前言
本日進度:
Writeup
第一題:findme
用他的密碼 test / test!
登入,但這樣好像拿不到什麼,打開 Burp Suite 攔截
request,發現有下面這兩個請求,有一個
/next-page/id=cGljb0NURntwcm94aWVzX2Fs 試著把它用 Base64
解碼,然後他會再跳轉一次,有另一個 id ,一樣用 Base64
解碼之後合併再一起就得到 Flag 了
Image
Image
第二題:Secrets
點檢查發現 source 裡面有一個資料夾 secret ,所有就連過去看看
(記得最後面要加 / 不然會被 redirect 到
http://saturn.picoctf.net/secret/)
,然後到下一個頁面後又發現有個資料夾 hidden ,連過去又有個資料夾
superhidden ,再連過去之後就看到 Flag 了
Image
Image
Image
Image
第三題:Roboto Sans
這題看了好久才想到要去看 robots.txt ,裡面有一些看起來像
base64 編碼後過的東西,上下兩行不太知道是什麼,中間那行解出來是
js/myfile.txt ,所以就去看 js/myfile.txt
就得到 Flag 了
Image
Image
Image
第四題:Who are you?
這題很好玩,他是昨天把 User-Agent 改成
picobrowser
的進階版,這次要改的東西更多,但他都有給提示,慢慢查一個個加到 Header
裡面就完成了,分別是 User-Agent Referer
Date DNT X-Forwarded-For
Accept-Language ,這些都改成他想要的之後就能得到 Flag
了
Image
Image
Image
Image
Image
Image
Image
Image
第五題:It is my Birthday
這題是要上傳兩個 PDF,要滿足內容不相同,但是 MD5 Hash
相同,所以我先用 Burp Suite 把請求抓下來,然後上網找到兩個會碰撞的 MD5
Hash :
TEXTCOLLBYfGiJUETHQ4hAcKSMd5zYpgqf1YRDhkmxHkhPWptrkoyz28wnI9V0aHeAuaKnak
和
TEXTCOLLBYfGiJUETHQ4hEcKSMd5zYpgqf1YRDhkmxHkhPWptrkoyz28wnI9V0aHeAuaKnak,並分別把他們當成
PDF 的內容,上傳上去之後就能得到 Flag 了
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 POST /index.php HTTP/1.1 Host : mercury.picoctf.net:57247Content-Length : 575Cache-Control : max-age=0Accept-Language : en-US,en;q=0.9Upgrade-Insecure-Requests : 1Origin : http://mercury.picoctf.net:57247Content-Type : multipart/form-data; boundary=----WebKitFormBoundaryvOuQVRQUS71gBftBUser-Agent : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36Accept : text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Referer : http://mercury.picoctf.net:57247/Accept-Encoding : gzip, deflate, brConnection : keep-aliveContent-Disposition: form-data; name ="file1"; filename="test.pdf" Content-Type : application/pdf TEXTCOLLBYfGiJUETHQ4hAcKSMd5zYpgqf1YRDhkmxHkhPWptrkoyz28wnI9V0aHeAuaKnak Content-Disposition: form-data; name ="file2"; filename="test.pdf" Content-Type : application/pdf TEXTCOLLBYfGiJUETHQ4hEcKSMd5zYpgqf1YRDhkmxHkhPWptrkoyz28wnI9V0aHeAuaKnak Content-Disposition: form-data; name ="submit" Upload
Image
Image
第六題:
網頁中的 js 被 obfuscation 了,有夠醜,先拿 prettier
格式化,再仔細看看,感覺跟之前有一題 dont-use-client-side
很像,但很多東西被打亂了,不過可以從
checkpass[_0x4b5b("0x2")](, ) 判斷出密碼的順序是
_0x4b5b("0x3") -> _0x4b5b("0x4") ->
_0x4b5b("0x6") ->
_0x4b5b("0x5"),把它印出來之後就是 Flag 了~
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 var _0x5a46 = [ "0a029}" , "_again_5" , "this" , "Password\x20Verified" , "Incorrect\x20password" , "getElementById" , "value" , "substring" , "picoCTF{" , "not_this" , ]; (function (_0x4bd822, _0x2bd6f7 ) { var _0xb4bdb3 = function (_0x1d68f6 ) { while (--_0x1d68f6) { _0x4bd822["push" ](_0x4bd822["shift" ]()); } }; _0xb4bdb3 (++_0x2bd6f7); })(_0x5a46, 0x1b3 ); var _0x4b5b = function (_0x2d8f05, _0x4b81bb ) { _0x2d8f05 = _0x2d8f05 - 0x0 ; var _0x4d74cb = _0x5a46[_0x2d8f05]; return _0x4d74cb; }; function verify ( checkpass = document [_0x4b5b ("0x0" )]("pass" )[_0x4b5b ("0x1" )]; split = 0x4 ; if (checkpass[_0x4b5b ("0x2" )](0x0 , split * 0x2 ) == _0x4b5b ("0x3" )) { if (checkpass[_0x4b5b ("0x2" )](0x7 , 0x9 ) == "{n" ) { if ( checkpass[_0x4b5b ("0x2" )](split * 0x2 , split * 0x2 * 0x2 ) == _0x4b5b ("0x4" ) ) { if (checkpass[_0x4b5b ("0x2" )](0x3 , 0x6 ) == "oCT" ) { if ( checkpass[_0x4b5b ("0x2" )](split * 0x3 * 0x2 , split * 0x4 * 0x2 ) == _0x4b5b ("0x5" ) ) { if (checkpass["substring" ](0x6 , 0xb ) == "F{not" ) { if ( checkpass[_0x4b5b ("0x2" )]( split * 0x2 * 0x2 , split * 0x3 * 0x2 , ) == _0x4b5b ("0x6" ) ) { if (checkpass[_0x4b5b ("0x2" )](0xc , 0x10 ) == _0x4b5b ("0x7" )) { alert (_0x4b5b ("0x8" )); } } } } } } } } else { alert (_0x4b5b ("0x9" )); } }
Image
參考資料
