中山市 香山杯2023 Misc pintu

Smera1d02023-10-16 21:40

大便题目啊,跟拼图没有半毛钱关系

附件给我们4703张图片,而且给了tip:8->10,且这些图片的宽度都是一样的。

首先我们考虑将黑色图片当作0,白色图片当作1,将这些按编号顺序将这些图片转成二进制串。

py 复制代码 
from PIL import Image
bin_str = ''
path = r"D:\qq文件\pintu_26914c79abf08a72af534387e23ffdf6\pintu"
for i in range(4703):
    image_path = path + f"\{i + 1}.png"
    image = Image.open(image_path)
    height = image.size[1]  # 0是宽度,1是高度
    height_data = height_data + chr(int(str(height), 8))
    pixel = image.getpixel((0, 0))  # 获取(0,0)位置的像素
    if pixel == (0, 0, 0):
        bin_str = bin_str + '0'
    else:
        bin_str = bin_str + '1'
print(bin_str)

得到二进制串。

考虑把二进制串转为字节串再用utf-8解码。

py 复制代码 
print(long_to_bytes(int(bin_str,2)).decode('utf-8'))

得到:

te 复制代码 
flag看到666c是不是特别兴奋,很可惜flag并不在这。(狗头保命),既然走到了这里,那我也给一个通关的关键信息拿去吧,去找到真正的flag吧:sUvcu5rgSeAmJQCfdXtEMKIB91Lj3niOo4hyV0b/2azpx8HqZP6wk7GNlTFYDR+W                                 哎,对了。拿走之前看一看我精心挑选的笑话吧:猎人打猎,朝狐狸开枪,"砰"地一声枪响之后猎人死了。狐狸叉着腰,冷笑一声:
"没想到吧,我是反射弧。"好不好笑, 有没有感觉一哆嗦,大脑更清晰了。ฅ՞•ﻌ•՞ ต

sUvcu5rgSeAmJQCfdXtEMKIB91Lj3niOo4hyV0b/2azpx8HqZP6wk7GNlTFYDR+W疑似换表base64(其实不太能想到)

然后我们考虑提取这些图片的高度,将高度作为8进制数转为10进制,再通过ASCII码转为字符。

py 复制代码 
for i in range(4703):
    image_path = path + f"\{i + 1}.png"
    image = Image.open(image_path)
    height = image.size[1]  # 0是宽度,1是高度
    height_data = height_data + chr(int(str(height), 8))
print(height_data)

得到:

复制代码 
74 82 70 84 67 53 83 70 71 53 83 85 52 83 84 86 72 66 84 84 67 82 50 83 75 86 83 69 50 78 75 86 73 85 89 70 67 83 50 77 79 86 70 85 87 77 76 76 71 86 75 87 73 84 75 76 74 90 83 69 50 78 75 86 77 82 70 85 87 89 51 69 74 85 51 86 75 90 67 78 71 86 75 85 50 83 75 81 77 78 88 69 50 87 67 86 77 82 71 84 75 86 75 78 77 77 50 88 77 82 75 76 71 69 50 85 83 53 83 69 79 70 87 84 77 82 68 82 78 90 86 84 79 53 76 78 71 90 67 71 89 87 68 86 79 86 89 85 71 53 75 89 75 86 87 84 77 82 68 82 77 82 66 71 52 90 68 78 71 90 74 69 52 84 76 87 73 82 89 87 73 84 74 86 79 86 87 84 77 85 83 79 77 82 71 88 75 52 76 79 78 77 50 86 75 51 74 87 73 82 87 71 73 84 74 86 77 82 87 84 77 85 83 86 74 86 51 70 69 86 76 69 74 85 50 88 75 90 67 67 78 90 75 87 73 84 74 86 74 90 83 69 50 78 75 86 78 90 86 84 79 86 76 69 74 85 50 86 67 87 68 86 71 86 75 85 75 84 76 69 79 70 87 84 77 82 68 77 77 82 71 84 75 86 75 89 79 85 51 88 73 82 74 87 75 74 75 71 73 84 74 86 75 86 83 71 69 79 68 81 78 74 50 85 87 87 67 76 71 66 50 87 87 84 68 67 79 85 51 69 87 81 82 81 74 82 67 88 75 87 68 70 77 82 66 68 73 78 76 74 71 86 88 69 85 83 82 80 77 70 69 85 87 53 84 89 79 70 70 69 69 87 67 84 79 82 71 86 81 83 66 82 78 78 74 72 75 83 50 72 75 82 68 88 73 86 83 83 79 86 69 88 69 53 74 87 78 74 71 87 67 87 67 76 73 74 73 88 65 84 66 88 78 90 86 85 89 81 82 82 79 86 73 86 77 77 68 78 79 82 70 87 75 82 50 74 79 74 70 85 50 83 50 74 71 66 76 69 75 84 75 81 79 70 71 85 52 85 75 71 74 78 50 70 69 85 67 78 75 89 50 69 81 81 75 79 75 86 70 85 50 84 74 86 76 66 88 69 83 83 51 78 77 81 88 86 77 78 90 90 75 89 50 85 81 84 74 80 77 86 83 85 50 83 50 82 73 78 85 88 75 77 76 86 75 70 67 87 54 52 75 76 74 77 90 88 79 50 74 86 74 78 69 71 73 54 74 81 79 53 71 68 75 86 74 87 79 81 51 84 65 77 83 76 74 86 70 70 85 50 83 78 71 65 89 87 52 89 50 89 77 70 71 87 87 85 83 73 78 74 50 87 89 53 51 69 71 65 52 87 89 84 74 87 72 66 52 71 83 90 50 76 74 73 52 87 69 78 68 87 74 81 51 84 75 84 66 84 71 53 76 69 52 53 68 72 74 78 83 85 85 76 90 86 79 66 70 70 77 77 74 83 74 78 50 85 50 78 83 82 77 52 89 84 83 79 75 87 77 69 90 69 89 78 51 66 79 81 52 85 75 90 76 68 78 70 71 86 81 52 83 78 74 78 73 85 85 79 74 88 78 90 51 70 67 50 51 79 79 74 70 88 79 78 76 90 75 70 69 84 81 77 84 79 73 52 51 86 71 83 75 78 75 66 75 84 67 86 83 81 73 78 85 87 69 78 67 76 71 70 68 87 67 89 84 74 74 85 50 71 73 83 76 72 71 82 51 84 71 52 83 82 73 77 90 85 69 83 50 89 78 90 68 84 65 77 68 85 74 85 89 69 75 84 74 81 71 86 52 69 83 54 74 82 78 86 70 87 71 77 67 85 74 73 51 88 75 78 50 78 75 90 52 69 52 53 67 72 71 66 50 68 71 89 84 66 75 70 77 72 83 51 51 88 73 86 72 71 75 54 75 70 79 52 89 84 67 81 50 67 71 82 90 71 52 86 83 89 73 70 73 87 69 54 68 88 73 78 90 69 87 52 66 84 73 53 81 85 67 50 76 83 71 53 76 69 83 86 84 79 73 70 50 69 52 89 75 84 71 77 51 84 73 86 67 75 77 73 89 84 69 51 75 72 74 77 88 88 73 89 51 80 73 53 50 69 75 51 84 86 78 70 90 69 87 89 75 78 79 53 76 71 87 50 83 67 75 90 89 69 75 53 90 85 78 81 90 88 75 79 68 88 76 66 67 87 52 77 74 82 75 90 70 86 65 90 67 76 75 77 51 68 83 89 82 89 75 66 88 69 52 78 67 73 74 74 86 84 69 52 75 70 75 90 73 84 65 50 75 74 77 82 51 85 87 81 82 85 77 70 85 87 69 78 68 87 74 74 72 70 67 78 68 78 78 78 74 70 71 77 90 88 77 69 88 88 73 89 84 66 75 66 73 85 50 90 74 80 74 73 88 86 67 83 75 89 79 73 50 72 85 53 68 72 75 77 51 85 83 82 74 90 79 70 71 83 54 52 50 79 71 70 68 86 81 85 51 74 71 65 89 85 87 50 84 88 71 82 65 85 83 53 75 69 75 66 88 69 50 50 50 50 74 82 84 84 71 52 66 82 73 85 50 84 77 79 75 78 71 74 51 85 67 84 82 86 73 90 86 69 83 87 67 78 78 90 82 85 87 86 83 76 74 85 50 69 77 53 67 79 74 77 51 86 67 53 90 82 77 82 88 68 65 51 90 88 78 70 67 84 75 87 67 75 74 90 73 87 77 77 76 68 71 82 69 87 85 81 84 80 74 90 85 88 83 77 66 88 78 70 84 86 81 83 67 76 73 73 90 86 73 50 84 67 78 82 73 69 75 50 50 76 71 90 69 87 69 85 84 77 74 85 50 87 67 90 74 90 74 86 52 70 85 50 83 74 77 86 68 70 81 86 82 88 71 70 70 71 87 85 66 89 74 74 90 71 52 54 67 89 71 85 89 72 83 87 66 80 71 85 52 69 87 89 82 81 74 70 86 71 69 77 76 76 78 86 86 84 83 52 75 78 79 81 52 68 75 83 83 72 76 65 89 68 71 82 74 86 78 66 70 85 83 78 75 70 78 90 72 68 73 50 67 70 79 85 51 85 50 77 50 78 77 70 87 85 71 83 75 83 77 70 77 71 87 78 50 87 71 77 51 84 65 79 66 84 70 52 50 69 69 90 68 67 72 70 87 70 81 84 76 77 79 65 90 85 87 86 74 85 78 70 66 68 83 84 83 76 77 78 74 88 65 84 66 87 75 73 51 70 81 89 90 82 71 90 88 71 87 79 68 67 71 78 68 84 83 78 90 82 75 90 74 68 81 90 67 78 71 86 75 87 73 84 74 86 71 86 86 72 75 77 75 78 74 81 51 86 67 78 50 78 74 69 51 87 71 90 66 87 79 78 88 84 67 52 82 86 78 77 52 85 75 89 76 66 78 74 69 84 75 76 90 82 79 82 74 70 85 50 84 67 71 78 77 84 83 89 82 86 79 52 89 85 75 79 76 76

我们再将它们作为十进制数转化为字符:

py 复制代码 
ascii_list = height_data.split(" ")
data = ''
for j in ascii_list:
    data = data + chr(int(j))
print(data)

得到:

复制代码 
JRFTC5SFG5SU4STVHBTTCR2SKVSE2NKVIUYFCS2MOVFUWMLLGVKWITKLJZSE2NKVMRFUWY3EJU3VKZCNGVKU2SKQMNXE2WCVMRGTKVKNMM2XMRKLGE2US5SEOFWTMRDRNZVTO5LNGZCGYWDVOVYUG5KYKVWTMRDRMRBG4ZDNGZJE4TLWIRYWITJVOVWTMUSOMRGXK4LONM2VK3JWIRWGITJVMRWTMUSVJV3FEVLEJU2XKZCCNZKWITJVJZSE2NKVNZVTOVLEJU2VCWDVGVKUKTLEOFWTMRDMMRGTKVKYOU3XIRJWKJKGITJVKVSGEODQNJ2UWWCLGB2WWTDCOU3EWQRQJRCXKWDFMRBDINLJGVXEUSRPMFEUW5TYOFFEEWCTORGVQSBRNNJHKS2HKRDXIVSSOVEXE5JWNJGWCWCLIJIXATBXNZVUYQRROVIVMMDNORFWKR2JOJFU2S2JGBLEKTKQOFGU4UKGJN2FEUCNKY2EQQKOKVFU2TJVLBXESS3NMQXVMNZZKY2UQTJPMVSU2S2RINUXKMLVKFCW64KLJMZXO2JVJNEGI6JQO5GDKVJWOQ3TAMSLJVFFU2SNGAYW4Y2YMFGWWUSINJ2WY53EGA4WYTJWHB4GSZ2LJI4WENDWJQ3TKTBTG5LE45DHJNSUULZVOBFFMMJSJN2U2NSRM4YTSOKWMEZEYN3BOQ4UKZLDNFGVQ4SNJNIUUOJXNZ3FC23OOJFXONLZKFETQMTOI43VGSKNKBKTCVSQINUWENCLGFDWCYTJJU2GISLHGR3TG4SRIMZUES2YNZDTAMDUJUYEKTJQGV4ES6JRNVFWGMCUJI3XKN2NKZ4E45CHGB2DGYTBKFMHS33XIVHGK6KFO4YTCQ2CGRZG4VSYIFIWE6DXINZEW4BTI5QUC2LSG5LESVTOIF2E4YKTGM3TIVCKMIYTE3KHJMXXIY3PI52EK3TVNFZEWYKNO5LGW2SCKZYEK5ZUNQZXKODXLBCW4MJRKZFVAZCLKM3DSYRYKBXE4NCIJJVTE4KFKZITA2KJMR3UWQRUMFUWENDWJJHFCNDNNNJFGMZXMEXXIYTBKBIU2ZJPJIXVCSKYOI2HU5DHKM3USRJZOFGS642OGFDVQU3JGAYUW2TXGRAUS5KEKBXE2222JRTTG4BRIU2TMOKNGJ3UCTRVIZVESWCNNZRUWVSLJU2EM5COJM3VC5ZRMRXDA3ZXNFCTKWCKJZIWMMLDGREWUQTPJZUXSMBXNFTVQSCLIIZVI2TCNRIEK22LGZEWEUTMJU2WCZJZJV4FU2SJMVDFQVRXGFFGWUBYJJZG46CYGUYHSWBPGU4EWYRQJFVGEMLLNVVTS4KNOQ4DKSSHLAYDGRJVNBFUSNKFNZHDI2CFOU3U2M2NMFWUGSKSMFMGWN2WGM3TAOBTF42EEZDCHFWFQTLMOAZUWVJUNFBDSTSLMNJXATBWKI3FQYZRGZXGWODCGNDTSNZRKZJDQZCNGVKWITJVGVVHKMKNJQ3VCN2NJE3WGZBWONXTC4RVNM4UKYLBNJETKLZRORJFU2TCGNMTSYRVO4YUKOLL

疑似base32,然后用换表base64解出:

复制代码 
iVBORw0KGgoAAAANSUhEUgAAAEwAAAAUCAMAAAAQlCuDAAAAP1BMVEX/////wMD//8DA/8DA///AwP//wP//AAD//wAA/wAA//8AAP//AP/AAADAwAAAwAAAwMAAAMDAAMD///8AAADMRO/yAAABkklEQVQ4ja2UyZLDIAxExWL2zVT+/1tHIDngODWnvJODXa2mJQUskkWtivD6IKIRvXeTUidMLoSszU/qRHn+pUQAQueKBy5bAnRrIQSNxFD58/UW3xUnB9shPrKYhUC0mIYt4iSOnlN3BV8S+lxuLbhBkQZsY7HuI2qk2FhTE24vXbJhkZRa2CyDFQSLcWB7GFW1c5khwmHYLAfLNzhUgjfyHPXxspcNquQwieIISRQlZ6KT9y3Q5RK7KiRrjMF83OrcO6Y9xFvDJ6k38eksjJxmdZGJKzHsXy2fh/egH86I7DxeiS94my+O8xpKsE7YfEqAR2bkqwxn3J/NCeyd3UxizhB3sa/OHsZgJjq5Bg2sVDhjHr5Y6/Rp7gdHzVUo8JXO1uM0hw+e1raJ3+qzmdTt5dUHzKuu76PvX5y1Q3sOd8Vmx7z9uxtnUw9nn1OErZoxPZIaK0mbzFMY3Lm0glDYcFqmViVnft/F/Q+E3deq1bUaSwxbLMTqJK9oiGMdsYmrxWBf8EN+qPayv7T2+k/rD6rwKfsf5fOmAAAAAElFTkSuQmCC  data:image/png;base64

提示png、base64

然后再用base64解一遍:

cyberchef显示得到一张图片,保存下来,用npiet在线解得:

终于得到了flag

附完整exp:

py 复制代码 
from Crypto.Util.number import *
from PIL import Image
import os

bin_str = ''
height_data = ''
path = r"D:\qq文件\pintu_26914c79abf08a72af534387e23ffdf6\pintu"
for i in range(4703):
    image_path = path + f"\{i + 1}.png"
    image = Image.open(image_path)
    height = image.size[1]  # 0是宽度,1是高度
    height_data = height_data + chr(int(str(height), 8))
    pixel = image.getpixel((0, 0))  # 获取(0,0)位置的像素
    if pixel == (0, 0, 0):
        bin_str = bin_str + '0'
    else:
        bin_str = bin_str + '1'
print(bin_str)
print(long_to_bytes(int(bin_str,2)).decode('utf-8'))
print(height_data)
ascii_list = height_data.split(" ")
data = ''
for j in ascii_list:
    data = data + chr(int(j))
print(data)
  • 总结:pintu这个题目名太过于误导,后续的换表base也不好想到,考验对数据的处理和分析,是一道misc难题
相关推荐
给勒布朗上上对抗呀9 小时前
NginxDeny绕过-玄武杯2025-眼见不为实
ctf
蓝之白20 小时前
流量分析_SnakeBackdoor-1~6
web安全·ctf·流量分析·逆向分析
蓝之白2 天前
Web15-网站被黑
web安全·ctf
777sea2 天前
CTFSHOW-2026元旦跨年欢乐赛-CS2026
ctf
给勒布朗上上对抗呀2 天前
序列化绕过-攻防世界-unseping
ctf
给勒布朗上上对抗呀3 天前
FlaskSession伪造-攻防世界-catcat-new
flask·ctf
蓝之白4 天前
Web14-game1
web安全·ctf
print_Hyon5 天前
【CTF-WEB】原型链污染及Pug模板注入
ctf
print_Hyon5 天前
【CTF-APK】基于TRAE和jadx的MCP实现AI逆向分析APK文件
ctf
print_Hyon5 天前
【CTF-WEB】在线Lua执行器漏洞
lua·ctf
热门推荐
01GitHub 镜像站点02安娜的档案(Anna’s Archive) 镜像网站/国内最新可访问入口(持续更新)03Linux下V2Ray安装配置指南04手把手教你通过Gemini3 pro 学生认证,白用一年,手慢无!05Labelme从安装到标注:零基础完整指南06jdk21下载、安装(Windows、Linux、macOS)07GitLab 零基础入门指南:从安装到项目管理全流程08【踩坑笔记】50系显卡适配的 PyTorch 安装09UV安装并设置国内源102025-04-03 Latex学习1——本地配置Latex + VScode环境