picoctf刷题

cookies
看提示是Welcome to my cookie search page. See how much I like different kinds of cookies!
先抓包发现cookies的值为-1
底下的框的内容是snickerdoodle,输入试试
发现页面上显示I love snickerdoodle cookies!
然后抓包发现cookie的值为0,猜测是爆破数字(只是加了个重定向),然后爆破到18的时候出了flag

GET aHEAD
又是文件协议,特容易被忽略
可使用协议如下:
GET: 请求指定的页面信息,并返回实体主体。
HEAD: 只请求页面的首部。
POST: 请求服务器接受所指定的文档作为对所标识的URI的新的从属实体。
PUT: 从客户端向服务器传送的数据取代指定的文档的内容。
DELETE: 请求服务器删除指定的页面。
OPTIONS: 允许客户端查看服务器的性能。
TRACE: 请求服务器在响应中的实体主体部分返回所得到的内容。
PATCH: 实体中包含一个表,表中说明与该URI所表示的原内容的区别。
MOVE: 请求服务器将指定的页面移至另一个网络地址。
COPY: 请求服务器将指定的页面拷贝至另一个网络地址
LINK: 请求服务器建立链接关系。
UNLINK: 断开链接关系。
WRAPPED: 允许客户端发送经过封装的请求。
Extension-mothed:在不改动协议的前提下,可增加另外的方法。

Insp3ct0r
直接查看源代码,发现获得1/3的flag,然后提示这是html,三个分别在html,css,js中,直接打开上面的css,js,获得完整的flag

Scavenger Hunt
方法和上一个差不多,只不过打开js发现是一句How can I keep Google from indexing my website?不是很理解应该怎么办,只能去扫目录,发现/robots.txt,/.DS_Store和/.htaccess/
出题人的意思应该是通过设置/robots.txt来阻止Google的索引,然后打开这个后提示I think this is an apache server… can you Access the next flag?
为了查看apache的配置而访问/.htaccess/,提示I love making websites on my Mac, I can Store a lot of information there.
然后通过mac的文件泄露联想到/.DS_Store,然后获取最后一部分flag

Some Assembly Required 1
感觉就是闲的
打开以后是一个文本框,检查源代码看见一个js,内容如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
const _0x402c=['value','2wfTpTR','instantiate','275341bEPcme','innerHTML','1195047NznhZg','1qfevql','input','1699808QuoWhA','Correct!','check_flag','Incorrect!','./JIFxzHyW8W','23SMpAuA','802698XOMSrr','charCodeAt','474547vVoGDO','getElementById','instance','copy_char','43591XxcWUl','504454llVtzW','arrayBuffer','2NIQmVj','result'];const _0x4e0e=function(_0x553839,_0x53c021){_0x553839=_0x553839-0x1d6;let _0x402c6f=_0x402c[_0x553839];return _0x402c6f;};(function(_0x76dd13,_0x3dfcae){const _0x371ac6=_0x4e0e;while(!![]){try{const _0x478583=-parseInt(_0x371ac6(0x1eb))+parseInt(_0x371ac6(0x1ed))+-parseInt(_0x371ac6(0x1db))*-parseInt(_0x371ac6(0x1d9))+-parseInt(_0x371ac6(0x1e2))*-parseInt(_0x371ac6(0x1e3))+-parseInt(_0x371ac6(0x1de))*parseInt(_0x371ac6(0x1e0))+parseInt(_0x371ac6(0x1d8))*parseInt(_0x371ac6(0x1ea))+-parseInt(_0x371ac6(0x1e5));if(_0x478583===_0x3dfcae)break;else _0x76dd13['push'](_0x76dd13['shift']());}catch(_0x41d31a){_0x76dd13['push'](_0x76dd13['shift']());}}}(_0x402c,0x994c3));let exports;(async()=>{const _0x48c3be=_0x4e0e;let _0x5f0229=await fetch(_0x48c3be(0x1e9)),_0x1d99e9=await WebAssembly[_0x48c3be(0x1df)](await _0x5f0229[_0x48c3be(0x1da)]()),_0x1f8628=_0x1d99e9[_0x48c3be(0x1d6)];exports=_0x1f8628['exports'];})();function onButtonPress(){const _0xa80748=_0x4e0e;let _0x3761f8=document['getElementById'](_0xa80748(0x1e4))[_0xa80748(0x1dd)];for(let _0x16c626=0x0;_0x16c626<_0x3761f8['length'];_0x16c626++){exports[_0xa80748(0x1d7)](_0x3761f8[_0xa80748(0x1ec)](_0x16c626),_0x16c626);}exports['copy_char'](0x0,_0x3761f8['length']),exports[_0xa80748(0x1e7)]()==0x1?document[_0xa80748(0x1ee)](_0xa80748(0x1dc))[_0xa80748(0x1e1)]=_0xa80748(0x1e6):document[_0xa80748(0x1ee)](_0xa80748(0x1dc))[_0xa80748(0x1e1)]=_0xa80748(0x1e8);}
先进行简单的分割,以及把正经的16进制转换出来以便于阅读(因为_0x4e0e这个函数过于常见,所以一起换掉):(sublime超级好用的js排版插件https://blog.csdn.net/waterdemo/article/details/38110863)
const _0x402c = ["value", "2wfTpTR", "instantiate", "275341bEPcme", "innerHTML", "1195047NznhZg", "1qfevql", "input", "1699808QuoWhA", "Correct!", "check_flag", "Incorrect!", "./JIFxzHyW8W", "23SMpAuA", "802698XOMSrr", "charCodeAt", "474547vVoGDO", "getElementById", "instance", "copy_char", "43591XxcWUl", "504454llVtzW", "arrayBuffer", "2NIQmVj", "result"];
const _0x4e0e = function(url, whensCollection) {
  /** @type {number} */
  url = url - 470;
  let _0x402c6f = _0x402c[url];
  return _0x402c6f;
};
(function(data, oldPassword) {
  const toMonths = _0x4e0e;
  for (; !![];) {
    try {
      const userPsd = -parseInt(toMonths(491)) + parseInt(toMonths(493)) + -parseInt(toMonths(475)) * -parseInt(toMonths(473)) + -parseInt(toMonths(482)) * -parseInt(toMonths(483)) + -parseInt(toMonths(478)) * parseInt(toMonths(480)) + parseInt(toMonths(472)) * parseInt(toMonths(490)) + -parseInt(toMonths(485));
      if (userPsd === oldPassword) {
        break;
      } else {
        data["push"](data["shift"]());
      }
    } catch (_0x41d31a) {
      data["push"](data["shift"]());
    }
  }
})(_0x402c, 627907);
let exports;
(async() => {
  const findMiddlePosition = _0x4e0e;
  let leftBranch = await fetch(findMiddlePosition(489));
  let rightBranch = await WebAssembly[findMiddlePosition(479)](await leftBranch[findMiddlePosition(474)]());
  let module = rightBranch[findMiddlePosition(470)];
  exports = module["exports"];
})();
/**
 * @return {undefined}
 */
function onButtonPress() {
  const navigatePop = _0x4e0e;
  let params = document["getElementById"](navigatePop(484))[navigatePop(477)];
  for (let i = 0; i < params["length"]; i++) {
    exports[navigatePop(471)](params[navigatePop(492)](i), i);
  }
  exports["copy_char"](0, params["length"]);
  if (exports[navigatePop(487)]() == 1) {
    document[navigatePop(494)](navigatePop(476))[navigatePop(481)] = navigatePop(486);
  } else {
    document[navigatePop(494)](navigatePop(476))[navigatePop(481)] = navigatePop(488);
  }
}
;

然后很容易发现,文本框调用了onButtonPress()函数,所以直接追这个函数就行
发现调用了大量的_0x4e0e函数(navigatePop)
阅读代码:

1
2
3
4
5
6
const _0x4e0e = function(url, whensCollection) {
  /** @type {number} */
  url = url - 470;
  let _0x402c6f = _0x402c[url];
  return _0x402c6f;
};

发现,逻辑是读取一个数字,减去470后在前面的_0x402c取字符串
所以导出对应关系:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
_0x4e0e(470)=value
'value' 470
'2wfTpTR' 471
'instantiate' 472
'275341bEPcme' 473
'innerHTML' 474
'1195047NznhZg' 475
'1qfevql' 476
'input' 477
'1699808QuoWhA' 478
'Correct!' 479
'check_flag' 480
'Incorrect!' 481
'./JIFxzHyW8W' 482
'23SMpAuA' 483
'802698XOMSrr' 484
'charCodeAt' 485
'474547vVoGDO' 486 
'getElementById' 487
'instance' 488
'copy_char' 489
'43591XxcWUl' 490
'504454llVtzW' 491
'arrayBuffer' 492
'2NIQmVj' 493
'result' 494
然后是会先调用function(data, oldPassword)函数,对上面的数组进行打乱:
函数内容为:
(function(data, oldPassword) {
  const toMonths = _0x4e0e;
  for (; !![];) {
    try {
      const userPsd = -parseInt('504454llVtzW') + parseInt('2NIQmVj') + -parseInt('1195047NznhZg') * -parseInt('275341bEPcme') + -parseInt('./JIFxzHyW8W') * 
-parseInt('23SMpAuA') + -parseInt('1699808QuoWhA') * parseInt('check_flag') + parseInt('instantiate') * parseInt('43591XxcWUl') + -parseInt('charCodeAt');
      if (userPsd === oldPassword) {
        break;
      } else {
        data["push"](data["shift"]());
      }
    } catch (_0x41d31a) {
      data["push"](data["shift"]());
    }
  }
})(_0x402c, 627907);

其中parseInt函数的作用是把字符串解析成数字:https://www.runoob.com/jsref/jsref-parseint.html
懒得手算,所以转换成JavaScript打印出转换的值,加入:

1
2
3
var arr = str.split(" ");
for(var key in _0x402c){
 document.writeln(arr[key]);

完善onButtonPress()函数:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
(async() => {
  const findMiddlePosition = _0x4e0e;
  let leftBranch = await fetch("./JIFxzHyW8W");
  let rightBranch = await WebAssembly["instantiate"](await leftBranch["arrayBuffer"]());
  let module = rightBranch["instance"];
  exports = module["exports"];
})();
/**
 * @return {undefined}
 */
function onButtonPress() {
  const navigatePop = _0x4e0e;
  let params = document["getElementById"]("input")["value"];
  for (let i = 0; i < params["length"]; i++) {
    exports["copy_char"](params["charCodeAt"](i), i);
  }
  exports["copy_char"](0, params["length"]);
  if (exports["check_flag"]() == 1) {
    document["getElementById"]("result")["innerHTML"] = "Correct!";
  } else {
    document["getElementById"]("result")["innerHTML"] = "Incorrect!";
  }
};

然后我们发现:没什么卵用。
无非就是输对了代码以后会显示correct,输错了会显示incorrect
然后回去看题目,提到了Assembly,也就是混淆这玩意的东西,所以可能是让我们找混淆这玩意的代码,直接F12,调到source,发现有个wasm,那就是代码的混淆规则,在最后找到了flag

实际上:因为那一大堆字符串里面只有一个./JIFxzHyW8W像路径,按路径去试的话,一下子就出来了

More Cookies
因为涉及密码学的知识,所以完全是知识盲区

似乎是利用了AES CBC这种加密方法
简单了解了一下,发现这似乎并不完全算是“加密”,而是“生成”
这种算法是,假如我有一串字符串A
将A经过Base64加密,生成B
随机生成两个数a和b(a<=128,b<=128)
将B的第a个字符(换成ascii码)异或b(换成字符),生成C
然后C再进行一次base64加密,得到D,就是我们最后获取的cookie

所以,由p XOR q = r 推出 p XOR r = q 得逆运算:
cookie用base64解密得C
C的第a个字符异或b得到B
B再被base64解密得到A,就是需要的cookie

所以爆破脚本:
#!/usr/bin/python2
import requests
import base64

s=requests.Session()
s.get(“http://mercury.picoctf.net:43275/")
cookie=s.cookies[“auth_name”]
print(cookie)
unb64=base64.b64decode(cookie)
print(unb64)
unb64b=base64.b64decode(unb64)
for i in range (0,128):
pos=i//8
guessdec=unb64b[0:pos]+chr(ord(unb64b[pos])^(1<<(i%8)))+unb64b[pos+1:]
guessenc1 = base64.b64encode(guessdec)
guess=base64.b64encode(base64.b64encode(guessdec))
r=requests.get(“http://mercury.picoctf.net:43275/",cookies={"auth_name": guess})
if “pico” in r.text:
print(r.text)

where are the robots
估计是考robots.txt,试了试发现内容是User-agent: * Disallow: /1bb4c.html,直接访问拿到flag

login
离谱
先是用什么账号和密码都能登上去,提示是登录Joe的账号,事实上只有Joe登不上去
尝试sql注入失败,估计不会爆破就没试
结果正确方法是:
先随便用一个账号和密码登录,发现cookie的内容为
username=123
password=456
456=False
所以把username的值改为Joe,把False改成True后刷新,就出flag了

dont-use-client-side
打开后是个输入框,尝试输几个都失败了,看源码,发现前端代码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
function verify() {
   checkpass = document.getElementById("pass").value;
   split = 4;
   if (checkpass.substring(0, split) == 'pico') {
     if (checkpass.substring(split*6, split*7) == '706c') {
       if (checkpass.substring(split, split*2) == 'CTF{') {
        if (checkpass.substring(split*4, split*5) == 'ts_p') {
         if (checkpass.substring(split*3, split*4) == 'lien') {
           if (checkpass.substring(split*5, split*6) == 'lz_b') {
             if (checkpass.substring(split*2, split*3) == 'no_c') {
               if (checkpass.substring(split*7, split*8) == '5}') {
                 alert("Password Verified")
                 }
               }
             }
     
           }
         }
       }
     }
   }
   else {
     alert("Incorrect password");
   }
   
 }

很明显,输入正确的字符串就是flag,所以这个时候最简单的方法就是:拿这一大堆字符串去爆破flag
picoCTF{ 和 5}都给了,要爆破的也就只有五个(开玩笑的)
直接看也不难,就是个拼接(数数)
pico
CTF{
no_c
lien
ts_p
lz_b
706c
5}

It is my Birthday
打开以后要上传两个文件,盲猜是要碰撞了,但不知道是什么碰撞
所以先传两个试试
发现需要传pdf,那就传
发现Files are not different! 那就传不一样的
回显MD5 hashes do not match!
猜的没错,md5碰撞
随便从网上找两个抄上去
然后就出答案了,而且非常贴心的给了源码!

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
<?php

if (isset($_POST["submit"])) {
    $type1 = $_FILES["file1"]["type"];
    $type2 = $_FILES["file2"]["type"];
    $size1 = $_FILES["file1"]["size"];
    $size2 = $_FILES["file2"]["size"];
    $SIZE_LIMIT = 18 * 1024;

    if (($size1 < $SIZE_LIMIT) && ($size2 < $SIZE_LIMIT)) {
        if (($type1 == "application/pdf") && ($type2 == "application/pdf")) {
            $contents1 = file_get_contents($_FILES["file1"]["tmp_name"]);
            $contents2 = file_get_contents($_FILES["file2"]["tmp_name"]);

            if ($contents1 != $contents2) {
                if (md5_file($_FILES["file1"]["tmp_name"]) == md5_file($_FILES["file2"]["tmp_name"])) {
                    highlight_file("index.php");
                    die();
                } else {
                    echo "MD5 hashes do not match!";
                    die();
                }
            } else {
                echo "Files are not different!";
                die();
            }
        } else {
            echo "Not a PDF!";
            die();
        }
    } else {
        echo "File too large!";
        die();
    }
}

// FLAG: picoCTF{c0ngr4ts_u_r_1nv1t3d_aebcbf39}

?>
<!DOCTYPE html>
<html lang="en">

<head>
    <title>It is my Birthday</title>


    <link href="https://maxcdn.bootstrapcdn.com/bootstrap/3.2.0/css/bootstrap.min.css" rel="stylesheet">

    <link href="https://getbootstrap.com/docs/3.3/examples/jumbotron-narrow/jumbotron-narrow.css" rel="stylesheet">

    <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>

    <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>


</head>

<body>

    <div class="container">
        <div class="header">
            <h3 class="text-muted">It is my Birthday</h3>
        </div>
        <div class="jumbotron">
            <p class="lead"></p>
            <div class="row">
                <div class="col-xs-12 col-sm-12 col-md-12">
                    <h3>See if you are invited to my party!</h3>
                </div>
            </div>
            <br/>
            <div class="upload-form">
                <form role="form" action="/index.php" method="post" enctype="multipart/form-data">
                <div class="row">
                    <div class="form-group">
                        <input type="file" name="file1" id="file1" class="form-control input-lg">
                        <input type="file" name="file2" id="file2" class="form-control input-lg">
                    </div>
                </div>
                <div class="row">
                    <div class="col-xs-12 col-sm-12 col-md-12">
                        <input type="submit" class="btn btn-lg btn-success btn-block" name="submit" value="Upload">
                    </div>
                </div>
                </form>
            </div>
        </div>
    </div>
    <footer class="footer">
        <p>&copy; PicoCTF</p>
    </footer>

</div>

<script>
$(document).ready(function(){
    $(".close").click(function(){
        $("myAlert").alert("close");
    });
});
</script>
</body>

</html>

Who are you?
打开以后是一句话:Only people who use the official PicoBrowser are allowed on this site!
看来是检测浏览器信息了,应该是查的header的User-Agent,改成PicoBrowser就好
发现I don’t trust users visiting from another site.
那估计是referer吧,改成它自己的网址
发现Sorry, this site only worked in 2018.
Date参数2018
回:I don’t trust users who can be tracked.
DNT:dnt
回:This website is only for people from Sweden.
需要瑞典的ip,xff,找个ip填上去
回:You’re in Sweden but you don’t speak Swedish?
改Accept-Language:sv
拿到flag
感想:我那次出的还是保守了

login
又一个login
试出来admin是账号,但是似乎没法注释,以这个网站的尿性,应该不是sql,查看源码,发现js:

1
(async()=>{await new Promise((e=>window.addEventListener("load",e))),document.querySelector("form").addEventListener("submit",(e=>{e.preventDefault();const r={u:"input[name=username]",p:"input[name=password]"},t={};for(const e in r)t[e]=btoa(document.querySelector(r[e]).value).replace(/=/g,"");return"YWRtaW4"!==t.u?alert("Incorrect Username"):"cGljb0NURns1M3J2M3JfNTNydjNyXzUzcnYzcl81M3J2M3JfNTNydjNyfQ"!==t.p?alert("Incorrect Password"):void alert(`Correct Password! Your flag is ${atob(t.p)}.`)}))})();

用sublime排一下版:

1
2
3
4
5
6
7
8
9
10
11
12
(async () => {
	await new Promise((e => window.addEventListener("load", e))), document.querySelector("form").addEventListener("submit", (e => {
		e.preventDefault();
		const r = {
				u: "input[name=username]",
				p: "input[name=password]"
			},
			t = {};
		for (const e in r) t[e] = btoa(document.querySelector(r[e]).value).replace(/=/g, "");
		return "YWRtaW4" !== t.u ? alert("Incorrect Username") : "cGljb0NURns1M3J2M3JfNTNydjNyXzUzcnYzcl81M3J2M3JfNTNydjNyfQ" !== t.p ? alert("Incorrect Password") : void alert(`Correct Password! Your flag is ${atob(t.p)}.`)
	}))
})();

因为一开始爆出了admin,用base64加密后是YWRtaW4=,和对比的正好差一个=
发现貌似会base64加密后把=给去掉
本以为后面那个要试着加=,但是好像直接解码就出结果了

谢谢你请我吃糖果

扫一扫,分享到微信

微信分享二维码
本站总访问量 |

tag:

    缺失模块。
    1、请确保node版本大于6.2
    2、在博客根目录(注意不是yilia根目录)执行以下命令:
    npm i hexo-generator-json-content --save

    3、在根目录_config.yml里添加配置: 

      jsonContent:
    meta: false
    pages: false
    posts:
      title: true
      date: true
      path: true
      text: false
      raw: false
      content: false
      slug: false
      updated: false
      comments: false
      link: false
      permalink: false
      excerpt: false
      categories: false
      tags: true

很惭愧<br><br>只做了一点微小的工作<br>谢谢大家