NACTF 2020 writeup

General Skills

Basics

Tiffany no longer communicates in normal text. Weird, I know. She randomly sent me this message: bmFjdGZ7YmE1MzVfYXIzX3N3MzN0fQ==

Can you figure out what it means?

base64

nactf{ba535_ar3_sw33t}

Grep 0

Sophia created this large, mysterious file. She might have said something about grap.. grapes? Find her flag!

The hint says to use grep.

cat flag-1.txt| grep ctf
nactf{gr3p_1s_r3ally_c00l_54a65e7}

Numbers

What do the numbers mean?
111 98 100 117 103 124 98 116 100 50 50 96 89 67 53 83 68 83 54 126

Note that nactf is 110 97 99 116 102 in ASCII, so subtract 1 from every number.

110 97 99 116 102 123 97 115 99 49 49 95 88 66 52 82 67 82 53 125
nactf{asc11_XB4RCR5}

Hashbrowns

MD made 5 hashbrowns this morning and forgot to add salt and pepper. He took a bite out of one of them and found a piece of paper with this written on it: 5af554431d976fdc57ea02908a8e0ce6

Reverse the MD5 hash:

secure_password
nactf{secure_password}

Dr. J’s Vegetable Factory #1 🥕

After years of collecting plush vegetable toys, Dr. J decided to take on his true passion: starting a vegetable factory. Dr. J is incredibly organized, so he likes all of his vegetables to be in the proper order. In fact, he built a robot "Turnipinator-1000" to alphabetize his vegetables for him! Unfortunately, Dr. J doesn't know what instructions to give Turnipinator-1000. Can you help him out? 🥬🥕🌽🍆🥦🥒🥑🍄

nc challenges.ctfd.io 30267

Give instructions in the form of numbers separated by spaces. Entering the number x will swap the vegetable in position x with the vegetable in position x+1. Positions start at zero, not one. (Dr. J is a programmer after all.) For example, given the following vegetables: Avocado, Brocolli, Eggplant, Daikon Radish, Carrot, one possible solution is "3 2 3"

Avocado, Brocolli, Eggplant, Daikon Radish, Carrot

(swap 3 and 4)
Avocado, Brocolli, Eggplant, Carrot, Daikon Radish

(swap 2 and 3)
Avocado, Brocolli, Carrot, Eggplant, Daikon Radish

(swap 3 and 4)
Avocado, Brocolli, Carrot, Daikon Radish, Eggplant

The20thDuck
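
The swap rule in the challenge text is exactly bubble sort with the swap positions written down. The following is an added example, not part of the original write-up; the function names are hypothetical and it assumes plain string comparison gives the alphabetical order the robot expects.

```python
def swap_instructions(vegetables):
    """Return 0-based positions x such that swapping x and x+1, in order,
    alphabetizes the list (bubble sort with the swaps recorded)."""
    items = list(vegetables)
    swaps = []
    for end in range(len(items) - 1, 0, -1):
        swapped = False
        for x in range(end):
            if items[x] > items[x + 1]:
                items[x], items[x + 1] = items[x + 1], items[x]
                swaps.append(x)
                swapped = True
        if not swapped:
            break  # already sorted, no more instructions needed
    return swaps


def apply_swaps(vegetables, swaps):
    """Replay instructions the way the challenge describes them."""
    items = list(vegetables)
    for x in swaps:
        items[x], items[x + 1] = items[x + 1], items[x]
    return items


def answer_line(vegetables):
    """Format the instructions as numbers separated by spaces."""
    return " ".join(str(x) for x in swap_instructions(vegetables))


# The sample list from the challenge description.
EXAMPLE = ["Avocado", "Brocolli", "Eggplant", "Daikon Radish", "Carrot"]

if __name__ == "__main__":
    print(answer_line(EXAMPLE))
```

The output differs from the "3 2 3" given in the challenge text, which is only one possible solution; both sequences sort the list.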

Zip Madness

Evan is playing Among Us and just saw an imposter vent in front of him! Help him get to the emergency button by following the directions at each level.
#!/usr/bin/python
# -*- coding: utf-8 -*-
import os

# Each level contains direction.txt, which names the archive to extract next:
# <s>left.zip or <s>right.zip, counting down from 1000.
s = 1000
for i in range(0, 1000):
    with open('direction.txt', 'r') as f:
        result = f.read().strip()
    if result == 'left':
        print('unzip ' + str(s) + 'left.zip')
        os.system('rm direction.txt')
        os.system('unzip ' + str(s) + 'left.zip')
        os.system('rm ' + str(s) + '*.zip')
    if result == 'right':
        print('unzip ' + str(s) + 'right.zip')
        os.system('rm direction.txt')
        os.system('unzip ' + str(s) + 'right.zip')
        os.system('rm ' + str(s) + '*.zip')
    s = s - 1
os.system('cat flag.txt')

Grep 1

Elaine hid a REGULAR flag among more than 1,000,000 fake ones! The flag was an EXPRESSION of her love for nactf, so the first 10 characters after "nactf{" only have the characters 'n', 'a', 'c', and the last 14 characters only have the characters 'c', 't' and 'f'. There are 52 characters in total, including nactf{}.

This one tests regular expressions.

cat flag.txt| grep "nactf{[nac]\{10\}[a-z]\{21\}[ctf]\{14\}}"
nactf{caancanccnxfynhtjlgllctekilyagxctftcffcfcctft}
nactf{caancanccnxfynhtjlgllctekilyagxctftcffcfcctft}

web

Inspect

Lola's new to website-building. Having just learned HTML and CSS, she built this site and embedded some dark secrets. I wonder where I could find them.

Open the stylesheet at http://inspect.challenges.nactf.com/style.css

nactf{1nspect1ng_sp13s_4_lyf3}

Missing Image

Max has been trying to add a picture to his first website. He uploaded the image to the server, but unfortunately, the image doesn't seem to be loading. I think he might be looking in the wrong subdomain...

The image path turns out to be flag.png; request it directly.

nactf{h1dd3n_1mag3s}

Forms

Skywalker has created 1000 login forms and only managed to make one of them work. Find the right one and login! He also went a bit crazy with the colors for some reason.

The hint is in the login form at the very bottom of the page:

function verify() {
    user = document.getElementById("username").value;
    pass = document.getElementById("password").value;
    if (user === "admin" && pass === "password123") {
        document.getElementById("submit").value = "correct_login";
    } else {
        document.getElementById("submit").value = "false";
    }
    document.form.submit();
}


Log in with those credentials to get the flag.

nactf{cl13n75_ar3_3v11}

Calculator

Kevin has created a cool calculator that can perform almost any mathematical operation! It seems that he might have done this the lazy way though... He's also hidden a flag variable somewhere in the code.

This is clearly command execution.

nactf{ev1l_eval}

Arjun owns a cookie shop serving warm, delicious, oven-baked cookies. He sent me his ages-old family recipe dating back four generations through this link, but, for some reason, I can't get the recipe. Only cookie lovers are allowed!

Logging in with arbitrary credentials shows:

Unfortunately, you don't have permission to see the recipe. You're not a cookie lover!


So set the cookie to cookie_lover.

nactf{c00kie_m0nst3r_5bxr16o0z}

Login

Vyom has learned his lesson about client side authentication and his soggy croutons will now be protected. There's no way you can log in to this secure portal!

A "universal password" (SQL injection in the login form) gets in.

nactf{sQllllllll_1m5qpr8x}

steg

Caesar’s Challenge

Zabelo wrote this message on a note he passed to me. anpgs{q3p1cu3e1at_e0px5!} He also told me his favorite number was 13. What could this mean?

Just brute-force the Caesar shift.

nactf{d3c1ph3r1ng_r0ck5!}

YAMS

Instead of turnips, Yavan loves YAMS. Day and night, he sings about YAMS, dreams about YAMS and runs to the store to catch the newest released batch of YAMS. He's cryptic too. I wonder what this could mean.

Uexummq lm Vuycnqjc. Hqjc ie qmud xjas: fycfx{waY5_sp3_Y0yEw_w9vU91}

Decrypt the whole sentence using yams as the key.

Welcome to Vigenere. Here is your flag: nactf{yaM5_ar3_Y0mMy_w9jC91}
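
Both Caesar's Challenge and YAMS reduce to the same routine, since a Caesar shift of 13 is a Vigenère cipher with the one-letter key "n". The following is an added example, not from the original write-up; the function name is hypothetical. It shows the two details that matter for these flags: the key position advances only on letters, and digits, punctuation and letter case pass through unchanged.

```python
import string


def vigenere_decrypt(ciphertext, key):
    """Decrypt Vigenere text with an alphabetic key.

    Non-letters are copied as-is and do not consume a key letter;
    the case of each ciphertext letter is preserved.
    """
    shifts = [ord(k) - ord("a") for k in key.lower()]
    out = []
    used = 0  # number of letters processed so far
    for ch in ciphertext:
        if ch in string.ascii_letters:
            base = ord("A") if ch.isupper() else ord("a")
            shift = shifts[used % len(shifts)]
            out.append(chr((ord(ch) - base - shift) % 26 + base))
            used += 1
        else:
            out.append(ch)
    return "".join(out)


# Ciphertexts copied from the two challenge descriptions above.
YAMS_CT = "Uexummq lm Vuycnqjc. Hqjc ie qmud xjas: fycfx{waY5_sp3_Y0yEw_w9vU91}"
CAESAR_CT = "anpgs{q3p1cu3e1at_e0px5!}"

if __name__ == "__main__":
    print(vigenere_decrypt(YAMS_CT, "yams"))
    print(vigenere_decrypt(CAESAR_CT, "n"))  # shift of 13
```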

Error 0

Rahul has been trying to send a message to me through a really noisy communication channel. Repeating the message 101 times should do the trick!

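Converting the data straight to ASCII shows that it starts with nactf. The hint says the message is repeated 101 times, which works out to exactly 232 bits per copy, so the data must contain noise. Split the data into groups and count the bit frequency in each column to recover the flag bits.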

#!/usr/bin/python

with open('error0.txt', 'r') as f:
    data = f.read()

# Split the stream into the 101 noisy copies of the 232-bit message.
enc = []
for i in range(0, 101):
    enc.append(data[i*232 : (i+1)*232])

# Majority vote for each bit position across all copies.
result = ''
for i in range(232):
    count = 0
    for j in range(101):
        if enc[j][i] == '1':
            count += 1
    if count > 50:  # 51 or more of the 101 copies say '1'
        result += '1'
    else:
        result += '0'
print(result)

Result:

0110111001100001011000110111010001100110011110110110111000110000001100010111001101111001010111110110111000110000001100010011001101101010010111110111110001011100011111000010100000101001011111000010010000100111001011110111110100001010

Decode the bits to get the flag:

nactf{n01sy_n013j_|\|()|$'/}

Oligar’s Tricky RSA

The crypto master Oligar just sent this file with three numbers. What do they mean?
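n = 196284284267878746604991616360941270430332504451383
e = 65537
c = 97938185189891786003246616098659465874822119719049
# p and q are the two factors of n used in this write-up
p = 10252256693298561414756287
q = 19145471103565027335990409
phi = (p-1)*(q-1)
# modular inverse of e; pow(e, -1, phi) needs Python 3.8+
d = pow(e, -1, phi)
m = pow(c, d, n)
# convert the integer plaintext back to bytes
print(m.to_bytes((m.bit_length() + 7) // 8, 'big'))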

nactf{sn3aky_c1ph3r}

Forensics

Gummies

Kylie is obsessed with gummies. With her collection of miscellaneous gummy bears, she took this incredible picture which is now her phone's wallpaper. Can you find her flag?

Just run zsteg on the image.

nactf{5t3gan0graphy_rul35!}

Meta-morphosis

Mikey really likes Metamorphosis by Franz Kafka, so much so that he sent this meme to the class.
exiftool meme-3.jpg
ExifTool Version Number : 12.00
File Name : meme-3.jpg
Directory : .
File Size : 52 kB
File Modification Date/Time : 2020:10:31 21:58:57+08:00
File Access Date/Time : 2020:10:31 21:59:07+08:00
File Inode Change Date/Time : 2020:10:31 21:59:06+08:00
File Permissions : rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
X Resolution : 1
Y Resolution : 1
Exif Byte Order : Big-endian (Motorola, MM)
Resolution Unit : None
Artist : nactf{m3ta_m3ta_m3ta_d3f4j}
Y Cb Cr Positioning : Centered
Image Width : 500
Image Height : 461
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:4:4 (1 1)
Image Size : 500x461
Megapixels : 0.231
nactf{m3ta_m3ta_m3ta_d3f4j}

Turnips

Dr. J loves his ch0nky turnips, can you find his ch0nky flag?

Inspect the file with strings:

strings turnip-for-what.jpg | grep 'nactf'
nactf{turn1p_f0r_h3x_f3j52}

Secret Message

Monica loves inventing secret languages. So much so that she claims to be the only one to know the message in this recording. What does it say?

The recording is Morse code:

--.- ..- ...-- ...-- -. ----- ..-. .-.. ....- -. --. ..- ....- --. ...-- ...
QU33N0FL4NGU4G3S

The platform also gave a hint that the flag must be uppercase.

nactf{QU33N_0F_L4NGU4G3S}

Turnips 2

Uh oh.. Parth's file seems to have been corrupted. Can you figure out how to find his flag?

Inspection shows that it is a PNG file; repair the file header.

nactf{th3_turn1p5_ar3_tak17g_0v35_skf9}
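
One way to do the header repair and confirm nothing else is damaged, as an added example that is not from the original write-up. It assumes only the 8-byte PNG signature was overwritten; the function names and the 1x1 sample image are constructed for the demonstration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def make_chunk(ctype, body):
    """Build one PNG chunk: length, type, body, CRC-32 over type + body."""
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def iter_chunks(data):
    """Yield (type, crc_ok) for each chunk that follows the 8-byte signature."""
    pos = 8
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        end = pos + 12 + length
        if end > len(data):          # truncated file or bogus length field
            yield ctype, False
            return
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        yield ctype, zlib.crc32(ctype + body) == crc
        pos = end

def repair_signature(data):
    """Restore the PNG signature; refuse if the chunks behind it do not verify."""
    fixed = PNG_SIGNATURE + data[8:]
    chunks = list(iter_chunks(fixed))
    if not chunks or chunks[0][0] != b"IHDR" or chunks[-1][0] != b"IEND":
        raise ValueError("not a PNG chunk stream")
    if not all(ok for _, ok in chunks):
        raise ValueError("chunk CRC mismatch: damage goes beyond the signature")
    return fixed

# Constructed sample: a 1x1 grayscale PNG with its signature zeroed out.
GOOD = (PNG_SIGNATURE
        + make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
        + make_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
        + make_chunk(b"IEND", b""))
CORRUPTED = b"\x00" * 8 + GOOD[8:]

if __name__ == "__main__":
    print(repair_signature(CORRUPTED)[:8])
```

The CRC pass is the useful part: if a chunk fails it, the corruption is not limited to the signature and a hex editor is the next step.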

Static

Juliet just airdropped me this really weird photo that looks like tv static. She said this would be easier than passing notes in class, but I can't understand what she's trying to say. I think Juliet said that the message text was black. Help!