LitCTF 2025 Misc 部分

最近其他的吃多了 倒感觉LitCTF的misc眉清目秀的

Cropping

先是压缩包伪加密修复

拼图即可

magick montage *.png -tile 10x10 -geometry +0+0 flag.png

LitCTF{e7c3f4b2-9a6f-4d3f-9f98-0b3db91c2a12}

像素中的航班

Osint题 小李要去参加长城杯了，他乘坐的哪趟航班？ 长城杯决赛在福州 时间为4.28

图片中的信息是中国南方航空

https://www.flightera.net/zh/airport/Fuzhou/ZSFZ/arrival

在这个网站，过滤南方航空，从4.27一个个往前找，最后找到是在4.26的航空CZ8289

LitCTF{CZ8289}

灵感菇🍄哩菇哩菇哩哇擦灵感菇灵感菇🍄

灵感菇编码

探姬的项目https://github.com/ProbiusOfficial/Lingicrypt

消失的文字

将流量包用neta梭哈一下得到压缩包密码868F-83BD-FF

解压后得到一个文档，叫做hidden-word，用https://hidden-word.top/解密得到flag

洞妖洞妖

附件给了一个ppt，改zip解压后发现在ppt目录中有一个vbaProject.bin，是宏代码，用olevba .\vbaProject.bin看看具体执行了什么

大概就是用换表base64做了一些编码和加密，给了密文，需要写脚本解出明文，但是这里的字符表没给，那么需要去找一下

olevba 0.60.2 on Python 3.9.1 - http://decalage.info/python/oletools
===============================================================================
FILE: .\vbaProject.bin
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO 模块1.bas 
in file: .\vbaProject.bin - OLE stream: 'VBA/模块1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Sub hgf()
Sub CustomEncode()
    Dim inputString As String
    inputString = "*******"

    Dim encodedString As String
    encodedString = CustomEncode(inputString)

    MsgBox "自定义编码结果为: " & vbCrLf & encodedString
End Sub

Function CustomEncode(inputString As String) As String
    Dim charSet As String
    charSet = "*******************"

    Dim byteArray() As Byte
    byteArray = StrConv(inputString, vbFromUnicode)

    Dim encodedString As String
    encodedString = ""
    Dim i As Integer
    Dim n As Long
    For i = 1 To LenB(byteArray) Step 3
        n = 0
        n = (n Or (ByteToInt(MidB(byteArray, i, 1)) << 16))
        If i + 1 <= LenB(byteArray) Then
            n = (n Or (ByteToInt(MidB(byteArray, i + 1, 1)) << 8))
        End If
        If i + 2 <= LenB(byteArray) Then
            n = (n Or ByteToInt(MidB(byteArray, i + 2, 1)))
        End If

        encodedString = encodedString & Mid(charSet, (n >> 18) + 1, 1)
        encodedString = encodedString & Mid(charSet, ((n >> 12) And &H3F) + 1, 1)
        If (i + 1) <= LenB(byteArray) Then
            encodedString = encodedString & Mid(charSet, ((n >> 6) And &H3F) + 1, 1)
        Else
            encodedString = encodedString & "="
        End If
        If (i + 2) <= LenB(byteArray) Then
            encodedString = encodedString & Mid(charSet, (n And &H3F) + 1, 1)
        Else
            encodedString = encodedString & "="
        End If
    Next i

    CustomEncode = encodedString
End Function

Function ByteToInt(byteVal As Byte) As Long
    ByteToInt = CLng(byteVal)
End Function
End Function
"5uESz7on4R8eyC//"

后面发现在幻灯片浏览中发现后面的页面的帧间隔都是0和1，猜到是ppt帧间隔隐写

让ai搓个脚本，提取一下xml中的持续时间

import os
import re

def extract_unique_advTm_per_file(directory, output_file):
    advTm_pattern = re.compile(r'advTm="(.*?)"')
    results = []

    for i in range(1, 457):  # slide1.xml 到 slide456.xml
        file_name = f'slide{i}.xml'
        file_path = os.path.join(directory, file_name)
        try:
            with open(file_path, 'r', encoding='utf-8') as f:
                content = f.read()
                matches = advTm_pattern.findall(content)
                unique_matches = sorted(set(matches))
                if unique_matches:
                    results.append(f"{', '.join(unique_matches)}")
        except FileNotFoundError:
            print(f'{file_path} not found. Skipping.')
        except Exception as e:
            print(f'Error reading {file_path}: {e}')

    with open(output_file, 'w', encoding='utf-8') as f_out:
        for line in results:
            f_out.write(line + '\n')

if __name__ == '__main__':
    directory = './slides'  # <<< 修改为你的目录路径
    output_file = 'result.txt'
    extract_unique_advTm_per_file(directory, output_file)
    print(f'Done. Results saved to {output_file}')

然后丢给厨子 7位二进制转字符即可得到字符表，

然后再让ai写个解密脚本即可解出密码

import sys

# Custom Base64-like decoder based on provided VBA code

def custom_decode(encoded: str, charSet: str) -> bytes:
    """
    Decode a string encoded with the custom Base64-like algorithm.

    :param encoded: The encoded string (may include '=' padding).
    :param charSet: A 64-character alphabet used for encoding.
    :return: Decoded bytes.
    """
    decoded = bytearray()
    # Process each 4-character block
    for i in range(0, len(encoded), 4):
        block = encoded[i:i+4]
        # Build the 24-bit number
        num = 0
        for ch in block:
            num <<= 6
            if ch != '=':
                idx = charSet.find(ch)
                if idx == -1:
                    raise ValueError(f"Character '{ch}' not found in charSet")
                num |= idx
        # Extract original bytes
        byte1 = (num >> 16) & 0xFF
        byte2 = (num >> 8) & 0xFF
        byte3 = num & 0xFF
        decoded.append(byte1)
        if block[2] != '/':
            decoded.append(byte2)
        if block[3] != '/':
            decoded.append(byte3)
    return bytes(decoded)


def main():
    # Example usage
    # Replace with actual 64-character alphabet used in your VBA charSet
    charSet = 'CEdcwvZuNmlkJtsrqaV93=7Bzyx654YXWFp0n+MLKjiHgfDAbUeTSORQPoIhG821/'
    encoded_str = '5uESz7on4R8eyC//'

    try:
        decoded_bytes = custom_decode(encoded_str, charSet)
        # Adjust decoding as needed (e.g., utf-8, latin-1)
        try:
            decoded_str = decoded_bytes.decode('utf-8')
        except UnicodeDecodeError:
            decoded_str = decoded_bytes.decode('latin-1')
        print(f"Decoded result: {decoded_str}")
    except Exception as e:
        print(f"Error during decoding: {e}", file=sys.stderr)


if __name__ == '__main__':
    main()

ppt的末尾还藏了个逆转加密压缩包，提取出来翻转一下

然后将得到的密码解压加密压缩包，然后，打开文档，把图片删了然后全选改颜色发现flag