2025UCSC CTF之Misc

Misc

1. 题目链接: https://pan.baidu.com/s/1Q8B8Di17TuB-fjTsj1mR_w?pwd=ziu8 提取码: ziu8

复制代码

1. No.shArk

1. 打开流量包发现存在大量的01文本

复制代码

1. 使用随波逐流工具将01转为图片

复制代码

1. 发现是一个二维码, 补充定位块, 扫描得到密码:Y0U_Fi8d_ItHa@aaHH

复制代码

1. 在流量包中选择导出对象HTTP, 保存w1.html, 该文本存在SNOW隐写, 密码为二维码扫出的结果

复制代码

1. 得到后半段flag, 在导出对象FTP中发现next.jpg, 以及在HTTP中发现一个存在Arnold Cat map变化的202410191641147091.png图片, 都保存下来;
2. 将202410191641147091.png拖入到随波逐流中, 发现存在key

复制代码

1. 用silenteye解密next.jpg, 密码为: keykeyishere

复制代码

exp

1. import matplotlib.pyplot as plt
2. import cv2
3. import numpy as np
6. def arnold_decode(image, shuffle_times, a, b):
7.     """ decode for rgb image that encoded by Arnold
8.     Args:
9.         image: rgb image encoded by Arnold
10.         shuffle_times: how many times to shuffle
11.     Returns:
12.         decode image
13.     """
14.     # 1:创建新图像
15.     decode_image = np.zeros(shape=image.shape)
16.     # 2：计算N
17.     h, w = image.shape[0], image.shape[1]
18.     N = h  # 或N=w
20.     # 3：遍历像素坐标变换
21.     for time in range(shuffle_times):
22.         for ori_x in range(h):
23.             for ori_y in range(w):
24.                 # 按照公式坐标变换
25.                 new_x = ((a * b + 1) * ori_x + (-b) * ori_y) % N
26.                 new_y = ((-a) * ori_x + ori_y) % N
27.                 decode_image[new_x, new_y, :] = image[ori_x, ori_y, :]
28.         image = np.copy(decode_image)
30.     return image
33. def arnold_brute(image, shuffle_times_range, a_range, b_range):
34.     for c in range(shuffle_times_range[0], shuffle_times_range[1]):
35.         for a in range(a_range[0], a_range[1]):
36.             for b in range(b_range[0], b_range[1]):
37.                 print(f"[+] Trying shuffle_times={c} a={a} b={b}")
38.                 decoded_img = arnold_decode(image, c, a, b)
39.                 output_filename = f"flag_decodedc{c}_a{a}_b{b}.png"
40.                 cv2.imwrite(output_filename, decoded_img, [int(cv2.IMWRITE_PNG_COMPRESSION), 0])
43. if __name__ == "__main__":
44.     img = cv2.imread("cat.png")
45.     arnold_brute(img, (1, 8), (1, 12), (1, 12))

复制代码

参考博客: https://www.cnblogs.com/alexander17/p/18551089

1. #flag{46962f4d-8d29-11ef-b3b6-a4b1c1c5a2d2}

复制代码

2. three

1. 该flag分为三部分, 首先看part1, 考察的是图片盲水印, 直接执行工具;
2. 命令: java -jar BlindWatermark-v0.0.3.jar decode -c signwithflag.png res.png
3. part1: 8f02d3e7

复制代码

1. 对part2进行解密: bin --> base64 --> morse;
2. part2: -ce89-4d6b-830e-

复制代码

1. part3给了一个压缩包和流量包, 压缩包被加密了, 我们通过分析流量包得到密码字典

复制代码

1. 得到压缩包密码为: thinkbell, 打开txt文本得到part3;
2. part3: 5d0cb5695077

复制代码

1. #flag{8f02d3e7-ce89-4d6b-830e-5d0cb5695077}

复制代码

3. 小套不是套

1. 解压发现有三个文件, 首先看套.zip, 尝试crc爆破

复制代码

1. 按顺序将字符串拼接起来
2. R1JWVENaUllJVkNXMjZDQ0pKV1VNWTNIT1YzVTROVEdLVjJGTVYyWU5NNFdRTTNWR0ZCVVdNS1hNSkZXQ00zRklaNUVRUVRCR0pVVlVUS0VQQktHMlozWQ==
3. 进行解密: Key is SecretIsY0u

复制代码

1. 注意该密码不是另一个压缩包的解压密码, 发现存在一个二维码, 扫描结果为: PassW0rd is !@#QWE123987

复制代码

1. 解压tess.zip, 发现里面还是个压缩包, 存在伪加密

复制代码

1. 得到一个蘑菇图片, 拖入到010分析, 发现里面还存在一张照片

复制代码

1. 补充一个png文件头89 50 4E 47

复制代码

1. 发现存在Oursecret的特征

复制代码

1. 直接用Oursecret工具, 密码为SecretIsY0u, 得到flag

复制代码

1. #flag{6f6bf445-8c9e-11ef-a06b-a4b1c1c5a2d2}

复制代码

4. USB

1. 使用tshark工具, 导出上图框选的数据;
2. 命令: tshark -r flag.pcap -T fields -e usbhid.data | sed '/^\s*$/d' > 2.txt

复制代码

exp

1. normalKeys = {
2.     "04": "a", "05": "b", "06": "c", "07": "d", "08": "e",
3.     "09": "f", "0a": "g", "0b": "h", "0c": "i", "0d": "j",
4.     "0e": "k", "0f": "l", "10": "m", "11": "n", "12": "o",
5.     "13": "p", "14": "q", "15": "r", "16": "s", "17": "t",
6.     "18": "u", "19": "v", "1a": "w", "1b": "x", "1c": "y",
7.     "1d": "z", "1e": "1", "1f": "2", "20": "3", "21": "4",
8.     "22": "5", "23": "6", "24": "7", "25": "8", "26": "9",
9.     "27": "0", "28": "<RET>", "29": "<ESC>", "2a": "<DEL>", "2b": "\t",
10.     "2c": "<SPACE>", "2d": "-", "2e": "=", "2f": "[", "30": "]", "31": "\",
11.     "32": "<NON>", "33": ";", "34": "'", "35": "<GA>", "36": ",", "37": ".",
12.     "38": "/", "39": "<CAP>", "3a": "<F1>", "3b": "<F2>", "3c": "<F3>", "3d": "<F4>",
13.     "3e": "<F5>", "3f": "<F6>", "40": "<F7>", "41": "<F8>", "42": "<F9>", "43": "<F10>",
14.     "44": "<F11>", "45": "<F12>", "46": "[PRTSC]", "47": "[SCRLK]", "48": "[PAUSE]", "49": "[INSERT]",
15.     "4a": "[HOME]", "4b": "[PGUP]", "4c": "[DEL]", "4d": "[END]", "4e": "[PGDN]", "4f": "→", "50": "←", "51": "↓",
16.     "52": "↑", "53": "[NUM]", "54": "/", "55": "*", "56": "-", "57": "+", "58": "\n", "59": "1", "5a": "2", "5b": "3",
17.     "5c": "4", "5d": "5", "5e": "6", "5f": "7", "60": "8", "61": "9", "62": "0", "63": ".", "64": "\", "65": "[APP]",
18.     "66": "[POWER]", "67": "="
19. }
21. input_file_path = '2.txt'  # 替换为你的输入文件路径
23. try:
24.     with open(input_file_path, 'r', encoding='utf-8') as input_file:
25.         result = [normalKeys.get(line.strip()[6:8], "") for line in input_file]
26.         print(''.join(result))  # 直接打印拼接后的结果
28. except FileNotFoundError:
29.     print(f"错误：文件 {input_file_path} 不存在！")
30. except Exception as e:
31.     print(f"发生错误：{e}")
33. #e<SPACE><DEL>bdfea9b-3469-41c7-9070-d7833ecc6102<SPACE>iss<SPACE>flag<SPACE>q

复制代码

1. #flag{ebdfea9b-3469-41c7-9070-d7833ecc6102}

复制代码

免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！更多信息从访问主页：qidao123.com:ToB企服之家，中国第一个企服评测及商务社交产业平台。