{"id":1593,"date":"2023-04-17T22:24:06","date_gmt":"2023-04-17T14:24:06","guid":{"rendered":"https:\/\/fushuling.com\/?p=1593"},"modified":"2023-07-31T14:42:40","modified_gmt":"2023-07-31T06:42:40","slug":"texas-security-awareness-week-2023-wp","status":"publish","type":"post","link":"https:\/\/fushuling.com\/index.php\/2023\/04\/17\/texas-security-awareness-week-2023-wp\/","title":{"rendered":"Texas Security Awareness Week 2023\u00a0WP"},"content":{"rendered":"\n

This time I play the game in the name of NotEnoughEffort,and we ended up in 20th place<\/a><\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

This game added more than ten points to us, which means we have now surpassed a group of well-known strong teams and ranked 23rd in the China region on CTFTime\ud83e\udd23\ud83e\udd23<\/p>\n\n\n\n

\"\"<\/div><\/figure>\n\n\n\n

Forensics<\/h1>\n\n\n\n

Lazy Admin<\/h2>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n

Decode the URL to obtain the answer\uff1a<\/p>\n\n\n\n

texsaw{w3@kpa$$worD}<\/code><\/pre>\n\n\n\n
Not Obvious<\/h2>\n\n\n\n
Just exiftool it<\/a><\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
<\/a>Base64 decoding results in flag<\/p>\n\n\n\n
texsaw{Y0uF0und1t}<\/code><\/pre>\n\n\n\n
Osmium<\/a><\/h2>\n\n\n\n
<\/a>After downloading the attachment, the 010 Editor found that it was a compressed package. After changing it to. zip, it can indeed be decompressed. After decompressing, there is also a rock. lock and a txt file, so it is speculated to be a cyclic decompression. Simply scan the directory first, rename the. lock file to. zip file, and then extract the. lock file from the extracted folder and place it in the original directory and delete the previously renamed rock. zip file, After repeating 491 times, an error will be reported and it will be found that there is a rock. zip file that is not a compressed package. You can use the 010 Editor to obtain the flag<\/p>\n\n\n\n
import os\nimport shutil\nimport time\n\ndef scan_file():\n    for f in os.listdir(): #Since this is the current path, it is necessary to place this code file in the same folder as the file you want to process\n        if f.endswith('.rock'):\n            return f\n\ndef unzip_it(f,i):\n    folder_name = f.split('.')[0]+str(i)\n    target_path = os.path.join('.',folder_name)\n    os.makedirs(target_path)\n    shutil.unpack_archive(f,target_path)\n\ndef delete(f):\n    os.remove(f)\n\nif name == '__main__':\n    i = 1\n    while True:\n        zip_file = scan_file()\n        # print(zip_file)\n        if zip_file:\n            os.rename(zip_file,'rock.zip')\n            unzip_it('rock.zip',i)\n            delete('rock.zip')\n            os.rename('E:\\\\test\\\\rock'+str(i)+'\\\\rock.rock','E:\\\\test\\\\rock.rock')\n            i += 1<\/code><\/pre>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
Ghost in the Clipboard<\/h2>\n\n\n\n
<\/a>The ClipboardPayload in ActivitiesCache.db stores the base64 encoded clipboard data, which can be unpacked(AppData\\Local\\ConnectedDevicesPlatform\\4f406c0d314b1399)<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
texsaw{th1s_1s_th3_fl4g}<\/code><\/pre>\n\n\n\n
MISC<\/h1>\n\n\n\n
Get Docxed<\/h2>\n\n\n\n
You can use binwalk to separate a zip file  and obviously, this c_ r_ a_ z_ y. Zip hides flag<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
Then use rockyou. txt to explode and obtain the answer<\/p>\n\n\n\n
Leaking Secrets?<\/h2>\n\n\n\n
Just view the modification records<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
Dial Tones<\/h2>\n\n\n\n
After DTMF recognition of wav, it is obtained that:469096804666202280545308428.<\/p>\n\n\n\n
Next, you need to contact the background of the question because it was still in the era of using Nokia phones, and the numbers we obtained obviously wouldn’t be phone numbers, so we can only use T9 to write different words using the nine numbers on the keyboard.<\/p>\n\n\n\n
For T9,https:\/\/www.dcode.fr\/t9-cipher<\/a> this one works,Choose the words with the most normal word order to form a sentence, and the final flag is texsaw{howyougonnaactlikethat}<\/p>\n\n\n\n
Cryptography<\/h1>\n\n\n\n
A Prime Problem<\/h2>\n\n\n\n
Just use Fermat’s theorem decomposition and you will get the answer:<\/p>\n\n\n\n
import gmpy2\nfrom Crypto.PublicKey import RSA\nfrom Crypto.Cipher import PKCS1_OAEP\nimport Crypto.Util.number as number\n\nwith open(\"public.pem\", \"rb\") as f:\n    key = RSA.import_key(f.read())\n\npublic_key = key.publickey()\n\ndef fermat(n):\n    a = gmpy2.isqrt(n) + 1\n    b = a**2 - n\n    while not gmpy2.iroot(b, 2)[1]:\n        a += 1\n        b = a**2 - n\n    b = gmpy2.iroot(b, 2)[0]\n    return (a + b, a - b)\n\n# p, q = fermat(public_key.n)\n\nq = 4035344634524837717521915201305975516098722420219128355538063452416706649582040976771180219125686195204822338707859330665951615120601874544633270967788027074091717031306682541328304029835373501410605229741692482939694335870993275374022062842280710959945654503477963936519342817858077479358738644573785487521029281727169737762573882938206926732178158574479009658125467551018805835614097299871918962876012823726564585700892649184624360581540320684057939677927710690697605112273648424114803479675168145732275761455167827091548475299338153944131864072448859112796081669111927011416022032734279963320442672954117725635057\np = 4035344634524837717521915201305975516098722420219128355538063452416706649582040976771180219125686195204822338707859330665951615120601874544633270967788027074091717031306682541328304029835373501410605229741692482939694335870993275374022062842280710959945654503477963936519342817858077479358738644573785487521032731949949672190534185116624273887980672650136436463485817603675820435108916629224182933010010760147581441906729024860231015150938247223056724681089282171956429028890246653926215568565285817362035961064914955470989239448342478747578795441253265938399505855471220563759562310196608723984550303265351501013993\ne = 7\n# Calculate n and d, where n is the RSA modulus and d is the private key index\nn = p * q\nphi = (p - 1) * (q - 1)\nd = pow(e, -1, phi)  # Using the pow function to calculate the inverse of e\n\n\n#Generate RSA key pairs\n\nkey_pair = RSA.construct((n, e, d, p, q))\n\n# Using RSA to decrypt ciphertext\ncipher_rsa = PKCS1_OAEP.new(key_pair)\nwith open(\"key_gen_flag.bin\", \"rb\") as f:\n    cipher_text = f.read()\n\ndecrypted_text = cipher_rsa.decrypt(cipher_text)\nprint(decrypted_text)<\/code><\/pre>\n\n\n\n
Web<\/h1>\n\n\n\n
The Path to Victory<\/h2>\n\n\n\n
You will move to http:\/\/18.216.238.24:1003\/webpage\/files\/dir\/index.html when you visit the webpage given by the title.You can change the url to http:\/\/18.216.238.24:1003\/webpage\/ and you will find the webpage file directory.Then you can find flag in session_keys.txt.<\/p>\n\n\n\n
Console Scrabble<\/a><\/h2>\n\n\n\n
<\/a>There is a change.js on the webpage, I ran all the functions in the source code one by one in the webpage debugging function and finally obtained the flag.<\/p>\n\n\n\n
Swiftmaster<\/h2>\n\n\n\n
When you access the provided URL, you can find a download button. After pressing it, you can obtain an image, and then view the detailed properties to obtain the flag<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
So th flag is texsaw{v3rY_5eKr33t}<\/p>\n\n\n\n
Mail<\/h2>\n\n\n\n
It’s a really strange challenge.When you get to http:\/\/18.216.238.24:2020\/flag you will be redirected to another website.The way to solve it is just use POST\uff1a<\/p>\n\n\n\n
curl -X POST http:\/\/18.216.238.24:2020\/flag<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
MIT of The South<\/h2>\n\n\n\n
Visit the webpage http:\/\/18.216.238.24:1004\/webpage\/files\/dir\/robots.txt and you will see a prompt\uff1a<\/p>\n\n\n\n
Robots!?\nThere are no robots here!\nOnly Temoc, and his army of tobors!!<\/code><\/pre>\n\n\n\n
So get to http:\/\/18.216.238.24:1004\/webpage\/files\/dir\/tobors.txt and you will find that there is a large number of addresses stored here.Save them as a dictionary and use burpsuite for path blasting. Eventually, you will find flag in http:\/\/18.216.238.24:1004\/webpage\/files\/dir\/ecss\/4.910\/<\/a><\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
Git er’ done<\/h2>\n\n\n\n
githacker –url http:\/\/18.216.238.24:1002\/.git\/ –output-folder ~\/results<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n","protected":false},"excerpt":{"rendered":"
\u56e0\u4e3a\u8fd9\u4e2awp\u653ectftime\u4e0a\u4e86\uff0c\u6240\u4ee5\u7528\u82f1\u6587\u4e86<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[],"class_list":["post-1593","post","type-post","status-publish","format-standard","hentry","category-wp"],"_links":{"self":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts\/1593","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/comments?post=1593"}],"version-history":[{"count":8,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts\/1593\/revisions"}],"predecessor-version":[{"id":1738,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts\/1593\/revisions\/1738"}],"wp:attachment":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/media?parent=1593"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/categories?post=1593"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/tags?post=1593"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}