🇷🇺Saratov State University’s SarCTF 2020 Writeup

Author:颖奇L’Amore

Blog:www.gem-love.com


I originally wanted to do the web challenges, but the web infrastructure was unbearably slow: a single request would sit for half a minute without a response, and the challenges even required brute forcing, so they were completely unworkable. I could only do a few misc challenges to pick up points.

My teammates were on fire and had already solved most of the challenges.

MISC

Deep Dive (701)

The attachment is flag.txt; checking it with file shows it is a tar archive, so extract it.

That yields another flag.txt; repeating the same method gives, in order: tar – zip – bzip2 – zip – tar …

After a few rounds this became impractical by hand. Suspecting that the number of compression layers was large, I ran a script over it and found there were indeed more than 350 layers.


The script used to run through them:

#Author:颖奇L'Amore
#Blog:www.gem-love.com
import os
import subprocess
import filetype

# Single-file compressors: each accepts -d and strips its own suffix, so
# "y1ng.<ext>" becomes "y1ng", which is renamed back to flag.txt.
DECOMPRESS = {"gz": "gzip", "bz2": "bzip2", "xz": "xz"}
# Container formats unpack flag.txt directly; the emptied archive is kept as
# GemLoveCom/<n> so the layers can be inspected afterwards.
UNPACK = {"tar": ["tar", "xf"], "zip": ["unzip", "-q"]}

os.makedirs("GemLoveCom", exist_ok=True)
i = 0   # number of tar/zip layers peeled so far
while True:
    kind = filetype.guess("flag.txt")
    if kind is None:
        # no known archive signature left: this is the plaintext flag
        print("flag is here:")
        with open("flag.txt") as f:
            print(f.read())
        break
    ext = kind.extension
    print(ext, end=" ", flush=True)
    if ext in DECOMPRESS:
        os.rename("flag.txt", "y1ng." + ext)
        subprocess.run([DECOMPRESS[ext], "-d", "y1ng." + ext], check=True)
        os.rename("y1ng", "flag.txt")
    elif ext in UNPACK:
        os.rename("flag.txt", "y1ng." + ext)
        subprocess.run(UNPACK[ext] + ["y1ng." + ext], check=True)   # writes flag.txt
        i += 1
        os.rename("y1ng." + ext, "GemLoveCom/{}".format(i))
    else:
        raise SystemExit("unexpected layer type: " + ext)

flag:FLAG{matri0sha256}
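As an added example (my own code, not the author's script), the same peeling can be done entirely in memory with Python's standard library: each layer is identified by its signature, the way file does it, instead of renaming the file and shelling out to gzip/bzip2/xz/tar/unzip. build_sample and the fake flag are constructed test input, not challenge data:

```python
import bz2, gzip, io, lzma, tarfile, zipfile

# Leading signatures of the compressed formats; tar has none, only "ustar" at offset 257
MAGIC = [(b"\x1f\x8b", "gz"), (b"BZh", "bz2"), (b"\xfd7zXZ\x00", "xz"), (b"PK\x03\x04", "zip")]
DECOMPRESS = {"gz": gzip.decompress, "bz2": bz2.decompress, "xz": lzma.decompress}
COMPRESS = {"gz": gzip.compress, "bz2": bz2.compress, "xz": lzma.compress}

def sniff(data):  # same job as `file`: name the outermost layer, or None for plain data
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "tar" if data[257:262] == b"ustar" else None

def peel_once(data):  # strip one layer -> (inner bytes, layer name); (data, None) at the bottom
    kind = sniff(data)
    if kind in DECOMPRESS:
        return DECOMPRESS[kind](data), kind
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return z.read(z.namelist()[0]), kind  # every layer holds a single member
    if kind == "tar":
        with tarfile.open(fileobj=io.BytesIO(data)) as t:
            member = next(m for m in t.getmembers() if m.isfile())
            return t.extractfile(member).read(), kind
    return data, None

def peel_all(data):  # peel until no signature is left -> (payload, layer names outermost first)
    layers = []
    while True:
        inner, kind = peel_once(data)
        if kind is None:
            return data, layers
        layers.append(kind)
        data = inner

def build_sample(payload, order):  # constructed input (assumption): wrap a fake flag, innermost first
    for kind in order:
        buf = io.BytesIO()
        if kind == "tar":
            with tarfile.open(fileobj=buf, mode="w") as t:
                info = tarfile.TarInfo("flag.txt")
                info.size = len(payload)
                t.addfile(info, io.BytesIO(payload))
            payload = buf.getvalue()
        elif kind == "zip":
            with zipfile.ZipFile(buf, "w") as z:
                z.writestr("flag.txt", payload)
            payload = buf.getvalue()
        else:
            payload = COMPRESS[kind](payload)
    return payload
```

Because nothing is written to disk, a layer count in the hundreds finishes in well under a second.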


Layouts (866pt)

The attachment has no extension; file shows it is a zip, but extraction requires a password.

Viewing it in Hex Fiend shows it isn't fake encryption either. I was stuck for a long time; brute force showed it wasn't a weak password.

Later, on a whim, I tried the file name as the password, and the extraction succeeded.

But one file extracts into another file; file again says it is a zip, and the password is again the file name. Suspecting the same trick as Deep Dive (many nested layers), I used Python to extract them:

#颖奇L'Amore
#www.gem-love.com
import os
import subprocess
import filetype

# gemLoveCom/ holds exactly one file at a time: the current layer
while True:
    name = os.listdir("gemLoveCom")[0]
    path = os.path.join("gemLoveCom", name)
    kind = filetype.guess(path)
    if kind is not None and kind.extension == "zip":
        # the password is the file's own name; unpack the next layer beside it,
        # then delete the layer just opened
        subprocess.run(["unzip", "-q", "-P", name, path, "-d", "gemLoveCom"], check=True)
        os.remove(path)
    else:
        print('解压完成')
        break

Create an empty folder named gemLoveCom, put the challenge attachment in it, make sure the gemLoveCom folder and the Python script are in the same directory, then run the script; the final extraction yields the flag file.

It turns out the flag file is again multiply compressed:

Just reuse the Deep Dive script; running it yields a folder containing many subdirectories.

Many of these subdirectories are empty, but many others are not.

find . -name "*"

gives:

./135
./61
./95
./95/15
./132
./59
./92
./66
./104
./50
./68
./103
./103/8
./57
./168
./157
./150
./159
./32
./166
./192
./35
./195
./161
./102
./102/11
./69
./56
./105
./51
./51/10
It is too long, so not all of it is pasted here.

As you can see, most entries are a single number, but a small fraction have two nested directories, for example /83/1, /89/2, /78/3. Sorting these by the trailing number and collecting the leading numbers gives:

83 89 78 84 123 122 52 103 101 51 102 117 120 52 95 110 53 112 49 49 125

Converting the ASCII codes to characters:

codes = '83 89 78 84 123 122 52 103 101 51 102 117 120 52 95 110 53 112 49 49 125'
for c in codes.split(' '):
    print(chr(int(c)), end='')   # each number is one ASCII code
print()

Result: SYNT{z4ge3fux4_n5p11}

Guessing that the letters had been rotated, run it through every ROT shift:

ROT-0: SYNT{z4ge3fux4_n5p11}
ROT-1: TZOU{a4hf3gvy4_o5q11}
ROT-2: UAPV{b4ig3hwz4_p5r11}
ROT-3: VBQW{c4jh3ixa4_q5s11}
ROT-4: WCRX{d4ki3jyb4_r5t11}
ROT-5: XDSY{e4lj3kzc4_s5u11}
ROT-6: YETZ{f4mk3lad4_t5v11}
ROT-7: ZFUA{g4nl3mbe4_u5w11}
ROT-8: AGVB{h4om3ncf4_v5x11}
ROT-9: BHWC{i4pn3odg4_w5y11}
ROT-10: CIXD{j4qo3peh4_x5z11}
ROT-11: DJYE{k4rp3qfi4_y5a11}
ROT-12: EKZF{l4sq3rgj4_z5b11}
ROT-13: FLAG{m4tr3shk4_a5c11}
ROT-14: GMBH{n4us3til4_b5d11}
ROT-15: HNCI{o4vt3ujm4_c5e11}
ROT-16: IODJ{p4wu3vkn4_d5f11}
ROT-17: JPEK{q4xv3wlo4_e5g11}
ROT-18: KQFL{r4yw3xmp4_f5h11}
ROT-19: LRGM{s4zx3ynq4_g5i11}
ROT-20: MSHN{t4ay3zor4_h5j11}
ROT-21: NTIO{u4bz3aps4_i5k11}
ROT-22: OUJP{v4ca3bqt4_j5l11}
ROT-23: PVKQ{w4db3cru4_k5m11}
ROT-24: QWLR{x4ec3dsv4_l5n11}
ROT-25: RXMS{y4fd3etw4_m5o11}

ROT13 gives the flag: FLAG{m4tr3shk4_a5c11}
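The directory-to-flag step above, as an added example that is not part of the original writeup: it filters the find listing down to the two-level paths, orders them by the inner number, reads the outer number as an ASCII code, and then tries all 26 shifts instead of eyeballing a ROT table. SAMPLE_LISTING is a constructed stand-in for the real find output (the noise entries are made up; the 21 pairs reproduce the numbers the writeup lists):

```python
import re

# Constructed stand-in for the `find . -name "*"` listing (an assumption, not the real output):
# noise directories plus the 21 <code>/<position> pairs in find's unsorted order.
SAMPLE_LISTING = """./135 ./61 ./95 ./95/15 ./132 ./103 ./103/8 ./102 ./102/11 ./51 ./51/10
./83 ./83/1 ./89/2 ./78/3 ./84/4 ./123/5 ./122/6 ./52/7 ./52/14 ./101/9 ./117/12
./120/13 ./110/16 ./53/17 ./112/18 ./49/19 ./49/20 ./125/21 ./168 ./57"""

def decode_layout(listing):
    """Keep only two-level paths, order by the inner number, read the outer number as ASCII."""
    pairs = []
    for path in listing.split():   # real find output is one path per line; split() covers both
        m = re.fullmatch(r"\./(\d+)/(\d+)", path)
        if m:
            pairs.append((int(m.group(2)), int(m.group(1))))   # (position, ASCII code)
    return "".join(chr(code) for _, code in sorted(pairs))

def rot(text, n):
    """Shift letters by n places; digits, braces and underscores stay put, as in the ROT table."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + n) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + n) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)

def find_flag(text, prefix="FLAG{"):
    """Try every shift and return (shift, plaintext) for the first one in flag format."""
    for n in range(26):
        candidate = rot(text, n)
        if candidate.startswith(prefix):
            return n, candidate
    return None
```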


True Detective (1681pt)

Challenge:

https://docs.google.com/forms/d/e/1FAIpQLSdpESvbfK_dafCvhkTjcLK1KBMwklUgYcy-J0mu3g_jjgisRw/viewform

The challenge asks for bits of text visible at the roadside.

All of it can be solved with Google Maps.

I won't screenshot each one; the answers to the 5 questions are:

tesco
bridport
Finsbury
euston
hungary

Answering all of them correctly gives the flag: FLAG{08c49c3d9ae88983437729747bcf1be8}


Crypto

Invitation (873pt)

Challenge attachment:

This is the Dancing Men cipher; decryption site:

https://www.dcode.fr/dancing-men-cipher

After decryption we get:

ItwasindeedlikeoldtimeswhenatthathourIfoundmyselfseatedbesidehiminahansommyrevolverinmypocketandthethrillofadventureinmyheartHolmeswascoldandsternandsilentAsthegleamofthestreetlampsflasheduponhisausterefeaturesIsawthathisbrowsweredrawndowninthoughtandhisthinlipscompressedIknewnotwhatwildbeastwewereabouttohuntdowninthedarkjungleofcriminalLondonbutIwaswellassuredfromthebearingofthismasterhuntsmanflagdiscoinSaratovthattheadventurewasamostgraveonewhilethesardonicsmilewhichoccasionallybrokethroughhisasceticgloombodedlittlegoodfortheobjectofourquest

flag:FLAG{discoinSaratov}


Forensics

Doc. Holmes (100pt)

A warm-up challenge. The attachment is unidentified; checking it with file shows it is a Word document.

Media files embedded in a Word document can be carved out with foremost; one image is extracted and it contains the flag.

flag:FLAG{prOMinentplace}


Blogger (632pt)

The attachment is a USB traffic capture; references:

Traffic forensics you may not have seen before

Notes on a USB traffic analysis CTF challenge

This challenge is solved essentially the same way as in the second article:

tshark -r usb_here.pcapng -T fields -e usb.capdata > usbdata.txt

Then run the script, but running that article's script as-is produces plaintext with some problems, and the submitted flag was wrong.

Mainly, some characters can't be recovered by that script; instead use the ready-made script from the first FreeBuf article:

#https://www.freebuf.com/articles/network/196374.html
# USB HID usage id -> "<unshifted><shifted>" character pair
mappings = { 0x04:"aA",  0x05:"bB",  0x06:"cC", 0x07:"dD", 0x08:"eE", 0x09:"fF", 0x0A:"gG",
             0x0B:"hH",  0x0C:"iI",  0x0D:"jJ", 0x0E:"kK", 0x0F:"lL", 0x10:"mM", 0x11:"nN",
             0x12:"oO",  0x13:"pP",  0x14:"qQ", 0x15:"rR", 0x16:"sS", 0x17:"tT", 0x18:"uU",
             0x19:"vV",  0x1A:"wW",  0x1B:"xX", 0x1C:"yY", 0x1D:"zZ", 0x1E:"1!", 0x1F:"2@",
             0x20:"3#",  0x21:"4$",  0x22:"5%", 0x23:"6^", 0x24:"7&", 0x25:"8*", 0x26:"9(",
             0x27:"0)",  0x2B:"  ",  0x2C:"  ", 0x2D:"-_", 0x2E:"=+", 0x2F:"[{",  0x30:"]}",
             0x31:"\\|", 0x32:"#~",  0x33:";:", 0x34:"'\"", 0x36:",<",  0x37:".>" }
lines = ["", "", "", "", ""]   # one buffer per editor line; Enter and the arrow keys move between them
pos = 0
for x in open('usbdata.txt', "r"):
    # Each capdata record is an 8-byte boot-keyboard report: byte 0 = modifiers,
    # byte 1 = reserved, byte 2 = first pressed key. Accepts "00:00:04:..." or "000004..." output.
    raw = bytes.fromhex(x.strip().replace(':', ''))
    if len(raw) < 3:
        continue               # empty or truncated record
    code = raw[2]
    if code == 0:
        continue               # key release, nothing typed
    if code == 0x51 or code == 0x28:    # down arrow / Enter: next line
        pos += 1
        continue
    if code == 0x52:                    # up arrow: previous line
        pos -= 1
        continue
    if raw[0] == 2:                     # left shift held: use the shifted character
        lines[pos] += mappings[code][1]
    else:
        lines[pos] += mappings[code][0]

for i in lines:
    print(i)

flag:FLAG{like_a_b100dh0und}

Original article by 颖奇L'Amore; when reposting, please credit the author and link to the article.

Article link: https://www.gem-love.com/ctf/1471.html


Comments

  1. imagin

    Wow, there's actually a website that can translate PDFs directly

    2020-2-17 21:12:57
