UNCTF2022misc复现

2024-06-20

CatchJerry-华中科技大学

下载附件

usb流量，tshark提取

tshark -r CatchJerry.pcapng -T fields -e usbhid.data > usbdata.txt

导出鼠标的数据

exp:

from textwrap import wrap

def convert_to_signed_char(c):
    if c > 127:
        return (256-c) * (-1)
    else:
        return c

# Transform to actual data lines
data_lines = (wrap(line.strip(), 2) for line in open("usbdata.txt").readlines())
data_packets = []
for l in data_lines:
    data_packets.append([convert_to_signed_char(int(a, 16)) for a in l])

# Remove trailing data
# data_packets = data_packets[:-1400]

# Write to file
with open("plot.txt", "w") as f:
    x = 0
    y = 0
    for packet in data_packets:
        try:
            x += packet[1] * 20     # Scale-up X-axis
            y -= packet[2]          # Invert Y-axis
            if packet[0] == 1:
                f.write(f"{x} {y}\n")
        except:
            pass

plot画图

导出键盘的数据

exp:

import os
# os.system("tshark -r test.pcapng -T fields -e usb.capdata > usbdata.txt")
normalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e", "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j", "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o", "13":"p", "14":"q", "15":"r", "16":"s", "17":"t", "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y", "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4", "22":"5", "23":"6","24":"7","25":"8","26":"9","27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\","32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".","38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}

shiftKeys = {"04":"A", "05":"B", "06":"C", "07":"D", "08":"E", "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J", "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O", "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T", "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y", "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$", "22":"%", "23":"^","24":"&","25":"*","26":"(","27":")","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":"\"","34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}


nums = []
keys = open('usbdata.txt')
for line in keys:
    if len(line)!=17: #首先过滤掉鼠标等其他设备的USB流量
         continue
    nums.append(line[0:2]+line[4:6]) #取一、三字节
keys.close()
output = ""
for n in nums:
    if n[2:4] == "00" :
        continue

    if n[2:4] in normalKeys:
        if n[0:2]=="02": #表示按下了shift
            output += shiftKeys [n[2:4]]
        else :
            output += normalKeys [n[2:4]]
    else:
        output += ''
print('output :' + output)
#<DEL><RET>andbest

运行得到

最后flag为UNCTF{TOM_AND_JERRY_BEST_FRIENDS}

In_the_Morse_Garden-陆军工程大学

下载附件

全选发现东西

粘贴内容为

UNCTF{5L6d5Y+k5q+U5Y+k546b5Y2h5be05Y2h546b5Y2h5be05Y2hIOS+neWPpOavlOWPpOeOm +WNoeW3tOWNoSDnjpvljaHlt7TljaHkvp3lj6Tmr5Tlj6Qg5L6d5Y+k5q+U5Y+k5L6d5Y+k5q+U5Y+k5 46b5Y2h5be05Y2h546b5Y2h5be05Y2h5L6d5Y+k5q+U5Y+k546b5Y2h5be05Y2hIOS+neWPpOavlO WPpOeOm+WNoeW3tOWNoSDnjpvljaHlt7TljaHkvp3lj6Tmr5Tlj6Qg5L6d5Y+k5q+U5Y+k5L6d5Y+k 5q+U5Y+k546b5Y2h5be05Y2h546b5Y2h5be05Y2h5L6d5Y+k5q+U5Y+k546b5Y2h5be05Y2hIOeOm +WNoeW3tOWNoeeOm+WNoeW3tOWNoSDkvp3lj6Tmr5Tlj6TnjpvljaHlt7TljaEg546b5Y2h5be05Y 2h5L6d5Y+k5q+U5Y+k546b5Y2h5be05Y2hIOS+neWPpOavlOWPpOeOm+WNoeW3tOWNoSDkvp3 lj6Tmr5Tlj6Tkvp3lj6Tmr5Tlj6TnjpvljaHlt7TljaHnjpvljaHlt7TljaHkvp3lj6Tmr5Tlj6TnjpvljaHlt7TljaEg54 6b5Y2h5be05Y2h5L6d5Y+k5q+U5Y+k5L6d5Y+k5q+U5Y+k5L6d5Y+k5q+U5Y+kIOS+neWPpOavlOW PpOeOm+WNoeW3tOWNoSDnjpvljaHlt7TljaHkvp3lj6Tmr5Tlj6TnjpvljaHlt7TljaEg5L6d5Y+k5q+U5Y +k546b5Y2h5be05Y2hIOS+neWPpOavlOWPpOeOm+WNoeW3tOWNoSDkvp3lj6Tmr5Tlj6Tnjpvlja Hlt7TljaEg5L6d5Y+k5q+U5Y+k546b5Y2h5be05Y2hIOS+neWPpOavlOWPpOeOm+WNoeW3tOWN oSDnjpvljaHlt7TljaHkvp3lj6Tmr5Tlj6TnjpvljaHlt7TljaHkvp3lj6Tmr5Tlj6TnjpvljaHlt7TljaHnjpvljaHlt7T ljaE=}

中间部分解码

依古比古玛卡巴卡玛卡巴卡依古比古玛卡巴卡玛卡巴卡依古比古依古比古依古比古玛卡巴卡玛卡巴卡依古比古玛卡巴卡依古比古玛卡巴卡玛卡巴卡依古比古依古比古依古比古玛卡巴卡玛卡巴卡依古比古玛卡巴卡玛卡巴卡玛卡巴卡依古比古玛卡巴卡玛卡巴卡依古比古玛卡巴卡依古比古玛卡巴卡依古比古依古比古玛卡巴卡玛卡巴卡依古比古玛卡巴卡玛卡巴卡依古比古依古比古依古比古依古比古玛卡巴卡玛卡巴卡依古比古玛卡巴卡依古比古玛卡巴卡依古比古玛卡巴卡依古比古玛卡巴卡依古比古玛卡巴卡依古比古玛卡巴卡玛卡巴卡依古比古玛卡巴卡依古比古玛卡巴卡玛卡巴卡

依古比古转为. 玛卡巴卡转为- 摩斯解密

最后flag为UNCTF{WAN_AN_MAKA_BAKAAAAA!}

magic_word-西南科技大学

下载附件

改后缀为zip，提取document.xml所有东西，零宽解密

最后flag为UNCTF{We1come_new_ctfer}

MY PICTURE-信阳师范大学

下载附件

010查看无后缀文件

加后缀.zip，解压压缩包

发现还有个无后缀文件，010查看

发现不是正常的压缩包文件，发现很多的8E字节，猜测是异或了8E

得到py文件

from PIL import Image as im

flag = im.open('flag.jpg','r')
l,h=flag.size
puzzle=im.new('RGB',(h,l))
print(puzzle)
for i in range(l):
    for j in range(h):
        r,g,b=flag.getpixel((i,j))
        r=r^g
        g=g^b
        b=b^r
        puzzle.putpixel(((i*787+j)//1200,(i*787+j)%1200),(b,g,r))
puzzle.save('flag.png')
flag.close()
puzzle.close()

根据源码写出解密脚本

exp:

from PIL import Image as im

flag = im.open('flag.png','r')
l,h=flag.size
puzzle=im.new('RGB',(h,l))
print(puzzle)
for i in range(l):
    for j in range(h):
        r,g,b=flag.getpixel((i,j))
        b = b ^ r
        g = g ^ b
        r = r ^ g
        puzzle.putpixel(((i*1200+j)//787,(i*1200+j)%787),(b,g,r))
puzzle.save('flag2.png')
flag.close()
puzzle.close()

运行得到新图片里的flag

最后flag为UNCTF{93bb442f-2a76-2b6f-c42f-c2297f5fdaf9}

syslog-浙江师范大学

下载附件

010查看压缩包发现尾部标识错误，修改一下

在无后缀文件用记事本打开，搜索关键词Password

base解密

得到压缩包密码，解压压缩包

最后flag为UNCTF{N1_sH3_D0n9_L0g_dE!}

zhiyin-中国人民公安大学

下载附件

010先看png文件，发现末尾有摩斯密码

摩斯解密

_UNC7F!!!

010查看jpg图片，发现文件十六进制被反转了

使用b神工具翻转

最后整理压缩包密码为Go_p1ay_unc7f!!!

解压压缩包得到flag

最后flag为UNCTF{M1sic_1s_greAt}

贝斯家族的侵略-中国地质大学武汉

下载附件，一眼明文攻击

明文攻击

查看文件，一眼base隐写

使用b神工具

hex解密

保存文件，用marco recorder打开mrd文件play一下,打开画图软件

最后flag为UNCTF{b4s3_1s_v3ry_g0od!!}

剥茧抽丝-内蒙古警察职业学院

下载附件

提示为密码，解压压缩包，查看文本

零宽解密

得到密码

打开加密压缩包之后发现里面有个txt和一个压缩包，结合该压缩包文件名为2.txt猜想和1.txt的关系，去掉零宽之后保存1.txt发现CRC值与2.txt的相同

明文攻击

利用

前面获得的密码：PAsS_w0rD解压压缩包得到flag

最后flag为unctf{d4a3a242-cd32-4dd5-bac6-84bdf13f527f}

峰回路转-内蒙古警察职业学院

下载附件

crc爆破

获得密码:P@SsW0RD

静默隐写

伪加密

打开文本查看

xor解密

最后flag为UNCTF{0C75726F-4609-DFA4-615F-17C7A1B7165D}

巨鱼-河南理工大学

下载附件

binwalk发现藏有其他东西

foremost提取文件

检查png文件，发现提示宽高有问题

宽高一把梭

得到压缩包密码

解压压缩包

查看文本发现flag，提交是假的

flagisnothere.zip是伪加密的

查看png文件

学过化学都知道，一眼六氯环己烷

简称666

打开ppt文件，输入密码666，在ppt最后一页找到隐藏的flag，添加颜色可以看到

最后flag为UNCTF{y0u_F1nd_1t!}

清和fan-江西警察学院

下载附件

看到提示:密码为清和B站uid下划线最高播放量视频发布日期，例123456_2020/01/01

搜索B站清和

最后压缩包密码为836885_2022/05/20

解压压缩包

lsb隐写得到压缩包密码:qq857488580

解压压缩包

神秘电波为SSTV隐写

得到压缩包密码为V@mpir3

解压压缩包

零宽隐写

最后flag为UNCTF{wha1e_wants_a_girlfriend_like_alicia}

社什么社-湖南警察学院

下载附件

缩小文档大小

看得出来是有古建筑，水中倒影，考虑出题人位置是在湖南

百度搜索湖南的古建筑

得知是湖南凤凰古城

最后flag为UNCTF{凤凰古城}

数独大挑战

下载附件

解数独

爆破last压缩包得到密码l0veSD

解压压缩包

根据hint提示

向上^

将解完的数独逐行异或得到

649187915

用该数字作为des密钥解key

得到flag8

最后flag为UNCTF{shuduzhenhaowan}

我小心海也绝非鳝类-中国计量大学现代科技学院

下载附件

发现一串奇怪编码:F#S<YIcHnAG;

随波逐流一把梭

010查看图片

发现文件末尾有base编码，解密

lsb隐写带密码想到cloacked-pixel工具隐写

长度为 672，以32个字符为一组刚好分为 21 组，挨个进行 md5 对比即为答案

解密脚本

exp:

from hashlib import md5

txt = "8FA14CDD754F91CC6554C9E71929CCE72DB95E8E1A9267B7A1188556B2013B330CC175B9C0F1B6A831C399E269772661B2F5FF47436671B6E533D8DC3614845DF95B70FDC3088560732A5AC135644506F1290186A5D0B1CEAB27F4E77C0C5D68E1671797C52E15F763380B45E841EC322DB95E8E1A9267B7A1188556B2013B334A8A08F09D37B73795649038408B5F33D95679752134A2D9EB61DBD7B91C4BCC6F8F57715090DA2632453988D9A1501BE1671797C52E15F763380B45E841EC32B14A7B8059D9C055954C92674CE60032E358EFA489F58062F10DD7316B65649ED95679752134A2D9EB61DBD7B91C4BCCB14A7B8059D9C055954C92674CE600326F8F57715090DA2632453988D9A1501B865C0C0B4AB0E063E5CAA3387C1A874103C7C0ACE395D80182DB07AE2C30F0344A8A08F09D37B73795649038408B5F33CBB184DD8E05C9709E5DCAEDAA0495CF"
md5map = {}
key = 'ABCDEFGHIGKLMNOPQRSTUVWXYZabcdefghigklmnopqrstuvwxyz0123456789`~!@#$%^&*()-=_+[]\\{}|;\':\",./<>?'

for ch in key:
    md5map[md5(ch.encode()).hexdigest().upper()] = ch

for i in range(21):
    print(md5map.get(txt[i*32:i*32+32]),end="")