PICTURE
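The challenge gives us an image. Opening it in 010Editor first shows that it is a JPG:
Next, run binwalk on Ubuntu to check whether any other files are embedded:
FF D9 is the standard end marker of a JPG. 78 9C is the start of a zlib stream.
Decompress the zlib data with the following code (Python 2):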
import zlib
import binascii
data = "789C...".decode('hex')  # full hex string: see the complete script below
result = binascii.hexlify(zlib.decompress(data))
print result
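This looks like the hex of a file. Look at the corresponding ASCII characters by decoding the hex once more:
result.decode('hex')
The output contains only 0-9, a-z, A-Z, / and +, and ends with =, so it is base64. Decode it: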
#python2
import zlib
import binascii
import base64
data = "789CAD50C9929B400CFD200E060C060E3974B3B9C1F6B00468B8D1801B308B3D80B1F9FA402533955B2E51A99E9EA457924A3E0734085D005607889D1B7609AE357A4474CD75016CB841CC2BB704EBB6EC87CFBC8E778FE22C97533E75B475F4FCFA298530C7B9D4702F271062E5D117E579D6693570EA699C9EE4C3D2F054D9240BBA0ECBDD25DD993816AD72E4E30377637C27B53C38CFAE5279AE2E758811C5D129AF73FDD1667A084FC0453BF0AF3BD5ADF9DBD0378335E1BD46A5807E15005C29347702C2293B1B85373143A97CFE04A1684A87F7911FCF30D00703D23FFA7574B8F1E3BC82960163740BECF58417E8B912F6D8656DA716186497CAE3C8F7D735D7DC7B90B5469D445619F303B54DEE99ED5D9AB5E15A1359645E4A62CE9498C692ABB783E6F614E9C99D980145F56B2EF0A54FA2D78016C0A06AD33553E283D749857752019944CA2D8F5E8D43591BA980FEBD3B6AC33761BD7BDE364B1A299387AD37D9A3C3B726FD4FD107F2C987738C2F4BCE2BEF440592FDF50B007EFC0269EAC2D4".decode('hex')
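# decompress, then hex-encode the result for inspection
result = binascii.hexlify(zlib.decompress(data))
print result
# decode the hex back to the ASCII text, which is base64
result = result.decode('hex')
print result
# base64-decode to get the raw archive bytes
r = base64.b64decode(result)
print r
# write the archive to disk
f = open(r"2.zip","wb")
f.write(r)
f.close()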
Opening it reveals an encrypted file, and double-clicking it brings up this, so repair the file header: KP -> PK
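The steps so far (find the zlib stream after FF D9, decompress, base64-decode, repair KP -> PK) as one Python 3 script. This is an added example, not the original author's code; the function names and the sample input built in `build_sample` are constructed for illustration, and the sample ZIP is unencrypted.

```python
import base64
import io
import zipfile
import zlib

JPEG_EOI = b"\xff\xd9"    # JPEG end-of-image marker
ZLIB_MAGIC = b"\x78\x9c"  # zlib header at default compression


def carve_zlib_after_jpeg(blob):
    """Decompress the zlib stream that directly follows a JPEG EOI marker."""
    pos = blob.find(JPEG_EOI)
    while pos != -1:
        start = pos + len(JPEG_EOI)
        if blob[start:start + 2] == ZLIB_MAGIC:
            try:
                # decompressobj ignores bytes trailing the stream
                return zlib.decompressobj().decompress(blob[start:])
            except zlib.error:
                pass  # FF D9 78 9C occurred by chance inside image data
        pos = blob.find(JPEG_EOI, pos + 1)
    raise ValueError("no zlib stream after a JPEG EOI marker")


def recover_zip(blob):
    """Carve, base64-decode, then repair a swapped 'KP' ZIP signature."""
    raw = base64.b64decode(carve_zlib_after_jpeg(blob), validate=True)
    if raw[:2] == b"KP":
        raw = b"PK" + raw[2:]
    if raw[:4] != b"PK\x03\x04":
        raise ValueError("payload is not a ZIP local file header")
    return raw


def build_sample():
    """Constructed input: fake JPEG + zlib(base64(ZIP with 'KP' header))."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("key.txt", "constructed sample content\n")
    broken = b"KP" + buf.getvalue()[2:]
    # a stray FF D9 inside the image body must not be mistaken for the end
    fake_jpeg = b"\xff\xd8\xff\xe0" + b"\x00\xff\xd9\x00\x00" + JPEG_EOI
    return fake_jpeg + zlib.compress(base64.b64encode(broken))


if __name__ == "__main__":
    fixed = recover_zip(build_sample())
    with zipfile.ZipFile(io.BytesIO(fixed)) as zf:
        print(zf.namelist(), zf.read("key.txt"))
```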
Looking at the comment, the password is already obvious (Python 2):
Extracting the archive gives:
begin 644 key.txt
G0TE30TY[-T$X0T5$1D$V-#1".#<T,D8Y,3)!0CDQ-T4T-4%#,#9]
`
end
This is uuencoded data, so decode it directly:
>>> import binascii
>>> binascii.a2b_uu('G0TE30TY[-T$X0T5$1D$V-#1".#<T,D8Y,3)!0CDQ-T4T-4%#,#9]')
b'CISCN{7A8CEDFA644B8742F912AB917E45AC06}'
This gives the flag.
CISCN{7A8CEDFA644B8742F912AB917E45AC06}