qidao123.com技术社区-IT企服评测·应用市场

标题: 2025UCSC CTF之Misc [打印本页]
作者: 盛世宏图    时间: 2025-4-23 22:42
标题: 2025UCSC CTF之Misc
Misc
  1. 题目链接: https://pan.baidu.com/s/1Q8B8Di17TuB-fjTsj1mR_w?pwd=ziu8 提取码: ziu8
复制代码
1. No.shArk
  1. 打开流量包发现存在大量的01文本
复制代码
  1. 使用随波逐流工具将01转为图片
复制代码
  1. 发现是一个二维码, 补充定位块, 扫描得到密码:Y0U_Fi8d_ItHa@aaHH
复制代码
  1. 在流量包中选择导出对象HTTP, 保存w1.html, 该文本存在SNOW隐写, 密码为二维码扫出的结果
复制代码
  1. 得到后半段flag, 在导出对象FTP中发现next.jpg, 以及在HTTP中发现一个存在Arnold Cat map变化的202410191641147091.png图片, 都保存下来;
  2. 将202410191641147091.png拖入到随波逐流中, 发现存在key
复制代码
  1. 用silenteye解密next.jpg, 密码为: keykeyishere
复制代码

exp
  1. import matplotlib.pyplot as plt
  2. import cv2
  3. import numpy as np
  6. def arnold_decode(image, shuffle_times, a, b):
  7.     """ decode for rgb image that encoded by Arnold
  8.     Args:
  9.         image: rgb image encoded by Arnold
  10.         shuffle_times: how many times to shuffle
  11.     Returns:
  12.         decode image
  13.     """
  14.     # 1:创建新图像
  15.     decode_image = np.zeros(shape=image.shape)
  16.     # 2:计算N
  17.     h, w = image.shape[0], image.shape[1]
  18.     N = h  # 或N=w
  20.     # 3:遍历像素坐标变换
  21.     for time in range(shuffle_times):
  22.         for ori_x in range(h):
  23.             for ori_y in range(w):
  24.                 # 按照公式坐标变换
  25.                 new_x = ((a * b + 1) * ori_x + (-b) * ori_y) % N
  26.                 new_y = ((-a) * ori_x + ori_y) % N
  27.                 decode_image[new_x, new_y, :] = image[ori_x, ori_y, :]
  28.         image = np.copy(decode_image)
  30.     return image
  33. def arnold_brute(image, shuffle_times_range, a_range, b_range):
  34.     for c in range(shuffle_times_range[0], shuffle_times_range[1]):
  35.         for a in range(a_range[0], a_range[1]):
  36.             for b in range(b_range[0], b_range[1]):
  37.                 print(f"[+] Trying shuffle_times={c} a={a} b={b}")
  38.                 decoded_img = arnold_decode(image, c, a, b)
  39.                 output_filename = f"flag_decodedc{c}_a{a}_b{b}.png"
  40.                 cv2.imwrite(output_filename, decoded_img, [int(cv2.IMWRITE_PNG_COMPRESSION), 0])
  43. if __name__ == "__main__":
  44.     img = cv2.imread("cat.png")
  45.     arnold_brute(img, (1, 8), (1, 12), (1, 12))
复制代码
参考博客: https://www.cnblogs.com/alexander17/p/18551089
  1. #flag{46962f4d-8d29-11ef-b3b6-a4b1c1c5a2d2}
复制代码
2. three
  1. 该flag分为三部分, 首先看part1, 考察的是图片盲水印, 直接执行工具;
  2. 命令: java -jar BlindWatermark-v0.0.3.jar decode -c signwithflag.png res.png
  3. part1: 8f02d3e7
复制代码
  1. 对part2进行解密: bin --> base64 --> morse;
  2. part2: -ce89-4d6b-830e-
复制代码
  1. part3给了一个压缩包和流量包, 压缩包被加密了, 我们通过分析流量包得到密码字典
复制代码

  1. 得到压缩包密码为: thinkbell, 打开txt文本得到part3;
  2. part3: 5d0cb5695077
复制代码
  1. #flag{8f02d3e7-ce89-4d6b-830e-5d0cb5695077}
复制代码
3. 小套不是套
  1. 解压发现有三个文件, 首先看套.zip, 尝试crc爆破
复制代码
  1. 按顺序将字符串拼接起来
  2. R1JWVENaUllJVkNXMjZDQ0pKV1VNWTNIT1YzVTROVEdLVjJGTVYyWU5NNFdRTTNWR0ZCVVdNS1hNSkZXQ00zRklaNUVRUVRCR0pVVlVUS0VQQktHMlozWQ==
  3. 进行解密: Key is SecretIsY0u
复制代码
  1. 注意该密码不是另一个压缩包的解压密码, 发现存在一个二维码, 扫描结果为: PassW0rd is !@#QWE123987
复制代码
  1. 解压tess.zip, 发现里面还是个压缩包, 存在伪加密
复制代码
  1. 得到一个蘑菇图片, 拖入到010分析, 发现里面还存在一张照片
复制代码
  1. 补充一个png文件头89 50 4E 47
复制代码
  1. 发现存在Oursecret的特征
复制代码
  1. 直接用Oursecret工具, 密码为SecretIsY0u, 得到flag
复制代码
  1. #flag{6f6bf445-8c9e-11ef-a06b-a4b1c1c5a2d2}
复制代码
4. USB

  1. 使用tshark工具, 导出上图框选的数据;
  2. 命令: tshark -r flag.pcap -T fields -e usbhid.data | sed '/^\s*$/d' > 2.txt
复制代码

exp
  1. normalKeys = {
  2.     "04": "a", "05": "b", "06": "c", "07": "d", "08": "e",
  3.     "09": "f", "0a": "g", "0b": "h", "0c": "i", "0d": "j",
  4.     "0e": "k", "0f": "l", "10": "m", "11": "n", "12": "o",
  5.     "13": "p", "14": "q", "15": "r", "16": "s", "17": "t",
  6.     "18": "u", "19": "v", "1a": "w", "1b": "x", "1c": "y",
  7.     "1d": "z", "1e": "1", "1f": "2", "20": "3", "21": "4",
  8.     "22": "5", "23": "6", "24": "7", "25": "8", "26": "9",
  9.     "27": "0", "28": "<RET>", "29": "<ESC>", "2a": "<DEL>", "2b": "\t",
  10.     "2c": "<SPACE>", "2d": "-", "2e": "=", "2f": "[", "30": "]", "31": "\",
  11.     "32": "<NON>", "33": ";", "34": "'", "35": "<GA>", "36": ",", "37": ".",
  12.     "38": "/", "39": "<CAP>", "3a": "<F1>", "3b": "<F2>", "3c": "<F3>", "3d": "<F4>",
  13.     "3e": "<F5>", "3f": "<F6>", "40": "<F7>", "41": "<F8>", "42": "<F9>", "43": "<F10>",
  14.     "44": "<F11>", "45": "<F12>", "46": "[PRTSC]", "47": "[SCRLK]", "48": "[PAUSE]", "49": "[INSERT]",
  15.     "4a": "[HOME]", "4b": "[PGUP]", "4c": "[DEL]", "4d": "[END]", "4e": "[PGDN]", "4f": "→", "50": "←", "51": "↓",
  16.     "52": "↑", "53": "[NUM]", "54": "/", "55": "*", "56": "-", "57": "+", "58": "\n", "59": "1", "5a": "2", "5b": "3",
  17.     "5c": "4", "5d": "5", "5e": "6", "5f": "7", "60": "8", "61": "9", "62": "0", "63": ".", "64": "\", "65": "[APP]",
  18.     "66": "[POWER]", "67": "="
  19. }
  21. input_file_path = '2.txt'  # 替换为你的输入文件路径
  23. try:
  24.     with open(input_file_path, 'r', encoding='utf-8') as input_file:
  25.         result = [normalKeys.get(line.strip()[6:8], "") for line in input_file]
  26.         print(''.join(result))  # 直接打印拼接后的结果
  28. except FileNotFoundError:
  29.     print(f"错误:文件 {input_file_path} 不存在!")
  30. except Exception as e:
  31.     print(f"发生错误:{e}")
  33. #e<SPACE><DEL>bdfea9b-3469-41c7-9070-d7833ecc6102<SPACE>iss<SPACE>flag<SPACE>q
复制代码
  1. #flag{ebdfea9b-3469-41c7-9070-d7833ecc6102}
复制代码
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!更多信息从访问主页:qidao123.com:ToB企服之家,中国第一个企服评测及商务社交产业平台。



欢迎光临 qidao123.com技术社区-IT企服评测·应用市场 (https://dis.qidao123.com/) Powered by Discuz! X3.4