ToB企服应用市场:ToB评测及商务社交产业平台

标题: PicoCTF2024 Web Writeup [打印本页]

---

作者: 悠扬随风    时间: 2024-6-14 22:26
标题: PicoCTF2024 Web Writeup
清一下存货
  Bookmarklet

web方向的签到题
打开以后能看到上图的代码
然后将其放到控制台运行就能出flag了

1. javascript:(function() {
2.   var encryptedFlag = "àÒÆަȬëÙ£Ö–ÓÚåÛÑ¢ÕÓ–¡›ÒŤ›í";
3.   var key = "picoctf";
4.   var decryptedFlag = "";
5.   for (var i = 0; i < encryptedFlag.length; i++) {
6.       decryptedFlag += String.fromCharCode((encryptedFlag.charCodeAt(i) - key.charCodeAt(i % key.length) + 256) % 256);
7.   }
8.   alert(decryptedFlag);
9. })();

复制代码

WebDecode

打开f12查几个页面，在about.html的一个隐秘的地方发现了一串秘密字符串

放进赛博厨子就能解出来
Unminify

使用burp的内置欣赏器打开f12即可，大概将f12后的源码直接复制到vscode中：

IntroToBurp

抽象题

Trickster

简单的文件上传，使用.png.php即可绕过
再不行就加个PNG头

改一下用蚁剑连就好
No SQL Injection

抽象题目2
使用burp
Nosql 注入从零到一_nosql注入-CSDN博客

Elements

接下来我要向您审慎介绍本次PicoCTF的抽象集大成者题目：Elements!
赛时：
如果对手是elements这种题目的话，可能会有点棘手呢？
会ak的！
你(elements)才是挑战者！
赛后：
没有让elements大人使出全力真是歉仄
好了，看下这个b题是啥玩意
配景是一个在线合成网站，将两种元素放在一起就能合成新元素，而体系给了我们四种初始元素
其源码如下：
index.mjs

1. import { createServer } from 'node:http';
2. import assert from 'node:assert';
3. import { spawn } from 'node:child_process';
4. import { mkdir, mkdtemp, writeFile, rm, readFile } from 'node:fs/promises';
5. import { tmpdir } from 'node:os';
6. import { join } from 'node:path';
8. const sleep = delay => new Promise(res => setTimeout(res, delay));
10. const html = await readFile('static/index.html', 'utf-8');
11. const js = await readFile('static/index.js', 'utf-8');
12. const flag = await readFile('flag.txt', 'utf-8');
14. let visiting = false;
16. async function visit(state) {
17.         if (visiting) return;
18.         visiting = true;
20.         state = {...state, flag }
21.        
22.         const userDataDir = await mkdtemp(join(tmpdir(), 'elements-'));
24.         await mkdir(join(userDataDir, 'Default'));
25.         await writeFile(join(userDataDir, 'Default', 'Preferences'), JSON.stringify({
26.                 net: {
27.                         network_prediction_options: 2
28.                 }
29.         }));
31.         const proc = spawn(
32.                 '/usr/bin/chromium-browser-unstable', [
33.                         `--user-data-dir=${userDataDir}`,
34.                         '--profile-directory=Default',
35.                         '--no-sandbox',
36.                         '--js-flags=--noexpose_wasm,--jitless',
37.                         '--disable-gpu',
38.                         '--no-first-run',
39.                         '--enable-experimental-web-platform-features',
40.                         `http://127.0.0.1:8080/#${Buffer.from(JSON.stringify(state)).toString('base64')}`
41.                 ],
42.                 { detached: true }
43.         )
45.         await sleep(10000);
46.         try {
47.                 process.kill(-proc.pid)
48.         } catch(e) {}
49.         await sleep(500);
51.         await rm(userDataDir, { recursive: true, force: true, maxRetries: 10 });
53.         visiting = false;
54. }
56. createServer((req, res) => {
57.         const url = new URL(req.url, 'http://127.0.0.1');
59.         const csp =  [
60.                 "default-src 'none'",
61.                 "style-src 'unsafe-inline'",
62.                 "script-src 'unsafe-eval' 'self'",
63.                 "frame-ancestors 'none'",
64.                 "worker-src 'none'",
65.                 "navigate-to 'none'"
66.         ]
68.         // no seriously, do NOT attack the online-mode server!
69.         // the solution literally CANNOT use it!
70.         if (req.headers.host !== '127.0.0.1:8080') {
71.                 csp.push("connect-src https://elements.attest.lol/");
72.         }
74.         res.setHeader('Content-Security-Policy', csp.join('; '));
75.         res.setHeader('Cross-Origin-Opener-Policy', 'same-origin');
76.         res.setHeader('X-Frame-Options', 'deny');
77.         res.setHeader('X-Content-Type-Options', 'nosniff');
79.         if (url.pathname === '/') {
80.                 res.setHeader('Content-Type', 'text/html');
81.                 return res.end(html);
82.         } else if (url.pathname === '/index.js') {
83.                 res.setHeader('Content-Type', 'text/javascript');
84.                 return res.end(js);
85.         } else if (url.pathname === '/remoteCraft') {
86.                 try {
87.                         const { recipe, xss } = JSON.parse(url.searchParams.get('recipe'));
88.                         console.log(recipe);
89.                         console.log(xss);
90.                         assert(typeof xss === 'string');
91.                         assert(xss.length < 300);
92.                         assert(recipe instanceof Array);
93.                         assert(recipe.length < 50);
94.                         for (const step of recipe) {
95.                                 console.log(step)
96.                                 assert(step instanceof Array);
97.                                 assert(step.length === 2);
98.                                 for (const element of step) {
99.                                         assert(typeof xss === 'string');
100.                                         assert(element.length < 50);
101.                                 }
102.                         }
103.                         visit({ recipe, xss });
104.                 } catch(e) {
105.                         console.error(e);
106.                         return res.writeHead(400).end('invalid recipe!');
107.                 }
108.                 return res.end('visiting!');
109.         }
111.         return res.writeHead(404).end('not found');
112. }).listen(8080);

复制代码

index.js (bot)
[code]// this entire thing is basically a knockoff of infinite craft
// https://neal.fun/infinite-craft/

const onlineHost = 'https://elements.attest.lol';

const buttons = document.getElementById('elements');

// these were all generated by ai, yes they have some really weird results
const recipes = [["Ash","Fire","Charcoal"],["Steam Engine","Water","Vapor"],["Brick Oven","Heat Engine","Oven"],["Steam Engine","Swamp","Sauna"],["Magma","Mud","Obsidian"],["Earth","Mud","Clay"],["Volcano","Water","Volcanic Rock"],["Brick","Fog","Cloud"],["Obsidian","Rain","Black Rain"],["Colorful Pattern","Fire","Rainbow Fire"],["Cloud","Obsidian","Storm"],["Ash","Obsidian","Volcanic Glass"],["Electricity","Haze","Static"],["Fire","Water","Steam"],["Dust","Rainbow","owder"],["Computer Chip","Steam Engine","Artificial Intelligence"],["Fire","Mud","Brick"],["Hot Spring","Swamp","Sulfur"],["Adobe","Graphic Design","Web Design"],["Colorful Interface","Data","Visualization"],["IoT","Security","Encryption"],["Colorful Pattern","Mosaic","atterned Design"],["Earth","Steam Engine","Excavator"],["Cloud Computing","Data","Data Mining"],["Earth","Water","Mud"],["Brick","Fire","Brick Oven"],["Colorful Pattern","Obsidian","Art"],["Rain","Steam Engine","Hydropower"],["Colorful Display","Graphic Design","Colorful Interface"],["Fire","Mist","Fog"],["Exploit","Web Design","XSS"],["Computer Chip","Hot Spring","Smart Thermostat"],["Earth","Fire","Magma"],["Air","Earth","Dust"],["Cloud","Rainbow","Rainbow Cloud"],["Dust","Heat Engine","Sand"],["Obsidian","Thunderstorm","Lightning Conductor"],["Cloud","Rain","Thunderstorm"],["Adobe","Cloud","Software"],["Hot Spring","Rainbow","Colorful Steam"],["Dust","Fire","Ash"],["Cement","Swamp","Marsh"],["Hot Tub","Mud","Mud Bath"],["Electricity","Glass","Computer Chip"],["Ceramic","Fire","Earthenware"],["Haze","Swamp","Fog Machine"],["Rain","Rainbow","Colorful Display"],["Brick","Water","Cement"],["Dust","Haze","Sandstorm"],["Ash","Hot Spring","Geothermal Energy"],["Ash Rock","Heat Engine","Mineral"],["Electricity","Software","rogram"],["Computer Chip","Fire","Data"],["Colorful Pattern","Swamp","Algae"],["Fog","Water","Rain"],["Rainbow Pool","Reflection","Color Spectrum"],["Artificial Intelligence","Data","Encryption"],["Internet","Smart Thermostat","IoT"],["Cinder","Heat Engine","Ash Rock"],["Brick","Swamp","Mudbrick"],["Computer Chip","Volcano","Data Mining"],["Obsidian","Water","Hot Spring"],["Computer Chip","Thunderstorm","ower Surge"],["Brick","Obsidian","aving Stone"],["User Input","Visualization","Interactive Design"],["Mist","Mud","Swamp"],["Geolocation","Wall","Map"],["Air","Rock","Internet"],["Computer Chip","Rain","Email"],["Fire","Rainbow","Colorful Flames"],["Hot Spring","Mineral Spring","Healing Water"],["Ceramic","Volcano","Lava Lamp"],["Brick Oven","Wall","Fireplace"],["Glass","Software","Vulnerability"],["Fog","Mud","Sludge"],["Fire","Marsh","S'mores"],["Artificial Intelligence","Data Mining","Machine Learning"],["Ash","Brick","Brick Kiln"],["Fire","Obsidian","Heat Resistant Material"],["Hot Spring","Sludge","Steam Engine"],["Artificial Intelligence","Computer Chip","Smart Device"],["Fire","Steam Engine","Heat Engine"],["Ash","Earth","Cinder"],["Rainbow","Reflection","Refraction"],["Encryption","Software","Cybersecurity"],["Graphic Design","Mosaic","Artwork"],["Colorful Display","Data Mining","Visualization"],["Hot Spring","Water","Mineral Spring"],["Rainbow","Swamp","Reflection"],["Air","Fire","Smoke"],["rogram","Smart HVAC System","Smart Thermostat"],["Haze","Obsidian","Blackout"],["Brick","Earth","Wall"],["Heat Engine","Steam Locomotive","Railway Engine"],["Ash","Thunderstorm","Volcanic Lightning"],["Mud","Water","Silt"],["Colorful Pattern","Hot Spring","Rainbow Pool"],["Fire","Sand","Glass"],["Art","Web Design","Graphic Design"],["Internet","Machine Learning","Smart HVAC System"],["Electricity","ower Surge","Overload"],["Colorful Pattern","Computer Chip","Graphic Design"],["Air","Water","Mist"],["Brick Oven","Cement","Concrete"],["Artificial Intelligence","Cloud","Cloud Computing"],["Computer Chip","Earth","Geolocation"],["Color Spectrum","Graphic Design","Colorful Interface"],["Internet","rogram","Web Design"],["Computer Chip","Overload","Circuit Failure"],["Data Mining","Geolocation","Location Tracking"],["Heat Engine","Smart Thermostat","Smart HVAC System"],["Brick","Mud","Adobe"],["Cloud","Dust","Rainbow"],["Hot Spring","Obsidian","Hot Tub"],["Steam Engine","Volcano","Geothermal Power Plant"],["Earth","Fog","Haze"],["Brick","Steam Engine","Steam Locomotive"],["Brick","Colorful Pattern","Mosaic"],["Hot Spring","Steam Engine","Electricity"],["Ash","Volcano","Volcanic Ash"],["Electricity","Water","Hydroelectric Power"],["Brick","Rainbow","Colorful Pattern"],["Silt","Volcano","Lava"],["Computer Chip","Software","rogram"],["Hot Spring","Thunderstorm","Lightning"],["Ash","Clay","Ceramic"],["Cybersecurity","Vulnerability","Exploit"],["Ash","Heat Engine","Ash Residue"],["Internet","Smart Device","Cloud Computing"],["Magma","Mist","Rock"],["Interactive Design","rogram","Smart Device"],["Computer Chip","Electricity","Software"],["Colorful Pattern","Graphic Design","Design Template"],["Fire","Magma","Volcano"],["Earth","Obsidian","Computer Chip"],["Geolocation","Location Tracking","Real-Time Positioning"]];

const elements = new Map([["Sauna","

---

欢迎光临 ToB企服应用市场:ToB评测及商务社交产业平台 (https://dis.qidao123.com/)

Powered by Discuz! X3.4