over 9 years ago
內網探險 (Intranet Expedition) (Misc 200)
Description
To collect more information about the Chinese hacker friends taking part in BCTF, Mitnick decided to try to penetrate BCTF's internal network. Through reconnaissance and network sniffing he found an entry proxy into the internal database and captured a small amount of traffic at the proxy entrance. Just as he was about to gather more information, his activity was detected and he was kicked off the network.
http://bctf.cn/files/downloads/misc200_23633b6b34ccf6f2769d35407f6b2665.pcap
Entry proxy: 218.2.197.236:12345
Hints
- DNS
- Craft packets
Solution
Download the capture and save it as misc200.pcap, then take a look at what's inside.
$ tshark -r misc200.pcap
1 0.000000 202.112.50.172 -> 218.2.197.236 DNS 75 Standard query 0x1234 A shadu.baidu.com
2 5.823182 202.112.50.172 -> 218.2.197.236 DNS 79 Standard query 0x4321 A bctf.secret.server1
Two ordinary-looking DNS queries, but note where they are sent: to 218.2.197.236, the proxy host itself, so that machine is also running a resolver on port 53. First, let's connect to the entry proxy and see what it wants:
$ nc 218.2.197.236 12345
Welcome to proxy system. Pleas enter secret servers information to login.
IP address of host "bctf.secret.server1":
IP address of host "bctf.secret.server2":
IP address of host "bctf.secret.server3":
IP address of host "bctf.secret.server4":
Accessing secret servers, please wait ......
Proxy cannot access the secret servers. Please input IP addresses again
So let's ask the entry proxy's own resolver for the IPs of those four hosts:
$ nslookup bctf.secret.server1 218.2.197.236
Server: 218.2.197.236
Address: 218.2.197.236#53
Name: bctf.secret.server1
Address: 87.61.45.59
$ nslookup bctf.secret.server2 218.2.197.236
Server: 218.2.197.236
Address: 218.2.197.236#53
Name: bctf.secret.server2
Address: 87.4.98.152
$ nslookup bctf.secret.server3 218.2.197.236
Server: 218.2.197.236
Address: 218.2.197.236#53
Name: bctf.secret.server3
Address: 249.78.85.56
$ nslookup bctf.secret.server4 218.2.197.236
Server: 218.2.197.236
Address: 218.2.197.236#53
Name: bctf.secret.server4
Address: 13.228.21.29
These don't look like internal addresses at all, which is odd for an "intranet" challenge, but let's try them anyway:
$ nc 218.2.197.236 12345
Welcome to proxy system. Pleas enter secret servers information to login.
IP address of host "bctf.secret.server1":
87.61.45.59
IP address of host "bctf.secret.server2":
87.4.98.152
IP address of host "bctf.secret.server3":
249.78.85.56
IP address of host "bctf.secret.server4":
13.228.21.29
Accessing secret servers, please wait ......
Proxy cannot access the secret servers. Please input IP addresses again
That failed, sigh. Why? Let's see how this resolver answers a query whose correct answer we already know.
$ nslookup 1.1.1.1.xip.io 218.2.197.236
Server: 218.2.197.236
Address: 218.2.197.236#53
Non-authoritative answer:
1.1.1.1.xip.io canonical name = a105d.xip.io.
Name: a105d.xip.io
Address: 78.61.44.27
$ nslookup 2.2.2.2.xip.io 218.2.197.236
Server: 218.2.197.236
Address: 218.2.197.236#53
Non-authoritative answer:
2.2.2.2.xip.io canonical name = k20aq.xip.io.
Name: k20aq.xip.io
Address: 79.62.45.28
Something's fishy! 1.1.1.1.xip.io should resolve to 1.1.1.1 (xip.io names encode their own answer), yet we got 78.61.44.27. Subtracting octet by octet, 78.61.44.27 - 1.1.1.1 and 79.62.45.28 - 2.2.2.2 both give 77.60.43.26, so the entry proxy's resolver is adding a constant per-octet offset of 77.60.43.26 to every answer it returns.
Use this offset to correct the IPs we got at the start (subtract modulo 256, since an octet plus the offset may have wrapped past 255):
# ip_diff.rb: subtract ip2 from ip1 octet by octet, wrapping modulo 256
# (an octet that overflowed past 255 when the offset was added wraps back here).
def ip_sub(ip1, ip2)
  ip1 = ip1.split('.').map(&:to_i)
  ip2 = ip2.split('.').map(&:to_i)
  4.times
    .map {|i| (ip1[i] - ip2[i] + 256) % 256}
    .map(&:to_s)
    .join('.')
end
puts ip_sub(ARGV[0], ARGV[1])
$ ruby ip_diff.rb 87.61.45.59 77.60.43.26
10.1.2.33
$ ruby ip_diff.rb 87.4.98.152 77.60.43.26
10.200.55.126
$ ruby ip_diff.rb 249.78.85.56 77.60.43.26
172.18.42.30
$ ruby ip_diff.rb 13.228.21.29 77.60.43.26
192.168.234.3
$ nc 218.2.197.236 12345
Welcome to proxy system. Pleas enter secret servers information to login.
IP address of host "bctf.secret.server1":
10.1.2.33
IP address of host "bctf.secret.server2":
10.200.55.126
IP address of host "bctf.secret.server3":
172.18.42.30
IP address of host "bctf.secret.server4":
192.168.234.3
Accessing secret servers, please wait ......
Success!
BCTF{W31c0m3_70_0ur_53cr37_53rv3r_w0r1d}
Yay! BCTF{W31c0m3_70_0ur_53cr37_53rv3r_w0r1d}