2020湖湘杯MISC全解-writeup-有解無憂

MISC1

匯出index-demo.html，查看代碼發現隱藏了一長串base64

使用base64隱寫進行解密

key:"lorrie"

得到key說明可能存在某種隱寫，是snow隱寫，但用網頁版的snow隱寫解出來是一串亂碼，于是嘗試使用本地版的SNOW.EXE

SNOW.EXE -p lorrie index-demo.html

flag{→_→←_←←_←←_←←_← →_→→_→←_←←_←←_← →_→←_←←_←←_← ←_←←_←←_←→_→→_→ ←_←←_←←_←→_→→_→ ←_← ←_←←_←←_←→_→→_→ →_→→_→→_→→_→←_← →_→←_←←_←←_← ←_←←_←←_←←_←←_← ←_←→_→→_→→_→→_→ →_→→_→→_→→_→→_→ ←_←←_←←_←←_←←_← ←_←←_←→_→←_← →_→←_←←_ ←←_← ←_←←_←←_←←_←→_→ ←_←→_→ ←_←←_←→_→→_→→_→ →_→→_→→_→→_→←_← ←_←←_←←_←←_ ←←_← ←_←←_←←_←→_→→_→ ←_←→_→ →_→→_→→_→→_→→_→ →_→←_←→_→←_← ←_← →_→→_→←_←←_←←_← →_→→_→→_→→_→←_← →_→←_←→_→←_← ←_←←_←←_←→_→→_→ ←_←←_←←_←→_→→_→ →_→→_ →←_←←_←←_← →_→→_→→_→←_←←_←}

把→_→和→_ →替換成-，把 ←_←和 ←_ ←替換成.，然后摩斯解密，得到

67b33e39b5105fb4a2953a0ce79c3378

MISC2 -passwd

記憶體取證

volatility2.6.exe -f WIN-BU6IJ7FI9RU-20190927-152050.raw imageinfo

Win7SP1x86_23418, Win7SP0x86, Win7SP1x86

volatility2.6.exe -f WIN-BU6IJ7FI9RU-20190927-152050.raw --profile=Win7SP1x86_23418 hashdump

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

CTF:1000:aad3b435b51404eeaad3b435b51404ee:0a640404b5c386ab12092587fe19cd02:::

db25f2fc14cd2d2b1e7af307241f548fb03c312a

MISC3-虛實之間

binwalk提取出一個明文和一個加密的壓縮包

修復加密壓縮包

使用AZPR4.0進行明文攻擊

123%asd!O

解壓得到：

僅需5，跳過去

ffd5e341le25b2dcab15cbb}gc3bc5b{789b51

柵欄解密：

https://www.qqxiuzi.cn/bianma/zhalanmima.php

flag{febc7d2138555b9ebccb32b554dbb11c}

MISC4 隱藏的秘密

volatility2.6.exe -f 隱藏的秘密.vmem imageinfo

//Win2003SP0x86, Win2003SP1x86, Win2003SP2x86

volatility2.6.exe -f 隱藏的秘密.vmem --profile=Win2003SP0x86 filescan

windows下檔案掃描出錯，換成kali下，也不行，把版本換成Win2003SP1x86