BB CTF2023 Write Up
CRYPTO
1. Crypto Masquerade
题目说明
The truth is hidden in the shadows, masked by a facade of deception. Peel back the layers and look deeper to reveal the truth.
解题思路
from pwn import *
from cryptography.fernet import Fernet
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
io = remote("localhost", 1234)
r = io.recv().decode().strip().split("\n")
io.close()
p = int(r[0].split(":")[1])
g = int(r[1].split(":")[1])
message = r[-1].split(":")[1].strip()
password = g.to_bytes((g.bit_length() + 7) // 8, "big")
kdf = PBKDF2HMAC(
algorithm=hashes.SHA256,
length=32,
salt=b"\x00" * 8,
iterations=100000,
backend=default_backend(),
)
key = base64.urlsafe_b64encode(kdf.derive(password))
f = Fernet(key)
token = f.decrypt(message)
print(token.decode())
#flag{wA17_1tS_all_rs4?_Alw4ys_H4S_b33N}
2. Visionary Cipher
题目说明
It’s a new innovative kind of cipher.
解题思路
这个题和山石冬令营那个维吉尼亚类似,这里的表多了0,1,2,3,4,5,6,7,8,9
和_{}
from string import ascii_lowercase, digits
from random import choices
from hashlib import md5
import sys
dicts = ascii_lowercase + digits + "_{}"
#print(dicts)
def pos(ch):
return dicts.find(ch)
hash = '17382b1a9caad37bd127f2a7984ccbb9'
C = '9cvlbfuwe81{lcduhgv9cpsrhj0f13s_lsh9dy'
def known(idx, m):
p1 = pos(C[idx])
p2 = pos(m)
return (p1 - p2) % len(dicts)
flag = [known(0, 'f'), known(1, 'l'), known(2, 'a'), known(3, 'g'), known(4, '{'), 0, 0, known(-1, '}'), 0, 0]
def decode(text, flag):
n, k, l = len(text), len(flag), len(dicts)
return "".join([dicts[(pos(text[i]) - flag[i % k]) % l] for i in range(n)])
for a in range(len(dicts)):
flag[5] = a
sys.stdout.flush()
for b in range(len(dicts)):
flag[6] = b
for c in range(len(dicts)):
flag[8] = c
for d in range(len(dicts)):
flag[9] = d
res = decode(C, flag)
m = md5(res.encode("ascii")).hexdigest()
if m == hash:
print(res)
print(flag)
#flag{0h_n0_h3_ac7u41ly_me4nt_v1g3ner3}
MISC
1.Meaning of Life
题目说明
Senpai, what is the meaning of life ?
解题思路
一个很傻逼的题
端口输入数字会返回一段Base64 解码之后是《Never Gonna Give You Up》的YouTube的链接。
Google搜索Meaning of Life 可以得到42
输入42 得到另一个视频的链接
aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1GSVViUkprS2psRQ==
https://www.youtube.com/watch?v=FIUbRJkKjlE
是一段摩斯密码 识别一下就是flag捏
flag{CIC4D4FLI35}
2.Tree of Secrets
题目说明
The message is encoded in the whispers of the wind, buried deep in the roots of a tree. Uncover the secret by listening to the silence between the lines and exploring the branches.
解题思路
00011000110011110000000100110000101011001111100000111101011010101101000010111100110100101001101001010001101111111111111111010111010001001
很有意思的一道题 逻辑关系直接从文件路径来看就可以
写个脚本来还原flag
mapp={
"000": "R",
"0010":"3" ,
"0011": "U",
"01000":"m",
"01001":"Z",
"0101": "d",
"01100":"t",
"01101":"z",
"01110":"i",
"01111":"G",
"1000": "F",
"1001": "9",
"1010": "I",
"10110":"S",
"10111":"V",
"11000":"k",
"11001":"x",
"1101": "X",
"11100":"B",
"11101":"T",
"1111": "0" }
msg=["000","11000","11001","11100","000","0010","01100","0010","10110","01111","1000","0011","1101","01101","0101","1010","000","10111","1001","1010","0101","0011","01001","01000","1101","1111","1111","1111","11101","01110","1000","1001"]
flag=""
for i in msg:
flag+=mapp[i]
import base64
print(base64.b64decode(flag))
#b'FLAG{wHaT_7HE_HuFf_M4N!}'
3. Peer Pressure
题目说明
Don’t let them get into your mind
解题思路
打开靶机
看源码
当base64解码文本“aGVhZA==”为“head”尝试向 /aGVhZA== 发出 **HEAD **请求
回显base64 编码值的 png 标头
base64 解码文本并搜索“flag{”
**flag**{D0_N0T_G3T_PR355UR3D}
Forensics
1. Memory Dump
题目说明
I was learning powershell when my pc suddenly crashed. Can you retrieve my bash history?
解题思路
法一
之前长安杯做过PowerShell的取证题,PowerShell历史命令文件路径为
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
所以我们直接去filescanConsoleHost_history.txt
虽然报错了 但还是找出来了捏 dump一下
cat 一下下
AES解密即可
法二
因为ConsoleHost_history.txt
为文本形式,所以利用strings转换一下直接搜索flag{
即可
2. Vastness of Space
题目说明
Is space really that empty?
解题思路
查看图片exif信息
steghide隐写 password:BBCTF
somedata.txt
用matplotlib库还原一下
import numpy as np
import matplotlib.pyplot as plt
data = np.genfromtxt("somedata.txt", delimiter=",")
num = data[:,0]
data = data[:,1]
plt.plot(num,data, 'ro')
plt.xlabel('x')
plt.ylabel('y')
plt.show()
flag{qUiCk_R3sP0nse_c0d3}
3. Random Requests
题目说明
I captured these very random http requests. Can you help me decode them?
解题思路
过滤HTTP流量可以看到有很多GET请求 flag=0/flag=1,所以猜测flag就是由二进制数据组成
写脚本或者手撸或者用tshark提取一下,这里用tshark提取二进制数据
tshark -r random_requests.pcapng -Y "http.request.method == "GET"" | cut -d '/' -f2 | cut -d ' ' -f1 | cut -d '=' -f2 | tr -d '\n'
然后cyberchef一把梭
4. Imageception
题目说明
“The painter has the universe in his mind and hands.”
-Leonardo Da Vinci
解题思路
题目名称为imageception,所以直接FileScan搜索
python vol.py -f ./BBCTF/Imageception.raw windows.filescan.FileScan | grep "imageception"
发现有个imageception.png
把他dump下来
这里显示Error dumping file 但是文件夹里已经dump出来了。