DDCTF-2018: writeup for some of the challenges

After playing for several days, I ended up with only more than 80 people. I'm good at cooking.jpg

0x00  (╯°□°)╯︵ ┻━┻ 

Challenge:

(╯°□°)╯︵ ┻━┻

d4e8e1f4a0f7e1f3a0e6e1f3f4a1a0d4e8e5a0e6ece1e7a0e9f3baa0c4c4c3d4c6fbb9e1e6b3e3b9e4b9b3b7b7e2b6b1bbeb0eb2b3b3b3b9b7b7b7e2b6b1b1b0eb2b2b3

At first, I was misled by this (╯°□°)╯︵ ┻━┻ and thought it was jjencode. After trying for a long time, there was no result. Later, someone said it was flipping.

Here is the script:

# Hex string to decode
s='d4e8e1f4a0f7e1f3a0e6e1f3f4a1a0d4e8e5a0e6ece1e7a0e9f3baa0c4c4c3d4c6fbb9e1e6b3e3b9e4b3b7b7e2b6b1e4b2b6b9e2b1b1b3b3b7e6b3b3b0e3b9b3b5e6fd'
'''
s1=''
for x in range(len(s)//2):
    s1+=chr((int(s[x*2:x*2+2],16))%128)
print(s1)
'''

# Try shifts 0..19: subtract j from every byte, then reduce mod 128
for j in range(20):
    s1=''
    for x in range(len(s)//2):
        s1+=chr((int(s[x*2:x*2+2],16)-j)%128)
    print(s1)

 

0x01 Fourth extended FS

Challenge: Company D is investigating an internal data breach and has identified Xiao Ming as a suspect. Forensic investigators obtained a picture from Xiao Ming's mobile phone that aroused suspicion. This is a giveaway challenge and the hint is already in the challenge text: in routine violation audits, frequency is sometimes very important. https://pan.baidu.com/s/1DJpMFU2lajHGTo0yfzTHVQ Password: fpp4

There are many pitfalls in this challenge. From the challenge name you can tell that the file is an ext4 image. First open it with an archive tool and look inside.

Because I haven't had much contact with the ext4 file system, I didn't know what the journal file is used for. A Baidu search later told me that it is the file system journal, so I considered mounting the image on Linux, but that was unsuccessful.

There is also an encrypted file.txt. I scanned the file with binwalk and found that these two files are the same.

To find the password for file.txt, open the jpg with WinHex: the picture turns out to contain some sensitive information. Then view the picture's properties directly to find the decompression password.

Unzip and open file.txt

Following the "frequency" hint, count the frequency of each character with the script below to get the flag.

import collections

# Count how often each character occurs in the extracted file
with open('file.txt', 'r') as f:
    print(collections.Counter(f.read()))

0x02 Traffic Analysis

Challenge: Hint 1: If you think a step along the way is error-prone and want to check whether your result is correct, you can compare the MD5: 90c490781f9c320cd1ba671fcb112d1c
Hint 2: Remember to complete the private key format
-----BEGIN RSA PRIVATE KEY-----
XXXXXXX
-----END RSA PRIVATE KEY-----

The packet capture given for this challenge is very large and has many pitfalls. Near the start of the capture, two encrypted archives, fl-g.zip and sqlmap-dev.zip, are transferred over FTP. You will also find SSL-encrypted traffic, which is the key to this challenge.

The first two archives may be Easter eggs in this challenge, but I really couldn't figure them out... So I skipped them and exported the mail directly.

Import the exported mail into a QQ mailbox to view it, and you can find this

 

Here is the key to this challenge. There is a large base64 string in the capture. Decoding it gives the RSA private key. Put the key into the private key format from the hint, then use it to decrypt the SSL traffic.

 

 

0x03 Secure Communication

Challenge: Connect with nc XXXX.XXXX.XXXX.XXXX XXXX to answer the challenge. The mission key is b9ba15b341c847c8beba85273f9b7f90, and the agent id can be anything you like.

#!/usr/bin/env python
# Challenge server source (Python 2)
import sys
import json
from Crypto.Cipher import AES
from Crypto import Random


def get_padding(rawstr):
    # Zero-byte padding up to the next multiple of 16
    remainder = len(rawstr) % 16
    if remainder != 0:
        return '\x00' * (16 - remainder)
    return ''


def aes_encrypt(key, plaintext):
    plaintext += get_padding(plaintext)
    # ECB mode: every 16-byte block is encrypted independently
    aes = AES.new(key, AES.MODE_ECB)
    cipher_text = aes.encrypt(plaintext).encode('hex')
    return cipher_text


def generate_hello(key, name, flag):
    message = "Connection for mission: {}, your mission's flag is: {}".format(name, flag)
    return aes_encrypt(key, message)


def get_input():
    return raw_input()


def print_output(message):
    print(message)
    sys.stdout.flush()


def handle():
    print_output("Please enter mission key:")
    mission_key = get_input().rstrip()

    print_output("Please enter your Agent ID to secure communications:")
    agentid = get_input().rstrip()
    rnd = Random.new()
    # One random 16-byte key per connection
    session_key = rnd.read(16)

    flag = '<secret>'
    print_output(generate_hello(session_key, agentid, flag))
    while True:
        print_output("Please send some messages to be encrypted, 'quit' to exit:")
        msg = get_input().rstrip()
        if msg == 'quit':
            print_output("Bye!")
            break
        enc = aes_encrypt(session_key, msg)
        print_output(enc)


if __name__ == "__main__":
    handle()

Analysis of the code shows that the challenge uses AES in ECB mode, which happened to come up in my cryptography class these days. ECB is a very insecure mode, and there are good examples on the wiki. I will only describe the method here, because I brute-forced it by hand and did not write a one-click script.

1. In this challenge, the agent_id you enter is placed into a message with the following structure:

Connection for mission: {agent_id}, your mission's flag is: followed by a string of the form DDCTF{32 characters}

The message is encrypted with a randomly generated 16-byte key, which does not change during a connection.

2. Because AES works on fixed-size blocks, the length of the flag can be determined to be 32 characters by changing the length of the agent_id input, as shown in the following figure

3. Because AES splits the string into 16-byte blocks, entering 12345678 as the agent_id produces one extra block that holds only }, and from the script we know it is padded with 0 bytes.

4. Because of how AES-ECB works, that last block holding } encrypts to the same ciphertext as a } sent on its own. So the flag can be brute-forced: keep changing the length of agent_id and brute-force to get the flag.
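Steps 1 to 4 above, run against a local simulation of the challenge server (an added example, not part of the original writeup or the challenge code). The flag is a constructed sample, the names `Session`, `hello_length` and `recover_flag` are hypothetical, and truncated HMAC-SHA256 stands in for AES so that only the standard library is needed; the leak relies only on each block being encrypted deterministically and independently.

```python
import hashlib, hmac, os, string

BLOCK = 16
TEMPLATE = "Connection for mission: {}, your mission's flag is: {}"
FLAG = "DDCTF{0123456789abcdef0123456789abcdef}"  # constructed sample flag
ALPHABET = string.ascii_letters + string.digits + "{}"


def ecb_encrypt(key, text):
    """Zero-pad like the challenge, then transform each 16-byte block alone.
    Assumption: truncated HMAC-SHA256 stands in for AES (stdlib only)."""
    data = text.encode()
    data += b"\x00" * (-len(data) % BLOCK)
    return [hmac.new(key, data[i:i + BLOCK], hashlib.sha256).digest()[:BLOCK]
            for i in range(0, len(data), BLOCK)]


class Session:
    """One connection: fresh key, one hello message, then an oracle."""
    def __init__(self, agent_id):
        self.key = os.urandom(16)
        self.hello = ecb_encrypt(self.key, TEMPLATE.format(agent_id, FLAG))

    def encrypt(self, msg):
        return ecb_encrypt(self.key, msg)


def hello_length():
    """Step 2: grow agent_id until a block is added; that reveals the length."""
    base = len(Session("").hello)
    pad = next(n for n in range(1, BLOCK + 1)
               if len(Session("A" * n).hello) > base)
    return base * BLOCK - pad + 1


def recover_flag(total_len, flag_len):
    """Steps 3-4: put the unknown tail on a block boundary, match one char."""
    known = ""
    while len(known) < flag_len:
        want = len(known) + 1  # tail length that must start a block
        s = Session("A" * ((want - total_len) % BLOCK))
        target = s.hello[(-want) // BLOCK]  # first block of the aligned tail
        known = next(c for c in ALPHABET
                     if s.encrypt(c + known)[0] == target) + known
    return known


if __name__ == "__main__":
    n = hello_length()
    print(n, recover_flag(n, n - len(TEMPLATE.format("", ""))))
```

A mode that uses a fresh random IV or nonce for every message (for example AES-GCM) makes equal plaintext blocks encrypt differently, so the block comparison in `recover_flag` no longer matches.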

 
