中山市 香山杯2023 Misc pintu

Smera1d02023-10-16 21:40

大便题目啊,跟拼图没有半毛钱关系

附件给我们4703张图片,而且给了tip:8->10,且这些图片的宽度都是一样的。

首先我们考虑将黑色图片当作0,白色图片当作1,将这些按编号顺序将这些图片转成二进制串。

py 复制代码 
from PIL import Image
bin_str = ''
path = r"D:\qq文件\pintu_26914c79abf08a72af534387e23ffdf6\pintu"
for i in range(4703):
    image_path = path + f"\{i + 1}.png"
    image = Image.open(image_path)
    height = image.size[1]  # 0是宽度,1是高度
    height_data = height_data + chr(int(str(height), 8))
    pixel = image.getpixel((0, 0))  # 获取(0,0)位置的像素
    if pixel == (0, 0, 0):
        bin_str = bin_str + '0'
    else:
        bin_str = bin_str + '1'
print(bin_str)

得到二进制串。

考虑把二进制串转为字节串再用utf-8解码。

py 复制代码 
print(long_to_bytes(int(bin_str,2)).decode('utf-8'))

得到:

te 复制代码 
flag看到666c是不是特别兴奋,很可惜flag并不在这。(狗头保命),既然走到了这里,那我也给一个通关的关键信息拿去吧,去找到真正的flag吧:sUvcu5rgSeAmJQCfdXtEMKIB91Lj3niOo4hyV0b/2azpx8HqZP6wk7GNlTFYDR+W                                 哎,对了。拿走之前看一看我精心挑选的笑话吧:猎人打猎,朝狐狸开枪,"砰"地一声枪响之后猎人死了。狐狸叉着腰,冷笑一声:
"没想到吧,我是反射弧。"好不好笑, 有没有感觉一哆嗦,大脑更清晰了。ฅ՞•ﻌ•՞ ต

sUvcu5rgSeAmJQCfdXtEMKIB91Lj3niOo4hyV0b/2azpx8HqZP6wk7GNlTFYDR+W疑似换表base64(其实不太能想到)

然后我们考虑提取这些图片的高度,将高度作为8进制数转为10进制,再通过ASCII码转为字符。

py 复制代码 
for i in range(4703):
    image_path = path + f"\{i + 1}.png"
    image = Image.open(image_path)
    height = image.size[1]  # 0是宽度,1是高度
    height_data = height_data + chr(int(str(height), 8))
print(height_data)

得到:

复制代码 
74 82 70 84 67 53 83 70 71 53 83 85 52 83 84 86 72 66 84 84 67 82 50 83 75 86 83 69 50 78 75 86 73 85 89 70 67 83 50 77 79 86 70 85 87 77 76 76 71 86 75 87 73 84 75 76 74 90 83 69 50 78 75 86 77 82 70 85 87 89 51 69 74 85 51 86 75 90 67 78 71 86 75 85 50 83 75 81 77 78 88 69 50 87 67 86 77 82 71 84 75 86 75 78 77 77 50 88 77 82 75 76 71 69 50 85 83 53 83 69 79 70 87 84 77 82 68 82 78 90 86 84 79 53 76 78 71 90 67 71 89 87 68 86 79 86 89 85 71 53 75 89 75 86 87 84 77 82 68 82 77 82 66 71 52 90 68 78 71 90 74 69 52 84 76 87 73 82 89 87 73 84 74 86 79 86 87 84 77 85 83 79 77 82 71 88 75 52 76 79 78 77 50 86 75 51 74 87 73 82 87 71 73 84 74 86 77 82 87 84 77 85 83 86 74 86 51 70 69 86 76 69 74 85 50 88 75 90 67 67 78 90 75 87 73 84 74 86 74 90 83 69 50 78 75 86 78 90 86 84 79 86 76 69 74 85 50 86 67 87 68 86 71 86 75 85 75 84 76 69 79 70 87 84 77 82 68 77 77 82 71 84 75 86 75 89 79 85 51 88 73 82 74 87 75 74 75 71 73 84 74 86 75 86 83 71 69 79 68 81 78 74 50 85 87 87 67 76 71 66 50 87 87 84 68 67 79 85 51 69 87 81 82 81 74 82 67 88 75 87 68 70 77 82 66 68 73 78 76 74 71 86 88 69 85 83 82 80 77 70 69 85 87 53 84 89 79 70 70 69 69 87 67 84 79 82 71 86 81 83 66 82 78 78 74 72 75 83 50 72 75 82 68 88 73 86 83 83 79 86 69 88 69 53 74 87 78 74 71 87 67 87 67 76 73 74 73 88 65 84 66 88 78 90 86 85 89 81 82 82 79 86 73 86 77 77 68 78 79 82 70 87 75 82 50 74 79 74 70 85 50 83 50 74 71 66 76 69 75 84 75 81 79 70 71 85 52 85 75 71 74 78 50 70 69 85 67 78 75 89 50 69 81 81 75 79 75 86 70 85 50 84 74 86 76 66 88 69 83 83 51 78 77 81 88 86 77 78 90 90 75 89 50 85 81 84 74 80 77 86 83 85 50 83 50 82 73 78 85 88 75 77 76 86 75 70 67 87 54 52 75 76 74 77 90 88 79 50 74 86 74 78 69 71 73 54 74 81 79 53 71 68 75 86 74 87 79 81 51 84 65 77 83 76 74 86 70 70 85 50 83 78 71 65 89 87 52 89 50 89 77 70 71 87 87 85 83 73 78 74 50 87 89 53 51 69 71 65 52 87 89 84 74 87 72 66 52 71 83 90 50 76 74 73 52 87 69 78 68 87 74 81 51 84 75 84 66 84 71 53 76 69 52 53 68 72 74 78 83 85 85 76 90 86 79 66 70 70 77 77 74 83 74 78 50 85 50 78 83 82 77 52 89 84 83 79 75 87 77 69 90 69 89 78 51 66 79 81 52 85 75 90 76 68 78 70 71 86 81 52 83 78 74 78 73 85 85 79 74 88 78 90 51 70 67 50 51 79 79 74 70 88 79 78 76 90 75 70 69 84 81 77 84 79 73 52 51 86 71 83 75 78 75 66 75 84 67 86 83 81 73 78 85 87 69 78 67 76 71 70 68 87 67 89 84 74 74 85 50 71 73 83 76 72 71 82 51 84 71 52 83 82 73 77 90 85 69 83 50 89 78 90 68 84 65 77 68 85 74 85 89 69 75 84 74 81 71 86 52 69 83 54 74 82 78 86 70 87 71 77 67 85 74 73 51 88 75 78 50 78 75 90 52 69 52 53 67 72 71 66 50 68 71 89 84 66 75 70 77 72 83 51 51 88 73 86 72 71 75 54 75 70 79 52 89 84 67 81 50 67 71 82 90 71 52 86 83 89 73 70 73 87 69 54 68 88 73 78 90 69 87 52 66 84 73 53 81 85 67 50 76 83 71 53 76 69 83 86 84 79 73 70 50 69 52 89 75 84 71 77 51 84 73 86 67 75 77 73 89 84 69 51 75 72 74 77 88 88 73 89 51 80 73 53 50 69 75 51 84 86 78 70 90 69 87 89 75 78 79 53 76 71 87 50 83 67 75 90 89 69 75 53 90 85 78 81 90 88 75 79 68 88 76 66 67 87 52 77 74 82 75 90 70 86 65 90 67 76 75 77 51 68 83 89 82 89 75 66 88 69 52 78 67 73 74 74 86 84 69 52 75 70 75 90 73 84 65 50 75 74 77 82 51 85 87 81 82 85 77 70 85 87 69 78 68 87 74 74 72 70 67 78 68 78 78 78 74 70 71 77 90 88 77 69 88 88 73 89 84 66 75 66 73 85 50 90 74 80 74 73 88 86 67 83 75 89 79 73 50 72 85 53 68 72 75 77 51 85 83 82 74 90 79 70 71 83 54 52 50 79 71 70 68 86 81 85 51 74 71 65 89 85 87 50 84 88 71 82 65 85 83 53 75 69 75 66 88 69 50 50 50 50 74 82 84 84 71 52 66 82 73 85 50 84 77 79 75 78 71 74 51 85 67 84 82 86 73 90 86 69 83 87 67 78 78 90 82 85 87 86 83 76 74 85 50 69 77 53 67 79 74 77 51 86 67 53 90 82 77 82 88 68 65 51 90 88 78 70 67 84 75 87 67 75 74 90 73 87 77 77 76 68 71 82 69 87 85 81 84 80 74 90 85 88 83 77 66 88 78 70 84 86 81 83 67 76 73 73 90 86 73 50 84 67 78 82 73 69 75 50 50 76 71 90 69 87 69 85 84 77 74 85 50 87 67 90 74 90 74 86 52 70 85 50 83 74 77 86 68 70 81 86 82 88 71 70 70 71 87 85 66 89 74 74 90 71 52 54 67 89 71 85 89 72 83 87 66 80 71 85 52 69 87 89 82 81 74 70 86 71 69 77 76 76 78 86 86 84 83 52 75 78 79 81 52 68 75 83 83 72 76 65 89 68 71 82 74 86 78 66 70 85 83 78 75 70 78 90 72 68 73 50 67 70 79 85 51 85 50 77 50 78 77 70 87 85 71 83 75 83 77 70 77 71 87 78 50 87 71 77 51 84 65 79 66 84 70 52 50 69 69 90 68 67 72 70 87 70 81 84 76 77 79 65 90 85 87 86 74 85 78 70 66 68 83 84 83 76 77 78 74 88 65 84 66 87 75 73 51 70 81 89 90 82 71 90 88 71 87 79 68 67 71 78 68 84 83 78 90 82 75 90 74 68 81 90 67 78 71 86 75 87 73 84 74 86 71 86 86 72 75 77 75 78 74 81 51 86 67 78 50 78 74 69 51 87 71 90 66 87 79 78 88 84 67 52 82 86 78 77 52 85 75 89 76 66 78 74 69 84 75 76 90 82 79 82 74 70 85 50 84 67 71 78 77 84 83 89 82 86 79 52 89 85 75 79 76 76

我们再将它们作为十进制数转化为字符:

py 复制代码 
ascii_list = height_data.split(" ")
data = ''
for j in ascii_list:
    data = data + chr(int(j))
print(data)

得到:

复制代码 
JRFTC5SFG5SU4STVHBTTCR2SKVSE2NKVIUYFCS2MOVFUWMLLGVKWITKLJZSE2NKVMRFUWY3EJU3VKZCNGVKU2SKQMNXE2WCVMRGTKVKNMM2XMRKLGE2US5SEOFWTMRDRNZVTO5LNGZCGYWDVOVYUG5KYKVWTMRDRMRBG4ZDNGZJE4TLWIRYWITJVOVWTMUSOMRGXK4LONM2VK3JWIRWGITJVMRWTMUSVJV3FEVLEJU2XKZCCNZKWITJVJZSE2NKVNZVTOVLEJU2VCWDVGVKUKTLEOFWTMRDMMRGTKVKYOU3XIRJWKJKGITJVKVSGEODQNJ2UWWCLGB2WWTDCOU3EWQRQJRCXKWDFMRBDINLJGVXEUSRPMFEUW5TYOFFEEWCTORGVQSBRNNJHKS2HKRDXIVSSOVEXE5JWNJGWCWCLIJIXATBXNZVUYQRROVIVMMDNORFWKR2JOJFU2S2JGBLEKTKQOFGU4UKGJN2FEUCNKY2EQQKOKVFU2TJVLBXESS3NMQXVMNZZKY2UQTJPMVSU2S2RINUXKMLVKFCW64KLJMZXO2JVJNEGI6JQO5GDKVJWOQ3TAMSLJVFFU2SNGAYW4Y2YMFGWWUSINJ2WY53EGA4WYTJWHB4GSZ2LJI4WENDWJQ3TKTBTG5LE45DHJNSUULZVOBFFMMJSJN2U2NSRM4YTSOKWMEZEYN3BOQ4UKZLDNFGVQ4SNJNIUUOJXNZ3FC23OOJFXONLZKFETQMTOI43VGSKNKBKTCVSQINUWENCLGFDWCYTJJU2GISLHGR3TG4SRIMZUES2YNZDTAMDUJUYEKTJQGV4ES6JRNVFWGMCUJI3XKN2NKZ4E45CHGB2DGYTBKFMHS33XIVHGK6KFO4YTCQ2CGRZG4VSYIFIWE6DXINZEW4BTI5QUC2LSG5LESVTOIF2E4YKTGM3TIVCKMIYTE3KHJMXXIY3PI52EK3TVNFZEWYKNO5LGW2SCKZYEK5ZUNQZXKODXLBCW4MJRKZFVAZCLKM3DSYRYKBXE4NCIJJVTE4KFKZITA2KJMR3UWQRUMFUWENDWJJHFCNDNNNJFGMZXMEXXIYTBKBIU2ZJPJIXVCSKYOI2HU5DHKM3USRJZOFGS642OGFDVQU3JGAYUW2TXGRAUS5KEKBXE2222JRTTG4BRIU2TMOKNGJ3UCTRVIZVESWCNNZRUWVSLJU2EM5COJM3VC5ZRMRXDA3ZXNFCTKWCKJZIWMMLDGREWUQTPJZUXSMBXNFTVQSCLIIZVI2TCNRIEK22LGZEWEUTMJU2WCZJZJV4FU2SJMVDFQVRXGFFGWUBYJJZG46CYGUYHSWBPGU4EWYRQJFVGEMLLNVVTS4KNOQ4DKSSHLAYDGRJVNBFUSNKFNZHDI2CFOU3U2M2NMFWUGSKSMFMGWN2WGM3TAOBTF42EEZDCHFWFQTLMOAZUWVJUNFBDSTSLMNJXATBWKI3FQYZRGZXGWODCGNDTSNZRKZJDQZCNGVKWITJVGVVHKMKNJQ3VCN2NJE3WGZBWONXTC4RVNM4UKYLBNJETKLZRORJFU2TCGNMTSYRVO4YUKOLL

疑似base32,然后用换表base64解出:

复制代码 
iVBORw0KGgoAAAANSUhEUgAAAEwAAAAUCAMAAAAQlCuDAAAAP1BMVEX/////wMD//8DA/8DA///AwP//wP//AAD//wAA/wAA//8AAP//AP/AAADAwAAAwAAAwMAAAMDAAMD///8AAADMRO/yAAABkklEQVQ4ja2UyZLDIAxExWL2zVT+/1tHIDngODWnvJODXa2mJQUskkWtivD6IKIRvXeTUidMLoSszU/qRHn+pUQAQueKBy5bAnRrIQSNxFD58/UW3xUnB9shPrKYhUC0mIYt4iSOnlN3BV8S+lxuLbhBkQZsY7HuI2qk2FhTE24vXbJhkZRa2CyDFQSLcWB7GFW1c5khwmHYLAfLNzhUgjfyHPXxspcNquQwieIISRQlZ6KT9y3Q5RK7KiRrjMF83OrcO6Y9xFvDJ6k38eksjJxmdZGJKzHsXy2fh/egH86I7DxeiS94my+O8xpKsE7YfEqAR2bkqwxn3J/NCeyd3UxizhB3sa/OHsZgJjq5Bg2sVDhjHr5Y6/Rp7gdHzVUo8JXO1uM0hw+e1raJ3+qzmdTt5dUHzKuu76PvX5y1Q3sOd8Vmx7z9uxtnUw9nn1OErZoxPZIaK0mbzFMY3Lm0glDYcFqmViVnft/F/Q+E3deq1bUaSwxbLMTqJK9oiGMdsYmrxWBf8EN+qPayv7T2+k/rD6rwKfsf5fOmAAAAAElFTkSuQmCC  data:image/png;base64

提示png、base64

然后再用base64解一遍:

cyberchef显示得到一张图片,保存下来,用npiet在线解得:

终于得到了flag

附完整exp:

py 复制代码 
from Crypto.Util.number import *
from PIL import Image
import os

bin_str = ''
height_data = ''
path = r"D:\qq文件\pintu_26914c79abf08a72af534387e23ffdf6\pintu"
for i in range(4703):
    image_path = path + f"\{i + 1}.png"
    image = Image.open(image_path)
    height = image.size[1]  # 0是宽度,1是高度
    height_data = height_data + chr(int(str(height), 8))
    pixel = image.getpixel((0, 0))  # 获取(0,0)位置的像素
    if pixel == (0, 0, 0):
        bin_str = bin_str + '0'
    else:
        bin_str = bin_str + '1'
print(bin_str)
print(long_to_bytes(int(bin_str,2)).decode('utf-8'))
print(height_data)
ascii_list = height_data.split(" ")
data = ''
for j in ascii_list:
    data = data + chr(int(j))
print(data)
  • 总结:pintu这个题目名太过于误导,后续的换表base也不好想到,考验对数据的处理和分析,是一道misc难题
相关推荐
诗人不说梦^3 天前
[RootersCTF2019]I_<3_Flask
web·ctf
爱隐身的官人3 天前
cfshow-web入门-php特性
python·php·ctf
爱隐身的官人4 天前
ctfshow - web - nodejs
前端·nodejs·ctf
诗人不说梦^6 天前
[CISCN2019 总决赛 Day2 Web1]Easyweb
web·ctf
Bruce_Liuxiaowei9 天前
基于BeEF的XSS钓鱼攻击与浏览器劫持实验
前端·网络安全·ctf·xss
小小小CTFER10 天前
NSSCTF每日一题_Web_[SWPUCTF 2022 新生赛]奇妙的MD5
ctf
爱隐身的官人11 天前
Web知识的总结
web安全·ctf
诗人不说梦^11 天前
[SWPUCTF 2018]SimplePHP
web·ctf
Chen--Xing12 天前
宁波市第八届网络安全大赛 -- Crypto -- WriteUp
ctf·crypto·宁波市第八届网络安全大赛
clover_pro12 天前
扩展中国剩余定理脚本(恢复密文c)
学习·ctf
热门推荐
01UV安装并设置国内源02GitHub 镜像站点03conda中设置镜像地址(附所有可换的地址)04KGG转MP3工具|非KGM文件|解密音频05A股预测还能更准?开源大模型Kronos带你跑通预测+回测全流程06UV 工具安装与国内镜像源配置指南07突破百度网盘的下载限速,两种方法教会你【超详细】0846个Nano-banana 精选提示词,持续更新中09Spec-Kit 使用指南10保姆级教程:手把手教你用Dify实现完美多轮对话(附Chatflow和提示词)