建议考虑的方向
- LSB
- foremost
- stegdetect
- 010editor
- outguess
- binwalk
- image combiner
- F5
- CRC
面具下的flag
题解
- 下载附件,用 `binwalk` 查看是否有附加文件,得到压缩包和虚拟机文件;解压后得到 part one 和 part two,编码为 `brainfuck` 和 `Ook`,解码得到 flag
- flag{N7F5_AD5_i5_funny!}
九连环
题解
- 下载附件,用 `binwalk` 分离文件,压缩包为伪加密,得到 `.jpg` 和 `.zip`
- 用 `steghide` 解密:`steghide extract -sf xxx.jpg`
- 得到压缩包密码,解压文件得到 flag
- https://jbnrz.com.cn/wp-content/uploads/2023/03/misc/mask_5.png
flag
题解
- 下载附件,用 `stegsolve` 打开,LSB 隐写,发现 zip;用 `binwalk` 分离文件得到 flag
- flag{dd0gf4c3tok3yb0ard4g41n}
刷新过的图片
题解
- 考察 F5 隐写
- git clone https://github.com/matthewgao/F5-steganography
- java Extract Misc.jpg
- 分离后得到 zip,解压得到 flag
- flag{96efd0a2037d06f34199e921079778ee}
被偷走的文件
题解
- 下载得到流量文件,导出其中传输的文件,爆破密码得到 flag
- flag{6fe99a5d03fb01f833ec3caa80358fa3}
菜刀666
题解
- 下载附件,打开,追踪 TCP 流,在 `tcp.stream eq 7` 中找到 base64 字符串
- RDpcd2FtcDY0XHd3d1x1cGxvYWRcNjY2Ni5qcGc%3D
- D:\wamp64\www\upload\6666.jpg
- 将 16 进制数据导入 010 Editor,得到 password,解压得到 flag
- flag{3OpWdJ-JP6FzK-koCMAK-VkfWBq-75Un2z}
一叶障目
题解
- 根据 CRC 爆破宽高:IHDR 块的 CRC32 覆盖块类型和 13 字节数据(含宽、高),枚举宽高,直到计算出的 CRC 与文件中存储的值一致
#coding=utf-8
import zlib
import struct
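# Read the file
file = '1.png'  # NOTE: 1.png must sit in the same folder as this script
# crc32key = 0xCBD6DF8A  # manual alternative: prefix with 0x, copy the hex value
# data = bytearray(b'\x49\x48\x44\x52\x00\x00\x01\xF4\x00\x00\x01\xF1\x08\x06\x00\x00\x00')  # manual alternative: IHDR bytes copied from a hex view
n = 4095  # in theory 0xffffffff, but for real screen sizes 0x0fff is plenty


def read_stored_crc(png):
    """Return the CRC-32 stored after the IHDR chunk (file bytes 29..32) as an int.

    PNG stores the value big-endian, so it is decoded straight from the raw
    bytes. The earlier approach rebuilt a hex literal from repr() and passed
    it to eval(): that silently produced a wrong number (or a syntax error)
    whenever a CRC byte was printable ASCII, and it evaluated text derived
    from a downloaded file.

    Raises:
        ValueError: the data is too short to hold a signature plus IHDR chunk.
    """
    if len(png) < 33:
        raise ValueError('file too short to contain a PNG IHDR chunk')
    return int.from_bytes(png[29:33], 'big')


def matching_sizes(ihdr, crc32key, limit=n):
    """Yield every (width, height) below *limit* whose IHDR CRC-32 equals *crc32key*.

    *ihdr* is the 17-byte chunk type + chunk data (file bytes 12..28). Only
    the width field (offset 4) and the height field (offset 8) are varied.
    """
    candidate = bytearray(ihdr)
    for w in range(limit):  # width and height are brute-forced together
        struct.pack_into('>i', candidate, 4, w)  # 'q' is 8 bytes, 'i' 4 bytes, 'h' 2 bytes
        for h in range(limit):
            struct.pack_into('>i', candidate, 8, h)
            if zlib.crc32(candidate) == crc32key:
                yield w, h


if __name__ == '__main__':
    with open(file, 'rb') as fh:
        fr = fh.read()
    crc32key = read_stored_crc(fr)
    for w, h in matching_sizes(fr[12:29], crc32key):
        width = bytearray(struct.pack('>i', w))
        height = bytearray(struct.pack('>i', h))
        print(width, height)
        # Write the file
        newpic = bytearray(fr)
        newpic[16:20] = width
        newpic[20:24] = height
        with open(file + '.png', 'wb') as fw:  # save a copy; the input file is left untouched
            fw.write(newpic)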
- flag
- xaflag{66666}
梅花香自苦寒来
题解
- 在文件结尾发现 16 进制数据,转为 ASCII
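def hex_to_text(hex_digits):
    """Decode a run of hex digit pairs into text, one character per byte.

    Whitespace is dropped first, so the trailing newline that most editors
    append no longer breaks the conversion (the pair-by-pair loop indexed
    past the end of the string on it). Each byte maps to the character with
    the same code point, which is what chr() produced before.

    Raises:
        ValueError: odd number of digits or a non-hex character.
    """
    return bytes.fromhex(''.join(hex_digits.split())).decode('latin-1')


if __name__ == '__main__':
    with open('hex.txt', 'r') as h:  # hex.txt is the text file to convert
        val = h.read()
    text = hex_to_text(val)
    print(text, end="")
    with open('result.txt', 'w') as out:  # the converted text is written to result.txt
        out.write(text)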
- 得到坐标,用 `gnuplot` 画图:`plot 'gnuplotTxt.txt'`
# Read the coordinate text: whitespace-separated tokens such as (7,7)
with open('result.txt', 'r') as coords_in:
    tokens = coords_in.read().split()

# Write one "x y" line per coordinate to gnuplotTxt.txt
with open('gnuplotTxt.txt', 'w') as gnup:
    for token in tokens:
        # Drop the surrounding parentheses, then turn every comma into a space
        point = token.lstrip('(').rstrip(')')
        gnup.write(point.replace(',', ' ') + '\n')
flag
- flag{40fc0a979f759c8892f4dc045e28b820}
谁赢了比赛
题解
- 下载,得到png,binwalk 文件分离,得到 rar,爆破,ps 打开,发现有问题的一帧,提取,stegsolve打开,不同通道,二维码扫描
- flag{shanxiajingwu_won_the_game}
gakki
题解
- 下载图片,binwalk查看,分离,rar 爆破密码,字频分析
- 脚本
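alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890!@#$%^&*()_+- =\\{\\}[]"


def rank_by_frequency(text, charset=alphabet):
    """Return (char, count) pairs for every character of *charset*, most frequent first.

    Characters with equal counts keep the order they have in *charset*,
    because the sort is stable.
    """
    counts = {ch: text.count(ch) for ch in charset}
    return sorted(counts.items(), key=lambda item: item[1], reverse=True)


if __name__ == '__main__':
    with open('flag.txt') as fh:  # close the handle instead of leaving it open
        strings = fh.read()
    res = rank_by_frequency(strings)
    for data in res:
        print(data)
    # The characters in descending frequency order, printed as one string
    print(''.join(ch for ch, _ in res), end="")
# Code from: mochu7
# https://blog.csdn.net/mochu7777777/article/details/109377328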
- flag
- flag{gaki_IsMyw1fe}
john-in-the-middle
题解
- 下载文件,发现流量中传输了很多的文件,全部导出
- 发现可疑文件,用 `stegsolve` 打开,使用 image combiner
- flag{J0hn_th3_Sn1ffer}
喵喵喵
题解
- LSB 隐写图片,保存文件,010 打开,删除文件头多余的内容,改高
- 查看 NTFS 数据流信息
- 得到 `.pyc`,反编译:https://tool.lu/pyc/
#!/usr/bin/env python
# Version: Python 2.7
import base64
def encode():
    """Obfuscate the (redacted) flag into a reversed list of decimal strings.

    Every character is XORed with its own index; 10 is then added at even
    indexes and subtracted at odd ones. No key is involved, so the output
    can be inverted by anyone who has this routine.
    """
    flag = '*************'
    shifted = []
    for position, char in enumerate(flag):
        mixed = ord(chr(position ^ ord(char)))
        offset = 10 if position % 2 == 0 else -10
        shifted.append(str(mixed + offset))
    shifted.reverse()
    return shifted
# Values as they appear in the decompiled .pyc; presumably encode() run on the real flag
ciphertext = [
    '96', '65', '93', '123', '91', '97', '22', '93',
    '70', '102', '94', '132', '46', '112', '64', '97',
    '88', '80', '82', '137', '90', '109', '99', '112',
]
- exp
def decode(arg1):
    """Print the text recovered from a list of decimal strings.

    The list is read back to front. At even indexes 10 is subtracted, at odd
    indexes 10 is added, and the result is XORed with the index to get the
    character code. Nothing is returned; the text goes to stdout.
    """
    recovered = []
    for idx, item in enumerate(arg1[::-1]):
        value = int(item)
        value += -10 if idx % 2 == 0 else 10
        recovered.append(chr(value ^ idx))
    print(''.join(recovered))
if __name__ == '__main__':
    # Ciphertext values copied from the decompiled listing
    ciphertext = [
        '96', '65', '93', '123', '91', '97', '22', '93',
        '70', '102', '94', '132', '46', '112', '64', '97',
        '88', '80', '82', '137', '90', '109', '99', '112',
    ]
    decode(ciphertext)
- flag
- flag{Y@e_Cl3veR_C1Ever!}
SXMgdGhpcyBiYXNlPw==
题解
- exp
import base64
def int2Bin(digit):
    """Return the binary digits of *digit* with the leading '0b' removed.

    The result is not zero-padded: 5 gives '101', not '000101'.
    """
    binary_literal = bin(digit)
    return binary_literal[len('0b'):]
def binAsc(string):
    """Convert a string of '0'/'1' characters to text, 8 bits per character.

    Trailing bits that do not fill a whole byte are ignored.
    """
    whole_bytes = int(len(string) / 8)
    chars = [chr(int(string[start:start + 8], 2)) for start in range(0, whole_bytes * 8, 8)]
    return ''.join(chars)
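def readBase64FromFile(filename):
    """Print the text hidden in the unused padding bits of base64 lines in *filename*.

    A line ending in '==' leaves the low 4 bits of its last data character
    unused, and a line ending in '=' leaves the low 2 bits unused. Those bits
    are collected line by line and decoded with binAsc(). Lines without
    padding carry no hidden bits and are skipped.

    Raises:
        ValueError: the character before the padding is not in the Base64 alphabet.
    """
    Base64Char = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"  # standard Base64 alphabet, in index order
    result = ''
    with open(filename, 'r') as f:
        for data in f:
            # Strip first so CRLF endings and a final line without a newline
            # do not shift which character is read
            line = data.strip()
            body = line.rstrip('=')
            padding = len(line) - len(body)
            if not body or padding == 0:
                continue
            # Zero-pad the index to the full 6 bits before slicing. Without the
            # padding, indexes below 8 gave fewer than 4 bits and misaligned
            # every bit that followed.
            bits = format(Base64Char.index(body[-1]), '06b')
            result += bits[-4:] if padding >= 2 else bits[-2:]
    print(binAsc(result))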
# Run the extraction against the challenge file in the current directory
readBase64FromFile(filename='flag.txt')
原文链接:https://blog.csdn.net/wangjin7356/article/details/122237992
Mysterious
题解
- 用 IDA 打开
- 关键判断:v4 == 122 && String[3] == 120 && String[5] == 122 && String[4] == 121
- 120、121、122 分别是 'x'、'y'、'z' 的 ASCII 码,atoi 只解析开头的数字,所以输入为 122xyz(此时 v4 = 122)
// IDA pseudo-code of a window message handler: a2 is compared against
// message ids and a3 against command ids. Names and types are the
// decompiler's guesses, not the original source.
//
// Flag path: the text read from control 1002 must be at most 6 characters
// long, parse to 122 with atoi(), and hold 120/121/122 ('x','y','z') at
// indexes 3..5. The message box then shows "flag{" + (122 + 1) +
// "_Buff3r_0v3rf|0w}".
//
// NOTE(review): as decompiled, strcpy/strcat build the message in a 5-byte
// array. Code written this way by hand would overflow the stack buffer; a
// single bounded formatting call into a correctly sized buffer avoids that.
int __stdcall sub_401090(HWND hWnd, int a2, int a3, int a4)
{
  int v4; // eax
  char Source[260]; // [esp+50h] [ebp-310h] BYREF
  // Text, v8, v9 and v10 are adjacent on the stack (ebp-20Ch up to ebp-108h,
  // 5 + 252 + 2 + 1 = 260 bytes). Most likely this is one 260-byte buffer
  // that the decompiler split into four variables -- confirm in the disassembly.
  CHAR Text[5]; // [esp+154h] [ebp-20Ch] BYREF
  char v8[252]; // [esp+159h] [ebp-207h] BYREF
  __int16 v9; // [esp+255h] [ebp-10Bh]
  char v10; // [esp+257h] [ebp-109h]
  int Value; // [esp+258h] [ebp-108h]
  CHAR String[260]; // [esp+25Ch] [ebp-104h] BYREF
  memset(String, 0, sizeof(String));
  Value = 0;
  // 16 == 0x10 (WM_CLOSE): tear the window down and end the message loop
  if ( a2 == 16 )
  {
    DestroyWindow(hWnd);
    PostQuitMessage(0);
  }
  // 273 == 0x111 (WM_COMMAND)
  else if ( a2 == 273 )
  {
    // presumably 1000 is the id of the control that submits the input -- confirm in the resources
    if ( a3 == 1000 )
    {
      // Read at most 260 characters from control 1002 into String
      GetDlgItemTextA(hWnd, 1002, String, 260);
      // Result unused here; kept as the decompiler emitted it
      strlen(String);
      // Input longer than 6 characters terminates the process
      if ( strlen(String) > 6 )
        ExitProcess(0);
      // atoi() stops at the first non-digit, so "122xyz" parses to 122
      v4 = atoi(String);
      Value = v4 + 1;
      if ( v4 == 122 && String[3] == 120 && String[5] == 122 && String[4] == 121 )
      {
        // "flag" plus its terminator fills Text[5] exactly
        strcpy(Text, "flag");
        memset(v8, 0, sizeof(v8));
        v9 = 0;
        v10 = 0;
        // Value (123 on this path) as decimal text
        _itoa(Value, Source, 10);
        // Every strcat below writes past Text[5] into v8; see the layout note above
        strcat(Text, "{");
        strcat(Text, Source);
        strcat(Text, "_");
        strcat(Text, "Buff3r_0v3rf|0w");
        strcat(Text, "}");
        MessageBoxA(0, Text, "well done", 0);
      }
      // Timer id 1 with a 0x3E8 (1000) ms interval and TimerFunc as callback;
      // set on every a3 == 1000 command, whether or not the check passed
      SetTimer(hWnd, 1u, 0x3E8u, TimerFunc);
    }
    // Command id 1001 stops timer 1
    if ( a3 == 1001 )
      KillTimer(hWnd, 1u);
  }
  return 0;
}
- flag
- flag{123_Buff3r_0v3rf|0w}
小易的U盘
题解
- 没有题解,只是想说,遇到 iso 的题,不要急着解压,先看16进制,再开隐藏文件
- flag{29a0vkrlek3eu10ue89yug9y4r0wdu10}
哥们在这儿给你说唱(0xGame)
题解
- 由描述可知存在 DeepSound 隐写,提取文件,密码在 SilentEye 中
- 0xGame{5d4d7df0-6de7-4897-adee-e4b3828978f8}
不太普通的图片
题解
- stegsolve 中发现某个通道存在密码
- 0xGameyyds
- lsb带加密
- https://github.com/livz/cloacked-pixel
$ python lsb.py
LSB steganogprahy. Hide files within least significant bits of images.
Usage:
lsb.py hide <img_file> <payload_file> <password>
lsb.py extract <stego_file> <out_file> <password>
lsb.py analyse <stego_file>