1. WELCOME_TO_TSCTF
The password is given; open the article and enter the password to get:
No, it's almost done.
2. ZIP Archive Pseudo-encryption
The archive asks for a password, but on inspection it turns out to be pseudo-encrypted. Check the structure of the ZIP: the contents are stored in clear text, but the encryption flag in the directory at the end of the file is 09. Change it to 00 and the archive opens. Then open the logo image, load it into Stegsolve and analyze the frames to get:
or analyze it directly with Binwalk, I'm not going to
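The flag check from section 2, as an added example that is not part of the original writeup: it walks the central directory, clears only bit 0 of the general-purpose flag (so 09 becomes 08 rather than overwriting the whole word with 00), and confirms pseudo-encryption by CRC-testing the patched archive. The function names and the sample archive are constructed for illustration; ZIP64 archives are not handled.

```python
import io
import struct
import zipfile
import zlib

EOCD_SIG, CDFH_SIG, LFH_SIG = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"

def clear_encrypted_flag(data):
    """Clear bit 0 (encrypted) of the flag word in each central directory
    entry and its local header. Returns (patched bytes, names changed)."""
    buf = bytearray(data)
    eocd = buf.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, = struct.unpack_from("<H", buf, eocd + 10)   # total entries
    pos, = struct.unpack_from("<I", buf, eocd + 16)     # directory offset
    changed = []
    for _ in range(count):
        if buf[pos:pos + 4] != CDFH_SIG:
            raise ValueError("bad central directory entry")
        flag, = struct.unpack_from("<H", buf, pos + 8)
        n, m, k = struct.unpack_from("<HHH", buf, pos + 28)  # name/extra/comment
        lfh, = struct.unpack_from("<I", buf, pos + 42)       # local header offset
        if flag & 1:
            struct.pack_into("<H", buf, pos + 8, flag & ~1)
            changed.append(bytes(buf[pos + 46:pos + 46 + n]).decode("cp437"))
        if buf[lfh:lfh + 4] == LFH_SIG:
            lflag, = struct.unpack_from("<H", buf, lfh + 6)
            struct.pack_into("<H", buf, lfh + 6, lflag & ~1)
        pos += 46 + n + m + k
    return bytes(buf), changed

def is_pseudo_encrypted(data):
    """True if entries are flagged encrypted but pass CRC with the flag cleared."""
    patched, changed = clear_encrypted_flag(data)
    if not changed:
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(patched)) as zf:
            return zf.testzip() is None
    except (zipfile.BadZipFile, zlib.error):
        return False  # data really is encrypted (or damaged)

def make_sample():
    """Constructed sample: plain archive with 0x0009 forced into the directory flag."""
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("logo.txt", "constructed sample content")
    raw = bytearray(bio.getvalue())
    struct.pack_into("<H", raw, raw.rfind(CDFH_SIG) + 8, 0x0009)
    return bytes(raw)
```

A genuinely encrypted archive fails the CRC test after patching, so `is_pseudo_encrypted` returns False for it instead of producing garbage output.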
3. My moral integrity to the ground
A jigsaw puzzle of a QR code.
A teammate restored it with PS, which I thought was awesome. But at first thought that there are two pieces is a puzzle block, not, after all, more than two pieces to spell a square. It could not be scanned.
Then we thought about it and generated a QR code from some text with a QR code generator.
Comparing the two, we found that the parts inside the red circles were present, but the three boxes in the corners were not, so we filled them in manually!
This isn't exactly six bucks.
4. Text watermarking algorithm
Two passages of text of the same length that differ in some places; you get the idea.
After extracting the differing places (one is 0, the other is 1; test which is which yourself), oops, there is an equals sign, so what else, quickly try base64! Wrong...
Later a teammate found it was Base32. My heart collapsed.
5. Packet Analysis Question
First, let me introduce an awesome tool, assembledfiles, which my teammate used; I do not know how to use it. With it you get a lot of interesting information.
Further analysis found many packets exchanged between www.tsctf.com and our IP, all of them ICMP. Putting all the ICMP packets together, we found gong teacher speaking, followed by a bunch of packets that look a bit like base64. We extracted them with Wireshark and wrote a program to restore the data; incredibly, the result is a program. We were left wondering what this program was for, so we analyzed the packet data further and found compressed archives inside, one with a password and one without, which was very strange! It turned out to be a known-plaintext attack, done with ARCHPR.
Decrypted (click the lock icon at the top and the decrypted file is generated automatically):
As for what it means: the third step is to find the symbols in front, then search for the symbols behind, and join the results in order; a symbol preceded by a space is 1, and one with no space is 0.
Then you get a hint and know what the program is: clearly it is text information hiding. Orz
01 -> hex -> ASCII. Bingo.
(Reposted from Fight ~ TSCTF writeup)
The second TSCTF writeup and experience - misc