What really matters is always very simple.

Psst

The ultimate matryoshka. I did not expect a foreign CTF to be this good at nesting too.
One archive, and that's it: every folder contains another folder plus a readme_x.txt, each txt holds a single letter, and the letters concatenated are the flag. It tests scripting ability.
Solve this on Linux; on Windows the archive fails to extract because there are too many nested directories.

gzip -d psst.tar.gz
tar -xf psst.tar

Then a script can do the rest.

import os

os.chdir("Security")  # start in the extracted top-level directory

while True:  # descend one level per iteration until the deepest directory
    next_dir = None
    items = os.listdir()  # everything in the current directory

    for item in items:
        if os.path.isdir(item):
            # a sub-directory: remember it as the next level to enter
            next_dir = item
        else:
            # a readme_x.txt: print its single letter without a newline
            with open(item, 'r') as file:
                print(file.read().strip(), end='')

    # a single entry (the last readme) or no sub-directory left means we are done
    if len(items) == 1 or next_dir is None:
        break

    os.chdir(next_dir)  # move into the next level

print("")
┌──(root💀m0re)-[~/桌面/CTF/chall]
└─# python3 solve.py                              
BSNoida{d1d_y0u_u53_b45h_5cr1pt1ng_6f7220737461636b6f766572666c6f773f}

Web Gauntlet

After reading English writeups for ten-odd minutes, this noob finally understood the logic of the challenge.

Description: Can you beat the filters? Log in as admin
http://jupiter.challenges.picoctf.org:29164/
http://jupiter.challenges.picoctf.org:29164/filter.php
Hints: You are not allowed to log in with valid credentials.
If your cookies keep getting reset, try using a private browser window.
Write down the injections you use, in case you lose progress.
For some filters it may be hard to see the characters; always (always) look at the raw hex in the response.
sqlite

The first link is a login form; according to the hints it cannot be logged into normally, so this is an injection challenge.
The second link is the filter page, which shows what each round filters.

Round_one

The SQL statement is displayed as soon as you submit something in round one:

SELECT * FROM users WHERE username='admin' AND password='pass'

Round one only filters "or", so a universal-password style bypass can be tried.

user: admin'--
pass: anything
This yields:
select * from users where username='admin'--' and password='pass'


Round_two

The round-two filter shows: Round2: or and like = --
Testing shows that # no longer works either, but the comment sequence /* is still usable, so try admin'/*


Round_three

The round-three filter shows: Round3: or and = like > < --
The /* comment from the previous round still works.

Round_four

Filter: Round4: or and = like > < -- admin
Use the concatenation operator || and construct the payload: a'||'dmin'/*

SELECT * FROM users WHERE username='a'||'dmin'/*' AND password='pass'

Round_five

Filter: Round5: or and = like > < -- union admin
The payload from the previous round works as-is.

Looking at the filter again (the filter.php source, shown after round five):

<?php
session_start();

if (!isset($_SESSION["round"])) {
    $_SESSION["round"] = 1;
}
$round = $_SESSION["round"];
$filter = array("");
$view = ($_SERVER["PHP_SELF"] == "/filter.php");

if ($round === 1) {
    $filter = array("or");
    if ($view) {
        echo "Round1: ".implode(" ", $filter)."<br/>";
    }
} else if ($round === 2) {
    $filter = array("or", "and", "like", "=", "--");
    if ($view) {
        echo "Round2: ".implode(" ", $filter)."<br/>";
    }
} else if ($round === 3) {
    $filter = array(" ", "or", "and", "=", "like", ">", "<", "--");
    // $filter = array("or", "and", "=", "like", "union", "select", "insert", "delete", "if", "else", "true", "false", "admin");
    if ($view) {
        echo "Round3: ".implode(" ", $filter)."<br/>";
    }
} else if ($round === 4) {
    $filter = array(" ", "or", "and", "=", "like", ">", "<", "--", "admin");
    // $filter = array(" ", "/**/", "--", "or", "and", "=", "like", "union", "select", "insert", "delete", "if", "else", "true", "false", "admin");
    if ($view) {
        echo "Round4: ".implode(" ", $filter)."<br/>";
    }
} else if ($round === 5) {
    $filter = array(" ", "or", "and", "=", "like", ">", "<", "--", "union", "admin");
    // $filter = array("0", "unhex", "char", "/*", "*/", "--", "or", "and", "=", "like", "union", "select", "insert", "delete", "if", "else", "true", "false", "admin");
    if ($view) {
        echo "Round5: ".implode(" ", $filter)."<br/>";
    }
} else if ($round >= 6) {
    if ($view) {
        highlight_file("filter.php");
    }
} else {
    $_SESSION["round"] = 1;
}

// picoCTF{y0u_m4d3_1t_a3ed4355668e74af0ecbb7496c8dd7c5}
?>
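As an added example (not part of the original writeup or the challenge), here is a Python reconstruction of the five blacklists from filter.php run against an in-memory SQLite table: the string-built query accepts the writeup's inputs in every round, while the same inputs against a parameterized query never log in. The users table is constructed, and a case-insensitive substring match is assumed since filter.php's matching code is not on the page.

```python
import sqlite3

# Blacklists copied from the challenge's filter.php (rounds 1-5). filter.php's exact
# matching code is not shown on the page; a case-insensitive substring test is assumed.
FILTERS = {
    1: ["or"],
    2: ["or", "and", "like", "=", "--"],
    3: [" ", "or", "and", "=", "like", ">", "<", "--"],
    4: [" ", "or", "and", "=", "like", ">", "<", "--", "admin"],
    5: [" ", "or", "and", "=", "like", ">", "<", "--", "union", "admin"],
}
# Inputs the writeup used for each round (password field: anything, here "pass").
ROUND_INPUTS = {1: "admin'--", 2: "admin'/*", 3: "admin'/*", 4: "a'||'dmin'/*", 5: "a'||'dmin'/*"}

def blocked(value, round_no):
    """True if the round's blacklist rejects the input."""
    low = value.lower()
    return any(tok in low for tok in FILTERS[round_no])

def make_db():
    """Constructed one-row users table; the real password is never supplied below."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return conn

def login_concat(conn, user, pw):
    """Vulnerable: the query is assembled by string formatting, as in the challenge."""
    sql = f"SELECT * FROM users WHERE username='{user}' AND password='{pw}'"
    return conn.execute(sql).fetchone() is not None

def login_param(conn, user, pw):
    """Hardened: bound parameters keep quotes and comment tokens as plain data."""
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (user, pw)).fetchone() is not None

def evaluate(round_no, user, pw="pass"):
    """Does the filter stop the input, and does each login variant accept it?"""
    if blocked(user, round_no) or blocked(pw, round_no):
        return {"blocked": True, "concat": False, "param": False}
    conn = make_db()
    return {"blocked": False, "concat": login_concat(conn, user, pw),
            "param": login_param(conn, user, pw)}

def run_writeup_rounds():
    """Replay the five rounds; expect concat=True and param=False for each."""
    return {r: evaluate(r, user) for r, user in ROUND_INPUTS.items()}
```

The lesson is the one the challenge teaches by exhaustion: a growing blacklist never closes the gap, but binding parameters removes the gap entirely.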

Pitter, Patter, Platters

A forensics challenge; the more of these I do, the more I realize how much I still have to learn.
My approach: run strings on it to see which obvious strings show up, which turned up this segment:

Then open it in 010 Editor, locate that section, and the flag is found directly in the data:

The flag is clearly reversed; flipping it back gives the answer.
An expert's approach:

>_<# file suspicious.dd.sda1
suspicious.dd.sda1: Linux rev 1.0 ext3 filesystem data, UUID=fc168af0-183b-4e53-bdf3-9c1055413b40 (needs journal recovery)
>_<# fls suspicious.dd.sda1
d/d 11: lost+found
d/d 2009:       boot
d/d 4017:       tce
r/r 12: suspicious-file.txt
V/V 8033:       $OrphanFiles
>_<# icat suspicious.dd.sda1 12
Nothing to see here! But you may want to look here -->
>_<# strings -a -t x suspicious.dd.sda1 | grep "Nothing to see here! But you may want to look here"
┌──(root💀m0re)-[~/桌面/CTF]
└─# xxd -s 0x200400 -l 200 suspicious.dd.sda1
00200400: 4e6f 7468 696e 6720 746f 2073 6565 2068  Nothing to see h
00200410: 6572 6521 2042 7574 2079 6f75 206d 6179  ere! But you may
00200420: 2077 616e 7420 746f 206c 6f6f 6b20 6865   want to look he
00200430: 7265 202d 2d3e 0a7d 0036 0062 0037 0064  re -->.}.6.b.7.d
00200440: 0035 0034 0039 0062 005f 0033 003c 005f  .5.4.9.b._.3.<._
00200450: 007c 004c 006d 005f 0031 0031 0031 0074  .|.L.m._.1.1.1.t
00200460: 0035 005f 0033 0062 007b 0046 0054 0043  .5._.3.b.{.F.T.C
00200470: 006f 0063 0069 0070 0000 0000 0000 0000  .o.c.i.p........
00200480: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00200490: 0000 0000 0000 0000 0000 0000 0000 0000  ................
002004a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
002004b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
002004c0: 0000 0000 0000 0000                      ........

It can be reversed by hand, or with a command, as follows:

┌──(root💀m0re)-[~/桌面/CTF]
└─# od --skip-bytes=0x200437 --read-bytes=66 suspicious.dd.sda1 --format=c --address-radix=n --width=100 | sed "s/\\\0//g" | tr -d " " | rev
picoCTF{b3_5t111_mL|_<3_b945d7b6}

Or using Python:

python -c "print(''.join(reversed('}.8.3.4.6.0.c.a.e._.3.<._.|.L.m._.1.1.1.t.5._.3.b.{.F.T.C.o.c.i.p'.split('.'))))" 
picoCTF{b3_5t111_mL|_<3_b945d7b6}
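As an added example (not from the writeup), here is a Python version of the same carving step that handles the interleaved NUL bytes by decoding the run after the marker as UTF-16LE instead of stripping them with sed and tr. The image bytes are constructed to mirror the xxd dump above, not read from the real suspicious.dd.sda1.

```python
# Constructed stand-in for the disk image: the marker text exactly as xxd shows it
# at 0x200400, followed by the 66 hidden bytes, with NUL padding on both sides.
MARKER = b"Nothing to see here! But you may want to look here -->\n"
HIDDEN = "}6b7d549b_3<_|Lm_111t5_3b{FTCocip".encode("utf-16-le")
SAMPLE_IMAGE = b"\x00" * 0x40 + MARKER + HIDDEN + b"\x00" * 0x40

def carve_reversed_flag(image: bytes, marker: bytes = MARKER) -> str:
    """Find the marker, take the UTF-16LE run that follows it, and reverse it.

    The dump shows one ASCII byte followed by 0x00 for every character, which is
    UTF-16LE; decoding it as such replaces the sed/tr cleanup in the shell pipeline.
    """
    idx = image.find(marker)
    if idx < 0:
        raise ValueError("marker not present in image")
    start = idx + len(marker)
    end = start
    # Walk two bytes at a time and stop at the first all-zero code unit (the padding).
    while end + 2 <= len(image) and image[end:end + 2] != b"\x00\x00":
        end += 2
    return image[start:end].decode("utf-16-le")[::-1]
```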

Client-side-again

Can you break into this super secure portal?

Approach: the page source contains nothing about what gets POSTed or where, no telltale index.php or login.php, only JS code. For challenges like this there is usually no point wasting time on the login form.

var _0x5a46=['f49bf}','_again_e','this','Password\x20Verified','Incorrect\x20password','getElementById','value','substring','picoCTF{','not_this'];(function(_0x4bd822,_0x2bd6f7){var _0xb4bdb3=function(_0x1d68f6){while(--_0x1d68f6){_0x4bd822['push'](_0x4bd822['shift']());}};_0xb4bdb3(++_0x2bd6f7);}(_0x5a46,0x1b3));var _0x4b5b=function(_0x2d8f05,_0x4b81bb){_0x2d8f05=_0x2d8f05-0x0;var _0x4d74cb=_0x5a46[_0x2d8f05];return _0x4d74cb;};function verify(){checkpass=document[_0x4b5b('0x0')]('pass')[_0x4b5b('0x1')];split=0x4;if(checkpass[_0x4b5b('0x2')](0x0,split*0x2)==_0x4b5b('0x3')){if(checkpass[_0x4b5b('0x2')](0x7,0x9)=='{n'){if(checkpass[_0x4b5b('0x2')](split*0x2,split*0x2*0x2)==_0x4b5b('0x4')){if(checkpass[_0x4b5b('0x2')](0x3,0x6)=='oCT'){if(checkpass[_0x4b5b('0x2')](split*0x3*0x2,split*0x4*0x2)==_0x4b5b('0x5')){if(checkpass['substring'](0x6,0xb)=='F{not'){if(checkpass[_0x4b5b('0x2')](split*0x2*0x2,split*0x3*0x2)==_0x4b5b('0x6')){if(checkpass[_0x4b5b('0x2')](0xc,0x10)==_0x4b5b('0x7')){alert(_0x4b5b('0x8'));}}}}}}}}else{alert(_0x4b5b('0x9'));}}

Beautify it with an online tool:

var _0x5a46 = ['f49bf}', '_again_e', 'this', 'Password\x20Verified', 'Incorrect\x20password', 'getElementById', 'value', 'substring', 'picoCTF{', 'not_this']; (function(_0x4bd822, _0x2bd6f7) {
	var _0xb4bdb3 = function(_0x1d68f6) {
		while (--_0x1d68f6) {
			_0x4bd822['push'](_0x4bd822['shift']());
		}
	};
	_0xb4bdb3(++_0x2bd6f7);
} (_0x5a46, 0x1b3));
var _0x4b5b = function(_0x2d8f05, _0x4b81bb) {
	_0x2d8f05 = _0x2d8f05 - 0x0;
	var _0x4d74cb = _0x5a46[_0x2d8f05];
	return _0x4d74cb;
};
function verify() {
	checkpass = document[_0x4b5b('0x0')]('pass')[_0x4b5b('0x1')];
	split = 0x4;
	if (checkpass[_0x4b5b('0x2')](0x0, split * 0x2) == _0x4b5b('0x3')) {
		if (checkpass[_0x4b5b('0x2')](0x7, 0x9) == '{n') {
			if (checkpass[_0x4b5b('0x2')](split * 0x2, split * 0x2 * 0x2) == _0x4b5b('0x4')) {
				if (checkpass[_0x4b5b('0x2')](0x3, 0x6) == 'oCT') {
					if (checkpass[_0x4b5b('0x2')](split * 0x3 * 0x2, split * 0x4 * 0x2) == _0x4b5b('0x5')) {
						if (checkpass['substring'](0x6, 0xb) == 'F{not') {
							if (checkpass[_0x4b5b('0x2')](split * 0x2 * 0x2, split * 0x3 * 0x2) == _0x4b5b('0x6')) {
								if (checkpass[_0x4b5b('0x2')](0xc, 0x10) == _0x4b5b('0x7')) {
									alert(_0x4b5b('0x8'));
								}
							}
						}
					}
				}
			}
		}
	} else {
		alert(_0x4b5b('0x9'));
	}
}

Running the JS code directly in the browser console shows the decoded strings. With those, function verify() can be cleaned up once more:

function verify() {
	checkpass = document['getElementById']('pass')['value'];
	split = 0x4;
	if (checkpass['substring'](0x0, split * 0x2) == 'picoCTF{') {
		if (checkpass['substring'](0x7, 0x9) == '{n') {
			if (checkpass['substring'](split * 0x2, split * 0x2 * 0x2) == 'not_this') {
				if (checkpass['substring'](0x3, 0x6) == 'oCT') {
					if (checkpass['substring'](split * 0x3 * 0x2, split * 0x4 * 0x2) == 'f49bf}') {
						if (checkpass['substring'](0x6, 0xb) == 'F{not') {
							if (checkpass['substring'](split * 0x2 * 0x2, split * 0x3 * 0x2) == '_again_e') {
								if (checkpass['substring'](0xc, 0x10) == 'this') {
									alert('Password Verified');
								}
							}
						}
					}
				}
			}
		}
	} else {
		alert('Incorrect password');
	}
}

Information obtained:

(0-8)      == "picoCTF{"
(7-9)      == "{n"
(8-16)     == "not_this"
(3-6)      == "oCT"
(24-32)    == "f49bf}"
(6-11)     == "F{not"
(16-24)    == "_again_e"
(12-16)    == "this"
#picoCTF{not_this_again_ef49bf}

Pieced together, that's the flag.
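As an added example (not part of the original writeup), the two manual steps above done in Python: replaying the obfuscator's array rotation to recover the string table, and laying the eight substring constraints into one buffer while checking that overlapping slots agree. The table and the rotation argument 0x1b3 are read off the obfuscated script; everything else is constructed here.

```python
# Values read from the obfuscated script in the writeup: its string table and the
# argument of the self-invoking shuffle (0x1b3, pre-incremented before the loop).
TABLE = ['f49bf}', '_again_e', 'this', 'Password Verified', 'Incorrect password',
         'getElementById', 'value', 'substring', 'picoCTF{', 'not_this']

def rotate_table(table, seed):
    """Replay `while(--n){arr.push(arr.shift())}` with n = seed + 1, i.e. seed left-rotations."""
    shifts = seed % len(table)   # --n runs exactly `seed` times; rotation wraps modulo length
    return table[shifts:] + table[:shifts]

# (start, end, expected) triples taken from the cleaned-up verify() above.
CONSTRAINTS = [(0, 8, "picoCTF{"), (7, 9, "{n"), (8, 16, "not_this"), (3, 6, "oCT"),
               (24, 32, "f49bf}"), (6, 11, "F{not"), (16, 24, "_again_e"), (12, 16, "this")]

def assemble(constraints):
    """Place each expected substring into its slot and insist that overlaps agree.

    JS substring(start, end) is clamped at the string's end, so an expected value
    shorter than its slot pins the total length instead of being an error.
    """
    length = max(start + len(text) for start, _, text in constraints)
    buf = [None] * length
    for start, end, text in constraints:
        if len(text) > end - start or (len(text) < end - start and start + len(text) != length):
            raise ValueError(f"{text!r} cannot be the result of substring({start}, {end})")
        for i, ch in enumerate(text):
            if buf[start + i] not in (None, ch):
                raise ValueError(f"conflicting characters at index {start + i}")
            buf[start + i] = ch
    if None in buf:
        raise ValueError("uncovered positions: " + str([i for i, c in enumerate(buf) if c is None]))
    return "".join(buf)
```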