Attack and defense world practice area Misc

Posted by gc40 on Thu, 17 Feb 2022 07:42:47 +0100

1. this is flag

Idea: the title description itself is the flag


Attachment: link:
Extraction code: 5zzi

Idea: open the attachment and find a pdf file containing a picture

The title description says "there is nothing below the picture", so the flag is probably hidden by multiple layers or by the picture covering it

Opening it with PS shows that there is only one layer

Edit the pdf file with Adobe Acrobat Pro, remove the picture and get the flag

3. Tathagata thirteen palms

Attachment: link:
Extraction code: l8wu

Idea: the attachment is a Word document

The content is Buddhist scripture text, which is decoded on the "Buddhism on Zen" website

Because the title says thirteen palms, try decoding the result with rot13

The result is still ciphertext; decoding it with base64 gives the flag


Attachment: link:
Extraction code: 860r

Idea: the attachment is an animated picture. Playing it shows a QR code hidden in one frame. After pausing on that frame, it turns out that the positioning corners of the QR code are missing

Complete the QR code and scan it to get the flag


Attachment: link:
Extraction code: yo4n

Idea: open the pdf file and find that it holds more content than the displayed part. Select all, then copy and paste into Notepad. One line consists only of the letters A and B, so it is probably Morse code

After converting it to Morse code and decoding, get the flag

6. Persist for 60s

Attachment: link:
Extraction code: j6ft

Idea: the attachment is a Java project. After opening, it turns out to be a small game. Going by the title, you get the encrypted flag after lasting 60s

Obviously, it is base64-encoded; decoding it gives the real flag

Idea 2: since no flag was given at the start of the 60s, use the Java decompiler Luyten. Download link: GitHub - deathmarine/Luyten: An Open Source Java Decompiler Gui for Procyon

The encrypted flag can also be found in the planegameframe class file


Attachment: link:
Extraction code: 7tz0

Idea: the attachment is a compressed package. The gif directory contains 104 pictures that are either pure black or pure white, so it is probably a binary encoding: white is 0 and black is 1. Decode the bits and convert them to text to get the flag

8. Lift the table

Message: c8e9aca0c6f2e5f3e8c4efe7a1a0d4e8e5a0e6ece1e7a0e9f3baa0e8eafae3f9e4eafae2eae4e3eaebfaebe3f5e7e9f3e4e3e8eaf9eaf3e2e4e4e4e6f2

Idea: try base64 decoding first, which fails. Try md5 decoding next, which also fails. The message is probably text written as two-digit hexadecimal values, but the values are beyond the ASCII range, so subtract 128 from each one and then convert it to text to get the flag

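#include <iostream>
#include <string>
using namespace std;
int main()
{
    string s1="c8e9aca0c6f2e5f3e8c4efe7a1a0d4e8e5a0e6ece1e7a0e9f3baa0e8eafae3f9e4eafae2eae4e3eaebfaebe3f5e7e9f3e4e3e8eaf9eaf3e2e4e6f2";
    char s2[3];
    int hex;
    s2[2] = '\0';   //terminator so s2 can be parsed as a string
    //cout<< sizeof(s1)<<endl;
    int i=0;
    for (i=0;i<118;i+=2)    //118 hex digits, two per character
    {
        s2[0] = s1[i];
        s2[1] = s1[i + 1];
        hex = stoi(s2, nullptr, 16);    //two hex digits -> byte value
        cout << (char)(hex - 128);      //subtract 128 to get back into the ASCII range
        //cout << '-';
    }
    cout << endl;
    return 0;
}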


Attachment: link:
Extraction code: e419

Idea: the attachment is a file without a suffix. Searching for the title, ext3, shows that it is a Linux file system, but it can be opened on Windows with the explore2fs tool

Drag the file into winhex and search for "flag" to find the path of flag.txt

Follow that path in explore2fs to reach flag.txt, export it and view it

Obviously, the content is base64-encoded; decoding it gives the flag


Attachment: link:
Extraction code: jqkp

Idea: the attachment is a compressed file, and the only thing visible in the archive is a text document, flag.txt, whose content is "flag is not here". Opening the archive in winhex shows that it also contains secret.png, so check the file format.

The position marked by the two red boxes should hold 74, which indicates a file header inside the compressed file. After modifying it, extract secret.png

For an explanation of the rar file format, see the blog post "rar file simple analysis - Angel - Steve - blog Park"

Use stegsolve to open the picture and get the lower half of the QR code

The title description suggests that the file has multiple layers. Trying to open it with PS produces an error, so open it with winhex for analysis

The file header shows that the file is actually in gif format. After changing the suffix, open it with PS, merge the two layers, and then use stegsolve to get the upper half of the QR code. After patching the two halves together and completing the code, scan it to get the flag


Attachment: link:
Extraction code: kmnh

Idea: the attachment is an encrypted compressed package. Since there is no hint about the decompression password, it is judged to be pseudo encryption, and a Jar tool is used to remove the pseudo encryption

Get the stego file

The second way to remove the pseudo encryption is to edit the binary file directly: open the pseudo-encrypted package with winhex and search for the four consecutive bytes "50 4b 01 02" (P, K, ...). The flag byte that follows marks the entry as encrypted when it is odd and not encrypted when it is even (these headers are usually near the end of the file, and there can be several of them)

Replace the blue 9 with 0 to remove the pseudo encryption
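The manual winhex edit above can be checked with a short script. This is an added example, not code from the original post: it scans for the 50 4B 01 02 (central directory) and 50 4B 03 04 (local header) signatures, reads the 2-byte general purpose flag at offset 8 and 6 respectively, and clears bit 0. The sample archive and the function names are constructed for the illustration.

```python
import io
import struct
import zipfile

CENTRAL_SIG = b"PK\x01\x02"  # 50 4B 01 02, central directory file header
LOCAL_SIG = b"PK\x03\x04"    # 50 4B 03 04, local file header
# Offset of the 2-byte general purpose bit flag from the start of each header
FLAG_OFFSET = {CENTRAL_SIG: 8, LOCAL_SIG: 6}


def find_flag_fields(data):
    """Return (signature, flag_offset, flag_value) for every header found.

    A plain signature scan, like the hex-editor search; compressed data can
    contain the same bytes by chance, so review the hits on real archives.
    """
    hits = []
    for sig, rel in FLAG_OFFSET.items():
        pos = data.find(sig)
        while pos != -1:
            if pos + rel + 2 <= len(data):
                (flags,) = struct.unpack_from("<H", data, pos + rel)
                hits.append((sig, pos + rel, flags))
            pos = data.find(sig, pos + 4)
    return hits


def clear_encrypted_bit(data):
    """Clear bit 0 (the 'encrypted' bit) in every header that has it set."""
    patched = bytearray(data)
    for _sig, off, flags in find_flag_fields(data):
        if flags & 1:
            struct.pack_into("<H", patched, off, flags & 0xFFFE)
    return bytes(patched)


def make_pseudo_encrypted_sample():
    """Constructed sample: a normal archive whose central header claims encryption."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("stego.txt", "constructed sample content\n")
    data = bytearray(buf.getvalue())
    for sig, off, flags in find_flag_fields(bytes(data)):
        if sig == CENTRAL_SIG:
            struct.pack_into("<H", data, off, flags | 1)
    return bytes(data)


if __name__ == "__main__":
    fixed = clear_encrypted_bit(make_pseudo_encrypted_sample())
    print(zipfile.ZipFile(io.BytesIO(fixed)).read("stego.txt"))
```

Clearing the bit only helps when the data was never encrypted; on a genuinely encrypted archive the extracted content is still ciphertext.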

Decode the ciphertext in stego.txt and get an article about steganography

After analysis, there is no flag in the article, so go back to the original text to look for clues.

According to the principle of base64 encoding, when n "=" characters occur at the end, 2n bits can be hidden in the last character of the Base64 text. The specific explanation is as follows.

The bits in the red box can be changed at will without affecting the decoded result. Therefore, extract the hidden bits from the last character of each line of stego.txt, then group the bits eight at a time and convert them to text to get the flag.

#include <iostream>
#include <fstream>
#include <string>
using namespace std;
//base64 alphabet: the index of a character is its 6-bit value
const string base64="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
int main()
{
    ifstream infile("D:\\stego.txt");//input file
    ofstream outfile("D:\\flag.txt");//output file
    string line,binary_flag;
    int length,i,count;
    if(!infile)
    {
        cout<<"The file was not opened successfully"<<endl;
        return 1;
    }
    while(getline(infile,line)) //Read stego.txt line by line
    {
        if(!line.empty()&&line.back()=='\r') line.pop_back();   //Drop a Windows line ending
        length=line.size(); //Take string length
        count=0;
        for(i=0;i<2&&i<length;i++)    //Count the trailing = characters (at most 2)
        {
            if(line[length-i-1]!='=') break;
            count++;
        }
        if(count==0||length<=count) continue;   //No padding, nothing hidden in this line
        size_t value=base64.find(line[length-count-1]);  //6-bit value of the last character
        if(value==string::npos) continue;
        for(i=2*count-1;i>=0;i--)   //One = hides 2 bits, two = hide 4 bits
            binary_flag+=((value>>i)&1)?'1':'0';
    }
    for(size_t j=0;j+8<=binary_flag.size();j+=8)   //Eight bits make one character
        outfile<<(char)stoi(binary_flag.substr(j,8),nullptr,2);
    return 0;
}
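To see why the hidden bits do not change the decoded text, the following added example (not part of the original post) goes one step further than the extraction above and also shows the embedding side, then checks the round trip. The cover lines, the secret and the function names are constructed for the illustration.

```python
import base64

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def hide(chunks, secret):
    """Base64-encode each chunk, storing secret bits in the unused low bits
    of the last character before the '=' padding (2 bits per '=')."""
    bits = "".join(f"{byte:08b}" for byte in secret)
    lines, pos = [], 0
    for chunk in chunks:
        enc = base64.b64encode(chunk).decode("ascii")
        pad = len(enc) - len(enc.rstrip("="))
        if pad and pos < len(bits):
            payload = bits[pos:pos + 2 * pad].ljust(2 * pad, "0")
            pos += 2 * pad
            # The canonical encoding leaves these low bits at zero, so OR is enough
            idx = ALPHABET.index(enc[-pad - 1]) | int(payload, 2)
            enc = enc[:-pad - 1] + ALPHABET[idx] + "=" * pad
        lines.append(enc)
    if pos < len(bits):
        raise ValueError("cover text has too little padding for the secret")
    return lines


def extract(lines):
    """Collect the low 2n bits of the last character of every padded line."""
    bits = ""
    for line in lines:
        line = line.strip()
        pad = len(line) - len(line.rstrip("="))
        if pad in (1, 2) and len(line) > pad:
            idx = ALPHABET.index(line[-pad - 1])
            bits += f"{idx:06b}"[-2 * pad:]
    usable = len(bits) - len(bits) % 8  # drop an incomplete final byte
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


if __name__ == "__main__":
    cover = [b"cover-%d" % i for i in range(8)]  # constructed cover lines
    stego = hide(cover, b"flag")
    print(stego)
    print([base64.b64decode(s) for s in stego] == cover)  # decoding is unchanged
    print(extract(stego))
```

Comparing each line with the re-encoding of its own decoded bytes is a quick way to spot this kind of hiding: any line that differs carries non-zero padding bits.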

12. No matter how high your Kung Fu is, you are afraid of a kitchen knife

Attachment: link:
Extraction code: of2k

Idea: inspect the packet capture in wireshark and find a compressed package and flag.txt

Open the capture with winhex, find the flag file, find the zip file header, and copy that block out into a new file

The compressed package is encrypted. The password is probably hidden in the capture, so go back to wireshark to look for clues

Search the packets for "flag" and check them one by one. In packet 1150, the following information is found. Because it begins with FFD8FFE0, it is judged to be the hexadecimal of a jpg file; copy it into winhex to form a new file. View the picture, get the decompression password and open flag.txt to get the flag

The foremost tool can also be used for file separation. Address: foremost/foremost.exe at master · raddyfiy/foremost · GitHub

Drag the file to be separated onto foremost.exe to get the separated files
