肥皂的小屋

Cyber Earth Cup Industrial Internet Security Competition - Missing a Large Number of Device Reports (Signature Challenge) - Writeup

  • Why write up a challenge that ended a long time ago? Because I was working on it on a certain CTF training platform.

First, open the link. It is an industrial control management system.

Click through all the buttons on the left side. Only the report center can be accessed.

Selecting a time does nothing, and the note in the lower left corner says this is a free-points challenge. Hmm, seeing that the link has id=1, I thought of trying to run through the id values.

Capture the request with Burp, send it to Intruder, and set the Payload type to Numbers.

Go from 1 to 5000 in steps of 1, and set the threads to 999. If the thread count is too small, the run will bog down partway through.

Then start the run. When it finishes, you can see that something is off with id 2333.

Set id=2333 directly and get the flag.
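Seen from the server side, the id sweep above leaves a distinctive trace in the access log. The following is an added example, not part of the original writeup, that flags clients walking an id range and reports which ids answered differently; the /report path, the client addresses, the response sizes and the thresholds are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Common-log-format line with an "id" query parameter. The /report path is an
# assumption; the page only shows that the link carries id=1.
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "GET \S+?\?id=(\d+) HTTP/[\d.]+" \d{3} (\d+)')

def build_sample_log():
    """Constructed log: one ordinary user plus one client sweeping id=1..5000."""
    fmt = '{} - - [01/Jan/2024:10:00:00 +0000] "GET /report?id={} HTTP/1.1" 200 {}'
    lines = [fmt.format("198.51.100.7", i, 1520) for i in (1, 1, 7, 3)]
    sweep = list(range(1, 5001))
    sweep.reverse()  # many threads mean requests do not arrive in id order
    # Constructed assumption: the one interesting id returns a different size.
    lines += [fmt.format("203.0.113.9", i, 1893 if i == 2333 else 1520) for i in sweep]
    return lines

def detect_id_sweeps(lines, min_distinct=50, min_sequential_ratio=0.9):
    """Return {client: stats} for clients whose id requests look like a sweep."""
    sizes = defaultdict(dict)  # client -> {id: response size}
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            client, id_, size = m.groups()
            sizes[client][int(id_)] = int(size)
    findings = {}
    for client, by_id in sizes.items():
        distinct = sorted(by_id)  # sort so arrival order does not matter
        if len(distinct) < min_distinct:
            continue
        steps = sum(1 for a, b in zip(distinct, distinct[1:]) if b - a == 1)
        ratio = steps / (len(distinct) - 1)
        if ratio < min_sequential_ratio:
            continue
        # Ids whose response size differs from the usual one: what the sweep exposed.
        usual = Counter(by_id.values()).most_common(1)[0][0]
        findings[client] = {
            "distinct_ids": len(distinct),
            "sequential_ratio": ratio,
            "exposed_ids": sorted(i for i, s in by_id.items() if s != usual),
        }
    return findings

if __name__ == "__main__":
    for client, stats in detect_id_sweeps(build_sample_log()).items():
        print(client, stats)
```

The `exposed_ids` list is the practical output: it tells the operator which records need an access check or should not be reachable by a guessable id at all.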

There is another way, using a small tool called Search and Replace: after capturing the traffic, save the data returned by the server.

Then open the saved file with the tool, set the file filter to *.*, and search for flag to get the flag.
