20190425 Progress


Forensics1

Open the file in Wireshark and analyze the HTTP traffic.


The transferred content turns out to be a PNG image.


The PNG file signature is 8950 4e47 0d0a 1a0a, so the image is the part of the raw data that begins with 8950 4e47 0d0a 1a0a; cut out that part.


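After extracting the image portion from the raw data, process it by first saving the data in PNG format:

import binascii
f = open('pc.png', 'wb')  # open the file in binary write mode
s = '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'  # hex string of the extracted image portion
f.write(binascii.unhexlify(s))  # convert the hex string to raw bytes and write them out
f.close()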

The flag is shown in the image.



Invisible flag

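After opening the image, it turns out to be too short, so the content is not fully displayed. Inspecting it in 010 Editor shows the image's hexadecimal layout.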


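After the PNG file signature, the next part is the IHDR chunk:

0000 000d is the length of the IHDR chunk

4948 4452 is the IHDR identifier

0000 0234 is the image width

0000 0190 is the image height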

The image is 564*400. Trying TweakPNG to change the image height to 564 reveals the flag.
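The same IHDR edit can be done in Python, shown here as an added example that is not part of the original write-up: it reads the width and height at the offsets listed above, rewrites the height, and recomputes the IHDR CRC so strict decoders accept the file. It goes one step beyond the text by counting the rows actually stored in IDAT instead of guessing a height. The function names and the tiny sample image are constructed for illustration, and stored_rows assumes an 8-bit grayscale, non-interlaced image.

```python
import struct
import zlib

PNG_SIG = b'\x89PNG\r\n\x1a\n'  # 8950 4e47 0d0a 1a0a

def chunk(ctype, data):
    """Build one chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xffffffff
    return struct.pack('>I', len(data)) + ctype + data + struct.pack('>I', crc)

def read_ihdr(png):
    """Return (width, height, crc_ok) from the IHDR chunk after the signature."""
    if png[:8] != PNG_SIG or png[12:16] != b'IHDR':
        raise ValueError('not a PNG with a leading IHDR chunk')
    width, height = struct.unpack('>II', png[16:24])
    stored_crc = struct.unpack('>I', png[29:33])[0]
    return width, height, stored_crc == (zlib.crc32(png[12:29]) & 0xffffffff)

def set_height(png, new_height):
    """Return a copy with the IHDR height replaced and the IHDR CRC recomputed."""
    read_ihdr(png)  # raises if the layout is not what we expect
    ihdr_data = png[16:20] + struct.pack('>I', new_height) + png[24:29]
    return PNG_SIG + chunk(b'IHDR', ihdr_data) + png[33:]

def stored_rows(png):
    """Count scanlines present in IDAT (assumes 8-bit grayscale, non-interlaced)."""
    width, _, _ = read_ihdr(png)
    pos, idat = 8, b''
    while pos < len(png):
        length, ctype = struct.unpack('>I4s', png[pos:pos + 8])
        if ctype == b'IDAT':
            idat += png[pos + 8:pos + 8 + length]
        pos += 12 + length  # length field + type + data + CRC
    return len(zlib.decompress(idat)) // (1 + width)  # 1 filter byte per row

def make_sample():
    """Constructed sample: 4 rows of 2 grayscale pixels, IHDR claims height 2."""
    rows = b''.join(b'\x00' + bytes([v, v]) for v in (0, 85, 170, 255))
    ihdr = struct.pack('>IIBBBBB', 2, 2, 8, 0, 0, 0, 0)
    return (PNG_SIG + chunk(b'IHDR', ihdr)
            + chunk(b'IDAT', zlib.compress(rows)) + chunk(b'IEND', b''))

if __name__ == '__main__':
    sample = make_sample()
    print(read_ihdr(sample))                            # declared size
    print(stored_rows(sample))                          # rows really present
    print(read_ihdr(set_height(sample, stored_rows(sample))))
```

A crc_ok value of False on an untouched challenge file is itself a hint that the IHDR dimensions were edited after the image was created.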
