i春秋解题笔记-MISC

一、编码类题目
- 1.爱吃培根的你
- 2.“百度杯”CTF比赛十二月场misc2
二、流量分析类题目
- 1.Intercepted Conversations Pt.2
三、其他
- 1.misc1-纵横四海

一、编码类题目

1.爱吃培根的你

题目：听说你也喜欢吃培根？那我们一起来欣赏一段培根的介绍吧：
bacoN is one of aMerICa’S sWEethEartS. it’s A dARlinG, SuCCulEnt fOoD tHAt PaIRs FlawLE
什么，不知道要干什么？上面这段巨丑无比的文字，为什么会有大小写呢？你能发现其中的玄机吗？
提交格式：PCTF{你发现的玄机}
题解：将题目中的字符去空格、删掉标点符号，利用CyberChef_v9.7.17工具
alphabet:standard，translation:case
输出结果：BACONISNOTFOOD
flag:PCTF{baconisnotfood}

2.“百度杯”CTF比赛十二月场misc2

题目：
i春秋解题笔记-MISC - 图1
题解：猪圈密码
i春秋解题笔记-MISC - 图2
flag{NSN}

二、流量分析类题目

1.Intercepted Conversations Pt.2

题目：We managed to intercept more of the hacker traffic unfortunately since our last encounter they have figured out that they’re being watched. They’ve gotten more clever in their communication so we need you to try to make sense of this traffic.
题解：追踪 Protocol 为 IRC 的流，可以得到一段聊天内容

PRIVMSG Cold_Storm :Hi
:Cold_Storm!~finalC@localhost PRIVMSG Ice_Venom :It's not safe here
PRIVMSG Cold_Storm :What do you mean?
:Cold_Storm!~finalC@localhost PRIVMSG Ice_Venom :Someone is listening
PRIVMSG Cold_Storm :What?!
:Cold_Storm!~finalC@localhost PRIVMSG Ice_Venom :Yea, someone intercepted our last encounter
PING LAG1470558285526987
:irc.glitch.is PONG irc.glitch.is :LAG1470558285526987
:Cold_Storm!~finalC@localhost PRIVMSG Ice_Venom :We need to be careful about what we say on open channels.
PRIVMSG Cold_Storm :Oh 0k, so what do w3 do?
:Cold_Storm!~finalC@localhost PRIVMSG Ice_Venom :I made som3thing...
:Cold_Storm!~finalC@localhost PRIVMSG Ice_Venom :S0mething that will allow us to exchange s3crets secure1y
PING LAG1470558315569084
:irc.glitch.is PONG irc.glitch.is :LAG1470558315569084
:Cold_Storm!~finalC@localhost PRIVMSG Ice_Venom :.DCC SEND encode.pyc 1494322064 1117 1737.
PING LAG1470558345608305
:irc.glitch.is PONG irc.glitch.is :LAG1470558345608305
PRIVMSG Cold_Storm :Ok
PING LAG1470558375659432
:irc.glitch.is PONG irc.glitch.is :LAG1470558375659432
PRIVMSG Cold_Storm :Wmkvw680HDzDqMK6UBXChDXCtC7CosKmw7R9w7JLwr/CoT44UcKNwp7DllpPwo3DtsOID8OPTcOWwrzDpi3CtMOKw4PColrCpXUYRhXChMK9w6PDhxfDicOdwoAgwpgNw5/Cvw==

大意是传输了一个 encode.pyc 文件，并用其加密了一段文字,密文如下：
Wmkvw680HDzDqMK6UBXChDXCtC7CosKmw7R9w7JLwr/CoT44UcKNwp7DllpPwo3DtsOID8OPTcOWwrzDpi3CtMOKw4PColrCpXUYRhXChMK9w6PDhxfDicOdwoAgwpgNw5/Cvw==
解题步骤：

导出encode.pyc文件，搜索字符串”encode.py”，选定第37个数据包，追踪TCP数据流，将数据包保存为原始数据，文件名为encode.pyc。
利用命令uncompyle6 反编译出pythond脚本out.py，uncompyle6 -o out.py encode.pyc ```python import random, base64 P = [27, 35, 50, 11, 8, 20, 44, 30, 6, 1, 5, 2, 33, 16, 36, 64, 3, 61, 54, 25, 12, 21, 26, 10, 57, 53, 38, 56, 58, 37, 43, 17, 42, 47, 4, 14, 7, 46, 34, 19, 23, 40, 63, 18, 45, 60, 13, 15, 22, 9, 62, 51, 32, 55, 29, 24, 41, 39, 49, 52, 48, 28, 31, 59] S = [68, 172, 225, 210, 148, 172, 72, 38, 208, 227, 0, 240, 193, 67, 122, 108, 252, 57, 174, 197, 83, 236, 16, 226, 133, 94, 104, 228, 135, 251, 150, 52, 85, 56, 174, 105, 215, 251, 111, 77, 44, 116, 128, 196, 43, 210, 214, 203, 109, 65, 157, 222, 93, 74, 209, 50, 11, 172, 247, 111, 80, 143, 70, 89] inp = input() inp += ‘’.join(chr(random.randint(0, 47)) for _ in range(64 - len(inp) % 64)) print(inp)

ans = [‘’ for i in range(len(inp))] for j in range(0, len(inp), 64): for i in range(64): ans[j + P[i] - 1] = chr((ord(inp[(j + i)]) + S[i]) % 256) ans = ‘’.join(ans)

print(base64.b64encode(ans.encode(‘utf8’)).decode(‘utf8’))


3. 解密程序大意：将输入的内容用0-47随机ascii码补全，长度为64的整数倍，用j、i两层循环由inp得到ans，题目给出的base64加密字符串解码后的长度为64，所以输入的inp长度不超过64，所以第一层循环实际只运行了j=0一次。所以解密程序简化为如下代码：
```python
import  base64
P = [27, 35, 50, 11, 8, 20, 44, 30, 6, 1, 5, 2, 33, 16, 36, 64, 3, 61, 54, 25, 12, 21, 26, 10, 57, 53, 38, 56, 58, 37, 43, 17, 42, 47, 4, 14, 7, 46, 34, 19, 23, 40, 63, 18, 45, 60, 13, 15, 22, 9, 62, 51, 32, 55, 29, 24, 41, 39, 49, 52, 48, 28, 31, 59]
S = [68, 172, 225, 210, 148, 172, 72, 38, 208, 227, 0, 240, 193, 67, 122, 108, 252, 57, 174, 197, 83, 236, 16, 226, 133, 94, 104, 228, 135, 251, 150, 52, 85, 56, 174, 105, 215, 251, 111, 77, 44, 116, 128, 196, 43, 210, 214, 203, 109, 65, 157, 222, 93, 74, 209, 50, 11, 172, 247, 111, 80, 143, 70, 89]

ans_b64="Wmkvw680HDzDqMK6UBXChDXCtC7CosKmw7R9w7JLwr/CoT44UcKNwp7DllpPwo3DtsOID8OPTcOWwrzDpi3CtMOKw4PColrCpXUYRhXChMK9w6PDhxfDicOdwoAgwpgNw5/Cvw=="
ans=base64.b64decode(ans_b64).decode('utf8')

inp=[]
for i in range(64):
    inp.append('')

for i in range(64):
    inp[i]=chr((ord(ans[P[i]-1])-S[i]+256)%256)

inp = ''.join(inp)
print(inp)

flag:IceCTF{4Lw4y5_US3_5s1_AnD_n3VR4r_mAKe_Y0ur_0wN_cRyp70}
注意：第6行代码ans=base64.b64decode(ans_b64).decode(‘utf8’)，
如果改为ans= str(base64.b64decode(ans_b64))没有得到正确结果，求高手批点。

三、其他

1.misc1-纵横四海

题目：有句话说的好，天下分久必合，合久必分，题目给出一个压缩包，里面包含名称为dabiaojieaa、dabiaojieab…等件，每个文件包含flag的一个字字母。
题解：
[1]将文件内容指输出到指定文个new.txt，此时nex.txt文件每行包含一个flag字母，需要将其在一行输出。
cat dabiaojie* > new.txt
[2]将多行文件内容输出至一行：
cat new.txt |xargs echo
[3]将输出内容中替换所有换行得flag。
xargs 用法：https://www.runoob.com/linux/linux-comm-xargs.html