LitCTF2025misc全解

Cropping

zip伪加密，进去之后是100张二维码碎片，ai脚本一下就行

from PIL import Image
import os

# 拼图行列数
grid_size = 10  # 10x10 拼图

# 自动获取 tile 尺寸
first_tile_path = "tile_0_0.png"
if not os.path.exists(first_tile_path):
    raise FileNotFoundError(f"未找到 {first_tile_path}，请确认图片命名是否正确")

with Image.open(first_tile_path) as img:
    tile_width, tile_height = img.size

# 创建最终拼图画布
final_image = Image.new("RGB", (tile_width * grid_size, tile_height * grid_size))

# 遍历所有 tile 进行拼接
for row in range(grid_size):
    for col in range(grid_size):
        filename = f"tile_{row}_{col}.png"
        if not os.path.exists(filename):
            raise FileNotFoundError(f"缺少图块: {filename}")
        with Image.open(filename) as tile:
            final_image.paste(tile, (col * tile_width, row * tile_height))

# 保存结果
final_image.save("puzzle_result.png")
print("拼图完成，已保存为 puzzle_result.png")

拼完图就得到一张二维码，扫一下得到flag

LitCTF{e7c3f4b2-9a6f-4d3f-9f98-0b3db91c2a12}

灵感菇🍄哩菇哩菇哩哇擦灵感菇灵感菇🍄

灵感菇🍄哩菇哩菇哩哇擦灵感菇灵感菇🍄

直接进网站，会给动态的flag（应该是），是经过灵感菇加密的，GitHub上找到了加密网址：https://github.com/ProbiusOfficial/Lingicrypt

直接解密就行

NSSCTF{3b4d2bb4-4bc4-489a-aeb9-34eb723da2b9}

像素里的航班

LitCTF是郑州轻工业大学，网安专业在东风校区，最近的是新郑机场

百度识图找到一张这样的图，确定是新郑机场

ccb总决赛在福州，最近的机场是长乐，4.28开赛

只需要确定4.26 - 4.27 南航 新郑 到 长乐 机场的航班即可 看上去是下午 / 傍晚

https://www.flightera.net/route/ZHCC/ZSFZ/2025-04-27%2012_15

可知CZ6917 / CZ8289（哈哈航旅纵横怎么只显示6917呢，搞得我看了半天没看到8289）

后面那个是对的。

LitCTF{CZ8289}

消失的文字

流量分析ctfnetA梭出来这个：

868F-83BD-FF

这个是压缩包密码，解压得到一个txt

010可以看到有些隐藏的文字在里面的

根据hidden-word直接网上搜到一个github地址：Ackites/hidden-word: A Unicode-based text digital watermarking tool for embedding invisible copyright marks and metadata in text content.，有在线工具：Hidden Word

LitCTF{39553317-df30-4951-8aad-fcaf3028ca9d}

洞妖洞妖

偏脑洞的题，如果提示再多点就是好题了。

pptm，宏内自定义类base64编码：

Sub hgf()
Sub CustomEncode()
    Dim inputString As String
    inputString = "*******"
    
    Dim encodedString As String
    encodedString = CustomEncode(inputString)
    
    MsgBox "自定义编码结果为: " & vbCrLf & encodedString
End Sub

Function CustomEncode(inputString As String) As String
    Dim charSet As String
    charSet = "*******************"
    
    Dim byteArray() As Byte
    byteArray = StrConv(inputString, vbFromUnicode)
    
    Dim encodedString As String
    encodedString = ""
    Dim i As Integer
    Dim n As Long
    For i = 1 To LenB(byteArray) Step 3
        n = 0
        n = (n Or (ByteToInt(MidB(byteArray, i, 1)) << 16))
        If i + 1 <= LenB(byteArray) Then
            n = (n Or (ByteToInt(MidB(byteArray, i + 1, 1)) << 8))
        End If
        If i + 2 <= LenB(byteArray) Then
            n = (n Or ByteToInt(MidB(byteArray, i + 2, 1)))
        End If

        encodedString = encodedString & Mid(charSet, (n >> 18) + 1, 1)
        encodedString = encodedString & Mid(charSet, ((n >> 12) And &H3F) + 1, 1)
        If (i + 1) <= LenB(byteArray) Then
            encodedString = encodedString & Mid(charSet, ((n >> 6) And &H3F) + 1, 1)
        Else
            encodedString = encodedString & "="
        End If
        If (i + 2) <= LenB(byteArray) Then
            encodedString = encodedString & Mid(charSet, (n And &H3F) + 1, 1)
        Else
            encodedString = encodedString & "="
        End If
    Next i
    
    CustomEncode = encodedString
End Function

Function ByteToInt(byteVal As Byte) As Long
    ByteToInt = CLng(byteVal)
End Function
End Function
"5uESz7on4R8eyC//"

密文：5uESz7on4R8eyC//

需要符号表来找明文

media文件夹下有一个image2.jpg，010末尾后隐写reverse的压缩包，直接每字节reverse一下就是压缩包了，有密码，里面是123.docx

猜测需要拿到映射表，然后推明文解压缩包

ppt的自动换片间隔里有0和1隐写，在/ppt/slides/slide?.xml的advTm字段里，可以写脚本提出来

脚本：

import os
import re
import xml.etree.ElementTree as ET

def extract_advTm_binary_string(folder='.'):
    slides = []
    
    # 筛选并排序 slide*.xml 文件（按数字顺序）
    for filename in os.listdir(folder):
        match = re.match(r'slide(\d+)\.xml$', filename)
        if match:
            slide_num = int(match.group(1))
            slides.append((slide_num, filename))
    
    slides.sort()  # 按 slide 编号排序

    binary_str = ''
    
    for slide_num, filename in slides:
        filepath = os.path.join(folder, filename)
        try:
            tree = ET.parse(filepath)
            root = tree.getroot()
            
            # 使用命名空间查找 advTm
            ns = {
                'p': 'http://schemas.openxmlformats.org/presentationml/2006/main',
                'mc': 'http://schemas.openxmlformats.org/markup-compatibility/2006'
            }
            
            advTm = None

            # 遍历所有 <p:transition> 标签
            for transition in root.findall('.//p:transition', ns):
                advTm_str = transition.attrib.get('advTm')
                if advTm_str is not None:
                    advTm = int(advTm_str)
                    break  # 找到就可以停止了

            binary_str += '1' if advTm and advTm > 0 else '0'

        except Exception as e:
            print(f"处理文件 {filename} 时出错: {e}")
            binary_str += '0'

    return binary_str

if __name__ == '__main__':
    binary_result = extract_advTm_binary_string('.')
    print(f"结果二进制字符串: {binary_result}")

这个脚本需要我们手动去掉第一张所代表的1，因为第一张时间间隔是24小时不是1秒.

得到：

10000111000101110010011000111110111111011010110101110101100111011011011101100110101110010101110100111001111100101110001110000110101100111001011001101111010110111100001011110101111001111100001101100110101011010010110011011000101011110001101110000011000011011100101011100110110011001001011110101011010011001000110011111001101000100100000111000101010101110010110101001010011100111110100101010001101000011011111001001110100010001110111000011001001100010101111

这串二进制每七位转化成ascii码，得到：CEdcwvZuNmlkJtsrqaV93=7Bzyx654YXWFp0n+MLKjiHgfDAbUeTSORQPoIhG821/

怀疑这个就是编码表，脚本一下

def custom_decode(encoded_str, char_set):
    char_map = {char: index for index, char in enumerate(char_set)}
    decoded_bytes = bytearray()
    
    i = 0
    while i < len(encoded_str):
        chunk = encoded_str[i:i+4]
        num = 0
        pad = chunk.count("=")
        chunk = chunk.rstrip("=")
        
        for c in chunk:
            num = (num << 6) + char_map[c]
        
        if pad < 3:
            decoded_bytes.append((num >> 16) & 0xFF)
        if pad < 2:
            decoded_bytes.append((num >> 8) & 0xFF)
        if pad < 1:
            decoded_bytes.append(num & 0xFF)
        
        i += 4

    try:
        return decoded_bytes.decode('utf-8')  # 如果是文本
    except:
        return decoded_bytes.hex()  # 否则输出原始十六进制

# 示例调用（填入你找到的 charSet）：
encoded = "5uESz7on4R8eyC//"
char_set = "CEdcwvZuNmlkJtsrqaV93=7Bzyx654YXWFp0n+MLKjiHgfDAbUeTSORQPoIhG821/"  # 举例
print(custom_decode(encoded, char_set))

得到pptandword

用这个来解压压缩包得到word文档

移开图片加改色就得到flag了

LitCTF{cfbff0d1-9345-5685-968c-48ce8b15ae17}