VNCTF2022 WriteUp
2022-07-06 04:11:00 【It's mumuzi】
Crypto
ezmath
The time limit is 60s. I can only say that on this junk computer, with MC running at the same time, I couldn't finish the 777 rounds in time.
The question: if 2^N-1 is divisible by 15, which values should the natural number N take? A Baidu search for (2^n-1) % 15 turns up the answer.
from pwn import *
import hashlib
import re
import string

context.log_level='debug'

def sha256(enc,sec):
    # Brute-force the 4-character prefix of the proof of work
    table = string.ascii_letters+string.digits
    for i in table:
        for j in table:
            for k in table:
                for n in table:
                    s = i+j+k+n
                    s1 = s+sec
                    m = hashlib.sha256(s1.encode())
                    mi = m.hexdigest()
                    if(enc == mi):
                        return s

p = remote('node4.buuoj.cn',28865)
rec = p.recv()
sec = rec[16:32].decode()
sha = rec[37:-23].decode()
print(sec,sha)
result = sha256(sha,sec)
print(result)
p.sendline(result.encode())
i = 0
while 1:
    r = p.recv().decode()
    que = re.search(r'plz give me the (.*)\(n\)',r).group(1)[:-3]
    ans = str(int(que)*4).encode()
    print(i)
    p.sendline(ans)
    i += 1
    if(i == 777):
        # All rounds answered: read the remaining output (debug logging prints it)
        p.recv()
        p.recv()
        p.recv()
        p.recvuntil(b'are so smart.\n')
        break
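Why the script multiplies by 4, as an added example that is not part of the original writeup: 2^N-1 is divisible by an odd m exactly when N is a multiple of the multiplicative order of 2 modulo m, and that order is 4 for m = 15. The function names are made up for this example, and the general-modulus form goes beyond the page's m = 15 case.

```python
from math import gcd


def order_of_two(m):
    """Smallest n >= 1 with 2**n % m == 1; exists only for odd m > 1."""
    if m < 2 or gcd(2, m) != 1:
        raise ValueError("2 has no multiplicative order modulo %d" % m)
    n, x = 1, 2 % m
    while x != 1:
        x = (x * 2) % m
        n += 1
    return n


def kth_exponent(k, m=15):
    """k-th natural number N for which 2**N - 1 is divisible by m."""
    return k * order_of_two(m)


def brute_force(limit, m=15):
    """Cross-check: every N up to limit with (2**N - 1) % m == 0."""
    return [n for n in range(1, limit + 1) if (pow(2, n) - 1) % m == 0]


if __name__ == "__main__":
    print(order_of_two(15), brute_force(20), kth_exponent(777))
```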
Web
GameV4.0
Find /js/data.js and scroll to the bottom to see the base64-encoded flag.
VNCTF{Welcome_to_VNCTF2022}
Reverse
BabyMaze
Print out the bytecode directly, the old way:
import dis, marshal, sys

header_sizes = [
    # (size, first version this applies to)
    # pyc files were introduced in 0.9.2 way, way back in June 1991.
    (8, (0, 9, 2)),  # 2 bytes magic number, \r\n, 4 bytes UNIX timestamp
    (12, (3, 6)),  # added 4 bytes file size
    # bytes 4-8 are flags, meaning of 9-16 depends on what flags are set
    # bit 0 not set: 9-12 timestamp, 13-16 file size
    # bit 0 set: 9-16 file hash (SipHash-2-4, k0 = 4 bytes of the file, k1 = 0)
    (16, (3, 7)),  # inserted 4 bytes bit flag field at 4-8
    # future version may add more bytes still, at which point we can extend
    # this table. It is correct for Python versions up to 3.9
]
header_size = next(s for s, v in reversed(header_sizes) if sys.version_info >= v)

with open('BabyMaze.pyc', "rb") as f:
    metadata = f.read(header_size)  # first header_size bytes are metadata
    code = marshal.load(f)  # rest is a marshalled code object

dis.dis(code)
The bytecode contains a lot of 0s and 2s, plus a single 1 and a single 3,
and the grid is obviously 31*31.
With that, draw a picture:
s = '0000000000000000000000000000000010222222222222222220222222222002020000000002000002020000000200202220222222202220222020222020020000020000000002000002020202002220222022222222222220222022200002020002000000000000020000000022202022202222222220222022202002000202000200000002020002020200222220202220222020202220202220000000020200020202020002020002002222222022222022202022202022200200000000000000020202000202000022222220222222202022202220222002000002020202000200000200000000202220202020202220222222222220020202020202000200020000020002002020202020222022202022202022200202000202000200020202020002000022202220202222202020202220222002000202020200000202020002020200202220202022222220202020202020020200020200000000000202020202002022202020222222222020202020200200020202000002020202020202020022202020222220202022202220202000000200000002000200000002000200222220222220222022222220222220020000020002000200000002000002002222222220222222222222202222300000000000000000000000000000000'
from PIL import Image

pic = Image.new('RGB',(31,31),(255,255,255))
for i in range(31):
    for j in range(31):
        if(s[i*31+j] == '0'):
            pic.putpixel((j,i),(0,0,0))
        elif(s[i*31+j] == '1'):
            pic.putpixel((j,i),(255,255,0))
        elif(s[i*31+j] == '3'):
            pic.putpixel((j,i),(255,0,255))
pic.show()
pic.save('flag.png')
Further down in the bytecode you can also see that reaching (29,29) outputs the flag. The starting point is (1,1).
Walk it by hand:
ssssddssaassddddwwwwddwwddddddwwddddddssddwwddddddddssssaawwaassaassaassddssaassaawwwwwwaaaaaaaassaassddddwwddssddssssaassddssssaaaaaawwddwwaawwwwaassssssssssssddddssddssddddddddwwaaaaaawwwwddssddwwwwwwwwddssddssssssssddddss
The md5 of the path is the flag (I walked it again; I'm not sure whether the flag is this one):
VNCTF{801f190737434100e7d2790bd5b0732e}
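The manual walk above can be replaced by a breadth-first search over the dumped grid. This is an added example, not code from the original writeup: the function names and the 7x7 sample grid are constructed for illustration, and the cell meanings ('0' wall, '2' open, '1' start, '3' goal) are assumed from the picture-drawing script and the all-0 border of the page's grid.

```python
import hashlib
from collections import deque

# Constructed 7x7 sample in the page's cell encoding; assumed meaning:
# '0' wall, '2' open, '1' start, '3' goal.
SAMPLE = (
    "0000000"
    "0122200"
    "0000200"
    "0222200"
    "0200000"
    "0222230"
    "0000000"
)
MOVES = {"w": (-1, 0), "s": (1, 0), "a": (0, -1), "d": (0, 1)}  # row, column deltas

def solve_maze(cells, width):
    """Return the shortest w/a/s/d path from '1' to '3', or None if unreachable."""
    if width <= 0 or len(cells) % width:
        raise ValueError("grid is not rectangular")
    height = len(cells) // width
    start = divmod(cells.index("1"), width)
    goal = divmod(cells.index("3"), width)
    prev = {start: None}  # cell -> (previous cell, key pressed to get here)
    queue = deque([start])
    while queue:
        row, col = queue.popleft()
        if (row, col) == goal:
            break
        for key, (dr, dc) in MOVES.items():
            r, c = row + dr, col + dc
            inside = 0 <= r < height and 0 <= c < width
            if inside and cells[r * width + c] != "0" and (r, c) not in prev:
                prev[(r, c)] = ((row, col), key)
                queue.append((r, c))
    if goal not in prev:
        return None
    keys, node = [], goal
    while prev[node] is not None:  # walk back from the goal to the start
        node, key = prev[node]
        keys.append(key)
    return "".join(reversed(keys))

def path_digest(path):
    return hashlib.md5(path.encode()).hexdigest()  # the writeup wraps this in VNCTF{}

if __name__ == "__main__":
    route = solve_maze(SAMPLE, 7)
    print(route, path_digest(route))
```

Calling `solve_maze(s, 31)` with the 961-character string from the drawing script applies the same search to the challenge grid.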
Misc
questionnaire
VNCTF{See_You_Next_Time!!!}
Look for it carefully
A direct script showed that the spacing between neighbouring pixels varies. I wanted to use the brute-force script from the Blue Hat semi-final but couldn't find it, and PS didn't work out either. In the end I was about to pick the pixels out by hand one by one, and then I noticed that column 24 and row 15 contain only black and white. Extracting the white pixels there gives the indexes for the x and y coordinates.
from PIL import Image

pic = Image.open('flag.png')
w,h = [],[]
for i in range(pic.size[0]):
    if(pic.getpixel((i,15)) == (255,255,255)):
        w.append(i)
for i in range(pic.size[1]):
    if(pic.getpixel((24,i)) == (255,255,255)):
        h.append(i)
img = Image.new('RGB',(len(w),len(h)),(255,255,255))
for i in range(len(w)):
    for j in range(len(h)):
        img.putpixel((i,j),pic.getpixel((w[i],h[j])))
img.show()
vnctf{[email protected]}
Strange flag
In the tree output, whether a folder contains another folder represents 0 and 1. It's an esolang called Folders. For example:
Then decode it by hand.
I can only say that I missed one letter the first time.
vnctf{d23903879df57503879bcdf1efc141fe}
simple macos
Before the hint that it was a weak password had been given, I started by brute-forcing keychain and login-keychain. I used rockyou for the latter and a list of 6000 common passwords for the former, and neither cracked. Searching for VNCTF (in either case) and its hex and base encodings found nothing notable. The challenge is mainly about system, so I went to search the system folder. Everything except Preboot is empty, so I went straight in and looked through it one item at a time (I didn't read the system files).
Then I found something under /var/db: CryptoUserInfo.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>79FABCCE-3636-4266-A6CF-8E3BB40332B4</key>
<dict>
<key>FullName</key>
<string>Scr1pt</string>
<key>PasswordHint</key>
<string>our secret need a password</string>
<key>PictureData</key>
<data>
(base64 string, not convenient to show here)
</data>
<key>PictureFormat</key>
<string>JPEG</string>
<key>ShortName</key>
<string>scr1pt</string>
<key>UserType</key>
<string>OpenDirectory</string>
</dict>
</dict>
</plist>
The PasswordHint hints at oursecret.
Of course, even without the hint, the end of the file makes it obvious that it's oursecret, because oursecret is identified by these signature blocks.
Obviously, the end of the file is now mixed with other data, and it contains a }, so my guess is that it's the second half of the flag. So copy it out and delete that trailing part.
Then combine that with the weak password. It came out after two attempts. The password is 123456.
Put together, you get the flag:
VNCTF{Macos_Forensllc_1s_s1MMple}
prize wheel
First, unpack the exe with python-exe-unpacker-master.
Then get the bytecode the way described in BabyMaze.
The password is easy to spot: f6a623a2c577de3b46c079267d4bdd6e
Extract the archive.
Then it took me more than 6 hours.
My first idea was to read the image ring by ring and then rearrange it. It turned out like this:
It's strange.
Then the hint "index" was given, and I immediately thought of [HECTF2021] Seven color rainbow and [b01lers2020]image_adjustments. For what exactly those are, see their writeups.
That gave an even stranger picture. It isn't shown here because it was overwritten during debugging.
After that, I thought of combining the two above: read ring by ring, find the index, and write out flat.
That gives roughly this sort of picture.
What you can see is obvious: the lines get flatter and flatter. Then, combining that with the big turntable, ah, I got it.
You should read ring by ring, find the index, and write ring by ring.
After that I spent almost another hour adjusting the script. I'm such a noob.
from PIL import Image

def get_round(w):
    tb = []
    # Top-left to top-right, top-right to bottom-right, bottom-right to bottom-left,
    # bottom-left to top-left: four steps
    for i in range(w,609-w):
        tmp = img.getpixel((i,w))
        # print(tmp)
        tb.append(tmp)
    # print(len(tb))
    for i in range(w+1,609-w):
        tmp = img.getpixel((609-1-w,i))
        tb.append(tmp)
    for i in range(w+1,609-w):
        tmp = img.getpixel((609-1-i,609-w-1))
        tb.append(tmp)
    for i in range(w+1,609-w-1):
        tmp = img.getpixel((w,609-1-i))
        tb.append(tmp)
    # print(len(tb)) #2432== 609*2+607*2
    return tb

def put_round(w,img,tb):  # Same traversal as above, but writing the values back
    ind = 0
    for i in range(w,609-w):
        tmp = img.putpixel((i,w),tb[ind])
        ind += 1
    # print(len(tb))
    for i in range(w+1,609-w):
        tmp = img.putpixel((609-1-w,i),tb[ind])
        ind += 1
    for i in range(w+1,609-w):
        tmp = img.putpixel((609-1-i,609-w-1),tb[ind])
        ind += 1
    for i in range(w+1,609-w-1):
        tmp = img.putpixel((w,609-1-i),tb[ind])
        ind += 1

if __name__ == '__main__':
    # Excluding the centre point, there are (609-1)//2 rings in total
    img = Image.open('flag.png')
    pic = Image.new('RGBA',(609,609),(255,255,255,255))
    for i in range(304):
        table = get_round(i)
        ind = table.index((255,255,255,255))
        # print(ind)
        new_table = table[ind:] + table[:ind]  # At the time I used two loops for this, like a fool
        put_round(i,pic,new_table)
    pic.show()
vnctf{3fd2f296-60cf-46d7-82b2-2f9949664ed7}
Here, for a better look, a minor fix-up.
(The part below was reproduced after the competition.)
You can see that because each ring starts from point (i,i), the white line is slanted.
So find a way to make it horizontal.
But we still start from point (i,i). In that case, just put the white pixels on a horizontal or vertical line.
Only main needs to change, to this:
if __name__ == '__main__':
    # Excluding the centre point, there are (609-1)//2 rings in total
    img = Image.open('flag.png')
    pic = Image.new('RGBA',(609,609),(255,255,255,255))
    for i in range(304):
        table = get_round(i)
        ind = table.index((255,255,255,255))
        # print(ind)
        new_table = table[ind:] + table[:ind]  # At the time I used two loops for this, like a fool
        new_table = new_table[len(new_table)//8:] + new_table[:len(new_table)//8]
        put_round(i,pic,new_table)
    # pic.show()
    pic.save('real_flag.png')
Whoa! It's so beautiful.
You might think the code was this simple from the start.
Wrong.
At the beginning the code, written while debugging, ran to more than 200 lines and was a mess.
One goofy thing I wrote even cost me 15 minutes to track down, because it just produced a white picture without raising an error:
for k in range(f,len(table)):
    img.putpixel((i_2, j_2),table[f])