tinyfisher blog

BCTF2016 writeup

BCTF 2016

周末参加了BCTF,做出了一道签到题,一道杂项题,一道算法题,将思路整理如下,供大家参考.

签到题

题目:IRC
思路:常见的签到题,登陆https://webchat.freenode.net/,注册一个用户,登录到BCTF channel即可获得flag,不赘述。

杂项

题目:catvideo
给了一个mp4的视频,如下图,但是没有看见猫:
video
视频中大多数像素”稳定”(他们不改变自己的颜色) 。但是,我们可以看到这些像素里面还是有一些动作的。
我通常使用Python编程,但这次安装视频文件处理模块有一些问题,所以,我决定切分MP4文件的帧,然后用PIL Python模块处理这些帧,最后重组他们回到正常的视频。
花了半小时后,我得到如下解决方案:

ffmpeg.exe -i catvideo-497570b7e2811eb52dd75bac9839f19d7bca5ef4.mp4 -r 30.0 fr_%4d.bmp

我从官方网站上下载ffmpeg包,并执行上面的命令。它生产1922个BMP文件。然后写个脚本,将每一帧减去第一帧:

from PIL import Image  
from PIL import ImageChops  
import glob  
	im0 = Image.open("fr_0001.bmp")  
	for frame in glob.glob("frames/*"):  
		ImageChops.subtract(Image.open(frame), im0).save(frame.replace("frames", "frames_new"))

我创建了2个文件夹:/frames/frames_new,脚本执行后,我去/frames_new文件夹查看结果。我在帧3-314注意到一个消息:
v2

v3
虽然不清楚,但还是得到了答案BCTF{cute&fat_cats_does_not_like_drinking}

密码学

题目:Special RSA
描述:

While studying and learning RSA, I knew a new form of encryption/decryption with the same safety as RSA.

I encrypted msg.txt and got msg.enc as an example for you.

$ python special_rsa.py enc msg.txt msg.enc

Can you recover flag.txt from flag.enc?

special_rsa.zip.f6e85b8922b0016d64b1d006529819de

给定一个文件special_rsa.zip.f6e85b8922b0016d64b1d006529819de,包含如下信息:

flag.enc
special_rsa.py
msg.enc
msg.txt

题目的思路是用隐藏的key解密flag.enc文件。
阅读special_rsa.py文件加密和解密过程后,我做了简单的公式来找到隐藏的key。
v4
伪代码如下:

N = 23927411014020695772934916764953661641310148480977056645255098192491740356525240675906285700516357578929940114553700976167969964364149615226568689224228028461686617293534115788779955597877965044570493457567420874741357186596425753667455266870402154552439899664446413632716747644854897551940777512522044907132864905644212655387223302410896871080751768224091760934209917984213585513510597619708797688705876805464880105797829380326559399723048092175492203894468752718008631464599810632513162129223356467602508095356584405555329096159917957389834381018137378015593755767450675441331998683799788355179363368220408879117131L

c1 = 14548997380897265239778884825381301109965518989661808090688952232381091726761464959572943383024428028270717629953894592890859128818839328499002950828491521254480795364789013196240119403187073307558598496713832435709741997056117831860370227155633169019665564392649528306986826960829410120348913586592199732730933259880469229724149887380005627321752843489564984358708013300524640545437703771424168108213045567568595093421366224818609501318783680497763353618110184078118456368631056649526433730408976988014678391205055298782061128568056163894010397245301425676232126267874656710256838457728944370612289985071385621160886
c2 = 12793942795110038319724531875568693507469327176085954164034728727511164833335101755153514030256152878364664079056565385331901196541015393609751624971554016671160730478932343949538202167508319292084519621768851878526657022981883304260886841513342396524869530063372782511380879783246034751883691295368172069170967975561364277514063320691930900258017293871754252209727301719207692321798229276732198521711602080244950295889575423383308099786298184477668302842952215665734671829249323604032320696267130330613134368640401070775927197554082071807605399448960911234829590548855031180158567578928333030631307816223152118126597

m1 = 8246074182642091125578311828374843698994233243811347691229334829218700728624047916518503687366611595562099039411430662968666847086659721231623198995017758424796091810259884653332576136128144958751327844746991264667007359518181363522934430676655236880489550093852524801304612322373542296281962196795304499711006801211783005857297362930338978872451934860435597545642219213551685973208209873623909629278321181485010964460652298690058747090298312365230671723790850998541956664376820820570709272500330966205578898690396706695024001970727864091436518202414166919020415892764617055978488996164642229582717493375419993187360
m2 = 15575051453858521753108462063723750986386093067763948316612157946190835527332641201837062951012227815568418309166473080588354562426066694924364886916408150576082667797274000661726279871971377438362829402529682825471299861814829463510659258586020732228351258291527965822977048954720558973840956731377322516168809373640494227129998871167089589689796024458501705704779109152762373660542684880052489213039920383757930855300338529058000330103359636123251274293258

r1 = 12900676191620430360427117641859547516838813596331616166760756921115466932766990479475373384324634210232168544745677888398849094363202992662466063289599443
r2 = 7718975159402389617924543100113967512280131630286624078102368166185443466262861344357647019797762407935675150925250503475336639811981984126529557679881059

_, a, b = xgcd(r1, r2)
k = pow((c1/m1 % N), a, N) * pow((c2/m2 % N), b, N)
print k

得到key:

The key is 175971776542095822590595405274258668271271366360140578776612582276966567082080372980811310146217399585938214712928761559525614866113821551467842221588432676885027725038849513527080849158072296957428701767142294778752742980766436072183367444762212399986777124093501619273513421803177347181063254421492621011961

得到key,解密flag.enc,得到答案:
v3
Flag: BCTF{q0000000000b3333333333-ju57-w0n-pwn20wn!!!!!!!!!!!!}

blog comments powered by Disqus

发布日期

2016-04-04

标签

最近发表