MISC practice problems 10
[CISCN 2022 Preliminary] babydisk
Attachment: babydisk.vmdk
Mount it with DiskGenius:

After mounting there is a .wav file:

Right-click and copy it to the desktop to get voipNewRing.wav.
Wav steganography is usually DeepSound, SilentEye or something similar.
Use John to crack the DeepSound password:
python3 deepsound2john.py voipNewRing.wav > 1.txt
john 1.txt
deepsound2john.py:https://github.com/openwall/john/blob/bleeding-jumbo/run/deepsound2john.py
#!/usr/bin/env python3
'''
deepsound2john extracts password hashes from audio files containing encrypted
data steganographically embedded by DeepSound (http://jpinsoft.net/deepsound/).

This method is known to work with files created by DeepSound 2.0.

Input files should be in .wav format. Hashes can be recovered from audio files
even after conversion from other formats, e.g.,

  ffmpeg -i input output.wav

Usage:

  python3 deepsound2john.py carrier.wav > hashes.txt
  john hashes.txt

This software is copyright (c) 2018 Ryan Govostes <rgovostes@gmail.com>, and
it is hereby released to the general public under the following terms:

Redistribution and use in source and binary forms, with or without
modification, are permitted.
'''

import logging
import os
import sys
import textwrap


def decode_data_low(buf):
    # low quality: one payload byte per two samples
    return buf[::2]


def decode_data_normal(buf):
    # normal quality: one payload byte from the low nibbles of every other sample
    out = bytearray()
    for i in range(0, len(buf), 4):
        out.append((buf[i] & 15) << 4 | (buf[i + 2] & 15))
    return out


def decode_data_high(buf):
    # high quality: one payload byte from the low two bits of four samples
    out = bytearray()
    for i in range(0, len(buf), 8):
        out.append((buf[i] & 3) << 6 | (buf[i + 2] & 3) << 4
                   | (buf[i + 4] & 3) << 2 | (buf[i + 6] & 3))
    return out


def is_magic(buf):
    # This is a more efficient way of testing for the `DSCF` magic header without
    # decoding the whole buffer
    return (buf[0] & 15) == (68 >> 4) and (buf[2] & 15) == (68 & 15) \
       and (buf[4] & 15) == (83 >> 4) and (buf[6] & 15) == (83 & 15) \
       and (buf[8] & 15) == (67 >> 4) and (buf[10] & 15) == (67 & 15) \
       and (buf[12] & 15) == (70 >> 4) and (buf[14] & 15) == (70 & 15)


def is_wave(buf):
    return buf[0:4] == b'RIFF' and buf[8:12] == b'WAVE'


def process_deepsound_file(f):
    global convert_warn
    bname = os.path.basename(f.name)
    logger = logging.getLogger(bname)

    # Check if it's a .wav file
    buf = f.read(12)
    if not is_wave(buf):
        logger.error('file not in .wav format')
        convert_warn = True
        return
    f.seek(0, os.SEEK_SET)

    # Scan for the marker, one byte at a time
    hdrsz = 104
    hdr = None
    while True:
        off = f.tell()
        buf = f.read(hdrsz)
        if len(buf) < hdrsz:
            break
        if is_magic(buf):
            hdr = decode_data_normal(buf)
            logger.info('found DeepSound header at offset %i', off)
            break
        f.seek(-hdrsz + 1, os.SEEK_CUR)

    if hdr is None:
        logger.warning('does not appear to be a DeepSound file')
        return

    # Check some header fields
    mode = hdr[4]
    encrypted = hdr[5]

    modes = {2: 'low', 4: 'normal', 8: 'high'}
    if mode in modes:
        logger.info('data is encoded in %s-quality mode', modes[mode])
    else:
        logger.error('unexpected data encoding mode %i', mode)
        return

    if encrypted == 0:
        logger.warning('file is not encrypted')
        return
    elif encrypted != 1:
        logger.error('unexpected encryption flag %i', encrypted)
        return

    # The header carries the SHA-1 of the password; emit it in john's dynamic format
    sha1 = hdr[6:6 + 20]
    print('%s:$dynamic_1529$%s' % (bname, sha1.hex()))


if __name__ == '__main__':
    import argparse

    parser = argparse.ArgumentParser()
    parser.add_argument('--verbose', '-v', action='store_true')
    parser.add_argument('files', nargs='+', metavar='file',
                        type=argparse.FileType('rb', bufsize=4096))
    args = parser.parse_args()

    if args.verbose:
        logging.basicConfig(level=logging.INFO)
    else:
        logging.basicConfig(level=logging.WARN)

    convert_warn = False
    for f in args.files:
        process_deepsound_file(f)

    if convert_warn:
        print(textwrap.dedent('''
            ---------------------------------------------------------------
            Some files were not in .wav format. Try converting them to .wav
            and try again. You can use: ffmpeg -i input output.wav
            ---------------------------------------------------------------
            '''.rstrip()), file=sys.stderr)

The password is feedback. Extracting the hidden data with it gives the key:


e575ac894c385a6f
Getting a key at this point means there must be something to decrypt. Next, mount the vmdk with FTK:
FTK download: https://www.52pojie.cn/thread-1698481-1-1.html
Chinese language pack: https://blog.csdn.net/NDASH/article/details/110135403
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\AccessData]
"Preferred Language"="CHS"
Open FTK:



Two files turn up in the Recycle Bin (DiskGenius did not show them earlier):

Right-click --> Export Files, which gives $RDWTTK4

Mount it with VeraCrypt, using the e575ac894c385a6f obtained earlier as the password.
Keep VeraCrypt open, look at drive H:, and find a file named spiral.
Drag spiral into 010 Editor; it is a zip:

But its contents are scrambled.
The file name means spiral; a search shows this points to a spiral matrix, which works on an n*n square, so the first step is to find n for the archive.
WinHex shows a total length of 7579 bytes; the closest square is 87*87 = 7569, so n = 87.
Script for this archive:
def function(n):
    # Number the cells of an n x n grid 1..n*n in clockwise spiral order
    matrix = [[0] * n for _ in range(n)]
    number = 1
    left, right, up, down = 0, n - 1, 0, n - 1
    while left < right and up < down:
        # left to right along the top row
        for i in range(left, right):
            matrix[up][i] = number
            number += 1
        # top to bottom down the right column
        for i in range(up, down):
            matrix[i][right] = number
            number += 1
        # right to left along the bottom row
        for i in range(right, left, -1):
            matrix[down][i] = number
            number += 1
        # bottom to top up the left column
        for i in range(down, up, -1):
            matrix[i][left] = number
            number += 1
        left += 1
        right -= 1
        up += 1
        down -= 1
    # when n is odd the single centre cell is left over and must be filled separately
    if n % 2 != 0:
        matrix[n // 2][n // 2] = number
    return matrix


with open("spiral", "rb") as fr:
    r = fr.read()

spiral = function(87)
for i in range(87):
    for j in range(87):
        # convert to 0-based indices so they match the byte offsets
        spiral[i][j] -= 1

res = []
for i in range(87):  # 87 here is n
    for v in spiral[i]:
        # two hex digits per byte, zero-padded
        res.append("%02x" % r[v])
print("".join(res))
Running it prints a long hex string:

Import the hex into 010 Editor to get a zip file.
Extracting it gives 1.png:

Pull out all the characters first: there are 49 of them, 7 squared, so apply the spiral matrix transform again:
def function(n):
    # Number the cells of an n x n grid 1..n*n in clockwise spiral order
    matrix = [[0] * n for _ in range(n)]
    number = 1
    left, right, up, down = 0, n - 1, 0, n - 1
    while left < right and up < down:
        # left to right along the top row
        for i in range(left, right):
            matrix[up][i] = number
            number += 1
        # top to bottom down the right column
        for i in range(up, down):
            matrix[i][right] = number
            number += 1
        # right to left along the bottom row
        for i in range(right, left, -1):
            matrix[down][i] = number
            number += 1
        # bottom to top up the left column
        for i in range(down, up, -1):
            matrix[i][left] = number
            number += 1
        left += 1
        right -= 1
        up += 1
        down -= 1
    # when n is odd the single centre cell is left over and must be filled separately
    if n % 2 != 0:
        matrix[n // 2][n // 2] = number
    return matrix


s = "ohhhhhhf5-410f3f969bl696}6-a-1eb59ge1-4d3{f9af107"
start = s

spiral = function(7)
for i in range(7):
    for j in range(7):
        # convert to 0-based indices
        spiral[i][j] -= 1

while True:
    flag = ""
    for i in range(7):
        for v in spiral[i]:
            flag += s[v]
    s = flag
    if flag.find("hhflag") != -1:
        print(s)
    # the transform is a fixed permutation, so the text eventually cycles back
    # to where it started; stop there instead of looping forever
    if s == start:
        break
Running it prints several results:

After trying them, flag{701fa9fe-63f5-410b-93d4-119f96965be6} with the prefix changed to NSSCTF is the correct answer.
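Both spiral steps above (the 87*87 archive and the 7*7 flag text) are the same permutation in opposite directions, so here is one added example in Python, not code from the original writeup, that implements both directions and picks n from the data length. `spiral_read` reads a row-major grid along the spiral; `spiral_write` places sequential data into the spiral cells and dumps the grid row-major; they are inverses. The 4*4 "archive" (`SAMPLE_ZIP`) is constructed here only to show the signature check; the 49-character `FLAG_TEXT` is the string from 1.png quoted above.

```python
import math

# Added example (not the writeup's own code): both directions of the spiral
# matrix transform from babydisk, with n taken from the data length.


def spiral_cells(n):
    """(row, col) of every cell of an n x n grid in clockwise spiral order from
    the top-left corner, the same order the writeup's function(n) numbers them."""
    cells = []
    top, bottom, left, right = 0, n - 1, 0, n - 1
    while top <= bottom and left <= right:
        cells.extend((top, c) for c in range(left, right + 1))            # top row
        cells.extend((r, right) for r in range(top + 1, bottom + 1))      # right column
        if top < bottom:
            cells.extend((bottom, c) for c in range(right - 1, left - 1, -1))  # bottom row
        if left < right:
            cells.extend((r, left) for r in range(bottom - 1, top, -1))        # left column
        top, bottom, left, right = top + 1, bottom - 1, left + 1, right - 1
    return cells


def square_side(length):
    """Largest n with n*n <= length. The writeup reports 7579 bytes; 87*87 = 7569."""
    n = math.isqrt(length)
    if n == 0:
        raise ValueError("empty input")
    return n


def _join(data, seq):
    # keep the caller's type: bytes in, bytes out; str in, str out
    return bytes(seq) if isinstance(data, (bytes, bytearray)) else "".join(seq)


def spiral_read(data, n=None):
    """Treat data[:n*n] as a row-major grid and read it along the spiral.
    Undoes 'write the message into the spiral, then dump the grid row by row'."""
    n = n or square_side(len(data))
    if len(data) < n * n:
        raise ValueError("need at least n*n elements")
    return _join(data, [data[r * n + c] for r, c in spiral_cells(n)])


def spiral_write(data, n=None):
    """Put data[k] into the k-th spiral cell and return the grid row-major.
    Undoes 'read the grid along the spiral', which is what the writeup's first
    script does to the zip. spiral_write and spiral_read are inverses."""
    n = n or square_side(len(data))
    if len(data) < n * n:
        raise ValueError("need at least n*n elements")
    grid = [None] * (n * n)
    for k, (r, c) in enumerate(spiral_cells(n)):
        grid[r * n + c] = data[k]
    return _join(data, grid)


# Constructed 4x4 sample standing in for the archive: a zip local-header
# signature at the start and an end-of-central-directory signature further in,
# dumped in spiral order the way the challenge's `spiral` file was.
SAMPLE_ZIP = b"PK\x03\x04" + bytes(6) + b"PK\x05\x06" + bytes(2)
SCRAMBLED = spiral_read(SAMPLE_ZIP, 4)


def recover_zip(scrambled, n=None):
    """Rebuild the row-major archive and sanity-check the zip signatures.
    The first row is never moved by the spiral, so the local-header signature
    survives scrambling (which is why 010 Editor still called it a zip); the
    end-of-central-directory signature is the check that actually bites."""
    out = spiral_write(scrambled, n)
    if not out.startswith(b"PK\x03\x04") or b"PK\x05\x06" not in out:
        raise ValueError("spiral_write did not yield a plausible zip")
    return out


# The 49 characters read out of 1.png in the writeup.
FLAG_TEXT = "ohhhhhhf5-410f3f969bl696}6-a-1eb59ge1-4d3{f9af107"


def recover_flag(text):
    """The text was written into the spiral and dumped row-major, so a single
    spiral_read gives the flag; the writeup's loop applies the inverse direction
    over and over and only lands on it because the permutation cycles."""
    return spiral_read(text, 7)


if __name__ == "__main__":
    print(recover_zip(SCRAMBLED) == SAMPLE_ZIP)
    print(recover_flag(FLAG_TEXT))
```

For n = 7 the cell permutation has order 840 (its cycle lengths are 1, 2, 4, 5, 6, 7 and 8), so the writeup's loop, which applies the `spiral_write` direction, reaches `spiral_read` on its 839th pass; that is why it had to iterate rather than stop after one transform.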
[安洵杯 2020] 王牌特工 (Kingsman)
Attachment: findme
No file extension either, and no idea where to start...
https://blog.csdn.net/mochu7777777/article/details/110151315
file reports an ext3 filesystem, so mount it directly:
file findme
mount findme /mnt
Two files are found: key.txt and flagbox

But this key.txt is a fake key.
Running strings on the image shows a hidden cool.key file:

It was not visible on the initial mount, so the file was probably deleted; try to recover it:
apt install extundelete
extundelete findme --restore-all


55yf55qE5a+G56CBOnRoaXNfaXNfYV90cnVlX2tleQ==
Do not decode the trailing "me" together with it!!!
Decoded:
真的密码:this_is_a_true_key (真的密码 means "the real password")
Then mount flagbox in VeraCrypt with this password:

This gives readflag.txt:
flag{you_are_a_cool_boy}
[HGAME 2022 week4] 摆烂
Attachment: 摆烂.zip, password required
Try zip pseudo-encryption:

That did not work, but it hinted that the zip contains hidden data.
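Pseudo-encryption means the encryption bit (bit 0 of the general-purpose flags) is set in a header even though no member was ever encrypted; most tools trust the central directory, so setting the bit there alone is enough to make them demand a password. The following is an added example in Python, not the writeup's own code, that walks the central directory, compares each entry's bit with its local header, and decides whether an archive is only pretending by clearing the bits and checking the CRCs. The archive it inspects (`SAMPLE`, one member flag.txt with made-up contents) is constructed in memory; `PSEUDO` is the same archive with only the central-directory bit flipped.

```python
import io
import struct
import zipfile
import zlib

# Added example (not the writeup's own code): zip pseudo-encryption check.
# Encryption flag = bit 0 of the general-purpose flags, at +6 in each local
# file header (PK\x03\x04) and at +8 in each central-directory entry (PK\x01\x02).


def _entries(data):
    """Yield (name, local_header_offset, central_entry_offset) by walking the
    central directory from the end-of-central-directory record."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    for _ in range(count):
        if data[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("bad central directory entry at %d" % pos)
        nlen, elen, clen = struct.unpack_from("<HHH", data, pos + 28)
        lh_off, = struct.unpack_from("<I", data, pos + 42)
        name = bytes(data[pos + 46:pos + 46 + nlen]).decode("utf-8", "replace")
        if data[lh_off:lh_off + 4] != b"PK\x03\x04":
            raise ValueError("bad local file header for %s" % name)
        yield name, lh_off, pos
        pos += 46 + nlen + elen + clen


def encryption_flags(data):
    """{member: (local_bit, central_bit)}; a sane archive has them equal."""
    return {name: (bool(data[lh + 6] & 1), bool(data[cd + 8] & 1))
            for name, lh, cd in _entries(data)}


def set_encryption_bits(data, on, where=("local", "central")):
    """Return a copy with bit 0 set or cleared in the chosen header kinds."""
    out = bytearray(data)
    for _, lh, cd in _entries(out):
        offsets = ([lh + 6] if "local" in where else []) + \
                  ([cd + 8] if "central" in where else [])
        for off in offsets:
            out[off] = (out[off] | 1) if on else (out[off] & 0xFE)
    return bytes(out)


def opens_without_password(data):
    """True if the stock zipfile module hands back the first member as-is."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.read(zf.namelist()[0])
        return True
    except RuntimeError:          # "File ... is encrypted, password required"
        return False


def is_pseudo_encrypted(data):
    """True when some header claims encryption but, with every flag cleared,
    all members inflate with correct CRCs, i.e. nothing was really encrypted.
    A genuinely encrypted archive fails the inflate/CRC step instead."""
    if not any(l or c for l, c in encryption_flags(data).values()):
        return False
    cleared = set_encryption_bits(data, False)
    try:
        with zipfile.ZipFile(io.BytesIO(cleared)) as zf:
            return zf.testzip() is None
    except (zipfile.BadZipFile, RuntimeError, zlib.error):
        return False


def make_zip(files):
    """Build a small deflated archive in memory (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


SAMPLE = make_zip({"flag.txt": "flag{not_really_encrypted}"})
# The classic CTF variant: flag only the central-directory entry.
PSEUDO = set_encryption_bits(SAMPLE, True, where=("central",))

if __name__ == "__main__":
    print(encryption_flags(PSEUDO))
    print(is_pseudo_encrypted(PSEUDO))
    print(opens_without_password(set_encryption_bits(PSEUDO, False)))
```

When the bits are set in both header kinds, a flag comparison alone cannot tell a fake from a real password; `is_pseudo_encrypted` settles it by actually inflating the data, which is the check worth running before reaching for a cracker.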
Carve it with foremost to get 00000016.png and 00000000.zip.
00000000.zip holds the encrypted CTF.png, 好.png, 难.png and 啊.png.
Opening the png in 010 Editor shows that it contains several PNGs:

Use an APNG tool to extract the frames.
This gives two nearly identical images:

Try blind watermark extraction:


A string shows up:
4C*9wfg976
Using it as the password, open the archive to get four QR code fragments; stitch them together and scan to get an odd text:
Faced with such a difficult choice, I have thought it over and over, unable to eat or sleep. That being so, Abraham Lincoln once casually remarked: how many years you have lived does not matter; what matters is how you have lived them. This inspired me: CTF is so hard, how on earth should it be done? To sum up, we all know that as long as something is meaningful, it must be considered carefully. I believe everyone has to face these problems. When facing this kind of problem: CTF is so hard, how on earth should it be done?
Clearly zero-width steganography: https://330k.github.io/misc_tools/unicode_steganography.html
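What gives zero-width steganography away is that prose which looks normal contains code points with no glyph (U+200B, U+200C, U+200D, U+2060, U+FEFF and a few more). The following is an added example in Python, not the writeup's code and not the encoding used by the 330k tool: `find_zero_width` is the detector, `zw_encode`/`zw_decode` hide and recover a payload with an assumed two-symbol alphabet (U+200B = 0, U+200C = 1, eight bits per byte, UTF-8 payload). Real tools choose their own alphabet and bit order, so after the detector fires the mapping has to be adapted to the tool. The cover sentence and the hidden `flag{example}` are constructed here.

```python
import unicodedata

# Added example (not the writeup's code, not the 330k tool's scheme): detect
# zero-width code points and decode an assumed two-symbol binary alphabet.

ZERO_WIDTH = frozenset("\u200b\u200c\u200d\u2060\u2062\u2063\u2064\ufeff\u180e")
ZERO, ONE = "\u200b", "\u200c"     # assumed alphabet for the demo encoding


def find_zero_width(text):
    """(index, 'U+XXXX', name) for each zero-width code point; any hit inside
    ordinary prose is the tell that something is hidden in it."""
    return [(i, "U+%04X" % ord(ch), unicodedata.name(ch, "?"))
            for i, ch in enumerate(text) if ch in ZERO_WIDTH]


def strip_zero_width(text):
    """The visible text with every zero-width code point removed."""
    return "".join(ch for ch in text if ch not in ZERO_WIDTH)


def zw_encode(cover, secret):
    """Hide `secret` after the first character of `cover`, one zero-width
    character per bit, most significant bit first."""
    bits = "".join(format(b, "08b") for b in secret.encode("utf-8"))
    payload = "".join(ONE if bit == "1" else ZERO for bit in bits)
    return cover[:1] + payload + cover[1:]


def zw_decode(text):
    """Pull the alphabet characters out in order, rebuild the bytes, decode.
    Characters outside the alphabet are ignored, so the cover text can be
    anything; a trailing partial byte is dropped."""
    bits = "".join("1" if ch == ONE else "0" for ch in text if ch in (ZERO, ONE))
    n = len(bits) - len(bits) % 8
    raw = bytes(int(bits[i:i + 8], 2) for i in range(0, n, 8))
    return raw.decode("utf-8", errors="replace")


# Constructed cover text, a stand-in for the nonsense essay from the QR code.
COVER = "CTF is so hard; how on earth should it be done?"
STEGO = zw_encode(COVER, "flag{example}")

if __name__ == "__main__":
    hits = find_zero_width(STEGO)
    print(len(hits), "zero-width code points, first:", hits[0])
    print(strip_zero_width(STEGO) == COVER, zw_decode(STEGO))
```

Run `find_zero_width` on the scanned text first; if it returns nothing, the zero-width characters were lost on the way (OCR, copy-paste through a field that strips them), and the decoding step has nothing to work with.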

[HNCTF 2022 WEEK4] Bronya
Attachment: flag.zip, password required
Open the archive:

The hint is 2016????

But that is not exact:

Use ARCHPR:


The password is 20160818
This gives two nearly identical images; guess blind watermark.
Trying it out, it is the python3 bwm two-image blind watermark:
https://github.com/chishaxie/BlindWaterMark
python .\bwmforpy3.py decode .\flag.png .\bronya.png 1.png
Finally a png is produced:

nssctf{Th3_P10t_S0_sweet}
[FSCTF 2023] 夜深人静的时候也会偷偷emo
stegovideo
Attachment: flag.zip, password-protected


Before brute-forcing the archive password, make sure the key parameters are set correctly!!
The password is 12345
Extract it to get flag.mp3
Decode it with MP3Stego:
Decode.exe -X flag.mp3 -P 12345

Open flag.mp3.txt:
FSCTF{CemMEnt_Se@1s_tHe_heaaaaaart_foR_An0ther_D@y}
