HGAME 2022 Week1 writeup by ek1ng

WEB

easy_auth

easy_authMean simple authentication,题目描述admin在todoOn the record the important content of theflag,Examines website login is usedJWTAuthentication knowledge,当Token的signatureThe weak calibration method issecrectWhen empty holes.

First of all we click on the website have a look at,If direct access to the login page will because there is notoken跳转到login.html,题目在login.htmlProvided in the login and registration functions,So the first step we first register an account login in to look at,提示successAfter we logged in registered account.

Because this is our registered after a successful login account,Nothing is so normal,And then we in the browser debugging toolsdevtools里查看cookie,Discover web usageJWT的方式进行登录鉴权,那么JWTShould be on the authentication of loophole of,我们需要将Tokendisguised as a formadmin的身份,通过校验.

TokenIs divided into three parts,分别是JWT一共由三部分组成,head, respectively(header),载荷(payload),签证(signature).三部分用.进行分割,headerIs declared type and encryption algorithm,payloadIs standard in the registration statement and the public、私有声明,The visa part will bebase64编码后的header与base64编码后的payload通过符号.相连,然后通过header中声明的加密方式进行secret组合加密.

我们在jwt.io这样的jwtDecrypt the website can viewToken信息

After many attempts to findtoken的ID改为1,UserName的改为admin,Will the browser temporarytokenTo us the modifiedtoken我们就可以以adminIn the form of a successful login,拿到flag啦.

此外需要注意的是,I also try to the blastingToken,但是注册TokenThe validity of the website prompt only3分钟,And blastingjwt token Will take me several hours to finish.

蛛蛛…嘿嘿我的蛛蛛

​ Subject name and description before didn't start to do the topic we can through the spider I are all looking for头This topic describes speculation will examineHTTPThe knowledge of the request header response headers,topic needs to be usedpythonScript to automate click（Or manually click100个）以及HTTPKnowledge of response headers.

​ People draw after we click into the websiteflagDon't know where was thrown a closed,After trying to click on the button, we find,第nOff to jump to the firstn+1关有nA button only one button is right,通过f12We can see what is the correct button,但是我也不知道flagWhere will turn ah then so try a100Close I also really points to the…

​ 然后提示flagWhen the current page,查看httpThe content of the request headers can be foundflag啦,Writing the answer key feel open point always is not a solution,After all this time because only100Off my point3Minutes to see but if set of words would be more desperate so serious method should be usedpythonScript to point,Then I wrote apython脚本,To do it again this,python代码如下

from time import sleep
from selenium import webdriver

# 打开浏览器
wd = webdriver.Chrome(r'chromedriver.exe')
wd.get('https://hgame-spider.vidar.club/915929bc23')
# Stop the program1sGuarantee to open the page and then automatically click
sleep(1)

# 自动点击
for i in range(100):
    # 点击hrefValue is not empty button
    for link in wd.find_elements_by_xpath("//*[@href]"):
        try:
            if link.get_attribute('href') != '':
                wd.get(link.get_attribute('href'))
        except:
            pass

​ 运行完pythonAfter the script we found from100Close to jump to this page,看起来flagwas dropped（藏）在了这里

​ 找到flagafter the place where it fell,Click on the button is not what happens,f12Look at the front end source is what also have no.

​ Combined with the topic the spider I are all looking for头,在HTTPResponse headers we found customfi4g这个响应头,就找到flag啦

hgame{d76358d92407d56f48a7dd72e34497de5d788abc46b267e2a88b3f974f564b63}

Tetris plus

​ Tetris plusMean, enhanced the tetris,Click on the page found is a small game,Title description tells us to3000分,Problem solving needs to be usedJS审计、Base64、JSfuck编码的知识.

​ 题目提示了3000Points will be givenflag,Then a simple play feel fun playing a game,F12查看源代码后,在checking.jsA part of the file found the check mark.

​ 发现两个地方,The first is not be annotated parts,当score变量的值大于3000时,The page will pop upZmxhZyDosozkvLzooqvol4/otbfmnaXkuobvvIzlho3mib7mib7lkKch进行Base64After decoding to the content of the players,那么我们直接Base64解码看看,found out it was fakeflag.（The evil man questions even if you play in the3000Points will not be given to youflag hhhh）

​ Then another suspicious place is part of the comments below,After searching we found this isJSfuck编码,JSfuckCode only needs to run on the console can decode,Run on the console once and then we also get the trueflag.

Fujiwara Tofu Shop

​ Subject mean to want to become a lr needs to do something abouthhhInitial text is usedD的背景,考察的是HTTP请求头、Knowledge of response headers,And you need to be able to usePostman或者Burpsuite这类工具.

​ At first I didn't understand what is a trip toqiumingshan.net,I thought it was a need to accessqiumingshan.net什么的,然后发现这个qiumingshan.net的DNSResolution is less than corresponding host the word is very confused and asked people questions found to complicated,Access is given topicshop.summ3r.top,Then based on the description to a trip toqingmingshan.net,我们给HTTP请求头添加Referer,RefererThe role of is in the client toweb服务器发送请求时,告诉服务器该网页是从哪个页面链接过来的,The server can be done to the visitor information processing statistics work of what.

Referer: qiumingshan.net

The web page and prompt needed aAE86To be a car god,所以将User-Agent的内容改为Hachi-Roku

User-AgentIs used to access the web site provides the browser you are using type、操作系统及版本、CPU 类型、浏览器渲染引擎、浏览器语言、浏览器插件等信息的标识,We had send the request when the default will bring,更改为Hachi-RokuAfter we get the further hints.

User-Agent: Hachi-Roku

Title suggest put a boxRaspberryflavored cookies,HTTP请求会使用CookieDo persistent access,Then we looked at the response headers found response headers inCookie有个叫flavor的字段,初始值是Stawberry,Exactly as suggested,We use the request header set it toRaspberry就可以了

Cookie: flavor=Raspberry

Change after the author again we need to add petrol to100,We can be found in the response headerGasoline:0,GasolineShould be self defined in the header,非常奇怪,We translate them find the meaning of this word is just gasoline,So will the value of modified into100就可以了.

Gasoline: 100

But I met in very strangeburpsuite给httpWhat request header because I had sent among some strange request,添加Gasoline: 100无法得到响应,I thought it was not so add,But search the ages is also didn't find a problem

So with the feelings of doubt and inpostman中尝试了,The discovery of the magic can

然后再回到burpsuite中尝试了一下,Perhaps before I send inGasoline: 100What also added beforeburpsuitecache or something？？？Anyway tried again found to

​ Here the author suggests to from local access page,我们先尝试XFF,XFFIs to identify the client the most primitiveIP地址的,它通过三个ProxyPut forward the request to the server,改成X-Forwarded-For: 127.0.0.1Found no title and ridicule,Then do I stuck here,After asking the people draw is that there are several kinds of local access words request header way,Then the questioner takes itXFFDisabled so searched on the Internet search foundX-Real-IPCan also be the same effect

X-Forwarded-For: 127.0.0.1

所以我们换了一种方式,添加X-Real-IP请求头,Found outflag

X-Real-IP:127.0.0.1

When writing the antithesis in writingXFFTo go through threeproxyForward the thought of people disable drawXFF这个问题,So I said to try in the back of theproxy里面写127.0.0.1,Found that people draw this disabled disabled only first127.0.0.1这个proxy,So this method can also be the magic to getflag的,And then asked people find this seemingly or unexpected questions（

MISC

欢迎欢迎！热烈欢迎！

Happy sign in( No sign in others the load

这个压缩包有点麻烦

​ 主要是使用ARCHPR这个工具,There are a total of compressed packages6位数字爆破 + 字典 + 明文 + binwalkExtracted after a hiddenzip + Pseudo encryption so5层加密,It is important to note package this topic also updated the attachment,I think it's the old package in clear this layer a little question again so0One solution then I am stuck in clear this place,Behind the words they see update attachment want to rob the 123 blood wasbinwalkThis layer stuck and then if I had just been done on the second dayhhh

​ The first layer of encryption tip withbandzipOpen the package you will see,使用ARCHPR成功解密

Encryption dictionary words fromREADME.txt里面可以看出,This is given by the topicpassword-not.dicis the password dictionary,Using password dictionary is successful decryption

The third layer of plaintext encrypted,At first the givenREADME.txt是68BBut the inside of the package has a73B,Do not conform to the conditions of plaintext encrypted so could also solve,Update the attachment successfully released,以及READMETell us package adopted only in storage compression way,Because the plaintext encrypted is toREADME.txtThe compression package also some compressed files in the same way,With the same file,Two binary values will be a part of the package is equal,Use this for blasting.

After decryption we get aflag.jpg,使用winhex查看发现在jpgAfter the end of a hidden information,我们使用binwalkTool to pick up the hidden zip,Discovery is still a package,使用winhex打开后,找到504B0102后面的这一串,从50开始数第9,10位是0900,改成0000Save it later,我们就拿到了flag.jpg

好康的流量

这题考察了WiresharkTraffic analysis and usingStegSlove分析LSB隐写图片、文本,This I really has tried various was later found to beLSBSteganographic text got another halfflag,Search engine found in a variety of methods are tried again

首先我们打开Wireshark,The upper left corner export and then save as,我们发现这是个.eml,And then found the mail system andoutlook可以打开但是windowsThe mail I didn't also add account before then I don't add account add up,然后换了outlookOpen the mail,Then see two tips,第一个是LSB,提示使用了LSB隐写,The second is that the images we keep it down

用StegSloveAfter opening in the green channel2We found here on the implicit wrote a barcode,Open alipay sweep code found here for a halfflag

hgame{ez_1mg_

Then the other halfflag需要使用stegslove打开图片后,在Extract BySelect calculated on column was able to get the half,Initially selected by the line and then channel to switch to steganographic information also didn't find.

Together we will getflag啦

hgame{ez_1mg_Steg4n0graphy}

群青(其实是幽灵东京)

This is examining audio steganalysis a problem.

搜索后发现SilentEyeA steganalysis tools,After download try to decrypt but didn't get anything,于是用audacity打开,Check the spectrum diagram found hidden wrote the textYoasobi

在SilentEye里将YoasobiFill in the password,Found can decrypt

After the download new audio,搜索SSTV发现 慢扫描电视（Slow-scan television 简称SSTV）Is a kind of amateur radio transmission method so can judge it hides the pictures,我们使用RX-SSTVDecryption of this kindSSTV的软件,Found the steganographic qr code,Sweep the code can getflag啦

CRYPTO

Dancing Line

Title and description is given of information is not much,Open the found is toDancing LineThe game as the background of a picture,With a line of horizontal and vertical said0,1,What's the use of the black spots,I counted the found37个好像（,然后一个flagThe length of the same,We can guess the solution isflag,Between every two black spots a is saidflag的一个字符,But how to clearly see pictures to,I found one onlineps网站,Open the picture found the image which is each step a pixel point

https://ps.gaoding.com/#/

So that we only need to count or to find a way to usepythonScript do some image recognition work again intoflag就可以了,Because here I wanted to think not much point,20分钟可以搞定,So I just use the number of manual method,The following is a record number of manual processhhh,I counted before5Then convert the0和1的对应关系,Just enough to matchhgame,Horizontal is0vertical yes1,Then count each time5个,把这个flagCounted out

Writing the answer key and thought for a moment,The correct solution is withPillow这个Python的图像处理库,To do the work of information processing,It's a pity that writing the answer key wrote here already18.26right away8点要week2了,So before the write a script with the try.

Easy RSA

This is a relatively simpleRSA算法的题目

First of all check information to understand what isrsa：

1. 随意选择两个大的质数p和q,p不等于q,计算N = pq.
2. 根据欧拉函数,求得r=φ(N)=φ(p)φ(q)=(p-1)(q-1).
3. 选择一个小于r的整数e,是e与r互质.并求得e关于r的模反元素,命名为d.(求d令ed≡1(mod r)).(模反元素存在,当且仅当e与r互质）
4. 将p和q的记录销毁.

其中(N,e)是公钥,(N,d)是私钥.

Then we see the title of the encryption algorithm：将flagEach character character throughrsaencrypted and givenpqe和c,So we need to do is simple,求出d然后解出m.

import gmpy2
def make_key(p, q, e):
    n = p * q
    phi = (p-1) * (q-1)
    d = gmpy2.invert(e, phi)
    return d
m = [(12433, 149, 197, 104), (8147, 131, 167, 6633), (10687, 211, 197, 35594), (19681, 131, 211, 15710), (33577, 251, 211, 38798), (30241, 157, 251, 35973), (293, 211, 157, 31548), (26459, 179, 149, 4778), (27479, 149, 223, 32728), (9029, 223, 137, 20696), (4649, 149, 151, 13418), (11783, 223, 251, 14239), (13537, 179, 137, 11702), (3835, 167, 139, 20051), (30983, 149, 227, 23928), (17581, 157, 131, 5855), (35381, 223, 179, 37774), (2357, 151, 223, 1849), (22649, 211, 229, 7348), (1151, 179, 223, 17982), (8431, 251, 163, 30226), (38501, 193, 211, 30559), (14549, 211, 151, 21143), (24781, 239, 241, 45604), (8051, 179, 131, 7994), (863, 181, 131, 11493), (1117, 239, 157, 12579), (7561, 149, 199, 8960), (19813, 239, 229, 53463), (4943, 131, 157, 14606), (29077, 191, 181, 33446), (18583, 211, 163, 31800), (30643, 173, 191, 27293), (11617, 223, 251, 13448), (19051, 191, 151, 21676), (18367, 179, 157, 14139), (18861, 149, 191, 5139), (9581, 211, 193, 25595)]
print(len(m))
for i in range(38):
    e, p, q, c = m[i]
    d = make_key(p, q, e)
    n = p * q
    plaintext = (gmpy2.powmod(c, d, n))
    print(chr(plaintext), end='')

Matryoshka

Topic is known the Caesar encryptionkeyAnd Virginia encryptedkey,It means ciphertextflagWas changed into braille layers of encrypted,Now you need to decrypt it back,Decryption order is like this

Braille 盲文 - > Reverse Reverse password -> Morse 摩斯 -> hex 转16进制 -> Vigenère 维吉尼亚 -> base64 -> 栅栏:22 -> Caesar 凯撒:21 -> Flag

cyberchefDon't know why we work out the layer of moss,Then in a online website solution out,If you don't add this layer of reverse after moss is behind the solution to the solution of the problem was found,也是根据hint 2个置换2a substitution4个编码,Are known and Caesar, Virginia two substitution cipher,So say if moss directly work out and see if I can add a layer of substitution cipher,With reverse after moss can well solve the

Work out after Morse code for characters in the most generally no more thanF,猜测是16进制编码 去cyberchef里面转HEX

After the solution, a layer of Virginia again 这个显然是base64So again in the form of a layer of solutionbase64

Then this fence me incyberchef好像找不到,May be I search not to looking for a website to try

一个一个试过去,Because already know the last layer is Caesar then fence passwordkeyNo more than the length of the original,那么key从1Start after decoding to Caesar21Solution layer again and see if it isflag的形式就好,Finally tried it outkey=22time to decryptflag

后来发现原来cyberchefis the solutionmorsecode的 Is my separators have 选forward slash就可以了

English Novel

题目首先给出了410A block encryptiontxt,其中每个txt是410字节,Can be one to one correspondence,Then the overall train of thought is based on encryption algorithm to write a firstpythonThe script found encryptedkey,然后用key和加密后的flag.encFind the pre-encrypted oneflag.enc

At first did not notice the original and cipher text is not according to the serial number directly to the corresponding so try solution found out each solution after a fewkey都不一样

The first is to find correspondingpart部分 findPart.py

import os

filePath=r"" # 文件夹路径
fileList=os.listdir(filePath)

for file in fileList:
	f=open(os.path.join(filePath,file))
	while True:
		line = f.readline()
		if not line:
			break
		line = line.strip('\n')
		key = 'ktl'
		if key in line:
			print(file)# txt文件内容
			print(line)

根据findPart.py 检索关键字

由于flagThe beginning must behgame Then there isflag.enc我们就能知道key[0]-key[4]的值

比如part0 最前面5个字符是 read It will be after encryption wmme 然后我们用 wmmede-encryptedpart里面检索,就能够找到part0对应了part175

解密部分 encrypt.py

encryptData = "" # Unencrypted data
originalData = "" # 加密后数据
key = [0 for i in range(410)]
encryptFlag = 'klsyf{W0_j0v_ca0z_\'Ks0ao-bln1qstxp_juqfqy\'?}'
def encrypt(originalData, encryptData,):
    for i in range(len(originalData)):
            key[i] = ord(encryptData[i]) - ord(originalData[i])
def enflag(key,encryptFlag):
    result = ""
    for i in range(len(encryptFlag)):
        if encryptFlag[i].isupper():
            result += chr((ord(encryptFlag[i]) - ord('A') - key[i]) % 26 + ord('A'))
        elif encryptFlag[i].islower():
            result += chr((ord(encryptFlag[i]) - ord('a') - key[i]) % 26 + ord('a'))
        else:
            result += encryptFlag[i]
    return result
encrypt(originalData,encryptData)
print(enflag(key,encryptFlag))

After decryption because wekeyOnly in case character get,And if it is a space quotes etc. Ourkey是默认为0的,So only a set of data, we can only part of the solution unless you find it in front of a group of data is equivalent toflagThe length of this string is case sensitive character but this certainly not possible,So I'll just find2组数据.

part21对应326,part38对应pary280:

根据3A corresponding relationship to findflag Then put together a little bit about the getflag啦

# flag.enc klsyf{W0_j0v_ca0z_'Ks0ao-bln1qstxp_juqfqy'?}
# part 0 -> part 175 kgame{W0_y0u_kn0w_'Kn0wn-bla1nttxt_attack'?}
# part 21 -> part 326 hgame{W0_y0v_kn0w_'Kn0wn-pla1ntext_autaqk'?}
# part 38 -> part 280 kgame{D0_j0u_ka0w_'Kn0wo-pln1nttxt_attacy'?}
# hgame{D0_y0u_kn0w_'Kn0wn-pla1ntext_attack'?}

IOT

meal carduno

This problem is I don't know much aboutiot的,Then see download is aHEX文件,hex是16Into the system, so first decoded into characters have a look

And then we seem to get theflag,Though the format is a little problem,但是flagGeneral is to put the characters into a digital some,Or can guess the meaning,Take some at sixes and sevens after removing is successful toflag,Then later becauseweb misc crypto都akCan go to see a few I'm notpwn和re,接触到了ida,使用ida反汇编后,我们就直接发现flagActually be recorded here.

RE

easyasm

Executable file is can't open it,是个DOS程序,Then the title saysasm,asm指Assembly,So this is the need to see the assembly code

We are going to the executable file intoIDA查看,The first is to seeflag的一个形式

程序首先会将si和1Ch做比较,If equal will walk on the right side of the tipright,If it is not equal to will walk on the left,When after the cycle of the left without enterright那就会进入wrong,Here can be concluded that theforThe loop needs to letsi从00H一直++到1Ch 总共走28次,Below is for block assembly code translation

xor     ax, ax axIs the accumulator register,ax和ax一定相等 结果是将ax清零
mov     al, [si] si是源变址寄存器,To hold the source operands offset address,将siThe value on the address givesal al是低8位寄存器 l表示low 是ax寄存器的低8位
shl     al, 1    
shl     al, 1    
shl     al, 1    
shl     al, 1    左移4位
push    ax       push ax是把axIn the value of the stack.即当前esp－4The output value becomes ax的值,axThe value itself remains unchanged.
xor     ax, ax   重复前面的操作
mov     al, [si] 
shr     al, 1    
shr     al, 1	 
shr     al, 1	 
shr     al, 1 	 右移4位
pop     bx       pop bx是把当前esp的值赋给bx,并且esp＋4（bx的值改变,esp在popBefore to place the value of the constant,In which values of the stack will not automatically reset）此时bx = 08H
add     ax, bx   相当于把这个2位16Hexadecimal number about two call
xor     ax, 17h  和17H异或
add     si, 1	 si++
cmp     al, es:[si-1] 将al和以esis the first address of the segmentsiTo offset the value of the compare
jz      short loc_100DD

So we need to first and17H异或,And then the exclusive or value about a swap,转成ascii码表示的字符,就能够得到flag了啦

At first also didn't want to know,Forget the reverse isflagValidation of a process,Need to count backwards back,Dish I thought zha is also not quite right about,Later want to understand before calculated both,Inspection found that the first two characters is h,g,So that our thinking is right

Then I try to write directlypython脚本解决,Find a operation on my this script is very strange,Some part of the overflow will not automatically ignore the,Then with thoughts of hurryflagSo talk first17H异或,Put exclusive or the result of artificial before and after the two changed my,Finally, use the program to turnascii输出了,It's semi-automatic（

flagchecker

这是个apkReverse question,我用了jadx-guiThen the decompiled thisapk,And found the checkflag的类MainActivity.

从代码看flagShould be firstcarol为key用RC4Encrypt and thenbase64Encrypted can be equated to a string of a string,通过校验.

So we just need to put this inside says string firstbase64解码,再RC4解码就可以得到flag了,这里使用了cyberchefThis online website.

PWN

test nc

Just use itnc命令连接靶机,Then, not directly to the usshell,那这样的话cat flag我们就拿到flag啦

然后由于pwnHas been scanning ports nowpwnThe drone connection need to authenticate before,I have no this blasting in thissha256前4A script can't emersion only word to describe.