前言
- wp由EDI yanshu师傅投稿 ,感谢yanshu师傅。
- 部分题目为赛后复现。
- 部分题目复现方法由一些师傅提供解题思路,感谢。
- 题目附件获取方法在文章末尾。
1.1
导出对象 发现 6.html 中有颜文字
解开后 alert(“EBA01E64-416C-419E-9C9A-C807AD9741D2”);
1.2
全局搜X-Forwarded-For,会发现它ip是五位的,答案长度为8,那么不需要标点,去掉最后一位,所以答案是 34244579
1.3
木马密码MD5值 161ebd7d45089b3446ee4e0d86dbcf92
1.4
找zip 文件,在173 流 会看见一个压缩包
188 流中 看见PK 头
对命令解码发现读取的文件就是 /tmp/1.zip
去掉混淆字符后提出文件,但是需要密码
主办方的提示好像是 社工 来着,觉得可能会是脑洞,就没找到
1.5
这题是把1.bin 和 2.bin 内容拼接
所以根据蚁剑读取文件的规则,把/tmp/1.bin 编码 ,找base64后的文件名会在哪出现
http contains “L3RtcC8xLmJpbg” 过滤一下,在234 流找到了
然后把 前后混淆字符去掉 得到答案
F3C4426E-8A4F-49F7-A658-2E33D85BA665
3.1
初赛机密内存的考点,线下有脚本就出了
https://github.com/axcheron/pyvmx-cracker
原文件名enc.bin
"key/list/(pair/(phrase/UmBuYyhuIW8%3d/pass2key%3dPBKDF2%2dHMAC%2dSHA%2d1%3acipher%3dAES%2d256%3arounds%3d10000%3asalt%3d0kVDY4OIuvr2WAG%2bo639Lw%253d%253d,,JV9HGrSxPYiDk%2bJYP0KxHqceNnA%2fB0vLXtXVmrUSGINNbFmXRCX5smPN3Ny0hTcjtSGVTOXie5xUK2HdJaj6NxmgyTtc38Xy80co%2f3swAflWoKvMFxRB86AtVqZZ7Sv%2fbUAjCwVUd7uplXhLUfdCk12BMY0%3d))"
"etHKaa2gijMJ4n3hP9NjN9uNnI10E96xhqVa1P30TCTHr8BUkALO6RiD7mJSzlpX7hX1TF23UV7zhXhvip/8tBaAZYBXFYJHcBEnfVWQ23VetQwm5y+l3K29U14Tpz2jQMC920wxA9joTKs67CaiqdGixKZF/TZ7Mvdm5zc60HaB9Yj/OI4KGdJEjVstAu9U6hryfTRC8MIANadKuRy2rwJR9EkMHyPwNTyQwsDgVPwkvE1evA6tB7Q7RmiWDSEJamCEfo/SaSuky4NIaaGaquczBmMkhphQ7zTmL6nhZYjClcCuWsuzCwGrAeVX3UTShJjmIkbq6w4GRuxvpjt8swV+BmgleU6UEQIFlyqFYvk1a2oe314FootRsJiS4XEW6ngkthe5hw053SfN/GP85RS/uIKsCH11vCrD2Ew029fgBq0yy1YeOZQ/QEYlwrKPtd0eRT83dbZJs/XzM+ehZpKVS+nfJdQjGOlROluXnj9VXBrEK/9MT9qyNca4xOpKKkjmmH+vMpqiZHFwjdRl3NUeiy0bh0hj4YeMAo7L0/Uk77A09E9jrNKnkZ2hILX1+yXbGLyvW9OdDhALGj4QaGNdkfPGDYwv7U6CrjoTlCMXDyZY0idFtPwn7NfdAviPjsDWZonDsILX7LjZDrUTkYvoceGKiSQFOUQ3NlI9c3fzaCRfrnxQ6wLncp0WV8HfFF5+FfLt8HgzYCdGx1d8itwGkvwgy/RtSazrAY88OtpInKAhBZgZfdN4paq5FFdWfWQnB5Rjq20FuUzlv5TUfAUkBalO0zJhQl97R6REHoc5kLK9NxWMQJQ5H/B4/pEifTVSxo5QTLt+xsvWlxo7WnVhZGmdvqNgocLn8l4KzcNKxx7wlzMqWtjSYH6ocBk+atbR1dRNEEYH6ii0ZKdOo0ujlXk0HFUCNozR06WMv1zPQqDaHh2wQaqevX/rFEfWE0P0McISpxW0DMeEjsA3j6YLACcE14GadaGAUc7PrOFMPsPujdhAWjv9KvO8/H0rgkPDza0Tu6yUFBVb6tXhri3t2XtlWuuivU/W8sfh/+MUYXddU/1hUqV/qZ3dgxWYlunywMlBeT1TKKtJQTeq5zmILRy0tKvBU2fsQYuElRVpXWXeMsVDLnCvH+Kr+2MR8MfHt1LG+/OOWRmFe2M12zTIX1m4KZHdB1B+fIHBVC2AKD1e2DAMFjDyccCsB1unyDl07LpVpnrC45Iysbj+iwWT/++exiDR1cntMd/4NgzDbJlWlcjCZNvfPsjvyQznqdUdXy00YivLXrQxwyK8D6PStzIsH5kY/P+08G/KzW7EbT3LWFBT72VPYNAAf3EeL2nM40AyUOU5jfVzAC3WZKAzBwb+B7ZB43LfNzNL83E4G/BAh0onWSlFDzf+oS5wFw/qd7TVjjPYdkZ4D6or3fD+lHLlpkMzROlGuJgQeTpF8A89WMWQpkokbxGVWhunbz7t6hMLdQ507mf/uIQu75eczxTDG0rNvkptX1IJUBXYeh34xRmn/RVzLB55WLsbrrcKyQ9xjHrlrUyCsE9jaJh5AvqNbEC6pPsjnnXcb8mzZXwc876QDuwPZsLGJJ+FZwEpQ1TS89Rwt/MoZdDYlGu/J1AXnYf4fB/9EvAH1rzpyH6m1tSqlCdbPt4pfCO3QGydXVyzfNAARh7wD6KIMlYRja9pDj++OxSfLgQgaSW8u+pJ2q09rYJcGxg7HZEJnt35nlMb3wgCsptw+iSMbUdgr++ApX3fQWBkzAvSb4EjH95bNF0U7E8nkc9M9tcalOYb+EPThSdxgi8iFGP0b+DWHrF5BJQm9mzmntraOSNmnpAAORGW3F4XLmcRN+w3Gm2StQvHWF1td1wtIzHSRHoxSwcVR15Z7IPT4Zi/YU45SLO3xbnL2SlUu0/uaj7kHMqpIYyXdAYi+aeGpl5w+mQjb603Z/L/OZvzkn30RE8IrdBqB+bDl+c7opsu9TBssPV4hO+VWOtswMPSvk4TWn0/57HhSAMwFP5K/mDcW4gYEinHS10tkC7+ssHWUDMDzPmN8FH3JS8YxLJ754M5BF0H3fnTCUylvaXq3oLnHJrzbq+sGNZf9KUsefer/Qh5rWTYgJ0cG73KLQ0KFNaMZdbhJ/IYFI9RMKVyS+yKrD08GqvzyOdjjLThx9Tzbj/E/IAJyw1mQzbi5abrst957zSEzNyJXrFHisjteX56o1YAWNVteqYjSD6GuG6b1QBP0hPLElbc8mjNsF0anuy2EETHO5GRqOIiDEwZIQFLYGfDS09aWXXxOLV7Mqoj8VZ+xkRUuxJwhd8hfEeyQsB3U/hhJTXTFKHWOIwZW7fKK46ZNQPVFR0aaYNxJX9l/BHz3QtUV+PSMZkhcUzd7UjpGOyrVFSgz7kDZN2oeCc/LaH+fJEkLhslUvRf4hZNG+O6zpmt1IB00Jc417l2tpnWlnUyxhIzNdLd5xnRztIUmdKG4dj1mRUUf2JMLZiZMTCys2noq1DweOHSyEh+jzSPjz3QMlZNJcwZ3X8EIb9AV0e7nyyliBZ6Qs1OXQLYTo8ada3uNU+aCTQTlymrFDLWX5RinknPzzDGipX/yMLnkVcZSy7UdIUNviJNyzQzoxKg24DpPibTo0v5eGWMgtG7tp8Bk23Ih1TYOlHdMvnoEGTdskWRBWWPsapUiYbu5T7plRfghtcVkEOv4F1OW6058cSohS5TLFK/aqyfSxl/zKGCuZQhhWbYJSObIHvvLoT+lw2Vm4vqrIXBkJ3jLl0BiNy8AtnVWB1kgA/9+xTUFXpS8LUCApdq/52/VluCbXb4y8e7Soa3HCdmrVUVt/vpGkqCIxRmKrKvibUztbwQfBxCZWuf5NFAubxGnPXx2dyo6Edhz+aZ2bs9BS1pEWhsCurW4t8Zg50lZ3jVhJFaht8iLdH3VOYqUmYs0+gk5yzsvBQ426H1Z0EK0TaPxhEbSKtT1pEPcJ5Y+oNCOKIYZFIhgVqX+GcY+xj1GKbvmGKIo3f94HUxmK/Wv8vJb756mzuRqz75qoFjftOG9XpcpAUtuVyFLa4tzCKhekSetmfA84q2PZ4cjOnva8rAkPCd83qMhcBZnXDOcXWlQEcom9C+S26qqM+5e9AQKceBrtWK56iMTGQloylqck+SnwPAQvb5EAdPS5OuzBPjZrogsX0CZihiMiykX9YOLbuI1YeVz5WYFcKQEYc5cIWpM7n0PHyFqyOaNP14tKaiB1Z2SP3xJFek4U0OHxhjPNdPmRDSNy+owAL+d5MR2f71X7CQwVAm1U0PZ/YB6bsTSM3XoIFPUylWR+hPVBCO2wKuTze7wEgIqVa6LhrUbelnRUy9G0QzZ2X9NKj/mDFuvN3RSodxFI2bArCupjtVzLVQgySQkkhReH3Yfjm0bRk0CPCYH6MpeugzolTPOOZL4F8h0wuq5YMSq+Yg1ZRnVWcbyiESJ9DFiNIhTThxbswtMeGAF4feGxYr56sU70gJN21FMfai8A7vHPQrpMkrJCULOeMjqE0Ys9tyzRcryr2MfvxxoQAvCLpyhTzWMPTvaCbKW8eq9b15vblaYb2kR8H7A/E3N7w7IFPLM6ZmNT8d/AIKTxn/theEhwZXghPD/HONBr4wNEdVYKRZx0Ckr6NqgpfvPv87O0ad4OyFXL1G2avCrP+r8wLtfZ4ZvHSqIXIyR8ZHUkfZR+7ePl6nD1YGzUQo8OEd+7MIBGMmGW6MuiF4WQskycp9QncuadzIhUxGcbvQAOyF8YBSga/FfMntT1cAQNAfWASxGeg/ihBFPGmgD4atgN+gaYPilaCs0odJSEF/XXkA9ed3AnA3H0kChvX9s0AZoQ=="
参考 pyvmx-cracker 上的readme 可知 文件类型是 vmx
3.3
将格式改一下
.encoding = "UTF-8"
displayName = "Encrypted"
encryption.keySafe = "vmware:key/list/(pair/(phrase/UmBuYyhuIW8%3d/pass2key%3dPBKDF2%2dHMAC%2dSHA%2d1%3acipher%3dAES%2d256%3arounds%3d10000%3asalt%3d0kVDY4OIuvr2WAG%2bo639Lw%253d%253d,,JV9HGrSxPYiDk%2bJYP0KxHqceNnA%2fB0vLXtXVmrUSGINNbFmXRCX5smPN3Ny0hTcjtSGVTOXie5xUK2HdJaj6NxmgyTtc38Xy80co%2f3swAflWoKvMFxRB86AtVqZZ7Sv%2fbUAjCwVUd7uplXhLUfdCk12BMY0%3d))"
encryption.data = "etHKaa2gijMJ4n3hP9NjN9uNnI10E96xhqVa1P30TCTHr8BUkALO6RiD7mJSzlpX7hX1TF23UV7zhXhvip/8tBaAZYBXFYJHcBEnfVWQ23VetQwm5y+l3K29U14Tpz2jQMC920wxA9joTKs67CaiqdGixKZF/TZ7Mvdm5zc60HaB9Yj/OI4KGdJEjVstAu9U6hryfTRC8MIANadKuRy2rwJR9EkMHyPwNTyQwsDgVPwkvE1evA6tB7Q7RmiWDSEJamCEfo/SaSuky4NIaaGaquczBmMkhphQ7zTmL6nhZYjClcCuWsuzCwGrAeVX3UTShJjmIkbq6w4GRuxvpjt8swV+BmgleU6UEQIFlyqFYvk1a2oe314FootRsJiS4XEW6ngkthe5hw053SfN/GP85RS/uIKsCH11vCrD2Ew029fgBq0yy1YeOZQ/QEYlwrKPtd0eRT83dbZJs/XzM+ehZpKVS+nfJdQjGOlROluXnj9VXBrEK/9MT9qyNca4xOpKKkjmmH+vMpqiZHFwjdRl3NUeiy0bh0hj4YeMAo7L0/Uk77A09E9jrNKnkZ2hILX1+yXbGLyvW9OdDhALGj4QaGNdkfPGDYwv7U6CrjoTlCMXDyZY0idFtPwn7NfdAviPjsDWZonDsILX7LjZDrUTkYvoceGKiSQFOUQ3NlI9c3fzaCRfrnxQ6wLncp0WV8HfFF5+FfLt8HgzYCdGx1d8itwGkvwgy/RtSazrAY88OtpInKAhBZgZfdN4paq5FFdWfWQnB5Rjq20FuUzlv5TUfAUkBalO0zJhQl97R6REHoc5kLK9NxWMQJQ5H/B4/pEifTVSxo5QTLt+xsvWlxo7WnVhZGmdvqNgocLn8l4KzcNKxx7wlzMqWtjSYH6ocBk+atbR1dRNEEYH6ii0ZKdOo0ujlXk0HFUCNozR06WMv1zPQqDaHh2wQaqevX/rFEfWE0P0McISpxW0DMeEjsA3j6YLACcE14GadaGAUc7PrOFMPsPujdhAWjv9KvO8/H0rgkPDza0Tu6yUFBVb6tXhri3t2XtlWuuivU/W8sfh/+MUYXddU/1hUqV/qZ3dgxWYlunywMlBeT1TKKtJQTeq5zmILRy0tKvBU2fsQYuElRVpXWXeMsVDLnCvH+Kr+2MR8MfHt1LG+/OOWRmFe2M12zTIX1m4KZHdB1B+fIHBVC2AKD1e2DAMFjDyccCsB1unyDl07LpVpnrC45Iysbj+iwWT/++exiDR1cntMd/4NgzDbJlWlcjCZNvfPsjvyQznqdUdXy00YivLXrQxwyK8D6PStzIsH5kY/P+08G/KzW7EbT3LWFBT72VPYNAAf3EeL2nM40AyUOU5jfVzAC3WZKAzBwb+B7ZB43LfNzNL83E4G/BAh0onWSlFDzf+oS5wFw/qd7TVjjPYdkZ4D6or3fD+lHLlpkMzROlGuJgQeTpF8A89WMWQpkokbxGVWhunbz7t6hMLdQ507mf/uIQu75eczxTDG0rNvkptX1IJUBXYeh34xRmn/RVzLB55WLsbrrcKyQ9xjHrlrUyCsE9jaJh5AvqNbEC6pPsjnnXcb8mzZXwc876QDuwPZsLGJJ+FZwEpQ1TS89Rwt/MoZdDYlGu/J1AXnYf4fB/9EvAH1rzpyH6m1tSqlCdbPt4pfCO3QGydXVyzfNAARh7wD6KIMlYRja9pDj++OxSfLgQgaSW8u+pJ2q09rYJcGxg7HZEJnt35nlMb3wgCsptw+iSMbUdgr++ApX3fQWBkzAvSb4EjH95bNF0U7E8nkc9M9tcalOYb+EPThSdxgi8iFGP0b+DWHrF5BJQm9mzmntraOSNmnpAAORGW3F4XLmcRN+w3Gm2StQvHWF1td1wtIzHSRHoxSwcVR15Z7IPT4Zi/YU45SLO3xbnL2SlUu0/uaj7kHMqpIYyXdAYi+aeGpl5w+mQjb603Z/L/OZvzkn30RE8IrdBqB+bDl+c7opsu9TBssPV4hO+VWOtswMPSvk4TWn0/57HhSAMwFP5K/mDcW4gYEinHS10tkC7+ssHWUDMDzPmN8FH3JS8YxLJ754M5BF0H3fnTCUylvaXq3oLnHJrzbq+sGNZf9KUsefer/Qh5rWTYgJ0cG73KLQ0KFNaMZdbhJ/IYFI9RMKVyS+yKrD08GqvzyOdjjLThx9Tzbj/E/IAJyw1mQzbi5abrst957zSEzNyJXrFHisjteX56o1YAWNVteqYjSD6GuG6b1QBP0hPLElbc8mjNsF0anuy2EETHO5GRqOIiDEwZIQFLYGfDS09aWXXxOLV7Mqoj8VZ+xkRUuxJwhd8hfEeyQsB3U/hhJTXTFKHWOIwZW7fKK46ZNQPVFR0aaYNxJX9l/BHz3QtUV+PSMZkhcUzd7UjpGOyrVFSgz7kDZN2oeCc/LaH+fJEkLhslUvRf4hZNG+O6zpmt1IB00Jc417l2tpnWlnUyxhIzNdLd5xnRztIUmdKG4dj1mRUUf2JMLZiZMTCys2noq1DweOHSyEh+jzSPjz3QMlZNJcwZ3X8EIb9AV0e7nyyliBZ6Qs1OXQLYTo8ada3uNU+aCTQTlymrFDLWX5RinknPzzDGipX/yMLnkVcZSy7UdIUNviJNyzQzoxKg24DpPibTo0v5eGWMgtG7tp8Bk23Ih1TYOlHdMvnoEGTdskWRBWWPsapUiYbu5T7plRfghtcVkEOv4F1OW6058cSohS5TLFK/aqyfSxl/zKGCuZQhhWbYJSObIHvvLoT+lw2Vm4vqrIXBkJ3jLl0BiNy8AtnVWB1kgA/9+xTUFXpS8LUCApdq/52/VluCbXb4y8e7Soa3HCdmrVUVt/vpGkqCIxRmKrKvibUztbwQfBxCZWuf5NFAubxGnPXx2dyo6Edhz+aZ2bs9BS1pEWhsCurW4t8Zg50lZ3jVhJFaht8iLdH3VOYqUmYs0+gk5yzsvBQ426H1Z0EK0TaPxhEbSKtT1pEPcJ5Y+oNCOKIYZFIhgVqX+GcY+xj1GKbvmGKIo3f94HUxmK/Wv8vJb756mzuRqz75qoFjftOG9XpcpAUtuVyFLa4tzCKhekSetmfA84q2PZ4cjOnva8rAkPCd83qMhcBZnXDOcXWlQEcom9C+S26qqM+5e9AQKceBrtWK56iMTGQloylqck+SnwPAQvb5EAdPS5OuzBPjZrogsX0CZihiMiykX9YOLbuI1YeVz5WYFcKQEYc5cIWpM7n0PHyFqyOaNP14tKaiB1Z2SP3xJFek4U0OHxhjPNdPmRDSNy+owAL+d5MR2f71X7CQwVAm1U0PZ/YB6bsTSM3XoIFPUylWR+hPVBCO2wKuTze7wEgIqVa6LhrUbelnRUy9G0QzZ2X9NKj/mDFuvN3RSodxFI2bArCupjtVzLVQgySQkkhReH3Yfjm0bRk0CPCYH6MpeugzolTPOOZL4F8h0wuq5YMSq+Yg1ZRnVWcbyiESJ9DFiNIhTThxbswtMeGAF4feGxYr56sU70gJN21FMfai8A7vHPQrpMkrJCULOeMjqE0Ys9tyzRcryr2MfvxxoQAvCLpyhTzWMPTvaCbKW8eq9b15vblaYb2kR8H7A/E3N7w7IFPLM6ZmNT8d/AIKTxn/theEhwZXghPD/HONBr4wNEdVYKRZx0Ckr6NqgpfvPv87O0ad4OyFXL1G2avCrP+r8wLtfZ4ZvHSqIXIyR8ZHUkfZR+7ePl6nD1YGzUQo8OEd+7MIBGMmGW6MuiF4WQskycp9QncuadzIhUxGcbvQAOyF8YBSga/FfMntT1cAQNAfWASxGeg/ihBFPGmgD4atgN+gaYPilaCs0odJSEF/XXkA9ed3AnA3H0kChvX9s0AZoQ=="
python3 pyvmx-cracker.py -v enc.vmx -d 字典.txt
把默认字典换了
4.1
泄露的信息 (盲注flag)
QL盲注的流量被base64 编码了,wireshark 过滤出盲注流量
http contains "id=LTE2MTAgT1IgKE9SRChNSUQoKFNFTEVDVCBJRk5VTEwoQ0FTVChmbGFnIEFTIENIQVIpLDB4MjApIEZST00gY3RmX3Rlc3QuZmxhZyBPUkRFUiBCWSBJZCBMSU1JVCAwL"
用tshark 过滤出流量到txt中,解base64
tshark -r http.pcapng -T fields -e http.request.uri.query.parameter > data.txt
二分法SQL注入流量,最后半小时手动拼接没拼对,还错了两回
赛后拍的别的师傅的正确的flag
4.2
webshell 命令
rot13 解开混淆后,查看混淆字符 ,去掉前后混淆字符后 回显就可以解开了
&hcd2b0e72ddf36=Y2QgL2QgIkM6L2N0ZiImd2hvYW1pJmVjaG8gW1NdJmNkJmVjaG8gW0Vd
=> cd /d "C:/ctf"&whoami&echo [S]&cd&echo [E]
&w53596b0408df4=Y21k
=> cmd
最后三个流对应三个系统命令
config.exe#ipconfig#whoami
5.1
win10 的内存结构有点不太一样 ,线下只有vol2 的我们只能罚座
后面发现取证大师的解析工具可以解析内存,但是无法导出注册表。
用vol3 去查看注册表
python3 vol.py -f mem_sec.vmem windows.registry.printkey --offset 0x8084ac206000 --key "Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" | grep BackupProductKeyDefault
2021-09-10 16:29:33.000000 0x8084ac206000inREG_SZ \SystemRoot\System32\Config\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform BackupProductKeyDefault "F48BJ-8NX82-MRVY9-PF8BW-HMHY2" False
产品密钥为 F48BJ-8NX82-MRVY9-PF8BW-HMHY2
5.2
vol2 打不开 内存镜像
用 Magent AXIOM 跑 ,选了Win10x64 就打开了
匿名邮箱:
https://mail.td/zh
Tip
关注公众号 回复【2021陇剑杯】获取附件
你是否想要加入一个安全团
拥有更好的学习氛围?
那就加入EDI安全,这里门槛不是很高,但师傅们经验丰富,可以带着你一起从基础开始,只要你有持之以恒努力的决心
EDI安全的CTF战队经常参与各大CTF比赛,了解CTF赛事,我们在为打造安全圈好的技术氛围而努力,这里绝对是你学习技术的好地方。这里门槛不是很高,但师傅们经验丰富,可以带着你一起从基础开始,只要你有持之以恒努力的决心,下一个CTF大牛就是你。
欢迎各位大佬小白入驻,大家一起打CTF,一起进步。
我们在挖掘,不让你埋没!
你的加入可以给我们带来新的活力,我们同样也可以赠你无限的发展空间。
有意向的师傅请联系邮箱root@edisec.net(带上自己的简历,简历内容包括自己的学习方向,学习经历等)
1819
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
