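Burp Suite is a software security application used for penetration testing of web applications.
- Wikipedia -
Burp Suite is software that, acting as a proxy, can monitor and tamper with web requests and responses, and it also offers a variety of other utility features.
A proxy server (English: proxy server; North Korean standard language: 대리봉사기) is a computer system or application that lets a client connect indirectly to other network services through it. Carrying out communication on another's behalf as a relay between server and client is called a 'proxy', and the thing that performs that relay function is called a proxy server.
- Wikipedia -
In other words, my PC sends the request to the proxy, and the proxy forwards it on to the original destination.
This structure makes it possible to tamper with and monitor requests and responses along the way.
How to use Burp Suite
Click Open browser at the top, then click "intercept is off" to switch it to on.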
The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!)
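The password is in data.txt, which has been hexdumped. The file is also compressed.
Create a folder under /tmp, cp the dump file there, rename it, and decompress it.
In other words, data.txt was produced from a certain password file like this:
password file ------[compress] ---> compressed file -------> [hexdump] -------> data.txt
What I need to do is: data.txt ------[reverse the hex] ----> data.zip (? the extension may differ) -------[decompress] ----> password.txt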
drwxrwxr-x 2 bandit12 bandit12 4096 Nov 15 02:25 ./
drwxrwx-wt 198 root root 405504 Nov 15 02:26 ../
-rw-r----- 1 bandit12 bandit12 2582 Nov 15 02:25 data.txt
bandit12@bandit:/tmp/patrache123$ pwd
/tmp/patrache123
A hexdump means outputting data in hexadecimal form. It is mainly used to display the contents of memory or of a file on a computer system.
bandit12@bandit:/tmp/patrache123$ xxd --help
Usage:
xxd [options] [infile [outfile]]
or
xxd -r [-s [-]offset] [-c cols] [-ps] [infile [outfile]]
Options:
-a toggle autoskip: A single '*' replaces nul-lines. Default off.
-b binary digit dump (incompatible with -ps,-i,-r). Default hex.
-C capitalize variable names in C include file style (-i).
-c cols format <cols> octets per line. Default 16 (-i: 12, -ps: 30).
-E show characters in EBCDIC. Default ASCII.
-e little-endian dump (incompatible with -ps,-i,-r).
-g bytes number of octets per group in normal output. Default 2 (-e: 4).
-h print this summary.
-i output in C include file style.
-l len stop after <len> octets.
-o off add <off> to the displayed file position.
-ps output in postscript plain hexdump style.
-r reverse operation: convert (or patch) hexdump into binary.
xxd -r: converts a hex file to binary.
bandit12@bandit:/tmp/patrache123$ bandit12@bandit:/tmp/patrache123$ xxd -r data.txt >> a
bandit12@bandit:/tmp/patrache123$ ll
total 412
drwxrwxr-x 2 bandit12 bandit12 4096 Nov 15 03:45 ./
drwxrwx-wt 225 root root 405504 Nov 15 03:45 ../
-rw-rw-r-- 1 bandit12 bandit12 606 Nov 15 03:45 a
-rw-r----- 1 bandit12 bandit12 2582 Nov 15 02:25 data.txt
bandit12@bandit:/tmp/patrache123$ file a
a: gzip compressed data, was "data2.bin", last modified: Thu Oct 5 06:19:20 2023, max compression, from Unix, original size modulo 2^32 573
hex -> converted to bin (binary)
file a: it is compressed with gzip.
Let's change the extension with mv a a.gz and then try gzip -d a.gz.
bandit12@bandit:/tmp/patrache123$ bandit12@bandit:/tmp/patrache123$ mv a a.gz
bandit12@bandit:/tmp/patrache123$ ll
total 412
drwxrwxr-x 2 bandit12 bandit12 4096 Nov 15 03:47 ./
drwxrwx-wt 225 root root 405504 Nov 15 03:47 ../
-rw-rw-r-- 1 bandit12 bandit12 606 Nov 15 03:45 a.gz
-rw-r----- 1 bandit12 bandit12 2582 Nov 15 02:25 data.txt
bandit12@bandit:/tmp/patrache123$ gzip -d a.gz
bandit12@bandit:/tmp/patrache123$ ll
total 412
drwxrwxr-x 2 bandit12 bandit12 4096 Nov 15 03:47 ./
drwxrwx-wt 225 root root 405504 Nov 15 03:47 ../
-rw-rw-r-- 1 bandit12 bandit12 573 Nov 15 03:45 a
-rw-r----- 1 bandit12 bandit12 2582 Nov 15 02:25 data.txt
bandit12@bandit:/tmp/patrache123$ file a
a: bzip2 compressed data, block size = 900k
bandit12@bandit:/tmp/patrache123$
???????????????
that has been repeatedly compressed.
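I thought that sentence in the hint said "repeatedly" because of the hexdump plus the compression, but it really has been compressed multiple times.....
I looked up the extension for bzip and it is said to be bz2. Let's rename with mv a a.bz2 and decompress.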
bandit12@bandit:/tmp/patrache123$ mv a a.bz2
bandit12@bandit:/tmp/patrache123$ bzip
Command 'bzip' not found, but there are 20 similar ones.
bandit12@bandit:/tmp/patrache123$ bzip2
bzip2: I won't write compressed data to a terminal.
bzip2: For help, type: `bzip2 --help'.
bandit12@bandit:/tmp/patrache123$ bzip2 --help
bzip2, a block-sorting file compressor. Version 1.0.8, 13-Jul-2019.
usage: bzip2 [flags and input files in any order]
-h --help print this message
-d --decompress force decompression
-z --compress force compression
-k --keep keep (don't delete) input files
-f --force overwrite existing output files
-t --test test compressed file integrity
-c --stdout output to standard out
-q --quiet suppress noncritical error messages
-v --verbose be verbose (a 2nd -v gives more)
-L --license display software version & license
-V --version display software version & license
-s --small use less memory (at most 2500k)
-1 .. -9 set block size to 100k .. 900k
--fast alias for -1
--best alias for -9
If invoked as `bzip2', default action is to compress.
as `bunzip2', default action is to decompress.
as `bzcat', default action is to decompress to stdout.
If no file names are given, bzip2 compresses or decompresses
from standard input to standard output. You can combine
short flags, so `-v -4' means the same as -v4 or -4v, &c.
bandit12@bandit:/tmp/patrache123$ bzip2 -d a.bz2
bandit12@bandit:/tmp/patrache123$ ll
total 412
drwxrwxr-x 2 bandit12 bandit12 4096 Nov 15 03:50 ./
drwxrwx-wt 225 root root 405504 Nov 15 03:50 ../
-rw-rw-r-- 1 bandit12 bandit12 431 Nov 15 03:45 a
-rw-r----- 1 bandit12 bandit12 2582 Nov 15 02:25 data.txt
bandit12@bandit:/tmp/patrache123$ file
Usage: file [-bcCdEhikLlNnprsSvzZ0] [--apple] [--extension] [--mime-encoding]
[--mime-type] [-e <testname>] [-F <separator>] [-f <namefile>]
[-m <magicfiles>] [-P <parameter=value>] [--exclude-quiet]
<file> ...
file -C [-m <magicfiles>]
file [--help]
bandit12@bandit:/tmp/patrache123$ file a
a: gzip compressed data, was "data4.bin", last modified: Thu Oct 5 06:19:20 2023, max compression, from Unix, original size modulo 2^32 20480
bandit12@bandit:/tmp/patrache123$
Argh.... it is compressed with gzip again...... Let's rename a back to a.gz and decompress.
total 428
drwxrwxr-x 2 bandit12 bandit12 4096 Nov 15 03:52 ./
drwxrwx-wt 227 root root 405504 Nov 15 03:52 ../
-rw-rw-r-- 1 bandit12 bandit12 20480 Nov 15 03:45 a
-rw-r----- 1 bandit12 bandit12 2582 Nov 15 02:25 data.txt
bandit12@bandit:/tmp/patrache123$ file a
a: POSIX tar archive (GNU)
bandit12@bandit:/tmp/patrache123$ cat a
data5.bin0000644000000000000000000002400014507452550011247 0ustar rootrootdata6.bin0000644000000000000000000000033114507452550011251 0J═!�1����&�═2i6��I�P2═���@═�@4═��k�╗╗ʀ@��8M|�V1@��P����2[j.�v'�1�s���T╗TI��V�*�A�^O
�⛝╗���5P�����a��'1�U^Gl~BH��rE8P�╝╚��bandit12@bandit:/tmp/patrache123$
Is this for real... this time it's tar....
bandit12@bandit:/tmp/patrache123$ tar -xvf a.tar
data5.bin
bandit12@bandit:/tmp/patrache123$ ll
total 440
drwxrwxr-x 2 bandit12 bandit12 4096 Nov 15 03:57 ./
drwxrwx-wt 230 root root 405504 Nov 15 03:57 ../
-rw-rw-r-- 1 bandit12 bandit12 20480 Nov 15 03:45 a.tar
-rw-r--r-- 1 bandit12 bandit12 10240 Oct 5 06:19 data5.bin
-rw-r----- 1 bandit12 bandit12 2582 Nov 15 02:25 data.txt
bandit12@bandit:/tmp/patrache123$ file data
data: cannot open `data' (No such file or directory)
bandit12@bandit:/tmp/patrache123$ file data.5
data.5: cannot open `data.5' (No such file or directory)
bandit12@bandit:/tmp/patrache123$ file data.5
data.5: cannot open `data.5' (No such file or directory)
bandit12@bandit:/tmp/patrache123$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@bandit:/tmp/patrache123$ ^C
bandit12@bandit:/tmp/patrache123$
tar again. Let's keep repeating.
bandit12@bandit:/tmp/patrache123$ tar -xvf data5.tar
data6.bin
bandit12@bandit:/tmp/patrache123$ ll
total 444
drwxrwxr-x 2 bandit12 bandit12 4096 Nov 15 03:59 ./
drwxrwx-wt 230 root root 405504 Nov 15 03:59 ../
-rw-rw-r-- 1 bandit12 bandit12 20480 Nov 15 03:45 a.tar
-rw-r--r-- 1 bandit12 bandit12 10240 Oct 5 06:19 data5.tar
-rw-r--r-- 1 bandit12 bandit12 217 Oct 5 06:19 data6.bin
-rw-r----- 1 bandit12 bandit12 2582 Nov 15 02:25 data.txt
bandit12@bandit:/tmp/patrache123$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
bzip....
bandit12@bandit:/tmp/patrache123$ bzip2 -d data.bz2
bandit12@bandit:/tmp/patrache123$ ll
total 452
drwxrwxr-x 2 bandit12 bandit12 4096 Nov 15 04:00 ./
drwxrwx-wt 231 root root 405504 Nov 15 04:00 ../
-rw-rw-r-- 1 bandit12 bandit12 20480 Nov 15 03:45 a.tar
-rw-r--r-- 1 bandit12 bandit12 10240 Oct 5 06:19 data
-rw-r--r-- 1 bandit12 bandit12 10240 Oct 5 06:19 data5.tar
-rw-r----- 1 bandit12 bandit12 2582 Nov 15 02:25 data.txt
bandit12@bandit:/tmp/patrache123$ file data
data: POSIX tar archive (GNU)
tar
bandit12@bandit:/tmp/patrache123$ mv data a.tar
bandit12@bandit:/tmp/patrache123$ ll
total 432
drwxrwxr-x 2 bandit12 bandit12 4096 Nov 15 04:01 ./
drwxrwx-wt 234 root root 405504 Nov 15 04:01 ../
-rw-r--r-- 1 bandit12 bandit12 10240 Oct 5 06:19 a.tar
-rw-r--r-- 1 bandit12 bandit12 10240 Oct 5 06:19 data5.tar
-rw-r----- 1 bandit12 bandit12 2582 Nov 15 02:25 data.txt
bandit12@bandit:/tmp/patrache123$ tar -xvf a.tar
data8.bin
bandit12@bandit:/tmp/patrache123$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", last modified: Thu Oct 5 06:19:20 2023, max compression, from Unix, original size modulo 2^32 49
bandit12@bandit:/tmp/patrache123$ ^C
gzip....
bandit12@bandit:/tmp/patrache123$ ll
total 436
drwxrwxr-x 2 bandit12 bandit12 4096 Nov 15 04:03 ./
drwxrwx-wt 235 root root 405504 Nov 15 04:03 ../
-rw-r--r-- 1 bandit12 bandit12 49 Oct 5 06:19 a
-rw-r--r-- 1 bandit12 bandit12 10240 Oct 5 06:19 a.tar
-rw-r--r-- 1 bandit12 bandit12 10240 Oct 5 06:19 data5.tar
-rw-r----- 1 bandit12 bandit12 2582 Nov 15 02:25 data.txt
bandit12@bandit:/tmp/patrache123$ file a
a: ASCII text
bandit12@bandit:/tmp/patrache123$ cat a
The password is wbWdlBxEir4CaE8LaPhauuOo6pwRmrDw
bandit12@bandit:/tmp/patrache123$
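As an added example (not part of the original post), here is the same peel-by-type loop in Python: it reverses the xxd dump, identifies each layer by the magic bytes that `file` reports on, and unwraps gzip, bzip2 and tar in memory until plain data remains. The sample input and the helper names (`xxd_dump`, `xxd_reverse`, `layer_type`, `peel`, `build_sample`) are constructed for this example.

```python
import bz2, gzip, io, tarfile

def xxd_dump(data):  # sample builder only: default `xxd` line layout
    rows = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexs = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{off:08x}: {hexs:<39}  {text}")
    return "\n".join(rows)

def xxd_reverse(dump):  # what `xxd -r` does: keep each line's hex column
    out = bytearray()
    for line in dump.splitlines():
        if ":" in line:  # layout is "offset: hex groups  ascii"
            out += bytes.fromhex(line.split(":", 1)[1].split("  ", 1)[0])
    return bytes(out)

# (offset, signature, name): the magic bytes behind what `file` reports
MAGIC = ((0, b"\x1f\x8b", "gzip"), (0, b"BZh", "bzip2"), (257, b"ustar", "tar"))

def layer_type(blob):
    return next((n for o, s, n in MAGIC if blob[o:o + len(s)] == s), "data")

def peel(blob, max_layers=32):  # returns (payload, layer names in order)
    seen = []
    for _ in range(max_layers):  # cap guards against endless nesting
        kind = layer_type(blob)
        if kind == "data":
            return blob, seen
        if kind == "gzip":
            blob = gzip.decompress(blob)
        elif kind == "bzip2":
            blob = bz2.decompress(blob)
        else:  # tar: read the first regular member in memory, not to disk
            with tarfile.open(fileobj=io.BytesIO(blob)) as tf:
                blob = tf.extractfile(next(m for m in tf if m.isfile())).read()
        seen.append(kind)
    raise ValueError("more layers than max_layers")

def build_sample():  # constructed: text -> gzip -> tar -> bzip2 -> gzip -> xxd
    inner = gzip.compress(b"The password is CONSTRUCTED-SAMPLE\n")
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo("data8.bin")
        info.size = len(inner)
        tf.addfile(info, io.BytesIO(inner))
    return xxd_dump(gzip.compress(bz2.compress(buf.getvalue())))
```

Calling `peel(xxd_reverse(build_sample()))` returns the constructed text together with the list of layers it removed; on the real level, the input would be the contents of data.txt.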