No Hack No CTF 2024 - write-up hsuan0223x's

Misc#

Blog 2#

貼文翻一翻會看到討論區

點進去會看到這個

進去 cyber-user-meow 就有 Flag 了

Where is this#

圖片放大可以看到

把店名丟到 google map 找找經緯度就有 flag 了

NHNC, but C0LoRfUl#

進去以後，看看東西，有身分組可以玩，把自己加上 staff

然後發現了flag頻道，也有發現base64編碼的flag

Forensics#

MagicButton#

apktools 解出來 assets/Lemontea.json裡就有flag

Crypto#

AES?#

1
Enter IV: 1234567890987654
2
Secret Key: 1234567890987654
3
output: TkdU8sqjliuakA+nj2aEmbDf+AaJwASfPuooaKadCqg=

直接餵隨便一個 AES 解密網站

Secret ROT13#

solved scripts:

1
def decrypt(encrypted_text, key):
2
    decrypted_text = ""
3
    for i, char in enumerate(encrypted_text):
4
        offset = ((i + 1 + key) * (i + 1)) % 26
5
        if 'A' <= char <= 'Z':
6
            new_char = chr((ord(char) - ord('A') - offset) % 26 + ord('A'))
7
        elif 'a' <= char <= 'z':
8
            new_char = chr((ord(char) - ord('a') - offset) % 26 + ord('a'))
9
        else:
10
            new_char = char
11
        decrypted_text += new_char
12
    return decrypted_text
13

14
key = 7
15
ciphertext = "VZRU{Y0k_yd0w_Z0o_ti_rsslyxli}"
16
plaintext = decrypt(ciphertext, key)
17
print("解密後的明文:", plaintext)

Web#

哥布林保衞部公告#

F12按下去翻一翻

EASY METHOD#

要送出 PUT requests 用 kali 然後打上　curl -X PUT http://23.146.248.227:60001/

I need to get the C00kies#

一進去看到有東西可以點，點看看

OK，我們不是 admin

之後按 F12 > Application > cookie 更改掉參數就會噴Flag了

SQL inject ‘or’1’=‘1

1 line php#

source code:

1
<?php system('# '.$_GET['cmd']); highlight_file('index.php'); ?>

一般來說，不管cmd帶什麼參數都會被#字號吃掉，所以要設法繞過這個限制 # 在 php 中代表單行註解 所以我們可以嘗試利用換行去繞過之後試一試發現 %0A 是關鍵，在URL編碼中代表著換行所以我們可以逐步地去追蹤根目錄然後找到flag了

Democracy#

按下去按鈕，發現跳轉順序是 index > next.html > rickroll(youtube) 所以可以利用 burp 去抓包，然後看到了神奇的東西

把它解密就有Flag了

Reverse#

easyyyyyyyyyy#

打開靜態分析工具，看到flag函式中的內容就是flag了

Here’s the sauce#

solve script:

1
#include <stdio.h>
2
#include <stdlib.h>
3

4
// 已知的密文
5
unsigned char encrypted[16] = {144, 235, 117, 99, 28, 117, 208, 251, 96, 9, 0, 118, 144, 77, 204, 222};
6
unsigned char flag[16];
7

8
unsigned int f() {
9
    unsigned int a = 0x001337AA;
10
    unsigned int b = 0xFF133700;
11
    unsigned int c = 0xAA1337FF;
12
    unsigned int d = 0xCC1337D5;
13
    return (a & b & c & d);
14
}
15

16
int main() {
17
    // 計算相同的種子
18
    unsigned int seed = f() >> 8;
19
    printf("Seed value: 0x%x\n", seed);
20

21
    // 設定相同的隨機種子
22
    srand(seed);
23

24
    // 解密過程
25
    printf("Decrypted flag: ");
26
    for(int i = 0; i < 16; i++) {
27
        // 生成相同的隨機數
28
        unsigned char rand_val = rand() % 0xff;
29
        // 解密：密文與隨機數做異或運算
30
        flag[i] = encrypted[i] ^ rand_val;
31
        printf("%c", flag[i]);
32
    }
33
    printf("\n");
34

35
    // 以十六進制顯示
36
    printf("\nHex values:\n");
37
    for(int i = 0; i < 16; i++) {
38
        printf("0x%02x ", flag[i]);
39
    }
40
    printf("\n");
41

42
    return 0;
43
}

Pwn#

Grading system#

看 source code

1
#include <stdio.h>
2
#include <stdlib.h>
3
#include <string.h>
4

5
void spawn_shell() {
6
  system("/bin/sh");
7
  return;
8
}
9

10

11
int main() {
12
  unsigned int *score;
13
  unsigned int index, length, value, number_of_students, i, is_admin = 1234;
14
  size_t size_of_array;
15
  char opcode;
16

17
  setvbuf(stdin, 0, _IONBF, 0);
18
  setvbuf(stdout, 0, _IONBF, 0);
19

20
  puts("Online grading system - management interface");
21
  printf("Number of students: ");
22
  scanf("%u", &number_of_students);
23
  puts("Notice: values must NOT be negative!");
24

25
  size_of_array = number_of_students * sizeof(unsigned int);
26

27
  score = alloca(size_of_array);
28
  memset(score, 0, size_of_array);
29

30
  while (1) {
31
    puts("Options:");
32
    puts("    (V)iew grade of a student");
33
    puts("    (D)ump grades of specific range");
34
    puts("    (K)ey in grade of a student");
35
    puts("    (Q)uit the system");
36

37
    printf("Your choice: ");
38
    scanf(" %c", &opcode);
39
    switch (opcode) {
40
    case 'V':
41
      printf("seat_number: ");
42
      scanf("%u", &index);
43
      printf("score = %u\n", score[index + 1]);
44
      break;
45
    case 'D':
46
      printf("seat_number,length: ");
47
      scanf("%u,%u", &index, &length);
48
      for (i = index;i < index + length; i++) {
49
        printf("%u\n", score[i + 1]);
50
      }
51
      break;
52
    case 'K':
53
      printf("seat_number,score: ");
54
      scanf("%u,%u", &index, &value);
55
      score[index + 1] = value;
56
      break;
57
    case 'Q':
58
      puts("Exiting...");
59
      return 0;
60
    /* Spawn a shell, for developers only */
61
    case 'S':
62
      if (is_admin) {
63
        spawn_shell();
64
        break;
65
      } else {
66
        puts("Contact admin if you a bug occurred");
67
        break;
68
      }
69
    default:
70
      puts("Invalid operation, ignored");
71
      break;
72
    }
73
  }
74
}

我們座號可以輸入1234 代表admin 然後選單輸入S 就可以Get shell

DOF#

~~手動輸入 payload 讚~~

心得#

這次原本想說抱著輕鬆的心情打，結果不太對勁 www 怎麼大家都這麼強，好像自己也要認真一下最後打成這樣ㄌ