CISCN 2022 Central China Division: Misc

xpxp

Get the system information

┌──(wha1e㉿wha1e)-[~/volatility]
└─$ python vol.py -f /home/wha1e/桌面/xpxp.raw  imageinfo   

The output is as follows:

Volatility Foundation Volatility Framework 2.6.1
 INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/wha1e/桌面/xpxp.raw)
                      PAE type : PAE
                           DTB : 0xb18000L
                          KDBG : 0x80546ae0L
          Number of Processors : 1
     Image Type (Service Pack) : 3
                KPCR for CPU 0 : 0xffdff000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2022-05-20 03:09:02 UTC+0000
     Image local date and time : 2022-05-20 11:09:02 +0800

Get the list of image files:

Volatility Foundation Volatility Framework 2.6.1
0x0000000002021c98      1      0 R--rwd \Device\HarddiskVolume1\Program Files\Messenger\logowin.gif
0x00000000022d08d8      1      0 R--r-- \Device\HarddiskVolume1\Documents and Settings\All Users\Documents\My Pictures\letter_PixelReplacement.png
0x00000000022e89d8      1      0 R--rwd \Device\HarddiskVolume1\Program Files\Messenger\lvback.gif
0x00000000022faf28      1      0 R--rwd \Device\HarddiskVolume1\WINDOWS\Web\Wallpaper\Bliss.bmp
0x0000000002409e28      1      0 R--rwd \Device\HarddiskVolume1\Documents and Settings\Administrator\My Documents\My Pictures\egg3.bmp
0x000000000250d240      1      0 R--rwd \Device\HarddiskVolume1\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Administrator.bmp

Extract egg3 and letter_PixelReplacement.png

┌──(wha1e㉿wha1e)-[~/volatility]
└─$ python vol.py -f /home/wha1e/桌面/xpxp.raw --profile=WinXPSP2x86 dumpfiles -Q 0x0000000002409e28 -D /home/wha1e/桌面
┌──(wha1e㉿wha1e)-[~/volatility]
└─$ python vol.py -f /home/wha1e/桌面/xpxp.raw --profile=WinXPSP2x86 dumpfiles -Q 0x00000000022d08d8 -D /home/wha1e/桌面

The 3 at the end of egg3 suggests that there are other eggs. Searching with the keyword egg finds five eggs; extract all of them.

┌──(wha1e㉿wha1e)-[~/volatility]
└─$ python vol.py -f /home/wha1e/桌面/xpxp.raw --profile=WinXPSP2x86 filescan | grep -E "egg"
Volatility Foundation Volatility Framework 2.6.1
0x00000000020273b8      1      0 R--rwd \Device\HarddiskVolume1\Program Files\xerox\egg4.txt
0x00000000020cb2b8      1      0 RW-rw- \Device\HarddiskVolume1\Documents and Settings\Administrator\Recent\egg4.lnk
0x0000000002137248      1      0 R--r-- \Device\HarddiskVolume1\Documents and Settings\Administrator\My Documents\egg1.rtf
0x000000000214c450      1      0 RW-rw- \Device\HarddiskVolume1\Documents and Settings\Administrator\Recent\egg5.lnk
0x00000000022c4d08      1      0 RW-rw- \Device\HarddiskVolume1\Documents and Settings\Administrator\Recent\egg1.lnk
0x000000000231e748      1      0 RW-rw- \Device\HarddiskVolume1\Documents and Settings\Administrator\Recent\egg3.lnk
0x000000000232d938      1      0 R--rwd \Device\HarddiskVolume1\Program Files\Messenger\egg5.txt
0x0000000002409e28      1      0 R--rwd \Device\HarddiskVolume1\Documents and Settings\Administrator\My Documents\My Pictures\egg3.bmp
0x000000000251c538      1      0 R--rwd \Device\HarddiskVolume1\Documents and Settings\Administrator\My Documents\My Music\egg2.txt

Their contents are as follows:

# egg1
Do you know what the Chinese meaning of ankle is? flag is that.

Remember to convert the answer to a 32-bit lowercase MD5 value.

# egg2
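I heard that there is a way of encrypting images called image pixel replacement encryption. A substitution cipher is one of the simplest encryption algorithms: it works by replacing the characters of one alphabet with the characters of another alphabet. So what does pixel replacement encryption look like? There seems to be a tool that integrates this encryption, but I have forgotten which one. It is said to have been put in the email drafts.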

# egg3
Pixel replacement 15 -by Ankle

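# egg4
Do you know XOR encryption? XOR is a type of logical operation on two operands, written XOR or EOR. It is said that part of some code was placed somewhere on the computer; it XORs a file. But there is a letter that was put who knows where, apparently in one of the easter eggs. Can you solve it?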

# egg5
According to Homer's epic, the hero Achilles is the precious son of the mortal Polus and the beautiful fairy Thetis.
It is said that her mother Tethys carried him upside down into the Styx river when he was just born, so that he could be invulnerable. 
Unfortunately, due to the rapid flow of the Ming River, his mother didn't dare to let go of his heel.
The heel held by his mother was accidentally exposed outside the water, so the heel was the most vulnerable place, leaving the only "dead hole" in his body, so he buried the disaster. 
When he grew up, Achilles fought bravely. When he went to attack the city of Troy (the story of Trojan horse slaughtering the city), the brave Achilles singled out the Trojan general Hector, killed him and dragged his body to demonstrate. 
But later, after conquering Troy, Achilles was attacked by an arrow by Hector's brother-in-law Paris and hit his ankle - the hero fell to the ground and died at the moment of shaking.
ankle, ankle, I love ankle.The password is ??k1eAn???

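I could not find the image pixel replacement encryption tool here, but there is a ready-made implementation on GitHub. (While solving the challenge I wondered whether the XOR and the pixel replacement could be done directly, without the rest of the challenge, and that turned out to be the case.)
This yields the letter.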

Check Notepad for any other key information, such as the XOR code:

┌──(wha1e㉿wha1e)-[~/volatility]
└─$ python vol.py -f /home/wha1e/桌面/xpxp.raw --profile=WinXPSP2x86 editbox

This gives the key code:

f = open('./flag.zip', 'rb').read()
new = open('./fffflllaag.dat', 'ab')

letter = ''
secret = int(letter,16)
print(secret)
for i in f:
    n = int(i) ^ secret
    new.write(int(n).to_bytes(1, 'big'))

Search for the keyword flag:

┌──(wha1e㉿wha1e)-[~/volatility]
└─$ python vol.py -f /home/wha1e/桌面/xpxp.raw --profile=WinXPSP2x86 filescan | grep -E "flag"
Volatility Foundation Volatility Framework 2.6.1
0x000000000240cad8      1      0 R--rw- \Device\HarddiskVolume1\Documents and Settings\All Users\Documents\flagData.zip

Extract it:

┌──(wha1e㉿wha1e)-[~/volatility]
└─$ python vol.py -f /home/wha1e/桌面/xpxp.raw --profile=WinXPSP2x86 dumpfiles -Q 0x000000000240cad8 -D /home/wha1e/桌面

It contains a file named fffflllaag.dat.

┌──(wha1e㉿wha1e)-[~/volatility]
└─$ python vol.py -f /home/wha1e/桌面/xpxp.raw --profile=WinXPSP2x86 filescan | grep -E "jpg|png|jpeg|bmp|gif"

Modifying the code slightly gives the result:

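# Read the XOR-encoded file extracted from flagData.zip
with open('./fffflllaag.dat', 'rb') as src:
    f = src.read()

letter = 'A'               # the letter recovered above
secret = int(letter, 16)   # hex digit 'A' -> 10
print(secret)

# XOR is its own inverse, so applying the same key restores flag.zip.
# 'wb' instead of 'ab' so that a rerun does not append to an earlier output.
with open('./flag.zip', 'wb') as new:
    new.write(bytes(b ^ secret for b in f))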
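
The remark above that the XOR step can be solved without the rest of the challenge holds because a ZIP archive starts with the fixed bytes PK\x03\x04, so the single-byte key follows from the first byte of the encoded file. The following is an added example, not code from the challenge or the original post; the sample archive is constructed in memory and the function names are hypothetical.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # local file header signature at the start of a ZIP


def recover_xor_key(blob: bytes, magic: bytes = ZIP_MAGIC):
    """Return the single-byte key that maps the blob's prefix to `magic`, or None."""
    if len(blob) < len(magic):
        return None
    key = blob[0] ^ magic[0]
    # Every magic byte must agree on the same key; otherwise this is not
    # a single-byte XOR of a file that starts with this magic.
    if all(b ^ key == m for b, m in zip(blob, magic)):
        return key
    return None


def xor_bytes(blob: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in blob)


def build_sample(key: int) -> bytes:
    """Constructed sample: a tiny in-memory ZIP, XORed like the recovered script does."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("flag.txt", "constructed sample, not the challenge data")
    return xor_bytes(buf.getvalue(), key)


def decode(blob: bytes):
    """Recover the key, undo the XOR and confirm the result parses as a ZIP."""
    key = recover_xor_key(blob)
    if key is None:
        raise ValueError("not a single-byte-XORed ZIP")
    plain = xor_bytes(blob, key)
    with zipfile.ZipFile(io.BytesIO(plain)) as zf:
        return key, zf.namelist()


if __name__ == "__main__":
    encoded = build_sample(int("A", 16))  # same key derivation as the script above
    print(decode(encoded))
```
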

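According to egg5 (ankle, ankle, I love ankle.The password is ??k1eAn???) and the surrounding context, I guessed that the password is ankleankle with some letters changed in case or replaced by digits or symbols. Starting from the given k1eAn, I first guessed Ank1eAnk1e, and the guess was correct 2333
This gives flag.txt: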

The answer to egg1 is : You are the only weakness in my body
This is also the answer to flag

Following egg1, take the MD5 hash of You are the only weakness in my body and wrap it in flag{}.

ZIPCracker

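Pseudo-encryption
Known-plaintext attack
This is odd 😀. The normal approach should be a known-plaintext attack, but it failed for me. The writeups I collected online all use a known-plaintext attack as well, but judging from their screenshots it does not seem to have succeeded, or... it is hard to say. If anyone knows what the problem is, pointers are welcome!

The archive password is crQ2#!; extract the archive to get the flag.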

PNGCracker

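Change the image height to get the zip passwd, separate the zip manually with WinHex, extract it to get flag.png, then use stegsolve or zsteg. This is sign-in difficulty, so I am skipping the details.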

Secrets in the Data Stream

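Reproduced with reference to this blog: https://wkr.moe/ctf/806.html
The packet lengths reveal a rar file; extract it manually.
Five segments of data need to be extracted here, with lengths 65539, 93, 65539, 93 and 46505, whereas I only extracted the three longest. Also, the data to extract is only the TCP segment data minus the leading 4441544100000100. The archive extracted in the end is still password-protected.
Follow the TCP streams; stream 14 contains the h264 file header 00 00 00 01 67. Extract it manually.
The h264 is surveillance video. I had no dedicated player to open it, so I converted it to mp4 with Format Factory (well, after reading an expert's blog, PotPlayer works).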
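
The bytes 00 00 00 01 67 are an H.264 Annex B start code followed by a NAL header of type 7 (SPS), which is where a decodable stream begins. The following added example, not part of the original post, lists the NAL units in a reassembled TCP payload and carves from the first SPS; the sample bytes are constructed and the function names are hypothetical.

```python
import re

# Annex B start code: 00 00 01, optionally preceded by one more 00 byte.
START_CODE = re.compile(rb"\x00\x00\x00?\x01")

NAL_NAMES = {1: "non-IDR slice", 5: "IDR slice", 6: "SEI", 7: "SPS", 8: "PPS"}


def list_nal_units(stream: bytes):
    """Return (offset_of_start_code, nal_unit_type) for every NAL unit found."""
    units = []
    for m in START_CODE.finditer(stream):
        if m.end() >= len(stream):
            break                      # start code at the very end, no header byte
        header = stream[m.end()]
        if header & 0x80:              # forbidden_zero_bit must be 0
            continue
        units.append((m.start(), header & 0x1F))
    return units


def carve_h264(stream: bytes) -> bytes:
    """Carve from the first SPS (type 7) to the end of the stream."""
    for offset, nal_type in list_nal_units(stream):
        if nal_type == 7:
            return stream[offset:]
    raise ValueError("no SPS found; not an H.264 Annex B stream")


# Constructed sample: some non-video bytes followed by SPS, PPS and IDR units.
SAMPLE = (
    b"HTTP/1.1 200 OK\r\n\r\n"
    + bytes.fromhex("00000001 6742001e abcd")
    + bytes.fromhex("00000001 68ce3c80")
    + bytes.fromhex("00000001 65888421")
)

if __name__ == "__main__":
    for offset, nal_type in list_nal_units(SAMPLE):
        print(offset, nal_type, NAL_NAMES.get(nal_type, "other"))
    print(len(carve_h264(SAMPLE)), "bytes carved")
```
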
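Opening it shows a QR code split into four parts. Take screenshots and repair it in Photoshop; CSDN blocks QR codes, so I am not posting the image.
Scanning it gives 695c630e-523c-4098-8ff8-0bac8f8b22d7, which is the archive password.
The .git/config file contains the GitHub project https://github.com/KuroLabs/stegcloak.git
and the password just4fun. Through the project I found a website for hiding information online: https://stegcloak.surge.sh/

An encoded string is found at the end of the image.
Decoding it reveals a large number of invisible characters; combine this with the decoding website found above.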
The wheel ‍‍‌⁢⁤⁣‍⁢⁢‍‍‌⁡‍‌‍⁡‌⁢⁢‌⁢‍⁢‌‍⁢⁡‍‌⁢‍⁤‍⁡⁣‌⁤⁢‍‍‍⁢⁢⁤⁤‍⁤⁢‌⁤⁤⁡‍⁡‍⁤⁢⁤⁣⁡‍⁤‌‍⁢⁡⁢‌⁢‌⁢⁡⁢‍‍⁡‍‍⁡‌‍⁢‍⁡‍‌⁢⁢⁤‌⁡⁢⁢⁢⁣‌⁢‌⁡‍⁤⁡‌⁡‌⁢⁡‍⁢‍‍⁢⁢⁢⁢⁤⁡‍⁢⁡⁣⁤‍⁣‌⁢‍‌‍⁢‍‌⁢⁢‍‌⁢‍‌‍‍⁢⁡‍⁣⁤⁢⁣⁢⁢⁤⁡‌⁢⁡⁢‍⁢⁣turns, nothing is ever new.
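
A run of invisible characters like the one in the line above can be located programmatically, because the code points involved all belong to the Unicode "format" category (Cf). The following added example, not part of the original post, reports such runs and returns the visible cover text; the sample string is constructed and the function names are hypothetical.

```python
import unicodedata


def invisible_runs(text: str, min_len: int = 8):
    """Find runs of Unicode format (Cf) characters that are at least min_len long.

    Returns a list of (start_index, run_length, sorted code points).
    A short run (for example one ZWJ inside an emoji sequence) is ignored.
    """
    runs, start = [], None
    for i, ch in enumerate(text + "x"):          # sentinel closes a trailing run
        if unicodedata.category(ch) == "Cf":
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                cps = sorted({f"U+{ord(c):04X}" for c in text[start:i]})
                runs.append((start, i - start, cps))
            start = None
    return runs


def strip_invisible(text: str) -> str:
    """Return only the visible cover text."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")


# Constructed sample: 18 zero-width code points hidden after the second word.
HIDDEN = "\u200c\u200d\u2062\u2063\u2064\u2061" * 3
SAMPLE = "The wheel " + HIDDEN + "turns, nothing is ever new."

if __name__ == "__main__":
    for start, length, cps in invisible_runs(SAMPLE):
        print(f"offset {start}: {length} invisible characters {cps}")
    print(strip_invisible(SAMPLE))
```
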

Decrypt it to get the flag.
