PNG image steganography

Let's talk about a misc question from the MAR DASCTF Mingyu Offensive and Defence Competition, and learn about cracking pseudo-encryption and image steganography.

Knowledge points of this article:

1. Pseudo-encryption of an encrypted compressed package
2. Image steganography
3. Restoring a file from hexadecimal data
4. Telling true encryption from fake encryption

No encryption
The global encryption flag in the compressed source file data area should be 00 00,
and the global general-purpose bit flag in the compressed source file directory area should be 00 00.

Fake encryption
The global encryption flag in the compressed source file data area should be 00 00,
and the global general-purpose bit flag in the compressed source file directory area should be 09 00.

True encryption
The global encryption flag in the compressed source file data area should be 09 00,
and the global general-purpose bit flag in the compressed source file directory area should be 09 00.

This misc question combines compressed-package pseudo-encryption with image steganography. Now to the main topic:
We can see that the files in this compressed package are encrypted. Consider pseudo-encryption first; there are two solutions.

Solution 1:
Drag the compressed package into the tool WinHex to view the hexadecimal data, as shown below:

You can see 09 00 in the first line, which matches the fake-encryption case above. Search directly for the hexadecimal value 504B and change the 09 to 00:


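To apply the 00 00 / 09 00 table and the WinHex 09-to-00 fix in code rather than by hand, here is an added Python example; it is not from the original post or from any tool the post mentions. It assumes the standard ZIP layout: the "data area" flag is the general-purpose bit flag at offset 6 of each PK 03 04 local file header, the "directory area" flag is at offset 8 of each PK 01 02 central directory entry, and bit 0 of that field is the encryption bit; the sample archive is constructed inside the script.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"    # local file header: the "data area" record
CENTRAL_SIG = b"PK\x01\x02"  # central directory entry: the "directory area" record
FLAG_OFF = {LOCAL_SIG: 6, CENTRAL_SIG: 8}  # offset of the general-purpose bit flag field
ENCRYPTED = 0x0001           # bit 0 of that field is the encryption bit (09 00 = bits 0 and 3)

def iter_sig(data, sig):  # offsets of every record signature (plain scan, fine for small files)
    i = data.find(sig)
    while i != -1:
        yield i
        i = data.find(sig, i + len(sig))

def flag_at(data, sig, off):  # general-purpose bit flag of the record starting at off
    return struct.unpack_from("<H", data, off + FLAG_OFF[sig])[0]

def classify(data: bytes) -> str:
    """Return 'none', 'fake' or 'true' following the 00 00 / 09 00 table in the post."""
    local = any(flag_at(data, LOCAL_SIG, i) & ENCRYPTED for i in iter_sig(data, LOCAL_SIG))
    central = any(flag_at(data, CENTRAL_SIG, i) & ENCRYPTED for i in iter_sig(data, CENTRAL_SIG))
    if central:
        return "true" if local else "fake"  # fake: only the directory claims encryption
    return "inconsistent" if local else "none"

def clear_fake_encryption(data: bytes) -> bytes:
    """The WinHex fix in code: clear the encryption bit in every central directory entry."""
    buf = bytearray(data)
    for i in iter_sig(buf, CENTRAL_SIG):
        pos = i + FLAG_OFF[CENTRAL_SIG]
        struct.pack_into("<H", buf, pos, struct.unpack_from("<H", buf, pos)[0] & ~ENCRYPTED)
    return bytes(buf)

def make_sample(local_flag=0, central_flag=0) -> bytes:
    """Constructed sample archive; the flag fields are patched to simulate each case."""
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("flag.txt", "constructed sample, not the competition flag")
    buf = bytearray(bio.getvalue())
    for sig, value in ((LOCAL_SIG, local_flag), (CENTRAL_SIG, central_flag)):
        for i in iter_sig(buf, sig):
            struct.pack_into("<H", buf, i + FLAG_OFF[sig], value)
    return bytes(buf)

def read_entry(data: bytes, name="flag.txt") -> str:  # entry text, or the password error
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.read(name).decode()
    except RuntimeError as e:
        return f"error: {e}"
```

On a real attachment, call classify() on the file's bytes; only a "fake" result should be repaired with clear_fake_encryption(), since a "true" archive still needs its password.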
Solution 2:
We can also use a tool to crack pseudo-encryption, ZipCenOp.
Command: java -jar ZipCenOp.jar r "Simple png steganographic attachment.zip"
Image steganography cracking:
Using binwalk and stegsolve, we can't find anything useful. Here I introduce the tool pngcheck, which can identify multiple image types.
Command: pngcheck -v hint.png
A normal image should have only one IDAT stream, but here there are two different ones, so we conclude that there are two pictures. Open the picture in the 010Editor tool and search for the hexadecimal value 789C; because a png picture has only one 789C, we need to delete the first one, from the selected 49 up to the start of the next IDAT:

Save the picture after deleting it, and you can see a new picture:

You can see that 89504E should be the picture's secret key, and there is a hint here. We can guess that this is outguess steganography.
Command: outguess -k 'gemlove' -r sheng_huo_zhao_zhao.jpg out.txt
This gives a base64-encoded string:

MUY4QjA4MDg5MTgwNzg1RTAwMDM2NjZDNjE2NzJFNzQ3ODc0MDA0QkNCNDk0Q0FGMzZCMDMwMzQ0RDM1NDlCNjRDMzMzNTMzMzRCMTQ4MzVCNzQ4NEEzNTMzNDg0OTMyMzU0QjRFMzUzMTQ5MzFCNUFDRTVFMjAyMDA0NjhCMjIzRjI4MDAwMDAw

Decoding the base64 gives a string of hexadecimal numbers:

1F8B08089180785E0003666C61672E747874004BCB494CAF36B030344D3549B64C33353334B14835B7484A3533484932354B4E35314931B5ACE5E20200468B223F28000000

Copy this string of hexadecimal numbers into WinHex; we can see that it contains a flag.txt, and the file header hex identifies the file as .gz.
Save it with the suffix .gz and open it to get the flag:
flag {0815e4c9f56148e78be60db56ce44d59}

Origin blog.csdn.net/weixin_43923136/article/details/115316673