kanyewest CTF

Notes on what I have studied.

MaidakeCTF2020: Write up

Web

爆速 (Blazing Fast)

Pressing the get flag button redirected me away and straight back in an instant, so I put a proxy in between and looked at the traffic in Burp.

MaidakeCTF{Kirito_is_said_to_be_able_to_go_720km/h_when_he_uses_his_sword_skill}

低速 (Low Speed)

The displayed value changes on every reload.

The only element that displays it is

<p class="text-center my-5" id="flag"></p>

so I looked at the JavaScript:

function rot(str, num) {const _0x57c5=['map','join','split','call','charCodeAt','fromCharCode'];(function(_0x2715ea,_0x57c505){const _0x5c66c7=function(_0x36a3ac){while(--_0x36a3ac){_0x2715ea['push'](_0x2715ea['shift']());}};_0x5c66c7(++_0x57c505);}(_0x57c5,0x74));const _0x5c66=function(_0x2715ea,_0x57c505){_0x2715ea=_0x2715ea-0x0;let _0x5c66c7=_0x57c5[_0x2715ea];return _0x5c66c7;};const _0x2feb07=_0x5c66;let i=[];i=str[_0x2feb07('0x0')]('');return i[_0x2feb07('0x4')][_0x2feb07('0x1')](i,function(_0x36a3ac){const _0x25d8c5=_0x2feb07;x=_0x36a3ac[_0x25d8c5('0x2')](0x0);if(0x41<=x&&x<0x4e||0x61<=x&&x<0x6e)return String[_0x25d8c5('0x3')](x+num);else{if(0x4e<=x&&x<=0x5a||0x6e<=x&&x<=0x7a)return String[_0x25d8c5('0x3')](x-num);}return String[_0x25d8c5('0x3')](x);})[_0x2feb07('0x5')]('');return i;}
const _0x32f5=['forEach','floor','fromCharCode'];(function(_0x8b6703,_0x32f579){const _0x55c0f1=function(_0x213f5c){while(--_0x213f5c){_0x8b6703['push'](_0x8b6703['shift']());}};_0x55c0f1(++_0x32f579);}(_0x32f5,0x16c));const _0x55c0=function(_0x8b6703,_0x32f579){_0x8b6703=_0x8b6703-0x0;let _0x55c0f1=_0x32f5[_0x8b6703];return _0x55c0f1;};const _0x3d349f=_0x55c0,rgrigrjar=[0x4d,0x61,0x69,0x64,0x61,0x6b,0x65,0x43,0x54,0x46,0x7b,0x44,0x65,0x63,0x69,0x70,0x68,0x65,0x72,0x69,0x6e,0x67,0x5f,0x6f,0x62,0x66,0x75,0x73,0x63,0x61,0x74,0x65,0x64,0x5f,0x63,0x6f,0x64,0x65,0x5f,0x62,0x79,0x5f,0x79,0x6f,0x75,0x72,0x73,0x65,0x6c,0x66,0x5f,0x69,0x73,0x5f,0x61,0x5f,0x63,0x68,0x61,0x6c,0x6c,0x65,0x6e,0x67,0x65,0x7d];let frgtrghgdtha='';rgrigrjar[_0x3d349f('0x2')](_0x213f5c=>{const _0x305999=_0x3d349f,_0x222ace=Math[_0x305999('0x0')](Math['random']()*0xa)+0x1;frgtrghgdtha+=rot(String[_0x305999('0x1')](_0x213f5c),_0x222ace);});
$('#flag').text(frgtrghgdtha);
rgrigrjar=[0x4d,0x61,0x69,0x64,0x61,0x6b,0x65,0x43,0x54,0x46,0x7b,0x44,0x65,0x63,0x69,0x70,0x68,0x65,0x72,0x69,0x6e,0x67,0x5f,0x6f,0x62,0x66,0x75,0x73,0x63,0x61,0x74,0x65,0x64,0x5f,0x63,0x6f,0x64,0x65,0x5f,0x62,0x79,0x5f,0x79,0x6f,0x75,0x72,0x73,0x65,0x6c,0x66,0x5f,0x69,0x73,0x5f,0x61,0x5f,0x63,0x68,0x61,0x6c,0x6c,0x65,0x6e,0x67,0x65,0x7d]

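This array looks like the flag, and the script seems to transform it in various ways before printing it. All that is left is to map each value to its ASCII character.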

MaidakeCTF{Deciphering_obfuscated_code_by_yourself_is_a_challenge}
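
The steps above carried through as an added example (not code from the original write-up or the challenge author): it resolves the two rotated string tables the obfuscated script uses for property names, restates rot() with those names substituted back in, and decodes rgrigrjar. The names resolveTable, rendered, decodeFlag and the rng parameter are introduced here for illustration; the tables, seeds and array are copied from the script above.

```javascript
// Added example. The obfuscated script calls its rotate helper with ++seed
// and loops while(--n), so each table is rotated left exactly `seed` times.
function resolveTable(table, seed) {
  const t = table.slice();
  for (let n = seed + 1; --n; ) t.push(t.shift());
  return t;
}

// Tables and seeds copied from the challenge script.
const rotNames = resolveTable(
  ['map', 'join', 'split', 'call', 'charCodeAt', 'fromCharCode'], 0x74);
const mainNames = resolveTable(['forEach', 'floor', 'fromCharCode'], 0x16c);

// rot() with the table lookups replaced by the resolved property names:
// letters A-M / a-m are shifted up by num, N-Z / n-z are shifted down by num.
function rot(str, num) {
  return str.split('').map((ch) => {
    const x = ch.charCodeAt(0);
    if ((0x41 <= x && x < 0x4e) || (0x61 <= x && x < 0x6e)) return String.fromCharCode(x + num);
    if ((0x4e <= x && x <= 0x5a) || (0x6e <= x && x <= 0x7a)) return String.fromCharCode(x - num);
    return String.fromCharCode(x);
  }).join('');
}

// The character-code array from the script.
const rgrigrjar = [0x4d,0x61,0x69,0x64,0x61,0x6b,0x65,0x43,0x54,0x46,0x7b,0x44,0x65,0x63,0x69,0x70,0x68,0x65,0x72,0x69,0x6e,0x67,0x5f,0x6f,0x62,0x66,0x75,0x73,0x63,0x61,0x74,0x65,0x64,0x5f,0x63,0x6f,0x64,0x65,0x5f,0x62,0x79,0x5f,0x79,0x6f,0x75,0x72,0x73,0x65,0x6c,0x66,0x5f,0x69,0x73,0x5f,0x61,0x5f,0x63,0x68,0x61,0x6c,0x6c,0x65,0x6e,0x67,0x65,0x7d];

// What the page writes into #flag: every character gets its own random
// shift of 1..10, which is why the text differs on each reload.
function rendered(codes, rng = Math.random) {
  let out = '';
  codes.forEach((c) => {
    out += rot(String.fromCharCode(c), Math.floor(rng() * 10) + 1);
  });
  return out;
}

// The array itself is never scrambled, so mapping codes to ASCII is enough.
function decodeFlag(codes) {
  return String.fromCharCode(...codes);
}

console.log(rotNames, mainNames);
console.log('rendered:', rendered(rgrigrjar));
console.log('decoded: ', decodeFlag(rgrigrjar));
```
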

社内用検索エンジン (Internal Search Engine)

I tried a search with an arbitrary term.

However, in

https://aokakes.work/MaidakeCTF2020/shanai/?page=eyJpcCI6IjE4My4xODAuMTA1LjMwIiwidGFyZ2V0IjoidGVzdCJ9

the base64-encoded string passed in the page parameter specifies the IP address and the search term, so it should be enough to specify the IP address of aokakes.work there.

$ nslookup aokakes.work
Server:     192.168.2.1
Address:    192.168.2.1#53

Non-authoritative answer:
Name:   aokakes.work
Address: 18.177.12.46
$ echo -n '{"ip":"18.177.12.46","target":"test"}' | base64
eyJpcCI6IjE4LjE3Ny4xMi40NiIsInRhcmdldCI6InRlc3QifQ==

Just pass this as the query string and send a GET request.

Misc

SVG

$ cat flag.svg
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg
   xmlns:dc="http://purl.org/dc/elements/1.1/"
   xmlns:cc="http://creativecommons.org/ns#"
   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
   xmlns:svg="http://www.w3.org/2000/svg"
   xmlns="http://www.w3.org/2000/svg"
   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
   sodipodi:docname="flag.svg"
   inkscape:version="1.0 (4035a4fb49, 2020-05-01)"
   id="svg8"
   version="1.1"
   viewBox="0 0 1058.3334 396.875"
   height="396.875mm"
   width="1058.3334mm"
   flag="MaidakeCTF{SVG_images_are_composed_of_XML}">

焼き肉W (Yakiniku W)

I was pressing things at random and the flag came out, so I don't really understand it.