2021年大学生网络安全邀请赛暨第七届上海市大学生网络安全大赛“东华杯”Misc（全）-Writeup

文章目录

MISC

checkin

project

JumpJumpTiger

where_can_find_code

MISC

checkin

题目：

+AGYAbABhAGcAewBkAGgAYgBfADcAdABoAH0-

Magic一把梭，UTF-7编码

flag{dhb_7th}

project

（脑洞题披上工控题的外衣）

附件解压打开，发现可疑压缩包

解压之后拿到疑似流量数据，共三段。

前两段：

Date: Sun, 19 Sep 2021 21:28:55 +0800
From: "mklkxxx@yeah.net" <mklkxxx@yeah.net>
To: mklkxxx <mklkxxx@yeah.net>
Subject: =?UTF-8?B?5L2g5p2l5LqGfg==?=
X-Priority: 3
X-Has-Attach: no
X-Mailer: Foxmail 7.2.20.273[cn]
Mime-Version: 1.0
Message-ID: <202109192128112273138@yeah.net>
Content-Type: multipart/related;boundary="----=_001_NextPart057850482324_=----"This is a multi-part message in MIME format.------=_001_NextPart057850482324_=----
Content-Type: multipart/alternative;boundary="----=_002_NextPart832058858335_=----"------=_002_NextPart832058858335_=----
Content-Type: text/plain;charset="UTF-8"
Content-Transfer-Encoding: base646KGo5oOF5YyF5paH5YyW77yM5piv6ZqP552A572R57uc56S+5Lqk5rKf6YCa55qE5aKe5aSa5Ye6
546w55qE5LiA56eN5Li75rWB5paH5YyW44CC5LiA5Liq5Lq655qE6KGo5oOF5YyF5piv5YW26ZqQ
6JeP6LW35p2l55qE55yf5oiR77yM5LiA5Liq5Zu95a6255qE6KGo5oOF5YyF6YeM6IO955yL5Yiw
6L+Z5Liq5Zu95a6255qE6KGo5oOF44CC4oCM4oCM4oCM4oCM4oCN4oCs4oCs4oCM5pyJ5pe25YCZ
77yM6KGo5oOF5YyF6KGo6L6+55qE5piv5LiN6IO96YGT56C055qE55yf5a6e5oOz5rOV5ZKM5oSf
5Y+X77yM6K+t6KiA5ZKM5paH5a2X55qE5bC95aS077yM5bCx5piv6KGo5oOF5YyF5pa95bGV55qE
56m66Ze044CCDQrooajmg4XljIXmmK/nvZHnu5zor63oqIDnmoTkuIDnp43ov5vljJbvvIzlroPn
moTkuqfnlJ/lkozmtYHooYzkuI7lhbbnibnlrprnmoTigJzigIzigIzigIzigIzigI3vu7/igI3i
gI3nlJ/lrZjnjq/looPigJ3mnInlhbPjgILlhbbov73msYLphpLnm67jgIHmlrDlpYfjgIHosJDo
sJHnrYnmlYjmnpznmoTnibnngrnvvIzigIzigIzigIzigIzigI3vu7/igIzigKzkuI7lubTovbvk
urrlvKDmiazkuKrmgKflkozmkJ7mgKrnmoTlv4PnkIbnm7jnrKbigIzigIzigIzigIzigI3vu7/i
gIzigKzjgIINCuihqOaDheWMheS5i+aJgOS7peiDveWkn+Wkp+iMg+WbtOWcsOS8oOaSre+8jOKA
jOKAjOKAjOKAjOKAje+7v+KArOKAjeaYr+WboOS4uuWFtuW8peihpeS6huaWh+Wtl+S6pOa1geea
hOaer+eHpeWSjOaAgeW6puihqOi+vuS4jeWHhuehrueahOW8seeCue+8jOacieaViOWcsOaPkOmr
mOS6huayn+mAmuaViOeOh+OAgumDqOWIhuihqOaDheWMheWFt+acieabv+S7o+aWh+Wtl+eahOWK
n+iDve+8jOKAjOKAjOKAjOKAjOKAje+7v+KAjeKAjei/mOWPr+S7peiKguecgeaJk+Wtl+aXtumX
tOKAjOKAjOKAjOKAjOKAje+7v+KAjOKAjOOAgumaj+edgOaZuuiDveaJi+acuueahOWFqOmdouaZ
ruWPiuWSjOekvuS6pOW6lOeUqOi9r+S7tueahOWkp+mHj+S9v+eUqO+8jOihqOaDheWMheW3sue7
j+mrmOmikeeOh+WcsOWHuueOsOWcqOS6uuS7rOeahOe9kee7nOiBiuWkqeWvueivneW9k+S4reOA
gg0K------=_002_NextPart832058858335_=----
Content-Type: text/html;charset="UTF-8"
Content-Transfer-Encoding: quoted-printable<html><head><meta http-equiv=3D"content-type" content=3D"text/html; charse=
t=3DUTF-8"><style>body { line-height: 1.5; }body { font-size: 14px; font-f=
amily: "Microsoft YaHei UI"; color: rgb(0, 0, 0); line-height: 1.5; }body =
{ font-size: 14px; font-family: "Microsoft YaHei UI"; color: rgb(0, 0, 0);=line-height: 1.5; }</style></head><body>=0A<div><div>=E8=A1=A8=E6=83=85=
=E5=8C=85=E6=96=87=E5=8C=96=EF=BC=8C=E6=98=AF=E9=9A=8F=E7=9D=80=E7=BD=91=
=E7=BB=9C=E7=A4=BE=E4=BA=A4=E6=B2=9F=E9=80=9A=E7=9A=84=E5=A2=9E=E5=A4=9A=
=E5=87=BA=E7=8E=B0=E7=9A=84=E4=B8=80=E7=A7=8D=E4=B8=BB=E6=B5=81=E6=96=87=
=E5=8C=96=E3=80=82=E4=B8=80=E4=B8=AA=E4=BA=BA=E7=9A=84=E8=A1=A8=E6=83=85=
=E5=8C=85=E6=98=AF=E5=85=B6=E9=9A=90=E8=97=8F=E8=B5=B7=E6=9D=A5=E7=9A=84=
=E7=9C=9F=E6=88=91=EF=BC=8C=E4=B8=80=E4=B8=AA=E5=9B=BD=E5=AE=B6=E7=9A=84=
=E8=A1=A8=E6=83=85=E5=8C=85=E9=87=8C=E8=83=BD=E7=9C=8B=E5=88=B0=E8=BF=99=
=E4=B8=AA=E5=9B=BD=E5=AE=B6=E7=9A=84=E8=A1=A8=E6=83=85=E3=80=82=E2=80=8C=
=E2=80=8C=E2=80=8C=E2=80=8C=E2=80=8D=E2=80=AC=E2=80=AC=E2=80=8C=E6=9C=89=
=E6=97=B6=E5=80=99=EF=BC=8C=E8=A1=A8=E6=83=85=E5=8C=85=E8=A1=A8=E8=BE=BE=
=E7=9A=84=E6=98=AF=E4=B8=8D=E8=83=BD=E9=81=93=E7=A0=B4=E7=9A=84=E7=9C=9F=
=E5=AE=9E=E6=83=B3=E6=B3=95=E5=92=8C=E6=84=9F=E5=8F=97=EF=BC=8C=E8=AF=AD=
=E8=A8=80=E5=92=8C=E6=96=87=E5=AD=97=E7=9A=84=E5=B0=BD=E5=A4=B4=EF=BC=8C=
=E5=B0=B1=E6=98=AF=E8=A1=A8=E6=83=85=E5=8C=85=E6=96=BD=E5=B1=95=E7=9A=84=
=E7=A9=BA=E9=97=B4=E3=80=82</div><div>=E8=A1=A8=E6=83=85=E5=8C=85=E6=98=AF=
=E7=BD=91=E7=BB=9C=E8=AF=AD=E8=A8=80=E7=9A=84=E4=B8=80=E7=A7=8D=E8=BF=9B=
=E5=8C=96=EF=BC=8C=E5=AE=83=E7=9A=84=E4=BA=A7=E7=94=9F=E5=92=8C=E6=B5=81=
=E8=A1=8C=E4=B8=8E=E5=85=B6=E7=89=B9=E5=AE=9A=E7=9A=84=E2=80=9C=E2=80=8C=
=E2=80=8C=E2=80=8C=E2=80=8C=E2=80=8D=EF=BB=BF=E2=80=8D=E2=80=8D=E7=94=9F=
=E5=AD=98=E7=8E=AF=E5=A2=83=E2=80=9D=E6=9C=89=E5=85=B3=E3=80=82=E5=85=B6=
=E8=BF=BD=E6=B1=82=E9=86=92=E7=9B=AE=E3=80=81=E6=96=B0=E5=A5=87=E3=80=81=
=E8=B0=90=E8=B0=91=E7=AD=89=E6=95=88=E6=9E=9C=E7=9A=84=E7=89=B9=E7=82=B9=
=EF=BC=8C=E2=80=8C=E2=80=8C=E2=80=8C=E2=80=8C=E2=80=8D=EF=BB=BF=E2=80=8C=
=E2=80=AC=E4=B8=8E=E5=B9=B4=E8=BD=BB=E4=BA=BA=E5=BC=A0=E6=89=AC=E4=B8=AA=
=E6=80=A7=E5=92=8C=E6=90=9E=E6=80=AA=E7=9A=84=E5=BF=83=E7=90=86=E7=9B=B8=
=E7=AC=A6=E2=80=8C=E2=80=8C=E2=80=8C=E2=80=8C=E2=80=8D=EF=BB=BF=E2=80=8C=
=E2=80=AC=E3=80=82</div><div>=E8=A1=A8=E6=83=85=E5=8C=85=E4=B9=8B=E6=89=80=
=E4=BB=A5=E8=83=BD=E5=A4=9F=E5=A4=A7=E8=8C=83=E5=9B=B4=E5=9C=B0=E4=BC=A0=
=E6=92=AD=EF=BC=8C=E2=80=8C=E2=80=8C=E2=80=8C=E2=80=8C=E2=80=8D=EF=BB=BF=
=E2=80=AC=E2=80=8D=E6=98=AF=E5=9B=A0=E4=B8=BA=E5=85=B6=E5=BC=A5=E8=A1=A5=
=E4=BA=86=E6=96=87=E5=AD=97=E4=BA=A4=E6=B5=81=E7=9A=84=E6=9E=AF=E7=87=A5=
=E5=92=8C=E6=80=81=E5=BA=A6=E8=A1=A8=E8=BE=BE=E4=B8=8D=E5=87=86=E7=A1=AE=
=E7=9A=84=E5=BC=B1=E7=82=B9=EF=BC=8C=E6=9C=89=E6=95=88=E5=9C=B0=E6=8F=90=
=E9=AB=98=E4=BA=86=E6=B2=9F=E9=80=9A=E6=95=88=E7=8E=87=E3=80=82=E9=83=A8=
=E5=88=86=E8=A1=A8=E6=83=85=E5=8C=85=E5=85=B7=E6=9C=89=E6=9B=BF=E4=BB=A3=
=E6=96=87=E5=AD=97=E7=9A=84=E5=8A=9F=E8=83=BD=EF=BC=8C=E2=80=8C=E2=80=8C=
=E2=80=8C=E2=80=8C=E2=80=8D=EF=BB=BF=E2=80=8D=E2=80=8D=E8=BF=98=E5=8F=AF=
=E4=BB=A5=E8=8A=82=E7=9C=81=E6=89=93=E5=AD=97=E6=97=B6=E9=97=B4=E2=80=8C=
=E2=80=8C=E2=80=8C=E2=80=8C=E2=80=8D=EF=BB=BF=E2=80=8C=E2=80=8C=E3=80=82=
=E9=9A=8F=E7=9D=80=E6=99=BA=E8=83=BD=E6=89=8B=E6=9C=BA=E7=9A=84=E5=85=A8=
=E9=9D=A2=E6=99=AE=E5=8F=8A=E5=92=8C=E7=A4=BE=E4=BA=A4=E5=BA=94=E7=94=A8=
=E8=BD=AF=E4=BB=B6=E7=9A=84=E5=A4=A7=E9=87=8F=E4=BD=BF=E7=94=A8=EF=BC=8C=
=E8=A1=A8=E6=83=85=E5=8C=85=E5=B7=B2=E7=BB=8F=E9=AB=98=E9=A2=91=E7=8E=87=
=E5=9C=B0=E5=87=BA=E7=8E=B0=E5=9C=A8=E4=BA=BA=E4=BB=AC=E7=9A=84=E7=BD=91=
=E7=BB=9C=E8=81=8A=E5=A4=A9=E5=AF=B9=E8=AF=9D=E5=BD=93=E4=B8=AD=E3=80=82</=
div></div><img src=3D"cid:_Foxmail.1@e1a633df-2fe4-f85c-7270-ca78308ac1c5"=border=3D"0"></body></html>
------=_002_NextPart832058858335_=------

提取第一串base64解码，解密得到一段话，

表情包文化，是随着网络社交沟通的增多出现的一种主流文化。一个人的表情包是其隐藏起来的真我，一个国家的表情包里能看到这个国家的表情。‌‌‌‌‍‬‬‌有时候，表情包表达的是不能道破的真实想法和感受，语言和文字的尽头，就是表情包施展的空间。
表情包是网络语言的一种进化，它的产生和流行与其特定的“‌‌‌‌‍‍‍生存环境”有关。其追求醒目、新奇、谐谑等效果的特点，‌‌‌‌‍‌‬与年轻人张扬个性和搞怪的心理相符‌‌‌‌‍‌‬。
表情包之所以能够大范围地传播，‌‌‌‌‍‬‍是因为其弥补了文字交流的枯燥和态度表达不准确的弱点，有效地提高了沟通效率。部分表情包具有替代文字的功能，‌‌‌‌‍‍‍还可以节省打字时间‌‌‌‌‍‌‌。随着智能手机的全面普及和社交应用软件的大量使用，表情包已经高频率地出现在人们的网络聊天对话当中。

其中包含不可见字符，猜测零宽字符解密Unicode Steganography with Zero-Width Characters

直接默认配置，解密得到密文

hurryup

之后解码第二段密文，为quoted-printable，解密后与第一段完全相同。

解码第三段密文，为jpg图片的base64编码。

010Editor解码后，拿到一张图片，Miss Spider's（怪吓人的）

一段密文，一张图片，fuzz一下发现是OurSecret

拿到flag

flag{f3a5dc36-ad43-d4fa-e75f-ef79e2e28ef3}

JumpJumpTiger

ida打开，发现hint

int  main(int argc, const char **argv, const char **envp)
{int v4[100]; // [rsp+20h] [rbp-60h]int v5[101]; // [rsp+1B0h] [rbp+130h]int v6; // [rsp+344h] [rbp+2C4h]int v7; // [rsp+348h] [rbp+2C8h]int i; // [rsp+34Ch] [rbp+2CCh]printf("This is your hint!!!");v7 = 0;v6 = 0;for (i = 0; i <= 99; ++i){if (i & 1)v4[v6++] = i;elsev5[v7++] = i;}return 0;
}

大致意思是奇数位置和偶数位置分离。

010Editor打开查看到jump.exe里面含有大量疑似base64编码，并且在编码中可以搜索到两个=号，结合hint联想为两端编码奇偶交叉，提取出来进行分离。

file = open("in.txt")
file2 = open("out.txt","r+")
for line in file:tmp = lineprint(tmp)s = ''for i in range(len(tmp)):if i & 2 == 1:#if i % 2 == 1:s += tmp[i]file2.write(s)print(len(s))

去除第一串末尾大量0，刚好拿到两串base64编码均以=号结尾。base64解码后拿到一张jpg图片一张png图片，两张图片几乎完全相同。

直接尝试盲水印，以png作为加密图，jpg作为原图。

python3 b.py decode 1.jpg 2.png out.png

拿到盲水印图，flag直接就写在上面。

flag{72f73bbe-9193-e59a-c593-1b1cb8f76714｝

where_can_find_code

给了一个附件，名字叫code.asc，内容如下。

<main>Where can find code?</main>
<style>@font-face {src: url("https://www.axis-praxis.org/fonts/webfonts/MetaVariableDemo-Set.woff2")format("woff2");font-family: "Meta";font-style: normal;font-weight: normal;}body {box-sizing: border-box;margin: 0;padding: 0;display: flex;justify-content: space-evenly;align-items: center;background-color: #8357eb;width: 100vw;height: 100vh;}main {transition: all 0.5s;-webkit-text-stroke: 4px #d6f4f4;font-variation-settings: "wght" 900, "ital" 1;font-size: 15rem;text-align: center;color: transparent;font-family: "Meta", sans-serif;text-shadow: 10px 10px 0px #07bccc,15px 15px 0px #e601c0,20px 20px 0px #e9019a,25px 25px 0px #f40468,45px 45px 10px #482896;cursor: pointer;}main:hover {font-variation-settings: "wght" 100, "ital" 0;text-shadow: none;}
</style>
<font>
format("Translate the letter J into I");
dpeb{e58ca5e2-2c51-4eef-5f5e-33539364deoa}
</font>

fuzz一下发现是wb隐写，提取出一段数字。

20810842042108421

只由01248组成，云隐密码，上网搜脚本。

def de_code(c):dic = [chr(i) for i in range(ord("A"), ord("Z") + 1)]flag = []c2 = [i for i in c.split("0")]for i in c2:c3 = 0for j in i:c3 += int(j)flag.append(dic[c3 - 1])return flagdef encode(plaintext):dic = [chr(i) for i in range(ord("A"), ord("Z") + 1)]m = [i for i in plaintext]tmp = [];flag = []for i in range(len(m)):for j in range(len(dic)):if m[i] == dic[j]:tmp.append(j + 1)for i in tmp:res = ""if i >= 8:res += int(i / 8) * "8"if i % 8 >= 4:res += int(i % 8 / 4) * "4"if i % 4 >= 2:res += int(i % 4 / 2) * "2"if i % 2 >= 1:res += int(i % 2 / 1) * "1"flag.append(res + "0")print("".join(flag)[:-1])c = "20810842042108421"
t = de_code(c)
for i in t:print(i, end='')
# BINGO

得到密文BINGO，结合题目附件中

<font>
format("Translate the letter J into I");
dpeb{e58ca5e2-2c51-4eef-5f5e-33539364deoa}
</font>

联想Playfair Cipher，感谢雪姐姐提供的网站QAQ

拿到flag

flag{f58dc5f2-2d51-4ffa-5a5f-33539364efbf}