Author: 颖奇L'Amore

Blog: www.gem-love.com


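Typeracer (119pt)

A nicely designed challenge; the author even went to the trouble of shuffling the order of the words.

First grab the elements and sort them, then use JS to simulate keyboard events and type the text in. Done in a second. Exploit: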

/*
 * Author: 颖奇L'Amore
 * Blog: www.gem-love.com
 */

// Map each word's CSS `order` value to the word's text
var obj = {}
var children = document.getElementById('Ym9iYmF0ZWEh').children
for (var i = 0; i < children.length; i++) {
	var order = children[i].style.order
	var content = children[i].innerHTML.replace(" ", "")
	obj[order] = content
}

// Join the words in ascending numeric order of `order`
var str = Object.keys(obj)
	.sort(function (a, b) { return a - b })
	.map(function (k) { return obj[k] })
	.join(' ')
console.log(str)

// Replay the sentence as synthetic keypress events, one per character
// event = document.createEvent("KeyboardEvent");
for (var i = 0; i < str.length; i++) {
	var keyprs = {
		char: str[i],
		keyCode: str[i].charCodeAt(0),
		bubbles: false,
		cancelable: false,
		shiftKey: false
	}
	// document.getElementsByTagName('textarea')[0].dispatchEvent(new KeyboardEvent('keypress', keyprs));
	document.dispatchEvent(new KeyboardEvent('keypress', keyprs))
}

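Imitation Crab (448pt)

Guesswork rating: ★★★☆☆

The challenge is a keyboard simulator. A scanner turned up robots.txt, and from there I downloaded export.har. Some research turned up the following:

Chrome, a star among browsers, has full-featured network debugging and can of course capture HTTP messages; the traffic it captures can be saved in HAR format.

Analysis shows that something was apparently being typed, but what is recorded is each character's ASCII code.

So extract these ASCII codes and see what they spell: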

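#!/usr/bin/ruby -w
#-*- coding:utf-8 -*-
#__author__: 颖奇L'Amore www.gem-love.com

# Split the file at the start of each JSON request body ("text": "{...")
har = File.read('export.har').split(/\"text\"\:\ \"\{/)
har.each do |ch|
	begin
		# Characters 9..10 of each chunk hold the two-digit ASCII code
		print Integer(ch[9..10]).chr
	rescue
		# Chunk does not start with a keystroke body; skip it
		nil
	end
end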

Result: RGBCTF H4R F1L3S 4R3 2UP3R US3FU1

flag: rgbCTF{H4R_F1L3S_4R3_2UP3R_US3FU1}
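
A sturdier version of the extraction above, as an added example that is not part of the original post: it parses the HAR as JSON (the standard log.entries[].request.postData.text path) instead of splitting on a fixed string, so three-digit codes, out-of-order entries and non-keystroke requests are handled. The sample HAR is constructed, and the body key `char` is an assumption about the challenge's request format.

```ruby
require 'json'
require 'time'

# Constructed sample HAR (not the challenge's export.har). The body key
# "char" is an assumption; any JSON object holding one ASCII code works.
SAMPLE_HAR = JSON.generate(
  'log' => { 'entries' => [
    # Deliberately out of order to show sorting by startedDateTime.
    { 'startedDateTime' => '2020-07-11T10:00:02.000Z',
      'request' => { 'method' => 'POST', 'postData' => { 'text' => '{"char":33}' } } },
    { 'startedDateTime' => '2020-07-11T10:00:00.000Z',
      'request' => { 'method' => 'POST', 'postData' => { 'text' => '{"char":72}' } } },
    { 'startedDateTime' => '2020-07-11T10:00:01.500Z',
      'request' => { 'method' => 'GET' } },
    { 'startedDateTime' => '2020-07-11T10:00:01.000Z',
      'request' => { 'method' => 'POST', 'postData' => { 'text' => '{"char":105}' } } },
    { 'startedDateTime' => '2020-07-11T10:00:03.000Z',
      'request' => { 'method' => 'POST', 'postData' => { 'text' => 'not json' } } }
  ] }
)

# Return the text spelled by the ASCII codes found in POSTed JSON bodies,
# in the order the requests were sent.
def keystrokes_from_har(har_json)
  entries = JSON.parse(har_json).dig('log', 'entries') || []
  codes = entries.sort_by { |e| Time.iso8601(e['startedDateTime']) }.map do |entry|
    body = entry.dig('request', 'postData', 'text')
    next if body.nil?                 # GET requests carry no postData
    begin
      parsed = JSON.parse(body)
    rescue JSON::ParserError
      next                            # skip bodies that are not JSON
    end
    next unless parsed.is_a?(Hash)
    parsed.values.find { |v| v.is_a?(Integer) && v.between?(0, 127) }
  end
  codes.compact.map(&:chr).join
end

puts keystrokes_from_har(SAMPLE_HAR) if $PROGRAM_NAME == __FILE__
```

The same walk over postData is a quick way to check what a HAR capture exposes before it is shared or left on a web server.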


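Countdown (455pt)

Guesswork rating: ★☆☆☆☆

A dumb challenge: just forge the Flask session. The home page says "Time is key", so the secret is Time.

But I forged several sessions and the countdown changed every time. I could not find a pattern, which was confusing.

Later I forged 2020-07-14 12:59:59+0000 and found the countdown had become 2 minutes; after a short wait it actually turned into a negative number of seconds.

Refreshing the page gave the flag: rgbCTF{t1m3_1s_k3y_g00d_j0k3_r1ght}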


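Keen Eye (490pt)

I have no idea what this challenge was about. It was the hardest web challenge. Maybe I hit an unintended solution, or maybe the challenge itself was flawed, because I have a Chrome extension that scans all comments in JS, CSS and HTML with one click, and it gave me the flag directly.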


Secure RSA (497pt)

Guesswork rating: ★★★★★

I have to complain: this was the hardest MISC challenge, and the dumbest one.

Secure RSA (SRSA) is a new, revolutionary way to encrypt your data that ensures the original message is unrecoverable by hackers. Top scientists from around the world have confirmed this mathematically irrefutable fact. 3 of our very own RGBSec members have developed this method, and we present it to you here. Granted, the method is very simple, and we aren't quite sure why nobody has thought of it before. Levying the power of uninjectivity, we set e to a small number. 0, in fact. Let's calculate the cipher now: (anything)^0 = 1. Since the message before encryption could have been any number in the world, the ciphertext is uncrackable by hackers. 

n: 69696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969696969

e: 0

c: 1

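The first characters of the sentences in this English passage spell out the flag: rgbCTF{ST3GL0LS}

Original article by 颖奇L'Amore. If you repost it, please credit the author and link to the article.

Permalink: https://www.gem-love.com/ctf/2501.html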


2 comments

xxxx · July 14, 2020 21:59

So could you share the one-click scanning extension? _(•̀ω•́ 」∠)_
