Huxiang Cup 2020 Misc

Hxb2020 misc

Misc1

Open the capture in Wireshark: File - Export Objects - HTTP, then Save All

Open index-demo.html and view its source: there is a large block of base64

KO+9oe+9peKIgO+9pSnvvonvvp7ll6hIaX4gCm==
KO+8oF/vvKA7KSjvvKBf77ygOyko77ygX++8oDspCr==	      	 	      	    
KCtfKyk/KOOAgj7vuL88KV/OuCjjgII+77i/PClfzrgK
......

Base64-decoding it gives:

(。・∀・)ノ゙嗨Hi~ 
(@_@;)(@_@;)(@_@;)
(+_+)?(。>︿<)_θ(。>︿<)_θ
o(* ̄▽ ̄*)ブ゜
<(^-^)>(╯▽╰ )好香~~
ヽ(✿゚▽゚)ノ(@^0^)
......

I assumed this was kaomoji (aaencode) encoding, but aadecode produced nothing.

Only after the contest did I learn that it is base64 steganography: save the base64 lines to a txt file and decode them with a script.

import base64


def get_base64_diff_value(s1, s2):
    # Distance between the first differing symbol of the stego line (s1) and the
    # normally re-encoded line (s2); that difference is the hidden bit value.
    base64chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
    res = 0
    for i in range(len(s2)):
        if s1[i] != s2[i]:
            return abs(base64chars.index(s1[i]) - base64chars.index(s2[i]))
    return res


def solve_stego():
    with open('E:\\Desktop\\1.txt', 'r') as f:
        file_lines = f.readlines()
        bin_str = ''
        for line in file_lines:
            steg_line = line.strip()
            # Decode and re-encode: a normal encoder leaves the unused padding bits at zero
            norm_line = base64.b64encode(base64.b64decode(steg_line)).decode()
            diff = get_base64_diff_value(steg_line, norm_line)
            print(diff)
            pads_num = steg_line.count('=')   # one '=' hides 2 bits, two '=' hide 4 bits
            if diff:
                bin_str += bin(diff)[2:].zfill(pads_num * 2)
            else:
                bin_str += '0' * pads_num * 2
            print(goflag(bin_str))


def goflag(bin_str):
    # Group the collected bits into 8-bit characters
    res_str = ''
    for i in range(0, len(bin_str), 8):
        res_str += chr(int(bin_str[i:i + 8], 2))
    return res_str


if __name__ == '__main__':
    solve_stego()

Output: key:"lorrie"
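The following is an added example, not the writeup's script or the linked article's code, that shows the mechanism end to end: a normal base64 encoder leaves the low 2 bits (one "=") or 4 bits (two "=") of the last data symbol at zero, so a stego encoder can set them and a lenient decoder still returns the cover text unchanged. The cover lines and the secret are constructed.

```python
import base64

B64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'


def embed(cover_lines, bits):
    """Hide `bits` in the unused low bits of the last data symbol of each padded base64 line."""
    out, pos = [], 0
    for raw in cover_lines:
        enc = base64.b64encode(raw).decode()
        pads = enc.count('=')
        if pads == 0 or pos >= len(bits):      # a line without '=' has no free bits
            out.append(enc)
            continue
        n = pads * 2                           # one '=' frees 2 bits, two '=' free 4 bits
        chunk = bits[pos:pos + n].ljust(n, '0')
        pos += n
        sym = B64.index(enc[-pads - 1]) | int(chunk, 2)   # a normal encoder left those bits zero
        out.append(enc[:-pads - 1] + B64[sym] + '=' * pads)
    return out


def extract(stego_lines):
    """Inverse of embed: read the low 2*pads bits of the last data symbol of each padded line."""
    bits = ''
    for line in stego_lines:
        line = line.strip()
        pads = line.count('=')
        if pads:
            sym = B64.index(line[-pads - 1])
            bits += format(sym & ((1 << (pads * 2)) - 1), '0%db' % (pads * 2))
    return bits


def bits_to_text(bits):
    """Pack whole 8-bit groups into characters; a trailing partial byte is dropped."""
    return ''.join(chr(int(bits[i:i + 8], 2)) for i in range(0, len(bits) - len(bits) % 8, 8))


def cover_unchanged(stego_lines, cover_lines):
    """Decoders discard the padding bits, so the stego lines still decode to the cover text."""
    return [base64.b64decode(s) for s in stego_lines] == list(cover_lines)


# Constructed cover text (ASCII kaomoji lines, most of which need padding) and a constructed secret.
COVER = [b'(@_@;)(@_@;) Hi~', b'o(*_*)b', b'<(^-^)>', b'(+_+)?', b'(^0^)/', b'(T_T)', b'\\(^o^)/', b'(-_-)zzz']
SECRET_BITS = ''.join(format(ord(c), '08b') for c in 'Hi')

if __name__ == '__main__':
    stego = embed(COVER, SECRET_BITS)
    print(bits_to_text(extract(stego)))   # Hi
```

Because the hidden bits never change what the line decodes to, the only tell is that the re-encoded line differs from the original, which is exactly the comparison the script above makes.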

There is a further layer: SNOW whitespace steganography

snow>SNOW.EXE -p lorrie D:\CTF\湖湘杯2020\Misc\1\index-demo.html
flag{→_→←_←←_←←_←←_← →_→→_→←_←←_←←_← →_→←_←←_←←_← ←_←←_←←_←→_→→_→ ←_←←_←←_←→_→→_→ ←_← ←_←←_←←_←→_→→_→ →_→→_→→_→→_→←_← →_→←_←←_←←_← ←_←←_←←_←←_←←_← ←_←→_→→_→→_→→_→ →_→→_→→_→→_→→_→ ←_←←_←←_←←_←←_← ←_←←_←→_→←_← →_→←_←←_←←_← ←_←←_←←_←←_←→_→ ←_←→_→ ←_←←_←→_→→_→→_→ →_→→_→→_→→_→←_← ←_←←_←←_←←_←←_← ←_←←_←←_←→_→→_→ ←_←→_→ →_→→_→→_→→_→→_→ →_→←_←→_→←_← ←_← →_→→_→←_←←_←←_← →_→→_→→_→→_→←_← →_→←_←→_→←_← ←_←←_←←_←→_→→_→ ←_←←_←←_←→_→→_→ →_→→_→←_←←_←←_← →_→→_→→_→←_←←_←}
# -*- coding:utf-8 -*-
# For commercial use, please contact the author for authorization. For non-commercial use, please indicate the source.
# License: CC BY-NC-SA 4.0 (Attribution-NonCommercial-ShareAlike 4.0 International)
# Author: Snowywar
# URL: http://snowywar.top/wordpress/index.php/2020/11/02/hxbwriteup/
# Source: 魔法少女雪殇

import re

# The arrow string recovered by SNOW; each space-separated word is one Morse letter
answer = '→_→←_←←_←←_←←_← →_→→_→←_←←_←←_← →_→←_←←_←←_← ←_←←_←←_←→_→→_→ ←_←←_←←_←→_→→_→ ←_← ←_←←_←←_←→_→→_→ →_→→_→→_→→_→←_← →_→←_←←_←←_← ←_←←_←←_←←_←←_← ←_←→_→→_→→_→→_→ →_→→_→→_→→_→→_→ ←_←←_←←_←←_←←_← ←_←←_←→_→←_← →_→←_←←_←←_← ←_←←_←←_←←_←→_→ ←_←→_→ ←_←←_←→_→→_→→_→ →_→→_→→_→→_→←_← ←_←←_←←_←←_←←_← ←_←←_←←_←→_→→_→ ←_←→_→ →_→→_→→_→→_→→_→ →_→←_←→_→←_← ←_← →_→→_→←_←←_←←_← →_→→_→→_→→_→←_← →_→←_←→_→←_← ←_←←_←←_←→_→→_→ ←_←←_←←_←→_→→_→ →_→→_→←_←←_←←_← →_→→_→→_→←_←←_←'
tmp = ""
answer = answer.split(" ")
print(answer)
for element in answer:
    # Every arrow glyph is three characters wide (→_→ or ←_←), so cut the word into 3-char chunks
    s = re.findall(r'.{3}', element)
    for ele in s:
        if ele == '→_→':
            tmp += "-"
        if ele == '←_←':
            tmp += "."
    tmp += '/'
print(tmp)

#['→_→←_←←_←←_←←_←', '→_→→_→←_←←_←←_←', '→_→←_←←_←←_←', '←_←←_←←_←→_→→_→', '←_←←_←←_←→_→→_→', '←_←', '←_←←_←←_←→_→→_→', '→_→→_→→_→→_→←_←', '→_→←_←←_←←_←', '←_←←_←←_←←_←←_←', '←_←→_→→_→→_→→_→', '→_→→_→→_→→_→→_→', '←_←←_←←_←←_←←_←', '←_←←_←→_→←_←', '→_→←_←←_←←_←', '←_←←_←←_←←_←→_→', '←_←→_→', '←_←←_←→_→→_→→_→', '→_→→_→→_→→_→←_←', '←_←←_←←_←←_←←_←', '←_←←_←←_←→_→→_→', '←_←→_→', '→_→→_→→_→→_→→_→', '→_→←_←→_→←_←', '←_←', '→_→→_→←_←←_←←_←', '→_→→_→→_→→_→←_←', '→_→←_←→_→←_←', '←_←←_←←_←→_→→_→', '←_←←_←←_←→_→→_→', '→_→→_→←_←←_←←_←', '→_→→_→→_→←_←←_←']

#-..../--.../-.../...--/...--/./...--/----./-.../...../.----/-----/...../..-./-.../....-/.-/..---/----./...../...--/.-/-----/-.-././--.../----./-.-./...--/...--/--.../---../

Decoding the Morse code gives 67B33E39B5105FB4A2953A0CE79C3378

flag: 67b33e39b5105fb4a2953a0ce79c3378
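Added example (not from the writeup or Snowywar's script) that carries the arrow string all the way to the flag: glyphs to dots and dashes, then a standard International Morse table; it assumes, as the output above shows, that each space-separated word is one letter.

```python
import re

# Standard Morse table for letters and digits; the flag here is hex, so only 0-9 and A-F are hit.
MORSE = {
    '.-': 'A', '-...': 'B', '-.-.': 'C', '-..': 'D', '.': 'E', '..-.': 'F', '--.': 'G',
    '....': 'H', '..': 'I', '.---': 'J', '-.-': 'K', '.-..': 'L', '--': 'M', '-.': 'N',
    '---': 'O', '.--.': 'P', '--.-': 'Q', '.-.': 'R', '...': 'S', '-': 'T', '..-': 'U',
    '...-': 'V', '.--': 'W', '-..-': 'X', '-.--': 'Y', '--..': 'Z',
    '-----': '0', '.----': '1', '..---': '2', '...--': '3', '....-': '4',
    '.....': '5', '-....': '6', '--...': '7', '---..': '8', '----.': '9',
}
GLYPH = {'→_→': '-', '←_←': '.'}

# The arrow string that SNOW extracted in the writeup above.
ARROWS = '→_→←_←←_←←_←←_← →_→→_→←_←←_←←_← →_→←_←←_←←_← ←_←←_←←_←→_→→_→ ←_←←_←←_←→_→→_→ ←_← ←_←←_←←_←→_→→_→ →_→→_→→_→→_→←_← →_→←_←←_←←_← ←_←←_←←_←←_←←_← ←_←→_→→_→→_→→_→ →_→→_→→_→→_→→_→ ←_←←_←←_←←_←←_← ←_←←_←→_→←_← →_→←_←←_←←_← ←_←←_←←_←←_←→_→ ←_←→_→ ←_←←_←→_→→_→→_→ →_→→_→→_→→_→←_← ←_←←_←←_←←_←←_← ←_←←_←←_←→_→→_→ ←_←→_→ →_→→_→→_→→_→→_→ →_→←_←→_→←_← ←_← →_→→_→←_←←_←←_← →_→→_→→_→→_→←_← →_→←_←→_→←_← ←_←←_←←_←→_→→_→ ←_←←_←←_←→_→→_→ →_→→_→←_←←_←←_← →_→→_→→_→←_←←_←'


def arrows_to_morse(s):
    """Each space-separated word is one letter; each 3-character glyph is one dot or dash."""
    words = []
    for word in s.split(' '):
        glyphs = re.findall(r'[→←]_[→←]', word)
        words.append(''.join(GLYPH.get(g, '?') for g in glyphs))
    return '/'.join(words)


def morse_to_text(morse):
    """Decode '/'-separated Morse letters; an unknown code becomes '?' rather than raising."""
    return ''.join(MORSE.get(code, '?') for code in morse.split('/') if code)


def decode_arrow_flag(s):
    return morse_to_text(arrows_to_morse(s))


if __name__ == '__main__':
    print(arrows_to_morse(ARROWS))
    print(decode_arrow_flag(ARROWS))   # 67B33E39B5105FB4A2953A0CE79C3378
```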

Related reading: The Magic of Base64 Steganography; Base64 Steganography

Misc2

volatility -f WIN-BU6IJ7FI9RU-20190927-152050.raw imageinfo
volatility -f WIN-BU6IJ7FI9RU-20190927-152050.raw --profile=Win7SP1x86 hashdump
Volatility Foundation Volatility Framework 2.4
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CTF:1000:aad3b435b51404eeaad3b435b51404ee:0a640404b5c386ab12092587fe19cd02:::
# Last two hash fields: empty password : password
An MD5 lookup of 0a640404b5c386ab12092587fe19cd02 gives: qwer1234
flag: sha1(qwer1234) = db25f2fc14cd2d2b1e7af307241f548fb03c312a

Misc3

Repair the zip with WinRAR, extract mingwen - 副本.txt, and pack mingwen - 副本.txt into a zip with WinRAR.

Delete flag.txt from the repaired zip, then run a plaintext attack on the repaired zip with ARCHPR, choosing the mingwen - 副本 zip as the plaintext.

Password: 123%asd!O (trying to extract flag.txt on its own did not succeed)

Only the case of 5 is needed; skip straight to it:
ffd5e341le25b2dcab15cbb}gc3bc5b{789b51

Rail fence decryption gives:

flag{febc7d2138555b9ebccb32b554dbb11c}
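Added example (not the tool or code the writeup used): this fence variant writes the text in rows of n characters and reads it back column by column, so decrypting the ciphertext above with n = 5 recovers the flag; the brute-force helper shows how n is found without the hint. The marker string flag{ is an assumption.

```python
def fence_decrypt(ciphertext, n):
    """Undo the 'write in rows of n, read down the columns' fence for a text of any length.
    The first len % n columns are one character longer than the rest."""
    length = len(ciphertext)
    rows, extra = divmod(length, n)
    columns, pos = [], 0
    for col in range(n):
        size = rows + (1 if col < extra else 0)
        columns.append(ciphertext[pos:pos + size])
        pos += size
    # Row i of the plaintext is the i-th character of every column that is long enough.
    return ''.join(col[i] for i in range(rows + 1) for col in columns if i < len(col))


def fence_encrypt(plaintext, n):
    """Write the text in rows of n characters and read it back column by column."""
    return ''.join(plaintext[col::n] for col in range(n))


def fence_bruteforce(ciphertext, marker='flag{'):
    """Try every group size and keep the ones whose output contains the flag marker."""
    hits = {}
    for n in range(2, len(ciphertext)):
        candidate = fence_decrypt(ciphertext, n)
        if marker in candidate:
            hits[n] = candidate
    return hits


# Ciphertext from the writeup above.
CIPHERTEXT = 'ffd5e341le25b2dcab15cbb}gc3bc5b{789b51'

if __name__ == '__main__':
    print(fence_decrypt(CIPHERTEXT, 5))   # flag{febc7d2138555b9ebccb32b554dbb11c}
    print(fence_bruteforce(CIPHERTEXT))
```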

Related reading: Plaintext attacks on compressed archives (misc)

Misc4

volatility -f 1.vmem imageinfo
volatility -f 1.vmem --profile=Win2003SP1x86 hashdump
volatility -f 1.vmem --profile=Win2003SP1x86 filescan | grep .txt
volatility -f 1.vmem --profile=Win2003SP1x86 dumpfiles -Q 0x000000000412cde0 --dump-dir=.

Open the dumped file.txt with Notepad on Windows:
What? The computer was logged into by an unknown account again? This user does not exist in Computer Management, so why can it still log in? Can you, sitting in front of the computer, help me find the reason? The flag is the md5 of that user's username and password.

Format: md5(username:password)

https://blog.csdn.net/q851579181q/article/details/109454629


Reference links:

A Journey into Memory Forensics

2020 Huxiang Cup MISC complete writeup

Other challenges: 2020 Huxiang Cup partial writeup; Huxiang Cup joint writeup with 魔法少女; 2020 Huxiang Cup partial writeup

posted @ 2020-11-03 17:35 by 凯在想peach