首页 > 其他分享 >复现:西湖论剑2022

复现:西湖论剑2022

时间:2023-02-23 20:55:42浏览次数:43  
标签:img system flag 复现 2022 import rm data 论剑

mp3

用MP3stego无密码解密mp3,得到txt

 

 

 用binwalk分析mp3,发现有png,用foremost提取

 

用zsteg分析png,发现藏有zip,提取出来

 

 

 zip加密了一个47.txt,用前面得到的密码解开,rot47解码,用控制台跑一下得到flag

 

 

 take_the_zip_easy

对zip进行明文攻击

 

 

 

 

 

 

 

 

 分析流量包,发现有flag.zip,但被加密了

 

 

 追踪TCP流,发现了哥斯拉加密

 

 

 发现37流在上传flag.zip,所以36流应该为加密压缩包

 

 

 用脚本解哥斯拉得到密码

 

 

 打开zip,得到flag

机你太美

得到npbk文件,需要用夜神模拟器打开,在模拟器助手中导入,启动发现需要密码

 

 

 

 

找到Nox的bin文件夹

adb shell
cd data/system
ls
可能以下文件在system文件夹不存在,如存在,执行命令删除
rm /data/system/locksettings.db
rm /data/system/locksettings.db-shm
rm /data/system/locksettings.db-wal
rm /data/system/gatekeeper.password.key
rm /data/system/gatekeeper.pattern.key
rm /data/system/fingerprintpassword.key
rm /data/system/personal.key
rm /data/system/gesture.key
rm /data/system/password.key

 

 

 

 

 

 

 重启模拟器,发现有QQ和Skred两个聊天app,QQ登不上,Skred有和bbb的聊天记录,传了很多文件

 

 

 用adb pull提取文件

 

 

 用Stegsolve打开png,发现Alpha plane 2有数据

 

 

 用脚本提取

from PIL import Image

img=Image.open("41.png")
# print(img.mode) #RGBA
# print(img.width)
# print(img.height)
f=0
s=''
for i in range(img.width):
    for j in range(img.height):
        pixl = img.getpixel((i,j))
        if(pixl[3] == 255):
            if(f==1):
                s=s+'1'
        else:
            f=1
            s=s+'0'
        if(len(s)>=1000):
            break
print(s)

 解码得到一个密码,应该是最后一个压缩包的密码

 

 

 打开发现全是乱码,用exiftool分析jpg,得到提示XOR DASCTF2022

 

 

 解码得到flag

Isolated Machine Memory Analysis

hint1:

 

 

 hint2:为什么这个Windows内存镜像是ELF格式?

hint3:

The system below had about 5.5 GB RAM:

$ python vol.py -f ~/Desktop/win7sp1x64_vbox.elf --profile=Win7SP1x64 vboxinfo 
Volatility Foundation Volatility Framework 2.4

Magic: 0xc01ac0de
Format: 0x10000
VirtualBox 4.1.23 (revision 80870)
CPUs: 1

File Offset        PhysMem Offset     Size              
------------------ ------------------ ------------------
0x0000000000000758 0x0000000000000000 0x00000000e0000000
0x00000000e0000758 0x00000000e0000000 0x0000000003000000
0x00000000e3000758 0x00000000f0400000 0x0000000000400000
0x00000000e3400758 0x00000000f0800000 0x0000000000004000
0x00000000e3404758 0x00000000ffff0000 0x0000000000010000
0x00000000e3414758 0x0000000100000000 0x000000006a600000

 The system below had 8 GB RAM:

File Offset Memory Offset Size      
----------- ------------- ----------
0x000000808 0x00000000000 0xe0000000
0x0e0000808 0x000e0000000 0x01b00000
0x0e1b00808 0x000f0400000 0x00400000
0x0e1f00808 0x000f0800000 0x00004000
0x0e1f04808 0x000ffff0000 0x00010000
0x0e1f14808 0x00100000000 0xffdf0000
0x1e1d04808 0x001ffdf0000 0x20210000

The system below had 10 GB RAM:

File Offset Memory Offset Size      
----------- ------------- ----------
0x000000808 0x00000000000 0xe0000000
0x0e0000808 0x000e0000000 0x01b00000
0x0e1b00808 0x000f0400000 0x00400000
0x0e1f00808 0x000f0800000 0x00004000
0x0e1f04808 0x000ffff0000 0x00010000
0x0e1f14808 0x00100000000 0xffdf0000
0x1e1d04808 0x001ffdf0000 0x9de10000

 imageinfo:

 

 

 pslist:

发现有ClipboardMonit进程和mstsc.exe进程

clipboard:

 

 

 clipboard -v:

-----BEGIN PUBLIC KEY-----
MFowDQYJKoZIhvcNAQEBBQADSQAwRgJBAIEZTxxle7+5rywC5byIuBkPhwkyv57R
756DUCD9i2MWYyUs0Acc6JZwyqVOmR74uMvreI2slle4Gy7Hl6PcXxECAQI=
-----END PUBLIC KEY-----

 dump mstsc.exe进程

 

 

 把后缀dmp改为data,利用gimp加载原始数据,修改图像类型为RGBA,再修改位移宽度高度,得到一幅图,得知需要的东西不在内存中

vboxinfo:

得知显存在内存文件中的位置0xdffcda2c以及大小0x2000000,用010手动提取

 

 

 结合提示给出的1440x900的分辨率以及32的位深度,可以写个脚本将色彩文件转成图片

from PIL import Image

width = 1440
height = 900
flag = open('vram','rb').read()

def makeSourceImg():
    img = Image.new('RGBA', (width, height))
    x = 0
    for i in range(height):
        for j in range(width):
            img.putpixel((j, i), (flag[x], flag[x + 1], flag[x + 2],flag[x+3]))
            x += 4
    return img

img = makeSourceImg()
img.save('1.png')

 

 

 

 

from Crypto.Util.number import bytes_to_long,long_to_bytes
with open('flag.txt','rb') as f:
	    m = bytes_to_long(f.read())

from Crypto.PublicKey import RSA
with open('flag.pub.pem','r') as f
	    pubkey = RSA.import_key(f.read())

pubkey.size_in_bits()
512
c = pow(m,pubkey.e,pubkey.n)
long_to_bytes(c).hex()
'089ebf3622f6f6d498c1b5ecfe4d831d3e876bf55578586389127e0053bb4fe006e2eee5398b86274fdce0418d16c9bb0bf24922cec491b3047d33eb661784c9'

 先求一下c

from Crypto.Util.number import bytes_to_long
print(bytes_to_long(bytes.fromhex("089ebf3622f6f6d498c1b5ecfe4d831d3e876bf55578586389127e0053bb4fe006e2eee5398b86274fdce0418d16c9bb0bf24922cec491b3047d33eb661784c9")))
#451471540081589674653974518512438308733093273213393434162105049845933212224386755831134427109878720380821421287108607669893882611307516611482749725279433

 分解Public key

from Crypto.PublicKey import RSA
with open('flag.pub.pem','r') as f:
	pubkey = RSA.import_key(f.read())
print(pubkey.e)
print(pubkey.n)

 分解n

q=79346858353882639199177956883793426898254263343390015030885061293456810296567
p=85213910804835068776008762162103815863113854646656693711835550035527059235383

 e=2,n可分解,符合rabin

import gmpy2

def rabin_decrypt(c, p, q, e=2):
    n = p * q
    mp = pow(c, (p + 1) // 4, p)
    mq = pow(c, (q + 1) // 4, q)
    yp = gmpy2.invert(p, q)
    yq = gmpy2.invert(q, p)
    r = (yp * p * mq + yq * q * mp) % n
    rr = n - r
    s = (yp * p * mq - yq * q * mp) % n
    ss = n - s
    return (r, rr, s, ss)

c=451471540081589674653974518512438308733093273213393434162105049845933212224386755831134427109878720380821421287108607669893882611307516611482749725279433
p=79346858353882639199177956883793426898254263343390015030885061293456810296567
q=85213910804835068776008762162103815863113854646656693711835550035527059235383

m = rabin_decrypt(c, p, q)
for i in range(4):
    try:
        print(bytes.fromhex(hex(m[i])[2:]))
    except:
        pass
b'=\x7f\xc0\xdc\x96\x88D\x886\xa7\xdaa\xc9\x10\x183\x1aG4m\xf6Yws\n0f\xbb\xbb\x01V\x84\xa3R\xe1\xd0\xea\x17W\x97/C\xfd\xf4\xc48\xbc\x96\xbbn\x88\x97)\x99`\x845\x1e\x90\x95\x10\xbfk\xb5'
b'C\x99\x8e?\xce\xf3{1x\x84(\x83\xf3x\x9f\xe5\xf5?\xd4\xc4\xc9EZ|\x94R\xe9eB\x8a\x0c\x91\xbf\xd2J\xff\x1d\x05\x90\xffA\x86\xa7Y\xd4\xe6<"\x10|\xef\xf6\x82\xfc\xf73\xe6\x107\x02\x93\x1c\xf3\\'
b'\x81\x19O\x1ce{\xbf\xb9\xaf,\x02\xe5\xbc\x88\xb8\x19\x0f\x87\t2{]~\xacJ<\xd4\xd7\x89V\x03\xb2\x19\xb2\xf9l\xcf\xd0o7\r\x9a2\xfce\xb2\xc4d\x98\x87\x19\x19|7 o\xb5\xcfcfV\xa9)\x94'
b'DASCTF{It5_dIr3c7Ly_c0rR3l4T3d_t0_7He_d1M35}'

 

标签:img,system,flag,复现,2022,import,rm,data,论剑
From: https://www.cnblogs.com/carefree669/p/17149372.html

相关文章