[CTF]-蓝帽杯2022复现
[CTF]-蓝帽杯2022复现
- 电子取证
-
- 手机取证-1
- 手机取证-2
- 网站取证1
- 网站取证2
- 网站取证3
- 网站取证4
- 计算机取证1
- 计算机取证2
- Misc
-
- domainhacker
- domainhacker2
电子取证
手机取证-1
打开.exe文件
![[CTF]-蓝帽杯2022复现_第1张图片](http://img.e-com-net.com/image/info8/f804faaf50aa43d08b4712af13e8186e.jpg)
搜索文件
627604C2-C586-48C1-AA16-FF33C3022159.PNG
![[CTF]-蓝帽杯2022复现_第2张图片](http://img.e-com-net.com/image/info8/24cecf15567e4601b3f72e3829a1b41b.jpg)
![[CTF]-蓝帽杯2022复现_第3张图片](http://img.e-com-net.com/image/info8/e6b863eb968f48918c0dd18015ad6086.jpg)
导出文件,查看属性
![[CTF]-蓝帽杯2022复现_第4张图片](http://img.e-com-net.com/image/info8/425ba639c5134b109382cfe3f1ce9be8.jpg)
360x360
手机取证-2
搜索姜总
![[CTF]-蓝帽杯2022复现_第5张图片](http://img.e-com-net.com/image/info8/f247c490689b466fa5a0b7370238bfb8.jpg)
![[CTF]-蓝帽杯2022复现_第6张图片](http://img.e-com-net.com/image/info8/3738ed059904496ca1de4c5ec8f54334.jpg)
聊天记录中找到
SF1142358694796
网站取证1
打开是个thinkphp5的框架,要求是找后门
使用D盾扫描后门
![[CTF]-蓝帽杯2022复现_第7张图片](http://img.e-com-net.com/image/info8/111783a21be54fc6bc290fb650f074ca.jpg)
找到第一个代码段
![[CTF]-蓝帽杯2022复现_第8张图片](http://img.e-com-net.com/image/info8/efcb826a474f4b12978ca18ee8d16486.jpg)
lanmaobei666
网站取证2
加密文件 encrypt.php
<?php
function my_encrypt(){
$str = 'P3LMJ4uCbkFJ/RarywrCvA==';
$str = str_replace(array("/r/n", "/r", "/n"), "", $str);
$key = 'PanGuShi';
$iv = substr(sha1($key),0,16);
$td = mcrypt_module_open(MCRYPT_RIJNDAEL_128,"",MCRYPT_MODE_CBC,"");
mcrypt_generic_init($td, "PanGuShi", $iv);
$decode = base64_decode($str);
$dencrypted = mdecrypt_generic($td, $decode);
mcrypt_generic_deinit($td);
mcrypt_module_close($td);
$dencrypted = trim($dencrypted);
return $dencrypted;
}
是AES加密算法
![[CTF]-蓝帽杯2022复现_第9张图片](http://img.e-com-net.com/image/info8/c56a87dab54149d3b2db8a81cc51c7c7.jpg)
KBLT123
网站取证3
![[CTF]-蓝帽杯2022复现_第10张图片](http://img.e-com-net.com/image/info8/1507934e5d4e4724bb0a953d2f40a494.jpg)
jyzg123456
网站取证4
将2022-04-02 00:00:00-2022-04-18 23:59:59的张宝和王子豪的记录取出来,还有汇率取出来放着
![[CTF]-蓝帽杯2022复现_第11张图片](http://img.e-com-net.com/image/info8/d271997cff8b4aa9af09639b6b9c1b12.jpg)
汇率
0.04,0.06,0.05,0.07,0.10,0.15,0.17,0.23,0.22,0.25,0.29,0.20,0.28,0.33,0.35,0.35,0.37
# exp
import base64
import hashlib
sum = 0
p = [0.04,0.06,0.05,0.07,0.10,0.15,0.17,0.23,0.22,0.25,0.29,0.20,0.28,0.33,0.35,0.35,0.37]
with open('./data.txt','r',encoding="utf-8") as f:
d = f.readlines()
for i in range(len(d)):
key = hashlib.md5(b'jyzg123456').hexdigest()
x = 0
char = ''
s = ''
if d[i].strip().split()[6] == '5,' and d[i].strip().split()[7] == '3,':
data = base64.b64decode(d[i].strip().split()[-1])
date = int(d[i].strip().split()[4][9:11]) - 2
for i in range(len(data)):
if x == len(key):
x = 0
char += key[x:x + 1]
x += 1
for i in range(len(data)):
if ord(data[i:i + 1]) < ord(char[i:i + 1]):
s += chr(ord(data[i:i + 1]) + 256 - ord(char[i:i + 1]))
else:
s += chr(ord(data[i:i + 1]) - ord(char[i:i + 1]))
sum += float(s) * p[date]
else:
continue
print(sum)
计算机取证1
![[CTF]-蓝帽杯2022复现_第12张图片](http://img.e-com-net.com/image/info8/0c70189af78b4494aa5cd0b2dce3520f.jpg)
taqi7:1000:aad3b435b51404eeaad3b435b51404ee:7f21caca5685f10d9e849cc84c340528:::
![[CTF]-蓝帽杯2022复现_第13张图片](http://img.e-com-net.com/image/info8/9d9397b4c628444897d2d124dcec506e.jpg)
anxinqi
计算机取证2
volatility -f 1.dmp --profile=Win7SP1x64 pslist
![[CTF]-蓝帽杯2022复现_第14张图片](http://img.e-com-net.com/image/info8/bcf517de56c64c14a37e004aa831b4c1.jpg)
0xfffffa800f103b30 MagnetRAMCaptu 2192 2044 16 333 1 1 2022-04-28 05:54:30 UTC+0000
2192
Misc
domainhacker
搜http流 ,有个rar流量包
![[CTF]-蓝帽杯2022复现_第15张图片](http://img.e-com-net.com/image/info8/5f54adfe9d124750bb7d45cacc2dff27.jpg)
![[CTF]-蓝帽杯2022复现_第16张图片](http://img.e-com-net.com/image/info8/334b18943e4249aaa96a853bef03a681.jpg)
导出rar文件
![[CTF]-蓝帽杯2022复现_第17张图片](http://img.e-com-net.com/image/info8/826a3d61416e4ed696c9d0768365c090.jpg)
![[CTF]-蓝帽杯2022复现_第18张图片](http://img.e-com-net.com/image/info8/d72bcd8bdda444e88b3e0d06b4a86dc5.jpg)
用010打开,把冗余的部分删掉,保存为.rar
![[CTF]-蓝帽杯2022复现_第19张图片](http://img.e-com-net.com/image/info8/85081815c93549e0a92ba1decbf1605e.jpg)
![[CTF]-蓝帽杯2022复现_第20张图片](http://img.e-com-net.com/image/info8/b2245d005a194c238d56740a322cb8f3.jpg)
里面有个1.txt,需要解压密码
密码在 13 流中
![[CTF]-蓝帽杯2022复现_第21张图片](http://img.e-com-net.com/image/info8/1339cc2720c943eaade4499d17203303.jpg)
有一段base64
YNY2QgL2QgImM6XFxXaW5kb3dzXFxUZW1wIiZyYXIuZXhlIGEgLVBTZWNyZXRzUGFzc3cwcmRzIDEucmFyIDEudHh0JmVjaG8gZWZhOTIzYmE1MDQmY2QmZWNobyAxYTRiZTg4MTVlZjg%3D
但是无法解码
然后是要前面加上几个字符
eeYNY2QgL2QgImM6XFxXaW5kb3dzXFxUZW1wIiZyYXIuZXhlIGEgLVBTZWNyZXRzUGFzc3cwcmRzIDEucmFyIDEudHh0JmVjaG8gZWZhOTIzYmE1MDQmY2QmZWNobyAxYTRiZTg4MTVlZjg%3D&yee092cda97a62
![[CTF]-蓝帽杯2022复现_第22张图片](http://img.e-com-net.com/image/info8/3f1a403f8e5545e490a905b267b7033b.jpg)
cd /d "c:\\Windows\\Temp"&rar.exe a -PSecretsPassw0rds 1.rar 1.txt&echo efa923ba504&cd&echo 1a4be8815ef87
密码是
SecretsPassw0rds
![[CTF]-蓝帽杯2022复现_第23张图片](http://img.e-com-net.com/image/info8/0162bb63f54143dea47238de4acf9a16.jpg)
flag{416f89c3a5deb1d398a1a1fce93862a7}
domainhacker2
解压有两个文件
misc-2.pcapng
ntds.rar
在流 27 中发现密码
![[CTF]-蓝帽杯2022复现_第24张图片](http://img.e-com-net.com/image/info8/e339e3c6e66c4038a50d9150146496b6.jpg)
![[CTF]-蓝帽杯2022复现_第25张图片](http://img.e-com-net.com/image/info8/d1dcf741d78d43269b0def1b97e5af6d.jpg)
cd /d "c:\\Windows\\Temp"&rar.exe a -PFakePassword123$ ntds.rar new&echo 1d3632&cd&echo 78bc462ab
密码
FakePassword123$
解压得到文件
![[CTF]-蓝帽杯2022复现_第26张图片](http://img.e-com-net.com/image/info8/22b85ed5e6844fb58d24d53d7e8068d0.jpg)
利用secretsdump.py
python .\secretsdump.py -system SYSTEM -ntds .\ntds.dit LOCAL -history
![[CTF]-蓝帽杯2022复现_第27张图片](http://img.e-com-net.com/image/info8/b56555675d744a71947ecf010011dbf1.jpg)
flag{07ab403ab740c1540c378b0f5aaa4087}