Ch3nyang's blog

Try2Hack

2019-10
Category: Security
Tag: game

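This post walks through solutions to some of the try2hack levels (currently updated through level 6; if you solve the rest, feel free to post them in the comments).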

level1

Inspect the page source:

if (slp == "l4m3rz") {
    alert("Great! Go to the 2nd level...");
    location.href = "level2-room.htm";
}

passwd: l4m3rz

level2

Right-click is disabled, so open the developer tools with F12 directly, and we see

user="super_hacker";
password="dont_look_here";

That's not it. Keep looking:

<input type="reset" value="Click if you want to continue" onclick="Tryi(testi.pass.value, testi.uzr.value)">

This points to a function named Tryi. Let's look at that function:

function Tryi(uzer, pswd) {
    if (uzer == "ozzy" && pswd == "osburn") {
        alert("Great! Go to the 3d level...");
        location.href = "level3-kbbe.htm";
    } else {
        alert("Wrong username and/or password. Go away...");
        location.href = "about:blank";
    }
}

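I tried for a long time here without getting it right, and finally found that the username and password are swapped... The onclick handler calls Tryi(testi.pass.value, testi.uzr.value), so the password field is passed as uzer and the username field as pswd.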

usr: osburn

passwd: ozzy

level3

First enter a random guess; the page jumps to Disneyland 😀

So download the JavaScript file and open it directly, which gives

PASSWORD = "try2hackrawks";
CORRECTSITE = "level4-kdnvxs.xhtml";
WRONGSITE = "http://www.disney.com";

level4

Search for passwd and find

<object classid="java:PasswdLevel4.class" type="application/x-java-applet" height="370" width="330" >

Download PasswdLevel4.class and decompile it with jd, which gives the following code

import java.applet.Applet;
import java.awt.Button;
import java.awt.Font;
import java.awt.Label;
import java.awt.TextField;
import java.awt.event.ActionEvent;
import java.awt.event.ActionListener;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.MalformedURLException;
import java.net.URL;

public class PasswdLevel4 extends Applet implements ActionListener {
  private URL finalurl;
  
  String infile;
  
  String[] inuser = new String[22];
  
  int totno = 0;
  
  InputStream countConn = null;
  
  BufferedReader countData = null;
  
  URL inURL = null;
  
  TextField txtlogin = new TextField();
  
  Label label1 = new Label();
  
  Label label2 = new Label();
  
  Label label3 = new Label();
  
  TextField txtpass = new TextField();
  
  Label lblstatus = new Label();
  
  Button ButOk = new Button();
  
  Button ButReset = new Button();
  
  Label lbltitle = new Label();
  
  void ButOk_ActionPerformed(ActionEvent paramActionEvent) {
    boolean bool = false;
    for (byte b = 1; b <= this.totno / 2; b++) {
      if (this.txtlogin.getText().trim().toUpperCase().intern() == this.inuser[2 * (b - 1) + 2].trim().toUpperCase().intern() && this.txtpass.getText().trim().toUpperCase().intern() == this.inuser[2 * (b - 1) + 3].trim().toUpperCase().intern()) {
        this.lblstatus.setText("Login Success, Loading..");
        bool = true;
        String str1 = this.inuser[1].trim().intern();
        String str2 = getParameter("targetframe");
        if (str2 == null)
          str2 = "_self"; 
        try {
          this.finalurl = new URL(getCodeBase(), str1);
        } catch (MalformedURLException malformedURLException) {
          this.lblstatus.setText("Bad URL");
        } 
        getAppletContext().showDocument(this.finalurl, str2);
      } 
    } 
    if (!bool)
      this.lblstatus.setText("Invaild Login or Password"); 
  }
  
  void ButReset_ActionPerformed(ActionEvent paramActionEvent) {
    this.txtlogin.setText("");
    this.txtpass.setText("");
  }
  
  public void actionPerformed(ActionEvent paramActionEvent) {
    Object object = paramActionEvent.getSource();
    if (object == this.ButOk) {
      ButOk_ActionPerformed(paramActionEvent);
      return;
    } 
    if (object == this.ButReset)
      ButReset_ActionPerformed(paramActionEvent); 
  }
  
  public void destroy() {
    this.ButOk.setEnabled(false);
    this.ButReset.setEnabled(false);
    this.txtlogin.setVisible(false);
    this.txtpass.setVisible(false);
  }
  
  public void inFile() {
    try {
      this.countConn = this.inURL.openStream();
      this.countData = new BufferedReader(new InputStreamReader(this.countConn));
      String str;
      while ((str = this.countData.readLine()) != null) {
        if (this.totno < 21) {
          this.totno++;
          this.inuser[this.totno] = str;
          str = "";
          continue;
        } 
        this.lblstatus.setText("Cannot Exceed 10 users, Applet fail start!");
        destroy();
      } 
    } catch (IOException iOException) {
      getAppletContext().showStatus("IO Error:" + iOException.getMessage());
    } 
    try {
      this.countConn.close();
      this.countData.close();
      return;
    } catch (IOException iOException) {
      getAppletContext().showStatus("IO Error:" + iOException.getMessage());
      return;
    } 
  }
  
  public void init() {
    setLayout(null);
    setSize(361, 191);
    add(this.txtlogin);
    this.txtlogin.setBounds(156, 72, 132, 24);
    this.label1.setText("Please Enter Login Name & Password");
    this.label1.setAlignment(1);
    add(this.label1);
    this.label1.setFont(new Font("Dialog", 1, 12));
    this.label1.setBounds(41, 36, 280, 24);
    this.label2.setText("Login");
    add(this.label2);
    this.label2.setFont(new Font("Dialog", 1, 12));
    this.label2.setBounds(75, 72, 36, 24);
    this.label3.setText("Password");
    add(this.label3);
    add(this.txtpass);
    this.txtpass.setEchoChar('*');
    this.txtpass.setBounds(156, 108, 132, 24);
    this.lblstatus.setAlignment(1);
    this.label3.setFont(new Font("Dialog", 1, 12));
    this.label3.setBounds(75, 108, 57, 21);
    add(this.lblstatus);
    this.lblstatus.setFont(new Font("Dialog", 1, 12));
    this.lblstatus.setBounds(14, 132, 344, 24);
    this.ButOk.setLabel("OK");
    add(this.ButOk);
    this.ButOk.setFont(new Font("Dialog", 1, 12));
    this.ButOk.setBounds(105, 156, 59, 23);
    this.ButReset.setLabel("Reset");
    add(this.ButReset);
    this.ButReset.setFont(new Font("Dialog", 1, 12));
    this.ButReset.setBounds(204, 156, 59, 23);
    this.lbltitle.setAlignment(1);
    add(this.lbltitle);
    this.lbltitle.setFont(new Font("Dialog", 1, 12));
    this.lbltitle.setBounds(12, 14, 336, 24);
    String str = getParameter("title");
    this.lbltitle.setText(str);
    this.ButOk.addActionListener(this);
    this.ButReset.addActionListener(this);
    this.infile = new String("level4");
    try {
      this.inURL = new URL(getCodeBase(), this.infile);
    } catch (MalformedURLException malformedURLException) {
      getAppletContext().showStatus("Bad Counter URL:" + this.inURL);
    } 
    inFile();
  }
}

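init() points at a file named level4, so open http://www.try2hack.nl/levels/level4 and download it. The applet reads this file line by line into inuser: the first line is the target page, followed by login/password pairs. The file contains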

level5-fdvbdf.xhtml
appletking
pieceofcake

level5

Hint:

To pass this level, download this Visual Basic 3.0 program and enter the correct username/password to proceed to the next level.

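Following the hint, we download the file and decompile it with a dedicated VB 3.0 decompiler (this software only runs on 32-bit machines, so I had to start a virtual machine in VMware), which gives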

Global Const gc0006 = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ.,:;-*+=~|&!_$#@()[]{}<\/>"
Global Const gc000A = "http://www.try2hack.nl/levels/level6-ksghvb.xhtml"

If  edtUsername = Mid(gc0006, 56, 1) & Mid(gc0006, 28, 1) & Mid(gc0006, 35, 1) & Mid(gc0006, 3, 1) & Mid(gc0006, 44, 1) & Mid(gc0006, 11, 1) & Mid(gc0006, 13, 1) & Mid(gc0006, 21, 1) Then
  If  edtPassword = Mid(gc0006, 45, 1) & Mid(gc0006, 48, 1) & Mid(gc0006, 25, 1) & Mid(gc0006, 32, 1) & Mid(gc0006, 15, 1) & Mid(gc0006, 40, 1) & Mid(gc0006, 25, 1) & Mid(gc0006, 14, 1) & Mid(gc0006, 19, 1) Then
    MsgBox "Level 6 can be found at: " & Left$(gc000A, 37) & Mid(gc0006, 21, 1) & Mid(gc0006, 14, 1) & Mid(gc0006, 29, 1) & Mid(gc0006, 32, 1) & Mid(gc0006, 12, 1) & Mid(gc0006, 14, 1) & Mid(gc000A, 44, 6), 0, "Horray!"
    End
  End If
End If

Enter http://www.try2hack.nl/levels/level6-ksghvb.xhtml

It turns out to be wrong

NOT LEVEL 6
Search harder.

So the URL above is wrong. Working through the code below it, evaluating each Mid() lookup against the gc0006 string, gives

url: http://www.try2hack.nl/levels/level6-kdsvbd.xhtml usr: Try2Hack passwd: ILoveDodi
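The index-lookup obfuscation in the level 5 listing can be evaluated mechanically instead of by hand. The following Python sketch is an added example, not part of the original post or the challenge; the names vb_mid and eval_vb_concat are hypothetical, and the constants and expressions are copied from the decompiled listing above.

```python
import re

# Constants copied from the decompiled VB 3.0 listing above.
CONSTS = {
    "gc0006": "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
              ".,:;-*+=~|&!_$#@()[]{}<\\/>",
    "gc000A": "http://www.try2hack.nl/levels/level6-ksghvb.xhtml",
}

# One term of a VB concatenation: Mid(name, start[, len]) or Left$(name, len).
TERM = re.compile(r"(Mid|Left\$)\(\s*(\w+)\s*,\s*(\d+)\s*(?:,\s*(\d+)\s*)?\)")

def vb_mid(s, start, length=None):
    """VB Mid(): the start index is 1-based, unlike Python slices."""
    end = None if length is None else start - 1 + length
    return s[start - 1:end]

def eval_vb_concat(expr):
    """Evaluate a chain of Mid()/Left$() terms joined with '&'."""
    out = []
    for part in expr.split("&"):
        m = TERM.fullmatch(part.strip())
        if m is None:
            raise ValueError(f"unsupported term: {part.strip()!r}")
        func, name, a, b = m.groups()
        s = CONSTS[name]
        if func == "Mid":
            out.append(vb_mid(s, int(a), int(b) if b else None))
        else:  # Left$(s, n) keeps the first n characters
            out.append(s[:int(a)])
    return "".join(out)

USERNAME = ("Mid(gc0006, 56, 1) & Mid(gc0006, 28, 1) & Mid(gc0006, 35, 1) & "
            "Mid(gc0006, 3, 1) & Mid(gc0006, 44, 1) & Mid(gc0006, 11, 1) & "
            "Mid(gc0006, 13, 1) & Mid(gc0006, 21, 1)")
PASSWORD = ("Mid(gc0006, 45, 1) & Mid(gc0006, 48, 1) & Mid(gc0006, 25, 1) & "
            "Mid(gc0006, 32, 1) & Mid(gc0006, 15, 1) & Mid(gc0006, 40, 1) & "
            "Mid(gc0006, 25, 1) & Mid(gc0006, 14, 1) & Mid(gc0006, 19, 1)")
LEVEL6_URL = ("Left$(gc000A, 37) & Mid(gc0006, 21, 1) & Mid(gc0006, 14, 1) & "
              "Mid(gc0006, 29, 1) & Mid(gc0006, 32, 1) & Mid(gc0006, 12, 1) & "
              "Mid(gc0006, 14, 1) & Mid(gc000A, 44, 6)")

if __name__ == "__main__":
    for label, expr in (("usr", USERNAME), ("passwd", PASSWORD), ("url", LEVEL6_URL)):
        print(label, eval_vb_concat(expr))
```

The gc000A constant only contributes its first 37 characters and its ".xhtml" suffix; the six characters in between come from gc0006, which is why the URL visible in the binary is not the real one.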

level6

Hint:

To pass this level, download this Visual Basic 6.0 program and enter the correct username/password to proceed to the next level.

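Following the hint, we download the file and try to decompile it with vbd, only to find that the program is packed, so the attempt failed

So run the program instead. It makes a network connection, so capturing and analysing its traffic with Wireshark gives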

(ENCRYPTION TYPE)
B*C*N**N

(USERNAME)
aaabb aaaaa aaaab abbab ababb aaaab

(PASSWORD)
aabaa abbaa aaaba baaaa babba abbba baaba abaaa abbab abbaa baaaa aaaaa babaa abaab baaab

(PAGE)
babab aabab abaab abbab aabbb aaaba

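This is the Bacon cipher (the ENCRYPTION TYPE field B*C*N**N reads BACONIAN with the vowels masked). Decoding against the cipher table gives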

usr: dabomb passwd: encryptionrawks url: xfkohc
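The Baconian decoding above, as an added Python example that is not part of the original post. The function names are hypothetical; the ciphertext groups are the ones from the capture above. It decodes with both common Baconian tables, because only the 24-letter table (I/J and U/V merged) reproduces the values in the post.

```python
import string

# Two common Baconian tables: the original 24-letter one merges I/J and U/V,
# the later 26-letter one gives every letter its own code.
ALPHABET_24 = "abcdefghiklmnopqrstuwxyz"   # j and v omitted (i=j, u=v)
ALPHABET_26 = string.ascii_lowercase

def bacon_decode(ciphertext, alphabet=ALPHABET_24):
    """Decode space-separated 5-symbol a/b groups into letters."""
    plain = []
    for group in ciphertext.split():
        if len(group) != 5 or set(group) - {"a", "b"}:
            raise ValueError(f"not a Baconian group: {group!r}")
        # Read the group as a 5-bit binary number with a=0, b=1.
        index = int(group.translate(str.maketrans("ab", "01")), 2)
        if index >= len(alphabet):
            raise ValueError(f"group {group!r} is outside the table")
        plain.append(alphabet[index])
    return "".join(plain)

# Fields as listed in the post above.
CAPTURE = {
    "usr": "aaabb aaaaa aaaab abbab ababb aaaab",
    "passwd": "aabaa abbaa aaaba baaaa babba abbba baaba abaaa abbab "
              "abbaa baaaa aaaaa babaa abaab baaab",
    "url": "babab aabab abaab abbab aabbb aaaba",
}

def decode_capture(alphabet=ALPHABET_24):
    """Decode every captured field with the given table."""
    return {field: bacon_decode(text, alphabet)
            for field, text in CAPTURE.items()}

if __name__ == "__main__":
    print(decode_capture())             # 24-letter table matches the post
    print(decode_capture(ALPHABET_26))  # 26-letter table gives different text
```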

level7

Hint:

Browser check: Sorry, but you must use Microsoft Internet Explorer 7.66

Following the hint, we open the page in IE
