这里真的就是随便记录了,毕竟 musc 知识太杂,(`_´)ゞ

picoctf 靶场

Forensics_Event-Viewing

在这道题中,我学到的是 Windows 的日志 evtx 分析的常识
比如说

1
2
3
Installation -> Event ID 1033
Registry Change -> Event ID 4657
Shutdown -> Event ID 1074

根据题意,我需要做的是分析这三个事件 id,然后看看有没有出题师傅留下的 flag

我这里一共有两个方式,一个是通过电脑自带的 evtx 查看器

具体像这样

另一个方式是使用 Linux 终端工具chainsaw

下面我将记录命令行工具的使用

先是提取 1033 事件

1
chainsaw search -t 'Event.System.EventID: =1033' Windows_Logs.evtx

然后直接 base64 -d 就能解码(其实这个就是我喜欢终端命令行的原因之一,( •̀ ω •́ )y

1
2
yolo@Yolo:~/Desktop/tools$ echo cGljb0NURntFdjNudF92aTN3djNyXw== | base64 -d
picoCTF{Ev3nt_vi3wv3r_

同样的方式,可以查看下 4657 端口,这个是查看注册表是否更改的,根据题目介绍,那个软件运行了下,但是没有界面,那么自然更改了某些东西

这里又能看到一些编码

得到了第二部分 flag

1
2
yolo@Yolo:~/Desktop/tools$ echo MXNfYV9wcjN0dHlfdXMzZnVsXw== | base64 -d
1s_a_pr3tty_us3ful_

1074 查找的就是电脑的关机日志,我发现最后一次日志中有编码信息,得到了最后一部分 flag

ok,这道题就解决到这里

1
picoCTF{Ev3nt_vi3wv3r_1s_a_pr3tty_us3ful_t00l_81ba3fe9}

Forensics_Bitlocker-2

第一次做这类题目,简单来说就是用磁盘解密后的 mem 镜像提取 BitLocker 密钥,然后解密磁盘得到 flag,目前我尝试了两个方式,第一个方式是无脑工具梭

这样的话,我们就得到了解密后的磁盘 decrypt.dd

第二个方式是通过 vol2 的插件 BitLocker

推荐这个仓库https://github.com/breppo/Volatility-BitLocker

里面有详细的使用介绍的

我在本题中这样弄的

1
2
3
4
5
mkdir -p ~/Desktop/timu/keys_for_dislocker

python vol.py -f ../../Desktop/timu/memdump.mem --profile=Win10x64_19041 bitlocker --dislocker ../../Desktop/timu/keys_for_dislocker


注意这里,提取出来的密钥应该是 Address 为 0x8087865bead0 的这个

1
2
3
4
5
6
7
8
9
10
11
sudo mkdir -p /mnt/dislocker_tmp /mnt/decrypted

sudo dislocker -v -k keys_for_dislocker/0x8087865bead0-Dislocker.fvek -- bitlocker-2.dd /mnt/dislocker_tmp

sudo apt-get install ntfs-3g   #这里有必要弄,因为Linux系统没有ntfs这个Windows文件系统

sudo mount -o loop,ro -t ntfs-3g /mnt/dislocker_tmp/dislocker-file /mnt/decrypted
yolo@Yolo:~/Desktop/timu$ ls /mnt/decrypted
'$RECYCLE.BIN'   flag.txt  'System Volume Information'
yolo@Yolo:~/Desktop/timu$ cat /mnt/decrypted/flag.txt
picoCTF{B1tl0ck3r_dr1v3_d3crypt3d_9029ae5b}

Forensics_Bitlocker-1

这里就简单的学习了下怎么提取 hash 并对 BitLocker 爆破

那个 passware ket 工具自然能用,这里不做赘述

爆破密码

首先把 john 和 hashcat 给安装好,然后通过 bitLocker2john 将 BitLocker 磁盘的 hash 提取出来,接下来直接用 hashcat 进行爆破,得到密码后开始后续的挂载读取

1
2
3
sudo apt install john hashcat -y
bitlocker2john -i bitlocker-1.dd >bitlockerhash
hashcat -m 22100 -a 0 bitlocker.hash /usr/share/wordlists/rockyou.txt

挂载读 flag

首先要有 dislocker 解密工具,然后使用密码对 BitLocker 磁盘进行解密,这里会将解密的虚拟文件传入/mnt/dislocker_tmp 中,也就是说我们需要提前弄好这两个路径,接下来直接挂载就行,然后就是正常的读取文件操作了,最后取消挂载

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
# 第一个用于 dislocker 生成虚拟文件
sudo mkdir /mnt/dislocker_tmp
# 第二个用于最终挂载,浏览文件
sudo mkdir /mnt/decrypted_volume

sudo apt install dislocker
sudo dislocker -v -u'jacqueline'  bitlocker-1.dd /mnt/dislocker_tmp
sudo mount -o loop,ro /mnt/dislocker_tmp/dislocker-file /mnt/decrypted_volume

# 取消挂载
sudo umount /mnt/decrypted_volume
sudo umount /mnt/dislocker_tmp
# 要是想确保完全删干净,可以这样弄
sudo rmdir /mnt/decrypted_volume
sudo rmdir /mnt/dislocker_tmp

Blast from the past

记录下,这个解题的模式感觉不错,是给我下发一个 jpg 图片,要更改它的所有元信息

然后通过 nc 提交,另一个容器返回结果,就像这样

1
2
3
4
Submit your modified picture here:
nc -w 2 mimas.picoctf.net 60105 < original_modified.jpg
Check your modified picture here:
nc mimas.picoctf.net 54064

解题倒是不难

1
exiftool -AllDates="1970:01:01 00:00:00" -SubSecTime=001 -SubSecTimeOriginal=001 -SubSecTimeDigitized=001 -FileModifyDate="1970:01:01 00:00:00+00:00" -o modified.jpg original.jpg

然后提交的时候,发现最后一个 check 一直失败

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
yolo@Yolo:~/Desktop/timu$ nc mimas.picoctf.net 63779
MD5 of your picture:
eb5ae92ce9f801b9d1aa8e4c800e9705  test.out

Checking tag 1/7
Looking at IFD0: ModifyDate
Looking for '1970:01:01 00:00:00'
Found: 1970:01:01 00:00:00
Great job, you got that one!

Checking tag 2/7
Looking at ExifIFD: DateTimeOriginal
Looking for '1970:01:01 00:00:00'
Found: 1970:01:01 00:00:00
Great job, you got that one!

Checking tag 3/7
Looking at ExifIFD: CreateDate
Looking for '1970:01:01 00:00:00'
Found: 1970:01:01 00:00:00
Great job, you got that one!

Checking tag 4/7
Looking at Composite: SubSecCreateDate
Looking for '1970:01:01 00:00:00.001'
Found: 1970:01:01 00:00:00.001
Great job, you got that one!

Checking tag 5/7
Looking at Composite: SubSecDateTimeOriginal
Looking for '1970:01:01 00:00:00.001'
Found: 1970:01:01 00:00:00.001
Great job, you got that one!

Checking tag 6/7
Looking at Composite: SubSecModifyDate
Looking for '1970:01:01 00:00:00.001'
Found: 1970:01:01 00:00:00.001
Great job, you got that one!

Checking tag 7/7
Timezones do not have to match, as long as it's the equivalent time.
Looking at Samsung: TimeStamp
Looking for '1970:01:01 00:00:00.001+00:00'
Found: 2023:11:20 20:46:21.420+00:00
Oops! That tag isn't right. Please try again.

然后就直接用 010 查看好了,在最后发现了时间戳

这里仅仅需要把时间戳改成这样,弄了 12 个 00

然后保存再提交就成了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
yolo@Yolo:~/Desktop/timu$ nc -w 2 mimas.picoctf.net 60105 < original.jpg
yolo@Yolo:~/Desktop/timu$ nc mimas.picoctf.net 54064
MD5 of your picture:
5ad8a6e01e19d24121349d3012eac471  test.out

Checking tag 1/7
Looking at IFD0: ModifyDate
Looking for '1970:01:01 00:00:00'
Found: 1970:01:01 00:00:00
Great job, you got that one!

Checking tag 2/7
Looking at ExifIFD: DateTimeOriginal
Looking for '1970:01:01 00:00:00'
Found: 1970:01:01 00:00:00
Great job, you got that one!

Checking tag 3/7
Looking at ExifIFD: CreateDate
Looking for '1970:01:01 00:00:00'
Found: 1970:01:01 00:00:00
Great job, you got that one!

Checking tag 4/7
Looking at Composite: SubSecCreateDate
Looking for '1970:01:01 00:00:00.001'
Found: 1970:01:01 00:00:00.001
Great job, you got that one!

Checking tag 5/7
Looking at Composite: SubSecDateTimeOriginal
Looking for '1970:01:01 00:00:00.001'
Found: 1970:01:01 00:00:00.001
Great job, you got that one!

Checking tag 6/7
Looking at Composite: SubSecModifyDate
Looking for '1970:01:01 00:00:00.001'
Found: 1970:01:01 00:00:00.001
Great job, you got that one!

Checking tag 7/7
Timezones do not have to match, as long as it's the equivalent time.
Looking at Samsung: TimeStamp
Looking for '1970:01:01 00:00:00.001+00:00'
Found: 1970:01:01 00:00:00.001+00:00
Great job, you got that one!

You did it!
picoCTF{71m3_7r4v311ng_p1c7ur3_83ecb41c}

Investigative Reversing 1

这道题虽然标着 hard,但是一点也不难,值得记录,是我第一次手敲 py 脚本,没有依赖 ai,放一份脚本就够了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
# decrypt_flag.py

print("--step1:read files--")
try:
    with open('mystery.png','rb') as f:
        f.seek(-16,2)
        mystery_data=f.read()
    with open('mystery2.png','rb') as f:
        f.seek(-2,2)
        mystery2_data=f.read()

    with open('mystery3.png','rb') as f:
        f.seek(-8,2)         #第二个2的意思是说从文件末尾开始,备注下,0是从文件头开始,1是从当前位置开始
        mystery3_data=f.read()
    print("--step 1 susscssful")
    print(f"成功读取 'mystery.png'末尾16字节,{mystery_data}")
    print(f"成功读取 'mystery2.png'末尾2字节,{mystery2_data}")
    print(f"成功读取 'mystery3.png'末尾8字节,{mystery3_data}")

except Exception as e:
    print(f"wrong:{e}")
    print("好好检查下代码,哪里出错了呢")
    exit()

print("\n--step 2 recovery flag--\n")

flag_bytes=[0]*26
print(f"初始化空的flag容器,长度26:{flag_bytes}")
flag_bytes[0]=mystery2_data[0]-21

flag_bytes[3]=mystery2_data[1]-4

flag_bytes[1]=mystery3_data[0]
flag_bytes[2]=mystery3_data[1]
flag_bytes[5]=mystery3_data[2]

flag_bytes[4]=mystery_data[0]

flag_bytes[6:10]=mystery_data[1:5]
flag_bytes[10:15]=mystery3_data[3:8]
flag_bytes[15:26]=mystery_data[5:16]

print(f"恢复后的flag字节列表:{flag_bytes}")
print("\n--step 4 :read flag--")

final_flag=bytes(flag_bytes).decode()

print("="*30)
print(f"😘解密成功!{final_flag}")
print("="*30)

来自 C4-1

Hacker!!!

共四问

第一问

C3 太狠了,直接干了 20 多万流量包,前面全是爆破,最后面的着手点是这里

当看到那个返回后,我就悟了,直接查看{“success”:true}

1
http.response.code == 200 && http contains "{\"success\":true}"

解决username=test1&password=a123456

第二问

这里考察的是 sql 注入流量分析吧

http contains "database()" or http contains "schema_name"

初步判断这里得按照 sql 盲注打

emm,接下来拿 tshark 把它们提出来,然后写个脚本分析

这里应该是 c3 把流量包顺序搞乱了吧,我分析了好一会儿,没分析出结果,先重新排一下,然后再提取分析

1
2
3
4
5
reordercap hack.pcapng sorted_hack.pcapng
tshark -r sorted_hack.pcapng -Y "http.request.uri contains \"INFORMATION_SCHEMA.SCHEMATA\"" -T fields -e http.request.full_uri > final_requests.txt
tshark -r sorted_hack.pcapng -Y "http.request.uri contains \"INFORMATION_SCHEMA.SCHEMATA\"" -T fields -e tcp.stream | sort -un > stream_ids.txt
> final_responses.txt
for stream in $(cat stream_ids.txt); do   tshark -r sorted_hack.pcapng -Y "tcp.stream eq $stream and http.response.code" -T fields -e http.response.code >> final_responses.txt; done

然后这个是解密脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
import re
from collections import defaultdict
import sys

def solve_blind_sql(filename):
    """
    通过分析 TShark 导出的日志文件,
    破解基于布尔的 SQL 盲注获取的数据库名。

    Args:
        filename (str): 包含注入攻击URL和响应码的数据文件名。
    """
    # 正则表达式,用于从URL中提取三个关键部分:
    # 1. LIMIT 子句的偏移量 (第几个数据库)
    # 2. 字符的位置 (第几个字符)
    # 3. 用于比较的ASCII码
    pattern = re.compile(r"LIMIT%20(\d+)%2C1%29%2C(\d+)%2C1%29%29%3E(\d+)")
    db_conditions = defaultdict(lambda: defaultdict(lambda: {'true': set(), 'false': set()}))

    print(f"[+] 正在读取并解析文件: {filename}")

    try:
        with open(filename, 'r') as f:
            for line_num, line in enumerate(f, 1):
                parts = line.strip().split()
                if len(parts) < 2:
                    continue

                url, status_code = parts[0], parts[1]

                match = pattern.search(url)
                if not match:
                    continue

                db_index = int(match.group(1))
                char_pos = int(match.group(2))
                ascii_val = int(match.group(3))


                if status_code == '200':
                    db_conditions[db_index][char_pos]['true'].add(ascii_val)
                elif status_code == '500':
                    db_conditions[db_index][char_pos]['false'].add(ascii_val)

    except FileNotFoundError:
        print(f"[!] 错误: 文件 '{filename}' 未找到。请确保文件名正确且文件在同一目录下。")
        return

    if not db_conditions:
        print("[!] 文件中未找到有效的SQL注入模式。")
        return

    print("[+] 解析完成。正在解码字符...")


    for db_index in sorted(db_conditions.keys()):
        decoded_chars = {}


        for char_pos in sorted(db_conditions[db_index].keys()):
            true_conds = db_conditions[db_index][char_pos]['true']
            false_conds = db_conditions[db_index][char_pos]['false']

            lower_bound = max(true_conds) if true_conds else -1
            upper_bound = min(false_conds) if false_conds else 256

            if lower_bound < upper_bound:
                final_ascii = upper_bound

                if all(final_ascii > val for val in true_conds):
                    decoded_chars[char_pos] = chr(final_ascii)
                else:
                    decoded_chars[char_pos] = '?'
            else:
                decoded_chars[char_pos] = '?'

        result_name = "".join(decoded_chars.get(i, '') for i in range(1, max(decoded_chars.keys()) + 1))

        print("\n" + "="*40)
        print(f"[*] 已解码第 {db_index + 1} 个数据库名: {result_name}")
        print("="*40)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        data_file = sys.argv[1]
    else:
        data_file = "solution_data.txt"

    solve_blind_sql(data_file)

答案:uzymall

第三问

这题把我难住了,主要原因是我没有找到这个包

这个包有有那个哥斯拉 shell 的源码,拿到密钥那就可以开始解密了

我用的这个工具

最终得到的指令就这样吧

1
2
3
4
methodName=execCommand
methodName=test
methodName=close
methodName=getBasicsInfo

第四问

先分析 elf,确实是个后门程序,和 c2 有关,但是仅仅是个加载器,我通过标志 l64 找到了这个加载器传送的文件

下面的这个文件其实就在 http 下面第一个 tcp 中,很好找的

然后使用脚本转换,拿到 c2 真正交互的 🐎

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
def decrypt_file(input_path, output_path, key=0x99):
    """
    解密使用指定密钥异或的二进制文件

    参数:
    input_path: 加密的二进制文件路径
    output_path: 解密后的文件保存路径
    key: 异或密钥,默认为0x99
    """
    try:
        # 读取加密文件
        with open(input_path, 'rb') as f:
            encrypted_data = f.read()

        # 执行异或解密
        decrypted_data = bytes([byte ^ key for byte in encrypted_data])

        # 保存解密结果
        with open(output_path, 'wb') as f:
            f.write(decrypted_data)

        print(f"解密完成!结果已保存到: {output_path}")
        print("解密后的文本内容(尝试UTF-8解码):")
        print(decrypted_data.decode('utf-8', errors='replace'))

    except Exception as e:
        print(f"解密过程出错: {str(e)}")

if __name__ == "__main__":
    # 输入文件路径(你保存的bin文件)
    input_file = "testvshell.bin"  # 替换为你的bin文件路径
    # 输出文件路径(解密后的结果)
    output_file = "decrypted_data.bin"

    # 调用解密函数
    decrypt_file(input_file, output_file)

可惜,我没有逆向能力,只能回到 vshell 工具的学习上了
image-20250818122000186

未完待续…

ISCTF2023

DISK

是一道 ntfs 日志分析题目,先挂载上 vhd

image-20250819114618767

把$logfile 提取出来,这个是 ntfs 磁盘记录日志的地方,然后这个东西是个二进制文件,需要使用工具logfileparser帮我们把该文件处理一下,可以生成 csv 或 db 文件方便我们查找数据

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
sqlite> .tables
IndexEntries  LogFile
sqlite> .schema LogFile
CREATE TABLE LogFile (lf_Offset TEXT,lf_MFTReference INTEGER,lf_MftHdr_Seq INTEGER,lf_MftHdr_Lsn INTEGER,lf_MftHdr_Flags TEXT,lf_RealMFTReference INTEGER,lf_MFTBaseRecRef INTEGER,lf_LSN INTEGER,lf_LSNPrevious INTEGER,lf_RedoOperation TEXT,lf_UndoOperation TEXT,lf_OffsetInMft INTEGER,lf_FileName TEXT,lf_CurrentAttribute TEXT,lf_TextInformation TEXT,lf_UsnJrlFileName TEXT,lf_UsnJrlMFTReference INTEGER,lf_UsnJrlMFTParentReference INTEGER,lf_UsnJrlTimestamp TEXT,lf_UsnJrlReason TEXT,lf_UsnJrnlUsn INTEGER,lf_SI_CTime TEXT,lf_SI_ATime TEXT,lf_SI_MTime TEXT,lf_SI_RTime TEXT,lf_SI_FilePermission TEXT,lf_SI_MaxVersions INTEGER,lf_SI_VersionNumber INTEGER,lf_SI_ClassID INTEGER,lf_SI_SecurityID INTEGER,lf_SI_QuotaCharged INTEGER,lf_SI_USN INTEGER,lf_SI_PartialValue TEXT,lf_FN_CTime TEXT,lf_FN_ATime TEXT,lf_FN_MTime TEXT,lf_FN_RTime TEXT,lf_FN_AllocSize INTEGER,lf_FN_RealSize INTEGER,lf_FN_Flags TEXT,lf_FN_Namespace TEXT,lf_DT_StartVCN INTEGER,lf_DT_LastVCN INTEGER,lf_DT_ComprUnitSize INTEGER,lf_DT_AllocSize INTEGER,lf_DT_RealSize INTEGER,lf_DT_InitStreamSize INTEGER,lf_DT_DataRuns TEXT,lf_DT_Name TEXT,lf_FileNameModified INTEGER,lf_RedoChunkSize INTEGER,lf_UndoChunkSize INTEGER,lf_client_index INTEGER,lf_record_type INTEGER,lf_transaction_id INTEGER,lf_flags INTEGER,lf_target_attribute INTEGER,lf_lcns_to_follow INTEGER,lf_attribute_offset INTEGER,lf_MftClusterIndex INTEGER,lf_target_vcn INTEGER,lf_target_lcn INTEGER,InOpenAttributeTable INTEGER,FromRcrdSlack INTEGER,IncompleteTransaction INTEGER);
sqlite> SELECT lf_UsnJrlTimestamp, lf_UsnJrlReason, lf_FileName FROM LogFile WHERE lf_UsnJrlReason LIKE '%RENAME%' ORDER BY lf_LSN;
lf_UsnJrlTimestamp           lf_UsnJrlReason        lf_FileName
---------------------------  ---------------------  --------------
2023-10-23 09:37:01.3932100  RENAME_OLD_NAME        1230193492.txt
2023-10-23 09:37:01.3932100  RENAME_NEW_NAME        ==AVDNVS.txt
2023-10-23 09:37:01.3932100  RENAME_NEW_NAME+CLOSE  ==AVDNVS.txt
2023-10-23 09:37:01.9097480  RENAME_OLD_NAME        1182487903.txt
2023-10-23 09:37:01.9097480  RENAME_NEW_NAME        ==AaUtnR.txt
2023-10-23 09:37:01.9097480  RENAME_NEW_NAME+CLOSE  ==AaUtnR.txt
2023-10-23 09:37:02.4154154  RENAME_OLD_NAME        1918846768.txt
2023-10-23 09:37:02.4154154  RENAME_OLD_NAME        1918846768.txt
2023-10-23 09:37:02.4154154  RENAME_NEW_NAME        ==QafNXa.txt
2023-10-23 09:37:02.4154154  RENAME_NEW_NAME        ==QafNXa.txt
2023-10-23 09:37:02.4154154  RENAME_NEW_NAME+CLOSE  ==QafNXa.txt
2023-10-23 09:37:02.4154154  RENAME_NEW_NAME+CLOSE  ==QafNXa.txt
2023-10-23 09:37:02.9265785  RENAME_OLD_NAME        811884366.txt
2023-10-23 09:37:02.9265785  RENAME_OLD_NAME        811884366.txt
2023-10-23 09:37:02.9265785  RENAME_NEW_NAME        ==wbO91c.txt
2023-10-23 09:37:02.9265785  RENAME_NEW_NAME        ==wbO91c.txt
2023-10-23 09:37:02.9265785  RENAME_NEW_NAME+CLOSE  ==wbO91c.txt
2023-10-23 09:37:02.9265785  RENAME_NEW_NAME+CLOSE  ==wbO91c.txt
2023-10-23 09:37:03.4336734  RENAME_OLD_NAME        1413895007.txt
2023-10-23 09:37:03.4336734  RENAME_OLD_NAME        1413895007.txt
2023-10-23 09:37:03.4336734  RENAME_NEW_NAME        ==gcU9Fd.txt
2023-10-23 09:37:03.4336734  RENAME_NEW_NAME        ==gcU9Fd.txt
2023-10-23 09:37:03.4336734  RENAME_NEW_NAME+CLOSE  ==gcU9Fd.txt
2023-10-23 09:37:03.4336734  RENAME_NEW_NAME+CLOSE  ==gcU9Fd.txt
2023-10-23 09:37:03.9477415  RENAME_OLD_NAME        1298230881.txt
2023-10-23 09:37:03.9477415  RENAME_OLD_NAME        1298230881.txt
2023-10-23 09:37:03.9477415  RENAME_NEW_NAME        ==gZfVWd.txt
2023-10-23 09:37:03.9477415  RENAME_NEW_NAME        ==gZfVWd.txt
2023-10-23 09:37:03.9477415  RENAME_NEW_NAME+CLOSE  ==gZfVWd.txt
2023-10-23 09:37:03.9477415  RENAME_NEW_NAME+CLOSE  ==gZfVWd.txt
2023-10-23 09:37:04.4590557  RENAME_OLD_NAME        1734701693.txt
2023-10-23 09:37:04.4590557  RENAME_OLD_NAME        1734701693.txt
2023-10-23 09:37:04.4590557  RENAME_NEW_NAME        ==QfnFGb.txt
2023-10-23 09:37:04.4590557  RENAME_NEW_NAME        ==QfnFGb.txt
2023-10-23 09:37:04.4590557  RENAME_NEW_NAME+CLOSE  ==QfnFGb.txt
2023-10-23 09:37:04.4590557  RENAME_NEW_NAME+CLOSE  ==QfnFGb.txt
sqlite>

注意看文件名的前后更改,那些数字可以推测是由 flag 进行字节串转换成数字得到的,然后就是逆转回来能拿到 flag

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
numbers = [
    1230193492,
    1182487903,
    1918846768,
    811884366,
    1413895007,
    1298230881,
    1734701693,
]

flag = ""

for num in numbers:
    byte_length = (num.bit_length() + 7)//8

    byte_part = num.to_bytes(byte_length, 'big')

    flag += byte_part.decode()

print("最终拼接出的Flag是:")
print(flag)
'''
最终拼接出的Flag是:
ISCTF{U_r_G00d_NTFS_Manager}
'''

说些什么吧!

waline