The first CTF I played after the term started. The site was unbearably slow, a VPN didn't help, and in the evening the whole college's education network went down.

cr4ck

We are given a single file; binwalk shows what is packed inside it:

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             ELF, 64-bit LSB executable, AMD x86-64, version 1 (SYSV)
1536          0x600           PNG image, 640 x 400, 8-bit/color RGBA, non-interlaced
1659          0x67B           Zlib compressed data, best compression
122104        0x1DCF8         LZMA compressed data, properties: 0x89, dictionary size: 16777216 bytes, uncompressed size: 100663296 bytes
122296        0x1DDB8         LZMA compressed data, properties: 0xA3, dictionary size: 16777216 bytes, uncompressed size: 100663296 bytes
122488        0x1DE78         LZMA compressed data, properties: 0xBF, dictionary size: 16777216 bytes, uncompressed size: 33554432 bytes

There is clearly a PNG embedded at offset 1536, so carve it out with dd. The image runs from 1536 up to the next hit at 122104, so count = 122104 - 1536 = 120568:

dd if=cr4ck of=test.png bs=1 skip=1536 count=120568
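binwalk's offsets tell you where the PNG starts, but the "end" used above is just the next signature hit, which is only correct when nothing else is between the two. A more reliable way to size the image is to walk the PNG chunk list (length, type, data, CRC) until IEND and verify each CRC. The following is an added example, not code from the writeup; the embedded sample blob is constructed in the script (an ELF-looking prefix, a tiny generated PNG at offset 1536, then filler bytes standing in for the LZMA data):

```python
import struct
import sys
import zlib
from typing import List, Optional, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def carve_png(blob: bytes, start: int = 0) -> Optional[Tuple[int, bytes]]:
    """Find the first PNG at or after `start` and return (offset, png_bytes).

    The end of the image is found by walking its chunks until IEND; every
    chunk CRC is checked, so a truncated or corrupted image yields None
    instead of a blindly carved file.
    """
    off = blob.find(PNG_SIG, start)
    if off < 0:
        return None
    pos = off + len(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        chunk_end = pos + 8 + length + 4  # header + data + CRC
        if chunk_end > len(blob):
            return None  # chunk runs past end of file: truncated image
        (crc,) = struct.unpack(">I", blob[chunk_end - 4:chunk_end])
        if zlib.crc32(blob[pos + 4:chunk_end - 4]) != crc:
            return None  # CRC covers type + data; mismatch means corruption
        pos = chunk_end
        if ctype == b"IEND":
            return off, blob[off:pos]
    return None


def carve_all_pngs(blob: bytes) -> List[Tuple[int, bytes]]:
    """Carve every well-formed PNG in the blob, in file order."""
    found = []
    start = 0
    while (hit := carve_png(blob, start)) is not None:
        found.append(hit)
        start = hit[0] + len(hit[1])
    return found


def _chunk(ctype: bytes, data: bytes) -> bytes:
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))


def make_png(width: int = 2, height: int = 2) -> bytes:
    """Build a small valid 8-bit RGBA PNG (all red) for the constructed sample."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    scanlines = b"".join(b"\x00" + b"\xff\x00\x00\xff" * width for _ in range(height))
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanlines, 9)) + _chunk(b"IEND", b""))


# Constructed stand-in for cr4ck: ELF-looking prefix, PNG at offset 1536,
# then filler bytes in place of the LZMA streams (not a real LZMA stream).
SAMPLE = b"\x7fELF" + b"\x00" * 1532 + make_png() + b"\x5d\x00\x00\x00\x01" * 8


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for i, (off, png) in enumerate(carve_all_pngs(data)):
        out = f"carved_{i}.png"
        open(out, "wb").write(png)
        print(f"{out}: offset {off} (0x{off:x}), {len(png)} bytes")
```

Run it with the challenge file as the argument to carve every PNG by its real chunk boundary; with no argument it carves the built-in sample.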

Open the image and the flag is right there:

flag{didin’tknowflagscouldbeinimages}

Thrown off by that wording, I forgot to add the flag{} wrapper when submitting, and spent a whole database lecture digging through the LZMA streams that followed.

malicious

A zip archive. Extracting it directly only yields a README.txt with the content:

WE NEED TO GO DEEPER!!

binwalk shows a second zip archive hidden after the first one:

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Zip archive data, at least v2.0 to extract, compressed size: 25, uncompressed size: 23, name: README.txt
121           0x79            End of Zip archive
143           0x8F            Zip archive data, at least v2.0 to extract, compressed size: 44, uncompressed size: 52, name: flag.txt
279           0x117           End of Zip archive

Carve it out with dd again; skip=143 is the offset of the second archive, and no count is needed because it runs to the end of the file:

dd if=malicious_0a5aca19667459c2b75c384d7a6af48f.zip of=flag.zip bs=1 skip=143

That gives a zip archive whose flag.txt contains:

666c61677b6b3333705f75705f793075725f7a6970703372357d

Decoding the hex as ASCII gives the flag:
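The dd step above relies on binwalk having spotted the second local file header. A zip can also be located from the other end: its End of Central Directory record stores the central directory's size and its offset from the archive start, so start = eocd - cd_size - cd_offset, which is exact even when the archive is appended to other data. The following is an added example, not code from the writeup; it enumerates every archive in a blob, reads flag.txt from the last one and hex-decodes it. The sample is constructed in the script as two zips written back to back with the same contents the writeup reports:

```python
import io
import struct
import zipfile
from typing import List, Tuple

EOCD_SIG = b"PK\x05\x06"
LOCAL_SIG = b"PK\x03\x04"


def find_zip_archives(blob: bytes) -> List[Tuple[int, int]]:
    """Return (start, end) byte ranges of every zip archive embedded in blob."""
    ranges = []
    pos = 0
    while (eocd := blob.find(EOCD_SIG, pos)) >= 0:
        pos = eocd + 4
        if eocd + 22 > len(blob):
            break
        # disk no, cd disk, entries (disk), entries (total), cd size, cd offset, comment len
        _, _, _, _, cd_size, cd_offset, comment_len = struct.unpack(
            "<HHHHIIH", blob[eocd + 4:eocd + 22])
        start = eocd - cd_size - cd_offset
        end = eocd + 22 + comment_len
        # A real archive begins with a local file header; this filters false hits.
        if start >= 0 and blob[start:start + 4] == LOCAL_SIG:
            ranges.append((start, end))
    return ranges


def read_member(blob: bytes, rng: Tuple[int, int], name: str) -> bytes:
    start, end = rng
    with zipfile.ZipFile(io.BytesIO(blob[start:end])) as zf:
        return zf.read(name)


def decode_hex_flag(text: str) -> str:
    """flag.txt holds the flag as hex-encoded ASCII."""
    return bytes.fromhex(text.strip()).decode("ascii")


def solve(blob: bytes) -> str:
    archives = find_zip_archives(blob)
    if len(archives) < 2:
        raise ValueError("expected a second zip appended after the first")
    return decode_hex_flag(read_member(blob, archives[-1], "flag.txt").decode())


def _zip_with(name: str, content: str) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()


# Constructed stand-in for the challenge file: two archives concatenated.
SAMPLE = _zip_with("README.txt", "WE NEED TO GO DEEPER!!\n") + _zip_with(
    "flag.txt", "666c61677b6b3333705f75705f793075725f7a6970703372357d")


if __name__ == "__main__":
    for start, end in find_zip_archives(SAMPLE):
        print(f"archive at {start}..{end}")
    print(solve(SAMPLE))
```

Python's own zipfile applies the same EOCD arithmetic, which is why opening the whole concatenated file with zipfile.ZipFile silently gives you the last archive; the function here lists all of them so nothing earlier is missed.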

flag{k33p_up_y0ur_zipp3r5}

SimplyBlack

The image is entirely black to the eye.

Open it in Stegsolve and step through its plane views; the flag shows up in one of them:
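What Stegsolve's plane views do is isolate a single bit of a single colour channel, so a picture whose pixels are all 0 or 1 looks black but can carry an image in its least significant bit. The following is an added example, not code from the writeup or from Stegsolve; it builds a constructed "black" image with an H hidden in the red LSB, then finds and renders the plane the way Stegsolve would, without any image library:

```python
from typing import Dict, List, Tuple

Pixel = Tuple[int, int, int]   # (R, G, B), each 0..255
Image = List[List[Pixel]]      # rows of pixels


def bit_plane(img: Image, channel: int, bit: int) -> List[List[int]]:
    """One bit of one channel for every pixel (Stegsolve's 'Red plane 0' etc.)."""
    return [[(px[channel] >> bit) & 1 for px in row] for row in img]


def render(plane: List[List[int]]) -> str:
    return "\n".join("".join("#" if b else "." for b in row) for row in plane)


def channel_values(img: Image, channel: int) -> Dict[int, int]:
    """Histogram of a channel. An image that looks black but has two distinct
    values here is the first hint that a low plane carries data."""
    hist: Dict[int, int] = {}
    for row in img:
        for px in row:
            hist[px[channel]] = hist.get(px[channel], 0) + 1
    return hist


def looks_black(img: Image, threshold: int = 8) -> bool:
    return all(max(px) < threshold for row in img for px in row)


def interesting_planes(img: Image) -> List[Tuple[int, int]]:
    """(channel, bit) pairs whose plane is neither all 0 nor all 1."""
    out = []
    for ch in range(3):
        for bit in range(8):
            flat = [b for row in bit_plane(img, ch, bit) for b in row]
            if 0 < sum(flat) < len(flat):
                out.append((ch, bit))
    return out


# Constructed sample: a 7x5 'H' to hide in an otherwise black image.
PATTERN = [
    "#.....#",
    "#.....#",
    "#######",
    "#.....#",
    "#.....#",
]


def embed_lsb(pattern: List[str], channel: int = 0, bit: int = 0) -> Image:
    """Set `bit` of `channel` wherever the pattern has '#'; all else stays 0."""
    img: Image = []
    for line in pattern:
        row: List[Pixel] = []
        for ch in line:
            px = [0, 0, 0]
            if ch == "#":
                px[channel] |= 1 << bit
            row.append((px[0], px[1], px[2]))
        img.append(row)
    return img


HIDDEN = embed_lsb(PATTERN)

if __name__ == "__main__":
    print("looks black:", looks_black(HIDDEN))
    for ch, bit in interesting_planes(HIDDEN):
        print(f"channel {ch} bit {bit}:")
        print(render(bit_plane(HIDDEN, ch, bit)))
```

On a real file, load the pixels with any image library into the same row-of-tuples layout and call interesting_planes first; it narrows 24 planes down to the few worth rendering.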

flag{LETHAL}

JS Security

The site is https://grab-the-fwag.herokuapp.com. Looking at the page source:

<!doctype html>
<html>
<head>
<title>CodeFest '17 CTF</title>
<script type="text/javascript" src="md5.js"></script>
<script type="text/javascript" src="kernel.js"></script>
</head>
<body>
<h3>Provide the granted username</h3>
<form method="POST" onSubmit="return validateLogin(this)" action="secure_login.php">
<table border=0 align="center">
<tr>
<td><label for="user"><b>User:</b></label></td>
<td><input type="text" name="user" id="user"></td>
</tr>
<tr>
<td colspan="2" align="center"><p><input type="submit" value="Get Access"></p></td>
</tr>
</table>
</form>
</body>
</html>

Two JS files matter, md5.js and kernel.js. The former is just an MD5 hashing library. I first thought the latter was empty; a senior pointed out that the top of the file is nothing but blank lines, and at the very bottom is:

// JS too insecure, re-implementing in PHP
function validateLogin(formToBeValidated) {
if (formToBeValidated.user.value == null || formToBeValidated.user.value == "") {
alert("Username must be filled out!");
} else {
if (md5(formToBeValidated.user.value) == "da61a45edbd65ef661a6108b39fc04b6")
return true;
else
alert("User not granted!");
}
return false;
}

//function keyRetrieved() {
// window.location = "secure_login.php";
//}

So the check is just an MD5 comparison done in the browser. Looking the digest up in an online MD5 database gives 14075064, which is what the form wants; submitting it returns:
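Since the check runs in the browser, anyone who can read kernel.js can attack the digest offline. Unsalted MD5 of a short numeric string is exactly what online lookup tables are built for, and a dictionary or mask search reproduces the same thing. The following is an added example, not code from the writeup: a wordlist attack and an exhaustive mask attack over a chosen character set. The digest is the one from kernel.js; whether 14075064 is its preimage is the writeup's report, which the script checks before falling back to a search:

```python
import hashlib
import itertools
import string
import sys
from typing import Iterable, Optional

# Digest hard-coded in kernel.js on the challenge page.
TARGET = "da61a45edbd65ef661a6108b39fc04b6"


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def crack_wordlist(digest: str, words: Iterable[str]) -> Optional[str]:
    """Dictionary attack: hash each candidate and compare. An online MD5
    lookup service is this with a very large precomputed list."""
    digest = digest.lower()
    for word in words:
        word = word.rstrip("\r\n")
        if md5_hex(word) == digest:
            return word
    return None


def crack_mask(digest: str, charset: str = string.digits,
               min_len: int = 1, max_len: int = 8) -> Optional[str]:
    """Exhaustive search over every string drawn from charset with a length
    in [min_len, max_len]. Digits up to 8 is about 1.1e8 hashes."""
    digest = digest.lower()
    for n in range(min_len, max_len + 1):
        for tup in itertools.product(charset, repeat=n):
            cand = "".join(tup)
            if md5_hex(cand) == digest:
                return cand
    return None


if __name__ == "__main__":
    # Check the preimage the writeup reports first; the full digit search
    # is the slow path (minutes in pure Python).
    reported = sys.argv[1] if len(sys.argv) > 1 else "14075064"
    if md5_hex(reported) == TARGET:
        print("confirmed:", reported)
    else:
        print("searching digits up to length 8:", crack_mask(TARGET))
```

The lesson the CTF author left in the comment ("JS too insecure, re-implementing in PHP") is the right one: a client-side check only gates the form, and the digest it compares against is handed to every visitor.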

Congratulations! The key is flag{17_w45_hidd3n_in_p14in_5igh7}.

flag{17_w45_hidd3n_in_p14in_5igh7}

anonymous

The site has a single page, /askauth, with one button. Clicking it gets you nowhere; you just keep being redirected.

The page source and the other HTTP headers gave nothing away, but there was a cookie flag:True. Changing it to False redirected to a new page, /ask_username.

That page asks for a username. The challenge description said to log in as root, and doing so redirected to yet another page, /ask_password.

Now one more cookie appeared, pass:7af32ff30622da6d6dafc8f5bd202ae6. Looking that MD5 digest up gives aunty; logging in with it yields the flag:
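The whole chain worked because the server kept its state (flag, then pass) in cookies the client controls and trusted them as received. The following is an added example, not code from the writeup or the challenge server: it shows the cookie rewrite done in the browser, a stand-in for the observed server logic (an assumption modelled on the redirects described above, not the real backend), and the hardened version where each cookie value carries an HMAC so a forged flag=False is rejected. The key and the sample headers are constructed for the demo:

```python
import base64
import hashlib
import hmac
from http.cookies import SimpleCookie
from typing import Dict, Optional

DEMO_KEY = b"constructed-demo-key"  # server-side secret; assumption for the demo


def parse_cookies(header: str) -> Dict[str, str]:
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def tamper(cookie_header: str, **overrides: str) -> str:
    """Rewrite chosen cookies, as done in the browser for flag:True -> False."""
    values = parse_cookies(cookie_header)
    values.update(overrides)
    return "; ".join(f"{k}={v}" for k, v in values.items())


def next_page_vulnerable(cookie_header: str) -> str:
    """Stand-in for the observed behaviour: the raw cookie decides the route."""
    flag = parse_cookies(cookie_header).get("flag", "True")
    return "/ask_username" if flag == "False" else "/askauth"


def sign(value: str, key: bytes) -> str:
    """value.<base64url(HMAC-SHA256(key, value))>"""
    mac = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return value + "." + base64.urlsafe_b64encode(mac).decode().rstrip("=")


def verify(signed: str, key: bytes) -> Optional[str]:
    """Return the value if its tag is valid, else None (unsigned or forged)."""
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None
    expected = sign(value, key).rpartition(".")[2]
    return value if hmac.compare_digest(expected, tag) else None


def next_page_hardened(cookie_header: str, key: bytes) -> str:
    """Same routing, but only a server-signed flag value is honoured."""
    flag = verify(parse_cookies(cookie_header).get("flag", ""), key)
    if flag is None:
        return "/askauth"  # missing, unsigned or tampered: back to the start
    return "/ask_username" if flag == "False" else "/askauth"


if __name__ == "__main__":
    original = "flag=True"                      # constructed Set-Cookie value
    forged = tamper(original, flag="False")
    print("vulnerable:", next_page_vulnerable(original), "->", next_page_vulnerable(forged))
    signed = f"flag={sign('True', DEMO_KEY)}"
    forged_signed = tamper(signed, flag="False." + sign("True", DEMO_KEY).split(".", 1)[1])
    print("hardened:  ", next_page_hardened(signed, DEMO_KEY), "->",
          next_page_hardened(forged_signed, DEMO_KEY))
```

Signing stops the client from choosing the value, but it still lets a user replay an old signed cookie; keeping the state in a server-side session keyed by an opaque random identifier avoids both problems, and the md5-of-password cookie should simply never be sent to the client.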

Congtraulations, You have entered the restricted section.

The flag is the password.

flag{aunty}