Kuri's Blog

large picture of the cover

[Writeup] WHUCTF 2025 Misc

战绩

AK了,整体难度不是很高(比起XYCTF逆天的Python pwn确实低到不知道哪里去了),感谢队友感谢队友感谢队友(博主自己只做了一道)

行星防御理事会

听音频知SSTV,输入软件得到图像:

图像中有Passwd: 2024-YR4

用此passwd对音频进行解密(deepsound),得到secret.zip,再用此passwd对压缩包解压,得到QR_modified.png和script.py

后续:@Dicaeopolis

通过观察这个脚本可以发现rotate函数传入了两个参数m和arr,观察修改后的二维码,数格子数出来它是由原二维码进行5x5分块之后,每一分块进行旋转再拼合后的结果,于是只需要旋转回来即可。

(搞错方向导致旋转了3次才出正确结果……)

然后扫码即可得到flag:WHUCTF{much_ado_about_nothing}

[签到]益智游戏

By:rhzhrhzhr

part1:数独

直接上求解器,再上行列式计算器

25770150*81=2087382150,以此为密码解压缩包得到flag1:

WHUCTF{Little_games_reall

Part2:数织

同样上求解器

然后二进制转十进制得key:(忘记这里的key是多少了),再解包得flag2:

y_train_your_brain_&_play

part3:鬼脚图

由于学长算错了key,所以此部分忽略

(后编:参考鬼脚图笔记 | 独奏の小屋这篇文章就行) 

三部分连起来即得flag:

WHUCTF{Little_games_really_train_your_brain_&_play_more_in_cn.puzzle_website}

青轴还是红轴

By:rhzhrhzhr

先用length筛选出带有usbhid.data的条目:

再将其导出为JSON文件。

然后过脚本,提取出usbhid.data数据:

import json

# 1. 读取JSON文件
input_file = "./2.json"  # 替换为你的JSON文件路径
output_file = "./usbhid_data2.txt"  # 保存提取结果的文件路径

with open(input_file, "r", encoding="utf-8") as f:
    data = json.load(f)  # 加载JSON数据

# 2. 提取所有usbhid.data值
usbhid_data_values = []
for item in data:
    if "_source" in item and "layers" in item["_source"] and "usbhid.data" in item["_source"]["layers"]:
        usbhid_data_values.append(item["_source"]["layers"]["usbhid.data"])

# 3. 保存到新文件
with open(output_file, "w", encoding="utf-8") as f:
    for value in usbhid_data_values:
        f.write(value + "\n")  # 每个值写入一行

print(f"提取完成,结果已保存到 {output_file}")

再将usbhid.data数据用脚本转化为键值,进而转换为对应的按键:

#!/usr/bin/env python
# -*- coding:utf-8 -*-
 
normalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e", "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j", "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o", "13":"p", "14":"q", "15":"r", "16":"s", "17":"t", "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y", "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4", "22":"5", "23":"6","24":"7","25":"8","26":"9","27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\","32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".","38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
shiftKeys = {"04":"A", "05":"B", "06":"C", "07":"D", "08":"E", "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J", "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O", "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T", "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y", "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$", "22":"%", "23":"^","24":"&","25":"*","26":"(","27":")","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":"\"","34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
output = []
keys = open('atta.txt',encoding='utf-8')#提取出来的usbdata.txt文件
for line in keys:
    try:
        if line[0]!='0' or (line[1]!='0' and line[1]!='2') or line[3]!='0' or line[4]!='0' or line[9]!='0' or line[10]!='0' or line[12]!='0' or line[13]!='0' or line[15]!='0' or line[16]!='0' or line[18]!='0' or line[19]!='0' or line[21]!='0' or line[22]!='0' or line[6:8]=="00":
             continue
        if line[6:8] in normalKeys.keys():
            output += [[normalKeys[line[6:8]]],[shiftKeys[line[6:8]]]][line[1]=='2']
        else:
            output += ['[unknown]']
    except:
        pass
keys.close()
 
flag=0
print("".join(output))
for i in range(len(output)):
    try:
        a=output.index('<DEL>')
        del output[a]
        del output[a-1]
    except:
        pass
for i in range(len(output)):
    try:
        if output[i]=="<CAP>":
            flag+=1
            output.pop(i)
            if flag==2:
                flag=0
        if flag!=0:
            output[i]=output[i].upper()
    except:
        pass
print ('output :' + "".join(output))

得到按键信息:IJNIOKJ TFCFG FGTRDCV IUHBGHJ JKIUHNM YGVGH_IJNJKMN UHBN TGBNJUJM GHYTFVB_FGHYGVB YGBNJU_ [DEL]ESZSD DFRESXC HGVBHUHB_UYHBV DCFVG HBU HJKIJNM UYGBN ESZSDX(处理时[DEL]与前面的空格抵消)

根据键盘上的按键位置(就是把键盘当画布)画出轨迹得到flag:whuctf{prefer_blue_to_red_switch}

哪里有文档

哪有什么大学生活,都是被樱花季的游客创死前的幻想罢了。 哪有什么CTF新生赛,都是被帽子叔叔带走前的幻想罢了。

By:Kuri

前四个Part都可以解压+全局搜索或者直接打开文档找出来:

(上图隐藏部分可以直接复制,内容是part2: yM6Jm95peg5qW86bii5LmL5b2w77yM5Lqm5oql5Lul55WF55yL54Ca5rC077yM5rGC5bCG5Li)

第五个Part主要是有个矛盾:启用宏会导致弹窗关不掉,无法进行后续操作;不启用宏会导致无法编辑

于是我们把word/vbaData.xml中的这段删除,禁用自动启动的宏(后编:可以用工具提取,而且WPS好像可以直接看):

然后进入宏编辑器,愉快地拿到第五段:

拼接,Base64解码:

然后页脚处有一行小字

提示我们去找Abracadabra encoder,搜索发现一个开源项目:

丢进去解密(解码)就行:

~(∠+,ω<)⌒☆

by Dicaeopolis

题目告诉我们只能用上面这些字符来构造数字,但其实真正有用的运算符只有(),+<这五个。由于a<a恒为假,考虑构造0=(()<()),1=(()<((),))。然后就是表示得到的数字的二进制咯。因为目前只有<<(左移)可用,所以考虑从高位往低位扫,每新读入一位就往后面移一位,然后视情况加一。

放进交互脚本里面跑得到一个key。

考虑到题目交互时问的数都是0~255以内的,并且给出了一个5字节的16进制key,考虑两者异或一下:

这题是个算法题(逃

个性签名是啥,好吃吗?

site logo

Hi,Friend

© 2025 Kuri's Blog