首页 > 其他分享 >第四届“安洵杯”网络安全挑战赛MISC-Writeup

第四届“安洵杯”网络安全挑战赛MISC-Writeup

时间:2023-06-19 22:00:57浏览次数:53  
标签:OK Writeup MISC flag NUM 安洵 https crc32 alternative



文章目录

  • 应该算是签到
  • CyzCC_loves_LOL
  • Cthulhu Mythos
  • lovemath



题目附件请自取
链接:https://pan.baidu.com/s/13TwadE6DenseIuRUNZlCKg 
提取码:rrpe

应该算是签到

第四届“安洵杯”网络安全挑战赛MISC-Writeup_2d


B站搜索直接搜索这个BV号

第四届“安洵杯”网络安全挑战赛MISC-Writeup_2d_02


直接页面Ctrl+F没找出来

搜索引擎找一下有没有通过API查弹幕的方法:https://www.bilibili.com/read/cv7923601

第四届“安洵杯”网络安全挑战赛MISC-Writeup_python_03


F12点击Network,找到这个视频的cid

第四届“安洵杯”网络安全挑战赛MISC-Writeup_3c_04


从当前时间2021-11-27开始往前找

https://api.bilibili.com/x/v2/dm/web/history/seg.so?type=1&oid=400438565&date=2021-11-27

将历史弹幕文件下载下来,选择UTF-8编码,然后查找关键字即可

第四届“安洵杯”网络安全挑战赛MISC-Writeup_python_05

D0g3{We1come_to_axbg0g0g0}

CyzCC_loves_LOL

第四届“安洵杯”网络安全挑战赛MISC-Writeup_2021安洵杯MISC_06


D0g3_LOLteampassword

HAI D0g3 code
I HAS A CODE ITZ "D0g3isthepAssword"
I HAS A MSG ITZ ""
I HAS A COUNTER ITZ 0
I HAS A NUM
IM IN YR LOOP UPPIN YR COUNTER WILE COUNTER SMALLR THAN LEN OF CODE
I HAS A C ITZ CODE!COUNTER
NUM R ORD OF C
NUM R SUM OF NUM AN -3
IZ NUM SMALLR THAN 65?, NUM R SUM OF NUM AN 26, KTHX
NUM R CHR OF NUM
MSG R SMOOSH MSG AN NUM
IM OUTTA YR LOOP
VISIBLE MSG
KTHXBYE

看不懂什么东西,猜测某种编码,搜索引擎找一下

第四届“安洵杯”网络安全挑战赛MISC-Writeup_2d_07

解码得到ez_misc.zip密码:AGdJfpqebmXpptloa

第四届“安洵杯”网络安全挑战赛MISC-Writeup_2d_08

第四届“安洵杯”网络安全挑战赛MISC-Writeup_3c_09


Program.png根据名称提示一开始以为是npiet,尝试直接编译发现不对

第四届“安洵杯”网络安全挑战赛MISC-Writeup_2d_10


后来经过查阅资料才发现Brainfuck也有一种用像素颜色表示的语言:Brainloller

上传之后点击Play,得到密码:0MTTW CWZVN!

第四届“安洵杯”网络安全挑战赛MISC-Writeup_2021安洵杯MISC_11


然后根据题目名称提示将密码中的空格换成下划线、以及jinx's_flag_in_silent.jpg的名称,直接尝试SilentEye解密

第四届“安洵杯”网络安全挑战赛MISC-Writeup_2d_12

D0g3{544f3225-bbaf-47dc-ba8d-5bda54cbaecb}

Cthulhu Mythos

第四届“安洵杯”网络安全挑战赛MISC-Writeup_3c_13


hint.mp3听一下,发现前面是泰拉瑞亚的主题曲,后面部分很明显是SSTV

第四届“安洵杯”网络安全挑战赛MISC-Writeup_2021安洵杯MISC_14


因为格式问题没法直接用QSSTVRX-SSTV的话又比较麻烦要调整电脑录音设备,就直接用Robot36听吧

网上随便找个地址:https://apkpure.com/cn/robot36-sstv-image-decoder/xdsopl.robot36

下载好传到手机上,安装,然后听就完事了,多听几遍确认信息

第四届“安洵杯”网络安全挑战赛MISC-Writeup_2d_15

>>> from base64 import *
>>> b32decode('MRPVI4TZL5KGK4TSGRZGSYJBPU======')
b'd_Try_Terr4ria!}'

The Evil Watcher.wld

第四届“安洵杯”网络安全挑战赛MISC-Writeup_python_16

关于泰拉瑞亚地图编辑器

使用TerraMap打开The Evil Watcher.wldPlayers->All Spoilers

第四届“安洵杯”网络安全挑战赛MISC-Writeup_2d_17


Sets->Chests找宝箱

第四届“安洵杯”网络安全挑战赛MISC-Writeup_2021安洵杯MISC_18


在地面上找到四个Class Chest

第四届“安洵杯”网络安全挑战赛MISC-Writeup_3c_19

IQYGOM33

第四届“安洵杯”网络安全挑战赛MISC-Writeup_python_20

JUYW4ZLD

第四届“安洵杯”网络安全挑战赛MISC-Writeup_3c_21

KI2GM5C

第四届“安洵杯”网络安全挑战赛MISC-Writeup_2021安洵杯MISC_22


总共四部分,前三部分为:IQYGOM33JUYW4ZLDKI2GM5C Base32

第四届“安洵杯”网络安全挑战赛MISC-Writeup_2021安洵杯MISC_23


第四部分可以使用TEdit打开The Evil Watcher.wld

第四届“安洵杯”网络安全挑战赛MISC-Writeup_2021安洵杯MISC_24


在这个位置找到第四部分

第四届“安洵杯”网络安全挑战赛MISC-Writeup_2d_25

7I4YF6QLO

最终得到的base32为:IQYGOM33JUYW4ZLDKI2GM5C7I4YF6QLO

第四届“安洵杯”网络安全挑战赛MISC-Writeup_3c_26


最终flag

D0g3{M1necR4ft_G0_And_Try_Terr4ria!}

lovemath

第四届“安洵杯”网络安全挑战赛MISC-Writeup_3c_27

hint: not blindwater but you can search it

crc32爆破

第四届“安洵杯”网络安全挑战赛MISC-Writeup_2021安洵杯MISC_28

-------------Filename CRC Info-------------
[+] flag.zip: 0xc38199da
[+] flag_01.txt: 0xa430239a
[+] flag_02.txt: 0xf81abecd
[+] flag_03.txt: 0x2a75b14e
[+] flag_04.txt: 0x2d2c423c
[+] flag_05.txt: 0xd9e12803
-------------------------------------------
PS D:\Tools\Misc\crc32> python .\crc32.py reverse 0xa430239a
4 bytes: {0x56, 0x34, 0xbc, 0x00}
verification checksum: 0xa430239a (OK)
alternative: 3RAsk0 (OK)
alternative: 5jYl3N (OK)
alternative: ANz4c9 (OK)
alternative: DViXxW (OK)
alternative: EJg5bZ (OK)
alternative: JE94EM (OK)
alternative: JYvhDY (OK)
alternative: O1YuZg (OK)
alternative: R3ix8v (OK)
alternative: _lAJB8 (OK)
alternative: dYZaCR (OK)
alternative: mOBoUw (OK)
alternative: pMrb7f (OK)
alternative: qlmCE3 (OK)
alternative: sq6Mub (OK)
alternative: th1s_I (OK)
alternative: uhpBDP (OK)
PS D:\Tools\Misc\crc32> python .\crc32.py reverse 0xf81abecd
4 bytes: {0xf6, 0x44, 0x6a, 0xcc}
verification checksum: 0xf81abecd (OK)
alternative: 5XyM2J (OK)
alternative: 9kccWY (OK)
alternative: DdIyyS (OK)
alternative: MrQwov (OK)
alternative: ONTi6k (OK)
alternative: RLddTz (OK)
alternative: s_Y0ur (OK)
alternative: uZPcET (OK)
PS D:\Tools\Misc\crc32> python .\crc32.py reverse 0x2a75b14e
4 bytes: {0x39, 0x11, 0xcc, 0x5b}
verification checksum: 0x2a75b14e (OK)
alternative: 0njyYo (OK)
alternative: 4Wf40T (OK)
alternative: 7wmGsD (OK)
alternative: 8x3FTS (OK)
alternative: 9xrwOJ (OK)
alternative: Cn_SKk (OK)
alternative: KdI0GC (OK)
alternative: R_upLi (OK)
alternative: S3GlS4 (OK)
alternative: S_4AWp (OK)
alternative: UFrNfB (OK)
alternative: W7ZmRW (OK)
alternative: _pa33w (OK)
alternative: caljpn (OK)
alternative: d5Fi7M (OK)
alternative: dxkTZE (OK)
alternative: jwtdfK (OK)
alternative: ln2kWy (OK)
alternative: rPFIwl (OK)
alternative: w8iTiR (OK)
alternative: x77UNE (OK)
PS D:\Tools\Misc\crc32> python .\crc32.py reverse 0x2d2c423c
4 bytes: {0x78, 0x6b, 0xc3, 0x45}
verification checksum: 0x2d2c423c (OK)
alternative: 0rd_We (OK)
alternative: 1nj2Mh (OK)
alternative: BSNT74 (OK)
alternative: CrQuEa (OK)
alternative: DkVKoJ (OK)
alternative: FWSU6W (OK)
alternative: P2Suvv (OK)
alternative: Sbdw06 (OK)
alternative: Wfyv1U (OK)
alternative: ZIm5NK (OK)
alternative: dderTO (OK)
alternative: jkzBhA (OK)
alternative: rLHoyf (OK)
alternative: uUOQSM (OK)
PS D:\Tools\Misc\crc32> python .\crc32.py reverse 0xd9e12803
4 bytes: {0x9f, 0x48, 0x0c, 0x36}
verification checksum: 0xd9e12803 (OK)
alternative: 1c0m3e (OK)
alternative: 2_tBqa (OK)
alternative: 3_5sjx (OK)
alternative: 98DoSQ (OK)
alternative: A_Ahce (OK)
alternative: FFFVIN (OK)
alternative: J8qEAU (OK)
alternative: K80tZL (OK)
alternative: NLP5Ef (OK)
alternative: PnkKdg (OK)
alternative: Rs0ET6 (OK)
alternative: WwluNL (OK)
alternative: YxsErB (OK)
alternative: ZD7j0F (OK)
alternative: ZXx61R (OK)
alternative: _a5JCp (OK)
alternative: fIuorK (OK)
alternative: hFj_NE (OK)
alternative: iZd2TH (OK)
alternative: o_madn (OK)
alternative: paXr_b (OK)
alternative: wx_LuI (OK)
PS D:\Tools\Misc\crc32>

得到密码:th1s_Is_Y0ur_pa33w0rd_We1c0m3e

blind.png存在LSB隐写PNG内容

第四届“安洵杯”网络安全挑战赛MISC-Writeup_2021安洵杯MISC_29


保存下来使用010Editor将前面的几个干扰字节去掉,得到图片

第四届“安洵杯”网络安全挑战赛MISC-Writeup_2021安洵杯MISC_30


图片OCR:https://www.onlineocr.net/zh_hant/

1251077695482776025338577125579215707216262981842821000162276994967943212822693842845266851984880336702446444408289977864567921038435144120176357529686342977212633764247620567669441602729004003473312468776582473461071462631554533766709934484393185739708817165738912742570170547790145328253304755428563911689057632001795598667127514331122190795355921436735375126688142856470280128821316586008242687241930886868804388482643589009068543771977163419519208340324352

根据题目给出的提示画出自己;需要用到一种叫塔珀自指公式(Tupper's self-referential formula)的公式


K的值换成上面的数字即可

"""
Plot Tupper's self-referential formula
"""
import textwrap
import matplotlib.pyplot as plt

K = 1251077695482776025338577125579215707216262981842821000162276994967943212822693842845266851984880336702446444408289977864567921038435144120176357529686342977212633764247620567669441602729004003473312468776582473461071462631554533766709934484393185739708817165738912742570170547790145328253304755428563911689057632001795598667127514331122190795355921436735375126688142856470280128821316586008242687241930886868804388482643589009068543771977163419519208340324352

H = 17
W = 106

if __name__ == "__main__":
    plt.figure(figsize=(6.8, 4), dpi=600)
    plt.axis("scaled")

    K_ = K//17
    for x in range(W):
        for y in range(H):
            if K_ & 1:
                plt.bar(x+0.5, bottom=y, height=1,
                        width=1, linewidth=0, color="black")
            K_ >>= 1

    plt.figtext(0.5, 0.8, r"$\frac{1}{2}<\left\lfloor \operatorname{mod}\left(\left\lfloor\frac{y}{%d}\right\rfloor 2^{-%d\lfloor x\rfloor-\operatorname{mod}(\lfloor y\rfloor, %d)}, 2\right)\right\rfloor$" % (H, H, H), ha="center", va="bottom", fontsize=18)
    plt.subplots_adjust(top=0.8, bottom=0.5)
    K_str = textwrap.wrap(str(K), 68)
    K_str[0] = f"K={K_str[0]}"
    for i in range(1, len(K_str)):
        K_str[i] = f"  {K_str[i]}".ljust(70)
    K_str = "\n".join(K_str)
    plt.figtext(0.5, 0.45, K_str, fontfamily="monospace", ha="center", va="top")

    plt.xlim((0, W))
    plt.ylim((0, H))
    xticks = list(range(0, W+1))
    xlabels = ["" for i in xticks]
    xlabels[0] = "0"
    xlabels[-1] = str(W)
    plt.xticks(xticks, xlabels)
    yticks = list(range(0, H+1))
    ylabels = ["" for i in yticks]
    ylabels[0] = "K"
    ylabels[-1] = f"K+{H}"
    plt.yticks(yticks, ylabels)
    plt.grid(b=True, linewidth=0.5)

    # plt.show()
    plt.savefig("Tupper-plot.png")
    # plt.savefig(fname="name", format="svg")

第四届“安洵杯”网络安全挑战赛MISC-Writeup_2d_31

D0g3{I_Lov3_math}


标签:OK,Writeup,MISC,flag,NUM,安洵,https,crc32,alternative
From: https://blog.51cto.com/u_16159500/6517899

相关文章

  • 第一届赣网杯网络安全大赛 2020GW-CTF Misc_Writeup
    目录签到CheckinfaceDestroyJavaHidepig签到Checkinflag{welc0me_to_ganwangbei}faceLennyfuckinterpreterhttps://github.com/Knorax/Lennyfuck_interpreter跟着对照表替换即可++++++++++[->++++++++++<]>++.++++++.<+++[->---<]>--.++++++.<++++[->++++<......
  • BUUCTF NewStarCTF 公开赛赛道Week2 Writeup
    文章目录WEEK2WEBWord-For-You(2Gen)IncludeOneUnserializeOneezAPIMISCYesecnodrumsticks2Coldwinds'sDesktop奇怪的二维码qsdz'sgirlfriend2WEEK2WEBWord-For-You(2Gen)题目描述哇哇哇,我把查询界面改了,现在你们不能从数据库中拿到东西了吧哈哈(不过为了调试的代码似乎忘......
  • 收录CTF MISC方向中使用的在线工具网站
    文章目录说明集成工具站编码/解码Base家族Base64Base62Base58Base32Base85Base91Base92Base100进制编码十六进制编码八进制编码二进制编码摩尔斯电码URL编码Unicode编码敲击码/Tapcode社会主义价值观编码与佛论禅&新佛曰论禅与熊论道Brainfuck&Ook!Jsfuck盲文编码Emoji&emoji-aes......
  • 2020祥云杯网络安全大赛 MISC Writeup
    文章目录签到进制反转到点了xixixi带音乐家CharlesSensor签到PSC:\Users\Administrator>php-r"var_dump(base64_decode('ZmxhZ3txcV9ncm91cF84MjY1NjYwNDB9'));"string(24)"flag{qq_group_826566040}"进制反转题目描述:电脑中到底使用的是什么进制呢?真是麻烦,有时候还是手机......
  • 2020全国大学生网安邀请赛暨第六届上海市大学生网安大赛Misc-Writeup
    文章目录签到pcappcapanalysis可乐加冰除了签到所有Misc题以上线到BMZCTF平台方便大家复现BMZCTF:http://bmzclub.cn/challenges签到{echo,ZmxhZ3t3MzFjMG1lNX0=}|{base64,-d}|{tr,5,6}Linux下直接运行即可flag{w31c0me6}pcapchallenge2.pcapng根据提示查看dnp3协议,以长度为排......
  • 2020 第四届强网杯 线上赛Misc_Writeup
    目录upload签到问卷调查miscstudyupload下载附件,打开是流量包文件,wireshark打开查看http的包,追踪一下很明显是POST上传的图片File->ExportObject->HTTP...将文件Saveall保存出来,得到如下:%5c有提示steghide隐藏steghide.php用notepad++打开去掉前面这四行,保存修改后缀为jpg或......
  • 2022DASCTF Apr X FATE 防疫挑战赛 Writeup
    文章目录[MISC]SimpleFlow[MISC]熟悉的猫[MISC]冰墩墩[MISC]SimpleFlow首先tcp.streameq50中分析传入的执行命令的变量是$s,也就是参数substr($_POST["g479cf6f058cf8"],2)找到对应的参数,然后去掉前面两位字符解码即可cd"/Users/chang/Sites/test";zip-PPaSsZiPWorDfl......
  • 第四届“强网”拟态防御国际精英挑战赛MISC-mirror
    题目附件请自取链接:https://pan.baidu.com/s/18K00ClgwJsqmKphPmqMpHw提取码:6r3jfull.png使用010Editor打开出现CRC校验报错,猜测需要修复宽高,其次发现了文件末尾附加了镜像翻转的png字节流数据将附加数据提取出来另存为png文件,通过分析不难发现将字节流数据逆序然后每十六个字......
  • BMZCTF:2018 安洵杯 boooooom
    http://bmzclub.cn/challenges#2018%20%E5%AE%89%E6%B4%B5%E6%9D%AF%20boooooomhappy.zip有密码使用ARCHPR尝试掩码爆破四位数字happy.zip密码:3862解压password.pyimportbase64importhashlibf=open("password.txt",'r')password=f.readline()b64_str=base64.b......
  • BMZCTF:misc_bbmpp
    http://bmzclub.cn/challenges#misc_bbmpp首先根据提示我们需要爆破压缩包的密码,6位纯数字得到压缩包密码:333520解压得到bbmppp观察整个文件头格式,判断这里应该只是去掉了文件头类型(2字节)和文件大小(4字节)根据当前整个文件大小为80736计算原文件大小为80742十六进制为13B66......