All categories (58)
Union (Linux) 1. User Start! Organizing from the point where I started writing the write-up, haha. So the Nginx web root config file is over there. Opening the config.php file found with ffuf. Everyone keeps going on about ffuf, so I gave it a try lol. ┌──(root㉿P00075445-006)-[/home/surckers] └─# ffuf -t 1000 -w directory-list-2.3-big.txt -u http://union.htb/FUZZ -e .php /'___\ /'___\ /'___\ /\ \__/ /\ \__/ __ __ /\ \__/ \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\ \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/ \ \..
Characteristics by DBMS. Oracle: SELECT 'Hello, World!' FROM DUAL; SQL Server: DECLARE @msg NVARCHAR(50) = 'Hello, World!'; SELECT @msg; (FROM sysobjects; can be used) MySQL: SELECT 'Hello, World!'; PostgreSQL: SELECT 'Hello, World!'; SQLite: SELECT 'Hello, World!'; IBM DB2: SELECT 'Hello, World!' FROM sysibm.sysdummy1;
pov (win) pov, which we did as a team! It really is more fun doing it together~ Site analysis. nmap: only port 80 is open externally. ┌──(root㉿DESKTOP-SQ6IV61)-[/home/surckers] └─# nmap -sCV -p 80 10.129.230.183 Starting Nmap 7.94SVN () at 2024-05-30 16:51 KST Nmap scan report for 10.129.230.183 Host is up (0.33s latency). PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 10.0 |*http-title: pov.htb | http-methods: |*Potentially risky methods: TRACE |_http-server-h..
mark down (angstrom CTF) 1. Source analysis. index.js: const crypto = require('crypto') const express = require('express') const app = express() const posts = new Map() /* declare the posts Map object! something like (id, data) */ app.use(express.urlencoded({ extended: false })) app.get('/', (_req, res) => { const placeholder = [ '# Note title', 'Content of the note. You can use *italics*!', /* *italics* => Markdown can be used */ ].join('\n') res.type('text/h..
solarlab 1. Reconnaissance #nmap ┌──(root㉿DESKTOP-SQ6IV61)-[/home/surckers] └─# nmap -sCV -p 80,135,139,445,6791 10.129.33.115 Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-28 21:10 KST Nmap scan report for 10.129.33.115 Host is up (0.28s latency). PORT STATE SERVICE VERSION 80/tcp open http nginx 1.24.0 |_http-server-header: nginx/1.24.0 |_http-title: Did not follow redirect to http://solarlab.h..
Textbook-HMAC A challenge about the length extension attack, an attack that can be used against hashes such as MD5 and SHA256. 1. Code analysis. import hashlib import os K = os.urandom(500) flag = open("flag.txt", "r").read() def HMAC(M): return hashlib.md5(K + M).digest() m1 = b"Dreamhack" h1 = HMAC(m1) print(f"HMAC(\"Dreamhack\") = {bytes.hex(h1)}") m2 = bytes.fromhex(input("Your message: ")) h2 = bytes.fromhex(input("Your hash: ")) if m2 != m1 and h2 == HMAC(m2): print..
Stupid GCC 1. Source analysis. #include #include #include int main() { uint8_t v1 = 0; int v2 = 0; char v3[31]; uint16_t v4[10]={0,}; while (v4[v1] 10000) { FILE *fp = fopen("/flag.txt", "r"); fgets(v3, 31, fp); fclose(fp); fp = fopen("/home/stupid_gcc/flag.txt", "w"); fwrite(v3, 31, 1, fp); fclose(fp); return 0;..
Giddy 1. Reconnaissance 1-1 Running nmap ┌──(root㉿DESKTOP-SQ6IV61)-[/home/surckers] └─# nmap -sT -p- --min-rate 10000 10.129.96.140 Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-15 15:20 KST Nmap scan report for 10.129.96.140 Host is up (0.28s latency). Not shown: 65531 filtered tcp ports (no-response) PORT STATE SERVICE 80/tcp open http 443/tcp open https 3389/tcp open ms-wbt-server 5985/tcp open w..