Press "Enter" to skip to content

[HKUSpaceCTF] Official Web Write-up

Web

Sanity Check - 25

Easy Black Flag (index page) - 50

The wired JavaScript can decrypt by

https://tool.lu/js/

After decrypt, we got:

You can paste this to the chrome console and call getFlag_10571305(), you will get the flag.

C00k13s 4 you - 50

NotHere - 50

Web3 - 75

View source, you will find that the website contains one image.
Access the folder of that image.
And you will find that there has an image which named dnRjdGZ7ZjB.jpg. This is the flag image.

m4TH - 100

All you need to do is answer the question 100 times. After that the website will give you the flag.

L0gic4l - 125

Hint:Oh forgot to say, backup is very important, so i zipped my website and put it in everywhere~

based on the hint, you may guess the whole website are zipped with name web125.zip in root of the website.

After have some review on the code, you may found that it use == to compare two md5 hash. So, based on the weak comparison  on php, we can use 240610708 and QNKCDZO as the password and super-secure-password.

Rough - 150

Just brute force the 4 digital number.

Null - 200

Just use union select to make a fake row to bypass the authentication.

Simple PHP Jail - 500

View source, you will find that

So, you can view the source code here: http://web1.polyu.work/spaceCTF/web300/terminal.php?code

You will found that the source will receive variable cmd and use as parameter of eval function. But the filter has filtered php tag.
But you can use But the filter has filtered ../ or / or /. So what should we do if we want to get the directory?
Here we can convert our payload to hex, and convert back to bypass the filter.
For example:

So, We can do this:

Output:

Output:

Comments

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *