Challenge download link:
(see my download resources)
Unzip it to get an image: catfeatherrain.png.
![](https://img.laitimes.com/img/_0nNw4CM6IyYiwiM6ICdiwiIyVGduV2YfNWawNyZuBnL3MTM0IjYxEjNjBjN3UTO5I2YwQjYyYWOhNWYzYzMxkzLc52YucWbp5GZzNmLn9Gbi1yZtl2Lc9CX6MHc0RHaiojIsJye.png)
Analyze it with 010 Editor: load the PNG template and run it, which reports CRC mismatch errors:
*ERROR: CRC Mismatch @ chunk[1]; in data: 504b0304; expected: 182333b3
*ERROR: CRC Mismatch @ chunk[2]; in data: 14000100; expected: 54323b8e
*ERROR: CRC Mismatch @ chunk[3]; in data: 00006c6a; expected: 9a48185c
*ERROR: CRC Mismatch @ chunk[4]; in data: 76541cc6; expected: e2108601
*ERROR: CRC Mismatch @ chunk[5]; in data: 17760f00; expected: 5ebf4f0c
*ERROR: CRC Mismatch @ chunk[6]; in data: 00000300; expected: e585836d
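The CRC stored in the first of these chunks is 504b0304, which brings to mind the magic value of a ZIP file. So, write a script to extract all of these CRCs and piece them together into a zip file.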
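```python
content = open("catfeatherrain.png", 'rb').read()
# Offset of the first data chunk's CRC field:
# 8 (signature) + 25 (IHDR chunk) + 8 (chunk header) + 0x2000 (data) = 0x2029
len_h = 0x2029
png2 = content[len_h:len_h+4]
i = 1
# Each following chunk is 0x200c bytes: 4 (length) + 4 (type) + 0x2000 (data) + 4 (CRC)
while len_h + 4 + i*0x200c < len(content):
    print(hex(len_h + i*0x200c))
    png2 += content[len_h + i*0x200c:len_h + i*0x200c + 4]
    i += 1
# print(png2)
# Write the concatenated CRC fields out as the hidden zip archive
with open("cat.zip", 'wb') as f:
    f.write(png2)
```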
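An added example, not part of the original writeup: instead of relying on hard-coded offsets, it walks the PNG chunk structure, recomputes each chunk's CRC, and collects the stored CRC fields that do not match, which is the same check the 010 Editor template performs. The function names and the sample PNG are constructed for illustration; the two payload values are the first two CRCs from the output above.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def walk_chunks(data):
    """Yield (type, body, stored_crc) for each chunk in a PNG byte string."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    pos = 8
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length
        if end + 4 > len(data):
            raise ValueError("truncated chunk at offset %#x" % pos)
        yield ctype, data[pos + 8:end], data[end:end + 4]
        pos = end + 4

def mismatched_crcs(data):
    """Concatenate the stored CRC fields that differ from the computed CRC."""
    out = b""
    for ctype, body, stored in walk_chunks(data):
        # The PNG CRC covers the chunk type and data, not the length field
        expected = struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)
        if stored != expected:
            out += stored
    return out

def make_chunk(ctype, body, crc=None):
    """Build one chunk; crc=None writes the correct CRC, else the given bytes."""
    if crc is None:
        crc = struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)
    return struct.pack(">I", len(body)) + ctype + body + crc

def sample_png():
    """Constructed sample: valid IHDR/IEND, two IDAT chunks with overwritten CRCs."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return (PNG_SIG + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", b"\x00" * 16, crc=b"PK\x03\x04")
            + make_chunk(b"IDAT", b"\x01" * 16, crc=b"\x14\x00\x01\x00")
            + make_chunk(b"IEND", b""))

if __name__ == "__main__":
    print(mismatched_crcs(sample_png()).hex())
```

Chunks with a correct CRC contribute nothing, so an untampered PNG yields an empty result.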
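Opening the archive shows 4 files, but they are encrypted. A closer look shows that 1.txt, 2.txt and 3.txt are each only 3 characters long, so their 3-character contents can be brute-forced from the CRC values: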
1.txt 3d0f3388
2.txt 7617c61c
3.txt 572df59a
Brute-forcing with hashcat:
$ hashcat -m 11500 -a 3 3d0f3388:00000000 ?a?a?a --keep-guessing
3d0f3388:00000000:Qag
$ hashcat -m 11500 -a 3 7617c61c:00000000 ?a?a?a --keep-guessing
7617c61c:00000000:1hA
$ hashcat -m 11500 -a 3 572df59a:00000000 ?a?a?a --keep-guessing
572df59a:00000000:8Q4
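-m 11500 stands for CRC32
-a 3 mask attack
The trailing :00000000: the exact reason is unclear, but it will not run without it
?a?a?a three unknown characters
--keep-guessing keeps the attack going so that every possible plaintext is tried, to guard against duplicates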
Concatenate them to get the archive password:
Qag1hA8Q4
Extract the archive to get the flag:
DASCTF{28a08ceda3ca6b1db5bdb3191e784f40}