Article Directory
- MISC
- 0x01 Sign-in question
- 0x02 2018 HEBTUCTF sign-in questions
- 0x03 2018 HEBTUCTF You may need a wireshark
- 2018 Nets Cup Late Sign-in Questions
- Traffic_Light
- Fix it
- Real CTFer
- Unsolvable secret
- memory
- Win the battle 2019
- The origin of 2020sdnisc-CTF
- 2020sdnisc-simple js
- 2020sdnisc-corrupted traffic package
- 2020sdnisc-past and present
- 2020sdnisc-the secret of the upper left corner
- Taihu Cup-MISC
- Coke with ice
- pcap
- pcap_analysis
- Wangding Cup 2020 boom
MISC
http://www.bmzclub.cn/challenges
decrypt
0x01 Sign-in question
Follow the public account "white hat community" and reply with the keyword BMZCTF to get the flag.
0x02 2018 HEBTUCTF sign-in questions
Download the compressed package. It is a file named zip without a suffix. Open it with 010editor and look at the file header:
It turns out to be a compressed package, so add the suffix .zip and open it with winrar.
Inside is another file without a suffix. Unzip it and open it with 010editor again.
It seems to be a jpg file. Then look at the end of the file:
you can get the flag
0x03 2018 HEBTUCTF You may need a wireshark
Download the attachment. It is a traffic capture file; open it with wireshark:
Trace the TCP streams and find that it is a capture of DVWA practice traffic.
Check the streams one by one and find that a flag.txt file was uploaded in the 17th stream. The file content is a string of encoded text.
Observe the ciphertext: it contains uppercase and lowercase letters, numbers, and "=", so the preliminary judgment is base64. Decode it with an online tool, then URL-decode the result, and get the flag.
2018 Nets Cup Late Sign-in Questions
Download the attachment. After decompression, it is a text file containing a string of ciphertext: AAoHAR1TIiIkUFUjUFQgVyInVSVQJVFRUSNRX1YgXiJSVyJQVRs=
The initial judgment is that it is base64. After base64 decoding, it is a string of garbled characters:
Check the hint in the compressed package: easy xor???
So the data has to be XORed before you get the flag. Write a Python script:
import base64
str1 = 'AAoHAR1TIiIkUFUjUFQgVyInVSVQJVFRUSNRX1YgXiJSVyJQVRs='
str2 = base64.b64decode(str1)
# try every single-byte key and print each candidate plaintext
for i in range(200):
    tmp = ''
    for j in str2:
        tmp += chr(j ^ i)
    print(tmp)
After running, you can get the flag
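Instead of reading 200 lines of output, the key can be derived directly. The following is an added example, not part of the original write-up; it assumes the plaintext starts with the usual `flag{` wrapper, and the function names are illustrative.

```python
import base64

# Ciphertext string quoted in the write-up above.
CIPHERTEXT_B64 = 'AAoHAR1TIiIkUFUjUFQgVyInVSVQJVFRUSNRX1YgXiJSVyJQVRs='
KNOWN_PREFIX = b'flag{'  # assumption: the plaintext uses the flag{...} wrapper


def recover_single_byte_key(ct, prefix=KNOWN_PREFIX):
    """Return the one-byte XOR key implied by a known plaintext prefix, or None."""
    if len(ct) < len(prefix):
        return None
    key = ct[0] ^ prefix[0]
    # every prefix byte must agree on the same key, otherwise it is not
    # a single-byte XOR (or the prefix assumption is wrong)
    if all(c ^ key == p for c, p in zip(ct, prefix)):
        return key
    return None


def brute_force(ct):
    """Fallback without a known prefix: keep keys whose output is printable ASCII."""
    hits = []
    for key in range(256):
        pt = bytes(b ^ key for b in ct)
        if all(0x20 <= b < 0x7f for b in pt):
            hits.append((key, pt.decode('ascii')))
    return hits


def solve():
    """Return (key, plaintext), or (None, candidates) if the prefix does not fit."""
    ct = base64.b64decode(CIPHERTEXT_B64)
    key = recover_single_byte_key(ct)
    if key is None:
        return None, brute_force(ct)
    return key, bytes(b ^ key for b in ct).decode('ascii')


if __name__ == '__main__':
    print(solve())
```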
Traffic_Light
The download is a picture.
Decompose the picture to get 1688 pictures.
Observe the pictures.
1. The pictures at multiples of 2 are not illuminated and can be ignored.
2. When the sum of the green lights and the red lights is 8 or a multiple of 8, the next picture must be yellow.
So it can be inferred to be binary: green is 1, red is 0.
Write a script to decode it:
# -*- coding: utf-8 -*-
from PIL import Image
binstr = ""
flag = ""
def decode(s):
    return ''.join([chr(i) for i in [int(b, 2) for b in s.split(' ')]])
for i in range(1168):
    image = Image.open(r'./202011/' + str(i) + '.jpg')
    # print (image.getpixel((115,55)))  # print the colour value
    # print (image.getpixel((115,145)))
    tmp1 = image.getpixel((115, 55))
    tmp2 = image.getpixel((115, 150))
    # print (type(tmp1))
    if tmp1[0] > 250:
        binstr += '1'
    elif tmp2[1] > 250:
        binstr += '0'
    else:
        binstr += ''
print(binstr)
# regroup the bit string into bytes, 8 bits at a time
for i in range(len(binstr)):
    if i % 8 == 0:
        flag += decode(binstr[i:i+8])
print(flag)
Get flag
0110011001101100011000010110011101111011010100000110110000110011001101000111001100110011010111110111000000110100011110010101111100110100011101000111010000110011011011100111010000110001001100000110111001011111011101000011000001011111011101000111001000110100011001100110011000110001011000110101111101110011001101000110011000110011011101000111100101011111011101110110100000110011011011100101111101111001001100000111010101011111001101000111001000110011010111110011000001110101011101000111001100110001011001000011001101111101
flag{Pl34s3_p4y_4tt3nt10n_t0_tr4ff1c_s4f3ty_wh3n_y0u_4r3_0uts1d3}
Fix it
After downloading, it is a QR code picture, but there is only a black frame.
Use photoshop to repair it and scan it:
get flag: flag{easyQRcode}
Real CTFer
The downloaded attachment is a picture.
Modify the height:
you can see there is another picture below.
Zoom in on the picture; if you look closely, you can see the flag:
flag {d2b5543c2f8aa8229057872dd85ce5a9}
Unsolvable secret
After downloading, it is a compressed package containing a file named file and a flag.docx document.
Open the file named file with a text tool. There are many digits and a few English letters in it, so it is suspected to be hexadecimal.
Put it in 010editor and
you can see a "=" at the end, which suggests base64. Decode with base64:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\RealVNC]
[HKEY_CURRENT_USER\Software\RealVNC\vnclicensewiz]
"_AnlClientId"="8f5cc378-2e1d-4670-80e0-d2d81d882561"
"_AnlSelected"="0"
"_AnlInclRate"="0.0025"
[HKEY_CURRENT_USER\Software\RealVNC\vncserver]
[HKEY_CURRENT_USER\Software\RealVNC\VNCViewer4]
"dummy"=""
[HKEY_CURRENT_USER\Software\RealVNC\VNCViewer4\MRU]
"00"="127.0.0.1"
"Order"=hex:00,01
"01"="127.0.0.1:5900"
[HKEY_CURRENT_USER\Software\RealVNC\WinVNC4]
"Password"=hex:37,5e,be,86,70,b3,c6,f3
"SecurityTypes"="VncAuth"
"ReverseSecurityTypes"="None"
"QueryConnect"=dword:00000000
"PortNumber"=dword:0000170c
"LocalHost"=dword:00000000
"IdleTimeout"=dword:00000e10
"HTTPPortNumber"=dword:000016a8
"Hosts"="+,"
"AcceptKeyEvents"=dword:00000001
"AcceptPointerEvents"=dword:00000001
"AcceptCutText"=dword:00000001
"SendCutText"=dword:00000001
"DisableLocalInputs"=dword:00000000
"DisconnectClients"=dword:00000001
"AlwaysShared"=dword:00000000
"NeverShared"=dword:00000000
"DisconnectAction"="None"
"RemoveWallpaper"=dword:00000000
"RemovePattern"=dword:00000000
"DisableEffects"=dword:00000000
"UseHooks"=dword:00000001
"PollConsoleWindows"=dword:00000001
"CompareFB"=dword:00000001
"Protocol3.3"=dword:00000000
"dummy"=""
In the middle you can see "Password"=hex:37,5e,be,86,70,b3,c6,f3
and near the beginning [HKEY_CURRENT_USER\Software\RealVNC\vncserver],
which shows that this is RealVNC. So use Vccx4.exe
to crack it:
get the password: !QAZ2wsx
Open flag.docx with the password, move the picture away, select all and change the font color, and you can see the flag.
memory
After downloading the attachment, use volatility
to analyze it.
The topic is "Analyze the memory image, crack the administrator's login password, flag is the MD5 value of the plaintext password"
We analyze the hash value in the image:
get the ciphertext:
Administrator 500 0182bd0bd4444bf867cd839bf040d93b c22b315c040ae6e0efee3518d830362b
Guest 501 aad3b435b51404eeaad3b435b51404ee 31d6cfe0d16ae931b73c59d7e0c089c0
HelpAssistant 1000 132893a93031a4d2c70b0ba3fd87654a fe572c566816ef495f84fdca382fd8bb
Edit it, changing the " " in the middle to ":"
Administrator:500:0182bd0bd4444bf867cd839bf040d93b:c22b315c040ae6e0efee3518d830362b
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
HelpAssistant:1000:132893a93031a4d2c70b0ba3fd87654a:fe572c566816ef495f84fdca382fd8bb
Save it as a file and crack it with john.
You can get the password 123456789;
its MD5 value is the flag:
but the submission fails; the challenge itself may be the problem.
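The manual space-to-colon edit above can be scripted and validated. This is an added example, not part of the original write-up: it converts the three quoted rows and also reports accounts that still store an LM hash or have a blank password. The function names are illustrative; the two constants are the well-known LM and NT hashes of an empty password.

```python
import re

EMPTY_LM = 'aad3b435b51404eeaad3b435b51404ee'  # LM hash of an empty password
EMPTY_NT = '31d6cfe0d16ae931b73c59d7e0c089c0'  # NT hash of an empty password
HEX32 = re.compile(r'^[0-9a-f]{32}$')

# The three rows quoted in the write-up above.
SAMPLE = """\
Administrator 500 0182bd0bd4444bf867cd839bf040d93b c22b315c040ae6e0efee3518d830362b
Guest 501 aad3b435b51404eeaad3b435b51404ee 31d6cfe0d16ae931b73c59d7e0c089c0
HelpAssistant 1000 132893a93031a4d2c70b0ba3fd87654a fe572c566816ef495f84fdca382fd8bb
"""


def parse_rows(text):
    """Parse whitespace-separated 'user rid lm nt' rows, validating each field."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        # split from the right so that a user name containing spaces survives
        parts = line.rsplit(None, 3)
        if len(parts) != 4:
            raise ValueError(f'line {lineno}: expected 4 fields')
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        if not rid.isdigit() or not HEX32.match(lm) or not HEX32.match(nt):
            raise ValueError(f'line {lineno}: malformed RID or hash')
        rows.append({'user': user, 'rid': rid, 'lm': lm, 'nt': nt})
    return rows


def to_colon_form(rows):
    """Emit the colon-separated form used in the write-up."""
    return [f"{r['user']}:{r['rid']}:{r['lm']}:{r['nt']}" for r in rows]


def findings(rows):
    """Audit view: accounts with a stored LM hash or a blank password."""
    out = []
    for r in rows:
        if r['lm'] != EMPTY_LM:
            out.append((r['user'], 'LM hash stored'))
        if r['nt'] == EMPTY_NT:
            out.append((r['user'], 'blank password'))
    return out


if __name__ == '__main__':
    print('\n'.join(to_colon_form(parse_rows(SAMPLE))))
    print(findings(parse_rows(SAMPLE)))
```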
Win the battle 2019
Download the attachment; it is a picture.
Analyze it with binwalk:
two pictures are extracted.
Scan the QR code:
no useful information.
Then analyze the QR code picture:
you can see
flag {You_ARE_SOsmart} in the lower left corner.
Write all of it, not just the part within {}. . . .
The origin of 2020sdnisc-CTF
The downloaded attachment is a text file.
Seeing that there is == at the end of basically every line,
base64 steganography is suspected. Decode it with a script:
import base64
def get_base64_diff_value(s1, s2):
    # index difference at the first character where the two encodings differ
    base64chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
    res = 0
    for i in range(len(s2)):
        if s1[i] != s2[i]:
            return abs(base64chars.index(s1[i]) - base64chars.index(s2[i]))
    return res
def solve_stego():
    with open('flag.txt', 'r') as f:
        file_lines = f.readlines()
    bin_str = ''
    for line in file_lines:
        steg_line = line.strip()
        # decoding and re-encoding gives the canonical form with zeroed spare bits
        norm_line = base64.b64encode(base64.b64decode(steg_line)).decode()
        diff = get_base64_diff_value(steg_line, norm_line)
        print(diff)
        pads_num = steg_line.count('=')
        # each '=' leaves 2 spare bits in the last data character
        if diff:
            bin_str += bin(diff)[2:].zfill(pads_num * 2)
        else:
            bin_str += '0' * pads_num * 2
    print(goflag(bin_str))
def goflag(bin_str):
    # regroup the collected bits into 8-bit characters
    res_str = ''
    for i in range(0, len(bin_str), 8):
        res_str += chr(int(bin_str[i:i + 8], 2))
    return res_str
if __name__ == '__main__':
    solve_stego()
You can get the flag;
the braces need to be completed.
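Why the trailing `=` matter: each `=` leaves two unused bits in the last data character, and lenient decoders ignore them. The following round trip is an added example, not part of the original write-up; it shows the embedding side, a bit-mask extractor, and a re-encode check that flags carrier lines. The cover lines, secret and function names are constructed for illustration.

```python
import base64

B64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
# Constructed cover text: 7-byte lines encode with '==', i.e. 4 spare bits each.
COVER = [b'line %02d' % i for i in range(6)]

def spare_bits(line):
    """Unused low bits in the last data character: 2 per '=' of padding."""
    return 2 * (len(line) - len(line.rstrip('=')))

def embed(cover_lines, secret):
    """Base64-encode each cover line and hide the secret's bits in the spare bits."""
    bits = ''.join(f'{b:08b}' for b in secret)
    out = []
    for raw in cover_lines:
        line = base64.b64encode(raw).decode()
        n = spare_bits(line)
        if n and bits:
            chunk, bits = bits[:n].ljust(n, '0'), bits[n:]
            body, pad = line.rstrip('='), '=' * (n // 2)
            # the spare bits are zero in canonical output, so OR-ing sets them
            last = B64.index(body[-1]) | int(chunk, 2)
            line = body[:-1] + B64[last] + pad
        out.append(line)
    if bits:
        raise ValueError('cover text too short for the secret')
    return out

def extract(lines):
    """Collect the spare bits of every padded line and regroup them into bytes."""
    bits = ''
    for line in lines:
        n = spare_bits(line)
        if n:
            last = B64.index(line.rstrip('=')[-1])
            bits += f'{last & ((1 << n) - 1):0{n}b}'
    whole = len(bits) - len(bits) % 8
    data = bytes(int(bits[i:i + 8], 2) for i in range(0, whole, 8))
    return data.rstrip(b'\x00')  # unused carrier lines contribute zero bits

def non_canonical(lines):
    """Detection check: a line that does not re-encode to itself carries extra bits."""
    return [l for l in lines
            if base64.b64encode(base64.b64decode(l)).decode() != l]

if __name__ == '__main__':
    stego = embed(COVER, b'CTF')
    print(stego, extract(stego), len(non_canonical(stego)))
```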
2020sdnisc-simple js
The downloaded attachment is a js file.
Open it:
It is a piece of code that gives the algorithm and its result, so the inverse operation is all that is needed.
Write a script:
s='19131e18041b1d4c47191d19194f1949481a481a1d4c1c461b4d484b191b4e474f1e4b1d4c02'
flag=''
for i in range(0,len(s),2):
    tmp = int(s[i:i+2],16)
    #print (tmp)
    flag+=chr((255-128)-tmp)
print (flag)
Get the flag: flag{db38fbff0f67e7eb3c9d274fd180a4b3}
2020sdnisc-corrupted traffic package
The downloaded attachment is a traffic capture, but wireshark cannot open it.
Open it with 010editor.
Find the compressed package at the end of the file, extract it, and save it as a zip file.
Opening it gives a base64 string; after decoding, it is the flag: flag{sdnisc_net_sQ2X3Q9x}
2020sdnisc-past and present
Download the attachment, it is a picture, analyze with binwalk:
Get several files and open them one by one.
Flag found in 21154
2020sdnisc-the secret of the upper left corner
The downloaded attachment is a file and a script. Open the script:
It is a piece of code that encrypts the content of the picture to produce the file in the attachment. Write a script to perform the inverse operation:
flag_dec = open("flag.png", "wb")
def file_decode(flag):
    i = 1
    while True:
        byte_str = flag.read(1)
        if byte_str == b'':
            break  # end of input; return so that the output file is closed
        byte_str = hex_decode(byte_str)
        file_write(flag_dec, byte_str)
        # print(byte_str, end="")
        i = i + 1
def hex_decode(byte_str):
    # undo the per-byte transform: XOR with 128, then flip the lowest bit
    tmp = int.from_bytes(byte_str, byteorder="big")
    tmp = tmp ^ 128
    if tmp % 2 == 0:
        tmp = tmp + 1
    else:
        tmp = tmp - 1
    tmp = bytes([tmp])
    return tmp
def file_write(flag_dec, byte_str):
    flag_dec.write(byte_str)
if __name__ == '__main__':
    with open("./flag_enc.hex", "rb") as flag:
        file_decode(flag)
    flag_dec.close()
Restore the picture and
find a line in the upper left of the picture. Check the color:
Guess that the secret is in the green channel.
Use a script to get the ciphertext:
from PIL import Image
image = Image.open('flag.png')
c = 0
aa = ''
# walk down the diagonal from the upper left corner
for i in range(120):
    aa += chr(image.getpixel((c, c))[-2])
    c += 1
print(aa)
The hidden string is:
ZmxhZ3tjNmU0Yzk5YTYzODhjNWQyYTlhZTZlZjZhODQzY2VhNn0=
Base64-decode it to get the flag:
flag{c6e4c99a6388c5d2a9ae6ef6a843cea6}
Taihu Cup-MISC
The downloaded attachment is a compressed package, which contains a file and another compressed package.
After trying various methods to no avail, delete the fun.zip in the attachment.
Then repair the compressed package, and you find that the password is gone.
After opening, it is a section of ciphertext. Change the
suffix and open it:
there are multiple paragraphs of text:
Trying various ciphers shows that the Hill cipher can solve the two newly discovered sentences:
get a new string:
love and peaceee
Use this sentence as the password, and use Rabbit to decrypt the remaining paragraph:
Get:
Decode base32:
Then decode Unicode:
Then decode the new Buddha's words:
This gives a paragraph; use these words to decompress fun.zip and
get the audio file.
After analyzing the frequency spectrum, you can get the flag
Coke with ice
Download the attachment; it is a picture.
Analyze it with binwalk:
This gives some files.
Check them one by one, and find characters with a regular pattern in the 2AE96 file:
convert them to a string:
s='834636363695438346369595364383469595954383469595364383463636363643834636363695438346369595364383469595364334453443834636953636438346369536954383463636953643834636369543344534438346369595438346369536954383463636363643834636363643344534438346369595364383463695953643834636369543834695363643344534438346363695364383463695369543834636369536438346369595954383469595364383469536954383463636363643834636953643834636369543834695369543834636959543834636369536'
print (s)
for i in range(0,len(s),2):
    print (chr(int(s[i:i+2])),end='')
get:
S.$$$_+S.$__$+S.___+S.__$+S.$$$$+S.$$$_+S.$__$+S.__$+"-"+S.$_$$+S.$_$_+S.$$_$+S.$$_+"-"+S.$__+S.$_$_+S.$$$$+S.$$$+"-"+S.$__$+S.$__$+S.$$_+S._$$+"-"+S.$$_$+S.$_$_+S.$$_$+S.$___+S.__$+S._$_+S.$$$$+S.$_$+S.$$_+S._$_+S.$__+S.$$_$
This looks very much like jjcode. Replace "S" with "$"
and add the fixed header and ending:
$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+<put the ciphertext here>+"\"")())();
Use jjcode to decode it and get the
flag
pcap
The downloaded attachment is a traffic capture. Open it with wireshark
and trace the tcp stream:
one of the streams is shown below:
you can see the flag. Observe the pattern in the streams:
the streams containing flag information have a length of 91. Sort by length
and splice the pieces together stream by stream:
you can get the flag:
flag{d989e2b92ea671f5d30efb8956eab1427625c}
pcap_analysis
The downloaded attachment is a traffic capture.
Open it with wireshark and trace the tcp stream.
In one of the streams, we found the following picture:
spliced to get the flag: flag{323f986d429a689d3b96ad12dc5cbc701db0af55}
Wangding Cup 2020 boom
The downloaded attachment is an exe file; open it.
The first level gives an MD5 hash; crack it online:
Get the pass code: en5oy
The second level is a system of linear equations in three unknowns.
Brute-force it:
for x in range(100):
    for y in range(100):
        for z in range(100):
            if (3*x-y+z==185) and (2*x+3*y-z==321) and (x+y+z==173):
                print (x,y,z)
Get the solution:
74
68
31
The third level is a quadratic equation in one variable.
Brute-force it in the same way:
for x in range(1000000000):
    if(x*x+x==7943722218936282):
        print (x)
        break
Get the solution: 89127561
Finally get the flag: flag{en5oy_746831_89127561}