DASCTFXFATE2022

​ 本次月赛是和校队的师傅一起参加的,学到不少东西。进行记录和复现。

MISC

SimpleFlow

​ 分离zip文件,将第50组左右的tcp流里的base进行解密找到压缩命令(-p后边就是压缩包密码),打开压缩包得到flag。

熟悉的猫

​ 关于kdbx文件,先了解一下参考资料。其为KeepPass的密码数据文件,所以用KeepPass来打开。但没有告诉密码,可以使用passware(windows密码恢复工具)恢复:

​ 用KeepPass打开查看密码为 jbRw5PB2kFmor6IeYYil ,用这个解压压缩包得到png和txt。题目为”熟悉的猫”,加上图片特征,显然是猫脸变换,简单学习了下,有几个关键点:

​ 1.通过对像素坐标多次乘上变换矩阵(乘一次就进行一次变换)得到变换以后的图像,即像素值不变,位置改变。

​ 2.猫脸变换具有周期性,对变换k次的图像再进行周期T-k次变换后可恢复原图。更好的做法是对变换矩阵求逆矩阵,左乘k次逆即可恢复。

​ 3.这样的变换类似于图像加密,变换次数为密钥key。

​ txt中有一串很长的k值,这里有两部分利用:

​ 1.零宽解出字符 22*160。

​ 2.k值很长,猜测是塔珀自指公式

​ 脚本改改参数即可:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
import numpy as np
import matplotlib.pyplot as plt
from PIL import Image
def Tupper_self_referential_formula(k):
    aa = np.zeros((22, 160))
    def f(x, y):
        y += k
        a1 = 2 ** -(-22 * x - y % 22)
        a2 = (y // 22) // a1
        return 1 if a2 % 2 > 0.5 else 0
    for y in range(22):
        for x in range(160):
            aa[y, x] = f(x, y)
    return aa[:, ::-1]
k = 92898203278702907929705938676672021500394791427205757369123489204565300324859717082409892641951206664564991991489354661871425872649524078000948199832659815275909285198829276929014694628110159824930931595166203271443269827449505707655085842563682060910813942504507936625555735585913273575050118552353192682955310220323463465408645422334101446471078933149287336241772448338428740302833855616421538520769267636119285948674549756604384946996184385407505456168240123319785800909933214695711828013483981731933773017336944656397583872267126767778549745087854794302808950100966582558761224454242018467578959766617176016660101690140279961968740323327369347164623746391335756442566959352876706364265509834319910419399748338894746638758652286771979896573695823608678008814861640308571256880794312652055957150464513950305355055495262375870102898500643010471425931450046440860841589302890250456138060738689526283389256801969190204127358098408264204643882520969704221896973544620102494391269663693407573658064279947688509910028257209987991480259150865283245150325813888942058
aa = Tupper_self_referential_formula(k)
plt.figure(figsize=(15, 10))
plt.imshow(aa, origin='lower')
plt.savefig("tupper.png")
img = Image.open('tupper.png')
# 翻转
dst1 = img.transpose(Image.FLIP_LEFT_RIGHT).rotate(180)
plt.imshow(dst1)
plt.show()

​ 得到的图片中可见参数33,121,144,做一个arnold置乱(a=121,b=144),但33貌似没有用,因为第一轮就可以得到flag了:

​ 脚本:Arnold-Python

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
import numpy as np
import cv2
r = 800 # 图像宽高
a = 121
b = 144
img = cv2.imread("flag.png", 1)
p = np.zeros([r, r, 3], np.uint8)
def dearnold(img):
    for x in range(0, r):
        for y in range(0, r):
            xx = -((a * b + 1) * x - b * y) % r
            yy = -(-a * x + y) % r
            p[xx][yy] = img[x][y]
    return p
for i in range(0, 33):
    p = dearnold(img)
    img = p
    cv2.imwrite(str(i) + ".png",p)

冰墩墩

​ 脚本解压:

1
2
3
4
5
6
7
import zipfile

zipfilename = 'BinDunDun.zip'
z = zipfile.ZipFile(zipfilename, 'r') # r表示解压
name_list = z.namelist() # 压缩包内的文件名,这里就是BinDunDun
for i in name_list:
    z.extract(i, path='zip\\')

​ 有超级多个txt文件,每个txt中含有01序列和下一个txt文件名:

1
101000001001011 =>The txt you should view is m9312r95cr.txt # 01序列补成16位刚好是504b

​ 经过观察发现需要把每个txt中的01序列补成16位。用脚本批量处理(套宝的):

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
import re
flag = ''
next = 'zip/BinDunDun/start.txt'
i = 0

while len(next) != 0:
    try:
        # 正则过滤
        f = open(next).read()
        tmp = re.search('(.*) =>',f).group(0)
        flag += tmp[:-3].zfill(16)
        tmp = re.search('is (.*)',f).group(0)
        next = 'zip/BinDunDun/'+ tmp[3:]
        i += 1
        print(f,i,next)
    except:
        f2 = open('out.txt','w')
        f2.write(flag)
        exit(0)

​ 二进制序列转hex,发现是zip文件:

​ 存一下,解压得到pyc和jpg,pyc隐写得到payload:$BingD@nD@n_in_BeiJing_Winter_Olympics$

​ 最后利用这个作为密码进行jphs05隐写seek得到base64:$REFTQ1RGe0dvb2RfSm9kX0dpdmVfVGhlX0ZGRkZMQGdfVG9fWW91IX0=$

​ 解码得:$DASCTF{Good_Jod_Give_The_FFFFL@g_To_You!}$

CRYPTO

easy_real

​ 签到。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
from hashlib import *
from gmpy2 import *
from Crypto.Util.number import *

# e_hash = '37693cfc748049e45d87b8c7d8b9aacd'
# for i in range(100):
#     if e_hash == md5(str(i).encode()).hexdigest():
#         print(i)

e = 23
n = 4197356622576696564490569060686240088884187113566430134461945130770906825187894394672841467350797015940721560434743086405821584185286177962353341322088523
c = 3298176862697175389935722420143867000970906723110625484802850810634814647827572034913391972640399446415991848730984820839735665233943600223288991148186397
p = 64310413306776406422334034047152581900365687374336418863191177338901198608319
q = n//p

# 解crypto
phi = (p-1) * (q-1)
d = invert(e,phi)
cry = long_to_bytes(pow(c,d,n))
print(cry)
cry = b'ndios_;9kgE;WK8e;W?gWn<\\;k|nu'
flag = ''
for i in range(10):
    for j in cry:
        flag = flag + chr(j^i)
    print(flag)

# flag{W31coM3_C0m3_7o_f4T3ctf}

扫一扫,分享到微信

微信分享二维码
本站总访问量: 总访客次数:

tag:

梦想是成为全栈佬并养一只猫