Hunan Cup (湖湘杯) 2020 Misc Writeup


Author: LEOGG

Misc

misc1: 顏文字之謎 (The Emoticon Riddle)

Export the HTTP objects from the capture; one of them is index-demo.html.

Viewing its source reveals a large block of base64.

Base64 steganography on that block yields the key: lorrie

Next comes SNOW whitespace steganography; note that you must not pass -C here.

snow.exe -p lorrie index-demo.html
flag{→_→←_←←_←←_←←_← →_→→_→←_←←_←←_← →_→←_←←_←←_← ←_←←_←←_←→_→→_→ ←_←←_←←_←→_→→_→ ←_← ←_←←_←←_←→_→→_→ →_→→_→→_→→_→←_← →_→←_←←_←←_← ←_←←_←←_←←_←←_← ←_←→_→→_→→_→→_→ →_→→_→→_→→_→→_→ ←_←←_←←_←←_←←_← ←_←←_←→_→←_← →_→←_←←_←←_← ←_←←_←←_←←_←→_→ ←_←→_→ ←_←←_←→_→→_→→_→ →_→→_→→_→→_→←_← ←_←←_←←_←←_←←_← ←_←←_←←_←→_→→_→ ←_←→_→ →_→→_→→_→→_→→_→ →_→←_←→_→←_← ←_← →_→→_→←_←←_←←_← →_→→_→→_→→_→←_← →_→←_←→_→←_← ←_←←_←←_←→_→→_→ ←_←←_←←_←→_→→_→ →_→→_→←_←←_←←_← →_→→_→→_→←_←←_←}

This is reminiscent of Morse code: the text consists of only two symbols plus spaces.

Replace →_→ with -

Replace ←_← with .


Decode it with an online Morse tool and convert the result to lowercase to get the flag.


misc2: passwd

Use hivelist to list the registry hives:

volatility -f 555.raw --profile=Win7SP1x86 hivelist
Volatility Foundation Volatility Framework 2.6
Virtual    Physical   Name
---------- ---------- ----
0x93fc41e8 0x030cf1e8 \SystemRoot\System32\Config\SAM
0x93fe7008 0x1bc6c008 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0x9494e9c8 0x11c9a9c8 \??\C:\Users\CTF\AppData\Local\Microsoft\Windows\UsrClass.dat
0x992de5d8 0x223cb5d8 \SystemRoot\System32\Config\DEFAULT
0x8a00c2b0 0x23e0a2b0 [no name]
0x8a01c008 0x24019008 \REGISTRY\MACHINE\SYSTEM
0x8a03d008 0x22dfa008 \REGISTRY\MACHINE\HARDWARE
0x8c6d99c8 0x22b499c8 \Device\HarddiskVolume1\Boot\BCD
0x8e00d9c8 0x189629c8 \??\C:\Users\CTF\ntuser.dat
0x8f97c008 0x22de2008 \SystemRoot\System32\Config\SOFTWARE
0x93fb19c8 0x00a759c8 \SystemRoot\System32\Config\SECURITY
0x93fb7440 0x03145440 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT

hashdump extracts the password hashes; -y is the virtual address of the SYSTEM hive and -s is the virtual address of the SAM hive.

volatility -f 555.raw --profile=Win7SP1x86 hashdump -y 0x8a01c008 -s 0x93fc41e8


Looking up 0a640404b5c386ab12092587fe19cd02 on an md5 cracking site gives qwer1234.

Then hash that with sha1().

PS: a single hashdump command would actually have been enough; being a noob, I typed one command too many =。=

flag: db25f2fc14cd2d2b1e7af307241f548fb03c312a

misc3: 虛實之間 (Between Fake and Real)

The archive uses fake encryption (偽加密); fixing it yields the file mingwen.txt.

A known-plaintext attack then recovers the password.


That gives flag.txt:

ffd5e341le25b2dcab15cbb}gc3bc5b{789b51

Rail fence with 5 rails.

Decrypt it.

PS: a gripe about captEncoder, the "little hat" decoding tool: its rail fence is broken.
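Two different ciphers go by the name "rail fence", which is a common reason a tool's output looks wrong: the grouped variant usual in Chinese CTF tools takes every k-th character (rows of k, read column by column), while many other tools implement the zigzag (W-shaped) cipher. The added example below (not code from the writeup) implements both for key 5 and tries each against the ciphertext above; the function names are my own.

```python
# Added example, not part of the original writeup: the two rail-fence
# conventions, plus a helper that tries both and keeps the one that yields a
# well-formed flag{...} string. CIPHERTEXT is copied from the writeup.
from math import ceil

CIPHERTEXT = "ffd5e341le25b2dcab15cbb}gc3bc5b{789b51"


def group_encrypt(pt, k):
    """Grouped rail fence: write rows of k characters, read column by column."""
    return "".join(pt[i::k] for i in range(k))


def group_decrypt(ct, k):
    """Invert group_encrypt: column i holds ceil((n - i) / k) characters."""
    n = len(ct)
    cols, pos = [], 0
    for i in range(k):
        length = max(ceil((n - i) / k), 0)   # trailing columns are one shorter
        cols.append(ct[pos:pos + length])
        pos += length
    out = []
    for r in range(ceil(n / k)):
        for col in cols:
            if r < len(col):
                out.append(col[r])
    return "".join(out)


def _zigzag_rails(n, rails):
    """Rail index of every position in the zigzag (W) variant."""
    if rails < 2:
        return [0] * n
    out, idx, step = [], 0, 1
    for _ in range(n):
        out.append(idx)
        if idx == 0:
            step = 1
        elif idx == rails - 1:
            step = -1
        idx += step
    return out


def zigzag_encrypt(pt, rails):
    pat = _zigzag_rails(len(pt), rails)
    return "".join(ch for r in range(rails) for ch, p in zip(pt, pat) if p == r)


def zigzag_decrypt(ct, rails):
    pat = _zigzag_rails(len(ct), rails)
    # Ciphertext order is rail-major; sorting positions by (rail, index) recovers it.
    order = sorted(range(len(ct)), key=lambda i: (pat[i], i))
    out = [""] * len(ct)
    for ch, i in zip(ct, order):
        out[i] = ch
    return "".join(out)


def decrypt_both(ct, k):
    """Try both conventions; return (name, plaintext) for the one giving flag{...}."""
    for name, fn in (("group", group_decrypt), ("zigzag", zigzag_decrypt)):
        pt = fn(ct, k)
        if pt.startswith("flag{") and pt.endswith("}"):
            return name, pt
    return None, None


if __name__ == "__main__":
    print(decrypt_both(CIPHERTEXT, 5))
```

Only the grouped convention produces a flag{...} string for this ciphertext, and re-encrypting that plaintext with key 5 reproduces the ciphertext exactly, which is the cheapest sanity check when a decoder's output looks off.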


misc4: 隱藏的秘密 (The Hidden Secret)

First check pslist and spot notepad.exe, then grep the filescan output for txt files:

volatility -f mm.vmem --profile=Win2003SP1x86 filescan | grep "txt"
Volatility Foundation Volatility Framework 2.6
0x000000000412cde0      1      0 RW-r-- \Device\HarddiskVolume1\Documents and Settings\Administrator\桌面\file.txt
0x000000000426b890      1      0 R--rw- \Device\HarddiskVolume1\Documents and Settings\All Users\Application Data\VMware\VMware Tools\Unity Filters\win7gadgets.txt
0x000000000426ba90      1      0 R--rw- \Device\HarddiskVolume1\Documents and Settings\All Users\Application Data\VMware\VMware Tools\Unity Filters\vmwarefilters.txt
0x000000000426bc90      1      0 R--rw- \Device\HarddiskVolume1\Documents and Settings\All Users\Application Data\VMware\VMware Tools\Unity Filters\visualstudio2005.txt
0x000000000426be90      1      0 R--rw- \Device\HarddiskVolume1\Documents and Settings\All Users\Application Data\VMware\VMware Tools\Unity Filters\vistasidebar.txt
0x000000000479d4a8      4      2 -W-rw- \Device\HarddiskVolume1\Documents and Settings\All Users\Application Data\VMware\VMware VGAuth\logfile.txt.0
0x00000000049e1cf0      1      0 R--rw- \Device\HarddiskVolume1\Program Files\VMware\VMware Tools\vmacthlp.txt
0x00000000049e6228      1      0 RW-rw- \Device\HarddiskVolume1\Documents and Settings\Administrator\Recent\file.txt.lnk
0x0000000004a511a0      1      0 R--rw- \Device\HarddiskVolume1\Documents and Settings\All Users\Application Data\VMware\VMware Tools\Unity Filters\microsoftoffice.txt
0x0000000004a513a0      1      0 R--rw- \Device\HarddiskVolume1\Documents and Settings\All Users\Application Data\VMware\VMware Tools\Unity Filters\googledesktop.txt
0x0000000004a51770      1      0 R--rw- \Device\HarddiskVolume1\Documents and Settings\All Users\Application Data\VMware\VMware Tools\Unity Filters\adobephotoshopcs3.txt
0x0000000004c05370      1      0 R--rwd \Device\HarddiskVolume1\Documents and Settings\All Users\Application Data\VMware\VMware Tools\manifest.txt
0x0000000004c70ae8      1      0 RW---- \Device\HarddiskVolume1\WINDOWS\system32\CatRoot2\dberr.txt
0x0000000004d44028      1      0 R--rw- \Device\HarddiskVolume1\Documents and Settings\All Users\Application Data\VMware\VMware Tools\Unity Filters\adobeflashcs3.txt

file.txt is there; dump it:

volatility -f mm.vmem --profile=Win2003SP1x86 dumpfiles -Q 0x000000000412cde0 -D ./
What? The computer was logged into by an unknown account again? There is clearly no such user in Computer Management, so why does that user still log in? You, sitting at the computer, can you help me find the reason? The flag is the md5 of that user's username and password.

Format: md5(username:password)

Use hivelist to list the registry hives and find the most recently logged-in user; dump the registry and search it with WRR (Windows Registry Recovery):

volatility -f mm.vmem --profile=Win2003SP1x86 dumpregistry -D ./


Check the SAM hive.

The recent-logon data shows that only Administrator and FHREhpe have logged in.


List the usernames and password hashes:

volatility -f mm.vmem --profile=Win2003SP1x86 hashdump -y 0xe101d008 -s 0xe1757860

This gives the username and password hash; running the hash through an md5 cracking site gives FHREhpe$:NIAIWOMA


md5 the pair together:

flag: 8cf1d5b00c27cb8284bce9ccecb09fb7
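An added example (not code from the writeup) for the file-selection step of misc4: instead of eyeballing the grep output, parse Volatility 2 filescan lines into records (offset, pointer count, handle count, access flags, path), filter for documents under a real user profile rather than the All Users and system noise, build the dumpfiles command from the chosen record, and finish with the md5(username:password) flag format. SAMPLE_FILESCAN is a constructed excerpt made of lines copied from the output above; the function names are my own.

```python
# Added example, not part of the original writeup: parse Volatility 2 filescan
# output, pick the user-owned .txt file, build the dumpfiles command for it and
# compute the misc4 flag format md5(username:password).
import hashlib
import re
from collections import namedtuple

FileRec = namedtuple("FileRec", "offset ptr hnd access path")

# offset  #ptr  #hnd  access(6 chars)  path (may contain spaces)
LINE_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\d+)\s+(\d+)\s+(\S{6})\s+(.+?)\s*$")

# Constructed excerpt: banner plus four lines copied from the writeup's filescan output.
SAMPLE_FILESCAN = """\
Volatility Foundation Volatility Framework 2.6
0x000000000412cde0      1      0 RW-r-- \\Device\\HarddiskVolume1\\Documents and Settings\\Administrator\\桌面\\file.txt
0x00000000049e6228      1      0 RW-rw- \\Device\\HarddiskVolume1\\Documents and Settings\\Administrator\\Recent\\file.txt.lnk
0x0000000004c70ae8      1      0 RW---- \\Device\\HarddiskVolume1\\WINDOWS\\system32\\CatRoot2\\dberr.txt
0x0000000004a511a0      1      0 R--rw- \\Device\\HarddiskVolume1\\Documents and Settings\\All Users\\Application Data\\VMware\\VMware Tools\\Unity Filters\\microsoftoffice.txt
"""


def parse_filescan(text):
    """Return a FileRec for each data line; the banner and blank lines are skipped."""
    recs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            off, ptr, hnd, access, path = m.groups()
            recs.append(FileRec(off, int(ptr), int(hnd), access, path))
    return recs


def user_documents(recs, suffix=".txt"):
    """Files under a per-user profile (not All Users) ending in suffix, e.g. desktop notes."""
    return [r for r in recs
            if "\\Documents and Settings\\" in r.path
            and "\\All Users\\" not in r.path
            and r.path.lower().endswith(suffix)]


def dumpfiles_cmd(image, profile, rec, outdir="./"):
    """The dumpfiles invocation used in the writeup, built from a parsed record."""
    return f"volatility -f {image} --profile={profile} dumpfiles -Q {rec.offset} -D {outdir}"


def flag_md5(username, password):
    """misc4 flag format: md5(username:password)."""
    return hashlib.md5(f"{username}:{password}".encode()).hexdigest()


if __name__ == "__main__":
    recs = parse_filescan(SAMPLE_FILESCAN)
    for r in user_documents(recs):
        print(r.access, r.path)
        print(dumpfiles_cmd("mm.vmem", "Win2003SP1x86", r))
    print(flag_md5("FHREhpe$", "NIAIWOMA"))
```

The access column is worth keeping in the record: the desktop file.txt is RW-r-- (the owner still has it open for read/write), which is the kind of detail that separates a note being edited from stale VMware filter lists.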

