2024数据安全产业人才积分争夺赛|Writeup

更新一下大家比较关心的题目🤤

重要的System32

给了整个Windows的System32的目录,大概率就是审计事件日志、注册表。翻了一坤年注册表,最后看到打印机存在一个flag相关的记录。

/重要的System32/System32/winevt/Logs/Microsoft-Windows-PrintService%4Operational.evtx


可以看到打印了一个flag的PDF文件,得到部分-834f-f797
再找一下这个文件存在哪,搜索得知wbem目录下存放着相关配置和信息。又翻了一坤年文件,在OBJECTS.DATA文件中看到了flag信息。

/重要的System32/System32/wbem/Repository/OBJECTS.DATA


拿到了一部分F1@43_is_{ef63fcbc-3467
接下来继续翻啊翻🤮
最终在注册表中找到一段信息,包含flag和Pwd

/重要的System32/System32/config/RegBack/HKEY_CURRENT_USER.reg


现在需要解密如下信息:

"QuerySavePath"="C:\\Users\\Administrator\\Documents\\Navicat\\MySQL\\Servers\\f1a4_3"
"Pwd"="FB916DAFA4CE92143350DCF66AE9"

目录中可以看到是Navicat连接MySQL的信息,所以搜一下相关的加密算法,最终找到一个合适的项目。

#!/usr/bin/env python3
import sys
from Crypto.Hash import SHA1
from Crypto.Cipher import AES, Blowfish
from Crypto.Util import strxor, Padding

class Navicat11Crypto:

    def __init__(self, Key = b'3DC5CA39'):
        self._Key = SHA1.new(Key).digest()
        self._Cipher = Blowfish.new(self._Key, Blowfish.MODE_ECB)
        self._IV = self._Cipher.encrypt(b'\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF')

    def EncryptString(self, s : str):
        if type(s) != str:
            raise TypeError('Parameter s must be a str.')
        else:
            plaintext = s.encode('ascii')
            ciphertext = b''
            cv = self._IV
            full_round, left_length = divmod(len(plaintext), 8)

            for i in range(0, full_round * 8, 8):
                t = strxor.strxor(plaintext[i:i + 8], cv)
                t = self._Cipher.encrypt(t)
                cv = strxor.strxor(cv, t)
                ciphertext += t
            
            if left_length != 0:
                cv = self._Cipher.encrypt(cv)
                ciphertext += strxor.strxor(plaintext[8 * full_round:], cv[:left_length])

            return ciphertext.hex().upper()

    def DecryptString(self, s : str):
        if type(s) != str:
            raise TypeError('Parameter s must be str.')
        else:
            plaintext = b''
            ciphertext = bytes.fromhex(s)
            cv = self._IV
            full_round, left_length = divmod(len(ciphertext), 8)

            for i in range(0, full_round * 8, 8):
                t = self._Cipher.decrypt(ciphertext[i:i + 8])
                t = strxor.strxor(t, cv)
                plaintext += t
                cv = strxor.strxor(cv, ciphertext[i:i + 8])
            
            if left_length != 0:
                cv = self._Cipher.encrypt(cv)
                plaintext += strxor.strxor(ciphertext[8 * full_round:], cv[:left_length])
            
            return plaintext.decode('ascii')

class Navicat12Crypto(Navicat11Crypto):

    def __init__(self):
        super().__init__()

    def EncryptStringForNCX(self, s : str):
        cipher = AES.new(b'libcckeylibcckey', AES.MODE_CBC, iv = b'libcciv libcciv ')
        padded_plaintext = Padding.pad(s.encode('ascii'), AES.block_size, style = 'pkcs7')
        return cipher.encrypt(padded_plaintext).hex().upper()

    def DecryptStringForNCX(self, s : str):
        cipher = AES.new(b'libcckeylibcckey', AES.MODE_CBC, iv = b'libcciv libcciv ')
        padded_plaintext = cipher.decrypt(bytes.fromhex(s))
        return Padding.unpad(padded_plaintext, AES.block_size, style = 'pkcs7').decode('ascii')

if __name__ == '__main__':

    def Help():
        print('Usage:')
        print('    NavicatCrypto.py <enc|dec> [-ncx] <plaintext|ciphertext>')
        print('')
        print('        <enc|dec>                "enc" for encryption, "dec" for decryption.')
        print('                                 This parameter must be specified.')
        print('')
        print('        [-ncx]                   Indicate that plaintext/ciphertext is')
        print('                                 prepared for/exported from NCX file.')
        print('                                 This parameter is optional.')
        print('')
        print('        <plaintext|ciphertext>   Plaintext string or ciphertext string.')
        print('                                 NOTICE: Ciphertext string must be a hex string.')
        print('                                 This parameter must be specified.')
        print('')

    def Main(argc : int, argv : list):
        if argc == 3:
            if argv[1].lower() == 'enc':
                print(Navicat11Crypto().EncryptString(argv[2]))
            elif argv[1].lower() == 'dec':
                print(Navicat11Crypto().DecryptString(argv[2]))
            else:
                Help()
                return -1
        elif argc == 4:
            if argv[1].lower() == 'enc' and argv[2].lower() == '-ncx':
                print(Navicat12Crypto().EncryptStringForNCX(argv[3]))
            elif argv[1].lower() == 'dec' and argv[2].lower() == '-ncx':
                print(Navicat12Crypto().DecryptStringForNCX(argv[3]))
            else:
                Help()
                return -1
        else:
            Help()
        
        return 0

    exit(Main(len(sys.argv), sys.argv))


得到的结果是-185817e5f846}
所以这道题完整的flag是flag{ef63fcbc-3467-834f-f797-185817e5f846}

Strangesystem

Wireshark打开之后可以看到传了一张png

把这张图片导出来之后在末尾处可以看到有一个压缩包和TLS握手的信息

SERVER_HANDSHAKE_TRAFFIC_SECRET e8ef73b91b4c9d6e37113bcc88465a7f61badb5fd87177ca51c24ceab944b34a 82ec3ebf3131b2442d165bb00dd6b8d1a6b4c866daf3fd373c22d33886290ed2868a7395e691980b990de46b76a54f9e
CLIENT_HANDSHAKE_TRAFFIC_SECRET e8ef73b91b4c9d6e37113bcc88465a7f61badb5fd87177ca51c24ceab944b34a 10965df426257a285c6e812ed54468c59437e77bceff2c3a6d633dacefadf8188e97c4935df6815e5398b24273addc79
SERVER_TRAFFIC_SECRET_0 e8ef73b91b4c9d6e37113bcc88465a7f61badb5fd87177ca51c24ceab944b34a cdbf7c7a161af7aa829b14becaa2c000b8183000983e06589fef0c50e9462cf71aeb487e1cb1defaef06a941234ea7a2
CLIENT_TRAFFIC_SECRET_0 e8ef73b91b4c9d6e37113bcc88465a7f61badb5fd87177ca51c24ceab944b34a e58e4088a7840d3991ac2336c581d2a35edbebfd14420a29c287444c3631dc98038b71f1d153cd37ba46164145a028fd

将这些信息保存为文件导入Wireshark:

之后就可以看到明文信息了,直接追踪QUIC数据流。

可以得到username=admin&password=QUICAUTH-CCC123!@#和一个html页面

<html>
    <head>
        <meta charset="utf-8"/>
        <title>quic-AUTH</title>
        <link rel="stylesheet" href="/style.css"/>
    </head>
    <body>
        <h1>Secret</h1>

        <p>
            Congratulations, you loaded this page using HTTP/3!
	    Your files have been encrypted and saved,Enjoy it!
	    Pass is :
	    admin::SecretServer:d158262017948de9:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:010100000000000058b2da67cbe0d001c575cfa48d38bec50000000002001600450047004900540049004d002d00500043003100340001001600450047004900540049004d002d00500043003100340004001600650067006900740069006d002d00500043003100340003001600650067006900740069006d002d0050004300310034000700080058b2da67cbe0d0010600040002000000080030003000000000000000000000000030000065d85a4000a167cdbbf6eff657941f52bc9ee2745e11f10c61bb24db541165800a001000000000000000000000000000000000000900240063006900660073002f003100390032002e003100360038002e0031002e00310030003700000000000000000000000000
        </p>

    </body>
</html>

可以看到存在xxxx部分,我们先来了解一下NTLMv2的生成过程:

所以接下来,可以根据整个过程来计算未知的部分。

# -*- coding: utf-8 -*-
# @Author  : 1cePeak

import hashlib
import hmac

_ntlm = hashlib.new("md4", "QUICAUTH-CCC123!@#".encode("utf-16-le")).digest()
ntlm = _ntlm.hex()

print("NTLM:", ntlm)

user_domain_name = 'ADMINSECRETSERVER'.encode("utf-16-le")

firstHMAC = hmac.new(bytes.fromhex(ntlm), user_domain_name, hashlib.md5).hexdigest()

print("First HMAC:", firstHMAC)

ntlm_secret = "d158262017948de9010100000000000058b2da67cbe0d001c575cfa48d38bec50000000002001600450047004900540049004d002d00500043003100340001001600450047004900540049004d002d00500043003100340004001600650067006900740069006d002d00500043003100340003001600650067006900740069006d002d0050004300310034000700080058b2da67cbe0d0010600040002000000080030003000000000000000000000000030000065d85a4000a167cdbbf6eff657941f52bc9ee2745e11f10c61bb24db541165800a001000000000000000000000000000000000000900240063006900660073002f003100390032002e003100360038002e0031002e00310030003700000000000000000000000000"

Bytes_ntlm_secret = bytes.fromhex(ntlm_secret)

ntlmv2 = hmac.new(bytes.fromhex(firstHMAC), Bytes_ntlm_secret, hashlib.md5).hexdigest()

print("NTLMv2 hash:", ntlmv2)

得到的NTLMv2 hash是efa243f442b9d683eb1b00a2b1a0c9fc,用这个来解密压缩包就可以拿到flag{8af4d019-98ae-4b4f-a4e9-97076d205fd2}了。
完结,撒花🎉🎉🎉