某比赛Writeup

答应我,以后打比赛不要带着情绪打好吗?

-rYu1nser

时隔4个月又来打CTF了,啊,要死要死,菜的要死

decrypt_it

流量包抓大头,跟踪TCP协议,提取出脚本

脚本如下

脚本不难,具体加密流程就是enc随机数组选一个值然后index放在编码后的最前面

大概这个样子

  • 如果 enc = 1
    • 1base64en(str)
  • 或者 enc = 2
    • 2caesar(str)
  • 或者 enc = 3
    • 3rot13(str)
import string
import random
from base64 import b64encode, b64decode

FLAG = 'flag{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}'

enc_ciphers = ['rot13', 'b64e', 'caesar']
# dec_ciphers = ['rot13', 'b64d', 'caesard']

def rot13(s):
	_rot13 = string.maketrans( 
    	"ABCDEFGHIJKLMabcdefghijklmNOPQRSTUVWXYZnopqrstuvwxyz", 
    	"NOPQRSTUVWXYZnopqrstuvwxyzABCDEFGHIJKLMabcdefghijklm")
	return string.translate(s, _rot13)

def b64e(s):
	return b64encode(s)

def caesar(plaintext, shift=3):
    alphabet = string.ascii_lowercase
    shifted_alphabet = alphabet[shift:] + alphabet[:shift]
    table = string.maketrans(alphabet, shifted_alphabet)
    return plaintext.translate(table)

def encode(pt, cnt=50):
	tmp = '2{}'.format(b64encode(pt))
	for cnt in xrange(cnt):
		c = random.choice(enc_ciphers)
		i = enc_ciphers.index(c) + 1
		_tmp = globals()[c](tmp)
		tmp = '{}{}'.format(i, _tmp)

	return tmp

if __name__ == '__main__':
	print encode(FLAG,

解码脚本如下

import string
import random
from base64 import b64encode, b64decode

FLAG = 'flag{xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx}'

enc_ciphers = ['rot13', 'b64e', 'caesar']
dec_ciphers = ['rot13', 'b64d', 'caesard']

def rot13(s):
	_rot13 = string.maketrans( 
    	"ABCDEFGHIJKLMabcdefghijklmNOPQRSTUVWXYZnopqrstuvwxyz", 
    	"NOPQRSTUVWXYZnopqrstuvwxyzABCDEFGHIJKLMabcdefghijklm")
	return string.translate(s, _rot13)

def b64e(s):
	return b64encode(s)

def b64d(s):
	return b64encode(s)

def caesard(plaintext, shift=-3):
    alphabet = string.ascii_lowercase
    shifted_alphabet = alphabet[shift:] + alphabet[:shift]
    table = string.maketrans(alphabet, shifted_alphabet)
    return plaintext.translate(table)

def caesar(plaintext, shift=3):
    alphabet = string.ascii_lowercase
    shifted_alphabet = alphabet[shift:] + alphabet[:shift]
    table = string.maketrans(alphabet, shifted_alphabet)
    return plaintext.translate(table)

def encode(pt, cnt=1):
	tmp = '2{}'.format(b64encode(pt))
	for cnt in xrange(cnt):
		c = random.choice(enc_ciphers)
		print(c)
		i = enc_ciphers.index(c) + 1
		print(i)
		_tmp = globals()[c](tmp)
		print(_tmp)
		tmp = '{}{}'.format(i, _tmp)
	return tmp
def decode(pt):
	if (str(pt).startswith("2")):
		pt = b64decode(pt[1:])
		return pt
	elif(str(pt).startswith("3")):
		pt = caesard(pt[1:])
		return pt
	elif(str(pt).startswith("1")):
		pt = rot13(pt[1:])
		return pt

for i in range(100):
    flag = decode(flag)
    print(flag)

跑一下就好了

shell

流量包分离 flag.zip 压缩包

密码在流浪包最后一个位置,密码为 VVvv__==++--

解压获得flag

注入分析

比较暴力,时间=1说明执行成功,时间=3说明执行失败,写个脚本跑一下

# -*- coding: utf-8 -*-
# @Author: rYu1nser
# @Date:   2023-04-11
# @Last Modified by:   rYu1nser
# @Last Modified time: 2023-04-11
from datetime import datetime
import urllib.parse
date_format = '%d/%b/%Y:%H:%M:%S %z'
with open('log', 'r') as f:
    last_line = None
    last_time = None
    for line in f:
        if last_time is not None:
            current_time_str = line.split('[')[1].split(']')[0]
            current_time = datetime.strptime(current_time_str, date_format)
            time_difference = current_time - last_time
            if time_difference.total_seconds() < 3:
                s= urllib.parse.unquote(last_line)
                print(s[143:])
        last_line = line
        last_time_str = line.split('[')[1].split(']')[0]
        last_time = datetime.strptime(last_time_str, date_format)

结果

flag{62f4ca6cf1654106e3555c4cc2cf4087}
文章《某比赛Writeup》采用 知识共享署名-相同方式共享 4.0 国际许可协议 进行许可
暂无评论

发送评论 编辑评论


				
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: www.bilibili.com
Source: ななひら
Source: github.com/k4yt3x/flowerhd
颜文字
Emoji
嘉然
ななひら
小恐龙
花!
上一篇
下一篇