中山市 香山杯2023 Misc pintu

大便题目啊,跟拼图没有半毛钱关系

附件给我们4703张图片,而且给了tip:8->10,且这些图片的宽度都是一样的。

首先我们考虑将黑色图片当作0,白色图片当作1,将这些按编号顺序将这些图片转成二进制串。

py 复制代码
from PIL import Image
bin_str = ''
path = r"D:\qq文件\pintu_26914c79abf08a72af534387e23ffdf6\pintu"
for i in range(4703):
    image_path = path + f"\{i + 1}.png"
    image = Image.open(image_path)
    height = image.size[1]  # 0是宽度,1是高度
    height_data = height_data + chr(int(str(height), 8))
    pixel = image.getpixel((0, 0))  # 获取(0,0)位置的像素
    if pixel == (0, 0, 0):
        bin_str = bin_str + '0'
    else:
        bin_str = bin_str + '1'
print(bin_str)

得到二进制串。

考虑把二进制串转为字节串再用utf-8解码。

py 复制代码
print(long_to_bytes(int(bin_str,2)).decode('utf-8'))

得到:

te 复制代码
flag看到666c是不是特别兴奋,很可惜flag并不在这。(狗头保命),既然走到了这里,那我也给一个通关的关键信息拿去吧,去找到真正的flag吧:sUvcu5rgSeAmJQCfdXtEMKIB91Lj3niOo4hyV0b/2azpx8HqZP6wk7GNlTFYDR+W                                 哎,对了。拿走之前看一看我精心挑选的笑话吧:猎人打猎,朝狐狸开枪,"砰"地一声枪响之后猎人死了。狐狸叉着腰,冷笑一声:
"没想到吧,我是反射弧。"好不好笑, 有没有感觉一哆嗦,大脑更清晰了。ฅ՞•ﻌ•՞ ต

sUvcu5rgSeAmJQCfdXtEMKIB91Lj3niOo4hyV0b/2azpx8HqZP6wk7GNlTFYDR+W疑似换表base64(其实不太能想到)

然后我们考虑提取这些图片的高度,将高度作为8进制数转为10进制,再通过ASCII码转为字符。

py 复制代码
for i in range(4703):
    image_path = path + f"\{i + 1}.png"
    image = Image.open(image_path)
    height = image.size[1]  # 0是宽度,1是高度
    height_data = height_data + chr(int(str(height), 8))
print(height_data)

得到:

复制代码
74 82 70 84 67 53 83 70 71 53 83 85 52 83 84 86 72 66 84 84 67 82 50 83 75 86 83 69 50 78 75 86 73 85 89 70 67 83 50 77 79 86 70 85 87 77 76 76 71 86 75 87 73 84 75 76 74 90 83 69 50 78 75 86 77 82 70 85 87 89 51 69 74 85 51 86 75 90 67 78 71 86 75 85 50 83 75 81 77 78 88 69 50 87 67 86 77 82 71 84 75 86 75 78 77 77 50 88 77 82 75 76 71 69 50 85 83 53 83 69 79 70 87 84 77 82 68 82 78 90 86 84 79 53 76 78 71 90 67 71 89 87 68 86 79 86 89 85 71 53 75 89 75 86 87 84 77 82 68 82 77 82 66 71 52 90 68 78 71 90 74 69 52 84 76 87 73 82 89 87 73 84 74 86 79 86 87 84 77 85 83 79 77 82 71 88 75 52 76 79 78 77 50 86 75 51 74 87 73 82 87 71 73 84 74 86 77 82 87 84 77 85 83 86 74 86 51 70 69 86 76 69 74 85 50 88 75 90 67 67 78 90 75 87 73 84 74 86 74 90 83 69 50 78 75 86 78 90 86 84 79 86 76 69 74 85 50 86 67 87 68 86 71 86 75 85 75 84 76 69 79 70 87 84 77 82 68 77 77 82 71 84 75 86 75 89 79 85 51 88 73 82 74 87 75 74 75 71 73 84 74 86 75 86 83 71 69 79 68 81 78 74 50 85 87 87 67 76 71 66 50 87 87 84 68 67 79 85 51 69 87 81 82 81 74 82 67 88 75 87 68 70 77 82 66 68 73 78 76 74 71 86 88 69 85 83 82 80 77 70 69 85 87 53 84 89 79 70 70 69 69 87 67 84 79 82 71 86 81 83 66 82 78 78 74 72 75 83 50 72 75 82 68 88 73 86 83 83 79 86 69 88 69 53 74 87 78 74 71 87 67 87 67 76 73 74 73 88 65 84 66 88 78 90 86 85 89 81 82 82 79 86 73 86 77 77 68 78 79 82 70 87 75 82 50 74 79 74 70 85 50 83 50 74 71 66 76 69 75 84 75 81 79 70 71 85 52 85 75 71 74 78 50 70 69 85 67 78 75 89 50 69 81 81 75 79 75 86 70 85 50 84 74 86 76 66 88 69 83 83 51 78 77 81 88 86 77 78 90 90 75 89 50 85 81 84 74 80 77 86 83 85 50 83 50 82 73 78 85 88 75 77 76 86 75 70 67 87 54 52 75 76 74 77 90 88 79 50 74 86 74 78 69 71 73 54 74 81 79 53 71 68 75 86 74 87 79 81 51 84 65 77 83 76 74 86 70 70 85 50 83 78 71 65 89 87 52 89 50 89 77 70 71 87 87 85 83 73 78 74 50 87 89 53 51 69 71 65 52 87 89 84 74 87 72 66 52 71 83 90 50 76 74 73 52 87 69 78 68 87 74 81 51 84 75 84 66 84 71 53 76 69 52 53 68 72 74 78 83 85 85 76 90 86 79 66 70 70 77 77 74 83 74 78 50 85 50 78 83 82 77 52 89 84 83 79 75 87 77 69 90 69 89 78 51 66 79 81 52 85 75 90 76 68 78 70 71 86 81 52 83 78 74 78 73 85 85 79 74 88 78 90 51 70 67 50 51 79 79 74 70 88 79 78 76 90 75 70 69 84 81 77 84 79 73 52 51 86 71 83 75 78 75 66 75 84 67 86 83 81 73 78 85 87 69 78 67 76 71 70 68 87 67 89 84 74 74 85 50 71 73 83 76 72 71 82 51 84 71 52 83 82 73 77 90 85 69 83 50 89 78 90 68 84 65 77 68 85 74 85 89 69 75 84 74 81 71 86 52 69 83 54 74 82 78 86 70 87 71 77 67 85 74 73 51 88 75 78 50 78 75 90 52 69 52 53 67 72 71 66 50 68 71 89 84 66 75 70 77 72 83 51 51 88 73 86 72 71 75 54 75 70 79 52 89 84 67 81 50 67 71 82 90 71 52 86 83 89 73 70 73 87 69 54 68 88 73 78 90 69 87 52 66 84 73 53 81 85 67 50 76 83 71 53 76 69 83 86 84 79 73 70 50 69 52 89 75 84 71 77 51 84 73 86 67 75 77 73 89 84 69 51 75 72 74 77 88 88 73 89 51 80 73 53 50 69 75 51 84 86 78 70 90 69 87 89 75 78 79 53 76 71 87 50 83 67 75 90 89 69 75 53 90 85 78 81 90 88 75 79 68 88 76 66 67 87 52 77 74 82 75 90 70 86 65 90 67 76 75 77 51 68 83 89 82 89 75 66 88 69 52 78 67 73 74 74 86 84 69 52 75 70 75 90 73 84 65 50 75 74 77 82 51 85 87 81 82 85 77 70 85 87 69 78 68 87 74 74 72 70 67 78 68 78 78 78 74 70 71 77 90 88 77 69 88 88 73 89 84 66 75 66 73 85 50 90 74 80 74 73 88 86 67 83 75 89 79 73 50 72 85 53 68 72 75 77 51 85 83 82 74 90 79 70 71 83 54 52 50 79 71 70 68 86 81 85 51 74 71 65 89 85 87 50 84 88 71 82 65 85 83 53 75 69 75 66 88 69 50 50 50 50 74 82 84 84 71 52 66 82 73 85 50 84 77 79 75 78 71 74 51 85 67 84 82 86 73 90 86 69 83 87 67 78 78 90 82 85 87 86 83 76 74 85 50 69 77 53 67 79 74 77 51 86 67 53 90 82 77 82 88 68 65 51 90 88 78 70 67 84 75 87 67 75 74 90 73 87 77 77 76 68 71 82 69 87 85 81 84 80 74 90 85 88 83 77 66 88 78 70 84 86 81 83 67 76 73 73 90 86 73 50 84 67 78 82 73 69 75 50 50 76 71 90 69 87 69 85 84 77 74 85 50 87 67 90 74 90 74 86 52 70 85 50 83 74 77 86 68 70 81 86 82 88 71 70 70 71 87 85 66 89 74 74 90 71 52 54 67 89 71 85 89 72 83 87 66 80 71 85 52 69 87 89 82 81 74 70 86 71 69 77 76 76 78 86 86 84 83 52 75 78 79 81 52 68 75 83 83 72 76 65 89 68 71 82 74 86 78 66 70 85 83 78 75 70 78 90 72 68 73 50 67 70 79 85 51 85 50 77 50 78 77 70 87 85 71 83 75 83 77 70 77 71 87 78 50 87 71 77 51 84 65 79 66 84 70 52 50 69 69 90 68 67 72 70 87 70 81 84 76 77 79 65 90 85 87 86 74 85 78 70 66 68 83 84 83 76 77 78 74 88 65 84 66 87 75 73 51 70 81 89 90 82 71 90 88 71 87 79 68 67 71 78 68 84 83 78 90 82 75 90 74 68 81 90 67 78 71 86 75 87 73 84 74 86 71 86 86 72 75 77 75 78 74 81 51 86 67 78 50 78 74 69 51 87 71 90 66 87 79 78 88 84 67 52 82 86 78 77 52 85 75 89 76 66 78 74 69 84 75 76 90 82 79 82 74 70 85 50 84 67 71 78 77 84 83 89 82 86 79 52 89 85 75 79 76 76

我们再将它们作为十进制数转化为字符:

py 复制代码
ascii_list = height_data.split(" ")
data = ''
for j in ascii_list:
    data = data + chr(int(j))
print(data)

得到:

复制代码
JRFTC5SFG5SU4STVHBTTCR2SKVSE2NKVIUYFCS2MOVFUWMLLGVKWITKLJZSE2NKVMRFUWY3EJU3VKZCNGVKU2SKQMNXE2WCVMRGTKVKNMM2XMRKLGE2US5SEOFWTMRDRNZVTO5LNGZCGYWDVOVYUG5KYKVWTMRDRMRBG4ZDNGZJE4TLWIRYWITJVOVWTMUSOMRGXK4LONM2VK3JWIRWGITJVMRWTMUSVJV3FEVLEJU2XKZCCNZKWITJVJZSE2NKVNZVTOVLEJU2VCWDVGVKUKTLEOFWTMRDMMRGTKVKYOU3XIRJWKJKGITJVKVSGEODQNJ2UWWCLGB2WWTDCOU3EWQRQJRCXKWDFMRBDINLJGVXEUSRPMFEUW5TYOFFEEWCTORGVQSBRNNJHKS2HKRDXIVSSOVEXE5JWNJGWCWCLIJIXATBXNZVUYQRROVIVMMDNORFWKR2JOJFU2S2JGBLEKTKQOFGU4UKGJN2FEUCNKY2EQQKOKVFU2TJVLBXESS3NMQXVMNZZKY2UQTJPMVSU2S2RINUXKMLVKFCW64KLJMZXO2JVJNEGI6JQO5GDKVJWOQ3TAMSLJVFFU2SNGAYW4Y2YMFGWWUSINJ2WY53EGA4WYTJWHB4GSZ2LJI4WENDWJQ3TKTBTG5LE45DHJNSUULZVOBFFMMJSJN2U2NSRM4YTSOKWMEZEYN3BOQ4UKZLDNFGVQ4SNJNIUUOJXNZ3FC23OOJFXONLZKFETQMTOI43VGSKNKBKTCVSQINUWENCLGFDWCYTJJU2GISLHGR3TG4SRIMZUES2YNZDTAMDUJUYEKTJQGV4ES6JRNVFWGMCUJI3XKN2NKZ4E45CHGB2DGYTBKFMHS33XIVHGK6KFO4YTCQ2CGRZG4VSYIFIWE6DXINZEW4BTI5QUC2LSG5LESVTOIF2E4YKTGM3TIVCKMIYTE3KHJMXXIY3PI52EK3TVNFZEWYKNO5LGW2SCKZYEK5ZUNQZXKODXLBCW4MJRKZFVAZCLKM3DSYRYKBXE4NCIJJVTE4KFKZITA2KJMR3UWQRUMFUWENDWJJHFCNDNNNJFGMZXMEXXIYTBKBIU2ZJPJIXVCSKYOI2HU5DHKM3USRJZOFGS642OGFDVQU3JGAYUW2TXGRAUS5KEKBXE2222JRTTG4BRIU2TMOKNGJ3UCTRVIZVESWCNNZRUWVSLJU2EM5COJM3VC5ZRMRXDA3ZXNFCTKWCKJZIWMMLDGREWUQTPJZUXSMBXNFTVQSCLIIZVI2TCNRIEK22LGZEWEUTMJU2WCZJZJV4FU2SJMVDFQVRXGFFGWUBYJJZG46CYGUYHSWBPGU4EWYRQJFVGEMLLNVVTS4KNOQ4DKSSHLAYDGRJVNBFUSNKFNZHDI2CFOU3U2M2NMFWUGSKSMFMGWN2WGM3TAOBTF42EEZDCHFWFQTLMOAZUWVJUNFBDSTSLMNJXATBWKI3FQYZRGZXGWODCGNDTSNZRKZJDQZCNGVKWITJVGVVHKMKNJQ3VCN2NJE3WGZBWONXTC4RVNM4UKYLBNJETKLZRORJFU2TCGNMTSYRVO4YUKOLL

疑似base32,然后用换表base64解出:

复制代码
iVBORw0KGgoAAAANSUhEUgAAAEwAAAAUCAMAAAAQlCuDAAAAP1BMVEX/////wMD//8DA/8DA///AwP//wP//AAD//wAA/wAA//8AAP//AP/AAADAwAAAwAAAwMAAAMDAAMD///8AAADMRO/yAAABkklEQVQ4ja2UyZLDIAxExWL2zVT+/1tHIDngODWnvJODXa2mJQUskkWtivD6IKIRvXeTUidMLoSszU/qRHn+pUQAQueKBy5bAnRrIQSNxFD58/UW3xUnB9shPrKYhUC0mIYt4iSOnlN3BV8S+lxuLbhBkQZsY7HuI2qk2FhTE24vXbJhkZRa2CyDFQSLcWB7GFW1c5khwmHYLAfLNzhUgjfyHPXxspcNquQwieIISRQlZ6KT9y3Q5RK7KiRrjMF83OrcO6Y9xFvDJ6k38eksjJxmdZGJKzHsXy2fh/egH86I7DxeiS94my+O8xpKsE7YfEqAR2bkqwxn3J/NCeyd3UxizhB3sa/OHsZgJjq5Bg2sVDhjHr5Y6/Rp7gdHzVUo8JXO1uM0hw+e1raJ3+qzmdTt5dUHzKuu76PvX5y1Q3sOd8Vmx7z9uxtnUw9nn1OErZoxPZIaK0mbzFMY3Lm0glDYcFqmViVnft/F/Q+E3deq1bUaSwxbLMTqJK9oiGMdsYmrxWBf8EN+qPayv7T2+k/rD6rwKfsf5fOmAAAAAElFTkSuQmCC  data:image/png;base64

提示png、base64

然后再用base64解一遍:

cyberchef显示得到一张图片,保存下来,用npiet在线解得:

终于得到了flag

附完整exp:

py 复制代码
from Crypto.Util.number import *
from PIL import Image
import os

bin_str = ''
height_data = ''
path = r"D:\qq文件\pintu_26914c79abf08a72af534387e23ffdf6\pintu"
for i in range(4703):
    image_path = path + f"\{i + 1}.png"
    image = Image.open(image_path)
    height = image.size[1]  # 0是宽度,1是高度
    height_data = height_data + chr(int(str(height), 8))
    pixel = image.getpixel((0, 0))  # 获取(0,0)位置的像素
    if pixel == (0, 0, 0):
        bin_str = bin_str + '0'
    else:
        bin_str = bin_str + '1'
print(bin_str)
print(long_to_bytes(int(bin_str,2)).decode('utf-8'))
print(height_data)
ascii_list = height_data.split(" ")
data = ''
for j in ascii_list:
    data = data + chr(int(j))
print(data)
  • 总结:pintu这个题目名太过于误导,后续的换表base也不好想到,考验对数据的处理和分析,是一道misc难题
相关推荐
print_Hyon7 天前
【CTF-MISC-音频和视频】分析音频频谱,提取图片中的文件并尝试解码得到rar文件
ctf
print_Hyon7 天前
【CTF-MISC-盲水印】压缩包8字节反转+bkcarck破解压缩包+双图盲水印
ctf
福来阁86号技师7 天前
2026-now 网络安全笔记
网络安全·ctf·awd
print_Hyon8 天前
【CTF-MISC-压缩包】bkcrake通过已知明文文件攻击来破解加密的压缩包
ctf
祁白_1 个月前
PHP回调函数
web安全·php·ctf·代码审计·writeup
Eileen Seligman1 个月前
0CTF/TCTF 2023 OLAPInfra Nashorn RCE + HDFS UDF RCE
大数据·hadoop·hdfs·ctf·rce
qsuperm2 个月前
LitCTF2026WEB
网络安全·ctf
路baby2 个月前
2026第十届御网杯网络安全大赛线上赛 区域赛WP (MISC和Crypto)(详解-思路-脚本)
安全·web安全·网络安全·密码学·ctf·misc·御网杯
沄媪2 个月前
CSRF 跨站请求伪造
前端·ctf·csrf
沄媪2 个月前
XSS 跨站脚本攻击
前端·ctf·xss