{"id":294,"date":"2024-01-28T20:50:39","date_gmt":"2024-01-28T12:50:39","guid":{"rendered":"https:\/\/zysgmzb.club\/?p=294"},"modified":"2024-01-28T20:50:39","modified_gmt":"2024-01-28T12:50:39","slug":"realworldctf-6th-longrange2-%e9%a2%98%e8%a7%a3","status":"publish","type":"post","link":"https:\/\/zysgmzb.club\/index.php\/archives\/294","title":{"rendered":"RealWorldCTF 6th LongRange2 \u9898\u89e3"},"content":{"rendered":"
\n

\u7b97\u662f\u5f25\u8865\u4e86\u53bb\u5e74\u7684\u9057\u61be\u4e86<\/p>\n<\/blockquote>\n

\u53bb\u5e74\u7684Long Range 1 \u7684 wp<\/a><\/p>\n

\u62ff\u5230\u624b\u4e00\u4e2alora\u7684wav\u548c\u4e00\u4e2aflash_dump<\/p>\n

\u6839\u636e\u53bb\u5e74\u7684\u7ecf\u9a8c\u5148\u628alora\u79d2\u4e86<\/p>\n

SDRConsole\u6253\u5f00\u97f3\u9891<\/p>\n

\"\"<\/p>\n

\u57fa\u672c\u53c2\u6570\u76f4\u63a5\u5230\u624b\uff0c\u518d\u52a0\u4e0a\u6587\u4ef6\u540d\uff0c\u57fa\u7840\u53c2\u6570\u5982\u4e0b<\/p>\n

\u91c7\u6837\u7387: 1M\n\u9891\u6bb5:375M\n\u5e26\u5bbd: 375128.425k-374869.675k \u7ea6\u4e3a 250k<\/code><\/pre>\n
\u7136\u540e\u76f4\u63a5\u5c31\u662f\u4e00\u4e2agnuradio-companion\uff0c\u542f\u52a8<\/p>\n
\u7b80\u5355\u8d77\u4e2a\u89e3\u5bc6<\/p>\n
\"\"<\/p>\n
\u53c2\u6570\u5f80\u91cc\u4e00\u586b<\/p>\n
\u6269\u6563\u56e0\u5b506-12\u624b\u52a8\u8bd5\u8bd5\u8fd9\u91cc\u53ea\u670911\u7684\u65f6\u5019\u624d\u6709\u4e1c\u897f\u80fd\u89e3\u51fa\u6765<\/p>\n
\"\"<\/p>\n
\u524d\u9762repeat\u5c31\u4e0d\u7528\u5f00\u4e86\uff0c\u89e3\u5bc6\u5f97\u5230\u7684\u4fe1\u606f\u5982\u4e0b<\/p>\n
 2d 31 e0 bc 4b 6c fa c4 c0 6d fa 66 26 d2 02 0b 08 a7 92 b3 78 fb 63 77 d7 e0 54 d7 4f 67 1e c0 2d f1 8c 7d 04 66 c9 31 bb 22 40 0f c9 ec 25 c8 71 33 (Klmf&xcwTOg-}f1"@%q3)\n 1b 31 e0 c4 c0 6d fa bc 4b 6c fa 29 5d 91 38 03 08 a7 92 12 19 7e 5e 99 47 1a 63 33 0f d5 24 55 (mKl)]8~^Gc3$U)\n 49 31 20 c4 c0 6d fa bc 4b 6c fa a6 41 be 1e 0b 08 a7 92 b9 4d 99 11 17 1c a9 be 15 47 44 0f f1 d6 ce 46 02 e2 d2 a4 11 af e6 da e9 f2 0c db d0 5e e5 04 3b 82 cd 6c 79 47 31 94 f9 79 73 d9 0c 85 b3 09 8c c7 22 73 85 64 36 c8 be 0a de (mKlAMGDF^;lyG1ys"sd6)\n 1b 31 e0 bc 4b 6c fa c4 c0 6d fa 0f 21 39 44 03 08 a7 92 b8 56 c7 f0 c5 8e 43 63 70 27 c9 75 2d (Klm!9DVCcp'u-)\n 5f 30 00 ff ff ff ff c4 c0 6d fa a3 f3 0f 12 03 08 a7 92 aa c1 8d 79 d8 3c 56 bc 10 34 5a ea 0f cc 82 91 41 29 1c 63 01 cc 6e 23 15 f6 a1 0f 72 20 b9 5d f1 88 c5 e5 0b ec ec 89 cb 54 b5 40 6e c1 83 c1 b7 bf 77 5e 6b ff 15 0d aa 09 c8 3d 6c 98 4f 70 c9 e2 dc 26 97 2f 84 e0 5c ba e7 5a 89 51 d4 cd 2f (my<V4ZA)cn#r ]T@nw^k=lOp&\/\\ZQ\/)\n 5f 30 00 ff ff ff ff c4 c0 6d fa a3 f3 0f 12 02 08 a7 92 aa c1 8d 79 d8 3c 56 bc 10 34 5a ea 0f cc 82 91 41 29 1c 63 01 cc 6e 23 15 f6 a1 0f 72 20 b9 5d f1 88 c5 e5 0b ec ec 89 cb 54 b5 40 6e c1 83 c1 b7 bf 77 5e 6b ff 15 0d aa 09 c8 3d 6c 98 4f 70 c9 e2 dc 26 97 2f 84 e0 5c ba e7 5a 89 51 d4 d7 b3 (my<V4ZA)cn#r ]T@nw^k=lOp&\/\\ZQ)\n 2d 31 e0 ff ff ff ff bc 4b 6c fa ed bb 63 1c 03 08 a7 92 c9 4d 34 c5 67 d1 39 89 47 9d 37 6c 8a 0c ac dc 65 8d 12 56 4a 93 ef 74 00 25 44 37 ac 10 56 (KlcM4g9G7leVJt%D7V)\n 2d 31 e0 ff ff ff ff bc 4b 6c fa ed bb 63 1c 02 08 a7 92 c9 4d 34 c5 67 d1 39 89 47 9d 37 6c 8a 0c ac dc 65 8d 12 56 4a 93 ef 74 00 25 44 37 ac 39 d8 (KlcM4g9G7leVJt%D79)\n 1f 31 40 ff ff ff ff bc 4b 6c fa a6 20 df 2d 03 04 a7 92 5a fa cd 43 97 76 00 36 1b 8c c3 f5 0f bd 5d 65 2e (Kl -ZCv6]e.)\n 1f 31 40 ff ff ff ff bc 4b 6c fa a6 20 df 2d 02 04 a7 92 5a fa cd 43 97 76 00 36 1b 8c c3 f5 0f bd 5d 87 3e (Kl -ZCv6]>)\n 68 30 60 ff ff ff ff c4 c0 6d fa 88 99 c2 02 03 04 a7 92 50 01 50 2e 35 d7 3a b7 93 c3 e9 ad 6a cc 9d a6 a4 95 5b c5 6b 80 54 e9 98 9d 76 f5 35 5c f2 86 8b 90 bf fa e3 21 d5 10 77 be 4e 17 74 fc 07 4f 63 a4 c0 af 6b a3 8f 33 a8 29 b0 78 4b da db cc 73 8b 16 e9 30 e7 41 c4 8f 4d 6c 0c ab 01 2e 56 05 12 2d ce 40 ea eb 7b 76 26 (mPP.5:j[kTv5\\!wNtOck3)xKs0AMl.V-@{v&)\n 68 30 60 ff ff ff ff c4 c0 6d fa 88 99 c2 02 02 04 a7 92 50 01 50 2e 35 d7 3a b7 93 c3 e9 ad 6a cc 9d a6 a4 95 5b c5 6b 80 54 e9 98 9d 76 f5 35 5c f2 86 8b 90 bf fa e3 21 d5 10 77 be 4e 17 74 fc 07 4f 63 a4 c0 af 6b a3 8f 33 a8 29 b0 78 4b da db cc 73 8b 16 e9 30 e7 41 c4 8f 4d 6c 0c ab 01 2e 56 05 12 2d ce 40 ea eb 7b e2 d3 (mPP.5:j[kTv5\\!wNtOck3)xKs0AMl.V-@{)\n 22 31 70 ff ff ff ff c4 c0 6d fa 5f 8a 54 22 03 04 a7 92 53 1f 89 a3 6f ea 30 18 c9 ce b7 e7 1f a3 cd 72 71 ed 14 0f (m_T"So0rq)\n 22 31 70 ff ff ff ff c4 c0 6d fa 5f 8a 54 22 02 04 a7 92 53 1f 89 a3 6f ea 30 18 c9 ce b7 e7 1f a3 cd 72 71 ed a7 3a (m_T"So0rq:)\n 09 11 40 09 11 40 ff c4 c0 6d fa 5f 8a 54 (@m_T)\n 09 11 40 ff c4 c0 6d fa 5f 8a 54 (@m_T)<\/code><\/pre>\n
\u8fd9\u6b21\u5c31\u4e0d\u662f\u660e\u6587\u4e86\uff0c\u770b\u8d77\u6765\u50cf\u67d0\u79cd\u534f\u8bae<\/p>\n
\u7136\u540e\u6839\u636e\u4e0a\u6b21\u7684\u7ecf\u9a8c\uff0c\u5f00\u5934\u4e09\u4e2a\u548c\u7ed3\u5c3e\u4e24\u4e2a\u5e94\u8be5\u662f\u4ed6\u7684lora\u7684\u56fa\u6709\u683c\u5f0f\uff0c\u53bb\u6389\u5373\u53ef\uff0c\u4e8e\u662f\u62a5\u6587\u53ef\u4ee5\u5199\u6210\u4e0b\u9762\u8fd9\u6837<\/p>\n
bc4b6cfac4c06dfa6626d2020b08a792b378fb6377d7e054d74f671ec02df18c7d0466c931bb22400fc9ec25c8\nc4c06dfabc4b6cfa295d91380308a79212197e5e99471a63330fd5\nc4c06dfabc4b6cfaa641be1e0b08a792b94d9911171ca9be1547440ff1d6ce4602e2d2a411afe6dae9f20cdbd05ee5043b82cd6c79473194f97973d90c85b3098cc72273856436c8be\nbc4b6cfac4c06dfa0f2139440308a792b856c7f0c58e43637027c9\nffffffffc4c06dfaa3f30f120308a792aac18d79d83c56bc10345aea0fcc829141291c6301cc6e2315f6a10f7220b95df188c5e50becec89cb54b5406ec183c1b7bf775e6bff150daa09c83d6c984f70c9e2dc26972f84e05cbae75a8951d4\nffffffffbc4b6cfaedbb631c0308a792c94d34c567d13989479d376c8a0cacdc658d12564a93ef7400254437ac\nffffffffbc4b6cfaa620df2d0304a7925afacd43977600361b8cc3f50fbd5d\nffffffffc4c06dfa8899c2020304a7925001502e35d73ab793c3e9ad6acc9da6a4955bc56b8054e9989d76f5355cf2868b90bffae321d51077be4e1774fc074f63a4c0af6ba38f33a829b0784bdadbcc738b16e930e741c48f4d6c0cab012e5605122dce40eaeb7b\nffffffffc4c06dfa5f8a54220304a792531f89a36fea3018c9ceb7e71fa3cd7271ed<\/code><\/pre>\n
\u7136\u540e\u5c31\u662f\u5bf9\u4e8eflash_dump\u7684\u5206\u6790\u4e86<\/p>\n
\u76f4\u63a5\u5c31\u662f\u8bb0\u4e8b\u672c\u6253\u5f00\uff0c\u53ef\u4ee5\u53d1\u73b0\u91cc\u9762\u51fa\u73b0\u4e86\u51e0\u4e2a\u5947\u602a\u7684api<\/p>\n
\"\"<\/p>\n
google\u4e00\u4e0b\uff0c\u5f97\u77e5\u662fhttps:\/\/meshtastic.org\/\u8fd9\u4e2a\u73a9\u610f<\/p>\n
\u4e8e\u662f\u91cd\u70b9\u5c31\u53ef\u4ee5\u653e\u5728\u7ffb\u4ed6\u7684\u6587\u6863\u4ee5\u53ca\u6e90\u7801\u6765\u89e3\u6790\u62a5\u6587\u4e0a\u9762\u4e86<\/p>\n
\u5e76\u4e14\u6839\u636ehttps:\/\/meshtastic.org\/docs\/overview\/mesh-algo\uff0c\u53d1\u73b0\u683c\u5f0f\u4e5f\u786e\u5b9e\u5bf9\u7684\u4e0a<\/p>\n
\"\"<\/p>\n
\u6839\u636ehttps:\/\/meshtastic.org\/docs\/overview\/encryption\u53ef\u4ee5\u77e5\u9053\u4ed6\u5176\u5b9e\u7528\u7684\u5c31\u662faes-ctr\uff0c\u5bc6\u94a5\u662f128\u6216256\u4f4d\u7684<\/p>\n
\u7136\u540e\u5c31\u662f\u7ffb\u6e90\u7801\u7ffb\u4e86\u4e00\u6574\u5929\uff0c\u8fd9\u91cc\u4e0d\u518d\u591a\u8bf4\u4e86\uff0c\u76f4\u63a5\u8bf4\u4e0b\u5173\u952e\u4f4d\u7f6e<\/p>\n
\u9996\u5148\u662f\u9ed8\u8ba4psk\uff0c\u4e5f\u5c31\u662f\u52a0\u5bc6\u4f7f\u7528\u7684\u9ed8\u8ba4\u5bc6\u94a5<\/p>\n
\"\"<\/p>\n
d4f1bb3a20290759f0bcffabcf4e6901<\/code><\/pre>\n
\u7136\u540e\u662fiv\u7684\u751f\u6210\uff0c\u8fd9\u91cc\u7684iv\u5c31\u662fnonce\uff0c\u89c4\u5219\u5982\u4e0b<\/p>\n
\"\"<\/p>\n
\u4e0d\u96be\u770b\u51fa\uff0civ\u5c31\u662fid + \\x00 * 4 + from + \\x00 * 4<\/p>\n
\u800c\u6839\u636e\u4e0a\u9762\u7684\u56fe\uff0c\u53ef\u4ee5\u77e5\u9053\u62a5\u65875-8\u5b57\u8282\u4e3afrom-id\uff0c9-12\u5b57\u8282\u4e3a\u6570\u636e\u5305id<\/p>\n
\u90a3\u8fd9\u6837\u7684\u8bdd\u89e3\u5bc6\u5c31\u7b80\u5355\u4e86\uff0c\u5148\u89e3\u7b2c\u4e00\u6761<\/p>\n
\"\"<\/p>\n
\u7136\u540e\u5c31\u662f\u6574\u4e2a\u524d\u534a\u6bb5<\/p>\n
I've got news for you, a.\nIt's not safe here, talk to me on the channel, idiot!\nI've changed our studio's door key, i'm telling you now, don't let Bob know\nstop here, wrong channel!<\/code><\/pre>\n
\u6839\u636e\u5bf9\u8bdd\u53ef\u5f97\u77e5channel\u6539\u53d8\uff0c\u5373key\u4e5f\u6539\u53d8\uff0c\u90a3\u4e48\u8be5\u5982\u4f55\u5f97\u5230key\u5462\uff0c\u6211\u76f4\u63a5\u5c31\u662f\u4e00\u624b\u55ef\u641c\uff0c\u7ed9\u7684dump\u6587\u4ef6\u53ea\u67098m\uff0c\u8dd1\u7684\u5f88\u5feb\uff0c\u800c\u4e14\u8fd9\u4e2achannel\u4e0a\u7528\u4e86256\u4f4d\u7684\u5bc6\u94a5<\/p>\n
exp:<\/p>\n
from Crypto.Util import Counter\nfrom Crypto.Cipher import AES\nfrom tqdm import trange\n\nnonce = bytes.fromhex("8899c20200000000c4c06dfa00000000")\n\nf = open("flash_dump", 'rb').read()\nfor i in trange(len(f)):\n    key = f[i:i+32]\n    ctr = Counter.new(\n        128, initial_value=int.from_bytes(nonce, byteorder='big'))\n    cipher = AES.new(key, AES.MODE_CTR, counter=ctr)\n\n    encrypted_data = bytes.fromhex(\n        "5001502e35d73ab793c3e9ad6acc9da6a4955bc56b8054e9989d76f5355cf2868b90bffae321d51077be4e1774fc074f63a4c0af6ba38f33a829b0784bdadbcc738b16e930e741c48f4d6c0cab012e5605122dce40eaeb7b")\n    try:\n        decrypted_data = cipher.decrypt(encrypted_data)[4:].decode()\n        print(key.hex())\n        print(decrypted_data)\n    except:\n        continue<\/code><\/pre>\n
\u7ed3\u679c\u5982\u4e0b<\/p>\n
\"\"<\/p>\n
\u987a\u624b\u628a\u4e0b\u9762\u7684\u90fd\u89e3\u5bc6\u4e86<\/p>\n
here please\nalright alright. the key is rwctf{No_h0p_th1s_tim3_c831bcad725935ba25c0a3708e49c0c8}\nkeep it secret<\/code><\/pre>\n
\u5509\uff0c\u53bb\u5e74\u4ecelongrange1\u5165\u95e8gnuradio\u4ee5\u53ca\u5404\u79cd\u4fe1\u53f7\uff0c\u4eca\u5e74\u7ec8\u4e8e\u4f1a\u505a\u9898\u4e86\uff0c\u4ee4\u4eba\u611f\u53f9<\/p>\n","protected":false},"excerpt":{"rendered":"
\u7b97\u662f\u5f25\u8865\u4e86\u53bb\u5e74\u7684\u9057\u61be\u4e86 \u53bb\u5e74\u7684Long Range 1 \u7684 wp \u62ff\u5230\u624b\u4e00\u4e2alora\u7684wav\u548c\u4e00\u4e2aflash_dump \u6839\u636e\u53bb\u5e74\u7684\u7ecf\u9a8c\u5148\u628alora\u79d2\u4e86 SDRConsole\u6253\u5f00\u97f3\u9891 \u57fa\u672c\u53c2\u6570\u76f4\u63a5\u5230\u624b\uff0c\u518d\u52a0\u4e0a\u6587\u4ef6\u540d\uff0c\u57fa\u7840\u53c2\u6570\u5982\u4e0b \u91c7\u6837\u7387: 1M \u9891\u6bb5:375M \u5e26\u5bbd: 375128.425k-374869.675k \u7ea6\u4e3a 250k \u7136\u540e\u76f4\u63a5\u5c31\u662f\u4e00\u4e2agnuradio-companion\uff0c\u542f\u52a8 \u7b80\u5355\u8d77\u4e2a […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-294","post","type-post","status-publish","format-standard","hentry","category-wp"],"_links":{"self":[{"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/posts\/294","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/comments?post=294"}],"version-history":[{"count":1,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/posts\/294\/revisions"}],"predecessor-version":[{"id":295,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/posts\/294\/revisions\/295"}],"wp:attachment":[{"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/media?parent=294"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/categories?post=294"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zysgmzb.club\/index.php\/wp-json\/wp\/v2\/tags?post=294"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}