[De1ctf 2020]-MISC-雜燴/Misc Chowder&Easy Protocol&Easy Protocol

雜燴/Misc Chowder

題目附件：
鏈接：https://pan.baidu.com/s/1Wb6cCIUundA-rCmQ-eJNLw
提取碼：tk2t

比賽放的hint:
1、流量包中的網絡連接對解題沒有幫助 The network connection in pcap is not helping to the challenge
2、不需要訪問流量里任何一個的服務器地址，所有數據都可以從流量包里直接提取 Do not need to connect the network, every data can be extracted from the pcap
3、In the burst test point of compressed packet password, the length of the password is 6, and the first two characters are “D” and “E”. 壓縮包密碼暴破考點中，密碼的長度為6位，前兩位為DE

1、用foremosr分離出6張模模糊糊的jpg
2、導出http對象，扒出6張jpg和1張鏈接png
png圖片中的鏈接如下：
https://drive.google.com/file/d/1JBdPj7eRaXuLCTFGn7AluAxmxQ4k1jvX/view
下載后得到readme.docx，binwalk分離出一個加密的You_found_me_Orz.zip
根據后來放的hint,掩碼爆破,睡一覺，爆出來了

從You_found_me_Orz.zip中的jpg分離出rar

但是666.jpg在ubuntu打不開，用file命令得知是png（也能用HxD看出）
3、666.png是ADS隱寫，用ntfsstreamseditor.exe能看到

life

鏈接：https://pan.baidu.com/s/14S_ddf1i6u1LWmrlC43-Lg
提取碼：j52i

題目描述：No Game No Life!

1、在game.jpg中分離出一個加密的flag.zip和passphare.png

2、這個png是27*27的，確定不是二維碼
賽后知道有個生命游戲模擬器
手動填充點點

點擊單步，得到：

掃出：AJTC8ADEVRA13AR，能解開flag.zip
3、解開是txt.pilf.txt，flip意為翻轉

0QjN1MTM0MTN0QjN3ImNjNzM3QTNmdTN3MTNmdzMzcjNxcjM3QTNmdDN2gzMzUjZ2czM0YDZzMjMxcDZ

str = "0QjN1MTM0MTN0QjN3ImNjNzM3QTNmdTN3MTNmdzMzcjNxcjM3QTNmdDN2gzMzUjZ2czM0YDZzMjMxcDZ"
print(str[::-1])

ZDcxMjMzZDY0Mzc2ZjUzMzg2NDdmNTQ3MjcxNjczMzdmNTM3NTdmNTQ3MzNjNmI3NjQ0NTM0MTM1NjQ0

base64 decode得到：d71233d64376f5338647f54727167337f53757f54733c6b7644534135644
再翻轉，得到：4465314354467b6c33745f75735f73376172745f7468335f67346d33217d
hex轉ascii。

Easy Protocol

題目附件

這道題俺一點思路都沒有，有一些內網的東西

hint.txt的意思就是flag的3部分都是8位純數字

part1.pcapng

1、par1.pcapng中出現了tcp、ldap、krb5協議，Ctrl+F，看到67和70幀都有De1ctf關鍵字，將protocol排序

搜一下這個kerberos協議


kerberos協議參考：
Kerberos協議探索系列之掃描與爆破篇
Windows內網協議學習Kerberos篇之TGSREQ& TGSREP

在TGS-REP的ticket（票據）中找到cipher

hashcat爆破參考：https://www.freebuf.com/sectool/164507.html

在hashcat wiki找到kerberos 5的格式：

構造好hashcat支持的hash值，part1：
$krb5tgs\(23\)De1CTF2020\(TEST.LOCAL\)part1/De1CTF2020$b9bac2cd9555738bc4f8a38b7aa3b01d12befde687b62d10d325ebc03e0dd0d6bca1f526240dfa6d23dc5bcafc224591dcf4ba97bf6219cfbe16f1b59d289800fdcc8f051626b7fe0c2343d860087c45b68d329fd1107cebe4e537f77f9eea0834ae8018a4fe8518f1c69be95667fd69dcc590d3d443a8530ff8e38ee7f7b6e378d64a8b43b985bcc20f941947ea9e8463fd7e0fa77f284368b9b489f6d557da1e02990cfc725723e5d452ff6e659717947805b852ad734c5acc8011e535b96cef3af796610196d31c725362f7426e0cf92985ffe0717baaf5066fdba760b90e2c9b7e15bc9a4952cff47d4a092d3be6128997f9ff85dbafb85a5569b5d021b2a23c6371cbdf8beaa68b332e6ba1c1a8dc43c50695498ed8c2dfbf11760af35e1b913cd36b8015df37a146d2696c8b6b5f2ce375f2674acc0ce04aa98b9d21291466ce7a2aeb5a72fda17fa53e5b41df67d3898457d05fc899096092b3aa5bc333cb75eb5eee4b1c33356e72d9d28d6d674a5e47f64c72afb580e8d4f713a5ae265a4c825c39c19313a532a23c27eaf24bcde29c5e65c13cc057e0db72094bcedb6049574e35e511847f460180ddd78f4c9187345b1068bd608ca238c20d200ffa7e3891d076fe6fcef93d044c79f5ec9fb33561a35acf785b2a203df6d07e39161d9d3cedbe6d4394bd2bf43e545acd03f796c7863d684f9db4a5eef070f71e58a4882c2387d0705f4bed32fd7986dd672a15f6cfa56fe127af7c157216b2ea4f61ab7963d9dcaf4bb9222a7cba86d6a5e6c24833ffbf1957d90224764a01e0cb5a90f12dfea4ddaef23e30c2bdafcbcd99031db5d0698c1a050fc679213a8b81b854c08686f43241a4ec937c71cd09c9519fa2bba3aa845c4e84dbd6d9bbc3a62c876fb4c30bfa7960f0f51587ece14a31add698b1b9743e14fc343394f8a346c8e24cc8c26a8f8246f6a68928d0118dea81fea9976af3c57fa4c764f565e458e065d5a2a3dd1b083f7851d4ae1b791ada853e9a20e5b169ea0b8b582711f04df4dad8b461771dda5fca11c3f8f82d85e657bbd57d12cf15c8bbce7ad6cd1ebf540c45aefd4aef2ec828b06f208bd57be6a5529481b9f8b8fad5962e86b349a720ec2a1380ed711ee0261b29383907dae6f7a45d3fff54efae7ace1f4d7193f4a4d932699a41c3deb3ba9934278942e8f09ecd4339de4059dd3ff06b78e773b6ab9826df7ea2a443dddd55cdf79db1f76e2f05105e6cc5f0c4bd494b9556d921c6cb3fa48d1ddd27cf077ebd3e44b716fc74d1115b293e348fb9676e6727a3a97a7c2b86e8b83d8f90b9bf628c71e56aabcac381a32d493db3f255378c498a0bf527a9677cb81ec89911a9b09d6ffe16e2f2de63728439f8275d9f6feac2da860c5aab772034b2b0b962c033f8102ac86b2a9b07a82e9c70be65fe371e9d296afbe0e7272b90256428553c6a4fb0a8f5290098e4dad4021d99a65f2a3fa4ad0d2f

hashcat64.exe -m 13100 test1.txt ?d?d?d?d?d?d?d?d -a 3 --force --show

part2.pcapng

Ctrl+F，搜索關鍵字De1ctf
有關kerberos協議的ASREQ & ASREP認證模塊，參考：Windows內網協議學習Kerberos篇之ASREQ& ASREP

part2：$krb5asrep\(23\)De1CTF2020@TEST.LOCAL:2a00ca98642914e2cebb2718e79cbfb6$9026dd00f0b130fd4c4fd71a80817ddd5aec619a9b2e9b53ae2309bde0a9796ebcfa90558e8aaa6f39350b8f6de3a815a7b62ec0c154fe5e2802070146068dc9db1dc981fb355c94ead296cdaefc9c786ce589b43b25fb5b7ddad819db2edecd573342eaa029441ddfdb26765ce01ff719917ba3d0e7ce71a0fae38f91d17cf26d139b377ea2eb5114a2d36a5f27983e8c4cb599d9a4a5ae31a24db701d0734c79b1d323fcf0fe574e8dcca5347a6fb98b7fc2e63ccb125a48a44d4158de940b4fd0c74c7436198380c03170835d4934965ef6a25299e3f1af107c2154f40598db8600c855b2b183

hashcat64.exe -m 18200 test2.txt ?d?d?d?d?d?d?d?d -a 3 --force --show

part3.pcapng

Ctrl+F,在第68，69幀找到De1ctf關鍵字，搜搜這個NTLM，存在NTML身份認證（參考：Windows身份認證及利用思路
Windows下的密碼hash——NTLM hash和Net-NTLM hash介紹
Windows內網協議學習NTLM篇之NTLM基礎介紹）
從第68幀看出這里是Net-NTLM v2

part3：De1CTF2020::TEST:56886f90fcb73ded:b5991cc2a0d585d0f813358eaafc7412:0101000000000000130cb9102308d601d2290bc0c25617a80000000002000800540045005300540001000c0044004d0032003000310032000400140074006500730074002e006c006f00630061006c000300220064006d0032003000310032002e0074006500730074002e006c006f00630061006c000500140074006500730074002e006c006f00630061006c0007000800130cb9102308d60106000400020000000800300030000000000000000000000000100000ecaa3d44ddc464026c453206813aafa0b918f2ad43d497ef8fb6beb2083258a40a0010000000000000000000000000000000000009001e0048005400540050002f0074006500730074002e006c006f00630061006c000000000000000000

hashcat64.exe -m 5600 test3.txt ?d?d?d?d?d?d?d?d -a 3 --force --show