寻找&=&=&参数，所以将其进行url编码，得到：%26%3D%26%3D%26，构造传参：

提示要使&=&=&的值为%00，%00后还包含了一个换行符，也是进行URL编码 %2500%0a，构造传参：

需要指定认证，知道了用户名为player，但不知道密码，先随便猜测一个密码，使用-u参数指定：

curl -X PUT "http://node5.buuoj.cn:26435/hurdles/?get=flag&%26%3D%26%3D%26=%2500%0a" -u "player:player"

提示要求使用open sesame的MD5加密作为密码（54ef36ec71201fdf9d1423fd26f97f6b）

curl -X PUT "http://node5.buuoj.cn:26435/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a" -u "player:54ef36ec71201fdf9d1423fd26f97f6b"

提示使用1337浏览器， 使用-A参数设置：

curl -X PUT "http://node5.buuoj.cn:26435/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a" -u "player:54ef36ec71201fdf9d1423fd26f97f6b" -A "1337 Browser"

提示希望浏览器的版本超过9000 ，加上v.9000

curl -X PUT "http://node5.buuoj.cn:26435/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a" -u "player:54ef36ec71201fdf9d1423fd26f97f6b" -A "1337 Browser v.9000"

提示这个转发给我，提示给出了X-Forwared-For，猜测将X-Forwared-For修改为127.0.0.1，使用-H参数添加HTTP请求头 X-Forwared-For:127.0.0.1

curl -X PUT "http://node5.buuoj.cn:26435/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a" -u "player:54ef36ec71201fdf9d1423fd26f97f6b" -A "1337 Browser v.9000" -H "X-Forwared-For:127.0.0.1"

提示需要使用代理，需要额外的代理转发，尝试使用1.1.1.1，构造传参

curl -X PUT "http://node5.buuoj.cn:26435/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a" -u "player:54ef36ec71201fdf9d1423fd26f97f6b" -A "1337 Browser v.9000" -H "X-Forwared-For:1.1.1.1,127.0.0.1"

需要通过13.37.13.37这个地址代理，将1.1.1.1替换

>curl -X PUT "http://node5.buuoj.cn:26435/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a" -u "player:54ef36ec71201fdf9d1423fd26f97f6b" -A "1337 Browser v.9000" -H "X-Forwarded-For:13.37.13.37,127.0.0.1"

提示要有cookie， 猜测参数名为Fortune，使用参数-b

curl -X PUT "http://node5.buuoj.cn:26435/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a" -u "player:54ef36ec71201fdf9d1423fd26f97f6b" -A "1337 Browser v.9000" -H "X-Forwarded-For:13.37.13.37,127.0.0.1" -b "Fortune=1"

提示：抱歉，我原本期望Cookie中包含HTTPCookie(状态管理机制)RFC的编号，来自201

通过查看https://datatracker.ietf.org/doc/rfc6265/了解到2011版的RFC协议的值为6265，构造传参：

curl -X PUT "http://node5.buuoj.cn:26435/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a" -u "player:54ef36ec71201fdf9d1423fd26f97f6b" -A "1337 Browser v.9000" -H "X-Forwarded-For:13.37.13.37,127.0.0.1" -b "Fortune=6265"

提示：我期望您仅接受纯文本媒体 (MIME)类型， 依然通过-H参数添加请求头信息Accept:text/plain，构造传参：

curl -X PUT "http://node5.buuoj.cn:26435/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a" -u "player:54ef36ec71201fdf9d1423fd26f97f6b" -A "1337 Browser v.9000" -H "X-Forwarded-For:13.37.13.37,127.0.0.1" -b "Fortune=6265" -H "Accept:text/plain"

百度翻译

猜测其应该说的是Accept-Language请求头属性，查阅资料：语言代码缩写表大全（用于Accept-Language）

得到俄语的表示为ru，构造传参：

curl -X PUT "http://node5.buuoj.cn:26435/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a" -u "player:54ef36ec71201fdf9d1423fd26f97f6b" -A "1337 Browser v.9000" -H "X-Forwarded-For:13.37.13.37,127.0.0.1" -b "Fortune=6265" -H "Accept:text/plain" -H "Accept-Language:ru"

提示：抱歉，我本希望与源站https://ctf.bsidessf.net共享资源。-H "origin:https://ctf.bsidessf.net"，构造传参

curl -X PUT "http://node5.buuoj.cn:26435/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a" -u "player:54ef36ec71201fdf9d1423fd26f97f6b" -A "1337 Browser v.9000" -H "X-Forwarded-For:13.37.13.37,127.0.0.1" -b "Fortune=6265" -H "Accept:text/plain" -H "Accept-Language:ru" -H "origin:https://ctf.bsidessf.net"

提示：很抱歉，我本以为你会通过https://ctf.bsidessf.net/challenges这条链接被引荐过来，使用Referer属性，添加请求头Referer:https://ctf.bsidessf.net/challenges，构造传参：

curl -X PUT "http://node5.buuoj.cn:26435/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a" -u "player:54ef36ec71201fdf9d1423fd26f97f6b" -A "1337 Browser v.9000" -H "X-Forwarded-For:13.37.13.37,127.0.0.1" -b "Fortune=6265" -H "Accept:text/plain" -H "Accept-Language:ru" -H "origin:https://ctf.bsidessf.net" -H "Referer:https://ctf.bsidessf.net/challenges"

返回恭喜，但是没有flag， 猜测可能在返回的头信息中，添加-i参数，查看回显的头信息：

curl -i -X PUT "http://node5.buuoj.cn:26435/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a" -u "player:54ef36ec71201fdf9d1423fd26f97f6b" -A "1337 Browser v.9000" -H "X-Forwarded-For:13.37.13.37,127.0.0.1" -b "Fortune=6265" -H "Accept:text/plain" -H "Accept-Language:ru" -H "origin:https://ctf.bsidessf.net" -H "Referer:https://ctf.bsidessf.net/challenges"

flag{a69de611-fec9-416d-be1c-7b4836ecafe9}