2024西湖论剑

misc

easy_table

直接上脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
import csv
from datetime import time
from hashlib import md5


def read_users_file(filename, encoding='utf-8'):
records = []
with open(filename, 'r', newline='', encoding=encoding) as csvfile:
csv_reader = csv.reader(csvfile)
for row in csv_reader:
# 假设每行记录有四列
if len(row) == 4:
record = tuple(row)
records.append(record)
else:
print(f"Ignoring invalid record: {row}")
return records
def read_permissions_file(filename, encoding='utf-8'):
records = []
with open(filename, 'r', newline='', encoding=encoding) as csvfile:
csv_reader = csv.reader(csvfile)
for row in csv_reader:
# 假设每行记录有四列
if len(row) == 4:
record = tuple(row)
records.append(record)
else:
print(f"Ignoring invalid record: {row}")
return records

def read_tables_file(filename, encoding='utf-8'):
records = []
with open(filename, 'r', newline='', encoding=encoding) as csvfile:
csv_reader = csv.reader(csvfile)
for row in csv_reader:
# 假设每行记录有四列
if len(row) == 3:
record = tuple(row)
records.append(record)
else:
print(f"Ignoring invalid record: {row}")
return records
def read_actionlog_file(filename, encoding='utf-8'):
records = []
with open(filename, 'r', newline='', encoding=encoding) as csvfile:
csv_reader = csv.reader(csvfile)
for row in csv_reader:
# 假设每行记录有四列
if len(row) == 4:
record = tuple(row)
records.append(record)
else:
print(f"Ignoring invalid record: {row}")
return records

# 用法示例
filename_1 = 'users.csv'
filename_2 = 'permissions.csv'
filename_3 = 'tables.csv'
filename_4 = 'actionlog.csv'
records_users = read_users_file(filename_1)
records_permission = read_users_file(filename_2)
records_tables = read_tables_file(filename_3)
records_actionlog = read_actionlog_file(filename_4)
name=[]
table_name1=[]
for i in range(1,len(records_tables)):
table_name1.append(records_tables[i][1])
for i in range(1,len(records_users)):
name.append(records_users[i][1])
for i in range(1,len(records_actionlog)):
if records_actionlog[i][1] not in name:
# flag=flag+"0_0_0_"+records_actionlog[i][0]+","
print("0_0_0_"+records_actionlog[i][0])#不存在的人
def get_permissions(i):
return records_permission[i][0],records_permission[i][2],records_permission[i][3]

def get_table(i):
return records_tables[i][0],records_tables[i][1],records_tables[i][2]

def convert_time_range(time_ranges_str):
time_ranges = []
for time_range_str in time_ranges_str:
start_str, end_str = time_range_str.split('~')
start_time = time.fromisoformat(start_str.strip())
end_time = time.fromisoformat(end_str.strip())
time_ranges.append((start_time.strftime('%H:%M:%S'), end_time.strftime('%H:%M:%S')))
return time_ranges

def check_time_range(target_time_str, time_ranges):
target_time = time.fromisoformat(target_time_str)
for start_str, end_str in time_ranges:
start_time = time.fromisoformat(start_str)
end_time = time.fromisoformat(end_str)
if start_time <= target_time <= end_time:
return True
return False
for i in range(1,len(records_users)):
user_id=records_users[i][0]
user_name=records_users[i][1]
user_permission_id=records_users[i][3]
permission_id,permission_action,permission_table_id=get_permissions(int(user_permission_id))
action_list = [tuple for tuple in records_actionlog if user_name in tuple]
permission_action=permission_action.split(",")
for i in range(0, len(action_list)):
if action_list[i][3].split(" ")[0] not in permission_action:
for i1 in range(0,len(table_name1)):
if table_name1[i1] in action_list[i][3].split(" "):
# flag=flag+user_id+"_"+user_permission_id+"_"+str(i1+1)+"_"+action_list[i][0]+","
print(user_id+"_"+user_permission_id+"_"+str(i1+1)+"_"+action_list[i][0]+"权限不对")#权限不对
break
for record in action_list:
flag=0
for i in permission_table_id.split(","):
table_id,table_name,table_time=get_table(int(i))
table_time=table_time.split(",")
formatted_time_ranges = convert_time_range(table_time)
if table_name in record[3].split(" "):
target_time=record[2].split(" ")[1]
if check_time_range(target_time,formatted_time_ranges):
pass
else:
print(user_id+"_"+user_permission_id+"_"+i+"_"+record[0]+"不符合时间")#不符合时间
# flag = flag +user_id+"_"+user_permission_id+"_"+i+"_"+record[0]+","
break
else:
flag=flag+1
if flag==len(permission_table_id.split(",")):
for i in range(1,len(records_tables)):
if records_tables[i][1] in record[3].split(" "):
# flag = flag+user_id+"_"+user_permission_id+"_"+str(i)+"_"+record[0]+","
print(user_id+"_"+user_permission_id+"_"+str(i)+"_"+record[0]+"不存在的表")#不存在的表
# print(flag)
# print(md5(flag))

img

最后整合一下,再去计算md5

1
0_0_0_6810,0_0_0_8377,6_14_91_6786,7_64_69_3448,9_18_61_5681,30_87_36_235,31_76_85_9617,49_37_30_8295,75_15_43_8461,79_3_15_9011

flag:271b1ffebf7a76080c7a6e134ae4c929

easy_rawraw

附件得到一个加密的zip文件和一个raw镜像文件

先用vol2分析raw镜像文件,发现可疑进程

1
python2 vol.py -f 'rawraw.raw' --profile=Win7SP1x64 pstree

img

发现了两个可疑进程,因为是rar压缩包解密,所以把第二个进程提取出来

1
python2 vol.py -f 'rawraw.raw' --profile=Win7SP1x64 memdump -p 2088 -D ./

然后用strings的命令查看可见字符

1
strings -e l 2088.dmp | grep "pass"

img

发现了一段可疑的话,告诉了我们rar压缩文件的密码,和文件类型是磁盘,再结合之前的可疑进程VeraCrypt,估计磁盘是一个加密盘,先去解压rar,得到mysecretfile磁盘文件,但是没有密码文件,就再去镜像分析

1
python2 vol.py -f 'rawraw.raw' --profile=Win7SP1x64 filescan | grep "pass"

img

发现了可以的pass.zip文件,提取出来

1
python2 vol.py -f 'rawraw.raw' --profile=Win7SP1x64 dumpfiles -Q 0x000000003df8b650 --dump-dir=./

提取出来之后放到本地解压缩,发现里面是一张图片,用010打开,在末尾提取出一个压缩包,发现压缩包加密了,用archpr爆破出纯数字密码,得到里面的pass.txt,这个文件应该就是磁盘的密钥文件,我们打开VeraCrypt去挂载

img

添加密钥文件

img

可以看到挂载成功,我们再去真实机看一下磁盘里有什么

img

发现有一个xlsx文件,但是又是加密的,我们先把它拷贝到主机,再去镜像文件里找密码,最后发现是镜像文件的登录密码

img

发现密码das123admin321,拿去解密xlsx文件,发现成功,最后找到文件里隐藏的那一行(第十行)

img

得到flag

DASCTF{5476d4c4ade0918c151aa6dcac12d130}


2024西湖论剑
http://www.qetx.top/posts/32557/
作者
Qetx.Jul.27
发布于
2024年2月7日
许可协议