PicoCTF Level2 WriteUp

Web

My First SQL

The page is a login form, so the first thing to try is a classic always-true ("universal") password.

admin
'or'1'='1

The login succeeds.

The SQL query the server ends up executing is therefore:
select * from users where user = 'admin' and pass = ''or'1'='1';

flag:be_careful_what_you_let_people_ask_1b3db77df6b116a38db8ceb7c81cb14c

TW_GR_E1_ART

Oh, sweet, they made a spinoff game to Toaster Wars! That last room has a lot of flags in it though. I wonder which is the right one...? Check it out here.
HINTS
I think this game is running on a Node.js server. If it's configured poorly, you may be able to access the server's source. If my memory serves me correctly, Node servers have a special file that lists dependencies and a start command; maybe you can use that file to figure out where the other files are?

The challenge is a JavaScript game running on a Node.js server. After playing for a while I found a lot of flags on floor 4; picking one at random destroyed all of my items, so it was probably a fake flag...

After reading a writeup: every Node.js server has a package.json that stores its configuration, so let's request that first and see what it reveals.

{
    "name": "rogue-1",
    "version": "1.0.0",
    "main": "server/serv.js",
    "dependencies": {
        "beautiful-log": "^1.3.0",
        "body-parser": "^1.16.0",
        "callsite": "^1.0.0",
        "clone": "^2.1.0",
        "colors": "^1.1.2",
        "cookie-parser": "^1.4.3",
        "deep-diff": "^0.3.4",
        "dequeue": "^1.0.5",
        "express": "^4.14.1",
        "mongodb": "^2.2.25",
        "morgan": "^1.7.0",
        "nconf": "^0.8.4",
        "promise": "^7.1.1",
        "socket.io": "^1.7.2",
        "sprintf": "^0.1.5"
    },
    "devDependencies": {},
    "scripts": {
        "prestart": "node server/init.js",
        "start": "node server/serv.js"
    }
}

CRYPTOGRAPHY

SoRandom

Challenge:
We found sorandom.py running at shell2017.picoctf.com:37968. It seems to be outputting the flag but randomizing all the characters first. Is there anyway to get back the original flag?
Update (text only) 16:16 EST 1 Apr Running python 2 (same version as on the server)
HINTS
How random can computers be?

Encryption script (as given by the challenge):

#!/usr/bin/python -u
import random,string
flag = "FLAG:"+open("flag", "r").read()[:-1]
encflag = ""
random.seed("random")
for c in flag:
    if c.islower():
        #rotate number around alphabet a random amount
        encflag += chr((ord(c)-ord('a')+random.randrange(0,26))%26 + ord('a'))
    elif c.isupper():
        encflag += chr((ord(c)-ord('A')+random.randrange(0,26))%26 + ord('A'))
    elif c.isdigit():
        encflag += chr((ord(c)-ord('0')+random.randrange(0,10))%10 + ord('0'))
    else:
        encflag += c
print "Unguessably Randomized Flag: "+encflag

Connecting to the given port with nc from a terminal returned: BNZQ:jn0y1313td7975784y0361tp3xou1g44

The encryption script appears to use random numbers, but it calls seed() with a fixed value, so the generated sequence is always the same; all that is needed is to replay the sequence and apply the shifts in reverse. Note that Python's random numbers differ between Windows and Linux, so this script must be run on Linux.

Decryption script:

#!/usr/bin/python -u
import random,string
flag = ""
encflag = "BNZQ:jn0y1313td7975784y0361tp3xou1g44"
random.seed("random")  # same fixed seed as the server, so the same stream is produced
for c in encflag:
    if c.islower():
        #rotate number back around alphabet by the same random amount
        flag += chr((ord(c)-ord('a')+26-random.randrange(0,26))%26 + ord('a'))
    elif c.isupper():
        flag += chr((ord(c)-ord('A')+26-random.randrange(0,26))%26 + ord('A'))
    elif c.isdigit():
        flag += chr((ord(c)-ord('0')+10-random.randrange(0,10))%10 + ord('0'))
    else:
        flag += c
print flag

flag:FLAG:ac8c0490fb0508767f1625cb8cea8c34
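As an added example (not the writeup's own scripts), here is a Python 3 version of the same shift cipher written as functions: it shows that the keystream depends only on the seed, so anyone who can rebuild the seeded generator can undo the shifts, and that drawing the seed from `secrets` per message removes that property. The flag string is constructed for the demo, and because Python 3 seeds string values differently from Python 2 this will not reproduce the server's exact output.

```python
import random
import secrets

# Constructed sample flag for the demo; not the challenge's real flag.
SAMPLE_FLAG = "FLAG:ab12cd34"

def shift_chars(text, rng, direction):
    """Shift each letter or digit by a value drawn from rng (+1 encodes, -1 decodes).

    Other characters pass through and draw no random value, exactly as the
    server does, so encoder and decoder stay aligned character by character.
    """
    out = []
    for c in text:
        if c.islower():
            base, span = ord("a"), 26
        elif c.isupper():
            base, span = ord("A"), 26
        elif c.isdigit():
            base, span = ord("0"), 10
        else:
            out.append(c)
            continue
        out.append(chr((ord(c) - base + direction * rng.randrange(0, span)) % span + base))
    return "".join(out)

def encode(text, seed):
    return shift_chars(text, random.Random(seed), +1)

def decode(enc, seed):
    # The writeup's attack: rebuild the generator from the known seed and subtract.
    return shift_chars(enc, random.Random(seed), -1)

def keystream(seed, n):
    """First n shift values a seed yields; identical on every call, which is the flaw."""
    rng = random.Random(seed)
    return [rng.randrange(0, 26) for _ in range(n)]

def encode_with_secret_seed(text):
    """Mitigation: seed from a fresh unpredictable secret per message; only the
    holder of that secret can replay the stream."""
    seed = secrets.randbits(128)
    return encode(text, seed), seed

if __name__ == "__main__":
    enc = encode(SAMPLE_FLAG, "random")
    print(enc, "->", decode(enc, "random"))
```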