1. 2024 Zhejiang Provincial Competition Writeup

1. real signin

We get an out.png; running zsteg over it shows:

(screenshot: 2024-12-08 135507)

which yields a ciphertext:

```
dEFfc1dGq1pxMgMWnihrMx9mewNgdvIWMvctrc
```

and an alphabet:

```
ABCDEFGHIJKLMNabcdefghijklmnopqrstuvwxyzOPQRSTUVWXYZ0123456789+/
```

This looks like base64 with a custom alphabet; decoding it gives the flag: DASCTF{We1C0me_2_ZJCTF2024!}
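Decoding with the custom alphabet, as an added Python example (not code from the original writeup): each symbol of the recovered table is translated to its standard counterpart and the standard decoder does the rest; the function names are mine.

```python
import base64

STANDARD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# Table recovered by zsteg above: the a-z block has been moved in front of O-Z.
CUSTOM = "ABCDEFGHIJKLMNabcdefghijklmnopqrstuvwxyzOPQRSTUVWXYZ0123456789+/"
CIPHERTEXT = "dEFfc1dGq1pxMgMWnihrMx9mewNgdvIWMvctrc"


def custom_b64decode(data, alphabet):
    """Decode base64 text written with a non-standard 64-symbol alphabet."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain 64 distinct symbols")
    unknown = set(data.rstrip("=")) - set(alphabet)
    if unknown:
        raise ValueError(f"characters not in alphabet: {sorted(unknown)}")
    # Symbol i of the custom table carries the same 6-bit value as symbol i
    # of the standard table, so a character-for-character translation is enough.
    translated = data.rstrip("=").translate(str.maketrans(alphabet, STANDARD))
    # Restore the padding the encoder may have dropped (38 chars -> "==").
    translated += "=" * (-len(translated) % 4)
    return base64.b64decode(translated)


if __name__ == "__main__":
    print(custom_b64decode(CIPHERTEXT, CUSTOM).decode())
```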

2. Confidential document

We get an encrypted archive; its compression method is store, so a known-plaintext attack is the likely route.

(screenshot: 2024-12-08 140955)

> [!NOTE]
> When a file named flag.txt is packed into a ZIP, the file name appears in the archive's local file header at a fixed offset of 30.
> By default, flag.zip is also used as the name of that archive.

The known plaintext fragments are:

- "flag.txt", 8 bytes, at offset 30
- the ZIP signature itself, 50 4B 03 04, 4 bytes

which satisfies the 12-byte requirement.
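Why exactly those 12 bytes are predictable, as an added Python example (not code from the original writeup): it builds a stored archive containing flag.txt as a constructed sample and reads its 30-byte local file header with the standard library to show the signature at offset 0 and the name at offset 30; the function names are mine.

```python
import io
import struct
import zipfile

# Local file header: signature, version, flags, method, time, date, crc32,
# compressed size, uncompressed size, name length, extra length = 30 bytes.
LOCAL_HEADER = "<4sHHHHHIIIHH"
LOCAL_HEADER_LEN = struct.calcsize(LOCAL_HEADER)  # 30
LOCAL_SIG = b"PK\x03\x04"


def build_stored_zip(name, payload):
    """Constructed sample: a stored (method 0) archive like the inner zip in the challenge."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def local_header(archive):
    fields = struct.unpack_from(LOCAL_HEADER, archive, 0)
    if fields[0] != LOCAL_SIG:
        raise ValueError("not a zip local file header")
    return fields


def compression_method(archive):
    """0 means store: the entry bytes are kept verbatim, so known bytes line up 1:1."""
    return local_header(archive)[3]


def predictable_bytes(archive):
    """Bytes known without any password: the fixed signature at offset 0 and the
    entry name, whose length is the 10th header field, starting at offset 30."""
    name_len = local_header(archive)[9]
    name = archive[LOCAL_HEADER_LEN:LOCAL_HEADER_LEN + name_len]
    return [(0, LOCAL_SIG), (LOCAL_HEADER_LEN, name)]


def known_plaintext_length(archive):
    return sum(len(chunk) for _, chunk in predictable_bytes(archive))


if __name__ == "__main__":
    sample = build_stored_zip("flag.txt", b"constructed sample content")
    print(predictable_bytes(sample), known_plaintext_length(sample))
```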

Here -C is followed by the original zip, -c by the zip inside it that has to be recovered, and -x by the known plaintext: 30 is the offset, and 7468655F7365637265745F796F755F6E657665725F657665725F6B6E6F775F6861686168616861 is the hex of the_secret_you_never_ever_know_hahahaha, i.e. what you see when the file is opened in 010. The next -x 0 is the offset of the ZIP signature, and 504B0304 is its hex representation.

The recovered keys are:

```
b8edf1ff c1f93a7e f93d08e0
```

With the three internal keys, the archive password can be changed:

(screenshot: 2024-12-08 141849)

The password was changed to 123.

After extraction we get a .docm document, which suggests macros; opening it in WPS shows:

(screenshot: 2024-12-08 142113)

The macro can be viewed in WPS or with olevba.

In WPS:

(screenshot: 2024-12-08 142319)

With olevba:

(screenshot: 2024-12-08 143620)

Either way, the macro code is:

```vb
Sub key()
    Dim decValues As Variant
    Dim str As String
    Dim result As String
    Dim i As Integer
    Dim xorValue As Integer

    decValues = Array(26, 25, 28, 0, 16, 1, 74, 75, 45, 29, 19, 49, 61, 60, 3)
    str = "outguess"
    result = ""

    ' XOR each value with the repeating key "outguess"; Mid() is 1-based
    For i = LBound(decValues) To UBound(decValues)
        xorValue = decValues(i) Xor Asc(Mid(str, (i Mod Len(str)) + 1, 1))
        result = result & Chr(xorValue)
    Next i

    ' result holds the decoded string but is never written anywhere
End Sub
```

This is an XOR routine; it can be decoded with a quick script or in CyberChef.

CyberChef gives:

(screenshot: 2024-12-08 144013)

```
ulhged98BhgVHYp
```
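The same decode as a quick script, as an added Python example (not the writeup's own code): it reproduces the VBA loop above on the macro's array and key, including the 1-based Mid() index; the function names are mine.

```python
# Values lifted from the macro: its decValues array and the key string.
DEC_VALUES = [26, 25, 28, 0, 16, 1, 74, 75, 45, 29, 19, 49, 61, 60, 3]
KEY = "outguess"


def decode_macro(values, key):
    """Reproduce the VBA loop: Chr(decValues(i) Xor Asc(Mid(str, (i Mod Len(str)) + 1, 1))).
    Mid() is 1-based, so (i Mod Len(str)) + 1 is simply key[i % len(key)] here."""
    if not key:
        raise ValueError("key must not be empty")
    return "".join(chr(value ^ ord(key[i % len(key)])) for i, value in enumerate(values))


def encode_macro(text, key):
    """Inverse direction, useful to confirm a candidate key round-trips: XOR is its own inverse."""
    if not key:
        raise ValueError("key must not be empty")
    return [ord(ch) ^ ord(key[i % len(key)]) for i, ch in enumerate(text)]


if __name__ == "__main__":
    print(decode_macro(DEC_VALUES, KEY))
```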

Since the macro hinted at outguess, rename the .docm to .zip and take the image image1.jpeg from word/media.

outguess does not accept the .jpeg extension, so rename the file to .jpg.

![2024-12-08 144645](./2024浙江省省赛复现/2024-12-08 144645.png)

Flag: DASCTF{B1g_S3CR3t_F0R_Y0u}

3. EZtraffic

Analysing the capture, the SMB traffic carries file transfers; export them.

(screenshot: 2024-12-16 225216)

There are three archives, but only one of them, final_out, is the final zip.

Better not to use foremost or binwalk here: you will find the carved archives are missing data.

Opening the archive shows:

(screenshot: 2024-12-16 225430)

The archive comment reads:

```
NTLM v2 plaintext + \d{5}
```

Only later did I learn this means extracting the NTLMv2 hash and cracking it; see lunatic's blog post here.

The + \d{5} indicates that five digits follow the password, to be brute-forced.

tshark (bundled with Kali) can export the relevant fields:

```shell
tshark -n -r eztraffic.pcapng -Y 'ntlmssp.messagetype == 0x00000003' -T fields -e ntlmssp.auth.username -e ntlmssp.auth.domain -e ntlmssp.ntlmv2_response.ntproofstr -e ntlmssp.auth.sesskey -e smb2.sesid
```

which gives:

(screenshot: 2024-12-16 230745)

What we need is username::domain:ServerChallenge:NTproofstring:modifiedntlmv2response, saved to a txt file in exactly that form.

```
rockyou                            # username
MicrosoftAccount                   # domain
db12ced50faf52f141636e80205e8f28   # ntlmssp.ntlmv2_response.ntproofstr (NTProofStr)
66aa2c3634e34e6e330949b82d4d2a64   # ntlmssp.auth.sesskey (session key, not part of the hash line)
```

The modifiedntlmv2response has to be found by going back into the capture.

First filter on:

```
ntlmssp
```

Many packets show up; one of them is NTLMSSP_AUTH.

Find the NTLMv2 Response inside it:

(screenshot: 2024-12-16 235130)

Everything except the NTProofStr is the modifiedntlmv2response we are after (copy it as a hex value).

The final line is:

```
rockyou::MicrosoftAccount:4936df20962cae6d:db12ced50faf52f141636e80205e8f28:01010000000000003604281b951fdb017b4045aa008508eb0000000002001e00440042004500440036004200350041002d0035003100430032002d00340001001e00440042004500440036004200350041002d0035003100430032002d00340004004800640062006500640036006200350061002d0035003100630032002d0034003100650063002d0061006400380034002d0064006400320062003500370030006400350030003900360003004800640062006500640036006200350061002d0035003100630032002d0034003100650063002d0061006400380034002d00640064003200620035003700300064003500300039003600070008003604281b951fdb01060004000200000008003000300000000000000001000000002000008029a5d8256e5c2762f439df5c06f3bc411fb0faeb3a6fa52d9273c57b09f2d10a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e0031002e00380031000000000000000000
```
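Assembling that line programmatically, as an added Python example (not code from the writeup): it splits the NTLMv2 Response into NTProofStr and blob at the 16-byte boundary, checks the blob header so a wrong split is caught, and decodes the blob's timestamp, which helps tie the authentication to other events in the capture. The values are the ones from the capture above; the function names are mine.

```python
import struct
from datetime import datetime, timedelta, timezone

# Values from the capture above.
USER = "rockyou"
DOMAIN = "MicrosoftAccount"
SERVER_CHALLENGE = "4936df20962cae6d"            # 8 bytes, from the NTLMSSP_CHALLENGE message
NTPROOFSTR = "db12ced50faf52f141636e80205e8f28"  # ntlmssp.ntlmv2_response.ntproofstr
# The "modified ntlmv2 response": everything in the NTLMv2 Response after NTProofStr.
BLOB = "01010000000000003604281b951fdb017b4045aa008508eb0000000002001e00440042004500440036004200350041002d0035003100430032002d00340001001e00440042004500440036004200350041002d0035003100430032002d00340004004800640062006500640036006200350061002d0035003100630032002d0034003100650063002d0061006400380034002d0064006400320062003500370030006400350030003900360003004800640062006500640036006200350061002d0035003100630032002d0034003100650063002d0061006400380034002d00640064003200620035003700300064003500300039003600070008003604281b951fdb01060004000200000008003000300000000000000001000000002000008029a5d8256e5c2762f439df5c06f3bc411fb0faeb3a6fa52d9273c57b09f2d10a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e0031002e00380031000000000000000000"
NTLMV2_RESPONSE = NTPROOFSTR + BLOB  # what Wireshark shows as "NTLMv2 Response"


def split_ntlmv2_response(response_hex):
    """NTLMv2 Response = NTProofStr (16 bytes, HMAC-MD5) || client blob."""
    resp = bytes.fromhex(response_hex)
    if len(resp) < 16 + 28:  # 28 bytes is the fixed part of the blob before the AV pairs
        raise ValueError("NTLMv2 response too short")
    ntproofstr, blob = resp[:16], resp[16:]
    # The blob starts with RespType=1, HiRespType=1, two reserved zero bytes.
    if blob[:4] != b"\x01\x01\x00\x00":
        raise ValueError("unexpected blob header; the NTProofStr boundary is wrong")
    return ntproofstr.hex(), blob.hex()


def blob_timestamp(blob_hex):
    """Client timestamp: a little-endian Windows FILETIME at blob offset 8."""
    filetime, = struct.unpack_from("<Q", bytes.fromhex(blob_hex), 8)
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)


def netntlmv2_line(user, domain, server_challenge_hex, response_hex):
    """hashcat -m 5600 format: user::domain:serverchallenge:ntproofstr:blob."""
    if len(bytes.fromhex(server_challenge_hex)) != 8:
        raise ValueError("server challenge must be 8 bytes")
    ntproofstr, blob = split_ntlmv2_response(response_hex)
    return f"{user}::{domain}:{server_challenge_hex}:{ntproofstr}:{blob}"


if __name__ == "__main__":
    print(netntlmv2_line(USER, DOMAIN, SERVER_CHALLENGE, NTLMV2_RESPONSE))
    print(blob_timestamp(BLOB).isoformat())
```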

Save the line to hash.txt and crack it with hashcat:

```shell
.\hashcat -m 5600 hash.txt rockyou.txt
# 5600 is the NetNTLMv2 mode
# rockyou is a wordlist found on GitHub; it is fairly large
```

(screenshot: 2024-12-17 002646)

Password:

```
haticehatice
```

Next comes the 5-digit mask brute force; ARP gets it in seconds.

(screenshot: 2024-12-17 003142)

The password is haticehatice12580. Extracting the archive yields 100 image fragments, so this is a jigsaw.

(screenshot: 2024-12-17 133927)

The pieces must carry an ordering, otherwise they would be far too hard to assemble.

In stegsolve's red plane 0 we see:

(screenshot: 2024-12-17 134555)

Scanning the QR code gives:

(screenshot: 2024-12-17 135101)

So each piece has to be renamed according to its order.

Then stitch them together with a script (borrowed):

```python
from PIL import Image
from pyzbar.pyzbar import decode
import os


def extract_lsb(imgname):
    # Collect the least significant bit of the red channel of every pixel,
    # column by column, into one bit string.
    r = []
    img = Image.open(imgname)
    width, height = img.size
    for x in range(width):
        for y in range(height):
            pixel = img.getpixel((x, y))
            r.append(str(pixel[0] & 1))
            # print(pixel)
    bin_data = ''.join(r)
    return bin_data


def bin2img(bin_data):
    # Render the bit string as a 50x50 black/white image (the hidden QR code).
    imgname = "tmp.png"
    pixels = []
    img = Image.new("RGB", (50, 50))
    for item in bin_data:
        if item == '0':
            pixels.append((0, 0, 0))
        else:
            pixels.append((255, 255, 255))
    img.putdata(pixels)
    # img.show()
    img = img.resize((500, 500))
    # Enlarge the image so pyzbar can recognise it later
    img.save(imgname)
    return imgname


def read_qrcode(imgname):
    img = Image.open(imgname)
    decode_data = decode(img)
    # print(decode_data)
    res = decode_data[0].data.decode()
    os.remove(imgname)
    return res


def rename_img():
    # Rename every fragment to the number encoded in its hidden QR code.
    filenames = os.listdir("./final_out")
    for filename in filenames:
        src_img = "./final_out/" + filename
        try:
            bin_data = extract_lsb(src_img)
            imgname = bin2img(bin_data)
            res = read_qrcode(imgname)
            dst_img = f"./final_out/{res}.png"
            os.rename(src_img, dst_img)
            print(f"[+] {src_img} ===> {dst_img} down!!!")
        except Exception:
            print(f"[-] {src_img} Error!!!")


def merge_img():
    # Paste the 100 numbered 50x50 pieces into a 10x10 grid.
    cols = 10
    rows = 10
    img_list = []
    new_img = Image.new("RGB", (500, 500))

    for i in range(1, 101):
        img = Image.open(f"./final_out/{i}.png")
        img_list.append(img)

    for y in range(rows):
        for x in range(cols):
            idx = y * cols + x
            img = img_list[idx]
            x_offset = x * 50
            y_offset = y * 50
            new_img.paste(img, (x_offset, y_offset))

    # new_img.show()
    new_img.save("flag.png")


if __name__ == "__main__":
    # rename_img()
    merge_img()
```

Final result:

(screenshot: 2024-12-17 135936)

4. FinalSign

Visible in the article:

```
2c243f2f3b3114345d0a0909333f06100143023b2c55020912
```

The article also contains SNOW whitespace steganography, which hides the XOR key:

(screenshot: 2024-12-10 110816)

After that, CyberChef produces the result:

(screenshot: 2024-12-10 111131)

5. Black or white (非黑即白)

We get a file with no extension; opening it in 010 shows it is a GIF stored in reverse order.

Reverse it back with puzzlesolver to obtain the GIF, then split it into frames: every frame is a plain black or white image:

(screenshot: 2024-12-10 113100)

This should be binary data; extract it with a script (borrowed):

```python
from PIL import Image

# Each frame is a plain black or white image: read the red channel of the
# top-left pixel and treat a dark frame as 0 and a bright one as 1.
data_list = ""
for i in range(1536):
    filename = f"{i}.png"
    tmp_img = Image.open(filename)
    tmp_pixel = tmp_img.getpixel((0, 0))[0]
    # print(tmp_pixel)
    if tmp_pixel < 200:
        data_list += '0'
    else:
        data_list += '1'

print(data_list)
```

Run it in the same directory as the frame images; the output is:

```
010100000100101100000011000001000001010000000000000000010000000000000000000000001110101101011000010110010101100110011101110010111100011110011010001010100000000000000000000000000001111000000000000000000000000000001000000000000000000000000000011001100110110001100001011001110010111001110100011110000111010011110111100011000101111101011100101100011111010111101011001110111011111100000011011000010010111010010100010101110011110000101000000001011101110000101101101111111111010011001000001111111101001010100111110011110011101001100011011000001110111001110001011101111111101100000110101011010110101110101100001001100000100010101011010111100001000001010000010010110000000100000010001111110000000000010100000000000000000100000000000000000000000011101011010110000101100101011001100111011100101111000111100110100010101000000000000000000000000000011110000000000000000000000000000010000000000000100100000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000011001100110110001100001011001110010111001110100011110000111010000001010000000000010000000000000000000000000000000000000000000000000000100000000000110000000000001011000011101010101010000000001100010110010011011011011000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001010000010010110000010100000110000000000000000000000000000000000000000100000000000000010000000001011010000000000000000000000000010100000000000000000000000000000000000000000000
```
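Turning the frame bits back into a file without CyberChef, as an added Python example (not code from the writeup): the same threshold rule as the extraction script, bit packing with a length check, and a look at the resulting zip's entries and their encryption flag. The sample archive is constructed in the block; the function names are mine.

```python
import io
import zipfile

LOCAL_SIG = b"PK\x03\x04"


def pixel_to_bit(red_value):
    """Same rule as the extraction script: a dark frame is 0, a bright one is 1."""
    return "0" if red_value < 200 else "1"


def bits_to_bytes(bits):
    """Pack a '0'/'1' string MSB-first; 1536 frames give 192 bytes."""
    if len(bits) % 8:
        raise ValueError(f"{len(bits)} bits is not a whole number of bytes")
    if set(bits) - {"0", "1"}:
        raise ValueError("input contains characters other than 0 and 1")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def bytes_to_bits(data):
    return "".join(f"{b:08b}" for b in data)


def inspect_zip_bits(bits):
    """Decode the frame bits; if they form a zip, map each entry to its encrypted flag."""
    data = bits_to_bytes(bits)
    if not data.startswith(LOCAL_SIG):
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # bit 0 of the general purpose flags marks a password-protected entry
        return {info.filename: bool(info.flag_bits & 0x1) for info in zf.infolist()}


def sample_bits():
    """Constructed sample: a small stored archive rendered as frame bits."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("flag.txt", "constructed sample, not the real flag")
    return bytes_to_bits(buf.getvalue())


if __name__ == "__main__":
    print(inspect_zip_bits(sample_bits()))
```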

Pasting this into CyberChef shows it is an archive; download it:

(screenshot: 2024-12-10 113656)

The GIF frame delays hide the password:

(screenshot: 2024-12-10 113936)

Remove the trailing 0 and convert to ASCII in CyberChef:

(screenshot: 2024-12-10 114346)

Unzipping with that password gives the flag: DASCTF{H3r3_1s_C0L0rful_W0rld}

6. 天命人 (The Destined One)

The zip contains 6 files; opening them in 010 shows that a single zip has been shuffled and split into 6 parts.

Script to reassemble them into one zip (the parts must first be renamed by hand into the correct order):

```python
# Read the six pieces (renamed 1..6 by hand in the right order) and
# interleave their bytes round-robin: byte i of the original zip came
# from piece (i mod 6), so the pieces are read in lockstep.
with open("1", "rb") as f:
    data1 = f.read()
with open("2", "rb") as f:
    data2 = f.read()
with open("3", "rb") as f:
    data3 = f.read()
with open("4", "rb") as f:
    data4 = f.read()
with open("5", "rb") as f:
    data5 = f.read()
with open("6", "rb") as f:
    data6 = f.read()
print(len(data1))
print(len(data2))
print(len(data3))
print(len(data4))
print(len(data5))
print(len(data6))

res = []
# The loop bound only needs to be at least the length of the longest piece;
# the IndexError ends the interleaving once the pieces run out.
for i in range(387797):
    try:
        res.append(data1[i])
        res.append(data2[i])
        res.append(data3[i])
        res.append(data4[i])
        res.append(data5[i])
        res.append(data6[i])
    except IndexError:
        pass
print(len(res))
with open("1.zip", "wb") as f:
    f.write(bytes(res))
```
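The general form of the reassembly, as an added Python example (not code from the writeup), going beyond the script above: a round-robin merge for any number of pieces of unequal length, plus a search over piece orderings that accepts only the one whose zip CRCs all verify, so the manual renaming step can be checked or skipped. The sample zip is constructed inline; the function names are mine.

```python
import io
import itertools
import zipfile

LOCAL_SIG = b"PK\x03\x04"


def split_round_robin(data, n):
    """How the challenge pieces relate to the original: piece k holds bytes k, k+n, k+2n, ..."""
    return [data[k::n] for k in range(n)]


def merge_round_robin(pieces):
    """Inverse of the split; copes with pieces of unequal length without a fixed loop bound."""
    out = bytearray()
    for column in itertools.zip_longest(*pieces):
        out.extend(b for b in column if b is not None)
    return bytes(out)


def find_order(pieces):
    """Try every ordering and keep the one that yields a zip whose entries all pass the CRC check.
    Returns (permutation, merged bytes) or None; 6 pieces means at most 720 attempts."""
    for perm in itertools.permutations(range(len(pieces))):
        merged = merge_round_robin([pieces[i] for i in perm])
        if not merged.startswith(LOCAL_SIG):
            continue  # cheap filter: the first bytes come from the first pieces
        try:
            with zipfile.ZipFile(io.BytesIO(merged)) as zf:
                if zf.testzip() is None:
                    return perm, merged
        except Exception:  # any parse failure means this ordering is wrong
            continue
    return None


def sample_zip():
    """Constructed sample standing in for the challenge archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("roots.txt", "constructed sample, 24 bytes!")
    return buf.getvalue()


if __name__ == "__main__":
    pieces = split_round_robin(sample_zip(), 6)
    scrambled = [pieces[i] for i in (3, 0, 5, 1, 4, 2)]
    print(find_order(scrambled)[0])
```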

This yields a zip that extracts to two password-protected zips:

(screenshot: 2024-12-10 154544)

The txt inside 根器 is tiny, only 4 bytes, so its CRC can be brute-forced (rename the file first; the name must not contain Chinese characters):

(screenshot: 2024-12-10 154750)

Result: C0M3_4ND_Get_S1X_R00TS!!

Extracting the 未竟 zip, the 金箍棒 image requires extracting the pixels manually; use the script:

```python
import os
import re
import cv2
import argparse
import itertools
import numpy as np


parser = argparse.ArgumentParser()
parser.add_argument('-f', type=str, default=None, required=True,
                    help='输入文件名称')
parser.add_argument('-p', type=str, default=None, required=True,
                    help='输入左上顶点和右下顶点坐标 (如:-p 220x344+3520x2150)')
parser.add_argument('-n', type=str, default=None, required=True,
                    help='输入宽度间隔和高度间隔 (如:-n 44x86)')
parser.add_argument('-size', type=str, default='1x1', required=False,
                    help='输入截取图像的大小 (如:-size 7x7)')
parser.add_argument('-resize', type=int, default=1, required=False,
                    help='输入截取图像放大倍数 (如:-resize 1)')
args = parser.parse_args()

if __name__ == '__main__':
    # -p gives the top-left and bottom-right corners, -n the horizontal and
    # vertical sampling interval, -size the block copied at each sample point.
    if re.search(r"^\d{1,}x\d{1,}\+\d{1,}x\d{1,}$", args.p) and re.search(r"^\d{1,}x\d{1,}$", args.n) and re.search(r"^\d{1,}x\d{1,}$", args.size):
        x1, y1 = map(lambda x: int(x), args.p.split("+")[0].split("x"))
        x2, y2 = map(lambda x: int(x), args.p.split("+")[1].split("x"))
        width, height = map(lambda x: int(x), args.n.split("x"))
        width_size, height_size = map(lambda x: int(x), args.size.split("x"))

        img_path = os.path.abspath(args.f)
        file_name = os.path.basename(img_path)

        img = cv2.imread(img_path, cv2.IMREAD_COLOR)
        row, col = img.shape[:2]

        # One output block per sample point of the grid
        r, c = len(range(y1, y2 + 1, height)), len(range(x1, x2 + 1, width))
        new_img = np.zeros(shape=(r * height_size * args.resize, c * width_size * args.resize, 3), dtype=np.uint8)
        for y, x in itertools.product(range(r), range(c)):
            for y_size in range(height_size):
                for x_size in range(width_size):
                    # new_img[y * height_size + y_size, x * width_size + x_size] = img[y1 + y * height + y_size, x1 + x * width + x_size]
                    pt1 = ((x * width_size + x_size) * args.resize, (y * height_size + y_size) * args.resize)
                    pt2 = ((x * width_size + x_size) * args.resize + args.resize, (y * height_size + y_size) * args.resize + args.resize)
                    color = img[y1 + y * height + y_size, x1 + x * width + x_size].tolist()
                    cv2.rectangle(new_img, pt1=pt1, pt2=pt2, color=color, thickness=-1)

        # cv2.imshow(new_img)
        cv2.imwrite(f"_{file_name}", new_img)
        print("已保存到运行目录中...")
    else:
        print("参数-p或参数-n或参数-size, 输入错误!")
```

Run it as:

```shell
python get_pixels.py -f 1.png -p 5x5+1915x1075 -n 10x10
```

Result:

(screenshot: 2024-12-10 155835)

This is a VeraCrypt-encrypted volume, which has to be mounted.

Mounting requires a key. The keyfile:

(screenshot: 2024-12-12 162453)

Then click Mount, and the flag is visible on drive Z:

(screenshot: 2024-12-12 162657)