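[Pengcheng Cup 2022] Misc_water
Challenge tips: blind watermark, image steganography, PNG width/height repair
Extracting the challenge archive yields a PNG image whose file name is reversed.
Run the name through an online text reverser
to get the real image name, water_picture.
Drag the image into a hex editor and search for common file headers: it contains 2 PNG files and 1 JPG file. Search for the JPG file header first.
At the PNG file header, the JPG file header turns out to sit directly next to the PNG file header.
Following the "reversed" hint, I immediately searched for the JPG file trailer and found it joined to the trailer of the first PNG, so I suspected this was a reversed JPG image.
Extract the 3 images separately. The JPG is reversed, so a script is needed to reverse its bytes back.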
with open('p2.jpg', 'rb') as f:
    with open('flag.jpg', 'wb') as g:
        # Write the bytes of the carved file in reverse order
        g.write(f.read()[::-1])
This yields a new JPG image.
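The carving step above can also be done without a hex editor. The following is an added example, not part of the original write-up: it splits a container into its PNG files and tests every region between them both forwards and backwards for JPEG markers. The sample bytes are constructed and the names `carve` and `SAMPLE` are hypothetical.

```python
PNG_SIG = b"\x89PNG\r\n\x1a\n"
PNG_END = b"IEND\xaeB`\x82"      # IEND chunk type followed by its fixed CRC
JPG_SOI = b"\xff\xd8\xff"        # JPEG start-of-image plus first marker byte
JPG_EOI = b"\xff\xd9"            # JPEG end-of-image

def carve(blob):
    """Split a container into PNGs and the regions between them.

    Returns [(kind, data)]. A region that only looks like a JPEG when read
    backwards is returned already un-reversed, tagged "jpg-reversed".
    """
    found, pos = [], 0
    while pos < len(blob):
        if blob.startswith(PNG_SIG, pos):
            end = blob.find(PNG_END, pos)
            if end < 0:
                raise ValueError("PNG at offset %d has no IEND chunk" % pos)
            end += len(PNG_END)
            found.append(("png", blob[pos:end]))
        else:
            nxt = blob.find(PNG_SIG, pos)      # region runs to the next PNG
            end = len(blob) if nxt < 0 else nxt
            region = blob[pos:end]
            flipped = region[::-1]
            if region.startswith(JPG_SOI) and region.endswith(JPG_EOI):
                found.append(("jpg", region))
            elif flipped.startswith(JPG_SOI) and flipped.endswith(JPG_EOI):
                found.append(("jpg-reversed", flipped))
            else:
                found.append(("unknown", region))
        pos = end
    return found

# Constructed sample (not the challenge file): PNG, reversed JPEG, PNG.
fake_png = PNG_SIG + b"constructed png body" + PNG_END
fake_jpg = JPG_SOI + b"\xe0constructed jpeg body" + JPG_EOI
SAMPLE = fake_png + fake_jpg[::-1] + fake_png

if __name__ == "__main__":
    for kind, data in carve(SAMPLE):
        print(kind, len(data))
```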
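I tried all kinds of steganography checks on each of the 3 images and found nothing.
The hint mentions a blind watermark, and the archive next to the image also needs a password, so I suspected the password was hidden in flag.jpg.
I'm not very familiar with blind watermarks, so I found a script online.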
import cv2 as cv
import numpy as np
import matplotlib.pyplot as plt
img = cv.imread('flag.jpg', 0)
f = np.fft.fft2(img)
fshift = np.fft.fftshift(f)
s1 = np.log(np.abs(fshift))
plt.subplot(121)
plt.imshow(img, 'gray')
plt.title('original')
plt.subplot(122)
plt.imshow(s1,'gray')
plt.title('center')
plt.show()
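Blind watermark decoding
Zooming in reveals the password: ZC4#QaWbW (rant: I hate this kind of eye-straining password the most, I nearly went blind)
This gives a JPG file. I dropped it straight into a hex editor and the file header is PNG; I changed the extension and viewed the image but found nothing.
Various steganography checks on this image and a hex search for common file headers turned up nothing either.
The hint mentions PNG repair, so I moved the file to Linux to see whether it would open; it would not.
xdg-open abc.png
Use a CRC32 collision script (from the internet)
import zlib
import struct
filename = 'abc.png'  # the image whose dimensions are to be brute-forced
with open(filename, 'rb') as f:
    all_b = f.read()
crc32key = int(all_b[29:33].hex(), 16)  # CRC stored after the IHDR chunk
data = bytearray(all_b[12:29])  # chunk type "IHDR" + 13 bytes of IHDR data
n = 4095  # in theory 0xffffffff, but given real screens/CPU, 0x0fff is about enough
for w in range(n):  # brute-force height and width together
    width = bytearray(struct.pack('>i', w))  # q is 8 bytes, i is 4 bytes, h is 2 bytes
    for h in range(n):
        height = bytearray(struct.pack('>i', h))
        for x in range(4):
            data[x+4] = width[x]
            data[x+8] = height[x]
        crc32result = zlib.crc32(data)
        if crc32result == crc32key:
            print("宽为:", end="")  # label: "width"
            print(width)
            print("高为:", end="")  # label: "height"
            print(height)
            exit(0)
The script gives the correct width and height: 000002dd, 000002ba
Use the editor to repair the width and height.
The image displays normally again and gives the flag; the format is NSSCTF{}.
Challenge cleared.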
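[CISCN 2022 Preliminary] ez_usb
Challenge tips: traffic analysis, USB protocol, keyboard traffic
I don't know this topic well and only read up briefly on the USB protocol online; so far I know that 2.8.1 and 2.10.1 carry the useful information.
Filter on each of the two and export the specified packets.
Use the online tool script UsbKeyboardDataHacker.py to extract the data from the two files.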
#!/usr/bin/env python
import sys
import os
DataFileName = "usb.dat"
presses = []
normalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e", "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j", "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o", "13":"p", "14":"q", "15":"r", "16":"s", "17":"t", "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y", "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4", "22":"5", "23":"6","24":"7","25":"8","26":"9","27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\","32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".","38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
shiftKeys = {"04":"A", "05":"B", "06":"C", "07":"D", "08":"E", "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J", "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O", "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T", "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y", "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$", "22":"%", "23":"^","24":"&","25":"*","26":"(","27":")","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":":","34":"\"","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
def main():
    # check argv
    if len(sys.argv) != 2:
        print("Usage : ")
        print(" python UsbKeyboardHacker.py data.pcap")
        print("Tips : ")
        print(" To use this python script , you must install the tshark first.")
        print(" You can use `sudo apt-get install tshark` to install it")
        print("Author : ")
        print(" WangYihang <wangyihanger@gmail.com>")
        print(" If you have any questions , please contact me by email.")
        print(" Thank you for using.")
        exit(1)
    # get argv
    pcapFilePath = sys.argv[1]
    # get data of pcap
    os.system("tshark -r %s -T fields -e usb.capdata 'usb.data_len == 8' > %s" % (pcapFilePath, DataFileName))
    # read data
    with open(DataFileName, "r") as f:
        for line in f:
            presses.append(line[0:-1])
    # handle
    result = ""
    for press in presses:
        if press == '':
            continue
        if ':' in press:
            Bytes = press.split(":")
        else:
            Bytes = [press[i:i+2] for i in range(0, len(press), 2)]
        if Bytes[0] == "00":
            if Bytes[2] != "00" and normalKeys.get(Bytes[2]):
                result += normalKeys[Bytes[2]]
        elif int(Bytes[0],16) & 0b10 or int(Bytes[0],16) & 0b100000: # shift key is pressed.
            if Bytes[2] != "00" and normalKeys.get(Bytes[2]):
                result += shiftKeys[Bytes[2]]
        else:
            print("[-] Unknow Key : %s" % (Bytes[0]))
    print("[+] Found : %s" % (result))
    # clean the temp data
    os.system("rm ./%s" % (DataFileName))
if __name__ == "__main__":
    main()
python3 UsbKeyboardDataHacker.py 2101.pcapng
Running as user "root" and group "root". This could be dangerous.
[+] Found : 35c535765e50074a
python3 UsbKeyboardDataHacker.py 2811.pcapng
Running as user "root" and group "root". This could be dangerous.
[-] Unknow Key : 04
[-] Unknow Key : 04
[-] Unknow Key : 01
[-] Unknow Key : 01
[+] Found : 526172211a0700<CAP>c<CAP>f907300000d00000000000000c4527424943500300000002<CAP>a000000<CAP>02b9f9b0530778b5541d33080020000000666c61672<CAP>e<CAP>747874<CAP>b9b<CAP>a013242f3a<CAP>fc<CAP>000b092c229d6e994167c05<CAP>a7<CAP>8708b271f<CAP>fc<CAP>042ae3d251e65536<CAP>f9a<CAP>da87c77406b67d0<CAP>e6316684766<CAP>a86e844d<CAP>c81aa2<CAP>c72c71348d10c4<CAP>c<DEL>3d7b<CAP>00400700
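The start of the data from the 2811 file looks very much like a RAR file header. To restore this hex, the "<CAP>" and "<DEL>" need to be stripped.
Save the hex data as a RAR file.
The extraction password is the data extracted from the 2101 file: 35c535765e50074a
Flag obtained successfully.
Challenge cleared.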
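Turning the decoder's "Found" string into a file can be scripted. The following is an added example, not part of the original write-up or of UsbKeyboardDataHacker.py: it replays the markers as key presses (the tool maps HID usage 0x2a, the Backspace key, to `<DEL>`, so it removes the previous character, and `<CAP>` toggles Caps Lock), checks that the result is clean hex, and identifies the file by its magic bytes. The sample string is constructed and the function names are hypothetical.

```python
import re

MAGIC = {
    b"Rar!\x1a\x07\x00": "rar4",
    b"Rar!\x1a\x07\x01\x00": "rar5",
    b"PK\x03\x04": "zip",
    b"\x89PNG\r\n\x1a\n": "png",
}
TOKEN = re.compile(r"<[A-Z0-9]+>|.", re.S)   # a <NAME> marker or one character

def replay_keys(found):
    """Replay decoder output as the text that was actually typed."""
    out, caps = [], False
    for tok in TOKEN.findall(found):
        if tok == "<CAP>":
            caps = not caps                  # Caps Lock toggles letter case
        elif tok == "<DEL>":
            if out:
                out.pop()                    # Backspace erases the last char
        elif tok == "<SPACE>":
            out.append(" ")
        elif tok == "<RET>":
            out.append("\n")
        elif len(tok) == 1:
            out.append(tok.swapcase() if caps and tok.isalpha() else tok)
        # any other marker (<ESC>, <F1>, ...) types nothing
    return "".join(out)

def hex_to_file_bytes(found):
    """Return (file kind, raw bytes) for a typed hex dump."""
    text = replay_keys(found)
    if len(text) % 2 or re.search(r"[^0-9a-fA-F]", text):
        raise ValueError("typed text is not clean hex; inspect the capture by hand")
    data = bytes.fromhex(text)
    kind = next((n for m, n in MAGIC.items() if data.startswith(m)), "unknown")
    return kind, data

# Constructed sample in the tool's output format (not the challenge data).
SAMPLE = "526172211a0700<CAP>c<CAP>f9073<DEL>0"

if __name__ == "__main__":
    kind, data = hex_to_file_bytes(SAMPLE)
    print(kind, data.hex())
```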
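[OtterCTF 2018] General Info
Challenge tips: memory forensics, registry
Per the hint this is memory forensics; just go straight in and look up the computer name and the network address. There is nothing much to explain for this one.
I use volatility3, so the commands differ from volatility2.
python3 volatility3/vol.py -f OtterCTF.vmem windows.registry.printkey --offset 0xf8a000024010 --key "ControlSet001\Control\ComputerName\ComputerName"
Computer name: WIN-LO6FAF3DTFE
Check the network connection state
python3 volatility3/vol.py -f OtterCTF.vmem windows.netscan
This gives the IP address: 192.168.202.131
The flag is: NSSCTF{WIN-LO6FAF3DTFE-192.168.202.131}
Challenge cleared.
[CISCN 2022 Preliminary] everlasting_night
Challenge tips: image steganography, image repair, lsb, md5
Routine steps: look for file headers in hex and inspect the image channels with StegSolve.
The hint mentions lsb, so this is LSB steganography.
Extracting data from Alpha plane 2 with StegSolve reveals a suspicious string: f78dcd383f1b574b. My first guess is that this is the LSB encryption password.
Use the lsb.py decryption script with that password.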
python2 lsb.py extract 123456.png result f78dcd383f1b574b
import sys
import struct
import numpy
import matplotlib.pyplot as plt
from PIL import Image
from crypt import AESCipher
# Decompose a binary file into an array of bits
def decompose(data):
    v = []
    # Pack file len in 4 bytes
    fSize = len(data)
    bytes = [ord(b) for b in struct.pack("i", fSize)]
    bytes += [ord(b) for b in data]
    for b in bytes:
        for i in range(7, -1, -1):
            v.append((b >> i) & 0x1)
    return v
# Assemble an array of bits into a binary file
def assemble(v):
    bytes = ""
    length = len(v)
    for idx in range(0, len(v)/8):
        byte = 0
        for i in range(0, 8):
            if (idx*8+i < length):
                byte = (byte<<1) + v[idx*8+i]
        bytes = bytes + chr(byte)
    payload_size = struct.unpack("i", bytes[:4])[0]
    return bytes[4: payload_size + 4]
# Set the i-th bit of v to x
def set_bit(n, i, x):
    mask = 1 << i
    n &= ~mask
    if x:
        n |= mask
    return n
# Embed payload file into LSB bits of an image
def embed(imgFile, payload, password):
    # Process source image
    img = Image.open(imgFile)
    (width, height) = img.size
    conv = img.convert("RGBA").getdata()
    print "[*] Input image size: %dx%d pixels." % (width, height)
    max_size = width*height*3.0/8/1024 # max payload size
    print "[*] Usable payload size: %.2f KB." % (max_size)
    f = open(payload, "rb")
    data = f.read()
    f.close()
    print "[+] Payload size: %.3f KB " % (len(data)/1024.0)
    # Encrypt
    cipher = AESCipher(password)
    data_enc = cipher.encrypt(data)
    # Process data from payload file
    v = decompose(data_enc)
    # Add until multiple of 3
    while(len(v)%3):
        v.append(0)
    payload_size = len(v)/8/1024.0
    print "[+] Encrypted payload size: %.3f KB " % (payload_size)
    if (payload_size > max_size - 4):
        print "[-] Cannot embed. File too large"
        sys.exit()
    # Create output image
    steg_img = Image.new('RGBA',(width, height))
    data_img = steg_img.getdata()
    idx = 0
    for h in range(height):
        for w in range(width):
            (r, g, b, a) = conv.getpixel((w, h))
            if idx < len(v):
                r = set_bit(r, 0, v[idx])
                g = set_bit(g, 0, v[idx+1])
                b = set_bit(b, 0, v[idx+2])
            data_img.putpixel((w,h), (r, g, b, a))
            idx = idx + 3
    steg_img.save(imgFile + "-stego.png", "PNG")
    print "[+] %s embedded successfully!" % payload
# Extract data embedded into LSB of the input file
def extract(in_file, out_file, password):
    # Process source image
    img = Image.open(in_file)
    (width, height) = img.size
    conv = img.convert("RGBA").getdata()
    print "[+] Image size: %dx%d pixels." % (width, height)
    # Extract LSBs
    v = []
    for h in range(height):
        for w in range(width):
            (r, g, b, a) = conv.getpixel((w, h))
            v.append(r & 1)
            v.append(g & 1)
            v.append(b & 1)
    data_out = assemble(v)
    # Decrypt
    cipher = AESCipher(password)
    data_dec = cipher.decrypt(data_out)
    # Write decrypted data
    out_f = open(out_file, "wb")
    out_f.write(data_dec)
    out_f.close()
    print "[+] Written extracted data to %s." % out_file
# Statistical analysis of an image to detect LSB steganography
def analyse(in_file):
    '''
    - Split the image into blocks.
    - Compute the average value of the LSBs for each block.
    - The plot of the averages should be around 0.5 for zones that contain
      hidden encrypted messages (random data).
    '''
    BS = 100 # Block size
    img = Image.open(in_file)
    (width, height) = img.size
    print "[+] Image size: %dx%d pixels." % (width, height)
    conv = img.convert("RGBA").getdata()
    # Extract LSBs
    vr = [] # Red LSBs
    vg = [] # Green LSBs
    vb = [] # Blue LSBs
    for h in range(height):
        for w in range(width):
            (r, g, b, a) = conv.getpixel((w, h))
            vr.append(r & 1)
            vg.append(g & 1)
            vb.append(b & 1)
    # Average colours LSB per each block
    avgR = []
    avgG = []
    avgB = []
    for i in range(0, len(vr), BS):
        avgR.append(numpy.mean(vr[i:i + BS]))
        avgG.append(numpy.mean(vg[i:i + BS]))
        avgB.append(numpy.mean(vb[i:i + BS]))
    # Nice plot
    numBlocks = len(avgR)
    blocks = [i for i in range(0, numBlocks)]
    plt.axis([0, len(avgR), 0, 1])
    plt.ylabel('Average LSB per block')
    plt.xlabel('Block number')
    # plt.plot(blocks, avgR, 'r.')
    # plt.plot(blocks, avgG, 'g')
    plt.plot(blocks, avgB, 'bo')
    plt.show()
def usage(progName):
    print "LSB steganogprahy. Hide files within least significant bits of images.\n"
    print "Usage:"
    print " %s hide <img_file> <payload_file> <password>" % progName
    print " %s extract <stego_file> <out_file> <password>" % progName
    print " %s analyse <stego_file>" % progName
    sys.exit()
if __name__ == "__main__":
    if len(sys.argv) < 3:
        usage(sys.argv[0])
    if sys.argv[1] == "hide":
        embed(sys.argv[2], sys.argv[3], sys.argv[4])
    elif sys.argv[1] == "extract":
        extract(sys.argv[2], sys.argv[3], sys.argv[4])
    elif sys.argv[1] == "analyse":
        analyse(sys.argv[2])
    else:
        print "[-] Invalid operation specified"
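This yields an archive, but it needs a password.
Looking at the tail of the original image file and considering the challenge hint, I suspected it was an MD5 hash.
Submitting it to an online MD5 lookup site gives the password: ohhWh04m1
Extracting the archive gives a flag file. In the hex editor it turns out to be a PNG file, yet it will not open.
Delete the first line, the PNG file header, then save the result as flag.png.
Use gimp to recover it, but flag.png has to be renamed to flag.data or gimp reports an error; I don't know why.
mv flag.png flag.data
gimp flag.data
This gives the flag image.
But the image doesn't look quite right; adjusting the width back and forth gives the flag: NSSCTF{607f41da-e849-4c0b-8867-1b3c74536cc4}
Challenge cleared.
[UTCTF 2020] Spectre
There is nothing much to say about this one, it's a free-points challenge: open it in Audacity and done.
I couldn't even be bothered to post the success screenshot…
[GFCTF 2021] pikapikapika
The challenge is a Pikachu image. Viewing it in hex shows an archive file inside, so save that out.
It needs an extraction password; looking at the original flag.jpg, there seems to be a pattern for the password.
Following the pattern gives the password: I_want_a_p1ka!
This gives an audio file.
Load it in Audacity and look at the waveform; there seem to be only two levels, high and low.
Normal audio can't have only these two, so I suspected binary digits: high for 1, low for 0.
Use a ready-made script from the internet to restore the data from the audio file.
But it seems the file header needs to be stripped first so that only the data part remains.
Run the script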
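f = open('flag.wav','rb').read()
flag = ''
# Each 2-byte sample is one bit: the low level (b'\x98:') is 0, anything else is 1
for i in range(len(f)//2):
    if(f[i*2:i*2+2] == b'\x98:'):
        flag += '0'
    else:
        flag += '1'
s = ''
rflag = ''
# Group the bit string into bytes and decode each byte as a character
for i in flag:
    s+=i
    if len(s)==8:
        rflag += chr(int(s,2))
        s=''
print(rflag)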
Waiting for it to run… (a long time)
Base64-decode the output and write it to a new file; the file command shows that it is a PNG file.
base64 -d flag > flagResult
file flagResult
flagResult: PNG image data, 653 x 155, 8-bit/color RGB, non-interlaced
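Download it to take a look.
The width and height of this image felt wrong, so I opened it on Linux to check.
OK, that confirms it; fix it with the script. The CRC script was posted above, so I won't post it again.
The collision yields the correct width and height.
Set the correct width and height to get the flag.
Challenge cleared.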