
Partial write-up for UNCTF 2020

2022-06-24 01:10:00 ruochen

# UNCTF 2020 partial write-up

unctf2020

Misc

1、baba_is_you

<img src="https://img-blog.csdnimg.cn/img_convert/8547368f4537fbf56d66e58f9be38745.png" alt="">

The challenge description hints that we need to understand the PNG file format.

The attachment is a PNG image.

Opening it in 010 Editor reveals a Bilibili URL:

<pre><code>https://www.bilibili.com/video/BV1y44111737

</code></pre>

Visit it and check the comments section to get the flag.

flag:

unctf{let's_study_pwn}

2、Yin Yang person coding

<img src="https://img-blog.csdnimg.cn/img_convert/582303b9263161738a2a3a1318115420.png" alt="">

The attachment is a PDF full of text (baffling at first glance). Reading through it, only three distinct sarcastic ("yin-yang") phrases appear:

"Is this .", "Won't! !" and "Is this ¿"

Combined with the "coding" in the title, this points to the Ook! encoding.

So replace "Is this ." with "Ook.",

"Won't! !" with "Ook!",

and "Is this ¿" with "Ook?".

The result is an Ook! program.


Paste it into an online Ook! decoder:

https://www.splitbrain.org/services/ook

which gives:

<img src="https://img-blog.csdnimg.cn/img_convert/cc72754548ef40ddf93b571d845268bb.png" alt="">

flag{9_zhe_Jiu_zhe_8_hui_8}
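The substitution and decoding can also be done offline. The following is an added example, not part of the original write-up: it maps the three phrases to Ook! tokens, translates token pairs to Brainfuck and runs the result. The phrases are taken as rendered on this page, the sample text is constructed by the example itself, and all function names are the example's own.

```python
import re

# Phrase -> Ook! token, as described in the write-up (phrases as rendered on this page).
PHRASE_TO_OOK = {"Is this .": "Ook.", "Won't! !": "Ook!", "Is this ¿": "Ook?"}

# Ook! is Brainfuck written as token pairs (standard Ook! definition).
OOK_TO_BF = {
    ("Ook.", "Ook?"): ">", ("Ook?", "Ook."): "<",
    ("Ook.", "Ook."): "+", ("Ook!", "Ook!"): "-",
    ("Ook!", "Ook."): ".", ("Ook.", "Ook!"): ",",
    ("Ook!", "Ook?"): "[", ("Ook?", "Ook!"): "]",
}


def phrases_to_ook(text):
    """Replace each phrase by its Ook! token."""
    for phrase, token in PHRASE_TO_OOK.items():
        text = text.replace(phrase, token + " ")
    return text


def ook_to_bf(ook):
    """Translate Ook! source to Brainfuck; whitespace between tokens is irrelevant."""
    tokens = re.findall(r"Ook[.!?]", ook)
    if len(tokens) % 2:
        raise ValueError("odd number of Ook! tokens, input is truncated")
    bf = []
    for pair in zip(tokens[0::2], tokens[1::2]):
        if pair not in OOK_TO_BF:
            raise ValueError("undefined token pair: %s %s" % pair)
        bf.append(OOK_TO_BF[pair])
    return "".join(bf)


def run_bf(code, max_steps=1_000_000, tape_len=30000):
    """Minimal Brainfuck interpreter with 8-bit cells, no input and a step limit."""
    stack, jump = [], {}
    for i, ch in enumerate(code):
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            if not stack:
                raise ValueError("unbalanced ]")
            j = stack.pop()
            jump[i], jump[j] = j, i
    if stack:
        raise ValueError("unbalanced [")
    tape, ptr, pc, steps, out = [0] * tape_len, 0, 0, 0, []
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded")
        ch = code[pc]
        if ch == ">":
            ptr += 1
        elif ch == "<":
            ptr -= 1
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) % 256
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) % 256
        elif ch == ".":
            out.append(chr(tape[ptr]))
        elif ch == ",":
            tape[ptr] = 0                      # no input stream: read as 0
        elif ch == "[" and tape[ptr] == 0:
            pc = jump[pc]
        elif ch == "]" and tape[ptr] != 0:
            pc = jump[pc]
        if not 0 <= ptr < tape_len:
            raise IndexError("tape pointer out of range")
        pc += 1
    return "".join(out)


def decode(text):
    return run_bf(ook_to_bf(phrases_to_ook(text)))


def bf_to_phrases(bf):
    """Build a constructed sample: encode a Brainfuck program with the three phrases."""
    bf_to_pair = {cmd: pair for pair, cmd in OOK_TO_BF.items()}
    ook_to_phrase = {tok: phrase for phrase, tok in PHRASE_TO_OOK.items()}
    return " ".join(ook_to_phrase[tok] for cmd in bf for tok in bf_to_pair[cmd])


# Constructed sample (not the challenge PDF): a program that prints "OK".
SAMPLE_BF = "++++++++[->++++++++++<]>-.----."
SAMPLE_TEXT = bf_to_phrases(SAMPLE_BF)

if __name__ == "__main__":
    print(decode(SAMPLE_TEXT))
```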

3、My adventures

<img src="https://img-blog.csdnimg.cn/img_convert/11ae250413b443e38cbe33bcb48cb24c.png" alt="">

The attachment is fairly large; downloading it gives a game (a "suffocating" one to actually play through).

Take a look at its files:

<img src="https://img-blog.csdnimg.cn/img_convert/c2c51a77305746d79d6bb42cb64a702c.png" alt="">

There is a www folder; open it (as everyone knows, the main resources all live in this folder).

<img src="https://img-blog.csdnimg.cn/img_convert/20d0585bdd85bfc6746e5814d809f948.png" alt="">

index.html is the root page. Opening it directly just shows an error, which is expected since the environment has not been set up.

<img src="https://img-blog.csdnimg.cn/img_convert/dce454ec72add5afa773c11cf3f365f8.png" alt="">

But the error gives a hint: the data folder is important.

Inside it is a bunch of JSON files. At first the series of map00x.json files catches the eye; they appear to hold the tasks for each level, but none of them contains the flag. The flag finally turns up in Items.json, together with the earlier fake flags.

<img src="https://img-blog.csdnimg.cn/img_convert/fb61f57c952293ec06e89e89d5a7ce53.png" alt="">

UNCTF{WelC0me_70_UNCTF2oZ0~}

4、YLB’s CAPTCHA - Sign in problem

<img src="https://img-blog.csdnimg.cn/img_convert/f148efa72357b29e1a92d8b3c4bff632.png" alt="">

Open the web page and press Ctrl+U to view the page source:

```html
<body>
    <div class="quote" id="neat"> The NBA finals    Speed   YLB   Verification Code    Server down   CISCN   You know   RNM, Refund    There's no code    The down platform   2020  WIFI   Issue   AWD   Industry cancer    The garbage    The platform of the underworld   CTF Spring Festival Gala   phpstudy   Together with the organizers AWD   Target reset   Misc The players are ecstatic    International factory    Broken net   Oo0ilLlWwKkSsOoPpCcZz   Platform features    If you don't want to fight, you can not   PATCH   bad    player AD   Yilinbo    applause   Python Sign in Pwn topic   Docker Distribution mechanism    The rules jump back and forth   BuildBreakFix  OCR   The platform is under attack   AP Isolation    Operation and maintenance is a newcomer    Volunteer to host the competition    Raise the industry's visibility   40 questions , Just 4 The problem can be used    encourage PY   Pheasant competition    Just drive MYSQL Of WEB topic   ylb Is it out of business    Buy equipment and raise scores    The most important game , The most rubbish platform    It can't be handed in flag  YLBNB   The revelry of knowing    Please don't give ylb Pressure    Three and a half hours of problem solving    Change the competition system temporarily    I wish you can close down soon    Yi LiNbO is a great force    The whole field is waiting for the platform to be repaired   player Attack The organizers Defense   Free happy water </div>
    <form action="./index.php" method="post">
        <img src="image_captcha.php"  onclick="this.src='image_captcha.php?'+new Date().getTime();"><br/>
        <input type="text" name="captcha" placeholder="Entry the CAPTCHA" style="text-align: center;background-color: #53656f;"><br/>
        <input type="submit" value="Submit" class="button">
    </form>
<script src="./title.js"></script>
</body>
```

Notice that there is one more line at the bottom:

```html
<p>Get 10 points to get flag<br>Your point: </p>
```

In other words, the most direct approach is to read the CAPTCHAs correctly until you have 10 points, and then you get the flag.

Since the CAPTCHA is hard to read, save the image and use Stegsolve to switch color channels until it is legible.

【Note】 The input is case-sensitive!!!

【One wrong step and everything is lost】 This gives:

UNCTF{7ed2cc4f-184b-43ec-bc21-bc100dbdf9f6}

5、Hide and seek

<img src="https://img-blog.csdnimg.cn/img_convert/89bb4c29602c78eeba615d614e464b11.png" alt="">

The attachment is an Excel file. 010 Editor shows that it starts with 504B0304, so change the extension to .zip; the contents turn out to be mostly XML files. Open them in IDEA to look through them.

In the end, sharedStrings.xml contains something odd:

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="2" uniqueCount="2"><si><t>dW5jdGYlN0I3MzgzYjY3ZGU5MTA2YTZmMTBmZGJlNGU4ZWJjNjRjZSU3RA==</t><phoneticPr fontId="1" type="noConversion"/></si><si><t> You moved the cat away , But you can't find flag</t><phoneticPr fontId="1" type="noConversion"/></si></sst>
```

Note the Base64-encoded string:

dW5jdGYlN0I3MzgzYjY3ZGU5MTA2YTZmMTBmZGJlNGU4ZWJjNjRjZSU3RA==

Base64-decoding it, and then URL-decoding the %7B and %7D in the result, gives the flag:

unctf{7383b67de9106a6f10fdbe4e8ebc64ce}
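The same steps without renaming or an IDE, as an added example that is not part of the original write-up: it opens the workbook as a ZIP, reads xl/sharedStrings.xml, and Base64- then URL-decodes any string that looks like Base64. The in-memory workbook is constructed from the XML shown above and contains only that one part; the function names are the example's own.

```python
import base64
import binascii
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import unquote

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# Constructed sample: the sharedStrings.xml content quoted in the write-up.
SAMPLE_SHARED_STRINGS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    '<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
    'count="2" uniqueCount="2">'
    "<si><t>dW5jdGYlN0I3MzgzYjY3ZGU5MTA2YTZmMTBmZGJlNGU4ZWJjNjRjZSU3RA==</t>"
    '<phoneticPr fontId="1" type="noConversion"/></si>'
    "<si><t> You moved the cat away , But you can't find flag</t>"
    '<phoneticPr fontId="1" type="noConversion"/></si>'
    "</sst>"
)


def build_sample_workbook():
    """Return the bytes of a minimal ZIP holding only xl/sharedStrings.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/sharedStrings.xml", SAMPLE_SHARED_STRINGS)
    return buf.getvalue()


def shared_strings(xlsx_bytes):
    """An .xlsx file is a ZIP archive; return every shared string it stores."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        root = ET.fromstring(zf.read("xl/sharedStrings.xml"))
    return [
        "".join(t.text or "" for t in si.iterfind(".//m:t", NS))
        for si in root.iterfind("m:si", NS)
    ]


def decode_candidates(strings):
    """Base64-decode, then URL-decode, every string that is plausibly Base64."""
    hits = []
    for s in strings:
        s = s.strip()
        if len(s) % 4 or not B64_RE.fullmatch(s):
            continue
        try:
            text = base64.b64decode(s, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # looked like Base64 but is not printable text
        hits.append(unquote(text))
    return hits


if __name__ == "__main__":
    for hit in decode_candidates(shared_strings(build_sample_workbook())):
        print(hit)
```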

6、Deep in the Internet 1

<img src="https://img-blog.csdnimg.cn/img_convert/2903624ec93d2c3c655df1f48260131b.png" alt="">

The attachment contains a dial-tone audio file, a txt file with the scenario introduction, and a password-protected archive.

The txt contains a long string of digits, which is presumably where the flag ultimately comes from.

636806841748368750477720528895492611039728818913495104112781919263174040060359776171712496606031373211949881779178924464798852002228370294736546700438210687486178492208471812570216381077341015321904079977773352308159585335376746026882907466893864815887274158732965185737372992697108862362061582646638841733361046086053127284900532658885220569350253383469047741742686730128763680253048883638446528421760929131783980278391556912893405214464624884824555647881352300550360161429758833657243131238478311219915449171358359616665570429230738621272988581871

The txt makes it clear that the archive has to be unpacked before the meaning of these digits can be understood.

The archive password is the phone number, that is, it is contained in the dial tones.

You could identify the digits by ear, but (for me) that is wishful thinking.

Go straight to a tool: dtmf2num.exe

After downloading it, run:

```
dtmf2num.exe  Dial tone .wav
```

The output:

```
DTMF2NUM 0.1.1
by Luigi Auriemma
e-mail: [email protected]
web:    aluigi.org

- open  Dial tone .wav
  wave size      35200
  format tag     1
  channels:      1
  samples/sec:   8000
  avg/bytes/sec: 16000
  block align:   2
  bits:          16
  samples:       17600
  bias adjust:   -3
  volume peaks:  -29471 29471
  normalize:     3296

- MF numbers:    74

- DTMF numbers:  15975384265
```

The archive password is 15975384265. Extracting the archive yields another audio file and a txt.
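What a DTMF decoder does with such a recording, as an added example (this is not dtmf2num's code): each key is a pair of tones, one from a row frequency group and one from a column group, and the Goertzel algorithm measures the power at just those eight frequencies per frame. The 8000 Hz rate comes from the tool output above; the test signal is synthesized by the example, and its tone and gap lengths are assumptions.

```python
import math

RATE = 8000                      # samples/sec, as reported by dtmf2num above
ROWS = (697, 770, 852, 941)      # standard DTMF low-group frequencies (Hz)
COLS = (1209, 1336, 1477, 1633)  # standard DTMF high-group frequencies (Hz)
KEYS = ("123A", "456B", "789C", "*0#D")


def synth(digits, tone=800, gap=800):
    """Constructed signal: `tone` samples of the key's two tones, then `gap` of silence."""
    pos = {key: (r, c) for r, row in enumerate(KEYS) for c, key in enumerate(row)}
    samples = []
    for digit in digits:
        r, c = pos[digit]
        for i in range(tone):
            t = i / RATE
            samples.append(0.5 * math.sin(2 * math.pi * ROWS[r] * t)
                           + 0.5 * math.sin(2 * math.pi * COLS[c] * t))
        samples.extend([0.0] * gap)
    return samples


def goertzel(frame, freq):
    """Squared magnitude of `frame` at one frequency (Goertzel recurrence)."""
    coeff = 2 * math.cos(2 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def decode_dtmf(samples, frame_len=200, min_share=0.25):
    """Return the key sequence; a key is reported once per uninterrupted tone."""
    digits, last = [], None
    for start in range(0, len(samples) - frame_len + 1, frame_len):
        frame = samples[start:start + frame_len]
        energy = sum(x * x for x in frame)
        key = None
        if energy > 1e-6:                       # skip silent frames
            row_pow = [goertzel(frame, f) for f in ROWS]
            col_pow = [goertzel(frame, f) for f in COLS]
            r = row_pow.index(max(row_pow))
            c = col_pow.index(max(col_pow))
            # A clean dual tone puts about half of energy * frame_len / 2 into each
            # of its two bins; require both so that a single tone is not accepted.
            floor = min_share * energy * frame_len / 2
            if row_pow[r] > floor and col_pow[c] > floor:
                key = KEYS[r][c]
        if key is not None and key != last:
            digits.append(key)
        last = key
    return "".join(digits)


if __name__ == "__main__":
    print(decode_dtmf(synth("15975384265")))
```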

From the txt we learn that the audio holds a major clue for cracking the digits.

Opening the audio file in Audacity and checking the waveform shows nothing.

Switching to the spectrogram view reveals a keyword: tupper

<img src="https://img-blog.csdnimg.cn/img_convert/98fce41738d9eb214b210cf193fd4b68.png" alt="">

I didn't know what it meant at first, so I searched Baidu for tupper; after many searches, eureka: Tupper's self-referential formula, which maps a number to an image.

So, on to the script (the mysterious number is actually k):

```python
"""
 Copyright (c) 2012, 2013 The PyPedia Project, http://www.pypedia.com
 <br>All rights reserved.

 Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

 # Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
 # Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
 ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
 ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

 http://www.opensource.org/licenses/BSD-2-Clause
 """

__pypdoc__ = r"""
 Method: Tupper_self_referential_formula
 Link: http://www.pypedia.com/index.php/Tupper_self_referential_formula
 Retrieve date: Tue, 11 Mar 2014 03:15:49 +0200

 Plots the [http://en.wikipedia.org/wiki/Tupper's_self-referential_formula Tupper's_self-referential_formula]:
 : <math>{1\over 2} < \left\lfloor \mathrm{mod}\left(\left\lfloor {y \over 17} \right\rfloor 2^{-17 \lfloor x \rfloor - \mathrm{mod}(\lfloor y\rfloor, 17)},2\right)\right\rfloor</math>

 The plot is the very same formula that generates the plot. 

 [[Category:Validated]]
 [[Category:Algorithms]]
 [[Category:Math]]
 [[Category:Inequalities]]

 """


def Tupper_self_referential_formula():
    k = 636806841748368750477720528895492611039728818913495104112781919263174040060359776171712496606031373211949881779178924464798852002228370294736546700438210687486178492208471812570216381077341015321904079977773352308159585335376746026882907466893864815887274158732965185737372992697108862362061582646638841733361046086053127284900532658885220569350253383469047741742686730128763680253048883638446528421760929131783980278391556912893405214464624884824555647881352300550360161429758833657243131238478311219915449171358359616665570429230738621272988581871
    # love yiran

    def f(x, y):
        # d = -17*x - (y mod 17) is the (non-positive) exponent of 2 in the formula
        d = ((-17 * x) - (y % 17))
        # dividing by 2^(-d) replaces multiplying by 2^d and keeps everything an integer
        e = 2 ** (-d)
        # integer division (//) is required on Python 3; these numbers overflow a float
        f = ((y // 17) // e)
        g = f % 2
        return 0.5 < g

    # 17 rows of 107 columns, printed from the top row down
    for y in range(k + 16, k - 1, -1):
        line = ""
        for x in range(0, 107):
            if f(x, y):
                line += "@"
            else:
                line += " "
        print(line)


# Method name = Tupper_self_referential_formula()
if __name__ == '__main__':
    # print __pypdoc__

    returned = Tupper_self_referential_formula()
    if returned:
        print(str(returned))
```

Run it:

<img src="https://img-blog.csdnimg.cn/img_convert/478f42de3c7eca30dfa2856309574954.png" alt="">

It reads better from a distance!

<img src="https://img-blog.csdnimg.cn/img_convert/8b26999f517e23186ca7319f4dc64a1e.png" alt="">

This gives the flag:

flag{Y29pbA==}

7、The deleted flag

<img src="https://img-blog.csdnimg.cn/img_convert/8a359dbca06a0feac29c6b1230f78485.png" alt="">

The attachment is a file named flag.

Its format is unknown, so open it directly in 010 Editor and press Ctrl+F to search for unctf; the flag shows up.

unctf{congratulations!}

8、Can you crack my password

<img src="https://img-blog.csdnimg.cn/img_convert/8ff3e5fa5ec5364caddfc7cd38ace258.png" alt="">

The attachment is a shadow file:

```
root:!:18556:0:99999:7:::
daemon:*:18474:0:99999:7:::
bin:*:18474:0:99999:7:::
sys:*:18474:0:99999:7:::
sync:*:18474:0:99999:7:::
games:*:18474:0:99999:7:::
man:*:18474:0:99999:7:::
lp:*:18474:0:99999:7:::
mail:*:18474:0:99999:7:::
news:*:18474:0:99999:7:::
uucp:*:18474:0:99999:7:::
proxy:*:18474:0:99999:7:::
www-data:*:18474:0:99999:7:::
backup:*:18474:0:99999:7:::
list:*:18474:0:99999:7:::
irc:*:18474:0:99999:7:::
gnats:*:18474:0:99999:7:::
nobody:*:18474:0:99999:7:::
systemd-network:*:18474:0:99999:7:::
systemd-resolve:*:18474:0:99999:7:::
systemd-timesync:*:18474:0:99999:7:::
messagebus:*:18474:0:99999:7:::
syslog:*:18474:0:99999:7:::
_apt:*:18474:0:99999:7:::
tss:*:18474:0:99999:7:::
uuidd:*:18474:0:99999:7:::
tcpdump:*:18474:0:99999:7:::
avahi-autoipd:*:18474:0:99999:7:::
usbmux:*:18474:0:99999:7:::
rtkit:*:18474:0:99999:7:::
dnsmasq:*:18474:0:99999:7:::
cups-pk-helper:*:18474:0:99999:7:::
speech-dispatcher:!:18474:0:99999:7:::
avahi:*:18474:0:99999:7:::
kernoops:*:18474:0:99999:7:::
saned:*:18474:0:99999:7:::
nm-openvpn:*:18474:0:99999:7:::
hplip:*:18474:0:99999:7:::
whoopsie:*:18474:0:99999:7:::
colord:*:18474:0:99999:7:::
geoclue:*:18474:0:99999:7:::
pulse:*:18474:0:99999:7:::
gnome-initial-setup:*:18474:0:99999:7:::
gdm:*:18474:0:99999:7:::
guguguguji:$1$AH$xtjky.3kppbU27tR0SDJT.:18556:0:99999:7:::
systemd-coredump:!!:18556::::::
```

The shadow file is where a Linux system stores password hashes, readable only by root. It can be cracked with John the Ripper (john).

Download address: http://www.openwall.com/john/

After extracting it, go into the run directory, put the shadow file there, and run:

```
john --show shadow
```

<img src="https://img-blog.csdnimg.cn/img_convert/217c8ab3aa0d43ae262e672faed0335b.png" alt="">

This gives the password: 123456

The flag is the MD5 of that password:

unctf{e10adc3949ba59abbe56e057f20f883e}

9、mouse_click

<img src="https://img-blog.csdnimg.cn/img_convert/9f8d7bf1d6fba312c3fe0a3f45471cea.png" alt="">

The attachment is mouse_click.pcapng, so this is clearly USB traffic analysis.

<img src="https://img-blog.csdnimg.cn/img_convert/111c7b9095ab1c774336f42558bbe51a.png" alt="">

For a USB mouse, the data is in the Leftover Capture Data field and is four bytes long.

The first byte represents the buttons:

0x00 means no button is pressed, 0x01 means the left button, and 0x02 means the right button.

The second byte is the horizontal offset of the mouse:

a positive value is the number of pixels moved to the right, a negative value the number of pixels moved to the left.

The third byte is analogous to the second and represents the vertical (up/down) offset.

1、Export the Leftover Capture Data field from mouse_click.pcapng

```
tshark -r mouse_click.pcapng -T fields -e usb.capdata > data.txt
tshark -r mouse_click.pcapng -T fields -e usb.capdata | sed '/^\s*$/d' > data.txt # extract and remove empty lines
```

This produces the data.txt file shown below:

<img src="https://img-blog.csdnimg.cn/img_convert/ebf404c9143914c36fe8281baf19df14.png" alt="">

2、Normalize to colon format

Usually the extracted data has colons, in the form xx:xx:xx:xx

so run the script maohao.py:

```python
# maohao.py: rewrite each 4-byte record "aabbccdd" as "aa:bb:cc:dd"
with open('data.txt', 'r') as f, open('out.txt', 'w') as fi:
    for raw in f:
        a = raw.strip()
        if len(a) == 8:  # for mouse traffic the length is 8; for keyboard traffic it is 16
            # split into two-character bytes and join them with colons
            out = ':'.join(a[i:i + 2] for i in range(0, len(a), 2))
            fi.write(out)
            fi.write('\n')
```

```
python maohao.py
```

3、Convert the mouse traffic to coordinates

Next, convert the mouse traffic into x/y coordinates by running the script mouse.py below:

```python
# mouse.py: accumulate the relative offsets and record the position on every left click
posx = 0
posy = 0
with open('out.txt', 'r') as keys, open('xy.txt', 'w') as f:
    for line in keys:
        if len(line) != 12:  # "xx:xx:xx:xx" plus the trailing newline
            continue
        x = int(line[3:5], 16)
        y = int(line[6:8], 16)
        # the offsets are signed 8-bit values
        if x > 127:
            x -= 256
        if y > 127:
            y -= 256
        posx += x
        posy += y
        btn_flag = int(line[0:2], 16)  # 1 for left , 2 for right , 0 for nothing
        if btn_flag == 1:
            f.write(str(posx))
            f.write(' ')
            f.write(str(posy))
            f.write('\n')
```

```
python mouse.py
```

This gives:

<img src="https://img-blog.csdnimg.cn/img_convert/5816a41203089a328d5c2d4a5cf8078a.png" alt="">

4、Plot with gnuplot

Run gnuplot.exe to draw the image:

```
gnuplot> plot "xy.txt"
gnuplot>
```

The result:

<img src="https://img-blog.csdnimg.cn/img_convert/268319d24ba1d4753886f41f8675a65b.png" alt="">

Clearly the image is upside down. Flip it vertically and the flag appears.

<img src="https://img-blog.csdnimg.cn/img_convert/f00f2d5ea64a4e63452b3e44bd0e7737.png" alt="">

unctf{[email protected]}

10、Torn QR code

<img src="https://img-blog.csdnimg.cn/img_convert/0523299abf404b5aa73c5a1194061f26.png" alt="">

The attachment is a QR code, but it is incomplete.

<img src="https://img-blog.csdnimg.cn/img_convert/1ecabf05dd233dc257439b9edf3efc7f.png" alt="">

A QR code has three finder patterns. Restore the missing one in the upper-right corner and the code scans to give the flag.

<img src="https://img-blog.csdnimg.cn/img_convert/6e1014d3bb36df13f491fdbfb0f12560.png" alt="">

Also remember to shrink the QR code a little when scanning it.

unctf{[email protected]}

11、Inverted reflection in water

<img src="https://img-blog.csdnimg.cn/img_convert/24878f5ce6bf1dabd92e6502b484b1ee.png" alt="">

The attachment is an .exe named "inverted reflection in water". Opening it in 010 Editor shows the file header FF D8 FF E0, so it is obviously a JPG image.

Scrolling to the end of the file, there is a Base64-encoded string:

MDAwMDAwMDAwMEI0MDAwMDAwQTUwMDEwMDAxMDAwMDAwMDAwNjA1MEI0MDUxMDZENkE5RUEyNEU1NzY3MTA2RDdBRDU4QUMyMjk0MDEwNkQ3QUQ1OEFDMjI5NDAwMDgxMDAxMDAwMDAwMDAwMDAwMjAwQTA0Nzg3NDdFMjc2MTZDNjY2MDAwMDAwMDAwMDAwMDAwMjAwMDAwMDAwMDAwMDAwNDIwMDgwMDAwMDAwOTEwMDAwMDA1Mjk3RDQ1MzVFMTU1NUU1QzkwMDAwODAxMDAwQTAwMEYzMjAxMEI0MDVCNEVDQzdFOTg4OUVERjFCQTMwQzZGRjcxODM2RUJDRkU5QTczNUVGRDZFNTAxQ0UxNDEwOTUwNTgyNzc2NEI2OURDMzdDNkUyRTQ3ODc0N0UyNzYxNkM2NjYwMDAwMDA4MDAwMDAwMDkxMDAwMDAwNTI5N0Q0NTM1RTE1NTVFNUM5MDAwMDgwMTAwMEEwNDAzMEI0MDU=

Decoding it gives a hexadecimal string:

0000000000B4000000A500100010000000006050B405106D6A9EA24E5767106D7AD58AC22940106D7AD58AC229400081001000000000000200A0478747E27616C666000000000000000200000000000000420080000000910000005297D4535E1555E5C90000801000A000F32010B405B4ECC7E9889EDF1BA30C6FF71836EBCFE9A735EFD6E501CE14109505827764B69DC37C6E2E478747E27616C66600000080000000910000005297D4535E1555E5C90000801000A04030B405

Use shift+v to paste it into 010 Editor.

<img src="https://img-blog.csdnimg.cn/img_convert/3293798761c6b9efc694b2a6e0bbc40e.png" alt="">

Note: 40 30 B4 05 read in reverse is 50 4B 03 04, which means the hexadecimal string has to be reversed; that is the real meaning of "reflection".

A Java script to do this:

```java
import java.util.Scanner;

public class Main {
    public static void main(String[] args) {
        // read the hex string from standard input and print it character by character in reverse
        Scanner in = new Scanner(System.in);
        String s = in.nextLine();
        String str[] = s.split("");
        for (int i = str.length - 1; i >= 0; --i) {
            System.out.print(str[i]);
        }
    }
}
```

This gives:

504B03040A00010800009C5E5551E5354D79250000001900000008000000666C61672E747874E2E6C73CD96B46772850590141EC105E6DFE537A9EFCBE63817FF6C03AB1FDE9889E7CCE4B504B01023F000A00010800009C5E5551E5354D792500000019000000080024000000000000002000000000000000666C61672E7478740A002000000000000100180004922CA85DA7D60104922CA85DA7D6017675E42AE9A6D601504B050600000000010001005A0000004B0000000000

Save it with a .zip extension. The result is an encrypted archive.

There are no other hints, so just brute-force the password.

<img src="https://img-blog.csdnimg.cn/img_convert/b337099ea84a4b5888bc48a8d901f09a.png" alt="">

This gives the password: 658745

Extracting the archive gives the flag:

UNCTF{Th13_Is[email protected][email protected]}

12、EZ_IMAGE

<img src="https://img-blog.csdnimg.cn/img_convert/f6dc55f5d3b28318a9668571bb7ccef7.png" alt="">

The attachment is 225 scrambled JPG tiles. The solution is simple: piece the picture back together.

1、The montage command

Use this command to merge multiple images into one.

(Kali Linux) Install command:

<pre><code class="prism language-cmd">apt-get install graphicsmagick-imagemagick-compat

</code></pre>

Enter the extracted folder and run:

```
montage *.jpg -tile 15x15 -geometry +0+0 1.jpg
```

This gives:

<img src="https://img-blog.csdnimg.cn/img_convert/1e32f2050afc07272161e3f4ace7d9b4.png" alt="">

2、Automatic jigsaw solving with the gaps command

```
git clone https://github.com/nemanja-m/gaps.git
cd gaps
```

First use pip3 to install the following libraries:

```
pip3 install numpy
pip3 install opencv-python
pip3 install matplotlib
pip3 install pytest
pip3 install pillow
```

After installation, open requirements.txt and change the library versions to match the installed ones.

<img src="https://img-blog.csdnimg.cn/img_convert/24594608dde0924b397be9f8542359e8.png" alt="">

These are the version numbers; mine, for example, are:

```
numpy==1.18.4
opencv-python==4.4.0.46
matplotlib==3.2.2
pytest==4.6.11
pillow==6.2.1
```

Then run the following commands.

```
pip3 install -r requirements.txt
sudo apt-get install python-tk
pip3 install -e .
```

After installation, move the previously merged 1.jpg into the gaps-master directory and run:

```
gaps --image=1.jpg --population=500 --size=60 --save
```

<img src="https://img-blog.csdnimg.cn/img_convert/a1d2e54cb3096ba92069e3e01b8db999.png" alt="">

【Note】 Make sure that pieces equals the total number of tiles.

The final result:

<img src="https://img-blog.csdnimg.cn/img_convert/09d0e252ab031f20f2a5de91b345eeec.png" alt="">

The flag is:

UNCTF{EZ_MISC_AND_HACK_FUN}

Crypto

1、easy_rsa

<img src="https://img-blog.csdnimg.cn/img_convert/bc91cf5a4a10c3e83574b777cd534a7e.png" alt="">

The attachment is an RSA encryption script, and a fairly simple one:

```python
from Crypto.Util import number
import gmpy2
from Crypto.Util.number import bytes_to_long

p = number.getPrime(1024)
q = number.getPrime(1024)
if p > q:
    # the sum and the difference of the primes are leaked
    a = p + q
    b = p - q
    print(a,b)

n = p * q
e = 65537
phi = (p-1)*(q-1)
d = gmpy2.invert(e,phi)
m = bytes_to_long(b'msg')
c = pow(m,e,n)
print(c)

#320398687477638913975700270017132483556404036982302018853617987417039612400517057680951629863477438570118640104253432645524830693378758322853028869260935243017328300431595830632269573784699659244044435107219440036761727692796855905230231825712343296737928172132556195116760954509270255049816362648350162111168
#9554090001619033187321857749048244231377711861081522054479773151962371959336936136696051589639469653074758469644089407114039221055688732553830385923962675507737607608026140516898146670548916033772462331195442816239006651495200436855982426532874304542570230333184081122225359441162386921519665128773491795370
#22886015855857570934458119207589468036427819233100165358753348672429768179802313173980683835839060302192974676103009829680448391991795003347995943925826913190907148491842575401236879172753322166199945839038316446615621136778270903537132526524507377773094660056144412196579940619996180527179824934152320202452981537526759225006396924528945160807152512753988038894126566572241510883486584129614281936540861801302684550521904620303946721322791533756703992307396221043157633995229923356308284045440648542300161500649145193884889980827640680145641832152753769606803521928095124230843021310132841509181297101645567863161780
```

From a = p + q and b = p - q it is easy to recover p and q, after which n and e are known, so just run a script:

```python
import libnum
from Crypto.Util.number import long_to_bytes

a = 320398687477638913975700270017132483556404036982302018853617987417039612400517057680951629863477438570118640104253432645524830693378758322853028869260935243017328300431595830632269573784699659244044435107219440036761727692796855905230231825712343296737928172132556195116760954509270255049816362648350162111168
b = 9554090001619033187321857749048244231377711861081522054479773151962371959336936136696051589639469653074758469644089407114039221055688732553830385923962675507737607608026140516898146670548916033772462331195442816239006651495200436855982426532874304542570230333184081122225359441162386921519665128773491795370
c = 22886015855857570934458119207589468036427819233100165358753348672429768179802313173980683835839060302192974676103009829680448391991795003347995943925826913190907148491842575401236879172753322166199945839038316446615621136778270903537132526524507377773094660056144412196579940619996180527179824934152320202452981537526759225006396924528945160807152512753988038894126566572241510883486584129614281936540861801302684550521904620303946721322791533756703992307396221043157633995229923356308284045440648542300161500649145193884889980827640680145641832152753769606803521928095124230843021310132841509181297101645567863161780
# a = p + q
# b = p - q
p = (a+b) // 2
q = (a-b) // 2
n = q * p
e = 65537

d = libnum.invmod(e, (p - 1) * (q - 1))
m = pow(c, d, n)  # m as a decimal integer
string = long_to_bytes(m)  # m as plaintext bytes
print(string)  # printed in the form b'...'

#print(libnum.n2s(m))  # (n2s converts a number to a string)
```

This gives:

b'UNCTF{welcome_to_rsa}'

2、Ordinary RSA

<img src="https://img-blog.csdnimg.cn/img_convert/8047f0e373790efd79ec493d7a4e497d.png" alt="">

The attachment is a txt:

e= 18437613570247445737704630776150775735509244525633303532921813122997549954741828855898842356900537746647414676272022397989161180996467240795661928117273837666615415153571959258847829528131519423486261757569454011940318849589730152031528323576997801788206457548531802663834418381061551227544937412734776581781

n= 147282573611984580384965727976839351356009465616053475428039851794553880833177877211323318130843267847303264730088424552657129314295117614222630326581943132950689147833674506592824134135054877394753008169629583742916853056999371985307138775298080986801742942833212727949277517691311315098722536282119888605701

c= 140896698267670480175739817539898638657099087197096836734243016824204113452987617610944986742919793506024892638851339015015706164412994514598564989374037762836439262224649359411190187875207060663509777017529293145434535056275850555331099130633232844054767057175076598741233988533181035871238444008366306956934

Clearly this e is very large, which immediately suggests the RSA Wiener attack (a very large e usually goes with a small d, which is what the attack exploits). So modify the script as follows:

<pre><code class="prism language-python">import RSAwienerHacker

e = 18437613570247445737704630776150775735509244525633303532921813122997549954741828855898842356900537746647414676272022397989161180996467240795661928117273837666615415153571959258847829528131519423486261757569454011940318849589730152031528323576997801788206457548531802663834418381061551227544937412734776581781
n = 147282573611984580384965727976839351356009465616053475428039851794553880833177877211323318130843267847303264730088424552657129314295117614222630326581943132950689147833674506592824134135054877394753008169629583742916853056999371985307138775298080986801742942833212727949277517691311315098722536282119888605701

d = RSAwienerHacker.hack_RSA(e, n)
if d:
    print(d)
</code></pre>

<img src="https://img-blog.csdnimg.cn/img_convert/39e87d363e494a68ccbb8ecff303688f.png" alt="">

This gives d:

74651354506339782898861455541319178061583554604980363549301373281141419821253

With c, e, d and n in hand, the rest is a straightforward script:

<pre><code class="prism language-python">from Crypto.Util.number import long_to_bytes

e = 18437613570247445737704630776150775735509244525633303532921813122997549954741828855898842356900537746647414676272022397989161180996467240795661928117273837666615415153571959258847829528131519423486261757569454011940318849589730152031528323576997801788206457548531802663834418381061551227544937412734776581781
n = 147282573611984580384965727976839351356009465616053475428039851794553880833177877211323318130843267847303264730088424552657129314295117614222630326581943132950689147833674506592824134135054877394753008169629583742916853056999371985307138775298080986801742942833212727949277517691311315098722536282119888605701
c = 140896698267670480175739817539898638657099087197096836734243016824204113452987617610944986742919793506024892638851339015015706164412994514598564989374037762836439262224649359411190187875207060663509777017529293145434535056275850555331099130633232844054767057175076598741233988533181035871238444008366306956934

d = 74651354506339782898861455541319178061583554604980363549301373281141419821253

m = pow(c, d, n)  # m as an integer
string = long_to_bytes(m)  # m as plaintext bytes
print(string)  # printed in the form b'...'
</code></pre>

This gives the flag:

b'unctf{wi3n3r[email protected]}'
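
What the RSAwienerHacker call above does internally, as an added example that is not part of the original write-up or of that library: Wiener's continued-fraction method recovers d whenever d is below roughly n^(1/4)/3, which is why an unusually large e is a warning sign when auditing a key. The key here is constructed for the demo (primes 10^9+9 and 10^9+7, d = 10007), and all function names are this example's own.

```python
from math import isqrt

def convergents(num, den):
    """Yield the continued-fraction convergents (k, d) of num/den."""
    h0, h1, k0, k1 = 0, 1, 1, 0
    while den:
        a = num // den
        num, den = den, num - a * den
        h0, h1 = h1, a * h1 + h0
        k0, k1 = k1, a * k1 + k0
        yield h1, k1

def wiener(e, n):
    """Return (d, p, q) if some convergent k/d of e/n reveals phi(n), else None."""
    for k, d in convergents(e, n):
        if k == 0 or (e * d - 1) % k:
            continue                      # e*d - 1 must equal k * phi
        phi = (e * d - 1) // k
        if not 0 < phi < n:
            continue
        s = n - phi + 1                   # p + q, if phi is right
        disc = s * s - 4 * n              # (p - q)^2, if phi is right
        if disc < 0:
            continue
        r = isqrt(disc)
        if r * r == disc and (s + r) % 2 == 0:
            p, q = (s + r) // 2, (s - r) // 2
            if p * q == n:
                return d, p, q
    return None

# Constructed demo key, not the challenge key.
P, Q = 1_000_000_009, 1_000_000_007
N, PHI = P * Q, (P - 1) * (Q - 1)
D_SMALL = 10007                           # below N**0.25 / 3 (about 10540)
E_WEAK = pow(D_SMALL, -1, PHI)            # choosing a small d fixes e
E_SAFE = 65537                            # the usual public exponent, for contrast

def demo():
    """Encrypt under the weak key, then decrypt with the recovered d."""
    m = int.from_bytes(b"wiener", "big")
    c = pow(m, E_WEAK, N)
    d, _, _ = wiener(E_WEAK, N)
    return pow(c, d, N).to_bytes(6, "big")

if __name__ == "__main__":
    print(wiener(E_WEAK, N), wiener(E_SAFE, N), demo())
```

With e = 65537 the same modulus yields no result, because the matching d is far too large to appear as a convergent denominator.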

3、 How to make up for the lack of nutrition in the hearing of judge Anshan

<img src="https://img-blog.csdnimg.cn/img_convert/3cbf51bf453939649c80f3dc075b086a.png" alt="">

The challenge gives a string in an unknown encoding:

ottttootoootooooottoootooottotootttootooottotttooootttototoottooootoooottotoottottooooooooottotootto

Looking at it first, the string uses only two distinct letters, which suggests binary. Converting the string as binary fails.

Another encoding that uses two symbols is the Bacon cipher, so try that.

First replace o with A and t with B:

ABBBBAABAAABAAAAABBAAABAAABBABAABBBAABAAABBABBBAAAABBBABABAABBAAAABAAAABBABAABBABBAAAAAAAAABBABAABBA

<img src="https://img-blog.csdnimg.cn/img_convert/6e0074a73d8a8974d3f9203e05272a3d.png" alt="">

This gives the flag:

unctf{PEIGENHENYOUYINGYANG}
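
The substitution and decoding steps above as a script (an added example, not part of the original write-up). It goes slightly beyond the text by trying both symbol assignments and both common Bacon alphabets, since the 24-letter variant with merged I/J and U/V decodes differently; the function names are this example's own.

```python
import string

# Two Bacon alphabets in common use: the full 26-letter one and the
# classical 24-letter one in which I/J and U/V share a code.
ALPHABET_26 = string.ascii_uppercase
ALPHABET_24 = "ABCDEFGHIKLMNOPQRSTUWXYZ"

def bacon_decode(text, zero, one, alphabet=ALPHABET_26):
    """Decode 5-symbol groups; return None if the text is not valid Bacon."""
    symbols = [ch for ch in text if not ch.isspace()]
    if len(symbols) % 5 or set(symbols) - {zero, one}:
        return None
    out = []
    for i in range(0, len(symbols), 5):
        value = 0
        for ch in symbols[i:i + 5]:
            value = value * 2 + (ch == one)   # 'zero' is bit 0, 'one' is bit 1
        if value >= len(alphabet):
            return None                       # group has no letter in this alphabet
        out.append(alphabet[value])
    return "".join(out)

def candidates(text):
    """Try both symbol assignments and both alphabets on a two-symbol text."""
    syms = sorted(set(text) - set(string.whitespace))
    if len(syms) != 2:
        return {}
    results = {}
    for zero, one in (syms, syms[::-1]):
        for name, alphabet in (("26", ALPHABET_26), ("24", ALPHABET_24)):
            decoded = bacon_decode(text, zero, one, alphabet)
            if decoded:
                results[(zero, one, name)] = decoded
    return results

# Ciphertext from the challenge.
CIPHERTEXT = "ottttootoootooooottoootooottotootttootooottotttooootttototoottooootoooottotoottottooooooooottotootto"

if __name__ == "__main__":
    for key, value in candidates(CIPHERTEXT).items():
        print(key, value)
```

Only the assignment o = A, t = B with the 26-letter alphabet produces a full decode; the other three combinations hit groups that have no letter.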

Reverse

1、re_checkin

<img src="https://img-blog.csdnimg.cn/img_convert/95f1aa8869a78140b31cd9552a782918.png" alt="">

First check whether the binary is packed. PEiD reports nothing, so load it straight into IDA.

Press Shift+F12 to view the strings.

The string success stands out. Follow it to the function sub_401550() and press F5:

<pre><code class="prism language-c">__int64 sub_401550()
{
  char Str1; // [email protected]

  sub_40B300();
  puts("Welcome!Please Input:");
  sub_419C00("%1000s", &Str1);
  if ( !strcmp(&Str1, &Str2) )
    puts("success!");
  else
    puts("fail!");
  system("pause");
  return 0i64;
}
</code></pre>

It is quickly clear that strcmp compares Str1 with Str2. Str1 is the input, so trace Str2.

<img src="https://img-blog.csdnimg.cn/img_convert/0cbb5b8f6c692b9a9d1e692c54656e2f.png" alt="">

It is set in the function sub_4015DC:

<pre><code class="prism language-c">void sub_4015DC()
{
  Str2 = 117;
  byte_42F041 = 110;
  byte_42F042 = 99;
  byte_42F043 = 116;
  byte_42F044 = 102;
  byte_42F045 = 123;
  byte_42F046 = 87;
  byte_42F047 = 101;
  byte_42F048 = 108;
  byte_42F049 = 99;
  byte_42F04A = 111;
  byte_42F04B = 109;
  byte_42F04C = 101;
  byte_42F04D = 84;
  byte_42F04E = 111;
  byte_42F04F = 85;
  byte_42F050 = 78;
  byte_42F051 = 67;
  byte_42F052 = 84;
  byte_42F053 = 70;
  byte_42F054 = 125;
  byte_42F055 = 0;
}
</code></pre>

These are clearly ASCII codes. Converting them gives:

unctf{WelcomeToUNCTF}

2、babypy

<img src="https://img-blog.csdnimg.cn/img_convert/2baf343304ef832b9288f6b4d360f45f.png" alt="">

The download contains an .exe and a txt file.

The txt is as follows:

313131303130313031313031313130303131303030313130313131303130303031313030313130303131313130313130313031303130303031313031303030303130303030303030313131303130303031303131313131303131303130303130313131303031313031303131313131303131313030313030313130303130313031313030303031303031313030303130303131303030313031313131303031303130313131313130313130303031313030313130303030303031313030303030303131303030313031313131313031

First check babypy.exe for a packer: it is not packed.

Next, the exe needs to be decompiled back to Python source.

Use pyinstxtractor.py to extract it.

Run the command:

python pyinstxtractor.py babypy.exe

<img src="https://img-blog.csdnimg.cn/img_convert/e5d0aa978ab64a1840185c737a512680.png" alt="">

Note the extracted file babypy, which is the key source file. Because the extraction is imperfect, it has lost its header and has no .pyc suffix. So open one of the pyc files from the same extraction and look at its header:

42 0D 0D 0A 00 00 00 00

So I added:

42 0D 0D 0A 00 00 00 00 70 79 69 30 10 01 00 00

<img src="https://img-blog.csdnimg.cn/img_convert/5d7f7f7c8427ba81fa4bafbb0f6bb6a3.png" alt="">

Then change the suffix to .pyc and decompile it to get the py file:

<pre><code class="prism language-python">#!/usr/bin/env python
# visit http://tool.lu/pyc/ for more information
import os
import libnum
import binascii

flag = 'unctf{*******************}'
# WARNING: Decompyle incomplete
</code></pre>

This was quite different from what I had expected. I thought the whole script would come out, so my train of thought broke off here.

In fact, I had forgotten the important hint from the author: tip.txt.

So the solution script is as follows:

<pre><code class="prism language-python">import libnum

m = 0x313131303130313031313031313130303131303030313130313131303130303031313030313130303131313130313130313031303130303031313031303030303130303030303030313131303130303031303131313131303131303130303130313131303031313031303131313131303131313030313030313130303130313031313030303031303031313030303130303131303030313031313131303031303130313131313130313130303031313030313130303030303031313030303030303131303030313031313131313031

bits = libnum.n2s(m)     # the hex decodes to a string of '0'/'1' characters
print(libnum.b2s(bits))  # the bit string decodes to the flag text
</code></pre>

Running it prints the flag:

unctf{[email protected]_is_rea11y_c001}

3、 Decompile

<img src="https://img-blog.csdnimg.cn/img_convert/8f26db91128fcb1065a8fe24d43acf83.png" alt="">

The download is a run.exe. Given the title "Decompile", the approach is the same as above.

Use pyinstxtractor.py to extract it.

Run the command:

python pyinstxtractor.py run.exe

Add the header to the extracted run file and change its suffix:

42 0D 0D 0A 00 00 00 00 70 79 69 30 10 01 00 00

Then decompile it to get the py file:

<pre><code class="prism language-python">#!/usr/bin/env python
# visit http://tool.lu/pyc/ for more information
str2 = 'UMAQBvogWLDTWgX"""k'
flag = ''
for i in range(len(str2)):
    flag += chr(ord(str2[i]) + i)

print(flag)
</code></pre>

Running it prints the flag directly:

UNCTF{un_UN_ctf123}
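
The header repair used for both babypy and run, as an added example that is not part of the original write-up: it parses the 16 bytes the write-up prepends and shows that a bare marshalled code object loads again once a header is back in place. The function names and the one-line stand-in payload are this example's own constructions.

```python
import importlib.util
import marshal
import struct

HEADER_LEN = 16  # Python 3.7+: magic(2) + "\r\n" + flags(4) + two 4-byte fields
# The 16 bytes the write-up prepends to the extracted file.
PAGE_HEADER = bytes.fromhex("420D0D0A000000007079693010010000")

def parse_header(header):
    """Split a 3.7+ pyc header into its fields."""
    magic, crlf, flags, mtime, size = struct.unpack("<H2sIII", header[:HEADER_LEN])
    if crlf != b"\r\n":
        raise ValueError("not a pyc header")
    return {"magic": magic, "flags": flags, "mtime": mtime, "source_size": size}

def restore_header(body, header):
    """Prepend header to a bare marshalled code object; leave intact files alone."""
    if body[:4] == header[:4]:
        return body
    return header[:HEADER_LEN] + body

def load_code(pyc):
    """Return the code object stored after the header."""
    return marshal.loads(pyc[HEADER_LEN:])

def roundtrip():
    # Constructed stand-in for an extracted entry point: marshalled code, no header.
    body = marshal.dumps(compile("answer = 6 * 7", "<demo>", "exec"))
    # The magic must match the interpreter that built the code object, so the
    # demo takes it from the running Python rather than from PAGE_HEADER.
    header = importlib.util.MAGIC_NUMBER + bytes(12)
    pyc = restore_header(body, header)
    namespace = {}
    exec(load_code(pyc), namespace)
    return len(pyc) - len(body), restore_header(pyc, header) == pyc, namespace["answer"]

if __name__ == "__main__":
    print(parse_header(PAGE_HEADER), roundtrip())
```

The magic number 3394 in the write-up's header is the CPython 3.7 value, which is why the header has to come from a pyc in the same extraction and not from whatever Python is installed locally.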

pwn

1、YLBNB

<img src="https://img-blog.csdnimg.cn/img_convert/01d69c70c0714dd5ff5c31c40927fd51.png" alt="">

Connect directly with nc:

nc 45.158.33.12 8000

<img src="https://img-blog.csdnimg.cn/img_convert/5b8053d561dd15ca6629c522ffe87d08.png" alt="">

So go straight to the exp (the simplest kind):

<pre><code class="prism language-python">from pwn import *

p = remote('45.158.33.12', 8000)
payload = ''
p.sendline(payload)

p.interactive()
</code></pre>

<img src="https://img-blog.csdnimg.cn/img_convert/ce2994f36a2e6674c8235cfba5b00ac5.png" alt="">

This gives the flag:

UNCTF{[email protected]_Th3_Bes7_YLB}

Sure next time !!

Original site

Copyright notice
This article was created by [ruochen]. Please include a link to the original when reposting. Thank you.
https://yzsam.com/2021/11/20211120164931672S.html