xpxp
萧禾财

Looking at the challenge

We are given a .raw file. For this kind of challenge the standard tool is the Volatility memory forensics framework.

Download it from the official site; I do not recommend the 3.0 version, it is still unstable.

I ran it on Windows, so all commands below are as typed in a Windows (PowerShell) prompt.

First, identify the operating system of the image so the right profile can be chosen:

```
PS D:\CTF\22年国赛\复赛\misc\已解\xpxp\volatility_2.6_win64_standalone> .\volatility_2.6_win64_standalone.exe -f xpxp.raw kdbgscan
Volatility Foundation Volatility Framework 2.6
**************************************************
Instantiating KDBG using: Kernel AS WinXPSP2x86 (5.1.0 32bit)
Offset (V)                    : 0x80546ae0
Offset (P)                    : 0x546ae0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): WinXPSP3x86
Version64                     : 0x80546ab8 (Major: 15, Minor: 2600)
Service Pack (CmNtCSDVersion) : 3
Build string (NtBuildLab)     : 2600.xpsp.080413-2111
PsActiveProcessHead           : 0x8055b158 (35 processes)
PsLoadedModuleList            : 0x80554fc0 (123 modules)
KernelBase                    : 0x804d8000 (Matches MZ: True)
Major (OptionalHeader)        : 5
Minor (OptionalHeader)        : 1
KPCR                          : 0xffdff000 (CPU 0)

**************************************************
Instantiating KDBG using: Kernel AS WinXPSP2x86 (5.1.0 32bit)
Offset (V)                    : 0x80546ae0
Offset (P)                    : 0x546ae0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): WinXPSP2x86
Version64                     : 0x80546ab8 (Major: 15, Minor: 2600)
Service Pack (CmNtCSDVersion) : 3
Build string (NtBuildLab)     : 2600.xpsp.080413-2111
PsActiveProcessHead           : 0x8055b158 (35 processes)
PsLoadedModuleList            : 0x80554fc0 (123 modules)
KernelBase                    : 0x804d8000 (Matches MZ: True)
Major (OptionalHeader)        : 5
Minor (OptionalHeader)        : 1
KPCR                          : 0xffdff000 (CPU 0)
```

Both entries describe the same KDBG at 0x80546ae0 (owner tag check True, PsActiveProcessHead walks to 35 processes, KernelBase matches an MZ header), so the structure is valid. The service pack field (CmNtCSDVersion = 3) and the build string 2600.xpsp.080413-2111 identify the system as Windows XP SP3 x86, so WinXPSP3x86 is the most precise profile; I used WinXPSP2x86 for everything below and it works just as well, because the kernel structures these plugins rely on did not change between XP SP2 and SP3. Next, list the running processes:

```
PS D:\CTF\22年国赛\复赛\misc\已解\xpxp\volatility_2.6_win64_standalone> .\volatility_2.6_win64_standalone.exe -f xpxp.raw --profile=WinXPSP2x86 pslist
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x821b9830 System                    4      0     59      252 ------      0
0x81cc2020 smss.exe                540      4      3       19 ------      0 2022-05-20 03:06:37 UTC+0000
0x82013da0 csrss.exe               608    540     11      447      0      0 2022-05-20 03:06:40 UTC+0000
0x82012ca8 winlogon.exe            632    540     23      459      0      0 2022-05-20 03:06:40 UTC+0000
0x81c9dda0 services.exe            676    632     16      274      0      0 2022-05-20 03:06:41 UTC+0000
0x820eb1c8 lsass.exe               688    632     24      356      0      0 2022-05-20 03:06:41 UTC+0000
0x81f4eda0 vmacthlp.exe            900    676      1       25      0      0 2022-05-20 03:06:41 UTC+0000
0x81fe7240 svchost.exe             916    676     19      198      0      0 2022-05-20 03:06:41 UTC+0000
0x81e1dda0 svchost.exe             996    676      9      274      0      0 2022-05-20 03:06:41 UTC+0000
0x81dc5da0 svchost.exe            1136    676     66     1215      0      0 2022-05-20 03:06:41 UTC+0000
0x820f4020 svchost.exe            1184    676      5       67      0      0 2022-05-20 03:06:41 UTC+0000
0x81ec87e8 svchost.exe            1236    676     15      196      0      0 2022-05-20 03:06:42 UTC+0000
0x81d24c10 spoolsv.exe            1532    676     14      130      0      0 2022-05-20 03:06:44 UTC+0000
0x81ca5da0 explorer.exe           1808   1748     17      448      0      0 2022-05-20 03:06:54 UTC+0000
0x82102c18 rundll32.exe           1936   1808      4       78      0      0 2022-05-20 03:06:55 UTC+0000
0x81ff5da0 vmtoolsd.exe           1944   1808      5      202      0      0 2022-05-20 03:06:55 UTC+0000
0x81d7e448 ctfmon.exe             1952   1808      1      110      0      0 2022-05-20 03:06:55 UTC+0000
0x820ad378 msmsgs.exe             1980   1808      5      162      0      0 2022-05-20 03:06:55 UTC+0000
0x820ac470 svchost.exe             212    676      5       87      0      0 2022-05-20 03:07:00 UTC+0000
0x81c10228 VGAuthService.e         328    676      2       60      0      0 2022-05-20 03:07:00 UTC+0000
0x81f8b410 vmtoolsd.exe            512    676      9      261      0      0 2022-05-20 03:07:08 UTC+0000
0x821022e0 wmiprvse.exe           1108    916     13      241      0      0 2022-05-20 03:07:08 UTC+0000
0x820c8660 wscntfy.exe            1572   1136      1       39      0      0 2022-05-20 03:07:08 UTC+0000
0x81d41da0 alg.exe                1416    676      7      104      0      0 2022-05-20 03:07:09 UTC+0000
0x81da1da0 wordpad.exe             244   1808      2      100      0      0 2022-05-20 03:07:09 UTC+0000
0x81fedda0 notepad.exe             236   1808      1       50      0      0 2022-05-20 03:07:14 UTC+0000
0x81f33508 mspaint.exe             680   1808      5      120      0      0 2022-05-20 03:07:36 UTC+0000
0x820134b8 svchost.exe            1096    676      8      132      0      0 2022-05-20 03:07:36 UTC+0000
0x81ecb2c0 wuauclt.exe             404   1136      8      173      0      0 2022-05-20 03:07:53 UTC+0000
0x81d5dda0 notepad.exe             372    528      1       50      0      0 2022-05-20 03:08:03 UTC+0000
0x81c12da0 wuauclt.exe             752   1136      5      139      0      0 2022-05-20 03:08:08 UTC+0000
0x8211e438 notepad.exe             132   1808      1       50      0      0 2022-05-20 03:08:08 UTC+0000
0x8207b020 notepad.exe            2060   1808      1       50      0      0 2022-05-20 03:08:18 UTC+0000
0x81ca27f0 DumpIt.exe             2304   1808      1       29      0      0 2022-05-20 03:09:00 UTC+0000
0x81ffc6e8 conime.exe             2316   2304      1       38      0      0 2022-05-20 03:09:00 UTC+0000
```

Four notepad.exe instances are alive (PIDs 236, 372, 132 and 2060), next to wordpad.exe, mspaint.exe and the acquisition tool DumpIt.exe (PID 2304, started 03:09:00, so the image was captured within a minute of the last note being opened). Volatility 2's notepad plugin recovers the text still held in each notepad.exe heap; note that this plugin only supports XP/2003 profiles, which fits this image:

```
PS D:\CTF\22年国赛\复赛\misc\已解\xpxp\volatility_2.6_win64_standalone> .\volatility_2.6_win64_standalone.exe -f xpxp.raw --profile=WinXPSP2x86 notepad
Volatility Foundation Volatility Framework 2.6
Process: 236
Text:
?

Text:
d

Text:


Text:
?

Text:
??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

Process: 372
Text:
?

Text:
d

Text:


Text:
?

Text:
f = open('./flag.zip', 'rb').read()
new = open('./fffflllaag.dat', 'ab')

letter = ''
secret = int(letter,16)
print(secret)
for i in f:
n = int(i) ^ secret
new.write(int(n).to_bytes(1, 'big'))

Process: 132
Text:
?

Text:
d

Text:


Text:
?

Text:
According to Homer's epic, the hero Achilles is the precious son of the mortal Polus and the beautiful fairy Thetis.
It is said that her mother Tethys carried him upside down into the Styx river when he was just born, so that he could be invulnerable.
Unfortunately, due to the rapid flow of the Ming River, his mother didn't dare to let go of his heel.
The heel held by his mother was accidentally exposed outside the water, so the heel was the most vulnerable place, leaving the only "dead hole" in his body, so he buried the disaster.
When he grew up, Achilles fought bravely. When he went to attack the city of Troy (the story of Trojan horse slaughtering the city), the brave Achilles singled out the Trojan general Hector, killed him and dragged his body to demonstrate.
But later, after conquering Troy, Achilles was attacked by an arrow by Hector's brother-in-law Paris and hit his ankle - the hero fell to the ground and died at the moment of shaking.
ankle, ankle, I love ankle.The password is ??k1eAn???

Process: 2060
Text:
?

Text:
d

Text:


Text:
?

Text:
???????????????????????????????XOR?EOR????????????????????????????????letter?????????????????????????
```

Extracting the key information (the `?` runs are non-ASCII text the plugin could not render; the process 2060 note evidently talks about XOR and the `letter` variable):

The script recovered from notepad PID 372, with its indentation restored and comments added. `letter` is blank in the dump: the hex key string is the one thing the challenge withholds.

```python
f = open('./flag.zip', 'rb').read()          # original archive, read as bytes
new = open('./fffflllaag.dat', 'ab')         # output file, opened for append

letter = ''                                  # hex string of the key, left empty in the note
secret = int(letter, 16)                     # XOR key; must stay below 0x100 or to_bytes(1, ...) fails
print(secret)
for i in f:                                  # iterating over bytes yields ints
    n = int(i) ^ secret                      # XOR every byte with the same key
    new.write(int(n).to_bytes(1, 'big'))     # one output byte per input byte
new.close()
```

The password hint, from notepad PID 132:

```
ankle, ankle, I love ankle.The password is ??k1eAn???
```

The script names two important files: ./flag.zip (the original archive) and **./fffflllaag.dat** (the XORed output).

Search the file objects cached in memory for them:

```
PS D:\CTF\22年国赛\复赛\misc\已解\xpxp\volatility_2.6_win64_standalone> .\volatility_2.6_win64_standalone.exe -f xpxp.raw --profile=WinXPSP2x86 filescan | findstr flag
Volatility Foundation Volatility Framework 2.6
0x000000000240cad8      1      0 R--rw- \Device\HarddiskVolume1\Documents and Settings\All Users\Documents\flagData.zip
```

That turns up one flag-related file, flagData.zip.

Dump it, passing the physical offset from filescan to dumpfiles with -Q:

```
PS D:\CTF\22年国赛\复赛\misc\已解\xpxp\volatility_2.6_win64_standalone> .\volatility_2.6_win64_standalone.exe -f xpxp.raw --profile=WinXPSP2x86 dumpfiles -Q 0x000000000240cad8 -D ./
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x0240cad8   None   \Device\HarddiskVolume1\Documents and Settings\All Users\Documents\flagData.zip
```

This produces a .dat file (dumpfiles names it file.None.0x81d20978.dat after the cache object it came from).

Carve it directly with foremost on Kali:

```
$ foremost file.None.0x81d20978.dat
Processing: file.None.0x81d20978.dat
|foundat=fffflllaag.dat <binary ZIP data omitted>
*|
```

foremost carves the ZIP archive hidden in the dumped .dat (the `foundat=fffflllaag.dat` line is the filename in the archive's local file header),

and extracting it gives us the fffflllaag.dat file.

From the recovered script we know the original file was a ZIP and that every byte of it was XORed with the same one-byte secret to produce the .dat. A single-byte XOR key falls to known plaintext immediately: the .dat begins with 5A 41, and every ZIP begins with the local file header signature 50 4B ("PK").

```
0x5A ^ 0x50 = 0x0A
0x41 ^ 0x4B = 0x0A
```

Both positions agree, so secret must be 0x0A.

Open the .dat in 010 Editor, XOR the whole file with 0x0A using its hex operations, and save the result with a .zip extension.

The resulting archive is genuinely encrypted, not merely "pseudo-encrypted" (an archive whose general-purpose flag bit 0 is set while the data is stored in the clear): it needs a password.
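The script below is an added example (my own code, not the author's nor anything from the challenge image). It reproduces the last two steps in code: the single-byte XOR key is recovered from the known "PK" header as a known-plaintext attack, the result is verified to start with a ZIP local file header signature, and the archive is then classified as plain, pseudo-encrypted or genuinely encrypted by clearing general-purpose flag bit 0 in every header and trying to inflate each member under its CRC-32. The function names, and the sample one-member ZIP it builds and XORs with 0x0A, are my constructions; the header offsets used to patch the flag word (6 in a local file header, 8 in a central directory entry) are from the ZIP specification.

```python
import io
import zipfile
import zlib

ZIP_MAGIC = b"PK\x03\x04"          # local file header signature that opens every ZIP


def recover_xor_key(ciphertext: bytes, known_plaintext: bytes) -> int:
    """Known-plaintext recovery of a single-byte XOR key.

    Every (ciphertext, plaintext) pair must yield the same key byte; if they
    disagree, the one-byte-key assumption made by the recovered script is wrong.
    """
    keys = {c ^ p for c, p in zip(ciphertext, known_plaintext)}
    if len(keys) != 1:
        raise ValueError("no single-byte key fits: " + ", ".join(hex(k) for k in sorted(keys)))
    return keys.pop()


def xor_bytes(data: bytes, key: int) -> bytes:
    """What the recovered script does: XOR each byte with the same key byte."""
    return bytes(b ^ key for b in data)


def decrypt_dat(dat: bytes) -> bytes:
    """Undo the script, using the first four bytes of the file as known plaintext."""
    key = recover_xor_key(dat[:4], ZIP_MAGIC)
    plain = xor_bytes(dat, key)
    if not plain.startswith(ZIP_MAGIC):
        raise ValueError("XOR with the recovered key did not yield a ZIP")
    return plain


def set_encryption_flag(zipbytes: bytes, value: bool) -> bytes:
    """Set or clear bit 0 of the general-purpose flag word in every local file
    header (flag word at offset 6) and central directory entry (offset 8).
    Signature scanning is fine for a small archive; a large one should be
    walked through the central directory so data bytes are never touched."""
    buf = bytearray(zipbytes)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            buf[pos + off] = (buf[pos + off] | 1) if value else (buf[pos + off] & 0xFE)
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


def classify_zip(zipbytes: bytes) -> str:
    """'plain': no member has the encryption bit set.
    'pseudo': the bit is set, but clearing it lets every member inflate with a good CRC.
    'encrypted': the bit is set and the member data really is ciphertext."""
    with zipfile.ZipFile(io.BytesIO(zipbytes)) as zf:
        if not any(info.flag_bits & 0x1 for info in zf.infolist()):
            return "plain"
    try:
        with zipfile.ZipFile(io.BytesIO(set_encryption_flag(zipbytes, False))) as zf:
            for info in zf.infolist():
                zf.read(info)            # raises on bad deflate data, CRC-32 mismatch or AES (method 99)
        return "pseudo"
    except (zipfile.BadZipFile, zlib.error, EOFError, NotImplementedError):
        return "encrypted"


def build_sample_dat() -> bytes:
    """Constructed test input (not the challenge file): a one-member ZIP, then
    XORed with 0x0A exactly as the recovered script would do."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("egg1.txt", "constructed sample, not the challenge data")
    return xor_bytes(buf.getvalue(), 0x0A)


if __name__ == "__main__":
    dat = build_sample_dat()
    print("key = 0x%02x" % recover_xor_key(dat[:2], b"PK"))
    print(classify_zip(decrypt_dat(dat)))
```

Checking all four signature bytes rather than just "PK" is cheap insurance: a key that matches on two bytes but not on the next two would mean the XOR was not single-byte, which the script's `to_bytes(1, ...)` call would also have ruled out.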

Based on the hint in notepad there are two ways to get the password.

Method 1

Run a mask attack with ARCHPR using the mask ??k1eAn??? from the hint.

It takes a long time, roughly half an hour, but it recovers the password:

Ank1eAnk1e

Method 2

??k1eAn??? looks very much like two "ankle"s joined together, with l replaced by 1 and a capital A, which gives the same answer:

Ank1eAnk1e
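An added example (my own code, not the author's tooling and not ARCHPR) of what method 1 does: expand the mask ??k1eAn??? into candidates and try each one against a ZipCrypto-protected archive. Python's zipfile performs the same two-stage check a cracker relies on, the one-byte verifier at the end of the 12-byte encryption header followed by the CRC-32 of the fully decrypted member, so a candidate passing both is the password. Because the standard library can only read, not write, encrypted ZIPs, the test archive is built here with a hand-written ZipCrypto encryptor following APPNOTE.TXT; the archive, its contents and the deliberately tiny charset are my constructions. A full alphanumeric charset over the five unknown positions is 62^5 (about 9.2 x 10^8) candidates, which is why the real ARCHPR run takes as long as it does.

```python
import io
import itertools
import struct
import zipfile
import zlib
from typing import Iterable, Optional

# ---- legacy PKWARE "ZipCrypto" stream cipher, the scheme ARCHPR attacks ----
_CRCTABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRCTABLE.append(_c)


class ZipCrypto:
    """Keystream generator from APPNOTE.TXT (traditional PKWARE encryption)."""

    def __init__(self, password: bytes):
        self.keys = [0x12345678, 0x23456789, 0x34567890]
        for p in password:
            self._update(p)

    def _update(self, c: int) -> None:
        k = self.keys
        k[0] = (k[0] >> 8) ^ _CRCTABLE[(k[0] ^ c) & 0xFF]
        k[1] = ((k[1] + (k[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k[2] = (k[2] >> 8) ^ _CRCTABLE[(k[2] ^ (k[1] >> 24)) & 0xFF]

    def encrypt(self, plaintext: bytes) -> bytes:
        out = bytearray()
        for p in plaintext:
            t = self.keys[2] | 2
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)              # key state advances on the plaintext byte
        return bytes(out)


def make_zipcrypto_zip(name: bytes, data: bytes, password: bytes) -> bytes:
    """Constructed test archive: one STORED member under ZipCrypto (flag bit 0 set).
    The 12-byte encryption header ends with the high byte of the CRC-32; that
    single byte is the only per-password check available before decrypting data."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    header = bytes(11) + bytes([crc >> 24])
    body = ZipCrypto(password).encrypt(header + data)
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, 1, 0, 0, 0x21,
                        crc, len(body), len(data), len(name), 0) + name
    central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, 1, 0, 0, 0x21,
                          crc, len(body), len(data), len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1,
                       len(central), len(local) + len(body), 0)
    return local + body + central + eocd


def mask_candidates(mask: str, charset: str) -> Iterable[str]:
    """ARCHPR-style mask: '?' is a wildcard over charset, every other character is fixed."""
    slots = [i for i, ch in enumerate(mask) if ch == "?"]
    template = list(mask)
    for combo in itertools.product(charset, repeat=len(slots)):
        for i, ch in zip(slots, combo):
            template[i] = ch
        yield "".join(template)


def crack_zip(zipbytes: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Try each candidate. zipfile rejects on the header check byte first
    (a 1-in-256 false positive rate), then on the CRC-32 of the decrypted member."""
    with zipfile.ZipFile(io.BytesIO(zipbytes)) as zf:
        info = zf.infolist()[0]
        if not info.flag_bits & 0x1:
            raise ValueError("member is not flagged as encrypted")
        for cand in candidates:
            try:
                zf.read(info, pwd=cand.encode())
                return cand
            except (RuntimeError, zipfile.BadZipFile, zlib.error, EOFError):
                continue
    return None


if __name__ == "__main__":
    archive = make_zipcrypto_zip(b"flag.txt", b"constructed sample, not the challenge data", b"Ank1eAnk1e")
    # Charset restricted to the characters of the hint so the demo finishes in seconds.
    print(crack_zip(archive, mask_candidates("??k1eAn???", "Ankle1")))
```

The restricted charset is the whole point of method 2: every character of the answer is already in the hint, so a human guess beats the exhaustive mask run by half an hour.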

Extracting the archive gives the flag:

```
The answer to egg1 is : You are the only weakness in my body
This is also the answer to flag
```

Submitting **flag{You are the only weakness in my body}** directly is wrong.

So we still need to find the question egg1 itself:

```
PS D:\CTF\22年国赛\复赛\misc\已解\xpxp\volatility_2.6_win64_standalone> .\volatility_2.6_win64_standalone.exe -f xpxp.raw --profile=WinXPSP2x86 filescan | findstr egg
Volatility Foundation Volatility Framework 2.6
0x00000000020273b8      1      0 R--rwd \Device\HarddiskVolume1\Program Files\xerox\egg4.txt
0x00000000020cb2b8      1      0 RW-rw- \Device\HarddiskVolume1\Documents and Settings\Administrator\Recent\egg4.lnk
0x0000000002137248      1      0 R--r-- \Device\HarddiskVolume1\Documents and Settings\Administrator\My Documents\egg1.rtf
0x000000000214c450      1      0 RW-rw- \Device\HarddiskVolume1\Documents and Settings\Administrator\Recent\egg5.lnk
0x00000000022c4d08      1      0 RW-rw- \Device\HarddiskVolume1\Documents and Settings\Administrator\Recent\egg1.lnk
0x000000000231e748      1      0 RW-rw- \Device\HarddiskVolume1\Documents and Settings\Administrator\Recent\egg3.lnk
0x000000000232d938      1      0 R--rwd \Device\HarddiskVolume1\Program Files\Messenger\egg5.txt
0x0000000002409e28      1      0 R--rwd \Device\HarddiskVolume1\Documents and Settings\Administrator\My Documents\My Pictures\egg3.bmp
0x000000000251c538      1      0 R--rwd \Device\HarddiskVolume1\Documents and Settings\Administrator\My Documents\My Music\egg2.txt
```

Dump egg1.rtf the same way (dumpfiles -Q with its offset 0x0000000002137248); the Recent\egg1.lnk entry and the running wordpad.exe show it was opened on the machine.

Open it in WordPad:

```
Do you know what the Chinese meaning of ankle is? flag is that.

Remember to convert the answer to a 32-bit lowercase MD5 value.
```

So that is it: the flag is the 32-character lowercase MD5 hash of the answer (the Chinese word for "ankle").

```
flag{47155018947fbed1987313fe2d02e0bb}
```
  • Title: xpxp
  • Author: 萧禾财
  • Created: 2022-07-31 12:52:42
  • Link: https://ipartmentxhc.github.io/2022/07/31/xpxp/
  • License: Unless stated otherwise, all posts on this blog are licensed under BY-NC-SA. Please credit the source when reposting.