Looking at the challenge, we are given a raw file. For this kind of challenge the memory-forensics tool Volatility is the usual choice.

Download it from the official site; version 3.0 is not recommended because it is still unstable.

I ran it on Windows, so all of the commands below are Windows commands.

First, identify the system profile:
```
PS D:\CTF\22年国赛\复赛\misc\已解\xpxp\volatility_2.6_win64_standalone> .\volatility_2.6_win64_standalone.exe -f xpxp.raw kdbgscan
Volatility Foundation Volatility Framework 2.6
**************************************************
Instantiating KDBG using: Kernel AS WinXPSP2x86 (5.1.0 32bit)
Offset (V)                    : 0x80546ae0
Offset (P)                    : 0x546ae0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): WinXPSP3x86
Version64                     : 0x80546ab8 (Major: 15, Minor: 2600)
Service Pack (CmNtCSDVersion) : 3
Build string (NtBuildLab)     : 2600.xpsp.080413-2111
PsActiveProcessHead           : 0x8055b158 (35 processes)
PsLoadedModuleList            : 0x80554fc0 (123 modules)
KernelBase                    : 0x804d8000 (Matches MZ: True)
Major (OptionalHeader)        : 5
Minor (OptionalHeader)        : 1
KPCR                          : 0xffdff000 (CPU 0)
**************************************************
Instantiating KDBG using: Kernel AS WinXPSP2x86 (5.1.0 32bit)
Offset (V)                    : 0x80546ae0
Offset (P)                    : 0x546ae0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): WinXPSP2x86
Version64                     : 0x80546ab8 (Major: 15, Minor: 2600)
Service Pack (CmNtCSDVersion) : 3
Build string (NtBuildLab)     : 2600.xpsp.080413-2111
PsActiveProcessHead           : 0x8055b158 (35 processes)
PsLoadedModuleList            : 0x80554fc0 (123 modules)
KernelBase                    : 0x804d8000 (Matches MZ: True)
Major (OptionalHeader)        : 5
Minor (OptionalHeader)        : 1
KPCR                          : 0xffdff000 (CPU 0)
```
The system is most likely WinXPSP2x86. Next, list the running processes:
```
PS D:\CTF\22年国赛\复赛\misc\已解\xpxp\volatility_2.6_win64_standalone> .\volatility_2.6_win64_standalone.exe -f xpxp.raw --profile=WinXPSP2x86 pslist
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x821b9830 System                    4      0     59      252 ------      0
0x81cc2020 smss.exe                540      4      3       19 ------      0 2022-05-20 03:06:37 UTC+0000
0x82013da0 csrss.exe               608    540     11      447      0      0 2022-05-20 03:06:40 UTC+0000
0x82012ca8 winlogon.exe            632    540     23      459      0      0 2022-05-20 03:06:40 UTC+0000
0x81c9dda0 services.exe            676    632     16      274      0      0 2022-05-20 03:06:41 UTC+0000
0x820eb1c8 lsass.exe               688    632     24      356      0      0 2022-05-20 03:06:41 UTC+0000
0x81f4eda0 vmacthlp.exe            900    676      1       25      0      0 2022-05-20 03:06:41 UTC+0000
0x81fe7240 svchost.exe             916    676     19      198      0      0 2022-05-20 03:06:41 UTC+0000
0x81e1dda0 svchost.exe             996    676      9      274      0      0 2022-05-20 03:06:41 UTC+0000
0x81dc5da0 svchost.exe            1136    676     66     1215      0      0 2022-05-20 03:06:41 UTC+0000
0x820f4020 svchost.exe            1184    676      5       67      0      0 2022-05-20 03:06:41 UTC+0000
0x81ec87e8 svchost.exe            1236    676     15      196      0      0 2022-05-20 03:06:42 UTC+0000
0x81d24c10 spoolsv.exe            1532    676     14      130      0      0 2022-05-20 03:06:44 UTC+0000
0x81ca5da0 explorer.exe           1808   1748     17      448      0      0 2022-05-20 03:06:54 UTC+0000
0x82102c18 rundll32.exe           1936   1808      4       78      0      0 2022-05-20 03:06:55 UTC+0000
0x81ff5da0 vmtoolsd.exe           1944   1808      5      202      0      0 2022-05-20 03:06:55 UTC+0000
0x81d7e448 ctfmon.exe             1952   1808      1      110      0      0 2022-05-20 03:06:55 UTC+0000
0x820ad378 msmsgs.exe             1980   1808      5      162      0      0 2022-05-20 03:06:55 UTC+0000
0x820ac470 svchost.exe             212    676      5       87      0      0 2022-05-20 03:07:00 UTC+0000
0x81c10228 VGAuthService.e         328    676      2       60      0      0 2022-05-20 03:07:00 UTC+0000
0x81f8b410 vmtoolsd.exe            512    676      9      261      0      0 2022-05-20 03:07:08 UTC+0000
0x821022e0 wmiprvse.exe           1108    916     13      241      0      0 2022-05-20 03:07:08 UTC+0000
0x820c8660 wscntfy.exe            1572   1136      1       39      0      0 2022-05-20 03:07:08 UTC+0000
0x81d41da0 alg.exe                1416    676      7      104      0      0 2022-05-20 03:07:09 UTC+0000
0x81da1da0 wordpad.exe             244   1808      2      100      0      0 2022-05-20 03:07:09 UTC+0000
0x81fedda0 notepad.exe             236   1808      1       50      0      0 2022-05-20 03:07:14 UTC+0000
0x81f33508 mspaint.exe             680   1808      5      120      0      0 2022-05-20 03:07:36 UTC+0000
0x820134b8 svchost.exe            1096    676      8      132      0      0 2022-05-20 03:07:36 UTC+0000
0x81ecb2c0 wuauclt.exe             404   1136      8      173      0      0 2022-05-20 03:07:53 UTC+0000
0x81d5dda0 notepad.exe             372    528      1       50      0      0 2022-05-20 03:08:03 UTC+0000
0x81c12da0 wuauclt.exe             752   1136      5      139      0      0 2022-05-20 03:08:08 UTC+0000
0x8211e438 notepad.exe             132   1808      1       50      0      0 2022-05-20 03:08:08 UTC+0000
0x8207b020 notepad.exe            2060   1808      1       50      0      0 2022-05-20 03:08:18 UTC+0000
0x81ca27f0 DumpIt.exe             2304   1808      1       29      0      0 2022-05-20 03:09:00 UTC+0000
0x81ffc6e8 conime.exe             2316   2304      1       38      0      0 2022-05-20 03:09:00 UTC+0000
```
We can see that notepad (Notepad) was used, so dump the text held by the notepad processes:
```
PS D:\CTF\22年国赛\复赛\misc\已解\xpxp\volatility_2.6_win64_standalone> .\volatility_2.6_win64_standalone.exe -f xpxp.raw --profile=WinXPSP2x86 notepad
Volatility Foundation Volatility Framework 2.6
Process: 236
Text:
?
Text:
d
Text:

Text:
?
Text:
??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
Process: 372
Text:
?
Text:
d
Text:

Text:
?
Text:
f = open('./flag.zip', 'rb').read()
new = open('./fffflllaag.dat', 'ab')
letter = ''
secret = int(letter,16)
print(secret)
for i in f:
    n = int(i) ^ secret
    new.write(int(n).to_bytes(1, 'big'))
Process: 132
Text:
?
Text:
d
Text:

Text:
?
Text:
According to Homer's epic, the hero Achilles is the precious son of the mortal Polus and the beautiful fairy Thetis. It is said that her mother Tethys carried him upside down into the Styx river when he was just born, so that he could be invulnerable. Unfortunately, due to the rapid flow of the Ming River, his mother didn't dare to let go of his heel. The heel held by his mother was accidentally exposed outside the water, so the heel was the most vulnerable place, leaving the only "dead hole" in his body, so he buried the disaster. When he grew up, Achilles fought bravely. When he went to attack the city of Troy (the story of Trojan horse slaughtering the city), the brave Achilles singled out the Trojan general Hector, killed him and dragged his body to demonstrate. But later, after conquering Troy, Achilles was attacked by an arrow by Hector's brother-in-law Paris and hit his ankle - the hero fell to the ground and died at the moment of shaking. ankle, ankle, I love ankle.The password is ??k1eAn???
Process: 2060
Text:
?
Text:
d
Text:

Text:
?
Text:
???????????????????????????????XOR?EOR????????????????????????????????letter?????????????????????????
```
Pull out the key information:

```python
# probably Python code
f = open('./flag.zip', 'rb').read()
new = open('./fffflllaag.dat', 'ab')
letter = ''
secret = int(letter,16)
print(secret)
for i in f:
    n = int(i) ^ secret
    new.write(int(n).to_bytes(1, 'big'))

# password hint
# ankle, ankle, I love ankle.The password is ??k1eAn???
```
The notepad text mentions two important files: ./flag.zip and **./fffflllaag.dat**.

Let's search for them:
```
PS D:\CTF\22年国赛\复赛\misc\已解\xpxp\volatility_2.6_win64_standalone> .\volatility_2.6_win64_standalone.exe -f xpxp.raw --profile=WinXPSP2x86 filescan | findstr flag
Volatility Foundation Volatility Framework 2.6
0x000000000240cad8      1      0 R--rw- \Device\HarddiskVolume1\Documents and Settings\All Users\Documents\flagData.zip
```
We found one file related to the flag.

Extract it:
```
PS D:\CTF\22年国赛\复赛\misc\已解\xpxp\volatility_2.6_win64_standalone> .\volatility_2.6_win64_standalone.exe -f xpxp.raw --profile=WinXPSP2x86 dumpfiles -Q 0x000000000240cad8 -D ./
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x0240cad8   None   \Device\HarddiskVolume1\Documents and Settings\All Users\Documents\flagData.zip
```
This gives us a .dat file.

Run foremost on it directly in Kali:
```
$ foremost file.None.0x81d20978.dat
Processing: file.None.0x81d20978.dat
|foundat=fffflllaag.dat (binary data follows)
*|
```
This recovers the zip archive hidden inside the dat file.

We can then see the fffflllaag.dat file.

From the Python code we recovered, the original file should be a zip: XORing the zip with secret produced the dat file.

The dat file starts with 5A 41, and a zip file's header is 50 4B.
```
0x5A ^ 0x50 = 0x0A
0x41 ^ 0x4B = 0x0A
```
So secret should be 0x0A.

Open the dat file in 010 Editor.

After XORing, change the file extension to zip.

It is not pseudo-encryption; the archive genuinely requires a password.

Based on the hint in the notepad text, there are two ways to obtain the password.
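As an added example (not code from the original writeup), this Python script automates the header comparison and XOR reversal described above: it derives the single-byte key from the zip magic, refuses to guess if the header bytes disagree, undoes the XOR, and checks that the result really parses as a zip. The dat bytes it works on are constructed inline to mimic fffflllaag.dat.

```python
# Added example: recover the one-byte XOR key from the known zip magic and undo it.
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # local file header signature of a zip archive


def recover_xor_key(data: bytes, magic: bytes = ZIP_MAGIC) -> int:
    """Derive the key from the first bytes and the expected magic.

    Every header byte must agree on the same key; otherwise the
    single-byte XOR hypothesis is wrong and we refuse to guess.
    """
    if len(data) < len(magic):
        raise ValueError("input shorter than the expected magic")
    keys = {data[i] ^ magic[i] for i in range(len(magic))}
    if len(keys) != 1:
        raise ValueError(f"header bytes disagree on the key: {sorted(keys)}")
    return keys.pop()


def unxor(data: bytes, key: int) -> bytes:
    """XOR every byte with the same key (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def recover_zip(dat: bytes) -> bytes:
    """Undo the notepad script's transform and confirm the output is a zip."""
    key = recover_xor_key(dat)
    plain = unxor(dat, key)
    if not zipfile.is_zipfile(io.BytesIO(plain)):
        raise ValueError("decoded bytes are not a valid zip archive")
    return plain


def build_sample_dat() -> bytes:
    """Constructed input: a tiny zip XORed with 0x0A, standing in for fffflllaag.dat."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("flag.txt", "constructed sample, not the real flag")
    return unxor(buf.getvalue(), 0x0A)


if __name__ == "__main__":
    sample = build_sample_dat()
    print(f"dat header: {sample[:2].hex()}  key: {recover_xor_key(sample):#04x}")
    recovered = recover_zip(sample)
    print(zipfile.ZipFile(io.BytesIO(recovered)).namelist())
```

For the real capture, read fffflllaag.dat into `recover_zip` and write the returned bytes out with a .zip extension.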
Method 1: mask brute force with ARCHPR

It takes a long time, roughly half an hour, but it recovers the password:

Ank1eAnk1e
Method 2: guess

??k1eAn??? looks very much like two "ankle"s joined together:

Ank1eAnk1e
We get the flag:

```
The answer to egg1 is : You are the only weakness in my body
This is also the answer to flag
```

Submitting **flag{You are the only weakness in my body}** directly is wrong.

So we still need to find the egg1 question.
```
PS D:\CTF\22年国赛\复赛\misc\已解\xpxp\volatility_2.6_win64_standalone> .\volatility_2.6_win64_standalone.exe -f xpxp.raw --profile=WinXPSP2x86 filescan | findstr egg
Volatility Foundation Volatility Framework 2.6
0x00000000020273b8      1      0 R--rwd \Device\HarddiskVolume1\Program Files\xerox\egg4.txt
0x00000000020cb2b8      1      0 RW-rw- \Device\HarddiskVolume1\Documents and Settings\Administrator\Recent\egg4.lnk
0x0000000002137248      1      0 R--r-- \Device\HarddiskVolume1\Documents and Settings\Administrator\My Documents\egg1.rtf
0x000000000214c450      1      0 RW-rw- \Device\HarddiskVolume1\Documents and Settings\Administrator\Recent\egg5.lnk
0x00000000022c4d08      1      0 RW-rw- \Device\HarddiskVolume1\Documents and Settings\Administrator\Recent\egg1.lnk
0x000000000231e748      1      0 RW-rw- \Device\HarddiskVolume1\Documents and Settings\Administrator\Recent\egg3.lnk
0x000000000232d938      1      0 R--rwd \Device\HarddiskVolume1\Program Files\Messenger\egg5.txt
0x0000000002409e28      1      0 R--rwd \Device\HarddiskVolume1\Documents and Settings\Administrator\My Documents\My Pictures\egg3.bmp
0x000000000251c538      1      0 R--rwd \Device\HarddiskVolume1\Documents and Settings\Administrator\My Documents\My Music\egg2.txt
```
Dump the egg1.rtf file.

Open it in WordPad:
```
Do you know what the Chinese meaning of ankle is?
flag is that.
Remember to convert the answer to a 32-bit lowercase MD5 value.
```
So that's it: hash the answer with MD5 (32-character lowercase).

```
flag{47155018947fbed1987313fe2d02e0bb}
```