I recently set up a CTF site on an Amazon EC2 cloud host. You can reach it directly by address (http://35.86.165.89) or through the domain ctf.hackbiji.top; the site is expected to stay up until the end of 2023, so try it while you can. Earlier we worked through the beginner, basic and intermediate image steganography challenges; now it is time for the advanced ones. They are a little harder. At ease, attention, sit down, buckle up, here we go.
ailx10
1. 16 PNG IDAT

sudo apt install pngcheck

Running pngcheck shows that the last IDAT chunk in the image was constructed by hand: every IDAT is filled to 65524 bytes before the next one is written, yet the second-to-last IDAT is only 45027 bytes, clearly not full, so the final IDAT of 138 bytes must be forged.

Open the file in WinHex and jump to the offset of the last IDAT chunk to view its hex contents.

Inflating the added IDAT chunk with a script (zlib) yields a 625-character 0/1 string; the square root of 625 is 25, so it is a square.
# python3
import zlib

# hex contents of the forged IDAT chunk copied from WinHex
IDAT = bytes.fromhex("789C5D91011280400802BF04FFFF5C75294B5537738A21A27D1E49CFD17DB3937A92E7E603880A6D485100901FB0410153350DE83112EA2D51C54CE2E585B15A2FC78E8872F51C6FC1881882F93D372DEF78E665B0C36C529622A0A45588138833A170A2071DDCD18219DB8C0D465D8B6989719645ED9C11C36AE3ABDAEFCFC0ACF023E77C17C7897667")
result = zlib.decompress(IDAT)   # the chunk is a complete zlib stream on its own
print(result)
print(len(result))               # 625 = 25 * 25

Convert the 0/1 string into a QR code:

from PIL import Image

MAX = 25                         # 625 bits -> 25 x 25 square
pic = Image.new("RGB", (MAX, MAX))
# the 625-character string decompressed from the forged IDAT chunk
bits = "1111111000100001101111111100000101110010110100000110111010100000000010111011011101001000000001011101101110101110110100101110110000010101011011010000011111111010101010101111111000000001011101110000000011010011000001010011101101111010101001000011100000000000101000000001001001101000100111001111011100111100001110111110001100101000110011100001010100011010001111010110000010100010110000011011101100100001110011100100001011111110100000000110101001000111101111111011100001101011011100000100001100110001111010111010001101001111100001011101011000111010011100101110100100111011011000110000010110001101000110001111111011010110111011011"
i = 0
for y in range(0, MAX):
    for x in range(0, MAX):
        if bits[i] == '1':
            pic.putpixel((x, y), (0, 0, 0))        # 1 -> black module
        else:
            pic.putpixel((x, y), (255, 255, 255))  # 0 -> white module
        i = i + 1
pic.show()
# pic.save("flag.png")

Scan it and the flag comes out directly.
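The chunk-level check above can be automated. The script below is an added example, not the author's code: it walks the PNG chunk table, verifies each chunk CRC, and flags any IDAT after the first that inflates as a complete zlib stream by itself (a genuine PNG carries one zlib stream sliced across its IDATs, so a standalone stream is an appended chunk). The small test PNG and the hidden bit string it builds are constructed here, not taken from the challenge, so it runs offline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_chunks(data):
    """Walk a PNG and yield (chunk_type, payload, crc_ok) for every chunk."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    pos = 8
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        crc_ok = (zlib.crc32(ctype + payload) & 0xFFFFFFFF) == crc
        yield ctype.decode("ascii"), payload, crc_ok
        pos += 12 + length

def find_extra_idat(data):
    """Flag IDAT chunks after the first that inflate on their own: real IDATs
    are slices of one zlib stream, so a later self-contained stream was appended."""
    idats = [(i, p) for i, (t, p, _) in enumerate(png_chunks(data)) if t == "IDAT"]
    found = []
    for i, payload in idats[1:]:
        try:
            found.append((i, zlib.decompress(payload)))
        except zlib.error:
            pass  # a normal mid-stream slice cannot be inflated alone
    return found

def chunk(ctype, payload):
    """Serialize one chunk: length, type, payload, CRC over type+payload."""
    body = ctype + payload
    return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)

def build_sample():
    """Constructed 4x4 8-bit grayscale PNG: image stream split over two IDATs,
    plus a third IDAT carrying a separately deflated 0/1 string."""
    raw = b"".join(b"\x00" + bytes([v] * 4) for v in (0, 85, 170, 255))  # filter byte 0 per row
    stream = zlib.compress(raw)
    ihdr = struct.pack(">IIBBBBB", 4, 4, 8, 0, 0, 0, 0)
    secret = zlib.compress(b"1010" * 4)  # constructed stand-in for the 625-bit QR string
    return (PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", stream[:2])
            + chunk(b"IDAT", stream[2:]) + chunk(b"IDAT", secret) + chunk(b"IEND", b""))

if __name__ == "__main__":
    for index, bits in find_extra_idat(build_sample()):
        print(f"chunk {index}: standalone zlib stream, {len(bits)} bytes: {bits!r}")
```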
2. 17 GIF1 spatial domain

Analyze it frame by frame.

Adjusting the levels makes the hidden string much more visible; this is where the Mac laptop gets to show its strengths :)

Pulling the string out of the frames gives

Y2F0Y2hfdGhlX2R5bmFtaWNfZmxhZ19pc19xdW10ZV9zaW1wbGU=

Decoding it with base64 yields the flag directly.

echo "Y2F0Y2hfdGhlX2R5bmFtaWNfZmxhZ19pc19xdW10ZV9zaW1wbGU=" | base64 -d

3. 18 GIF2 time domain
The GIF will not open, which suggests it was tampered with internally. Inspecting it in WinHex shows the GIF header is missing and has to be added by hand.

Add a GIF header manually and save.

Opening it again shows 306 frames, all of which look alike.

Looking for a pattern in the timing instead: across the 304 frames the inter-frame delay is always either 10 or 20.

identify -format "%s %T \n" 100_KHf05OI.gif

Map 10 to 0 and 20 to 1 and we get a 304-character 0/1 string, 38 groups of 8 bits each; convert each group to its ASCII character and concatenate them to get the flag.
# python3
# frame delays reported by identify, concatenated as "20"/"10" pairs
str1 = "20102010102020202010202010102010201020202020201020102020101010202010101010201010202010101020201020201010201010202020101020102010202010102010101020201010201020102010102020201020201010202010201020101020201020102010102020102020202010102010202020101020201020202010102020102010201010202020201020201010202020102020101010202020201010202010202020101020201020102010102020102020202010102010202020201010201010102020101020201010202010102010201020201010201010202020101020102020202010102020101020101020202020102010102020102010201010202020101020101020201010202010102020202010202010102020101020201010201020102010101010102010"
str2 = str1.replace("20", "A")   # delay 20 -> A
str3 = str2.replace("10", "B")   # delay 10 -> B
str4 = str3.replace("B", "1")    # B (10) -> bit 1
str5 = str4.replace("A", "0")    # A (20) -> bit 0
ascii_chars = ""
for i in range(1, len(str5) + 1):
    if i % 8 == 0:               # every 8 bits form one ASCII character
        binary_str = str5[i - 8:i]
        decimal_num = int(binary_str, 2)
        ascii_char = chr(decimal_num)
        ascii_chars += ascii_char
print(ascii_chars)

4. 20 steghide stego 01
binwalk Misc.png

The image embeds a PDF, a JPEG and other files.

foremost Misc.png

This extracts a jpg and a pdf; the pdf is an encrypted document, and its password has to be extracted from the jpg.

steghide extract -sf 00001213.jpg

With that password the flag inside the pdf is successfully recovered.

5. 21 steghide stego 02

Trying steghide extraction without a passphrase fails.

Crack the steghide passphrase with the wordlist that ships with Kali.
# kali python3
import subprocess


def foo():
    stego_file = 'rose.jpg'
    extract_file = 'flag.txt'
    pass_file = '/usr/share/wordlists/john.lst'   # wordlist shipped with Kali
    # output fragments that mean the passphrase was wrong
    errors = ['could not extract', 'steghide --help', 'Syntax error']
    with open(pass_file, 'r', errors='ignore') as f:
        for line in f:
            passphrase = line.strip()
            # argument list instead of a shell string, so quotes or spaces
            # in a wordlist entry are passed through unchanged
            p = subprocess.run(
                ['steghide', 'extract', '-sf', stego_file, '-xf', extract_file, '-p', passphrase],
                stdout=subprocess.PIPE, stderr=subprocess.STDOUT, text=True)
            content = p.stdout
            for err in errors:
                if err in content:
                    break
            else:
                print(content)
                print(f'the passphrase is {passphrase}')
                return


if __name__ == '__main__':
    foo()
    print('ok')

Running the script on Kali gives the passphrase directly.

Run steghide again with it to get the flag.

steghide extract -sf rose.jpg -xf flag.txt -p 123456

Edited on 2023-11-29 20:56 · IP location: Jiangsu