zoukankan      html  css  js  c++  java

  • 湖湘杯2020 Misc题解

    Author:LEOGG

    Misc

    misc1 颜文字之谜

    http导出对象,有个index-demo.html

    查看源码里面有一大段base64

    base64隐写得到key:lorrie

    snow隐写,注意不要加-C

    snow.exe -p lorrie index-demo.html

    flag{→_→←_←←_←←_←←_← →_→→_→←_←←_←←_← →_→←_←←_←←_← ←_←←_←←_←→_→→_→ ←_←←_←←_←→_→→_→ ←_← ←_←←_←←_←→_→→_→ →_→→_→→_→→_→←_← →_→←_←←_←←_← ←_←←_←←_←←_←←_← ←_←→_→→_→→_→→_→ →_→→_→→_→→_→→_→ ←_←←_←←_←←_←←_← ←_←←_←→_→←_← →_→←_←←_←←_← ←_←←_←←_←←_←→_→ ←_←→_→ ←_←←_←→_→→_→→_→ →_→→_→→_→→_→←_← ←_←←_←←_←←_←←_← ←_←←_←←_←→_→→_→ ←_←→_→ →_→→_→→_→→_→→_→ →_→←_←→_→←_← ←_← →_→→_→←_←←_←←_← →_→→_→→_→→_→←_← →_→←_←→_→←_← ←_←←_←←_←→_→→_→ ←_←←_←←_←→_→→_→ →_→→_→←_←←_←←_← →_→→_→→_→←_←←_←}

    联想到摩斯电码,只有两个符号和空格组成

    →_→替换成-

    ←_←替换成.

    image-20201101154633257

    在线网站解一下转小写得到flag

    image-20201101154735302

    misc2 passwd

    hivelist查看注册表

    volatility -f 555.raw --profile=Win7SP1x86 hivelist
Volatility Foundation Volatility Framework 2.6
Virtual    Physical   Name
---------- ---------- ----
0x93fc41e8 0x030cf1e8 SystemRootSystem32ConfigSAM
0x93fe7008 0x1bc6c008 ??C:WindowsServiceProfilesNetworkServiceNTUSER.DAT
0x9494e9c8 0x11c9a9c8 ??C:UsersCTFAppDataLocalMicrosoftWindowsUsrClass.dat
0x992de5d8 0x223cb5d8 SystemRootSystem32ConfigDEFAULT
0x8a00c2b0 0x23e0a2b0 [no name]
0x8a01c008 0x24019008 REGISTRYMACHINESYSTEM
0x8a03d008 0x22dfa008 REGISTRYMACHINEHARDWARE
0x8c6d99c8 0x22b499c8 DeviceHarddiskVolume1BootBCD
0x8e00d9c8 0x189629c8 ??C:UsersCTF
tuser.dat
0x8f97c008 0x22de2008 SystemRootSystem32ConfigSOFTWARE
0x93fb19c8 0x00a759c8 SystemRootSystem32ConfigSECURITY
0x93fb7440 0x03145440 ??C:WindowsServiceProfilesLocalServiceNTUSER.DAT

    hashdump取出密码,-y是system的virtual地址,-s是SAM表的virtual地址

    volatility -f 555.raw --profile=Win7SP1x86 hashdump -y 0x8a01c008 -s 0x93fc41e8

    image-20201101154025739

    0a640404b5c386ab12092587fe19cd02去md5解密的qwer1234

    再sha1()加密

    ps:其实一条命令hashdump就够了,人菜就多敲一条=。=

    flag:db25f2fc14cd2d2b1e7af307241f548fb03c312a

    misc3 虚实之间

    伪加密得到文件mingwen.txt

    明文攻击得到密码

    image-20201101182454113

    拿到flag.txt

    ffd5e341le25b2dcab15cbb}gc3bc5b{789b51

    栅栏位数5

    解密一下

    ps:吐槽一下captEncoder这个小帽子解码软件,栅栏有问题

    image-20201101182418116

    misc4 隐藏的秘密

    先看一下pslist,找到notepad.exe,去grep一下txt文件

    volatility -f mm.vmem --profile=Win2003SP1x86 filescan | grep "txt"
Volatility Foundation Volatility Framework 2.6
0x000000000412cde0      1      0 RW-r-- DeviceHarddiskVolume1Documents and SettingsAdministrator桌面file.txt
0x000000000426b890      1      0 R--rw- DeviceHarddiskVolume1Documents and SettingsAll UsersApplication DataVMwareVMware ToolsUnity Filterswin7gadgets.txt
0x000000000426ba90      1      0 R--rw- DeviceHarddiskVolume1Documents and SettingsAll UsersApplication DataVMwareVMware ToolsUnity Filtersvmwarefilters.txt
0x000000000426bc90      1      0 R--rw- DeviceHarddiskVolume1Documents and SettingsAll UsersApplication DataVMwareVMware ToolsUnity Filtersvisualstudio2005.txt
0x000000000426be90      1      0 R--rw- DeviceHarddiskVolume1Documents and SettingsAll UsersApplication DataVMwareVMware ToolsUnity Filtersvistasidebar.txt
0x000000000479d4a8      4      2 -W-rw- DeviceHarddiskVolume1Documents and SettingsAll UsersApplication DataVMwareVMware VGAuthlogfile.txt.0
0x00000000049e1cf0      1      0 R--rw- DeviceHarddiskVolume1Program FilesVMwareVMware Toolsvmacthlp.txt
0x00000000049e6228      1      0 RW-rw- DeviceHarddiskVolume1Documents and SettingsAdministratorRecentfile.txt.lnk
0x0000000004a511a0      1      0 R--rw- DeviceHarddiskVolume1Documents and SettingsAll UsersApplication DataVMwareVMware ToolsUnity Filtersmicrosoftoffice.txt
0x0000000004a513a0      1      0 R--rw- DeviceHarddiskVolume1Documents and SettingsAll UsersApplication DataVMwareVMware ToolsUnity Filtersgoogledesktop.txt
0x0000000004a51770      1      0 R--rw- DeviceHarddiskVolume1Documents and SettingsAll UsersApplication DataVMwareVMware ToolsUnity Filtersadobephotoshopcs3.txt
0x0000000004c05370      1      0 R--rwd DeviceHarddiskVolume1Documents and SettingsAll UsersApplication DataVMwareVMware Toolsmanifest.txt
0x0000000004c70ae8      1      0 RW---- DeviceHarddiskVolume1WINDOWSsystem32CatRoot2dberr.txt
0x0000000004d44028      1      0 R--rw- DeviceHarddiskVolume1Documents and SettingsAll UsersApplication DataVMwareVMware ToolsUnity Filtersadobeflashcs3.txt

    找到file.txt,dump下来

    volatility -f mm.vmem --profile=Win2003SP1x86 dumpfiles -Q 0x000000000412cde0 -D ./

    什么?计算机又被不知名账户登录了?明明在计算机管理中没有这个用户,为什么还会被这个用户登录呢?电脑跟前的你能帮我找到原因吗?flag为该用户的用户名以及密码的md5值。

格式:md5(用户名:密码)

    hivelist查看注册表,找到最近登陆的用户,使用WRR(windows registry recovery)查找注册表

    volatility -f mm.vmem --profile=Win2003SP1x86 dumpregistry -D ./

    image-20201103085519017

    查SAM表

    根据最近登陆的用户发现只有Administrator和FHREhpe登陆过

    image-20201103085230226

    列出用户名和密码

    volatility -f mm.vmem --profile=Win2003SP1x86 hashdump -y 0xe101d008 -s 0xe1757860

    得到用户名密码,md5解密一下FHREhpe$:NIAIWOMA

    image-20201101174420296

    md5加密一下

    flag:8cf1d5b00c27cb8284bce9ccecb09fb7
  • 相关阅读:
    Python:遍历文件目录及子目录,并批量改变文件名称
    python:利用递归遍历文件夹所有文件(包括子文件夹里的文件)
    python文件,文件夹操作
    Ubuntu安装vim报错的的处理
    Centos7安装Chrome
    Centos7更换阿里yum源
    CentOS7设置启动默认界面方法
    Vim快捷键学习---记性不行了,留这里备查
    第7-9章作业汇总
    第四次作业---第三题陈岩岩
  • 原文地址:https://www.cnblogs.com/LEOGG321/p/13917688.html
Copyright © 2011-2022 走看看