Find
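The image's file name hints at LSB steganography. Opening it in stegsolve reveals a QR code, although it looks a little different from the QR codes we usually see.
Scanning it gives flag{hctf_3xF$235#\x5e3}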
Eaten by Me
Run binwalk on the file:

```
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
103315        0x19393         Zip archive data, at least v2.0 to extract, compressed size: 25, uncompressed size: 23, name: flag.txt
103468        0x1942C         End of Zip archive
```

A zip archive is embedded in the image, so carve it out with dd.
Open the archive, find flag.txt inside, and open it to get flag{WelcomeT3WhaleCTF}
Merged Whale
Run binwalk again:

```
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
103315        0x19393         JPEG image data, JFIF standard 1.01
```

There are two jpg images in the file. Separate them with dd to get the second image.
flag: flag{youfindmeWHALE}
Subspecies
Open the file in 0xED (a hex editor) and take a look.
Searching directly for "flag" finds flag{firsttry}
Rainy Day
Open the image in Preview: it contains 6 images in total, and the flag is hidden in the 5th: GUETCTF{Y0u_sEE_m3}
What Is This
Open the file in 0xED; at the very end there is a string in `&#` ASCII encoding.
Decoding it gives flag{pE3kQzmaMN}
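IHDR
An IHDR challenge usually means the image height has to be modified so that the lower part of the image is displayed.
So we need to change the height of the image.
Open it in notepad++.
PNG header: 89 50 4E 47 0D 0A 1A 0A
IHDR: 0d 49 48 44 52
The next four bytes are the width, which we leave alone; the four bytes after that are the height, which we make larger.
We change 09 90 to 0f f0.
Open the image to get FLAG{ihDR_ALSO_FUN}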
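An added example (not part of the original write-up): the same height edit done in Python, with the IHDR CRC recomputed so that strict decoders accept the file. It goes one step beyond the text by recovering the original height from the untouched CRC. The sample PNG and the use of 0x0990 / 0x0FF0 as complete height values are constructed assumptions.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def read_ihdr(png):
    """Return (width, height, stored_crc, crc_ok) from the IHDR chunk."""
    if png[:8] != PNG_SIG or png[12:16] != b"IHDR":
        raise ValueError("not a PNG with a leading IHDR chunk")
    width, height = struct.unpack(">II", png[16:24])
    stored = struct.unpack(">I", png[29:33])[0]
    return width, height, stored, zlib.crc32(png[12:29]) == stored

def set_height(png, height):
    """Rewrite the IHDR height and recompute the chunk CRC."""
    body = png[12:20] + struct.pack(">I", height) + png[24:29]
    return png[:12] + body + struct.pack(">I", zlib.crc32(body)) + png[33:]

def recover_height(png, limit=4096):
    """Find the height whose CRC matches the stored one (None if no match)."""
    stored = read_ihdr(png)[2]
    for h in range(1, limit + 1):
        body = png[12:20] + struct.pack(">I", h) + png[24:29]
        if zlib.crc32(body) == stored:
            return h
    return None

def make_png(width, height):
    """Build a small valid grayscale PNG (constructed sample input)."""
    def chunk(ctype, data):
        body = ctype + data
        return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    rows = b"".join(b"\x00" + bytes(width) for _ in range(height))
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b"")

if __name__ == "__main__":
    original = make_png(4, 0x0FF0)
    # Simulate the challenge file: height lowered, CRC left untouched.
    cropped = original[:20] + struct.pack(">I", 0x0990) + original[24:]
    print(read_ihdr(cropped))             # crc_ok is False: header was edited
    print(hex(recover_height(cropped)))   # height that matches the stored CRC
    print(set_height(cropped, 0x0FF0) == original)
```

A CRC mismatch on IHDR is itself a useful indicator that the dimensions were edited after the file was encoded.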
Angry Piggy
Again the image's name suggests LSB steganography, so open it in stegsolve.
A QR code turns up.
Scanning it gives flag{AppLeU0}
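Film Negative
The file name says jpg, but the file is actually in bmp format.
From the challenge information we guess LSB steganography (this challenge does not hide a QR code in the lowest bit plane; instead the lowest-level bits are replaced directly with the ASCII codes of the flag).
BMP file header:

Field | Size (bytes) | Description |
---|---|---|
bfType | 2 | Bitmap type; it differs between operating systems, and on Windows the value of this field is always 'BM' |
bfSize | 4 | Size of the BMP image file |
bfReserved1 | 2 | Always 0 |
bfReserved2 | 2 | Always 0 |
bfOffBits | 4 | Address of the BMP image data (reversed byte order) |

First read the bfOffBits field to find the offset of the data block, then read the data block, extract the least significant bit of each byte, and convert every eight bits to ASCII to find the flag.
Again, write a Python script: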
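```python
def decode(path):
    with open(path, 'rb') as fh:
        f = fh.read()
    # bfOffBits: 4-byte little-endian offset of the pixel data, stored at file offset 10
    bf_off_bits = int.from_bytes(f[10:14], 'little')
    # Collect the least significant bit of every byte in the data block
    bits = "".join(str(b & 0x1) for b in f[bf_off_bits:])
    # Regroup the bit string into bytes, eight bits at a time
    data = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))
    with open("flag", 'wb') as fsave:
        fsave.write(data)

decode(input("input file_name: "))
```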
Run it.
Open the generated file in notepad++ to get the flag: key_is_SimCTF{LSB_yinxie}
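Really an Animated Image
The image cannot be opened. Opening it in notepad++ shows that GIF8 is missing from the header; a normal gif header is GIF89(7)a.
After fixing the header, the image opens normally.
Looking through each frame gives: PASSWORD is Y2F0Y2hfdGhlX2R5bmFtaWNfZmxhZ19pc19xdWl0ZV9zaW1wbGU=
Base64-decoding it gives catch_the_dynamic_flag_is_quite_simple, so the flag is key{catch_the_dynamic_flag_is_quite_simple}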
Wrong Compression
Analyse the image with pngcheck:
```
qiqi@qiqi-Mac ~/Desktop> pngcheck -v sctf.png
File: sctf.png (1421461 bytes)
  chunk IHDR at offset 0x0000c, length 13
    1000 x 562 image, 32-bit RGB+alpha, non-interlaced
  chunk sRGB at offset 0x00025, length 1
    rendering intent = perceptual
  chunk gAMA at offset 0x00032, length 4: 0.45455
  chunk pHYs at offset 0x00042, length 9: 3780x3780 pixels/meter (96 dpi)
  chunk IDAT at offset 0x00057, length 65445
    zlib: deflated, 32K window, fast compression
  chunk IDAT at offset 0x10008, length 65524
  chunk IDAT at offset 0x20008, length 65524
  chunk IDAT at offset 0x30008, length 65524
  chunk IDAT at offset 0x40008, length 65524
  chunk IDAT at offset 0x50008, length 65524
  chunk IDAT at offset 0x60008, length 65524
  chunk IDAT at offset 0x70008, length 65524
  chunk IDAT at offset 0x80008, length 65524
  chunk IDAT at offset 0x90008, length 65524
  chunk IDAT at offset 0xa0008, length 65524
  chunk IDAT at offset 0xb0008, length 65524
  chunk IDAT at offset 0xc0008, length 65524
  chunk IDAT at offset 0xd0008, length 65524
  chunk IDAT at offset 0xe0008, length 65524
  chunk IDAT at offset 0xf0008, length 65524
  chunk IDAT at offset 0x100008, length 65524
  chunk IDAT at offset 0x110008, length 65524
  chunk IDAT at offset 0x120008, length 65524
  chunk IDAT at offset 0x130008, length 65524
  chunk IDAT at offset 0x140008, length 65524
  chunk IDAT at offset 0x150008, length 45027
  chunk IDAT at offset 0x15aff7, length 138
  chunk IEND at offset 0x15b08d, length 0
No errors detected in sctf.png (28 chunks, 36.8% compression).
```
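The second-to-last IDAT chunk had not been filled before a new IDAT chunk was started, so we guess the information is hidden in that last chunk.
Open the file in a hex editor and go to offset 0x15aff7, which is the IDAT marker. Reading 138 bytes from the start of that IDAT chunk's data gives: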
789C5D91011280400802BF04FFFF5C75294B5537738A21A27D1E49CFD17DB3937A92E7E603880A6D485100901FB0410153350DE83112EA2D51C54CE2E585B15A2FC78E8872F51C6FC1881882F93D372DEF78E665B0C36C529622A0A45588138833A170A2071DDCD18219DB8C0D465D8B6989719645ED9C11C36AE3ABDAEFCFC0ACF023E77C17C7897667
PNG images are compressed with zlib, so we write a Python script to decompress the data:
```python
# coding: utf-8
import zlib

# Payload of the last IDAT chunk, copied from the hex editor
IDAT = bytes.fromhex("789C5D91011280400802BF04FFFF5C75294B5537738A21A27D1E49CFD17DB3937A92E7E603880A6D485100901FB0410153350DE83112EA2D51C54CE2E585B15A2FC78E8872F51C6FC1881882F93D372DEF78E665B0C36C529622A0A45588138833A170A2071DDCD18219DB8C0D465D8B6989719645ED9C11C36AE3ABDAEFCFC0ACF023E77C17C7897667")
# The chunk is a complete zlib stream of its own, so it decompresses directly
bits = zlib.decompress(IDAT).decode('ascii')
print(bits)
print('\r\n')
print(len(bits))
```
Running it prints:
1111111000100001101111111100000101110010110100000110111010100000000010111011011101001000000001011101101110101110110100101110110000010101011011010000011111111010101010101111111000000001011101110000000011010011000001010011101101111010101001000011100000000000101000000001001001101000100111001111011100111100001110111110001100101000110011100001010100011010001111010110000010100010110000011011101100100001110011100100001011111110100000000110101001000111101111111011100001101011011100000100001100110001111010111010001101001111100001011101011000111010011100101110100100111011011000110000010110001101000110001111111011010110111011011
625
The output is a string of 0s and 1s with length 625, which is 25 squared, so it may be a QR code.
So we write a script to render it and see:
```python
from PIL import Image

MAX = 25  # 625 bits = 25 x 25 modules
pic = Image.new("RGB", (MAX, MAX))
bits = "1111111000100001101111111100000101110010110100000110111010100000000010111011011101001000000001011101101110101110110100101110110000010101011011010000011111111010101010101111111000000001011101110000000011010011000001010011101101111010101001000011100000000000101000000001001001101000100111001111011100111100001110111110001100101000110011100001010100011010001111010110000010100010110000011011101100100001110011100100001011111110100000000110101001000111101111111011100001101011011100000100001100110001111010111010001101001111100001011101011000111010011100101110100100111011011000110000010110001101000110001111111011010110111011011"
i = 0
for y in range(0, MAX):
    for x in range(0, MAX):
        # '1' becomes a black pixel, '0' a white pixel
        if bits[i] == '1':
            pic.putpixel((x, y), (0, 0, 0))
        else:
            pic.putpixel((x, y), (255, 255, 255))
        i = i + 1
pic.show()
pic.save("flag.png")
```
Running it really does produce a QR code; scanning it gives SCTF{(121.518549,25.040854)}
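An added example (not part of the original write-up) that automates the check made by eye on the pngcheck output above: it walks the PNG chunks, looks for an IDAT chunk that follows an under-filled IDAT chunk, and tests whether it decompresses as a zlib stream of its own. The function names and the small sample PNG are constructed for illustration.

```python
import struct
import zlib

def chunk(ctype, data):
    """Serialise one PNG chunk: length, type, data, CRC-32 over type+data."""
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))

def iter_chunks(png):
    """Yield (offset, type, data) for every chunk after the 8-byte signature."""
    pos = 8
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        yield pos, ctype, png[pos + 8:pos + 8 + length]
        pos += 12 + length

def extra_idat_streams(png):
    """Return (offset, plaintext) for IDAT chunks that follow an under-filled
    IDAT chunk and decompress on their own as a separate zlib stream."""
    idats = [(off, d) for off, t, d in iter_chunks(png) if t == b"IDAT"]
    full = max((len(d) for _, d in idats), default=0)
    found = []
    for (_, prev), (off, data) in zip(idats, idats[1:]):
        if len(prev) < full:  # encoder moved on before filling the chunk
            try:
                found.append((off, zlib.decompress(data)))
            except zlib.error:
                pass  # ordinary continuation of the image's own stream
    return found

def build_sample(hidden, size=32):
    """Constructed input: a 16x8 grayscale PNG plus one appended IDAT chunk."""
    rows = b"".join(b"\x00" + bytes((r * 16 + c) * 7 % 256 for c in range(16))
                    for r in range(8))
    stream = zlib.compress(rows)
    if len(stream) % size == 0:
        size -= 1  # keep the last genuine chunk shorter than the others
    ihdr = struct.pack(">IIBBBBB", 16, 8, 8, 0, 0, 0, 0)
    png = b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
    for i in range(0, len(stream), size):
        png += chunk(b"IDAT", stream[i:i + size])
    return png + chunk(b"IDAT", zlib.compress(hidden)) + chunk(b"IEND", b"")

if __name__ == "__main__":
    sample = build_sample(b"1111111000100001")
    for off, plain in extra_idat_streams(sample):
        print(hex(off), plain)
```

The heuristic needs at least one full-size IDAT chunk for comparison, so it does not flag an extra stream appended to an image whose data fits in a single IDAT chunk.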
Cross-Eyed
Throw the file into binwalk and take a look:
```
qiqi@qiqi-Mac ~/Desktop> binwalk final.png
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 1440 x 900, 8-bit/color RGB, non-interlaced
41            0x29            Zlib compressed data, default compression
1922524       0x1D55DC        PNG image, 1440 x 900, 8-bit/color RGB, non-interlaced
1922565       0x1D5605        Zlib compressed data, default compression
```
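There are two images in the file.
Separating them with foremost gives two images that look exactly the same.
Use stegsolve to compare the two images with XOR, export the result, and inspect it in a hex editor.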
There is a stretch where the two images differ.
Use Python to extract the differing part:
```python
from PIL import Image

img1 = Image.open("1.png")
im1 = img1.load()
img2 = Image.open("2.png")
im2 = img2.load()

# Print the pixel values of both images wherever they differ
for x in range(img1.size[0]):
    for y in range(img1.size[1]):
        if im1[x, y] != im2[x, y]:
            print(im1[x, y], im2[x, y])
```
Running it gives the differing pixel pairs.
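The last two values of each pixel are the same and only the first value differs; in the second image that value is always 0 or 1, so data is probably hidden there.
So we extract the run of 0s and 1s, group it into sets of 8 bits, and convert each group to a character; the resulting string should be the flag.
So we modify the script above: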
```python
from PIL import Image
import re

img1 = Image.open("1.png")
im1 = img1.load()
img2 = Image.open("2.png")
im2 = img2.load()

# Collect the first channel (0 or 1) of every pixel of 2.png that differs from 1.png
s = ''
for x in range(img1.size[0]):
    for y in range(img1.size[1]):
        if im1[x, y] != im2[x, y]:
            s = s + str(im2[x, y][0])

# Split the bit string into 8-bit groups and convert each group to a character
s = re.sub(r'(\d{8})', r'\1 ', s).strip()
a = ''.join(chr(int(b, 2)) for b in s.split(' '))
print(a)
```
Running it gives ISG{E4sY_StEg4n0gR4pHy}