WeChall.net is a foreign site for practicing CTF and attack/defense challenges; domestically there are only a few writeups for it. As a beginner, I recently played a few interesting challenges and am sharing them here.
Challenge address: http://www.wechall.net/challenge/Z/aaa/index.php
The premise is to break into a network, with some known information provided.
In the page source, find www.wechall.net/challenge/Z/aaa/partners.html
Then find the technical documentation: http://www.wechall.net/challenge/Z/aaa/tech_spec.txt
It gives the Administrator account password and several pages; only router_config.html can be logged in to with the default password.
http://www.wechall.net/challenge/Z/aaa/router_config.html
Following the challenge hint, set up a routing policy to hijack the communication:
Here are the information you have already gathered:
The Softmicro's network is 207.46.197.0
Your Public IP is 17.149.160.49
After the command executes successfully, the following prompt appears:
http://www.wechall.net/challenge/Z/aaa/upload_md5.php
It requires uploading two files that both contain two given strings; their MD5 hashes must be equal while their contents differ.
The page has a hidden hint: search for MD5 collision.
Searching turns up fastcoll. Here good.txt contains the two strings and is used as the prefix:
fastcoll_v1.0.0.5.exe -p good.txt
Both output files contain the target strings; upload them.
The result is the second part of the secret key
And then we got a new tip.
Go back to the router interface settings.
http://www.wechall.net/challenge/Z/aaa/upload_ssh.php
The fingerprint check here only checks the first 2 bits and the last 1 bit.
Hidden hint: search for fuzzy fingerprinting. You can find the tool with other search words, but that's the tool you really need.
Use ssh-keygen to view the fingerprint information:
E:\Program files\git\usr\bin>ssh-keygen -l -E md5 -f f:\vsa_public.pub
1024 MD5:03:88:9c:36:41:50:39:15:04:95:89:a4:15:84:fb:b3 f:\vsa_public.pub (RSA)
https://www.thc.org/papers/ffp.html
Use the THC-FuzzyFingerprint tool to construct a private key consistent with the above fingerprint.
Note 1: This is a Linux tool.
Note 2: You need to comment out this part of main.c, then run ./configure -> make -> make install
Note 3: Check whether the file /var/tmp/ffp.state exists; if it does, delete it, otherwise the following steps may fail.
Fuzz the fingerprint with the following command (-l is the number of stored fingerprints):
ffp -f md5 -k rsa -b 1024 -l 1000 -t 03:88:9c:36:41:50:39:15:04:95:89:a4:15:84:fb:b3
Let it run for a long time until you see a key that passes the first-2-bit and last-1-bit check, then interrupt with Ctrl+C; ffp can continue the run later.
Export the keys that were found to the /tmp directory with the following command:
ffp -e -d /tmp
List the keys in the /tmp directory with this command:
# for i in /tmp/ssh-rsa??.pub; do ssh-keygen -f $i -l; done
Too many; grep for b3.
# for i in /tmp/ssh-rsa??.pub; do ssh-keygen -f $i -l; done | grep 'b3'
So ssh-rsa00.pub is the public key and ssh-rsa00 is the private key (I thought there would be 3; the result is one).
www.wechall.net/challenge/Z/aaa/ssh_private_key_fingerprint.html
The prompt says to go back to the routing configuration and clean up the traces:
route del -net 12.110.110.0 netmask 255.255.255.0 gw 17.149.160.49
route del -net 207.46.197.0 netmask 255.255.255.0 gw 17.149.160.49
Then submit the secret string obtained at each stage, and it's done!
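Why the partial fingerprint check in this stage is weak, as an added example (not part of the original writeup or the challenge code): it compares the page's fingerprint with a constructed look-alike under a partial check and under a full check. The function names, the LOOKALIKE value and the reading of "first 2 / last 1" as colon-separated groups are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac

# Fingerprint quoted on the page (ssh-keygen -l -E md5 output).
TARGET = "03:88:9c:36:41:50:39:15:04:95:89:a4:15:84:fb:b3"
# Constructed value: same first two and last groups, different middle.
LOOKALIKE = "03:88:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:b3"


def md5_fingerprint(pubkey_line):
    """MD5 fingerprint of an OpenSSH public key line ("type base64 comment")."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def partial_match(expected, presented, head=2, tail=1):
    """Weak check (assumed form): compare only the outer groups."""
    e = expected.lower().split(":")
    p = presented.lower().split(":")
    if len(e) != len(p):
        return False
    # len(e) - tail avoids the e[-0:] pitfall when tail is 0.
    return e[:head] == p[:head] and e[len(e) - tail:] == p[len(p) - tail:]


def full_match(expected, presented):
    """Strict check: the whole fingerprint, compared in constant time."""
    return hmac.compare_digest(expected.lower().encode(),
                               presented.lower().encode())


def search_space(head=2, tail=1):
    """Number of distinct fingerprints the weak check can tell apart."""
    return 256 ** (head + tail)


if __name__ == "__main__":
    print("partial check accepts look-alike:", partial_match(TARGET, LOOKALIKE))
    print("full check accepts look-alike:   ", full_match(TARGET, LOOKALIKE))
    print("values distinguished, weak vs full:", search_space(), "vs", 256 ** 16)
```

A verifier should compare the complete fingerprint, and preferably a SHA-256 one, since every group left unchecked shrinks the space a look-alike key has to hit.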
Routeevilmd5mitmfingerprintgameover
"Wechall.net Challenge" Anderson application Auditing