# BxMCTF2023 - Writeup

[TOC]

## Rank

Solved five challenges in the end, finishing somewhere in the 300s.

![](https://hackmd.io/_uploads/ByPOwC9U3.png)

## General

### Survey

Just submit the survey XD. Took the chance to complain about crypto (not really).

### Welcome to BxMCTF!

Right... and I stared at this one for ages...... Overthought it XD, just type it in directly.

## Bin

### Banking Issues

Thanks, Python.

hint: an index problem, negative indexing

#### Solution

The challenge program:

```python
#!/usr/local/bin/python
import os

balances = [10, 20, 50, 16, 29, 52, 100000]
PERMS_ADMIN = { "MAX_INDEX": len(balances) - 1 }
PERMS_AGENT = { "MAX_INDEX": len(balances) - 2 }

def main():
    perms = PERMS_AGENT
    wallet = 0
    idx = int(input("Which account would you like to withdraw from? "))
    # only the upper bound is checked; the lower bound is never enforced
    if idx > perms["MAX_INDEX"]:
        print("Unauthorized")
        return
    wallet += balances[idx]
    balances[idx] = 0
    print(f"You now have ${wallet} in your wallet.\n")
    if wallet >= 100000:
        print("Thanks for storing a lot of $$ at our bank.")
        print("You qualify for free wealth management services.")
        print(f"To access this service, please email {os.getenv('FLAG')}@bxmctf.bank.\n")
    print("Thank you for banking with BxMCTF Bank.")

if __name__ == "__main__":
    main()
```

1. First, `os.getenv('FLAG')` is the flag we want, so we need some way to make `wallet >= 100000`.
2. Looking upward we find the line `wallet += balances[idx]`, so we look at `balances[]`; it is declared above as `balances = [10, 20, 50, 16, 29, 52, 100000]`, so the `idx` that satisfies the condition should be 6.
3. However, the permission sets `PERMS_ADMIN` and `PERMS_AGENT` cap the index, and since the program uses `PERMS_AGENT`, `MAX_INDEX` is 5; `idx` cannot be greater than `perms["MAX_INDEX"]`.
4. But Python supports negative indexing: `str[-1]` returns the last element, so entering -1 gets the flag.

## Web

### Blank Space - I mean Page

hint: robots

### Repository Security

hint: source code!!

#### Solution

An `index.py` or `app.py` written in Python usually serves as the application's main entry point and control center, as in the images below:

![](https://hackmd.io/_uploads/H1ZpxaSU3.png)

![](https://hackmd.io/_uploads/S1Mmx6BUh.png)

#### Rant:

Ugh, the local credentials weren't these at all, which cost me ages QQ

# Afterword

After reading other people's write-ups, Cry left me speechless......

## Cry

### I Can't Beelieve It

A file named `poemtry.txt` with the following contents:

```
Kings and queens, their roles well-defined,
Nectar they gather, nature's sweetest find.
Opulent honeycombs, a golden treasure,
We marvel at their intricate measure.
Nurturing their young, a family affair,
Ending our exposition here, beware.
Cautiously, bees buzz through the air,
Together they work, a hive to share.
Flowers they find, a vital mission,
And in their flight, a colorful rendition.
Life in motion, nature's great ballet,
Let's explore the world of the Bee Movie today!
```

And the answer is:

```
ctf{allknown}
```

(The first letter of each line spells KNOWNECTFALL; the E of "Ending our exposition here" is the one letter left out of the flag.)

So dumb, I kept entering allknowne...... terrible.

## for

### Selfie

When checking with exiftool, the License field looks odd; decode that string with base64.

Cried.

### Street View

exiftool shows a Latitude and a Longitude; put them into Google Maps to get the location, and checking the owner of the building gives the domain name.

Not that simple.

## Web

### New Website

Use `dig` to query the site's DNS records, in particular the TXT record; open it and the flag is there.

```bash
dig bxmgen2.jonathanw.dev TXT
```
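#### Added note on Banking Issues

Back to the Banking Issues bug: the block below is an added example, not the challenge's or the writeup author's code, and shows the upper-bound-only check beside a hardened two-sided check; the function names and the `compare` helper are constructed for illustration.

```python
# Added example for the "Banking Issues" section (not the challenge's own code):
# the agent permission check as written, beside a hardened version.
# Function names and the sample perms/balances below are constructed for illustration.

balances = [10, 20, 50, 16, 29, 52, 100000]
PERMS_AGENT = {"MAX_INDEX": len(balances) - 2}  # agent may touch indices 0..5


def vulnerable_lookup(idx, balances, perms):
    """Upper-bound-only check, as in the challenge.

    A negative idx is never greater than MAX_INDEX, so it passes the check,
    and Python's negative indexing then reads from the end of the list.
    Returns the balance read, or None when the check rejects idx.
    """
    if idx > perms["MAX_INDEX"]:
        return None
    return balances[idx]


def hardened_lookup(idx, balances, perms):
    """Two-sided check: idx must be a real int within 0..MAX_INDEX.

    `type(idx) is int` also rejects bool, which isinstance() would accept.
    """
    if type(idx) is not int or not (0 <= idx <= perms["MAX_INDEX"]):
        return None
    return balances[idx]


def compare(idx):
    """Return (vulnerable_result, hardened_result) for one requested index."""
    return (vulnerable_lookup(idx, balances, PERMS_AGENT),
            hardened_lookup(idx, balances, PERMS_AGENT))


if __name__ == "__main__":
    # 5 is allowed by both; 6 is rejected by both; -1 and -7 slip past
    # the original check only, reading the last and first account.
    for idx in (5, 6, -1, -7):
        print(idx, compare(idx))
```

The fix is simply to check both bounds: the original check only asks whether `idx` is too large, never whether it is negative.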