DamCTF CTF

rev/incomprehensible

#(lambda x:[([l.append((lambda n,u:(lambda f,*a:f(f,*a))((lambda r,i,u:i if i not in u else r(r,(i+1)%16,u+[i])),n%16,u))(c,l))for c in x[::-1]],l)for l in [[]]][0][1])(l[-1]))

import base64

# Fixed starting block of the chain. It is a hard-coded constant in the
# script, so it adds no secrecy to the output.
l = [b'CoOL N0nCE duD3!']


# Permutation ("key") that the lambda yields for block 0, i.e. from the nonce above:
#key : [1, 3, 4, 5, 6, 0, 7, 8, 14, 2, 15, 9, 12, 10, 11, 13]
# Base64 output of the challenge that has to be reversed:
#en_data : MUIiJmFxRyAnSUQmESoON0QbEy5Hf1EqB0NOFXNLTXleIzMSaRRYID8lcX4WA3RP

def padding_data_16(input_data):
    """Left-pad ``input_data`` to a multiple of 16 bytes and split it into blocks.

    The pad is prepended, not appended. It is the descending byte run
    ``n, n-1, ..., 1`` with ``n = 16 - len(input_data) % 16``, so an input
    whose length is already a multiple of 16 still gets a full 16-byte pad.

    Returns:
        A list of 16-byte ``bytes`` objects covering pad + input in order.
    """
    block = 16
    pad_len = block - len(input_data) % block
    prefix = bytes(range(pad_len, 0, -1))
    padded = prefix + input_data
    chunks = []
    for start in range(0, len(padded), block):
        chunks.append(padded[start:start + block])
    return chunks

# Read the candidate flag from stdin and cut it into left-padded 16-byte blocks.
data = padding_data_16(input().encode())

print(data)
for i, f in enumerate(data):
    # XOR block i with the previous output block (l[-1]; the nonce when i == 0),
    # read at the rotating offset (i + j + 9) % 16.
    v = [f[j]^l[-1][(i+j+1+(16//2))%16]for j in range(16)]   
    # Derive a permutation of 0..15 from that same previous block: its bytes
    # are taken last-to-first, each mapped to byte % 16, and a value already
    # used is bumped with (value + 1) % 16 until a free one is found.
    # The `l` inside the lambda is a fresh list bound by `for l in [[]]`; it
    # shadows the module-level `l` only within the lambda.
    key = (lambda x:[([l.append((lambda n,u:(lambda f,*a:f(f,*a))((lambda r,i,u:i if i not in u else r(r,(i+1)%16,u+[i])),n%16,u))(c,l))for c in x[::-1]],l)for l in [[]]][0][1])(l[-1])
    print(key)
    print(v)
    # Sorting the (value, key) pairs by key places v[j] at output index key[j].
    l.append(bytes([v[0]for v in sorted(zip(v, key), key=lambda x:x[1])]))

# NOTE(review): both the XOR data and the permutation come from the previous
# output block, and the first one is a constant, so the output alone is
# enough to undo every step. This is an encoding, not keyed encryption.
print(l)
# The result is every output block except the nonce, concatenated and base64-encoded.
data_ = b''.join(l[1:])
data_ = base64.b64encode(data_)
print(data_)

需要根据输出结果逆向还原输入:MUIiJmFxRyAnSUQmESoON0QbEy5Hf1EqB0NOFXNLTXleIzMSaRRYID8lcX4WA3RP。每一组的置换 key 和异或数据都只取决于上一组输出(第一组取决于固定的 nonce),所以仅凭这段输出就能逐组还原。

import base64

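# Constant starting block from the challenge script. Every later key is
# derived from ciphertext, so no secret is needed to reverse the output.
l = [b'CoOL N0nCE duD3!']

data = "MUIiJmFxRyAnSUQmESoON0QbEy5Hf1EqB0NOFXNLTXleIzMSaRRYID8lcX4WA3RP"


def derive_key(prev_block):
    """Rebuild the challenge's permutation from the previous output block.

    Readable equivalent of the nested lambda in the challenge script: walk
    the bytes last-to-first, map each to slot ``byte % 16`` and, when that
    slot is already used, probe ``(slot + 1) % 16`` until a free one is found.
    For the nonce this yields
    [1, 3, 4, 5, 6, 0, 7, 8, 14, 2, 15, 9, 12, 10, 11, 13].

    Args:
        prev_block: the 16-byte block preceding the one being decoded.

    Returns:
        A list of 16 distinct ints in 0..15.
    """
    slots = []
    for byte in prev_block[::-1]:
        slot = byte % 16
        while slot in slots:
            slot = (slot + 1) % 16
        slots.append(slot)
    return slots


redata = base64.b64decode(data)
blocks = [redata[16 * j: 16 * (j + 1)] for j in range(len(redata) // 16)]

# Block j was permuted with the key derived from output block j-1 (the nonce
# for j == 0). All of those are known up front, so the keys are computed here
# instead of being pasted in by hand, and any number of blocks is handled.
keys = [derive_key(prev) for prev in [l[0]] + blocks[:-1]]

# Undo the permutation: the encoder wrote v[j] to output index key[j].
resort_data = []
for block, key in zip(blocks, keys):
    resort_data.extend(block[key[j]] for j in range(16))
print(resort_data)


#length = 41

# Split into groups of 16.
grouped_data = [resort_data[16 * i: 16 * (i + 1)] for i in range(len(resort_data) // 16)]

plaintext = b''
for i, group in enumerate(grouped_data):
    #print(i)
    print(group)
    # Undo the XOR with the previous output block at offset (i + j + 9) % 16.
    v = [group[j]^l[-1][(i+j+1+(16//2))%16]for j in range(16)]
    key = keys[i]
    print(key)
    # Extend the chain with this ciphertext block so the next group XORs against it.
    l.append(blocks[i])
    print(bytes(v))
    plaintext += bytes(v)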

#dam{i_tHink_1_prEf3r_4_l00p5_m0r3_d0nt_U}

rev/take-a-look

对 chal 文件进行 base64 解码(base64 只是编码,不是加密),得到如下脚本:

# Lookup alphabet: the identifiers below are assembled by indexing into it,
# so the words never appear literally in the script text.
data1 = "nDUGiXrVkuFseqMTCHwphAaoWfIEPNzJRSlbmjxBZgLOKtyvQYdc./1234567890?-"
# -> "txt"
txt = (data1[45] + data1[38] + data1[45])
# -> "book"
book = data1[35] + data1[23] + data1[23] + data1[8]
# -> "utf8"
utf8 = data1[9] + data1[45] + data1[25] + data1[61]
# -> "GetByTeS"
GetByTeS = data1[3] + data1[12] + data1[45] + data1[39] + data1[46] + data1[15] + data1[12] + data1[33]
# -> "out"
out = data1[23] + data1[9] + data1[45]
# The wildcard pattern matches Get-Content: reads .\book\0.txt as one raw string (the plaintext).
data10 = &(Get-Command g????o????T*) .\\book\\0.txt -Raw
data8 = data10
# Plaintext as UTF-8 bytes.
data16 = [system.Text.Encoding]::utf8.GetByTeS(data8)
# -> "password", repeated 4 times. Not referenced again in this listing;
# presumably a decoy (the AES key below comes from data7).
password = data1[19] + data1[22] + data1[11] + data1[11] + data1[18] + data1[23] + data1[6] + data1[50]
password = password * 4
# The wildcard pattern matches Get-Random: 4 letters drawn from A-Z/a-z, joined and
# repeated 8 times, giving a 32-character string. Only the 4-letter chunk is random.
data7 = -join ((65..90)+(97..122) | &(Get-Command g????????m) -Count 4 | % {[char]$_}) * 8
data9 = data7
# IV: the characters with codes 65..80, i.e. "ABCDEFGHIJKLMNOP".
data5 = [system.Text.Encoding]::utf8.GetByTeS(-join ((65..80) |  % {[char]$_})) 
# AES key: the 32 bytes of data7.
data18 = [system.Text.Encoding]::utf8.GetByTeS(data9)
# The wildcard pattern matches New-Object: creates an AesManaged instance.
# Mode and Padding are not set anywhere in this listing, so the class defaults apply.
data19 = &(Get-Command ??w-??j???) System.Security.Cryptography.AesManaged
data19.Key = data18
data19.IV = data5
data6 = data19.CreateEncryptor(data18, data5)
# New-Object again (different wildcard patterns): a MemoryStream wrapped in a write-mode CryptoStream.
data11 = &(Get-Command ??W?????c?) -TypeName System.IO.MemoryStream
data17 = &(Get-Command n??????E??) -TypeName System.Security.Cryptography.CryptoStream -ArgumentList @(data11, data6, \'Write\')
data17.Write(data16, 0, data16.Length)
data17.FlushFinalBlock()
# Ciphertext bytes, then their base64 text.
book0 = data11.ToArray()
data12 = [convert]::ToBase64String(book0)
# The wildcard pattern matches Write-Output; the quote-split name is Out-File.
# The base64 ciphertext is written to .\book\out.
# NOTE(review): resolving cmdlets through Get-Command wildcards and splitting
# names with empty quotes keeps the cmdlet names out of the script text, so a
# literal string match on those names will not find them.
&(Get-Command ??i?????t???) data12 | O\'\'u""t\'\'-F""i\'\'l""e -FilePath .\\book\\out

data7(即 AES key)是随机生成的:从 52 个大小写字母中随机取 4 个,再重复 8 次得到 32 字节,密钥空间至多 52^4 ≈ 7.3×10^6,所以需要爆破 key,而且完全可行。

image-20240411232251436

data19IV -> ABCDEFGHIJKLMNOP

加密算法为 AES -> System.Security.Cryptography.AesManaged。脚本没有设置 Mode 和 Padding,因此使用 .NET 的默认值 CBC + PKCS7,解密时对应 AES.MODE_CBC。

from Crypto.Cipher import AES
from hexdump import hexdump
import base64

# IV fixed by the encryptor script: the characters with codes 65..80.
iv = b'ABCDEFGHIJKLMNOP'
# Recovered key for this ciphertext: one 4-letter chunk repeated 8 times (32 bytes).
key = b'jwCUjwCUjwCUjwCUjwCUjwCUjwCUjwCU'
file = b'cipher_no_ciphering.enc'

# The encryptor stored the ciphertext as base64 text, so decode before decrypting.
with open(file, 'rb') as src:
    enc = src.read()
data = base64.b64decode(enc)

# CBC has no integrity check: a wrong key still "decrypts", it just yields
# garbage, so the result has to be judged by its content. decrypt() also
# leaves any padding bytes at the end of aesdata.
cipher = AES.new(key, AES.MODE_CBC, iv)
aesdata = cipher.decrypt(data)

hexdump(aesdata)

with open('cipher_no_ciphering.dec', 'wb') as dst:
    dst.write(aesdata)
00000000: 38 20 32 20 32 39 20 31  32 20 36 37 33 20 31 39  8 2 29 12 673 19
00000010: 20 36 20 31 32 34 20 34  36 34 20 32 20 31 34 20   6 124 464 2 14
00000020: 32 31 31 20 31 33 20 31  39 20 32 30 20 38 37 20  211 13 19 20 87
00000030: 39 30 20 31 20 31 39 20  32 30 20 32 37 20 31 31  90 1 19 20 27 11
00000040: 30 20 32 30 20 37 20 36  20 32 31 31 20 31 32 36  0 20 7 6 211 126

8 2 29 12 673 19 6 124 464 2 14 211 13 19 20 87 90 1 19 20 27 110 20 7 6 211 126

flag 应以 dam{ 开头;据此手动查了一下,17.dec 满足条件。

txtdata = "Ihaveanidea.{Flashforwardintime.VanessaisabouttoboardaplanewhichhasalltheRosesonboard.VANESSA:VanessaBloome,FTD.{Holdsoutbadge}:Officialfloralbusiness.It'sreal.SECURITYGUARD:Sorry,ma'am.Nicebrooch.=VANESSA==Thankyou.Itwasagift.{Barryisrevealedtobehidinginsidethebrooch}{FlashbackintimeandBarryandVanessaarediscussingtheirplan}BARRY:Onceinside,wejustpicktherightfloat.VANESSA:HowaboutThePrincessandthePea?:Icouldbetheprincess,andyoucouldbethepea!BARRY:Yes,Igotit.:-WhereshouldIsit?GUARD:-Whatareyou?BARRY:-IbelieveI'mthepea.GUARD:-Thepea?VANESSA:Itgoesunderthemattresses.GUARD:-Notinthisfairytale,sweetheart.-I'mgettingthemarshal.VANESSA:Youdothat!Thiswholeparadeisafiasco!:Let'sseewhatthisbaby'lldo.{Vanessadrivesthefloatthroughtraffic}GUARD:Hey,whatareyoudoing?!BARRY==Thenallwedoisblendinwithtraffic...:...withoutarousingsuspicion.:Onceattheairport,there'snostoppingus.{FlashforwardintimeandBarryandVanessaareabouttogetonaplane}SECURITYGUARD:Stop!Security.:-Youandyourinsectpackyourfloat?VANESSA:-Yes.SECURITYGUARD:Hasitbeeninyourpossessiontheentiretime?VANESSA:-Yes.SECURITYGUARD:Wouldyouremoveyourshoes?{ToBarry}-Removeyourstinger.BARRY:-It'spartofme.SECURITYGUARD:Iknow.Justhavingsomefun.Enjoyyourflight.{BarryplottingwithVanessa}BARRY:Thenifwe'relucky,we'llhavejustenoughpollentodothejob.{FlashforwardintimeandBarryandVanessaareflyingontheplane}Canyoubelievehowluckyweare?Wehavejustenoughpollentodothejob!VANESSA:Ithinkthisisgonnawork.BARRY:It'sgottowork.CAPTAINSCOTT:{Onintercom}Attention,passengers,thisisCaptainScott.:WehaveabitofbadweatherinNewYork.:Itlookslikewe'llexperienceacouplehoursdelay.VANESSA:Barry,thesearecutflowerswithnowater.They'llnevermakeit.BARRY:Igottagetupthereandtalktothem.VANESSA==Becareful.{Barryfliesrightoutsidethecockpitdoor}BARRY:CanIgethelpwiththeSkyMallmagazine?I'dliketoorderthetalkinginflatablenoseandearhairtrimmer.{TheflightattendantopensthedoorandwalksoutandBarryfliesintothecockpitunseen}BARRY:Captain,I'minarealsituation.CAPTAINSCOTT:-What'dyou
say,Hal?CO-PILOTHAL:-Nothing.{ScottnoticesBarryandfreaksout}CAPTAINSCOTT:Bee!BARRY:No,no,no,Don'tfreakout!Myentirespecies...{CaptainScottgetsoutofhisseatandtriestosuckBarryintoahandheldvacuum}HAL:{ToScott}Whatareyoudoing?{BarrylandsonHalshairbutScottseeshim.HetriestosuckupBarrybutinsteadhesucksupHalstoupee}CAPTAINSCOTT:Uh-oh.BARRY:-Waitaminute!I'manattorney!HAL:{Haldoesn'tknowBarryisonhishead}-Who'sanattorney?CAPTAINSCOTT:Don'tmove.{ScotthitsHalinthefacewiththevacuuminanattempttohitBarry.HalisknockedoutandhefallsontheliferaftbuttonwhichlaunchesaninfalatableboatintoScott,whogetsknockedoutandfallstothefloor.Theyarebothuncounscious.}BARRY:{Tohimself}Oh,Barry.BARRY:{Onintercom,withaSouthernaccent}Goodafternoon,passengers.Thisisyourcaptain.:WouldaMissVanessaBloomein24Bpleasereporttothecockpit?{Vanessalooksconfused}{Normalaccent}...Andpleasehurry!{Vanessaopensthedoorandseestheliferaftandtheuncounsciouspilots}VANESSA:Whathappenedhere?BARRY:Itriedtotalktothem,butthentherewasaDustBuster,atoupee,aliferaftexploded.:Nowone'sbald,one'sinaboat,andthey'rebothunconscious!VANESSA:...Isthatanotherbeejoke?BARRY:-No!:Noone'sflyingtheplane!BUDDITCHWATER:{Throughradioonplane}ThisisJFKcontroltower,Flight356.What'syourstatus?VANESSA:ThisisVanessaBloome.I'mafloristfromNewYork.BUD:Where'sthepilot?VANESSA:He'sunconscious,andsoisthecopilot.BUD:Notgood.Doesanyoneonboardhaveflightexperience?BARRY:Asamatteroffact,thereis.BUD:-Who'sthat?BARRY:-BarryBenson.BUD:Fromthehoneytrial?!Oh,great."
# Book-cipher lookup: each number from the decrypted file is a character
# offset into txtdata.
key = [8,2,29,12,673,19,6,124,464,2,14,211,13,19,20,87,90,1,19,20,27,110,20,7,6,211,126]

# map() is lazy, so characters are emitted one at a time, as in a plain index loop.
for ch in map(txtdata.__getitem__, key):
    print(ch, end='')

#dam{LongWalkForAShortDrink}

rev/your-wiSSH-is-my-Command

咕咕咕咕……….. 等我最近把安卓搞一下然后再来补一下,hhhhh