Opening the target shows that the GET method is not allowed. Sending a POST request instead returns the following:

```
text ? pleas test teh follwing five roots,
circle <sendkey(enter)>two I'm am making an a pea eye and its grate PHP is the best <php?>printf(hello world) squaretwo :pleasequithelpwww.google. com/seaerch how to exit vim/quit :wqwhy isnt it working:wq:wq:wq:qw?</php?></sendkey(enter)>
```
At this point you have to guess that the following endpoints are present:

- /circle/one/
- /two/
- /square/
- /com/seaerch/
- /vim/quit/
For each endpoint, you have to try all HTTP verbs in order to discover the correct one to use.
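As an added example (not part of the original write-up), the verb-by-verb probing just described can be scripted. It runs against a constructed local stand-in (start_stand_in with the ROUTES table, both assumptions) that answers the way a default Werkzeug/Flask app does: a wrong verb gets 405 with an Allow header naming the accepted verbs, so a single rejected request often reveals the right verb; since the real challenge also answered CONNECT and TRACE with 200, the full verb list is still worth probing rather than stopping at the first 405.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

VERBS = ["GET", "HEAD", "POST", "PUT", "DELETE", "PATCH", "OPTIONS", "TRACE", "CONNECT"]
# Constructed routing table for the stand-in (path -> verbs answered with 200), using the pairs found by hand above.
ROUTES = {"/circle/one/": {"OPTIONS"}, "/two/": {"PUT", "CONNECT"}, "/square/": {"DELETE"},
          "/com/seaerch/": {"GET"}, "/vim/quit/": {"TRACE"}}

class StandIn(BaseHTTPRequestHandler):
    """Imitates a Werkzeug app: wrong verb -> 405 with an Allow header, unknown path -> 404."""
    def _dispatch(self):
        allowed = ROUTES.get(self.path.split("?")[0])
        if allowed is None:
            self.send_response(404)
        elif self.command not in allowed:
            self.send_response(405)
            self.send_header("Allow", ", ".join(sorted(allowed)))
        else:
            self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

for _verb in VERBS:  # http.server dispatches on do_<VERB>, so register every verb once
    setattr(StandIn, "do_" + _verb, StandIn._dispatch)

def start_stand_in():
    server = HTTPServer(("127.0.0.1", 0), StandIn)  # port 0 = any free loopback port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def probe(host, port, path, verbs=VERBS):
    """Send every verb to one path. Returns (verbs answered with 200, Allow header of the
    first 405 or None); when Allow is present it already names the accepted verbs."""
    accepted, allow = [], None
    for verb in verbs:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request(verb, path)
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        conn.close()
        if resp.status == 200:
            accepted.append(verb)
        elif resp.status == 405 and allow is None:
            allow = resp.getheader("Allow")
    return sorted(accepted), allow

if __name__ == "__main__":
    srv = start_stand_in()
    print({r: probe("127.0.0.1", srv.server_address[1], r) for r in ROUTES})
```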
The /circle/one/ endpoint will return a PDF file.

```http
OPTIONS /circle/one/ HTTP/1.1
Host: web.ctf.b01lers.com:1003
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 0

HTTP/1.0 200 OK
Content-Length: 3322704
Content-Type: application/pdf
Last-Modified: Tue, 10 Mar 2020 20:13:28 GMT
Cache-Control: public, max-age=43200
Expires: Sun, 15 Mar 2020 02:03:47 GMT
ETag: "1583871208.0-3322704-1012733123"
Server: Werkzeug/1.0.0 Python/3.7.7
Date: Sat, 14 Mar 2020 14:03:47 GMT

%PDF-1.3
```

The PDF says "Put Your Best Food Forward With HEINZ KETCHUP". At this point I had no idea of what to do next.
Two different answers can be obtained on the /two/ endpoint with the PUT and CONNECT HTTP verbs.

```http
PUT /two/ HTTP/1.1
Host: web.ctf.b01lers.com:1003
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 0

HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 15
Server: Werkzeug/1.0.0 Python/3.7.6
Date: Sat, 14 Mar 2020 10:55:40 GMT

Put the dots???
```

The CONNECT /two/ request will return a PNG image.
```http
CONNECT /two/ HTTP/1.1
Host: web.ctf.b01lers.com:1003
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 0

HTTP/1.0 200 OK
Content-Length: 67798
Content-Type: image/png
Last-Modified: Tue, 10 Mar 2020 20:13:28 GMT
Cache-Control: public, max-age=43200
Expires: Sat, 14 Mar 2020 22:56:58 GMT
ETag: "1583871208.0-67798-3337817112"
Server: Werkzeug/1.0.0 Python/3.7.6
Date: Sat, 14 Mar 2020 10:56:58 GMT

PNG
```

The image contains the string up_on_noodles_, which is a part of the flag.

The /square/ endpoint will return a PNG image with a crossword puzzle.
```http
DELETE /square/ HTTP/1.1
Host: web.ctf.b01lers.com:1003
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 0

HTTP/1.0 200 OK
Content-Length: 211123
Content-Type: image/png
Last-Modified: Tue, 10 Mar 2020 20:13:28 GMT
Cache-Control: public, max-age=43200
Expires: Sat, 14 Mar 2020 23:12:50 GMT
ETag: "1583871208.0-211123-3343453223"
Server: Werkzeug/1.0.0 Python/3.7.6
Date: Sat, 14 Mar 2020 11:12:50 GMT

PNG
```
The solution is the following (the horizontal word, TASTES, is the piece of the flag):

```text
    E
    S
    I
    R
    P
  E R
  C E
  A T
E P N
TASTES
 L A U
 D U L
 E   A
 R   C
 A   O
 A
 N
```
The /com/seaerch/ endpoint will return the following webpage.

```http
GET /com/seaerch/ HTTP/1.1
Host: web.ctf.b01lers.com:1003
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 0

HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 94
Server: Werkzeug/1.0.0 Python/3.7.7
Date: Sat, 14 Mar 2020 15:02:41 GMT

<htlm>
,,,,,,,,,<search> <-- comment for search --!>:
ERROR </> search=null</end>
</html>
```

At this point, you have to guess that an application/x-www-form-urlencoded parameter must be used to perform the search operation.
```http
GET /com/seaerch/ HTTP/1.1
Host: web.ctf.b01lers.com:1003
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 10
Content-Type: application/x-www-form-urlencoded

search=foo

HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 142
Server: Werkzeug/1.0.0 Python/3.7.7
Date: Sat, 14 Mar 2020 20:02:46 GMT

<htlm>
,,,,,,,,,<search> <-- comment for search --!>:
<query> foo is not a good search, please use this one instead: 'flag' <try>
</html>
```

Using the flag value will give you another part of the flag.
```http
GET /com/seaerch/ HTTP/1.1
Host: web.ctf.b01lers.com:1003
Comment: foo
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 11
Content-Type: application/x-www-form-urlencoded

search=flag

HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 126
Server: Werkzeug/1.0.0 Python/3.7.7
Date: Sat, 14 Mar 2020 20:03:13 GMT

<htlm>
,,,,,,,,,<search> <-- comment for search --!>:
<query> good search</query>
results: <p>_good_in_s</p>:w
</html>
```

The /vim/quit/ endpoint will tell you to use a query parameter.
```http
TRACE /vim/quit/ HTTP/1.1
Host: web.ctf.b01lers.com:1003
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: session=0
Upgrade-Insecure-Requests: 1

HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 109
Server: Werkzeug/1.0.0 Python/3.7.7
Date: Sat, 14 Mar 2020 19:27:54 GMT

<hteeemel<body>>
<wrong>uh oh
?exit=null
</wrong>
</>
```

Passing a random value lets you discover that a vim command must be used.
```http
TRACE /vim/quit/?exit=foo HTTP/1.1
Host: web.ctf.b01lers.com:1003
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 104
Server: Werkzeug/1.0.0 Python/3.7.7
Date: Sat, 14 Mar 2020 19:28:49 GMT

<hteeemel<body>>
<erroror><p>E492: Not an editor command: foo</p>
</errorror>
</flag>
</>
```

Considering that the name of the parameter is exit, you have to discover that :wq is the correct value to use.
```http
TRACE /vim/quit/?exit=:wq HTTP/1.1
Host: web.ctf.b01lers.com:1003
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 102
Server: Werkzeug/1.0.0 Python/3.7.7
Date: Sat, 14 Mar 2020 19:30:59 GMT

<hteeemel<body>>
<flag> well done wait </flag>
<text> this one/> <flag>pace_too}</flag>
</>
```

Putting everything together will give you the following, one piece per endpoint in the order the five "roots" were listed:

```text
1        2               3        4            5
(PDF)    up_on_noodles_  tastes   _good_in_s   pace_too}
```

At this point you can easily guess the first part of the flag (the one that refers to the PDF):

pctf{ketchup_on_noodles_tastes_good_in_space_too}