CTF题目 July. 8th 2021

vault-door-1

This vault uses some complicated arrays! I hope you can make sense of it, special agent. The source code for this vault is here: VaultDoor1.java

Hint: Look up the charAt() method online.

下载下来一个.java文件:VaultDoor1.java

把checkPassword中字符按charAt排好序,得到flag。

Insp3ct0r

Kishor Balan tipped us off that the following code may need inspection:

https://jupiter.challenges.picoctf.org/problem/44924/ (link) or http://jupiter.challenges.picoctf.org:44924

Hint1: How do you inspect web code on a browser?

Hint2: There’s 3 parts

flag被分成三段。

  1. 第一段在检查元素里。
  2. 第一段在css文件里。
  3. 第二段在js文件里。

fd

Mommy! what is a file descriptor in Linux?

ssh [email protected] -p2222 (pw:guest)

The flag IS NOT in the regular format

ssh连进去,ls后显示三个文件:fd、fd.c、flag。

cat flag无权限。cat fd.c查看fd的源码。

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
char buf[32];
int main(int argc, char* argv[], char* envp[]){
        if(argc<2){
                printf("pass argv[1] a number\n");
                return 0;
        }
        int fd = atoi( argv[1] ) - 0x1234;
        int len = 0;
        len = read(fd, buf, 32);
        if(!strcmp("LETMEWIN\n", buf)){
                printf("good job :)\n");
                system("/bin/cat flag");
                exit(0);
        }
        printf("learn about Linux file IO\n");
        return 0;

}

只要能让buf的值为LETMEWIN\n即可拿到flag。

buf内容是从文件描述符fd对应的文件中读取的,就让fd为0,就能从输入读了。

所以运行./fd 4660,输入LENMEWIN。其中4660是0x1234的十进制表示。

传回来两行:

good job :)
mommy! I think I know what a file descriptor is!!

第二行即为flag。