TUCTF
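I played TUCTF a few days ago. Embarrassingly, I once again finished several hundred places down, though I can console myself that ranking three-hundred-something internationally is not bad. Ahem, the spiritual-victory method.
I never found the time to tidy up my notes, and I did not solve much anyway. Today I discovered that CTFtime actually has a write-up section, QAQ.
Let's start with one of its Web challenges, Cookie Duty.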
Web-Cookie Duty
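Clearly, the cookie is the thing to work on here: testalert(document.cookie)
The challenge's message tells you that you have been identified successfully but your privileges are wrong: you are not admin. Seeing not_admin=1, it is easy to think of changing this HTTP header.
Modify it with Burp and get the flag.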
Web-Git Gud
Git Gud
Jimmy has begun learning about Version Control Systems and decided it was a good time to put it into use for his personal website. Show him how to Git Gud.
http://gitgud.tuctf.com
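This challenge is very interesting. In domestic CTFs I had not yet come across git being used both to set and to solve a challenge. Learned something.
So, git it is.
I have solved a challenge like this in SVATTT-2017 Qual Round, so to deal with this challenge, first we need to dump the link/.git/, then extract it, then grep for the flag.
That is the approach of one write-up author. It looks like git challenges are quite popular abroad.
First, dump link/.git/, that is: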
./gitdumper.sh http://gitgud.tuctf.com/.git/ Folder-To-Save
After that nothing appears in a plain listing, so use ls -lia here to see this file.
Finally, extract it.
./extractor.sh git-saved-folder folder-to-save
Then grep for the flag.
grep -rnw TUCTF
P.S. A great tool for git leaks: GitHack.
Crypto-The Never Ending Crypto
Challenge:
Welcome to the never ending crypto!
How quickly can you make it through?
nc neverending.tuctf.com 12345
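After connecting, I found that you enter a string and observe the ciphertext it outputs; it then gives you a ciphertext and asks you to recover the plaintext.
But you do not get long, only a few seconds, so it has to be done with a script.
Assume our sent data is sdata
Our sdata when encrypted is s_encrypt
And the cipher they give us: cipher
To decrypt we need to find key = ord(s_encrypt[0]) - ord(sdata[0])
Then cipher[i] = (cipher[i] - key - 32) % (127 - 32) + 32
Look at how other people reason about decryption... how did I manage to get so muddled...
It really is very clear: write a script, run it, done.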
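An added example, not taken from the original post or the quoted write-up: the key derivation and decryption formulas above as a runnable script. The remote service is replaced by a local stand-in `encrypt()` whose behaviour is an assumption (a constant shift over printable ASCII 32..126), and the probe, key and challenge strings are constructed.

```python
# Added example: known-plaintext recovery of a printable-ASCII shift cipher.
LO, HI = 32, 127           # printable range used by the formula above
SPAN = HI - LO             # 95 symbols


def encrypt(plain: str, key: int) -> str:
    """Local stand-in for the remote service (assumed behaviour, demo only)."""
    return "".join(chr((ord(ch) - LO + key) % SPAN + LO) for ch in plain)


def derive_key(sdata: str, s_encrypt: str) -> int:
    """key = ord(s_encrypt[0]) - ord(sdata[0]), reduced mod 95.

    The key is then checked against every position of the probe, so a
    round that is not a constant shift is rejected instead of silently
    producing a wrong answer.
    """
    if not sdata or len(sdata) != len(s_encrypt):
        raise ValueError("probe and its ciphertext must be non-empty and equal length")
    key = (ord(s_encrypt[0]) - ord(sdata[0])) % SPAN
    if encrypt(sdata, key) != s_encrypt:
        raise ValueError("not a constant shift over printable ASCII")
    return key


def decrypt(cipher: str, key: int) -> str:
    """plain[i] = (ord(cipher[i]) - key - 32) % (127 - 32) + 32"""
    return "".join(chr((ord(ch) - key - LO) % SPAN + LO) for ch in cipher)


if __name__ == "__main__":
    secret_key = 90                          # constructed; unknown to the solver
    probe = "abc"                            # sdata
    echoed = encrypt(probe, secret_key)      # s_encrypt
    key = derive_key(probe, echoed)
    challenge = encrypt("hello world", secret_key)   # cipher
    print(key, repr(decrypt(challenge, key)))
```

Python's `%` always returns a non-negative result for a positive modulus, which is why a "negative" difference such as `ord('\\') - ord('a')` still yields the right key.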
Crypto-Transporter
Challenge:
We have discovered some hackers have infiltrated our mainframe and may have exfiltrated some highly classified data.
Can you help us figure out what they stole?
nc transporter.tuctf.com 54321
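After connecting, it gives a long base64 string. Decoding it yields two more base64 segments: decoding one of them gives an enc_key together with an n and an e, and the other is invalid.
Maybe it is encrypted with AES - DES? Because we can see the IV, and with the view of this data in hex, we see that after the 69763a (iv:) is 16 bytes => which decode to 8 bytes ASCII, and the IV is 8 bytes, huh? Should be DES.
After that, the write-up infers that it is DES. I really learned something from this point, so I am pasting it here.
The public key (n, e) is not so long that it cannot be factored into p and q.
Then decrypt enc_key.
Then decrypt the data with pyDES.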
VM-Gateway
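Time to show some real skill. In terms of challenge categories this is the best CTF I have played; it is the first time I have seen a CTF include VM challenges. Learned a lot.
However, I did not even manage the very first step of getting into the VM.....
Truly a weakling.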
This CTF provided a VM which encompassed a number of different challenges, the first part of which is to actually access it. When booting up the VM, we find that the drive it's accessing is encrypted and you need a passkey to decrypt it. Luckily there is an unencrypted drive that is accessible.
To access this, we need to add a live CD to the VM so that we can boot off that instead. I chose to use Kali Linux for this. Once we boot into Kali, we can access the unencrypted drive which is labeled "Boot".
Right away there is a file that stands out: "usefultool.exe"
Running this we discover that it is just a program that ROT13's whatever string you provide, so this is a pretty good indicator that our flag will be a ROT13 that needs to be decoded. Looking around the drive more, nothing of use was really found, so I took a closer look at the .exe. Running strings on it I found something interesting.
However, this turned out to only be part of the flag. Looking closer at the strings output, it seems that the exe has been packed with UPX. Using UPX to unpack it, we can finally get the full output of all the strings, as well as our full ROT13 flag.
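That is the expert's explanation, and there is nothing to add to it..
I only dare to offer my own understanding: where I failed was in not finding "an unencrypted drive that is accessible". That was the way in, and I was like a tiger trying to eat the sky, with nowhere to sink my teeth. After that it comes down to decoding "usefultool.exe" with ROT13.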
VM-Leap of Faith
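The challenge statement is interesting: it says this challenge has already been given in the previous challenge. There is a secret in the flag; since I did not get this far at the time, I do not know the actual flag, which is a pity. Still, I really like this kind of imagination.
Here is the expert's explanation.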
This challenge utilized the same exe from the previous challenge. I overthought this one a lot, but looking at all the strings in GDB by accessing the function 'randomPaddingFunction' that I was told to ignore, I finally realized that the first letter of each string gave the flag!
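This was my first time having a bit of a go at an international competition, and it really was great fun...
A salute to all the CTFers active in this fourth space.
Long live thinking.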