ciscn 2024
Article Summary
GPT 4
火锅链观光打卡
签到题
Power Trajectory Diagram
下载得到attachment.npz文件,发现有四部分数据,通过查看 input 和 index 后可以知道
题目是一共爆破了13个字符,每个字符爆破了40次,然后每次爆破都会有一条 trace
写一个 python 脚本读取 trace 数据并画折线图,发现每条 trace 都会有一个最小值
import numpy as np
data = np.load('attachment.npz')
trace = data['trace']
input = data['input']
# print(input) 十三组打印字符串,每组字符串个数是40个,一共5200个字符串
index = data['index']
# print(index) 内容是1-12.
# print(trace) 520个数组,每个数组应该是功耗变化值,对应input的字符,其中每组变化最大的就是密码中的字符
num_groups = 13
group_size = 40
for i in range(12):
res = []
table = input[:40]
for j in range(40):
min = np.argmin(trace[i*40+j])
res.append(min)
# print(res) 提取res中最大值来确定爆破字符的index
index = np.argmax(res)
char = table[index]
print(char,end='') #_ciscn_2024_
神秘文件
太难找了
part3 运用了宏编辑
alt+f11打开宏编辑页面
然后 base64 的RC4 解码 然后base64
通风机
STEP7 MicroWIN V4.0 SP9 软件打开然后在 symbol table 中发现 base64 编码后的 flag,CyberChef 解码即可得到 flag
Tough_DNS
题目内容:DNS的世界充满了多变的字符,接下来我将直接给你答案:56 16 26 93 66 53 16 56 d2 03 26 93 56
题目给了一个DNS流量包,发现有的包中有二进制数据,导出
tshark -r 1.pcapng -T fields -e dns.qry.name | sed '/^\s*$/d' | uniq > 1.txt然后将其转为二维码
from PIL import Image
# 新建一个列表来保存奇数行
odd_lines = []
# 打开文件并读取行
with open('1.txt', 'r') as file:
for index, line in enumerate(file):
# 如果行号是奇数(索引是偶数),则保留该行
if index % 2 == 1:
odd_lines.append(line.strip())
# 将处理后的奇数行合并为一个字符串
s = ""
for line in odd_lines:
s +=line # 使用 += 运算符来拼接字符串
# 然后继续按照原逻辑处理字符串s
MAX = 21
i = 0
pic = Image.new("RGB", (MAX, MAX))
for y in range(0, MAX):
for x in range(0, MAX):
if len(s) > i: # 确保索引没有超出字符串s的长度
if s[i] == '1':
pic.putpixel((x, y), (0, 0, 0))
else:
pic.putpixel((x, y), (255, 255, 255))
i += 1
pic.save('fl.png')扫码得到
15f9792dba5c
明显不是flag,继续看流量包,发现txt解析记录将其提取出来
tshark.exe -r Tough_DNS.pcapng -T fields -e dns.txt -Y "(dns.txt.length == 1) && (dns.id == 0x4500)"|tr -d "\n" >>2.txt
tshark.exe -r Tough_DNS.pcapng -T fields -e dns.txt -Y "(dns.txt.length == 1) && (dns.id == 0x6421)"|tr -d "\n" >>3.txt得到两个文件,2.条txt文件发现是一个zip,那么猜测二维码扫出来的是密码。
得到secret.gpg
-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: GnuPG v1
lQIGBGR0mdUBBACYjdQSFv/9VkDcH406ee9a01IpIYv2tJkTu4WuEzh3cb52B+vT
FRbgC3MMohKL41potPMTVM6U4cisg0gTPnQeIk37R5A47g03gPRJxO6SBrolsM7W
ibfPpqT2dyQnsW8xfU7gxoiPoDQ16OeJzzM8GFhMbkNccBOOETgo9yTTOwARAQAB
/gcDArSnU3JKy53PYEuZt6Ur4DafWuUXztAfuzKkNwJCwhE9xGFGSWlo4whjOhzy
JaUGRL2ToiihW1JPlkvW59/my2X5DuvblMnMDilMYVzQzHcg0C0rVRpD97FNeZJG
ZfQnzQomF1a4/kz5jc1IpmMAxKLjJjkptXcI6vf72Hb9Rs07lrOYmBE2dc8OC8Wj
P/2vsAhHUxywWAQEG4ATXklAvBdipERfCU4aHW2GMsvlV1ncnp0MBuXjQeqCWt7i
9RYgIkvptZWl2Y8AtK5NsXZ0kZvKv/4GxJUZ5tmRep3YEbBlK2EihqLxALiPvMd+
yUmYnht5SZB67ZwbnwBwAdKLTvV03Rm8ZoTeg+EzLBXH7kj0Pl4/pnXiKvDgCS/6
IwP4h0sIx1H/4/8AkJ/ivrOxPhm+FZ15ct64x54Ae27Hy7zjHwkCu5MMQ1smbQ/e
WbArOtJHJ6hKWI/CuA+0EBEQNNBUetx0dub+vazAyaQB1h8VXw7Y9aq0HmN0ZmVy
IChub25lKSA8Y3RmZXJAZ21haWwuY29tPoi4BBMBAgAiBQJkdJnVAhsDBgsJCAcD
AgYVCAIJCgsEFgIDAQIeAQIXgAAKCRDNNPbFh+VSkJjJBACFSEjtR6BQg3MCkrpt
9vwW9Opb1BXBrUKUD5z4od2enZwOPw/fRaiC2npr+DiGQ4XyIQzwsyn6Gx62h1UQ
SgGk4MLy/9ffEIYJHJAgU+ouEu+OWsk+VUJND5dHimIxyePgjHm+7NTr6CgFnflN
Oe2PeqmsOEcRNDSk5LNQ/L9UQJ0CBgRkdJnVAQQA4my1wcQGuuJ6dKxg62QBFy7W
N/cJnnWm0W0l/3LWDfRZq/Lk1wMmp9hBj16yRoh9EBvgQCz1de2Rx6TjvvOVUw0j
LyumHVIzetbjnQbMHWA1xLXSarDu9u3ZT2zwXV/vo4VukIlDIEayOshVrmk9VOMf
bngf//aDmRwsgj6ZIQMAEQEAAf4HAwK0p1NySsudz2C4Whqn6GQ8PMIyoqV8Y94u
p9+Qq34FiOgquLqetKoNNaG2M5KJJB77W9Yzt8dM0A09wCpObA9mTCW0SI4N6MJF
OdvY6jpG844uHI6L2IKMFZQTdDwvfgMPpGjLHM7/ho3dpec9BKDihQDeCrWl3tfy
WAh68pHPXYyMmTu51iGfkNCEv+SEHlqq0PsLbGT9DxwDWGPzCzvjpY79Uv1cS5Iw
IwI6aaccUjsoobvdqD8HJY2B4JGj1XY2oHrZDPH/OwgPMwArbHtHqgd632BxN9Of
l0sNzas41LB731RUcP79M7wWQPIbhx61ubIZPtejqa/P5u0gRpFKyHo6tW9t/al5
OL9F2vFhl63Hm1Us6XScduWZM9pmd3tEwarHVsBt4z+BIgJJKDvKWs9dgw2aQhKp
rwNKErMUfhiVuw0uTJBS2F4JsPjKdF7hp3mk7wiVGloCy0+c4l0EL+U/9N1EGD7y
K2NKDZFB4i1srW2aiJ8EGAECAAkFAmR0mdUCGwwACgkQzTT2xYflUpBfEwP+I1x7
DspB3GnQAFvXVtkmpi1ASEMQtbCMgexx4+PuqbbUNKOFr83mBkzCQkuh5lrHEZfp
vKN/A1X8AvCxxZu/m9rS8nZQ/BNt7qAG6DjBXrWycWn2swYtMIzys/CsKkhg33hO
iHcehkCXX0Jd8TmE664iLs1WUVHzXK/v5h4XA1o=
=Izki
-----END PGP PRIVATE KEY BLOCK-----可以看出是一个pgp加密的公钥,那另一个是密文了,将其转为16进制导出。
然后题目给的是私钥了:56 16 26 93 66 53 16 56 d2 03 26 93 56
将其反转并转ascii
from string import printable
# for item in printable:
# print(ord(item), end=' ')
# 48 49 50 51 52 53 54 55 56 57 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 58 59 60 61 62 63 64 91 92 93 94 95 96 123 124 125 126 32 9 10 13 11 12
def solve():
passwd = ''
enc_passwds = ['56', '16', '26', '93', '66', '53',
'16', '56', 'd2', '03', '26', '93', '56']
# for item in enc_passwds:
# print(int(item, 16), end=" ")
# # 86 22 38 147 102 83 22 86 210 3 38 147 86
for item in enc_passwds:
item = item[::-1]
# print(int(item,16),end=" ")
# 101 97 98 57 102 53 97 101 45 48 98 57 101
passwd += chr(int(item, 16))
return passwd
if __name__ == "__main__":
passwd = solve()
print(passwd)
# eab9f5ae-0b9e然后进行解码即可得到flag
gpg --import secret.gpg
gpg: /root/.gnupg/trustdb.gpg:建立了信任度数据库
gpg: 密钥 CD34F6C587E55290:公钥 “ctfer (none) <ctfer@gmail.com>” 已导入
gpg: 密钥 CD34F6C587E55290:私钥已导入
gpg: 处理的总数:1
gpg: 已导入:1
gpg: 读取的私钥:1
gpg: 导入的私钥:1 gpg -d out.txt
gpg: 由 1024 位的 RSA 密钥加密,标识为 51457644D5D8B1B5,生成于 2023-05-29
“ctfer (none) <ctfer@gmail.com>”
flag{79830a47-faf7-4067-b585-145776f833cd}
盗版软件
得到一个exe文件和一个dmp文件,运行exe文件后得到一张图片,发现其上方有点
在全红是可以看出有zip,但是中间有垃圾数据,提取
with open('output', 'rb') as f:
data = f.read()
res = []
i = 8
while i < len(data):
res.append(data[i])
i += 2
# print(res)
with open('flag.zip', 'wb') as f:
f.write(bytes(res))得到一个.b文件,进行base85解码
然后在云沙箱运行
https://s.threatbook.com/report/file/a97946c34d2d8642820f196a54a6e8d78cf4f58a97e417be9696d7fd19e7fc95
得到 IP : 39.100.72.235
但是dmp用vol提取不出来东西,使用010,utf-8编码
得到 winhack.com
This piece of writing is an original article, utilizing theCC BY-NC-SA 4.0Agreement. For complete reproduction, please acknowledge the source as Courtesy ofxiaocai
