hiden

题目附件给了下面这两个文件

ycb1

txt文件的内容如下

GK4368 ;?:C

;G8F 34C2WVDJ?E]8<8V[ V6@VX ?7 Di

​ 8<80B?8? l D]6C?BWX

​ DGJC0JC2 l JC2W8<80B?8?X

​ 8<80B?8? l DGJC0JC2]830@=8C7Wb[ @=8C36BC6 l VJG88JCVX Z 8<80B?8?

;G8F ;?:C]34C2WQ8C78];?:Q[ Q6@QX ?7 Di

​ ?886G@ l D]EC84?6?K7WX

​ ;?:0B?8? l @=8C?66?=W D]6C?BD6?KC7W`X X

D36 G2BC< G2 6?2ECWJC2W8<80B?8?XXi

​ ;?:0B?8?,G2BC< Y c. l 8<80B?8?,G2BC<.

;G8F ;?:C]34C2WQFGBC2];?:Q[ Q;@QX ?7 Di

​ D]7C84?6?K7W?886G@X

​ D];6G8CD6?KC7W;?:0B?8?X

根据名称猜测是rot47+rot13,解密可以得到下面的东西,目测python脚本

ycb2

然后再来一次rot13解密,即可得到下面这个加密脚本

对照上面这个加密脚本,写一个脚本提取flag即可

1
2
3
4
5
6
7
8
9
10
11
import wave

with wave.open("hiden.wav", "rb") as f:
    wav_data = bytearray(f.readframes(-1))

file_len = int.from_bytes(wav_data[0:3*4:4], byteorder='little')
extracted_data = bytes([wav_data[i*4] for i in range(3, 3 + file_len)])
print(extracted_data.decode('utf-8', errors='ignore'))

# ok,now you find me,so the flag give you
# DASCTF{12jkl-456m78-90n1234}

checkin

题目附件给了一个压缩包,里面有一个Flag.txt

ycb3

压缩包注释里的字符串base58解码后得到:Welcome2GZ

然后Flag.txt把多余的\x00字符删掉可以得到一个pacpng流量包文件,里面主要是SMB流量

写了一个python脚本来统计每行\x00字符的数量

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
dict = {
    "11": "1",
    "12": "2",
    "13": "3",
    "14": "4",
    "15": "5",
    "16": "6",
    "17": "7",
    "18": "8",
    "19": "9",
    "20": "A",
    "21": "B",
    "22": "C",
    "23": "D",
    "24": "E",
    "25": "F",
}

def calc():
    with open("Flag.txt", 'rb') as f:
        data = f.readlines()
    res = []
    for line in data[:4785]:
        cnt = 0
        for item in line:
            if item == 0:
                cnt += 1
        res.append(cnt)
    for item in res:
        # print(dict[str(item)], end="")
        print(item, end=' ')
    # print(len(res))
    # print(res)


def solve():
    with open("Flag.txt", 'rb') as f:
        data = f.read().replace(b'\x00', b' ')
    with open("hex.txt", "wb") as f:
        f.write(data)


if __name__ == "__main__":
    calc()
    # solve()

(wbstego隐写,待复现)

1z_misc

附件下载下来后有一个天机不可泄露.txt

ycb4

根据网上找到的信息,女可以是坐标(1,1)和坐标(11,24)位置,觜可以是(9,1)和(7,25)位置,根据 是以十二岁 可知十二时辰,每个时辰末尾对应的星宿为坐标开始的字ycb5

获得如下列表

ycb6

1
心胃心奎奎心奎心胃心心心胃心心胃心奎奎奎奎胃奎心奎奎胃奎心奎心奎奎

然后只有三个字,猜测是摩斯电码,解得解压密码 E@SI1Y!

解压后得到一个flag文件和一个hint.jpg

hint文件中提示了天琴座,天琴座的英文是 lyra

联想到前不久2024ISCC考察的一道题目,主要用到了这个开源项目 https://github.com/google/lyra

因此按照Github上的步骤安装一下lyra,这个项目需要使用 bazel 进行安装,所以安装lyra之前需要先安装bazel

安装完成后,把之前那段未知数据的后缀改为.lyra,然后使用lyra解码即可得到一个wav文件

ycb7

打开wav,发现语音播报了社会主义核心价值观编码,因此直接找个在线网站识别然后解密即可

ycb8

ycb9

1
DASCTF{W0w!_You_d0_4_g00d_j0b!}

不一样的数据库_2

题目附件给了一个压缩包,解压密码是弱密码直接爆破就行:753951

ycb10

解压后得到一张定位块丢失的二维码,修复定位块

ycb11

扫码即可得到一下内容

NRF@WQUKTQ12345&WWWF@WWWFX#WWQXNWXNU

rot13解密一下得到:AES@JDHXGD12345&JJJS@JJJSK#JJDKAJKAH

ycb12

ycb13

Title:passisDASCTF

UserName:passisDASCTF

Password:WBArAG6ku6ALmLGGn3iq

Notes:给你了可以找到flag吗,真相就在其中

翻看历史记录,在里面找到一段AES加密的密文

U2FsdGVkX193h7iNsZs3RsLxH+V1zztkdS+fBy2ZQfzH77Uo4l3hSWplMV+GcLpAGflXlQuPTU5qIkOY7xJN9A==

ycb14

用DASCTF作为密钥ycb15解一下这个AES即可得到flag:DASCTF{snsnndjahenanheanjjskk12235}

miaoro

翻看流量包,发现执行的命令在请求头的 GWHT 字段中

在流10中发现执行了 echo Th15_11111111s_pP@sssssw000rd!!!>pass.txt 命令

ycb16

ycb17

在流13中发现下载了一个secret.txt

ycb18

ycb19

base64解码响应的数据,发现有一个数据逆序的压缩包ycb20

手动提取出压缩包,用之前得到的密码:Th15_11111111s_pP@sssssw000rd!!!

解压压缩包可以得到一张 flag2.png 图片,图片明显分块,尝试拼图后发现无果,考虑JPG图片宽高修改

ycb22

获得一个猫猫字母表,谷歌识图以后找到对照表

ycb23

image-20240923170322209

得到后半段flag

在导出HTTP对象中导出几个网页,通过谷歌识图可以发现是sharo-attacker流量,追踪前几个流可以发现sharo-attacker内置字典的第十个密码就是密码:MTIzNDU2Nzg5MGFiY2RlZg==

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
import base64
import binascii
from Crypto.Cipher import AES

# 补位
pad = lambda s: s + chr(16 - len(s) % 16) * (16 - len(s) % 16)
# 除去补16字节的多余字符
unpad = lambda s: s[:-s[-1]]

def aes_CBC_Decrypt(data, key, iv): # CBC模式的解密函数,data为密文,key为16字
节密钥
	aes = AES.new(key=key, mode=AES.MODE_CBC, iv=iv) # 创建解密对象
   
# decrypt AES解密 B64decode为base64 转码
    result = aes.decrypt(data)
    result = unpad(result) # 除去补16字节的多余字符
    return result # 以字符串的形式返回

def force(data, key):
    f = base64.b64decode(data)
    
    keys = open("shiro_keys.txt", "r").read().split("\n")
    keyb = base64.b64decode(key)
    iv = f[:16]
    enc = f[16:]
    de = aes_CBC_Decrypt(enc, keyb, iv)
    return de

data =
"PGBTg3fqmEIidH1E+Fz7zVBJC4KTR5RmTmyZCUX1g8gK13Bt7GQaFr7Wh1kL+hCDTq9Vff4kcaITiLxPYsj8dCtR2SzEdQeP4jIY2Z3siUdZk2FMeSxEbt/4hzY5bmLUVKQh97Gu948+CKE9RsV+Gf7BltkNXOaim8OCv409wil2Ck4zXO7tnbWOiD6p4ZsQ2hzG8iFl/UlmaqpdUuS49kZ6BDbqp3dYqZ16+u2TNIb/jEkMMVX9X0bn4a9adFzeyCJQAFu0VrgDB/cpyvvwPAmDkKwvBdj8wWSB0ztuo6x+vrOKDNrxLITG0sxKrKlKIsZAt83lCbhiSYd8mgUtPiNkznWYxO07mRaNFWBNiNyGeg0vPNyh/NDF6e0JMkQQ6a77Otq0+Gnx7H/zYTBlxF+Id8b1T2XCQHSfkivOpERR53d23HSTsWeuFZB0Yqq8mgLdfIk7hOYTuTFqwkh0wfguA0gW63ixU8cno/3tP1JJqkcpo81eWhY2O/FPQw3jKyk5MfRE77i4NVtSTzMZ9ebKlYw/2fjPIydKI2nS/vsNGM1ebkKFbmwrdXYaIJIXMXRNEUYRfHOXgYsfQCy0zCgl5Df7BUe9sFY3azs2wS+q2Xo591nX358CsE+mx1Guao0icEcvtEXIrqRM0DWBcdGSkjdEIngr3qMlNUrlECh7fMSW5ThBmnTwqzLZDtxZzAJxQvk1zsuqMa+Uv1hoc0O7n5BrvDEAaiyWJ6Akrlv+bprjhsd0y9V0ugWn6TaIt1t5nr5xQTZQbFH0IpxYqoOpmuVgrVIpqaOXl4O7L/NyQBAZrrDqn5/ic+43MH8S+XwArv56xnbMSUUopwi02/LAQSykmpjuOhLjBD/sV+Faa7M6W+FlbSM3hAo9mAWg3APuBHEOTatRrZDi2KNNWfKN4pThkh2vaxyWmXqBw/s0xZpULD+T04KeaMgNdbtKmmfLou4aQD614KJQMtp2mITKexuyfhraT30LuO6XU1QFd7Gei/FfRE/Jfh6zWXPRln7aVbuoJzmrUPSG8gQlm/Bn6nacE91TAF2QRwOt7dOj3Tifn6wAEAWMhTVWisA6KxXdJWB9UujrEl5JhedC+aaO4Gzsv0JSe/sqGb1b5N9ik6sxBTqPEWCvLLzkcWEMIqRJyWX+gACpyH7ID9UH6/q+fq19s5WQicyuKmO6F3JzbSQ1bTi9ZcnbKBVKmtDFhTPl3ovIyVbT66xU4yQz8x1Wxg6u8zCCop6LKoz2l0X+J2iJRi7pJCOqlkemJCrSkNDb0+Rd+j6w4ysOcRolmKrhSvIJXzBfOqXvdJkRMW/7u4LfBTr0pLdJx3hhvKfgVRNAK0hY4nUrspG3iI06fEpT82tlWYG1YOt/+u2oSzPV3d0IQArSZG4YT6WnbLSpSVjPwSg5wJgo/HSzRKwBISyqi/JIcph+fts4iXiIWfSiFQG7WDvKpT0pwiUumcisZzaEDuaVtziVgHY4PUMWFWDjdbM0I21S6670Yh3HgvPdFEZBKYZH9k1yjx6+hA0n00/kyttVDNqGXjNXcLKjJBYOVS3RAtvsu3H5C4YxuaHjejZtNe2If+EBzVfMg3lkmdvwEkRk8qFuNf/6gJhl0mCozQc4hcdo/YddPCdw3Xz2nqpwCwktKmZ4Cw4wPmNXzFu/nYF2WKi77ix4m/kqdNq+UcOK0Fh6+90wMdLd3o9dCcMcebB4W0Ku0b71icf2Fku1e0KVaPpjstiQjENwBsQITTLb9NdX7pZ1EZDzmjoGAiEjuqpLeOBbrT6jqjl63QGXtgK8bKQDsPz89o6N1VCQnGrZ+Ld3Q0fMG5XsqGAG6qxWYLfwOAmccLF+L7r/UB2WiljDOu9PIzs3bTRmUYTA0IKjIzkIQdT/sqatU6m6MJS1NtUnw9FrGoo1Q0FFjw6ZGABsdzFtqVurzO0AURFytfONcNPXZXglgh4Mp//vPnNG1zN/KmSZGFhwrj2fKFmHfxKtlOtthcee9kUTOCBu8jQ/oaGKkCwNHvv6B44cn7AIERbbeDT+gJVHsspDLjKpVhFyGhi4ssUl2erofJNE0i3fo9XByIcrKym+pFimQ0fnOqwkdXXVUUSzSxZ8G81/5y6E2SZWOWtXUeMjCrW2PSpHL6qqFbA5948ahWxhJxOJAKNazcfF9vyxcOnlG7iRQkJZNMVQnsfT3Zj1DXFZvFXOisoUaw0EyIivu4b29+8nIkUIQ8JoCReGaieZxpCo0O0mOh9j8yBDgJEF2G4i5TYFzSwQ2PwlOje8O+ad1iP7/3T+414jq7LgBxBXqVzPMfSpO4UAPaO5UX9R8nMStSeLEBtTwtfGD/OI1A+lWgknHOib8Ad8v2nhDswZ0i/0PoEhLZsg4T4HIBMreLVWtoe85JsrDheKpgKIJkUdhTkrGj1P/la4E95QtS1ru9iDOd6Zj1pILecRCIJBQ45IyJtH136o4h6kMJZ2YHc96gFLZ7uo354/EL/Y2Af0/mH7ozFT/mFpE385alNIktepDiQ14+bwNDNfiJ1y3lFNchyXvkxeLPSOO4mR/xtdubdJO3ykYxKK+Y7l9HNg6Ogxt3wos5aF9w7MES9MMnrb/dvAjqB3jFVXKdh+PbRxyQi2If9v5xtmitQY6ye5k+29Z5dIji9fa4crisTtSFVKGD1HctYLItyN25GEbUYac9uomY3gNNFXE52EpQG7V9AUNlzcU6/kz9qAy23VmjAv/BwV0tOwb4y/OcM1JnfUy/Ytt137L9qDDFqnZPMs9WLDVUoT4tycFy9O0gJq8fL9IOXUNfXRdTkDP8DHHRB9R94t2PNZH7eaeZmuRhBYn/K1lf4HyhOpOensvbqDhIkr4ptTItj5Z9+ZFUsshKo7nJk8zk1z2sr/OBspn0MymxOIcnUqdNZeAbL2xaJnBvbic6iX66qKdOHeqI2/XWtTfp4fWzrz4vGXG7oRQjwOLisSOzzi2oQ7JY4h7i66tnIcW4W+Bn8E9MxZa1tPsEDjSndibCeiQcFRQAfoRmXnTRYgxloLIPxl8Mo2fPvwrmxRw/KPShAcnhCfE5vIY18ay6FmcxzDY5en5AV0TlNeJNYtJkfC0i0AkxFD+nYBSVoaF5cEdvWzAJX792JU0CbexCBF2cvkjXVXu6GmUw4bDMf1jlX8Djj6v5X/IYRfRxFX3hGev+iTybD2SMgw5pbSpqAXC9cT/8Iy7dyW0lfv3kgxCybFsQhO6x/jvWafEHRa0BkRxo4VbY/Jpcy7CyxR7TSRlYuQyNi7oETZY7v/yRU/h7+IIJZoKB9RQ/7aEcpUTja3yR7cqAgp62zVyIMIVi/kghAXjMxobexfBTaAD2W/upQr8EYVlQw32iD0wQjdzN4YYAmxTBefWLH6WV8dzPCiuV9eQGArTFaQk5Y+f6+l9sHcQ4CJtuaV+Ezt3ZKXauh9TckaKx50z6n6NYHJSqeAMNGUMMkPrM96oxM3p43cKZsPx5+STr8g1V0Yrj2z6pmG/lSwIW4a1gF/+qlDLZylquUovMfRX8ldH/ptcnkSS5Ws7l46/k/YvbsMVbKoiVhDYSvnpdtJp5Jkj/EjvaJ+4phWLh7ZvniqTxuM0YhdFQrUMnbyQpWD8NwFxwxzsVKYgYFQW+609rbB15dPT6ewZAPo2yoz9Czc6r5FMJ2E12VIK3TdeMZXxdS2hM9eK/hfv3z7uJLLTLDBPL/nziXvJzwnD/K256yfEBZhmhjx6NgEyh6qoEfgonqiC9RnVUplLHQPpjpVKP54s8qG4eKTRYwA6liKILpxt5mZYzGIqe0gi91qwpscqNdHoAi43wyF6JbIijNvWcCi5ws3/8GlWIjOWDiWI4MTFmBOus9pZjd28t3Nhs7ncA6wm6I48sPZQHdgAEoHR+peZkcURwI3M1koo5UVQpYK1WhOzHdokXtywVvk3OldpVugcRZsh8pjbp3ecNmNT5xV7nt1W40/ZO9YTyvtIHAJgxbPUfDayh1hwRa7Nfj8YOXLvdCcGjRHauYb25k+2JPXtySgg5CIhl2fYDTwTM2Ttw8fsyDBMtqBGwwON8YS8BnevlV2Uqr1i3tno3B+k9RyQrE8eiwqLyJ09D8SGuy7RE6OMIrZWW/mA08tv+8V3ccNhnYRhjVxLmVRF+1FR55/AQ0CeJwPvbhkQydYRfRiRUU2WriQWXG8jLiT6KhSeVt2qXOTZnaAIyu7rN6fl04O2yVYY4o53/t4w1q8dMbhMHtUiuIJCkz8q+N50942sukYLoQVI5LJuunZHn3hyn1wsE5+7JvHL+QoPTxRBUxIepZy/XdMSBd3IsoPBdieUqavq6dGM4Hc9Fu6MFq9qY0vJEtwix6Y2uf/NGSDAGn9Z2N+dBPUcxzrynA0V6nLXJSBxr2dY/GUCrcFcCJqLS+paX0mb/tDcJwMhlPMBwPZ30ak2YiJJNr7/exwxHPNRQQaifzNCd04oL0i+YaXKMgMEcaLtSW0VXHeGy5CjJ+JdLjvel9oruQUYAcPbxTNYcEDHoe0GVQlYmls96MIzzmOzKdCD1MkC10i13W5OlgGUOdnFDXg7fDZ5NFf2xAL6akDsIZqDlRzPbw0X2gjcLqxegC5fvxVenZtYDQhuXysOpYSwDw9213IQZ0pVS2QyY/FhAEIihqTkwbQsSUBuiwDNWIC1pHYzravpv113X2E5ZDMAwUIOpqFY2oP2eRHhfe8wPYP3UvpsxP2UFbVGhe7L6DIjlOtLP6i9vCgkcHHT+/08ZUEkPDn/t2bR6ErTBizXiIdd/1ckYVQh0QPtRGQrPPgxtqHmf2OqVUhIz6Og4WpCv1DGaMlocm/ES1F+A6LKhiaEVOktsAdl0Rjt/EXOX6TSAEIGt6y+p4g4/fzcY2efjZw5ai20qWGjfLbRJy8Ns6drxCU4VwVLXuJp1VhtTSvyEKWSPq1zIuIX8EoE2fOVtyeQq1xZctUeKx3vcA084UE6YslsCjV2eTGEgwKKrmuzYDX6E47ns8oiDFbU8QExV8LfQ3jDvpSMGlAQEQoFr5iyM96KLIf7zeMt3CQ5vtkxlbKnmaDPXflZH1DCO/4+o55WSM0Y3G1eF4lhxljG/FELd60521dAM0OQ78I6I48tdNfjRX1qWsZ+qv+G6aK/qxpOrG2CkPY2nfDCIKcsUDvo1XrqqYvDt/JkRs7Y7xBN8K9PMDxd1BmM6+jAngrc+MrZUBgq1m60Sx1k+dQb8ITsSzh/rEMBWlRvi3FL+8mZNsZHsmN8y7yIkU9OOnH30Ew1rPPfC1s/VaSw4X4lDX0ua0M2yEXzRQXVivZ/aOaioypAn6UDoQDEMUPJ5AGX/N8xHhVGv0A3ZZNcX79SwNQyzJ/o6EQxRwZkJduUAqO"

with open("d.data", "w") as f:
	f.write(binascii.hexlify(force(data,"MTIzNDU2Nzg5MGFiY2RlZg==")).decode())

然后得到 Java 序列化数据,用SerializationDumper得到结构化数据

ycb21

得到前半段flag,拼接获得DASCTF{B916CFEB-C40F-45D6-A7BC-EB OFDELQDIAA}