H&NCTF2024

MADISUN Lv2

secret

Running binwalk -e secret.png extracts a zip archive containing a flag.txt whose content is: flag is not here. The file has only one line, yet it is 353 bytes, which looks suspicious. Opening it in vim reveals many zero-width characters.

The zero-width characters present are: 0x200b, 0x200d, 0x202c, 0xfeff

Decode with an online tool: https://330k.github.io/misc_tools/unicode_steganography.html

This yields a key: Snow White

Back to the PNG: opening it in a hex editor shows another block of data after the end of the PNG, starting with 9e97ba2a. A search shows that this is the signature of oursecret.

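Load the image into oursecret and click unhide; a flag.txt comes out. Opening it, something is clearly still hidden below the visible text.

Opening it in a hex editor again shows that the end of the file is a run of 09 20 0d 0a bytes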

09 -> tab
20 -> space
0A -> \n
0D -> \r

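I tried mapping 09 and 20 to binary digits, and also to Morse code, but both failed. The key Snow White had not been used yet, and the text also seemed to be about snow, so I searched for Snow Steganography and found SNOW steganography.

SNOW steganography notes | 独奏の小屋 (hasegawaazusa.github.io)

SNOW stands for the Steganographic Nature Of Whitespace.

SNOW hides messages in ASCII text by appending spaces and tabs to the ends of lines, i.e. text steganography. Because spaces and tabs are normally invisible in text viewers, the message is effectively hidden from casual observers. If the built-in encryption is used, the message cannot be read even if it is detected.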
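Both text tricks in this challenge (zero-width code points in the first flag.txt, trailing tabs and spaces in the second) can be flagged without an editor. The following is an added example, not code from the original write-up; the two samples are constructed and the function name is illustrative.

```python
import unicodedata
from collections import Counter

def invisible_report(raw):
    """Summarize format-class (zero-width) code points and trailing blanks."""
    text = raw.decode("utf-8")
    # U+200B, U+200D, U+202C and U+FEFF all have Unicode category Cf.
    hidden = Counter("U+%04X" % ord(ch) for ch in text
                     if unicodedata.category(ch) == "Cf")
    visible = "".join(ch for ch in text if unicodedata.category(ch) != "Cf")
    trailing = []
    for number, line in enumerate(text.splitlines(), start=1):
        body = line.rstrip(" \t")
        if body != line:
            # Keep the run itself so the tab/space pattern can be inspected.
            trailing.append((number, line[len(body):]))
    return {
        "total_bytes": len(raw),
        "visible_bytes": len(visible.encode("utf-8")),
        "zero_width": dict(hidden),
        "trailing_whitespace": trailing,
    }

# Constructed samples: neither is the challenge file.
ZW_SAMPLE = ("flag" + "\u200b\u200d\u202c\ufeff" * 5 + " is not here").encode("utf-8")
WS_SAMPLE = b"let it snow\t \t  \r\nplain line\r\nmore snow \t\r\n"

if __name__ == "__main__":
    print(invisible_report(ZW_SAMPLE))
    print(invisible_report(WS_SAMPLE))
```

A large gap between total_bytes and visible_bytes is the same signal the write-up noticed by eye (one visible line, 353 bytes).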

Download the program from the official site: The SNOW Home Page (darkside.com.au)

Extract:

SNOW.EXE -C -p "duzou" infile outfile

This yields a string built from the Eight Trigrams (bagua)

兑震乾兑乾坤乾艮乾兑兑艮兑乾震兑乾坎兑艮乾兑乾艮乾艮巽兑离震兑坎坤兑乾艮兑坎离兑兑巽兑艮离兑震兑兑坎震兑离离兑兑离兑坤乾兑艮离兑兑坎兑兑震兑艮巽兑坎坤兑兑巽兑艮兑兑艮乾兑离艮兑兑坤兑坎艮兑乾离兑离巽兑兑坎兑兑离兑艮坤兑艮乾兑离乾兑巽兑兑坤乾兑艮离兑兑巽兑艮兑兑艮乾兑离艮兑离乾兑巽离兑坎坤乾坎震

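I made many attempts here as well, such as converting each trigram to binary in the order 乾 = 1, 兑 = 2, ... and concatenating the results, but the output was wrong.

Eventually I found a bagua base8 tool: chyroc/base8-bagua: bagua-symbol base64 (github.com)

Its decoding converts the bagua symbols to octal digits, turns each octal digit into 3 binary bits to form a bit array, groups every 8 bits into one byte, and returns the byte array.

The tool on GitHub is written in Go, and my local Go no longer supports go get, so I switched to a Python-based script instead: base8-bagua-py: Python version of base8-bagua, bagua symbol encoding and decoding (gitee.com)

Running it gives: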

XG0NCEpF4SoFjLrYkRJxrMKtoLqpVOnBTMJwpPaxrLqpVPbo+

This is XXencode. Decoding it online gives the flag:

H&NCTF{Do_y0u_want_mak3_a_5now_man}
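The last two layers can be reproduced offline. This added example is not code from the original write-up or from either bagua tool: the trigram mapping (Fuxi order counted from zero, three trigrams per 3-digit octal character code) is inferred from the trigram string and script output quoted above, and the XXencode decoder uses the standard XXencode alphabet. Function names are illustrative.

```python
# Trigram -> octal digit in Fuxi order, counted from 0 (inferred from the
# write-up's own input/output pair, not taken from a tool's source).
TRIGRAMS = "乾兑离震巽坎艮坤"
XX_ALPHABET = "+-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

BAGUA = (  # the string recovered by SNOW in the write-up
    "兑震乾兑乾坤乾艮乾兑兑艮兑乾震兑乾坎兑艮乾兑乾艮乾艮巽"
    "兑离震兑坎坤兑乾艮兑坎离兑兑巽兑艮离兑震兑兑坎震兑离离兑兑离兑坤乾"
    "兑艮离兑兑坎兑兑震兑艮巽兑坎坤兑兑巽兑艮兑兑艮乾兑离艮兑兑坤兑坎艮兑乾离兑离巽"
    "兑兑坎兑兑离兑艮坤兑艮乾兑离乾兑巽兑兑坤乾兑艮离兑兑巽兑艮兑兑艮乾兑离艮兑离乾兑巽离兑坎坤乾坎震"
)

def bagua_decode(symbols):
    """Every three trigrams form one 3-digit octal character code."""
    if len(symbols) % 3:
        raise ValueError("length is not a multiple of 3")
    digits = [TRIGRAMS.index(s) for s in symbols]   # ValueError on unknown symbol
    return "".join(chr(digits[i] * 64 + digits[i + 1] * 8 + digits[i + 2])
                   for i in range(0, len(digits), 3))

def xx_decode_line(line):
    """Decode one XXencode line: length character, then 4 chars -> 3 bytes."""
    length = XX_ALPHABET.index(line[0])
    body = line[1:]
    body += "+" * (-len(body) % 4)                   # '+' is the zero digit
    out = bytearray()
    for i in range(0, len(body), 4):
        n = 0
        for ch in body[i:i + 4]:
            n = (n << 6) | XX_ALPHABET.index(ch)
        out += n.to_bytes(3, "big")
    return bytes(out[:length])                       # drop padding bytes

def solve():
    return xx_decode_line(bagua_decode(BAGUA)).decode("ascii")

if __name__ == "__main__":
    print(bagua_decode(BAGUA))
    print(solve())
```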

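A real nesting-doll challenge, but a good one and not too much of a guessing game. I learned something from it; there were just a lot of layers.

Xiao Ming is a monkey

Volatility pslist shows an mspaint.exe process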

0xfffffa800474f910 mspaint.exe            2980   2192      7      127      1      0 2024-05-05 04:42:46 UTC+0000 

Dump the process with memdump

$ vol.py -f xiaoming.raw --profile=Win7SP1x64 memdump -p 2980 -D ./ 

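宸极实验室: 『CTF』 Forensics on Windows Paint with Volatility - Zhihu (zhihu.com)

The dump comes out as a .dmp file. Change the extension to .data and open it in GIMP (official site: GIMP - Downloads)

Set the image type to planar RGB, the width to 2880 and the height to 1536

The bottom line is visibly the key and needs to be flipped. The key is: #2a92ak@d27e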

Back in Volatility, filescan | grep Desktop finds two zips: xiaoming.zip and secret.zip

$ vol.py -f xiaoming.raw --profile=Win7SP1x64 filescan |grep Desktop

0x000000007d8c1f20 16 0 R--rw- \Device\HarddiskVolume2\Users\MIAOMI~1\Desktop\secret.zip
0x000000007fe0ad50 16 0 R--rw- \Device\HarddiskVolume2\Users\MIAOMI~1\Desktop\xiaoming.zip

Extract both zips with dumpfiles

$ vol.py -f xiaoming.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000007d8c1f20 -D . -u
$ vol.py -f xiaoming.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000007fe0ad50 -D . -u

flag.txt is inside secret.zip. Both zips are encrypted; decrypting secret.zip directly with the key gives the flag

H&NCTF{U_r_a_f0rensic_m4s7er}

ez_pcap

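There are two capture files, ctf1 and ctf2. Starting with ctf2, filter on http and follow the streams: the requests and responses share a fixed header: dFAXQV1LORcHRQtLRlwMAhwFTAg/MTxcWR1NNExZAD0ZaAWMIPAZjH1BFBFtHThcJSlUXWEd

This is characteristic of Behinder (冰蝎) 4.0. Decrypt with behinder_decrypt: melody27/behinder_decrypt: Behinder traffic decryption script (github.com)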

$ python3 py_decrypt.py -f ~/Desktop/HNCTF--/ctf2.pcapng


cd /var/www/html/dvwa/hackable/uploads/ ;zip -P H&Nctf14789 Secret.zip dmp.dmp




进入php文件




} &+mg\Z7Pm4




进入php文件




cd /var/www/html/dvwa/hackable/uploads/ ;zip -P HNCTF--14789 Secret.zip dmp.dmp



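The key information is zip -P HNCTF--14789 Secret.zip: the password of secret.zip is HNCTF--14789

The http filter also shows a Get zip request

Follow that stream: the zip is visible in the response data. Save the zip and decrypt it with the password above to get dmp.dmp

file dmp.dmp shows that it is a minidump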

Mini DuMP crash report, 17 streams, Sun May  5 11:27:13 2024, 0x469925 type

I found this write-up, in which the minidump has the same type as this one: CTFtime.org / HTB Uni CTF 2021 - Quals / Strike Back / Writeup

This should be a Cobalt Strike-related minidump file. radare2 confirms that it is a dump of the beacon.exe process

$ r2 dmp.dmp                                        
WARN: Invalid or unsupported enumeration encountered 21
WARN: Invalid or unsupported enumeration encountered 22
INFO: Parsing data sections for large dumps can take time
INFO: Please be patient (but if strings ain't your thing try with -z)
WARN: Relocs has not been applied. Please use `-e bin.relocs.apply=true` or `-e bin.cache=true` next time
WARN: format string ([2]EwwbBddd[4]Ed[2]Ew[2]q (mdmp_processor_architecture)ProcessorArchitecture ProcessorLevel ProcessorRevision NumberOfProcessors (mdmp_product_type)ProductType MajorVersion MinorVersion BuildNumber (mdmp_platform_id)PlatformId CsdVersionRva (mdmp_suite_mask)SuiteMask Reserved2 ProcessorFeatures) is too large for this buffer (53, 52)
-- Press 'c' in visual mode to toggle the cursor mode
[0x00d50000]> iSq~exe
0x00400000 0x0044b000 ---- C:\Users\admin\Desktop\beacon.exe
[0x00d50000]>

C:\Users\admin\Desktop\beacon.exe

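In ctf2 there is also GET /dpixel, another beacon trait. Knowing this, the approach is to extract the AES and HMAC keys from the dmp

DidierStevens/Beta: Beta versions of my software (github.com) contains many Cobalt Strike-related scripts

Extracting the keys also requires the task data sent in the CS traffic. Turning to ctf1, POST /submit.php?id=465129432 is the packet that delivers the command, and the data in it is the task data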

$ python3 cs-extract-key.py -c 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 ~/Desktop/dmp.dmp

File: /Users/madison/Desktop/dmp.dmp
Searching for AES and HMAC keys
Searching after sha256\x00 string (0x2ef5ea)
AES key position: 0x002f5b22
AES Key: 0406b3801de60f1fd4d7391d618eec81
HMAC key position: 0x002f8e42
HMAC Key: 3e2c8bd57d043ae78caa33c1f76fb3de
SHA256 raw key: 3e2c8bd57d043ae78caa33c1f76fb3de:0406b3801de60f1fd4d7391d618eec81

SHA256 raw key: 3e2c8bd57d043ae78caa33c1f76fb3de:0406b3801de60f1fd4d7391d618eec81 is the key. With it, extract directly with cs-parse-http-traffic.py; the encoding in the script has to be changed, otherwise it raises an error

$ python3.11 ~/Downloads/cs-parse-http-traffic.py -k 3e2c8bd57d043ae78caa33c1f76fb3de:0406b3801de60f1fd4d7391d618eec81 ~/Desktop/ctf1.pcapng -e

This gives the flag:

H&NCTF{29d5c78b-4367-49ff-807f-dd204341f225}

About CS traffic

CTFtime.org / HTB Uni CTF 2021 - Quals / Strike Back / Writeup

[2021 绿城杯] [Misc] Traffic analysis + cobaltstrike traffic decryption - CSDN blog

Cobalt Strike: Using Known Private Keys To Decrypt Traffic - Part 2 - FreeBuf

Common webshell traffic analysis | ycx's blog (ilikeoyt.github.io)

Decrypting cobalt-strike traffic from a pcap | fdvoid0's blog (fdlucifer.github.io)

Common webshell traffic decryption analysis - CSDN blog

Cobalt Strike: Using Known Private Keys To Decrypt Traffic – Part 2 – NVISO Labs

WBGlIl/CS_Decrypt (github.com)

Forensics

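ice's secret

The attachment contains a memory image and a ccx file. The ccx file is in CnCrypt format; according to the challenge description, the first-layer password of the ccx is user_domain_password

The volatility mimikatz plugin gives the first-layer password directly: ice_CTF_CFRS[]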

$ vol.py -f ice_secret.raw --profile=Win7SP1x64 mimikatz             
Volatility Foundation Volatility Framework 2.6.1
Module User Domain Password
-------- ---------------- ---------------- ----------------------------------------
wdigest ice CTF CFRS[]
wdigest CTF$ WORKGROUP

Mount with CnCrypt

Inside there is a tips.txt with the content

The key is split into three parts; only their concatenation is the real password. The first character of key3 is _

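My guess is that this key is the second-layer mount key

volatility pslist shows an mspaint.exe, again

The next steps are the same as in Xiao Ming is a monkey: dump the process with memdump, change the extension and load it into GIMP. The difference is that this time planar RGB and width/height adjustment are not needed; key3 is directly visible: _pic

Scanning the desktop with volatility filescan finds main.py and key2.txt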

$ vol.py -f ice_secret.raw --profile=Win7SP1x64 filescan |grep Desktop

0x000000007e0e65e0 16 0 R--rw- \Device\HarddiskVolume2\Users\ice\Desktop\main.py
0x000000007eb41380 16 0 R--rw- \Device\HarddiskVolume2\Users\ice\Desktop\key2.txt

Next I tried to extract the files with dumpfiles, but that failed, so I used mftparser to view and recover the deleted files

$ vol.py -f ice_secret.raw --profile=Win7SP1x64 mftparser >icemft.txt

Both files are visible in the saved txt

main.py

$FILE_NAME
Creation Modified MFT Altered Access Date Name/Path
------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------
2024-05-05 12:43:33 UTC+0000 2024-05-05 13:05:07 UTC+0000 2024-05-05 13:05:07 UTC+0000 2024-05-06 06:56:29 UTC+0000 Users\ice\Desktop\main.py

$OBJECT_ID
Object ID: dfbea7e7-750b-ef11-a6da-b060882901b6
Birth Volume ID: 80000000-6802-0000-0000-180000000100
Birth Object ID: 4f020000-1800-0000-6465-6620656e636f
Birth Domain ID: 64652028-4f4f-304f-4f4f-304f304f4f4f

$DATA
0000000000: 64 65 66 20 65 6e 63 6f 64 65 20 28 4f 4f 30 4f def.encode.(OO0O
0000000010: 4f 4f 30 4f 30 4f 4f 4f 30 30 30 30 30 29 3a 0d OO0O0OOO00000):.
0000000020: 0a 20 20 20 20 4f 30 4f 30 30 30 30 30 30 30 4f .....O0O0000000O
0000000030: 30 4f 4f 4f 30 30 20 3d 5b 5d 0d 0a 20 20 20 20 0OOO00.=[]......
0000000040: 66 6f 72 20 4f 30 4f 30 4f 4f 30 30 4f 30 30 4f for.O0O0OO00O00O
0000000050: 4f 4f 30 4f 4f 20 69 6e 20 4f 4f 30 4f 4f 4f 30 OO0OO.in.OO0OOO0
0000000060: 4f 30 4f 4f 4f 30 30 30 30 30 3a 0d 0a 20 20 20 O0OOO00000:.....
0000000070: 20 20 20 20 20 4f 30 30 30 4f 4f 4f 4f 30 30 30 .....O000OOOO000
0000000080: 4f 30 30 30 4f 30 20 3d 28 6f 72 64 20 28 4f 30 O000O0.=(ord.(O0
0000000090: 4f 30 4f 4f 30 30 4f 30 30 4f 4f 4f 30 4f 4f 20 O0OO00O00OOO0OO.
00000000a0: 29 5e 30 78 31 31 34 30 30 30 20 5e 30 78 35 31 )^0x114000.^0x51
00000000b0: 34 29 2b 31 31 34 30 30 30 2d 35 31 34 0d 0a 20 4)+114000-514...
00000000c0: 20 20 20 20 20 20 20 4f 30 4f 30 30 30 30 30 30 .......O0O000000
00000000d0: 30 4f 30 4f 4f 4f 30 30 20 2e 61 70 70 65 6e 64 0O0OOO00..append
00000000e0: 20 28 4f 30 30 30 4f 4f 4f 4f 30 30 30 4f 30 30 .(O000OOOO000O00
00000000f0: 30 4f 30 20 26 30 78 66 66 29 0d 0a 20 20 20 20 0O0.&0xff)......
0000000100: 72 65 74 75 72 6e 20 4f 30 4f 30 30 30 30 30 30 return.O0O000000
0000000110: 30 4f 30 4f 4f 4f 30 30 0d 0a 64 65 66 20 64 65 0O0OOO00..def.de
0000000120: 63 6f 64 65 20 28 4f 4f 4f 4f 4f 4f 4f 4f 4f 30 code.(OOOOOOOOO0
0000000130: 4f 4f 4f 30 4f 30 30 29 3a 0d 0a 20 20 20 20 4f OOO0O00):......O
0000000140: 30 4f 30 30 4f 30 30 4f 30 30 30 4f 4f 4f 4f 4f 0O00O00O000OOOOO
0000000150: 20 3d 27 27 0d 0a 20 20 20 20 66 6f 72 20 4f 30 .=''......for.O0
0000000160: 30 4f 4f 30 30 30 30 30 4f 4f 4f 4f 30 30 4f 20 0OO00000OOOO00O.
0000000170: 69 6e 20 4f 4f 4f 4f 4f 4f 4f 4f 4f 30 4f 4f 4f in.OOOOOOOOO0OOO
0000000180: 30 4f 30 30 3a 0d 0a 20 20 20 20 20 20 20 20 4f 0O00:..........O
0000000190: 4f 30 4f 4f 30 4f 30 4f 4f 30 4f 30 4f 30 30 4f O0OO0O0OO0O0O00O
00000001a0: 20 3d 20 3f 0d 0a 20 20 20 20 20 20 20 20 4f 30 .=.?..........O0
00000001b0: 4f 30 30 4f 30 30 4f 30 30 30 4f 4f 4f 4f 4f 20 O00O00O000OOOOO.
00000001c0: 2b 3d 20 3f 0d 0a 20 20 20 20 72 65 74 75 72 6e +=.?......return
00000001d0: 20 4f 30 4f 30 30 4f 30 30 4f 30 30 30 4f 4f 4f .O0O00O00O000OOO
00000001e0: 4f 4f 20 0d 0a 0d 0a 22 22 22 0d 0a 3e 3e 3e 65 OO....."""..>>>e
00000001f0: 6e 63 6f 64 65 28 22 6b 65 79 31 22 29 0d 0a 5b ncode("key1")..[
0000000200: 32 30 35 2c 20 31 39 31 2c 20 31 38 37 2c 20 31 205,.191,.187,.1
0000000210: 31 35 2c 20 31 32 34 2c 20 31 31 37 2c 20 31 31 15,.124,.117,.11
0000000220: 30 2c 20 31 38 31 2c 20 31 38 37 2c 20 31 35 33 0,.181,.187,.153
0000000230: 2c 20 31 39 39 2c 20 31 31 30 2c 20 31 37 34 2c ,.199,.110,.174,
0000000240: 20 32 30 32 2c 20 31 35 33 5d 0d 0a 22 22 22 .202,.153].."""

After tidying up and renaming the variables, the program is

def encode(plain):
    a = []
    for i in plain:
        temp1 = (ord(i) ^ 0x114000 ^ 0x514) + 114000 - 514
        a.append(temp1 & 0xff)
    return a

# decode() is left incomplete in the recovered file: the two ? are in the original
def decode(cipher):
    b = ''
    for i in cipher:
        OO0OO0O0OO0O0O00O = ?
        b += ?
    return b

"""
>>>encode("key1")
[205, 191, 187, 115, 124, 117, 110, 181, 187, 153, 199, 110, 174, 202, 153]
"""

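The logic is simple: two XORs and an add/subtract, then reduction modulo 256. Inverting it directly, we do not know how many multiples of 256 to add back, so instead we work forwards: run the common ASCII range 33-126 through encode and record the mapping

table = []
for i in range(33, 127):
    # same transform as encode(); only the low byte survives the & 0xff
    table.append(((i ^ 0x114000 ^ 0x514) + 114000 - 514) & 0xff)
for i in range(len(table)):
    print(chr(i + 33), table[i])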

This gives the mapping table

! 131
" 132
# 133
$ 126
% 127
& 128
' 129
( 138
) 139
* 140
+ 141
, 134
- 135
. 136
/ 137
0 114
1 115
2 116
3 117
4 110
5 111
6 112
7 113
8 122
9 123
: 124
; 125
< 118
= 119
> 120
? 121
@ 162
A 163
B 164
C 165
D 158
E 159
F 160
G 161
H 170
I 171
J 172
K 173
L 166
M 167
N 168
O 169
P 146
Q 147
R 148
S 149
T 142
U 143
V 144
W 145
X 154
Y 155
Z 156
[ 157
\ 150
] 151
^ 152
_ 153
` 194
a 195
b 196
c 197
d 190
e 191
f 192
g 193
h 202
i 203
j 204
k 205
l 198
m 199
n 200
o 201
p 178
q 179
r 180
s 181
t 174
u 175
v 176
w 177
x 186
y 187
z 188
{ 189
| 182
} 183
~ 184

From the table above and [205, 191, 187, 115, 124, 117, 110, 181, 187, 153, 199, 110, 174, 202, 153], we get key1: key1:34sy_m4th_
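The table lookup can be automated, and the transform also has a closed-form inverse because only the low byte survives the & 0xff. This is an added example, not code from the original write-up; the function names are illustrative and CIPHER is the list from main.py.

```python
CIPHER = [205, 191, 187, 115, 124, 117, 110, 181, 187, 153, 199, 110, 174, 202, 153]

def encode(plain):
    """encode() as recovered from main.py."""
    return [((ord(c) ^ 0x114000 ^ 0x514) + 114000 - 514) & 0xff for c in plain]

def decode_by_table(cipher, alphabet=range(33, 127)):
    """Invert encode() with a lookup table over the candidate alphabet."""
    table = {}
    for code in alphabet:
        value = encode(chr(code))[0]
        if value in table:   # a collision would make decoding ambiguous
            raise ValueError("encode() is not injective on this alphabet")
        table[value] = chr(code)
    return "".join(table[v] for v in cipher)

def decode_closed_form(cipher):
    """Low byte only: encode is (c ^ 0x14) + 78 mod 256, so undo it in reverse."""
    offset = (114000 - 514) % 256          # 78
    return "".join(chr(((v - offset) % 256) ^ (0x514 & 0xff)) for v in cipher)

if __name__ == "__main__":
    print(decode_by_table(CIPHER))
    print(decode_closed_form(CIPHER))
```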

The data saved from the MFT also contains key2.txt

$FILE_NAME
Creation Modified MFT Altered Access Date Name/Path
------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------
2024-05-05 05:07:25 UTC+0000 2024-05-05 05:24:56 UTC+0000 2024-05-05 05:24:56 UTC+0000 2024-05-06 06:55:54 UTC+0000 Users\ice\Desktop\key2.txt

$OBJECT_ID
Object ID: debea7e7-750b-ef11-a6da-b060882901b6
Birth Volume ID: 80000000-2001-0000-0000-180000000100
Birth Object ID: 07010000-1800-0000-5253-4352435b5b5b
Birth Domain ID: 46434353-4643-465d-5d5d-5253525b5b5b

$DATA
0000000000: 52 53 43 52 43 5b 5b 5b 46 43 43 53 46 43 46 5d RSCRC[[[FCCSFCF]
0000000010: 5d 5d 52 53 52 5b 5b 5b 46 43 53 43 46 5d 5d 5d ]]RSR[[[FCSCF]]]
0000000020: 43 52 52 5b 5b 5b 46 43 46 46 5d 5d 5d 5b 43 52 CRR[[[FCFF]]][CR
0000000030: 52 43 52 5d 5b 5b 5b 46 43 53 53 53 43 43 43 53 RCR][[[FCSSSCCCS
0000000040: 46 46 5d 5d 5d 5b 52 43 53 52 52 5d 5b 5b 5b 46 FF]]][RCSRR][[[F
0000000050: 43 46 46 53 53 53 5d 5d 5d 43 46 5b 5b 5b 5b 46 CFFSSS]]]CF[[[[F
0000000060: 43 5d 5d 5d 5d 5b 52 52 52 5d 5b 5b 5b 5b 46 43 C]]]][RRR][[[[FC
0000000070: 43 46 5d 5d 5d 5d 5b 46 46 46 5d 5b 52 5d 5b 5b CF]]]][FFF][R][[
0000000080: 5b 5b 46 43 43 5d 5d 5d 5d 5b 52 5d 5b 5b 5b 46 [[FCC]]]][R][[[F
0000000090: 43 46 5d 5d 5d 52 52 5b 5b 46 43 46 43 46 5d 5d CF]]]RR[[FCFCF]]
00000000a0: 46 46 46 46 52 52 5b 52 52 5d 5b 5b 46 43 46 43 FFFFRR[RR][[FCFC
00000000b0: 46 5d 5d 5b 5b 5b 43 46 5d 5d 5d 46 46 5b 52 43 F]][[[CF]]]FF[RC
00000000c0: 43 52 52 5d 5b 5b 5b 46 5d 5d 5d 5b 5b 5b 46 46 CRR][[[F]]][[[FF
00000000d0: 5d 5d 5d 5b 52 52 43 52 5d 5b 5b 5b 46 46 5d 5d ]]][RRCR][[[FF]]
00000000e0: 5d 5b 46 46 43 46 5d 52 52 43 52 43 52 52 43 52 ][FFCF]RRCRCRRCR
00000000f0: 43 46 46 43 46 46 46 43 46 43 46 5b 46 46 43 46 CFFCFFFCFCF[FFCF
0000000100: 5d 46 46 43 46 43 46

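This brings to mind the CFRS[] from the first-layer password, which is a drawing language:

[CFRS] | An extremely minimal drawing language consisting of only 6 simple commands: C, F, R, S, [, and ]. (susam.github.io)

Enter the data on the site (the last few characters have to be removed) and it draws 2B. No insults please, no insults please

Following the hint, change B to lowercase b and join the keys into 34sy_m4th_2b_pic, then mount in CnCrypt once more to get the flag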

H&NCTF{F0rensics_1s_1nt3r3st1ng}
  • Title: H&NCTF2024
  • Author: MADISUN
  • Created at : 2024-05-11 20:39:17
  • Updated at : 2024-05-13 23:25:53
  • Link: https://redefine.ohevan.com/2024/05/11/HNCTF-MISC/
  • License: This work is licensed under CC BY-NC-SA 4.0.