《Catch Me If You Can》靶机实战教学文档<\/h1>

靶机概述<\/h2>
本靶机基于电影《Catch Me If You Can》设计，包含8个flag，形式为`flag{MD5 Hash}<\/code>。目标是通过各种渗透测试技术找到并解密这些flag。<\/p>`

环境配置<\/h2>

靶机下载地址<\/strong>: VulnHub链接<\/a><\/li>
网络配置<\/strong>: 使用VMware导入ova文件，NAT方式连接<\/li>
IP地址<\/strong>:

靶机IP: 192.168.128.138<\/li>
攻击机IP: 192.168.128.128<\/li>
<\/ul>
<\/li>
<\/ul>
Flag获取与解密流程<\/h2>
Flag #1: 十六进制解码<\/h3>
提示<\/strong>: Don't go Home Frank! There's a Hex on Your House.<\/p>

使用nmap扫描发现开放端口<\/li>
访问网站源码发现隐藏目录<\/li>
在文件中找到十六进制编码的flag:
666c61677b37633031333230373061306566373164353432363633653964633166356465657d
<\/code><\/pre>
<\/li>
使用xxd命令解码:
echo 666c61677b37633031333230373061306566373164353432363633653964633166356465657d | xxd -r -p
<\/span><\/span><\/code><\/pre><\/li>
获得flag: flag{7c0132070a0ef71d542663e9dc1f5dee}<\/code><\/li>
MD5解密线索: "nmap"<\/li>
<\/ol>
Flag #2: SSH端口发现<\/h3>
提示<\/strong>: Obscurity or Security?<\/p>

根据Flag1线索，使用nmap扫描所有65535端口<\/li>
发现22222端口运行SSH服务<\/li>
通过SSH连接获取flag: Flag{53c82eba31f6d416f331de9162ebe997}<\/code><\/li>
MD5解密线索: "encrypt"<\/li>
<\/ol>
Flag #3: SSL证书检查<\/h3>
提示<\/strong>: Be Careful Agent, Frank Has Been Known to Intercept Traffic Our Traffic.<\/p>

检查SSL证书<\/li>
在证书中找到flag: flag3{f82366a9ddc064585d54e3f78bde3221}<\/code><\/li>
MD5解密线索: "personnel"<\/li>
<\/ol>
Flag #4: 用户代理欺骗<\/h3>
提示<\/strong>: A Good Agent is Hard to Find.<\/p>

发现\/oldIE\/html5.js<\/code>文件包含提示信息<\/li>
使用Burp修改User-Agent为IE4:
User-Agent: Mozilla\/4.0 (compatible; MSIE 4.0; Windows 95)
<\/code><\/pre>
<\/li>
访问FBI门户网站找到flag: flag{14e10d570047667f904261e6d08f520f}<\/code><\/li>
MD5解密线索: "evidence"<\/li>
<\/ol>
Flag #5: 目录爆破与认证<\/h3>
提示<\/strong>: The Devil is in the Details - Or is it Dialogue? Either Way, if it's Simple, Guessable, or Personal it Goes Against Best Practices<\/p>

访问\/newevidence<\/code>目录<\/li>
仍需要使用IE4用户代理<\/li>
使用电影相关用户名密码组合:

用户名: carl.hanratty<\/li>
密码: Grace<\/li>
<\/ul>
<\/li>
获取flag: flag{117c240d49f54096413dd64280399ea9}<\/code><\/li>
MD5解密线索: "panam"<\/li>
<\/ol>
Flag #6: 文件分析<\/h3>
提示<\/strong>: Where in the World is Frank?<\/p>

访问\/panam<\/code>目录下载image.jpg<\/li>
在图片中找到flag: flag{d1e5146b171928731385eb7ea38c37b8}<\/code><\/li>
MD5解密线索: "ILoveFrance"<\/li>
<\/ol>
Flag #7: SSH暴力破解<\/h3>
提示<\/strong>: Frank Was Caught on Camera Cashing Checks and Yelling - I'm The Fastest Man Alive!<\/p>

根据线索尝试SSH登录:

用户名: barry.allen 或 barryallen<\/li>
密码: iheartbrenda<\/li>
<\/ul>
<\/li>
成功登录获取flag: flag{bd2f6a1d5242c962a05619c56fa47ba6}<\/code><\/li>
发现security-system.data<\/code>大文件<\/li>
MD5解密线索: "theflash"<\/li>
<\/ol>
Flag #8: 内存取证分析<\/h3>
提示<\/strong>: Franks Lost His Mind or Maybe it's His Memory. He's Locked Himself Inside the Building. Find the Code to Unlock the Door Before He Gets Himself Killed!<\/p>

使用scp下载security-system.data<\/code>文件:
scp -P 22222<\/span> barryallen@192.168.128.138:\/home\/barryallen\/security-system.data ~\/
<\/span><\/span><\/code><\/pre><\/li>
使用Volatility工具分析内存映像<\/li>
在桌面发现code.txt<\/code>文件<\/li>
解码十六进制数据:
echo 66<\/span> 6c 61<\/span> 67<\/span> 7b 38<\/span> 34<\/span> 31<\/span> 64<\/span> 64<\/span> 33<\/span> 64<\/span> 62<\/span> 32<\/span> 39<\/span> 62<\/span> 30<\/span> 66<\/span> 62<\/span> 62<\/span> 64<\/span> 38<\/span> 39<\/span> 63<\/span> 37<\/span> 62<\/span> 35<\/span> 62<\/span> 65<\/span> 37<\/span> 36<\/span> 38<\/span> 63<\/span> 64<\/span> 63<\/span> 38<\/span> 31<\/span> 7d | xxd -r -p
<\/span><\/span><\/code><\/pre><\/li>
最终flag: flag{841dd3db29b0fbbd89c7b5be768cdc81}<\/code><\/li>
MD5解密线索: "Twolittlemice"<\/li>
<\/ol>
关键工具与技术<\/h2>

nmap<\/strong>: 端口扫描与发现<\/li>
xxd<\/strong>: 十六进制解码<\/li>
Burp Suite<\/strong>: 修改HTTP请求头<\/li>
Hydra<\/strong>: 密码爆破尝试<\/li>
Volatility<\/strong>: 内存取证分析<\/li>
scp<\/strong>: 文件传输<\/li>
MD5解密<\/strong>: 获取下一步线索<\/li>
<\/ol>
难点与解决方案<\/h2>


IE4用户代理要求<\/strong>:<\/p>

使用Burp修改User-Agent头<\/li>
关键User-Agent值: Mozilla\/4.0 (compatible; MSIE 4.0; Windows 95)<\/code><\/li>
<\/ul>
<\/li>

非标准SSH端口<\/strong>:<\/p>

全面端口扫描发现22222端口<\/li>
使用-P<\/code>参数指定端口连接<\/li>
<\/ul>
<\/li>

内存取证分析<\/strong>:<\/p>

识别security-system.data<\/code>为内存映像<\/li>
使用Volatility工具提取关键信息<\/li>
<\/ul>
<\/li>
<\/ol>
总结<\/h2>
本靶机涵盖了多种渗透测试技术:<\/p>

信息收集与枚举<\/li>
隐蔽服务发现<\/li>
Web应用安全测试<\/li>
社会工程学密码猜测<\/li>
内存取证分析<\/li>
<\/ul>
特别强调了社会工程学在安全测试中的重要性，正如电影主题所示，人性的弱点往往是安全链中最薄弱的环节。<\/p>

《Catch Me If You Can》靶机实战教学文档<\/h1>

靶机概述<\/h2> 本靶机基于电影《Catch Me If You Can》设计，包含8个flag，形式为flag{MD5 Hash}<\/code>。目标是通过各种渗透测试技术找到并解密这些flag。<\/p>

Flag获取与解密流程<\/h2>

靶机概述<\/h2>
本靶机基于电影《Catch Me If You Can》设计，包含8个flag，形式为`flag{MD5 Hash}<\/code>。目标是通过各种渗透测试技术找到并解密这些flag。<\/p>`