梨花杯2026-misc

2026年06月01日 CTF 赛题wp

题目

尾巴里的压缩包

题目提示说图片尾部有多余数据，直接binwalk提取得到zip文件直接解压

打开flag.txt得到flag

1	LHFLAG{tail_zip_webp_9f3a7c2b6e}

你知道CRC吗？

很明显图片的宽高有问题，随波逐流得到修复后的图片

1	LHFLAG{IHDR_CRC_3E8C7A9D}

保密为人民，保密靠人民

直接导出zip文件

解压后在capture_notes文件夹中的flag.txt得到flag

1	LHFLAG{tcp_stream_rebuild_http_export_8f3c2a7d}

网络安全无小事

题目说了DNS和ICMP存在异常信号，所以先分开来分析，先分析ICMP，看请求包和返回包共3种
一下几种

会发现第三种中存在异常数据

1	seq=001;data=6nyxjl2o

猜测是异常数据，于是直接搜索seq字段吧所有都找出来，就不一一展示了
最终得到

seq001: 6nyxjl2o
seq003: zywyrt6n
seq005: zyxuwljk
seq007: znf43cjx
seq009: vqcqa5oy

再分析DNS流量包，翻找到异常数据

搜索s0找到所有数据，最终得到

s000: pcoph4lq
s002: zevy5t2m
s004: vree3ckp
s006: rfh44sgm
s008: j63eym2k
s010: cc7q

按照数字顺序把他们拼接起来

1	pcoph4lq6nyxjl2ozevy5t2mzywyrt6nvree3ckpzyxuwljkrfh44sgmznf43cjxj63eym2kvqcqa5oycc7q

然后Base32 decode+zlib decompress得到flag

import base64
import zlib
dns_chunks = [
    "pcoph4lq", 
    "zevy5t2m",  
    "vree3ckp",  
    "rfh44sgm", 
    "j63eym2k",   
    "cc7q",       
]
icmp_chunks = [
    "6nyxjl2o",  
    "zywyrt6n",   
    "zyxuwljk",  
    "znf43cjx",   
    "vqcqa5oy",   
]

combined_chunks = []
for i in range(max(len(dns_chunks), len(icmp_chunks))):
    if i < len(dns_chunks):
        combined_chunks.append(dns_chunks[i])
    if i < len(icmp_chunks):
        combined_chunks.append(icmp_chunks[i])

print(f"[1] 交错组装 {len(combined_chunks)} 个片段:")
for i, chunk in enumerate(combined_chunks):
    print(f"    [{i:2d}] {chunk}")

decoded_bytes = b""
for chunk in combined_chunks:
    chunk_upper = chunk.upper()
    padding = (8 - len(chunk_upper) % 8) % 8
    padded = chunk_upper + "=" * padding
    decoded = base64.b32decode(padded)
    decoded_bytes += decoded

print(f"\n[2] Base32 解码 → {len(decoded_bytes)} bytes (zlib compressed)")
print(f"    hex: {decoded_bytes.hex()}")
flag = zlib.decompress(decoded_bytes)
print(f"\n[3] zlib 解压 → {len(flag)} bytes")
print(f"\n{'='*60}")
print(f"  Flag: {flag.decode()}")
print(f"{'='*60}")

1	LHFLAG{dns_icmp_mixed_covert_channel_7c9f2a}

夜航日志

既然是4个日志分析，按照题意应该是flag分成了4个隐藏在4个log中
手搓的话不太好分析攻击路径，日志太大了，但是可以先猜测flag形式，先把LHFLAG格式转化为base64(TEhGTEFH)编码尝试搜索一下
可以在app.log中找到

由此锁定了ip:203.0.113.45

再次搜索

会发现更多数据，而且有phase”:2,”checkpoint”:”的后面都会有疑似base64编码的数据
全部提取出来

{"ts":"2026-05-13T02:14:40+08:00","level":"WARN","event":"file_download","ip":"203.0.113.45","rid":"atk675a43ca67dc","path":"/download?file=../../../../var/www/app/.env","normalized":"/srv/app/.env","decision":"allowed_by_legacy_rule","forensic_phase":1,"checkpoint":"TEhGTEFH"}

{"ts":"2026-05-13T02:15:37+08:00","level":"WARN","event":"file_download","ip":"203.0.113.45","rid":"atk8b20fa9e0cd7","path":"/download?file=../../../../var/log/nginx/access.log","normalized":"/var/log/nginx/access.log","decision":"allowed_by_legacy_rule","forensic_phase":2,"checkpoint":"e2xvZ190"}

{"ts":"2026-05-13T02:17:26+08:00","level":"WARN","event":"login_audit","ip":"203.0.113.45","user":"admin","result":"success","rid":"atke79048da6801","session":"s-9f2b7c-admin","reason":"remember_token","forensic_phase":3,"checkpoint":"aW1lbGlu"}

{"ts":"2026-05-13T02:19:07+08:00","level":"ERROR","event":"plugin_upload","ip":"203.0.113.45","user":"admin","rid":"atk5df9e187db8c","session":"s-9f2b7c-admin","filename":"q2_report.php","mime":"application/x-php","sha256":"4159c7982d73b224ed6192d2eb5f58f2d1fdcfe0db37b1e96a9bad47d11c2135","forensic_phase":4,"checkpoint":"ZV9pcF9j"}

{"ts":"2026-05-13T02:21:30+08:00","level":"WARN","event":"admin_export","ip":"198.51.100.211","user":"admin","rid":"atk3bf93ba5330b","session":"s-9f2b7c-admin","scope":"users","bytes":87391,"forensic_phase":5,"checkpoint":"aGFpbl83"}

{"ts":"2026-05-13T02:22:46+08:00","level":"WARN","event":"backup_sync","ip":"198.51.100.211","user":"admin","rid":"atkc1da5b28db47","session":"s-9f2b7c-admin","dest":"s3://night-archive/tmp","note":"same session moved to second IP","forensic_phase":6,"checkpoint":"YzkyYTRm"}

{"ts":"2026-05-13T02:23:45+08:00","level":"WARN","event":"admin_audit_download","ip":"198.51.100.211","user":"admin","rid":"atk5b698d0ef7c5","session":"s-9f2b7c-admin","rows":4312,"forensic_phase":7,"checkpoint":"MX0="}

拼接一下字符

1	TEhGTEFHe2xvZ190aW1lbGluZV9pcF9jaGFpbl83YzkyYTRmMX0=

base64解码后得到flag

1	LHFLAG{log_timeline_ip_chain_7c92a4f1}

文章分类

文章归档

最新文章