threst's Blog

hackagame2018

2018/11/22

This article was first published on 安全脉搏 (SecPulse).

Sign-in

Edit the number of digits of the value in the JS that controls the count.

Word document

Open it directly and flag.txt is right there.

Obsidian Browser

Please open this with the latest version of the Obsidian Browser (HEICORE).

A search for this browser shows it is obviously fake. The source cannot be viewed directly, so prepend view-source: to the URL. Note that you want the source of the .html page, not the .php one, because that one is a 404 page.

view-source:https://heicore.com/index.html

```html
<script type="text/javascript">
// Only an exact User-Agent string match counts as the "latest HEICORE"
function isLatestHEICORE() {
    var ua = navigator.userAgent;
    var HEICORE_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) HEICORE/49.1.2623.213 Safari/537.36";
    return ua === HEICORE_UA;
}
</script>
```

Back to the Past

The source file is as follows:

```text
q
ed
a
flag{
.
a
44a2b8
a3d9b2c
c44039
f93345
}
.
2m3
2m5
2m1
2
s/4/t
q
q
```

At first I kept using commands like strings and cat to look at it, thinking that would work, and tried all sorts of combinations, but the answer was always wrong. Then the team captain said to just type it in by hand following the hint,

save it as a new file, and open it to see:

```text
flag{
t4a2b8
c44039
f93345
a3d9b2
}
```

It really is different from the previous flag.

flag: flag{t4a2b8c44039f93345a3d9b2}

Cat Buster

The challenge: connect with nc and compute all the expressions within 30 seconds. A script solves them all, but afterwards the expressions change and start looking like this:
((int(6!=int(__import__('time').sleep(100)!=39))+(42*28))^((int(print('\x1b\x5b\x33\x3b\x4a\x1b\x5b\x48\x1b\x5b\x32\x4a')!=13)&2)*(int(print('\x1b\x5b\x33\x3b\x4a\x1b\x5b\x48\x1b\x5b\x32\x4a')!=1)<<120)))

((int(17==55)|int(89!=int(18!=print('\x1b\x5b\x33\x3b\x4a\x1b\x5b\x48\x1b\x5b\x32\x4a'))))&((21|59)^(104&1)))

int(((16^60)&(3>>1))>=(int(1!=int(9!=__import__('os').system('find ~')))+(37-9)))

(int((138>>int(__import__('os').system('find ~')==76))<(int(15!=__import__('time').sleep(100))*int(12!=__import__('os').system('find ~'))))*((int(1==exit())<<2)+(5<<int(6!=__import__('os').system('find ~')))))

If you eval() them directly it throws an error and the connection drops, so it seems we cannot let those commands execute. Looking closely, all of them are used inside == and != comparisons, so extract those parts, run them separately to see what value they give, and substitute the computed results back into the expression. Also note that sleep(100) must be changed to sleep(0), because the challenge only allows 30 s.

```python
from pwn import *

r = remote("202.38.95.46", 12009)
r.recvline()
while True:
    task = r.recvline().decode()
    print(task)
    # the challenge allows only 30 s, so neutralize the sleep
    if 'sleep' in task:
        task = task.replace('sleep(100)', 'sleep(0)')
        print("After conversion: " + task)
    if 'exit' in task:
        task = task.replace('exit()', '0')
        print("After conversion: " + task)
    if 'print' in task:
        # this took a long time: \x has to be escaped as \\x for the replace to match
        task = task.replace("print('\\x1b\\x5b\\x33\\x3b\\x4a\\x1b\\x5b\\x48\\x1b\\x5b\\x32\\x4a')", '0')
        print("After conversion: " + task)
    if 'system' in task:
        task = task.replace("__import__('os').system('find ~')", '0')
        print("After conversion: " + task)
    c = eval(task)
    print(str(c))
    r.sendline(str(c).encode())
```
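As an added example (not the author's script): instead of rewriting the text and calling eval(), the same numbers can be obtained by parsing each expression with the ast module and evaluating only its arithmetic, substituting fixed values for the side-effecting calls so that nothing sent by the server is ever executed. It assumes print() and sleep() return None and, like the writeup's replacements, treats os.system('find ~') and exit() as 0.

```python
import ast
import operator

# Return values substituted for the side-effecting calls so they are never executed.
# Assumed: print()/sleep() return None; os.system('find ~') and exit() taken as 0 (as the writeup does).
SUBSTITUTIONS = {"print": None, "sleep": None, "system": 0, "exit": 0}
BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
           ast.BitAnd: operator.and_, ast.BitOr: operator.or_, ast.BitXor: operator.xor,
           ast.LShift: operator.lshift, ast.RShift: operator.rshift}
CMP_OPS = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
           ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge}

def _call_name(call):
    """int(...) has a Name func; __import__('os').system(...) has an Attribute func."""
    if isinstance(call.func, ast.Name):
        return call.func.id
    if isinstance(call.func, ast.Attribute):
        return call.func.attr
    raise ValueError("unsupported call target")

def _ev(node):
    if isinstance(node, ast.Constant) and isinstance(node.value, int):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in BIN_OPS:
        return BIN_OPS[type(node.op)](_ev(node.left), _ev(node.right))
    if isinstance(node, ast.Compare) and len(node.ops) == 1 and type(node.ops[0]) in CMP_OPS:
        return CMP_OPS[type(node.ops[0])](_ev(node.left), _ev(node.comparators[0]))
    if isinstance(node, ast.Call):
        name = _call_name(node)
        if name == "int" and len(node.args) == 1:
            return int(_ev(node.args[0]))
        if name in SUBSTITUTIONS:
            return SUBSTITUTIONS[name]  # arguments (e.g. 'find ~') are never evaluated
        raise ValueError("call not allowed: " + name)
    raise ValueError("syntax not allowed: " + type(node).__name__)

def safe_eval(src):
    """Evaluate one challenge expression without eval(); ValueError on anything unexpected."""
    return _ev(ast.parse(src, mode="eval").body)

def is_rejected(src):
    """True if safe_eval refuses the expression, e.g. a call outside the whitelist."""
    try:
        safe_eval(src)
    except ValueError:
        return True
    return False

# Constructed sample: the second expression quoted above, escape sequence included
SAMPLE = ("((int(17==55)|int(89!=int(18!=print('\\x1b\\x5b\\x33\\x3b\\x4a\\x1b\\x5b\\x48"
          "\\x1b\\x5b\\x32\\x4a'))))&((21|59)^(104&1)))")  # safe_eval(SAMPLE) == 1
```

Unlike the text replacement, a call that is not on the whitelist (say, a different os function) raises ValueError instead of being run.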

flag:flag{'Life_1s_sh0rt_use_PYTH0N'*1000}

Stamp Collection Card from the Garden Party

Jigsaw puzzle
flag{H4PPY_1M4GE_PR0CE551NG}

Who Am I

Philosophical Reflection

At first, no matter what I submitted, the response was:

I am not really sure whether your answer is right.
You should probably try again.

until I looked carefully at the request packet being sent.

It asks who I am: I am a TEAPOT, which earned a flag: flag{i_canN0t_BReW_c0ffEE!}

Can I help me

Open the URL just given:

Brewing tea is not so easy.
Try using other methods to request this page.

Switched straight to POST; the response says:

The method “POST” is deprecated.
See RFC-7168 for more information.

Googled RFC 7168: http://www.ietf.org/rfc/rfc2324.txt, http://hczhcz.github.io/2014/04/02/htcpcp-for-tea.html

Change the method to BREW and add a Content-Type header.

Request:

```http
BREW /the_super_great_hidden_url_for_brewing_tea/ HTTP/1.1
Host: 202.38.95.46:12005
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://202.38.95.46:12005/identity
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: message/teapot
Content-Length: 0
```

Response:

```http
HTTP/1.0 300 MULTIPLE CHOICES
Content-Type: text/html; charset=utf-8
Content-Length: 19
Alternates: {"/the_super_great_hidden_url_for_brewing_tea/black_tea" {type message/teapot}}
Server: Werkzeug/0.14.1 Python/3.6.6
Date: Thu, 11 Oct 2018 14:18:20 GMT

Supported tea type:
```

Replace the URL with the one from the response and send the BREW request again.

flag: flag{delivering_tea_to_DaLa0}
