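Sharing a Few Misc Challenge Sets / Lateral-Thinking Puzzles

admin, 2024-11-06 10:07:35

A few CTF Misc challenges I wrote a long time ago, suitable for beginners who already have some background.

Mostly this is here to pad out the post count 💦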

》Music《

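This challenge tests traffic analysis and steganography skills. Start with the packet capture and analyse the HTTP traffic, which shows that an image (k448.jpg) was downloaded.

After extracting the image, carve it to get an archive (Staff.zip) and (music.mp3).

Viewing (music.mp3) in the frequency domain gives the password for the (Staff.zip) archive: Diana!aLove8

Extracting (Staff.zip) gives an encrypted archive (whatthisis.zip), a password-protected document (flag.docx), and a text file (pass.txt).

The text file (pass.txt) contains the key hint REVERSE, meaning the value after 0A 0A 00 00 00 00 has to be reversed. You can also reverse the whole text, which makes the key information visible.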

93632393439383139313D34696F376E6F637F232F2D6F636E2336313E236963757D6F2F2A33707474786

Reversing it gives

68747470733A2F2F6D757369632E3136332E636F6D2F232F736F6E673F69643D31393138393439323639

Converting that back to a string gives the link

https://music.163.com/#/song?id=1918949269

The password is the message the author left in the comment section

T0JRWEc0WjJNWkFHU1kzUElCVkVRWVRQTU5HRzZRQT0=

Decoding order: base64 -> base32

which gives

pass:f@ico@jHbocLo@

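The password for the file (whatthisis.zip) is: f@ico@jHbocLo@

After opening the document, press Ctrl+A and then Ctrl+D and untick the hidden-text box. At this point nothing on screen appears to change.

Press Ctrl+A again and a small block of text shows up. Zooming in gives the password for the archive (flag.zip): 0llo00llllO0o0o0lOo0l0IolIlIIolO0llO00ll0lIO0IIo0lIoO0I00OOOlIIO

Extracting the archive gives an osu file. Running the OSU beatmap gives a fake flag, but a closer look shows a hint at the very top: "Look at your MAP Settings"

Open the Osu Editor (right-click -> Edit), then press F4 or use the menu bar View -> Map Settings. There is something in the Tags field.

It is a string in a musical-note cipher; copy it out and decode it.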

‖♬♩‖¶♯‖♬♭‖♬♫‖♫♪♭♯♩‖‖‖‖♩♬‖♬♪‖♩♫♭♭♭‖‖♭‖♩♫♭♭♭♭‖♯‖♬♪‖♩♩‖♩¶‖♫§♭♭♭♭♭♬‖♩¶♭♯♩♭♯♩‖♫§♭♭♭‖¶♬‖‖♭‖♬♫‖♬♬♭‖‖‖♫♫§=

You can also simply unzip the osz file (an osu beatmap .osz is itself just an archive) and look at the *.osu file to find the Tags information.

Final flag

flag{N0tes_1s_Veruy_FuNNy_R1ghT}

》Diana《

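The challenge first gives the 0/1 data of an Aztec Code. Write a script to restore it to an Aztec symbol, filling in the Aztec finder pattern in the centre.

Scanning the code gives a download link.

Extracting the download gives an image.

Carving with binwalk gives an audio file, and SSTV (slow-scan television) decoding gives the password for the (flag.zip) archive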

dMP1c2mZ6n

Extracting the flag archive gives a pile of SMS PDU data. After filtering out the dirty (Jiaran) data, write a script to extract the key data.


Decoding gives

Hi, Diana. How are you doing today?挺不错的,今天播了几十分钟,赚了很多钱是嘛,赚了很多钱对吧来让我看看不要啦,听话,让我康康欸你干嘛啦,好好好,给你看89504E470D0A1A0A0000000D494844520000004C0000001A08030000002A9E4AF30000003F504C5445FFFFFFFFC0C0FFFFC0C0FFC0C0FFFFC0C0FFFFC0FFFF0000FFFF0000FF0000FFFF0000FFFF00FFC00000C0C00000C00000C0C00000C0C000C0FFFFFF000000CC44EFF20000021949444154388DAD54D992E4200C3347807087EAFFFFD635B193989E9E9DDDAAD14B27903642920D1E51546B86B0DB8D909C1A63B89C07C1954AD0ADEF27DA09B3F39B511108B6345C08C513C0F61E63B488141B7FFEECE25E0D7A422CE22317F310093D6564453808DB287962389709C307E01A25EC3AE4060FF451980E9E7974431768551582078717CD656C5CFFFE64371EE6B62826491054051F148489AA7520D43D4A46F7B2069F2AD76A39C0490DC919D242EB1A4057A33DDCA2D4E2D88CEC4ECC47E5123BC6C568CB65A58B2248416CEC047B8C45A91AEF9D180E71517293E3E1216D3975B6048463E86FE775904EF6A64531A9046A816922046309717353D34DCA0BB7666E17B5C08C8AAB685AEE9FED243E6BF0AE8BA8E0872CF604E8F6CD9833D71F1AC32DFE723EAD4E67A59A3C4C13B15716FBF0850D994B0A0980BDE888EF944ADB6EE24EE1B80EE5DC6720E5AEE3857E8B9B72AB0EF3A507BCB00EF59A4BD2B43B83F5FD125A65D903CCCA9F896305795E00729A6385E744335D74ED78B794796D87CC176722BC4D8687F76933E2E98C375E4BDC500B60ABEEB0DDCD02DE4D56F56BD86EC944F0F9F0F5ECC37207F14493825E615B247B53ACE000716463915DFB38BB588928714E02B4E7D3C842E0EF3350144F0D77CD0F9F976298A0F2CDB973B02DA3E49A788DC5C2465E67ED3F604EBDC912A3CE9AA3C8833571EEE70212A8DBEBFFFEF177FC62B597FF4D6AAF9F6AFD014E4D3271DC2FD5310000000049454E44AE426082哇,Diana!我真的好喜欢你啊!
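The PDU extraction step described above, as an added example that is not the challenge author's script: a minimal SMS-DELIVER decoder that handles GSM 7-bit and UCS2 bodies and skips lines that do not parse. The sample PDUs are constructed, and treating unparseable lines as the "dirty" data is an assumption about how the noise was filtered.

```python
# Added example: minimal SMS-DELIVER PDU decoder (GSM 7-bit and UCS2 bodies).
HEADER = "07917283010010F5" + "040BC87238880900F1"  # constructed SMSC + sender
STAMP = "99309251619580"                              # constructed timestamp
SAMPLE_7BIT = HEADER + "0000" + STAMP + "0A" + "E8329BFD4697D9EC37"
SAMPLE_UCS2 = HEADER + "0008" + STAMP + "04" + "4F60597D"

def swap_nibbles(field):
    """Semi-octet (swapped BCD) field -> digit string, dropping the F filler."""
    return "".join(field[i + 1] + field[i] for i in range(0, len(field), 2)).rstrip("F")

def unpack_septets(data, count):
    """Unpack `count` 7-bit septets packed LSB-first into octets.
    Septets are mapped with chr(); that matches the GSM default alphabet
    for letters and digits only (no full GSM 03.38 table here)."""
    bits = int.from_bytes(data, "little")
    return "".join(chr((bits >> (7 * i)) & 0x7F) for i in range(count))

def parse_deliver(pdu):
    """Parse one SMS-DELIVER PDU given as a hex string -> (sender, text)."""
    pdu = pdu.strip().upper()
    pos = 2 + 2 * int(pdu[0:2], 16)                 # skip the SMSC block
    first_octet = int(pdu[pos:pos + 2], 16); pos += 2
    if first_octet & 0x03:                          # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER PDU")
    if first_octet & 0x40:                          # TP-UDHI set
        raise ValueError("user data header not handled in this sketch")
    digits = int(pdu[pos:pos + 2], 16); pos += 4    # address length + type
    addr_len = digits + (digits & 1)                # padded to whole octets
    sender = swap_nibbles(pdu[pos:pos + addr_len]); pos += addr_len
    dcs = int(pdu[pos + 2:pos + 4], 16); pos += 4   # skip PID, read DCS
    pos += 14                                       # skip 7-octet timestamp
    udl = int(pdu[pos:pos + 2], 16); pos += 2
    body = bytes.fromhex(pdu[pos:])
    if dcs & 0x0C == 0x08:                          # UCS2: UDL counts octets
        return sender, body[:udl].decode("utf-16-be")
    if dcs & 0x0C == 0x00:                          # 7-bit: UDL counts septets
        return sender, unpack_septets(body, udl)
    raise ValueError("8-bit data body not handled")

def extract_text(lines):
    """Concatenate the bodies of all well-formed PDUs, ignoring noise lines."""
    parts = []
    for line in lines:
        try:
            parts.append(parse_deliver(line)[1])
        except (ValueError, IndexError):
            continue
    return "".join(parts)
```

Once the bodies are joined, a run of hex starting with 89504E47 (the PNG signature) can be cut out and written to disk with `bytes.fromhex`.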

Finally, an image is extracted.

Give the image to npiet to run it as a program, and it prints the flag

flag{3n8Gyn3_928cv1ms1X8HibH4aN6B5A1_19ZceX4nnPq7}

》WOW!!!《

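This challenge requires dancing an otaku dance in front of the camera, and the more people the better. My recommendation is "Motteke! Sailor Fuku" from Lucky Star.

Once the detected head count == 6, a gift is generated locally. The gift is a docx file that hides an mp3 steganography file (header4) and an LSB steganography image (header5).

You can also decompile the Python directly (mainly for folks who cannot get it to run).

The face-detection part is there to make it more fun 🥰. I hope everyone enjoys it.

Decoding the modem data stream in the wav file (header4) gives a string of base64-encoded Ook! data.

The baud rate is 300.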

+++++ ++[-> +++++ ++<]> ..<++ +++[- >++++ +<]>+ +++++ ++++. --.<+ ++++[->+++ ++<]> .<+++ ++++[ ->--- ----< ]>--- ----- -.<++ +++[- >++++ +<]>+.<+++ ++[-> +++++ <]>+. <++++ +++[- >---- ---<] >---. +++++ .<+++ ++[->+++++ <]>++ +++++ +++.< +++++ +[->- ----- <]>-. .<+++ +++[- >++++ ++<]>+++++ +++++ ++.++ ++.<+ +++++ [->-- ----< ]>--- .---- ----- .<

Decoding the Ook! gives the password for the LSB steganography image (header5)

11TRk1Ke16Y44dhA8

Undoing the LSB steganography gives a pile of data

https://github.com/livz/cloacked-pixel

After applying ROT13,

the data turns out to be in JPG file format,

which gives an image.

It is an image with a hidden watermark...

After tuning the parameters, the text shows up

flag{5Q8qP65U8zqMr}

》Easy Disk《

8c26ffa4ca12b34844628f6ab22b780c_iscc.xmutsec.iloli.moe

PS:flag{Part1+Joe's Password+Part2}

First, use nslookup on xxx.iloli.moe to get the TXT record, which is base85.

Decoding it gives pikachu code

pi pi pi pi pi pi pi pi pi pi pika pipi pi pipi pi pi pi pipi pi pi pi pi pi pi pi pipi pi pi pi pi pi pi pi pi pi pi pichu pichu pichu pichu ka chu pipi pipi pipi pipi pi pi pi pi pikachu pi pi pi pi pi pi pi pi pi pi pi pi pikachu pikachu ka ka ka ka pikachu pi pi pi pikachu pichu ka ka ka ka ka ka ka ka ka ka ka ka pikachu ka ka ka ka ka ka ka ka ka ka ka pikachu pikachu pipi pikachu ka ka ka ka ka ka ka ka ka ka ka pikachu ka ka ka ka ka ka ka pikachu pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pikachu ka ka ka ka ka ka ka ka ka ka ka ka ka pikachu pichu ka pikachu pipi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pikachu ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka pikachu pi pi pi pi pikachu pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pikachu ka ka ka ka pikachu ka ka ka ka ka ka ka pikachu pichu pikachu pipi ka ka ka ka ka ka ka ka ka ka ka pikachu pi pi pi pi pi pi pi pi pi pi pi pi pikachu ka ka pikachu pichu pi pikachu pipi ka ka ka ka ka ka ka ka pikachu pichu pi pi pi pi pi pi pi pikachu pi pi pi pi pi pi pi pi pi pi pi pi pi pi pikachu pi pi pi pi pi pi pi pi pi pikachu pipi pi pi pikachu pichu ka ka ka ka ka ka ka ka pikachu pi pi pi pi pikachu ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka pikachu ka ka ka ka ka ka pikachu pipi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pikachu pichu pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pikachu pipi ka ka ka pikachu pichu pi pi pi pi pi pi pi pikachu pichu pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pikachu ka ka ka pikachu

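Decoding the pikachu code gives the download address.

After downloading, readme.txt tells us that the task is data recovery and forensics.

The readme.txt file

Mount the disk directly, and the first partition turns out to have been destroyed.

The second partition is also protected by BitLocker.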

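Open the disk in WinHex and look at the MBR: the partition address has been deleted.

Locate the address of the first partition,

then go back to the MBR

and fill the partition address back into the MBR, then fill in the type. Recovery succeeds.

Remount the disk, and there are now two partitions.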
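The manual WinHex repair above, as an added example that is not from the original post: scan an image for the lost volume boot record and rewrite the first MBR partition entry from it. The post does not name the first partition's filesystem, so NTFS is an assumption here, and the in-memory disk image is constructed.

```python
import struct

SECTOR = 512
PT_OFFSET = 0x1BE              # partition table: 4 entries of 16 bytes
ENTRY = "<B3sB3sII"            # status, CHS start, type, CHS end, LBA, sectors
CHS_LBA = b"\xfe\xff\xff"      # conventional CHS filler when LBA is used

def parse_mbr(sector0):
    """Return [(type, start_lba, sector_count)] for the four MBR entries."""
    if sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing 55AA boot signature")
    table = []
    for i in range(4):
        _, _, ptype, _, lba, count = struct.unpack_from(ENTRY, sector0, PT_OFFSET + 16 * i)
        table.append((ptype, lba, count))
    return table

def find_ntfs_vbr(image, start_lba=1):
    """Find the first sector that looks like an NTFS boot sector."""
    for lba in range(start_lba, len(image) // SECTOR):
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        if sec[3:11] == b"NTFS    " and sec[510:512] == b"\x55\xaa":
            total = struct.unpack_from("<Q", sec, 0x28)[0]   # volume sectors
            return lba, total
    return None

def repair_first_entry(image):
    """Rebuild MBR entry 1 (type 0x07) from the located NTFS boot sector."""
    found = find_ntfs_vbr(image)
    if found is None:
        raise ValueError("no NTFS boot sector found")
    lba, total = found
    fixed = bytearray(image)
    # +1: the backup boot sector sits in the partition's last sector,
    # which the volume's own sector count does not include.
    struct.pack_into(ENTRY, fixed, PT_OFFSET, 0, CHS_LBA, 0x07, CHS_LBA, lba, total + 1)
    return bytes(fixed)

def make_sample():
    """Constructed 64-sector image: entry 1 wiped, entry 2 intact."""
    img = bytearray(64 * SECTOR)
    img[510:512] = b"\x55\xaa"
    struct.pack_into(ENTRY, img, PT_OFFSET + 16, 0, CHS_LBA, 0x07, CHS_LBA, 40, 20)
    vbr = 8 * SECTOR                                 # lost partition at LBA 8
    img[vbr + 3:vbr + 11] = b"NTFS    "
    struct.pack_into("<Q", img, vbr + 0x28, 31)
    img[vbr + 510:vbr + 512] = b"\x55\xaa"
    return bytes(img)
```

A BitLocker volume carries the OEM ID `-FVE-FS-` instead of `NTFS    ` in its boot sector, so the scan does not mistake the encrypted second partition for the lost one.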

Partition 1

Contents of readme.txt

Small Easter egg:

You know what I mean.

Brute-forcing the CRC32 of ahahahah.png shows that the height is wrong.

After fixing the height, you get the BitLocker key

686224-303292-585959-348568-718696-444224-102377-435171
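The CRC32 height check used on ahahahah.png above, as an added example that is not from the original post: the IHDR chunk's stored CRC still covers the original dimensions, so trying heights until the CRC matches recovers the real one. The sample header is constructed, and the search bound of 8192 is an assumption.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def make_header(width, height):
    """Constructed sample: PNG signature plus one IHDR chunk (8-bit RGB)."""
    data = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + data)
    return PNG_SIG + struct.pack(">I", 13) + b"IHDR" + data + struct.pack(">I", crc)

def recover_height(ihdr_data, stored_crc, max_height=8192):
    """Return the height whose IHDR CRC equals stored_crc, or None."""
    width = ihdr_data[:4]
    tail = ihdr_data[8:]                      # bit depth, colour type, ...
    for height in range(1, max_height + 1):
        candidate = width + struct.pack(">I", height) + tail
        if zlib.crc32(b"IHDR" + candidate) == stored_crc:
            return height
    return None

def fix_height(png):
    """Return png with the IHDR height patched so the stored CRC is valid."""
    if png[:8] != PNG_SIG or png[12:16] != b"IHDR":
        raise ValueError("not a PNG with a leading IHDR chunk")
    ihdr = png[16:29]                         # 13 bytes of IHDR data
    stored = struct.unpack(">I", png[29:33])[0]
    if zlib.crc32(png[12:29]) == stored:      # CRC covers type + data
        return png                            # header is consistent
    height = recover_height(ihdr, stored)
    if height is None:
        raise ValueError("no height in range matches the stored CRC")
    return png[:20] + struct.pack(">I", height) + png[24:]

def tamper(png, fake_height):
    """Constructed tampering: overwrite the height, leave the CRC alone."""
    return png[:20] + struct.pack(">I", fake_height) + png[24:]
```

If the width was altered as well, the same loop extends to a search over both fields.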

Partition 2

After unlocking, you get flag.raw and readme1.txt.

flag.raw

Contents of readme1.txt

First check the system profile (Win7SP1x86_23418).

The challenge asks for the hacker's password, so dump the hashes directly or use mimikatz.

There is a user named hacker. Cracking the hash gives

The hacker's password is

maggie

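This was changed to getting the user Joe's password instead; Joe's plaintext password comes out as pass.123

Also list the processes and look for key information. The challenge author has notepad.exe and mspaint.exe open.

Dump mspaint.exe, which gives

Open it in PS to get

Then adjust the size and keep shifting the offset (4613436,739,1350) to get

After downloading the image, a little processing gives

which yields a string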

Rr25957Q343H2y8f

Look at the desktop.

flag.jpg and hijack.zip are there. Dump both of them,

flag.jpg(0x000000000faeb978)

hijack.zip(0x000000000faf4868)

which gives two images.

Checking flag.jpg shows that it uses JPHS steganography; the password is the content of the image above.

After seek, you get flag1

flag{gCXp4V4bQWKLy_

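Next, look at the notepad.exe process, which contains some strange data.

After saving it as text, the string length does not match the total length, so the guess is zero-width steganography.

This gives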

&HZjG9oecvkp~5IT=l

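This turns out to be the password for hijack.zip. Extracting it gives a number of images.

Each image is 6 pixels wide; write a script to reassemble them.

The result is a barcode, and scanning it gives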

5f6d3531413675365a41315478357d

Converting it to a string gives the second half of the flag

_m51A6u6ZA1Tx5}

flag{gCXp4V4bQWKLy_pass.123_m51A6u6ZA1Tx5}

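The misc challenges were easy this time.

There are still lots of ideas I want to implement www

Originally published on the WeChat official account (Gh0xE9): Sharing a Few Misc Challenge Sets / Lateral-Thinking Puzzles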

Published 2024-11-06 10:07:35. When reposting, please keep the link to this article (CN-SEC中文网: thanks to the original author for the hard work): https://cn-sec.com/archives/3360960.html
