這篇是從我之前HackMD搬過來的
我剛好是出題者,也負責部分靶機和整個CTFd平臺的維護和架設,總的來說蠻好玩的
哥布林保衞部公告(Web) #
link 查看原始碼就好了,在註釋裡面 Just check the source code, it’s in the comments
Democracy(Web) #
題目描述: Problem description:
The Republic of Frank National Assembly needs your participation!
Head over here
提示: hint:
FOSS-Its means Open for what?
index.html source
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>我們來修法</title> <!--flagNH{NC-ItsFake}-->
</head>
<body>
<h1>我們來修法</h1>
<h2>Frank共和國-刑法之讀書罪</h2>
<h2>
I 讀書者,處五年以下有期徒刑、拘役或一百萬元以下罰金。</br>
II 犯前項之罪,因而取得國民小學、國民中學或高級中等學校畢業證書者,處三年以上十年以下有期徒刑;取得學士學位或以上證書者,處無期徒刑或七年以上有期徒刑。 </br>
III 第一項之未遂犯罰之。</br>
IV 預備犯第一項之罪者,處二年以下有期徒刑。</h2>
<a href="/next.html">
<button>我要附議!</button>
</a>
<script></script>
</body>
</html>
next.html source
<!DOCTYPE html>
<html lang="en">
<head>
<title></title>
</head>
<body>
<script>
(function(_0x1530b2,_0x25eae5){const _0xdd1554=_0x1d5d,_0x42a37d=_0x1530b2();while(!![]){try{const _0x1d1179=parseInt(_0xdd1554(0x154))/0x1*(parseInt(_0xdd1554(0x14f))/0x2)+parseInt(_0xdd1554(0x158))/0x3+parseInt(_0xdd1554(0x14e))/0x4+-parseInt(_0xdd1554(0x150))/0x5+parseInt(_0xdd1554(0x155))/0x6*(parseInt(_0xdd1554(0x14d))/0x7)+parseInt(_0xdd1554(0x157))/0x8*(parseInt(_0xdd1554(0x153))/0x9)+-parseInt(_0xdd1554(0x152))/0xa;if(_0x1d1179===_0x25eae5)break;else _0x42a37d['push'](_0x42a37d['shift']());}catch(_0x295f65){_0x42a37d['push'](_0x42a37d['shift']());}}}(_0x26c6,0x8eacd));function _0x26c6(){const _0x493e29=['3627595ecwUvD','location','24409390imErtQ','1674eJftVF','744XYYQZd','18mJJWtU','https://www.youtube.com/watch?v=dQw4w9WgXcQ&t=0s','47176PbUlsH','1796250tUXBLc','1051442HKnRWV','1936724tfzzCy','3012lhncSA'];_0x26c6=function(){return _0x493e29;};return _0x26c6();}const encryptedFlag=[0xef,0xdd,0xef,0xce,0x176,0x101,0x13d,0x128,0x161,0x7a,0x15e,0xd4,0x128,0x15e,0x170,0xfb,0x140,0x13a,0x13d,0x161,0xc2,0x17c];let flag='';function _0x1d5d(_0x2251e,_0x652fc3){const _0x26c671=_0x26c6();return _0x1d5d=function(_0x1d5dc4,_0x9d9d2d){_0x1d5dc4=_0x1d5dc4-0x14d;let _0x3d0f47=_0x26c671[_0x1d5dc4];return _0x3d0f47;},_0x1d5d(_0x2251e,_0x652fc3);}for(let t=0x0;t<encryptedFlag['length'];t++){const b=(encryptedFlag[t]-0x5)/0x3;flag+=String['fromCharCode'](b);}setTimeout(()=>{const _0x258376=_0x1d5d;window[_0x258376(0x151)]['href']=_0x258376(0x156);},0x1),setTimeout(()=>{console['log'](flag);},0x8);
//flagNHN{Cfake}
</script>
</body>
</html>
對上面的提供的next.html第8行(最長的)進行解混淆得到: Deobfuscate the provided line 8 (longest) of next.html to obtain:
const encryptedFlag = [
239,
221,
239,
206,
374,
257,
317,
296,
353,
122,
350,
212,
296,
350,
368,
251,
320,
314,
317,
353,
194,
380
];
let flag = '';
for (let t = 0; t < encryptedFlag.length; t++) {
const b = (encryptedFlag[t] - 5) / 3;
flag += String.fromCharCode(b);
}
setTimeout(() => {
window.location.href = 'https://www.youtube.com/watch?v=dQw4w9WgXcQ&t=0s';
}, 1);
setTimeout(() => {
console.log(flag);
}, 8);
拿下面那段掉然後看console.log Remove the following section then check console.log
setTimeout(() => {
window.location.href = 'https://www.youtube.com/watch?v=dQw4w9WgXcQ&t=0s';
}, 1);
或者直接計算ASCII Or directly calculate the ASCII
Example:
(380-5)/3 = 125
ASCII 125 = }
This carries a slight touch of malice(Forensics) #
題目描述: Problem description:
Identifying and promoting one's brand is a very serious matter
So, what form should it take? :)
提示: hint:
file at this website
and the route is /
在我們CTFd平臺主頁的源碼中檢查一下 (就是網站logo) Check the source code on the homepage of our CTFd platform (the website logo)
<img
class="img-responsive ctf_logo"
src="/files/8c857832a86f0f5178a9baf9b04177d8/hahaha.jpg"
alt="No Hack No CTF"
height="25"
>
然後就在strings裡面 Then, look in the strings
strings filename.jpg | grep NHNC