日期: 2025 年 4 月 17 日

2025能源网络安全大赛 | 发⚡组 Misc 部分writeup

为❤发⚡

alarm_clock

给了vmdk,取证一下恢复一个wav和一个压缩包

image

image

很明显是SSTV,

7b01c5563befbcf1f7f3248865339e4

解压后发现是

image

按照所给hint,按照时钟进行画图:

import matplotlib.pyplot as plt
import numpy as np

direction_map = {
    0: (0, 1),   
    1: (0.5, 0.5),  
    2: (1, 0.25),  
    3: (1, 0),  
    4: (0.5, -0.5),  
    5: (0.25, -1),   
    6: (0, -1),  
    7: (-0.5, -0.5), 
    8: (-1, -0.25),  
    9: (-1, 0),  
    10: (-0.5, 0.5), 
    11: (-0.25, 1)   
}

paths = [
    [3,3,3,3,9,9,6,6,6,0,0,0,0,1,1,5,5],
    ......
]

fig, ax = plt.subplots(figsize=(12, 8))
colors = plt.cm.tab10(np.linspace(0, 1, len(paths)))

for i, path in enumerate(paths):
    x, y = [0], [0]
    for d in path:
        dx, dy = direction_map[d]
        x.append(x[-1] + dx)
        y.append(y[-1] + dy)
    x = np.array(x) + i * 5
    y = np.array(y)
    ax.plot(x, y, color=colors[i], linewidth=2, label=f'Path {i+1}')

ax.set_aspect('equal')
ax.axis('off')
plt.title("Clock Direction Paths (Simplified)", fontsize=14)
plt.legend(loc='upper right', fontsize=8)
plt.tight_layout()
plt.show()

image

Bluetooth

观察流量包,发现是考L2CAP层协议解析,

image

提取一下Bluetooth L2CAP Payload

tshark -r Bluetooth.pcapng  -e "btl2cap.payload" -T fields > result.txt

image

发现result中长度34位里的数据只有后三位不一样,提取出来


def extract_third_last(filename):
    with open(filename, 'r', encoding='utf-8') as f:
        lines = f.readlines()

    result = []

    for line in lines:
        line = line.strip()
        if len(line) == 36:
            result.append(line[-3])

    return result

if __name__ == "__main__":
    filename = 'result.txt'
    chars = extract_third_last(filename)
    for ch in chars:
        print(ch)

image

发现只有 01248,0作为分隔符号,所以我们需要将0​批量替换为空然后利用正则:1 1 1​与1 1​是1,2 2 2​与 2 2​是2,4 4 4​与4 4​ 是4 ,8 8 8​与8 8​是8

import re

text = """
2 2 2    4 4 4    2 2 2    4 4 4
"""

result = re.sub(r'(\d)(?:\s\1){1,2}', r'\1', text)

print(result.strip())

转变为4进制,1替换成0,2替换成1,4替换成2,8替换成3

121212301201121313230......

按两位一组组合为四进制数,转换为十进制字符:

text = "121212301201121313230......"

# 每两个字符一组
pairs = [text[i:i+2] for i in range(0, len(text), 2)]

# 将每组视为4进制并转为10进制
decimal_values = [int(pair, 4) for pair in pairs]

print(decimal_values)
# [6, 6, 6, 12, 6, 1, 6, 7, 7, 11, ......]
def convert_numbers_to_custom_encoding(numbers):
    result = []
    for num in numbers:
        if 0 <= num <= 9:
            result.append(str(num))
        elif 10 <= num <= 15:
            result.append(chr(num - 10 + ord('A')))
        else:
            result.append('?')  # 这里用 '?' 表示无效数字
    return ''.join(result)

numbers = [6, 6, 6, 12, 6, 1, 6, 7, 7, 11, ......]

encoded_str = convert_numbers_to_custom_encoding(numbers)
print(encoded_str)
# 666C61677B......

image