NSSCTF Round 18 Writeup
MISC
1. 温馨的酒吧
是一个互动视频,深度优先搜索分别得到三段flag,合并起来即可
NSSCTF{新年快乐_不要停下来啊_CTFer!}
2. Number 7
Inside No.9 or Inside No.7 ?
182A1918071C152E0A4737263A3E780A6F6A075A112742777C687D0700773F7D39560063487D
根据提示,猜测为Cisco Type7编码
解码得到flag:
NSSCTF{H4PPY_N3WY34r_4ND_N55CTF_18TH}
3. usersssssssss
这么多用户,总有一个用户拥有flag
(用户名取自附件中的字典,密码就是用户名的md5sum)
首先要得到用户名对应的密码,使用Powershell执行以下脚本
Get-Content -Path "C:\Users\Rosei\Desktop\wordlist.txt" | ForEach-Object {
$string = $_.Trim()
$md5 = [System.Security.Cryptography.MD5]::Create()
$hashBytes = $md5.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($string))
$hashString = [System.BitConverter]::ToString($hashBytes) -replace '-', ''
$hashString.ToLower()
}
得到密码后保存在 password.txt 中,然后就是ssh连接环节
方法一:
def generate_ssh_commands_with_passwords(usernames_file, passwords_file, hostname, port):
with open(usernames_file, 'r') as user_file, open(passwords_file, 'r') as password_file:
for user_line, password_line in zip(user_file, password_file):
username = user_line.strip()
password = password_line.strip()
ssh_command = f'ssh {username}@{hostname} -p {port}\n{password}'
yield ssh_command
def main():
hostname = 'node2.anna.nssctf.cn'
port = 28765
usernames_file = 'wordlist.txt'
passwords_file = 'password.txt'
for command in generate_ssh_commands_with_passwords(usernames_file, passwords_file, hostname, port):
print(command)
if __name__ == "__main__":
main()
执行python脚本,输出用户名和密码,逐个连接ssh,最终在 laminous 用户文件下发现flag
ssh laminous@node2.anna.nssctf.cn -p 28765
laminous@node2.anna.nssctf.cn's password:
laminous@4cdb23f99f054406:~$ ls
flag.txt
laminous@4cdb23f99f054406:~$ cat flag.txt
NSSCTF{873f3a80-97ef-493e-b571-4535798ee471}
方法二:
使用python脚本依次检查用户文件夹是否为空,若不为空则输出用户名
import paramiko
def read_usernames(filename):
with open(filename, 'r') as file:
return [line.strip() for line in file]
def read_passwords(filename):
with open(filename, 'r') as file:
return [line.strip() for line in file]
def list_files_and_folders(ssh, path):
command = f"ls -l {path}"
stdin, stdout, stderr = ssh.exec_command(command)
return stdout.read().decode()
def ssh_connect(username, password):
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
try:
ssh.connect('node2.anna.nssctf.cn', username=username, password=password, port=28765)
return ssh
except Exception as e:
print(f"Failed to connect with {username}: {e}")
return None
if __name__ == "__main__":
usernames_file = 'usernames.txt'
passwords_file = 'passwords.txt'
usernames = read_usernames(usernames_file)
passwords = read_passwords(passwords_file)
if len(usernames) != len(passwords):
print("Error: Number of usernames and passwords do not match!")
exit()
for username, password in zip(usernames, passwords):
ssh = ssh_connect(username, password)
if ssh:
print(f"Files in {username}: ")
root_contents = list_files_and_folders(ssh, f"/home/{username}")
print(root_contents)
ssh.close()