BUUCTF-Misc(91-100)
CyberPunk
Run it and it says it only starts on 2020.9.17.
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240603124157436-476231207.png
Then change the system time.
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240603124156993-625644650.png
And we get the flag:
flag{We1cOm3_70_cyber_security}
[安洵杯 2019]Attack
Reference: [安洵杯 2019]Attack - 云千 - 博客园 (cnblogs.com)
Found this:
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240603124156518-1084981501.png
Carve it with foremost; inside the extracted archive there is:
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240603124155794-1780064339.png
Then in Export Objects I found:
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240603124155193-1401304481.png
lsass (Local Security Authority Subsystem Service) is the Windows process that handles local security and logon policy.
Then use mimikatz to read the password out of this dump:
// elevate privileges
privilege::debug
// load the dmp file
sekurlsa::minidump lsass.dmp
// read the logon passwords
sekurlsa::logonpasswords full
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240603124154674-393284623.png
With the password, extract the archive:
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240603124153901-224017790.png
basic-forensics
Open it in Notepad and search for flag:
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240603124153340-1007679810.png
Game
References:
[SUCTF 2019]Game - CSDN博客
[SUCTF 2019]Game - 春告鳥 - 博客园 (cnblogs.com)
In index.html (remember to press F12 first, otherwise the pop-ups never stop) there is a flag:
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240603124152675-989548868.png
Decoding it with the 随波逐流 toolbox shows that it is a fake flag:
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240603124152190-424738812.png
suctf{hAHaha_Fak3_F1ag}
So let's keep looking and see whether the image holds any information.
Tried LSB steganography:
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240603124151650-1852869301.png
U2FsdGVkX1+zHjSBeYPtWQVSwXzcVFZLu6Qm0To/KeuHg8vKAxFrVQ==
Base64-decoding it gives "Salted":
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240603124151120-168643240.png
Then I looked up this salted encryption: What is U2FsdGVkX1? - Cryptography Stack Exchange (stackexchange.com)
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240603124150576-1109192620.png
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240603124150030-51772325.png
That matches the characteristics of our string exactly, so decrypt it with 3DES:
https://www.sojson.com/encrypt_triple_des.html
The ciphertext is that Base64 string and the key is the fake flag from before:
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240603124149341-1058208134.png
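An added example (not from the writeup) that carries out the check the author made by eye: decode the Base64 string from the image, confirm the OpenSSL "Salted__" envelope layout (8-byte magic, 8-byte salt, then CBC ciphertext), pull out the salt and look at the ciphertext length. The 24-byte ciphertext is a multiple of 8 but not of 16, which fits a 64-bit block cipher such as 3DES in CBC mode and rules out AES. The block decrypts nothing, so it needs no key; BLOB is the string from the writeup.

```python
import base64

# Base64 blob recovered from the LSB steganography (taken from the writeup above)
BLOB = "U2FsdGVkX1+zHjSBeYPtWQVSwXzcVFZLu6Qm0To/KeuHg8vKAxFrVQ=="

# OpenSSL "enc" output: 8-byte magic "Salted__", 8-byte salt, then the CBC ciphertext.
OPENSSL_MAGIC = b"Salted__"


def parse_openssl_salted(b64_text):
    """Split an OpenSSL-style envelope into salt and ciphertext and size it up.

    Returns None when the blob does not start with the 'Salted__' magic, so a
    caller can tell OpenSSL enc output apart from arbitrary Base64.
    """
    raw = base64.b64decode(b64_text)
    if len(raw) < 16 or raw[:8] != OPENSSL_MAGIC:
        return None
    salt, ciphertext = raw[8:16], raw[16:]
    return {
        "total_len": len(raw),
        "salt_hex": salt.hex(),
        "ciphertext_len": len(ciphertext),
        # CBC with PKCS#7 padding yields a multiple of the block size:
        # 8 bytes for DES/3DES/Blowfish, 16 bytes for AES.
        "fits_64bit_block": len(ciphertext) > 0 and len(ciphertext) % 8 == 0,
        "fits_128bit_block": len(ciphertext) > 0 and len(ciphertext) % 16 == 0,
    }


if __name__ == "__main__":
    print(parse_openssl_salted(BLOB))
```

How the sojson page turns the fake flag into a 3DES key is up to that tool; the parser above only shows why a 64-bit block cipher was the right family to try.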
zippy
Following TCP stream 1 reveals a zip archive:
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240603124148832-167732674.png
Extract it with binwalk.
Then in TCP stream 0 we find the unzip command:
unzip -P supercomplexpassword flag.zip
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240603124148299-2080412119.png
So the password is supercomplexpassword; extract the archive with it:
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240603124147737-431524428.png
USB
Reference:
BUUCTF:USB_buuctfusb - CSDN博客
Open key.ftm in 010 Editor: there is a zip file header, so extract it with binwalk.
That gives a capture file, key.pcap:
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240603124147343-2084636160.png
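The writeup leans on foremost and binwalk to pull embedded files out of carriers (the pcap in Attack, the TCP stream in zippy, key.ftm here). As an added example that is not part of the writeup, here is the core of what those tools do: a linear scan for known magic bytes, plus a check that a zip found at a reported offset actually opens. The signature table holds the well-known headers of each format; the carrier in build_sample is constructed for the example.

```python
import io
import zipfile

# Well-known magic bytes of the container formats that keep turning up in these challenges.
SIGNATURES = {
    b"PK\x03\x04": "zip (local file header)",
    b"Rar!\x1a\x07": "rar",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}


def carve_signatures(data):
    """Return [(offset, description)] for every known magic string found in data.

    This is the simplest form of what foremost/binwalk do: scan for headers and
    report every hit so the analyst can cut the carrier at that offset.
    """
    hits = []
    for magic, desc in SIGNATURES.items():
        start = 0
        while True:
            pos = data.find(magic, start)
            if pos < 0:
                break
            hits.append((pos, desc))
            start = pos + 1
    return sorted(hits)


def carve_zip_at(data, offset):
    """Cut the zip that starts at offset; return {name: content} if it opens, else None."""
    try:
        with zipfile.ZipFile(io.BytesIO(data[offset:])) as zf:
            return {i.filename: zf.read(i) for i in zf.infolist()}
    except zipfile.BadZipFile:
        return None


def build_sample():
    """Constructed sample: carrier bytes with a zip appended, like key.ftm in the writeup."""
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w") as zf:
        zf.writestr("key.pcap", b"constructed pcap placeholder")
    return b"\x00" * 64 + b"some carrier bytes" + bio.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    for offset, desc in carve_signatures(sample):
        print("%6d  %s" % (offset, desc))
        if desc.startswith("zip"):
            print("   ->", carve_zip_at(sample, offset))
```

On a real file, read it with open(path, "rb").read() and feed the bytes to carve_signatures; a magic string can also occur by chance inside compressed data, which is why carve_zip_at verifies each zip hit before you trust it.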
This should be USB traffic; a USB traffic analysis tool reveals a keyword:
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240603124146717-93848187.png
key{xinan}
Then I extracted 233.rar, which only contains flag.txt, but that isn't the real one, so I started reading the experts' writeups.
Here we open 233.rar in 010 Editor and run the RAR template, which reports an error. Reference: RAR文件格式学习(了解)_rar文件头 - CSDN博客
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240603124145799-1374311802.png
Then the 7A in the third block should be changed to 74:
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240603124144757-2101201737.png
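As an added example that is not from the writeup, the following reproduces what the 010 Editor RAR template was complaining about. A RAR 4.x block starts with HEAD_CRC, HEAD_TYPE, HEAD_FLAGS and HEAD_SIZE (plus ADD_SIZE when flag 0x8000 is set), and HEAD_CRC is the low 16 bits of CRC32 over the header bytes after the CRC field. A patched type byte (0x7A, a newsub header, where the 0x74 file header belongs) therefore fails the checksum, and trying the known types against the stored CRC recovers the original byte. The archive in build_sample is constructed for the example: one stored file, with corrupt=True patching the third block the same way the challenge file was.

```python
import struct
import zlib

# RAR 4.x block header: HEAD_CRC(2) HEAD_TYPE(1) HEAD_FLAGS(2) HEAD_SIZE(2) [ADD_SIZE(4) if flags & 0x8000]
MARKER_BLOCK = b"Rar!\x1a\x07\x00"
LONG_BLOCK = 0x8000
BLOCK_TYPES = {0x72: "marker", 0x73: "archive header", 0x74: "file header",
               0x7A: "newsub header", 0x7B: "end of archive"}


def walk_blocks(data):
    """Yield one dict per block: offset, type, sizes and whether HEAD_CRC verifies."""
    pos = 0
    while pos + 7 <= len(data):
        head_crc, head_type, flags, head_size = struct.unpack_from("<HBHH", data, pos)
        add_size = struct.unpack_from("<I", data, pos + 7)[0] if flags & LONG_BLOCK else 0
        calc = zlib.crc32(data[pos + 2:pos + head_size]) & 0xFFFF
        yield {"offset": pos, "type": head_type,
               "name": BLOCK_TYPES.get(head_type, "unknown 0x%02x" % head_type),
               "head_size": head_size, "add_size": add_size,
               # the marker block is a fixed signature, so it is matched by value, not by CRC
               "crc_ok": head_type == 0x72 or head_crc == calc}
        if head_type == 0x7B or head_size < 7:
            break
        pos += head_size + add_size


def find_bad_blocks(data):
    """Offsets of blocks whose stored HEAD_CRC does not match their header bytes."""
    return [b["offset"] for b in walk_blocks(data) if not b["crc_ok"]]


def repair_type(data, offset):
    """Try every known block type at offset; return the one under which HEAD_CRC verifies."""
    head_crc, _, _, head_size = struct.unpack_from("<HBHH", data, offset)
    for candidate in BLOCK_TYPES:
        patched = bytes([candidate]) + data[offset + 3:offset + head_size]
        if zlib.crc32(patched) & 0xFFFF == head_crc:
            return candidate
    return None


def _block(head_type, flags, body):
    """Assemble a RAR4 block with a correct HEAD_CRC (helper for the constructed sample)."""
    tail = struct.pack("<BHH", head_type, flags, 7 + len(body)) + body
    return struct.pack("<H", zlib.crc32(tail) & 0xFFFF) + tail


def build_sample(corrupt=False):
    """Constructed RAR 4.x archive with one stored file; corrupt=True sets the third block's type to 0x7A."""
    name, payload = b"flag.txt", b"flag{constructed}"
    # PACK_SIZE UNP_SIZE HOST_OS FILE_CRC FTIME UNP_VER METHOD(0x30 = store) NAME_SIZE ATTR
    file_body = struct.pack("<IIBIIBBHI", len(payload), len(payload), 0, zlib.crc32(payload),
                            0, 29, 0x30, len(name), 0x20) + name
    data = bytearray(b"".join([
        MARKER_BLOCK,
        _block(0x73, 0x0000, b"\x00" * 6),              # archive header: reserved1(2) + reserved2(4)
        _block(0x74, LONG_BLOCK, file_body) + payload,  # file header; PACK_SIZE doubles as ADD_SIZE
        _block(0x7B, 0x4000, b""),                      # end of archive
    ]))
    if corrupt:
        third = list(walk_blocks(bytes(data)))[2]["offset"]
        data[third + 2] = 0x7A                          # 74 -> 7A, the reverse of the fix in the writeup
    return bytes(data)


if __name__ == "__main__":
    bad = build_sample(corrupt=True)
    for off in find_bad_blocks(bad):
        print("block at %d fails HEAD_CRC; type that verifies: 0x%02x" % (off, repair_type(bad, off)))
```

Run walk_blocks over open("233.rar", "rb").read() to see which block fails, then repair_type on that offset; the result is the byte to write back with 010 Editor.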
This time extraction yields an image:
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240603124144154-677894745.png
Then switch image planes in Stegsolve; in Blue plane 0 there is a QR code:
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240603124143674-1893942540.png
Scanning it gives:
ci{v3erf_0tygidv2_fc0}
Combined with the keyword, work out which cipher it is; dropping it into the 随波逐流 toolbox finds a string:
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240603124143272-1991227353.png
fa{i3eei_0llgvgn2_sc0}
Then rail-fence cipher decryption:
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240603124142861-640618803.png
flag{vig3ne2e_is_c00l}
虚假的压缩包 (Fake Archive)
Reference:
[GUET-CTF2019]虚假的压缩包 - 跳河离去的鱼 - 博客园 (cnblogs.com)
Open 虚假的压缩包.zip in 010 Editor: it is actually pseudo-encryption, so fix the flag bit:
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240603124142473-100999428.png
Extracting gives:
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240603124141868-1305211994.png
Using an RSA tool we compute 5:
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240603124141407-181800877.png
But the archive password here is 答案是5 ("the answer is 5").
Open this image in 010 Editor: it has a PNG file header, so change the extension and then fix the PNG width/height in one go:
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240603124140877-2053073949.png
So we need to XOR with 5.
Script (I'm using a senior player's here):
# XOR every hex digit of the file with 5 and write the result as plain hex digits (no 0x prefix)
original = open("亦真亦假", "r").read()
with open("flag", "w") as flag:
    for i in original:
        if i in "0123456789abcdefABCDEF":  # skip newlines and spaces
            flag.write(format(int(i, 16) ^ 5, "x"))
Then we find it should be a zip archive: 50 4b 03 04
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240603124140420-946714061.png
Opening it, it's a Word document:
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240603124140025-53384280.png
In word/document.xml we find the flag:
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240603124139470-852235327.png
flag{_th2_7ru8_2iP_}
draw
The downloaded attachment is a chunk of gdb code:
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240603124138635-1648633108.png
Paste the code into the online Logo interpreter (calormen.com) and run it:
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240603124138001-1708024812.png
flag{RCTF_HeyLogo}
明文攻击 (Known-Plaintext Attack)
Open the image in 010 Editor: a zip archive is appended at the end, except that its file header is missing the leading 50 4b:
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240603124137435-1751274126.png
Create a new hex file, paste the bytes in, and prepend 50 4B.
Extracting it gives a flag.txt:
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240603124136823-1919905481.png
Since the challenge title says known-plaintext attack, compare the CRC checksums:
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240603124136451-1121356962.png
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240603124136015-888996117.png
They are the same, so we can use a known-plaintext attack. Open ARCHPR.
Select the archive to crack; the plaintext file path is your unencrypted archive, whose flag.txt has the same CRC as the flag.txt inside the encrypted archive:
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240603124135472-729560910.png
Then it finds:
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240603124134697-1256693325.png
Extract the recovered archive to get the flag:
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240603124134104-362971790.png
Network
References:
[SWPU2019]Network - 云千 - 博客园 (cnblogs.com)
[SWPU2019]Network(TTL隐写) | (guokeya.github.io)
Opening the text file shows a list like this; a hopeless start, I had never seen this before:
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240603124133649-1089800863.png
According to the writeups, this is TTL steganography:
Each time an IP packet passes through a router its TTL is decremented by 1; when the TTL reaches 0 the packet is dropped.
TTL is an 8-bit field, so its range is 0-255, but in most cases a packet only needs a handful of hops to be forwarded, far fewer than the upper limit of 255, so the top two bits of the TTL value can be used to carry hidden data.
For example, to send the character H, convert H to binary, split it into groups of two bits, put each group into the top two bits of the TTL field and set the remaining six bits to 1 (xx111111); four IP packets then carry one byte.
Next, convert the numbers in the file to binary and look at them:
63  -> 00111111
127 -> 01111111
191 -> 10111111
255 -> 11111111
Only the top two bits differ: 00 01 10 11. Since four IP packets carry one byte, take them in groups of four and write a script:
import binascii

f = open("attachment.txt", "r")
f2 = open("result.txt", "wb")
num = ''
res = ''
for i in f:
    i = i.strip()
    if not i:  # skip blank lines
        continue
    if int(i) == 63:
        num += "00"
    if int(i) == 127:
        num += "01"
    if int(i) == 191:
        num += "10"
    if int(i) == 255:
        num += "11"
for j in range(0, len(num), 8):
    res += chr(int(num[j:j + 8], 2))  # every 8 bits become one character (the original converted the whole string here)
res = binascii.unhexlify(res)  # unhexlify: the decoded characters are hex text, turn them into raw bytes
f2.write(res)
f.close()
f2.close()
That produces a zip archive, which is actually pseudo-encrypted; fix the flag bit and it extracts.
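The script above is one instance of the scheme. Here is an added example (not from the writeup) of the general decoder: instead of hard-coding the four values it checks the xx111111 shape and the group-of-four alignment, so an off-scheme packet is reported rather than silently skipped, and it comes with the matching encoder so the constructed sample (the TTL sequence that would carry the bytes "flag") can be verified round-trip. decode_ttl_file reads one decimal TTL per line like attachment.txt; the unhexlify step the author needed afterwards is specific to this challenge's payload being hex text.

```python
# TTL covert channel as described above: each IP packet carries two payload bits in the
# top two bits of TTL with the low six bits all set (xx111111), so four packets carry a byte.
LOW_SIX = 0b00111111


def ttl_on_scheme(ttl):
    """True if ttl is a legal TTL whose low six bits are all set."""
    return 0 <= ttl <= 255 and ttl & LOW_SIX == LOW_SIX


def encode_ttl(payload):
    """Turn bytes into the TTL sequence the scheme would emit (used here to build test input)."""
    ttls = []
    for byte in payload:
        for shift in (6, 4, 2, 0):               # most significant pair first
            ttls.append((((byte >> shift) & 0b11) << 6) | LOW_SIX)
    return ttls


def decode_ttl(ttls):
    """Recover the payload from a list of TTL values, rejecting anything off-scheme."""
    pairs = []
    for ttl in ttls:
        if not ttl_on_scheme(ttl):
            raise ValueError("TTL %r does not match xx111111" % ttl)
        pairs.append(ttl >> 6)                    # keep only the top two bits
    if len(pairs) % 4:
        raise ValueError("%d TTLs is not a multiple of 4" % len(pairs))
    out = bytearray()
    for i in range(0, len(pairs), 4):
        byte = 0
        for two_bits in pairs[i:i + 4]:
            byte = (byte << 2) | two_bits
        out.append(byte)
    return bytes(out)


def decode_ttl_file(path):
    """Read one decimal TTL per line, as in attachment.txt, and decode it."""
    with open(path) as f:
        ttls = [int(line) for line in f if line.strip()]
    return decode_ttl(ttls)


# Constructed sample: the TTL list that would carry the four bytes "flag".
SAMPLE_TTLS = [127, 191, 127, 191, 127, 191, 255, 63, 127, 191, 63, 127, 127, 191, 127, 255]

if __name__ == "__main__":
    print(decode_ttl(SAMPLE_TTLS))
```

For this challenge the decoded bytes are themselves hex text, so the result of decode_ttl_file("attachment.txt") still has to go through binascii.unhexlify, exactly as in the script above.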
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240603124132542-713402210.png
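Two of these challenges (虚假的压缩包 and this one) turn on ZIP pseudo-encryption, and 明文攻击 turned on comparing the CRC of a candidate plaintext against the encrypted entry. As an added example that is not from the writeup, the following walks the central directory directly: it reads the general-purpose flag word in both headers, clears bit 0 (the "encrypted" bit), and tests whether the data then inflates with a correct CRC-32, which is what separates pseudo-encryption from real encryption. known_plaintext_candidates does the CRC/size comparison from the 明文攻击 section, relying on the fact that the CRC-32 and sizes of the plaintext are stored in the clear even for encrypted entries. The archive in build_sample is constructed for the example.

```python
import io
import struct
import zipfile
import zlib

# The general-purpose flag word (bit 0 = "entry is encrypted") sits at offset 6 of each local
# file header (PK\x03\x04) and at offset 8 of each central directory entry (PK\x01\x02).
LFH_SIG, CD_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
ENCRYPTED_BIT = 0x0001


def central_entries(data):
    """Walk the central directory starting from the EOCD record; yield one dict per entry."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    total, cd_size, cd_off = struct.unpack_from("<HII", data, eocd + 10)
    pos = cd_off
    for _ in range(total):
        if data[pos:pos + 4] != CD_SIG:
            raise ValueError("bad central directory signature at %d" % pos)
        flags, method = struct.unpack_from("<HH", data, pos + 8)
        crc, csize, usize, name_len, extra_len, comment_len = struct.unpack_from("<IIIHHH", data, pos + 16)
        lfh_off = struct.unpack_from("<I", data, pos + 42)[0]
        if data[lfh_off:lfh_off + 4] != LFH_SIG:
            raise ValueError("bad local file header at %d" % lfh_off)
        yield {"name": data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace"),
               "crc": crc, "usize": usize, "method": method,
               "cd_flag_off": pos + 8, "lfh_flag_off": lfh_off + 6,
               "cd_encrypted": bool(flags & ENCRYPTED_BIT),
               "lfh_encrypted": bool(data[lfh_off + 6] & ENCRYPTED_BIT)}
        pos += 46 + name_len + extra_len + comment_len


def clear_encryption_bits(data):
    """Return a copy with bit 0 cleared in both headers of every entry (the pseudo-encryption fix)."""
    buf = bytearray(data)
    for e in central_entries(data):
        buf[e["cd_flag_off"]] &= 0xFE
        buf[e["lfh_flag_off"]] &= 0xFE
    return bytes(buf)


def extract_all(data):
    """{name: bytes} via zipfile; zipfile raises RuntimeError while a flag still says 'encrypted'."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: zf.read(i) for i in zf.infolist()}


def needs_password(data):
    """True if zipfile refuses the archive because an entry is flagged as encrypted."""
    try:
        extract_all(data)
        return False
    except RuntimeError:
        return True


def is_pseudo_encrypted(data):
    """True when a flag claims encryption but the data inflates with a correct CRC once the bit is cleared."""
    if not any(e["cd_encrypted"] or e["lfh_encrypted"] for e in central_entries(data)):
        return False
    try:
        extract_all(clear_encryption_bits(data))   # zipfile verifies CRC-32 on read
        return True
    except (zipfile.BadZipFile, zlib.error, EOFError, RuntimeError):
        return False                               # really encrypted: garbage or CRC mismatch


def known_plaintext_candidates(data, plaintext):
    """Names of entries whose stored CRC-32 and uncompressed size match plaintext."""
    want = zlib.crc32(plaintext) & 0xFFFFFFFF
    return [e["name"] for e in central_entries(data) if e["crc"] == want and e["usize"] == len(plaintext)]


def build_sample():
    """Constructed sample: a normal archive whose central-directory encryption bit is set by hand."""
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("flag.txt", "flag{constructed_sample}")
    data = bytearray(bio.getvalue())
    for e in central_entries(bytes(data)):
        data[e["cd_flag_off"]] |= ENCRYPTED_BIT
    return bytes(data)
```

On a real file, pass open(path, "rb").read() to is_pseudo_encrypted and, if it is, write clear_encryption_bits(data) back out; for the 明文攻击 case, known_plaintext_candidates(encrypted_zip, open("flag.txt", "rb").read()) tells you which entry the recovered flag.txt corresponds to before you reach for ARCHPR.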
Then we get a big chunk of Base64, nested Base64, so write a script:
import base64
import binascii

f = open(r'D:/pythonProject/result/flag.txt', 'rb').read()
while True:
    try:
        f = base64.b64decode(f.strip(), validate=True)
    except binascii.Error:
        break  # no longer valid Base64: the innermost layer has been reached
    print(f)
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240603124131630-1369383264.png
flag{189ff9e5b743ae95f940a6ccc6dbd9ab}