buuoj_misc

[RoarCTF2019]forensic

拿到raw檔案拖到kali裡，首先看鏡像資訊、

volatility -f /root/mem.raw imageinfo

用建議的profile，Win7SP1x86。先檢視下記憶體中的程序

volatility -f /root/mem.raw pslist --profile=Win7SP1x86

有幾個程序比較值得關注

TrueCrypt.exe    ---一款磁盤加密工具

notepad.exe      ---windows裡的記事本

mspaint.exe      ---windows畫圖工具

DumpIt.exe       ---記憶體鏡像提取工具

用指令檢視一下提取記憶體時的記憶體資料，發現noetepad和mspaint在記憶體中都沒有資料

volatility -f /root/mem.raw --profile=Win7SP1x86 userassist

再掃描檔案看看

volatility -f /root/mem.raw --profile=Win7SP1x86 filescan |grep -E 'png|jpg|gif|zip|rar|7z|pdf|txt|doc'

無标題.png是windows畫圖工具的預設檔案名

把圖檔dump下來

volatility -f /root/mem.raw --profile=Win7SP1x86 dumpfiles -Q 0x000000001efb29f8 --dump-dir=/root/111

應該是密碼，先收着後面用

1YxfCQ6goYBD6Q

再掃描一下桌面檔案看看

volatility -f /root/mem.raw --profile=Win7SP1x86 filescan | grep "Desktop"

dumpit.exe預設生成的檔案是 {hash}.raw，預設儲存路徑是dumpit.exe所在的路徑

LETHALBE3A-20190916-135515.raw是DumpIt.exe生成的檔案，dump下來看看

volatility -f /root/mem.raw --profile=Win7SP1x86 dumpfiles -Q 0x000000001fca1130 --dump-dir=/root/111

發現沒資料，說明驗證的時候dumpit.exe還在運作，那就dump一下dumpit.exe的記憶體鏡像看看

volatility -f /root/mem.raw --profile=Win7SP1x86 memdump -p 3380 -D /root/111

對dumpit.exe的記憶體鏡像進行分析

foremost 3380.dmp

分離出包含flag.txt的加密壓縮封包件，密碼是圖檔内容1YxfCQ6goYBD6Q

flag.txt内容為RoarCTF{wm_D0uB1e_TC-cRypt}

[*CTF2019]babyflash

用JPEXS反編譯flash.swf得到441張黑白圖檔和1個mp3檔案

軟體下載下傳位址：https://github.com/jindrapetrik/jpexs-decompiler/releases

右鍵導出圖檔

圖檔很規律，張數剛好是441=21*21，按照圖檔順序，黑為1白為0，拼湊出0-1序列

圖像處理腳本——識别1和0：

from PIL import Image
def aaa(s):
    image = Image.open("frames/"+str(i)+".png")
    a,b,c,d = image.getpixel((50,50))
    return a
s=''
for i in range(1,442):
    if aaa(i)==0:
        s+='1'
    else:
        s+='0'
print (s)      

輸出：

111111100110001111111100000100111001000001101110101011001011101101110100100101011101101110100101101011101100000100110001000001111111101010101111111000000001010100000000111011111011111000100110110011011101111011101101111001101111011010010001100000000011111010100000100011000000000001011100110011111111101011100110101100000101101000100010101110101011011000001101110100101101110000101110101101110110001100000101011100010010111111101101100001011

嘗試一下拼一起

圖檔處理腳本——拼接圖檔：

from PIL import Image

length = 21
img = Image.new('RGB', (length*5, length*5))
#黑點為1白點為0
data = "111111100110001111111100000100111001000001101110101011001011101101110100100101011101101110100101101011101100000100110001000001111111101010101111111000000001010100000000111011111011111000100110110011011101111011101101111001101111011010010001100000000011111010100000100011000000000001011100110011111111101011100110101100000101101000100010101110101011011000001101110100101101110000101110101101110110001100000101011100010010111111101101100001011"

for x in range(length):
    for y in range(length):
        if data[x*length+y] == '1':
            for xx in range(x*5, x*5+5):
                for yy in range(y*5, y*5+5):
                    img.putpixel([xx, yy], (0,0,0))
        else:
            for xx in range(x*5, x*5+5):
                for yy in range(y*5, y*5+5):
                    img.putpixel([xx, yy], (255,255,255))
img.save('out.png')      

得到前半個flag

*ctf{half_flag_&

再導出mp3檔案，這個是常見套路頻譜隐寫，得到後半段flag

&_the_rest}

參考：https://zhuanlan.zhihu.com/p/64252028