ACECTF 2025

web

Webrypto

I think we can all agree that most of us grew up watching the iconic cartoon Tom & Jerry. Every kid would feel that surge of adrenaline during the thrilling chases and chaotic conflicts between the mischievous mouse and the ever-determined cat. The excitement of those scenes—the heart-pounding moments of escape—sometimes felt almost real.

But then, I heard a little rumor: what if all those chases were fake? What if Tom and Jerry were actually friends all along? That revelation shook me. I had no one to ask about this mind-bending twist, so I decided to take matters into my own hands—I created a web app to settle this question once and for all.

I know the truth now. Do you think you can uncover it too?

<?php
include('flag.php');
highlight_file(__FILE__);

// Check if parameters 'tom' and 'jerry' are not equal
if ($_GET['tom'] != $_GET['jerry']) {
    echo "<br>Parameter 1 Met!<br>";

        if (md5('ACECTF' . $_GET['tom']) == md5('ACECTF' . $_GET['jerry'])) {
        echo $FLAG;  // If the condition is true, print the flag
    }
}
?>

进行数组绕过即可

/?tom[]=1&jerry[]=2

ACECTF{70m_4nd_j3rry_4r3_4ll135}

Token of Trust

At first, this web app seems straightforward, but there’s something more lurking beneath the surface. It relies on a token for user authentication, but not everything is as secure as it seems. Look closely, and you might discover that the system’s trust can be manipulated.

The secret is hidden within the way this token is used. Can you find the key to unlock what’s been concealed? The challenge is waiting for you to crack it.

Submit your answer in the following format: ACECTF{3x4mpl3_fl4g}

去login看一下发包，看一下robots.txt,之后在flag里发包

POST /flag HTTP/1.1
Host: 34.131.133.224:9999
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Origin: http://34.131.133.224:9999
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 Edg/133.0.0.0
Referer: http://34.131.133.224:9999/login
Content-Type: application/json
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Content-Length: 51

{"user":"admin","pass":"admin","token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4ifQ.xLtLdUxXsGB7EqP49a8xQziqpjkVKeJ9o2nix4xLf5M"}

ACECTF{jwt_cr4ck3d_4dm1n_4cce55_0bt41n3d!}

Bucket List

You know what's a bucketlist? In simple terms, it's just a list of wishes people want to achieve before the leavee this world. I found it to be very limiting & ironic because how can you know when you'll leave the world behind? It's better to enjoy every moment and take on every opportunity you can. One of my whishes though is to pet a cat, do you mind checking this one out. So cute.

给了网址

https://opening-account-acectf.s3.ap-south-1.amazonaws.com/fun/can_we_get_some_dogs/026.jpeg

直接看网址

https://opening-account-acectf.s3.ap-south-1.amazonaws.com/

有一处

cry-for-me/acectf/secret.txt

进行base64解密即可

ACECTF{7h3_4w5_15_m15c0nf16ur3d}

Buried Deep

"I’m not a hacker. I’m just someone who wants to make the world a little better. But the world isn’t going to change itself."

Submit your answer in the following format: ACECTF{3x4mpl3_fl4g}

The flag content should be in lowercase letters only.

# Hey there, you're not a robot, yet I see you sniffing through this file 😡
# Now get off my lawn! 🚫

Disallow: /secret/
Disallow: /hidden/
Disallow: /cryptic/
Disallow: /forbidden/
Disallow: /private/
Disallow: /buried/
Disallow: /underground/
Disallow: /secret_path/
Disallow: /hidden_flag/
Disallow: /buried_flag/
Disallow: /encrypted/

# http://34.131.133.224:9998/secret_path
# Morse code dictionary
MORSE_CODE_DICT = {
    '.-': 'A', '-...': 'B', '-.-.': 'C', '-..': 'D', '.': 'E',
    '..-.': 'F', '--.': 'G', '....': 'H', '..': 'I', '.---': 'J',
    '-.-': 'K', '.-..': 'L', '--': 'M', '-.': 'N', '---': 'O',
    '.--.': 'P', '--.-': 'Q', '.-.': 'R', '...': 'S', '-': 'T',
    '..-': 'U', '...-': 'V', '.--': 'W', '-..-': 'X', '-.--': 'Y',
    '--..': 'Z', '-----': '0', '.----': '1', '..---': '2', '...--': '3',
    '....-': '4', '.....': '5', '-....': '6', '--...': '7', '---..': '8',
    '----.': '9', '---...': ':', '..--..': '?', '-.-.--': '!', '.-.-.-': '.',
    '--..--': ',', '-....-': '-', '-..-.': '/', '.--.-.': '@', '..--.-': '_',
    '.-..-.': '"', '...---...': 'SOS'
}

# Function to decode Morse code
def decode_morse(morse_code):
    # Split into words
    words = morse_code.strip().split('   ')
    decoded_message = []

    for word in words:
        # Split into letters
        letters = word.split(' ')
        decoded_word = []

        for letter in letters:
            if letter in MORSE_CODE_DICT:
                decoded_word.append(MORSE_CODE_DICT[letter])
            else:
                decoded_word.append('')  # Handle unknown characters

        decoded_message.append(''.join(decoded_word))

    return ' '.join(decoded_message)

# Example Morse code input
morse_input = "..--- -. -..   .--. .- .-. -   --- ..-.   - .... .   ..-. .-.. .- --.   .. ...   ---...   .---- ..... ..--.- ...-- ....- ..... -.-- ..--.- .-- .... ...-- -. ..--.- -.-- ----- ..- ..--.- -.- -. ----- .-- ..--.- .-- .... ...-- .-. ...-- ..--.-"

# Decode the Morse code
decoded_text = decode_morse(morse_input)
print("Decoded Text:", decoded_text)
#Decoded Text: 2ND PART OF THE FLAG IS : 15_345Y_WH3N_Y0U_KN0W_WH3R3_

# http://34.131.133.224:9998/buried
49 115 116 32 80 97 114 116 32 111 102 32 116 104 101 32 70 108 97 103 32 105 115 32 58 32 65 67 69 67 84 70 123 49 110 102 49 108 55 114 52 55 49 110 103 95 55 104 51 95 53 121 53 55 51 109 95 32
from dec
1st Part of the Flag is : ACECTF{1nf1l7r471ng_7h3_5y573m_ 

HTTP/1.1 200 OK
Server: Werkzeug/3.0.6 Python/3.8.20
Date: Fri, 28 Feb 2025 02:30:19 GMT
Content-Disposition: inline; filename=flag11.txt
Content-Type: text/plain; charset=utf-8
Content-Length: 97
Last-Modified: Sat, 18 Jan 2025 16:36:15 GMT
Cache-Control: no-cache
ETag: "1737218175.0-97-2151483774"
Date: Fri, 28 Feb 2025 02:30:19 GMT
Connection: close

Sometimes the answers are hidden in plain sight. Or, in this case, styled just right. 🖋️👀

回到主页面看css

#flag {
    display: none;
    content: "bC5 !2CE @7 E96 u=28 :D i f9b0db4CbEd0cCb03FC`b5N"; 
}

进行rot47解码

3rd Part of the Flag is : 7h3_53cr3t5_4r3_bur13d}Q

ACECTF{1nf1l7r471ng_7h3_5y573m_15_345Y_WH3N_Y0U_KN0W_WH3R3_7h3_53cr3t5_4r3_bur13d}

Flag-Fetcher

Hey guys, I created a flag fetcher using some web stacks & technologies. It was supposed to fetch the flag.webp image file which contains the flag but there was some kind of error in doing that. Can you verify it? Maybe just get the flag I don't really care if you fix it or not.

重定向看到内容

ctf{r3d1r3ct10n}

crypto

Super Secure Encryption

I'm doing a big favour with this one... I'm handing out my super secure functionality to the outer world to stumble upon & explore. Though, I still remember one of my colleagues once saying that nothing in this world is secure nowadays but my script right here stands on the contrary. I'll give you the access to my arsenal and see if you can prove me wrong.

AES-CTR（Counter Mode）是一种流密码模式。它的核心思想是通过 AES 加密一个计数器（Counter）来生成一个密钥流（KeyStream），然后将密钥流与明文进行异或（XOR）操作，生成密文。

• C1 = msg XOR KeyStream

• C2 = flag XOR KeyStream

因为 KeyStream XOR KeyStream = 0，所以最终结果是 msg XOR flag。

flag = (C1 XOR C2) XOR msg

encrypted_msg = "d71f4a2fd1f9362c21ad33c7735251d0a671185a1b90ecba27713d350611eb8179ec67ca7052aa8bad60466b83041e6c02dbfee738c2a3"
encrypted_flag = "c234661fa5d63e627bef28823d052e95f65d59491580edfa1927364a5017be9445fa39986859a3"

c1 = bytes.fromhex(encrypted_msg)
c2 = bytes.fromhex(encrypted_flag)

p1 = b'This is just a test message and can totally be ignored.'

xor_ciphertexts = bytes([a ^ b for a, b in zip(c1, c2)])

p2 = bytes([a ^ b for a, b in zip(xor_ciphertexts, p1)])

print("Recovered flag:", p2.decode())
#ACECTF{n07h1n6_15_53cur3_1n_7h15_w0rld}

Custom Encoding Scheme

I wanted to create a custom encoding for a crypto challenge but turns out, I didn't have anough time on my hands. So, what I did here is - Well instead of explaining it to you why don't I give you the script?

1. 从输出文件中读取每一行的两个字符。
2. 使用 Base64 字符表 t1 找到每个字符对应的整数值。
3. 将整数值转换为二进制，并根据编码规则拼接回原始的 8 位二进制字符串。
4. 如果索引 x < 42，需要从 d 中分离出 c[x]（4 位）。
5. 最终将所有二进制字符串拼接起来，转换为原始数据。
6. 进行二进制的转化

def decode_e1(output_file, b_length=168):
    t1 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    t1_index = {char: idx for idx, char in enumerate(t1)}

    with open(output_file, "r") as f:
        lines = f.readlines()

    b = ""
    for x, line in enumerate(lines):
        r = line.strip()
        if len(r) != 2:
            raise ValueError("Invalid output format")

        e_char, g_char = r[0], r[1]
        e = t1_index[e_char]
        g = t1_index[g_char]

        a_bin = f"{e:06b}"
        if x < 42:
            d_bin = f"{g:06b}"
            z_bin = a_bin + d_bin[:2]
            c_bin = d_bin[2:]
            b += c_bin
        else:
            d_bin = f"{g:02b}"
            z_bin = a_bin + d_bin

        # Convert z_bin to character
        char = chr(int(z_bin, 2))
        print(char, end="")

    print("\nRecovered binary b:", b)
    if len(b) != b_length:
        raise ValueError("Invalid binary length")
    binary_list = [b[i:i + 8] for i in range(0, len(b), 8)]

    # 转换为 ASCII 字符
    ascii_string = ''.join([chr(int(binary, 2)) for binary in binary_list])

    # 输出结果
    print("Decrypted message:", ascii_string)

decode_e1("output.txt")
#ACECTF{7h47_w45_c00l}

Hexed and Squared

While developing these challenges, I kept in mind that some challenges should be made easy for the newbies who're gonna be playing in our CTF. But, I'm totally against using common encodings and just giving away a flag for free. There's just no learning in that, instead what we're gonna do, is that we'll use a custom encoding, where we just have the number 3. Let's see how good your math is.

得到一堆3，利用cyberchef一直hex反编

ACECTF{5uch_4_5qu4r3|
ACECTF{5uch_4_5qu4r3}