美文网首页
2018鹏城杯writeup

2018鹏城杯writeup

作者: sgdream | 来源:发表于2018-12-05 18:41 被阅读0次

Welcome

  • 公众号签到flag{ausjnhjajfjakjw45}
wp-welcome.png

easy_crypto

  • 这道题iv直接给了 直接推就行
#!usr/bin/python 
#_*_ coding=UTF-8 _*_

from Crypto.Cipher import AES
from binascii import b2a_hex, a2b_hex
from Crypto import Random
import sys,base64
#from FLAG import flag
class CryptoError(Exception):
    pass
class aesdemo:
    #aes = AES.new(key,mode)
    def __init__(self,key):
        self.key = key
        #self.BS=BS
    

    def pad(self,msg):
        #BS = AES.block_size 
        # aes数据分组长度为128 bit
        byte = 16 - len(msg) % 16
        return msg + chr(byte) * byte
    def unpad(msg):
        if not msg:
            return ''
        return msg[:-ord(msg[-1])]      

    def xor(self,a, b):
            #assert len(a) == len(b)
            return ''.join([chr(ord(ai)^ord(bi)) for ai, bi in zip(a,b)])

    def split_by(self,data,step):
            return [data[i : i+step] for i in xrange(0, len(data), step)]

    def encrypt(self, plaintext):
        # 生成随机初始向量IV
        iv = Random.new().read(16)

        aes = AES.new(self.key,AES.MODE_CBC,iv)
        prev_pt = iv
        prev_ct = iv
        ct=""

        msg=self.pad(plaintext)
        print(msg)
        for block in self.split_by(msg, 16):
            ct_block = self.xor(block, prev_pt)
            ct_block = aes.encrypt(ct_block)
            ct_block = self.xor(ct_block, prev_ct)
            ct += ct_block
        # print(b2a_hex(ct))
        return b2a_hex(iv + ct)

    def tsb_decrypt(self, msg):
        #1
        msg = a2b_hex(msg)
        print(msg)
        iv, msg = msg[:16], msg[16:]
        prev_pt = iv
        prev_ct = iv
        pt = ''
        aes = AES.new(self.key, AES.MODE_CBC, iv)
        for block in self.split_by(msg, 16):
            pt_block = self.xor(block, prev_ct)
            pt_block = aes.decrypt(pt_block)
            pt_block = self.xor(pt_block, prev_pt)
            pt += pt_block
            # prev_pt = pt_block
            # prev_ct = block
        # pt, mac = pt[:-16], pt[-16:]
        # if mac != iv:
        #   print(1)
        # print pt.encode('hex')
        return (pt)
    def decrypt(self, ciphertext,iv):
        ciphertext = a2b_hex(ciphertext)
        # iv = ciphertext[0:AES.block_size]
        ciphertext = ciphertext[AES.block_size:len(ciphertext)]
        cryptor = AES.new(self.key, AES.MODE_CBC, iv)
        plaintext = cryptor.decrypt(ciphertext)
        return plaintext.rstrip(chr(0))


# 测试模块
if __name__ == '__main__':
    BS = AES.block_size # aes数据分组长度为128 bit
    # 524160f3d098ad937e252494f827f8cf26cc549e432ff4b11ccbe2d8bfa76e5c6606aad5ba17488f11189d41bca45baa
    key="asdfghjkl1234567890qwertyuiopzxc"
    demo = aesdemo(key)
    # e = demo.encrypt("flag{}")
    # print("加密:", e)
    e= '524160f3d098ad937e252494f827f8cf26cc549e432ff4b11ccbe2d8bfa76e5c6606aad5ba17488f11189d41bca45baa'
    a=demo.tsb_decrypt(e)
    print(a)
    exit()  

得到flag pcbctf{345f3_asss3_loasd_aswew}

Traffic Light

  • 这个题目有 1168 张图片

    提取出后将图片划分为012

import os
from PIL import Image
def main(gif_file):
    png_dir = gif_file[:-4] + '/'
    os.mkdir(png_dir)
    img = Image.open(gif_file)
    try:
        while True:
            current = img.tell()
            print(current)
            img.save(png_dir+str(current)+'.png')
            img.seek(current+1)
    except:
        pass
import time

# gif_file = 'Traffic_Light.gif'
# main(gif_file)

def getf(word):
    dict = {'.-': 'A', '-...': 'B', '-.-.': 'C', '-..': 'D', '.': 'E', '..-.': 'F', '--.': 'G', '....': 'H', '..': 'I',
            '.---': 'J', '-.-': 'K', '.-..': 'L', '--': 'M', '-.': 'N', '---': 'O', '.--.': 'P', '--.-': 'Q',
            '.-.': 'R', '...': 'S', '-': 'T', '..-': 'U', '...-': 'V', '.--': 'W', '-..-': 'X', '-.--': 'Y',
            '--..': 'Z', '.----': '1', '..---': '2', '...--': '3', '....-': '4', '.....': '5', '-....': '6',
            '--...': '7', '---..': '8', '----.': '9', '-----': '0', '..--..': '?', '-..-.': '/', '-.--.-': '()',
            '-....-': '-', '.-.-.-': '.'}
    word=word.split(' ')
    for i in word:
        try:
            print(dict[i],end='')
        except:
            a =1
    print('')
if __name__ == '__main__':
    gif_file = 'Traffic_Light.gif'
    main(gif_file)

    imgs = './Traffic_Light/{png}.png'
    word = ''
    k=0
    for i in range(0,1168,2):
        # print(imgs.format(png=str(i)))
        img = Image.open(imgs.format(png=str(i)))
        # img = img.convert('RGBA')
        data = (img.getpixel((100, 50)))# 100     50  1 00  150
        if data != 14 and data != 69:
            k=k+1
            word+='0'
            print('.',end='')
            continue
        # print('data', data)
        data = (img.getpixel((100, 100)))# 100     50  1 00  150
        # print(data)
        if data != 14 and data != 69:
            k = k + 1
            word += '1'
            print('-',end='')
            continue
        # print('data', data)
        data = (img.getpixel((100, 150)))# 100     50  1 00  150
        if data != 14 and data != 69:
            k = k + 1
            word += '2'
            print('/',end='')
            continue
        # word += '/'
        # print('/', end='')
        # print('data',data)
        # img.show()
        # time.sleep(1)
        # img.close()
        # cropImg = img.crop((0,0,100,50))
        # cropImg.show()
        # exit()
    print()
    print(k)

    # exit()
    print()
    print(word)
    word1=word.replace('1','.')
    word1=word1.replace('0','-')
    word1=word1.replace('2','/')
    print(word1)
    getf(word1)

    word1=word.replace('1','-')
    word1=word1.replace('0','.')
    word1=word1.replace('2','/')
    print(word1)
    getf(word1)

    word1=word.replace('1','-')
    word1=word1.replace('0','/')
    word1=word1.replace('2','.')
    print(word1)
    getf(word1)

    word1=word.replace('1','.')
    word1=word1.replace('0','/')
    word1=word1.replace('2','-')
    print(word1)
    getf(word1)

    word1=word.replace('1','/')
    word1=word1.replace('0','.')
    word1=word1.replace('2','-')
    print(word1)
    getf(word1)

    word1=word.replace('1','/')
    word1=word1.replace('0','-')
    word1=word1.replace('2','.')
    print(word1)
    getf(word1)

.--..--./.--.--../.--....-/.--..---/.----.--/.-.-..../.--.--../..--..--/..--.-../.---..--/..--..--/.-.-----/.---..../..--.-../.----..-/.-.-----/..--.-../.---.-../.---.-../..--..--/.--.---./.---.-../..--...-/..--..../.--.---./.-.-----/.---.-../..--..../.-.-----/.---.-../.---..-./..--.-../.--..--./.--..--./..--...-/.--...--/.-.-----/.---..--/..--.-../.--..--./..--..--/.---.-../.----..-/.-.-----/.---.---/.--.-.../..--..--/.--.---./.-.-----/.----..-/..--..../.---.-.-/.-.-----/..--.-../.---..-./..--..--/.-.-----/..--..../.---.-.-/.---.-../.---..--/..--...-/.--..-../..--..--/.-----.-

%u66%u6c%u61%u67%u7b%u50%u6c%u33%u34%u73%u33%u5f%u70%u34%u79%u5f%u34%u74%u74%u33%u6e%u74%u31%u30%u6e%u5f%u74%u30%u5f%u74%u72%u34%u66%u66%u31%u63%u5f%u73%u34%u66%u33%u74%u79%u5f%u77%u68%u33%u6e%u5f%u79%u30%u75%u5f%u34%u72%u33%u5f%u30%u75%u74%u73%u31%u64%u33%u7d

进行unicode 解码

image-20181201225128863.png

flag{Pl34s3_p4y_4tt3nt10n_t0_tr4ff1c_s4f3ty_wh3n_y0u_4r3_0uts1d3}

### WEB three-body1

  • 这道题非预期解:

  • 直接dirsearch扫目录 扫到了.bash_history .bash_logout 等等在home目录下的文件

  • .bash_history 里面有flag的操作记录,于是直接下载flag.txt 直接读取到(顺手将flag.txt加入字典中)

  • flag{Three_b0dy_1s_AMAZ1NG}
    

Quotes

Maya Angelou的名言
My+mission+in+life+is+not+mer ely+to+survive+but to+thrive+and+to+do+so+w ith+s  ome+pass i on+some+compass ion+so me+humor+and+some+style

多次测试后发现 将+号去除,以空格分割字符串,每组字符串长度对应a-z

X = []
Y = {}
for i in range(27):
    X.append(i + 1)
    # Y.append(chr(97 + i))
    Y[i]=chr(96 +i)
print(X)
print(Y)

word='My+mission+in+life+is+not+mer ely+to+survive+but to+thrive+and+to+do+so+w ith+s  ome+pass i on+some+compass ion+so me+humor+and+some+style'
nu = 0
word =word.replace('+','')
word =word.split(' ')
print(word)
for i in word:
    # print(len(i))
    print(Y[len(i)],end='')
#word`games

Flag 为flag{word games}

还有部分等到线下打完再补上2333

相关文章

  • 2018鹏城杯writeup

    Welcome 公众号签到flag{ausjnhjajfjakjw45} easy_crypto 这道题iv直接给...

  • [鹏城杯线上] web部分writeup

    [鹏城杯] web部分writeup 这次鹏城杯是真的对web不友好。 shadow 这题出的还是挺好的58.20...

  • 2018鹏城杯pwn第一题overInt writeup

    By Robin 题目资源: https://pan.baidu.com/s/1e5NWSpLPYxNKsD0Co...

  • 第一届安洵杯writeup

    安洵官方writeup安洵writeup第一届安洵杯writeup MISC 幺元 booom 爆破 查看pass...

  • 2018鹏城杯Write Up

    Web myblog 翻了一下。说这个站用php写的,确给我们展示了index.html。访问index.php,...

  • 鹏城杯总结

    一个强大的队伍背后一定有强大的后援团,CTF竞赛怎么能少了远程支援,简单介绍几个常用的线下赛技巧。 1.ssh连接...

  • 红帽杯writeup

    目录 Not Only Wireshark听说你们喜欢手工爆破这是道web题?simple uploadshopp...

  • 湖湘杯 easyheap

    湖湘杯easyheap writeup off-by-null 思路 leak heap leak libc ch...

  • [网鼎杯] writeup

    网鼎杯 这次还行很开心 挺满足 题目列表 web facebook 首先访问robots.txt 存在备份泄露,把...

  • [护网杯] writeup

    护网杯 Web : ltshop (done) 条件竞争 + 整型溢出条件竞争用bp就可以了,只要大于5个能买第二...

网友评论

      本文标题:2018鹏城杯writeup

      本文链接:https://www.haomeiwen.com/subject/tctscqtx.html