buu-16

March 03, 2022 6437

[INSHack2017]remote-multimedia-controller

image-20220303201420510

描述看起来很nb的样子，事实上是一个简单的流量分析

image-20220303201513861

找到最长的包发现base64，然后结果是个套娃

image-20220303201549086

一路到底

image-20220304141328968

收获了一大堆的文件，题目叫一路到底，我还以为只要找到最后一个文件就可以有flag，观察了一下文件大小，找到了

image-20220304141511196

啥也没有啊，看wp了，这是什么奇怪玩意

image-20220304141714830

麻了，重点居然在前面，这玩意拼起来是一个压缩包，研究了一下大佬的脚本

import binascii

hex_data = ''
with open(r'C:\Users\lxy0218\Desktop\38ff11ef-e3d3-4f8a-b163-3d300bc016ea\files\start.txt', encoding='gbk') as f:
    cont = f.read()
    next_txt = cont[-36:]
    hex_data += '{:04x}'.format(int(cont[0:cont.find(':')-1]))#:04x指的是输出四位十六进制数
    #print(hex_data)
    while True:
        path = './files/' +  next_txt
        try:
            with open(path) as f:
                cont = f.read()
                next_txt = cont[-36:]
                hex_data += '{:04x}'.format(int(cont[0:cont.find(':')-1]))
        except:
            break
with open('flag.zip','wb') as f:
    f.write(binascii.unhexlify(hex_data))#以十六进制文本写入文件

image-20220304150636678

谁会想到这里是真加密然后还是小写字母和数字爆破。。。。。离谱

然后把文件头改为jpg

[SUCTF2018]dead_z3r0

image-20220304181851123

疑似base64的东西

image-20220304182145980

感觉是被编译过的，怀疑是pyc，也许是隐写

image-20220304182820609

理论上说，这样可以得到结果，but，这个环境抽了

image-20220304183854819

不用python了

image-20220304184342008

英语看的题目描述很奇怪，翻译成中文，我只想表示我并不知道这是个啥

给的是个音频

image-20220304184646459

有点东西

deepsound又是什么好软件，还要爆破文件密码

附上大佬的脚本

#!/usr/bin/env python3
'''
deepsound2john extracts password hashes from audio files containing encrypted
data steganographically embedded by DeepSound (http://jpinsoft.net/deepsound/).
This method is known to work with files created by DeepSound 2.0.
Input files should be in .wav format. Hashes can be recovered from audio files
even after conversion from other formats, e.g.,
    ffmpeg -i input output.wav
Usage:
    python3 deepsound2john.py carrier.wav > hashes.txt
    john hashes.txt
This software is copyright (c) 2018 Ryan Govostes <rgovostes@gmail.com>, and
it is hereby released to the general public under the following terms:
Redistribution and use in source and binary forms, with or without
modification, are permitted.
'''

import logging
import os
import sys
import textwrap


def decode_data_low(buf):
  return buf[::2]

def decode_data_normal(buf):
  out = bytearray()
  for i in range(0, len(buf), 4):
    out.append((buf[i] & 15) << 4 | (buf[i + 2] & 15))
  return out

def decode_data_high(buf):
  out = bytearray()
  for i in range(0, len(buf), 8):
    out.append((buf[i] & 3) << 6     | (buf[i + 2] & 3) << 4 \
             | (buf[i + 4] & 3) << 2 | (buf[i + 6] & 3))
  return out


def is_magic(buf):
  # This is a more efficient way of testing for the `DSCF` magic header without
  # decoding the whole buffer
  return (buf[0] & 15)  == (68 >> 4) and (buf[2]  & 15) == (68 & 15) \
     and (buf[4] & 15)  == (83 >> 4) and (buf[6]  & 15) == (83 & 15) \
     and (buf[8] & 15)  == (67 >> 4) and (buf[10] & 15) == (67 & 15) \
     and (buf[12] & 15) == (70 >> 4) and (buf[14] & 15) == (70 & 15)


def is_wave(buf):
  return buf[0:4] == b'RIFF' and buf[8:12] == b'WAVE'


def process_deepsound_file(f):
  bname = os.path.basename(f.name)
  logger = logging.getLogger(bname)

  # Check if it's a .wav file
  buf = f.read(12)
  if not is_wave(buf):
    global convert_warn
    logger.error('file not in .wav format')
    convert_warn = True
    return
  f.seek(0, os.SEEK_SET)

  # Scan for the marker...
  hdrsz = 104
  hdr = None

  while True:
    off = f.tell()
    buf = f.read(hdrsz)
    if len(buf) < hdrsz: break

    if is_magic(buf):
          hdr = decode_data_normal(buf)
          logger.info('found DeepSound header at offset %i', off)
          break

    f.seek(-hdrsz + 1, os.SEEK_CUR)

  if hdr is None:
    logger.warn('does not appear to be a DeepSound file')
    return

  # Check some header fields
  mode = hdr[4]
  encrypted = hdr[5]

  modes = {
    
    2: 'low', 4: 'normal', 8: 'high'}
  if mode in modes:
    logger.info('data is encoded in %s-quality mode', modes[mode])
  else:
    logger.error('unexpected data encoding mode %i', modes[mode])
    return

  if encrypted == 0:
    logger.warn('file is not encrypted')
    return
  elif encrypted != 1:
    logger.error('unexpected encryption flag %i', encrypted)
    return

  sha1 = hdr[6:6+20]
  print('%s:$dynamic_1529$%s' % (bname, sha1.hex()))


if __name__ == '__main__':
  import argparse

  parser = argparse.ArgumentParser()
  parser.add_argument('--verbose', '-v', action='store_true')
  parser.add_argument('files', nargs='+', metavar='file',
    type=argparse.FileType('rb', bufsize=4096))
  args = parser.parse_args()

  if args.verbose:
    logging.basicConfig(level=logging.INFO)
  else:
    logging.basicConfig(level=logging.WARN)

  convert_warn = False

  for f in args.files:
    process_deepsound_file(f)

  if convert_warn:
    print(textwrap.dedent('''
    ---------------------------------------------------------------
    Some files were not in .wav format. Try converting them to .wav
    and try again. You can use: ffmpeg -i input output.wav
    ---------------------------------------------------------------
    '''.rstrip()), file=sys.stderr)