楚穎i 2024 PolarCTF Summer Individual Challenge WriteUp

^cyi^ posted on 2024-06-01

PolarCTF Cyber Security 2024 Summer Individual Challenge

WRITE UP

Participant:

楚穎i

Prepared by the PolarCTF Cyber Security Individual Challenge Organizing Committee

Contents

Part 1: MISC

1-1 Noble Lady Qi's Accusation

1-2 The Eye-Straining flag

1-5 What's Playing in Your Headphones

Part 2: CRYPTO

2-1 pici

2-2 Flipping the Fence

2-3 Hello

Part 3: WEB

3-2 Audit

3-3 Scan and See

3-4 debudao

3-5 Dragon

Part 4: REVERSE

4-1 crc

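Part 1: MISC

1-1 Noble Lady Qi's Accusation

The approach for this challenge is as follows:

A zip is hidden at the end of the PNG image; extracting it with foremost yields an encrypted archive.

Brute-forcing the archive gives the password 1574.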

flag{3bb6fa896968f804033fb85af5576762}
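
The check that foremost automates in this step, as an added example that is not part of the original write-up: walk the PNG chunk list to IEND and inspect whatever follows it. The sample image and the member name secret.txt are constructed for the demonstration.

```python
import io
import struct
import zipfile
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def chunk(ctype, data):
    """Serialize one PNG chunk: length, type, data, CRC over type+data."""
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))

def png_trailer(blob):
    """Validate each chunk and return (offset, bytes) of the data after IEND."""
    if not blob.startswith(PNG_MAGIC):
        raise ValueError("not a PNG")
    pos = len(PNG_MAGIC)
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length
        if end > len(blob):
            raise ValueError("truncated chunk")
        stored = struct.unpack(">I", blob[end - 4:end])[0]
        if zlib.crc32(blob[pos + 4:end - 4]) != stored:
            raise ValueError("bad CRC in %r chunk" % ctype)
        pos = end
        if ctype == b"IEND":
            return pos, blob[pos:]
    raise ValueError("no IEND chunk")

def make_sample():
    """Constructed sample: a 1x1 grayscale PNG, clean and with a zip appended."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")
    png = PNG_MAGIC + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("secret.txt", "constructed payload")
    return png, png + buf.getvalue()

def appended_zip_names(blob):
    """Return (offset of trailing data, member names if the trailer is a zip)."""
    offset, extra = png_trailer(blob)
    if not extra.startswith(b"PK\x03\x04"):  # zip local file header signature
        return offset, []
    with zipfile.ZipFile(io.BytesIO(extra)) as z:
        return offset, z.namelist()
```

Member names are readable even when the archive is password-protected, because only the file contents are encrypted.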

1-2 The Eye-Straining flag

The approach for this challenge is as follows:

A classic challenge type.

Set the font to bold and fill the background with black.

flag{4d58a180010fcce87d331c9ba36e3b93}

1-5 What's Playing in Your Headphones

The approach for this challenge is as follows:

There are three zips.

The first:

https://qr61.cn/oLHDAn/qYdgRdp

Downloading it gives the first part of the code.

The second:

The archive comment is 102 49 64 57 105 36 72 101 114 69

Convert the ASCII codes to characters.

Password: f1@9i$HerE

Change the text color in the Word document.

Base64 decoding gives the second part of the code.

The third:

The comment says steghide.

Brute-force it with Stegseek.

This gives the third part of the code.

Complete code:

#include <iostream>
#include <Windows.h>
#pragma comment(lib,"winmm.lib")
using namespace std;

// MIDI note numbers (A0 = 21 ... C8 = 108); an "s" suffix marks a sharp
enum Scale {
    Rest = 0, C8 = 108, B7 = 107, A7s = 106, A7 = 105, G7s = 104, G7 = 103, F7s = 102, F7 = 101, E7 = 100,
    D7s = 99, D7 = 98, C7s = 97, C7 = 96, B6 = 95, A6s = 94, A6 = 93, G6s = 92, G6 = 91, F6s = 90, F6 = 89,
    E6 = 88, D6s = 87, D6 = 86, C6s = 85, C6 = 84, B5 = 83, A5s = 82, A5 = 81, G5s = 80, G5 = 79, F5s = 78,
    F5 = 77, E5 = 76, D5s = 75, D5 = 74, C5s = 73, C5 = 72, B4 = 71, A4s = 70, A4 = 69, G4s = 68, G4 = 67,
    F4s = 66, F4 = 65, E4 = 64, D4s = 63, D4 = 62, C4s = 61, C4 = 60, B3 = 59, A3s = 58, A3 = 57, G3s = 56,
    G3 = 55, F3s = 54, F3 = 53, E3 = 52, D3s = 51, D3 = 50, C3s = 49, C3 = 48, B2 = 47, A2s = 46, A2 = 45,
    G2s = 44, G2 = 43, F2s = 42, F2 = 41, E2 = 40, D2s = 39, D2 = 38, C2s = 37, C2 = 36, B1 = 35, A1s = 34,
    A1 = 33, G1s = 32, G1 = 31, F1s = 30, F1 = 29, E1 = 28, D1s = 27, D1 = 26, C1s = 25, C1 = 24, B0 = 23,
    A0s = 22, A0 = 21
};

// Scale-degree aliases 1..7 in four octaves (X from C2, L from C3, M from C4, H from C5)
enum Voice {
    X1 = C2, X2 = D2, X3 = E2, X4 = F2, X5 = G2, X6 = A2, X7 = B2,
    L1 = C3, L2 = D3, L3 = E3, L4 = F3, L5 = G3, L6 = A3, L7 = B3,
    M1 = C4, M2 = D4, M3 = E4, M4 = F4, M5 = G4, M6 = A4, M7 = B4,
    H1 = C5, H2 = D5, H3 = E5, H4 = F5, H5 = G5, H6 = A5, H7 = B5,
    LOW_SPEED = 500, MIDDLE_SPEED = 400, HIGH_SPEED = 300,
    _ = 0XFF
};

void Wind() {
    HMIDIOUT handle;
    midiOutOpen(&handle, 0, 0, 0, CALLBACK_NULL);
    // midiOutShortMsg(handle, 2 << 8 | 0xC0);
    int volume = 0x7f;
    int voice = 0x0;
    int sleep = 350;
    // Score: notes mixed with control values (0, 300, 700 and _ are handled in the loop below)
    int wind[] =
    {
        500, L6, 700, M1, 700, M5, 700, M1, 700, L4, 700, L5, 700, M5, 700, M1, 500, L1, 400, L5, M5, M1, L1, M5, L7,
        M5, _, L6, M1, M5, M1, L4, L5, M5, M1, L1, L5, M5, M1, L1, M5, L7, M5, _, _, _,
        300, M5, M5, M1, _, M1, _, M2, M3, _, _, M5, M5, M1, M1, M2, M3, 0, M2, M1, _, _, _, 500, 300,
        300, M5, M5, M1, _, M1, _, M2, M3, _, 500, M3, _, 300, M2, M3, M4, M3, M2, M4, M3, M2, _, 500, 300,
        300, L5, M1, M1, M3, M4, M3, M2, _, M1, M2, _, 300, M3, M3, M3, M3, _, M2, M3, M2, M1, 300,
        400, L5, M1, _, M2, M3, M4, M3, M2, M1, M2, _, M3, M3, M3, M3, 0, M2, M3, 0, M2, M1, _, _, 500, 300,
        300, L7, 300, M1, 300, M1, 300, M1, 300, M1, L7, M1, M1, _, _, M1, M1, M1, L7, M1, M1, _, _, M1, M1, M1, L7, M1,
        M1, _, M1, M1, M1, M5, M5, M5, _, M5, M5, M5, M5, 0, M5, M5, _, _, _, 500, 300,
        300, M5, M5, M5, _, M5, M4, M3, M3, 0, 500, 300, _, _, _,
        300, M1, M1, M1, M1, L6, _, L7, M1, M5, M4, M3, M1, M1, _, _,
        300, M1, M1, M1, M1, _, M3, M1, _, _, L6, L7, M1, M5, M4, M3, M1, M2, _, _, _,
        400, _, _, _, _, M3, M2, M4, M3, _, _, M1, M5, M7, L7, M7, M5, M1, _, _, M1, M6, M6, _, _, M6, M5, M5, _, M5,
        M4, M3, M2, M3, M4, M3, _, _,
        400, M3, M4, M5, M3, _, _, M4, M5, M7, H2, M7, H1, H1, _, _,
        400, H1, H1, M5, M5, M6, M5, M4, _, M2, M3, M4, M5, M6, M1, M6, _, 0, M7, M7, _, _, 500, 300,
        400, M3, M2, M4, M3, _, M1, M5, M7, H1, M7, M1, M1, _, M1, M6, M6, _, M6, M5, M5, _, M5, M4, M3, M2, M3, M4, M3,
        _, _,
        400, M3, M4, M5, M3, _, M4, M5, M7, H2, M7, H1, H1, _, _,
        400, H1, H1, M5, M5, M6, M5, M4, M2, M3, M4, M5, M6, M1, M6, M7, _, M7, _, _,
        300, M3, M2, M4, M3, _, M1, M5, M7, H1, M7, H2, H1, _, _,
        300, M1, M6, M6, _, M6, M5, M5, _, M5, M4, M3, M2, M3, M4, M3, _, _, _,
        300, M3, M4, M5, M3, _, M4, M5, M7, H2, M7, H1, H1, _, _,
        500, H1, H1, M5, M5, M6, M5, M4, L6, L7, M1, M2, M3, M2, _, _,
        500, M3, _, M1, _, _, _,
    };
    for (auto i: wind) {
        if (i == 0) {sleep = 175;continue;}   // switch to a 175 ms note length
        if (i == 700) {Sleep(175);continue;}  // pause for 175 ms
        if (i == 300) {sleep = 350;continue;} // back to a 350 ms note length
        if (i == _) {                         // rest for 350 ms
            Sleep(350);
            continue;
        }
        // if (i == 900) volume += 100;
        // Note On, channel 0: velocity in bits 16-23, note in bits 8-15, status 0x90
        voice = (volume << 16) + ((i) << 8) + 0x90;
        midiOutShortMsg(handle, voice);
        cout << voice << endl;
        Sleep(sleep); // midiOutShortMsg(handle, 0x7BB0);
    }
    midiOutClose(handle);
}

int main() {
    Wind();
    return 0;
}

In Dev-C++, link the library manually.

Listen to the song; combined with the image from the third zip, it is Jay Chou's "Sunny Day" (晴天).

flag{cbbe546304037478ce0c36437d036711}

Part 2: CRYPTO

2-1 pici

The approach for this challenge is as follows:

5paw5L2b5puw77ya6Ku45q+Y6Zq45YOn6ZmN5ZC96Ku45q+Y6ZmA5q+Y5pGp5q+Y6Zq45YOn57y96Jap5q+Y6aGY5q+Y5YOn6aGY5ZKk6aGY5q+Y5rOi5Zqk5q+Y6ZeN6aGY6ZeN5q+Y5Zqk5Zia5L+u5q+Y6Zq45amG6Zq45q+Y5L+u6Kum5b2M5ZOG5oSN6IGe5q+Y5amG6aCI6aCI55y+5q+Y6I6K5b+D6ZmN55y+6Jap5q+Y5ZOG5oWn5Y+75ZKk6ZeN6aGY5YWc5q+Y5Zqk5q+Y5aaCCg==

Base64 decoding gives: 新佛曰:諸毘隸僧降吽諸毘陀毘摩毘隸僧缽薩毘願毘僧願吒願毘波嚤毘闍願闍毘嚤嘚修毘隸婆隸毘修諦彌哆愍聞毘婆須須眾毘莊心降眾薩毘哆慧叻吒闍願兜毘嚤毘如

Tool: 新約佛論禪/佛曰加密 - 萌研社 - PcMoe!

新約佛論禪 decoding gives: huanyinglaidaowangzherongyao

flag{39c6acff08d543f5cb892bdbbdc2841f}

2-2 Flipping the Fence

The approach for this challenge is as follows:

The first txt is encoded with the 獸音譯者 (Beast Sound Translator) encoding.

The second txt gives the key for the rail fence cipher.

flag{d531d5be4f3737afa979a0f77dd8b180}

2-3 Hello

The approach for this challenge is as follows:

# m is "HELLO" written as ASCII codes: 72 69 76 76 79
m = 7269767679
e = 65537
n = 365354477477
# RSA encryption: c = m^e mod n
print(pow(m, e, n))

flag{124198634960}

Part 3: WEB

3-2 Audit

The approach for this challenge is as follows:

Solved using my own notes.

flag{1bc29b36f623ba82aaf6724fd3b16718}

3-3 Scan and See

The approach for this challenge is as follows:

Scan with 御劍 (Yujian), then view the page source with Ctrl+U.

flag{094c9cc14068a7d18ccd0dd3606e532f}

3-4 debudao

The approach for this challenge is as follows:

Ctrl+U shows a fake flag in the page source.

The real flag is in the cookie.

flag{72077a55w312584wb1aaa88888cd41af}

3-5 Dragon

The approach for this challenge is as follows:

Baffling; it's the cookie again.

flag{72077a551386b19fb1aea77814cd41af}

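3-7 Did You Know sys Could Be Used Like This

The approach for this challenge is as follows:

Part 4: REVERSE

4-1 crc

The approach for this challenge is as follows:

Fed it to GPT.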

Exp:

import itertools
import string
import zlib

def crc32_hash(data):
    return format(zlib.crc32(data.encode()) & 0xFFFFFFFF, '08x')

# Define target CRC32 values
targets = [
    "d1f4eb9a",
    "15d54739",
    "540bbb08",
    "3fcbd242",
    "2479c623",
    "fcb6e20c"
]

# Function to brute-force search for matching strings
def find_matching_string(length, target):
    chars = string.printable  # All printable characters
    for candidate in itertools.product(chars, repeat=length):
        candidate_str = ''.join(candidate)
        if crc32_hash(candidate_str) == target:
            return candidate_str
    return None

# Find substrings that match the CRC32 targets
s1 = find_matching_string(4, targets[0])
c1 = find_matching_string(1, targets[1])
s2 = find_matching_string(4, targets[2])
s3 = find_matching_string(2, targets[3])
s4 = find_matching_string(4, targets[4])
c2 = find_matching_string(1, targets[5])

# Combine the results to form the final input string
if all([s1, c1, s2, s3, s4, c2]):
    final_input = s1 + c1 + s2 + s3 + s4 + c2
    print("Input to produce 'Very nice!':", final_input)
else:
    print("Failed to find matching input for all conditions.")

flag{ezrebyzhsh}
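
An added example, not part of the original write-up, that goes beyond the brute force above: for inputs of exactly four bytes CRC-32 is a bijection, so the 4-character targets can be inverted directly instead of trying up to 100^4 printable candidates. The function names are chosen for this example; the shorter targets are still searched exhaustively.

```python
import itertools
import zlib

POLY = 0xEDB88320  # reflected CRC-32 polynomial used by zlib

def _build_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table

TABLE = _build_table()
# The top byte of every table entry is unique, so it identifies the index.
TOP_TO_INDEX = {entry >> 24: i for i, entry in enumerate(TABLE)}

def invert_crc32_4(target):
    """Return the unique 4-byte message whose zlib.crc32 equals target."""
    state = target ^ 0xFFFFFFFF           # undo the final XOR
    for _ in range(4):                    # run four zero-byte steps backwards
        idx = TOP_TO_INDEX[state >> 24]
        state = ((state ^ TABLE[idx]) << 8) | idx
    # Feeding bytes b0..b3 equals XORing them (little-endian) into the initial
    # register and clocking four zero bytes, so XOR the initial value back out.
    return (state ^ 0xFFFFFFFF).to_bytes(4, "little")

def find_short(target, length):
    """Exhaustive search over all byte strings; practical for length <= 2."""
    for cand in itertools.product(range(256), repeat=length):
        data = bytes(cand)
        if zlib.crc32(data) == target:
            return data
    return None

def solve(target_hex, length):
    """Recover the input for one target, given as 8 hex digits."""
    target = int(target_hex, 16)
    if length == 4:
        return invert_crc32_4(target)
    return find_short(target, length)
```

If the four recovered bytes are not printable, that target was not produced from a 4-character printable string.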
