Title: 2024 ciscn WP

1. MISC

1. Hotpot chain sightseeing check-in

After opening, connect your wallet, then click to start the game, and click to get NFT after answering the questions eight times. There is nothing to say about the pictures with flags. Knowledge Q&A questions

Redeem NFT

Flag{y0u_ar3_hotpot_K1ng}

2.Power Trajectory Diagram

Method 1: Use numpy and pandas libraries in py to read the npz file and save it as a csv file. The code is as follows: import numpy as npiport pandas as pdnp.set_printoptions(threshold=np.inf)a1=np.load('attachment.npz', allow_pickle=True)print(a1.files)print('read:', a1)index=a1['index']myin=a1['input']myout=a1['output']mytra=a1['trace']# print(mytra.shape)df=pd.DataFrame(mytra)df.to_csv('data1.csv', index=False)df1=pd.DataFrame({'index':index, 'input': myin})df1.to_csv('data2.csv', index=False) gets data1.csv, data2.csv, and merge to get data.csv. Open data.csv and you can see the power consumption data. According to https://zhuanlan.zhihu.com/p/157585244, I think the key to this question is to find a different character from other characters, which is the correct password for the index. Based on this, using Excel's line chart function, such as the fourth character, as shown in the figure, it can be seen that there is a green line that is different from other lines, which is c, so the fourth character is c.

Repeat in turn to get the entire key: _ciscn_2024_

That is, flag: flag{_ciscn_2024_}

Method 2: Test code: import numpy as npimport matplotlib matplotlib.pyplot as pltmatplotlib.use('tkAgg')data=np.load('./attachment.npz')print(data.files)aa=data[data.files[0]]bb=data[data.files[1]]cc=data[data.files[2]]dd=data[data.files[3]]print(len(aa), aa)print(len(bb), bb)print(len(cc), cc)print(len(dd), dd) for i in range(len(dd)): plt.scatter([i for i in range(len(dd[i]))], dd[i]) plt.show() extracts the values of four files from the npz file. The output is empty. The array lengths of the other 3 files are all 520. According to the index, each 40 can be obtained. It is roughly judging that there are 13 plaintexts in total.input is a table.output is empty. The data in the trace are all decimals. Try to draw a dot plot on the data in the trace Found that there are many points in the maximum value of each set of data, and there are only a few points with the minimum value, so we try to find the subscript of the minimum value of each set of data in the trace:

import numpy as npdata=np.load('./attachment.npz')dd=data[data.files[3]] for i in range(len(dd)): min_index=np.argmin(dd[i]) print(f'Minimum index for group {i}: {min_index}') Except for the last set of data, all 985, there are other different numbers in the other data. Use the subscript of the minimum value of every forty groups of data to draw a graph analysis again. It was found that there was only one maximum value, so we need to continue to find the subscript of the maximum value, and then get the corresponding characters from the input tableexp:

import numpy as npimport matplotlib.pyplot as pltf=np.load('./attachment.npz')index=f['index']ip=f['input']tr=f['trace']flag=''for _ in range(13): t=[] table=ip[40*_:40*(_+1)] for i in range(40): # Draw a scatter plot for each list and find the minimum value # plt.scatter([i for i in range(len(tr[_*40+i]))], tr[_*40+i]) # plt.show() # Get the subscript of the minimum value of the list min=np.argmin(tr[_*40+i]) # Insert the subscript of the minimum value into the new list t.append(min) # Use the subscript of the minimum value of 40 lists as data, draw the picture, and find that there is a maximum value for i in range(len(t)): plt.scatter([i for i in range(len(t))], np.array(t)) plt.show() # Find the subscript of the maximum value mins=np.argmax(t) # Use the subscript to take characters from the table ind=table[mins] # Add characters to flag +=indprint(flag)

Get: _ciscn_2024_a Since the last set of data in the previous group is all 985, the a obtained from the last set of data does not count as a. The final flag is obtained: flag{_ciscn_2024_}

3. Mysterious file

Method 1: The ultimate doll is blurry, and it is really just looking for it. Get the PPT file, change the suffix to .zip to find part1 in two xml in the docProps directory. App.xml prompts the decryption algorithm, core.xml prompts the ciphertext and key key, go to Cyber part2 in docx under the ppt/embeddings folder. If you open it from PPT, it is the black piece in the upper left corner of Chapter 2. Double-click, select all after opening, change the font size, change the color, decrypt the Caesar offset 10, and then base64 decrypt it to get part2 part3 is in vbaProject.bin. I really searched for this for a long time. Later, I searched online and found that ppt steganography may be related to macros and macro scripts, which is called VBA project decryption. First open vbaProject.bin, find the DPB byte, change the last bit to x, and save, then change the suffix to .zip, and directly open it to find the file of the connotation. Open the module 1 in the VBA folder.. I found a ciphertext. I don’t know what it is, but the prompt is after base64. Then decrypt it first, and then get garbled code. Generally, the special characters are more RC4 or rot. Finally, I found that it is decrypted without password. Then decrypt it with a layer of base64.part4 directly open PPT (because it is made up of pictures in the media folder). The third picture seems to be to select visible hidden characters. Because my computer automatically selects it by default, you can directly view it. Base64 decode part5 is in the comments of Chapter 5 ppt. Directly Cyber Chef Hat Run, multi-layer base64 decoding, get the fifth part part6 is in the upper left corner of the boundary of the fifth PPT text. It can be scaled or directly disassembled the media folder. Base64 decoding part7 is in the slides4.xml under ppt\slides, the position of id4 is prompted below. Rot13 all, implying that includes number, base64 decoding

part8 is in slideLayout2.xml, Nanping, I didn’t understand what it meant at the beginning, and I only understood it after I connected it. that is, to remove Bb13 from the above string. Then base64 decode part9 directly in the media folder, look at the lower left corner of the picture of the cat man, base64 decode

part10 in comment1.xml, Virginia decoded, the key is furry

In short, the last flag is flag{e675efb3-346f-405f-90dd-222b387edee9} Method 2: First, some simple and easy to find. Follow the prompt rules to decode base64, Virginia, Caesar, etc. and you can find a lot of things in PPT Change the zip suffix, and you will find it in the world document Pictures In total, you can get: part2:675efbPayt4:6f-40pArt5:5f-90dParT6:d-2parT9:deHPARt10:9}The following needs to be more careful The binary file i13POMdzEAzHfy4dGS+vUA==Here is base64+RC4+base64 Get PArt3:3-34ppt file attributes ciphertext: QFCfpPQ6ZymuM3gq Encryption method: bifldKey:lanjing; Get Part1:flag{eppt master Remove Bb13 and solve base64 Get paRt8:87e Select paneRot13+base64 Get PART7=22b3 splicing to get the final flag: flag{e675efb3-346f-405f-90dd-222b387edee9}

4. Research questionnaire for college students' safety testing ability

Fill in the questionnaire

5. Ventilator

Method 1: Get the mwp file, 010 open the first three file headers, open it with V4.0 STEP 7 MicroWIN SP9, look at it in every place, have never seen it before, finally find flag in the symbol table base64 decoded to get flag Method 2: Use binwalk to separate a zlib file, decompress using python, the code is as follows: import zlibdef decompress_zlib_file(input_filename, output_filename): with open(input_filename, 'rb') as compressed_file: compressed_data=compressed_file.read() decompressed_data=zlib.decompress(compressed_data) with open(output_filename, 'wb') as output_file: output_file.write(decompressed_data)# Example usageinput_file='35.zlib'output_file='decompressed_data.txt'decompress_zlib_file(input_file, output_file) Open decompressed_data.txt with Winhex, and you can see the flag encoded after base64. decode to get flag: