  2019 RedHat Cup (红帽杯) MISC review writeup

    Preface:

      I played this year's RedHat Cup a while ago. The problems were of high quality and worth writing up.

      Challenges: https://github.com/DrsEeker/redhat2019

    0x01: Advertising for marriage

    The challenge file is a RAW image of 500-odd MB, so this is a memory forensics problem. Analyze it with the memory forensics tool Volatility:

    Usage: volatility -f [imgfile] [command]

    The image turns out to be Windows XP SP2. List the processes:

    volatility -f [imgfile] --profile=WinXPSP2x86 psscan

    Two suspicious processes show up: notepad.exe (Notepad) and mspaint.exe (Paint).

    Read the Notepad contents: volatility -f [imgfile] --profile=WinXPSP2x86 notepad

    This reveals the hint: ????needmoneyandgirlfirend (note the challenge's own misspelling of girlfriend)

    The first four characters are unknown, so dump the Paint process memory:

    volatility -f [imgfile] --profile=WinXPSP2x86 memdump -p [pid] --dump-dir [outdir]

    Load the dump into GIMP as raw image data (rename the extension to .data first). The offset slider moves the start position within the dump, while width and height set the resolution. First set the height to a suitable value, then the width, then fine-tune the offset until the image the process held in memory appears.

    Hint: every width/height pair corresponds to one resolution, and different resolutions render different pictures.

    After a fair amount of fiddling, setting the width to 960 shows:

    The picture is mirrored; this is the Paint canvas as it sat in memory. Flipping it gives the four characters b1cx, which combined with the hint from Notepad yields: b1cxneedmoneyandgirlfirend

    Nothing conclusive yet, so change direction and check what is on the desktop:

    volatility -f [imgfile] --profile=[imgversion] filescan | grep [arg]

    The desktop holds DumpIt.exe (the program that produced the memory dump, i.e. our challenge file), HP-xxxx.raw (the raw file is the challenge file itself) and vegetable.png (suspicious; dump it and take a look):

    volatility -f [imgfile] --profile=[imgversion] dumpfiles -Q [file_offset] --dump-dir [outdir]

    Open the dumped picture:

    Opening it produces a CRC check error, which suggests the height or width field has been altered. Brute-forcing the IHDR CRC gives the correct height:

    Script:

    # -*- coding: utf-8 -*-
    import binascii
    import struct

    crc32key = 0xB80A1736   # CRC stored in the damaged PNG's IHDR chunk
    height = 0
    width = 0x11f           # width read from the IHDR chunk
    for i in range(0, 0xffff):
        height = struct.pack('>i', i)
        #width = struct.pack('>i', i)
        # chunk type "IHDR" + width + height + bit depth, colour type, compression, filter, interlace
        data = b'\x49\x48\x44\x52' + struct.pack('>i', width) + height + b'\x08\x06\x00\x00\x00'  # brute-force the height
        #data = b'\x49\x48\x44\x52' + width + struct.pack('>i', height) + b'\x08\x06\x00\x00\x00'  # brute-force the width
        crc32result = binascii.crc32(data) & 0xffffffff
        if crc32result == crc32key:
            print(height.hex().upper())
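The script above hardcodes the CRC and the width it read out of the file. As an added example, not part of the original writeup, here is the general form of the same technique: parse the IHDR chunk out of the PNG bytes, then search the height and, failing that, the width until the stored CRC matches. The sample header is constructed inline; it uses the writeup's width 0x11f, but the height of 600 that gets zeroed is an assumption for the demo, not the challenge's real value.

```python
import struct
import zlib

PNG_SIG = b'\x89PNG\r\n\x1a\n'


def read_ihdr(png):
    """Return (width, height, remaining_ihdr_fields, stored_crc) from a PNG's IHDR chunk."""
    if png[:8] != PNG_SIG:
        raise ValueError('not a PNG file')
    length, ctype = struct.unpack('>I4s', png[8:16])
    if ctype != b'IHDR' or length != 13:
        raise ValueError('first chunk is not a valid IHDR')
    data = png[16:29]                                   # 13 bytes of chunk data
    stored_crc = struct.unpack('>I', png[29:33])[0]     # CRC follows the data
    width, height = struct.unpack('>II', data[:8])
    return width, height, data[8:], stored_crc


def recover_dimensions(png, max_dim=10000):
    """Brute-force the height, then the width, until the IHDR CRC matches.

    The CRC covers the chunk type and chunk data but not the length field.
    Returns (width, height), or None if nothing below max_dim matches."""
    width, height, tail, stored_crc = read_ihdr(png)
    for h in range(1, max_dim):
        if zlib.crc32(b'IHDR' + struct.pack('>II', width, h) + tail) == stored_crc:
            return width, h
    for w in range(1, max_dim):
        if zlib.crc32(b'IHDR' + struct.pack('>II', w, height) + tail) == stored_crc:
            return w, height
    return None


def make_png_header(width, height, bit_depth=8, colour_type=6):
    """Constructed test input: signature plus a correctly checksummed IHDR chunk."""
    data = struct.pack('>IIBBBBB', width, height, bit_depth, colour_type, 0, 0, 0)
    crc = zlib.crc32(b'IHDR' + data) & 0xffffffff
    return PNG_SIG + struct.pack('>I', 13) + b'IHDR' + data + struct.pack('>I', crc)


def damaged_sample():
    """Constructed 0x11f x 600 header with the height field zeroed (the CRC is left intact)."""
    good = make_png_header(0x11f, 600)
    return good[:20] + struct.pack('>I', 0) + good[24:]   # bytes 20..23 hold the height


if __name__ == '__main__':
    print(recover_dimensions(damaged_sample()))   # (287, 600)
```

Searching the height first mirrors the writeup: challenge authors usually shrink the height so the file still decodes but hides the lower rows, and the untouched width keeps the search one-dimensional.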

    Fix the height in 010 Editor and open the picture:

    It shows a blurred flag. binwalk finds nothing, so suspect LSB steganography and use the cloacked-pixel tool:

    python lsb.py extract [infile] [outfile] [pass]

    This gives:

    Base64 decoding yields:

    Virginia ciphertext:gnxtmwg7r1417psedbs62587h0

    So it is a Vigenère cipher. A Vigenère key can only consist of letters, so drop the 1 from b1cxneedmoneyandgirlfirend and decrypt,

    which gives

    flag : flagisd7f1417bfafbf62587e0
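The decryption step above, written out as an added example (not code from the original writeup). The one detail that matters for this ciphertext is how non-letters are handled: digits pass through unchanged and do not consume a key character, which is the convention under which the key with its 1 removed yields the flag. The key filtering is done inside the function, so the raw hint string can be passed as-is.

```python
def _vigenere(text, key, direction):
    """Shift letters of text by the key; direction is +1 to encrypt, -1 to decrypt.

    Only letters are shifted and only letters advance the key index; digits and
    punctuation are copied through untouched."""
    key = ''.join(c for c in key.lower() if c.isalpha())   # a Vigenère key is letters only
    if not key:
        raise ValueError('key contains no letters')
    out = []
    k = 0
    for c in text:
        if c.isalpha():
            base = ord('A') if c.isupper() else ord('a')
            shift = ord(key[k % len(key)]) - ord('a')
            out.append(chr((ord(c) - base + direction * shift) % 26 + base))
            k += 1
        else:
            out.append(c)
    return ''.join(out)


def vigenere_encrypt(plaintext, key):
    return _vigenere(plaintext, key, +1)


def vigenere_decrypt(ciphertext, key):
    return _vigenere(ciphertext, key, -1)


# Values from the writeup: the '1' in the key is dropped by the letters-only filter.
CHALLENGE_CIPHERTEXT = 'gnxtmwg7r1417psedbs62587h0'
CHALLENGE_KEY = 'b1cxneedmoneyandgirlfirend'

if __name__ == '__main__':
    print(vigenere_decrypt(CHALLENGE_CIPHERTEXT, CHALLENGE_KEY))   # flagisd7f1417bfafbf62587e0
```

If an online tool gives a different result for a mixed ciphertext like this one, the cause is almost always the other convention (advancing the key on every character); try both before concluding the key is wrong.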

    0x02: The foul-smelling packet capture

    The challenge is a cap file, so this is a traffic analysis problem. Open it in Wireshark:

    It contains 802.11 wireless frames, so we need aircrack-ng to crack the password:

    aircrack-ng -w password.txt -b [MAC] [capfile]

    The recovered password is 12345678

    Next decrypt the capture:

    airdecap-ng [capfile] -e [ESSID] -p [pass]

    The decrypted capture is cacosmia_dec.cap; open it in Wireshark:

    It is now a capture that can be analyzed normally.

    Export the HTTP objects:

    There is a picture:

    binwalk shows:

    An archive is appended to the image; carve it out with foremost:

    It contains a flag.txt, but the archive is password-protected. The fake-encryption trick does nothing and brute-forcing with AZPR fails too, so turn to the packets themselves for more information.

    In the HTTP request that uploads this picture the cookie is a JWT, so decode it:

    The payload contains the hint: "For safety, I set the password to a website I just pinged."

    So look at the pings. Before pinging a domain the host must resolve it through DNS, so filter on the DNS protocol:

    Trying a few of the domains shows that the archive password is the last one: 26rsfb.dnslog.cn

    Extracting it gives the flag:
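Why the hint was readable in the first place, as an added example that is not part of the original writeup: a JWT's payload is only base64url-encoded, so anyone holding the cookie can decode it without the signing secret. The block below decodes a token without verification (the step taken in the writeup) and, for contrast, verifies an HS256 signature the way a server should. The token, its secret and the payload text are constructed for the demo; the hint wording paraphrases the capture's.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(segment):
    """Decode a base64url segment; JWT segments omit the '=' padding, so restore it."""
    data = segment.encode('ascii')
    return base64.urlsafe_b64decode(data + b'=' * (-len(data) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b'=').decode('ascii')


def decode_jwt_unverified(token):
    """Return (header, payload) without checking the signature: encoding is not encryption."""
    header_b64, payload_b64, _signature = token.split('.')
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def sign_hs256(header, payload, secret):
    """Build an HS256-signed JWT (used here only to construct a sample cookie)."""
    def segment(obj):
        return b64url_encode(json.dumps(obj, separators=(',', ':')).encode('utf-8'))
    signing_input = segment(header) + '.' + segment(payload)
    mac = hmac.new(secret, signing_input.encode('ascii'), hashlib.sha256).digest()
    return signing_input + '.' + b64url_encode(mac)


def verify_hs256(token, secret):
    """Return the payload if the HS256 signature is valid, otherwise None.

    The alg is pinned to HS256 so a token claiming alg=none is rejected, and the
    MAC comparison is constant-time."""
    try:
        header_b64, payload_b64, sig_b64 = token.split('.')
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:          # malformed structure, base64 or JSON
        return None
    if header.get('alg') != 'HS256':
        return None
    expected = hmac.new(secret, (header_b64 + '.' + payload_b64).encode('ascii'),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return json.loads(b64url_decode(payload_b64))


# Constructed sample cookie, signed with a made-up secret.
SAMPLE_SECRET = b'constructed-demo-secret'
SAMPLE_TOKEN = sign_hs256(
    {'alg': 'HS256', 'typ': 'JWT'},
    {'user': 'demo', 'hint': 'the archive password is a site I just pinged'},
    SAMPLE_SECRET,
)

if __name__ == '__main__':
    print(decode_jwt_unverified(SAMPLE_TOKEN)[1])   # readable without the secret
    print(verify_hs256(SAMPLE_TOKEN, b'wrong-secret'))   # None
```

The practical lesson for anyone issuing such cookies: a JWT protects integrity, not confidentiality, so secrets and hints about secrets do not belong in the payload.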
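The DNS step above was done in Wireshark. As an added example, not part of the original writeup, here is the same extraction in plain Python over the DNS wire format: a minimal question-section parser that returns the queried names, including support for the label-compression pointers that appear in real responses. The query packet is constructed inline, using the writeup's final domain as its question.

```python
import struct


def build_dns_query(name, qtype=1, txid=0x1234):
    """Constructed test input: a standard recursive query for `name` (qtype 1 = A)."""
    header = struct.pack('>HHHHHH', txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    qname = b''.join(struct.pack('B', len(label)) + label.encode('ascii')
                     for label in name.split('.')) + b'\x00'
    return header + qname + struct.pack('>HH', qtype, 1)        # qclass 1 = IN


def read_name(msg, offset):
    """Decode a possibly compressed domain name at offset; return (name, offset_after)."""
    labels = []
    end = None          # where parsing resumes once a pointer has been followed
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer (RFC 1035 4.1.4)
            hops += 1
            if hops > 32:
                raise ValueError('compression pointer loop')
            pointer = struct.unpack('>H', msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode('ascii', 'replace'))
        offset += length
    return '.'.join(labels), (end if end is not None else offset)


def queried_names(msg):
    """Return the QNAME of every question in a DNS message."""
    _txid, _flags, qdcount = struct.unpack('>HHH', msg[:6])
    names = []
    offset = 12                                         # fixed-size header
    for _ in range(qdcount):
        name, offset = read_name(msg, offset)
        offset += 4                                     # skip QTYPE and QCLASS
        names.append(name)
    return names


if __name__ == '__main__':
    print(queried_names(build_dns_query('26rsfb.dnslog.cn')))   # ['26rsfb.dnslog.cn']
```

Run over every UDP/53 payload in a capture (for example via a pcap reader), this yields the same ordered list of looked-up domains that the Wireshark DNS filter shows, which is what the writeup used to find the password.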

    0x03: Toy car

    This one takes a real leap of imagination. The challenge is an archive containing a dozen-odd wav files and two microcontroller schematics. At first I took it for an audio analysis problem; the spectrogram looked like Morse code, but trying that led nowhere.

    So I re-read the challenge and thought about what the little car was doing, and concluded that the task was to reconstruct the car's path.

    Looking up the car's model number turned up an operating manual.

    It matches the wav files we were given, so write a script that outputs the signal level on each pin:

    #-*- coding:utf-8 -*-
    import wave
    import numpy as np

    filename = 'L293_1_A1'   # one challenge wav file per L293D pin
    wavfile = wave.open(filename + '.wav', 'rb')
    params = wavfile.getparams()
    nchannels, sampwidth, framerate, nframes = params[:4]
    sig = wavfile.readframes(nframes)
    wavfile.close()
    sig = np.frombuffer(sig, dtype=np.int16)   # 16-bit PCM samples
    seq = ''
    # Sample the level once per second: a high amplitude means the pin is driven high
    for i in range(0, len(sig), framerate):
        if sig[i] > 1000:
            seq += "1"
        else:
            seq += "0"
    with open(filename + '.txt', 'w') as out:
        out.write(seq)
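An added example, not from the original writeup, that exercises the same level-decoding idea end to end without the challenge files: it synthesizes a 16-bit mono WAV in memory in which each bit is held for one second, then decodes it two ways. `single_sample_decode` is the writeup's approach (one sample per second); `decode_levels` judges each second by its mean absolute amplitude, which makes it immune to a single spike or a transition that lands exactly on the sampling instant. The WAV, its sample rate and the glitch are all constructed for the demo.

```python
import io
import wave
import numpy as np


def make_level_wav(bits, framerate=8000, high=20000, glitch_at=None):
    """Constructed input: a 16-bit mono WAV holding each bit of `bits` for one second.

    If glitch_at is given, that single sample index is forced high to mimic noise."""
    samples = np.concatenate([np.full(framerate, high if b == '1' else 0, dtype=np.int16)
                              for b in bits])
    if glitch_at is not None:
        samples[glitch_at] = high
    buf = io.BytesIO()
    with wave.open(buf, 'wb') as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(framerate)
        w.writeframes(samples.tobytes())
    return buf.getvalue()


def _load_pcm16(wav_bytes):
    """Return (samples, framerate) for the first channel of a 16-bit PCM WAV."""
    with wave.open(io.BytesIO(wav_bytes), 'rb') as w:
        nchannels, sampwidth, framerate, nframes = w.getparams()[:4]
        raw = w.readframes(nframes)
    if sampwidth != 2:
        raise ValueError('expected 16-bit PCM')
    sig = np.frombuffer(raw, dtype=np.int16)
    if nchannels > 1:
        sig = sig[::nchannels]          # keep the first channel
    return sig, framerate


def single_sample_decode(wav_bytes, threshold=1000):
    """The writeup's method: look at one sample at the start of every second."""
    sig, framerate = _load_pcm16(wav_bytes)
    return ''.join('1' if sig[i] > threshold else '0' for i in range(0, len(sig), framerate))


def decode_levels(wav_bytes, threshold=1000):
    """Judge each one-second window by its mean absolute amplitude instead of one sample."""
    sig, framerate = _load_pcm16(wav_bytes)
    seq = ''
    for start in range(0, len(sig), framerate):
        window = sig[start:start + framerate].astype(np.int32)   # avoid int16 overflow in abs
        seq += '1' if np.abs(window).mean() > threshold else '0'
    return seq


if __name__ == '__main__':
    clean = make_level_wav('1101001')
    print(decode_levels(clean), single_sample_decode(clean))        # 1101001 1101001
    noisy = make_level_wav('0110', glitch_at=0)
    print(decode_levels(noisy), single_sample_decode(noisy))        # 0110 1110
```

On the real recordings the single-sample approach worked because the signals are clean square waves; the window mean is the version to reach for when a recording has clicks or the bit period is not an exact whole number of samples.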

    Then, from the per-pin signals, simulate the car's path:

    Script:

    #-*- coding:utf-8 -*-
    
    import turtle
    
    L_1_A1='11110011011001101101101100110110111100011110011011011011011001101111100110001101101111001101100011110110110101111010111100011011011001101101101111000110110110011110100110111100011110001111011011110011011000111101101101100111101001101101100101100100111111110001101100011011011011110001111001101101011101101001101101011110101111000110110110110101110110100110110110011110100110111100011110011011110001111011000110111101101101101101101101101100110111100001111011011010111011010011011111000110110001101101101101100101100100111111010111100011011011011011011011001101111100011011000110110110111100011110001111011011110011011000111101101101101111000110110110011011101011110001101101101111100011011000110110110111100011110110001101111011011011010111101011110001101111000111100110110111011110000110'
    L_1_A2='00001100100110010010010011001001000011100001100100100100100110010000011001110010010000110010011100001001001010000101000011100100100110010010010000111001001001100001011001000011100001110000100100001100100111000010010010011000010110010010011010011011000000001110010011100100100100001110000110010010100010010110010010100001010000111001001001001010001001011001001001100001011001000011100001100100001110000100111001000010010010010010010010010011001000011110000100100101000100101100100000111001001110010010010010011010011011000000101000011100100100100100100100110010000011100100111001001001000011100001110000100100001100100111000010010010010000111001001001100100010100001110010010010000011100100111001001001000011100001001110010000100100100101000010100001110010000111000011001001000100001111001'
    L_1_B1='11011110001111000110111100011011110110110011001101111110001100111110111100000110111101111000110110011011011111001111100110001101111000110111111001100011011110110011000011110110110011011001101111011110001101100110110111101100110000110110110000010111101111011011010110110001101111011011001100110111110100111000110111110011111001100011011011011111010011100011011110110011000011110110110011001111011011001101101101100110110110110110111111000110011110110011001101101111101001110001111101101101011011000110110110110000010111101101111100110110001101101111110001100111110110110101101100011011110110110011011001101111011110001101100110110111111001100011011110001110111110011011000110111110110110101101100011011110110110011011011011001101101101111100111110011000111101101100110011011111110011000011'
    L_1_B2='00100001110000111001000011100100001001001100110010000001110011000001000011111001000010000111001001100100100000110000011001110010000111001000000110011100100001001100111100001001001100100110010000100001110010011001001000010011001111001001001111101000010000100100101001001110010000100100110011001000001011000111001000001100000110011100100100100000101100011100100001001100111100001001001100110000100100110010010010011001001001001001000000111001100001001100110010010000010110001110000010010010100100111001001001001111101000010010000011001001110010010000001110011000001001001010010011100100001001001100100110010000100001110010011001001000000110011100100001110001000001100100111001000001001001010010011100100001001001100100100100110010010010000011000001100111000010010011001100100000001100111100'
    L_1_EnA='11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111011111111111111111111111111111111111111111111111111111101111110111111111110000000000000101111111101111111011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111110111111101111111111110000000000000111111111111111111111111111111111111111011111111011111110111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111011111111011111110111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111'
    L_1_EnB='11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111011111111111111111111111111111111111111111111111111111101111110111111111110000000000000101111111101111111011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111110111111101111111111110000000000000111111111111111111111111111111111111111011111111011111110111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111011111111011111110111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111'
    L_2_A1='11110011011001101101101100110110111100011110011011011011011001101111100110001101101111001101100011110110110101111010111100011011011001101101101111000110110110011110100110111100011110001111011011110011011000111101101101100111101001101101100101100100111111110001101100011011011011110001111001101101011101101001101101011110101111000110110110110101110110100110110110011110100110111100011110011011110001111011000110111101101101101101101101101100110111100001111011011010111011010011011111000110110001101101101101100101100100111111010111100011011011011011011011001101111100011011000110110110111100011110001111011011110011011000111101101101101111000110110110011011101011110001101101101111100011011000110110110111100011110110001101111011011011010111101011110001101111000111100110110111011110000110'
    L_2_A2='00001100100110010010010011001001000011100001100100100100100110010000011001110010010000110010011100001001001010000101000011100100100110010010010000111001001001100001011001000011100001110000100100001100100111000010010010011000010110010010011010011011000000001110010011100100100100001110000110010010100010010110010010100001010000111001001001001010001001011001001001100001011001000011100001100100001110000100111001000010010010010010010010010011001000011110000100100101000100101100100000111001001110010010010010011010011011000000101000011100100100100100100100110010000011100100111001001001000011100001110000100100001100100111000010010010010000111001001001100100010100001110010010010000011100100111001001001000011100001001110010000100100100101000010100001110010000111000011001001000100001111001'
    L_2_B1='11011110001111000110111100011011110110110011001101111110001100111110111100000110111101111000110110011011011111001111100110001101111000110111111001100011011110110011000011110110110011011001101111011110001101100110110111101100110000110110110000010111101111011011010110110001101111011011001100110111110100111000110111110011111001100011011011011111010011100011011110110011000011110110110011001111011011001101101101100110110110110110111111000110011110110011001101101111101001110001111101101101011011000110110110110000010111101101111100110110001101101111110001100111110110110101101100011011110110110011011001101111011110001101100110110111111001100011011110001110111110011011000110111110110110101101100011011110110110011011011011001101101101111100111110011000111101101100110011011111110011000011'
    L_2_B2='00100001110000111001000011100100001001001100110010000001110011000001000011111001000010000111001001100100100000110000011001110010000111001000000110011100100001001100111100001001001100100110010000100001110010011001001000010011001111001001001111101000010000100100101001001110010000100100110011001000001011000111001000001100000110011100100100100000101100011100100001001100111100001001001100110000100100110010010010011001001001001001000000111001100001001100110010010000010110001110000010010010100100111001001001001111101000010010000011001001110010010000001110011000001001001010010011100100001001001100100110010000100001110010011001001000000110011100100001110001000001100100111001000001001001010010011100100001001001100100100100110010010010000011000001100111000010010011001100100000001100111100'
    L_2_EnA='11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111011111111111111111111111111111111111111111111111111111101111110111111111110000000000000101111111101111111011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111110111111101111111111110000000000000111111111111111111111111111111111111111011111111011111110111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111011111111011111110111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111'
    L_2_EnB='11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111011111111111111111111111111111111111111111111111111111101111110111111111110000000000000101111111101111111011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111110111111101111111111110000000000000111111111111111111111111111111111111111011111111011111110111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111011111111011111110111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111'
    
    path = ''  # 1 = forward, 2 = backward, 3 = turn left, 4 = turn right (5 = any other combination)


    def motor_state(en, in1, in2, i):
        """State of one L293D channel at tick i: 1 = forward, 2 = reverse, 0 = stopped."""
        if en[i] != '1':
            return 0            # enable pin low: the channel is off
        if in1[i] == '1' and in2[i] == '0':
            return 1
        if in1[i] == '0' and in2[i] == '1':
            return 2
        return 0                # both inputs equal: brake/stop


    for i in range(0, len(L_1_EnA)):
        front_1 = motor_state(L_1_EnA, L_1_A1, L_1_A2, i)   # chip 1, channel A
        front_2 = motor_state(L_1_EnB, L_1_B1, L_1_B2, i)   # chip 1, channel B
        back_1 = motor_state(L_2_EnA, L_2_A1, L_2_A2, i)    # chip 2, channel A
        back_2 = motor_state(L_2_EnB, L_2_B1, L_2_B2, i)    # chip 2, channel B
        if front_1 == 1 and front_2 == 1 and back_1 == 1 and back_2 == 1:
            path += '1'
        elif front_1 == 2 and front_2 == 2 and back_1 == 2 and back_2 == 2:
            path += '2'
        elif front_1 == 2 and front_2 == 1 and back_1 == 2 and back_2 == 1:
            path += '3'
        elif front_1 == 1 and front_2 == 2 and back_1 == 1 and back_2 == 2:
            path += '4'
        else:
            path += '5'

    # Draw the path: each tick of forward/backward moves 5 units, each turn is 90 degrees
    turtle.left(90)
    for i in path:
        if i == '1':
            turtle.forward(5)
        elif i == '2':
            turtle.backward(5)
        elif i == '3':
            turtle.left(90)
        elif i == '4':
            turtle.right(90)
    turtle.mainloop()

    Summary:

      The MISC problems in this year's RedHat Cup took a lot of imagination and were of high quality; I learned plenty of new things. Kudos.

    Original article: https://www.cnblogs.com/basstorm/p/11885798.html