HSCSEC 2023-wp

Ancient-MISC

Watch the sky at night

24星宿
斗木獬角木蛟奎木狼亢金龙 牛金牛女土蝠氐土貉井木犴 虚日鼠房日兔心月狐鬼金羊 危月燕室火猪尾火虎柳土獐 壁水貐箕水豹斗木獬牛金牛 女土蝠角木蛟亢金龙星日马 虚日鼠张月鹿娄金狗翼火蛇 危月燕氐土貉房日兔轸水蚓 室火猪心月狐井木犴胃土雉 壁水貐斗木獬鬼金羊柳土獐 牛金牛尾火虎箕水豹女土蝠 虚日鼠昴日鸡柳土獐毕月乌 危月燕觜火猴角木蛟星日马 室火猪参水猿奎木狼壁水貐 斗木獬娄金狗牛金牛女土蝠 虚日鼠胃土雉张月鹿昴日鸡 危月燕翼火蛇室火猪亢金龙 壁水貐斗木獬轸水蚓井木犴 牛金牛氐土貉房日兔女土蝠 虚日鼠危月燕心月狐尾火虎 室火猪鬼金羊柳土獐壁水貐

东北西南依次对应0123,4进制

1
2
3
4
5
6
7
8
9
10
11
m = ""
text ="1020,1103,1003,1103,1011,1003,1323,1003,1032,1133,1001,1232,1203,1221,1211,1232,1310,1133,1001,1100,1331"

c=text.split(",")
for i in c:
        temp = 0
        for j in range(len(i)):
            temp += int(i[j]) * (4 ** (len(i) - j -1))
        m += chr(temp)
print (m)
#HSCSEC{CN_Ancient_AP}

Deduced gossip

盗墓笔记看多了,了解一点,一眼八卦

1
☲☵ ☷☵☳ ☶空 ☷☵☳ ☶☱ ☶空 ☷空☱ ☶空 ☷☳☰ ☷☳☱ ☷☴☳ ☷☳☳ ☷☴☶ ☷☳☳ ☷☷☰ ☷☳空 ☰☴ ☷☴☶ ☷☴☶ ☷☴空 ☷空☲

八卦有八个卦象,还有一个空字,猜测9进制
猜格式是HSCSEC{}
前7个对应9进制80,102,74,102,76,74,146,最后一个是148
则还剩下3,5没有对应,尝试两次就行
exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
dict1 = {'☵':'0','☷':'1','☳':'2','☴':'3','空':'4',
        '☰':'5','☱':'6','☶':'7','☲':'8'}
dict2={'☵':'0','☷':'1','☳':'2','☰':'3','空':'4',
        '☴':'5','☱':'6','☶':'7','☲':'8'}
c= '☲☵ ☷☵☳ ☶空 ☷☵☳ ☶☱ ☶空 ☷空☱ ☶空 ☷☳☰ ☷☳☱ ☷☴☳ ☷☳☳ ☷☴☶ ☷☳☳ ☷☷☰ ☷☳空 ☰☴ ☷☴☶ ☷☴☶ ☷☴空 ☷空☲'
flag1=''
flag2= ''
#表1
for x in c:
    if x==' ':
        flag1 +=' '
        continue
    flag1 +=  dict1.get(x)
#表2
for x in c:
    if x==' ':
        flag2 +=' '
        continue
    flag2+=  dict2.get(x)
print(flag1)
print(flag2)
#80 102 74 102 76 74 146 74 125 126 132 122 137 122 115 124 53 137 137 134 148
#80 102 74 102 76 74 146 74 123 126 152 122 157 122 113 124 35 157 157 154 148

然后在线转换器转一下发现表1是对的
HSCSEC{Chinese_g0ssip}

Social Engineering

Happy Lantern Festival

说明:flag形式为:HSCSEC{} 例如:HSCSEC{广东省广州市天河区天河市天河路天河步行街}

图片信息:阿勒泰市第13届元宵灯会


HSCSEC{新疆维吾尔自治区阿勒泰地区阿勒泰市五百里风情街}

Boat

说明:flag形式为:HSCSEC{} 例如:HSCSEC{具体地址}

百度识图第一张就是

地图搜西湖

HSCSEC{浙江省杭州市西湖区龙井路1号}

Cable car


一眼重庆


根据图片基本可以判断一个区域

看图片是一个靠近江边的地方
搜山什集找到类似的图片

HSCSEC{重庆市渝中区白象居4号楼9-1号}

Romantic firework



甘肃消防

图上建筑吻合
https://cul.sohu.com/a/635448600_120801
地图上找位置
HSCSEC{甘肃省白银市白银区金岭公园}

Airplane


一直分析飞机无果
重庆航空,飞机注册号B-30EL

然查找B-30EL发现:https://www.jiemian.com/article/5391407.html


大兴机场的鸟瞰图
对比吻合
HSCSEC{ 北京市大兴区大兴国际机场}

Beautiful Lake

flag形式为:HSCSEC{} 例如:HSCSEC{广东省广州市天河区天湖}
看图片左侧

宁夏理工学院


HSCSEC{宁夏回族自治区石嘴山市大武口区星海湖}

Beautiful Park

flag形式为:HSCSEC{} 例如:HSCSEC{广东省广州市天河区天河国家湿地公园}


地图搜
HSCSEC{**河北省张家口市怀来县官厅水库国家湿地公园}**

Apple Store

flag形式为:HSCSEC{} 例如:HSCSEC{广东省广州市天河区天河路1号} 例如:HSCSEC{广东省广州市天河区天河路1号环贸F1}

百度地图:苹果西单大悦城店

HSCSEC{北京市西城区西单北大街131号}

Tower

澳门巴黎铁塔附近
全景地图

看图片应该是在楼梯这个位置拍的
HSCSEC{澳门特别行政区路氹填海区澳门路氹金光大道连贯公路澳门巴黎人}

crypto

Operator

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
#!/bin/python3
from Crypto.Util.number import bytes_to_long, getPrime

FLAG = "*******************MASK****************"

# print(FLAG)
number1 = getPrime(512)
number2 = getPrime(1024)
print(number1)
result = FLAG * number1 % number2
print(result)

"""
Output:
11488359375916816818731868252559119400126174593041608170883818546254791846479664455120194350355087017477744828351806157930199157462913063513512421460678471
1890846045246997191702622225497063073251667816125412875121879991742654650976309481716690792328873189601779812108551290078049710826355501933349874438201643986975141068179879506727213209273645848165732801667704040761771
"""

显然number2远远大于number1,且flag就30位左右,所以FLAG * number1 mod number2 其实就等于FLAG * number1
直接FLAG =result// number1

1
2
3
4
5
6
from Crypto.Util.number import*
number1=11488359375916816818731868252559119400126174593041608170883818546254791846479664455120194350355087017477744828351806157930199157462913063513512421460678471
result=1890846045246997191702622225497063073251667816125412875121879991742654650976309481716690792328873189601779812108551290078049710826355501933349874438201643986975141068179879506727213209273645848165732801667704040761771
flag=result//number1
print('HSCSEC'+str(long_to_bytes(flag))[6:])
#HSCSEC{qMmZqWvmj70bBsCfmVLT}

EZRSA

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
from Crypto.Util.number import *
import gmpy2
from flag import m

p = getPrime(1024)
q = getPrime(1024)
n = p * q
print('n =',n)
e = 0x10001
M = m * e * 1 * 2022 * p
c = pow(M,e,n)
print('c =',c)

# n = 16266043783454053154037197753138388613864200794483663334493856481522764684650995230938142916968470804276539967429581472897698022852787399956166067156691430593337430691851251036378709799238876668312530223697905925939542713491015517460139150765778057817475571231361809654951289718071760502692960235551663466242938669673675870151921605230499603814070711617511206013584605131901906195136038060653121164252894949526861390984185085201067988694831398388037080993820517447099157891181179389949333832439004857436617834100885739716577641892686620423154860716308518151628754780994043553863224363539879909831811888663875989774849
# c = 12716190507848578560760116589677996073721225715245215495257947887969923319693501568134141757778665747980229898129090929698368855086594836111461700857934476682700625486249555753323344759513528101651108919161794915999809784961533946922607642974500946026677116418317599095703217004064379100607278317877894742815660315660254853364776654303066021672567442581774299847661025422994141801987588151758971034155714424052693627277202951522779716696303237915400201362585413354036973117149974017434406560929491956957193491445847385625481870256240443170803497196783872213746269940877814806857222191433079944785910813364137603874411

1
2
M = m * e * 1 * 2022 * p
c = pow(M,e,n)

这里猜测可以公约数求p

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
import gmpy2
from Crypto.Util.number import *
n = 16266043783454053154037197753138388613864200794483663334493856481522764684650995230938142916968470804276539967429581472897698022852787399956166067156691430593337430691851251036378709799238876668312530223697905925939542713491015517460139150765778057817475571231361809654951289718071760502692960235551663466242938669673675870151921605230499603814070711617511206013584605131901906195136038060653121164252894949526861390984185085201067988694831398388037080993820517447099157891181179389949333832439004857436617834100885739716577641892686620423154860716308518151628754780994043553863224363539879909831811888663875989774849
c = 12716190507848578560760116589677996073721225715245215495257947887969923319693501568134141757778665747980229898129090929698368855086594836111461700857934476682700625486249555753323344759513528101651108919161794915999809784961533946922607642974500946026677116418317599095703217004064379100607278317877894742815660315660254853364776654303066021672567442581774299847661025422994141801987588151758971034155714424052693627277202951522779716696303237915400201362585413354036973117149974017434406560929491956957193491445847385625481870256240443170803497196783872213746269940877814806857222191433079944785910813364137603874411
e = 0x10001
x=(c*gmpy2.invert(pow(2022,e,n),n)*gmpy2.invert(pow(e,e,n),n))%n
#通过乘逆元然后求p,然后解RSA解出M
p=gmpy2.gcd(x,n)
q=n//p
d=gmpy2.invert(e,(p-1)*(q-1))
M=pow(c,d,n)
#然后接着还原flag
m=M//e//2022//p
print('HSCSEC'+str(long_to_bytes(m))[6:])
#HSCSEC{3e5e2789a93a80615cc35edbff397c05}

EZVC

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
# -*- coding: utf-8 -*-
import flag
alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!"#$%&\'()*+,-./:;<=>?@[\]^_`{|}~'
key = 'HSC'
assert flag.startswith('HSCSEC{')
flag_num_list = []
c = []
for item in flag:
    flag_num_list.append(alphabet.find(item) + 1)
key_num = alphabet.find(key) + 1
for i in flag_num_list:
    m = (i + key_num) % 94 - 1
    if m == 0:
        c.append("□")
    c.append(alphabet[m-1:m])
print("c = {}".format(''.join(c)))

# c = GRBRDB`jg10ij2g01i,g201gi,2gi2,012igaigagi|

逆推一下就行

1
2
3
4
5
6
7
8
9
10
11
12
13
14
alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!"#$%&\'()*+,-./:;<=>?@[\]^_`{|}~'
key = 'HSC'
c = "GRBRDB`jg10ij2g01i,g201gi,2gi2,012igaigagi|"
flag = ""
key_num = alphabet.find(key) + 1
for i in c:
    if i == "□":
        m = 0
    else:
        m = alphabet.find(i) + 1
    flag_num = (m - key_num) % 94 + 1
    flag += alphabet[flag_num-1:flag_num]
print("flag = {}".format(flag))
#flag = HSCSEC{kh21jk3h12j-h312hj-3hj3-123jhbjhbhj}

misc

EZIMG


010打开发现末尾有反过来的png
工具: https://github.com/AabyssZG/FileReverse-Tools
逆序一下python3 FileReverse-Tools.py -i desktop.png

HSCSEC{p3g_h

在文件尾后发现01数据

1
2
3
4
5
6
7
8
9
10
11
12
13
14
from PIL import Image
MAX = 25
pic = Image.new("RGB",(MAX, MAX))
str = "0000000001001011000000000000000000011111100000000000000000111010110000000000000000001110000000000000000000000010001100000000000000000010001011000000000000000010101010100000000000000001110110100000000011101111101110001110001001100010100110110100001011111010100100110001000111100100000100101001011000101100111100001101011110010010101001001001111100001110100110110100100011110110110110100001001101101011101001111010100011111101100000000101010011000110110000000010001101101010011000000001111111010001101100000000101100101111110010000000001000011010001100000000001010001111011000100000000111000111100000100000000011101101101010011"
i=0
for y in range (0,MAX):
    for x in range (0,MAX):
        if(str[i] == '1'):
            pic.putpixel([x,y],(0, 0, 0))
        else:
            pic.putpixel([x,y],(255,255,255))
        i = i+1
pic.show()
pic.save("flag.png")

转换为二维码

加定点


flag2:aQR_c0de_and
https://www.wotianna.com/pixels/

_3nc}
综上所述:HSCSEC{p3G_haQR_c0de_and_3nc}

Salute


末尾有一段MD5
5d93ceb70e2bf5daa84ec3d0cd2c731a

qwer1234
文件异或qwer1234

得到压缩包

对png

flag2/key that_is意思是flag2和KEY都是that_is,那么前面解出来的那串应该就是flag1了
steghide分离
steghide extract -sf /home/kali/桌面/salute.jpg -p that_is


flag3:_c0ol}
综上所述:HSCSEC{qwer1234that_is_c0ol}

web

EZSSTI

tplmap 一把梭
注入点是name

CTF > 比赛Write Up
#比赛Write Up
HSCSEC 2023-wp
http://example.com/2023/02/13/HSCSEC 2023-wp/
作者
J_0k3r
发布于
2023年2月13日
许可协议
BY J_0K3R