SCTF Misc

admin 2022年1月7日02:15:29CTF专场评论14 views13600字阅读45分20秒阅读模式

0x00 This_is_A_tree

dfs先序遍历树拿到一串看起来像base64的字符串

import os
import queue

class Node:
    def __init__(self,path:str,data:str) -> None:
        self.path = path
        self.data = data

q = queue.Queue()

cur:Node

def dfs(cur:Node):
    lpath = cur.path+"/letf/data"
    print(cur.data,end='')

    if os.path.exists(lpath):
        ldata= open(lpath,"r").read()
        dfs(Node(cur.path+"/letf",ldata))



    rpath = cur.path+"/Right/data"
    if os.path.exists(rpath):
        rdata = open(rpath,"r").read()
        dfs(Node(cur.path+"/Right",rdata))



dfs(Node("./root",open("./root/data","r").read()))
Q2hpbmVzZSB0cmFkaXRpb25hbCBjdWx0dXJlIGlzIGJyb2FkIGFuZCBwcm9mb3VuZCEgU28gSSBXYW50IEdpdmUgWW91IE15IEZsYWcgQnV0IFlvdSBOZWVkIERlY29kZSBJdC5FbmpveSBUaGUgRmxhZyEhOuW4iCDlhZEg5aSNIOaNnyDlt70g6ZyHIOaZiyDlp6Qg5aSn6L+HIOiuvCDlmazll5Eg6ZyHIOaBkiDoioIg6LGrIA==

解码拿到

和buuoj的某题类似,直接在网上找到脚本

def decrypt4(enc):
    temp=''
    offset=5
    for i in range(len(enc)):
        temp+=chr(ord(enc[i])+offset+i)
    return temp
def decrypt5(flag):
    for a in range(1,200):
        enc = ''
        for i in flag:
            for k in range(200):
                 if (ord(i) - 97 - 7+26*k)%a==0:
                    enc+= chr((ord(i) - 97 - 7 + 26 * k) // a + 97)
                    break
        print(enc)

s='师兑复损巽震晋姤大过讼噬嗑震恒节豫'
dic={'坤': '000000', '剥': '000001', '比': '000010', '观': '000011', '豫': '000100', '晋': '000101', '萃': '000110', '否': '000111', '谦': '001000', '艮': '001001', '蹇': '001010', '渐': '001011', '小过': '001100', '旅': '001101', '咸': '001110', '遁': '001111', '师': '010000', '蒙': '010001', '坎': '010010', '涣': '010011', '解': '010100', '未济': '010101', '困': '010110', '讼': '010111', '升': '011000', '蛊': '011001', '井': '011010', '巽': '011011', '恒': '011100', '鼎': '011101', '大过': '011110', '姤': '011111', '复': '100000', '颐': '100001', '屯': '100010', '益': '100011', '震': '100100', '噬嗑': '100101', '随': '100110', '无妄': '100111', '明夷': '101000', '贲': '101001', '既济': '101010', '家人': '101011', '丰': '101100', '离': '101101', '革': '101110', '同人': '101111', '临': '110000', '损': '110001', '节': '110010', '中孚': '110011', '归妹': '110100', '睽': '110101', '兑': '110110', '履': '110111', '泰': '111000', '大畜': '111001', '需': '111010', '小畜': '111011', '大壮': '111100', '大有': '111101', '夬': '111110', '乾': '111111'}
li=[]
k=0
for i in range(len(s)):
    if k ==1:
        k=0
        continue
    try:
        li.append(dic[s[i]])
    except:
        t=''
        t=t+s[i]+s[i+1]
        li.append(dic[t])
        k=1
ss=''.join(li)
print(ss)
enc=''
for i in range(0,len(ss),8):
    enc+=chr(eval('0b'+ss[i:i+8]))
import base64
print(enc)
x=base64.b64decode(enc).decode()
print(x)
x=decrypt4(x)
x=decrypt5(x)

解得

即为flag

0x01 fumo_xor_cli

当时微信公众号发的时候就有了题目想法,就提了缩略图
```python=
from PIL import Image
origin = Image.open('TpMSkq.png')
final = Image.new('RGB',(100,133))
_x=0
_y=0
for y in range(1,1190,9):
for x in range(1,893,9):
final.putpixel((_x,_y),origin.getpixel((x,y)))
if(_x%99==0 and _x!=0):
_x=0;
_y=_y+1
else:
_x=_x+1
final.save('key.bmp')

然后我们通过给定的命令行,能提出其中数据的颜色。
我们可以发现其中除了正常的Fumo还有2帧不太正常的帧,
我们把这两个手动提取下,发现图片的size (133,50)
然后我们提的缩略图是100x133
```python=
import re
from PIL import Image
result=[]
r=[]
g=[]
b=[]

file=open('data.txt','r').read()
res=re.findall("\[(.*?)[ESC]",file)
print(len(res))
print(len(res))
for i in res:
    tmp=i.split(";")
    r.append(tmp[2])
    g.append(tmp[3])
    b.append(tmp[4][:-2])
flag=Image.new(mode='RGB',size=(100,133),color=(0,0,0))
file=open('part2.txt','r').read()
res=re.findall("\[(.*?)?",file)
print(len(res))
print(len(res))
for i in res:
    tmp=i.split(";")
    r.append(tmp[2])
    g.append(tmp[3])
    b.append(tmp[4][:-2])
tot=0

for i in range(0,100):
    for j in range(0,133):
        flag.putpixel((i,j),(int(r[tot]),int(g[tot]),int(b[tot])))
        tot+=1
print(flag.size)

flag.save('ano.png')

然后xor一下就出flag了

0x02 easydsp

数字信号处理。通过数字信号恢复音频
```python=
import wave
import struct

f1 = open('data1.txt').read()
f2 = open('data2.txt').read()
f3 = open('data3.txt').read()
f4 = open('data4.txt').read()

data1 = [float(line) for line in f1.splitlines()]
data2 = [float(line) for line in f2.splitlines()]
data3 = [float(line) for line in f3.splitlines()]
data4 = [float(line) for line in f4.splitlines()]

count = len(data1)

data_all = [data1[i] + data2[i] + data3[i] + data4[i] for i in range(count)]
data_3_4 = [data1[i]-data2[i] for i in range(count)]

def to_wav(file, data):
nchannels = 1
sampwidth = 2
second = 5
sampling_rate = count // second
nframes = count
amplitude = 1900
wav_file = wave.open(file, 'w')
wav_file.setparams((nchannels, sampwidth, int(sampling_rate), nframes, 'NONE', 'not compressed'))
for i in data:
wav_file.writeframes(struct.pack('h', int(i * amplitude)))

to_wav('1-2.wav',data_3_4)

得到的音频就有了相关的波形图而且去除了噪点利用1-2的这个频谱
![](https://md.byr.moe/uploads/upload_9793d1e2661679dd83e0486fae58ab90.png)
手动读下flag就可以了 类似曼彻斯特

##0x03 low_re

测信道攻击通过枚举每一位的字符同时检测指令数目来找flag
利用pintools 手动逐位爆破
```python=
from subprocess import Popen, PIPE
from sys import argv
import string
import pdb
from multiprocessing import Process, Value, Manager
from time import ctime, sleep
from tqdm import tqdm
from ctypes import c_char_p
import random
import sys


pinPath = ".\pin.exe"
pinInit = lambda tool, elf: Popen([pinPath, '-t', tool, '--', elf], stdin=PIPE, stdout=PIPE)
alpha = []
for i in range(32, 128):
    alpha.append(chr(i))


def find(start, end):
    for i in range(start, end):
        print(i)
        pin = pinInit(".\\obj-intel64\\icount.dll", ".\low_re.exe")
        result = '[email protected]'.format(alpha[i])
        pin.stdin.write('[email protected]'.format(alpha[i]).encode('utf-8'))
        print(pin.communicate()[0].decode() + ":" + result)


def multi_work(iter_function, totalProcess=10, lenList=96, base=0):
    gap = lenList // totalProcess
    process_list = []
    print("Totally %d processes" % totalProcess)

    for i in range(totalProcess):
        process = Process(target=iter_function, args=(base + i * gap, base + (i + 1) * gap))
        process.start()
        process_list.append(process)

    for t in process_list:
        t.join()
    print("Exiting Main Process")


if __name__ == '__main__':
    multi_work(find)

0x04 in_the_vaporwaves

挺无语的题,好好看看频谱图就行了,能看到摩斯
SCTF Misc
[email protected]

0x05 August 10, 2021

Poly network的题,挺简单的
找一个哈希加参数 和 payforflag()哈希一样就完了,
```python=
"""
[+] contract address: 0xa9Ac4071925Ef7cDAC46B2FcbD3afF86A5b4fa32
[+] transaction hash: 0xf298c8b32451fe71c999594b634db485fa543a77d04ef1deb9a48caa718d2de8
"""
import web3
from web3 import Web3,HTTPProvider
from web3.auto import w3
import hashlib
import json
from Crypto.Util.number import *
web3=Web3(HTTPProvider("http://124.71.147.175:8545/"))
print(web3.isConnected())
"""key=web3.eth.account.create()
print(key.address)
print(hex(bytes_to_long(key.privateKey)))"""
acct= web3.eth.account.from_key('0x719e289ff8306c4e9ff66476bf35889e24eaa475c80878a2a42c760efaed2134')
print(acct.address)
def get_txn(src, dst, datad,nonce, value=0, ):
return {
"from": src,
"to": dst,
"gasPrice": web3.toWei(1,'gwei'),
"gas": 3000000,
"value": web3.toWei(value,'wei'),
"nonce": nonce,#web3.eth.getTransactionCount(src),
"data": datad,
"chainId": 7486
}

print(web3.eth.getCode("0xAe7dd2aAc652b3492326dB135D48844A8e08833a"))
to_addr="0xAe7dd2aAc652b3492326dB135D48844A8e08833a"
data=long_to_bytes(0x66fbe3940000000000000000000000000000000000000000000000000000000000000020000000000000000000000000000000000000000000000000000000000000001766756e6338363533393536353435393638393131313830000000000000000000).decode('utf-8')

nonce=web3.eth.getTransactionCount(acct.address)
signed_txn = web3.eth.account.signTransaction(get_txn(src=acct.address, dst=to_addr, datad=data, nonce=nonce), acct.privateKey)
txn_hash = web3.eth.sendRawTransaction(signed_txn.rawTransaction).hex()
print(txn_hash)
print(web3.eth.getTransactionReceipt("0xe4ff900301a55ae0e9b486c3add1aea4151d72f63055ecbe771c1bbd450a62d8"))

##0x06 Constructor?

预编译合约然后部署一个有initcode的合约就行了同时爆破create2满足地址大小就行了
```python=
"""
[+] contract address: 0xe8AB319dBCe2A2467e393FB6EA98A8A30e4974ac
[+] transaction hash: 0xe93e4fdd0d590f68bd186fad693f923470f32ebcf3b080dd0f787baba2214adb
"""
import web3
from eth_abi import encode_abi
from web3 import Web3,HTTPProvider
from web3.auto import w3
import hashlib
import json
from Crypto.Util.number import *
web3=Web3(HTTPProvider("http://124.71.147.229:8545/"))
print(web3.isConnected())
#print(hex(bytes_to_long(web3.eth.account.create().key)))
acct= web3.eth.account.from_key('0x719e289ff8306c4e9ff66476bf35889e24eaa475c80878a2a42c760efaed2134')
print(acct.address)

abi=[
    {
        "inputs": [],
        "name": "changesuccess",
        "outputs": [],
        "stateMutability": "payable",
        "type": "function"
    },
    {
        "inputs": [],
        "name": "isSolved",
        "outputs": [
            {
                "internalType": "bool",
                "name": "",
                "type": "bool"
            }
        ],
        "stateMutability": "nonpayable",
        "type": "function"
    },
    {
        "inputs": [],
        "name": "payforflag",
        "outputs": [],
        "stateMutability": "payable",
        "type": "function"
    },
    {
        "inputs": [
            {
                "internalType": "address",
                "name": "a",
                "type": "address"
            },
            {
                "internalType": "bytes",
                "name": "message",
                "type": "bytes"
            },
            {
                "internalType": "bytes32",
                "name": "salt",
                "type": "bytes32"
            }
        ],
        "name": "registContract",
        "outputs": [],
        "stateMutability": "nonpayable",
        "type": "function"
    },
    {
        "inputs": [],
        "name": "success",
        "outputs": [
            {
                "internalType": "bool",
                "name": "",
                "type": "bool"
            }
        ],
        "stateMutability": "view",
        "type": "function"
    },
    {
        "inputs": [
            {
                "internalType": "address",
                "name": "",
                "type": "address"
            }
        ],
        "name": "target",
        "outputs": [
            {
                "internalType": "address",
                "name": "",
                "type": "address"
            }
        ],
        "stateMutability": "view",
        "type": "function"
    },
    {
        "inputs": [],
        "name": "value",
        "outputs": [
            {
                "internalType": "uint256",
                "name": "",
                "type": "uint256"
            }
        ],
        "stateMutability": "view",
        "type": "function"
    }
]
def get_txn(src, dst, datad,nonce, value=0, ):
    return {
        "from": src,
        "to": dst,
        "gasPrice":  web3.toWei(1,'gwei'),
        "gas": 5000000,
        "value":  web3.toWei(value,'wei'),
        "nonce":  nonce,#web3.eth.getTransactionCount(src),
        "data": datad,
        "chainId": 4047
}
to_addr="0xa9Ac4071925Ef7cDAC46B2FcbD3afF86A5b4fa32"

"""
print(web3.toHex(web3.eth.getCode("0x9a5e63fF1cb8bDEaaD09B91d6aAd78EAeA8ac7Fc")))

print('0x'+'2'.rjust(40,'0'))
print('0x'+hex(1708)[2:].rjust(64,'0'))"""

"""
0x0000000000000000000000000000000000000002
0x6080604052348015600f57600080fd5b50608d8061001e6000396000f3fe608060405260043610601c5760003560e01c80630b93381b14602b575b6000805460ff19166001179055005b348015603657600080fd5b5060005460439060ff1681565b604051901515815260200160405180910390f3fea2646970667358221220b0621c248d6d6606cdee76393ad84c4a0e49db57f0f6737aa40d4e36c80ad36764736f6c63430008070033
0x0000000000000000000000000000000000000000000000000000000000001f95
"""
param = encode_abi(['uint256','bytes','bytes32'],[2,bytes.fromhex('6080604052348015600f57600080fd5b50608d8061001e6000396000f3fe608060405260043610601c5760003560e01c80630b93381b14602b575b6000805460ff19166001179055005b348015603657600080fd5b5060005460439060ff1681565b604051901515815260200160405180910390f3fea2646970667358221220b0621c248d6d6606cdee76393ad84c4a0e49db57f0f6737aa40d4e36c80ad36764736f6c63430008070033'),(21943).to_bytes(32,'big')])

sel=web3.keccak(b'payforflag()')[:4]
data=sel

#off=bytes_to_long(web3.sha3(1+int(acct.address,16)))
#a=web3.eth.getStorageAt(to_addr,web3.keccak(bytes.fromhex(acct.address[2:]).rjust(0x20,b'\x00')+b'\x01'.rjust(0x20,b'\x00')))
#print(a)
nonce=web3.eth.getTransactionCount(acct.address)
signed_txn = web3.eth.account.signTransaction(get_txn(src=acct.address, dst=to_addr, datad=data, nonce=nonce), acct.privateKey)
txn_hash = web3.eth.sendRawTransaction(signed_txn.rawTransaction).hex()
print(txn_hash)
import time
time.sleep(6)
print(web3.eth.getTransactionReceipt(txn_hash))
"""
#print(web3.eth.getTransactionReceipt('0x875ea75d80facfa204a8eab364d3ad62e3aefb7fd40d51d43807d390b66d9e44'))


print(web3.eth.getTransactionReceipt("0x35fd89b5db12d05c8b7b2c7daf1d62d9aeee7b5ae560cf077d80560ef676a270"))
0x1bdDCdA2d1914Fb966237f32df6db10BB3fC3983
0x0000000000000000000000000000000000000002
0x000000000000000000000000000000000000000000000000000000000001f86e


1:ID  0x0a097d23302549b21522b538582094b4a81dbc074c5a7fe912f9d215a6eb95cf
2:Success 0xbbca32c6c50b2626e870ade268446f3ad8869bd55b1e2bf09aa38784da01fbe2
"""


"""
0x00a26019000000000000000000000000000000000000000000000000000000000000000200000000000000000000000000000000000000000000000000000000000000600000000000000000000000000000000000000000000000000000000000022dc8000000000000000000000000000000000000000000000000000000000000017d60806040526ec097ce7bc90715b34b9f100000000060025534801561002357600080fd5b5061014a806100336000396000f3fe6080604052600436106100345760003560e01c80630b93381b146100435780633fa4f24514610072578063dad9da8a14610096575b6000805460ff19166001179055005b34801561004f57600080fd5b5060005461005d9060ff1681565b60405190151581526020015b60405180910390f35b34801561007e57600080fd5b5061008860025481565b604051908152602001610069565b3480156100a257600080fd5b506100cc6100b13660046100e4565b6001602052600090815260409020546001600160a01b031681565b6040516001600160a01b039091168152602001610069565b6000602082840312156100f657600080fd5b81356001600160a01b038116811461010d57600080fd5b939250505056fea26469706673582212206638ed3ef45ec249654b9bed501130379b5680408c7e503ba5b9110568e7b79e64736f6c63430008070033000000
"""

FROM:tttang . com

特别标注: 本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
  • 我的微信
  • 微信扫一扫
  • weinxin
  • 我的微信公众号
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年1月7日02:15:29
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                  SCTF Misc http://cn-sec.com/archives/725428.html

发表评论

匿名网友 填写信息

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: