强网杯2021 qwb misc WP 5题

BlueTeaming、ISO1995、CipherMan、ExtremelySlow、EzTime

本来是说昨天发的，忘了……
然后取证题，比较偏向爆破出的flag；如果是想知道原理等可以去看看空白师傅的WP：https://mp.weixin.qq.com/s/ItaIgLxcXCjvAhyyP3On9Q

BlueTeaming

下载解压，得到一个无后缀，winhex查看是7z文件头，添加.7z，解压
得到一个5个G的memory.dmp文件
是一个内存镜像，常见的内存镜像文件有raw、vmem、dmp、img，这里也正好满足
题目问的是

所以要查找有关powershell的hive
根据百度可知，注册表项是左边的路径(HKEY)

现在开始对镜像下手，首先查看镜像的基本信息
volatility -f memory.dmp imageinfo

然后直接看hive

因为是powershell恶意程序，所以这里优先考虑software。
尝试用dumpregistry，笑死，根本找不到插件

你说百度搜吧，没搜到。谷歌吧，没找到。看万能的gayhub吧，也没有。
没办法，直接winhex找了呗，反正是HKEY，再加上怀疑SOFTWARE，就直接找吧

对比了一下自己的计算机，winhex直接搜HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft

一共47个项目
怎么找也是非常简单，找到周围有“powershell”的字样，尝试提交就行了。

这不
然后提交HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Communication
对了

CipherMan
解压得到一个无后缀，加上.7z解压，memory添加上.vmem后缀，然后volatility

Dump出来

拖到010里面看

然后bitlocker解密，我用取证大师

ISO1995
这题很绕思路，这比赛跟试错比赛似的。
首先是用UltralISO打开，把1024个文件给下载出来。
然后尝试按照时间排序，这里就不贴脚本了(反正是错误思路)得到一串文本，有95个字符，UUencode也不对，想尝试base95发现不会写脚本……
然后重新查看iso1995，找到flag的位置，发现前面有一串FFFFFFFF
并且经过查找，一共1024个，而且后面的跟在FFFFFFFF后面的数字也在变化，并且随便看了十几个，发现总值不超过1024，猜测用这个当做那1024个提取出来的文件的顺序。

首先写脚本将FF FF FF FF后面的俩个字节提取出来

f = open("iso1995.iso",'rb').read()
f1 = open("flag",'wb')

def find_all_indexes(input_str, search_str):
    l1 = []
    length = len(input_str)
    index = 0
    while index < length:
        i = input_str.find(search_str, index)
        if i == -1:
            return l1
        l1.append(i)
        index = i + 1
    return l1

s = find_all_indexes(f,b'\xff\xff\xff\xff')
for i in s:
    f1.write(f[i+4:i+6])
print("done")

然后把10进制的值提取出来（注释掉上面那段）

s = [""]*1024
f = "000000AA035702C50023026802F202DB03E501E5010102A80236026703F2009E002A00E0039801B0028A006D03D1019D01CB031B031902A0025900A1022D030500510231003C02C702E301990235037E0185012E007400A2006C021602FC01B401AA026902CE00FD00B601D3004903BC02F000F2016503A4032501EE03B403DE02DE03F80147024F033C0263001C03F4009702EC0091000C00BF0168023301A4038C024E024D03C50086037C001202C101110126036801C7000702F3007000BB0304036B02D3004103AF0130017C003403970061008102A301A80092012A002C01350323028E00F902D7010901A702F8032701EF000F03C8020E014A02600344034300C4022C0099026D008A030103F10273031F009D00F501FA010D037A036101E10307021502E201B70225031000350243028602D8010803EF01F5030A03390170010701770100005C021C01690063010203E1039C00DA037D01BC014002A5034900D8033A00C1004403CF029101FF03D802390338030B010602B303FB03F0007701CD025600EC004C03EB000101620266035B0298000A02CC0248011500A8034D025401D703E9035A02270065016B03AC03830039019503EA030D03AE02820078001501B8011D018600F600180148038E00F4013701F0012203CD011E027201CE01F103B8022B02AE00BE03850133033E020C021003A901BD00ED033403300214008F014B00D700040265014301A901800178034C0062030201BE02F5036600AD02AD016403330142036E03E00345018A00E300A300FB028F03BF022F02DC039E03D90314006803B600A602D202220103004D03F9008B01F6018E03E3030000C002AA01A10139019F0360025B01BA027600F0038D001F0006028C013203D6020B0198018802A1023801E6007C035D0064009F024A00D001BB005E02BD019A019300F803A30362019E00D4026E03EE0352015F023201FB03C002BA03BE02EB01C103900129039900CC02AC02BB02A9003800E400E1009C020A03200396020701F90192034E02B501F8032803CB024200B7038100B803E7012F019C031C03F50230023C0113006F00AE01DE0071029601F702A2004A01280110005F024701C4034B03E603ED0318008C015A03BA03F600AB0079028100AF00EA01A20127011C0056018F02BF0002018303A100CF013D029A031E02710138021903640261007601AB03E800A501EB03DD01A300600096017B007E01B3035403E2012B017103FC000901C901FC021E00B9032E02E4026C008502D902DF027A01AC03CE00E200670365038401DC01F40212012000CD0221021B01DA0209013E031D005B0378016C007300CA0255008D00C20082009A0224001B001303750347027801D603D000EF037103EC002F03A002B103FA002501D8004F01B102C3029F030902A4028B009302BC00D5028801B600FF011403F3030E021F002100D6018D036F032103530029015B034603D7034F0043017303DB01600292039203370030017F02F70124003E02F601AF010E039D0246028701B9021A010C0394025000F303A20000011603AD0377011A02EF02CA0153031201E8034A0311022902AF03A50359036D01A6023B021D00FA02D0033500BD025F0326037F03A801EA011B029E03CC0201038A016A03800037013F0080029B01CA025302E90088037001C802F103B30205003A031701AD0125018701970237014E025E036A011F020F00A9014C008E030C032B005201410355029702950275013A0350015702AB03FF00F7009800DD015E038701E4008700550159013C0105019B01D1019402CF004502B000C60022026F01E001DD033B03FD01D20154005D03890024039F01DF028D03BB024500110003002700C702BE004700C902B601B5009B006E03C3016E00B5025D005900160008002D0066007A037B01BF030802ED035C02CD00E500C5020802FB028001CF025A03DA018B017A02B801040190003D03BD0089020403910289014F027401C303220151019602C203D203F7029401D900BA015803FE03B103B501ED014D0136023A004203740315039500E9034200DE00D101B203400020004E015C013B00AC036302D40223002600DB017E0123006B02DD02FF029900F100840217001400900176020602B4023E0372032F023D01C002E60220007202FE03C901D00053032901C6033D027C03B903690028005002DA00D901E9001A02CB017202E80356019102EE009501C20094007F025101840144024B03B0012102030264022E034802FD03730249003602C8027B0226016D03C700170040038602620270025202E50234010F03C4010B0150029302B9016F038203AB018902B7039B014601F2030F00CB005400C801DB035E03880083001D007B00FE0181010A003301E203C103E402FA01630358006900E702E0017D00EE02900166027E003B02F400D30341027901790228015202B2036C0119033603AA0174029D011703A7023F02D6021801FD0134001902C0000D0161032D001001490167002E004B020003C6004600B3005A01D5020203130131012C033200B2021301A502EA026A02D5000E007D03B202C900EB003103D500B401E700BC039A01550367032A0156030302850351025802D100A7027F011201EC031602C6002B00A00284004800CE01E3024100B0025C02A601CC030602C400B1024002E703DF029C033100DF00750005006A03B7003F00D201F3026B032C00FC005801D40393032401AE038F018C01FE03C20182015D00E6020D0175012D003203CA02E1038B03D4027702F9025702A7031A00A403DC01C5024C021100C30244001E022A0283027D035F00DC03A60379033F037600E80118014503D30057000B"
for i in range(1024):
    print(int(f[i*4:i*4+4],16))
    s[i] = int(f[i*4:i*4+4],16)
print(s)
print(len(s))

再然后，对之前那1024个文件进行重命名

import os
path = 'C:\\Users\\mumuzi\\Desktop\\1995'
num= 0
for file in os.listdir(path):
    os.rename(os.path.join(path,file),os.path.join(path,str(num)))
    num+=1

最后，将他们拼起来即可（注释掉重命名过程和第一步）

f = open("flag1",'wb')
for j in s:
    f1 = open("C:\\Users\\mumuzi\\Desktop\\1995\\"+str(j),"rb").read()
    f.write(f1)
print("done")

FLAG{Dir3ct0ry_jYa_n41}

ExtremelySlow
HTTP里面有很多可以导出的，看了tcp流量也发现有单字节，根据标题是慢传输，再加上有个range，可以猜测是要将其提取出来然后排序
.\tshark.exe -r .\ExtremelySlow.pcapng -T fields -e ip.src -e ip.dst -e data.data -e http.request.method -e http.response.line -Y http >fflag.txt

然后按照range:bytes xx-xx的xx，按顺序，拼接起来。
因为导出的是gbk编码，python运行脚本报错，所以要把它ctrl-a ctrl-c粘贴到一个新的文本(utf-8)里，跑那个新的utf-8文本

f = open('fflag (2).txt','r').read()
file1 = f.split('\n')
s = []
for i in range(1987):
    s.append(0)
for file1 in file1:
    content_range_posision = file1.find('content-range')
    if (content_range_posision >= 0):
        tmp = file1[20:22]
        tmp = int(tmp, 16)
        num = file1[content_range_posision+21:content_range_posision+31]
        num = num.split('-')[0]
        num = int(num)
        s[num] = tmp
s = bytes(s)
f2 = open('latest','wb')
f2.write(s)

弄完观察是一个pyc文件，然后发现这个pyc不对劲，和3.7以下的文件头是对不上号的，根据pyc的文件头，在3.9以上是61开头，55是38,41是3.7以下。所以去临时装了一个python3.10a

虽然还是61开头，但是后面不是pyi0，给的脚本应该没问题。
这里找到一篇文章，是研究pyc的。

https://stackoverflow.com/questions/32562163/how-can-i-understand-a-pyc-file-content

运行之后，会生成一大段字节码，这里我放ubuntu pastebin了
https://pastebin.ubuntu.com/p/wJ6wv8b6r2/

这里要字节码一个个反推回去
得到反推出来的python文件，这里还是放WP里吧：
里面的p = “ ”因为是做出来的了，所以已经填上了值

# -*- codeing = utf-8 -*-
# @Author : Mumuzi
# @File : flaggg.py
# @Software : PyCharm

import sys
from hashlib import sha256

def KSA(key):
    keylength = len(key)
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i%keylength]) % 256
        S[i], S[j] = S[j], S[i]#ROT_TWO:交换两个数
    return S

def PRGA(S):
    i = 0
    j = 0

    while (1):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]

        K = S[(S[i] + S[j]) % 256]
        yield K #YIELD_VALUE

def RC4(key):
    S = KSA(key)
    return PRGA(S)

def xor(p, stream):
    return bytes(map(lambda x:x ^ stream.__next__(), p))

def bit_count(i):
    return bin(i).count("1")

if __name__ == '__main__':
    w = b'\xf6\xef\x10H\xa9\x0f\x9f\xb5\x80\xc1xd\xae\xd3\x03\xb2\x84\xc2\xb4\x0e\xc8\xf3<\x151\x19\n\x8f'
    e = b'$\r9\xa3\x18\xddW\xc9\x97\xf3\xa7\xa8R~'
    b = b'geo'
    s = b'}\xce`\xbej\xa2\x120\xb5\x8a\x94\x14{\xa3\x86\xc8\xc7\x01\x98\xa3_\x91\xd8\x82T*V\xab\xe0\xa1\x141'
    t = b"Q_\xe2\xf8\x8c\x11M}'<@\xceT\xf6?_m\xa4\xf8\xb4\xea\xca\xc7:\xb9\xe6\x06\x8b\xeb\xfabH\x85xJ3$\xdd\xde\xb6\xdc\xa0\xb8b\x961\xb7\x13=\x17\x13\xb1"
    m = {2:115, 8:97, 11:117, 10:114}
    n = {3:119, 7:116, 9:124, 12:127}
    m |= {x:x ^ n[x] for x in n}
    m |= ((bit_count(i), i) for i in b)

    stream = RC4(list(map(lambda x:x[1], sorted(m.items()))))
    print(sha256(w).digest())
    print(xor(w, stream))

    p = b'\xe5\n2\xd6"\xf0}I\xb0\xcd\xa2\x11\xf0\xb4U\x166\xc5o\xdb\xc9\xead\x04\x15b' 
    e = xor(e, stream)
    c = xor(p, stream)
    print(sha256(c).digest())

    if (sha256(c).digest() == s):
        print(xor(t, stream))
        print(c)
    else:
        print(e)

然后运行会提示stegosaurus
这是pyc的隐写工具，弄出来运行报错

去查看这里

还是报错

现在运行，完美

把这段密文填到p=””里面
提示congratulation！
发现只输出了一个，再把c打印出来，得到flag

flag{P0w5rFu1_0pEn_50urcE}

EzTime

MFT能用diskgenius直接看，方法如下：

注意属性为A，都是不能导出的，但是这题问的是名字，所以已经够用了
$LogFile用github的LogFileParser能打开，可是已经不需要了
就这个MFT，一个个试不同时间的就行了。

{45EF6FFC-F0B6-4000-A7C0-8D1549355A8C}.png
为什么不是其他的，我也不知道，反正试错了好多个。