Kryptokaffe 2024 Writeup

Kryptokaffe CTF 2024

Chokladboll

Quizmästaren-`webb`

题目:

https://kryptokaffe.github.io/

解题:

打开链接是一个知识答题

需要答对10道题获得flag

F12 查看网络请求发现SQLite文件双击下载使用 DataGrip 打开查看表即可看到flag 和所有题目及正确答案

Fika[blåbärspaj_med_owaspgrädde]

418-`webb`

题目:

Fikamyndighetens nya centrala styrsystem för alla kaffemaskiner runtom på myndigheten har hackats, tydligen är systemet övertygat om att det inte längre ska jobba med kaffe. Kan du hitta ett sätt att beställa kaffe?

解题:

先了解了下418协议;然而没啥用,根据题目内容咖啡机被入侵;需要想办法获得咖啡

分析源代码发现特殊内容

Use the header “Secret-Key”

Use the header “Secret-Key” 很清晰告诉我们要加上 Secret-Key 请求头 key 是 kosmiskstrålning

CSS 隐藏的信息拼起来刚好是 fix-coffee

带上 Secret-Key 头请求 fix-coffee 获得flag

Fika[kaffe_med_kosmisk_strålning]

Rymdresan-`webb`

题目:

一个游戏

https://obfuscatedstarlight.github.io/

解题:

F12分析网络请求在game.js 中发现 goal-flag

16进制转换得到flag

Fika[obfuskerad_men_enkel_bulle]

Reklamfilmen-`Forensik`

题目:

一个视频

解题:

播放视频在 5秒处有一个画框上面是二进制

Fika[konst_kaka]

Målarboken-`Forensik`

题目:

附件链接：https://pan.baidu.com/s/17-UYScYrVdW9k_pigrakPQ?pwd=t9aj

解题:

Stegsolve 打开在Alpha Plane 0 发现flag

Fika[flaggad_webbkaka]

Geniet-`Nätverk`

题目:

链接：https://pan.baidu.com/s/1RN4OQtirJX3r5xO8Qd4G5w?pwd=ld5n

解题:

Wireshark 打开流量包

通过追踪HTTP流发现每次 /api/status的请求中的User-Agent 的第一个字母不一样对其提取

提取脚本

import pyshark


def extract_user_agents(pcapng_file):
    # 加载pcapng文件
    cap = pyshark.FileCapture(pcapng_file, display_filter='http.request.full_uri contains "/api/status"', tshark_path=r'D:\Program Files\Wireshark\tshark.exe')

    # 遍历捕获的数据包
    for packet in cap:
        # 检查是否是HTTP层
        if 'HTTP' in packet:
            # 获取HTTP请求的头部信息
            http_layer = packet.http
            # 打印User-Agent字段
            user_agent = http_layer.get('user_agent', 'No User-Agent Found')
            print(user_agent[0], end='')

    # 关闭文件
    cap.close()


extract_user_agents("geniets-trafik.pcapng")

# 46696B615B6578706F6E657261645F6CE46E67645D

发现结果是16进制字符串进行 CyberChef 解码

Fika[exponerad_längd]

Sommargåvan-`Kryptografi`

题目:

链接：https://pan.baidu.com/s/1gur5g4ABUI9mR-ai4OJTCQ?pwd=t7t4

解题:

查看文件类型

PK 开头压缩包使用解压工具解压

根据目录结构判断应该是 ODF 文件

查看 Thumbnails 缩略图

content.xml 保存了文档中的文字信息打开发现 rsa 加密数据

n 过大不好分解寻找其他思路

通过 010 Editor 查看两张图发现尾部有数值

猜测是 p 和 q 的值使用python 验证 p*q 的确等于 n

rsa 解密

from Crypto.Util.number import long_to_bytes
from gmpy2 import gmpy2

p = 130958128470176100902720469380446369109326974758924912532214019651956038963911683896030120620729393040494273755056054632909162417822816850256309935201375953533317627652387735319668437800407409910425640352029104322189050555094739951873453252279431745963764163773149308333026431316853706209684022163410911535707
q = 167489004754113381575646573385775423908762434825121835425295084286942872299379597057651150917644998604559390293020683809828447884950218028779268428440790011375853275035889047672046213421553134079272059156094443637191200821429174816573514585364309272949198358328162584475701977560746775204303956007366908892313

c = 6947870956216127831444259211915549158146120399920520751589942974104525565162045776038139509446867207779669655848853249877479619351837419910820290895960585567896784211882794450626052110879163757040154102958066538959700957945718578590478429742793656350175630760182520751792094630516203448154195409867620697963406929197883938152110088860612004414998197368636770665241451104161031037212120846522201959983760859671910278800904287246258965661063217873238090319841723560480977441539536958293600254386411319799084408024008495491300482908444788188883062935903091287154439970655426659085455798938026289704501553765958431909383
n = 21934046601931115950262607334962177415966529285655394986998697521115725837524186566350673323766779686122267894540325135687290292763882376199053091126405462105963870402463428913618996886261947895934190895713377659597210844175110790234387576573202363791433960415429285583890508209515125022308897872289452348734447613129809600142735728393370593286015497958525713714325922619303600103480896784074257701362567263520249301934281635459537584648056848519759027267706801125854257131656431911378796241070143227182598117602703775449844464865306381705180708921329170826204009041913764504722984914977324665563377071372889117320291
e = 65537

# print(p * q)  # pq=n

d = gmpy2.invert(e, (p - 1) * (q - 1))
m = pow(c, d, n)
print(long_to_bytes(m).decode())

# Fika[cipher_cake]

Fika[cipher_cake]

Receptsystemet-`Reverse`

题目:

链接：https://pan.baidu.com/s/1crW3dkoin3CmaeO1i0T3yA?pwd=z1fm

解题:

解压发现是.net程序

使用dnspy反编译

关键代码

private static string SnyggaTill(string input)
{
    return Convert.ToBase64String(Encoding.UTF8.GetBytes(input));
}

private static void RequestRecipe()
{
    Console.Write("\nAnge namnet på receptet du vill önska: ");
    if (Program.SnyggaTill(Console.ReadLine()).Equals(Program.temptemp123))
    {
        Console.ForegroundColor = ConsoleColor.Yellow;
        Console.WriteLine("Det är endast fikaklassade ... nting annat: " + Program.Decrypt(Program.nytemp));
        Console.ResetColor();
        Console.WriteLine("");
        return;
    }
    Console.ForegroundColor = ConsoleColor.Green;
    Console.WriteLine("Tack för ditt önskemål!\n");
    Console.ResetColor();
    Console.WriteLine("");
}

private static string Decrypt(string input)
{
    byte[] bytes = Convert.FromBase64String(input);
    return Program.FixarSenMvhIngeKrypto(Encoding.UTF8.GetString(bytes), -9);
}

private static string Encrypt(string input)
{
    string s = Program.FixarSenMvhIngeKrypto(input, 9);
    return Convert.ToBase64String(Encoding.UTF8.GetBytes(s));
}

private static string FixarSenMvhIngeKrypto(string input, int shift)
{
    StringBuilder stringBuilder = new StringBuilder();
    foreach (char c in input)
    {
        if (c >= 'a' && c <= 'z')
        {
            stringBuilder.Append((char)(((int)(c - 'a') + shift + 26) % 26 + 97));
        }
        else if (c >= 'A' && c <= 'Z')
        {
            stringBuilder.Append((char)(((int)(c - 'A') + shift + 26) % 26 + 65));
        }
        else if (c >= 'å' && c <= 'ö')
        {
            stringBuilder.Append((char)(((int)(c - 'å') + shift + 26) % 26 + 229));
        }
        else
        {
            stringBuilder.Append(c);
        }
    }
    return stringBuilder.ToString();
}


private static string nytemp = "T3J0alt2bm1qYWtuY2phcGHDpG1tbl0=";
private static string temptemp123 = "RGVuIGV4a2x1c2l2YSBjaGVmc2dyw6RkZGVu";

逻辑简单将 temptemp123 做base64 解密 dnspy运行dll 选择 3 输入 Den exklusiva chefsgrädden 即可获得flag

但是我的控制台是 GBK 编码无法正确处理字符 ä 所以手动解

import base64


def krypto(input_string, shift):
    from string import ascii_lowercase, ascii_uppercase
    result = []

    swedish_lower = 'åäö'

    for c in input_string:
        if c in ascii_lowercase:
            result.append(chr((ord(c) - ord('a') + shift) % 26 + 97))
        elif c in ascii_uppercase:
            result.append(chr((ord(c) - ord('A') + shift) % 26 + 65))
        elif c in swedish_lower:
            index = swedish_lower.index(c)
            result.append(swedish_lower[(index + shift) % len(swedish_lower)])
        else:
            result.append(c)

    return ''.join(result)


nytemp = "T3J0alt2bm1qYWtuY2phcGHDpG1tbl0="
temptemp123 = "RGVuIGV4a2x1c2l2YSBjaGVmc2dyw6RkZGVu"

print(base64.b64decode(temptemp123).decode())
# Den exklusiva chefsgrädden

input_text = base64.b64decode(nytemp).decode()
flag = krypto(input_text, -9)
print(flag)
# Fika[medarbetargrädde]

Fika[medarbetargrädde]

Låtbidraget-`Forensik`

题目:

链接：https://pan.baidu.com/s/1upMz-uyR-sVir1ghzOxECg?pwd=1jwz

解题:

最后面听到摩尔斯电报

对音频进行降速听长短

GZMD SOMMIG 无法求证FLAG是否正确

Motangreppet (del 1)-`Nätverk`

题目:

链接：https://pan.baidu.com/s/1CXWcNRNAFlaWoiEg0NItaA?pwd=nybw

解题:未解出

在 en_ihopskrynklad_lapp_i_fickan.txt 中得到的信息

1
2
3

44 69 73 72 75 70 74 20 46 F8 64 65 76 61 72 65 73 74 79 72 65 6C 73 65 6E 73 20 73 6F 6D 6D 65 72 74 61 6C 65

Disrupt Fødevarestyrelsens sommertale

1
2
3

01010010 11000011 10111000 01100100 01011111 01110000 11000011 10111000 01101100 01110011 01100101 00110001 00111001 00110011 00110000 00100000 01010010 11000011 10111000 01100100 01011111 01110000 11000011 10111000 01101100 01110011 01100101 00110001 00111001 00110011 00110000 00100000 01010010 11000011 10111000 01100100 01011111 01110000 11000011 10111000 01101100 01110011 01100101 00110001 00111001 00110011 00110000 00100000 01010010 11000011 10111000 01100100 01011111 01110000 11000011 10111000 01101100 01110011 01100101 00110001 00111001 00110011 00110000 00100000 01010010 11000011 10111000 01100100 01011111 01110000 11000011 10111000 01101100 01110011 01100101 00110001 00111001 00110011 00110000 00100000 01010010 11000011 10111000 01100100 01011111 01110000 11000011 10111000 01101100 01110011 01100101 00110001 00111001 00110011 00110000 00100000 01010010 11000011 10111000 01100100 01011111 01110000 11000011 10111000 01101100 01110011 01100101 00110001 00111001 00110011 00110000 00100000 01010010 11000011 10111000 01100100 01011111 01110000 11000011 10111000 01101100 01110011 01100101 00110001 00111001 00110011 00110000

Rød_pølse1930

1
2
3

SXQncyBteSBsaWZlIDEyMyEgSXQncyBteSBsaWZlIDEyMyEgSXQncyBteSBsaWZlIDEyMyEgSXQncyBteSBsaWZlIDEyMyEgSXQncyBteSBsaWZlIDEyMyEgSXQncyBteSBsaWZlIDEyMyEgSXQncyBteSBsaWZlIDEyMyEg 

It's my life 123!

分析流量包是802.11 无线流量先使用 Aircrack-ng 爆破无线密码使用的是 rockyou.txt 字典爆破成功密码是 1234567812345678

1	`aircrack-ng -w rockyou.txt IKKE_Bageribanditterne_24GHz.cap`

使用 airdecap-ng 解密流量 SSID 在Wireshark中能看到 IKKE_ Bageribanditterne

1	`airdecap-ng -p 1234567812345678 -e "IKKE_ Bageribanditterne" IKKE_Bageribanditterne_24GHz.cap`

得到解密流量

没有更多信息发现

Motangreppet (del 2)-`Nätverk`

题目:

链接：https://pan.baidu.com/s/17Q_zoLAyYF5T0HrBjPz-Rg?pwd=s725

解题:未解出

Wireshark 打开流量包

追踪TCP流在16处流发现FTP 文件传输

文件->导出对象->FTP-DATA->全部保存

privat_ikke_tjek.pdf 加密了对 mp3 进行音转文和翻译发现交谈中说到密码

from openai import OpenAI

client = OpenAI(api_key="sk-proj-xxxxxx")

audio_file = open(r"DoughDial_Recording_20240617113812_DK.mp3", "rb")  # AU处理截取对话语音进行转写 提高准确度
transcription = client.audio.transcriptions.create(
    model="whisper-1",
    file=audio_file
)
print(transcription.text)

''' 完整语音
This conversation has been recorded with DoughDial, the trial version of the ultimate baking-themed recording app.Just like a perfectly baked cake, we've captured every layer of your chat.Upgrade now to enjoy your recordings without interruptions. DoughDial. Where every conversation is a treat. 
Hi, this is Tør. Hi Tør, this is Nicoletta Cluetta. Oh, hi Nicoletta. Nice to hear from you. How are you? I'm fine, thanks for asking. How are you? I'm fine. Speaking of wiener bread, you know the code to the secret folder with the inscription on it, right? Definitely. It's mylife123. No, no, that's wrong. The code is wienerbred1800, but with an o instead of an Ø. Okay, wienerbred1800.   But I think my code was better. That was bad. Well, I have to go now. Bye. Okay, me too. Bye. 
This conversation has been recorded with DoughDial,the trial version of the ultimate baking-themed recording app. Just like a perfectly baked cake, we've captured every layer of your chat.Upgrade now to enjoy your recordings without interruptions. DoughDial. Where every conversation is a treat.
'''

''' 对话语音
Hej, det er Tørre.
Hej Tørre, det er Nicoletta Cluetta.
Nå, hej Nicoletta. Dejligt at høre fra dig. Hvordan har du det?
Jeg har det fint, tak fordi du spørger. Hvordan har du det? 
Jeg har det vinergodt.
Apropos vinerbrød. Du kender koden til den hemmelige mappe med opskriften på chefskredet, ikke?
Helt sikkert. Det er it's my life 123. 
Nej, nej.
Det er helt forkert. Koden er vinerbrød 1800, men med et o i stedet for ø.
Okay, vinerbrød 1800. Men jeg synes min kode var bedre. Den var dårlig. 
Nå, men jeg skal smutte nu. Hej. 
Okay, mig også. Hej.
'''

''' 中文翻译
嗨，我是托雷。
嗨，托雷，我是尼科莱塔·克卢埃塔。
哦，嗨，尼科莱塔。很高兴听到你的声音。你怎么样？
我很好，谢谢你的关心。你呢？
我感觉非常好。
说到丹麦糕点，你知道那个包含秘密食谜的文件夹的密码吗？
当然。密码是 it's my life 123。
不，不是的。
那完全错了。密码是 vinerbrød 1800，但是用 o 替换 ø。
好的，vinerbrød 1800。但我觉得我的密码更好。它很糟糕。
哦，我现在得走了。再见。
好的，我也是。再见。
'''

vinerbrod 1800 各种尝试密码还是不对

$pdf$5*6*256*-1028*1*16*44c9b1fe9a07f04096ad3169c3ee54aa*127*8159a62124d5702d268d64174a33a452e6be15d41ed7c2a76fbd0211becaa320000f2557dae4240e4b4e6ac9187336da00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000*127*9045816e1dd5e9f647ecf850cc9101be9b97307a886a01e7d6efc70251104ce73050c3b27e0df3ddaf796b140e7fc86a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000*32*fd0f1cc8ae2d136e00e791646ccaf0c06b975852e382d20d73fc6985fd301603*32*29c9cb88350d23026ce7f4a060db241d7cb62f718c11728e6bd34d67d2e1ad8c

CTF

#CTF #Kryptokaffe

n00bzCTF-2024 Writeup 上一篇

ImaginaryCTF-2024 Writeup 下一篇

Kryptokaffe 2024 Writeup

Kryptokaffe CTF 2024

Chokladboll

Quizmästaren-webb

418-webb

Rymdresan-webb

Reklamfilmen-Forensik

Målarboken-Forensik

Geniet-Nätverk

Sommargåvan-Kryptografi

Receptsystemet-Reverse

Låtbidraget-Forensik

Motangreppet (del 1)-Nätverk

Motangreppet (del 2)-Nätverk