CISCN初赛Misc
robot
翻流量包追踪tcp流,可以看到一些tgPos{}.value.[]样式的数据,后面的内容很明显是坐标
先把整个tcp流保存为txt,然后写个脚本把那些tgPos数据提取出来
f = open('1.txt', 'r')
fi = open('tgPos.txt', 'w')
while 1:
a = f.readline().strip()
if a:
for i in range(200):
if "tgPos{%d}"%(i) in a:
#b = a[a.find("tgPos") : a.rfind("0]") + 2]
fi.write(a[a.find("tgPos"):a.rfind("0]") + 2] + "\n")
else:
break
fi.close()得到一系列数据
tgPos{1}.Value.[27,36,0]
tgPos{2}.Value.[28,35,0]
tgPos{3}.Value.[29,35,0]
tgPos{4}.Value.[31,35,0]
tgPos{5}.Value.[32,35,0]
tgPos{6}.Value.[33,35,0]
tgPos{7}.Value.[35,35,0]
......坐标的最后一位都是0,所以是个平面,提取前两位画个图
from PIL import Image
flag = Image.new("RGB", (400, 400), (255, 255, 255))
f = open('tgPos.txt', 'r')
while 1:
a = f.readline().strip()
if a:
x = int(a[a.find('[') + 1 : a.rfind(',')].split(',')[0])
y = int(a[a.find('[') + 1 : a.rfind(',')].split(',')[1])
flag.putpixel((x, y), (0, 0, 0))
else:
break
flag.save("flag.png")
字符串求md5得到flag
CISCN{d4f1fb80bc11ffd722861367747c0f10}running_pixel
分离gif图,得到382张单独的图片
convert running_pixel.gif ./out/out.png在最后几张图中放大可以看到有一个像素点挡住了原本的图像,像素值为(0xe9, 0xe9, 0xe9),即233
写脚本遍历一下所有图片,把特定像素值的像素点画出来 由于题中给的是gif,分离出来的图片为P模式,所以在取像素之前要把它转换成RGB模式
from PIL import Image
out = Image.new('RGB', (400, 400), (0, 0, 0))
f = 0
for i in range(382):
f += 1
pic = Image.open("out-%d.png"%(i)).convert("RGB")
x = pic.size[0]
y = pic.size[1]
for xx in range(x):
for yy in range(y):
a = pic.getpixel((xx, yy))
if a == (233, 233, 233):
out.putpixel((yy, xx), (255, 255, 255))
#if f % 8 == 0:
out.save("%d.png"%(f))
out.save("flag.png")通过画出来的382张图,按照图片生成顺序,可以依次找到36个字符,构成uuid的格式,小写即为flag
CISCN{12504d0f-9de1-4b00-87a5-a5fdd0986a00}tiny traffic
导出http流有flag_wrapper,改后缀为gz能解压出来CISCN{}
还有两个br文件,其中test.br能解压出来
syntax = "proto3";
message PBResponse {
int32 code = 1;
int64 flag_part_convert_to_hex_plz = 2;
message data {
string junk_data = 2;
string flag_part = 1;
}
repeated data dataList = 3;
int32 flag_part_plz_convert_to_hex = 4;
string flag_last_part = 5;
}
message PBRequest {
string cate_id = 1;
int32 page = 2;
int32 pageSize = 3;
}https://cloud.tencent.com/developer/article/1510536 https://blog.csdn.net/mijichui2153/article/details/99585860
利用上面文章里提到的protoc把test文件编译为test_pb2.py,利用python把secret反序列化
import test_pb2
pb = test_pb2.PBResponse()
f = open('secret', 'rb').read()
pb.ParseFromString(f)
print(pb)
直接根据反序列化得到的内容一行一行搞一下
part1 hex(15100450) : 0xe66a22
part2 e2345
part3 7889b0
part4 hex(16453958) : 0xfb1146
part5 d172a38dc拼成完整flag
CISCN{e66a22e23457889b0fb1146d172a38dc}隔空传话
0011000D9开头编码,能搜到个PDU短信协议,在线网站解一下,前几行可以得到一些明文信息
hello,bob!what is the flag?
the first part of the flag is the first 8 digits of your phone number
那其他部分呢
看看你能从这些数据里发现什么?w465可以得知第一部分flag的为发送第一句对话的人的手机号的前八位
SMSC#
Receipient:+8615030442000
Validity:Rel 4d
TP_PID:00
TP_DCS:00
TP_DCS-popis:Uncompressed Text
No class
Alphabet:Default
hello,bob!what is the flag?
Length:27删去+86前八位为 15030442 从 http://www.sendsms.cn/pdu/ 提取出 pdu.js:https://paste.ubuntu.com/p/Z3hVKb5kbQ/ 写个脚本调用一下,按照时间顺序把png的十六进制还原
let { getPDUMetaInfo } = require('./pdu');
let fs = require('fs');
let data = fs.readFileSync('data.txt').toString();
let objs = []
for(let line of data.split('\n')) {
let meta = getPDUMetaInfo(line);
let body = meta.split('\n\n')[1].split('\n')[0]
let headers = meta.split('\n\n')[0].split('\n')
let datetime = headers[2].slice(headers[2].indexOf(':')+1);
let a = datetime.split(' ')[0].split('/');
let date = new Date(`20${a[2]}-${a[1]}-${a[0]} ${datetime.split(' ')[1]}`);
objs.push({date:date, body:body});
// console.log(.split('\n'))
}
let result = ''
for(let o of objs.slice(4)) {
result += o.body;
}
console.log(result)十六进制转成png
from binascii import unhexlify
with open('data', 'r') as f, open('a.png', 'wb') as img:
img.write(unhexlify(f.read()))得到的图片宽度不对,在最开始的消息中提到了w465,想到修改宽度为465,得到最后的图片
flag前八位为电话号前八位:15030442
CISCN{15030442_b586_4c9e_b436_26def12293e4}
![[2020西湖论剑]Misc-Yusapapa-Writeup](https://developer.qcloudimg.com/http-save/yehe-7648136/215d9800c9b069d4dcd1d3dd8275649d.png)
腾讯云开发者
