
CTF exercise

2022-07-07 22:51:00 pipasound

reverseMe

what-is-this

Change the suffix to .zip and keep decompressing.
Use the Image Combiner function of the StegSolve tool to combine the two pictures and get the flag.

red-green


pure_color


Aesop_secret

This problem involves splitting an animated GIF into frames and AES decryption (it needs to be decrypted twice).
AES is a symmetric cipher, so decryption requires the key.
1. Analyze the picture on a GIF frame-analysis website.
Get the key: ISCC
2. Then open the file in 010 Editor; there is Base64 code at the end.
Decrypt it on an AES encryption/decryption website.

Inverted house


a_good_idea

First split the file to get two pictures.
Combine them with the image combiner.
The result is black and red, which means the contrast between pixels plays the decisive role.

Adjust the exposure
Save the picture first, then open it in Photoshop and choose Adjustments -> Exposure on the right panel:
At maximum exposure, a QR code appears.

2017_Dating_in_Singapore


simple-transfer

Separate (extract) the files from the pcap.
Open the result with Notepad++.

hit-the-core

We found that the capital letters spell XCTF and that there are exactly four letters between each of them. Extract them with Python to get the flag.

num='cvqAeqacLtqazEigwiXobxrCrtuiTzahfFreqc{bnjrKwgk83kgd43j85ePgb_e_rwqr7fvbmHjklo3tews_hmkogooyf0vbnk0ii87Drfgh_n kiwutfb0ghk9ro987k5tfb_hjiouo087ptfcv}'
flag=''
for i in range (3,len(num),5):
    # Index 0 is the first character; start at index 3 and step by 5 to land on each hidden letter
    flag+=num[i]
print(flag)

Ditf

Increase the height of the picture to reveal the password.
Extract the traffic capture embedded in the picture.
Searching the capture for flag finds nothing, so try searching for png, jpg and zip. This yields Base64 code, which decodes to the flag.

gif

x=[0b01100110, 0b01101100, 0b01100001, 0b01100111, 0b01111011, 0b01000110, 0b01110101, 0b01001110, 0b01011111, 0b01100111, 0b01101001, 0b01000110, 0b01111101]
b="";
for a in x:
    b+=chr(a);
print(b)

ext3

Understanding mount
Install mount

sudo apt-get install mount
mkdir ctf   # create a new directory ctf
mount f1fc23f5c743425d9e0073887c846d23 ctf/   # the middle argument is the attachment name; mount it on this directory
find / -name flag.txt     # search for flag.txt from the root directory, i.e. the whole disk
find ctf -name flag.txt   # search in the ctf directory
find . -name flag.txt     # search in the current directory
umount -f f1fc23f5c743425d9e0073887c846d23   # unmount

simpleRAR

article

base64stego

Base64 steganography

import base64

# The 64 Base64 characters
b64chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'

with open('C:\\Users\\ Han \\Desktop\\stego.txt', 'rb') as f:  # 'rb': read as binary
    bin_str = ""
    flag = ""
    for line in f.readlines():  # read every line

        # Convert to str (UTF-8) and strip the trailing line break
        stegb64 = str(line, "utf-8").strip("\n")

        # Decode and re-encode to get the Base64 text as it was before steganography
        rowb64 = str(base64.b64encode(base64.b64decode(stegb64)), "utf-8").strip("\n")

        # The two encodings differ only in their last data character: Base64 steganography
        # stores part of the hidden data in the bits that are discarded during decoding.
        # We need to collect those discarded bits, join them and convert them back to a string.

        # The difference between the indexes of the last data character of each encoding
        # is the value hidden in this line
        offset = abs(b64chars.index(stegb64.replace('=', '')[-1]) - b64chars.index(rowb64.replace('=', '')[-1]))
        # abs returns the absolute value; [-1] is the last element
        # The number of '=' in the line gives the number of padded bits:
        # one '=' means two padded bits,
        # two '=' mean four padded bits,
        # and these bits may carry hidden data
        equalnum = stegb64.count('=')

        # A line containing '=' may contain Base64 steganography
        if equalnum:
            # Convert the difference to binary and append it;
            # equalnum * 2 is the number of padded bits
            bin_str += bin(offset)[2:].zfill(equalnum * 2)
            # zfill left-pads the string with 0 up to the given length
    # Convert the bit string to characters
    for i in range(0, len(bin_str), 8):
        flag += chr(int(bin_str[i:i + 8], 2))
    print(flag)

Approach

 Read each line in turn and extract the steganographic bits.
 If the line does not end in '=', it has no steganographic bits; skip it.
 If the line ends in one '=', it has two steganographic bits: convert the last character before the padding to the binary form of its index and take the last two bits.
 If the line ends in two '=', it has four steganographic bits: convert the last character before the padding to the binary form of its index and take the last four bits.
 Concatenate the bits extracted from each line in order and convert every 8 bits to an ASCII character, discarding any trailing bits that do not fill 8.
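The steps above can be checked end to end with a round trip. This is an added example, not code from the original post: `embed`, `extract`, `spare_bits` and `is_canonical` are hypothetical helper names, and the cover data is constructed. It also shows the detection side: any padded line whose unused bits are not zero is non-canonical Base64 and worth flagging.

```python
import base64

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def spare_bits(line):
    """Unused low bits of the last data character: 2 per '=', as a bit string."""
    pad = line.count("=")
    if pad == 0:
        return ""
    nbits = pad * 2
    last = B64.index(line.rstrip("=")[-1])
    return format(last & ((1 << nbits) - 1), "0{}b".format(nbits))


def is_canonical(line):
    """A standard encoder always leaves the spare bits at zero."""
    return set(spare_bits(line)) <= {"0"}


def extract(lines):
    """Join the spare bits of every line; drop trailing bits that do not fill a byte."""
    bits = "".join(spare_bits(line) for line in lines)
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def embed(cover_chunks, secret):
    """Build test lines: encode each chunk, then place secret bits in the spare bits."""
    bits = "".join(format(b, "08b") for b in secret)
    lines = []
    for chunk in cover_chunks:
        line = base64.b64encode(chunk).decode()
        pad = line.count("=")
        if pad and bits:
            nbits = pad * 2
            take, bits = bits[:nbits].ljust(nbits, "0"), bits[nbits:]
            body = line.rstrip("=")
            # The canonical last character has zero spare bits, so OR sets them
            idx = B64.index(body[-1]) | int(take, 2)
            line = body[:-1] + B64[idx] + "=" * pad
        lines.append(line)
    return lines


if __name__ == "__main__":
    # Constructed cover data: four chunks end in '==' (4 bits each), one has no padding
    cover = [b"a", b"abc", b"abcd", b"abcdefg", b"0123456789"]
    stego = embed(cover, b"ok")
    for line in stego:
        status = "canonical" if is_canonical(line) else "NON-CANONICAL"
        print(line, status, base64.b64decode(line))
    print("hidden:", extract(stego))
```

Each stego line still decodes to its original cover bytes, which is why the hidden data goes unnoticed unless the spare bits are inspected.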

Misc-pic-again

zsteg

zsteg -a   # try all known combinations
zsteg -e "b1,bgr,lsb,xy" pcat.png > p.exe   # export the content
grep: search text using regular expressions
strings: print the text strings found in a file
strings '/root/Desktop/1' | grep "hctf"

Banmabanma

Read the barcode directly with an online barcode reader: https://online-barcode-reader.inliteresearch.com/

Suitable for desktop

Use StegSolve; the green channel reveals a QR code.

Hear-with-your-Eyes

Viewing the file in binary shows wav, so change the suffix to wav. It will not open, so treat it as an archive and extract it, then open the wav in Audacity and switch to the spectrogram view to get the flag.

something in image

strings '/root/Desktop/badimages' | grep -i Flag   # -i: case-insensitive

stage1

Put the picture in StegSolve to find the QR code.
Scanning it gives a string of hexadecimal numbers. Put them into 010 Editor; it turns out to be a pyc file, so decompile it.
Python decompiler address

def flag():
    str = [
        65,
        108,
        112,
        104,
        97,
        76,
        97,
        98]
    flag = ''
    for i in str:
        flag += chr(i)
    
    print flag

Revised version

str = [
        65,
        108,
        112,
        104,
        97,
        76,
        97,
        98]
flag = ''
for i in str:
    flag += chr(i)

print(flag)

Miscellaneous-200( mapping )

Every line is an RGB triple, so the data can be drawn as an image.
The script is as follows

from ast import literal_eval as make_tuple
from PIL import Image
f = open(r'.txt', 'r')
corl = [make_tuple(line) for line in f.readlines()]
f.close()
img0 = Image.new('RGB', (270, 270), '#ffffff')
k=0
for i in range(246):
   for j in range(246):
      img0.putpixel ([i , j], corl[k])
      k=k+1
img0.save("result.png")

The company you love

strings also works on a pcap. Remember to change to the Desktop directory first.

strings webshell.pcapng | grep {

hidden message

Packets sent over UDP: port steganography.
Convert the 0s and 1s to a string.

Recover-Deleted-File


funny_video( Audio steganography Matroska+Audition)

article

Goodbye, Li Hua

Mask (brute-force) attack

Ordinary Sudoku

The Sudoku grid looks like a QR code: cells with a number are 1, cells without a number are 0.
Use the binary values to build the QR code.

# -*- coding:utf-8 -*-
from PIL import Image
x = 45
y = 45

im = Image.new("RGB", (x, y))  # create the picture
file = open('1.txt', 'r')  # open the file of 0/1 values
for i in range(0, x):
    line = file.readline()  # read one row
    for j in range(0, y):
        if line[j] == '0':
            im.putpixel((i, j), (255, 255, 255))  # 0 becomes a white pixel
        else:
            im.putpixel((i, j), (0, 0, 0))  # anything else becomes a black pixel
im.show()

ordinary Disco

Open the file in Audacity and read off the binary.
Count the binary digits carefully: there are 105 of them, so the step size is 7.

s = '110011011011001100001110011111110111010111011000010101110101010110011011101011101110110111011110011111101'
flag = ''
for i in range(0,len(s),7):
    flag += chr(int('0'+s[i:i + 7],2))
print(flag)
  • int(x, 2) parses the string as a binary number.
    I got stuck at one point: how to find the binary waveform. Just zoom in.

Little PDF

foremost is enough.

Excaliflag

Found in the blue channel with StegSolve.

magical modbus

Industrial equipment exchanges messages using the Modbus protocol. Filter for it and search directly. The result is sctf{Easy_Mdbus}, but an o has to be added in the middle: sctf{Easy_Modbus} is the correct flag.

embarass

At first I tried separating the streams, but there were too many, so just search directly.

A wild

Visible with zsteg.

2-1

Opening the file shows that the PNG header is incorrect; it should be 89504E47.
It still cannot be opened after fixing that. 010 Editor shows that the width is missing.
Run the script below to recover the exact width and height (the CRC is right after the second line).

import struct
import binascii
import os
# Remember to put in the CRC value from the file
m = open(r"C:/Users/Lenovo/Desktop/148a3ba22b8541f48f354f3e27f0aa4c.png", "rb").read()
k = 0
for i in range(5000):
    if k == 1:
        break
    for j in range(5000):
        c = m[12:16] + struct.pack('>i', i) + struct.pack('>i', j)+m[24:29]
        crc = binascii.crc32(c) & 0xffffffff
        if crc == 0x932f8a6b:
            k = 1
            print(hex(i), hex(j))
            break


halo(base64 XOR usage )

from base64 import *

b = b64decode('aWdxNDs0NDFSOzFpa1I1MWliT08w')

data = list(b)

for i in range(0, 200):
    key = ''
    for j in range(len(data)):
        # Note: in Python 3 the bytes are already integers, so ord() is no longer needed
        key += chr(data[j]^i)
    print(key)

There is an online tool, but it needs a key.
This one looks normal.

Sign in problem

The SSCTF online beauty contest has begun. Teddy has brought his ciphertext; decrypt it and submit the contents of the curly brackets (Z2dRQGdRMWZxaDBvaHRqcHRfc3d7Z2ZoZ3MjfQ==)

Base64 decoding: ggQ@gQ1fqh0ohtjpt_sw{gfhgs#}

Rail-fence decryption (displacement 7): ggqht{ggQht_gsQ10jsf#@fopwh}

Caesar cipher (shift 14): ssctf{ssCtf_seC10ver#@rabit}

MISCall

Principle: git information disclosure
The name of the downloaded file is too long, so rename it first.

[email protected]:~/Desktop/CTF# mv d02f31b893164d56b7a8e5edb47d9be5 miscall
[email protected]:~/Desktop/CTF# ls
miscall

Let's check the file type first

[email protected]:~/Desktop/CTF# file miscall 
miscall: bzip2 compressed data, block size = 900k

It turns out to be a bzip2 archive; decompress it.

[email protected]:~/Desktop/CTF# bzip2 -d miscall 
bzip2: Can't guess original name for miscall -- using miscall.out 
# bzip2 cannot guess the original name of miscall, so it uses miscall.out
[email protected]:~/Desktop/CTF# ls
miscall.out

Although an error was reported, the file name has changed.

Without further ado, check the file type again.

[email protected]:~/Desktop/CTF# file miscall.out 
miscall.out: POSIX tar archive (GNU)  #tar file 

Continue to decompress

[email protected]:~/Desktop/CTF# tar -xvf miscall.out 
[email protected]:~/Desktop/CTF# ls
ctf  miscall.out

A new directory ctf appears. Go in and have a look: finally a flag, but it is a fake.

[email protected]:~/Desktop/CTF# cd ctf/
[email protected]:~/Desktop/CTF/ctf# ls
flag.txt
[email protected]:~/Desktop/CTF/ctf# cat flag.txt 
Nothing to see here, moving along...

Nothing there? What now? A closer look reveals a hidden .git directory. After a search on Baidu I found the available commands, so give them a try.

[email protected]:~/Desktop/CTF/ctf# ls -a
.  ..  flag.txt  .git

View the git history with a command.

[email protected]:~/Desktop/CTF/ctf# git log
commit bea99b953bef6cc2f98ab59b10822bc42afe5abc (HEAD -> master)
Author: Linus Torvalds <[email protected]>
Date:   Thu Jul 24 21:16:59 2014 +0200

    Initial commit

git stash show shows what changes a stash contains. By default it shows the first stash; to show another one, append stash@{$num}, for example for the second one: git stash show stash@{1}

git stash apply applies a stash without removing it from the stash list. The first stash, stash@{0}, is used by default; to use another one, run git stash apply stash@{$num}, for example for the second one: git stash apply stash@{1}. This is equivalent to restoring the changed content.

Open s.py or run python s.py to get the flag.

It's in it

 In day-to-day Linux operations and maintenance we often run data backup tasks: export the data and package it. In environments with high security requirements, the OpenSSL tool can encrypt and decrypt the packaged data, which further protects it.

article
Following the second stream reveals some files, including the public key pub.key, so there is probably a private key too.
The capture contains multiple TCP streams; just page down through them. Other streams are found the same way.
Find the private key and save it as pri.key (the suffix must be .key).
Running foremost on the capture yields jpg, pdf and zip files. Unzipping the zip gives key.txt, which is gibberish, so it is presumably encrypted. Decrypt it with openssl.

 Command: openssl rsautl -decrypt -in key.txt -inkey pri.key -out flag.txt
-in is the encrypted file to decrypt, -inkey is the key, -out is the output file
[For details, see "How to use OpenSSL to encrypt and decrypt files", petpig0312's blog on CSDN](https://blog.csdn.net/petpig0312/article/details/79784016)

flag_universe

  Ways to extract files from a traffic capture: 1. tcpxtract -f + file name 2. NetworkMiner 3. Wireshark 4. foremost -v -i + file name 5. Chaosreader
 [article](https://www.cnblogs.com/micr067/p/14076573.html)

Searching the capture for universe finds several universe.png, so the task is to extract pictures from the capture. binwalk shows that pictures are present, but foremost cannot extract them.
Use NetworkMiner.
For the exact way to open the file, see the expert's article.
binwalk showed many pictures earlier, so run zsteg on all the pictures extracted by NetworkMiner to find the flag.

get_the_key.txt

There is no suffix, so check the type with file.
Create a new directory with mkdir and mount the image with mount.

mkdir ctfff
mount forensic100 ctfff
cd _forensic100.extracted   # enter the directory
ls
grep -r key.txt   # grep -r searches a directory recursively for a substring; per the title, look for key.txt
file 1   # check the file: it is gzip
gunzip<1   # decompress
umount forensic100   # unmount

reverse it

Drag the file into 010 Editor and look: it begins with FFD9 and ends with FFD8, so the whole hexadecimal content is reversed.

a = 'all hex'  # paste the file's complete hexadecimal content here
b = a[::-1]    # reverse the string
print(b)

Open the picture.

3-11

zsteg finds a compressed archive hidden in the picture.
Extract it with zsteg -e b1,rgb,lsb,xy 2.png > 1.zip and decompress it to get a pile of Base64 code; convert that to a picture.

Become_a_Rockstar

There is no suffix, so check the type first. It turns out to be txt, but opening it shows a lot of seemingly useless words.
Looking carefully, the suffix is rock: Rockstar is a programming language.
Convert the Rockstar code to Python.
Run the Python. It did not run successfully for me in VS Code, so I used IDLE.

intoU

Topic tested: Audacity sampling rate
article

Cephalopod

Searching for flag shows that there is a picture to open.
binwalk and foremost both show that a picture is present, but it cannot be opened; NetworkMiner does not work either.

apt-get install tcpxtract

tcpxtract -f file name   # look for the output under root

Our secret is green

  • OurSecret
    As the title suggests, use the tool OurSecret and decrypt in its Unhide area.
    The password is in the picture: the green numbers.
  • Brute force
    The birthday is an eight-digit number; brute-force it.
  • Plaintext attack
    There are two readme.txt files; compress readme.txt into a zip.
  • Rail fence cipher
  • Caesar cipher
  • Pseudo encryption
    Compressed source file data area:
    50 4B 03 04: file header signature (0x04034b50)
    14 00: PKWARE version needed to extract
    01 00: general purpose bit flag (the key indicator of whether encryption is present)
    08 00: compression method
    5A 7E: last modified time
    F7 46: last modified date
    16 B5 80 14: CRC-32 checksum (1480B516)
    19 00 00 00: compressed size (25)
    17 00 00 00: uncompressed size (23)
    07 00: file name length
    00 00: extra field length
    6B65792E7478740BCECC750E71ABCE48CDC9C95728CECC2DC849AD284DAD0500

Compressed source file directory area:
50 4B 01 02: directory file header signature (0x02014b50)
3F 00: PKWARE version used to compress
14 00: PKWARE version needed to extract
00 00: general purpose bit flag (the key indicator of whether encryption is present; this is the field changed for pseudo encryption: change it to 09 00 and opening the file prompts for a password)
08 00: compression method
5A 7E: last modified time
F7 46: last modified date
16 B5 80 14: CRC-32 checksum (1480B516)
19 00 00 00: compressed size (25)
17 00 00 00: uncompressed size (23)
07 00: file name length
24 00: extra field length
00 00: file comment length
00 00: disk number start
00 00: internal file attributes
20 00 00 00: external file attributes
00 00 00 00: local header offset
6B65792E7478740A00200000000000010018006558F04A1CC5D001BDEBDD3B1CC5D001BDEBDD3B1CC5D001

End of compressed source file directory record:
50 4B 05 06: end of directory signature
00 00: number of this disk
00 00: disk on which the directory area starts
01 00: total number of records on this disk
01 00: total number of records in the directory area
59 00 00 00: size of the directory area
3E 00 00 00: offset of the directory area from the first disk
00 00: ZIP file comment length

Key point!
Open the zip file in a hex editor (010 Editor).
Change the 3rd and 4th bytes after 504B0304 to 0000, and
change the 5th and 6th bytes after 504B0102 to 0000, to crack the pseudo encryption.

## Identifying real and pseudo encryption
No encryption
The general purpose bit flag in the compressed source file data area should be 00 00
and the general purpose bit flag in the compressed source file directory area should be 00 00
Pseudo encryption
The general purpose bit flag in the compressed source file data area should be 00 00
and the general purpose bit flag in the compressed source file directory area should be 09 00
Real encryption
The general purpose bit flag in the compressed source file data area should be 09 00
and the general purpose bit flag in the compressed source file directory area should be 09 00

————————————————
Copyright notice: this is an original article by CSDN blogger 「BJFU_vth」, licensed under CC 4.0 BY-SA. When reprinting, attach the original source link and this statement.
Original link: https://blog.csdn.net/weixin_41687289/article/details/82695801
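The flag comparison in the table above can be automated instead of being done by eye in a hex editor. This is an added example, not code from the original post or the quoted article: the function names are hypothetical, the sample archive is constructed in memory, and the verdicts follow the page's three-row table only (a header pair the table does not list is reported as inconsistent).

```python
import io
import struct
import zipfile

CENTRAL_SIG = b"PK\x01\x02"  # 50 4B 01 02: flag is at offset 8 of this record
EOCD_SIG = b"PK\x05\x06"     # 50 4B 05 06: end of directory record
# In the local header (50 4B 03 04) the flag is at offset 6.


def entries(data):
    """Yield (directory_record_offset, local_header_offset) for each file."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-directory record")
    count, _size, pos = struct.unpack_from("<HII", data, eocd + 10)
    for _ in range(count):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("bad directory record signature")
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        (local_off,) = struct.unpack_from("<I", data, pos + 42)
        yield pos, local_off
        pos += 46 + name_len + extra_len + comment_len


def classify(data):
    """Apply the table: compare bit 0 of the flag in both headers."""
    verdicts = []
    for central, local in entries(data):
        c_enc = struct.unpack_from("<H", data, central + 8)[0] & 1
        l_enc = struct.unpack_from("<H", data, local + 6)[0] & 1
        if l_enc and c_enc:
            verdicts.append("real encryption")
        elif c_enc:
            verdicts.append("pseudo encryption")
        elif l_enc:
            verdicts.append("inconsistent")
        else:
            verdicts.append("no encryption")
    return verdicts


def clear_encryption_bit(data):
    """Return a copy with bit 0 of the flag cleared in both headers."""
    fixed = bytearray(data)
    for central, local in entries(data):
        for off in (central + 8, local + 6):
            (flag,) = struct.unpack_from("<H", fixed, off)
            struct.pack_into("<H", fixed, off, flag & 0xFFFE)
    return bytes(fixed)


def readable(data):
    """True if Python's zipfile can read the first member without a password."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            z.read(z.namelist()[0])
        return True
    except RuntimeError:  # zipfile raises this when the encrypted bit is set
        return False


def make_samples():
    """Constructed samples: a plain archive and a copy with the directory flag set to 09 00."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("key.txt", "constructed sample content")
    plain = buf.getvalue()
    pseudo = bytearray(plain)
    central, _local = next(entries(plain))
    struct.pack_into("<H", pseudo, central + 8, 0x0009)
    return plain, bytes(pseudo)


if __name__ == "__main__":
    plain, pseudo = make_samples()
    print(classify(plain), classify(pseudo), readable(pseudo))
    print(readable(clear_encryption_bit(pseudo)))
```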

Just-No-One( agreement )

The download is an exe.

It turns out to be an installer.

The flag is found in the license agreement.

The company you love

Searching for flag finds nothing here; only searching for fl works. The strings command can find it, and searching in Wireshark works too: fl4g:{ftop_Is_Waiting_4_y}

labour

The file has no suffix and its type is unknown, so first look inside with Notepad++.
Opening it shows that it comes from the downloadable software ExpertGPS.
Change the file suffix to .gpx.
The hint reads: "Use appropriate brackets and underscores to separate words if you succeed".
article

4-2

quipqiup analysis
The feature is the last few words of encryption

low

article

  • Least-significant-bit (LSB) steganography
  • StegSolve shows that the QR code is covered up, so the pixels need to be processed:
from PIL import Image

img = Image.open('./pic/low.bmp')
img_tmp = img.copy()
pix = img_tmp.load()
width, height = img_tmp.size
for w in range(width):
    for h in range(height):
        if pix[w, h] & 1 == 0:
            pix[w,h] = 0
        else:
            pix[w, h] = 255

img_tmp.show()

misc1

Every two characters form one hexadecimal number. Convert each to decimal and subtract 128 (the offset is 128).

Then convert to ASCII to get the flag: DDCTF{9af3c9d377b61d269b11337f330c935f}
Python script

import re
s = 'd4e8e1f4a0f7e1f3a0e6e1f3f4a1a0d4e8e5a0e6ece1e7a0e9f3baa0c4c4c3d4c6fbb9e1e6b3e3b9e4b3b7b7e2b6b1e4b2b6b9e2b1b1b3b3b7e6b3b3b0e3b9b3b5e6fd'
num = re.findall(r'\w{2}', s)  # split into two-character hex pairs
flag = ''
for i in num:
   ch = chr(int(i,16)-128)
   flag += ch
print(flag)

Hidden information

It is octal. Convert it with CaptfEncoder (a network security tool suite), which is very handy.
Converting the octal to ASCII gives something that looks like Base64.

Miscellaneous-300

We get a compressed archive that needs a password. A look in WinHex shows it is not pseudo encryption. Brute-forcing shows the password is identical to the file name. Unzipping gives the next encrypted archive, whose password is again its file name, and so on many times in a row, like Russian dolls. I found a script:

import zipfile
import re
zipname = "C:\\Users\\86139\\Desktop\\tmp\\"+"47096.zip"
while True:
    if zipname != "C:\\Users\\86139\\Desktop\\tmp\\73168.zip":
        ts1 = zipfile.ZipFile(zipname)
        res = re.search('[0-9]*',ts1.namelist()[0])
        print(res.group())
        passwd = res.group()
        ts1.extractall("C:\\Users\\86139\\Desktop\\tmp\\",pwd=passwd.encode('ascii'))
        zipname = "C:\\Users\\86139\\Desktop\\tmp\\"+ts1.namelist()[0]
    else:
        print("find")
        break  # stop once the last archive has been reached

When it reaches 12475.zip it fails; the password obtained by brute force is b0yzz.

This yields mess.wav. Again open it in Audacity, switch to the spectrogram and find the flag: BallsRealBolls

challenge_how_many_Vigenère

A Vigenère solver recovers the key and the plaintext.
website
Solution to the problem

Py-Py-Py

  • Stegosaurus pyc steganography
    Stegosaurus is a steganography tool that lets us embed an arbitrary payload in Python bytecode files (pyc or pyo). Because of the low encoding density, embedding the payload changes neither the runtime behaviour of the code nor the size of the file. The payload is scattered through the bytecode, so tools such as strings cannot find the actual payload. Python's dis module returns the bytecode of the source file, and Stegosaurus can then be used to embed the payload.
git clone https://github.com/AngelKitty/stegosaurus

Happy fat house

It is an swf file. Open it with PotPlayer and step through every frame, or simply play the game through to the end.

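Original site

Copyright notice
This article was written by [pipasound]. When reprinting, please include the link to the original. Thank you.
https://yzsam.com/2022/188/202207071856053809.html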