问鼎杯决赛

决赛去水了一把

3-1 合格铲屎官

下载下来一张图片,用神奇stegsolve打开,随便按发现通道最低位有点奇怪,先用lsb提取一下。发现熟悉的pk,save bin为一个zip文件,打开后发现是一串base64加密后的字符串,先解码看一下是什么东西发现是png文件头,直接写脚本提取一下

1
2
3
4
5
6
import base64
f=open('flag.png','wb')
a='''
iVBORw0KGgoAAAANSUhEUgAAAPoAAAD6CAYAAACI7Fo9AAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAAEnQAABJ0Ad5mH3gAAAVqSURBVHhe7d1bTuRGAEDRIftfK1tIxgNRJNINbpff9xzJmvlpP6q5KpeB5u3v334Bt/bX57/AjQkdAoQOAUKHAKFDgNAhQOgQIHQIEDoECB0ChA4BQocLe39///zf9/xSCwSY0SFA6BAgdAgQOgQIHQKEDgGLv7329vb2+b/1PDqVZ8dZ67uCe13HV1sc95GRcRo9x7XeI8aZ0SFA6BAgdAgQOgR4GLdw/99d/5xz2/q61jD6Hp/pWuo2CX3NN3jrIJbuf/T6t76uNVzhHJnHrTsECB0ChM6fW/RHG/chdAgQOgQIHQJO8330Z6fx7DhrfYtni7XonHPb+rpe8eoYHHGOjDGjX9AU5twNJkLnzwz9aOM+hA4BQocAoUOA0CHAb68N7P+o1z7zaJ9r72+y1tizHzM6BAgdAoQOAZddo8/107mMrEO3eO3aRt6Lrcee/ZjRIUDoECB0CBA6BAgdAhY/dQeuw4wOAUKHAKFDgNAhQOgQIHQIEDoECB0ChA4BQocAoUOA0CFA6BAgdAgQOgQIHQKEDgFChwAfJcVDI3+cgvMZCv3RF8PaXwhb/7WQO/81kpFY5772u/E789jUuHWHAKFDgNAhQOgQcMmHcWseY/Sh09rXexaj4zK569hckRmdIVPMzzbOQ+gQIHQIEPqNTevnRxs9t/7JuDnnssUX/lnWp8+ubY9xOcsY8MGMDgFChwChQ4DQIeD0D+PmWnouIw+sJmcag69Gr22uM48BH8zoECB0CBA6BKy+Rp/rLOvEkWt45izr09E1+lbv75L9nmVMr+rUoY9GuMcxHnllSJcef+Ta5p7fVu/vkv2+Mqb8n1t3CBA6BAgdAoTO7qb19qsbY4YexgHXYEaHAKFDgNAhQOgQIHQIEDoECB0ChA4BQocAoUOA0CFA6BAgdAgQOgT4NdWTOeoz7I46Lvswo0OA0CFA6BBw6jX62uvGK6wZrdHZwmF/wGHy06GFvo451/3suCPv0RXGu0LoJ3NUOEK/N2t0CBA6BAgdAlZfo6+5LhvZ/9bntpWj1rzPjvvTMY86X15jRocAoUOAW/eT+e5WeImR8Rp1hfGuMKNDwOqhTzPDnA3YjxkdAoQOAUKHAKFDwC6/j/7o4ducwy593WTktUf67kHlluf/7LhL36fJFca7wowOAUKHAKFDwOVCn9aDczbgP4sfxo3GNPKQZ6mfjrnW8UYeQu19zf96dtyR92lkHFiXW3cIEDoECB0ChA4Bu/xk3FJHPZiCuzl16MA63LpDgNAhQOgQIHQIEDoECB0ChA4BQocAoUOA0CFA6BAgdAgQOgQIHQKEDgFChwChQ8DQJ8yMftTTWT7c5tF1rH1uI2PlQ4AYdckZfYrm6wY859YdAoQOAUKHgNUfxu3x4Gjt4+5xHSPPEfYYU+5N6L8ddR2PnOlcuA+37hcwxf91g1cIHQKEDgGH/WTcmdbUa+9vxNwxPer8uKbbhL42oXMnbt0hQOgXMM3eXzd4hdAhYGiNPtfaD7tqa3QzOKMuGfpcV4xG6GzBrTsECB0ChA4Bi9foow/ESmv0K4wV92ZGhwChQ4DQIUDoELDLD8wcxcM4+HDr0IEPbt0hQOgQIHQIEDoECB0ChA4BQocAoUOA0CFA6BAgdAgQOgQIHQKEDgFChwChQ4DQIUDoECB0CBA6BAgdAoQOAUKHAKFDgNAhQOgQIHQIEDoECB0ChA4BQocAoUOA0CFA6BAgdAgQOgQIHQKEDgFChwChQ4DQIUDoECB0CBA6BAgdAoQOAUKHAKFDgNAhQOgQIHQIEDoECB0ChA4BQocAoUOA0CFA6BAgdAgQOgQIHQKEDgFChwChw+39+vUPmuaZZgm+XxcAAAAASUVORK5CYII=
'''
f.write(base64.b64decode(a))

打开即是flag

3-2 easy_py

下载下来一个压缩包,先试试伪加密,用zipCenOp打开之后发现果然加密标志没了。然后把flag.pyc反编译一下,一个加密函数(队友说是rc4),不过需要个key。于是又打开了key文件,发现是一串熟悉的东西,懒得写脚本,直接用编辑器的替换功能,从9开始替换,把这么一串东西变成一个表达式

得到key之后替换掉加密算法中的key,然后根据加密算法写个解密算法

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
# uncompyle6 version 2.9.10
# Python bytecode 2.7 (62211)
# Decompiled from: Python 2.7.11 (v2.7.11:6d1b6a68f775, Dec  5 2015, 20:40:30) [                                                                                                                                  MSC v.1500 64 bit (AMD64)]
# Embedded file name: /home/ctf/WDCTF2017/test.py
# d: 2017-09-08 19:54:01
import random
import base64
from hashlib import sha1
strCipher = 'Xw6aM5fbiQOkkezmbdLC7Gbnj5siJJc5DpzkVjtdKPKT3A=='
key = 'I_4m-k3y'
def crypt(data, key):
    x = 0
    box = range(256)
    for i in range(256):
        x = (x + box[i] + ord(key[i % len(key)])) % 256
        box[i], box[x] = box[x], box[i]
    x = y = 0
    out = []
    for char in data:
        x = (x + 1) % 256
        y = (y + box[x]) % 256
        box[x], box[y] = box[y], box[x]
        out.append(chr(ord(char) ^ box[(box[x] + box[y]) % 256]))
    return ''.join(out)
def decrypt(data, key):
    x = 0
    box = range(256)
    for i in range(256):
        x = (x + box[i] + ord(key[i % len(key)])) % 256
        box[i], box[x] = box[x], box[i]
    x = y = 0
    data1=[]
    for char in data:
        x=(x+1)%256
        y=(y+box[x])%256
        box[x],box[y] = box[y], box[x]
        data1.append(chr(ord(char) ^ box[(box[x] + box[y]) % 256]))
    return ''.join(data1)
  
def encode(data, key, encode=base64.b64encode, salt_length=16):
    salt = ''
    for n in range(salt_length):
        salt += chr(random.randrange(256))
    #salt='11'
    data = salt + crypt(data, sha1(key + salt).digest())
    if encode:
        data = encode(data)
    return data
def decode(data, key, decode=base64.b64decode, salt_length=16):
    salt = ''
    if decode:
        data=decode(data)
    for n in range(salt_length):
        salt += chr(random.randrange(256))
    #salt='11'
    salt=data[:16]
    out=data[16:]
    return decrypt(out,sha1(key + salt).digest())
    
print decode(strCipher,key)

得到flag

4-1 简单加密

py文件还是个加密函数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
from hashlib import sha256
def xor(a,b):
    return ''.join([chr(ord(i)^ord(j)) for i,j in zip(a,b)])
def HASH(data):
    return sha256(data).digest()[:8]
def bes_encrypt(subkeys, data):
    i = 0
    d1 = data[:8]
    d2 = data[8:]
    for i in subkeys:
       d1 = xor(xor(HASH(d2),i),d1)
       d1,d2 = d2,d1
       print (d2+d1).encode('hex')
    return d2 + d1
def key_schedule(key):
    subKeys = []
    subKey = key
    for i in xrange(16):
        subKey = HASH(subKey)
        subKeys.append(subKey)
    return subKeys
def bes(key,data):
    subKeys = key_schedule(key)
    return bes_encrypt(subKeys, data).encode('hex')
if __name__ == "__main__":
    print bes('wdctfhhh','This_is_the_flag')
    # 19714d622d75f32fd9bd98feaa93df0d

因为没有随机数什么的,根据加密函数稍微改改写个解密函数就好了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
from hashlib import sha256
def xor(a,b):
    return ''.join([chr(ord(i)^ord(j)) for i,j in zip(a,b)])
def HASH(data):
    return sha256(data).digest()[:8]
def bes_encrypt(subkeys, data):
    i = 0
    d1 = data[:8]
    d2 = data[8:]  
    print d2.encode('hex')  
    for i in subkeys:
       d1 = xor(xor(HASH(d2),i),d1)  
       d1,d2 = d2,d1
    return d2 + d1
def bes_decrypt(subkeys,data):
	i=0
	
	d2= data[:16]
	d2=d2.decode('hex')
	d1= data[16:]
	d1=d1.decode('hex')
	subkeys=subkeys[::-1]
	for i in subkeys:
		d1,d2=d2,d1
		d1 = xor(xor(HASH(d2),i),d1)
	return d1+d2
def key_schedule(key):
    subKeys = []
    subKey = key
    for i in xrange(16):
        subKey = HASH(subKey)
        subKeys.append(subKey)
    return subKeys
def bes(key,data):
    subKeys = key_schedule(key)
    return bes_encrypt(subKeys, data).encode('hex')
def besdd(key,data):
    subKeys = key_schedule(key)
    return bes_decrypt(subKeys, data)
if __name__ == "__main__":
    print besdd('wdctfhhh','19714d622d75f32fd9bd98feaa93df0d')
    # 19714d622d75f32fd9bd98feaa93df0d

附加题:万里挑一

下载下来一个压缩包,里面1024个文件,随便点个进去都是一堆十六进制,想想万里挑一,感觉像是在里面找一个正常的东西,就随便点点。发现有点不正常的地方,,这个文件和前面的文件有很明显的时间差,像是前面是用什么脚本生成的,而从这里开始是加进去的东西。

那就点开这个文件,发现很标准的flag形式,WDFLAG{},那就是它了。
不过一开始并不知道什么加密方法,用ascii试了试发现不对,然后仔细观察发现每一位都小于10,而且都只有两位,第二位都小于等于4,再想到提示提到短信,那应该就是手机键盘加密了,解开之后再用凯撒加密解开就得到了flag。

×

纯属好玩

扫码支持
扫码打赏,你说多少就多少

打开支付宝扫一扫,即可进行扫码打赏哦

本文标题:问鼎杯决赛

文章作者:Err0rzz

发布时间:2017年09月24日 - 09时50分

最后更新:2017年11月10日 - 16时16分

原始链接:http://Err0rzz.github.io/2017/09/24/问鼎杯决赛/

许可协议: "署名-非商用-相同方式共享 3.0" 转载请保留原文链接及作者。

文章目录
  1. 1. 3-1 合格铲屎官
  2. 2. 3-2 easy_py
  3. 3. 4-1 简单加密
  4. 4. 附加题:万里挑一
,