初赛

the_best_ctf_game

电脑被黑

根据题目描述,考察点为数据恢复,然后通过binwalk分离,得到一个demo执行文件和一个fakeflag.txt,另外又通过Linux数据恢复工具extundelete得到一个flag.txt文件,但是打开为乱码

于是想到是不是flag文件被加密了,便对demo文件逆向,果不其然,发现了加密算法,然后就写了脚本进行解密

#include <stdio.h>
#include <stdlib.h>
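/*
 * Undo the byte-wise cipher that the "demo" binary applied to flag.txt.
 *
 * Per the reversing notes above, byte i of the file is transformed with two
 * running counters: an XOR key that starts at 34 and grows by 34 per byte, and
 * a subtrahend that steps 0,2,4,...,14 and wraps with & 0xf. This program
 * applies the transform exactly as in the recovered listing (the writeup
 * states it is the inverse of what the binary did — not verifiable here) and
 * writes the result back over flag.txt.
 *
 * Fixes relative to the decompiled listing:
 *  - fgetc() returns int, but the value was stored in a char before the EOF
 *    comparison, so a 0xFF byte ended the loop early (signed char) or EOF could
 *    never match at all (unsigned char).
 *  - reading and writing the same file through two buffered stdio handles only
 *    worked while both buffers stayed in lockstep; the file is now read into
 *    memory, transformed, and written back.
 *  - the counters are unsigned so the per-byte increment cannot overflow a
 *    signed int (UB); only the low 8 bits ever reach the output, so the
 *    written bytes are unchanged.
 *  - every fopen/fread/fwrite/fclose result is checked and the exit status
 *    reports failure instead of silently returning 0.
 */

/* Apply the recovered byte transform to buf[0..len) in place. */
static void decrypt_bytes(unsigned char *buf, size_t len)
{
    unsigned int xor_key = 34; /* v4 in the decompiled listing */
    unsigned int sub_key = 0;  /* v5 in the decompiled listing */

    for (size_t i = 0; i < len; i++) {
        /* fputc() kept only the low byte of (v6 ^ v4) - v5; do the same here */
        buf[i] = (unsigned char)((buf[i] ^ xor_key) - sub_key);
        xor_key += 34;
        sub_key = (sub_key + 2) & 0xfu;
    }
}

/*
 * Read all of `path` into a malloc'd buffer.
 * On success returns the buffer and stores its size in *len; the caller frees
 * it. On failure reports the reason on stderr and returns NULL.
 */
static unsigned char *read_whole_file(const char *path, size_t *len)
{
    unsigned char *buf = NULL;
    size_t cap = 4096;
    size_t used = 0;

    FILE *in = fopen(path, "rb");
    if (!in) {
        perror(path);
        return NULL;
    }

    buf = malloc(cap);
    if (!buf) {
        perror("malloc");
        goto fail;
    }

    for (;;) {
        size_t got = fread(buf + used, 1, cap - used, in);
        used += got;
        if (got == 0)
            break;
        if (used == cap) {
            /* grow geometrically; guard the doubling against size_t wrap */
            if (cap > (size_t)-1 / 2) {
                fprintf(stderr, "%s: file too large\n", path);
                goto fail;
            }
            unsigned char *tmp = realloc(buf, cap * 2);
            if (!tmp) {
                perror("realloc");
                goto fail;
            }
            buf = tmp;
            cap *= 2;
        }
    }

    /* fread() returning 0 means EOF or error; only the latter is fatal */
    if (ferror(in)) {
        perror(path);
        goto fail;
    }

    fclose(in);
    *len = used;
    return buf;

fail:
    free(buf);
    fclose(in);
    return NULL;
}

int main(void)
{
    static const char path[] = "flag.txt";
    size_t len = 0;
    unsigned char *data = read_whole_file(path, &len);
    if (!data)
        return 1;

    decrypt_bytes(data, len);

    int rc = 1;
    FILE *out = fopen(path, "wb");
    if (!out) {
        perror(path);
    } else {
        if (fwrite(data, 1, len, out) != len)
            perror(path);
        else
            rc = 0;
        /* fclose() flushes the last buffer; a failure there loses data too */
        if (fclose(out) != 0) {
            perror(path);
            rc = 1;
        }
    }

    free(data);
    return rc;
}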

EtnlBlu

根据题目描述,应该是要去分析msf木马,然后我就去谷歌搜索msf RC4加密,然后看到了下面这个

也就是进行RC4加密的话生成马的时候需要某个文件,然后我就去Kali搜该文件

然后根据该文件源码,得知传入的key地址最后会被压入堆栈

所以接下来去dump进程然后找该部分对应机器码就可以了,然后我就随便dump了一个进程,接着通过010editor查看dmp文件的hex编码,然后发现一段机器码重复出现

之后通过工具(反汇编器)将该段机器码转化为可读格式,发现跟前面的源码刚好对应:E8 10 00 00 00 即为 call rel32,其操作数 0x10 表示调用目标位于紧随其后的 16 字节之后,这 16 字节正是被压入栈中的 key;pop rsi 对应的机器码为 5E。所以 flag 即为 10 00 00 00 与 5E 之间的 hex 编码,长度应恰好为 16 字节,可以用这一点检验截取是否正确。

bd

当私钥指数满足 d < (1/3)·N^(1/4)(题目中通常表现为 e 异常大、位数与 n 接近)时,可使用 Wiener Attack 仅凭 e 和 n 恢复出 d,再用 d 解出明文。可直接使用脚本 rsa-wiener-attack,把 n 和 e 传进去即可。

华中赛区复赛

幸运饼干

给的图片跟压缩包内图片的CRC32一样,尝试明文攻击

得到解压密码

解压后得到mimikatz抓密码的记录admin.txt和sqlite数据库文件Cookies以及master key file,此题解法可参考HGAME2020-Week3-日常解题方式

根据密码抓取记录786515ed10d6b79e74c1739f72a158cc,解得key为54231

然后通过mimikatz得到flag,注意e5f8e386-7041-4f16-b02d-304c71040126文件解压后看不到,但是实际是存在的,通过Linux解压可以看到

mimikatz # dpapi::masterkey /in:C:\Users\IM-A\Desktop\1\flag\S-1-5-21-726299542-2485387390-1117163988-1001\e5f8e386-7041-4f16-b02d-304c71040126 /password:54231
**MASTERKEYS**
dwVersion : 00000002 - 2
szGuid : {e5f8e386-7041-4f16-b02d-304c71040126}
dwFlags : 00000005 - 5
dwMasterKeyLen : 000000b0 - 176
dwBackupKeyLen : 00000090 - 144
dwCredHistLen : 00000014 - 20
dwDomainKeyLen : 00000000 - 0
[masterkey]
**MASTERKEY**
dwVersion : 00000002 - 2
salt : 878dd8440a0e80ff0ecfcc13da57d1ec
rounds : 00001f40 - 8000
algHash : 0000800e - 32782 (CALG_SHA_512)
algCrypt : 00006610 - 26128 (CALG_AES_256)
pbKey : a5fbc1213adb93e582b8cc53aaa107798e15041a497e644b2ef630f72855990d3f4cca62e967d80679e9903e64aaee91e82656b179dbbb25ff809f52b0b08a6458ba1337820ef34b0107ffc03a1481d26f5d627aa1607a17833f6fdf801c818f184fd7461bdd64e55c2d7844ee87f610945377c032d8334c82a780a5f253d65d9daa10d1096e1de44f81d440d8b5b5a4

[backupkey]
**MASTERKEY**
dwVersion : 00000002 - 2
salt : 8ff5a6cd081af8648c2d286a5818d26b
rounds : 00001f40 - 8000
algHash : 0000800e - 32782 (CALG_SHA_512)
algCrypt : 00006610 - 26128 (CALG_AES_256)
pbKey : e47dedb2912cf83ce3683410ea6d95bc4b19440840ef1398e4232dd62a7d0c6b5690e56ed2a33d8e872018574bf74789f4528a0463eeb322b0dc3b36ff855c207dd4392b7a0df71087b5eaba379aeb93fb635d1e589660c08c09d3abd1c4fa4d4db2e805e52621081629d9e6a8acd741

[credhist]
**CREDHIST INFO**
dwVersion : 00000003 - 3
guid : {70a2dbe6-bd4e-407b-86e1-744f01fb3833}


Auto SID from path seems to be: S-1-5-21-726299542-2485387390-1117163988-1001

[masterkey] with volatile cache: SID:S-1-5-21-726299542-2485387390-1117163988-1001;GUID:{70a2dbe6-bd4e-407b-86e1-744f01fb3833};MD4:786515ed10d6b79e74c1739f72a158cc;SHA1:f80e3e3d4c6321518cd2557e6cda7bd50a061864;
key : 7a4d2ffbb42d0a1ab46f0351260aef16cae699e03e9d6514b3bf10e2977c5d228fda4a48e39b7b8a06a443c39653c2a3c3656596e7edc84e1c9682511c8343ac
sha1: 0da593d6efa52b90e548a703de74359cf355703a

[masterkey] with password: 54231 (normal user)
key : 7a4d2ffbb42d0a1ab46f0351260aef16cae699e03e9d6514b3bf10e2977c5d228fda4a48e39b7b8a06a443c39653c2a3c3656596e7edc84e1c9682511c8343ac
sha1: 0da593d6efa52b90e548a703de74359cf355703a

mimikatz # dpapi::chrome /in:C:\Users\IM-A\Desktop\1\flag\Cookies /masterkey:7a4d2ffbb42d0a1ab46f0351260aef16cae699e03e9d6514b3bf10e2977c5d228fda4a48e39b7b8a06a443c39653c2a3c3656596e7edc84e1c9682511c8343ac

Host : www.baidu.com ( / )
Name : flag
Dates : 2020/8/27 20:56:59 -> 2030/1/1 8:00:01
* volatile cache: GUID:{e5f8e386-7041-4f16-b02d-304c71040126};KeyHash:0da593d6efa52b90e548a703de74359cf355703a;Key:available
* masterkey : 7a4d2ffbb42d0a1ab46f0351260aef16cae699e03e9d6514b3bf10e2977c5d228fda4a48e39b7b8a06a443c39653c2a3c3656596e7edc84e1c9682511c8343ac
Cookie: flag{mimikatz_is_bravo_1ds51x}

baby

RSA小明文攻击

http://www.manongjc.com/detail/13-ocdpchucqqpcmuj.html

import gmpy2
from Crypto.Util.number import long_to_bytes

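def _iroot(x, k):
    """Integer k-th root of a non-negative int.

    Returns ``(r, exact)`` where ``r == floor(x ** (1/k))`` and ``exact`` is
    ``r ** k == x`` — the same contract as ``gmpy2.iroot``, implemented in pure
    Python so the script also runs where gmpy2 is not installed.
    """
    if x < 0 or k < 1:
        raise ValueError("iroot needs x >= 0 and k >= 1")
    if x < 2 or k == 1:
        return x, True
    # Start from a power of two that is >= the true root, then take integer
    # Newton steps; from above the sequence decreases monotonically and stops
    # exactly at floor(root).
    r = 1 << ((x.bit_length() + k - 1) // k)
    while True:
        y = ((k - 1) * r + x // r ** (k - 1)) // k
        if y >= r:
            return r, r ** k == x
        r = y


def small_msg(e, n, c, max_k=200000000):
    """Low-exponent RSA: recover m when m**e exceeds n by only a small multiple.

    Tries k = 0, 1, 2, ... and returns the first integer m with m**e == k*n + c,
    or False if no such k below ``max_k`` exists. ``max_k`` defaults to the
    bound the original script hard-coded, so existing calls behave the same.
    """
    for k in range(max_k):
        root, exact = _iroot(k * n + c, e)
        if exact:
            return root
    return False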

# Public exponent from the challenge; e = 3 is what makes the small-message
# (k*n + c is a perfect cube) attack feasible.
e = 3

# Public modulus as given in the challenge.
n = 691316677109436623113422493782665795857921917893759942123087462879884062720557906429183155859597756890896192044003240821906332575292476160072039505771794531255542244123516929671277306361467074545720823735806308003091983427678300287709469582282466572230066580195227278214776280213722215953097747453437289734469454712426107967188109548966907237877840316009828476200388327329144783877033491238709954473809991152727333616022406517443130542713167206421787038596312975153165848625721911080561242646092299016802662913017071685740548699163836007474224715426587609549372289181977830092677128368806113131459831182390520942892670696447128631485606579943885812260640805756035377584155135770155915782120025116486061540105139339655722904721294629149025033066823599823964444620779259106176913478839370100891213072100063101232635183636552360952762838656307300621195248059253614745118852163569388418086291748805100175008658387803878200034840215506516715640621165661642177371863874586069524022258642915100615596032443145034847031564356671559179212705466145609698475546210994748949121359853094247990533075004393534565421776468785821261291309463205314057882016266066365636018084499158806717036972590848458891019171583268920180691221168453612029698510271

# Ciphertext c = m^e mod n as given in the challenge.
cipher=3442467842482561323703237574537907554035337622762971103210557480050349359873041624336261782731509068910003360547049942482415036862904844600484976674423604861710166033558576921438068555951948966099658902606725292551952345193132973996288566246138708754810511646811362017769063041425115712305629748341207792305694590742066971202523405301561233341991037374101265623265332070787449332991792097090044761973705909217137119649091313457206589803479797894924402017273543719924849592070328396276760381501612934039653

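# Recover m by searching for a k with k*n + cipher a perfect cube.
msg = small_msg(e, n, cipher)

# small_msg returns False when no k inside its search bound works; the original
# passed that straight into long_to_bytes, which fails with an unhelpful error.
if msg is False:
    raise SystemExit("small-exponent attack failed: no k with k*n + c a perfect e-th power")

print(long_to_bytes(msg))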

traffic

简单分析了一下为鼠标流量,

tshark提取

# One usb.capdata value per line, in packet order; packets without that field print an empty line.
# (Captures made with USBPcap on Windows may expose the HID report as usbhid.data instead — check with Wireshark.)
tshark -r capture.pcapng -T fields -e usb.capdata > usb.txt

手动将提取出的数据整理成脚本要求的格式:每行一个报文,形如 bb:xx:yy:ww(按钮字节、X 偏移、Y 偏移、滚轮,各两位 hex 并以冒号分隔,共 11 个字符)。较新版本的 tshark 输出 usb.capdata 时可能不带冒号分隔,这很可能就是数据需要自己处理的原因;此时要么补上冒号,要么相应调整脚本中的切片偏移。

脚本恢复出坐标:

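def parse_mouse_clicks(lines):
    """Replay relative USB mouse reports and return the cursor position at each left click.

    ``lines`` are tshark ``usb.capdata`` rows in the colon-separated form
    ``"bb:xx:yy:ww"`` (button byte, signed X delta, signed Y delta, wheel).
    A row is used only if it is exactly 11 characters after stripping
    surrounding whitespace; anything else (empty rows, longer reports) is
    skipped. Returns a list of ``(x, y)`` tuples in capture order, starting
    from the origin (0, 0).

    Compared with the original loop this strips the line ending before checking
    the length, so the last line of a file without a trailing newline and
    CRLF-terminated files produced on Windows are no longer silently dropped.
    """
    clicks = []
    pos_x = 0
    pos_y = 0
    for raw in lines:
        row = raw.strip()
        if len(row) != 11:
            continue
        button = int(row[0:2], 16)  # 1 = left, 2 = right, 0 = no button
        dx = int(row[3:5], 16)
        dy = int(row[6:8], 16)
        # the deltas are two's-complement signed bytes
        if dx > 127:
            dx -= 256
        if dy > 127:
            dy -= 256
        pos_x += dx
        pos_y += dy
        if button == 1:
            clicks.append((pos_x, pos_y))
    return clicks


if __name__ == "__main__":
    # Print "x y" per left click, one per line, ready for gnuplot.
    with open('usb.txt', 'r') as keys:
        for x, y in parse_mouse_clicks(keys):
            print(x, y)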

然后用 gnuplot 把这些坐标点画出来。USB 鼠标报文的 Y 偏移通常以向下为正,而绘图坐标系以向上为正,所以画出的图像上下颠倒,用 Photoshop 垂直翻转后即可得到 flag。

题目名忘了

附件是一张png图片,zsteg检测到LSB隐写了7z压缩包

# -v prints every bit-plane/channel/order combination zsteg tries and what it recognised in each
zsteg flag.png -v

提取出压缩包

# -E re-extracts only the channel spec zsteg reported (bit 1, RGB order, LSB, x-then-y scan) and writes the raw payload
zsteg -E "b1,rgb,lsb,xy" flag.png > flag.7z

打开发现压缩包被加密了,共有六个文本文件,且大小均为 3 字节。压缩包头部会明文存储每个文件的 CRC32,而 3 字节可打印文本只有 92^3 ≈ 7.8×10^5 种组合,远小于 2^32,因此 CRC32 基本上能唯一确定文件内容——此处考察点即为 CRC32 碰撞(爆破)。

上脚本

from zlib import crc32
import random

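# Printable ASCII candidates. Note this set omits the space character and the
# single quote ', so a file containing either can never be found with it.
char='!"#$%&()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefghijklmnopqrstuvwxyz{|}~'


def crc32_f(data):
    """Return the CRC-32 of ``data`` as exactly 8 lowercase hex digits.

    Accepts bytes or str (str is encoded as latin-1, one byte per character,
    matching the Python 2 behaviour of the original). The ``%08x`` format keeps
    leading zeros, which ``hex(...)[2:10]`` silently dropped — a checksum such
    as 0x000abcde could never match an 8-digit target.
    """
    if isinstance(data, str):
        data = data.encode('latin-1')
    return '%08x' % (crc32(data) & 0xffffffff)


def find_crc(length, target, charset=char):
    """Return the first ``length``-character string over ``charset`` whose CRC-32
    is ``target`` (8 hex digits, any case), or None if nothing matches.

    Candidates are enumerated exhaustively in charset order, so the search is
    deterministic and each string is tried exactly once, unlike the original
    random sampling which could revisit guesses and never terminate.
    """
    import itertools  # local import so the script's import block is unchanged

    target = target.lower()
    for combo in itertools.product(charset, repeat=length):
        text = ''.join(combo)
        if crc32_f(text) == target:
            return text
    return None


if __name__ == "__main__":
    length = int(input('length:'))
    crc32_ = input('crc32:').strip().lower()
    found = find_crc(length, crc32_)
    if found is None:
        print('no match in charset')
    else:
        # The original hit `exit` without calling it and kept looping; stop here.
        input('find it:' + found)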

比赛时有两段 flag 没爆出来,血亏。事后看脚本里的字符集漏掉了空格和单引号 ' ,如果那两段恰好含有这些字符就永远爆不出来;另外随机采样不保证遍历到所有组合,改成按字符集穷举更稳妥。

全国总决赛

第一天打了一天AWD,成绩还算可以,晚上十点临时通知换赛制,有被惊到,第二天夺旗赛果然是干不过各位大师傅了,最终拿个国二,还算可以吧,不禁感叹:ylbnb!

BadPic

夺旗赛我们就做了两道web,这道题是比赛结束后手机开热点做的,有网的情况下直接把这题秒了…

图片尾部有两段字符串,拼接后疑似 base64;base64 解码后得到的并不是可读文本,而是一段看不出规律的二进制数据,猜测是 AES 密文,但缺少密钥。

另外发现图片损坏了,通过在线工具修复 https://online.officerecovery.com/cn/pixrecovery/

此时得到密钥apache

在线解密,得到01组成的字符串,依据经验,得知是二维码,通过脚本恢复

from PIL import Image
from zlib import *

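# The AES-decrypted payload: one character per pixel, row-major. It was a
# single string literal in the original; it is split here only for line length.
BITS = (
    "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000011111111111111100011111100011111111111000000011001111111111111111000001100000000000110001111110000011111011000000001100111000000000001100000100000000000011000111111000001111000100000011110011000000000000110000010000000000001100011111100000111100010000001111001100000000000011000001000111111000110001100111100000110000011110001100110001111110001100000100011111110011000100011110000011000001111000110011000111111000110000010001111111001100011000011000011110000001100011001100011111100011000001000111111100110001111001110011111100000110001100110001111110001100000100011111110011000000000000000011111000000000110011000111111000110000010001111111001100000000000000001111111000000011001100011111100011000001000011111000110000000000000000111111000000001000110001111110001100000100000000000011000100000011110011000000000011000011000000000000110000010000000000001100010000001111001100000000001000001100000000000011000001111111111111110001000110001100110001000110001100111111111111111100000111111111111111000100011000110011000110011000110011111111111111110000000000000000000000000000000011000000000000000000000000000000000000000000000000000000000000011000001100000100011000110000000000000000000000000000000000000000000000000000000000000001100010000000000000000000000000011110000011111100000000011100000000000110001100000001000111111111000000000000001100000000000000000000000000011000000000000100000111011100000000000000110000000001111000111111111111100000111111111110011000110000000000000011000000000111100011111111111110000011111111111001100011000000000000001111111100000000111100111111111000001100110000011110001100000000000000111111110000000011110011111111100000110011000001111000110000000000000000110001000000011100000000011111000111000000000110000011000000000110000011000100000111100000"
    "00000111111111110000010001100000110000000000000000110000000001110000000000001111011100000001000000000000000000011000001111110000000110001100000100011000110000000100000000000000000001100000111111000000001000100000010001100010000000010000000000000000011110011000000001000110000000111111111000000000111111111110000011000001111000100000000100011000000011111111000000000011111111111000001100000111100000000011000001100000000000010000001000111111000001111000110000011110000000001100000110000000000001000001100011111100000111100011000000011000000000000000000000000000001110000110000011000000011000001100000001111000111100000110011000110011111111111000001100010001100011110000000111100000000000000000000000000000000110000000000001000110001111000000011111100000111100000001110000000000011000111100000100011000111100000001110110000000110000000000000000000000000000000000000000000001110000011110001111110001000111100011001111111000000000111100011000000011000001111001111111000100011110001100111111100000000011110001100000001100000000000000001111000000011111110000010001100000111111000110000000110000000000000000111100000001111111000001000110000011111100011000000011000000000000000011000000000001110000000000111000001100000000000000000000000000011000111100000111100010000011000111111000110000010001100011000000000001100000000000011110000000000000011111000011000001000110001100000001111111100000111111111000001100000001111000111111111111111000110000000111111110000011111111100000100000000111100011111111111111100010000000000000000000000000011111100000000001111111111111000000011111100011000000000000000000000001111110000000000111111111111100000001111110001100000111111111111111000000011000000011111111100011110011000111100000110000011111111111111100000001100000001111111110001111001100011110000011000001100000000000110000000000000000110001111001111100000001111000000000000100000000000011000111100000110011000111111111110000000111100011000000010000000000001100011000000000001100000110011111000000011110000000000001"
    "000111111100110001000001110011111100011000111111111111111000001100000100011111110011000100000010001111110001100011111111111111100000110000010001111111001100000110000011001111110000000011110001000110000011000001000111111100110000011000001100111111100000001111000100011000001100000100011111110011000000001111111111110001100010001100000001111111110000010001111111001100000001111111111111000110001100110000000111111111000001000000000000110000000111110011000110011000000000000000011001111100000100000000000011000110011110001100011111111000110011000111100011110000010000000000001100011000111000110001111111100011000100011110001110000001111111111111110001111000001111000000011000001111000000011000110000000111111111111111000111100000111100000001100000111100000001100010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
)


def bits_to_rows(bits, side):
    """Cut the leading ``side * side`` characters of ``bits`` into ``side`` row strings.

    Raises ValueError when ``bits`` holds fewer than ``side * side`` characters.
    The original loop indexed straight past the end of the string for the larger
    trial sizes and died with IndexError instead.
    """
    needed = side * side
    if len(bits) < needed:
        raise ValueError("need %d bits for a %dx%d image, have %d" % (needed, side, side, len(bits)))
    return [bits[r * side:(r + 1) * side] for r in range(side)]


def render(bits, side):
    """Draw ``bits`` as a side x side RGB image: '1' -> black pixel, anything else -> white."""
    pic = Image.new("RGB", (side, side))
    for y, row in enumerate(bits_to_rows(bits, side)):
        for x, bit in enumerate(row):
            pic.putpixel((x, y), (0, 0, 0) if bit == '1' else (255, 255, 255))
    return pic


if __name__ == "__main__":
    # The true side length is not known in advance; if the payload is an exact
    # square this hint is the answer, otherwise the trial loop below applies.
    print("payload has %d bits; sqrt ~ %d" % (len(BITS), int(len(BITS) ** 0.5)))
    # Same candidate range as the original, but sizes that do not fit the
    # payload are reported and skipped rather than crashing the script.
    for side in range(60, 80):
        try:
            pic = render(BITS, side)
        except ValueError as exc:
            print(exc)
            continue
        pic.show()
        pic.save("flag.png")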

通过微信扫描即可得到flag