BUUCTF misc刷题

[WUSTCTF2020]spaceclub

一个txt文件，里面每一行是一个长空格或者短空格，猜测要换成1和0，在技术本里面ctrl+h，全部转换

avater

然后转字符串得

avater

得到flag

wctf2020{h3re_1s_y0ur_fl@g_s1x_s1x_s1x}

[ACTF新生赛2020]music

m4a文件，发现文件头都和A1进行了异或

avater

在010里面可以进行异或

avater

然后修复后打开听得到flag

flag{abcdfghijk}

1
2
3

f=open('vip.m4a','rb').read()
newf=open('flag.m4a','wb')
for i in range

hashcat

开局一个xml文件，把后缀改成ppt发现有密码，用Accent OFFICE Password Recovery

破解一波密码 avater

得到密码

9901

然后发现一张图

avater

发现后面还有很多空白页。直接改背景为黑色看看，果然

avater

flag{okYOUWIN}

[*CTF2019]otaku

这道题有点意思，解压得到一个doc，这里有个小坑，如果开了隐藏文字会看不到被隐藏的文字，这波是反向隐藏，把隐藏文字勾掉可以看到内容，

avater

发现这段文字

Hello everyone, I am Gilbert. Everyone thought that I was killed, but actually I survived. Now that I have no cash with me and I’m trapped in another country. I can’t contact Violet now. She must be desperate to see me and I don’t want her to cry for me. I need to pay 300 for the train, and 88 for the meal. Cash or battlenet point are both accepted. I don’t play the Hearthstone, and I don’t even know what is Rastakhan’s Rumble.

然后没发现压缩包密码，把它放进Ziperello发现是伪加密，解压得到flag.zip，先看注释发现

avater

看来是要拿刚刚那段文字做明文攻击，这里发现放到txt里面是433字节，大小不一样,上脚本改一下

#encoding=GBK
f = open("d:\\test.txt", "w")
s="Hello everyone, I am Gilbert. Everyone thought that I was killed, but actually I survived. Now that I have no cash with me and I’m trapped in another country. I can't contact Violet now. She must be desperate to see me and I don't want her to cry for me. I need to pay 300 for the train, and 88 for the meal. Cash or battlenet point are both accepted. I don't play the Hearthstone, and I don't even know what is Rastakhan's Rumble."
f.write(s)
f.close()

然后明文攻击得到png，再zsteg一把梭得到

*ctf{vI0l3t_Ev3rg@RdeN}

[UTCTF2020]zero

空字符隐写

avater

得到flag

utflag{whyNOT@sc11_4927aajbqk14}

voip

直接wireshark 电话>voip就可以听到flag

flag{9001IVR}

[湖南省赛2019]Findme

avater

五张图，第一张图片发现高度不对，上一下别人的脚本

import zlib
import struct
file = '1.png'
fr = open(file,'rb').read()
data = bytearray(fr[12:29])
#crc32key = eval(str(fr[29:33]).replace('\\x','').replace("b'",'0x').replace("'",'')) 
crc32key = 0xC4ED3 
#data = bytearray(b'\x49\x48\x44\x52\x00\x00\x01\xF4\x00\x00\x01\xF1\x08\x06\x00\x00\x00') 
n = 4095 
for w in range(n): 
    width = bytearray(struct.pack('>i', w))
    for h in range(n): 
        height = bytearray(struct.pack('>i', h)) 
        for x in range(4): 
            data[x+4] = width[x] 
            data[x+8] = height[x] 
            #print(data) 
        crc32result = zlib.crc32(data) 
        if crc32result == crc32key: 
            print(width,height) 
            print(data) 
            newpic = bytearray(fr) 
            for x in range(4): 
                newpic[x+16] = width[x]
                newpic[x+20] = height[x] 
            fw = open(file+'.png','wb') 
            fw.write(newpic) 
            fw.close

修改后用010打开发现有两个块确实IDAT标记，修改后得到和其他几张图片相似的图片，然后在stegslove里面

avater

得到第一段

ZmxhZ3s0X3

第二张png发现有7z文件头，但是解压不了，这里有个坑，这里后面跟的是0304

avater

改成504B就可以解压了。发现很多txt文件，其中有一个大小不一样，得到

1RVcmVfc

第三个png提示crc出错，依旧爆破宽高无果，发现crc值都是十六进制数

avater

转码得到

3RlZ30=

第四个png直接在文件尾发现

avater

得到

cExlX1BsY

第五张同理

avater

得到

Yzcllfc0lN

这里把五段按照不同顺序拼接一下得到flag

ZmxhZ3s0X3Yzcllfc0lNcExlX1BsY1RVcmVfc3RlZ30=

flag{4_v3rY_sIMpLe_PlcTUre_steg}

[QCTF2018]X-man-A face

得到一个残缺的二维码

avater

简单ps一下还是扫不出来

avater

然后发现用微信扫就扫出来了。。。还是微信牛逼

KFBVIRT3KBZGK5DUPFPVG2LTORSXEX2XNBXV6QTVPFZV6TLFL5GG6YTTORSXE7I=

base32得到

avater

QCTF{Pretty_Sister_Who_Buys_Me_Lobster}

[ACTF新生赛2020]剑龙

这道题很有意思,解压后得到三个文件

avater

打开pwd.txt发现是颜文字加密，解密得到

avater

然后在hh.png注释里面发现

avater

那么应该是某种有密钥的jpg加密方式，尝试了一波发现不是这个密钥，要用welcom3!

avater

得到

想要flag吗？解出我的密文吧~
U2FsdGVkX1/7KeHVl5984OsGUVSanPfPednHpK9lKvp0kdrxO4Tj/Q==

看到U2Fsd知道是AES或者DES加密，密钥就是注释里面那段

avater

打开O_O，先file一下

avater

010打开发现

avater

猜测是pyc文件，反编译一下得到

#!/usr/bin/env python
# visit http://tool.lu/pyc/ for more information
from PIL import Image


def dtob(num):
    temp = bin(num).replace("0b", "")
    length = len(temp)
    over = length // 8
    temp = temp.zfill((over + 1) * 8)
    return temp


def getSecret(mpath):
    secret = ""
    file = open(mpath, "rb")
    content = file.read()
    length = len(content)
    for i in range(length):
        tmp = content[i]
        tmp = dtob(tmp)
        secret += tmp
    return secret


def start(ppath, mpath, rpath):
    im = Image.open(ppath)
    px = im.load()
    message = im.size
    width = message[0]
    height = message[1]
    print(width, height)
    secret = getSecret(mpath)
    print(secret)
    s_len = len(secret)
    count = 0
    for i in range(height):
        for j in range(width):
            if count == s_len:
                break
            pix = px[(i, j)]
            r = pix[0]
            g = pix[1]
            b = pix[2]
            r = (r - r % 2) + int(secret[count])
            count += 1
            if count == s_len:
                im.putpixel((j, i), (r, g, b))
                break
            g = (g - g % 2) + int(secret[count])
            count += 1
            if count == s_len:
                im.putpixel((j, i), (r, g, b))
                break
            b = (b - b % 2) + int(secret[count])
            count += 1
            if count == s_len:
                im.putpixel((j, i), (r, g, b))
                break
            if count % 3 == 0:
                im.putpixel((j, i), (r, g, b))
    im.save(rpath)


def extrat(mpath, rpath):
    result = ""
    im = Image.open(mpath)
    size = im.size
    px = im.load()
    w = size[0]
    h = size[1]
    length = 80
    count = 0
    flag = 0
    for i in range(h):
        for j in range(w):
            pix = px[(j, i)]
            r = pix[0]
            g = pix[1]
            b = pix[2]
            r1 = r % 2
            count += 1
            if count == length:
                result += str(r1)
                flag = 1
                break
            g1 = g % 2
            count += 1
            if count == length:
                result += str(r1)
                result += str(g1)
                flag = 1
                break
            b1 = b % 2
            count += 1
            if count == length:
                result += str(r1)
                result += str(g1)
                result += str(b1)
                flag = 1
                break
            result += str(r1)
            result += str(g1)
            result += str(b1)
        if flag == 1:
            break
    aa = open(rpath, "w")
    while result:
        tmp = result[:8]
        result = result[8:]
        tmp = int(tmp, 2)
        re = chr(tmp)
        aa.write(re)


print("wowowo!")
start("1.png", "1.txt", "tets.png")

但是调了半天没发现，又根据那个提示，应该是python字节隐写

avater

flag{3teg0Sauru3_!1}

Business Planning Group

010打开发现块很多，然后发现最后面有点可疑

avater

BPG开头，百度一下,在官网下载工具进行转换

avater

得到

avater

flag{BPG_i5_b3tt3r_7h4n_JPG}

[MRCTF2020]pyFlag

三张图片文件尾部都发现有东西，复制出来拼接得到zip文件，爆破得到密码1234

avater

得到flag

G&eOhGcq(ZG(t2*H8M3dG&wXiGcq(ZG&wXyG(j~~tG&eOdGcq+aG(t5oG(j~~qG&eIeGcq+aG)6Q<G(j~~rG&eOdH9<5qG&eLvG(j~~sG&nRdH9<8rG%++qG%__eG&eIeGc+|cG(t5oG(j~~sG&eOlH9<8rH8C_qH9<8oG&eOhGc+bG&eLvH9<8sG&eLgGcz?cG&3|sH8M3cG&eOtG%?aG(t5oG(j~~tG&wXxGcq+aH8V6sH9<8rG&eOhH9<5qG(<E-H8M3eG&wXiGcq(ZG)6Q<G(j~~tG&eOtG%+<aG&wagG%__cG&eIeGcq+aG&M9uH8V6cG&eOlH9<8rG(<HrG(j~~qG&eLcH9<8sG&wUwGek2)

hint

我用各种baseXX编码把flag套娃加密了，你应该也有看出来。
但我只用了一些常用的base编码哦，毕竟我的智力水平你也知道…像什么base36base58听都没听过
提示：0x10,0x20,0x30,0x55

四个数字分别转十进制是16、32、48、85

因此反向进行base85 解密，这里不知道为什么网页的一直用不了，直接用python

1
2

import base64
print(base64.b85decode('G&eOhGcq(ZG(t2*H8M3dG&wXiGcq(ZG&wXyG(j~tG&eOdGcq+aG(t5oG(j~qG&eIeGcq+aG)6Q<G(j~rG&eOdH9<5qG&eLvG(j~sG&nRdH9<8rG%++qG%__eG&eIeGc+|cG(t5oG(j~sG&eOlH9<8rH8C_qH9<8oG&eOhGc+_bG&eLvH9<8sG&eLgGcz?cG&3|sH8M3cG&eOtG%_?aG(t5oG(j~tG&wXxGcq+aH8V6sH9<8rG&eOhH9<5qG(<E-H8M3eG&wXiGcq(ZG)6Q<G(j~tG&eOtG%+<aG&wagG%__cG&eIeGcq+aG&M9uH8V6cG&eOlH9<8rG(<HrG(j~qG&eLcH9<8sG&wUwGek2)'))

得到

b’475532444B4E525549453244494E4A57475132544B514A54473432544F4E4A5547515A44474D4A5648415A54414E4257473434544B514A5647595A
54514D5A5147553444474D5A5547453355434E5254475A42444B514A57494D3254534D5A5447555A444D4E5256494532444F4E4A57475A4154495242
5547343254454E534447595A544D524A5447415A55493D3D3D’

全大写而且最大是F，base16解码一下