DDCTF2018 Partial Write-up

Preface

I recently took part in DDCTF2018; this post records the write-ups for two of the challenges.

1. Fourth Extended FS

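The challenge provides an image. Running foremost on it extracts an image and an encrypted zip archive. Brute-forcing the archive password for a long time got nowhere; opening it in EmEditor showed the string: Pactera, and that string successfully decrypted the archive. Following the hint, the next step is to count how many times each character occurs.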

from collections import Counter

# Count how often each character occurs in the first line of the extracted file
with open("file.txt", "r") as f:
    print(Counter(f.readline()))

# Output:
Counter({'D': 3950, 'C': 1900, 'T': 1850, 'F': 1800, '{': 1750, 'h': 1700, 'u': 1650, 'a': 1600, 'n': 1550, 'w': 1500, 'e': 1450, '1': 1400, 's': 1350, 'i': 1300, 'k': 1250, '4': 1200, 'o': 1150, '!': 1100, '}': 1050})

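Reading the characters in descending order of count (D, with roughly twice the count of the next character, appears twice) spells out the flag: DDCTF{huanwe1sik4o!}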

2. Secure Communication

This challenge encrypts with ECB (Electronic Codebook mode). In ECB, identical plaintext blocks always produce identical ciphertext blocks.

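This property can be used to recover the flag one character at a time. Taking the first character as an example: set the Agent ID to 45 '1' characters, so the message that gets encrypted is: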

Connection for mission: 111111111111111111111111111111111111111111111, your mission's flag is: D

With the first character of the flag appended, the input is 96 (16*6) characters long; take the first 192 (32*6) hex characters of the ciphertext.

Please enter mission key:
b9ba15b341c847c8beba85273f9b7f90
Please enter your Agent ID to secure communications:
# Agent ID: 45 '1' characters
111111111111111111111111111111111111111111111
# Encrypted welcome message returned; its first 192 hex characters are the comparison target
ce62ff6f5ebd23a8d059b1bd831a8d0fed6d82e4257f35a62ef76a43970ade3e06b6e8e7589fddd8b8ac55e5c29625e906b6e8e7589fddd8b8ac55e5c29625e9eae01a76a2f84e768e4408555cb4acbf17888d387e8b7756e9a3de2a68b4fbf726b43ef60ec00ce6bfbdf91d4d9dba79bb2983e79315def49a0fa8eaa10cd4a8250e53382d70f71936a32961d5741662

Please send some messages to be encrypted, 'quit' to exit:
# Guess that the first character is C
Connection for mission: 111111111111111111111111111111111111111111111, your mission's flag is: C
ce62ff6f5ebd23a8d059b1bd831a8d0fed6d82e4257f35a62ef76a43970ade3e06b6e8e7589fddd8b8ac55e5c29625e906b6e8e7589fddd8b8ac55e5c29625e9eae01a76a2f84e768e4408555cb4acbf18c2aed45181d467f22c858da3d1b03b
Please send some messages to be encrypted, 'quit' to exit:
# Guess that the first character is D
Connection for mission: 111111111111111111111111111111111111111111111, your mission's flag is: D
ce62ff6f5ebd23a8d059b1bd831a8d0fed6d82e4257f35a62ef76a43970ade3e06b6e8e7589fddd8b8ac55e5c29625e906b6e8e7589fddd8b8ac55e5c29625e9eae01a76a2f84e768e4408555cb4acbf17888d387e8b7756e9a3de2a68b4fbf7
Please send some messages to be encrypted, 'quit' to exit:

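When the last character of the input is D, the result matches the first 192 hex characters of the welcome message's ciphertext. To recover the second character of the flag, shorten the Agent ID by 1 (44 characters). Growing the known flag by one character each round while shortening the Agent ID by one recovers the whole flag. A script for this: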

# Connection for mission: 111111111111111111111111111111111111111111111, your mission's flag is: D
from pwn import *

mission_key = b"b9ba15b341c847c8beba85273f9b7f90"
prompt = b"Please send some messages to be encrypted, 'quit' to exit:"
flag = ""
payloads = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890abcdefghijklmnopqrstuvwxyz.@_-}{'
for i in range(50):
    r = remote('116.85.48.103', 5002)
    r.recvuntil(b"Please enter mission key:")
    r.sendline(mission_key)
    # Shrink the Agent ID by one per recovered character so the unknown
    # flag character stays the last byte of the sixth block
    mission_len = 45 - i
    r.recvuntil(b"Please enter your Agent ID to secure communications:")
    r.sendline(b"1" * mission_len)
    # First 192 hex characters (6 blocks) of the encrypted welcome message
    data_1 = r.recvuntil(prompt).strip()[:192]
    for j in payloads:
        name = "1" * mission_len
        flag_buf = flag + j
        message = "Connection for mission: {}, your mission's flag is: {}".format(name, flag_buf)
        r.sendline(message.encode())
        data_2 = r.recvuntil(prompt).strip()[:192]
        if data_1 == data_2:
            # Same six blocks as the welcome message: the guess j is correct
            flag = flag + j
            print(flag)
            r.sendline(b"quit")
            if j == '}':
                exit(0)
            break
    r.close()
# Output
...
DDCTF{afd18f4a112ca67951fc95afb92b7
DDCTF{afd18f4a112ca67951fc95afb92b74
DDCTF{afd18f4a112ca67951fc95afb92b74d8
DDCTF{afd18f4a112ca67951fc95afb92b74d8}

This gives the flag: DDCTF{afd18f4a112ca67951fc95afb92b74d8}
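
The following is an added example, not part of the original write-up: it splits the hex ciphertexts from the session above into 16-byte blocks to show the ECB fingerprint (the repeated block produced by the run of '1' characters) and which block changes between guesses. The function names are hypothetical; the 16-byte block size and the message template are taken from the page.

```python
from collections import defaultdict

BLOCK_HEX = 32  # one 16-byte cipher block is 32 hex characters (block size as stated on the page)

# Ciphertexts copied from the session on this page; the first five blocks are shared.
SHARED = ("ce62ff6f5ebd23a8d059b1bd831a8d0f" "ed6d82e4257f35a62ef76a43970ade3e"
          "06b6e8e7589fddd8b8ac55e5c29625e9" "06b6e8e7589fddd8b8ac55e5c29625e9"
          "eae01a76a2f84e768e4408555cb4acbf")
WELCOME = SHARED + ("17888d387e8b7756e9a3de2a68b4fbf7" "26b43ef60ec00ce6bfbdf91d4d9dba79"
                    "bb2983e79315def49a0fa8eaa10cd4a8" "250e53382d70f71936a32961d5741662")
GUESS_C = SHARED + "18c2aed45181d467f22c858da3d1b03b"
GUESS_D = SHARED + "17888d387e8b7756e9a3de2a68b4fbf7"
# Message layout taken from the page's script
TEMPLATE = "Connection for mission: {}, your mission's flag is: "


def split_blocks(hex_ct):
    """Split a hex ciphertext into 16-byte blocks (kept as hex strings)."""
    return [hex_ct[i:i + BLOCK_HEX] for i in range(0, len(hex_ct), BLOCK_HEX)]


def repeated_blocks(hex_ct):
    """Return {block: [indices]} for blocks seen more than once: the ECB fingerprint."""
    seen = defaultdict(list)
    for idx, blk in enumerate(split_blocks(hex_ct)):
        seen[blk].append(idx)
    return {blk: idxs for blk, idxs in seen.items() if len(idxs) > 1}


def first_mismatch(ct_a, ct_b, nblocks):
    """Index of the first differing block within the first nblocks, or None if equal."""
    pairs = zip(split_blocks(ct_a)[:nblocks], split_blocks(ct_b)[:nblocks])
    for idx, (a, b) in enumerate(pairs):
        if a != b:
            return idx
    return None


def unknown_byte_position(agent_id_len, known_flag_len):
    """(block index, offset in block) of the first unknown flag byte in the plaintext."""
    pos = len(TEMPLATE.format("1" * agent_id_len)) + known_flag_len
    return divmod(pos, 16)


if __name__ == "__main__":
    print("repeated blocks:", repeated_blocks(WELCOME))
    print("guess C vs welcome:", first_mismatch(WELCOME, GUESS_C, 6))
    print("guess D vs welcome:", first_mismatch(WELCOME, GUESS_D, 6))
    print("unknown byte at:", [unknown_byte_position(45 - k, k) for k in range(3)])
```

A mode that uses a fresh random IV or nonce per message (for example an AEAD such as AES-GCM) removes both signals: repeated plaintext blocks no longer repeat in the ciphertext, and re-encrypting the same message does not reproduce the welcome blocks.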