Table of Contents
這篇是從我之前HackMD搬過來的
我剛好是出題者,也負責部分靶機和整個 CTFd 平臺的維護和架設,總的來說蠻好玩的
哥布林保衞部公告(Web)Link to heading
link 查看原始碼就好了,在註釋裡面 Just check the source code, it’s in the comments
Democracy(Web)Link to heading
題目描述: Problem description:
The Republic of Frank National Assembly needs your participation!Head over here提示: hint:
FOSS-Its means Open for what?index.html source
<!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>我們來修法</title> <!--flagNH{NC-ItsFake}--></head><body> <h1>我們來修法</h1> <h2>Frank共和國-刑法之讀書罪</h2> <h2> I 讀書者,處五年以下有期徒刑、拘役或一百萬元以下罰金。</br> II 犯前項之罪,因而取得國民小學、國民中學或高級中等學校畢業證書者,處三年以上十年以下有期徒刑;取得學士學位或以上證書者,處無期徒刑或七年以上有期徒刑。 </br> III 第一項之未遂犯罰之。</br> IV 預備犯第一項之罪者,處二年以下有期徒刑。</h2>
<a href="/next.html"> <button>我要附議!</button> </a><script></script></body></html>next.html source
<!DOCTYPE html><html lang="en"><head> <title></title></head><body> <script> (function(_0x1530b2,_0x25eae5){const _0xdd1554=_0x1d5d,_0x42a37d=_0x1530b2();while(!![]){try{const _0x1d1179=parseInt(_0xdd1554(0x154))/0x1*(parseInt(_0xdd1554(0x14f))/0x2)+parseInt(_0xdd1554(0x158))/0x3+parseInt(_0xdd1554(0x14e))/0x4+-parseInt(_0xdd1554(0x150))/0x5+parseInt(_0xdd1554(0x155))/0x6*(parseInt(_0xdd1554(0x14d))/0x7)+parseInt(_0xdd1554(0x157))/0x8*(parseInt(_0xdd1554(0x153))/0x9)+-parseInt(_0xdd1554(0x152))/0xa;if(_0x1d1179===_0x25eae5)break;else _0x42a37d['push'](_0x42a37d['shift']());}catch(_0x295f65){_0x42a37d['push'](_0x42a37d['shift']());}}}(_0x26c6,0x8eacd));function _0x26c6(){const _0x493e29=['3627595ecwUvD','location','24409390imErtQ','1674eJftVF','744XYYQZd','18mJJWtU','https://www.youtube.com/watch?v=dQw4w9WgXcQ&t=0s','47176PbUlsH','1796250tUXBLc','1051442HKnRWV','1936724tfzzCy','3012lhncSA'];_0x26c6=function(){return _0x493e29;};return _0x26c6();}const encryptedFlag=[0xef,0xdd,0xef,0xce,0x176,0x101,0x13d,0x128,0x161,0x7a,0x15e,0xd4,0x128,0x15e,0x170,0xfb,0x140,0x13a,0x13d,0x161,0xc2,0x17c];let flag='';function _0x1d5d(_0x2251e,_0x652fc3){const _0x26c671=_0x26c6();return _0x1d5d=function(_0x1d5dc4,_0x9d9d2d){_0x1d5dc4=_0x1d5dc4-0x14d;let _0x3d0f47=_0x26c671[_0x1d5dc4];return _0x3d0f47;},_0x1d5d(_0x2251e,_0x652fc3);}for(let t=0x0;t<encryptedFlag['length'];t++){const b=(encryptedFlag[t]-0x5)/0x3;flag+=String['fromCharCode'](b);}setTimeout(()=>{const _0x258376=_0x1d5d;window[_0x258376(0x151)]['href']=_0x258376(0x156);},0x1),setTimeout(()=>{console['log'](flag);},0x8); //flagNHN{Cfake} </script></body></html>對上面的提供的 next.html 第8行(最長的)進行解混淆得到: Deobfuscate the provided line 8 (longest) of next.html to obtain:
const encryptedFlag = [ 239, 221, 239, 206, 374, 257, 317, 296, 353, 122, 350, 212, 296, 350, 368, 251, 320, 314, 317, 353, 194, 380];let flag = '';for (let t = 0; t < encryptedFlag.length; t++) { const b = (encryptedFlag[t] - 5) / 3; flag += String.fromCharCode(b);}setTimeout(() => { window.location.href = 'https://www.youtube.com/watch?v=dQw4w9WgXcQ&t=0s';}, 1);setTimeout(() => { console.log(flag);}, 8);拿下面那段掉然後看 console.log Remove the following section then check console.log
setTimeout(() => { window.location.href = 'https://www.youtube.com/watch?v=dQw4w9WgXcQ&t=0s';}, 1);或者直接計算 ASCII Or directly calculate the ASCII
Example:(380-5)/3 = 125ASCII 125 = }This carries a slight touch of malice(Forensics)Link to heading
題目描述: Problem description:
Identifying and promoting one's brand is a very serious matterSo, what form should it take? :)提示: hint:
file at this websiteand the route is /在我們CTFd平臺主頁的源碼中檢查一下 (就是網站logo) Check the source code on the homepage of our CTFd platform (the website logo)
<img class="img-responsive ctf_logo" src="/files/8c857832a86f0f5178a9baf9b04177d8/hahaha.jpg" alt="No Hack No CTF" height="25">
然後就在 strings 裡面
Then, look in the strings
strings filename.jpg | grep NHNC