2021CTF WP

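2021 Xihu Lunjian (西湖论剑)

Yusa's Password

The challenge provides one image file and one encrypted archive.

The challenge contains five easter eggs:

egg1 yusa姐姐很担心比赛时平台卡得崩溃,为此彻夜难眠 (Yusa is so worried the platform will lag and crash during the contest that she cannot sleep at night)
egg2 yusa姐姐是尊贵的SVIP8,不会有人不知道叭 (Yusa is a distinguished SVIP8; surely everyone knows that)
egg3 You still have lots more to work on...
egg4 yusa姐姐有好多好多的小娇妻,渣男 (Yusa has lots and lots of little wives, what a player)
egg5 yusa姐姐希望西湖论剑的flag格式为yusameinv{.*?},但我就不^_^ (Yusa wishes the Xihu Lunjian flag format were yusameinv{.*?}, but I won't do that ^_^)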

Running mimikatz directly gives the password YusaYusa520:

Module   User             Domain           Password
-------- ---------------- ---------------- ----------------------------------------
wdigest  Yusa             YUSA-PC          YusaYusa520
wdigest  YUSA-PC$         WORKGROUP

Decrypting the archive gives a file named Who_am_I, whose type is not obvious.

filescan shows that the Sakura文件 folder contains several files:

0x000000003e58ada0      1      0 R--r-- \Device\HarddiskVolume2\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\Sakura-didi
0x000000003e78c6a0      1      0 R--r-- \Device\HarddiskVolume2\Users\Yusa\Desktop\Sakura文件\Sakura-公告
0x000000003f2ae290      1      0 R--r-- \Device\HarddiskVolume2\Users\Yusa\Desktop\Sakura文件\Sakura-egg5
0x000000003f959980      1      0 R--r-- \Device\HarddiskVolume2\Users\Yusa\Desktop\Sakura文件\Sakura-备忘录
0x000000003faa3a20      2      0 RW-rw- \Device\HarddiskVolume2\Users\Yusa\AppData\Roaming\Microsoft\Windows\Recent\Sakura文件.lnk
0x000000003fabc220      1      0 R--r-- \Device\HarddiskVolume2\Users\Yusa\Desktop\Sakura文件\Sakura-logo

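Sakura-didi is an encrypted zip file; Sakura文件.lnk is a link file pointing to the Sakura文件 folder on the desktop; Sakura-logo is a cherry-blossom logo; Sakura-egg5 is an easter egg; and the Sakura-公告 file reads:

全体成员注意,我们将在11月20号,对地球发起总攻,请做好准备。
(Attention all members: on November 20 we will launch an all-out attack on Earth. Please be prepared.)

The hint is in Sakura-备忘录:

2021.11.15:请组织内的人务必删除所有不必要的联系方式,防止我们的计划出现问题。
(2021.11.15: Everyone in the organization must delete all unnecessary contact details so that nothing goes wrong with our plan.)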

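Finding the contact details

There are two files: Mystery Man.contact and Yusa.contact.

File 1

The file can be opened directly in a text editor, since it is XML text; it can also be opened with Windows Contacts, where the message is in the Notes field.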

LF2XGYPPXSGOPO4E465YPZMITLSYRGXGWS7OJOEL42O2LZFYQDSLRKXEXO56LCVB566IZ2FPW7S37K7HQK46LLUM42EJB354RTSL3IHFR6VONHEJ4S4ITZNEVHTJPNXJS62OHAECGZGCWWRVOBUXMNKMGJTTKTDZME2TKU3PGVMWS5ZVGVYUKYJSKY2TON3ZJU2VSK3WGVGHK3BVGVJW6NLBGZCDK33NKQ2WE6KBGU3XKRJVG52UQNJXOVNDKTBSM42TK4KFGVRGK3BVLFLTGNBUINBTKYTFNQ2VSVZTGVNEOOJVLJBU4NKMGZSDKNCXNY2UY4KHGVGHSZZVG52WMNSLMVCTKWLJLI2DIQ2DMEZFMNJXG54WCT2EJF3VSV2NGVGW2SJVLJVFKNCNKRIXSWLNJJUVS6SJGNMTERLZJ5KFM3KNK5HG2TSEM46Q====
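# base32-decodes to (the plaintext sentence at the start reads: "Yusa, the organization has just handed down a task. Finish it quickly; you only have three days."), followed by base64: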
Yusa,组织刚刚派下来一个任务,请快点完成,你只有三天时间。6L+Z5piv5L2g5Lya55So5Yiw55qEa2V577yM5Y+v5Lul55So5a6D5omT5byA57uE57uH57uZ5L2g55qE5bel5YW344CC5bel5YW35ZG95ZCN5L6d54Wn5LqG5Lyg57uf6KeE5YiZ44CCa2V577yaODIwYWM5MmI5ZjU4MTQyYmJiYzI3Y2EyOTVmMWNmNDg=
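# base64-decodes to (in English: "This is the key you will need; you can use it to open the tool the organization gave you. The tool is named according to the traditional rules.", followed by the key):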
这是你会用到的key,可以用它打开组织给你的工具。工具命名依照了传统规则。key:820ac92b9f58142bbbc27ca295f1cf48

Decrypting Sakura-didi.zip with this key yields key.bmp; what it is for is not yet clear.

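File 2

Same as above: the website field holds egg3. Opened as text, the file also contains a base-encoded string that decodes to a BMP image, which is the Windows Contacts avatar.

The notes field contains a line of text:

一位经常忘事,所以会把重要事情记录在便笺里的漂亮女孩
(A pretty girl who often forgets things, so she records important matters in sticky notes.)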

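Finding the sticky note contents

This leads to StickyNotes.snt, the file in which Windows 7 stores sticky notes. Windows 7 should be able to open it directly with Sticky Notes; Windows 10 apparently cannot.

Viewing the contents directly in 010 Editor and applying CyberChef's From Hex + Decode text gives the following: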

\'d6\'d5\'d3\'da\'c4\'c3\'b5\'bd\'c1\'cb\'d7\'e9\'d6\'af\'b5\'c4\'ba\'cb\'d0\'c4'c3\'dc\'c2\'eb\'a3\'ac\'ce\'d2\'b2\'bb\'cf\'eb\'d4\'d9\'b5\'b1\'ce\'d4\'b5\'d7\'c1\'cb\'a3\'ac\'ce\'d2\'cf\'eb\'b8\'cf\'bd\'f4\'c0\'eb\'bf\'aa\'d5\'e2\'b8\'f6\'b9\'ed\'b5\'d8\'b7\'bd\'a1\'a3\'ba\'cb\'d0\'c4\'c3\'dc\'c2\'eb\'ca\'c7\'a3\'ba\'ca\'c0\'bd\'e7\'c3\'bb\'c1\'cb\'d0\'c4\'cc\'f8\'a1\'a3\
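终于拿到了组织的核心密码,我不想再当卧底了,我想赶紧离开这个鬼地方。核心密码是:世界没了心跳。
(I finally have the organization's core password. I don't want to be an undercover agent any more; I want to get out of this awful place as soon as possible. The core password is: 世界没了心跳.)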
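The decoding step above can be reproduced offline. This is an added example, not code from the original write-up: the function name and regex are assumptions, the input is assumed to be a run of RTF `\'xx` byte escapes in GBK, and the two samples are copied from the tail and the middle of the escaped string shown above.

```python
import re

# RTF writes non-ASCII bytes as \'xx. The backslash is optional in this
# pattern so that a damaged escape such as 'c3 (one occurs in the dump
# above) is still decoded instead of silently dropping a byte.
HEX_ESCAPE = re.compile(r"\\?'([0-9a-fA-F]{2})")


def decode_rtf_hex(fragment, encoding="gbk"):
    r"""Decode a run of RTF \'xx escapes; text between runs is kept as-is."""
    out, raw, pos = [], bytearray(), 0
    for m in HEX_ESCAPE.finditer(fragment):
        literal = fragment[pos:m.start()].strip("\\\r\n")
        if literal:
            # Flush the bytes collected so far before emitting plain text,
            # so a two-byte GBK character is never split across a flush.
            out.append(raw.decode(encoding, errors="replace"))
            raw.clear()
            out.append(literal)
        raw.append(int(m.group(1), 16))
        pos = m.end()
    out.append(raw.decode(encoding, errors="replace"))
    out.append(fragment[pos:].strip("\\\r\n"))
    return "".join(out)


# Tail of the escaped string from StickyNotes.snt shown above.
SAMPLE = (r"\'ba\'cb\'d0\'c4\'c3\'dc\'c2\'eb\'ca\'c7\'a3\'ba"
          r"\'ca\'c0\'bd\'e7\'c3\'bb\'c1\'cb\'d0\'c4\'cc\'f8\'a1\'a3")
# The part of the dump where one escape has lost its backslash.
DAMAGED = r"\'ba\'cb\'d0\'c4'c3\'dc\'c2\'eb"

if __name__ == "__main__":
    print(decode_rtf_hex(SAMPLE))
    print(decode_rtf_hex(DAMAGED))
```
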

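Decrypting the key.zip file with the core password gives the encryption script (exp). It is the logic that produced Who_am_I from the flag file and the key.bmp above, and it is just a very simple XOR.

Swapping the commented-out lines below in for the originals decrypts the data and gives the flag file, which is a GIF.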

from PIL import Image
import struct
pic = Image.open('key.bmp')
fp = open('flag', 'rb')
fs = open('Who_am_I', 'wb')
# fp = open('flag', 'wb')
# fs = open('Who_am_I', 'rb')

a, b = pic.size
list1 = []
for y in range(b):
    for x in range(a):
        pixel = pic.getpixel((x, y))
        list1.extend([pixel[1], pixel[0], pixel[2], pixel[2], pixel[1], pixel[0]])

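data = fp.read()
for i in range(0, len(data)):
    # i % a*b*6 parses as ((i % a) * b) * 6, not i % (a*b*6); keep it as written so decryption matches encryption
    fs.write(struct.pack('B', data[i] ^ list1[i % a*b*6]))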
# data = fs.read()
# for i in range(0, len(data)):
#     fp.write(struct.pack('B', data[i] ^ list1[i % a*b*6]))

fp.close()
fs.close()
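A self-contained round trip of the scheme in the script above, as an added example rather than code from the challenge. Pixels are passed as a list of (R, G, B) tuples instead of being read with PIL, and the 2x2 key image and the plaintext are constructed.

```python
def keystream(pixels):
    """Expand each (R, G, B) pixel to the six bytes G, R, B, B, G, R."""
    ks = []
    for r, g, b in pixels:
        ks.extend([g, r, b, b, g, r])
    return ks


def key_index(i, width, height):
    # Mirrors the script's `i % a*b*6`. % and * share precedence and bind
    # left to right, so this is ((i % width) * height) * 6.
    return i % width * height * 6


def xor_with_image(data, pixels, width, height):
    """Encrypts or decrypts: XOR with the same key bytes is its own inverse."""
    ks = keystream(pixels)
    return bytes(c ^ ks[key_index(i, width, height)] for i, c in enumerate(data))


def used_key_offsets(width, height):
    """Keystream offsets the cipher can ever touch: only `width` of them."""
    return sorted({key_index(i, width, height) for i in range(width * height * 6)})


def looks_like_gif(blob):
    """Cheap success check for the decrypted output."""
    return blob[:6] in (b"GIF87a", b"GIF89a")


# Constructed 2x2 key image in row-major order, and a constructed plaintext.
WIDTH, HEIGHT = 2, 2
PIXELS = [(10, 20, 30), (40, 50, 60), (70, 80, 90), (100, 110, 120)]
PLAINTEXT = b"GIF89a" + bytes(range(16))

CIPHERTEXT = xor_with_image(PLAINTEXT, PIXELS, WIDTH, HEIGHT)
RECOVERED = xor_with_image(CIPHERTEXT, PIXELS, WIDTH, HEIGHT)

if __name__ == "__main__":
    print(used_key_offsets(WIDTH, HEIGHT), looks_like_gif(RECOVERED))
```

Because of the operator precedence, the 24-byte keystream in this sample collapses to a repeating key of `width` bytes, which is why the index expression has to be copied unchanged when decrypting.
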

Frame 10 in Stegsolve shows the flag directly:

DASCTF{c3837c61-77f1-413e-b2e6-3ccbc96df9f4}

Easter eggs

1: On the desktop there is a file 新建文本文档.txt that contains egg1.

0x000000003e20d900      1      0 R--r-- \Device\HarddiskVolume2\Users\Yusa\Desktop\新建文本文档.txt

2: filedumps yields egg2; its content is the easter egg.

0x000000003f82fdc0      1      0 R--r-- \Device\HarddiskVolume2\Program Files\Reference Assemblies\Microsoft\Framework\egg2

3: The website field of Yusa.contact.

egg3 You still have lots more to work on...

4: cmdscan yields egg4.

egg4 eXVzYeWnkOWnkOacieWlveWkmuWlveWkmueahOWwj+Woh+Wmu++8jOa4o+eUtw==
# base64-decodes to: yusa姐姐有好多好多的小娇妻,渣男 (Yusa has lots and lots of little wives, what a player)

5: screenshot yields th1s_1s_3gg5_k3y.

Applying the key above to the file below gives egg5:

0x000000003f2ae290      1      0 R--r-- \Device\HarddiskVolume2\Users\Yusa\Desktop\Sakura文件\Sakura-egg5

2021L3HCTF

DeepDarkFantasy

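Installing torch

I happened to have CUDA available, so I decided to follow along and reproduce the challenge.

A .pth file is a torch model file; XORing it gives the correct model.

torch installs with a single command from the official site: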

pip3 install torch==1.10.0+cu102 torchvision==0.11.1+cu102 torchaudio===0.10.0+cu102 -f https://download.pytorch.org/whl/cu102/torch_stable.html

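Background

torch has two ways to save a model:

  1. Save the whole network's structure together with the model's parameters; the object passed to save is the network net.

A model saved this way is turned into a new network directly by torch.load().

# save the model
torch.save(model_object,'resnet.pth')
# load the model
model=torch.load('resnet.pth')

  2. Save only the network's trained parameters; the object passed to save is net.state_dict().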

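To use a model saved this way, first import the corresponding network, then call net.load_state_dict() to load the parameters.

# save the my_resnet model as my_resnet.pth
torch.save(my_resnet.state_dict(),"my_resnet.pth")
# load resnet; the model is stored in my_resnet.pth
my_resnet.load_state_dict(torch.load("my_resnet.pth"))
# my_resnet is the network structure that my_resnet.pth corresponds to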

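Reproduction

0x01 First determine how the model was saved

load(model) fails during deserialization with an error from find_class; MyAutoEncoder is a class defined by the challenge author.

So we need to build the network by hand and then load it.

After defining a class with the same name by hand and instantiating it, load complains that Encoder and Decoder are missing.

Once three empty classes are written, load succeeds and shows the saved network structure and the trained parameters.

At this point we can confirm the model was saved with the first method, i.e. both the network model and the trained parameters are stored.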
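The find_class errors above come from the pickle stream naming classes that must be importable at load time. The added example below (not the author's code, and written without torch) lists every global a pickle asks for by handing back inert placeholders instead of importing anything. The module name challenge_model and the sample checkpoint are constructed, and for a zip-format .pth the bytes to inspect are assumed to be its data.pkl member.

```python
import io
import pickle
import sys
import types


class Placeholder:
    """Inert stand-in returned for every global the pickle requests."""
    def __init__(self, *args, **kwargs):
        pass

    def __setitem__(self, key, value):   # tolerate SETITEM(S) on stand-ins
        pass


class RecordingUnpickler(pickle.Unpickler):
    """Never imports or calls real code; records each find_class request."""
    def __init__(self, file):
        super().__init__(file)
        self.seen = []

    def find_class(self, module, name):
        self.seen.append((module, name))
        return type(name, (Placeholder,), {"__module__": module})

    def persistent_load(self, pid):      # torch stores tensors as persistent ids
        return Placeholder()


def referenced_globals(blob):
    """Return the sorted (module, name) pairs the pickle would resolve."""
    unpickler = RecordingUnpickler(io.BytesIO(blob))
    unpickler.load()
    return sorted(set(unpickler.seen))


def plain_load_error(blob):
    """Name of the exception a normal load raises, or None if it succeeds."""
    try:
        pickle.loads(blob)
    except (ImportError, AttributeError) as exc:
        return type(exc).__name__
    return None


def build_sample_checkpoint():
    """Constructed sample: pickle a model whose classes then disappear."""
    mod = types.ModuleType("challenge_model")
    for name in ("Encoder", "Decoder", "MyAutoEncoder"):
        setattr(mod, name, type(name, (), {"__module__": "challenge_model"}))
    sys.modules["challenge_model"] = mod
    try:
        net = mod.MyAutoEncoder()
        net.encoder, net.decoder = mod.Encoder(), mod.Decoder()
        return pickle.dumps({"model": net, "state_dict": {}}, protocol=2)
    finally:
        del sys.modules["challenge_model"]   # the loader no longer has the classes


SAMPLE = build_sample_checkpoint()

if __name__ == "__main__":
    print(plain_load_error(SAMPLE), referenced_globals(SAMPLE))
```

A whole-model checkpoint is unpickled by torch.load, so the list this produces is also the set of names that load would import and call.
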

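0x02 Recovering the network structure

As noted above, the model now loads successfully.

state_dict holds the concrete parameters, so it can be ignored for now; simply print the model to see the network structure.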

print(ruokeqxmodel['model'])
MyAutoEncoder(
  (encoder): Encoder(
    (conv): Sequential(
      (0): Conv2d(1, 16, kernel_size=(3, 3), stride=(2, 2), padding=(1, 1))
      (1): ReLU()
      (2): MaxPool2d(kernel_size=2, stride=2, padding=0, dilation=1, ceil_mode=False)
      (3): Conv2d(16, 8, kernel_size=(3, 3), stride=(2, 2), padding=(1, 1))
      (4): MaxPool2d(kernel_size=2, stride=2, padding=0, dilation=1, ceil_mode=False)
      (5): ReLU()
      (6): Conv2d(8, 8, kernel_size=(3, 3), stride=(2, 2), padding=(1, 1))
      (7): MaxPool2d(kernel_size=2, stride=2, padding=1, dilation=1, ceil_mode=False)
      (8): ReLU()
      (9): MaxPool2d(kernel_size=2, stride=2, padding=0, dilation=1, ceil_mode=False)
      (10): Flatten(start_dim=1, end_dim=-1)
    )
    (fc): Linear(in_features=32, out_features=16, bias=True)
  )
  (decoder): Decoder(
    (convt): Sequential(
      (0): ConvTranspose2d(1, 256, kernel_size=(1, 1), stride=(1, 1))
      (1): ReLU()
      (2): ConvTranspose2d(256, 256, kernel_size=(1, 1), stride=(1, 1))
      (3): ReLU()
      (4): ConvTranspose2d(256, 512, kernel_size=(1, 1), stride=(1, 1))
      (5): ReLU()
      (6): ConvTranspose2d(512, 128, kernel_size=(4, 4), stride=(4, 4))
      (7): ReLU()
      (8): ConvTranspose2d(128, 64, kernel_size=(4, 4), stride=(4, 4))
      (9): ReLU()
      (10): ConvTranspose2d(64, 32, kernel_size=(2, 2), stride=(2, 2))
      (11): ReLU()
      (12): ConvTranspose2d(32, 1, kernel_size=(2, 2), stride=(2, 2))
      (13): Sigmoid()
    )
  )
)

Next, copy this output to rebuild the network structure:

import torch
from torch.nn import (Module, Sequential, Conv2d, ConvTranspose2d, MaxPool2d,
                      ReLU, Sigmoid, Flatten, Linear)
from torchvision import transforms


class Encoder(Module):
    def __init__(self):
        super().__init__()
        self.conv = Sequential(
            Conv2d(1, 16, kernel_size=(3, 3), stride=(2, 2), padding=(1, 1)),
            ReLU(),
            MaxPool2d(kernel_size=2, stride=2, padding=0, dilation=1, ceil_mode=False),
            Conv2d(16, 8, kernel_size=(3, 3), stride=(2, 2), padding=(1, 1)),
            MaxPool2d(kernel_size=2, stride=2, padding=0, dilation=1, ceil_mode=False),
            ReLU(),
            Conv2d(8, 8, kernel_size=(3, 3), stride=(2, 2), padding=(1, 1)),
            MaxPool2d(kernel_size=2, stride=2, padding=1, dilation=1, ceil_mode=False),
            ReLU(),
            MaxPool2d(kernel_size=2, stride=2, padding=0, dilation=1, ceil_mode=False),
            Flatten(start_dim=1, end_dim=-1)
        )
        self.fc = Linear(in_features=32, out_features=16, bias=True)

    def forward(self, t):
        t = self.conv(t)
        t = self.fc(t)
        return t


class Decoder(Module):
    def __init__(self):
        super().__init__()
        self.convt = Sequential(
            ConvTranspose2d(1, 256, kernel_size=(1, 1), stride=(1, 1)),
            ReLU(),
            ConvTranspose2d(256, 256, kernel_size=(1, 1), stride=(1, 1)),
            ReLU(),
            ConvTranspose2d(256, 512, kernel_size=(1, 1), stride=(1, 1)),
            ReLU(),
            ConvTranspose2d(512, 128, kernel_size=(4, 4), stride=(4, 4)),
            ReLU(),
            ConvTranspose2d(128, 64, kernel_size=(4, 4), stride=(4, 4)),
            ReLU(),
            ConvTranspose2d(64, 32, kernel_size=(2, 2), stride=(2, 2)),
            ReLU(),
            ConvTranspose2d(32, 1, kernel_size=(2, 2), stride=(2, 2)),
            Sigmoid()
        )

    def forward(self, t):
        t = self.convt(t)
        return t


class MyAutoEncoder(Module):
    def __init__(self):
        super().__init__()
        # the submodules must exist so load_state_dict() can match the encoder.* / decoder.* keys
        self.encoder = Encoder()
        self.decoder = Decoder()

    def forward(self, t):
        t = self.encoder.forward(t)
        t = self.decoder.forward(t)
        return t

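Next we can instantiate our own network and use load_state_dict to read in the trained parameters from the model mentioned above.

0x03 fuzz and solve

With the parameters loaded, feed in an arbitrary tensor to decode.

Conv2d takes four-dimensional input; anything else raises an error asking for 4-dimensional input.

Feeding in a random four-dimensional tensor, the output faintly shows the characters "L3".

toPIL = transforms.ToPILImage()
data = torch.randn(1, 1, 1, 1)
print(data)     # tensor([[[[1.7006]]]])
# decode only: a 1x1 input is too small for the encoder's pooling layers
pics = ruokeqxmodel.decoder(data)[0]
pic = toPIL(pics)
pic.save('./flag.jpg')

Next, generate a four-dimensional [1,1,4,4] tensor of 16 random numbers. Different random values produce different characters in the output, so brute force is enough.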

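Generating 20 values in each direction (positive and negative): on the positive side the output stops changing at 12 and is very clear, while on the negative side it is still not very clear at 19.

Set the offset to -5 and increase the range to 30 values in each direction.

The output is essentially unchanged beyond -22 and beyond +14, so the final offset is set to -4. A step of 1 is too coarse, so use a step of 0.1 and a range of 180.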

import os

modelname = "./decrypted.pth"
ruokeqxmodel = MyAutoEncoder()
ruokeqxmodel.load_state_dict(torch.load(modelname)['state_dict'])

os.makedirs('./flag', exist_ok=True)   # output directory for the sweep
trans = transforms.ToPILImage()
offset = -4
for i in range(180):
    # sweep the single latent value in 0.1 steps on both sides of the offset
    pl = [[[[offset + 0.1 * i]]]]
    nl = [[[[offset - 0.1 * i]]]]
    pdata = torch.tensor(pl)
    ndata = torch.tensor(nl)
    # decode only: a 1x1 input is too small for the encoder's pooling layers
    ppic = ruokeqxmodel.decoder(pdata)[0]
    npic = ruokeqxmodel.decoder(ndata)[0]
    pic = trans(ppic[0])
    pic.save('./flag/flag' + str(10*offset + i) + '.png')
    pic = trans(npic[0])
    pic.save('./flag/flag' + str(10*offset - i) + '.png')

Piecing the images together gives the flag:

L3HCTF{blackbinarysencoder0xb1a876a}

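2021 CISCN Preliminary Round

I only did a little misc; beyond that I was carried by my teammates.

tiny traffic

In the HTTP traffic, flag-related resources are fetched with GET.
Decompressing flag_wrapper with gzip gives the flag wrapper CISCN{}.

Decompressing test with Brotli (br) in Python gives the proto definition: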

syntax = "proto3";
message PBResponse {
    int32 code = 1;
    int64 flag_part_convert_to_hex_plz = 2;
    message data {
        string junk_data = 2;
        string flag_part = 1;
    }
    repeated data dataList = 3;
    int32 flag_part_plz_convert_to_hex = 4;
    string flag_last_part = 5;
}

message PBRequest {
    string cate_id = 1;
    int32 page = 2;
    int32 pageSize = 3;
}

https://www.buymeacoffee.com/marcgravell

Use his online tool to generate the Python code (he seems to be the author of it):

# print this to get the flag
hex(proto.flag_part_convert_to_hex_plz)[2:] +  proto.dataList[0].flag_part + proto.dataList[1].flag_part + hex(proto.flag_part_plz_convert_to_hex)[2:] + proto.flag_last_part
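The same reassembly can be done without generated bindings by reading the protobuf wire format directly. This is an added example, not the author's tooling: the decoder handles only the varint and length-delimited wire types that the schema above uses, and the sample message bytes are constructed rather than taken from the challenge traffic.

```python
def read_varint(buf, pos):
    """Decode a base-128 varint starting at pos; return (value, next_pos)."""
    value = shift = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7


def parse_fields(buf):
    """Yield (field_number, wire_type, value) for wire types 0 and 2."""
    pos = 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field, wire = tag >> 3, tag & 7
        if wire == 0:                      # varint: int32 / int64
            value, pos = read_varint(buf, pos)
        elif wire == 2:                    # length-delimited: string / message
            size, pos = read_varint(buf, pos)
            if pos + size > len(buf):
                raise ValueError("length runs past end of message")
            value, pos = buf[pos:pos + size], pos + size
        else:
            raise ValueError(f"unsupported wire type {wire}")
        yield field, wire, value


def assemble_flag(pb_response):
    """Join the parts in the same order as the one-liner above."""
    num2 = num4 = 0
    last = ""
    parts = []
    for field, _, value in parse_fields(pb_response):
        if field == 2:                     # flag_part_convert_to_hex_plz
            num2 = value
        elif field == 3:                   # repeated nested `data` message
            for sub, _, sub_value in parse_fields(value):
                if sub == 1:               # data.flag_part (junk_data is field 2)
                    parts.append(sub_value.decode())
        elif field == 4:                   # flag_part_plz_convert_to_hex
            num4 = value
        elif field == 5:                   # flag_last_part
            last = value.decode()
    return f"{num2:x}" + "".join(parts[:2]) + f"{num4:x}" + last


# Constructed sample PBResponse: code=200, field 2 = 0xabc, two dataList
# entries ("e2" with junk "x", then "34"), field 4 = 0x5f, field 5 = "end".
SAMPLE = bytes.fromhex(
    "08c801" "10bc15" "1a070a026532120178" "1a040a023334" "205f" "2a03656e64"
)

if __name__ == "__main__":
    print(assemble_flag(SAMPLE))
```
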

running_pixel

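Extracting the frames, the video appears to repeat roughly every ten frames. Looking at the pixels, two pixels differ in each frame. Printing the points in a loop shows that the positions differ but lie close together, and plotting them reveals characters, so plotting all of them gives the flag.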

from PIL import Image
flag=[(231, 114), (325, 171), (231, 115), (326, 171), (231, 116), (327, 171), (232, 114), (328, 171), (233, 114), (329, 171), (233, 115), (229, 114), (233, 116), (229, 115), (36, 242), (229, 116), (36, 243), (230, 116), (36, 244), (231, 114), (37, 242), (231, 115), (38, 242), (231, 116), (38, 243), (232, 114), (38, 244), (233, 114), (39, 244), (233, 115), (40, 242), (233, 116), (40, 243), (36, 242), (40, 244), (36, 243), (36, 244), (306, 256), (37, 242), (306, 257), (38, 242), (306, 258), (38, 243), (307, 256), (38, 244), (307, 258), (39, 244), (308, 256), (40, 242), (308, 258), (40, 243), (309, 256), (40, 244), (309, 258), (310, 256), (306, 256), (310, 257), (306, 257), (310, 258), (306, 258), (307, 256), (359, 145), (307, 258), (359, 147), (308, 256), (360, 145), (308, 258), (360, 147), (309, 256), (361, 145), (309, 258), (361, 146), (310, 256), (361, 147), (310, 257), (362, 147), (310, 258), (363, 147), (152, 101), (359, 145), (152, 102), (359, 147), (153, 101), (360, 145), (153, 103), (360, 147), (154, 101), (361, 145), (154, 103), (361, 146), (155, 101), (361, 147), (155, 103), (362, 147), (156, 101), (363, 147), (156, 102), (152, 101), (152, 102), (360, 225), (153, 101), (360, 226), (153, 103), (360, 227), (154, 101), (361, 225), (154, 103), (361, 227), (155, 101), (362, 225), (155, 103), (362, 227), (156, 101), (363, 225), (156, 102), (363, 227), (364, 225), (360, 225), (364, 226), (360, 226), (364, 227), (360, 227), (235, 383), (361, 225), (235, 384), (361, 227), (235, 385), (362, 225), (236, 383), (362, 227), (237, 383), (363, 225), (237, 384), (363, 227), (237, 385), (364, 225), (238, 383), (364, 226), (239, 383), (364, 227), (32, 197), (235, 383), (32, 198), (235, 384), (32, 199), (235, 385), (236, 383), (237, 383), (278, 35), (237, 384), (278, 36), (237, 385), (278, 37), (238, 383), (279, 35), (239, 383), (279, 37), (280, 35), (32, 197), (280, 36), (32, 198), (280, 37), (32, 199), (281, 37), (282, 35), (278, 35), (282, 36), (278, 36), (282, 37), (278, 
37), (174, 295), (279, 35), (174, 296), (279, 37), (175, 295), (280, 35), (175, 297), (280, 36), (176, 295), (280, 37), (176, 297), (281, 37), (177, 295), (282, 35), (177, 297), (282, 36), (178, 295), (282, 37), (178, 296), (174, 295), (167, 231), (174, 296), (167, 232), (175, 295), (167, 233), (175, 297), (168, 231), (176, 295), (169, 231), (176, 297), (169, 232), (177, 295), (169, 233), (177, 297), (170, 231), (178, 295), (171, 231), (178, 296), (171, 232), (167, 231), (171, 233), (167, 232), (167, 233), (249, 356), (168, 231), (250, 356), (169, 231), (251, 356), (169, 232), (252, 356), (169, 233), (253, 356), (170, 231), (171, 231), (342, 340), (171, 232), (342, 341), (171, 233), (342, 342), (243, 65), (249, 356), (243, 67), (250, 356), (244, 65), (251, 356), (244, 67), (252, 356), (245, 65), (253, 356), (245, 66), (245, 67), (342, 340), (246, 67), (342, 341), (247, 67), (342, 342), (117, 346), (243, 65), (117, 347), (243, 67), (118, 346), (244, 65), (118, 348), (244, 67), (119, 346), (245, 65), (119, 347), (245, 66), (120, 346), (245, 67), (120, 348), (246, 67), (121, 346), (247, 67), (121, 347), (117, 346), (67, 229), (117, 347), (67, 230), (118, 346), (67, 231), (118, 348), (68, 229), (119, 346), (68, 231), (119, 347), (69, 229), (120, 346), (69, 231), (120, 348), (70, 229), (121, 346), (70, 231), (121, 347), (71, 229), (67, 229), (71, 230), (67, 230), (71, 231), (67, 231), (39, 278), (68, 229), (39, 279), (68, 231), (39, 280), (69, 229), (40, 278), (69, 231), (40, 280), (70, 229), (41, 278), (70, 231), (41, 280), (71, 229), (42, 278), (71, 230), (42, 280), (71, 231), (43, 278), (39, 278), (43, 279), (39, 279), (43, 280), (39, 280), (40, 278), (279, 14), (40, 280), (279, 15), (41, 278), (279, 16), (41, 280), (42, 278), (264, 374), (42, 280), (264, 375), (43, 278), (264, 376), (43, 279), (265, 374), (43, 280), (265, 376), (266, 374), (266, 375), (279, 14), (266, 376), (279, 15), (267, 374), (279, 16), (267, 376), (264, 374), (268, 374), (264, 375), (268, 375), 
(264, 376), (268, 376), (265, 374), (70, 52), (265, 376), (70, 53), (266, 374), (70, 54), (266, 375), (71, 54), (266, 376), (72, 54), (267, 374), (73, 54), (267, 376), (74, 54), (268, 374), (268, 375), (228, 63), (268, 376), (229, 62), (70, 52), (229, 64), (70, 53), (230, 62), (70, 54), (230, 63), (71, 54), (230, 64), (72, 54), (231, 62), (73, 54), (231, 64), (74, 54), (232, 62), (232, 64), (228, 63), (229, 62), (321, 163), (229, 64), (321, 164), (230, 62), (321, 165), (230, 63), (322, 163), (230, 64), (323, 163), (231, 62), (323, 164), (231, 64), (323, 165), (232, 62), (324, 165), (232, 64), (325, 163), (325, 164), (321, 163), (325, 165), (321, 164), (289, 238), (321, 165), (289, 239), (322, 163), (289, 240), (323, 163), (323, 164), (161, 296), (323, 165), (162, 295), (324, 165), (162, 297), (325, 163), (163, 295), (325, 164), (163, 296), (325, 165), (163, 297), (164, 295), (289, 238), (164, 297), (289, 239), (165, 295), (289, 240), (165, 297), (161, 296), (72, 134), (162, 295), (72, 135), (162, 297), (72, 136), (163, 295), (73, 134), (163, 296), (74, 134), (163, 297), (74, 135), (164, 295), (74, 136), (164, 297), (75, 136), (165, 295), (76, 134), (165, 297), (76, 135), (72, 134), (76, 136), (72, 135), (72, 136), (165, 344), (73, 134), (165, 345), (74, 134), (165, 346), (74, 135), (166, 344), (74, 136), (167, 344), (75, 136), (167, 345), (76, 134), (167, 346), (76, 135), (168, 344), (76, 136), (169, 344), (165, 344), (310, 124), (165, 345), (310, 125), (165, 346), (311, 124), (166, 344), (311, 126), (167, 344), (312, 124), (167, 345), (312, 126), (167, 346), (313, 124), (168, 344), (313, 126), (169, 344), (314, 124), (314, 125), (310, 124), (310, 125), (357, 246), (311, 124), (357, 247), (311, 126), (358, 246), (312, 124), (358, 248), (312, 126), (359, 246), (313, 124), (359, 248), (313, 126), (360, 246), (314, 124), (360, 248), (314, 125), (361, 246), (361, 247), (357, 246), (14, 124), (357, 247), (14, 125), (358, 246), (14, 126), (358, 248), (15, 124), (359, 
246), (15, 126), (359, 248), (16, 124), (360, 246), (16, 126), (360, 248), (17, 124), (361, 246), (17, 126), (361, 247), (18, 124), (14, 124), (18, 125), (14, 125), (18, 126), (14, 126), (15, 124), (386, 92), (15, 126), (386, 93), (16, 124), (386, 94), (16, 126), (387, 92), (17, 124), (387, 94), (17, 126), (388, 92), (18, 124), (388, 93), (18, 125), (388, 94), (18, 126), (389, 94), (390, 92), (386, 92), (390, 93), (386, 93), (390, 94), (386, 94), (315, 190), (387, 92), (315, 191), (387, 94), (315, 192), (388, 92), (316, 190), (388, 93), (316, 192), (388, 94), (317, 190), (389, 94), (317, 191), (390, 92), (317, 192), (390, 93), (318, 190), (390, 94), (318, 192), (315, 190), (319, 190), (315, 191), (319, 191), (315, 192), (319, 192), (316, 190), (231, 95), (316, 192), (231, 96), (317, 190), (231, 97), (317, 191), (232, 95), (317, 192), (233, 95), (318, 190), (233, 96), (318, 192), (233, 97), (319, 190), (234, 95), (319, 191), (234, 97), (319, 192), (235, 95), (231, 95), (235, 96), (231, 96), (235, 97), (231, 97), (232, 95), (337, 78), (233, 95), (338, 77), (233, 96), (338, 79), (233, 97), (339, 77), (234, 95), (339, 78), (234, 97), (339, 79), (235, 95), (340, 77), (235, 96), (340, 79), (235, 97), (341, 77), (341, 79), (337, 78), (338, 77), (379, 59), (338, 79), (379, 60), (339, 77), (379, 61), (339, 78), (380, 59), (339, 79), (380, 61), (340, 77), (381, 59), (340, 79), (381, 61), (341, 77), (382, 59), (341, 79), (382, 61), (383, 59), (379, 59), (383, 60), (379, 60), (383, 61), (379, 61), (122, 204), (380, 59), (122, 205), (380, 61), (122, 206), (381, 59), (123, 204), (381, 61), (123, 206), (382, 59), (124, 204), (382, 61), (124, 206), (383, 59), (125, 204), (383, 60), (125, 206), (383, 61), (126, 204), (122, 204), (126, 205), (122, 205), (126, 206), (122, 206)]
pic = Image.new("RGB",(400,400))
i=0
for pix in flag:
    i=i+1
    x=pix[1]
    y=pix[0]
    pic.putpixel((x,y),(255,255,255))
    pic.save(f'{i:05d}.png')

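隔空传话 (Talking Across the Air)

I found an online tool:

https://tool.letmetellyou.xyz/pdu/

Decode the messages directly, then merge the results. Searching for common file headers turns up 8950. The timestamps are out of order, which suggests sorting the parts before reassembling the image; the all-purpose Excel handles the sort.

Write a script to restore the file:

hexdata = ""
with open('op.csv', 'r', newline='') as f:
    for line in f:
        # the second CSV column holds the hex payload; strip the line ending
        hexdata += line.split(',')[1].strip()

# write once, after all rows have been concatenated
with open('data.txt', 'w') as data:
    data.write(hexdata)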

Combining this with the hint from the first part gives the flag:

the first part of the flag is the first 8 digits of your phone number

DESTINATION ADDRESS: +8615030442000

robot

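From the challenge description I guessed it might involve positions or a path. Searching the traffic for pos turns up many coordinates; export them: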

strings cap.pcapng | grep "Value" -A 1 | grep "\["  | grep "\]" > pos.txt

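I removed the brackets. At first I tried plotting with scatter, but for some reason the result looked strange; drawing the points onto an image instead worked.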

from PIL import Image
from hashlib import md5
pic = Image.new("RGB",(400,400))
with open('pos.txt','r') as f:
    lines = f.readlines()
    for line in lines:
        pic.putpixel( (int(line.split(',')[0]),int(line.split(',')[1])) ,(255,255,255))
pic.show()
pic.save('./pic.png')
print(md5(b'easy_robo_xx').hexdigest())

WRITTEN BY
ruokeqx