202404_QQ_ZIP嵌套

Tags:ZIP,嵌套

0x00. 题目

附件路径：https://pan.baidu.com/s/1GyH7kitkMYywGC9YJeQLJA?pwd=Zmxh#list/path=/CTF附件

附件名称：202404_QQ_ZIP嵌套.zip

0x01. WP

• 打开txt文件发现文件头为504b0304
• 导入到010Editor另存为tmp.zip
• 打开tmp.zip发现里面是另一个txt
• 打开txt文件发现又是个文件头为504b0304，重复步骤1
• 尝试编写脚本进行循环解码，最终得到flag

exp.py

import os
import zipfile

# 计数器
iNum=1

# 删除zip.txt，并将50.txt另存为zip.txt
if os.path.exists("zip.txt"):
    os.remove("zip.txt")

with open("50.txt", "rb") as source_file:
    with open("zip.txt", "wb") as target_file:
        target_file.write(source_file.read())

# 循环爆破
while True:
    with open('zip.txt', 'r') as file:
        content = file.read()
        print(iNum, content[0:50])
        iNum+=1

    if content[0:8]!="504b0304":
        break

    # 将zip.txt内容以十六进制方式写入tmp.zip
    binary_data = bytes.fromhex(content)
    with open('tmp.zip', 'wb') as file:
        file.write(binary_data)

    # 删除zip.txt
    os.remove("zip.txt")

    # 读取tmp.zip文件
    with zipfile.ZipFile("tmp.zip", 'r') as zip_ref:
        for file_name in zip_ref.namelist():
            zip_ref.extract(file_name)

    # 解压缩文件，并将文件复制为tmp.txt
    with open(file_name, "rb") as source_file:
        with open("zip.txt", "wb") as target_file:
            target_file.write(source_file.read())

    # 删除解压出的txt文件
    os.remove(file_name)

    # 删除tmp.zip文件
    os.remove("tmp.zip")

D:\=MAX230_Wiki=\题库\Archives\Misc\Archives\202404_QQ_zip嵌套>python exp.py
1 504b03041400000008001b7e2956caecbb54d78d0600e0830b
2 504b03041400000008001b7e2956fec1725d82c105002c1c0a
3 504b03041400000008001b7e295687ef0f25a80d05006ee008
4 504b03041400000008001b7e2956c968856ec96f0400eaca07
5 504b03041400000008001b7e2956a04270c907e503000ad806
... ...
46 504b03041400000008001a7e2956f74a15e9ae010000580300
47 504b03041400000008001a7e29567c1ade91400100008e0200
48 504b03041400000008001a7e29562c5e732ddb000000d00100
49 504b03041400000008001a7e295676ed28377c000000280100
50 504b0304140000000800c97a2956b55e178528000000260000
51 flag{97de6c664734b9bdf3eeb0fe265bd8df}