欢迎来到我的writeup分享！我希望大家不要只关注结果或答案，而是通过耐心阅读，尝试逆向工程理解背后的运作原理。在这里，你不仅能找到解题的思路，还能学到更多与Hack The Box等平台相关的技术和技巧，期待与你们一起成长为更优秀的黑客！

废话不多说，我们开始解题啦~

---

Objective | 目标

The goal of this task was to simulate user behavior, bypass the frontend interface, and interact directly with the backend to retrieve the flag by analyzing HTTP requests and responses.

目标是模拟用户行为，绕过前端界面，直接与后台交互，通过分析 HTTP 请求和响应获取 flag。

---

Environment Setup | 环境设置

1. Target URL | 目标地址:
   http://94.237.62.184:57129/
2. Credentials | 登录凭据:
   Username: admin
   Password: admin

---

Steps | 操作步骤

Step 1: Authentication via cURL | 使用 cURL 登录

Run the following command in the terminal to authenticate and verify the server is accessible:

在终端运行以下命令进行身份验证并确认服务器可访问：

curl -u admin:admin http://94.237.62.184:57129/

Explanation | 解释:

• curl: Command-line tool for making HTTP requests.
  用于发送 HTTP 请求的命令行工具。
• -u admin:admin: Sends the Basic Authentication credentials (admin and admin).
  使用 Basic Auth 方式发送用户名和密码。
• http://94.237.62.184:57129/: The target URL to test server access.
  目标服务器的 URL。

Result | 结果: This verifies that the credentials are valid and the server is accessible.

验证凭据有效，并确认服务器可以访问。

---

Step 2: Inspect script.js for Search Functionality | 在 script.js 中检查搜索功能

1. Open the browser and visit the target URL.
   打开浏览器并访问目标 URL：

   http://94.237.62.184:57129/
   

2. Open the Developer Tools in the browser (Ctrl+Shift+I or Cmd+Option+I) and navigate to the Sources tab.
   打开浏览器的 开发者工具，切换到 Sources 标签页。

3. Look for the file script.js. Search within it for search.
   找到 script.js 文件，并在其中搜索关键字 search。

Observation | 观察:
You will find the following code:

fetch(`/search.php?search=${input.val()}`);

This indicates that the backend search functionality is handled via the /search.php endpoint with a parameter search.

这说明后台搜索功能通过 /search.php 接口处理，参数为 search。

---

Step 3: Send the cURL Request | 发送 cURL 请求

Use the knowledge from the script.js file to directly construct a search query for flag:

根据 script.js 文件的信息，直接构造搜索 flag 的请求：

curl 'http://94.237.62.184:57129/search.php?search=flag' -H 'Authorization: Basic YWRtaW46YWRtaW4='

Explanation | 解释:

• 'http://94.237.62.184:57129/search.php?search=flag': Sends a request to the search.php endpoint with the flag parameter.

  发送带有 search=flag 参数的请求到 search.php。

• -H 'Authorization: Basic YWRtaW46YWRtaW4=': Adds an HTTP header for Basic Authentication, where YWRtaW46YWRtaW4= is the Base64 encoding of admin:admin.

  添加 HTTP 认证头，其中 YWRtaW46YWRtaW4= 是用户名和密码 admin:admin 的 Base64 编码。

Result | 结果: The command returns the flag in the response:

命令返回响应，其中包含 flag：

HTB{curl_g3773r}

---

Why This Works | 背后原理

1. Backend APIs Are Exposed | 后端接口暴露:
   The /search.php endpoint is directly accessible and processes input without strict validation or user restrictions.

   /search.php 接口可以直接访问，并处理输入，而没有严格的验证或用户权限限制。

2. Bypassing the Frontend | 绕过前端:
   Instead of interacting with the frontend (browser), we directly sent requests to the backend using curl. This allows us to bypass restrictions or additional checks imposed by the frontend.

   我们绕过浏览器前端的交互，直接使用 curl 向后端发送请求，从而绕过了前端的限制或额外验证。

3. Understanding HTTP Basics | HTTP 基础原理:
   By analyzing script.js, we identified how the application communicates with the backend. This is a common way to understand and exploit poorly protected APIs.

   通过分析 script.js，我们理解了应用如何与后端通信。这是理解并利用保护不当的 API 的常见方法。

---

Applications in Real Life | 实际应用

1. For Ethical Hacking and Penetration Testing | 用于道德黑客和渗透测试:

   • These techniques are used to identify and report security vulnerabilities in websites.
     这些技术用于识别并报告网站的安全漏洞。
   • For example, poorly protected APIs can expose sensitive user data or allow unauthorized access.
     例如，保护不当的 API 可能暴露敏感用户数据或允许未经授权的访问。

2. To Protect Your Own Website | 用于保护自己的网站:

   • Ensure all backend endpoints require authentication and validate user inputs.
     确保所有后端接口需要认证，并验证用户输入。
   • Avoid exposing sensitive APIs or debug functionalities to public access.
     避免向公众开放敏感 API 或调试功能。

---

Conclusion | 结论

1. We successfully retrieved the flag by directly interacting with the backend API.

   我们通过直接与后端 API 交互成功获取了 flag。

2. This process demonstrated how developers can unintentionally expose vulnerabilities, highlighting the importance of secure API design.

   此过程展示了开发者如何无意中暴露漏洞，强调了安全 API 设计的重要性。