buuoj_misc

[RoarCTF2019]forensic

拿到raw文件拖到kali里，首先看镜像信息、

volatility -f /root/mem.raw imageinfo

 

用建议的profile，Win7SP1x86。先查看下内存中的进程

volatility -f /root/mem.raw pslist --profile=Win7SP1x86

 

有几个进程比较值得关注

TrueCrypt.exe    ---一款磁盘加密工具

notepad.exe      ---windows里的记事本

mspaint.exe      ---windows画图工具

DumpIt.exe       ---内存镜像提取工具

 

用命令查看一下提取内存时的内存数据，发现noetepad和mspaint在内存中都没有数据

volatility -f /root/mem.raw --profile=Win7SP1x86 userassist

 

再扫描文件看看

volatility -f /root/mem.raw --profile=Win7SP1x86 filescan |grep -E 'png|jpg|gif|zip|rar|7z|pdf|txt|doc'

无标题.png是windows画图工具的默认文件名

 

把图片dump下来

volatility -f /root/mem.raw --profile=Win7SP1x86 dumpfiles -Q 0x000000001efb29f8 --dump-dir=/root/111

应该是密码，先收着后面用

1YxfCQ6goYBD6Q

 

再扫描一下桌面文件看看

volatility -f /root/mem.raw --profile=Win7SP1x86 filescan | grep "Desktop"

 

dumpit.exe默认生成的文件是 {hash}.raw，默认保存路径是dumpit.exe所在的路径

LETHALBE3A-20190916-135515.raw是DumpIt.exe生成的文件，dump下来看看

volatility -f /root/mem.raw --profile=Win7SP1x86 dumpfiles -Q 0x000000001fca1130 --dump-dir=/root/111

 

发现没数据，说明取证的时候dumpit.exe还在运行，那就dump一下dumpit.exe的内存镜像看看

volatility -f /root/mem.raw --profile=Win7SP1x86 memdump -p 3380 -D /root/111

 

对dumpit.exe的内存镜像进行分析

foremost 3380.dmp

分离出包含flag.txt的加密压缩包文件，密码是图片内容1YxfCQ6goYBD6Q

flag.txt内容为RoarCTF{wm_D0uB1e_TC-cRypt}

 

[*CTF2019]babyflash

用JPEXS反编译flash.swf得到441张黑白图片和1个mp3文件

软件下载地址：https://github.com/jindrapetrik/jpexs-decompiler/releases

右键导出图片

图片很规律，张数刚好是441=21*21，按照图片顺序，黑为1白为0，拼凑出0-1序列

图像处理脚本——识别1和0：

from PIL import Image
def aaa(s):
    image = Image.open("frames/"+str(i)+".png")
    a,b,c,d = image.getpixel((50,50))
    return a
s=''
for i in range(1,442):
    if aaa(i)==0:
        s+='1'
    else:
        s+='0'
print (s)

输出：

111111100110001111111100000100111001000001101110101011001011101101110100100101011101101110100101101011101100000100110001000001111111101010101111111000000001010100000000111011111011111000100110110011011101111011101101111001101111011010010001100000000011111010100000100011000000000001011100110011111111101011100110101100000101101000100010101110101011011000001101110100101101110000101110101101110110001100000101011100010010111111101101100001011

尝试一下拼一起

图片处理脚本——拼接图片：

from PIL import Image

length = 21
img = Image.new('RGB', (length*5, length*5))
#黑点为1白点为0
data = "111111100110001111111100000100111001000001101110101011001011101101110100100101011101101110100101101011101100000100110001000001111111101010101111111000000001010100000000111011111011111000100110110011011101111011101101111001101111011010010001100000000011111010100000100011000000000001011100110011111111101011100110101100000101101000100010101110101011011000001101110100101101110000101110101101110110001100000101011100010010111111101101100001011"

for x in range(length):
    for y in range(length):
        if data[x*length+y] == '1':
            for xx in range(x*5, x*5+5):
                for yy in range(y*5, y*5+5):
                    img.putpixel([xx, yy], (0,0,0))
        else:
            for xx in range(x*5, x*5+5):
                for yy in range(y*5, y*5+5):
                    img.putpixel([xx, yy], (255,255,255))
img.save('out.png')

输出：

 

 

得到前半个flag

*ctf{half_flag_&

再导出mp3文件，这个是常见套路频谱隐写，得到后半段flag

&_the_rest}

 

参考：https://zhuanlan.zhihu.com/p/64252028