本篇是Forensic,即取证类的题解。包括有一些常规的入门misc题目,比如流量分析,图片、文件隐写之类的。部分题目附件已打包。链接: https://pan.baidu.com/s/1kfx8GEnio7V1Z5Fa4TrfMQ 提取码: 5a9u
(拖了半个月终于把这篇补完了,还好题目还开着,拖延症彻底没救了-0-……)
Can you unzip this file for me and retreive the flag?
Make sure to submit the flag as picoCTF{XXXXX}
签到题,解压zip,得到flag.jpg
输入图上的字符就行了。
flag:picoCTF{welcone_to_forensics}
Hmm for some reason I can't open this PNG? Any ideas?
How do operating systems know what kind of file it is? (It's not just the ending!
Make sure to submit the flag as picoCTF{XXXXX}
使用file
命令查看图片的文件格式。
❯ file flag.png
flag.png: JPEG image data, JFIF standard 1.01, resolution (DPI), density 75x75, segment length 16, baseline, precision 8, 909x190, frames 3
本质是jpg文件,修改后缀为.jpg就可以打开了。(其实大多的图片浏览器都可以直接打开这种单纯修改一下后缀的图片)
flag:picoCTF{extensions_are_a_lie}
Our network administrator is having some trouble handling the tickets for all of of our incidents. Can you help him out by answering all the questions? Connect with
nc 2018shell1.picoctf.com 54782
. incidents.json
If you need to code, python has some good libraries for it.
文件里面是一段json数据。
...
{
"ticket_id": 0,
"timestamp": "2015/05/09 22:28:20",
"file_hash": "b807c12fc3e10ba3",
"src_ip": "248.63.150.241",
"dst_ip": "251.0.92.254"
},
{
"ticket_id": 1,
"timestamp": "2016/12/27 04:01:52",
"file_hash": "1698b8b87f51ce8e",
"src_ip": "248.63.150.241",
"dst_ip": "116.196.246.151"
},
}
...
nc到问题服务器,一步步处理后发现有三个问题:
第三个有点拗口,大概意思就是要算出每个单独的文件发送到的ip地址个数的平均数是多少。使用python的list和dict对象可以很方便的处理这些数据。
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import json
import re
from pwn import *
with open('./incidents.json') as f:
text = f.read()
text = json.loads(text)
r = remote('2018shell2.picoctf.com', 54782)
src_ip_count = {}
dst_ip_count = []
unique_dst_ip = 0
hash_dst_ip = {}
r.recvuntil('common ones.')
for i in text['tickets']:
# Question 1
if i['src_ip'] not in src_ip_count.keys():
src_ip_count[i['src_ip']] = 1
else:
src_ip_count[i['src_ip']] += 1
r.sendline(max(src_ip_count))
content = r.recvuntil('?\n')
content = re.findall(r'address \d{1,3}.\d{1,3}.\d{1,3}.\d{1,3} ?',content)
content = ''.join(content).split(' ')[1]
for i in text['tickets']:
# Question 2
if i['dst_ip'] not in dst_ip_count and i['src_ip'] == content:
dst_ip_count.append(i['dst_ip'])
unique_dst_ip += 1
# Question 3
if i['file_hash'] not in hash_dst_ip.keys() and i['file_hash'] != []:
hash_dst_ip[i['file_hash']] = []
hash_dst_ip[i['file_hash']].append(i['dst_ip'])
elif i['file_hash'] in hash_dst_ip.keys() and i['file_hash'] != []:
hash_dst_ip[i['file_hash']].append(i['dst_ip'])
avg = 0
for i in hash_dst_ip:
avg += len(hash_dst_ip[i])
avg = avg * 1.0 / len(hash_dst_ip)
# print unique_dst_ip
# print round(avg, 2)
r.sendline(str(unique_dst_ip))
r.sendline(str(round(avg, 2)))
# r.interactive()
print r.recvuntil('}\n')
r.close()
运行脚本得到flag。
flag:picoCTF{J4y_s0n_d3rUUUULo_c74e3495}
Stego-Saurus hid a message for you in this image, can you retreive it?
Maybe you can find an online decoder?
LSB隐写,使用stegsolve
提取最低位。
勾选RGB信道的最低位0
,顺序是LSB First,就可以看到flag。
flag:picoCTF{r34d1ng_b37w33n_7h3_by73s}
There used to be a bunch of animals here, what did Dr. Xernon do to them?
Some files have been deleted from the disk image, but are they really gone?.
使用binwalk
查看文件,发现有很多隐写进去的jpg文件,用foremost
提取出来。
❯ foremost animals.dd
foremost: /usr/local/etc/foremost.conf: No such file or directory
Processing: animals.dd
|*|
提取完成查看图片,可以看到最后一张就是flag。
flag:picoCTF{th3_5n4p_happ3n3d}
We captured some traffic logging into the admin panel, can you find the password?
Tools like wireshark are pretty good for analyzing pcap files.
使用wireshrak打开pcap流量包,追踪tcp流,在第5个流可以看到flag。
当然这里我们知道flag的形式是picoCTF{***}
,可以直接在分组字节流中搜索相关字符串,同样也可以找到flag。
flag:picoCTF{n0ts3cur3_13597b43}
This cat has a secret to teach you. You can also find the file in /problems/hex-editor_2_c1a99aee8d919f6e42697662d798f0ff on the shell server.
What is a hex editor?
Maybe google knows.
使用16进制编辑器查看文件16进制内容,windows环境下可以使用winhex、010editor,mac环境下可以使用hex friend。
可以看到到jpg文件格式的结尾FF D9
之后还有一串字符,就是我们要的flag。
flag:picoCTF{and_thats_how_u_edit_hex_kittos_8BcA67a2}
Can you help us find the flag in this Meta-Material? You can also find the file in /problems/truly-an-artist_3_066d6319e350c1d579e5cf32e326ba02.
Try looking beyond the image.
Who created this?
文件属性隐藏了信息,windows下直接右键查看文件属性就可以看到,mac可以使用exiftool查看。
❯ exiftool 2018.png
ExifTool Version Number : 11.11
File Name : 2018.png
Directory : .
File Size : 13 kB
File Modification Date/Time : 2018:10:28 01:06:38+08:00
File Access Date/Time : 2018:10:28 01:06:50+08:00
File Inode Change Date/Time : 2018:10:28 01:06:51+08:00
File Permissions : rw-r--r--
File Type : PNG
File Type Extension : png
MIME Type : image/png
Image Width : 1200
Image Height : 630
Bit Depth : 8
Color Type : RGB
Compression : Deflate/Inflate
Filter : Adaptive
Interlace : Noninterlaced
Artist : picoCTF{look_in_image_7e31505f}
Image Size : 1200x630
Megapixels : 0.756
flag:picoCTF{look_in_image_7e31505f}
We heard that there is something hidden in this picture. Can you find it?
There is an old saying: if you want to hide the treasure, put it in plain sight. Then no one will see it.
Is it really all one shade of red?
还是用stegsolve
打开文件,查看不同信道下的图片,发现flag在隐藏在红色0信道中。
flag:picoCTF{n0w_y0u533_m3}
We salvaged a ruined Ext SuperMagic II-class mech recently and pulled the filesystem out of the black box. It looks a bit corrupted, but maybe there's something interesting in there. You can also find it in /problems/ext-super-magic_4_f196e59a80c3fdac37cc2f331692ef13 on the shell server.
Are there any tools for diagnosing corrupted filesystems? What do they say if you run them on this one?
How does a linux machine know what type of file a file is?
You might find this doc helpful.
Be careful with endianness when making edits.
Once you've fixed the corruption, you can use /sbin/debugfs to pull the flag file out.
给了一个镜像文件,file
命令查看一下,发现不能识别。debugfs
可以识别出镜像损坏的部分。
❯ file ext-super-magic.img
ext-super-magic.img: data
❯ debugfs ext-super-magic.img
debugfs 1.44.1 (24-Mar-2018)
Checksum errors in superblock! Retrying...
ext-super-magic.img: Bad magic number in super-block while opening filesystem
依据提示查看ext2镜像格式的文档,我们需要在superblock
的第56和57字节之间插入magic number
,即0xef53
。
❯ file fixed.img
fixed.img: Linux rev 1.0 ext2 filesystem data, UUID=fad5d44e-2bb4-4c22-9410-79b020de84dd (large files)
修复成功,挂载打开,发现有很多的jpg文件,其中有一张flag.jpg
里面就有flag。
flag:picoCTF{a7DB29eCf7dB9960f0A19Fdde9d00Af0}
Some odd traffic has been detected on the network, can you identify it? More info here. Connect with
nc 2018shell1.picoctf.com 50875
to help us answer some questions.
No Hints.
需要分析异常访问流量,对照图片一个个看就可以了。
You'll need to consult the file `traffic.png` to answer the following questions.
Which of these logs have significantly higher traffic than is usual for their time of day? You can see usual traffic on the attached plot. There may be multiple logs with higher than usual traffic, so answer all of them! Give your answer as a list of `log_ID` values separated by spaces. For example, if you want to answer that logs 2 and 7 are the ones with higher than usual traffic, type 2 7.
log_ID time num_IPs
0 0 00:00:00 9552
1 1 02:30:00 11573
2 2 06:00:00 10381
3 3 07:00:00 11674
4 4 07:00:00 10224
5 5 07:30:00 10966
6 6 16:00:00 9685
7 7 17:45:00 15875
8 8 18:00:00 11889
9 9 19:15:00 11935
10 10 19:30:00 11191
11 11 20:30:00 9952
12 12 20:45:00 9898
13 13 22:45:00 11609
1 3 7 13
Correct!
Great job. You've earned the flag: picoCTF{w4y_0ut_ff5bd19c}
flag:picoCTF{w4y_0ut_ff5bd19c}
Say my name, say my name.
If you visited a website at an IP address, how does it know the name of the domain?
提示给的很明显了,我们需要查找和DNS
有关的信息流,在wireshark过滤器中搜寻dns流量,就可以看到flag了。
同样也可以通过字符串搜索的方式找到flag,方法和admin panel
一样。
There has been some malware detected, can you help with the analysis? More info here. Connect with
nc 2018shell1.picoctf.com 18874
.
No Hints.
还是看图识别数据,和Lying Out
差不大多,第一个问题看图片找特征,第二个问题看哪个文件与题目问的文件的jmp_count
和add_count
的数值相近就选哪个。
You'll need to consult the file `clusters.png` to answer the following questions.
How many attackers created the malware in this dataset?
5
Correct!
In the following sample of files from the larger dataset, which file was made by the same attacker who made the file 628e79cf? Indicate your answer by entering that file's hash.
hash jmp_count add_count
0 628e79cf 17.0 18.0
1 1f2c7915 18.0 60.0
2 6e7d554a 10.0 42.0
3 a55f572c 30.0 37.0
4 f118fcd7 36.0 13.0
5 97b1425e 35.0 30.0
6 a163e543 18.0 71.0
7 ebaf5ccd 11.0 18.0
8 9059414f 38.0 13.0
9 c30ea3fe 18.0 37.0
ebaf5ccd
Correct!
Great job. You've earned the flag: picoCTF{w4y_0ut_dea1794b}