
Tag: CTF-Web

CTF question type – Web.

[HITCON]Are you rich 1/2 – 150pts

Solution: After getting an address by using this link, we found that the BTC balance is always zero. So we guessed that there are valid BTC addresses or a flag inside their database. To list all the records and try submitting every address in their database, we wrote this script.

After that, we found that every address in their database contains 0 BTC. That means we have to find an address that has more than 5 BTC. Finally I found this website, which lists the top 100 richest bitcoin addresses. Since the website does not accept an address that is not in its database, we can make a fake result to bypass this limit.

hitcon{4r3_y0u_r1ch?ju57_buy_7h3_fl4g!!}
hitcon{u51n6_07h3r_6uy5_b17c0n_70_byp455_ch3ck1n6_15_fun!!}


[H4CK1T]Fucking russian programmers – 100pts

Description: The program has gone crazy and outputs completely unbalanced answers 🙁 Help to correct the error and send the correct data until they not obsolete… http://91.231.84.36:9200/ h4ck1t{}

Solution: Open the web page and we can see it. The main point is here:

If it gives you ])[[ , the answer should be []()[][] , ([])[[]] or [(])[][]. So you need to automatically complete each bracket that has been opened or closed. The most difficult point is how to know whether a ([{ has been closed. So I wrote a loop that checks whether it has been closed and puts a "/" before the ([{ and )]}; when the add function runs, it skips adding when there is a "/" before the ([{. )]} is handled the same way. It took some time to write the Java code:

Back on the web page, we put the question into the script, and finally we got the flag.


[H4CK1T]Mexico – Remote pentest – 150pts

Description: EN: Our foreign partners have some problems with qualified staff in the field of information technology, we decided to help them and to conduct remote testing of their new website. Your task is to find a hole in the system and grab some information to confirm the hack. Good luck! http://91.231.84.36:9150/ h4ck1t{}

Solution: After connecting to the site, we found three links in index.php:

index.php?page=about
index.php?page=services
index.php?page=contact

This design puts the value of page into a parameter and then includes that page, so we can try

http://91.231.84.36:9150/index.php?page=data:text/plaintext,

Sure enough, there is a code execution vulnerability, so we can start playing with it freely. My first step was to get the page's source code:

http://91.231.84.36:9150/index.php?page=data:text/plaintext,

The logic turned out to be about what I had expected at first, but there was still no flag. So let's try listing all the files in the directory:

http://91.231.84.36:9150/index.php?page=data:text/plaintext,

That gives the flag:

http://91.231.84.36:9150/sup3r_$3cr3t_f1le.php

 


[IceCTF]Exposed! – 60pt

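Question: John is pretty happy with himself, he just made his first website! He used all the hip and cool systems, like NginX, PHP and Git! Everyone is so happy for him, but can you get him to give you the flag?

Solution: This is the only challenge that was very simple and yet had me racking my brain; I can only blame my own lack of experience. On entering the site, there is a plain HTML page that says Hello World! There is nothing to exploit at all.

At this point I read the challenge text again and noticed that the site is built with Nginx, so there should be a robots.txt, right? I checked, and there really is one! And there is a file called flag.php! However, visiting it turned out to be of no use.

So we had to approach it from the git side. On closer inspection, /.git did not have its permissions set properly! So I immediately cloned the whole repository.

First, let's see what flag.php is. It turns out that this page reads flag.txt from its own directory and prints it on the page. But the directory I had just cloned has no flag.txt? Time to look at the log. It turns out that flag.txt is missing because it was removed. All that is left to do is restore flag.txt.

When I happily went to submit it, it was wrong. Looking closely, I realized that the author was mocking me, so I had no choice but to try them one by one. Mocked again. Finally, on the fifth try, I got the flag.

IceCTF{secure_y0ur_g1t_repos_pe0ple}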


[IceCTF]Toke – 45pt

Question: I have a feeling they were pretty high when they made this website…

Solution: After entering the site, I found nothing exploitable in the login form, so I registered an account to take a look. After logging in, the page looks like the following. On analysis, the site sets 2 cookies:

jwt_token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJmbGFnIjoiSWNlQ1RGe2pXN190MEszbnNfNFJlX25PX3AxNENFX2ZPUl81M0NyRTdTfSIsInVzZXIiOiJibGFja3RyIn0.iBGoz4McIobEU5y3NHJa5b6AJwsZrdoquA8XmsWnL74

session: eyJ1c2VyIjoxODgzfQ.CpMTpA.8LVkhNz-nWm8A1tZSXZkEYKL4l8

I first tried base64-decoding their values:

session: {"user":1883}. followed by unprintable bytes

jwt_token: {"alg":"HS256","typ":"JWT"}.{"flag":"IceCTF{jW7_t0K3ns_4Re_nO_p14CE_fOR_53CrE7S}","user":"blacktr"}. followed by unprintable bytes

And the answer came right out. Very simple.
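The decoding step above, as an added example that is not part of the original post: the header and claims of an HS256 token are only base64url-encoded JSON, so anyone holding the cookie can read them without the signing key. The `SUSPICIOUS` name list and the function names are hypothetical, chosen here to show how a review could flag such claims.

```python
import base64
import json

# Cookie values exactly as quoted in the write-up above.
JWT_COOKIE = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJmbGFnIjoiSWNlQ1RGe2pXN190MEszbnNfNFJlX25PX3AxNENFX2ZPUl81M0NyRTdTfSIsInVzZXIiOiJibGFja3RyIn0."
    "iBGoz4McIobEU5y3NHJa5b6AJwsZrdoquA8XmsWnL74"
)
SESSION_COOKIE = "eyJ1c2VyIjoxODgzfQ.CpMTpA.8LVkhNz-nWm8A1tZSXZkEYKL4l8"

# Hypothetical audit list: claim names that should never travel in a token.
SUSPICIOUS = ("flag", "secret", "password", "key", "token")


def b64url_json(segment):
    """Decode one base64url segment (padding restored) into a JSON object."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def read_jwt(token):
    """Return (header, claims); no key is needed because nothing is encrypted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    return b64url_json(parts[0]), b64url_json(parts[1])


def secret_like_claims(claims):
    """Claim names a review should flag as readable by every token holder."""
    return sorted(k for k in claims if any(s in k.lower() for s in SUSPICIOUS))


def session_payload(cookie):
    """First segment of the session cookie; the other two are not JSON."""
    return b64url_json(cookie.split(".")[0])


if __name__ == "__main__":
    header, claims = read_jwt(JWT_COOKIE)
    print(header, claims, secret_like_claims(claims))
    print(session_payload(SESSION_COOKIE))
```

The signature only protects integrity: it stops a client from changing `user`, but it does nothing to hide `flag`.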


[IceCTF]Flag Storage – 50pt

Question: What a cheat, I was promised a flag and I can't even login. Can you get in for me? flagstorage.vuln.icec.tf. They seem to hash their passwords, but I think the problem is somehow related to this.

Solution: The hint points to SQL injection, so just try it directly:

'or 1=1 --

IceCTF{why_would_you_even_do_anything_client_side}


[IceCTF2016]Move Along – 30pt

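Question: http://move-along.vuln.icec.tf/

Solution: After entering, the page source shows only one directory, which contains an image. So we go and look at that directory, and find that there is another directory, in which we find an image.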


[IceCTF2016]Spotlight – 10pt

Question: http://spotlight.vuln.icec.tf/

Solution: After entering, the spotlight follows the mouse as it moves, so go straight to view source; there is a JS file, so look at it right away.


[IceCTF2016]Miners! – 65pt

Question: The miners website has been working on adding a login portal so that all miners can get the flag, but they haven't made any accounts! However, your boss demands the flag now! Can you get in anyway? miners.vuln.icec.tf

Solution: This page is a login page, and the source code is provided. It would be an ordinary SQL injection challenge, except that the challenge states there are no records in their database, so we have to forge a row ourselves. The source shows that the database has at least 2 columns, username and password, which gives the following SQL query:

blacktr' and 1=0 UNION SELECT 'blacktr','blacktr' --

But the login still failed, so I started guessing how many columns there are, adding them one at a time:

blacktr' and 1=0 UNION SELECT 'blacktr','blacktr','blacktr' --

With good luck, it worked.

IceCTF{the_miners_union_is_a_strong_one}
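The login flaw behind both Flag Storage and Miners!, beside its fix, as an added example that is not code from the challenges or from the original posts. It assumes an in-memory SQLite table with a hypothetical three-column schema (the write-up only establishes that three columns worked) and a login check that accepts any returned row.

```python
import sqlite3


def make_db():
    """Empty users table, as in Miners!: no account exists (schema is assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    return db


def login_vulnerable(db, username, password):
    """Concatenates input into the SQL text; any returned row counts as a login."""
    query = ("SELECT * FROM users WHERE username='" + username +
             "' AND password='" + password + "'")
    try:
        return db.execute(query).fetchone() is not None
    except sqlite3.Error:
        return False  # e.g. UNION with the wrong number of columns


def login_parameterized(db, username, password):
    """Same check with bound parameters: input stays data, never SQL text."""
    row = db.execute(
        "SELECT * FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row is not None


# Inputs quoted in the two write-ups above.
TAUTOLOGY = "'or 1=1 -- "
UNION_2 = "blacktr' and 1=0 UNION SELECT 'blacktr','blacktr' -- "
UNION_3 = "blacktr' and 1=0 UNION SELECT 'blacktr','blacktr','blacktr' -- "

if __name__ == "__main__":
    db = make_db()
    for name in (TAUTOLOGY, UNION_2, UNION_3):
        print(repr(name), login_vulnerable(db, name, "x"),
              login_parameterized(db, name, "x"))
```

On the empty table the tautology returns no row, which is why the Miners! write-up has to forge one with UNION; the two-column attempt fails on the column-count mismatch, and the parameterized version rejects all three inputs.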


[IceCTF2016]Kitty – 70pt

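Question: They managed to secure their website this time and moved the hashing to the server :(. We managed to leak this hash of the admin's password though! c7e83c01ed3ef54812673569b2d79c4e1f6554ffeb27706e98c067de9ab12d1a. Can you get the flag? kitty.vuln.icec.tf

Solution: The challenge gives a URL and a sha256 hash string, so first open the page and look at the source. The password turns out to follow a fixed format, for example something like Aa00%, so we can simply write a program that enumerates every possibility, which gives the following algorithm:

Result of running it: solved in a little over 1 second.

Then take the password and log in on the web page.

IceCTF{i_guess_hashing_isnt_everything_in_this_world}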
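Why a fixed password format makes an unsalted SHA-256 hash recoverable in about a second, as an added example that is not the author's script (which is not on this page). It assumes the "Aa00%" format means uppercase, lowercase, digit, digit, symbol with `string.punctuation` as the symbol set, and it runs against a constructed sample password rather than the challenge hash.

```python
import hashlib
import itertools
import string

# Assumed reading of the "Aa00%" format: one alphabet per position.
POSITIONS = (string.ascii_uppercase, string.ascii_lowercase,
             string.digits, string.digits, string.punctuation)

# Constructed sample, not the challenge's password or hash.
SAMPLE_PASSWORD = "Cb07!"
SAMPLE_HASH = hashlib.sha256(SAMPLE_PASSWORD.encode()).hexdigest()


def keyspace(positions=POSITIONS):
    """Number of passwords the format allows (product of alphabet sizes)."""
    total = 1
    for alphabet in positions:
        total *= len(alphabet)
    return total


def free_keyspace(length=5):
    """Same length with any of the 94 printable non-space ASCII characters."""
    return 94 ** length


def recover(target_hex, positions=POSITIONS):
    """Exhaust the format; returns the matching password or None."""
    target = bytes.fromhex(target_hex)
    for chars in itertools.product(*positions):
        candidate = "".join(chars)
        if hashlib.sha256(candidate.encode()).digest() == target:
            return candidate
    return None


if __name__ == "__main__":
    print("format keyspace:", keyspace())
    print("unconstrained 5-char keyspace:", free_keyspace())
    print("recovered:", recover(SAMPLE_HASH))
```

A per-user salt would not help here, since the format leaves only about two million candidates; a deliberately slow password hash and a longer, unconstrained password are what raise the cost.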
