5.zip steganography

First, analyze the pcapng capture to get the flag.

The download address: http://ctf5.shiyanbar.com/misc/LOL/LOL.pcapng

Since this is a .pcapng file, you need Wireshark for the packet analysis.

Filter on the http protocol stream. HTTP (Hypertext Transfer Protocol) is the protocol used to transfer hypertext from a server to the local browser.

We find two upload points; let's analyze the two data streams separately.

We find a LOL.zip file and save it with a .zip suffix. (The other upload is LOL.docx, which contains a picture and a sentence. That file is a decoy; the focus is on the zip file, so this article does not analyze the docx and goes straight to the zip.)

Decompressing it reveals that a password is required. Many people will think the password is hidden in the picture inside the document and start doing image steganography, but that is not the right direction.

After reading other people's writeups: use WinHex to analyze the central directory area of the archive, and it turns out to be pseudo-encryption (the encryption bit is set in the directory entry, but the data itself is not encrypted).

The first method is:

Remove the pseudo-encryption directly with a tool. This yields four text files.

The second method is:

Drag the exported LOL.zip into WinHex for analysis.

Before the analysis, a quick primer on the structure of a zip file:

A ZIP file consists of three parts:

Compressed source file data area (local file headers plus file data) + Compressed source file directory area (the central directory) + Compressed source file directory end mark (the end-of-central-directory record)

Compressed source file data area:
50 4B 03 04: local file header signature (0x04034b50)
14 00: PKWARE version required to decompress the file
00 00: global mode bit flag (general purpose bit flag; records whether the entry is encrypted)
08 00: compression method (8 = deflate)
5A 7E: last modified file time
F7 46: last modified file date
16 B5 80 14: CRC-32 checksum (0x1480B516)
19 00 00 00: compressed size (25)
17 00 00 00: uncompressed size (23)
07 00: file name length (7)
00 00: extra field length (0)
6B65792E7478740BCECC750E71ABCE48CDC9C95728CECC2DC849AD284DAD0500: the file name "key.txt" (7 bytes) followed by the 25 bytes of compressed data

Compressed source file directory area:
50 4B 01 02: central directory file header signature (0x02014b50)
3F 00: PKWARE version used for compression
14 00: PKWARE version required to decompress the file
00 00: global mode bit flag (general purpose bit flag; this is the byte that pseudo-encryption tampers with: if it is changed to 09 00, a password prompt appears)
08 00: compression method
5A 7E: last modified file time
F7 46: last modified file date
16 B5 80 14: CRC-32 checksum (0x1480B516)
19 00 00 00: compressed size (25)
17 00 00 00: uncompressed size (23)
07 00: file name length (7)
24 00: extra field length (36)
00 00: file comment length
00 00: disk number start
00 00: internal file attributes
20 00 00 00: external file attributes
00 00 00 00: local header offset
6B65792E7478740A00200000000000010018006558F04A1CC5D001BDEBDD3B1CC5D001BDEBDD3B1CC5D001: the file name "key.txt" followed by the 36-byte extra field

Compressed source file directory end mark:
50 4B 05 06: end of central directory signature
00 00: current disk number
00 00: disk number on which the directory area starts
01 00: total number of records on this disk
01 00: total number of records in the directory area
59 00 00 00: size of the directory area
3E 00 00 00: offset of the directory area from the start of the first disk
00 00: ZIP file comment length

To sum up: the global mode bit flag in the compressed source file directory area is what decides whether the zip file can be read.

So our thought is that modifying it back will restore the readability of the zip file.

According to the information found on Baidu, if the second hex digit of the global mode bit flag (the low nibble of its first byte) is even, the entry is not encrypted; if it is odd, the entry is encrypted.

Then we can change 09 00 --> 00 00 with WinHex and successfully get the files inside.
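The same check and fix done in code, as an added example that is not part of the original writeup: it walks the central directory and local headers of an archive, reports entries whose directory flag claims encryption (bit 0 set) while the local header does not, and clears the bit exactly as the WinHex edit does. The archive is a constructed sample built in memory, not LOL.zip, and the function names are mine.

```python
import io
import struct
import zipfile
LOCAL_SIG, CENTRAL_SIG, END_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"

def make_sample_zip():
    """Constructed sample archive (not the CTF's LOL.zip): a single deflated key.txt."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("key.txt", "constructed sample content")
    return buf.getvalue()

def central_entries(data):
    """Yield (record offset, flag word, local header offset, name) per central directory record."""
    end = data.rfind(END_SIG)
    if end < 0:
        raise ValueError("no end-of-central-directory record (50 4B 05 06)")
    count, _size, pos = struct.unpack_from("<HII", data, end + 10)  # EOCD: total records, dir size, dir offset
    for _ in range(count):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("bad central directory signature at %#x" % pos)
        flags = struct.unpack_from("<H", data, pos + 8)[0]  # global mode bit flag
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        local_off = struct.unpack_from("<I", data, pos + 42)[0]  # local head offset
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        yield pos, flags, local_off, name
        pos += 46 + name_len + extra_len + comment_len

def local_flags(data, local_off):
    """Flag word of the local file header (50 4B 03 04) the central record points at."""
    if data[local_off:local_off + 4] != LOCAL_SIG:
        raise ValueError("bad local header signature at %#x" % local_off)
    return struct.unpack_from("<H", data, local_off + 6)[0]

def find_pseudo_encryption(data):
    """Names whose central flag has bit 0 (encrypted) set while the local header's bit 0 is clear."""
    return [name for _, cflags, loff, name in central_entries(data)
            if cflags & 1 and not local_flags(data, loff) & 1]

def patch_central_flags(data, set_bit):
    """Copy of data with bit 0 of every central flag set (simulate) or cleared (the 09 00 -> 00 00 fix)."""
    out = bytearray(data)
    for pos, cflags, _, _ in central_entries(data):
        struct.pack_into("<H", out, pos + 8, cflags | 1 if set_bit else cflags & 0xFFFE)
    return bytes(out)

def read_entry(data, name):
    """Extract one member; zipfile raises RuntimeError while the central flag still claims encryption."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)
```

Run `find_pseudo_encryption` on a suspect archive first; a non-empty result with a working `read_entry` after `patch_central_flags(data, set_bit=False)` confirms pseudo-encryption rather than a real password.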

After the modification is complete, click Save, and the archive now decompresses successfully without a password.

When we open the first decompressed file, 11.txt, we find that its content starts with 8950....

Sure enough, 89 50 is the start of the PNG file signature. So our reasoning is that the PNG image has been stored as hex-encoded text.

Here is the Python code provided by s1ye (thanks), which restores the PNG image from its hex encoding:

# -*- coding: utf-8 -*-
# Ported to Python 3 (raw_input/print statements and str.decode("hex") removed).
import os
import sys

def conversion(hexdata):
    """Decode a hex string (whitespace and newlines ignored) and write the raw bytes to a file."""
    cipher = "".join(hexdata.split())
    name = input('input filename:')
    with open(name, "wb") as out:
        out.write(bytes.fromhex(cipher))
    print("file path:", os.path.abspath(name))

def usage():
    print('[*] conversion for hex')
    print('[*] usage:')
    print('    hex.py hex')
    print('    hex.py filename.txt')
    print('[*] -*-by s1ye-*-')

def main():
    if len(sys.argv) < 2:
        usage()
    else:
        # A .txt argument is read as a file of hex text; anything else is hex given on the command line.
        if sys.argv[1].split('.')[-1] == 'txt':
            with open(sys.argv[1]) as f:
                data = f.read()
            conversion(data)
        else:
            conversion(sys.argv[1])

if __name__ == '__main__':
    main()

The 1.png image obtained after a successful decode is shown here.

It looks like a QR code, so we decode the other files the same way.

Of course, don't forget to scan it.
