Misc
pcb5-ZipCracker
压缩包伪加密可解压
图片binwalk可以得到flag1.txt和flag2.txt

FM解调得到音频
| import numpy as np import matplotlib.pyplot as plt from scipy import signal import scipy.io.wavfile as wav
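def nbfm_demodulate(i_file, q_file, output_wav='recovered_audio.wav', *,
                    usrp_rate=576000, if_rate=192000, samp_rate=48000,
                    max_dev=5000):
    """
    从NBFM调制的I/Q文件中恢复原始音频

    Recover baseband audio from a narrow-band FM capture stored as two raw
    float32 sample files (in-phase and quadrature), and write it as 16-bit PCM.
    Processing chain: decimate to ``if_rate`` -> low-pass -> phase
    discriminator -> anti-alias + decimate to ``samp_rate`` -> normalise.

    参数:
        i_file: 实部数据文件 (flag1.txt), raw float32 samples read with np.fromfile
        q_file: 虚部数据文件 (flag2.txt), raw float32 samples read with np.fromfile
        output_wav: 输出音频文件名
        usrp_rate: sample rate of the I/Q capture in Hz (default 576 kHz)
        if_rate: intermediate rate the complex signal is decimated to, in Hz
        samp_rate: output audio sample rate in Hz
        max_dev: peak FM deviation in Hz used to scale the discriminator output

    返回:
        numpy array of float audio normalised to [-1, 1], or None when the
        input files cannot be read or contain no samples.

    Raises:
        ValueError: if usrp_rate/if_rate or if_rate/samp_rate is not an
            integer, or (from scipy) if the capture is too short to filter.
    """
    # Both stages decimate by an integer factor; refuse rates that would be
    # silently floored by ``//``.
    if usrp_rate % if_rate or if_rate % samp_rate:
        raise ValueError("usrp_rate/if_rate and if_rate/samp_rate must be integers")
    decim_factor = usrp_rate // if_rate
    decim_factor2 = if_rate // samp_rate

    print("[1/7] 读取I/Q数据文件...")
    try:
        i_data = np.fromfile(i_file, dtype=np.float32)
        q_data = np.fromfile(q_file, dtype=np.float32)
    except (OSError, ValueError) as e:
        print(f"错误:无法读取文件 - {e}")
        return None
    print(f" - I数据长度: {len(i_data)}")
    print(f" - Q数据长度: {len(q_data)}")

    # The two dumps may differ in length; use the common prefix.
    min_len = min(len(i_data), len(q_data))
    if min_len == 0:
        print("错误:输入文件中没有样本")
        return None

    print("\n[2/7] 构造复数信号...")
    complex_signal = i_data[:min_len] + 1j * q_data[:min_len]
    print(f" - 复数信号长度: {len(complex_signal)}")
    print(f" - 采样率: {usrp_rate} Hz")

    print("\n[3/7] 降采样到中频采样率...")
    complex_signal = signal.decimate(complex_signal, decim_factor, ftype='fir')
    print(f" - 降采样因子: {decim_factor}")
    print(f" - 新信号长度: {len(complex_signal)}")
    print(f" - 新采样率: {if_rate} Hz")

    print("\n[4/7] 低通滤波...")
    cutoff = 5000  # Hz: channel bandwidth kept before the discriminator
    nyquist = if_rate / 2
    b, a = signal.butter(5, cutoff / nyquist, btype='low')
    # filtfilt gives zero phase distortion, which the phase-based detector below needs.
    complex_signal = signal.filtfilt(b, a, complex_signal)
    print(f" - 截止频率: {cutoff} Hz")

    print("\n[5/7] NBFM解调(鉴频)...")
    # Instantaneous frequency = d(phase)/dt, in Hz; dividing by the peak
    # deviation puts a full-swing modulating signal at about +/-1.
    phase = np.unwrap(np.angle(complex_signal))
    demodulated = np.diff(phase) * if_rate / (2 * np.pi)
    demodulated = demodulated / max_dev
    print(f" - 解调后信号长度: {len(demodulated)}")
    print(f" - 信号范围: [{demodulated.min():.3f}, {demodulated.max():.3f}]")

    print("\n[6/7] 降采样到音频采样率...")
    # Extra anti-alias filter (80 % of the new Nyquist) before the FIR decimator.
    b_audio, a_audio = signal.butter(5, 0.8 / decim_factor2, btype='low')
    demodulated = signal.filtfilt(b_audio, a_audio, demodulated)
    audio = signal.decimate(demodulated, decim_factor2, ftype='fir')
    print(f" - 降采样因子: {decim_factor2}")
    print(f" - 音频信号长度: {len(audio)}")
    print(f" - 采样率: {samp_rate} Hz")
    print(f" - 时长: {len(audio)/samp_rate:.2f} 秒")

    # Remove DC (carrier offset) and normalise to full scale. A silent capture
    # has peak 0; skip the division rather than producing NaNs in the WAV.
    audio = audio - np.mean(audio)
    peak = np.max(np.abs(audio))
    if peak > 0:
        audio = audio / peak

    print("\n[7/7] 保存音频文件...")
    audio_int16 = (audio * 32767).astype(np.int16)
    wav.write(output_wav, samp_rate, audio_int16)
    print(f" - 输出文件: {output_wav}")
    print(f" - 格式: 16-bit PCM, {samp_rate} Hz")
    return audio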
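def alternative_demod(i_file, q_file, output_wav='recovered_audio2.wav'):
    """
    备用解调方法:使用quadrature解调

    Quadrature (polar-discriminator) NBFM demodulation: the phase advance
    between consecutive complex samples, ``angle(x[n] * conj(x[n-1]))``, is
    the instantaneous frequency. Same 576 kHz -> 192 kHz -> 48 kHz rate chain
    as ``nbfm_demodulate`` but without the intermediate low-pass filter.

    参数:
        i_file: raw float32 I samples, read with np.fromfile
        q_file: raw float32 Q samples, read with np.fromfile
        output_wav: 输出音频文件名

    返回:
        numpy array of demodulated audio normalised to [-1, 1].

    Raises:
        OSError: if an input file cannot be read.
        ValueError: if fewer than two complex samples remain after decimation.
    """
    print("\n" + "="*50)
    print("[备用方法] 使用Quadrature解调")
    print("="*50)
    usrp_rate = 576000
    if_rate = 192000
    samp_rate = 48000
    # Derive both decimation stages from the rates rather than hard-coding 3 and 4.
    decim_if = usrp_rate // if_rate
    decim_audio = if_rate // samp_rate

    i_data = np.fromfile(i_file, dtype=np.float32)
    q_data = np.fromfile(q_file, dtype=np.float32)
    min_len = min(len(i_data), len(q_data))
    complex_signal = i_data[:min_len] + 1j * q_data[:min_len]
    complex_signal = signal.decimate(complex_signal, decim_if, ftype='fir')
    if len(complex_signal) < 2:
        raise ValueError("not enough samples for quadrature demodulation")

    # Phase difference between neighbouring samples, computed once (the
    # product used to be evaluated three times) and taken with np.angle,
    # which is exactly arctan2(imag, real).
    delta = complex_signal[1:] * np.conj(complex_signal[:-1])
    demod = np.angle(delta)
    demod = signal.decimate(demod, decim_audio, ftype='fir')

    # Normalise to full scale; skip the division on a silent capture instead
    # of producing NaNs.
    peak = np.max(np.abs(demod))
    if peak > 0:
        demod = demod / peak
    audio_int16 = (demod * 32767).astype(np.int16)
    wav.write(output_wav, samp_rate, audio_int16)
    print(f"备用方法输出: {output_wav}")
    return demod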
if __name__ == "__main__":
    # Script entry point: run the primary demodulator on the two byte dumps
    # carved out of the image and write the recovered audio next to them.
    banner = "=" * 50
    print(banner)
    print("CTF NBFM信号解调工具")
    print(banner)
    audio = nbfm_demodulate('flag1.txt', 'flag2.txt', 'recovered_audio.wav')
    print("\n" + banner)
    print("[完成] 解调完成!")
    print(banner)
音频解莫斯码,得到解压密码

得到两个文件

已知部分内容

bkcrack明文攻击得到flag
| PS D:\Tools\misc\bkcrack-1.8.1-win64\bkcrack-1.8.1-win64> .\bkcrack.exe -C .\flag.zip -c flag.txt -x 0 666c61677b593075 -x 25 2121217d bkcrack 1.8.1 - 2025-10-25 [13:14:31] Z reduction using 1 bytes of known plaintext 100.0 % (1 / 1) [13:14:31] Attack on 2555904 Z values at index 6 Keys: 33b19021 93c4a78d 9ceed931 13.3 % (339246 / 2555904) Found a solution. Stopping. You may resume the attack with the option: --continue-attack 339246 [13:17:00] Keys 33b19021 93c4a78d 9ceed931 PS D:\Tools\misc\bkcrack-1.8.1-win64\bkcrack-1.8.1-win64> .\bkcrack.exe -C .\flag.zip -c .\flag.txt -k 33b19021 93c4a78d 9ceed931 -d flag.txt bkcrack 1.8.1 - 2025-10-25 [13:19:43] Writing deciphered data flag.txt Zip error: found no entry named ".\flag.txt". PS D:\Tools\misc\bkcrack-1.8.1-win64\bkcrack-1.8.1-win64> .\bkcrack.exe -C .\flag.zip -k 33b19021 93c4a78d 9ceed931 -U new.zip 123456 bkcrack 1.8.1 - 2025-10-25 [13:20:23] Writing unlocked archive new.zip with password "123456" 100.0 % (1 / 1) Wrote unlocked archive. PS D:\Tools\misc\bkcrack-1.8.1-win64\bkcrack-1.8.1-win64>
https://www.cnblogs.com/start1/p/19065842
pcb5-Hidden
图片随波逐流可以发现密码


pcb5-whiteout
加载镜像容器
docker load -i .\image.tar
docker load -i .\image.tar                              # import the image tarball into the local image store
docker images                                           # list images to find the tag that was just loaded
docker run -it misc_docker_whiteout:latest /bin/bash    # start an interactive shell in a container from that image
进入docker之后发现decode.py

但是目录下的syslog.bin文件已经被删除
在目录\whiteout\image\blobs\sha256搜索syslog.bin


pcb5-SMB
解密SMB2流量
username::domain:ntlmv2_response.chall:ntproofstr:不包含 ntproofstr 的 ntlmv2_response 值
| # smb.txt rockyou::PC:5649f6b5969a9fbf:f8cb9296a5206484b1baf6bce47abe3b: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
hashcat爆破
| PS D:\Tools\crypto\hashcat-6.2.6\hashcat-6.2.6> .\hashcat.exe -m 5600 .\smb2.txt .\rockyou.txt --show ROCKYOU::PC:5649f6b5969a9fbf:f8cb9296a5206484b1baf6bce47abe3b:0101000000000000f68d75c3fb59dc01ba30ab51dc5395c3000000000200160046004c00410047002d005300450052005600450052000100160046004c00410047002d005300450052005600450052000400160046004c00410047002d005300450052005600450052000300160046004c00410047002d0053004500520056004500520007000800f68d75c3fb59dc0106000400020000000800300030000000000000000100000000200000c06bb8a56b86b084ba3cfc2b7e5a0eaef96088346e865b0c93bdd8b4de440ff70a001000000000000000000000000000000000000900200063006900660073002f0046004c00410047002d005300450052005600450052000000000000000000:12megankirwin12 PS D:\Tools\crypto\hashcat-6.2.6\hashcat-6.2.6>

可以解密流量

还有一种方法需要计算sessionKey
| from Crypto.Cipher import ARC4 from Crypto.Hash import MD4, MD5, HMAC
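# --- NTLMv2 session-key recovery (MS-NLMP key derivation) ---
# Inputs are taken from the captured NTLMSSP exchange and the hashcat result above.
password = '12megankirwin12'                      # recovered by hashcat (-m 5600)
# NT hash = MD4 over the UTF-16LE password. Everything below is derived from
# it, which is why a dictionary-crackable password also gives up the session
# key and, with it, the protected SMB traffic.
passwordHash = MD4.new(password.encode('utf-16-le')).hexdigest()
username = 'rockyou'
domain = 'PC'
ntProofStr = 'f8cb9296a5206484b1baf6bce47abe3b'   # first 16 bytes of the NTLMv2 response
serverChallenge = '5649f6b5969a9fbf'              # kept for reference; not needed once NTProofStr is known
sessionKey = '8a71c61fcb8ed0c8d011a5bf7591b0c3'   # presumably the EncryptedRandomSessionKey field of the AUTHENTICATE message

# NTOWFv2 = HMAC_MD5(NT hash, UTF-16LE(upper(user) + domain)).
# MS-NLMP upper-cases only the user name; the domain is used as captured.
# 'PC' is already upper-case, so the result is unchanged for this capture.
responseKey = HMAC.new(bytes.fromhex(passwordHash),
                       (username.upper() + domain).encode('utf-16-le'), MD5).digest()
# KeyExchangeKey = HMAC_MD5(NTOWFv2, NTProofStr) for NTLMv2.
keyExchangeKey = HMAC.new(responseKey, bytes.fromhex(ntProofStr), MD5).digest()
# The random session key travels RC4-encrypted under the KeyExchangeKey.
decryptedSessionKey = ARC4.new(keyExchangeKey).decrypt(bytes.fromhex(sessionKey))
print(f'Decrypted SMB Session Key is: {decryptedSessionKey.hex()}')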
然后去填写

https://perfsky.github.io/matches/qiangwang2024-misc/
导出letter.zip

压缩包里是一个exe文件,压缩包带密码

根据exe头固定内容进行明文攻击

| PS D:\Tools\misc\bkcrack-1.8.1-win64\bkcrack-1.8.1-win64> .\bkcrack.exe -C "E:\pcb\Misc\SMB\letter.zip" -c "letter.exe" -x 0 4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000000000000 bkcrack 1.8.1 - 2025-10-25 [19:37:12] Z reduction using 50 bytes of known plaintext 100.0 % (50 / 50) [19:37:13] Attack on 160906 Z values at index 6 Keys: 68cc45ab 864060ce ac958caa 47.5 % (76402 / 160906) Found a solution. Stopping. You may resume the attack with the option: --continue-attack 76402 [19:37:39] Keys 68cc45ab 864060ce ac958caa PS D:\Tools\misc\bkcrack-1.8.1-win64\bkcrack-1.8.1-win64> .\bkcrack.exe -C "E:\pcb\Misc\SMB\letter.zip" -c "letter.exe" -k 68cc45ab 864060ce ac958caa -U "E:\pcb\Misc\SMB\flag.zip" 123456 bkcrack 1.8.1 - 2025-10-25 [19:38:26] Writing unlocked archive E:\pcb\Misc\SMB\flag.zip with password "123456" 100.0 % (1 / 1) Wrote unlocked archive. PS D:\Tools\misc\bkcrack-1.8.1-win64\bkcrack-1.8.1-win64>
多次运行发现会随机输出一个字符

搜索字符串可以定位到

动调可以跟进到
// IDA pseudo-code of the Rust `<String as FromIterator<char>>::from_iter`
// instantiation reached by the binary. a1/a2 are not used; the input is the
// byte range [a3, a5) and a4 receives the resulting String (three 64-bit
// words). Net effect of the loop: every input byte is XORed with 0x42 and
// appended as a char, so the produced string is the byte-wise XOR-0x42 of
// the buffer at a3.
_QWORD *__fastcall _$LT$alloc..string..String$u20$as$u20$core..iter..traits..collect..FromIterator$LT$char$GT$$GT$::from_iter::h8922e7021132a38c( _DWORD a1, _DWORD a2, __int64 a3, _QWORD *a4, __int64 a5)
{
  __int64 v6;
  __int64 v9;
  __int64 v10;
  char v11;
  unsigned __int64 v12;
  __int64 v13;
  unsigned __int8 v14;
  __int64 v15;
  __int64 v16;
  __int64 v17;
  __int64 v18;

  // v16/v17/v18 hold the String under construction; the final stores below
  // suggest the layout (capacity, pointer, length). ptr = 1 is consistent
  // with the dangling pointer an empty Vec<u8> starts with -- inferred.
  v16 = 0LL;
  v17 = 1LL;
  v18 = 0LL;
  v6 = a5 - a3;                                   // number of input bytes
  if ( a5 != a3 )
  {
    // Reserve at least one output byte per input byte up front.
    alloc::raw_vec::RawVecInner$LT$A$GT$::reserve::do_reserve_and_handle::h0d69aea4efd9441c(v6, a4, 0LL, &v16, v6);
    v9 = v18;                                     // running output length
    v10 = 0LL;                                    // input index
    do
    {
      v11 = *(_BYTE *)(a3 + v10);                 // next input byte; signed, so < 0 means >= 0x80
      v12 = (v11 < 0) + 1LL;                      // UTF-8 width of the resulting char: 2 bytes when >= 0x80
      v13 = v9;
      if ( v12 > v16 - v9 )                       // grow when (capacity - length) cannot take the char
      {
        alloc::raw_vec::RawVecInner$LT$A$GT$::reserve::do_reserve_and_handle::h0d69aea4efd9441c( v6, a4, v9, &v16, (v11 < 0) + 1LL);
        v13 = v18;
      }
      v14 = v11 ^ 0x42;                           // the de-obfuscation step: XOR each byte with 0x42
      v15 = v17;
      if ( v11 < 0 )
      {
        // Two-byte UTF-8 encoding of a value >= 0x80 (bit 7 survives the XOR):
        // continuation byte 10xxxxxx at offset +1, lead byte 110000xx at +0.
        *(_BYTE *)(v17 + v13 + 1) = v14 & 0xBF;
        v14 = (v14 >> 6) | 0xC0;
      }
      *(_BYTE *)(v15 + v13) = v14;                // store the char's first (or only) byte
      v9 += v12;
      v18 = v9;                                   // commit the new length
      ++v10;
    }
    while ( v6 != v10 );
  }
  a4[2] = v18;                                    // len
  *a4 = v16;                                      // cap
  a4[1] = v17;                                    // ptr
  return a4;
}
a3指向的数据异或了0x42


Blue
附件只有一张图片

LSB隐写

根据题目名称blue,蓝色通道全选可以发现

保存为二进制文件后,对文件进行处理,保留每个字节的高四位
| """ 处理二进制文件脚本 读取二进制文件的所有字节,去除每个字节的低4位(保留高4位) """
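def process_binary_file(input_file, output_file=None):
    """
    处理二进制文件,去除每个字节的低4位

    Read *input_file*, keep only the high nibble of every byte and pack two
    such nibbles into one output byte (first byte's nibble in the high half,
    second byte's nibble in the low half). A trailing odd byte contributes its
    nibble as the high half of a final byte whose low half is zero, so the
    output is half the input size rounded up.

    Args:
        input_file: 输入二进制文件路径
        output_file: 输出文件路径,如果为None则为 input_file + '_processed'

    Returns:
        True on success; False when the input is missing or an I/O error
        occurs (the error is printed, not raised).
    """
    if output_file is None:
        output_file = input_file + '_processed'
    try:
        with open(input_file, 'rb') as f:
            data = f.read()
        print(f"✓ 成功读取文件: {input_file}")
        print(f"✓ 文件大小: {len(data)} 字节")

        # (b & 0xF0) is the high nibble already in place; the following byte's
        # high nibble is shifted down into the low half. Pad a lone final byte
        # with a zero so nothing is dropped.
        padded = data + b'\x00' * (len(data) % 2)
        processed_data = bytes(
            (padded[i] & 0xF0) | (padded[i + 1] >> 4)
            for i in range(0, len(padded), 2)
        )

        with open(output_file, 'wb') as f:
            f.write(processed_data)

        print(f"✓ 成功处理并保存到: {output_file}")
        print(f"✓ 原始文件大小: {len(data)} 字节")
        print(f"✓ 处理后文件大小: {len(processed_data)} 字节")
        # An empty input used to raise ZeroDivisionError here, after the
        # (empty) output had already been written and reported as a failure.
        if data:
            print(f"✓ 压缩比: {len(processed_data) / len(data) * 100:.1f}%")
        return True
    except FileNotFoundError:
        print(f"✗ 错误: 找不到文件 {input_file}")
        return False
    except OSError as e:
        print(f"✗ 错误: {e}")
        return False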
if __name__ == '__main__':
    # Default paths for this challenge: the raw dump pulled from the blue
    # channel goes in, the reconstructed archive comes out.
    process_binary_file('test', output_file='flag.zip')
提取出压缩包后还是一样的套路
| PS D:\Tools\misc\bkcrack-1.8.1-win64\bkcrack-1.8.1-win64> .\bkcrack.exe -C "E:\pcb\Misc\blue\flag.zip" -c xor.png -x 0 89504E470D0A1A0A0000000D49484452 bkcrack 1.8.1 - 2025-10-25 [20:15:01] Z reduction using 9 bytes of known plaintext 100.0 % (9 / 9) [20:15:01] Attack on 707085 Z values at index 6 Keys: 68cc45ab 864060ce ac958caa 29.2 % (206173 / 707085) Found a solution. Stopping. You may resume the attack with the option: --continue-attack 206173 [20:16:52] Keys 68cc45ab 864060ce ac958caa PS D:\Tools\misc\bkcrack-1.8.1-win64\bkcrack-1.8.1-win64> .\bkcrack.exe -C "E:\pcb\Misc\blue\flag.zip" -k 68cc45ab 864060ce ac958caa -U "E:\pcb\Misc\blue\decflag.zip" 123456 bkcrack 1.8.1 - 2025-10-25 [20:21:05] Writing unlocked archive E:\pcb\Misc\blue\decflag.zip with password "123456" 100.0 % (1 / 1) Wrote unlocked archive. PS D:\Tools\misc\bkcrack-1.8.1-win64\bkcrack-1.8.1-win64>
压缩包中有一张图片

提示为xor,且该图片中还有一张图片,用foremost提取得到

有蓝色条纹

双图xor之后可以得到

之后双图盲水印
| PS D:\Tools\misc\WaterMakr(水印)\BlindWaterMark> python .\bwmforpy3.py decode "E:\pcb\Misc\blue\decflag\foremost_output\png\00000000.png" "E:\pcb\Misc\blue\decflag\foremost_output\png\solved.bmp" "E:\pcb\Misc\blue\decflag\foremost_output\png\flag.png" image<E:\pcb\Misc\blue\decflag\foremost_output\png\00000000.png> + image(encoded)<E:\pcb\Misc\blue\decflag\foremost_output\png\solved.bmp> -> watermark<E:\pcb\Misc\blue\decflag\foremost_output\png\flag.png> [ WARN:0@4.468] global loadsave.cpp:1063 cv::imwrite_ Unsupported depth image for selected encoder is fallbacked to CV_8U. PS D:\Tools\misc\WaterMakr(水印)\BlindWaterMark>
