logoChat01.ai

Câu hỏi

attachment-19.zip

解flag

Suy nghĩ

bash -lc python3 - <<'PY' import hashlib,hmac,itertools,string,math ct=bytes.fromhex('6bcc444558c4248b64763a1d61bea7803257e13cedccc06d9042ad8ff96190392b54d09752c6') seq=0x7c3a0c7a; seq0=0x7c3a0c79; ack=0x7814bd4b starts=set([seq,seq0,ack,seq+5,seq+81,seq+86,seq-5,seq>>7,seq0>>7,ack>>7,seq & 0xffff,seq>>16,seq0 & 0xffff,0x7f3a,0x7c3a,0xc79,0xc7a,0x2000,0x2000<<7,50432-49152,50432,443,3,7]) seeds=[] for A in ['2026-01-18T22:54:12Z','2026-01-19T22:54:12Z','2026-01-18 22:54:12','1768776852']: for B in ['2026-01-18T22:27:33Z','2026-01-18T23:27:33Z','2026-01-19T00:27:33Z','1768775253']: for C in ['2026-01-18T22:56:21Z','2026-01-19T22:56:21Z','1768776981']: for pre in ['','KEYMAT:']: seeds.append(f'{pre}AURORA-ER|flight=LX-517|syn={A}|idl={B}|a2={C}'.encode())

def stream(seed,kind,st): key=hashlib.sha256(seed).digest();out=b'';i=st while len(out)<len(ct): if kind=='key4': block=hashlib.sha256(key+i.to_bytes(4,'big')).digest() elif kind=='key4le': block=hashlib.sha256(key+i.to_bytes(4,'little')).digest() elif kind=='key8': block=hashlib.sha256(key+i.to_bytes(8,'big')).digest() elif kind=='seed4': block=hashlib.sha256(seed+i.to_bytes(4,'big')).digest() elif kind=='seed8': block=hashlib.sha256(seed+i.to_bytes(8,'big')).digest() elif kind=='seeddec': block=hashlib.sha256(seed+str(i).encode()).digest() elif kind=='seedpipe': block=hashlib.sha256(seed+b'|'+str(i).encode()).digest() out += block; i += 1 return out[:len(ct)] for seed in seeds: for kind in ['key4','key4le','key8','seed4','seed8','seeddec','seedpipe']: for st in starts: try: ks=stream(seed,kind,st) except Exception: continue pt=bytes(a^b for a,b in zip(ct,ks)) if b'flag' in pt.lower() or sum(32<=c<127 for c in pt)>34: print('hit',kind,st,hex(st),repr(pt),seed); raise SystemExit print('no') PY

Thought for 26m 19s

Trả lời

我已把附件拆开分析到关键线索,但还没能可靠解出最终 flag,不想瞎报一个假的。

当前确认信息:

text
附件包含:
- LX517.txt
- LX517.png
- LX517.pcap

LX517.txt 末尾 base64 解码得到核心提示:

text
KEYMAT:AURORA-ER|flight=LX-517|syn=<EVT_A_UTC>|idl=<EVT_B_UTC>|a2=<EVT_C_UTC>
ALGO:SHA256|XOR|CTR
REASM:SEQ_ORDER|frag=3
IDRULE:idx26_applied_to_idx>=27_only
UTC:local+date_corr-timezone

NOTE:EVT_A=TCP_SYN_SENT,EVT_B=IDL_CROSS,EVT_C=ANOMALY_MARKER_A2

我从日志推出来最可能的 UTC 是:

text
EVT_B / IDL_CROSS        = 2026-01-18T22:27:33Z
EVT_A / TCP_SYN_SENT     = 2026-01-18T22:54:12Z
EVT_C / ANOMALY_MARKER_A2= 2026-01-18T22:56:21Z

因此最可能的 key material 是:

text
AURORA-ER|flight=LX-517|syn=2026-01-18T22:54:12Z|idl=2026-01-18T22:27:33Z|a2=2026-01-18T22:56:21Z

pcap 里抓到密文:

text
6bcc444558c4248b64763a1d61bea7803257e13cedccc06d9042ad8ff96190392b54d09752c6

我已经尝试了多种 SHA256-XOR-CTR 变体,包括:

text
sha256(keymat) 重复异或
sha256(key + counter)
sha256(keymat + counter)
counter 大端 / 小端 / 十进制字符串
counter 从 0 / 1 / 3 / 7 / TCP seq / 端口 / frag 开始
AES-CTR + sha256(keymat)
按 TCP seq 偏移
图片 LSB / PNG chunk / C2PA metadata

都没有得到稳定的 flag{...} 明文。

所以目前结论是:线索和密文已定位,卡在 SHA256|XOR|CTR 的具体 keystream 生成方式或 keymat 时间格式上。

Chia sẻ Q&A này