Hxb2020 misc
Misc1
Open the capture in Wireshark, then File > Export Objects > HTTP and Save All.
Open index-demo.html and view its source: there is a large block of base64.
KO+9oe+9peKIgO+9pSnvvonvvp7ll6hIaX4gCm==
KO+8oF/vvKA7KSjvvKBf77ygOyko77ygX++8oDspCr==
KCtfKyk/KOOAgj7vuL88KV/OuCjjgII+77i/PClfzrgK
......
Base64-decoding it gives:
(。・∀・)ノ゙嗨Hi~
(@_@;)(@_@;)(@_@;)
(+_+)?(。>︿<)_θ(。>︿<)_θ
o(* ̄▽ ̄*)ブ゜
<(^-^)>(╯▽╰ )好香~~
ヽ(✿゚▽゚)ノ(@^0^)
......
I assumed it was a kaomoji (emoticon) encoding, but aadecode gave nothing.
Only after the contest did I learn that it is base64 steganography: save the base64 text to a txt file and decode it with the script below.
import base64

def get_base64_diff_value(s1, s2):
    # Walk the stego line against its canonical re-encoding. The first
    # character that differs is the last data symbol before the '=' padding,
    # and the index distance between the two symbols is the hidden value.
    base64chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
    for i in range(len(s2)):
        if s1[i] != s2[i]:
            return abs(base64chars.index(s1[i]) - base64chars.index(s2[i]))
    return 0

def solve_stego():
    # Raw string: in a normal string literal '\1' is an octal escape.
    with open(r'E:\Desktop\1.txt', 'r') as f:
        file_lines = f.readlines()
    bin_str = ''
    for line in file_lines:
        steg_line = line.strip()
        # Decode and re-encode to get the canonical line (padding bits zeroed).
        norm_line = base64.b64encode(base64.b64decode(steg_line)).decode()
        diff = get_base64_diff_value(steg_line, norm_line)
        print(diff)
        # Each '=' hides two bits: one '=' gives 2 bits, '==' gives 4 bits.
        pads_num = steg_line.count('=')
        if diff:
            bin_str += bin(diff)[2:].zfill(pads_num * 2)
        else:
            bin_str += '0' * pads_num * 2
    print(goflag(bin_str))

def goflag(bin_str):
    # Regroup the recovered bit string into 8-bit characters.
    res_str = ''
    for i in range(0, len(bin_str), 8):
        res_str += chr(int(bin_str[i:i + 8], 2))
    return res_str

if __name__ == '__main__':
    solve_stego()
Output: key:"lorrie"
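How the hidden bits get into the base64 text, as an added example that is not part of the original writeup: a line whose encoding ends in one '=' has two unused low bits in its last data symbol, a line ending in '==' has four, and a canonical encoder leaves them zero. The script below (hypothetical helper names, constructed cover lines in the spirit of the challenge) writes a secret into those bits, shows that an ordinary base64 decoder still returns the untouched cover text, and recovers the secret the same way the solver above does.

```python
import base64

B64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'

# Constructed cover lines; lengths chosen so that most lines need padding
# (len % 3 == 1 gives '==' -> 4 spare bits, len % 3 == 2 gives '=' -> 2 bits).
COVER = [b'(o^_^o)', b'(@_@;)!', b'(>_<)', b'(T_T)', b'o(^_^)o',
         b'(^_^)v', b'(-_-)zzz', b'(*^_^*)', b'(^o^)/~']


def capacity_bits(cover_lines):
    """Spare bits available: 2 per '=' in each line's canonical encoding."""
    return sum(base64.b64encode(p).decode().count('=') * 2 for p in cover_lines)


def hide_bits(cover_lines, secret):
    """Embed `secret` into the padding bits of each cover line's base64.

    Returns (stego_lines, leftover_bits); leftover bits mean the cover was too small."""
    bits = ''.join(f'{b:08b}' for b in secret)
    out = []
    for plain in cover_lines:
        line = base64.b64encode(plain).decode()
        pads = line.count('=')
        if pads and bits:
            n = pads * 2
            chunk, bits = bits[:n].ljust(n, '0'), bits[n:]   # zero-fill the tail
            idx = len(line) - pads - 1                        # last data symbol
            # The canonical symbol has its low n bits clear, so OR writes the chunk.
            val = B64.index(line[idx]) | int(chunk, 2)
            line = line[:idx] + B64[val] + line[idx + 1:]
        out.append(line)
    return out, bits


def decode_cover(stego_lines):
    """What a normal base64 decoder sees: the cover text, hidden bits ignored."""
    return [base64.b64decode(line) for line in stego_lines]


def recover_bits(stego_lines):
    """Same idea as the solver: compare each line with its canonical re-encoding."""
    bits = ''
    for line in stego_lines:
        line = line.strip()
        pads = line.count('=')
        if not pads:
            continue                      # no padding, nothing can be hidden
        canon = base64.b64encode(base64.b64decode(line)).decode()
        idx = len(line) - pads - 1
        diff = abs(B64.index(line[idx]) - B64.index(canon[idx]))
        bits += format(diff, f'0{pads * 2}b')
    return bits


def bits_to_bytes(bits):
    usable = len(bits) - len(bits) % 8     # drop the zero-filled tail
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


if __name__ == '__main__':
    stego, left = hide_bits(COVER, b'key')
    for line, plain in zip(stego, decode_cover(stego)):
        print(line, '->', plain)           # cover text survives unchanged
    print(bits_to_bytes(recover_bits(stego)))   # b'key'
```

A practical consequence for detection: re-encoding every line and diffing it against the original, exactly as recover_bits does, flags non-canonical base64 even without knowing what is hidden, because a well-formed encoder never produces a non-zero padding bit.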
There is one more layer: SNOW whitespace steganography, opened with the key just recovered.
snow>SNOW.EXE -p lorrie D:CTF湖湘杯2020Misc1index-demo.html
flag{→_→←_←←_←←_←←_← →_→→_→←_←←_←←_← →_→←_←←_←←_← ←_←←_←←_←→_→→_→ ←_←←_←←_←→_→→_→ ←_← ←_←←_←←_←→_→→_→ →_→→_→→_→→_→←_← →_→←_←←_←←_← ←_←←_←←_←←_←←_← ←_←→_→→_→→_→→_→ →_→→_→→_→→_→→_→ ←_←←_←←_←←_←←_← ←_←←_←→_→←_← →_→←_←←_←←_← ←_←←_←←_←←_←→_→ ←_←→_→ ←_←←_←→_→→_→→_→ →_→→_→→_→→_→←_← ←_←←_←←_←←_←←_← ←_←←_←←_←→_→→_→ ←_←→_→ →_→→_→→_→→_→→_→ →_→←_←→_→←_← ←_← →_→→_→←_←←_←←_← →_→→_→→_→→_→←_← →_→←_←→_→←_← ←_←←_←←_←→_→→_→ ←_←←_←←_←→_→→_→ →_→→_→←_←←_←←_← →_→→_→→_→←_←←_←}
# 商业转载请联系作者获得授权,非商业转载请注明出处。
# For commercial use, please contact the author for authorization. For non-commercial use, please indicate the source.
# 协议(License):署名-非商业性使用-相同方式共享 4.0 国际 (CC BY-NC-SA 4.0)
# 作者(Author):Snowywar
# 链接(URL):http://snowywar.top/wordpress/index.php/2020/11/02/hxbwriteup/
# 来源(Source):魔法少女雪殇
# -*- coding:utf-8 -*-
import re

answer = '→_→←_←←_←←_←←_← →_→→_→←_←←_←←_← →_→←_←←_←←_← ←_←←_←←_←→_→→_→ ←_←←_←←_←→_→→_→ ←_← ←_←←_←←_←→_→→_→ →_→→_→→_→→_→←_← →_→←_←←_←←_← ←_←←_←←_←←_←←_← ←_←→_→→_→→_→→_→ →_→→_→→_→→_→→_→ ←_←←_←←_←←_←←_← ←_←←_←→_→←_← →_→←_←←_←←_← ←_←←_←←_←←_←→_→ ←_←→_→ ←_←←_←→_→→_→→_→ →_→→_→→_→→_→←_← ←_←←_←←_←←_←←_← ←_←←_←←_←→_→→_→ ←_←→_→ →_→→_→→_→→_→→_→ →_→←_←→_→←_← ←_← →_→→_→←_←←_←←_← →_→→_→→_→→_→←_← →_→←_←→_→←_← ←_←←_←←_←→_→→_→ ←_←←_←←_←→_→→_→ →_→→_→←_←←_←←_← →_→→_→→_→←_←←_←'
tmp = ""
answer = answer.split(" ")
print(answer)
for element in answer:
    # Each arrow glyph is three characters: →_→ is a dash, ←_← is a dot.
    s = re.findall(r'.{3}', element)
    for ele in s:
        if ele == '→_→':
            tmp += "-"
        if ele == '←_←':
            tmp += "."
    tmp += '/'          # one group per Morse symbol
print(tmp)
#['→_→←_←←_←←_←←_←', '→_→→_→←_←←_←←_←', '→_→←_←←_←←_←', '←_←←_←←_←→_→→_→', '←_←←_←←_←→_→→_→', '←_←', '←_←←_←←_←→_→→_→', '→_→→_→→_→→_→←_←', '→_→←_←←_←←_←', '←_←←_←←_←←_←←_←', '←_←→_→→_→→_→→_→', '→_→→_→→_→→_→→_→', '←_←←_←←_←←_←←_←', '←_←←_←→_→←_←', '→_→←_←←_←←_←', '←_←←_←←_←←_←→_→', '←_←→_→', '←_←←_←→_→→_→→_→', '→_→→_→→_→→_→←_←', '←_←←_←←_←←_←←_←', '←_←←_←←_←→_→→_→', '←_←→_→', '→_→→_→→_→→_→→_→', '→_→←_←→_→←_←', '←_←', '→_→→_→←_←←_←←_←', '→_→→_→→_→→_→←_←', '→_→←_←→_→←_←', '←_←←_←←_←→_→→_→', '←_←←_←←_←→_→→_→', '→_→→_→←_←←_←←_←', '→_→→_→→_→←_←←_←']
#-..../--.../-.../...--/...--/./...--/----./-.../...../.----/-----/...../..-./-.../....-/.-/..---/----./...../...--/.-/-----/-.-././--.../----./-.-./...--/...--/--.../---../
Decoding the Morse code gives 67B33E39B5105FB4A2953A0CE79C3378
flag: 67b33e39b5105fb4a2953a0ce79c3378
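The script above stops at Morse and hands the rest to an online decoder. As an added example that is not part of the original writeup, the following code carries the pipeline through in one place: it rebuilds the arrow string from the page's own 32 groups (each commented with the hex digit it encodes), turns the arrows into Morse, and decodes the Morse with a full letter and digit table. The function names are mine; the arrow data is the page's.

```python
# International Morse: letters and digits (enough for hex output).
MORSE = {
    '.-': 'A', '-...': 'B', '-.-.': 'C', '-..': 'D', '.': 'E', '..-.': 'F',
    '--.': 'G', '....': 'H', '..': 'I', '.---': 'J', '-.-': 'K', '.-..': 'L',
    '--': 'M', '-.': 'N', '---': 'O', '.--.': 'P', '--.-': 'Q', '.-.': 'R',
    '...': 'S', '-': 'T', '..-': 'U', '...-': 'V', '.--': 'W', '-..-': 'X',
    '-.--': 'Y', '--..': 'Z',
    '-----': '0', '.----': '1', '..---': '2', '...--': '3', '....-': '4',
    '.....': '5', '-....': '6', '--...': '7', '---..': '8', '----.': '9',
}

# The 32 space-separated groups from the page, one Morse symbol each.
ARROW_FLAG = ' '.join([
    '→_→←_←←_←←_←←_←',   # -....  6
    '→_→→_→←_←←_←←_←',   # --...  7
    '→_→←_←←_←←_←',      # -...   B
    '←_←←_←←_←→_→→_→',   # ...--  3
    '←_←←_←←_←→_→→_→',   # ...--  3
    '←_←',               # .      E
    '←_←←_←←_←→_→→_→',   # ...--  3
    '→_→→_→→_→→_→←_←',   # ----.  9
    '→_→←_←←_←←_←',      # -...   B
    '←_←←_←←_←←_←←_←',   # .....  5
    '←_←→_→→_→→_→→_→',   # .----  1
    '→_→→_→→_→→_→→_→',   # -----  0
    '←_←←_←←_←←_←←_←',   # .....  5
    '←_←←_←→_→←_←',      # ..-.   F
    '→_→←_←←_←←_←',      # -...   B
    '←_←←_←←_←←_←→_→',   # ....-  4
    '←_←→_→',            # .-     A
    '←_←←_←→_→→_→→_→',   # ..---  2
    '→_→→_→→_→→_→←_←',   # ----.  9
    '←_←←_←←_←←_←←_←',   # .....  5
    '←_←←_←←_←→_→→_→',   # ...--  3
    '←_←→_→',            # .-     A
    '→_→→_→→_→→_→→_→',   # -----  0
    '→_→←_←→_→←_←',      # -.-.   C
    '←_←',               # .      E
    '→_→→_→←_←←_←←_←',   # --...  7
    '→_→→_→→_→→_→←_←',   # ----.  9
    '→_→←_←→_→←_←',      # -.-.   C
    '←_←←_←←_←→_→→_→',   # ...--  3
    '←_←←_←←_←→_→→_→',   # ...--  3
    '→_→→_→←_←←_←←_←',   # --...  7
    '→_→→_→→_→←_←←_←',   # ---..  8
])


def arrows_to_morse(text, dash='→_→', dot='←_←'):
    """Space-separated arrow groups -> '/'-separated Morse symbols."""
    symbols = []
    for group in text.split():
        glyphs = [group[i:i + 3] for i in range(0, len(group), 3)]   # 3 chars per glyph
        symbols.append(''.join('-' if g == dash else '.' if g == dot else '?'
                               for g in glyphs))
    return '/'.join(symbols)


def morse_to_text(morse, sep='/'):
    """Decode '/'-separated Morse; unknown symbols become '?' instead of raising."""
    return ''.join(MORSE.get(sym, '?') for sym in morse.split(sep) if sym)


def decode_arrow_flag(text):
    return morse_to_text(arrows_to_morse(text))


if __name__ == '__main__':
    print(arrows_to_morse(ARROW_FLAG))
    print(decode_arrow_flag(ARROW_FLAG))   # 67B33E39B5105FB4A2953A0CE79C3378
```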
Misc2
volatility -f WIN-BU6IJ7FI9RU-20190927-152050.raw imageinfo
volatility -f WIN-BU6IJ7FI9RU-20190927-152050.raw --profile=Win7SP1x86 hashdump
Volatility Foundation Volatility Framework 2.4
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CTF:1000:aad3b435b51404eeaad3b435b51404ee:0a640404b5c386ab12092587fe19cd02:::
# The last two hash fields are the LM hash and the NT hash. aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty password (LM storage disabled), so only the NT hash identifies the real password.
Looking up 0a640404b5c386ab12092587fe19cd02 on an online hash-cracking site (the author calls this "md5 decryption"; the value is actually the NT hash, MD4 over the UTF-16LE password) gives: qwer1234
flag:sha1(qwer1234)=db25f2fc14cd2d2b1e7af307241f548fb03c312a
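The hashdump lines above have the form user:RID:LM hash:NT hash:::. As an added example, not part of the original writeup, the script below parses that output, implements MD4 from RFC 1320 so the NT hash of a candidate password can be recomputed offline (hashlib's "md4" is frequently unavailable on modern OpenSSL builds), flags every account whose NT hash is that of an empty password, and produces the sha1 value the challenge asks for. The hashdump text is copied from the page; the function names and the structure are mine.

```python
import hashlib
import struct

# hashdump output from the page, embedded verbatim
HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CTF:1000:aad3b435b51404eeaad3b435b51404ee:0a640404b5c386ab12092587fe19cd02:::
"""

EMPTY_LM = 'aad3b435b51404eeaad3b435b51404ee'   # LM hash of "" (LM disabled)


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (pure Python), needed because NT hashes are MD4 digests."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = [
        (F, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    ]
    # Padding: 0x80, zeros to 56 mod 64, then the bit length as little-endian 64-bit.
    msg = data + b'\x80' + b'\x00' * ((55 - len(data)) % 64) + struct.pack('<Q', 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack('<16I', msg[off:off + 64])
        v = state[:]
        for fn, k_const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = (-i) % 4                      # step through a, d, c, b
                b, c, d = (a + 1) % 4, (a + 2) % 4, (a + 3) % 4
                v[a] = rotl((v[a] + fn(v[b], v[c], v[d]) + X[k] + k_const) & mask, shifts[i % 4])
        state = [(s + w) & mask for s, w in zip(state, v)]
    return struct.pack('<4I', *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), lowercase hex like hashdump prints it."""
    return md4(password.encode('utf-16-le')).hex()


def parse_hashdump(text):
    rows = []
    for line in text.splitlines():
        parts = line.split(':')
        if len(parts) < 4:
            continue
        rows.append({'user': parts[0], 'rid': int(parts[1]), 'lm': parts[2], 'nt': parts[3]})
    return rows


def blank_password_accounts(rows):
    """Accounts whose NT hash equals the hash of the empty string (no password set)."""
    empty = nt_hash('')
    return [r['user'] for r in rows if r['nt'] == empty]


def check_candidate(rows, user, password):
    """True if `password` reproduces the dumped NT hash for `user`."""
    return any(r['user'] == user and r['nt'] == nt_hash(password) for r in rows)


def flag_for(password: str) -> str:
    """Challenge format: sha1 of the recovered password."""
    return hashlib.sha1(password.encode()).hexdigest()


if __name__ == '__main__':
    rows = parse_hashdump(HASHDUMP)
    print('blank passwords:', blank_password_accounts(rows))   # Administrator, Guest
    print('CTF/qwer1234 matches dump:', check_candidate(rows, 'CTF', 'qwer1234'))
    print('flag:', flag_for('qwer1234'))
```

Outside a CTF, the blank-password check is the useful part: it is a quick audit of a memory image or SAM dump for accounts with no password at all, and the same comparison against a handful of known-weak candidates gives a fast triage before any real cracking.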
Misc3
Repair the zip with WinRAR, extract "mingwen - 副本.txt" from it, and pack "mingwen - 副本.txt" into a new zip with WinRAR.
Delete flag.txt from the repaired zip, then run a known-plaintext attack on the repaired zip with ARCHPR, choosing the "mingwen - 副本" zip as the plaintext.
Password: 123%asd!O (looking at flag.txt on its own, I could not extract it successfully)
Only 5 is needed; skip over it.
ffd5e341le25b2dcab15cbb}gc3bc5b{789b51
flag{febc7d2138555b9ebccb32b554dbb11c}
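The scrambled string above is the flag written in rows of five characters and read down the columns (a plain, non-zigzag fence cipher with key 5; this is what "only 5" refers to). As an added example that is not part of the original writeup, the code below inverts that transposition, re-encrypts the flag to confirm it reproduces the page's string exactly, and also searches for the width by looking for the flag{ prefix, which generalises the one-key case shown on the page. Function names are mine; the two strings are the page's.

```python
SCRAMBLED = 'ffd5e341le25b2dcab15cbb}gc3bc5b{789b51'   # from the page
FLAG = 'flag{febc7d2138555b9ebccb32b554dbb11c}'        # from the page


def fence_encrypt(plain: str, width: int) -> str:
    """Write `plain` in rows of `width`, then read column by column."""
    return ''.join(plain[c::width] for c in range(width))


def fence_decrypt(cipher: str, width: int) -> str:
    """Invert fence_encrypt: split the ciphertext into columns, read rows."""
    full_rows, rem = divmod(len(cipher), width)
    cols, pos = [], 0
    for c in range(width):
        n = full_rows + (1 if c < rem else 0)   # first `rem` columns are one longer
        cols.append(cipher[pos:pos + n])
        pos += n
    return ''.join(cols[c][r]
                   for r in range(full_rows + (rem > 0))
                   for c in range(width)
                   if r < len(cols[c]))


def find_width(cipher: str, prefix: str = 'flag{'):
    """Try every width and return the first whose plaintext starts with `prefix`."""
    for w in range(2, len(cipher)):
        if fence_decrypt(cipher, w).startswith(prefix):
            return w
    return None


if __name__ == '__main__':
    w = find_width(SCRAMBLED)
    print('width:', w)                                   # 5
    print(fence_decrypt(SCRAMBLED, w))                   # flag{febc7d2138555b9ebccb32b554dbb11c}
```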
Misc4
volatility -f 1.vmem imageinfo
volatility -f 1.vmem --profile=Win2003SP1x86 hashdump
volatility -f 1.vmem --profile=Win2003SP1x86 filescan | grep .txt
volatility -f 1.vmem --profile=Win2003SP1x86 dumpfiles -Q 0x000000000412cde0 --dump-dir=.
Dump the file and open file.txt in Notepad on Windows:
What? The computer was logged into by an unknown account again? There is clearly no such user in Computer Management, so why can this user still log in? Can you, sitting in front of the computer, help me find the reason? The flag is the md5 of that user's username and password.
Format: md5(username:password)
Reference link:
https://blog.csdn.net/q851579181q/article/details/109454629