AntCTF x D^3CTF 2023|Misc Writeup




根据hint的提示locate flag




  • 时间
  • 空间


# -*- coding: UTF-8 -*-
from PIL import Image

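def readImageValue():
    """Dump every pixel of ./gif/flag-0.png … ./gif/flag-1088.png to stdout.

    For each extracted GIF frame the frame path is printed, then for every
    pixel its ``(x,y)`` coordinate followed by the RGB triple on its own
    line.  This is a quick inspection helper; nothing is returned.

    Fixes versus the pasted listing: ``Image.open(`` had been lost from the
    open call (a syntax error), the inner loop re-used ``j`` and shadowed the
    frame index, ``convert("RGB")`` was redone for every single pixel, and
    the tail that actually emitted the pixel value was missing — the
    ``(r, g, b)`` rows shown below this function are that output.
    """
    for frame in range(0, 1089):
        path = "./gif/flag-{}.png".format(frame)
        print(path, end=' ')
        img = Image.open(path)
        rgb = img.convert("RGB")  # convert once per frame, not once per pixel
        width, height = img.size
        for x in range(width):
            for y in range(height):
                print('(' + str(x) + ',' + str(y) + ')', end=' ')
                pixel = rgb.getpixel((x, y))  # (r, g, b) of this pixel
                print(pixel)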

(r, g, b)
(1, 18, 0)
(0, 19, 0)
(29, 26, 0)
(3, 31, 0)
(9, 1, 0)
(1, 30, 0)
(18, 10, 0)
(10, 19, 0)
(12, 22, 1)
(29, 2, 1)
(20, 25, 1)
(9, 6, 0)
(18, 8, 1)
(18, 23, 0)
(15, 16, 0)
(32, 29, 1)
(24, 8, 0)
(10, 7, 0)
(6, 17, 0)
(17, 25, 0)
(18, 6, 1)
(20, 28, 1)
(19, 29, 0)
(7, 19, 1)
(31, 31, 0)
(24, 25, 1)
(4, 9, 1)
(25, 1, 0)


# -*- coding: UTF-8 -*-

from PIL import Image
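img = Image.open('(x,y,bin).gif')
rgb = []

# The GIF has 1089 (= 33 * 33) frames; the pixel at (0, 0) of each frame
# encodes one (x, y, bit) triple, as in the (r, g, b) dump above.
# NOTE(review): the pasted listing had lost the frame seek and the append —
# without them the loop read the same pixel 1089 times and `rgb` stayed
# empty, so `Image.open(` / `Image.new(` / `.save(` are restored here too.
for frame in range(1089):
    img.seek(frame)
    rgb.append(img.convert("RGB").getpixel((0, 0)))

flag = Image.new('RGB', (33, 33))

# Paint bit 1 as white and bit 0 as black at (x, y).
for x, y, bit in rgb:
    flag.putpixel((x, y), (bit * 255, bit * 255, bit * 255))
flag.save('result.png')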






  -h, --help            list all available options and their default values.
                        Default values may be set in the configuration file
                        User based configuration file
  -d, --debug           Debug volatility
  --plugins=PLUGINS     Additional plugin directories to use (colon separated)
  --info                Print information about all registered objects
                        Directory where cache files are stored
  --cache               Use caching
  --tz=TZ               Sets the (Olson) timezone for displaying timestamps
                        using pytz (if installed) or tzset
  -f FILENAME, --filename=FILENAME
                        Filename to use when opening an image
                        Name of the profile to load (use --info to see a list
                        of supported profiles)
  -l file:///Users/yunoon/Downloads/d3image-attachment/out.mem, --location=file:///Users/yunoon/Downloads/d3image-attachment/out.mem
                        A URN location from which to load an address space
  -w, --write           Enable write support
  --dtb=DTB             DTB Address
  --shift=SHIFT         Mac KASLR shift address
  --output=text         Output in this format (support is module specific, see
                        the Module Output Options below)
                        Write output in this file
  -v, --verbose         Verbose information
                        Linux kernel physical shift address
                        Linux kernel virtual shift address
  -g KDBG, --kdbg=KDBG  Specify a KDBG virtual address (Note: for 64-bit
                        Windows 8 and above this is the address of
  --force               Force utilization of suspect profile
  --cookie=COOKIE       Specify the address of nt!ObHeaderCookie (valid for
                        Windows 10 only)
  -k KPCR, --kpcr=KPCR  Specify a specific KPCR address

	Supported Plugin Commands:

		imagecopy      	Copies a physical address space out as a raw DD image
		limeinfo       	Dump Lime file format information
		linux_apihooks 	Checks for userland apihooks
		linux_arp      	Print the ARP table
		linux_aslr_shift	Automatically detect the Linux ASLR shift
		linux_banner   	Prints the Linux banner information
		linux_bash     	Recover bash history from bash process memory
		linux_bash_env 	Recover a process' dynamic environment variables
		linux_bash_hash	Recover bash hash table from bash process memory
		linux_check_afinfo	Verifies the operation function pointers of network protocols
		linux_check_creds	Checks if any processes are sharing credential structures
		linux_check_fop	Check file operation structures for rootkit modifications
		linux_check_idt	Checks if the IDT has been altered
		linux_check_inline_kernel	Check for inline kernel hooks
		linux_check_modules	Compares module list to sysfs info, if available
		linux_check_syscall	Checks if the system call table has been altered
		linux_check_tty	Checks tty devices for hooks
		linux_cpuinfo  	Prints info about each active processor
		linux_dentry_cache	Gather files from the dentry cache
		linux_dmesg    	Gather dmesg buffer
		linux_dump_map 	Writes selected memory mappings to disk
		linux_dynamic_env	Recover a process' dynamic environment variables
		linux_elfs     	Find ELF binaries in process mappings
		linux_enumerate_files	Lists files referenced by the filesystem cache
		linux_find_file	Lists and recovers files from memory
		linux_getcwd   	Lists current working directory of each process
		linux_hidden_modules	Carves memory to find hidden kernel modules
		linux_ifconfig 	Gathers active interfaces
		linux_info_regs	It's like 'info registers' in GDB. It prints out all the
		linux_iomem    	Provides output similar to /proc/iomem
		linux_kernel_opened_files	Lists files that are opened from within the kernel
		linux_keyboard_notifiers	Parses the keyboard notifier call chain
		linux_ldrmodules	Compares the output of proc maps with the list of libraries from libdl
		linux_library_list	Lists libraries loaded into a process
		linux_librarydump	Dumps shared libraries in process memory to disk
		linux_list_raw 	List applications with promiscuous sockets
		linux_lsmod    	Gather loaded kernel modules
		linux_lsof     	Lists file descriptors and their path
		linux_malfind  	Looks for suspicious process mappings
		linux_memmap   	Dumps the memory map for linux tasks
		linux_moddump  	Extract loaded kernel modules
		linux_mount    	Gather mounted fs/devices
		linux_mount_cache	Gather mounted fs/devices from kmem_cache
		linux_netfilter	Lists Netfilter hooks
		linux_netscan  	Carves for network connection structures
		linux_netstat  	Lists open sockets
		linux_pidhashtable	Enumerates processes through the PID hash table
		linux_pkt_queues	Writes per-process packet queues out to disk
		linux_plthook  	Scan ELF binaries' PLT for hooks to non-NEEDED images
		linux_proc_maps	Gathers process memory maps
		linux_proc_maps_rb	Gathers process maps for linux through the mappings red-black tree
		linux_procdump 	Dumps a process's executable image to disk
		linux_process_hollow	Checks for signs of process hollowing
		linux_psaux    	Gathers processes along with full command line and start time
		linux_psenv    	Gathers processes along with their static environment variables
		linux_pslist   	Gather active tasks by walking the task_struct->task list
		linux_pslist_cache	Gather tasks from the kmem_cache
		linux_psscan   	Scan physical memory for processes
		linux_pstree   	Shows the parent/child relationship between processes
		linux_psxview  	Find hidden processes with various process listings
		linux_recover_filesystem	Recovers the entire cached file system from memory
		linux_route_cache	Recovers the routing cache from memory
		linux_sk_buff_cache	Recovers packets from the sk_buff kmem_cache
		linux_slabinfo 	Mimics /proc/slabinfo on a running machine
		linux_strings  	Match physical offsets to virtual addresses (may take a while, VERY verbose)
		linux_threads  	Prints threads of processes
		linux_tmpfs    	Recovers tmpfs filesystems from memory
		linux_truecrypt_passphrase	Recovers cached Truecrypt passphrases
		linux_vma_cache	Gather VMAs from the vm_area_struct cache
		linux_volshell 	Shell in the memory image
		linux_yarascan 	A shell in the Linux memory image
		mbrparser      	Scans for and parses potential Master Boot Records (MBRs)
		patcher        	Patches memory based on page scans
		raw2dmp        	Converts a physical memory sample to a windbg crash dump
		vmwareinfo     	Dump VMware VMSS/VMSN information


# linux_bash recovers bash history from the memory of bash processes (see the
# plugin list above); the --profile must match the kernel of the dumped host.
volatility -f out.mem --profile=LinuxUbuntu16x64 linux_bash

可以看到一条nohup proxychains firefox &的命令。

ProxyChains 是 Linux 及其他 Unix 系统下的代理工具。它可以强制任意程序通过代理上网，允许 TCP 连接和 DNS 请求经由代理隧道转发，支持 HTTP、SOCKS4 和 SOCKS5 类型的代理服务器，并且可以配置多个代理组成代理链。ProxyChains 会按照用户定义的代理列表强制被指定的应用程序经代理建立连接，使得发送方与接收方之间不存在直接连接。


volatility -f out.mem --profile=LinuxUbuntu16x64 linux_enumerate_files | grep 'proxychains.conf'
Volatility Foundation Volatility Framework 2.6.1
0xffff9978bb96ebf0                    147170 /etc/proxychains.conf


# -i takes the inode address that linux_enumerate_files printed for
# /etc/proxychains.conf above; -O writes the recovered file content to disk.
volatility -f out.mem --profile=LinuxUbuntu16x64 linux_find_file -i 0xffff9978bb96ebf0 -O proxychains.conf


# add proxy here ...
# meanwile
# defaults set to "tor"
socks5 51234 Gigantic_Splight Tearalaments_Kitkalos

`socks5 ip port Gigantic_Splight Tearalaments_Kitkalos`（proxychains.conf 中代理行的格式为 `type host port [user pass]`），其中 ip/port 即为题目提供的 ip/port。注意 SOCKS5 的用户名和口令是以明文写在配置文件里的，所以才能像这样直接从内存镜像中恢复出来。



strings out.mem | grep

到目前为止,猜测可以看看dst ip和返回包的状态,然后有一个ip是可以访问拿到token的。折腾了一晚上发现没有什么用,倒是第一次见证了北京从黑夜到清晨的全貌。

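# Keep only ICMP echo replies (type 0).  Code 0 means the probe was answered;
# the code==3 replies are this capture's "unreachable" marker (a standard
# echo reply always carries code 0, so that clause is challenge-specific).
# awk emits "<dst> <bit>" with bit 0 for code 0 and 1 otherwise, then the
# lines are sorted by destination address.
# Fix: the original `sort -k 1,1n` parsed the dotted quad as one decimal
# number (192.168.1.1 -> 192.168), so the rows were not in address order;
# sorting octet by octet restores it.
tshark -r magic.pcap -Y "(icmp.code == 0 or icmp.code == 3) and icmp.type == 0" -T fields -e ip.dst -e icmp.code \
  | awk '{if ($2 == "0") {print $1" 0"} else {print $1" 1"}}' \
  | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n > output.txt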


import struct

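# Read the whole capture into memory; the pasted listing had lost the
# `f.read()` (a syntax error) and never closed the file.
with open("magic.pcap", "rb") as f:
    data = f.read()

# One byte per probed destination, indexed by the low 24 bits of the
# destination IP (see `dst & 0x00FFFFFF` in the main loop).  Each slot is
# left 0x00 until a packet for that destination is seen, then holds the
# ASCII marker ('0', '1', …) written by the procees* functions.  The fixed
# size bounds the index, so an out-of-range destination raises IndexError
# instead of silently corrupting another slot.
D = bytearray(5038056)
data_len = len(data)
# NOTE(review): the main loop walks 44-byte records from here.  A pcap file
# starts with a 24-byte global header, which 44-byte steps from 0 never
# skip cleanly — presumably the header was stripped from magic.pcap
# beforehand; confirm before reusing this on a fresh capture.
offset = 0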

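def procees1(num, status):
    """Variant 1: advance the marker of destination slot ``num`` one step per packet.

    ``status`` is the 32-bit word holding the ICMP type (bits 31..24) and
    code (bits 23..16).  The slot walks 0x00 -> '0' -> '1' -> 'A': the first
    packet seen for a destination sets '0'; a later packet whose code has
    neither of its two low bits set (i.e. not code 3) moves it to '1'; any
    further packet after that marks it 'A'.  Mutates the module-level ``D``.

    The unused ``realstatus`` local of the original was dropped.
    """
    code_low_bits = status & 0x00030000  # non-zero for ICMP code 1, 2 or 3
    current = D[num]
    if current == 0:
        D[num] = 0x30
    elif current == 0x30:
        if not code_low_bits:
            D[num] = 0x31
    elif current == 0x31:
        D[num] = 0x41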
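def procees4(num, status):
    """Variant 4: request/reply state machine for destination slot ``num``.

    This is the variant that matches the "0800 request / 0003 unreachable /
    0000 reachable" notes in the main loop: an echo request (type 8, code 0)
    opens the slot with '0'; a code-0 echo reply then turns it into '1'; a
    code-3 reply leaves it at '0'.  Slots not in the expected state are left
    untouched.  Mutates the module-level ``D``.

    The original's third branch rewrote 0x30 over 0x30 (a no-op) and its
    ``unreachable`` local was unused; both are dropped.
    """
    type_code = (status & 0xFFFF0000) >> 16  # ICMP type << 8 | code
    current = D[num]
    if type_code == 0x0800 and current == 0:
        D[num] = 0x30
    elif type_code == 0x0000 and current == 0x30:
        D[num] = 0x31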

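def procees2(num, status):
    """Variant 2: overwrite destination slot ``num`` from the packet alone.

    History is ignored: an echo request (0x0800) or a code-0 reply (0x0000)
    writes '0', a code-3 reply (0x0003) writes '1', and any other type/code
    leaves the slot unchanged.  Mutates the module-level ``D``.

    The unused ``unreachable`` local of the original was dropped.
    """
    type_code = (status & 0xFFFF0000) >> 16  # ICMP type << 8 | code
    marker = {0x0800: 0x30, 0x0003: 0x31, 0x0000: 0x30}.get(type_code)
    if marker is not None:
        D[num] = marker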

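def procees3(num, status):
    """Variant 3: like variant 2 but with '1' as the default for unseen slots.

    A code-0 reply (0x0000) always writes '1' and a code-3 reply (0x0003)
    always writes '0'.  For any other packet an untouched (0x00) slot first
    becomes '1', and an echo request (0x0800) then turns a '1' slot into '0'.
    Mutates the module-level ``D``.

    Written with early returns; the final slot value is the same as the
    original's sequence of four independent ``if`` statements.  The unused
    ``unreachable`` local was dropped.
    """
    type_code = (status & 0xFFFF0000) >> 16  # ICMP type << 8 | code
    if type_code == 0x0000:
        D[num] = 0x31
        return
    if type_code == 0x0003:
        D[num] = 0x30
        return
    if D[num] == 0:
        D[num] = 0x31
    if type_code == 0x0800 and D[num] == 0x31:
        D[num] = 0x30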

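# Each record is read as eleven big-endian 32-bit words (44 bytes).  The
# field offsets used below are consistent with a 16-byte pcap record header
# followed by a 20-byte IPv4 header and an 8-byte ICMP header (raw-IP link
# type, no payload):
#   R[8] = IPv4 destination address
#   R[9] = ICMP type (bits 31..24) | code (bits 23..16) | checksum
# NOTE(review): this layout is inferred from the offsets, not from the
# capture itself — confirm against magic.pcap before trusting it elsewhere.
RECORD_LEN = 44
# `offset + RECORD_LEN <= data_len` stops cleanly on a trailing partial
# record instead of raising struct.error.
while offset + RECORD_LEN <= data_len:
    R = struct.unpack_from(">IIIIIIIIIII", data, offset)
    offset += RECORD_LEN
    dst = R[8]
    status = R[9]
    # status >> 16: 0x0800 echo request, 0x0000 reply (reachable),
    #               0x0003 reply with code 3 (this challenge's "unreachable")
    num = dst & 0x00FFFFFF
    # NOTE(review): the pasted listing had lost the call that updates D.
    # procees4 is the variant matching the request/reachable/unreachable
    # notes above; procees1/2/3 are alternative mappings the author tried.
    procees4(num, status)

# Destinations never seen in the capture default to '0'.
for i in range(len(D)):
    if D[i] == 0:
        D[i] = 0x30

# The original opened "Q9" but never wrote to it; write the marker bytes out.
with open("Q9", "wb") as out:
    out.write(D)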










L 🐻
LT 🍆
R 🍉
RT 🥔
Y 🥺