标签：files sum flag BabyMisc path os inf2

BabyMisc

...脑洞坑题（如果7z密码不是那一串超长字符串真不至于0解）

先打开Script.zip，随便打开一个文件夹，得到的是pxx的文件，内容为16进制字节。猜测pxx为对应字节的位置

先提取

import re
import os
path = r'Desktop\HDCTF\BabyMisc\Script'

# 定义函数
def print_files(path):
    lsdir = os.listdir(path)
    dirs = [i for i in lsdir if os.path.isdir(os.path.join(path, i))]
    files = [i for i in lsdir if os.path.isfile(os.path.join(path, i))]
    if files:
        for f in files:
            a = os.path.join(path, f)
            b = open(a,'r').read()
            c= re.findall('p+\w{2,}',a)
            for c in c:
                k = open('pxxx.txt','a')
                e = c + "" + b
                
                k.write(e)
                
            


    if dirs:
        for d in dirs:
            print_files(os.path.join(path, d)) # 递归查找
    # return 0

print_files(path)

提取出来稍微处理以下，拼接起来（按顺序）

0a696e66313d24313b696e66323d24323b6f75663d24333b666c61673d24287763202d6320247b696e66317d207c20637574202d6420272027202d662031293b6966205b2024287763202d6320247b696e66327d207c20637574202d6420272027202d66203129202d67652024666c6167205d203b207468656e20666c61673d24287763202d6320247b696e66327d207c20637574202d6420272027202d662031293b6669203b73756d5f666c61673d303b666c6167315f666c61673d303b666c6167325f666c61673d303b464c41473d303b666f72206920696e20242873657120302024282824666c61672b24666c6167292929203b20646f206966205b2024464c4147202d65712030205d203b207468656e20464c41473d313b2064642069663d24696e6631206f663d246f75662062733d3120636f756e743d31207365656b3d2473756d5f666c616720736b69703d24666c6167315f666c6167207374617475733d6e6f6e653b73756d5f666c61673d2428282473756d5f666c61672b3129293b20666c6167315f666c61673d24282824666c6167315f666c61672b3129293b20656c736520464c41473d303b64642069663d24696e6632206f663d246f75662062733d3120636f756e743d31207365656b3d2473756d5f666c616720736b69703d24666c6167325f666c6167207374617475733d6e6f6e653b73756d5f666c61673d2428282473756d5f666c61672b3129293b666c6167325f666c61673d24282824666c6167325f666c61672b3129293b666920646f6e650a

转hex得到一个sh脚本

inf1=$1;
inf2=$2;
ouf=$3;
flag=$(wc -c ${inf1} | cut -d ' ' -f 1); # 获取flag长度
if [ $(wc -c ${inf2} | cut -d ' ' -f 1) -ge $flag ] ; #判断第二个文件长度是否大于flag
    then flag=$(wc -c ${inf2} | cut -d ' ' -f 1); #如果大于就修改flag长度
fi ;
sum_flag=0;
flag1_flag=0;
flag2_flag=0;
FLAG=0;
for i in $(seq 0 $(($flag+$flag))) ; # 循环两倍flag长度次
do 
    if [ $FLAG -eq 0 ] ; then 
        FLAG=1;
        dd if=$inf1 of=$ouf bs=1 count=1 seek=$sum_flag skip=$flag1_flag status=none;
        sum_flag=$(($sum_flag+1));
        flag1_flag=$(($flag1_flag+1));
    else 
        FLAG=0;
        dd if=$inf2 of=$ouf bs=1 count=1 seek=$sum_flag skip=$flag2_flag status=none;
        sum_flag=$(($sum_flag+1));
        flag2_flag=$(($flag2_flag+1));
    fi 
done # 整个逻辑是 把inf1和inf2中的字符交叉储存到ouf中
# 如果inf1中为1234
# inf2中为 5678
# ouf中就是 15263748

那应该就是要把Encrypted.file一分为二，交叉提取

with open('Encrypted.file','rb') as f:
    data = f.read().hex();
out = {
    '1': '',
    '2': ''
}
for i in range(0,len(data),4):
    out['1'] += data[i:i+2]
    out['2'] += data[i+2:i+4]

with open('out1','wb') as f1:
    f1.write(bytes.fromhex(out['1']));

with open('out2','wb') as f2:
    f2.write(bytes.fromhex(out['2']));

经过识别，得知out2是7z文件，out1是base字符串

BabyMisc hint：“二层加密类型:base&rot系列”

坑点来了，解完base32+rot47得到的超长字符串就是7z密码...

用7z打开（用winrar会提示密码字符过长被截断，无法打开），得到pmf文件

.pmf：pmf文件是 DiskGenius 备份后的一种文件格式，直接拖入DG即可打开

DG中打开得到三个压缩包与lsb的图片

只提取16进制字符串，保存为key（这里直接保存即可，压缩完会发现与$R9EG7XR.zip的CRC值一致）

明显的明文攻击（这里的考点是要判断出是用7z压缩，否则明文攻击会失败） 参考文章

前后为bandzip压缩与7z压缩的区别

得到flag：HDCTF{3783a799-0c94-4ebf-87bd-4731f862683b}

标签：files,sum,flag,BabyMisc,path,os,inf2
From： https://www.cnblogs.com/Mar10/p/17348860.html