羊城杯决赛Misc

羊城杯决赛Misc

easy00aes比赛时没离线0宽环境摆了

LmqHmAsk没思路，赛后看着群里各位师傅讨论才明白预期解，wp里直接放toto师傅的脚本了

这里放个toto师傅博客： https://blog.csdn.net/jyttttttt?type=blog

easy00aes

比赛时没环境，回来狠狠复现

图片分离得到压缩包

图片名YXNkZHNh是base64，解码得压缩包密码asddsa

得到key.txt与flag.jpg（其实是png）

又是熟悉的0宽，但这线下离线赛出这种题是否太...

结合题目，AES解密

hacker

哥斯拉流量，找到密文跟key解就行

import gzip
import base64

def encode(D, K):
	D = list(D)
	for i in range(len(D)):
		c = K[i + 1 & 15]
		D[i] = D[i] ^ c
	return bytes(D)

key = b"3c6e0b8a9c15224a"
cipher_text = "fL1tMGI4YTljMkiqW080ZnGz2stJciAN+e/swbLmTDlqJNVxQhhviSQqOD0AAcHRDEGwKRBXmdmG0CWg7kEL5JPgX2eowRSn/4WwlqOi9abxUod7ph3k5UoX0nsV3eldf7yo2wp/3Q5IGV0WES/kEm7HEvhLoYeWRRBgQ8PqNpGa+1In80ndUQtZTdcx3X8f5r7uQ6wWoKG9+SJR+m9ovp+FHcGY/fziz8GeW1ko5wa5wj7xI3t3NyKggQ/DzUXMtGQquPAm+s+RxONDJDlqvkpYWETA2vObwUKU01eQ8GpLoCQJQ11Z8r3/o/bTloCT8l0oJCGy5RZ5xKsv0MTojzAmt5EyJ7uWmvHeYyXWbkIN55XgiqRRUNYVlpiR7nFEzJhGknIQOTfTljG/UXXrBh0kym6OpP0cEy1vR5gNKymtdE0rLREadF42eH/HdO+M+dWd0t4vJAVw08uBdxcj8FVrrKrAEZjXq0BtjJp+uFco8Ol8vw0oTR7GHly+1z5CVq35FlyzlS8E9qh0Ob0NHuaC1ql4lik8txUnsApuHhW9anYvPC3WjomjlGN1cEblfX9y1TNdrKtboVp695zLYhYedv7QE18sjl3CvUWCVTlXdKixEMzJUewwVOdydxjbZeXNaV8YuOl8TpeH1CKc2+HujpskvefLUqM5GlShxOIr40b/y6gU0RnmBxC4DHTUl+c57KnaJsjc6r500Y4REgGg3e0KrTN6FUK/sW4e/GGJLufkUAzdKSwXuN3Cw6wpJLEj5FQop5JANZZ6N+NJxuUicq5cVVVQaHgnNUqfIzuf5AJn7zls2vPiKUARH/ISiOcGkcGUAhGnt4yWBDgb7hJN7U2TL59EK9OGxaTlhkpqdeQlvndAUhFyXrgPUUuFJnxTClAmRdgfkYIsTgSG90xHTdZlHjeYLLIUJeNZsAbkxyR57tXrdaONcbn25qB+ksq7HrxGoLOT9m9p98ipYmR83ydochsTYnJmZnGzOhZKuQ+YRr+7s+y1TQj3BNTrznPmybMLp4rXNyM84vw7tOl8AJmmusOCcuGzW6/v/hweQYYkXSyS+uAsIRHsXT0pi8Pt5mo5QVPrGWAC+lSdu2m8j/RXSVE8kN5gscsFQ73+KzXTG3grNqOaZPoW5wp7p+f8WDEkhI8bymmW3wz5LLVUz1JJPlGK6Sor//gI0ZVCrunes3JWmyhJ6ux3SlbVlNaYT08irTYD7KVbajUgkdX2DtABHG+yeDboESGrJLlocdq5pTmwJQ709M7aHoJFSpbcFY0q4sYlMrWosJXoOs6XgWh6TILRb3nP68Rt+SwdjiniAfY6OwxtXy/ztM1mgaYQsAHpw0iL+EiD8YeTS039i5KjxGmLdkPgdzANEdDhr9aC4nn3SIEjJe/jHZWom9e7p+XkjnuXfCn+PXCtfy22Lcd7yKLZOiqk0DgueDpZnbPjsCfeIRZ42aynC/xbUwn/9x4ZQw2qGauBOYya++BR1B+wsHVF9dpbikJz6YzNPpTPN7uYmC8sLQXdZDejthzB9ywBrBHtKG2yi5WUWll03kidk6LKgQ4afdCsmSLzcgKx0qQYedcGaaW0J3kvbmJl56H80FAtm40c/Kuebt9uUah9geK8e2g8gLCTEFMC9GA0kDhjR3Mc4OCUh71QxTx0Lt+CFqswDMy9kAWXMr4/6yvSCAJRo0VbUh5Wdsoftl5NHd6PrfJMRHtOHE+defrqLEh2obJdmuHzKeAXS7ftfqytEz8sUfUAlUwOLw2YxpCSo8SJLN6vRA0YEjXfWmI89/iRZ/TlcUR80fiUSIH5RsHTKNWOWjrGkVjUuVGg1Gd8GlZYBGOsGT9dPQR7Aiw80wnEGBGVX3jzni6tvAU9hbf8nTV5sq+Ok7TZaWACVsiypzIWwfa8QiJw6rwMsq6d8bIxC7lUNzkYv8N9nHjTRxp2OUPsmGWilVDP1FtTCT9Skeywbaq9f/fxAqF6A1kwXMRUYUUM3elR3jiqF5Oaexx49G6VFHw00bgp5PZ+Ovk4dJwDFuNfXq/pMXYhvJRc9REZE0bdJPLWDQgrKzH0XyvB+XZz264fAT+/VBp4Sqh4SgiMWlzfvAlQ3tIcp+8gs5vpGeUxKulrWjd8LsCCVZdzabSo/nlqiozLm9BY3xEORMfw6e1E0bosN1GBILziMRbYahLJNws07983bhWR4Zx49G6cNpMB6v0eWWaL9u/5roYWC7+8KLxnhycFKHig3qd9AtskgYWFKxx8nYGoiXQGbGFKoZP3dhgsWvgEj5kLOsQLyENTSuNSSjnfBZownHNnesNgn6PlP0CwHMsB8w9svTxAGwz1bMDfLOmpcfpGobjCNZMabY6SMk6ZiwajqBrUScn7CmXDXPQ7S1h1IUybTLRZHQk4uNAlImF61uJb3gh8U2ZeXZp0qETpZagby+n4y8Ryf9/EZGmt11wSGZQ3kAzNbfz/hHpj+cXFMeUoU4+7fgXDYB6L26Qy9BPvQ8k+khpXuhE8VlltazC23BHFNSnTiyWo4kUdA2az7cqx/cEUXgQiMsHxsaXdpNVJKi7WdBmpJzCEPjQyIKwIGT2/LW4n6fcmwe1v/lxX+lmH3pHQL1P3bTk4d8dZJgYoEzMFFY3orCw2NIb+Ifz28W04DI1NdQ2+m7YKVKFUZWX3eM98UTeAx6OrZtl8vARd6G65ItYM01VMkqt5CcXE5OByMvavAhS/s8mDb7gpMwCWWgYeyQvDjPWlm/1bUwkRtsXLjRHW9rQILCjxM2uv4ebNIXsPoL/lFQUzyxLlTvG82koU7ANPHbf08BhT2GZ26EqM9j/9AIdaDG9aBB9v+m8CTF58yGzurrfNMDV99Tf6OuR9RX6BV4fLtaiyMzpVafGD+gztMPEVnfY3vFIJd+4ilQBIKG4W2r6mpWfa+zRfj7m2v0ShZn5MTA+Qoso1LUcxb9e7WVkOXltsBh3Ao4ahi/QVkGIfBmxKwfwDwGpXeYsJrepwjXtFnTOE+6T7gPxqo7nHvazZOxf5YfKRh6i0z8P4n7EwcNg+SRlAOvBECnQFQc/+/Xz/u7zHYAmVny2AVnZX6wFBgTIfpn4T4zj7qZJ6XE2Hrj7mVUDECFEIs1gfAZx+Qm22VKbaCx3jHe+JX5LMJoBM9xwxqHxOmn5c6AqK5VRLyvjPadulBVBGYdDrvj+63NGpZA5LOwJjMy//jkWTgV1+zrQeEl9Xh0YIxe1Y3crjtT18eK6Z5mRGFemxKvDIq8zvN5D2lcMeQIyM9OgMB8yC/ruUUG2ItQ/f3iXHbvJSNQkxczNj"

out = encode(base64.b64decode(cipher_text), key)
print(gzip.decompress(out))

运行完看到是个zip,稍微处理下数据提出来就好

with open('1.txt') as f:
    data = f.read()[2:-2].strip().split('\\n');

zip = ''
for i in data:
    zip += ''.join(i.split(' ')[1:-2])

with open('1.zip','wb') as f:
    f.write(bytes.fromhex(zip))

密码

解压后的是一个维吉尼亚密码

DASCTF{VIGENERE_IS_VERY_FUN}

黑客的秘密

flag.txt不是文本文件，这个文件大小一眼ceracrypt挂载（用passware也能检测出来）

key.jpg是密钥文件，挂载得到流量包

直接strings找flag:

base64解码

LmqHmAsk

类似nctf2022 qrssssss这题

https://www.cnblogs.com/zysgmzb/p/16945880.html

通过二维码data-masking的顺序来排flag里字符顺序的，大致是：L0~7 M0~7 Q0~7 H0~7

以下应该是非预期做法（toto师傅的脚本）

import os
from datetime import datetime
import qrcode
from PIL import Image
from pyzbar.pyzbar import decode

# 定义一个函数来递归遍历文件夹并扫描二维码
flag = ''
current_directory = os.getcwd()
for root, _, files in os.walk(current_directory):
    # 遍历文件夹内的jpg文件
    jpg_files = [file for file in files if file.lower().endswith(".jpg")]

    if jpg_files:
        # 获取每个jpg文件的创建时间并存储在字典中
        file_creation_times = {}
        for jpg_file in jpg_files:
            file_path = os.path.join(root, jpg_file)
            creation_time = datetime.fromtimestamp(os.path.getctime(file_path))
            file_creation_times[jpg_file] = creation_time

        # 根据创建时间对文件进行排序
        sorted_files = sorted(file_creation_times.items(), key=lambda x: x[1])

        # 扫描每张图片中的二维码并打印结果
        for file, _ in sorted_files:
            file_path = os.path.join(root, file)

            # 打开图片并解码其中的二维码
            image = Image.open(file_path)
            decoded_objects = decode(image)
            for obj in decoded_objects:
                flag+=obj.data.decode('utf-8')

flagg=''
for i in range(0,100,25):
    flagg+=flag[i:i+25]
    flagg+=flag[i+100:i+100+25]
    flagg+=flag[i+200:i+200+25]
    flagg+=flag[i+300:i+300+25]
    flagg+=flag[i+400:i+400+25]
    flagg+=flag[i+500:i+500+25]
flagg+=flag[600:625]
print(flagg)

1111111000011011001111111100000100001100110100000110111010101000010010111011011101000010001101011101101110100001000110101110110000010000110011010000011111111010101010101111111000000001111010100000000011101111111101001110001001111010000100100101100001010111110010110011101000111000100010001010101110100101011010101100011101011001111010100110001110000110110111011000001011110010100010101111101100101010101111110110010011111100000000000100001011000100011111111010100001101011101100000101011011010001101010111010101001101111110011011101000100110000011111101110101000100110001010110000010100101111001110101111111011110111111011011

https://bahamas10.github.io/binary-to-qrcode/

扫码得flag