CTF - Anheng (安恆) February 2019 monthly contest, partial writeup



 

MISC1 - Let's play a game

Challenge:

Level 1: you can tell at a glance that it is Braille; I have done similar problems before.

Decode it on an online site:

??41402abc4b2a76b9719d911017c592. That is odd: what are these ??. Counting them in, it is exactly 32 characters, so it should be an MD5, so just Baidu it. (The MD5 of hello is 5d41402abc4b2a76b9719d911017c592, so the two unreadable characters are 5d.)

The level 1 answer came out. I tried the MD5 value and it was wrong; hello is correct, on to the next level.

Level 2 hint:

I had never seen this kind of thing, so Baidu again.

After downloading this tool, run the command

fastcoll_v1.0.0.5.exe -p C:\windows\notepad.exe -o D:\notepad1.exe D:\notepad2.exe

(Since no filename or anything else was specified, I just copied his command as-is.) fastcoll takes the file passed with -p as a common prefix and writes two output files that differ in content but have the same MD5 digest.

Then just paste the two file paths into the text box.

Dear Professional ; Especially for you - this cutting-edge 
intelligence ! If you no longer wish to receive our 
publications simply reply with a Subject: of "REMOVE" 
and you will immediately be removed from our club . 
This mail is being sent in compliance with Senate bill 
2216 , Title 9 ; Section 306 ! THIS IS NOT MULTI-LEVEL 
MARKETING . Why work for somebody else when you can 
become rich as few as 35 weeks . Have you ever noticed 
more people than ever are surfing the web and people 
will do almost anything to avoid mailing their bills 
. Well, now is your chance to capitalize on this ! 
WE will help YOU decrease perceived waiting time by 
120% & decrease perceived waiting time by 140% . You 
can begin at absolutely no cost to you . But don't 
believe us ! Mrs Jones of Minnesota tried us and says 
"I was skeptical but it worked for me" . We assure 
you that we operate within all applicable laws . Because 
the Internet operates on "Internet time" you must act 
now ! Sign up a friend and your friend will be rich 
too . Warmest regards . Dear Cybercitizen , We know 
you are interested in receiving red-hot announcement 
! We will comply with all removal requests ! This mail 
is being sent in compliance with Senate bill 1619 ; 
Title 2 ; Section 301 . This is NOT unsolicited bulk 
mail ! Why work for somebody else when you can become 
rich within 53 MONTHS ! Have you ever noticed more 
people than ever are surfing the web and more people 
than ever are surfing the web . Well, now is your chance 
to capitalize on this . We will help you use credit 
cards on your website plus decrease perceived waiting 
time by 150% . The best thing about our system is that 
it is absolutely risk free for you ! But don't believe 
us ! Mrs Simpson of Washington tried us and says "Now 
I'm rich, Rich, RICH" . We assure you that we operate 
within all applicable laws ! We beseech you - act now 
! Sign up a friend and your friend will be rich too 
. Thank-you for your serious consideration of our offer 
! Dear Friend ; This letter was specially selected 
to be sent to you ! If you no longer wish to receive 
our publications simply reply with a Subject: of "REMOVE" 
and you will immediately be removed from our mailing 
list . This mail is being sent in compliance with Senate 
bill 2716 , Title 2 ; Section 306 ! This is a ligitimate 
business proposal . Why work for somebody else when 
you can become rich inside 33 weeks . Have you ever 
noticed more people than ever are surfing the web plus 
more people than ever are surfing the web . Well, now 
is your chance to capitalize on this ! WE will help 
YOU SELL MORE and process your orders within seconds 
. You can begin at absolutely no cost to you . But 
don't believe us ! Mrs Jones of Kentucky tried us and 
says "I was skeptical but it worked for me" ! This 
offer is 100% legal ! We implore you - act now . Sign 
up a friend and you'll get a discount of 50% . God 
Bless . 

The challenge hinted that you need an online site to decode it, and that the site uses a "grille cipher".

I had never heard of grille ciphers either, so Baidu once more.

Searching for the keyword Spam Mimic leads to http://www.spammimic.com/, which decodes it.

flag: flag{a0dd1e2e6b87fe47e5ad0184dc291e04}

 

MISC2 - Simple traffic analysis

Challenge:

Filter on the http protocol and sort by Info.

There is a request for /xinhu/robots.txt.

Follow the HTTP stream to /xinhu/robots.txt.

It reveals abc.html; follow that too.

It contains an MD5 key and two DES keys:

md5 0x99a98e067af6b09e64f3740767096c96

DES 0xb19b21e80c685bcb052988c11b987802d2f2808b2c2d8a0d    (129->143)

DES 0x684a0857b767672d52e161aa70f6bdd07c0264876559cb8b    (143->129)

The arrows mark the two traffic directions; ESP uses a separate security association, and therefore a separate key, for each direction. Going by length, the 16-byte MD5 key is the HMAC-MD5-96 authentication key and each 24-byte "DES" key is a Triple-DES-CBC key (single DES takes an 8-byte key), so the algorithms selected in Wireshark must match those lengths or decryption fails silently.

Continuing down the capture, the remaining traffic is all IPsec (ESP) encrypted, so try decrypting it with the MD5 and DES keys found above.

In Wireshark, open Edit > Preferences > Protocols > ESP, tick "Attempt to detect/decode encrypted ESP payloads" (and "Attempt to check ESP authentication" to have the ICVs verified), and add one SA per direction (addresses, SPI, encryption algorithm and key, authentication algorithm and key), configured as follows:

 

After that, filtering on http again shows that some response packets carry numbers; 102 108 are the ASCII codes for f l, so extract all of them and convert.

a = [102,108,97,103,123,50,55,98,48,51,98,55,53,56,102,50,53,53,50,55,54,101,53,97,57,56,100,97,48,101,49,57,52,55,98,101,100,125]
flag = ''
for i in a:
    flag += chr(i)   # each number is the ASCII code of one flag character
print(flag)

flag: flag{27b03b758f255276e5a98da0e1947bed}
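The decryption step above only works if each key is given the right role. The following is an added example, not code from the original writeup or the challenge: it sorts the keys found in abc.html by length, and shows the integrity check Wireshark performs with the authentication key when "Attempt to check ESP authentication" is on. It builds a constructed ESP packet (SPI, sequence number, and a stand-in for the Triple-DES-CBC ciphertext, since the Python standard library has no 3DES), appends an HMAC-MD5-96 ICV with the page's MD5 key, and verifies it. The SPI value and payload bytes are made up for the demonstration and are not from the capture.

```python
import hashlib
import hmac
import struct

# Key material exactly as found in abc.html (hex, 0x prefix dropped).
AUTH_KEY_HEX = "99a98e067af6b09e64f3740767096c96"
ENC_KEY_129_143_HEX = "b19b21e80c685bcb052988c11b987802d2f2808b2c2d8a0d"
ENC_KEY_143_129_HEX = "684a0857b767672d52e161aa70f6bdd07c0264876559cb8b"

ICV_LEN = 12  # HMAC-MD5-96 (RFC 2403): the 16-byte MAC is truncated to 96 bits


def classify_key(hex_key):
    """Name the ESP role a key can have, judged by its length alone."""
    n = len(bytes.fromhex(hex_key))
    roles = {
        16: "HMAC-MD5-96 authentication key (16 bytes)",
        24: "Triple-DES-CBC encryption key (24 bytes)",
        8: "DES-CBC encryption key (8 bytes)",
    }
    return roles.get(n, "unknown role (%d bytes)" % n)


def build_esp_packet(spi, seq, encrypted_payload, auth_key):
    """ESP on the wire: SPI | sequence number | encrypted payload | ICV.

    The ICV is the HMAC over everything that precedes it (RFC 4303), which is
    what Wireshark recomputes when 'Attempt to check ESP authentication' is on.
    """
    body = struct.pack("!II", spi, seq) + encrypted_payload
    icv = hmac.new(auth_key, body, hashlib.md5).digest()[:ICV_LEN]
    return body + icv


def parse_esp_packet(packet):
    """Split a packet into (spi, seq, encrypted payload, icv)."""
    spi, seq = struct.unpack("!II", packet[:8])
    return spi, seq, packet[8:-ICV_LEN], packet[-ICV_LEN:]


def verify_esp_icv(packet, auth_key):
    """True if the trailing ICV matches HMAC-MD5-96 of the rest of the packet."""
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.md5).digest()[:ICV_LEN]
    return hmac.compare_digest(expected, icv)


def demo():
    """Build one constructed packet, check it, then check a tampered copy."""
    auth_key = bytes.fromhex(AUTH_KEY_HEX)
    # Constructed stand-in for the 3DES-CBC ciphertext: an 8-byte IV followed by
    # two 8-byte blocks. The standard library has no 3DES, so these bytes are not
    # a real encryption of anything; the ICV check does not care.
    fake_ciphertext = bytes(range(8)) + bytes(range(16, 32))
    spi = 0x0000ABCD  # constructed SPI; the real SAs' SPIs are not on the page
    packet = build_esp_packet(spi, 1, fake_ciphertext, auth_key)
    # Flip one bit inside the encrypted payload, as a corrupted capture would.
    tampered = packet[:12] + bytes([packet[12] ^ 0x01]) + packet[13:]
    return verify_esp_icv(packet, auth_key), verify_esp_icv(tampered, auth_key)


if __name__ == "__main__":
    for name, key in [("md5", AUTH_KEY_HEX),
                      ("DES 129->143", ENC_KEY_129_143_HEX),
                      ("DES 143->129", ENC_KEY_143_129_HEX)]:
        print(name, "->", classify_key(key))
    print("genuine packet verifies, tampered packet verifies:", demo())
```

If the ICVs in a capture fail to verify with the 16-byte key, the key is wrong or the authentication algorithm is not HMAC-MD5-96, and there is no point blaming the cipher settings until that is sorted out.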

 

CRYPTO1 - hahaha

Challenge:

An archive challenge. Seeing how short the files inside this archive are (each with its own CRC32), you can already guess it is CRC32 brute-forcing.

Of course you can also rule things out step by step.

First, binwalk analysis shows it is not pseudo-encryption (the encryption flag is genuine), and brute-forcing the password with no hint is not promising.

So go straight to the script; the recovered fragments joined together give tanny_is_very_beautifu1_
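The brute-force script itself is not reproduced on the page, so the following is an added example and not the author's script. It reads the CRC32 and uncompressed size of each entry from the zip's central directory (both fields are stored in the clear even when the entry is password-protected), then tries every string of that length over a chosen alphabet until the CRC matches. The sample archive, its fragments and the alphabet are constructed for the demonstration; the challenge's real fragments and their split are not on the page.

```python
import io
import itertools
import string
import zipfile
import zlib

# Alphabet to try for each byte of the contents; constructed to match the kind of
# text the challenge's fragments turned out to be (lowercase, digits, underscore).
ALPHABET = (string.ascii_lowercase + "_" + string.digits).encode()

# At a fixed length of up to 4 bytes no two inputs share a CRC32, so a hit is
# the genuine content; longer entries can collide and need extra judgement.
MAX_LEN = 4


def read_entry_crcs(zip_bytes):
    """[(name, crc32, uncompressed size)] for every entry in the archive.

    Both fields live in the central directory in the clear, so this works on
    password-protected entries without knowing the password.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [(zi.filename, zi.CRC, zi.file_size) for zi in zf.infolist()]


def crack_crc32(target_crc, length, alphabet=ALPHABET):
    """First string of `length` bytes over `alphabet` whose CRC32 equals target_crc."""
    for combo in itertools.product(alphabet, repeat=length):
        candidate = bytes(combo)
        if zlib.crc32(candidate) == target_crc:
            return candidate
    return None


def recover_contents(zip_bytes, max_len=MAX_LEN):
    """Brute-force every entry of the archive; returns [(name, recovered bytes)]."""
    recovered = []
    for name, crc, size in read_entry_crcs(zip_bytes):
        if size > max_len:
            raise ValueError("%s is %d bytes, above the %d-byte limit" % (name, size, max_len))
        recovered.append((name, crack_crc32(crc, size)))
    return recovered


def build_sample_zip(fragments):
    """Constructed archive with one tiny stored file per fragment.

    It is written unencrypted because zipfile cannot write encrypted entries;
    the CRC/size fields, which are all the attack reads, would be identical.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for i, data in enumerate(fragments):
            zf.writestr("%d.txt" % i, data)
    return buf.getvalue()


# Constructed fragments; the challenge's real split is not on the page.
SAMPLE_FRAGMENTS = [b"tann", b"y_is", b"_ver", b"y_be"]


def joined_sample_text():
    """Run the whole recovery on the sample archive and join the pieces."""
    pieces = recover_contents(build_sample_zip(SAMPLE_FRAGMENTS))
    return b"".join(data for _, data in pieces).decode()


if __name__ == "__main__":
    for name, data in recover_contents(build_sample_zip(SAMPLE_FRAGMENTS)):
        print(name, data)
    print(joined_sample_text())
```

A CRC32 match is only conclusive for entries of four bytes or fewer: at a fixed length up to 4 bytes no two inputs share a CRC32, so the hit is the original content. From five bytes up, collisions appear and you rely on the alphabet restriction (and on whether the joined result reads sensibly) to pick the right candidate; keeping the alphabet small also keeps the run time down, since the search grows as alphabet_size to the power of the length.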

Haha.

Following the hint given, the flag should be flag{1or! 2or@ sechn}, that is, flag{} around a permutation of one of 1/!, one of 2/@ and the letters sechn.

Then a SHA1 value was given, so it has to be brute force...

I stopped here at the time, because I couldn't write the script.

Below is the script from 一葉飄零 (a master):

 

import itertools
import hashlib

TARGET = 'e6079c5ce56e781a50f4bf853cdb5302e0d8f054'  # SHA1 given by the challenge

def sha1(s):
    # hashlib works on bytes, so encode the candidate string first
    return hashlib.sha1(s.encode()).hexdigest()

a1 = '1!'   # the flag contains either 1 or !
a2 = '2@'   # and either 2 or @
for c1 in a1:
    for c2 in a2:
        chars = c1 + c2 + 'sechn'          # the seven characters to permute
        for perm in itertools.permutations(chars):
            res = 'flag{' + ''.join(perm) + '}'
            # print(sha1(res))
            if sha1(res) == TARGET:
                print(res)
                break

flag: flag{sh@1enc}

Summary: I didn't get the web challenges (too weak), pwn I have only just started so I didn't even look, and I didn't solve crypto 2 either, it needs too big a leap of imagination. Also, respect to 飄零 師傅.

 

Reference: https://www.anquanke.com/post/id/171543

 

