ASCIS 2022 - warm up
Note : A JOURNEY TO GAIN KNOWLEDGE
Crypto
I came, I saw, I conquered
chall
Work-flow
Brute-force the Caesar decryption -> with key 7 we get the plaintext
Note the capital letters
Write a short script to join them together
solve
Checksum
Chall
Work-flow
From the code we work out that we need to find a string whose crc32 matches the crc32 of FLAG
At this point we first enter arbitrary input to get the crc32 of the flag
Enter input several times to make sure the flag is not refreshed
Here we decode the hex and find that the crc32 we need is: 1706263782
When I first started, I was a bit unsure about challenge 1, so I jumped over to challenge 2 to scout it first. Unexpectedly the challenge had a bug: there was no else case to output the crc32 of FLAG. At that point I panicked a little and started thinking about how to brute force it.
I searched around a bit and found a few interesting documents, and was about to start coding ... when the organizers fixed the challenge and added the else branch. Everything lined up, and from here it was like a fish finding water :)).
I found this doc
Someone had already coded the tool, so all that was left was to change the target number and the length of the string to find
solve
A memento of a rare occasion: being the 2nd solve
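Added example, not part of the original write-up and not the tool it mentions: why a check of the form "same crc32 as FLAG" gives no protection. Four chosen bytes appended to any prefix force the checksum to a given target, while a digest comparison rejects the same input. The function names, the shape of the weak check and the sample secret are assumptions; this uses a suffix patch rather than the target-and-length search the write-up's tool performs.

```python
import hashlib, hmac, zlib

POLY = 0xEDB88320  # reflected CRC-32 polynomial used by zlib.crc32

def _make_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table

TABLE = _make_table()
# The top byte of every table entry is unique, so it identifies the entry.
BY_TOP = {v >> 24: i for i, v in enumerate(TABLE)}

def suffix_for(prefix: bytes, target: int) -> bytes:
    """Return 4 bytes s such that zlib.crc32(prefix + s) == target."""
    want = target ^ 0xFFFFFFFF              # register value before the final XOR
    reg, indices = want, []
    for _ in range(4):                      # walk back: recover the table indices
        i = BY_TOP[reg >> 24]
        indices.append(i)
        reg = ((reg ^ TABLE[i]) << 8) & 0xFFFFFFFF
    cur = zlib.crc32(prefix) ^ 0xFFFFFFFF   # register after the prefix
    out = bytearray()
    for i in reversed(indices):             # walk forward: bytes that select them
        out.append((cur ^ i) & 0xFF)
        cur = TABLE[i] ^ (cur >> 8)
    return bytes(out)

def crc_check(candidate: bytes, secret: bytes) -> bool:
    """Weak check (assumed shape): any input with the same CRC32 passes."""
    return zlib.crc32(candidate) == zlib.crc32(secret)

def digest_check(candidate: bytes, secret: bytes) -> bool:
    """Hardened check: constant-time comparison of SHA-256 digests."""
    a, b = hashlib.sha256(candidate).digest(), hashlib.sha256(secret).digest()
    return hmac.compare_digest(a, b)

if __name__ == "__main__":
    secret = b"CONSTRUCTED{not-the-real-flag}"   # constructed sample value
    forged = b"anything" + suffix_for(b"anything", zlib.crc32(secret))
    print(crc_check(forged, secret), digest_check(forged, secret))  # True False
    # The target value quoted in the write-up is reached the same way:
    print(zlib.crc32(b"x" + suffix_for(b"x", 1706263782)) == 1706263782)
```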
WEB
AscisStore1
chall
Work-flow
Poking around -> exploit SQLi at login
When logging in as a user that has been registered -> we are logged into the account with the corresponding username shown in the top-left corner
In the username field of the login form, try the classic payload:
At this point we notice the server responds with user
flag
Try with the following username (there is a space after the comment marker -- )
From this we can guess fairly confidently that the password of user flag is the secret we are looking for
Now we adjust the user part of the query to match the target, to avoid brute-forcing the wrong thing
'and' is used here to pin the password to the known username, which is:
flag
Using 'or' as above would lead to the case where the password returned by the query comes from the whole database -> wrong brute force
Here I do not compare in char form, because SQL does not distinguish uppercase from lowercase; that's right, 's' = 'S' is true. With 30 minutes left, a teammate shouted out and only then did I notice this and switch back to dec for the brute force; otherwise it would have been quite painful :)).
solve
AscisStore2
Chall
Work-flow
Poking around the new feature -> the profile feature allows uploading an image
Very likely file upload to RCE or path traversal
Try uploading a photo of my ex:
After uploading, we see that the path contains the file image.php, so there is no doubt left -> path traversal for sure
solve
Follow the path and just try every path traversal approach; the one that works is here:
Confession of a player
Sending my most sincere thanks to the bros on the team
It has been a long time since I had a feeling as fun as the first days of joining CTF
4 hours of competition - a fun day where I learned a lot; now it is time to retreat into seclusion
Thanks, bros.
Thanks for reading. Have a good day ❤️ !