2021年大学生网络安全邀请赛暨第七届上海市大学生网络安全大赛“东华杯”Misc（全）-Writeup

文章目录

MISC

checkin

project

JumpJumpTiger

where_can_find_code 

---

MISC

checkin

题目：

+AGYAbABhAGcAewBkAGgAYgBfADcAdABoAH0-

Magic一把梭，UTF-7编码

flag{dhb_7th}

project

（脑洞题披上工控题的外衣）

附件解压打开，发现可疑压缩包

解压之后拿到疑似流量数据，共三段。

前两段：

Date: Sun, 19 Sep 2021 21:28:55 +0800
From: "[email protected]" 
To: mklkxxx 
Subject: =?UTF-8?B?5L2g5p2l5LqGfg==?=
X-Priority: 3
X-Has-Attach: no
X-Mailer: Foxmail 7.2.20.273[cn]
Mime-Version: 1.0
Message-ID: <[email protected]>
Content-Type: multipart/related;
	boundary="----=_001_NextPart057850482324_=----"

This is a multi-part message in MIME format.

------=_001_NextPart057850482324_=----
Content-Type: multipart/alternative;
	boundary="----=_002_NextPart832058858335_=----"


------=_002_NextPart832058858335_=----
Content-Type: text/plain;
	charset="UTF-8"
Content-Transfer-Encoding: base64

6KGo5oOF5YyF5paH5YyW77yM5piv6ZqP552A572R57uc56S+5Lqk5rKf6YCa55qE5aKe5aSa5Ye6
546w55qE5LiA56eN5Li75rWB5paH5YyW44CC5LiA5Liq5Lq655qE6KGo5oOF5YyF5piv5YW26ZqQ
6JeP6LW35p2l55qE55yf5oiR77yM5LiA5Liq5Zu95a6255qE6KGo5oOF5YyF6YeM6IO955yL5Yiw
6L+Z5Liq5Zu95a6255qE6KGo5oOF44CC4oCM4oCM4oCM4oCM4oCN4oCs4oCs4oCM5pyJ5pe25YCZ
77yM6KGo5oOF5YyF6KGo6L6+55qE5piv5LiN6IO96YGT56C055qE55yf5a6e5oOz5rOV5ZKM5oSf
5Y+X77yM6K+t6KiA5ZKM5paH5a2X55qE5bC95aS077yM5bCx5piv6KGo5oOF5YyF5pa95bGV55qE
56m66Ze044CCDQrooajmg4XljIXmmK/nvZHnu5zor63oqIDnmoTkuIDnp43ov5vljJbvvIzlroPn
moTkuqfnlJ/lkozmtYHooYzkuI7lhbbnibnlrprnmoTigJzigIzigIzigIzigIzigI3vu7/igI3i
gI3nlJ/lrZjnjq/looPigJ3mnInlhbPjgILlhbbov73msYLphpLnm67jgIHmlrDlpYfjgIHosJDo
sJHnrYnmlYjmnpznmoTnibnngrnvvIzigIzigIzigIzigIzigI3vu7/igIzigKzkuI7lubTovbvk
urrlvKDmiazkuKrmgKflkozmkJ7mgKrnmoTlv4PnkIbnm7jnrKbigIzigIzigIzigIzigI3vu7/i
gIzigKzjgIINCuihqOaDheWMheS5i+aJgOS7peiDveWkn+Wkp+iMg+WbtOWcsOS8oOaSre+8jOKA
jOKAjOKAjOKAjOKAje+7v+KArOKAjeaYr+WboOS4uuWFtuW8peihpeS6huaWh+Wtl+S6pOa1geea
hOaer+eHpeWSjOaAgeW6puihqOi+vuS4jeWHhuehrueahOW8seeCue+8jOacieaViOWcsOaPkOmr
mOS6huayn+mAmuaViOeOh+OAgumDqOWIhuihqOaDheWMheWFt+acieabv+S7o+aWh+Wtl+eahOWK
n+iDve+8jOKAjOKAjOKAjOKAjOKAje+7v+KAjeKAjei/mOWPr+S7peiKguecgeaJk+Wtl+aXtumX
tOKAjOKAjOKAjOKAjOKAje+7v+KAjOKAjOOAgumaj+edgOaZuuiDveaJi+acuueahOWFqOmdouaZ
ruWPiuWSjOekvuS6pOW6lOeUqOi9r+S7tueahOWkp+mHj+S9v+eUqO+8jOihqOaDheWMheW3sue7
j+mrmOmikeeOh+WcsOWHuueOsOWcqOS6uuS7rOeahOe9kee7nOiBiuWkqeWvueivneW9k+S4reOA
gg0K

------=_002_NextPart832058858335_=----
Content-Type: text/html;
	charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

=0A
=E8=A1=A8=E6=83=85=
=E5=8C=85=E6=96=87=E5=8C=96=EF=BC=8C=E6=98=AF=E9=9A=8F=E7=9D=80=E7=BD=91=
=E7=BB=9C=E7=A4=BE=E4=BA=A4=E6=B2=9F=E9=80=9A=E7=9A=84=E5=A2=9E=E5=A4=9A=
=E5=87=BA=E7=8E=B0=E7=9A=84=E4=B8=80=E7=A7=8D=E4=B8=BB=E6=B5=81=E6=96=87=
=E5=8C=96=E3=80=82=E4=B8=80=E4=B8=AA=E4=BA=BA=E7=9A=84=E8=A1=A8=E6=83=85=
=E5=8C=85=E6=98=AF=E5=85=B6=E9=9A=90=E8=97=8F=E8=B5=B7=E6=9D=A5=E7=9A=84=
=E7=9C=9F=E6=88=91=EF=BC=8C=E4=B8=80=E4=B8=AA=E5=9B=BD=E5=AE=B6=E7=9A=84=
=E8=A1=A8=E6=83=85=E5=8C=85=E9=87=8C=E8=83=BD=E7=9C=8B=E5=88=B0=E8=BF=99=
=E4=B8=AA=E5=9B=BD=E5=AE=B6=E7=9A=84=E8=A1=A8=E6=83=85=E3=80=82=E2=80=8C=
=E2=80=8C=E2=80=8C=E2=80=8C=E2=80=8D=E2=80=AC=E2=80=AC=E2=80=8C=E6=9C=89=
=E6=97=B6=E5=80=99=EF=BC=8C=E8=A1=A8=E6=83=85=E5=8C=85=E8=A1=A8=E8=BE=BE=
=E7=9A=84=E6=98=AF=E4=B8=8D=E8=83=BD=E9=81=93=E7=A0=B4=E7=9A=84=E7=9C=9F=
=E5=AE=9E=E6=83=B3=E6=B3=95=E5=92=8C=E6=84=9F=E5=8F=97=EF=BC=8C=E8=AF=AD=
=E8=A8=80=E5=92=8C=E6=96=87=E5=AD=97=E7=9A=84=E5=B0=BD=E5=A4=B4=EF=BC=8C=
=E5=B0=B1=E6=98=AF=E8=A1=A8=E6=83=85=E5=8C=85=E6=96=BD=E5=B1=95=E7=9A=84=
=E7=A9=BA=E9=97=B4=E3=80=82
=E8=A1=A8=E6=83=85=E5=8C=85=E6=98=AF=
=E7=BD=91=E7=BB=9C=E8=AF=AD=E8=A8=80=E7=9A=84=E4=B8=80=E7=A7=8D=E8=BF=9B=
=E5=8C=96=EF=BC=8C=E5=AE=83=E7=9A=84=E4=BA=A7=E7=94=9F=E5=92=8C=E6=B5=81=
=E8=A1=8C=E4=B8=8E=E5=85=B6=E7=89=B9=E5=AE=9A=E7=9A=84=E2=80=9C=E2=80=8C=
=E2=80=8C=E2=80=8C=E2=80=8C=E2=80=8D=EF=BB=BF=E2=80=8D=E2=80=8D=E7=94=9F=
=E5=AD=98=E7=8E=AF=E5=A2=83=E2=80=9D=E6=9C=89=E5=85=B3=E3=80=82=E5=85=B6=
=E8=BF=BD=E6=B1=82=E9=86=92=E7=9B=AE=E3=80=81=E6=96=B0=E5=A5=87=E3=80=81=
=E8=B0=90=E8=B0=91=E7=AD=89=E6=95=88=E6=9E=9C=E7=9A=84=E7=89=B9=E7=82=B9=
=EF=BC=8C=E2=80=8C=E2=80=8C=E2=80=8C=E2=80=8C=E2=80=8D=EF=BB=BF=E2=80=8C=
=E2=80=AC=E4=B8=8E=E5=B9=B4=E8=BD=BB=E4=BA=BA=E5=BC=A0=E6=89=AC=E4=B8=AA=
=E6=80=A7=E5=92=8C=E6=90=9E=E6=80=AA=E7=9A=84=E5=BF=83=E7=90=86=E7=9B=B8=
=E7=AC=A6=E2=80=8C=E2=80=8C=E2=80=8C=E2=80=8C=E2=80=8D=EF=BB=BF=E2=80=8C=
=E2=80=AC=E3=80=82
=E8=A1=A8=E6=83=85=E5=8C=85=E4=B9=8B=E6=89=80=
=E4=BB=A5=E8=83=BD=E5=A4=9F=E5=A4=A7=E8=8C=83=E5=9B=B4=E5=9C=B0=E4=BC=A0=
=E6=92=AD=EF=BC=8C=E2=80=8C=E2=80=8C=E2=80=8C=E2=80=8C=E2=80=8D=EF=BB=BF=
=E2=80=AC=E2=80=8D=E6=98=AF=E5=9B=A0=E4=B8=BA=E5=85=B6=E5=BC=A5=E8=A1=A5=
=E4=BA=86=E6=96=87=E5=AD=97=E4=BA=A4=E6=B5=81=E7=9A=84=E6=9E=AF=E7=87=A5=
=E5=92=8C=E6=80=81=E5=BA=A6=E8=A1=A8=E8=BE=BE=E4=B8=8D=E5=87=86=E7=A1=AE=
=E7=9A=84=E5=BC=B1=E7=82=B9=EF=BC=8C=E6=9C=89=E6=95=88=E5=9C=B0=E6=8F=90=
=E9=AB=98=E4=BA=86=E6=B2=9F=E9=80=9A=E6=95=88=E7=8E=87=E3=80=82=E9=83=A8=
=E5=88=86=E8=A1=A8=E6=83=85=E5=8C=85=E5=85=B7=E6=9C=89=E6=9B=BF=E4=BB=A3=
=E6=96=87=E5=AD=97=E7=9A=84=E5=8A=9F=E8=83=BD=EF=BC=8C=E2=80=8C=E2=80=8C=
=E2=80=8C=E2=80=8C=E2=80=8D=EF=BB=BF=E2=80=8D=E2=80=8D=E8=BF=98=E5=8F=AF=
=E4=BB=A5=E8=8A=82=E7=9C=81=E6=89=93=E5=AD=97=E6=97=B6=E9=97=B4=E2=80=8C=
=E2=80=8C=E2=80=8C=E2=80=8C=E2=80=8D=EF=BB=BF=E2=80=8C=E2=80=8C=E3=80=82=
=E9=9A=8F=E7=9D=80=E6=99=BA=E8=83=BD=E6=89=8B=E6=9C=BA=E7=9A=84=E5=85=A8=
=E9=9D=A2=E6=99=AE=E5=8F=8A=E5=92=8C=E7=A4=BE=E4=BA=A4=E5=BA=94=E7=94=A8=
=E8=BD=AF=E4=BB=B6=E7=9A=84=E5=A4=A7=E9=87=8F=E4=BD=BF=E7=94=A8=EF=BC=8C=
=E8=A1=A8=E6=83=85=E5=8C=85=E5=B7=B2=E7=BB=8F=E9=AB=98=E9=A2=91=E7=8E=87=
=E5=9C=B0=E5=87=BA=E7=8E=B0=E5=9C=A8=E4=BA=BA=E4=BB=AC=E7=9A=84=E7=BD=91=
=E7=BB=9C=E8=81=8A=E5=A4=A9=E5=AF=B9=E8=AF=9D=E5=BD=93=E4=B8=AD=E3=80=82

------=_002_NextPart832058858335_=------

 提取第一串base64解码，解密得到一段话，

表情包文化，是随着网络社交沟通的增多出现的一种主流文化。一个人的表情包是其隐藏起来的真我，一个国家的表情包里能看到这个国家的表情。‌‌‌‌‍‬‬‌有时候，表情包表达的是不能道破的真实想法和感受，语言和文字的尽头，就是表情包施展的空间。
表情包是网络语言的一种进化，它的产生和流行与其特定的“‌‌‌‌‍‍‍生存环境”有关。其追求醒目、新奇、谐谑等效果的特点，‌‌‌‌‍‌‬与年轻人张扬个性和搞怪的心理相符‌‌‌‌‍‌‬。
表情包之所以能够大范围地传播，‌‌‌‌‍‬‍是因为其弥补了文字交流的枯燥和态度表达不准确的弱点，有效地提高了沟通效率。部分表情包具有替代文字的功能，‌‌‌‌‍‍‍还可以节省打字时间‌‌‌‌‍‌‌。随着智能手机的全面普及和社交应用软件的大量使用，表情包已经高频率地出现在人们的网络聊天对话当中。

 

其中包含不可见字符，猜测零宽字符解密Unicode Steganography with Zero-Width Characters 

直接默认配置，解密得到密文

hurryup

 之后解码第二段密文，为quoted-printable，解密后与第一段完全相同。

解码第三段密文，为jpg图片的base64编码。

 010Editor解码后，拿到一张图片，Miss Spider's（怪吓人的）

 一段密文，一张图片，fuzz一下发现是OurSecret

拿到flag

flag{f3a5dc36-ad43-d4fa-e75f-ef79e2e28ef3}

JumpJumpTiger

ida打开，发现hint

int  main(int argc, const char **argv, const char **envp)
{
	int v4[100]; // [rsp+20h] [rbp-60h]
	int v5[101]; // [rsp+1B0h] [rbp+130h]
	int v6; // [rsp+344h] [rbp+2C4h]
	int v7; // [rsp+348h] [rbp+2C8h]
	int i; // [rsp+34Ch] [rbp+2CCh]

	printf("This is your hint!!!");
	v7 = 0;
	v6 = 0;
	for (i = 0; i <= 99; ++i)
	{
		if (i & 1)
			v4[v6++] = i;
		else
			v5[v7++] = i;
	}
	return 0;
}

大致意思是奇数位置和偶数位置分离。

010Editor打开查看到jump.exe里面含有大量疑似base64编码，并且在编码中可以搜索到两个=号，结合hint联想为两端编码奇偶交叉，提取出来进行分离。

file = open("in.txt")
file2 = open("out.txt","r+")
for line in file:
    tmp = line
    print(tmp)
    s = ''
    for i in range(len(tmp)):
        if i & 2 == 1:
        #if i % 2 == 1:
            s += tmp[i]
    file2.write(s)
    print(len(s))

 去除第一串末尾大量0，刚好拿到两串base64编码均以=号结尾。base64解码后拿到一张jpg图片一张png图片，两张图片几乎完全相同。

1.jpg

2.png

 直接尝试盲水印，以png作为加密图，jpg作为原图。

python3 b.py decode 1.jpg 2.png out.png

 拿到盲水印图，flag直接就写在上面。

flag{72f73bbe-9193-e59a-c593-1b1cb8f76714｝

where_can_find_code 

给了一个附件，名字叫code.asc，内容如下。

Where can find code?


format("Translate the letter J into I");
dpeb{e58ca5e2-2c51-4eef-5f5e-33539364deoa}

fuzz一下发现是wb隐写，提取出一段数字。

20810842042108421

只由01248组成，云隐密码，上网搜脚本。

def de_code(c):
    dic = [chr(i) for i in range(ord("A"), ord("Z") + 1)]
    flag = []
    c2 = [i for i in c.split("0")]
    for i in c2:
        c3 = 0
        for j in i:
            c3 += int(j)
        flag.append(dic[c3 - 1])
    return flag


def encode(plaintext):
    dic = [chr(i) for i in range(ord("A"), ord("Z") + 1)]
    m = [i for i in plaintext]
    tmp = [];
    flag = []
    for i in range(len(m)):
        for j in range(len(dic)):
            if m[i] == dic[j]:
                tmp.append(j + 1)
    for i in tmp:
        res = ""
        if i >= 8:
            res += int(i / 8) * "8"
        if i % 8 >= 4:
            res += int(i % 8 / 4) * "4"
        if i % 4 >= 2:
            res += int(i % 4 / 2) * "2"
        if i % 2 >= 1:
            res += int(i % 2 / 1) * "1"
        flag.append(res + "0")
    print("".join(flag)[:-1])



c = "20810842042108421"
t = de_code(c)
for i in t:
    print(i, end='')
# BINGO

得到密文BINGO，结合题目附件中

format("Translate the letter J into I");
dpeb{e58ca5e2-2c51-4eef-5f5e-33539364deoa}

联想Playfair Cipher，感谢雪姐姐提供的网站QAQ

拿到flag 

flag{f58dc5f2-2d51-4ffa-5a5f-33539364efbf}