Competition link: WolvCTF 2025
Competition time: 22 Mar 2025 07:00 CST - 24 Mar 2025 07:00 CST
Challenges solved after the event are marked with 🔁
Beginner
PicturePerfect - Forensics
Challenge
PicturePerfect - Forensics
Author: carmengh
Wow what a respectful, happy looking lad! Hmmmmmmm, all I see is a snowman… maybe some details from the image file itself will lead us to the flag.
Hint: Images have interesting information in their metadata!

Solution
Just look at the metadata:
```
exiftool-13.25_64>exiftool hi_snowman.jpg
ExifTool Version Number         : 13.25
File Name                       : hi_snowman.jpg
Directory                       : .
File Size                       : 4.1 MB
Zone Identifier                 : Exists
File Modification Date/Time     : 2025:03:23 22:34:32+08:00
File Access Date/Time           : 2025:03:23 22:57:47+08:00
File Creation Date/Time         : 2025:03:23 22:57:36+08:00
File Permissions                : -rw-rw-rw-
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : inches
X Resolution                    : 96
Y Resolution                    : 96
Exif Byte Order                 : Big-endian (Motorola, MM)
Padding                         : (Binary data 268 bytes, use -b option to extract)
XMP Toolkit                     : Image::ExifTool 11.88
About                           : uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b
Title                           : wctf{d0_yOU_w@nt_t0_BUiLd_a_Sn0Wm@n}
Image Width                     : 3024
Image Height                    : 4032
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 3024x4032
Megapixels                      : 12.2
```
wctf{d0_yOU_w@nt_t0_BUiLd_a_Sn0Wm@n}
DigginDir - Forensics
Challenge
DigginDir - Forensics
Author: carmengh
So I tripped on an uneven sidewalk today… and I dropped the flag somewhere (oops). It’s gotta be here somewhere… right?
Hint: I wish there was a linux utility that let me search for stuff...
Solution
Search on Linux:
```
grep -r "wctf{" .
```
```
┌──(kali㉿kali)-[~/桌面/challenge]
└─$ grep -r "wctf{" .
./pics/WolvCTF2025/EUOlptwlpqPt5qrGlMnFpbat6/.secret:wctf{0h_WOW_tH@Nk5_yOu_f0U^d_1t_xD}
```
Or search in VSCode.

wctf{0h_WOW_tH@Nk5_yOu_f0U^d_1t_xD}
Misc
Eval is Evil
Challenge
Eval is Evil
Author: EmptyBytes
If eval is so bad, then why is it so easy to use?
```python
import random

def main():
    print("Let's play a game, I am thinking of a number between 0 and", 2 ** 64, "\n")
    try:
        guess = eval(input("What is the number?: "))
    except:
        guess = 0
    correct = random.randint(0, 2**64)
    if (guess == correct):
        print("\nCorrect! You won the flag!")
        flag = open("flag.txt", "r").readline()
        print(flag)
    else:
        print(guess)
        print(correct)
        print("\nYou lost lol")

main()
```
Solution
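The script uses the random library to generate a random number and compares the generated number `correct` with the input `guess`; as long as we find a way to make the two equal, it returns the flag (obviously).
The eval() call is what leaves room to manoeuvre.
I looked up how the random library works and learned that once random.seed() has been set to a value, the pseudo-random numbers the random library generates afterwards are fixed.
So I constructed the payload below: first set random.seed(0), then call random.randint(0, 2**64) just as the source does, and finally set random.seed(0) again, so that the next "random number" generated is the same as this one.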
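The effect of that seed reset, next to a round that parses the guess as data, as an added example (not part of the original write-up or the challenge source). `vulnerable_round`, `hardened_round` and `replay_seeded_value` are names assumed here; `PAYLOAD` is the expression from this write-up.

```python
import random
import secrets

# Expression from this write-up; everything else in this block is illustrative.
PAYLOAD = "(random.seed(0), random.randint(0, 2**64), random.seed(0))[1]"


def vulnerable_round(user_input: str) -> bool:
    """Challenge logic: the input is evaluated before the number is drawn."""
    try:
        # eval() runs the expression with access to this module's globals,
        # including the `random` module and its shared generator state.
        guess = eval(user_input)
    except Exception:
        guess = 0
    correct = random.randint(0, 2**64)
    return guess == correct


def hardened_round(user_input: str) -> bool:
    """Treat the guess as data and draw the number from the OS CSPRNG."""
    text = user_input.strip()
    if not (text.isascii() and text.isdigit()):
        return False  # reject anything that is not a plain decimal integer
    guess = int(text, 10)
    # secrets has no seed to reset, so earlier draws cannot be replayed.
    correct = secrets.randbelow(2**64 + 1)
    return guess == correct


def replay_seeded_value() -> int:
    """Why the trick works: the same seed always yields the same first draw."""
    random.seed(0)
    return random.randint(0, 2**64)


if __name__ == "__main__":
    print("eval-based round won:", vulnerable_round(PAYLOAD))
    print("hardened round won:  ", hardened_round(PAYLOAD))
    print("seeded draws repeat: ", replay_seeded_value() == replay_seeded_value())
```

Both changes matter: `int()` parsing removes the code-execution path, and `secrets` removes the seedable shared state that made the number predictable.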
```
(random.seed(0), random.randint(0, 2**64), random.seed(0))[1]
```
```
E:\Desktop>ncat evalisevil.kctf-453514-codelab.kctf.cloud 1337
== proof-of-work: disabled ==
Let's play a game, I am thinking of a number between 0 and 18446744073709551616

What is the number?: (random.seed(0), random.randint(0, 2**64), random.seed(0))[1]

Correct! You won the flag!
wctf{Why_Gu3ss_Wh3n_Y0u_C4n_CH34T}
```
wctf{Why_Gu3ss_Wh3n_Y0u_C4n_CH34T}
Forensics
🔁Passwords
Challenge
Passwords
Author: dree
I heard you’re a hacker. Can you help me get my passwords back?
Solution
The attachment is a KeePass database, so try brute-forcing it.
This uses the tool ivanmrsulja/keepass2john, which converts a KeePass database (kdbx) into John the Ripper format.
```
python keepass2john.py Database.kdbx > hash.txt
```
Delete the leading `Database<SHOULD_BE_REMOVED_INCLUDING_COLON>:` from the resulting hash.txt, keeping the part below:
```
$keepass$*2*6000*222*5bd85bff1c654df5d8cb8f64b877ea179b66978615917c39faf6edd98444928b*dec1f1a8a46d2257b1c536800ccea618d15523c983162f1a760d0f0e3f32bed6*02dc62f9e295c9a256e4e231b3102c1a*8ed6478291ac58151a98e7465f10a11e8cafc1706d048ef4f94fe51453f091bc*193dd9a5673c4a3f5b33dd59639f27760f03285044f14eacc652f4a441b45413
```
Then crack it with hashcat:
```
hashcat -a 0 -m 13400 hash.txt ./pics/WolvCTF2025/wordlists/rockyou.txt
```
Here rockyou.txt is the wordlist that ships with Kali, /usr/share/wordlists/rockyou.txt.gz; I copied it from the virtual machine to my physical machine.
Below is the output after running the command:
```
hashcat (v6.2.6) starting

* Device #1: WARNING! Kernel exec timeout is not disabled.
             This may cause "CL_OUT_OF_RESOURCES" or related errors.
             To disable the timeout, see: https://hashcat.net/q/timeoutpatch
* Device #2: WARNING! Kernel exec timeout is not disabled.
             This may cause "CL_OUT_OF_RESOURCES" or related errors.
             To disable the timeout, see: https://hashcat.net/q/timeoutpatch
nvmlDeviceGetFanSpeed(): Not Supported

CUDA API (CUDA 12.7)
====================
* Device #1: NVIDIA GeForce RTX 4060 Laptop GPU, 7099/8187 MB, 24MCU

OpenCL API (OpenCL 3.0 CUDA 12.7.33) - Platform #1 [NVIDIA Corporation]
=======================================================================
* Device #2: NVIDIA GeForce RTX 4060 Laptop GPU, skipped

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1475 MB

Dictionary cache built:
* Filename..: ./pics/WolvCTF2025/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec

$keepass$*2*6000*222*5bd85bff1c654df5d8cb8f64b877ea179b66978615917c39faf6edd98444928b*dec1f1a8a46d2257b1c536800ccea618d15523c983162f f1a760d0f0e3f32bed6*02dc62f9e295c9a256e4e231b3102c1a*8ed6478291ac58151a98e7465f10a11e8cafc1706d048ef4f94fe51453f091bc*193dd9a5673c4a3 3f5b33dd59639f27760f03285044f14eacc652f4a441b45413:goblue1

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13400 (KeePass 1 (AES/Twofish) and KeePass 2 (AES))
Hash.Target......: $keepass$*2*6000*222*5bd85bff1c654df5d8cb8f64b877ea...b45413
Time.Started.....: Thu Mar 27 20:32:01 2025 (1 sec)
Time.Estimated...: Thu Mar 27 20:32:02 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (./pics/WolvCTF2025/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 181.7 kH/s (9.00ms) @ Accel:8 Loops:256 Thr:256 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 98304/14344385 (0.69%)
Rejected.........: 0/98304 (0.00%)
Restore.Point....: 49152/14344385 (0.34%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:5888-6000
Candidate.Engine.: Device Generator
Candidates.#1....: truckin -> Donovan
Hardware.Mon.#1..: Temp: 49c Util: 28% Core:2535MHz Mem:8000MHz Bus:8

Started: Thu Mar 27 20:31:59 2025
Stopped: Thu Mar 27 20:32:03 2025
```
So the password is goblue1.
Open the database online with KeeWeb.

wctf{1_th0ught_1t_w4s_s3cur3?}
🔁Breakout
Challenge
Breakout
Author: Sudojacob
Something fishy about that photo… What could be hidden in this game?
Solution

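```
steghide extract -sf breakout.jpg
```
Extract with steghide; the passphrase is empty.
```
steghide extract -sf breakout.jpg
Enter passphrase:
wrote extracted data to "breakout.ch8".
```
This extracts a file, breakout.ch8.
After searching online, I found that .ch8 files are program files designed for the Chip-8 virtual machine.
Then I found this online emulator, CHIP-8 Emulator; the project is open source on GitHub at eth-p/uni-chip8.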

Playing this simple little game reveals the flag.
WCTF{GAME_OVER_VMASBKLTNUFMGS}
OSINT
Wintery
Challenge
Wintery
Author: pradhamk
As the snow has once again started to fall, I spotted a flag afar. Can you find where this picture was taken? Truncate your coordinates to 3 decimal places.
Flag format: wctf{latitude,longitude}
Hint:
flag is in format wctf{##.##a,##.##b} where a+b == 4
no leading zero, no space

Solution
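The flag in the picture places it at the University of Michigan.
Then this spot can be found in Google Street View: 530 S State St - Google Maps

From the details in the photo, I inferred that it was taken at this building.

I picked a nearby point.

It meets the challenge's conditions.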
wctf{42.273,-83.741}