文章目录
BadW3ter
打开WATER音频提示文件已损坏,winhex打开发现文件头损坏,但是头文件数据比较可疑,提取数据为CUY1nw31lai,初音未来
手动修复下,恢复音频
wav文件头:52494646E6AD250357415645666D7420
修复完成之后,结合密钥经过尝试为deepsound加密
提取出flag.png(应有关部门要求,该二维码涉及引流,但我觉得二维码打马赛克太离谱了,所以我就截取了一部分)真的会谢,截取了一部分都没法扫了还是违规,虽然本人喜欢这种有直观数据,有排名的感觉,但是这种处处受限制的感觉实在太憋屈,打算弃坑重新搭建小破站。
扫码得到
Never gonna give you up
Never gonna let you down
Never gonna give you up
Never gonna let you down
Never gonna give you up
Never gonna let you down
Never gonna give you up
Never gonna let you down
Never gonna give you up
Never gonna let you down
Never gonna give you up
Never gonna let you down
deepsound只能隐藏一个信息,所以继续找,经过放大发现该二维码并非纯黑白,而是黑白灰三色。
将扫码出的内容还原二维码后,发现与黑灰组成的码完全相符,代表灰色为精心构造的容错。
这里用ps打开flag.png发现文件有误,用kali检查发现其实是tiff文件,然后将后缀名改为tif,再用ps打开,发现有两个图层
图层0
图层1
经过多次尝试,不限于将图层0的灰色变白,黑色变白等,最后发现将图层1完全变黑就可以扫出flag
WannaWacca
解压获取三个文件,首先分析流量包,用binwalk发现末尾有可疑数据
用winhex找到当前位置,获取如下信息:
WannaWacca -----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDJFsTzQQX2hVlNxP0djx4Fv1y/A5msFx+k1ivELtqolm4LPNw9
9bC59lNVSbLfBxY+w2pjoCOFgTcaECJkIox1q63lQ33fveYCXrSOuW6dECoKZsKP
upnerPobr3V/TKcE33UE4JXAZpVO0kLmXjCAqIvzRaLGHRnTLH/Wfy9VKQIDAQAB
AoGAF39LoEkW00mdt9Ku6QdSMMW9pqxbBprlHbPRBWmcL1r0nOeNrMfK0NARyMOF
3T3MwaTAB8gsnmsM70S3YBARbXGKN0N33qWoNFkzOdoMLuPFrhJmV7OcTP+B3pYq
ztAyK6PdanM5RTG+WOhJy+JOaEKmAGkgcZcLNGooff8iGckCQQDoLTzNPSA55i15
hPbpFnf3C/vL5A5zPkeMc5MmYXd0SuRD4tpOMrVs8b/umUne4lHk9cN2E20QIH5W
E8dTlWAvAkEA3bjtAItswtFMUuoXmqfxN7grnmYXCur7FiItEn331R4nwqXP5Aez
W2ag63Yf7+KFpPT0zdwk2gBensQKGgOyJwJBAJ0OxPudZuhj0c1Lae+BOIPRAnMJ
gdDph2L2Z8tl0XXEl6dolP6jBOF+o7RW04bHmFiG+8MrHvLy2COIW6Up/hcCQQCB
xJsJ55BnUYI/QP1Bqit29hapZYz0+eSs5qHEoe9sT3Lr7IoJJyylQSLLzN4SU1zu
1+NznPYAlZjLiWd0JFefAkAg93pETCaJdkWS/uZT/5Cd4aQnv7gnTY0ZwrydrLat
bO3T6yHnNlewQxfbkBZqJnSlwDeAWoq0P68vqY1JUcVE
-----END RSA PRIVATE KEY-----
接下来分析镜像文件
python vol.py -f /home/wha1e/桌面/d3-win7-5f799647.vmem --profile=Win7SP1x64 cmdline
发现readme.txt,SmartFalcon.exe这俩个桌面文件比较可疑,都提取出来看看
readme.txt:
发现末尾有很多空格
What Happened to My Flag?
Your important flag is encrypted.
Can I recover My Flag?
Sincerely.We guarantee that you can recover your flag safely and easily. But you have not so enough time. If you don't pay in 48 hours, you won't be able to recover your flag.
How Do I Pay?
Payment is accepted in D3coin only. Send $126 worth of D3coin to the author. All ransom will be used to play Wacca.
YOU WILL NEVER KNOW MY IP ADDRESS!
将SmartFalcon.exe提取到桌面,binwalk分析后用foremost提取
获得加密zip,这里使用bkcrack进行明文爆破,但是很遗憾我没爆破出来。
从头看来半个小时,意识到自己很多条件其实还是没用上,然后翻了一下大哥们的wp,
这个时候获取的flag.zip才是还原的文件,打开没有爆破且有plain提示,这个时候再进行bkceack爆破,获取 light.png。
这里因为本人不会逆向,写不出关键脚本,以及后面的提取像素也不会写,所以这里直接省略。一下很多内容非本人复现。详细脚本可以看r3和n1大哥们的博客。
学misc没出入,早弃坑早舒服。
用提取还原出来的flag.zip可以直接用bkcrack解码。
发现图片有idot块,即apple的特殊信息块,据说用apple的safari浏览器打开可以看到不一样的,但穷学生表示上不起mac,这里借助https://fotoforensics.com/即可看到另一半的图片。
保存下来,发现第一张图左上角和第二张图右下角都有盲文,且图二的盲文需要上下与左右均翻转一次才能解密。
第一张图加密后出来一个压缩包,内容如下
I've been looking for the light in the darkness.
And reaching for the stars to be free.
However, still can't.
It seems like that takes time.
I've been wandering in the sky for a long time.
while wishing for the truly future.
Believe that will be coming surely.
No matter how long it takes.
So, Let me take you down to a radiant place
If I'm with you, we can go anywhere.
The light promising the future will lead us
so that the darkness won't be approaching.
I caught a ray of light in a nightmare
as if it was the last hope for me.
However, so faint, also likely to disappear.
I saw a shooting star at the crack of dawn.
And It looked like knows reasons that we live.
To will be like the star, so I'll keep moving on.
I promise you right now.
So, Would you take me back to glorious days
if I lost the right way to go.
And if you'd get lost, I'll reach out my hands too.
I hope we'll always support each other.
So, Let me take you down to a radiant place.
If I'm with you, we can go anywhere.
I know It's fine.
The way of truth is calling.
The wind is on our side.
Can you see the sun peeking through the clouds?
Teaches never forget no matter when.
We can find the way no matter where we are.
Can find the way.
So now, To be free.
We can go anywhere.
The light promising the future will lead us
so that the darkness won't be approaching.
So, Let me take you down to a radiant place.
If I'm with you, we can go anywhere.
The light promising the future will lead us
so that the darkness won't be approaching.
notepad打开发现有很多del字符
图片二解密base64后获得密钥R@y0f1!9ht
最后更具文本盲水印(https://github.com/guofei9987/text_blind_watermark)获取最终flag
from text_blind_watermark import extract
str1 = open("Future will lead.txt", "r")
passwd = 'R@y0f1!9ht'
_extract = extract(str1, passwd)
print(_extract)
最终获取flag。
300
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
