"Wechall.net Challenge" Anderson application Auditing

Source: Internet
Author: User

Wechall.net is a foreign site for practicing CTF and attack/defense challenges; there are only a few write-ups for it domestically. As a beginner, I recently played a few interesting challenges and am sharing one here.

Challenge address: http://www.wechall.net/challenge/Z/aaa/index.php

The scenario is to break into a network, with some known information given.

In the page source, find www.wechall.net/challenge/Z/aaa/partners.html

Then find the technical documentation: http://www.wechall.net/challenge/Z/aaa/tech_spec.txt

It gives the administrator account and password and several pages; it turns out that only router_config.html can be logged in to with the default password

http://www.wechall.net/challenge/Z/aaa/router_config.html

Following the challenge hint, set up a routing policy to hijack the communication:

Here are the information you have already gathered:

The Softmicro's network is 207.46.197.0

Your Public IP is 17.149.160.49

After the command executes successfully, the following link is shown

http://www.wechall.net/challenge/Z/aaa/upload_md5.php

You are required to upload two files that contain two given strings; their MD5 hashes must be equal while their contents differ

The page has a hidden hint: search for MD5 collision.

Searching turns up fastcoll, where good.txt contains the two strings as a prefix

fastcoll_v1.0.0.5.exe -p good.txt

Both generated files contain the target strings; upload them

The result is the second part of the secret key

We then get a new hint.

Go back to the router interface settings

http://www.wechall.net/challenge/Z/aaa/upload_ssh.php

The fingerprint check here compares only the first 2 bits and the last 1 bit

Hidden hint: search for fuzzy fingerprinting. You can find the tool with other search words, but that's the tool you really need.

Use ssh-keygen to view the fingerprint information

E:\Program files\git\usr\bin>ssh-keygen -l -E md5 -f f:\vsa_public.pub

1024 MD5:03:88:9c:36:41:50:39:15:04:95:89:a4:15:84:fb:b3 f:\vsa_public.pub (RSA)
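Why a partial fingerprint comparison is weak, shown as an added example (not code from the challenge or from the original write-up). It assumes "first 2 and last 1" refers to the colon-separated hex groups of the MD5 fingerprint; the function names, the LOOKALIKE value and the key line are constructed for illustration.

```python
import base64, hashlib, hmac, struct

EXPECTED = "03:88:9c:36:41:50:39:15:04:95:89:a4:15:84:fb:b3"   # fingerprint shown on the page
LOOKALIKE = "03:88:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:b3"  # constructed: same ends, different middle

def _ssh_string(data: bytes) -> bytes:
    # SSH wire format: 4-byte big-endian length followed by the bytes
    return struct.pack(">I", len(data)) + data

def constructed_pubkey_line(modulus: int) -> str:
    """Build an ssh-rsa public key line from a constructed (not real) modulus."""
    def mpint(n: int) -> bytes:
        # the extra leading byte keeps the multi-precision integer positive
        return _ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))
    blob = _ssh_string(b"ssh-rsa") + mpint(65537) + mpint(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed@example"

def md5_fingerprint(pubkey_line: str) -> str:
    """Same value as `ssh-keygen -l -E md5`: MD5 over the decoded key blob."""
    digest = hashlib.md5(base64.b64decode(pubkey_line.split()[1])).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def sha256_fingerprint(pubkey_line: str) -> str:
    """The current OpenSSH default format: unpadded base64 of SHA-256."""
    digest = hashlib.sha256(base64.b64decode(pubkey_line.split()[1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def weak_check(expected: str, presented: str, head: int = 2, tail: int = 1) -> bool:
    """The flawed comparison: only the first `head` and last `tail` groups."""
    e, p = expected.lower().split(":"), presented.lower().split(":")
    return e[:head] == p[:head] and e[-tail:] == p[-tail:]

def strict_check(expected: str, presented: str) -> bool:
    """Compare the whole fingerprint, in constant time."""
    return hmac.compare_digest(expected.lower().encode(), presented.lower().encode())

def compared_bits(head: int = 2, tail: int = 1) -> int:
    """How many of the 128 MD5 bits the weak check actually looks at."""
    return 8 * (head + tail)

if __name__ == "__main__":
    line = constructed_pubkey_line((1 << 1023) | 0x1F3)   # constructed modulus
    print(md5_fingerprint(line), sha256_fingerprint(line))
    print("weak accepts lookalike:  ", weak_check(EXPECTED, LOOKALIKE))
    print("strict accepts lookalike:", strict_check(EXPECTED, LOOKALIKE))
    print("bits compared by weak check:", compared_bits(), "of 128")
```

A verifier should compare the complete fingerprint, and preferably the SHA256 form or the full public key rather than a visual or truncated match.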

https://www.thc.org/papers/ffp.html

Use the THC-FuzzyFingerprint tool to construct a private key consistent with the above fingerprint

Note 1: This is a Linux tool

Note 2: You need to comment out this part of main.c, then ./configure -> make -> make install

Note 3: Check whether the file /var/tmp/ffp.state exists; if it does, delete it, otherwise the following steps may fail

Run the fuzzy fingerprint search with this command (-l is the number of stored fingerprints)

ffp -f md5 -k rsa -b 1024 -l 1000 -t 03:88:9c:36:41:50:39:15:04:95:89:a4:15:84:fb:b3

After it has run for a long time, a key that passes the first-2-bit and last-1-bit check appears; interrupt with Ctrl+C. Running ffp again continues the search

You need to export the found keys to the /tmp directory with this command

ffp -e -d /tmp

List the keys in the /tmp directory with this command

# for i in /tmp/ssh-rsa??.pub; do ssh-keygen -f "$i" -l; done

There are too many, so grep for b3.

# for i in /tmp/ssh-rsa??.pub; do ssh-keygen -f "$i" -l; done | grep 'b3'

Then ssh-rsa00.pub is the public key and ssh-rsa00 is the private key (thought to be 3). The result is one.

www.wechall.net/challenge/Z/aaa/ssh_private_key_fingerprint.html

The hint says to go back to the router configuration and clean up the traces

route del -net 12.110.110.0 netmask 255.255.255.0 gw 17.149.160.49

route del -net 207.46.197.0 netmask 255.255.255.0 gw 17.149.160.49

The secret strings obtained at each stage are then submitted, done!

Routeevilmd5mitmfingerprintgameover
