Big challenges of SYC: writeup

Source: Internet
Author: User
Welcome

Copy and paste the flag.

 

I believe that you are on the road to meeting me

Follow the work number and reply "I want to flag" to get the flag

 

The first act of the action codenamed geek: the first appearance of drug fog

The flag turns out to be Morse code: SYC {--... -. -. --. -. -.. ----...... -... -.... --... --.}

Translation website: Baidu

Translation result: geekactionhasbegun

Corresponding flag: SYC{geekactionhasbegun}

 

2000-word review

On the submit page, open the universal checklist and prepare to copy and paste it for submission.

  

The content cannot be copied directly. Press F12, inspect the element and copy the text from there.

Paste it to the submit box. The flag is obtained successfully!

 

Lucky challenges

Click Submit to view the result. According to the question, only getting 10.00 wins the MacBook Pro (the flag).

Use Burp to modify the value and then submit it.

Successfully received the consolation prize flag, hhh.

The third act of action codenamed geek: Dark network pursuit

The image shows that we are not an administrator, so some check must exist. Look at the request captured in Burp.

The is_admin attribute value in the cookie is 0. Change it to 1.

Cool get flag!
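Why this works, and what the server should do instead, as an added example that is not part of the original challenge code: the first function trusts a client-supplied `is_admin` cookie, the second only accepts a value the server signed itself. The cookie format `user|flag|tag`, the key and the function names are assumptions made for the illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: server-side secret, never sent to the client

def naive_is_admin(cookies):
    # The pattern the challenge relies on: the client states its own privilege.
    return cookies.get("is_admin") == "1"

def _tag(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def issue_cookie(user, is_admin):
    # Hypothetical format "user|flag|tag"; the tag binds the flag to the user.
    if "|" in user:
        raise ValueError("separator not allowed in user name")
    payload = f"{user}|{int(is_admin)}"
    return {"session": f"{payload}|{_tag(payload)}"}

def signed_is_admin(cookies):
    parts = cookies.get("session", "").split("|")
    if len(parts) != 3:
        return False
    user, flag, tag = parts
    expected = _tag(f"{user}|{flag}")
    # Constant-time comparison; any edit to user or flag invalidates the tag.
    return hmac.compare_digest(tag.encode(), expected.encode()) and flag == "1"

def demo():
    guest = issue_cookie("guest", False)
    # Same edit as in the writeup (0 -> 1), applied to the signed cookie.
    tampered = {"session": guest["session"].replace("guest|0|", "guest|1|")}
    return {
        "naive_tampered": naive_is_admin({"is_admin": "1"}),
        "signed_guest": signed_is_admin(guest),
        "signed_tampered": signed_is_admin(tampered),
        "signed_admin": signed_is_admin(issue_cookie("root", True)),
    }
```

Keeping the privilege in a server-side session store and sending only a random session identifier avoids the problem entirely.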

 

Coming soon

As the question hints, look for the source code: open the page source and press Ctrl + F to search for the flag.

Act 2, codenamed geek: deprecated underground hacker forum

We arrive at a backend; try submitting something and look at the returned result.

An SQL statement is returned, which is the logic check of the backend login. So this question should be a logic bypass.

Analyze the statement and construct an input that gives the desired final result.

To break out of the '' quotes in the statement, put a single quotation mark ' at the start of the payload to close the quotation, add or in the middle so that the condition evaluates to true, and then add # or -- at the end to comment out the rest of the statement.

The constructed payload is as follows:

Username: ' or 1=1 # or ' or 1=1 --

Use the above statement as the username and enter the password as needed.

Bypass successfully, get flag ~
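The login logic described above next to its parameterized form, as an added example that is not the challenge's own code. The table, column names and sample row are constructed, and SQLite stands in for the real database, so only the `--` comment form from the writeup is used (`#` is MySQL comment syntax).

```python
import sqlite3

def make_db():
    # Constructed sample data; table and column names are assumptions.
    # The password is stored in plain text only to keep the example short.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 's3cret-not-guessable')")
    return db

def login_concat(db, username, password):
    # Vulnerable pattern: user input is pasted between the quotes of the statement,
    # so a quote in the input ends the string and the rest is parsed as SQL.
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return db.execute(sql).fetchone() is not None

def login_param(db, username, password):
    # Fixed pattern: placeholders keep the input as data, never as SQL syntax.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None

def demo():
    db = make_db()
    payload = "' or 1=1 --"  # the username from the writeup
    return {
        "concat_payload": login_concat(db, payload, "anything"),
        "param_payload": login_param(db, payload, "anything"),
        "param_valid": login_param(db, "admin", "s3cret-not-guessable"),
        "param_wrong_pw": login_param(db, "admin", "wrong"),
    }
```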

Come and join the PHP ghost cat. (WP provided by the ghost wave QQ: 750358905 everyone will harass him)

First, analyze the PHP code in the page source.

The audit shows the entire process of obtaining the flag.

First, the code checks that the P1 variable exists, that its value is greater than 99999999, and so on. If that is true, it goes on to check that P2 exists and is not a number.

All of the parameters above are passed in the GET request. The constructed payload is as follows:

Submit it, and then get the flag.

Act 4, codenamed geek: Top Secret Intelligence (This question WP is provided by Yan Lang)

First, analyze the PHP source code:

```php
<?php
error_reporting(0); // turn off error reporting
if (!empty($_GET) || !empty($_POST)) {
    if (preg_match("/syclover/", $_GET['id'])) {
        echo("<p> you're a gay, not allowed! </p>");
        exit();
    }

    $_GET['id'] = urldecode($_GET['id']); // URL-decode the submitted value

    if ($_GET['id'] == "syclover") // check whether the decoded value is "syclover"
    {
        echo "<p> Wow ~ , You're smart, access granted! </p>";

        $f = $_POST['file']; // the POST parameter that is received is named file
        $str = $f . ".php";  // string concatenation: append the .php suffix
        @require $str;       // file inclusion
    }
    else
    {
        @require('showpass.php'); // file inclusion
    }
}
else {
    highlight_file("index.php");
}

?>
```

After reading the code, let's see what the included file contains:

http://intelligence.game.sycsec.com/showpass.php

If the characters are garbled, we recommend using 360 or Firefox with GBK encoding enabled.

The flag is here, but it cannot be seen. We can use the following part of the code to see what is written in the file:

```php
$f = $_POST['file']; // the POST parameter that is received is named file
$str = $f . ".php";  // string concatenation: append the .php suffix
@require $str;       // file inclusion
```

Payload: file=php://filter/read=convert.base64-encode/resource=showpass

The result is a piece of Base64. Decode it to get the flag.
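How the `file` parameter could be confined so that the payload above is refused, as an added example that is not the challenge's code: a Python model of the include-target decision, with the PHP behaviour mirrored in `naive_target`. The `pages/` directory, the slug pattern and the function names are assumptions.

```python
import os
import re
import tempfile

NAME_RE = re.compile(r"[a-z0-9_]{1,32}")  # assumption: page names are short slugs

def naive_target(file_param):
    # Mirrors `$str = $f . ".php"; @require $str;`: any string becomes the target,
    # so a stream-wrapper URL is passed through untouched.
    return file_param + ".php"

def safe_target(base_dir, file_param):
    """Return a path inside base_dir, or None when the request is refused."""
    if not NAME_RE.fullmatch(file_param):
        return None  # refuses "php://..." wrappers, "../", slashes and NUL bytes
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, file_param + ".php"))
    if os.path.commonpath([base, path]) != base:
        return None  # a symlink resolved outside the include directory
    return path if os.path.isfile(path) else None

def demo():
    # Constructed layout: includable pages live in pages/, the secret file does not.
    with tempfile.TemporaryDirectory() as root:
        pages = os.path.join(root, "pages")
        os.mkdir(pages)
        for path in (os.path.join(pages, "news.php"), os.path.join(root, "showpass.php")):
            with open(path, "w") as fh:
                fh.write("<?php ?>")
        os.symlink(os.path.join(root, "showpass.php"), os.path.join(pages, "link.php"))
        wrapper = "php://filter/read=convert.base64-encode/resource=showpass"
        return {
            "naive": naive_target(wrapper),
            "wrapper": safe_target(pages, wrapper),
            "outside": safe_target(pages, "showpass"),
            "symlink": safe_target(pages, "link"),
            "news": os.path.basename(safe_target(pages, "news") or ""),
        }
```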

Master Jiang's secret

The question says that study.txt can be found on the C drive, and it may be the flag.

No error is found after opening.

After thinking for a while, the idea is to construct a link that reads the local file.

As a result, I accidentally discovered Master Jiang's secret ~

Meng's platelet (WP provided by Yi Lang)

A picture can be either an image or a compressed package. How can we determine if it is a compressed package? Use Notepad++ to open the image.

Nothing obvious at first glance? Use Ctrl + F to quickly search for "flag" or other keywords, since that is what we are looking for.

Seeing flag.txt together with xxx.jpg suggests a compressed package, so I changed the suffix to .zip to try it out!!! It actually works.

If you see flag.txt, open it directly.

What am I about Nima ....

After a little thinking, and looking at the picture and the Buddhist text, search Baidu.

This encoding can be decoded online at this address:

http://www.keyfc.net/bbs/tools/tudoucode.aspx

This stuff won't be used either. So I am confused. Finally, I have a tutorial on how to use it.

Then

Fo Yue: I was told that I was pregnant, even when I was pregnant, and when I was pregnant, I was told that I was always pregnant. if the death of Yi RuO passes away, all the neighborhood will be able to escape the curse without fear.

Click the true meaning of Shen wufo in the second sentence of the Buddhist family to get the flag.

 

 

Xiaoshuai is round and round. Do you want to either? (WP provided by xiaojinxing QQ: 2632041167 everyone is harassing him !)

# Sender

Run binwalk; the file turns out to be a RAR.

Change the suffix and decompress it to get 666.jpg. Open it and find a string of brainfuck statements.

Open it with **010**. Do not use **notepad**, or an error will occur. After opening it in 010, copy the brainfuck statements at the end.

> ```
> ++ [-> ++ <]> ++. ++. <++ [-> ----<]> ------. <++
> ++ [-> ++ <]> ++. <++ + [-> -- <]> ---...... ---------. <
> ++ [-> -- <]> ----...... <++ [-> ++ <] ++. <+
> ++ [-> ---- <]> -. ++. ++. --------. <++ [-> ++ <]> ++ ..
> .. <++ + [-> ---- <]> --. ++. <++ [-> --- <]> ---. <++ [-> ++
> <]> +. <++ [-> --- ----- <]> ---------. <++ [-> ++ <]
> ++. <++ + [-> ---- <]> ------.. ++. ++. ++. <++ [
>-> ----<]> -----. <++ [-> ++ <]> +. <++ [-> ++ <]> ++. <++ [->-
> ----- --- <]> --. <++ [-> ++ <] ++. <
> ```

Decoding with an online tool gives *SYC{hhhh_bbbbbbrainfuuuck_y0u_got_it!}*

Act 5, codenamed geek: damaged image (WP provided by xiaojinxing)

Run binwalk in the same way and find many things.
Then
```
foremost <file name>   # restore the files in the image
```
There is a flag.txt in the recovered files, and the flag is in it.
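What binwalk reports in the two image challenges, and why renaming the picture to .zip worked in the platelet challenge, as an added example that is not from the original writeup: a small signature scan over a constructed JPEG-framed byte string with a ZIP appended. The sample bytes, the flag text inside it and the function names are constructed for the illustration.

```python
import io
import zipfile

# Magic bytes of the two archive types met in the writeup.
SIGNATURES = {b"PK\x03\x04": "zip local file header", b"Rar!\x1a\x07": "rar"}

def make_sample():
    # Constructed sample: minimal JPEG framing (SOI ... EOI) with a ZIP appended.
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("flag.txt", "SYC{constructed_example}")
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 32 + b"\xff\xd9"
    return jpeg + archive.getvalue()

def embedded_signatures(data):
    """Return sorted (offset, kind) pairs for archive magic bytes past offset 0."""
    hits = []
    for magic, kind in SIGNATURES.items():
        pos = data.find(magic, 1)
        while pos != -1:
            hits.append((pos, kind))
            pos = data.find(magic, pos + 1)
    return sorted(hits)

def appended_zip_members(data):
    """Read member names and contents of a ZIP that follows other data."""
    # ZIP readers locate the central directory from the end of the file, so the
    # leading image bytes are skipped; this is why renaming to .zip works.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return {name: zf.read(name) for name in zf.namelist()}
    except zipfile.BadZipFile:
        return {}
```

A hit at a non-zero offset in an image file is what to look for when triaging uploads; RAR content is only detected here, since the Python standard library cannot unpack it.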

-*---------------------- Stop ------------------------*-

Rose CTF Team (RDBMS): A cainiao team composed of many CTF professionals, including various out-of-the-box features (many sisters)

GROUP: 814021502

Public Account of the studio: hawlgzs is responsible for designing logos and posters.

Welcome to join us for discussion and learning ~

 
