ICode9

精准搜索请尝试: 精确搜索
首页 > 其他分享> 文章详细

ciscn 初赛 MISC wp

2022-05-30 18:32:17  阅读:255  来源: 互联网

标签:ciscn MISC number 初赛 flag output line range matrix


ez_usb

打开流量包观察后发现在2.4.1,2.8.1,2.10.1三个流里有HID Data,于是分别导出,并用

tshark -T json -r xxx.pcapng > xxx.json

strings xxx.json | grep usb.capdata

来导出hiddata(不知道为啥这里不可以直接用tshark导出usbdata)

简单处理后使用脚本处理生成键盘敲击内容

#!/usr/bin/env python
# -*- coding:utf-8 -*-

normalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e", "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j", "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o", "13":"p", "14":"q", "15":"r", "16":"s", "17":"t", "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y", "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4", "22":"5", "23":"6","24":"7","25":"8","26":"9","27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\","32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".","38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
shiftKeys = {"04":"A", "05":"B", "06":"C", "07":"D", "08":"E", "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J", "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O", "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T", "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y", "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$", "22":"%", "23":"^","24":"&","25":"*","26":"(","27":")","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":"\"","34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
output = []
keys = open('x.txt')
for line in keys:
   try:
       if line[0]!='0' or (line[1]!='0' and line[1]!='2') or line[3]!='0' or line[4]!='0' or line[9]!='0' or line[10]!='0' or line[12]!='0' or line[13]!='0' or line[15]!='0' or line[16]!='0' or line[18]!='0' or line[19]!='0' or line[21]!='0' or line[22]!='0' or line[6:8]=="00":
            continue
       if line[6:8] in normalKeys.keys():
           output += [[normalKeys[line[6:8]]],[shiftKeys[line[6:8]]]][line[1]=='2']
       else:
           output += ['[unknown]']
   except:
       pass
keys.close()

flag=0
print("".join(output))
for i in range(len(output)):
   try:
       a=output.index('<DEL>')
       del output[a]
       del output[a-1]
   except:
       pass
for i in range(len(output)):
   try:
       if output[i]=="<CAP>":
           flag+=1
           output.pop(i)
           if flag==2:
               flag=0
       if flag!=0:
           output[i]=output[i].upper()
   except:
       pass
print ('output :' + "".join(output))

处理后发现,2.4.1里无信息,2.8.1里的是一个rar压缩包,2.10.1里的不知道是什么,打开压缩包之后发现有密码,猜测2.10.1里内容是密码,于是成功打开压缩包,里面就是flag

everlasting_night(好像非预期了)

使用在线图片一把梭网站,上传后发现两个密码

然后根据提示使用cloacked-pixel脚本解密

python2 lsb.py extract everlasting_night.png 1.txt f78dcd383f1b574b

发现是个zip压缩包,再使用第二个密码ohhWh04m1打开压缩包发现flag文件,改后缀为data后用gimp打开随便调调宽度就有flag

babydisk

磁盘取证,直接上取证大师,结果如下

发现一个加密文件和一个wav音频文件,导出后分析出加密文件是一个veracrypt,暂时没有密码,就先放着,去分析音频。分析发现音频有deepsound信息,于是使用john爆破deepsound密码

python3 deepsound2john.py voipNewRing.wav > 1.txt
john 1.txt

爆破很快,得到密码是feedback,拿去用deepsound解密得到一个key.txt

内容是e575ac894c385a6f,于是将其作为密码去用veracrypt,得到一个文件叫“spiral”,搜了一下是螺旋的意思,winhex打开发现文件头像zip格式但是文件尾以及文件整体都怪怪的,上网查查发现有个算法叫螺旋算法,代码比较简单,分析一下又发现这个spiral文件大小是7569字节,刚好是87的平方,可以凑一个矩阵,所以写脚本解密

def function(n):
   matrix = [[0] * n for _ in range(n)]

   number = 1
   left, right, up, down = 0, n - 1, 0, n - 1
   while left < right and up < down:
       # 从左到右
       for i in range(left, right):
           matrix[up][i] = number
           number += 1

       # 从上到下
       for i in range(up, down):
           matrix[i][right] = number
           number += 1

       # 从右向左
       for i in range(right, left, -1):
           matrix[down][i] = number
           number += 1

       for i in range(down, up, -1):
           matrix[i][left] = number
           number += 1
       left += 1
       right -= 1
       up += 1
       down -= 1
   # n 为奇数的时候,正方形中间会有个单独的空格需要单独填充
   if n % 2 != 0:
       matrix[n // 2][n // 2] = number
   return matrix

f = open('spiral','rb').read()
k = function(87)
k = sum(k,[])
arr = [0]*7569
for i in range(len(k)):
   arr[i] = f[k[i]-1]

for i in arr:
   print(hex(i)[2:].zfill(2),end='')

再把解密出的正确顺序的hex处理成一个压缩包,打开后发现一个图片

发现连着前面的ohhhhhh刚好是49个字符,于是还是螺旋,就可以得到flag

标签:ciscn,MISC,number,初赛,flag,output,line,range,matrix
来源: https://www.cnblogs.com/zysgmzb/p/16327773.html

专注分享技术,共同学习,共同进步。侵权联系[admin#icode9.com]

Copyright (C)ICode9.com, All Rights Reserved.

ICode9版权所有