# Partial write-up for unctf2020
⭐unctf2020
⭐misc
1. baba_is_you
<img src="https://img-blog.csdnimg.cn/img_convert/8547368f4537fbf56d66e58f9be38745.png" alt="">
The challenge title tells us we need to understand the PNG file format.
The download is a picture in PNG format.
Open it with 010editor and you will find a Bilibili URL appended at the end of the file:
<pre><code>https://www.bilibili.com/video/BV1y44111737
</code></pre>
Visit it and check the comment section to get the flag.
flag:
unctf{let's_study_pwn}
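The same check can be done without a hex editor by walking the PNG chunk list and reporting whatever follows IEND. This is an added example, not part of the original write-up; the sample image and the example.invalid URL are constructed inline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def make_chunk(ctype, data):
    """Build one PNG chunk: 4-byte length, 4-byte type, data, CRC-32 of type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def scan_png(blob):
    """Walk the chunks of a PNG.

    Returns (chunk_types, types_with_bad_crc, bytes_after_IEND).
    Anything after IEND is ignored by image viewers, which is why it is a
    common hiding place for appended data.
    """
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    types, bad_crc = [], []
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length
        if end > len(blob):
            raise ValueError("truncated chunk %r" % ctype)
        data = blob[pos + 8:pos + 8 + length]
        (stored_crc,) = struct.unpack(">I", blob[pos + 8 + length:end])
        name = ctype.decode("latin-1")
        if stored_crc != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            bad_crc.append(name)
        types.append(name)
        pos = end
        if ctype == b"IEND":
            return types, bad_crc, blob[pos:]
    raise ValueError("no IEND chunk found")


def build_sample():
    """Constructed sample: a valid 1x1 grayscale PNG with a URL appended."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one filter byte + one pixel
    png = (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
           + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b""))
    return png + b"https://example.invalid/hidden-note"


if __name__ == "__main__":
    chunk_types, bad, trailing = scan_png(build_sample())
    print("chunks:", chunk_types)
    print("bad CRC:", bad)
    print("trailing data:", trailing)
```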
2. Yin Yang human code
<img src="https://img-blog.csdnimg.cn/img_convert/582303b9263161738a2a3a1318115420.png" alt="">
The download is a PDF full of text. Look closely and there are only three kinds of strange phrases in it:
That's it. No! That's it
Combined with the hint given in the title, it is easy to think of Ook! code.
So, replace this with
It can't be true! Replace with!
Replace this with?
The results are as follows:
Paste it into the online decoder:
https://www.splitbrain.org/services/ook
Result:
<img src="https://img-blog.csdnimg.cn/img_convert/cc72754548ef40ddf93b571d845268bb.png" alt="">
flag{9_zhe_Jiu_zhe_8_hui_8}
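What the online decoder does can be reproduced offline: Ook! is Brainfuck written as pairs of `Ook.`, `Ook!` and `Ook?` tokens. The decoder below is an added example, not part of the original write-up; it tokenises on the punctuation only, so text copied out of a PDF with missing spaces still decodes. The sample program is constructed.

```python
import re

# Each pair of Ook tokens maps to one Brainfuck instruction.
OOK_TO_BF = {
    ".?": ">", "?.": "<", "..": "+", "!!": "-",
    "!.": ".", ".!": ",", "!?": "[", "?!": "]",
}
BF_TO_OOK = {bf: pair for pair, bf in OOK_TO_BF.items()}


def ook_to_bf(text):
    """Translate Ook! source to Brainfuck, tolerating missing whitespace."""
    marks = re.findall(r"Ook([.!?])", text)
    if len(marks) % 2:
        raise ValueError("odd number of Ook tokens")
    out = []
    for a, b in zip(marks[0::2], marks[1::2]):
        op = OOK_TO_BF.get(a + b)
        if op is None:
            raise ValueError("invalid token pair Ook%s Ook%s" % (a, b))
        out.append(op)
    return "".join(out)


def bf_to_ook(code):
    """Inverse translation, used here only to build the constructed sample."""
    return " ".join("Ook%s Ook%s" % tuple(BF_TO_OOK[c]) for c in code)


def run_bf(code, stdin=b"", max_steps=1000000):
    """Minimal Brainfuck interpreter with a step limit; returns the output bytes."""
    stack, jump = [], {}
    for i, c in enumerate(code):
        if c == "[":
            stack.append(i)
        elif c == "]":
            if not stack:
                raise ValueError("unbalanced ]")
            j = stack.pop()
            jump[i], jump[j] = j, i
    if stack:
        raise ValueError("unbalanced [")
    tape, ptr, pc, steps = [0] * 30000, 0, 0, 0
    out, inp = bytearray(), iter(stdin)
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded")
        c = code[pc]
        if c == ">":
            ptr = (ptr + 1) % len(tape)
        elif c == "<":
            ptr = (ptr - 1) % len(tape)
        elif c == "+":
            tape[ptr] = (tape[ptr] + 1) % 256
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) % 256
        elif c == ".":
            out.append(tape[ptr])
        elif c == ",":
            tape[ptr] = next(inp, 0)
        elif c == "[" and tape[ptr] == 0:
            pc = jump[pc]
        elif c == "]" and tape[ptr] != 0:
            pc = jump[pc]
        pc += 1
    return bytes(out)


# Constructed sample: a program that prints "A", with two spaces dropped
# to mimic text copied out of a PDF.
SAMPLE = bf_to_ook("++++++++[>++++++++<-]>+.").replace("Ook. Ook.", "Ook.Ook.", 2)

if __name__ == "__main__":
    print(run_bf(ook_to_bf(SAMPLE)).decode())
```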
3. My adventures
<img src="https://img-blog.csdnimg.cn/img_convert/11ae250413b443e38cbe33bcb48cb24c.png" alt="">
The attachment is a little big. It is a game (you have to sit through the "suffocating" experience of killing mice to complete tasks).
Extract it.
<img src="https://img-blog.csdnimg.cn/img_convert/c2c51a77305746d79d6bb42cb64a702c.png" alt="">
Find the www folder and open it directly (as we all know, the main resources are all in this folder).
<img src="https://img-blog.csdnimg.cn/img_convert/20d0585bdd85bfc6746e5814d809f948.png" alt="">
Opening the root page index.html gives an error, which is only natural: nothing can run when the environment has not been set up.
<img src="https://img-blog.csdnimg.cn/img_convert/dce454ec72add5afa773c11cf3f365f8.png" alt="">
But the error reminds us that the data folder is very important.
Open it and you find a pile of JSON files. At first a series of map00x.json files attracts attention. They seem to describe the tasks of each level, but the flag does not appear in them. Later, I finally found the flag in the Items.json file, along with an earlier fake flag.
<img src="https://img-blog.csdnimg.cn/img_convert/fb61f57c952293ec06e89e89d5a7ce53.png" alt="">
UNCTF{WelC0me_70_UNCTF2oZ0~}
4. YLB's CAPTCHA - check in question
<img src="https://img-blog.csdnimg.cn/img_convert/f148efa72357b29e1a92d8b3c4bff632.png" alt="">
Open the web page and press ctrl+u to view its source code:
<body>
<div class="quote" id="neat">Speed up the finals YLB Verification code server down CISCN Know RNM,Is there a code for refund🐴 Down platform 2020 WIFI Set a topic AWD Industry cancer foreign garbage hell platform CTF Spring Festival Gala phpstudy Together with the organizer AWD Target reset Misc Players are ecstatic about the disconnection of international factories Oo0ilLlWwKkSsOoPpCcZz Platform features can be ignored if you don't want to PATCH Bad player AD Yi LiNbO applauded Python Sign in Pwn topic Docker Issuing mechanism rule repeated horizontal jump BuildBreakFix OCR Platform attacked AP Isolated operation and maintenance is an incentive for newcomers to volunteer to host competitions and improve the popularity of the industry. There are 40 questions and 4 questions can be used PY Pheasant competition is open only MYSQL of WEB topic ylb Is it closed down? The most important competition to buy equipment and raise scores, and the most garbage platform can't be handed in flag YLBNB Please don't give me the knowledge of carnival ylb After three and a half hours of pressure, the problem-solving competition was temporarily changed to the competition system. I wish it would close down as soon as possible. Yi LiNbO forced the whole audience to wait for the players to repair the platform Attack Sponsor? Defense Free happy water</div>
<form action="./index.php" method="post">
<img src="image_captcha.php" onclick="this.src='image_captcha.php?'+new Date().getTime();"><br/>
<input type="text" name="captcha" placeholder="Entry the CAPTCHA" style="text-align: center;background-color: #53656f;"><br/>
<input type="submit" value="Submit" class="button">
</form>
<script src="./title.js"></script>
</body>
Note the following sentence at the bottom:
<p>Get 10 points to get flag<br>Your point: </p>
In other words, the most intuitive method is to read the verification codes correctly until the flag is awarded.
Since the verification code is difficult to recognize, save the picture and use Stegsolve to switch channels until it is readable.
[Note] The input is case sensitive!!!
[One wrong step and you lose everything]
UNCTF{7ed2cc4f-184b-43ec-bc21-bc100dbdf9f6}
5. Hide and seek
<img src="https://img-blog.csdnimg.cn/img_convert/89bb4c29602c78eeba615d614e464b11.png" alt="">
The download is an Excel file. 010editor shows the 504B0304 header, so change the suffix to zip and extract it. The contents are basically XML files; put them in IDEA for viewing.
Finally, I found something strange in sharedStrings.xml.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <sst xmlns="http://It's the same as your openxml. Org / spread '' '' '' '' '' '' '' '' '' '' '' '''smosmosmosmosmosmosmosmosmosmostatstatstatstatstatstatstatstatstatstatstatstatstatstatstatstatstatstats.org '' '' '' '' '' '' '' '' '' '' '' '' '' '' '' ''s the one that's the one that''s the one that's the one that's the one that's the one that ''s the one that''s the number that '' ''s the number that''s the number that '''s the 2 "& gt & gt & gt & lt & lt & gt; lt & lt & gt & lt & gt; T & gt & lt & lt & gt; T & lt & gt; T & lt & lt & gt; T & lt & gt; T & lt; T & gt; T & lt & lt; T & gt; t & gt; T & PR fontid =" 1 "type =" 1 " noConversion"/></si></sst>
Notice a base64-encoded string:
dW5jdGYlN0I3MzgzYjY3ZGU5MTA2YTZmMTBmZGJlNGU4ZWJjNjRjZSU3RA==
Decoded:
flag:
unctf{7383b67de9106a6f10fdbe4e8ebc64ce}
6. Network depth 1
<img src="https://img-blog.csdnimg.cn/img_convert/2903624ec93d2c3c655df1f48260131b.png" alt="">
The attachment contains a dial-tone audio file, a txt file that sets the scene, and a password-protected archive.
There is a long number in the txt, which is presumably the source of the final flag.
636806841748368750477720528895492611039728818913495104112781919263174040060359776171712496606031373211949881779178924464798852002228370294736546700438210687486178492208471812570216381077341015321904079977773352308159585335376746026882907466893864815887274158732965185737372992697108862362061582646638841733361046086053127284900532658885220569350253383469047741742686730128763680253048883638446528421760929131783980278391556912893405214464624884824555647881352300550360161429758833657243131238478311219915449171358359616665570429230738621272988581871
The txt clearly tells us that we must unpack the archive in order to understand the meaning of this number.
The archive password is the telephone number, which is contained in the wav audio.
Telling the digits apart by ear is a daydream (for me).
So go straight to a tool: dtmf2num.exe
Attach download address
After downloading, execute the command:
dtmf2num.exe Dial tone.wav
Output:
<pre><code>DTMF2NUM 0.1.1
by Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
- open Dial tone.wav
wave size 35200
format tag 1
channels: 1
samples/sec: 8000
avg/bytes/sec: 16000
block align: 2
bits: 16
samples: 17600
bias adjust: -3
volume peaks: -29471 29471
normalize: 3296
- MF numbers: 74
- DTMF numbers: 15975384265
</code></pre>
The archive password is 15975384265. After extraction, you get an audio file and a txt.
From the txt, we know that the audio holds an important clue for decoding the number.
Open the audio file with Audacity and check the waveform. Nothing is found.
So I switched to the spectrogram and found the keyword tupper.
<img src="https://img-blog.csdnimg.cn/img_convert/98fce41738d9eb214b210cf193fd4b68.png" alt="">
At first I didn't know what it meant, so I searched Baidu for Tupper and finally found Tupper's self-referential formula, which draws a picture.
Hence the script (the mysterious number is in fact k):
<pre><code class="prism language-python">"""
Copyright (c) 2012, 2013 The PyPedia Project, http://www.pypedia.com
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

# Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
# Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

http://www.opensource.org/licenses/BSD-2-Clause
"""

# Raw string: the formula below contains backslashes
__pypdoc__ = r"""
Method: Tupper_self_referential_formula
Link: http://www.pypedia.com/index.php/Tupper_self_referential_formula
Retrieve date: Tue, 11 Mar 2014 03:15:49 +0200

Plots the [http://en.wikipedia.org/wiki/Tupper's_self-referential_formula Tupper's_self-referential_formula]:

: <math>{1\over 2} < \left\lfloor \mathrm{mod}\left(\left\lfloor {y \over 17} \right\rfloor 2^{-17 \lfloor x \rfloor - \mathrm{mod}(\lfloor y\rfloor, 17)},2\right)\right\rfloor</math>

The plot is the very same formula that generates the plot.

[[Category:Validated]]
[[Category:Algorithms]]
[[Category:Math]]
[[Category:Inequalities]]
"""

from functools import reduce  # reduce is not a builtin in Python 3


def Tupper_self_referential_formula():
    k = 636806841748368750477720528895492611039728818913495104112781919263174040060359776171712496606031373211949881779178924464798852002228370294736546700438210687486178492208471812570216381077341015321904079977773352308159585335376746026882907466893864815887274158732965185737372992697108862362061582646638841733361046086053127284900532658885220569350253383469047741742686730128763680253048883638446528421760929131783980278391556912893405214464624884824555647881352300550360161429758833657243131238478311219915449171358359616665570429230738621272988581871
    # love yiran

    def f(x, y):
        d = ((-17 * x) - (y % 17))
        e = reduce(lambda x, y: x * y, [2 for x in range(-d)]) if d else 1
        # Integer division: k is far too large for float division in Python 3
        f = ((y // 17) // e)
        g = f % 2
        return 0.5 < g

    # Print the 17 rows of the bitmap, 107 columns wide
    for y in range(k + 16, k - 1, -1):
        line = ""
        for x in range(0, 107):
            if f(x, y):
                line += "@"
            else:
                line += " "
        print(line)


# Method name =Tupper_self_referential_formula()
if __name__ == '__main__':
    # print __pypdoc__
    returned = Tupper_self_referential_formula()
    if returned:
        print(str(returned))
</code></pre>
Run it.
<img src="https://img-blog.csdnimg.cn/img_convert/478f42de3c7eca30dfa2856309574954.png" alt="">
It reads better from a distance!!
<img src="https://img-blog.csdnimg.cn/img_convert/8b26999f517e23186ca7319f4dc64a1e.png" alt="">
Get flag
flag{Y29pbA==}
7. Deleted flag
<img src="https://img-blog.csdnimg.cn/img_convert/8a359dbca06a0feac29c6b1230f78485.png" alt="">
Download the attachment to get a file named flag.
The format is unknown, so open it directly with 010editor, press ctrl+f, search for unctf, and the flag appears.
unctf{congratulations!}
8. Can you crack my password
<img src="https://img-blog.csdnimg.cn/img_convert/8ff3e5fa5ec5364caddfc7cd38ace258.png" alt="">
Download the attachment to get a shadow file.
<pre><code>root:!:18556:0:99999:7:::
daemon:*:18474:0:99999:7:::
bin:*:18474:0:99999:7:::
sys:*:18474:0:99999:7:::
sync:*:18474:0:99999:7:::
games:*:18474:0:99999:7:::
man:*:18474:0:99999:7:::
lp:*:18474:0:99999:7:::
mail:*:18474:0:99999:7:::
news:*:18474:0:99999:7:::
uucp:*:18474:0:99999:7:::
proxy:*:18474:0:99999:7:::
www-data:*:18474:0:99999:7:::
backup:*:18474:0:99999:7:::
list:*:18474:0:99999:7:::
irc:*:18474:0:99999:7:::
gnats:*:18474:0:99999:7:::
nobody:*:18474:0:99999:7:::
systemd-network:*:18474:0:99999:7:::
systemd-resolve:*:18474:0:99999:7:::
systemd-timesync:*:18474:0:99999:7:::
messagebus:*:18474:0:99999:7:::
syslog:*:18474:0:99999:7:::
_apt:*:18474:0:99999:7:::
tss:*:18474:0:99999:7:::
uuidd:*:18474:0:99999:7:::
tcpdump:*:18474:0:99999:7:::
avahi-autoipd:*:18474:0:99999:7:::
usbmux:*:18474:0:99999:7:::
rtkit:*:18474:0:99999:7:::
dnsmasq:*:18474:0:99999:7:::
cups-pk-helper:*:18474:0:99999:7:::
speech-dispatcher:!:18474:0:99999:7:::
avahi:*:18474:0:99999:7:::
kernoops:*:18474:0:99999:7:::
saned:*:18474:0:99999:7:::
nm-openvpn:*:18474:0:99999:7:::
hplip:*:18474:0:99999:7:::
whoopsie:*:18474:0:99999:7:::
colord:*:18474:0:99999:7:::
geoclue:*:18474:0:99999:7:::
pulse:*:18474:0:99999:7:::
gnome-initial-setup:*:18474:0:99999:7:::
gdm:*:18474:0:99999:7:::
guguguguji:$1$AH$xtjky.3kppbU27tR0SDJT.:18556:0:99999:7:::
systemd-coredump:!!:18556::::::
</code></pre>
The shadow file is the sensitive file in which a Linux system stores account password hashes. It can be cracked with john.
Download address: http://www.openwall.com/john/
After extracting, enter the run directory and execute the command
john --show shadow
<img src="https://img-blog.csdnimg.cn/img_convert/217c8ab3aa0d43ae262e672faed0335b.png" alt="">
Get password 123456
Get flag
unctf{e10adc3949ba59abbe56e057f20f883e}
9. mouse_click
<img src="https://img-blog.csdnimg.cn/img_convert/9f8d7bf1d6fba312c3fe0a3f45471cea.png" alt="">
Download the attachment and get mouse_click.pcapng. Obviously, this is USB traffic analysis.
<img src="https://img-blog.csdnimg.cn/img_convert/111c7b9095ab1c774336f42558bbe51a.png" alt="">
The mouse data of the USB protocol is in the Leftover Capture Data field, and the data length is four bytes.
The first byte represents the button:
For example, 0x00 means no button is pressed, 0x01 means the left button, and 0x02 means the right button.
The second byte represents the horizontal offset of the mouse:
When the value is positive, it is the number of pixels the mouse moves to the right; when it is negative, it is the number of pixels the mouse moves to the left.
The third byte is similar to the second byte and represents the vertical (up and down) offset.
1. Export the Leftover Capture Data field data in mouse_click.pcapng
<pre><code>tshark -r mouse_click.pcapng -T fields -e usb.capdata > data.txt
tshark -r mouse_click.pcapng -T fields -e usb.capdata | sed '/^\s*$/d' > data.txt #Extract and remove empty lines
</code></pre>
Get the data.txt file as shown in the figure below
<img src="https://img-blog.csdnimg.cn/img_convert/ebf404c9143914c36fe8281baf19df14.png" alt="">
2. Normalise to colon-separated format
The usual format has colons between the bytes, i.e. xx:xx:xx:xx
So run the script maohao.py
<pre><code class="prism language-python">f=open('data.txt','r')
fi=open('out.txt','w')
while 1:
    a=f.readline().strip()
    if a:
        if len(a)==8: # For mouse traffic, len is changed to 8 and keyboard is 16
            out=''
            # Insert a colon between every pair of hex digits
            for i in range(0,len(a),2):
                if i+2 != len(a):
                    out+=a[i]+a[i+1]+":"
                else:
                    out+=a[i]+a[i+1]
            fi.write(out)
            fi.write('\n')
    else:
        # Stops at the first empty line, which is why data.txt must have none
        break
f.close()
fi.close()
</code></pre>
python maohao.py
3. Convert mouse traffic to coordinates
Then convert the mouse traffic into xy coordinates by running the script mouse.py as follows
<pre><code class="prism language-python">nums = []
keys = open('out.txt','r')
f = open('xy.txt','w')
posx = 0
posy = 0
for line in keys:
    # "xx:xx:xx:xx" plus the newline is 12 characters
    if len(line) != 12 :
        continue
    x = int(line[3:5],16)
    y = int(line[6:8],16)
    # The offsets are signed 8-bit values
    if x > 127 :
        x -= 256
    if y > 127 :
        y -= 256
    posx += x
    posy += y
    btn_flag = int(line[0:2],16) # 1 for left , 2 for right , 0 for nothing
    if btn_flag == 1 :
        f.write(str(posx))
        f.write(' ')
        f.write(str(posy))
        f.write('\n')
keys.close()
f.close()
</code></pre>
python mouse.py
Get:
<img src="https://img-blog.csdnimg.cn/img_convert/5816a41203089a328d5c2d4a5cf8078a.png" alt="">
4. gnuplot drawing image
Run gnuplot.exe to draw the image
<pre><code>gnuplot> plot "xy.txt"
gnuplot>
</code></pre>
Finally:
<img src="https://img-blog.csdnimg.cn/img_convert/268319d24ba1d4753886f41f8675a65b.png" alt="">
Obviously, the image is upside down. Flip it vertically and the flag appears
<img src="https://img-blog.csdnimg.cn/img_convert/f00f2d5ea64a4e63452b3e44bd0e7737.png" alt="">
unctf{U5BC@P}
10. Torn QR code
<img src="https://img-blog.csdnimg.cn/img_convert/0523299abf404b5aa73c5a1194061f26.png" alt="">
The download is a QR code, but an incomplete one.
<img src="https://img-blog.csdnimg.cn/img_convert/1ecabf05dd233dc257439b9edf3efc7f.png" alt="">
As we all know, a QR code has three locator patterns. Complete the one in the upper right corner to get the flag
<img src="https://img-blog.csdnimg.cn/img_convert/6e1014d3bb36df13f491fdbfb0f12560.png" alt="">
Also remember to shrink the QR code slightly when scanning.
unctf{QR@2yB0x}
11. Reflection
<img src="https://img-blog.csdnimg.cn/img_convert/24878f5ce6bf1dabd92e6502b484b1ee.png" alt="">
Download the attachment and get reflection.exe. Open it with 010editor and find the file header FF D8 FF E0. Obviously, this is a jpg.
Scroll to the end and find a base64-encoded string.
MDAwMDAwMDAwMEI0MDAwMDAwQTUwMDEwMDAxMDAwMDAwMDAwNjA1MEI0MDUxMDZENkE5RUEyNEU1NzY3MTA2RDdBRDU4QUMyMjk0MDEwNkQ3QUQ1OEFDMjI5NDAwMDgxMDAxMDAwMDAwMDAwMDAwMjAwQTA0Nzg3NDdFMjc2MTZDNjY2MDAwMDAwMDAwMDAwMDAwMjAwMDAwMDAwMDAwMDAwNDIwMDgwMDAwMDAwOTEwMDAwMDA1Mjk3RDQ1MzVFMTU1NUU1QzkwMDAwODAxMDAwQTAwMEYzMjAxMEI0MDVCNEVDQzdFOTg4OUVERjFCQTMwQzZGRjcxODM2RUJDRkU5QTczNUVGRDZFNTAxQ0UxNDEwOTUwNTgyNzc2NEI2OURDMzdDNkUyRTQ3ODc0N0UyNzYxNkM2NjYwMDAwMDA4MDAwMDAwMDkxMDAwMDAwNTI5N0Q0NTM1RTE1NTVFNUM5MDAwMDgwMTAwMEEwNDAzMEI0MDU=
Decoding it gives a hexadecimal string
0000000000B4000000A500100010000000006050B405106D6A9EA24E5767106D7AD58AC22940106D7AD58AC229400081001000000000000200A0478747E27616C666000000000000000200000000000000420080000000910000005297D4535E1555E5C90000801000A000F32010B405B4ECC7E9889EDF1BA30C6FF71836EBCFE9A735EFD6E501CE14109505827764B69DC37C6E2E478747E27616C66600000080000000910000005297D4535E1555E5C90000801000A04030B405
Paste it into 010editor with shift+v.
<img src="https://img-blog.csdnimg.cn/img_convert/3293798761c6b9efc694b2a6e0bbc40e.png" alt="">
Note: the reverse of 40 30 B4 05 is 50 4B 03 04, so the hexadecimal string has to be reversed. That is the true meaning of "reflection".
The Java program used:
<pre><code class="prism language-java">import java.util.Scanner;

public class Main {
    public static void main(String[] args) {
        Scanner in = new Scanner(System.in);
        String s = in.nextLine();
        String str[] = s.split("");
        // Print the characters of the input line in reverse order
        for(int i=str.length-1;i>=0;--i) {
            System.out.print(str[i]);
        }
    }
}
</code></pre>
Get:
504B03040A00010800009C5E5551E5354D79250000001900000008000000666C61672E747874E2E6C73CD96B46772850590141EC105E6DFE537A9EFCBE63817FF6C03AB1FDE9889E7CCE4B504B01023F000A00010800009C5E5551E5354D792500000019000000080024000000000000002000000000000000666C61672E7478740A002000000000000100180004922CA85DA7D60104922CA85DA7D6017675E42AE9A6D601504B050600000000010001005A0000004B0000000000
Save it with the suffix zip to get an encrypted archive.
There are no other hints, so just brute-force it
<img src="https://img-blog.csdnimg.cn/img_convert/b337099ea84a4b5888bc48a8d901f09a.png" alt="">
Get password: 658745
Extract the flag
UNCTF{Th13_Is_@_F1@G}
12. EZ_IMAGE
<img src="https://img-blog.csdnimg.cn/img_convert/f6dc55f5d3b28318a9668571bb7ccef7.png" alt="">
The download is 225 shuffled jpg images. The solution is very simple: just put the picture back together.
1. montage command
Use this command to merge multiple graphs into one graph.
(kali Linux) installation command:
<pre><code class="prism language-cmd">apt-get install graphicsmagick-imagemagick-compat
</code></pre>
Enter the extracted folder directory and execute the command
montage *.jpg -tile 15x15 -geometry +0+0 1.jpg
Get:
<img src="https://img-blog.csdnimg.cn/img_convert/1e32f2050afc07272161e3f4ace7d9b4.png" alt="">
2. Automatic jigsaw solving with the gaps command
<pre><code>git clone https://github.com/nemanja-m/gaps.git
cd gaps
</code></pre>
First install the following libraries with pip3:
<pre><code>pip3 install numpy
pip3 install opencv-python
pip3 install matplotlib
pip3 install pytest
pip3 install pillow
</code></pre>
After installation, open requirements.txt and change each library to the version you installed.
<img src="https://img-blog.csdnimg.cn/img_convert/24594608dde0924b397be9f8542359e8.png" alt="">
These are the version numbers. For example, mine are:
<pre><code>numpy==1.18.4
opencv-python==4.4.0.46
matplotlib==3.2.2
pytest==4.6.11
pillow==6.2.1
</code></pre>
Then execute the following commands.
<pre><code>pip3 install -r requirements.txt
sudo apt-get install python-tk
pip3 install -e .
</code></pre>
After installation, copy the previously generated 1.jpg into the gaps directory and execute the following command:
gaps --image=1.jpg --population=500 --size=60 --save
<img src="https://img-blog.csdnimg.cn/img_convert/a1d2e54cb3096ba92069e3e01b8db999.png" alt="">
[Note] Make sure the number of pieces equals the total number of images
Finally get
<img src="https://img-blog.csdnimg.cn/img_convert/09d0e252ab031f20f2a5de91b345eeec.png" alt="">
flag is:
UNCTF{EZ_MISC_AND_HACK_FUN}
⭐Crypto
1. easy_rsa
<img src="https://img-blog.csdnimg.cn/img_convert/bc91cf5a4a10c3e83574b777cd534a7e.png" alt="">
Download the rsa encryption script, which is relatively simple:
<pre><code class="prism language-python">from Crypto.Util import number
import gmpy2
from Crypto.Util.number import bytes_to_long

p = number.getPrime(1024)
q = number.getPrime(1024)
if p > q:
    # The sum and difference of the primes are printed, which leaks both
    a = p + q
    b = p - q
    print(a,b)
n = p * q
e = 65537
phi = (p-1)*(q-1)
d = gmpy2.invert(e,phi)
m = bytes_to_long(b'msg')
c = pow(m,e,n)
print(c)
#320398687477638913975700270017132483556404036982302018853617987417039612400517057680951629863477438570118640104253432645524830693378758322853028869260935243017328300431595830632269573784699659244044435107219440036761727692796855905230231825712343296737928172132556195116760954509270255049816362648350162111168
#9554090001619033187321857749048244231377711861081522054479773151962371959336936136696051589639469653074758469644089407114039221055688732553830385923962675507737607608026140516898146670548916033772462331195442816239006651495200436855982426532874304542570230333184081122225359441162386921519665128773491795370
#22886015855857570934458119207589468036427819233100165358753348672429768179802313173980683835839060302192974676103009829680448391991795003347995943925826913190907148491842575401236879172753322166199945839038316446615621136778270903537132526524507377773094660056144412196579940619996180527179824934152320202452981537526759225006396924528945160807152512753988038894126566572241510883486584129614281936540861801302684550521904620303946721322791533756703992307396221043157633995229923356308284045440648542300161500649145193884889980827640680145641832152753769606803521928095124230843021310132841509181297101645567863161780
</code></pre>
From a = p + q and b = p - q it is easy to recover p and q; n and e are then known, so just run the script directly:
<pre><code class="prism language-python">import libnum
from Crypto.Util.number import long_to_bytes

a = 320398687477638913975700270017132483556404036982302018853617987417039612400517057680951629863477438570118640104253432645524830693378758322853028869260935243017328300431595830632269573784699659244044435107219440036761727692796855905230231825712343296737928172132556195116760954509270255049816362648350162111168
b = 9554090001619033187321857749048244231377711861081522054479773151962371959336936136696051589639469653074758469644089407114039221055688732553830385923962675507737607608026140516898146670548916033772462331195442816239006651495200436855982426532874304542570230333184081122225359441162386921519665128773491795370
c = 22886015855857570934458119207589468036427819233100165358753348672429768179802313173980683835839060302192974676103009829680448391991795003347995943925826913190907148491842575401236879172753322166199945839038316446615621136778270903537132526524507377773094660056144412196579940619996180527179824934152320202452981537526759225006396924528945160807152512753988038894126566572241510883486584129614281936540861801302684550521904620303946721322791533756703992307396221043157633995229923356308284045440648542300161500649145193884889980827640680145641832152753769606803521928095124230843021310132841509181297101645567863161780
# a = p + q
# b = p - q
p = (a+b) // 2
q = (a-b) // 2
n = q * p
e = 65537
d = libnum.invmod(e, (p - 1) * (q - 1))
m = pow(c, d, n) # Decimal form of m
string = long_to_bytes(m) # m plaintext
print(string) # The result is in the form of b'm '
#print(libnum.n2s(m)) #(n2s convert numeric values to strings)
</code></pre>
Result:
b'UNCTF{welcome_to_rsa}'
2. Simple RSA
<img src="https://img-blog.csdnimg.cn/img_convert/8047f0e373790efd79ec493d7a4e497d.png" alt="">
Download a txt
<pre><code>e= 18437613570247445737704630776150775735509244525633303532921813122997549954741828855898842356900537746647414676272022397989161180996467240795661928117273837666615415153571959258847829528131519423486261757569454011940318849589730152031528323576997801788206457548531802663834418381061551227544937412734776581781
n= 147282573611984580384965727976839351356009465616053475428039851794553880833177877211323318130843267847303264730088424552657129314295117614222630326581943132950689147833674506592824134135054877394753008169629583742916853056999371985307138775298080986801742942833212727949277517691311315098722536282119888605701
c= 140896698267670480175739817539898638657099087197096836734243016824204113452987617610944986742919793506024892638851339015015706164412994514598564989374037762836439262224649359411190187875207060663509777017529293145434535056275850555331099130633232844054767057175076598741233988533181035871238444008366306956934
</code></pre>
Obviously, this e is very big. I immediately thought of the Wiener attack on RSA. The script is modified as follows:
<pre><code class="prism language-python">import RSAwienerHacker

e= 18437613570247445737704630776150775735509244525633303532921813122997549954741828855898842356900537746647414676272022397989161180996467240795661928117273837666615415153571959258847829528131519423486261757569454011940318849589730152031528323576997801788206457548531802663834418381061551227544937412734776581781
n= 147282573611984580384965727976839351356009465616053475428039851794553880833177877211323318130843267847303264730088424552657129314295117614222630326581943132950689147833674506592824134135054877394753008169629583742916853056999371985307138775298080986801742942833212727949277517691311315098722536282119888605701
d = RSAwienerHacker.hack_RSA(e,n)
if d:
    print(d)
</code></pre>
<img src="https://img-blog.csdnimg.cn/img_convert/39e87d363e494a68ccbb8ecff303688f.png" alt="">
Get d:
74651354506339782898861455541319178061583554604980363549301373281141419821253
There are c, e, d and n. next, just have a hand and go directly to the script!
from Crypto.Util.number import long\_to\_bytes e= 18437613570247445737704630776150775735509244525633303532921813122997549954741828855898842356900537746647414676272022397989161180996467240795661928117273837666615415153571959258847829528131519423486261757569454011940318849589730152031528323576997801788206457548531802663834418381061551227544937412734776581781 n= 147282573611984580384965727976839351356009465616053475428039851794553880833177877211323318130843267847303264730088424552657129314295117614222630326581943132950689147833674506592824134135054877394753008169629583742916853056999371985307138775298080986801742942833212727949277517691311315098722536282119888605701 c= 140896698267670480175739817539898638657099087197096836734243016824204113452987617610944986742919793506024892638851339015015706164412994514598564989374037762836439262224649359411190187875207060663509777017529293145434535056275850555331099130633232844054767057175076598741233988533181035871238444008366306956934 d = 74651354506339782898861455541319178061583554604980363549301373281141419821253 m = pow(c, d, n) # Decimal form of m string = long\_to\_bytes(m) # m plaintext print(string) # The result is in the form of b'm '
Get flag:
b'unctf{wi3n3r\_Att@ck}'
3. How to make up for the lack of nutrition in the hearing of justice Anshan
<img src="https://img-blog.csdnimg.cn/img\_convert/3cbf51bf453939649c80f3dc075b086a.png" alt="">
The challenge description gives a string in an unknown encoding:
ottttootoootooooottoootooottotootttootooottotttooootttototoottooootoooottotoottottooooooooottotootto
Only two letters appear, which suggests binary, but converting it to a string that way fails.
The Bacon cipher is another encoding that uses only two symbols, so try that.
First replace o with A and t with B.
ABBBBAABAAABAAAAABBAAABAAABBABAABBBAABAAABBABBBAAAABBBABABAABBAAAABAAAABBABAABBABBAAAAAAAAABBABAABBA
<img src="https://img-blog.csdnimg.cn/img\_convert/6e0074a73d8a8974d3f9203e05272a3d.png" alt="">
Get flag
unctf{PEIGENHENYOUYINGYANG}
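An added example, not part of the original write-up: a Bacon decoder that tries both symbol assignments and both common alphabets (26-letter, and 24-letter with I/J and U/V merged), keeping only the decodings in which every 5-symbol group maps to a letter. The function name and alphabet labels are assumptions of this example; the ciphertext is the string from the challenge.

```python
from itertools import product

CIPHERTEXT = ("ottttootoootooooottoootooottotootttootooottotttoooo"
              "tttototoottooootoooottotoottottooooooooottotootto")

ALPHABETS = {
    "26-letter": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "24-letter (I=J, U=V)": "ABCDEFGHIKLMNOPQRSTUWXYZ",
}

def bacon_candidates(text):
    """Return (description, plaintext) for every consistent Bacon decoding."""
    symbols = sorted(set(text))
    if len(symbols) != 2 or len(text) % 5:
        return []                      # not a two-symbol, 5-per-letter code
    results = []
    orders = [symbols, symbols[::-1]]  # which symbol plays 'A' (0) and 'B' (1)
    for (zero, one), (name, alphabet) in product(orders, ALPHABETS.items()):
        bits = text.translate(str.maketrans(zero + one, "01"))
        values = [int(bits[i:i + 5], 2) for i in range(0, len(bits), 5)]
        if max(values) < len(alphabet):    # every group must be a real letter
            plain = "".join(alphabet[v] for v in values)
            results.append((f"{zero}=A {one}=B, {name}", plain))
    return results

if __name__ == "__main__":
    for description, plain in bacon_candidates(CIPHERTEXT):
        print(description, "->", plain)
```

Only one of the four combinations survives the validity check here, which is why the o=A, t=B guess with the 26-letter alphabet is the right one.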
⭐Reverse
1,re_checkin
<img src="https://img-blog.csdnimg.cn/img\_convert/95f1aa8869a78140b31cd9552a782918.png" alt="">
First check with PEiD whether the executable is packed. It is safe to drag it straight into IDA.
Press Shift+F12 to view the strings.
Find the "success" string, follow it to the function sub_401550(), and press F5 to decompile:
<pre><code class="prism language-c">__int64 sub_401550()
{
  char Str1; // sp+20h@1
  sub_40B300();
  puts("Welcome!Please Input:");
  sub_419C00("%1000s", &Str1);
  if ( !strcmp(&Str1, &Str2) )
    puts("success!");
  else
    puts("fail!");
  system("pause");
  return 0i64;
}
</code></pre>
The strcmp call compares Str1 with Str2. Since Str1 is our input, trace Str2.
<img src="https://img-blog.csdnimg.cn/img\_convert/0cbb5b8f6c692b9a9d1e692c54656e2f.png" alt="">
Str2 is filled in by the function sub_4015DC:
<pre><code class="prism language-c">void sub_4015DC()
{
  Str2 = 117;
  byte_42F041 = 110;
  byte_42F042 = 99;
  byte_42F043 = 116;
  byte_42F044 = 102;
  byte_42F045 = 123;
  byte_42F046 = 87;
  byte_42F047 = 101;
  byte_42F048 = 108;
  byte_42F049 = 99;
  byte_42F04A = 111;
  byte_42F04B = 109;
  byte_42F04C = 101;
  byte_42F04D = 84;
  byte_42F04E = 111;
  byte_42F04F = 85;
  byte_42F050 = 78;
  byte_42F051 = 67;
  byte_42F052 = 84;
  byte_42F053 = 70;
  byte_42F054 = 125;
  byte_42F055 = 0;
}
</code></pre>
Converting these ASCII codes to characters gives:
unctf{WelcomeToUNCTF}
2,babypy
<img src="https://img-blog.csdnimg.cn/img\_convert/2baf343304ef832b9288f6b4d360f45f.png" alt="">
We get an .exe and a .txt file.
The txt contains:
313131303130313031313031313130303131303030313130313131303130303031313030313130303131313130313130313031303130303031313031303030303130303030303030313131303130303031303131313131303131303130303130313131303031313031303131313131303131313030313030313130303130313031313030303031303031313030303130303131303030313031313131303031303130313131313130313130303031313030313130303030303031313030303030303131303030313031313131313031
First, check whether babypy.exe is packed. It is not.
Next, the exe has to be turned back into Python source code.
Use pyinstxtractor.py to unpack it.
Run the command:
python pyinstxtractor.py babypy.exe
<img src="https://img-blog.csdnimg.cn/img\_convert/e5d0aa978ab64a1840185c737a512680.png" alt="">
Among the extracted files, babypy is the main source file. The extraction is not perfect: the file has lost its pyc header and has no .pyc suffix. So open one of the other extracted pyc files to look at the file header:
42 0D 0D 0A 00 00 00 00
So add the following at the start of the file:
42 0D 0D 0A 00 00 00 00 70 79 69 30 10 01 00 00
<img src="https://img-blog.csdnimg.cn/img\_convert/5d7f7f7c8427ba81fa4bafbb0f6bb6a3.png" alt="">
Then change the suffix to .pyc and decompile it to get the py file:
<pre><code class="prism language-python">#!/usr/bin/env python
# visit http://tool.lu/pyc/ for more information
import os
import libnum
import binascii
flag = 'unctf{*******************}'
# WARNING: Decompyle incomplete
</code></pre>
Seeing this, it was very different from what I had expected. I thought the whole script would come out, so I was stuck.
In fact, I had forgotten the important information given by the author: that tip.txt!
Therefore, the problem-solving script is as follows:
<pre><code class="prism language-python">import libnum

m = 0x313131303130313031313031313130303131303030313130313131303130303031313030313130303131313130313130313031303130303031313031303030303130303030303030313131303130303031303131313131303131303130303130313131303031313031303131313131303131313030313030313130303130313031313030303031303031313030303130303131303030313031313131303031303130313131313130313130303031313030313130303030303031313030303030303131303030313031313131313031
bits = libnum.n2s(m)       # hex number -> string of '0' and '1' characters
print(libnum.b2s(bits))    # binary string -> text
</code></pre>
Running it prints the flag:
unctf{Th@t\_is\_rea11y\_c001}
3. Decompile
<img src="https://img-blog.csdnimg.cn/img\_convert/8f26db91128fcb1065a8fe24d43acf83.png" alt="">
We get a run.exe. The challenge title is "decompile", so the approach is the same as in the previous challenge.
Use pyinstxtractor.py to unpack it.
Run the command:
python pyinstxtractor.py run.exe
Prepend the header to the extracted run file and change its suffix to .pyc:
42 0D 0D 0A 00 00 00 00 70 79 69 30 10 01 00 00
Then decompile it to get the py file:
<pre><code class="prism language-python">#!/usr/bin/env python
# visit http://tool.lu/pyc/ for more information
str2 = 'UMAQBvogWLDTWgX"""k'
flag = ''
for i in range(len(str2)):
    flag += chr(ord(str2[i]) + i)   # shift each character by its index
print(flag)
</code></pre>
Running it prints the flag:
UNCTF{un\_UN\_ctf123}
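The header repair done by hand in the hex editor for both babypy and run, as an added example that is not part of the original write-up. It copies the 16-byte header from another extracted .pyc and checks that both files look like what they should; the function name and the sample body bytes are constructed for this example.

```python
PYC_HEADER_LEN = 16           # Python 3.7+: magic, flags, then two 4-byte fields
CODE_MARKERS = (0xE3, 0x63)   # marshal type byte of a code object ('c', with or without FLAG_REF)

def restore_pyc(entry: bytes, reference_pyc: bytes) -> bytes:
    """Return `entry` with the 16-byte header of `reference_pyc` prepended."""
    header = reference_pyc[:PYC_HEADER_LEN]
    # Every pyc magic is a 2-byte version number followed by b"\r\n".
    if len(reference_pyc) <= PYC_HEADER_LEN or header[2:4] != b"\r\n":
        raise ValueError("reference is not a .pyc file")
    # After a 16-byte header the marshalled module code object must start.
    if reference_pyc[PYC_HEADER_LEN] not in CODE_MARKERS:
        raise ValueError("reference does not use a 16-byte header")
    if entry[:4] == header[:4]:
        return entry                        # header already present
    if not entry or entry[0] not in CODE_MARKERS:
        raise ValueError("entry does not start with a marshalled code object")
    return header + entry

# Constructed sample data: the header bytes quoted in the write-up, followed
# by a dummy body that only imitates the start of a marshalled code object.
SAMPLE_HEADER = bytes.fromhex("420D0D0A000000007079693010010000")
SAMPLE_REFERENCE = SAMPLE_HEADER + b"\xe3" + bytes(12)
SAMPLE_ENTRY = b"\xe3" + bytes(20)

if __name__ == "__main__":
    fixed = restore_pyc(SAMPLE_ENTRY, SAMPLE_REFERENCE)
    print(fixed[:PYC_HEADER_LEN].hex(" "))
```

On real files, read the extracted entry-point file and any sibling .pyc from the extraction directory as bytes, pass them in, and write the result out with a .pyc suffix.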
⭐pwn
1,YLBNB
<img src="https://img-blog.csdnimg.cn/img\_convert/01d69c70c0714dd5ff5c31c40927fd51.png" alt="">
Just connect with nc:
nc 45.158.33.12 8000
<img src="https://img-blog.csdnimg.cn/img\_convert/5b8053d561dd15ca6629c522ffe87d08.png" alt="">
So go straight to the exp (the simplest one):
<pre><code class="prism language-python">from pwn import *

p = remote('45.158.33.12', 8000)
payload = ''
p.sendline(payload)
p.interactive()
</code></pre>
<img src="https://img-blog.csdnimg.cn/img\_convert/ce2994f36a2e6674c8235cfba5b00ac5.png" alt="">
Get flag
UNCTF{Gu@rd\_Th3\_Bes7\_YLB}
Next time!!