HNCTF2022 replay: MISC part

Warning
This article was last updated on 2023-02-01; its content may be out of date.

Today is 2022.12.16. To brush up on misc,

I'm replaying HNCTF.

MISC

Setting the Python escape aside for now; it's fiddly.

week1

Simple encoding

A URL-encoded string sits at the tail of the image file.


image-20221216001248868

nssctf{nssctf_huanyingni}

三生三世 (Three Lives, Three Worlds)

An encrypted archive; brute-force the password.

image-20221216001610293

This gives a base64 string starting with data:image; paste it straight into the browser address bar

and you get a QR code.

image-20221216001908220

Scan it with CQR:

nc{lmTnc}stWceostsfeo__sf

This is an N-type rail fence cipher with three rails: each rail takes every third character in turn, with no zigzag (that would be the W-type), which is why the ciphertext reads as three contiguous runs.

image-20221216002007181

nssctf{Welcome_To_nssctf}
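As an added example (not part of the original writeup), both rail fence layouts in Python so the distinction is concrete: the N-type used in this challenge places plaintext character i on rail i mod rails and emits the rails one after another, while the W-type is the zigzag that most English tools mean by "rail fence". The brute-force helper and the flag prefixes it looks for are my additions.

```python
def rail_fence_n_decrypt(cipher: str, rails: int) -> str:
    """Undo the 'N-type' rail fence: plaintext character i sat on rail i % rails
    (no zigzag) and the rails were written out one after another."""
    n = len(cipher)
    # rail r received every character whose index is congruent to r modulo `rails`
    rail_lengths = [len(range(r, n, rails)) for r in range(rails)]
    segments, pos = [], 0
    for length in rail_lengths:
        segments.append(cipher[pos:pos + length])
        pos += length
    plain = [""] * n
    for r, seg in enumerate(segments):
        for k, ch in enumerate(seg):
            plain[r + k * rails] = ch
    return "".join(plain)


def rail_fence_w_decrypt(cipher: str, rails: int) -> str:
    """Undo the classic zigzag ('W-type') rail fence, for comparison."""
    n = len(cipher)
    period = 2 * rails - 2
    # rail index of each plaintext position along the zigzag
    rail_of = [min(i % period, period - i % period) for i in range(n)]
    # ciphertext order = rail by rail, left to right within a rail
    order = sorted(range(n), key=lambda i: (rail_of[i], i))
    plain = [""] * n
    for ct_index, pt_index in enumerate(order):
        plain[pt_index] = cipher[ct_index]
    return "".join(plain)


def rail_fence_bruteforce(cipher: str, prefixes=("flag", "nssctf")):
    """Try both layouts with every rail count; return (layout, rails, plaintext)
    for outputs that start like a flag (prefix list is an assumption)."""
    hits = []
    for rails in range(2, len(cipher)):
        for name, fn in (("N", rail_fence_n_decrypt), ("W", rail_fence_w_decrypt)):
            pt = fn(cipher, rails)
            if pt.lower().startswith(prefixes) and "{" in pt:
                hits.append((name, rails, pt))
    return hits


if __name__ == "__main__":
    for hit in rail_fence_bruteforce("nc{lmTnc}stWceostsfeo__sf"):
        print(hit)
```

Running the brute force over the ciphertext above reports the N layout with 3 rails; the W layout never produces a flag-shaped string, which is the quick way to tell the two apart when a tool's "rail fence" gives garbage.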

my_png

A PNG; a ZIP is carved out of the file tail.

The password hint says four digits.

Brute-forcing gives 6666.

Extract it to get the flag.

NSSCTF{welc0me_t0_StegAn0graphY!!!}
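An added example, not from the writeup or the challenge files: carving the ZIP that follows a PNG's IEND chunk and brute-forcing a four-digit password with the standard library only. Because zipfile can read but not write ZipCrypto archives, the sample archive (entry flag.txt, password 6666, constructed contents) is built by hand with a small ZipCrypto implementation, and the stub PNG is constructed too.

```python
import io
import struct
import zipfile
import zlib

# Constructed sample (not the challenge file): a stub "PNG" that ends with an IEND
# chunk, followed by a single-entry ZIP protected with traditional PKWARE encryption.
PASSWORD = "6666"
SECRET = b"NSSCTF{constructed_sample_not_the_real_flag}"
PNG_STUB = (b"\x89PNG\r\n\x1a\n"
            + struct.pack(">I", 0) + b"IEND" + struct.pack(">I", zlib.crc32(b"IEND")))

# CRC-32 table used by ZipCrypto's key schedule (same polynomial as zlib).
_CRC_TABLE = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


class ZipCrypto:
    """Traditional PKWARE stream cipher, encrypt side. zipfile only decrypts it,
    so the sample archive has to be produced by hand."""

    def __init__(self, password: bytes):
        self.keys = [0x12345678, 0x23456789, 0x34567890]
        for b in password:
            self._update(b)

    @staticmethod
    def _crc_step(key, b):
        return (key >> 8) ^ _CRC_TABLE[(key ^ b) & 0xFF]

    def _update(self, b):
        k = self.keys
        k[0] = self._crc_step(k[0], b)
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = self._crc_step(k[2], k[1] >> 24)

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for b in data:
            t = (self.keys[2] | 2) & 0xFFFF
            out.append(b ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(b)  # the key schedule advances on the plaintext byte
        return bytes(out)


def build_encrypted_zip(name: bytes, plain: bytes, password: str) -> bytes:
    """One stored entry, general-purpose flag bit 0 set, 12-byte encryption header."""
    crc = zlib.crc32(plain) & 0xFFFFFFFF
    # 11 filler bytes, then the check byte = high byte of the CRC. This single byte is
    # all a password is tested against at open(), so ~1 in 256 wrong passwords pass it.
    header = bytes(11) + bytes([crc >> 24])
    body = ZipCrypto(password.encode()).encrypt(header + plain)
    csize, usize, date = len(body), len(plain), 0x21  # date 0x21 = 1980-01-01
    local = b"PK\x03\x04" + struct.pack("<HHHHHIIIHH", 20, 1, 0, 0, date,
                                        crc, csize, usize, len(name), 0) + name
    central = b"PK\x01\x02" + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, 1, 0, 0, date,
                                          crc, csize, usize, len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = b"PK\x05\x06" + struct.pack("<HHHHIIH", 0, 0, 1, 1, len(central),
                                       len(local) + len(body), 0)
    return local + body + central + eocd


def carve_zip_after_png(blob: bytes) -> bytes:
    """Everything from the first local-file-header signature that follows the PNG's
    IEND chunk (4-byte type + 4-byte CRC) to the end of the blob."""
    iend = blob.index(b"IEND")
    return blob[blob.index(b"PK\x03\x04", iend + 8):]


def brute_force_numeric(zip_bytes: bytes, digits: int = 4):
    """Try every zero-padded number with `digits` digits. A candidate is accepted only
    when the whole entry reads back with a matching CRC, which weeds out the
    check-byte false positives. Returns (password, plaintext) or (None, None)."""
    zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    name = zf.namelist()[0]
    for n in range(10 ** digits):
        pwd = f"{n:0{digits}d}".encode()
        try:
            return pwd.decode(), zf.read(name, pwd=pwd)
        except (RuntimeError, zipfile.BadZipFile):  # bad check byte / bad CRC-32
            continue
    return None, None


SAMPLE_BLOB = PNG_STUB + build_encrypted_zip(b"flag.txt", SECRET, PASSWORD)

if __name__ == "__main__":
    print(brute_force_numeric(carve_zip_after_png(SAMPLE_BLOB)))
```

The point worth remembering from the brute-force loop: zipfile rejects a wrong password at open() on one check byte, so roughly one candidate in 256 gets past it and is only caught by the CRC mismatch when the entry is actually read. Accepting the first password that opens, as many quick scripts do, would occasionally return garbage.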

piz.galf

Reverse the bytes first

to get flag.zip,

which contains another pmb.galf.

Reverse it again.

image-20221216132920929

NSSCTF{d1r0w_0ll3h}

silly_zip

The ZIP is pseudo-encrypted; undo that first.

Extracting gives a BMP.

Change the height and the flag becomes visible.

image-20221216133718633

NSSCTF{bmp_3ndian}
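An added example, not the writeup's own code: undoing pseudo-encryption by walking the central directory (rather than patching whichever flag byte happens to be found first), then recovering a BMP's true height from the amount of pixel data actually present instead of guessing at it. The archive and bitmap are constructed by make_sample_archive(); the writer is a plain 24-bit bottom-up BMP.

```python
import io
import struct
import zipfile

CENTRAL_SIG = b"PK\x01\x02"


def set_zip_encrypted_bit(zip_bytes: bytes, value: bool) -> bytes:
    """Find the central directory through the end-of-central-directory record and
    set or clear general-purpose flag bit 0 in every central and local header.
    Setting it on an archive that was never encrypted is the 'pseudo-encryption'
    trick (tools then ask for a password); clearing it undoes the trick."""
    buf = bytearray(zip_bytes)
    eocd = buf.rfind(b"PK\x05\x06")
    entries, _cd_size, cd_off = struct.unpack_from("<HII", buf, eocd + 10)
    pos = cd_off
    for _ in range(entries):
        if buf[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("central directory damaged")
        fn_len, extra_len, comment_len = struct.unpack_from("<HHH", buf, pos + 28)
        (local_off,) = struct.unpack_from("<I", buf, pos + 42)
        for off in (pos + 8, local_off + 6):  # flags: central header +8, local header +6
            (flags,) = struct.unpack_from("<H", buf, off)
            flags = (flags | 1) if value else (flags & 0xFFFE)
            struct.pack_into("<H", buf, off, flags)
        pos += 46 + fn_len + extra_len + comment_len
    return bytes(buf)


def needs_password(zip_bytes: bytes, name: str = "flag.bmp") -> bool:
    """True when zipfile refuses to read the entry without a password."""
    try:
        zipfile.ZipFile(io.BytesIO(zip_bytes)).read(name)
        return False
    except RuntimeError:
        return True


def build_bmp(width: int, real_rows: int, declared_height: int) -> bytes:
    """Constructed 24-bit BMP: `real_rows` rows of pixel data, but the header claims
    `declared_height` rows, so viewers drop the top rows (BMPs are stored bottom-up)."""
    row_size = (width * 3 + 3) & ~3  # scanlines are padded to 4 bytes
    pixels = b"".join(bytes([r]) * row_size for r in range(real_rows))
    info = struct.pack("<IiiHHIIiiII", 40, width, declared_height, 1, 24, 0,
                       len(pixels), 2835, 2835, 0, 0)
    file_hdr = b"BM" + struct.pack("<IHHI", 54 + len(pixels), 0, 0, 54)
    return file_hdr + info + pixels


def bmp_dimensions(bmp: bytes):
    return struct.unpack_from("<ii", bmp, 18)  # biWidth, biHeight: signed little-endian


def recover_bmp_height(bmp: bytes) -> int:
    """Height implied by the pixel data present, ignoring the (lowered) header value."""
    (pixel_off,) = struct.unpack_from("<I", bmp, 10)
    width, _height, _planes, bpp = struct.unpack_from("<iiHH", bmp, 18)
    row_size = ((abs(width) * bpp + 31) // 32) * 4
    return (len(bmp) - pixel_off) // row_size


def set_bmp_height(bmp: bytes, height: int) -> bytes:
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP")
    buf = bytearray(bmp)
    struct.pack_into("<i", buf, 22, height)  # biHeight at offset 14 + 8
    return bytes(buf)


def make_sample_archive() -> bytes:
    """Stand-in for the challenge file: a BMP with half its height hidden, stored in a
    ZIP that is then pseudo-encrypted."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("flag.bmp", build_bmp(width=4, real_rows=8, declared_height=4))
    return set_zip_encrypted_bit(out.getvalue(), True)


def solve(archive: bytes) -> bytes:
    fixed = set_zip_encrypted_bit(archive, False)
    bmp = zipfile.ZipFile(io.BytesIO(fixed)).read("flag.bmp")
    return set_bmp_height(bmp, recover_bmp_height(bmp))
```

Two details matter in practice: the flag must be cleared in both the local and the central header (some tools only fix one, and the other extractor keeps asking for a password), and the BMP height is a signed little-endian int32 (negative means top-down), which is what the flag name "bmp_3ndian" alludes to.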

week2

Kiana

Two images that are nothing but mosaic.

image-20221216135520144

Use StegSolve's Image Combiner to XOR the two images together.

image-20221216135546252

NSSCTF{come_and_play_bh3}

ez_flow

A packet capture.

image-20221216135731755

The flag is visible in TCP stream 5 (Follow TCP Stream).

NSSCTF{Hacker!!!!_Y0u_g3t_nny_f10w}

ex_word

A docx; the challenge description asks what a docx really is.

Extract it as a ZIP.

image-20221216140834416

In the media folder there is a PNG that won't display properly.

It turns out to be a ZIP; extracting it gives a string of emoji.

image-20221230133317505

Decode it as base100.

image-20221216141028681

nssctf{t01s_1s_th0_tru3_f1ag}
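An added example (not from the writeup): base100 maps every byte to one emoji, so decoding is arithmetic on the UTF-8 bytes rather than a table lookup. This is the scheme as implemented in the public base100 project, reproduced here from memory without the original tool; the test vectors are constructed.

```python
def base100_encode(data: bytes) -> str:
    """Each byte b becomes the 4-byte UTF-8 sequence F0 9F (b+55)//64+0x8F (b+55)%64+0x80,
    i.e. one emoji in the U+1F3F7..U+1F4F6 range."""
    out = bytearray()
    for b in data:
        out += bytes([0xF0, 0x9F, (b + 55) // 64 + 0x8F, (b + 55) % 64 + 0x80])
    return out.decode("utf-8")


def base100_decode(text: str) -> bytes:
    """Inverse of the above. Whitespace from copy/paste is ignored; anything that
    is not a base100 emoji is reported instead of silently producing bytes."""
    raw = "".join(text.split()).encode("utf-8")
    if len(raw) % 4:
        raise ValueError("base100 input must be a whole number of emoji")
    out = bytearray()
    for i in range(0, len(raw), 4):
        if raw[i] != 0xF0 or raw[i + 1] != 0x9F:
            raise ValueError(f"not a base100 emoji at byte offset {i}")
        out.append(((raw[i + 2] - 0x8F) * 64 + (raw[i + 3] - 0x80) - 55) & 0xFF)
    return bytes(out)


if __name__ == "__main__":
    sample = base100_encode(b"nssctf{constructed}")
    print(sample, base100_decode(sample))
```

The decoder returns bytes, not text; a decoded flag is only readable because it happens to be ASCII, and a decoded ZIP or PNG should be written to a file as-is.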

The QR code that won't scan

A QR code; scanning it gives a Lanzou link:

https://wwz.lanzouy.com/iYZ6v0d8tk3e

Download 二维码里只有黑和白.pdf (the file name means "the QR code only has black and white").

Rename it to .zip; extracting it yields a MaxiCode.

Decode it with zxing, then base64-decode the result.

nssctf{I_h0te_the_QRc0de!!!!}

calligraphy

Couldn't reproduce this one.

odttf2ttf errors out.

Matryoshka

A pass.txt and an encrypted archive.

image-20221216184537129

The txt contains zero-width characters; decoding them does not give the archive password, the visible text is the password.

image-20221216184638282

That yields a string of emoji.

image-20221230133342891

Having a password points to emoji-aes.

image-20221216184646352

NSSCTF{wh4t_1s_th1s_huh}

PDF && PNG

A PDF with a very thin coloured line inside it: an npiet (Piet) program.

Extract it with Acrobat and run it to get a key:

d1d_u_f1nd_Th1s_KEy_F1l3

Then decrypt the PDF with wbstego4.3

to get the flag:

NSSCTF{u_can_use_wbstego_and_find_flag}

Baldi's Basics

Write an interaction script with pwntools and solve 1000 problems:

from pwn import *
from tqdm import tqdm
# context.log_level = 'debug'
p = remote('43.143.7.97', 28712)
p.recvuntil(b'1000 problems.\n')
for i in tqdm(range(1000)):
    # each line is one arithmetic expression; eval() on data from a remote host
    # is only tolerable in a throw-away CTF script
    result = str(eval(p.recvline()))
    p.sendline(result.encode())
    p.recvuntil(b'Correct!\n')
p.interactive()

image-20221218002108694

NSSCTF{Y0u_3sc4ped_fr0m_th3_schoo1}
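The script above hands every line the server sends to eval(), which executes whatever a hostile or compromised server chooses to send. As an added example (not part of the writeup), here is an arithmetic-only evaluator built on the ast module that a solver can use in place of eval(), plus the per-line reply function the pwntools loop would call. That each line is a bare expression, and that integer-valued results are wanted without a trailing ".0", are assumptions; the problem batch is constructed.

```python
import ast
import operator

# Operators an arithmetic quiz needs; every other node type is rejected.
_BINARY = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
           ast.Div: operator.truediv, ast.FloorDiv: operator.floordiv,
           ast.Mod: operator.mod, ast.Pow: operator.pow}
_UNARY = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def safe_eval(expr: str, max_exponent: int = 64):
    """Evaluate an arithmetic expression without eval(): numeric literals, the
    operators above and parentheses only. Names, attribute access, calls, strings
    and so on raise ValueError, as does an exponent large enough to hang the solver."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and type(node.value) in (int, float):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _BINARY:
            left, right = walk(node.left), walk(node.right)
            if isinstance(node.op, ast.Pow) and abs(right) > max_exponent:
                raise ValueError("exponent too large")  # e.g. 9 ** 9 ** 9
            return _BINARY[type(node.op)](left, right)
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY:
            return _UNARY[type(node.op)](walk(node.operand))
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    try:
        tree = ast.parse(expr.strip(), mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"not an expression: {exc}") from None
    return walk(tree)


def answer_problem(line: bytes) -> bytes:
    """One server line (assumed to be a bare expression, which is what eval() on
    recvline() in the script above implies) -> the line to send back."""
    value = safe_eval(line.decode())
    if isinstance(value, float) and value.is_integer():
        value = int(value)  # assumption: the checker wants '4', not '4.0'
    return str(value).encode() + b"\n"


def solve_batch(problems):
    """The loop from the pwntools script run over a constructed batch instead of a
    socket: returns the replies in order."""
    return [answer_problem(p) for p in problems]


# Constructed problems, in the shape the script above expects.
CONSTRUCTED_PROBLEMS = [b"12 + 7 * 3\n", b"100 // 7\n", b"2 ** 10 - (3 - 5)\n", b"-5 * 4\n"]

if __name__ == "__main__":
    print(solve_batch(CONSTRUCTED_PROBLEMS))
```

In the pwntools loop, `p.sendline(answer_problem(p.recvline()))` replaces the eval() line; everything that is not arithmetic raises ValueError instead of running.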

4 byte command

A simple Python escape.

image-20221218002454796

Key part of the source:

import os  # needed by os.system below

input_data = input("> ")
if len(input_data) > 4:
    print("Oh hacker!")
    exit(0)
print('Answer: {}'.format(os.system(input_data)))

week3

TaQWaR

An image holding a 7x7 grid of QR codes; scan each one and concatenate the data.

The result is again raw PNG data, so it's nested: keep scanning.

Where I got stuck: in Python neither zxing nor pyzbar returns the raw bytes, and even after patching zxing by hand some of the data is corrupted.

image-20221216230948336

Many bytes come out as 3F.

So in the end I used zbarimg.

#!/bin/sh
# Split the 7x7 grid into 49 tiles of 123x123 px, decode each tile's raw bytes
# with zbarimg and concatenate them in order (seq -w zero-pads, so the glob
# sorts correctly). The result is itself a PNG of QR codes, so repeat until
# plain text comes out.
convert file.png -crop 123x123 ./QR/QR-%02d.png
for i in `seq -w 0 48`;
do
zbarimg --raw -Sbinary ./QR/QR-$i.png > ./QR/$i.data
done
echo "done"
cat ./QR/*.data > 0.png
zbarimg --raw -Sbinary  0.png > 1.png
zbarimg --raw -Sbinary  1.png > 2.png
zbarimg --raw -Sbinary  2.png > 3.png
zbarimg --raw -Sbinary  3.png > 4.png
zbarimg --raw -Sbinary  4.png > flag.txt
cat flag.txt

NSSCTF{T@nj1Ji_think_U_hv_qu1ck_re3p0nse}

天书 (Heavenly Script)

CRC brute force.

Use cn2an to convert the Chinese numerals in the file names to Arabic digits.

import zipfile, zlib, itertools, tqdm, cn2an

def crc_gen(length):
    # crc32 -> content for every `length`-byte string; a dict makes each lookup O(1)
    # instead of a linear list.index() scan. 2 bytes is 65536 entries; 3 bytes is
    # 16.7 million, slow to build and memory-hungry, but built only once.
    return {zlib.crc32(bytes(i)): bytes(i) for i in itertools.product(range(256), repeat=length)}

crc2 = crc_gen(2)
crc3 = crc_gen(3)

def solve():
    z = zipfile.ZipFile('flag.zip')
    crcs = [None for i in range(len(z.filelist) - 1)]

    for i in z.filelist[1:]:
        # zipfile decodes non-UTF-8 names as CP437; re-decode as GBK for the Chinese name
        filename = i.filename.encode('CP437').decode('gbk')
        # strip 'flag/第' and the 章/册/节/... suffix plus '.txt', leaving a Chinese numeral
        index = cn2an.cn2an(filename.rstrip('章册节卷本页话集回部.tx').lstrip('flag/第'))
        crcs[int(index) - 1] = i.CRC
    print(crcs)
    crcs[0] = b'Rar!'  # note: the first file is 4 bytes, so its content is set directly
    crcs = [crc2[j] if j in crc2 else j for j in crcs]
    crcs = [crc3[j] if type(j) != bytes and j in crc3 else j for j in tqdm.tqdm(crcs)]
    open('result1.rar', 'wb').write(b''.join(crcs))
    return

solve()

I tweaked the algorithm; it cut the time to a quarter, though memory use seems to have gone up.
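An added example, not the author's script: the same recovery without a 16-million-entry table. It relies on CRC-32 being affine in its initial value, so a 3- or 4-byte file costs at most 65536 prefix checks against a 65536-entry table for the last two bytes. The sample archive (3-byte files named 001.txt, 002.txt, ...) is constructed; the challenge's Chinese-numbered file names are not reproduced. Files longer than 4 bytes are out of scope: a 32-bit CRC no longer pins down their content (2^(8n-32) preimages on average), so those need extra constraints such as a known character set.

```python
import io
import itertools
import zipfile
import zlib


def crc_of(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


# crc32(two bytes) -> the two bytes. CRC-32 is injective on inputs of at most 4 bytes
# (a nonzero multiple of the degree-32 polynomial needs at least 33 bits), so no
# collision handling is needed here.
_TABLE2 = {crc_of(bytes(p)): bytes(p) for p in itertools.product(range(256), repeat=2)}


def _init_delta(state: int, length: int) -> int:
    """CRC-32 is affine in its initial value:
        crc32(m, state) == crc32(m, 0) ^ _init_delta(state, len(m))
    and the delta depends only on the state and the length, so it can be read off
    a run of `length` zero bytes."""
    zeros = bytes(length)
    return zlib.crc32(zeros, state) ^ zlib.crc32(zeros, 0)


def crc32_preimages(target: int, length: int):
    """All byte strings of `length` (1..4) whose CRC-32 equals `target`. Lengths 3 and
    4 enumerate only the first length-2 bytes and finish with one table lookup each."""
    if length == 1:
        return [bytes([b]) for b in range(256) if crc_of(bytes([b])) == target]
    if length == 2:
        return [_TABLE2[target]] if target in _TABLE2 else []
    if length not in (3, 4):
        raise ValueError("only 1..4 byte files are cheap to invert")
    found = []
    for prefix in itertools.product(range(256), repeat=length - 2):
        state = zlib.crc32(bytes(prefix))
        # want crc32(tail, state) == target, i.e. crc32(tail, 0) == target ^ delta(state)
        tail = _TABLE2.get(target ^ _init_delta(state, 2))
        if tail is not None:
            found.append(bytes(prefix) + tail)
    return found


def recover_from_zip(zip_bytes: bytes) -> bytes:
    """Rebuild the original content from the CRCs in the central directory; nothing
    is extracted, so an unknown archive password does not matter."""
    zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    pieces = []
    for info in sorted(zf.infolist(), key=lambda i: int(i.filename.split(".")[0])):
        candidates = crc32_preimages(info.CRC, info.file_size)
        if len(candidates) != 1:
            raise ValueError(f"{info.filename}: {len(candidates)} preimages")
        pieces.append(candidates[0])
    return b"".join(pieces)


def make_sample_zip(message: bytes, chunk: int = 3) -> bytes:
    """Constructed stand-in for the challenge archive: the message split into
    `chunk`-byte files named 001.txt, 002.txt, ..."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        for n, i in enumerate(range(0, len(message), chunk), start=1):
            zf.writestr(f"{n:03d}.txt", message[i:i + chunk])
    return out.getvalue()


if __name__ == "__main__":
    print(recover_from_zip(make_sample_zip(b"Rar!\x1a\x07\x00constructed")))
```

The affine trick is what makes the 4-byte case cheap: instead of 4 billion candidates it is 65536 prefixes, each finished by one dictionary lookup, and the same idea extends to any CRC-based check where the tail length is fixed.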

Invisible code

Steganography made of spaces and tabs.

The difference between Whitespace and SNOW, I think, is mainly length:

Whitespace programs are relatively shorter.

Find an online interpreter and run it:

flag{you_cant_see}

The mysterious archive

image-20221217123729577

Brute-force the 6-byte CRCs to get the password:

passwordisClassicalencryptionishint6

Password:

Classicalencryptionishint6

Extracting gives:

]cX^r:X\jXiV`jVm\ipV`ek\ijk`e^t

Brute-force ROT47 (try all shifts over the 94 printable characters) to get the flag:

flag{Caesar_is_very_intersting}
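An added example (not part of the writeup): a ROT47 that takes the shift as a parameter, and the brute force over all 93 non-trivial shifts that finds the flag above. The flag prefixes it looks for are an assumption.

```python
def rot47_shift(text: str, shift: int) -> str:
    """Rotate every printable ASCII character (0x21..0x7E, 94 symbols) by `shift`.
    shift=47 is ROT47 proper; any other shift is a Caesar cipher over the same
    alphabet, which is what 'ROT47 brute force' means."""
    out = []
    for ch in text:
        code = ord(ch)
        if 0x21 <= code <= 0x7E:
            code = 0x21 + (code - 0x21 + shift) % 94
        out.append(chr(code))
    return "".join(out)


def rot47_bruteforce(cipher: str, prefixes=("flag{", "nssctf{", "NSSCTF{")):
    """Return [(shift, plaintext)] for every shift whose output starts like a flag."""
    hits = []
    for shift in range(1, 94):
        pt = rot47_shift(cipher, shift)
        if pt.startswith(prefixes):
            hits.append((shift, pt))
    return hits


if __name__ == "__main__":
    print(rot47_bruteforce("]cX^r:X\\jXiV`jVm\\ipV`ek\\ijk`e^t"))
```

Note that shift 9 is what decrypts here, so the ciphertext was not made with ROT47 itself; running a plain ROT47 once (the usual first try) would have produced more junk.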

symbol

A Wakanda symbol substitution cipher.

image-20221217125508315

flag{SYmbol_Substitui0r_Wakanda}

week4

ez_lsp

A PNG with LSB steganography.

image-20221217133826737

Bit plane 0 of the R, G and B channels.

Extracting it yields a QR code.

image-20221217133847952

Scan it, then decode the result.

NSSCTF{Vi3_BashRc_lS_Fl4g!!!}
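An added example, not from the writeup: embedding a payload in bit plane 0 of the R, G and B samples and reading it back out of a real PNG, with a minimal PNG writer/reader (8-bit RGB, unfiltered scanlines only) so it runs without PIL or StegSolve. The cover image and the secret are constructed.

```python
import struct
import zlib


def _chunk(kind: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(kind + body) & 0xFFFFFFFF  # PNG CRC covers type + data
    return struct.pack(">I", len(body)) + kind + body + struct.pack(">I", crc)


def write_png_rgb(width: int, height: int, rgb: bytes) -> bytes:
    """Minimal 8-bit RGB PNG writer: filter type 0 on every scanline."""
    raw = b"".join(b"\x00" + rgb[y * width * 3:(y + 1) * width * 3] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def read_png_rgb(png: bytes):
    """Parse IHDR/IDAT back into (width, height, rgb bytes). Only the subset the
    writer above produces is handled; anything else is refused, not misread."""
    if png[:8] != b"\x89PNG\r\n\x1a\n":
        raise ValueError("not a PNG")
    pos, idat, width, height = 8, b"", 0, 0
    while pos < len(png):
        (length,) = struct.unpack_from(">I", png, pos)
        kind, body = png[pos + 4:pos + 8], png[pos + 8:pos + 8 + length]
        if kind == b"IHDR":
            width, height, depth, ctype = struct.unpack_from(">IIBB", body)
            if (depth, ctype) != (8, 2):
                raise ValueError("only 8-bit RGB is handled here")
        elif kind == b"IDAT":
            idat += body
        elif kind == b"IEND":
            break
        pos += 12 + length
    raw, stride = zlib.decompress(idat), width * 3 + 1
    rows = [raw[i:i + stride] for i in range(0, len(raw), stride)]
    if any(r[0] != 0 for r in rows):
        raise ValueError("filtered scanlines are not handled here")
    return width, height, b"".join(r[1:] for r in rows)


def lsb_embed(rgb: bytes, payload: bytes) -> bytes:
    """Write the payload bits, MSB first, into bit 0 of consecutive R,G,B samples."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(rgb):
        raise ValueError("payload too large for the cover image")
    out = bytearray(rgb)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def lsb_extract(rgb: bytes, nbytes: int = None) -> bytes:
    """Read bit plane 0 of the samples in R,G,B order (StegSolve: Red/Green/Blue
    plane 0, RGB order, MSB first) and pack it back into bytes."""
    if nbytes is None:
        nbytes = len(rgb) // 8
    out = bytearray()
    for i in range(nbytes):
        byte = 0
        for j in range(8):
            byte = (byte << 1) | (rgb[i * 8 + j] & 1)
        out.append(byte)
    return bytes(out)


def make_sample_png(secret: bytes, width: int = 32, height: int = 16) -> bytes:
    """Constructed cover: a smooth gradient with the secret hidden in its LSBs."""
    cover = bytes(((x * 8) & 0xFF, (y * 16) & 0xFF, 0x80)[c]
                  for y in range(height) for x in range(width) for c in range(3))
    return write_png_rgb(width, height, lsb_embed(cover, secret))


def recover_secret(png: bytes, nbytes: int = None) -> bytes:
    _w, _h, rgb = read_png_rgb(png)
    return lsb_extract(rgb, nbytes)
```

With a real challenge image the extracted bytes are written to a file and identified by their header (a PNG signature for the QR code here); the bit order and channel order are the two knobs to try when the output looks random.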

Bronya

An encrypted archive; the comment reads 2016????.

A mask attack gives the password:

20160818

That yields two identical-looking images, i.e. a two-image blind watermark.

After some trial and error, it turned out to be the Python 3 bwm two-image blind watermark.

image-20221217140223809

nssctf{Th3_P10t_S0_sweet}