陈年题合集2

天权信安&catf1ag

简单隐写

下载附件

binwalk分离

使用jphs无密码得到一个txt

查看1.txt

得到压缩包密码，解压压缩包

随波逐流一把梭

最后flag为

catf1ag{JPhs_w1n_Y0u_G3t_IT!!!}

十位马

下载附件

010查看文件

十六进制解码试试

发现是png文件，不过是反过来了

reverse后改前前两个字节

exp:

with open('E:\\脚本合集\\赛题脚本\\陈年题\\swm\\data','r') as f:
	s = f.readlines()[0]
	s = [s[i:i+2] for i in range(0,len(s),2)]
	s = ''.join(s[::-1])
	with open('E:\\脚本合集\\赛题脚本\\陈年题\\swm\\data.txt','w') as f1:
		f1.write(s)

运行得到

改前前两个字节，赛博厨子一把梭

保存并解压压缩包

montage拼图

montage *.png -tile 10x10 -geometry +0+0 flag.png

ps补上定位码

扫描二维码得到

最后flag为

flag{cbef4c93-5e9c-11ed-8205-666c80085daf}

反方向的钟

题目描述:

听一万遍反方向的钟能回到过去吗

下载附件

查看音频文件发现是周杰伦的反方向的钟，查看频谱以及尝试各种音频隐写都没什么发现

根据题目描述

听一万遍《反方向的钟》能回到过去吗”，可以得到10000的倒数为1/10000

所以压缩包密码为

1/10000

解压压缩包得到一个无后缀文件，010查看文件

看到这些乱码是文件被逆序直接reverse然后补全png文件头

保存并查看图片

将音乐倒放末尾得到一段钢琴音乐，简谱为1433223(之前学过音乐听出来的)
cloacked-pixel隐写

最后flag为

flag{6d19919b-659a-11ed-af80-ac1203fb3249}

ez_misc

下载附件

查看pass.txt

password is 米糊油

查看文件夹发现是原神游戏，猜测密码是yuanshen

解压压缩包得到

010查看系统文件 config.Sys

将16进制数四个字符串一组之后加空格进行中文电码解密

核心价值观解密

最后flag为

flag{744f24ae-6970-11ed-ae9d-ac1203fb3249}

Wind water turn turn turn

下载附件

010查看文件

发现是zip文件，改后缀.zip

word文件，打开乱码，还是010查看吧

发现是逆序zip，提取下来reverse得到zip，snow隐写得到flag

最后flag为

flag{ffd81975-648c-11ed-b5fe-ac1203fb3249}

Devil’s Eighty Hammer

下载附件

爆破压缩包密码

解压压缩包得到无后缀文件，010查看

去掉连接符得到长字符串

魔改base(王八七七师傅脚本)

exp:

# coding:utf-8
 
#s = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
#s = "vwxrstuopq34567ABCDEFGHIJyz012PQRSTKLMNOZabcdUVWXYefghijklmn89+/"
s = "i5jLW7S0GX6uf1cv3ny4q8es2Q+bdkYgKOIT/tAxUrFlVPzhmow9BHCMDpEaJRZN"
 
def My_base64_encode(inputs):
    # 将字符串转化为2进制
    bin_str = []
    for i in inputs:
        x = str(bin(ord(i))).replace('0b', '')
        bin_str.append('{:0>8}'.format(x))
    #print(bin_str)
    # 输出的字符串
    outputs = ""
    # 不够三倍数，需补齐的次数
    nums = 0
    while bin_str:
        #每次取三个字符的二进制
        temp_list = bin_str[:3]
        if(len(temp_list) != 3):
            nums = 3 - len(temp_list)
            while len(temp_list) < 3:
                temp_list += ['0' * 8]
        temp_str = "".join(temp_list)
        #print(temp_str)
        # 将三个8字节的二进制转换为4个十进制
        temp_str_list = []
        for i in range(0,4):
            temp_str_list.append(int(temp_str[i*6:(i+1)*6],2))
        #print(temp_str_list)
        if nums:
            temp_str_list = temp_str_list[0:4 - nums]
            
        for i in temp_str_list:
            outputs += s[i]
        bin_str = bin_str[3:]
    outputs += nums * '='
    print("Encrypted String:\n%s "%outputs)
    
def My_base64_decode(inputs):
    # 将字符串转化为2进制
    bin_str = []
    for i in inputs:
        if i != '=':
            x = str(bin(s.index(i))).replace('0b', '')
            bin_str.append('{:0>6}'.format(x))
    #print(bin_str)
    # 输出的字符串
    outputs = ""
    nums = inputs.count('=')
    while bin_str:
        temp_list = bin_str[:4]
        temp_str = "".join(temp_list)
        #print(temp_str)
        # 补足8位字节
        if(len(temp_str) % 8 != 0):
            temp_str = temp_str[0:-1 * nums * 2]
        # 将四个6字节的二进制转换为三个字符
        for i in range(0,int(len(temp_str) / 8)):
            outputs += chr(int(temp_str[i*8:(i+1)*8],2))
        bin_str = bin_str[4:]   
    print("Decrypted String:\n%s "%outputs)
    
print()
print("     *************************************")
print("     *    (1)encode         (2)decode    *") 
print("     *************************************")
print()
 
 
num = input("Please select the operation you want to perform:\n")
if(num == "1"):
    input_str = input("Please enter a string that needs to be encrypted: \n")
    My_base64_encode(input_str)
else:
    input_str = input("Please enter a string that needs to be decrypted: \n")
    My_base64_decode(input_str)

运行得到

 E:\脚本合集\赛题脚本> & e:/脚本合集/赛题脚本/.venv/Scripts/python.exe e:/脚本合集/赛题脚本/陈年题/魔改base.py

     *************************************
     *    (1)encode         (2)decode    *
     *************************************

Please select the operation you want to perform:
1T29c4qMf9/9f4nL19WBnLfo1WfB1939f9WH1L2C1LG9f4fB14dBcL2Cf9/C1TQSf9W91L2Bf9/C1TqBf9fB1Lfo1439fTfpf9WB39qof9d9f4fB1T39c42Cf93C1T3wf9WH1LXS1LGCf9nL1T2CnTfo14dC1Tfp1T2H1Lf9f9/9f4qBf9G9c429f93C1Tfpf9W9c42B1LfCn4fB19WBfTfo1439f93w1/qB39fw1LfC1Tfpf/2BfTfof9/C1Tdmf9WH1L2Cf9/9f4nLf9GBfTfof/29fTfp1T291Ldo1W3C1Tfp1T2BfT2Cf9/9fT391T29c4XS1Lf9f4nL1T3CnL2Cf9/H193wf9f9c4f91W39f4nL1LdBf9fo143C1Tdm1T29c43M1LGC1Tfp1T2CnTfof93C1L39f9WH1Lf919dC1Tfp14d9c429f93C1Tfp1T29c4XSf9/C1TfB1T2MfLfof9/H19fp1Tf91L2C1/29f4qM1T2BnL2Cf93Cn4qM1T29c4qM19dCn4qB1T2M19fo1WfB3T39f9WH1L2C1LGC1Tfp1LdBfT291Wf9fT391T29c4XS1Lf9f4qBf9fB1Lfo1439fT3wf9f9c4fw1Lf9f4fp1T3Bf9fo143C1Tdm1T29c42C1LGC1TqB14W919fof939f939f9WB39f919d9f4qBf9G9c429f939f9nWf9WH19f9f9/C1TfB1T2MfL2Cf9/C1T3wf9WB392C1/29f4fB1T39c42C143C1Tdmf9WH1Lfw1LK9f4nLf9GBf9fof9/Cc4fp1T291L2C1LG9f4qBf9fBfTQ71WfC1TQS1T29c4XSf9/C1TqBf9f9c42Cf9/H193Df9W9c4fw1LfC1Tfpf/2Bf9fo143C1T3w1T29c42C1LfCn4qBf9GBf92Cf9/wnT3wf9W9c4f91L3C1Tfp14dBfTf9f9/C1TdMf9WB392Cf9/C1TfB1T2MfLfo1439f9fp1Tf91Lfw1LfC1Tfpf9fBf9Q7f93Cn4nL1T29c4qMf9/Cf9fB1T29c4fo1WfB3T39f9WH1LQ71/WC1T3wf9f9c4Q71T/9nL1W
Please enter a string that needs to be decrypted:
1T29c4qMf9/9f4nL19WBnLfo1WfB1939f9WH1L2C1LG9f4fB14dBcL2Cf9/C1TQSf9W91L2Bf9/C1TqBf9fB1Lfo1439fTfpf9WB39qof9d9f4fB1T39c42Cf93C1T3wf9WH1LXS1LGCf9nL1T2CnTfo14dC1Tfp1T2H1Lf9f9/9f4qBf9G9c429f93C1Tfpf9W9c42B1LfCn4fB19WBfTfo1439f93w1/qB39fw1LfC1Tfpf/2BfTfof9/C1Tdmf9WH1L2Cf9/9f4nLf9GBfTfof/29fTfp1T291Ldo1W3C1Tfp1T2BfT2Cf9/9fT391T29c4XS1Lf9f4nL1T3CnL2Cf9/H193wf9f9c4f91W39f4nL1LdBf9fo143C1Tdm1T29c43M1LGC1Tfp1T2CnTfof93C1L39f9WH1Lf919dC1Tfp14d9c429f93C1Tfp1T29c4XSf9/C1TfB1T2MfLfof9/H19fp1Tf91L2C1/29f4qM1T2BnL2Cf93Cn4qM1T29c4qM19dCn4qB1T2M19fo1WfB3T39f9WH1L2C1LGC1Tfp1LdBfT291Wf9fT391T29c4XS1Lf9f4qBf9fB1Lfo1439fT3wf9f9c4fw1Lf9f4fp1T3Bf9fo143C1Tdm1T29c42C1LGC1TqB14W919fof939f939f9WB39f919d9f4qBf9G9c429f939f9nWf9WH19f9f9/C1TfB1T2MfL2Cf9/C1T3wf9WB392C1/29f4fB1T39c42C143C1Tdmf9WH1Lfw1LK9f4nLf9GBf9fof9/Cc4fp1T291L2C1LG9f4qBf9fBfTQ71WfC1TQS1T29c4XSf9/C1TqBf9f9c42Cf9/H193Df9W9c4fw1LfC1Tfpf/2Bf9fo143C1T3w1T29c42C1LfCn4qBf9GBf92Cf9/wnT3wf9W9c4f91L3C1Tfp14dBfTf9f9/C1TdMf9WB392Cf9/C1TfB1T2MfLfo1439f9fp1Tf91Lfw1LfC1Tfpf9fBf9Q7f93Cn4nL1T29c4qMf9/Cf9fB1T29c4fo1WfB3T39f9WH1LQ71/WC1T3wf9f9c4Q71T/9nL1W
Decrypted String:
66395739314C714D314C474331546642313457486639666F313464396654334431543239314C5137313464396634664231542F42634C666F31576639665433393154323963346639313964436E347142315433426E4C324366392F423139667031546639314C3242312F32396634714D663966426639324366392F43314C646D663957423339334D314C474331546670663947426639666F3134644331543377663957396334663966392F3966346670313957396334666F3157664D66346E57663957776E546677314C4B433154664266394742634C324366392F433154334431543242333932433139644331546670663966426654513731343343314C3377315432396334334D315733396634667066396642314C666F313464396654667031543248314C32433139693966346642315433426E4C666F66392F3966543339663957483139324366392F4331546642663966436E54324366392F42313933446639574233396677314C6639663466703154333963343243663933436E346E4C6639573963346639314C4B4331546E6A664233396E693D3D
PS E:\脚本合集\赛题脚本> & e:/脚本合集/赛题脚本/.venv/Scripts/python.exe e:/脚本合集/赛题脚本/陈年题/魔改base.py

     *************************************
     *    (1)encode         (2)decode    *
     *************************************

Please select the operation you want to perform:
f9W91LqM1LGC1TfB14WHf9fo14d9fT3D1T291LQ714d9f4fB1T/BcLfo1Wf9fT391T29c4f919dCn4qB1T3BnL2Cf9/B19fp1Tf91L2B1/29f4qMf9fBf92Cf9/C1Ldmf9WB393M1LGC1Tfpf9GBf9fo14dC1T3wf9W9c4f9f9/9f4fp19W9c4fo1WfMf4nWf9WwnTfw1LKC1TfBf9GBcL2Cf9/C1T3D1T2B392C19dC1Tfpf9fBfTQ7143C1L3w1T29c43M1W39f4fpf9fB1Lfo14d9fTfp1T2H1L2C19i9f4fB1T3BnLfof9/9fT39f9WH192Cf9/C1TfBf9fCnT2Cf9/B193Df9WB39fw1Lf9f4fp1T39c42Cf93Cn4nLf9W9c4f91LKC1TnjfB39ni==
Please enter a string that needs to be decrypted:
f9W91LqM1LGC1TfB14WHf9fo14d9fT3D1T291LQ714d9f4fB1T/BcLfo1Wf9fT391T29c4f919dCn4qB1T3BnL2Cf9/B19fp1Tf91L2B1/29f4qMf9fBf92Cf9/C1Ldmf9WB393M1LGC1Tfpf9GBf9fo14dC1T3wf9W9c4f9f9/9f4fp19W9c4fo1WfMf4nWf9WwnTfw1LKC1TfBf9GBcL2Cf9/C1T3D1T2B392C19dC1Tfpf9fBfTQ7143C1L3w1T29c43M1W39f4fpf9fB1Lfo14d9fTfp1T2H1L2C19i9f4fB1T3BnLfof9/9fT39f9WH192Cf9/C1TfBf9fCnT2Cf9/B193Df9WB39fw1Lf9f4fp1T39c42Cf93Cn4nLf9W9c4f91LKC1TnjfB39ni==
Decrypted String:
31345742663451533157324866346E5731346948314C3243663933776E54644D663947396334646F3157334366396470314C474266393243315766423139333931397139314C714D312F32486634324866396648664C6677663933426E5464426639474D3139334431573239665466703134644D31393243315766396634336F66394748314C32433139643966346E4C31393348664B3D3D
PS E:\脚本合集\赛题脚本> & e:/脚本合集/赛题脚本/.venv/Scripts/python.exe e:/脚本合集/赛题脚本/陈年题/魔改base.py

     *************************************
     *    (1)encode         (2)decode    *
     *************************************

Please select the operation you want to perform:
14WBf4QS1W2Hf4nW14iH1L2Cf93wnTdMf9G9c4do1W3Cf9dp1LGBf92C1WfB193919q91LqM1/2Hf42Hf9fHfLfwf93BnTdBf9GM193D1W29fTfp14dM192C1Wf9f43of9GH1L2C19d9f4nL193HfK==
Please enter a string that needs to be decrypted:
14WBf4QS1W2Hf4nW14iH1L2Cf93wnTdMf9G9c4do1W3Cf9dp1LGBf92C1WfB193919q91LqM1/2Hf42Hf9fHfLfwf93BnTdBf9GM193D1W29fTfp14dM192C1Wf9f43of9GH1L2C19d9f4nL193HfK==
Decrypted String:
51416F4F514D505466342F773239714D63794243664C47437534576F5165335032344F743277484F32395777664C314132546677314C7452
PS E:\脚本合集\赛题脚本> & e:/脚本合集/赛题脚本/.venv/Scripts/python.exe e:/脚本合集/赛题脚本/陈年题/魔改base.py

     *************************************
     *    (1)encode         (2)decode    *
     *************************************

Please select the operation you want to perform:
& e:/脚本合集/赛题脚本/.venv/Scripts/python.exe e:/脚本合集/赛题脚本/陈年题/魔改base.py
Please enter a string that needs to be decrypted:
QAoOQMPTf4/w29qMcyBCfLGCu4WoQe3P24Ot2wHO29WwfL1A2Tfw1LtR
Decrypted String:
flag{c192c579-6026-11ed-a8ec-ac1203fb3249}

最后flag为

flag{c192c579-6026-11ed-a8ec-ac1203fb3249}

Coffee_loving_cat

下载附件

发现前三个带有密码，查看最后一个文件

发现是一些咖啡还有咖啡价格

尝试搜一下咖啡暗语之类的，结果看到了这个

揭示Starbucks杯子上字母的含义！看懂这些密码以后别再喝错饮料！ | MOpress - Professional Writer’s Content Platform

对应得到

ALCMCMFW

尝试把价格加起来:

6+9+12+10+14+11=62

关于62的编码之类应该只有base62

对ALCMCMFW 进行base62加密

解压压缩包得到

那两张带二维码的图片扫码没什么发现，010查看fla@.png

发现是bmp文件，根据题目名Coffee loving cat 考虑和cat有关的只有猫脸变换了

但是shuffle_times、a、b没给，最离谱这边来了，结果是比赛日期(wcndm)

猫脸变换脚本:

import cv2
import numpy as np
import matplotlib.image as mpimg

def de_arnold(img, shuffle_time, a, b):
    r, c, d = img.shape
    dp = np.zeros(img.shape, np.uint8)
    
    for s in range(shuffle_time):
        for i in range(r):
            for j in range(c):
                x = ((a * b + 1) * i - b * j) % r
                y = (-a * i + j) % c
                dp[x, y, :] = img[i, j, :]
        img = np.copy(dp)
    
    return img

# 替换为实际的图像路径
image_path = 'E:\\脚本合集\\赛题脚本\\0xgame2024\\猫脸变换\\fla@.bmp'
img = mpimg.imread(image_path)
if img is None:
    raise ValueError("Failed to load image. Please check the path.")

img = img[:, :, [2, 1, 0]]  # Convert BGR to RGB

# 确保shuffle_time, a, b与加密时使用的参数一致
new = de_arnold(img, 12, 0, 9)  # 比赛日期12.09

cv2.imshow('picture', new)
cv2.waitKey(0)
cv2.destroyAllWindows()  # 清理所有窗口

运行得到

ps翻转图片

最后flag为

flag{512ed05a-629a-11ed-ae9d-ac1203fb3249}

强国杯

找找GIF

下载附件

压缩包需要密码，伪加密

010查看aaa文件

png文件，添加后缀.png查看文件

一眼图片宽高有问题，直接一把梭

ps水平翻转

得到压缩包密码为

ghkDF45#^$4Gfgb

解压压缩包bbb.zip得到bbb无后缀文件，010查看

对比ccc.gif，补充gif’文件头GIF89a

保存并打开gif文件

发现flag一闪而过，使用stegsolve逐帧查看

最后flag为

flag{89rutgjhkfnbmguriehgnlor90jhkndc}

大佬大佬

下载附件

zsteg一把梭

zsteg提取图片

zsteg -e b1,rgb,lsb,xy 1.png>dl.png

宽高一把梭

最后flag为

flag{fbn41shc03dikqja9z8uovmt65xeglwp}

The fun picture

下载附件

爆破压缩包密码

得到压缩包密码

6T7h

解压压缩包得到

查看flag.txt

010查看无后缀文件

改为zip

010查看文件发现是png图片，缺少文件头补上

保存并打开文件

扫描二维码得到

base解密

最后flag为

flag{krep490fjml584ngfkldm2ndlm40gnvj}

B@tCh

下载附件

batchencryption解密

使用010editor打开bat，切换为hex模式，在程序头部加入如下字段：

::BatchEncryption Build 201610 By gwsbhqt@163.com

保存为1.txt解密

exp:

#!/usr/bin/python
# -*- coding:utf-8 -*-
#
# Batch Decryption 202009 (BatchEncryption Build 201610)
#
 
import os
import sys
 
encrypt_file = ''
encodeErrByteArray = [b'\xfe', b'\xff']
 
def decryption(data):
    # 去除头部后的源代码下标开始位置
    i = data.index(b'163.com\r\n') + 9
    vars = {}
    length = len(data)
    source = ''
    while i < length:
        Data = run(vars, data, i)
        i = Data.get('index')
        source += Data.get('buf')
    return source
 
def run(vars, data, i):
    buf = ''
    f = 0
    t = 0
    x = False
    l = len(data)
    while(True):
        if data[i] == 0x0d and data[i+1] == 0x0a:
            i += 2
            break
        # get %var:~x,y% %0
        if data[i] == 0x25:
            if not x:
                x = True
                f = i
            else:
                x = False
                t = i
                rst = var_percent(data[f:t+1], vars)
                buf += rst
            i += 1
        else:
            if not x:
                try:
                    buf += str(data[i:i+1], encoding="utf-8")
                    i += 1
                except Exception as err:
                    # 过滤掉无法解析的字节
                    if data[i:i+1] in encodeErrByteArray:
                        buf = ''
                        i += 1
                    else:
                        # 以ansi码解析中文
                        chinese = b''
                        temp = i
                        while (str(data[temp:temp+1]).find('x') >= 0):
                            chinese += data[temp:temp+1]
                            temp += 1
                        buf += chinese.decode('ansi', 'ignore')
                        i = temp
            else:
                if (f + 1 == i) and ((data[i] >= 0x30 and data[i] <= 0x39) or data[i] == 0x2a):
                    x = False
                    t = i
                    rst = str(data[f:t+1], encoding="utf-8")
                    buf += rst
                i += 1
        if i >= l:
            break
    #print(buf)
    bufs = buf.split('&@')
    for var in bufs:
        if var[0:4] == 'set ':
            var = var[4:]
            b = var.find('=')
            vars[var[0:b]] = var[b+1:].replace('^^^', '^')
    buf += '\r\n'
    return {'index':i, 'buf':buf}
 
"""
%':~-53,1%
':~-53,1
["'", '-53,1']
"""
def var_percent(data, vars):
    full = str(data, encoding="utf-8")
    buf = full[1:len(full)-1]
    buf = buf.split(':~')
    var = buf[0]
    if not var in vars:
        vars[var] = os.getenv(var)
    ent = vars[var]
    if (len(buf) > 1):
        l = len(ent)
        buf = buf[1].split(',')
        f = int(buf[0])
        t = int(buf[1])
        if f < 0:
            f, t = l + f, t
        rst = ent[f: f+t]
    else:
        rst = full
    return rst
 
def makeFile(path,content):
    try:
        encryptionFilePath = os.path.dirname(sys.argv[1])
        encryptionFileName = os.path.basename(sys.argv[1])
        encryptionFile = encryptionFileName.split('.')
        decryptionFileName = encryptionFile[0] + '_denctyption.' + encryptionFile[1]
        decryptionFile = encryptionFilePath + '/' + decryptionFileName
        print(decryptionFile)
        file = open(decryptionFile, 'w+')
        file.write(content)
        file.close()
    except Exception as err:
        print(err)
        exit        
 
if __name__ == '__main__':
 
    try:
        if len(sys.argv) < 2:
            print('param len error\nuse: python dencrypt.py encrypt.bat')
            exit
        encrypt_file = sys.argv[1]
        file = open(encrypt_file, "rb")
        data = file.read()
        file.close()
        source = decryption(data)
        makeFile(encrypt_file, source)
    except Exception as err:
        print(err)
        exit

得到flag

最后flag为

flag{a9da469b-03d7-431c-8c34-6c02130c58b6}

2021 暨南大学 Xp0int 杯网络安全大赛

77777

题目描述:

我给你准备了一个LED灯组成的大屏幕，每一行都有512个灯，这场面应该很震撼吧

下载附件

解压得到一个文本，里面只有abcdefg七个字母，由LED联想到七段数码管，数字0-9，通过搜索(https://baike.baidu.com/item/%E4%B8%83%E6%AE%B5%E6%95%B0%E7%A0%81%E7%AE%A1/927592) 即可得到七段数码管的表示方法：

Tube={
    '0':"abcdef",
    '1':"bc",
    '2':"abged",
    '3':"abgcd",
    '4':"fgbc",
    '5':"fgcda",
    '6':"afedcg",
    '7':"abc",
    '8':"abcdefg",
    '9':"afgbcd"
}

根据提示把这些字母转换成数字，保存为txt文件，通过缩小视图即可看到flag

exp:

Num={
    "abcdef":'0',
    "bc":'1',
    "abged":'2',
    "abgcd":'3',
    "fgbc":'4',
    "fgcda":'5',
    "afedcg":'6',
    "abc":'7',
    "abcdefg":'8',
    "afgbcd":'9'
}
x=69 #77777.txt一共有69行
y=512 #根据提示每行是512个数字
seven=open('E:\\脚本合集\\赛题脚本\\陈年题\\led\\77777.txt','r',encoding='utf-16')
flag=open('E:\\脚本合集\\赛题脚本\\陈年题\\led\\flag.txt','w',encoding='utf-16')
for i in range(x):
    line=seven.readline().split(' ')
    string=''
    for j in range(y):
        string=string+Num[line[j]]
    string+='\n'
    flag.write(string)
seven.close()
flag.close()

最后flag为

flag{as5d6-68t2z6-apb33-arg}

blind

题目描述:

一起来看小姐姐，咦，我的小姐姐呢

下载附件

查看图片

foremost分离

伪加密

010查看压缩包发现末尾是zip文件

reverse一下

保存并打开压缩包发现另一张一模一样图片

双图盲水印攻击

最后flag为

flag{easy_misc}

boom shakalaka

题目描述:

boom shakalaka~ boom shakalaka~

下载附件

92F7B9?2101134780DC5A6584025EBDAA3A182407EB3?11275D3D592808998A5CA556C88DD6228AC53C389?A4B69040A0C7045E8B9F064C89A0F1795232F4AFA17C79F5A784?6A02

hint：
DES
CBC 
PAD_PKCS5
key = "pl2iz!z."
iv = key

DES解密，缺少四位直接爆破

exp:

from pyDes import *
import binascii
import string
import pyDes

# 秘钥
KEY = 'pl2iz!z.'
def des_encrypt(s):
    """
    DES 加密
    :param s: 原始字符串
    :return: 加密后字符串，16进制
    """
    secret_key = KEY
    iv = secret_key
    k = des(secret_key, CBC, iv, pad=None, padmode=PAD_PKCS5)
    en = k.encrypt(s, padmode=PAD_PKCS5)
    return binascii.b2a_hex(en)


def des_descrypt(s):
    """
    DES 解密
    :param s: 加密后的字符串，16进制
    :return:  解密后的字符串
    """
    secret_key = KEY
    iv = secret_key
    k = des(secret_key, CBC, iv, pad=None, padmode=PAD_PKCS5)
    de = k.decrypt(binascii.a2b_hex(s), padmode=PAD_PKCS5)
    return de

s="flag{We_know_that_brute_f0rce_1s_4_go0d_method_to_hack_the_wor1d!!!}"
#加密之后大写
res=(des_encrypt(s)).upper()
print(res)

st = '0123456789ABCDEF'
stt = string.printable
# print(st)
print(stt)

origin = '92F7B9E2101134780DC5A6584025EBDAA3A182407EB3011275D3D592808998A5CA556C88DD6228AC53C389DA4B69040A0C7045E8B9F064C89A0F1795232F4AFA17C79F5A78466A02'
cipher = '92F7B9?2101134780DC5A6584025EBDAA3A182407EB3?11275D3D592808998A5CA556C88DD6228AC53C389?A4B69040A0C7045E8B9F064C89A0F1795232F4AFA17C79F5A784?6A02'
cipher_text = cipher.replace('?','{}')
k = 0
for i1 in reversed(st):
    for i2 in reversed(st):
        for i3 in reversed(st):
            for i4 in reversed(st):
                data = cipher_text.format(i1,i2,i3,i4)
                k = k + 1
                if k % 100 == 0:
                    print(k)
                if origin == data:
                    print('!!!!!!!!!!!!!!!!!!!!')
                    # res = des_descrypt(data)
                    # print(res)
                    # sys.exit(1)
                try:
                    res=des_descrypt(data)
                    if b'flag' in res:
                        for i in range(len(res)):
                            if chr(res[i]) in stt:
                                if i == len(res) - 1:
                                    print(res)
                                    sys.exit(1)
                                continue
                            else:
                                break
                except:
                    continue

运行得到

最后flag为

flag{We_know_that_brute_f0rce_1s_4_go0d_method_to_hack_the_wor1d!!!}

easy_misc

密码使用莫斯电码解密为123，图片为lsb隐写，密码为123，解开后获得密码flag{this_is_the_second_password}，压缩包密码为this_is_the_second_password；零宽度字符解出为flag{this_is_true?},验证错误,提出原字符fierltmaa_stgs_e{eg},用栅栏密码四位加密，得到答案

flag{it_seems_grate}

EZQIM

题目描述：

lena好像有水印，你能帮我提取出来吗?

下载附件

量化索引调制水印嵌入和提取

exp:

clear
global delta
global b
delta=uint8(16);
b=uint8(2);
watermarked_lena=imread("watermarked_lena.jpg");
watermarked_lena=reshape(watermarked_lena,1,[]);
f=reshape(Extract(watermarked_lena(1:80*512)),80,512);
imwrite(f*255,"flag.jpg");
function w=Extract(p)
    global delta;
    global b;
    w=zeros(1,length(p));
    for i=1:length(p)
        w(i)=mod(uint8(p(i)/delta),b);
    end
end

最后flag为

flag{2a3b-89e-f594}

FFIVE

题目描述:

你会使用win10刷新快捷键吗

下载附件

f5隐写

java Extract Xp0int1.jpg

brainfuck解密

最后flag为

flag{ad45f2-a52f3-ae956ff-ac4b2e}

fgo

下载附件

拼图

exp:

import cv2
import hashlib
import time
import os

flag=cv2.imread("flag.jpg")

for i in range(0,flag.shape[0],60):
    for j in range(0,flag.shape[1],60):
        tmp=flag[i:i+60,j:j+60]
        cv2.imwrite("result/%s.jpg"%(hashlib.md5(str(time.time()).encode('utf-8')).hexdigest()),tmp)

os.system('touch result/*.jpg')

运行得到

最后flag为

flag{Fa73-Grand-Ord3r!!}

misc???

下载附件

加密源码

import cv2
import random
import pickle
import sys

text = 'flag{##################################}'
stego_imgname = 'hide.png'
random_seed = 555111333444999000666777222888

key_table = [3, 5, 7, 0,
             6, 2, 4, 1]

def find_bound(canny):
    bound = []
    for i in range(len(canny)):
        for j in range(len(canny[i])):
            if canny[i][j] != 0:
                bound.append([i, j])
    return bound

lenna = cv2.imread('lenna.png')
# 转换通道
lenna_png = cv2.cvtColor(lenna, cv2.COLOR_BGR2RGB)
lenna = cv2.GaussianBlur(lenna, (5,5), 0)
canny = cv2.Canny(lenna, 50, 150)

bound = find_bound(canny)
write_file = open('pkl/bound.pkl', 'wb')
pickle.dump(bound, write_file)
write_file.close()

bound_len = len(bound)
nor_len = lenna_png.shape[0] * lenna_png.shape[1] - bound_len
if type(text) == str:
    text_len = len(text)
else:
    text_len = text_row * text_col
if text_len > bound_len + 4 or text_len > nor_len + 4:
    print('Too long.')
    sys.exit(1)

bound_x = [i[0] for i in bound]
bound_y = [i[1] for i in bound]
bound_x = list(set(bound_x))
bound_y = list(set(bound_y))

hide_len_pixel = [[lenna_png.shape[0]-1,lenna_png.shape[1]-1],[lenna_png.shape[0]-1,lenna_png.shape[1]-2],
                  [lenna_png.shape[0]-1,lenna_png.shape[1]-3], [lenna_png.shape[0]-1,lenna_png.shape[1]-4]]

def PRNG(textlen, bound, bound_x, bound_y, col = 512):
    global random_seed
    # 设定随机数发生器种子
    random.seed(random_seed)

    bound_field = []
    nor_field = []
    for i in range(textlen):
        x_flag = 1
        while x_flag:
            x = random.choice(bound_x)
            x_flag = 0
            y = random.choice(bound_y)
            tmp_y = y
            if [x, y] in bound and [x, y] not in bound_field and [x, y] not in hide_len_pixel:
                bound_field.append([x, y])
                break
            else:
                bound_y_i = bound_y.index(y)
                bound_y_len = len(bound_y)
                while True:
                    bound_y_i = (bound_y_i + 1) % bound_y_len
                    y = bound_y[bound_y_i]
                    if y == tmp_y:
                        x_flag = 1
                        bound_x.remove(x)
                        break
                    if [x, y] in bound and [x, y] not in bound_field and [x,y] not in hide_len_pixel:
                        bound_field.append([x, y])
                        break
    for i in range(textlen):
        x_flag = 1
        while x_flag:
            x = random.randint(0, col-1)
            y = random.randint(0, col-1)
            tmp_y = y
            if [x, y] not in bound and [x, y] not in nor_field and [x, y] not in hide_len_pixel:
                nor_field.append([x, y])
                break
            else:
                while True:
                    y = (y + 1) % col
                    if y == tmp_y:
                        continue
                    if [x, y] not in bound and [x, y] not in nor_field and [x, y] not in hide_len_pixel:
                        nor_field.append([x, y])
                        x_flag = 0
                        break
    return bound_field, nor_field


bound_field, nor_field = PRNG(text_len, bound, bound_x, bound_y, lenna_png.shape[1])

def hide_length(lenna_png, text_len):
    global hide_len_pixel
    text_len = bin(text_len).lstrip('0b').rjust(len(hide_len_pixel) * 4,'0')
    for index in range(len(hide_len_pixel)):
        tmp_len = int(text_len[4*index:4*index+4], 2)
        tmp_pixel = lenna_png[hide_len_pixel[index][0], hide_len_pixel[index][1]]
        tmp_pixel[0] = tmp_pixel[0] - (tmp_pixel[0] % 2) + ((tmp_len >> 3) & 0b1)
        tmp_pixel[1] = tmp_pixel[1] - (tmp_pixel[1] % 2) + ((tmp_len >> 2) & 0b01)
        tmp_pixel[2] = tmp_pixel[2] - (tmp_pixel[2] % 4) + (tmp_len & 0b11)
        lenna_png[hide_len_pixel[index][0], hide_len_pixel[index][1]] = tmp_pixel
    return lenna_png

lenna_png = hide_length(lenna_png, text_len)

def data_displace(text):
    global key_table
    ascii_text = [ord(i) for i in text]

    # 转换成二进制并置换
    ascii_text_displace = []
    for i in ascii_text:
        tmp_str = bin(i).lstrip('0b').rjust(8,'0')
        # print('origin: ' + tmp_str)
        result = ''
        # 置换
        for j in key_table:
            result = result + tmp_str[j]
        # print('change: ' + result)
        result_int = int(result, 2)
        ascii_text_displace.append(result_int)
    return ascii_text_displace

ascii_text_displace = data_displace(text)

def water_mark(lenna_png, ascii_text_displace, bound_field, nor_field):
    global stego_imgname
    # 隐藏
    for index in range(len(ascii_text_displace)):
        # 获取要隐藏的像素的RGB
        tmp_bound = lenna_png[bound_field[index][0],bound_field[index][1]]
        tmp_nor = lenna_png[nor_field[index][0],nor_field[index][1]]
        # print(bin(ascii_text_displace[index]).lstrip('0b').rjust(8,'0'))
        # 将每个像素点的RGB值余2，这样可以去掉最低位的值,从需要隐藏的信息中取出一位，转换为整型,两值相加，就把信息隐藏起来了
        # print('origin: ' + bin(tmp_bound[0]).lstrip('0b').rjust(8,'0'),bin(tmp_bound[1]).lstrip('0b').rjust(8,'0'),bin(tmp_bound[2]).lstrip('0b').rjust(8,'0'))
        # print('origin: ' + bin(tmp_nor[0]).lstrip('0b').rjust(8,'0'),bin(tmp_nor[1]).lstrip('0b').rjust(8,'0'),bin(tmp_nor[2]).lstrip('0b').rjust(8,'0'))
        # 边缘像素隐藏
        tmp_bound[0] = tmp_bound[0] - (tmp_bound[0] % 2) + (ascii_text_displace[index] >> 7)
        tmp_bound[1] = tmp_bound[1] - (tmp_bound[1] % 2) + ((ascii_text_displace[index] >> 6) & 0b01)
        tmp_bound[2] = tmp_bound[2] - (tmp_bound[2] % 4) + ((ascii_text_displace[index] >> 4) & 0b0011)

        # 非边缘像素隐藏
        tmp_nor[0] = tmp_nor[0] - (tmp_nor[0] % 2) + ((ascii_text_displace[index] >> 3) & 0b1)
        tmp_nor[1] = tmp_nor[1] - (tmp_nor[1] % 2) + ((ascii_text_displace[index] >> 2) & 0b01)
        tmp_nor[2] = tmp_nor[2] - (tmp_nor[2] % 4) + (ascii_text_displace[index] & 0b11)
        # print('change: ' + bin(tmp_bound[0]).lstrip('0b').rjust(8,'0'),bin(tmp_bound[1]).lstrip('0b').rjust(8,'0'),bin(tmp_bound[2]).lstrip('0b').rjust(8,'0'))
        # print('change: ' + bin(tmp_nor[0]).lstrip('0b').rjust(8,'0'),bin(tmp_nor[1]).lstrip('0b').rjust(8,'0'),bin(tmp_nor[2]).lstrip('0b').rjust(8,'0'))
        # print(tmp_bound, tmp_nor)

        # 将结果写回
        lenna_png[bound_field[index][0], bound_field[index][1]] = tmp_bound
        lenna_png[nor_field[index][0], nor_field[index][1]] = tmp_nor
        # print(lenna_png[bound_field[index][0], bound_field[index][1]])
        # print(lenna_png[nor_field[index][0], nor_field[index][1]])

    # 生成新的图像
    lenna_hide = cv2.cvtColor(lenna_png, cv2.COLOR_RGB2BGR)
    cv2.imwrite(stego_imgname, lenna_hide)
water_mark(lenna_png, ascii_text_displace, bound_field, nor_field)

解密exp

import pickle
import cv2
import random
import numpy as np
from PIL import Image


######################## patameter_change ############################################################
extract_imgname = 'hide.png'
canny_imgname = 'pkl/bound.pkl'
random_seed = 555111333444999000666777222888


######################## permutation matrix ##########################################################
key_table = [3, 5, 7, 0,
             6, 2, 4, 1]


######################## canny 边缘检测 ###############################################################
def find_bound(filename='pkl/bound.pkl'):
    """
    找边缘像素
    """
    f = open(filename, 'rb')
    bound = pickle.load(f)
    return bound

lenna = cv2.imread(extract_imgname)
# 转换通道
lenna_png = cv2.cvtColor(lenna, cv2.COLOR_BGR2RGB)

# 存储边缘像素的文件
bound = find_bound(canny_imgname)
# print(bound)

# 获取边缘像素所在的所有横坐标
bound_x = [i[0] for i in bound]
bound_y = [i[1] for i in bound]
bound_x = list(set(bound_x))
bound_y = list(set(bound_y))
# print(len(bound_x))
# print(len(bound_y))

# 隐藏长度的位置
hide_len_pixel = [[lenna_png.shape[0]-1,lenna_png.shape[1]-1],[lenna_png.shape[0]-1,lenna_png.shape[1]-2],
                  [lenna_png.shape[0]-1,lenna_png.shape[1]-3], [lenna_png.shape[0]-1,lenna_png.shape[1]-4]]


######################## len_extract  #########################################################
def len_extract(lenna_png):
    """
    将信息长度隐藏到图像中
    """
    global hide_len_pixel
    text_len = ''
    for index in range(len(hide_len_pixel)):
        tmp_pixel = lenna_png[hide_len_pixel[index][0], hide_len_pixel[index][1]]
        text_len += bin(tmp_pixel[0])[-1:] + bin(tmp_pixel[1])[-1:] + bin(tmp_pixel[2])[-2:]
    # print(int(text_len, 2))
    return int(text_len, 2)

######################## PRNG  ###############################################################
def PRNG(bound, bound_x, bound_y, textlen, col):
    """
    每轮随机选择一个边缘像素和一个非边缘像素作为一对像素进行隐写
    """
    global random_seed
    # 设定随机数发生器种子
    random.seed(random_seed)

    # 信息长度
    # text_len = 340
    # 两个列表分别存储选取的像素
    bound_field = []
    nor_field = []
    # 选择边缘像素进行提取、需要去重！！！
    for i in range(textlen):
        x_flag = 1
        while x_flag:
            x = random.choice(bound_x)
            x_flag = 0
            y = random.choice(bound_y)
            tmp_y = y
            # 如果是边缘像素并且未被选取
            if [x, y] in bound and [x, y] not in bound_field and [x, y] not in hide_len_pixel:
                bound_field.append([x, y])
                break
            else:
                bound_y_i = bound_y.index(y)
                bound_y_len = len(bound_y)
                while True:
                    # 随机选取后做线性操作
                    bound_y_i = (bound_y_i + 1) % bound_y_len
                    y = bound_y[bound_y_i]
                    # y = (y + 1) % col
                    if y == tmp_y:
                        x_flag = 1
                        bound_x.remove(x)
                        break
                    if [x, y] in bound and [x, y] not in bound_field and [x, y] not in hide_len_pixel:
                        bound_field.append([x, y])
                        break
    # 选择非边缘像素进行提取、需要去重！！！
    for i in range(text_len):
        x_flag = 1
        while x_flag:
            x = random.randint(0, col-1)
            y = random.randint(0, col-1)
            tmp_y = y
            # 如果是非边缘像素并且未被选取
            if [x, y] not in bound and [x, y] not in nor_field and [x, y] not in hide_len_pixel:
                nor_field.append([x, y])
                break
            else:
                while True:
                    # 随机选取后做线性操作
                    y = (y + 1) % col
                    if y == tmp_y:
                        continue
                    if [x, y] not in bound and [x, y] not in nor_field and [x, y] not in hide_len_pixel:
                        nor_field.append([x, y])
                        x_flag = 0
                        break
    return bound_field, nor_field

text_len= len_extract(lenna_png)
# print(text_len)
bound_field, nor_field = PRNG(bound, bound_x, bound_y, text_len, lenna_png.shape[1])
# print(bound_field)
# print(nor_field)
# print(len(bound_field),len(nor_field))


######################## data_extract  ##########################################################
def data_extract(lenna_png, bound_field, nor_field):
    """
    从相应的一对像素提取信息
    """
    cry_str = []
    for index in range(len(bound_field)):
        # 获取有隐藏信息的像素的RGB
        tmp_bound = lenna_png[bound_field[index][0], bound_field[index][1]]
        tmp_nor = lenna_png[nor_field[index][0], nor_field[index][1]]
        # print(tmp_bound,tmp_nor)
        # print(bin(tmp_bound[0])[-1:], bin(tmp_bound[1])[-1:], bin(tmp_bound[2])[-2:])
        # 提取信息
        tmp_text = bin(tmp_bound[0])[-1:] + bin(tmp_bound[1])[-1:] + bin(tmp_bound[2])[-2:]
        tmp_text = tmp_text + bin(tmp_nor[0])[-1:] + bin(tmp_nor[1])[-1:] + bin(tmp_nor[2])[-2:]
        cry_str.append(tmp_text)
    return cry_str

cry_str = data_extract(lenna_png, bound_field, nor_field)
# print(cry_str)


######################## data_restore  ##########################################################
def data_restore(cry_str):
    """
    将提取的信息进行置换得到原始信息
    """
    global key_table
    cry_text = []
    # 还原明文
    k = 0
    for i in cry_str:
        result = ''
        for j in range(8):
            result = result + i[key_table.index(j)]
        # cry_text.append(chr(int(result, 2)))
        cry_text.append(chr(int(result, 2)))
    return cry_text

# 如果是字符串直接合并打印，如果是图像则显示图像
cry_text = data_restore(cry_str)
print(''.join(cry_text))

最后flag为

flag{m1sc_rev_1s_excited_???}

zero_width

零宽隐写

最后flag为

flag{98055234-e9e1-4c76-b1b0-fedb03d523ce}