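A few CTF Misc challenges I wrote a long time ago, suitable for beginners who already have some basics
Mostly here to pad out the blog 💦
》Music《
This challenge tests traffic analysis and steganography skills. Start with the packet capture: analysing the HTTP traffic shows that an image (k448.jpg) was downloaded
Extract the image and carve it to get an archive (Staff.zip) and (music.mp3)
Viewing (music.mp3) in the frequency domain reveals the password for the (Staff.zip) archive: Diana!aLove8
Extracting (Staff.zip) yields an encrypted archive (whatthisis.zip), a password-protected document (flag.docx) and a text file (pass.txt)
The text file (pass.txt) contains the key hint REVERSE, which tells us to reverse the value that follows 0A 0A 00 00 00 00. Reversing the entire text also works and exposes the same key information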
93632393439383139313D34696F376E6F637F232F2D6F636E2336313E236963757D6F2F2A33707474786
Reversing it gives
68747470733A2F2F6D757369632E3136332E636F6D2F232F736F6E673F69643D31393138393439323639
Converting the hex back to a string gives the link
https://music.163.com/#/song?id=1918949269
The password is the author's comment in the comment section
T0JRWEc0WjJNWkFHU1kzUElCVkVRWVRQTU5HRzZRQT0=
Decoding order: base64 -> base32
which gives
pass:f@ico@jHbocLo@
The password for the document (whatthisis.zip) is: f@ico@jHbocLo@
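The decoding chain above (reversed hex dump, then stacked base64/base32), as an added example that is not part of the original write-up. The two input strings are the ones quoted above; the function names and the "strictest alphabet first" detection order are assumptions of this sketch.

```python
import base64

# Values quoted in the write-up above.
REVERSED_HEX = ("93632393439383139313D34696F376E6F637F232F2D6F636E2336313E"
                "236963757D6F2F2A33707474786")
COMMENT_TOKEN = "T0JRWEc0WjJNWkFHU1kzUElCVkVRWVRQTU5HRzZRQT0="


def unreverse_hex(text):
    """Undo a character-wise reversal of a hex dump, then decode the bytes."""
    return bytes.fromhex(text[::-1]).decode("ascii")


def peel(token):
    """Strip stacked encodings; return (layer names in order, final text).

    Base32 is tried before Base64 because a Base32 string can also parse
    as Base64 and would then decode to garbage instead of the next layer.
    """
    decoders = (("base32", base64.b32decode),
                ("base64", lambda t: base64.b64decode(t, validate=True)))
    layers = []
    while True:
        for name, decode in decoders:
            try:
                plain = decode(token).decode("ascii")
            except ValueError:      # covers binascii.Error and UnicodeDecodeError
                continue
            if plain and plain.isprintable():
                layers.append(name)
                token = plain
                break
        else:                       # no decoder accepted the token: done
            return layers, token


if __name__ == "__main__":
    print(unreverse_hex(REVERSED_HEX))
    print(peel(COMMENT_TOKEN))
```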
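After opening the document, press Ctrl+A and then Ctrl+D and untick the hidden-text option; at this point nothing on screen appears to change
Press Ctrl+A again and a small block of text shows up; enlarging it gives the password for the archive (flag.zip): 0llo00llllO0o0o0lOo0l0IolIlIIolO0llO00ll0lIO0IIo0lIoO0I00OOOlIIO
Extracting the archive gives an osu file. Playing the OSU beatmap yields a fake flag, but a closer look shows a hint at the very top: "Look at your MAP Settings"
Open the Osu Editor (right-click -> Edit), then press F4 or use the menu bar View -> Map Settings, and there is something in the Tag field
It is a string encrypted as musical notes; copy it out and decode it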
‖♬♩‖¶♯‖♬♭‖♬♫‖♫♪♭♯♩‖‖‖‖♩♬‖♬♪‖♩♫♭♭♭‖‖♭‖♩♫♭♭♭♭‖♯‖♬♪‖♩♩‖♩¶‖♫§♭♭♭♭♭♬‖♩¶♭♯♩♭♯♩‖♫§♭♭♭‖¶♬‖‖♭‖♬♫‖♬♬♭‖‖‖♫♫§=
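Alternatively, unzip the osz file directly (an osu beatmap osz is itself just a zip archive) and look at the *.osu file to find the Tag information
Final flag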
flag{N0tes_1s_Veruy_FuNNy_R1ghT}
》Diana《
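The challenge first provides the 0/1 data of an Aztec Code. Write a script to rebuild the Aztec symbol, adding the Aztec finder pattern in the centre
Scanning the code gives a download link
Extracting the download gives an image
binwalk carves out an audio file, and SSTV (slow-scan television) decoding gives the password for the archive (flag.zip)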
dMP1c2mZ6n
Extracting the flag archive yields a pile of SMS PDU data. After discarding the dirty (嘉然) data, write a script to extract the key data
Decoding gives
Hi, Diana. How are you doing today?
挺不错的,今天播了几十分钟,赚了很多钱
是嘛,赚了很多钱对吧
来让我看看
不要啦,
听话,让我康康
欸你干嘛啦,好好好,给你看
哇,Diana!我真的好喜欢你啊!
Finally, an image is extracted
Running the image as a program with npiet prints the flag
flag{3n8Gyn3_928cv1ms1X8HibH4aN6B5A1_19ZceX4nnPq7}
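The PDU filtering step described in this challenge, as an added example that is not the author's script: it parses SMS-SUBMIT PDUs with UCS2 user data, drops chat and single-character noise messages, and joins the messages that are pure hex text into the carried file. The sample PDUs are constructed (placeholder phone numbers, a PNG signature as payload), and the "keep only even-length upper-case hex text" filter is an assumption about what counts as dirty data.

```python
import re

HEX_TEXT = re.compile(r"(?:[0-9A-F]{2})+")

# Constructed sample PDUs (placeholder numbers, not the challenge data).
SAMPLE = [
    "0001000B915155550501F000080400480069",                          # chat: "Hi"
    "0001000B915155550501F000081000380039003500300034004500340037",  # "89504E47"
    "07915155550501F001000B915155550501F00008024E2D",                # noise: one CJK char
    "0021000B915155550501F000081000300044003000410031004100300041",  # "0D0A1A0A"
]


def parse_submit_pdu(pdu_hex):
    """Return (destination, text) for an SMS-SUBMIT PDU with UCS2 user data."""
    b = bytes.fromhex(pdu_hex)
    i = 1 + b[0]                          # skip SMSC length octet and SMSC address
    first = b[i]
    if first & 0x03 != 0x01:              # TP-MTI must be 01 (SUBMIT)
        raise ValueError("not an SMS-SUBMIT PDU")
    vp_len = {0: 0, 1: 7, 2: 1, 3: 7}[(first >> 3) & 0x03]   # TP-VPF
    i += 2                                # first octet + TP-MR
    digits = b[i]                         # TP-DA length, counted in digits
    i += 2                                # length octet + type-of-address
    n = (digits + 1) // 2
    # Semi-octets are nibble-swapped; an odd digit count is padded with F.
    dest = "".join(f"{x & 0x0F:X}{x >> 4:X}" for x in b[i:i + n])[:digits]
    i += n
    dcs = b[i + 1]                        # b[i] is TP-PID
    i += 2 + vp_len
    udl = b[i]                            # for UCS2 this is a byte count
    if dcs != 0x08:
        raise ValueError("only UCS2 (DCS 0x08) is handled here")
    return dest, b[i + 1:i + 1 + udl].decode("utf-16-be")


def carve_payload(pdus):
    """Join the messages that are pure hex text and return the decoded bytes."""
    parts = [t for _, t in map(parse_submit_pdu, pdus) if HEX_TEXT.fullmatch(t)]
    return bytes.fromhex("".join(parts))


if __name__ == "__main__":
    for pdu in SAMPLE:
        print(parse_submit_pdu(pdu))
    print(carve_payload(SAMPLE))
```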
》WOW!!!《
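This challenge requires dancing an otaku dance in front of the camera, the more people the better. I recommend "Motteke! Sailor Fuku" from Lucky Star
Once the number of recognised heads == 6, a gift is generated locally. The gift is a docx file that hides an mp3 steganography file (header4) and an LSB steganography image (header5)
You can also decompile the Python program directly (mainly for those who cannot get it to run)
The face recognition is only there to make it more fun 🥰, I hope everyone enjoys it
Decoding the modem data stream in the wav file (header4) gives a string of base64-encoded Ook! data
The baud rate is 300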
+++++ ++[-> +++++ ++<]> ..<++ +++[- >++++ +<]>+ +++++ ++++. --.<+ ++++[
->+++ ++<]> .<+++ ++++[ ->--- ----< ]>--- ----- -.<++ +++[- >++++ +<]>+
.<+++ ++[-> +++++ <]>+. <++++ +++[- >---- ---<] >---. +++++ .<+++ ++[->
+++++ <]>++ +++++ +++.< +++++ +[->- ----- <]>-. .<+++ +++[- >++++ ++<]>
+++++ +++++ ++.++ ++.<+ +++++ [->-- ----< ]>--- .---- ----- .<
Decoding the Ook! gives the password for the LSB steganography image (header5)
11TRk1Ke16Y44dhA8
LSB extraction yields a pile of data
https://github.com/livz/cloacked-pixel
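After applying ROT13
it turns out to be in JPG file format
which gives an image
An image with a hidden watermark...
After tuning the parameters, the text shows up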
flag{5Q8qP65U8zqMr}
》Easy Disk《
8c26ffa4ca12b34844628f6ab22b780c_iscc.xmutsec.iloli.moe
PS:flag{Part1+Joe's Password+Part2}
First run nslookup on xxx.iloli.moe to get the TXT record, which contains base85 data,
decoding it gives pikachu code
pi pi pi pi pi pi pi pi pi pi pika pipi pi pipi pi pi pi pipi pi pi pi pi pi pi pi pipi pi pi pi pi pi pi pi pi pi pi pichu pichu pichu pichu ka chu pipi pipi pipi pipi pi pi pi pi pikachu pi pi pi pi pi pi pi pi pi pi pi pi pikachu pikachu ka ka ka ka pikachu pi pi pi pikachu pichu ka ka ka ka ka ka ka ka ka ka ka ka pikachu ka ka ka ka ka ka ka ka ka ka ka pikachu pikachu pipi pikachu ka ka ka ka ka ka ka ka ka ka ka pikachu ka ka ka ka ka ka ka pikachu pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pikachu ka ka ka ka ka ka ka ka ka ka ka ka ka pikachu pichu ka pikachu pipi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pikachu ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka pikachu pi pi pi pi pikachu pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pikachu ka ka ka ka pikachu ka ka ka ka ka ka ka pikachu pichu pikachu pipi ka ka ka ka ka ka ka ka ka ka ka pikachu pi pi pi pi pi pi pi pi pi pi pi pi pikachu ka ka pikachu pichu pi pikachu pipi ka ka ka ka ka ka ka ka pikachu pichu pi pi pi pi pi pi pi pikachu pi pi pi pi pi pi pi pi pi pi pi pi pi pi pikachu pi pi pi pi pi pi pi pi pi pikachu pipi pi pi pikachu pichu ka ka ka ka ka ka ka ka pikachu pi pi pi pi pikachu ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka ka pikachu ka ka ka ka ka ka pikachu pipi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pikachu pichu pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pikachu pipi ka ka ka pikachu pichu pi pi pi pi pi pi pi pikachu pichu pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pi pikachu ka ka ka pikachu
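Decoding the pikachu code gives the download address
After downloading, readme.txt tells us the task is data recovery and forensics.
The readme.txt file
Mount the disk directly: the first partition turns out to be damaged
The second partition is protected by BitLocker
Open the disk in WinHex and look at the MBR: the partition address has been deleted
Locate the address of the first partition
Then go back to the MBR
and write the partition address back into the MBR, then fill in the partition type... recovery succeeds......
Remount the disk: two partitions now show up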
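The manual WinHex repair above, scripted as an added example that is not part of the original write-up. It assumes the lost partition is NTFS (the page does not name the filesystem) and runs on a small constructed in-memory image; all function names are hypothetical.

```python
import struct

SECTOR = 512
TABLE = 446            # offset of the four 16-byte partition entries in the MBR


def read_table(img):
    """Return [(type, first_lba, sector_count)] for the four MBR slots."""
    return [struct.unpack_from("<4xB3xII", img, TABLE + 16 * n) for n in range(4)]


def find_ntfs(img):
    """Scan sector by sector for an NTFS boot sector; return (lba, sectors)."""
    for lba in range(1, len(img) // SECTOR):
        s = img[lba * SECTOR:(lba + 1) * SECTOR]
        if s[3:11] == b"NTFS    " and s[510:] == b"\x55\xaa":
            total = struct.unpack_from("<Q", s, 0x28)[0]
            return lba, total + 1     # +1: backup boot sector follows the volume
    return None


def restore_entry(img, slot, lba, count, ptype=0x07):
    """Write an LBA-only partition entry (CHS fields saturated) into the MBR."""
    if img[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 has no MBR signature")
    struct.pack_into("<B3sB3sII", img, TABLE + 16 * slot,
                     0x00, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba, count)


def make_demo_disk():
    """Constructed 64-sector image: wiped slot 0, NTFS boot sector at LBA 8."""
    img = bytearray(64 * SECTOR)
    img[510:512] = b"\x55\xaa"
    boot = 8 * SECTOR
    img[boot + 3:boot + 11] = b"NTFS    "
    struct.pack_into("<Q", img, boot + 0x28, 39)    # volume spans 39 sectors
    img[boot + 510:boot + 512] = b"\x55\xaa"
    return img


if __name__ == "__main__":
    disk = make_demo_disk()
    print("before:", read_table(disk)[0])
    restore_entry(disk, 0, *find_ntfs(disk))
    print("after: ", read_table(disk)[0])
```

Work on a copy of the evidence image, never the original, so the untouched MBR stays available for comparison.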
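Partition 1
Contents of readme.txt
Easter egg:
You know what I mean
Brute-forcing the CRC32 of ahahahah.png shows that the height does not match
After fixing the height, the BitLocker key appears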
686224-303292-585959-348568-718696-444224-102377-435171
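The CRC32 height brute force used on ahahahah.png, as an added example that is not the author's script. It relies on the stored IHDR CRC still belonging to the original dimensions; the sample header is constructed (640x480 with the height field lowered to 120), and the function names are hypothetical.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def ihdr_ok(png):
    """True when the stored IHDR CRC matches the IHDR type and data bytes."""
    return zlib.crc32(png[12:29]) == struct.unpack(">I", png[29:33])[0]


def recover_height(png, limit=8192):
    """Brute-force the IHDR height against the stored CRC.

    Returns (height, repaired PNG bytes). Only the height field is varied,
    so a width that was also changed will not be found.
    """
    if png[:8] != PNG_SIG or png[12:16] != b"IHDR":
        raise ValueError("not a PNG with a leading IHDR chunk")
    stored = struct.unpack(">I", png[29:33])[0]
    ihdr = bytearray(png[12:29])          # chunk type + 13 data bytes
    for height in range(1, limit + 1):
        struct.pack_into(">I", ihdr, 8, height)
        if zlib.crc32(ihdr) == stored:
            return height, png[:12] + bytes(ihdr) + png[29:]
    raise ValueError("no height up to the limit matches the stored CRC")


def make_cropped_header(width=640, true_height=480, shown_height=120):
    """Constructed sample: the height is lowered after the CRC was computed."""
    body = b"IHDR" + struct.pack(">IIBBBBB", width, true_height, 8, 2, 0, 0, 0)
    crc = struct.pack(">I", zlib.crc32(body))
    tampered = body[:8] + struct.pack(">I", shown_height) + body[12:]
    return PNG_SIG + struct.pack(">I", 13) + tampered + crc


if __name__ == "__main__":
    sample = make_cropped_header()
    print("CRC valid before:", ihdr_ok(sample))
    height, fixed = recover_height(sample)
    print("recovered height:", height, "CRC valid after:", ihdr_ok(fixed))
```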
Partition 2
After unlocking, we get flag.raw and readme1.txt.
flag.raw
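Contents of readme1.txt
First check the system architecture (Win7SP1x86_23418)
The challenge asks for the hacker's password, so dump the hashes directly or use mimikatz
There is a hacker user; cracking the hash value gives
The hacker's password is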
maggie
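This was later changed to obtaining the password of the user Joe; Joe's plaintext password resolves to pass.123
Also list the processes to look for key information: the challenge author had notepad.exe and mspaint.exe open
Dump mspaint.exe, which gives
Opening it in PS gives
Then adjust the size and keep shifting the offset (4613436,739,1350), which gives
After downloading the image and processing it a little, we get
which gives a string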
Rr25957Q343H2y8f
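Check the desktop
It contains flag.jpg and hijack.zip. Dump both of them:
flag.jpg(0x000000000faeb978)
hijack.zip(0x000000000faf4868)
This gives two images
Checking flag.jpg shows that it uses JPHS steganography; the password is the content of the image above
After seek, we get flag1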
flag{gCXp4V4bQWKLy_
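Next, inspect the notepad.exe process, which contains strange data
After saving it as text, the string length does not match the total length, which suggests zero-width character steganography
which gives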
&HZjG9oecvkp~5IT=l
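This turns out to be the password for hijack.zip; extracting it yields a number of images
Each image is 6 pixels wide; write a script to reassemble them
The result is a barcode; scanning it gives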
5f6d3531413675365a41315478357d
Converting it to a string gives the second half of the flag
_m51A6u6ZA1Tx5}
flag{gCXp4V4bQWKLy_pass.123_m51A6u6ZA1Tx5}
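The Misc challenges this time were very simple
There are still many ideas I want to implement www
Originally published on the WeChat official account (Gh0xE9): Sharing a few multi-stage / brain-teaser MISC challenges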