image_processing_1

Key points

  1. Binwalk extraction
  2. Blind watermark
  3. crypto decryption
  4. hashcat brute force
  5. docx hidden text
  6. bmp steganography

Solution

1. Binwalk extraction

Start by analysing the image with Binwalk. It reports a zip archive appended to the PNG, so use Binwalk to extract it.

PNG image, 440 x 449, 8-bit/color RGB, non-interlaced
Zlib compressed data, compressed
Zip archive data, at least v2.0 to extract, compressed size: 192868, uncompressed size: 205062, name: wanan.png
End of Zip archive, footer length: 22

2. Blind watermark

The archive contains two files, wanan.png and 舔狗日记.crypto. Looking closely, the extracted image is almost identical to the challenge image, which points to a blind watermark.
Use the 随波逐流 CTF toolbox or BlindWaterMark to decode the two-image blind watermark (key mode), which gives key piece 1: ARJXU4MjE0

Here wanan.png is the challenge image and wanan2.png is the image extracted from the archive.

python bwmforpy3.py decode wanan.png wanan2.png out.png


3. crypto decryption

Open the .crypto file with Encrypto and enter the key ARJXU4MjE0 obtained above. This yields three files: 舔狗日记1.docx, 舔狗日记2.docx and 最终我不想舔了.bmp.

Word must be configured to show the formatting mark for hidden text, otherwise the hidden text in a later step will not be displayed.

Open 舔狗日记1.docx, select all the text and darken its colour: nothing unusual shows up. Analysing the file with Binwalk, however, reveals an unexpected entry, remember.zip.

Binwalk file analysis
Zip archive data, at least v2.0 to extract, compressed size: 350, uncompressed size: 1432, name: [Content_Types].xml
Zip archive data, at least v2.0 to extract, name: _rels/
Zip archive data, at least v2.0 to extract, compressed size: 247, uncompressed size: 737, name: _rels/.rels
Zip archive data, at least v2.0 to extract, name: customXml/
Zip archive data, at least v2.0 to extract, name: customXml/_rels/
Zip archive data, at least v2.0 to extract, compressed size: 188, uncompressed size: 296, name: customXml/_rels/item1.xml.rels
Zip archive data, at least v2.0 to extract, compressed size: 149, uncompressed size: 258, name: customXml/item1.xml
Zip archive data, at least v2.0 to extract, compressed size: 228, uncompressed size: 327, name: customXml/itemProps1.xml
Zip archive data, at least v2.0 to extract, name: docProps/
Zip archive data, at least v2.0 to extract, compressed size: 346, uncompressed size: 624, name: docProps/app.xml
Zip archive data, at least v2.0 to extract, compressed size: 327, uncompressed size: 633, name: docProps/core.xml
Zip archive data, at least v2.0 to extract, compressed size: 252, uncompressed size: 383, name: docProps/custom.xml
Zip archive data, at least v2.0 to extract, compressed size: 162, uncompressed size: 224, name: remember.zip
Zip archive data, at least v2.0 to extract, name: word/
Zip archive data, at least v2.0 to extract, name: word/_rels/
Zip archive data, at least v2.0 to extract, compressed size: 246, uncompressed size: 822, name: word/_rels/document.xml.rels
Zip archive data, at least v2.0 to extract, compressed size: 3739, uncompressed size: 57660, name: word/document.xml
Zip archive data, at least v2.0 to extract, compressed size: 682, uncompressed size: 3062, name: word/fontTable.xml
Zip archive data, at least v2.0 to extract, compressed size: 1026, uncompressed size: 2629, name: word/settings.xml
Zip archive data, at least v2.0 to extract, compressed size: 2328, uncompressed size: 26902, name: word/styles.xml
Zip archive data, at least v2.0 to extract, name: word/theme/
Zip archive data, at least v2.0 to extract, compressed size: 1339, uncompressed size: 6436, name: word/theme/theme1.xml

Rename the Word file's extension to .zip and unzip it to obtain remember.zip. Unzip that too and open the remember.txt inside, which holds key piece 2: 那天,你告诉了我你最重要的8个数字,我记住了 ("That day you told me your 8 most important digits, and I remembered them").
From this we get key piece 3: 8 digits.
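As an added example (not part of the original writeup), here is a small Python carver that does the part of Binwalk's job used in steps 1 and 3: it scans any container for ZIP local file headers (the PNG with an archive appended, or the .docx, which is itself a ZIP and therefore lists remember.zip as one of its entries), reports each entry's name, sizes and whether it is password-protected, and slices the archive out for extraction. The sample input is constructed here and is not the challenge file.

```python
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"      # 0x04034b50, what Binwalk reports as "Zip archive data"
LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"     # 30-byte fixed part of a ZIP local file header


def carve_zip_entries(data: bytes) -> list:
    """Find every ZIP local file header in raw bytes and describe the entry:
    offset, name, compression method, sizes and the encryption flag (bit 0)."""
    entries = []
    pos = 0
    while True:
        pos = data.find(LOCAL_HEADER_SIG, pos)
        if pos < 0 or pos + 30 > len(data):
            break
        (_sig, _version, flags, method, _mtime, _mdate, _crc,
         csize, usize, name_len, extra_len) = struct.unpack_from(LOCAL_HEADER_FMT, data, pos)
        name = data[pos + 30:pos + 30 + name_len].decode("utf-8", "replace")
        entries.append({"offset": pos, "name": name, "method": method,
                        "compressed": csize, "uncompressed": usize,
                        "encrypted": bool(flags & 0x1)})
        pos += 30 + name_len + extra_len   # step over the header; keep scanning for more
    return entries


def extract_embedded(data: bytes) -> dict:
    """Slice from the first local header onward (the manual equivalent of
    'binwalk -e' or renaming .docx to .zip) and read every entry."""
    entries = carve_zip_entries(data)
    if not entries:
        return {}
    with zipfile.ZipFile(io.BytesIO(data[entries[0]["offset"]:])) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


SAMPLE_PAYLOAD = b"constructed inner image bytes " * 100   # stands in for wanan.png


def build_sample() -> bytes:
    """Constructed input mirroring the challenge image: a PNG signature plus
    zero padding in place of real chunks, followed by an appended ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("wanan.png", SAMPLE_PAYLOAD)
    return b"\x89PNG\r\n\x1a\n" + b"\x00" * 100 + buf.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    for e in carve_zip_entries(sample):
        print(f"offset {e['offset']}: {e['name']} compressed={e['compressed']} "
              f"uncompressed={e['uncompressed']} encrypted={e['encrypted']}")
    print({k: len(v) for k, v in extract_embedded(sample).items()})
```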

4. hashcat brute force

Opening 舔狗日记2.docx prompts for a password, and we already know the password is 8 digits, so we use hashcat to crack the Word password.
hashcat needs the hash first, so we use office2john to extract the hash of 舔狗日记2.docx (the file path must not contain Chinese characters, so rename the file).

In the john-1.8.0-jumbo-1\run directory run:

python office2john.py 2.docx > hash

This writes the hash to a file; open it and delete the leading 2.docx: prefix, leaving the hash:

$office$*2007*20*128*16*e8acb3ffadb859fcd9c0f38906f5a9b5*dc0a3deef00efb5fcdc115daa4784734*f97102e56fc53cf48fedba9a927e149d711928b2

As the hash shows, this is an Office 2007 document.

In the hashcat folder run .\hashcat.exe --help | findstr Office to list the Office hash modes.

 9400 | MS Office 2007                                  | Document
 9500 | MS Office 2010                                  | Document
 9600 | MS Office 2013                                  | Document
25300 | MS Office 2016 - SheetProtection                | Document
 9700 | MS Office <= 2003 $0/$1, MD5 + RC4              | Document
 9710 | MS Office <= 2003 $0/$1, MD5 + RC4, collider #1 | Document
 9720 | MS Office <= 2003 $0/$1, MD5 + RC4, collider #2 | Document
 9810 | MS Office <= 2003 $3, SHA1 + RC4, collider #1   | Document
 9820 | MS Office <= 2003 $3, SHA1 + RC4, collider #2   | Document
 9800 | MS Office <= 2003 $3/$4, SHA1 + RC4             | Document

Office 2007 corresponds to hash mode 9400. Crack it with hashcat using an 8-digit mask, which gives key piece 4: 19990821

.\hashcat.exe -m 9400 hash -a 3 ?d?d?d?d?d?d?d?d -w 3 -O


If hashcat has already cracked the same hash, it keeps the result on record and will not print it again; add --show to display the password.

5. docx hidden text

After entering the password, open 舔狗日记2.docx, select all the text and darken it; the hidden text now appears, giving key piece 5: HowCaniForgetyou


6. bmp steganography

One file, 最终我不想舔了.bmp, has not been used yet, so it is presumably bmp steganography. Using wbStego4.3open, enter the image path and the password to recover a txt file containing the final flag: ACTF{Tr1edT0f0rgeTy0uBuTf1nallyTurnsT0f0rg1ve}

The flag body Tr1edT0f0rgeTy0uBuTf1nallyTurnsT0f0rg1ve is written in Leet speak; decoded it reads TriedToForgetYouButFinallyTurnsToForgive, meaning "tried to forget you, but in the end chose to forgive".

References