2022 CodeMonster CTF (CMCTF-4) Misc challenge-author writeup

This year's school CTF had a few fairly fun (nested) Misc challenges.

Music

Skills tested: traffic analysis, observation, audio steganography, cryptography (?)

Description: The hacker loves music, so he looked for some rhythm-game sites to download beatmaps to play. He found that one of the sites had a command execution vulnerability, so he downloaded some strange things.

Author: IceCliffs
Challenge name: Music
Estimated difficulty: easy
Date set: 2022/4/11

Capture the traffic and analyze the HTTP streams: an image (k448.jpg) was downloaded.

Extract the image and carve it; it separates into an archive (Staff.zip) and (music.mp3).

Viewing (music.mp3) in the frequency domain (spectrogram) gives the password for the (Staff.zip) archive: Diana!aLove8

Extracting (Staff.zip) yields an encrypted archive (whatthisis.zip), a password-protected document (flag.docx) and a text file (pass.txt).

The text file (pass.txt) contains the keyword REVERSE, so the value after REVERSE 0A 0A 00 00 00 00 has to be reversed; you can also just reverse the whole text and the key information becomes visible:

93632393439383139313D34696F376E6F637F232F2D6F636E2336313E236963757D6F2F2A33707474786

Reversed, this gives

68747470733A2F2F6D757369632E3136332E636F6D2F232F736F6E673F69643D31393138393439323639

Converting it back to a string gives the link

https://music.163.com/#/song?id=1918949269

The password is the author's comment in the song's comment section:
T0JRWEc0WjJNWkFHU1kzUElCVkVRWVRQTU5HRzZRQT0=

Decode it base64 -> base32,

which gives

pass:f@ico@jHbocLo@
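The three decoding steps above (notice that the hex is mirrored, reverse it and decode it, then peel base64 and base32 off the comment) as a small Python script. This is an added example, not the challenge author's code; the two input strings are the ones quoted above, and the helper names (try_ascii, recover_link, archive_password) are my own.

```python
import base64

# Hex value following the REVERSE hint in pass.txt, exactly as quoted in the writeup.
MIRRORED_HEX = "93632393439383139313D34696F376E6F637F232F2D6F636E2336313E236963757D6F2F2A33707474786"

# Base64 string the author left in the song's comment section (from the writeup).
COMMENT_B64 = "T0JRWEc0WjJNWkFHU1kzUElCVkVRWVRQTU5HRzZRQT0="


def try_ascii(hexstr: str):
    """Return the decoded text if hexstr is valid hex that decodes to printable ASCII, else None.

    The un-reversed value starts with 0x93, which is not printable, so this is
    the quick check that tells you the text was mirrored.
    """
    try:
        data = bytes.fromhex(hexstr)
    except ValueError:
        return None
    return data.decode("ascii") if all(0x20 <= b < 0x7F for b in data) else None


def recover_link(mirrored: str) -> str:
    """Try the hex as-is, then character-reversed (the 'REVERSE' hint)."""
    for candidate in (mirrored, mirrored[::-1]):
        text = try_ascii(candidate)
        if text is not None:
            return text
    raise ValueError("neither orientation decodes to printable ASCII")


def decode_b64_then_b32(s: str) -> str:
    """Two-layer encoding: base64 on the outside, base32 on the inside."""
    inner = base64.b64decode(s)            # b'OBQXG4Z2MZAGSY3PIBVEQYTPMNGG6QA='
    return base64.b32decode(inner).decode("ascii")


def archive_password(comment: str) -> str:
    """Strip the 'pass:' label the author put in front of the password."""
    text = decode_b64_then_b32(comment)
    prefix = "pass:"
    if not text.startswith(prefix):
        raise ValueError(f"unexpected layout: {text!r}")
    return text[len(prefix):]


if __name__ == "__main__":
    print(recover_link(MIRRORED_HEX))       # https://music.163.com/#/song?id=1918949269
    print(archive_password(COMMENT_B64))    # f@ico@jHbocLo@
```

try_ascii is deliberately strict (printable ASCII only) so that the mirrored input is rejected instead of silently producing mojibake; the same check is a cheap way to decide between candidate encodings in any CTF decoding chain.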

The password for (whatthisis.zip) is f@ico@jHbocLo@

After opening the document, press Ctrl+A then Ctrl+D and untick the hidden-text checkbox; at this point nothing on screen appears to change.

Press Ctrl+A again and a small block of text shows up; zooming in gives the password for the (flag.zip) archive: 0llo00llllO0o0o0lOo0l0IolIlIIolO0llO00ll0lIO0IIo0lIoO0I00OOOlIIO

Extracting the archive gives an osu file. Running the osu! beatmap shows a fake flag, but looking closely there is a hint at the very top: "Look at your MAP Settings"

Open the osu! editor (right-click -> Edit), then press F4 or use View -> Map Settings in the menu bar; there is something in the Tags field.

It is a string encoded with musical-note symbols; copy and paste it into a decoder:

‖♬♩‖¶♯‖♬♭‖♬♫‖♫♪♭♯♩‖‖‖‖♩♬‖♬♪‖♩♫♭♭♭‖‖♭‖♩♫♭♭♭♭‖♯‖♬♪‖♩♩‖♩¶‖♫§♭♭♭♭♭♬‖♩¶♭♯♩♭♯♩‖♫§♭♭♭‖¶♬‖‖♭‖♬♫‖♬♬♭‖‖‖♫♫§=

You can also unzip the osz file directly (an osu! beatmap .osz is itself just a zip archive) and look at the *.osu file to find the Tags line.

Final flag:

flag{N0tes_1s_Veruy_FuNNy_R1ghT}

Diana

Skills tested: Aztec code, basic steganography, encoding, radio. Part of this comes from the PKU CTF; thanks to pkucc.

Description: Diana (小嘉然) spins round and round

Author: IceCliffs
Challenge name: Diana
Estimated difficulty: easy
Date set: 2022/4/11

First, the challenge gives the 0/1 data of an Aztec Code. Write a script to render it back into an Aztec code, adding the Aztec finder pattern in the centre.

Scanning the code gives the download link

https://share.weiyun.com/ZKP1Di9S/52XMUT

The password is 52XMUT

Extracting it gives an image.

binwalk carves an audio file out of it; decoding the audio as SSTV (slow-scan television) gives the password for the (flag.zip) archive

dMP1c2mZ6n

After extracting flag.zip we get a pile of SMS PDU data. Filter out the junk (嘉然) records and write a script to extract the key data:

0791FEFFFCFFEFFF01000D91683110400805F000084600480069002C0020004400690061006E0061002E00200048006F0077002000610072006500200079006F007500200064006F0069006E006700200074006F006400610079003F
0791FEFFFCFFEFFF21000D91683110400805F0000826633A4E0D95197684FF0C4ECA592964AD4E8651E053415206949FFF0C8D5A4E865F88591A94B1
0791FEFFFCFFEFFF01000D91681603018450F0000814662F561BFF0C8D5A4E865F88591A94B15BF95427
0791FEFFFCFFEFFF01000D91681603018450F000080A67658BA96211770B770B
0791FEFFFCFFEFFF21000D91681603018450F00008084E0D89815566FF0C
0791FEFFFCFFEFFF01000D91681603018450F000080E542C8BDDFF0C8BA962115EB75EB7
0791FEFFFCFFEFFF010008916811544100081A6B384F605E72561B5566FF0C597D597D597DFF0C7ED94F60770B
0891681119191154F101000D91681154419191F800086400380039003500300034004500340037003000440030004100310041003000410030003000300030003000300030004400340039003400380034003400350032003000300030003000300030003400430030003000300030003000300031004100300038
0891681119191154F101000D91681154419191F80008025609
0891681119191154F101000D91681154419191F800086400300033003000300030003000300030003200410039004500340041004600330030003000300030003000300033004600350030003400430035003400340035004600460046004600460046004600460043003000430030004600460046004600430030
0891681119191154F101000D91681154419191F80008027136
0891681119191154F101000D91681154419191F800086400430030004600460043003000430030004600460046004600430030004300300046004600460046004300300046004600460046003000300030003000460046004600460030003000300030004600460030003000300030004600460046004600300030
0891681119191154F101000D91681154419191F8000802FF0C
0891681119191154F101000D91681154419191F800086400300030004600460046004600300030004600460043003000300030003000300043003000430030003000300030003000430030003000300030003000430030004300300030003000300030004300300043003000300030004300300046004600460046
0891681119191154F101000D91681154419191F80008026211
0891681119191154F101000D91681154419191F800086400460046003000300030003000300030004300430034003400450046004600320030003000300030003000320031003900340039003400340034003100350034003300380038004400410044003500340044003900390032004500340032003000300043
0891681119191154F101000D91681154419191F8000802771F
0891681119191154F101000D91681154419191F800086400330033003400370038003000370030003800370045004100460046004600460044003600330035004200310039003300390038003900450039004500390044004400440041004100440031003400420032003700390030003300360034003200390032
0891681119191154F101000D91681154419191F80008027684
0891681119191154F101000D91681154419191F800086400300044003100450035003100350034003600420038003600420030004400420038004400390030003900430031004100360033004200380039004300300037004300310039003500340041004400300041004400450046003200370044004100300039
0891681119191154F101000D91681154419191F8000802597D
0891681119191154F101000D91681154419191F800086400420033004600330039004200350031003100310030003800420036003300340035004300300038004300350031003300430030004600360031004500360033004200340038003800310034003100420037004600460045004500430045003200350045
0891681119191154F101000D91681154419191F8000802559C
0891681119191154F101000D91681154419191F800086400300044003700410034003200320043004500320032003300310037004600330031003000300039003300440036003500360034003400350033003800300038004400420032003800370039003600320033003800390037003000390043003300300037
0891681119191154F101000D91681154419191F80008026B22
0891681119191154F101000D91681154419191F800086400450030003100410032003500450043003300410045003400300036003000460046003400350031003900380030004500390045003700390037003400340033003100370036003800350035003100350038003200300037003800370031003700430044
0891681119191154F101000D91681154419191F800086400360035003600430035004300460046004600450036003400330037003100450045003600420036003200380032003600340039003100300035003400300035003100460031003400380034003800390041004100370035003200300044003400330044
0891681119191154F101000D91681154419191F80008024F60
0891681119191154F101000D91681154419191F800086400340041003400360046003700420032003000360039004600320041004400370036004100330039004300300034003900300044004300390031003900440032003400320045004200310041003400300035003700410033003300440044004300410032
0891681119191154F101000D91681154419191F800086400440034004500320044003800380043004500430034004500430043003400370045003500310032003300420043003600430035003600380043004200360035004100350038004200320032003400380034003100360043004500430030003400370042
0891681119191154F101000D91681154419191F800086400380043003400350041003900310041004500460039004400310038003000450037003100350031003700320039003300450033004500310032003100360044003300390037003500420036003000340038003400360033004500380036004600450037
0891681119191154F101000D91681154419191F800086400370035003900300034004500460036004100360034003500330031004100390030003400360041003800310036003900320032003000340036003300300039003700310037003300350033004400330034004400430041003000420042003700360036
0891681119191154F101000D91681154419191F800086400360045003100370042003500430030003800430038004100410042003600380035004100450045003900460045004400320034003300450036004200460030004100450038004200410038004500300038003700320043004600360030003400450038
0891681119191154F101000D91681154419191F800086400460036004300440039003800330033004400370031004600310041004300330032004400460045003700320033004500410044003400450036003700410035003900410033004300340043003100330042003100350037003100360046004200460030
0891681119191154F101000D91681154419191F800086400380035003000440039003900340042003000410030003900380030004200440045003800380038004500460039003400340041004400420036004500450032003400450045003100420038003000450045003500440043003600370032003000450035
0891681119191154F101000D91681154419191F8000802554A
0891681119191154F101000D91681154419191F800086400410045004500330038003500370045003800420039004200370032004100420030004500460033004100350030003700420043004200300030004500460035003900410034004200440032004200340033004200380033004600350046004400310032
0891681119191154F101000D91681154419191F800086400350041003600350044003900300033004300430043004100390046003800390036003300300035003700390035004500300030003700320039004100360033003800350045003700340034003300330035004400370034004500440037003800420037
0891681119191154F101000D91681154419191F800086400390034003700390036004400380037004300430031003700360037003200320042004300340044003800360038003700460037003600390033003300450032004500390038004300330037003500450034004200440043003500300030004200360030
0891681119191154F101000D91681154419191F800086400410042004500450042003000440044004300440030003200440045003400440035003600460035003600420044003800360045004300390034003400460030004600390046003000460035004500430043003300370032003000370046003100340034
0891681119191154F101000D91681154419191F800086400390033003800320035004500360031003500420032003400370042003500330041004300450030003000300037003100360034003600330039003100350044004600420033003800420042003500380038003900320038003700310034004500300032
0891681119191154F101000D91681154419191F800086400420034004500370044003300430038003400320045003000450046003300330035003000310034003400460030004400370037004300440030004600390046003900370036003200390038004100300046003200430044004200390037003300420030
0891681119191154F101000D91681154419191F800086400320044004100330045003400390041003700380038004400430035004300320034003600350045003600370045004400330046003600300034004500420044004300390031003200410033004300450039004100410033004300380038003300330035
0891681119191154F101000D91681154419191F800086400370031004500450045003700300032003100320041003800440042004500420046004600460045004600310037003700460043003600320042003500390037004600460034004400360041004100460039004600360041004600440030003100340045
0791FEFFFCFFEFFF01000C9168115441919100084C00340044003300320037003100440043003200460044003500330031003000300030003000300030003000300034003900340035003400450034003400410045003400320036003000380032
0791FEFFFCFFEFFF01000C9168115441919100082254C7FF0C004400690061006E0061FF016211771F7684597D559C6B224F60554AFF01
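An SMS PDU parser for the dump above, added here as an example (it is not the author's script). It walks the SMSC header, the SMS-SUBMIT/SMS-DELIVER fields and the UCS-2 user data, then keeps the hex-only payloads in dump order (the PNG fragments) and drops the one-character 嘉然 filler messages. Only six lines of the dump are embedded so the block stays short; run it over the full list to get the whole PNG. Function names are mine; the field layout is the standard 3GPP TS 23.040 one.

```python
from typing import Dict, List

# Six PDU lines copied from the dump above: the two opening dialogue lines,
# the first PNG fragment, one filler character, the last PNG fragment and
# the closing line.
SAMPLE_PDUS = [
    "0791FEFFFCFFEFFF01000D91683110400805F000084600480069002C0020004400690061006E0061002E00200048006F0077002000610072006500200079006F007500200064006F0069006E006700200074006F006400610079003F",
    "0791FEFFFCFFEFFF21000D91683110400805F0000826633A4E0D95197684FF0C4ECA592964AD4E8651E053415206949FFF0C8D5A4E865F88591A94B1",
    "0891681119191154F101000D91681154419191F800086400380039003500300034004500340037003000440030004100310041003000410030003000300030003000300030004400340039003400380034003400350032003000300030003000300030003400430030003000300030003000300031004100300038",
    "0891681119191154F101000D91681154419191F80008025609",
    "0791FEFFFCFFEFFF01000C9168115441919100084C00340044003300320037003100440043003200460044003500330031003000300030003000300030003000300034003900340035003400450034003400410045003400320036003000380032",
    "0791FEFFFCFFEFFF01000C9168115441919100082254C7FF0C004400690061006E0061FF016211771F7684597D559C6B224F60554AFF01",
]


def semi_octets(raw: bytes, ndigits: int) -> str:
    """Decode a nibble-swapped BCD number ('68 31' -> '8613'), dropping the F pad."""
    digits = "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in raw)
    return digits[:ndigits]


def parse_pdu(hexstr: str) -> Dict[str, object]:
    """Parse one PDU line into its SMSC, message type, address, DCS and text."""
    b = bytes.fromhex(hexstr)
    smsc_len = b[0]                                  # bytes of SMSC info that follow
    smsc = semi_octets(b[2:1 + smsc_len], (smsc_len - 1) * 2).rstrip("F") if smsc_len else ""
    i = 1 + smsc_len
    first = b[i]; i += 1
    mti = first & 0x03                               # 0 = SMS-DELIVER, 1 = SMS-SUBMIT
    if mti == 1:
        i += 1                                       # TP-MR (message reference)
    addr_len = b[i]; i += 1                          # address length in digits
    i += 1                                           # type-of-address (0x91 = international)
    addr_bytes = (addr_len + 1) // 2
    address = semi_octets(b[i:i + addr_bytes], addr_len); i += addr_bytes
    i += 1                                           # TP-PID
    dcs = b[i]; i += 1                               # TP-DCS
    if mti == 0:
        i += 7                                       # TP-SCTS timestamp (deliver only)
    else:
        vpf = (first >> 3) & 0x03                    # TP-VPF: validity period format
        if vpf == 2:
            i += 1                                   # relative format, 1 octet
        elif vpf in (1, 3):
            i += 7                                   # enhanced/absolute format, 7 octets
    udl = b[i]; i += 1
    user_data = b[i:i + udl]
    if dcs & 0x0C == 0x08:                           # UCS-2 alphabet: UDL counts bytes
        text = user_data.decode("utf-16-be")
    else:                                            # GSM 7-bit/8-bit not used in this dump
        text = user_data.hex().upper()
    return {"smsc": smsc, "mti": mti, "address": address, "dcs": dcs, "text": text}


def is_hex_fragment(text: str) -> bool:
    """True for the PNG fragment messages: even-length, hex characters only."""
    return len(text) >= 8 and len(text) % 2 == 0 and all(c in "0123456789ABCDEF" for c in text)


def extract_hex_payload(pdus: List[str]) -> bytes:
    """Concatenate the hex-only messages in dump order and return the raw bytes."""
    chunks = [m["text"] for m in map(parse_pdu, pdus) if is_hex_fragment(m["text"])]
    return bytes.fromhex("".join(chunks))


def dialogue(pdus: List[str]) -> List[str]:
    """The human-readable messages, with the one-character 嘉然 filler dropped."""
    return [m["text"] for m in map(parse_pdu, pdus)
            if not is_hex_fragment(m["text"]) and len(m["text"]) > 1]


if __name__ == "__main__":
    for line in dialogue(SAMPLE_PDUS):
        print(line)
    png = extract_hex_payload(SAMPLE_PDUS)
    print(png[:8] == b"\x89PNG\r\n\x1a\n", len(png), "bytes")
```

Grouping by address would separate the two phones in the conversation, but for this challenge the useful split is simply "hex fragment or not": the filler messages carry a single CJK character each and never pass is_hex_fragment, so they fall out without any hand-picking.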

Decoding gives

Hi, Diana. How are you doing today?

Pretty good, I streamed for a few dozen minutes today and made a lot of money

Oh really, you made a lot of money, right

Come on, let me have a look

No way,

Be good and let me look. Hey, what are you doing, fine, fine, fine, I'll show you

89504E470D0A1A0A0000000D494844520000004C0000001A08
030000002A9E4AF30000003F504C5445FFFFFFFFC0C0FFFFC0
C0FFC0C0FFFFC0C0FFFFC0FFFF0000FFFF0000FF0000FFFF00
00FFFF00FFC00000C0C00000C00000C0C00000C0C000C0FFFF
FF000000CC44EFF20000021949444154388DAD54D992E4200C
3347807087EAFFFFD635B193989E9E9DDDAAD14B2790364292
0D1E51546B86B0DB8D909C1A63B89C07C1954AD0ADEF27DA09
B3F39B511108B6345C08C513C0F61E63B488141B7FFEECE25E
0D7A422CE22317F310093D6564453808DB287962389709C307
E01A25EC3AE4060FF451980E9E7974431768551582078717CD
656C5CFFFE64371EE6B62826491054051F148489AA7520D43D
4A46F7B2069F2AD76A39C0490DC919D242EB1A4057A33DDCA2
D4E2D88CEC4ECC47E5123BC6C568CB65A58B2248416CEC047B
8C45A91AEF9D180E71517293E3E1216D3975B6048463E86FE7
75904EF6A64531A9046A816922046309717353D34DCA0BB766
6E17B5C08C8AAB685AEE9FED243E6BF0AE8BA8E0872CF604E8
F6CD9833D71F1AC32DFE723EAD4E67A59A3C4C13B15716FBF0
850D994B0A0980BDE888EF944ADB6EE24EE1B80EE5DC6720E5
AEE3857E8B9B72AB0EF3A507BCB00EF59A4BD2B43B83F5FD12
5A65D903CCCA9F896305795E00729A6385E744335D74ED78B7
94796D87CC176722BC4D8687F76933E2E98C375E4BDC500B60
ABEEB0DDCD02DE4D56F56BD86EC944F0F9F0F5ECC37207F144
93825E615B247B53ACE000716463915DFB38BB588928714E02
B4E7D3C842E0EF3350144F0D77CD0F9F976298A0F2CDB973B0
2DA3E49A788DC5C2465E67ED3F604EBDC912A3CE9AA3C88335
71EEE70212A8DBEBFFFEF177FC62B597FF4D6AAF9F6AFD014E
4D3271DC2FD5310000000049454E44AE426082
Wow, Diana! I really love you!

Finally an image is extracted.

Feed the image to npiet and run it as a (Piet) program; it echoes the flag.

flag{3n8Gyn3_928cv1ms1X8HibH4aN6B5A1_19ZceX4nnPq7}

WOW!

Skills tested: Ook!, LSB, invisible watermarking

Description:

Just dance an otaku dance in front of the camera; the more people the better.

I recommend Lucky Star's 《拿去吧!水手服》 (Motteke! Sailor Fuku).

PS: this challenge is a lot of fun (; the inspiration came from ROIS's 2019 national CTF writeup.

Author: IceCliffs
Challenge name: WOW!
Estimated difficulty: easy
Date set: 2022/4/11

https://share.weiyun.com/8w7wfyDw, password: 6pbgzv

Once the detected head count == 6, a gift is generated locally; the gift is a docx file with an mp3 steganography file (header4) and an LSB steganography image (header5) hidden inside.

You can also just decompile the py directly (mainly for those who cannot get it to run).

The face detection was added for fun 🥰; enjoy, everyone.

Decoding the modem data stream in the wav file (header4) gives a base64 string of Ook! data.

The baud rate is 300.

+++++ ++[-> +++++ ++<]> ..<++ +++[- >++++ +<]>+ +++++ ++++. --.<+ ++++[
->+++ ++<]> .<+++ ++++[ ->--- ----< ]>--- ----- -.<++ +++[- >++++ +<]>+
.<+++ ++[-> +++++ <]>+. <++++ +++[- >---- ---<] >---. +++++ .<+++ ++[->
+++++ <]>++ +++++ +++.< +++++ +[->- ----- <]>-. .<+++ +++[- >++++ ++<]>
+++++ +++++ ++.++ ++.<+ +++++ [->-- ----< ]>--- .---- ----- .<

Decoding the Ook! gives the password for the LSB steganography image (header5):

11TRk1Ke16Y44dhA8

Extracting the LSB data gives a pile of data

https://github.com/livz/cloacked-pixel

After ROT13

it turns out to be a JPEG file,

which gives the image.

The image carries an invisible watermark.

After tuning the parameters, the text shows up.

flag{5Q8qP65U8zqMr}

Easy Disk

Skills tested: data recovery, forensics

Description: 8c26ffa4ca12b34844628f6ab22b780c_cmctf.xmutsec.iloli.moe (yes, only a domain name was given)

PS: flag{Part1+Hacker's Password+Part2}

Author: IceCliffs
Challenge name: Easy Disk
Estimated difficulty: easy
Date set: 2022/4/11

First, nslookup the TXT record of xxx.iloli.moe; it holds base85.

Decoding it gives pikachu (Pikalang):

pi pi pi pi pi pi pi pi pi pi pika pipi pi pipi pi pi pi pipi pi pi pi pi pi pi pi pipi pi pi pi pi pi pi pi pi pi pi pichu pichu pichu pichu ka chu pipi pipi pipi pipi pi pi pi pi pikachu pi pi pi pi pi pi pi pi pi pi pi pi pikachu pikachu ka ka ka ka pikachu pi pi pi pikachu pichu ka ka ka ka ka ka ka ka ka ka ka ka pikachu ka ka ka ka ka ka ka ka ka ka ka pikachu pikachu pipi pikachu ka ka ka ka ka ka ka ka ka ka ka pikachu ka ka ka ka ka ka ka pikachu pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pikachu ka ka ka ka ka ka ka ka ka ka ka ka ka pikachu pichu ka pikachu pipi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pikachu ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka pikachu pi pi pi pi pikachu pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pikachu ka ka ka ka pikachu ka ka ka ka ka ka ka pikachu pichu pikachu pipi ka ka ka ka ka ka ka ka ka ka ka pikachu pi pi pi pi pi pi pi pi pi pi pi pi pikachu ka ka pikachu pichu pi pikachu pipi ka ka ka ka ka ka ka ka pikachu pichu pi pi pi pi pi pi pi pikachu pi pi pi pi pi pi pi pi pi pi pi pi pi pi pikachu pi pi pi pi pi pi pi pi pi pikachu pipi pi pi pikachu pichu ka ka ka ka ka ka ka ka pikachu pi pi pi pi pikachu ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka pikachu ka ka ka ka ka ka pikachu pipi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pikachu pichu pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pikachu pipi ka ka ka pikachu pichu pi pi pi pi pi pi pi pikachu pichu pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pikachu ka ka ka pikachu
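A Brainfuck interpreter with front-ends for both dialects used in this writeup, added as an example (not the author's code): the Ook! listing from the WOW! section, which is printed there in plain Brainfuck notation, and the Pikalang program above. The Ook! and Pikalang word tables are the standard ones for those languages; the embedded Pikalang text is only the opening of the program above (enough to print the URL scheme), and the function names are mine.

```python
# Brainfuck listing printed in the WOW! section (whitespace is ignored by the VM).
WOW_PROGRAM = """
+++++ ++[-> +++++ ++<]> ..<++ +++[- >++++ +<]>+ +++++ ++++. --.<+ ++++[
->+++ ++<]> .<+++ ++++[ ->--- ----< ]>--- ----- -.<++ +++[- >++++ +<]>+
.<+++ ++[-> +++++ <]>+. <++++ +++[- >---- ---<] >---. +++++ .<+++ ++[->
+++++ <]>++ +++++ +++.< +++++ +[->- ----- <]>-. .<+++ +++[- >++++ ++<]>
+++++ +++++ ++.++ ++.<+ +++++ [->-- ----< ]>--- .---- ----- .<
"""

# Opening of the Pikalang program from the Easy Disk section (the part that
# prints "https://"); the full program is the one printed in the writeup.
PIKA_PREFIX = (
    "pi pi pi pi pi pi pi pi pi pi pika pipi pi pipi pi pi pi pipi pi pi pi pi pi pi pi "
    "pipi pi pi pi pi pi pi pi pi pi pi pichu pichu pichu pichu ka chu pipi pipi pipi pipi "
    "pi pi pi pi pikachu pi pi pi pi pi pi pi pi pi pi pi pi pikachu pikachu ka ka ka ka "
    "pikachu pi pi pi pikachu pichu ka ka ka ka ka ka ka ka ka ka ka ka pikachu "
    "ka ka ka ka ka ka ka ka ka ka ka pikachu pikachu"
)

# Ook! is Brainfuck with each command spelled as a pair of Ook tokens.
OOK_WORDS = {"Ook. Ook?": ">", "Ook? Ook.": "<", "Ook. Ook.": "+", "Ook! Ook!": "-",
             "Ook! Ook.": ".", "Ook. Ook!": ",", "Ook! Ook?": "[", "Ook? Ook!": "]"}
# Pikalang is Brainfuck with one word per command.
PIKA_WORDS = {"pipi": ">", "pichu": "<", "pi": "+", "ka": "-",
              "pikachu": ".", "pikapi": ",", "pika": "[", "chu": "]"}


def ook_to_bf(src: str) -> str:
    toks = src.split()
    if len(toks) % 2:
        raise ValueError("Ook! programs are pairs of Ook tokens")
    return "".join(OOK_WORDS[" ".join(toks[i:i + 2])] for i in range(0, len(toks), 2))


def pika_to_bf(src: str) -> str:
    return "".join(PIKA_WORDS[w] for w in src.split())


def run_bf(code: str, stdin: bytes = b"", max_steps: int = 1_000_000) -> str:
    """Execute Brainfuck with 8-bit wrapping cells; returns the output as text."""
    code = "".join(c for c in code if c in "<>+-.,[]")
    jump, stack = {}, []                       # pre-computed bracket matching
    for pos, c in enumerate(code):
        if c == "[":
            stack.append(pos)
        elif c == "]":
            start = stack.pop()
            jump[start], jump[pos] = pos, start
    if stack:
        raise ValueError("unbalanced brackets")
    tape, ptr, pc, out, inp = bytearray(30000), 0, 0, bytearray(), list(stdin)
    steps = 0
    while pc < len(code):
        steps += 1
        if steps > max_steps:                  # guard against a looping CTF payload
            raise RuntimeError("step limit exceeded")
        c = code[pc]
        if c == ">":
            ptr += 1
        elif c == "<":
            ptr -= 1
        elif c == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif c == ".":
            out.append(tape[ptr])
        elif c == ",":
            tape[ptr] = inp.pop(0) if inp else 0
        elif c == "[" and tape[ptr] == 0:
            pc = jump[pc]
        elif c == "]" and tape[ptr] != 0:
            pc = jump[pc]
        pc += 1
    return out.decode("latin-1")


if __name__ == "__main__":
    print(run_bf(WOW_PROGRAM))                 # 11TRk1Ke16Y44dhA8
    print(run_bf(pika_to_bf(PIKA_PREFIX)))     # https://
```

The step limit matters when running untrusted esolang payloads from a CTF drop: a program that never terminates otherwise hangs the solve script, and the same VM serves any other Brainfuck dialect by swapping the word table.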

Decoding the pikachu program gives the download address

https://share.weiyun.com/e6DMgEI5/xMuT52

Password: xMuT52

After downloading, readme.txt tells us the task is data recovery and forensics.

readme.txt file

Mounting the disk directly shows that the first partition is damaged,

and the second partition is BitLocker-encrypted.

Opening the disk in WinHex and looking at the MBR shows that the partition address has been wiped.

Find the address of the first partition,

then go back to the MBR,

fill the partition address back into the MBR and fill in the partition type as well; the recovery succeeds. Remount the disk and there are two partitions.

Partition one

readme.txt content

A little easter egg:

You know what I mean

Brute-forcing the CRC32 of ahahahah.png shows that the height is wrong.

After fixing the height we get the BitLocker key:

686224-303292-585959-348568-718696-444224-102377-435171
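The CRC32 height recovery described above, as an added Python example (not the author's tool). The IHDR CRC covers the chunk type and the 13 data bytes, so a height field that was edited without recomputing the CRC can be recovered by trying heights until the CRC matches the stored one; make_truncated_sample() builds a constructed IHDR with a lowered height (the same situation as ahahahah.png) so the block runs stand-alone. Function names are mine.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def build_ihdr(width: int, height: int, depth: int = 8, colour: int = 2) -> bytes:
    """Build a PNG IHDR chunk: length + type + 13 data bytes + CRC over type and data."""
    data = struct.pack(">IIBBBBB", width, height, depth, colour, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + data) & 0xFFFFFFFF
    return struct.pack(">I", 13) + b"IHDR" + data + struct.pack(">I", crc)


def read_ihdr(png: bytes):
    """Return (width, height, ihdr_data, stored_crc) from a PNG whose first chunk is IHDR."""
    if png[:8] != PNG_SIG or png[12:16] != b"IHDR":
        raise ValueError("not a PNG or IHDR is not the first chunk")
    data = png[16:29]
    stored_crc = struct.unpack(">I", png[29:33])[0]
    width, height = struct.unpack(">II", data[:8])
    return width, height, data, stored_crc


def ihdr_crc_ok(png: bytes) -> bool:
    _, _, data, stored = read_ihdr(png)
    return zlib.crc32(b"IHDR" + data) & 0xFFFFFFFF == stored


def recover_height(png: bytes, max_height: int = 10000):
    """Brute-force the height field until the IHDR CRC reproduces the stored CRC."""
    _, _, data, stored = read_ihdr(png)
    for h in range(1, max_height + 1):
        cand = data[:4] + struct.pack(">I", h) + data[8:]
        if zlib.crc32(b"IHDR" + cand) & 0xFFFFFFFF == stored:
            return h
    return None                                   # width (or more) was also changed


def fix_height(png: bytes) -> bytes:
    """Rewrite the height field (bytes 20..24 of the file) with the recovered value."""
    h = recover_height(png)
    if h is None:
        raise ValueError("no height in range reproduces the stored CRC")
    return png[:20] + struct.pack(">I", h) + png[24:]


def make_truncated_sample(true_height: int = 26, shown_height: int = 10) -> bytes:
    """Constructed test input: a 76-pixel-wide IHDR whose height was lowered
    without updating the CRC, which is exactly what hides the bottom rows of an image."""
    good = PNG_SIG + build_ihdr(76, true_height)
    return good[:20] + struct.pack(">I", shown_height) + good[24:]


if __name__ == "__main__":
    sample = make_truncated_sample()
    print("CRC ok before:", ihdr_crc_ok(sample), "height:", read_ihdr(sample)[1])
    repaired = fix_height(sample)
    print("CRC ok after:", ihdr_crc_ok(repaired), "height:", read_ihdr(repaired)[1])
```

If no height in range matches, the width (or another IHDR field) was edited too; extend the search to a width/height grid in that case, but keep the range bounded because each candidate costs one CRC over 17 bytes.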

Partition two

After unlocking it we get flag.raw and readme1.txt.

flag.raw

readme1.txt content

First identify the system profile (Win7SP1x86_23418).

The challenge says to obtain the hacker's password, so just dump the hashes or use mimikatz.

There is a hacker user; cracking the hash gives

The hacker's password is

maggie

This was later changed to obtaining Joe's password; Joe's plaintext resolves to pass.123

Also look at the process list for key information: the author had notepad.exe and mspaint.exe open.

Dump mspaint.exe, which gives

Open it in PS (Photoshop), which gives

Then adjust the size and keep shifting the offset (4613436, 739, 1350), which gives

Download the image and tidy it up a little, which gives

a string

Rr25957Q343H2y8f

Look at the desktop

flag.jpg and hijack.zip are there; dump both of them

flag.jpg(0x000000000faeb978)

hijack.zip(0x000000000faf4868)

and we get

flag.jpg is detected as JPHS steganography; the password is the text in the image above.

Seeking it gives flag1:

flag{gCXp4V4bQWKLy_

Next look at the notepad.exe process; there is strange data in it.

Saving it as text, the string length does not match the total length, so guess zero-width-character steganography,

which gives

&HZjG9oecvkp~5IT=l

This is the password for hijack.zip; extracting it gives several images.

The images are 6 pixels wide; write a script to stitch them back together.

The result is a barcode; scanning it gives

5f6d3531413675365a41315478357d

Converting it to a string gives the second half of the flag

_m51A6u6ZA1Tx5}

flag{gCXp4V4bQWKLy_pass.123_m51A6u6ZA1Tx5}

Author: IceCliffs

Posted on 2022-03-29

Updated on 2024-11-19