2018铁三测评WP

1

根据提示拿到password.txt 

前端有输入限制，用burpsuite爆破

newpage字段 base64解码

之后留言时再改包 修改islogin=1 和 userlevel=root 即可

2

burp抓包改UA字段为

3

burpsuite抓包发现cookie字段base64+md5解密后为2699:2699，用1234567890:1234567890再加密发送即可

4

gpg john.tar.gz.gpg 输入公钥

tar -xzvf john.tar.gz.gpg 解出一个pcap包 wireshark导出http对象 内有一张logo.png  stegsolve即可

5

文本打开后发现提示

data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAARgAAAEYCAIAAAAI7H7bAAAFRElEQVR4nO3dUW4bOxAAQSt497+ycwMi4GuNZ62q3yDyeq0GPwYkX9/f31/A//Pnpx8AfgMhQUBIEBASBIQEASFBQEgQEBIE/jv82+v1GnuO3GHQfPi98vH03Tu8e/j8A5e8jSXOb8OKBAEhQUBIEBASBIQEASFBQEgQEBIETgPZgyX7aicHfEt+1t2bzx8+f8Knf6OsSBAQEgSEBAEhQUBIEBASBIQEASFB4HIge5DP/paM6iYf4/AO7yah+ZbbSY/4RlmRICAkCAgJAkKCgJAgICQICAkCQoJAP5Ddb8mEd9LdGHf/rHYPKxIEhAQBIUFASBAQEgSEBAEhQUBIEPjEgWxu8hrWnKlrwooEASFBQEgQEBIEhAQBIUFASBAQEgT6gewHjiAnN5nmP2vJpbQH+79RX1YkSAgJAkKCgJAgICQICAkCQoKAkCBwOZD9rdsqHz1azX/WkmtzH8GKBAEhQUBIEBASBIQEASFBQEgQEBIEXo/YftjaP4Jccq/rB343rlmRICAkCAgJAkKCgJAgICQICAkCQoJAP5Ddv7szP9p3yYR30v658OT38MuKBAkhQUBIEBASBIQEASFBQEgQEBIETgPZyTnjkiHp5GPkljzGpMlZrYEsvJ2QICAkCAgJAkKCgJAgICQICAkCpztk82nX5Bg3/1n7x7j5DHrJuHPybVyzIkFASBAQEgSEBAEhQUBIEBASBIQEgcsdsrlHz2rvHuPOkhe1ZIx7MDlA/7IiQUJIEBASBIQEASFBQEgQEBIEhASB0w7ZgyVXo04OE98xxWt/1uSQdPIL8IiHtyJBQEgQEBIEhAQBIUFASBAQEgSEBIHRO2SXzE+XXIB7Z8nf6wPZIQtvJyQICAkCQoKAkCAgJAgICQJCgsDlDtm72d+SqevkXtfJE6GX/Mr7T2l+BysSBIQEASFBQEgQEBIEhAQBIUFASBA47ZC9/MQd87j9O2SXzBmXnEt8Z8/uaSsSBIQEASFBQEgQEBIEhAQBIUFASBAY3SG7/0zd/dPJJfPu3OSe63ewIkFASBAQEgSEBAEhQUBIEBASBIQEgdNA9m6kNfm/9szjNrh7G/tf1OR343oib0WCgJAgICQICAkCQoKAkCAgJAgICQKnI4snN7ROfuDkCHLJ/tOD/bf33hl+81YkCAgJAkKCgJAgICQICAkCQoKAkCBweWTxpMljhCdPTl4ynt4/Mp5khyz8JCFBQEgQEBIEhAQBIUFASBAQEgRGB7L57G/JQcd3v9dvnYQu2QY7PJ62IkFASBAQEgSEBAEhQUBIEBASBIQEgdORxb/V/ltT70z+KSe3LU9uJT6wQxbeTkgQEBIEhAQBIUFASBAQEgSEBIHTDtlHDy7zXZCTI8i7x9j/91pySvOBHbLwk4QEASFBQEgQEBIEhAQBIUFASBC4PLJ4yb7a/SPI3JL9p5NnO+fe8RhWJAgICQJCgoCQICAkCAgJAkKCgJAg0N8hmw9JH33z7JKNn5MefYfsNSsSBIQEASFBQEgQEBIEhAQBIUFASBDoB7IfaPIm07sPvDvA+dEXxQ5Prq1IEBASBIQEASFBQEgQEBIEhAQBIUHAQPZf5Uf7Th4IvGTL7d3v9Yi3YUWCgJAgICQICAkCQoKAkCAgJAgICQL9QHb/mbqTT7jkvOX8A5fsxt1zibAVCQJCgoCQICAkCAgJAkKCgJAgICQIvB4x7boweXnro7fBTj7GEu6QhaWEBAEhQUBIEBASBIQEASFBQEgQOA1kgX9kRYKAkCAgJAgICQJCgoCQICAkCAgJAkKCwF9sIhJFGPgGhQAAAABJRU5ErkJggg==

该文件是一个base64编码的图片，链接http://www.vgot.net/test/image2base64.php，扫码即可

6

x6ax0bx58x99x52x66x68x2dx63x89xe7x68x2fx73x68x00x68x2fx62x69x6ex89xe3x52xe8x34x00x00x00x65x63x68x6fx20x5a
x6dx78x68x5ax33x74x54x53x45x56x73x62x47x4ex76x5ax47x56x66x53x56x4ex66x63x32x39x66x51x32x39x76x62x48x30x4b
x7cx62x61x73x65x36x34x20x2dx64x00x57x53x89xe1xcdx80
hex to ascii :ZmxhZ3tTSEVsbGNvZGVfSVNfc29fQ29vbH0K|base64
base64解码即可