Last week I took part in the CCTF. I had been practising for a while before this first formal competition and got through the whole event, finishing 11th. I am satisfied with that, since it was my first time, but there were not many strong teams in this contest, and the gap between our team and the others is still very large. After all, we have been at this for less than half a year and there is far too much left to learn; we will take it step by step and aim to be strong enough for an onsite competition by next year.
First, the writeup by the experts: http://bobao.360.cn/ctf/detail/159.html
Below is our own writeup.
WEB 350
We were given a static page; scanning it turned up nothing.
Then a hint said to look for a blog, so we hunted for the organisers' blogs and eventually found Pocky Nya on GitHub, and from there the repository holding the site's source.
After downloading the source and reading through it, most handlers require authentication, and the two places that take parameters cannot be used for XSS. Then by chance I noticed in background.py that the handler for '/kamisama/posts/add' has no authentication check on its POST method, as follows:
import tornado.web
from datetime import date
# BaseHandler and Post are the project's own base handler and ORM model

class AddPostHandler(BaseHandler):
    @tornado.web.authenticated
    def get(self):
        self.background_render('add_post.html', post=None)

    # No @tornado.web.authenticated here: an unauthenticated client can POST a new article
    def post(self):
        title = self.get_argument('title', None)
        content = self.get_argument('content', None)
        tags = self.get_argument('tags', '').strip().split(',')
        if not title or not content:
            return self.redirect('/kamisama/posts/add')
        post = self.orm.query(Post.title).filter(Post.title == title).all()
        if post:
            return self.write('<script>alert("Title has already existed");window.history.go(-1);</script>')
        # title and content are stored as submitted and later rendered to the administrator
        self.orm.add(Post(title=title, content=content, created_time=date.today()))
        self.orm.commit()
        return self.redirect('/kamisama/posts')
So we can forge the request that adds an article and plant a stored XSS that sends us the administrator's cookie, as shown below:
Since the administrator would not necessarily open the article body, I put the XSS payload in the title instead. That is a bit ugly, but it guarantees we receive a cookie as soon as anyone logs in. As it turned out, the first cookie we received was not the administrator's but another logged-in user's, and it contained no flag. After a long time spent re-reading the code, I found in SignInHandler in background.py that the flag really is set in the cookie. So I submitted the payload above again, and this time obtained the right cookie:
username=2|1:0|10:1461405568|8:username|12:cG9ja3lueWE=|2821528813698c6ee9c1650c8420cfb4da968ec97ae080e65c07542f0d249df0;flag=434354467b434f44455f41554449545f425553544552537d
Converting the hex value of the flag cookie to ASCII gives the flag: CCTF{CODE_AUDIT_BUSTERS}
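As an added example (not from the writeup or the challenge's code), the cookie above decoded programmatically: Tornado's v2 signed-cookie format is parsed and its HMAC-SHA256 scheme re-implemented, which makes the point that a signed cookie protects integrity only, so the username and the hex flag are readable by anyone who captures it. The secret used for the round trip is a constructed value; the real secret is unknown.

```python
import base64
import hashlib
import hmac

# Cookie header captured in the writeup: a Tornado v2 signed 'username' value plus a hex 'flag' value.
COOKIE_HEADER = ("username=2|1:0|10:1461405568|8:username|12:cG9ja3lueWE=|"
                 "2821528813698c6ee9c1650c8420cfb4da968ec97ae080e65c07542f0d249df0;"
                 "flag=434354467b434f44455f41554449545f425553544552537d")

def parse_cookie_header(header: str) -> dict:
    """Split 'name=value; name=value' on ';' only; signed values contain '|' and '=' themselves."""
    pairs = (part.strip().partition("=") for part in header.split(";") if part.strip())
    return {name: value for name, _, value in pairs}

def decode_tornado_signed_value(value: str) -> dict:
    """Decode Tornado's v2 format 2|<n>:keyver|<n>:timestamp|<n>:name|<n>:base64(value)|hmac.
    The fields are only signed, never encrypted, so whoever holds the cookie can read them."""
    version, *fields, signature = value.split("|")
    if version != "2" or len(fields) != 4:
        raise ValueError("not a version-2 Tornado signed value")
    key_version, timestamp, name, payload = (f.split(":", 1)[1] for f in fields)  # drop '<len>:' prefixes
    return {"key_version": int(key_version), "timestamp": int(timestamp), "name": name,
            "value": base64.b64decode(payload).decode(), "signature": signature}

def sign_tornado_value(secret: str, name: str, value: str, timestamp: int, key_version: int = 0) -> str:
    """Produce a v2 signed value the way Tornado does: HMAC-SHA256 over the fields plus a trailing '|'."""
    payload = base64.b64encode(value.encode()).decode()
    fields = [str(key_version), str(timestamp), name, payload]
    to_sign = "|".join(["2", *(f"{len(f)}:{f}" for f in fields), ""])
    return to_sign + hmac.new(secret.encode(), to_sign.encode(), hashlib.sha256).hexdigest()

def verify_tornado_signature(value: str, secret: str) -> bool:
    """Recompute the HMAC over everything up to and including the last '|' and compare in constant time."""
    signed_part, _, signature = value.rpartition("|")
    expected = hmac.new(secret.encode(), (signed_part + "|").encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)

def decode_flag_cookie(hex_value: str) -> str:
    """The flag cookie is plain hex-encoded ASCII, the step the writeup does by hand."""
    return bytes.fromhex(hex_value).decode("ascii")

if __name__ == "__main__":
    cookies = parse_cookie_header(COOKIE_HEADER)
    print(decode_tornado_signed_value(cookies["username"]), decode_flag_cookie(cookies["flag"]))
```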
WEB 300
After logging in with the cookie obtained above, pocky.loli.club:41293/diaries
becomes accessible. There we found a new hint: a bot had been placed on Telegram, and the bot's Lua code was given. So we went to Telegram, tracked down Pockynya's account by social engineering, and, following the Lua code given on the blog, the bot looks like this:
do
  local function run(msg, matches)
    local operation
    if matches[1] ~= '!minecraft' then
      operation = matches[1]
    else
      return "!minecraft start|stop|restart"
    end
    -- denylist filter: only '&', '|' and space are rejected
    if string.find(operation, '&') or string.find(operation, '|') or string.find(operation, ' ') then
      return "Invalid operation " .. operation
    end
    -- the argument is appended to a shell command line
    local t = io.popen('cd /home/telegram && ./mc ' .. operation)
    local a = t:read("*all")
    return a
  end

  return {
    description = "loli.club Minecraft bot!",
    usage = "!minecraft start|stop|restart",
    patterns = {"^!minecraft$", "^!minecraft (.*)$"},
    run = run
  }
end
Since ';' is not filtered, it terminates the preceding command and whatever follows it is executed as our own command, like this:
!minecraft ;xxx
Here xxx is the command we append after the semicolon. The flag is in ../wwwroot/flag.
So the flag is CCTF{TELEGRAM_BOT_AND_Lf}.
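Added example, not the bot's code: the bot's metacharacter denylist ported to Python beside an allow-list check and a shell-free invocation, showing why the ';' payload above passes the first and fails the second. The './mc' path and run_mc are assumptions for illustration.

```python
import subprocess

ALLOWED_OPERATIONS = ("start", "stop", "restart")

def bot_filter_accepts(operation: str) -> bool:
    """The bot's own check, ported from the Lua: only '&', '|' and space are rejected, so ';' gets through."""
    return not any(ch in operation for ch in "&| ")

def allowlist_accepts(operation: str) -> bool:
    """Corrected check: the argument must be exactly one of the documented sub-commands."""
    return operation in ALLOWED_OPERATIONS

def mc_argv(operation: str) -> list:
    """Argument vector for the server control script after allow-listing (script path is assumed)."""
    if not allowlist_accepts(operation):
        raise ValueError("invalid operation: " + repr(operation))
    return ["./mc", operation]

def run_mc(operation: str) -> str:
    """Equivalent of the bot's io.popen(...) without a shell: metacharacters in the argument are inert."""
    result = subprocess.run(mc_argv(operation), cwd="/home/telegram", capture_output=True, text=True)
    return result.stdout

if __name__ == "__main__":
    for op in ("restart", ";xxx"):
        print(repr(op), "bot filter:", bot_filter_accepts(op), "allow-list:", allowlist_accepts(op))
```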
MISC 1
We were given a picture; the last 32 bits of the file are a continuous run of letters, as follows:
Base64-decoding them gives the flag: ctf{we1c0me t0 anmactf!}
MISC 2
In packet No. 5560 we find this:
type s4cr4t.txt
So what we need next is the content of that file, which is Base64-encoded; decoding it gives CCTF{do_you_like_sniffer}.
According to the answer format, an MS vulnerability number is also needed in front of it. A quick Google for "MS SMB overflow vulnerability" (original query: MS SMB 漏洞 溢出) and a few attempts later, the definitive number is MS08067, so the final answer is MS08067CCTF{do_you_like_sniffer}
Re1:
Reviewing the decompilation in IDA, we found that the program expects three arguments and picks one of them at random to test. Note that the Md5_custom function is useless.
Test via the check function.
Fetch from memory: find the string F2332291a6e1e6154f3cf4ad8b7504d8
Try submitting it: success.
FLAG: CCTF{F2332291A6E1E6154F3CF4AD8B7504D8}
Re2:
A .NET program; decompiling it with Reflector gives the code.
It turns out to communicate with a local port, so first turn off the firewall, then capture the loopback traffic with RAWPCAP.
Flag: cctf{7eb67b0bb4427e0b43b40b6042670b55}
Re3:
A simple disassembly shows that it compares two strings.
Submitting the string shown above, it turned out to be the right one.
flag: cctf{789101112131415123456}
True-or-false
Two Linux programs. Disassembling them in IDA shows that both call system twice at startup; from the ASCII strings it is clear that false overwrites itself with true and true deletes itself.
Then in false we found the Print_f function; disassembling it and undoing the Caesar encryption (a shift of 13) gives the flag:
Ppgs{yvahk-enva-ova}
which decodes to
Cctf{linux-rain-bin}
Difffffffffffuse
Looking at the decompiled C in IDA, there are 3,000 functions in total, in groups of 3 forming one period. In some periods, however, the second function extracts the data directly and the third function's shift differs slightly. We dumped the assembly to a text file and read it with Python to generate an equivalent C program, that is, the second function of each of the 1000 groups (3*1000 functions) was stripped out into a SECOND.C file.
At the end the program compares the 40 bytes produced by these 3,000 functions against 40 fixed bytes, which we grabbed in IDA:
0x83 0xec 0x5f 0xa2 0x93 0xce 0xa3 0xfb 0x5a 0x17 0x06 0xff 0x13 0x2d 0xd7 0xc4 0xbe 0xce 0x8d 0x6a 0xb8 0x15 0x26 0xfc 0x84 0x01 0x94 0x44 0xf8 0xd7 0x23 0x1c 0x4b 0xc2 0x31 0x04 0xa6 0x33 0x08 0x57
Each character is encrypted independently, which means we can brute-force each character separately and check whether its encrypted value matches. A simple brute force yields the flag:
Cctf{1f_y0u_w4nna_r3ven93_____purpleroc}
Mystery file 1
Extracting forensic.7z gives two files, Level1 and mem.vmem. Looking at the file headers and searching Baidu, Level1 is a hard-disk image and mem is a memory image.
I happened to have an empty hard disk, so I formatted it and wrote Level1 onto it with Bootice.
The disk turned out to be BitLocker-encrypted. Because users may forget their password, BitLocker also provides a recovery password, which is 48 decimal digits.
Considering that the recovery password might be recoverable from memory, I opened mem in WinHex. Searching for "BitLocker" found nothing, but I remembered the recovery key ID hint F2298561, and searching for it turned up the relevant content.
In-memory data is often stored with 00 between the characters (UTF-16LE), so I searched for F2298561 as hex with every digit separated by 00 and finally found the 48-digit password:
046409-191059-605495-680889-626109-111617-371668-451517
Unlock succeeded! Flag: cctf{u_m4st_g00d_4t_f0nr4n51c}
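Added example, not part of the writeup: a scan of a memory image for 48-digit BitLocker recovery passwords in ASCII and in the 00-separated (UTF-16LE) form found above, with a structural check that filters false positives, since each 6-digit group is a 16-bit value multiplied by 11. The memory buffer is constructed inline; the real password is the one from the writeup.

```python
import re

GROUP_LIMIT = 65536 * 11  # each 6-digit group encodes a 16-bit value multiplied by 11

def valid_recovery_password(candidate: str) -> bool:
    """Structural check for a 48-digit BitLocker recovery password: eight 6-digit groups,
    each divisible by 11 and below 65536*11. Filters false positives from a raw memory scan."""
    groups = candidate.split("-")
    if len(groups) != 8 or any(len(g) != 6 or not g.isdigit() for g in groups):
        return False
    return all(int(g) % 11 == 0 and int(g) < GROUP_LIMIT for g in groups)

# ASCII form: 046409-191059-...; the UTF-16LE form has a NUL byte after every character,
# which is why the writeup searched for the key ID with 00 between the digits.
ASCII_RE = re.compile(rb"(?:\d{6}-){7}\d{6}")
UTF16_RE = re.compile(rb"(?:(?:\d\x00){6}-\x00){7}(?:\d\x00){6}")

def find_recovery_passwords(mem: bytes) -> list:
    """Scan a memory image for candidates in both encodings and keep only structurally valid ones."""
    candidates = [m.group().decode("ascii") for m in ASCII_RE.finditer(mem)]
    candidates += [m.group().decode("utf-16-le") for m in UTF16_RE.finditer(mem)]
    return [c for c in candidates if valid_recovery_password(c)]

# Constructed sample image (not the challenge's mem.vmem): padding, a decoy whose first
# group is not divisible by 11, then the writeup's real password stored as UTF-16LE.
REAL_KEY = "046409-191059-605495-680889-626109-111617-371668-451517"
DECOY_KEY = "123456-191059-605495-680889-626109-111617-371668-451517"
SAMPLE_MEM = (b"\x00" * 32 + DECOY_KEY.encode("ascii") + b"\xff" * 16
              + REAL_KEY.encode("utf-16-le") + b"\x00" * 32)

if __name__ == "__main__":
    print(find_recovery_passwords(SAMPLE_MEM))
```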
Best_ez_misc
We get an archive named Reverze.zip; a look in WinHex immediately suggests zip pseudo-encryption.
Changing the 5th byte after PK 01 02 to 00 makes it decompressible, giving the file reverse.
Opening it, we found Morse code; decoding it gives a string of digits, 2048 characters in total. Since the challenge says the result is a picture, we tried rendering the differing pixels and finally got the result.
It is not very clear, but turned upside down the flag is easy to read: ctf{pixelnice}
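Added example, not the challenge's file: a small central-directory parser that detects zip pseudo-encryption (bit 0 of the general-purpose flag word set in the central directory entry but not in the local file header, the byte patched above) and clears it only where the local header shows no real encryption. The archive is constructed in memory and then patched to reproduce the condition; read_entry raises "password required" on the patched archive and succeeds on the repaired one.

```python
import io
import struct
import zipfile

def central_dir_entries(data: bytes):
    """Yield the offset of each central-directory entry, walking from the end-of-central-directory record."""
    eocd = data.rfind(b"PK\x05\x06")
    assert eocd != -1, "no end-of-central-directory record"
    count, _size, pos = struct.unpack_from("<HII", data, eocd + 10)
    for _ in range(count):
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        yield pos
        pos += 46 + name_len + extra_len + comment_len

def entry_flags(data: bytes, off: int):
    """Return (name, central-directory flag word, local-header flag word) for the entry at off."""
    cd_flags, = struct.unpack_from("<H", data, off + 8)       # the 5th/6th byte after PK 01 02
    name_len, = struct.unpack_from("<H", data, off + 28)
    lfh_off, = struct.unpack_from("<I", data, off + 42)
    lfh_flags, = struct.unpack_from("<H", data, lfh_off + 6)  # same field in the PK 03 04 header
    return data[off + 46:off + 46 + name_len].decode("utf-8", "replace"), cd_flags, lfh_flags

def pseudo_encrypted_entries(data: bytes) -> list:
    """Names whose central-directory entry sets bit 0 (encrypted) while the local header does not."""
    return [name for name, cd, lfh in (entry_flags(data, o) for o in central_dir_entries(data))
            if cd & 1 and not lfh & 1]

def clear_pseudo_encryption(data: bytes) -> bytes:
    """Clear bit 0 only for entries the local header shows are not really encrypted."""
    buf = bytearray(data)
    for off in central_dir_entries(data):
        _name, cd, lfh = entry_flags(data, off)
        if cd & 1 and not lfh & 1:
            struct.pack_into("<H", buf, off + 8, cd & ~1)
    return bytes(buf)

def make_sample_zip() -> bytes:
    """Constructed sample: a normal archive whose central-directory flag words are patched to set bit 0."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("reverse", "constructed sample content")
    buf = bytearray(out.getvalue())
    for off in central_dir_entries(bytes(buf)):
        flags, = struct.unpack_from("<H", buf, off + 8)
        struct.pack_into("<H", buf, off + 8, flags | 1)
    return bytes(buf)

def read_entry(data: bytes, name: str) -> bytes:
    with zipfile.ZipFile(io.BytesIO(data)) as zf:  # raises RuntimeError while bit 0 is still set
        return zf.read(name)
```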
Misc100t2
Very simple traffic analysis: open the capture, search for CTF directly and the result appears.
Flag: Ctf{anma_qwe3_as34_gty6}
CCTF writeup (part)