国外的CTF比赛,前面很简单,感觉很适合入门,地址:https://2018game.picoctf.com/

Forensics Warmup 1

压缩包解开就有

Forensics Warmup 2

反正我能直接打开emmm

General Warmup 1

进制转换,略…

General Warmup 2

进制转换,略…

General Warmup 3

进制转换,略…

Resources

视频下面有flag

Reversing Warmup 1

编辑器打开查找flag

Reversing Warmup 2

base64

Crypto Warmup 1

维吉尼亚密码

Crypto Warmup 2

rot13密码

grep 1

一样用编辑器打开找flag

net cat

nc一下喽

HEEEEEEERE’S Johnny!

通过passwd和shadow爆破密码,使用kali破解

1
2
3
root@kali:~/Desktop# unshadow passwd shadow > flag_passwd
root@kali:~/Desktop# john --wordlist=/usr/share/john/password.lst flag_passwd
root@kali:~/Desktop# john --show flag_passwd

参考:Kali Linux:使用John the Ripper破解密码

strings

strings一下,编辑器打开也找得到

pipe

payload
1
nc 2018shell2.picoctf.com 44310 >>1.txt

使用telnet也行,如果使用ssh会得到一个错误答案2333。

Inspect Me

留意页面提示,flag分别在index、js和css里

grep 2

payload
1
find /problems/grep-2_4_06c2058761f24267033e7ca6ff9d9144/files/.|xargs grep "picoCTF"

Aca-Shell-A

失败了n次,总算过了。。。

Payload
1
2
3
4
5
6
7
8
9
10
11
12
13
cd secret
ls
rm intel*
echo 'Drop it in!'
cd
cd executables
ls
./dontLookHere
whoami
cd
cp /tmp/TopSecret passwords
cd passwords
cat TopSecret

Client Side is Still Bad

源码js部分
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
function verify() {
   checkpass = document.getElementById("pass").value;
   split = 4;
   if (checkpass.substring(split*7, split*8) == '}') {
     if (checkpass.substring(split*6, split*7) == '17e9') {
       if (checkpass.substring(split*5, split*6) == 'd_91') {
        if (checkpass.substring(split*4, split*5) == 's_ba') {
         if (checkpass.substring(split*3, split*4) == 'nt_i') {
           if (checkpass.substring(split*2, split*3) == 'clie') {
             if (checkpass.substring(split, split*2) == 'CTF{') {
               if (checkpass.substring(0,split) == 'pico') {
                 alert("You got the flag!")
                 }
               }
             }
     
           }
         }
       }
     }
   }
   else {
     alert("Incorrect password");
   }
 }

Desrouleaux

最后一个问题没看懂,参考:https://medium.com/@anglee19/forensics-question-desrouleaux-solved-2a8b692d2425

Logon

打开代理,将admin=False改成admin=True

Reading Between the Eyes

Recovering From the Snap

用WinHex打开,可以看到在00009A00处有jpg的文件头,将前面的数据删除。

用bingwalk扫描发现多张图片,用foremost分离出来,flag在最后一张图里。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
root@kali:~/Desktop# binwalk animals.dd 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
30            0x1E            TIFF image data, big-endian, offset of first image directory: 8
632832        0x9A800         JPEG image data, JFIF standard 1.01
1126400       0x113000        JPEG image data, JFIF standard 1.01
1517568       0x172800        JPEG image data, JFIF standard 1.01
1773568       0x1B1000        JPEG image data, JFIF standard 1.01
1773598       0x1B101E        TIFF image data, big-endian, offset of first image directory: 8
2097152       0x200000        JPEG image data, JFIF standard 1.01
2097182       0x20001E        TIFF image data, big-endian, offset of first image directory: 8
2568192       0x273000        JPEG image data, JFIF standard 1.01
2568222       0x27301E        TIFF image data, big-endian, offset of first image directory: 8
2961408       0x2D3000        JPEG image data, JFIF standard 1.01
2961438       0x2D301E        TIFF image data, big-endian, offset of first image directory: 8

root@kali:~/Desktop# foremost animals.dd 
Processing: animals.dd
|*|
root@kali:~/Desktop#

admin panel

查找分组字节流

Mr. Robots

访问robots.txt文件