[羊城杯 2023]GIFuck

于 2024-09-08 19:45:53 发布
阅读量494 收藏 7
点赞数 5
分类专栏: CTF比赛WP 文章标签: CTF kali linux 网络安全 web安全 笔记 经验分享 羊城杯
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/weixin_73049307/article/details/142031781
版权

下载附件解压缩:

一个flag.gif文件

用PuzzleSolver拆分间隔帧:

这么多图片肯定没法一个个弄,用gif0.py跑一下:

import os
import hashlib
 
current_directory = os.getcwd()
 
for root, dirs, files in os.walk(current_directory):
    for i in range(1,1791):
        file_name = str(i)+".png"
        file_path = os.path.join(root, file_name)
        if os.path.isfile(file_path):
            with open(file_path, 'rb') as file:
                md5_hash = hashlib.md5()
                while True:
                    data = file.read(4096)  # 每次读取4KB
                    if not data:
                        break
                    md5_hash.update(data)
                if md5_hash.hexdigest() == "a6680292f0fc8a9796121447574de6ec":
                    print("+",end='')
                elif md5_hash.hexdigest() == "04b5ae733105563b238777baff564e17":
                    print("[",end='')
                elif md5_hash.hexdigest() == "f041b11363a41c0c7e1b755e45d908a3":
                    print("-",end='')
                elif md5_hash.hexdigest() == "7514082f25355bc663e015e6d51763af":
                    print(">",end='')
                elif md5_hash.hexdigest() == "06df41b1b5eea0485269b7178093d1ff":
                    print("<",end='')
                elif md5_hash.hexdigest() == "d4884cc21151c6e90acc351bf371935b":
                    print("]",end='')
                elif md5_hash.hexdigest() == "a53ffccc32e0aab29201cc8984fa9c7b":
                    print(".",end='')
                else:
                    print(f"File: {file_path} MD5: {md5_hash.hexdigest()}")

额,好像在windows上没法显示,还是用kali吧,首先要安装ffmpeg工具:

wget https://johnvansickle.com/ffmpeg/builds/ffmpeg-git-amd64-static.tar.xz

wget https://johnvansickle.com/ffmpeg/builds/ffmpeg-git-amd64-static.tar.xz.md5

tar xvf ffmpeg-git-amd64-static.tar.xz

在kali中新建flag文件夹和gif0文件夹,复制flag.gif粘贴到gif0文件夹中

进入到ffmpeg-git文件夹中,输入:

./ffmpeg -i /home/kali/Desktop/gif0/flag.gif /home/kali/Desktop/gif0/flag/%d.png

之后就可以看到在flag文件夹中生成了一堆png图片了

将gif0.py复制粘贴到flag文件夹

在终端中进入flag文件夹并且运行gif0.py文件就会生成一堆符号了:

等等先,这里明显不对劲,kali工具生成的符号比PuzzleSolver多了几百张:

好几个帧都是一张图片,然后PuzzleSolver只区分了不同,但kali中的工具是逐帧分析,我是想用PuzzleSolver得出的图片运行gif0.py得出字符的,但是已经试过windows中运行gif0.py是没法正常显示出字符,而且不知道为什么我想复制粘贴windows中的flag文件夹或者压缩成zip文件到kali去的时候,却弹出警告“kali未能执行文件传输源文件名和目标文件名的数目必须一致”,到这里我的心态其实有点崩溃了,但还是得做,找了个OCR批量识别工具:

但是批量OCR工具识别的不准确,所以还是得换别的思路来实现(真的艹了)

挂了代理去外网访问https://pablojorge.github.io/brainfuck/,粘贴kali得出的一堆字符++++[->++++<]>[->++++++<]>-[-

(这里省略大部分,避免影响观感)

点击“Start”后看到memory显示出结果:

复制粘贴到字符 编码/解码网站,进行十六进制解码:

调整一下flag的格式:

NSSCTF{Pen_Pineapple_Apple_Pen}

接下来用PuzzleSolver查看帧间隔:

times = ['240', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '360', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '1860', '60', '180', '60', '120', '60', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '120', '60', '180', '60', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '60', '180', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '60', '180', '60', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '180', '60', '120', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '60', '60', '120', '60', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '60', '180', '60', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '180', '60', '180', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '120', '60', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '180', '60', '180', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '180', '60', '180', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '120', '60', '120', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '180', '60', '180', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '120', '60', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '120', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '60', '120', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '60', '120', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '60', '60', '180', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '120', '60', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '120', '60', '180', '60', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '60', '120', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '60', '120', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '60', '60', '180', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '120', '60', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '180', '60', '180', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '120', '60', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '180', '60', '180', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '120', '60', '180', '60', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '240', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '60', '180', '60', '180', '60', '120', '540', '60', '60', '60', '540', '60', '60', '60', '120', '60', '60', '300', '60', '60', '60', '300', '60', '60', '60', '180', '60', '180', '120', '420', '60', '60', '540', '60', '60', '60', '540', '60', '60', '60', '480', '60', '60', '480', '60', '60', '60', '480', '60', '60', '60', '120', '60', '60', '240', '60', '60', '60', '240', '60', '60', '60', '180', '60', '60', '60', '60', '540', '60', '60', '60', '540', '60', '60', '60', '180', '60', '60', '540', '60', '60', '60', '540', '60', '60', '60', '480', '60', '60', '180', '60', '60', '60', '180', '60', '60', '60', '60', '60', '360', '60', '180', '60', '60', '540', '60', '60', '60', '540', '60', '60', '60', '60', '60', '60', '480', '60', '60', '60', '480', '60', '60', '60', '360', '60', '360', '60', '60', '180', '60', '60', '60', '180', '60', '60', '60', '120', '60', '360', '60', '60', '480', '60', '60', '60', '480', '60', '60', '60', '420', '60', '60', '480', '60', '60', '60', '480', '60', '60', '60', '540', '60', '60', '180', '60', '60', '60', '180', '60', '60', '60', '60', '60', '60', '540', '60', '60', '60', '540', '60', '60', '60', '120', '60', '60', '480', '60', '60', '60', '480', '60', '60', '60', '840', '60', '60', '60', '300', '60', '60', '540', '60', '60', '60', '540', '60', '60', '60', '180', '60', '60', '480', '60', '60', '60', '480', '60', '60', '60', '480', '60', '180', '60', '60', '180', '60', '60', '60', '180', '60', '60', '60', '240', '60', '60', '180', '60', '60', '60', '180', '60', '60', '60', '240', '60', '60', '420', '60', '60', '60', '420', '60', '60', '60', '360', '60', '60', '60', '60', '60']
strings = "+[->+<]>[->+<]>-[->+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+<]+<+<+[->+<]>[->+<]>[->-<]>[-<+>]+<+<+[->+<]>[->+<]>[->-<]>[-<+>]<+[->+<]>[->-<]>[-<+>]<+<+[->+<]>[->+<]>[->-<]>[-<+>]+<+[->+<]>[->-<]>[-<+>]+<+<+[->+<]>[->+<]>[->-<]>[-<+>]<+<+[->+<]>[->+<]>[->+<]>[-<+>]+<+[->+<]>[->-<]>[-<+>]+<+[->+<]>[->+<]>[-<+>]+<+[->+<]>[->+<]>[-<+>][->+<]>[-<+>]+<+[->+<]>[->-<]>[-<+>]+<+[->+<]>[->+<]>[-<+>]+<+[->+<]>[->+<]>[-<+>]+<+[->+<]>[->+<]>[-<+>]+[->+<]>[-<+>]+<+[->+<]>[->+<]>[->+<]>[-<+>]+<+[->+<]>[->+<]>[->+<]>[-<+>]+<+[->+<]>[->+<]>[-<+>]+<+[->+<]>[->+<]>[-<+>][->+<]>[-<+>]+<+<+[->+<]>[->+<]>[->-<]>[-<+>]+<+[->+<]>[->+<]>[->+<]>[-<+>]+<+[->+<]>[->+<]>[->+<]>[-<+>]+<+[->+<]>[->+<]>[-<+>]+<+[->+<]>[->+<]>[-<+>][->+<]>[-<+>]+<+[->+<]>[->-<]>[-<+>]+<+[->+<]>[->+<]>[-<+>]+<+[->+<]>[->+<]>[-<+>]+<+<+[->+<]>[->+<]>[->+<]>[-<+>]<+[->+<]>+.<+[->+<]>+.+.+.<+[->-<]>-.<+[->+<]>+.<+[->+<]>+.-.<+[->-<]>-.<+[->+<]>+.<+[->-<]>-.+.-.<+[->-<]>-.<+[->+<]>+.+.<+[->-<]>-.+.<+[->-<]>-.<+[->+<]>+.<+[->+<]>+.<+[->-<]>-.<+[->+<]>+.+.+.<+[->-<]>-.<+[->+<]>+.-.<+[->+<]>+.<+[->-<]>-.<+[->-<]>-.[-]<"

out = ''
for i in range(len(times)):
    out += strings[i] * ((int(times[i]))//60)
print(out)

将得到的信息编写成gif.py脚本,这里太累了,实在是不想继续弄了,就这样完结吧

南暮思鸢
关注
专栏目录
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值