2021津门杯

2021津门杯Misc


m0usb

运气好+师傅们都还没起床,有幸拿了一血

usb流量

tshark -r 12.pcapng -T fields -e usb.capdata > usbdata.txt

提取出来的文件带空行,调整命令

tshark -r 12.pcapng -T fields -e usb.capdata | sed '/^\s*$/d' > usbdata.txt

usb脚本结合

txt格式(无“:”)

更改脚本

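#!/usr/bin/env python
# -*- coding:utf-8 -*-
"""Decode USB HID keyboard reports (tshark ``usb.capdata``) into typed text.

Each input line is one keyboard report in hex, with or without ":" between
bytes: byte 0 is the modifier bitmap and byte 2 is the first key usage ID.
Only that first key slot is read, so keys held together (bytes 3-7) are
ignored.
"""

# Printable keys: usage ID -> two characters, (unshifted, shifted).
# Space is doubled so that indexing with the shift flag never fails.
usb_codes = {
    0x04: "aA", 0x05: "bB", 0x06: "cC", 0x07: "dD", 0x08: "eE", 0x09: "fF",
    0x0A: "gG", 0x0B: "hH", 0x0C: "iI", 0x0D: "jJ", 0x0E: "kK", 0x0F: "lL",
    0x10: "mM", 0x11: "nN", 0x12: "oO", 0x13: "pP", 0x14: "qQ", 0x15: "rR",
    0x16: "sS", 0x17: "tT", 0x18: "uU", 0x19: "vV", 0x1A: "wW", 0x1B: "xX",
    0x1C: "yY", 0x1D: "zZ", 0x1E: "1!", 0x1F: "2@", 0x20: "3#", 0x21: "4$",
    0x22: "5%", 0x23: "6^", 0x24: "7&", 0x25: "8*", 0x26: "9(", 0x27: "0)",
    0x2C: "  ", 0x2D: "-_", 0x2E: "=+", 0x2F: "[{", 0x30: "]}", 0x32: "#~",
    0x33: ";:", 0x34: "'\"", 0x36: ",<", 0x37: ".>", 0x38: "/?",
}

# Non-printable keys are emitted as one whole token. The earlier table stored
# them as "<F1><F1>" and indexed a single character out of it, which produced
# "<" or "F". Usage IDs 0x3A-0x45 are F1-F12 in the HID usage tables.
special_keys = {
    0x39: "<CAP>", 0x3A: "<F1>", 0x3B: "<F2>", 0x3C: "<F3>", 0x3D: "<F4>",
    0x3E: "<F5>", 0x3F: "<F6>", 0x40: "<F7>", 0x41: "<F8>", 0x42: "<F9>",
    0x43: "<F10>", 0x44: "<F11>", 0x45: "<F12>",
}

SHIFT_MASK = 0x22  # modifier bit 1 = left shift, bit 5 = right shift
ENTER = 0x28


def decode_keystrokes(lines):
    """Turn hex keyboard reports into the text that was typed.

    Args:
        lines: iterable of report strings, e.g. "0200050000000000" or
            "02:00:05:00:00:00:00:00".

    Returns:
        A list of strings: one entry per Enter key press (the text typed
        before it), followed by whatever was typed after the last Enter.
    """
    finished = []
    current = []
    for line in lines:
        # Dropping ":" lets the same offsets work for both tshark formats.
        report = line.strip().replace(":", "")
        if len(report) < 6:
            continue  # blank line or a packet too short to hold a key code
        try:
            modifier = int(report[0:2], 16)
            code = int(report[4:6], 16)
        except ValueError:
            continue  # not hex, e.g. a stray header line
        if code == 0:
            continue  # key-release report
        if code == ENTER:
            finished.append("".join(current))
            current = []
            continue
        if code in usb_codes:
            # Mask instead of comparing for equality, so Shift still counts
            # when another modifier is held at the same time.
            shifted = 1 if modifier & SHIFT_MASK else 0
            current.append(usb_codes[code][shifted])
        else:
            # Unknown usage IDs stay visible instead of raising KeyError.
            current.append(special_keys.get(code, "<0x%02x>" % code))
    finished.append("".join(current))
    return finished


if __name__ == "__main__":
    with open("uuu.txt", "r") as capture:
        decoded = decode_keystrokes(capture)
    for data in decoded[:-1]:
        print('ENTER!')
        print(data)
    print(decoded[-1])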

# 884080810882108108821042084010421

01248编码

上网找到脚本


#!/usr/bin/python
# -*- coding=utf8 -*-
"""
# @Author : pig
# @CreatedTime:2019-11-2423:54:02
# @Description :
"""

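def de_code(c):
    """Decode a 01248-cipher string into a list of uppercase letters.

    "0" separates letters. The digits of each group are summed to give the
    letter's position in the alphabet (1 = "A" ... 26 = "Z").

    Empty groups (empty input, a doubled or trailing "0") are skipped; they
    previously summed to 0 and indexed ``dic[-1]``, emitting a spurious "Z".

    Args:
        c: the digit string, e.g. "884080810".

    Returns:
        The decoded letters, one list element per group.

    Raises:
        ValueError: a group contains a non-digit character.
        IndexError: a group sums to more than 26.
    """
    dic = [chr(i) for i in range(ord("A"), ord("Z") + 1)]
    flag = []
    for group in c.split("0"):
        if not group:
            continue
        position = sum(int(digit) for digit in group)
        flag.append(dic[position - 1])
    return flag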
def encode(plaintext):
    """Print the 01248 encoding of *plaintext*.

    Each uppercase letter A-Z becomes its alphabet position (1-26) written as
    a run of "8", "4", "2" and "1" digits that sum to that position. Letters
    are joined with "0". Any other character is dropped without notice.
    """
    rank = {chr(code): code - ord("A") + 1
            for code in range(ord("A"), ord("Z") + 1)}
    positions = [rank[ch] for ch in plaintext if ch in rank]

    groups = []
    for pos in positions:
        eights, rest = divmod(pos, 8)
        groups.append(
            "8" * eights
            + "4" * (rest // 4)
            + "2" * (pos % 4 // 2)
            + "1" * (pos % 2)
        )
    # "0" only between groups, so there is no trailing separator to trim.
    print("0".join(groups))
# Interactive driver: decode one digit string, then encode one plaintext.
# The second prompt's wording asks for a digit string, but encode() only maps
# uppercase A-Z letters.
print(de_code(input("输入要解密的数字串:")))
encode(input("请输入要加密的数字串:"))

# 输入要解密的数字串:884080810882108108821042084010421
# ['T', 'H', 'I', 'S', 'I', 'S', 'F', 'L', 'A', 'G']
# flag{THISISFLAG}

m1bmp

lsb隐写

Stegsolve中提取最低位

后得到一段base编码的字符串

解码得到flag


tunnel

参考博客

https://blog.xpnsec.com/bsidessf-dnscap/

tshark -r tunnel.pcap -Tfields -e dns.qry.name > names.txt

观察得到的txt

出现诸多【evil.im】

观察第一行数据【UEsDBDMAAwBjAJ12k1KDFWibyjR.evil.im】

尝试一把梭解码,发现base64:【PK3cv“Rƒh›Ê4】

zip文件头

尝试

import re
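# Dots are escaped so they match literally. The unescaped pattern '.evil.im'
# treats each dot as "any character" and also matches unrelated names.
TUNNEL_DOMAIN = re.compile(r"\.evil\.im")


def unique_tunnel_names(lines):
    """Return the query names that mention the tunnel domain, without repeats.

    Lines are kept as read (trailing newline included) and in capture order,
    keeping only the first occurrence of each.

    NOTE(review): de-duplicating by value would also drop a chunk that
    legitimately repeats inside the payload; if the reassembled file is
    corrupt, check whether that happened.
    """
    seen = set()
    kept = []
    for line in lines:
        if TUNNEL_DOMAIN.search(line) and line not in seen:
            seen.add(line)
            kept.append(line)
    return kept


if __name__ == "__main__":
    with open('names.txt') as name:
        a = unique_tunnel_names(name)
    print(a)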

进行数据清洗,

base64解码后拼接,提示zip格式报错。

卡住

事后复现的时候才知道

此处应当先对每一行base64单独补齐“=”(每一行都是独立编码的片段),再进行解码拼接

# Each line is a separately encoded base64 fragment: pad every line to a
# multiple of four characters on its own before decoding.
with open("11.txt", "r") as src:
    fragments = src.readlines()

for raw in fragments:
    chunk = raw.strip()
    missing = -len(chunk) % 4  # 0 when the length is already a multiple of 4
    print(chunk + "=" * missing)

这样才能得到不报错的zip压缩包

def inttobin(a, n):
    """Return *a* in binary, left-padded with "0" to at least *n* digits."""
    return bin(a)[2:].rjust(n, '0')

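# Standard base64 alphabet; a character's index is its 6-bit value.
table = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'

# Collect the bits hidden in base64 padding. In a padded line the last data
# character carries bits the decoder discards: the low 4 bits when the line
# ends in "==", the low 2 bits when it ends in a single "=".
tmpbin = ''
with open("2.txt", "r") as f:
    for line in f:
        # Strip first, so a final line without a newline and blank lines are
        # handled. Fixed negative indexes assumed a trailing "\n".
        encoded = line.strip()
        if encoded.endswith('==') and len(encoded) >= 3:
            tmpbin += inttobin(table.index(encoded[-3]), 6)[2:]
        elif encoded.endswith('=') and len(encoded) >= 2:
            tmpbin += inttobin(table.index(encoded[-2]), 6)[4:]

# Regroup the collected bits into bytes; leftover bits (< 8) are dropped.
res = ''.join(
    chr(int(tmpbin[8 * i:8 * i + 8], 2)) for i in range(len(tmpbin) // 8)
)
print(res)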

# password: B@%MG"6FjbS8^c#r

flag
