CISCN2022初赛个人writeup

4144815
图片[1]-CISCN2022初赛个人writeup-魔法少女雪殇

又一年ciscn,,,啊,开摆,连续三次都是做到最后一步了,一二三血就都出了,哎呀急死我了呜呜呜,区块链一直没时间看,后续复现一下。该说不说,做题体验还行,跟往届比的话。至少不像去年那种嗯造高考了。

问卷

问卷

ez_usb

流量分析,可以看见是常规usb,直接提取发现rar不太行,然后发现

图片[2]-CISCN2022初赛个人writeup-魔法少女雪殇

存在两种usb的arr,所以猜测是两个键盘,分别提取 usb.addr == “2.10.1” && usbhid.data usb.addr == “2.8.1” && usbhid.data 然后导出csv。然后

cat 111.csv | cut -d "," -f 7 | sed ':a;N;$!ba;s/"//g' > HEXDUMP.txt
cat 222.csv | cut -d "," -f 7 | sed ':a;N;$!ba;s/"//g' > HEXDUMP2.txt

分别导出两个,然后屑exp

str_data = {0x04: "A", 0x05: "B", 0x06: "C", 0x07: "D", 0x08: "E", 0x09: "F", 0x0A: "G", 0x0B: "H", 0x0C: "I",
            0x0D: "J", 0x0E: "K", 0x0F: "L", 0x10: "M", 0x11: "N", 0x12: "O", 0x13: "P", 0x14: "Q", 0x15: "R",
            0x16: "S", 0x17: "T", 0x18: "U", 0x19: "V", 0x1A: "W", 0x1B: "X", 0x1C: "Y", 0x1D: "Z", 0x1E: "1",
            0x1F: "2", 0x20: "3", 0x21: "4", 0x22: "5", 0x23: "6", 0x24: "7", 0x25: "8", 0x26: "9", 0x27: "0",
            0x28: "\n", 0x2a: "[DEL]", 0X2B: "    ", 0x2C: " ", 0x2D: "-", 0x2E: "=", 0x2F: "[", 0x30: "]", 0x31: "\\",
            0x32: "~", 0x33: ";", 0x34: "'", 0x36: ",", 0x37: ".", 0x38: "/", 0x57: "+", 0x5a: "2", 0x5b: "3", 0x5c: "4", 0x5d: "5",
            0x5e: "6", 0x5f: "7", 0x60: "8", 0x61: "9"}
nums = []
keys = open('HEXDUMP2.txt')
for line in keys:
    if int('0x' + line[4:6], 16) < 0x04 or int('0x' + line[4:6], 16) > 0xa0:
        continue
    nums.append(int(line[4:6], 16))
keys.close()
print(nums)
output = ""
flag = 0
for n in nums:
    if flag == 0:
        if n == 0x39:
            flag = 1
            continue
        else:
            output += str_data[n].lower()
    elif flag == 1:
        if n == 0x39:
            flag = 0
            continue
        else:
            output += str_data[n].upper()
    else:
        print('error')
        break
print('output:\n' + output)

跑两次就行了。

图片[3]-CISCN2022初赛个人writeup-魔法少女雪殇

上面的复制到010,是rar,下面的是密码,解压后获得flag

图片[4]-CISCN2022初赛个人writeup-魔法少女雪殇

补充:

图片[5]-CISCN2022初赛个人writeup-魔法少女雪殇

wireshark设置方式(

everlasting_night

一个图片,010打开发现最后有一串东西,暂时不知道是啥 然后图片a2通道发现一串隐写字符

图片[6]-CISCN2022初赛个人writeup-魔法少女雪殇

直接用stegsolve发现解不开,手工读一下罢,获得内容 f78dcd383f1b574b

不知道有啥用,fuzz了好久,发现用老python2 的lsb.py可以提取出一个zip。zip有密码。。。好套。 然后fuzz了一波,发现scmd5可以搞出来个密码,尝试解密

图片[7]-CISCN2022初赛个人writeup-魔法少女雪殇

解开了,一个flag文件,010打开内容比较混乱,猜测是需要修复的,改名为flag.data,导入gimp进行修复即可

图片[8]-CISCN2022初赛个人writeup-魔法少女雪殇

babydisk

取证大师一把梭,获取wav文件和secret, wav文件常规测试没有发现什么内容,再deepsound发现存在密码,但是没找到相关线索,猜测爆破 deepsound2join.py

#!/usr/bin/env python3
'''
deepsound2john extracts password hashes from audio files containing encrypted
data steganographically embedded by DeepSound (http://jpinsoft.net/deepsound/).
This method is known to work with files created by DeepSound 2.0.
Input files should be in .wav format. Hashes can be recovered from audio files
even after conversion from other formats, e.g.,
    ffmpeg -i input output.wav
Usage:
    python3 deepsound2john.py carrier.wav > hashes.txt
    john hashes.txt
This software is copyright (c) 2018 Ryan Govostes <rgovostes@gmail.com>, and
it is hereby released to the general public under the following terms:
Redistribution and use in source and binary forms, with or without
modification, are permitted.
'''

import logging
import os
import sys
import textwrap


def decode_data_low(buf):
  return buf[::2]

def decode_data_normal(buf):
  out = bytearray()
  for i in range(0, len(buf), 4):
    out.append((buf[i] & 15) << 4 | (buf[i + 2] & 15))
  return out

def decode_data_high(buf):
  out = bytearray()
  for i in range(0, len(buf), 8):
    out.append((buf[i] & 3) << 6     | (buf[i + 2] & 3) << 4 \
             | (buf[i + 4] & 3) << 2 | (buf[i + 6] & 3))
  return out


def is_magic(buf):
  # This is a more efficient way of testing for the `DSCF` magic header without
  # decoding the whole buffer
  return (buf[0] & 15)  == (68 >> 4) and (buf[2]  & 15) == (68 & 15) \
     and (buf[4] & 15)  == (83 >> 4) and (buf[6]  & 15) == (83 & 15) \
     and (buf[8] & 15)  == (67 >> 4) and (buf[10] & 15) == (67 & 15) \
     and (buf[12] & 15) == (70 >> 4) and (buf[14] & 15) == (70 & 15)


def is_wave(buf):
  return buf[0:4] == b'RIFF' and buf[8:12] == b'WAVE'


def process_deepsound_file(f):
  bname = os.path.basename(f.name)
  logger = logging.getLogger(bname)

  # Check if it's a .wav file
  buf = f.read(12)
  if not is_wave(buf):
    global convert_warn
    logger.error('file not in .wav format')
    convert_warn = True
    return
  f.seek(0, os.SEEK_SET)

  # Scan for the marker...
  hdrsz = 104
  hdr = None

  while True:
    off = f.tell()
    buf = f.read(hdrsz)
    if len(buf) < hdrsz: break

    if is_magic(buf):
          hdr = decode_data_normal(buf)
          logger.info('found DeepSound header at offset %i', off)
          break

    f.seek(-hdrsz + 1, os.SEEK_CUR)

  if hdr is None:
    logger.warn('does not appear to be a DeepSound file')
    return

  # Check some header fields
  mode = hdr[4]
  encrypted = hdr[5]

  modes = {2: 'low', 4: 'normal', 8: 'high'}
  if mode in modes:
    logger.info('data is encoded in %s-quality mode', modes[mode])
  else:
    logger.error('unexpected data encoding mode %i', modes[mode])
    return

  if encrypted == 0:
    logger.warn('file is not encrypted')
    return
  elif encrypted != 1:
    logger.error('unexpected encryption flag %i', encrypted)
    return

  sha1 = hdr[6:6+20]
  print('%s:$dynamic_1529$%s' % (bname, sha1.hex()))


if __name__ == '__main__':
  import argparse

  parser = argparse.ArgumentParser()
  parser.add_argument('--verbose', '-v', action='store_true')
  parser.add_argument('files', nargs='+', metavar='file',
    type=argparse.FileType('rb', bufsize=4096))
  args = parser.parse_args()

  if args.verbose:
    logging.basicConfig(level=logging.INFO)
  else:
    logging.basicConfig(level=logging.WARN)

  convert_warn = False

  for f in args.files:
    process_deepsound_file(f)

  if convert_warn:
    print(textwrap.dedent('''
    ---------------------------------------------------------------
    Some files were not in .wav format. Try converting them to .wav
    and try again. You can use: ffmpeg -i input output.wav
    ---------------------------------------------------------------
    '''.rstrip()), file=sys.stderr)

爆破获得密码 feedback 解密获得key.txt,内容为e575ac894c385a6f,

图片[9]-CISCN2022初赛个人writeup-魔法少女雪殇

取证大师看见文件发现是truecrypt文件,

导出后用刚刚获得的key.txt解密 解密后导入,发现一个zip文件

图片[10]-CISCN2022初赛个人writeup-魔法少女雪殇

导出后无法直接打开,010查看可以发现整体文件时比较混乱的,结合spiral这个文件名,猜测是进行了螺旋加密,写脚本解密即可

from struct import pack

file = open('spiral.zip', 'rb').read()
rotate = 0
match = ((0, 1), (1, 0), (0, -1), (-1, 0))
wall = [0, 86, 86 ,0]
sets = (1, -1, -1, 1)
matrix = []
for i in range(87):
    list = []
    for o in range(87):
        list.append(0)
    matrix.append(list)

x = 0
y = 0

for i in file:
    matrix[y][x] = i
    x += match[rotate][1]
    y += match[rotate][0]
    
    if x > wall[1] or x < wall[3] or y > wall[2] or y < wall[0]:
        x -= match[rotate][1]
        y -= match[rotate][0]
        wall[rotate] += sets[rotate]
        rotate = (rotate + 1) % 4
        x += match[rotate][1]
        y += match[rotate][0]



file3 = open('out.zip', 'wb')
for i in matrix:
    for o in i:
        file3.write(pack('B', o))
file3.close()

导出结果后解压获得图片

图片[11]-CISCN2022初赛个人writeup-魔法少女雪殇

获得内容,当然肯定也要转到低了,由于数量没多少,这里手工转一下就行了,前面的ohhhhhh是给定位的,总共49个字符,开根号得7,7×7,获得最终结果

图片[12]-CISCN2022初赛个人writeup-魔法少女雪殇

flag{701fa9fe-63f5-410b-93d4-119f96965be6}

© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
CTFWP
喜欢就支持一下吧
点赞15 分享
魔法少女雪殇的头像-魔法少女雪殇钻石会员
AntCTF x D^3CTF 个人Write Up-魔法少女雪殇
AntCTF x D^3CTF 个人Write Up
AntCTF x D^3CTF 个人Write Up
3年前 11.6W+
Goerli与Sepolia,mumbai测试币领取-魔法少女雪殇
Goerli与Sepolia,mumbai测试币领取
Goerli与Sepolia,mumbai测试币领取
2年前 5933
CISCN2021 初赛 Write UP-魔法少女雪殇
CISCN2021 初赛 Write UP
CISCN2021 初赛 Write UP
3年前 5754
开源CTF平台踩坑与评价(更新了两个平台)-魔法少女雪殇
开源CTF平台踩坑与评价(更新了两个平台)
开源CTF平台踩坑与评价(更新了两个平台)
3年前 4750
陇剑杯 个人 ’WriteUp‘-魔法少女雪殇
陇剑杯 个人 ’WriteUp‘
陇剑杯 个人 ’WriteUp‘
3年前 4536
红帽杯2021 Write UP-魔法少女雪殇
红帽杯2021 Write UP
红帽杯2021 Write UP
3年前 4188
相关推荐
AntCTF x D^3CTF 个人Write Up-魔法少女雪殇
AntCTF x D^3CTF 个人Write Up
AntCTF x D^3CTF 个人Write Up
3年前 11.6W+
CISCN2021 初赛 Write UP-魔法少女雪殇
CISCN2021 初赛 Write UP
CISCN2021 初赛 Write UP
3年前 5754
陇剑杯 个人 ’WriteUp‘-魔法少女雪殇
陇剑杯 个人 ’WriteUp‘
陇剑杯 个人 ’WriteUp‘
3年前 4536
红帽杯2021 Write UP-魔法少女雪殇
红帽杯2021 Write UP
红帽杯2021 Write UP
3年前 4188
首届网刃杯工控ctf WriteUp-魔法少女雪殇
首届网刃杯工控ctf WriteUp
首届网刃杯工控ctf WriteUp
3年前 2889
VNCTF2021 WriteUp-魔法少女雪殇
VNCTF2021 WriteUp
VNCTF2021 WriteUp
3年前 2360
评论 共4条
头像
欢迎您留下宝贵的见解!
提交
头像

昵称

取消
昵称

请填写用户信息:

  • 昵称(必填)
  • 邮箱(必填)
表情
[aoman][baiyan][bishi][bizui][cahan][ciya][dabing][daku][deyi][doge][fadai][fanu][fendou][ganga][guzhang][haixiu][hanxiao][zuohengheng][zhuakuang][zhouma][zhemo][zhayanjian][zaijian][yun][youhengheng][yiwen][yinxian][xu][xieyanxiao][xiaoku][xiaojiujie][xia][wunai][wozuimei][weixiao][weiqu][tuosai][tu][touxiao][tiaopi][shui][se][saorao][qiudale][se][qinqin][qiaoda][piezui][penxue][nanguo][liulei][liuhan][lenghan][leiben][kun][kuaikule][ku][koubi][kelian][keai][jingya][jingxi][jingkong][jie][huaixiao][haqian][aini][OK][qiang][quantou][shengli][woshou][gouyin][baoquan][aixin][bangbangtang][xiaoyanger][xigua][hexie][pijiu][lanqiu][juhua][hecai][haobang][caidao][baojin][chi][dan][kulou][shuai][shouqiang][yangtuo][youling]
    只看作者
    • 头像charmersix4
      雪姐姐tql
      2年前回复
    • 头像tank0
      雪姐姐,小弟想要取证大师表情[ciya]-魔法少女雪殇
      2年前回复
    • 头像楠辞0
      雪姐姐太厉害啦
      2年前回复
    • 头像v2ish1yan1
      雪姐姐!表情[se]-魔法少女雪殇
      2年前回复
CF1.0 商城改gp-魔法少女雪殇

1CF1.0 商城改gp

魔法少女雪殇的头像-魔法少女雪殇钻石会员26天前
75
HOW TO START TEAMSPEAK-魔法少女雪殇

2HOW TO START TEAMSPEAK

魔法少女雪殇的头像-魔法少女雪殇钻石会员1个月前
82
2022祥云杯决赛 misc Twin Shadow题解-魔法少女雪殇

32022祥云杯决赛 misc Twin Shadow题解

魔法少女雪殇的头像-魔法少女雪殇钻石会员7个月前
619
StegLab QA and EXP-魔法少女雪殇

4StegLab QA and EXP

魔法少女雪殇的头像-魔法少女雪殇钻石会员8个月前
346
StegLab解答与心得记录以及问题反思-魔法少女雪殇

5StegLab解答与心得记录以及问题反思

魔法少女雪殇的头像-魔法少女雪殇钻石会员8个月前
713
LLM-CHATGLM-AI学习资料自用-魔法少女雪殇

6LLM-CHATGLM-AI学习资料自用(持续更新)

魔法少女雪殇的头像-魔法少女雪殇钻石会员9个月前
964