MISC Practice 12

Posted by starme on 2024-10-16

[Anxun Cup (安洵杯) 2020]BeCare4

Attachments: a password-protected flag.7z and npmtxt

Open npmtxt in 010 Editor. It contains a story, but there is data hidden in the story by steganography.

The password is RealV1siBle

Use this password to extract flag.7z, which gives Beauty_with_noword.jpg

Decode it with SilentEye.

[NSSRound#3 Team]funnypng

https://blog.csdn.net/gou1791241251/article/details/124809703

https://blog.csdn.net/qq_47875210/article/details/127719295

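Attachment: funnypng.png

First open it in stegsolve and look at what each channel shows.

This gives half of a QR code; the next step is to find the other half.

Use Data Extract to check for LSB or MSB steganography (it is usually in the low bits), but nothing odd turns up.

Next, check the image properties: the bit depth is 48, which is fairly large.

In addition, stegsolve showed that the A channel is actually blank, so the image has only the three RGB channels. Each channel is therefore 48/3 = 16 bits deep, which means the image hides an extra 8 bits of information.

Rewrite every pixel of the original image, keeping only the low 8 bits of each sample, and change the depth to 8 bits: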

import png  # pip install pypng

# Read the source image; the rows hold 16-bit samples (R, G, B, R, G, B, ...).
img = png.Reader('funnypng.png')
w, h, imgdata = img.read()[:3]

# Keep only the low 8 bits of every 16-bit sample.
data = []
for linedata in imgdata:
    data.append([d % (2 ** 8) for d in linedata])

# Write the low bytes out as an ordinary 8-bit RGB PNG.
with open('front2.png', 'wb') as f:
    img2 = png.Writer(width=w, height=h, greyscale=False, bitdepth=8)
    img2.write(f, data)

Run it on Kali.

Then open the generated front2.png in stegsolve; the other half of the QR code shows up in Blue plane 0.
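The same check without pypng, as an added example that is not part of the original write-up: it parses a 16-bit RGB PNG with the standard library, confirms 3 x 16 = 48 bits per pixel, and reads bit 0 of the low byte of each Blue sample. The 4x2 sample image, the helper names and the restriction to scanline filter type 0 are assumptions of this example.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _chunk(tag, body):
    return (struct.pack(">I", len(body)) + tag + body
            + struct.pack(">I", zlib.crc32(tag + body)))

def make_png16(rows):
    """Constructed test input: 16-bit RGB PNG, filter type 0 on each scanline."""
    h, w = len(rows), len(rows[0]) // 3
    raw = b"".join(b"\x00" + struct.pack(">%dH" % (3 * w), *r) for r in rows)
    ihdr = struct.pack(">IIBBBBB", w, h, 16, 2, 0, 0, 0)
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))

def read_samples(png):
    """Return (bits_per_pixel, rows of 16-bit samples) from an RGB16 PNG."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat = 8, b""
    while pos < len(png):
        length, tag = struct.unpack(">I4s", png[pos:pos + 8])
        body = png[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            w, h, depth, ctype = struct.unpack(">IIBB", body[:10])
        elif tag == b"IDAT":
            idat += body
        pos += 12 + length  # length + tag + body + CRC
    if (depth, ctype) != (16, 2):
        raise ValueError("expected 16-bit truecolour (RGB) samples")
    raw, stride = zlib.decompress(idat), 1 + 6 * w
    rows = []
    for y in range(h):
        line = raw[y * stride:(y + 1) * stride]
        if line[0] != 0:  # assumption: unfiltered scanlines only
            raise ValueError("scanline filter not handled in this example")
        rows.append(list(struct.unpack(">%dH" % (3 * w), line[1:])))
    return depth * 3, rows

def low_byte_blue_plane0(rows):
    """Bit 0 of the low byte of every Blue sample."""
    return [[(row[i] & 0xFF) & 1 for i in range(2, len(row), 3)] for row in rows]

# Constructed 4x2 image: high byte is cover data, low Blue byte hides HIDDEN.
HIDDEN = [[1, 0, 1, 1], [0, 1, 0, 0]]
ROWS = [[(0x80 << 8) | (bit if c == 2 else 0) for bit in line for c in range(3)]
        for line in HIDDEN]
```
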

Stitch the two QR code halves together (553*278).

For a QR code with scribbles over it like this one, use QRazyBox: https://merri.cx/qrazybox/

NSSCTF{fbef863db8331e8c63f73d7a04c1cf5b}

[NSSRound#4 SWPU]Type Message

Attachments: D.wav, F.wav, M.wav, T.wav

Decode with dtmf2num:

D:\32.漏洞學習\misc\工具\音訊隱寫\dtmf2num>dtmf2num.exe F.wav

DTMF2NUM 0.2
by Luigi Auriemma
e-mail: aluigi@autistici.org
web:    aluigi.org

- open F.wav
  wave size      89600
  format tag     1
  channels:      1
  samples/sec:   16000
  avg/bytes/sec: 32000
  block align:   2
  bits:          16
  samples:       44800
  bias adjust:   1
  volume peaks:  -32766 32766
  normalize:     1
  resampling to: 8000hz

- MF numbers:    7447

- DTMF numbers:  322217493

D:\32.漏洞學習\misc\工具\音訊隱寫\dtmf2num>dtmf2num.exe M.wav

DTMF2NUM 0.2
by Luigi Auriemma
e-mail: aluigi@autistici.org
web:    aluigi.org

- open M.wav
  wave size      134400
  format tag     1
  channels:      1
  samples/sec:   16000
  avg/bytes/sec: 32000
  block align:   2
  bits:          16
  samples:       67200
  bias adjust:   0
  volume peaks:  -32764 32765
  normalize:     2
  resampling to: 8000hz

- MF numbers:    7744777

- DTMF numbers:  7333221535393

D:\32.漏洞學習\misc\工具\音訊隱寫\dtmf2num>dtmf2num.exe T.wav

DTMF2NUM 0.2
by Luigi Auriemma
e-mail: aluigi@autistici.org
web:    aluigi.org

- open T.wav
  wave size      134400
  format tag     1
  channels:      1
  samples/sec:   16000
  avg/bytes/sec: 32000
  block align:   2
  bits:          16
  samples:       67200
  bias adjust:   -2
  volume peaks:  -32765 32764
  normalize:     3
  resampling to: 8000hz

- MF numbers:    7777

- DTMF numbers:  3118161334374

627474238133 
322217493
7333221535393
3118161334374

The actual values are (the 3rd digit is redundant):

627474238133
32217493
733221535393
318161334374

A site mentioned in other write-ups: http://dialabc.com/sound/detect/index.html

This turns out to be a phone keypad encoding:

62 74 74 23 81 33 NSSCTF
32 21 74 93  EASY
73 32 21 53 53 93  REALLY 
31 81 61 33 43 74  DTMFIS

That is, NSSCTF{DTMFISREALLYEASY}
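The keypad step above as an added example, not part of the original write-up: each pair of digits is read as (key, position of the letter on that key), and the 3rd digit of the raw dtmf2num output is dropped first, as the write-up does. The function names are assumptions of this example; the digit strings are the ones shown on the page.

```python
# Letters on each phone key; a pair "KP" means key K, P-th letter on that key.
KEYPAD = {"2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
          "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ"}

def decode_keypad_pairs(digits):
    """Decode a digit string of (key, position) pairs; raise on bad input."""
    if len(digits) % 2:
        raise ValueError(f"odd length {len(digits)}: a stray digit is present")
    out = []
    for i in range(0, len(digits), 2):
        key, pos = digits[i], int(digits[i + 1])
        letters = KEYPAD.get(key)
        if letters is None or not 1 <= pos <= len(letters):
            raise ValueError(f"invalid pair {digits[i:i + 2]!r} at offset {i}")
        out.append(letters[pos - 1])
    return "".join(out)

def drop_digit(digits, index):
    """Remove the digit at 1-based position `index` (the write-up drops the 3rd)."""
    return digits[:index - 1] + digits[index:]

# Raw dtmf2num output for F.wav, M.wav and T.wav as shown on the page.
RAW = ["322217493", "7333221535393", "3118161334374"]
# The first string on the page (627474238133) needs no correction.
WORDS = [decode_keypad_pairs("627474238133")] + \
        [decode_keypad_pairs(drop_digit(r, 3)) for r in RAW]
```
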

[Xihu Lunjian (西湖論劍) 2022]mp3

Attachment: cipher.mp3

Running foremost on it yields a PNG.

Then use zsteg:

zsteg mp3.png  # something is found
zsteg mp3.png -E 'b1,r,lsb,xy' > 1.zip  # extract the archive

This yields 1.zip, but it needs a password.

Decode with MP3Stego (the default, with no password, is enough) to get cipher.mp3.txt

cipher.mp3.txt:

8750d5109208213f

Use this as the password to extract the zip, which gives 47.txt

47.txt:

2lO,.j2lL000iZZ2[2222iWP,.ZQQX,2.[002iZZ2[2020iWP,.ZQQX,2.[020iZZ2[2022iWLNZQQX,2.[2202iW2,2.ZQQX,2.[022iZZ2[2220iWPQQZQQX,2.[200iZZ2[202iZZ2[2200iWLNZQQX,2.[220iZZ2[222iZZ2[2000iZZ2[2002iZZ2Nj2]20lW2]20l2ZQQX,2]202.ZW2]02l2]20,2]002.XZW2]22lW2]2ZQQX,2]002.XZWWP2XZQQX,2]022.ZW2]00l2]20,2]220.XZW2]2lWPQQZQQX,2]002.XZW2]0lWPQQZQQX,2]020.XZ2]20,2]202.Z2]00Z2]02Z2]2j2]22l2]2ZWPQQZQQX,2]022.Z2]00Z2]0Z2]2Z2]22j2]2lW2]000X,2]20.,2]20.j2]2W2]2W2]22ZQ-QQZ2]2020ZWP,.ZQQX,2]020.Z2]2220ZQ--QZ2]002Z2]220Z2]020Z2]00ZQW---Q--QZ2]002Z2]000Z2]200ZQ--QZ2]002Z2]000Z2]002ZQ--QZ2]002Z2]020Z2]022ZQ--QZ2]002Z2]000Z2]022ZQ--QZ2]002Z2]020Z2]200ZQ--QZ2]002Z2]000Z2]220ZQLQZ2]2222Z2]2000Z2]000Z2]2002Z2]222Z2]020Z2]202Z2]222Z2]2202Z2]220Z2]2002Z2]2002Z2]2202Z2]222Z2]2222Z2]2202Z2]2022Z2]2020Z2]222Z2]2220Z2]2002Z2]222Z2]2020Z2]002Z2]202Z2]2200Z2]200Z2]2222Z2]2002Z2]200Z2]2022Z2]200ZQN---Q--QZ2]200Z2]000ZQXjQZQ-QQXWXXWXj

The many repeated digits and letters suggest that a ROT cipher is needed.

After some trial and error, rot47 gives:

a=~[];a={___:++a,aaaa:(![]+"")[a],__a:++a,a_a_:(![]+"")[a],_a_:++a,a_aa:({}+"")[a],aa_a:(a[a]+"")[a],_aa:++a,aaa_:(!""+"")[a],a__:++a,a_a:++a,aa__:({}+"")[a],aa_:++a,aaa:++a,a___:++a,a__a:++a};a.a_=(a.a_=a+"")[a.a_a]+(a._a=a.a_[a.__a])+(a.aa=(a.a+"")[a.__a])+((!a)+"")[a._aa]+(a.__=a.a_[a.aa_])+(a.a=(!""+"")[a.__a])+(a._=(!""+"")[a._a_])+a.a_[a.a_a]+a.__+a._a+a.a;a.aa=a.a+(!""+"")[a._aa]+a.__+a._+a.a+a.aa;a.a=(a.___)[a.a_][a.a_];a.a(a.a(a.aa+"\""+a.a_a_+(![]+"")[a._a_]+a.aaa_+"\\"+a.__a+a.aa_+a._a_+a.__+"(\\\"\\"+a.__a+a.___+a.a__+"\\"+a.__a+a.___+a.__a+"\\"+a.__a+a._a_+a._aa+"\\"+a.__a+a.___+a._aa+"\\"+a.__a+a._a_+a.a__+"\\"+a.__a+a.___+a.aa_+"{"+a.aaaa+a.a___+a.___+a.a__a+a.aaa+a._a_+a.a_a+a.aaa+a.aa_a+a.aa_+a.a__a+a.a__a+a.aa_a+a.aaa+a.aaaa+a.aa_a+a.a_aa+a.a_a_+a.aaa+a.aaa_+a.a__a+a.aaa+a.a_a_+a.__a+a.a_a+a.aa__+a.a__+a.aaaa+a.a__a+a.a__+a.a_aa+a.a__+"}\\\"\\"+a.a__+a.___+");"+"\"")())();

Run it in the console to get DASCTF{f8097257d699d7fdba7e97a15c4f94b4}

[GKCTF 2021]excel騷操作 (Excel tricks)

Attachment: flag.xlsx

Clicking a few cells at random shows that some cells contain 1 and others are empty.

Select a cell that contains 1 and run a replace on it, then adjust the column width.

The result is a somewhat odd-looking 2D code: a Han Xin code.

Online Han Xin code decoder: https://tuzim.net/hxdecode/