mp3
Decode the mp3 with MP3Stego using an empty password; this yields a txt file.
Analyze the mp3 with binwalk: it contains a PNG, which foremost extracts.
Analyze the PNG with zsteg: it hides a zip, which is extracted as well.
The zip holds an encrypted 47.txt; open it with the password obtained earlier, ROT47-decode the contents, and run the result in the console to get the flag.
take_the_zip_easy
Known-plaintext attack on the zip.
Analyze the packet capture: there is a flag.zip, but it is encrypted.
Following the TCP streams reveals Godzilla (哥斯拉) webshell traffic with its encrypted request/response bodies.
Stream 37 uploads flag.zip, so stream 36 should be the encrypted archive.
Decrypt the Godzilla traffic with a script to obtain the password.
Open the zip with it to get the flag.
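The "decrypt the Godzilla traffic with a script" step is the part a practitioner needs to reproduce, so here is an added example of that codec; it is not the writeup's script and not code from the Godzilla project, but is written from the stock Godzilla PHP_XOR_BASE64 shell template. That shell derives a 16-byte key as the first 16 hex characters of md5(key password), XORs byte i of the data with key[(i+1) & 15], base64-encodes the result, and wraps each response between the first 16 and last 16 hex characters of md5(pass . key). The `pass`/`key` strings and payloads below are constructed samples (the real ones must be recovered from the shell file or the capture), and whether an inner payload is gzip/zlib-compressed is decided by its magic bytes rather than assumed.

```python
import base64
import gzip
import hashlib
import zlib

# Added example (not the writeup's script): Godzilla PHP_XOR_BASE64 codec.
# pass/key values used here are constructed sample values.

def godzilla_key(key_password):
    """Stock shell generator: $key = substr(md5($keyPassword), 0, 16)."""
    return hashlib.md5(key_password.encode()).hexdigest()[:16].encode()

def xor_codec(data, key):
    """PHP: $D[$i] = $D[$i] ^ $K[$i+1 & 15].  XOR is symmetric, so this encodes and decodes."""
    return bytes(b ^ key[(i + 1) & 15] for i, b in enumerate(data))

def maybe_decompress(raw):
    """Inner payloads may be gzip (1f 8b) or zlib (78 ..) compressed; only decompress
    when the magic says so, otherwise return the bytes untouched."""
    if raw[:2] == b"\x1f\x8b":
        return gzip.decompress(raw)
    if raw[:1] == b"\x78":
        try:
            return zlib.decompress(raw)
        except zlib.error:
            pass
    return raw

def encode_request(plaintext, key):
    """What the client puts in the POST field named after $pass."""
    return base64.b64encode(xor_codec(plaintext, key))

def decode_request(post_value, key):
    """Recover the client's command from that POST field."""
    return maybe_decompress(xor_codec(base64.b64decode(post_value), key))

def response_markers(pass_password, key):
    """The shell echoes substr(md5($pass.$key),0,16) before and substr(...,16) after the body."""
    h = hashlib.md5(pass_password.encode() + key).hexdigest()
    return h[:16].encode(), h[16:].encode()

def decode_response(body, pass_password, key):
    """Strip the md5(pass.key) prefix/suffix, then base64 -> XOR -> decompress."""
    head, tail = response_markers(pass_password, key)
    if not (body.startswith(head) and body.endswith(tail)):
        raise ValueError("body is not a Godzilla response for this pass/key")
    return maybe_decompress(xor_codec(base64.b64decode(body[16:-16]), key))

def encode_response(plaintext, pass_password, key, compress=True):
    """Build a response the way the shell does, so the decoder can be exercised offline."""
    head, tail = response_markers(pass_password, key)
    inner = gzip.compress(plaintext) if compress else plaintext
    return head + base64.b64encode(xor_codec(inner, key)) + tail

if __name__ == "__main__":
    key = godzilla_key("key")   # the Godzilla default key password
    body = encode_response(b"uid=33(www-data) gid=33(www-data)\n", "pass", key)
    print(decode_response(body, "pass", key))
```

To apply this to a capture, take the POST body of the request stream and the full HTTP response body of the matching stream (the markers are the first and last 16 bytes of the response), and feed them to `decode_request` / `decode_response` with the `pass` and key values found in the uploaded shell.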
机你太美
We get an npbk file, which has to be opened with the Nox emulator (夜神模拟器): import it in the emulator assistant, start it, and find that it asks for a lock-screen password.
Locate Nox's bin folder (where its adb lives) and remove the lock-screen credential files:
```shell
adb shell
cd data/system
ls
# Some of the files below may not exist under /data/system; delete whichever are present
rm /data/system/locksettings.db
rm /data/system/locksettings.db-shm
rm /data/system/locksettings.db-wal
rm /data/system/gatekeeper.password.key
rm /data/system/gatekeeper.pattern.key
rm /data/system/fingerprintpassword.key
rm /data/system/personal.key
rm /data/system/gesture.key
rm /data/system/password.key
```
After restarting the emulator there are two chat apps, QQ and Skred. QQ cannot log in; Skred has a chat history with bbb in which many files were transferred.
Pull the files out with adb pull.
Open the PNG in Stegsolve: Alpha plane 2 contains data.
Extract it with a script:
```python
from PIL import Image

img = Image.open("41.png")
# print(img.mode)    # RGBA
# print(img.width)
# print(img.height)
f = 0      # becomes 1 once the first pixel with a modified alpha has been seen
s = ''
for i in range(img.width):
    for j in range(img.height):
        pixl = img.getpixel((i, j))
        if pixl[3] == 255:
            # fully opaque pixels before the data starts are padding; afterwards they are '1'
            if f == 1:
                s = s + '1'
        else:
            f = 1
            s = s + '0'
        if len(s) >= 1000:
            break
print(s)
```
Decoding the bit string gives a password, which should be the password of the last archive.
Opening that archive shows only garbage; analyzing the jpg with exiftool gives the hint XOR DASCTF2022.
XOR-decoding the garbage with that key gives the flag.
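The last three steps (read one alpha bit plane, pack the bits into a password, XOR the garbage with the EXIF key) generalise beyond this image, so here is an added example that is not the writeup's script: `extract_bit_plane` reads any bit of any channel the way Stegsolve's "Alpha plane 2" view does, `bits_to_bytes` packs the result, and `xor_recover` tries every rotation of a repeating XOR key and checks the output against known file signatures, so a wrong key or a wrong key phase shows up as "no known type" instead of more garbage. The sample image (`sample_pixel`), the password `p4ssw0rd` and the XORed PNG header are constructed test data; `load_png` assumes Pillow is installed and is only needed for a real file.

```python
# Added example (not from the writeup): bit-plane extraction + repeating-key XOR
# with file-signature checking.  All sample inputs below are constructed.

MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"PK\x03\x04": "zip",
    b"GIF8": "gif",
    b"%PDF": "pdf",
}

def load_png(path):
    """Open a PNG with Pillow (assumed installed) as (width, height, getpixel)."""
    from PIL import Image
    img = Image.open(path).convert("RGBA")
    return img.width, img.height, img.getpixel

def extract_bit_plane(width, height, getpixel, channel=3, bit=2, column_major=True):
    """Bit `bit` of channel `channel` (0=R,1=G,2=B,3=A) of every pixel as a '0'/'1'
    string.  column_major walks x in the outer loop, like the writeup's script."""
    if column_major:
        coords = [(x, y) for x in range(width) for y in range(height)]
    else:
        coords = [(x, y) for y in range(height) for x in range(width)]
    return "".join(str((getpixel(xy)[channel] >> bit) & 1) for xy in coords)

def bits_to_bytes(bits, msb_first=True):
    """Pack a '0'/'1' string into bytes; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        chunk = bits[i:i + 8]
        out.append(int(chunk if msb_first else chunk[::-1], 2))
    return bytes(out)

def xor_with_key(data, key):
    """Repeating-key XOR; symmetric, so it both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def identify(data):
    """Name of the file type whose signature `data` starts with, else None."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return None

def xor_recover(data, key):
    """Try every rotation of the key (the data may not start on key[0]) and return
    (phase, type, plaintext) for the first rotation that yields a known signature."""
    for phase in range(len(key)):
        rotated = key[phase:] + key[:phase]
        pt = xor_with_key(data, rotated)
        kind = identify(pt)
        if kind is not None:
            return phase, kind, pt
    return None

# --- constructed sample input -------------------------------------------------
W, H = 16, 8
PASSWORD = b"p4ssw0rd"
_bits = "".join(f"{b:08b}" for b in PASSWORD)

def sample_pixel(xy):
    """Opaque RGBA image whose alpha bit 2 carries PASSWORD in column-major order."""
    x, y = xy
    idx = x * H + y
    bit = int(_bits[idx]) if idx < len(_bits) else 0
    alpha = (0xFF & ~(1 << 2)) | (bit << 2)   # 0xFB or 0xFF
    return (0x10, 0x20, 0x30, alpha)

PNG_HEAD = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"
SAMPLE_CIPHER = xor_with_key(PNG_HEAD, b"DASCTF2022")

if __name__ == "__main__":
    print(bits_to_bytes(extract_bit_plane(W, H, sample_pixel)))
    print(xor_recover(SAMPLE_CIPHER, b"DASCTF2022"))
```

For the real challenge files, replace `sample_pixel` with `load_png("41.png")` and `SAMPLE_CIPHER` with the bytes of the garbage file; if `xor_recover` returns None, the key is wrong, the data is not a plain file, or the bit order needs `msb_first=False` or `column_major=False`.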
Isolated Machine Memory Analysis
hint1:
hint2: Why is this Windows memory image in ELF format?
hint3:
The system below had about 5.5 GB RAM:

```
$ python vol.py -f ~/Desktop/win7sp1x64_vbox.elf --profile=Win7SP1x64 vboxinfo
Volatility Foundation Volatility Framework 2.4
Magic: 0xc01ac0de
Format: 0x10000
VirtualBox 4.1.23 (revision 80870)
CPUs: 1

File Offset        PhysMem Offset     Size
------------------ ------------------ ------------------
0x0000000000000758 0x0000000000000000 0x00000000e0000000
0x00000000e0000758 0x00000000e0000000 0x0000000003000000
0x00000000e3000758 0x00000000f0400000 0x0000000000400000
0x00000000e3400758 0x00000000f0800000 0x0000000000004000
0x00000000e3404758 0x00000000ffff0000 0x0000000000010000
0x00000000e3414758 0x0000000100000000 0x000000006a600000
```

The system below had 8 GB RAM:

```
File Offset Memory Offset Size
----------- ------------- ----------
0x000000808 0x00000000000 0xe0000000
0x0e0000808 0x000e0000000 0x01b00000
0x0e1b00808 0x000f0400000 0x00400000
0x0e1f00808 0x000f0800000 0x00004000
0x0e1f04808 0x000ffff0000 0x00010000
0x0e1f14808 0x00100000000 0xffdf0000
0x1e1d04808 0x001ffdf0000 0x20210000
```

The system below had 10 GB RAM:

```
File Offset Memory Offset Size
----------- ------------- ----------
0x000000808 0x00000000000 0xe0000000
0x0e0000808 0x000e0000000 0x01b00000
0x0e1b00808 0x000f0400000 0x00400000
0x0e1f00808 0x000f0800000 0x00004000
0x0e1f04808 0x000ffff0000 0x00010000
0x0e1f14808 0x00100000000 0xffdf0000
0x1e1d04808 0x001ffdf0000 0x9de10000
```
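Hint 2 can be answered in code. A VirtualBox core dump is an ELF64 core file whose PT_LOAD program headers carry guest memory, with `p_paddr` holding the guest-physical address, `p_offset` the position in the file and `p_filesz` the length; the tables above are exactly those headers, which is also how Volatility's vboxinfo produces them. The following is an added example, not the writeup's script nor a Volatility plugin, that walks the program headers, translates a guest-physical address to a file offset, and carves a physical range, which is what the later hand-extraction of the VRAM region with 010 Editor does by eye. `build_fake_core`, `read_headers` and the `VBOX_5_5GB` constant are names of this example; the ELF bytes it is tested against are constructed to mirror the 5.5 GB layout above.

```python
import struct

# Added example (not from the writeup): walk the PT_LOAD headers of a VirtualBox
# ELF core dump and map guest-physical addresses to file offsets.

PT_LOAD = 1

def parse_load_segments(data):
    """Return [(file_offset, phys_addr, size)] for every PT_LOAD program header."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 file")
    e_phoff = struct.unpack_from("<Q", data, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    segs = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, _flags, p_offset, _vaddr, p_paddr, p_filesz, _memsz, _align = \
            struct.unpack_from("<IIQQQQQQ", data, off)
        if p_type == PT_LOAD:
            segs.append((p_offset, p_paddr, p_filesz))
    return segs

def read_headers(fh):
    """Read only the ELF header and program-header table of a (possibly huge) core file,
    padded so that offsets inside the returned bytes match offsets in the file."""
    head = fh.read(64)
    e_phoff = struct.unpack_from("<Q", head, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", head, 0x36)
    fh.seek(e_phoff)
    return head + b"\0" * (e_phoff - 64) + fh.read(e_phentsize * e_phnum)

def phys_to_file_offset(segs, paddr):
    """File offset holding guest-physical address paddr, or None if no segment maps it."""
    for f_off, p_addr, size in segs:
        if p_addr <= paddr < p_addr + size:
            return f_off + (paddr - p_addr)
    return None

def carve_phys(data, segs, paddr, size):
    """Bytes of guest-physical [paddr, paddr+size); refuses ranges that leave a segment,
    since bytes past a segment end belong to an unrelated physical address."""
    for f_off, p_addr, seg_size in segs:
        if p_addr <= paddr and paddr + size <= p_addr + seg_size:
            start = f_off + (paddr - p_addr)
            return data[start:start + size]
    raise ValueError("range 0x%x+0x%x is not within a single PT_LOAD segment" % (paddr, size))

def build_fake_core(layout, tail=b""):
    """Constructed test input: a header-only ELF64 core with one PT_LOAD per
    (file_offset, phys_addr, size) entry, followed by `tail` bytes."""
    ehdr = bytearray(64)
    ehdr[0:4] = b"\x7fELF"
    ehdr[4:7] = bytes([2, 1, 1])                         # ELF64, little-endian, EV_CURRENT
    struct.pack_into("<HHI", ehdr, 0x10, 4, 0x3E, 1)     # ET_CORE, EM_X86_64, e_version
    struct.pack_into("<Q", ehdr, 0x20, 64)               # e_phoff: right after the header
    struct.pack_into("<HHH", ehdr, 0x34, 64, 56, len(layout))  # e_ehsize, e_phentsize, e_phnum
    phdrs = b"".join(struct.pack("<IIQQQQQQ", PT_LOAD, 6, f, 0, p, s, s, 0x1000)
                     for f, p, s in layout)
    return bytes(ehdr) + phdrs + tail

# The 5.5 GB layout printed by vboxinfo above.
VBOX_5_5GB = [
    (0x0000000000000758, 0x0000000000000000, 0x00000000e0000000),
    (0x00000000e0000758, 0x00000000e0000000, 0x0000000003000000),
    (0x00000000e3000758, 0x00000000f0400000, 0x0000000000400000),
    (0x00000000e3400758, 0x00000000f0800000, 0x0000000000004000),
    (0x00000000e3404758, 0x00000000ffff0000, 0x0000000000010000),
    (0x00000000e3414758, 0x0000000100000000, 0x000000006a600000),
]

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        for f_off, p_addr, size in parse_load_segments(read_headers(fh)):
            print("file 0x%016x -> phys 0x%016x  size 0x%x" % (f_off, p_addr, size))
```

Run it against the .elf to print the same table as vboxinfo without loading the multi-gigabyte file; `carve_phys` with the physical address and size of the region you want then replaces the manual 010 Editor selection.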
imageinfo:
pslist:
There is a ClipboardMonit process (name truncated by pslist) and an mstsc.exe process.
clipboard:
clipboard -v:
```
-----BEGIN PUBLIC KEY-----
MFowDQYJKoZIhvcNAQEBBQADSQAwRgJBAIEZTxxle7+5rywC5byIuBkPhwkyv57R
756DUCD9i2MWYyUs0Acc6JZwyqVOmR74uMvreI2slle4Gy7Hl6PcXxECAQI=
-----END PUBLIC KEY-----
```
Dump the mstsc.exe process.
Rename the .dmp to .data and open it in GIMP.
Load it as raw image data, set the image type to RGBA, then adjust the offset, width and height until an image appears; it shows that what we need is not in main memory (it is in video memory).
vboxinfo:
This gives the position of the video memory within the memory file, 0xdffcda2c, and its size, 0x2000000; carve that range out by hand with 010 Editor.
Combined with the 1440x900 resolution and 32-bit colour depth from the hint, a script converts the raw pixel data into an image:
```python
from PIL import Image

width = 1440
height = 900
flag = open('vram', 'rb').read()   # raw 32 bpp framebuffer carved from the dump

def makeSourceImg():
    # 4 bytes per pixel, rows top to bottom, left to right
    # (equivalent to Image.frombytes('RGBA', (width, height), flag[:width * height * 4]))
    img = Image.new('RGBA', (width, height))
    x = 0
    for i in range(height):
        for j in range(width):
            img.putpixel((j, i), (flag[x], flag[x + 1], flag[x + 2], flag[x + 3]))
            x += 4
    return img

img = makeSourceImg()
img.save('1.png')
```
The encryption session that produced the ciphertext:

```python
>>> from Crypto.Util.number import bytes_to_long, long_to_bytes
>>> with open('flag.txt', 'rb') as f:
...     m = bytes_to_long(f.read())
...
>>> from Crypto.PublicKey import RSA
>>> with open('flag.pub.pem', 'r') as f:
...     pubkey = RSA.import_key(f.read())
...
>>> pubkey.size_in_bits()
512
>>> c = pow(m, pubkey.e, pubkey.n)
>>> long_to_bytes(c).hex()
'089ebf3622f6f6d498c1b5ecfe4d831d3e876bf55578586389127e0053bb4fe006e2eee5398b86274fdce0418d16c9bb0bf24922cec491b3047d33eb661784c9'
```
First compute c:

```python
from Crypto.Util.number import bytes_to_long

print(bytes_to_long(bytes.fromhex("089ebf3622f6f6d498c1b5ecfe4d831d3e876bf55578586389127e0053bb4fe006e2eee5398b86274fdce0418d16c9bb0bf24922cec491b3047d33eb661784c9")))
# 451471540081589674653974518512438308733093273213393434162105049845933212224386755831134427109878720380821421287108607669893882611307516611482749725279433
```
Parse the public key:

```python
from Crypto.PublicKey import RSA

with open('flag.pub.pem', 'r') as f:
    pubkey = RSA.import_key(f.read())
print(pubkey.e)
print(pubkey.n)
```
Factor n:
q=79346858353882639199177956883793426898254263343390015030885061293456810296567
p=85213910804835068776008762162103815863113854646656693711835550035527059235383
With e = 2 and n factorable, this is Rabin rather than RSA: decrypting means taking square roots of c modulo p and q and combining them with the CRT, which yields four candidates.
```python
import gmpy2
from Crypto.Util.number import long_to_bytes

def rabin_decrypt(c, p, q, e=2):
    # For p, q ≡ 3 (mod 4) the square roots of c mod p and mod q are
    # c^((p+1)/4) and c^((q+1)/4); the CRT combines them into four candidates
    n = p * q
    mp = pow(c, (p + 1) // 4, p)
    mq = pow(c, (q + 1) // 4, q)
    yp = gmpy2.invert(p, q)
    yq = gmpy2.invert(q, p)
    r = (yp * p * mq + yq * q * mp) % n
    rr = n - r
    s = (yp * p * mq - yq * q * mp) % n
    ss = n - s
    return (r, rr, s, ss)

c = 451471540081589674653974518512438308733093273213393434162105049845933212224386755831134427109878720380821421287108607669893882611307516611482749725279433
p = 79346858353882639199177956883793426898254263343390015030885061293456810296567
q = 85213910804835068776008762162103815863113854646656693711835550035527059235383
m = rabin_decrypt(c, p, q)
for i in range(4):
    # only one of the four roots is the real plaintext; long_to_bytes avoids the
    # odd-length failure of bytes.fromhex(hex(m[i])[2:])
    print(long_to_bytes(int(m[i])))
```
```
b'=\x7f\xc0\xdc\x96\x88D\x886\xa7\xdaa\xc9\x10\x183\x1aG4m\xf6Yws\n0f\xbb\xbb\x01V\x84\xa3R\xe1\xd0\xea\x17W\x97/C\xfd\xf4\xc48\xbc\x96\xbbn\x88\x97)\x99`\x845\x1e\x90\x95\x10\xbfk\xb5'
b'C\x99\x8e?\xce\xf3{1x\x84(\x83\xf3x\x9f\xe5\xf5?\xd4\xc4\xc9EZ|\x94R\xe9eB\x8a\x0c\x91\xbf\xd2J\xff\x1d\x05\x90\xffA\x86\xa7Y\xd4\xe6<"\x10|\xef\xf6\x82\xfc\xf73\xe6\x107\x02\x93\x1c\xf3\\'
b'\x81\x19O\x1ce{\xbf\xb9\xaf,\x02\xe5\xbc\x88\xb8\x19\x0f\x87\t2{]~\xacJ<\xd4\xd7\x89V\x03\xb2\x19\xb2\xf9l\xcf\xd0o7\r\x9a2\xfce\xb2\xc4d\x98\x87\x19\x19|7 o\xb5\xcfcfV\xa9)\x94'
b'DASCTF{It5_dIr3c7Ly_c0rR3l4T3d_t0_7He_d1M35}'
```
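The script above silently relies on p ≡ q ≡ 3 (mod 4) (otherwise c^((p+1)/4) is not a square root) and on c being a quadratic residue, and it leaves picking the right one of the four roots to the reader's eye. The following added example, not the writeup's script, makes those checks explicit, verifies that every candidate squares back to c, and selects the plaintext with a caller-supplied predicate; it uses only the standard library (`pow(x, -1, m)` instead of gmpy2). The toy parameters in the `__main__` block are constructed; the page's own c, p, q can be dropped in unchanged.

```python
# Added example (not from the writeup): Rabin (e = 2) decryption with its
# preconditions checked and root selection by predicate.

def rabin_roots(c, p, q):
    """All four x with x^2 ≡ c (mod p*q), for primes p ≡ q ≡ 3 (mod 4)."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("c^((p+1)/4) is only a square root when p ≡ q ≡ 3 (mod 4)")
    n = p * q
    c %= n
    mp = pow(c, (p + 1) // 4, p)   # square root of c mod p
    mq = pow(c, (q + 1) // 4, q)   # square root of c mod q
    # c must really be a quadratic residue mod both primes, or these are not roots
    if (mp * mp - c) % p or (mq * mq - c) % q:
        raise ValueError("c is not a quadratic residue mod n")
    yp = pow(p, -1, q)             # p^-1 mod q
    yq = pow(q, -1, p)             # q^-1 mod p
    # CRT: r ≡ mp (mod p), r ≡ mq (mod q); s uses -mp (mod p) instead
    r = (yp * p * mq + yq * q * mp) % n
    s = (yp * p * mq - yq * q * mp) % n
    return [r, n - r, s, n - s]

def long_to_bytes(x):
    return x.to_bytes((x.bit_length() + 7) // 8, "big")

def pick_plaintext(roots, n, c, looks_right):
    """Return the first candidate that re-encrypts to c and satisfies looks_right(bytes)."""
    for m in roots:
        if pow(m, 2, n) != c % n:
            raise ValueError("candidate %d does not square back to c" % m)
        pt = long_to_bytes(m)
        if looks_right(pt):
            return pt
    return None

if __name__ == "__main__":
    # Toy parameters (constructed): p = 7, q = 11, m = 20 -> c = 20^2 mod 77 = 15
    p, q, c = 7, 11, 15
    roots = rabin_roots(c, p, q)
    print(sorted(roots))                                    # 20 is among the four
    print(pick_plaintext(roots, p * q, c, lambda b: b == b"\x14"))
    # For the challenge: roots = rabin_roots(c, p, q) with the page's values and
    # pick_plaintext(roots, p * q, c, lambda b: b.startswith(b"DASCTF{"))
```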
From: https://www.cnblogs.com/carefree669/p/17149372.html