BMZCTF-MISC (1) WriteUp

MISC

http://www.bmzclub.cn/challenges

0x01 Sign-in question

Follow the public account "white hat community" and reply with the keyword BMZCTF to get the flag.

0x02 2018 HEBTUCTF sign-in questions

Download the compressed package. It is a file named zip without a suffix. Open it with 010editor and look at the file header.
The header shows that it is a compressed package, so add the suffix .zip and open it with winrar.
Inside is another file without a suffix. Unzip it and open it with 010editor again. It seems to be a jpg file.
Look at the end of the file and you can get the flag.

0x03 2018 HEBTUCTF You may need a wireshark

Download the attachment. It is a traffic capture file; open it with wireshark.
Follow the TCP streams and you find it is a capture of DVWA practice traffic.
Check the streams one by one: a flag.txt file was uploaded in the 17th stream. The file content is an encoded string.
The ciphertext contains uppercase and lowercase letters, digits, and "=", so the first guess is base64. Decode it with an online base64 decoder, then URL-decode the result, and you get the flag.

2018 Nets Cup Late Sign-in Questions

Download the attachment. After decompression, it is a text file with a string of ciphertext: AAoHAR1TIiIkUFUjUFQgVyInVSVQJVFRUSNRX1YgXiJSVyJQVRs=
The initial judgment is base64, but after base64 decoding it is a string of garbled characters.
Check the challenge title in the compressed package. Hint: easy xor???
So the decoded bytes still have to be XORed to get the flag. Write a Python script:

import base64
str1 = 'AAoHAR1TIiIkUFUjUFQgVyInVSVQJVFRUSNRX1YgXiJSVyJQVRs='

str2 = base64.b64decode(str1)
for i in range(200):
    tmp=''
    for j in str2:
        tmp += chr(j^i)
    print (tmp)

After running, the flag appears in the output.
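Instead of printing every candidate, the key can be recovered directly from known plaintext. This is an added example, not part of the original write-up; it assumes the plaintext starts with the usual flag{ prefix, and the function names are chosen here.

```python
import base64

# Ciphertext quoted in the write-up above.
CIPHERTEXT_B64 = "AAoHAR1TIiIkUFUjUFQgVyInVSVQJVFRUSNRX1YgXiJSVyJQVRs="
KNOWN_PREFIX = b"flag{"  # assumption: the plaintext uses the flag{...} format


def recover_single_byte_key(ct, prefix=KNOWN_PREFIX):
    """Return the XOR key implied by the known prefix, or None when the
    prefix bytes do not agree on one key (so it is not single-byte XOR)."""
    if len(ct) < len(prefix):
        return None
    candidates = {c ^ p for c, p in zip(ct, prefix)}
    return candidates.pop() if len(candidates) == 1 else None


def xor_decrypt(ct, key):
    """XOR every ciphertext byte with the one-byte key."""
    return bytes(b ^ key for b in ct).decode("ascii", errors="replace")


def solve(b64_text=CIPHERTEXT_B64):
    ct = base64.b64decode(b64_text)
    key = recover_single_byte_key(ct)
    if key is None:
        raise ValueError("known prefix is inconsistent with single-byte XOR")
    return key, xor_decrypt(ct, key)


if __name__ == "__main__":
    key, plaintext = solve()
    print(f"key=0x{key:02x} plaintext={plaintext}")
```

Five ciphertext bytes all agreeing on one key is strong evidence of single-byte XOR; a None result means a longer key or a different cipher.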

Traffic_Light

The download is a picture.
Decompose the picture to get 1688 pictures.
Observe the pictures.
1. The pictures at multiples of 2 are not illuminated and can be ignored.
2. When the sum of the green lights and the red lights is 8 or a multiple of 8, the next picture must be yellow.
It can be inferred that this is binary: green is 1, red is 0.
Write a script to decode:

# -*-coding: utf-8 -*-
from PIL import Image
 
binstr = ""
flag = ""

def decode(s):
    return ''.join([chr(i) for i in [int(b, 2) for b in s.split(' ')]])

for i in range(1168):
    image=Image.open(r'./202011/'+str(i)+'.jpg')
    # print (image.getpixel((115,55)))  # print the color value
    # print (image.getpixel((115,145)))
    tmp1 = image.getpixel((115,55))
    tmp2 = image.getpixel((115,150))
    # print (type(tmp1))
    if(tmp1[0] > 250):
        binstr += '1'
    elif(tmp2[1] > 250):
        binstr += '0'
    else:
        binstr += ''
print (binstr)

for i in range(len(binstr)):
    if i%8==0:
        flag +=decode(binstr[i:i+8])
print(flag)

Get flag

0110011001101100011000010110011101111011010100000110110000110011001101000111001100110011010111110111000000110100011110010101111100110100011101000111010000110011011011100111010000110001001100000110111001011111011101000011000001011111011101000111001000110100011001100110011000110001011000110101111101110011001101000110011000110011011101000111100101011111011101110110100000110011011011100101111101111001001100000111010101011111001101000111001000110011010111110011000001110101011101000111001100110001011001000011001101111101
flag{Pl34s3_p4y_4tt3nt10n_t0_tr4ff1c_s4f3ty_wh3n_y0u_4r3_0uts1d3}

Fix it

After downloading, it is a QR code picture, but only the black frame is left.
Use photoshop to repair it and then scan it:
get flag: flag{easyQRcode}

Real CTFer

Download the attachment; it is a picture.
Modify the height and you can see there is another picture below.
Zoom in and look closely, and you can see the flag:
flag{d2b5543c2f8aa8229057872dd85ce5a9}

Unsolvable secret

After downloading, it is a compressed package containing a file named file and a document flag.docx.
Open file with a text tool. It contains many digits and a few letters, so it is suspected to be hexadecimal.
Put it in 010editor and
you see a "=" at the end, which suggests base64. Decode with base64:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\RealVNC]

[HKEY_CURRENT_USER\Software\RealVNC\vnclicensewiz]
"_AnlClientId"="8f5cc378-2e1d-4670-80e0-d2d81d882561"
"_AnlSelected"="0"
"_AnlInclRate"="0.0025"

[HKEY_CURRENT_USER\Software\RealVNC\vncserver]

[HKEY_CURRENT_USER\Software\RealVNC\VNCViewer4]
"dummy"=""

[HKEY_CURRENT_USER\Software\RealVNC\VNCViewer4\MRU]
"00"="127.0.0.1"
"Order"=hex:00,01
"01"="127.0.0.1:5900"

[HKEY_CURRENT_USER\Software\RealVNC\WinVNC4]
"Password"=hex:37,5e,be,86,70,b3,c6,f3
"SecurityTypes"="VncAuth"
"ReverseSecurityTypes"="None"
"QueryConnect"=dword:00000000
"PortNumber"=dword:0000170c
"LocalHost"=dword:00000000
"IdleTimeout"=dword:00000e10
"HTTPPortNumber"=dword:000016a8
"Hosts"="+,"
"AcceptKeyEvents"=dword:00000001
"AcceptPointerEvents"=dword:00000001
"AcceptCutText"=dword:00000001
"SendCutText"=dword:00000001
"DisableLocalInputs"=dword:00000000
"DisconnectClients"=dword:00000001
"AlwaysShared"=dword:00000000
"NeverShared"=dword:00000000
"DisconnectAction"="None"
"RemoveWallpaper"=dword:00000000
"RemovePattern"=dword:00000000
"DisableEffects"=dword:00000000
"UseHooks"=dword:00000001
"PollConsoleWindows"=dword:00000001
"CompareFB"=dword:00000001
"Protocol3.3"=dword:00000000
"dummy"=""

In the middle you can see "Password"=hex:37,5e,be,86,70,b3,c6,f3,
and the key [HKEY_CURRENT_USER\Software\RealVNC\vncserver] near the beginning shows that this is RealVNC. So use vncx4.exe to crack it
and get the password: !QAZ2wsx
Open flag.docx with the password, move the picture away, select all and change the font color, and you can see the flag.

memory

After downloading the attachment, analyze it with volatility.

The task is "Analyze the memory image, crack the administrator's login password, flag is the MD5 value of the plaintext password".
Dump the password hashes from the image
to get the ciphertext:

Administrator   500     0182bd0bd4444bf867cd839bf040d93b        c22b315c040ae6e0efee3518d830362b
Guest   501     aad3b435b51404eeaad3b435b51404ee        31d6cfe0d16ae931b73c59d7e0c089c0
HelpAssistant   1000    132893a93031a4d2c70b0ba3fd87654a        fe572c566816ef495f84fdca382fd8bb

Reformat the output, replacing the whitespace between fields with ":":

Administrator:500:0182bd0bd4444bf867cd839bf040d93b:c22b315c040ae6e0efee3518d830362b
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
HelpAssistant:1000:132893a93031a4d2c70b0ba3fd87654a:fe572c566816ef495f84fdca382fd8bb

Save it as a file and crack it with john.

You get the password 123456789.
Its MD5 hash is the flag,
but the submission was rejected, so the challenge itself may have a problem.

Win the battle 2019

Download the attachment; it is a picture. Analyze it with binwalk,
which extracts two pictures.
Scan the QR code:
no useful information.
Then analyze the QR code picture:
you can see flag{You_ARE_SOsmart} in the lower left corner.
Submit the whole string, not just the part inside {}.

The origin of 2020sdnisc-CTF

Download the attachment; it is a text file.
Basically every line ends with ==, so base64 steganography is suspected. Extract the hidden data with a script:

import base64

BASE64_CHARS = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'


def get_base64_diff_value(s1, s2):
    # Alphabet-index difference at the first character where the two lines differ
    for i in range(len(s2)):
        if s1[i] != s2[i]:
            return abs(BASE64_CHARS.index(s1[i]) - BASE64_CHARS.index(s2[i]))
    return 0


def solve_stego():
    with open('flag.txt', 'r') as f:
        bin_str = ''
        for line in f:
            steg_line = line.strip()
            # Decode and re-encode to get the canonical line with zeroed padding bits
            norm_line = base64.b64encode(base64.b64decode(steg_line)).decode()
            diff = get_base64_diff_value(steg_line, norm_line)
            # Each '=' of padding leaves two unused bits that can carry hidden data
            pads_num = steg_line.count('=')
            if diff:
                bin_str += bin(diff)[2:].zfill(pads_num * 2)
            else:
                bin_str += '0' * pads_num * 2
        print(goflag(bin_str))


def goflag(bin_str):
    # Convert the collected bit string to characters, 8 bits at a time
    res_str = ''
    for i in range(0, len(bin_str), 8):
        res_str += chr(int(bin_str[i:i + 8], 2))
    return res_str


if __name__ == '__main__':
    solve_stego()

You can get the flag;
add the braces to complete it.

2020sdnisc-simple js

The download attachment is a js file.
Open it:

It is a piece of code that gives the algorithm and its result, so just apply the inverse operation.
Write a script:

s='19131e18041b1d4c47191d19194f1949481a481a1d4c1c461b4d484b191b4e474f1e4b1d4c02'
flag=''
for i in range(0,len(s),2):
    tmp = int(s[i:i+2],16)
    
    #print (tmp)
    flag+=chr((255-128)-tmp)
print (flag)

Get the flag: flag{db38fbff0f67e7eb3c9d274fd180a4b3}

2020sdnisc-corrupted traffic package

The download attachment is a traffic package, but wireshark cannot open it.
Open it with 010editor.
Find the compressed package at the end of the file, extract it, and save it as a zip file. Open it:
the content is base64-encoded; after decoding, it is the flag: flag{sdnisc_net_sQ2X3Q9x}

2020sdnisc-past and present

Download the attachment; it is a picture. Analyze it with binwalk:

Get several files and open them one by one.
The flag is found in 21154.

2020sdnisc-the secret of the upper left corner

The download attachment is a file and a script. Open the script:
it is a piece of code that encrypts the content of a picture to produce the file in the attachment. Write a script to perform the inverse operation:

flag_dec = open("flag.png","wb")
def file_decode(flag):
    i = 1
    while True:
        byte_str = flag.read(1)
        if (byte_str == b''):
            return  # end of input; let the caller close the output file
        byte_str = hex_decode(byte_str)
        file_write(flag_dec, byte_str)
        # print(byte_str, end="")
        i = i + 1

def hex_decode(byte_str):
    tmp = int.from_bytes(byte_str, byteorder="big")
    tmp = tmp ^ 128
    if (tmp % 2 == 0):
        tmp = tmp + 1
    else:
        tmp = tmp - 1
    tmp = bytes([tmp])
    return tmp

def file_write(flag_dec, byte_str):
    flag_dec.write(byte_str)

if __name__ == '__main__':
    with open("./flag_enc.hex", "rb") as flag:
        file_decode(flag)
flag_dec.close()

Restore the picture and
you find a line at the upper left of the picture. Check the color:
guess that the secret is in the green channel.
Use a script to get the ciphertext:

from PIL import Image
image =Image.open('flag.png')
c=0
aa=''
for i in range(120):
    aa+=chr(image.getpixel((c,c))[-2])
    c+=1
print (aa)

The hidden string is:
ZmxhZ3tjNmU0Yzk5YTYzODhjNWQyYTlhZTZlZjZhODQzY2VhNn0=
Base64-decode it to get the flag:
flag{c6e4c99a6388c5d2a9ae6ef6a843cea6}

Taihu Cup-MISC

The download attachment is a compressed package, which contains a file and another compressed package.
After trying various methods to no avail, delete the fun.zip from the attachment.
Then repair the compressed package, and you find that the password is gone.
After opening, the file is a block of ciphertext. Change its suffix and open it again
to find multiple paragraphs of text.
Try various ciphers and you find that the Hill cipher decodes two of the newly found sentences,
giving a new string:
love and peaceee

Use this sentence as the key, and decrypt the remaining paragraph with Rabbit.
The result is a base32 string.
Decode the base32,
then decode the Unicode,
then decode the resulting "new Buddha's words" text.
This gives a passage; use it as the password to decompress fun.zip and
get the audio file.
After analyzing the frequency spectrum, you can get the flag.

Coke with ice

Download the attachment; it is a picture.
Analyze it with binwalk:

Get some files.
Check them one by one, and find a regular pattern of characters in the 2AE96 file.
Convert them to a string:

s='834636363695438346369595364383469595954383469595364383463636363643834636363695438346369595364383469595364334453443834636953636438346369536954383463636953643834636369543344534438346369595438346369536954383463636363643834636363643344534438346369595364383463695953643834636369543834695363643344534438346363695364383463695369543834636369536438346369595954383469595364383469536954383463636363643834636953643834636369543834695369543834636959543834636369536'
print (s)
for i in range(0,len(s),2):
    print (chr(int(s[i:i+2])),end='')

get:

S.$$$_+S.$__$+S.___+S.__$+S.$$$$+S.$$$_+S.$__$+S.__$+"-"+S.$_$$+S.$_$_+S.$$_$+S.$$_+"-"+S.$__+S.$_$_+S.$$$$+S.$$$+"-"+S.$__$+S.$__$+S.$$_+S._$$+"-"+S.$$_$+S.$_$_+S.$$_$+S.$___+S.__$+S._$_+S.$$$$+S.$_$+S.$$_+S._$_+S.$__+S.$$_$

This looks much like jjencode. Replace "S" with "$",
then add the fixed header and trailer:

$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+PUT_CIPHERTEXT_HERE+"\"")())();

Decode it with a jjencode decoder to get the flag.
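The header above gives each digit property a name that is the digit's value written in binary ($ = 1, _ = 0), so the expression can be decoded statically without running the obfuscated JavaScript. This is an added example, not part of the original write-up; DIGITS, TOKEN and decode_expression are names chosen here, and it handles only digit properties and plain string literals, which is all this sample uses.

```python
import re

# Expression printed by the conversion script above (copied from this write-up).
EXPR = (
    'S.$$$_+S.$__$+S.___+S.__$+S.$$$$+S.$$$_+S.$__$+S.__$+"-"+'
    'S.$_$$+S.$_$_+S.$$_$+S.$$_+"-"+'
    'S.$__+S.$_$_+S.$$$$+S.$$$+"-"+'
    'S.$__$+S.$__$+S.$$_+S._$$+"-"+'
    'S.$$_$+S.$_$_+S.$$_$+S.$___+S.__$+S._$_+S.$$$$+S.$_$+S.$$_+S._$_+S.$__+S.$$_$'
)

# jjencode digit table: 0-7 use three-character names, 8-f use four.
DIGITS = {
    format(n, "03b" if n < 8 else "04b").translate(str.maketrans("10", "$_")):
        format(n, "x")
    for n in range(16)
}

# A token is either a plain string literal or a property access on S / $.
TOKEN = re.compile(r'"([^"\\]*)"|[S$]\.([$_]+)')


def decode_expression(expr):
    """Decode a '+'-joined chain of digit properties and string literals."""
    expr = expr.strip()
    out, pos = [], 0
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if m is None:
            raise ValueError(f"unsupported token at offset {pos}")
        if m.group(2) is None:            # string literal such as "-"
            out.append(m.group(1))
        elif m.group(2) in DIGITS:        # hex digit property
            out.append(DIGITS[m.group(2)])
        else:                             # e.g. $.$_ holds a string, not a digit
            raise ValueError(f"not a digit property: {m.group(0)}")
        pos = m.end()
        if pos < len(expr):
            if expr[pos] != "+":
                raise ValueError(f"expected '+' at offset {pos}")
            pos += 1
    return "".join(out)


if __name__ == "__main__":
    print(decode_expression(EXPR))
```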

pcap

The download attachment is a traffic package. Open it with wireshark
and follow the TCP streams.
One of the streams contains part of the flag.
Looking for a pattern in the traffic,
the packets that carry flag information all have length 91. Sort by length
and splice the pieces together stream by stream
to get the flag:
flag{d989e2b92ea671f5d30efb8956eab1427625c}

pcap_analysis

Download the attachment; it is a traffic package.
Open it with wireshark and follow the TCP streams.
One of the streams contains the pieces of the flag.
Splice them together to get the flag: flag{323f986d429a689d3b96ad12dc5cbc701db0af55}

Wangding Cup 2020 boom

Download the attachment, an exe file, and run it.
The first level gives an MD5 hash. Crack it with an online lookup
to get the pass code: en5oy
The second level is a system of three linear equations in three unknowns.

Brute-force it:

for x in range(100):
    for y in range (100):
        for z in range(100):
            if (3*x-y+z==185)&(2*x+3*y-z==321)&(x+y+z==173):
                print (x,y,z)

Get the solution:
74
68
31
The third level is a quadratic equation in one variable.

Brute-force it the same way:

for x in range(1000000000):
    if(x*x+x==7943722218936282):
        print (x)
        break

Get the solution: 89127561
Finally get the flag: flag{en5oy_746831_89127561}

Origin blog.csdn.net/Crazy198410/article/details/109612549