护网杯2019-Writeup

• 签到

  import string
  from base64 import *
  b=b64decode("RU9CRC43aWdxNDs3NDFSOzFpa1I1MWliT08w")  #原题RU9CRC43aWdxNDs3NDFSOzFpa1I1MWliT08w，本题：aWdxNDs3NDFSOzFpa1I1MWliT08w
  data=list(b)
  for k in range(0,200):
      key=""
      for i in range(len(data)):
          key+=chr(ord(data[i])^k)
      print key+"\n"
    
  EOBD.7igq4;741R;1ikR51ibOO0
        igq4;741R;1ikR51ibOO0
    
  FLAG-4jdr78472Q82jhQ62jaLL3
  jdr78472Q82jhQ62jaLL3
  

• baby_forensic

  内存取证

  先imageinfo

  volatility -f data.vmem imageinfo
  

  Volatility Foundation Volatility Framework 2.6
  INFO    : volatility.debug    : Determining profile based on KDBG search...
            Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                       AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                       AS Layer2 : FileAddressSpace (/mnt/c/Users/wdbbw/Desktop/baby_forensic/data3/data.vmem)
                        PAE type : PAE
                             DTB : 0xb18000L
                            KDBG : 0x80546ae0L
            Number of Processors : 1
       Image Type (Service Pack) : 3
                  KPCR for CPU 0 : 0xffdff000L
               KUSER_SHARED_DATA : 0xffdf0000L
             Image date and time : 2019-09-04 14:22:51 UTC+0000
       Image local date and time : 2019-09-04 22:22:51 +0800
  

  查进程

  volatility -f data.vmem pslist
  

  看一眼cmd

  volatility -f data.vmem cmdscan
  

  Volatility Foundation Volatility Framework 2.6
  **************************************************
  CommandProcess: csrss.exe Pid: 440
  CommandHistory: 0x3713850 Application: cmd.exe Flags: Allocated, Reset
  CommandCount: 1 LastAdded: 0 LastDisplayed: 0
  FirstCommand: 0 CommandCountMax: 50
  ProcessHandle: 0x424
  Cmd #0 @ 0x55d868: hill_matrix 3,2,2,9,7,7,6,4,9
  

  有一个hill密钥矩阵

  找密文

  看一眼文件，有一堆，查有没有zip

  volatility -f data.vmem filescan | grep zip
  

  Volatility Foundation Volatility Framework 2.6
  0x00000000012f6028      1      0 R--r-- \Device\HarddiskVolume1\Documents and Settings\Administrator\桌面\disk.zip
  0x00000000016bb390      1      0 R--rwd \Device\HarddiskVolume1\WINDOWS\system32\zipfldr.dll
  

  dump出来

  volatility -f data.vmem dumpfiles -Q 0x00000000012f6028 -D ./ -u
  

  解压得到disk.img，挂载看一波

  mount -o loop message.img /mnt
  cd /mnt
  

  有一个usb.pcapng

  tshark -r usb.pcapng -T fields -e usb.capdata > usbdata.txt
  

  键盘数据包

  mappings = { 0x04:"A",  0x05:"B",  0x06:"C", 0x07:"D", 0x08:"E", 0x09:"F", 0x0A:"G",  0x0B:"H", 0x0C:"I",  0x0D:"J", 0x0E:"K", 0x0F:"L", 0x10:"M", 0x11:"N",0x12:"O",  0x13:"P", 0x14:"Q", 0x15:"R", 0x16:"S", 0x17:"T", 0x18:"U",0x19:"V", 0x1A:"W", 0x1B:"X", 0x1C:"Y", 0x1D:"Z", 0x1E:"1", 0x1F:"2", 0x20:"3", 0x21:"4", 0x22:"5",  0x23:"6", 0x24:"7", 0x25:"8", 0x26:"9", 0x27:"0", 0x28:"\n", 0x2a:"[DEL]",  0X2B:"    ", 0x2C:" ",  0x2D:"-", 0x2E:"=", 0x2F:"[",  0x30:"]",  0x31:"\\", 0x32:"~", 0x33:";",  0x34:"'", 0x36:",",  0x37:"." }
  nums = []
  keys = open('usbdata.txt')
  for line in keys:
      if line[0]!='0' or line[1]!='0' or line[3]!='0' or line[4]!='0' or line[9]!='0' or line[10]!='0' or line[12]!='0' or line[13]!='0' or line[15]!='0' or line[16]!='0' or line[18]!='0' or line[19]!='0' or line[21]!='0' or line[22]!='0':
           continue
      nums.append(int(line[6:8],16))
  keys.close()
  output = ""
  for n in nums:
      if n == 0 :
          continue
      if n in mappings:
          output += mappings[n]
      #else:
       #   output += '[unknown]'
  print 'output :\n' + output
  

  'UUTDOBZIPSRN'.HILLDECODEAABAAAAABBAABBABCBABBBCCCBBBCDCCCCECCCCECCCEDCCDCDCCCDDCDEDDCCFCDCDFCDCDCCECDCCCDCCCBCBDBBBBBCBBBBACBAABABAAAAABAABAAAAAAAAAAAAAAAAAAAAA
  

  得到密文UUTDOBZIPSRN

  解密得到QLBPGZBSTWEL

  qlbpgzbstwel

  flag为小写wdnmd