CTF challenges, June 30th 2021

[Easy] [Reverse] open-source

I wonder what this really is… enc

''.join([chr((ord(flag[i]) << 8) + ord(flag[i + 1])) for i in range(0, len(flag), 2)])

https://mercury.picoctf.net/static/77a2b202236aa741e988581e78d277a6/enc

Hint: You may find some decoders online

The download is a text file, enc. Opened in VSCode with the default UTF-8 encoding, its contents are garbage.

Run the contents through CyberChef's Magic operation with Intensive mode enabled; the flag is visible on the Encode_text('UTF-16BE (1201)') row.

Alternatively, in VSCode save the file as UTF-16BE first, then reopen it as UTF-8.

[Easy] [Cryptography] Mind your Ps and Qs

In RSA, a small e value can be problematic, but what about N ? Can you decrypt this? values

https://mercury.picoctf.net/static/b9ddda080c56fb421bf30409bec3460d/values

Hint: Bits are expensive, I used only a little bit over 100 to save money

The download is a text file, values.

File contents:

Decrypt my super sick RSA:
c: 964354128913912393938480857590969826308054462950561875638492039363373779803642185
n: 1584586296183412107468474423529992275940096154074798537916936609523894209759157543
e: 65537

factordb.com gives the two prime factors of n.

p = 2434792384523484381583634042478415057961
q = 650809615742055581459820253356987396346063

Run pip install pycryptodome to install the dependency, then run this script to get the flag:

from Crypto.Util.number import inverse, long_to_bytes

# Values from the challenge file
c = 964354128913912393938480857590969826308054462950561875638492039363373779803642185
n = 1584586296183412107468474423529992275940096154074798537916936609523894209759157543
e = 65537

# Prime factors of n, as reported by factordb.com
p = 2434792384523484381583634042478415057961
q = 650809615742055581459820253356987396346063
assert p * q == n

# Euler's totient of n, then the private exponent d = e^-1 mod phi(n)
phi_n = (p - 1) * (q - 1)
d = inverse(e, phi_n)

# Textbook RSA decryption: m = c^d mod n
m = pow(c, d, n)

print(long_to_bytes(m))

[Medium] [Web] It is my Birthday

I sent out 2 invitations to all of my friends for my birthday! I’ll know if they get stolen because the two invites look similar, and they even have the same md5 hash, but they are slightly different! You wouldn’t believe how long it took me to find a collision. Anyway, see if you’re invited by submitting 2 PDFs to my website.

http://mercury.picoctf.net:63578/

Hint1: Look at the category of this problem.

Hint2: How may a PHP site check the rules in the description?

Create a new empty text file and rename it 1.pdf.

Then use fastcoll: running .\fastcoll.exe -p 1.pdf -o 1.pdf 2.pdf produces two PDF files with the same MD5. Upload both to get the flag.

[Medium] [Binary] Stonks

I decided to try something noone else has before. I made a bot to automatically trade stonks for me using AI and machine learning. I wouldn’t believe you if you told me it’s unsecure! vuln.c

nc mercury.picoctf.net 27912

https://mercury.picoctf.net/static/17ba7f9351aca192c45833c658742fe5/vuln.c

Hint: Okay, maybe I’d believe you if you find my API key

The download is a single C source file, vuln.c.

The relevant code is the buy_stonks function starting at line 62 of vuln.c. The bug is the printf call at line 93, which is given no arguments other than the format string, and since we control what user_buf contains, we can make it print data from the stack.

Compile, run, and enter a long string of %x specifiers to dump stack contents:

%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x

Decoding the printed output with CyberChef's From Hex operation reveals the string pocip{FTC0l_I4_t5m_ll0m_y_y3n2fc10a10ÿ´.}, which looks like the flag.

Because each %x prints four bytes at a time, every group of four bytes has to be reversed. Since the flag format is picoCTF{xxx}, we know the reversal starts at the second character, o. Doing so yields the flag.
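A worked version of that un-swapping step, added here and not part of the original writeup. The leaked string is constructed from the garbled text above; because in general a %x dump may start mid-word, the helper tries all four alignments instead of assuming the second character, and words_to_text shows the same repair done directly on the hex words.

```python
import re
import struct
from typing import List, Optional

# Constructed from the garbled string quoted in the writeup; in a real run
# this is what CyberChef's From Hex produces from the %x output.
LEAKED = "pocip{FTC0l_I4_t5m_ll0m_y_y3n2fc10a10\xff\xb4.}"

FLAG_RE = re.compile(r"picoCTF\{[^}]*\}")


def unswap_words(text: str, start: int, width: int = 4) -> str:
    """Reverse every `width`-character group beginning at index `start`.

    Each %x prints one 32-bit little-endian word as hex, so the bytes of
    every word come out in reverse order. `start` marks the first complete
    word; characters before it belong to a word that was only partly dumped.
    """
    head, body = text[:start], text[start:]
    full = len(body) // width * width
    groups = [body[i:i + width][::-1] for i in range(0, full, width)]
    return head + "".join(groups) + body[full:]


def recover_flag(text: str, width: int = 4) -> Optional[str]:
    """Try every word alignment and return the first flag-shaped match."""
    for start in range(width):
        match = FLAG_RE.search(unswap_words(text, start, width))
        if match:
            return match.group(0)
    return None


def words_to_text(hex_words: List[str]) -> str:
    """Turn raw %x output (one 32-bit word per entry) straight into text.

    Parsing each word as an integer and packing it little-endian restores
    the original byte order without a separate swap step; leading zeros
    that %x drops are handled by the integer parse.
    """
    raw = b"".join(struct.pack("<I", int(w, 16)) for w in hex_words)
    return raw.decode("latin-1")


if __name__ == "__main__":
    print(recover_flag(LEAKED))
```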

[Hard] [Binary] Here’s a LIBC

I am once again asking for you to pwn this binary vuln libc.so.6 Makefile

nc mercury.picoctf.net 62289

https://mercury.picoctf.net/static/2c327c6c08e9d1d8142dbdb85ae00574/vuln

https://mercury.picoctf.net/static/2c327c6c08e9d1d8142dbdb85ae00574/libc.so.6

https://mercury.picoctf.net/static/2c327c6c08e9d1d8142dbdb85ae00574/Makefile

Hint: PWNTools has a lot of useful features for getting offsets.

Reference: https://ctf-wiki.org/pwn/linux/stackoverflow/basic-rop/

The download is three files: vuln, libc.so.6 and Makefile.

// TODO