Byte Bandits CTF 2023

web

Improper Error Handling


Opening the target looks like this.

First, look at the page source:

<html>
<head>
<title>Top Secret Project</title>
<style>
body {
font-family: Arial, sans-serif;
margin: 40px;
}
form {
display: flex;
flex-direction: column;
align-items: center;
}
label {
font-size: 1.2em;
margin-bottom: 10px;
}
input[type="password"] {
font-size: 1.2em;
padding: 5px;
width: 400px;
margin-bottom: 20px;
}
button {
font-size: 1.2em;
padding: 5px 10px;
background-color: #4CAF50;
color: white;
border-radius: 5px;
cursor: pointer;
}
pre {
background-color: #eee;
padding: 20px;
white-space: pre-wrap;
margin-top: 20px;
display: none;
}
.error {
color: red;
}
</style>
</head>
<body>
<h1>Top Secret Project</h1>
<form>
<label for="input">Enter the password:</label>
<input type="password" id="input">
<button type="button" onclick="sendRequest()">Submit</button>
</form>
<p class="error" id="error-message"></p>
<pre id="debug-message"></pre>
</body>
<script>
function sendRequest() {
let length = document.getElementById("input").value;
fetch("/api/error?length=" + length)
.then(response => response.text())
.then(text => {
if (text.startsWith("Error")) {
document.getElementById("error-message").textContent = text;
document.getElementById("error-message").style.display = "block";
document.getElementById("debug-message").style.display = "none";
} else {
document.getElementById("debug-message").textContent = text;
document.getElementById("debug-message").style.display = "block";
document.getElementById("error-message").style.display = "none";
}
});
}
</script>

</html>

A request function sendRequest() is defined. It requests:
/api/error?length=

Try passing a parameter.

Make it longer step by step and watch the response.
When the parameter passed reaches 32 characters, the flag is dumped.
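The bug class behind this challenge is the server sending raw error detail to the client. The following is an added example for this writeup, not the challenge's server code (which the page never shows): the route name /api/error?length= is taken from the page, while the backend logic, the handler names and the secret it leaks (a constructed placeholder) are hypothetical. It places a handler that echoes the exception text next to one that validates input, returns a fixed message and keeps the detail in a server-side log.

```javascript
// Added example for the "Improper Error Handling" class shown by this challenge.
// Not the challenge's server code: the route /api/error?length= is from the page;
// buildPayload, the handlers and DEBUG_KEY=CONSTRUCTED_SECRET are hypothetical.

// Hypothetical internal routine whose failure message carries debugging detail.
function buildPayload(length) {
  if (!Number.isInteger(length) || length < 1 || length > 16) {
    // A framework-style exception that embeds internal context in its message.
    throw new Error(
      `length=${length} out of range (ctx: DEBUG_KEY=CONSTRUCTED_SECRET)`
    );
  }
  return "x".repeat(length);
}

// Vulnerable handler: whatever text the exception carries is sent to the client.
// The page's front end displays any body that starts with "Error" verbatim.
function vulnerableHandler(query) {
  try {
    return { status: 200, body: buildPayload(Number(query.length)) };
  } catch (err) {
    return { status: 500, body: "Error: " + err.message };
  }
}

// Hardened handler: validate the parameter up front, return one fixed message
// for every internal failure, and keep the detail in a server-side log keyed by
// a correlation id so operators can still investigate the failure.
const serverLog = [];
let requestCounter = 0;

function hardenedHandler(query) {
  if (!/^\d{1,3}$/.test(String(query.length ?? ""))) {
    return { status: 400, body: "Error: length must be a positive integer" };
  }
  try {
    return { status: 200, body: buildPayload(Number(query.length)) };
  } catch (err) {
    const id = `req-${String(++requestCounter).padStart(4, "0")}`;
    serverLog.push({ id, message: err.message, stack: err.stack });
    return { status: 500, body: `Error: request failed (ref ${id})` };
  }
}

function getServerLog() {
  return serverLog;
}

// Stand-alone demo: the same over-long length against both handlers.
console.log(vulnerableHandler({ length: "32" }).body);
console.log(hardenedHandler({ length: "32" }).body);
console.log(getServerLog());
```

The client-side branch on text.startsWith("Error") in the page's script is untouched by this change; the difference is only in what the server puts after "Error:". A detection rule for this class is correspondingly simple: alert on 5xx responses whose bodies contain stack frames, file paths or configuration keys.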

Hi-Score


Click a hundred times in one second and you get the flag.
A challenge like this is most likely about the JS.
Look at the JS first.

Open the debugger and find a function:

function _0x59a2() {
var _0x78411b = [
"\x20cps",
"clicks",
"\x20Your\x20Reward\x20:\x20<a\x20href=\x22" +
"2f2e736563726574696f6e2f666c6167"
.match(/[\da-f]{2}/gi)
.map((h) => String.fromCharCode(parseInt(h, 16)))
.join("") +
"\x22\x20download=\x22flag\x22>Reward</a>",
"3526ccMajJ",
"innerHTML",
"4263236HVNRoh",
"3656895VkgrIX",
"503210VEeXpc",
"toFixed",
"5NfzyuJ",
"8399912tBbEFu",
"SCORE:\x20",
"6379703kdfIqT",
"getElementById",
"getTime",
"48bKPhCj",
"14Xmxuhh",
"reward",
"9wOTYQU",
"597OMUzhx",
"2046510XnQiaG",
];
_0x59a2 = function () {
return _0x78411b;
};
return _0x59a2();
}

It looks like the "\x20Your\x20Reward\x20:\x20<a\x20href=\x22" +
"2f2e736563726574696f6e2f666c6167"
segment is what echoes the reward, i.e. the flag.
At first I thought I had to decode 2f2e736563726574696f6e2f666c6167 itself,
but that didn't work.

_0x59a2 = function () {
return _0x78411b;
};
return _0x59a2();
}

Seeing this, we can simply run the _0x59a2() function.

That gives the flag's path: /.secretion/flag
Visit it, download the file and open it.
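The decode step the obfuscated code performs, written out as an added example for this writeup (analysis code, not the challenge's own script): decodeHexString is the same match/map/join chain as in _0x59a2(), rewardEntry is the reward string rebuilt exactly as the table builds it, and findHexEncodedStrings generalises the one case on the page to scanning any string table for hex-encoded entries. The helper names and the constructed sample table are mine.

```javascript
// Added example: analysis helpers for the obfuscated string table above.
// Not the challenge's own script; helper names and the sample table are constructed.

// Same transformation the obfuscated code applies: split the string into byte
// pairs and turn each hex pair into a character.
function decodeHexString(hex) {
  return hex
    .match(/[\da-f]{2}/gi)
    .map((h) => String.fromCharCode(parseInt(h, 16)))
    .join("");
}

// The reward entry exactly as _0x59a2() builds it (\x20 and \x22 already unescaped).
const rewardEntry =
  ' Your Reward : <a href="' +
  decodeHexString("2f2e736563726574696f6e2f666c6167") +
  '" download="flag">Reward</a>';

// Pull the href target out of the rendered reward markup.
function extractHref(html) {
  const m = html.match(/href="([^"]+)"/);
  return m ? m[1] : null;
}

// Generalisation: report table entries that are pure hex of even length and
// decode to printable ASCII, i.e. strings hidden the same way as the flag path.
function findHexEncodedStrings(table) {
  const out = [];
  for (const s of table) {
    if (s.length < 8 || !/^(?:[\da-f]{2})+$/i.test(s)) continue;
    const decoded = decodeHexString(s);
    if (/^[\x20-\x7e]+$/.test(decoded)) out.push({ raw: s, decoded });
  }
  return out;
}

// Stand-alone demo over a constructed table: the raw hex literal from the page
// next to a few non-hex entries copied from the same array.
const sampleTable = [
  "2f2e736563726574696f6e2f666c6167",
  "3526ccMajJ",
  "SCORE: ",
  "48bKPhCj",
];
console.log(extractHref(rewardEntry));
console.log(findHexEncodedStrings(sampleTable));
```

The defensive lesson is the one the solve demonstrates: the reward location ships inside the client bundle, so any visitor who can read JavaScript can recover it regardless of the click counter. Obfuscation changes how long that takes, not whether it is possible; a reward that should depend on a score has to be issued by the server after it verifies that score.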


Byte Bandits CTF 2023
http://example.com/2023/02/10/Byte Bandits CTF 2023/
Author
J_0k3r
Published
10 February 2023
License
BY J_0K3R