dnrops.gitlink.net/posts/ctf/4.1_Misc.html

<!DOCTYPE HTML>
<html lang="en" class="coal" dir="ltr">
<head>
<!-- Book generated using mdBook -->
<meta charset="UTF-8">
<title>Misc - Andrew&#x27;s Blog</title>
<!-- Custom HTML head -->
<meta name="description" content="Andrew Ryan&#x27;s Blog">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="theme-color" content="#ffffff">
<link rel="icon" href="../../favicon.svg">
<link rel="shortcut icon" href="../../favicon.png">
<link rel="stylesheet" href="../../css/variables.css">
<link rel="stylesheet" href="../../css/general.css">
<link rel="stylesheet" href="../../css/chrome.css">
<!-- Fonts -->
<link rel="stylesheet" href="../../FontAwesome/css/font-awesome.css">
<link rel="stylesheet" href="../../fonts/fonts.css">
<!-- Highlight.js Stylesheets -->
<link rel="stylesheet" href="../../highlight.css">
<link rel="stylesheet" href="../../tomorrow-night.css">
<link rel="stylesheet" href="../../ayu-highlight.css">
<!-- Custom theme stylesheets -->
<link rel="stylesheet" href="../../src/style/custom.css">
<!-- MathJax -->
<script async src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=TeX-AMS-MML_HTMLorMML"></script>
</head>
<body class="sidebar-visible no-js">
<div id="body-container">
<!-- Provide site root to javascript -->
<script>
var path_to_root = "../../";
var default_theme = window.matchMedia("(prefers-color-scheme: dark)").matches ? "coal" : "coal";
</script>
<!-- Work around some values being stored in localStorage wrapped in quotes -->
<script>
try {
var theme = localStorage.getItem('mdbook-theme');
var sidebar = localStorage.getItem('mdbook-sidebar');
if (theme.startsWith('"') && theme.endsWith('"')) {
localStorage.setItem('mdbook-theme', theme.slice(1, theme.length - 1));
}
if (sidebar.startsWith('"') && sidebar.endsWith('"')) {
localStorage.setItem('mdbook-sidebar', sidebar.slice(1, sidebar.length - 1));
}
} catch (e) { }
</script>
<!-- Set the theme before any content is loaded, prevents flash -->
<script>
var theme;
try { theme = localStorage.getItem('mdbook-theme'); } catch(e) { }
if (theme === null || theme === undefined) { theme = default_theme; }
var html = document.querySelector('html');
html.classList.remove('coal')
html.classList.add(theme);
var body = document.querySelector('body');
body.classList.remove('no-js')
body.classList.add('js');
</script>
<input type="checkbox" id="sidebar-toggle-anchor" class="hidden">
<!-- Hide / unhide sidebar before it is displayed -->
<script>
var body = document.querySelector('body');
var sidebar = null;
var sidebar_toggle = document.getElementById("sidebar-toggle-anchor");
if (document.body.clientWidth >= 1080) {
try { sidebar = localStorage.getItem('mdbook-sidebar'); } catch(e) { }
sidebar = sidebar || 'visible';
} else {
sidebar = 'hidden';
}
sidebar_toggle.checked = sidebar === 'visible';
body.classList.remove('sidebar-visible');
body.classList.add("sidebar-" + sidebar);
</script>
<nav id="sidebar" class="sidebar" aria-label="Table of contents">
<div class="sidebar-scrollbox">
<ol class="chapter"><li class="chapter-item affix "><a href="../../index.html">Andrew's Blog</a></li><li class="chapter-item "><a href="../../posts/linux/linux.html"><strong aria-hidden="true">1.</strong> linux</a><a class="toggle"><div></div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/linux/install_linux.html"><strong aria-hidden="true">1.1.</strong> install linux</a></li><li class="chapter-item "><a href="../../posts/linux/bash_profile.html"><strong aria-hidden="true">1.2.</strong> bash profile</a></li><li class="chapter-item "><a href="../../posts/linux/command_list.html"><strong aria-hidden="true">1.3.</strong> command list</a></li><li class="chapter-item "><a href="../../posts/linux/git_guide.html"><strong aria-hidden="true">1.4.</strong> git guide</a></li><li class="chapter-item "><a href="../../posts/linux/tar.html"><strong aria-hidden="true">1.5.</strong> tar</a></li><li class="chapter-item "><a href="../../posts/linux/run_x86_elf_in_x64_setup.html"><strong aria-hidden="true">1.6.</strong> run x86 elf in x64 setup</a></li></ol></li><li class="chapter-item "><a href="../../posts/mac/mac.html"><strong aria-hidden="true">2.</strong> mac</a><a class="toggle"><div></div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/mac/macos_profiles.html"><strong aria-hidden="true">2.1.</strong> macos profiles</a></li></ol></li><li class="chapter-item "><a href="../../posts/swift/swift.html"><strong aria-hidden="true">3.</strong> swift</a><a class="toggle"><div></div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/swift/learn_swift.html"><strong aria-hidden="true">3.1.</strong> learn swift basics</a></li><li class="chapter-item "><a href="../../posts/swift/swift_extensions.html"><strong aria-hidden="true">3.2.</strong> Swift extensions</a></li><li class="chapter-item "><a href="../../posts/swift/swiftui_extension.html"><strong aria-hidden="true">3.3.</strong> SwiftUI 
extensions</a></li><li class="chapter-item "><a href="../../posts/swift/install_swift.html"><strong aria-hidden="true">3.4.</strong> install swift</a></li><li class="chapter-item "><a href="../../posts/swift/task_planner.html"><strong aria-hidden="true">3.5.</strong> implement task planner app with SwiftUI</a></li><li class="chapter-item "><a href="../../posts/swift/swift_cheat_sheet.html"><strong aria-hidden="true">3.6.</strong> Swift Cheat Sheet</a></li><li class="chapter-item "><a href="../../posts/swift/yinci_url.html"><strong aria-hidden="true">3.7.</strong> Personal privacy protocol</a></li><li class="chapter-item "><a href="../../posts/swift/swift_regular_exressions.html"><strong aria-hidden="true">3.8.</strong> Swift regular expressions</a></li><li class="chapter-item "><a href="../../posts/ios/how_to_create_beautiful_ios_charts_in_swift.html"><strong aria-hidden="true">3.9.</strong> How to Create Beautiful iOS Charts in Swift</a></li><li class="chapter-item "><a href="../../posts/swift/swiftui_source_code.html"><strong aria-hidden="true">3.10.</strong> SwiftUI source code</a></li><li class="chapter-item "><a href="../../posts/swift/use_swift_fetch_iciba_api.html"><strong aria-hidden="true">3.11.</strong> use swift to fetch the iciba API</a></li></ol></li><li class="chapter-item "><a href="../../posts/ios/ios.html"><strong aria-hidden="true">4.</strong> ios</a><a class="toggle"><div></div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/ios/cocaposd_setup_and_install_for_ios_project.html"><strong aria-hidden="true">4.1.</strong> CocoaPods setup and install for iOS project</a></li><li class="chapter-item "><a href="../../posts/ios/swiftui_show_gif_image.html"><strong aria-hidden="true">4.2.</strong> SwiftUI show gif image</a></li><li class="chapter-item "><a href="../../posts/ios/implement_task_planner_app.html"><strong aria-hidden="true">4.3.</strong> implement Task planner App</a></li></ol></li><li class="chapter-item "><a 
href="../../posts/objective_c/objective_c.html"><strong aria-hidden="true">5.</strong> objective_c</a><a class="toggle"><div></div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/objective_c/objective_c_cheat_sheet.html"><strong aria-hidden="true">5.1.</strong> Objective-C Cheat Sheet</a></li><li class="chapter-item "><a href="../../posts/objective_c/objective_c_for_absolute_beginners_read_note.html"><strong aria-hidden="true">5.2.</strong> Objective-C Note</a></li></ol></li><li class="chapter-item "><a href="../../posts/dart/dart.html"><strong aria-hidden="true">6.</strong> dart</a><a class="toggle"><div></div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/dart/flutter.html"><strong aria-hidden="true">6.1.</strong> Flutter Cheat Sheet</a></li><li class="chapter-item "><a href="../../posts/dart/dart_cheat_sheet.html"><strong aria-hidden="true">6.2.</strong> Dart Cheat Sheet</a></li><li class="chapter-item "><a href="../../posts/flutter/flutter_dev_test.html"><strong aria-hidden="true">6.3.</strong> Flutter dev test</a></li></ol></li><li class="chapter-item "><a href="../../posts/rust/rust.html"><strong aria-hidden="true">7.</strong> rust</a><a class="toggle"><div></div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/rust/offline_use_rust.html"><strong aria-hidden="true">7.1.</strong> Offline use rust</a></li><li class="chapter-item "><a href="../../posts/rust/rust_grammer.html"><strong aria-hidden="true">7.2.</strong> rust grammar</a></li><li class="chapter-item "><a href="../../posts/rust/pase_string_and_decimal_conversion.html"><strong aria-hidden="true">7.3.</strong> parse string and decimal conversion</a></li><li class="chapter-item "><a href="../../posts/rust/parse_types.html"><strong aria-hidden="true">7.4.</strong> rust types</a></li><li class="chapter-item "><a href="../../posts/rust/rust_life_cycle.html"><strong aria-hidden="true">7.5.</strong> Rust life 
cycle</a></li><li class="chapter-item "><a href="../../posts/rust/rust_generic.html"><strong aria-hidden="true">7.6.</strong> rust generics</a></li><li class="chapter-item "><a href="../../posts/rust/rust_implment_matrix.html"><strong aria-hidden="true">7.7.</strong> Rust implement matrix</a></li><li class="chapter-item "><a href="../../posts/rust/rust_sort.html"><strong aria-hidden="true">7.8.</strong> Rust implement sort algorithms</a></li><li class="chapter-item "><a href="../../posts/rust/implement_aes_encryption.html"><strong aria-hidden="true">7.9.</strong> Rust implement AES encryption and decryption</a></li><li class="chapter-item "><a href="../../posts/rust/implement_trie_data_structure.html"><strong aria-hidden="true">7.10.</strong> implement trie data structure</a></li><li class="chapter-item "><a href="../../posts/rust/rust_implement_tree.html"><strong aria-hidden="true">7.11.</strong> implement tree data structure</a></li><li class="chapter-item "><a href="../../posts/rust/list_dir.html"><strong aria-hidden="true">7.12.</strong> list dir</a></li><li class="chapter-item "><a href="../../posts/rust/fast_way_to_implment_object_trait.html"><strong aria-hidden="true">7.13.</strong> fast way to implement object trait</a></li><li class="chapter-item "><a href="../../posts/rust/compress_rust_binary_size.html"><strong aria-hidden="true">7.14.</strong> compress rust binary size</a></li><li class="chapter-item "><a href="../../posts/rust/implment_file_upload_backend.html"><strong aria-hidden="true">7.15.</strong> implement file upload</a></li><li class="chapter-item "><a href="../../posts/rust/this_is_add_post_cli_implementation_in_rust.html"><strong aria-hidden="true">7.16.</strong> this is add_post cli implementation in rust</a></li><li class="chapter-item "><a href="../../posts/rust/use_rust_implment_a_copyclipbord_cli.html"><strong aria-hidden="true">7.17.</strong> Use rust to implement a copy-clipboard CLI</a></li><li class="chapter-item "><a 
href="../../posts/rust/sqlite_database_add_delete_update_show_in_rust.html"><strong aria-hidden="true">7.18.</strong> sqlite database add delete update show in rust</a></li><li class="chapter-item "><a href="../../posts/rust/implementing_tokio_joinhandle_for_wasm.html"><strong aria-hidden="true">7.19.</strong> Implementing tokio JoinHandle for wasm</a></li><li class="chapter-item "><a href="../../posts/rust/rust_implement_a_crate_for_encode_and_decode_brainfuck_and_ook.html"><strong aria-hidden="true">7.20.</strong> rust implement a crate to encode and decode brainfuck and ook</a></li><li class="chapter-item "><a href="../../posts/rust/slint_builtin_elements.html"><strong aria-hidden="true">7.21.</strong> Slint Builtin Elements</a></li><li class="chapter-item "><a href="../../posts/rust/corporate_network_install_rust_on_windows.html"><strong aria-hidden="true">7.22.</strong> Corporate network install Rust on Windows</a></li><li class="chapter-item "><a href="../../posts/rust/rust_binary_file_how_to_judge_static_link_or_dynamic_link_in_macos.html"><strong aria-hidden="true">7.23.</strong> rust binary file how to judge static link or dynamic link in macOS</a></li><li class="chapter-item "><a href="../../posts/rust/rust_binary_include_dir_and_get_contents.html"><strong aria-hidden="true">7.24.</strong> rust binary include dir and get contents</a></li><li class="chapter-item "><a href="../../posts/rust/rust_logger_non-block.html"><strong aria-hidden="true">7.25.</strong> rust logger non-block</a></li><li class="chapter-item "><a href="../../posts/rust/rust_connect_sql_server_database.html"><strong aria-hidden="true">7.26.</strong> rust connect sql server database</a></li><li class="chapter-item "><a href="../../posts/rust/rust_websocket_implment.html"><strong aria-hidden="true">7.27.</strong> rust websocket implementation</a></li></ol></li><li class="chapter-item "><a href="../../posts/java/java.html"><strong aria-hidden="true">8.</strong> java</a><a 
class="toggle"><div></div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/java/java_grammar.html"><strong aria-hidden="true">8.1.</strong> java grammar and codewar</a></li><li class="chapter-item "><a href="../../posts/java/run_jar.html"><strong aria-hidden="true">8.2.</strong> java run .jar</a></li><li class="chapter-item "><a href="../../posts/java/java_pomxml_add_defaultgoal_to_build.html"><strong aria-hidden="true">8.3.</strong> Java pomxml add defaultGoal to build</a></li><li class="chapter-item "><a href="../../posts/java/java_set_mvn_mirror.html"><strong aria-hidden="true">8.4.</strong> Java set mvn mirror</a></li></ol></li><li class="chapter-item "><a href="../../posts/python/python.html"><strong aria-hidden="true">9.</strong> python</a><a class="toggle"><div></div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/python/convert_pesn.html"><strong aria-hidden="true">9.1.</strong> convert pesn</a></li><li class="chapter-item "><a href="../../posts/python/find_remove_dir.html"><strong aria-hidden="true">9.2.</strong> find and remove dir</a></li><li class="chapter-item "><a href="../../posts/python/timing_message.html"><strong aria-hidden="true">9.3.</strong> wechat send message</a></li><li class="chapter-item "><a href="../../posts/python/use_python_openpyxl_package_read_and_edit_excel_files.html"><strong aria-hidden="true">9.4.</strong> Use python openpyxl package read and edit excel files</a></li></ol></li><li class="chapter-item "><a href="../../posts/go/go.html"><strong aria-hidden="true">10.</strong> go</a></li><li class="chapter-item "><a href="../../posts/js/js.html"><strong aria-hidden="true">11.</strong> js</a><a class="toggle"><div></div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/js/js_tutorial.html"><strong aria-hidden="true">11.1.</strong> js tutorial</a></li><li class="chapter-item "><a href="../../posts/js/js_tutorial_map.html"><strong 
aria-hidden="true">11.2.</strong> js map</a></li><li class="chapter-item "><a href="../../posts/js/js_tutorial_math.html"><strong aria-hidden="true">11.3.</strong> js math</a></li><li class="chapter-item "><a href="../../posts/js/js_tutorial_object.html"><strong aria-hidden="true">11.4.</strong> js object</a></li><li class="chapter-item "><a href="../../posts/js/js_tutorial_set.html"><strong aria-hidden="true">11.5.</strong> js set</a></li><li class="chapter-item "><a href="../../posts/js/single_thread_and_asynchronous.html"><strong aria-hidden="true">11.6.</strong> single thread and asynchronous</a></li><li class="chapter-item "><a href="../../posts/js/this.html"><strong aria-hidden="true">11.7.</strong> js this</a></li><li class="chapter-item "><a href="../../posts/js/js_implment_aes.html"><strong aria-hidden="true">11.8.</strong> js implement aes</a></li><li class="chapter-item "><a href="../../posts/js/getting_started_with_ajax.html"><strong aria-hidden="true">11.9.</strong> getting started with ajax</a></li><li class="chapter-item "><a href="../../posts/js/BinarySearchTree.html"><strong aria-hidden="true">11.10.</strong> binary search tree</a></li><li class="chapter-item "><a href="../../posts/js/goole_zx.html"><strong aria-hidden="true">11.11.</strong> google zx</a></li><li class="chapter-item "><a href="../../posts/js/es6.html"><strong aria-hidden="true">11.12.</strong> es6</a></li></ol></li><li class="chapter-item "><a href="../../posts/ruby/ruby.html"><strong aria-hidden="true">12.</strong> ruby</a><a class="toggle"><div></div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/ruby/rails_setup_env.html"><strong aria-hidden="true">12.1.</strong> ruby on rails setup environment</a></li><li class="chapter-item "><a href="../../posts/ruby/learn_ruby.html"><strong aria-hidden="true">12.2.</strong> learn ruby</a></li><li class="chapter-item "><a href="../../posts/ruby/ruby_note.html"><strong aria-hidden="true">12.3.</strong> Ruby 
Note</a></li><li class="chapter-item "><a href="../../posts/ruby/setup_ruby_for_ctf.html"><strong aria-hidden="true">12.4.</strong> Setup ruby for CTF</a></li></ol></li><li class="chapter-item "><a href="../../posts/react/react.html"><strong aria-hidden="true">13.</strong> react</a><a class="toggle"><div></div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/react/react_life_cycle.html"><strong aria-hidden="true">13.1.</strong> react life cycle</a></li><li class="chapter-item "><a href="../../posts/react/react_router.html"><strong aria-hidden="true">13.2.</strong> react router</a></li><li class="chapter-item "><a href="../../posts/react/react_this.html"><strong aria-hidden="true">13.3.</strong> react this</a></li><li class="chapter-item "><a href="../../posts/react/react_interviw.html"><strong aria-hidden="true">13.4.</strong> react interview</a></li><li class="chapter-item "><a href="../../posts/react/important_react_interview.html"><strong aria-hidden="true">13.5.</strong> important react interview</a></li><li class="chapter-item "><a href="../../posts/react/react_quick_reference.html"><strong aria-hidden="true">13.6.</strong> react quick reference</a></li><li class="chapter-item "><a href="../../posts/react/redux_quick_reference.html"><strong aria-hidden="true">13.7.</strong> redux quick reference</a></li></ol></li><li class="chapter-item "><a href="../../posts/vue/vue.html"><strong aria-hidden="true">14.</strong> vue</a><a class="toggle"><div></div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/vue/vue_ajax.html"><strong aria-hidden="true">14.1.</strong> vue ajax</a></li></ol></li><li class="chapter-item "><a href="../../posts/angular/angular.html"><strong aria-hidden="true">15.</strong> angular</a><a class="toggle"><div></div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/angular/controller_communication.html"><strong aria-hidden="true">15.1.</strong> controller 
communication</a></li><li class="chapter-item "><a href="../../posts/angular/creating_custom_directives.html"><strong aria-hidden="true">15.2.</strong> creating custom directives</a></li><li class="chapter-item "><a href="../../posts/angular/directive_notes.html"><strong aria-hidden="true">15.3.</strong> directive notes</a></li><li class="chapter-item "><a href="../../posts/angular/directive_communication.html"><strong aria-hidden="true">15.4.</strong> directive communication</a></li><li class="chapter-item "><a href="../../posts/angular/post_params.html"><strong aria-hidden="true">15.5.</strong> post params</a></li><li class="chapter-item "><a href="../../posts/angular/read_json_angular.html"><strong aria-hidden="true">15.6.</strong> read json angular</a></li><li class="chapter-item "><a href="../../posts/angular/same_route_reload.html"><strong aria-hidden="true">15.7.</strong> same route reload</a></li></ol></li><li class="chapter-item "><a href="../../posts/css/css.html"><strong aria-hidden="true">16.</strong> css</a><a class="toggle"><div></div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/css/use_css_media.html"><strong aria-hidden="true">16.1.</strong> use css media</a></li></ol></li><li class="chapter-item "><a href="../../posts/php/php.html"><strong aria-hidden="true">17.</strong> php</a><a class="toggle"><div></div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/php/for_php_string_implment_some_extemtion_functions.html"><strong aria-hidden="true">17.1.</strong> implement some extension functions for php string</a></li><li class="chapter-item "><a href="../../posts/php/php_cheatsheet.html"><strong aria-hidden="true">17.2.</strong> PHP cheatsheet</a></li></ol></li><li class="chapter-item "><a href="../../posts/leetcode/leetcode.html"><strong aria-hidden="true">18.</strong> leetcode</a><a class="toggle"><div></div></a></li><li><ol class="section"><li class="chapter-item "><a 
href="../../posts/leetcode/rust_leetcode.html"><strong aria-hidden="true">18.1.</strong> rust leetcode</a></li><li class="chapter-item "><a href="../../posts/leetcode/rust_codewar.html"><strong aria-hidden="true">18.2.</strong> rust codewar</a></li><li class="chapter-item "><a href="../../posts/leetcode/swift_codewar.html"><strong aria-hidden="true">18.3.</strong> swift codewar</a></li><li class="chapter-item "><a href="../../posts/leetcode/js_leetcode.html"><strong aria-hidden="true">18.4.</strong> js leetcode</a></li><li class="chapter-item "><a href="../../posts/leetcode/java_leetcode.html"><strong aria-hidden="true">18.5.</strong> java leetcode</a></li><li class="chapter-item "><a href="../../posts/leetcode/rust_huawei.html"><strong aria-hidden="true">18.6.</strong> huawei test</a></li><li class="chapter-item "><a href="../../posts/leetcode/rust_utils.html"><strong aria-hidden="true">18.7.</strong> rust common functions</a></li><li class="chapter-item "><a href="../../posts/leetcode/olympiad_training.html"><strong aria-hidden="true">18.8.</strong> Computer olympiad training</a></li></ol></li><li class="chapter-item expanded "><a href="../../posts/ctf/CTF.html"><strong aria-hidden="true">19.</strong> ctf</a><a class="toggle"><div></div></a></li><li><ol class="section"><li class="chapter-item "><a href="../../posts/ctf/CTF_Note.html"><strong aria-hidden="true">19.1.</strong> CTF Note</a></li><li class="chapter-item "><a href="../../posts/ctf/0.1_Web.html"><strong aria-hidden="true">19.2.</strong> Web</a></li><li class="chapter-item expanded "><a href="../../posts/ctf/4.1_Misc.html" class="active"><strong aria-hidden="true">19.3.</strong> Misc</a></li><li class="chapter-item "><a href="../../posts/ctf/3.2_PWN_note.html"><strong aria-hidden="true">19.4.</strong> PWN</a></li><li class="chapter-item "><a href="../../posts/ctf/3.1_Crypto.html"><strong aria-hidden="true">19.5.</strong> Crypto</a></li><li class="chapter-item "><a 
href="../../posts/ctf/3.4_RSA_note.html"><strong aria-hidden="true">19.6.</strong> RSA attack</a></li><li class="chapter-item "><a href="../../posts/ctf/3.5_Base64.html"><strong aria-hidden="true">19.7.</strong> Base64</a></li><li class="chapter-item "><a href="../../posts/ctf/0.0_SQL Injection Cheatsheet.html"><strong aria-hidden="true">19.8.</strong> SQL Injection Cheatsheet</a></li><li class="chapter-item "><a href="../../posts/ctf/1.1_SQL_injection.html"><strong aria-hidden="true">19.9.</strong> SQL Injection</a></li><li class="chapter-item "><a href="../../posts/ctf/1.2_SQL_injection_UNION_attacks.html"><strong aria-hidden="true">19.10.</strong> SQL Injection UNION attacks</a></li><li class="chapter-item "><a href="../../posts/ctf/1.3_Blind SQL injection.html"><strong aria-hidden="true">19.11.</strong> Blind SQL Injection</a></li><li class="chapter-item "><a href="../../posts/ctf/1.4_Code Injection.html"><strong aria-hidden="true">19.12.</strong> Code Injection</a></li><li class="chapter-item "><a href="../../posts/ctf/1.5_SSRF.html"><strong aria-hidden="true">19.13.</strong> SSRF</a></li><li class="chapter-item "><a href="../../posts/ctf/1.6_OS command injection.html"><strong aria-hidden="true">19.14.</strong> OS command injection</a></li><li class="chapter-item "><a href="../../posts/ctf/1.7_Local file inclusion.html"><strong aria-hidden="true">19.15.</strong> Local file inclusion</a></li><li class="chapter-item "><a href="../../posts/ctf/1.8_Remote file inclusion.html"><strong aria-hidden="true">19.16.</strong> Remote file inclusion</a></li><li class="chapter-item "><a href="../../posts/ctf/1.9_CSRFm.html"><strong aria-hidden="true">19.17.</strong> CSRF</a></li><li class="chapter-item "><a href="../../posts/ctf/1.10_NoSQL injection.html"><strong aria-hidden="true">19.18.</strong> NoSQL injection</a></li><li class="chapter-item "><a href="../../posts/ctf/1.11_JSON injection.html"><strong aria-hidden="true">19.19.</strong> JSON injection</a></li><li 
class="chapter-item "><a href="../../posts/ctf/1.12_CTF_Web_SQL_Note.html"><strong aria-hidden="true">19.20.</strong> CTF Web SQL Note</a></li><li class="chapter-item "><a href="../../posts/ctf/2.1_XXE.html"><strong aria-hidden="true">19.21.</strong> XXE</a></li><li class="chapter-item "><a href="../../posts/ctf/2.2_XSS.html"><strong aria-hidden="true">19.22.</strong> XSS</a></li><li class="chapter-item "><a href="../../posts/ctf/2.3_Upload File.html"><strong aria-hidden="true">19.23.</strong> Upload File</a></li><li class="chapter-item "><a href="../../posts/ctf/2.4_serialize_unserialize.html"><strong aria-hidden="true">19.24.</strong> serialize unserialize</a></li><li class="chapter-item "><a href="../../posts/ctf/2.5_Race condition.html"><strong aria-hidden="true">19.25.</strong> Race condition</a></li><li class="chapter-item "><a href="../../posts/ctf/3.2_PWN_note.html"><strong aria-hidden="true">19.26.</strong> PWN_note</a></li><li class="chapter-item "><a href="../../posts/ctf/3.3_pwn HCTF2016 brop.html"><strong aria-hidden="true">19.27.</strong> pwn HCTF2016 brop</a></li><li class="chapter-item "><a href="../../posts/ctf/pwn_patch_defense_skill.html"><strong aria-hidden="true">19.28.</strong> PWN Patch defense skill</a></li><li class="chapter-item "><a href="../../posts/ctf/pwn_stack_overflow.html"><strong aria-hidden="true">19.29.</strong> PWN stack overflow</a></li><li class="chapter-item "><a href="../../posts/ctf/pwn_heap_overflow.html"><strong aria-hidden="true">19.30.</strong> PWN heap overflow</a></li><li class="chapter-item "><a href="../../posts/ctf/pwn_format_string_vulnerability.html"><strong aria-hidden="true">19.31.</strong> PWN Format String Vulnerability</a></li><li class="chapter-item "><a href="../../posts/ctf/kali_linux_tutorials.html"><strong aria-hidden="true">19.32.</strong> Kali linux tutorials</a></li><li class="chapter-item "><a href="../../posts/ctf/google_dorks_2023_lists.html"><strong aria-hidden="true">19.33.</strong> Google Dorks 
2023 Lists</a></li><li class="chapter-item "><a href="../../posts/ctf/dvwa_writeup.html"><strong aria-hidden="true">19.34.</strong> DVWA WriteUp</a></li><li class="chapter-item "><a href="../../posts/ctf/bwapp_writeup.html"><strong aria-hidden="true">19.35.</strong> bWAPP WriteUp</a></li><li class="chapter-item "><a href="../../posts/ctf/sqlilabs_writeup.html"><strong aria-hidden="true">19.36.</strong> sqlilabs WriteUp</a></li><li class="chapter-item "><a href="../../posts/ctf/ctf_train_at_hangzhou.html"><strong aria-hidden="true">19.37.</strong> ctf training at hangzhou</a></li><li class="chapter-item "><a href="../../posts/ctf/ctf_common_mindmap_list.html"><strong aria-hidden="true">19.38.</strong> ctf common mindmap list</a></li><li class="chapter-item "><a href="../../posts/ctf/error_based_sql_injection.html"><strong aria-hidden="true">19.39.</strong> Error Based SQL Injection</a></li><li class="chapter-item "><a href="../../posts/ctf/urlfinder_tutorial.html"><strong aria-hidden="true">19.40.</strong> URLFinder Tutorial</a></li><li class="chapter-item "><a href="../../posts/ctf/observer_ward_tutorial.html"><strong aria-hidden="true">19.41.</strong> observer_ward Tutorial</a></li><li class="chapter-item "><a href="../../posts/ctf/mysql_udf_.html"><strong aria-hidden="true">19.42.</strong> MySQL UDF privilege escalation</a></li><li class="chapter-item "><a href="../../posts/ctf/nuclei__tutorial.html"><strong aria-hidden="true">19.43.</strong> Nuclei Tutorial</a></li><li class="chapter-item "><a href="../../posts/ctf/2024_ctf_solution_thinking.html"><strong aria-hidden="true">19.44.</strong> 2024 ctf solution thinking</a></li><li class="chapter-item "><a href="../../posts/ctf/man_che_si_te_bian_ma.html"><strong aria-hidden="true">19.45.</strong> Manchester encoding</a></li></ol></li></ol>
</div>
<div id="sidebar-resize-handle" class="sidebar-resize-handle">
<div class="sidebar-resize-indicator"></div>
</div>
</nav>
<!-- Track and set sidebar scroll position -->
<script>
var sidebarScrollbox = document.querySelector('#sidebar .sidebar-scrollbox');
sidebarScrollbox.addEventListener('click', function(e) {
if (e.target.tagName === 'A') {
sessionStorage.setItem('sidebar-scroll', sidebarScrollbox.scrollTop);
}
}, { passive: true });
var sidebarScrollTop = sessionStorage.getItem('sidebar-scroll');
sessionStorage.removeItem('sidebar-scroll');
if (sidebarScrollTop) {
// preserve sidebar scroll position when navigating via links within sidebar
sidebarScrollbox.scrollTop = sidebarScrollTop;
} else {
// scroll sidebar to current active section when navigating via "next/previous chapter" buttons
var activeSection = document.querySelector('#sidebar .active');
if (activeSection) {
activeSection.scrollIntoView({ block: 'center' });
}
}
</script>
<div id="page-wrapper" class="page-wrapper">
<div class="page">
<div id="content" class="content">
<main>
<h1 id="ctf-misc"><a class="header" href="#ctf-misc">CTF-Misc</a></h1>
<ul>
<li><a href="#CTF-Misc">CTF-Misc</a></li>
<li><a href="#%E6%97%B6%E9%97%B4%E5%8F%96%E8%AF%81">Time forensics</a></li>
<li><a href="#%E6%97%B6%E9%97%B4%E6%88%B3">Timestamps</a></li>
<li><a href="#%E5%86%85%E5%AD%98%E5%8F%96%E8%AF%81">Memory forensics</a></li>
<li><a href="#iso">iso</a></li>
<li><a href="#Volatility">Volatility</a></li>
<li><a href="#%E5%B8%B8%E8%A7%81%E7%9A%84%E5%87%A0%E4%B8%AA%E8%BF%9B%E7%A8%8B">Common processes</a></li>
<li><a href="#notepad.exe">notepad.exe</a></li>
<li><a href="#TrueCrypt.exe">TrueCrypt.exe</a></li>
<li><a href="#DumpIt.exe">DumpIt.exe</a></li>
<li><a href="#mspaint.exe">mspaint.exe</a></li>
<li><a href="#cmd.exe">cmd.exe</a></li>
<li><a href="#fat">fat</a></li>
<li><a href="#%E6%8C%82%E8%BD%BD%E4%BF%AE%E5%A4%8D">Mounting and repair</a></li>
<li><a href="#vmdk">vmdk</a></li>
<li><a href="#%E7%A3%81%E7%9B%98%E5%8F%96%E8%AF%81">Disk forensics</a></li>
<li><a href="#%E7%A3%81%E7%9B%98%E5%88%86%E6%9E%90">Disk analysis</a></li>
<li><a href="#DiskGenius">DiskGenius</a></li>
<li><a href="#%E7%A3%81%E7%9B%98%E5%8A%A0%E5%AF%86%E8%A7%A3%E5%AF%86">Disk encryption and decryption</a></li>
<li><a href="#VeraCrypt">VeraCrypt</a></li>
<li><a href="#%E6%96%87%E4%BB%B6%E5%8F%96%E8%AF%81">File forensics</a></li>
<li><a href="#stegsolve">stegsolve</a></li>
<li><a href="#Notepad++">Notepad++</a></li>
<li><a href="#010editor">010editor</a></li>
<li><a href="#%E7%BC%96%E7%A0%81">Encoding</a></li>
<li><a href="#%E4%BF%AE%E6%94%B9%E9%95%BF%E5%AE%BD">Fixing width and height</a></li>
<li><a href="#%E7%B2%98%E8%B4%B4%E5%A4%8D%E5%88%B6%E4%BA%8C%E8%BF%9B%E5%88%B6">Copy/paste as binary</a></li>
<li><a href="#IDAT%E6%A0%87%E8%AF%86%E7%BC%BA%E5%A4%B1">Missing IDAT marker</a></li>
<li><a href="#%E6%B5%8B%E8%AF%95%E5%BC%82%E6%88%96">Testing for XOR</a></li>
<li><a href="#%E4%BA%8C%E7%BB%B4%E7%A0%81%E6%89%AB%E6%8F%8F">QR code scanning</a></li>
<li><a href="#QR-Research">QR-Research</a></li>
<li><a href="#%E6%B1%89%E4%BF%A1%E7%A0%81">Han Xin code</a></li>
<li><a href="#%E4%BF%AE%E8%A1%A5%E4%BA%8C%E7%BB%B4%E7%A0%81">Repairing QR codes</a></li>
<li><a href="#%E6%89%B9%E9%87%8F%E4%BA%8C%E7%BB%B4%E7%A0%81">Batch QR codes</a></li>
<li><a href="#%E5%AD%97%E8%8A%82%E8%BD%AC%E4%BA%8C%E7%BB%B4%E7%A0%81">Bytes to QR code</a></li>
<li><a href="#%E5%8E%8B%E7%BC%A9%E5%8C%85">Archives</a></li>
<li><a href="#%E5%8E%8B%E7%BC%A9%E5%8C%85%E5%88%86%E6%9E%90%E6%96%87%E4%BB%B6%E5%A4%B4">Archive header analysis</a></li>
<li><a href="#RAR">RAR</a></li>
<li><a href="#%E5%8A%A0%E5%AF%86%E7%9A%84%E5%8E%8B%E7%BC%A9%E5%8C%85zip">Encrypted zip archives</a></li>
<li><a href="#%E4%BC%AA%E5%8A%A0%E5%AF%86">Pseudo-encryption</a></li>
<li><a href="#zip%E4%BC%AA%E5%8A%A0%E5%AF%86">zip pseudo-encryption</a></li>
<li><a href="#rar%E4%BC%AA%E5%8A%A0%E5%AF%86">rar pseudo-encryption</a></li>
<li><a href="#%E5%BC%B1%E5%AF%86%E7%A0%81">Weak passwords</a></li>
<li><a href="#zip%E5%9B%BE%E7%89%87">zip + image</a></li>
<li><a href="#CRC32%E7%88%86%E7%A0%B4">CRC32 brute force</a></li>
<li><a href="#%E6%98%8E%E6%96%87%E6%94%BB%E5%87%BB">Known-plaintext attack</a></li>
<li><a href="#7z">7z</a></li>
<li><a href="#%E5%8E%8B%E7%BC%A9%E5%8C%85%E7%88%86%E7%A0%B4">Archive password brute force</a></li>
<li><a href="#%E6%8E%A9%E7%A0%81%E7%88%86%E7%A0%B4">Mask attack</a></li>
<li><a href="#%E7%94%9F%E6%97%A5%E7%88%86%E7%A0%B4">Birthday brute force</a></li>
<li><a href="#%E5%BE%AA%E7%8E%AF%E8%A7%A3%E5%8E%8B">Recursive extraction</a></li>
<li><a href="#%E9%9A%90%E5%86%99%E7%B1%BB">Steganography</a></li>
<li><a href="#base64%E9%9A%90%E5%86%99">base64 steganography</a></li>
<li><a href="#base64%E8%BD%AC%E5%9B%BE%E7%89%87">base64 to image</a></li>
<li><a href="#pyc%E6%96%87%E4%BB%B6">pyc files</a></li>
<li><a href="#pyc%E9%9A%90%E5%86%99">pyc steganography</a></li>
<li><a href="#pyc%E5%8F%8D%E7%BC%96%E8%AF%91">pyc decompilation</a></li>
<li><a href="#%E6%B0%B4%E5%8D%B0%E9%9A%90%E5%86%99">Watermark steganography</a></li>
<li><a href="#java%E7%9B%B2%E6%B0%B4%E5%8D%B0">Java blind watermark</a></li>
<li><a href="#%E7%9B%B2%E6%B0%B4%E5%8D%B0">Blind watermark</a></li>
<li><a href="#%E9%A2%91%E5%9F%9F%E7%9B%B2%E6%B0%B4%E5%8D%B0">Frequency-domain blind watermark</a></li>
<li><a href="#png%E9%9A%90%E5%86%99">png steganography</a></li>
<li><a href="#pngcheck">pngcheck</a></li>
<li><a href="#F5%E9%9A%90%E5%86%99">F5 steganography</a></li>
<li><a href="#outguess%E9%9A%90%E5%86%99">outguess steganography</a></li>
<li><a href="#LSB%E9%9A%90%E5%86%99">LSB steganography</a></li>
<li><a href="#TTL%E9%9A%90%E5%86%99">TTL steganography</a></li>
<li><a href="#%E6%97%B6%E9%97%B4%E9%9A%90%E5%86%99">Timing steganography</a></li>
<li><a href="#%E9%9B%B6%E5%AE%BD%E5%BA%A6%E5%AD%97%E8%8A%82%E9%9A%90%E5%86%99">Zero-width character steganography</a></li>
<li><a href="#BMP%E9%9A%90%E5%86%99">BMP steganography</a></li>
<li><a href="#SilentEye%E9%9A%90%E5%86%99">SilentEye steganography</a></li>
<li><a href="#%E7%BC%96%E7%A8%8B%E8%AF%AD%E8%A8%80">Programming languages</a></li>
<li><a href="#logo%E8%AF%AD%E8%A8%80%E8%A7%A3%E9%87%8A%E5%99%A8">Logo interpreter</a></li>
<li><a href="#G%E8%AF%AD%E8%A8%80%E8%A7%A3%E9%87%8A%E5%99%A8">G-code interpreter</a></li>
<li><a href="#Velato">Velato</a></li>
<li><a href="#lolcode">lolcode</a></li>
<li><a href="#emojicode%E8%AF%AD%E8%A8%80">emojicode</a></li>
<li><a href="#%E5%85%B6%E5%AE%83%E5%B8%B8%E7%94%A8%E6%93%8D%E4%BD%9C">Other common operations</a></li>
<li><a href="#Windows">Windows</a></li>
<li><a href="#%E5%8F%B3%E9%94%AE%E6%9F%A5%E7%9C%8B%E5%B1%9E%E6%80%A7">Right-click Properties</a></li>
<li><a href="#%E6%96%87%E6%9C%AC%E6%AF%94%E8%BE%83">Text comparison</a></li>
<li><a href="#Beyond_compare4">Beyond_compare4</a></li>
<li><a href="#%E5%88%86%E5%B8%A7">Frame splitting</a></li>
<li><a href="#ScreenToGif">ScreenToGif</a></li>
<li><a href="#%E6%96%87%E5%AD%97%E8%AF%86%E5%88%AB">OCR</a></li>
<li><a href="#QCR">QCR</a></li>
<li><a href="#%E5%AD%97%E8%AF%8D%E9%A2%91%E7%8E%87%E7%BB%9F%E8%AE%A1">Word frequency statistics</a></li>
<li><a href="#Ps">Ps</a></li>
<li><a href="#%E9%A2%9C%E8%89%B2%E5%8D%81%E5%85%AD%E8%BF%9B%E5%88%B6%E5%8F%B7">Colour hex codes</a></li>
<li><a href="#dnspy">dnspy</a></li>
<li><a href="#PowerRename">PowerRename</a></li>
<li><a href="#PyInstaller-%E6%8F%90%E5%8F%96%E5%99%A8">PyInstaller extractor</a></li>
<li><a href="#Linux">Linux</a></li>
<li><a href="#ELF">ELF</a></li>
<li><a href="#%E5%AD%97%E7%AC%A6%E4%B8%B2%E5%8F%8D%E8%BD%AC">String reversal</a></li>
<li><a href="#grep">grep</a></li>
<li><a href="#binwalk">binwalk</a></li>
<li><a href="#dd">dd</a></li>
<li><a href="#foremost">foremost</a></li>
<li><a href="#strings">strings</a></li>
<li><a href="#exiftool">exiftool</a></li>
<li><a href="#%E5%9B%BE%E7%89%87%E6%8B%BC%E6%8E%A5">Image stitching</a></li>
<li><a href="#zsteg">zsteg</a></li>
<li><a href="#file">file</a></li>
<li><a href="#vim">vim</a></li>
<li><a href="#%E6%96%87%E4%BB%B6%E6%A0%BC%E5%BC%8F">File formats</a></li>
<li><a href="#%E5%B8%B8%E8%A7%81%E6%96%87%E4%BB%B6%E5%A4%B4">Common file headers</a></li>
<li><a href="#%E5%85%B6%E5%AE%83%E6%96%87%E4%BB%B6">Other files</a></li>
<li><a href="#apng">apng</a></li>
<li><a href="#BGP">BGP</a></li>
<li><a href="#OGG">OGG</a></li>
<li><a href="#bmp">bmp</a></li>
<li><a href="#%E6%B5%81%E9%87%8F%E5%8F%96%E8%AF%81">Network traffic forensics</a></li>
<li><a href="#wireshark">wireshark</a></li>
<li><a href="#%E5%88%86%E7%BB%84%E5%AD%97%E8%8A%82%E6%B5%81%E6%90%9C%E7%B4%A2">Packet bytes search</a></li>
<li><a href="#%E8%BF%BD%E8%B8%AA%E6%B5%81">Follow stream</a></li>
<li><a href="#%E5%AF%BC%E5%87%BAHTTP%E5%AF%B9%E8%B1%A1">Export HTTP objects</a></li>
<li><a href="#tshark">tshark</a></li>
<li><a href="#lsass.dmp">lsass.dmp</a></li>
<li><a href="#USB%E6%B5%81%E9%87%8F">USB traffic</a></li>
<li><a href="#UsbKeyboardDataHacker">UsbKeyboardDataHacker</a></li>
<li><a href="#%E7%A7%81%E9%92%A5%E8%A7%A3%E5%AF%86">Private-key decryption</a></li>
<li><a href="#%E6%B5%81%E9%87%8F%E5%8C%85%E6%8F%90%E5%8F%96%E6%95%B0%E6%8D%AE">Extracting data from captures</a></li>
<li><a href="#%E5%A4%A7%E6%B5%81%E9%87%8F%E7%BB%9F%E8%AE%A1">Large capture statistics</a></li>
<li><a href="#%E9%9F%B3%E9%A2%91%E5%8F%96%E8%AF%81">Audio forensics</a></li>
<li><a href="#Audacity">Audacity</a></li>
<li><a href="#%E5%AF%BC%E5%85%A5%E5%8E%9F%E5%A7%8B%E6%95%B0%E6%8D%AE">Import raw data</a></li>
<li><a href="#dtmf2num">dtmf2num</a></li>
<li><a href="#%E9%9F%B3%E9%A2%91LSB%E9%9A%90%E5%86%99">Audio LSB steganography</a></li>
<li><a href="#Steghide">Steghide</a></li>
<li><a href="#steghide%E7%88%86%E7%A0%B4">steghide brute force</a></li>
<li><a href="#%E9%A2%91%E8%B0%B1%E5%9B%BE">Spectrogram</a></li>
<li><a href="#qsstv">qsstv</a></li>
<li><a href="#DeepSound">DeepSound</a></li>
<li><a href="#%E7%A3%81%E7%9B%98%E5%8F%96%E8%AF%81">Disk forensics</a></li>
<li><a href="#Ntfs%E9%9A%90%E5%86%99">NTFS steganography</a></li>
<li><a href="#DOC%E5%8F%96%E8%AF%81">DOC forensics</a></li>
<li><a href="#%E5%AF%86%E7%A0%81%E7%88%86%E7%A0%B4">Password brute force</a></li>
<li><a href="#%E9%9A%90%E8%97%8F%E6%96%87%E5%AD%97">Hidden text</a></li>
<li><a href="#%E5%AF%86%E7%A0%81%E5%8F%96%E8%AF%81">Password forensics</a></li>
<li><a href="#%E5%8F%A4%E5%85%B8%E5%AF%86%E7%A0%81%E7%B1%BB">Classical ciphers</a></li>
<li><a href="#autokey%E7%88%86%E7%A0%B4">Autokey brute force</a></li>
<li><a href="#encrypto">encrypto</a></li>
<li><a href="#ALPHUCK">ALPHUCK</a></li>
<li><a href="#toy%E5%AF%86%E7%A0%81">toy cipher</a></li>
<li><a href="#%E7%99%BB%E5%BD%95%E5%8F%96%E8%AF%81">Login forensics</a></li>
<li><a href="#Mozilla">Mozilla</a></li>
<li><a href="#VNC">VNC</a></li>
<li><a href="#%E5%AF%86%E7%A0%81%E7%88%86%E7%A0%B4">Password cracking</a></li>
<li><a href="#John">John</a></li>
<li><a href="#opharack">ophcrack</a></li>
<li><a href="#%E5%BE%85%E5%88%86%E7%B1%BB%E8%A7%A3%E5%AF%86">Uncategorised decryption</a></li>
<li><a href="#CnCrypt">CnCrypt</a></li>
<li><a href="#%E5%85%B6%E5%AE%83">Other</a></li>
<li><a href="#%E5%9F%BA%E7%AB%99%E5%AE%9A%E4%BD%8D%E6%9F%A5%E8%AF%A2">Cell-tower location lookup</a></li>
<li><a href="#IP%E5%8F%8D%E6%9F%A5%E5%9F%9F%E5%90%8D">Reverse IP to domain</a></li>
<li><a href="#%E5%9D%90%E6%A0%87%E5%8F%96%E8%AF%81">Coordinate forensics</a></li>
<li><a href="#%E6%96%87%E7%AB%A0">Articles</a></li>
<li>https://ctf-wiki.org/misc/introduction/</li>
</ul>
<h2 id="时间取证"><a class="header" href="#时间取证">Time forensics</a></h2>
<h3 id="时间戳"><a class="header" href="#时间戳">Timestamps</a></h3>
<p>Online Unix timestamp converter: https://tool.chinaz.com/tools/unixtime.aspx</p>
<h2 id="内存取证"><a class="header" href="#内存取证">Memory forensics</a></h2>
<p>The evidence is usually a raw, img, iso or dump file.
A .raw file is the memory image written by the DumpIt acquisition tool; analyse it with a memory-forensics framework such as Volatility.</p>
<h3 id="iso"><a class="header" href="#iso">ISO</a></h3>
<p>Carve embedded files out of it with foremost.</p>
<h3 id="volatility"><a class="header" href="#volatility">Volatility</a></h3>
<p>Volatility is an open-source memory-forensics framework. It locates the kernel data structures in a memory image and, through plugins, reports the detailed state of memory and of the system at the moment of capture.
<a href="https://www.cnblogs.com/p20050001/p/11892766.html">List of Volatility plugins</a></p>
<pre><code class="language-bash">git clone https://github.com/volatilityfoundation/volatility.git
# pip install pycrypto
# Official GitHub: https://github.com/volatilityfoundation
# Python 2 (Volatility 2): https://github.com/volatilityfoundation/volatility
# Python 3 (Volatility 3): https://github.com/volatilityfoundation/volatility3
</code></pre>
<p>https://mengsec.com/2018/10/20/CTF-Volatility/
Usage:</p>
<pre><code class="language-bash"># First identify the OS and the matching profile with imageinfo
python2 vol.py -f Target.vmem imageinfo
python2 vol.py -f ../memory.img imageinfo
# List processes
python2 vol.py -f ../memory.img --profile=Win2003SP1x86 pslist
# Dump the memory of one process (by PID)
python2 vol.py -f easy_dump.img --profile=Win7SP1x64 memdump -p 2952 --dump-dir=./
# Scan for file objects, here jpg files
python2 vol.py -f easy_dump.img --profile=Win7SP1x64 filescan | grep -ia .jpg
# Dump a file object by the physical offset that filescan printed
python2 vol.py -f easy_dump.img --profile=Win7SP1x64 dumpfiles -Q 0x00000000235c8770 --dump-dir=./
# Command history of cmd.exe
python2 vol.py -f ../memory.img --profile=Win2003SP1x86 cmdscan
# hashdump: local account names and LM/NT hashes from the SAM
python2 vol.py -f Target.vmem --profile=Win7SP1x64 hashdump
# lsadump: LSA secrets (for example an autologon DefaultPassword or service-account passwords)
python2 vol.py -f Target.vmem --profile=Win7SP1x64 lsadump
# Environment variables
volatility -f FILESERV-20211222-032924.raw --profile=Win2003SP2x86 envars
</code></pre>
<p>Use the mimikatz plugin to pull plaintext credentials out of LSASS:</p>
<pre><code>python2 -m pip install construct
cp mimikatz.py /volatility/plugins/
python2 vol.py -f tmp.vmem --profile=Win7SP1x64 mimikatz
</code></pre>
<p><strong>raw files</strong></p>
<pre><code class="language-bash"># Identify the image
python2 vol.py -f L-12A6C33F43D74-20161114-125252.raw imageinfo
</code></pre>
<p><img src="../../img_list/raw1.png" alt="image" /></p>
<pre><code class="language-bash"># List processes
python2 vol.py -f L-12A6C33F43D74-20161114-125252.raw --profile=WinXPSP2x86 pslist
</code></pre>
<p><img src="../../img_list/raw2.png" alt="image" />
Processes worth a look:</p>
<pre><code>explorer.exe 1416
notepad.exe 280
cmd.exe 1568
nc.exe 120
DumpIt.exe 392
</code></pre>
<pre><code class="language-bash"># To recover account passwords, extract the password hashes with the hashdump plugin
python2 vol.py hashdump -f L-12A6C33F43D74-20161114-125252.raw --profile=WinXPSP2x86
</code></pre>
<p><img src="../../img_list/raw3.png" alt="image" />
Output, in pwdump format (user:RID:LM hash:NT hash). The LM value aad3b435b51404eeaad3b435b51404ee means no LM hash is stored, and the NT value 31d6cfe0d16ae931b73c59d7e0c089c0 is the hash of an empty password:</p>
<pre><code>Administrator:500:1e27e87bd14ec8af43714428b303e3e4:1e581aafa474dfadfdf83fc31e4fd4ea:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:687255e91a0f559b6d75553dbd51f785:b6125736bdd2d5f154fdce59f52e39f1:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:fb41f8d1334fba131974c39bfab09512:::
</code></pre>
<p>Save it as hash.txt and crack the NT hashes with John:
<code>john --wordlist=/usr/share/wordlists/rockyou.txt --rules --format=NT hash.txt</code>
<img src="../../img_list/raw4.png" alt="image" /></p>
<pre><code class="language-bash"># Extract the archive: find its file object, then dump it by physical offset
python2 vol.py -f L-12A6C33F43D74-20161114-125252.raw --profile=WinXPSP2x86 filescan | grep "P@ssW0rd_is_y0ur_bir7hd4y.zip"
python2 vol.py -f L-12A6C33F43D74-20161114-125252.raw --profile=WinXPSP2x86 dumpfiles -Q 0x0000000002c61318 --dump-dir=./
</code></pre>
<p><img src="../../img_list/raw5.png" alt="image" /></p>
<h4 id="常见的几个进程"><a class="header" href="#常见的几个进程">Common processes</a></h4>
<h5 id="notepadexe"><a class="header" href="#notepadexe">notepad.exe</a></h5>
<p>notepad.exe is Notepad. An open Notepad window often holds the hint, possibly unsaved and therefore present only in the process memory.</p>
<pre><code class="language-bash"># The notepad plugin lists the text of open Notepad windows (it only supports the older XP/2003 profiles)
python2 vol.py notepad -f L-12A6C33F43D74-20161114-125252.raw --profile=WinXPSP2x86
# If it reports "This command does not support the profile Win7SP1x64", dump the notepad.exe process memory by PID instead
python2 vol.py -f easy_dump.img --profile=Win7SP1x64 memdump --dump-dir=./ -p 2952
# Then search the dump with strings. Notepad keeps its text as UTF-16LE, so ask strings for 16-bit little-endian characters (-e l)
strings -e l 2952.dmp | grep "flag{"
</code></pre>
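<p>Added example, not code from the original page: a small Python equivalent of <code>strings -e l | grep flag{</code> that scans a process dump for UTF-16LE strings, so the difference between the ASCII and the wide-character view is visible. The dump bytes are constructed inline; the file name in the main block is only an illustration.</p>

```python
import re

# Constructed stand-in for a notepad.exe memory dump: one ASCII decoy and one
# UTF-16LE string, which is how Notepad keeps the text of its edit control.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"ascii_noise flag{not_the_one}"
    + b"\x00" * 8
    + "The flag is flag{utf16_in_notepad}".encode("utf-16-le")
    + b"\xff" * 16
)

def utf16le_strings(data, min_len=6):
    """Yield (offset, text) for every run of at least min_len printable UTF-16LE
    characters, which is what `strings -e l` prints."""
    # each character is a printable ASCII byte followed by a zero high byte
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for match in pattern.finditer(data):
        yield match.start(), match.group().decode("utf-16-le")

def ascii_strings(data, min_len=6):
    """Plain `strings` for comparison: runs of printable ASCII bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for match in pattern.finditer(data):
        yield match.start(), match.group().decode("ascii")

def find_flags(data, prefix="flag{", wide=True):
    """Return the strings containing prefix, from the UTF-16LE view (wide=True) or the ASCII view."""
    scanner = utf16le_strings if wide else ascii_strings
    return [text for _, text in scanner(data) if prefix in text]

if __name__ == "__main__":
    import sys
    # e.g. 2952.dmp written by `volatility memdump` (hypothetical file name)
    with open(sys.argv[1], "rb") as f:
        for offset, text in utf16le_strings(f.read()):
            if "flag{" in text:
                print(hex(offset), text)
```

The ASCII scan sees only the decoy because every wide character is separated from the next by a zero byte; that is why the <code>-e l</code> pass is needed at all.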
<h5 id="truecryptexe"><a class="header" href="#truecryptexe">TrueCrypt.exe</a></h5>
<p>If TrueCrypt.exe is running, the other file supplied with the challenge is probably a TrueCrypt container. As long as the process has not exited, the volume's master key is still in its memory, so the process memory (or the whole image) can be handed to Elcomsoft Forensic Disk Decryptor, which finds the key and decrypts the container.
<img src="../../img_list/elcomsoft1.png" alt="image" />
<img src="../../img_list/elcomsoft2.png" alt="image" />
<img src="../../img_list/elcomsoft3.png" alt="image" />
Next, either save the decrypted image or click mount to mount the volume.
Tool: Elcomsoft Forensic Disk Decryptor (commercial).</p>
<h5 id="dumpitexe"><a class="header" href="#dumpitexe">DumpIt.exe</a></h5>
<p>DumpIt is a portable Windows memory-acquisition tool: it writes a complete image of physical memory to a file for later analysis. Seeing it in the process list only tells you how the image was taken; the process whose memory you dump should be the one that held the data of interest.</p>
<pre><code class="language-bash"># Dump the memory of one process; -p is the PID
python2 vol.py -f memory.img --profile=Win2003SP1x86 memdump -p 1992 --dump-dir=./
# In the challenge this came from, PID 1992 was explorer.exe, not DumpIt.exe; use the PID of the process you actually need
# Carve files out of the dump
foremost 1992.dmp
</code></pre>
<h5 id="mspaintexe"><a class="header" href="#mspaintexe">mspaint.exe</a></h5>
<p>mspaint.exe is Paint. The canvas sits in process memory as raw pixels, so dump the process and open the .dmp as raw image data (for example with GIMP's raw import, adjusting width and offset) to recover what was drawn.</p>
<h5 id="cmdexe"><a class="header" href="#cmdexe">cmd.exe</a></h5>
<pre><code class="language-bash"># Recover the command history of cmd.exe
python2 vol.py -f L-12A6C33F43D74-20161114-125252.raw --profile=WinXPSP2x86 cmdscan
</code></pre>
<h3 id="fat"><a class="header" href="#fat">fat</a></h3>
<p>Mount the image with VeraCrypt.
A mount password is needed; it can often be guessed. Pick any free drive letter.
A container can hold a hidden volume, so different passwords open different volumes.
<img src="../../img_list/veracrypt1.png" alt="image" />
If a file inside will not open, try WinHex -&gt; Tools -&gt; Open Disk.</p>
<h3 id="挂载修复"><a class="header" href="#挂载修复">Mounting and repair</a></h3>
<p>Mounting attaches the root directory of the file system inside a device or image file to a directory under the Linux root; accessing that directory then accesses the file system.
ext2/3/4 images have to be mounted. Mount read-only so the evidence is not modified:</p>
<pre><code class="language-bash">mount -o ro,loop attachment.img /mnt
cd /mnt
ls -al /mnt
</code></pre>
<p>Recover deleted files (run against the image itself, not the mounted directory):</p>
<pre><code class="language-bash">extundelete attachment.img --restore-all
# Output goes to RECOVERED_FILES/ in the current directory; if it looks empty, use ls -al to show dot-files
</code></pre>
<p>Unmount:</p>
<pre><code>umount /mnt
</code></pre>
<h4 id="vmdk"><a class="header" href="#vmdk">vmdk</a></h4>
<p>VMDK (VMware Virtual Machine Disk Format) is the virtual hard-disk format created by VMware; the files live on VMware's VMFS (Virtual Machine File System).
A vmdk can usually be opened with 7-Zip as if it were an archive.
7z on Linux extracts vmdk images more completely; the Windows build has trouble with some of them.</p>
<pre><code class="language-bash">7z x flag.vmdk
</code></pre>
<h3 id="磁盘取证"><a class="header" href="#磁盘取证">Disk forensics</a></h3>
<h4 id="磁盘分析"><a class="header" href="#磁盘分析">Disk analysis</a></h4>
<h5 id="diskgenius"><a class="header" href="#diskgenius">DiskGenius</a></h5>
<p>Commonly used to mount VHD files, Microsoft's virtual-disk format:
DiskGenius -&gt; Disk -&gt; Open Virtual Disk File</p>
<h4 id="磁盘加密解密"><a class="header" href="#磁盘加密解密">Disk encryption and decryption</a></h4>
<h5 id="veracrypt"><a class="header" href="#veracrypt">VeraCrypt</a></h5>
<p>Used for disk forensics and for mounting encrypted containers. A password is required, and because a container may hold a hidden volume, different passwords can open different contents.
<img src="../../img_list/verycrypt1.png" alt="image" /></p>
<h2 id="文件取证"><a class="header" href="#文件取证">File forensics</a></h2>
<h3 id="stegsolve"><a class="header" href="#stegsolve">stegsolve</a></h3>
<p>Frame Browser: steps through the frames of an animated GIF one at a time; sometimes a single frame is a QR code.</p>
<h3 id="notepad"><a class="header" href="#notepad">Notepad++</a></h3>
<p>The plugin menu (top right) can convert hex -&gt; ASCII.</p>
<h3 id="010editor"><a class="header" href="#010editor">010Editor</a></h3>
<p><strong>Importing a hex dump</strong>
File -&gt; Import Hex
Install the Templates so file formats (PNG, ZIP, ...) are parsed into named fields.</p>
<h3 id="编码"><a class="header" href="#编码">Encoding</a></h3>
<h3 id="修改长宽"><a class="header" href="#修改长宽">Fixing width and height</a></h3>
<p><strong>png</strong>
Width and height are the first two fields of the IHDR chunk: width at file offsets 16-19 and height at 20-23, both big-endian, so in a 16-bytes-per-row hex view they sit in the second row. The chunk CRC (offsets 29-32) covers the bytes "IHDR" plus the 13 data bytes, so a challenge that only shrank the height leaves a CRC that no longer matches, and a script can brute-force the height (or width) that makes the CRC match again.
<img src="../../img_list/kuangao.png" alt="image" />
<strong>jpg</strong>
Height and width live in the SOF0 segment (marker FF C0; FF C2 for progressive JPEGs): after the 2-byte segment length and the 1-byte precision come the height (2 bytes) and the width (2 bytes), big-endian. JPEG has no CRC to check against, so edit the height until the picture renders completely.</p>
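<p>Added example, not from the original page: build a minimal PNG header, break its height the way a challenge does, and recover the true height from the IHDR CRC. The image data is a constructed fixture (signature plus IHDR only); the functions work on the first 33 bytes of any real PNG.</p>

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def make_png_header(width, height, bit_depth=8, colour_type=2):
    """Fixture: signature + a valid IHDR chunk (no image data)."""
    ihdr = struct.pack(">IIBBBBB", width, height, bit_depth, colour_type, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + ihdr) & 0xFFFFFFFF
    return PNG_SIG + struct.pack(">I", 13) + b"IHDR" + ihdr + struct.pack(">I", crc)

def read_ihdr(data):
    """Return (width, height, stored_crc, crc_ok) from the IHDR that follows the signature."""
    if data[:8] != PNG_SIG or data[12:16] != b"IHDR":
        raise ValueError("not a PNG or IHDR is not the first chunk")
    width, height = struct.unpack(">II", data[16:24])
    stored = struct.unpack(">I", data[29:33])[0]
    actual = zlib.crc32(data[12:29]) & 0xFFFFFFFF     # chunk type + 13 data bytes
    return width, height, stored, stored == actual

def recover_height(data, max_height=10000):
    """Brute-force the height whose IHDR CRC equals the stored one (width assumed untouched).
    For a single 4-byte field CRC32 is injective, so the first hit is the only one."""
    width, _, stored, _ = read_ihdr(data)
    tail = data[24:29]   # bit depth, colour type, compression, filter, interlace
    for h in range(1, max_height + 1):
        chunk = b"IHDR" + struct.pack(">II", width, h) + tail
        if zlib.crc32(chunk) & 0xFFFFFFFF == stored:
            return h
    return None

def patch_height(data, height):
    """Overwrite the height field; the stored CRC is left as it is."""
    return data[:20] + struct.pack(">I", height) + data[24:]

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:            # any PNG whose height was tampered with
        png = f.read()
    print("stored height", read_ihdr(png)[1], "recovered", recover_height(png))
```

<code>pngcheck -v</code> reports the same CRC mismatch; the script adds the repair step.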
<h3 id="粘贴复制二进制"><a class="header" href="#粘贴复制二进制">Copy/paste as binary</a></h3>
<p>Edit -&gt; Paste As
Edit -&gt; Copy As</p>
<h3 id="idat标识缺失"><a class="header" href="#idat标识缺失">Missing IDAT marker</a></h3>
<p>Compare with a healthy PNG and use the PNG template to re-insert the IDAT chunk type where the chunk length and data are still intact.</p>
<h3 id="测试异或"><a class="header" href="#测试异或">Testing for XOR</a></h3>
<p>XOR the first bytes of the file with the magic bytes of the format you suspect it is. If every position gives the same value, the file was XORed with that single-byte key; a repeating pattern of values points to a longer repeating key.</p>
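<p>Added example, not from the original page: the magic-byte XOR test as code. It goes one step beyond the paragraph by also trying short repeating keys, using the fact that the XOR of the file's first bytes with the expected magic must be periodic with the key length. The magic table and sample files are constructed here.</p>

```python
KNOWN_MAGICS = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "zip": b"PK\x03\x04",
    "rar": b"Rar!\x1a\x07",
    "pdf": b"%PDF",
}

def xor_bytes(data, key):
    """XOR data with a repeating key (bytes)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def guess_xor_key(data, magics=KNOWN_MAGICS, max_key_len=4):
    """For every key length and known magic: XOR the file's first bytes with the magic and
    check that the result repeats with that period. Returns (format, key) for the shortest
    consistent key, or None. key_len == 1 is the single-byte test described in the text."""
    for key_len in range(1, max_key_len + 1):
        for name, magic in magics.items():
            if len(magic) < key_len + 1 or len(data) < len(magic):
                continue   # need at least one byte beyond the key to confirm the period
            stream = bytes(a ^ b for a, b in zip(data, magic))
            key = stream[:key_len]
            if all(stream[i] == key[i % key_len] for i in range(len(magic))):
                return name, key
    return None

def unxor_file(data):
    """Undo the XOR if a key is found; returns (format, key, plaintext) or None."""
    hit = guess_xor_key(data)
    if hit is None:
        return None
    name, key = hit
    return name, key, xor_bytes(data, key)

# Constructed samples: a PNG header XORed with a one-byte and with a two-byte key
PNG_HEAD = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"
SAMPLE_1 = xor_bytes(PNG_HEAD, b"\x5a")
SAMPLE_2 = xor_bytes(PNG_HEAD, b"\x12\x34")
```

A longer key needs more known plaintext than the magic provides; for PNG the fixed bytes <code>00 00 00 0D 49 48 44 52</code> (IHDR length and type) extend the known prefix to 16 bytes.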
<h2 id="二维码"><a class="header" href="#二维码">QR codes</a></h2>
<h3 id="qr-research"><a class="header" href="#qr-research">QR-Research</a></h3>
<h3 id="汉信码"><a class="header" href="#汉信码">Han Xin code</a></h3>
<p>Needs a phone app that supports the Chinese national standard, e.g. the "中国编码" app.</p>
<h3 id="修补二维码"><a class="header" href="#修补二维码">Repairing QR codes</a></h3>
<p>https://merricx.github.io/qrazybox/
When the modules are repaired: Tools -&gt; Extract</p>
<h3 id="批量二维码"><a class="header" href="#批量二维码">Batch QR codes</a></h3>
<p><code>微微二维码</code>
https://pc.wwei.cn/</p>
<h3 id="字节转二维码"><a class="header" href="#字节转二维码">Bytes to QR code</a></h3>
<p>If a text file contains only 1s and 0s and has 40000 characters, it is a 200x200 square:</p>
<pre><code class="language-py">from PIL import Image

SIDE = 200  # 40000 characters = 200 * 200

with open("1.txt", "r") as d:
    plain = d.read().strip()

flag = Image.new("L", (SIDE, SIDE))
i = 0
for y in range(SIDE):          # rows first: the text is laid out line by line
    for x in range(SIDE):
        # '0' becomes black, anything else white; swap the two if the result will not scan
        flag.putpixel((x, y), 0 if plain[i] == "0" else 255)
        i += 1
flag.save("qr.png")
flag.show()
</code></pre>
<h3 id="压缩包分析文件头"><a class="header" href="#压缩包分析文件头">Archive header analysis</a></h3>
<p>https://blog.csdn.net/Claming_D/article/details/105899397</p>
<h4 id="rar"><a class="header" href="#rar">RAR</a></h4>
<p><img src="../../img_list/rar1.png" alt="" /></p>
<pre><code>D5 56        HEAD_CRC (2 bytes): CRC of the header block
74           HEAD_TYPE (1 byte): block type; 0x74 is a file header
20 90        HEAD_FLAGS (2 bytes, little-endian 0x9020): 0x8000 = the block is followed by PACK_SIZE bytes of data (always set on file headers),
             0x1000 = extended time fields follow the file name (LHD_EXTTIME in unrar's headers), bits 5-7 = dictionary size (001 = 128 KB)
2D 00        HEAD_SIZE (2 bytes): total size of the header, including the file name and any comment or extended time fields;
             45 here, 5 more than the fixed fields plus the 8-byte name, which is the extended time data
10 00 00 00  PACK_SIZE (4 bytes): compressed size
10 00 00 00  UNP_SIZE (4 bytes): uncompressed size
02           HOST_OS (1 byte): OS used to create the archive; 02 is Windows
C7 88 67 36  FILE_CRC (4 bytes): CRC32 of the file contents
6D BB 4E 4B  FTIME (4 bytes): date and time in MS-DOS format
1D           UNP_VER (1 byte): minimum RAR version needed to extract
30           METHOD (1 byte): compression method; 0x30 is "store"
08 00        NAME_SIZE (2 bytes): length of the file name; 8 here (flag.txt)
20 00 00 00  ATTR (4 bytes): file attributes; 0x20 is the archive bit of an ordinary file
66 6C 61 67 2E 74 78 74  FILE_NAME: NAME_SIZE bytes, "flag.txt"
After the header come the txt contents, up to the 65 at the end of the sixth row; the next file block starts there.
The block carries two CRCs. HEAD_CRC is the low 16 bits of the CRC32 over the header bytes that follow it (HEAD_TYPE through the end of the header, HEAD_SIZE-2 bytes). FILE_CRC is the CRC32 of the file stored in the archive: on extraction the unpacker computes the CRC of the output and compares it with FILE_CRC, and a mismatch is reported as an error.
</code></pre>
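<p>Added example, not from the original page: a parser for the RAR 3.x file header laid out above, with the HEAD_CRC check. The header it parses is a fixture built here from the same field values (stored flag.txt, FTIME 4B4EBB6D, UNP_VER 1D, ATTR 0x20); the flag constants are the ones used in unrar's headers.</p>

```python
import struct
import zlib

LHD_PASSWORD = 0x0004   # file data is encrypted
LHD_LARGE = 0x0100      # 64-bit sizes: HIGH_PACK_SIZE / HIGH_UNP_SIZE follow ATTR
LHD_UNICODE = 0x0200    # name field also carries an encoded Unicode name after a NUL
LHD_EXTTIME = 0x1000    # extended time fields follow the name
LONG_BLOCK = 0x8000     # always set on file headers: PACK_SIZE bytes of data follow the header

def rar3_head_crc(after_crc):
    """HEAD_CRC is the low 16 bits of CRC32 over the header bytes that follow the CRC field."""
    return zlib.crc32(after_crc) & 0xFFFF

def parse_rar3_file_header(buf, offset=0):
    """Parse one RAR 3.x file header (HEAD_TYPE 0x74) at offset and verify its HEAD_CRC."""
    head_crc, head_type, flags, head_size = struct.unpack_from("<HBHH", buf, offset)
    if head_type != 0x74:
        raise ValueError("block at %d is not a file header (type 0x%02x)" % (offset, head_type))
    (pack_size, unp_size, host_os, file_crc, ftime,
     unp_ver, method, name_size, attr) = struct.unpack_from("<IIBIIBBHI", buf, offset + 7)
    pos = offset + 7 + 25
    if flags & LHD_LARGE:
        hi_pack, hi_unp = struct.unpack_from("<II", buf, pos)
        pack_size |= hi_pack << 32
        unp_size |= hi_unp << 32
        pos += 8
    raw_name = buf[pos:pos + name_size]
    if flags & LHD_UNICODE:
        raw_name = raw_name.split(b"\x00", 1)[0]   # keep the plain name, drop the encoded part
    return {
        "head_crc_ok": head_crc == rar3_head_crc(buf[offset + 2:offset + head_size]),
        "flags": flags,
        "encrypted": bool(flags & LHD_PASSWORD),
        "exttime": bool(flags & LHD_EXTTIME),
        "dict_bits": (flags >> 5) & 7,          # 0 = 64 KB ... 6 = 4 MB, 7 = directory
        "pack_size": pack_size,
        "unp_size": unp_size,
        "host_os": host_os,
        "file_crc": file_crc,
        "ftime": ftime,
        "unp_ver": unp_ver,
        "method": method,
        "attr": attr,
        "name": raw_name.decode("latin-1"),
        "data_offset": offset + head_size,
    }

def build_rar3_file_header(name, data, flags=LONG_BLOCK | 0x20, method=0x30):
    """Fixture: a stored file header plus its data with a correct HEAD_CRC (no EXTTIME fields)."""
    body = struct.pack("<IIBIIBBHI", len(data), len(data), 2, zlib.crc32(data) & 0xFFFFFFFF,
                       0x4B4EBB6D, 0x1D, method, len(name), 0x20) + name
    after_crc = struct.pack("<BHH", 0x74, flags, 7 + len(body)) + body
    return struct.pack("<H", rar3_head_crc(after_crc)) + after_crc + data
```

A header whose <code>head_crc_ok</code> is False has been edited by hand (for example to set or clear the password flag), which is exactly the pseudo-encryption case in the next section.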
<h3 id="加密的压缩包zip"><a class="header" href="#加密的压缩包zip">Encrypted zip archives</a></h3>
<p>Why ARCHPR refuses an archive ("this archive was created with version xxx, which ARCHPR does not support"):
1. The "version needed to extract" field is wrong; set it to 0 and retry.
<img src="../../img_list/indenityzip.png" alt="image" /></p>
<h4 id="伪加密"><a class="header" href="#伪加密">Pseudo-encryption</a></h4>
<p>Open the archive in WinHex and check the encryption bit in both the local file header flags and the central directory flags.</p>
<h3 id="zip伪加密"><a class="header" href="#zip伪加密">zip pseudo-encryption</a></h3>
<p>A zip is "pseudo-encrypted" when bit 0 of the general-purpose flag is set in the headers although the data was never encrypted; archivers then ask for a password that does not exist. Tool: ZipCenOp.jar
<code>java -jar ZipCenOp.jar r 111.zip</code> clears the flags (r = remove)</p>
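<p>Added example, not from the original page and not ZipCenOp's code: clear (or, for a fixture, set) the encryption bit in every local and central header of a zip. Rather than grepping for <code>PK\x01\x02</code>, it walks the central directory from the end-of-central-directory record, so a signature that happens to appear inside compressed data is not touched. The archive is constructed in memory.</p>

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
FLAG_ENCRYPTED = 0x0001

def zip_flag_offsets(buf):
    """Yield, per entry, the offsets of the general-purpose flag field in the central
    directory header (+8) and in the local file header (+6)."""
    eocd = buf.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    n_entries, _cd_size, cd_offset = struct.unpack_from("<HII", buf, eocd + 10)
    pos = cd_offset
    for _ in range(n_entries):
        if buf[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("central directory corrupt at %d" % pos)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", buf, pos + 28)
        local_off = struct.unpack_from("<I", buf, pos + 42)[0]
        if buf[local_off:local_off + 4] != LOCAL_SIG:
            raise ValueError("local header missing at %d" % local_off)
        yield pos + 8, local_off + 6
        pos += 46 + name_len + extra_len + comment_len

def set_encrypted_bit(data, on):
    buf = bytearray(data)
    for central_flag, local_flag in zip_flag_offsets(buf):
        for off in (central_flag, local_flag):
            buf[off] = (buf[off] | FLAG_ENCRYPTED) if on else (buf[off] & ~FLAG_ENCRYPTED)
    return bytes(buf)

def remove_fake_encryption(data):
    """What ZipCenOp's `r` does: clear bit 0 in every local and central header."""
    return set_encrypted_bit(data, False)

def fake_encrypt(data):
    """The challenge author's side: set the bit without encrypting anything."""
    return set_encrypted_bit(data, True)

def make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, content in members.items():
            z.writestr(name, content)
    return buf.getvalue()

def read_member(data, name):
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.read(name)
```

If clearing the bit yields CRC errors on extraction, the data really was encrypted and the flag was honest; go back to the brute-force and known-plaintext sections.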
<h3 id="rar伪加密"><a class="header" href="#rar伪加密">rar pseudo-encryption</a></h3>
<p><img src="../../img_list/rarweijiami.png" alt="image" />
The 24th byte (offset 0x17) is the low byte of the file header's HEAD_FLAGS: a low nibble of 4 means the password flag (0x04) is set, 0 means not encrypted. Change the nibble to 0 to undo the pseudo-encryption.</p>
<h3 id="注释"><a class="header" href="#注释">Comments</a></h3>
<p>The archive comment usually hints at how to find the password.
<img src="../../img_list/zhushi.png" alt="image" /></p>
<h4 id="弱密码"><a class="header" href="#弱密码">Weak passwords</a></h4>
<p>The challenge hints at the password or supplies a wordlist; brute-force it directly.</p>
<h4 id="zip图片"><a class="header" href="#zip图片">zip + image</a></h4>
<p>Usually a steganography task: the password is hidden in the image.</p>
<h4 id="crc32爆破"><a class="header" href="#crc32爆破">CRC32 brute force</a></h4>
<p>CRC stands for cyclic redundancy check; CRC32 produces a 32-bit (8 hex digit) check value.
CRC32 is not unique per file (it is a 32-bit checksum, so collisions exist), but it changes with any change to the data, and for contents of at most 4 bytes a given CRC32 matches exactly one input of that length. A zip stores the CRC32 and the uncompressed size of every member even when the member is encrypted, so a tiny member can be recovered without the password by enumerating every candidate of that length and comparing CRC32 values. The drawback is obvious: it <code>only works for very small contents</code>.
Rule of thumb: if the content is <code>less than 5 bytes (&lt;= 4 bytes)</code>, brute-force the CRC32.
https://mochu.blog.csdn.net/article/details/110206427
The original scripts for 1-, 2-, 3- and 4-byte contents differ only in the number of nested loops; they are folded below into one script driven by the content length, keeping the four CRC lists (in archive order) of the original. The 4-byte search over the 100 printable characters is 10^8 CRC computations and takes a while in pure Python.</p>
<pre><code class="language-py">import binascii
import itertools
import string

# CRC32 lists of the four original scripts, keyed by the content length each was written for
# (values in archive order, so the recovered pieces concatenate correctly)
CRC_LISTS = {
    1: [0xda6fd2a0, 0xf6a70, 0x70659eff, 0x862575d],
    2: [0xef347b51, 0xa8f1b31e, 0x3c053787, 0xbbe0a1b],
    3: [0x2b17958, 0xafa8f8df, 0xcc09984b, 0x242026cf],
    4: [0xc0a3a573, 0x3cb6ab1c, 0x85bb0ad4, 0xf4fde00b],
}

def crack_crc(crc_list, length, chars=string.printable):
    """Recover each length-byte member whose CRC32 is in crc_list by exhaustive search."""
    print('-------------Start Crack CRC-------------')
    comment = ''
    for crc_value in crc_list:
        for combo in itertools.product(chars, repeat=length):
            candidate = ''.join(combo)
            # Python 3 crc32 is already unsigned; the mask only matters on Python 2
            if (binascii.crc32(candidate.encode()) &amp; 0xffffffff) == crc_value:
                print('[+] {}: {}'.format(hex(crc_value), candidate))
                comment += candidate
                break  # for 4 bytes or fewer the match is unique
    print('-----------CRC Crack Completed-----------')
    print('Result: {}'.format(comment))
    return comment

if __name__ == '__main__':
    for length, crc_list in CRC_LISTS.items():
        crack_crc(crc_list, length)
</code></pre>
<p>For contents of 4-6 bytes use
https://github.com/theonlypwner/crc32</p>
<h4 id="明文攻击"><a class="header" href="#明文攻击">Known-plaintext attack</a></h4>
<p>If the encrypted archive contains a file (say flag.txt) and you already have a copy of that file with the same size, a known-plaintext attack recovers the ZipCrypto keys and with them the whole archive.
Sometimes the other members must be deleted so only the file of matching size remains.
The plaintext has to be compressed the way the target was, so use the same archiver (WinRAR for archives made by it; sometimes Bandizip is the one that reproduces the compressed bytes).
In ARCHPR: attack type "Plain-text".
It takes a while; when it finishes click OK, save the decrypted archive as a zip and extract the flag.
<img src="../../img_list/mingwengongji.png" alt="image" /></p>
<h4 id="7z"><a class="header" href="#7z">7z</a></h4>
<p>7-Zip extracts pseudo-encrypted archives directly.</p>
<h3 id="压缩包爆破"><a class="header" href="#压缩包爆破">Archive password brute force</a></h3>
<p>ARCHPR can brute-force rar as well as zip.</p>
<h4 id="掩码爆破"><a class="header" href="#掩码爆破">Mask attack</a></h4>
<p>ARCHPR supports mask attacks.
Mask: part of the password is known and the rest follows a pattern, e.g.
15????????.??
Useful when the password is a timestamp.</p>
<h4 id="生日爆破"><a class="header" href="#生日爆破">Birthday brute force</a></h4>
<p>Date range 19700000-20000000 (YYYYMMDD).</p>
<h4 id="循环解压"><a class="header" href="#循环解压">Recursive extraction</a></h4>
<pre><code class="language-bash"># Keep extracting while any .tar.xz remains; each archive is removed once it has been unpacked
while [ "`find . -type f -name '*.tar.xz' | wc -l`" -gt 0 ]; do
    find . -type f -name '*.tar.xz' -exec tar xf '{}' \; -exec rm -- '{}' \;
done
</code></pre>
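<p>Added example, not from the original page: the same loop in Python, generalised to zip and to gzip/bzip2/xz-compressed tars mixed in any order, with a zip-slip check before every extraction (a nested archive in a challenge is untrusted input). The nested fixture is built in a temporary directory.</p>

```python
import io
import os
import shutil
import tarfile
import tempfile
import zipfile

def _safe_paths(names, dest):
    """Refuse members that would land outside dest (zip-slip / tar path traversal)."""
    root = os.path.realpath(dest)
    for name in names:
        target = os.path.realpath(os.path.join(dest, name))
        if target != root and not target.startswith(root + os.sep):
            raise ValueError("unsafe member path: %r" % name)

def extract_one(path, dest):
    """Extract a zip or a (gz/bz2/xz-compressed) tar into dest; return False if path is neither."""
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as z:
            _safe_paths(z.namelist(), dest)
            z.extractall(dest)
        return True
    if tarfile.is_tarfile(path):
        with tarfile.open(path) as t:
            _safe_paths([m.name for m in t.getmembers()], dest)
            if hasattr(tarfile, "data_filter"):      # Python 3.12+ (and backports): also refuses links/devices
                t.extractall(dest, filter="data")
            else:
                t.extractall(dest)
        return True
    return False

def unpack_recursively(root, max_rounds=100):
    """Repeat until no archive is left; each archive is deleted after it is unpacked beside itself."""
    for _ in range(max_rounds):
        extracted_any = False
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                if extract_one(path, dirpath):
                    os.remove(path)
                    extracted_any = True
        if not extracted_any:
            break
    return sorted(os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs)

def build_fixture(workdir, flag=b"flag{nested_archives}"):
    """Constructed test data: flag.txt -> layer2.tar.gz -> layer1.zip -> layer0.tar.gz"""
    layer2 = os.path.join(workdir, "layer2.tar.gz")
    with tarfile.open(layer2, "w:gz") as t:
        info = tarfile.TarInfo("flag.txt")
        info.size = len(flag)
        t.addfile(info, io.BytesIO(flag))
    layer1 = os.path.join(workdir, "layer1.zip")
    with zipfile.ZipFile(layer1, "w") as z:
        z.write(layer2, "layer2.tar.gz")
    os.remove(layer2)
    layer0 = os.path.join(workdir, "layer0.tar.gz")
    with tarfile.open(layer0, "w:gz") as t:
        t.add(layer1, arcname="layer1.zip")
    os.remove(layer1)

def demo():
    work = tempfile.mkdtemp()
    try:
        build_fixture(work)
        files = unpack_recursively(work)
        with open(files[0], "rb") as f:
            return os.path.basename(files[0]), f.read()
    finally:
        shutil.rmtree(work)

if __name__ == "__main__":
    print(demo())
```

<code>max_rounds</code> is the guard the shell loop lacks: an archive that contains a copy of itself would otherwise never terminate.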
<h3 id="隐写类"><a class="header" href="#隐写类">Steganography</a></h3>
<h4 id="base64隐写"><a class="header" href="#base64隐写">base64 steganography</a></h4>
<p>When a base64 string ends in padding, the last data character carries 2 bits (one "=") or 4 bits (two "=") that a decoder ignores. A standard encoder always leaves them zero, so non-zero values there are the hidden message: collect those bits from every padded line and regroup them into bytes with a Python script.</p>
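<p>Added example, not from the original page: the base64 padding-bit steganography in both directions, plus the check that tells a carrier from an ordinary base64 dump. The cover lines are constructed so that four of them carry two padding characters.</p>

```python
import base64

B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def hidden_bit_count(enc):
    """Bits a decoder ignores in this line: 2 per '=' of padding, 0 without padding."""
    return 2 * enc.rstrip().count("=")

def padding_bits(enc):
    """The ignored bits of one line as a '0'/'1' string ('' if the line has no padding)."""
    enc = enc.strip()
    n = hidden_bit_count(enc)
    if not n:
        return ""
    value = B64_ALPHABET.index(enc[len(enc) - n // 2 - 1])   # last data character
    return format(value & ((1 << n) - 1), "0%db" % n)

def hide_in_base64(cover_lines, secret):
    """Embed secret (bytes) in the padding bits of the base64 encoding of cover_lines."""
    bits = "".join(format(b, "08b") for b in secret)
    out = []
    for line in cover_lines:
        enc = base64.b64encode(line.encode()).decode()
        n = hidden_bit_count(enc)
        if n and bits:
            chunk, bits = bits[:n].ljust(n, "0"), bits[n:]
            last = len(enc) - n // 2 - 1
            value = B64_ALPHABET.index(enc[last])
            value = (value & ~((1 << n) - 1)) | int(chunk, 2)   # replace the low n bits
            enc = enc[:last] + B64_ALPHABET[value] + enc[last + 1:]
        out.append(enc)
    if bits:
        raise ValueError("cover too short: %d bits left over" % len(bits))
    return out

def extract_from_base64(lines):
    """Gather the padding bits of every line, regroup to bytes, drop trailing NULs
    (lines whose padding bits really were zero contribute zero bits)."""
    bits = "".join(padding_bits(l) for l in lines)
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8)).rstrip(b"\x00")

def is_suspicious(lines):
    """A standard encoder never sets padding bits, so a single '1' there is the tell."""
    return any("1" in padding_bits(l) for l in lines)

# Constructed cover: lengths 1, 4, 7 and 10 (mod 3 == 1) give "==" and 4 hidden bits each
COVER = ["a", "abc", "abcd", "abcdefg", "1234567890"]
```

The modified lines still decode to the original cover text, which is why the technique survives a casual <code>base64 -d</code>.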
<h5 id="base64转图片"><a class="header" href="#base64转图片">base64 to image</a></h5>
<p>https://the-x.cn/base64 then "save as" in the lower right corner</p>
<h4 id="pyc文件"><a class="header" href="#pyc文件">pyc files</a></h4>
<h5 id="pyc隐写"><a class="header" href="#pyc隐写">pyc steganography</a></h5>
<p>https://github.com/AngelKitty/stegosaurus
https://zhuanlan.zhihu.com/p/51226097
Stegosaurus is a steganography tool that embeds an arbitrary payload in Python bytecode files (pyc or pyo). Because the encoding density is low, embedding the payload changes neither the behaviour of the code nor the size of the file. The payload is scattered through the bytecode, so tools such as strings do not find it. Python's dis module shows the bytecode of the source file, which is what Stegosaurus embeds the payload into.
python -m stegosaurus aaa.py -s --payload "test{123}"
./stegosaurus -x O_O.pyc
Simplest is to run the prebuilt binary from the GitHub releases page under Kali.
<img src="../../img_list/stegosaurus.png" alt="image" /></p>
<h5 id="pyc反编译"><a class="header" href="#pyc反编译">pyc decompilation</a></h5>
<p>https://tool.lu/pyc/</p>
<h4 id="水印隐写"><a class="header" href="#水印隐写">Watermark steganography</a></h4>
<h5 id="java盲水印"><a class="header" href="#java盲水印">Java blind watermark</a></h5>
<p>https://github.com/ww23/BlindWatermark
Needs only the watermarked image:
<code>java -jar BlindWatermark.jar decode -c bingbing.jpg decode.jpg</code></p>
<h5 id="盲水印"><a class="header" href="#盲水印">Blind watermark</a></h5>
<p>https://github.com/chishaxie/BlindWaterMark</p>
<pre><code class="language-py">pip install -r requirements.txt
# the versions pinned in requirements.txt are problematic; change them to versions that install
# embed a watermark
python bwm.py encode hui.png wm.png hui_with_wm.png
# extract the watermark (needs the original image)
python bwm.py decode hui.png hui_with_wm.png wm_from_hui.png
</code></pre>
<h5 id="频域盲水印"><a class="header" href="#频域盲水印">Frequency-domain blind watermark</a></h5>
<p>https://github.com/linyacool/blind-watermark
Decoder, to be run under Python 2: the encoder scattered the watermark with random.shuffle seeded by height + width, and Python 3's shuffle draws differently from Python 2's for the same seed, so the permutation can only be reproduced with the interpreter the encoder used.</p>
<pre><code class="language-py">import cv2
import numpy as np
import random
import os
from argparse import ArgumentParser

ALPHA = 5

def build_parser():
    parser = ArgumentParser()
    parser.add_argument('--original', dest='ori', required=True)
    parser.add_argument('--image', dest='img', required=True)
    parser.add_argument('--result', dest='res', required=True)
    parser.add_argument('--alpha', dest='alpha', default=ALPHA, type=float)
    return parser

def main():
    parser = build_parser()
    options = parser.parse_args()
    ori = options.ori
    img = options.img
    res = options.res
    alpha = options.alpha
    if not os.path.isfile(ori):
        parser.error("original image %s does not exist." % ori)
    if not os.path.isfile(img):
        parser.error("image %s does not exist." % img)
    decode(ori, img, res, alpha)

def decode(ori_path, img_path, res_path, alpha):
    ori = cv2.imread(ori_path)
    img = cv2.imread(img_path)
    ori_f = np.fft.fft2(ori)
    img_f = np.fft.fft2(img)
    height, width = ori.shape[0], ori.shape[1]
    # the encoder blended alpha * watermark into the spectrum; take the difference and scale it back
    watermark = (ori_f - img_f) / alpha
    watermark = np.real(watermark)
    res = np.zeros(watermark.shape)
    # undo the encoder's pixel shuffle: same seed, same interpreter
    random.seed(height + width)
    x = range(height / 2)
    y = range(width)
    random.shuffle(x)
    random.shuffle(y)
    for i in range(height / 2):
        for j in range(width):
            res[x[i]][y[j]] = watermark[i][j]
    cv2.imwrite(res_path, res, [int(cv2.IMWRITE_JPEG_QUALITY), 100])

if __name__ == '__main__':
    main()
</code></pre>
<pre><code class="language-py"># if cv2 fails to import, install this build
pip install opencv-python==4.2.0.32 -i http://mirrors.aliyun.com/pypi/simple --trusted-host mirrors.aliyun.com
# decode
python2 pinyubwm.py --original huyao.png --image stillhuyao.png --result out.png
</code></pre>
<h4 id="png隐写"><a class="header" href="#png隐写">png steganography</a></h4>
<h4 id="pngcheck"><a class="header" href="#pngcheck">pngcheck</a></h4>
<pre><code class="language-bash">pngcheck -v hint.png
</code></pre>
<p>Verifies every chunk and its CRC; the usual way to spot a PNG with a missing or corrupt chunk, or with data appended after IEND.</p>
<h4 id="f5隐写"><a class="header" href="#f5隐写">F5 steganography</a></h4>
<p>F5 steganography (JPEG)</p>
<pre><code class="language-bash">git clone https://github.com/matthewgao/F5-steganography
java Extract file.jpg
java Extract file.jpg -p password -e output_file
</code></pre>
<h4 id="outguess隐写"><a class="header" href="#outguess隐写">outguess steganography</a></h4>
<pre><code class="language-bash">git clone https://github.com/crorvick/outguess
cd outguess
./configure &amp;&amp; make &amp;&amp; make install
# embed
outguess -k "my secret key" -d hidden.txt demo.jpg out.jpg
# extract
outguess -k "my secret key" -r out.jpg hidden.txt
</code></pre>
<h4 id="lsb隐写"><a class="header" href="#lsb隐写">LSB steganography</a></h4>
<p>Usual tell: the bit-plane views in stegsolve show structure in plane 0.</p>
<ol>
<li>Stegsolve</li>
</ol>
<ul>
<li>Analyse -&gt; Data Extract: select bit plane 0 of red, green and blue (try each combination) and Save Bin.
https://github.com/livz/cloacked-pixel (LSB with an AES-encrypted payload, so the password is needed)
python2 lsb.py extract 1.png 1.txt 123456</li>
</ul>
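<p>Added example, not from the original page and not cloacked-pixel's code: plain LSB embedding and extraction in the order stegsolve's Data Extract uses for planes R0 G0 B0 (row-major, red then green then blue). The functions take a list of (r, g, b) tuples so the example runs without an image library; the cover is constructed pseudo-random noise, and the Pillow call in the comment is how to feed a real file in.</p>

```python
import random

def embed_lsb(pixels, payload):
    """Return a copy of pixels with the payload bits, MSB first, written into the LSB of
    R, G then B of each pixel in row-major order."""
    bits = "".join(format(b, "08b") for b in payload)
    if len(bits) > 3 * len(pixels):
        raise ValueError("payload does not fit: need %d bits, have %d" % (len(bits), 3 * len(pixels)))
    out = []
    i = 0
    for pixel in pixels:
        channels = list(pixel)
        for c in range(3):
            if i < len(bits):
                channels[c] = (channels[c] & ~1) | int(bits[i])
                i += 1
        out.append(tuple(channels))
    return out

def extract_lsb(pixels, n_bytes):
    """Read n_bytes back from the LSBs in the same order (stegsolve: Data Extract, R0 G0 B0)."""
    bits = []
    for pixel in pixels:
        for c in pixel[:3]:
            bits.append(str(c & 1))
            if len(bits) == n_bytes * 8:
                return bytes(int("".join(bits[k:k + 8]), 2) for k in range(0, len(bits), 8))
    raise ValueError("image too small for %d bytes" % n_bytes)

def extract_lsb_text(pixels, max_bytes=4096):
    """Pull LSB bytes up to the first NUL, for NUL-terminated text payloads."""
    raw = extract_lsb(pixels, min(max_bytes, 3 * len(pixels) // 8))
    return raw.split(b"\x00", 1)[0]

# Constructed cover: 32x32 pseudo-random RGB noise (fixed seed, so the test is reproducible)
_rng = random.Random(1)
COVER = [(_rng.randrange(256), _rng.randrange(256), _rng.randrange(256)) for _ in range(32 * 32)]

def demo():
    payload = b"flag{lsb_rgb_plane0}\x00"
    stego = embed_lsb(COVER, payload)
    # the cover is visually unchanged: no channel moved by more than 1
    assert all(abs(a - b) <= 1 for p, q in zip(COVER, stego) for a, b in zip(p, q))
    return extract_lsb_text(stego)

if __name__ == "__main__":
    # with Pillow: pixels = list(Image.open("1.png").convert("RGB").getdata())
    print(demo())
```

When stegsolve's output is garbage, the order is usually wrong: try LSB first vs MSB first, column-major instead of row-major, and a single channel instead of all three.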
<h4 id="ttl隐写"><a class="header" href="#ttl隐写">TTL steganography</a></h4>
<p>https://www.cnblogs.com/yunqian2017/p/14671031.html
Four TTL values are used: 00 111111 = 63, 01 111111 = 127, 10 111111 = 191, 11 111111 = 255. To decode, keep only the top two bits of each TTL, concatenate them and convert every 8 bits to an ASCII character.</p>
<pre><code>Each router an IP packet passes through decrements its TTL by 1; when the TTL reaches 0 the packet is discarded.
The TTL field is 8 bits (0-255), but most packets need far fewer hops than 255, so the top two bits can carry hidden data without the packet being dropped.
To send the character H: convert it to binary, split it into 2-bit groups, put each group in the two high bits of the TTL and set the remaining six bits to 1 (xx111111). Four IP packets carry one byte.
</code></pre>
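<p>Added example, not from the original page: encoder, decoder and a quick detector for the TTL channel described above, fed from the one-value-per-line output of <code>tshark -r x.pcap -T fields -e ip.ttl</code>. The sample tshark output is constructed for the character H.</p>

```python
TTL_ALPHABET = {0x3F: "00", 0x7F: "01", 0xBF: "10", 0xFF: "11"}

def ttl_encode(message):
    """Sender side: 2 payload bits in the top of each TTL, low 6 bits set (xx111111)."""
    ttls = []
    for byte in message:
        for shift in (6, 4, 2, 0):
            ttls.append((((byte >> shift) & 0b11) << 6) | 0x3F)
    return ttls

def ttl_decode(ttls):
    """Receiver side: keep the top two bits of every TTL and regroup them into bytes."""
    bits = "".join(format(t >> 6, "02b") for t in ttls)
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))

def looks_like_ttl_channel(ttls):
    """A normal host sends one fixed TTL (64/128/255 minus the hop count); a stream that only
    ever uses 63/127/191/255 and jumps between them is the tell."""
    return len(ttls) >= 4 and all(t in TTL_ALPHABET for t in ttls) and len(set(ttls)) > 1

def parse_ttl_field_output(text):
    """Parse one integer per line, as printed by: tshark -r x.pcap -T fields -e ip.ttl"""
    return [int(line) for line in text.splitlines() if line.strip().isdigit()]

# Constructed tshark output for 'H' (0x48 = 01 00 10 00)
SAMPLE_TSHARK = "127\n63\n191\n63\n"
```

Filter the capture to one source first (<code>-Y "ip.src == ..."</code>); mixing two hosts' packets scrambles the bit order.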
<h4 id="时间隐写"><a class="header" href="#时间隐写">Timing steganography</a></h4>
<p>Example: given flag.gif, look at the delay of each frame.
Use ImageMagick's <code>identify</code>:
<code>identify -format "%T\n" flag.gif</code>
prints one delay per frame (in 1/100 s). The sequence of delays is the message; typically two distinct values are used as 0 and 1.</p>
<h4 id="零宽度字节隐写"><a class="header" href="#零宽度字节隐写">Zero-width character steganography</a></h4>
<p>Opening the file in vim shows many &lt;200b&gt; (U+200B ZERO WIDTH SPACE) and similar invisible code points.
http://330k.github.io/misc_tools/unicode_steganography.html
https://yuanfux.github.io/zero-width-web/
<img src="../../img_list/zero1.png" alt="image" />
<img src="../../img_list/zero2.png" alt="image" /></p>
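<p>Added example, not from the original page and not the code of either site linked above: first the check that matches what vim shows (which zero-width code points are present and how many), then encoding and decoding under one assumed scheme (U+200B for 0, U+200C for 1, inserted after the first visible character). Online tools use different mappings, so if this decoder yields junk, swap the two code points or try U+200D/U+2060 as the bit symbols.</p>

```python
ZERO_WIDTH = {
    "\u200b": "ZERO WIDTH SPACE",
    "\u200c": "ZERO WIDTH NON-JOINER",
    "\u200d": "ZERO WIDTH JOINER",
    "\u2060": "WORD JOINER",
    "\ufeff": "ZERO WIDTH NO-BREAK SPACE",
}

def find_zero_width(text):
    """Count each zero-width code point present: the equivalent of spotting <200b> in vim."""
    counts = {}
    for ch in text:
        if ch in ZERO_WIDTH:
            counts[ch] = counts.get(ch, 0) + 1
    return counts

def strip_zero_width(text):
    """The visible cover text."""
    return "".join(ch for ch in text if ch not in ZERO_WIDTH)

def zw_encode(cover, secret, zero="\u200b", one="\u200c"):
    """Assumed scheme: one zero-width character per bit, hidden after the first cover character."""
    bits = "".join(format(b, "08b") for b in secret.encode("utf-8"))
    hidden = "".join(one if bit == "1" else zero for bit in bits)
    return cover[:1] + hidden + cover[1:]

def zw_decode(text, zero="\u200b", one="\u200c"):
    """Read the bit symbols back in order, ignoring every other character."""
    bits = "".join("1" if ch == one else "0" for ch in text if ch in (zero, one))
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8)).decode("utf-8", "replace")

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], encoding="utf-8").read()
    print({ZERO_WIDTH[k]: v for k, v in find_zero_width(data).items()})
    print(zw_decode(data))
```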
<h4 id="bmp隐写"><a class="header" href="#bmp隐写">BMP steganography</a></h4>
<p>wbStego4.3open embeds and extracts data
<img src="../../img_list/wbstego4.png" alt="image" />
Save the extracted data as txt</p>
<h4 id="silenteye隐写"><a class="header" href="#silenteye隐写">SilentEye steganography</a></h4>
<p>SilentEye is a free, cross-platform steganography application that hides data in images (and in audio files) and can encrypt it before embedding.
https://sourceforge.net/projects/silenteye/</p>
<h3 id="编程语言"><a class="header" href="#编程语言">Programming languages</a></h3>
<h4 id="logo语言解释器"><a class="header" href="#logo语言解释器">Logo interpreter</a></h4>
<pre><code>cs pu lt 90 fd 500 rt 90 pd fd 100 rt 90 repeat 18[fd 5 rt 10]
</code></pre>
<p>Turtle-graphics commands like these are Logo; run them at https://www.calormen.com/jslogo/</p>
<h4 id="g语言解释器"><a class="header" href="#g语言解释器">G-code interpreter</a></h4>
<p>https://ncviewer.com/</p>
<h4 id="velato"><a class="header" href="#velato">Velato</a></h4>
<p>http://velato.net/
Velato is a programming language created by Daniel Temkin in 2009 that uses MIDI files as source code: the pattern of notes determines the commands.
The file starts with MThd (the MIDI header).
Vlt.exe decode_it
produces decode_it.exe;
run it from cmd to get the result.</p>
<h4 id="lolcode"><a class="header" href="#lolcode">lolcode</a></h4>
<p>https://www.dcode.fr/lolcode-language
<img src="../../img_list/lolcode.png" alt="image" /></p>
<h4 id="emojicode语言"><a class="header" href="#emojicode语言">emojicode</a></h4>
<p>https://www.emojicode.org/
On Kali:
<code>emojicodec math.emojic</code></p>
<ul>
<li>Reference: https://mp.weixin.qq.com/s/YjX8TBcyfFhD18kMNM3UcA</li>
</ul>
<h3 id="其它常用操作"><a class="header" href="#其它常用操作">其它常用操作</a></h3>
<h4 id="windows"><a class="header" href="#windows">Windows</a></h4>
<h5 id="右键查看属性"><a class="header" href="#右键查看属性">右键查看属性</a></h5>
<p>右键查看属性-详情信息-备注</p>
<h4 id="文本比较"><a class="header" href="#文本比较">文本比较</a></h4>
<h5 id="beyond_compare4"><a class="header" href="#beyond_compare4">Beyond_compare4</a></h5>
<h5 id="分帧"><a class="header" href="#分帧">分帧</a></h5>
<h6 id="screentogif"><a class="header" href="#screentogif">ScreenToGif</a></h6>
<p>gif分帧工具
打开编辑器拖进图片即可</p>
<h4 id="文字识别"><a class="header" href="#文字识别">Text recognition</a></h4>
<h5 id="qcr"><a class="header" href="#qcr">OCR</a></h5>
<p>https://www.onlineocr.net/zh_hant/
After recognition, many easily mis-recognised characters have to be corrected by hand</p>
<h4 id="字词频率统计"><a class="header" href="#字词频率统计">Word and character frequency statistics</a></h4>
<p>Online site: http://www.aihanyu.org/cncorpus/CpsTongji.aspx
<img src="../../img_list/zicitongji.png" alt="image" /></p>
<h4 id="ps"><a class="header" href="#ps">Photoshop</a></h4>
<h5 id="颜色十六进制号"><a class="header" href="#颜色十六进制号">Colour hex codes</a></h5>
<p>Click the colours in the image with Photoshop's colour sampler tool
<img src="../../img_list/yanse1.png" alt="image" />
Convert the last two hex digits of each colour to ASCII</p>
<h4 id="dnspy"><a class="header" href="#dnspy">dnSpy</a></h4>
<p>dnSpy decompiler
Drag the DLL in, right-click -&gt; Edit Class; it can be modified and recompiled</p>
<h4 id="powerrename"><a class="header" href="#powerrename">PowerRename</a></h4>
<p>A batch-renaming tool from Microsoft for Windows
<img src="../../img_list/powername.png" alt="image" /></p>
<h4 id="pyinstaller-提取器"><a class="header" href="#pyinstaller-提取器">PyInstaller extractor</a></h4>
<p>https://github.com/extremecoders-re/pyinstxtractor
PyInstaller Extractor is a Python script that extracts the contents of a Windows executable built with PyInstaller. The contents of the pyz file inside the executable (usually pyc files) are extracted as well.</p>
<h4 id="linux"><a class="header" href="#linux">Linux</a></h4>
<h5 id="elf"><a class="header" href="#elf">ELF</a></h5>
<p>Just run it with ./</p>
<h5 id="字符串反转"><a class="header" href="#字符串反转">String reversal</a></h5>
<pre><code class="language-bash">cat 1 | rev
</code></pre>
<h5 id="grep"><a class="header" href="#grep">grep</a></h5>
<p>On Linux, use grep -r &lt;keyword&gt; to quickly find the files under a directory that contain the keyword</p>
<pre><code class="language-bash">grep -r 'CTF' ./output
grep -rn 'flag{' ./*
grep -rn 'key' ./*
grep -rn 'password' ./*
grep -rn 'ctf' ./*
</code></pre>
<h5 id="binwalk"><a class="header" href="#binwalk">binwalk</a></h5>
<p>kali</p>
<pre><code class="language-bash">binwalk xxx
binwalk -e xxx
</code></pre>
<p>The zlib files that binwalk carves out often hide information.
2AE96 and 2AE96.zlib: 2AE96.zlib is the compressed zlib block, 2AE96 is the decompressed zlib block.</p>
<pre><code>XML document, version: "1.0"
</code></pre>
<p>This output indicates a ppt or docx file</p>
<h5 id="dd"><a class="header" href="#dd">dd</a></h5>
<p>Carve out data starting at a given byte offset</p>
<pre><code class="language-bash">dd if=attachment.jpg of=test.zip skip=21639 bs=1
</code></pre>
<h5 id="foremost"><a class="header" href="#foremost">foremost</a></h5>
<p>Use foremost on kali</p>
<h5 id="strings"><a class="header" href="#strings">strings</a></h5>
<p>Print the printable strings in a file
<code>strings 4.png</code></p>
<h5 id="exiftool"><a class="header" href="#exiftool">exiftool</a></h5>
<p>Similar to right-click -&gt; Properties, but an upgraded version
Used for reading, writing and processing image metadata
<code>exiftool attachment.jpg</code>
kali:
<code>exiftool * | grep flag</code>
<code>strings 4.png</code> on kali also works</p>
<h5 id="图片拼接"><a class="header" href="#图片拼接">Image stitching</a></h5>
<p>kali</p>
<pre><code class="language-bash">montage -tile 10x12 -geometry 200x100+0+0 *jpg flag.jpg
gaps --image=flag.jpg --generations=40 --population=120 --size=100
</code></pre>
<p>Environment setup:</p>
<pre><code>apt-get install graphicsmagick-imagemagick-compat
git clone https://github.com/nemanja-m/gaps.git
cd gaps
python3 setup.py install
pip3 install -r requirements.txt
</code></pre>
<h5 id="zsteg"><a class="header" href="#zsteg">zsteg</a></h5>
<p>zsteg can detect hidden data in PNG and BMP images.</p>
<pre><code class="language-bash">git clone https://github.com/zed-0xff/zsteg
cd zsteg/
gem install zsteg
# show LSB information
zsteg pcat.png
# show everything in all channels
zsteg -a 1.png
# DOS sector data was found; extract it with -e
zsteg -e "b8,rgb,lsb,xy" att.png &gt; diskimage.dat
# recover files from the image with testdisk
testdisk diskimage.dat
</code></pre>
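<p>As an added example (not code from the original page or from zsteg), the following Python shows what a channel spec such as <code>b1,rgb,lsb,xy</code> denotes by embedding and extracting bytes from a constructed in-memory image. It assumes the reading of the spec given in the comments; the plane order within a channel for more than one bit is this example's own convention rather than zsteg's.</p>

```python
# Added example (not part of the original page or of zsteg): what a channel
# spec such as "b1,rgb,lsb,xy" denotes, on a constructed in-memory image.
# pixels[y][x] is an (r, g, b) tuple. Assumed reading of the spec: b<N> = the
# N lowest bit planes of each listed channel, lsb/msb = whether the first bit
# read becomes the least or most significant bit of each output byte, xy/yx =
# row-major or column-major pixel order. The plane order within a channel for
# N > 1 is this example's own convention.
def parse_spec(spec):
    bits, chans, order, scan = spec.split(",")
    return int(bits[1:]), ["rgb".index(c) for c in chans], order, scan

def bit_positions(width, height, spec):
    """Yield (x, y, channel, plane) in the order the spec walks the image."""
    nbits, chans, _, scan = parse_spec(spec)
    if scan == "xy":
        coords = [(x, y) for y in range(height) for x in range(width)]
    else:
        coords = [(x, y) for x in range(width) for y in range(height)]
    for x, y in coords:
        for c in chans:
            for k in range(nbits):
                yield x, y, c, k

def extract(pixels, width, height, spec, nbytes):
    """Read nbytes of hidden data the way `zsteg -e spec` would."""
    order = parse_spec(spec)[2]
    bits = []
    for x, y, c, k in bit_positions(width, height, spec):
        bits.append((pixels[y][x][c] >> k) & 1)
        if len(bits) == nbytes * 8:
            break
    out = bytearray()
    for i in range(0, len(bits), 8):
        chunk = bits[i:i + 8]
        if order == "lsb":          # first bit read is the least significant
            chunk = chunk[::-1]
        out.append(int("".join(map(str, chunk)), 2))
    return bytes(out)

def embed(pixels, width, height, spec, payload):
    """Hide payload in the same bit positions; returns a new pixel grid."""
    nbits, chans, order, _ = parse_spec(spec)
    if len(payload) * 8 > width * height * len(chans) * nbits:
        raise ValueError("payload does not fit in the selected bit planes")
    bit_idx = range(7, -1, -1) if order == "msb" else range(8)
    bits = [(b >> i) & 1 for b in payload for i in bit_idx]
    img = [[list(p) for p in row] for row in pixels]
    for bit, (x, y, c, k) in zip(bits, bit_positions(width, height, spec)):
        img[y][x][c] = (img[y][x][c] & ~(1 << k)) | (bit << k)
    return [[tuple(p) for p in row] for row in img]

# Constructed 8x4 cover image: deterministic "noise", one (r, g, b) per pixel
W, H = 8, 4
COVER = [[((x * 31 + y * 7) & 255, (x * 13 + y * 29) & 255, (x * 3 + y * 17) & 255)
          for x in range(W)] for y in range(H)]

if __name__ == "__main__":
    stego = embed(COVER, W, H, "b1,rgb,lsb,xy", b"flag{lsb}")
    print(extract(stego, W, H, "b1,rgb,lsb,xy", 9))   # b'flag{lsb}'
    print(extract(stego, W, H, "b1,rgb,msb,xy", 9))   # same bits, wrong packing
```

Reading the same bits with the wrong packing order (the second print) yields garbage, which is why zsteg reports both lsb and msb variants for each channel set.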
<h5 id="file"><a class="header" href="#file">file</a></h5>
<pre><code class="language-bash">file xxx
</code></pre>
<p>Shows detailed information about a file
<img src="../../img_list/file1.png" alt="image" />
</p>
<pre><code>Linux rev 1.0 ext3 filesystem data, UUID=f2b1e8fa-29a6-454b-b6df-6182044790bc (needs journal recovery) (large files)
</code></pre>
<p>This tells us it is an ext3 filesystem image, which needs to be mounted</p>
<h5 id="vim"><a class="header" href="#vim">vim</a></h5>
<pre><code class="language-bash"># recover from a swap file
vim -r .swp
</code></pre>
<h3 id="文件格式"><a class="header" href="#文件格式">File formats</a></h3>
<h4 id="常见文件头"><a class="header" href="#常见文件头">Common file headers</a></h4>
<p>https://vxhly.github.io/views/windows/file-header-and-tail.html#%E4%BB%8E-ultraedit-%E6%8F%90%E5%8F%96%E7%9A%84%E6%96%87%E4%BB%B6%E5%A4%B4%E4%BF%A1%E6%81%AF</p>
<pre><code>Format                     Ext        Header (hex)                                 Trailer (hex)
JPEG                       jpg        FF D8 FF E0                                  FF D9
PNG                        png        89 50 4E 47                                  AE 42 60 82
GIF89                      gif        47 49 46 38 39                               00 3B
ZIP Archive                zip        50 4B 03 04                                  50 4B
TIFF                       tif        49 49 2A 00
Windows Bitmap             bmp        42 4D
CAD                        dwg        41 43 31 30
Adobe Photoshop            psd        38 42 50 53
Rich Text Format           rtf        7B 5C 72 74 66
XML                        xml        3C 3F 78 6D 6C
HTML                       html       68 74 6D 6C 3E
Email [thorough only]      eml        44 65 6C 69 76 65 72 79 2D 64 61 74 65 3A
Outlook Express            dbx        CF AD 12 FE C5 FD 74 6F
Outlook                    pst        21 42 44 4E
MS Word/Excel              xls/doc    D0 CF 11 E0
MS Access                  mdb        53 74 61 6E 64 61 72 64 20 4A
WordPerfect                wpd        FF 57 50 43
Adobe Acrobat              pdf        25 50 44 46 2D 31 2E
Quicken                    qdf        AC 9E BD 8F
Windows Password           pwl        E3 82 85 96
RAR Archive                rar        52 61 72 21 1A 07 00                         07 00
Wave                       wav        57 41 56 45
AVI                        avi        41 56 49 20
Real Audio                 ram        2E 72 61 FD
Real Media                 rm         2E 52 4D 46
MPEG                       mpg        00 00 01 BA
MPEG                       mpg        00 00 01 B3
Quicktime                  mov        6D 6F 6F 76
Windows Media              asf        30 26 B2 75 8E 66 CF 11
MIDI                       mid        4D 54 68 64
gzip                                  1F 8B
</code></pre>
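<p>As an added example (not code from the original page, binwalk or dd), the following Python scans a file for the magic bytes in the table above, reports the offset of each embedded object, and carves it out, which is what the binwalk -e and dd skip=... bs=1 commands in the Linux section do by hand. The input is constructed inside the block: a stub JPEG (not a valid image, only the FFD8 ... FFD9 framing) with a ZIP appended after the trailer.</p>

```python
# Added example (not from the original page or from binwalk): scan a file for
# the magic bytes in the table above, report where each embedded object
# starts, and carve it out the way `binwalk -e` or `dd skip=<offset> bs=1` does.
import io
import zipfile

# (header, trailer) from the table above; None = format has no fixed trailer
SIGNATURES = {
    "jpeg": (bytes.fromhex("FFD8FF"), bytes.fromhex("FFD9")),
    "png":  (bytes.fromhex("89504E47"), bytes.fromhex("AE426082")),
    "gif":  (bytes.fromhex("4749463839"), bytes.fromhex("003B")),
    "zip":  (bytes.fromhex("504B0304"), None),
    "rar":  (bytes.fromhex("526172211A0700"), None),
    "gzip": (bytes.fromhex("1F8B"), None),
    "pdf":  (bytes.fromhex("255044462D312E"), None),
}

def scan_signatures(data: bytes):
    """Every known header in `data`, as (offset, format) sorted by offset."""
    hits = []
    for name, (head, _) in SIGNATURES.items():
        pos = data.find(head)
        while pos != -1:
            hits.append((pos, name))
            pos = data.find(head, pos + 1)
    return sorted(hits)

def carve(data: bytes, offset: int, name: str) -> bytes:
    """Slice from the header at `offset` to the format's trailer (inclusive),
    or to end of file when the format has no trailer or it is missing."""
    head, tail = SIGNATURES[name]
    if tail is None:
        return data[offset:]
    end = data.find(tail, offset + len(head))
    return data[offset:] if end == -1 else data[offset:end + len(tail)]

def dd_command(src: str, dst: str, offset: int) -> str:
    """The equivalent of the dd one-liner in the dd section above."""
    return f"dd if={src} of={dst} skip={offset} bs=1"

def build_sample() -> bytes:
    """Constructed input: a stub JPEG (FFD8 ... FFD9) with a ZIP appended."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("flag.txt", "flag{constructed_sample}")
    jpeg = bytes.fromhex("FFD8FFE0") + b"\x00\x10JFIF\x00" + b"\x01" * 32 + bytes.fromhex("FFD9")
    return jpeg + zbuf.getvalue()

def extract_appended_zip(data: bytes) -> dict:
    """Carve the first ZIP that starts after offset 0 and read its entries."""
    for offset, name in scan_signatures(data):
        if name == "zip" and offset > 0:
            with zipfile.ZipFile(io.BytesIO(carve(data, offset, name))) as zf:
                return {n: zf.read(n) for n in zf.namelist()}
    return {}

if __name__ == "__main__":
    blob = build_sample()
    for offset, name in scan_signatures(blob):
        print(f"{offset:#08x}  {name}")       # 0x000000 jpeg, 0x00002d zip
    print(dd_command("attachment.jpg", "carved.zip", scan_signatures(blob)[1][0]))
    print(extract_appended_zip(blob))
```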
<h4 id="其它文件"><a class="header" href="#其它文件">Other files</a></h4>
<h5 id="apng"><a class="header" href="#apng">apng</a></h5>
<p>https://products.aspose.app/imaging/zh-hans/image-view
Free online image viewer; recommended, as it is clearer and more accurate
On kali, convert it to a gif with ffmpeg</p>
<pre><code class="language-bash">ffmpeg -i girl.apng -f gif out.gif
</code></pre>
<h5 id="bgp"><a class="header" href="#bgp">BPG</a></h5>
<p>BPG (Better Portable Graphics) is a new image format. It is intended to replace JPEG where quality or file size is a concern.
Tool download: https://bellard.org/bpg/
Simply drag the BPG file onto bpgview.exe</p>
<h5 id="ogg"><a class="header" href="#ogg">OGG</a></h5>
<p>OGG is an audio compression format with the extension .ogg; open it with Audacity</p>
<h5 id="bmp"><a class="header" href="#bmp">bmp</a></h5>
<p>https://www.cnblogs.com/robin-oneway/p/13932982.html
<img src="../../img_list/bmp.png" alt="image" /></p>
<h2 id="流量取证"><a class="header" href="#流量取证">Traffic forensics</a></h2>
<h3 id="wireshark"><a class="header" href="#wireshark">Wireshark</a></h3>
<h4 id="过滤器"><a class="header" href="#过滤器">Filters</a></h4>
<p>Filter POST requests</p>
<pre><code>http.request.method==POST
</code></pre>
<p>Exclude 404 responses</p>
<pre><code>http.response.code !=404
</code></pre>
<pre><code class="language-bash">ip contains "flag"   # search IP packets for the string flag
tcp contains "KEY"   # search TCP packets for the keyword KEY
udp contains "flag"  # search UDP packets for the keyword flag
</code></pre>
<p>TCP stream</p>
<pre><code>tcp.stream eq 0
</code></pre>
<h4 id="分组字节流搜索"><a class="header" href="#分组字节流搜索">Packet bytes search</a></h4>
<p>Ctrl+F opens the following
<img src="../../img_list/wireshark1.png" alt="image" />
It lets you quickly search for key strings:
password, flag, {} and whatever other keywords the challenge calls for</p>
<h4 id="追踪流"><a class="header" href="#追踪流">Follow stream</a></h4>
<p>Example: following a TCP stream. Right-click a TCP packet and choose Follow TCP Stream; the flag and other keywords are often found there</p>
<h4 id="导出http对象"><a class="header" href="#导出http对象">Export HTTP objects</a></h4>
<p>File -&gt; Export Objects -&gt; Save All -&gt; choose a folder
When there is a lot of content, copy it to Linux and grep for ctf, flag and the like
<code>grep -r 'CTF' ./new/</code></p>
<h4 id="tshark"><a class="header" href="#tshark">tshark</a></h4>
<pre><code>tshark -r sqltest.pcapng -Y "http.request" -T fields -e http.request.full_uri &gt; data.txt
tshark -r misc4.pcapng -Y "tcp &amp;&amp; ip.src == 106.75.209.165" -T fields -e data &gt; 1.txt
</code></pre>
<ul>
<li>-r: read a capture file</li>
<li>-Y: display filter expression</li>
<li>http.request.uri: the URI part of an HTTP request (used with -e)</li>
<li>-w: -w &lt;outfile|-&gt; set the output file for raw packet data. If not given, tshark writes the decoded result to stdout; "-w -" writes raw data to stdout. To write the decoded result to a file, use shell redirection "&gt;" instead of -w.</li>
<li>-F: -F &lt;output file type&gt; set the output file format; the default is .pcapng. "tshark -F" lists all supported output file types.</li>
<li>-V: add detail to the output;</li>
<li>-O: -O &lt;protocols&gt; show detailed information only for the protocols given.</li>
<li>-P: print packet summaries even when the decoded result is being written to a file;</li>
<li>-S: -S &lt;separator&gt; line separator</li>
<li>-x: print a hex dump of the packet data after each packet in the decoded output.</li>
<li>-T: -T pdml|ps|text|fields|psml set the output format of the decoded result (text, ps, psml or pdml); the default is text</li>
<li>-e: with -T fields, -e selects which fields to output;</li>
<li>-E: -E &lt;fieldsoption&gt;=&lt;value&gt; with -T fields, -E sets field output properties, for example header=y|n, separator=/t|/s|&lt;char&gt;, occurrence=f|l|a, aggregator=,|/s|&lt;char&gt;</li>
<li>-t: -t a|ad|d|dd|e|r|u|ud set the time format of the decoded output. "ad" is absolute time with date, "a" absolute time without date, "r" relative time since the first packet, "d" the delta between adjacent packets</li>
<li>-u: s|hms format for seconds;</li>
<li>-l: flush stdout after each packet</li>
<li>-q: used together with -z for statistics</li>
<li>-X: &lt;key&gt;:&lt;value&gt; extension options (lua_script, read_format; see the man page)</li>
<li>-z: statistics options, see the documentation; "tshark -z help" lists the statistics that -z supports.</li>
</ul>
<h4 id="lsassdmp"><a class="header" href="#lsassdmp">lsass.dmp</a></h4>
<p>lsass is a Windows process that handles local security and logon policy. mimikatz can obtain the plaintext passwords of active Windows accounts from lsass.exe. The lsass.dmp in this challenge is a dump of that process's memory, and account passwords can be extracted from it as well
https://github.com/gentilkiwi/mimikatz/releases/
Run as administrator</p>
<pre><code>privilege::debug
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords full
</code></pre>
<h3 id="usb流量"><a class="header" href="#usb流量">USB traffic</a></h3>
<p>USB forensics: the capture in Wireshark consists entirely of USB protocol packets</p>
<h4 id="usbkeyboarddatahacker"><a class="header" href="#usbkeyboarddatahacker">UsbKeyboardDataHacker</a></h4>
<p>https://github.com/WangYihang/UsbKeyboardDataHacker
Run it in a VM (Ubuntu is recommended; under Kali there are some problems, mainly with tshark)
<code>python UsbKeyboardDataHacker.py bingbing.pcapng</code>
Delete <code>2&lt;del&gt;</code>
<strong>Extracting USB traffic with tshark</strong></p>
<pre><code class="language-bash">tshark -r bingbing.pcapng -T fields -e usb.capdata &gt; usbdata.txt
</code></pre>
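<p>As an added example (not code from the original page or from UsbKeyboardDataHacker), the following Python turns the usb.capdata lines that the tshark command above writes to usbdata.txt back into text. It assumes 8-byte USB HID boundary keyboard reports (modifier byte, reserved byte, six key slots), handles Shift, key auto-repeat and Backspace itself, so the "2&lt;del&gt;" clean-up noted above is applied automatically; the capture lines are constructed inside the block.</p>

```python
# Added example, not part of the original page or of UsbKeyboardDataHacker:
# turn the `usb.capdata` lines that tshark prints (one 8-byte boundary
# keyboard report per line) back into text. It handles Shift, key
# auto-repeat, and Backspace (the "<DEL>" the tool above prints) itself.
KEYS = {0x28: ("\n", "\n"), 0x2c: (" ", " "), 0x2d: ("-", "_"),
        0x2e: ("=", "+"), 0x2f: ("[", "{"), 0x30: ("]", "}"),
        0x33: (";", ":"), 0x34: ("'", '"'), 0x36: (",", "<"),
        0x37: (".", ">"), 0x38: ("/", "?")}          # (plain, shifted)
for i, c in enumerate("abcdefghijklmnopqrstuvwxyz"):  # usage IDs 0x04..0x1d
    KEYS[0x04 + i] = (c, c.upper())
for i, (n, s) in enumerate(zip("1234567890", "!@#$%^&*()")):  # 0x1e..0x27
    KEYS[0x1e + i] = (n, s)
BACKSPACE, SHIFT_MASK = 0x2a, 0x22   # modifier byte: bit1 = LShift, bit5 = RShift

def parse_report(line):
    """'00:00:04:00:00:00:00:00' or '0000040000000000' -> 8 bytes, else None."""
    h = line.strip().replace(":", "")
    return bytes.fromhex(h[:16]) if len(h) >= 16 else None

def decode_keystrokes(lines):
    text, held = [], set()
    for line in lines:
        rep = parse_report(line)
        if rep is None:
            continue
        shifted = bool(rep[0] & SHIFT_MASK)
        for code in rep[2:8]:
            if code == 0 or code in held:   # empty slot, or key still held (auto-repeat)
                continue
            if code == BACKSPACE:
                if text:
                    text.pop()              # apply the deletion instead of printing <DEL>
            elif code in KEYS:
                text.append(KEYS[code][shifted])
        held = {k for k in rep[2:8] if k}   # keys down in this report; a zero report releases all
    return "".join(text)

# Constructed capture in the colon form tshark emits; R = all-keys-released report.
R = "00:00:00:00:00:00:00:00"
SAMPLE = ["00:00:09:00:00:00:00:00", R,   # f
          "00:00:0f:00:00:00:00:00", R,   # l
          "00:00:04:00:00:00:00:00",      # a ...
          "00:00:04:00:00:00:00:00", R,   # ... still held: must not repeat
          "00000a0000000000", R,          # g, newer tshark prints without colons
          "02:00:2f:00:00:00:00:00", R,   # LShift + [  -> {
          "20:00:18:00:00:00:00:00", R,   # RShift + u  -> U
          "02:00:2d:00:00:00:00:00", R,   # LShift + -  -> _
          "00:00:1f:00:00:00:00:00", R,   # 2 (typo)
          "00:00:2a:00:00:00:00:00", R,   # Backspace removes it
          "00:00:1e:00:00:00:00:00", R,   # 1
          "02:00:30:00:00:00:00:00", R,   # LShift + ]  -> }
          "00:00:28:00:00:00:00:00", R,   # Enter
          ""]                             # trailing blank line from tshark

if __name__ == "__main__":
    print(repr(decode_keystrokes(SAMPLE)))   # 'flag{U_1}\n'
```

To run it on a real capture, pass the lines of usbdata.txt (for example `decode_keystrokes(open("usbdata.txt"))`) instead of SAMPLE.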
<h3 id="私钥解密"><a class="header" href="#私钥解密">Private-key decryption</a></h3>
<p>After finding a private key in the capture, save it locally as 1.key
Edit -&gt; Preferences -&gt; Protocols -&gt; TLS, import 1.key, and the TLS stream can then be followed
Example challenge: greatescape</p>
<h3 id="流量包提取数据"><a class="header" href="#流量包提取数据">Extracting data from a capture</a></h3>
<p>Below is an example that extracts the last 8 bytes of each ICMP payload</p>
<pre><code class="language-py">from scapy.all import rdpcap, ICMP, Raw

packets = rdpcap('out.pcapng')
for packet in packets:
    # type 0 = echo reply; the hidden data sits at the end of the payload
    if packet.haslayer(ICMP) and packet[ICMP].type == 0 and packet.haslayer(Raw):
        print(packet[Raw].load[-8:])
</code></pre>
<h3 id="大流量统计"><a class="header" href="#大流量统计">Statistics on large captures</a></h3>
<p>Find the IP address that appears most often
Statistics -&gt; IPv4 Statistics -&gt; All Addresses</p>
<h2 id="音频取证"><a class="header" href="#音频取证">Audio forensics</a></h2>
<h3 id="audacity"><a class="header" href="#audacity">Audacity</a></h3>
<p>A small trick for Morse code
File -&gt; Export as WAV; if there are two channels, first split the stereo track to mono
<img src="../../img_list/audacity1.png" alt="image" />
kali (sound must be enabled in the top-right corner of kali)</p>
<pre><code class="language-bash">morse2ascii good.wav
</code></pre>
<p><img src="../../img_list/audacity.png" alt="image" />
Replace <code>t</code> with <code>-</code> and <code>e</code> with <code>.</code></p>
<h4 id="导入原始数据"><a class="header" href="#导入原始数据">Import raw data</a></h4>
<p>For files with the .s8 extension</p>
<h3 id="dtmf2num"><a class="header" href="#dtmf2num">dtmf2num</a></h3>
<p>DTMF dial-tone recognition
<code>dtmf2num.exe girlfriend.wav</code>
<img src="../../img_list/dtmf1.png" alt="image" /></p>
<h3 id="音频lsb隐写"><a class="header" href="#音频lsb隐写">Audio LSB steganography</a></h3>
<p>Decode with the SilentEye tool</p>
<h3 id="steghide"><a class="header" href="#steghide">Steghide</a></h3>
<p>Steghide is a tool that can hide a file inside an image or audio file</p>
<pre><code class="language-bash">apt-get install steghide
# hide a file
steghide embed -cf [cover image] -ef [file to hide]
steghide embed -cf 1.jpg -ef 1.txt
# show information about the file embedded in an image
steghide info 1.jpg
# extract the file hidden in an image
steghide extract -sf 1.jpg
</code></pre>
<h4 id="steghide爆破"><a class="header" href="#steghide爆破">Steghide brute force</a></h4>
<p>Run on kali; the stego file is flag.jpg</p>
<pre><code class="language-py"># run with python3
from subprocess import Popen, PIPE, STDOUT

def foo():
    stegoFile = 'flag.jpg'        # the stego image
    extractFile = 'result.txt'    # where steghide writes the extracted data
    passFile = 'english.dic'      # wordlist
    errors = ['could not extract', 'steghide --help', 'Syntax error']
    f = open(passFile, 'r')
    for line in f.readlines():
        passphrase = line.strip()
        # pass the arguments as a list, so quotes or spaces in a wordlist entry
        # cannot break the command line
        cmd = ['steghide', 'extract', '-sf', stegoFile, '-xf', extractFile, '-p', passphrase]
        p = Popen(cmd, stdout=PIPE, stderr=STDOUT)
        content = p.stdout.read().decode('utf-8', errors='replace')
        for err in errors:
            if err in content:
                break
        else:                     # no error string in the output: this passphrase worked
            print(content)
            print('the passphrase is %s' % passphrase)
    f.close()
    return

if __name__ == '__main__':
    foo()
    print('ok')
</code></pre>
<h3 id="频谱图"><a class="header" href="#频谱图">Spectrogram</a></h3>
<p>https://www.sonicvisualiser.org/download.html
Layer -&gt; Add Peak Frequency Spectrogram, or Shift+K
In Audacity, switch the track to spectrogram view from the dropdown on the left of the track</p>
<h3 id="qsstv"><a class="header" href="#qsstv">qsstv</a></h3>
<p>Slow-scan television (SSTV)
Slow-scan television is a picture transmission method used mainly by amateur radio operators; it transmits and receives monochrome or colour still images over radio.
Install QSSTV on kali
<code>apt-get install qsstv</code>
Options -&gt; Configuration -&gt; Sound, tick From file
Then click the small button shown below, select attachment.wav, and decoding starts
<img src="../../img_list/qsstv.png" alt="image" /></p>
<h3 id="deepsound"><a class="header" href="#deepsound">DeepSound</a></h3>
<p>https://deepsound.soft112.com/
If the file is password-protected, a cracking script is needed
https://github.com/magnumripper/JohnTheRipper/blob/bleeding-jumbo/run/deepsound2john.py
<code>python3 deepsound2john.py final_flag.wav&gt;hashes.txt</code>
<code>john hashes.txt</code>
<img src="../../img_list/john1.png" alt="image" /></p>
<h2 id="磁盘取证-1"><a class="header" href="#磁盘取证-1">Disk forensics</a></h2>
<h3 id="ntfs隐写"><a class="header" href="#ntfs隐写">NTFS steganography</a></h3>
<p>Tool: NtfsStreamsEditor
Use a VM; some archives must be extracted with WinRAR or 7z before the stream can be found</p>
<h2 id="doc取证"><a class="header" href="#doc取证">DOC forensics</a></h2>
<p>Sometimes the flag text is coloured white; select all and change it to a visible colour
https://www.cnblogs.com/WhiteHatKevil/articles/10051582.html</p>
<h3 id="密码爆破"><a class="header" href="#密码爆破">Password cracking</a></h3>
<p>https://down.52pojie.cn/?query=
Accent OFFICE Password Recovery v5.1 CracKed By Hmily[LCG][LSG]
Usually guess a four-digit numeric password
<img src="../../img_list/word1.png" alt="image" /></p>
<h3 id="隐藏文字"><a class="header" href="#隐藏文字">Hidden text</a></h3>
<p>File -&gt; Options -&gt; Display -&gt; Hidden text
Use the format painter, or right-click the text and untick Hidden; it can then be copied</p>
<h3 id="doc改为zip"><a class="header" href="#doc改为zip">Rename doc to zip</a></h3>
<p>ppt can be renamed to zip as well
<code>grep -rn flag{ ./*</code></p>
<h2 id="密码取证"><a class="header" href="#密码取证">Password forensics</a></h2>
<p>https://passwordrecovery.io/zip-file-password-removal/
Supposedly an online cracking tool, but it does not work; leaving it here for now</p>
<h3 id="古典密码类"><a class="header" href="#古典密码类">Classical ciphers</a></h3>
<h4 id="autokey爆破"><a class="header" href="#autokey爆破">Autokey cracking</a></h4>
<p>Download address of the py file:
http://www.practicalcryptography.com/cryptanalysis/stochastic-searching/cryptanalysis-autokey-cipher/
Download address of the configuration files:
http://www.practicalcryptography.com/cryptanalysis/text-characterisation/quadgrams/#a-python-implementation</p>
<p>You first need to download three configuration files: two txt files and ngram_score.py
Install the pycipher library
<code>pip install pycipher</code>
Edit the string to crack in the py file and run it under Python 2
<code>python2 break_autokey.py</code></p>
<h4 id="encrypto"><a class="header" href="#encrypto">encrypto</a></h4>
<p>https://macpaw.com/encrypto
Encrypto takes any file or folder and adds AES-256 encryption to it. With encryption, you know your file is very secure and only the right people can access it.
.crypto format</p>
<h4 id="alphuck"><a class="header" href="#alphuck">ALPHUCK</a></h4>
<p>https://www.dcode.fr/alphuck-language</p>
<h4 id="toy密码"><a class="header" href="#toy密码">Toy cipher</a></h4>
<p>https://eprint.iacr.org/2020/301.pdf</p>
<pre><code class="language-py"># Each plaintext letter is encoded as a group of four letters; decode in two steps:
# first map each 4-letter group back to a letter, then apply the reversed alphabet.
list1 = {'M':'ACEG','R':'ADEG','K':'BCEG','S':'BDEG','A':'ACEH','B':'ADEH','L':'BCEH','U':'BDEH','D':'ACEI','C':'ADEI','N':'BCEI','V':'BDEI','H':'ACFG','F':'ADFG','O':'BCFG','W':'BDFG','T':'ACFH','G':'ADFH','P':'BCFH','X':'BDFH','E':'ACFI','I':'ADFI','Q':'BCFI','Y':'BDFI'}
list2 = ['M','R','K','S','A','B','L','U','D','C','N','V','H','F','O','W','T','G','P','X','E','I','Q','Y']
list2_re = list2[::-1]   # the same alphabet reversed, used for the second substitution
ori_str = 'BCEHACEIBDEIBDEHBDEHADEIACEGACFIBDFHACEGBCEHBCFIBDEGBDEGADFGBDEHBDEGBDFHBCEGACFIBCFGADEIADEIADFH'
flag_1 = ''
for i in range(0, len(ori_str), 4):
    _val = ori_str[i:i+4]
    for key, val in list1.items():
        if val == _val:
            flag_1 += key
print(flag_1)
flag = ''
for i in flag_1:
    for j, k in enumerate(list2):
        if i == k:
            flag += list2_re[j]
print(flag)
</code></pre>
<h3 id="登录取证"><a class="header" href="#登录取证">Login forensics</a></h3>
<h4 id="mozilla"><a class="header" href="#mozilla">Mozilla</a></h4>
<p>https://github.com/lclevy/firepwd
Firepwd.py: an open-source tool for decrypting passwords protected by Mozilla
By default firepwd.py processes key3.db (or key4.db) and signons.sqlite (or logins.json) in the current directory, but an alternative directory can be given with the -d option. Don't forget the trailing "/".
<code>python3 firepwd.py logins.json </code></p>
<h4 id="vnc"><a class="header" href="#vnc">VNC</a></h4>
<p>https://github.com/x0rz4/vncpwd VNC password decryption tool
<code>vncpwd.exe 375ebe8670b3c6f3</code>
For example, from a registry value such as "Password"=hex:37,5e,be,86,70,b3,c6,f3</p>
<h3 id="密码爆破-1"><a class="header" href="#密码爆破-1">Password cracking</a></h3>
<h4 id="john"><a class="header" href="#john">John</a></h4>
<p>NTLM hashes produced by hashdump
Save them as hash.txt</p>
<pre><code>Administrator:500:0182bd0bd4444bf867cd839bf040d93b:c22b315c040ae6e0efee3518d830362b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:132893a93031a4d2c70b0ba3fd87654a:fe572c566816ef495f84fdca382fd8bb:::
</code></pre>
<pre><code class="language-bash">john --wordlist=/usr/share/john/password.lst --rule --format=NT hash.txt
</code></pre>
<h4 id="opharack"><a class="header" href="#opharack">ophcrack</a></h4>
<p>Rainbow-table based cracking
ophcrack: https://sourceforge.net/projects/ophcrack/
ophcrack-tables: https://ophcrack.sourceforge.io/tables.php</p>
<h3 id="待分类解密"><a class="header" href="#待分类解密">Unclassified decryption</a></h3>
<h4 id="cncrypt"><a class="header" href="#cncrypt">CnCrypt</a></h4>
<p>https://72k.us/file/20044976-439996462
So far used to decrypt ccx files
Open it in a VM; a password is required
<img src="../../img_list/cncrypt.png" alt="image" /></p>
<h2 id="其它"><a class="header" href="#其它">Other</a></h2>
<h3 id="基站定位查询"><a class="header" href="#基站定位查询">Cell tower location lookup</a></h3>
<p>https://v.juhe.cn/cell/Triangulation/index.html?s=inner</p>
<h3 id="ip反查域名"><a class="header" href="#ip反查域名">Reverse IP to domain lookup</a></h3>
<p>https://www.ipip.net/ip.html</p>
<h3 id="坐标取证"><a class="header" href="#坐标取证">Coordinate forensics</a></h3>
<p><strong>Case 1</strong>
e.g. plotting coordinates to reveal a QR code</p>
<pre><code>10 10
10 11
10 13
....
</code></pre>
<pre><code class="language-bash">sudo apt-get install gnuplot
gnuplot
plot "filename"
</code></pre>
<p><strong>Case 2</strong></p>
<pre><code>(376, 38462.085), (485, 49579.895)
</code></pre>
<pre><code class="language-py">import ast
import matplotlib.pyplot as plt
import matplotlib as mpl

mpl.rcParams['font.family'] = 'sans-serif'
mpl.rcParams['font.sans-serif'] = 'NSimSun,Times New Roman'
with open('dataset.txt', 'r') as f:
    lines = f.readlines()
for line in lines:
    if not line.strip():
        continue
    # each line looks like "(376, 38462.085), (485, 49579.895)"; literal_eval
    # parses it as a tuple of tuples without executing arbitrary code
    points = ast.literal_eval(line)
    for tup in points:
        x, y = tup[0], tup[1]
        plt.plot(x, y, '.', color='black')
plt.xlabel('x')
plt.ylabel('y')
plt.title('Data')
plt.show()
</code></pre>
</main>
</div>
</div>
</div>
<script>
window.playground_line_numbers = true;
</script>
<script>
window.playground_copyable = true;
</script>
<script src="../../ace.js"></script>
<script src="../../editor.js"></script>
<script src="../../mode-rust.js"></script>
<script src="../../theme-dawn.js"></script>
<script src="../../theme-tomorrow_night.js"></script>
<script src="../../elasticlunr.min.js"></script>
<script src="../../mark.min.js"></script>
<script src="../../searcher.js"></script>
<script src="../../clipboard.min.js"></script>
<script src="../../highlight.js"></script>
<script src="../../book.js"></script>
<!-- Custom JS scripts -->
<script src="../../src/js/custom.js"></script>
</div>
</body>
</html>