BUU MISC(5_10-5_14)

[羊城杯 2020]image_rar

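binwalk shows that the file contains many archives. Changing the file extension to zip and extracting it gives a large pile of images; image 65 does not display, which suggests something is hidden in it.

It looks like an archive whose file header has been altered, so we change the header back to Rar! (52 61 72 21).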
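The header check and repair described above, as an added example that is not part of the original write-up. It recognises a RAR file by the signature bytes that follow "Rar!", so it also reports whether the archive is RAR4 or RAR5; the sample bytes and function names are constructed for illustration.

```python
RAR_MAGIC = b"Rar!"  # 52 61 72 21

# Bytes that follow "Rar!" in a complete RAR signature
RAR_TAILS = {b"\x1a\x07\x01\x00": "RAR5", b"\x1a\x07\x00": "RAR4"}


def rar_version_by_tail(data):
    """Identify a RAR archive from signature bytes 4 onward, ignoring bytes 0-3."""
    for tail, version in RAR_TAILS.items():
        if data[4:4 + len(tail)] == tail:
            return version
    return None


def repair_rar_header(data):
    """Return (version, repaired_bytes, was_tampered); version is None if not RAR."""
    version = rar_version_by_tail(data)
    if version is None:
        return None, data, False
    tampered = data[:4] != RAR_MAGIC
    return version, RAR_MAGIC + data[4:], tampered


# Constructed sample: a RAR5 signature whose first four bytes were overwritten.
# The bytes after the signature are placeholders, not a real archive body.
sample = b"\x00\x00\x00\x00\x1a\x07\x01\x00" + b"\x33\x92\xb5\xe5"

if __name__ == "__main__":
    version, fixed, tampered = repair_rar_header(sample)
    print(version, tampered, fixed[:8].hex(" "))
```

A RAR5 result here is consistent with the `$rar5$` hash that rar2john prints later in this section.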

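This gives a working archive, but it needs a password. Something was probably missed; looking back, the previous archive carries this information:

Archive password (6 characters): GWxxxx
You may need it later
Brute-forcing with AR did not seem to work, so a different approach: extract the hash with rar2john, then crack the hash with hashcat.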

step1:

kali@kali:~$ /usr/sbin/rar2john /home/kali/桌面/65.rar
/home/kali/桌面/65.rar:$rar5$16$a2dce3925af59efb2df9851dbfc24fb1$15$bb005ea8f91bf0356c8dddcfa41ac4cb$8$62293dc5e26e9e7f

step2:

hashcat -m 13000 -a 3 '$rar5$16$a2dce3925af59efb2df9851dbfc24fb1$15$bb005ea8f91bf0356c8dddcfa41ac4cb$8$62293dc5e26e9e7f' GW?a?a?a?a

This gives:
GW5!3#

Change it to a PNG and the flag appears:

GWHT{R3fresh_1s_so_Cool}

[羊城杯 2020]TCP_IP

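Identification: an identifying value assigned by the sender to aid in assembling the fragments of a datagram.

Something is hidden in the Identification field, so extract it: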

0x00000040
0x00000069
0x00000048
0x0000003c
0x0000002c
0x0000007b
0x0000002a
0x0000003b
0x0000006f
0x00000055
0x00000070
0x0000002f
0x00000069
0x0000006d
0x00000022
0x00000051
0x00000050

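First convert the values to characters:

import binascii

# data.txt holds one extracted Identification value per line, e.g. 0x00000040
flag = b""
with open('data.txt', 'r') as infile:
    for line in infile:
        line = line.strip()
        if line:
            # the last two hex digits (the low byte) are the hidden character
            flag += binascii.unhexlify(line[-2:])
print(flag)

This decodes to: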

b'@iH<,{*;oUp/im"QPl`yR*ie}NK;.D!Xu)b:J[Rj+6KKM7P@iH<,{*;oUp/im"QPl`yR'

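Improve the script so that it also base91-decodes the result:

import binascii
import base91  # third-party module

# data.txt holds one extracted Identification value per line, e.g. 0x00000040
flag = b""
with open('data.txt', 'r') as infile:
    for line in infile:
        line = line.strip()
        if line:
            # the last two hex digits (the low byte) are the hidden character
            flag += binascii.unhexlify(line[-2:])
print(flag)
# the recovered string is base91 text
print(base91.decode(flag.decode()))

bytearray(b'flag{wMt84iS06mCbbfuOfuVXCZ8MSsAFN1GA\xfd\xe3\x9f"1w\xe3Aw\xea\xbe\x18\tXV\xb8|\x8f')
This gives the flag.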
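The extraction step of this challenge, where the values are pulled out of the IPv4 Identification field, as an added example that is not part of the original write-up. The headers are constructed with `struct` rather than read from the capture, the first eight Identification values are the ones listed above, and the printable-ASCII check is a heuristic assumed here for spotting this kind of channel.

```python
import struct


def ipv4_header(ident):
    """Build a minimal 20-byte IPv4 header carrying `ident` (constructed sample)."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20,   # version/IHL, DSCP, total length
                       ident, 0,      # Identification, flags/fragment offset
                       64, 6, 0,      # TTL, protocol (TCP), checksum (left 0)
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


def identification(header):
    """Return the 16-bit Identification field (header bytes 4-5)."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return struct.unpack_from("!H", header, 4)[0]


def hidden_bytes(headers):
    """Low byte of each Identification value, in packet order."""
    return bytes(identification(h) & 0xFF for h in headers)


def ids_look_encoded(headers, min_packets=8, ratio=0.9):
    """Heuristic (an assumption of this example): flag a flow whose IDs are
    almost all printable ASCII, which counters and random IDs rarely are."""
    ids = [identification(h) for h in headers]
    printable = sum(0x20 <= i <= 0x7E for i in ids)
    return len(ids) >= min_packets and printable / len(ids) >= ratio


# First eight Identification values listed in the write-up
CHALLENGE_IDS = [0x40, 0x69, 0x48, 0x3C, 0x2C, 0x7B, 0x2A, 0x3B]
suspect = [ipv4_header(i) for i in CHALLENGE_IDS]
# Constructed benign flow: an incrementing 16-bit counter
benign = [ipv4_header(0x1A2B + n) for n in range(8)]

if __name__ == "__main__":
    print(hidden_bytes(suspect))
    print(ids_look_encoded(suspect), ids_look_encoded(benign))
```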

[CFI-CTF 2018]Kadyrov’s Cat

A jpg and a pdf are provided.

exiftool /home/kali/桌面/kadyrov_cat.jpeg

This yields:
GPS Latitude                    : 56 deg 56' 46.63"

GPS Longitude                   : 24 deg 6' 18.28"

Converting this to latitude/longitude and looking it up places the city as Riga.

exiftool /home/kali/桌面/message.pdf

This gives Kotik Kadyrov.
Following the flag format gives the flag:

flag{Kotik_Kadyrov_of_Riga}

[*CTF2019]babyflash

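After extraction there is a file called flash.swf. According to Baidu Baike, swf (shock wave flash) is the dedicated format of Flash, the animation design software from Macromedia (since acquired by Adobe).

The JPEXS Free Flash Decompiler tool is needed to decompile it:

https://github.com/jindrapetrik/jpexs-decompiler/releases
There are 441 (21*21) black and white blocks, which suggests a QR code; find a script to stitch them together: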

from os import listdir
from PIL import Image

# file names are numeric before the dot; sort the frames in numeric order
dirlist = listdir('./images/')
dirlist.sort(key=lambda x: int(x.split('.')[0]))
qrdata = ''
for imgname in dirlist:
    # convert to RGB so the pixel compares equal to a 3-tuple
    img = Image.open('./images/' + imgname).convert('RGB')
    img = img.load()
    if img[0, 0] == (0, 0, 0):
        qrdata += '1'  # black maps to 1
    elif img[0, 0] == (255, 255, 255):
        qrdata += '0'  # white maps to 0

# redraw the 441 bits as a 21x21 image, one pixel per block
width = height = 21
new_img = Image.new("RGB", (width, height))
i = 0
for w in range(width):
    for h in range(height):
        if qrdata[i] == '1':
            new_img.putpixel((w, h), (0, 0, 0))
        elif qrdata[i] == '0':
            new_img.putpixel((w, h), (255, 255, 255))
        i += 1
new_img.save('flag.png')

This produces flag.png; scan it:

ctf{half_flag_&

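That is only half the flag, so something was probably missed. Looking back, there is an audio file; viewing its spectrogram in Audacity gives the other half of the flag: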

&_the_rest}

Put together, this is the flag:

ctf{half_flag_&&_the_rest}

But I don't know why the flag is:

flag{halfflag&&_the_rest}

[羊城杯 2020]逃离东南亚

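Extraction gives three diaries. Start with the first: extracting it yields an image and an MD file. The image has a CRC error; fixing the width and height reveals a hint: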

zip_pwd:wdnmd
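The width/height fix mentioned above, as an added example that is not part of the original write-up: the CRC stored in the PNG IHDR chunk still belongs to the original header, so the real dimensions are the ones that reproduce it. The sample header and its 800x600 size are constructed for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def ihdr_chunk(width, height, crc=None):
    """Serialise an IHDR chunk (8-bit RGB). crc=None stores the correct CRC."""
    body = b"IHDR" + struct.pack("!IIBBBBB", width, height, 8, 2, 0, 0, 0)
    if crc is None:
        crc = zlib.crc32(body)
    return struct.pack("!I", 13) + body + struct.pack("!I", crc)


def recover_dimensions(png, limit=4096):
    """Return the (width, height) for which the IHDR CRC matches the stored one."""
    if png[:8] != PNG_SIG or png[12:16] != b"IHDR":
        raise ValueError("not a PNG with a leading IHDR chunk")
    width, height = struct.unpack_from("!II", png, 16)
    rest = png[24:29]                              # bit depth .. interlace
    stored = struct.unpack_from("!I", png, 29)[0]  # CRC written by the encoder

    def ok(w, h):
        return zlib.crc32(b"IHDR" + struct.pack("!II", w, h) + rest) == stored

    if ok(width, height):
        return width, height                       # header is consistent
    # Most tampering edits one field only, so try those cases first.
    for h in range(1, limit + 1):
        if ok(width, h):
            return width, h
    for w in range(1, limit + 1):
        if ok(w, height):
            return w, height
    # Fall back to searching both fields together (slow for a large limit).
    for w in range(1, limit + 1):
        for h in range(1, limit + 1):
            if ok(w, h):
                return w, h
    return None


# Constructed sample: an 800x600 header whose height field was changed to 300
# while the CRC of the original header was left in place.
_true_crc = zlib.crc32(ihdr_chunk(800, 600)[4:21])
tampered = PNG_SIG + ihdr_chunk(800, 300, crc=_true_crc)

if __name__ == "__main__":
    print(recover_dimensions(tampered))
```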

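Now diary two.
The content of test inside it looks like brainfuck encoding; it does not decode directly, and ++++++++ has to be added at the start.

After that, base64-decode the result; it starts with an ELF header, so run it in Kali.

It has no execute permission: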

chmod u+x 1

Running it shows nothing, so change approach: load the wav file into SilentEye, and sure enough there is something:

This1sThe3rdZIPpwd

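Extract the third diary. rtld.c under the elf folder, malloc.c under the malloc folder, and arena.c under the malloc folder contain information made up of spaces and tabs.
I got stuck here and found a script online: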

def f_read(name):
    flag = ""
    # any of these characters after the "}" means the tail is ordinary code, not hidden data
    useless = r"abcdefghijklmnopqrstuvw\\xyz;,)"
    with open(name, "r") as f:
        for line in f:
            line = line.replace("\n", "")
            if "}" in line:
                t = line.split("}")
                if len(t[1]) != 0:
                    x = 1
                    for i in useless:
                        if i in t[1]:
                            x = 0
                            break
                    if x:
                        # trailing whitespace carries the bits: tab -> 1, space -> 0
                        for s in t[1]:
                            if s == '\t':
                                flag += "1"
                            else:
                                flag += "0"
    print(flag)
    print("*****")
f_read("rtld.c")
f_read("arena.c")
f_read("malloc.c")

Decode the bits:

01010011010011110101001100100001001000000111000001101100011001010110000101110011011001010010000001101000011001010110110001110000001000000110110101100101001000000010110100111110001000000111001001110100011011000110010000101110011000110111100101101111011101010111001000100000011001100110110001100001011001110010000001101001011100110010000001101001011011100010000001101101011000010110110001101100011011110110001100101110011000110100011101010111010000110101010001000110011110110110001101101111011001000110010101011111011100110111010001100101011001110110000101101110011011110110011101110010011000010111000001101000011110010101111100110001011100110101111101100110011101010110111001101110011110010010000101111101

Feed it straight to ciphey:

GWCTF{code_steganography_1s_funny!}

[INSHack2018]42.tar.xz

This file is very deep. Will you dare dig in it ?

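The archive contains many branches; go after the 42.tar branch only:

import tarfile

current_path = r"C:/Users/XINO/Desktop/attachment/"

if __name__ == "__main__":
    i = 0
    target = "42.tar.xz"
    tarname = current_path + target
    while True:
        i += 1
        print("当前层数:{0}".format(i))
        tar = tarfile.open(tarname)
        filenames = tar.getnames()
        # stop at the layer that no longer contains another 42.tar.xz
        if target not in filenames: break
        # extract the inner 42.tar.xz over the outer one, then go one layer deeper
        tar.extract(target, current_path)
        tar.close()
    print("最后一层:{}".format(filenames), "\n正在解压……")
    # the archive is untrusted input: where the Python version supports it,
    # pass filter="data" to extract()/extractall() to block path traversal
    tar.extractall(current_path)
    tar.close()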

The file is very large; the type command prints the flag directly:
INSA{04ebb0d6a87f9771f2eea4dce5b91a85e7623c13301a8007914085a91b3ca6d9}

[XMAN2018排位赛]AutoKey

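Reading other people's solutions, I found a new approach: there are dedicated tools for decoding USB traffic.

Decode it with the UsbKeyboardDataHacker tool.

Here is a link: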

https://github.com/WangYihang/UsbKeyboardDataHacker/commit/1d4f364cd9f6d841160e597d0af2636c42d323dd

kali@kali:~/桌面/UsbKeyboardDataHacker-master$ python2 /home/kali/桌面/UsbKeyboardDataHacker-master/UsbKeyboardDataHacker.py /home/kali/桌面/attachment.pcapng
[+] Found : <CAP>a<CAP>utokey('****').decipheer('<CAP>mplrvffczeyoujfjkybxgzvdgqaurkxzolkolvtufblrnjesqitwahxnsijxpnmplshcjbtyhzealogviaaissplfhlfswfehjncrwhtinsmambvexo<DEL>pze<DEL>iz')

This gives the encrypted string:

mplrvffczeyoujfjkybxgzvdgqaurkxzolkolvtufblrnjesqitwahxnsijxpnmplshcjbtyhzealogviaaissplfhlfswfehjncrwhtinsmambvexopzeiz

Going by the challenge title, this is presumably Autokey encryption, and we need to brute-force the key:

autokey, klen 8 :"FLAGHERE", HELLOBOYSANDGIRLSYOUARESOSMARTTHATYOUCANFINDTHEFLAGTHATIHIDEINTHEKEYBOARDPACKAGEFLAGISJHAWLZKEWXHNCDHSLWBAQJTUQZDXYGGKSA

That gives the flag.
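How the recovered key turns the captured keystrokes into plaintext, as an added example that is not part of the original write-up or of the UsbKeyboardDataHacker project. It replays the `<DEL>` and `<CAP>` tokens that appear in the tool output and then applies Autokey decryption with the key FLAGHERE reported by the brute force; the function names are assumptions, and only the first 24 ciphertext letters from the page are embedded.

```python
import re
from string import ascii_uppercase as ALPHA


def apply_keystrokes(log):
    """Replay a keystroke log: <DEL> removes the previous character; other
    tokens such as <CAP> only change case, which the cipher ignores."""
    out = []
    for tok in re.findall(r"<[A-Z]+>|.", log):
        if tok == "<DEL>":
            if out:
                out.pop()
        elif not tok.startswith("<"):
            out.append(tok)
    return "".join(out)


def autokey_decrypt(ciphertext, key):
    """Autokey: the keystream is the key followed by the plaintext itself."""
    stream = list(key.upper())
    plain = []
    letters = [c for c in ciphertext.upper() if c in ALPHA]
    for i, c in enumerate(letters):
        p = ALPHA[(ALPHA.index(c) - ALPHA.index(stream[i])) % 26]
        plain.append(p)
        stream.append(p)  # each recovered letter extends the keystream
    return "".join(plain)


# First 24 ciphertext letters from the capture, and the key from the brute force
CIPHER_PREFIX = "mplrvffczeyoujfjkybxgzvd"
KEY = "FLAGHERE"

if __name__ == "__main__":
    # tail of the captured log, showing the effect of the two <DEL> keys
    print(apply_keystrokes("vexo<DEL>pze<DEL>iz"))
    print(autokey_decrypt(CIPHER_PREFIX, KEY))
```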

[BSidesSF2019]diskimage

Run zsteg on the PNG image:

zsteg -e 'b8,rgb,lsb,xy' attachment.png > disk.dat

Inspecting it with testdisk shows extra content; copy it out the way the tool provides.
It turns out to be an image of the flag:

flag{FAT12_FTW}

This one is really a test of tool usage; for someone like me who had never used testdisk, it was not easy to get right the first time.

[QCTF2018]X-man-Keyword

hints

Welcome to QCTF
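hint1: try putting the given keyword at the front
hint2: a substitution that moves the keyword to the front

LSB steganography; extract the data with the known password: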

PVSF{vVckHejqBOVX9C1c13GFfkHJrjIQeMwf}

Following the hint "hint1: try putting the given keyword at the front", take "lovekfc" out of the 26 English letters and put it at the front to form the key.

lovekfcabdghijmnpqrstuwxyz

Script:

# -*- coding:utf-8 -*-
import string

ciphertext = 'PVSF{vVckHejqBOVX9C1c13GFfkHJrjIQeMwf}'
secretkey = 'lovekfcabdghijmnpqrstuwxyz'
plaintext = ''

for letter in ciphertext:
    if letter in string.ascii_lowercase:
        index = secretkey.lower().index(letter)
        plaintext += string.ascii_lowercase[index]
        continue
    if letter in string.ascii_uppercase:
        index = secretkey.upper().index(letter)
        plaintext += string.ascii_uppercase[index]
        continue
    plaintext += letter

print(plaintext)

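Copyright notice: this is an original article by qq_52988816, released under the CC 4.0 BY-SA license. When reposting, please include a link to the original source and this notice.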