首届“网刃杯”网络安全大赛部分WP
这是之前打比赛写的WP,供大家参考
藏在S7里的秘密
1.修复流量包
下载流量包打开后发现提示错报
The file"S7.pcap" isn’t a capture file in a format Wireshark understands.
所以我们找修复流量包的工具
http://f00l.de/hacking/pcapfix.php
修复完毕成功打开,审查流量包
藏在S7里的秘密
2.寻找有用信息
发现里面有PNG图片
尝试用tshark抓取出来
tshark -r C:\Users\XINO\Desktop\hSPdjGhhyQXX52qq.pcap -T fields -e s7comm.resp.data -Y "s7comm.param.func == 0x05 and ip.src==192.168.139.1" > png.txt
打开png.txt文件
复制后将其放进010保存为PNG
3.修改图片高度
图片没有显示完整,我们接着用010修改其高度
flag{FSfeQefjg}
老练的黑客
分析问题查看流量并分析,猜测问题出自modbus协议中
1.过滤出modbus协议流量
根据
2021CTF工业信息安全技能大赛-损坏的风机中找错误值的方法,我们对流量包进行审查
2.寻找被修改的错误值
我们审查流量包后,在1198行发现错误的data数据
因为答案是被修改的错误值和之前的转速,我们找修改之前的值
3.寻找被修改前的值
经过不断寻找发现在1209行有个4500的转数数据
我们将其hex值拼接即为flag
flag{22b81194}
baby-usb
下载下来是两个文件,一个流量包,一个需要解密的文档,推测需要在流量包里找到密码解开
我们审查一下流量包
1.找有用信息
审查下来发现是键盘流量,键盘流量的数据长度为8个字节,其中有关击键的信息在第三字节(十六进制表示)
于是我们用tshark命令提取对应的Leftover Capture Data域中数据
tshark -r /home/kali/桌面/key.pcapng -T fields -e usb.capdata | sed '/^\s*$/d' > usbdata.txt
分出一个usbdata.txt
我们打开后是一串
2.脚本处理
网上找个脚本,为其加上冒号
f=open('usbdata.txt','r')
fi=open('out.txt','w')
while 1:
a=f.readline().strip()
if a:
if len(a)==16: # 鼠标流量的话len改为8
out=''
for i in range(0,len(a),2):
if i+2 != len(a):
out+=a[i]+a[i+1]+":"
else:
out+=a[i]+a[i+1]
fi.write(out)
fi.write('\n')
else:
break
fi.close()
得到out.txt文件
3.提取出键盘流量后用脚本还原数据对应的信息
网上找的脚本
normalKeys = {
"04":"a", "05":"b", "06":"c", "07":"d", "08":"e",
"09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j",
"0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o",
"13":"p", "14":"q", "15":"r", "16":"s", "17":"t",
"18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y",
"1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4",
"22":"5", "23":"6","24":"7","25":"8","26":"9",
"27":"0","28":"" ,"29":"" ,"2a":"", "2b":"\t",
"2c":"" ,"2d":"-","2e":"=","2f":"[","30":"]","31":"\\",
"32":"" ,"33":";","34":"'","35":"" ,"36":",","37":".",
"38":"/","39":"" ,"3a":"" ,"3b":"" , "3c":"" ,"3d":"" ,
"3e":"" ,"3f":"" ,"40":"" ,"41":"" ,"42":"" ,"43":"" ,
"44":"" ,"45":"" }
shiftKeys = {
"04":"A", "05":"B", "06":"C", "07":"D", "08":"E",
"09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J",
"0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O",
"13":"P", "14":"Q", "15":"R", "16":"S", "17":"T",
"18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y",
"1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$",
"22":"%", "23":"^","24":"&","25":"*","26":"(","27":")",
"28":"" ,"29":"" ,"2a":"", "2b":"\t","2c":"" ,
"2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"" ,"33":"\"",
"34":":","35":"" ,"36":"<","37":">","38":"?","39":"" ,"3a":"" ,
"3b":"" , "3c":"" ,"3d":"" ,"3e":"" ,"3f":"" ,"40":"" ,
"41":"" ,"42":"" ,"43":"" ,"44":"" ,"45":"" }
output = []
keys = open('out.txt')
for line in keys:
try:
if line[0]!='0' or (line[1]!='0' and line[1]!='2') or line[3]!='0' or line[4]!='0' or line[9]!='0' or line[10]!='0' or line[12]!='0' or line[13]!='0' or line[15]!='0' or line[16]!='0' or line[18]!='0' or line[19]!='0' or line[21]!='0' or line[22]!='0' or line[6:8]=="00":
continue
if line[6:8] in normalKeys.keys():
output += [[normalKeys[line[6:8]]],[shiftKeys[line[6:8]]]][line[1]=='2']
else:
output += ['[unknown]']
except:
pass
keys.close()
flag=0
print("".join(output))
for i in range(len(output)):
try:
a=output.index('')
del output[a]
del output[a-1]
except:
pass
for i in range(len(output)):
try:
if output[i]=="" :
flag+=1
output.pop(i)
if flag==2:
flag=0
if flag!=0:
output[i]=output[i].upper()
except:
pass
print ('output :' + "".join(output))
稍微修改一下即可运行
> ct<DEL>onh<DEL>gratue<DEL>latioke<DEL><DEL>nsonfiny<DEL>dingmebutiwii<DEL>llns<DEL>ottellyouwheretqa<DEL><DEL>hepz<DEL>asswordws<DEL><DEL>ox<DEL>fwe<DEL>od<DEL>rddoc<DEL>cumentisgoarfv<DEL><DEL><DEL>ndfinditagain
> output
> :congratulationsonfindingmebutiwillnottellyouwherethepasswordofworddocumentisgoandfinditagain
顺着输入一遍就会发现被删除的即为key
The key is qazwsxedcrfv
我们就可以打开word
flag{685b42b0-da3d-47f4-a76c-0f3d07ea962a}
mspaint
下载压缩包解压后发现是个.raw后缀的文件,于是我们用取证工具查看下有啥重要信息
1.用取证工具找有用信息
先看一下系统
volatility -f /root/桌面/mspaint.raw imageinfo
找到版本后我们接着查看进程,看看是否有提示点
volatility -f /root/桌面/mspaint.raw --profile=Win7SP1x64 pslist
之后经过提示我们查看一下浏览器历史记录
volatility -f /root/桌面/mspaint.raw --profile=Win7SP1x64 iehistory
发现有个名字为key的图片,我们接着把它dump下来
volatility -f mspaint.raw --profile=Win7SP1x64 filescan | grep key.png
只有四个字符hack
猜测是某个解密密码,因为之前看浏览记录是有个百度网盘链接,于是我们试试这个
成功发现一个压缩包
下载后是个flag.exe加密文件还是需要密码
返回虚拟机继续找有用信息
dump一个名为dump.exe的文件
volatility -f /root/桌面/mspaint.raw --profile=Win7SP1x64 memdump -p 1064 -D ./
之后发现可以用图像处理工具GIMP打开
之后反复测试找到信息
q2A!~R%8
即为解压密码
我们打开flag.exe
2.逆写脚本
经过逆向得到
key = 'xxxxxxxxxxxxxxx'
flag = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
data = ''
for i in range(0, len(flag)):
data += hex(ord(flag[i]) ^ ord(key[(i % 15)]))[2:].zfill(2)
else:
print(data.upper())
data = '12045014240343684450506E5E1E1C165D045E6B52113C5951006F091E4F4C0C54426A52466A165B0122'
我们缺一个key于是回去看
volatility -f /root/桌面/mspaint.raw --profile=Win7SP1x64 cmdscan
根据提示看截屏
volatility -f /root/桌面/mspaint.raw --profile=Win7SP1x64 screenshot -D ./
key = ['t','h','1','s','_','1','s','_','t','h','3','_','k','3','y']
flag = ''
for i in range(0,42):
flag += chr(data[i] ^ ord(key[(i % 15)]))
print(flag)
//flag{20708c15-eb55-4cbc-930b-68de15c55b32}
签到
两个txt文件,其中内容两个分别为
010查看和kali查看flag.txt后发现可能存在零宽度字符隐写
解码网站解密一下
the key is md5(myself)
接着我们md5加密一下flag.txt本身文件
f71b6b842d2f0760c3ef74911ffc7fdb
flag{WelY0me_2_bOl3an}