Misc

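Sign-in challenge

The challenge is an image. Running binwalk on it yields a zip archive; inside that is another archive, and the archive names are decreasing numbers, so this is obviously a nested extraction loop. Find a script and run it.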

```python
import zipfile

# Folder holding 232.zip; each archive contains the next lower-numbered one
base = "C:\\Users\\一只小唐尼OvO\\Desktop\\232\\"
number = 232
for i in range(232, 1, -1):
    path = base + str(number) + ".zip"
    # the context manager closes every archive, not only the last one
    with zipfile.ZipFile(path) as zip_file:
        zip_list = zip_file.namelist()
        for f in zip_list:
            zip_file.extract(f, base)
    number = number - 1
    if number == 1:
        break
```

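Once it finishes, opening 1.zip with 7z gives a traffic capture. One look shows it is exactly the same as the one from the national competition (国赛), so I went straight to that writeup.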

tshark -r keyboard.pcap -T fields -e usb.capdata > usbdata.txt

Each record is sixteen bytes. Use a script to insert colons, then map the values to keys.

Adding the colons

```python
myStr = ""  # paste the concatenated hex output straight in here
with open('1.5.1.txt', 'w') as new:
    for i in range(0, len(myStr), 16):
        newmyStr = myStr[i:i+16]
        # split the 16 hex digits into 8 colon-separated bytes
        # (the last field is [14:16]; the original repeated [6:8] here)
        line = ':'.join(newmyStr[j:j+2] for j in range(0, 16, 2))
        print(line)
        new.write(line)
        new.write('\n')
```

Key-mapping script

```python
#!/usr/bin/env python
# -*- coding:utf-8 -*-

# HID usage ID (third byte of the report) -> key, without and with Shift
normalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e", "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j", "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o", "13":"p", "14":"q", "15":"r", "16":"s", "17":"t", "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y", "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4", "22":"5", "23":"6","24":"7","25":"8","26":"9","27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\","32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".","38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}

shiftKeys = {"04":"A", "05":"B", "06":"C", "07":"D", "08":"E", "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J", "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O", "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T", "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y", "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$", "22":"%", "23":"^","24":"&","25":"*","26":"(","27":")","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":"\"","34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}

output = []

keys = open('1.5.1.txt')

for line in keys:
    try:
        # keep only reports with one key pressed: byte 0 is 00 or 02 (Shift),
        # byte 2 is the key code, every other byte is 00
        if line[0]!='0' or (line[1]!='0' and line[1]!='2') or line[3]!='0' or line[4]!='0' or line[9]!='0' or line[10]!='0' or line[12]!='0' or line[13]!='0' or line[15]!='0' or line[16]!='0' or line[18]!='0' or line[19]!='0' or line[21]!='0' or line[22]!='0' or line[6:8]=="00":
            continue
        if line[6:8] in normalKeys.keys():
            # pick the shifted table when the modifier byte is 02
            output += [[normalKeys[line[6:8]]],[shiftKeys[line[6:8]]]][line[1]=='2']
        else:
            output += ['[unknown]']
    except IndexError:
        # short or empty line
        pass

keys.close()

flag=0
print("".join(output))
# apply each <DEL>: remove it together with the character before it
for i in range(len(output)):
    try:
        a=output.index('<DEL>')
        del output[a]
        del output[a-1]
    except ValueError:
        # no <DEL> left
        pass
# upper-case everything typed between a pair of <CAP> presses
for i in range(len(output)):
    try:
        if output[i]=="<CAP>":
            flag+=1
            output.pop(i)
            if flag==2:
                flag=0
        if flag!=0:
            output[i]=output[i].upper()
    except IndexError:
        # the list shrank after pop()
        pass
print ('output :' + "".join(output))
```

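In the end I kept submitting the wrong format for ages. I tried different letter case and capitalizing the first letter, and did not expect there to be underscores in the middle as well. I need to be more careful.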

flag:nepctf{welcome_to_nepctf_2nd}

花花画画画花花

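This one was purely a matter of finding the right software. The file has to be extracted first; my initial direction of searching for the osz extension was wrong. After extraction there are files with the osu extension. Open the whole osz with the map-editing feature of the rhythm game osu! and look through it slowly to find the flag. (At first I thought I had to clear the map, but at that difficulty there was no way I could beat it, damn.)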

Once you find this, just keep looking through the rest slowly.

flag:NepCTF{MASTER_OF_坏女人!}

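9 O'Clock Livestream (9点直播)

The flag is right on the livestream homepage. But what was going on with the stream playing Genshin last night? Damn, Genshin!

Pie? Trap! (馅饼?陷阱!)

At first I searched for 东北饺子城 and found nothing. Then I tried a fuzzy search for the 妆美业 sign above 大禾寿司, and it actually turned up.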

Everything showed up; it is China Everbright Bank (光大银行).

flag:NepCTF{www.cebbank.com}

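Rare bbbbase (少见的bbbbase)

The challenge is a jpg image. steghide, binwalk, changing the width and height, and stegsolve all turned up nothing, until I found a step from a misc challenge in the 2020 Qiangwang Cup (强网杯) that used the stegdetect tool. Running it showed that this one is also jphide steganography.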

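Originally I tried brute-forcing with stegbreak:

.\stegbreak.exe -r rules.ini -f password.txt -t p 1.jpg # password.txt is the wordlist file

But a wordlist of several hundred thousand entries found nothing. Something felt off, and I thought the password might have to be found somewhere else. It turned out there was no password....

Running seek in jphs with an empty password got it directly.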

Running Basebreak on the result cracked it: the encoding is base58.

flag:flag{Real_qiandao~}

DCTris

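This one was a real pain. First you need to know that a cdi file is a disc image of a DC (Dreamcast) game, then you need to find an emulator to mount it. At first I only looked at desktop emulators and tried nullDC and Makaron, but they were either unstable or could not load the image. In the end I used reicast, an emulator for Android, which also needs the Dreamcast BIOS files downloaded. After that it was a matter of grinding Tetris. It was really hard; I played for a long time and only got the next part after scoring more than 40,000 points.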

Piece the parts together:

This gives the flag:NepCTF{LetsPlayFallingBlocksGameOnDreamCast!}

I just have to say it about this one: too hard!!

Crypto

signin

The challenge gives n and e. First try to factor n; factordb failed, so I factored it with yafu.

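At first I thought it had failed, but it turned out the two primes were just too close together.

With p and q in hand, move on to the remaining conditions: p, q, and the values of c mod p and c mod q are known. I asked a classmate in the math department and learned that the Chinese Remainder Theorem can be used, so I found a script, ran it to get c, and then a routine RSA decryption gave the answer.

The Chinese Remainder Theorem script is as follows: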

```python
# gcd of two numbers
def gcd(a,b):
    if b == 0:
        return a
    else :
        return gcd(b,a % b)

# check that every pair of numbers in the list is coprime
def compare(list):
    for i in range(0,len(list)):
        for j in range(i+1,len(list)):
            if gcd(list[i],list[j]) != 1:
                # message: "the Chinese Remainder Theorem cannot be applied directly!"
                print('不能直接使用中国剩余定理!')
                exit()
    # if the condition holds, execution continues; otherwise the program exits

# product m of the input moduli m1,m2,..,mk
def product_m(list):
    m = 1
    for i in list:
        m *= i
    return m

# compute M1,M2,..,Mk with Mj = m / mj and return them as a list
def get_divsion(list,m):
    div = []
    for i in list:
        div.append(m // i)
    return div

def get_inverse(a, m): # inverse of a modulo m; returns a single value, not a list
    if gcd(a, m) != 1:
        return None
    u1, u2, u3 = 1, 0, a
    v1, v2, v3 = 0, 1, m
    while v3 != 0:
        q = u3 // v3
        v1, v2, v3, u1, u2, u3 = (u1 - q * v1), (u2 - q * v2), (u3 - q * v3), v1, v2, v3
    return u1 % m

# compute Xj as Xj = (Mj * Mj_inverse * aj) % m, where m is the product of all moduli
def get_x(M:int ,M_inverse:int ,a :int,m:int):
    product_x = (M * M_inverse * a) % m
    return product_x

# final answer X = X1+X2+...+Xk (mod m)
def get_solution(list_m, list_a):
    # compare(list_m)
    m = product_m(list_m)
    list_M = get_divsion(list_m, m)
    list_M_inverse = []
    list_X = []
    total = 0
    for i in range(0,len(list_M)):
        list_M_inverse.append(get_inverse(list_M[i], list_m[i]))
    for i in range(len(list_M)):
        list_X.append(get_x(list_M[i],list_M_inverse[i],list_a[i],m))
    for x in list_X:
        total += x
    return total % m

# test data
#list_a = [2,3,2]
#list_m = [3,5,7]
#print(get_solution(list_m, list_a))

# call get_solution() to apply the Chinese Remainder Theorem
# get_solution() takes two lists: the moduli list_m and the remainders list_a
# read in list_a and list_m and convert them to integers first
```

Here the positions of p and q need to be swapped, which gives c.

flag:NepCTF{ju5t_d0_f4ct_4nd_crt_th3n_d3crypt}
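The signin steps above (factor an n whose primes are close, rebuild c from c mod p and c mod q, then decrypt) as an added example, not the challenge's code or the script the author used. It uses Fermat's method as one way close primes can be factored (the page used yafu), and the values p = 10007, q = 10009, e = 65537 and the message are constructed toy assumptions.

```python
from math import isqrt

def fermat_factor(n):
    """Factor odd n = p*q; fast only when p and q are close together."""
    a = isqrt(n)
    if a * a < n:
        a += 1                      # start at ceil(sqrt(n))
    while True:
        b2 = a * a - n              # look for a^2 - n = b^2
        b = isqrt(b2)
        if b * b == b2:
            return a - b, a + b     # n = (a - b)(a + b)
        a += 1

def crt_pair(cp, cq, p, q):
    """Rebuild c mod p*q from cp = c mod p and cq = c mod q (p, q coprime)."""
    # each remainder must be paired with its own modulus
    h = ((cq - cp) * pow(p, -1, q)) % q
    return cp + p * h

def rsa_decrypt(c, e, p, q):
    d = pow(e, -1, (p - 1) * (q - 1))   # private exponent
    return pow(c, d, p * q)

def demo():
    # Constructed toy values (assumptions), not the challenge's numbers
    n, e = 10007 * 10009, 65537
    m = int.from_bytes(b"ok", "big")
    c = pow(m, e, n)
    p, q = fermat_factor(n)             # succeeds on the first iteration here
    cp, cq = c % p, c % q               # the two remainders the solver is given
    c_rebuilt = crt_pair(cp, cq, p, q)
    plain = rsa_decrypt(c_rebuilt, e, p, q).to_bytes(2, "big")
    return (p, q), c_rebuilt == c, plain

if __name__ == "__main__":
    print(demo())
```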

Reverse

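Come Sign In (快来签到)

I really did not see this one coming.

Opening it in IDA gives a message that the main function is too large to be displayed as a flow graph. A quick Baidu search and a change to one setting fixes it.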

Just raise the maximum number of nodes here.

flag:NepCTF{welc0me_t0_nepctf}