BUU MISC [INSHack2018](not) so deep 音频隐写

BUU MISC [INSHack2018](not) so deep

用Audacity打开wav文件,点击final_flag,选择频谱图,可以看到flag的前半部分INSA{Aud1o_st3G4n

image

用DeepSound打开wav,发现需要密码
image

通过deepsound2john.py脚本从wav文件中提取DeepSound头部里保存的密码hash值(输出为john可以直接读取的格式),代码如下。

#! python3
 
import logging
import os
import sys
import textwrap
 
def decode_data_low(buf):
  """Return every second byte of *buf*, starting with the first one."""
  # Even-indexed bytes are kept unchanged; odd-indexed bytes are dropped.
  every_other = slice(None, None, 2)
  return buf[every_other]
 
def decode_data_normal(buf):
  """Rebuild one byte from the low nibbles of each 4-byte group of *buf*.

  Within a group, byte 0 supplies the high nibble and byte 2 the low nibble;
  bytes 1 and 3 are never read. Returns a new bytearray.
  """
  decoded = bytearray()
  pos = 0
  while pos < len(buf):
    high_nibble = buf[pos] & 0x0F
    low_nibble = buf[pos + 2] & 0x0F
    decoded.append((high_nibble << 4) | low_nibble)
    pos += 4
  return decoded
 
def decode_data_high(buf):
  """Rebuild one byte from the low 2 bits of bytes 0, 2, 4, 6 of each 8-byte group.

  The four 2-bit fields are packed most-significant first; the odd-indexed
  bytes of a group are never read. Returns a new bytearray.
  """
  decoded = bytearray()
  for base in range(0, len(buf), 8):
    value = 0
    for step in (0, 2, 4, 6):
      # Shift the bits collected so far up and append the next 2-bit field.
      value = (value << 2) | (buf[base + step] & 3)
    decoded.append(value)
  return decoded
 
 
def is_magic(buf):
  """Report whether *buf* starts with the `DSCF` magic in nibble-encoded form.

  Only the low nibbles of the even-indexed bytes 0..14 are compared, which
  avoids decoding the whole buffer just to test for the header.
  """
  for index, char in enumerate(b'DSCF'):
    high_pos = 4 * index
    # High nibble of the character sits in the low 4 bits of byte 4*index ...
    if (buf[high_pos] & 15) != (char >> 4):
      return False
    # ... and its low nibble in the low 4 bits of the byte two positions on.
    if (buf[high_pos + 2] & 15) != (char & 15):
      return False
  return True
 
def is_wave(buf):
  """Report whether *buf* carries the `RIFF` tag at offset 0 and `WAVE` at offset 8."""
  riff_tag = buf[:4]
  wave_tag = buf[8:12]
  if riff_tag != b'RIFF':
    return False
  return wave_tag == b'WAVE'
 
 
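def process_deepsound_file(f):
  """Print a `name:$dynamic_1529$<hex>` line for one DeepSound carrier file.

  *f* is a binary file object with a `name` attribute. The file is checked
  for a RIFF/WAVE header, then scanned one byte at a time for the encoded
  `DSCF` magic. The 104-byte window at the match decodes to 26 bytes:
  4 magic bytes, the mode byte, the encryption flag and 20 digest bytes.

  Nothing is printed, and the function returns early, when the file is not
  a .wav file (this also sets the module-level `convert_warn` flag), when no
  header is found, when the mode byte is not 2, 4 or 8, or when the
  encryption flag is not 1.
  """
  global convert_warn
  bname = os.path.basename(f.name)
  logger = logging.getLogger(bname)

  # Check if it's a .wav file
  if not is_wave(f.read(12)):
    logger.error('file not in .wav format')
    convert_warn = True
    return
  f.seek(0, os.SEEK_SET)

  # Scan for the marker, sliding the window forward one byte per attempt.
  hdrsz = 104
  hdr = None
  while True:
    off = f.tell()
    buf = f.read(hdrsz)
    if len(buf) < hdrsz:
      # Fewer bytes left than a full header: nothing more to test.
      break
    if is_magic(buf):
      hdr = decode_data_normal(buf)
      logger.info('found DeepSound header at offset %i', off)
      break
    f.seek(-hdrsz + 1, os.SEEK_CUR)
  if hdr is None:
    logger.warning('does not appear to be a DeepSound file')
    return

  # Check some header fields
  mode = hdr[4]
  encrypted = hdr[5]
  modes = {2: 'low', 4: 'normal', 8: 'high'}
  if mode in modes:
    logger.info('data is encoded in %s-quality mode', modes[mode])
  else:
    # Log the raw byte: looking it up in `modes` here would raise KeyError,
    # because this branch is only reached when the key is absent.
    logger.error('unexpected data encoding mode %i', mode)
    return
  if encrypted == 0:
    logger.warning('file is not encrypted')
    return
  elif encrypted != 1:
    logger.error('unexpected encryption flag %i', encrypted)
    return

  # 20 bytes following the flag; the variable name suggests a SHA-1 digest.
  # NOTE(review): the printed value is enough for offline password guessing,
  # so the output file should be handled like any other credential hash.
  sha1 = hdr[6:6+20]
  print('%s:$dynamic_1529$%s' % (bname, sha1.hex()))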
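if __name__ == '__main__':
  # Command-line entry point: one or more carrier files, optional -v for
  # INFO-level logging. Each file yields at most one hash line on stdout.
  import argparse
  parser = argparse.ArgumentParser()
  parser.add_argument('--verbose', '-v', action='store_true')
  parser.add_argument('files', nargs='+', metavar='file',
    type=argparse.FileType('rb', bufsize=4096))
  args = parser.parse_args()
  logging.basicConfig(level=logging.INFO if args.verbose else logging.WARNING)
  convert_warn = False
  for f in args.files:
    # argparse opened every file up front; close each one once processed.
    with f:
      process_deepsound_file(f)
  if convert_warn:
    # The listing called textwrap.dedent.rstrip() with no text, which raises
    # AttributeError. The original message is not shown, so this wording is
    # a reconstruction of the "not a .wav file" notice.
    notice = textwrap.dedent('''
      ---------------------------------------------------------------
      Some files were not in .wav format. Convert them to .wav and
      try again.
      ---------------------------------------------------------------
      ''')
    print(notice.rstrip(), file=sys.stderr)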

并使用Kali的john工具来暴力破解该hash的原像(即原密码)

# Run the extractor on the carrier file; its stdout (one
# `name:$dynamic_1529$<hex>` line) is redirected into hash.txt.
python3 deepsound2john.py final_flag.wav > hash.txt
# Hand the hash file to John the Ripper with no extra options.
john hash.txt

可以看到原密码为azerty
image

将密码输入后就会显示隐藏文件flag2.txt,点击上面的Extract secret files进行提取,输出到我们设置的Output directory中

image

果然有flag的后半段
image
把两段拼接起来,并将前缀INSA换成flag,最终的flag就是flag{Aud1o_st3G4n0_1s_4lwayS_Th3_S4me}
