Preface:
A while ago I played this year's Red Hat Cup. The challenge quality was high and worth writing up.
Challenges: https://github.com/DrsEeker/redhat2019
0x01: Advertising for marriage
The challenge is a RAW file of 500-odd MB, so this is a memory forensics challenge; analyze it with the memory forensics tool Volatility:
Usage: volatility -f [imgfile] [command]
The image turns out to be Windows XP SP2. List the processes:
volatility -f [imgfile] --profile=WinXPSP2x86 psscan
Two suspicious processes show up: notepad.exe (Notepad) and mspaint.exe (Paint).
Read the Notepad contents: volatility -f [imgfile] --profile=WinXPSP2x86 notepad
It shows the hint: ????needmoneyandgirlfirend (as an aside, girlfriend is misspelled here)
The first four characters are unknown, so dump the Paint process:
volatility -f [imgfile] --profile=WinXPSP2x86 memdump -p [pid] --dump-dir [outdir]
Load the dump into GIMP as raw image data (rename the extension to .data first). The procedure:
The offset controls where in the dump the image starts; height and width set the resolution. First adjust the height to a sensible value, then the width, then fine-tune the offset, and the image the process held in memory appears.
Hint: each width/height pair is one resolution, and different resolutions render the same bytes as different pictures.
After plenty of trial and error, setting the width to 960 shows:
The picture is mirrored; this is the Paint canvas as it lies in memory. Flipping it reveals the four characters b1cx, which together with the hint from Notepad gives: b1cxneedmoneyandgirlfirend
Nothing so far points straight at the flag, so change direction and look at what is on the desktop:
volatility -f [imgfile] --profile=[imgversion] filescan | grep [arg]
The desktop holds DumpIt.exe (the program that produced the memory dump, i.e. our challenge file), HP-xxxx.raw (the raw file that is our challenge file) and vegetable.png (suspicious; dump it and have a look)
volatility -f [imgfile] --profile=[imgversion] dumpfiles -Q [file_offset] --dump-dir [outdir]
Open the dumped image:
Opening it fails with a CRC error, which suggests the height or width was altered. Brute-forcing the CRC gives the correct height:
The script:
# -*- coding: utf-8 -*-
import binascii
import struct

crc32key = 0xB80A1736   # CRC stored in the IHDR chunk of the dumped PNG
height = 0
width = 0x11f           # width from the IHDR chunk, assumed correct

for i in range(0, 0xffff):
    height = struct.pack('>i', i)
    # width = struct.pack('>i', i)
    # brute-force the height (IHDR = 'IHDR' + width + height + bit depth/colour type/compression/filter/interlace)
    data = b'\x49\x48\x44\x52' + struct.pack('>i', width) + height + b'\x08\x06\x00\x00\x00'
    # brute-force the width instead
    # data = b'\x49\x48\x44\x52' + width + struct.pack('>i', height) + b'\x08\x06\x00\x00\x00'
    crc32result = binascii.crc32(data) & 0xffffffff
    if crc32result == crc32key:
        print(height.hex().upper())
Patch the value in 010 Editor and the image opens:
It shows a blurred flag. binwalk finds nothing, so suspect LSB steganography and use the cloacked-pixel tool:
python extract [infile] [outfile] [pass]
The output is
and Base64-decoding it gives:
Virginia ciphertext:gnxtmwg7r1417psedbs62587h0
This is a Vigenère cipher. Since a Vigenère key can only contain letters, remove the 1 from b1cxneedmoneyandgirlfirend and decrypt,
which gives
flag : flagisd7f1417bfafbf62587e0
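As an added example (not part of the original writeup), a Vigenère decryptor that leaves non-letters in place without consuming a key letter, which is the convention that turns the ciphertext above into the flag; the key and ciphertext are taken from the writeup, and dropping the stray 1 from the key is done by the letter filter.

```python
import string

ALPHA = string.ascii_lowercase


def vigenere_decrypt(ciphertext: str, key: str) -> str:
    """Decrypt a Vigenère ciphertext.

    Non-letters (here the digits) are passed through unchanged and do NOT
    advance the key stream, matching the behaviour of common online tools.
    """
    key_letters = [c for c in key.lower() if c in ALPHA]  # a Vigenère key holds letters only
    if not key_letters:
        raise ValueError("key must contain at least one letter")
    out = []
    k = 0
    for ch in ciphertext.lower():
        if ch in ALPHA:
            shift = ALPHA.index(key_letters[k % len(key_letters)])
            out.append(ALPHA[(ALPHA.index(ch) - shift) % 26])
            k += 1
        else:
            out.append(ch)
    return "".join(out)


def solve_advertising_for_marriage() -> str:
    # Hint recovered from the notepad and mspaint memory; the '1' is filtered out above
    key = "b1cxneedmoneyandgirlfirend"
    ciphertext = "gnxtmwg7r1417psedbs62587h0"
    return vigenere_decrypt(ciphertext, key)


if __name__ == "__main__":
    print(solve_advertising_for_marriage())
```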
0x02: Foul-smelling packets
The challenge is a cap file, so this is traffic analysis; open it in Wireshark:
It is 802.11 wireless traffic, so we need aircrack-ng to crack its password:
aircrack-ng -w password.txt -b [MAC] [capfile]
The cracked password is 12345678
Then decrypt the cap file:
airdecap-ng [capfile] -e [ESSID] -p [pass]
The decrypted capture is cacosmia_dec.cap; open it in Wireshark:
Now it is a capture that can be analyzed.
Export the HTTP objects:
There is an image:
Running binwalk on it shows:
An archive is appended to it; carve it out with foremost:
It contains flag.txt, but password-protected. The pseudo-encryption trick got nowhere, and brute-forcing with azpr got nowhere either, so back to the capture for more information.
In the HTTP request that uploads this image, the cookie is a JWT, so decode it:
The payload carries the hint: for safety, I set the password to a site I just pinged.
So look at the pings: before pinging a domain name, the host must resolve it via DNS, so filter on the DNS protocol:
After trying a few of the domains, the archive password turns out to be the last one: 26rsfb.dnslog.cn
Unzip it to get the flag:
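As an added example (not from the original writeup), the JWT decoding step above done by hand: the header and payload are only base64url-encoded JSON, readable by anyone who holds the cookie, while the HS256 signature only lets the issuer detect tampering. The token, secret and payload here are constructed for the example and are not the cookie from the capture.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64url padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_unverified(token: str) -> tuple:
    """Return (header, payload) without checking the signature.

    Both parts are plain base64url JSON, so a JWT payload must never carry
    secrets: that is exactly why the challenge hint was visible in the capture.
    """
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def verify_hs256(token: str, secret: bytes) -> bool:
    """HS256 gives the issuer integrity, not confidentiality."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def make_hs256_token(payload: dict, secret: bytes) -> str:
    # Builds a constructed sample token; not the cookie from the capture
    header = {"alg": "HS256", "typ": "JWT"}
    head_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    body_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    return f"{head_b64}.{body_b64}.{b64url_encode(sig)}"


# Constructed demo values (secret and payload are made up for this example)
DEMO_SECRET = b"constructed-demo-secret"
DEMO_TOKEN = make_hs256_token(
    {"user": "guest", "hint": "password is the site I just pinged"}, DEMO_SECRET)

if __name__ == "__main__":
    print(decode_jwt_unverified(DEMO_TOKEN), verify_hs256(DEMO_TOKEN, DEMO_SECRET))
```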
0x03: Toy car
This one needs a big leap of imagination. The challenge is an archive with a dozen-odd wav files and two microcontroller schematics. At first I took it for an audio analysis challenge; the spectrogram looked like Morse code, but trying that led nowhere.
So I re-read the challenge to see what the car was doing, and figured the task might be to reconstruct the car's path.
Looking up the car's model turned up an operating manual,
which matches the wav files we were given, so we write a script to output the signal level on each pin:
#-*- coding:utf-8 -*-
import wave
import numpy as np

filename = 'L293_1_A1'
wavfile = wave.open(filename + '.wav', 'rb')
params = wavfile.getparams()
nchannels, sampwidth, framerate, nframes = params[:4]
sig = wavfile.readframes(nframes)
sig = np.frombuffer(sig, dtype=np.short)

# sample the level once per second (every framerate frames): high -> '1', low -> '0'
seq = ''
for i in range(0, len(sig), framerate):
    if sig[i] > 1000:
        seq += "1"
    else:
        seq += "0"

file = open(filename + '.txt', 'w')
file.write(seq)
file.close()
Then, from the pin levels, simulate the car's path:
The script:
#-*- coding:utf-8 -*-
import turtle

# one character per second for each L293 pin, taken from the previous script's output
L_1_A1='11110011011001101101101100110110111100011110011011011011011001101111100110001101101111001101100011110110110101111010111100011011011001101101101111000110110110011110100110111100011110001111011011110011011000111101101101100111101001101101100101100100111111110001101100011011011011110001111001101101011101101001101101011110101111000110110110110101110110100110110110011110100110111100011110011011110001111011000110111101101101101101101101101100110111100001111011011010111011010011011111000110110001101101101101100101100100111111010111100011011011011011011011001101111100011011000110110110111100011110001111011011110011011000111101101101101111000110110110011011101011110001101101101111100011011000110110110111100011110110001101111011011011010111101011110001101111000111100110110111011110000110'
L_1_A2='00001100100110010010010011001001000011100001100100100100100110010000011001110010010000110010011100001001001010000101000011100100100110010010010000111001001001100001011001000011100001110000100100001100100111000010010010011000010110010010011010011011000000001110010011100100100100001110000110010010100010010110010010100001010000111001001001001010001001011001001001100001011001000011100001100100001110000100111001000010010010010010010010010011001000011110000100100101000100101100100000111001001110010010010010011010011011000000101000011100100100100100100100110010000011100100111001001001000011100001110000100100001100100111000010010010010000111001001001100100010100001110010010010000011100100111001001001000011100001001110010000100100100101000010100001110010000111000011001001000100001111001'
L_1_B1='11011110001111000110111100011011110110110011001101111110001100111110111100000110111101111000110110011011011111001111100110001101111000110111111001100011011110110011000011110110110011011001101111011110001101100110110111101100110000110110110000010111101111011011010110110001101111011011001100110111110100111000110111110011111001100011011011011111010011100011011110110011000011110110110011001111011011001101101101100110110110110110111111000110011110110011001101101111101001110001111101101101011011000110110110110000010111101101111100110110001101101111110001100111110110110101101100011011110110110011011001101111011110001101100110110111111001100011011110001110111110011011000110111110110110101101100011011110110110011011011011001101101101111100111110011000111101101100110011011111110011000011'
L_1_B2='00100001110000111001000011100100001001001100110010000001110011000001000011111001000010000111001001100100100000110000011001110010000111001000000110011100100001001100111100001001001100100110010000100001110010011001001000010011001111001001001111101000010000100100101001001110010000100100110011001000001011000111001000001100000110011100100100100000101100011100100001001100111100001001001100110000100100110010010010011001001001001001000000111001100001001100110010010000010110001110000010010010100100111001001001001111101000010010000011001001110010010000001110011000001001001010010011100100001001001100100110010000100001110010011001001000000110011100100001110001000001100100111001000001001001010010011100100001001001100100100100110010010010000011000001100111000010010011001100100000001100111100'
L_1_EnA='11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111011111111111111111111111111111111111111111111111111111101111110111111111110000000000000101111111101111111011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111110111111101111111111110000000000000111111111111111111111111111111111111111011111111011111110111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111011111111011111110111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111'
L_1_EnB='11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111011111111111111111111111111111111111111111111111111111101111110111111111110000000000000101111111101111111011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111110111111101111111111110000000000000111111111111111111111111111111111111111011111111011111110111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111011111111011111110111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111'
L_2_A1='11110011011001101101101100110110111100011110011011011011011001101111100110001101101111001101100011110110110101111010111100011011011001101101101111000110110110011110100110111100011110001111011011110011011000111101101101100111101001101101100101100100111111110001101100011011011011110001111001101101011101101001101101011110101111000110110110110101110110100110110110011110100110111100011110011011110001111011000110111101101101101101101101101100110111100001111011011010111011010011011111000110110001101101101101100101100100111111010111100011011011011011011011001101111100011011000110110110111100011110001111011011110011011000111101101101101111000110110110011011101011110001101101101111100011011000110110110111100011110110001101111011011011010111101011110001101111000111100110110111011110000110'
L_2_A2='00001100100110010010010011001001000011100001100100100100100110010000011001110010010000110010011100001001001010000101000011100100100110010010010000111001001001100001011001000011100001110000100100001100100111000010010010011000010110010010011010011011000000001110010011100100100100001110000110010010100010010110010010100001010000111001001001001010001001011001001001100001011001000011100001100100001110000100111001000010010010010010010010010011001000011110000100100101000100101100100000111001001110010010010010011010011011000000101000011100100100100100100100110010000011100100111001001001000011100001110000100100001100100111000010010010010000111001001001100100010100001110010010010000011100100111001001001000011100001001110010000100100100101000010100001110010000111000011001001000100001111001'
L_2_B1='11011110001111000110111100011011110110110011001101111110001100111110111100000110111101111000110110011011011111001111100110001101111000110111111001100011011110110011000011110110110011011001101111011110001101100110110111101100110000110110110000010111101111011011010110110001101111011011001100110111110100111000110111110011111001100011011011011111010011100011011110110011000011110110110011001111011011001101101101100110110110110110111111000110011110110011001101101111101001110001111101101101011011000110110110110000010111101101111100110110001101101111110001100111110110110101101100011011110110110011011001101111011110001101100110110111111001100011011110001110111110011011000110111110110110101101100011011110110110011011011011001101101101111100111110011000111101101100110011011111110011000011'
L_2_B2='00100001110000111001000011100100001001001100110010000001110011000001000011111001000010000111001001100100100000110000011001110010000111001000000110011100100001001100111100001001001100100110010000100001110010011001001000010011001111001001001111101000010000100100101001001110010000100100110011001000001011000111001000001100000110011100100100100000101100011100100001001100111100001001001100110000100100110010010010011001001001001001000000111001100001001100110010010000010110001110000010010010100100111001001001001111101000010010000011001001110010010000001110011000001001001010010011100100001001001100100110010000100001110010011001001000000110011100100001110001000001100100111001000001001001010010011100100001001001100100100100110010010010000011000001100111000010010011001100100000001100111100'
L_2_EnA='11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111011111111111111111111111111111111111111111111111111111101111110111111111110000000000000101111111101111111011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111110111111101111111111110000000000000111111111111111111111111111111111111111011111111011111110111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111011111111011111110111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111'
L_2_EnB='11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111011111111111111111111111111111111111111111111111111111101111110111111111110000000000000101111111101111111011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111110111111101111111111110000000000000111111111111111111111111111111111111111011111111011111110111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111011111111011111110111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111'

path = ''     # 1 = forward, 2 = backward, 3 = turn left, 4 = turn right
front_1 = ''  # 1 = forward rotation, 2 = reverse, 0 = stopped
front_2 = ''
back_1 = ''
back_2 = ''

def motor_state(en, in1, in2):
    # one L293 channel: EN low -> stopped; IN1/IN2 = 1/0 -> forward, 0/1 -> reverse, otherwise stopped
    if en != '1':
        return 0
    if in1 == '1' and in2 == '0':
        return 1
    if in1 == '0' and in2 == '1':
        return 2
    return 0

for i in range(0, len(L_1_EnA)):
    front_1 = motor_state(L_1_EnA[i], L_1_A1[i], L_1_A2[i])
    front_2 = motor_state(L_1_EnB[i], L_1_B1[i], L_1_B2[i])
    back_1 = motor_state(L_2_EnA[i], L_2_A1[i], L_2_A2[i])
    back_2 = motor_state(L_2_EnB[i], L_2_B1[i], L_2_B2[i])
    if front_1 == 1 and front_2 == 1 and back_1 == 1 and back_2 == 1:
        path += '1'
    elif front_1 == 2 and front_2 == 2 and back_1 == 2 and back_2 == 2:
        path += '2'
    elif front_1 == 2 and front_2 == 1 and back_1 == 2 and back_2 == 1:
        path += '3'
    elif front_1 == 1 and front_2 == 2 and back_1 == 1 and back_2 == 2:
        path += '4'
    else:
        path += '5'

# draw the path: 5 units per second of motion, 90 degrees per turn
turtle.left(90)
for i in path:
    if i == '1':
        turtle.forward(5)
    elif i == '2':
        turtle.backward(5)
    elif i == '3':
        turtle.left(90)
    elif i == '4':
        turtle.right(90)
turtle.mainloop()
Summary:
The misc challenges in this year's Red Hat Cup took some wild leaps of imagination, but the quality was high and I learned a lot of new things. Nice!