BSidesCF2020-Hurdles
Created At : 2025-05-08 16:21
BSidesCF2020-Hurdles, reference blog: https://blog.csdn.net/weixin_44037296/article/details/112298411
First, open the page.
It tells us to visit /hurdles.
The -X parameter sets the request method. We need to send a PUT request, which we do with curl (Burp Suite works too):
```bash
curl -X PUT http://node5.buuoj.cn:27219/hurdles
```
The response:
It tells us to append ! to the end of the path:
```bash
curl -X PUT http://node5.buuoj.cn:27219/hurdles/!
```
The response:
It tells us the query string must contain get=flag:
```bash
curl -X PUT http://node5.buuoj.cn:27219/hurdles/!?get=flag
```
The response:
It wants a parameter named &=&=&. First URL-encode the name, which gives %26%3D%26%3D%26, then build the query:
```bash
curl -X PUT "http://node5.buuoj.cn:27219/hurdles/!?get=flag&%26%3D%26%3D%26=1"
```
Note: from here on the URL must be wrapped in quotes, otherwise the shell would treat & as a background operator (in an interactive bash the !? sequence also triggers history expansion; single quotes or set +H avoid that).
The response:
The value of the &=&=& parameter must be %00 followed by a newline, which URL-encodes to %2500%0a:
```bash
curl -X PUT "http://node5.buuoj.cn:27219/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a"
```
The response:
The -u parameter supplies credentials. Authentication is required; we know the username is player but not the password, so guess one for now and pass it with -u.
Build the request:
```bash
curl -X PUT "http://node5.buuoj.cn:27219/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a" -u "player:player"
```
The response:
It tells us the password is the hex MD5 digest of the string open sesame: 54ef36ec71201fdf9d1423fd26f97f6b.
Build the request:
```bash
curl -X PUT "http://node5.buuoj.cn:27219/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a" -u "player:54ef36ec71201fdf9d1423fd26f97f6b"
```
The response:
The -A parameter changes the User-Agent. Now it tells us we must use the 1337 Browser; curl's -A parameter sets the User-Agent string:
```bash
curl -X PUT "http://node5.buuoj.cn:27219/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a" -u "player:54ef36ec71201fdf9d1423fd26f97f6b" -A "1337 Browser"
```
The response:
The browser version must be v.9000:
```bash
curl -X PUT "http://node5.buuoj.cn:27219/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a" -u "player:54ef36ec71201fdf9d1423fd26f97f6b" -A "1337 Browser v.9000"
```
The response:
The -H parameter adds request headers. The hint mentions Forwarded-For, so we guess it wants X-Forwarded-For set to 127.0.0.1; add the header X-Forwarded-For: 127.0.0.1 with curl's -H parameter:
```bash
curl -X PUT "http://node5.buuoj.cn:27219/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a" -u "player:54ef36ec71201fdf9d1423fd26f97f6b" -A "1337 Browser v.9000" -H "X-Forwarded-For:127.0.0.1"
```
The response:
Changing the proxy: the hint says the request must pass through a proxy, i.e. an extra forwarding hop in the X-Forwarded-For chain; try 1.1.1.1:
```bash
curl -X PUT "http://node5.buuoj.cn:27219/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a" -u "player:54ef36ec71201fdf9d1423fd26f97f6b" -A "1337 Browser v.9000" -H "X-Forwarded-For:1.1.1.1,127.0.0.1"
```
The response:
It needs the request to come through a proxy at 13.37.13.37, so replace 1.1.1.1:
```bash
curl -X PUT "http://node5.buuoj.cn:27219/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a" -u "player:54ef36ec71201fdf9d1423fd26f97f6b" -A "1337 Browser v.9000" -H "X-Forwarded-For:13.37.13.37,127.0.0.1"
```
The response:
```text
I'm sorry, I was expecting a Fortune Cookie
```
The -b parameter sends a Cookie. It wants a cookie; we guess the name is Fortune and set it with curl's -b parameter.
Build the request:
```bash
curl -X PUT "http://node5.buuoj.cn:27219/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a" -u "player:54ef36ec71201fdf9d1423fd26f97f6b" -A "1337 Browser v.9000" -H "X-Forwarded-For:13.37.13.37,127.0.0.1" -b "Fortune=1"
```
The response:
```text
I'm sorry, I was expecting the cookie to contain the number of the HTTP Cookie (State Management Mechanism) RFC from 2011.
```
The cookie must contain the number of the 2011 RFC. Looking it up on the IETF Datatracker, the 2011 HTTP State Management Mechanism RFC is 6265:
```bash
curl -X PUT "http://node5.buuoj.cn:27219/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a" -u "player:54ef36ec71201fdf9d1423fd26f97f6b" -A "1337 Browser v.9000" -H "X-Forwarded-For:13.37.13.37,127.0.0.1" -b "Fortune=6265"
```
The response:
```text
I'm sorry, I expect you to accept only plain text media (MIME) type.
```
It says only the plain-text MIME type may be accepted, so again use -H to set the Accept: text/plain request header:
```bash
curl -X PUT "http://node5.buuoj.cn:27219/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a" -u "player:54ef36ec71201fdf9d1423fd26f97f6b" -A "1337 Browser v.9000" -H "X-Forwarded-For:13.37.13.37,127.0.0.1" -b "Fortune=6265" -H "Accept:text/plain"
```
The response:
```text
I'm sorry, Я ожидал, что вы говорите по-русски.
```
This is a sentence in Russian; translated it reads
Accept-Language: we guess this refers to the Accept-Language request header. From a table of language codes for Accept-Language, Russian is ru:
```bash
curl -X PUT "http://node5.buuoj.cn:27219/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a" -u "player:54ef36ec71201fdf9d1423fd26f97f6b" -A "1337 Browser v.9000" -H "X-Forwarded-For:13.37.13.37,127.0.0.1" -b "Fortune=6265" -H "Accept:text/plain" -H "Accept-Language:ru"
```
The response:
```text
I'm sorry, I was expecting to share resources with the origin https:
```
Origin and Referer: the request must come from https://ctf.bsidessf.net. We first try adding the Referer header, which does not work, then try the Origin header:
```bash
curl -X PUT "http://node5.buuoj.cn:27219/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a" -u "player:54ef36ec71201fdf9d1423fd26f97f6b" -A "1337 Browser v.9000" -H "X-Forwarded-For:13.37.13.37,127.0.0.1" -b "Fortune=6265" -H "Accept:text/plain" -H "Accept-Language:ru" -H "origin:https://ctf.bsidessf.net"
```
The response:
```text
I'm sorry, I was expecting you would be refered by https://ctf.bsidessf.net/challenges?
```
This time it really is the Referer; add the header Referer: https://ctf.bsidessf.net/challenges:
```bash
curl -X PUT "http://node5.buuoj.cn:27219/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a" -u "player:54ef36ec71201fdf9d1423fd26f97f6b" -A "1337 Browser v.9000" -H "X-Forwarded-For:13.37.13.37,127.0.0.1" -b "Fortune=6265" -H "Accept:text/plain" -H "Accept-Language:ru" -H "origin:https://ctf.bsidessf.net" -H "Referer:https://ctf.bsidessf.net/challenges"
```
The response:
The -i parameter prints the response headers. The message congratulates us on finishing, but there is no flag in the body; we guess it is in the response headers and add -i to show them:
```bash
curl -i -X PUT "http://node5.buuoj.cn:27219/hurdles/!?get=flag&%26%3D%26%3D%26=%2500%0a" -u "player:54ef36ec71201fdf9d1423fd26f97f6b" -A "1337 Browser v.9000" -H "X-Forwarded-For:13.37.13.37,127.0.0.1" -b "Fortune=6265" -H "Accept:text/plain" -H "Accept-Language:ru" -H "origin:https://ctf.bsidessf.net" -H "Referer:https://ctf.bsidessf.net/challenges"
```
The response:
```text
HTTP/1.1 200 OK
X-Ctf-Flag: flag{8427a2e3-2f11-486f-9d32-c459f9147254}
Date: Thu, 08 May 2025 09:16:55 GMT
Content-Length: 16
Content-Type: text/plain; charset=utf-8
```
We have the flag.
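To put the whole chain of hurdles in one place, here is an added Python example (not part of the original writeup and not the challenge's own code) that assembles the final request offline as a raw HTTP/1.1 message: it percent-encodes the awkward &=&=& parameter and its %00-plus-newline value with urllib, derives the Basic authorization value from the MD5 password, lists every header the hurdles asked for, emits an equivalent curl argv, and parses the flag header out of a response. The host and port are the ones used in the writeup; the sample response bytes and the flag value in them are constructed placeholders, not captured output.

```python
"""Added example: build the final Hurdles request offline and read the flag
header from a response.  Host/port are from the writeup; the sample response
below is constructed, not captured."""
import base64
import hashlib
import shlex
from typing import Dict, List, Optional, Tuple
from urllib.parse import quote

HOST = "node5.buuoj.cn:27219"  # host:port used in the writeup
PATH = "/hurdles/!"            # the trailing "!" is one of the hurdles


def encode_query() -> str:
    """get=flag plus a parameter whose *name* is "&=&=&" and whose value is the
    literal text "%00" followed by a newline; both must be percent-encoded so
    the server's query parser sees exactly one key and one value."""
    name = quote("&=&=&", safe="")    # -> %26%3D%26%3D%26
    value = quote("%00\n", safe="")   # -> %2500%0A (the "%" itself is encoded)
    return f"get=flag&{name}={value}"


def password_for_player() -> str:
    """The challenge says the password is the hex MD5 digest of 'open sesame'."""
    return hashlib.md5(b"open sesame").hexdigest()


def basic_auth(user: str, password: str) -> str:
    """The Authorization value that curl -u user:password would send."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def request_headers() -> List[Tuple[str, str]]:
    """Every header the hurdles asked for, in the order the writeup met them."""
    return [
        ("Host", HOST),
        ("Authorization", basic_auth("player", password_for_player())),
        ("User-Agent", "1337 Browser v.9000"),
        ("X-Forwarded-For", "13.37.13.37,127.0.0.1"),
        ("Cookie", "Fortune=6265"),
        ("Accept", "text/plain"),
        ("Accept-Language", "ru"),
        ("Origin", "https://ctf.bsidessf.net"),
        ("Referer", "https://ctf.bsidessf.net/challenges"),
        ("Content-Length", "0"),  # PUT with an empty body
    ]


def build_request() -> bytes:
    """Serialise the request as the raw HTTP/1.1 message curl would send."""
    lines = [f"PUT {PATH}?{encode_query()} HTTP/1.1"]
    lines += [f"{name}: {value}" for name, value in request_headers()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def curl_command() -> List[str]:
    """Equivalent curl argv; shlex.join single-quotes the URL, which also keeps
    the '!?' sequence away from bash history expansion."""
    argv = ["curl", "-i", "-X", "PUT", f"http://{HOST}{PATH}?{encode_query()}"]
    for name, value in request_headers():
        if name not in ("Host", "Content-Length"):  # curl sets these itself
            argv += ["-H", f"{name}: {value}"]
    return argv


def parse_response(raw: bytes) -> Dict[str, object]:
    """Split a raw HTTP response into status line, lower-cased headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": status_line, "headers": headers, "body": body}


def extract_flag(raw: bytes) -> Optional[str]:
    """The flag travelled in a response *header*, not the body (hence curl -i)."""
    return parse_response(raw)["headers"].get("x-ctf-flag")


# Constructed sample response, shaped like the writeup's final output; the flag
# value is a placeholder, not the real one.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"X-Ctf-Flag: flag{placeholder-not-the-real-flag}\r\n"
    b"Content-Length: 16\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"\r\n"
    b"Congratulations!"
)

if __name__ == "__main__":
    print(build_request().decode("ascii"))
    print(shlex.join(curl_command()))
    print("flag header:", extract_flag(SAMPLE_RESPONSE))
```

Running the script prints the raw request so each hurdle can be checked against one header line, then a single-quoted curl command that is safe to paste into an interactive bash. The response parser lower-cases header names because HTTP header names are case-insensitive, which is why grepping the curl -i output for the exact spelling X-Ctf-Flag is fragile.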
Please credit the source when reposting. Readers are welcome to check the references cited in this article and to point out anything that is wrong or unclear.