Chybeta

问鼎杯 CTF writeup

问鼎杯 CTF writeup

队伍:Ph0en1x

1.1

http://sec2.hdu.edu.cn/84cdc76cabf41bd7c961f6ab12f117d8/?year=2016.999999999999999

得到flag:

1
WDFLAG={9c318582f7d864a9b4f9fcaab71657ce}

1.2

返回的页面头里有一个账号信息,用户名为:Voldemort,密码为:123456。

登陆后有个management。点击后跳转到:http://sec2.hdu.edu.cn/c8bbe67803085b9e51b69b6d6cff821c/admin.php
查看源代码,有个js:http://sec2.hdu.edu.cn/c8bbe67803085b9e51b69b6d6cff821c/js/wdctffunction.js

f12打开,控制台下getSecret():

flag:

1
wdctf{rev3aled_j3_funct10ns}

2.1

后台地址: http://sec5.hdu.edu.cn/fuckme/login.php

社工后,用户名:847085251@qq.com ,密码:NB51A5

登陆后在未审核邮箱处找到:

访问:http://sec5.hdu.edu.cn/b7010bcfcdb62922d4e4a5ec8d79fb33.php
跳转到:http://sec1.hdu.edu.cn/web/ww9ebmxnf1tlkn1d

得到flag:

1
WDFLAG={b3057d3283090fc160d999d272f20e44}

3.1

题目提供了一个 ++__++文件,在kali下自动显示为一个压缩包,提取后得到一个++__++文件,发现是pcap。用wireshark打开。通过自带的导出功能,得到三个文件。

但flag.rar被加密了无法直接解开。追踪一下tcp流,发现一个奇怪的字符串,直接用base64解是乱码。在它下面有一个py脚本。

经过一番调试,最后解密脚本修正如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
from Crypto import Random
from Crypto.Cipher import AES
import sys
import base64
IV = 'QWERTYUIOPASDFGH'
def decrypt(encrypted):
aes = AES.new(IV, AES.MODE_CBC, IV)
return aes.decrypt(encrypted)
def encrypt(message):
length = 16
count = len(message)
padding = length - (count % length)
message = message + '\0' * padding
aes = AES.new(IV, AES.MODE_CBC, IV)
return aes.encrypt(message)
print(decrypt(base64.b64decode("19aaFYsQQKr+hVX6hl2smAUQ5a767TsULEUebWSajEo=")))

运行后得到:passwd={No_One_Can_Decrypt_Me}。用于flag.rar的解密,得到最后的flag:

1
WDCTF{Seclab_CTF_2017}

3.2

给了一张gif图片。https://ezgif.com/ 分解出四帧,然后ps将其拼接。得到:

扫描后得到:

1
03f30d0ab8c1aa596300000000000000000200000040000000732e0000006400006401006c00005a00006402005a01006403005a02006404008400005a03006405008400005a040064010053280600000069ffffffff4e7403000000637466733d0000003138362c39382c3138302c3135342c3133392c3139322c3131342c31342c3130322c3136382c34332c3133362c35322c3231382c38352c3130302c3433630200000004000000070000004300000073610000007400006a01007c0100830100016401007d02007838007c0000445d30007d03007c02007402007403007c03008301007400006a04006402006403008302004183010064040017377d0200711a00577c02006a05006404008301007d02007c02005328050000004e7400000000690000000069ff00000074010000002c2806000000740600000072616e646f6d740400000073656564740300000073747274030000006f7264740700000072616e64696e7474050000007374726970280400000074040000007374723174030000006b65797404000000737472327401000000632800000000280000000073100000002f686f6d652f6374662f6262622e7079740500000066756e633107000000730c00000000010d0106010d012e010f016302000000040000000700000043000000735d0000007400006a01007c0100830100016401007d02007843007c00006a0200640200830100445d32007d03007403007c03008301007d03007c02007404007c03007400006a050064030064040083020041830100377d0200712300577c02005328050000004e52010000005202000000690000000069ff000000280600000052030000005204000000740500000073706c69747403000000696e74740300000063687252070000002804000000520b000000520a00000052090000007401000000692800000000280000000073100000002f686f6d652f6374662f6262622e7079740500000066756e63320f000000730c00000000010d01060116010c01240128050000005203000000520a000000740400000073747272520d000000521200000028000000002800000000280000000073100000002f686f6d652f6374662f6262622e707974080000003c6d6f64756c653e0100000073080000000c02060106030908

用hex编辑器保存为pyc文件,反汇编后得到py:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
#!/usr/bin/env python
# encoding: utf-8
# 访问 http://tool.lu/pyc/ 查看更多信息
import random
key = 'ctf'
strr = '186,98,180,154,139,192,114,14,102,168,43,136,52,218,85,100,43'
def func1(str1, key):
random.seed(key)
str2 = ''
for c in str1:
str2 += str(ord(c) ^ random.randint(0, 255)) + ','
str2 = str2.strip(',')
return str2
def func2(str2, key):
random.seed(key)
str1 = ''
for i in str2.split(','):
i = int(i)
str1 += chr(i ^ random.randint(0, 255))
return str1

最后一行添上:print(func2(strr,key))

得到flag:

1
U_r_Greatt!

4.1

给了一张图片,用binwalk -e分解后得到day2’s secret.zip和tips.txt。

tips.txt的内容如下:

1
Although two days doing the same things, but day2 has a secret than day1

考虑盲水印

提交:

1
My_c4t_Ho

4-2

古典密码,然后放到 quipqiup.com 解一下

得到flag。

5-1

用xortool测试一下;

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
root@chybeta:~/Desktop# xortool cipher -c 20
The most probable key lengths:
2: 12.2%
5: 11.9%
9: 9.8%
13: 22.2%
20: 6.8%
22: 6.2%
26: 12.8%
30: 4.6%
39: 7.8%
52: 5.7%
Key-length can be 3*n
1 possible key(s) of length 13:
Good\tuckToYou
Found 1 plaintexts with 95.0%+ printable characters
See files filename-key.csv, filename-char_used-perc_printable.csv

猜测key为 GoodLuckToYou,写出脚本如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
import random
# from secret import FLAG
key = "GoodLuckToYou"
text = open("cipher","rb").read()
def xor_str(x, y):
if len(x) > len(y):
return ''.join([chr(ord(z) ^ ord(p)) for (z, p) in zip(x[:len(y)], y)])
else:
return ''.join([chr(ord(z) ^ ord(p)) for (z, p) in zip(x, y[:len(x)])])
# flag, key = FLAG.encode('hex'), KEY.encode('hex')
enc = xor_str(key * (len(text) // len(key) + 1), text)
ef = open('flag.txt', 'w')
ef.write(enc)
ef.close()

得到flag:

1
wdflag{You Are Very Smart}

点击赞赏二维码,您的支持将鼓励我继续创作!
chybeta WeChat Pay

微信打赏

chybeta Alipay

支付宝打赏

本文标题:问鼎杯 CTF writeup

文章作者:chybeta

发布时间:2017年09月16日 - 12:09

最后更新:2017年09月18日 - 13:09

原始链接:http://chybeta.github.io/2017/09/16/问鼎杯-CTF-writeup/

许可协议: 署名-非商业性使用-禁止演绎 4.0 国际 转载请保留原文链接及作者。