网刃杯复现misc+流量包

签到

cipher.txt

U2FsdGVkX1+WTSHujcCjvHj/gcwL0C7u37XtW4idGcpci3H913I=

U2F那些，考虑为aes,des啥的

发现flag.txt是零宽度字符，

md5加密一下文件

f71b6b842d2f0760c3ef74911ffc7fdb

测试发现是rabbit，解密获得flag

mspaint

看一下iehistory

发现key.png和百度网盘

volatility -f mspaint.raw --profile=Win7SP1x64 filescan | grep key.png

volatility -f mspaint.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003e96e7d0  -D ./

得到百度网盘的密码

发现加密的压缩包，还需要key

想到截屏

volatility -f mspaint.raw --profile=Win7SP1x64 screenshot -D ./

得到一个key，但是并不是压缩包的密码。

th1s_1s_th3_k3y

在看进程的时候有一个dumpit.exe,dump一下这个进程

volatility -f mspaint.raw --profile=Win7SP1x64 memdump -p 1064 -D ./

调整参数

得到压缩包的解压密码

q2A!~R%8

后面是队里的re手个人秀

把flag.exe转成flag.pyc

文件夹里出现

修改文件头为pyc

key = 'xxxxxxxxxxxxxxx'
flag = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
data = ''
for i in range(0, len(flag)):data += hex(ord(flag[i]) ^ ord(key[(i % 15)]))[2:].zfill(2)
else:print(data.upper())data = '12045014240343684450506E5E1E1C165D045E6B52113C5951006F091E4F4C0C54426A52466A165B0122'

这里的key15位就是那张图片里的th1s_1s_th3_k3y

写出解密脚本

key = 'th1s_1s_th3_k3y'
flag = ''
data = '12045014240343684450506E5E1E1C165D045E6B52113C5951006F091E4F4C0C54426A52466A165B0122'
data_list = []
for i in range(0,len(data),2):data_list.append('0x' + data[i:i+2])
print(data_list)
for i in range(0,len(data_list)):flag += chr(int(data_list[i],16)^ord(key[(i % 15)]))print(flag)

flag{20708c15-eb55-4cbc-930b-68de15c55b32}

藏在s7里的秘密

题目描述：某工厂的安全设备捕获了攻击者向PLC中写入恶意数据的数据包，你能分析出并找到其中隐藏的数据吗？

附件打开发现流量包损坏打不开，010打开发现文件头被修改了，直接pcapfix修复下就好。
打开后，追踪tcp流发现png图片

保存后发现只能看清楚一半的图

显然十六进制数据是不完整的，然后因为没咋做过流量包，到这思路也就停滞了。赛后看师傅的wp发现要看，这个流量包中出现最多的流s7comm，

先使用上面的过滤框，单独过滤这个协议

在查看这个流的时候发现长度有不一样的地方，看第一个长度541的包，发现存在png的文件头，最后一个长度329的包存在png的文件尾

拿导出第一部分举例
选中data->显示分组字节

单击左下角改为原始数据

选中010,ctrl+shift+v保存即可。按照顺序依次把数据加进去即可。
保存后发现crc的值报错，说明宽高被修改了，修改高度获得flag

flag{FSfeQefjg}

老练的黑客

题目描述：一黑客成功入侵某核电站且获得了操作员站控制权，该操作员站可控制离心机的转速，当离心机的转速持续高于5000时将导致设备损坏，为了保护设备，操作员站检测到转速超过5000时会自动限制转速。但该黑客非常老练，他在修改了转速后，还欺骗了操作员站，使得操作员站读取到错误的转速数据。你能找到黑客修改后的转速值和操作员站读取到的错误转速值吗？（flag格式：flag{修改后转速的+读取的错误转速} 值用16进制表示
通过查看发现转速的数据位于data
5000的十六进制为1388，所以只要找到data大于1388的包查看数据即可
使用过滤器

modbus.data>1338

所以第一部分的flag为22b8。
又说转速被修改了，往下翻倒数read的几个包，找到一个4500对应十六进制为1194,肯定是被修改的转速。

flag{22b81194}

baby-usb

usb流量找到有数据的包，发现是八字节的，可能是键盘流量。

那就找键盘流量的脚本梭一下。
用脚本直接跑没啥输出，所以先用tshark提取了一下

tshark -r key.pcapng -T fields -e usb.capdata | sed '/^\s*$/d' > fileaaa.txt

然后修改了下脚本有输出了

import os,sysnormalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e","09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j","0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o","13":"p", "14":"q", "15":"r", "16":"s", "17":"t","18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y","1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4","22":"5", "23":"6","24":"7","25":"8","26":"9","27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\","32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".","38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
shiftKeys = {"04":"A", "05":"B", "06":"C", "07":"D", "08":"E","09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J","0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O","13":"P", "14":"Q", "15":"R", "16":"S", "17":"T","18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y","1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$","22":"%", "23":"^","24":"&","25":"*","26":"(","27":")","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":"\"","34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}#pcapFilePath = sys.argv[1]
#os.system("tshark -r "+pcapFilePath+" -T fields -e usb.capdata | sed '/^\s*$/d' > out.txt")output = []
keys = open('out.txt')
for line in keys:line = ''.join(line[i:i+2]+':' for i in range(0,len(line)-1,2)).strip(':') try:if line[0]!='0' or (line[1]!='0' and line[1]!='2') or line[3]!='0' or line[4]!='0' or line[9]!='0' or line[10]!='0' or line[12]!='0' or line[13]!='0' or line[15]!='0' or line[16]!='0' or line[18]!='0' or line[19]!='0' or line[21]!='0' or line[22]!='0' or line[6:8]=="00":continueif line[6:8] in normalKeys.keys():output += [[normalKeys[line[6:8]]],[shiftKeys[line[6:8]]]][line[1]=='2']else:output += ['[unknown]']except:passkeys.close()flag=0
#print("".join(output))
for i in range(len(output)):try:a=output.index('<DEL>')del output[a]del output[a-1]except:passfor i in range(len(output)):try:if output[i]=="<CAP>":flag+=1output.pop(i)if flag==2:flag=0if flag!=0:output[i]=output[i].upper()except:passprint ('output :' + "".join(output))
os.system("rm -rf out.txt"

output :congratulationsonfindingmebutiwillnottellyouwherethepasswordofworddocumentisgoandfinditagain

到这其实就没什么思路了，尝试了各种东西，赛后看发现方向错了。
借用盖乐希师傅的脚本

normalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e","09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j","0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o","13":"p", "14":"q", "15":"r", "16":"s", "17":"t","18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y","1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4","22":"5", "23":"6","24":"7","25":"8","26":"9","27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\","32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".","38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
shiftKeys = {"04":"A", "05":"B", "06":"C", "07":"D", "08":"E","09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J","0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O","13":"P", "14":"Q", "15":"R", "16":"S", "17":"T","18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y","1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$","22":"%", "23":"^","24":"&","25":"*","26":"(","27":")","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":"\"","34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
output = []
keys = open('filebbb.txt')
for line in keys:try:if line[0]!='0' or (line[1]!='0' and line[1]!='2') or line[3]!='0' or line[4]!='0' or line[9]!='0' or line[10]!='0' or line[12]!='0' or line[13]!='0' or line[15]!='0' or line[16]!='0' or line[18]!='0' or line[19]!='0' or line[21]!='0' or line[22]!='0' or line[6:8]=="00":continueif line[6:8] in normalKeys.keys():output += [[normalKeys[line[6:8]]],[shiftKeys[line[6:8]]]][line[1]=='2']else:output += ['[unknown]']except:passkeys.close()flag=0
print("".join(output))
for i in range(len(output)):try:a=output.index('<DEL>')del output[a]del output[a-1]except:passfor i in range(len(output)):try:if output[i]=="<CAP>":flag+=1output.pop(i)if flag==2:flag=0if flag!=0:output[i]=output[i].upper()except:passprint ('output :' + "".join(output))

ct<DEL>onh<DEL>gratue<DEL>latioke<DEL><DEL>nsonfiny<DEL>dingmebutiwii<DEL>llns<DEL>ottellyouwheretqa<DEL><DEL>hepz<DEL>asswordws<DEL><DEL>ox<DEL>fwe<DEL>od<DEL>rddoc<DEL>cumentisgoarfv<DEL><DEL><DEL>ndfinditagain
output :congratulationsonfindingmebutiwillnottellyouwherethepasswordofworddocumentisgoandfinditagain

每个~~前面的字符就是key qazwsxedcrfv~~

flag{685b42b0-da3d-47f4-a76c-0f3d07ea962a}