2019红帽杯-MISC-复盘WriteUp

前言：

　　前阵子玩了玩今年的红帽杯，题目质量很高，值得记录一下。

　　题目见：https://github.com/DrsEeker/redhat2019

0x01: Advertising for marriage

 拿到题目，是一个500多M的RAW文件，可知这是一道内存取证题目，使用内存取证工具Volatility进行分析：

使用格式:Volatility -f [imgfile] [command]

　　

发现是WindowsXPSP2，查看进程信息：

Volatility -f [imgfile] --profile=WinXPSP2 psscan

发现两个可疑进程：notepad.exe(记事本)和mspaint.exe(画图)

查看记事本内容：Volatility -f [imgfile] --profile=WinXPSP2x86 notepad

 看到提示：????needmoneyandgirlfirend(吐槽一下，这里的girlfriend还打错了)

前四个字符不可知，dump画图进程：

Volatility -f [imgfile] --profile=WinXPSP2x86 memdump -p [pid] --dump-dir [outdir]

 

 使用GIMP工具载入原始图像数据(先重命名后缀为data)，具体操作：

 调整位移可以调整图像在内存中的偏移，调整高度和宽度则是图像分辨率，先调整高度至一个适合的值，再调整宽度，再慢慢调整位移，可以得到进程在内存中的图像信息。

hint:每个宽度与高度均对应了一个分辨率，不同分辨率可以呈现的画面是不同的

经过我的多次调试后发现，把图像宽度调至960可以发现：

 其中的图片是镜像的，这便是画图界面在内存中的图像信息，镜像反转后可以得到b1cx这四个字符，结合notepad中提取的hint可以得到：b1cxneedmoneyandgirlfirend

到现在并没有发现一些直截了当的信息，于是，转变方向，我们可以尝试查看一下桌面上有什么内容：

volatility -f [imgfile] --profile=[imgversion] filescan | grep [arg]

可以看到桌面上有Dump It.exe(就是这个程序生成的内存dump文件，即我们拿到的题目文件),HP-xxxx.raw(这个raw文件就是我们的题目文件了),vegetable.png(可疑，dump下来看看)

volatility -f [imgfile] --profile=[imgversion] dumpfiles -Q [file_offset] --dump-dir [outdir]

 

查看dump出的图片:

 打开图片时遇到错误，提示CRC校验出错，猜测是高度或者宽度有问题，利用CRC爆破可以得到图片的正确高度为：

 

 贴上脚本:

# -*- coding: utf-8 -*-
import binascii
import struct
crc32key = 0xB80A1736
height = 0
width = 0x11f
for i in range(0, 0xffff):
  height = struct.pack('>i', i)
  #width = struct.pack('>i',i)
  data = 'x49x48x44x52' + struct.pack('>i',width) + height + 'x08x06x00x00x00' #爆破高度用
  #data = 'x49x48x44x52' + width + struct.pack('>i',height) + 'x08x06x00x00x00' #爆破宽度用
  crc32result = binascii.crc32(data) & 0xffffffff
  if crc32result == crc32key:
    print(''.join(map(lambda c: "%02X" % ord(c), height)))

在010editor中改好打开图片看到:

 看到是模糊的flag，使用binwalk也没有什么发现，怀疑是LSB隐写，使用cloacked-pixel工具：

python extract [infile] [outfile] [pass]

 可以看到

 Base64解密得:

Virginia ciphertext:gnxtmwg7r1417psedbs62587h0

看到是维吉尼亚密码，由于维吉尼亚密码的秘钥只能是字母，所以从b1cxneedmoneyandgirlfirend剔除掉１再解密

可以得到

 ｆｌａｇ : flagisd7f1417bfafbf62587e0

0x02: 恶臭的数据包

 拿到手是一个cap文件，可知这是一道流量分析题，用wireshark打开：

可以看到是802.11的无线数据包，我们需要借助aIrcrack-ng 来破解他的密码：

aircrack-ng  -w  password.txt  -b [MAC] [capfile]

 

 可以看到破解出的密码是12345678

之后再解密出cap文件：

airdecap-ng [capfile]  -e [ESSID]  -p [pass]

 解密出的cap文件为cacosmia_dec.cap使用wireshark查看：

 可以看到已经是可以进行分析的cap包了。

导出HTTP对象：

可以看到一个图片：

 binwalk后可以看到：

 其后有一个压缩包，foremost出来：

 可以看到一个flag.txt但是是有密码的，尝试了伪加密后无果，用azpr爆破后也无果，于是目标转向数据包内，查看一些信息，

在HTTP上传这个图片的包中，看到cookie是JWT格式的，于是尝试JWT解密：

 

 看到payload中的提示：为了安全起见，我把密码设置成了我刚刚ping过的一个网站。

于是从ping中查看，想到ping域名之前，一定要通过DNS来获取域名指向的ip，于是过滤DNS协议：

 尝试其中的几个域名后发现，压缩包解压密码为最后一个域名: 26rsfb.dnslog.cn

解压得到flag：

 0x03:玩具车()

 这个题脑洞蛮大的，题目给了一个压缩包，其中包含十几个wav文件和两张单片机示意图，起初我还以为是音频分析题，查看频谱图之后感觉像是莫斯电码，尝试了一番后发现并没有什么结果

于是又看了一遍题目，看看他的小车在干啥，想到可能是要分析小车的运动轨迹

查了下小车的型号后发现有一个操作手册

 可以看到和给的wav文件是对应的，于是我们开始写脚本输出每个端口的信号情况：

#-*- coding:utf-8 -*-
import wave
import numpy as np
import turtle

filename = 'L293_1_A1'
wavfile = wave.open(filename + '.wav','rb')
params = wavfile.getparams()
nchannels, sampwidth, framerate, nframes = params[:4]
sig = wavfile.readframes(nframes)
sig = np.frombuffer(sig, dtype=np.short)
seq = ''
for i in range(0,len(sig),framerate):
    if sig[i] > 1000:
        seq += "1"
    else:
        seq += "0"
file = open(filename + '.txt','w')
file.write(seq)
file.close()

之后，再根据每个端口的信号情况，模拟出小车的运动轨迹：

 贴上脚本：

#-*- coding:utf-8 -*-

import turtle

L_1_A1='11110011011001101101101100110110111100011110011011011011011001101111100110001101101111001101100011110110110101111010111100011011011001101101101111000110110110011110100110111100011110001111011011110011011000111101101101100111101001101101100101100100111111110001101100011011011011110001111001101101011101101001101101011110101111000110110110110101110110100110110110011110100110111100011110011011110001111011000110111101101101101101101101101100110111100001111011011010111011010011011111000110110001101101101101100101100100111111010111100011011011011011011011001101111100011011000110110110111100011110001111011011110011011000111101101101101111000110110110011011101011110001101101101111100011011000110110110111100011110110001101111011011011010111101011110001101111000111100110110111011110000110'
L_1_A2='00001100100110010010010011001001000011100001100100100100100110010000011001110010010000110010011100001001001010000101000011100100100110010010010000111001001001100001011001000011100001110000100100001100100111000010010010011000010110010010011010011011000000001110010011100100100100001110000110010010100010010110010010100001010000111001001001001010001001011001001001100001011001000011100001100100001110000100111001000010010010010010010010010011001000011110000100100101000100101100100000111001001110010010010010011010011011000000101000011100100100100100100100110010000011100100111001001001000011100001110000100100001100100111000010010010010000111001001001100100010100001110010010010000011100100111001001001000011100001001110010000100100100101000010100001110010000111000011001001000100001111001'
L_1_B1='11011110001111000110111100011011110110110011001101111110001100111110111100000110111101111000110110011011011111001111100110001101111000110111111001100011011110110011000011110110110011011001101111011110001101100110110111101100110000110110110000010111101111011011010110110001101111011011001100110111110100111000110111110011111001100011011011011111010011100011011110110011000011110110110011001111011011001101101101100110110110110110111111000110011110110011001101101111101001110001111101101101011011000110110110110000010111101101111100110110001101101111110001100111110110110101101100011011110110110011011001101111011110001101100110110111111001100011011110001110111110011011000110111110110110101101100011011110110110011011011011001101101101111100111110011000111101101100110011011111110011000011'
L_1_B2='00100001110000111001000011100100001001001100110010000001110011000001000011111001000010000111001001100100100000110000011001110010000111001000000110011100100001001100111100001001001100100110010000100001110010011001001000010011001111001001001111101000010000100100101001001110010000100100110011001000001011000111001000001100000110011100100100100000101100011100100001001100111100001001001100110000100100110010010010011001001001001001000000111001100001001100110010010000010110001110000010010010100100111001001001001111101000010010000011001001110010010000001110011000001001001010010011100100001001001100100110010000100001110010011001001000000110011100100001110001000001100100111001000001001001010010011100100001001001100100100100110010010010000011000001100111000010010011001100100000001100111100'
L_1_EnA='11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111011111111111111111111111111111111111111111111111111111101111110111111111110000000000000101111111101111111011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111110111111101111111111110000000000000111111111111111111111111111111111111111011111111011111110111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111011111111011111110111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111'
L_1_EnB='11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111011111111111111111111111111111111111111111111111111111101111110111111111110000000000000101111111101111111011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111110111111101111111111110000000000000111111111111111111111111111111111111111011111111011111110111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111011111111011111110111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111'
L_2_A1='11110011011001101101101100110110111100011110011011011011011001101111100110001101101111001101100011110110110101111010111100011011011001101101101111000110110110011110100110111100011110001111011011110011011000111101101101100111101001101101100101100100111111110001101100011011011011110001111001101101011101101001101101011110101111000110110110110101110110100110110110011110100110111100011110011011110001111011000110111101101101101101101101101100110111100001111011011010111011010011011111000110110001101101101101100101100100111111010111100011011011011011011011001101111100011011000110110110111100011110001111011011110011011000111101101101101111000110110110011011101011110001101101101111100011011000110110110111100011110110001101111011011011010111101011110001101111000111100110110111011110000110'
L_2_A2='00001100100110010010010011001001000011100001100100100100100110010000011001110010010000110010011100001001001010000101000011100100100110010010010000111001001001100001011001000011100001110000100100001100100111000010010010011000010110010010011010011011000000001110010011100100100100001110000110010010100010010110010010100001010000111001001001001010001001011001001001100001011001000011100001100100001110000100111001000010010010010010010010010011001000011110000100100101000100101100100000111001001110010010010010011010011011000000101000011100100100100100100100110010000011100100111001001001000011100001110000100100001100100111000010010010010000111001001001100100010100001110010010010000011100100111001001001000011100001001110010000100100100101000010100001110010000111000011001001000100001111001'
L_2_B1='11011110001111000110111100011011110110110011001101111110001100111110111100000110111101111000110110011011011111001111100110001101111000110111111001100011011110110011000011110110110011011001101111011110001101100110110111101100110000110110110000010111101111011011010110110001101111011011001100110111110100111000110111110011111001100011011011011111010011100011011110110011000011110110110011001111011011001101101101100110110110110110111111000110011110110011001101101111101001110001111101101101011011000110110110110000010111101101111100110110001101101111110001100111110110110101101100011011110110110011011001101111011110001101100110110111111001100011011110001110111110011011000110111110110110101101100011011110110110011011011011001101101101111100111110011000111101101100110011011111110011000011'
L_2_B2='00100001110000111001000011100100001001001100110010000001110011000001000011111001000010000111001001100100100000110000011001110010000111001000000110011100100001001100111100001001001100100110010000100001110010011001001000010011001111001001001111101000010000100100101001001110010000100100110011001000001011000111001000001100000110011100100100100000101100011100100001001100111100001001001100110000100100110010010010011001001001001001000000111001100001001100110010010000010110001110000010010010100100111001001001001111101000010010000011001001110010010000001110011000001001001010010011100100001001001100100110010000100001110010011001001000000110011100100001110001000001100100111001000001001001010010011100100001001001100100100100110010010010000011000001100111000010010011001100100000001100111100'
L_2_EnA='11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111011111111111111111111111111111111111111111111111111111101111110111111111110000000000000101111111101111111011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111110111111101111111111110000000000000111111111111111111111111111111111111111011111111011111110111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111011111111011111110111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111'
L_2_EnB='11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111011111111111111111111111111111111111111111111111111111101111110111111111110000000000000101111111101111111011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111011111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111110111111110111111101111111111110000000000000111111111111111111111111111111111111111011111111011111110111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111011111111011111110111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111'

path = '' #1为前进2为后退3为左转4为右转
front_1 = '' #1为正转2为反转0为停止
front_2 = ''
back_1 = ''
back_2 = ''

for i in range(0,len(L_1_EnA)):
    if L_1_EnA[i] == '1':
        if L_1_A1[i] == '1' and L_1_A2[i] == '0':
            front_1 = 1
        elif L_1_A1[i] == '0' and L_1_A2[i] == '1':
            front_1 = 2
        else:
            front_1 = 0
    else:
        front_1 = 0
    if L_1_EnB[i] == '1':
        if L_1_B1[i] == '1' and L_1_B2[i] == '0':
            front_2 = 1
        elif L_1_B1[i] == '0' and L_1_B2[i] == '1':
            front_2 = 2
        else:
            front_2 = 0
    else:
        front_2 = 0
    if L_2_EnA[i] == '1':
        if L_2_A1[i] == '1' and L_2_A2[i] == '0':
            back_1 = 1
        elif L_2_A1[i] == '0' and L_2_A2[i] == '1':
            back_1 = 2
        else:
            back_1 = 0
    else:
        back_1 = 0
    if L_2_EnB[i] == '1':
        if L_2_B1[i] == '1' and L_2_B2[i] == '0':
            back_2 = 1
        elif L_2_B1[i] == '0' and L_2_B2[i] == '1':
            back_2 = 2
        else:
            back_2 = 0
    else:
        back_2 = 0
    if front_1 == 1 and front_2 == 1 and back_1 == 1 and back_2 == 1:
        path += '1'
    elif front_1 == 2 and front_2 == 2 and back_1 == 2 and back_2 == 2:
        path += '2'
    elif front_1 == 2 and front_2 == 1 and back_1 == 2 and back_2 == 1:
        path += '3'
    elif front_1 == 1 and front_2 == 2 and back_1 == 1 and back_2 == 2:
        path += '4'
    else:
        path += '5'
turtle.left(90)
for i in path:
    if i == '1':
        turtle.forward(5)
    elif i == '2':
        turtle.backward(5)
    elif i == '3':
        turtle.left(90)
    elif i == '4':
        turtle.right(90)
turtle.mainloop()

总结:

　　这次红帽杯的杂项题脑洞很大，题目质量也很高，从中学习到了很多新东西，赞