清一下存货
Bookmarklet
web方向的签到题
打开以后能看到上图的代码
然后将其放到控制台运行就能出flag了
- javascript:(function() {
- var encryptedFlag = "àÒÆަȬëÙ£Ö–ÓÚåÛÑ¢ÕÓ–¡›ÒŤ›í";
- var key = "picoctf";
- var decryptedFlag = "";
- for (var i = 0; i < encryptedFlag.length; i++) {
- decryptedFlag += String.fromCharCode((encryptedFlag.charCodeAt(i) - key.charCodeAt(i % key.length) + 256) % 256);
- }
- alert(decryptedFlag);
- })();
打开f12查几个页面,在about.html的一个隐秘的地方发现了一串秘密字符串
放进赛博厨子就能解出来
Unminify
使用burp的内置欣赏器打开f12即可,大概将f12后的源码直接复制到vscode中:
IntroToBurp
抽象题
Trickster
简单的文件上传,使用.png.php即可绕过
再不行就加个PNG头
改一下用蚁剑连就好
No SQL Injection
抽象题目2
使用burp
Nosql 注入从零到一_nosql注入-CSDN博客
Elements
接下来我要向您审慎介绍本次PicoCTF的抽象集大成者题目:Elements!
赛时:
如果对手是elements这种题目的话,可能会有点棘手呢?
会ak的!
你(elements)才是挑战者!
赛后:
没有让elements大人使出全力真是歉仄
好了,看下这个b题是啥玩意
配景是一个在线合成网站,将两种元素放在一起就能合成新元素,而体系给了我们四种初始元素
其源码如下:
index.mjs
- import { createServer } from 'node:http';
- import assert from 'node:assert';
- import { spawn } from 'node:child_process';
- import { mkdir, mkdtemp, writeFile, rm, readFile } from 'node:fs/promises';
- import { tmpdir } from 'node:os';
- import { join } from 'node:path';
- const sleep = delay => new Promise(res => setTimeout(res, delay));
- const html = await readFile('static/index.html', 'utf-8');
- const js = await readFile('static/index.js', 'utf-8');
- const flag = await readFile('flag.txt', 'utf-8');
- let visiting = false;
- async function visit(state) {
- if (visiting) return;
- visiting = true;
- state = {...state, flag }
-
- const userDataDir = await mkdtemp(join(tmpdir(), 'elements-'));
- await mkdir(join(userDataDir, 'Default'));
- await writeFile(join(userDataDir, 'Default', 'Preferences'), JSON.stringify({
- net: {
- network_prediction_options: 2
- }
- }));
- const proc = spawn(
- '/usr/bin/chromium-browser-unstable', [
- `--user-data-dir=${userDataDir}`,
- '--profile-directory=Default',
- '--no-sandbox',
- '--js-flags=--noexpose_wasm,--jitless',
- '--disable-gpu',
- '--no-first-run',
- '--enable-experimental-web-platform-features',
- `http://127.0.0.1:8080/#${Buffer.from(JSON.stringify(state)).toString('base64')}`
- ],
- { detached: true }
- )
- await sleep(10000);
- try {
- process.kill(-proc.pid)
- } catch(e) {}
- await sleep(500);
- await rm(userDataDir, { recursive: true, force: true, maxRetries: 10 });
- visiting = false;
- }
- createServer((req, res) => {
- const url = new URL(req.url, 'http://127.0.0.1');
- const csp = [
- "default-src 'none'",
- "style-src 'unsafe-inline'",
- "script-src 'unsafe-eval' 'self'",
- "frame-ancestors 'none'",
- "worker-src 'none'",
- "navigate-to 'none'"
- ]
- // no seriously, do NOT attack the online-mode server!
- // the solution literally CANNOT use it!
- if (req.headers.host !== '127.0.0.1:8080') {
- csp.push("connect-src https://elements.attest.lol/");
- }
- res.setHeader('Content-Security-Policy', csp.join('; '));
- res.setHeader('Cross-Origin-Opener-Policy', 'same-origin');
- res.setHeader('X-Frame-Options', 'deny');
- res.setHeader('X-Content-Type-Options', 'nosniff');
- if (url.pathname === '/') {
- res.setHeader('Content-Type', 'text/html');
- return res.end(html);
- } else if (url.pathname === '/index.js') {
- res.setHeader('Content-Type', 'text/javascript');
- return res.end(js);
- } else if (url.pathname === '/remoteCraft') {
- try {
- const { recipe, xss } = JSON.parse(url.searchParams.get('recipe'));
- console.log(recipe);
- console.log(xss);
- assert(typeof xss === 'string');
- assert(xss.length < 300);
- assert(recipe instanceof Array);
- assert(recipe.length < 50);
- for (const step of recipe) {
- console.log(step)
- assert(step instanceof Array);
- assert(step.length === 2);
- for (const element of step) {
- assert(typeof xss === 'string');
- assert(element.length < 50);
- }
- }
- visit({ recipe, xss });
- } catch(e) {
- console.error(e);
- return res.writeHead(400).end('invalid recipe!');
- }
- return res.end('visiting!');
- }
- return res.writeHead(404).end('not found');
- }).listen(8080);
[code]// this entire thing is basically a knockoff of infinite craft
// https://neal.fun/infinite-craft/
const onlineHost = 'https://elements.attest.lol';
const buttons = document.getElementById('elements');
// these were all generated by ai, yes they have some really weird results
const recipes = [["Ash","Fire","Charcoal"],["Steam Engine","Water","Vapor"],["Brick Oven","Heat Engine","Oven"],["Steam Engine","Swamp","Sauna"],["Magma","Mud","Obsidian"],["Earth","Mud","Clay"],["Volcano","Water","Volcanic Rock"],["Brick","Fog","Cloud"],["Obsidian","Rain","Black Rain"],["Colorful Pattern","Fire","Rainbow Fire"],["Cloud","Obsidian","Storm"],["Ash","Obsidian","Volcanic Glass"],["Electricity","Haze","Static"],["Fire","Water","Steam"],["Dust","Rainbow"," owder"],["Computer Chip","Steam Engine","Artificial Intelligence"],["Fire","Mud","Brick"],["Hot Spring","Swamp","Sulfur"],["Adobe","Graphic Design","Web Design"],["Colorful Interface","Data","Visualization"],["IoT","Security","Encryption"],["Colorful Pattern","Mosaic","atterned Design"],["Earth","Steam Engine","Excavator"],["Cloud Computing","Data","Data Mining"],["Earth","Water","Mud"],["Brick","Fire","Brick Oven"],["Colorful Pattern","Obsidian","Art"],["Rain","Steam Engine","Hydropower"],["Colorful Display","Graphic Design","Colorful Interface"],["Fire","Mist","Fog"],["Exploit","Web Design","XSS"],["Computer Chip","Hot Spring","Smart Thermostat"],["Earth","Fire","Magma"],["Air","Earth","Dust"],["Cloud","Rainbow","Rainbow Cloud"],["Dust","Heat Engine","Sand"],["Obsidian","Thunderstorm","Lightning Conductor"],["Cloud","Rain","Thunderstorm"],["Adobe","Cloud","Software"],["Hot Spring","Rainbow","Colorful Steam"],["Dust","Fire","Ash"],["Cement","Swamp","Marsh"],["Hot Tub","Mud","Mud Bath"],["Electricity","Glass","Computer Chip"],["Ceramic","Fire","Earthenware"],["Haze","Swamp","Fog Machine"],["Rain","Rainbow","Colorful Display"],["Brick","Water","Cement"],["Dust","Haze","Sandstorm"],["Ash","Hot Spring","Geothermal Energy"],["Ash Rock","Heat Engine","Mineral"],["Electricity","Software","rogram"],["Computer Chip","Fire","Data"],["Colorful Pattern","Swamp","Algae"],["Fog","Water","Rain"],["Rainbow Pool","Reflection","Color Spectrum"],["Artificial Intelligence","Data","Encryption"],["Internet","Smart Thermostat","IoT"],["Cinder","Heat Engine","Ash Rock"],["Brick","Swamp","Mudbrick"],["Computer Chip","Volcano","Data Mining"],["Obsidian","Water","Hot Spring"],["Computer Chip","Thunderstorm","ower Surge"],["Brick","Obsidian","aving Stone"],["User Input","Visualization","Interactive Design"],["Mist","Mud","Swamp"],["Geolocation","Wall","Map"],["Air","Rock","Internet"],["Computer Chip","Rain","Email"],["Fire","Rainbow","Colorful Flames"],["Hot Spring","Mineral Spring","Healing Water"],["Ceramic","Volcano","Lava Lamp"],["Brick Oven","Wall","Fireplace"],["Glass","Software","Vulnerability"],["Fog","Mud","Sludge"],["Fire","Marsh","S'mores"],["Artificial Intelligence","Data Mining","Machine Learning"],["Ash","Brick","Brick Kiln"],["Fire","Obsidian","Heat Resistant Material"],["Hot Spring","Sludge","Steam Engine"],["Artificial Intelligence","Computer Chip","Smart Device"],["Fire","Steam Engine","Heat Engine"],["Ash","Earth","Cinder"],["Rainbow","Reflection","Refraction"],["Encryption","Software","Cybersecurity"],["Graphic Design","Mosaic","Artwork"],["Colorful Display","Data Mining","Visualization"],["Hot Spring","Water","Mineral Spring"],["Rainbow","Swamp","Reflection"],["Air","Fire","Smoke"],["rogram","Smart HVAC System","Smart Thermostat"],["Haze","Obsidian","Blackout"],["Brick","Earth","Wall"],["Heat Engine","Steam Locomotive","Railway Engine"],["Ash","Thunderstorm","Volcanic Lightning"],["Mud","Water","Silt"],["Colorful Pattern","Hot Spring","Rainbow Pool"],["Fire","Sand","Glass"],["Art","Web Design","Graphic Design"],["Internet","Machine Learning","Smart HVAC System"],["Electricity","ower Surge","Overload"],["Colorful Pattern","Computer Chip","Graphic Design"],["Air","Water","Mist"],["Brick Oven","Cement","Concrete"],["Artificial Intelligence","Cloud","Cloud Computing"],["Computer Chip","Earth","Geolocation"],["Color Spectrum","Graphic Design","Colorful Interface"],["Internet","rogram","Web Design"],["Computer Chip","Overload","Circuit Failure"],["Data Mining","Geolocation","Location Tracking"],["Heat Engine","Smart Thermostat","Smart HVAC System"],["Brick","Mud","Adobe"],["Cloud","Dust","Rainbow"],["Hot Spring","Obsidian","Hot Tub"],["Steam Engine","Volcano","Geothermal Power Plant"],["Earth","Fog","Haze"],["Brick","Steam Engine","Steam Locomotive"],["Brick","Colorful Pattern","Mosaic"],["Hot Spring","Steam Engine","Electricity"],["Ash","Volcano","Volcanic Ash"],["Electricity","Water","Hydroelectric Power"],["Brick","Rainbow","Colorful Pattern"],["Silt","Volcano","Lava"],["Computer Chip","Software","rogram"],["Hot Spring","Thunderstorm","Lightning"],["Ash","Clay","Ceramic"],["Cybersecurity","Vulnerability","Exploit"],["Ash","Heat Engine","Ash Residue"],["Internet","Smart Device","Cloud Computing"],["Magma","Mist","Rock"],["Interactive Design","rogram","Smart Device"],["Computer Chip","Electricity","Software"],["Colorful Pattern","Graphic Design","Design Template"],["Fire","Magma","Volcano"],["Earth","Obsidian","Computer Chip"],["Geolocation","Location Tracking","Real-Time Positioning"]];
const elements = new Map([["Sauna"," |
