# FHSH X AIS3 CTF 2024

> team -- 忘記帶鼻子的小丑
> member -- ykc.17, qwerty

# Record

![image](https://hackmd.io/_uploads/ByHpYET8C.png)

![image](https://hackmd.io/_uploads/SJqqKVa8C.png)

# Writeup

## FORENSICS

### MitM Attacker (MitM 攻擊者)

Open the capture in Wireshark and look for the entry that stands out most from the rest.

![image](https://hackmd.io/_uploads/H1hMW5dSA.png)

`fhsfctf{w1ll_a1w4y5_pr3v4il}`

---

### Hex Dumb Dumb

https://hexed.it/

Open the file in a hex editor. The flag is at the very end (tilt your head to read it).

`FhCTF{H3xdump_n33d_m0r3_S3CUR3}`

## WEB

### The Traveler Through Files (穿越檔案的旅人)

Hint given by the challenge: `/images/`

![image](https://hackmd.io/_uploads/rkcx-MFrA.png)

[Reference](https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf)

![image](https://hackmd.io/_uploads/HJgPGMtrR.png)

![image](https://hackmd.io/_uploads/rJg1zfYHR.png)

Solution: https://travaling.fhh4ck3rs.taipei/img../flag.txt

`FhCTF{how_1_tr4v3rs4l_7h3_w0rld!}`

---

### Information

Brute-force the paths with dirsearch.

![image](https://hackmd.io/_uploads/BJAz_GYSC.png)

https://information.fhh4ck3rs.taipei/redoc

![image](https://hackmd.io/_uploads/rk9AdMYSR.png)

https://information.fhh4ck3rs.taipei/flag_MDAwMDAwMDA6IDBhICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLgo=

![image](https://hackmd.io/_uploads/SJAzKfFSA.png)

`FhCTF{Y0u_r3411y_n33d_t0_l0ck_y0ur_API_d0cum3n75}`

---

### A Web

Brute-force the paths with dirsearch.

![image](https://hackmd.io/_uploads/H1tLWN6IR.png)

https://aweb.fhh4ck3rs.taipei/robots.txt

![image](https://hackmd.io/_uploads/BJC0WVa80.png)

Log in with SQL injection. Username and password: `'or 1=1 -- #`

![image](https://hackmd.io/_uploads/HJ1fz468R.png)

The `isadmin` value in the cookie is only base64-encoded. Decoding it gives `False`.

![image](https://hackmd.io/_uploads/ByVQXEa8C.png)

Base64-encode `True` and paste the result back into the cookie: `VHJ1ZQ==`

![image](https://hackmd.io/_uploads/H1UM4NaIA.png)

`FhCTF{1aSy_t0_f0UnD_A_f1AG_cAn_u_f1ND_1T}`

---

### Gotcha

Start by scanning with dirsearch.

![image](https://hackmd.io/_uploads/rkU1r4TIA.png)

The scan shows a git leak, so try pulling the repository with GitHack.

![image](https://hackmd.io/_uploads/SklWINa8R.png)

What comes down is a PHP file, and the flag is inside it.

`FhCTF{I_9iT_!7}`

## REVERSE

### BabyReverse

Load the binary into IDA and find `print_flag`.

![image](https://hackmd.io/_uploads/HJwdkcuHR.png)

The decryption happens mainly in the loop (XOR).
:::spoiler code(c++)
```cpp
#include <cstdio>

char s[41];

void print_flag() {
    // Encrypted bytes copied from print_flag in the IDA decompilation.
    const char v3[40] = {
        57, 23, 60, 43, 57,  4, 38, 79, 10, 32,
        30, 13, 76, 32, 29, 75, 29,  6, 32, 13,
        76,  9, 76, 13, 74, 76, 32, 26, 17, 24,
        78, 17, 76, 76, 13, 91, 90, 89,  2,
        36  // Adding the 40th element to match the expected output length
    };

    // Only the first 39 bytes form the flag; each is XORed with 0x7F.
    for (int i = 0; i < 39; i++)
        s[i] = v3[i] ^ 0x7F;
    s[39] = 0;  // terminate right after the decoded flag
}

int main() {
    print_flag();
    printf("%s\n", s);
}
```
:::

`FhCTF{Y0u_ar3_b4by_r3v3r53_eng1n33r$%&}`

## OSINT

![image](https://hackmd.io/_uploads/rywRPVTUR.png)

Location: `剝皮寮`

`FhCTF{108台北市萬華區康定路173巷}`

## MISC

### Welcome

Just submit it directly.

`FhCTF{W3c0mE_ch4ll3nger_e8a898e5be97e58aa0e585a5e8999be693ace7a4bee59c98}`

---

### Survey

Fill out the form.

`FhCTF{G00d_G4m3}`

---

#### Difference between INDEX and RULES

index

![image](https://hackmd.io/_uploads/Hk4Zc9_BA.png)

rules

![image](https://hackmd.io/_uploads/S10V99OS0.png)
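
---

An added example relating to the A Web challenge above (not part of the original writeup and not the challenge's server code): it puts the weak pattern, trusting a base64-encoded `isadmin` cookie, beside a hardened form that attaches an HMAC tag the client cannot recompute. The function names, the `payload.tag` cookie layout, and the key are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac

# Constructed key for this example; a real service loads it from secret storage.
SERVER_KEY = b"constructed-example-key"


def naive_is_admin(cookie_value: str) -> bool:
    """Weak pattern: base64 is an encoding, so the client controls the result."""
    return base64.b64decode(cookie_value) == b"True"


def _tag(payload: str) -> str:
    """HMAC-SHA256 over the encoded payload, keyed with the server-side secret."""
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(is_admin: bool) -> str:
    """Hardened form: '<base64 payload>.<hex HMAC tag>' (hypothetical layout)."""
    payload = base64.b64encode(str(is_admin).encode()).decode()
    return f"{payload}.{_tag(payload)}"


def verified_is_admin(cookie_value: str) -> bool:
    """Honour the flag only when the tag verifies; malformed input is non-admin."""
    payload, sep, tag = cookie_value.partition(".")
    if not sep:
        return False
    # Constant-time comparison on bytes avoids leaking how much of the tag matched.
    if not hmac.compare_digest(_tag(payload).encode(), tag.encode()):
        return False
    try:
        return base64.b64decode(payload, validate=True) == b"True"
    except ValueError:
        return False


if __name__ == "__main__":
    user_cookie = issue_cookie(False)
    swapped = "VHJ1ZQ==." + user_cookie.split(".")[1]  # payload changed, old tag kept
    print("naive check, edited value:", naive_is_admin("VHJ1ZQ=="))
    print("signed check, edited value:", verified_is_admin(swapped))
```

Keeping the admin flag in server-side session state, keyed by an opaque session ID, removes the client-held value entirely.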