Challenge download link:
(see my download resources)
Unzip it to get the image: catfeatherrain.png.
![](https://img.laitimes.com/img/_0nNw4CM6IyYiwiM6ICdiwiIyVGduV2YfNWawNyZuBnL3MTM0IjYxEjNjBjN3UTO5I2YwQjYyYWOhNWYzYzMxkzLc52YucWbp5GZzNmLn9Gbi1yZtl2Lc9CX6MHc0RHaiojIsJye.png)
Analyze it in 010 Editor: load the PNG template and run it, and it reports CRC mismatch warnings:
```
*ERROR: CRC Mismatch @ chunk[1]; in data: 504b0304; expected: 182333b3
*ERROR: CRC Mismatch @ chunk[2]; in data: 14000100; expected: 54323b8e
*ERROR: CRC Mismatch @ chunk[3]; in data: 00006c6a; expected: 9a48185c
*ERROR: CRC Mismatch @ chunk[4]; in data: 76541cc6; expected: e2108601
*ERROR: CRC Mismatch @ chunk[5]; in data: 17760f00; expected: 5ebf4f0c
*ERROR: CRC Mismatch @ chunk[6]; in data: 00000300; expected: e585836d
```
The first CRC is 504b0304, which is the magic value of a ZIP file. So write a script that pulls all of these CRC fields out and stitches them together into a ZIP file:
```python
# Pull the 4-byte CRC field out of every chunk and concatenate them.
# The first chunk's CRC sits at offset 0x2029; each following chunk is
# 0x200c bytes further on (a 0x2000-byte chunk body plus 12 bytes of
# length, type and CRC).
content = open("catfeatherrain.png", 'rb').read()
len_h = 0x2029
png2 = content[len_h:len_h + 4]
i = 1
while len_h + 4 + i * 0x200c < len(content):
    print(hex(len_h + i * 0x200c))
    png2 += content[len_h + i * 0x200c:len_h + i * 0x200c + 4]
    i += 1
# print(png2)
with open("cat.zip", 'wb') as f:
    f.write(png2)
```
Open the archive: it contains 4 files, but they are encrypted. On closer inspection, 1.txt, 2.txt and 3.txt each contain only 3 characters, so their 3-character contents can be brute-forced from their CRC values:
```
1.txt 3d0f3388
2.txt 7617c61c
3.txt 572df59a
```
Brute force with hashcat:
```
$ hashcat -m 11500 -a 3 3d0f3388:00000000 ?a?a?a --keep-guessing
3d0f3388:00000000:Qag
$ hashcat -m 11500 -a 3 7617c61c:00000000 ?a?a?a --keep-guessing
7617c61c:00000000:1hA
$ hashcat -m 11500 -a 3 572df59a:00000000 ?a?a?a --keep-guessing
572df59a:00000000:8Q4
```
- `-m 11500` selects CRC32
- `-a 3` is a mask attack
- the trailing `:00000000`: the exact reason is unclear, but without it the attack will not run
- `?a?a?a` is a three-character unknown password
- `--keep-guessing` keeps the attack running after a hit, so every possible plaintext is tried rather than stopping at the first match, guarding against duplicates
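As an added example (not the writeup's own script), the Python below generalizes both steps above: it walks the PNG chunk structure instead of relying on the fixed 0x200c stride, collects the CRC field of every chunk that fails its CRC check, and brute-forces a 3-character printable-ASCII content from a CRC32 the way the `?a?a?a` mask does. The PNG and the hidden ZIP header bytes in it are constructed inline, so it runs offline.

```python
import struct
import zlib
from itertools import product

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def crc32_int(data):
    """CRC32 as an unsigned int, the value hashcat -m 11500 compares against."""
    return zlib.crc32(data) & 0xFFFFFFFF

def build_chunk(ctype, payload, crc=None):
    """Serialise one PNG chunk; passing crc forces a bogus CRC field (the hiding trick)."""
    if crc is None:
        crc = struct.pack(">I", crc32_int(ctype + payload))
    return struct.pack(">I", len(payload)) + ctype + payload + crc

def png_chunks(data):
    """Walk the chunk list, yielding (type, stored_crc, expected_crc) for each chunk."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    pos = 8
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype, payload = data[pos + 4:pos + 8], data[pos + 8:pos + 8 + length]
        stored = data[pos + 8 + length:pos + 12 + length]
        yield ctype, stored, struct.pack(">I", crc32_int(ctype + payload))
        pos += 12 + length

def extract_mismatched_crcs(data):
    """Concatenate the CRC fields of chunks whose CRC fails to verify (010 Editor's 'CRC Mismatch')."""
    return b"".join(s for _, s, e in png_chunks(data) if s != e)

def crack_crc32(target, length=3):
    """All printable-ASCII strings (hashcat's ?a set) of the given length whose CRC32 == target."""
    hits = []
    for combo in product(range(0x20, 0x7F), repeat=length):
        cand = bytes(combo)
        if crc32_int(cand) == target:
            hits.append(cand.decode())
    return hits

# Constructed sample (not the challenge file): two IDAT chunks whose CRC fields
# carry the first 8 bytes of a ZIP local file header, as in the writeup.
SAMPLE_PNG = (PNG_SIG
              + build_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + build_chunk(b"IDAT", b"\x00" * 16, crc=b"PK\x03\x04")        # 504b0304
              + build_chunk(b"IDAT", b"\x00" * 16, crc=b"\x14\x00\x01\x00")  # 14000100
              + build_chunk(b"IEND", b""))
```

`extract_mismatched_crcs(SAMPLE_PNG)` yields the ZIP header bytes 504b030414000100, and `crack_crc32(crc32_int(b"Qag"))` recovers "Qag" (plus any other 3-character collisions, which is why `--keep-guessing` matters).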
Concatenate them to get the extraction password:
```
Qag1hA8Q4
```
Extract the archive to get the flag:
```
DASCTF{28a08ceda3ca6b1db5bdb3191e784f40}
```