ctfshow writeup: Information Gathering (web01-web20)
web1
web1:where is flag?
Press F12 to view the page source:
<!--
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-01 13:45:32
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-02 03:12:48
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
-->
<!DOCTYPE HTML>
<html>
<head>
    <meta charset="utf-8">
    <title>CTFshow 新手入门题目 </title>
    <script type="text/javascript">
    </script>
</head>
<body>
    <h3>web1:where is flag?</h3>
    <!-- ctfshow{9f6f5c41-03aa-4042-9104-41213bc6e21f} -->
</body>
</html>
Flag obtained:
ctfshow{9f6f5c41-03aa-4042-9104-41213bc6e21f}
web2
Unable to view the source code
Right-click and F12 are blocked by the page script, so press Ctrl+U to view the page source:
<!--
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-01 13:45:32
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-02 03:20:04
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
-->
<!DOCTYPE HTML>
<html>
<head>
    <meta charset="utf-8">
    <title>CTFshow 新手入门题目 </title>
    <script type="text/javascript">
        window.oncontextmenu = function(){return false};
        window.onselectstart = function(){return false};
        window.onkeydown = function(){if (event.keyCode==123){event.keyCode=0;event.returnValue=false;}};
    </script>
</head>
<body>
    <h3>无法查看源代码</h3>
    <!-- ctfshow{1479640a-73e2-41c6-b759-bd17cb1daa38} -->
</body>
</html>
Flag obtained:
ctfshow{1479640a-73e2-41c6-b759-bd17cb1daa38}
web3
web3:where is flag?
Press F12 and look at the Network tab; the response headers are:
access-control-allow-credentials: true
access-control-allow-headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization,x-auth-token,Cookies,Aaa,Date,Server,Content-Length,Connection
access-control-allow-methods: GET,POST,PUT,DELETE,OPTIONS
access-control-expose-headers: Content-Type,Cookies,Aaa,Date,Server,Content-Length,Connection
access-control-max-age: 1728000
connection: keep-alive
content-encoding: gzip
content-type: text/html; charset=UTF-8
date: Mon, 30 Jun 2025 13:31:48 GMT
flag: ctfshow{91bf4b26-5e76-43b7-a694-9970908eae96}
server: nginx/1.20.1
transfer-encoding: chunked
x-powered-by: PHP/7.3.11
Flag obtained:
ctfshow{91bf4b26-5e76-43b7-a694-9970908eae96}
web4
Someone always writes the admin path into robots.txt, showing the hackers the way.
web4:where is flag?
Following the hint, look at robots.txt:
User-agent: *
Disallow: /flagishere.txt
Open url/flagishere.txt
Flag obtained:
ctfshow{78888822-0dce-47fc-b6c2-1f7b69302800}
web5
Open url/index.phps, which serves the PHP source as plain text:
<?php
/*
# -*- coding: utf-8 -*-
# @Author: h1xa
# @Date:   2020-09-01 14:14:17
# @Last Modified by:   h1xa
# @Last Modified time: 2020-09-01 14:34:53
# @email: h1xa@ctfer.com
# @link: https://ctfer.com
*/
//ctfshow{1b4b42ee-d038-433d-8639-1a24fbb4a22b}
echo "web5:where is flag ?"
Flag obtained:
ctfshow{1b4b42ee-d038-433d-8639-1a24fbb4a22b}
web6
Scan with the dirsearch tool:
C:\Users\reze>cd dirsearch
C:\Users\reze\dirsearch>python dirsearch.py -u https://f360c7dc-a7bb-45bd-b817-976fafd54ca1.challenge.ctf.show/
_|. _ _ _ _ _ _|_ v0.4.3 (_||| _) (/_(_|| (_| )
Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12292
Target: https://f360c7dc-a7bb-45bd-b817-976fafd54ca1.challenge.ctf.show/
[21:39:29] Scanning:
[21:40:11] 200 -  486B - /www.zip
Task Completed
Open url/www.zip
The archive contains two items; one of them hints that the flag is in fl000g.txt.
Open url/fl000g.txt
Flag obtained:
ctfshow{2a987e6b-6f7b-4c8a-9ee3-5709f9579f00}
web7
web7:where is flag?
_|. _ _ _ _ _ _|_ v0.4.3 (_||| _) (/_(_|| (_| )
Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12292
Target: https://c1117d39-2102-4589-bb57-a93d1868f6af.challenge.ctf.show/
[21:45:28] Scanning:
[21:45:32] 301 -  169B - /.git  ->  http://c1117d39-2102-4589-bb57-a93d1868f6af.challenge.ctf.show/.git/
[21:45:32] 200 -   46B - /.git/
Open url/.git
Flag obtained:
ctfshow{147711f6-e831-4c04-bdfc-67a3f3d079fc}
web8
web8:where is flag?
Scan the URL with dirsearch:
_|. _ _ _ _ _ _|_ v0.4.3 (_||| _) (/_(_|| (_| )
Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12292
Target: https://ea06a964-c13c-46f6-8f34-692761ba5ff1.challenge.ctf.show/
[21:47:32] Scanning:
[21:47:38] 301 -  169B - /.svn  ->  http://ea06a964-c13c-46f6-8f34-692761ba5ff1.challenge.ctf.show/.svn/
[21:47:38] 200 -   46B - /.svn/
Open url/.svn
Flag obtained:
ctfshow{970a109e-cace-4ac4-bbf5-a3fad8a2694c}
web9
Spotted a typo on the page? Quickly fix it with vim in production. Oh no, the machine hung.
web9:where is flag?
Open url/index.php.swp (the swap file vim left behind when it hung)
Flag obtained:
ctfshow{8d17cc96-d8c3-4907-bb90-e7a3d87384f0}
web10
Press F12, open the Network tab and find the cookie:
cookie flag=ctfshow%7B6d5fcbf9-ade6-4f26-bece-63809cfccca3%7D
URL-decoding %7B and %7D gives the flag:
ctfshow{6d5fcbf9-ade6-4f26-bece-63809cfccca3}
web11
A domain name can hide information too; for example, flag.ctfshow.com hides one piece of information.
Query its TXT record with the command:
nslookup -q=txt flag.ctfshow.com
Flag obtained
web12
_|. _ _ _ _ _ _|_ v0.4.3 (_||| _) (/_(_|| (_| )
Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12292
Target: https://e8f7fb3f-cc4e-4b23-9cf1-05e5f553b39d.challenge.ctf.show/
[21:59:26] Scanning:
[22:00:18] 301 -  169B - /admin  ->  http://e8f7fb3f-cc4e-4b23-9cf1-05e5f553b39d.challenge.ctf.show/admin/
[22:00:21] 401 -   42B - /admin/
[22:00:23] 401 -   42B - /admin/index.php
Open url/admin; it asks for a username and password. Try admin as the username and, following the challenge hint, look at the very bottom of the page, where a string of digits appears: 372619038. Using it as the password gives the flag:
ctfshow{bf0af490-344e-4dec-af4d-523d29132b41}
web13
Technical documentation must not contain sensitive information; change default passwords promptly after deploying to production.
At the bottom of the page there is a "documents" link; clicking through to it reveals:
- Login: default admin URL: http://your-domain/system1103/login.php, default username: admin, default password: admin110
Log in with these defaults to get the flag:
ctfshow{935e116b-f16f-4541-a30a-805c4c67b287}
web14
Sometimes the source code inadvertently leaks important (editor) information; default configurations are deadly.
Following the hint, open url/editor
In the editor's file upload dialog the server's files can be browsed; the flag is found there:
ctfshow{0c6d851d-36df-4203-a237-7f8aa1419c8c}
web15
Public information such as an email address can lead to information leakage with serious consequences.
Scan the URL with dirsearch:
_|. _ _ _ _ _ _|_ v0.4.3 (_||| _) (/_(_|| (_| )
Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12292
Target: https://fd633af2-e216-4deb-9707-ef6482a1063a.challenge.ctf.show/
[22:21:05] Scanning:
[22:21:25] 200 -    8KB - /about.html
[22:21:28] 301 -  169B - /admin  ->  http://fd633af2-e216-4deb-9707-ef6482a1063a.challenge.ctf.show/admin/
[22:21:29] 200 -    1KB - /admin/
[22:21:30] 200 -    1KB - /admin/index.php
Go to url/admin
It is the admin login form; click "Forgot password".
The original page had revealed a QQ mailbox.
Looking up that QQ account shows the owner is from Xi'an; entering 西安 (Xi'an) as the security answer resets the password to admin7789.
Log in with it to get the flag:
ctfshow{6a8cea05-5a2d-43f8-bde0-c8f3bdc8be5e}
web16
Test probes should be deleted promptly after use; otherwise they can leak information.
Open the probe at url/tz.php
Click through to its phpinfo page
The flag is in the environment shown there:
FLAG ctfshow{35c5c564-a0b8-445e-b928-311cedd8863c}
web17
Scan with dirsearch:
_|. _ _ _ _ _ _|_ v0.4.3 (_||| _) (/_(_|| (_| )
Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12292
Target: https://e15c4b4f-7842-4f09-a974-5262d44209fa.challenge.ctf.show/
[22:30:15] Scanning:
[22:30:30] 200 -  934B - /backup.sql
[22:30:37] 301 -  185B - /images  ->  http://e15c4b4f-7842-4f09-a974-5262d44209fa.challenge.ctf.show/images/
[22:30:37] 403 -  571B - /images/
Open url/backup.sql
Flag obtained:
ctfshow{b6dab5f3-a3b3-457e-a558-3512f442a316}
web18
Don't rush; rest, rest a while. Score 101 points and you get the flag.
Press F12 to view the source, which contains:
if(score>100) {
    var result=window.confirm("\u4f60\u8d62\u4e86\uff0c\u53bb\u5e7a\u5e7a\u96f6\u70b9\u76ae\u7231\u5403\u76ae\u770b\u770b");
}
Decoding the \u escape sequences gives 你赢了，去幺幺零点皮爱吃皮看看, i.e. "you won, go take a look at 110.php" (幺幺零点皮爱吃皮 spells out 1-1-0-.-p-h-p).
Open url/110.php to get the flag:
ctfshow{e5fa4ecb-d807-4f12-ba14-727328dbe3fa}
web19
Press F12 to view the source; the server-side check has been left in an HTML comment:
</script>
<!--
error_reporting(0);
$flag="fakeflag"
$u = $_POST['username'];
$p = $_POST['pazzword'];
if(isset($u) && isset($p)){
    if($u==='admin' && $p ==='a599ac85a73384ee3219fa684296eaa62667238d608efa81837030bd1ce1bf04'){
        echo $flag;
    }
}
-->
The comparison is against the literal string, so submit the leaked value directly. Capture the request with Burp Suite and send:
POST / HTTP/1.1
Host: 44b39150-c659-466f-95a3-6a21e89743f8.challenge.ctf.show
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:139.0) Gecko/20100101 Firefox/139.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 88
Origin: https://44b39150-c659-466f-95a3-6a21e89743f8.challenge.ctf.show
Referer: https://44b39150-c659-466f-95a3-6a21e89743f8.challenge.ctf.show/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Connection: keep-alive

username=admin&pazzword=a599ac85a73384ee3219fa684296eaa62667238d608efa81837030bd1ce1bf04

Flag obtained:
ctfshow{38547630-0ea1-4d66-9923-44b98a926d0b}
web20
An .mdb file is the database file of the early ASP + Access stack; leaking it is equivalent to the whole database being dumped.
Scanning reveals url/db/db.mdb
Download and inspect it to find the flag:
flag{ctfshow_old_database}
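Every leak in this writeup came from a handful of predictable paths (the .phps source, www.zip, .git, .svn, the .swp file, tz.php, backup.sql, db.mdb). As an added example that is not part of the original writeup, the Python below runs a defender-side check over constructed nginx access-log lines: it reports any 200 response served on one of those paths and flags clients whose burst of 404s looks like the dirsearch wordlist scans shown above. The log format, the path list and the threshold are assumptions.

```python
import re
from collections import Counter

# Paths whose exposure gave away the flag in web5-web20 of this writeup. The
# list, the regex and the log lines are constructed for this added example.
SENSITIVE_PATHS = {
    "/index.phps": "PHP source served as .phps (web5)",
    "/www.zip": "site backup archive (web6)",
    "/.git/": "git repository metadata (web7)",
    "/.svn/": "subversion metadata (web8)",
    "/index.php.swp": "vim swap file with source (web9)",
    "/tz.php": "server probe exposing phpinfo (web16)",
    "/backup.sql": "database dump (web17)",
    "/db/db.mdb": "Access database file (web20)",
}
# nginx "combined" format: ip ident user [time] "method path proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def find_leaks(lines, scan_threshold=3):
    """Return (leaks, scanners): leaks are (ip, path, reason) for each 200 on a
    sensitive path; scanners are clients with >= scan_threshold 404s, the
    footprint of a wordlist scan like the dirsearch runs in this writeup."""
    leaks, misses = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; ignore
        path = m["path"].split("?", 1)[0]  # drop the query string
        if m["status"] == "404":
            misses[m["ip"]] += 1
        elif m["status"] == "200":
            for prefix, why in SENSITIVE_PATHS.items():
                if path.startswith(prefix):
                    leaks.append((m["ip"], path, why))
    scanners = sorted(ip for ip, n in misses.items() if n >= scan_threshold)
    return leaks, scanners

# Constructed sample: one client scanning, then fetching two leaked files,
# and an ordinary visitor who still reaches the forgotten probe.
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Jun/2025:21:39:29 +0000] "GET /admin.php HTTP/1.1" 404 153 "-" "-"',
    '203.0.113.7 - - [30/Jun/2025:21:39:29 +0000] "GET /login.asp HTTP/1.1" 404 153 "-" "-"',
    '203.0.113.7 - - [30/Jun/2025:21:39:30 +0000] "GET /backup.zip HTTP/1.1" 404 153 "-" "-"',
    '203.0.113.7 - - [30/Jun/2025:21:40:11 +0000] "GET /www.zip HTTP/1.1" 200 486 "-" "-"',
    '203.0.113.7 - - [30/Jun/2025:21:45:32 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "-"',
    '198.51.100.2 - - [30/Jun/2025:22:10:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "-"',
    '198.51.100.2 - - [30/Jun/2025:22:10:05 +0000] "GET /tz.php?act=phpinfo HTTP/1.1" 200 9000 "-" "-"',
]
```

Run it against a real access log by passing the file's lines to find_leaks; a non-empty leaks list means the file should be removed or blocked at the web server, not just hidden from search.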
That covers all twenty; done.