BeginCTF2024 WP

文章发布时间:

最后更新时间:

MISC:

问卷

image-20240205141014619

real check in

image-20240131111154377

使用CyberChef直接解:

image-20240131111301602

FLAG:begin{WELCOMe_to_B3GinCTF_2024_H0Pe_YOU_wiL1_11ke_i7}

Tupper

使用python脚本把所有文件内的字符按照文件顺序从小到大依次提取合并输出

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
import os

def read_files(folder_path):
    result = ""
    file_list = sorted(os.listdir(folder_path), key=lambda x: int(os.path.splitext(x)[0]))
    for file_name in file_list:
        file_path = os.path.join(folder_path, file_name)
        if os.path.isfile(file_path):
            with open(file_path, 'r') as file:
                content = file.read()
                result += content
    return result

folder_path = "D://Document//BeginCTF(自由赛道)//MISC//tupper"
output = read_files(folder_path)
print(output)

得到下面的值使用base64解码:

1
MTQyNzgxOTM0MzI3MjgwMjYwNDkyOTg1NzQ1NzU1NTc1MzQzMjEwNjIzNDkzNTI1NDM1NjI2NTY3NjY0Njk3MDQwOTI4NzQ2ODgzNTQ2NzkzNzEyMTI0NDQzODIyOTg4MjEzNDIwOTM0NTAzOTg5MDcwOTY5NzYwMDI0NTg4MDc1OTg1MzU3MzUxNzIxMjY2NTc1MDQxMzExNzE2ODQ5MDcxNzMwODY2NTk1MDUxNDM5MjAzMDAwODU4MDg4MDk2NDcyNTY3OTAzODQzNzg1NTM3ODAyODI4OTQyMzk3NTE4OTg2MjAwNDExNDMzODMzMTcwNjQ3MjcxMzY5MDM2MzQ3NzA5MzYzOTg1MTg1NDc5MDA1MTI1NDg0MTk0ODYzNjQ5MTUzOTkyNTM5NDEyNDU5MTEyMDUyNjI0OTM1OTExNTg0OTc3MDgyMTkxMjY0NTM1ODc0NTY2MzczMDI4ODg3MDEzMDMzODIyMTA3NDg2Mjk4MDAwODE4MjE2ODQyODMxODczNjg1NDM2MDE1NTk3Nzg0MzE3MzUwMDY3OTQ3NjE1NDI0MTMwMDY2MjEyMTkyMDczMjI4MDg0NDkyMzIwNTA1Nzg4NTI0MzEzNjE2Nzg3NDUzNTU3NzY5MjExMzIzNTI0MTk5MzE5MDc4MzgyMDUwMDExODQ=

解码得到:

1
14278193432728026049298574575557534321062349352543562656766469704092874688354679371212444382298821342093450398907096976002458807598535735172126657504131171684907173086659505143920300085808809647256790384378553780282894239751898620041143383317064727136903634770936398518547900512548419486364915399253941245911205262493591158497708219126453587456637302888701303382210748629800081821684283187368543601559778431735006794761542413006621219207322808449232050578852431361678745355776921132352419931907838205001184

根据题目:tupper 自我指涉公式生成图片,使用的这个网站在线生成https://tuppers-formula.ovh/

image-20240131162448257

FLAG:begin{T4UUPER!}

where is crazyman v1.0

image-20240201174425939

FLAG:begin{秋叶原}

where is crazyman v2.0

image-20240201173939503

FLAG:begin{Boulevard World}

WEB:

zupload

image-20240201162559944

FLAG:begin{jUs7_reAd_924f8274a285}

Reverse:

real checkin xor

1
2
3
4
5
6
7
8
9
10
11
12
13
def verify_func(ciper,key):
    encrypted = []
    for i in range(len(ciper)):
        encrypted.append(ord(ciper[i])^ord(key[i%len(key)]))
    return encrypted

secret = [7, 31, 56, 25, 23, 15, 91, 21, 49, 15, 33, 88, 26, 48, 60, 58, 4, 86, 36, 64, 23, 54, 63, 0, 54, 22, 6, 55, 59, 38, 108, 39, 45, 23, 102, 27, 11, 56, 32, 0, 82, 24]
print("这是一个保险箱,你能输入相关的key来进行解密吗?")
input_line = input("请输入key > ")
if verify_func(input_line,"ez_python_xor_reverse") == secret:
    print("密码正确")
else:
    print("密码错误")

解密程序

1
2
3
4
5
6
7
8
9
10
11
# ### 解密程序
# def decrypt_func(cipher, key):
#     decrypted = []
#     for i in range(len(cipher)):
#         decrypted.append(chr(cipher[i] ^ ord(key[i % len(key)])))
#     return ''.join(decrypted)
# cipher = [7, 31, 56, 25, 23, 15, 91, 21, 49, 15, 33, 88, 26, 48, 60, 58, 4, 86, 36, 64, 23, 54, 63, 0, 54, 22, 6, 55, 59, 38, 108, 39, 45, 23, 102, 27, 11, 56, 32, 0, 82, 24]
# key = "ez_python_xor_reverse"

# plaintext = decrypt_func(cipher, key)
# print("解密结果:", plaintext)

FLAG:begin{3z_PY7hoN_r3V3rSE_For_TH3_Be9inNEr!}

Forensics:

逆向工程(reverse)入门指南

打开是PDF文件直接全选标注颜色发现上面有一块Ctrl+A全选

image-20240202194857190

Ctrl+V复制到其他地方查看发现flag

1
2
3
4
(省略了其他的内容)
查看AndroidManifest.xml 中 \<application> 元
素中是否包含了 android:debuggable="true"
begin{0kay_1_thiNK_YoU_Ar3_a1Re@DY_rE4D_6uiDe8ooK_AnD_9OT_FL46}

FLAG:begin{0kay_1_thiNK_YoU_Ar3_a1Re@DY_rE4D_6uiDe8ooK_AnD_9OT_FL46}

学取证咯 - cmd

执行:volatility_2.6_win64_standalone.exe -f 学取证咯.raw –profile=Win7SP1x64 cmdscan

image-20240202201243214

FLAG:begin{Cmd_1in3_109_i5_imp0rt@nt}

学取证咯 - 还记得ie吗?

开始使用

1
volatility_2.6_win64_standalone.exe -f 学取证咯.raw --profile=Win7SP0x64 iehistory

并未找到flag

搜索教程中发现浏览器的历史记录有本地文件,使用

1
volatility_2.6_win64_standalone.exe -f 学取证咯.raw --profile=Win7SP0x64 filescan

查找浏览器的历史文件history文件夹相关文件

image-20240202214801024

根据下图左侧的0x编号提取文件

1
volatility_2.6_win64_standalone.exe -f 学取证咯.raw --profile=Win7SP0x64 dumpfiles -Q 0x000000001e62b430 -D ./

image-20240202214825503

提取出来的bat文件改成txt搜索flag找到flag(顺便发现另一题的机密文件)

image-20240202215024983

FLAG:begin{Y0v_c@n_g3t_th3_i3hi5t0ry}

学取证咯 - 机密文件

机密文件

image-20240202215713168

同样把文件提取出来改名字后缀直接打开得到flag

1
volatility_2.6_win64_standalone.exe -f 学取证咯.raw --profile=Win7SP0x64 dumpfiles -Q 0x000000001e742dd0 -D ./

image-20240202215817463

FLAG:begin{Y0v_c@n_d0vvn_th3_fi13}