2023SHCTF-MISC

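[WEEK1]Maybe you need some py

hint: Why does this flag have no regard for upper and lower case?
Extracting the archive requires a password. Opening the archive in 010 Editor shows Morse code at the end of the file.

Decoding it gives AHIS1SY0UKEN, which is rejected as the password; following the hint, convert it to lowercase: this1sy0ukey. Next, dragging flag into 010 Editor shows it is a PNG file with a damaged file header; restore the header.

This yields an MD5 value.

Clearly the flag has to be brute-forced against the MD5.
exp: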

import hashlib

def md5(s):
    # Hex MD5 digest of a UTF-8 string
    h = hashlib.md5()
    s = s.encode('utf-8')
    h.update(s)
    return h.hexdigest()

def check(k, s):
    # Apply the case mask k to s: the n-th letter is upper-cased when k[n] == '1'
    ind = 0
    ss = ''
    for i in s:
        if i.isalpha():
            if k[ind] == '1':
                ss += i.upper()
            else:
                ss += i
            ind += 1
        else:
            ss += i
    return ss

ans = '63e62fbce22f2757f99eb7da179551d2'
s = 'pNg_and_Md5_SO_GreaT'.lower()

cnt = 0  # number of letters
for i in s:
    if i.isalpha():
        cnt += 1

# Try every upper/lower-case combination of the letters
for i in range(2**cnt):
    k = bin(i)[2:].zfill(cnt)
    out = check(k, s)
    if md5(out) == ans:
        print('flag{' + out + '}')
        break

[WEEK1]ez-misc

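Opening 01game.txt shows a string of 0 and 1 characters. This could be a base conversion, Morse code, a QR code or the like; here, try converting the binary to a QR code.
exp: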

from PIL import Image

strings = open('D:/桌面/SHCTF/1.txt', 'r').read()
print(strings)

# 29 x 29 modules, one pixel per module
pic = Image.new("RGB", (29, 29))
num = 0

for x in range(29):
    for y in range(29):
        if strings[num] == '1':
            pic.putpixel((x, y), (0, 0, 0))        # '1' -> black
        else:
            pic.putpixel((x, y), (255, 255, 255))  # '0' -> white
        num += 1

pic.show()

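Scanning it gives hit_k1sme4_4_fun; extracting the archive yields flag; identifying the file type shows it is an archive.

Dragging it into 010 Editor shows 0 and 1 characters at the end of the file; converting them gives rockyou.

This tells us a weak password is in use, so simply brute-force it.

Once it is open, it is obviously a case for character-frequency analysis.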

[WEEK1]Jaeger lover

hint:do you know Pacific Rim?(all have 4 steg,every image file have 2 steg)
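Dragging the image into 010 Editor shows a string at the end of the file.

Decoding it gives

you know the Windows is a system for PC,but do you know the what is thr Op. System for this Jaeger? It asks us to find the Jaeger's operating system. This tests search skills; an article turns up the answer: Tri-Sun Horizon Gate

This turns out not to be the archive password. Next, consider that the image contains steganography; based on the hint, steghide is a reasonable guess.
Running steghide extract -sf Typhoon.jpg -p "Tri-Sun Horizon Gate" gives .*+#1Ao/aeS
Extracting the archive gives an image. Its height differs somewhat from the image in the article; running it through a tool gives key=K34-759183-191

Going by the image name, secret, try decrypting with oursecret, selecting the repaired image, password: K34-759183-191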

[WEEK1]Steganography



Combining the password parts gives 12ercsxqwed909jk
flag{4d72e4f3-4d4f-4969-bc8c-a2f6f7a4292c}

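[WEEK1]Cute Paimon

hint: Paimon has hidden some things; can you find them?
Following the hint, use foremost to carve out an archive. It contains two txt documents whose contents are very similar, which suggests the flag is the part where they differ.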

[WEEK2]Far away, yet right before your eyes

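[WEEK2]Strange screenshot

hint: Who would have thought a cropped screenshot could leak secrets too……
This challenge tests the same point as snippingTools from the XCTF international league *CTF2023;
the tool used is https://github.com/frankthetank-music/Acropalypse-Multi-Tool

Clearly a Hundred Family Surnames cipher; just decode it.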

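[WEEK2]The code in the table

hint: A thin dog goes with a thick person, j_0k3r goes with me )
After getting the attachment, the format makes it clear that it is an xlsx file.

Change the extension to xlsx and open it directly. It is a 29*29 square, which together with the challenge title suggests a QR code. Clicking around the sheet shows that some cells use a bold font and some do not; these two states map exactly to black and white, so try replacing bold with black.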
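One way to read the bold/non-bold pattern straight from the workbook's XML with the standard library only. This is an added example, not the author's script: `bold_bitmap` and the two sample XML strings are constructed for illustration, and it assumes every cell of each row is present in the sheet XML.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}

def bold_bitmap(styles_xml, sheet_xml):
    """Return one '0'/'1' string per row: '1' where the cell's font is bold."""
    styles = ET.fromstring(styles_xml)
    font_is_bold = []
    for font in styles.findall("m:fonts/m:font", NS):
        b = font.find("m:b", NS)  # <b/> marks a bold font, <b val="0"/> does not
        font_is_bold.append(b is not None and b.get("val", "1") not in ("0", "false"))
    # A cell's s="N" attribute indexes cellXfs; each xf points at a font via fontId
    xf_is_bold = [font_is_bold[int(xf.get("fontId", "0"))]
                  for xf in styles.findall("m:cellXfs/m:xf", NS)]
    rows = []
    for row in ET.fromstring(sheet_xml).findall("m:sheetData/m:row", NS):
        rows.append("".join("1" if xf_is_bold[int(c.get("s", "0"))] else "0"
                            for c in row.findall("m:c", NS)))
    return rows

# Constructed sample: font 0 is regular, font 1 is bold; a 2 x 3 sheet.
SAMPLE_STYLES = (
    '<styleSheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
    '<fonts count="2"><font><sz val="11"/></font><font><b/><sz val="11"/></font></fonts>'
    '<cellXfs count="2"><xf fontId="0"/><xf fontId="1"/></cellXfs>'
    '</styleSheet>'
)
SAMPLE_SHEET = (
    '<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
    '<sheetData>'
    '<row r="1"><c r="A1" s="1"><v>1</v></c><c r="B1" s="0"><v>0</v></c><c r="C1" s="1"/></row>'
    '<row r="2"><c r="A2" s="0"/><c r="B2" s="1"/><c r="C2" s="0"/></row>'
    '</sheetData></worksheet>'
)

if __name__ == "__main__":
    # For a real workbook, read xl/styles.xml and the sheet XML with zipfile.ZipFile.
    print("\n".join(bold_bitmap(SAMPLE_STYLES, SAMPLE_SHEET)))
```

The resulting rows of 0 and 1 can be rendered with the same PIL loop used in ez-misc.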

[WEEK2]The secret in the picture

hint: Can the Blind Monk build Mercury's Treads?

Use binwalk -e to extract the 尊嘟假嘟 image;

after trying several image steganography methods, it turns out to be a blind watermark.

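[WEEK2]Cute Roxy

hint: Hand over all of your detailed information!
After some attempts, it turns out to be the well-worn pseudo-encryption trick.



Changing 09 to 00 fixes it. After extracting, there is a large amount of text which, after some attempts, turns out to be a base64-encoded image.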
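The pseudo-encryption repair above, done programmatically. This is an added example, not the author's code: the function names are hypothetical, the sample archive is constructed in memory, and it assumes the edited 09 is the general-purpose flag field of the ZIP headers. It clears only bit 0 (the "encrypted" bit), whereas the hex edit above zeroes the whole byte.

```python
import io
import struct
import zipfile

ENCRYPTED = 0x0001  # bit 0 of the general-purpose flag field

def clear_encrypted_flag(data):
    """Clear the 'encrypted' bit in every central-directory and local header."""
    buf = bytearray(data)
    eocd = buf.rfind(b"PK\x05\x06")  # end-of-central-directory record
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # total entries (2 bytes), directory size (4), directory offset (4)
    count, _size, pos = struct.unpack_from("<HII", buf, eocd + 10)
    for _ in range(count):
        if buf[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("bad central directory entry")
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", buf, pos + 28)
        local, = struct.unpack_from("<I", buf, pos + 42)  # local header offset
        for off in (pos + 8, local + 6):  # flag field in central / local header
            flag, = struct.unpack_from("<H", buf, off)
            struct.pack_into("<H", buf, off, flag & ~ENCRYPTED)
        pos += 46 + name_len + extra_len + comment_len
    return bytes(buf)

def make_fake_encrypted_zip():
    """Constructed sample: an unencrypted entry whose central flag says 0x0009."""
    mem = io.BytesIO()
    with zipfile.ZipFile(mem, "w") as zf:
        zf.writestr("hint.txt", b"not really encrypted")
    buf = bytearray(mem.getvalue())
    cd = buf.find(b"PK\x01\x02")
    struct.pack_into("<H", buf, cd + 8, 0x0009)
    return bytes(buf)

def read_first(data):
    """Read the first member; zipfile raises RuntimeError if it is flagged encrypted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(zf.namelist()[0])

if __name__ == "__main__":
    print(read_first(clear_encrypted_flag(make_fake_encrypted_zip())))
```

If an entry really is encrypted, clearing the bit does not help: the CRC check fails when the member is read.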

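Going by the hint, the point of this challenge is the image's EXIF information; extract it with a tool.

Converting it to ASCII gives slno{Rbky_qiifhkv!}; this is either Caesar or Vigenère. After trying, it is not Caesar, so try Vigenère and look for any information not yet extracted; in the end the key is found, confirming it is Vigenère.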

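[WEEK2]Wedding Card Street

hint: Wedding Card Street has to have a "wedding card", ok?

Audio steganography that takes a key comes down to just a few tools; extract with steghide: steghide extract -sf music.wav -p LeeTung
The extracted content turns out to be Ook! encoding: flag{w@v2txt_s0_Int3r3st1ng!}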

[WEEK3]ez_usb

Keyboard traffic has a data length of 8, so it can be filtered with usb.data_len == 8; there are two channels, 2.8.1 and 2.10.1. Extract each one separately.

tshark -r "ez_usb.pcapng" -Y "usb.src==\"2.8.1\" && usb.dst==host" -T fields -e usbhid.data > a.txt
tshark -r "ez_usb.pcapng" -Y "usb.src==\"2.10.1\" && usb.dst==host" -T fields -e usbhid.data > b.txt


Then decode the data with the packet conversion script from the wp

# USB HID key code -> character, no modifier held
mappings_a = {0x04: "a", 0x05: "b", 0x06: "c", 0x07: "d", 0x08: "e", 0x09: "f", 0x0a: "g", 0x0b: "h", 0x0c: "i",
              0x0d: "j", 0x0e: "k", 0x0f: "l", 0x10: "m", 0x11: "n", 0x12: "o", 0x13: "p", 0x14: "q", 0x15: "r",
              0x16: "s", 0x17: "t", 0x18: "u", 0x19: "v", 0x1a: "w", 0x1b: "x", 0x1c: "y", 0x1d: "z", 0x1e: "1",
              0x1f: "2", 0x20: "3", 0x21: "4", 0x22: "5", 0x23: "6", 0x24: "7", 0x25: "8", 0x26: "9", 0x27: "0",
              0x28: "[enter]", 0x2a: "[del]", 0x2b: "[tab]", 0x2c: " ", 0x2d: "-", 0x2e: "=", 0x2f: "[", 0x30: "]",
              0x31: "\\",
              0x32: "~", 0x33: ";", 0x34: "'", 0x36: ",", 0x37: ".", 0x39: "[cap]"}
# USB HID key code -> character, modifier byte 0x20 (right Shift) set
mappings_A = {0X04: "A", 0X05: "B", 0X06: "C", 0X07: "D", 0X08: "E", 0X09: "F", 0X0A: "G", 0X0B: "H", 0X0C: "I",
              0X0D: "J", 0X0E: "K", 0X0F: "L", 0X10: "M", 0X11: "N", 0X12: "O", 0X13: "P", 0X14: "Q", 0X15: "R",
              0X16: "S", 0X17: "T", 0X18: "U", 0X19: "V", 0X1A: "W", 0X1B: "X", 0X1C: "Y", 0X1D: "Z", 0X1E: "1",
              0X1F: "2", 0X20: "3", 0X21: "4", 0X22: "5", 0X23: "6", 0X24: "7", 0X25: "8", 0X26: "9", 0X27: "0",
              0X28: "[ENTER]", 0X2A: "[DEL]", 0X2B: "[TAB]", 0X2C: " ", 0X2D: "-", 0X2E: "=", 0X2F: "[", 0X30: "]",
              0X31: "\\",
              0X32: "~", 0X33: ";", 0X34: "'", 0X36: ",", 0X37: ".", 0X39: "[CAP]"}

def decode(path):
    # Each line is one 8-byte HID report in hex: byte 0 = modifiers, byte 2 = first key code
    data = ""
    with open(path, 'r') as f:
        for line in f:
            line = line.strip()
            if not line:
                continue  # tshark prints an empty line for packets without usbhid.data
            a = bytes.fromhex(line)
            if len(a) < 3 or a[2] == 0:
                continue  # no key pressed in this report
            if a[0] == 0:
                data += mappings_a[a[2]]
            elif a[0] == 0x20:
                data += mappings_A[a[2]]
    return data

print(decode("D:/桌面/SHCTF/a.txt"))
print(decode("D:/桌面/SHCTF/b.txt"))
'''
[tab]526172211a0700[cap]c[cap]f907300000d000000000000002f507424943500200000002[cap]0000000[cap]02a3021b4d577f06551d33080020080000666c61672e[cap][cap]747874[cap]7cc[cap]34ada98d[cap]a[cap]7d[cap]020[cap]0f035680325f6866372[cap]47[cap]92af0b91c[cap]e8[cap]6c1b46ed4b180d5a[cap]8a7[cap]c626ad[cap]b5ceb2f[cap]f8cf1[del]2[cap][cap][cap]4[cap][cap]a[del][cap][cap]8[del][cap][cap][cap][cap][cap][del]4[cap]104c43d7b0040070[cap][cap][cap][cap][cap][cap][cap][cap][cap][cap][cap][cap][cap]0a[del]


### 526172211a0700cf907300000d000000000000002f507424943500200000002000000002a3021b4d577f06551d33080020080000666c61672e7478747cc34ada98da7d0200f035680325f68663724792af0b91ce86c1b46ed4b180d5a8a7c626adb5ceb2ff8cf24104c43d7b00400700

adabb04a5e9a6c33
'''

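52 61 72 21 is the rar file header. Case does not affect hex, so ignore [cap]; [tab] appears only once at the start and can also be ignored; [del] deletes the previous keystroke.
Finally, save the hex as a rar file and use the other string as the password.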
flag{c6bd1c7bcfef89ffbf59d86ccaf97d3c}
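The clean-up rules just described ([cap] and [tab] ignored, [del] removes the previous character, result written out as bytes) as an added example that is not part of the original write-up. The function names are hypothetical; the two sample strings are excerpts of the decoded output shown above.

```python
import re

RAR4_MAGIC = bytes.fromhex("526172211a0700")  # "Rar!" 1a 07 00

# A bracketed special key, or any single character
TOKEN = re.compile(r"\[(?:cap|tab|del)\]|.", re.IGNORECASE)

def replay_keystrokes(decoded):
    """Apply the editing keys and return the text that was actually typed."""
    out = []
    for tok in TOKEN.findall(decoded):
        low = tok.lower()
        if low in ("[cap]", "[tab]"):
            continue              # no effect on hex digits
        if low == "[del]":
            if out:
                out.pop()         # removes the previous character, not the previous key event
            continue
        if low.isspace():
            continue              # line-wrap residue, not a keystroke
        out.append(low)
    return "".join(out)

def keystrokes_to_rar(decoded):
    """Convert the replayed hex text to bytes and check the RAR signature."""
    blob = bytes.fromhex(replay_keystrokes(decoded))  # ValueError on odd or bad hex
    if not blob.startswith(RAR4_MAGIC):
        raise ValueError("not a RAR archive")
    return blob

# Excerpts from the decoded output above (start of the stream, and the part with [del]).
HEAD = "[tab]526172211a0700[cap]c[cap]f9073"
TAIL = ("f8cf1[del]2[cap][cap][cap]4[cap][cap]a[del][cap][cap]8[del]"
        "[cap][cap][cap][cap][cap][del]4[cap]104c")

if __name__ == "__main__":
    print(replay_keystrokes(TAIL))
    print(keystrokes_to_rar(HEAD).hex())
```

Running `keystrokes_to_rar` on the full decoded string and writing the returned bytes to a file gives the archive to open with the second string.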

[WEEK3]strange data

hint: android data, adb shell getevent, https://www.kernel.org/doc/html/v4.14/input/event-codes.html

[WEEK3]QR code

hint: Such a strange QR code, not sure, look again, it is still so strange