A few XCTF MISC advanced challenges

I have not played CTF for a long time, so here are a few misc challenges for fun.

Small PDF

Run binwalk on the file directly: it finds three pictures.
binwalk -e did not extract anything.
So carve the data out directly with dd: dd if=7e5ab2e7587d4a4abf9c705dfb935a92.pdf of=1 skip=82150 bs=1
This gives the flag.
I do not understand why the former could not write the files out.
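An added example (not from the original post) of what the dd step does, extended to find the offset by signature and to stop at the real end of the image instead of copying to end of file. It assumes the embedded picture is a PNG, which the post does not state; carve_pngs, png_end and make_png are hypothetical names, and the sample container is constructed so that the image sits at the same offset 82150.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_end(blob, start):
    """Walk PNG chunks from `start`; return the offset just past IEND, or None."""
    pos = start + len(PNG_SIG)
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length              # length + type + data + crc
        if end > len(blob):
            return None                      # truncated chunk
        (crc,) = struct.unpack(">I", blob[end - 4:end])
        if zlib.crc32(blob[pos + 4:end - 4]) != crc:
            return None                      # CRC covers chunk type + data
        if ctype == b"IEND":
            return end
        pos = end
    return None

def carve_pngs(blob):
    """Return (offset, bytes) for every structurally valid PNG inside blob."""
    found = []
    start = blob.find(PNG_SIG)
    while start != -1:
        end = png_end(blob, start)
        if end is not None:
            found.append((start, blob[start:end]))
        start = blob.find(PNG_SIG, start + 1)
    return found

def make_png(width, height):
    """Constructed sample: minimal 8-bit grayscale PNG with all-black pixels."""
    def chunk(ctype, data):
        body = ctype + data
        return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00" * width for _ in range(height))
    return (PNG_SIG + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))

# Constructed container: PDF-like filler with one PNG starting at offset 82150.
sample = b"%PDF-1.4\n" + b"A" * (82150 - 9) + make_png(4, 2) + b"\n%%EOF\n"
hits = carve_pngs(sample)
print([(off, len(data)) for off, data in hits])
```

Because every chunk CRC is verified while walking, a signature that merely appears inside other data, or an image cut short, is rejected rather than written out as a broken file.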

Cephalopod

The download is a pcap file. Take a look with strings first.
There are pictures in it? Check with binwalk.
binwalk -e is useless, foremost is useless too, frustrating.
Try the dd command: dd if=1.pcap of=1 skip=82150 bs=1
Hmm, a picture came out but it could not be viewed, so that is useless as well.
Wireshark under Windows did not help either; I could not see the extracted files.
Finally, after looking things up, I found that tcpxtract can extract files from network traffic captures, but it is not on Kali and has to be installed.
For installation, just search Baidu for how others did it. Once installed, run: tcpxtract -f 1.pcap
This yields the flag image.

HITB{95700d8aefdc1648b90a92f3a8460a2c}

misc 2 - 1

The downloaded picture would not open. Drag it into WinHex: the file header is not right, so modify the header.
After modifying it, it still would not open. Then I suddenly noticed that the field representing the width is zero?
No wonder. Just set a width and open it, and then found:
No use. The width probably has to be brute-forced against the CRC.

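import struct
import binascii

# Read the damaged PNG; the IHDR chunk type and data occupy bytes 12..28
with open("1.png", "rb") as f:
    m = f.read()

# Try every candidate width until the CRC matches the one stored for IHDR
for i in range(0, 65535):
    # chunk type + candidate width + remaining IHDR fields (height onwards)
    c = m[12:16] + struct.pack('>i', i) + m[20:29]
    crc = binascii.crc32(c) & 0xffffffff
    if crc == 0x932f8a6b:
        print(hex(i))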

With the recovered width written back, the flag picture opens.

John-the-Ripper

Unpacking the downloaded archive gives an unnamed file. Looking inside, it starts with PK.
Rename it to .zip. Extracting requires a password, and it turns out not to be pseudo-encryption.
Brute-force it directly with a tool to get the password: fish
I seriously suspect I was not using my brain before.
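An added example (not from the original post) of one way to check for ZIP pseudo-encryption before reaching for a password cracker: an entry whose "encrypted" flag bit is set but whose stored bytes still inflate to data matching the recorded CRC-32 is not really encrypted. pseudo_encrypted_entries and make_sample are hypothetical names, and the archive is constructed in memory.

```python
import io
import struct
import zipfile
import zlib

def pseudo_encrypted_entries(data):
    """Names of entries flagged as encrypted whose bytes are actually plain."""
    fake = []
    eocd = data.rfind(b"PK\x05\x06")         # end of central directory record
    count, _size, pos = struct.unpack("<HII", data[eocd + 10:eocd + 20])
    for _ in range(count):
        (flags, method, _t, _d, crc, csize, _usize,
         nlen, xlen, clen) = struct.unpack("<HHHHIIIHHH", data[pos + 8:pos + 34])
        (lho,) = struct.unpack("<I", data[pos + 42:pos + 46])
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        pos += 46 + nlen + xlen + clen
        if not flags & 1:                    # bit 0 = "encrypted"
            continue
        lnlen, lxlen = struct.unpack("<HH", data[lho + 26:lho + 30])
        start = lho + 30 + lnlen + lxlen
        body = data[start:start + csize]
        try:
            plain = zlib.decompress(body, -15) if method == 8 else body
        except zlib.error:
            continue                         # does not inflate: really encrypted
        if zlib.crc32(plain) == crc:
            fake.append(name)
    return fake

def make_sample(fake_flag):
    """Constructed sample: plain one-file ZIP, optionally with bit 0 forced on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("flag.txt", "constructed sample content " * 4)
    raw = bytearray(buf.getvalue())
    if fake_flag:
        raw[raw.find(b"PK\x01\x02") + 8] |= 1   # central directory flags
        raw[6] |= 1                             # local file header flags
    return bytes(raw)

print(pseudo_encrypted_entries(make_sample(True)))
```

An empty result for a password-protected archive, as in this challenge, means the flag bit is genuine and the password has to be recovered.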

can_has_stdio?

Download and unpack the file, and we find Brainfuck code.
Decode it with an online Brainfuck interpreter.
Doubting myself again.

MISCall

Download the file and check it with the file command in Kali.
It is a bzip2-compressed file, so extract it directly with: tar -xvjf 123
It looks like there is a .git directory? Go into the directory and look.
Files beginning with "." seem to be hidden? flag.txt has no flag, so I reckon .git is hiding something.
I looked through the .git listing and nothing seemed special.
In the end I learned about the git stash command.
git stash saves all uncommitted changes (both staged and unstaged) so that the current working directory can be restored later.
To list existing stashes: git stash list
To view a stash: git stash show
To restore the files: git stash apply
An s.py file appears; run it to get the flag.

Suitable as a desktop

Unpacking the download gives a picture! Check it in a stego tool, and a QR code shows up.
Scan the QR code with a scanning tool to get its content.
Copy the content out.

It looks like the bytes of a file, so check whether there is a file header.
It turns out to be a pyc file header, so save the bytes as a pyc file directly in WinHex.
Use an online tool to decompile it into source:

def flag():
    str = [
        102,
        108,
        97,
        103,
        123,
        51,
        56,
        97,
        53,
        55,
        48,
        51,
        50,
        48,
        56,
        53,
        52,
        52,
        49,
        101,
        55,
        125]
    flag = ''
    for i in str:
        flag += chr(i)
    
    print flag

Run it directly to get the flag!

misc 3 - 1

The download turned out to be a rar archive. Extracting it gives one file, which I found to be a pcap file.
Open the file in Wireshark. Nothing stood out, so search for the string flag directly, which finds a file flag.rar?
After saving it, it turns out to require a password? Frustrating. Go back and keep looking in Wireshark.
Suspicious content was found in tcp.stream eq 6:

[root@localhost wireshark]# llss

1  2  3  test
[root@localhost wireshark]# ccaatt  11

Rar!....3...
.............TU..<..... .+......flag.txt0.....n.Kr..z....uEo.Bn&=i.S..>....4.B..~...xj.".
...u......3.....jWj..%m..!.+h...+s..q#.]...3Ks.y.....r.2...wVQ....[root@localhost wireshark]# ccaatt  22

19aaFYsQQKr+hVX6hl2smAUQ5a767TsULEUebWSajEo=[root@localhost wireshark]# ppiinngg  bbaaiidduu..ccoomm

PING baidu.com (111.13.101.208) 56(84) bytes of data.
64 bytes from 111.13.101.208 (111.13.101.208): icmp_seq=1 ttl=48 time=33.4 ms
64 bytes from 111.13.101.208 (111.13.101.208): icmp_seq=2 ttl=48 time=32.1 ms
64 bytes from 111.13.101.208 (111.13.101.208): icmp_seq=3 ttl=48 time=34.7 ms
64 bytes from 111.13.101.208 (111.13.101.208): icmp_seq=4 ttl=48 time=31.9 ms
...^C
--- baidu.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3037ms
rtt min/avg/max/mdev = 31.921/33.067/34.784/1.155 ms
[root@localhost wireshark]# ccaatt  33

# coding:utf-8

__author__ = 'YFP'

from Crypto import Random
from Crypto.Cipher import AES

import sys
import base64

IV = 'QWERTYUIOPASDFGH'

def decrypt(encrypted):
  aes = AES.new(IV, AES.MODE_CBC, IV)
  return aes.decrypt(encrypted)

def encrypt(message):
  length = 16
  count = len(message)
  padding = length - (count % length)
  message = message + '\0' * padding
  aes = AES.new(IV, AES.MODE_CBC, IV)
  return aes.encrypt(message)

str = 'this is a test'

example = encrypt(str)

print(decrypt(example))

There is a string: 19aaFYsQQKr+hVX6hl2smAUQ5a767TsULEUebWSajEo=
And there is a Python script. I reckon the string needs to be decrypted!
Modify the script directly:

# coding:utf-8
__author__ = 'YFP'
from Crypto.Cipher import AES
import base64

# The captured script uses the same 16-byte value as both the AES key and the CBC IV
IV = b'QWERTYUIOPASDFGH'

def decrypt(encrypted):
    aes = AES.new(IV, AES.MODE_CBC, IV)
    return aes.decrypt(encrypted)

def encrypt(message):
    # Pad with NUL bytes up to a multiple of the 16-byte block size
    length = 16
    count = len(message)
    padding = length - (count % length)
    message = message + b'\0' * padding
    aes = AES.new(IV, AES.MODE_CBC, IV)
    return aes.encrypt(message)

# Decrypt the base64 string printed by "cat 2" in the captured stream
example = base64.b64decode("19aaFYsQQKr+hVX6hl2smAUQ5a767TsULEUebWSajEo=")
print(decrypt(example))

Running it gives the extraction password: No_One_Can_Decrypt_Me
Unpack the archive to get the flag.

Origin blog.csdn.net/qq_42967398/article/details/102784401