ctf-misc-practice

#0x00 Preface

Over the past year the domestic xctf has attracted a lot of security enthusiasts (dog), security professionals, and newbies like me who may or may not count as having gotten started.
I took part in a few contests this month; summed up in four words: sign in, read problems.
Next I want to write a series about how I improve and how I grow, so let's start with MISC. I'll grind through every problem the way people grind ACM...
Of course I will refer to the solutions of the masters and cite the sources.

#0x01 Contents

Each MISC problem involves one or more knowledge points; I will categorize and summarize the problems I have done here.

  • File systems
  • Using Wireshark
  • Image binaries

#0x02 Problem review

Pico Ctf 2013/Failure to Boot: 20

Problem description:

After opening the robot's front panel and looking inside, 
you discover a small red button behind a tangle of wires. 
Pressing the button lights up the robot's primary screen. 
It glows black and quickly flashes blue. A line of small text types out: 
ERROR: 0x00000023 

The text refreshes and displays the prompt: 
FILE SYSTEM RECOVERY INITIATED... 
FILE SYSTEM COULD NOT BE IDENTIFIED... 
PLEASE ENTER FILE SYSTEM FORMAT:

The answer is a file system type; searching Baidu for "file system ERROR: 0x00000023" finds it (0x23 is the Windows stop code FAT_FILE_SYSTEM, so the "blue" flash is a BSOD).
Answer: FAT

File system background: http://en.wikipedia.org/wiki/File_system
Reference: https://picoctf.wordpress.com/tag/failure-to-boot-20/

Pico Ctf 2013/Second Contact: 85

Problem description:

As you're bumming around the Kuiper Belt, 
you catch an incoming transmission[1] from a distant source. 
They seem to be scanning the area, looking for something... 
Maybe you should try to find it first. 
This trace file is also available in cloudshark here[2]

[1]https://2013.picoctf.com/problems/kuiper.pcap 
[2]www.cloudshark.org/captures/f0741cdfee53

Open it in Wireshark: more than a thousand packets. Filter on http and packet No.609 turns out to be a GET request; joining the Host header and the request path gives
www.bing.com/search?q=smashing+the+stack+for+fun+and+profit&form=MOZSBR&pc=MOZI
The search result is the paper Smashing The Stack For Fun And Profit.
The key is the paper's author, Aleph One.
P.S. I'm actually still not clear why the key is the author (@_@); also, this paper is well worth reading, marking it.
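The same extraction done without Wireshark, as an added example that is not part of the write-up or of picoCTF: a pure-Python reader for classic pcap files that walks the Ethernet/IPv4/TCP headers by hand and reports every frame carrying an HTTP request line together with its Host + path, which is exactly what was pieced together from packet No.609 above. The capture it parses is constructed in-line so it runs offline; the IP addresses, ports and three-frame handshake are made up, and the query string only mimics the one found in kuiper.pcap.

```python
import re
import struct

PCAP_GLOBAL_HEADER_LEN = 24
PCAP_RECORD_HEADER_LEN = 16
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]\r\n")


def _pcap_endianness(pcap):
    """Classic pcap magic tells us the byte order of every record header."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        return "<"
    if magic == b"\xa1\xb2\xc3\xd4":
        return ">"
    raise ValueError("not a classic pcap (nanosecond pcap and pcapng are not handled)")


def iter_frames(pcap):
    """Yield (frame_no, raw_frame); frame_no matches Wireshark's No. column (1-based)."""
    endian = _pcap_endianness(pcap)
    linktype = struct.unpack(endian + "I", pcap[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    off, frame_no = PCAP_GLOBAL_HEADER_LEN, 0
    while off + PCAP_RECORD_HEADER_LEN <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += PCAP_RECORD_HEADER_LEN
        frame_no += 1
        yield frame_no, pcap[off:off + incl_len]
        off += incl_len


def tcp_payload(frame):
    """Return (src_ip, dst_ip, dst_port, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_TCP:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    dport = struct.unpack("!H", tcp[2:4])[0]
    thl = (tcp[12] >> 4) * 4                      # TCP data offset in bytes
    return src, dst, dport, tcp[thl:]


def extract_http_requests(pcap):
    """Return [(frame_no, src_ip, dst_ip, host_plus_path)] for frames with an HTTP request line."""
    found = []
    for frame_no, raw in iter_frames(pcap):
        parsed = tcp_payload(raw)
        if parsed is None:
            continue
        src, dst, _dport, payload = parsed
        m = REQUEST_LINE.match(payload)
        if not m:
            continue
        host = b"?"
        for line in payload.split(b"\r\n")[1:]:   # headers follow the request line
            if line.lower().startswith(b"host:"):
                host = line.split(b":", 1)[1].strip()
                break
        found.append((frame_no, src, dst, (host + m.group(2)).decode("ascii", "replace")))
    return found


def _ipv4_tcp_frame(src, dst, sport, dport, flags, payload):
    """Build one Ethernet/IPv4/TCP frame; checksums stay zero because the parser ignores them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split("."))) + tcp
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip


def build_sample_pcap():
    """Constructed capture (assumed addresses/ports): SYN, SYN/ACK, then the GET."""
    get = (b"GET /search?q=smashing+the+stack+for+fun+and+profit HTTP/1.1\r\n"
           b"Host: www.bing.com\r\n\r\n")
    frames = [
        _ipv4_tcp_frame("10.0.0.5", "203.0.113.7", 40000, 80, 0x02, b""),   # SYN
        _ipv4_tcp_frame("203.0.113.7", "10.0.0.5", 80, 40000, 0x12, b""),   # SYN/ACK
        _ipv4_tcp_frame("10.0.0.5", "203.0.113.7", 40000, 80, 0x18, get),   # PSH/ACK + request
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for frame_no, src, dst, url in extract_http_requests(build_sample_pcap()):
        print(f"No.{frame_no} {src} -> {dst}: {url}")
```

To run it on the real capture, replace `build_sample_pcap()` with the bytes of kuiper.pcap; only classic pcap with Ethernet framing is handled, and TCP segments are not reassembled, so a request line split across segments would be missed (Wireshark's `http` filter reassembles by default).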

Reference: https://github.com/innoying/hydrantlabs.org/blob/master/content/Security/picoCTF/2013/Second%20Contact/index.jade

Pico Ctf 2013/Black Hole: 115

Problem description:

Near the galactic core, you find a beacon indicating that an ancient civilization 
hid one of their worlds within a nearby black hole[1]. 
Is this what passes for intergalactic humor, or is there actually something in there?

The disk image can be found on the shell machines at /problems/blackhole.img 
and the contents of the image are available in /problems/blackhole/
Hint: ls -b will help you get past the first hurdle. Good luck and godspeed. 

[1]https://2013.picoctf.com/problems/blackhole.img

First we get a Linux disk image; mount it.
Then list its files: ls -b prints non-printable characters in file names as C-style escapes (octal \ooo), which is how the hidden directory name becomes visible.
Inside it we find masked_key.png, which will not open; looking at the hex, the end of the file repeats
EVENT HORIZON EVENT HORIZON, which suggests an XOR mask (I still don't know why),
and finally Python restores it.

```bash
# Mount the image and walk into the hidden directory. Its name contains
# non-printable bytes, so ls -b is needed to see it and cd * to enter it.
$ sudo mount blackhole.img /mnt/
$ cd /mnt/
$ cd singularity/
$ ls -b
$ cd *
$ ls
$ cp masked_key.png ../../
$ cd ../../

# The trailing bytes show the repeated EVENT HORIZON mask.
$ hexdump -C masked_key.png
```
```python
# Split off the 64-byte mask at the end of the file and XOR it, repeating,
# over the rest (the original file is 983040 bytes, i.e. 983040-64 of body).
with open('masked_key.png', 'rb') as mask_in:
    data = mask_in.read()

key = bytearray(data[:-64])   # masked image body
mask = data[-64:]             # the repeated "EVENT HORIZON" bytes
for x in range(len(key)):
    key[x] ^= mask[x % 64]

with open('unmasked_key.png', 'wb') as key_out:
    key_out.write(key)
```

P.S. I don't understand it yet.
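Added example, not the write-up's or picoCTF's code, showing the two checks the unmasking script above skips: the mask is read off the tail of the file as before, but it is cross-checked against the first 8 key bytes recovered from the known PNG signature (known plaintext), and the output is confirmed to be a structurally valid PNG by verifying the IHDR chunk CRC. The input is constructed in-line: a minimal 1x1 PNG built by the code and masked with a 64-byte key made of repeated "EVENT HORIZON " (an assumption that mimics the hexdump, not the challenge's real bytes).

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MASK_LEN = 64  # the write-up's script treats the last 64 bytes as the mask


def xor_with_key(data, key):
    """Repeating-key XOR; the same operation masks and unmasks."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def trailing_mask(blob, mask_len=MASK_LEN):
    """Split a masked file into (body, mask), like read(size-64) / read(64)."""
    return blob[:-mask_len], blob[-mask_len:]


def key_from_known_plaintext(masked_body, known=PNG_SIG):
    """Recover the first len(known) key bytes from the known PNG signature."""
    return xor_with_key(masked_body[:len(known)], known)


def unmask(blob):
    """Unmask, refusing if the trailing bytes disagree with the known-plaintext key."""
    body, mask = trailing_mask(blob)
    if key_from_known_plaintext(body) != mask[:len(PNG_SIG)]:
        raise ValueError("trailing bytes are not the key, or the key length is wrong")
    return xor_with_key(body, mask)


def png_is_sane(data):
    """Signature present and the IHDR chunk CRC (over type + data) matches."""
    if not data.startswith(PNG_SIG) or len(data) < 33:
        return False
    length, ctype = struct.unpack("!I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        return False
    crc, = struct.unpack("!I", data[16 + length:20 + length])
    return crc == zlib.crc32(data[12:16 + length]) & 0xFFFFFFFF


def _chunk(ctype, payload):
    """PNG chunk: length, type, data, CRC32 of type+data."""
    return (struct.pack("!I", len(payload)) + ctype + payload
            + struct.pack("!I", zlib.crc32(ctype + payload) & 0xFFFFFFFF))


def make_minimal_png():
    """Constructed 1x1 8-bit greyscale PNG (one filter byte + one pixel)."""
    ihdr = struct.pack("!IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))


def build_sample_masked_png():
    """Constructed test input: returns (masked_file_bytes, original_png)."""
    png = make_minimal_png()
    mask = (b"EVENT HORIZON " * 5)[:MASK_LEN]   # assumed mask, mimicking the hexdump
    return xor_with_key(png, mask) + mask, png


if __name__ == "__main__":
    masked, original = build_sample_masked_png()
    print("key prefix from signature:", key_from_known_plaintext(masked[:-MASK_LEN]))
    recovered = unmask(masked)
    print("round-trips:", recovered == original, "valid PNG:", png_is_sane(recovered))
```

The known-plaintext check is what a practitioner reaches for when the mask is not conveniently appended: XOR the first 8 masked bytes with the PNG signature, and if the result reads like the repeated string seen in hexdump, the guess about the key (and its period) is confirmed before any file is written.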

Reference solutions:
http://haeresy.tumblr.com/post/49832356680/black-hole
http://sturzu.org/2013/05/07/picoctf-writeup-black-hole-115