[MISC] miscstudy - Donek1 xp0int Posted on Aug 28 2020

# [Qiangwang Pioneer] miscstudy

## Procedure

1. Inspect the HTTP traffic in the capture file and visit the site http://39.99.247.28/fonts/1 to retrieve its content.

2. Write the site's ciphertext log to a file and use it to decrypt the encrypted traffic in the capture. This reveals a new PNG. At the very bottom of it is a large amount of base64-encoded text; decoding it yields a flag.

   ![title](https://leanote.com/api/file/getImage?fileId=5f4319a7ab644139c5000f64)

   ![title](https://leanote.com/api/file/getImage?fileId=5f4319aaab64413bbd000edf)

3. Further down in the file from the previous step there is still a lot of base64. Decoded, it is three-digit binary code; extracting all of it gives a length of 3600, which can be turned into a QR code. (Script below.)

   ![title](https://leanote.com/api/file/getImage?fileId=5f4319b4ab644139c5000f6b)

   Scanning the code gives a new address, and the download is a new image. It was judged to be JPHide steganography; brute-forcing with steghide gives the password power123. Decrypting with jphs yields a flag and a new address.

   ![title](https://leanote.com/api/file/getImage?fileId=5f4319bdab64413bbd000ee6)

4. Scanning the code gives a new address. The download is an archive with a lot of content. level5.png cannot be extracted directly, but foremost carves it out directly.

   ![title](https://leanote.com/api/file/getImage?fileId=5f4319c8ab64413bbd000ee7)

5. level6.zip contains three files, all of them very small, so consider a direct CRC collision. The collision succeeds and yields the flag. (Script below.)

6. level5.zip contains 1.png, and so does level7.zip, so consider a known-plaintext attack. Compress 1.png with 7zip using normal compression, and the attack then produces the decrypted archive.

   ![title](https://leanote.com/api/file/getImage?fileId=5f4319dbab644139c5000f6e)

   There are two images, one very large and one very small, so consider a blind watermark. The script produces nothing under Python 2; it only works under Python 3.

   ![title](https://leanote.com/api/file/getImage?fileId=5f4319e4ab644139c5000f6f)

7. Visit the URL obtained in the previous step. Downloading the HTML directly shows that it carries extra data, so consider HTML steganography (snow).

   ![title](https://leanote.com/api/file/getImage?fileId=5f4319edab644139c5000f71)

   The page contains a hint: the password is the text inside the brackets, no one can find me. Decode with the site http://fog.misty.com/cgi/snow.

   ![title](https://leanote.com/api/file/getImage?fileId=5f4319f8ab64413bbd000ee9)

8. Finally, concatenate the 7 parts into the flag.

## Scripts

QR code

```
from PIL import Image

x = 60  # x dimension, found by factoring the number of lines in the txt
y = 60  # y dimension, x * y = number of lines
pic = Image.new("RGB", (x, y))
# 3600 bits extracted in step 3, one bit per pixel
data = (
    "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000011111111111100000001001100001000000000111000011111111111000011111111111100000001101110001000000000111000011111111111000011000000001100100111111100100000000011001110010000000001000011000000001100100001101100100000000000011110010000000001000011001111001100100001001100100111000000111010010011111001000011001111001100001000000011100111111100100000010011111001000011001111001100000000000011100111101100100000010011111001000011001111001100111001001111111111001100111000000011111001000011000000001100110000000001111001101101100000010000000001000011000000001100100110000000111000111111100110010000000001000011111111111100100110010010011001101100100110011111111111000011111111111100100110010011000001001100100110011111111111000000000000000000100111111100100110001110001000000000000000000000000000000000100011111000100110000111011000000000000000000011100110001111000000010000000110000011111110011110001110000001100000000000000000010000000110000000000110010000000000000000100000010000111000010000001111001100000110000000100000000011100110011111100000000000000100010011100111110000100110000011100110011111100000000000000110010011100111110000100110000011001110000000111110000000100001000001001001110000001001000000011000000001110110000001110001000011000001110000000000000000111000001111100110000011111111000011000111111100100000000000001110010011000000000011000001110011100111110010001001000000001110010010000000000010000001110011100111110011001001000000111000001100111111110000000111000011111110000011100111000000110000000100111111100000000111000011111110000001100011000000000001000000100000000000000110000011100110010000001001000000000000000001100000000000000000000011100110111000000000000000100010011111100001000000001000000111111111011111000000000000110000000011100000001111111001100000011000000000100000000000111000000011100000001111111001110000001000000000100000000011100001001111111"
    "11111000000011100111000011000001100000000001111000110001001100111000000011000011100011000000000000000001111100111001100100101111111111001111100001001110011111100001100000111110000100000000010000000111100011000000011100100001000000111110000100000000010000000111000011000000011100100000011011100000011100000000000000001110000011111000001100100000111111100000011000000000000000011100000001101000000100100001111100000110010000100000000011111000010000000001100010000000111100000000010000110000000000000000110000000001100000000000011100100000010011111000011100000001110000000111000100000001100111000111110011111001111111100001010011111111100011000001000111000111110011111001111111100001110011011111100011000000000000000000010011001001110000001110001111000001100000100000000000000000010011000001100000000110000011000001100000100001111111111110010011000111000110000111100011001001100111100001100000000110000111100000011111111001110001000001100111000001100000000110000111100000011111111001110011000001100111000001100111100110000100001000000100001001110011111111100000000001100111100110000100001000001100001001100001111111000000000001100111100110010011000111111111000111110000111000011011100001100111100110000011000110000000000000110000000000011011100001100111100110000011111110000000100001110011000000000011100001100000000110011100100111000011001111100011111111111100000001100000000110011100100111000011001111100011111111111100000001011111111010010011111110011111001001110011111100000011000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
)
for i in range(0, x):
    for j in range(0, y):
        line = data[i * x + j]
        print(i * x + j)
        # '1' is a black module, anything else is white
        if line == '1':
            pic.putpixel((i, j), (0, 0, 0))
        else:
            pic.putpixel((i, j), (255, 255, 255))
pic.show()
pic.save("flag.png")
```

CRC

```
import binascii
import itertools
import string

dic = string.ascii_letters + "_" + '0123456789'
crc2 = 0xEED7E184
crc1 = 0x9AEACC13
crc3 = 0x289585AF


def aa(crc):
    # Try every 5-character string over dic; stop at the first CRC32 match
    for chars in itertools.product(dic, repeat=5):
        st = "".join(chars)
        if crc == (binascii.crc32(st.encode()) & 0xffffffff):
            print(st)
            return


def bb(crc):
    # Same search for 4-character strings
    for chars in itertools.product(dic, repeat=4):
        st = "".join(chars)
        if crc == (binascii.crc32(st.encode()) & 0xffffffff):
            print(st)
            return


aa(crc1)
bb(crc2)
aa(crc3)
```

## flag

`flag{level1_begin_and_level2_is_comelevel3_start_itlevel4_here_alllevel5_is_aaalevel6_isreadylevel7isherethe_misc_examaaaaaaa_!!!}`
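For step 5, the CRC32 values and lengths fed to the brute-force script can be read straight from the archive's headers without any password, which is why very short members are recoverable. The following is an added example, not part of the original writeup: the archive is a constructed, unencrypted in-memory sample (Python's `zipfile` cannot write encrypted members), and the member names, contents and the `max_len` cut-off are assumptions.

```python
import io
import itertools
import string
import zipfile
import zlib

# Same candidate alphabet as the writeup's CRC script
ALPHABET = string.ascii_letters + "_" + string.digits


def build_sample_zip():
    """Constructed sample archive with two tiny members and one long one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("1.txt", "ab_")
        zf.writestr("2.txt", "Z9")
        zf.writestr("readme.txt", "this member is too long to enumerate")
    return buf.getvalue()


def small_members(zip_bytes, max_len=3):
    """List (name, size, crc32, encrypted) for members short enough to enumerate."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [(i.filename, i.file_size, i.CRC, bool(i.flag_bits & 0x1))
                for i in zf.infolist() if 0 < i.file_size <= max_len]


def recover(size, crc):
    """Every string of exactly `size` alphabet characters whose CRC32 equals `crc`."""
    hits = []
    for combo in itertools.product(ALPHABET, repeat=size):
        candidate = "".join(combo)
        if zlib.crc32(candidate.encode()) == crc:
            hits.append(candidate)
    return hits


def audit(zip_bytes, max_len=3):
    """Map each enumerable member name to the contents consistent with its CRC32."""
    return {name: recover(size, crc)
            for name, size, crc, _enc in small_members(zip_bytes, max_len)}


if __name__ == "__main__":
    for name, hits in audit(build_sample_zip()).items():
        print(name, hits)
```

For contents of up to 4 bytes a CRC32 value identifies a single candidate of that length; for longer contents several candidates can share a value, so each hit has to be checked against the expected format.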