RCTF 题目综合教学文档<\/h1>

一、Wanna Feel Love 题目解析<\/h2>

1.1 Challenge 1：邮件隐写分析<\/h3>

技术要点<\/h4>

文件格式<\/strong>：EML格式邮件文件分析<\/li>
编码方式识别<\/strong>：Base64、Quoted-Printable等邮件编码<\/li>

多部分邮件解析<\/strong>：递归遍历MIME结构<\/li> <\/ul>
实现代码分析<\/h4>
# 核心解码函数<\/span> <\/span><\/span>def<\/span> decode_part<\/span>(part): <\/span><\/span> # 获取传输编码类型<\/span> <\/span><\/span> cte =<\/span> (part.<\/span>get("Content-Transfer-Encoding"<\/span>) or<\/span> ""<\/span>).<\/span>lower() <\/span><\/span> <\/span><\/span> # 根据编码类型选择解码方式<\/span> <\/span><\/span> if<\/span> "base64"<\/span> in<\/span> cte: <\/span><\/span> decoded_bytes =<\/span> base64.<\/span>b64decode(raw) <\/span><\/span> elif<\/span> "quoted-printable"<\/span> in<\/span> cte: <\/span><\/span> decoded_bytes =<\/span> quopri.<\/span>decodestring(raw) <\/span><\/span> <\/span><\/span> # 字符集处理<\/span> <\/span><\/span> charset =<\/span> part.<\/span>get_content_charset() or<\/span> "utf-8"<\/span> <\/span><\/span><\/code><\/pre>关键发现<\/h4> 邮件正文中隐藏的垃圾邮件文本包含重要信息<\/li> 通过分析邮件各部分内容，提取隐藏的"低语"信息<\/li> <\/ul> 1.2 Challenge 2：XM音频文件隐写<\/h3> 技术原理<\/h4> XM格式<\/strong>：Extended Module音乐文件格式<\/li> 峰值编码<\/strong>：通过音频波形峰值传递二进制信息<\/li> 采样率转换<\/strong>：将音乐数据转换为可分析的波形<\/li> <\/ul> 解码步骤<\/h4> 文件转换<\/strong>：使用OpenMPT\/MilkyTracker将XM转为WAV<\/li> 参数设置<\/strong>：确定采样率、位深度等关键参数<\/li> 峰值检测<\/strong>：滑动窗口分析波形绝对值最大值<\/li> 比特提取<\/strong>：阈值判断生成二进制序列<\/li> <\/ol> 核心算法<\/h4> # 峰值检测算法示意<\/span> <\/span><\/span>samples_per_bit =<\/span> 1000<\/span> # 每个bit对应的采样数<\/span> <\/span><\/span>threshold_ratio =<\/span> 0.7<\/span> # 峰值阈值比例<\/span> <\/span><\/span> <\/span><\/span>for<\/span> i in<\/span> range(0<\/span>, len(samples), samples_per_bit): <\/span><\/span> window =<\/span> samples[i:i+<\/span>samples_per_bit] <\/span><\/span> max_val =<\/span> max(abs(window)) <\/span><\/span> <\/span><\/span> if<\/span> max_val ><\/span> threshold_ratio: <\/span><\/span> bit_stream.<\/span>append('1'<\/span>) <\/span><\/span> else<\/span>: <\/span><\/span> bit_stream.<\/span>append('0'<\/span>) <\/span><\/span><\/code><\/pre>解码结果<\/h4> 隐藏信息："I Feel Fantastic heyheyhey"<\/p> 1.3 Challenge 3：YouTube视频溯源<\/h3> OSINT技术要点<\/h4> 视频ID识别<\/strong>：rLy-AwdCOmI<\/li> 时间线重建<\/strong>：上传日期2009-04-15<\/li> 上传者确认<\/strong>：Creepyblog账号<\/li> <\/ul> 验证方法<\/h4> 多源交叉验证（Wiki、存档站、考据文章）<\/li> Internet Archive历史记录查询<\/li> 相关社区讨论分析<\/li> <\/ul> 1.4 Challenge 4：数字商品溯源<\/h3> 关键信息<\/h4> 购买链接<\/strong>：http:\/\/www.androidworld.com\/prod68.htm<\/li> 发件人<\/strong>：Android World \/ Chris Willis<\/li> 创作年份<\/strong>：2004年（非上传年份）<\/li> <\/ul> 验证依据<\/h4> 官方网站产品页面信息<\/li> 音乐数据库元数据（MusicBrainz）<\/li> 实际购买者的详细记录<\/li> <\/ul> 1.5 Challenge 5：数字墓碑查找<\/h3> 技术路径<\/h4> 创作者确认<\/strong>：John L. Bergeron<\/li> 死亡信息<\/strong>：2005年7月22日，Vermont州<\/li> 墓地定位<\/strong>：Resurrection Park Cemetery<\/li> <\/ol> 最终结果<\/h4> 数字墓碑URL：https:\/\/www.findagrave.com\/memorial\/63520325\/john_louis-bergeron<\/p> 二、Signin题目技术分析<\/h2> 2.1 解题方法<\/h3> 进程监控<\/strong>：直接抓包分析进程通信<\/li> Flag提取<\/strong>：从进程内存或通信数据中获取<\/li> <\/ul> 三、Shadows of Asgard流量分析<\/h2> 3.1 C2通信识别<\/h3> 网络特征<\/h4> 服务端口<\/strong>：10111<\/li> 通信协议<\/strong>：HTTP伪装<\/li> IP地址<\/strong>：106.52.166.133<\/li> <\/ul> 初始化流程分析<\/h4> { <\/span><\/span> "agentId"<\/span>: "vf3d665af4a0ebc4"<\/span>, <\/span><\/span> "aesKey"<\/span>: "WzUsMTM5LDI1NSwuLi5d"<\/span>, <\/span><\/span> "aesIV"<\/span>: "WzEyNCw4MiwuLi5d"<\/span>, <\/span><\/span> "data"<\/span>: "N2M3N2ZlN2ExYTdhZGMxY2E3MmZhMzY4MzgxMjUxMjQ5ZDY..."<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre>3.2 AES加解密实现<\/h3> 密钥恢复算法<\/h4> import<\/span> base64,<\/span> json,<\/span> ast <\/span><\/span>from<\/span> Crypto.Cipher import<\/span> AES <\/span><\/span> <\/span><\/span># 密钥解析<\/span> <\/span><\/span>aes_key_str =<\/span> base64.<\/span>b64decode(body["aesKey"<\/span>]).<\/span>decode() <\/span><\/span>key_list =<\/span> ast.<\/span>literal_eval(aes_key_str) <\/span><\/span>key =<\/span> bytes(key_list) # 32字节AES-256密钥<\/span> <\/span><\/span><\/code><\/pre>数据解密流程<\/h4> # Base64解码<\/span> <\/span><\/span>data_b64 =<\/span> body["data"<\/span>] <\/span><\/span>data_hex_ascii =<\/span> base64.<\/span>b64decode(data_b64) <\/span><\/span>cipher_bytes =<\/span> bytes.<\/span>fromhex(data_hex_ascii.<\/span>decode()) <\/span><\/span> <\/span><\/span># AES解密<\/span> <\/span><\/span>cipher =<\/span> AES.<\/span>new(key, AES.<\/span>MODE_CBC, iv) <\/span><\/span>plain =<\/span> cipher.<\/span>decrypt(cipher_bytes) <\/span><\/span><\/code><\/pre>3.3 PNG隐写技术<\/h3> 隐写结构分析<\/h4> PNG Chunk<\/strong>：tEXt类型chunk隐藏数据<\/li> 数据格式<\/strong>：Keyword + Base64编码的加密数据<\/li> 解密链<\/strong>：Base64 → Hex ASCII → AES解密 → JSON解析<\/li> <\/ul> 隐写数据示例<\/h4> tEXt chunk数据：Comment\x00ZDRmNGZhMTU1MTU1YzI4NTM5NmU2NDNiMGM4YzlhMDE2ODdjZjFlMzc1MmZj. <\/code><\/pre> 3.4 命令执行分析<\/h3> 发现的命令序列<\/h4> pwd<\/code> - 当前目录查询（taskId: c0c6125e）<\/li> drives<\/code> - 磁盘信息收集<\/li> whoami<\/code> - 用户身份确认<\/li> 文件上传操作<\/li> <\/ol> 关键信息提取<\/h4> C盘创建时间<\/strong>：2018-09-14 23:09:26<\/li> 代理进程路径<\/strong>：C:\Users\dell\Desktop\Microsoft VS Code\Code.exe<\/code><\/li> <\/ul> 3.5 Flag获取过程<\/h3> 文件外传分析<\/h4> { <\/span><\/span> "outputChannel"<\/span>: "o-2ggeq7qpt2u"<\/span>, <\/span><\/span> "taskId"<\/span>: "shell-upload-1763017722153"<\/span>, <\/span><\/span> "fileId"<\/span>: "dd45c631-ec19-40b1-aa1b-e3dea35d21ae"<\/span>, <\/span><\/span> "filePath"<\/span>: "C:\Users\dell\Desktop\Microsoft VS Code\fllllag.txt"<\/span>, <\/span><\/span> "fileData"<\/span>: "UkNURnt0aGV5IGFsd2F5cyBzYXkgUmF2ZW4gaXMgaW5hdXNwaWNpb3VzfQ=="<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre>Flag解码<\/h4> import<\/span> base64 <\/span><\/span>encoded_data =<\/span> "UkNURnt0aGV5IGFsd2F5cyBzYXkgUmF2ZW4gaXMgaW5hdXNwaWNpb3VzfQ=="<\/span> <\/span><\/span>flag =<\/span> base64.<\/span>b64decode(encoded_data).<\/span>decode() <\/span><\/span># 结果：RCTF{they always say Raven is inauspicious}<\/span> <\/span><\/span><\/code><\/pre>四、Chaos题目分析<\/h2> 4.1 解题方法<\/h3> 终端执行<\/strong>：直接运行获得flag<\/li> 相对简单的签到类题目<\/li> <\/ul> 五、综合技术要点总结<\/h2> 5.1 关键技能要求<\/h3> 文件格式分析<\/strong>：EML、XM、PNG等格式深入理解<\/li> 加密算法应用<\/strong>：AES-CBC模式加解密实战<\/li> 网络流量分析<\/strong>：Wireshark高级使用技巧<\/li> 隐写技术识别<\/strong>：多媒介隐写方案识别与破解<\/li> OSINT调查<\/strong>：开源情报收集与验证<\/li> <\/ol> 5.2 工具链推荐<\/h3> 音频处理<\/strong>：OpenMPT、MilkyTracker<\/li> 流量分析<\/strong>：Wireshark<\/li> 加解密<\/strong>：Python + PyCryptodome<\/li> 十六进制编辑<\/strong>：HxD<\/li> OSINT工具<\/strong>：各种存档站、数据库查询<\/li> <\/ul> 5.3 解题思维模式<\/h3> 数据流追踪<\/strong>：从原始数据到最终结果的完整路径<\/li> 交叉验证<\/strong>：多源信息对比确认<\/li> 协议逆向<\/strong>：自定义协议的解析与理解<\/li> 隐蔽通道识别<\/strong>：非常规通信方式的发现与分析<\/li> <\/ol> 本教学文档涵盖了RCTF多个题目的详细技术解析，重点突出了实际攻防中的关键技术点和解题思路，为CTF参赛者和安全研究人员提供了完整的学习路径。<\/p>