0x01 Wechall writeup

0x01 Wechall writeup

目录

• 0x01 Wechall writeup
  • Limited Access
  • Training: Crypto - Caesar II
  • Impossible n'est pas français
  • Training: Crypto - Substitution I
  • Limited Access Too
  • PHP 0818
  • Training: Net Ports
  • Training: Encodings I
  • Training: Baconian
  • Training: Crypto - Digraphs
  • Training: Regex
  • Training: MySQL II
  • Training: Warchall - The Beginning

Limited Access

权限限制，限制了GET方法，改用POST或其他请求方式绕过限制

Plaintext code for .htaccess
AuthUserFile .htpasswd

AuthGroupFile /dev/null

AuthName "Authorization Required for the Limited Access Challenge"

AuthType Basic

<Limit GET>

require valid-user

</Limit>

---

Training: Crypto - Caesar II

明显是ascii码的数字，直接编写脚本，观察输出即可找到password

if __name__ == '__main__':
    str = '''XXXXXXXXXXXXXX'''
    str = str.split()
    for j in range(0, 256):
        for i in str:
            print(chr((int(i,16)+j)%128), end='')
        print()

---

Impossible n'est pas français

分解质因数，6秒内分解数百位的数字几乎不能实现，但是发现提交错误答案后会返回正确的答案，直接写脚本提交一次错误答案然后获取正确答案再次提交

---

Training: Crypto - Substitution I

还是凯撒加密，直接用词频分析破解网站

---

Limited Access Too

还是限制请求方法，除了PATCH其余都被限制了，使用PATCH绕过限制

---

PHP 0818

考虑ord()函数返回字符串的首个字符的ASCII值，提交3735929054的十六进制

---

Training: Net Ports

使用curl中 --local-port [端口]命令，校园网可以成功，但是联通网始终无法生效，也许是运营商限制了端口使用

---

Training: Encodings I

全是0和1先想办法转换成ascii字符，441位除8除不尽，考虑七位分一组，最前加0构造ascii码

---

Training: Baconian

培根加密，密文只有a和b，一般使用斜体字母为a其余为b，此处可假设大写为a小写为b，每五个ab为一组对应一个字母，U\V和I\J有可能拥有相同编码,先用python解出培根密码再用培根解密

---

Training: Crypto - Digraphs

字母两两配对替换一个真实字母，猜测第一个单词是congratulations.然后得出一部分密码对应，再逐步解码

---

Training: Regex

正则表达式的应用，注意正则表达式的前后在这里要加上/再提交，最后一个/^(wechall4?).(?:jpg|gif|tiff|bmp|png)$/

---

Training: MySQL II

用union直接把构造的账户密码传入

1' union select 1,'admin',md5('123') -- &password=123&login=Login

---

Training: Warchall - The Beginning

level0 was the welcome text:
$ grep solution 0/README.txt //grep搜索获取匹配模式的一行字符
Oh .... and your solution to level0 is: "bitwarrior" without the quotes.

level1 was finding the solution out of various files
$ find 1
gave me a file called SOLUTION.txt
$ grep solution 1/blue/pill/hats/gray/solution/is/SOLUTION.txt
Your solution for this level is: LameStartup

level2 was a hidden file //获取隐藏文件ls -a(显示所有文件目录选项)
$ grep solution 2/.porb/.solution
The solution is HiddenIsConfig

level3 was finding the solution in the bash_history file //.bash_history文件包含了操作历史
$ grep solution 3/.bash_history
The solution to SSH3 is: RepeatingHistory

level4 was chmod the file in your home dir (~) //chmod改变文件的权限

level5 was protecting your home folder:
$ umask 0077 //umask修改初始化文件的默认权限
$ chmod -R 0700 ~