2023 浙江省大学生网络与信息安全竞赛 Misc Writeup

Lunatic Lunatic included in Writeup
 About 600 words 3 minutes 

全靠队友带飞。拿了省一

这里对赛中的部分Misc题进行一个简单的复盘

初赛

Easy_Cipher

题目如下:

1

["Kln/qZwlOsux+b/Gv0WsxkOec5E70dNhvczSLFs+0pkHaovEOBqUApBGBDBUrH08。RUNCIDAgMTI4IHNpeCBudW1iZXJz","Kln/qZwlOsux+b/Gv0WsxkOec5E70dNhvczSLFs+0pkHaovEOBqUApBGBDBUrH08"]

把中间的那段密文base64解码可以得到

1
2

RUNCIDAgMTI4IHNpeCBudW1iZXJz
ECB 0 128 six numbers

因此写个Python脚本爆破一下AES-ECB模式的密钥即可

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21

import base64
from Crypto.Cipher import AES
def aes_decrypt(data, key):
    key = key.encode('utf-8')+b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
    # print(key)
    cipher = AES.new(key, AES.MODE_ECB)
    decrypted = cipher.decrypt(base64.b64decode(data))
    return decrypted
    
if __name__ == "__main__":
    data = 'Kln/qZwlOsux+b/Gv0WsxkOec5E70dNhvczSLFs+0pkHaovEOBqUApBGBDBUrH08'
    for i in range(100000,999999):
        key = str(i)
        res = aes_decrypt(data=data,key=key)
        res = str(res)
        if 'flag' in res or 'DASCTF' in res:
            print(f"key:{key}")
            print(f"flag:{res}")
            break
#key:515764
#flag:b'DASCTF{W0w_Y0u_Succ3s5ful1y_Cr4ck_Th1s_C1ph3r}\x00\x00'

Steins_Gate

解法一:根据像素点还原原图

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53

from PIL import Image

def get_pixel():
    img = Image.open('Steins_Gate.png')
    width, height = img.size
    pixel = img.load()
    target_data = []
    # 从行开始取
    for i in range(0, width, 16):
        # 从列开始取
        for j in range(0, height, 16):
            # 统计每个区块的像素
            dic = {}
            for x in range(i, i+16):
                for y in range(j, j+16):
                    r, g, b = pixel[x, y]
                    if (r, g, b) in dic:
                        dic[(r, g, b)] += 1
                    else:
                        dic[(r, g, b)] = 1
            # sorted_data = sorted(dic.items(), key=lambda x: x[1], reverse=True)
            # print(sorted_data)
            # return 0
            # 按照字典中值来进行排序
            sorted_data = sorted(dic.items(), key=lambda x: x[1], reverse=True)
            if sorted_data[0][0] != (211, 211, 211):
                target_pixel = sorted_data[0][0]
            else:
                target_pixel = sorted_data[1][0]
            target_data.append(target_pixel)
    return target_data


def fix_image(width, height, target_data):
    # 创建一个新的图像对象
    img1 = Image.new("RGB", (width, height))
    for i in range(width):
        for j in range(height):
            index = i * height + j
            target_pixel = target_data[index]
            img1.putpixel((i, j), target_pixel)

    img1.show()
    img1.save("fixed.png")


if __name__ == "__main__":
    target_data = get_pixel()
    img = Image.open('Steins_Gate.png')
    width, height = img.size
    width = width // 16
    height = height // 16
    fix_image(width, height, target_data)

解法二:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44

from PIL import Image
import libnum
import base64

def get_data():
    res = []
    base64_data = ''
    img = Image.open('Steins_Gate.png')
    f=open('lsb_low.txt','wb')
    width,height=img.size
    for i in range(6,height,16):
        try:
            bins = ""
            for j in range(2,width,16):
                tmp = img.getpixel((j,i))
                # 将每个通道的最低位(即最不重要的位)提取出来,并将其转换为字符串
                bins += str(tmp[0] & 1) + str(tmp[1] & 1) + str(tmp[2] & 1)
            # 将二进制字符串bins转换为字节数据data
            data = libnum.b2s(bins)
            data = data[:data.index(b"==")+2]
            # print(data)
            res.append(data.decode())
            # print(res)
        except:
            break
    base64_data = '\n'.join([item for item in res])
    # print(base64_data) # 这里的base64_data可以转为一张jpg图片
    return res

def decode_base64_steg(data):
    bin_str = ''
    b64chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
    for stegb64 in data:
        rowb64 = str(base64.b64encode(base64.b64decode(stegb64)), "utf-8").strip("\n")
        offset = abs(b64chars.index(stegb64.replace('=', '')[-1]) - b64chars.index(rowb64.replace('=', '')[-1]))
        equalnum = stegb64.count('=')  # no equalnum no offset
        if equalnum:
            bin_str += bin(offset)[2:].zfill(equalnum * 2)
        print(''.join([chr(int(bin_str[i:i + 8], 2)) for i in range(0, len(bin_str), 8)]))  # 8位一组
        
if __name__ == "__main__":
    data = get_data()
    res = decode_base64_steg(data)
    # DuDuLu~T0_Ch3@t_THe_w0r1d
1
2
3
4
5
6
7

$ outguess -k 'DuDuLu~T0_Ch3@t_THe_w0r1d' -r flag.jpg flag.txt
Reading flag.jpg....
Extracting usable bits:   67087 bits
Steg retrieve: seed: 65, len: 40

$ cat flag.txt
DASCTF{699948e3ae1195f819b23b759684ac8e}

决赛

蝎子

Byxs20出的题,给了一个冰蝎webshell流量,最后一步套了一个光栅

最后是卡在了光栅上,没有解出来,这里就贴一下解光栅的脚本吧

1
2
3
4
5
6
7
8
9

from PIL import Image
import numpy as np

img = np.array(Image.open('flag.png'))
print(img.shape)
for i in range(5):
    z = np.zeros_like(img)
    z[:, i::5, :] = img[:, i::5, :]
    Image.fromarray(z).show()
Updated on 2023-11-07 
Read Markdown
CTFMiscWriteup
Back | Home
0%