AAA CTF101 安全攻防实践短学期 Misc Lab 2

实验指导

仅供参考。

Challenge 1

foremost 即可。

1
2
3
4
5
$ foremost songmingti.jpg
Processing: songmingti.jpg
|*|

$ imgcat output/jpg/*

Challenge 2

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
$ exif miao_exif.jpg
EXIF tags in 'miao_exif.jpg' ('Motorola' byte order):
--------------------+----------------------------------------------------------
Tag                 |Value
--------------------+----------------------------------------------------------
X-Resolution        |144
Y-Resolution        |144
Resolution Unit     |Inch
Artist              |key:m1a0@888
YCbCr Positioning   |Centered
Exif Version        |Exif Version 2.1
FlashPixVersion     |FlashPix Version 1.0
Color Space         |Uncalibrated
--------------------+----------------------------------------------------------

$ steghide extract -sf miao_exif.jpg -p m1a0@888
wrote extracted data to "secret_file.txt".

Challenge 3

用 StegSolve 加载图片,Analyse -> Data Extract 可以观察到明显的 PNG 特征。Save Bin 得到图片 flag。

StegSolve

Challenge 4: Palette Stego

chal-palette.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
from PIL import Image
import numpy as np

img = Image.open('chal-palette.png')

palette = np.array(img.getpalette()).reshape(-1, 3)

y = [round(.299 * r + .587 * g + .114 * b, 8) for r, g, b in palette]

y_idx = {i: y for i, y in enumerate(np.argsort(y)[::-1])}

inverse_y_idx = {y: i for i, y in y_idx.items()}

bits = []

for i in range(img.height):
    for j in range(img.width):
        bits.append((inverse_y_idx[img.getpixel((j, i))] % 2) ^ 1)

print(int(''.join(map(str, bits[:400])), 2).to_bytes(50).decode())

img.close()

img.palette.palette 就得到 768 = 256 * 3 字节的原始 palette 数据。

AAA{gOoD_joB_P4lEtTE_M0D3_c@N_al$0_57E9o!}

Challenge 5: Spectrogram

RTFM 题,有点坐牢。可以通过 GIF 图还原出 power_to_db 的结果,librosa 文档里也可以直接找到 db_to_powermel_to_audio 函数。

spectrogram.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
import librosa
import numpy as np
import soundfile as sf
from PIL import Image, ImageSequence


num_freqs = 32
quantize = 2
min_db = -60
max_db = 30
sample_rate = 22050
fft_window_size = 2048
frame_step_size = 512
window_function_type = 'hann'

img = Image.open('flag.gif')

Mdb = np.ndarray((num_freqs, img.n_frames), dtype=np.float32)

for i, frame in enumerate(ImageSequence.Iterator(img)):
    pixels = np.asarray(frame.resize(
        (frame.width // quantize, frame.height // quantize)
    ).convert(mode='P')).transpose()

    pixels = np.delete(pixels, range(0, pixels.shape[0], 2), axis=0)

    pixels[pixels < 128] = 1
    pixels[pixels > 127] = 0

    for j, pixel in enumerate(pixels):
        Mdb[j, i] = np.float32(min_db + np.sum(pixel) * 2)

img.close()

y = librosa.feature.inverse.mel_to_audio(
    librosa.db_to_power(Mdb),
    sr=sample_rate,
    n_fft=fft_window_size,
    hop_length=frame_step_size,
    window=window_function_type
)

sf.write('reflag.mp3', y, sample_rate)

原曲为 Rick Astley - Never Gonna Give You Up。截取前 10s 用 generate.py 产生的 GIF 图也可以看出来是一样的。

ZJU > CTF 暑 2023
AAA CTF101 安全攻防实践短学期 Misc Lab 2
https://heap.45gfg9.net/t/ZJU/2023-CTF101/8bca39d16f7b/
作者
45gfg9
发布于
2023-07-25
许可协议