MISC

ez_smilemo

image.png

用 UndertaleModTool 解包 data.win,在字符串列表末尾找到 flag 的 base64 编码:
c20xbGVfMXNfQF9uMWNlX2dAbWU=

base64:
sm1le_1s_@_n1ce_g@me

Qingwan的心要碎了

百度识图:
重庆中国三峡博物馆

时代的眼泪

取证大师 -> 最近访问 -> 图片内容
SYC{You_defeated_me_after_22_years}

下一站是哪儿呢

airport.png
百度识图:宝安国际机场

分离出 1.jpg 的压缩包
binwalk -e 1.jpg

解压压缩包得到以下图片,进行识图得到码表

secret.png
20171023182559801.png

对照码表得到
i want to go to liquor city
搜寻得到酒城指泸州

总结得到以下信息:
1.宝安国际机场 -> 泸州
2.航班飞行时间在21:00左右

尝试后面几天的航班即可得到
SYC{CZ8579_Luzhou}

xqr

# 分离出需要异或的图片
binwalk -e xqr.png
from PIL import Image

# Resize the extracted image to 75x75 and save it under a new name.
# NOTE(review): 75x75 presumably matches the size of the image it is later
# XORed with - confirm against that image.
target_size = (75, 75)
source_image = Image.open('out.png')
resized_image = source_image.resize(target_size)
resized_image.save('out2.png')

异或solved.bmp
反色solved.jpg

SYC{hOp3_u_h@ve_Fun}

extractMe

import binascii
import itertools
import string

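# Recover eight 4-character chunks from their CRC32 values alone and print
# them joined in list order.
# NOTE(review): the values are presumably the CRC32 fields of eight 4-byte
# archive members - confirm against the challenge file.
# CRC32 is an integrity check, not a secret: for content this short the
# checksum by itself identifies the plaintext, and for a fixed 4-byte length
# every input has a distinct CRC32, so at most one candidate matches each value.
crc_list = [0x8712de1d, 0x06eacbd7, 0x20a8e291, 0x31ee3074, 0x77aacf7f, 0x35fb7c6c, 0xf978d5aa, 0x016f7a0b]
wordlist = string.printable

# Map each target checksum to every position where it occurs, so a candidate
# is tested with one dict lookup instead of a scan over the whole list.
pending = {}
for index, target in enumerate(crc_list):
    pending.setdefault(target, []).append(index)

for candidate in itertools.product(wordlist, repeat=4):
    data = ''.join(candidate)
    positions = pending.pop(binascii.crc32(data.encode()), None)
    if positions is None:
        continue
    for index in positions:
        crc_list[index] = data
    if not pending:
        # Every checksum is resolved; skip the rest of the 100**4 candidates.
        break

if pending:
    # A chunk containing a character outside string.printable is never
    # generated. Without this check the final join() fails with a TypeError
    # on the leftover integers; name the unresolved checksums instead.
    missing = ', '.join(f'{value:#010x}' for value in pending)
    raise SystemExit(f'no printable 4-byte preimage for: {missing}')

print(''.join(crc_list))

# SYC{_cR@ck_1s_Useful_sometime$_}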

DEATH_N0TE

from PIL import Image

# Down-sample kamisama.png by keeping one pixel out of every 10x10 cell,
# starting at offset (5, 5), then display the resulting small image.
source = Image.open('kamisama.png')
offset_x, offset_y = 5, 5
step = 10
src_width, src_height = source.size
cols = (src_width - offset_x) // step
rows = (src_height - offset_y) // step
sampled = Image.new('RGB', (cols, rows))

for row in range(rows):
    sample_y = offset_y + row * step
    for col in range(cols):
        colour = source.getpixel((offset_x + col * step, sample_y))
        sampled.putpixel((col, row), colour)

sampled.show()

out.png
2.png

此步骤省略:复现时逐一对照码表比较麻烦
>>> zsteg kamisama.png
>>> IuS9oOe7p+e7reinguWvn+aJi+S4iua8hum7keiJsueahOeslOiusOacrO+8jOWGt+mdmeS4i+adpeeahOS9oOWPkeeOsOS6huiXj+WcqOWwgemdouacgOS4i+i+ueeahOS4gOihjOWwj+WtlzpTWUN7RDRAVGhfTjB0NF8iCiLkvaDmtY/op4jov4fmlbTkuKrnrJTorrDmnKzvvIzlj6/mg5zlhajmmK/nqbrnmb3pobXvvIzlhbbkuK3mnInkuIDpobXkuI3nn6XpgZPooqvosIHmkpXmjonkuobvvIzkvaDmnIDnu4jov5jmmK/nv7vliLDkuobnvLrlpLHnmoTpgqPkuIDpobUiCiLkvaDnlKjpk4XnrJTmtoLmirnnnYDlkI7pnaLkuIDpobXvvIzkuIrpnaLnvJPnvJPlh7rnjrDkuobpgZflpLHnmoTnl5Xov7kuLi4i

base64解码
SYC{D4@Th_N0t4_

拼接得到flag

DEATH_N1TE

from PIL import Image

# Dump every frame of the animated killer.webp to its own PNG, named after
# the frame index (0.png, 1.png, ...).
animation = Image.open('killer.webp')
total_frames = animation.n_frames

frame_index = 0
while frame_index < total_frames:
    animation.seek(frame_index)
    animation.save(f'{frame_index}.png')
    frame_index += 1

多图拼接
图像-1701009403409.png

gaps run 'input.png' 'output.png' --size=48

out.png
L.mp3 中间部分是 SSTV 信号,用 MMSSTV 解码后得到图像
9.png

SYC{H4xr0t0r__14_Ki114R}

DEATH_N2TE

import cv2
from PIL import Image

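# Rebuild a picture from kira.mp4: frame number k supplies column k of the
# output, sampled every `size` pixels down the frame starting at `start_pixel`.
video = cv2.VideoCapture('kira.mp4')
video_size = [1920, 1080]
# fps: 8 * 24

start_pixel = 5
size = 10
out = Image.new('RGB', (video_size[0] // size, video_size[1] // size))
out_width, out_height = out.size
rows = min((video_size[1] - start_pixel) // size, out_height)

fps_count = 0  # index of the current frame, which is also the output column
try:
    # Explicit bounds checks replace the former bare `except: pass`, which
    # also hid unrelated errors and swallowed Ctrl-C inside the loop.
    while fps_count < out_width:
        success, frame = video.read()
        if not success:
            break

        # Convert once per frame rather than once per sampled pixel.
        # NOTE(review): OpenCV frames are BGR and are handed to PIL unchanged,
        # so red and blue are swapped in the output - harmless if the hidden
        # picture is monochrome, confirm otherwise.
        frame_image = Image.fromarray(frame)
        frame_width, frame_height = frame_image.size

        sample_x = start_pixel + fps_count * size
        if sample_x >= frame_width:
            # The frame is narrower than video_size claims, so this column and
            # every later one has no source pixel to sample.
            break

        for y in range(rows):
            sample_y = start_pixel + y * size
            if sample_y >= frame_height:
                break
            out.putpixel((fps_count, y), frame_image.getpixel((sample_x, sample_y)))
        fps_count += 1
finally:
    # Free the capture handle even if decoding fails part-way through.
    video.release()

out.save('out.png')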

out.png

SYC{we1c0m4_T0_De@th_W0r1d}

窃听风云

NTLM解密(实际是对抓包中的 NetNTLMv2 挑战-响应做离线字典破解,而非解密)

No.7流内容
NTLM Server Challenge: 2af71b5ca7246268

No.8流内容
User name: jack
Domain name: WIDGETLLC
NTProofStr: 2d1d24572b15fe544043431c59965d30
modified NTLM v2 response(即 NTLMv2 Response 去掉开头 16 字节的 NTProofStr 后剩余的部分):
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

按以下格式构造hash:
username::domain:ServerChallenge:NTproofstring:modifiedntlmv2response
jack::WIDGETLLC:2af71b5ca7246268:2d1d24572b15fe544043431c59965d30: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

hashcat爆破:
hashcat -m 5600 jack::WIDGETLLC:2af71b5ca7246268:2d1d24572b15fe544043431c59965d30:0101000000000000040d962b02edd901e6994147d6a34af200000000020012005700490044004700450054004c004c004300010008004400430030003100040024005700690064006700650074004c004c0043002e0049006e007400650072006e0061006c0003002e0044004300300031002e005700690064006700650074004c004c0043002e0049006e007400650072006e0061006c00050024005700690064006700650074004c004c0043002e0049006e007400650072006e0061006c0007000800040d962b02edd90106000400020000000800300030000000000000000000000000300000078cdc520910762267e40488b60032835c6a37604d1e9be3ecee58802fb5f9150a001000000000000000000000000000000000000900200048005400540050002f003100390032002e003100360038002e0030002e0031000000000000000000 '/root/Desktop/rockyou.txt'

SYC{iamjackspassword}

窃听风云V2

思路同上。不过在 V2 中,NTLM 消息以 base64 形式出现,Wireshark 不会自动解析,需要手动解码并根据特征对照出各字段的具体内容:

User name: jack
Domain name: WidgetLLC.Internal
NTLM Server Challenge: 3e3966c8cacd29f7
NTProofStr: ddd46fd8f78c262eae16918f66185497
modified NTLM v2 response:
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

构造hash:
jack::WidgetLLC.Internal:3e3966c8cacd29f7:ddd46fd8f78c262eae16918f66185497: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

hashcat爆破:
hashcat -m 5600 jack::WidgetLLC.Internal:3e3966c8cacd29f7:ddd46fd8f78c262eae16918f66185497: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 '/root/Desktop/rockyou.txt'

SYC{jack100589barney}