Round 1

hide_png

题目给了一张图片，flag就在图片上，不过不太明显，写个python脚本处理一下

from PIL import Image
​
# 打开图像并转换为RGB模式
img = Image.open("./attachments.png").convert("RGB")
​
# 获取图像的宽度和高度
w, h = img.size
print(w, h)
​
# 创建一个新的黑色图像，尺寸与原图相同
flag = Image.new("RGB", (w, h), (0, 0, 0))
​
# 遍历原图像的每一个像素
for i in range(w):
    for j in range(h):
        # 获取当前像素的RGB值
        pixel = img.getpixel((i, j))
​
        # 如果该像素接近白色
        if pixel[0] > 230 and pixel[1] > 230 and pixel[2] > 230:
            # 在新图像中设置对应像素为白色
            flag.putpixel((i, j), (255, 255, 255))
​
# 显示处理后的新图像
flag.show()
​
# 将处理后的图像另存为新图像文件
flag.save("flag.png")

读取后得到flag

YLCTF{a27f2d1a-9176-42cf-a2b6-1c87b17b98dc}

plain_crack

题目给了一个加密的压缩包和一个py脚本

crack.zip内容如下

#info：build.py
# -*- coding:utf8 -*-
​
import pyminizip
from hashlib import md5
import os
​
def create(files, zfile):
    password = os.urandom(15)
    password = md5(password).hexdigest()
    pyminizip.compress_multiple(files,[], zfile, password, 0)
    pass
​
if __name__ == '__main__':
    files = ['build.py','flag.docx']
    zfile = 'crack.zip'
    create(files, zfile)

我们将build.py压缩为zip文件，发现其CRC和加密压缩包里面的build.py一样，可以猜测为明文攻击

使用ARCHPR明文攻击破解key后，得到解密后的压缩包crack_decrypted.zip

打开flag.docx发现一个图片，将图片移开后看到一个假的flag

将flag.docx后缀修改，得到flag.zip，解压后在flag\word\media下发现新的图片，得到flag

pngorzip

题目给了一张png图片，我们尝试多种隐写后使用zsteg发现lsb隐写，图片隐藏着zip文件

接着我们使用StegSolve发现lsb隐写，将压缩包导出来

压缩包是被加密的，注释里面有提示，可能是密码的格式

直接进行掩码攻击爆破出key为 114514giao

解压后得到flag

YLCTF{d359d6e4-740a-49cf-83eb-5b0308f09c8c}

whatmusic

hint1 : 这是桑德拉(Thundra)给她女儿唱的歌

hint2 : flag中字母全为大写并且套上YLCTF

题目给了一个password文件和一个加密的flag文件，思路很明了，直接从password文件下手，先放入010查看

疑似是个图片，但是数据顺序不对，是倒着的16进制，写个脚本修正一下

from binascii import unhexlify
​
def reverse_hex_string(hex_string):
    # 将输入的16进制字符串进行切片，获取每个16进制字符
    hex_digits = [hex_string[i:i+2] for i in range(0, len(hex_string), 2)]
    # 将切片后的列表进行倒序排序
    hex_digits.reverse()
    # 拼接倒序排序后的16进制字符列表，并返回结果
    return ''.join(hex_digits)
​
# 测试功能实现
hex_str = "826042AE444E454900000000C178C8AA70014C000FFF5800006C8B00000D91600001B22C00003645800006C8B00000D91600001B22C00003645800006C8B00000D91600001B22C00003645800006C8B00000D91600001B22C00003645800006C8B00000D91600001B22C00003645800006C8B00000D91600001B22C00003645800006C8B00000D91600001B22C00003645800006C8B00000D91600001B22C00003645800006C8B00000D91600001B22C00003645800006C8B00000D91600001B22C00003645800006C8B00000D91600001B22C00003645800006C8B00000D91600001B22C00003645800006C8B00000D91600001B22C00003645800006C8B00000D91600001B22C00003645800006C8B00000D91600001B22C00003645800006C8B00000D91600001B22C00003645800006C8B00000D91600001B22C00003645800006C8B00000D91600001B22C00003645800006C8B00000D91600001B22C00003645800006C8B00000D91600001B22C00003645800006C8B00000D91600001B22C00003645800006C8B00000D91600001B22C00003645800006C8B00000D91600001B22C00003645800006C8B00000D91600001B21CE000129CEEFF35FE000227B657B9CFFC47F22BD6F26DCCDCF2734BBB60FC26CD84CA07B4F99CAB27AF8C9E1867C4ECABE5759143F2FF133C9CA2F0A26E0766F7691F7559E15F7C2F7835CE5D7CF71E65FD5561267FC51FCC33E74DE7ABAD6F91A2F997AACCED9FA31F3253FD1B6A6F16BC5FAFBFC76CEE7FE7CC65C358F83EE0A70C14EE4F25850DFFC9E3F2C158586153795DE5EEC1AEDD739579EC76E8546E13E7FBA27BF24B0AE9D3298C97BB54665E4A7383B2AB83FF7E70716D74DD8FFD41F7F75CAB2D2FB83BF98C5B8CEDFA72C87E3298C6E8F845A2CD5A6EB9AECB455EF31FEDF753F269E22EAE92DE93C148AD7F31A5FC4ABA6F2CE1DBE12F3FB8D0D59EE7654AD81BF06F9E06F1FBFA131BF6177FC4A776496EF7F558AF755E7CF233D6AFB32DFDA81759E71E5491465AD55CCBEDD16CF9569B6BF6157265588B8DB6462D72DF9EA232133EBCCB2358F23F85E727F0DFD3DDB73C376ED2D5AC69C226E1E37BFDA5976D5652A4084E13752D63AC9F7779359D55B39CDE1655B6CF936D362C82B70B7D6BAC75AE17E1465CA05865962E3D56563AD246531B165FA5CA96AAF80370A379B639BAA569B36030D9F2FA49B64FE65F6611386C5F8CA6320974DEBF2E1DFFA49B1F11757627CD8D32765D74A91FBCE2D3F24534BE7A1D6DC38EB37300B033533AF7F926EBFD5E292952DF4906F9EE78C733713BEF02B75122C961B75D54ACFEA479F9E3E7ABCF5919F3FD456BF9919D35BFBA6AD36924B89CD3F3F6C20316BAEFD23EB1E47D852DB7ABD63CDE3AC75A8E9FEC4DADE5E84FC8F312F86DD5EBADDE9A58C6EFE50EFF87DBFF43537B9BB5629E379B769C1FAC3CCC49BCE22EAE6574EFBE63BAC3E47893E7D48798E86CCD7D83F5E0E9FF97E6ED2A464AED1CD329953F786ED1356879B37CC729A49352A58A659F8A91FAD41FD319FABFBF8629DDD4E9DF862D33FA94B4CBB3772FBC915DD9F26A968AA65D27CF698CF5DDE7CE66D70F556AE662FEDBCA4AB4D9FB4C938B5D77E91F58F23EABF14CFEDB0F4D2A5181C369B56BCEBACDD7E7F3DC9D579A9DBABA75BB8C19F96AAC7FB661F6FFA63DFAB5D6EDBE255C5D3FDDDB74E62E7F8CB09BC6F0E032FC47EE1B2AB838A4F6CC247EF9F64FC1B335F76FE1C97F6E7B709A99B43DDA48CBD7923F9E6D59B555D318BFA949B4FF27CF3E9E2A544AE79589305870A41EFC633F467AFC84FF2FE9CEEE27F6D9EB7868377DF554CBACD6270D6FBEAB6E19EB5BDE14FEBF465CBAAB446DBF619E4E2D703018D39C5FB9CEA6E3E1B343F3DDE4FF957AC791FD974AFD0F07ECC7347B13D3B7949175572DD7E6531FEBAE737966E55939DFC7DE1B335F32FE24A6D7B838AF5E7C2CC679E8CA633886062878FE4D256BDFE7EB3738E1EA997CF8B1FA787AC69EB06FEDD75FD02B9CFC7CB5F713F3E478AD7E61A0D6DDFB7C3B5EF8D14DDFEEFFDB4F47D1CD55EE8863F1F3819EA636E33F77AF21FEC3EB746DA63785AF2775FF305819A6BB459F2F3FBAECB957EA5BAABD63C8FECBAFBFDD1576DD2E95273D19ECDC1FBF41B5C9DDBF32C8E362FEBB668B83AB94F9FE448A67B9B9668CB94D451453F4F77936545167F93E0D99AF953E1CFE1871493AF067E0E4BFB2E595E8B13FD2F39E8CA6324A3DCE28774A89B53DFB9FACCEC3F7F8FD3FDA8F6DB89305865E9737D52BDC27B1B93F7F9352D5252531FF3FA201C8D5D72B11715BF4CA89B4DDB98A98FF9A4B1EE92F96DC52547B83AC75CBEFADA9FEFD8B6EDBCA95A6CF9C0CF5F19F3BBCD258937D375D9A5CACE6BBE85EEEBB7AD2C4FDB86F0B5CB7EB5269BDDEB9BD6EEAE962DDEB1E47ED81EEF8ECD5DB71B81398ECBF27359555B3E52D6D530AEFAE5CA4C7668D36CDD25EB2727EC0D9A9B6E2D93FB9D8FEB2B5F8CA07822786CD1451BCA461B395F21FD7DE7BD9F26BCCBBCB345564DDAD3F0725992A4C02F3F46531ED3C9D63F99F269715F96A4CD6A7FBDFFE269E21CD79E5A9EF9EBDF9961BAA9B6C3504BABF5C7B92C62019ADC59B8F77A699372793F6FFF42A9FBF1779FA3AE8A2E774A5E3DCAF38E6EE45166098FC7CE63D5F78A99C24A9696F8BA32757DB1CD1B6997314FDBF5F45AF1BFD0E9BD5DDEBE3ADDCFBD63C8FCD362FD4B17AE3D54B1381D81B38E6EAF27EE8E677D789A48BAF7F9376A378FAEA9B6F34F5C3ACDD93E7851B1C9F35D1DDB7376B2A554CB99616FD28D245B43DD994C43E7871EE72C758CCDBBFA4F9FB4B10A0660D9CAFA37F54CDBACA969B6A9E3614EC3D624F51FF06C5F8CA9BE285D143B92251972C0A3F2AF32B3EDDB529751D7397B639B6A44D474B1423DBB6BDCE038FDEF25F2A3AC6ECB2D170FE619DB9C3EFE15798FE252C45DD9DFBEEDD5A44E17BE429DBAE559A6DBB7DD34A4D351DD9B2E14BF3DA633D4C67ED32ACA3F69959CDCF7F577152C758DB611AD3F0DB6AF16BC6FFDEB75BC3D3B754DB56F58F23E2BFB1B37455CD36C3AA6F27384DF838BEF1D71F2D67F4915BF7997E5EABF5B378E952F34F5BA2926D36C39EB09BB7952B697AE172ACAA6DABF5C22E5CAAD3665ABCC8BF0928DA5BE2AC8597E2912AF6A7FB18C3672BEA5FD6E5D14DFDA3570E22EAFCAC265F1B2D5C2CF936887CAC26E701EBF5A93293D12CDA9FEED4A9A4F8FE127CD258EEFBF6021E1CB2D15594A9B6350EAF497739FD48DDDF7D64EC9F9352D7676DCEE6EDA51445A10E79338FDD6E9739D2EE72B47DF9A0F17EE80BF7EDB1F1F3D5E7AE1F33FDDF77CE554FF5BB2CB440BF5DB316E0EAF5AD6EBC36D318B5D77E9666FBEDAA92A55BD63C8FBEC395D6F35D8780BBE8B75CFCB3561C54A9B692F9B3755E2FCD257EA520EEB6C03EC75C792BF4F535AB7CDCB345CAF3656B84CB23E86C2CD116AF3E5CE73285BA8CBF6B5576FB9A9A8E962F58CBFDA7AC49BC1B335F2EFE338FEA12D463FA7EF311F81C1F8CB27E3F70E5CAAD362D2710C66199F5663F44D5E793507FCA5F7A64A4B14B1FAECD4AD0F812B0348DC49F31BA7DFBDFDFF15CB9D0D93B09BB6D52C5D36D5F91FA9937E4D49497E269E3893E6AF546197E0AC7E3E7033D64737972792BB5B0C0E482CCAAC9CF5FA2D7EBFB78BDDEA5ABA6DAA1DEB1E47CAD4EB7D36DDDB5F31B6FE7D3AB38759BB29638056EBC15C37BBF99D2DD257E9EB0934373B2B5C26531C589C9EA3ACCDAE983B9CC922B9CABEC9BA4B2AB838B6DCE4A90D99AF857F2EC606BF0FECBF38F8AA573272FE13298FADD2F8E693A313DBA52A4431BA9FED5AF77DA4AD4F3AF31FE34E3FF4BEFAB292A65D24505F31EBECE72BF97A524C87BB352B463B2761B9F7C6ECCAB1D699DFFA97E7EC512FEA64F1F9BA99DFF153E8A67F9F554BC75C780D63C8FD397FAFFA7DF3CCD5F73B9D1F4DB71AFF0D99AF85FF8146C3E999713C7EB11879BB0F17D72E692AF687BB3A6531C7FE363DA890FC84268FCD54AD027F2E64ED8E6DA0BAF339EBDF558938F1FFBBFAA46F34CBB32FE137D78CA99B4DDB9EA074F149136A7FB18FDB0B26FAF9355A6F5D24188DB7A7FBB2747E92C699970E5D949520BFFF547FE5ABD5517DA24526F58EA9F52070CBFFACCBD26A4AD8F25EA7FEF2B9B6144D34FF692B4BBFD563FA6CB2D167CB8E374DE59A32E5DA1F06CCD7D23D4DFE9929238DFEAFF99D87DA28BCFDA255A9E9232D6FD73768AB9C75BBAC7336AE7269E24BE11757A6963E4FEE75CDAAC9B4DB7195D2450EAE5CA96A8170365574A92D7DC6F2F6194914D8B9695A9BB8EFF77646BDA7C735256B8791FE64F1127D6398F62BE63965AB32A6F58F23F6ADCFEF9A3F4CAB22EB9C9965EB77152C4DFF87B7F6BF26AB4DC7FE0FB5235DE24F9C1BC7E92B1FAE54CEAAE589FF0A7D3FE24F986CE57DC9FEF7C2BEFF1C6EECBF62F1BE4E9F6A4BDFBCA9DDF0994C79ED843D3B758EEFBCBB914510FD76695B8A41E3F5A2450E2938EB8F8FD78A65514954DB0F4A4ABAD8A4B3AE3C3A588E4FA5A22D566502FB9AAE459F2B5567AFB5E283BA3D122AACA67B9955D2E50297DBA52AE724C871491E6F850EE67CA568A296A31F75E196DCD8BAB929624F146AE6AD8F6538752EF9C398FD2939D6C91438F3EB1CC6BBB98D4B2CCBE358F23F6AD93CB4514A5E26B9E9DBA2E70702F89143A32E5B4D8B7BF5AEBBAD7739CE7383B9DCA155A2CD2D4DBF2E783FC7B5634F7FBBED3ED0D9E2F953E41B81AFBE4ED5703E6784CA634B6FD70E6B6DB5256A488B3771DD166ED555D97FE9F6BAA0FC2BFFE168A264F09BB52288B02FDD55A248D73980BAABEB2EE75776CDCE0E28776BF295A6F09D53E8A2AD145152CB1E7D63F8C3503455EBAAB44CA6358E19FD52362D5AAA6931840A2B5576FBC9D9E89B168A56B0BE1B395F35FE77B88A28A28A369B1613FB97AF56AF54B549C03E783F8B376AD55C7EEABD55A6C586CE57D600001B22C00003645800006C8B00000D91600001B22C00003645800006C8B00000D91600001B22C00003645800006C8B00000D91600001B22C00003645800006C8B00000D91600001B22C00003645800006C8B00000D91600001B22C00003645800006C8B00000D91600001B22C00003645800006C8B00000D91600001B22C00003645800006C8B00000D91600001B22C00003645800006C8B00000D91600001B22C00003645800006C8B00000D91600001B22C00003645800006C8B00000D91600001B22C00003645800006C8B00000D91600001B22C00003645800006C8B00000D91600001B22C00003645800006C8B00000D91600001B22C00003645800006C8B00000D91600001B22C00003645800006C8B00000D91600001B22C00003645800006C8B00000D91600001B22C00003645800006C8B00000D91600001B22C00003645800006C8B00000D91600001B21D3E000009F4FEFFE0400004E739FFDC7F33B9E3C4EC64EEDB42E7EEDDBAFEEEDD713AFD9DD6CC17B0C89F255145224CCA08F92A0D585952CC2C24B5A141619590B0B3255959482A5811CB310A451452C44F8979FBE1C6DF4EE36EAFDCED9C78544144499F0F00005FB424CA00000002081500000009020000524448490D0000000A1A0A0D474E5089"
reversed_hex_str = reverse_hex_string(hex_str)
print("倒置后的16进制字符串:", reversed_hex_str)
​
# 将字符串转换为字节数据
image_data = unhexlify(reversed_hex_str)
​
# 保存为PNG文件
file_path = 'key.png'
with open(file_path, 'wb') as file:
    file.write(image_data)
​
print(f"PNG文件已保存到: {file_path}")

得到key.png，然后爆破宽高得到input.png

密码是反着的，写个倒置脚本

from PIL import Image
​
# 打开PNG文件
img = Image.open("input.png")
​
# 倒置图像
flipped_img = img.transpose(Image.FLIP_LEFT_RIGHT)
​
# 保存倒置后的图像
flipped_img.save("output.png")

得到新的图片

密码为 PASSWORD:&*asdsaxc141123123xcoaa#

解压后得到flag文件，根据提示桑德拉(Thundra)给她女儿唱的歌，女儿就是lyra，我们将flag后缀修改为flag.lyra

使用bazel将其转为音频后得到flag

YLCTF{YLYRM6S5ICG00ODLL0VE}

乌龟子啦

发现文档中为base字符，直接转图片(Base64解码 Base64编码 UTF8 GB2312 UTF16 GBK 二进制 十六进制 解密 - The X 在线工具)

新的图片都是01字符，我们使用在线网站将内容提取出来(在线文字识别转换 - 免费图片转文字工具OCR - 在线工具系列)

然后写个脚本删去换行符

# 读取文件内容，并删除换行符
with open('key.txt', 'r', encoding='utf-8') as file:
    content = file.read().replace('\n', '')
​
# 将修改后的内容写回到一个新文件
with open('output_file.txt', 'w', encoding='utf-8') as file:
    file.write(content)
​
print("换行符已删除，结果已保存到 output_file.txt")

然后使用随波逐流1,0字符转图片得到一张二维码，扫描后得到flag

YLCTF{f6a6f8cf-c25b-49a8-8f17-c8fbd751faa4}

Round 2

Trace

将给的flag.png放入010查看，发现尾部有多余的数据，看格式像是base64字符串

然后将多余的base数据提取出来，找个在线网站(Base64解码 Base64编码 UTF8 GB2312 UTF16 GBK 二进制 十六进制 解密 - The X 在线工具)转换一下，得到新的rar文件，但是需要密码来解压。题目提示密码是六位数，我们直接使用kali中的john进行破解。

rar2john flag.rar > hash.txt 
john --wordlist=six_num.txt hash.txt   

得到密码后解压得到新的图片

处理后得到flag： YLCTF{ccfe9e2c-391f-4055-a128-c06b65426c83}

听~

将给的音频文件sample.wav文件放入deepsound可以发现，音频中隐藏了一个压缩包secret.zip，可以直接提取出来

然后这个压缩包是加密的，找密码的时候我直接按照常规密码爆破了，最后试出来是五位数：“10117”

用密码解压后得到新的图片

zsteg一下，发现有隐藏信息

直接使用stegsolve，查看通道后筛选有隐写的通道可以发现flag：

YLCTF{1b690589-9f50-49ea-b0b0-da92c10c7e18}

滴答滴

#exp:
def read_from_file(filename):
    # 从文件中读取二进制数据
    with open(filename, 'rb') as file:
        return file.read()

def manchester_to_binary(manchester_data):
    # 将曼切斯特编码的数据转换回二进制字符串
    binary_str = ''
    i = 0
    while i < len(manchester_data):
        if manchester_data[i] == 0 and manchester_data[i+1] ==255:
            binary_str += '0'
        elif manchester_data[i] == 255 and manchester_data[i+1] == 0:
            binary_str += '1'
        i += 2  # 每次处理两个字节
    return binary_str

def binary_to_char(binary_str):
    # 将二进制字符串转换回ASCII字符
    return ''.join([chr(int(binary_str[i:i+8], 2)) for i in range(0, len(binary_str), 8)])

# 示例使用
filename = "attachment"  # 输入文件名
manchester_data = read_from_file(filename)
binary_str = manchester_to_binary(manchester_data)
print(binary_str)
ascii_str = binary_to_char(binary_str)

print(f"解码后的ASCII字符串: {ascii_str}")

# 解码后的ASCII字符串: YLCTF{7d160084-4dd5-4eec-bf1f-12f3ad8c8a6b}

Round 3

Blackdoor

密码就在html/include/include.php中，flag为

YLCTF{e2bae51b981c707eb28302fe22d60340}

Tinted

根据提示利用画图查看RGB的值，提取后如下

import binascii
​
a = ['#040067', '#ff0065', '#ff0072', '#040049', '#ff3c66', '#ff004a', '#ff3c6a', '#ff3c42', '#ff3c52', '#ff3c5a',
     '#ff0066', '#00ff31', '#ff0052', '#040067', '#040062', '#040074', '#ff0052', '#ff004c', '#ff0052', '#ff0039',
     '#ff0054', '#ff0064', '#ff004a', '#ff0075', '#00ff52', '#040063', '#040075', '#040075', '#00ff53', '#00ff74',
     '#ff0057', '#00ff75', '#ff0051', '#040067', '#ff004a', '#ff0074', '#ff0069', '#ff3c5a', '#ff0057', '#00ff39',
     '#ff0054', '#ff0067', '#00ff4a', '#ff3c7a', '#040054', '#ff0064', '#ff0052', '#ff3c76', '#040054', '#ff004c',
     '#ff0069', '#ff0075', '#00ff52', '#040074', '#ff3c62', '#00ff71', '#00ff70', '#00ff62', '#ff0035', '#040035']
res = ''
for i in a:
    # print(i, i[5:])
    res += i[5:]
print(binascii.unhexlify(res))
# b'gerIfJjBRZf1RgbtRLR9TdJuRcuuStWuQgJtiZW9TgJzTdRvTLiuRtbqpb55'

将得到的字符进行base64换表解密后得到flag：

YLCTF{25e1d30c-9141-4784-a3b8-9a99358f4340}

figure

给的figure文件内容为大量的16进制字符串，看着像png的16进制数值，不过是倒置的

我们将16进制数据倒置后得到一个带有坐标的图片

首先把他们都提取出来

1 (52, 50)
2 (83, 115)
3 (102, 120)
4 (82, 68)
5 (121, 86)
6 (76, 122)
7 (106, 77)
8 (112, 84)
9 (69, 106)
10 (74, 99)
11 (102, 105)
12 (106, 84)
13 (105, 107)
14 (119, 120)
15 (78, 71)
16 (101, 106)
17 (71, 120)
18 (66,112)
19 (119, 57)
20 (87,49)
21 (49, 82)
22 (115, 66)
23 (55, 71)
24 (113, 65)
25 (114, 89)
26 (116, 77)
27 (111, 103)
28 (68,84)
29 (88,89)
30 (100, 76)
31 (72, 56)
32 (107, 90)                                                     
33 (109, 102)
34 (85, 101)
35 (104, 51)
36 (85, 109)
37 (81,89)

根据提示hint1 : x1x2x3..xnyn....y3y2y1，可以得到下列数据

52 83 102 82 121 76 106 112 69 74 102 106 105 119 78 101 71 66 119 87 49 115 55 113 114 116 111 68 88 100 72 107 109 85 104 85 81 89 109 51 101 102 90 56 76 89 84 103 77 89 65 71 66 82 49 57 112 120 106 71 120 107  84 105 99 106 84 77 122 86 68 120 115 50

然后10进制转字符得到

4SfRyLjpEJfjiwNeGBwW1s7qrtoDXdHkmUhUQYm3efZ8LYTgMYAGBR19pxjGxkTicjTMzVDxs2

根据提示hint2 : 栅栏 block=13，可以得到栅栏fence解码（13栏）

4jiwrHQZM1GcVSpwWtkY8Y9xjDfEN1ommLApkTxRJesDU3YGxTMsyfG7XheTBjiz2LjBqdUfgR

base58:.XQ1^F\FQ"12&L#BP(LV1,Lak@qT=->V]c!2I&(J@5TksAi*mS11s>
base85:*{r%uL2b2h43hf\_242\cgd2\2bd6\4ba542f4`72gN
ROT47:
YLCTF{a3a9cb97-0aca-485a-a35e-c32dca7c1fa8}

CheckImg

将图片放入StegSolve中查看，在Red 0通道发现隐写

将数值提取出来，发现是png的十六进制数据，但是顺序不对，写个脚本矫正一下

# 读取文件内容，并删除换行符
with open('1.txt', 'r', encoding='utf-8') as file:
    content = file.read().replace('\n', '')
​
# 将修改后的内容写回到一个新文件
with open('input.txt', 'w', encoding='utf-8') as file:
    file.write(content)
​
print("换行符已删除，结果已保存到 input.txt")
​
def reverse_chunks(file_path, output_path):
    with open(file_path, 'r', encoding='utf-8') as file:
        content = file.read()
​
    # 将内容按每四个字符分组
    chunks = [content[i:i + 4] for i in range(0, len(content), 4)]
​
    # 反转每组并拼接
    reversed_content = ''.join(chunk[::-1] for chunk in chunks)
​
    # 将结果写入新的文件
    with open(output_path, 'w', encoding='utf-8') as output_file:
        output_file.write(reversed_content)
​
    return reversed_content
​
​
# 使用示例
file_path = 'input.txt'  # 替换为你的输入文件路径
output_path = 'output.txt'  # 替换为你想要保存的输出文件路径
result = reverse_chunks(file_path, output_path)
print(result)

然后我们将矫正的数据保存为png，得到新的图片后用zsteg查看

得到了一串DNA编码，写个脚本解码一下

src = "GCAGTTCTGCTGGGGGGTGTACTAGAGTGACTCGTTGCAGTTGTATACGCATATCTGGTGGGGGTATCCCTTGATCGTGCACTGTCCTAAGCAGCAGAAGAGTCCCTGGCAGCTCTATAAGATCTTCTAGTGGGGGCTGTAGCAGAGGTTCGGGTTGAGGCTCGTGTCGCAGTTGCACTGTCCGTCTATGTGGCAGTTGACGTGTAAGGTTATTAAGAAGGTGAGGTTGTAGTTGTAGCTGATTATGATCTTGAGGGGGCAGCTGAGTATGCCCTCGAGGCTGCAGACGATGGGTCCCTTGTAGGGGCATAAGATGTTCGTGTGGTAGTCGTAGAGGCACTTGCCGTTGCGGTAGCACTTGCAGCTCTTCTGGAAGTTTATGTTGCAGTTGAACTGGCGGTAGATTAAGATGCGTATCTCGCGGTTGTAGTCGATGCTCTCGTGGGGGGGGTAGAAGAGTGAGCACTGTAGGCTTCCGCCGCATAGTCCCTCCTGGTCGCATAAGCATGACTGCTGGGGGTCGTACTAGAAGATCTCCTTGCGGTGTCCGAGGATCGGTCGCTGCTAGTCGCAGTTGCAGTTGCTCTGTAAGTGTCCCTAGAGCTTGAAGTGTAGGTTGCACGTGAGGGTGATCTGGCGGGTGTAGGTGAGGCTGCACTGTCCGTCGCAGAAGCACGGTATGTGTGCGCGTCCGTGGATGTTCGGGTTCGGGTGGTAGCCGCACTTCTCCTTGCGGGTGCAGAAGATCTTGCGCTCGAGGTCGGTTGA"
mapping = {
    'AAA': 'a', 'AAC': 'b', 'AAG': 'c', 'AAT': 'd', 'ACA': 'e', 'ACC': 'f',
    'ACG': 'g', 'ACT': 'h', 'AGA': '', 'AGC': 'j', 'AGG': 'k', 'AGT': 'l',
    'ATA': 'm', 'ATC': 'n', 'ATG': 'o', 'ATT': 'p', 'CAA': 'q', 'CAC': 'r',
    'CAG': 's', 'CAT': 't', 'CCA': 'u', 'CCC': 'v', 'CCG': 'w', 'CCT': 'x',
    'CGA': 'y', 'CGC': 'z', 'CGG': 'A', 'CGT': 'B', 'CTA': 'C', 'CTC': 'D',
    'CTG': 'E', 'CTT': 'F', 'GAA': 'G', 'GAC': 'H', 'GAG': 'I', 'GAT': 'J',
    'GCA': 'K', 'GCC': 'L', 'GCG': 'M', 'GCT': 'N', 'GGA': 'O', 'GGC': 'P',
    'GGG': 'Q', 'GGT': 'R', 'GTA': 'S', 'GTC': 'T', 'GTG': 'U', 'GTT': 'V',
    'TAA': 'W', 'TAC': 'X', 'TAG': 'Y', 'TAT': 'Z', 'TCA': '1', 'TCC': '2',
    'TCG': '3', 'TCT': '4', 'TGA': '5', 'TGC': '6', 'TGG': '7', 'TGT': '8',
    'TTA': '9', 'TTC': '0', 'TTG': '', 'TTT': '. '
}
​
result = ""
i = 0
​
while i < len(src):
    if src[i] not in "ATCG":
        result += src[i]
        i += 1
    else:
        result += mapping[src[i:i+3]]
        i += 3
​
print(result)
#KVEEQRSCI5DVKVSXKZEUQS2FJBKE2WKKGI2EKNCWJFCUQNSKIVAVINBTKVKE2TZUKVHUWRZWGRIVSVSNJZJFIQKNIZLDINKHJQ2FSQKWJVBUSTSIKFLVMSKFKNFEGVZVKVGEMSJWJMZDMVSTJNDUQQSGI5KEYN2LKY2DETKWK5EEQTSCGJDFMU2IJA3ECTKVKVNEWU2CIFGUYVKBIRJEMRSRINKE2TKGKAZU6M2UJVAVAUSLKFDFMRKGJFMDITR5

然后将得到的数据进行如下图解密即可得到flag