2021 [线下]陇剑杯 wp

• 前言
• 1.1
• 1.2
• 1.3
• 1.4
• 1.5
• 3.1
• 3.3
• 4.1
• 4.2
• 5.1
• 5.2
• Tip

前言

1. wp由EDI yanshu师傅投稿 ，感谢yanshu师傅。
2. 部分题目为赛后复现。
3. 部分题目复现方法由一些师傅提供解题思路，感谢。
4. 题目附件获取方法在文章末尾。

1.1

导出对象 发现 6.html 中有颜文字

解开后 alert(“EBA01E64-416C-419E-9C9A-C807AD9741D2”);

1.2

全局搜X-Forwarded-For，会发现它ip是五位的，答案长度为8，那么不需要标点，去掉最后一位，所以答案是 34244579

1.3

木马密码MD5值 161ebd7d45089b3446ee4e0d86dbcf92

1.4

找zip 文件，在173 流 会看见一个压缩包

188 流中 看见PK 头

对命令解码发现读取的文件就是 /tmp/1.zip

去掉混淆字符后提出文件，但是需要密码

主办方的提示好像是 社工 来着，觉得可能会是脑洞，就没找到

1.5

这题是把1.bin 和 2.bin 内容拼接

所以根据蚁剑读取文件的规则，把/tmp/1.bin 编码 ，找base64后的文件名会在哪出现

http contains “L3RtcC8xLmJpbg” 过滤一下，在234 流找到了

然后把 前后混淆字符去掉 得到答案

F3C4426E-8A4F-49F7-A658-2E33D85BA665

3.1

初赛机密内存的考点，线下有脚本就出了

https://github.com/axcheron/pyvmx-cracker
           

原文件名enc.bin

"key/list/(pair/(phrase/UmBuYyhuIW8%3d/pass2key%3dPBKDF2%2dHMAC%2dSHA%2d1%3acipher%3dAES%2d256%3arounds%3d10000%3asalt%3d0kVDY4OIuvr2WAG%2bo639Lw%253d%253d,,JV9HGrSxPYiDk%2bJYP0KxHqceNnA%2fB0vLXtXVmrUSGINNbFmXRCX5smPN3Ny0hTcjtSGVTOXie5xUK2HdJaj6NxmgyTtc38Xy80co%2f3swAflWoKvMFxRB86AtVqZZ7Sv%2fbUAjCwVUd7uplXhLUfdCk12BMY0%3d))"
"etHKaa2gijMJ4n3hP9NjN9uNnI10E96xhqVa1P30TCTHr8BUkALO6RiD7mJSzlpX7hX1TF23UV7zhXhvip/8tBaAZYBXFYJHcBEnfVWQ23VetQwm5y+l3K29U14Tpz2jQMC920wxA9joTKs67CaiqdGixKZF/TZ7Mvdm5zc60HaB9Yj/OI4KGdJEjVstAu9U6hryfTRC8MIANadKuRy2rwJR9EkMHyPwNTyQwsDgVPwkvE1evA6tB7Q7RmiWDSEJamCEfo/SaSuky4NIaaGaquczBmMkhphQ7zTmL6nhZYjClcCuWsuzCwGrAeVX3UTShJjmIkbq6w4GRuxvpjt8swV+BmgleU6UEQIFlyqFYvk1a2oe314FootRsJiS4XEW6ngkthe5hw053SfN/GP85RS/uIKsCH11vCrD2Ew029fgBq0yy1YeOZQ/QEYlwrKPtd0eRT83dbZJs/XzM+ehZpKVS+nfJdQjGOlROluXnj9VXBrEK/9MT9qyNca4xOpKKkjmmH+vMpqiZHFwjdRl3NUeiy0bh0hj4YeMAo7L0/Uk77A09E9jrNKnkZ2hILX1+yXbGLyvW9OdDhALGj4QaGNdkfPGDYwv7U6CrjoTlCMXDyZY0idFtPwn7NfdAviPjsDWZonDsILX7LjZDrUTkYvoceGKiSQFOUQ3NlI9c3fzaCRfrnxQ6wLncp0WV8HfFF5+FfLt8HgzYCdGx1d8itwGkvwgy/RtSazrAY88OtpInKAhBZgZfdN4paq5FFdWfWQnB5Rjq20FuUzlv5TUfAUkBalO0zJhQl97R6REHoc5kLK9NxWMQJQ5H/B4/pEifTVSxo5QTLt+xsvWlxo7WnVhZGmdvqNgocLn8l4KzcNKxx7wlzMqWtjSYH6ocBk+atbR1dRNEEYH6ii0ZKdOo0ujlXk0HFUCNozR06WMv1zPQqDaHh2wQaqevX/rFEfWE0P0McISpxW0DMeEjsA3j6YLACcE14GadaGAUc7PrOFMPsPujdhAWjv9KvO8/H0rgkPDza0Tu6yUFBVb6tXhri3t2XtlWuuivU/W8sfh/+MUYXddU/1hUqV/qZ3dgxWYlunywMlBeT1TKKtJQTeq5zmILRy0tKvBU2fsQYuElRVpXWXeMsVDLnCvH+Kr+2MR8MfHt1LG+/OOWRmFe2M12zTIX1m4KZHdB1B+fIHBVC2AKD1e2DAMFjDyccCsB1unyDl07LpVpnrC45Iysbj+iwWT/++exiDR1cntMd/4NgzDbJlWlcjCZNvfPsjvyQznqdUdXy00YivLXrQxwyK8D6PStzIsH5kY/P+08G/KzW7EbT3LWFBT72VPYNAAf3EeL2nM40AyUOU5jfVzAC3WZKAzBwb+B7ZB43LfNzNL83E4G/BAh0onWSlFDzf+oS5wFw/qd7TVjjPYdkZ4D6or3fD+lHLlpkMzROlGuJgQeTpF8A89WMWQpkokbxGVWhunbz7t6hMLdQ507mf/uIQu75eczxTDG0rNvkptX1IJUBXYeh34xRmn/RVzLB55WLsbrrcKyQ9xjHrlrUyCsE9jaJh5AvqNbEC6pPsjnnXcb8mzZXwc876QDuwPZsLGJJ+FZwEpQ1TS89Rwt/MoZdDYlGu/J1AXnYf4fB/9EvAH1rzpyH6m1tSqlCdbPt4pfCO3QGydXVyzfNAARh7wD6KIMlYRja9pDj++OxSfLgQgaSW8u+pJ2q09rYJcGxg7HZEJnt35nlMb3wgCsptw+iSMbUdgr++ApX3fQWBkzAvSb4EjH95bNF0U7E8nkc9M9tcalOYb+EPThSdxgi8iFGP0b+DWHrF5BJQm9mzmntraOSNmnpAAORGW3F4XLmcRN+w3Gm2StQvHWF1td1wtIzHSRHoxSwcVR15Z7IPT4Zi/YU45SLO3xbnL2SlUu0/uaj7kHMqpIYyXdAYi+aeGpl5w+mQjb603Z/L/OZvzkn30RE8IrdBqB+bDl+c7opsu9TBssPV4hO+VWOtswMPSvk4TWn0/57HhSAMwFP5K/mDcW4gYEinHS10tkC7+ssHWUDMDzPmN8FH3JS8YxLJ754M5BF0H3fnTCUylvaXq3oLnHJrzbq+sGNZf9KUsefer/Qh5rWTYgJ0cG73KLQ0KFNaMZdbhJ/IYFI9RMKVyS+yKrD08GqvzyOdjjLThx9Tzbj/E/IAJyw1mQzbi5abrst957zSEzNyJXrFHisjteX56o1YAWNVteqYjSD6GuG6b1QBP0hPLElbc8mjNsF0anuy2EETHO5GRqOIiDEwZIQFLYGfDS09aWXXxOLV7Mqoj8VZ+xkRUuxJwhd8hfEeyQsB3U/hhJTXTFKHWOIwZW7fKK46ZNQPVFR0aaYNxJX9l/BHz3QtUV+PSMZkhcUzd7UjpGOyrVFSgz7kDZN2oeCc/LaH+fJEkLhslUvRf4hZNG+O6zpmt1IB00Jc417l2tpnWlnUyxhIzNdLd5xnRztIUmdKG4dj1mRUUf2JMLZiZMTCys2noq1DweOHSyEh+jzSPjz3QMlZNJcwZ3X8EIb9AV0e7nyyliBZ6Qs1OXQLYTo8ada3uNU+aCTQTlymrFDLWX5RinknPzzDGipX/yMLnkVcZSy7UdIUNviJNyzQzoxKg24DpPibTo0v5eGWMgtG7tp8Bk23Ih1TYOlHdMvnoEGTdskWRBWWPsapUiYbu5T7plRfghtcVkEOv4F1OW6058cSohS5TLFK/aqyfSxl/zKGCuZQhhWbYJSObIHvvLoT+lw2Vm4vqrIXBkJ3jLl0BiNy8AtnVWB1kgA/9+xTUFXpS8LUCApdq/52/VluCbXb4y8e7Soa3HCdmrVUVt/vpGkqCIxRmKrKvibUztbwQfBxCZWuf5NFAubxGnPXx2dyo6Edhz+aZ2bs9BS1pEWhsCurW4t8Zg50lZ3jVhJFaht8iLdH3VOYqUmYs0+gk5yzsvBQ426H1Z0EK0TaPxhEbSKtT1pEPcJ5Y+oNCOKIYZFIhgVqX+GcY+xj1GKbvmGKIo3f94HUxmK/Wv8vJb756mzuRqz75qoFjftOG9XpcpAUtuVyFLa4tzCKhekSetmfA84q2PZ4cjOnva8rAkPCd83qMhcBZnXDOcXWlQEcom9C+S26qqM+5e9AQKceBrtWK56iMTGQloylqck+SnwPAQvb5EAdPS5OuzBPjZrogsX0CZihiMiykX9YOLbuI1YeVz5WYFcKQEYc5cIWpM7n0PHyFqyOaNP14tKaiB1Z2SP3xJFek4U0OHxhjPNdPmRDSNy+owAL+d5MR2f71X7CQwVAm1U0PZ/YB6bsTSM3XoIFPUylWR+hPVBCO2wKuTze7wEgIqVa6LhrUbelnRUy9G0QzZ2X9NKj/mDFuvN3RSodxFI2bArCupjtVzLVQgySQkkhReH3Yfjm0bRk0CPCYH6MpeugzolTPOOZL4F8h0wuq5YMSq+Yg1ZRnVWcbyiESJ9DFiNIhTThxbswtMeGAF4feGxYr56sU70gJN21FMfai8A7vHPQrpMkrJCULOeMjqE0Ys9tyzRcryr2MfvxxoQAvCLpyhTzWMPTvaCbKW8eq9b15vblaYb2kR8H7A/E3N7w7IFPLM6ZmNT8d/AIKTxn/theEhwZXghPD/HONBr4wNEdVYKRZx0Ckr6NqgpfvPv87O0ad4OyFXL1G2avCrP+r8wLtfZ4ZvHSqIXIyR8ZHUkfZR+7ePl6nD1YGzUQo8OEd+7MIBGMmGW6MuiF4WQskycp9QncuadzIhUxGcbvQAOyF8YBSga/FfMntT1cAQNAfWASxGeg/ihBFPGmgD4atgN+gaYPilaCs0odJSEF/XXkA9ed3AnA3H0kChvX9s0AZoQ=="
           

参考 pyvmx-cracker 上的readme 可知 文件类型是 vmx

3.3

将格式改一下

.encoding = "UTF-8"
displayName = "Encrypted"
encryption.keySafe = "vmware:key/list/(pair/(phrase/UmBuYyhuIW8%3d/pass2key%3dPBKDF2%2dHMAC%2dSHA%2d1%3acipher%3dAES%2d256%3arounds%3d10000%3asalt%3d0kVDY4OIuvr2WAG%2bo639Lw%253d%253d,,JV9HGrSxPYiDk%2bJYP0KxHqceNnA%2fB0vLXtXVmrUSGINNbFmXRCX5smPN3Ny0hTcjtSGVTOXie5xUK2HdJaj6NxmgyTtc38Xy80co%2f3swAflWoKvMFxRB86AtVqZZ7Sv%2fbUAjCwVUd7uplXhLUfdCk12BMY0%3d))"
encryption.data = "etHKaa2gijMJ4n3hP9NjN9uNnI10E96xhqVa1P30TCTHr8BUkALO6RiD7mJSzlpX7hX1TF23UV7zhXhvip/8tBaAZYBXFYJHcBEnfVWQ23VetQwm5y+l3K29U14Tpz2jQMC920wxA9joTKs67CaiqdGixKZF/TZ7Mvdm5zc60HaB9Yj/OI4KGdJEjVstAu9U6hryfTRC8MIANadKuRy2rwJR9EkMHyPwNTyQwsDgVPwkvE1evA6tB7Q7RmiWDSEJamCEfo/SaSuky4NIaaGaquczBmMkhphQ7zTmL6nhZYjClcCuWsuzCwGrAeVX3UTShJjmIkbq6w4GRuxvpjt8swV+BmgleU6UEQIFlyqFYvk1a2oe314FootRsJiS4XEW6ngkthe5hw053SfN/GP85RS/uIKsCH11vCrD2Ew029fgBq0yy1YeOZQ/QEYlwrKPtd0eRT83dbZJs/XzM+ehZpKVS+nfJdQjGOlROluXnj9VXBrEK/9MT9qyNca4xOpKKkjmmH+vMpqiZHFwjdRl3NUeiy0bh0hj4YeMAo7L0/Uk77A09E9jrNKnkZ2hILX1+yXbGLyvW9OdDhALGj4QaGNdkfPGDYwv7U6CrjoTlCMXDyZY0idFtPwn7NfdAviPjsDWZonDsILX7LjZDrUTkYvoceGKiSQFOUQ3NlI9c3fzaCRfrnxQ6wLncp0WV8HfFF5+FfLt8HgzYCdGx1d8itwGkvwgy/RtSazrAY88OtpInKAhBZgZfdN4paq5FFdWfWQnB5Rjq20FuUzlv5TUfAUkBalO0zJhQl97R6REHoc5kLK9NxWMQJQ5H/B4/pEifTVSxo5QTLt+xsvWlxo7WnVhZGmdvqNgocLn8l4KzcNKxx7wlzMqWtjSYH6ocBk+atbR1dRNEEYH6ii0ZKdOo0ujlXk0HFUCNozR06WMv1zPQqDaHh2wQaqevX/rFEfWE0P0McISpxW0DMeEjsA3j6YLACcE14GadaGAUc7PrOFMPsPujdhAWjv9KvO8/H0rgkPDza0Tu6yUFBVb6tXhri3t2XtlWuuivU/W8sfh/+MUYXddU/1hUqV/qZ3dgxWYlunywMlBeT1TKKtJQTeq5zmILRy0tKvBU2fsQYuElRVpXWXeMsVDLnCvH+Kr+2MR8MfHt1LG+/OOWRmFe2M12zTIX1m4KZHdB1B+fIHBVC2AKD1e2DAMFjDyccCsB1unyDl07LpVpnrC45Iysbj+iwWT/++exiDR1cntMd/4NgzDbJlWlcjCZNvfPsjvyQznqdUdXy00YivLXrQxwyK8D6PStzIsH5kY/P+08G/KzW7EbT3LWFBT72VPYNAAf3EeL2nM40AyUOU5jfVzAC3WZKAzBwb+B7ZB43LfNzNL83E4G/BAh0onWSlFDzf+oS5wFw/qd7TVjjPYdkZ4D6or3fD+lHLlpkMzROlGuJgQeTpF8A89WMWQpkokbxGVWhunbz7t6hMLdQ507mf/uIQu75eczxTDG0rNvkptX1IJUBXYeh34xRmn/RVzLB55WLsbrrcKyQ9xjHrlrUyCsE9jaJh5AvqNbEC6pPsjnnXcb8mzZXwc876QDuwPZsLGJJ+FZwEpQ1TS89Rwt/MoZdDYlGu/J1AXnYf4fB/9EvAH1rzpyH6m1tSqlCdbPt4pfCO3QGydXVyzfNAARh7wD6KIMlYRja9pDj++OxSfLgQgaSW8u+pJ2q09rYJcGxg7HZEJnt35nlMb3wgCsptw+iSMbUdgr++ApX3fQWBkzAvSb4EjH95bNF0U7E8nkc9M9tcalOYb+EPThSdxgi8iFGP0b+DWHrF5BJQm9mzmntraOSNmnpAAORGW3F4XLmcRN+w3Gm2StQvHWF1td1wtIzHSRHoxSwcVR15Z7IPT4Zi/YU45SLO3xbnL2SlUu0/uaj7kHMqpIYyXdAYi+aeGpl5w+mQjb603Z/L/OZvzkn30RE8IrdBqB+bDl+c7opsu9TBssPV4hO+VWOtswMPSvk4TWn0/57HhSAMwFP5K/mDcW4gYEinHS10tkC7+ssHWUDMDzPmN8FH3JS8YxLJ754M5BF0H3fnTCUylvaXq3oLnHJrzbq+sGNZf9KUsefer/Qh5rWTYgJ0cG73KLQ0KFNaMZdbhJ/IYFI9RMKVyS+yKrD08GqvzyOdjjLThx9Tzbj/E/IAJyw1mQzbi5abrst957zSEzNyJXrFHisjteX56o1YAWNVteqYjSD6GuG6b1QBP0hPLElbc8mjNsF0anuy2EETHO5GRqOIiDEwZIQFLYGfDS09aWXXxOLV7Mqoj8VZ+xkRUuxJwhd8hfEeyQsB3U/hhJTXTFKHWOIwZW7fKK46ZNQPVFR0aaYNxJX9l/BHz3QtUV+PSMZkhcUzd7UjpGOyrVFSgz7kDZN2oeCc/LaH+fJEkLhslUvRf4hZNG+O6zpmt1IB00Jc417l2tpnWlnUyxhIzNdLd5xnRztIUmdKG4dj1mRUUf2JMLZiZMTCys2noq1DweOHSyEh+jzSPjz3QMlZNJcwZ3X8EIb9AV0e7nyyliBZ6Qs1OXQLYTo8ada3uNU+aCTQTlymrFDLWX5RinknPzzDGipX/yMLnkVcZSy7UdIUNviJNyzQzoxKg24DpPibTo0v5eGWMgtG7tp8Bk23Ih1TYOlHdMvnoEGTdskWRBWWPsapUiYbu5T7plRfghtcVkEOv4F1OW6058cSohS5TLFK/aqyfSxl/zKGCuZQhhWbYJSObIHvvLoT+lw2Vm4vqrIXBkJ3jLl0BiNy8AtnVWB1kgA/9+xTUFXpS8LUCApdq/52/VluCbXb4y8e7Soa3HCdmrVUVt/vpGkqCIxRmKrKvibUztbwQfBxCZWuf5NFAubxGnPXx2dyo6Edhz+aZ2bs9BS1pEWhsCurW4t8Zg50lZ3jVhJFaht8iLdH3VOYqUmYs0+gk5yzsvBQ426H1Z0EK0TaPxhEbSKtT1pEPcJ5Y+oNCOKIYZFIhgVqX+GcY+xj1GKbvmGKIo3f94HUxmK/Wv8vJb756mzuRqz75qoFjftOG9XpcpAUtuVyFLa4tzCKhekSetmfA84q2PZ4cjOnva8rAkPCd83qMhcBZnXDOcXWlQEcom9C+S26qqM+5e9AQKceBrtWK56iMTGQloylqck+SnwPAQvb5EAdPS5OuzBPjZrogsX0CZihiMiykX9YOLbuI1YeVz5WYFcKQEYc5cIWpM7n0PHyFqyOaNP14tKaiB1Z2SP3xJFek4U0OHxhjPNdPmRDSNy+owAL+d5MR2f71X7CQwVAm1U0PZ/YB6bsTSM3XoIFPUylWR+hPVBCO2wKuTze7wEgIqVa6LhrUbelnRUy9G0QzZ2X9NKj/mDFuvN3RSodxFI2bArCupjtVzLVQgySQkkhReH3Yfjm0bRk0CPCYH6MpeugzolTPOOZL4F8h0wuq5YMSq+Yg1ZRnVWcbyiESJ9DFiNIhTThxbswtMeGAF4feGxYr56sU70gJN21FMfai8A7vHPQrpMkrJCULOeMjqE0Ys9tyzRcryr2MfvxxoQAvCLpyhTzWMPTvaCbKW8eq9b15vblaYb2kR8H7A/E3N7w7IFPLM6ZmNT8d/AIKTxn/theEhwZXghPD/HONBr4wNEdVYKRZx0Ckr6NqgpfvPv87O0ad4OyFXL1G2avCrP+r8wLtfZ4ZvHSqIXIyR8ZHUkfZR+7ePl6nD1YGzUQo8OEd+7MIBGMmGW6MuiF4WQskycp9QncuadzIhUxGcbvQAOyF8YBSga/FfMntT1cAQNAfWASxGeg/ihBFPGmgD4atgN+gaYPilaCs0odJSEF/XXkA9ed3AnA3H0kChvX9s0AZoQ=="
           

python3 pyvmx-cracker.py -v enc.vmx -d 字典.txt
           

把默认字典换了

4.1

泄露的信息 (盲注flag)

QL盲注的流量被base64 编码了，wireshark 过滤出盲注流量

用tshark 过滤出流量到txt中，解base64

tshark -r http.pcapng -T fields -e http.request.uri.query.parameter > data.txt
           

二分法SQL注入流量，最后半小时手动拼接没拼对，还错了两回

赛后拍的别的师傅的正确的flag

4.2

webshell 命令

rot13 解开混淆后，查看混淆字符 ，去掉前后混淆字符后 回显就可以解开了

&hcd2b0e72ddf36=Y2QgL2QgIkM6L2N0ZiImd2hvYW1pJmVjaG8gW1NdJmNkJmVjaG8gW0Vd
=>  cd /d "C:/ctf"&whoami&echo [S]&cd&echo [E]
&w53596b0408df4=Y21k
=> cmd
           

最后三个流对应三个系统命令

config.exe#ipconfig#whoami

5.1

win10 的内存结构有点不太一样 ，线下只有vol2 的我们只能罚座

后面发现取证大师的解析工具可以解析内存，但是无法导出注册表。

用vol3 去查看注册表

python3 vol.py -f mem_sec.vmem windows.registry.printkey --offset 0x8084ac206000 --key "Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" | grep BackupProductKeyDefault
           

2021-09-10 16:29:33.000000      0x8084ac206000inREG_SZ  \SystemRoot\System32\Config\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform   BackupProductKeyDefault "F48BJ-8NX82-MRVY9-PF8BW-HMHY2" False
           

产品密钥为 F48BJ-8NX82-MRVY9-PF8BW-HMHY2

5.2

vol2 打不开 内存镜像

用 Magent AXIOM 跑 ，选了Win10x64 就打开了

匿名邮箱:

https://mail.td/zh

Tip

关注公众号 回复【2021陇剑杯】获取附件

你是否想要加入一个安全团

拥有更好的学习氛围？

那就加入EDI安全，这里门槛不是很高，但师傅们经验丰富，可以带着你一起从基础开始，只要你有持之以恒努力的决心

EDI安全的CTF战队经常参与各大CTF比赛，了解CTF赛事，我们在为打造安全圈好的技术氛围而努力，这里绝对是你学习技术的好地方。这里门槛不是很高，但师傅们经验丰富，可以带着你一起从基础开始，只要你有持之以恒努力的决心，下一个CTF大牛就是你。

欢迎各位大佬小白入驻，大家一起打CTF，一起进步。

我们在挖掘，不让你埋没！

你的加入可以给我们带来新的活力，我们同样也可以赠你无限的发展空间。

有意向的师傅请联系邮箱[email protected]（带上自己的简历，简历内容包括自己的学习方向，学习经历等）