Ctfhub information disclosure

Directory traversal

There are two levels of directories , And the names under the directory are consistent , Easy to mislead , Traverse according to the way of viewing layer by layer
Every time you start the environment ,flag The location of the file will change , Just look for it according to the idea of directory traversal

PHPINFO

Backup file download

Website source code

According to the prompt , Download the website source code zip

I found a file named flag Number

Check the text directly without flag, Go visit and try

< Add >

Common website source code backup file suffix ：

• tar
• tar.gz
• zip
• rar
  Common website source code backup file name
• web
• website
• backup
• back
• www
• wwwroot
• temp
  According to the tip , You can write test scripts , This is what I found on the Internet For reference only

import requests
url = "http://challenge-c3c711c8d7b491a2.sandbox.ctfhub.com:10800/"
back1 = ['web','website','backup','back','www','wwwroot','temp']
back2 = ['tar','tar.gz','zip','rar']
for i in back1:
    for j in back2:
        url_new = url + i + '.' + j
        r = requests.get(url_new)
        if (r.status_code == 200):
            print (url_new)

bak file

index.php Not in echo flag
download index.php.bak

< Add >

have access to dirsearch Scan catalog files

 install ：
git clone https://github.com/maurosoria/dirsearch.git

 Scan internal files ：
python3 dirsearch.py -u 'url' -e*

/**kali Bring it with you python3 So there is no need to install **/

When using this scanning tool , Want administrator rights , Otherwise, it will report a mistake

VIM cache

Scan directly

Access the directory , download

Binary file open
find flag

.DS_Store

windows no way , There is no valid information in the downloaded file
Switch to linux（ You can also drag the file directly to linux Check it out ）

Open after download

visit

< Add >

.DS_Store yes Mac OS A hidden file that saves the custom properties of a folder . adopt .DS_Store You can know the list of all the files in this directory .

SVN Let the cat out of the

Reference resources ：https://blog.csdn.net/tempulcc/article/details/108959901
Reference resources ：https://www.freesion.com/article/98721217183/

1. Configure the tool environment

git clone https://github.com/kost/dvcs-ripper

sudo apt-get install perl libio-socket-ssl-perl libdbd-sqlite3-perl libclass-dbi-perl libio-all-lwp-perl

2. recovery .svn

./rip-svn.pl -v -u http://challenge-a111d17ddfd2f7cb.sandbox.ctfhub.com:10800/.svn/
 perhaps 
perl rip-svn.pl -v -u http://challenge-a111d17ddfd2f7cb.sandbox.ctfhub.com:10800/.svn/ 

Tip the lack of SQLite
Install the module

 [ Execution requires root jurisdiction ]
perl -MCPAN -e shell
install DBD::SQLite
exit

Installation completed , To restore .svn

3. Get into .svn Directory search flag

flag The location of existence may be different , Just look for it in turn

HG Let the cat out of the

Also use dvcs-ripper Tools

./rip-hg.pl -v -u http://challenge-a111d17ddfd2f7cb.sandbox.ctfhub.com:10800/.hg/

Git Let the cat out of the

This is a little more , I proposed to record it separately