问鼎杯决赛

决赛去水了一把

3-1 合格铲屎官

下载下来一张图片,用神奇的stegsolve打开,随便按发现通道最低位有点奇怪,先用lsb提取一下。发现熟悉的PK(zip文件头),save bin为一个zip文件,打开后发现是一串base64编码后的字符串(base64只是编码,不是加密),先解码看一下是什么东西,发现是png文件头,直接写脚本提取一下

import base64
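# Base64 text recovered from the zip that was carved out of the image's
# least-significant bits. Base64 is an encoding, not encryption: no key is needed.
a='''
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
'''
# Decode before opening the output so a malformed payload does not leave an
# empty flag.png behind.
png_bytes = base64.b64decode(a)
# The context manager guarantees the handle is flushed and closed; the
# original left the file open until interpreter exit.
with open('flag.png', 'wb') as f:
    f.write(png_bytes)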

打开即是flag

3-2 easy_py

下载下来一个压缩包,先试试伪加密,用zipCenOp打开之后发现果然加密标志没了。然后把flag.pyc反编译一下,一个加密函数(队友说是rc4),不过需要个key。于是又打开了key文件,发现是一串熟悉的东西,懒得写脚本,直接用编辑器的替换功能,从9开始替换,把这么一串东西变成一个表达式

得到key之后替换掉加密算法中的key,然后根据加密算法写个解密算法

# uncompyle6 version 2.9.10
# Python bytecode 2.7 (62211)
# Decompiled from: Python 2.7.11 (v2.7.11:6d1b6a68f775, Dec 5 2015, 20:40:30) [ MSC v.1500 64 bit (AMD64)]
# Embedded file name: /home/ctf/WDCTF2017/test.py
# d: 2017-09-08 19:54:01
import random
import base64
from hashlib import sha1
# Challenge ciphertext in base64 form. decode() in this file treats the first
# 16 decoded bytes as the salt and the remainder as the cipher output.
strCipher = "Xw6aM5fbiQOkkezmbdLC7Gbnj5siJJc5DpzkVjtdKPKT3A=="
# Key substituted by the write-up author after recovering it from the
# challenge's key file.
key = "I_4m-k3y"
def crypt(data, key):
    """Apply the RC4 stream cipher to *data* under *key*.

    Written for Python 2, where both arguments are byte strings. Returns a
    string of the same length as *data*. The operation is its own inverse,
    so running it again with the same key restores the input.
    """
    # Key scheduling: shuffle the identity permutation under control of the key.
    state = list(range(256))
    key_len = len(key)
    j = 0
    for i in range(256):
        j = (j + state[i] + ord(key[i % key_len])) % 256
        state[i], state[j] = state[j], state[i]

    # Keystream generation: one keystream value is XORed into each character.
    i = j = 0
    pieces = []
    for ch in data:
        i = (i + 1) % 256
        j = (j + state[i]) % 256
        state[i], state[j] = state[j], state[i]
        keystream = state[(state[i] + state[j]) % 256]
        pieces.append(chr(ord(ch) ^ keystream))
    return ''.join(pieces)
def decrypt(data, key):
    """Recover the plaintext of RC4-encrypted *data* using *key*.

    RC4 is symmetric, so this performs the same key scheduling and keystream
    XOR as crypt(). Written for Python 2 byte strings.
    """
    # Build the key-dependent permutation.
    perm = list(range(256))
    acc = 0
    for idx in range(256):
        acc = (acc + perm[idx] + ord(key[idx % len(key)])) % 256
        perm[idx], perm[acc] = perm[acc], perm[idx]

    # XOR each input character with the next keystream value.
    a = b = 0
    plain = []
    for symbol in data:
        a = (a + 1) % 256
        b = (b + perm[a]) % 256
        perm[a], perm[b] = perm[b], perm[a]
        plain.append(chr(ord(symbol) ^ perm[(perm[a] + perm[b]) % 256]))
    return ''.join(plain)
def encode(data, key, encode=base64.b64encode, salt_length=16):
    """Encrypt *data* under a per-message salt and return salt + ciphertext.

    The cipher key is SHA-1(key + salt); the salt is prepended to the output
    so the receiver can re-derive it. When *encode* is truthy it is applied
    to the combined result (base64 by default).
    """
    # NOTE(review): the salt is drawn from `random`, which is not a
    # cryptographic RNG, and the output carries no integrity check. Fine for
    # a challenge; real data needs os.urandom/secrets and an authenticated cipher.
    salt = ''.join(chr(random.randrange(256)) for n in range(salt_length))
    session_key = sha1(key + salt).digest()
    data = salt + crypt(data, session_key)
    if encode:
        data = encode(data)
    return data
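def decode(data, key, decode=base64.b64decode, salt_length=16):
    """Reverse encode(): strip the salt, re-derive the cipher key and decrypt.

    Args:
        data: output of encode(); passed through *decode* first when set.
        key: the shared secret used at encryption time.
        decode: transport decoder (base64 by default); falsy to skip it.
        salt_length: number of leading bytes that hold the salt.

    Returns:
        The decrypted payload.

    The original generated a throw-away random salt before overwriting it
    and always sliced at 16, ignoring *salt_length*. Both are fixed here;
    behaviour with the default salt_length=16 is unchanged.
    """
    if decode:
        data = decode(data)
    # The salt travels in the clear at the front of the message.
    salt = data[:salt_length]
    out = data[salt_length:]
    # NOTE(review): nothing authenticates `data`, so a tampered message
    # decrypts to garbage rather than raising an error.
    return decrypt(out, sha1(key + salt).digest())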
# Decrypt the challenge ciphertext with the recovered key and print the result.
print(decode(strCipher, key))

得到flag

4-1 简单加密

py文件还是个加密函数

from hashlib import sha256
def xor(a, b):
    """Return the character-wise XOR of *a* and *b*.

    zip() stops at the shorter input, so the result is as long as the
    shorter of the two strings.
    """
    mixed = []
    for left, right in zip(a, b):
        mixed.append(chr(ord(left) ^ ord(right)))
    return ''.join(mixed)
def HASH(data):
    """Return the first 8 bytes of the SHA-256 digest of *data*."""
    digest = sha256(data).digest()
    return digest[:8]
def bes_encrypt(subkeys, data):
    """Run one Feistel round per subkey over *data* and return the ciphertext.

    *data* is split into its first 8 characters and the remainder. Each round
    XORs HASH(other half) and the round key into one half, then swaps the
    halves. The hex form of the result is printed as a debugging aid before
    the raw string is returned.
    """
    left, right = data[:8], data[8:]
    for round_key in subkeys:
        mixed = xor(xor(HASH(right), round_key), left)
        left, right = right, mixed
    # Emitting the halves in reverse order undoes the swap of the last round.
    result = right + left
    print(result.encode('hex'))
    return result
def key_schedule(key):
    """Derive 16 round keys by repeatedly applying HASH(), starting from *key*."""
    round_keys = []
    current = key
    while len(round_keys) < 16:
        # Each round key is the truncated hash of the previous one.
        current = HASH(current)
        round_keys.append(current)
    return round_keys
def bes(key, data):
    """Encrypt *data* under *key* and return the ciphertext as a hex string."""
    ciphertext = bes_encrypt(key_schedule(key), data)
    return ciphertext.encode('hex')
if __name__ == "__main__":
    # Encrypt the 16-character sample message with the challenge key.
    print(bes('wdctfhhh', 'This_is_the_flag'))
# 19714d622d75f32fd9bd98feaa93df0d

因为没有随机数什么的,加密过程是确定的;算法是Feistel结构,把子密钥倒序、每轮先交换两半再异或就能还原,所以根据加密函数稍微改改写个解密函数就好了

from hashlib import sha256
def xor(a, b):
    """XOR two strings character by character.

    The output is truncated to the shorter input because zip() stops there.
    """
    out = []
    for ch_a, ch_b in zip(a, b):
        out.append(chr(ord(ch_a) ^ ord(ch_b)))
    return ''.join(out)
def HASH(data):
    """Return SHA-256(*data*) truncated to its first 8 bytes."""
    full_digest = sha256(data).digest()
    return full_digest[:8]
def bes_encrypt(subkeys, data):
    """Run one Feistel round per subkey over *data* and return the ciphertext.

    The first 8 characters form one half and the rest the other. The hex
    form of the second half is printed before the rounds as a debugging aid.
    """
    left, right = data[:8], data[8:]
    print(right.encode('hex'))
    for round_key in subkeys:
        # Mix HASH(other half) and the round key into this half, then swap.
        mixed = xor(xor(HASH(right), round_key), left)
        left, right = right, mixed
    # Reverse order on output undoes the swap performed by the final round.
    return right + left
def bes_decrypt(subkeys, data):
    """Invert bes_encrypt() on a hex-encoded ciphertext.

    *data* is a hex string: its first 16 hex digits (8 bytes) and the rest
    are decoded separately as the two halves. The rounds are replayed with
    the subkeys in reverse order, swapping before mixing, which undoes each
    encryption round.
    """
    right = data[:16].decode('hex')
    left = data[16:].decode('hex')
    for round_key in reversed(subkeys):
        # Swap the halves, then strip this round's HASH/key mask.
        left, right = xor(xor(HASH(left), round_key), right), left
    return left + right
def key_schedule(key):
    """Return the 16 round keys obtained by chaining HASH() from *key*."""
    schedule = []
    previous = key
    for _ in range(16):
        # Every round key is the truncated hash of its predecessor.
        previous = HASH(previous)
        schedule.append(previous)
    return schedule
def bes(key, data):
    """Encrypt *data* under *key*; the ciphertext is returned hex-encoded."""
    round_keys = key_schedule(key)
    raw = bes_encrypt(round_keys, data)
    return raw.encode('hex')
def besdd(key, data):
    """Decrypt the hex-encoded ciphertext *data* under *key*."""
    round_keys = key_schedule(key)
    plaintext = bes_decrypt(round_keys, data)
    return plaintext
if __name__ == "__main__":
    # Decrypt the challenge's hex ciphertext with the known key.
    print(besdd('wdctfhhh', '19714d622d75f32fd9bd98feaa93df0d'))
# 19714d622d75f32fd9bd98feaa93df0d

附加题:万里挑一

下载下来一个压缩包,里面1024个文件,随便点个进去都是一堆十六进制,想想万里挑一,感觉像是在里面找一个正常的东西,就随便点点。发现有点不正常的地方:这个文件和前面的文件有很明显的时间差,像是前面是用什么脚本生成的,而从这里开始是加进去的东西。

那就点开这个文件,发现很标准的flag形式,WDFLAG{},那就是它了。
不过一开始并不知道什么加密方法,用ascii试了试发现不对,然后仔细观察发现每一位都小于10,而且都只有两位,第二位都小于等于4,再想到提示提到短信,那应该就是手机键盘加密了,解开之后再用凯撒加密解开就得到了flag。
