BUUCTF Misc Challenge Collection

Brief notes on the misc challenges I worked through a long time ago.

0. MISC knowledge map

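I. 面具下的flag (The Flag Behind the Mask): misc, ZIP pseudo-encryption

1. Challenge

2. Solution

binwalk -Me ./mjanju.jpg yields a picture.
Search directly for 50 4b 01 02 (the ZIP central directory file header signature).
At the fifth byte after it, change 09 00 to 00 00 (this is the general-purpose bit flag; its lowest bit marks the entry as encrypted).
This yields a vmdk file.
Install 7z:
sudo apt install p7zip-full # install the full package, not just p7zip
7z x flag.vmdk -o./flag # note: no space between -o and the output path; extracts into the flag folder (created automatically if it does not exist)
Then run the Brainfuck/Ook! code on an online interpreter site.
Result: flag{N7F5_AD5_i5_funny!}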
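Added example (not part of the original notes): the same fix done in Python instead of a hex editor. It walks the central directory, reports entries whose central header claims encryption while the local header does not, and clears only bit 0 of the flag; the sample archive is constructed in memory and the function names are illustrative.

```python
import io
import struct
import zipfile

CEN_SIG = b"PK\x01\x02"  # 50 4b 01 02, central directory file header

def entries(data):
    """Yield (cd_pos, name, cd_flags, local_flags) for every member."""
    eocd = data.rfind(b"PK\x05\x06")  # end-of-central-directory record
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _size, pos = struct.unpack_from("<HLL", data, eocd + 10)
    for _ in range(count):
        if data[pos:pos + 4] != CEN_SIG:
            raise ValueError("bad central directory header")
        cd_flags, = struct.unpack_from("<H", data, pos + 8)
        nlen, xlen, clen = struct.unpack_from("<3H", data, pos + 28)
        local, = struct.unpack_from("<L", data, pos + 42)
        local_flags, = struct.unpack_from("<H", data, local + 6)
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        yield pos, name, cd_flags, local_flags
        pos += 46 + nlen + xlen + clen

def clear_fake_encryption(data):
    """Clear bit 0 where only the central directory claims encryption."""
    out, fixed = bytearray(data), []
    for pos, name, cd_flags, local_flags in entries(data):
        if cd_flags & 1 and not local_flags & 1:
            struct.pack_into("<H", out, pos + 8, cd_flags & 0xFFFE)
            fixed.append(name)
    return bytes(out), fixed

def build_sample():
    """Constructed sample: a plain ZIP whose central flag bit 0 is then set."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("flag.txt", "constructed sample\n")
    data = bytearray(buf.getvalue())
    pos = data.rfind(CEN_SIG)
    flags, = struct.unpack_from("<H", data, pos + 8)
    struct.pack_into("<H", data, pos + 8, flags | 1)
    return bytes(data)

if __name__ == "__main__":
    repaired, names = clear_fake_encryption(build_sample())
    print(names, zipfile.ZipFile(io.BytesIO(repaired)).read("flag.txt"))
```

An archive that is really encrypted has bit 0 set in both headers, so it is left untouched.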
 

II. 九连环 (Nine Linked Rings)

1. binwalk extraction yields:

2. Use the Steghide tool to get the encryption password

steghide extract -sf ./good-已合并.jpg
Get the flag: flag{1RTo8w@&4nK@z*XL}

III. 被劫持的神秘礼物 (The Hijacked Mystery Gift)

Follow the HTTP stream.
flag{1d240aafe21a86afc11f38a45b541a49}

IV. [ACTF新生赛2020]outguess (ACTF Freshman CTF 2020)

Core Socialist Values encoder (社会主义核心价值观编码器):
Install: sudo apt-get install outguess
outguess -k 'abc' -r ./mmm.jpg ./flag
Get the flag:
ACTF{gue33_Gu3Ss!2020}
 

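V. 谁赢了比赛 (Who Won the Match)

1. binwalk

2. Brute-force the password with ARCHPR

3. Use Stegsolve to find frame 310

Save this frame, open it, and keep stepping right until Red plane 0:

4. Download QR Research and get the flag

flag{shanxiajingwu_won_the_game}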
 

VI. [WUSTCTF2020]find_me

1. Download exiftool

sudo apt-get install exiftool
Alternatively, view the file properties.

2. Decode the Braille with an online decoder

wctf2020{y$0$u_f$1$n$d$_M$e$e$e$e$e}
 

VII. [SWPU2019]我有一只马里奥 (I Have a Mario)

1. Data hidden in an NTFS stream

2. Display the stream

The command is: notepad .\1.txt:flag.txt
swupctf{ddg_is_cute}

P.S.: data can be hidden this way.
 

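VIII. [ACTF新生赛2020]明文攻击 (Known-Plaintext Attack)

1. Background

ZIP file format:
That is, in the file data area, offset 30 (0x1e) should hold the name of the file inside the archive.
Similarly:

2. The hidden zip

Since the challenge is called known-plaintext attack, guess that the photo contains a zip.
We can see that 0x1e bytes before flag.txt there is no 50 4B 03 04 signature.
Patch it in by hand:
Running binwalk again yields:

3. Known-plaintext attack

Compress the flag.txt that binwalk extracted into a zip file, then run the known-plaintext attack.
flag{3te9_nbb_ahh8}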
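Added example, not from the original notes: the manual patch from step 2 written as Python. It finds the file name, steps back 0x1e bytes, checks that the name-length field at header offset 26 agrees, and writes 50 4B 03 04 back; the carrier bytes and the archive are constructed in memory and the function names are illustrative.

```python
import io
import struct
import zipfile

LOC_SIG = b"PK\x03\x04"  # 50 4B 03 04, local file header
CEN_SIG = b"PK\x01\x02"  # central directory header; its name field sits 46 bytes in
NAME_OFF = 0x1E          # the file name starts 30 bytes into a local header

def repair_local_signature(blob, name):
    """Restore LOC_SIG in front of every local header that stores `name`."""
    out, repaired, hit = bytearray(blob), [], blob.find(name)
    while hit != -1:
        hdr = hit - NAME_OFF
        in_central = hit >= 46 and blob[hit - 46:hit - 42] == CEN_SIG
        if hdr >= 0 and not in_central:
            # The name-length field at header offset 26 must agree with the name.
            nlen, = struct.unpack_from("<H", blob, hdr + 26)
            if nlen == len(name) and blob[hdr:hdr + 4] != LOC_SIG:
                out[hdr:hdr + 4] = LOC_SIG
                repaired.append(hdr)
        hit = blob.find(name, hit + 1)
    return bytes(out), repaired

def build_sample():
    """Constructed sample: carrier bytes followed by a ZIP with a wiped signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("flag.txt", "constructed sample\n")
    archive = bytearray(buf.getvalue())
    archive[0:4] = b"\x00" * 4  # the missing signature the write-up describes
    return b"\xff\xd8\xff\xe0" + b"J" * 32 + bytes(archive)

if __name__ == "__main__":
    fixed, offsets = repair_local_signature(build_sample(), b"flag.txt")
    print([hex(o) for o in offsets])
    print(zipfile.ZipFile(io.BytesIO(fixed)).read("flag.txt"))
```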

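IX. [MRCTF2020]Hello_ misc

1. Stegsolve shows an image in the red channel

The resulting image gives:
!@#$%67*()-+

2. Run binwalk on try to restore it.png

This yields an archive; the password is !@#$%67*()-+
Extract it:

# Each line of out.txt is a decimal value; only the bits above its low six carry data.
with open('out.txt', 'r') as Dec:
    res = ''
    for i in Dec.readlines():
        Bin = '{:08b}'.format(int(i))
        print(Bin)
        Sub_Bin = Bin[:-6]  # drop the six low bits, keep the leading two
        res += Sub_Bin
print(res)

# Regroup the collected bits into bytes and print them as ASCII.
for j in range(0, len(res), 8):
    full_bin = res[j:j+8]
    print(chr(int(full_bin, 2)), end="")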
rar-passwd:0ac1fe6b77be5dbe

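3. The doc file

After extraction the doc file looks like this:
Simply rename it to fffflag.doc

4. Select all and set the font color to black

5. Base64-decode line by line

flag{He1Lo_mi5c~}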
 

X. WUSTCTF2020-spaceclub

Open the file in 010 Editor
or in Sublime.
The length of each line (long or short) corresponds to one binary bit.
Get the flag:
wctf2020{h3re_1s_y0ur_fl@g_s1x_s1x_s1x}

 

XI. [UTCTF2020]zero

Zero-width character steganography
utflag{whyNOT@sc11_4927aajbqk14}
 

XII. [GKCTF 2021]签到 (Sign-in)

Export the HTTP stream with Wireshark.
Base64-decode => reverse each line => Base64-decode
cip = ["wIDIgACIgACIgAyIK0wIjMyIjMyIjMyIjMyIjMyIjMyIjMyIjMyIjMyIjMyIjMyIjMyIjMiCNoQD",
"jMyIjMyIjMyIjMyIjMyIjMyIjMyIjMyIjMyIjoQDjACIgACIgACIggDM6EDM6AjMgAzMtMDMtEjM",
"t0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0iCNMyIjMyIjMyIjMyI",
"6AjMgAzMtMDMtEjMwIjO0eZ62ep5K0wKrQWYwVGdv5EItAiM1Aydl5mK6M6jlfpqnrQDt0SLt0SL",
"t0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLt0SLK0AIdZavo75mlvlCNMTM6EDM",
"z0yMw0SMyAjM6Q7lpb7lmrQDrsCZhBXZ09mTg0CIyUDI3VmbqozoPW+lqeuCN0SLt0SLt0SLt0SL",
"sxWZld1V913e7d2ZhFGbsZmZg0lp9iunbW+Wg0lp9iunbW+Wg0lp9iunbW+WK0wMxoTMwoDMyACM",
"DN0QDN0QDlWazNXMx0Wbf9lRGRDNDN0ard0Rf9VZl1WbwADIdRampDKilvFIdRampDKilvVKpM2Y",
"==QIhM0QDN0Q"]
import base64

# Reverse every line of the first decoding result, join the lines, then Base64-decode again.
c = ""
for i in range(len(cip)):
    c += (cip[i])[::-1]

print(c)
m = base64.b64decode(c)
print(m.decode())
Output:
#######################################
#         2021-03-30 20:01:08         #
#######################################
--------------------------------------------------
窗口:*new 52 - Notepad++
时间:2021-03-30 20:01:13
[回车]
--------------------------------------------------
窗口:*new 52 - Notepad++
时间:2021-03-30 20:01:13
[回车] [回车] [回车] ffllaagg{{}}WWeellcc))[删除] [删除] 00mmee__GGkkCC44FF__mm11ssiiCCCCCCCCCCCC!!
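Collapse every pair of consecutive repeated characters into one ([回车] is Enter and [删除] is Delete in the log):
Get the flag:
flag{Welc0me_GkC4F_m1siCCCCCC!}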
 

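XIII. [ACTF新生赛2020]music

Compare the file against the audio file format.
Guess that the file has been XOR-encrypted.
Use 010 Editor to XOR-decrypt it.
The XOR value is 0xa1.
Result:
Then listen to the audio to get:
abcdfghijk
The flag is:
flag{abcdfghijk}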

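XIV. [MRCTF2020]Unravel!!

1. Following the hint in the file name, find a Base64 string:

U2FsdGVkX1/nSQN+hoHL8OwV9iJB/mSdKk5dmusulz4=

2. Run binwalk on the image

Result:
AES decryption gives:

CCGandGulu
This is salted Base64 plus AES; no need to worry about it.
Decrypt with SilentEye to get the flag.
flag{Th1s_is_the_3nd1n9}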
 

XV. 二维码 (QR Code)

I don't really know how to do this one.
 

XVI. [CFI-CTF 2018]webLogon capture

flag{1ns3cur3_l0g0n}
Solved instantly.
 

XVII. Beautiful_Side

1. Extract with foremost

2. Complete the QR code with an online tool

 

XVIII. [GUET-CTF2019]soul sipse

1. Extract with Steghide, no passphrase

2. Repair the PNG

XIX. [UTCTF2020]spectogram

Obvious at a glance.
flag{sp3tr0gr4m0ph0n3}
 

XX. Business Planning Group

Opening the file in 010 Editor shows that it hides a bpg file.
Download this from https://bellard.org/bpg/:
Then view it:
.\bpgview.exe .\2.bpg
Base64-decoding gives:
flag{BPG_i5_b3tt3r_7h4n_JPG}
 

XXI. 湖南省赛Findme (Hunan Provincial CTF: Findme)

1. Fix the name

2. Fix the width and height

import zlib
import struct

file = r'C:\Users\Administrator\Desktop\LanCTF\misc刷题\22-[湖南省赛2019]Findme\Findme\1.png'
with open(file, 'rb') as f:
    fr = f.read()

# Bytes 12..28 are the IHDR chunk type plus its 13 data bytes: the span the CRC covers.
data = bytearray(fr[12:29])
# crc32key = int.from_bytes(fr[29:33], 'big')  # or read the stored CRC from the file
crc32key = 0xC4ED3
# data = bytearray(b'\x49\x48\x44\x52\x00\x00\x01\xF4\x00\x00\x01\xF1\x08\x06\x00\x00\x00')
n = 4095

def find_size():
    # Try every width/height pair until the IHDR CRC matches the stored value.
    for w in range(n):
        data[4:8] = struct.pack('>i', w)
        for h in range(n):
            data[8:12] = struct.pack('>i', h)
            if zlib.crc32(data) == crc32key:
                return data[4:8], data[8:12]
    return None

found = find_size()
if found:
    width, height = found
    print(width, height)
    print(data)
    # Write the recovered values back at file offsets 16 (width) and 20 (height).
    newpic = bytearray(fr)
    newpic[16:20] = width
    newpic[20:24] = height
    with open(file + '.png', 'wb') as fw:
        fw.write(newpic)
Result:

3. Use Stegsolve to find a QR code in the Blue 2 plane

That is: ZmxhZ3s0X3

4. 2.png

Although it carries 7z markers, its structure is nothing like a 7z archive and looks like a zip instead, so we try replacing every 7z in it with PK.
The script:
file = r'C:\Users\Administrator\Desktop\LanCTF\misc刷题\22-[湖南省赛2019]Findme\Findme\2.png'
file_new = r'C:\Users\Administrator\Desktop\LanCTF\misc刷题\22-[湖南省赛2019]Findme\Findme\ttt.zip'
with open(file, "rb") as fp:
    data = fp.read()

# Keep the data from offset 0x18fc9 onward, then turn every "7z" (37 7a) into "PK" (50 4b).
data = data[0x18fc9:]
data = data.replace(b"\x37\x7a", b"\x50\x4b")

with open(file_new, "wb") as fp:
    fp.write(data)
This gives:
In 618.txt we find:
1RVcmVfc

5. 3.png

The CRC values look suspicious.
Extracting them gives:
3RlZ30=

6. 4.png

cExlX1BsY

7. 5.png

Yzcllfc0lN

8. Get the flag

Concatenate the pieces in the order 15423:
ZmxhZ3s0X3Yzcllfc0lNcExlX1BsY1RVcmVfc3RlZ30=
flag{4_v3rY_sIMpLe_PlcTUre_steg}
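Added example (not the author's script): a PNG chunk walker that recomputes every chunk CRC, which surfaces both the stale IHDR CRC behind step 2 and odd CRC fields like the ones noticed in step 5. The 2x2 image and the b"demo" CRC value are constructed, and the function names are illustrative.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def chunk(ctype, body):
    """Serialize one chunk: length, type, body, CRC32 over type + body."""
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def walk_chunks(png):
    """Return [(type, offset, stored_crc_bytes, computed_crc)] for each chunk."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, found = 8, []
    while pos + 12 <= len(png):
        length, ctype = struct.unpack_from(">I4s", png, pos)
        end = pos + 8 + length
        if end + 4 > len(png):
            raise ValueError("chunk at %d runs past end of file" % pos)
        computed = zlib.crc32(png[pos + 4:end])
        found.append((ctype.decode("latin-1"), pos, png[end:end + 4], computed))
        pos = end + 4
    return found

def mismatches(png):
    """Chunks whose stored CRC differs from the recomputed one."""
    return [(t, stored) for t, _pos, stored, crc in walk_chunks(png)
            if stored != struct.pack(">I", crc)]

def build_samples():
    """Constructed 2x2 greyscale PNG, plus a copy with two tampered fields."""
    ihdr = struct.pack(">IIBBBBB", 2, 2, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x10\x20" * 2)  # filter byte + 2 pixels per row
    good = PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")
    bad = bytearray(good)
    struct.pack_into(">I", bad, 20, 1)  # height at file offset 20, CRC left stale
    crc_at = 33 + 8 + len(idat)         # CRC field of the IDAT chunk
    bad[crc_at:crc_at + 4] = b"demo"    # constructed text stored where a CRC belongs
    return good, bytes(bad)

if __name__ == "__main__":
    good, bad = build_samples()
    print(mismatches(good), mismatches(bad))
```

An IHDR mismatch points at edited dimensions; mismatches in other chunks whose stored bytes are printable are worth reading as text.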

XXII. [ACTF新生赛2020]剑龙 (Stegosaurus)

1. Decode the kaomoji (emoticon) text

welcom3!

2. Steganography in hh.jpg

steghide extract -sf ./hh.jpg
The key is welcom3!
Result:
U2FsdGVkX1/7KeHVl5984OsGUVSanPfPednHpK9lKvp0kdrxO4Tj/Q==

3. DES decryption

https://www.sojson.com/encrypt_des.html

think about stegosaurus

4. Use stegosaurus from GitHub

python3 stegosaurus.py -x O_O.pyc
Get the flag:
flag{3teg0Sauru3_!1}
 

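XXIII. 我爱Linux (I Love Linux)

1. Change the signature

Not much use.

2. Dump the redundant field

3. Identify it with the file identification tool TrID

Note: download both the executable and the data.

4. Identification

Python pickle serialized data

5. Convert with a script

import pickle

# Load the pickled object and write its text form to result.txt.
with open("2.tlsn", "rb") as fp:
    a = pickle.load(fp)
with open('result.txt', 'w') as fw:
    fw.write(str(a))
This gives a pile of coordinates:
Convert them with a script: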
flag = [
    [(3, 'm'), (4, '"'), (5, '"'), (8, '"'), (9, '"'), (10, '#'), (31, 'm'), (32, '"'), (33, '"'), (44, 'm'), (45, 'm'),
     (46, 'm'), (47, 'm'), (50, 'm'), (51, 'm'), (52, 'm'), (53, 'm'), (54, 'm'), (55, 'm'), (58, 'm'), (59, 'm'),
     (60, 'm'), (61, 'm'), (66, 'm'), (67, '"'), (68, '"'), (75, '#')],
    [(1, 'm'), (2, 'm'), (3, '#'), (4, 'm'), (5, 'm'), (10, '#'), (16, 'm'), (17, 'm'), (18, 'm'), (23, 'm'), (24, 'm'),
     (25, 'm'), (26, 'm'), (31, '#'), (37, 'm'), (38, 'm'), (39, 'm'), (43, '"'), (47, '"'), (48, '#'), (54, '#'),
     (55, '"'), (57, '"'), (61, '"'), (62, '#'), (64, 'm'), (65, 'm'), (66, '#'), (67, 'm'), (68, 'm'), (72, 'm'),
     (73, 'm'), (74, 'm'), (75, '#')],
    [(3, '#'), (10, '#'), (15, '"'), (19, '#'), (22, '#'), (23, '"'), (25, '"'), (26, '#'), (29, 'm'), (30, 'm'),
     (31, '"'), (36, '"'), (40, '#'), (47, 'm'), (48, '"'), (53, 'm'), (54, '"'), (59, 'm'), (60, 'm'), (61, 'm'),
     (62, '"'), (66, '#'), (71, '#'), (72, '"'), (74, '"'), (75, '#')],
    [(3, '#'), (10, '#'), (15, 'm'), (16, '"'), (17, '"'), (18, '"'), (19, '#'), (22, '#'), (26, '#'), (31, '#'),
     (36, 'm'), (37, '"'), (38, '"'), (39, '"'), (40, '#'), (45, 'm'), (46, '"'), (52, 'm'), (53, '"'), (61, '"'),
     (62, '#'), (66, '#'), (71, '#'), (75, '#')],
    [(3, '#'), (10, '"'), (11, 'm'), (12, 'm'), (15, '"'), (16, 'm'), (17, 'm'), (18, '"'), (19, '#'), (22, '"'),
     (23, '#'), (24, 'm'), (25, '"'), (26, '#'), (31, '#'), (36, '"'), (37, 'm'), (38, 'm'), (39, '"'), (40, '#'),
     (43, 'm'), (44, '#'), (45, 'm'), (46, 'm'), (47, 'm'), (48, 'm'), (51, 'm'), (52, '"'), (57, '"'), (58, 'm'),
     (59, 'm'), (60, 'm'), (61, '#'), (62, '"'), (66, '#'), (71, '"'), (72, '#'), (73, 'm'), (74, '#'), (75, '#')],
    [(23, 'm'), (26, '#'), (32, '"'), (33, '"')], [(24, '"'), (25, '"')], [],
    [(12, '#'), (17, 'm'), (18, '"'), (19, '"'), (23, 'm'), (24, 'm'), (25, 'm'), (26, 'm'), (33, '#'), (36, 'm'),
     (37, 'm'), (38, 'm'), (39, 'm'), (40, 'm'), (41, 'm'), (46, 'm'), (47, 'm'), (52, 'm'), (53, 'm'), (54, 'm'),
     (65, 'm'), (66, 'm'), (67, 'm'), (68, 'm'), (71, 'm'), (72, 'm'), (73, 'm'), (74, 'm'), (75, 'm'), (76, 'm')],
    [(2, 'm'), (3, 'm'), (4, 'm'), (9, 'm'), (10, 'm'), (11, 'm'), (12, '#'), (15, 'm'), (16, 'm'), (17, '#'),
     (18, 'm'), (19, 'm'), (22, '"'), (26, '"'), (27, '#'), (30, 'm'), (31, 'm'), (32, 'm'), (33, '#'), (40, '#'),
     (41, '"'), (45, 'm'), (46, '"'), (47, '#'), (50, 'm'), (51, '"'), (55, '"'), (58, 'm'), (59, 'm'), (60, 'm'),
     (64, '#'), (65, '"'), (68, '"'), (69, 'm'), (75, '#'), (76, '"')],
    [(1, '#'), (2, '"'), (5, '#'), (8, '#'), (9, '"'), (11, '"'), (12, '#'), (17, '#'), (24, 'm'), (25, 'm'), (26, 'm'),
     (27, '"'), (29, '#'), (30, '"'), (32, '"'), (33, '#'), (39, 'm'), (40, '"'), (44, '#'), (45, '"'), (47, '#'),
     (50, '#'), (51, 'm'), (52, '"'), (53, '"'), (54, '#'), (55, 'm'), (57, '#'), (58, '"'), (61, '#'), (64, '#'),
     (65, 'm'), (68, 'm'), (69, '#'), (74, 'm'), (75, '"')],
    [(1, '#'), (2, '"'), (3, '"'), (4, '"'), (5, '"'), (8, '#'), (12, '#'), (17, '#'), (26, '"'), (27, '#'), (29, '#'),
     (33, '#'), (38, 'm'), (39, '"'), (43, '#'), (44, 'm'), (45, 'm'), (46, 'm'), (47, '#'), (48, 'm'), (50, '#'),
     (55, '#'), (57, '#'), (58, '"'), (59, '"'), (60, '"'), (61, '"'), (65, '"'), (66, '"'), (67, '"'), (69, '#'),
     (73, 'm'), (74, '"')],
    [(1, '"'), (2, '#'), (3, 'm'), (4, 'm'), (5, '"'), (8, '"'), (9, '#'), (10, 'm'), (11, '#'), (12, '#'), (17, '#'),
     (22, '"'), (23, 'm'), (24, 'm'), (25, 'm'), (26, '#'), (27, '"'), (29, '"'), (30, '#'), (31, 'm'), (32, '#'),
     (33, '#'), (37, 'm'), (38, '"'), (47, '#'), (51, '#'), (52, 'm'), (53, 'm'), (54, '#'), (55, '"'), (57, '"'),
     (58, '#'), (59, 'm'), (60, 'm'), (61, '"'), (64, '"'), (65, 'm'), (66, 'm'), (67, 'm'), (68, '"'), (72, 'm'),
     (73, '"')], [], [], [],
    [(5, '#'), (8, '#'), (16, 'm'), (17, 'm'), (18, 'm'), (19, 'm'), (23, 'm'), (24, 'm'), (25, 'm'), (26, 'm'),
     (30, 'm'), (31, 'm'), (32, 'm'), (33, 'm'), (38, 'm'), (39, 'm'), (40, 'm'), (50, '#'), (57, '#'), (64, '#'),
     (71, 'm'), (72, 'm'), (73, 'm')],
    [(2, 'm'), (3, 'm'), (4, 'm'), (5, '#'), (8, '#'), (9, 'm'), (10, 'm'), (11, 'm'), (15, '#'), (16, '"'), (19, '"'),
     (20, 'm'), (22, 'm'), (23, '"'), (26, '"'), (27, 'm'), (29, '#'), (34, '#'), (36, 'm'), (37, '"'), (41, '"'),
     (44, 'm'), (45, 'm'), (46, 'm'), (50, '#'), (51, 'm'), (52, 'm'), (53, 'm'), (57, '#'), (58, 'm'), (59, 'm'),
     (60, 'm'), (64, '#'), (65, 'm'), (66, 'm'), (67, 'm'), (73, '#')],
    [(1, '#'), (2, '"'), (4, '"'), (5, '#'), (8, '#'), (9, '"'), (11, '"'), (12, '#'), (15, '#'), (16, 'm'), (19, 'm'),
     (20, '#'), (22, '#'), (25, 'm'), (27, '#'), (29, '"'), (30, 'm'), (31, 'm'), (32, 'm'), (33, 'm'), (34, '"'),
     (36, '#'), (37, 'm'), (38, '"'), (39, '"'), (40, '#'), (41, 'm'), (43, '#'), (44, '"'), (47, '#'), (50, '#'),
     (51, '"'), (53, '"'), (54, '#'), (57, '#'), (58, '"'), (60, '"'), (61, '#'), (64, '#'), (65, '"'), (67, '"'),
     (68, '#'), (73, '#')],
    [(1, '#'), (5, '#'), (8, '#'), (12, '#'), (16, '"'), (17, '"'), (18, '"'), (20, '#'), (22, '#'), (27, '#'),
     (29, '#'), (33, '"'), (34, '#'), (36, '#'), (41, '#'), (43, '#'), (44, '"'), (45, '"'), (46, '"'), (47, '"'),
     (50, '#'), (54, '#'), (57, '#'), (61, '#'), (64, '#'), (68, '#'), (73, '#')],
    [(1, '"'), (2, '#'), (3, 'm'), (4, '#'), (5, '#'), (8, '#'), (9, '#'), (10, 'm'), (11, '#'), (12, '"'), (15, '"'),
     (16, 'm'), (17, 'm'), (18, 'm'), (19, '"'), (23, '#'), (24, 'm'), (25, 'm'), (26, '#'), (29, '"'), (30, '#'),
     (31, 'm'), (32, 'm'), (33, 'm'), (34, '"'), (37, '#'), (38, 'm'), (39, 'm'), (40, '#'), (41, '"'), (43, '"'),
     (44, '#'), (45, 'm'), (46, 'm'), (47, '"'), (50, '#'), (51, '#'), (52, 'm'), (53, '#'), (54, '"'), (57, '#'),
     (58, '#'), (59, 'm'), (60, '#'), (61, '"'), (64, '#'), (65, '#'), (66, 'm'), (67, '#'), (68, '"'), (71, 'm'),
     (72, 'm'), (73, '#'), (74, 'm'), (75, 'm')], [], [], [],
    [(2, 'm'), (3, 'm'), (4, 'm'), (5, 'm'), (8, 'm'), (9, 'm'), (10, 'm'), (11, 'm'), (12, 'm'), (19, '#'), (24, 'm'),
     (25, 'm'), (26, 'm'), (29, '"'), (30, '"'), (31, 'm')],
    [(1, '#'), (2, '"'), (5, '"'), (6, 'm'), (8, '#'), (16, 'm'), (17, 'm'), (18, 'm'), (19, '#'), (22, 'm'), (23, '"'),
     (27, '"'), (31, '#')],
    [(1, '#'), (2, 'm'), (5, 'm'), (6, '#'), (8, '"'), (9, '"'), (10, '"'), (11, '"'), (12, 'm'), (13, 'm'), (15, '#'),
     (16, '"'), (18, '"'), (19, '#'), (22, '#'), (23, 'm'), (24, '"'), (25, '"'), (26, '#'), (27, 'm'), (31, '"'),
     (32, 'm'), (33, 'm')],
    [(2, '"'), (3, '"'), (4, '"'), (6, '#'), (13, '#'), (15, '#'), (19, '#'), (22, '#'), (27, '#'), (31, '#')],
    [(1, '"'), (2, 'm'), (3, 'm'), (4, 'm'), (5, '"'), (8, '"'), (9, 'm'), (10, 'm'), (11, 'm'), (12, '#'), (13, '"'),
     (15, '"'), (16, '#'), (17, 'm'), (18, '#'), (19, '#'), (23, '#'), (24, 'm'), (25, 'm'), (26, '#'), (27, '"'),
     (31, '#')], [(29, '"'), (30, '"')]]
WIDTH = 77  # column indexes in the data run up to 76
for data in flag:
    temp = [' '] * WIDTH
    if not data:
        print()
    # Place every (column, character) pair of this row, then print the row.
    for col, ch in data:
        temp[col] = ch
    print(''.join(temp))
Get the flag:
flag{a273fdedf3d746e97db9086ebbb195d6}
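Added example, not part of the original write-up: pickle.load in step 5 imports and calls whatever the stream names, so a file taken from a challenge is better inspected first. This lists the opcodes that import or call without executing them, then loads with an unpickler that refuses every global, which is enough for list-of-tuples data like the coordinates above; both sample pickles are constructed and the names are illustrative.

```python
import io
import pickle
import pickletools

# Opcodes that import names or call objects while a pickle is being loaded.
RISKY = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",
         "REDUCE", "BUILD"}

def risky_opcodes(blob):
    """List risky opcodes statically; nothing in the stream is executed."""
    return [op.name for op, _arg, _pos in pickletools.genops(blob)
            if op.name in RISKY]

class DataOnlyUnpickler(pickle.Unpickler):
    """Refuse every global lookup, so only built-in containers and scalars load."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError("blocked global %s.%s" % (module, name))

def safe_load(blob):
    return DataOnlyUnpickler(io.BytesIO(blob)).load()

class _CallsLen:
    """Constructed stand-in for a hostile object; it only asks for len()."""

    def __reduce__(self):
        return (len, ("constructed",))

def samples():
    """Constructed inputs: coordinate-style data and a pickle that calls a global."""
    benign = pickle.dumps([[(3, "m"), (4, '"')], [], [(24, '"')]])
    hostile = pickle.dumps(_CallsLen())
    return benign, hostile

if __name__ == "__main__":
    benign, hostile = samples()
    print(risky_opcodes(benign), safe_load(benign))
    print(risky_opcodes(hostile))
    try:
        safe_load(hostile)
    except pickle.UnpicklingError as exc:
        print("refused:", exc)
```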
 

XXIV. [MRCTF2020]摇滚DJ-建议大声播放 (Rock DJ: Play It Loud)

merak{r3ce1ved_4n_img}
 
posted @ 2023-07-30 16:53  TLSN