picoCTF2018 解题报告(部分)

初学CTF,发现了picoCTF这个网站,我也是边学习边写了这篇文章,如果有疏漏的地方,还请多多谅解,享受寻找FLAG的乐趣吧。

Forensics Warmup 1 - Points: 50

只需要解压,并根据图片中的内容提交flag


Flag:picoCTF{welcome_to_forensics}

Forensics Warmup 2 - Points: 50

图片即为flag


Flag:picoCTF{extensions_are_a_lie}

General Warmup 1 - Points: 50

0x41表示16进制的41,查ASCII表可知为‘A’
ASCII 维基百科
ASCII 百度百科

Flag:picoCTF{A}

General Warmup 2 - Points: 50

进制转换:十进制的27转换为二进制:11011
CTF在线工具-ASCII与进制转换
或者直接用win自带的计算器也可以

Flag:picoCTF{11011}

General Warmup 3 - Points: 50

进制转换:16进制的3D转换为十进制:61

Flag:picoCTF{61}

Resources - Points: 50

点击链接在跳转的页面底端即可找到flag
也可以直接Ctrl+F直接搜索picoCTF字样

Flag:picoCTF{xiexie_ni_lai_zheli}

Reversing Warmup 1 - Points: 50

由题可知,是一个ELF文件,跳转到该文件的目录下打开即可

Flag:picoCTF{welc0m3_t0_r3VeRs1nG}

Reversing Warmup 2 - Points: 50

将base64转换成ASCII码即可
这里提供一个在线转换的网站:
CTF在线工具-在线base64密码加解密

Flag:picoCTF{th4t_w4s_s1mpL3}

Crypto Warmup 1 - Points: 75

下载文件后,发现是一个密文和密钥的对应表,一一对应,即可找出明文


Flag:picoCTF{SECRETMESSAGE}

Crypto Warmup 2 - Points: 75

根据题目可知,此密文是根据rot13加密而成的,查了一下这种加密规则:ROT13
提供一个在线解密工具:CTF在线工具-在线Rot13密码加解密
对了这个解出来之后全是小写,记着把ctf变成大写

Flag:picoCTF{this_is_crypto!}

grep 1 - Points: 75

此题直接在shell中用grep命令即可,grep pico *file就是在file文件中查找pico字样

Flag:picoCTF{grep_and_you_will_find_c709fa94}

net cat - Points: 75

NetCat使用指南-简书
NC(netcat)被称为网络工具中的瑞士军刀,体积小巧,但功能强大。使用netcat工具连接到2018shell.picoctf.com at port 36356

$ nc 2018shell.picoctf.com 36356

Flag:picoCTF{NEtcat_iS_a_NEcESSiTy_9454f3e0}

HEEEEEEERE'S Johnny! - Points: 100

John the Ripper免费的开源软件,是一个快速的密码破解工具,用于在已知密文的情况下尝试破解出明文的破解密码软件,在Linux下使用以下命令即可解出账号密码
Kali Linux:使用John the Ripper破解密码

$ john shadow
$ nc 2018shell3.picoctf.com 42165
Username: root
Password: hellokitty 

Flag:picoCTF{J0hn_1$_R1pp3d_5f9a67aa}

strings - Points: 100

strings命令-Linux命令大全
此题使用strings filename|grep "keyword"即可

Flag:picoCTF{sTrIngS_sAVeS_Time_d7c8de6c}

pipe - Points: 110

此题是nc后使用一下grep即可。

~$ nc 2018shell.picoctf.com 48696|grep "picoCTF"                                                    

Flag:picoCTF{almost_like_mario_f617d1d7}

Inspect Me - Points: 125

此题我原本以为打开源代码就能找到FLAG了,后来发现只有1/3,最后乱闯乱转,发现两个自己写的cssjs文件,点进去之后就可以看到另外那2/3的FLAG

    <title>My First Website :)</title>
    <link href="https://fonts.googleapis.com/css?family=Open+Sans|Roboto" rel="stylesheet">
    <link rel="stylesheet" type="text/css" href="mycss.css">
    <script type="application/javascript" src="myjs.js"></script>
  </head>

Flag:picoCTF{ur_4_real_1nspect0r_g4dget_402b0bd3}

grep 2 - Points: 125

此题依然是考验对于grep用法的掌握

$ grep "picoCTF" . -r -n
./files7/file25:2:picoCTF{grep_r_and_you_will_find_24c911ab}

Flag picoCTF{grep_r_and_you_will_find_24c911ab}

Aca-Shell-A - Points: 150

此题主要考察对于Linux命令的使用
$ nc 2018shell.picoctf.com 42334
首先nc到这个地址:2018shell.picoctf.com 42334

Sweet! We have gotten access into the system but we aren't root.
It's some sort of restricted shell! I can't see what you are typing
but I can see your output. I'll be here to help you along.
If you need help, type "echo 'Help Me!'" and I'll see what I can do
There is not much time left!

似乎需要我们echo
$ echo 'Help Me!'

You got this! Have you looked for any  directories?

按照提示需要我们看一看目录下有什么
$ ls

blackmail                                                                                                                  
executables                                                                                                                
passwords                                                                                                                  
photos                                                                                                                     
secret

secret目录很吸引人
$ cd secret

Now we are cookin'! Take a look around there and tell me what you find!

那我们就看看目录下有什么文件
$ ls
Sabatoge them! Get rid of all their intel files!
要求我们删掉所有intel文件
$ rm intel*

Nice! Once they are all gone, I think I can drop you a file of an exploit!
Just type "echo 'Drop it in!' " and we can give it a whirl!

$ echo 'Drop it in!'

Drop it in!                                                                                                                
I placed a file in the executables folder as it looks like the only place we can execute from!
Run the script I wrote to have a little more impact on the system!

我们返回上一级目录,然后进入executables目录下,发现只有一个文件,我们打开它,发现开始输出很多16进制信息(我就不贴出来了),在最后一行发现了我们要的东西。
$ cd ..
$ cd executables
$ ./dontLookHere

Looking through the text above, I think I have found the password. I am just having trouble with a username.
Oh drats! They are onto us! We could get kicked out soon!
Quick! Print the username to the screen so we can close are backdoor and log into the account directly!
You have to find another way other than echo!

要求我们打印出用户名,但是不能用echo,这就很奇怪了
Linux用户和权限管理-掘金
搜索了一下,在这篇文章中发现了

whoami:显示当前用户的名称

$ whoami

l33th4x0r                                                                                                                  
Perfect! One second!
Okay, I think I have got what we are looking for. I just need to to copy the file to a place we can read.
Try copying the file called TopSecret in tmp directory into the passwords folder.

按照要求复制tmp文件夹下的TopSecret文件到passwords的目录下
$ cp /tmp/TopSecret ../passwords

Server shutdown in 10 seconds...                                                                                           
Quick! go read the file before we lose our connection!

有时间限制了,看来要抓紧了,打开TopSecret文件即可找到FLAG
$ cd ..
$ cd passwords
$ cat TopSecret

Major General John M. Schofield's graduation address to the graduating class of 1879 at West Point is as follows: The disci
pline which makes the soldiers of a free country reliable in battle is not to be gained by harsh or tyrannical treatment.On
 the contrary, such treatment is far more likely to destroy than to make an army.It is possible to impart instruction and g
ive commands in such a manner and such a tone of voice as to inspire in the soldier no feeling butan intense desire to obey
, while the opposite manner and tone of voice cannot fail to excite strong resentment and a desire to disobey.The one mode 
or other of dealing with subordinates springs from a corresponding spirit in the breast of the commander.He who feels the r
espect which is due to others, cannot fail to inspire in them respect for himself, while he who feels,and hence manifests d
isrespect towards others, especially his subordinates, cannot fail to inspire hatred against himself.                      
picoCTF{CrUsHeD_It_d6f202f1}                                                                                               

Flag picoCTF{CrUsHeD_It_d6f202f1}

Client Side is Still Bad - Points: 150

乍一看是一个登录页面,随便输入了一串数字,发现提示错误,于是我们打开源代码,发现了如下的片段

  function verify() {
    checkpass = document.getElementById("pass").value;
    split = 4;
    if (checkpass.substring(split*7, split*8) == '}') {
      if (checkpass.substring(split*6, split*7) == 'ebbd') {
        if (checkpass.substring(split*5, split*6) == 'd_d0') {
         if (checkpass.substring(split*4, split*5) == 's_ba') {
          if (checkpass.substring(split*3, split*4) == 'nt_i') {
            if (checkpass.substring(split*2, split*3) == 'clie') {
              if (checkpass.substring(split, split*2) == 'CTF{') {
                if (checkpass.substring(0,split) == 'pico') {
                  alert("You got the flag!")
                  }
                }
              }
      
            }
          }
        }
      }
    }
    else {
      alert("Incorrect password");
    }
  }

在if的条件中,就可以看到FLAG了

FlagpicoCTF{client_is_bad_d0ebbd}

Desrouleaux - Points: 150

You'll need to consult the file `incidents.json` to answer the following questions.                                        
                                                                                                                                                                                                                                                    
What is the most common source IP address? If there is more than one IP address that is the most common, you may give any o
f the most common ones. 

要求我们找出出现次数最多的source IP address
打开json文件后,"src_ip"中45.238.158.24出现了4次

45.238.158.24                                                                                                              
Correct!                                                                                                                   
                                                                                                                                                                                                                                                     
How many unique destination IP addresses were targeted by the source IP address 45.238.158.24?

问src_ip为45.238.158.24且dst_ip不重复的ticket出现了几次

3                                                                                                                          
Correct!                                                                                                                   
                                                                                                                                                                                                                                                     
What is the number of unique destination ips a file is sent, on average? Needs to be correct to 2 decimal places.

这个似乎有些麻烦,但我不会写python,且数据不多,所以手动统计了一下,顺便也提供一下从picoCTF-2018 解题报告-闲言语找来的python脚本

import json
j=json.load(open('incidents.json'))
tickets=j['tickets']
hashes=dict()
for t in tickets:
    if t['file_hash'] not in hashes.keys():
        hashes[t['file_hash']]=[t['dst_ip']]
    else:
        hashes[t['file_hash']].append(t['dst_ip'])
print (hashes)

然后算一下平均数即可

1.25                                                                                                                       
Correct!                                                                                                                   
                                                                                                                                                                                                                                                  
Great job. You've earned the flag: picoCTF{J4y_s0n_d3rUUUULo_c74e3495} 

Flag:picoCTF{J4y_s0n_d3rUUUULo_c74e3495}

Logon - Points: 150

当我浏览网页时,发现输入任何非admin的用户名和密码都可以成功登录,但是网站只显示

Success: You logged in! Not sure you'll be able to see the flag though.
No flag for you

按照提示,我又使用admin的用户名登录,始终显示

I'm sorry the admin password is super secure. You're not getting in that way.

重新用非admin账号登录成功后,当我使用EditThisCookie时,发现了一个bug,admin的值是False,遂改为True,即可找到FLAG

Flag: picoCTF{l0g1ns_ar3nt_r34l_a280e12c}

Reading Between the Eyes - Points: 150

这题的信息隐藏在 RGB 三个通道的最低位中,借助 Stegsolve-->Analyse-->Data Extract 可以指定通道进行提取。Stegsolve.jar
也可以通过在线网站解决:Steganography Online

FlagpicoCTF{r34d1ng_b37w33n_7h3_by73s}

Recovering From the Snap - Points: 150

收到一个.dd结尾的文件,我们猜想有可能需要分离,用binwalk查看发现有多个文件,用foremost分离后得到8张照片,00005861.jpg即为FLAG
binwalk animals.dd

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
39424         0x9A00          JPEG image data, JFIF standard 1.01
39454         0x9A1E          TIFF image data, big-endian, offset of first image directory: 8
672256        0xA4200         JPEG image data, JFIF standard 1.01
1165824       0x11CA00        JPEG image data, JFIF standard 1.01
1556992       0x17C200        JPEG image data, JFIF standard 1.01
1812992       0x1BAA00        JPEG image data, JFIF standard 1.01
1813022       0x1BAA1E        TIFF image data, big-endian, offset of first image directory: 8
2136576       0x209A00        JPEG image data, JFIF standard 1.01
2136606       0x209A1E        TIFF image data, big-endian, offset of first image directory: 8
2607616       0x27CA00        JPEG image data, JFIF standard 1.01
2607646       0x27CA1E        TIFF image data, big-endian, offset of first image directory: 8
3000832       0x2DCA00        JPEG image data, JFIF standard 1.01
3000862       0x2DCA1E        TIFF image data, big-endian, offset of first image directory: 8

foremost animal.dd

Flag:picoCTF{th3_5n4p_happ3n3d}

admin panel - Points: 150

此题是一道流量分析,题目中有关于登录的提示
首先可以用strings data.pacp|grep picoCTF
可以直接查到以下的内容
user=admin&password=picoCTF{n0ts3cur3_13597b43}
也可以使用WireShark,在tcp.stream 5可以看到password username

POST /login HTTP/1.1
Host: 192.168.3.128
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.3.128/
Content-Type: application/x-www-form-urlencoded
Content-Length: 53
Connection: keep-alive
Upgrade-Insecure-Requests: 1

user=admin&password=picoCTF{n0ts3cur3_13597b43}
最后编辑于
©著作权归作者所有,转载或内容合作请联系作者
  • 序言:七十年代末,一起剥皮案震惊了整个滨河市,随后出现的几起案子,更是在滨河造成了极大的恐慌,老刑警刘岩,带你破解...
    沈念sama阅读 204,445评论 6 478
  • 序言:滨河连续发生了三起死亡事件,死亡现场离奇诡异,居然都是意外死亡,警方通过查阅死者的电脑和手机,发现死者居然都...
    沈念sama阅读 85,889评论 2 381
  • 文/潘晓璐 我一进店门,熙熙楼的掌柜王于贵愁眉苦脸地迎上来,“玉大人,你说我怎么就摊上这事。” “怎么了?”我有些...
    开封第一讲书人阅读 151,047评论 0 337
  • 文/不坏的土叔 我叫张陵,是天一观的道长。 经常有香客问我,道长,这世上最难降的妖魔是什么? 我笑而不...
    开封第一讲书人阅读 54,760评论 1 276
  • 正文 为了忘掉前任,我火速办了婚礼,结果婚礼上,老公的妹妹穿的比我还像新娘。我一直安慰自己,他们只是感情好,可当我...
    茶点故事阅读 63,745评论 5 367
  • 文/花漫 我一把揭开白布。 她就那样静静地躺着,像睡着了一般。 火红的嫁衣衬着肌肤如雪。 梳的纹丝不乱的头发上,一...
    开封第一讲书人阅读 48,638评论 1 281
  • 那天,我揣着相机与录音,去河边找鬼。 笑死,一个胖子当着我的面吹牛,可吹牛的内容都是我干的。 我是一名探鬼主播,决...
    沈念sama阅读 38,011评论 3 398
  • 文/苍兰香墨 我猛地睁开眼,长吁一口气:“原来是场噩梦啊……” “哼!你这毒妇竟也来了?” 一声冷哼从身侧响起,我...
    开封第一讲书人阅读 36,669评论 0 258
  • 序言:老挝万荣一对情侣失踪,失踪者是张志新(化名)和其女友刘颖,没想到半个月后,有当地人在树林里发现了一具尸体,经...
    沈念sama阅读 40,923评论 1 299
  • 正文 独居荒郊野岭守林人离奇死亡,尸身上长有42处带血的脓包…… 初始之章·张勋 以下内容为张勋视角 年9月15日...
    茶点故事阅读 35,655评论 2 321
  • 正文 我和宋清朗相恋三年,在试婚纱的时候发现自己被绿了。 大学时的朋友给我发了我未婚夫和他白月光在一起吃饭的照片。...
    茶点故事阅读 37,740评论 1 330
  • 序言:一个原本活蹦乱跳的男人离奇死亡,死状恐怖,灵堂内的尸体忽然破棺而出,到底是诈尸还是另有隐情,我是刑警宁泽,带...
    沈念sama阅读 33,406评论 4 320
  • 正文 年R本政府宣布,位于F岛的核电站,受9级特大地震影响,放射性物质发生泄漏。R本人自食恶果不足惜,却给世界环境...
    茶点故事阅读 38,995评论 3 307
  • 文/蒙蒙 一、第九天 我趴在偏房一处隐蔽的房顶上张望。 院中可真热闹,春花似锦、人声如沸。这庄子的主人今日做“春日...
    开封第一讲书人阅读 29,961评论 0 19
  • 文/苍兰香墨 我抬头看了看天上的太阳。三九已至,却和暖如春,着一层夹袄步出监牢的瞬间,已是汗流浃背。 一阵脚步声响...
    开封第一讲书人阅读 31,197评论 1 260
  • 我被黑心中介骗来泰国打工, 没想到刚下飞机就差点儿被人妖公主榨干…… 1. 我叫王不留,地道东北人。 一个月前我还...
    沈念sama阅读 45,023评论 2 350
  • 正文 我出身青楼,却偏偏与公主长得像,于是被迫代替她去往敌国和亲。 传闻我的和亲对象是个残疾皇子,可洞房花烛夜当晚...
    茶点故事阅读 42,483评论 2 342

推荐阅读更多精彩内容

  • 取证类题目 在CTF中,取证赛题包括了文件分析、隐写、内存镜像分析和流量抓包分析。任何要求检查一个静态数据文件(与...
    查无此人asdasd阅读 1,329评论 0 2
  • 前言 最先接触编程的知识是在大学里面,大学里面学了一些基础的知识,c语言,java语言,单片机的汇编语言等;大学毕...
    oceanfive阅读 3,040评论 0 7
  • 题目链接:https://cgctf.nuptsast.com/challenges#Web 签到题 查看网页源...
    a2dd56f6ad89阅读 8,212评论 0 2
  • 首先,简单的描述一下何为java,java是一种程序设计语言,再者,何为程序设计语言,程序设计语言是我们使用计算机...
    大海_2545阅读 187评论 0 1
  • 人总是这样,处于眼下,观望未来,时不时的回忆过去。看到一些老照片,突然想念黄老师了,高二相识,高三毕业离开后便再没...
    l伊沁阅读 239评论 0 3