你说爱我?尊嘟假嘟
你说爱我 -> ook. 尊嘟 -> ook! 假嘟 -> ook?
ook在线解密Brainfuck/Ook! Obfuscation/Encoding [splitbrain.org]
base64得到flag
ISCTF{9832h-s92hw-23u7w-2j8s0}
小蓝鲨的秘密
zip伪加密,放010把四个14 00 09 00改成 14 00 01 00后面保存
解压得到flag.txt 和 小蓝鲨.png
图片放进kali中无法正常显示缩略图说明宽高有问题
使用crc爆破脚本爆破图片正确宽高
#只爆破宽度
import os
import binascii
import struct
#爆破宽高
import struct
crcbp = open(r"C:\Users\abc\Desktop\workbench\小蓝鲨.png","rb").read() # 打开图片= open("C://Users//abc//Desktop//flag.png","rb").read()
crc32frombp = int(crcbp[29:33].hex(), 16) # 读取图片中的CRC校验值
print(crc32frombp)
for i in range(4000): # 宽度1-4000进行枚举
for j in range(4000): # 高度1-4000进行枚举
data = crcbp[12:16] + \
struct.pack('>i', i) + struct.pack('>i', j) + crcbp[24:29]
crc32 = binascii.crc32(data) & 0xffffffff
# print(crc32)
if (crc32 == crc32frombp): # 计算当图片大小为i:j时的CRC校验值,与图片中的CRC比较,当相同,则图片大小已经确定
print(i, j)
print('hex:', hex(i), hex(j))
exit(0)
#output:1668 1667
010修改图片宽高
得到原图
结合flag.txt AES解密 key为15CTF2023
flag:ISCTF{2832-3910-232-3742-7320}(解不出来就多换几个工具或者网站)
杰伦可是流量明星
010发现mp3文件实际上为rar,改文件后缀为rar
wireshark追踪tcp流 搜索flag字符串
或者kali直接strings 字符串
URL解码(不知道mp3有什么用)
ISCTF{wddhr836459_83}
easy_zip
爆破得到压缩包密码
解压查看文件得到flag
ISCTF{4e0e78ba-072a-468f-b07c-36c2ec582a6f}
蓝鲨的福利
010一眼修补png文件头
保存改文件后缀为png得到flag
ISCTF{blueshark_welcome_you}
ez_misc
key5在底下的备注里
解压得到图片补齐文件头
图片看着唬人实际上就是QR码能直接扫出来
ISCTF{5e093f8a-6b8c-4fa5-b9f7-0ae3b6b0da56}
spalshes
猜谜猜不出来就直接爆破
ISCTF{8374-su23-9s7e-237s-js65-55sg}
PNG的基本食用
part1.png修改图片宽高,流程同上
part2.png lsb查看
part3.png 010直接查看
合起来得到flag
ISCTF{png-is-so-ez-for-you}
小猫
stegsolve BGR通道能得到错误的jpg文件
修复文件头得到社会主义核心价值观的图
按照图片左上角的坐标一一对应
MCSMO-猫猫
QQ群发送 “flag我来啦” 机器人回复一串消息
用Vscode打开能看到零宽字符
按照零宽字符选择对应的模式
Unicode Steganography with Zero-Width Characters
ISCTF{[o]F0oO.LliI_Bu_D4Ng_r3N}
镜流
经典爆破
得到图片和hint:把图片缩小十倍
kali使用convert工具
得到一张新的图
stegsolve 000通道得到新的png图片,save bin保存
ISCTF{JINGLIU_IS_SO_COOL}
stream
导出对象可以看出来sql盲注
一心不可二用
文件后缀改为.zip
/res/drawable目录下找到flag.zip
百度这个备注得到报错类型为SyntaxError,作为解压码打开文件
ISCTF{Err0R_is_no7_ex1ste9}
小白小黑
题目描述:小白说:zo23n,小黑说:f5s7e
联想题目名字依稀能看出是二维码
猜测白色为:zero one 2 3 nine
黑色为:four 5 six 7 eight
01239替换为空格
PS自由变化
ISCTF{5c136b05-f165-4b60-99c2-d6bcc5c19d39}
张万森,下雪了
解压出的dic.txt作为字典文件爆破出压缩包密码
打开flag.txt发现大量空格,结合题目名字猜测为snow隐写
tip.txt内容进行17次base64解码后字频统计得到
ISCTFZ023daGYXpJmbNxMcEjn5BeoOQy4D9q6PA
以ISCTFZ023为key进行snow隐写
ISCTF{34da-a87s-sk87-s384-3982-398233}
ezusb
tshark -r usb.pcapng -T fields -Y "bluetooth" -e btatt.value | sed '/^\s*$/d' > blue.txt
tshark读取蓝牙流量得到blue.txt,手动删除多余的01,03字符
knm提取usb流量得到usbdata.txt
脚本去除多余字符
usbdata = open(r"C:\Users\abc\Desktop\usbdata.txt",'r').read().split('\n')
for i in range(len(usbdata)):
data = usbdata[i][2:18]
print(data)
结果和blue.txt手动拼接
键盘流量脚本得到明文
normalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e", "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j", "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o", "13":"p", "14":"q", "15":"r", "16":"s", "17":"t", "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y", "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4", "22":"5", "23":"6","24":"7","25":"8","26":"9","27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\","32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".","38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
shiftKeys = {"04":"A", "05":"B", "06":"C", "07":"D", "08":"E", "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J", "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O", "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T", "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y", "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$", "22":"%", "23":"^","24":"&","25":"*","26":"(","27":")","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":"\"","34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
nums = []
keys = open(r"C:\Users\abc\Desktop\blue.txt")
for line in keys:
if len(line)!=17: #首先过滤掉鼠标等其他设备的USB流量
continue
nums.append(line[0:2]+line[4:6]) #取一、三字节
keys.close()
output = ""
for n in nums:
if n[2:4] == "00" :
continue
if n[2:4] in normalKeys:
if n[0:2]=="02": #表示按下了shift
output += shiftKeys [n[2:4]]
else :
output += normalKeys [n[2:4]]
else:
output += ''
print('output :' + output)
output :<CAP>aggsz{k<CAP>p_wn_<CAP>yrv<CAP>_so<DEL><DEL>sov_je<DEL>mzus<DEL><DEL><DEL>fyffjs!!b<DEL>!}
<cap> -> 大写 <del> -> 删除
删除的内容“soezusb"为key,剩余"Aggsz{Kp_wn_YRV_sov_jmfyffjs!!!}”为明文维吉尼亚解密
ISCTF{So_ez_USB_and_vigenere!!!}
Beyond Hex, Meet Heptadecimal
table = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
data = "ID71QI6UV7NRV5ULVJDJ1PTVJDVINVBQUNT"
flag=""
for i in data:
flag+=bin(table.index(i))[2:].zfill(5)
for i in range(int(len(flag)/7)):
ascii_value = int(flag[i * 7:i * 7 + 7], 2)
print(chr(ascii_value), end="")
DISK
参考https://www.cnblogs.com/WXjzc/p/16702647.html
首先win+x磁盘管理挂载磁盘
然后使用X-ways打开磁盘
在/$Extend/$UsnJrnl路径下找到$J
选择恢复/复制 导出内容
使用NTFS Log Tracker工具将日志文件解析并生成数据库
将数据库导入DB Browser for SQLite
from Crypto.Util.number import *
a = 1230193492
b = 1182487903
c = 1918846768
d = 811884366
e = 1413895007
f = 1298230881
g = 1734701693
print(long_to_bytes(a)+long_to_bytes(b)+long_to_bytes(c)+long_to_bytes(d)+long_to_bytes(e)+long_to_bytes(f)+long_to_bytes(g))
ISCTF{U_r_G00d_NTFS_Manager}