首页 > 其他分享 >2020 第四届强网杯 线上赛Misc_Writeup

2020 第四届强网杯 线上赛Misc_Writeup

时间:2023-06-19 19:32:15浏览次数:54  
标签:zip 上赛 Writeup Misc 密码 flag 得到 steghide png



目录

  • upload
  • 签到
  • 问卷调查
  • miscstudy


upload

下载附件,打开是流量包文件,wireshark打开

2020 第四届强网杯 线上赛Misc_Writeup_Arc


查看http的包,追踪一下

2020 第四届强网杯 线上赛Misc_Writeup_ide_02


很明显是POST上传的图片

2020 第四届强网杯 线上赛Misc_Writeup_Arc_03


File->Export Object->HTTP...将文件Save all保存出来,得到如下:

2020 第四届强网杯 线上赛Misc_Writeup_ide_04


%5c有提示steghide隐藏

2020 第四届强网杯 线上赛Misc_Writeup_上传_05


steghide.php用notepad++打开

2020 第四届强网杯 线上赛Misc_Writeup_Arc_06


去掉前面这四行,保存修改后缀为jpg或者png都行,得到如下图:

2020 第四届强网杯 线上赛Misc_Writeup_ide_07


然后把照片丢进kali使用steghide工具提取隐藏信息

2020 第四届强网杯 线上赛Misc_Writeup_ide_08


有密码,在网上找个爆破steghide密码的脚本,如下:

# -*- coding: utf8 -*-
#python2
from subprocess import *

def foo():
    stegoFile='a.jpg'#这里填图片名称
    extractFile='hide.txt'#输出从图片中得到的隐藏内容
    passFile='english.dic'#字典,用的是Advanced Archive Password Recovery的字典

    errors=['could not extract','steghide --help','Syntax error']
    cmdFormat='steghide extract -sf "%s" -xf "%s" -p "%s"'
    f=open(passFile,'r')

    for line in f.readlines():
        cmd=cmdFormat %(stegoFile,extractFile,line.strip())
        p=Popen(cmd,shell=True,stdout=PIPE,stderr=STDOUT)
        content=unicode(p.stdout.read(),'gbk')
        for err in errors:
            if err in content:
                break
        else:
            print content,
            print 'the passphrase is %s' %(line.strip())
            f.close()
            return

if __name__ == '__main__':
    foo()
    print 'ok'
    pass

2020 第四届强网杯 线上赛Misc_Writeup_ide_09


密码是:123456hide.txt已经提取了隐藏的flag的内容,或者也可以steghide extract -sf a.jpg然后输入密码,得到flag.txt

flag{te11_me_y0u_like_it}

签到

2020 第四届强网杯 线上赛Misc_Writeup_上传_10


老天爷,哪次比赛让我签到拿个一血也行啊~

flag{welcome_to_qwb_S4}

问卷调查

2020 第四届强网杯 线上赛Misc_Writeup_ide_11


枯了,比赛的时问卷调查最后出来的,竟然没看到,发现的时候已经结束了…orz

flag{Welc0me_tO_qwbS4_Hope_you_play_h4ppily}

miscstudy

Hint: 本题目flag由7个部分构成,第一个部分为flag{level1...,最后一个部分为 !!!} 每一关都会存有flag的一部分,将所有flag的字符串拼接即为最后flag

首先下载附件解压是一个流量包,打开后筛选http的包,访问这个url

2020 第四届强网杯 线上赛Misc_Writeup_Arc_12


得到level1level2的flag

2020 第四届强网杯 线上赛Misc_Writeup_ide_13

flag{level1_begin_and_level2_is_come

除了flag之外,页面中这些其他的参数应该很明显就是TLS协议的Master-Secret log file

2020 第四届强网杯 线上赛Misc_Writeup_Arc_14


讲这些参数保存为ket.txt

在wireshark中,Edit->Preferences->Protocols->TLS->(Pre)-Master-Secret log filename中选择ket.txt然后点击OK添加成功后,再次查看http协议的包,发现多了个包

2020 第四届强网杯 线上赛Misc_Writeup_Arc_15


2020 第四届强网杯 线上赛Misc_Writeup_Arc_16


保存图片,使用010 Ediotr或者winhex之类的16进制编辑工具查看

2020 第四届强网杯 线上赛Misc_Writeup_ide_17


chunk8-chunk11IDAT标志后都跟着一串类似base64的编码,而且除了chunk11其他chunk的base编码看着应该就是大量的01,其中chunk11中的IDAT后的内容比较不一样,复制出来解密得到:

2020 第四届强网杯 线上赛Misc_Writeup_Arc_18


2020 第四届强网杯 线上赛Misc_Writeup_ide_19

level3_start_it

chunk8-chunk10三段中得到base64编码如下:

MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAxMTExMTExMTExMTEwMDAwMDAwMTAwMTEwMDAwMTAwMDAwMDAwMDExMTAwMDAxMTExMTExMTExMTAwMDAxMTExMTExMTExMTEwMDAwMDAwMTEwMTExMDAwMTAwMDAwMDAwMDExMTAwMDAxMTExMTExMTExMTAwMDAxMTAwMDAwMDAwMTEwMDEwMDExMTExMTEwMDEwMDAwMDAwMDAxMTAwMTExMDAxMDAwMDAwMDAwMTAwMDAxMTAwMDAwMDAwMTEwMDEwMDAwMTEwMTEwMDEwMDAwMDAwMDAwMDAxMTExMDAxMDAwMDAwMDAwMTAwMDAxMTAwMTExMTAwMTEwMDEwMDAwMTAwMTEwMDEwMDExMTAwMDAwMDExMTAxMDAxMDAxMTExMTAwMTAwMDAxMTAwMTExMTAwMTEwMDAwMTAwMDAwMDAxMTEwMDExMTExMTEwMDEwMDAwMDAxMDAxMTExMTAwMTAwMDAxMTAwMTExMTAwMTEwMDAwMDAwMDAwMDAxMTEwMDExMTEwMTEwMDEwMDAwMDAxMDAxMTExMTAwMTAwMDAxMTAwMTExMTAwMTEwMDExMTAwMTAwMTExMTExMTExMTAwMTEwMDExMTAwMDAwMDAxMTExMTAwMTAwMDAxMTAwMDAwMDAwMTEwMDExMDAwMDAwMDAwMTExMTAwMTEwMTEwMTEwMDAwMDAxMDAwMDAwMDAwMTAwMDAxMTAwMDAwMDAwMTEwMDEwMDExMDAwMDAwMDExMTAwMDExMTExMTEwMDExMDAxMDAwMDAwMDAwMTAwMDAxMTExMTExMTExMTEwMDEwMDExMDAxMDAxMDAxMTAwMTEwMTEwMDEwMDExMDAxMTExMTExMTExMTAwMDAxMTExMTExMTExMTEwMDEwMDExMDAxMDAxMTAwMDAwMTAwMTEwMDEwMDExMDAxMTExMTExMTExMTAwMDAwMDAwMDAwMDAwMDAwMDEwMDExMTExMTEwMDEwMDExMDAwMTExMDAwMTAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDEwMDAxMTExMTAwMDEwMDExMDAwMDExMTAxMTAwMDAwMDAwMDAwMDAwMDAwMDAxMTEwMDExMDAwMTExMTAwMDAwMDAxMDAwMDAwMDExMDAwMDAxMTExMTExMDAxMTExMDAwMTExMDAwMDAwMTEwMDAwMDAwMDAwMDAwMDAwMDAxMDAwMDAwMDExMDAwMDAwMDAwMDExMDAxMDAwMDAwMDAwMDAwMDAwMDEwMDAwMDAxMDAwMDExMTAwMDAxMDAwMDAwMTExMTAwMTEwMDAwMDExMDAwMDAwMDEwMDAwMDAwMDAxMTEwMDExMDAxMTExMTEwMDAwMDAwMDAwMDAwMDEwMDAxMDAxMTEwMDExMTExMDAwMDEwMDExMDAwMDAxMTEwMDExMDAxMTExMTEwMDAwMDAwMDAwMDAwMDExMDAxMDAxMTEwMDExMTExMDAwMDEwMDExMDAwMDAxMTAwMTExMDAwMDAwMDExMTExMDAwMDAwMDEwMDAwMTAwMDAwMTAwMTAwMTExMDAwMDAwMTAwMTAwMDAwMDAxMTAwMDAwMDAwMTExMDExMDAwMDAwMTExMDAwMTAwMDAxMTAwMDAwMTExMDAwMDAwMDAwMDAwMDAwMDExMTAwMDAwMTExMTEwMDExMDAwMDAxMTExMTExMTAwMDAxMTAwMDExMTExMTEwMDEwMDAwMDAwMDAwMDAwMTExMDAxMDAxMTAwMDAwMDAwMDAxMTAwMDAwMTExMDAxMTEwMDExMTExMDAxMDAwMTAwMTAwMDAwMDAwMTExMDAxMDAxMDAwMDAwMDAwMDAxMDAwMDAwMTExMDAxMTEwMDExMTExMDAxMTAwMTAwMTAwMDAwMDExMTAwMDAwMTEwMDExMTExMTExMDAwMDAwMDExMTAwMDAxMTExMTExMDAwMDAxMTEwMDExMTAwMDAwMDExMDAwMDAwMDEwMDExMTExMTEwMDAwMDAwMDExMTAwMDAxMTExMTExMDAwMDAwMTEwMDAxMTAwMDAwMDAwMDAwMTAwMDAwMDEwMDAwMDAwMDAwMDAwMDExMDAwMDAxMTEwMDExMDAxMDAwMDAwMTAwMTAwMDAwMDAwMDAwMDAwMDAwMTEwMDAwMDAwMDAwMDAwMDAwMDAwMDAxMTEwMDExMDExMTAwMDAwMDAwMDAwMDAwMDEwMDAxMDAxMTExMTEwMDAwMTAwMDAwMDAwMTAwMDAwMDExMTExMTExMTAxMTExMTAwMDAwMDAwMDAwMDExMDAwMDAwMDAxMTEwMDAwMDAwMTExMTExMTAwMTEwMDAwMDAxMTAwMDAwMDAwMDEwMDAwMDAwMDAwMDExMTAwMDAwMDAxMTEwMDAwMDAwMTExMTExMTAwMTExMDAwMDAwMTAwMDAwMDAwMDEwMDAwMDAwMDAxMTEwMDAwMTAwMTExMTExMTExMTExMDAwMDAwMDExMTAwMTExMDAwMDExMDAwMDAxMTAwMDAwMDAwMDAxMTExMDAwMTEwMDAxMDAxMTAwMTExMDAwMDAwMDExMDAwMDExMTAwMDExMDAwMDAwMDAwMDAwMDAwMDAxMTExMTAwMTExMDAxMTAwMTAwMTAxMTExMTExMTExMDAxMTExMTAwMDAxMDAxMTEwMDExMTExMTAwMDAxMTAwMDAwMTExMTEwMDAwMTAwMDAwMDAwMDEwMDAwMDAwMTExMTAwMDExMDAwMDAwMDExMTAwMTAwMDAxMDAwMDAwMTExMTEwMDAwMTAwMDAwMDAwMDEwMDAwMDAwMTExMDAwMDExMDAwMDAwMDExMTAwMTAwMDAwMDExMDExMTAwMDAwMDExMTAwMDAwMDAwMDAwMDAwMDAxMTEwMDAwMDExMTExMDAwMDAxMTAwMTAwMDAwMTExMTExMTAwMDAwMDExMDAwMDAwMDAwMDAwMDAwMDExMTAwMDAwMDAxMTAxMDAwMDAwMTAwMTAwMDAxMTExMTAwMDAwMTEwMDEwMDAwMTAwMDAwMDAwMDExMTExMDAwMDEwMDAwMDAwMDAxMTAwMDEwMDAwMDAwMTExMTAwMDAwMDAwMDEwMDAwMTEwMDAwMDAwMDAwMDAwMDAwMTEwMDAwMDAwMDAxMTAwMDAwMDAwMDAwMDExMTAwMTAwMDAwMDEwMDExMTExMDAwMDExMTAwMDAwMDAxMTEwMDAwMDAwMTExMDAwMTAwMDAwMDAxMTAwMTExMDAwMTExMTEwMDExMTExMDAxMTExMTExMTAwMDAxMDEwMDExMTExMTExMTAwMDExMDAwMDAxMDAwMTExMDAwMTExMTEwMDExMTExMDAxMTExMTExMTAwMDAxMTEwMDExMDExMTExMTAwMDExMDAwMDAwMDAwMDAwMDAwMDAwMDEwMDExMDAxMDAxMTEwMDAwMDAxMTEwMDAxMTExMDAwMDAxMTAwMDAwMTAwMDAwMDAwMDAwMDAwMDAwMDEwMDExMDAwMDAxMTAwMDAwMDAwMTEwMDAwMDExMDAwMDAxMTAwMDAwMTAwMDAxMTExMTExMTExMTEwMDEwMDExMDAwMTExMDAwMTEwMDAwMTExMTAwMDExMDAxMDAxMTAwMTExMTAwMDAxMTAwMDAwMDAwMTEwMDAwMTExMTAwMDAwMDExMTExMTExMDAxMTEwMDAxMDAwMDAxMTAwMTExMDAwMDAxMTAwMDAwMDAwMTEwMDAwMTExMTAwMDAwMDExMTExMTExMDAxMTEwMDExMDAwMDAxMTAwMTExMDAwMDAxMTAwMTExMTAwMTEwMDAwMTAwMDAxMDAwMDAwMTAwMDAxMDAxMTEwMDExMTExMTExMTAwMDAwMDAwMDAxMTAwMTExMTAwMTEwMDAwMTAwMDAxMDAwMDAxMTAwMDAxMDAxMTAwMDAxMTExMTExMDAwMDAwMDAwMDAxMTAwMTExMTAwMTEwMDEwMDExMDAwMTExMTExMTExMDAwMTExMTEwMDAwMTExMDAwMDExMDExMTAwMDAxMTAwMTExMTAwMTEwMDAwMDExMDAwMTEwMDAwMDAwMDAwMDAwMTEwMDAwMDAwMDAwMDExMDExMTAwMDAxMTAwMTExMTAwMTEwMDAwMDExMTExMTEwMDAwMDAwMTAwMDAxMTEwMDExMDAwMDAwMDAwMDExMTAwMDAxMTAwMDAwMDAwMTEwMDExMTAwMTAwMTExMDAwMDExMDAxMTExMTAwMDExMTExMTExMTExMTAwMDAwMDAxMTAwMDAwMDAwMTEwMDExMTAwMTAwMTExMDAwMDExMDAxMTExMTAwMDExMTExMTExMTExMTAwMDAwMDAxMDExMTExMTExMDEwMDEwMDExMTExMTEwMDExMTExMDAxMDAxMTEwMDExMTExMTAwMDAwMDExMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw

base64解密得到:

000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001111111111110000000100110000100000000011100001111111111100001111111111110000000110111000100000000011100001111111111100001100000000110010011111110010000000001100111001000000000100001100000000110010000110110010000000000001111001000000000100001100111100110010000100110010011100000011101001001111100100001100111100110000100000001110011111110010000001001111100100001100111100110000000000001110011110110010000001001111100100001100111100110011100100111111111100110011100000001111100100001100000000110011000000000111100110110110000001000000000100001100000000110010011000000011100011111110011001000000000100001111111111110010011001001001100110110010011001111111111100001111111111110010011001001100000100110010011001111111111100000000000000000010011111110010011000111000100000000000000000000000000000000010001111100010011000011101100000000000000000001110011000111100000001000000011000001111111001111000111000000110000000000000000001000000011000000000011001000000000000000010000001000011100001000000111100110000011000000010000000001110011001111110000000000000010001001110011111000010011000001110011001111110000000000000011001001110011111000010011000001100111000000011111000000010000100000100100111000000100100000001100000000111011000000111000100001100000111000000000000000011100000111110011000001111111100001100011111110010000000000000111001001100000000001100000111001110011111001000100100000000111001001000000000001000000111001110011111001100100100000011100000110011111111000000011100001111111000001110011100000011000000010011111110000000011100001111111000000110001100000000000100000010000000000000011000001110011001000000100100000000000000000110000000000000000000001110011011100000000000000010001001111110000100000000100000011111111101111100000000000011000000001110000000111111100110000001100000000010000000000011100000001110000000111111100111000000100000000010000000001110000100111111111111000000011100111000011000001100000000001111000110001001100111000000011000011100011000000000000000001111100111001100100101111111111001111100001001110011111100001100000111110000100000000010000000111100011000000011100100001000000111110000100000000010000000111000011000000011100100000011011100000011100000000000000001110000011111000001100100000111111100000011000000000000000011100000001101000000100100001111100000110010000100000000011111000010000000001100010000000111100000000010000110000000000000000110000000001100000000000011100100000010011111000011100000001110000000111000100000001100111000111110011111001111111100001010011111111100011000001000111000111110011111001111111100001110011011111100011000000000000000000010011001001110000001110001111000001100000100000000000000000010011000001100000000110000011000001100000100001111111111110010011000111000110000111100011001001100111100001100000000110000111100000011111111001110001000001100111000001100000000110000111100000011111111001110011000001100111000001100111100110000100001000000100001001110011111111100000000001100111100110000100001000001100001001100001111111000000000001100111100110010011000111111111000111110000111000011011100001100111100110000011000110000000000000110000000000011011100001100111100110000011111110000000100001110011000000000011100001100000000110011100100111000011001111100011111111111100000001100000000110011100100111000011001111100011111111111100000001011111111010010011111110011111001001110011111100000011000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

将base64解密得到的这些二进制保存为file.txt

2020 第四届强网杯 线上赛Misc_Writeup_上传_20


总长度: 3600

使用01二进制转二维码脚本:

import PIL
from PIL import Image

MAX = 60
img = Image.new("RGB",(MAX,MAX)) 
i = 0
str = "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001111111111110000000100110000100000000011100001111111111100001111111111110000000110111000100000000011100001111111111100001100000000110010011111110010000000001100111001000000000100001100000000110010000110110010000000000001111001000000000100001100111100110010000100110010011100000011101001001111100100001100111100110000100000001110011111110010000001001111100100001100111100110000000000001110011110110010000001001111100100001100111100110011100100111111111100110011100000001111100100001100000000110011000000000111100110110110000001000000000100001100000000110010011000000011100011111110011001000000000100001111111111110010011001001001100110110010011001111111111100001111111111110010011001001100000100110010011001111111111100000000000000000010011111110010011000111000100000000000000000000000000000000010001111100010011000011101100000000000000000001110011000111100000001000000011000001111111001111000111000000110000000000000000001000000011000000000011001000000000000000010000001000011100001000000111100110000011000000010000000001110011001111110000000000000010001001110011111000010011000001110011001111110000000000000011001001110011111000010011000001100111000000011111000000010000100000100100111000000100100000001100000000111011000000111000100001100000111000000000000000011100000111110011000001111111100001100011111110010000000000000111001001100000000001100000111001110011111001000100100000000111001001000000000001000000111001110011111001100100100000011100000110011111111000000011100001111111000001110011100000011000000010011111110000000011100001111111000000110001100000000000100000010000000000000011000001110011001000000100100000000000000000110000000000000000000001110011011100000000000000010001001111110000100000000100000011111111101111100000000000011000000001110000000111111100110000001100000000010000000000011100000001110000000111111100111000000100000000010000000001110000100111111111111000000011100111000011000001100000000001111000110001001100111000000011000011100011000000000000000001111100111001100100101111111111001111100001001110011111100001100000111110000100000000010000000111100011000000011100100001000000111110000100000000010000000111000011000000011100100000011011100000011100000000000000001110000011111000001100100000111111100000011000000000000000011100000001101000000100100001111100000110010000100000000011111000010000000001100010000000111100000000010000110000000000000000110000000001100000000000011100100000010011111000011100000001110000000111000100000001100111000111110011111001111111100001010011111111100011000001000111000111110011111001111111100001110011011111100011000000000000000000010011001001110000001110001111000001100000100000000000000000010011000001100000000110000011000001100000100001111111111110010011000111000110000111100011001001100111100001100000000110000111100000011111111001110001000001100111000001100000000110000111100000011111111001110011000001100111000001100111100110000100001000000100001001110011111111100000000001100111100110000100001000001100001001100001111111000000000001100111100110010011000111111111000111110000111000011011100001100111100110000011000110000000000000110000000000011011100001100111100110000011111110000000100001110011000000000011100001100000000110011100100111000011001111100011111111111100000001100000000110011100100111000011001111100011111111111100000001011111111010010011111110011111001001110011111100000011000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"

for x in range(MAX):
    for y in range(MAX):
        if(str[i] == '1'):
            img.putpixel([x,y],(0,0,0))
        else:
            img.putpixel([x,y],(255,255,255))
        i = i+1
img.show()
img.save("result.png")

得到二维码,使用QR Research扫描

2020 第四届强网杯 线上赛Misc_Writeup_ide_21


网盘下载得到压缩包level4.zip,解压得到level4.jpg使用stegdetect检测发现有jphide

2020 第四届强网杯 线上赛Misc_Writeup_ide_22


使用stegbreak爆破密码,得到密码为:power123

2020 第四届强网杯 线上赛Misc_Writeup_ide_23


使用JPHS工具打开图片,点击Seek输入密码

2020 第四届强网杯 线上赛Misc_Writeup_Arc_24


然后会导出个文件(不需要输入文件后缀什么的,直接随便输入文件名导出即可)这里导出为level4

2020 第四届强网杯 线上赛Misc_Writeup_上传_25

level4_here_all

网盘下载附件,得到压缩包level5.zip,解压,如下:

2020 第四届强网杯 线上赛Misc_Writeup_Arc_26

level5_is_aaa

level6.ziplevel7.zip都有压缩密码,解不开,先看到level6.zip

2020 第四届强网杯 线上赛Misc_Writeup_ide_27


原始文件大小都是<=5 Byte,猜测CRC32碰撞,网上很多其他的CRC32碰撞脚本都试了不行,最后找到这个Zip-CRC32碰撞脚本:

Zip-CRC32碰撞脚本: https://github.com/kmyk/zip-crc-cracker注: 该脚本笔者运行环境为Linux,Windows试过几次不行

2020 第四届强网杯 线上赛Misc_Writeup_ide_28


按照1,2,3的顺序排好

level6_isready

使用ARCHPR打开level7.zip1.png压缩成1.zip添加到明文密钥进行明文爆破

2020 第四届强网杯 线上赛Misc_Writeup_ide_29


根据网上的师傅的说法,等到剩余时间小于1h即可停止

2020 第四届强网杯 线上赛Misc_Writeup_Arc_30


然后会自动保存名为level7_decrypted.zip的已经解开加密的压缩包

2020 第四届强网杯 线上赛Misc_Writeup_ide_31


2020 第四届强网杯 线上赛Misc_Writeup_Arc_32


直接解压level7_decrypted.zip4.png5.png分辨率一样,size不一样,盲水印

2020 第四届强网杯 线上赛Misc_Writeup_ide_33


BlindWaterMask: https://github.com/chishaxie/BlindWaterMark

PS D:\Tools\Misc\BlindWaterMark> python3 .\bwmforpy3.py decode .\4.png .\5.png result.png
image<.\4.png> + image(encoded)<.\5.png> -> watermark<result.png>

2020 第四届强网杯 线上赛Misc_Writeup_上传_34

level7ishere

并且得到最后一关的相关地址:http://39.99.247.28/final_level/

2020 第四届强网杯 线上赛Misc_Writeup_ide_35


html snow隐写

html snow隐写解密网站:http://fog.misty.com/perry/ccs/snow/snow/snow.html把网址格式填对,Password为题目注释中的括号里的内容

2020 第四届强网杯 线上赛Misc_Writeup_ide_36


点击Decrypt

2020 第四届强网杯 线上赛Misc_Writeup_Arc_37

the_misc_examaaaaaaa_!!!}

综上所述,flag为其部分拼接:

flag{level1_begin_and_level2_is_comelevel3_start_itlevel4_here_alllevel5_is_aaalevel6_isreadylevel7isherethe_misc_examaaaaaaa_!!!}


标签:zip,上赛,Writeup,Misc,密码,flag,得到,steghide,png
From: https://blog.51cto.com/u_16159500/6517113

相关文章

  • 2022DASCTF Apr X FATE 防疫挑战赛 Writeup
    文章目录[MISC]SimpleFlow[MISC]熟悉的猫[MISC]冰墩墩[MISC]SimpleFlow首先tcp.streameq50中分析传入的执行命令的变量是$s,也就是参数substr($_POST["g479cf6f058cf8"],2)找到对应的参数,然后去掉前面两位字符解码即可cd"/Users/chang/Sites/test";zip-PPaSsZiPWorDfl......
  • 第四届“强网”拟态防御国际精英挑战赛MISC-mirror
    题目附件请自取链接:https://pan.baidu.com/s/18K00ClgwJsqmKphPmqMpHw提取码:6r3jfull.png使用010Editor打开出现CRC校验报错,猜测需要修复宽高,其次发现了文件末尾附加了镜像翻转的png字节流数据将附加数据提取出来另存为png文件,通过分析不难发现将字节流数据逆序然后每十六个字......
  • BMZCTF:misc_bbmpp
    http://bmzclub.cn/challenges#misc_bbmpp首先根据提示我们需要爆破压缩包的密码,6位纯数字得到压缩包密码:333520解压得到bbmppp观察整个文件头格式,判断这里应该只是去掉了文件头类型(2字节)和文件大小(4字节)根据当前整个文件大小为80736计算原文件大小为80742十六进制为13B66......
  • 2023届陕西省大学生网络技能安全赛-misc复现
    赛事地址【云演】--信息安全在线教育平台,让攻防更简单!(yunyansec.com)管道   附件一张图片,由题目介绍可知存在lsb隐写使用zsteg指令检测 可是雪飘进双眼所给附件有一个加密压缩包和文件夹文件夹里有一个音频和文本 音频里藏有摩斯密码  由txt文件可以......
  • binfmt_misc
    一:binfmt_misc是什么binfmt_misc是内核中的一个功能,它能将非本机的二进制文件与特定的解析器自动匹配起来,进行二进制解析。    例如,在x86上解析arm64架构的二进制。    通过binfmt_misc可以注册解析器来处理指定二进制文件格式的请求。这些解析器可以是本地......
  • 2023 安洵杯SYCTF Web-writeup
    2023安洵杯SYCTFWeb-writeupWeb文末:附官方wp,失效可留言联系CarelessPy首页的源代码中存在注释,提供了两个功能点。<!--好像有/eval路由和/login路由是拿来干什么的呢?-→还有一张图片,访问图片发现请求路径:会请求/download?file=zayu2.jpg,这里能任意下载文件总共......
  • 安洵杯SYCCTF2023 writeup
    一、MISC1.sudoku_easy简单的数独交互,几个小注意点,每次发送level之后sleep5秒才会返回题目将形如---------------------800103720023840650410006008300001062000052407072060090160000375205019846000030000---------------------转换成二维数组进行解数独......
  • 2022 360强国杯决赛Web-writeup
    Webezxunrui分析1、下载附件开始审计迅睿路由规则不过多介绍了,需要选手自行分析代码逻辑,这里只公布漏洞点。控制器在如下位置。在API控制器中。存在qrcode操作用来生成二维码,会获取略缩图参数,如图。跟进一下发现存在curl的调用,存在SSRF漏洞。2、SSRFFastCGIRCE......
  • 第一届山城杯初赛Web-WriteUp
    Webwriteup:Web1(Lesen):考点:文件包含反序列化伪协议界面:源码:<?phperror_reporting(0);highlight_file(__FILE__);$from=$_GET['from'];$to=$_GET['to'];if(!isset($from)or!isset($to)orstripos($from,"flag")!=FALSE){......
  • SYCTF2023 WEB writeup
    CarelessPy一进来就是个任意文件下载功能,不过做了些限制,这题从头到尾都在骂杂鱼。。。(虽然我确实是(bushi)查看页面源代码,给了个/eval/login两个路由,/eval是个目录遍历,/login尝试登录无果,有session,应该需要伪造session,利用/eval查看app下的pyc文件,然后down下载在线找个pyc......

赞助商

阅读排行

网站主页关于我们联系我们网站地图

本网站内容转载自其他媒体,侵权联系[admin##ips99.com]。

Copyright © 2020-2023 IPS99 版权所有 IPS99