Misc

Easy husky

Description

I found someone using my personal computer to do something shady. Fortunately, I have recorded these actions in time, you can check what he did on my computer. The reward is a flag for you.

Download

Solution

Analysis

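Note: this is Windows memory forensics, which differs slightly from Linux.

1. Challenge type: memory forensics

2. Tools: volatility, a hex viewer, python

3. Approach:

a. First determine the profile of the memory image (WinXPSP2x86).

b. Following the challenge description, analyse activity over time (timeliner).

c. flag.txt shows up and probably holds the flag, so filter the output for it.

d. This gives a path and a PID:

C:/Documents and Settings/All Users/Start Menu/Programs/Games/Password hu5ky_4nd_f0r3n51c/Hello/flag.rar | PID: 1352/Cache type "URL " at 0x2795300 End: 2019-06-04 05:34:29 UTC+0000

e. Use memdump to extract flag.rar (PID 1352). The path above suggests a password is needed, which should be hu5ky_4nd_f0r3n51c.

f. The RAR file is stored in reversed byte order, so it has to be reversed; this can be done directly in Python.

g. Extract the RAR and enter the password; the flag is in flag.txt.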

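Steps e and f as an added example (Python 3, not part of the original write-up): find a byte-reversed RAR inside a process dump and restore it. It assumes the RAR 4.x format, whose signature and end-of-archive block are the two constants below; the function names and the sample dump are constructed for illustration.

```python
RAR4_MAGIC = b"Rar!\x1a\x07\x00"              # RAR 4.x signature
RAR4_END = b"\xc4\x3d\x7b\x00\x40\x07\x00"    # RAR 4.x end-of-archive block


def carve_reversed_rar(dump, max_size=1 << 20):
    """Return every RAR 4.x archive stored byte-reversed inside `dump`."""
    rev_magic, rev_end = RAR4_MAGIC[::-1], RAR4_END[::-1]
    archives = []
    pos = dump.find(rev_magic)
    while pos != -1:
        stop = pos + len(rev_magic)       # reversed signature closes the blob
        floor = max(0, stop - max_size)   # bound the backwards search
        # Reversed, the end-of-archive block is the first thing in the blob.
        start = dump.rfind(rev_end, floor, pos)
        if start != -1:                   # no trailer in range: skip this hit
            archives.append(dump[start:stop][::-1])
        pos = dump.find(rev_magic, stop)
    return archives


def demo():
    # Constructed sample: a fake body between real RAR 4.x markers, reversed
    # and surrounded by filler bytes the way it would sit in a memory dump.
    archive = RAR4_MAGIC + b"constructed-body" + RAR4_END
    dump = b"\x00" * 32 + archive[::-1] + b"\xff" * 32
    return archive, carve_reversed_rar(dump)


if __name__ == "__main__":
    original, carved = demo()
    print(carved == [original])
    # For the real dump: read 1352.dmp in binary mode, write carved[0] to
    # file.rar, then extract it with the password taken from the path.
```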
Payload

python vol.py -f husky_memory.raw imageinfo
python vol.py -f husky_memory.raw --profile=WinXPSP2x86 timeliner
python vol.py -f husky_memory.raw --profile=WinXPSP2x86 timeliner | find "flag"
python vol.py -f husky_memory.raw --profile=WinXPSP2x86 memdump -D . -p 1352
xxd 1352.dmp | grep raR -A 1 -B 100  > file.rar
a = a[::-1]  # Python: reverse the carved bytes

flag

ISITDTU{1_l0v3_huskyyyyyyy<3}

Acronym

Description

An acronym is a word or name formed as an abbreviation from the initial components of a phrase…
You will need that.

Detective Pi Output.png

Note: The flag is not in flag format, please wrap it in format when you submit.

Solution

Analysis

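1. Challenge type: image steganography

2. Tools: PCRT (for PNG), bluestego

3. Approach:

a. Use PCRT to extract the hidden image (this can also be done by hand).

b. Use PCRT to repair the extracted image.

c. View each colour channel in Stegsolve.

d. Scan the QR code to get the key: DIFF.

e. Decrypt with bluestego.

Payload

Just follow the steps above.

flag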


Poker game

Description

I know how to play cards but I’m not a professional player, you can https://www.youtube.com/watch?v=-nS1r-EwDnk
File: Poker

Solution

Analysis

Just Google it.

Payload

go run ante.go poker.txt

Then Base64-decode the output.

flag


PIKACHU

Description

basic steganography
pikachu

Hint: just look deepest as you can, you will see the magic thing

Solution

Analysis
Payload

Beautiful girls of DTU

Description

Decode to find beautiful girls of DTU :)
cipher

Solution

Analysis

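1. Challenge type: lateral-thinking puzzle + image steganography

2. Tools: Google Translate, python

3. Approach:

a. Google Translate shows that the text contains only two kinds of sentence: "Welcome to Danang" and "Welcome to Tour on Tour".

b. Treat one as 0 and the other as 1 to get binary, then convert it to ASCII, which gives:

https://mega.nz/#F!q0lRUC4A!y2Rz1qb5yYadO8Q-cdX-Ng

c. The link leads to 20 images.

d. The last two characters of each image are a piece of the flag.

e. Collect them with a script.

Payload

# Python 2: append the last two bytes of 1.jpg .. 20.jpg
flag = ''
for i in range(1, 21):
    flag += open(str(i) + ".jpg", "rb").read()[-2:]
print flag

flag

ISITDTU{c0d3_w1th_b3autiful_g1rls_DTU!!!}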

Programming

Do you like math?

Description

nc 104.154.120.223 8083

Solution

Analysis

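1. Challenge type: pwntools interaction

2. Tools: python2 (with pwntools installed)

3. Approach:

a. A column made up entirely of spaces is the boundary between characters; recognise the characters one by one.

b. Use eval to compute the result.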

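The two steps above as an added, offline example (Python 3, not the author's script): cut an ASCII-art banner at its all-blank columns, map each glyph to a character, and let only digits and `+ - *` reach `eval`. The 5-row font, `render` and all function names are constructed here; the real service draws its own larger glyphs.

```python
import re

# Constructed 5-row font; the real service draws larger glyphs of its own.
FONT = {
    "1": [" # ", "## ", " # ", " # ", "###"],
    "+": ["   ", " # ", "###", " # ", "   "],
    "2": ["## ", "  #", " # ", "#  ", "###"],
}
LOOKUP = {tuple(rows): ch for ch, rows in FONT.items()}


def render(text):
    """Draw `text` with one blank column between glyphs (server stand-in)."""
    return [" ".join(FONT[ch][i] for ch in text) for i in range(5)]


def split_glyphs(rows):
    """Cut the banner at every column that is blank in all rows."""
    width = max(len(r) for r in rows)
    rows = [r.ljust(width) for r in rows]
    blank = [all(r[c] == " " for r in rows) for c in range(width)]
    glyphs, start = [], None
    for c in range(width + 1):
        inside = c < width and not blank[c]
        if inside and start is None:
            start = c                                        # glyph begins
        elif not inside and start is not None:
            glyphs.append(tuple(r[start:c] for r in rows))   # glyph ends
            start = None
    return glyphs


def read_expression(rows):
    """Map each glyph to its character; an unknown shape raises KeyError."""
    return "".join(LOOKUP[g] for g in split_glyphs(rows))


def solve(rows):
    expr = read_expression(rows)
    # The text comes from a remote peer: allow digits and + - * only.
    if not re.fullmatch(r"\d+(?:[+\-*]\d+)*", expr):
        raise ValueError("unexpected expression: %r" % expr)
    return eval(expr, {"__builtins__": {}}, {})
```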
Payload

from pwn import *

hgh = remote('104.154.120.223', 8083)
while True:
    count = []
    try:
        a = hgh.recvuntil('>>>')[:-3]
        print(a)
    except EOFError:
        # No more prompts: the server has sent the flag
        print hgh.recvuntil('}')
        break
    a = a.split('\n')[1:-2]
    # Collect every column that is blank in all 7 rows (character boundaries)
    for i in range(len(a[0])):
        if a[0][i] == ' ':
            flag = 0
            for j in range(1,7):
                if a[j][i] != ' ':
                    flag = 1
                    break
            if flag == 0:
                count.append(i)
    flag = ''

    if count[0] != 1:
        count = [-1] + count
    print(count)
    # Classify each glyph by its width and by the pattern of its first column
    for i in range(len(count)-3):
        tmp1 = count[i]
        tmp2 = count[i+1]
        if tmp1 + 1 == tmp2:
            break
        if tmp2-tmp1 == 6 and a[3][tmp1+1] != '#':
            flag += '1'
            continue
        if tmp2 - tmp1 == 6:
            if a[2][tmp1+3] == '#':
                flag += '+'
                continue
            else:
                flag += '-'
                continue
        if tmp2 - tmp1 == 8:
            if a[0][tmp1+1] == ' ' and a[1][tmp1+1] == '#' and a[2][tmp1+1] == ' ' and a[3][tmp1+1] == ' ' and a[4][tmp1+1] == '#':
                flag += '2'
                continue
            elif a[0][tmp1+1] == '#' and a[1][tmp1+1] == '#' and a[2][tmp1+1] == '#' and a[3][tmp1+1] == '#' and a[4][tmp1+1] == '#':
                flag += '4'
                continue
            elif a[0][tmp1+1] == ' ' and a[1][tmp1+1] == '#' and a[2][tmp1+1] == '#' and a[3][tmp1+1] == ' ' and a[4][tmp1+1] == ' ' and a[5][tmp1+1] == '#' and a[6][tmp1+1] == ' ' :
                flag += '9'
                continue
            elif a[0][tmp1+1] == ' ' and a[1][tmp1+1] == '#' and a[2][tmp1+1] == ' ' and a[3][tmp1+1] == ' ' and a[4][tmp1+1] == ' ' and a[5][tmp1+1] == '#' and a[6][tmp1+1] == ' ' :
                flag += '3'
                continue
            elif a[0][tmp1+1] == ' ' and a[1][tmp1+1] == '#' and a[2][tmp1+1] == '#' and a[3][tmp1+1] == '#' and a[4][tmp1+1] == '#' and a[5][tmp1+1] == '#' and a[6][tmp1+1] == ' ' and a[2][tmp2-1] == ' ':
                flag += '6'
                continue
            elif a[0][tmp1+1] == ' ' and a[1][tmp1+1] == '#' and a[2][tmp1+1] == '#' and a[3][tmp1+1] == ' ' and a[4][tmp1+1] == '#' and a[5][tmp1+1] == '#' and a[6][tmp1+1] == ' ' and a[2][tmp2-1] == '#':
                flag += '8'
                continue
            elif a[0][tmp1+1] == '#' and a[1][tmp1+1] == '#' and a[2][tmp1+1] == ' ' and a[3][tmp1+1] == ' ' and a[4][tmp1+1] == ' ' and a[5][tmp1+1] == ' ' and a[6][tmp1+1] == ' ' :
                flag += '7'
                continue
            elif a[0][tmp1+1] == '#' and a[1][tmp1+1] == '#' and a[2][tmp1+1] == '#' and a[3][tmp1+1] == '#' and a[4][tmp1+1] == ' ' and a[5][tmp1+1] == '#' and a[6][tmp1+1] == ' ' :
                flag += '5'
                continue
            elif a[0][tmp1+1] == ' ' and a[1][tmp1+1] == ' ' and a[2][tmp1+1] == '#' and a[3][tmp1+1] == '#' and a[4][tmp1+1] == '#' and a[5][tmp1+1] == ' ' and a[6][tmp1+1] == ' ' :
                flag += '0'
                continue
            else:
                flag += '*'
                continue
    # flag now holds the recognised expression; evaluate it and answer
    print flag
    hgh.sendline(str(eval(flag)))

flag

ISITDTU{sub5cr1b3_b4_t4n_vl0g_4nd_p3wd13p13}

balls

Description

There are 12 balls, all of equal size, but only 11 are of equal weight, one fake ball is either lighter or heavier. Can you find the fake ball by using a balance scale only 3 times?

nc 34.68.81.63 6666

Solution

Analysis

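1. Challenge type: pwntools interaction

2. Tools: python2 (with pwntools installed)

3. Approach:

a. For how to solve the puzzle above, the answer is here.

b. Write the code following the approach in that link.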

Payload

from pwn import *

hgh = remote('34.68.81.63', 6666)
while True:
    try:
        a = hgh.recvuntil('Weighting 1:')
        print(a)
    except EOFError:
        # No more rounds: the server has sent the flag
        print(hgh.recvuntil('}'))
        break
    # Weighing 1: balls 1-4 against balls 5-8
    hgh.sendline('1,2,3,4 5,6,7,8')
    a = hgh.recvuntil('Weighting 2:')
    print(a)
    if 'The left is heavier than the right' in a:
        # Fake is heavy among 1-4 or light among 5-8
        hgh.sendline('1,2,5,9 3,4,10,11')
        a = hgh.recvuntil('Weighting 3:')
        print(a)
        if 'Both are equally heavy' in a:
            hgh.sendline('6 7')
            a = hgh.recvuntil('The fake ball is :\n')
            print(a)
            if 'Both are equally heavy' in a:
                hgh.sendline('8')
            elif 'The left is heavier than the right' in a:
                hgh.sendline('7')
            else:
                hgh.sendline('6')
        elif 'The left is heavier than the right' in a:
            hgh.sendline('1 3')
            a = hgh.recvuntil('The fake ball is :\n')
            print(a)
            if 'Both are equally heavy' not in a:
                hgh.sendline('1')
            else:
                hgh.sendline('2')
        else:
            hgh.sendline('3 4')
            a = hgh.recvuntil('The fake ball is :\n')
            print(a)
            if 'Both are equally heavy' in a:
                hgh.sendline('5')
            elif 'The left is heavier than the right' in a:
                hgh.sendline('3')
            else:
                hgh.sendline('4')
    elif 'Both are equally heavy' not in a:
        # Right side heavier: fake is heavy among 5-8 or light among 1-4
        hgh.sendline('5,6,1,9 7,8,10,11')
        a = hgh.recvuntil('Weighting 3:')
        print(a)
        if 'Both are equally heavy' in a:
            hgh.sendline('2 3')
            a = hgh.recvuntil('The fake ball is :\n')
            print(a)
            if 'Both are equally heavy' in a:
                hgh.sendline('4')
            elif 'The left is heavier than the right' in a:
                hgh.sendline('3')
            else:
                hgh.sendline('2')
        elif 'The left is heavier than the right' in a:
            hgh.sendline('5 7')
            a = hgh.recvuntil('The fake ball is :\n')
            print(a)
            if 'Both are equally heavy' not in a:
                hgh.sendline('5')
            else:
                hgh.sendline('6')
        else:
            hgh.sendline('7 8')
            a = hgh.recvuntil('The fake ball is :\n')
            print(a)
            if 'Both are equally heavy' in a:
                hgh.sendline('1')
            elif 'The left is heavier than the right' in a:
                hgh.sendline('7')
            else:
                hgh.sendline('8')
    else:
        # Balanced: the fake is among 9-12, and 1 and 2 are known good
        hgh.sendline('9,10 1,2')
        a = hgh.recvuntil('Weighting 3:')
        print(a)
        if 'Both are equally heavy' in a:
            hgh.sendline('11 1')
            a = hgh.recvuntil('The fake ball is :\n')
            print(a)
            if 'Both are equally heavy' in a:
                hgh.sendline('12')
            else:
                hgh.sendline('11')
        else:
            hgh.sendline('9 1')
            a = hgh.recvuntil('The fake ball is :\n')
            print(a)
            if 'Both are equally heavy' in a:
                hgh.sendline('10')
            else:
                hgh.sendline('9')
    print hgh.recvline()

flag

ISITDTU{y0u_hav3_200iq!!!!}

Cryptography

Easy RSA 1

Description

Let’s warm up with RSA
File: easy_rsa1

Solution

Chaos

Description

Could you help me solve this case? I have a tool but do not understand how it works.
nc 104.154.120.223 8085

Solution

Analysis

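1. Challenge type: pwntools interaction

2. Tools: python2 (with pwntools installed)

3. Approach:

a. Test every character, for example:

0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ~`!@#$%^&*()_-+=<,>.?|

and find the pattern.

b. The pattern: it is clear from the code.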

Payload

from pwn import *

hgh = remote('104.154.120.223', 8085)
while True:
    try:
        a = hgh.recvuntil('Your choice: ')
        print(a)
    except EOFError:
        # No more menus: the server has sent the flag
        print hgh.recvuntil('}')
        break
    # Cut out the cipher text: 64 space-separated groups, one per key character
    a = a[a.find('Here is your cipher:') + 21:a.find('WELCOME TO CHAOS TOOL:') - 1]
    a = a.split(' ')
    key = ''
    for i in range(64):
        tmp = a[i]
        # The position of the real character depends on the shape of the group
        if ord(tmp[3]) >= ord('0') and ord(tmp[3]) <= ord('9'):
            key += tmp[0]
        elif ord(tmp[6]) >= ord('A') and ord(tmp[6]) <= ord('Z'):
            if len(tmp) == 14:
                key += tmp[-1]
            else:
                key += tmp[6]
        else:
            key += tmp[3]
    print(key)
    hgh.sendline('2')
    print hgh.recvuntil('Please enter the key to get flag:')
    # Used while probing the tool with every character:
    #print hgh.recvuntil('Enter your message:')
    #hgh.sendline('0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ~`!@#$%^&*()_-+=<,>.?|')
    hgh.sendline(key)

flag

ISITDTU{Hav3_y0u_had_a_h3adach3??_Forgive_me!^^}

Old story

Description

This is an old story about wheat and chessboard, and it’s easy, right?
File: Old_story

Solution

decrypt to me

Description

decrypt to me?????
File: decrypt_to_me

Solution

import msgpack
import gmpy2

N = 23927411014020695772934916764953661641310148480977056645255098192491740356525240675906285700516357578929940114553700976167969964364149615226568689224228028461686617293534115788779955597877965044570493457567420874741357186596425753667455266870402154552439899664446413632716747644854897551940777512522044907132864905644212655387223302410896871080751768224091760934209917984213585513510597619708797688705876805464880105797829380326559399723048092175492203894468752718008631464599810632513162129223356467602508095356584405555329096159917957389834381018137378015593755767450675441331998683799788355179363368220408879117131L

def egcd(a, b):
    # Returns (g, x, y) with a*x + b*y == g
    if a == 0:
        return (b, 0, 1)
    else:
        g, y, x = egcd(b % a, a)
        return (g, x - (b // a) * y, y)

def modinv(a, m):
    g, x, y = egcd(a, m)
    assert g == 1
    return x % m

def pad_even(x):
    return ('', '0')[len(x)%2] + x

def encrypt(ms):
    # Only splits the known plaintext into 256-byte blocks as integers;
    # the commented lines are the challenge's original encryption step
    out = []
    for i in range(0, len(ms), 256):
        m = ms[i:i+256]
        m = int(m.encode('hex'), 16)
        out.append(m)
        # r_s = pad_even(format(r, 'x')).decode('hex')
        # assert m < N
        # c = (pow(k, r, N) * m) % N
        # c_s = pad_even(format(c, 'x')).decode('hex')
        # out.append((r_s, c_s))
    return out

def decrypt(c):
    # Unpack the (r, c) pairs of an encrypted file into two integer lists
    rr = []
    cc = []
    for r_s, c_s in msgpack.unpackb(c):
        r = int(r_s.encode('hex'), 16)
        rr.append(r)
        c = int(c_s.encode('hex'), 16)
        cc.append(c)
    return rr,cc

def decrypt1(c, k):
    # Decrypt every block once k is known: m = k^(-r) * c mod N
    out = ''
    for r_s, c_s in msgpack.unpackb(c):
        r = int(r_s.encode('hex'), 16)
        c = int(c_s.encode('hex'), 16)
        k_inv = modinv(k, N)
        out += pad_even(format(pow(k_inv, r, N) * c % N, 'x')).decode('hex')
    return out

f = open('msg.enc','rb')
r,c = decrypt(f.read())
f.close()
# a*r[0] + b*r[1] == 1; the lines below rely on a > 0 and b < 0
t,a,b = egcd(r[0],r[1])
gg = gmpy2.invert(c[1],N)
hgh = (pow(c[0],a,N)*pow(gg,-b,N))%N    # c0^a * c1^b
f = open('msg.txt','r')
msg = encrypt(f.read())
f.close()
mm = gmpy2.invert(msg[1],N)
hg = (pow(msg[0],a,N)*pow(mm,-b,N)%N)   # m0^a * m1^b
k = (gmpy2.invert(hg,N)*hgh)%N          # (c0/m0)^a * (c1/m1)^b = k
print(k)
f = open('flag.enc','rb')
flag = f.read()
print decrypt1(flag,k)

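The key recovery in the script above, as an added example on toy numbers (Python 3, not the author's code). It uses the scheme from the commented-out lines in `encrypt`, c = k^r * m mod N; the small modulus, key, messages and the function names `encrypt_block`, `recover_key` and `demo` are constructed for illustration.

```python
def egcd(a, b):
    """Return (g, x, y) such that a*x + b*y == g == gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def modinv(a, n):
    g, x, _ = egcd(a % n, n)
    if g != 1:
        raise ValueError("value is not invertible modulo n")
    return x % n


def modpow(base, exp, n):
    """pow() that handles a negative exponent by inverting the base first."""
    return pow(modinv(base, n), -exp, n) if exp < 0 else pow(base, exp, n)


def encrypt_block(m, k, r, n):
    """One block of the scheme: c = k^r * m mod n, with r stored beside c."""
    return pow(k, r, n) * m % n


def recover_key(known, n):
    """known: two (m, r, c) triples from a known plaintext, gcd(r0, r1) == 1."""
    (m0, r0, c0), (m1, r1, c1) = known
    g, a, b = egcd(r0, r1)               # a*r0 + b*r1 == 1
    if g != 1:
        raise ValueError("exponents share a factor; use another pair")
    kr0 = c0 * modinv(m0, n) % n         # k^r0
    kr1 = c1 * modinv(m1, n) % n         # k^r1
    return modpow(kr0, a, n) * modpow(kr1, b, n) % n   # k^(a*r0 + b*r1) = k


def demo():
    # Constructed toy values; the challenge uses the 2048-bit N shown above.
    n, k = 3233, 42
    known = [(m, r, encrypt_block(m, k, r, n)) for m, r in [(65, 17), (66, 12)]]
    secret_r, secret_c = 7, encrypt_block(1234, k, 7, n)
    k_found = recover_key(known, n)
    plaintext = secret_c * modpow(k_found, -secret_r, n) % n
    return k_found, plaintext
```

The recovery works because every block stores r next to c and all files share one k, so a single known plaintext/ciphertext pair of files gives up k for every other file.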
Easy RSA 2

Description

Let’s continue with RSA
File: easy_rsa2

Solution