建议考虑的方向

• LSB
• foremost
• stegdetect
• 010editor
• outguess
• binwalk
• image combiner
• F5
• CRC

面具下的flag

题解

• 下载附件，binwalk查看是否附加文件，得到压缩包和虚拟机文件解压，得到part one,part two，为brainfuck&Ook，解码得到flag
  • flag{N7F5_AD5_i5_funny!}

九连环

题解

• 下载附件，binwalk分离文件，伪加密，得到.jpg和.zip

• steghide 解密
  • steghide extract -sf xxx.jpg

• 得到压缩包密码。解压文件得到flag
  • https://jbnrz.com.cn/wp-content/uploads/2023/03/misc/mask_5.png

flag

题解

• 下载附件，stegsolve打开，LSB隐写，发现zip

• binwalk分离文件得到flag
  • flag{dd0gf4c3tok3yb0ard4g41n}

刷新过的图片

题解

• 考察F5隐写
  • git clone https://github.com/matthewgao/F5-steganography
  • java Extract Misc.jpg

• 分离后得到zip，解压得到flag
  • flag{96efd0a2037d06f34199e921079778ee}

被偷走的文件

题解

• 下载得到流量文件，导出文件，爆破密码得到flag
  • flag{6fe99a5d03fb01f833ec3caa80358fa3}

菜刀666

题解

• 下载附件，打开，追踪TCP，在tcp.stream.ea 7找到base64
  • RDpcd2FtcDY0XHd3d1x1cGxvYWRcNjY2Ni5qcGc%3D
  • D:\wamp64\www\upload\6666.jpg

• 将16进制数据导入010得到password，解压得到flag
  • flag{3OpWdJ-JP6FzK-koCMAK-VkfWBq-75Un2z}

一叶障目

题解

• 根据CRC爆破宽高

#coding=utf-8
import zlib
import struct
#读文件
file = '1.png'  #注意，1.png图片要和脚本在同一个文件夹下哦~
fr = open(file,'rb').read()
data = bytearray(fr[12:29])
crc32key = eval(str(fr[29:33]).replace('\\x','').replace("b'",'0x').replace("'",''))
#crc32key = 0xCBD6DF8A #补上0x，copy hex value
#data = bytearray(b'\x49\x48\x44\x52\x00\x00\x01\xF4\x00\x00\x01\xF1\x08\x06\x00\x00\x00')  #hex下copy grep hex
n = 4095 #理论上0xffffffff,但考虑到屏幕实际，0x0fff就差不多了
for w in range(n):#高和宽一起爆破
    width = bytearray(struct.pack('>i', w))#q为8字节，i为4字节，h为2字节
    for h in range(n):
        height = bytearray(struct.pack('>i', h))
        for x in range(4):
            data[x+4] = width[x]
            data[x+8] = height[x]
            #print(data)
        crc32result = zlib.crc32(data)
        if crc32result == crc32key:
            print(width,height)
            #写文件
            newpic = bytearray(fr)
            for x in range(4):
                newpic[x+16] = width[x]
                newpic[x+20] = height[x]
            fw = open(file+'.png','wb')#保存副本
            fw.write(newpic)
            fw.close()

• flag
  • xaflag{66666}

梅花香自苦寒来

题解

• 在文件结尾发现16进制数据，转为ascii

with open('hex.txt', 'r') as h:     # hex.txt为要转换的文本文件
    val = h.read()
    h.close()

with open('result.txt', 'w') as re: # 转换完成后写入result.txt
    tem = ''
    for i in range(0, len(val), 2):
        tem = '0x' + val[i] + val[i+1]
        tem = int(tem, base=16)
        print(chr(tem), end="")
        re.write(chr(tem))
    re.close()

• 得到坐标，用gnuplot画图
  • plot ‘gnuplotTxt.txt’

with open('result.txt', 'r') as res:  # 坐标格式文件比如(7,7)
    re = res.read()
    res.close()
    
with open('gnuplotTxt.txt', 'w') as gnup:   # 将转换后的坐标写入gnuplotTxt.txt
    re = re.split()
    tem = ''
    for i in range(0, len(re)):
        tem = re[i]
        tem = tem.lstrip('(')
        tem = tem.rstrip(')')
        for j in range(0, len(tem)):
            if tem[j] == ',':
                tem = tem[:j] + ' ' + tem[j+1:]
        gnup.write(tem + '\n')
    gnup.close()

• flag
  • flag{40fc0a979f759c8892f4dc045e28b820}

谁赢了比赛

题解

• 下载，得到png，binwalk 文件分离，得到 rar，爆破，ps 打开，发现有问题的一帧，提取，stegsolve打开，不同通道，二维码扫描
  • flag{shanxiajingwu_won_the_game}

gakki

题解

• 下载图片，binwalk查看，分离，rar 爆破密码，字频分析
• 脚本

alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890!@#$%^&*()_+- =\\{\\}[]"
strings = open('flag.txt').read()

result = {}
for i in alphabet:
	counts = strings.count(i)
	i = '{0}'.format(i)
	result[i] = counts

res = sorted(result.items(),key=lambda item:item[1],reverse=True)
for data in res:
	print(data)

for i in res:
	flag = str(i[0])
	print(flag[0],end="")
# 代码来自：mochu7
# https://blog.csdn.net/mochu7777777/article/details/109377328

• flag
  • flag{gaki_IsMyw1fe}

john-in-the-middle

题解

• 下载文件，发现流量中传输了很多的文件，全部导出

• 发现可疑文件，stegsolve打开使用image combiner
  • flag{J0hn_th3_Sn1ffer}

喵喵喵

题解

• LSB 隐写图片，保存文件，010 打开，删除文件头多余的内容，改高

• NFTS 查看流信息

• 得到.pyc，反编译
  • https://tool.lu/pyc/

#!/usr/bin/env python
# Version: Python 2.7

import base64

def encode():
    flag = '*************'
    ciphertext = []
    for i in range(len(flag)):
        s = chr(i ^ ord(flag[i]))
        if i % 2 == 0:
            s = ord(s) + 10
        else:
            s = ord(s) - 10
        ciphertext.append(str(s))
    
    return ciphertext[::-1]

ciphertext = [
    '96',
    '65',
    '93',
    '123',
    '91',
    '97',
    '22',
    '93',
    '70',
    '102',
    '94',
    '132',
    '46',
    '112',
    '64',
    '97',
    '88',
    '80',
    '82',
    '137',
    '90',
    '109',
    '99',
    '112']

• exp

def decode(arg1):
	ciphertext = arg1[::-1]
	flag = ''
	for i in range(len(ciphertext)):
		if i % 2 == 0:
			s = int(ciphertext[i]) - 10
		else:
			s = int(ciphertext[i]) + 10 
		s = s ^ i
		flag += chr(s)
	print(flag)

if __name__ == '__main__':
	ciphertext = [
        '96', '65', '93', '123', '91', '97', '22', '93', '70', '102', '94', '132', '46', '112', '64', '97', '88', '80', '82', '137', '90', '109', '99', '112'
    ]
	decode(ciphertext)

• flag
  • flag{Y@e_Cl3veR_C1Ever!}

SXMgdGhpcyBiYXNlPw==

题解

• exp

import base64

def int2Bin(digit):
	return bin(digit)[2:]	#将索引转成二进制，去掉'0b';


def binAsc(string):		#二进制转成ASCII码
	temp = ''
	for i in range(int(len(string) / 8)):
		temp += chr(int(string[i * 8 : i* 8 + 8] , 2))
	return temp

def readBase64FromFile(filename):
	Base64Char = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"     #Base64字符集 已按照规范排列
	result = ''
	with open(filename ,'r') as f:
		for data in f.readlines():
			if data.find('==') > 0:
				result += int2Bin(Base64Char.index(data[-4]))[-4:]		#根据隐写原理，‘==’情况取等号前最后一个字符转换后取后4位
			elif data.find('=') > 0:
				result += int2Bin(Base64Char.index(data[-3]))[-2:]		#根据隐写原理，‘=’情况取等号前最后一个字符转换后取后2位
	print(binAsc(result))

readBase64FromFile('flag.txt')
原文链接：https://blog.csdn.net/wangjin7356/article/details/122237992

Mysterious

题解ida ida打开

• ida ida打开
  • v4 == 122 && String[3] == 120 && String[5] == 122 && String[4] == 121
  • v4 = 122xyz

int __stdcall sub_401090(HWND hWnd, int a2, int a3, int a4)
{
  int v4; // eax
  char Source[260]; // [esp+50h] [ebp-310h] BYREF
  CHAR Text[5]; // [esp+154h] [ebp-20Ch] BYREF
  char v8[252]; // [esp+159h] [ebp-207h] BYREF
  __int16 v9; // [esp+255h] [ebp-10Bh]
  char v10; // [esp+257h] [ebp-109h]
  int Value; // [esp+258h] [ebp-108h]
  CHAR String[260]; // [esp+25Ch] [ebp-104h] BYREF

  memset(String, 0, sizeof(String));
  Value = 0;
  if ( a2 == 16 )
  {
    DestroyWindow(hWnd);
    PostQuitMessage(0);
  }
  else if ( a2 == 273 )
  {
    if ( a3 == 1000 )
    {
      GetDlgItemTextA(hWnd, 1002, String, 260);
      strlen(String);
      if ( strlen(String) > 6 )
        ExitProcess(0);
      v4 = atoi(String);
      Value = v4 + 1;
      if ( v4 == 122 && String[3] == 120 && String[5] == 122 && String[4] == 121 )
      {
        strcpy(Text, "flag");
        memset(v8, 0, sizeof(v8));
        v9 = 0;
        v10 = 0;
        _itoa(Value, Source, 10);
        strcat(Text, "{");
        strcat(Text, Source);
        strcat(Text, "_");
        strcat(Text, "Buff3r_0v3rf|0w");
        strcat(Text, "}");
        MessageBoxA(0, Text, "well done", 0);
      }
      SetTimer(hWnd, 1u, 0x3E8u, TimerFunc);
    }
    if ( a3 == 1001 )
      KillTimer(hWnd, 1u);
  }
  return 0;
}

• flag
  • flag{123_Buff3r_0v3rf|0w}

小易的U盘

题解

• 没有题解，只是想说，遇到 iso 的题，不要急着解压，先看16进制，再开隐藏文件
  • flag{29a0vkrlek3eu10ue89yug9y4r0wdu10}

哥们在这儿给你说唱(0xGame)

题解

• 描述知存在 deepsound，提取文件，密码在 slienteye 中
  • 0xGame{5d4d7df0-6de7-4897-adee-e4b3828978f8}

不太普通的图片

题解

• stegsolve 中发现某个通道存在密码
  • 0xGameyyds
• lsb带加密
  • https://github.com/livz/cloacked-pixel

$ python lsb.py 
LSB steganogprahy. Hide files within least significant bits of images.

Usage:
  lsb.py hide <img_file> <payload_file> <password>
  lsb.py extract <stego_file> <out_file> <password>
  lsb.py analyse <stego_file>