- 取得連結
- 以電子郵件傳送
- 其他應用程式
題目包
我覺得這題應該不難
因此跟隊友說去找goldwave
之後他們就解出來了~Carry
主要的觀念是這個 雙音多頻
(細節因為不是我做的 所以有空補上)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjY9FPyWQvOcMNmO6t_B96L3-HnRjqT0fnEmfgV7UfeBLkObZqyNE-te8e4na6MKuCNHwYVGWKTY4VFqNQOseL2K0t1Jy0_e9-zCX5Nqoy3m04SHLFPYG3j2k8CR13CaJ0YIBHppKvhYRL7/s400/407A25A2-C77B-4A67-9C0C-54B6CB749D07.png)
可以看到xray跟一些看不懂的亂碼
我馬上想到xor加密的可能(AIS3回憶模式
xortool flag
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiC8Dm5qZhwKMoqCk6PG3c95YSGiM1PUxY_byO734D0FGmp_NAhZ1BILTyjkUlnKQqQRN_6jOsrGXMazgpE-BG4Cb1tYQ5dI9911Gg-H4zyAfzr2ir0fZfb4iCYsJCBJNwPghcN_-__B4NQ/s400/E8A1E21F-5080-48B3-AA3D-130E530D851F.png)
果不其然有機會
xortool -l 4 -c '\x00' flag
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7L1NTBKnT9NeswYjqnkKZ2JU96ecwemvXeM1K31gfq6bUg8RH9yBSVYv4iWk9zBZnrkotA_j1aZXpVNSovDiiCSu9ViVW5VxGsi_UAqTLTcIW0ouMUJsnc2e3FH1dWKG0rj9aY5QcxkMh/s400/F4516F21-9B09-4D92-8BE3-30D8278950EE.png)
看起來圖片的key是xray...鳥到炸掉...
file 0.out
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6i3dSv6Q6U3CD7kMAzCmniMlqKP6qrF9pA36_C2K6uDe7eYfW0pSICwZo2J9k79KQ35Jizonv-RqPOtPgeLTAbZs31DInx1f1q6Ld0M5zRzHiCJkMWMOBJwI7qpKjOva_7vpKanKv0RFn/s400/5B1646EF-E23C-4C9E-8079-2900F9517D9F.png)
是一個壓縮檔
tar -xf 0.out
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnve_nxMT4297hUQg2G_q7XApF-UP5ojab1c-brxjy2dFKmPNtAfopo-WWjFy6LMBT8kUGSC6B62SYD5YFZML0hiJuCye7Pa-cLECmmFE1b2-Frx_SjT8Ew_lfG8qjB0_1tNo3AkSAhtSy/s400/E5A94CDF-6DB7-476A-AD66-014EFB59209D.png)
跳出一個flags資料夾?!
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZbb_Mo360U1cG1qanB2t_x20VskcES1uLECqpW_agG_fG9QJfCSip88K0-E7MMA6PthRuDJ-tdF7mA841wyY8sXPmcKftI5-5u1Il6e9JJjtM7VsXEcr5y_bGvvpIhA5DInkNtJt-hVC0/s400/294C57F4-0A19-47A6-AE40-84777D412BC0.png)
裡面有新提示
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRnRPzBsgSVkb9G2VxBrT0aHO73YKB-n9AjKd5tfvbrhctrWeIIH-76pAw7BLT_G-G5EVvdUsLtAc_VAuJKPYB6U5K8oXPdK_6zl7MDPUIjnLwTblW9rHhR2Byc9xU1NVdoMEP67eBlgXH/s400/9D828827-328D-47BA-A2E5-EC394E2E7308.png)
還是沒有什麼頭緒...
strings THE-WORLD-FLAG.jpg | more
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3E2kWI7jUq-kETBR9wgXcpG6Za2fEF3VEAJ7baiWbtSCxomt31WOKaNZ6fK4742t5OYNWdL4CscKwCpvNfL5utBdOVnWDaGhZ7N8t0WEd6WtuEJdNoOs3xihZuO2soej46ZNgy7Y0nlGd/s400/A0A8A6AE-7C6F-4D45-852D-793F9CB7D3A3.png)
The flag is : kidsarehappynow
1.音訊題
我覺得這題應該不難
因此跟隊友說去找goldwave
之後他們就解出來了~Carry
主要的觀念是這個 雙音多頻
(細節因為不是我做的 所以有空補上)
2.圖片題
strings flag![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjY9FPyWQvOcMNmO6t_B96L3-HnRjqT0fnEmfgV7UfeBLkObZqyNE-te8e4na6MKuCNHwYVGWKTY4VFqNQOseL2K0t1Jy0_e9-zCX5Nqoy3m04SHLFPYG3j2k8CR13CaJ0YIBHppKvhYRL7/s400/407A25A2-C77B-4A67-9C0C-54B6CB749D07.png)
可以看到xray跟一些看不懂的亂碼
我馬上想到xor加密的可能(AIS3回憶模式
xortool flag
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiC8Dm5qZhwKMoqCk6PG3c95YSGiM1PUxY_byO734D0FGmp_NAhZ1BILTyjkUlnKQqQRN_6jOsrGXMazgpE-BG4Cb1tYQ5dI9911Gg-H4zyAfzr2ir0fZfb4iCYsJCBJNwPghcN_-__B4NQ/s400/E8A1E21F-5080-48B3-AA3D-130E530D851F.png)
果不其然有機會
xortool -l 4 -c '\x00' flag
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7L1NTBKnT9NeswYjqnkKZ2JU96ecwemvXeM1K31gfq6bUg8RH9yBSVYv4iWk9zBZnrkotA_j1aZXpVNSovDiiCSu9ViVW5VxGsi_UAqTLTcIW0ouMUJsnc2e3FH1dWKG0rj9aY5QcxkMh/s400/F4516F21-9B09-4D92-8BE3-30D8278950EE.png)
看起來圖片的key是xray...鳥到炸掉...
file 0.out
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6i3dSv6Q6U3CD7kMAzCmniMlqKP6qrF9pA36_C2K6uDe7eYfW0pSICwZo2J9k79KQ35Jizonv-RqPOtPgeLTAbZs31DInx1f1q6Ld0M5zRzHiCJkMWMOBJwI7qpKjOva_7vpKanKv0RFn/s400/5B1646EF-E23C-4C9E-8079-2900F9517D9F.png)
是一個壓縮檔
tar -xf 0.out
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnve_nxMT4297hUQg2G_q7XApF-UP5ojab1c-brxjy2dFKmPNtAfopo-WWjFy6LMBT8kUGSC6B62SYD5YFZML0hiJuCye7Pa-cLECmmFE1b2-Frx_SjT8Ew_lfG8qjB0_1tNo3AkSAhtSy/s400/E5A94CDF-6DB7-476A-AD66-014EFB59209D.png)
跳出一個flags資料夾?!
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZbb_Mo360U1cG1qanB2t_x20VskcES1uLECqpW_agG_fG9QJfCSip88K0-E7MMA6PthRuDJ-tdF7mA841wyY8sXPmcKftI5-5u1Il6e9JJjtM7VsXEcr5y_bGvvpIhA5DInkNtJt-hVC0/s400/294C57F4-0A19-47A6-AE40-84777D412BC0.png)
裡面有新提示
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRnRPzBsgSVkb9G2VxBrT0aHO73YKB-n9AjKd5tfvbrhctrWeIIH-76pAw7BLT_G-G5EVvdUsLtAc_VAuJKPYB6U5K8oXPdK_6zl7MDPUIjnLwTblW9rHhR2Byc9xU1NVdoMEP67eBlgXH/s400/9D828827-328D-47BA-A2E5-EC394E2E7308.png)
還是沒有什麼頭緒...
strings THE-WORLD-FLAG.jpg | more
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3E2kWI7jUq-kETBR9wgXcpG6Za2fEF3VEAJ7baiWbtSCxomt31WOKaNZ6fK4742t5OYNWdL4CscKwCpvNfL5utBdOVnWDaGhZ7N8t0WEd6WtuEJdNoOs3xihZuO2soej46ZNgy7Y0nlGd/s400/A0A8A6AE-7C6F-4D45-852D-793F9CB7D3A3.png)
The flag is : kidsarehappynow
3.密碼題
拿到一個exe檔 解壓縮看看![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiG4rarGJBvQdX_WEH_R6jPJcD59Swz5CdX93sShaLXXKWAwCfLHH0sMzOMGXhI5okUmc3ixOP5CnDNSD5AS4gNf2skdnxrYwUGqOgqQTtyHroAaHphkoizdZGxqH0mwXAcMIeZSfNzJ-lc/s320/DF9E2B9A-852B-4A1F-BD1B-0EC88CD20462.png)
竟然噴出class了...
拿jd-gui反組譯
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-JYOjAZuhiHZJafbnAKmrQNq5agtX0ZEUbTuA1hfd80KK7iUYSB0shC1X8eoIKxyqZ0Hpk9oU-FVNB9sE9_gJd_sHrgP2NzL6TBXy5ONARHiv1o5k13_SOCA4OnOF6ECZRn1VLMY67l30/s320/038BD1A8-58EA-45A5-BD06-53FF70FAF049.png)
得到了key:rup2jp4ru;3
拿去AES Online Decryption
<~<+ohcAo(mg+DGm>3Zq!:@;R-.FE2;;B-:Yp@psM$AKXPlG%De*AS#a%G@b2u/g*_.@;R-!ARTUqATMo8@V'%XF`V+:8LJ[m+C\nnDBNA"Ea`Zm/g*_.@;R-2Bldi.@V'%XF`V+:8LJ[m+C\nnDBNP0Des-/BJ'~>
得到一個沒看過特徵的編碼
(比賽只做到這邊)
賽後帥帥的工程師說是ASCII 85(崩潰這三小
拿去Online ASCII85 decoder
The flag is : I am strong because I've been weak. I am fearless because I've been afraid. I am wise because I've been foolish.
4. 看似web題
但其實一點都不web頁面大概是長這樣
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5mOWZQ1QVqyawzz7yPUcj3BOVBVH2-llfkpQZuIw4W6jfPVouUUeDZjFFs3H973lHlky9xYJ2B9NNwWNsbkUFjebHQgsy37mHCj4y2eQiudjvKSOUuqQEapNnjo20NTPtL9_8qKJiusi9/s400/AD937665-715E-4C71-9916-91A61A0309EF.png)
先把上面的code複製起來
fzrXUuE4g5QSkctD/2zACNNJXSNFTez4hOUnZ6rPioo=
打開開發工具
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLjjDEbqQ_W7VFhHVxJPPutyxYTGxLBOONQdqYV2vHCDWOYs7AoPqINAwUmhOU2xoxk12PnS-ry91eN3VlO9Mj0PyFQAA_jVMVx12QTtkGH1-Y0aWWQbLTcs70wZwssHJc5MmCG8fMatnM/s400/F32FFAAB-9113-4E7A-913D-10BC1664499E.png)
藏了一張圖片和一個Msg.class.bak
先看圖片
strings 3DNA.jpg
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhp8LBbFr_r49IT3R9xZPmDvqjfPvfd9yf0XoQwy2yj9UpUnVDRX0eOlNSnQxtwAIX9nIHF6xC2oqyWEIX_06OHETprd-EPoxeWH_Tllxo1HScAIqHn3XgLnUheLV2ViLUKUVadJbYDRf5C/s400/14B9D2AA-8F40-4401-99F9-1FDAC25AFE29.png)
發現一個JS 二話不說丟給瀏覽器
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtnAD0_Tiu48xFWYzf-yJF7GdgvQxNeRT3vTx5hjfTE8vevteXR4bi1jj9Ykncp3pAR18DXrct_8UPGaXnyUSLKTGiDefM5moVxMeuPoEq7dLPWuFVBOtDnustmdb1nkw__QctIouCjl92/s320/A9253E47-56EF-4E55-829E-C17017EC96E2.png)
噴出了key A19B06074809AC0DBE0F378102E5C405
在看MSG.class
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLwL4JlAMu2XlsGng6dUIW8bqI_5eYxnvfvlrp5f2sZaI5tmgkNDzgt7zsyB2KdIculDIMtrJMhOoBqMtBJooupUc-miEuJ-b12uOS4ksDbVwuNxPNil-5Uvjc97UwXeT9JuUp0gJuose-/s320/7F5C320C-3541-43F5-BA5C-2AB8A587A4C0.png)
可以看到只是先AES在base64
把加密步驟反過來做
decode base64 decode aes 就可以得到
the flag is plumageofPttisAshin
比賽的時候被online tool雷到
解出來的flag後面被截斷-.-
以上四題就是我們隊伍有解出來的題目
後面的題目雖然都有嘗試一下
不過都沒能順利地解開
之後如果有空
會把每一題解開
並補上writeup!
留言
張貼留言