Adworld - Misc文件類型

Posted on | Post modified | In |

Adworld - Misc文件類型

Source Code

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
 
3436455341425F554573444242514141
41414941416C64434658714F7737634B
4141414143594141414149414141415A
6D78685A7935306548524C79306C4D72
7A5A49536B303253457778546B6B304D
6A5130546A593353445531534573784E
544D3054374A494E552B7A7241554155
45734241685141464141414141674143
56304956656F374474776F414141414A
674141414167414A4141414141414141
414167414141414141414141475A7359
57637564486830436741674141414141
41414241426741477845666B39697132
41456245522B54324B725941514A462B
34725971746742554573464267414141
41414241414541576741414145344141
4141414141

Recon

這一題有一點通靈,沒有很喜歡

  1. 首先給的cipher很明顯是ascii的hex
  2. 轉換過後也很明顯是base64
  3. 在轉換過後,只有底線後面的部分要轉換成hex
  4. 如果把東西print出來的話會看到flag.txt的字樣,感覺上是一個file的byte code,到file signature去看會發現magic header是一個zip file,uncompress之後就會發現flag.txt

Exploit

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
 
import base64

cipher = "3436455341425F55457344424251414141414941416C64434658714F7737634B4141414143594141414149414141415A6D78685A7935306548524C79306C4D727A5A49536B303253457778546B6B304D6A5130546A593353445531534573784E544D3054374A494E552B7A72415541554573424168514146414141414167414356304956656F374474776F414141414A674141414167414A4141414141414141414167414141414141414141475A73595763756448683043674167414141414141414241426741477845666B3969713241456245522B54324B725941514A462B34725971746742554573464267414141414142414145415767414141453441414141414141"

cipher = bytes.fromhex(cipher).decode('utf-8').split("_")[1]
cipher = base64.b64decode(cipher + "==")

f = open("./cipher.zip", "wb")
f.write(cipher)
f.close()


import zipfile
with zipfile.ZipFile('./cipher.zip', 'r') as zip_ref:
    zip_ref.extractall('./')
f = open('./flag.txt', 'r').read()
print(f)

1
2
 
$ python exp.py
flag{0bec0ad3da2113c70e50fd5617b8e7f9}

Reference

XCTF-MISC-Misc文件類型