WangRen Cup (网刃杯) replay: Misc + packet captures
Sign-in
cipher.txt
U2FsdGVkX1+WTSHujcCjvHj/gcwL0C7u37XtW4idGcpci3H913I=
Anything starting with U2F... points to AES, DES or one of that family of passphrase ciphers.
flag.txt turns out to consist of zero-width characters.
Compute the MD5 of the file:
f71b6b842d2f0760c3ef74911ffc7fdb
Testing shows the cipher is Rabbit; decrypting yields the flag.
mspaint
Take a look at iehistory:
key.png and a Baidu Netdisk link turn up.
```shell
volatility -f mspaint.raw --profile=Win7SP1x64 filescan | grep key.png
volatility -f mspaint.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003e96e7d0 -D ./
```
This gives the Baidu Netdisk password.
Inside is an encrypted archive, which still needs a key.
Screenshots come to mind:
```shell
volatility -f mspaint.raw --profile=Win7SP1x64 screenshot -D ./
```
This produces a key, but it is not the archive password.
th1s_1s_th3_k3y
While looking at the process list there is a dumpit.exe; dump that process:
```shell
volatility -f mspaint.raw --profile=Win7SP1x64 memdump -p 1064 -D ./
```
Adjust the parameters, and the archive's extraction password comes out:
q2A!~R%8
What follows was a solo performance by our team's RE player.
Convert flag.exe into flag.pyc.
This appears in the extracted folder:
Fix the file header so it is a valid pyc.
```python
key = 'xxxxxxxxxxxxxxx'
flag = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
data = ''
for i in range(0, len(flag)):
    data += hex(ord(flag[i]) ^ ord(key[(i % 15)]))[2:].zfill(2)
else:
    print(data.upper())
# the hex string the real binary prints
data = '12045014240343684450506E5E1E1C165D045E6B52113C5951006F091E4F4C0C54426A52466A165B0122'
```
The key here is 15 characters: it is the th1s_1s_th3_k3y from that screenshot.
Write the decryption script:
```python
key = 'th1s_1s_th3_k3y'
flag = ''
data = '12045014240343684450506E5E1E1C165D045E6B52113C5951006F091E4F4C0C54426A52466A165B0122'
data_list = []
for i in range(0, len(data), 2):
    data_list.append('0x' + data[i:i+2])
print(data_list)
for i in range(0, len(data_list)):
    flag += chr(int(data_list[i], 16) ^ ord(key[(i % 15)]))
print(flag)
```
flag{20708c15-eb55-4cbc-930b-68de15c55b32}
The secret hidden in S7
Challenge description: a factory's security appliance captured packets of an attacker writing malicious data to a PLC. Can you analyse them and find the hidden data?
Opening the attachment, the capture is corrupted and won't load; opening it in 010 Editor shows the file header was modified, so repairing it with pcapfix is enough.
Once it opens, following the TCP stream reveals a PNG image.
After saving it, only half of the image is visible.
Clearly the hex data is incomplete, and since I hadn't worked with many packet captures, my train of thought stopped here. After the contest I read a senior player's writeup: the thing to look at is s7comm, the protocol that appears most often in this capture.
First use the filter bar at the top to show only this protocol.
Looking through the stream, the packet lengths differ in places: the first packet of length 541 contains the PNG file header, and the last packet of length 329 contains the PNG trailer.
Taking the export of the first part as an example:
Select Data -> Show Packet Bytes
Click the lower-left selector and switch to Raw
Select the bytes, then Ctrl+Shift+V in 010 Editor to paste them in and save. Append each chunk of data in order.
After saving, the CRC check reports an error, which means the width/height were modified; fixing the height yields the flag.
flag{FSfeQefjg}
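The CRC error is the tell: the IHDR chunk's CRC is computed over the chunk type and data, so editing the height without updating the CRC leaves a mismatch, and the original height can be recovered by searching for the value that reproduces the stored CRC. As an added example (not code from the writeup), the Python below reads the IHDR, checks the CRC, and recovers the height; make_ihdr and set_height are constructed helpers that fabricate the tampered input so the script runs offline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def make_ihdr(width, height, bit_depth=8, color_type=2):
    """Build a PNG signature plus a correct IHDR chunk (constructed helper for test
    input; a real file continues with IDAT/IEND, which this check never needs)."""
    data = struct.pack(">IIBBBBB", width, height, bit_depth, color_type, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + data) & 0xFFFFFFFF
    return PNG_SIG + struct.pack(">I", len(data)) + b"IHDR" + data + struct.pack(">I", crc)


def set_height(png, height):
    """Overwrite the IHDR height field without touching the stored CRC,
    which is exactly the edit the challenge author made."""
    return png[:20] + struct.pack(">I", height) + png[24:]


def read_ihdr(png):
    """Return (width, height, stored_crc, crc_ok) from the first chunk."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG: bad signature")
    length, ctype = struct.unpack(">I4s", png[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a valid IHDR")
    data = png[16:29]
    stored_crc = struct.unpack(">I", png[29:33])[0]
    width, height = struct.unpack(">II", data[:8])
    crc_ok = (zlib.crc32(b"IHDR" + data) & 0xFFFFFFFF) == stored_crc
    return width, height, stored_crc, crc_ok


def recover_height(png, max_height=20000):
    """When the IHDR CRC fails, search for the height that reproduces the stored CRC.
    Returns the recovered height, the current height if the CRC already matches,
    or None if no height in range fits (then the width or another field was edited)."""
    width, height, stored_crc, crc_ok = read_ihdr(png)
    if crc_ok:
        return height
    tail = png[24:29]  # bit depth, colour type, compression, filter, interlace
    for h in range(1, max_height + 1):
        data = struct.pack(">II", width, h) + tail
        if (zlib.crc32(b"IHDR" + data) & 0xFFFFFFFF) == stored_crc:
            return h
    return None


def fix_height(png):
    """Return the PNG with its height restored, or raise if the CRC matches no height."""
    h = recover_height(png)
    if h is None:
        raise ValueError("stored IHDR CRC matches no height; check the width instead")
    return set_height(png, h)


if __name__ == "__main__":
    original = make_ihdr(640, 480)
    tampered = set_height(original, 240)  # constructed: the lower half is hidden
    print(read_ihdr(tampered))            # CRC mismatch
    print(recover_height(tampered))       # 480
```

To use it on the reassembled file, read the bytes from disk, call fix_height, and write the result back; image viewers that tolerate a bad CRC will show the cropped image, which is why the writeup only saw half of it.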
The seasoned hacker
Challenge description: a hacker has compromised a nuclear plant and gained control of an operator station that controls the centrifuge speed. When the centrifuge speed stays above 5000 the equipment is damaged, so to protect it the operator station automatically limits the speed when it detects a reading above 5000. But this hacker is very experienced: after modifying the speed, he also deceived the operator station so that it read a wrong speed value. Can you find the speed value the hacker set and the wrong speed value the operator station read? (flag format: flag{modified speed + wrongly read speed}, values in hexadecimal)
Inspection shows the speed value is carried in the Modbus data field.
5000 in hex is 1388, so just find the packets whose data exceeds 1388 and look at the value.
Use the filter:
modbus.data>1338
So the first part of the flag is 22b8.
The description also says the speed was modified, so scroll down to the last few read packets: one contains 4500, which is 1194 in hex, and that must be the altered speed reading.
flag{22b81194}
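The two halves of the flag come from two different Modbus functions: the value the attacker wrote (function code 6, write single register) and the value the station was shown afterwards (function code 3, read holding registers response). As an added example (not code from the writeup), the Python below parses Modbus/TCP frames, applies the same "above 0x1388" threshold the display filter does, and pairs each register's last write with its last read-back so a write above the limit that reads back below it stands out. The frames in SAMPLE are constructed, not taken from the challenge pcap.

```python
import struct

SPEED_LIMIT = 5000  # the challenge's damage threshold, 0x1388


def build_frame(tid, unit, fc, payload):
    """Assemble a Modbus/TCP frame: MBAP header (transaction id, protocol id 0,
    length of what follows, unit id) then the PDU (function code + payload)."""
    body = bytes([unit, fc]) + payload
    return struct.pack(">HHH", tid, 0, len(body)) + body


def parse_frame(frame):
    """Parse one Modbus/TCP frame into its header fields and PDU payload."""
    if len(frame) < 8:
        raise ValueError("frame too short")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    return {"tid": tid, "unit": unit, "fc": frame[7], "pdu": frame[8:]}


def register_values(msg, is_response, start=0):
    """16-bit register values carried by the PDU as (address, value) pairs.
    FC 6 (write single register) carries address+value in both directions;
    an FC 3 (read holding registers) response carries byte count + values,
    addressed relative to the start register of the matching request."""
    fc, pdu = msg["fc"], msg["pdu"]
    if fc == 6:
        return [struct.unpack(">HH", pdu[:4])]
    if fc == 3 and is_response:
        count = pdu[0]
        vals = struct.unpack(">%dH" % (count // 2), pdu[1:1 + count])
        return [(start + i, v) for i, v in enumerate(vals)]
    return []


def overspeed_writes(frames):
    """Every FC 6 write request above SPEED_LIMIT: what the display filter finds by hand."""
    hits = []
    for frame, is_response in frames:
        msg = parse_frame(frame)
        if msg["fc"] == 6 and not is_response:
            for addr, value in register_values(msg, False):
                if value > SPEED_LIMIT:
                    hits.append((addr, value))
    return hits


def written_vs_read(frames):
    """For each register: (last value written by FC 6, last value reported by FC 3)."""
    written, read, pending = {}, {}, {}
    for frame, is_response in frames:
        msg = parse_frame(frame)
        if msg["fc"] == 3 and not is_response:
            pending[msg["tid"]] = struct.unpack(">H", msg["pdu"][:2])[0]
        for addr, value in register_values(msg, is_response, pending.get(msg["tid"], 0)):
            if msg["fc"] == 6 and not is_response:
                written[addr] = value
            elif msg["fc"] == 3:
                read[addr] = value
    return {a: (written.get(a), read.get(a)) for a in set(written) | set(read)}


def spoofed_registers(frames):
    """Registers written above the limit but read back at or below it:
    the spoofed-feedback pattern the challenge text describes."""
    return {a: wr for a, wr in written_vs_read(frames).items()
            if wr[0] is not None and wr[1] is not None
            and wr[0] > SPEED_LIMIT >= wr[1]}


# constructed sample traffic: the speed register (address 0) is written to
# 0x22b8 = 8888, then a poll reads it back as 0x1194 = 4500
SAMPLE = [
    (build_frame(1, 1, 6, struct.pack(">HH", 0, 0x22B8)), False),          # write request
    (build_frame(1, 1, 6, struct.pack(">HH", 0, 0x22B8)), True),           # write echo
    (build_frame(2, 1, 3, struct.pack(">HH", 0, 1)), False),               # read 1 register from 0
    (build_frame(2, 1, 3, bytes([2]) + struct.pack(">H", 0x1194)), True),  # read response
]

if __name__ == "__main__":
    print(overspeed_writes(SAMPLE))
    for addr, (w, r) in spoofed_registers(SAMPLE).items():
        print("register %d written %#x, read back %#x -> %x%x" % (addr, w, r, w, r))
```

On a real capture the frames would come from the TCP payloads of port 502 traffic, with is_response decided by direction; the comparison logic is unchanged.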
baby-usb
In the USB traffic, find the packets that carry data; they are 8 bytes long, so it is probably keyboard traffic.
So grab a keyboard-traffic script and run the data through it.
Running the script directly printed nothing, so first extract the data with tshark:
```shell
tshark -r key.pcapng -T fields -e usb.capdata | sed '/^\s*$/d' > fileaaa.txt
```
After tweaking the script there was output:
```python
import os, sys

normalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e","09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j","0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o","13":"p", "14":"q", "15":"r", "16":"s", "17":"t","18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y","1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4","22":"5", "23":"6","24":"7","25":"8","26":"9","27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\","32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".","38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
shiftKeys = {"04":"A", "05":"B", "06":"C", "07":"D", "08":"E","09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J","0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O","13":"P", "14":"Q", "15":"R", "16":"S", "17":"T","18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y","1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$","22":"%", "23":"^","24":"&","25":"*","26":"(","27":")","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":"\"","34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}

#pcapFilePath = sys.argv[1]
#os.system("tshark -r "+pcapFilePath+" -T fields -e usb.capdata | sed '/^\s*$/d' > out.txt")
output = []
keys = open('out.txt')
for line in keys:
    # newer tshark prints usb.capdata without colons; rebuild the aa:bb:cc:... form the checks below expect
    line = ''.join(line[i:i+2] + ':' for i in range(0, len(line) - 1, 2)).strip(':')
    try:
        # keep only reports with no modifier other than Shift (byte 0 is 00 or 02), a single key in byte 2, and bytes 3-7 empty
        if line[0] != '0' or (line[1] != '0' and line[1] != '2') or line[3] != '0' or line[4] != '0' or line[9] != '0' or line[10] != '0' or line[12] != '0' or line[13] != '0' or line[15] != '0' or line[16] != '0' or line[18] != '0' or line[19] != '0' or line[21] != '0' or line[22] != '0' or line[6:8] == "00":
            continue
        if line[6:8] in normalKeys.keys():
            # pick the shifted table when the modifier byte is 02
            output += [[normalKeys[line[6:8]]], [shiftKeys[line[6:8]]]][line[1] == '2']
        else:
            output += ['[unknown]']
    except:
        pass
keys.close()
flag = 0
#print("".join(output))
# apply each <DEL> by removing it together with the character before it
for i in range(len(output)):
    try:
        a = output.index('<DEL>')
        del output[a]
        del output[a-1]
    except:
        pass
# toggle Caps Lock: upper-case everything between one <CAP> and the next
for i in range(len(output)):
    try:
        if output[i] == "<CAP>":
            flag += 1
            output.pop(i)
            if flag == 2:
                flag = 0
        if flag != 0:
            output[i] = output[i].upper()
    except:
        pass
print('output :' + "".join(output))
os.system("rm -rf out.txt")
```
output :congratulationsonfindingmebutiwillnottellyouwherethepasswordofworddocumentisgoandfinditagain
At this point I was out of ideas; I tried all sorts of things, and only after the contest did I find the approach was wrong.
Borrowing the script from 盖乐希 (a fellow player):
```python
normalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e","09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j","0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o","13":"p", "14":"q", "15":"r", "16":"s", "17":"t","18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y","1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4","22":"5", "23":"6","24":"7","25":"8","26":"9","27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\","32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".","38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
shiftKeys = {"04":"A", "05":"B", "06":"C", "07":"D", "08":"E","09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J","0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O","13":"P", "14":"Q", "15":"R", "16":"S", "17":"T","18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y","1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$","22":"%", "23":"^","24":"&","25":"*","26":"(","27":")","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":"\"","34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}

output = []
keys = open('filebbb.txt')
for line in keys:
    try:
        if line[0] != '0' or (line[1] != '0' and line[1] != '2') or line[3] != '0' or line[4] != '0' or line[9] != '0' or line[10] != '0' or line[12] != '0' or line[13] != '0' or line[15] != '0' or line[16] != '0' or line[18] != '0' or line[19] != '0' or line[21] != '0' or line[22] != '0' or line[6:8] == "00":
            continue
        if line[6:8] in normalKeys.keys():
            output += [[normalKeys[line[6:8]]], [shiftKeys[line[6:8]]]][line[1] == '2']
        else:
            output += ['[unknown]']
    except:
        pass
keys.close()
flag = 0
# print the raw key sequence first, with the <DEL> markers still in place
print("".join(output))
for i in range(len(output)):
    try:
        a = output.index('<DEL>')
        del output[a]
        del output[a-1]
    except:
        pass
for i in range(len(output)):
    try:
        if output[i] == "<CAP>":
            flag += 1
            output.pop(i)
            if flag == 2:
                flag = 0
        if flag != 0:
            output[i] = output[i].upper()
    except:
        pass
print('output :' + "".join(output))
```
ct<DEL>onh<DEL>gratue<DEL>latioke<DEL><DEL>nsonfiny<DEL>dingmebutiwii<DEL>llns<DEL>ottellyouwheretqa<DEL><DEL>hepz<DEL>asswordws<DEL><DEL>ox<DEL>fwe<DEL>od<DEL>rddoc<DEL>cumentisgoarfv<DEL><DEL><DEL>ndfinditagain
output :congratulationsonfindingmebutiwillnottellyouwherethepasswordofworddocumentisgoandfinditagain
The character in front of each <DEL> is the key: qazwsxedcrfv
flag{685b42b0-da3d-47f4-a76c-0f3d07ea962a}
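The missed point in this challenge is that the characters removed by Backspace are themselves the message, so a decoder that applies deletions and throws the rest away loses the key. As an added example (not from the writeup or the borrowed script), the Python below decodes 8-byte HID boot-keyboard reports in either tshark output format (colon-separated or bare hex), handles Shift, emits only keys newly pressed since the previous report, and keeps the deleted characters in a separate buffer. The scancode table is a constructed subset (letters, digits and a few controls) and the reports in SAMPLE are constructed.

```python
import re

# constructed subset of the HID usage table; the scripts above carry the full tables
NORMAL = {0x04 + i: chr(ord("a") + i) for i in range(26)}
NORMAL.update({0x1E + i: "1234567890"[i] for i in range(10)})
NORMAL.update({0x28: "<RET>", 0x2A: "<DEL>", 0x2C: " ", 0x2D: "-", 0x2E: "="})
SHIFT = {k: v.upper() for k, v in NORMAL.items() if v.isalpha()}
SHIFT.update({0x1E + i: "!@#$%^&*()"[i] for i in range(10)})
SHIFT.update({0x28: "<RET>", 0x2A: "<DEL>", 0x2C: " ", 0x2D: "_", 0x2E: "+"})
SHIFT_MASK = 0x02 | 0x20  # left and right Shift bits of the modifier byte


def parse_report(line):
    """Accept one usb.capdata value as tshark prints it, either '00:00:04:00:00:00:00:00'
    (older versions) or '0000040000000000' (newer ones). Returns 8 bytes or None."""
    hexstr = line.strip().replace(":", "")
    if not re.fullmatch(r"[0-9a-fA-F]{16}", hexstr):
        return None
    return bytes.fromhex(hexstr)


def decode_reports(lines):
    """Return (typed_text, deleted_text). typed_text applies Backspace the way an editor
    would; deleted_text keeps, in order, every character Backspace removed, which is
    where baby-usb hid its key. Only keys newly present since the previous report are
    emitted, so held keys and release reports (all zeros) add nothing."""
    typed, deleted, prev = [], [], set()
    for line in lines:
        rep = parse_report(line)
        if rep is None:
            continue
        shifted = bool(rep[0] & SHIFT_MASK)
        keys = {k for k in rep[2:8] if k}  # byte 1 is reserved, bytes 2-7 are pressed keys
        for k in sorted(keys - prev):
            ch = (SHIFT if shifted else NORMAL).get(k, "[unknown]")
            if ch == "<DEL>":
                if typed:
                    deleted.append(typed.pop())
            else:
                typed.append(ch)
        prev = keys
    return "".join(typed), "".join(deleted)


# constructed capture: Shift+h, i, v, Backspace, Shift+1, each followed by a release report,
# in both tshark formats, plus one line that is not a report at all
SAMPLE = """\
02:00:0b:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0c:00:00:00:00:00
00:00:00:00:00:00:00:00
0000190000000000
0000000000000000
00002a0000000000
0000000000000000
02001e0000000000
0000000000000000
not a report
""".splitlines()

if __name__ == "__main__":
    typed, deleted = decode_reports(SAMPLE)
    print("typed  :", typed)    # Hi!
    print("deleted:", deleted)  # v
```

Feeding it the lines from fileaaa.txt would give the congratulations text as typed_text and the sequence of deleted characters as deleted_text, without the manual read-off of the characters before each <DEL>.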