三尺非寒 posted on 2024-6-16 21:58:00

BUUCTF-Misc(151-160)

第四扩展FS (Fourth Extended FS)

Extract the embedded data with binwalk.
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240616202040095-1348899680.png
This yields an encrypted archive; the password is in the image's comment field: Pactera
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240616202039463-294883703.png
The archive extracts to a text file.
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240616202038593-756325677.png
Counting character frequencies gives the flag.
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240616202037493-1108917965.png
flag{huanwe1sik4o!}

Beautiful_Side

Open the file in 010 Editor; there is a png file inside, so we extract it.
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240616202036754-1708766935.png
It turns out to be half of a QR code.
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240616202035915-1805354033.png
Then open QRazyBox - QR Code Analysis and Recovery Toolkit (merri.cx) to reconstruct it. First create a blank QR code.
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240616202035288-188552790.png
Then load the image.
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240616202034756-1700733571.png
Trace the modules over the image, then scan. I didn't do this step here.
flag{OQWIC_4DS1A_S034S}

remote-multimedia-controller

Follow the stream and you find a long base64 string.
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240616202034040-1920688619.png
Then decode it in CyberChef.
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240616202033557-1336440038.png

行为艺术 (Performance Art)

The image shows the hex of a zip archive, starting with the classic 50 4B 03 04, but part of it seems to be missing.
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240616202032913-412133722.png
We fix the image's width and height, using 风二西's one-shot width/height tool.
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240616202030917-594257104.png
Then transcribe the hex by hand.
Then create a new hex file in 010 Editor, paste the bytes in, and save it as a zip file.
Extracting it asks for a password, but this turns out to be pseudo-encryption, so we just patch it.
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240616202028751-32158684.png
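What pseudo-encryption means at the byte level, as an added example (not from the original post): bit 0 of the general-purpose flags marks an entry as encrypted although its data never was, so clearing the bit and verifying the CRCs confirms the diagnosis. The sample archive is constructed in the code and the function names are illustrative.

```python
import io, struct, zipfile, zlib

def entry_flags(data):
    """Yield (name, local_flags, central_flags, local_off, central_off) per entry."""
    eocd = data.rfind(b"PK\x05\x06")              # end-of-central-directory record
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _size, pos = struct.unpack_from("<HII", data, eocd + 10)
    for _ in range(count):
        if data[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("bad central directory header")
        cflags, = struct.unpack_from("<H", data, pos + 8)
        nlen, elen, clen = struct.unpack_from("<HHH", data, pos + 28)
        lho, = struct.unpack_from("<I", data, pos + 42)   # local header offset
        lflags, = struct.unpack_from("<H", data, lho + 6)
        name = data[pos + 46:pos + 46 + nlen].decode("cp437")
        yield name, lflags, cflags, lho + 6, pos + 8
        pos += 46 + nlen + elen + clen

def clear_encrypt_bit(data):
    """Return a copy with flag bit 0 cleared in every local and central header."""
    buf = bytearray(data)
    for _, lflags, cflags, loff, coff in entry_flags(data):
        struct.pack_into("<H", buf, loff, lflags & 0xFFFE)
        struct.pack_into("<H", buf, coff, cflags & 0xFFFE)
    return bytes(buf)

def is_pseudo_encrypted(data):
    """True if an entry claims encryption but all CRCs verify with bit 0 cleared."""
    if not any((lf | cf) & 1 for _, lf, cf, _, _ in entry_flags(data)):
        return False
    try:
        patched = zipfile.ZipFile(io.BytesIO(clear_encrypt_bit(data)))
        return patched.testzip() is None
    except (zipfile.BadZipFile, zlib.error):
        return False          # data really is ciphertext, or the archive is damaged

def make_sample():
    """Constructed archive: flag.txt stored in clear, central header says encrypted."""
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("flag.txt", "constructed sample, not the challenge data")
    buf = bytearray(bio.getvalue())
    (_, _, cflags, _, coff), = entry_flags(bytes(buf))
    struct.pack_into("<H", buf, coff, cflags | 1)
    return bytes(buf)
```

A mismatch between the local and central flag words, as in the constructed sample, is itself a strong hint; the CRC check is what settles it.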
That extracts a flag.txt.
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240616202028220-1585469400.png
Its contents are Brainfuck; decode it.
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240616202027742-307385958.png

AutoKey

Reference:
[XMAN2018排位赛]AutoKey_autokey(autokeycipher)-CSDN博客
Opening the capture shows that it is USB traffic.
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240616202027116-1656282904.png
Let's try mumuzi's keyboard/mouse traffic tool.
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240616202026371-985871208.png
MPLRVFFCZEYOUJFJKYBXGZVDGQAURKXZOLKOLVTUFBLRNJESQITWAHXNSIJXPNMPLSHCJBTYHZEALOGVIAAISSPLFHLFSWFEHJNCRWHTINSMAMBVEXPZIZ
Next comes brute-forcing the autokey cipher. This needs the breakautokey tool; search online for how to use it.
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240616202025322-1952273762.png
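Why an autokey key can be recovered at all, as an added example (not from the original post, and not how breakautokey works): after the first L letters the keystream is the plaintext itself, so a known stretch of plaintext fixes the key length and unrolls everything before it. It assumes the letters inside the flag this writeup arrives at are the last letters of the plaintext; the function names are illustrative.

```python
A = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Ciphertext and flag letters as given in the writeup.
CT = ("MPLRVFFCZEYOUJFJKYBXGZVDGQAURKXZOLKOLVTU"
      "FBLRNJESQITWAHXNSIJXPNMPLSHCJBTYHZEALOGV"
      "IAAISSPLFHLFSWFEHJNCRWHTINSMAMBVEXPZIZ")
CRIB = "JHAWLZKEWXHNCDHSLWBAQJTUQZDXZQPF"   # assumed to be the plaintext tail

def sub(c, k):
    """Vigenere-style subtraction: (c - k) mod 26."""
    return A[(A.index(c) - A.index(k)) % 26]

def key_lengths(ct, crib, max_len=16):
    """Key lengths for which the crib, taken as the plaintext tail, is self-consistent."""
    start = len(ct) - len(crib)
    return [L for L in range(1, max_len + 1)
            if all(sub(ct[i], crib[i - start]) == crib[i - start - L]
                   for i in range(start + L, len(ct)))]

def unroll(ct, crib, L):
    """Walk backward from the crib; return (key, plaintext). Needs len(crib) >= L."""
    p = [""] * (len(ct) - len(crib)) + list(crib)
    for i in range(len(ct) - 1, L - 1, -1):
        p[i - L] = sub(ct[i], p[i])      # keystream letter = plaintext L places back
    key = "".join(sub(ct[i], p[i]) for i in range(L))
    return key, "".join(p)

def autokey_decrypt(ct, key):
    """Ordinary forward decryption, used to confirm the recovered key."""
    ks, out = list(key), []
    for i, c in enumerate(ct):
        out.append(sub(c, ks[i]))
        ks.append(out[-1])               # each plaintext letter extends the keystream
    return "".join(out)

if __name__ == "__main__":
    (L,) = key_lengths(CT, CRIB)
    key, plaintext = unroll(CT, CRIB, L)
    print(L, key, plaintext)
```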
The result is
flag{JHAWLZKEWXHNCDHSLWBAQJTUQZDXZQPF}

not so deep

Reference: INSHack2018 so deep 音频隐写 - Nemuzuki - 博客园 (cnblogs.com) (https://www.cnblogs.com/nemuzuki/p/17205719.html)
Open the file in Audacity and go straight to the spectrogram.
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240616202024688-781716645.png
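This shows only half of the flag, so where is the other half?
The hint points to DeepSound steganography, and opening the file there requires a password.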
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240616202023280-1246511776.png
First we extract the password hash from this wav, then brute-force it with john.
#! python3

import logging
import os
import sys
import textwrap


def decode_data_low(buf):
    return buf[::2]

def decode_data_normal(buf):
    # One hidden byte per 4 carrier bytes: low nibbles of bytes i and i + 2
    out = bytearray()
    for i in range(0, len(buf), 4):
        out.append((buf[i] & 15) << 4 | (buf[i + 2] & 15))
    return out

def decode_data_high(buf):
    # One hidden byte per 8 carrier bytes: low 2 bits of every other byte
    out = bytearray()
    for i in range(0, len(buf), 8):
        out.append((buf[i] & 3) << 6     | (buf[i + 2] & 3) << 4 \
                 | (buf[i + 4] & 3) << 2 | (buf[i + 6] & 3))
    return out


def is_magic(buf):
    # This is a more efficient way of testing for the `DSCF` magic header without
    # decoding the whole buffer
    return (buf[0] & 15)  == (68 >> 4) and (buf[2] & 15)  == (68 & 15) \
       and (buf[4] & 15)  == (83 >> 4) and (buf[6] & 15)  == (83 & 15) \
       and (buf[8] & 15)  == (67 >> 4) and (buf[10] & 15) == (67 & 15) \
       and (buf[12] & 15) == (70 >> 4) and (buf[14] & 15) == (70 & 15)

def is_wave(buf):
    return buf[0:4] == b'RIFF' and buf[8:12] == b'WAVE'


def process_deepsound_file(f):
    bname = os.path.basename(f.name)
    logger = logging.getLogger(bname)

    # Check if it's a .wav file
    buf = f.read(12)
    if not is_wave(buf):
        global convert_warn
        logger.error('file not in .wav format')
        convert_warn = True
        return
    f.seek(0, os.SEEK_SET)

    # Scan for the marker...
    hdrsz = 104
    hdr = None
    while True:
        off = f.tell()
        buf = f.read(hdrsz)
        if len(buf) < hdrsz:
            break
        if is_magic(buf):
            hdr = decode_data_normal(buf)
            logger.info('found DeepSound header at offset %i', off)
            break
        f.seek(-hdrsz + 1, os.SEEK_CUR)
    if hdr is None:
        logger.warning('does not appear to be a DeepSound file')
        return

    # Check some header fields: 4-byte magic, mode, encryption flag, SHA-1
    mode = hdr[4]
    encrypted = hdr[5]
    modes = {2: 'low', 4: 'normal', 8: 'high'}
    if mode in modes:
        logger.info('data is encoded in %s-quality mode', modes[mode])
    else:
        logger.error('unexpected data encoding mode %i', mode)
        return
    if encrypted == 0:
        logger.warning('file is not encrypted')
        return
    elif encrypted != 1:
        logger.error('unexpected encryption flag %i', encrypted)
        return

    # Print the hash in the format john expects
    sha1 = hdr[6:6 + 20]
    print('%s:$dynamic_1529$%s' % (bname, sha1.hex()))


if __name__ == '__main__':
    import argparse
    parser = argparse.ArgumentParser()
    parser.add_argument('--verbose', '-v', action='store_true')
    parser.add_argument('files', nargs='+', metavar='file',
        type=argparse.FileType('rb', bufsize=4096))
    args = parser.parse_args()
    if args.verbose:
        logging.basicConfig(level=logging.INFO)
    else:
        logging.basicConfig(level=logging.WARN)
    convert_warn = False
    for f in args.files:
        process_deepsound_file(f)
    if convert_warn:
        print(textwrap.dedent('''
        Some files were not in .wav format.
        Convert them to .wav and try again.
        ''').rstrip(), file=sys.stderr)

This gives us the hash, which we then crack with john.
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240616202022478-2044542630.png
The password is azerty; use it to extract the hidden file.
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240616202021503-1250406787.png
Finally, join the two halves of the flag.
flag{Aud1o_st3G4n0_1s_4lwayS_Th3_S4me}

X-man-Keyword

Reference: [QCTF2018]X-man-Keyword-CSDN博客
Opening the image shows:
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240616202021088-738303633.png
Carving files out of it then yields a zlib file, which suggests LSB steganography, so we extract the LSB data.
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240616202020631-1147477641.png
BUUCTF leaves out the hints:
Welcome to QCTF

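hint1: try putting the given keyword at the front

hint2: a substitution that moves the keyword to the front
We just run it through the 随波逐流 tool (though it seems letter case has to be respected, so fix the case at the end).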
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240616202019840-1394020011.png
flag{cCgeLdnrIBCX9G1g13KFfeLNsnMRdOwf}

10-cl0v3rf13ld-lane-signal

foremost extracts two images.
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240616202019339-1777028448.png
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240616202018611-693127665.png
Zooming in on the first image reveals something.
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240616202017319-1459734705.png
.... . .-.. .--. -- .
helpme
Looking at the original file, there is another file after the png data.
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240616202016869-936981638.png
We carve it out and save it with an .ogg extension.
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240616202015691-210005346.png
Open it in Audacity; it is Morse code.
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240616202015043-2059581782.png
.. -. ... .- -.--. -- ----- .-. ..... ...-- ..--.- .-- .---- .-.. .-.. ..--.- -. ...-- ...- ...-- .-. ..--.- ....- --. ...-- -.-.-- -.--.-
Then decode it on the website 在线摩斯密码翻译器 (lddgo.net).
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240616202014359-821499614.png

探求xxx (Seeking xxx)

Listening to the audio, it sounds like phone dialing tones, so we identify them on the website Detect DTMF Tones (dialabc.com).
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240616202013863-543875504.png
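18684221609
The next step is sending this to a WeChat official account; I looked up a writeup, so I'll just give the flag here.
flag{Oh!!!!!_Y0u_f1nd_my_secret}

一路到底 (All the Way to the End)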

Reference: BUUCTF:一路到底_buuctf 一路到底-CSDN博客
There is a pile of text files, and the number at the start of each one hides something.
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240616202013434-2009187411.png
Convert it to hexadecimal.
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240616202012989-431607122.png
Then look at the next file the hint points to: 03 04 is missing a 0, so we need to pad it.
https://img2023.cnblogs.com/blog/3439569/202406/3439569-20240616202010968-1102683864.png
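Then use the script from the referenced writeup:
import binascii
import re

FILES_DIR = './files/'

def read_entry(path):
    # Each file starts with a decimal number and ends with the
    # 36-character name of the next file
    with open(path) as f:
        cont = f.read().strip()
    number = int(re.match(r'\d+', cont).group())
    return number, cont[-36:]

hexdata = ''
nexttxt = 'start.txt'
while True:
    try:
        number, nexttxt = read_entry(FILES_DIR + nexttxt)
    except (OSError, AttributeError):
        break  # no such file, or no leading number: end of the chain
    # Pad to 4 hex digits so a value such as 0x0304 keeps its leading zero
    hexdata += '{:04x}'.format(number)

with open('flag.zip', 'wb') as f:
    f.write(binascii.unhexlify(hexdata))

I didn't want to wait any longer. The output is a zip archive; brute-force its password (remember to tick digits and lowercase letters). The extracted file has a wrong file header; change it to the jpg one.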
