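Table of Contents

  • Should Count as the Sign-in (应该算是签到)
  • CyzCC_loves_LOL
  • Cthulhu Mythos
  • lovemath

The challenge attachments can be downloaded here:
Link: https://pan.baidu.com/s/13TwadE6DenseIuRUNZlCKg
Extraction code: rrpe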

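Should Count as the Sign-in (应该算是签到)

Search Bilibili directly for this BV number.

Ctrl+F on the page itself turned up nothing.
Use a search engine to check whether danmaku (bullet comments) can be queried through an API: https://www.bilibili.com/read/cv7923601

Press F12, open the Network tab, and find the cid of this video.

Search backwards starting from the current date, 2021-11-27.

https://api.bilibili.com/x/v2/dm/web/history/seg.so?type=1&oid=400438565&date=2021-11-27

Download the historical danmaku file, open it with UTF-8 encoding, and search for the keyword.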

D0g3{We1come_to_axbg0g0g0}

CyzCC_loves_LOL


D0g3_LOLteampassword

HAI D0g3 code
I HAS A CODE ITZ "D0g3isthepAssword"
I HAS A MSG ITZ ""
I HAS A COUNTER ITZ 0
I HAS A NUM
IM IN YR LOOP UPPIN YR COUNTER WILE COUNTER SMALLR THAN LEN OF CODE
I HAS A C ITZ CODE!COUNTER
NUM R ORD OF C
NUM R SUM OF NUM AN -3
IZ NUM SMALLR THAN 65?, NUM R SUM OF NUM AN 26, KTHX
NUM R CHR OF NUM
MSG R SMOOSH MSG AN NUM
IM OUTTA YR LOOP
VISIBLE MSG
KTHXBYE

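I could not tell what this was; guessing it was some kind of encoding, I looked it up with a search engine.

  • lolcode-language: https://www.dcode.fr/lolcode-language

Decoding gives the password for ez_misc.zip: AGdJfpqebmXpptloa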


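Going by its name, I first assumed Program.png was an npiet program, but trying to compile it directly showed that was wrong.

After some research I found that Brainfuck also has a dialect that represents the program as pixel colours: Brainloller.

  • https://minond.xyz/brainloller/

Upload the image and click Play to get the password: 0MTTW CWZVN!

Then, following the hint in the challenge name, replace the space in the password with an underscore. Going by the file name jinx's_flag_in_silent.jpg, try decrypting it directly with SilentEye.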

D0g3{544f3225-bbaf-47dc-ba8d-5bda54cbaecb}

Cthulhu Mythos


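Listening to hint.mp3, the first part is the Terraria theme and the later part is clearly SSTV.

Because of the file format, QSSTV cannot be used on it directly, and RX-SSTV is a hassle because the computer's recording device has to be reconfigured, so just listen to it with Robot36.

Pick any download site: https://apkpure.com/cn/robot36-sstv-image-decoder/xdsopl.robot36

Download it, transfer it to a phone, install it, and let it listen. Play the audio several times to confirm the decoded text.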

>>> from base64 import *
>>> b32decode('MRPVI4TZL5KGK4TSGRZGSYJBPU======')
b'd_Try_Terr4ria!}'

The Evil Watcher.wld

About Terraria map editors:

  • https://www.bilibili.com/read/cv275739?from=search
  • https://www.binaryconstruct.com/downloads/
  • https://www.bilibili.com/video/BV1Za4y1a7uN
  • https://m33.wiki/extension/wld.html

Open The Evil Watcher.wld with TerraMap, then Players -> All Spoilers.

Use Sets -> Chests to locate the chests.

Four Class Chest entries are found on the surface.

IQYGOM33

JUYW4ZLD

KI2GM5C


There are four parts in total; the first three are: IQYGOM33JUYW4ZLDKI2GM5C
Base32

The fourth part can be found by opening The Evil Watcher.wld with TEdit.

The fourth part is at this location:

7I4YF6QLO

The complete Base32 string is: IQYGOM33JUYW4ZLDKI2GM5C7I4YF6QLO

Final flag

D0g3{M1necR4ft_G0_And_Try_Terr4ria!}

lovemath

hint: not blindwater but you can search it

CRC32 brute force

-------------Filename CRC Info-------------
[+] flag.zip: 0xc38199da
[+] flag_01.txt: 0xa430239a
[+] flag_02.txt: 0xf81abecd
[+] flag_03.txt: 0x2a75b14e
[+] flag_04.txt: 0x2d2c423c
[+] flag_05.txt: 0xd9e12803
-------------------------------------------
PS D:\Tools\Misc\crc32> python .\crc32.py reverse 0xa430239a
4 bytes: {0x56, 0x34, 0xbc, 0x00}
verification checksum: 0xa430239a (OK)
alternative: 3RAsk0 (OK)
alternative: 5jYl3N (OK)
alternative: ANz4c9 (OK)
alternative: DViXxW (OK)
alternative: EJg5bZ (OK)
alternative: JE94EM (OK)
alternative: JYvhDY (OK)
alternative: O1YuZg (OK)
alternative: R3ix8v (OK)
alternative: _lAJB8 (OK)
alternative: dYZaCR (OK)
alternative: mOBoUw (OK)
alternative: pMrb7f (OK)
alternative: qlmCE3 (OK)
alternative: sq6Mub (OK)
alternative: th1s_I (OK)
alternative: uhpBDP (OK)
PS D:\Tools\Misc\crc32> python .\crc32.py reverse 0xf81abecd
4 bytes: {0xf6, 0x44, 0x6a, 0xcc}
verification checksum: 0xf81abecd (OK)
alternative: 5XyM2J (OK)
alternative: 9kccWY (OK)
alternative: DdIyyS (OK)
alternative: MrQwov (OK)
alternative: ONTi6k (OK)
alternative: RLddTz (OK)
alternative: s_Y0ur (OK)
alternative: uZPcET (OK)
PS D:\Tools\Misc\crc32> python .\crc32.py reverse 0x2a75b14e
4 bytes: {0x39, 0x11, 0xcc, 0x5b}
verification checksum: 0x2a75b14e (OK)
alternative: 0njyYo (OK)
alternative: 4Wf40T (OK)
alternative: 7wmGsD (OK)
alternative: 8x3FTS (OK)
alternative: 9xrwOJ (OK)
alternative: Cn_SKk (OK)
alternative: KdI0GC (OK)
alternative: R_upLi (OK)
alternative: S3GlS4 (OK)
alternative: S_4AWp (OK)
alternative: UFrNfB (OK)
alternative: W7ZmRW (OK)
alternative: _pa33w (OK)
alternative: caljpn (OK)
alternative: d5Fi7M (OK)
alternative: dxkTZE (OK)
alternative: jwtdfK (OK)
alternative: ln2kWy (OK)
alternative: rPFIwl (OK)
alternative: w8iTiR (OK)
alternative: x77UNE (OK)
PS D:\Tools\Misc\crc32> python .\crc32.py reverse 0x2d2c423c
4 bytes: {0x78, 0x6b, 0xc3, 0x45}
verification checksum: 0x2d2c423c (OK)
alternative: 0rd_We (OK)
alternative: 1nj2Mh (OK)
alternative: BSNT74 (OK)
alternative: CrQuEa (OK)
alternative: DkVKoJ (OK)
alternative: FWSU6W (OK)
alternative: P2Suvv (OK)
alternative: Sbdw06 (OK)
alternative: Wfyv1U (OK)
alternative: ZIm5NK (OK)
alternative: dderTO (OK)
alternative: jkzBhA (OK)
alternative: rLHoyf (OK)
alternative: uUOQSM (OK)
PS D:\Tools\Misc\crc32> python .\crc32.py reverse 0xd9e12803
4 bytes: {0x9f, 0x48, 0x0c, 0x36}
verification checksum: 0xd9e12803 (OK)
alternative: 1c0m3e (OK)
alternative: 2_tBqa (OK)
alternative: 3_5sjx (OK)
alternative: 98DoSQ (OK)
alternative: A_Ahce (OK)
alternative: FFFVIN (OK)
alternative: J8qEAU (OK)
alternative: K80tZL (OK)
alternative: NLP5Ef (OK)
alternative: PnkKdg (OK)
alternative: Rs0ET6 (OK)
alternative: WwluNL (OK)
alternative: YxsErB (OK)
alternative: ZD7j0F (OK)
alternative: ZXx61R (OK)
alternative: _a5JCp (OK)
alternative: fIuorK (OK)
alternative: hFj_NE (OK)
alternative: iZd2TH (OK)
alternative: o_madn (OK)
alternative: paXr_b (OK)
alternative: wx_LuI (OK)
PS D:\Tools\Misc\crc32>

This gives the password: th1s_Is_Y0ur_pa33w0rd_We1c0m3e
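Why the listing above works, as an added example (this is not the crc32.py tool used in the writeup and not code from the original page): for any prefix there is exactly one 4-byte suffix that produces a given CRC-32, so a 6-byte file is recovered by trying every 2-character prefix and keeping the results that stay inside an assumed charset of letters, digits and underscore. The names patch4, candidates, CHARSET and PAGE_CRCS are introduced here for illustration.

```python
import itertools
import string
import zlib

POLY = 0xEDB88320  # reflected CRC-32 polynomial used by ZIP
TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ POLY if c & 1 else c >> 1
    TABLE.append(c)
# The top byte of every table entry is unique, so it identifies the index.
BY_TOP = {t >> 24: n for n, t in enumerate(TABLE)}

# Assumed alphabet for the hidden text (an assumption, not from the page).
CHARSET = (string.ascii_letters + string.digits + "_").encode()


def patch4(prefix: bytes, target: int) -> bytes:
    """Return the only 4 bytes s with crc32(prefix + s) == target."""
    # Backward pass: recover the table index used at each of the 4 steps.
    state, idxs = target ^ 0xFFFFFFFF, []
    for _ in range(4):
        n = BY_TOP[state >> 24]
        state = ((state ^ TABLE[n]) << 8) & 0xFFFFFFFF
        idxs.append(n)
    # Forward pass, starting from the register value after the prefix.
    state, out = zlib.crc32(prefix) ^ 0xFFFFFFFF, bytearray()
    for n in reversed(idxs):
        out.append(n ^ (state & 0xFF))
        state = TABLE[n] ^ (state >> 8)
    return bytes(out)


def candidates(target: int, length: int = 6) -> list[str]:
    """All CHARSET-only strings of `length` bytes whose CRC-32 is target."""
    found = []
    for head in itertools.product(CHARSET, repeat=length - 4):
        tail = patch4(bytes(head), target)
        if all(b in CHARSET for b in tail):
            found.append((bytes(head) + tail).decode())
    return sorted(found)


# CRC values of flag_01.txt .. flag_05.txt, copied from the listing above.
PAGE_CRCS = [0xA430239A, 0xF81ABECD, 0x2A75B14E, 0x2D2C423C, 0xD9E12803]

if __name__ == "__main__":
    for crc in PAGE_CRCS:
        print(f"{crc:#010x}", candidates(crc))
```

ZIP headers normally record the CRC-32 of each entry's uncompressed data, so very short entries can be recovered this way without the archive password; the readable fragment still has to be picked out of the candidate list by eye.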

blind.png contains PNG data hidden with LSB steganography.

Save it and use 010 Editor to strip the few junk bytes at the front to get the image.

OCR the image: https://www.onlineocr.net/zh_hant/

1251077695482776025338577125579215707216262981842821000162276994967943212822693842845266851984880336702446444408289977864567921038435144120176357529686342977212633764247620567669441602729004003473312468776582473461071462631554533766709934484393185739708817165738912742570170547790145328253304755428563911689057632001795598667127514331122190795355921436735375126688142856470280128821316586008242687241930886868804388482643589009068543771977163419519208340324352

The hint given by the challenge is "draw yourself"; this calls for a formula known as Tupper's self-referential formula.

  • https://zh.wikipedia.org/wiki/%E5%A1%94%E7%8F%80%E8%87%AA%E6%8C%87%E5%85%AC%E5%BC%8F

Reference script: https://www.cnblogs.com/1024th/p/14418846.html

Replace the value of K with the number above.

"""
Plot Tupper's self-referential formula
"""
import textwrap
import matplotlib.pyplot as plt

K = 1251077695482776025338577125579215707216262981842821000162276994967943212822693842845266851984880336702446444408289977864567921038435144120176357529686342977212633764247620567669441602729004003473312468776582473461071462631554533766709934484393185739708817165738912742570170547790145328253304755428563911689057632001795598667127514331122190795355921436735375126688142856470280128821316586008242687241930886868804388482643589009068543771977163419519208340324352
H = 17
W = 106

if __name__ == "__main__":
    plt.figure(figsize=(6.8, 4), dpi=600)
    plt.axis("scaled")

    # K // 17 is the bitmap: one bit per cell, column by column, bottom to top
    K_ = K // 17
    for x in range(W):
        for y in range(H):
            if K_ & 1:
                plt.bar(x+0.5, bottom=y, height=1, width=1, linewidth=0, color="black")
            K_ >>= 1

    # Render the formula above the plot
    plt.figtext(0.5, 0.8, r"$\frac{1}{2}<\left\lfloor \operatorname{mod}\left(\left\lfloor\frac{y}{%d}\right\rfloor 2^{-%d\lfloor x\rfloor-\operatorname{mod}(\lfloor y\rfloor, %d)}, 2\right)\right\rfloor$" % (H, H, H), ha="center", va="bottom", fontsize=18)
    plt.subplots_adjust(top=0.8, bottom=0.5)

    # Print the value of K below the plot, wrapped to 68 digits per line
    K_str = textwrap.wrap(str(K), 68)
    K_str[0] = f"K={K_str[0]}"
    for i in range(1, len(K_str)):
        K_str[i] = f"  {K_str[i]}".ljust(70)
    K_str = "\n".join(K_str)
    plt.figtext(0.5, 0.45, K_str, fontfamily="monospace", ha="center", va="top")

    plt.xlim((0, W))
    plt.ylim((0, H))
    xticks = list(range(0, W+1))
    xlabels = ["" for i in xticks]
    xlabels[0] = "0"
    xlabels[-1] = str(W)
    plt.xticks(xticks, xlabels)
    yticks = list(range(0, H+1))
    ylabels = ["" for i in yticks]
    ylabels[0] = "K"
    ylabels[-1] = f"K+{H}"
    plt.yticks(yticks, ylabels)
    # Positional True works on every Matplotlib release; the b= keyword was removed in newer ones
    plt.grid(True, linewidth=0.5)
    # plt.show()
    plt.savefig("Tupper-plot.png")
    # plt.savefig(fname="name", format="svg")

D0g3{I_Lov3_math}
