CTF misc image challenge (extracting a ZIP with zsteg, rebuilding the ZIP archive, IDAT data steganography, LaTeX written in Markdown, zero-width character steganography)

1. Challenge description

The second BMZCTF network security open, sponsored by: white hat community · WHT team, white hat cup, January 1, 2022
misc
Challenge title: game script
As a programmer, I can't call out 30 lives. I wrote it down in my notes.

Game script hint: compressed package, pay attention to the markers, and then reorganize.
Game script hint 2: the notes are recorded with Markdown.

The download is a Contra picture named 30.png:

2. Analysis and solution

Extracting the ZIP with zsteg

Run zsteg 30.png (or zsteg -a 30.png):

The output contains data beginning with PK, which suggests a ZIP archive; the hidden data is located at extradata:0.
Extract the archive:

zsteg -E "extradata:0" 30.png > 30.zip

Rebuilding the archive

Opening the file in 010 Editor shows a hint string: Need_Find_The_Passwd_to_unzip_file0

After deleting the data before 504B0102, double-clicking the file shows that the archive is damaged.

A normal ZIP archive starts with 50 4B 03 04 and also contains records beginning with 50 4B 01 02 and 50 4B 05 06.

A ZIP file consists of three parts:
file data area (local file records) + central directory + end-of-central-directory record
CTF compressed package steganography class (zip, RAR)

50 4B 01 02: central directory file header signature
3F 00: PKWARE version used to create the archive
14 00: PKWARE version needed to extract the file
00 00: general-purpose bit flag (whether the entry is encrypted; 01 00 here means real encryption)
08 00: compression method

To rebuild the archive, search for the byte pairs 05 06 and 03 04 and note that the 50 4B in front of them is missing. Insert those two bytes, then use the repair function provided by WinRAR to put the records back in order.
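The same repair can be scripted. The sketch below is an added example, not part of the original write-up: it builds a constructed damaged archive and rebuilds it. The layout (junk, then central directory, then local records and end record with their 50 4B removed), the member name flag.txt and the helper names are assumptions; finding the bare 05 06 marker with rindex is a heuristic.

```python
import io
import struct
import zipfile

def build_damaged():
    """Constructed sample: central directory moved to the front, and the
    leading 50 4B removed from the local header and the end record."""
    buf = io.BytesIO()
    info = zipfile.ZipInfo("flag.txt", date_time=(2022, 1, 1, 0, 0, 0))
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(info, "constructed sample data")
    good = buf.getvalue()
    cd = good.index(b"PK\x01\x02")
    eocd = good.index(b"PK\x05\x06")
    return b"junk-before-directory" + good[cd:eocd] + good[2:cd] + good[eocd + 2:]

def repair(blob):
    """Rebuild local records + central directory + end record."""
    start = blob.index(b"PK\x01\x02")            # drop data before 50 4B 01 02
    pos = start
    while blob[pos:pos + 4] == b"PK\x01\x02":     # walk the central directory
        n, m, k = struct.unpack_from("<3H", blob, pos + 28)  # name/extra/comment lengths
        pos += 46 + n + m + k
    central = blob[start:pos]
    rest = blob[pos:]
    if rest[:2] != b"\x03\x04":
        raise ValueError("expected a local header missing its 50 4B")
    end = rest.rindex(b"\x05\x06")                # bare end-record marker (heuristic)
    local = b"PK" + rest[:end]
    tail = bytearray(b"PK" + rest[end:])
    struct.pack_into("<I", tail, 16, len(local))  # offset of the central directory
    return local + central + bytes(tail)

def opens(blob):
    """True if zipfile accepts the bytes and every member passes its CRC check."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            return z.testzip() is None
    except zipfile.BadZipFile:
        return False

if __name__ == "__main__":
    print(opens(build_damaged()), opens(repair(build_damaged())))
```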



The archive can now be opened normally, but a password is required.

IDAT data steganography

Open the PNG with 010 Editor; it reports many errors like this:

*ERROR: CRC Mismatch @ chunk[17]; in data: 5468655f; expected: 4a57f189


Copy the value after "in data:" from each error and concatenate the values, in order, into one hexadecimal string:
5468655f68696e745f69733a55316b6b67473a56624445335b316f795b3145656044457960306768537a463e3e3e3ee4b88ae99da2e5ad97e7aca6e4b8b2e5bc82e68896e99bb6e58f89e99bb6e4b889e784b6e5908ee59ca8424153453634e8a7a3e7a081e38082596f755f

That is, create a new hexadecimal text document, import it as a hex file from the editor's text options, and finally switch the encoding to UTF-8 in the lower right corner.
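The copy-and-paste step above can be automated. The sketch below is an added example, not part of the original write-up: it walks the PNG chunks, recomputes each CRC, and joins the stored CRC fields that do not match (the "in data" value in the 010 Editor message). The sample PNG is constructed here and carries only the first twelve bytes of the hint; the function names are assumptions.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def make_chunk(ctype, data, crc_override=None):
    """Serialize one chunk; crc_override plants arbitrary bytes in the CRC field."""
    crc = crc_override if crc_override is not None else struct.pack(">I", zlib.crc32(ctype + data))
    return struct.pack(">I", len(data)) + ctype + data + crc

def crc_mismatches(png):
    """Return (chunk_index, type, stored_crc, computed_crc) for every bad CRC."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    out, pos, index = [], 8, 0
    while pos + 12 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        end = pos + 8 + length
        if end + 4 > len(png):
            break                                  # truncated chunk: stop reading
        ctype, data = png[pos + 4:pos + 8], png[pos + 8:end]
        stored = png[end:end + 4]                  # "in data" in the editor message
        computed = struct.pack(">I", zlib.crc32(ctype + data))  # "expected"
        if stored != computed:
            out.append((index, ctype, stored, computed))
        pos, index = end + 4, index + 1
    return out

def hidden_bytes(png):
    """Concatenate the mismatching CRC fields in chunk order."""
    return b"".join(stored for _, _, stored, _ in crc_mismatches(png))

def build_sample():
    """Constructed sample: valid IHDR and IEND, three IDAT chunks with text as CRC."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    parts = [PNG_SIG, make_chunk(b"IHDR", ihdr)]
    for word in (b"The_", b"hint", b"_is:"):
        parts.append(make_chunk(b"IDAT", b"constructed", crc_override=word))
    parts.append(make_chunk(b"IEND", b""))
    return b"".join(parts)

if __name__ == "__main__":
    print(hidden_bytes(build_sample()).decode("utf-8", errors="replace"))
```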

This gives the hint:

The_hint_is:U1kkgG:VbDE3[1oy[1Ee`DEy`0ghSzF>>>>XOR the string above with "zero x zero three" (0x03), and then Base64-decode it. You_

Write a Python script to get the password: What?That_is_a_passwd?!

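import base64

# Hint string recovered from the CRC fields (note the two backticks)
str1 = "U1kkgG:VbDE3[1oy[1Ee`DEy`0ghSzF>>>>"
flag_base64 = ""
# XOR every character with 0x03 to recover the Base64 text
for i in range(len(str1)):
    a = ord(str1[i]) ^ 0x03
    flag_base64 += chr(a)
print(flag_base64)
# Base64-decode the result to get the archive password
flag = base64.b64decode(flag_base64)
print(flag)
# What?That_is_a_passwd?!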

Extract the archive with this password to get the flag txt file.

LaTeX in Markdown

Open the txt document and find a string of code like the following (opened here with Notepad, so it is not laid out the way it really is):

# Game notes \ begin {array} {C} \ begin {array} {C} \ begin {array} {C | ccccc} \ \ uparrow \ uparrow & 0 & 1 & 2 & 3 & 4 \ \ \ hline0 & 1 & 1 & 1 & 1 & 1 \ \ 1 & 1 & 0 & 0 \ \ 2 & 1 & 0 & 1 & 1 \ \ 3 & 1 & 0 & 1 & 1 \ \ 4 & 1 & 0 & 1 & 1 \ \ \ end {array} & \ begin {array} {C | ccccc} \\downarrow\downarrow&0&1&2&3‌‌‌‌‌‬‍‬‌‌‌‌‌‍‌\\hline0&1&1&0&0‌‌‌‌‌‬‍‬‌‌‌‌‌‌‍\1&0&1&0&0‌‌‌‌‌‬‍‬‌‌‌‌‌‌‌\2&0&1&0&1‌‌‌‌‌‬‍‬‌‌‌‌‌‌‍\3&0&1&0&0‌‌‌‌‌‬‍‬‌‌‌‌‌‌‍\4&0&1&0&0‌‌‌‌‌‬ ‍‬‌‌‌‌‌‌‌‌‍\\end{array}&\begin{array}{c|ccccc}\\rightarrow\rightarrow&0&1&2&3&4\\hline0&1&1&0&1&1\1&0&1&0&1&0\2&0&1&0&1&0\3&1&1&0&1&0\4&0&0&0&1&0\\end{array}&\begin{array}{c|ccccc} \\leftarrow\leftarrow&0&1&2&3‌‌‌‌‌‬‍‬‌‌‌‌‌‍‌\\hline0&0&0&1&0‌‌‌‌‌‬‍‬‌‌‌‌‌‌‍\1&1&1&1&1‌‌‌‌‌‬‍‬‌‌‌‌‌‌‌\2&1&0&1&1‌‌‌‌‌‬‍‬‌‌‌‌‌‌‌\3&1&1&0&1‌‌‌‌‌‬‍‬‌‌‌‌‌‌‌\4&1&0&0&0‌‌‌‌‌‬ ‍‬‌‌‌‌‌‌‌\\end{array}&\begin{array}{c|cc}\text{ABAB}&1&2&3&4&5\\hline0&1&1&1&1&1\1&0&0&0&0&1\2&1&1&1&0&1\3&1&1&1&0&1\4&1&1&1&0&1\\end{array}\end{array}\\begin{array}{c}\begin{array}{c|ccccc} \\uparrow\uparrow&0&1&2&3&4\\hline0&1&0&0&0&0\1&1&1&1&1&1\2&0&0&0&0&0\3&1&1&1&0&1\‌‌‌‌‌‍‌‌‌‌‌‌‬‍‬‌‌‌‌‌‌‌‌‌‌‌‌‬‍‬‌‌‌‌‌‌‌‌‌‌‌‌‬‍‬‌‌‌‌‌‌‌‌‌‌‌‌‬‍‬‌‌‌‌‌‌‍‌‌‌‌‌‬‍‬‌‌‌‌‌‌ ‌‌‌‌‌‍‍‌‌‌‌‌‍‍‌\end{array}&\begin{array}{c|cc} \\leftarrow\leftarrow&0&1&2&3‌‌‌‌‌‬‍‬‌‌‌‌‌‍‌\\hline0&0&0&0&1‌‌‌‌‌‬‍‬‌‌‌‌‌‌‍\1&1&0&1&0‌‌‌‌‌‬‍‬‌‌‌‌‌‌‍\2&1&0&1&1‌‌‌‌‌‬‍‬‌‌‌‌‌‌‍\3&1&1&0&1‌‌‌‌‌‬‍‬‌‌‌‌‌‌‌\‌‌‌‌‌‍‌‌ ‌‌‌‌‬‍‬‌‌‌‌‌‌‍‌‌‌‌‌‬‍‬‌‌‌‌‌‌‌‌‌‌‌‌‬‍‬‌‌‌‌‌‌‌‌‌‌‌‌‬‍‬‌‌‌‌‌‌‌‌‌‌‌‌‬‍‬‌‌‌‌‌‌‍‌‬‌‌‌‌‌‌‬‌‌‌‌‍‌‌‌‌‍‍‌‌‌‌‌‍‍‌\end{array} &\begin{array}{c|cc} \\rightarrow\rightarrow&0&1&2&3&4\\hline0&0&1&0&1&0\1&0&1&0&1&1\2&1&1&0&0&0\3&1&0&1&1&0\‌‌‌‌‌‍‌‌‌‌‌‌‬‍‬‌‌‌‌‌‌‌‌‌‌‌‌‬‍‬‌‌‌‌‌‌‍‌‌‌‌‌‬‍‬‌‌‌‌‌‌‌‌‌‌‌‌‬‍‬‌‌‌‌‌‌‌‌‌‌‌‌‬‍‬‌‌‌‌‌ ‌‌‌‌‌‌‍‍‌‌‌‌‌‍‍‌\end{array}&\begin{array}{c|cc} \\downarrow\downarrow&0&1&2&3‌‌‌‌‌‬‍‬‌‌‌‌‌‍‌\\hline0&0&1&0&0‌‌‌‌‌‬‍‬‌‌‌‌‌‌‍\1&1&1&0&1‌‌‌‌‌‬‍‬‌‌‌‌‌‌‌\2&0&0&0&1‌‌‌‌‌‬‍‬‌‌‌‌‌‌‍\3&1&1&1&1‌‌‌‌‌‬‍‬‌‌‌‌‌‌‌\‌‌‌‌‌‍‌‌ 
‌‌‌‌‬‍‬‌‌‌‌‌‌‍‌‌‌‌‌‬‍‬‌‌‌‌‌‌‌‌‌‌‌‌‬‍‬‌‌‌‌‌‌‍‌‌‌‌‌‬‍‬‌‌‌‌‌‌‍‌‌‌‌‌‬‍‬‌‌‌‌‌‌‌‌‌‌‌‍‍‌‌‌‌‌‍‍‌\end{array}&\begin{array}{c|cc}\text{ABAB} &1&2&3&4&5\\hline0&0&0&0&0&1\1&1&1&1&1&1\2&0&0&0&0&0\3&0&0&1&0&0\‌‌‌‌‌‍‌‌‌‌‌‌‬‍‬‌‌‌‌‌‌‍‌‌‌‌‌‬‍‬‌‌‌‌‌‌‌‌‌‌‌‌‬‍‬‌‌‌‌‌‌‌‌‌‌‌‌‬‍‬‌‌‌‌‌‌‍‌‌‌‌‌‬‍‬‌‌‌‌‌‌‍‌‌‌‌‍ ‍‌‌‌‌‌‍‍‌\end{array}\end{array}\\begin{array}{c}\begin{array}{c|ccccc} \\uparrow\uparrow&0&1&2&3&4\\hline0&1&0&0&0&0\1&1&1&1&0&1\2&1&0&1&1&1\3&0&1&1&1&1\‌‌‌‌‌‍‌‌‌‌‌‌‬‍‬‌‌‌‌‌‌‍‌‌‌‌‌‬‍‬‌‌‌‌‌‌‌‌‌‌‌‌‬‍‬‌‌‌‌‌‌‍‌‌‌‌‌‬‍‬‌‌‌‌‌‌‌‌‌‌‌‌‬‍‬‌‌‌‌‌‌ ‌‌‌‌‌‍‍‌‌‌‌‌‍‍‌\end{array}&\begin{array}{c|cc} \\downarrow\downarrow&0&1&2&3‌‌‌‌‌‬‍‬‌‌‌‌‌‍‌\\hline0&0&1&0&1‌‌‌‌‌‬‍‬‌‌‌‌‌‌‍\1&0&0&1&1‌‌‌‌‌‬‍‬‌‌‌‌‌‌‌\2&1&1&1&1‌‌‌‌‌‬‍‬‌‌‌‌‌‌‌\3&0&0&0&0‌‌‌‌‌‬‍‬‌‌‌‌‌‌‌\‌‌‌‌‌‍‌‌ ‌‌‌‌‬‍‬‌‌‌‌‌‌‍‌‌‌‌‌‬‍‬‌‌‌‌‌‌‍‌‌‌‌‌‬‍‬‌‌‌‌‌‌‍‌‌‌‌‌‬‍‬‌‌‌‌‌‌‌‌‌‌‌‌‬‍‬‌‌‌‌‌‌‌‌‌‌‌‍‍‌‌‌‌‌‍‍‌\end{array}&\begin{array}{c|cc} \\rightarrow\rightarrow&0&1&2&3&4\\hline0&0&0&1&1&1\1&1&0&0&0&1\2&0&0&1&1&0\3&1&0&0&1&0\‌‌‌‌‌‍‌‌‌‌‌‌‬‍‬‌‌‌‌‌‌‍‌‌‌‌‌‬‍‬‌‌‌‌‌‌‌‌‌‌‌‌‬‍‬‌‌‌‌‌‌‍‌‌‌‌‌‬‍‬‌‌‌‌‌‌‌‌‌‌‌‌‬‍‬‌‌‌‌‌ ‌‌‌‌‌‌‍‍‌‌‌‌‌‍‍‌\end{array}&\begin{array}{c|cc} \\leftarrow\leftarrow&0&1&2&3‌‌‌‌‌‬‍‬‌‌‌‌‌‍‌\\hline0&0&0&0&0‌‌‌‌‌‬‍‬‌‌‌‌‌‌‌\1&0&1&0&0‌‌‌‌‌‬‍‬‌‌‌‌‌‌‌\2&0&0&1&0‌‌‌‌‌‬‍‬‌‌‌‌‌‌‌\3&0&1&1&1‌‌‌‌‌‬‍‬‌‌‌‌‌‌‍\‌‌‌‌‌‍‌‌ ‌‌‌‌‬‍‬‌‌‌‌‌‌‌‌‌‌‌‌‬‍‬‌‌‌‌‌‌‍‌‌‌‌‌‬‍‬‌‌‌‌‌‌‍‌‌‌‌‌‬‍‬‌‌‌‌‌‌‌‌‌‌‌‌‬‍‬‌‌‌‌‌‌‍‌‬‌‌‌‌‌‌‬‌‌‌‌‍‌‌‌‌‍‍‌‌‌‌‌‍‍‌\end{array} &\begin{array}{c|cc}\text{ABAB} &1&2&3&4&5\\hline0&1&1&0&1&1\1&0&0&0&1&0\2&1&0&1&1&0\3&1&1&1&0&0\‌‌‌‌‌‍‌‌‌‌‌‌‬‍‬‌‌‌‌‌‌‍‌‌‌‌‌‬‍‬‌‌‌‌‌‌‌‌‌‌‌‌‬‍‬‌‌‌‌‌‌‌‌‌‌‌‌‬‍‬‌‌‌‌‌‌‍‌‌‌‌‌‬‍‬‌‌‌‌‌‌‍‌‌‌‌‍ ‍‌‌‌‌‌‍‍‌\end{array}\end{array}\\begin{array}{c}\begin{array}{c|ccccc}\\uparrow\uparrow&0&1&2&3&4\\hline0&0&1&0&0&0\1&1&0&1&1&1\2&0&0&0&0&0\3&1&1&1&1&1\4&1&0&0&0&0\\end{array}&\begin{array}{c|cc} \\downarrow\downarrow&0&1&2&3‌‌‌‌‌‬‍‬‌‌‌‌‌‍‌\\hline0&0&0&1&1‌‌‌‌‌‬‍‬‌‌‌‌‌‌‍\1&1&1&1&0‌‌‌‌‌‬‍‬‌‌‌‌‌‌‍\2&0&0&0&1‌‌‌‌‌‬‍‬‌‌‌‌‌‌‌\3&1&1&0&1‌‌‌‌‌‬‍‬‌‌‌‌‌‌‍\4&0&1&0&1‌‌‌‌‌‬ 
‍‬‌‌‌‌‌‌‍\\end{array}&\begin{array}{c|cc}\text{ABAB}&1&2&3&4&5\\hline0&0&1&0&1&0\1&1&1&1&0&1\2&1&1&0&1&1\3&1&0&1&0&1\4&1&0&0&0&1\\end{array}&\begin{array}{c|cc} \\leftarrow\leftarrow&0&1&2&3‌‌‌‌‌‬‍‬‌‌‌‌‌‍‌\\hline0&1&0&1&0‌‌‌‌‌‬‍‬‌‌‌‌‌‌‍\1&0&1&1&1‌‌‌‌‌‬‍‬‌‌‌‌‌‌‍\2&0&1&0&1‌‌‌‌‌‬‍‬‌‌‌‌‌‌‍\3&0&0&1&0‌‌‌‌‌‬‍‬‌‌‌‌‌‌‍\4&1&1&1&1‌‌‌‌‌‬ ‍‬‌‌‌‌‌‌‍\\end{array}&\begin{array}{c|cc}\\rightarrow\rightarrow&0&1&2&3&4\\hline0&1&0&0&0&0\1&1&1&1&1&1\2&0&1&0&0&0\3&1&1&0&1&0\4&1&1&0&0&0\\end{array}\end{array}\\begin{array}{c}\begin{array}{c|ccccc}\\uparrow\uparrow&0&1&2&3&4\\hline0&1&0&1&1&1\1&1&0&1&1&1\2&1&0&1&1&1\3&1&0&0&0&0\4&1&1&1&1&1\\end{array} &\begin{array}{c|cc} \\downarrow\downarrow&0&1&2&3‌‌‌‌‌‬‍‬‌‌‌‌‌‍‌\\hline0&0&1&0&1‌‌‌‌‌‬‍‬‌‌‌‌‌‌‍\1&0&1&0&0‌‌‌‌‌‬‍‬‌‌‌‌‌‌‌\2&0&1&0&1‌‌‌‌‌‬‍‬‌‌‌‌‌‌‌\3&0&1&0&1‌‌‌‌‌‬‍‬‌‌‌‌‌‌‌\4&1&1&0&1‌‌‌‌‌‬ ‍‬‌‌‌‌‌‌‍\\end{array}&\begin{array}{c|cc} \\leftarrow\leftarrow&0&1&2&3‌‌‌‌‌‬‍‬‌‌‌‌‌‍‌\\hline0&0&0&0&0‌‌‌‌‌‬‍‬‌‌‌‌‌‌‍\1&0&0&1&1‌‌‌‌‌‬‍‬‌‌‌‌‌‌‌\2&1&1&0&0‌‌‌‌‌‬‍‬‌‌‌‌‌‌‍\3&0&1&1&0‌‌‌‌‌‬‍‬‌‌‌‌‌‌‍\4&1&1&0&0‌‌‌‌‌‬ ‍‬‌‌‌‌‌‌‍\\end{array}&\begin{array}{c|cc}\text{ABAB}&1&2&3&4&5\\hline0&1&0&1&0&1\1&1&0&1&1&0\2&0&1&1&0&1\3&0&0&1&1&1\4&0&0&0&0&1\\end{array}&\begin{array}{c|cc}\\rightarrow\rightarrow&0&1&2&3&4\\hline0&1&1&1&1&1\1&0&0&1&1&1\2&1&1&1&1&1\3&1&0&1&1&0\4&1&0&0&1&1\\end{array}\end{array}\end{array}

This is LaTeX code, which fits the official hint 2: the notes are recorded with Markdown.

Inserting LaTeX formulas in Markdown
The formula delimiters used by CSDN's Markdown editor are $$ and $. Single dollar signs surround an inline formula and double dollar signs surround a block formula.

So in Markdown, LaTeX code placed between two $$ is rendered as a formula.

QR code Version

The tables have 5 rows and 5 columns and contain only 0s and 1s, which suggests a QR code.
From the title (the Contra 30-lives cheat), a Baidu search shows that the cheat code is: up, down, left, right, BABA (the blocks here are arranged in the order up, down, left, right, ABAB).

However, a QR code of size 23x23 is not valid.

QR code sizes are officially called versions.
There are 40 versions in total. Version 1 is a 21 x 21 matrix, Version 2 is 25 x 25, and Version 3 is 29 x 29; each version adds 4 to the side length. The formula is (V-1)*4 + 21, where V is the version number. The highest is Version 40: (40-1)*4 + 21 = 177, so the largest is a 177 x 177 square.

The standard size of a Version 2 QR code is 25x25, which points to zero-width character steganography.

Zero-width character steganography

The <200C><200C><200C> sequences inserted between the rows are the signature of zero-width character steganography.


Zero-width character steganography decoding website: https://330k.github.io/misc_tools/unicode_steganography.html
Be careful not to copy everything at once; decode one line at a time.

That is, from \begin{array} to \end{array}.

Arrange the rows in the order up, down, left, right, ABAB (and so on):

11111 # first row of the up block
11011 # first row of the down block
00101 # first row of the left block
11011 # first row of the right block
11111 # first row of the ABAB block

from PIL import Image

MAX = 25  # a Version 2 QR code is 25 x 25 modules
pic = Image.new("RGB", (MAX, MAX))
str = "1111111011001011101111111100000100011110010100000110111010111011001010111011011101001110101101011101101110100010000000101110110000010010001101010000011111111010101010101111111000000001110111110000000011101111101101010110001000001010110100010100010011100000101100000001111101111101001100100010001000101011111110001000011010110011110000001111100101110010100111000110110100100110100000111101011000001010101111110101111111111110100000000100101101000110111111111011001011101010101100000101111111110001000110111010110000111111101011011101000001100011110110101110101011001111110110110000010100110110110001111111111011110011001100001"
 
i = 0
# Walk the bit string row by row: '1' is a black module, '0' a white one
for y in range(0, MAX):
    for x in range(0, MAX):
        if str[i] == '1':
            pic.putpixel((x, y), (0, 0, 0))
        else:
            pic.putpixel((x, y), (255, 255, 255))
        i = i + 1
pic.show()
pic.save("flag.png")


Finally, a QR code is generated and scanned to get the flag: BMZCTF{y0u_f1nd_the_4l@g }.

Keywords: CTF Latex

Added by marcusb on Wed, 05 Jan 2022 04:46:27 +0200