Adworld - Misc文件類型

# Adworld - Misc文件類型 ## Source Code ``` 3436455341425F554573444242514141 41414941416C64434658714F7737634B 4141414143594141414149414141415A 6D78685A7935306548524C79306C4D72 7A5A49536B303253457778546B6B304D 6A5130546A593353445531534573784E 544D3054374A494E552B7A7241554155 45734241685141464141414141674143 56304956656F374474776F414141414A 674141414167414A4141414141414141 414167414141414141414141475A7359 57637564486830436741674141414141 41414241426741477845666B39697132 41456245522B54324B725941514A462B 34725971746742554573464267414141 41414241414541576741414145344141 4141414141 ``` ## Recon 這一題有一點通靈，沒有很喜歡 1. 首先給的cipher很明顯是ascii的hex 2. 轉換過後也很明顯是base64 4. 在轉換過後，只有底線後面的部分要轉換成hex 5. 如果把東西print出來的話會看到flag.txt的字樣，感覺上是一個file的byte code，到file signature去看會發現magic header是一個zip file，uncompress之後就會發現flag.txt ![](https://hackmd.io/_uploads/H10OlHGch.png) ## Exploit ```python import base64 cipher = "3436455341425F55457344424251414141414941416C64434658714F7737634B4141414143594141414149414141415A6D78685A7935306548524C79306C4D727A5A49536B303253457778546B6B304D6A5130546A593353445531534573784E544D3054374A494E552B7A72415541554573424168514146414141414167414356304956656F374474776F414141414A674141414167414A4141414141414141414167414141414141414141475A73595763756448683043674167414141414141414241426741477845666B3969713241456245522B54324B725941514A462B34725971746742554573464267414141414142414145415767414141453441414141414141" cipher = bytes.fromhex(cipher).decode('utf-8').split("_")[1] cipher = base64.b64decode(cipher + "==") f = open("./cipher.zip", "wb") f.write(cipher) f.close() import zipfile with zipfile.ZipFile('./cipher.zip', 'r') as zip_ref: zip_ref.extractall('./') f = open('./flag.txt', 'r').read() print(f) ``` ```bash $ python exp.py flag{0bec0ad3da2113c70e50fd5617b8e7f9} ``` ## Reference [XCTF-MISC-Misc文件類型](https://juejin.cn/post/7166166845395828772)