Played RCTF and JD CTF over the weekend. The challenges were decent, there just weren't many of them, so here is a writeup for fun.
RCTF
FindAHacker
(credit to 雪殇 for the brilliant idea)
pslist shows an idap64 process
Dump it, drag it into GIMP and fiddle with the view settings a bit
Guessed that the top and bottom halves XOR together; it turned out to be all plaintext. Wrap it in RCTF{} and done.
sec-image
Each image is split into a 40x40 grid of blocks, and the 12x14 region in the middle of each block is what matters. Every image encodes four characters; in the first one you can faintly make out the letters RCTF.
Within that region the pixels are further grouped 2x2: the top-left pixel of each group belongs to the first character, the top-right to the second, and so on.
Exp
```python
from PIL import Image

ORIGINAL_WIDTH, ORIGINAL_HEIGHT = 800, 800
SUB_IMAGE_SIZE = 20


def check_left_top(sub_image):
    # Crop the 12x14 region in the middle of the 20x20 block, sample the
    # top-left pixel of every 2x2 group and test its least significant bit.
    box = (4, 4, 16, 18)
    sub_sub_image = sub_image.crop(box)
    result = ""
    for yy in range(0, 14, 2):
        for xx in range(0, 12, 2):
            result += "1" if (sub_sub_image.getpixel((xx, yy)) % 2 == 0) else "0"
    if "0" not in result:
        return True
    return False


def check_right_top(sub_image):
    # Same as above, but the top-right pixel of each 2x2 group (second character)
    box = (4, 4, 16, 18)
    sub_sub_image = sub_image.crop(box)
    result = ""
    for yy in range(0, 14, 2):
        for xx in range(0, 12, 2):
            result += "1" if (sub_sub_image.getpixel((xx + 1, yy)) % 2 == 0) else "0"
    if "0" not in result:
        return True
    return False


def check_left_bottom(sub_image):
    # Bottom-left pixel of each 2x2 group (third character)
    box = (4, 4, 16, 18)
    sub_sub_image = sub_image.crop(box)
    result = ""
    for yy in range(0, 14, 2):
        for xx in range(0, 12, 2):
            result += "1" if (sub_sub_image.getpixel((xx, yy + 1)) % 2 == 0) else "0"
    if "0" not in result:
        return True
    return False


def check_right_bottom(sub_image):
    # Bottom-right pixel of each 2x2 group (fourth character)
    box = (4, 4, 16, 18)
    sub_sub_image = sub_image.crop(box)
    result = ""
    for yy in range(0, 14, 2):
        for xx in range(0, 12, 2):
            result += "1" if (sub_sub_image.getpixel((xx + 1, yy + 1)) % 2 == 0) else "0"
    if "0" not in result:
        return True
    return False


for pic in range(10):
    # One 40x40 output image per corner of the 2x2 group, i.e. one per character
    img_left_top = Image.new("L", (40, 40), 'white')
    img_right_top = Image.new("L", (40, 40), 'white')
    img_left_bottom = Image.new("L", (40, 40), 'white')
    img_right_bottom = Image.new("L", (40, 40), 'white')
    image = Image.open(f'./test/flag{pic}.png').convert('L')
    for y in range(0, ORIGINAL_HEIGHT, SUB_IMAGE_SIZE):
        for x in range(0, ORIGINAL_WIDTH, SUB_IMAGE_SIZE):
            box = (x, y, x + SUB_IMAGE_SIZE, y + SUB_IMAGE_SIZE)
            sub_image = image.crop(box)
            # A block whose sampled pixels are all even becomes a black pixel
            if check_left_top(sub_image):
                img_left_top.putpixel((x // 20, y // 20), 0)
            if check_right_top(sub_image):
                img_right_top.putpixel((x // 20, y // 20), 0)
            if check_left_bottom(sub_image):
                img_left_bottom.putpixel((x // 20, y // 20), 0)
            if check_right_bottom(sub_image):
                img_right_bottom.putpixel((x // 20, y // 20), 0)
    img_left_top.save(f"./out/{pic}_0_0.png")
    img_right_top.save(f"./out/{pic}_0_1.png")
    img_left_bottom.save(f"./out/{pic}_1_0.png")
    img_right_bottom.save(f"./out/{pic}_1_1.png")
```
Result
gogogo
pslist shows a pile of firefox processes, so I dumped places.sqlite and found a Baidu Netdisk link in it; the extraction code was sitting in the clipboard.
https://pan.baidu.com/s/1ZllFd8IK-oHvTCYl61_7Kw
Extraction code: cwqs
The downloaded file is named pwd=?, so search the whole memory image for pwd=, which turns up a Bilibili user's name; the password is that user's uid.
After unpacking the archive, decode the keyboard traffic; the result is as follows:
niuo ybufmefhui kjqillxdjwmi uizebuui
dvoo
udpn uibuui jqybdm vegeyisi
vemeuoll jxysgowodmnkderf dbmzfa hkhkdazi
zvjnybufme hkwjdeggma
na mimajqueviig
kyllda doqisl ba
pnynqrpn
qrxcxxzimu
Combining this with the capture's filename lqld and some "reasonable guessing", I figured it should be typed or read as a continuous string. Trying that, it turned out to be shuangpin input; typing it out by hand gives:
你说 有什么方式 看起来像加密 (You said, what kind of method looks like encryption)
是这不是 对哦 (Isn't this it? Oh right)
双拼 是不是 就有点 这个意思 (Shuangpin, isn't it, sort of like that)
这么说来 借用过我电脑的人 都没法 好好打字 (Come to think of it, nobody who borrowed my computer could type properly)
最近有什么 好玩的跟妈 那 密码就设置成 (Anything fun lately, then set the password to)
快来打 夺旗赛 吧 (Come play the capture-the-flag contest)
拼音全拼 全小写字母 (Full pinyin, all lowercase letters)
So the password is the full lowercase pinyin of 快来打夺旗赛吧, kuailaidaduoqisaiba. Unpack the archive and there is the flag. A very layered challenge, you could say.
JD CTF
flag_video_version
UDP port 12345 carries a strange protocol, same as last year.
An sdp.txt is sent at the start; a quick look tells us this is SDP, and the stream here is H.264 encoded.
Right-click the UDP stream, pick Decode As... and choose RTP, and the protocol layout becomes clearly visible.
You can also clearly see that the packets carry sequence numbers.
First extract everything:
```shell
tshark -r challenge.pcapng -T fields -Y "udp" -e data.data | sed '/^\s*$/d' > 1.txt
```
Then, following Wireshark's dissection, strip the headers and sort by sequence number:
```python
lines = open("1.txt").readlines()
packets = {}
for line in lines:
    ii = line.strip()
    seq = int(ii[4:8], 16)   # RTP sequence number: header bytes 2-3
    data = ii[24:]           # payload after the 12-byte RTP header
    packets[seq] = data
with open("out.mp4", "wb") as out:
    for i in range(1246):    # 1246 packets in this capture
        out.write(bytes.fromhex(packets[i]))
```
That yields the flag.