  • Huxiang Cup 2020 misc

    Hxb2020 misc

    Misc1

    Open the capture in Wireshark, then File > Export Objects > HTTP > Save All.

    Open index-demo.html and view its source; it contains a large block of Base64-encoded lines.

    KO+9oe+9peKIgO+9pSnvvonvvp7ll6hIaX4gCm==
    KO+8oF/vvKA7KSjvvKBf77ygOyko77ygX++8oDspCr==	      	 	      	    
    KCtfKyk/KOOAgj7vuL88KV/OuCjjgII+77i/PClfzrgK
    ......
    

    Base64-decoded:

    (。・∀・)ノ゙嗨Hi~ 
    (@_@;)(@_@;)(@_@;)
    (+_+)?(。>︿<)_θ(。>︿<)_θ
    o(* ̄▽ ̄*)ブ゜
    <(^-^)>(╯▽╰ )好香~~
    ヽ(✿゚▽゚)ノ(@^0^)
    ......
    

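    I assumed it was kaomoji (emoticon) encoding, but aadecode produced nothing.

    Only after the contest did I learn it was Base64 steganography. Save the Base64 lines to a txt file and decode them with a script: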

    import base64

    BASE64_CHARS = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'


    def get_base64_diff_value(s1, s2):
        # Alphabet-index distance at the first character where the stego line
        # and its canonical re-encoding differ (0 when they are identical).
        for c1, c2 in zip(s1, s2):
            if c1 != c2:
                return abs(BASE64_CHARS.index(c1) - BASE64_CHARS.index(c2))
        return 0


    def solve_stego():
        # Raw string so the backslashes in the Windows path are not read as escapes.
        with open(r'E:\Desktop\1.txt', 'r') as f:
            bin_str = ''
            for line in f:
                steg_line = line.strip()
                if not steg_line:
                    continue
                # Decode and re-encode to get the canonical form with zeroed spare bits.
                norm_line = base64.b64encode(base64.b64decode(steg_line)).decode('ascii')
                diff = get_base64_diff_value(steg_line, norm_line)
                # Each '=' leaves 2 spare bits in the last data character.
                pads_num = steg_line.count('=')
                if diff:
                    bin_str += bin(diff)[2:].zfill(pads_num * 2)
                else:
                    bin_str += '0' * pads_num * 2
        print(goflag(bin_str))


    def goflag(bin_str):
        # Turn the collected bit string into text, 8 bits per character.
        res_str = ''
        for i in range(0, len(bin_str), 8):
            res_str += chr(int(bin_str[i:i + 8], 2))
        return res_str


    if __name__ == '__main__':
        solve_stego()
    
    

    Output: key:"lorrie"
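    How the hidden bits sit in the padding, as an added Python 3 example that is not part of the original writeup: it reads the spare bits of the last data character directly, embeds a secret into constructed cover data, and flags non-canonical lines, which is also how this kind of hiding can be detected. `PAGE_LINES` are the three encoded lines shown above; the cover chunks and the names `spare_bits`, `extract`, `embed` and `non_canonical` are assumptions of the example.

```python
import base64

B64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'

# First three encoded lines shown on the page (the third has no padding).
PAGE_LINES = [
    'KO+9oe+9peKIgO+9pSnvvonvvp7ll6hIaX4gCm==',
    'KO+8oF/vvKA7KSjvvKBf77ygOyko77ygX++8oDspCr==',
    'KCtfKyk/KOOAgj7vuL88KV/OuCjjgII+77i/PClfzrgK',
]

def spare_bits(line):
    """Bits hidden in one line: 2 per '=' taken from the last data character."""
    body = line.strip().rstrip('=')
    nbits = 2 * (len(line.strip()) - len(body))
    if nbits == 0:
        return ''
    return format(B64.index(body[-1]) & ((1 << nbits) - 1), '0%db' % nbits)

def extract(lines):
    """Concatenate the spare bits of all lines and pack them into bytes."""
    bits = ''.join(spare_bits(l) for l in lines)
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits) - len(bits) % 8, 8))

def embed(chunks, secret):
    """Encode each cover chunk, OR-ing secret bits into the zeroed spare bits."""
    bits = ''.join(format(b, '08b') for b in secret)
    out = []
    for chunk in chunks:
        enc = base64.b64encode(chunk).decode('ascii')
        body = enc.rstrip('=')
        nbits = 2 * (len(enc) - len(body))
        if nbits and bits:
            take, bits = bits[:nbits].ljust(nbits, '0'), bits[nbits:]
            enc = body[:-1] + B64[B64.index(body[-1]) | int(take, 2)] + enc[len(body):]
        out.append(enc)
    if bits:
        raise ValueError('cover text has too few padded lines')
    return out

def non_canonical(lines):
    """Detection: indexes of lines that change when decoded and re-encoded."""
    return [i for i, l in enumerate(lines)
            if base64.b64encode(base64.b64decode(l.strip())).decode('ascii') != l.strip()]

if __name__ == '__main__':
    cover = [b'a', b'bcde', b'f', b'ghij', b'k', b'lmno']  # constructed cover data
    stego = embed(cover, b'key')
    print(stego, extract(stego), extract(PAGE_LINES), non_canonical(PAGE_LINES))
```

    The two padded lines from the page carry 4 bits each, which together give the first byte of the recovered key.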

    There is one more layer: SNOW steganography.

    snow>SNOW.EXE -p lorrie D:CTF湖湘杯2020Misc1index-demo.html
    flag{→_→←_←←_←←_←←_← →_→→_→←_←←_←←_← →_→←_←←_←←_← ←_←←_←←_←→_→→_→ ←_←←_←←_← →_→→_→ ←_← ←_←←_←←_←→_→→_→ →_→→_→→_→→_→←_← →_→←_←←_←←_← ←_←←_←←_←←_←←_← ←_ ←→_→→_→→_→→_→ →_→→_→→_→→_→→_→ ←_←←_←←_←←_←←_← ←_←←_←→_→←_← →_→←_←←_←←_← ←_←←_←←_←←_←→_→ ←_←→_→ ←_←←_←→_→→_→→_→ →_→→_→→_→→_→←_← ←_←←_←←_←←_←←_← ←_←←_←←_←→_→→_→ ←_←→_→ →_→→_→→_→→_→→_→ →_→←_←→_→←_← ←_← →_→→_→←_←←_←←_← →_→→_→→_→→_→←_← →_→←_←→_→←_← ←_←←_←←_←→_→→_→ ←_←←_←←_←→_→→_→ →_→→_→←_←←_←←_← →_→→_→→_→←_←←_←}
    
    # For commercial use, please contact the author for authorization. For non-commercial use, please indicate the source.
    # License: Attribution-NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0)
    # Author: Snowywar
    # URL: http://snowywar.top/wordpress/index.php/2020/11/02/hxbwriteup/
    # Source: 魔法少女雪殇
    
    # -*- coding:utf-8 -*-
    import re

    answer = '→_→←_←←_←←_←←_← →_→→_→←_←←_←←_← →_→←_←←_←←_← ←_←←_←←_←→_→→_→ ←_←←_←←_←→_→→_→ ←_← ←_←←_←←_←→_→→_→ →_→→_→→_→→_→←_← →_→←_←←_←←_← ←_←←_←←_←←_←←_← ←_←→_→→_→→_→→_→ →_→→_→→_→→_→→_→ ←_←←_←←_←←_←←_← ←_←←_←→_→←_← →_→←_←←_←←_← ←_←←_←←_←←_←→_→ ←_←→_→ ←_←←_←→_→→_→→_→ →_→→_→→_→→_→←_← ←_←←_←←_←←_←←_← ←_←←_←←_←→_→→_→ ←_←→_→ →_→→_→→_→→_→→_→ →_→←_←→_→←_← ←_← →_→→_→←_←←_←←_← →_→→_→→_→→_→←_← →_→←_←→_→←_← ←_←←_←←_←→_→→_→ ←_←←_←←_←→_→→_→ →_→→_→←_←←_←←_← →_→→_→→_→←_←←_←'
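    tmp = ""
    # Split on spaces: each group of arrow faces is one Morse character.
    answer = answer.split(" ")
    print(answer)
    for element in answer:
        # Every face is 3 characters wide.
        s = re.findall(r'.{3}', element)
        for ele in s:
            if ele == '→_→':
                tmp += "-"   # right-looking face = dash
            if ele == '←_←':
                tmp += "."   # left-looking face = dot
        tmp += '/'
    print(tmp)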
    
    #['→_→←_←←_←←_←←_←', '→_→→_→←_←←_←←_←', '→_→←_←←_←←_←', '←_←←_←←_←→_→→_→', '←_←←_←←_←→_→→_→', '←_←', '←_←←_←←_←→_→→_→', '→_→→_→→_→→_→←_←', '→_→←_←←_←←_←', '←_←←_←←_←←_←←_←', '←_←→_→→_→→_→→_→', '→_→→_→→_→→_→→_→', '←_←←_←←_←←_←←_←', '←_←←_←→_→←_←', '→_→←_←←_←←_←', '←_←←_←←_←←_←→_→', '←_←→_→', '←_←←_←→_→→_→→_→', '→_→→_→→_→→_→←_←', '←_←←_←←_←←_←←_←', '←_←←_←←_←→_→→_→', '←_←→_→', '→_→→_→→_→→_→→_→', '→_→←_←→_→←_←', '←_←', '→_→→_→←_←←_←←_←', '→_→→_→→_→→_→←_←', '→_→←_←→_→←_←', '←_←←_←←_←→_→→_→', '←_←←_←←_←→_→→_→', '→_→→_→←_←←_←←_←', '→_→→_→→_→←_←←_←']
    
    #-..../--.../-.../...--/...--/./...--/----./-.../...../.----/-----/...../..-./-.../....-/.-/..---/----./...../...--/.-/-----/-.-././--.../----./-.-./...--/...--/--.../---../
    
    

    Morse code decodes to 67B33E39B5105FB4A2953A0CE79C3378

    flag: 67b33e39b5105fb4a2953a0ce79c3378

    The Magic of Base64 Steganography; Base64 steganography

    Misc2

    volatility -f WIN-BU6IJ7FI9RU-20190927-152050.raw imageinfo
    volatility -f WIN-BU6IJ7FI9RU-20190927-152050.raw --profile=Win7SP1x86 hashdump
    Volatility Foundation Volatility Framework 2.4
    Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    CTF:1000:aad3b435b51404eeaad3b435b51404ee:0a640404b5c386ab12092587fe19cd02:::
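    # The last two fields are the LM hash (here the empty-password value) and the NT hash of the password
    Reversing 0a640404b5c386ab12092587fe19cd02 (md5 decrypt): qwer1234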
    flag:sha1(qwer1234)=db25f2fc14cd2d2b1e7af307241f548fb03c312a
    

    Misc3

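    Repair the zip with WinRAR, extract mingwen - 副本.txt, then use WinRAR to pack mingwen - 副本.txt into a zip.

    Delete flag.txt from the repaired zip, then run a known-plaintext attack on the repaired zip with ARCHPR, choosing the mingwen - 副本 zip as the plaintext.

    Password: 123%asd!O (viewing flag.txt on its own; extraction did not succeed)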

    Only 5 needed, skip over
    ffd5e341le25b2dcab15cbb}gc3bc5b{789b51
    

    Decrypt with the rail fence cipher:

    flag{febc7d2138555b9ebccb32b554dbb11c}
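    The fence decode carried through on the page's ciphertext, as an added Python 3 example that is not part of the original writeup. It assumes the variant that writes the text column by column into N rows and reads it out row by row (a columnar transposition, not the zigzag rail fence) and searches N for a result shaped like `flag{...}`; the function names are assumptions of the example.

```python
# Ciphertext as given on the page.
CIPHER = 'ffd5e341le25b2dcab15cbb}gc3bc5b{789b51'

def fence_decode(cipher, rows):
    """Undo a fence cipher that filled `rows` rows column by column
    and emitted them row by row."""
    full, extra = divmod(len(cipher), rows)
    # The first `extra` rows hold one character more than the rest.
    lengths = [full + 1 if r < extra else full for r in range(rows)]
    parts, pos = [], 0
    for n in lengths:
        parts.append(cipher[pos:pos + n])
        pos += n
    # Read column by column, skipping rows that have already run out.
    return ''.join(p[c] for c in range(full + 1) for p in parts if c < len(p))

def find_rows(cipher, prefix='flag{'):
    """Try every row count; return (rows, plaintext) for the first hit, else None."""
    for rows in range(2, len(cipher)):
        plain = fence_decode(cipher, rows)
        if plain.startswith(prefix) and plain.endswith('}'):
            return rows, plain
    return None

if __name__ == '__main__':
    print(find_rows(CIPHER))
```

    The search settles on 5 rows, matching the 5 mentioned in the hint line of flag.txt.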

    Known-plaintext attacks on compressed files (misc)

    Misc4

    volatility -f 1.vmem imageinfo
    volatility -f 1.vmem --profile=Win2003SP1x86 hashdump
    volatility -f 1.vmem --profile=Win2003SP1x86 filescan | grep .txt
    volatility -f 1.vmem --profile=Win2003SP1x86 dumpfiles -Q 0x000000000412cde0 --dump-dir=.
    
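    Dump file.txt and open it with Notepad on Windows:
    What? The computer has been logged into by an unknown account again? This user clearly does not appear in Computer Management, so why can it still log in? Can you, sitting at the computer, help me find the cause? The flag is the md5 of this user's username and password.
    
    Format: md5(username:password)    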
    
    https://blog.csdn.net/q851579181q/article/details/109454629
    
    
    


  • Original article: https://www.cnblogs.com/qing123tian/p/13921522.html