SICTF-2023 #Round2-WP-Crypto | Misc
💌💌💌💌💌💌💌💌💌💌💌💌💌💌💌💌💌💌💌💌💌💌💌💌💌💌💌💌💌💌💌💌💌💌💌💌💌💌💌💌💌💌💌💌💌💌💌💌💌💌
🔗Crypto
1. [Sign-in] Classical Hodgepodge
Attachment:
🐩👃🐪🐼👅🐯🐩👈👇👭👟👝🐺🐭👉👙👤👋👚🐪🐫👍👢👮👱🐼👢👨👠👭🐽🐰🐻👚👂👧👠👥👛👮👯👮👬🐾👐👛👌👚👞🐨👏👉👆🐿👆👘👇🐺👦🐸👃🐭👟👑👪👃👁🐻🐻👜🐧👇👊🐧🐾🐼👇🐫🐺👐👆👪🐼👋👌👧🐻👐🐩🐺👥🐽👋👉🐰👎👠👠👣🐧🐫👧🐭👢🐯👑👑🐮👂👏🐻👥👚🐮👋👬👌👥👁👣👅👧👯👦👌👌👍👠👌🐽👉👃👊🐫👉🐨🐮👩👆🐪🐯👘👏👏🐼👩👍👊👍👡👀👰👋👣👨👧👍👜👐👛🐮👘👅👠🐿👂👰👄👈👝👠👤👃👛👘🐭👅👱👆👬👫👥👆🐽👁👐👥👊👇👉👊👩👌👭🐫🐫👬👱🐯👇🐺👁👞👑👙🐮👜👋👘👪👩👚👦👨👀👩👐👉👃🐾👥👀🐫👝👍🐩🐧👰👆👇👨🐪👃🐭👦🐫👱
Every character is an emoji, so this is obviously base100; one pass through a crypto toolbox strips the whole chain down to the flag:
SICTF{fe853b49-8730-462e-86f5-fc8e9789f077}
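A minimal base100 codec, added here as an example and not the toolbox used in the writeup. base100 maps every byte to one 4-byte UTF-8 emoji, F0 9F ((b+55)//64 + 0x8F) ((b+55)%64 + 0x80), so decoding is plain arithmetic on the last two UTF-8 bytes of each emoji. The sample input is constructed; on the challenge string the decoder peels only the base100 layer (the first emoji become "2L3"), leaving the remaining layers to the toolbox as the writeup does.

```python
# Added example: pure-Python base100 encode/decode (the emoji encoding used
# by the challenge). Not part of the original writeup.

def base100_encode(data: bytes) -> str:
    out = bytearray()
    for b in data:
        v = b + 55                                   # 55..310
        out += bytes([0xF0, 0x9F, v // 64 + 0x8F, v % 64 + 0x80])
    return out.decode("utf-8")

def base100_decode(text: str) -> bytes:
    raw = text.encode("utf-8")
    if len(raw) % 4:
        raise ValueError("base100 input must consist of whole 4-byte emoji")
    out = bytearray()
    for i in range(0, len(raw), 4):
        if raw[i] != 0xF0 or raw[i + 1] != 0x9F:
            raise ValueError(f"not a base100 emoji at byte offset {i}")
        v = (raw[i + 2] - 0x8F) * 64 + (raw[i + 3] - 0x80) - 55
        out.append(v % 256)                          # undo the +55 offset
    return bytes(out)

if __name__ == "__main__":
    sample = base100_encode(b"SICTF{constructed}")   # constructed sample, not challenge data
    print(sample)
    print(base100_decode(sample))
```

The decoder validates the two fixed lead bytes per emoji, so pasted text with stray characters fails loudly instead of producing garbage.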
2. Radio
Attachment:
from Crypto.Util.number import *
from flag import flag
m = bytes_to_long(flag)
p = getPrime(1024)
q = getPrime(1024)
n1 = p * q
p = getPrime(1024)
q = getPrime(1024)
n2 = p * q
p = getPrime(1024)
q = getPrime(1024)
n3 = p * q
e = 17
c1 = pow(m,e,n1)
c2 = pow(m,e,n2)
c3 = pow(m,e,n3)
print("n1 =",n1)
print("n2 =",n2)
print("n3 =",n3)
print("c1 =",c1)
print("c2 =",c2)
print("c3 =",c3)
'''
n1 = 14628911682936716611458501697007036859460044243525290515096052103585430459755335375005202100114469571371360084664887335211277585652711111523095037589648375630146039444071400098427638768750755153219974194380355807078158427824557754939604018020265955042573660474772006646525311705184431094905718137297923127124517126579859336516891364853724635334011666814712424599592662398013241607855160919361308195967978220182785816761656927836373944699635667244275310680450562446433724968942835275279255823144471582249379035668825437133182865600026935116686574740844588839352146024513673500770611055698030333734066230166111140083923
n2 = 16756694748293603983474688536179571665757862433174984877308316444468003022266277794769268134195205510197588585566270416339902269736376811449830775290335951504698137924773942880807921752691668522662285163130340474205633998154849689387759453003838730282756734975490180702422176361373516245372635401939755527017589503572550811648345570775428936487145892225736625411540461653083957762795820510109891180906709827194217045059033312564525916136573856999724346161896146703174418039344166251503310869772735585554127509732135494936119159784702673291794381095696332128950979288440758815310482211285712819274848744478643590996499
n3 = 12023158079717019193506148537498877243668782424904061914991928068483879707115315968983829360560644394409575645736275352836086080024994045582242629571839276759393418303915955798990522990081795218822313146157773272844272865701134880180795342597049645358985187689813369428579614193015028249821853347208001645148169449968882591709833452960545988520048722323580338213590245476892223967673180144525106292453573842357322398199104132677638909964034937501684668442732786408572501007756270725934445316827054687741612177409932320532825182104820899546084015733164816993674100635828218335112393003462442685677115798304835391938681
c1 = 786426913645332991929803636719878643130489430090701482974255190570111407517277263761161970232982615374753982050075781017755721714929721429185828101898786972242994012456972241276851428750970754773002966788642795040933520662931514953660571657013642671173456750800960592586345219252277575624120271330470724245201080094330964145796872211627254805407394764183615099525852600855622089361965086460279057625205099471122036599934609091062009161119885692567925924978687256063116915630947838112126347748759078024890458539541208153526564434483654508834147071166870006117573542198238493913144419569943131642262575848786399020602
c2 = 14269311999815379511888097227418748728398011595172649708273598243317106830139061994801598925448165045032084910971094414749744701731066555194159863759072739031915833091715422787808666326235589236328864675164322734119047182014621724868200908222400504845559290620275973427127376594365043386362821355037781568524903149101953873768462097165128186788759111090267131443645126715520994688945363059795513931799317608292977574376954729552861360597103229877031117089231816770880909815561950691603994439997197261395452797893557057320175747162837857668062550646101714062365530246698404923128445182100334335447738834779014705114350
c3 = 3204718091370324153305164801961074660508922478706979436653573192321723216725523523538914956544950802616295043619768261075799875855502834749045520466140056621489305006966280527055668378303630674311102581232313032585389907028715671091914904062961720585667564982641321454541632782484415075257140508738041786400512095949826279576159569786734978545737717138115729502475357594151593143140355121154223614868465202149338507796306863351134218879326031985027900678671697876083351974546516576983143592764763925335805465720148057651958521255276602933604064541840892578409973858867533575728482926007556060584654853884046046420855
'''
Håstad's broadcast attack plus the Chinese Remainder Theorem: the same m is encrypted with e = 17 under three independent moduli. CRT on the three ciphertexts gives m^17 modulo n1·n2·n3, and because the 43-byte flag (344 bits) makes m^17 only about 5850 bits while n1·n2·n3 is about 6144 bits, that residue is m^17 over the integers, so an exact integer 17th root finishes the job. This only works because the flag is short; in general e ciphertexts are needed.
exp:
import gmpy2
import libnum
# n1, n2, n3 are products of independent random primes, so they are pairwise coprime and CRT applies
n1 = 14628911682936716611458501697007036859460044243525290515096052103585430459755335375005202100114469571371360084664887335211277585652711111523095037589648375630146039444071400098427638768750755153219974194380355807078158427824557754939604018020265955042573660474772006646525311705184431094905718137297923127124517126579859336516891364853724635334011666814712424599592662398013241607855160919361308195967978220182785816761656927836373944699635667244275310680450562446433724968942835275279255823144471582249379035668825437133182865600026935116686574740844588839352146024513673500770611055698030333734066230166111140083923
n2 = 16756694748293603983474688536179571665757862433174984877308316444468003022266277794769268134195205510197588585566270416339902269736376811449830775290335951504698137924773942880807921752691668522662285163130340474205633998154849689387759453003838730282756734975490180702422176361373516245372635401939755527017589503572550811648345570775428936487145892225736625411540461653083957762795820510109891180906709827194217045059033312564525916136573856999724346161896146703174418039344166251503310869772735585554127509732135494936119159784702673291794381095696332128950979288440758815310482211285712819274848744478643590996499
n3 = 12023158079717019193506148537498877243668782424904061914991928068483879707115315968983829360560644394409575645736275352836086080024994045582242629571839276759393418303915955798990522990081795218822313146157773272844272865701134880180795342597049645358985187689813369428579614193015028249821853347208001645148169449968882591709833452960545988520048722323580338213590245476892223967673180144525106292453573842357322398199104132677638909964034937501684668442732786408572501007756270725934445316827054687741612177409932320532825182104820899546084015733164816993674100635828218335112393003462442685677115798304835391938681
c1 = 786426913645332991929803636719878643130489430090701482974255190570111407517277263761161970232982615374753982050075781017755721714929721429185828101898786972242994012456972241276851428750970754773002966788642795040933520662931514953660571657013642671173456750800960592586345219252277575624120271330470724245201080094330964145796872211627254805407394764183615099525852600855622089361965086460279057625205099471122036599934609091062009161119885692567925924978687256063116915630947838112126347748759078024890458539541208153526564434483654508834147071166870006117573542198238493913144419569943131642262575848786399020602
c2 = 14269311999815379511888097227418748728398011595172649708273598243317106830139061994801598925448165045032084910971094414749744701731066555194159863759072739031915833091715422787808666326235589236328864675164322734119047182014621724868200908222400504845559290620275973427127376594365043386362821355037781568524903149101953873768462097165128186788759111090267131443645126715520994688945363059795513931799317608292977574376954729552861360597103229877031117089231816770880909815561950691603994439997197261395452797893557057320175747162837857668062550646101714062365530246698404923128445182100334335447738834779014705114350
c3 = 3204718091370324153305164801961074660508922478706979436653573192321723216725523523538914956544950802616295043619768261075799875855502834749045520466140056621489305006966280527055668378303630674311102581232313032585389907028715671091914904062961720585667564982641321454541632782484415075257140508738041786400512095949826279576159569786734978545737717138115729502475357594151593143140355121154223614868465202149338507796306863351134218879326031985027900678671697876083351974546516576983143592764763925335805465720148057651958521255276602933604064541840892578409973858867533575728482926007556060584654853884046046420855
e = 17
n = [n1, n2, n3]
c = [c1, c2, c3]
N = 1
for i in n:
    N = N * i
m_e = 0  # will hold m^e, reconstructed over the integers by CRT
for i in range(len(n)):
    m_e = m_e + c[i] * N // n[i] * gmpy2.invert(N // n[i], n[i])
m_e = m_e % N
m, f = gmpy2.iroot(m_e, e)  # f is True only if m_e is a perfect e-th power
assert f, "no exact root: m^e must be smaller than n1*n2*n3"
flag = libnum.n2s(int(m))
print("🥇:", flag)
# 🥇:SICTF{fdc0afb5-1c81-46b9-a28a-241f5f64419d}
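The same attack in stdlib-only Python, added as an example (it is not the writeup's exp). It is the general form: any e with at least e ciphertexts under pairwise-coprime moduli, CRT with pow(x, -1, n) for the inverses, an exact integer e-th root, and a re-encryption check against every ciphertext. The moduli are constructed from Mersenne primes so it runs offline; the challenge values above can be dropped in instead.

```python
# Added example: Håstad broadcast attack, general e, no gmpy2/libnum.
# Demo keys are constructed from Mersenne primes; not the challenge values.
from functools import reduce

def crt(residues, moduli):
    """Solve x = r_i (mod n_i) for pairwise coprime n_i; returns (x, prod(n_i))."""
    N = reduce(lambda a, b: a * b, moduli, 1)
    x = 0
    for r, n in zip(residues, moduli):
        Ni = N // n
        x += r * Ni * pow(Ni, -1, n)        # pow(a, -1, n) is the modular inverse (Python 3.8+)
    return x % N, N

def iroot(x, k):
    """Integer k-th root by Newton's method; returns (floor(x ** (1/k)), is_exact)."""
    if x < 2:
        return x, True
    r = 1 << ((x.bit_length() + k - 1) // k)   # start above the true root
    while True:
        s = ((k - 1) * r + x // pow(r, k - 1)) // k
        if s >= r:
            break
        r = s
    return r, pow(r, k) == x

def hastad(cts, mods, e):
    """Recover m from ciphertexts m^e mod n_i (at least e of them, coprime n_i)."""
    if len(cts) < e:
        raise ValueError("need at least e ciphertexts under distinct moduli")
    # e moduli each larger than m make prod(n_i) > m^e, so the CRT value is m^e exactly
    m_e, N = crt(cts[:e], mods[:e])
    m, exact = iroot(m_e, e)
    if not exact:
        raise ValueError("no exact e-th root: m^e >= N or ciphertexts do not share m")
    for c, n in zip(cts, mods):             # cross-check every ciphertext, not only the e used
        if pow(m, e, n) != c:
            raise ValueError("recovered m does not re-encrypt to a given ciphertext")
    return m

# Constructed demo (not the challenge values): moduli built from Mersenne primes.
MERSENNE = [2**127 - 1, 2**107 - 1, 2**89 - 1, 2**61 - 1, 2**521 - 1, 2**31 - 1]
DEMO_MODS = [MERSENNE[0] * MERSENNE[1], MERSENNE[2] * MERSENNE[3], MERSENNE[4] * MERSENNE[5]]
DEMO_E = 3
DEMO_M = int.from_bytes(b"SICTF{constructed}", "big")
DEMO_CTS = [pow(DEMO_M, DEMO_E, n) for n in DEMO_MODS]

if __name__ == "__main__":
    m = hastad(DEMO_CTS, DEMO_MODS, DEMO_E)
    print(m.to_bytes((m.bit_length() + 7) // 8, "big"))
```

The exactness flag from iroot is the check that separates "flag short enough" from "not enough ciphertexts": when m^e exceeds the product of the moduli the root is not exact and the function refuses to return a wrong m.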
3. MingTianPao
Challenge:
The name perfectly captures the author's state of mind: learning CTF has left them unable to afford a meal, so they plan to run away tomorrow (明天跑, MingTianPao; the initials MTP are the real hint).
Attachment:
import binascii
from Crypto.Util.strxor import strxor
from secret import flag, message
# message is a Classic English Story
for i in range(10):
    tmp = (message[i*30:(i+1)*30].encode())                 # 30-byte chunk of the story
    print(binascii.hexlify(strxor(tmp, flag)).decode())     # every chunk is XORed with the same 30-byte flag
# 1f2037202a1e6d06353b61263d050a0538493b3018544e14171d2b1c4218
# 3769373b66142f31297f291126410e042b01162d59103a0c005221075013
# 37242c202e1e3f743c36371130410c1e2b491a31574406014505291a550e
# 7f6922742e1a213270372e01264105193004532b1f554e120c1e2a145618
# 7d69143c23156d18392b35183141310e3b49213613590003453a291a555d
# 36273731341e297424372454230e0c0f2c49127f005f020245112718545d
# 26396320295b2531227161273c04430f360d533118444e0f0b1d31554615
# 323d6335660c24373b3a2554350f0a063e05533712101905165e66145f19
# 733e222766152220703e27063508074b300f53371e5d40444735291a555d
# 37283a7432146d2d3f2a6d541808171f330c530d12544e360c162f1b565d
A classic many-time pad (MTP) problem: ten 30-byte plaintext chunks are XORed with the same 30-byte key, the flag. The script also leaves a hint:
# message is a Classic English Story
We know the first six characters of the flag, "SICTF{", so XOR them with the first ciphertext line to reveal the first six plaintext bytes:
They spell "Little", so by the hint this is an English story beginning with "Little" (search for such stories and test them). XOR is its own inverse, so swap the roles of ciphertext and plaintext: XORing a guessed plaintext with the ciphertext returns the key, i.e. the flag.
After a few tries, Little Red Riding Hood works.
The result is nearly complete; only the tail is missing. It looks like a variant of "wonderful", so put the flag back in as the key and test the remaining characters one at a time (wonderful can vary in case and leetspeak digits, so each position is tried separately; a few attempts get there):
SICTF{MTP_AtTack_is_w0nderFu1}
This one was quite fun.
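The crib-dragging procedure above, written out as an added example (not the author's script). Because every line is message_i XOR flag with the same key, a correct plaintext guess at one position yields key bytes that must turn the same positions of every other line into readable text; that is the filter used here. The ten hex lines are the challenge output; the printability test is a simple stand-in for the by-hand checking in the writeup.

```python
# Added example: crib-dragging the MingTianPao ciphertexts. The ten hex
# lines are the challenge output; the flag is the 30-byte key shared by all.

CT_HEX = [
    "1f2037202a1e6d06353b61263d050a0538493b3018544e14171d2b1c4218",
    "3769373b66142f31297f291126410e042b01162d59103a0c005221075013",
    "37242c202e1e3f743c36371130410c1e2b491a31574406014505291a550e",
    "7f6922742e1a213270372e01264105193004532b1f554e120c1e2a145618",
    "7d69143c23156d18392b35183141310e3b49213613590003453a291a555d",
    "36273731341e297424372454230e0c0f2c49127f005f020245112718545d",
    "26396320295b2531227161273c04430f360d533118444e0f0b1d31554615",
    "323d6335660c24373b3a2554350f0a063e05533712101905165e66145f19",
    "733e222766152220703e27063508074b300f53371e5d40444735291a555d",
    "37283a7432146d2d3f2a6d541808171f330c530d12544e360c162f1b565d",
]
CTS = [bytes.fromhex(h) for h in CT_HEX]
KEY_LEN = len(CTS[0])                        # the flag is 30 bytes long

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def printable(bs: bytes) -> bool:
    return all(32 <= b < 127 for b in bs)

def key_from_crib(ct: bytes, crib: bytes, offset: int) -> bytes:
    """If `crib` is the plaintext of ct at `offset`, these are the key bytes there."""
    return xor(ct[offset:offset + len(crib)], crib)

def crib_drag(cts, crib: bytes):
    """All (line, offset) positions where the crib yields printable text on every line."""
    hits = []
    for i, ct in enumerate(cts):
        for off in range(KEY_LEN - len(crib) + 1):
            frag = key_from_crib(ct, crib, off)
            if all(printable(xor(other[off:off + len(crib)], frag)) for other in cts):
                hits.append((i, off))
    return hits

def decrypt_all(cts, key: bytes):
    """Apply a (possibly partial) key to every line; output is as long as the key."""
    return [xor(ct, key) for ct in cts]

def candidates_for_position(cts, pos: int):
    """Key bytes at `pos` that keep every line printable there: the 'one character at a time' step."""
    return [k for k in range(256) if all(32 <= (ct[pos] ^ k) < 127 for ct in cts)]

if __name__ == "__main__":
    print(xor(CTS[0][:6], b"SICTF{"))                    # known flag prefix -> first word of the story
    print(crib_drag(CTS, b"Little Red Riding Hood"))     # every place the title fits
    key = key_from_crib(CTS[0], b"Little Red Riding Hood", 0)
    for line in decrypt_all(CTS, key):
        print(line)
    for pos in range(len(key), KEY_LEN):                 # narrow down the tail of the flag
        print(pos, bytes(candidates_for_position(CTS, pos)))
```

The title crib hits twice, at the start of line 1 and inside line 5, and both hits agree on the key bytes they cover, which is the usual sign that a crib is right rather than a printable coincidence. The per-position candidate lists for bytes 22 to 29 are what the final guessing of "w0nderFu1}" narrows down.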
4. Easy_CopperSmith
Challenge:
Do you know Coppersmith?
Attachment:
from Crypto.Util.number import *
from flag import flag
p = getPrime(512)
q = getPrime(512)
n = p * q
e = 65537
leak = p >> 230
m = bytes_to_long(flag)
c = pow(m,e,n)
print(n)
print(leak)
print(c)
'''
114007680041157617250208809154392208683967639953423906669116998085115503737001019559692895227927818755160444076128820965038044269092587109196557720941716578025622244634385547194563001079609897387390680250570961313174656874665690193604984942452581886657386063927035039087208310041149977622001887997061312418381
6833525680083767201563383553257365403889275861180069149272377788671845720921410137177
87627846271126693177889082381507430884663777705438987267317070845965070209704910716182088690758208915234427170455157948022843849997441546596567189456637997191173043345521331111329110083529853409188141263211030032553825858341099759209550785745319223409181813931086979471131074015406202979668575990074985441810
'''
A classic partial-key exposure: leak = p >> 230 is the top 282 bits of the 512-bit p. Write p = p4·2^230 + x with x < 2^230; x is a small root of f(x) = x + p4·2^230 modulo the unknown divisor p of n, which Sage's small_roots (Coppersmith's method) finds. 230 unknown bits is below the roughly n^(1/4) ≈ 256-bit limit of the method, and the small epsilon forces a lattice large enough to reach it. Recover p first, then q = n // p.
n = 114007680041157617250208809154392208683967639953423906669116998085115503737001019559692895227927818755160444076128820965038044269092587109196557720941716578025622244634385547194563001079609897387390680250570961313174656874665690193604984942452581886657386063927035039087208310041149977622001887997061312418381
p4 = 6833525680083767201563383553257365403889275861180069149272377788671845720921410137177
c = 87627846271126693177889082381507430884663777705438987267317070845965070209704910716182088690758208915234427170455157948022843849997441546596567189456637997191173043345521331111329110083529853409188141263211030032553825858341099759209550785745319223409181813931086979471131074015406202979668575990074985441810
e = 65537
pbits = 512
kbits = pbits - p4.nbits()          # number of unknown low bits of p (230)
p4 = p4 << kbits                    # known high bits moved into place
PR.<x> = PolynomialRing(Zmod(n))
f = x + p4                          # p = p4 + x with x < 2^kbits
roots = f.small_roots(X=2^kbits, beta=0.4, epsilon=0.01)   # root modulo a divisor of n of size about n^beta
if roots:
    p = p4 + int(roots[0])
    q = n // p
    assert p * q == n
    print(p)
    print(q)
11790815224554410800121104187905468470390194289969616547114051282402254164513760262526048229096923579410713190006883604069013303904509383122210101811900773
9669194018386129503300336046235270996644150320805133719133058178879526640870171636400065553651340295023059145408424451034627123286813490640124073749725897
With p and q in hand, decrypt directly. exp:
# decryption script:
import gmpy2
from Crypto.Util.number import long_to_bytes
p = 11790815224554410800121104187905468470390194289969616547114051282402254164513760262526048229096923579410713190006883604069013303904509383122210101811900773
q = 9669194018386129503300336046235270996644150320805133719133058178879526640870171636400065553651340295023059145408424451034627123286813490640124073749725897
c = 87627846271126693177889082381507430884663777705438987267317070845965070209704910716182088690758208915234427170455157948022843849997441546596567189456637997191173043345521331111329110083529853409188141263211030032553825858341099759209550785745319223409181813931086979471131074015406202979668575990074985441810
phi = (p-1) * (q-1)
e = 65537
n = p * q
d = gmpy2.invert(e, phi)
m = pow(c, d, n)
print('💌:',long_to_bytes(m))
💌: b'SICTF{3f9366ed-b8e4-412f-bbd0-62616a24115c}'
5. Here comes the sign-in challenge!
Challenge:
Here comes the sign-in challenge!
Attachment:
from secret import flag
from Crypto.Util.number import *
m = bytes_to_long(flag)
p = getPrime(1024)
q = getPrime(1024)
e = getPrime(10)
n = p*q
c1 = pow(114*m+2333,e,n)
c2 = pow(514*m+4555,e,n)
print(f'n = {n}')
print(f'c1 = {c1}')
print(f'c2 = {c2}')
'''
n = 18993579800590288733556762316465854395650778003397512624355925069287661487515652428099677335464809283955351330659278915073219733930542167360381688856732762552737791137784222098296804826261681852699742456526979985201331982720936091963830799430264680941164508709453794113576607749669278887105809727027129736803614327631979056934906547015919204770702496676692691248702461766117271815398943842909579917102217310779431999448597899109808086655029624478062317317442297276087073653945439820988375066353157221370129064423613949039895822016206336117081475698987326594199181180346821431242733826487765566154350269651592993856883
c1 = 3089900890429368903963127778258893993015616003863275300568951378177309984878857933740319974151823410060583527905656182419531008417050246901514691111335764182779077027419410717272164998075313101695833565450587029584857433998627248705518025411896438130004108810308599666206694770859843696952378804678690327442746359836105117371144846629293505396610982407985241783168161504309420302314102538231774470927864959064261347913286659384383565379900391857812482728653358741387072374314243068833590379370244368317200796927931678203916569721211768082289529948017340699194622234734381555103898784827642197721866114583358940604520
c2 = 6062491672599671503583327431533992487890060173533816222838721749216161789662841049274959778509684968479022417053571624473283543736981267659104310293237792925201009775193492423025040929132360886500863823523629213703533794348606076463773478200331006341206053010168741302440409050344170767489936681627020501853981450212305108039373119567034948781143698613084550376070802084805644270376620484786155554275798939105737707005991882264123315436368611647275530607811665999620394422672764116158492214128572456571553281799359243174598812137554860109807481900330449364878168308833006964726761878461761560543284533578701661413931
'''
A classic related-message attack (Franklin–Reiter) with a small twist: e is unknown.
Approach:
Write the two polynomials g1(x) = (114x + 2333)^e − c1 and g2(x) = (514x + 4555)^e − c2 over Z_n[x]. The plaintext m is a root of both, so they share the factor (x − m); running Euclid's algorithm on them yields that linear factor, and its constant term gives m. Since getPrime(10) returns a 10-bit prime, e lies in [512, 1024): try each candidate and keep the one whose result decodes to the flag prefix.
exp:
from gmpy2 import *
from Crypto.Util.number import *
n = 18993579800590288733556762316465854395650778003397512624355925069287661487515652428099677335464809283955351330659278915073219733930542167360381688856732762552737791137784222098296804826261681852699742456526979985201331982720936091963830799430264680941164508709453794113576607749669278887105809727027129736803614327631979056934906547015919204770702496676692691248702461766117271815398943842909579917102217310779431999448597899109808086655029624478062317317442297276087073653945439820988375066353157221370129064423613949039895822016206336117081475698987326594199181180346821431242733826487765566154350269651592993856883
c1 = 3089900890429368903963127778258893993015616003863275300568951378177309984878857933740319974151823410060583527905656182419531008417050246901514691111335764182779077027419410717272164998075313101695833565450587029584857433998627248705518025411896438130004108810308599666206694770859843696952378804678690327442746359836105117371144846629293505396610982407985241783168161504309420302314102538231774470927864959064261347913286659384383565379900391857812482728653358741387072374314243068833590379370244368317200796927931678203916569721211768082289529948017340699194622234734381555103898784827642197721866114583358940604520
c2 = 6062491672599671503583327431533992487890060173533816222838721749216161789662841049274959778509684968479022417053571624473283543736981267659104310293237792925201009775193492423025040929132360886500863823523629213703533794348606076463773478200331006341206053010168741302440409050344170767489936681627020501853981450212305108039373119567034948781143698613084550376070802084805644270376620484786155554275798939105737707005991882264123315436368611647275530607811665999620394422672764116158492214128572456571553281799359243174598812137554860109807481900330449364878168308833006964726761878461761560543284533578701661413931
a1 = 114
b1 = 2333
a2 = 514
b2 = 4555
elist = [521,523,541,547,557,563,569,571,577,587,593,599,601,607,613,617,619,631,641,643,647,653,659,661,673,677,683,691,701,709,719,727,733,739,743,751,757,761,769,773,787,797,809,811,821,823,827,829,839,853,857,859,863,877,881,883,887,907,911,919,929,937,941,947,953,967,971,977,983,991,997,1009,1013,1019,1021]
def attack(c1, c2, e, n):
    PR.<x> = PolynomialRing(Zmod(n))
    g1 = (a1*x + b1)^e - c1
    g2 = (a2*x + b2)^e - c2
    def gcd(g1, g2):
        while g2:
            g1, g2 = g2, g1 % g2
        return g1.monic()
    return -gcd(g1, g2)[0]   # gcd is x - m, so its constant term is -m

for e in elist:
    m1 = attack(c1, c2, e, n)
    if b"SICTF" in long_to_bytes(int(m1)):
        flag = long_to_bytes(int(m1))
        print(flag)
        break
SICTF{hhh!!franklin_reiter_is_easy}
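The Franklin–Reiter attack and the unknown-e brute force in pure Python, added as an example (the Sage exp above is the writeup's own). Polynomials over Z_n are coefficient lists, low degree first, and (a·x + b)^e − c is expanded with the binomial theorem rather than by repeated multiplication. The demo key is constructed from two Mersenne primes with a hidden e = 23 and a five-entry candidate list so it runs in well under a second; Euclid on degree-1000 polynomials is cubic in e, so for the real 10-bit e the Sage version is the one to use.

```python
# Added example: Franklin–Reiter related-message attack over Z_n[x] in pure
# Python, with brute force over candidate e. Demo parameters are constructed.
from math import comb

def poly_trim(p):
    while len(p) > 1 and p[-1] == 0:
        p.pop()
    return p

def poly_mod(a, b, n):
    """Remainder of a modulo b in Z_n[x]; b needs an invertible leading coefficient."""
    a = poly_trim(a[:])
    inv = pow(b[-1], -1, n)           # ValueError here means gcd(lc(b), n) > 1, i.e. n just got factored
    while len(a) >= len(b) and a != [0]:
        coef = a[-1] * inv % n
        shift = len(a) - len(b)
        for i, bc in enumerate(b):
            a[shift + i] = (a[shift + i] - coef * bc) % n
        poly_trim(a)                  # the leading term is now zero by construction
    return a

def poly_gcd(a, b, n):
    a, b = poly_trim(a[:]), poly_trim(b[:])
    while len(b) > 1:                 # until the remainder is a constant
        a, b = b, poly_mod(a, b, n)
    if b != [0]:                      # non-zero constant remainder: the polynomials are coprime
        return [1]
    inv = pow(a[-1], -1, n)
    return [c * inv % n for c in a]   # make it monic

def linear_pow_minus_c(a, b, e, c, n):
    """Coefficients of (a*x + b)^e - c in Z_n[x] via the binomial theorem."""
    coeffs = [comb(e, k) * pow(a, k, n) * pow(b, e - k, n) % n for k in range(e + 1)]
    coeffs[0] = (coeffs[0] - c) % n
    return coeffs

def franklin_reiter(c1, c2, a1, b1, a2, b2, e, n):
    """Return m if (a1*m+b1)^e = c1 and (a2*m+b2)^e = c2 mod n, else None."""
    g1 = linear_pow_minus_c(a1, b1, e, c1, n)
    g2 = linear_pow_minus_c(a2, b2, e, c2, n)
    try:
        g = poly_gcd(g1, g2, n)
    except ValueError:
        return None
    if len(g) != 2:                   # wrong e: no shared linear factor
        return None
    m = (-g[0]) % n                   # monic x - m, so the constant term is -m
    return m if pow(a1 * m + b1, e, n) == c1 else None

def recover_with_unknown_e(c1, c2, a1, b1, a2, b2, n, candidates):
    for e in candidates:
        m = franklin_reiter(c1, c2, a1, b1, a2, b2, e, n)
        if m is not None:
            return e, m
    return None

# Constructed demo (not the challenge's numbers): 234-bit n, hidden e = 23.
N_DEMO = (2**127 - 1) * (2**107 - 1)
M_DEMO = int.from_bytes(b"SICTF{constructed}", "big")
E_DEMO = 23
C1_DEMO = pow(114 * M_DEMO + 2333, E_DEMO, N_DEMO)
C2_DEMO = pow(514 * M_DEMO + 4555, E_DEMO, N_DEMO)
E_CANDIDATES = [17, 19, 23, 29, 31]   # 5-bit primes stand in for the 10-bit list above

if __name__ == "__main__":
    e, m = recover_with_unknown_e(C1_DEMO, C2_DEMO, 114, 2333, 514, 4555, N_DEMO, E_CANDIDATES)
    print(e, m.to_bytes((m.bit_length() + 7) // 8, "big"))
```

A wrong e leaves the two polynomials coprime, so the gcd degenerates to a constant and the function returns None; the re-encryption check at the end guards against the rare case where Euclid over a composite modulus returns a degree-1 factor that is not x − m.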
6. small_e
Challenge:
Why can't I get this low-exponent attack to work? Is the challenge broken? Thumbs down!
Attachment:
import libnum
from Crypto.Util.number import *
import uuid
flag="SICTF{"+str(uuid.uuid4())+"}"
m=libnum.s2n(flag)
p=getPrime(1024)
q=getPrime(1024)
n=p*q
e=3
c=pow(m,e,n)
m1=((m>>60)<<60)
print("n=",n)
print("e=",e)
print("c=",c)
print("((m>>60)<<60)=",m1)
print(flag)
'''
n= 23407088262641313744603678186127228163189328033499381357614318160776774708961658114505773173784501557046914457908828086210961235530240151825359345210845219656000760996670856300710703016947799649686427460688236465568188205550456293373157997725204643414082796492333552579250010906010553831060540937802882205118399938918764313169385349293602085310111289583058965780887097301702677087443291977479125263301000328313103296364864396361278863921717374909215078711198899810620522933994481419395021233240234478331179727351050575360886334237633420906629984625441302945112631166021776379103081857393866576659121443879590011160797
e= 3
c= 1584727211980974717747362694412040878682966138197627512650829607105625096823456063149392973232737929737200028676411430124019573130595696272668927725536797627059576270068695792221537212669276826952363636924278717182163166234322320044764324434683614360641636360301452618063418349310497430566465329766916213742181
((m>>60)<<60)= 11658736990073967239197168945911788935424691658202162501032766529463315401599017877851823976178979438592
'''
A small-plaintext attack. The flag is 43 bytes (344 bits), so m^3 is only about 1030 bits while n is 2048 bits: the exponentiation never wrapped around n and c is literally m^3 over the integers. An exact integer cube root returns m; the leaked high bits ((m>>60)<<60) are not needed here:
import gmpy2
from Crypto.Util.number import long_to_bytes
n =23407088262641313744603678186127228163189328033499381357614318160776774708961658114505773173784501557046914457908828086210961235530240151825359345210845219656000760996670856300710703016947799649686427460688236465568188205550456293373157997725204643414082796492333552579250010906010553831060540937802882205118399938918764313169385349293602085310111289583058965780887097301702677087443291977479125263301000328313103296364864396361278863921717374909215078711198899810620522933994481419395021233240234478331179727351050575360886334237633420906629984625441302945112631166021776379103081857393866576659121443879590011160797
e =3
c =1584727211980974717747362694412040878682966138197627512650829607105625096823456063149392973232737929737200028676411430124019573130595696272668927725536797627059576270068695792221537212669276826952363636924278717182163166234322320044764324434683614360641636360301452618063418349310497430566465329766916213742181
m, exact = gmpy2.iroot(c, e)  # exact is True when c is a perfect cube, i.e. no modular wrap occurred
assert exact
print('🛣️: ', long_to_bytes(m))
#🛣️:SICTF{2ca8e589-4a31-4909-80f0-9ecfc8f8cb37}
7. easy_math
Challenge:
Math is actually easy!
Attachment:
from secret import flag
from Crypto.Util.number import *
m = bytes_to_long(flag)
p = getPrime(512)
q = getPrime(512)
n = p * q
e = 65537
hint1 = getPrime(13)*p+getPrime(256)*q
hint2 = getPrime(13)*p+getPrime(256)*q
c = pow(m,e,n)
print(f'n = {n}')
print(f'hint1 = {hint1}')
print(f'hint2 = {hint2}')
print(f'c = {c}')
'''
n = 68123067052840097285002963401518347625939222208495512245264898037784706226045178539672509359795737570458454279990340789711761542570505016930986418403583534761200927746744298082254959321108829717070206277856970403191060311901559017372393931121345743640657503994132925993800497309703877076541759570410784984067
hint1 = 564294243979930441832363430202216879765636227726919016842676871868826273613344463155168512928428069316237289920953421495330355385445649203238665802121198919543532254290185502622234014832349396422316629991217252686524462096711723580
hint2 = 484307144682854466149980416084532076579378210225500554261260145338511061452958092407101769145891750844383042274498826787696953308289632616886162073232218214504005935332891893378072083589751354946391146889055039887781077066257013110
c = 57751903193610662622957432730720223801836323458721550133101805763463060486486266309568004721657732742899781400754207249733137375171400440423755473421971160000575072519031824740691618617905549725344323721903857290320737224300672847773455169809689188843070599176261204013341324705808617411345132933937680951713
'''
The generation of hint1 and hint2 is given: hint1 = a1·p + b1·q and hint2 = a2·p + b2·q, where a1, a2 are 13-bit primes and b1, b2 are 256-bit primes.
The coefficients of p are tiny, so list every 13-bit prime as a candidate for a1 and a2 and eliminate p: a2·hint1 − a1·hint2 = (a2·b1 − a1·b2)·q is a multiple of q, so its gcd with n yields q. That is only a few hundred thousand candidate pairs. With q, and p = n // q, ordinary RSA decryption finishes.
exp:
from Crypto.Util.number import *
n = 68123067052840097285002963401518347625939222208495512245264898037784706226045178539672509359795737570458454279990340789711761542570505016930986418403583534761200927746744298082254959321108829717070206277856970403191060311901559017372393931121345743640657503994132925993800497309703877076541759570410784984067
hint1 = 564294243979930441832363430202216879765636227726919016842676871868826273613344463155168512928428069316237289920953421495330355385445649203238665802121198919543532254290185502622234014832349396422316629991217252686524462096711723580
hint2 = 484307144682854466149980416084532076579378210225500554261260145338511061452958092407101769145891750844383042274498826787696953308289632616886162073232218214504005935332891893378072083589751354946391146889055039887781077066257013110
c = 57751903193610662622957432730720223801836323458721550133101805763463060486486266309568004721657732742899781400754207249733137375171400440423755473421971160000575072519031824740691618617905549725344323721903857290320737224300672847773455169809689188843070599176261204013341324705808617411345132933937680951713
e = 65537
primelist = [i for i in range(2**12,2**13) if isPrime(i)]
def solve():
    for i in primelist:              # candidate for a2, the 13-bit prime in hint2
        for j in primelist:          # candidate for a1, the 13-bit prime in hint1
            # i*hint1 - j*hint2 = (i*a1 - j*a2)*p + (i*b1 - j*b2)*q; the p term vanishes when i = a2, j = a1
            g = GCD(hint1*i - hint2*j, n)
            if 1 < g < n:
                q = g
                p = n // q
                d = inverse(e, (p-1)*(q-1))
                return long_to_bytes(pow(c, d, n))

print(solve())
SICTF{452aebb6-9c16-441a-ac42-fc608bf6063f}
🔍Misc
1. [Sign-in] Welcome
Challenge:
Follow the WeChat official account and send "SICTF2023" to get the flag!
Solution:
Follow the account and do as instructed.
SICTF{Welcome_to_SICTF2023_#Round2}
2. Pixel_art
Challenge:
What on earth is this oddly coloured picture for?
Solution:
The attachment is a zip that asks for a password on extraction. Opening it in 010 Editor turns up no password, which points to pseudo-encryption: the archive is not actually encrypted, only the "encrypted" bit in its header flags is set. Patch that bit:
Changing this 01 to 00 lets the archive extract to the image below.
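The same patch done programmatically, as an added example rather than the hex-editor step in the writeup. Bit 0 of the general-purpose flag word (offset 6 of a local file header PK\x03\x04, offset 8 of a central-directory entry PK\x01\x02) is what tells extractors an entry is encrypted; the challenge author sets it on a plain archive so tools demand a password. The archive here is constructed in memory with the standard library; it is not the challenge attachment. Locating headers by signature scan is an assumption that works for small archives whose contents do not contain a header signature; a parser that walks from the end-of-central-directory record is the robust version.

```python
# Added example: detect and clear ZIP pseudo-encryption (flag bit 0) with the
# standard library. Sample archive is constructed, not the challenge file.
import io
import struct
import zipfile

LOCAL_SIG, CENTRAL_SIG = b"PK\x03\x04", b"PK\x01\x02"

def _flag_offsets(data):
    """Yield (offset of the flag word, header kind) for every header signature found."""
    for sig, delta, kind in ((LOCAL_SIG, 6, "local"), (CENTRAL_SIG, 8, "central")):
        pos = data.find(sig)
        while pos != -1:
            yield pos + delta, kind          # signature scan: assumes no signature inside file data
            pos = data.find(sig, pos + 4)

def encryption_flags(data):
    """[(kind, bit0)] for each header: 1 means the entry claims to be encrypted."""
    return [(kind, struct.unpack_from("<H", data, off)[0] & 1) for off, kind in _flag_offsets(data)]

def clear_encryption_flags(data: bytes) -> bytes:
    """The fix: clear bit 0 of every general-purpose flag word."""
    buf = bytearray(data)
    for off, _ in _flag_offsets(buf):
        flags = struct.unpack_from("<H", buf, off)[0]
        struct.pack_into("<H", buf, off, flags & ~1)
    return bytes(buf)

def set_fake_encryption(data: bytes) -> bytes:
    """What the challenge author did: set bit 0 without encrypting anything."""
    buf = bytearray(data)
    for off, _ in _flag_offsets(buf):
        flags = struct.unpack_from("<H", buf, off)[0]
        struct.pack_into("<H", buf, off, flags | 1)
    return bytes(buf)

def read_entry(data: bytes, name: str) -> bytes:
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)

def zipfile_demands_password(data: bytes, name: str) -> bool:
    try:
        read_entry(data, name)
        return False
    except RuntimeError as exc:             # "File ... is encrypted, password required for extraction"
        return "encrypted" in str(exc)

def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("flag.txt", b"SICTF{constructed_sample}\n")
    return buf.getvalue()

if __name__ == "__main__":
    fake = set_fake_encryption(build_sample_zip())
    print(encryption_flags(fake), zipfile_demands_password(fake, "flag.txt"))
    fixed = clear_encryption_flags(fake)
    print(encryption_flags(fixed), read_entry(fixed, "flag.txt"))
```

Python's zipfile takes the encryption decision from the central-directory entry, which is why patching the one byte the writeup points at is enough for most tools; clearing both headers keeps strict validators happy too. A genuinely encrypted entry would still fail to inflate (or produce garbage for stored data) after this patch, which is how you tell pseudo-encryption from the real thing.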
Inspect the image:
from PIL import Image
# open the extracted image
img = Image.open('2.png')
# size is (width, height) in pixels
width, height = img.size
print(width, height)
# mode is the pixel format
print(img.mode)
# getpixel() takes an (x, y) tuple; (0, 0) is the top-left corner,
# x grows to the right and y grows downward
x, y = 100, 100
pix = img.getpixel((x, y))
print(pix)
# load() returns a pixel-access object covering the whole image
pix = img.load()
print(pix[x, y])
1000 1000
RGBA
(42, 49, 53, 255)
(42, 49, 53, 255)
That suggests LSB steganography:
Something is indeed hidden in the low bits; save it as a PNG and open it:
The image is tiny! Check its details:
It is 20×20, so the flag is presumably encoded in the pixel values. Extract them with a script:
from PIL import Image
image = Image.open('3.png')  # replace with your image path
width, height = image.size
pixel_data = []
for y in range(height):
    for x in range(width):
        pixel = image.getpixel((x, y))
        pixel_data.append(pixel)
print(pixel_data)
[(46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (33, 63, 33), (33, 46, 63), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (63, 46, 63), (33, 46, 63), (46, 46, 46), (46, 33, 46), (63, 46, 46), (46, 46, 46), (46, 46, 33), (63, 33, 33), (46, 63, 33), (33, 33, 33), (33, 33, 63), (46, 63, 33), (46, 63, 33), (33, 33, 46), (33, 33, 33), (33, 33, 33), (33, 33, 33), (33, 33, 33), (33, 46, 63), (46, 46, 46), (46, 46, 46), (46, 46, 46), (33, 63, 33), (33, 46, 63), (46, 46, 46), (46, 46, 46), (46, 46, 63), (46, 63, 33), (46, 63, 46), (46, 33, 46), (63, 46, 46), (46, 46, 46), (46,
46, 33), (63, 33, 33), (46, 63, 33), (33, 33, 33), (33, 33, 63), (46, 63, 33), (46, 63, 33), (33, 33, 33), (33, 33, 33), (33, 33,
33), (33, 46, 63), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (33, 63, 33), (33, 46, 63), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 63), (46, 63, 33), (46, 63, 46), (46, 46, 46), (46, 46, 46), (46, 33, 46), (63, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (33, 63, 33), (33, 46, 63), (33, 33, 33), (33, 33, 33), (33, 33, 33), (33, 33, 33), (33, 33, 33), (33, 63, 46), (63, 33, 46), (63, 33, 33), (33, 33, 33), (33, 33, 33), (33, 33, 33), (33, 33, 33), (33, 33, 33), (33, 33, 33), (33, 33, 33), (46, 46, 46), (33, 46, 46), (46, 46, 46), (46, 46, 33), (46, 33, 33), (33, 33, 33), (33, 33, 46), (63, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 33), (63, 33, 33), (46, 63, 46), (46,
46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 63), (46, 63, 33), (46, 63, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46,
46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 33), (46, 46, 46), (46, 46, 33), (46, 63, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (33, 63, 33), (33, 46, 63), (33, 33, 33), (33, 33, 33), (33, 33, 33), (33, 33, 33), (63, 46, 63), (33, 46, 63), (33, 33, 33), (33, 33, 33), (33, 33, 33), (33, 33, 33), (33, 33, 33), (33, 33, 33), (33, 33, 33), (33, 33, 33), (33, 46, 46), (46, 46, 46), (33, 46, 33), (33, 33, 33), (33, 33, 33), (33, 33, 33), (33, 33, 33), (33, 33, 33), (33, 46, 63), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (33, 63, 33), (33, 46, 63), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 63), (46, 63, 33), (46, 63, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 33, 46), (33,
33, 33), (33, 33, 46), (63, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 33, 63), (33, 33, 46), (63, 33,
33), (33, 33, 33), (33, 33, 33), (33, 33, 33), (33, 33, 33), (63, 46, 63), (33, 46, 63), (33, 33, 33), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 33), (46, 63, 46), (46, 46, 46), (46, 46, 46), (33, 63, 33), (33, 46, 63), (33, 33, 33), (33, 33, 33), (63, 46, 63), (33, 46, 63), (33, 33, 33), (33, 33, 33), (33, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 33, 46), (63, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 33), (63, 33, 33), (46, 63, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 63), (46, 63, 33), (46, 63, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (33, 46, 46), (46, 46, 46), (33, 46, 33), (46, 63, 46), (46, 46, 46), (46,
46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 33), (63, 33, 33), (46, 63, 33), (33, 33, 33), (33, 33, 33), (33, 33, 33), (33, 33,
33), (33, 63, 46), (63, 33, 46), (63, 33, 33), (33, 33, 33), (33, 33, 33), (33, 33, 33), (33, 33, 33), (33, 46, 63), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (33, 63, 33), (33, 46, 63), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 63), (46, 63, 33), (46, 63, 46), (46, 46, 46), (46, 46, 33), (46, 63, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (33, 63, 33), (33, 46, 63), (33, 33, 33), (33, 33, 33), (33, 33, 33), (33, 33, 33), (63, 46, 63), (33, 46, 63), (33, 33, 33), (33, 33, 33), (33, 33, 33), (46, 33, 33), (33, 33, 33), (33, 33, 33), (33, 33, 33), (33, 33, 33), (33, 33, 33), (33, 33, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (33, 46, 33), (33, 33, 33), (33, 33, 33), (33, 33, 33), (33,
33, 33), (33, 33, 33), (33, 33, 33), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 33), (46, 33, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (33, 46, 33), (33, 33, 33), (33, 33, 33), (33, 33, 33), (33, 33, 33), (33, 33, 33), (33, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (33, 46, 63), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (33, 63, 33), (33, 46, 63), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 63), (46, 63, 33), (46, 63, 33), (46, 33, 33), (33, 33, 33), (46, 33, 33), (33, 33, 33), (46, 46, 46), (46, 46, 46), (46, 33, 46), (33, 33, 33), (46, 63, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46),
(33, 63, 33), (33, 46, 63), (33, 33, 33), (33, 33, 33), (33, 33, 33), (33, 33, 33), (63, 46, 63), (33, 46, 63), (33, 33, 33), (33, 33, 33), (33, 33, 33), (33, 33, 33), (33, 33, 33), (33, 33, 33), (33, 46, 33), (46, 63, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 33, 63), (33, 33, 46), (63, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 63), (46, 63, 33), (46, 63, 46), (46, 46, 46), (46, 46, 46), (46, 46, 46), (46, 46, 33), (46, 63, 46), (0, 0, 0), (0, 0, 0), (0, 0, 0), (0, 0, 0), (0, 0, 0), (0, 0, 0), (0, 0, 0), (0, 0, 0)]
Only three distinct values appear, which must mean something. Printed as ASCII:
46 - .
33 - !
63 - ?
Ha, that is clearly Ook!. Write a complete script that emits the Ook! program:
from PIL import Image
image = Image.open('3.png')  # replace with your image path
width, height = image.size
pixel_data = []
for y in range(height):
    for x in range(width):
        pixel = image.getpixel((x, y))
        pixel_data.append(pixel)
for i in range(len(pixel_data)):
    if pixel_data[i] == (0, 0, 0):   # black pixels pad the end of the program
        break
    for j in pixel_data[i]:          # each channel value is one Ook punctuation mark
        print("Ook" + chr(j), end="")
Result:
Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook!Ook?Ook!Ook!Ook.Ook?Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook?Ook.Ook?Ook!Ook.Ook?Ook.Ook.Ook.Ook.Ook!Ook.Ook?Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook!Ook?Ook!Ook!Ook.Ook?Ook!Ook!Ook!Ook!Ook!Ook!Ook?Ook.Ook?Ook!Ook.Ook?Ook!Ook!Ook!Ook.Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook.Ook?Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook!Ook?Ook!Ook!Ook.Ook?Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook?Ook.Ook?Ook!Ook.Ook?Ook.Ook.Ook!Ook.Ook?Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook!Ook?Ook!Ook!Ook.Ook?Ook!Ook!Ook!Ook!Ook!Ook!Ook?Ook.Ook?Ook!Ook.Ook?Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook.Ook?Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook!Ook?Ook!Ook!Ook.Ook?Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook?Ook.Ook?Ook!Ook.Ook?Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook!Ook.Ook?Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook!Ook?Ook!Ook!Ook.Ook?Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook?Ook.Ook?Ook!Ook.Ook?Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook.Ook.Ook.Ook!Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook!Ook.Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook.Ook?Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook!Ook?Ook!Ook!Ook.Ook?Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook?Ook.Ook?Ook!Ook.Ook?Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook!Ook.Ook.Ook.Ook.Ook.Ook!Ook.Ook?Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook!Ook?Ook!Ook!Ook.Ook?Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook?Ook.Ook?Ook!Ook.Ook?Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook.Ook.Ook.Ook.Ook.Ook!Ook.Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook.Ook?Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook!Ook?Ook!Ook!Ook.Ook?Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.
Ook.Ook.Ook.Ook.Ook.Ook.Ook?Ook.Ook?Ook!Ook.Ook?Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook!Ook.Ook!Ook!Ook!Ook!Ook!Ook.Ook?Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook!Ook?Ook!Ook!Ook.Ook?Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook?Ook.Ook?Ook!Ook.Ook?Ook!Ook!Ook!Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook!Ook.Ook?Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook!Ook?Ook!Ook!Ook.Ook?Ook!Ook!Ook!Ook!Ook!Ook!Ook?Ook.Ook?Ook!Ook.Ook?Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook!Ook.Ook?Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook!Ook?Ook!Ook!Ook.Ook?Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook?Ook.Ook?Ook!Ook.Ook?Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook!Ook.Ook.Ook.Ook.Ook.Ook!Ook.Ook!Ook.Ook?Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook!Ook?Ook!Ook!Ook.Ook?Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook?Ook.Ook?Ook!Ook.Ook?Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook.Ook?Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook!Ook?Ook!Ook!Ook.Ook?Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook?Ook.Ook?Ook!Ook.Ook?Ook.Ook.Ook.Ook.Ook.Ook.Ook!Ook.Ook?Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook!Ook?Ook!Ook!Ook.Ook?Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook?Ook.Ook?Ook!Ook.Ook?Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook.Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook!Ook.Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook!Ook.Ook!Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook!Ook.Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook!Ook.Ook?Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.
Ook.Ook.Ook!Ook?Ook!Ook!Ook.Ook?Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook?Ook.Ook?Ook!Ook.Ook?Ook!Ook.Ook!Ook!Ook!Ook!Ook!Ook.Ook!Ook!Ook!Ook!Ook!Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook!Ook.Ook!Ook!Ook!Ook.Ook?Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook!Ook?Ook!Ook!Ook.Ook?Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook?Ook.Ook?Ook!Ook.Ook?Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook!Ook.Ook!Ook.Ook?Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook!Ook?Ook!Ook!Ook.Ook?Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook?Ook.Ook?Ook!Ook.Ook?Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook.Ook!Ook.Ook?Ook.
Decode it with an online tool:
SICTF{0141ac35-ec19-4cee-a906-22805fdbed77}
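What the online tool is doing: Ook! is Brainfuck with each of the eight commands spelled as a pair of Ook tokens, and the attachment above simply runs the tokens together without spaces. The interpreter below is an added example, not code from the original writeup; its run_ook function can be fed the attachment text, and the short Ook program embedded in it is constructed for this example and prints "Hi".

```python
import re

# Ook! is Brainfuck with each command spelled as a pair of Ook tokens.
# The attachment runs the tokens together ("Ook.Ook!..."), so a regex
# tokenizer is used instead of splitting on spaces.
OOK_TO_BF = {
    "Ook.Ook?": ">", "Ook?Ook.": "<", "Ook.Ook.": "+", "Ook!Ook!": "-",
    "Ook!Ook.": ".", "Ook.Ook!": ",", "Ook!Ook?": "[", "Ook?Ook!": "]",
}
BF_TO_OOK = {bf: ook for ook, bf in OOK_TO_BF.items()}


def ook_to_bf(src):
    tokens = re.findall(r"Ook[.?!]", src)
    if len(tokens) % 2:
        raise ValueError("odd number of Ook tokens")
    return "".join(OOK_TO_BF[a + b] for a, b in zip(tokens[::2], tokens[1::2]))


def bf_to_ook(bf):
    # reverse mapping, only used to build the constructed sample below
    return "".join(BF_TO_OOK[c] for c in bf if c in BF_TO_OOK)


def run_bf(code, tape_size=30000):
    # pair up brackets once so loop jumps are direct
    jump, stack = {}, []
    for i, c in enumerate(code):
        if c == "[":
            stack.append(i)
        elif c == "]":
            j = stack.pop()
            jump[i], jump[j] = j, i
    if stack:
        raise ValueError("unbalanced brackets")
    tape, ptr, pc, out = [0] * tape_size, 0, 0, []
    while pc < len(code):
        c = code[pc]
        if c == ">":
            ptr += 1
        elif c == "<":
            ptr -= 1
        elif c == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF  # 8-bit cells wrap around
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif c == ".":
            out.append(chr(tape[ptr]))
        elif c == "[" and tape[ptr] == 0:
            pc = jump[pc]
        elif c == "]" and tape[ptr] != 0:
            pc = jump[pc]
        # "," (input) is never used by these puzzles and is ignored
        pc += 1
    return "".join(out)


def run_ook(src):
    return run_bf(ook_to_bf(src))


# Constructed sample: 8*9 = 72 ('H'), then 33 more increments = 105 ('i').
SAMPLE_OOK = bf_to_ook("++++++++[>+++++++++<-]>." + "+" * 33 + ".")

if __name__ == "__main__":
    print(run_ook(SAMPLE_OOK))  # Hi
```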
3. 一起上号不
Challenge info:
Why haven't you logged on yet? Baby!
Hint: do you know CobaltStrike?
Solution:
The challenge gives a packet capture. Exporting the HTTP objects reveals a key.zip:
Export the archive and unzip it to obtain a key file. We need to extract the information inside key; following the hint, a search for CobaltStrike turns up a similar traffic-analysis challenge, and following it step by step is enough:
https://blog.csdn.net/qq_43264813/article/details/120560209
This yields the flag:
SICTF{88a39373-e204-43b6-b321-33ac8972fde9}
4. baby_zip
Challenge info:
Crack this archive!
The challenge gives a zip archive. First we confirm it is genuinely encrypted (not just a pseudo-encryption flag), then a ziprello brute force gets nowhere and binwalk does not extract any other files, so the only remaining option is a known-plaintext attack.
The method is described here:
https://hasegawaazusa.github.io/zip-crack-note.html#zip-%E7%A0%B4%E8%A7%A3
The known-plaintext attack needs at least 12 known bytes. Since the archive is known to contain a PNG file, we know the file header:
89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52
So we know at least 16 exact bytes, more than the required 12, which already satisfies the condition for the known-plaintext attack (extra known bytes speed it up); next just use the tool.
First generate the plaintext file:
Then brute-force the keys:
bkcrack -C flag.zip -c flag.png -p key.txt -o 0
With the three key parts recovered, extract the file:
bkcrack -C flag.zip -c flag.png -k 6424c164 7c334afd f99666e5 -d flag1.png
We get the image:
Open it in 010 Editor and scroll to the end for the flag:
SICTF{3a4998b8-345e-4943-a689-d01e8b08defb}
5. 还不上号
Challenge info:
Shall we log on together? Come on! I'll teach you how to write a payload!
Hint1: four-character brute force; pay attention to the details, there is another part besides CS
Hint2: the archive password is we1l
This challenge is really a combination of Easy_Shark and 一起上号不; if you solved both of those, this one is not hard.
The challenge gives two packet captures; from the names, each capture corresponds to half of the flag. Capture 1 has the form of Ez_shark, capture 2 the form of 一起上号不.
Starting with capture 1, the only difference from Ez_shark is that it does not give the AES key value, so we must find the key somehow. Capture 2 happens to contain a key.zip; export it:
The key.zip cannot be unzipped directly and is genuinely encrypted, and a known-plaintext attack is not possible either, so brute-force it with ziprello; the password turns out to be we1l (which the later Hint also gave).
Opening the key file reveals zero-width characters; use the online site http://330k.github.io/misc_tools/unicode_steganography.html to decode the zero-width-character steganography:
Note that you must tick, at the bottom of the page, every zero-width character that appears in this text, otherwise decoding fails:
This gives the AES key, so capture 1's traffic can be decrypted stream by stream in the same way as Ez_Shark, yielding two useful pieces of information:
flag.txt:
SICTF{79e1755e-08a8-4d
key:
If you solved 一起上号不, this data should look familiar: it is a key file in the .cobaltstrike.beacon_keys format. Save this content as a file key1.txt; the remaining steps are exactly the same as in that challenge.
The steps in detail:
1. Parse key1.txt to obtain private_key
import base64
import javaobj.v2 as javaobj

# key1.txt is the serialized Java object recovered from the capture
# (.cobaltstrike.beacon_keys format); javaobj deserializes it.
with open("key1.txt", "rb") as fd:
    pobj = javaobj.load(fd)

# The RSA key pair is stored as DER bytes inside the serialized object.
privateKey = pobj.array.value.privateKey.encoded.data
publicKey = pobj.array.value.publicKey.encoded.data

# Java bytes are signed; mask to 0..255 before base64-encoding into PEM.
privateKey = (
    b"-----BEGIN PRIVATE KEY-----\n"
    + base64.encodebytes(bytes(map(lambda x: x & 0xFF, privateKey)))
    + b"-----END PRIVATE KEY-----"
)
publicKey = (
    b"-----BEGIN PUBLIC KEY-----\n"
    + base64.encodebytes(bytes(map(lambda x: x & 0xFF, publicKey)))
    + b"-----END PUBLIC KEY-----"
)
print(privateKey.decode())
print(publicKey.decode())

# Debugging aid: dump every field of the deserialized object.
# print(
#     list(
#         map(
#             lambda x: list(map(lambda y: (y[0].name, y[1]), x.items())),
#             pobj.field_data.values(),
#         )
#     )
# )
2. Derive the AES key and HMAC key from private_key and the cookie in the capture (uncomment the other fields if you need them; here only the AES and HMAC keys are required)
import hashlib
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_v1_5
import base64
import hexdump

# PEM private key printed by step 1 (the key body is omitted here).
PRIVATE_KEY = """-----BEGIN PRIVATE KEY-----
<base64 private key from step 1, omitted>
-----END PRIVATE KEY-----"""

# Beacon metadata: the base64 value of the Cookie header in the capture.
encode_data = "j+ojKDVPlCr7lT9yzNinkj1DgdkcRaLMT2kL4U+9TvdFBZqGKk7/4WF/W7JhEieC3DoRfngRppMAVHa3yfhp4HZm/ZeNY4bc8rlYL11Q0dXDzpR5JjhqN+hGe9RBqPznoukShgQLhxT/DO7djxE5ROzi6NC52yZAaGPCSeLDyjg="

private_key = RSA.import_key(PRIVATE_KEY.encode())
cipher = PKCS1_v1_5.new(private_key)
# The second argument is the sentinel returned on a padding error.
ciphertext = cipher.decrypt(base64.b64decode(encode_data), 0)


def isFlag(var, flag):
    return (var & flag) == flag


def toIP(var):
    var2 = (var & -16777216) >> 24
    var4 = (var & 16711680) >> 16
    var6 = (var & 65280) >> 8
    var8 = var & 255
    return str(var2) + "." + str(var4) + "." + str(var6) + "." + str(var8)


# Windows code page number -> Java charset name (mirrors the Beacon Java
# source); entries mapped to "" have no Java equivalent.
CODEPAGES = {
    37: "IBM037", 437: "IBM437", 500: "IBM500", 708: "ISO-8859-6", 709: "", 710: "",
    720: "IBM437", 737: "x-IBM737", 775: "IBM775", 850: "IBM850", 852: "IBM852",
    855: "IBM855", 857: "IBM857", 858: "IBM00858", 860: "IBM860", 861: "IBM861",
    862: "IBM862", 863: "IBM863", 864: "IBM864", 865: "IBM865", 866: "IBM866",
    869: "IBM869", 870: "IBM870", 874: "x-windows-874", 875: "IBM875",
    932: "Shift_JIS", 936: "x-mswin-936", 949: "x-windows-949", 950: "Big5",
    1026: "IBM1026", 1047: "IBM1047", 1140: "IBM01140", 1141: "IBM01141",
    1142: "IBM01142", 1143: "IBM01143", 1144: "IBM01144", 1145: "IBM01145",
    1146: "IBM01146", 1147: "IBM01147", 1148: "IBM01148", 1149: "IBM01149",
    1200: "UTF-16LE", 1201: "UTF-16BE", 1250: "windows-1250", 1251: "windows-1251",
    1252: "windows-1252", 1253: "windows-1253", 1254: "windows-1254",
    1255: "windows-1255", 1256: "windows-1256", 1257: "windows-1257",
    1258: "windows-1258", 1361: "x-Johab", 10000: "x-MacRoman", 10001: "",
    10002: "", 10003: "", 10004: "x-MacArabic", 10005: "x-MacHebrew",
    10006: "x-MacGreek", 10007: "x-MacCyrillic", 10008: "", 10010: "x-MacRomania",
    10017: "x-MacUkraine", 10021: "x-MacThai", 10029: "x-MacCentralEurope",
    10079: "x-MacIceland", 10081: "x-MacTurkish", 10082: "x-MacCroatian",
    12000: "UTF-32LE", 12001: "UTF-32BE", 20000: "x-ISO-2022-CN-CNS",
    20001: "", 20002: "", 20003: "", 20004: "", 20005: "",
    20105: "", 20106: "", 20107: "", 20108: "", 20127: "US-ASCII",
    20261: "", 20269: "", 20273: "IBM273", 20277: "IBM277", 20278: "IBM278",
    20280: "IBM280", 20284: "IBM284", 20285: "IBM285", 20290: "IBM290",
    20297: "IBM297", 20420: "IBM420", 20423: "", 20424: "IBM424", 20833: "",
    20838: "IBM-Thai", 20866: "KOI8-R", 20871: "IBM871", 20880: "", 20905: "",
    20924: "", 20932: "EUC-JP", 20936: "GB2312", 20949: "", 21025: "x-IBM1025",
    21027: "", 21866: "KOI8-U", 28591: "ISO-8859-1", 28592: "ISO-8859-2",
    28593: "ISO-8859-3", 28594: "ISO-8859-4", 28595: "ISO-8859-5",
    28596: "ISO-8859-6", 28597: "ISO-8859-7", 28598: "ISO-8859-8",
    28599: "ISO-8859-9", 28603: "ISO-8859-13", 28605: "ISO-8859-15", 29001: "",
    38598: "ISO-8859-8", 50220: "ISO-2022-JP", 50221: "ISO-2022-JP-2",
    50222: "ISO-2022-JP", 50225: "ISO-2022-KR", 50227: "ISO-2022-CN",
    50229: "ISO-2022-CN", 50930: "x-IBM930", 50931: "", 50933: "x-IBM933",
    50935: "x-IBM935", 50936: "", 50937: "x-IBM937", 50939: "x-IBM939",
    51932: "EUC-JP", 51936: "GB2312", 51949: "EUC-KR", 51950: "",
    52936: "GB2312", 54936: "GB18030",
    57002: "x-ISCII91", 57003: "x-ISCII91", 57004: "x-ISCII91", 57005: "x-ISCII91",
    57006: "x-ISCII91", 57007: "x-ISCII91", 57008: "x-ISCII91", 57009: "x-ISCII91",
    57010: "x-ISCII91", 57011: "x-ISCII91", 65000: "", 65001: "UTF-8",
}


def getName(var0):
    # None for an unknown code page (same as falling off the original if/elif chain)
    return CODEPAGES.get(var0)


# Decrypted metadata starts with the magic 00 00 BE EF
if ciphertext[0:4] == b'\x00\x00\xBE\xEF':
    # 16 bytes of raw key material; the AES and HMAC keys are derived from it
    raw_aes_keys = ciphertext[8:24]
    # 2 bytes: ANSI code page
    var9 = getName(int.from_bytes(ciphertext[24:26], byteorder='little', signed=False))
    # 2 bytes: OEM code page
    var10 = getName(int.from_bytes(ciphertext[26:28], byteorder='little', signed=False))
    # 4 bytes: beacon id
    id = int.from_bytes(ciphertext[28:32], byteorder='big', signed=False)
    #print("Beacon id:{}".format(id))
    # 4 bytes: pid
    pid = int.from_bytes(ciphertext[32:36], byteorder='big', signed=False)
    #print("pid:{}".format(pid))
    # 2 bytes: port
    port = int.from_bytes(ciphertext[36:38], byteorder='big', signed=False)
    #print("port:{}".format(port))
    # 1 byte: flags
    flag = int.from_bytes(ciphertext[38:39], byteorder='big', signed=False)
    # print(flag)
    if isFlag(flag, 1):
        barch = ""
        pid = ""
        is64 = ""
    elif isFlag(flag, 2):
        barch = "x64"
    else:
        barch = "x86"
    if isFlag(flag, 4):
        is64 = "1"
    else:
        is64 = "0"
    if isFlag(flag, 8):
        bypassuac = "True"
    else:
        bypassuac = "False"
    #print("barch:" + barch)
    #print("is64:" + is64)
    #print("bypass:" + bypassuac)
    # 2 bytes: Windows major.minor version
    var_1 = int.from_bytes(ciphertext[39:40], byteorder='big', signed=False)
    var_2 = int.from_bytes(ciphertext[40:41], byteorder='big', signed=False)
    windows_var = str(var_1) + "." + str(var_2)
    #print("windows var:" + windows_var)
    # 2 bytes: Windows build
    windows_build = int.from_bytes(ciphertext[41:43], byteorder='big', signed=False)
    #print("windows build:{}".format(windows_build))
    # 4 bytes each, kept as raw bytes
    x64_P = ciphertext[43:47]
    ptr_gmh = ciphertext[47:51]
    ptr_gpa = ciphertext[51:55]
    # if ("x64".equals(this.barch)) {
    #     this.ptr_gmh = CommonUtils.join(var10, this.ptr_gmh)
    #     this.ptr_gpa = CommonUtils.join(var10, this.ptr_gpa)
    # }
    #
    # this.ptr_gmh = CommonUtils.bswap(this.ptr_gmh)
    # this.ptr_gpa = CommonUtils.bswap(this.ptr_gpa)
    # 4 bytes: internal IP address
    intz = toIP(int.from_bytes(ciphertext[55:59], byteorder='little', signed=False))
    if intz == "0.0.0.0":
        intz = "unknown"
    #print("host:" + intz)
    # remainder: tab-separated computer name, user name and process name
    if var9 is None:
        ddata = ciphertext[59:].decode("ISO8859-1")
    else:
        # ??x-mswin-936
        # ddata = ciphertext[59:].decode(var9)
        ddata = ciphertext[59:].decode("ISO8859-1")
    ddata = ddata.split("\t")
    if len(ddata) > 0:
        computer = ddata[0]
    if len(ddata) > 1:
        username = ddata[1]
    if len(ddata) > 2:
        process = ddata[2]
    #print("PC name:" + computer)
    #print("username:" + username)
    #print("process name:" + process)
    # Session keys: SHA-256 of the raw key material, first half AES, second half HMAC
    digest = hashlib.sha256(raw_aes_keys).digest()
    aes_key = digest[0:16]
    hmac_key = digest[16:]
    print("AES key:{}".format(aes_key.hex()))
    print("HMAC key:{}".format(hmac_key.hex()))
    #print(hexdump.hexdump(ciphertext))
3. Write the data from the capture in base64 form (the data is the blue part in the figure; try the traffic in each TCP stream in turn):
Convert to raw data:
Write as base64:
4. Final decryption:
'''
Decrypt a Beacon task result
'''
import hmac
import binascii
import base64
import hexdump
from Crypto.Cipher import AES


def compare_mac(mac, mac_verif):
    if mac == mac_verif:
        return True
    if len(mac) != len(mac_verif):
        print("invalid MAC size")
        return False
    result = 0
    for x, y in zip(mac, mac_verif):
        result |= x ^ y
    return result == 0


def decrypt(encrypted_data, iv_bytes, signature, shared_key, hmac_key):
    # Encrypt-then-MAC: HMAC-SHA256 over the ciphertext, truncated to 16 bytes
    if not compare_mac(hmac.new(hmac_key, encrypted_data, digestmod="sha256").digest()[0:16], signature):
        print("message authentication failed")
        return
    cypher = AES.new(shared_key, AES.MODE_CBC, iv_bytes)
    data = cypher.decrypt(encrypted_data)
    return data


# keys come from Beacon_metadata_RSA_Decrypt.py (step 2)
SHARED_KEY = binascii.unhexlify("2f793b0251bb6c09bda982cb159cd611")
HMAC_KEY = binascii.unhexlify("e5695e8bf533009cd4a3c950d447b032")
encrypt_data = "AAAAwNR1s4ymDHA08b2cCeYKryK3UKJK0G2nKl/svxd3sD2WvktAWL1hS0gvdfXP7XmLpCd3CgYHRMvh9bWGrKW/2ANbWBQEYp1Lv+iIsuBpLdxanTNqAEOnre/71JK8hUKuJ32lY88IsDwgFFjvH0l3lwDOwgtXtOe6mhxvhuxUK8ourv/sii2KGiMOacqaRI2bOtOBcEal00/bBj85FcE+W6PmmGbF0Q9BvUvQmDT9C+J2H12SZqwwAbFGVJwntkDq7Q=="
encrypt_data = base64.b64decode(encrypt_data)
# Frame layout: 4-byte big-endian length, then ciphertext, then a 16-byte HMAC tag
encrypt_data_length = int.from_bytes(encrypt_data[0:4], byteorder='big', signed=False)
encrypt_data_l = encrypt_data[4:]
data1 = encrypt_data_l[0:encrypt_data_length - 16]
signature = encrypt_data_l[encrypt_data_length - 16:encrypt_data_length]
# Beacon uses this fixed IV
iv_bytes = bytes("abcdefghijklmnop", 'utf-8')
dec = decrypt(data1, iv_bytes, signature, SHARED_KEY, HMAC_KEY)
# Decrypted payload: 4-byte counter, 4-byte length, then the task output
counter = int.from_bytes(dec[0:4], byteorder='big', signed=False)
print("counter:{}".format(counter))
dec_length = int.from_bytes(dec[4:8], byteorder='big', signed=False)
print("任务返回长度:{}".format(dec_length))
de_data = dec[8:]
# first 4 bytes of the output are the task output type
Task_type = int.from_bytes(de_data[0:4], byteorder='big', signed=False)
print("任务输出类型:{}".format(Task_type))
print(de_data)
# print(hexdump.hexdump(dec))
A base32 string can be seen:
Decoding it gives the second half of the flag:
SICTF{79e1755e-08a8-4d3d-9385-4c0541549995}
6. Easy_Shark
Challenge info:
Shark! Rawr!
Solution:
The challenge gives a capture file; following the TCP stream reveals a piece of PHP code:
As can be seen, when the openssl extension is available, this code decrypts the data with base64 followed by AES-128, and it gives the key value (I later learned this is a clear signature of Behinder, 冰蝎). So CyberChef can be used to recover the base64 data in each of the following TCP streams:
Then extract the inner base64 segment from the decrypted ciphertext and decrypt it again; at the very bottom you find:
As can be seen, this program is executing the cmd command at the bottom; applying the same decryption to the response data gives the output of the executed command. This yields two useful pieces of information:
GronKey.txt:
1,50,61,8,9,20,63,41
flag.txt:
TGLBOMSJNSRAJAZDEZXGHSJNZWHG
Submitting the flag content as-is is wrong, so it must still be decrypted, and the decryption needs GronKey.txt; by normal reasoning the name GronKey must be a hint. Searching leads to the Gronsfeld cipher; decrypt it:
from pycipher import Gronsfeld

# numeric key from GronKey.txt
t = [1, 50, 61, 8, 9, 20, 63, 41]
# ciphertext from flag.txt
temp = "TGLBOMSJNSRAJAZDEZXGHSJNZWHG"
print(Gronsfeld(t).decipher(temp))
Result:
SICTFSHUMUISAGOODBOYYYYYYYYY
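For readers without pycipher, the arithmetic behind that call, as an added example that is not part of the original writeup: Gronsfeld is Vigenere with a numeric key, each letter shifted by the next key value modulo 26, which is why key values such as 50 or 63 are fine. Unlike pycipher, this version passes non-letters through unchanged.

```python
def gronsfeld(text, key, decrypt=False):
    """Gronsfeld cipher: Vigenere with a list of integers as the key.

    Letter i is shifted by key[i % len(key)] (subtracted when decrypting);
    shifts are reduced mod 26, so key values like 50 or 63 are legal.
    Non-letters are passed through unchanged and do not consume a key value.
    """
    out, i = [], 0
    for ch in text.upper():
        if not ch.isalpha():
            out.append(ch)
            continue
        shift = key[i % len(key)]
        if decrypt:
            shift = -shift
        out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        i += 1
    return "".join(out)


# values from GronKey.txt and flag.txt above
GRON_KEY = [1, 50, 61, 8, 9, 20, 63, 41]
CIPHERTEXT = "TGLBOMSJNSRAJAZDEZXGHSJNZWHG"

if __name__ == "__main__":
    print(gronsfeld(CIPHERTEXT, GRON_KEY, decrypt=True))  # SICTFSHUMUISAGOODBOYYYYYYYYY
```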
7. fast_morse
Challenge info:
You are so fast! (the flag must include SICTF{})
Solution:
The challenge gives an audio file; open it in Audacity:
Zooming in, it is obviously Morse code; just convert it:
..-. ..--- .- ----- ----. -... ..-. -....- --... ..-. ....- .- -....- ....- ..--- -.... ----. -....- ----. ...-- .- ..... -....- -.-. ---.. .- ....- ---.. ...-- -.... ----- -... ----- ...-- -.-.
After decoding with an online tool, convert to lowercase:
SICTF{f2a09bf-7f4a-4269-93a5-c8a48360b03c}
8. QR_QR_QR
Challenge info:
I'm just scanning a QR code! Why do I need pwntools?
Solution:
The challenge gives a port; connect with nc:
The QR finder patterns are recognisable, so the idea is to turn these 0s and 1s into a QR code and scan it; pasting the data into VSCode shows the picture directly in the side view:
Just scan it.
But when uploading this data we find:
It timed out... so we need a script for automated interaction. After one round the target sends QR data again, so presumably the flag only comes after a certain number of rounds.
exp:
from pwn import *
from PIL import Image
from pyzbar.pyzbar import decode

r = remote("210.44.151.51", 10160)
count = 0
while True:
    count += 1
    print(count)
    # the server sends the QR bitmap as '0'/'1' characters, read up to the prompt "P"
    data = list(r.recvuntil(b"P")[:-1])
    # image width and height (adjust to the data length)
    width = 116
    height = 116
    # create a blank 1-bit (black/white) image with a white background
    image = Image.new("1", (width, height), color=1)
    # pixel access object
    pixels = image.load()
    # fill the 0/1 data into the image
    for y in range(height):
        for x in range(width):
            index = y * width + x
            if index < len(data) and data[index] == 48:  # ord("0")
                pixels[x, y] = 0  # a '0' becomes a black pixel
            else:
                pixels[x, y] = 1  # everything else stays white
    # save the image to a file
    image.save("1.png")
    # scan the QR code and send its content back
    decodedQR = decode(Image.open("1.png"))[0].data
    r.sendline(decodedQR)
    temp = r.recvline()
    print(temp)
    temp = r.recvline()
    print(temp)
After 1000 rounds the target sends the flag:
SICTF{d7d23552-d917-4ad4-962c-e415dd5b5b6e}
9. 问卷调查
Challenge info:
Only those who fill in the survey seriously get the flag~ (follow the official account and reply sictf to get the survey)
Solution:
Follow the official account and do as asked; the flag is in the survey.