一、阳光开朗大男孩

1.题目给出了secret.txt和flag.txt两个文件，secret.txt内容如下：

法治自由公正爱国公正敬业法治和谐平等友善敬业法治富强公正民主法治和谐法治和谐法治法治公正友善敬业法治文明公正自由平等诚信平等公正敬业法治和谐平等友善敬业法治和谐和谐富强和谐富强和谐富强平等友善敬业公正爱国和谐自由法治文明公正自由平等友善敬业法治富强和谐自由法治和谐法治和谐法治和谐法治法治和谐富强法治文明公正自由公正自由公正自由公正自由

在 http://www.atoolbox.net/Tool.php?Id=850 进行社会主义核心价值观解密后可以得到：

this_password_is_s000_h4rd_p4sssw0rdddd

得到一个Key，结合flag.txt中的emoji表情可以推断出flag.txt使用了emoji-AES加密。

在 https://aghorler.github.io/emoji-aes/ 进行emoji-AES解密，key为s000_h4rd_p4sssw0rdddd，得到Flag：

二、大怨种

1.题目给出gif图片，编写一个脚本提取出gif的每一帧图片：

from PIL import Image
import os

def extract_frames(gif_path, output_dir):    
    gif = Image.open(gif_path)    
    os.makedirs(output_dir, exist_ok=True)    
    try:        
        while True:            
            current_frame = gif.tell()            
            output_path = os.path.join(output_dir, f"frame_{current_frame}.png")            				             gif.save(output_path, "PNG")            
            gif.seek(current_frame + 1)    
        except EOFError:        
            pass    

        print("提取完成！")

gif_path = "1.gif"
output_dir = "./res/"
extract_frames(gif_path, output_dir)

其中有一帧图像是这样的：

左上角的是汉信码，可以在 https://tuzim.net/hxdecode/ 在线扫描，扫描后得到Flag：

三、2-分析

题目描述如下：

1.Flag由三个信息构成：登录用户名、存在漏洞的文件名、写入的WebShell文件名。

根据我们的常识，一般登录请求都是POST方式的请求，因此可以先过滤出所有的POST请求：

http && http.request.method == POST

可以看到有一个发送给/api/action/login.php的POST请求中有username和password字段：

由此推断出登录的用户名为best_admin。

2.其次是存在漏洞的文件名和WebShell文件名，可以看到有大量的目录扫描流量，先使用WireShark过滤器过滤掉响应状态码为404的响应：

http && http.response.code != 404

对剩下的流量进行分析，关注到1267号流量响应比较奇怪：

很明显存在WebShell，追踪该流。

由此可以得到剩下的两个信息，index.php文件的page参数存在任意文件包含漏洞，攻击者通过这个漏洞包含pearcmd.php向服务器中写入了名为wh1t3g0d.php的WebShell。

而后续的流量也可以看到攻击者是利用wh1t3g0d.php这个Shell执行了一些系统命令：

由此得到Flag明文：best_admin_index.php_wh1t3g0d.php

整体md5后包裹flag{}得到最终flag：flag{4069afd7089f7363198d899385ad688b}

四、键盘侠

1.打开题目发现是USB流量，结合题目名猜测是键盘流量，使用WireShark过滤器过滤出所有的键盘流量，然后导出保存为res.pcapng：

usb.src =="1.15.1"

使用tshark命令对流量数据进行提取并去除空行：

tshark -r res.pcapng -T fields -e usb.capdata | sed '/^\s*$/d' > usbdata.txt

导出后使用以下脚本进行按键信息提取：

normalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e", "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j", "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o", "13":"p", "14":"q", "15":"r", "16":"s", "17":"t", "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y", "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4", "22":"5", "23":"6","24":"7","25":"8","26":"9","27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"t","2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\","32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".","38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
shiftKeys = {"04":"A", "05":"B", "06":"C", "07":"D", "08":"E", "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J", "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O", "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T", "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y", "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$", "22":"%", "23":"^","24":"&","25":"*","26":"(","27":")","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"t","2c":"<SPACE>","2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":"\"","34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
nums = []
keys = open('usbdata.txt')
for line in keys:
    if len(line)!=17:
        continue
    nums.append(line[0:2]+line[4:6])
keys.close()
output = ""
for n in nums:
    if n[2:4] == "00" :
        continue
    if n[2:4] in normalKeys:
        if n[0:2]=="02":
            output += shiftKeys [n[2:4]]
        else :
            output += normalKeys [n[2:4]]
    else:
        output += '[unknown]'
print('output :n' + output)

得到如下结果：

nw3lc0m3<SPACE>to<SPACE>newstar<SPACE>ctf<SPACE>2023<SPACE>flag<SPACE>is<SPACE>here<SPACE>vvvvbaaaasffjjwwwwrrissgggjjaaasdddduuwwwwwwwwiiihhddddddgggjjjjjaa1112333888888<ESC><ESC>2hhxgbffffbbbnnat<CAP><CAP>ff<DEL>lll<DEL><DEL>aaa<DEL><DEL>gggg<DEL><DEL><DEL>{999<DEL><DEL>999<DEL><DEL>11<DEL>9aaa<DEL><DEL><SPACE><SPACE><DEL><DEL>eb2---<DEL><DEL>a450---<DEL><DEL>2f5f<SPACE><SPACE><SPACE><DEL><DEL><DEL>--<DEL>7bfc[unknown][unknown][unknown]-8989<DEL><DEL>dfdf<DEL><DEL>4bfa4bfa<DEL><DEL><DEL><DEL>85848584}}}<DEL><DEL><DEL><DEL><DEL><DEL><DEL>}]<SPACE><SPACE><SPACE><SPACE>nice<SPACE>work!1yyoou<SPACE>ggot<SPACE>tthhis<SPACE>fllag

<DEL>表示删除，<SPACE>表示空格，根据这个按键顺序对数据进行处理后得到flag：

flag{9919aeb2-a450-2f5f-7bfc-89df4bfa8584}

五、滴滴滴

1.题目给出一个wav文件和一个jpg文件，其中wav文件听起来像是拨号音，利用dtmf2num工具进行拨号音识别：

得到拨号音的内容为：

52563319066

结合题目简介的提示，这串数字应该是某处使用的密码，因此可以尝试steghide工具来对jpg图片进行隐写内容提取：

得到一个txt文件，打开即是Flag：

六、Include

标签：__,NewStarCTF,url,thirdweek,3A%,public,flag,22%
From： https://www.cnblogs.com/sbhglqy/p/18106467