[记录] 2024观安杯部分writeup

观安杯题目是中途发来了 ，三道做了2道

1、office

尝试binwalk foremost无果，直接查看属性：

base解码：

打开xlsm，输入该字符串：

其中参考了：https://www.52pojie.cn/thread-1634125-1-1.html

清除密码后，保存新文件，再进行操作，否则没啥用;

最终获取到：

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Function Check(user_enc)
    Encrypted = "184,116,232,38,216,127,29,89,225,84,108,82,8,0,161,49,232,127,45,252,147,140,185,210,26,107,123,2,82,189,0,167,205,130,94,54,94,242,138,139,102,79,250,139,9,142,17,42,198,113,246,6,142,31,"

    If (user_enc <> Encrypted) Then
        Check = False
    Else
        Check = True
    End If
End Function

Private Sub Worksheet_Change(ByVal Target As Range)
    If Not Intersect(Target, Me.Range("B2")) Is Nothing Then
        If Check(crypto(Target.Value)) Then
            Me.Range("C2").Value = "success"
            Me.Range("C2").Interior.Color = RGB(232, 245, 233)
        Else
            Me.Range("C2").Value = "fail"
            Me.Range("C2").Interior.Color = RGB(251, 233, 231)
        End If
    End If
End Sub

Function crypto(sMessage)
    Dim kLen, x, y, i, j, temp
    Dim s(256)

    For i = 0 To 255
        s(i) = i
    Next

    j = 0
    For i = 0 To 255
        j = (j + s(i)) Mod 256
        temp = s(i)
        s(i) = s(j)
        s(j) = temp
    Next

    x = 0
    y = 0
    For i = 1 To Len(sMessage)
        x = (x + 1) Mod 256
        y = (y + s(x)) Mod 256
        temp = s(x)
        s(x) = s(y)
        s(y) = temp

        crypto = crypto & (s((s(x) + s(y)) Mod 256) Xor Asc(Mid(sMessage, i, 1))) & ","
    Next
End Function

也可以直接在bin文件中搜索：

2、see it

使用binwalk提取到文件：

用steghide可以分离一张图片：

最后用stegsolve提取lsb即可：

刚开始以为跟音频有关，各种尝试无效，。。。。