OS CTF Writeup

OS CTF

Challenge attachments: https://pan.baidu.com/s/1dZfhK5cgkp6cm_0kqzpSPw?pwd=8pul

Forensics

The Hidden Soundwave

Challenge:

We’ve intercepted some signals which is allegedly transmitted by aliens…? Do aliens listen to Alan Walker? I don’t know, it’s up to you to understand but we are sure there’s something hidden in this song and we need to decrypt it!

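Solution:

Open the file in Audacity; a segment near the end has a noticeably taller waveform.

Switch that track to the spectrogram view and the flag appears.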

OSCTF{M3s54g3_1nt3Rc3p7eD}

PDF Puzzle

Challenge:

It took me so much time to write this pdf (for real, I’m not lying) but I have hidden the flag in this and you’re tasked with finding it. Prove your pdf knowledge here forensic people.

Solution:

Open the file in Adobe Acrobat DC -> Protect -> Remove Hidden Information, then look at the Author field in the metadata to get the flag.

OSCTF{H3il_M3taD4tA}

Seele Vellorei

Challenge:

Seele Vollerei is an orphaned girl in Cocolia’s Orphanage. But the tragic event in her past made that she was gone forever, until then she returned like a mysterious butterfly. How is this related to the challenge though? You figure out for yourself ;)

Solution:

Open the PDF.

Move the image out of the way, select all the text and set its font color; the flag appears.

OSCTF{V3l10n4_1s_Gr43t}

The Lost Image Mystery

Challenge:

In the bustling city of Cyberville, a crucial image file has been corrupted, and it’s up to you, a budding digital forensics expert, to recover it. The file appears to be damaged, can you recover the contents of the file?

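Solution:

Open the file in 010 Editor: the file header is missing, and the file is not actually a PNG.

Take the header from a JPG file, insert it at the start and save; the image then shows the flag.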

OSCTF{W0ah_F1l3_h34D3r5}

qRc0dE

Challenge:

This is a QRCODE, but I can not scan it, whyyyyy????


Solution:

Redraw the QR code in Adobe Illustrator.

Decode it online with QRazyBox.

OSCTF{r3c0w3R_qR_C0de_1S_s0_fUn} (this flag is incorrect)

Mysterious Website Incident

Challenge:

In the heart of Cyber City, a renowned e-commerce website has reported suspicious activity on its servers. As a rookie digital investigator, you’ve been called in to uncover the truth behind this incident. Your journey begins with examining the server’s records, searching for clues that could shed light on what transpired.

Solution:

In WPS, split the log into columns and filter it; an anomalous request stands out.

Visit that address to get the flag.

OSCTF{1_c4N_L0g!}

Phantom Script Intrusion

Challenge:

In the realm of Cyberspace County, a notorious cybercriminal has planted a stealthy PHP malware script on a local server. This malicious script has been cunningly obfuscated to evade detection. As a novice cyber detective, you are called upon to unravel the hidden intentions behind this cryptic code.

<?php
goto Ls6vZ; apeWK: ${"\x76\141\x72\61"} = str_rot13("\x24\x7b\x22\134\x78\x34\x37\134\x78\x34\143\x5c\x78\64\x66\x5c\170\x34\x32\134\x78\64\61\x5c\170\x34\x63\134\x78\x35\x33\42\x7d"); goto G9fZX; Ls6vZ: ${"\x47\x4c\x4f\x42\101\114\123"} = "\150\x58\x58\x70\x73\72\x2f\57\163\150\x30\162\164\x75\x72\x6c\56\x61\164\x2f\x73\x31\146\x57\62"; goto apeWK; XT2kv: if (strlen(${"\x76\141\x72\x32"}) > 0) { ${"\166\x61\x72\x33"} = ${"\x76\x61\x72\x32"}; } else { ${"\166\141\x72\63"} = ''; } goto ZYamk; V2P3O: foreach (str_split(${"\166\141\x72\x33"}) as ${"\166\x61\x72\x35"}) { ${"\166\141\162\x34"} .= chr(ord(${"\166\141\162\65"}) - 1); } goto Ly_yq; G9fZX: ${"\x76\141\162\x32"} = base64_decode(${${"\166\x61\162\x31"}}); goto XT2kv; Ly_yq: eval(${${"\x76\x61\x72\x34"}}); goto IFMxz; ZYamk: ${"\166\141\162\64"} = ''; goto V2P3O; IFMxz: ?>

Solution:

Print the script as a Python string:

a = '''
<?php
goto Ls6vZ;
apeWK:
${"\x76\141\x72\61"} = str_rot13("\x24\x7b\x22\134\x78\x34\x37\134\x78\x34\143\x5c\x78\64\x66\x5c\170\x34\x32\134\x78\64\61\x5c\170\x34\x63\134\x78\x35\x33\42\x7d");
goto G9fZX;
Ls6vZ:
${"\x47\x4c\x4f\x42\101\114\123"} = "\150\x58\x58\x70\x73\72\x2f\57\163\150\x30\162\164\x75\x72\x6c\56\x61\164\x2f\x73\x31\146\x57\62";
goto apeWK;
...'''

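# Python string literals use the same \xHH and octal escapes as PHP
# double-quoted strings, so printing the literal decodes them.
print(a)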
'''
<?php
goto Ls6vZ;
apeWK:
${"var1"} = str_rot13("${"\x47\x4c\x4f\x42\x41\x4c\x53"}");
goto G9fZX;
Ls6vZ:
${"GLOBALS"} = "hXXps://sh0rturl.at/s1fW2";
goto apeWK;
...'''

This reveals a URL, hXXps://sh0rturl.at/s1fW2. Change X to t and 0 to o, then visit it to get the flag.

OSCTF{M4lW4re_0bfU5CAt3d}
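The same decoding can be done statically, without running the sample or pasting it into an interpreter. This is an added example, not part of the original writeup: the function names are illustrative, and the two statements in SAMPLE are copied from the challenge script above.

```python
import re

# PHP double-quoted escapes other than \xHH and octal (single-character forms).
SIMPLE = {"n": "\n", "r": "\r", "t": "\t", "v": "\v", "e": "\x1b",
          "f": "\f", "\\": "\\", "$": "$", '"': '"'}
ESCAPE = re.compile(r"\\(?:x([0-9A-Fa-f]{1,2})|([0-7]{1,3})|(.))", re.S)
DQ_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"', re.S)
URL_LIKE = re.compile(r"h(?:tt|xx)ps?://\S+", re.I)


def decode_php_string(body):
    """Decode the body of one PHP double-quoted string without executing it."""
    def repl(m):
        hex_digits, octal_digits, other = m.groups()
        if hex_digits:
            return chr(int(hex_digits, 16))
        if octal_digits:
            return chr(int(octal_digits, 8) & 0xFF)  # PHP wraps octal values above \377
        return SIMPLE.get(other, "\\" + other)       # unknown escapes keep the backslash
    return ESCAPE.sub(repl, body)


def decode_literals(php_source):
    """Return every double-quoted literal in the source, decoded, in order."""
    return [decode_php_string(m.group(1)) for m in DQ_STRING.finditer(php_source)]


def find_urls(strings):
    """Pick out URL-shaped values, including defanged hXXp(s) forms."""
    return [s for s in strings if URL_LIKE.match(s)]


# Two statements copied from the challenge sample (raw string: nothing is interpreted here).
SAMPLE = r'''
${"\x76\141\x72\61"} = str_rot13("\x24\x7b\x22\134\x78\x34\x37\134\x78\x34\143\x5c\x78\64\x66\x5c\170\x34\x32\134\x78\64\61\x5c\170\x34\x63\134\x78\x35\x33\42\x7d");
${"\x47\x4c\x4f\x42\101\114\123"} = "\150\x58\x58\x70\x73\72\x2f\57\163\150\x30\162\164\x75\x72\x6c\56\x61\164\x2f\x73\x31\146\x57\62";
'''

if __name__ == "__main__":
    decoded = decode_literals(SAMPLE)
    for value in decoded:
        print(repr(value))
    print("URLs:", find_urls(decoded))
```

The second literal is itself escaped a second time, so passing it through decode_php_string again yields the variable name it hides.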

Misc

Weird Video

Challenge:

Hey! I’ve found this mp4 file lying around my computer, but weird I’m not able to open it? Here, have a look.

Solution:

Open the mp4 file in Notepad++; the flag is visible in the file contents.

Find the Flag

Challenge:

There is a Flag hidden somewhere in the realms of code of this ctf server… but the question is, Where!?

Solution:

Press F12 and search for OSCTF to find the flag.

Cryptic Pigeon

Challenge:

This pigeon left me some letter but I just can’t read it?

Note: Wrap what you decrypt in OSCTF{}. For example, if the decrypted text is: “hi” then the flag becomes OSCTF{hi}

Solution:

Decode it with an online pigpen cipher decoder.

OSCTF{P1GE0NG0BRRRR}

Cyber Quiz

Challenge:

My teacher assigned me this quiz and told me that I have to answer each question correctly otherwise I won’t be able to pass the test. Can you help me? Pwease

Solution:

Ask ChatGPT.

C:\Users\jack>nc 34.16.207.52 12345
Answer the following cybersecurity questions to reveal the flag:
What is the default port for HTTP? 80
Correct! O____________________
Who invented the World Wide Web? Tim Berners-Lee
Correct! OS___________________
What does DNS stand for? Domain Name System
Correct! OSC__________________
What is the process of converting data into a coded format called? encryption
Correct! OSCT_________________
What protocol is commonly used for secure communication over the internet? HTTPS
Correct! OSCTF________________
What does SQL stand for? Structured Query Language
Correct! OSCTF{_______________
What is a common type of attack that involves injecting malicious code into a website? SQL Injection
Correct! OSCTF{L______________
What type of malware encrypts files and demands payment for their release? ransomware
Correct! OSCTF{L3_____________
What is the practice of disguising communication to appear as though it is coming from a trusted source? spoofing
Correct! OSCTF{L33____________
What is a file called that contains a digital certificate? pem
Incorrect. Try the next question.
What term describes the attempt to gain sensitive information by disguising as a trustworthy entity? phishing
Correct! OSCTF{L33____________
What is a network device that filters and monitors incoming and outgoing network traffic? firewall
Correct! OSCTF{L33__K_________
What type of attack involves overwhelming a system with traffic to disrupt service? ddos
Correct! OSCTF{L33__Kn________
What is the primary protocol used for sending email over the internet? SMTP
Correct! OSCTF{L33__Kn0_______
What does VPN stand for? Virtual Private Network
Correct! OSCTF{L33__Kn0w______
What is the name of the vulnerability that allows arbitrary code execution in software? rce
Incorrect. Try the next question.
What is the term for a software update that fixes bugs and vulnerabilities? patch
Correct! OSCTF{L33__Kn0w_3____
What does MFA stand for in cybersecurity? Multi-Factor Authentication
Correct! OSCTF{L33__Kn0w_3D___
What is a tool that scans a network for open ports and services? Nmap
Correct! OSCTF{L33__Kn0w_3Dg__
What is the name of the secure file transfer protocol that uses SSH? SFTP
Correct! OSCTF{L33__Kn0w_3Dg3_
What does XSS stand for in web security? Cross-Site Scripting
Correct! OSCTF{L33__Kn0w_3Dg3}

Final flag: OSCTF{L33__Kn0w_3Dg3}

GPT got two of the questions wrong; judging from the meaning, the missing characters are t and l.
OSCTF{L33t_Kn0wl3Dg3}

Web

Introspection

Challenge:

Welcome to the Secret Agents Portal. Find the flag hidden in the secrets of the Universe!!!

Solution:

Inspect the JS file to find the flag.

OSCTF{Cr4zY_In5P3c71On}

Style Query Listing…?

Challenge:

pfft.. Listen, I’ve gained access to this login portal but I’m not able to log in. The admins are surely hiding something from the public, but… I don’t understand what. Here take the link and be quiet, don’t share it with anyone

Solution:

Modifying the request triggers an error, which reveals a SQL injection; sqlmap was used for the injection.

OSCTF{D1r3ct0RY_BrU7t1nG_4nD_SQL}

Indoor WebApp

Challenge:

The production of this application has been completely indoor so that no corona virus spreads, but that’s an old talk right?

Solution:

Change id to 2 to get the flag.

OSCTF{1nd00r_M4dE_n0_5enS3}

Reversing

Avengers Assemble

Challenge:

The Avengers have assembled but for what? To solve this!? Why call Avengers for such a simple thing, when you can solve it yourself

FLAG FORMAT: OSCTF{Inp1_Inp2_Inp3} (Integer values)

Solution:

num2 = 0x6f56df8d
num1 = 0xdeadbeef - num2
num3 = 2103609845 ^ num2

print("OSCTF{" + f"{num1}_{num2}_{num3}" + "}")

OSCTF{1867964258_1867964301_305419896}

Gophers Language

Challenge:

I know go is not a popular language, so I decided of creating a reversing challenge out of it. I’m sure now go will overtake java!!

Solution:

OSCTF{Why_G0_S0_H4rd}

Crypto

The Secret Message

Challenge:

Bob was sending an encrypted message to Alice using a method known only to a few. But Bob seems to have messed something up in the code. Can you identify that mistake and leverage it to gain access to their conversations?

from Cryptodome.Util.number import getPrime, bytes_to_long

flag = bytes_to_long(b"REDACTED")
p = getPrime(512)
q = getPrime(512)
n = p * q
e = 3

ciphertext = pow(flag, e, n)

print("n: ", n)
print("e: ", e)
print("ciphertext: ", ciphertext)

# n: 95529209895456302225704906479347847909957423713146975001566374739455122191404873517846348720717334832208112563199994182911677708320666162110219260456995238587348694937990770918797369279309985690765014929994818701603418084246649965352663500490541743609682236183632053755116058982739236349050530235419666436143
# e: 3
# ciphertext: 123455882152544968263105106204728561055927061837559618140477097078038573915018542652304779417958037315601542697001430243903815208295768006065618427997903855304186888710867473025125

Solution:

Low public exponent attack.

from gmpy2 import iroot
import libnum

e = 3
n = 95529209895456302225704906479347847909957423713146975001566374739455122191404873517846348720717334832208112563199994182911677708320666162110219260456995238587348694937990770918797369279309985690765014929994818701603418084246649965352663500490541743609682236183632053755116058982739236349050530235419666436143
c = 123455882152544968263105106204728561055927061837559618140477097078038573915018542652304779417958037315601542697001430243903815208295768006065618427997903855304186888710867473025125

k = 0
while True:
    res = iroot(c + k * n, e)  # cube root of c + k*n; stop once it is an exact cube
    if res[1]:
        print(libnum.n2s(int(res[0])))  # convert the integer to a byte string
        break
    k = k + 1
# b'OSCTF{Cub3_R00Ting_RSA!!}'

OSCTF{Cub3_R00Ting_RSA!!}

Couple Primes

Challenge:

I have used RSA but I think I have made it faster by generating the primes in some different fashion. I bet you can’t decrypt my Super Secure Message! Haha!

from Crypto.Util.number import *
from sympy import nextprime

flag = b'REDACTED'

p = getPrime(1024)
q = nextprime(p)
e = 65537

n = p * q
c = pow(bytes_to_long(flag), e, n)

print(f"n = {n}")
print(f"c = {c}")
n = 20159884168863899177128175715030429666461733285660170664255048579116265087763268748333820860913271674586980839088092697230336179818435879126554509868570255414201418619851045615744211750178240471758695923469393333600480843090831767416937814471973060610730578620506577745372347777922355677932755542699210313287595362584505135967456855068550375989801913361017083952090117041405458626488736811460716474071561590513778196334141517893224697977911862004615690183334216587398645213023148750443295007000911541566340284156527080509545145423451091853688188705902833261507474200445477515893168405730493924172626222872760780966427
c = 18440162368010249375653348677429595229051180035668845001125855048750591059785630865891877031796050869136099359028540172514890273415892550857190509410541828375948243175466417949548148007390803680005616875833010137407850955608659023797782656930905693262770473679394796595557898347900786445803645539553815614140428316398058138450937721961593146082399553119578102712100359284788650328835784603011091312735813903241087475279011862693938914825685547337081335030237385061397899718079346063519325222861490101383929790275635381333028091769118083102339908694751574572782030287570280071809896532329742115422479473386147281509394

Solution:

p and q are close together.

import gmpy2
from Crypto.Util.number import *

n = 20159884168863899177128175715030429666461733285660170664255048579116265087763268748333820860913271674586980839088092697230336179818435879126554509868570255414201418619851045615744211750178240471758695923469393333600480843090831767416937814471973060610730578620506577745372347777922355677932755542699210313287595362584505135967456855068550375989801913361017083952090117041405458626488736811460716474071561590513778196334141517893224697977911862004615690183334216587398645213023148750443295007000911541566340284156527080509545145423451091853688188705902833261507474200445477515893168405730493924172626222872760780966427
c = 18440162368010249375653348677429595229051180035668845001125855048750591059785630865891877031796050869136099359028540172514890273415892550857190509410541828375948243175466417949548148007390803680005616875833010137407850955608659023797782656930905693262770473679394796595557898347900786445803645539553815614140428316398058138450937721961593146082399553119578102712100359284788650328835784603011091312735813903241087475279011862693938914825685547337081335030237385061397899718079346063519325222861490101383929790275635381333028091769118083102339908694751574572782030287570280071809896532329742115422479473386147281509394
e = 65537
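temp = gmpy2.iroot(n, 2)[0]  # floor(sqrt(n)) lies between the two consecutive primes
p = gmpy2.next_prime(temp)   # so the next prime above it is the larger factor
q = n // p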
phi = (p - 1) * (q - 1)
d = inverse(e, phi)
m = pow(c, d, n)
print(long_to_bytes(m))
# b'OSCTF{m4y_7h3_pR1m3_10v3_34cH_07h3r?}'

OSCTF{m4y_7h3_pR1m3_10v3_34cH_07h3r?}
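The sqrt-then-next_prime shortcut above depends on q being the very next prime after p. Fermat's method is the general form for any pair of close primes and works as an audit check on generated moduli. This is an added example, not part of the original writeup; the function names and the small sample moduli are constructed for illustration.

```python
from math import isqrt


def fermat_factor(n, max_steps=100_000):
    """Try to write odd n as a^2 - b^2 = (a - b)(a + b), starting at a = ceil(sqrt(n)).

    Returns (p, q, steps) on success, or None when no split is found within
    max_steps. The number of steps grows with (q - p)^2 / sqrt(n), so only moduli
    whose primes are close together fall quickly.
    """
    if n < 3 or n % 2 == 0:
        raise ValueError("expects an odd modulus")
    a = isqrt(n)
    if a * a < n:
        a += 1
    for step in range(1, max_steps + 1):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            return a - b, a + b, step
        a += 1
    return None


def has_close_primes(n, max_steps=100_000):
    """Key audit: True if n splits into two nontrivial factors within the step budget."""
    found = fermat_factor(n, max_steps)
    return found is not None and found[0] > 1


# Constructed sample moduli (small primes chosen for illustration, not from the challenge).
WEAK_N = 1000003 * 1000033      # primes 30 apart, mimicking q = nextprime(p)
SPREAD_N = 1009 * 1000003       # primes far apart

if __name__ == "__main__":
    print(fermat_factor(WEAK_N))                       # splits on the first step
    print(has_close_primes(SPREAD_N, max_steps=1000))  # budget exhausted, no split
```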

Efficient RSA

Challenge:

I have heard that the smaller, the more efficient (pun intended). But how well does that apply to Cryptography?

from Cryptodome.Util.number import *

Flag = bytes_to_long(b"REDACTED")

p = getPrime(112)
q = getPrime(112)
n = p * q
e = 65537

ciphertext = pow(Flag, e, n)

print([n, e, ciphertext])
# [13118792276839518668140934709605545144220967849048660605948916761813,65537,8124539402402728939748410245171419973083725701687225219471449051618]

Solution:

Factor n with yafu.

yafu-x64.exe factor(13118792276839518668140934709605545144220967849048660605948916761813)
from Cryptodome.Util.number import inverse, long_to_bytes

n = 13118792276839518668140934709605545144220967849048660605948916761813
c = 8124539402402728939748410245171419973083725701687225219471449051618
e = 65537
# Factors of n reported by yafu
p = 3058290486427196148217508840815579
q = 4289583456856434512648292419762447

phi = (p - 1) * (q - 1)
d = inverse(e, phi)
m = pow(c, d, n)
print(long_to_bytes(m))
# b'OSCTF{F4ct0r1Ng_F0r_L1f3}'

OSCTF{F4ct0r1Ng_F0r_L1f3}

OSINT

Vietnam Tourist 1

Challenge:

What a Mausoleum! It’s Ho Chi Minh Mausoleum or in Vietnamese is Lăng chủ tịch Hồ Chí Minh.

My tourist travel guide ask me some history questions, one of them is when was he born ? Would you mind finding the answer for me ?

Flag format: OSCTF{dd-mm-yyyy}

Solution:

Search for Ho Chi Minh.

OSCTF{19-05-1890}

Vietnam Tourist 2

Challenge:

Now I’m going back to my house, in my way back home, I found a building that look so huge. Do you know what is the name of that building

Flag format: OSCTF{name_of_the_building}

Solution:

OSCTF{ministry_of_foreign_affairs}