省赛

省赛初赛

I am so vegetable

Posted by JBNRZ on 2022-09-27
Estimated Reading Time 16 Minutes
Words 2.9k In Total
Viewed Times

我好菜啊啊啊

Web

nisc_easyweb

题解

  1. 使用 dirsearch 扫描目录,发现 robots.txt
    web 1
    web 1
  2. 访问 /api/record/ ,得到 api_test.php
    web 1
    web 1
  3. 访问,查看源代码,找到 hint
    web 1
  4. get 参数,得到 flag
    web 1

吃豆人吃豆魂

题解

  1. 访问网站,查看源代码
  2. 在 index.js 中发现 alert 函数与 经过 base64 加密的 flag
    web 31
  3. base64 解码,得到 flag
    web 32

Misc

checkin_gift

题解

  1. 下载附件,010打开,文件结尾发现 base64 加密内容
    gift

FIWOIxqEZyIWJwIHG01FH0qEJyEUJyERE0ynE01AIRMUAQEHH05XJx1FHIESGIWEFRWGESSBEREAFyWRFH1RAD==

  1. 根据字符替换码表

N-ZA-Mn-za-m0-9+/=
base32
gift

  1. flag

DASCTF{722433fc22f2e79959da2208d84cbb40}

m4a

题解

  1. 打开音频文件,很明显是一串摩尔斯密码,转换为 MP3,拖入 Audacity 查看波形图
    m4a
    m4a

1000 01 00001 00011 1000 1010 0 0010 1010 00111 11111 00001
BA43BCEFC204

  1. 010 查看 m4a 文件
    m4a
  2. 文件结尾有倒置的 PK 文件,写脚本
1
2
3
4
5
6
7
8
9
10
11
with open('1.m4a', 'rb') as rb:
    content = rb.read().hex()
a = content[::-2]
b = ' ' + content[::-1]
b = b[::2].replace(' ', '')
c = ''
for i in range(len(a)):
    c += b[i]
    c += a[i]
with open('1.txt', 'w') as w:
    w.write(c)
  1. 导入 010,运行 zip 模板删除多余内容,用 key 解压

(+w)v&LdG_FhgKhdFfhgahJfKcgcKdc_eeIJ_gFN

  1. 看 wp 知道这是 rot47+atbash
    m4a

DASCTF{5e0f98a95f79829b7a484a54066cb08f}

Unkn0wnData

题解

  1. 010 打开,结尾有类似 base64 的文字,magic 爆破加密
    unknown
    unknown
    unknown
    unknown
  2. 图片存在 LSB 隐写,保存 bin
    unknown
  3. 一个 zip,解压得到
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
data:
0000100000000000
00000c0000000000
00000e0000000000
00002a0000000000
0000100000000000
0000040000000000
0000080000000000
00002a0000000000
0000160000000000
00000b0000000000
00000c0000000000
00001c0000000000
00002a0000000000
00002c0000000000
0200340000000000
00002a0000000000
0200090000000000
00000c0000000000
0000110000000000
0000070000000000
0200170000000000
00002a0000000000
0200170000000000
00000b0000000000
0000080000000000
0000120000000000
00002a0000000000
0200150000000000
0000080000000000
0000040000000000
00000f0000000000
00000a0000000000
00002a0000000000
02000e0000000000
0000080000000000
00001c0000000000
00000a0000000000
00002a0000000000
0000040000000000
0000110000000000
0000070000000000
00000f0000000000
00002a0000000000
0200100000000000
0000040000000000
00000e0000000000
0000080000000000
0000080000000000
00002a0000000000
02000c0000000000
0000170000000000
02001e0000000000
0000070000000000
00002a0000000000
  1. 键盘流量(不会,先放个 0rays 的 wp
1
2
3
4
5
6
7
8
9
10
11
12
13
normalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e", "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j", "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o", "13":"p", "14":"q", "15":"r", "16":"s", "17":"t", "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y", "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4", "22":"5", "23":"6","24":"7","25":"8","26":"9","27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\","32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".","38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}

shiftKeys = {"04":"A", "05":"B", "06":"C", "07":"D", "08":"E", "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J", "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O", "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T", "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y", "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$", "22":"%", "23":"^","24":"&","25":"*","26":"(","27":")","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":"\"","34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}

keys = open('key.txt')
output = ""
for line in keys:
    k = line[1]
    n = line[4:6]
    if k == '0':
        print(normalKeys[n], end='')
    elif k == '2':
        print(shiftKeys[n], end='')

mikmaeshiy:FindTTheoRealgKeygandlMakeeIt!d
mimashi FindTheRealKeyandMakeIt!

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
normalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e", "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j", "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o", "13":"p", "14":"q", "15":"r", "16":"s", "17":"t", "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y", "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4", "22":"5", "23":"6","24":"7","25":"8","26":"9","27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\","32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".","38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}

shiftKeys = {"04":"A", "05":"B", "06":"C", "07":"D", "08":"E", "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J", "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O", "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T", "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y", "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$", "22":"%", "23":"^","24":"&","25":"*","26":"(","27":")","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":"\"","34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}

keys = open('key.txt')
output = ""
for line in keys:
    k = line[1]
    n = line[4:6]
    if n == '2a':
        print(output[-1], end='')
    if k == '0':
        output += normalKeys[n]
    elif k == '2':
        output += shiftKeys[n]

key:Toggled

  1. emoji-aes 在线解码

https://aghorler.github.io/emoji-aes/#

  1. 0rays 手动解码
1
2
3
4
5
6
7
8
9
10
import base64
from Crypto.Cipher import AES
import string
emojisInit="🍎🍌🏎🚪👁👣😀🖐ℹ😂🥋✉🚹🌉👌🍍👑👉🎤🚰☂🐍💧✖☀🦓🏹🎈😎🎅🐘🌿🌏🌪☃🍵🍴🚨📮🕹📂🛩⌨🔄🔬🐅🙃🐎🌊🚫❓⏩😁😆💵🤣☺😊😇😡🎃😍✅🔪🗒"
alpha = string.ascii_lowercase+string.ascii_uppercase+string.digits+"+/="
a = "🙃💵🌿🎤🚪🌏🐎🥋🚫😆✅🍍🎤🐘🌏ℹ⌨😍🎈✉🤣🛩🍌🚪🍴ℹ☺🚹❓🍴🔬🌪🍵👣🔄☃👌😎👌🔄👌🔪🍌👁🍍🍌🌏🎃🚰🍵🐍🎅✅🍍🦓😎😊🤣🏹🍍💧🔄🔄🤣👁🥋🚫☺🍴😁🚫😇🚰⏩😍🌿💵🦓😇🛩✖🕹🐎📂📂💧🗒🗒"
base64data = ""
for i in a:
    base64data += alpha[emojisInit.index(i)]
print(base64data)

U2FsdGVkX1+psEGiQ9Bl3PbdKi4mYKSHJfRIoCoRo/bepbG8tJvD+pzC53ApwRR3ekX4K0X6tZ9F2z6PxNVOOw==

  1. aes 解密

DASCTF{ad15eecd2978bc5c70597d14985412c4}

好怪啊

题解

  1. 下载附件,010打开,发现结尾处存在 kp 怀疑是倒置的zip文件
    misc
  2. 写代码复原
1
2
3
4
5
6
7
a = ... # 复制的原 16进制编码
b = []
a = a.split()
for i in range(len(a)):
    b.append(a[len(a) - i - 1])
with open('a.txt', 'w') as w:
    w.write(''.join(b))
  1. 导入至010editor,保存为test.zip,解压得到 flag.png
    misc
  2. 发现文件头不对,修改文件头,得到正常图片
    misc
    misc
  3. 高度经过修改,将 25改为50,得到最终图片
    misc
    misc
  4. 得到flag
    misc

奇怪的棋盘

题解

  1. 给了一个棋盘,是典型的ADFGVX 密码所用到的棋盘,但是txt中只有11,14,21,22,51,53这六种情况,甚至没有6的出现,所以应该不是直接对应ADFGVX密码,而是对应了波利比奥斯方阵
1
2
3
4
5
a b c d e
f g h i/j k
l m n o p
q r s t u 
v w x y z
  1. 写一个脚本转化一下
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
b = "11,22,11,53,53,14,11,22,22,51,22,22,51,14,51,11,14,11,51,53,14,22,11,14,51,22,14,51,11,11,14,14,14,14,21,53,11,21,11,21,14,22,14,51,53,53,14,22,22,14,22,22,14,53,14,14,21,14,14,53,51,22,53,11,14,22,51,14,21,53,51,51,11,11,14,14,53,14,53,53,11,14,14,51,22,22,22,53,22,53,53,53,53,22,53,53,22,22,53,22,14,51,51,51,22,22,22,11,22,11,11,11,11,22,11,11,22,22,11,22,14,14,14,11,22,11,22,22,22,11,22,22,11,22,11,22,11,11,11,51,11,11,11,53,22,53,22,22,22,53,22,22,53,22,53,22,53,53,53,51"
s = b.split(',')
print(s)
ans = ""
bns = ""
print(int(s[0][1]))
for i in range(len(s)):
    if s[i] == '11':
        ans = ans + 'A'
    if s[i] == '14':
        ans = ans + 'D'
    if s[i] == '22':
        ans = ans + 'G'
    if s[i] == '21':
        ans = ans + 'F'
    if s[i] == '51':
        ans = ans + 'V'
    if s[i] == '53':
        ans = ans + 'X'
print(ans)
  1. 对图片进行 LSB 隐写分析,得到 base32 加密的 keyword

LastKey{Yusayyds}

  1. 得到ADFGVX密码的密文,解密
1
2
3
4
key square:ph0qg64mea1yl2nofdxkr3cvs5zw7bj9uti8
key words:Yusayyds
密文:AGAXXDAGGVGGVDVADAVXDGADVGDVAADDDDFXAFAFDGDVXXDGGDGGDXDDFDDXVGXADGVDFXVVAADDXDXXADDVGGGXGXXXXGXXGGXGDVVVGGGAGAAAAGAAGGAGDDDAGAGGGAGGAGAGAAAVAAAXGXGGGXGGXGXGXXXV
解密:4441534354467b64383539633431633533306166633163316164393461626439326634626166387d
  1. 解密得到 flag

hex解密:DASCTF{d859c41c530afc1c1ad94abd92f4baf8}

感谢 Artone 学长的 WriteUp

SegmentFlow

题解

  1. 双击打开压缩包,发现里面包含了很多小文件,可以同 crc 爆破密码
    segmentFlow 1
  2. 写代码
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
import binascii
import string

dic = string.printable  # 打印出字符表
crc1 = 0xCE70D424
crc2 = 0xC3F17511
crc3 = 0xF90C8A70
crc4 = 0xF8AB2771
crc5 = 0xC0CE8EE6
crc6 = 0xB2A6CDE9
crc7 = 0x8637FA85
print(dic)
for i in dic:
    for j in dic:
        for n in dic:
            for m in dic:
                s = (i + j + n + m).encode()
                if crc1 == (binascii.crc32(s)):  # python 2.x 需要加上  & 0xffffffff 转为 无符号整数
                    text1 = s
                if crc2 == (binascii.crc32(s)):
                    text2 = s
                if crc3 == (binascii.crc32(s)):
                    text3 = s
                if crc4 == (binascii.crc32(s)):
                    text4 = s
                if crc5 == (binascii.crc32(s)):
                    text5 = s
                if crc6 == (binascii.crc32(s)):
                    text6 = s
                if crc7 == (binascii.crc32(s)):
                    text7 = s


print(text1 + text2 + text3 + text4 + text5 + text6 + text7)

password is gZinflAte_BasE64

  1. 解压,得到流量包

如果您喜欢此博客或发现它对您有用,则欢迎对此发表评论。 也欢迎您共享此博客,以便更多人可以参与。 如果博客中使用的图像侵犯了您的版权,请与作者联系以将其删除。 谢谢 !

特色标签
省赛
链友
ESC