<h4>WEB</h4>

<h4>MISC</h4>

<h5>1. A very simple traffic analysis</h5>

Open the capture in Wireshark, filter on http first, export the HTTP objects, and robots.txt shows up:

It points to abc.html

md5 0x99a98e067af6b09e64f3740767096c96

DES 0xb19b21e80c685bcb052988c11b987802d2f2808b2c2d8a0d  (129->143)

DES 0x684a0857b767672d52e161aa70f6bdd07c0264876559cb8b  (143->129)

Continuing the analysis, the rest is IPSec-encrypted traffic; try to decrypt it:
Decryption configuration:

After decryption the URL requests contain ASCII codes; intuition says this is the flag:

c = [102, 108, 97, 103, 123, 50, 55, 98, 48, 51, 98, 55, 53, 56, 102, 50, 53, 53, 50, 55, 54, 101, 53, 97, 57, 56, 100, 97, 48, 101, 49, 57, 52, 55, 98, 101, 100, 125]
p = ''

# each number is the decimal ASCII code of one flag character
for i in c:
    p += chr(i)
print(p)


flag: flag{27b03b758f255276e5a98da0e1947bed}

<h5>2. Let's play a game</h5>

Download the attachment to get the challenge:

Level 1 is obviously Braille:

⠏⠏⠄⠁⠄⠀⠂⡑⡒⡓⠄⡒⠂⡑⠇⠆⡒⠉⠇⠁⠉⡔⠉⠁⠁⠀⠁⠇⡓⠅⠉⠂=

Decode it online:

This gives the ciphertext:

??41402abc4b2a76b9719d911017c592

The first two characters are unknown, so throw it at Baidu:

It is found easily.

Level 2 came up just a while ago: it is an MD5 strong collision.
Simply reuse the files from last time:

That yields the email:
Here is an email containing the flag for you:
Dear Professional ; Especially for you - this cutting-edge 
intelligence ! If you no longer wish to receive our 
publications simply reply with a Subject: of "REMOVE" 
and you will immediately be removed from our club . 
This mail is being sent in compliance with Senate bill 
2216 , Title 9 ; Section 306 ! THIS IS NOT MULTI-LEVEL 
MARKETING . Why work for somebody else when you can 
become rich as few as 35 weeks . Have you ever noticed 
more people than ever are surfing the web and people 
will do almost anything to avoid mailing their bills 
. Well, now is your chance to capitalize on this ! 
WE will help YOU decrease perceived waiting time by 
120% & decrease perceived waiting time by 140% . You 
can begin at absolutely no cost to you . But don't 
believe us ! Mrs Jones of Minnesota tried us and says 
"I was skeptical but it worked for me" . We assure 
you that we operate within all applicable laws . Because 
the Internet operates on "Internet time" you must act 
now ! Sign up a friend and your friend will be rich 
too . Warmest regards . Dear Cybercitizen , We know 
you are interested in receiving red-hot announcement 
! We will comply with all removal requests ! This mail 
is being sent in compliance with Senate bill 1619 ; 
Title 2 ; Section 301 . This is NOT unsolicited bulk 
mail ! Why work for somebody else when you can become 
rich within 53 MONTHS ! Have you ever noticed more 
people than ever are surfing the web and more people 
than ever are surfing the web . Well, now is your chance 
to capitalize on this . We will help you use credit 
cards on your website plus decrease perceived waiting 
time by 150% . The best thing about our system is that 
it is absolutely risk free for you ! But don't believe 
us ! Mrs Simpson of Washington tried us and says "Now 
I'm rich, Rich, RICH" . We assure you that we operate 
within all applicable laws ! We beseech you - act now 
! Sign up a friend and your friend will be rich too 
. Thank-you for your serious consideration of our offer 
! Dear Friend ; This letter was specially selected 
to be sent to you ! If you no longer wish to receive 
our publications simply reply with a Subject: of "REMOVE" 
and you will immediately be removed from our mailing 
list . This mail is being sent in compliance with Senate 
bill 2716 , Title 2 ; Section 306 ! This is a ligitimate 
business proposal . Why work for somebody else when 
you can become rich inside 33 weeks . Have you ever 
noticed more people than ever are surfing the web plus 
more people than ever are surfing the web . Well, now 
is your chance to capitalize on this ! WE will help 
YOU SELL MORE and process your orders within seconds 
. You can begin at absolutely no cost to you . But 
don't believe us ! Mrs Jones of Kentucky tried us and 
says "I was skeptical but it worked for me" ! This 
offer is 100% legal ! We implore you - act now . Sign 
up a friend and you'll get a discount of 50% . God 
Bless .

Searching Baidu for spam mail and grille ciphers shows that Cardano grille encoding was used; decode it online

flag: flag{a0dd1e2e6b87fe47e5ad0184dc291e04}

<h4>CRYPTO</h4>

<h5>1. One-time pad</h5>

Download the attachment to get three ciphertexts and the challenge description:

This pad should only have been used once, but it was used several times, so the ciphertext is easy to break.
After some trying, the first letter of the key is very likely y; the rest is up to you.
cip1: rlojsfklecby
cip2: ulakqfgfsjlu
cip3: dpaxwxtjgtay

It mentions pad encryption. On how one-time pad encryption works (from Baidu Baike):

To encrypt the message "This is an example" with the following one-time pad:
MASKL NSFLD FKJPQ
assign each letter its number and convert both as follows:
This is an example → 19 7 8 18 8 18 0 13 4 23 0 12 15 11 4
MASKL NSFLD FKJPQ → 12 0 18 10 11 13 18 5 11 3 5 10 9 15 16
Adding the two position by position gives:
31 7 26 28 19 31 18 18 15 26 5 22 24 26 20
Reducing the above modulo 26 gives:
5 7 0 2 7 5 8 8 11 0 5 22 24 0 20
which becomes
FHACHFIILAFWYAU
To decrypt the message, reverse the operation.

Since the first letter of the pad is y, first guess that the pad starts with year; that already decrypts the first four letters of each ciphertext:

# -*- coding: utf-8 -*-
import string

x = list(string.ascii_lowercase)   # 'a'..'z'
y = list(range(26))                # 0..25
m = dict(zip(x, y))                # letter -> number
n = dict(zip(y, x))                # number -> letter

c1 = 'rlojsfklecby'
c2 = 'ulakqfgfsjlu'
c3 = 'dpaxwxtjgtay'
p1 = ''
p2 = ''
p3 = ''
key = 'year'   # guessed prefix of the pad (the first letter y is given)

# decrypt as many positions as the guessed key covers: p = (c - k) mod 26
for i in range(len(key)):
    p1 += n[(m[c1[i]] - m[key[i]]) % 26]
    p2 += n[(m[c2[i]] - m[key[i]]) % 26]
    p3 += n[(m[c3[i]] - m[key[i]]) % 26]

print(p1)
print(p2)
print(p3)

Result:

thos
what
flag

The first plaintext starts with thos, so guess that the next letter is e; the next key letter then works out to o, which fits. Look up words starting with yearo:

Test each position one by one. Testing shows the part yearofthes is valid; at that point the plaintexts are:

thosearea
whatcanyo
flagisacc

Guess that the next letter of the second plaintext is u; the next key letter then computes to p:

k9 = n[(m['j'] - m['u']) % 26]   # c2[9] = 'j', guessed plaintext 'u' -> key letter 'p'

The plaintexts are now:

thosearean
whatcanyou
flagisacce

From the third plaintext so far, deduce that it is flagisaccess:

k10 = n[(m['a'] - m['s']) % 26]  # c3[10] = 'a', plaintext 's' -> key letter 'i'
k11 = n[(m['y'] - m['s']) % 26]  # c3[11] = 'y', plaintext 's' -> key letter 'g'

The final pad is yearofthepig
flag: flag{260eb14f58d69f878c03a07eee1a029b}
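As an added example (not code from the writeup), the mod-26 pad arithmetic quoted above and the crib-based key recovery used in this challenge in one script: `recover_key` derives key letters from a guessed plaintext fragment and `extend_key` replays the writeup's guesses; all helper names are my own. Carrying the Baike figures through exactly gives FHACTFSSPAFWYAU rather than FHACHFIILAFWYAU, because 19, 18, 18 and 15 are already below 26 and are unchanged by the mod step.

```python
import string

ALPHA = string.ascii_lowercase


def to_nums(text):
    """Letters -> 0..25; spaces and case are ignored."""
    return [ALPHA.index(ch) for ch in text.lower() if ch in ALPHA]


def from_nums(nums):
    """0..25 -> letters; Python's % keeps negative differences in range."""
    return ''.join(ALPHA[x % 26] for x in nums)


def otp_encrypt(plain, pad):
    p, k = to_nums(plain), to_nums(pad)
    assert len(k) >= len(p), 'pad must cover the whole message'
    return from_nums(pi + ki for pi, ki in zip(p, k))


def otp_decrypt(cipher, pad):
    return from_nums(ci - ki for ci, ki in zip(to_nums(cipher), to_nums(pad)))


def recover_key(cipher, crib, offset=0):
    """Key letters implied by guessing plaintext `crib` at `offset`: k = c - p mod 26."""
    p = to_nums(crib)
    c = to_nums(cipher)[offset:offset + len(p)]
    return from_nums(ci - pi for ci, pi in zip(c, p))


def extend_key(ciphers, key, guesses):
    """Grow a partial key; each guess is (ciphertext index, next plaintext letter)."""
    for idx, letter in guesses:
        key += recover_key(ciphers[idx], letter, offset=len(key))
    return key


# the three ciphertexts from the challenge; the same pad was reused for all of them
CIPHERS = ['rlojsfklecby', 'ulakqfgfsjlu', 'dpaxwxtjgtay']

if __name__ == '__main__':
    print(otp_encrypt('This is an example', 'MASKL NSFLD FKJPQ'))  # fhactfsspafwyau
    print(recover_key(CIPHERS[0], 'thos'))                         # year
    key = extend_key(CIPHERS, 'yearofthe', [(1, 'u'), (2, 's'), (2, 's')])
    print(key, [otp_decrypt(c, key) for c in CIPHERS])             # yearofthepig
```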

<h5>2. hahaha</h5>

The challenge turns out to be a CRC32 brute force; brute-force it with a tool:

This gives the password tanny_is_very_beautifu1_ and unzipping yields flag.pdf

We know the SHA1 of the flag is e6079c5ce56e781a50f4bf853cdb5302e0d8f054
and the characters involved are:

1!    2@    {[    }]    asefcghnl

Since every character is used exactly once and the flag format is flag{}, the remaining characters are:

1!    2@ sehnc

So it is a matter of arranging these characters, using the common functions from Python's built-in itertools:

itertools.product(sequence, repeat=r)                   # arrangements with replacement
itertools.permutations(sequence, r)                     # arrangements without replacement
itertools.combinations(sequence, r)                     # combinations without replacement
itertools.combinations_with_replacement(sequence, r)    # combinations with replacement

The approach: first take one character from each of 1! and 2@ (combinations of size 1 without replacement) to cut down the character count, then enumerate the permutations without replacement of the characters and check the SHA1.

import hashlib
import itertools

TARGET = 'e6079c5ce56e781a50f4bf853cdb5302e0d8f054'


def sha1(s):
    # hashlib needs bytes, so encode the candidate string first
    return hashlib.sha1(s.encode()).hexdigest()


dic1 = '1!'
dic2 = '2@'
dic3 = 'sehnc'


def find_flag():
    # one character from each shifted pair, then every ordering of the seven characters
    for p1 in itertools.combinations(dic1, 1):
        for p2 in itertools.combinations(dic2, 1):
            dic4 = p1[0] + p2[0] + dic3
            for p in itertools.permutations(dic4):
                candidate = 'flag{' + ''.join(p) + '}'
                if sha1(candidate) == TARGET:
                    return candidate
    return None


print(find_flag())

This gives the flag: flag{sh@1enc}