2024 强网杯初赛 Misc方向 部分WriteUp
C3ngH Lv3

givemesecret

image

Master Of OSINT

图1:看上去像是西北方,应该在内蒙新疆青海一带,最远处有一篇湖,百度地图一个个找过去最终在找到地点:

青海省海南藏族自治州共和县倒湖茶公路

image

图2:根据图片最右侧的建筑,有一个明显的百安居,根据这个建筑入手找到上海浦东新区 百安居(龙阳店)

image

图4:根据图中卡车所属公司浙通物流,位于杭州萧山,加上我经常去杭州感觉这个隔音栏就像杭州绕城高速 优美爱有限公司附近

image

图5:根据建筑立体和蓝白色围栏初步判定在重庆 重庆市九龙坡区谢家湾立交桥

image

图6:根据建筑密度和风格判定在东南方大城市,远处有一个类似H形的建筑 南京聚宝楼招待所 附近

image

图7:初步判定大城市,有河,远处有一栋特征明显建筑 湖南省长沙市岳麓区五一大道橘子洲大桥

image

图8:应该是海,但是颜色不蓝,可能是入海口的地方,有风车 上海市崇明区G40(沪陕高速)

image

图9:根据吊桥顶部形状,根据谷歌识图找到这篇文章https://www.gov.cn/jrzg/2009-12/26/content_1497241.htm 确定位置:湖北省武汉市青山区武汉天兴洲长江大桥

image

图10:根据立交桥一行字中铁三局集团解说促进浙江经济发展,识图找到新塘高铁公园

image

image

谍影重重5.0

在协议分级中可以初步判断一下流量的种类

image

可以看到有很多加密后的SMB3流量,可以根据这篇博客SMB流量分析了解SMB流量协议的组成,在Frame 122中找到NTLM的Hash,也找到很多RDP流量

image

根据这篇文章:

https://malwarelab.eu/posts/tryhackme-smb-decryption/#smb-traffic-decryption-with-the-password

使用tshark导出

1
tshark -n -r 谍影重重5.0.pcapng -Y 'ntlmssp.messagetype == 0x00000003' -T fields -e ntlmssp.auth.username -e ntlmssp.auth.domain -e ntlmssp.ntlmv2_response.ntproofstr -e ntlmssp.auth.sesskey -e smb2.sesid

image

手动修改为hashcat支持的格式tom::.:c1dec53240124487:ca32f9b5b48c04ccfa96f35213d63d75:010100000000000040d0731fb92adb01221434d6e24970170000000002001e004400450053004b0054004f0050002d004a0030004500450039004d00520001001e004400450053004b0054004f0050002d004a0030004500450039004d00520004001e004400450053004b0054004f0050002d004a0030004500450039004d00520003001e004400450053004b0054004f0050002d004a0030004500450039004d0052000700080040d0731fb92adb0106000400020000000800300030000000000000000100000000200000bd69d88e01f6425e6c1d7f796d55f11bd4bdcb27c845c6ebfac35b8a3acc42c20a001000000000000000000000000000000000000900260063006900660073002f003100370032002e00310036002e003100300035002e003100320039000000000000000000

写入hash.txt

1
echo -n "tom::.:c1dec53240124487:ca32f9b5b48c04ccfa96f35213d63d75:010100000000000040d0731fb92adb01221434d6e24970170000000002001e004400450053004b0054004f0050002d004a0030004500450039004d00520001001e004400450053004b0054004f0050002d004a0030004500450039004d00520004001e004400450053004b0054004f0050002d004a0030004500450039004d00520003001e004400450053004b0054004f0050002d004a0030004500450039004d0052000700080040d0731fb92adb0106000400020000000800300030000000000000000100000000200000bd69d88e01f6425e6c1d7f796d55f11bd4bdcb27c845c6ebfac35b8a3acc42c20a001000000000000000000000000000000000000900260063006900660073002f003100370032002e00310036002e003100300035002e003100320039000000000000000000" > hash.txt

然后使用hashcat进行爆破

1
hashcat -m 5600 hash.txt rockyou.txt --show

image

获得密码babygirl233,在Wireshark中,编辑 -> 首选项 -> Protocols -> NTLMSSP输入password,即可解密SMB3的加密流量

image

导出SMB对象可以获得一个flag.7z文件和证书文件image

这个是本地RDP证书,需要将证书进行解密

https://github.com/GoSecure/pyrdp/tree/main/docs
https://www.haxor.no/en/article/analyzing-captured-rdp-sessions

猜测证书是使用猕猴桃导出的(猕猴桃导出的默认密码是mimikatz)使用该密码解密TLS成功,解密后进行PDU导出,过滤器选择OSI Layer 7,导出后选择.pcap文件

1
pyrdp-convert -o output 1.pcap

转换为pyrdp可读的文件,然后加载pyrdp-player,提取pyrdp文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
<Return pressed>
<Return released>the
<Shift pressed>
<Shift released>
<Space pressed>
<Space released>7z
<Space pressed>
<Space released>password
<Space pressed>
<Space released>is
<Space pressed>
<Space released>f'
<Shift pressed>{
<Shift released>windows
<Shift pressed>_
<Shift released>password
<Shift pressed>}
<Shift released>9347013182'
<Control pressed>s
<Control released>

# the 7z password is f'{windows_password}9347013182'

得到解压密码是babygirl2339347013182

image

 评论
评论插件加载失败
正在加载评论插件
总字数 77.8k 访客数 访问量