over 9 years ago

內網探險 (Intranet Exploration) (Misc 200)

Description

To collect more information about the Chinese hacker friends taking part in BCTF, Mitnick decided to try to penetrate BCTF's internal network. Through reconnaissance and network sniffing he discovered an entry proxy leading to the internal database, and captured a small amount of traffic at the proxy entrance. Just as he was about to gather more, his activity was detected and he was kicked off the network.

http://bctf.cn/files/downloads/misc200_23633b6b34ccf6f2769d35407f6b2665.pcap

Entry proxy: 218.2.197.236:12345

Hints

  1. DNS
  2. Craft packets

Solution

Download the capture as misc200.pcap and see what is inside:

$ tshark -r misc200.pcap
  1   0.000000 202.112.50.172 -> 218.2.197.236 DNS 75 Standard query 0x1234  A shadu.baidu.com
  2   5.823182 202.112.50.172 -> 218.2.197.236 DNS 79 Standard query 0x4321  A bctf.secret.server1

Two ordinary-looking A queries, both sent to the proxy host itself. Let's connect to the entry proxy first:

$ nc 218.2.197.236 12345
Welcome to proxy system. Pleas enter secret servers information to login.
IP address of host "bctf.secret.server1":

IP address of host "bctf.secret.server2":

IP address of host "bctf.secret.server3":

IP address of host "bctf.secret.server4":

Accessing secret servers, please wait ......
Proxy cannot access the secret servers. Please input IP addresses again

The capture shows DNS queries going to 218.2.197.236, so the proxy host also runs a resolver. Let's ask it for the IPs of these hosts:

$ nslookup bctf.secret.server1 218.2.197.236
Server:         218.2.197.236
Address:        218.2.197.236#53

Name:   bctf.secret.server1
Address: 87.61.45.59

$ nslookup bctf.secret.server2 218.2.197.236
Server:         218.2.197.236
Address:        218.2.197.236#53

Name:   bctf.secret.server2
Address: 87.4.98.152

$ nslookup bctf.secret.server3 218.2.197.236
Server:         218.2.197.236
Address:        218.2.197.236#53

Name:   bctf.secret.server3
Address: 249.78.85.56

$ nslookup bctf.secret.server4 218.2.197.236
Server:         218.2.197.236
Address:        218.2.197.236#53

Name:   bctf.secret.server4
Address: 13.228.21.29
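Hint 2 says to craft packets. The nslookup probes above can be reproduced with a hand-built DNS query, which is also how you would script a larger probe loop against the proxy's resolver. This is an added example, not code from the original writeup: `build_a_query`, `read_name`, `parse_a_answers` and `resolve_a` are my names, and `sample_response` is a constructed reply (not captured) encoding the 87.61.45.59 answer seen above with a compressed name. The query it builds for shadu.baidu.com with ID 0x1234 is 33 bytes, consistent with the 75-byte frame in the capture (14 Ethernet + 20 IPv4 + 8 UDP + 33 DNS).

```ruby
require 'socket'

# Build a minimal DNS A query (RFC 1035 s4.1): 12-byte header, one question,
# no EDNS. Flags 0x0100 = standard query with recursion desired.
def build_a_query(name, id)
  header = [id, 0x0100, 1, 0, 0, 0].pack('n6')          # ID, flags, QD, AN, NS, AR
  qname  = name.b.split('.').map { |l| [l.bytesize].pack('C') + l }.join + "\x00".b
  header + qname + [1, 1].pack('n2')                    # QTYPE=A, QCLASS=IN
end

# Read a domain name at offset +off+, following compression pointers
# (s4.1.4). Returns [name, offset just past the name in the original stream].
def read_name(msg, off)
  labels, after, hops = [], nil, 0
  loop do
    len = msg.getbyte(off)
    raise 'truncated name' if len.nil?
    if len >= 0xC0                                       # 11xxxxxx: pointer
      raise 'pointer loop' if (hops += 1) > 16
      after ||= off + 2
      off = ((len & 0x3F) << 8) | msg.getbyte(off + 1).to_i
    elsif len.zero?
      after ||= off + 1
      break
    else
      labels << msg[off + 1, len]
      off += 1 + len
    end
  end
  [labels.join('.'), after]
end

# Parse a DNS response and return the A records in the answer section as
# dotted quads. Refuses replies whose ID does not match the query we sent.
def parse_a_answers(msg, expected_id)
  id, flags, qdcount, ancount = msg.unpack('n4')
  raise format('ID mismatch: %#06x', id) unless id == expected_id
  raise format('RCODE %d', flags & 0xF) unless (flags & 0xF).zero?
  off = 12
  qdcount.times do
    _, off = read_name(msg, off)
    off += 4                                             # skip QTYPE, QCLASS
  end
  Array.new(ancount) do
    _, off = read_name(msg, off)
    raise 'truncated RR' if msg.bytesize < off + 10
    type, _klass, _ttl, rdlen = msg[off, 10].unpack('nnNn')
    off += 10
    rdata = msg[off, rdlen]
    off += rdlen
    type == 1 && rdlen == 4 ? rdata.unpack('C4').join('.') : nil
  end.compact
end

# Send the query over UDP and parse the reply. This is the only network call
# here; the offline demo below does not use it.
def resolve_a(name, server, port: 53, id: rand(0x10000), timeout: 3)
  sock = UDPSocket.new
  sock.send(build_a_query(name, id), 0, server, port)
  raise "no reply from #{server}" unless IO.select([sock], nil, nil, timeout)
  reply, = sock.recvfrom(512)
  parse_a_answers(reply.b, id)
ensure
  sock&.close
end

# Constructed reply (not captured): what the proxy's resolver would send back
# for bctf.secret.server1 -> 87.61.45.59, with the answer name compressed
# as a pointer to the question (0xC00C).
def sample_response
  q = build_a_query('bctf.secret.server1', 0x4321)
  [0x4321, 0x8180, 1, 1, 0, 0].pack('n6') + q[12..-1] +
    [0xC00C, 1, 1].pack('n3') + [60].pack('N') + [4].pack('n') + [87, 61, 45, 59].pack('C4')
end

if __FILE__ == $PROGRAM_NAME
  puts build_a_query('shadu.baidu.com', 0x1234).bytesize   # 33 bytes, as in frame 1
  puts parse_a_answers(sample_response, 0x4321).inspect
  # Live probe against the challenge resolver (needs the server up):
  # puts resolve_a('bctf.secret.server1', '218.2.197.236').inspect
end
```

The ID check matters once you fire many probes at a resolver you do not trust: a reply carrying a different transaction ID is either a stale answer or a spoof, and the parser refuses it instead of silently mixing it into the results.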

These don't look like internal IPs at all, but let's try them anyway:

$ nc 218.2.197.236 12345
Welcome to proxy system. Pleas enter secret servers information to login.
IP address of host "bctf.secret.server1":
87.61.45.59
IP address of host "bctf.secret.server2":
87.4.98.152
IP address of host "bctf.secret.server3":
249.78.85.56
IP address of host "bctf.secret.server4":
13.228.21.29
Accessing secret servers, please wait ......
Proxy cannot access the secret servers. Please input IP addresses again

It failed. Why? Let's see how the resolver answers for something whose correct answer we already know.

$ nslookup 1.1.1.1.xip.io 218.2.197.236
Server:         218.2.197.236
Address:        218.2.197.236#53

Non-authoritative answer:
1.1.1.1.xip.io  canonical name = a105d.xip.io.
Name:   a105d.xip.io
Address: 78.61.44.27

$ nslookup 2.2.2.2.xip.io 218.2.197.236
Server:         218.2.197.236
Address:        218.2.197.236#53

Non-authoritative answer:
2.2.2.2.xip.io  canonical name = k20aq.xip.io.
Name:   k20aq.xip.io
Address: 79.62.45.28

Something's fishy! 1.1.1.1.xip.io should resolve to 1.1.1.1, and 2.2.2.2.xip.io to 2.2.2.2. Both answers are off by the same amount, octet by octet: the entry proxy's resolver adds an offset of 77.60.43.26 to every address it returns (wrapping each octet modulo 256, which is why the "secret server" answers ended up outside private space).

Undo that offset on the IPs obtained at the start (script saved as ip_diff.rb):

# Subtract ip2 from ip1 octet by octet, wrapping modulo 256 so that an
# octet which went negative (e.g. 4 - 60) comes back as 200, not -56.
def ip_sub(ip1, ip2)
  ip1 = ip1.split('.').map(&:to_i)
  ip2 = ip2.split('.').map(&:to_i)
  4.times
    .map {|i| (ip1[i] - ip2[i] + 256) % 256}
    .map(&:to_s)
    .join('.')
end

# Usage: ruby ip_diff.rb <observed ip> <offset>
puts ip_sub(ARGV[0], ARGV[1])

$ ruby ip_diff.rb 87.61.45.59 77.60.43.26
10.1.2.33
$ ruby ip_diff.rb 87.4.98.152 77.60.43.26
10.200.55.126
$ ruby ip_diff.rb 249.78.85.56 77.60.43.26
172.18.42.30
$ ruby ip_diff.rb 13.228.21.29 77.60.43.26
192.168.234.3

$ nc 218.2.197.236 12345
Welcome to proxy system. Pleas enter secret servers information to login.
IP address of host "bctf.secret.server1":
10.1.2.33
IP address of host "bctf.secret.server2":
10.200.55.126
IP address of host "bctf.secret.server3":
172.18.42.30
IP address of host "bctf.secret.server4":
192.168.234.3
Accessing secret servers, please wait ......
Success!
BCTF{W31c0m3_70_0ur_53cr37_53rv3r_w0r1d}

Yay! BCTF{W31c0m3_70_0ur_53cr37_53rv3r_w0r1d}
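The whole decoding step above, done in one place and with the checks I would want before typing addresses into the proxy: the offset is derived from the xip.io known-answer probes rather than read off by hand, every probe has to agree (one disagreeing probe would mean the transform is not a constant per-octet shift), and the recovered addresses are checked against RFC 1918 space, which is what the challenge name promises. This is an added example, not the writeup's own script; `octets`, `ip_add`, `ip_sub`, `derive_offset`, `private?` and `recover` are my names, and the two hashes hold exactly the answers the proxy returned above.

```ruby
# Per-octet IPv4 arithmetic, modulo 256, which is the transform the proxy's
# resolver applies to every answer it hands out.
def octets(ip)
  o = ip.split('.').map { |x| Integer(x, 10) }
  raise ArgumentError, "not an IPv4 address: #{ip}" unless o.size == 4 && o.all? { |x| (0..255).cover?(x) }
  o
end

def ip_add(ip, delta)
  octets(ip).zip(octets(delta)).map { |a, b| (a + b) % 256 }.join('.')
end

def ip_sub(ip, delta)
  octets(ip).zip(octets(delta)).map { |a, b| (a - b) % 256 }.join('.')
end

# Known-answer probing: "a.b.c.d.xip.io" must resolve to a.b.c.d, so the
# proxy's answer minus that is the offset. Takes {queried name => answer}
# and insists every probe agrees; otherwise the constant-shift model is
# wrong and the recovered addresses would be garbage.
def derive_offset(probes)
  offsets = probes.map do |name, answer|
    m = name.match(/\A(\d+\.\d+\.\d+\.\d+)\.xip\.io\z/)
    raise ArgumentError, "not an xip.io probe: #{name}" unless m
    ip_sub(answer, m[1])
  end.uniq
  raise "probes disagree, not a constant offset: #{offsets.inspect}" unless offsets.size == 1
  offsets.first
end

# RFC 1918 sanity check: 10/8, 172.16/12, 192.168/16.
def private?(ip)
  a, b, = octets(ip)
  a == 10 || (a == 172 && (16..31).cover?(b)) || (a == 192 && b == 168)
end

def recover(answers, offset)
  answers.transform_values { |ip| ip_sub(ip, offset) }
end

# The values the proxy's resolver actually returned in the writeup.
PROBES  = { '1.1.1.1.xip.io' => '78.61.44.27', '2.2.2.2.xip.io' => '79.62.45.28' }.freeze
ANSWERS = { 'bctf.secret.server1' => '87.61.45.59',  'bctf.secret.server2' => '87.4.98.152',
            'bctf.secret.server3' => '249.78.85.56', 'bctf.secret.server4' => '13.228.21.29' }.freeze

if __FILE__ == $PROGRAM_NAME
  offset = derive_offset(PROBES)
  puts "offset: #{offset}"
  recover(ANSWERS, offset).each do |host, ip|
    puts format('%-20s %-15s %s', host, ip, private?(ip) ? 'RFC1918' : 'NOT private, recheck the model')
  end
end
```

Two probes were enough here because both gave the same offset; with a single probe you could not tell a constant shift from, say, a per-query XOR, so the agreement check is the part that actually justifies feeding the recovered addresses to the proxy.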
