DASCTF X CBCTF 2023|无畏者先行(Misc WP)
justpaint1、题目信息
FLAG被我弄丢了>_1.log得到密钥e63af7cc 55ef839d dc10b922,直接解压
import torch
import torch.nn as nn
import numpy as np
import matplotlib.pyplot as plt
from PIL import Image
import cv2
class JBN(nn.Module):
def __init__(self):
super(JBN, self).__init__()
self.main = nn.Sequential(
nn.Linear(100, 256),
nn.ReLU(),
nn.Linear(256, 512),
nn.ReLU(),
nn.Linear(512, 452 * 280),
nn.Tanh()
)
def forward(self, x):
img = self.main(x)
img = img.view(-1, 452, 280)
return img
def watch_flag(img):
flag = cv2.imread('./data/data/flag.png')
gray_image = cv2.cvtColor(flag, cv2.COLOR_BGR2GRAY)
flag_tensor = torch.from_numpy(np.array(gray_image))
flag_tensor = flag_tensor.unsqueeze(0).transpose(1, 2)
img_tensor = img
flag_tensor = flag_tensor.unsqueeze(0)
img_tensor = img_tensor.unsqueeze(0)
loss_fn = torch.nn.MSELoss()
loss = loss_fn(flag_tensor.float(), img_tensor)
return loss
jbn = JBN()
g_optimizer = torch.optim.Adam(jbn.parameters(), lr=0.001)
min_loss = float('inf')
for epoch in range(10):
random_noise = torch.randn(1, 100)
jbn_img = jbn(random_noise)
g_optimizer.zero_grad()
g_loss = watch_flag(jbn_img)
g_loss.backward()
g_optimizer.step()
with torch.no_grad():
if g_loss < min_loss:
min_loss = g_loss
torch.save(jbn.state_dict(), 'jbn.pth')注意此时的zip是压缩之后的,需要解压一下,然后cyberchef里面使用raw inflate解一下
压缩包注释提示password is two bytes
直接zip2john和hashcat进行爆破,得到密码为$HEX
随便写个脚本解压,然后里面给了一串密钥,结合zpaq文件尾的提示,一眼丁真直接爆
import torch
import torch.nn as nn
import numpy as np
import matplotlib.pyplot as plt
from PIL import Image
import cv2
class JBN(nn.Module):
def __init__(self):
super(JBN, self).__init__()
self.main = nn.Sequential(
nn.Linear(100, 256),
nn.ReLU(),
nn.Linear(256, 512),
nn.ReLU(),
nn.Linear(512, 452 * 280),
nn.Tanh()
)
def forward(self, x):
img = self.main(x)
img = img.view(-1, 452, 280)
return img
jbn = JBN()
jbn.load_state_dict(torch.load('jbn.pth'))
random_noise = torch.randn(1, 100)
jbn_img = jbn(random_noise)
jbn_img = jbn_img.squeeze().detach().numpy()
jbn_img = (jbn_img + 1) / 2# 将图像像素值范围从[-1, 1]转换为
jbn_img = (jbn_img * 255).astype(np.uint8)# 将图像像素值转换为的整数
jbn_img = cv2.resize(jbn_img, (280, 452))# 调整图像大小为452x280
flag_image = Image.fromarray(jbn_img)
flag_image.save('flag.png')得到密码
https://img2023.cnblogs.com/blog/3167109/202310/3167109-20231022201921782-859668780.png
MD5再用bandizip解开zpaq压缩包即可。
justlisten
1、题目信息
听听这是什么
https://img2023.cnblogs.com/blog/3167109/202310/3167109-20231022182801697-2088118706.png
2、解题方法
我们先扫一下hint.png
明显是汉信码,但在线工具扫不出来,然后发现还有一个可以扫“中国编码APP”下载一下APP扫就行了
https://img2023.cnblogs.com/blog/3167109/202310/3167109-20231022184619505-401344161.jpg
得到密码“0urS3cret”我们利用ourSecret来解bmp文件,导入文件,输入密码得到txt文件。
这里为什么用这个工具,因为密码的提示以及文件的名字就可以想到。
https://img2023.cnblogs.com/blog/3167109/202310/3167109-20231022184738326-806083297.png
打开txt得到
# 扫描单个文件
olevba file.doc
# 扫描单个文件 只显示VBA代码,不分析
olevba file.doc -c
# 扫描单个文件 显示解码之后的混淆字符串
olevba file.doc --decode
# 扫描单个文件 显示经过字符串反混淆之后的VBA宏代码
olevba file.doc --reveal像是某种表。。先不管它了看看WAV吧
音频的话试了好多发现使用Sonic Visualiser可以,下载官网:https://www.sonicvisualiser.org/
打开一看就是十进制,右上方是设置。
https://img2023.cnblogs.com/blog/3167109/202310/3167109-20231022191330302-2098335917.png
我们需要提取十进制数据,左上角导出图片然后写脚本读像素
olevba attachment.doc然后得到十进制数据
Sub XOREncryptFile()
Dim numbers(8) As Integer
numbers(0) = 19
numbers(1) = 71
numbers(2) = 122
numbers(3) = 99
numbers(4) = 65
numbers(5) = 111
numbers(6) = 43
numbers(7) = 67
Dim CurrentDirectory As String
CurrentDirectory = ".\"
If Dir(CurrentDirectory & "abc") = "" Then
Exit Sub
End If
Dim FileNumber As Integer
FileNumber = FreeFile
Open CurrentDirectory & "abc" For Binary Access Read Write As #FileNumber
Dim FileContent As String
FileContent = Input$(LOF(FileNumber), #FileNumber)
Close #FileNumber
Dim EncryptedContent As String
For i = 1 To Len(FileContent)
EncryptedContent = EncryptedContent & Chr(Asc(Mid(FileContent, i, 1)) Xor numbers((i - 1) Mod 8))
Next i
FileNumber = FreeFile
Open CurrentDirectory & "enc" For Binary Access Write As #FileNumber
Put #FileNumber, , EncryptedContent
Close #FileNumber
End Sub根据我们第一步解出来的txt文件中的表猜测可能是每两位int一下后再去表里找相应的字符,如果超出范围就舍去。
table = "# 扫描单个文件
olevba file.doc
# 扫描单个文件 只显示VBA代码,不分析
olevba file.doc -c
# 扫描单个文件 显示解码之后的混淆字符串
olevba file.doc --decode
# 扫描单个文件 显示经过字符串反混淆之后的VBA宏代码
olevba file.doc --reveal"a = " Sub XOREncryptFile()
Dim numbers(8) As Integer
numbers(0) = 19
numbers(1) = 71
numbers(2) = 122
numbers(3) = 99
numbers(4) = 65
numbers(5) = 111
numbers(6) = 43
numbers(7) = 67
Dim CurrentDirectory As String
CurrentDirectory = ".\"
If Dir(CurrentDirectory & "abc") = "" Then
Exit Sub
End If
Dim FileNumber As Integer
FileNumber = FreeFile
Open CurrentDirectory & "abc" For Binary Access Read Write As #FileNumber
Dim FileContent As String
FileContent = Input$(LOF(FileNumber), #FileNumber)
Close #FileNumber
Dim EncryptedContent As String
For i = 1 To Len(FileContent)
EncryptedContent = EncryptedContent & Chr(Asc(Mid(FileContent, i, 1)) Xor numbers((i - 1) Mod 8))
Next i
FileNumber = FreeFile
Open CurrentDirectory & "enc" For Binary Access Write As #FileNumber
Put #FileNumber, , EncryptedContent
Close #FileNumber
End Sub"for i in range(len(a)//2): try: ii = a print(table,end='') except: continue但只得到了右半边的flag
https://img2023.cnblogs.com/blog/3167109/202310/3167109-20231022192944885-30876533.png
脑洞一下,删掉第一个0再转一下,得到了另一半flag,为什么这么干呢?我们可以分析下第一次得到的结果“{Q2qSvkE?vqwPHvey_informat1on!!!}”,明显我们可以发现前面的“Q2qSvkE?vqwPHvey”肯定不全是flag,一般我们得到的flag都是有一定意义的(大部分形式上都可以翻译出来)为什么得到的不全是flag呢?因为我们刚才也说了两位一组超出范围就舍去所以肯定有出入。因此我们可以通过控制十进制前面数字的增减来查看情况,经检验发现把开头0删去可以得到flag前缀“DASCTF{”,那么也就是说这样做是正确的。
https://img2023.cnblogs.com/blog/3167109/202310/3167109-20231022193156067-1985317026.png
经过上面两次结果我们可以拼接出flag大概形式
.\bkcrack -C purezip.zip -c "secret key.zip" -p key -o 0 >1.log我们再根据意义来分析一下最终可得正确flag
.\bkcrack -C purezip.zip -c "secret key.zip" -k e63af7cc 55ef839d dc10b922 -d 1.zip
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!
页:
[1]