PolarD&N-misc（困难）【正在更新】

Polar币！！！我来了（舔嘴巴~）

社会主义大法好

给了一个rar和一个jpg，在这个jpg里面写的是红色政治内容，大致是介绍社会主义，rar有加密

拿jpg里面的1945可以解开压缩包

压缩包里面是

U2FsdGVkX18hXTEdmaHlK9Wa0JuJu4UApkMzMe69xXg8yBK0Fw5q4HtQ5+qK6BCB+WkHQDiIxks=

看到U2FsdGVkX1以为是盐值加密，以为是AES，因为这个base64解密后Salted__是OpenSSL的加密标志

但这个题反常规，是rabbit….，直接rabbit解密就可以出flag

算法	标志性特征
OpenSSL AES	`Salted__` 前缀
bcrypt	$2a$ 、 $2b$ 、 $2y$ 前缀
scrypt	$scrypt$ 前缀
Argon2	$argon2i$ 、 $argon2d$ 、 $argon2id$
PBKDF2	$pbkdf2-sha256$ 等
Rabbit	没有标准前缀或标记

鎏金哇开呀库裂!

是一张png

看到文件末尾有

5LuU57uG55yL55yL5Zu+54mH

解密出来是

仔细看看图片

好家伙，图片左下角

用binwalk提取出一个zip，我这里打开一直显示文件损坏，但是打开里面的flag.txt

先试了一下owForever，发现密码不对，用ARCHPR爆破

打开后：

发现存在零宽字节字符解密，进行解密即可找到flag隐藏字符解密

broken_hash

一个tip和一个png

txt写的是加密的规则片段

import hashlib
rar_pwd = '????' # letters+digital
rar_pwd = hashlib.md5('????'.encode()).hexdigest()

png用binwalk扫描出rar，进行提取

┌──(kali㉿kali)-[~/桌面]
└─$ binwalk 1.png

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 559 x 1000, 8-bit/color RGB, non-interlaced
62            0x3E            Zlib compressed data, default compression
582638        0x8E3EE         RAR archive data, version 5.x
                                                                                                                                                           
┌──(kali㉿kali)-[~/桌面]
└─$ binwalk -e 1.png

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
62            0x3E            Zlib compressed data, default compression

rar里面有一个flag文件，用爆破软件显示文件损坏，但是注意到下面给了一串数字

到这里已经可以判断，密码是一个4个字节的16字节hash，然后这个hash开头是这个注释内容

脚本：

import hashlib
import itertools
import string
 
def find_password():
    chars = string.ascii_letters + string.digits
    target_prefix = '7bf21a26cd6'
    
    for length in range(4, 5):
        for candidate in itertools.product(chars, repeat=length):
            candidate_str = ''.join(candidate)
            md5_hash = hashlib.md5(candidate_str.encode()).hexdigest()
            if md5_hash.startswith(target_prefix):
                print(f"密码: {candidate_str}")
                print(f"md5: {md5_hash}")
                return
    print("没找到")
 
find_password()

运行：

密码: H3lo
md5: 7bf21a26cd627170e0e05ceee551c044

解压压缩包得到flag

deep

给了一个cpp文件，一个hint.txt

这个cpp里面：（代码意图：把字符数组每 4 字节打包成一个整数，逐行打印。）

/*
    g_szBuffer数组中存储原本flag，不小心被删除了！
    运行后得到的数据存储在hint文件中，恢复flag嘛，看你的了^_^
    得到数据后，注意格式：flag{g_szBuffer中的数据}
*/
#include 
char g_szBuffer[] = ""; 
int main(int argc, char *argv[])
{
    unsigned int uNum = 0;
    for (int i = 0; i < sizeof(g_szbuffer) / 4; i++)
    {
        unum = *(unsigned int*)(&g_szbuffer[i * 4]);
        printf("%d\r\n", unum);
    }
    
    system("pause");
    
    return 0;
}

这里用python写的逆向程序

# CTF Flag还原程序

numbers = [859254885, 1714499893, 875837240, 825505075, 
           962737761, 1647404083, 842360118, 811938613]

flag = ""

for num in numbers:
    # 将整数转换为4字节(小端序)
    for i in range(4):
        byte_value = (num >> (i * 8)) & 0xFF
        if byte_value != 0:  # 跳过空字节
            flag += chr(byte_value)

print(f"flag{{{flag}}}")

关于小端序；

爱你

只给了一个PNG，放进随波逐流里面，发现存在LSB隐写

用stegsolve提取出来，看看这个zip文件，里面有加密的flag

这里导出的ascll转化16进制的方法，可以参考010的ascll转16进制（主要是打开010里面的Hex显示形式）

这个压缩包的16进制里里面还有提示

hint:rfc4042


pwd = b",\x9b\xce\xa6s)\xd0\xd2t\x10\x9c\x0c'3\x99\xdc`r2\x08\r'1\x010\xdev2\x90\xcf&\xe3 \xc4"

通过ai得知这是utf-9（RFC 4042即为UTF-9 及 UTF-18 有效的 Unicode 转换）

写脚本，得出flag

import utf9
pwd = b",\x9b\xce\xa6s)\xd0\xd2t\x10\x9c\x0c'3\x99\xdc`r2\x08\r'1\x010\xdev2\x90\xcf&\xe3 \xc4"
utf9.utf9decode(pwd)

ps：这个UTF-9是个“同人作品”….PIP下载半天都在加载

所以写了另一个脚本

pwd = b",\x9b\xce\xa6s)\xd0\xd2t\x10\x9c\x0c'3\x99\xdc`r2\x08\r'1\x010\xdev2\x90\xcf&\xe3 \xc4"
 
 
def decode_utf9(data):
    # 1. 将字节转换为完整的二进制字符串
    bits = "".join(f"{b:08b}" for b in data)
 
    # 2. 每 9 位取出一个数值
    decoded_chars = []
    for i in range(0, len(bits) - 8, 9):  # 步长为 9
        nonet = bits[i:i + 9]
        if len(nonet) == 9:
            decoded_chars.append(chr(int(nonet, 2)))
 
    return "".join(decoded_chars)
 
 
result = decode_utf9(pwd)
print(f"解密结果为: {result}")

得到

解密结果为: Yougetit!passw0rd is LoveCynd1

打开压缩包即可拿到flag

菜狗

附件是压缩包，分析得知是伪加密爆破得到密码zaqqza

解压后是一张图片，然后没有隐藏文件，这个是cloacked-pixel隐写（最低有效位隐写），密码是压缩包密码，用puzzlesolve

东北话是最好的语言

就给了个txt，内容很大，先看下首尾

ogGK0wROBVi,46esab;gnp/egami:atad

结尾有这个东西，这是倒着的说明这段数据是倒置并且base64加密的png

with open("look.txt", "r", encoding="utf-8") as f:
    content = f.read()

reversed_content = content[::-1]

with open("look_reversed.txt", "w", encoding="utf-8") as f:
    f.write(reversed_content)

print(reversed_content)
（当然可以直接用cyberchef里的re）

把图片单独提出来，101里看

图片末尾有Base64编码，解码后

弗赖哥是活雷锋。
鹅城都是活雷锋。
弗赖哥装二。
弗赖哥稍稍。
唠唠：弗赖哥。
弗赖哥稍稍。
唠唠：弗赖哥。
弗赖哥装二。
唠唠：弗赖哥。
弗赖哥装一。
唠唠：弗赖哥。
弗赖哥稍稍。
唠唠：弗赖哥。
弗赖哥装13加112。
唠唠：弗赖哥刨掉一堆堆九。
鹅城来了个“a”。
鹅城来了个“b”。
鹅城来了个“c”。
鹅城来了个“d”。
鹅城来了个“e”。
鹅城来了个“f”。
鹅城来了个“g”。
鹅城来了个“h”。
鹅城来了个“i”。
鹅城来了个“j”。
鹅城来了个“k”。
鹅城来了个“l”。
鹅城来了个“m”。
鹅城来了个“n”。
鹅城来了个“o”。
鹅城来了个“p”。
鹅城来了个“q”。
鹅城来了个“r”。
鹅城来了个“s”。
鹅城来了个“t”。
鹅城来了个“u”。
鹅城来了个“v”。
鹅城来了个“w”。
鹅城来了个“x”。
鹅城来了个“y”。
鹅城来了个“z”。
唠唠：鹅城的老大。
唠唠：鹅城的老七。
唠唠：鹅城的老九。
唠唠：鹅城的老幺。
唠唠：“01101000”。
唠唠：鹅城的老（二加三）。
唠唠：“0x72”。
唠唠：“101”。

东北话语言，基于python改的一种编程语言，逻辑与python3一致，具体安装和语法参考github上的文件:

https://github.com/zhanyong-wan/dongbei

安装好环境后，把文件改后缀为dongbei,在根目录下打开终端,输入命令后得到运行结果。

根据注释，结果为纯字母，观察得知，102,108很容易想到是ascii的f和l，而01101000是二进制，转为ascii码为h，0x72是十六进制，转为ascii码为r,101十进制转为ascii码为e，连起来就是flagizhere,然后md5就得到flag

路由自启动

拿到一个bin文件

文件名告诉你了，squashfs文件系统，这里使用unsquash解开该文件系统。进入分离出的文件夹，该镜像分为kernel（内核）和rootfs（主文件系统）两部分。这里需要linux知识，自启动配置脚本在rootfs的/etc/rc.local下，所以使用unsquashfs命令，解开rootfs。

*知识点：

unsquashfs 是用于解压 SquashFS 文件系统的命令行工具

选项	说明
`-d <目录>`	指定输出目录
`-f`	强制覆盖已存在的文件
`-li`	列出文件信息（不解压）
`-x`	排除某些文件
`-no-progress`	不显示进度条

unsquashfs 镜像文件

# 查看 squashfs 镜像内容
unsquashfs -li root

# 解压到当前目录的 root/ 文件夹
unsquashfs -d ./root root.squashfs

# 强制解压并覆盖
unsquashfs -f -d output_dir firmware.bin

另外：rc.local 里面一般存放的是 系统启动完成后自动执行的自定义命令或脚本，本质上就是一个 shell 脚本。

让op跑起来

照着hint做即可

Mozilla

火狐浏览器（Firefox）是非营利组织Mozilla开发的一款浏览器。32.0 版本及以上的火狐浏览器加密保存的密码在logins.json中

工具；GitHub – lclevy/firepwd: firepwd.py, an open source tool to decrypt Mozilla protected passwords

将key3.db和logins.json以及整个文件夹5vz0vl9j.default放到firepwd的文件夹中后执行工具

python firepwd.py -d "C:\Users\q1388\Downloads\1\5vz0vl9j.default"

（因为这个key3.db版本太老旧了，所以需要手动降版本才可以显示出密码。新版本的firewd是3.23.0，需要改成3.9.0）

你真的懂二维码吗？

给了个压缩包，但是解压的时候有点问题.

发现有1个损毁的1.zip和可以解压的jpg

用winrar修复破损的1.zip，发现是个加密的png的压缩包

解压后一个jpg，发现文件尾部有666777888

用这个密码打开压缩包，得到一个txt,里面显然是一个png的hex码，但此处是ascll形式

在010里面“粘贴为hex”后得到该图片，这个新的二维码扫出来便是flag

四选其二

给了三个文件

先对awsd.zip进行爆破,得到密码nopass

文件是这个样子的

猜测：可能是excel表格分成了四份，刚好对应题目和xlsx文件

对这个awsd进行压缩，改后缀名位xlsx，打开后发现跟外边的xlsx文件是一样的

flag6,3,zip是一个损坏的压缩包…

后面看了别的大佬的wp：https://www.cnblogs.com/mumuhhh/p/17779721.html，才明白这个题做法

在分析下题目名“四选其二”，意思是四个字节为一组选其第二个，但我们可以看到这样选的话得到的内容没什么意义，再仔细观察压缩包每个字节发现一个有意思的情况，就拿50 4B 03 04 来说，本来是03变成了00也就是把它的第二个位置变成了0，再往后面观察，会发现整体上整个压缩包每个字节的第二位为0或者1的情况很多，那么可以猜想四选其二意味着每四个字节为一组，而且每个字节的第二位都变成0或1

提取每2字节取第1个字节的低4位

import binascii

with open('flag6.3.zip','rb') as file:
    hex_content = binascii.hexlify(file.read()).decode()
grouped_content = [hex_content[i:i+4] for i in range(0 , len(hex_content), 4)]
second_digits = [group[1] for group in grouped_content]

with open('1.txt', 'w') as file:
    file.write(''.join(second_digits))

得到txt：

000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001111111111111001100110011111111111111111111111110010011111100001100110001111110011000000111111111111100001111111111111001100110011111111111111111111111110010011111100001100110001111110011000000111111111111100001100000000011001100111111111101100110011110011001111100000000111111001100000001111110000110000000001100001100000000011001100111111111101100110011110011001111100000000111111001100000001111110000110000000001100001100111110011001100111100111100000000000000011001101111000011111111111110000001100110000110011111001100001100111110011001100111100111100000000000000011001101111000011111111111110000001100110000110011111001100001100111110011001100110000110000000000011001100110010011001111000011000011100110011001100110011111001100001100111110011001100110000110000000000011001100110010011001111000011000011100110011001100110011111001100001100111110011000000110000000010011000011001111111111111111111111100110001111111111000000110011111001100001100000000011001111111111111111111000011110000110000011000000111111001110011001111000000110000000001100001100000000011001111111111111111111000011110000110000011000000111111001110011001111000000110000000001100001111111111111001100110011001101100110011001100110010011001100110011001101100110011001100111111111111100001111111111111001100110011001101100110011001100110010011001100110011001101100110011001100111111111111100000000000000000000011001111110011111110000000000110000011000011110011001110000000000000000000000000000000000000000000000000011001111110011111110000000000110000011000011110011001110000000000000000000000000000000001111000011111000011000011111110011001111000011111111111001100111111111100011000011110000001101111111100001111000011111000011000011111110011001111000011111111111001100111111111100011000011110000001101111111100001111000001100001100111100001100000110000000011110010011111100001100110001111111111001111001100011111100001111000001100001100111100001100000110000000011110010011111100001100110001111111111001111001100011111100001100111100011000011111100000001111000011111100110000011111100000000110011111110011111111001101111001100001100111100011000011111100000001111000011111100110000011111100000000110011111110011111111001101111001100000011110011100110000000011111111100111111001100001100000000000111111001100000001100110000110011100000000000011110011100110000000011111111100111111001100001100000000000111111001100000001100110000110011100000000000011001100011001111110011001111111111100110000111100000001100111111111101111001100110011111110000000000000011001100011001111110011001111111111100110000111100000001100111111111101111001100110011111110000000000001100000010000111111000000110010011000011001111110010011111100001100110001100001111001111000011111111100001100000010000111111000000110010011000011001111110010011111100001100110001100001111001111000011111111100000000001100011110000001100111111111001100000000110000011111111001100000001100110011110000000001111001100000000001100011110000001100111111111001100000000110000011111111001100000001100110011110000000001111001100001100111111100000011110011001101100000000110000001100000000011111111001110000000000000000110011100111100001111110011111001111001111000000000110011111111001101100001100111111111100011001100000000001110000110000001111110011111001111001111000000000110011111111001101100001100111111111100011001100000000001110000110000001100001111100111100000011111111111111111000011110011111111100001100110001111111111001111001100011111100001100001111100111100000011111111111111111000011110011111111100001100110001111111111001111001100011111100001111110011111000011000000000010011001100111111110000011001100000000000001100110011111100000001111001100001111110011111000011000000000010011001100111111110000011001100000000000001100110011111100000001111001100001111000010000110011110011110000000110000001100001100000000011110011001100011000000000011111111100000000001111000010000110011110011110000000110000001100001100000000011110011001100011000000000011111111100000000001111000010011110000001100001101111111100110000110000000001100110000111101111001100110011111110000110000001111000010011110000001100001101111111100110000110000000001100110000111101111001100110011111110000110000000000000000000111111001100110010011000011001111111111111111100001100110001100001111001111000010011001100000000000000000111111001100110010011000011001111111111111111100001100110001100001111001111000010011001100001111111100011111111110000000011100111111111100111100011001111001100000001100111111111100000001111001100001111111100011111111110000000011100111111111100111100011001111001100000001100111111111100000001111001100000000001110000000000000011110001111110000001100001100000000011110011001100000001100000011110011100111100000000001110000000000000011110001111110000001100001100000000011110011001100000001100000011110011100111100000011000011111111100111111111110011001111000011111111111110000111111111101111001100001111111110000110000000011000011111111100111111111110011001111000011111111111110000111111111101111001100001111111110000110000000000001110000001100110000001100000110000110011110000011111100001100001101100001111001100000010011111100000000001110000001100110000001100000110000110011110000011111100001100001101100001111001100000010011111100001100000010011001111000011000001111000011111100110010011111111001100000001100111111111100110011111001100000011111110000001100110000110011100111111001111110000011000011110011001100011001100001100000011100111100000011111110000001100110000110011100111111001111110000011000011110011001100011001100001100000011100111100001111111111111111111110011001101111110000110000111111111110000110000111101111001111111111111110000110000001111111111111111111110011001101111110000110000111111111110000110000111101111001111111111111110000110000001100110011100000011000000110010011000011111111000001100111111111100111101111111111110011111110011001100001100110011100000011000000110010011000011111111000001100111111111100111101111111111110011111110011001100001100110001111000011001100111111111001111000011111100000001111000000110011100110011001100110011111001100001100110001111000011001100111111111001111000011111100000001111000000110011100110011001100110011111001100000000001101100001100001111001101100001100110011001110011000011110011111100011000000111100000001100111100000000001101100001100001111001101100001100110011001110011000011110011111100011000000111100000001100111100000011000011111000000111100000000000110011111100000011111001100110000111101111000011110000000000000110000000011000011111000000111100000000000110011111100000011111001100110000111101111000011110000000000000110000001111000011100111111000000111111111111111000011000000000111111111100110001111111111001111111110011001100001111000011100111111000000111111111111111000011000000000111111111100110001111111111001111111110011001100001100110011111111100000000000010011001100001111110000000001111000000000001100110011000000111101111001100001100110011111111100000000000010011001100001111110000000001111000000000001100110011000000111101111001100000000001100000110000110011110000000110000000011001110011110000111111111110000000000111111000001100000000000000001100000110000110011110000000110000000011001110011110000111111111110000000000111111000001100000000000000000001111111111111111001101111110000110000110011111110000111111111100011001100111100001100000110000000000000001111111111111111001101111110000110000110011111110000111111111100011001100111100001100000110000001111110011100111111000000000010000000011001111000001100111111111100111101100001111110011111111111001100000011001111111001111110000000000000111100111111111100000111111000000110011100110011001100110011111001100000011001111111001111110000000000000111100111111111100000111111000000110011100110011001100110011111001100000000110011100110000000000110011111110000001111001110011000000110011001100000001100111100000001100000000000000110011100110000000000110011111110000001111001110011000000110011001100000001100111100000001100000000001111001110011000000000011111110011001111000000110011100110000111111111101111001100110000000001100110000001111001110011000000000011111110011001111000000110011100110000111111111101111001100110000000001100110000001100110001100110000000011001100000110000110011001100000111100001100110001111111111001111001110011111100001100110001100110000000011001100000110000110011001100000111100001100110001111111111001111001110011111100001111001111111111111000011110001100000011111111110000000001111000000110011111111111000000111101111001100001111001111111111111000011110001100000011111111110000000001111000000110011111111111000000111101111001100000011110000000000011001100000011111001111001111001110011110000110011111110011001100111111000001100111100000011110000000000011001100000011111001111001111001110011110000110011111110011001100111111000001100111100000000001100011000011000000110011111111100110000111111111111100111111111100011001100111111111110000001100000000001100011000011000000110011111111100110000111111111111100111111111100011001100111111111110000001100000000000000000001100110000001110011000011001100110000011111100001100111101111111111111100000010011111100000000000000000001100110000001110011000011001100110000011111100001100111101111111111111100000010011111100001111111111111000000001100001100011001111000000110010011111111001100110011100110011001100110010000001100001111111111111000000001100001100011001111000000110010011111111001100110011100110011001100110010000001100001100000000011001100110011000011100001100110000110000011000011111111001110000000000111100000011100000000001100000000011001100110011000011100001100110000110000011000011111111001110000000000111100000011100000000001100111110011001100110000111100000110011111100111111111110000111111111100011000011111111111110000000000001100111110011000000111100001111111111111000011000011111111100001100110001100001111000000001101111000000001100111110011000000111100001111111111111000011000011111111100001100110001100001111000000001101111000000001100111110011000000110000000010011001100111111001110011001100000000000011100111111110000000001111000000001100111110011000000110000000010011001100111111001110011001100000000000011100111111110000000001111000000001100000000011001111110000000000000110000001111110001100110011111111111110000001100110000110011100111100001100000000011001111110000000000000110000001111110001100110011111111111110000001100110000110011100111100001111111111111001111000011000011111110000110011110011100111100111100111100011001100111100110011100110000001111111111111001111000011000011111110000110011110011100111100111100111100011001100111100110011100110000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

按照（0：黑色；1：白色）进行转换

from PIL import Image

with open('1.txt', 'r') as file:
    content = file.read()
width = int(len(content) ** 0.5)
height = (len(content) + width - 1) // width
image = Image.new('1', (width, height), color=255)
pixels = image.load()
for i in range(len(content)):
    x = i % width
    y = i // width
    if content[i] == '1':
        pixels[x, y] = 0
image.save('2.png')

得到二维码

解析后：

wdwsswwsdswwwsdsssdddswdwsdsddswdwsswwaaawwswdwsswswdwsswdwsswddwdwwwwwwdddwwaaawwwwaaawaawawsaaassssdsssdddsssaaaswdddwwwwwsddddwssaasssaaswawsswdwddwwaaawwwaaawwsasddswawddwwdwddwsaaasssddasssaaddsw

AWSD是打游戏用的方向键

这是走迷宫的顺序

先转换下：

上右上下下上上下右下上上上下右下下下右右右下上右上下右下右右下上右上下下上上左左左上上下上右上下下上下上右上下下上右上下下上右右上右上上上上上上右右右上上左左左上上上上左左左上左左上左上下左左左下下下下右下下下右右右下下下左左左下上右右右上上上上上下右右右右上下下左左下下下左左下上左上下下上右上右右上上左左左上上上左左左上上下左下右右下上左上右右上上右上右右上下左左左下下下右右左下下下左左右右下上

一个一个走：

0010 0100 01 110 1111011 11000 0010 01111 0 0010 0 0010 0010 00011 01 01111 00001 01111 00011 11110 100 10000 10000 00001 01 11111 1000 1000 0010 00111 00001 00001 11000 00111 00111 11110 11110 1111101

摩尔斯电码；

flag{7f1efeff3a14139d664a0bbf24472299}

EZ签到

给了两个zip：其中hint.zip存在伪加密