决赛去水了一把
3-1 合格铲屎官
下载下来一张图片,用神奇stegsolve打开,随便按发现通道最低位有点奇怪,先用lsb提取一下。发现熟悉的pk,save bin为一个zip文件,打开后发现是一串base64加密后的字符串,先解码看一下是什么东西发现是png文件头,直接写脚本提取一下
1 2 3 4 5 6
| import base64 f=open('flag.png','wb') a=''' iVBORw0KGgoAAAANSUhEUgAAAPoAAAD6CAYAAACI7Fo9AAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAAEnQAABJ0Ad5mH3gAAAVqSURBVHhe7d1bTuRGAEDRIftfK1tIxgNRJNINbpff9xzJmvlpP6q5KpeB5u3v334Bt/bX57/AjQkdAoQOAUKHAKFDgNAhQOgQIHQIEDoECB0ChA4BQocLe39///zf9/xSCwSY0SFA6BAgdAgQOgQIHQKEDgGLv7329vb2+b/1PDqVZ8dZ67uCe13HV1sc95GRcRo9x7XeI8aZ0SFA6BAgdAgQOgR4GLdw/99d/5xz2/q61jD6Hp/pWuo2CX3NN3jrIJbuf/T6t76uNVzhHJnHrTsECB0ChM6fW/RHG/chdAgQOgQIHQJO8330Z6fx7DhrfYtni7XonHPb+rpe8eoYHHGOjDGjX9AU5twNJkLnzwz9aOM+hA4BQocAoUOA0CHAb68N7P+o1z7zaJ9r72+y1tizHzM6BAgdAoQOAZddo8/107mMrEO3eO3aRt6Lrcee/ZjRIUDoECB0CBA6BAgdAhY/dQeuw4wOAUKHAKFDgNAhQOgQIHQIEDoECB0ChA4BQocAoUOA0CFA6BAgdAgQOgQIHQKEDgFChwAfJcVDI3+cgvMZCv3RF8PaXwhb/7WQO/81kpFY5772u/E789jUuHWHAKFDgNAhQOgQcMmHcWseY/Sh09rXexaj4zK569hckRmdIVPMzzbOQ+gQIHQIEPqNTevnRxs9t/7JuDnnssUX/lnWp8+ubY9xOcsY8MGMDgFChwChQ4DQIeD0D+PmWnouIw+sJmcag69Gr22uM48BH8zoECB0CBA6BKy+Rp/rLOvEkWt45izr09E1+lbv75L9nmVMr+rUoY9GuMcxHnllSJcef+Ta5p7fVu/vkv2+Mqb8n1t3CBA6BAgdAoTO7qb19qsbY4YexgHXYEaHAKFDgNAhQOgQIHQIEDoECB0ChA4BQocAoUOA0CFA6BAgdAgQOgT4NdWTOeoz7I46Lvswo0OA0CFA6BBw6jX62uvGK6wZrdHZwmF/wGHy06GFvo451/3suCPv0RXGu0LoJ3NUOEK/N2t0CBA6BAgdAlZfo6+5LhvZ/9bntpWj1rzPjvvTMY86X15jRocAoUOAW/eT+e5WeImR8Rp1hfGuMKNDwOqhTzPDnA3YjxkdAoQOAUKHAKFDwC6/j/7o4ducwy593WTktUf67kHlluf/7LhL36fJFca7wowOAUKHAKFDwOVCn9aDczbgP4sfxo3GNPKQZ6mfjrnW8UYeQu19zf96dtyR92lkHFiXW3cIEDoECB0ChA4Bu/xk3FJHPZiCuzl16MA63LpDgNAhQOgQIHQIEDoECB0ChA4BQocAoUOA0CFA6BAgdAgQOgQIHQKEDgFChwChQ8DQJ8yMftTTWT7c5tF1rH1uI2PlQ4AYdckZfYrm6wY859YdAoQOAUKHgNUfxu3x4Gjt4+5xHSPPEfYYU+5N6L8ddR2PnOlcuA+37hcwxf91g1cIHQKEDgGH/WTcmdbUa+9vxNwxPer8uKbbhL42oXMnbt0hQOgXMM3eXzd4hdAhYGiNPtfaD7tqa3QzOKMuGfpcV4xG6GzBrTsECB0ChA4Bi9foow/ESmv0K4wV92ZGhwChQ4DQIUDoELDLD8wcxcM4+HDr0IEPbt0hQOgQIHQIEDoECB0ChA4BQocAoUOA0CFA6BAgdAgQOgQIHQKEDgFChwChQ4DQIUDoECB0CBA6BAgdAoQOAUKHAKFDgNAhQOgQIHQIEDoECB0ChA4BQocAoUOA0CFA6BAgdAgQOgQIHQKEDgFChwChQ4DQIUDoECB0CBA6BAgdAoQOAUKHAKFDgNAhQOgQIHQIEDoECB0ChA4BQocAoUOA0CFA6BAgdAgQOgQIHQKEDgFChwChw+39+vUPmuaZZgm+XxcAAAAASUVORK5CYII= ''' f.write(base64.b64decode(a))
|
打开即是flag
3-2 easy_py
下载下来一个压缩包,先试试伪加密,用zipCenOp打开之后发现果然加密标志没了。然后把flag.pyc反编译一下,一个加密函数(队友说是rc4),不过需要个key。于是又打开了key文件,发现是一串熟悉的东西,懒得写脚本,直接用编辑器的替换功能,从9开始替换,把这么一串东西变成一个表达式
得到key之后替换掉加密算法中的key,然后根据加密算法写个解密算法
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66
| # uncompyle6 version 2.9.10 # Python bytecode 2.7 (62211) # Decompiled from: Python 2.7.11 (v2.7.11:6d1b6a68f775, Dec 5 2015, 20:40:30) [ MSC v.1500 64 bit (AMD64)] # Embedded file name: /home/ctf/WDCTF2017/test.py # d: 2017-09-08 19:54:01 import random import base64 from hashlib import sha1 strCipher = 'Xw6aM5fbiQOkkezmbdLC7Gbnj5siJJc5DpzkVjtdKPKT3A==' key = 'I_4m-k3y' def crypt(data, key): x = 0 box = range(256) for i in range(256): x = (x + box[i] + ord(key[i % len(key)])) % 256 box[i], box[x] = box[x], box[i] x = y = 0 out = [] for char in data: x = (x + 1) % 256 y = (y + box[x]) % 256 box[x], box[y] = box[y], box[x] out.append(chr(ord(char) ^ box[(box[x] + box[y]) % 256])) return ''.join(out) def decrypt(data, key): x = 0 box = range(256) for i in range(256): x = (x + box[i] + ord(key[i % len(key)])) % 256 box[i], box[x] = box[x], box[i] x = y = 0 data1=[] for char in data: x=(x+1)%256 y=(y+box[x])%256 box[x],box[y] = box[y], box[x] data1.append(chr(ord(char) ^ box[(box[x] + box[y]) % 256])) return ''.join(data1) def encode(data, key, encode=base64.b64encode, salt_length=16): salt = '' for n in range(salt_length): salt += chr(random.randrange(256)) #salt='11' data = salt + crypt(data, sha1(key + salt).digest()) if encode: data = encode(data) return data def decode(data, key, decode=base64.b64decode, salt_length=16): salt = '' if decode: data=decode(data) for n in range(salt_length): salt += chr(random.randrange(256)) #salt='11' salt=data[:16] out=data[16:] return decrypt(out,sha1(key + salt).digest()) print decode(strCipher,key)
|
得到flag
4-1 简单加密
py文件还是个加密函数
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33
| from hashlib import sha256 def xor(a,b): return ''.join([chr(ord(i)^ord(j)) for i,j in zip(a,b)]) def HASH(data): return sha256(data).digest()[:8] def bes_encrypt(subkeys, data): i = 0 d1 = data[:8] d2 = data[8:] for i in subkeys: d1 = xor(xor(HASH(d2),i),d1) d1,d2 = d2,d1 print (d2+d1).encode('hex') return d2 + d1 def key_schedule(key): subKeys = [] subKey = key for i in xrange(16): subKey = HASH(subKey) subKeys.append(subKey) return subKeys def bes(key,data): subKeys = key_schedule(key) return bes_encrypt(subKeys, data).encode('hex') if __name__ == "__main__": print bes('wdctfhhh','This_is_the_flag') # 19714d622d75f32fd9bd98feaa93df0d
|
因为没有随机数什么的,根据加密函数稍微改改写个解密函数就好了
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58
| from hashlib import sha256 def xor(a,b): return ''.join([chr(ord(i)^ord(j)) for i,j in zip(a,b)]) def HASH(data): return sha256(data).digest()[:8] def bes_encrypt(subkeys, data): i = 0 d1 = data[:8] d2 = data[8:] print d2.encode('hex') for i in subkeys: d1 = xor(xor(HASH(d2),i),d1) d1,d2 = d2,d1 return d2 + d1 def bes_decrypt(subkeys,data): i=0 d2= data[:16] d2=d2.decode('hex') d1= data[16:] d1=d1.decode('hex') subkeys=subkeys[::-1] for i in subkeys: d1,d2=d2,d1 d1 = xor(xor(HASH(d2),i),d1) return d1+d2 def key_schedule(key): subKeys = [] subKey = key for i in xrange(16): subKey = HASH(subKey) subKeys.append(subKey) return subKeys def bes(key,data): subKeys = key_schedule(key) return bes_encrypt(subKeys, data).encode('hex') def besdd(key,data): subKeys = key_schedule(key) return bes_decrypt(subKeys, data) if __name__ == "__main__": print besdd('wdctfhhh','19714d622d75f32fd9bd98feaa93df0d') # 19714d622d75f32fd9bd98feaa93df0d
|
附加题:万里挑一
下载下来一个压缩包,里面1024个文件,随便点个进去都是一堆十六进制,想想万里挑一,感觉像是在里面找一个正常的东西,就随便点点。发现有点不正常的地方,,这个文件和前面的文件有很明显的时间差,像是前面是用什么脚本生成的,而从这里开始是加进去的东西。
那就点开这个文件,发现很标准的flag形式,WDFLAG{},那就是它了。
不过一开始并不知道什么加密方法,用ascii试了试发现不对,然后仔细观察发现每一位都小于10,而且都只有两位,第二位都小于等于4,再想到提示提到短信,那应该就是手机键盘加密了,解开之后再用凯撒加密解开就得到了flag。