Practice
BACKUP
This company has an interesting approach to backing up their routers. I sniffed the network traffic while they conducted a backup. Check if you find something interesting.
Following the TCP streams in the capture reveals a password: sup3rs3cur3
![image-20230710222532662](http://img.hzy2003628.top/image-20230710222532662.png)
Further on in the capture there is also an archive; decrypting it yields the flag.
![image-20230710222603898](http://img.hzy2003628.top/image-20230710222603898.png)
![image-20230710222811487](http://img.hzy2003628.top/image-20230710222811487.png)
flag{TelnetAndFTPAreSoVErySecure}
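The cleartext password and the recoverable archive are exactly what a defender can audit for in captures of their own network. The following Python is an added example, not part of the original write-up: it scans a reassembled FTP control stream for logins and file transfers sent without a TLS upgrade. The sample stream, the file name and the `audit_ftp_stream` function are constructed for illustration, and the assumption that the backup ran over FTP is taken from the flag text.

```python
import re

# Constructed sample, not taken from the challenge capture: a reassembled FTP
# control stream with client commands and server replies interleaved.
SAMPLE_STREAM = (
    "220 backup server ready\r\n"
    "USER backup\r\n"
    "331 Password required\r\n"
    "PASS example-password\r\n"
    "230 Login successful\r\n"
    "STOR router-config.zip\r\n"
    "226 Transfer complete\r\n"
)

CRED = re.compile(r"^(USER|PASS|ACCT)\s+(.+)$", re.I)   # RFC 959 login commands
XFER = re.compile(r"^(STOR|RETR|APPE)\s+(.+)$", re.I)   # file transfer commands
AUTH = re.compile(r"^AUTH\s+(TLS|SSL)\b", re.I)         # RFC 4217 upgrade request


def audit_ftp_stream(stream):
    """List credentials and transfers that crossed the wire unencrypted."""
    findings, auth_pending, encrypted = [], False, False
    for lineno, line in enumerate(stream.splitlines(), start=1):
        if AUTH.match(line):
            auth_pending = True
            continue
        if auth_pending and line[:3].isdigit():
            encrypted = line.startswith("234")  # 234 = server accepted the upgrade
            auth_pending = False
            continue
        if encrypted:
            continue
        m = CRED.match(line)
        if m:
            cmd, arg = m.group(1).upper(), m.group(2)
            # Report that a secret was exposed without copying it into the report.
            shown = arg if cmd == "USER" else "<redacted, %d chars>" % len(arg)
            findings.append((lineno, "cleartext-credential", cmd, shown))
            continue
        m = XFER.match(line)
        if m:
            findings.append((lineno, "cleartext-transfer", m.group(1).upper(), m.group(2)))
    return findings


if __name__ == "__main__":
    for finding in audit_ftp_stream(SAMPLE_STREAM):
        print(finding)
```

Any finding from a production capture means the backup job should move to an encrypted transport such as SFTP or FTPS, and the exposed credential should be rotated.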
CHAPGPYT
I’ve made ChatGPT implement a challenge. I hope you can solve this very hard challenge.
![image-20230710203823307](http://img.hzy2003628.top/image-20230710203823307.png)
Capturing the traffic shows two requests in total.
![image-20230710203909535](http://img.hzy2003628.top/image-20230710203909535.png)
![image-20230710203920778](http://img.hzy2003628.top/image-20230710203920778.png)
Each time a parameter is submitted, the POST request echoes back a batch of hash values.
![image-20230710203955051](http://img.hzy2003628.top/image-20230710203955051.png)
Decrypting them:
![image-20230710204048008](http://img.hzy2003628.top/image-20230710204048008.png)
This step takes some guessing: switching to a GET request, changing post_message to get_message and sending the ciphertext along turns out to decrypt it.
![image-20230710204415830](http://img.hzy2003628.top/image-20230710204415830.png)
After many attempts, it turns out the flag is printed only when the plaintext of the submitted value is 1, so sending the MD5 of 1 is enough.
![image-20230710204611096](http://img.hzy2003628.top/image-20230710204611096.png)
CSR{GrindingChatGPTUntilItGivesYOuAChallangeLol}
A GOOD VUE
Check out my cool artworks over there: goodvue.rumble.host If you want an Admin to check out your cool stuff: goodvue-bot.rumble.host
The challenge description mentions a bot, so this should be XSS.
![image-20230710204810460](http://img.hzy2003628.top/image-20230710204810460.png)
The site is built on the Vue framework.
![image-20230710204829190](http://img.hzy2003628.top/image-20230710204829190.png)
Clicking EXPLOIT triggers a pop-up.
![image-20230710204853507](http://img.hzy2003628.top/image-20230710204853507.png)
Intercepting the traffic throughout turns up one useful request.
![image-20230710205227136](http://img.hzy2003628.top/image-20230710205227136.png)
Looking through the routes reveals a parameter entry point; construct a request for it.
![image-20230710210825632](http://img.hzy2003628.top/image-20230710210825632.png)
```
Accept: application/json, text/plain, */*
Content-Type: application/json
```
![image-20230710221605124](http://img.hzy2003628.top/image-20230710221605124.png)
![image-20230710221634568](http://img.hzy2003628.top/image-20230710221634568.png)
Check whether the input gets parsed:
![image-20230710221922817](http://img.hzy2003628.top/image-20230710221922817.png)
![image-20230710221933140](http://img.hzy2003628.top/image-20230710221933140.png)
Using a remote XSS platform directly brings out the administrator's cookie; base64-decoding it gives the flag.
CSR{3v3n_vu3_c4n_h4v3_XSS}