Chybeta

问鼎杯 CTF writeup


Team: Ph0en1x

1.1

http://sec2.hdu.edu.cn/84cdc76cabf41bd7c961f6ab12f117d8/?year=2016.999999999999999

This gives the flag:

WDFLAG={9c318582f7d864a9b4f9fcaab71657ce}

1.2

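The response headers of the returned page contain account credentials: username Voldemort, password 123456.

After logging in there is a "management" link. Clicking it redirects to: http://sec2.hdu.edu.cn/c8bbe67803085b9e51b69b6d6cff821c/admin.php
Viewing the page source shows a JS file: http://sec2.hdu.edu.cn/c8bbe67803085b9e51b69b6d6cff821c/js/wdctffunction.js

Open the developer tools with F12 and call getSecret() in the console:

Flag:

wdctf{rev3aled_j3_funct10ns}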

2.1

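Admin backend address: http://sec5.hdu.edu.cn/fuckme/login.php

After social engineering, username: 847085251@qq.com, password: NB51A5

After logging in, the following turns up under the unreviewed mailboxes:

Visit: http://sec5.hdu.edu.cn/b7010bcfcdb62922d4e4a5ec8d79fb33.php
It redirects to: http://sec1.hdu.edu.cn/web/ww9ebmxnf1tlkn1d

This gives the flag:

WDFLAG={b3057d3283090fc160d999d272f20e44}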

3.1

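The challenge provides a file named ++__++. Kali automatically shows it as an archive; extracting it yields another ++__++ file, which turns out to be a pcap. Open it in Wireshark. Its built-in export feature yields three files.

However, flag.rar is encrypted and cannot be opened directly. Following the TCP stream reveals a strange string that decodes to garbage when run through base64 alone. Below it is a py script.

After some debugging, the corrected decryption script is as follows:

from Crypto.Cipher import AES
import base64

# The captured script uses the same 16-byte string as both the AES key and the CBC IV.
IV = b'QWERTYUIOPASDFGH'

def decrypt(encrypted):
    aes = AES.new(IV, AES.MODE_CBC, IV)
    return aes.decrypt(encrypted)

def encrypt(message):
    # Zero-pad the message to a multiple of the 16-byte block size.
    length = 16
    count = len(message)
    padding = length - (count % length)
    message = message + b'\0' * padding
    aes = AES.new(IV, AES.MODE_CBC, IV)
    return aes.encrypt(message)

# Strip the zero padding before printing the recovered plaintext.
print(decrypt(base64.b64decode("19aaFYsQQKr+hVX6hl2smAUQ5a767TsULEUebWSajEo=")).rstrip(b'\0').decode())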

Running it prints: passwd={No_One_Can_Decrypt_Me}. This is used to decrypt flag.rar, which gives the final flag:

WDCTF{Seclab_CTF_2017}

3.2

A GIF image is given. Use https://ezgif.com/ to split it into four frames, then stitch them together in Photoshop. The result:

Scanning it gives:


Save it as a pyc file with a hex editor; decompiling it gives the py source:

#!/usr/bin/env python
# encoding: utf-8
# Visit http://tool.lu/pyc/ for more information
# Run under Python 2: Python 3 derives a different random sequence from the same string seed.
import random

key = 'ctf'
strr = '186,98,180,154,139,192,114,14,102,168,43,136,52,218,85,100,43'

def func1(str1, key):
    # Encode: XOR each character with a byte from the PRNG seeded with key.
    random.seed(key)
    str2 = ''
    for c in str1:
        str2 += str(ord(c) ^ random.randint(0, 255)) + ','
    str2 = str2.strip(',')
    return str2

def func2(str2, key):
    # Decode: reseed with the same key and XOR the same byte sequence back out.
    random.seed(key)
    str1 = ''
    for i in str2.split(','):
        i = int(i)
        str1 += chr(i ^ random.randint(0, 255))
    return str1

Append as the last line: print(func2(strr,key))

This gives the flag:

U_r_Greatt!

4.1

An image is given. Extracting it with binwalk -e yields day2’s secret.zip and tips.txt.

The content of tips.txt is:

Although two days doing the same things, but day2 has a secret than day1

Consider a blind watermark.

Submit:

My_c4t_Ho

4-2

A classical cipher; paste it into quipqiup.com to solve it.

This gives the flag.

5-1

Test it with xortool:

root@chybeta:~/Desktop# xortool cipher -c 20
The most probable key lengths:
2: 12.2%
5: 11.9%
9: 9.8%
13: 22.2%
20: 6.8%
22: 6.2%
26: 12.8%
30: 4.6%
39: 7.8%
52: 5.7%
Key-length can be 3*n
1 possible key(s) of length 13:
Good\tuckToYou
Found 1 plaintexts with 95.0%+ printable characters
See files filename-key.csv, filename-char_used-perc_printable.csv

Guessing that the key is GoodLuckToYou, write the following script:

# from secret import FLAG
key = b"GoodLuckToYou"
with open("cipher", "rb") as f:
    text = f.read()

def xor_str(x, y):
    # XOR two byte strings position by position; zip() stops at the shorter one.
    return bytes(z ^ p for (z, p) in zip(x, y))

# flag, key = FLAG.encode('hex'), KEY.encode('hex')
# Repeat the key until it covers the whole ciphertext, then XOR.
enc = xor_str(key * (len(text) // len(key) + 1), text)
with open('flag.txt', 'wb') as ef:
    ef.write(enc)

This gives the flag:

wdflag{You Are Very Smart}
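
The key xortool printed, Good\tuckToYou, differs from the guessed key in one byte, and '\t' XOR 'L' equals ' ' XOR 'e': that is the result you get if 'e', rather than the space assumed by -c 20, was the most frequent plaintext byte in that key column. The following added example (not part of the original writeup) re-scores each key byte under such alternative assumptions; COMMON, english_score, repair_key and the sample ciphertext are constructed for illustration and are not the challenge's files.

```python
from itertools import cycle

ASSUMED = 0x20          # xortool -c 20: most frequent plaintext byte is a space
COMMON = b" etaoinshr"  # assumption: other plausible "most frequent" bytes in English

def xor_repeat(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def english_score(column: bytes) -> int:
    """Count bytes that are a space or an ASCII letter."""
    return sum(1 for b in column
               if b == 0x20 or 65 <= b <= 90 or 97 <= b <= 122)

def repair_key(cipher: bytes, key: bytes) -> bytes:
    """Re-pick every key byte among the values it would have if the column's
    most frequent plaintext byte was one of COMMON instead of a space."""
    fixed = bytearray()
    for i, kb in enumerate(key):
        column = cipher[i::len(key)]          # bytes encrypted with key[i]
        # First candidate (c == space) is the current byte, so ties keep it.
        candidates = [kb ^ ASSUMED ^ c for c in COMMON]
        best = max(candidates,
                   key=lambda k: english_score(bytes(b ^ k for b in column)))
        fixed.append(best)
    return bytes(fixed)

# Constructed sample text, encrypted with the key guessed in the writeup.
SAMPLE = (b"repeating key xor leaks the key one column at a time "
          b"when the text is plain english")
CIPHER = xor_repeat(SAMPLE, b"GoodLuckToYou")
XORTOOL_GUESS = b"Good\tuckToYou"   # key string from the xortool output above

if __name__ == "__main__":
    repaired = repair_key(CIPHER, XORTOOL_GUESS)
    print(repaired)
    print(xor_repeat(CIPHER, repaired).decode())
```

A wrong byte of this kind still decrypts lowercase text to printable symbols, which is why a printable-character percentage alone does not expose it.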


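Post title: 问鼎杯 CTF writeup

Author: chybeta

Published: September 16, 2017 - 12:09

Last updated: September 18, 2017 - 13:09

Original link: http://chybeta.github.io/2017/09/16/问鼎杯-CTF-writeup/

License: Attribution-NonCommercial-NoDerivatives 4.0 International. Please keep the original link and author when reposting.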