Ch3nyang's blog

home

home

person

about

hive

project

collections_bookmark

mindclip

rss_feed

rss

Try2Hack

calendar_month 2019-10
archive 安全
tag game

本文介绍了try2hack的部分通关方法(目前更新到level6,剩下的如果大家做出来了欢迎发在评论区)

level1

检查网页源代码

if (slp == "l4m3rz") {
    alert("Great! Go to the 2nd level...");
    location.href = "level2-room.htm";
}

passwd: l4m3rz

level2

右键被禁用,直接F12,看到

user="super_hacker";
password="dont_look_here";

不是这里,再看看

<input type="reset" value="Click if you want to continue" onclick="Tryi(testi.pass.value, testi.uzr.value)">

这里指向了名为 Tryi 的函数。我们看看这个函数

function Tryi(uzer,pswd){if(uzer=="ozzy" && pswd=="osburn"){alert("Great! Go to the 3d level...");location.href="level3-kbbe.htm";}else{alert("Wrong username and/or password. Go away...");location.href="about:blank";}}

这里是了好久都不对,最后发现用户名和密码是反过来的。。。

usr: osburn

passwd: ozzy

level3

先瞎输入一个,发现跳到了Disneyland😀

于是下载JavaScript文件,直接打开得到

PASSWORD = "try2hackrawks";
CORRECTSITE = "level4-kdnvxs.xhtml";
WRONGSITE = "http://www.disney.com";

level4

搜索passwd,找到

<object classid="java:PasswdLevel4.class" type="application/x-java-applet" height="370" width="330" >

下载PasswdLevel4.class,使用jd反编译,得到代码

import java.applet.Applet;
import java.awt.Button;
import java.awt.Font;
import java.awt.Label;
import java.awt.TextField;
import java.awt.event.ActionEvent;
import java.awt.event.ActionListener;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.MalformedURLException;
import java.net.URL;

public class PasswdLevel4 extends Applet implements ActionListener {
  private URL finalurl;
  
  String infile;
  
  String[] inuser = new String[22];
  
  int totno = 0;
  
  InputStream countConn = null;
  
  BufferedReader countData = null;
  
  URL inURL = null;
  
  TextField txtlogin = new TextField();
  
  Label label1 = new Label();
  
  Label label2 = new Label();
  
  Label label3 = new Label();
  
  TextField txtpass = new TextField();
  
  Label lblstatus = new Label();
  
  Button ButOk = new Button();
  
  Button ButReset = new Button();
  
  Label lbltitle = new Label();
  
  void ButOk_ActionPerformed(ActionEvent paramActionEvent) {
    boolean bool = false;
    for (byte b = 1; b <= this.totno / 2; b++) {
      if (this.txtlogin.getText().trim().toUpperCase().intern() == this.inuser[2 * (b - 1) + 2].trim().toUpperCase().intern() && this.txtpass.getText().trim().toUpperCase().intern() == this.inuser[2 * (b - 1) + 3].trim().toUpperCase().intern()) {
        this.lblstatus.setText("Login Success, Loading..");
        bool = true;
        String str1 = this.inuser[1].trim().intern();
        String str2 = getParameter("targetframe");
        if (str2 == null)
          str2 = "_self"; 
        try {
          this.finalurl = new URL(getCodeBase(), str1);
        } catch (MalformedURLException malformedURLException) {
          this.lblstatus.setText("Bad URL");
        } 
        getAppletContext().showDocument(this.finalurl, str2);
      } 
    } 
    if (!bool)
      this.lblstatus.setText("Invaild Login or Password"); 
  }
  
  void ButReset_ActionPerformed(ActionEvent paramActionEvent) {
    this.txtlogin.setText("");
    this.txtpass.setText("");
  }
  
  public void actionPerformed(ActionEvent paramActionEvent) {
    Object object = paramActionEvent.getSource();
    if (object == this.ButOk) {
      ButOk_ActionPerformed(paramActionEvent);
      return;
    } 
    if (object == this.ButReset)
      ButReset_ActionPerformed(paramActionEvent); 
  }
  
  public void destroy() {
    this.ButOk.setEnabled(false);
    this.ButReset.setEnabled(false);
    this.txtlogin.setVisible(false);
    this.txtpass.setVisible(false);
  }
  
  public void inFile() {
    try {
      this.countConn = this.inURL.openStream();
      this.countData = new BufferedReader(new InputStreamReader(this.countConn));
      String str;
      while ((str = this.countData.readLine()) != null) {
        if (this.totno < 21) {
          this.totno++;
          this.inuser[this.totno] = str;
          str = "";
          continue;
        } 
        this.lblstatus.setText("Cannot Exceed 10 users, Applet fail start!");
        destroy();
      } 
    } catch (IOException iOException) {
      getAppletContext().showStatus("IO Error:" + iOException.getMessage());
    } 
    try {
      this.countConn.close();
      this.countData.close();
      return;
    } catch (IOException iOException) {
      getAppletContext().showStatus("IO Error:" + iOException.getMessage());
      return;
    } 
  }
  
  public void init() {
    setLayout(null);
    setSize(361, 191);
    add(this.txtlogin);
    this.txtlogin.setBounds(156, 72, 132, 24);
    this.label1.setText("Please Enter Login Name & Password");
    this.label1.setAlignment(1);
    add(this.label1);
    this.label1.setFont(new Font("Dialog", 1, 12));
    this.label1.setBounds(41, 36, 280, 24);
    this.label2.setText("Login");
    add(this.label2);
    this.label2.setFont(new Font("Dialog", 1, 12));
    this.label2.setBounds(75, 72, 36, 24);
    this.label3.setText("Password");
    add(this.label3);
    add(this.txtpass);
    this.txtpass.setEchoChar('*');
    this.txtpass.setBounds(156, 108, 132, 24);
    this.lblstatus.setAlignment(1);
    this.label3.setFont(new Font("Dialog", 1, 12));
    this.label3.setBounds(75, 108, 57, 21);
    add(this.lblstatus);
    this.lblstatus.setFont(new Font("Dialog", 1, 12));
    this.lblstatus.setBounds(14, 132, 344, 24);
    this.ButOk.setLabel("OK");
    add(this.ButOk);
    this.ButOk.setFont(new Font("Dialog", 1, 12));
    this.ButOk.setBounds(105, 156, 59, 23);
    this.ButReset.setLabel("Reset");
    add(this.ButReset);
    this.ButReset.setFont(new Font("Dialog", 1, 12));
    this.ButReset.setBounds(204, 156, 59, 23);
    this.lbltitle.setAlignment(1);
    add(this.lbltitle);
    this.lbltitle.setFont(new Font("Dialog", 1, 12));
    this.lbltitle.setBounds(12, 14, 336, 24);
    String str = getParameter("title");
    this.lbltitle.setText(str);
    this.ButOk.addActionListener(this);
    this.ButReset.addActionListener(this);
    this.infile = new String("level4");
    try {
      this.inURL = new URL(getCodeBase(), this.infile);
    } catch (MalformedURLException malformedURLException) {
      getAppletContext().showStatus("Bad Counter URL:" + this.inURL);
    } 
    inFile();
  }
}

发现指向level4,故打开http://www.try2hack.nl/levels/level4,下载得到以下代码

level5-fdvbdf.xhtml
appletking
pieceofcake

level5

提示:

To pass this level, download this Visual Basic 3.0 program and enter the correct username/password to proceed to the next level.

我们按照提示下载文件,用专用的vb3.0反编译软件反编译(这软件只能在32位机上跑,只好VMware开个虚拟机)得到

Global Const gc0006 = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ.,:;-*+=~|&!_$#@()[]{}<\/>"
Global Const gc000A = "http://www.try2hack.nl/levels/level6-ksghvb.xhtml"

If  edtUsername = Mid(gc0006, 56, 1) & Mid(gc0006, 28, 1) & Mid(gc0006, 35, 1) & Mid(gc0006, 3, 1) & Mid(gc0006, 44, 1) & Mid(gc0006, 11, 1) & Mid(gc0006, 13, 1) & Mid(gc0006, 21, 1) Then
  If  edtPassword = Mid(gc0006, 45, 1) & Mid(gc0006, 48, 1) & Mid(gc0006, 25, 1) & Mid(gc0006, 32, 1) & Mid(gc0006, 15, 1) & Mid(gc0006, 40, 1) & Mid(gc0006, 25, 1) & Mid(gc0006, 14, 1) & Mid(gc0006, 19, 1) Then
    MsgBox "Level 6 can be found at: " & Left$(gc000A, 37) & Mid(gc0006, 21, 1) & Mid(gc0006, 14, 1) & Mid(gc0006, 29, 1) & Mid(gc0006, 32, 1) & Mid(gc0006, 12, 1) & Mid(gc0006, 14, 1) & Mid(gc000A, 44, 6), 0, "Horray!"
    End
  End If
End If

输入http://www.try2hack.nl/levels/level6-ksghvb.xhtml

发现是错的

NOT LEVEL 6
Search harder.

看来上面那个网址是错误的,于是对照程序翻译下面的代码,得到

url: http://www.try2hack.nl/levels/level6-kdsvbd.xhtml usr: Try2Hack passwd: ILoveDodi

level6

提示:

To pass this level, download this Visual Basic 6.0 program and enter the correct username/password to proceed to the next level.

我们按照提示下载文件,用vbd反编译,结果发现软件加壳了,破解失败

于是打开改软件,看到是可以联网的,直接用wireshark抓包分析后得到

(ENCRYPTION TYPE)
B*C*N**N

(USERNAME)
aaabb aaaaa aaaab abbab ababb aaaab

(PASSWORD)
aabaa abbaa aaaba baaaa babba abbba baaba abaaa abbab abbaa baaaa aaaaa babaa abaab baaab

(PAGE)
babab aabab abaab abbab aabbb aaaba

这是培根加密,我们对照密码表解密得到

usr: dabomb passwd: encryptionrawks url: xfkohc

level7

提示:

Browser check: Sorry, but you must use Microsoft Internet Explorer 7.66

根据提示,我们用ie打开网页

Comments

Share This Post