Tags:ZIP,嵌套
0x00. 题目
附件路径:https://pan.baidu.com/s/1GyH7kitkMYywGC9YJeQLJA?pwd=Zmxh#list/path=/CTF附件
附件名称:202404_QQ_ZIP嵌套.zip
0x01. WP
- 打开txt文件发现文件头为
504b0304 - 导入到010Editor另存为tmp.zip
- 打开tmp.zip发现里面是另一个txt
- 打开txt文件发现又是个文件头为
504b0304,重复步骤1 - 尝试编写脚本进行循环解码,最终得到flag
exp.py
import os
import zipfile# 计数器
iNum=1# 删除zip.txt,并将50.txt另存为zip.txt
if os.path.exists("zip.txt"):os.remove("zip.txt")with open("50.txt", "rb") as source_file:with open("zip.txt", "wb") as target_file:target_file.write(source_file.read())# 循环爆破
while True:with open('zip.txt', 'r') as file:content = file.read()print(iNum, content[0:50])iNum+=1if content[0:8]!="504b0304":break# 将zip.txt内容以十六进制方式写入tmp.zipbinary_data = bytes.fromhex(content)with open('tmp.zip', 'wb') as file:file.write(binary_data)# 删除zip.txtos.remove("zip.txt")# 读取tmp.zip文件with zipfile.ZipFile("tmp.zip", 'r') as zip_ref:for file_name in zip_ref.namelist():zip_ref.extract(file_name)# 解压缩文件,并将文件复制为tmp.txtwith open(file_name, "rb") as source_file:with open("zip.txt", "wb") as target_file:target_file.write(source_file.read())# 删除解压出的txt文件os.remove(file_name)# 删除tmp.zip文件os.remove("tmp.zip")
D:\=MAX230_Wiki=\题库\Archives\Misc\Archives\202404_QQ_zip嵌套>python exp.py
1 504b03041400000008001b7e2956caecbb54d78d0600e0830b
2 504b03041400000008001b7e2956fec1725d82c105002c1c0a
3 504b03041400000008001b7e295687ef0f25a80d05006ee008
4 504b03041400000008001b7e2956c968856ec96f0400eaca07
5 504b03041400000008001b7e2956a04270c907e503000ad806
... ...
46 504b03041400000008001a7e2956f74a15e9ae010000580300
47 504b03041400000008001a7e29567c1ade91400100008e0200
48 504b03041400000008001a7e29562c5e732ddb000000d00100
49 504b03041400000008001a7e295676ed28377c000000280100
50 504b0304140000000800c97a2956b55e178528000000260000
51 flag{97de6c664734b9bdf3eeb0fe265bd8df}