picoCTF 2018 – Forensics 下

題目: LoadSomeBits

圖片下載下來看起來就是很普通圖片

加減還是分析一下

root@hackercat:~/CTF/picoCTF2018/Forensics/LoadSomeBits# file pico2018-special-logo.bmp 
pico2018-special-logo.bmp: PC bitmap, Windows 98/2000 and newer format, 1200 x 630 x 24Code language: PHP (php)

想說用StegSolve分析看看 結果出現error

看了一下bmp的magic number是42 4D沒有錯

仔細再看看hint

(1) Look through the Least Significant Bits for the image 
(2) If you interpret a binary sequence (seq) as ascii and then try interpreting the same binary sequence from an offset of 1 (seq[1:]) as ascii do you get something similar or completely different?Code language: JavaScript (javascript)

突然看到題目想起來?! 難道是LSB
LSB隱寫
:::success
文件是由bytes組成 每個byte是8bits
譬如 10101100 (最後一個0就被稱為LSB)
1st digit is MSB and Last digit is LSB

改變LSB(最低有效位元)並不能使值發生很大的變化
譬如
10101100 (base 2)== 172 (base 10)
將LSB改成1
10101101 (base 2)== 173 (base 10)
:::

不過看懂原理了其實還是不知道怎麼實作 = =”

:::warning
Python位運算符:
位運算符作用於位和位操作執行位。
假設,如果a =60;且b =13;現在以二進製格式它們將如下:
a = 0011 1100
b = 0000 1101
(a & b) = 12 即 0000 1100
也就是只有遇到1跟1才會留下1
其他都是0
:::

寫個程式
把每個bytes的最低位元取出來

import binascii
import time
data = open('pico2018-special-logo.bmp','rb').read()
s = ''
for d in data:
    # print('d: ',d)
    # print('ord(d): ', ord(d))
    # print('str(ord(d)): ', str(ord(d)))
    s += str((ord(d)) & 1)
    # time.sleep(3)
    # print(s)
for it in range(16):
    ss = ''
    try:
        ss = binascii.unhexlify('%x' % int(s[:-it], 2))
    except:
        pass

    if 'pico' in ss:
        print ss[ss.find('pico') : ss.find('pico') + 60] 
        breakCode language: PHP (php)

得到flag
picoCTF{st0r3d_iN_tH3_l345t_s1gn1f1c4nT_b1t5_882756901}

上面程式目前還是搞不懂為什麼要offset range(16)

工具整理
工具
eog,feh (terminal下開啟圖片,這兩個都可以用apt安裝)
file (簡單查看檔案資訊,檔案類型)
exiftool (apt安裝)
binwalk
foremost
fdisk
fsck
testdisk
zsteg (github資源)
xxd, hexedit, bvi (hex模式)
Stegsolve(GUI介面的,用java寫的)
StegDetect(針對jpg windows的)
Stegosuite(也是用java寫的)(https://stegosuite.org/)
各式各樣的hex editor
https://www.ubuntupit.com/best-linux-hex-editor-top-20-linux-hex-viewers-editors/

發佈留言