BUUCTF-[MISC Miscellaneous]-[Big White] to [zip pseudo-encryption]
BUUCTF-MISC-Dabai------->BUUCTF-MISC-zip pseudo-encryption
Table of contents
BUUCTF-Misc-Big White
topic
answer
Download the attachment, open the compressed package, and there is a picture inside, a big white picture. and unzip it down
According to the prompt information of the title, open the picture and observe
It is found that the picture is not fully displayed, and it is guessed that the height may be modified, and the display is not complete. Next, we open the picture with the tool 010 hexadecimal editor, try to modify the height, and see if the picture can be displayed relatively completely, and we get what we want. information needed
Modify the height, save it, and view the picture
Observe the picture and find the flag
The flag of this question is:
flag{He1l0_d4_ba1}
BUUCTF-MISC-N methods to solve
topic
answer
Download the compressed package, open it, and observe that there is an executable file inside.
After decompression, you can click Try to execute it
When this message appears, it is found that there may be a problem with the executable file. Throw the file into kali and check the file type:
It is found that it is a text file, just rename it to text
Open it after renaming, and find that there is a base64 encoding to convert the image, and use a script or tool to restore it, that is, base64 converts the image
Online tools:
BASE64 to picture- Webmaster Tools- Speed Data (jisuapi.com)
After conversion, you get: a QR code, you can get the information after scanning with WeChat or other QR code scanning tools
Use the QR code tool here:
Get the key information, just replace the key with the flag
The flag of this question:
KEY{dca57f966e4e4e31fd5b15417da63269} replace key with flag
flag{dca57f966e4e4e31fd5b15417da63269}
BUUCTF-MISC- Wuzhen Summit Planting Map
topic
answer
After downloading the attachment, get a picture
According to the information given in the title, the flag we are looking for is hidden in the picture, we directly use the 010 hexadecimal viewer to view it, search for flag
The flag of this question is:
flag{97314e7864a8f62627b26f3f998c37f1}
BUUCTF-MISC- Basic Crack
topic
answer
Download the attachment of the topic and get a compressed package. After opening it, we find that there is a compressed package inside. In the compressed package, we find a flag.txt file, which may be the information we want.
After decompressing, I found that a password is required. According to the prompt in the title, the password is a four-digit number. According to the prompt, use a tool to crack it
Tool: ARCHPR
brute force
Select the length, according to the prompts in the title, choose 4 for the length
Then start cracking:
Saved text information:
Open the flag file in the compressed package with a password
Found to be encrypted, the encryption method is base64, and the flag can be obtained by decrypting
After decryption:
The flag of this question is:
flag{70354300a5100ba78068805661b93a5c}
BUUCTF-MISC-wireshark
topic
answer
Download the compressed package, observe that it is a data flow package, decompress it, and analyze it through wireshark
Solution one:
Open it through wireshark and find a lot of TCP three-way handshake and other information
We click on a data message, track the TCP flow, find the password password information, find the user name and password, and then according to the prompt information of the question, the password is the answer, and then splicing according to the user name flag, we can get the flag of this question
Solution two:
Open the packet file directly with the 010 hexadecimal editor and search for flag
Then according to the question prompt, the administrator password is the answer, and then according to the user name, guess it is the flag
Click on the first one to find the flag information we want, just splicing it
The flag of this question is:
flag{ffb7567a1d4f4abdffdb54e022f8facd}
BUUCTF-MISC-Secrets in Files
topic
answer
Download the compressed package, and then check that there is a picture inside
According to the prompt, you can view the properties of the image file to see if there is any information we want
Through the detailed information in the attributes, we directly saw the flag
The flag of this question is:
flag{870c5a72806115cb5439345d8b014396}
BUUCTF-MISC-LSB
topic
answer
According to the topic analysis, it is an LSB steganographic question
Download the attachment, open the compressed package and decompress it locally, and found that it is a picture
Put the picture in kali and use the zsteg tool for analysis
The analysis shows that the PNG image is hidden in the image, we extract it, and use the zsteg command line or stegsolve tool to extract and view it
Put the picture into stegsolve, extract the data, check the least significant bit, find the PNG picture, and save it in advance
The format of the exported image is png
After saving, it is found to be a QR code. Scan the code or put it in the QR code tool to view it:
If flag is found, replace cumtctf in cumtctf{1sb_i4_s0_Ea4y} with flag
The flag of this question is:
flag{1sb_i4_s0_Ea4y}
BUUCTF-MISC-zip pseudo encryption
topic
Download additional zip
answer
After opening the compressed package, it is found that the flag text file inside is encrypted. According to the prompt information, the APK is pseudo-encrypted. We use the ZipCenOp tool to crack it.
method one:
Found that the compressed package is encrypted, we can try to brute force crack the password of the compressed package, and throw the compressed package into Ziperello
Blast the password and find that the password is not found. Blasting to no avail.
Open the archive with a 010 hex editor
The zip file consists of three parts:
Compressed source file data area + compressed source file directory area + compressed source file directory end sign
Compressed source file data area: 50 4B 03 04: This is the header file mark
Compressed source file directory area: 50 4B 01 02: file header mark in the directory
1F 00: The pkware version used for compression
14 00: The pkware version required to decompress the file
00 00: global mode bit mark (with or without encryption, this change here performs pseudo-encryption, if it is changed to 09 00, it will prompt for a password)
Compressed source file directory end mark: 50 4B 05 06
Determine whether to encrypt:
Only the second number among the four numbers marked by the global mode bit has an influence on it , and no matter what the other values are, it will not affect its encryption properties, namely:
When the second number is odd –> encrypt
When the second number is even –> unencrypted
1. No encryption:
The global mode bit mark of the compressed source file data area should be 00 00 (after 50 4B 03 04 14 00)
And the global mode bit mark of the compressed source file directory area should be 00 00 (after 50 4B 01 02 14 00)
2. Pseudo-encryption
The global mode bit mark of the compressed source file data area should be 00 00 (after 50 4B 03 04 14 00)
And the global mode bit mark of the compressed source file directory area should be 09 00 (after 50 4B 01 02 14 00)
3. True Encryption
The global mode bit mark of the compressed source file data area should be 09 00 (after 50 4B 03 04 14 00)
And the global mode bit mark of the compressed source file directory area should be 09 00 (after 50 4B 01 02 14 00)
The hexadecimal information of the compressed package for this question:
It is found that 09 appears after 50 4B 03 04 and 50 4B 01 02, which may be true encryption, but after the above blasting, the password is not successfully blasted, then try to modify the hexadecimal value, first come to the normal 50 4B 01 Change the 09 after 02 to an even number to try
After changing to an even number, open the compressed package and find that there is no password, you can check the flag directly.
The flag of this question is: flag{Adm1N-B2G-kU-SZIP}
Through this question, we found that we checked the compressed package through the hexadecimal system and found that it was a real encrypted compressed package, but it failed after blasting. We tried to modify the hexadecimal point, but the result was still a pseudo-encrypted question. From this question, we can see that the above conclusions are also true. It is not possible to judge with 100% whether the compressed package is pseudo-encrypted. All we can directly use tools to crack, using the APK pseudo-encryption tool ZipCenOp. The tools are more realistic.
Method Two:
Use the APK pseudo-encryption tool ZipCenOp to crack:
Re-open the compressed package and find that the flag text file can be opened normally, and the flag can be viewed normally
The flag of this question is:
flag{Adm1N-B2G-kU-SZIP}