近期MISC刷题总结

近期MISC刷题总结-第一版

0xff前言：

近期对misc突发好感，用3-4天的空余时间刷了几十道buu misc的第4-5页的题目wp，刷到后面第6页感觉意义不是很大，就决定去刷近几年的国赛题和含金量比较高的比赛的misc题目，buu的misc就此搁置。觉得此总结还是很好的，作为自己的查询文档很不错，于是这是我的第一版总结，希望后面可以更新【自己刨了坑】

0x00题目：

1.[ACTF新生赛2020]NTFS数据流 https://blog.csdn.net/mochu7777777/article/details/109480204

2.[ACTF新生赛2020]swp https://www.cnblogs.com/Jinx8823/p/16617762.html

3.[GXYCTF2019]SXMgdGhpcyBiYXNlPw== https://blog.csdn.net/mochu7777777/article/details/109463575

4.[UTCTF2020]docx https://db.php1.cn/detail/BUUMISC-UTCTF202_7e24f57b.html

5.[RoarCTF2019]黄金6年 https://blog.csdn.net/mochu7777777/article/details/109461931

6.[WUSTCTF2020]alison_likes_jojo

7.[安洵杯 2019]吹着贝斯扫二维码 题目很好

8.[WUSTCTF2020]爬

9.[GUET-CTF2019]zips

10.[ddctf2018](╯°□°）╯︵ ┻━┻ 【-128得到ascii】

11.[MRCTF2020]千层套路

12.[WUSTCTF2020]girlfriend 【dtmf2num】

13.[XMAN2018排位赛]通行证

14.[SUCTF2018]followme

15.[UTCTF2020]file header

16.[安洵杯 2019]Attack

17.[SUCTF 2019]Game

18.buu USB

19.[BSidesSF2019]zippy

20.[UTCTF2020]basic-forensics

21.[SWPU2019]Network 不错 https://www.cnblogs.com/yunqian2017/p/14671031.html

22.[RCTF2019]draw

23.[ACTF新生赛2020]明文攻击

24.[MRCTF2020]Hello_ misc 不错 https://blog.csdn.net/mochu7777777/article/details/109680577

25.[WUSTCTF2020]spaceclub

26.[UTCTF2020]zero

27.[ACTF新生赛2020]music

28.[CFI-CTF 2018]webLogon capture

29.[MRCTF2020]pyFlag

30.[MRCTF2020]不眠之夜

31.[UTCTF2020]File Carving

32.[GKCTF 2021]excel 骚操作 不错 https://www.cnblogs.com/cuihua-/p/16084084.html

33.[QCTF2018]X-man-A face

34.[watevrCTF 2019]Evil Cuteness

35.[安洵杯 2019]easy misc 非常不错 https://xz.aliyun.com/t/6911#toc-30

36.[INSHack2017]sanity

37.[SCTF2019]电单车

38.[DDCTF2018]流量分析 不错的流量包 https://blog.csdn.net/wangjin7356/article/details/122530530

39.[UTCTF2020]sstv

40.[GUET-CTF2019]soul sipse

41.[UTCTF2020]spectogram

42.[湖南省赛2019]Findme 《非常棒的题目》 https://blog.csdn.net/WYHPROGRAME/article/details/123619873

43.Business Planning Group

44.[ACTF新生赛2020]剑龙

45.[HDCTF2019]你能发现什么蛛丝马迹吗

46.greatescape

47.[GKCTF 2021]你知道apng吗

48.[INSHack2019]INSAnity

49.[INSHack2019]Sanity

50.很好的色彩呃？

51.[*CTF2019]otaku

52.大流量分析（一）

53.真的很杂 安卓逆向

54.[INSHack2018]Self Congratulation

55.[MRCTF2020]小O的考研复试

56.[ACTF新生赛2020]frequency

57.[BSidesSF2019]table-tennis

58.[RCTF2019]disk

59.[GKCTF 2021]FireFox Forensics

60.[MRCTF2020]摇滚DJ（建议大声播放

0x01难度题目：

42.[湖南省赛2019]Findme 《非常棒的题目》 https://blog.csdn.net/WYHPROGRAME/article/details/123619873

44.[ACTF新生赛2020]剑龙

0x02总结：

0.MISC工具集

https://www.cnblogs.com/LEOGG321/p/13735458.html

1.NtfsStreamsEditor || lsass进程 || mimikatz工具 || kali-v0latility内存取证 || VeraCrypt加密虚拟磁盘

涉及ntfs流的要用win rar解压

lsass是windows系统的一个进程，用于本地安全和登陆策略。mimikatz可以从 lsass.exe 里获取windows处于active状态账号明文密码。本题的lsass.dmp就是内存运行的镜像，也可以提取到账户密码
下载：
https://github.com/gentilkiwi/mimikatz/releases/

https://www.cnblogs.com/yunqian2017/p/14992169.html

#volatility内存取证
volatility -f memory.img imageinfo
volatility -f memory.img --profile=Win2003SP1x86 pslist
volatility -f memory.img --profile=Win2003SP1x86 cmdscan
volatility -f memory.img --profile=Win2003SP1x86 dumpfiles -Q 0x000000000726a0f0 -D ./
foremost -T ./3600.dmp

 取证后缀.raw、.vmem、.img

#volalitity
插件名	作用
pslist	列出系统进程
hashdump	查看用户和密码信息
svcscan	查看服务
iehistory	查看浏览器历史记录
netscan	查看网络连接
cmdscan	查看命令行操作
filescan	查看文件
dumpfiles	查看文件内容
notepad	查看当前展示的notepad内容
memdump	提取进程
screenshot	屏幕截图
hivelist	查看注册表注册单元
hivedump	查看注册表键名
printkey	查看注册表键值
userassist	查看运行程序相关记录
timeliner	最大程序提取信息
clipboard	获取复制剪切的内容

# VeraCrypt加密虚拟磁盘 https://sourceforge.net/projects/veracrypt/files/latest/download

https://www.cnblogs.com/cuihua-/p/16114238.html

2.伪加密 || zip文件头|| RAR文件结构 || jpg文件头 || png文件 || CRC报错 || A1异或 || IDAT报错 || IDAT隐写 || 原宽高检测脚本 ||

7zip可能直接打开伪加密的zip

zip文件头 504b 0304
jpg文件头 ffd8 
jpg文件尾 ffd9(应该固定)

png文件标志 89 50 4E 47 0D 0A 1A 0A

rar文件结构
标志：52 61 72 21 1A 07 00

CRC报错，报错信息显示是文件的第三个块，RAR结构有四个块：标记块、归档头部块、文件快、结束块
分析RAR文件结构，发现文件块的位置应该是74并不是7A，修改为74后保存
RAR文件结构分析参考：https://www.freebuf.com/column/199854.html

https://blog.csdn.net/mochu7777777/article/details/109632626

.m4a文件多次出现A1，用A1对全部数据进行异或

https://www.threeyear.com.cn/archives/5124

#原宽高检测脚本
import zlib
import struct
 
filename = '1.png'
with open(filename, 'rb') as f:
    all_b = f.read()
    crc32key = int(all_b[29:33].hex(),16)
    data = bytearray(all_b[12:29])
    n = 4095          
    for w in range(n):         
        width = bytearray(struct.pack('>i', w))   
        for h in range(n):
            height = bytearray(struct.pack('>i', h))
            for x in range(4):
                data[x+4] = width[x]
                data[x+8] = height[x]
            crc32result = zlib.crc32(data)
            if crc32result == crc32key:
                print("宽为：",end="")
                print(width)
                print("高为：",end="")
                print(height)

IDAT有问题的标志：图像显示不全乱码。。

union CTYPE type:IDAT

#IDAT隐写
使用工具pngcheck检查IDAT
工具地址 ：http://www.libpng.org/pub/png/apps/pngcheck.html

pngcheck.exe -v 1.png

3.base64隐写 || base家族 || DES || AES

https://blog.csdn.net/mochu7777777/article/details/109463575

def get_base64_diff_value(s1, s2):
    base64chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
    res = 0
    for i in xrange(len(s2)):
        if s1[i] != s2[i]:
            return abs(base64chars.index(s1[i]) - base64chars.index(s2[i]))
    return res


def solve_stego():
    with open('flag.txt', 'rb') as f:
        file_lines = f.readlines()
        bin_str = ''
        for line in file_lines:
            steg_line = line.replace('\n', '')
            norm_line = line.replace('\n', '').decode('base64').encode('base64').replace('\n', '')
            diff = get_base64_diff_value(steg_line, norm_line)
            print diff
            pads_num = steg_line.count('=')
            if diff:
                bin_str += bin(diff)[2:].zfill(pads_num * 2)
            else:
                bin_str += '0' * pads_num * 2
            print goflag(bin_str)


def goflag(bin_str):
    res_str = ''
    for i in xrange(0, len(bin_str), 8):
        res_str += chr(int(bin_str[i:i + 8], 2))
    return res_str


if __name__ == '__main__':
    solve_stego()

base32→16进制→13→85→85→64→85（根据那串编码的格式判断顺序）

这个13不是base家族的，查了一下，是rot13编码

GNATOMJVIQZUKNJXGRCTGNRTGI3EMNZTGNBTKRJWGI2UIMRRGNBDEQZWGI3DKMSFGNCDMRJTII3TMNBQGM4TERRTGEZTOMRXGQYDGOBWGI2DCNBY
base32解码：3A715D3E574E36326F733C5E625D213B2C62652E3D6E3B7640392F3137274038624148
base16解码：:q]>WN62os<^b]!;,be.=n;v@9/17’@8bAH
rot13解码：:d]>JA62bf<^o]!;,or.=a;i@9/17’@8oNU
base85解码：PCtvdWU4VFJnQUByYy4mK1lraTA=
base64解码：<+oue8TRgA@rc.&+Yki0
base85解码：ThisIsSecret!233

DES特征码 ：U2FsdGVkX1我们知道是DES加密【带密匙】
AES特征：key和iv【密码和偏移量】

base家族自动解码脚本

#!/usr/bin/env python
import base64
import re
def baseDec(text, type):
    if type == 1:
        return base64.b16decode(text)
    elif type == 2:
        return base64.b32decode(text)
    elif type == 3:
        return base64.b64decode(text)
    elif type == 4:
        return base64.b85decode(text)
    else:
        pass
def detect(text):
    try:
        if re.match("^[0-9A-F=]+$", text.decode()) is not None:
            return 1
    except:
        pass
    try:
        if re.match("^[A-Z2-7=]+$", text.decode()) is not None:
            return 2
    except:
        pass
    try:
        if re.match("^[A-Za-z0-9+/=]+$", text.decode()) is not None:
            return 3
    except:
        pass
    return 4
def autoDec(text):
    while True:
        if b"MRCTF{" in text:
            print("\n" + text.decode())
            break
        code = detect(text)
        text = baseDec(text, code)
with open("flag.txt", 'rb') as f:
    flag = f.read()
autoDec(flag)

4.Kinovea

逐帧的视频观看

5.ARCHPR 压缩包爆破 || 明问攻击 || 掩码攻击|| gbk字体编码压缩明文攻击

6.outguess隐写 || SilentEye音频隐写 || 盲水印 || 音频隐写sstv-wav || 音频/图片隐写steghide-wav/jpg || 声波可视化 || 剑龙stegosaurus || zsteg

kali 
outguess -k 'killerqueen' -r /root/name.jpg flag.txt

SilentEye
https://www.threeyear.com.cn/archives/5115

#盲水印 https://github.com/chishaxie/BlindWaterMark


#盲水印2 || 频域盲水印
python decode.py --original huyao.png --image stillhuyao.png --result fl.png

https://www.threeyear.com.cn/archives/5560
https://www.cnblogs.com/wrnan/p/12811009.html#gwctf2019huyao

#盲水印2 || 频域盲水印

# coding=utf-8
import cv2
import numpy as np
import random
import os
from argparse import ArgumentParser
ALPHA = 5


def build_parser():
    parser = ArgumentParser()
    parser.add_argument('--original', dest='ori', required=True)
    parser.add_argument('--image', dest='img', required=True)
    parser.add_argument('--result', dest='res', required=True)
    parser.add_argument('--alpha', dest='alpha', default=ALPHA)
    return parser


def main():
    parser = build_parser()
    options = parser.parse_args()
    ori = options.ori
    img = options.img
    res = options.res
    alpha = options.alpha
    if not os.path.isfile(ori):
        parser.error("original image %s does not exist." % ori)
    if not os.path.isfile(img):
        parser.error("image %s does not exist." % img)
    decode(ori, img, res, alpha)


def decode(ori_path, img_path, res_path, alpha):
    ori = cv2.imread(ori_path)
    img = cv2.imread(img_path)
    ori_f = np.fft.fft2(ori)
    img_f = np.fft.fft2(img)
    height, width = ori.shape[0], ori.shape[1]
    watermark = (ori_f - img_f) / alpha
    watermark = np.real(watermark)
    res = np.zeros(watermark.shape)
    random.seed(height + width)
    x = range(height / 2)
    y = range(width)
    random.shuffle(x)
    random.shuffle(y)
    for i in range(height / 2):
        for j in range(width):
            res[x[i]][y[j]] = watermark[i][j]
    cv2.imwrite(res_path, res, [int(cv2.IMWRITE_JPEG_QUALITY), 100])


if __name__ == '__main__':
    main()

#sstv

#kali install
apt-get install qsstv

#use
Options->Configuration->Sound->Sound input勾选From file


wav文件
https://www.cnblogs.com/vuclw/p/15857481.html

#steghide
#steghide 可将文件写入图片和音频，需要密码
steghide extract -sf out.wav

#声波可视化Sonic Visualiser 
#工具地址 https://www.sonicvisualiser.org/download.html

打开文件后，在Layer选项中点击Add Peak Frequency Spectrogram或者Shift+K，然后将右边选项调整成如下图所示

#剑龙 stegosaurus  https://github.com/AngelKitty/stegosaurus
 python stegosaurus.py -x O_O.pyc

#kali zsteg
zsteg flag.png

7.PIL image || 二维码汉信码 || 手绘二维码 || APNG查看 || 二维码01串

汉信码

汉信码
https://www.cnblogs.com/cuihua-/p/16084084.html

像素点绘图

from PIL  import Image
string=''

file=open('qr.txt')
MAX=200

picture=Image.new("RGB",(MAX,MAX))
for y in range(MAX):
    for x in range(MAX):
        string =file.readline()
        picture.putpixel([x,y],eval(string)) #直接使用eval()可以转为元组
picture.show()

#手绘二维码
https://merricx.github.io/qrazybox/

APNG查看网站 https://products.aspose.app/imaging/zh-hans/image-view/apng

7.python带密码解压 || python词频统计

import zipfile
import os
path=r"/home/p/桌面/0573" #这个自己把控想在哪里开始使用脚本
file="0573.zip"
def un_zip(Path,File_name): #传入一个路径和当前路径的压缩包名字，返回解压缩后的文件名字
        current_file=Path+os.sep+File_name #路径+'/'+文件名
        #new_path=''
        os.chdir(Path) #改变当前工作路径，方便添加文件夹
        
        zip_file=zipfile.ZipFile(current_file)
        #print(zip_file.namelist()[0])
        new_file=zip_file.namelist()[0] #新解压的压缩文件为新的路径名字
        
        #new_path=current_path + os.sep + new_file
        #os.mkdir(new_path) #新建一个以解压出来的压缩包为名字的文件夹

        #os.chdir(new_path)
        zip_file.extractall( path=Path, members=zip_file.namelist(), pwd=File_name[0:-4].encode() )#因为密码就是文件名
        zip_file.close()
        
        return new_file

new=file
new1=''
while (1):
        #new1=un_zip(path,new) #第一次解压出来了new1
        if(new ==''):  #判断是否解压完毕，是则直接退出
                print("end:"+new1)
                break

        else:   #否则就开始新的解压
                new1=un_zip(path,new)
                print("continue:"+new1)
                new=new1

#词频统计 http://corpus.zhonghuayuwen.org/CpsTongji.aspx
import re
file = open('D:/edge/read/11.txt')    
line = file.readlines()
file.seek(0,0)
file.close()

result = {}
for i in range(97,123):
    count = 0
    for j in line:
        find_line = re.findall(chr(i),j)
        count += len(find_line)
    result[chr(i)] = count
res = sorted(result.items(),key=lambda item:item[1],reverse=True)

num = 1
for x in res:
        print('频数第{0}: '.format(num),x)
        num += 1

8.DTMF拨号语言

9.grep文件内容查找

grep -r 'CTF' ./new/

10.流量包分析 || USB || RSA解TLS数据

tcp.stream eq 2002
tcp.port == 43935
http.response
http.response.code != 404
http contains flag/FLAG
ip.contains "flag"
tls
smtp
smtp.data.fragment

USB数据包 UsbKeyboardDataHacker脚本提取内容
https://github.com/WangYihang/UsbKeyboardDataHacker

https://blog.csdn.net/mochu7777777/article/details/109632626

RSA添加到wireshark-tls-rsa key里解TLS

https://blog.csdn.net/wangjin7356/article/details/122530530

11.TTL隐写 || 零宽隐写

63  是 00111111 00
127 是 01111111 01
191 是 10111111 10
255 是 11111111 11

零宽隐写
https://330k.github.io/misc_tools/unicode_steganography.html

12.draw || PT2242信号 || 3D打印-gcode代码 || firepwd火狐登录凭证

https://www.calormen.com/jslogo/

cs pu lt 90 fd 500 rt 90 pd fd 100 rt 90 repeat 18[fd 5 rt 10] lt 135 fd 50 lt 135 pu bk 100 pd setcolor pick [ red orange yellow green blue violet ] repeat 18[fd 5 rt 10] rt 90 fd 60 rt 90 bk 30 rt 90 fd 60 pu lt 90 fd 100 pd rt 90 fd 50 bk 50 setcolor pick [ red orange yellow green blue violet ] lt 90 fd 50 rt 90 fd 50 pu fd 50 pd fd 25 bk 50 fd 25 rt 90 fd 50 pu setcolor pick [ red orange yellow green blue violet ] fd 100 rt 90 fd 30 rt 45 pd fd 50 bk 50 rt 90 fd 50 bk 100 fd 50 rt 45 pu fd 50 lt 90 pd fd 50 bk 50 rt 90 setcolor pick [ red orange yellow green blue violet ] fd 50 pu lt 90 fd 100 pd fd 50 rt 90 fd 25 bk 25 lt 90 bk 25 rt 90 fd 25 setcolor pick [ red orange yellow green blue violet ] pu fd 25 lt 90 bk 30 pd rt 90 fd 25 pu fd 25 lt 90 pd fd 50 bk 25 rt 90 fd 25 lt 90 fd 25 bk 50 pu bk 100 lt 90 setcolor pick [ red orange yellow green blue violet ] fd 100 pd rt 90 arc 360 20 pu rt 90 fd 50 pd arc 360 15 pu fd 15 setcolor pick [ red orange yellow green blue violet ] lt 90 pd bk 50 lt 90 fd 25 pu home bk 100 lt 90 fd 100 pd arc 360 20 pu home

PT2242信号
PT2242信号：前面4bit表示同步码，中间20bit表示地址码，后面4bit表示功能码，最后一位是停止码

https://www.threeyear.com.cn/archives/5244

#3D打印-gcode代码  
#https://ncviewer.com/
#https://gcode.ws/

https://blog.csdn.net/qq_36618918/article/details/107912463

#firepwd火狐登录凭证 https://github.com/lclevy/firepwd
python firepwd.py logins.json

https://blog.csdn.net/wangjin7356/article/details/123416304

13.自动拼图montage 和 gaps

https://blog.csdn.net/qq_24033605/article/details/117262765

install

montage安装
apt-get install graphicsmagick-imagemagick-compat

命令用法：

montage *jpg -tile 10x12 -geometry 200x100+0+0 flag.jpg

python3 gaps --image=flag.jpg --generations=40 --population=120 --size=100
#population为图片数量，size为每个图片高度

参数说明：

*.jpg指目标为目录下所有的jpg格式图片
-geometry +0+0的用处是让图片之间没有间隙
resize后是最终合成图片的长x宽
tile后是从左往右张数x从上往下张数
size如何确定？
这道题的图片有一个特点，那就是长是宽的两倍，所以我们可以将一张子图片视为两张拼图（每张拼图是正方形的）
于是有，拼图的宽度，也就是size为600/12=50

14.doc文档隐藏文字 || gbk字体编码压缩明文攻击

#encoding=GBK
f = open('data.txt','w')
s = "Hello everyone, I am Gilbert. Everyone thought that I was killed, but actually I survived. Now that I have no cash with me and I’m trapped in another country. I can't contact Violet now. She must be desperate to see me and I don't want her to cry for me. I need to pay 300 for the train, and 88 for the meal. Cash or battlenet point are both accepted. I don't play the Hearthstone, and I don't even know what is Rastakhan's Rumble."
f.write(s) 
f.close()

15.安卓逆向

准备安卓逆向工具
1.apktool——可以反编译软件的布局文件、图片等资源，方便大家学习一些很好的布局；
2.dex2jar——将apk反编译成java源码（classes.dex转化成jar文件）；
3.jd-gui——查看APK中classes.dex转化成出的jar文件，即源码文件。

工具：https://blog.csdn.net/WYHPROGRAME/article/details/123943424

16.autokey加密

#autokey 工具集：https://www.cnblogs.com/LEOGG321/p/13735458.html

https://www.cnblogs.com/LEOGG321/p/14062442.html#xman2018%E6%8E%92%E4%BD%8D%E8%B5%9Bfile