VNCTF2022 WriteUp
2022-07-06 04:11:00 【It's mumuzi】
Crypto
ezmath
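The time limit is 60 s. All I can say is that on this junk computer, with MC running at the same time, I couldn't get through the 777 rounds in time.
The question: if 2^N-1 is divisible by 15, which values can the natural number N take? A Baidu search for (2^n-1) % 15 turns up the answer. Since 2^4 = 16 ≡ 1 (mod 15), N must be a multiple of 4, so the n-th such value is 4n, which is what the script sends for each question.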
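from pwn import *
import hashlib
import re
import string

context.log_level = 'debug'

def sha256(enc, sec):
    # Proof of work: brute-force the 4-character prefix s with sha256(s + sec) == enc
    table = string.ascii_letters + string.digits
    for i in table:
        for j in table:
            for k in table:
                for n in table:
                    s = i + j + k + n
                    s1 = s + sec
                    m = hashlib.sha256(s1.encode())
                    mi = m.hexdigest()
                    if enc == mi:
                        return s

p = remote('node4.buuoj.cn', 28865)
rec = p.recv()
sec = rec[16:32].decode()   # suffix that is appended to the unknown prefix
sha = rec[37:-23].decode()  # digest the result is compared against
print(sec, sha)
result = sha256(sha, sec)
print(result)
p.sendline(result.encode())

i = 0
while 1:
    r = p.recv().decode()
    # The captured group ends with a 3-character suffix that is stripped before int()
    que = re.search(r'plz give me the (.*)\(n\)', r).group(1)[:-3]
    ans = str(int(que) * 4).encode()
    print(i)
    p.sendline(ans)
    i += 1
    if i == 777:
        p.recv()
        p.recv()
        p.recv()
        p.recvuntil(b'are so smart.\n')
        p.interactive()  # show whatever the server sends after the last round
        break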
Web
GameV4.0
Open /js/data.js and scroll to the bottom to find the base64-encoded flag.
VNCTF{Welcome_to_VNCTF2022}
Reverse
BabyMaze
Print out the bytecode directly, the old way:
import dis, marshal, sys

header_sizes = [
    # (size, first version this applies to)
    # pyc files were introduced in 0.9.2 way, way back in June 1991.
    (8, (0, 9, 2)),  # 2 bytes magic number, \r\n, 4 bytes UNIX timestamp
    (12, (3, 6)),  # added 4 bytes file size
    # bytes 4-8 are flags, meaning of 9-16 depends on what flags are set
    # bit 0 not set: 9-12 timestamp, 13-16 file size
    # bit 0 set: 9-16 file hash (SipHash-2-4, k0 = 4 bytes of the file, k1 = 0)
    (16, (3, 7)),  # inserted 4 bytes bit flag field at 4-8
    # future version may add more bytes still, at which point we can extend
    # this table. It is correct for Python versions up to 3.9
]
header_size = next(s for s, v in reversed(header_sizes) if sys.version_info >= v)

with open('BabyMaze.pyc', "rb") as f:
    metadata = f.read(header_size)  # first header_size bytes are metadata
    code = marshal.load(f)  # rest is a marshalled code object

dis.dis(code)
You can see a lot of 0s and 2s, a single 1 and a single 3.
And it is obviously 31*31.
With that, draw a picture:
s = '0000000000000000000000000000000010222222222222222220222222222002020000000002000002020000000200202220222222202220222020222020020000020000000002000002020202002220222022222222222220222022200002020002000000000000020000000022202022202222222220222022202002000202000200000002020002020200222220202220222020202220202220000000020200020202020002020002002222222022222022202022202022200200000000000000020202000202000022222220222222202022202220222002000002020202000200000200000000202220202020202220222222222220020202020202000200020000020002002020202020222022202022202022200202000202000200020202020002000022202220202222202020202220222002000202020200000202020002020200202220202022222220202020202020020200020200000000000202020202002022202020222222222020202020200200020202000002020202020202020022202020222220202022202220202000000200000002000200000002000200222220222220222022222220222220020000020002000200000002000002002222222220222222222222202222300000000000000000000000000000000'
from PIL import Image
pic = Image.new('RGB',(31,31),(255,255,255))
for i in range(31):
    for j in range(31):
        if s[i*31+j] == '0':
            pic.putpixel((j, i), (0, 0, 0))
        elif s[i*31+j] == '1':
            pic.putpixel((j, i), (255, 255, 0))
        elif s[i*31+j] == '3':
            pic.putpixel((j, i), (255, 0, 255))
pic.show()
pic.save('flag.png')
Further down in the bytecode you can also see that reaching (29,29) outputs the flag, and that the starting point is (1,1).
Walk it manually:
ssssddssaassddddwwwwddwwddddddwwddddddssddwwddddddddssssaawwaassaassaassddssaassaawwwwwwaaaaaaaassaassddddwwddssddssssaassddssssaaaaaawwddwwaawwwwaassssssssssssddddssddssddddddddwwaaaaaawwwwddssddwwwwwwwwddssddssssssssddddss
The md5 of the path is the flag (I walked it again; I'm not sure whether the flag is this one)
VNCTF{801f190737434100e7d2790bd5b0732e}
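The manual walk can also be automated. The following is an added example, not part of the original writeup: a breadth-first search over a grid in the same encoding ('0' is a wall, anything else is walkable) that returns the shortest wasd path and its MD5. The 7*7 grid is constructed for illustration and the key mapping w/a/s/d = up/left/down/right is an assumption; for the challenge, pass the 31*31 string s with width 31, start (1,1) and goal (29,29).

```python
from collections import deque
from hashlib import md5

# Constructed 7x7 sample in the challenge's encoding:
# '0' = wall, '2' = corridor, '1' = start, '3' = goal.
SAMPLE = (
    "0000000"
    "0102220"
    "0202020"
    "0202020"
    "0222020"
    "0000030"
    "0000000"
)

# Assumed key mapping: (row delta, column delta) per key.
MOVES = {"w": (-1, 0), "s": (1, 0), "a": (0, -1), "d": (0, 1)}

def solve(grid, width, start, goal):
    """Return the shortest wasd path from start to goal, or None if unreachable."""
    height = len(grid) // width
    prev = {start: None}            # cell -> (previous cell, key pressed)
    queue = deque([start])
    while queue:
        cell = queue.popleft()
        if cell == goal:
            break
        for key, (dr, dc) in MOVES.items():
            nr, nc = cell[0] + dr, cell[1] + dc
            if (0 <= nr < height and 0 <= nc < width
                    and grid[nr * width + nc] != "0"
                    and (nr, nc) not in prev):
                prev[(nr, nc)] = (cell, key)
                queue.append((nr, nc))
    if goal not in prev:
        return None
    keys, cell = [], goal
    while prev[cell] is not None:   # walk back from the goal to the start
        cell, key = prev[cell]
        keys.append(key)
    return "".join(reversed(keys))

def path_md5(path):
    return md5(path.encode()).hexdigest()

if __name__ == "__main__":
    route = solve(SAMPLE, 7, (1, 1), (5, 5))
    print(route, path_md5(route))
```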
Misc
questionnaire
VNCTF{See_You_Next_Time!!!}
Look for it carefully
A quick script showed that the spacing between neighbouring pixels differs. I wanted to use the brute-force script from the Blue Hat semi-finals but couldn't find it, and PS didn't work out either. In the end I was about to pick the pixels out by hand one by one, and then I noticed that column 24 and row 15 contain only black and white. Extracting the white pixels there gives the indexes for the x and y coordinates.
from PIL import Image
pic = Image.open('flag.png')
w,h = [],[]
for i in range(pic.size[0]):
    if pic.getpixel((i, 15)) == (255, 255, 255):
        w.append(i)
for i in range(pic.size[1]):
    if pic.getpixel((24, i)) == (255, 255, 255):
        h.append(i)
img = Image.new('RGB', (len(w), len(h)), (255, 255, 255))
for i in range(len(w)):
    for j in range(len(h)):
        img.putpixel((i, j), pic.getpixel((w[i], h[j])))
img.show()
vnctf{[email protected]}
Strange flag
In fact, the tree output uses whether or not a folder contains folders to represent 0 and 1. It's an esolang called Folders. For example:
Then work it out by hand.
I can only say that I missed one letter the first time.
vnctf{d23903879df57503879bcdf1efc141fe}
simple macos
No hint was given, so is it a weak password? At the beginning I brute-forced the keychain and the login-keychain, the latter with rockyou and the former with a common 6000-password list, and still nothing cracked. Searching for VNCTF (case-insensitive) and its hex and base encodings didn't turn up anything notable. The title is mainly about system, so I went to search the system folder. Everything except Preboot was empty, so I went straight in and looked through it one by one (I didn't read the system files).
And then in /var/db I found something: CryptoUserInfo.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>79FABCCE-3636-4266-A6CF-8E3BB40332B4</key>
    <dict>
        <key>FullName</key>
        <string>Scr1pt</string>
        <key>PasswordHint</key>
        <string>our secret need a password</string>
        <key>PictureData</key>
        <data>
        (base64 string, not convenient to show here)
        </data>
        <key>PictureFormat</key>
        <string>JPEG</string>
        <key>ShortName</key>
        <string>scr1pt</string>
        <key>UserType</key>
        <string>OpenDirectory</string>
    </dict>
</dict>
</plist>
The PasswordHint points to oursecret.
Of course, even without the hint, the end of the file makes it obvious that it is oursecret, because oursecret relies on these feature blocks for identification.
Obviously, the end of the file is now mixed with other data, and it contains a }, so my guess was that this is the second half of the flag. So copy it out and delete that trailing part.
Then combine this with the weak password. After two attempts it came out. The password is 123456
Put the parts together and you get the flag
VNCTF{Macos_Forensllc_1s_s1MMple}
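The triage step described above (read the user record from CryptoUserInfo.plist, then check what follows the end of the picture) can be scripted. This is an added example, not part of the original writeup: it parses the plist with plistlib and walks the JPEG segments to return any bytes appended after the EOI marker. The picture bytes, the tail and the UUID are constructed placeholders, since the real PictureData is not shown on the page.

```python
import plistlib

def jpeg_end(data):
    """Offset just past the JPEG EOI marker. Segments are walked by length so
    an FFD9 inside a segment payload is not mistaken for the end of the image."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD9:                      # EOI
            return pos + 2
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker == 0xDA:                      # SOS: entropy-coded data follows
            while pos + 1 < len(data) and not (
                    data[pos] == 0xFF
                    and data[pos + 1] not in (0x00, *range(0xD0, 0xD8))):
                pos += 1                        # skip stuffed FF00 and RSTn
    raise ValueError("no EOI marker found")

def triage(plist_bytes):
    """For each user record: (ShortName, PasswordHint, bytes after the JPEG)."""
    rows = []
    for rec in plistlib.loads(plist_bytes).values():
        pic = rec.get("PictureData", b"")
        tail = pic[jpeg_end(pic):] if pic else b""
        rows.append((rec.get("ShortName"), rec.get("PasswordHint"), tail))
    return rows

# Constructed sample: a structurally minimal JPEG-like stream (not a real image)
# whose APP0 payload contains FFD9, followed by appended bytes.
SAMPLE_PIC = (b"\xff\xd8" + b"\xff\xe0\x00\x06\xff\xd9AB"
              + b"\xff\xda\x00\x02" + b"\x12\xff\x00\x34" + b"\xff\xd9"
              + b"constructed-tail}")
SAMPLE_PLIST = plistlib.dumps({
    "00000000-0000-0000-0000-000000000000": {   # placeholder UUID
        "ShortName": "scr1pt",
        "PasswordHint": "our secret need a password",
        "PictureData": SAMPLE_PIC,
    }
})

if __name__ == "__main__":
    for name, hint, tail in triage(SAMPLE_PLIST):
        print(name, hint, len(tail), tail[-16:])
```

A non-empty tail is the part to carve out and examine separately, as the writeup does by hand.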
prize wheel
First unpack the exe with python-exe-unpacker-master.
Then get the bytecode the way described under BabyMaze.
You can clearly find password:f6a623a2c577de3b46c079267d4bdd6e
Unpack.
Then it took me more than 6 hours.
The first idea was to read in circles and then rearrange. It turned out like this.
It's strange.
The index was given as a hint, which immediately reminded me of [HECTF2021] Seven color rainbow and [b01lers2020]image_adjustments. See their writeups for what exactly those are.
So I got an even stranger picture. It isn't shown here because it was overwritten during debugging.
After that, I thought of combining the two above, that is: read in circles, look for the index, write tiled.
That gives roughly this bird-like picture.
What you can see is obvious: the rings get flatter and flatter. Then, combining that with the big turntable, ah, I got it.
It should be: read in circles, look for the index, write in circles.
After that I tuned the script for nearly an hour. I'm too much of a noob.
from PIL import Image

def get_round(w):
    tb = []
    # Four steps: top left to top right, top right to bottom right,
    # bottom right to bottom left, bottom left to top left
    for i in range(w, 609-w):
        tmp = img.getpixel((i, w))
        # print(tmp)
        tb.append(tmp)
    # print(len(tb))
    for i in range(w+1, 609-w):
        tmp = img.getpixel((609-1-w, i))
        tb.append(tmp)
    for i in range(w+1, 609-w):
        tmp = img.getpixel((609-1-i, 609-w-1))
        tb.append(tmp)
    for i in range(w+1, 609-w-1):
        tmp = img.getpixel((w, 609-1-i))
        tb.append(tmp)
    # print(len(tb)) #2432== 609*2+607*2
    return tb

def put_round(w, img, tb):  # Same traversal as above, but writing the values back
    ind = 0
    for i in range(w, 609-w):
        tmp = img.putpixel((i, w), tb[ind])
        ind += 1
    # print(len(tb))
    for i in range(w+1, 609-w):
        tmp = img.putpixel((609-1-w, i), tb[ind])
        ind += 1
    for i in range(w+1, 609-w):
        tmp = img.putpixel((609-1-i, 609-w-1), tb[ind])
        ind += 1
    for i in range(w+1, 609-w-1):
        tmp = img.putpixel((w, 609-1-i), tb[ind])
        ind += 1

if __name__ == '__main__':
    # Leaving out the centre point, there are (609-1)//2 rings in total
    img = Image.open('flag.png')
    pic = Image.new('RGBA', (609, 609), (255, 255, 255, 255))
    for i in range(304):
        table = get_round(i)
        ind = table.index((255, 255, 255, 255))
        # print(ind)
        new_table = table[ind:] + table[:ind]  # Back then I used two loops for this, like a fool
        put_round(i, pic, new_table)
    pic.show()
vnctf{3fd2f296-60cf-46d7-82b2-2f9949664ed7}
Here, for a better look, a minor fix-up.
(The part below was reproduced after the competition.)
You can see that because the point (i,i) is used as the starting point, the white line comes out slanted.
So find a way to make it go sideways.
But the starting point is still (i,i). In that case, just put the white pixels on the horizontal line or the vertical line.
Only main needs to change, to this:
if __name__ == '__main__':
    # Leaving out the centre point, there are (609-1)//2 rings in total
    img = Image.open('flag.png')
    pic = Image.new('RGBA', (609, 609), (255, 255, 255, 255))
    for i in range(304):
        table = get_round(i)
        ind = table.index((255, 255, 255, 255))
        # print(ind)
        new_table = table[ind:] + table[:ind]  # Back then I used two loops for this, like a fool
        new_table = new_table[len(new_table)//8:] + new_table[:len(new_table)//8]
        put_round(i, pic, new_table)
    # pic.show()
    pic.save('real_flag.png')
Wow! It's so beautiful.
You might think the code was this simple from the start.
Wrong.
At the beginning, the code I wrote while debugging ran to more than 200 lines, a mess.
There was even one Gaosu operation I wrote where it took 15 minutes to work out why I was getting an all-white picture with no error reported:
for k in range(f, len(table)):
    img.putpixel((i_2, j_2), table[f])