2023 羊城杯 (Yangcheng Cup) misc writeup

Below is my writeup of the misc challenges from this year's 羊城杯. While writing it I referred to code from teammates and from toto (a fellow player) and learned a fair amount.

1. ai和nia的交响曲

Open the packet capture and export the HTTP objects.

A flag2.zip can be extracted from them. Looking through the capture, upload.php receives an uploaded PNG; carve it out with 010 Editor.

Inside is an image like this; at the time I tried all sorts of methods without getting the point of it.

When that happens, consider extracting the pixel values.

Extract the pixels, turn them into a bit string, and then convert the bits to ASCII.

Note that only two cases matter when extracting: the image is visibly black and white, so read the red channel and map white to 1 and black to 0.

The threshold can be chosen from the pixel values themselves.

Anything above 200 can be treated as white, i.e. 1 (any threshold between the two clusters gives the same bits; the script below uses 127).

I studied another player's script and modified it to print the ASCII directly:

from PIL import Image

# Force RGB so getpixel always yields a 3-tuple (an RGBA or palette PNG would
# otherwise break the unpacking below).
im = Image.open('flag.png').convert('RGB')
width, height = im.size

# One bit per pixel: the image is effectively black/white, so any threshold
# between the two clusters works (the text above used 200; 127 gives the same bits).
bits = ''
for x in range(width):          # column by column, as in the original script
    for y in range(height):
        r, g, b = im.getpixel((x, y))
        bits += '1' if r > 127 else '0'

# Group into bytes and print as ASCII; a trailing partial byte is dropped.
for i in range(0, len(bits) - len(bits) % 8, 8):
    print(chr(int(bits[i:i + 8], 2)), end='')
print()

That gives a BV number and the first part of flag1; a BV number is a Bilibili video ID.

flag2.zip is pseudo-encrypted (the encryption bit is set in the zip headers but the data is not actually encrypted); after extracting, it is a txt that turns out to contain zero-width steganography. The tell for zero-width characters is that the string is longer than what you see: I noticed it when I pressed Backspace once and nothing visible disappeared, which is how I guessed it.

I then guessed that it corresponds to letters that appear at certain moments of the video.

Combining that with the hint given at the end,

the letters spell CAOCAOGAIFAN, and the final flag is @i_n1a_l0v3S_CAOCAOGAIFAN.

There is also a more nerve-wracking way: look at the image in Stegsolve.

Pick any single colour channel, but it has to be a high bit plane (plane 4 or above); the hint is visible there directly.

2. EZmisc

We get an image; first brute-force its height and width (the IHDR CRC still matches the original dimensions, so the right values can be found by trying candidates).

After fixing them the image displays.

It looks like a screenshot, which suggests the screenshot-cropping CVE: a cropped screenshot file keeps the original image data after the IEND chunk (the aCropalypse class of bug), so the uncropped content can be recovered.

Run the recovery tool for that CVE.

Command:

python3 ./gui.py

When I first looked at the challenge's background it already felt like the Windows 11 Notepad background, and together with "screenshot" the CVE comes to mind quickly.
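As an added example (not the page's code, nor the recovery tool's), the following PNG chunk walker covers both steps of this challenge: recovering forged dimensions by testing candidates against the IHDR CRC, and reporting data left behind after IEND, which is what the screenshot-cropping bug relies on. The sample PNG is constructed inside the script; all function names are my own.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def parse_chunks(data: bytes):
    """Return ([(type, body, stored_crc), ...], offset just past IEND)."""
    if data[:8] != PNG_SIG:
        raise ValueError("missing PNG signature")
    pos, out = 8, []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack_from(">I", data, pos + 8 + length)
        out.append((ctype, body, crc))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return out, pos


def recover_dimensions(data: bytes, limit: int = 10000):
    """Width/height are the first 8 bytes of IHDR and the chunk CRC covers
    them, so a value edited by hand no longer matches the CRC.  Try every
    height (keeping the stored width), then every width, until one does."""
    chunks, _ = parse_chunks(data)
    ctype, body, crc = chunks[0]
    if ctype != b"IHDR" or len(body) != 13:
        raise ValueError("first chunk is not a valid IHDR")
    width, height = struct.unpack(">II", body[:8])
    if zlib.crc32(ctype + body) == crc:
        return width, height                      # header untouched
    for h in range(1, limit):
        if zlib.crc32(ctype + struct.pack(">II", width, h) + body[8:]) == crc:
            return width, h
    for w in range(1, limit):
        if zlib.crc32(ctype + struct.pack(">II", w, height) + body[8:]) == crc:
            return w, height
    raise ValueError("no single-field candidate matches the IHDR CRC")


def trailing_bytes(data: bytes) -> bytes:
    """Anything after IEND.  Viewers ignore it, which is exactly where a
    truncated (cropped) screenshot leaves the original image data."""
    _, end = parse_chunks(data)
    return data[end:]


def make_png(width: int, height: int) -> bytes:
    """Constructed sample: an 8-bit grayscale PNG built by hand (no PIL)."""
    def chunk(ctype, body):
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))
    rows = b"".join(b"\x00" + bytes((x * 37 + y * 11) & 0xFF for x in range(width)) for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b"")


def forge_height(png: bytes, new_height: int) -> bytes:
    """Overwrite the IHDR height without fixing the CRC, as a challenge does."""
    buf = bytearray(png)
    struct.pack_into(">I", buf, 8 + 8 + 4, new_height)   # sig(8) + len/type(8) + width(4)
    return bytes(buf)


if __name__ == "__main__":
    sample = forge_height(make_png(64, 48), 10) + b"data left behind after IEND"
    print("real size:", recover_dimensions(sample))
    print("trailing bytes:", len(trailing_bytes(sample)))
```

Only one field is varied at a time, which is the usual challenge setup; if both were changed you would need the double loop, and a hint from the file size (rows x bytes-per-row must fit the decompressed IDAT) to bound it.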

3. Matryoshka

We get a disk image flag.img; mount it with FTK Imager and several files are visible. The useful ones are a file called encrypt and two images that look identical.

The encrypt file is about 20 MB, which is large, so it is probably an encrypted container. The two images go through the Python 2 blind-watermark script (two near-identical images are the classic setup for a blind watermark).

That yields the container's password; note that the w must be lowercase.

After decrypting the container there is a txt with zero-width steganography inside.

Decoding it gives a password.

Strip the zero-width characters from the visible text,

base32-decode it,

and finally apply Vigenère to get the result.
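The zero-width steganography seen in challenge 1 and here, followed by the base32 and Vigenère steps of this challenge, as an added example (my code, not the page's or any tool's). The encoding scheme (U+200B for 0, U+200C for 1, eight bits per byte) is an assumption: the page does not name the tool, and tools differ in which code points they use. The order of the pipeline (hidden payload is the Vigenère key, visible text is base32 of the ciphertext) is also my reading of the steps above, and the key and plaintext are made up.

```python
import base64

# One widely used zero-width encoding: two code points carry one bit each.
# (Assumption: other tools use U+200D/U+2060/U+FEFF or more than two symbols.)
ZW0, ZW1 = "\u200b", "\u200c"                  # zero-width space / zero-width non-joiner
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}


def hide(cover: str, secret: str) -> str:
    """Append `secret` to `cover` as zero-width characters."""
    bits = "".join(format(b, "08b") for b in secret.encode())
    return cover + "".join(ZW1 if bit == "1" else ZW0 for bit in bits)


def strip_zero_width(text: str) -> str:
    return "".join(c for c in text if c not in ZERO_WIDTH)


def hidden_count(text: str) -> int:
    """The tell from the writeup: the string is longer than what is displayed."""
    return len(text) - len(strip_zero_width(text))


def reveal(text: str) -> str:
    bits = "".join("1" if c == ZW1 else "0" for c in text if c in (ZW0, ZW1))
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8)).decode()


def vigenere(text: str, key: str, decrypt: bool) -> str:
    """Classic Vigenère over A-Z/a-z; non-letters pass through unchanged and do
    not advance the key."""
    out, ki = [], 0
    for c in text:
        if not c.isalpha():
            out.append(c)
            continue
        base = ord("A") if c.isupper() else ord("a")
        k = ord(key[ki % len(key)].upper()) - ord("A")
        shift = -k if decrypt else k
        out.append(chr((ord(c) - base + shift) % 26 + base))
        ki += 1
    return "".join(out)


def solve(text: str) -> str:
    """Hidden zero-width payload = Vigenère key; visible text = base32(ciphertext)."""
    key = reveal(text)
    ciphertext = base64.b32decode(strip_zero_width(text)).decode()
    return vigenere(ciphertext, key, decrypt=True)


# Constructed sample (not challenge data): key and plaintext are made up here.
SAMPLE_KEY = "MISC"
SAMPLE_PLAINTEXT = "flag{constructed-sample}"
SAMPLE_TEXT = hide(
    base64.b32encode(vigenere(SAMPLE_PLAINTEXT, SAMPLE_KEY, decrypt=False).encode()).decode(),
    SAMPLE_KEY,
)

if __name__ == "__main__":
    print("hidden code points:", hidden_count(SAMPLE_TEXT))
    print("key:", reveal(SAMPLE_TEXT))
    print("plaintext:", solve(SAMPLE_TEXT))
```

hidden_count is the programmatic version of the Backspace trick: a non-zero result on text that looks clean is the cue to decode.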

4. GIFUCK

First impression of the image: Brainfuck. Split the GIF frame by frame:

ffmpeg -i /root/桌面/新建文件夹/flag.gif /root/桌面/新建文件夹/%d.png

Next we need the symbol shown in each of the 1791 frames, which is only feasible with a script. The trick is that identical frames are byte-identical files, so hashing each frame (MD5 here, used purely as a fingerprint to tell identical frames apart, not for anything security-relevant) identifies the symbol.

This script is adapted from toto's, with the MD5 values changed to match these frames:

import os
import hashlib

# Each distinct frame image maps to one Brainfuck symbol.  The digests are
# those of this challenge's frames; MD5 is only a content fingerprint here.
SYMBOLS = {
    "a6680292f0fc8a9796121447574de6ec": "+",
    "04b5ae733105563b238777baff564e17": "[",
    "f041b11363a41c0c7e1b755e45d908a3": "-",
    "7514082f25355bc663e015e6d51763af": ">",
    "06df41b1b5eea0485269b7178093d1ff": "<",
    "d4884cc21151c6e90acc351bf371935b": "]",
    "a53ffccc32e0aab29201cc8984fa9c7b": ".",
}


def md5_of(path):
    h = hashlib.md5()
    with open(path, 'rb') as f:
        for block in iter(lambda: f.read(4096), b''):   # 4 KB at a time
            h.update(block)
    return h.hexdigest()


program = ''
# ffmpeg numbers frames from 1, so 1791 frames are 1.png .. 1791.png
# (the original loop stopped at 1790).
for i in range(1, 1792):
    path = os.path.join(os.getcwd(), f"{i}.png")
    if not os.path.isfile(path):
        continue
    digest = md5_of(path)
    if digest in SYMBOLS:
        program += SYMBOLS[digest]
    else:
        print(f"unknown frame: {path} MD5: {digest}")
print(program)

Finally hex-decode the program's memory (tape) contents and the flag falls out.

DASCTF{Pen_Pineapple_Apple_Pen}

This challenge can also be solved with PuzzleSolver.

First split the GIF with PuzzleSolver's frame-interval function.

The extracted program was wrong, though, so look at the frame delays.

They are all multiples of 60, so dividing each delay by 60 and repeating the frame's symbol that many times yields the real Brainfuck program. My guess is that several consecutive frames are the same image and PuzzleSolver collapses them into one frame with a longer delay, keeping only the changes, whereas the tool on Kali (ffmpeg) analyses every frame.

times =['240', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '360', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '1860', '60', '180', '60', '120', '60', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '120', '60', '180', '60', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '60', '180', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '60', '180', '60', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '180', '60', '120', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '60', '60', '120', '60', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '60', '180', '60', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '180', '60', '180', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '120', '60', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', 
'60', '60', '60', '180', '60', '180', '60', '180', '60', '180', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '180', '60', '180', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '120', '60', '120', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '180', '60', '180', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '120', '60', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '120', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '60', '120', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '60', '120', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '60', '60', '180', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '120', '60', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '120', '60', '180', '60', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '60', '120', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', 
'60', '60', '60', '180', '60', '180', '60', '60', '120', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '60', '60', '180', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '120', '60', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '180', '60', '180', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '120', '60', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '180', '60', '180', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '120', '60', '180', '60', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '120', '540', '60', '60', '60', '540', '60', '60', '60', '120', '60', '60', '300', '60', '60', '60', '300', '60', '60', '60', '180', '60', '180', '120', '420', '60', '60', '540', '60', '60', '60', '540', '60', '60', '60', '480', '60', '60', '480', '60', '60', '60', '480', '60', '60', '60', '120', '60', '60', '240', '60', '60', '60', '240', '60', '60', '60', '180', '60', '60', '60', '60', '540', '60', '60', '60', '540', '60', '60', '60', '180', '60', '60', '540', '60', '60', '60', '540', '60', '60', '60', '480', '60', '60', '180', '60', '60', '60', '180', '60', '60', '60', '60', '60', '360', '60', '180', '60', '60', '540', '60', '60', '60', '540', '60', '60', '60', '60', '60', '60', '480', '60', '60', '60', '480', '60', '60', '60', '360', '60', '360', '60', '60', '180', 
'60', '60', '60', '180', '60', '60', '60', '120', '60', '360', '60', '60', '480', '60', '60', '60', '480', '60', '60', '60', '420', '60', '60', '480', '60', '60', '60', '480', '60', '60', '60', '540', '60', '60', '180', '60', '60', '60', '180', '60', '60', '60', '60', '60', '60', '540', '60', '60', '60', '540', '60', '60', '60', '120', '60', '60', '480', '60', '60', '60', '480', '60', '60', '60', '840', '60', '60', '60', '300', '60', '60', '540', '60', '60', '60', '540', '60', '60', '60', '180', '60', '60', '480', '60', '60', '60', '480', '60', '60', '60', '480', '60', '180', '60', '60', '180', '60', '60', '60', '180', '60', '60', '60', '240', '60', '60', '180', '60', '60', '60', '180', '60', '60', '60', '240', '60', '60', '420', '60', '60', '60', '420', '60', '60', '60', '360', '60', '60', '60', '60', '60']
strings ="+[->+<]>[->+<]>-[->+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+<]+<+<+[->+<]>[->+<]>[->-<]>[-<+>]+<+<+[->+<]>[->+<]>[->-<]>[-<+>]<+[->+<]>[->-<]>[-<+>]<+<+[->+<]>[->+<]>[->-<]>[-<+>]+<+[->+<]>[->-<]>[-<+>]+<+<+[->+<]>[->+<]>[->-<]>[-<+>]<+<+[->+<]>[->+<]>[->+<]>[-<+>]+<+[->+<]>[->-<]>[-<+>]+<+[->+<]>[->+<]>[-<+>]+<+[->+<]>[->+<]>[-<+>][->+<]>[-<+>]+<+[->+<]>[->-<]>[-<+>]+<+[->+<]>[->+<]>[-<+>]+<+[->+<]>[->+<]>[-<+>]+<+[->+<]>[->+<]>[-<+>]+[->+<]>[-<+>]+<+[->+<]>[->+<]>[->+<]>[-<+>]+<+[->+<]>[->+<]>[->+<]>[-<+>]+<+[->+<]>[->+<]>[-<+>]+<+[->+<]>[->+<]>[-<+>][->+<]>[-<+>]+<+<+[->+<]>[->+<]>[->-<]>[-<+>]+<+[->+<]>[->+<]>[->+<]>[-<+>]+<+[->+<]>[->+<]>[->+<]>[-<+>]+<+[->+<]>[->+<]>[-<+>]+<+[->+<]>[->+<]>[-<+>][->+<]>[-<+>]+<+[->+<]>[->-<]>[-<+>]+<+[->+<]>[->+<]>[-<+>]+<+[->+<]>[->+<]>[-<+>]+<+<+[->+<]>[->+<]>[->+<]>[-<+>]<+[->+<]>+.<+[->+<]>+.+.+.<+[->-<]>-.<+[->+<]>+.<+[->+<]>+.-.<+[->-<]>-.<+[->+<]>+.<+[->-<]>-.+.-.<+[->-<]>-.<+[->+<]>+.+.<+[->-<]>-.+.<+[->-<]>-.<+[->+<]>+.<+[->+<]>+.<+[->-<]>-.<+[->+<]>+.+.+.<+[->-<]>-.<+[->+<]>+.-.<+[->+<]>+.<+[->-<]>-.<+[->-<]>-.[-]<"

out = ''
for i in range(len(times)):
    out += strings[i] * (int(times[i]) // 60)
print(out)

Above is a teammate's script, much simpler than mine, but you first need to extract the symbols from the frames PuzzleSolver separated.
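To close the loop on this challenge, here is an added example (my code, not the page's or toto's) that performs the delay expansion from the teammate's script and then actually runs the Brainfuck program and dumps its tape as hex, which is the final step the writeup describes. The nine-frame sample (symbols plus delays) is constructed for the demo and is not the challenge's data.

```python
def expand_by_duration(symbols: str, durations_ms, unit: int = 60) -> str:
    """A frame shown for k*unit ms stands for k copies of its symbol."""
    return "".join(s * (int(d) // unit) for s, d in zip(symbols, durations_ms))


def run_brainfuck(program: str, tape_size: int = 30000, max_steps: int = 10_000_000):
    """Interpret `program`; return (bytes written by '.', final tape).
    Unknown characters are comments; ',' reads no input and leaves the cell."""
    jumps, stack = {}, []
    for i, c in enumerate(program):            # pre-match the brackets once
        if c == "[":
            stack.append(i)
        elif c == "]":
            if not stack:
                raise ValueError("unmatched ']' at %d" % i)
            j = stack.pop()
            jumps[i], jumps[j] = j, i
    if stack:
        raise ValueError("unmatched '[' at %d" % stack[-1])
    tape, ptr, pc, out, steps = bytearray(tape_size), 0, 0, bytearray(), 0
    while pc < len(program):
        steps += 1
        if steps > max_steps:                  # untrusted program: bound the run
            raise RuntimeError("step limit hit; the program may not terminate")
        c = program[pc]
        if c == ">":
            ptr = (ptr + 1) % tape_size
        elif c == "<":
            ptr = (ptr - 1) % tape_size
        elif c == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF  # 8-bit cells wrap around
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif c == ".":
            out.append(tape[ptr])
        elif c == "[" and tape[ptr] == 0:
            pc = jumps[pc]
        elif c == "]" and tape[ptr] != 0:
            pc = jumps[pc]
        pc += 1
    return bytes(out), bytes(tape)


def tape_hex(tape: bytes) -> str:
    """Hex dump of the used part of the tape: the 'decode the memory as hex' step."""
    return tape.rstrip(b"\x00").hex()


# Constructed sample: nine frames whose delays encode "++++++++[>+++++++++<-]>."
SAMPLE_SYMBOLS = "+[>+<-]>."
SAMPLE_DELAYS = [480, 60, 60, 540, 60, 60, 60, 60, 60]

if __name__ == "__main__":
    prog = expand_by_duration(SAMPLE_SYMBOLS, SAMPLE_DELAYS)
    output, tape = run_brainfuck(prog)
    print(prog, "->", output, "tape:", tape_hex(tape))
```

The step limit matters when the program comes from a challenge file: a loop that never terminates should fail loudly instead of hanging the solver.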

5. EZ_VMDK

The challenge says the file got larger after compression.

Opening it shows the compression method is Store.

That is a hint for a known-plaintext attack: with Store, the first bytes of the encrypted entry are just the first bytes of the file, and a VMDK starts with a fixed header.
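Before reaching for bkcrack it is worth confirming what the headers actually say, and the same parser settles the "pseudo-encryption" case from challenge 1: a zip whose encryption bit is set but whose data was never encrypted. The example below (my code, not the page's or bkcrack's; it ignores ZIP64) reads the central directory, reports method and flags per entry, clears the flag so that pseudo-encrypted entries extract normally, and tells real ZipCrypto from the fake kind by checking whether the CRC still matches once the bit is cleared. The sample archive is constructed in the script.

```python
import io
import struct
import zipfile

# Layouts from the ZIP appnote, little-endian.
LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
CENTRAL_FMT = "<4sHHHHHHIIIHHHHHII"     # 46-byte central directory header
EOCD_FMT = "<4sHHHHIIH"                 # 22-byte end of central directory record
FLAG_ENCRYPTED = 0x0001                 # general-purpose flag bit 0


def walk_entries(data: bytes):
    """One dict per entry, read from the central directory (no ZIP64 support)."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, count, _, cd_off, _ = struct.unpack_from(EOCD_FMT, data, eocd)
    entries, pos = [], cd_off
    for _ in range(count):
        (sig, _, _, flags, method, _, _, crc, csize, usize, fnlen, exlen, cmlen,
         _, _, _, local_off) = struct.unpack_from(CENTRAL_FMT, data, pos)
        if sig != CENTRAL_SIG or data[local_off:local_off + 4] != LOCAL_SIG:
            raise ValueError("corrupt header for entry at %d" % pos)
        name = data[pos + 46:pos + 46 + fnlen].decode("utf-8", "replace")
        entries.append(dict(name=name, flags=flags, method=method, crc=crc, csize=csize,
                            usize=usize, central_off=pos, local_off=local_off))
        pos += 46 + fnlen + exlen + cmlen
    return entries


def set_encryption_flag(data: bytes, on: bool, names=None) -> bytes:
    """Set/clear bit 0 in both the central and the local header of each entry
    (all entries, or only `names`).  Nothing but the flag word changes, which
    is exactly what a 'pseudo-encrypted' challenge file looks like."""
    buf = bytearray(data)
    for e in walk_entries(data):
        if names is not None and e["name"] not in names:
            continue
        for off in (e["central_off"] + 8, e["local_off"] + 6):   # flag word offsets
            (flags,) = struct.unpack_from("<H", buf, off)
            flags = flags | FLAG_ENCRYPTED if on else flags & ~FLAG_ENCRYPTED
            struct.pack_into("<H", buf, off, flags)
    return bytes(buf)


def classify(data: bytes) -> dict:
    """'plain', 'pseudo-encrypted' or 'encrypted' per entry.  With the flag
    cleared, the CRC still matches only if the bytes were never encrypted.
    (Real ZipCrypto also prepends a 12-byte header, so a stored entry then has
    csize == usize + 12, a quick check that needs no decryption at all.)"""
    verdict, cleared = {}, set_encryption_flag(data, False)
    for e in walk_entries(data):
        if not e["flags"] & FLAG_ENCRYPTED:
            verdict[e["name"]] = "plain"
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(cleared)) as zf:
                zf.read(e["name"])
            verdict[e["name"]] = "pseudo-encrypted"
        except Exception:          # Bad CRC-32 / zlib error => really encrypted
            verdict[e["name"]] = "encrypted"
    return verdict


def read_entry(data: bytes, name: str) -> bytes:
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


def build_sample() -> bytes:
    """Constructed input: a stored archive with the flag bit forced on for
    flag.txt only, i.e. pseudo-encryption; not challenge data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("flag.txt", "flag{constructed-sample}")
        zf.writestr("readme.txt", "nothing to see")
    return set_encryption_flag(buf.getvalue(), True, names={"flag.txt"})


if __name__ == "__main__":
    sample = build_sample()
    for e in walk_entries(sample):
        print(e["name"], "method", e["method"], "flags", hex(e["flags"]),
              "csize-usize", e["csize"] - e["usize"])
    print(classify(sample))
    print(read_entry(set_encryption_flag(sample, False), "flag.txt"))
```

For the VMDK challenge the interesting output is method 0 with the flag set and csize == usize + 12: a genuinely encrypted stored entry, which is the case bkcrack's known-plaintext attack is for.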

I downloaded bkcrack, the known-plaintext tool, and learned its usual commands, attached below.

(I forgot to screenshot the terminal here.)

The bytes 4B444D56... in the command are the VMDK file header (the magic "KDMV" followed by the version and flags fields); with that as known plaintext, start the attack. bkcrack needs a minimum amount of known plaintext (see its README), so supply as much of the fixed header as you are sure of.

./bkcrack -C /root/桌面/Easy_VMDK.zip -c flag.vmdk -x 0 4B444D5601000000030000

After the attack we have the internal keys; use them to extract flag.vmdk:

./bkcrack -C /root/桌面/Easy_VMDK.zip -c flag.vmdk -k e6a73d9f 21ccfdbc f3e0c61c -d flag.vmdk

Loading it in 火眼 (a forensics tool) shows two documents.

Export and analyse each of them.

flag.txt inside flag.zip is the flag, and its archive password has to be derived from key.

Looking at flag.zip in 010 Editor there is another archive embedded in it; carve it out with foremost.

It turns out to be the script that encrypted key, so we invert it.

Teammate's script:

import base64
import binascii
from PIL import Image

# Image size recovered from the challenge's encryption script.
height = 137
width = 2494
im = Image.new("RGB", (width, height), 'white')

# key.txt holds one encoded pixel per line.  Undo the two layers the encrypt
# script applied (that script is not reproduced here; this is its inverse)
# to get back the "r, g, b" text for each pixel.
imglists = []
with open("key.txt", "r") as f:
    for line in f.readlines():
        data = binascii.b2a_uu(base64.b64decode(line)).decode().strip()
        imglists.append(data)

# Lines are stored row-major: line index = y * width + x.
for y in range(height):
    for x in range(width):
        pixel = tuple(map(int, imglists[y * width + x].split(', ')))
        im.putpixel((x, y), pixel)

im.show()

Finally extract the archive with that password and get the flag.

6. 程序猿Quby

It opens to a PNG.

It is the Chado (夏多) cipher. I read up on how that cipher encodes and decoded it to get a password:

HAVEANICEDAY

I did not know what it was for, but it was probably an archive password. Opening the image in 010 Editor, a search for the zip header found nothing, but a search for the RAR header found an embedded RAR. After exporting it, that turned out not to be the archive's password. Other players' writeups explained that the image also carries password-protected LSB steganography, which has to be extracted with cloacked-pixel.

Setting up cloacked-pixel took quite a while because of the Python 2 / Python 3 differences, but it worked in the end:

python3 lsb.py extract QUBY.png flag.txt HAVEANICEDAY

That gives the RAR password.

Inside are three files. Both xlsx files have hidden rows;

unhide them and give the hidden text a colour.

Then replace values: in the first sheet 6.66 becomes 1 and everything else 0;

in the second sheet 5.53 becomes 1 and 4.66 becomes 0. Merge the two sheets; since it is hard to read, use conditional formatting to fill cells below 0.1 in red and zoom out.

It is ugly, but it reads as

w0wyoudo4goodj0b

Presumably that is the key for the other file, an audio file with something hidden in it, so go straight to DeepSound.

That yields two files.

Decoding them is fairly tedious: the left txt goes through base85 and then base32, which yields the alphabet for the base64 on the right.

Then base64-decode the right file with that alphabet.
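The final decoding chain as an added example (my code, not the page's): recover the alphabet from the left file, then decode the right file as base64 over that alphabet by translating it back onto the standard one. Two assumptions: the base85 variant is the one Python's base64.b85decode reads (an Ascii85 file with <~ ~> markers would need a85decode), and the alphabet, flag and file contents are constructed here rather than taken from the challenge.

```python
import base64

STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def recover_alphabet(left: str) -> str:
    """Left file: undo base85, then base32, which yields the 64-char alphabet.
    (Assumption: base85 in the Python/Git flavour, not Ascii85.)"""
    alphabet = base64.b32decode(base64.b85decode(left)).decode()
    if len(alphabet) != 64 or len(set(alphabet)) != 64 or "=" in alphabet:
        raise ValueError("not a usable base64 alphabet")
    return alphabet


def b64decode_custom(data: str, alphabet: str) -> bytes:
    """Map the custom alphabet back onto the standard one, then decode normally;
    '=' padding is left alone because it belongs to neither alphabet."""
    table = str.maketrans(alphabet, STD_ALPHABET)
    return base64.b64decode(data.translate(table), validate=True)


def b64encode_custom(data: bytes, alphabet: str) -> str:
    return base64.b64encode(data).decode().translate(str.maketrans(STD_ALPHABET, alphabet))


def decode_chain(left: str, right: str) -> bytes:
    return b64decode_custom(right, recover_alphabet(left))


# Constructed sample, not the challenge files: a rotated alphabet and a made-up flag.
SAMPLE_ALPHABET = STD_ALPHABET[7:] + STD_ALPHABET[:7]
SAMPLE_PLAINTEXT = b"flag{constructed-sample}"
SAMPLE_LEFT = base64.b85encode(base64.b32encode(SAMPLE_ALPHABET.encode())).decode()
SAMPLE_RIGHT = b64encode_custom(SAMPLE_PLAINTEXT, SAMPLE_ALPHABET)

if __name__ == "__main__":
    print("alphabet:", recover_alphabet(SAMPLE_LEFT))
    print("decoded :", decode_chain(SAMPLE_LEFT, SAMPLE_RIGHT))
```

validate=True makes the decode fail on any character outside the alphabet, which catches a wrong or partially recovered alphabet immediately instead of silently dropping characters.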

For how the Chado cipher is decoded, see this video:

犯罪大师本周解密 夏多密码解析_游戏攻略 (bilibili.com)
