buuoj_misc


[RoarCTF2019]forensic

Drag the raw file into Kali and first look at the image information:

volatility -f /root/mem.raw imageinfo

Use the suggested profile, Win7SP1x86. First look at the processes in memory:

volatility -f /root/mem.raw pslist --profile=Win7SP1x86

 

A few processes are worth paying attention to:

TrueCrypt.exe    ---a disk encryption tool

notepad.exe      ---the Windows notepad

mspaint.exe      ---the Windows paint tool

DumpIt.exe       ---a memory image acquisition tool

Use the userassist command to look at the UserAssist records captured in memory; notepad and mspaint have no data in memory:

volatility -f /root/mem.raw --profile=Win7SP1x86 userassist

Now scan for files:

volatility -f /root/mem.raw --profile=Win7SP1x86 filescan |grep -E 'png|jpg|gif|zip|rar|7z|pdf|txt|doc'

無標題.png ("Untitled.png") is the default file name used by Windows Paint.

Dump the image:

volatility -f /root/mem.raw --profile=Win7SP1x86 dumpfiles -Q 0x000000001efb29f8 --dump-dir=/root/111

This should be the password; keep it for later use:

1YxfCQ6goYBD6Q

Now scan for files on the Desktop:

volatility -f /root/mem.raw --profile=Win7SP1x86 filescan | grep "Desktop"

By default DumpIt.exe writes its output to a file named {hash}.raw, saved in the directory DumpIt.exe is run from.

LETHALBE3A-20190916-135515.raw is the file generated by DumpIt.exe; dump it and take a look:

volatility -f /root/mem.raw --profile=Win7SP1x86 dumpfiles -Q 0x000000001fca1130 --dump-dir=/root/111

It contains no data, which means DumpIt.exe was still running when the memory was acquired, so dump the process memory of DumpIt.exe instead:

volatility -f /root/mem.raw --profile=Win7SP1x86 memdump -p 3380 -D /root/111

Analyse the memory dump of DumpIt.exe:

foremost 3380.dmp

This carves out an encrypted archive containing flag.txt; the password is the text from the image, 1YxfCQ6goYBD6Q.

flag.txt contains RoarCTF{wm_D0uB1e_TC-cRypt}
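foremost finds the archive in the process dump by scanning for file signatures (magic bytes) and cutting out everything up to the format's end marker. The Python script below is an added illustration of that carving step and is not part of the original writeup or of foremost: it builds a constructed stand-in for a memory dump (filler bytes around a tiny PNG and a ZIP holding a flag.txt with a made-up flag), carves both files by their magic bytes (PNG signature to IEND chunk, ZIP local file header to end-of-central-directory record), and lists the archive members together with their encryption flag. The challenge archive was password protected; the sample one is not, because Python's zipfile can only read (with pwd=, ZipCrypto only) and not write encrypted archives.

```python
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ZIP_LFH = b"PK\x03\x04"     # local file header: first bytes of a ZIP archive
ZIP_EOCD = b"PK\x05\x06"    # end of central directory record: last structure of a ZIP archive


def _png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Length + type + data + CRC32(type + data), the PNG chunk layout."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_dump() -> bytes:
    """Constructed stand-in for a process dump: filler, a 1x1 PNG, filler, a ZIP, filler."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("flag.txt", "flag{constructed_sample}\n")   # constructed, not the real flag
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)          # 1x1, 8-bit greyscale
    png = PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IEND", b"")
    return b"\xcc" * 512 + png + b"\x00" * 300 + buf.getvalue() + b"\xff" * 200


def carve_png(blob: bytes) -> list:
    """Return every PNG whose chunk chain from the signature reaches an IEND chunk."""
    found = []
    pos = blob.find(PNG_SIG)
    while pos != -1:
        off = pos + len(PNG_SIG)
        end = None
        while off + 8 <= len(blob):
            length, ctype = struct.unpack(">I4s", blob[off:off + 8])
            off += 8 + length + 4            # header, data, CRC
            if ctype == b"IEND":
                end = off
                break
        if end is not None and end <= len(blob):
            found.append(blob[pos:end])
        pos = blob.find(PNG_SIG, pos + 1)
    return found


def carve_zip(blob: bytes) -> list:
    """Return every ZIP whose local file header is followed by a valid end-of-central-directory record."""
    found = []
    pos = blob.find(ZIP_LFH)
    while pos != -1:
        eocd = blob.find(ZIP_EOCD, pos)
        if eocd == -1 or eocd + 22 > len(blob):
            break
        comment_len = struct.unpack("<H", blob[eocd + 20:eocd + 22])[0]   # EOCD is 22 bytes + comment
        end = eocd + 22 + comment_len
        candidate = blob[pos:end]
        if zipfile.is_zipfile(io.BytesIO(candidate)):
            found.append(candidate)
            pos = blob.find(ZIP_LFH, end)
        else:
            pos = blob.find(ZIP_LFH, pos + 1)
    return found


def read_members(zip_bytes: bytes, password=None) -> dict:
    """Map member name -> (text, was_encrypted). Bit 0 of flag_bits marks an encrypted entry."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & 0x1)
            result[info.filename] = (zf.read(info, pwd=password).decode(), encrypted)
    return result


if __name__ == "__main__":
    dump = build_sample_dump()
    for png in carve_png(dump):
        print("carved PNG of %d bytes" % len(png))
    for archive in carve_zip(dump):
        for name, (text, encrypted) in read_members(archive).items():
            print("%s (encrypted=%s): %s" % (name, encrypted, text.strip()))
```

On a real dump the encrypted flag would be set on flag.txt, and read_members would need the password from the image passed as pwd=b"..."; zipfile raises RuntimeError if the entry is encrypted and no password is given, which is a useful early signal that the carved file really is the protected archive.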

 

[*CTF2019]babyflash

Decompiling flash.swf with JPEXS yields 441 black-and-white images and one mp3 file.

Software download: https://github.com/jindrapetrik/jpexs-decompiler/releases

Right-click to export the images.

The images are very regular, and their count is exactly 441 = 21*21. Following the image order, with black as 1 and white as 0, assemble a 0-1 sequence.

Image processing script, recognising 1 and 0:

from PIL import Image

def aaa(i):
    # sample one pixel of frame i; the exported frames are frames/1.png ... frames/441.png
    image = Image.open("frames/" + str(i) + ".png")
    a, b, c, d = image.getpixel((50, 50))   # RGBA pixel; the red channel is enough for black/white
    return a

s = ''
for i in range(1, 442):
    if aaa(i) == 0:   # black pixel -> 1
        s += '1'
    else:             # white pixel -> 0
        s += '0'
print(s)

Output:

111111100110001111111100000100111001000001101110101011001011101101110100100101011101101110100101101011101100000100110001000001111111101010101111111000000001010100000000111011111011111000100110110011011101111011101101111001101111011010010001100000000011111010100000100011000000000001011100110011111111101011100110101100000101101000100010101110101011011000001101110100101101110000101110101101110110001100000101011100010010111111101101100001011

Try piecing them together.

Image processing script, assembling the image:

from PIL import Image

length = 21
img = Image.new('RGB', (length*5, length*5))
# a black dot is 1, a white dot is 0
data = "111111100110001111111100000100111001000001101110101011001011101101110100100101011101101110100101101011101100000100110001000001111111101010101111111000000001010100000000111011111011111000100110110011011101111011101101111001101111011010010001100000000011111010100000100011000000000001011100110011111111101011100110101100000101101000100010101110101011011000001101110100101101110000101110101101110110001100000101011100010010111111101101100001011"
for x in range(length):
    for y in range(length):
        # bit x*length+y is drawn as a 5x5 block at image column x, row y
        if data[x*length+y] == '1':
            for xx in range(x*5, x*5+5):
                for yy in range(y*5, y*5+5):
                    img.putpixel((xx, yy), (0, 0, 0))
        else:
            for xx in range(x*5, x*5+5):
                for yy in range(y*5, y*5+5):
                    img.putpixel((xx, yy), (255, 255, 255))
img.save('out.png')

Output: out.png, which gives the first half of the flag:

*ctf{half_flag_&

Then export the mp3 file; this is the common spectrogram steganography trick, which gives the second half of the flag:

&_the_rest}
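Spectrogram steganography hides a picture in audio by placing tones at chosen frequencies in chosen time slots: each lit pixel becomes one time-frequency cell, so the text is invisible in the waveform and only appears in a time-frequency plot. The script below is an added example, not code from the writeup and not the challenge's audio: it encodes a constructed 5x5 bitmap of the letter F into an in-memory WAV and then recovers it cell by cell with a Goertzel filter, which measures the energy of a single frequency over a block the way one column of a spectrogram does. The sample rate, slot length, carrier frequencies and bitmap are all assumptions chosen for the demonstration; they are picked so that every carrier sits on an exact frequency bin of the 400-sample slot, which keeps the empty cells free of leakage from the lit ones.

```python
import io
import math
import struct
import wave

SAMPLE_RATE = 8000    # Hz (assumed for the demo; keeps the arithmetic small)
SLOT = 400            # samples per time column = 50 ms, so each Goertzel bin is 20 Hz wide
# one carrier per bitmap row, top row highest, which is how a spectrogram viewer draws it;
# all carriers are multiples of 20 Hz so they land exactly on a bin (assumed values)
FREQS = [3000, 2500, 2000, 1500, 1000]

# constructed 5x5 bitmap of the letter F: '#' = tone present in that time/frequency cell
PATTERN = ["#####", "#....", "####.", "#....", "#...."]


def encode_pattern(pattern, amplitude=0.18) -> bytes:
    """Render the bitmap into 16-bit mono WAV bytes: column c -> time slot c, row r -> FREQS[r]."""
    rows, cols = len(pattern), len(pattern[0])
    pcm = []
    for col in range(cols):
        active = [FREQS[r] for r in range(rows) if pattern[r][col] == "#"]
        for n in range(SLOT):
            t = (col * SLOT + n) / SAMPLE_RATE   # absolute time keeps the phase continuous across slots
            v = amplitude * sum(math.sin(2 * math.pi * f * t) for f in active)
            pcm.append(int(max(-1.0, min(1.0, v)) * 32767))   # 5 tones * 0.18 stays below full scale
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(SAMPLE_RATE)
        w.writeframes(struct.pack("<%dh" % len(pcm), *pcm))
    return buf.getvalue()


def goertzel_power(block, freq) -> float:
    """Power of one frequency bin over a block, without computing a full FFT."""
    n = len(block)
    k = round(n * freq / SAMPLE_RATE)               # nearest bin index for this frequency
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in block:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def decode_wav(wav_bytes) -> list:
    """Recover the bitmap: one Goertzel measurement per (row frequency, time slot) cell."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        raw = w.readframes(w.getnframes())
    pcm = struct.unpack("<%dh" % (len(raw) // 2), raw)
    cols = len(pcm) // SLOT
    power = [[goertzel_power(pcm[c * SLOT:(c + 1) * SLOT], f) for c in range(cols)]
             for f in FREQS]
    peak = max(max(row) for row in power)
    # every lit cell carries about the peak power and empty cells sit near zero,
    # so a quarter of the peak separates them cleanly
    return ["".join("#" if p > peak / 4 else "." for p in row) for row in power]


if __name__ == "__main__":
    wav = encode_pattern(PATTERN)
    print("\n".join(decode_wav(wav)))
```

Opening the WAV that encode_pattern produces in a spectrogram view (Audacity's spectrogram mode, or Sonic Visualiser) shows the same letter drawn in bright cells, which is exactly what the mp3 from the challenge looks like once its spectrogram is displayed; decode_wav is the same measurement done numerically, one cell at a time.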

 

Reference: https://zhuanlan.zhihu.com/p/64252028

 

