NISRA Final CTF write up

# NISRA Final CTF write up 抱歉這是邊打APEX邊寫的但還是感謝出題者們的努力平台開一周也很讚良政但可以給那個開題目連結的時候會開新的分頁的功能嗎謝謝 [官方write up](https://hackmd.io/@nisra-archived/Syp8623m1x) # MISC ## 0x0 一開始還想敘述這麼多幹嘛，原來是welcome啊 :::spoiler flag NISRA{1_4cc3Pt_tH3_cH4LL3nG3} ::: ## 弗瑞格的秘密文件弗瑞格好像有個 IG 帳號 ![image](https://hackmd.io/_uploads/SknNkTI4yg.png) 生日快樂!! ![image](https://hackmd.io/_uploads/SkyUkp8VJg.png) 密碼 1101 :::spoiler flag NISRA{h4_h4_1_4m_f1a9} ::: ## 0x1 這檔案的尾巴似乎不乾淨 ![image](https://hackmd.io/_uploads/S1Bhga841g.png) 真的欸有不乾淨的東西 base64decode :::spoiler flag NISRA{4ft3r_30I__} ::: # WEB ## cat😺 好運貓貓已造訪你的瀏覽器! 借助貓貓的運氣去找齊散落各處的flag碎片吧~ http://chall2.nisra.net:41034/ ### flag ![image](https://hackmd.io/_uploads/H1q3Vt2Xkx.png) ![image](https://hackmd.io/_uploads/HJ8REFh7Jl.png) ![image](https://hackmd.io/_uploads/BkRAEthQ1x.png) :::spoiler FLAG NISRA{c@t_1ik3_t0_pIay_w!th_u_Ou0b} ::: ## ψ(｀∇´)ψ http://chall2.nisra.net:41032/ ### flag ![image](https://hackmd.io/_uploads/HkliKF2QJx.png) 機器人? 那就是robots.txt ![image](https://hackmd.io/_uploads/rkEnKYhQyl.png) 看來要去/secret.html ![image](https://hackmd.io/_uploads/H1rFZ6LNkg.png) 有個連結可以點👉 ![image](https://hackmd.io/_uploads/Hkbhbp841l.png) f12 get flag :::spoiler flag NISRA{r0bots.tXt_i3_C00OOooooooOO00L} ::: ## Modifyyy No modify, no result. http://chall2.nisra.net:41025/ 這題一開始沒有讀懂，後來才想到原來是要修正程式碼在\<style>裡的第一段flag ![image](https://hackmd.io/_uploads/Sk6GfTUEyx.png) 附圖中的第二段 ![image](https://hackmd.io/_uploads/HkK7MpU4ye.png) ![image](https://hackmd.io/_uploads/BJquMaUV1g.png) base64decode後 > username:admin_password:nisra 但實際輸入後發現沒有觸發form ![image](https://hackmd.io/_uploads/Sky6z6U4yg.png) 來看看code 這句好可疑為甚麼要兩個button ```html! <input type="button" value="Login" class="button"> ``` 改成 ```html! <input type="submit" value="Login" class="button"> ``` 再次提交表單，拿到第三段了 ![image](https://hackmd.io/_uploads/HJWJEpI41x.png) :::spoiler flag NISRA{KaN_y0u_fIND_FIA9_a7_dIff3R3n7_5Pac32} ::: ## Invisible 在404的分頁 ![image](https://hackmd.io/_uploads/B1VvVT8V1g.png) 我看不到? 但原始碼應該看的到吧有欸用burp看到目錄應該要有 ![image](https://hackmd.io/_uploads/rk4hHpU4yg.png) 但只有 ![image](https://hackmd.io/_uploads/ByEaB6IE1e.png) 那應該就是他了 ![image](https://hackmd.io/_uploads/rk5lLaL4Je.png) head? 好喔我看看 ![image](https://hackmd.io/_uploads/r1nBITUEJe.png) 那個\<style>看起來很可疑把它刪掉 ![image](https://hackmd.io/_uploads/Hk4FI6UN1g.png) 出現一個qr 掃一下 ![Screenshot_2024-12-11-16-00-23-71_680d03679600f7af0b4c700c6b270fe7](https://hackmd.io/_uploads/r17kPpUV1g.jpg) 好欸 :::spoiler flag NISRA{ja^asCr1pt_w1th_qrC0de} ::: ## GET ![image](https://hackmd.io/_uploads/HJe4PaLE1l.png) 好有趣試試flag ![image](https://hackmd.io/_uploads/BkPHDp8Ekg.png) admin? ![image](https://hackmd.io/_uploads/BJQIPp8Vkl.png) 5534? ![image](https://hackmd.io/_uploads/rk1DP6LEJg.png) 好欸跟我裝傻是吧但他這個URL看起來好可疑改個試試 ![image](https://hackmd.io/_uploads/BybAtaI4kx.png) 好欸猜對了 :::spoiler flag NISRA{y0u_$GET_s3cReT} ::: ## Sign In 一個登入頁面登登看 ![image](https://hackmd.io/_uploads/rkkWqpUVyg.png) test/test ![image](https://hackmd.io/_uploads/Sy2ZqaIN1g.png) 他好像會把帳號密碼反射 XSS? ![image](https://hackmd.io/_uploads/rkcq2TLN1e.png) bingo :::spoiler flag NISRA{XsS_1s_NicE~} ::: ## Pick cat! 遇到沒有的貓貓會變這樣 ![image](https://hackmd.io/_uploads/ByzJT68Ekx.png) 那就是 `onerror=alert()` ![image](https://hackmd.io/_uploads/rJSzaa84Jl.png) :::spoiler flag NISRA{X55_1s_50_c0o0o01!} ::: ## Hello 一樣會輸入甚麼反射甚麼 ![image](https://hackmd.io/_uploads/rkHvp6INyl.png) 又是XSS? ![image](https://hackmd.io/_uploads/HkcOapIEkl.png) 看來方向不太對但按鈕也可以XSS `onclick="alert()"` ![image](https://hackmd.io/_uploads/r12saa8Eyl.png) :::spoiler flag NISRA{W31c0M3_t0_en1ight3n3D} ::: ## 結語打完WEB惹其他有點懶OuO