跳转至

第四届“安洵杯”网络安全挑战赛 Writeup

Abstract

这次的 misc 算是做得比较好,下面是 writeup


Cthulhu Mythos

hint.mp3 开头是《Overworld Day》泰拉瑞亚OST

后面是SSTV,Scottie1模式。得到图片:

MRPVI4TZL5KGK4TSGRZGSYJBPU======

Base32 解码:d_Try_Terr4ria!}

从图片也能看出这是一个 Base32 的后半部分,需要找前面的一截

然后打开那个wld文件:

7I4YF6QLO

仔细找还可以发现四个箱子:

箱子

3条拼在一起是完整的 Base32

IQYGOM33JUYW4ZLDKI2GM5C7I4YF6QLOMRPVI4TZL5KGK4TSGRZGSYJBPU======

Base32:D0g3{M1necR4ft_G0_And_Try_Terr4ria!}


lovemath

根据题干可以推测出要用到 Tupper's Self-Referential Formula

先看压缩包

flag撞CRC校验

密码: th1s_Is_Y0ur_pa33w0rd_We1c0m3e

解压出来的图片:

这个丢进 stegsolve 后 red 0 比较诡异,所以用 LSB 隐写试试

删掉开头的脏数据得到:

这个转文字输到 Tupper's Self-Referential Formula 的在线网站 https://tuppers-formula.ovh/

1251077695482776025338577125579215707216262981842821000162276994967943212822693842845266851984880336702446444408289977864567921038435144120176357529686342977212633764247620567669441602729004003473312468776582473461071462631554533766709934484393185739708817165738912742570170547790145328253304755428563911689057632001795598667127514331122190795355921436735375126688142856470280128821316586008242687241930886868804388482643589009068543771977163419519208340324352

D0g3{I_LOV3_math}


CyzCC_loves_LOL

开始是 LOLcode,转换得到压缩包密码 AGdJfpqebmXpptloa

得到两张图片,一张名字是 jinx's_flag_in_silent.jpg 推测是用了 SilentEye 这个软件藏了 flag,需要一个密码

第二个图片是一个很小的像素图,输出了一下,颜色一共有 10 种:

#800000FF
#008000FF
#000000FF
#0000FFFF
#FFFF00FF
#00FFFFFF
#FF0000FF
#00FF00FF
#008080FF
#808000FF

所以应该是 Brainloller 而不是 Piet,从在线网站 https://minond.xyz/brainloller/ 或者写代码可以转换得到 brainfuck 代码

Brainloller解释器
from PIL import Image 
import sys

def Brainloller(filename):
    source = Image.open(filename).convert("RGB")
    width, height = source.size
    result = ''
    ptr = (0, 0)
    direction = 0
    while True:
        if ptr[0] >= height or ptr[0] < 0 or ptr[1] >= width or ptr[1] < 0:
            break
        else:
            color = source.getpixel((ptr[1], ptr[0]))
            if   color == (255,   0,   0): result += '>'
            elif color == (128,   0,   0): result += '<'
            elif color == (  0, 255,   0): result += '+'
            elif color == (  0, 128,   0): result += '-'
            elif color == (  0,   0, 255): result += '.'
            elif color == (  0,   0, 128): result += ','
            elif color == (255, 255,   0): result += '['
            elif color == (128, 128,   0): result += ']'
            elif color == (  0, 255, 255): direction = (direction + 1) % 4
            elif color == (  0, 128, 128): direction = (direction - 1) % 4
            else: print(f"[-] Unknown color: {color}")
        if   direction == 0: ptr = ptr[0], ptr[1] + 1
        elif direction == 1: ptr = ptr[0] + 1, ptr[1]
        elif direction == 2: ptr = ptr[0], ptr[1] - 1
        elif direction == 3: ptr = ptr[0] - 1, ptr[1]

    print(f"[+] BrainFuck Code: {result}")
    return result

def Brainfuck(code):
    code = ''.join(filter(lambda x: x in ['.', ',', '[', ']', '<', '>', '+', '-'], code))
    bracemap = buildbracemap(code)

    cells, codeptr, cellptr = [0], 0, 0
    result = ''

    while codeptr < len(code):
        command = code[codeptr]
        if command == ">":
            cellptr += 1
            if cellptr == len(cells): cells.append(0)
        elif command == "<": cellptr = 0 if cellptr <= 0 else cellptr - 1
        elif command == "+": cells[cellptr] = cells[cellptr] + 1 if cells[cellptr] < 255 else 0
        elif command == "-": cells[cellptr] = cells[cellptr] - 1 if cells[cellptr] > 0 else 255
        elif command == "[" and cells[cellptr] == 0: codeptr = bracemap[codeptr]
        elif command == "]" and cells[cellptr] != 0: codeptr = bracemap[codeptr]
        elif command == ".": result += chr(cells[cellptr])
        elif command == ",": cells[cellptr] = ord(input("[*] input one char > "))
        codeptr += 1

    print(f"[+] Result: {result}")

def buildbracemap(code):
    temp_bracestack, bracemap = [], {}
    for position, command in enumerate(code):
        if command == "[": temp_bracestack.append(position)
        if command == "]":
            start = temp_bracestack.pop()
            bracemap[start] = position
            bracemap[position] = start
    return bracemap

if __name__ == "__main__":
    Brainfuck(Brainloller(sys.argv[1]))
-+++++++-+[<++++++++>-]<.>+++++++[<++++>-]<+.+++++++..+++.>>>++++++++[<++++>-]<.>>>++++++++++[<++++-++++>-]<---.<<<<.+++.-+----.--------.>>+.

可以发现它在前面会把指针左移一位,所以需要把 bf 解释器的 cell 的初始指针右移一位(或者在 bf 代码开头加一个 >

得到密码:0MTTW_CWZVN!

然后用 SilentEye 解密那张图片得到 flag:D0g3{544f3225-bbaf-47dc-ba8d-5bda54cbaecb}


最后更新: 2022年6月15日 16:45:09
创建日期: 2022年1月8日 18:06:47
回到页面顶部