Competition dates: 250322-250326

Beginner

Reverse

OverAndOver - Crypto

Drop the input into CyberChef and keep Base64-decoding it until the flag appears.

EtTuCaesar - Crypto

PicturePerfect - Forensics

Right-click the image and open its Properties; the flag is visible under the Details tab.

DigginDir - Forensics

After extracting the archive, the flag is presumably in a text file somewhere in the directory tree. Use the Windows findstr command to search recursively for the flag prefix, wctf:

findstr /s "wctf" *

p0wn3d - Pwn

The challenge code is as follows:

#include <stdio.h>
#include <string.h>
#include <unistd.h>

struct __attribute__((__packed__)) data {
    char buf[32];
    int guard;
};

void ignore(void)
{
    setvbuf(stdout, NULL, _IONBF, 0);
    setvbuf(stdin, NULL, _IONBF, 0);
}

void get_flag(void)
{
    char flag[1024] = { 0 };
    FILE *fp = fopen("flag.txt", "r");
    fgets(flag, 1023, fp);
    printf(flag);
}

int main(void)
{
    struct data first_words;
    ignore(); /* ignore this function */
    printf("Hello little p0wn3r. Do you have any first words?\n");
    fgets(first_words.buf, 64, stdin);
    sleep(2);
    puts("Man that is so cute");
    sleep(2);
    puts("I remember last year people were screaming at the little p0wn3rs.. like AAAAAAAAAAAAAAAAAAAAAAAAAAAAA!");
    sleep(2);
    puts("Don't worry little one. I won't let them do that to you. I've set up a guard");
    if (first_words.guard == 0x42424242) {
        get_flag();
    }
    return 0;
}

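The code defines a packed struct whose first 32 bytes are buf, immediately followed by guard. In main, the read into buf is limited to 64 bytes (fgets(first_words.buf, 64, stdin)) rather than the 32 that buf can hold, so after filling buf with 32 bytes of A, 4 more bytes of B overflow into guard.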
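The following is an added example, not part of the challenge source: it reproduces the struct layout and compares the challenge's fgets bound of 64 with a bound taken from sizeof the buffer. The union frame, the tmpfile() stand-in for stdin and all function names are assumptions made for this demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same layout as the challenge: packed, so guard sits right after buf. */
struct __attribute__((__packed__)) data { char buf[32]; int guard; };

/* Assumption for this demo: 64 bytes of backing storage, so the oversized
 * read lands in memory the example owns instead of corrupting the stack. */
union frame { struct data d; char raw[64]; };

size_t guard_offset(void) { return offsetof(struct data, guard); }

/* Feed input to fgets with the given bound, then report guard's value. */
static int guard_after_fgets(const char *input, int bound)
{
    union frame f;
    FILE *fp = tmpfile();        /* constructed stand-in for stdin */
    int guard = -1;              /* -1 signals an I/O failure */
    memset(&f, 0, sizeof f);     /* guard starts at 0 */
    if (fp == NULL)
        return guard;
    if (fputs(input, fp) != EOF) {
        rewind(fp);
        if (fgets(f.raw, bound, fp) != NULL)
            guard = f.d.guard;
    }
    fclose(fp);
    return guard;
}

/* Bound used by the challenge: 64 bytes into a 32-byte buffer. */
int guard_with_challenge_bound(const char *in) { return guard_after_fgets(in, 64); }

/* Hardened: the bound is derived from the destination buffer itself. */
int guard_with_sizeof_bound(const char *in)
{
    return guard_after_fgets(in, (int)sizeof(((struct data *)0)->buf));
}

int main(void)
{
    char in[40];
    memset(in, 'A', 32);             /* constructed input: fills buf */
    memcpy(in + 32, "BBBB\n", 6);    /* four more bytes, then newline */
    printf("guard offset %zu, bound 64: %#x, bound sizeof(buf): %#x\n", guard_offset(),
           (unsigned)guard_with_challenge_bound(in), (unsigned)guard_with_sizeof_bound(in));
    return 0;
}
```

With the sizeof bound, fgets stops after 31 characters plus the terminating NUL, so guard keeps its initial value.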

Forensics

Passwords

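The download is a .kdbx file, which a search identifies as a KeePass database file. Use keepass2john to extract the hash of the KeePass password:

keepass2john Database.kdbx >> hash.txt

Then crack it with hashcat (the leading "Database:" prefix has to be removed from the hash first):

hashcat -m 13400 hash.txt -a 0 rockyou.txt

This recovers the password. Open the database in KeePass with that password and look through the entries to find the flag.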

Active 1: Domain Access

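Part 1

User dan's desktop contains a trojan file and some output files. The asreproast output contains the first part of the flag, and the hash of user emily's password was found there as well.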

Misc

Eval is Evil

The challenge is as follows:

import random

def main():
    print("Let's play a game, I am thinking of a number between 0 and", 2 ** 64, "\n")
    try:
        guess = eval(input("What is the number?: "))
    except:
        guess = 0
    correct = random.randint(0, 2**64)
    if (guess == correct):
        print("\nCorrect! You won the flag!")
        flag = open("flag.txt", "r").readline()
        print(flag)
    else:
        print("\nYou lost lol")

main()

This turns out to be a pyjail with no filtering at all, so __import__("os").system("cat flag.txt") solves it immediately.