admin@birkenwald.cn<\/code>\u53d1\u9001\u90ae\u4ef6\u5373\u53ef\u83b7\u53d6\u8d26\u53f7\u3002<\/p>\n\n\n\n\u63d0\u793a\u6587\u6863\u662f\u4e2azip\u538b\u7f29\u5305\uff0c\u91cc\u9762\u8fd8\u6709\u4e00\u4e2a\u52a0\u5bc6\u7684\u538b\u7f29\u5305\uff0c\u770b\u5230\u4e09\u4e2a\u6587\u4ef6\u90fd\u88ab\u52a0\u5bc6\u4e86\uff0c\u5c1d\u8bd5\u7528\u4f2a\u52a0\u5bc6\u5de5\u5177\u7834\u89e3\u4e00\u4e0b<\/p>\n\n\n\n![\"image-20211115222035349\"\/](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div><\/figure>\n\n\n\n\u89e3\u5b8c\u540e\u53d1\u73b0\u793a\u4f8b-\u526f\u672c<\/code>\u53ef\u4ee5\u6253\u5f00\uff0c\u5176\u4ed6\u6253\u4e0d\u5f00<\/p>\n\n\n\n\u540c\u65f6\u770b\u5230\u793a\u4f8b\u4e0e\u793a\u4f8b\u7684CRC32\u662f\u76f8\u540c\u7684\uff0c\u5927\u5c0f\u4e5f\u4e00\u6837\uff0c\u6240\u4ee5\u5c1d\u8bd5\u660e\u6587\u653b\u51fb<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n\u5f97\u5230\u5bc6\u7801qwe@123<\/code>\uff0c\u89e3\u538b\u51fapassword.zip\uff0c\u4f46\u6253\u5f00\u8fd8\u662f\u52a0\u5bc6\u7684\uff0c\u5bc6\u7801\u4e5f\u4e0d\u4e00\u6837<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n\u53d1\u73b01.txt~2.txt\u7684\u5927\u5c0f\u4e00\u6837\uff0c\u90fd\u662f6\u5b57\u8282\uff0c\u4e8e\u662f\u60f3\u5230CRC32\u78b0\u649e<\/p>\n\n\n\n
\u5230\u8fd9\u91cc\u5c31\u4e0e\u5b98\u65b9wp\u6709\u533a\u522b\uff0c\u811a\u672c\u5de5\u5177\u4ec0\u4e48\u7684<\/p>\n\n\n\n
\u9996\u5148\u6211\u7528\u7684\u811a\u672c\u662f\u4e09\u4e2a\u6587\u4ef6\u4e00\u8d77\u7206\u7834\uff0c\u901f\u5ea6\u5f88\u6162\u4e14\u7ed3\u679c\u53ea\u51fa\u6765\u4e00\u4e2a\uff0c\u5e38\u89c4\u6765\u8bf4CRC\u76f8\u540c\u4f46\u91cc\u9762\u5185\u5bb9\u6709\u5f88\u591a\u79cd<\/p>\n\n\n\n
\u8fd9\u91cc\u5c31\u5bfc\u81f4\u6700\u540e\u6ca1\u505a\u51fa\u6765<\/p>\n\n\n\n
#!\/usr\/bin\/env python
# -*- coding:utf-8 -*-
import datetime
import binascii
\u200b
\u200b
def crack(crc_in):
crcs = set([crc_in])
\u200b
r = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_1234567890~!@#$%^&*' # \u538b\u7f29\u5b57\u7b26\u4e32
for a in r:
for b in r:
for c in r:
for d in r:
for e in r:
for f in r:
txt = a + b + c + d + e + f
crc = binascii.crc32(txt)
if (crc & 0xFFFFFFFF) in crcs:
return txt
\u200b
\u200b
\u200b
\u200b
\u200b
if __name__ == \"__main__\":
s = [0x1028C889,0x4B8F7BE7,0x21137233]
password = ''
for x in s:
passw = crack(x)
password += str(passw)
print password<\/code><\/pre>\n\n\n\n\u8fd9\u4e2a\u662f\u7206\u7834\u4e09\u4e2acrc32\u7684\u811a\u672c<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n\u6700\u540e\u7206\u51fa\u6765\u8fd9\u4e2a\u7ed3\u679c\uff0c\u5f53\u65f6\u53d1\u73b0\u6700\u540e\u4e00\u6bb5\u5f88\u5947\u602a\uff0c\u53733.txt\u7206\u51fa\u6765\u7684\u5185\u5bb9<\/p>\n\n\n\n
\u6700\u540e\u5c31\u5361\u5728\u8fd9\u91cc\u4e86\uff0c\u89e3\u538b\u5bc6\u7801\u4e0d\u6b63\u786e\u4e5f\u4e0d\u4f1a\u505a<\/p>\n\n\n\n
\n\n\n\n\u590d\u76d8\uff1a<\/p>\n\n\n\n
\u5f53\u65f6\u5728GitHub\u4e0a\u4e5f\u4e0b\u8f7d\u4e86crc32\u78b0\u649e\u5de5\u5177<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n\u4f46\u6709\u4e00\u4e2a\u70b9\u6211\u505a\u9519\u4e86\uff0c\u5c31\u662f\u547d\u4ee4\u8f93\u5165crc32\u65f6\u6ca1\u6709\u52a0\u4e0a0x<\/strong><\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n\u5e76\u4e14\u901f\u5ea6\u4e5f\u662f\u79d2\u51fa\u7684\uff0c\u4e0d\u4f1a\u50cf\u4e0a\u9762\u90a3\u4e2a\u811a\u672c\u7206\u7834\u5feb\u56db\u5341\u5206\u949f<\/p>\n\n\n\n
\u5f88\u7edd\u671b\u5c31\u5dee\u8fd9\u4e00\u6b65\uff0c\u524d\u4e24\u4e2a\u90fd\u7206\u7834\u51fa\u6765\u4e86<\/p>\n\n\n\n
\u5269\u4e0b\u76841.txt\u548c2.txt\u4e5f\u5982\u56fe\u6240\u793a\u8f93\u5165<\/p>\n\n\n\n
python crc32.py reverse 0x21137233<\/code><\/pre>\n\n\n\n\u6700\u540e\u7b5b\u9009\u51fa\u5f97\u5230\u5bc6\u7801welc0me_sangforctf<\/code>\uff0c\u89e3\u538b\u5f97\u5230.password.swp<\/code>\u6587\u4ef6<\/p>\n\n\n\n\u6240\u77e5swp\u6587\u4ef6\u65f6vim\u7f16\u8f91\u5668\u4e0d\u6b63\u5e38\u9000\u51fa\u7559\u4e0b\u7684<\/p>\n\n\n\n
\u62c9\u8fdbkali\u8fdb\u884c\u8bfb\u53d6<\/p>\n\n\n\n
vim -r .password.swp
cat .password.swp<\/code><\/pre>\n\n\n\n<\/div><\/figure>\n\n\n\n\u7136\u540e\u767b\u5f55\u7f51\u7ad9\u7528bp\u6293\u5305\u67e5\u770b\u56de\u663e\u5305\u5c31\u5f97\u5230flag<\/p>\n\n\n\n
Bridge<\/h2>\n\n\n\n
\u4e0b\u8f7d\u6765\u662f\u4e00\u5f20png\u56fe\u7247<\/p>\n\n\n\n
\u7167\u5e38\u62c9\u8fdbkali\u8fdb\u884cbinwalk\u5206\u6790\uff0c\u65e0\u679c\uff0c\u8fdb\u884czsteg\u67e5\u770b<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n\u53d1\u73b0\u6709zlib\u6570\u636e\uff0c\u4ee5\u53ca\u5728bgr\u901a\u9053\u6709\u810f\u6570\u636e<\/p>\n\n\n\n
\u5728kali\u91cc\u8fdb\u884cpngcheck\u4e5f\u8bc1\u660e\u6709\u5f02\u5e38IDAT\u5757<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n\u5728010editor\u91cc\u67e5\u770b\u5f02\u5e38IDAT\u5757<\/p>\n\n\n\n
\u5c0687\u6539\u621078\uff0c\u5e76\u4ece78\u6bb5\u5f00\u59cb\u63d0\u53d6\u4e3a\u5341\u516d\u8fdb\u5236(78 9C\u662fzlib\u7684\u6587\u4ef6\u5934)<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n<\/div><\/figure>\n\n\n\n\u7528\u811a\u672c\u5c06\u8fd9\u6bb5zlib\u6570\u636e\u538b\u7f29<\/p>\n\n\n\n
import zlib
data = open(\"zlib_hex_data.txt\", 'r',
encoding=\"utf-8\").read().replace(\" \", \"\").replace(\"\\n\",
\"\").strip()
data_dec = zlib.decompress(bytes.fromhex(data))
print(data_dec[:100])
with open(\"zlib_data.rar\", 'wb') as wf:
wf.write(data_dec)<\/code><\/pre>\n\n\n\n<\/div><\/figure>\n\n\n\n\u53d1\u73b0\u751f\u6210rar\u538b\u7f29\u5305\uff0c\u6253\u5f00\u538b\u7f29\u5305\u63d0\u793a\u5bfb\u627eflag1<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n\u7ee7\u7eed\u5bf9bridge\u56fe\u7247\u8fdb\u884c\u5206\u6790<\/p>\n\n\n\n
\u5728\u5bf9bridge\u56fe\u7247\u8fdb\u884cexif\u4fe1\u606f\u67e5\u8be2\u65f6\u53d1\u73b0\u4e00\u4e32\u5b57\u7b26<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n\u8fdb\u884c\u5341\u516d\u8fdb\u5236\u8f6cASCII\u7801<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n\u5f97\u5230dynamical-geometry<\/code><\/p>\n\n\n\n\u5728\u524d\u9762zsteg\u53d1\u73b0\u7684\u810f\u6570\u636e\u8fd8\u6ca1\u5229\u7528\uff0c\u7528stegsolve\u5de5\u5177\u67e5\u770b<\/p>\n\n\n\n
(\u5728\u524d\u9762zsteg\u627e\u5230\u7684\u810f\u6570\u636e\u662f\u5728BGR\u901a\u9053<\/strong>\uff0c\u5f53\u65f6\u5728\u6bd4\u8d5b\u65f6\u5c31\u662f\u56e0\u4e3a\u6ca1\u6709\u8c03\u5230BGR\u6240\u4ee5\u6ca1\u53d1\u73b0\u8fd9\u6bb5\u6570\u636e)<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n<\/div><\/figure>\n\n\n\n\u4fdd\u5b58\u4e3apng\u56fe\u7247\uff0c\u53d1\u73b0\u6253\u4e0d\u5f00\uff0c\u5728kali\u91cc\u8fdb\u884cforemost\u5206\u79bb\u51fapng\u56fe\u7247\uff0c\u5f97\u5230\u4e00\u6bb5\u8272\u5f69\u503c\u6df7\u4e71\u7684\u56fe\u7247\uff0c\u8fdb\u884c\u5206\u6790\u50cf\u7d20<\/p>\n\n\n\n
from PIL import Image
image = Image.open(r'C:\\Users\\Aria\\Desktop\\ctf\u8d5b\u9898\\\u6df1\u80b2\u676f\\00000000.png')
allpixels = []
for x in range(image.width):
for y in range(image.height):
allpixels.append(image.getpixel((x, y)))
print(len(allpixels))
print(allpixels[:4])<\/code><\/pre>\n\n\n\n\u5f97\u5230\u8f93\u51fa\uff0c\u53d6\u4e86\u524d\u56db\u6bb5\u503c\uff0c\u5c06\u7b2c\u4e09\u5217\u5341\u516d\u8fdb\u5236\u8f6c\u5341\u8fdb\u5236\u5f97\u523050 4B 03 04<\/code>\uff0c\u4e3azip\u538b\u7f29\u6587\u4ef6\u5934<\/p>\n\n\n\n348100
[(40, 176, 80), (37, 181, 75), (1, 253, 3), (2, 252, 4)]
0x50 0x4B 0X03 0X04<\/pre>\n\n\n\n\u6279\u91cf\u63d0\u53d6\u5e76\u4fdd\u5b58\u4e3azip\u538b\u7f29\u5305<\/p>\n\n\n\n
from PIL import Image
image = Image.open(r'C:\\Users\\Aria\\Desktop\\ctf\u8d5b\u9898\\\u6df1\u80b2\u676f\\00000000.png')
allpixels = []
for x in range(image.width):
for y in range(image.height):
if image.getpixel((x, y)) == (0, 0, 0):
continue
allpixels.append(image.getpixel((x, y))[2])
hex_datalist = [str(hex(i))[2:].zfill(2) for i in allpixels]
print(\"\".join(hex_datalist)[:100])
with open(\"outpur.txt\", 'w') as wf:
wf.write(\"\".join(hex_datalist))<\/code><\/pre>\n\n\n\n\u5c06\u751f\u6210\u7684txt\u6587\u4ef6\u91cc\u7684\u5185\u5bb9\u7528010editor\u7c98\u8d34\u751f\u6210zip\uff0c\u7528\u524d\u9762\u8f6c\u6210ASCII\u7801\u7684\u5b57\u7b26dynamical-geometry<\/code>\u4f5c\u4e3a\u89e3\u538b\u5bc6\u7801<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n\u767e\u5ea6\u641c\u7d22\u5f97\u77e5stl\u6587\u4ef6\u662f3D\u6587\u4ef6\uff0c\u5728\u5fae\u8f6f\u5546\u5e97\u641c\u7d22\u52303D\u8f6f\u4ef6\u8bfb\u53d6\u56683D Builder<\/code>\u53ef\u4ee5\u76f4\u63a5\u6253\u5f00\uff08\u81ea\u5e26\u76843D\u753b\u56fe\u6253\u4e0d\u5f00\uff09<\/p>\n\n\n\n<\/div><\/figure>\n\n\n\n\u540c\u7406\u5f97\u5230\u4e4b\u524d\u538b\u7f29\u5305\u7684flag2\u4e5f\u662fstl\u6587\u4ef6\u683c\u5f0f\uff0c\u6253\u5f00\u5f97\u5230\u7b2c\u4e8c\u6bb5flag<\/p>\n\n\n\n
<\/p>\n\n\n\n
![\"image-20211115222035349\"\/](\"https:\/\/gitee.com\/Hermitaria\/blogimagee\/raw\/master\/20211115222035.png\")
<\/div><\/figure>\n\n\n\n![\"image-20211115222709640\"\/](\"https:\/\/gitee.com\/Hermitaria\/blogimagee\/raw\/master\/20211115222709.png\")
<\/div><\/figure>\n\n\n\n![\"image-20211115222810254\"\/](\"https:\/\/gitee.com\/Hermitaria\/blogimagee\/raw\/master\/20211115222810.png\")
<\/div><\/figure>\n\n\n\n![\"image-20211115223513471\"\/](\"https:\/\/gitee.com\/Hermitaria\/blogimagee\/raw\/master\/20211115223513.png\")
<\/div><\/figure>\n\n\n\n![\"image-20211115223720884\"\/](\"https:\/\/gitee.com\/Hermitaria\/blogimagee\/raw\/master\/20211115223720.png\")
<\/div><\/figure>\n\n\n\n![\"image-20211115223915733\"\/](\"https:\/\/gitee.com\/Hermitaria\/blogimagee\/raw\/master\/20211115223915.png\")
<\/div><\/figure>\n\n\n\n![\"image-20211115224419284\"\/](\"https:\/\/gitee.com\/Hermitaria\/blogimagee\/raw\/master\/20211115224419.png\")
<\/div><\/figure>\n\n\n\n![\"image-20211119082718554\"\/](\"https:\/\/gitee.com\/Hermitaria\/blogimagee\/raw\/master\/20211119082725.png\")
<\/div><\/figure>\n\n\n\n![\"image-20211119083027653\"\/](\"https:\/\/gitee.com\/Hermitaria\/blogimagee\/raw\/master\/20211119083027.png\")
<\/div><\/figure>\n\n\n\n![\"image-20211119083747403\"\/](\"https:\/\/gitee.com\/Hermitaria\/blogimagee\/raw\/master\/20211119083747.png\")
<\/div><\/figure>\n\n\n\n![\"image-20211119083620093\"\/](\"https:\/\/gitee.com\/Hermitaria\/blogimagee\/raw\/master\/20211119083620.png\")
<\/div><\/figure>\n\n\n\n![\"image-20211119083955851\"\/](\"https:\/\/gitee.com\/Hermitaria\/blogimagee\/raw\/master\/20211119083955.png\")
<\/div><\/figure>\n\n\n\n![\"image-20211119084215744\"\/](\"https:\/\/gitee.com\/Hermitaria\/blogimagee\/raw\/master\/20211119084215.png\")
<\/div><\/figure>\n\n\n\n![\"image-20211119084419922\"\/](\"https:\/\/gitee.com\/Hermitaria\/blogimagee\/raw\/master\/20211119084420.png\")
<\/div><\/figure>\n\n\n\n![\"image-20211119084559813\"\/](\"https:\/\/gitee.com\/Hermitaria\/blogimagee\/raw\/master\/20211119084559.png\")
<\/div><\/figure>\n\n\n\n![\"image-20211119085023095\"\/](\"https:\/\/gitee.com\/Hermitaria\/blogimagee\/raw\/master\/20211119085023.png\")
<\/div><\/figure>\n\n\n\n![\"image-20211119084817962\"\/](\"https:\/\/gitee.com\/Hermitaria\/blogimagee\/raw\/master\/20211119084818.png\")
<\/div><\/figure>\n\n\n\n![\"image-20211119091702750\"\/](\"https:\/\/gitee.com\/Hermitaria\/blogimagee\/raw\/master\/20211119091702.png\")
<\/div><\/figure>\n\n\n\n![\"image-20211119092921649\"\/](\"https:\/\/gitee.com\/Hermitaria\/blogimagee\/raw\/master\/20211119092921.png\")
<\/div><\/figure>\n\n\n\n