Hxb2020 misc
Misc1
Open the capture in Wireshark: File > Export Objects > HTTP > Save All.
Open index-demo.html and view the source: it contains a large block of base64.
KO+9oe+9peKIgO+9pSnvvonvvp7ll6hIaX4gCm==
KO+8oF/vvKA7KSjvvKBf77ygOyko77ygX++8oDspCr==
KCtfKyk/KOOAgj7vuL88KV/OuCjjgII+77i/PClfzrgK
......
base64 decoding gives:
(。・∀・)ノ゙嗨Hi~
(@_@;)(@_@;)(@_@;)
(+_+)?(。>︿<)_θ(。>︿<)_θ
o(* ̄▽ ̄*)ブ゜
<(^-^)>(╯▽╰ )好香~~
ヽ(✿゚▽゚)ノ(@^0^)
......
I assumed it was kaomoji (emoticon) encoding, but aadecode gave nothing.
Only after the contest did I learn it was base64 steganography: save the base64 lines to a txt file and decode them with a script.
import base64

def get_base64_diff_value(s1, s2):
    # index distance between the first differing symbol of the steg line and the canonical line
    base64chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
    res = 0
    for i in range(len(s2)):
        if s1[i] != s2[i]:
            return abs(base64chars.index(s1[i]) - base64chars.index(s2[i]))
    return res

def solve_stego():
    with open('E:\\Desktop\\1.txt', 'r') as f:
        file_lines = f.readlines()
    bin_str = ''
    for line in file_lines:
        steg_line = line.replace('\n', '')
        # decode and re-encode: the canonical line has the unused padding bits zeroed
        norm_line = base64.b64encode(base64.b64decode(steg_line)).decode().replace('\n', '')
        diff = get_base64_diff_value(steg_line, norm_line)
        print(diff)
        pads_num = steg_line.count('=')
        if diff:
            # every '=' of padding hides 2 bits
            bin_str += bin(diff)[2:].zfill(pads_num * 2)
        else:
            bin_str += '0' * pads_num * 2
    print(goflag(bin_str))

def goflag(bin_str):
    # pack the recovered bit string into 8-bit characters
    res_str = ''
    for i in range(0, len(bin_str), 8):
        res_str += chr(int(bin_str[i:i + 8], 2))
    return res_str

if __name__ == '__main__':
    solve_stego()
Output: key:"lorrie"
There is one more layer: SNOW steganography.
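To make the mechanism the script above relies on concrete, here is an added Python 3 example (not code from the original writeup or from the challenge). A base64 line that ends in one '=' carries 2 bits in its last symbol that decoders ignore, and a line ending in '==' carries 4, so a bit stream can be stored there without changing what the line decodes to. The cover lines and the secret are constructed for the demonstration; the alphabet and the decode/re-encode comparison are the same as in the writeup's script, but this version also checks that the symbol difference stays inside the padding capacity and includes the embedding side so the extraction can be verified end to end.

```python
import base64

B64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'

def capacity_bits(encoded: str) -> int:
    """A line ending in '=' has 2 unused bits in its last symbol, '==' has 4."""
    return 2 * encoded.count('=')

def total_capacity(lines) -> int:
    return sum(capacity_bits(l) for l in lines)

def embed(plain_lines, secret: bytes):
    """Hide `secret` in the unused padding bits of the base64 encoding of `plain_lines`.
    Used here only to construct test data with a known answer."""
    bits = ''.join(f'{b:08b}' for b in secret)
    out, pos = [], 0
    for raw in plain_lines:
        enc = base64.b64encode(raw).decode()
        pads = enc.count('=')
        if pads and pos < len(bits):
            chunk = bits[pos:pos + 2 * pads].ljust(2 * pads, '0')
            pos += 2 * pads
            last = enc[-pads - 1]
            # the canonical symbol has its low 2*pads bits zero, so adding the chunk stays inside the alphabet
            enc = enc[:-pads - 1] + B64[B64.index(last) + int(chunk, 2)] + '=' * pads
        out.append(enc)
    if pos < len(bits):
        raise ValueError('not enough padding capacity for the secret')
    return out

def extract(steg_lines) -> bytes:
    """Recover the hidden bits by comparing each line's last symbol with its canonical re-encoding."""
    bits = ''
    for line in steg_lines:
        line = line.strip()
        pads = line.count('=')
        if not pads:
            continue                      # a line without padding has no spare bits
        canon = base64.b64encode(base64.b64decode(line)).decode()
        diff = B64.index(line[-pads - 1]) - B64.index(canon[-pads - 1])
        if diff < 0 or diff >= 1 << (2 * pads):
            raise ValueError(f'unexpected symbol difference {diff} in {line!r}')
        bits += format(diff, 'b').zfill(2 * pads)
    # only whole bytes; any leftover bits are padding from unused lines
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits) - 7, 8))

def recover(steg_lines) -> bytes:
    """Extraction plus removal of the zero bytes contributed by untouched trailing lines."""
    return extract(steg_lines).rstrip(b'\x00')

def cover_intact(steg_lines, plain_lines) -> bool:
    """The stego lines must still decode to the original cover text."""
    return all(base64.b64decode(s) == p for s, p in zip(steg_lines, plain_lines))

# constructed cover text and secret (not the challenge's data)
COVER = [f'cover line number {i}'.encode() for i in range(60)]
SECRET = b'key:"lorrie"'

if __name__ == '__main__':
    steg = embed(COVER, SECRET)
    print(total_capacity(steg), 'bits of capacity')
    print(recover(steg))
```

The capacity check is the practical point: with only 2 or 4 bits per line, a long base64 blob is needed to hide even a short string, which is why the challenge page held so many kaomoji lines.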
snow>SNOW.EXE -p lorrie D:\CTF\湖湘杯2020\Misc\1\index-demo.html
flag{→_→←_←←_←←_←←_← →_→→_→←_←←_←←_← →_→←_←←_←←_← ←_←←_←←_←→_→→_→ ←_←←_←←_←→_→→_→ ←_← ←_←←_←←_←→_→→_→ →_→→_→→_→→_→←_← →_→←_←←_←←_← ←_←←_←←_←←_←←_← ←_←→_→→_→→_→→_→ →_→→_→→_→→_→→_→ ←_←←_←←_←←_←←_← ←_←←_←→_→←_← →_→←_←←_←←_← ←_←←_←←_←←_←→_→ ←_←→_→ ←_←←_←→_→→_→→_→ →_→→_→→_→→_→←_← ←_←←_←←_←←_←←_← ←_←←_←←_←→_→→_→ ←_←→_→ →_→→_→→_→→_→→_→ →_→←_←→_→←_← ←_← →_→→_→←_←←_←←_← →_→→_→→_→→_→←_← →_→←_←→_→←_← ←_←←_←←_←→_→→_→ ←_←←_←←_←→_→→_→ →_→→_→←_←←_←←_← →_→→_→→_→←_←←_←}
# -*- coding:utf-8 -*-
# For commercial use, please contact the author for authorization. For non-commercial use, please indicate the source.
# License: CC BY-NC-SA 4.0 (Attribution-NonCommercial-ShareAlike 4.0 International)
# Author: Snowywar
# URL: http://snowywar.top/wordpress/index.php/2020/11/02/hxbwriteup/
# Source: 魔法少女雪殤
import re

answer = '→_→←_←←_←←_←←_← →_→→_→←_←←_←←_← →_→←_←←_←←_← ←_←←_←←_←→_→→_→ ←_←←_←←_←→_→→_→ ←_← ←_←←_←←_←→_→→_→ →_→→_→→_→→_→←_← →_→←_←←_←←_← ←_←←_←←_←←_←←_← ←_←→_→→_→→_→→_→ →_→→_→→_→→_→→_→ ←_←←_←←_←←_←←_← ←_←←_←→_→←_← →_→←_←←_←←_← ←_←←_←←_←←_←→_→ ←_←→_→ ←_←←_←→_→→_→→_→ →_→→_→→_→→_→←_← ←_←←_←←_←←_←←_← ←_←←_←←_←→_→→_→ ←_←→_→ →_→→_→→_→→_→→_→ →_→←_←→_→←_← ←_← →_→→_→←_←←_←←_← →_→→_→→_→→_→←_← →_→←_←→_→←_← ←_←←_←←_←→_→→_→ ←_←←_←←_←→_→→_→ →_→→_→←_←←_←←_← →_→→_→→_→←_←←_←'
tmp = ""
answer = answer.split(" ")          # one space-separated group per Morse character
print(answer)
for element in answer:
    s = re.findall(r'.{3}', element)   # each arrow glyph is three characters long
    for ele in s:
        if ele == '→_→':
            tmp += "-"
        if ele == '←_←':
            tmp += "."
    tmp += '/'
print(tmp)
#['→_→←_←←_←←_←←_←', '→_→→_→←_←←_←←_←', '→_→←_←←_←←_←', '←_←←_←←_←→_→→_→', '←_←←_←←_←→_→→_→', '←_←', '←_←←_←←_←→_→→_→', '→_→→_→→_→→_→←_←', '→_→←_←←_←←_←', '←_←←_←←_←←_←←_←', '←_←→_→→_→→_→→_→', '→_→→_→→_→→_→→_→', '←_←←_←←_←←_←←_←', '←_←←_←→_→←_←', '→_→←_←←_←←_←', '←_←←_←←_←←_←→_→', '←_←→_→', '←_←←_←→_→→_→→_→', '→_→→_→→_→→_→←_←', '←_←←_←←_←←_←←_←', '←_←←_←←_←→_→→_→', '←_←→_→', '→_→→_→→_→→_→→_→', '→_→←_←→_→←_←', '←_←', '→_→→_→←_←←_←←_←', '→_→→_→→_→→_→←_←', '→_→←_←→_→←_←', '←_←←_←←_←→_→→_→', '←_←←_←←_←→_→→_→', '→_→→_→←_←←_←←_←', '→_→→_→→_→←_←←_←']
#-..../--.../-.../...--/...--/./...--/----./-.../...../.----/-----/...../..-./-.../....-/.-/..---/----./...../...--/.-/-----/-.-././--.../----./-.-./...--/...--/--.../---../
Morse decoding gives 67B33E39B5105FB4A2953A0CE79C3378
flag: 67b33e39b5105fb4a2953a0ce79c3378
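The script above stops at the Morse string and leaves the final decoding to an external tool. As an added example (not part of the original writeup), the Python 3 block below carries the decoding through with an inline Morse table, taking the SNOW output from above as its input. It tokenises the glyphs with an explicit pattern rather than fixed three-character slices, so stray whitespace inside a group (as in the raw SNOW output) does not shift the dots and dashes.

```python
import re

# International Morse code for letters and digits
MORSE = {
    '.-': 'A', '-...': 'B', '-.-.': 'C', '-..': 'D', '.': 'E', '..-.': 'F', '--.': 'G',
    '....': 'H', '..': 'I', '.---': 'J', '-.-': 'K', '.-..': 'L', '--': 'M', '-.': 'N',
    '---': 'O', '.--.': 'P', '--.-': 'Q', '.-.': 'R', '...': 'S', '-': 'T', '..-': 'U',
    '...-': 'V', '.--': 'W', '-..-': 'X', '-.--': 'Y', '--..': 'Z',
    '-----': '0', '.----': '1', '..---': '2', '...--': '3', '....-': '4',
    '.....': '5', '-....': '6', '--...': '7', '---..': '8', '----.': '9',
}
DASH, DOT = '→_→', '←_←'

def arrows_to_morse(text: str) -> str:
    """Space-separated groups are characters; each '→_→' glyph is a dash and each '←_←' a dot."""
    codes = []
    for group in text.split():
        glyphs = re.findall(r'→_→|←_←', group)
        codes.append(''.join('-' if g == DASH else '.' for g in glyphs))
    return '/'.join(codes) + '/'

def morse_to_text(morse: str) -> str:
    """Decode '/'-separated Morse; unknown codes become '?' instead of raising."""
    return ''.join(MORSE.get(code, '?') for code in morse.strip('/').split('/') if code)

def decode_arrows(text: str) -> str:
    return morse_to_text(arrows_to_morse(text))

# the SNOW output from above, without the flag{} wrapper
ANSWER = '→_→←_←←_←←_←←_← →_→→_→←_←←_←←_← →_→←_←←_←←_← ←_←←_←←_←→_→→_→ ←_←←_←←_←→_→→_→ ←_← ←_←←_←←_←→_→→_→ →_→→_→→_→→_→←_← →_→←_←←_←←_← ←_←←_←←_←←_←←_← ←_←→_→→_→→_→→_→ →_→→_→→_→→_→→_→ ←_←←_←←_←←_←←_← ←_←←_←→_→←_← →_→←_←←_←←_← ←_←←_←←_←←_←→_→ ←_←→_→ ←_←←_←→_→→_→→_→ →_→→_→→_→→_→←_← ←_←←_←←_←←_←←_← ←_←←_←←_←→_→→_→ ←_←→_→ →_→→_→→_→→_→→_→ →_→←_←→_→←_← ←_← →_→→_→←_←←_←←_← →_→→_→→_→→_→←_← →_→←_←→_→←_← ←_←←_←←_←→_→→_→ ←_←←_←←_←→_→→_→ →_→→_→←_←←_←←_← →_→→_→→_→←_←←_←'

if __name__ == '__main__':
    print(arrows_to_morse(ANSWER))
    print(decode_arrows(ANSWER))      # the flag is this value in lowercase
```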
Misc2
volatility -f WIN-BU6IJ7FI9RU-20190927-152050.raw imageinfo
volatility -f WIN-BU6IJ7FI9RU-20190927-152050.raw --profile=Win7SP1x86 hashdump
Volatility Foundation Volatility Framework 2.4
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CTF:1000:aad3b435b51404eeaad3b435b51404ee:0a640404b5c386ab12092587fe19cd02:::
# last two fields: LM hash (empty password) : NT hash (the real password)
Reverse lookup of 0a640404b5c386ab12092587fe19cd02 ("md5 decryption" on a hash lookup site; the value is actually the NT hash, MD4 of the UTF-16LE password) gives qwer1234
flag:sha1(qwer1234)=db25f2fc14cd2d2b1e7af307241f548fb03c312a
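The "md5 decryption" step is really a reverse lookup of the NT hash: Windows stores MD4 of the UTF-16LE password, and the LM field aad3b435b51404eeaad3b435b51404ee on every line is the well-known value for an empty (disabled) LM hash, so only the NT field carries the password. As an added example (not the writeup's code), the Python 3 block below parses the hashdump lines quoted above, recognises the empty LM/NT values, and verifies candidate passwords against the NT hash with a self-contained MD4 (hashlib's md4 is unavailable on many OpenSSL 3 builds). The candidate wordlist is constructed for the demonstration.

```python
import struct

MASK = 0xFFFFFFFF
EMPTY_LM = 'aad3b435b51404eeaad3b435b51404ee'   # LM hash of the empty password (LM disabled)
EMPTY_NT = '31d6cfe0d16ae931b73c59d7e0c089c0'   # NT hash of the empty password

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def md4(data: bytes) -> bytes:
    """MD4 digest per RFC 1320 (pure Python, so no OpenSSL legacy provider is needed)."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    # padding: 0x80, zeros up to 56 mod 64, then the bit length as 64-bit little-endian
    msg = data + b'\x80'
    msg += b'\x00' * ((56 - len(msg) % 64) % 64)
    msg += struct.pack('<Q', len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (F, tuple(range(16)), (3, 7, 11, 19), 0x00000000),
        (G, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (H, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack('<16I', msg[off:off + 64])
        r = state[:]
        for func, order, shifts, const in rounds:
            for i, k in enumerate(order):
                t = (4 - i % 4) % 4        # registers are updated in the order a, d, c, b
                x, y, z, w = r[t], r[(t + 1) % 4], r[(t + 2) % 4], r[(t + 3) % 4]
                r[t] = _rotl((x + func(y, z, w) + X[k] + const) & MASK, shifts[i % 4])
        state = [(s + v) & MASK for s, v in zip(state, r)]
    return struct.pack('<4I', *state)

def nt_hash(password: str) -> str:
    """NT hash = MD4 of the password encoded as UTF-16LE, as lowercase hex."""
    return md4(password.encode('utf-16-le')).hex()

def parse_hashdump(text: str) -> dict:
    """Parse 'user:rid:lm:nt:::' lines as printed by volatility hashdump."""
    users = {}
    for line in text.strip().splitlines():
        name, rid, lm, nt = line.strip().split(':')[:4]
        users[name] = {'rid': int(rid), 'lm': lm.lower(), 'nt': nt.lower()}
    return users

def check_candidates(users: dict, wordlist) -> dict:
    """Return {user: password} for accounts whose NT hash is empty or matches a wordlist entry."""
    hits = {}
    for name, h in users.items():
        if h['nt'] == EMPTY_NT:
            hits[name] = ''
            continue
        for pw in wordlist:
            if nt_hash(pw) == h['nt']:
                hits[name] = pw
                break
    return hits

# hashdump output quoted from the writeup above
HASHDUMP = """
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CTF:1000:aad3b435b51404eeaad3b435b51404ee:0a640404b5c386ab12092587fe19cd02:::
"""
# constructed candidate list for the demonstration
WORDLIST = ['password', '123456', 'qwer1234', 'admin']

if __name__ == '__main__':
    users = parse_hashdump(HASHDUMP)
    for name, h in users.items():
        print(name, 'LM disabled' if h['lm'] == EMPTY_LM else 'LM hash present')
    print(check_candidates(users, WORDLIST))
```

Running the block confirms the hash type before any lookup: md4(b'') is exactly the 31d6cfe0... value on the Administrator and Guest lines, which is why those accounts are reported as having an empty password rather than needing a wordlist at all.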
Misc3
Repair the zip with WinRAR and extract mingwen - 副本.txt, then pack mingwen - 副本.txt into a zip with WinRAR.
Delete flag.txt from the repaired zip and run a plaintext (known-plaintext) attack on the repaired zip in ARCHPR, choosing the mingwen - 副本 zip as the plaintext.
Password: 123%asd!O (viewing flag.txt on its own, it could not be extracted successfully)
Only needs 5; skip ahead.
ffd5e341le25b2dcab15cbb}gc3bc5b{789b51
flag{febc7d2138555b9ebccb32b554dbb11c}
Misc4
volatility -f 1.vmem imageinfo
volatility -f 1.vmem --profile=Win2003SP1x86 hashdump
volatility -f 1.vmem --profile=Win2003SP1x86 filescan | grep .txt
volatility -f 1.vmem --profile=Win2003SP1x86 dumpfiles -Q 0x000000000412cde0 --dump-dir=.
Dump file.txt and open it with Notepad on Windows:
What? The computer was logged into by an unknown account again? This user does not exist in Computer Management, so how can it still log in? Can you, sitting at the computer, help me find the reason? The flag is the md5 of that user's username and password.
Format: md5(username:password)
Reference link:
https://blog.csdn.net/q851579181q/article/details/109454629