比赛地址：CTF@CIT 2025

比赛时间：26 Apr 2025 05:00 CST - 28 Apr 2025 03:00 CST

Misc

Blank Image

Challenge

I was gonna make a really cool challenge but then I literally forgot about it so all I have is this blank image. Good luck!

Solution

LSB 隐写

🚩CIT{n1F0Rsm0Er40}

I AM Steve

Challenge

You were supposed to be a hero, Brian!

SHA256: 01b3dbe5d8801adf27a9bb779d85ef4c8881905544642fbdbdd41e54e4d0ae5e

Solution

其实还是 LSB 隐写

1VEhJU19pc19hX2NyYWZ0aW5nX3RhYmxl

多了一步 base64 解码罢了

🚩CIT{THIS_is_a_crafting_table}

sw0906

Challenge

Deceive you, the bytes do. Look deeper, you must.

SHA256: b3ca30e35e55e20406c278eb5accdb78ef028b001837f2bfaadda5760943f7f3

Solution

不知道是什么二进制文件，用 010 打开

文件头估计是被改过看不出来，但是文件尾是熟悉的 FF D9 ，推测这是一张 .jpg 文件

从这里可以很轻易地看出来每四个字节经过了一次反转，写一个脚本把它们还原

1def reverse_every_4_bytes(input_file, output_file):2    with open(input_file, 'rb') as f:3        data = f.read()4 5    # 将数据转换为字节数组以便修改6    byte_array = bytearray(data)7 8    # 每4个字节进行反转9    for i in range(0, len(byte_array), 4):10        chunk = byte_array[i:i+4]11        # 反转当前4字节的块12        reversed_chunk = chunk[::-1]13        # 将反转后的块放回原位置14        byte_array[i:i+4] = reversed_chunk15 16    with open(output_file, 'wb') as f:17        f.write(byte_array)18 19input_filename = "yoda"20output_filename = "yoda.jpg"21reverse_every_4_bytes(input_filename, output_filename)

🚩CIT{h1dd3n_n0_m0r3_1t_i5}

Forensics

Brainrot Quiz!

Challenge

Bombardiro Crocodillo or…? You find out…

SHA256: e5f5d4e97506233266904e460fdfea4fc3ce2bf1542dc122283835c545fb8516

Solution

打开题目给的流量包，发现里面很多大小写字母和数字混杂的内容，看着像 base64 编码，先试试看搜索 ==

只有第11行符合条件，内容是

1Q0lUe3RyNGw0bDNyMF90cjRsNGw0fQ==

复制下来解码

🚩CIT{tr4l4l3r0_tr4l4l4}

True CTF Love

Challenge

I got this strange email from another CTF participant not too long ago. I am just not sure what they mean by this…

Do you love CTFs as much as they do?

SHA256: 07cb654ce87444f158a52228848eb4eb501738913dfca44a2f227fb73ee9ed4b

Solution

在这封电子邮件的 DKIM（DomainKeys Identified Mail）签名部分发现了端倪

1DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=waifu.club; s=mail;2	t=1745339340; bh=HSq3Fk4UngoT3615kRTwX9TQfq9o0GNk3L5esFLg2e4=;3	h=Date:From:To:Subject:From;4	b=e65uxTcZ2s8RKde5x7GoMWDhM27qMUa2vpmCC6uPR/kCsC5Tl1lgVNCik9TBiIn7x5	 ThMSG0m17ElJR+eQ3IFACqhDjoJkCdLo+iYAwvx4Go1OOYUYRx7dn7tUisIKy2p7Ns6	 DjJMauF8H1fwIpO6kFZKUPiPescPp6mBJIWBOARUNxRSSReBJv+B8GibZJbN4c64c07	 wOVpmrc1P3sGs/K1i8sjzcHVJyNdBBV2e71n5gJFfbo5EkM/HSmba8Vvfdg2BGkVaY8	 OriRs9vs5+XwV8v9stPhL48avJipOSz1ykfbXW3//QZYpAOGyQz8lhE2cek5YLJulB9	 yO/Pz8vtbkwjA==10	b=V293LCB3aGF0IGEgYmVhdXRpZnVsIGxpdHRsZSBwb2VtLiBJIGFsbW9zdCBzaGVkI11	 GEgdGVhciByZWFkaW5nIHRoYXQuIEhvcGVmdWxseSB5b3UgbGVhcm5lZCBtb3JlIGFi12	 b3V0IGVtYWlsIGhlYWRlcnMuIEJ1dCBzZXJpb3VzbHksIGl0IGdldHMgbWUgd29uZGV13	 yaW5nLi4uIGRvIHlvdSBsb3ZlIENURnMgYXMgbXVjaCBhcyB0aGV5IGRvPwoKQ0lUe214	 lfbDB2M19jdGYkX3QwMH0=

b=... 是由私钥加密生成的实际的签名值，但第 2 个 b 可不是，这是藏有 flag 的一段文本经过 base64 编码后的字符串

🚩CIT{i_l0v3_ctf$_t00}

We lost the flag

Challenge

Sorry everyone, we unfortunately lost the flag for this challenge.

SHA256: d1058ed414e6e45f4d2c7cc41baf73b3778a80be18cdf2d6470348c72ab01dfd

Solution

直接打开发现文件受损了，于是用 010 打开看看是怎么回事

看到 JFIF 说明这本该是 .jpg 文件，所以第一步先把后缀改一下

此时文件还是损坏的，因为文件头还是不对，要把文件头改成 jpg 的 FF D8 DD E0

然后就可以打开了

🚩CIT{us1ng_m4g1c_1t_s33m5}

Bits ‘n Pieces

Challenge

Somewhere in these digital fragments lies what you’ve been searching for your entire lifetime, or really just this weekend ;)

SHA256: 4b52731748484ecaa9ba3a5c8ec455675c78d0e3f8ac349a2a54e5e1f0cbb2a1

Solution

先用 010 打开查看这个二进制文件是什么

发现这是RDP（远程桌面协议）位图缓存，搜索找到了两个工具ANSSI-FR/bmc-tools和BSI-Bund/RdpCacheStitcher

现在当前目录下新建一个文件夹，将其命名为 Cache ，然后运行以下命令来使用 bmc-tools 复原图片

1python bmc-tools.py -s "Cache0000.bin" -d .\Cache

运行后会得到 2992 个图片碎块，接下来使用 RdpCacheStitcher 把它们拼接起来

🚩CIT{c4ch3_m3_if_y0u_c4n}

OSINT

No Country for Old Keys

Challenge

What is Anthony McConnolly’s API key?

Solution

经过搜索 Anthony McConnolly 可以找到这个仓库antmcconn/ai-web-browser

在这条 commit 记录Comparing 3e4b4a03e2ff193706b66afe09fcf827b63727f1…806376a8850cc1edfc0d7d94a4f8ff6272483f0d · antmcconn/ai-web-browser找到 api

🚩CIT{ap9gt04qtxcqfin9}

The Domain Always Resolves Twice

Challenge

What is Anthony McConnolly’s favorite domain registrar?

Solution

经过搜索 Anthony McConnolly 可以找到这个帖子#pentesting #cybersecurity #learning #infosec #ethicalhacking | Anthony McConnolly

whois 查询这个域名Whois ippsec.rocks

🚩CIT{GoDaddy.com, LLC}