CTF School Team Summer Practice 2021.6.30
CTF Challenges, June 30th 2021
[Easy] [Reverse] open-source
I wonder what this really is… enc
''.join([chr((ord(flag[i]) << 8) + ord(flag[i + 1])) for i in range(0, len(flag), 2)])
https://mercury.picoctf.net/static/77a2b202236aa741e988581e78d277a6/enc
Hint: You may find some decoders online
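The download is a text file: enc. Opened in VSCode with the default UTF-8 encoding, its content is garbled.
Process the content with CyberChef's Magic operation with Intensive mode turned on; the flag is visible in the row for Encode_text('UTF-16BE (1201)').
Alternatively, in VSCode, first save the file as UTF-16BE and then reopen it as UTF-8.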
[Easy] [Cryptography] Mind your Ps and Qs
In RSA, a small e value can be problematic, but what about N ? Can you decrypt this? values
https://mercury.picoctf.net/static/b9ddda080c56fb421bf30409bec3460d/values
Hint: Bits are expensive, I used only a little bit over 100 to save money
The download is a text file: values
File contents:
Decrypt my super sick RSA:
c: 964354128913912393938480857590969826308054462950561875638492039363373779803642185
n: 1584586296183412107468474423529992275940096154074798537916936609523894209759157543
e: 65537
Use factordb.com to find the two prime factors of n.
p = 2434792384523484381583634042478415057961
q = 650809615742055581459820253356987396346063
Run pip install pycryptodome to install the dependency, then run this code to get the flag:
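An added example, not the author's original code: the decryption step carried out with the c, n, e, p and q values listed above, using Python's standard library (3.8+) in place of pycryptodome. The function names and the 2048-bit threshold in key_is_too_small are assumptions made for this example.

```python
# Added example: textbook RSA decryption with the values listed on this page.
# Standard library only (Python 3.8+ for pow(e, -1, phi)).

C = 964354128913912393938480857590969826308054462950561875638492039363373779803642185
N = 1584586296183412107468474423529992275940096154074798537916936609523894209759157543
E = 65537
P = 2434792384523484381583634042478415057961
Q = 650809615742055581459820253356987396346063


def private_exponent(p: int, q: int, e: int, n: int) -> int:
    """Derive d from the factors, refusing factors that do not multiply to n."""
    if p * q != n:
        raise ValueError("p * q != n: wrong factorisation")
    phi = (p - 1) * (q - 1)   # Euler's totient for n = p * q
    return pow(e, -1, phi)    # modular inverse; raises if gcd(e, phi) != 1


def decrypt(c: int, d: int, n: int) -> bytes:
    """m = c^d mod n, returned as big-endian bytes (what long_to_bytes gives)."""
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def key_is_too_small(n: int, minimum_bits: int = 2048) -> bool:
    """Defender-side check (assumed threshold): short moduli can be factored."""
    return n.bit_length() < minimum_bits


if __name__ == "__main__":
    d = private_exponent(P, Q, E, N)
    print("modulus bits:", N.bit_length(), "too small:", key_is_too_small(N))
    print(decrypt(C, d, N).decode(errors="replace"))
```

Re-encrypting the recovered plaintext with e and comparing it against c confirms that the factors and d are right before the bytes are trusted.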
[Medium] [Web] It is my Birthday
I sent out 2 invitations to all of my friends for my birthday! I’ll know if they get stolen because the two invites look similar, and they even have the same md5 hash, but they are slightly different! You wouldn’t believe how long it took me to find a collision. Anyway, see if you’re invited by submitting 2 PDFs to my website.
http://mercury.picoctf.net:63578/
Hint1: Look at the category of this problem.
Hint2: How may a PHP site check the rules in the description?
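Create an empty text document and rename it 1.pdf.
Then use fastcoll, running the command .\fastcoll.exe -p 1.pdf -o 1.pdf 2.pdf
This produces two PDF files with the same MD5; upload them to get the flag.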
[Medium] [Binary] Stonks
I decided to try something noone else has before. I made a bot to automatically trade stonks for me using AI and machine learning. I wouldn’t believe you if you told me it’s unsecure! vuln.c
nc mercury.picoctf.net 27912
https://mercury.picoctf.net/static/17ba7f9351aca192c45833c658742fe5/vuln.c
Hint: Okay, maybe I’d believe you if you find my API key
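The download is a .c file: vuln.c
The main code is the buy_stonks function at line 62. The vulnerability is that the printf call at line 93 of that function is not given a format argument, and since we control what user_buf contains, we can make it print the data on the stack.
Compile and run it, then enter a series of %x to print the information on the stack: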
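Decoding the printed result with CyberChef's From Hex operation reveals the string pocip{FTC0l_I4_t5m_ll0m_y_y3n2fc10a10ÿ´.}, which looks like a flag.
Because %x prints four bytes at a time, each group of four bytes has to be reversed. Since the flag format is picoCTF{xxx}, we know the reversal starts at the second character, o. This yields the flag.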
[Hard] [Binary] Here’s a LIBC
I am once again asking for you to pwn this binary vuln libc.so.6 Makefile
nc mercury.picoctf.net 62289
https://mercury.picoctf.net/static/2c327c6c08e9d1d8142dbdb85ae00574/vuln
https://mercury.picoctf.net/static/2c327c6c08e9d1d8142dbdb85ae00574/libc.so.6
https://mercury.picoctf.net/static/2c327c6c08e9d1d8142dbdb85ae00574/Makefile
Hint: PWNTools has a lot of useful features for getting offsets.
Reference: https://ctf-wiki.org/pwn/linux/stackoverflow/basic-rop/
The download is three files: vuln, libc.so.6, Makefile
// TODO
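- Original author: HuaHuaY
- Original link: https://www.huahuaorz.com/post/CTF%E6%A0%A1%E9%98%9F%E7%BB%83%E4%B9%A0/CTF%E6%A0%A1%E9%98%9F%E6%9A%91%E6%9C%9F%E7%BB%83%E4%B9%A02021.6.30/
- Copyright notice: This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License. For non-commercial reposting, credit the source (author and original link); for commercial reposting, contact the author for authorization.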