misc

babyflash

Description

Recently my younger brother learnt how to make a flash. Here’s his first work.

File: 823081f554a741199bec9a03c2653df0.zip (contains one swf file)

Analyze

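1. Extract the contents of the SWF file

2. MP3 steganography

3. Convert the binary stream into a QR code

Detailed analysis:

1. Use an SWF extractor to pull the contents out of the swf file (note: since I downloaded the tool from some random website, I did not dare to run it on the host machine, so I downloaded the software and dropped it into a Windows XP virtual machine to run it). Result:

Found: one MP3 file and 441 PNG files (441 = 21 * 21, which is the key point). Export the MP3 file (the images are not needed; this is explained later).

2. Work on the MP3 file. This is an old trick that has appeared in other CTF competitions.

Method: open the MP3 file in Audacity and view the spectrogram, which shows:

This gives the second half of the flag: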

&_the_rest}

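3. Now that we have the second half of the flag, the remaining half must be hidden in the PNG images.

Failed attempt: I exported all the PNG images and compared them, and found that their contents are exactly identical... a dead end.

Successful approach: look closely at the number of PNG files, 441, which is a perfect square, and that suggests a QR code. But a QR code needs black/white data (a stream of 1s and 0s), so where is it? After a hint from a teammate, I found:

Isn't this exactly the data stream we are looking for!

But the problem now is how to get the 441 values out. Because of my skill level, I recorded them by hand, which is embarrassing...

Next, how do we convert the binary stream into a black-and-white grid?

My method: use MATLAB, which has the operations for rendering a black-and-white grid built in.

Then the QR code can be generated.

First half of the flag: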

*ctf{half_flag_&

Solve

MATLAB script:

clear all;close all;clc

flag=[0,0,0,0,0,0,0,1,1,0,0,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,0,1,1,0,0,0,1,1,0,1,1,1,1,1,0,0,1,0,0,0,1,0,1,0,1,0,0,1,1,0,1,0,0,0,1,0,0,1,0,0,0,1,0,1,1,0,1,1,0,1,0,1,0,0,0,1,0,0,1,0,0,0,1,0,1,1,0,1,0,0,1,0,1,0,0,0,1,0,0,1,1,1,1,1,0,1,1,0,0,1,1,1,0,1,1,1,1,1,0,0,0,0,0,0,0,0,1,0,1,0,1,0,1,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,0,1,0,1,0,1,1,1,1,1,1,1,1,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,1,1,1,0,1,1,0,0,1,0,0,1,1,0,0,1,0,0,0,1,0,0,0,0,1,0,0,0,1,0,0,1,0,0,0,0,1,1,0,0,1,0,0,0,0,1,0,0,1,0,1,1,0,1,1,1,0,0,1,1,1,1,1,1,1,1,1,0,0,0,0,0,1,0,1,0,1,1,1,1,1,0,1,1,1,0,0,1,1,1,1,1,1,1,1,1,1,1,0,1,0,0,0,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,1,1,0,0,1,0,1,0,0,1,1,1,1,1,0,1,0,0,1,0,1,1,1,0,1,1,1,0,1,0,1,0,0,0,1,0,1,0,1,0,0,1,0,0,1,1,1,1,1,0,0,1,0,0,0,1,0,1,1,0,1,0,0,1,0,0,0,1,1,1,1,0,1,0,0,0,1,0,1,0,0,1,0,0,0,1,0,0,1,1,1,0,0,1,1,1,1,1,0,1,0,1,0,0,0,1,1,1,0,1,1,0,1,0,0,0,0,0,0,0,1,0,0,1,0,0,1,1,1,1,0,1,0,0]
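h=21;   % QR code height in modules
w=21;   % QR code width in modules
img=zeros(h,w);   % 0 is displayed as black
count=1;
% Fill the grid row by row from the recorded bit stream
for y=1:h
    for x=1:w
        if flag(count)==1
            img(y,x)=1;   % 1 is displayed as white
        end
        count=count+1;
    end
end
imshow(img)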

flag:

*ctf{half_flag_&&_the_rest}

otaku

Description

One day, you and your otaku friend went to the comic expo together and he had a car accident right beside you. Before he died, he gave you a USB hard disk which contained this zip. Please find out his last wish.

File: 82598457d27f4149a96e2cc38f49c873.zip

Hint

The txt is GBK encoding.

Analyze

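1. ZIP pseudo-encryption

2. ZIP known-plaintext attack

3. LSB steganography in the PNG image (RGB)

Detailed analysis:

1. Open the challenge file with Notepad++ (or any other hex viewer) and inspect the file header:

Conclusion: the zip file is not actually encrypted, yet extracting it directly asks for a password, so this is pseudo-encryption. It can be defeated with the method described in the ZIP pseudo-encryption link above.

Extraction succeeds and yields Anime_Intro.doc and flag.zip.

2. Trying to extract flag.zip (which contains two files, last words.txt and flag.png) prompts for a password.

flag.zip carries a comment: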

Compression software: WinRAR version 5.70 beta 2
Configuration: zip archive (low compression ratio)
Compression method: standard

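Repeating step 1 shows that this one is not pseudo-encryption. I tried numeric brute force and weak-password brute force, with no result. Opening Anime_Intro.doc shows a passage in English. Since I have not passed the CET-6 English exam yet, I had no choice but to copy it out and paste it into a translation tool, as follows: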

Violet is a soldier in the Leidenschaftlich Army who served under Major Gilbert Bougainvillea, who she was utterly devoted to. However, Violet is injured after a mission which resulted in the loss of her arms, requiring them to be replaced with prosthesis. Colonel Hodgins, an old acquaintance of Gilbert, arrives to pick up Violet. He explains to Violet that the war they were fighting has ended and peace has come, though he is unwilling to tell Violet what happened to Gilbert. They leave for the capital city of Leiden, where Gilbert had already arranged for Violet to be adopted by the Evergarden family. However, Violet cannot adjust to civilian life due to her military indoctrination. Hodgins then decides to show Violet his business, the CH postal company which acts as a private mail and ghostwriting service and hires her as a postal worker. She then witnesses the Auto Memory Dolls of the ghostwriting department writing a letter for an illiterate man who wants to proclaim his love to someone. Violet then remembers that "I love you " were the last words Gilbert I-the-almighty-quiz-maker had told her. Wanting to know the meaning of the words, Violet asks Hodgins for her to join the ghostwriting department. Impressed that Violet has finally shown signs of acting on her own free will instead of on someone else's orders, Hodgins accepts Violet's request despite her not being an Auto Memory Doll.

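Note the “I love you” passage in it, because it differs from the original text. The original:

Going back to what was mentioned above: flag.zip contains a file named last words.txt, and there is also the hint "The txt is GBK encoding.", so a bold guess is a known-plaintext attack, where the plaintext is the passage that corresponds to “I love you”. Build last words.txt according to the hint, then compress last words.txt with the same compression tool the challenge used (WinRAR, as the flag.zip comment shows). Details such as whether to include the quotation marks have to be tested yourself; the end result must make the crc32 in your zip identical to the one in flag.zip.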

crc32:

ZA066FEC

last words.txt:

Hello everyone, I am Gilbert. Everyone thought that I was killed, but actually I survived. Now that I have no cash with me and I’m trapped in another country. I can't contact Violet now. She must be desperate to see me and I don't want her to cry for me. I need to pay 300 for the train, and 88 for the meal. Cash or battlenet point are both accepted. I don't play the Hearthstone, and I don't even know what is Rastakhan's Rumble.

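Run the known-plaintext attack; the tool ARCHPR is enough. Final result:

Use this password to extract flag.zip, which yields flag.png.

3. Open the image with Stegsolve, the go-to tool for analyzing an image's RGB channels. It is the usual LSB steganography routine, as shown: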

Solve

flag:

*ctf{vI0l3t_Ev3rg@RdeN}
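
Step 1 of the otaku analysis decides by reading the headers that the outer archive is pseudo-encrypted. The script below is an added example, not part of the original write-up, that automates that check: it walks the central directory and reports an entry as pseudo-encrypted when the "encrypted" flag bit is set but the payload still decodes to the recorded CRC32. It assumes a single-disk, non-ZIP64 archive; the sample archive, the name sample.txt and the XOR-scrambled stand-in for real ciphertext are constructed for the demonstration.

```python
import io, struct, zipfile, zlib

def cd_start(blob):
    """Offset of the first central-directory header, taken from the EOCD record."""
    eocd = blob.rfind(b"PK\x05\x06")
    return struct.unpack_from("<I", blob, eocd + 16)[0]

def payload_span(blob, cd):
    """(local header offset, data start, data size) for the directory header at cd."""
    csize, = struct.unpack_from("<I", blob, cd + 20)
    lho, = struct.unpack_from("<I", blob, cd + 42)
    nlen, elen = struct.unpack_from("<HH", blob, lho + 26)
    return lho, lho + 30 + nlen + elen, csize

def audit(blob):
    """Map each entry name to 'plain', 'encrypted' or 'pseudo-encrypted'."""
    verdicts, cd = {}, cd_start(blob)
    while blob[cd:cd + 4] == b"PK\x01\x02":
        flags, method, _, _, crc, _, _, nlen, elen, clen = struct.unpack_from("<HHHHIIIHHH", blob, cd + 8)
        lho, start, size = payload_span(blob, cd)
        data = blob[start:start + size]
        try:  # decode the payload as if no cipher had been applied
            raw = zlib.decompressobj(-15).decompress(data) if method == 8 else data
        except zlib.error:
            raw = None
        readable = raw is not None and zlib.crc32(raw) == crc
        flagged = (flags | blob[lho + 6]) & 1  # bit 0 of either header: "entry is encrypted"
        name = blob[cd + 46:cd + 46 + nlen].decode("cp437")
        verdicts[name] = ("pseudo-encrypted" if readable else "encrypted") if flagged else "plain"
        cd += 46 + nlen + elen + clen
    return verdicts

def make_sample(set_flag=False, scramble=False):
    """Constructed archive; scramble XORs the payload as a stand-in for ciphertext."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("sample.txt", "constructed sample text\n" * 20)
    blob = bytearray(buf.getvalue())
    cd = cd_start(blob)
    if set_flag:
        blob[cd + 8] |= 1  # set only the central-directory flag bit
    if scramble:
        _, start, size = payload_span(blob, cd)
        blob[start:start + size] = bytes(b ^ 0xA5 for b in blob[start:start + size])
    return bytes(blob)

if __name__ == "__main__":
    for kw in ({}, {"set_flag": True}, {"set_flag": True, "scramble": True}):
        print(kw, audit(make_sample(**kw)))
```

An entry reported as "encrypted" here, like flag.zip in step 2, is one whose flag and payload agree, so the header check alone will not open it.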