First of all, I would like to thank the 360 Strong Nations Cup platform and the experts who set the challenges.
Cheers everyone ( •̀ ω •́ )y I look forward to seeing you again
-
Title: Welcome_to_QGB
Base64-decode it directly to get the flag.
-
Title: big boss big boss
Download the attachment to get a picture.
The challenge hints that a picture can be recovered through LSB steganography, but most people don't know how to use stegsolve.
Here is a more direct way.
Put the file in Kali.
Look for information with zsteg.
It finds a picture inside.
Extract the picture:
zsteg -e b1,rgb,lsb,xy 1.png > 99.png
This extracts a picture.
The picture has arrows hinting that something may be hidden in the image height.
Drag it into 010 Editor.
Change the height.
Get the flag.
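The height edit done by hand in 010 Editor above can also be derived from the file itself. The following is an added example, not part of the original writeup: it assumes the height was lowered in the IHDR chunk without updating the chunk CRC, and recovers the real height by testing candidates against the stored CRC. The sample image and all function names are constructed for illustration.

```python
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def make_png(width, height):
    """Build a minimal 8-bit grayscale PNG (constructed sample input)."""
    def chunk(ctype, body):
        crc = zlib.crc32(ctype + body)
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    rows = b"".join(b"\x00" + bytes(width) for _ in range(height))
    return (PNG_MAGIC + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b""))

def ihdr_fields(png):
    """Return (width, height, stored_crc, crc_ok) read from the IHDR chunk."""
    if png[:8] != PNG_MAGIC or png[12:16] != b"IHDR":
        raise ValueError("not a PNG with a leading IHDR chunk")
    width, height = struct.unpack(">II", png[16:24])
    stored, = struct.unpack(">I", png[29:33])
    # The chunk CRC covers the type and the 13 data bytes: offsets 12..28.
    return width, height, stored, zlib.crc32(png[12:29]) == stored

def recover_height(png, max_height=8192):
    """Return (height, patched_png) where height reproduces the stored IHDR CRC.

    Assumption: only the height field was edited and the CRC was left alone.
    """
    width, height, stored, ok = ihdr_fields(png)
    if ok:
        return height, png
    for h in range(1, max_height + 1):
        candidate = png[12:20] + struct.pack(">I", h) + png[24:29]
        if zlib.crc32(candidate) == stored:
            return h, png[:20] + struct.pack(">I", h) + png[24:]
    raise ValueError("no height up to max_height matches the stored CRC")

def demo():
    """Constructed sample: a 4x10 image whose header was cut down to 3 rows."""
    original = make_png(4, 10)
    tampered = original[:20] + struct.pack(">I", 3) + original[24:]
    return original, tampered

if __name__ == "__main__":
    original, tampered = demo()
    print(ihdr_fields(tampered)[1:], recover_height(tampered)[0])
```

If the CRC was recomputed after the edit, this check cannot help and the height has to be raised by trial, as in the writeup.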
-
Title: The fn picture
After downloading the attachment, we find that a password is required.
There is no hint,
so just try brute force.
This gives the four-character decompression password:
7u3N
Open the archive.
Open the txt.
The txt contains a hint, so put flag straight into 010 Editor.
The txt says it is a picture, and judging by the bytes shown in 010 Editor,
the PNG file header needs to be added.
This successfully gives a QR code.
But scanning it shows that the flag is not here,
so it is probably a decoy.
There is one more file.
It cannot be opened, so drag it into 010 Editor.
It turns out to be in an archive format,
so simply change the file extension.
After opening it, there is again a file without an extension.
Recalling the hint in the txt,
change the file header.
This gives a QR code.
Decode it to get the flag.
-
Title: Find GIFs
Download the attachment.
The archive asks for a decompression password.
Trying again gets nowhere.
Drag it into 010 Editor.
The archive turns out to use a fake password (pseudo-encryption).
Repair it with the repair tool that comes with the Windows software, then unzip.
get
Drag aaa into 010 Editor.
It is in PNG format.
Add the extension to get a picture.
Drag it into 010 Editor and change the height.
Rotate the picture to get the decompression password for bbb.zip.
This gives a file bbb without an extension.
At first, I was fixated on analyzing the GIF animation (which later turned out to be very useful).
Compare the file formats of bbb and ccc.gif.
They are similar,
so there is reason to suspect that bbb is a GIF file.
So replace the garbled bytes of bbb with the header of ccc.
Save it as a GIF file.
This gives another GIF file.
I could faintly see a flag flashing inside.
Put it in stegsolve to extract the frames.
The eighth frame does indeed contain something.
After saving it, open it in stegsolve directly.
Step through the bit planes to find the clearest one.
Get the flag.
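The fake-password archive at the start of this challenge can also be handled without a repair tool. The following is an added example, not part of the original writeup: assuming the archive is a ZIP, it detects entries whose "encrypted" flag bit is set although the data verifies cleanly once the bit is cleared, and clears the bit in both the central and local headers. The sample archive and function names are constructed.

```python
import io
import struct
import zipfile
import zlib

def set_encrypted_bit(data, on):
    """Return a copy of the archive with flag bit 0 set or cleared in every header."""
    buf = bytearray(data)
    eocd = buf.rfind(b"PK\x05\x06")                       # end of central directory
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, = struct.unpack_from("<H", buf, eocd + 10)     # number of entries
    pos, = struct.unpack_from("<I", buf, eocd + 16)       # central directory offset
    for _ in range(count):
        if buf[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("corrupt central directory")
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", buf, pos + 28)
        local, = struct.unpack_from("<I", buf, pos + 42)  # local header offset
        # The flag word sits at +8 in a central header and +6 in a local header.
        for off in (pos + 8, local + 6):
            buf[off] = (buf[off] | 0x01) if on else (buf[off] & 0xFE)
        pos += 46 + name_len + extra_len + comment_len
    return bytes(buf)

def is_pseudo_encrypted(data):
    """True if entries are flagged encrypted but verify cleanly with the flag cleared."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if not any(zi.flag_bits & 0x1 for zi in zf.infolist()):
            return False
    try:
        with zipfile.ZipFile(io.BytesIO(set_encrypted_bit(data, False))) as zf:
            return zf.testzip() is None       # None means every CRC matched
    except (zipfile.BadZipFile, zlib.error):
        return False                          # really encrypted, or damaged

def build_sample():
    """Constructed sample: a normal archive and a copy with the fake flag set."""
    raw = io.BytesIO()
    with zipfile.ZipFile(raw, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("aaa", b"constructed sample payload " * 8)
    clean = raw.getvalue()
    return clean, set_encrypted_bit(clean, True)

if __name__ == "__main__":
    clean, fake = build_sample()
    print(is_pseudo_encrypted(clean), is_pseudo_encrypted(fake))
```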
-
Title: B@tCh
Unzip to get the bat file
Not sure what it is
Open it in 010 Editor first.
It is garbled.
Switch to hex.
After searching through various resources, it turns out that the encryption method is BatchEncryption. Write a Python script to decrypt it. Before that, the bat file needs some processing to match the encryption format: open the bat in 010 Editor, switch to hex mode, and add the following line to the file header:
::BatchEncryption Build 201610 By [email protected]
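Save as a txt file. The script below finds the end of this header by searching for the bytes 163.com followed by CRLF, so the added line must end with exactly that.
At this point, the script needs to be fixed.
The script is attached (it's free):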
#!/usr/bin/python
# -*- coding:utf-8 -*-
#
# Batch Decryption 202009 (BatchEncryption Build 201610)
#
import os
import sys

encrypt_file = ''
# Bytes that cannot be decoded and are dropped from the output
encodeErrByteArray = [b'\xfe', b'\xff']


def decryption(data):
    # Index where the source code starts, after the header is stripped
    i = data.index(b'163.com\r\n') + 9
    vars = {}
    length = len(data)
    source = ''
    # Decode one CRLF-terminated line per call to run()
    while i < length:
        Data = run(vars, data, i)
        i = Data.get('index')
        source += Data.get('buf')
    return source


def run(vars, data, i):
    buf = ''
    f = 0
    t = 0
    x = False   # True while inside a %...% expression
    l = len(data)
    while(True):
        if data[i] == 0x0d and data[i+1] == 0x0a:
            i += 2
            break
        # get %var:~x,y% %0
        if data[i] == 0x25:
            if not x:
                x = True
                f = i
            else:
                x = False
                t = i
                rst = var_percent(data[f:t+1], vars)
                buf += rst
            i += 1
        else:
            if not x:
                try:
                    buf += str(data[i:i+1], encoding="utf-8")
                    i += 1
                except Exception as err:
                    # Filter out bytes that cannot be decoded
                    if data[i:i+1] in encodeErrByteArray:
                        buf = ''
                        i += 1
                    else:
                        # Decode Chinese text using the ANSI code page
                        # (the 'ansi' codec exists only on Windows)
                        chinese = b''
                        temp = i
                        while (str(data[temp:temp+1]).find('x') >= 0):
                            chinese += data[temp:temp+1]
                            temp += 1
                        buf += chinese.decode('ansi', 'ignore')
                        i = temp
            else:
                # %0..%9 and %* are batch parameters: copy them through unchanged
                if (f + 1 == i) and ((data[i] >= 0x30 and data[i] <= 0x39) or data[i] == 0x2a):
                    x = False
                    t = i
                    rst = str(data[f:t+1], encoding="utf-8")
                    buf += rst
                i += 1
        if i >= l:
            break
    #print(buf)
    # Record every "set name=value" so later %name:~x,y% lookups can be resolved
    bufs = buf.split('&@')
    for var in bufs:
        if var[0:4] == 'set ':
            var = var[4:]
            b = var.find('=')
            vars[var[0:b]] = var[b+1:].replace('^^^', '^')
    buf += '\r\n'
    return {'index':i, 'buf':buf}


"""
%':~-53,1%
':~-53,1
["'", '-53,1']
"""
def var_percent(data, vars):
    # Expand %var:~start,length% using the variables collected so far
    full = str(data, encoding="utf-8")
    buf = full[1:len(full)-1]
    buf = buf.split(':~')
    var = buf[0]
    if not var in vars:
        vars[var] = os.getenv(var)
    ent = vars[var]
    if (len(buf) > 1):
        l = len(ent)
        buf = buf[1].split(',')
        f = int(buf[0])
        t = int(buf[1])
        if f < 0:
            f, t = l + f, t
        rst = ent[f: f+t]
    else:
        rst = full
    return rst


def makeFile(path,content):
    try:
        encryptionFilePath = os.path.dirname(sys.argv[1])
        encryptionFileName = os.path.basename(sys.argv[1])
        encryptionFile = encryptionFileName.split('.')
        decryptionFileName = encryptionFile[0] + '_denctyption.' + encryptionFile[1]
        # os.path.join keeps the output next to the input even when no directory is given
        decryptionFile = os.path.join(encryptionFilePath, decryptionFileName)
        print(decryptionFile)
        file = open(decryptionFile, 'w+')
        file.write(content)
        file.close()
    except Exception as err:
        print(err)
        sys.exit(1)


if __name__ == '__main__':
    try:
        if len(sys.argv) < 2:
            print('param len error\nuse: python dencrypt.py encrypt.bat')
            sys.exit(1)
        encrypt_file = sys.argv[1]
        file = open(encrypt_file, "rb")
        data = file.read()
        file.close()
        source = decryption(data)
        makeFile(encrypt_file, source)
    except Exception as err:
        print(err)
        sys.exit(1)
Run it from the cmd command line:
D:\py>python 2.py 2.txt
Get the flag.
-
Title: babyRSA
Download the attachment to get
A standard RSA decryption.
A look at RSA steganography.
Here is the script (oh, it's free):
from Crypto.Util.number import long_to_bytes
import gmpy2
p =gmpy2.mpz(138426212841397149251588296134109165537899310438173750798364671675288360000561798355248532054510396589533971267028332214842673811687883616744131130398289077554612883492204032984950562003356001139508926059499376562553551028636226548350263501563647121411422314575340826478224596800551927493501012088298680613879)
q =gmpy2.mpz(143049585916449723925099288769361999764006236021072588846981723369760726410300239985500007665844216512624584735358913225102358935263419564762626442560266419262555820476424949328464294635696200999314599615276252945343396324462380831303649657541178450608628341694003116451196859197001909770503494349726784153027)
e = gmpy2.mpz(33)
# Private exponent: d is the inverse of e modulo phi(n) = (p - 1)(q - 1)
phi_n = (p - 1) * (q - 1)
d = gmpy2.invert(e, phi_n)
n = q * p
print("d is:")
print(d)
print("n")
print(n)
# Ciphertext, parsed with int() rather than eval()
c = int('8289193595993122921665841895022976104081072031742625708463764526627277052318279883859957490142516216024577600646435489409922900157398525709897066174566802837502462355349783465478982642622084973551364981880045419080599645199823932885880822500635358984691098019833373137233421653021398144494548012693727095816659975325054446041806452350925160187980103112171629784199440456927010178848494443466141894033183475723365090593126309457761806861074583084445735295863195227044710706725657905516027928685083079534461311107335936896525014768633605005601716003989306032040278750752221002412831419560140443505534384151408234420458')
# Decrypt: m = c^d mod n, then turn the integer back into bytes
m = pow(c, d, n)
print(m)
string = long_to_bytes(m)
print(string)
Run it.
Get the flag.
Since the scripts are free, please give me a follow.