2024年春秋杯网络安全联赛冬季赛

misc

See anything in these pics?

题目描述:

TBH THERE ARE SO MANY PICS NOT ONLY JUST 2 PIC

下载附件

Aztec码扫描得到压缩包密码

在线阅读Aztec条码

解压压缩包得到

foremost分离

宽高一把梭

最后flag为

flag{opium_00ium}

ez_forensics

题目描述：

简单的内存取证

Rstudio打开文件，找到txt文件和7z文件

导出到本地文件

hint.txt

60 = ( ) + ( )

W@S Q9@S=5 RPW 92Q95S>N 7@P R96 N2QQU@P5 @7 R96 sXa

ROT47+ROT13

使用LovelyMem Vol2-拓展功能-Mimikatz得到密码strawberries

解压压缩包得到MobaXterm的配置文件

御宛杯原题（看我博客）

御宛杯misc复现 | 郑心怡天天开心

最后flag为

flag{you_are_a_g00d_guy}

简单镜像提取

题目描述：

RR_studio

下载附件

foremost分离

r-studio打开磁盘文件

最后flag为

flag{E7A10C15E26AA5750070EF756AAA1F7C}

压力大，写个脚本吧

题目描述：

爆破

下载附件

压缩包套娃，密码需要base解密 注意文件名也变了,PASSWORD+PASSWORD.png，猜测为将所有密码进行组合，得到最终的图片

exp:

import base64
import zipfile

z = zipfile.ZipFile("C:\\Users\\23831\\Desktop\\zip_100-20250119154702-r5f3vna\\zip_99.zip")
pa = base64.b64decode(open("C:\\Users\\23831\\Desktop\\zip_100-20250119154702-r5f3vna\\password_99.txt", "rb").read())
pass_list = [pa]

while True:
    zi = None
    pa_ = None
    if len(z.filelist) != 2:
        break

    for f in z.filelist:
        if f.filename.endswith(".txt"):
            pa_ = z.extract(f.filename, pwd=pa)
        elif f.filename.endswith(".zip"):
            f = z.extract(f.filename, pwd=pa)
            zi = zipfile.ZipFile(f)

    pa = base64.b64decode(open(pa_, "rb").read())
    print(pa_, pa, z, zi)
    z = zi
    pass_list.append(pa)
    pass
open("C:\\Users\\23831\\Desktop\\zip_100-20250119154702-r5f3vna\\pw.bin", "wb").write(b''.join(pass_list[::-1]))

运行得到bin文件

010查看文件

8950一眼png文件，赛博厨子一把梭

扫描二维码得到

最后flag为

flag{_PASSWORDs_is_fl@g!_}

简单算术

题目描述:

想想异或

下载附件

ys~xdg/m@]mjkz@vl@z~lf>b

赛博厨子爆破xor

最后flag为

flag{x0r_Brute_is_easy!}

NetHttP

题目描述:

在凌晨一两点，公司内网有一台私人服务器被入侵，攻击者非常挑衅的留下了明显的痕迹。

下载附件，过滤http

模板注入

http追踪流

这种就是模板注入成功的

过滤

http contains "Welcome rce"

导出分组

查看rce.txt

看到这个/app/secret/mw/m5

提取

if [ $(cat /app/secret/mw/m5|base64 -w 0| awk NR==1 | cut -c 1) == 'U' ]; thenecho"rce";fi
if [ $(cat /app/secret/mw/m5|base64 -w 0| awk NR==1 | cut -c 2) == 'z' ]; thenecho"rce";fi
……
if [ $(cat /app/secret/mw/m5|base64 -w 0| awk NR==1 | cut -c 229) == 'P' ]; thenecho"rce";fi
if [ $(cat /app/secret/mw/m5|base64 -w 0| awk NR==1 | cut -c 230) == 'Q' ]; thenecho"rce";fi
if [ $(cat /app/secret/mw/m5|base64 -w 0| awk NR==1 | cut -c 231) == '=' ]; thenecho"rce";fi
if [ $(cat /app/secret/mw/m5|base64 -w 0| awk NR==1 | cut -c 232) == '=' ]; thenecho"rce";fi

UzBJM2lXaHZzektiT00vT2FsS1RBMGZwbTVPNWNoVlZuWUd5S2Q1blY0ZXJBelJiVjZWNnc4Yi9VaU9mUUVjM0lqaDAwaEZqWUZVMUhheE51YjlHbmxQUy9sY2FtNW1BVGtmMnNKUzZKZ3BKbzZBU2hWUnhXRFlLS3JvamVVZUJaajVNRVBJOC80REdHR3VIRnhteDJieEFhaGREZTFjR25qVFpHV09OcE5JPQ==

base解密

S0I3iWhvszKbOM/OalKTA0fpm5O5chVVnYGyKd5nV4erAzRbV6V6w8b/UiOfQEc3Ijh00hFjYFU1HaxNub9GnlPS/lcam5mATkf2sJS6JgpJo6AShVRxWDYKKrojeUeBZj5MEPI8/4DGGGuHFxmx2bxAahdDe1cGnjTZGWONpNI=

发现private3.pem文件

用openssl解密得到私钥

openssl rsa -in 1.pem -out 2.pem

私钥

-----BEGIN RSA PRIVATE KEY-----
MIICWwIBAAKBgGsWCFOw+ZSJ3SAS7m0UcsCWYgEPdEIkY7hwCLMspGuvVpdZ/SuF
vf4YzQ3iOQT9eKAA0pjqiypo/J8NsG5NJg2dCm1n093gsbbRqKZTBKAqios0zHRx
nuzFGivQNgiiBzrB0IZKQJsC3A8za2y4PZ8dIYz1A3n6sAp9auwfyEDzAgMBAAEC
gYBEGkP7ba6cH71IW6HUL0/3WOxE/l4SfnAI6P8va/G5Jk5sfOd8WVcGFSG7daaL
nOOs5jkI1QjiVNhsEtmknF3ZMfBZtWECas28XGeKBAP3+uhPfeetLpt0UbGuw1is
DXSHFOMLpMn4MeXyC6IrhPE4Yxtt1W96Azs2iIcgq3DuuQJBAKWSY8ZjJNAAfGVJ
ISKsPtoA+DeUj4rGnvmhXy4C7deB+FcEmcZdpEbO8oWRpebKRZcXaLcpt2Ev99Gm
N//txj0CQQClkmPGYyTQAHxlSSEirD7aAPg3lI+Kxp75oV8uAu3XgfhXBJnGXaRG
zvKFkaXmykWXF2i3KbdhL/fRpjf/7cbvAkEAn9gyJwb0NTMi5Q2yxayQiRrCh7YO
1iVmuQ0HvH3rbFD3ldrFMnKY9Bs6m6S/C45fnLxmxd2qQlNy5p2YFqZQ6QJAfotR
GKpj01nbuWnYGnD9JI+DJq+zucQucupEHZ19fK3ISXGpufON/9RhhXaZDrhf0afB
j+QhVPVdee2JdWCdHwJAL3BqQAhFg4GT0jvIxla+l6FbQNLVtiTF/5z6MSNbKCxt
/CsGqnP/m3qTJkUOdHZb2VAOLrn5kzdzlqy/gWr1NA==
-----END RSA PRIVATE KEY-----

赛博厨子一把梭

最后flag为

flag{343907d2-35a3-4bfe-a5e1-5d6615157851}

Weevil’s Whisper

题目描述:

Bob found that his computer had been hacked. Fortunately, he was using wireshark to test packet capture before the hack. Would you please analyze the packet and find out what the hacker did

下载附件，http追踪流

weevely的webshell

文章 - weevely的webshell分析以及冰蝎/蚁剑免杀-PHP版 - 先知社区

尝试到这个

exp:

import base64
import zlib
# 假设 x 是一个自定义的解密函数，这里用 lambda 表示
# 你需要根据实际情况替换 x 的实现
x = lambda data, key: bytes([data[i] ^ key[i % len(key)] for i in
range(len(data))])
# 假设 m 是一个包含 base64 编码数据的列表，k 是密钥
m = ["Sap6risomCodHP/PqrQaqvueeU+wURkueAeGLStP+bQE+HqsLq39zTQ2L1hsAA=="] 
k = b"161ebd7d" # 替换为实际的密钥
# 解码 base64
decoded_data = base64.b64decode(m[0])
# 使用自定义函数 x 进行解密
decrypted_data = x(decoded_data, k)
# 解压缩数据
uncompressed_data = zlib.decompress(decrypted_data)
print(uncompressed_data)

运行得到

最后flag为

flag{arsjxh-sjhxbr-3rdd78dfsh-3ndidjl}

pixel_master

题目描述:

你是像素高手吗

下载附件

黑 1 白 0 读取二进制，转换十六进制

exp:

from PIL import Image

image = Image.open("C:\\Users\\23831\\Desktop\\flag.png")
img_chucks = []
for x in range(image.size[0]):
    for y in range(image.size[1]):
        pixel = image.getpixel((x, y))
        img_chucks.append("1" if pixel == (0, 0, 0) else "0")

img_chuck = [
    int(''.join(img_chucks[chuck_iv:chuck_iv + 8]), 2).to_bytes()
    for chuck_iv in range(0, len(img_chucks), 8)
]
with open("C:\\Users\\23831\\Desktop\\flag1.png", "wb") as f:
    f.write(b''.join(img_chuck))

得到

发现该图片第一行只有黑、红、绿、蓝三色，并且下方所有内容都只由该四颜色组成，猜测是四进制编码

exp:

from PIL import Image



image = Image.open("C:\\Users\\23831\\Desktop\\flag1.png")
img_chucks = []
for y in range(1, image.size[1]):
    for x in range(image.size[0]):
        pixel = image.getpixel((x, y))
        if pixel == (0, 0, 0):
            img_chucks.append("0")
        elif pixel == (255, 0, 0):
            img_chucks.append("1")
        elif pixel == (0, 255, 0):
            img_chucks.append("2")
        elif pixel == (0, 0, 255):
            img_chucks.append("3")
img_chuck = [
    int(''.join(img_chucks[chuck_iv:chuck_iv + 4]), 4).to_bytes()
    for chuck_iv in range(0, len(img_chucks), 4)
]
with open("C:\\Users\\23831\\Desktop\\flag2.png", "wb") as f:
    f.write(b''.join(img_chuck))

运行得到

补全汉信码

扫描汉信码得到flag

最后flag为

flag{08f87707-f4c6-46cd-aaf6-8fbdd655d5cd}

Infinity

题目描述:

Infinity comes from the Latin word infinitas, meaning "without boundaries".

hint：

BASE58-Ripple、SM4-ECB

下载附件

foremost分离得到压缩包

解压压缩包发现什么后缀类型都有，发现压缩包名字类似编码，gpt整个脚本得到结果

['zMjiQdMYLHK', '6c69b2nqwz2', 'iYMtivbWMUH', 'xi9d6pw4mLY', 'YHtMsKZ9wuX', 'Kbwk4at4AHj', 'dRPuEdHCG4d', '3gR1bg5U8YN', 'JNoFPxJCSQV', 'q5yn3gHbKg6', 'Avpr7Kpj8sD', 'am3p4WHR3fi', 'fpgyMHpeAgV', 'acz8HEJyvgf', 'dCVcJepagGR', 'B7EsL11wcuv', 'yXwZGh3ot37', 'xqstfWn6LHt', 'XEbjV2pKJeH', 'trjrMMjCFDZ', 'RPg6RNirwd1', '1zXsXaQaq9e', 'uJcvgotRUjp', 'YRYWbKB6A25', 'qtQiwA4Gf8Q', 'jfHDyccqkRV', 'jtoMp8SvPf9', 'cR3iiRvwKyE', 'ypi7FVfi2Fw', 'xdUw3wh8tor', 'JsdXXeVLKMd', 'zgiE7geiPvF', 'tfA9qEAsqV7', 'vqk7JncqDHo', 'EDPrsUByKTp', 'vypAjmuQxya', 'NF9GU22MxYL', 'DZDrbqGyaLQ', 'rhaqP5Kn26C', 'C44egaMVpYJ', 'SN4irp67f4K', 'Lv9LpD3WSHq', 'KgJAtGV7KtU', 'Q3MjJ8duxA8', 'CwuadryMdku', 'asrZXj3c9YD', 'Q1Nf7LbXKvz', 'AXye64M1JNN', 'Uks3yrzaPJo', 'UjXqkveanCg', 'LHqaXutHiQM', 'side1jYU2mN', 'uBpjTuZb4mT', 'zKcoamcw6qD', '7PeWL7qGBeB', 'zzEKG4G51Q4', '3EF4125LwYQ', 'eAS721ji7e9', 'M8Lmf8CU315', 'v3unatngTkG', 'LFUGkFuhAmv', 'nvaaCKPS7M3', 'J8XSjdh9ofR', 'FpX8xHdTUBo', 'QutbHXE8uYL', 'Faibrg5ohzA', 'brhPjhSdH2A', 'ei1X3ztdQPx', 'H1rm2PHhm2q', 'QazwAuJDk9L', 'Lg3csdtRiTX', 'b1qmeYoUmud', 'RWkTTgxUf6g', 'd53ckZZj9Bi', 'gJrG5jQfNQ9', 'RfRAhDFBreF', 'U1nLXdyXLnm', 'iVtD6s7Gtb4', 'qXVaLtuRCtF', 'yNW5yu2zyqa', 'SdpXLjfPQxB', '3vzvqCzeDjF', 'yaUMKQS4Nsf', 'BNmiYfRK95E', 'rWieUL24eL2', '8UzqnH65fhe', 'vYKzvN461Hq', '43Pw8vDDMcJ', 'wy4tjLhtFCk', 'Lvj8YUoZaWD', 'DTKgRvTPzrK', '8bzxbsbUMg1', 'mxYTZdt3KH2', 's5nzUHP1xBE', '9E8fknBQ5d5', 'ezC5sRwk412', 'eEEhKv2qohJ', 'Z3gW8JGczKZ', 'Vqh6ks9aXhx', 'DgNyJMANRqm', 'LYZakCKVjv5', 'fqdJRsy2NXJ', 'cXSmsbmaxoE', 'CWzoAaQrY8B', 'AVZHSVbmFb5', 'JACanfgDv3E', 'xPNmMNCdoe4', 'rN4Wg8hX2Bx', 'rNFhP27NxFS', 'HUx57o7LHre', '1NDheyJvG8j', 'iE7i5xmse7E', 'Y5oq1fyCcNk', 'B9bFiXj8rb1', 'CMtbBWUdTP3', 'QifiuAtYdNH', '1bYWx4YRfH3', 'JPFGHfGRaYX', '5jHQz5upm9f', '1qtnyM32bYL', 'CXotjV6FSFa', 'jeaEG3RG6ts', 'VNBZD8scRnE', 'HTaP8qM67cH', '9SzHC6sNeuM', 'qn1nAWUWY4X', '2BW7EUjDg1x', 'PsJvpzLrucb', 'CqdBnN9XKvC', '9oW3fdLYY96', 'nFQwYN4vUki']

逆序得到

nFQwYN4vUki9oW3fdLYY96CqdBnN9XKvCPsJvpzLrucb2BW7EUjDg1xqn1nAWUWY4X9SzHC6sNeuMHTaP8qM67cHVNBZD8scRnEjeaEG3RG6tsCXotjV6FSFa1qtnyM32bYL5jHQz5upm9fJPFGHfGRaYX1bYWx4YRfH3QifiuAtYdNHCMtbBWUdTP3B9bFiXj8rb1Y5oq1fyCcNkiE7i5xmse7E1NDheyJvG8jHUx57o7LHrerNFhP27NxFSrN4Wg8hX2BxxPNmMNCdoe4JACanfgDv3EAVZHSVbmFb5CWzoAaQrY8BcXSmsbmaxoEfqdJRsy2NXJLYZakCKVjv5DgNyJMANRqmVqh6ks9aXhxZ3gW8JGczKZeEEhKv2qohJezC5sRwk4129E8fknBQ5d5s5nzUHP1xBEmxYTZdt3KH28bzxbsbUMg1DTKgRvTPzrKLvj8YUoZaWDwy4tjLhtFCk43Pw8vDDMcJvYKzvN461Hq8UzqnH65fherWieUL24eL2BNmiYfRK95EyaUMKQS4Nsf3vzvqCzeDjFSdpXLjfPQxByNW5yu2zyqaqXVaLtuRCtFiVtD6s7Gtb4U1nLXdyXLnmRfRAhDFBreFgJrG5jQfNQ9d53ckZZj9BiRWkTTgxUf6gb1qmeYoUmudLg3csdtRiTXQazwAuJDk9LH1rm2PHhm2qei1X3ztdQPxbrhPjhSdH2AFaibrg5ohzAQutbHXE8uYLFpX8xHdTUBoJ8XSjdh9ofRnvaaCKPS7M3LFUGkFuhAmvv3unatngTkGM8Lmf8CU315eAS721ji7e93EF4125LwYQzzEKG4G51Q47PeWL7qGBeBzKcoamcw6qDuBpjTuZb4mTside1jYU2mNLHqaXutHiQMUjXqkveanCgUks3yrzaPJoAXye64M1JNNQ1Nf7LbXKvzasrZXj3c9YDCwuadryMdkuQ3MjJ8duxA8KgJAtGV7KtULv9LpD3WSHqSN4irp67f4KC44egaMVpYJrhaqP5Kn26CDZDrbqGyaLQNF9GU22MxYLvypAjmuQxyaEDPrsUByKTpvqk7JncqDHotfA9qEAsqV7zgiE7geiPvFJsdXXeVLKMdxdUw3wh8torypi7FVfi2FwcR3iiRvwKyEjtoMp8SvPf9jfHDyccqkRVqtQiwA4Gf8QYRYWbKB6A25uJcvgotRUjp1zXsXaQaq9eRPg6RNirwd1trjrMMjCFDZXEbjV2pKJeHxqstfWn6LHtyXwZGh3ot37B7EsL11wcuvdCVcJepagGRacz8HEJyvgffpgyMHpeAgVam3p4WHR3fiAvpr7Kpj8sDq5yn3gHbKg6JNoFPxJCSQV3gR1bg5U8YNdRPuEdHCG4dKbwk4at4AHjYHtMsKZ9wuXxi9d6pw4mLYiYMtivbWMUH6c69b2nqwz2zMjiQdMYLHK

赛博厨子一把梭

扫码

https://products.groupdocs.app/zh/scanner/scan-datamatrix

最后flag为

flag{a72dd260-f64d-4116-ab50-b26b40d69883}

EzMisc

题目描述:

某公司网络安全管理员小王截获了一段公司内部向外传输信息的流量，请分析并获取传输的内容

hint：

1、利⽤DP泄露来求出私钥，从⽽还原私钥流解密密⽂ 2、图片经过了Arnold变换

下载附件

追踪第五个流显示有三个文件，私钥、压缩包、密文

分别导出来，私钥是残缺的

-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAs+6Ep8SasbhvIG62iRgAqppC7E6xtM3edPdn654H0IIJcr3T
sis8OO5JcElSHhJkCkT1xtRgHm1zVyPIpzZTPZY3vMgN+xTuDwn7roPrMJ9oYhUE
8Yt3lBGotOyZh7/fSq/hd9IATqmO3gTgBzQFFPKK+NLHhidYYEkbg7Mj2TCaSOZO
Ztka7LsPfjnr2bo/h3MvJAx86REDO2FXvJAhY9A/ViBatq0pGKD/LioHkwafjd2r
xQA3Sjnur8LxOWeM9nNZkZR4DH/kkxHLKxslRePGkOHbLgwIO9bdplhI1ky7gQpC
Q3moi74VPd88jnngyAftGqm2h0Mw2jVZgwz6RQIDAQABAoIBAENuo1aAjv0Fwtfj
xhLw5OcK8wO+pki9Up6BTff2fLU+1q2iyKCgJWysmOc1A0pz1/wlRfrjArbEjBJf
Pca0zFNrZa4hR2QOvvzx39nSZKUPSL5hZD3l58WdLJ3JgexnExbZfWU7VZQlZX59
Uzw/2Zu1HjIMRGxZeHx1SZN84nV1aMj/9FFlpC54ZG0mz33BsmphKnQTYLlINzQl
laL6ZR5N+/3QoIGj+TNIHkUQhFCR9d285FWIUWEmhh9UE8UwFPw+gaDcrOcVpSpT
hAapMbzBuZ8AAAAAAAAAKLpJRp1+1TmSOtj/eO4sxKXOMdEH1weFCzBUogIKK0H6
VJt6DG0CgYEA7oQV+b31O418CJ3ehDlSjFy3+KdxEXpDujgwP5dwbCenHDNEfx0Y
+TzknEC+A/azdn+AhOQyQAE4xGwygb8i2OPC3ZqOhv26yGhv5WZxG2qsQVMCZYD0
+FCmf656TA2rwx6yRf5UtVBecIhSoUkEekxO0lbiBAAAAAAAAAsmadcCgYEAwR8P
IEpv47T1jla9RTQuSby4eSu3OvrN/SkKPVFui/aDUG/OO0fQzGuEq2rthtXuGBna
Qjvyd+PZngYLn8vHKqmuxAlNUivq3rvGwpayRL83Pts02+4fOa/p7TJkdLlQDHxo
La7sn/SiuAAAAAAAAAeFlii6mTG+kUZ98n3IEUMCgYEAlyQaLNSjpqYkV+16CL2u
QoWqiqXIL3QToNhkMpfLRK3n5iXSnN4aai2dDCq2fhqBZHCtRwi3kvlzOHz7kF5H
PbsuS3DaKk50YvRTG8HLoLz7BLYOSbXrBcNNjpFIrBLpqc4018evc+nGvnaULeHw
NXNPa1hlCNFXgJ4+ne3f/KcCgYEAu0KerDUBoc8KfGbnSH98ksuIJRaaqXog22Y8
I5EenGEAm7KOSzUr5cwr7PvWLnSqVnxbAvaV+mLZ1T0PcHdsPJYkfLp4W0FykV+L
L4xod/jiXPS5oLiZVpqZPgMrHXPDhxfq/MEteTAAAAAAAAApzN0kj6IWrg1qN/we
jFAi+3kCgYABKVPNcN25ZT/FjL4uLKhyu3Q6vgPRQwP//bPlTloenxDT8RN3znpx
qzv0e84HQH5lH/AxNix5eq/apOi8B0q6IW1Fj3ytczR8cvPhCln/zWV/ZXxj6Rul
JR3mGGh3lYDqiTxi+6ZbKqbhc4N7na8VHx+CoAGMqRUFzAAAAAAAAA==
-----END RSA PRIVATE KEY-----

解

E:\>openssl rsa -in private_key.pem -text
Private-Key: (2048 bit, 2 primes)
modulus:
    00:b3:ee:84:a7:c4:9a:b1:b8:6f:20:6e:b6:89:18:
    00:aa:9a:42:ec:4e:b1:b4:cd:de:74:f7:67:eb:9e:
    07:d0:82:09:72:bd:d3:b2:2b:3c:38:ee:49:70:49:
    52:1e:12:64:0a:44:f5:c6:d4:60:1e:6d:73:57:23:
    c8:a7:36:53:3d:96:37:bc:c8:0d:fb:14:ee:0f:09:
    fb:ae:83:eb:30:9f:68:62:15:04:f1:8b:77:94:11:
    a8:b4:ec:99:87:bf:df:4a:af:e1:77:d2:00:4e:a9:
    8e:de:04:e0:07:34:05:14:f2:8a:f8:d2:c7:86:27:
    58:60:49:1b:83:b3:23:d9:30:9a:48:e6:4e:66:d9:
    1a:ec:bb:0f:7e:39:eb:d9:ba:3f:87:73:2f:24:0c:
    7c:e9:11:03:3b:61:57:bc:90:21:63:d0:3f:56:20:
    5a:b6:ad:29:18:a0:ff:2e:2a:07:93:06:9f:8d:dd:
    ab:c5:00:37:4a:39:ee:af:c2:f1:39:67:8c:f6:73:
    59:91:94:78:0c:7f:e4:93:11:cb:2b:1b:25:45:e3:
    c6:90:e1:db:2e:0c:08:3b:d6:dd:a6:58:48:d6:4c:
    bb:81:0a:42:43:79:a8:8b:be:15:3d:df:3c:8e:79:
    e0:c8:07:ed:1a:a9:b6:87:43:30:da:35:59:83:0c:
    fa:45
publicExponent: 65537 (0x10001)
privateExponent:...
prime1:...
prime2:...
exponent1:
    00:97:24:1a:2c:d4:a3:a6:a6:24:57:ed:7a:08:bd:
    ae:42:85:aa:8a:a5:c8:2f:74:13:a0:d8:64:32:97:
    cb:44:ad:e7:e6:25:d2:9c:de:1a:6a:2d:9d:0c:2a:
    b6:7e:1a:81:64:70:ad:47:08:b7:92:f9:73:38:7c:
    fb:90:5e:47:3d:bb:2e:4b:70:da:2a:4e:74:62:f4:
    53:1b:c1:cb:a0:bc:fb:04:b6:0e:49:b5:eb:05:c3:
    4d:8e:91:48:ac:12:e9:a9:ce:34:d7:c7:af:73:e9:
    c6:be:76:94:2d:e1:f0:35:73:4f:6b:58:65:08:d1:
    57:80:9e:3e:9d:ed:df:fc:a7
exponent2:...
coefficient:...

整理得到

n=0x00b3ee84a7c49ab1b86f206eb6891800aa9a42ec4eb1b4cdde74f767eb9e07d0820972bdd3b22b3c38ee497049521e12640a44f5c6d4601e6d735723c8a736533d9637bcc80dfb14ee0f09fbae83eb309f68621504f18b779411a8b4ec9987bfdf4aafe177d2004ea98ede04e007340514f28af8d2c786275860491b83b323d9309a48e64e66d91aecbb0f7e39ebd9ba3f87732f240c7ce911033b6157bc902163d03f56205ab6ad2918a0ff2e2a0793069f8dddabc500374a39eeafc2f139678cf673599194780c7fe49311cb2b1b2545e3c690e1db2e0c083bd6dda65848d64cbb810a424379a88bbe153ddf3c8e79e0c807ed1aa9b6874330da3559830cfa45

dp=0x0097241a2cd4a3a6a62457ed7a08bdae4285aa8aa5c82f7413a0d8643297cb44ade7e625d29cde1a6a2d9d0c2ab67e1a816470ad4708b792f973387cfb905e473dbb2e4b70da2a4e7462f4531bc1cba0bcfb04b60e49b5eb05c34d8e9148ac12e9a9ce34d7c7af73e9c6be76942de1f035734f6b586508d157809e3e9deddffca7

dp泄露

import gmpy2
from Crypto.Util.number import long_to_bytes
e = 0x10001
n = 0x00b3ee84a7c49ab1b86f206eb6891800aa9a42ec4eb1b4cdde74f767eb9e07d0820972bdd3b22b3c38ee497049521e12640a44f5c6d4601e6d735723c8a736533d9637bcc80dfb14ee0f09fbae83eb309f68621504f18b779411a8b4ec9987bfdf4aafe177d2004ea98ede04e007340514f28af8d2c786275860491b83b323d9309a48e64e66d91aecbb0f7e39ebd9ba3f87732f240c7ce911033b6157bc902163d03f56205ab6ad2918a0ff2e2a0793069f8dddabc500374a39eeafc2f139678cf673599194780c7fe49311cb2b1b2545e3c690e1db2e0c083bd6dda65848d64cbb810a424379a88bbe153ddf3c8e79e0c807ed1aa9b6874330da3559830cfa45
dp = 0x0097241a2cd4a3a6a62457ed7a08bdae4285aa8aa5c82f7413a0d8643297cb44ade7e625d29cde1a6a2d9d0c2ab67e1a816470ad4708b792f973387cfb905e473dbb2e4b70da2a4e7462f4531bc1cba0bcfb04b60e49b5eb05c34d8e9148ac12e9a9ce34d7c7af73e9c6be76942de1f035734f6b586508d157809e3e9deddffca7
 
for x in range(1,e):  #遍历X
    if (dp*e-1)%x==0:
        p=(dp*e-1)//x +1
        if n%p==0:
            q=n//p   #得到q
            phi=(p-1)*(q-1)  #欧拉函数
            d=gmpy2.invert(e,phi)  #求逆元
            print(d)

解密得到密文为M1sc_1s_s0_e@sy!

解压压缩包得到

猫脸变换爆破

import numpy as np
import cv2
import random


def dearnold_encode(image, a, b):
    arnold_image = np.zeros(shape=image.shape)  

    h, w = image.shape[0], image.shape[1]
    N = w  
    for x in range(h):
        for y in range(w):
            new_x = ((a * b + 1) * x - a * y) % N
            new_y = (-b * x + y) % N
            arnold_image[new_x, new_y, :] = image[x, y, :]

    arnold_image = np.uint8(arnold_image)

    return arnold_image


r = cv2.imread('flag.png')
cishu=0
for _ in range(10000):
    a=random.randint(1,1000)
    b=random.randint(1,1000)
    cishu+=1
    r = dearnold_encode(r, a, b)
    cv2.imwrite("C:\\Users\\23831\\Desktop\\" + "{}.png".format(cishu), r)

最后flag为

flag{3089ea1c-23a0-4889-a87f-daabe2f6e1b4}

音频的秘密

题目描述:

音频解解看

hint:

wav隐写为deepsound加密，密码为弱口令

deepsound解密，密码为123

构造png头，进行bkcrack爆破

echo 89504E470D0A1A0A0000000D49484452 | xxd -r -ps >png_header

爆破得到密钥

bkcrack.exe -C flag.zip -c flag.png -p png_header

攻击修改压缩包密码

bkcrack.exe -C flag.zip -k 29d29517 0fa535a9 abc67696 -U flag1.zip 123456

解压压缩包得到

zsteg一把梭

最后flag为

flag{Y1_Shun_jian_Fa_ZE_Dian_Fu}