2020湖湘杯部分writeup

週末打了湖湘杯，把做題過程記錄一下，大家交流學習。

下面的連結裡有題目，可以下來看看。

https://download.csdn.net/download/jameswhite2417/13081994

1. misc  passwd

下載檔案發現是raw，是道記憶體取證的題目

拷到kail中，先識別配置檔案

 

獲取密碼hash

進行解密

再根據題目用sha1加密得到flag

 

 

2.CPYPTO 古典美++

Virginia（維吉尼亞）無金鑰解密

1. 破解祕鑰長度。

Python程式碼：

#coding=utf-8#-*- coding:utf-8 –*-def c_alpha(cipher):   # 去掉非字母后的密文
    cipher_alpha = ''
    for i in range(len(cipher)):
        if (cipher[i].isalpha()):
            cipher_alpha += cipher[i]
    return cipher_alpha
# 計算cipher的重合指數def count_CI(cipher):
    N = [0.0 for i in range(26)]
    cipher = c_alpha(cipher)
    L = len(cipher)
    if cipher == '':
        return 0
    else:
        for i in range(L):     #計算所有字母的頻數，存在陣列N當中
            if (cipher[i].islower()):
                 N[ord(cipher[i]) - ord('a')] += 1
            else:
                 N[ord(cipher[i]) - ord('A')] += 1
    CI_1 = 0
    for i in range(26):
        CI_1 += ((N[i] / L) * ((N[i]-1) / (L-1)))
    return CI_1
# 計算祕鑰長度為 key_len 的重合指數def count_key_len_CI(cipher,key_len):        
    un_cip = ['' for i in range(key_len)]    # un_cip 是分組 
    aver_CI = 0.0
    count = 0
    for i in range(len(cipher_alpha)):
        z = i % key_len
        un_cip[z] += cipher_alpha[i]
    for i in range(key_len):
        un_cip[i]= count_CI(un_cip[i])
        aver_CI += un_cip[i]
    aver_CI = aver_CI/len(un_cip)
    return aver_CI
## 找出最可能的前十個祕鑰長度def pre_10(cipher):
    M = [(1,count_CI(cipher))]+[(0,0.0) for i in range(49)]
    for i in range(2,50):
        M[i] = (i,abs(0.065 - count_key_len_CI(cipher,i)))
    M = sorted(M,key = lambda x:x[1])   #按照陣列第二個元素排序
    for i in range(1,10):
        print (M[i])

F = [0.0651738, 0.0124248, 0.0217339,0.0349835, 0.1041442, 0.0197881,0.0158610, 0.0492888, 0.0558094,0.0009033, 0.0050529, 0.0331490,0.0202124, 0.0564513, 0.0596302,0.0137645, 0.0008606, 0.0497563,0.0515760, 0.0729357, 0.0225134,0.0082903, 0.0171272, 0.0013692,0.0145984, 0.0007836]       # 英文字元頻率。
cipher = 'SZWLVSRVVZICMUOJYIIZBSVSSITFSWHPCWCFPVPFXJMWRVJICVRGTCFLHPRJKJKSRVWYFUSEWHFXLHFOSFLYPFXXYFPOEGXFXMBUHVNIYHNDWXPGBXWSYBNDVQRVYRTZUWKTFSKUMVERCCRSBEMKEDRUNYYVRYKXFOKVLVXYGTRQZOEHFEYKJRKRVXFPBOINXFTCSRQCKIGBXWLVOQVVOSFLCRRWXYFQWUHWFGRVVZICMYBUQSKJASUWLRURVVBAVSCTZOPVEUWKKGLQZCRUHJBLRSRSBTFSCYIJICFVDRUUFSIHWYFQONPEGTYBUSMTUSFVVLLOEIGRRGFEGJKIKPMYURAEBHOIIVFNMBVRJKICGYHPMFQOJVLVQYGJHHZUUOJOESFJZVGSIBLUVPEINYZRGISVRHFKIIHPSRWHZTYDGRMEUKSEWMKXYGVPTKZQVVGMUOMHCLOVUMRIRTKICXRUJFSDSRUSWLGZCLRXTMAVESUZQCDDRRHCRKRTLUGHZQXFPLSFIXYFAIGESRSBGRVWYFDSCOTRTRWKZICMRVFXKYUYZZFIKPFSIVICGYTKHVJVAVRIECMYGKKMJJQVROPKIGBBQSKIGBXRJKVKPCLRXEMKEVXRJPGYRASSYJVWLVZJZROPKIGBBPIRUFCDHAYZGKFXPUORGRBEEZRVZQKRCMIKLXVWCBZIMWFJZFIJKICHFSSWUFSYRYJFUVZFLNBQJVUCCJISCBXIVCRFZRUPUBURAEXMICGXYFDOCORVWCFTRQVUMOEHRUJUCEGIIIMKDDRPNGZVVMMFDOCOIECWHYLWKJKSJKIJBGRROSLEGALVXSFESKWMEHQCDHAYFPSEHEIUFSTHRKSCCWWLVFYFKKPVUKSJHIKIYHNRYCEZSWRYIUFCLVEEEKWCHWUPUBZWLZOITFUCFVQSVDPZDCVRGPVBPBKVIMFPOCWLZOEGFIXYJQGFUXZOFSIOIJTMBJLRKICGTKSFMPCFPEEERVFXKYUFWJZEJOMHRYIIZECFGSGQMFKXRZUWTFUWYPUWEJSWGFSINRFXJSUJIRTRVVUINBQBFRRVUMZZVXVORCYHVJUGZCLXNBQUFRHGSYQKLGVUMGRBMKPTSIBIJUFOKVESPSHKKIIJEVKGMJUYBTHFLURVVQMNPLRVUAYBRZRWMKVBSFUPFOEWKXHVJTSXRXKPYZZFIYBBBFLHVBUVRWPRUGHLGINBQCIOSEHGHLGIVJRVVUFLURVFXKYURVVBAVSCBZFIXSYBUZSIEQHFVEPQPSJHRKMWGYHFVHYBRJEZOGKFQHVSGTZVLRMJTROPIJEVKWLIPSUYWLVFYFKKLFXDIEQCZUJZJHIDUMQFPIFVRODRRXUFSGHSGMCHYDXNBJYNLXYUFSZULVBBGURAEXYFUWLVBLHZSEKIGSJLXYJLYJKINBQFRWLVSEZRGXYFPSNDWEPMBVOMJUCBZQKKIGGKLQVBQWKGMUORGFXRUBROCOXYFPWXKXNPPRSXXZTFOCOLRWCHFDWBUFSDZLRURVVQEDFMTKKITPSBKUCZTWCLNRFXNZVDWVNYODLWKIGGEHAQFYZRQHFSYIJWVRMGORQHJICHILIUUMQLUXJFWOJVLVTNCBHJROAMTXVKTCMZQKRTWCLUIWBJZZQKKIPCLJLKICOZUHFZMIKKMELWCLFSLMBARQEXFGHRQHNIYHRQMXOMFRQXCJRHCHKZSJGYHPCUFWENQVGMFRVOZOEBFLXCMLSMHVUPRCRVOGFPVRSWZTFOCOWVFGHNUMKUCBLSWFNCKYHVV'

cipher_alpha = c_alpha(cipher)print u"祕鑰長度為:"
pre_10(cipher)

得出的結果排名靠前的都是7的倍數，我們可以猜測祕鑰長度為7

 

2.將密文分成N組，逐個破解祕鑰。

Python程式碼：

# 猜測單個祕鑰得到的重合指數def count_CI2(cipher,n):     # n 代表我們猜測的祕鑰，也即偏移量
    N = [0.0 for i in range(26)]
    cipher = c_alpha(cipher)
    L = len(cipher)
    for i in range(L):     #計算所有字母的頻數，存在陣列N當中
        if (cipher[i].islower()):
            N[(ord(cipher[i]) - ord('a') - n)%26] += 1
        else:
            N[(ord(cipher[i]) - ord('A') - n)%26] += 1  
    CI_2 = 0
    for i in range(26):
        CI_2 += ((N[i] / L) * F[i])
    return CI_2
def one_key(cipher,key_len):
    un_cip = ['' for i in range(key_len)]   
    cipher_alpha = c_alpha(cipher)
    for i in range(len(cipher_alpha)):     # 完成分組工作
        z = i % key_len
        un_cip[z] += cipher_alpha[i]
    for i in range(key_len):
        print (i)
        pre_5_key(un_cip[i])     ####這裡應該將7個分組的祕鑰猜測全部列印出來
## 找出前5個最可能的單個祕鑰def pre_5_key(cipher):
    M = [(0,0.0) for i in range(26)]
    for i in range(26):
        M[i] = (chr(ord('a')+i),abs(0.065 - count_CI2(cipher,i)))
    M = sorted(M,key = lambda x:x[1])   #按照陣列第二個元素排序

    for i in range(10):
        print (M[i])

key_len = 7   #輸入猜測的祕鑰長度
one_key(cipher,key_len)

結果

得出的祕鑰會按照可能性進行排序，排在第一位的字元取出得到orderby

 

驗證一下

解密的結果最後幾個單詞明顯有意義

 

按題目要求將祕鑰大寫，用md5加密得到flag

 

參考：python實現維吉尼亞祕鑰破解 - 簡書 https://www.jianshu.com/p/23e3dcb3f0e9

 

3.未解出Misc  顏文字之謎

過濾http中含有flag的內容

 

追蹤http流

Base64解碼

 

AAEncode解碼無果 ……

 

 

4.未解出Misc 虛實之間

Binwalk一下

發現有兩個zip包

Foremost分離出來

用360壓縮開啟，有個沒加密的副本，把內容拷出來，儲存到本地。

 

用好壓開啟有3個加密的檔案。檔名也是mingwen-副本，還有個正本，crc32一樣。應該是明文攻擊。把剛才儲存到本地的txt壓縮一下，對比一下crc32一樣，這樣我們就有了明文檔案。

 

用archpr進行明文攻擊，可是報錯了……

 

5. 未解出 web

檔案包含 有過濾 做不動……