menu L1nearのspace
首届“红明谷”杯技能场景赛MISC_WP
3659 浏览 | 2021-04-03 | 阅读时间: 约 2 分钟 | 分类: Misc | 标签:
请注意,本文编写于 241 天前,最后修改于 241 天前,其中某些信息可能已经过时。

InputMonitor

下载附件,发现在Dump_6e7e51d82aa230fe12d1fbc145da6441\User\link3\Desktop里面有flag.7z和log_data.txt,查看txt发现有监控输入,那么直接上取证大师,查看输入法,得到两组信息:

查看自定义词汇中提到了应该是六个字的密码,查看用户输入历史发现了有志者事竟成,输入解压得到一个pdf,把pdf上面覆盖的图片删掉,得到隐藏文字 ,即为flag:

我的心是冰冰的

rar伪加密破解,得到 一张图片和一个压缩包,图片利用了java盲水印隐写

java -jar BlindWatermark.jar decode -c bingbing.jpg decode.jpg

得到密码:gnibgnib

破解得到一个键盘流量包,tshark+脚本一把嗦,得到:666C61677B38663965643266393333656631346138643035323364303334396531323939637D

解十六进制得到flag:

歪比歪比

winhex打开无后缀附件发现有wireshark字眼,那么应该后缀是.pcapng,是个流量包。打开发现是一堆tcp流量,追踪tcp流量,在tcp流=1的地方,发现了这样一堆数据:

Surprise
Wabby Wabby: 
j 29
z 31
7 25
e 31
l 23
6 37
4 32
p 38
h 27
g 26
x 28
i 25
u 27
n 25
8 36
0 24
o 23
c 28
y 24
1 29
b 26
m 27
2 28
v 25
d 33
f 28
9 33
t 21
w 22
a 31
r 24
s 16
k 32
5 25
q 23
3 32
{ 1
- 4
} 1
Wabby Wabbo: 
0111110001000011001010001111011110101010011011011110100000110010111101000010010010001100001110010000011110011101101111011001111101000000111010100000101101001000111100000000010100110100101001011101110010001100011100010010111001100011100110011010011000101010100011011110001111111110111001011100010100101111100001011011001001001000010111110101110111010111100010111011000011001011001101001010010111111001110101000110001001001100101110111101111000110010010111111000111110000101001100100100001001110100101011111101111110011101011101000000100100100011111111001000101110101001001101110001011101101001001001011010000101111111001011111100110010100111111110001001100100010010010011110111110110110001101000010010110110001011010000100011010111110101110000110000010001111111110000101000100101101111000111100101101011001100010101011000110010011111001010011110100100011000101111110111011011000011011010100011011100010001010001010000000001101001010010100111111010010110110011110100101010010101001010100010101011010011110001000011000100001010111001110001100101100001010111011110110111110000001011011111011101101000111111110100111100110011101111100111100101101101101010100110001100100110101011110000011111111100011110011101010011110101010111100111100001000111110111110100010011110011000010000100001100101111101010110101100011100010010100001110001001010110010010010100010101101101001110000101111110101010110110110000010011000111000010001001101101101101100111000011000011010101111010101100101000011011001011000101101110100011110001100111101111011000100110110000111010101101111101001111111111100001000111000001001011111011110010110101011110001110001101010011000101111100001111111011100110101001000011111101111111011001111110001110111110110010111000111011011110010101010110011001110110011110001111010000011010101000111110111011100101100100100100001111101010011101111100110011100000010100101000111100100011001011111000000111111111000000011111111101110111111001110100100000100000011011111010000000011110101110111101101011001111011010101111000010110001101000111000111000001110110111000100011110101100100100011100111100101101010010110101011111110011100100000111011011010101101110111000001001100110111001000111001000000111000110010110000100100010001001111010101000101101111000000110101110011101001011100110111101101111100001111000110001101010000111100100011110001100110111001101011100010101011110111111111100101100101010001101110101101101010101001110100001101011000100001111011011100101011000001001000011011000111011101110011001101110100000010100000101111010000001000011001101101111010011101000000101101101011101001101110000010011110001110100111000101111101010110111010011010011000011000110110010110001001000101101111000010010001011110100010111010100101100101111010100001110111100000100101101011110010110001000111111001000000101110010111010001101101111101110111000010101100100001010101001010010001011101001100101010101001111110000010011010011110101001001001110010110100111011110110000111101000010011111000111111001111010011101011010011100010001111101001110011110101111111111111011010100000010100010010011110100110011011101011101011101100000100111110111100100000101011000110110000010110001001111111111011101011000010101111110111001011101111111100111011101001000111011110110111101001011110011000110011000010011011001001100010010111110000110100001110111100110110100101010010111001001100101111010010001001111111000010111101010110000001110101000111011010111100110101001001110001110001001111110001000010011011110100111011111000101111110011000011010001000101000110011100011001001011000111011100101101000110001110011011101010101001010011101110100100111101011101010011010101010111101110101101000001111100111111010011010111101000101011111101011100101101101001100011001111101111100100111101101101110111111010111010100100101110111000011100001001000011100010101110100111110011001100101111110110100111101000010001000011011110000011010110111010110001110011111110000011110010001011010010111111101010101110010000001010011111011100101000101101010101101101000101000110011101101010110001100101011101110111100000001010000011110011010011000011111110100111011100100111000001101001110111100000101010110000010000100001110111000011111110010010100111111101010110000000000111011010000101100100111001110000001011101100000110110101011001011000111001111110010101111001011011101000010001100011101110010100111000011111001110001100111110110111101010101011001000101011010001100000010001111110011001101111111010110010001111001100111110001110011100010011011100100010011011000110000100101111100111110111101010010001101010011100110001011001111000100011011110100011101011101010111111110000011110110111011110000010111100110011100011010111101111110100000010001111100101100011110001101011111101111111011111011101010001101001000111000101111110101000110011000111011111101111110100001111011110010100011101110111111010101100111000101100100010011101001011110011111001111101110001110111111011100111100010110010011011010100011100101010101010110000001010111001101111100111110010100111000010101111001110011011011111001101110011111001000000000111101011000111110001101010011011000010100100100111011111110010000000101001111111110101100001010000001110100101001111001011011001001001011100101111110
surprise message len: 1000

刚开始以为是二进制数据转字符,试了半天,后面看到{}权重都是1,那么感觉可能是频率,想到哈夫曼,网上找了一个脚本,跑出来哈夫曼编码:

class Node(object):
    def __init__(self,name=None,value=None):
        self._name=name
        self._value=value
        self._left=None
        self._right=None
class HuffmanTree(object):
    def __init__(self,char_weights):
        self.a=[Node(part[0],part[1]) for part in char_weights]
        while len(self.a)!=1:
                self.a.sort(key=lambda node:node._value,reverse=True)
                c=Node(value=(self.a[-1]._value+self.a[-2]._value))
                c._left=self.a.pop(-1)
                c._right=self.a.pop(-1)
                self.a.append(c)
        self.root=self.a[0]
        self.b=list(range(30))
    def pre(self,tree,length):
        node=tree
        if (not node):
                return
        elif node._name:
                x=str(node._name) + '的编码为:'
                for i in range(length):
                        x+=str(self.b[i])
                print(x)
                return
        self.b[length]=0
        self.pre(node._left,length+1)
        self.b[length]=1
        self.pre(node._right,length+1)
    def get_code(self):
        self.pre(self.root,0)
if __name__=='__main__':
        char_weights=[('j',29),('z',31),('7',25),('e',31),('l',23),('6',37),('4',32),('p',38),('h',27),('g',26),('x',28),('i',25),('u',27),('n',25),('8',36),('0',24),('o',23),('c',28),('y',24),('1',29),('b',26),('m',27),('2',28),('v',25),('d',33),('f',28),('9',33),('t',21),('w',22),('a',31),('r',24),('s',16),('k',32),('5',25),('q',23),('3',32),('{',1),('-',4),('}',1)]
        tree=HuffmanTree(char_weights)
        tree.get_code()
0的编码为:00000
7的编码为:00001
i的编码为:00010
n的编码为:00011
v的编码为:00100
5的编码为:00101
b的编码为:00110
g的编码为:00111
m的编码为:01000
u的编码为:01001
h的编码为:01010
f的编码为:01011
2的编码为:01100
c的编码为:01101
x的编码为:01110
1的编码为:01111
j的编码为:10000
a的编码为:10001
e的编码为:10010
z的编码为:10011
3的编码为:10100
k的编码为:10101
4的编码为:10110
9的编码为:10111
d的编码为:11000
8的编码为:11001
6的编码为:11010
p的编码为:11011
t的编码为:111000
}的编码为:111010000
{的编码为:111010001
-的编码为:11100101
s的编码为:1110011
w的编码为:111010
q的编码为:111011
o的编码为:111100
l的编码为:111101
r的编码为:111110
y的编码为:111111

但是因为很多的频率是一样的,所以哈夫曼编码可以互换,比如}也可以是111010001。这里要多尝试几遍。本人是猜测那些01字符串转化后肯定会有flag{字眼出现,那么把flag转化为哈夫曼编码可能是:

01011/01110 + 111101/111100/111011 + 10011/10001/10010 + 00110/00111

一共36种可能,即:

010111111011001100110
010111111011001100111
010111111011000100110
010111111011000100111
010111111011001000110
010111111011001000111
010111111001001100110
010111111001001100111
010111111001000100110
010111111001000100111
010111111001001000110
010111111001001000111
010111110111001100110
010111110111001100111
010111110111000100110
010111110111000100111
010111110111001000110
010111110111001000111
011101111011001100110
011101111011001100111
011101111011000100110
011101111011000100111
011101111011001000110
011101111011001000111
011101111001001100110
011101111001001100111
011101111001000100110
011101111001000100111
011101111001001000110
011101111001001000111
011101110111001100110
011101110111001100111
011101110111000100110
011101110111000100111
011101110111001000110
011101110111001000111

然后依次查询,直到这个才找到了:

那么它紧跟着的就是111010000,即{,那么再找到},即为:01110111001100110111010000001010000010111101000000100001100110110111101001110100000010110110101110100110111000001001111000111010011100010111110101011011101001101001100001100011011001011000100100010110111100001001000101111010001,解哈夫曼即可得到flag(可能需要多试几次)

PS:前面网上找的那个脚本经测试,发现和最后的flag相差比较大,主要在于相同字频的哈夫曼编码是可以互相替换的,所以有可能会出现需要调换编码,得小小的爆破一下,那么这篇文章的哈夫曼编码生成比较靠谱,爆破少一点

PPS:赛后交流了下写法,那么这里放一下脑王@NanoApe师傅的解题脚本:

import copy
import re

def dfs(c, d):
    if len(c.keys()) == 1:
        # g = {'j':29,'z':31,'7':25,'e':31,'l':23,'6':37,'4':32,'p':38,'h':27,'g':26,'x':28,'i':25,'u':27,'n':25,'8':36,'0':24,'o':23,'c':28,'y':24,'1':29,'b':26,'m':27,'2':28,'v':25,'d':33,'f':28,'9':33,'t':21,'w':22,'a':31,'r':24,'s':16,'k':32,'5':25,'q':23,'3':32,'{':1,'-':4,'}':1,}
        # num = 0
        # for k in g.keys():
        #     num += g[k] * len(d[k])
        # print(num)
        # print(c, d)
        g = {}
        for k in d.keys():
            g[d[k]] = k
        a = '0111110001000011001010001111011110101010011011011110100000110010111101000010010010001100001110010000011110011101101111011001111101000000111010100000101101001000111100000000010100110100101001011101110010001100011100010010111001100011100110011010011000101010100011011110001111111110111001011100010100101111100001011011001001001000010111110101110111010111100010111011000011001011001101001010010111111001110101000110001001001100101110111101111000110010010111111000111110000101001100100100001001110100101011111101111110011101011101000000100100100011111111001000101110101001001101110001011101101001001001011010000101111111001011111100110010100111111110001001100100010010010011110111110110110001101000010010110110001011010000100011010111110101110000110000010001111111110000101000100101101111000111100101101011001100010101011000110010011111001010011110100100011000101111110111011011000011011010100011011100010001010001010000000001101001010010100111111010010110110011110100101010010101001010100010101011010011110001000011000100001010111001110001100101100001010111011110110111110000001011011111011101101000111111110100111100110011101111100111100101101101101010100110001100100110101011110000011111111100011110011101010011110101010111100111100001000111110111110100010011110011000010000100001100101111101010110101100011100010010100001110001001010110010010010100010101101101001110000101111110101010110110110000010011000111000010001001101101101101100111000011000011010101111010101100101000011011001011000101101110100011110001100111101111011000100110110000111010101101111101001111111111100001000111000001001011111011110010110101011110001110001101010011000101111100001111111011100110101001000011111101111111011001111110001110111110110010111000111011011110010101010110011001110110011110001111010000011010101000111110111011100101100100100100001111101010011101111100110011100000010100101000111100100011001011111000000111111111000000011111111101110111111001110100100000100000011011111010000000011110101110111101101011001111011010101111000010110001101000111000111000001110110111000100011110101100100100011100111100101101010010110101011111110011100100000111011011010101101110111000001001100110111001000111001000000111000110010110000100100010001001111010101000101101111000000110101110011101001011100110111101101111100001111000110001101010000111100100011110001100110111001101011100010101011110111111111100101100101010001101110101101101010101001110100001101011000100001111011011100101011000001001000011011000111011101110011001101110100000010100000101111010000001000011001101101111010011101000000101101101011101001101110000010011110001110100111000101111101010110111010011010011000011000110110010110001001000101101111000010010001011110100010111010100101100101111010100001110111100000100101101011110010110001000111111001000000101110010111010001101101111101110111000010101100100001010101001010010001011101001100101010101001111110000010011010011110101001001001110010110100111011110110000111101000010011111000111111001111010011101011010011100010001111101001110011110101111111111111011010100000010100010010011110100110011011101011101011101100000100111110111100100000101011000110110000010110001001111111111011101011000010101111110111001011101111111100111011101001000111011110110111101001011110011000110011000010011011001001100010010111110000110100001110111100110110100101010010111001001100101111010010001001111111000010111101010110000001110101000111011010111100110101001001110001110001001111110001000010011011110100111011111000101111110011000011010001000101000110011100011001001011000111011100101101000110001110011011101010101001010011101110100100111101011101010011010101010111101110101101000001111100111111010011010111101000101011111101011100101101101001100011001111101111100100111101101101110111111010111010100100101110111000011100001001000011100010101110100111110011001100101111110110100111101000010001000011011110000011010110111010110001110011111110000011110010001011010010111111101010101110010000001010011111011100101000101101010101101101000101000110011101101010110001100101011101110111100000001010000011110011010011000011111110100111011100100111000001101001110111100000101010110000010000100001110111000011111110010010100111111101010110000000000111011010000101100100111001110000001011101100000110110101011001011000111001111110010101111001011011101000010001100011101110010100111000011111001110001100111110110111101010101011001000101011010001100000010001111110011001101111111010110010001111001100111110001110011100010011011100100010011011000110000100101111100111110111101010010001101010011100110001011001111000100011011110100011101011101010111111110000011110110111011110000010111100110011100011010111101111110100000010001111100101100011110001101011111101111111011111011101010001101001000111000101111110101000110011000111011111101111110100001111011110010100011101110111111010101100111000101100100010011101001011110011111001111101110001110111111011100111100010110010011011010100011100101010101010110000001010111001101111100111110010100111000010101111001110011011011111001101110011111001000000000111101011000111110001101010011011000010100100100111011111110010000000101001111111110101100001010000001110100101001111001011011001001001011100101111110'
        m = ''
        st = 0
        while st < len(a):
            ed = st + 5
            while ed <= len(a):
                if a[st:ed] in g.keys():
                    m += g[a[st:ed]]
                    break
                else:
                    ed += 1
            st = ed
        print(re.findall(r'flag\{[a-f0-9-]*\}', m)[0])

    else:
        k0 = list(c.keys())[0]
        k1 = list(c.keys())[1]
        if c[k0] > c[k1]:
            k0, k1 = k1, k0
        for k in list(c.keys())[2:]:
            if c[k] < c[k1]:
                if c[k] < c[k0]:
                    k0, k1 = k, k0
                else:
                    k1 = k
        for a in k0:
            d[a] = '0' + d[a]
        for a in k1:
            d[a] = '1' + d[a]
        c[k0+k1] = c[k0]+c[k1]
        del c[k0]
        del c[k1]
        dfs(copy.deepcopy(c), copy.deepcopy(d))

c = {'j':29,'z':31,'7':25,'e':31,'l':23,'6':37,'4':32,'p':38,'h':27,'g':26,'x':28,'i':25,'u':27,'n':25,'8':36,'r':24,'o':23,'c':28,'y':24,'1':29,'b':26,'m':27,'2':28,'v':25,'d':33,'f':28,'9':33,'t':21,'w':22,'a':31,'0':24,'s':16,'k':32,'5':25,'q':23,'3':32,'{':1,'-':4,'}':1,}
d = {}
for k in c.keys():
    d[k] = ''
dfs(copy.deepcopy(c), copy.deepcopy(d))
# print(c)
知识共享署名-非商业性使用-相同方式共享 4.0 国际许可协议

发表评论

email
web

全部评论 (暂无评论)

info 还没有任何评论,你来说两句呐!