题目下载下来是一个dd.img,首先挂载磁盘:
mount dd.img /mnt/cdrom/
cd /mnt/cdrom/
文件如下:
大部分都是让人不知道想表达什么的恶心文字,只有d4997e4eb81ca133文件夹下的7948954c771171c2文件不一样,通过file命令知道它是一个mp4文件。
打开图形文件夹(nautilus /mnt/cdrom/)可以看到这是一段视频,也是意义不明。strings磁盘会提示NTFS,但是我用ntfsstreamseditor对磁盘和磁盘内文件扫了一遍并没有发现什么Q Q
如果对题目文件使用tail命令会发现一串可疑的base64:
H4sIAOq1yVwAA6tWUFBKyc8vUrJSMDIAAh0gvzi1sDQ1LzkVKBatAATVSgX5RSVAnqGBgSFQhVJB
UX5JPpCvFOoSoFSrg67Gkgg1RihqQpyxqSHGLjMizLEgwhxi7DIgwi4DIswxIcIcI0xzFBRiQbGT
X5CaF1+cWpyYC4ogJXdPX19XhRAPVwU3H0d3hQCfKD09PSVoNMZn5pWkFpUl5oAN1YHGNbKoaS0A
gssCMwICAAA=
仔细看截图,base64的前(BGZ)后(EGZ),查阅了资料,这是一个gzip文件。
还原:
echo “H4sIAOq1yVwAA6tWUFBKyc8vUrJSMDIAAh0gvzi1sDQ1LzkVKBatAATVSgX5RSVAnqGBgSFQhVJBUX5JPpCvFOoSoFSrg67Gkgg1RihqQpyxqSHGLjMizLEgwhxi7DIgwi4DIswxIcIcI0xzFBRiQbGTX5CaF1+cWpyYC4ogJXdPX19XhRAPVwU3H0d3hQCfKD09PSVoNMZn5pWkFpUl5oAN1YHGNbKoaS0AgssCMwICAAA=” |base64 -d >file.gz
打开压缩包得到如下内容:
{ “door”: 20000, “sequence”: [ {“port”: 10010, “proto”: “UDP”}, {“port”: 10090, “proto”: “UDP”}, {“port”: 10020, “proto”: “TCP”}, {“port”: 10010, “proto”: “UDP”}, {“port”: 10060, “proto”: “TCP”}, {“port”: 10080, “proto”: “UDP”}, {“port”: 10010, “proto”: “UDP”}, {“port”: 10000, “proto”: “TCP”}, {“port”: 10000, “proto”: “UDP”}, {“port”: 10040, “proto”: “TCP”}, {“port”: 10020, “proto”: “UDP”} ], “open_sesame”: “GIMME THE FLAG PLZ…”, “seq_interval”: 10, “door_interval”: 5}
然后这里也学到了新知识点,超开心!
记笔记~记笔记~
上面那个文件是端口试探(port knocking):
如字面意思,类似‘敲门’,只是这里敲的是‘端口’,而且需要按照顺序‘敲’端口。如果敲击规则匹配,则可以让防火墙实时更改策略。从而达到开关防火墙的目的。
不过这道赛题已经关掉连不上了,马克一下国外师傅的脚本,还没有研究透,有待进一步学习:
#!/usr/bin/env python3 import time import socket import select import json class Knocker(object): def __init__(self, ports_proto: list, delay=400, udp=False, host="127.0.0.1", timeout=200): self.timeout = timeout / 1000 self.delay = delay / 1000 self.default_udp = udp self.ports_proto = ports_proto self.address_family, _, _, _, (self.ip_address, _) = socket.getaddrinfo( host=host, port=None, flags=socket.AI_ADDRCONFIG )[0] def knock_it(self): last_index = len(self.ports_proto) - 1 for i, port in enumerate(self.ports_proto): use_udp = self.default_udp if port.find(':') != -1: port, protocol = port.split(':', 2) if protocol == 'TCP': use_udp = False elif protocol == 'UDP': use_udp = True else: error = 'WTF!' raise ValueError(error.format(protocol)) s = socket.socket(self.address_family, socket.SOCK_DGRAM if use_udp else socket.SOCK_STREAM) s.setblocking(False) socket_address = (self.ip_address, int(port)) if use_udp: print("Knocking port {} using UDP".format(port)) s.sendto(b'', socket_address) else: print("Knoocking port {} using TCP".format(port)) s.connect_ex(socket_address) select.select([s], [s], [s], self.timeout) s.close() if self.delay and i != last_index: time.sleep(self.delay) if __name__ == '__main__': host = "you-shall-not-pass.ctf.insecurity-insa.fr" print("[?] Getting Data ...") json_file = open("file", "r") data = json.load(json_file) open_sesame = data["open_sesame"] ports_proto = [str(i["port"])+":"+i["proto"] for i in data["sequence"]] print("[+] Knocking Ports now...") Knocker(ports_proto, delay=900, host=host).knock_it() time.sleep(1) print("[?] Asking for Flag ...") try: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host, int(data["door"]))) except Exception as e: print("[!] CONNECTION FAILED!!!, Port may not be opened") else: print("[+] DOOR OPENED") s.send(open_sesame.encode()) try: flag = s.recv(2014).decode() print("Got flag: ", flag) except Exception as e: print("NOTHING") finally: s.close()
⚪参考:
https://omega-coder.ninja/post/inshack-you-shall-not-pass-forensics-330-writeup/