BUU MISC [INSHack2018](not) so deep 音频隐写

BUU MISC [INSHack2018](not) so deep

用Audacity打开wav文件，点击final_flag，选择频谱图，可以看到flag的前半部分INSA{Aud1o_st3G4n

用DeepSound打开wav，发现需要密码

通过deepsound2john.py脚本来获得密码的hash值，代码如下。

#! python3
 
import logging
import os
import sys
import textwrap
 
def decode_data_low(buf):
  return buf[::2]
 
def decode_data_normal(buf):
  out = bytearray()
  for i in range(0, len(buf), 4):
    out.append((buf[i] & 15) << 4 | (buf[i + 2] & 15))
  return out
 
def decode_data_high(buf):
  out = bytearray()
  for i in range(0, len(buf), 8):
    out.append((buf[i] & 3) << 6     | (buf[i + 2] & 3) << 4 \
             | (buf[i + 4] & 3) << 2 | (buf[i + 6] & 3))
  return out
 
 
def is_magic(buf):
  # This is a more efficient way of testing for the `DSCF` magic header without
  # decoding the whole buffer
  return (buf[0] & 15)  == (68 >> 4) and (buf[2]  & 15) == (68 & 15) \
     and (buf[4] & 15)  == (83 >> 4) and (buf[6]  & 15) == (83 & 15) \
     and (buf[8] & 15)  == (67 >> 4) and (buf[10] & 15) == (67 & 15) \
     and (buf[12] & 15) == (70 >> 4) and (buf[14] & 15) == (70 & 15)
 
def is_wave(buf):
  return buf[0:4] == b'RIFF' and buf[8:12] == b'WAVE'
 
 
def process_deepsound_file(f):
  bname = os.path.basename(f.name)
  logger = logging.getLogger(bname)
 
  # Check if it's a .wav file
  buf = f.read(12)
  if not is_wave(buf):
    global convert_warn
    logger.error('file not in .wav format')
    convert_warn = True
    return
  f.seek(0, os.SEEK_SET)
  # Scan for the marker...
  hdrsz = 104
  hdr = None
  while True:
    off = f.tell()
    buf = f.read(hdrsz)
    if len(buf) < hdrsz: break
    if is_magic(buf):
          hdr = decode_data_normal(buf)
          logger.info('found DeepSound header at offset %i', off)
          break
    f.seek(-hdrsz + 1, os.SEEK_CUR)
  if hdr is None:
    logger.warn('does not appear to be a DeepSound file')
    return
  # Check some header fields
  mode = hdr[4]
  encrypted = hdr[5]
  modes = {2: 'low', 4: 'normal', 8: 'high'}
  if mode in modes:
    logger.info('data is encoded in %s-quality mode', modes[mode])
  else:
    logger.error('unexpected data encoding mode %i', modes[mode])
    return
  if encrypted == 0:
    logger.warn('file is not encrypted')
    return
  elif encrypted != 1:
    logger.error('unexpected encryption flag %i', encrypted)
    return
  sha1 = hdr[6:6+20]
  print('%s:$dynamic_1529$%s' % (bname, sha1.hex()))
if __name__ == '__main__':
  import argparse
  parser = argparse.ArgumentParser()
  parser.add_argument('--verbose', '-v', action='store_true')
  parser.add_argument('files', nargs='+', metavar='file',
    type=argparse.FileType('rb', bufsize=4096))
  args = parser.parse_args()
  if args.verbose:
    logging.basicConfig(level=logging.INFO)
  else:
    logging.basicConfig(level=logging.WARN)
  convert_warn = False
  for f in args.files:
    process_deepsound_file(f)
  if convert_warn:
    print(textwrap.dedent.rstrip(), file=sys.stderr)

并使用Kali的john工具来暴力破解原相

python3 deepsound2john.py final_flag.wav > hash.txt
john hash.txt

可以看到原密码为azerty

将密码输入后就会显示隐藏文件flag2.txt，点击上面的Extract secret files进行提取，输出到我们设置的Output directory中

果然有flag的后半段

flag就是flag{Aud1o_st3G4n0_1s_4lwayS_Th3_S4me}