2024 强网杯 谍影重重5.0 detailed writeup
Opening the capture, the main protocols are SMB, RDP, TLS and so on.
The first point is in SMB:
Filter on smb2. There are login attempts; at packet 122 the login with username tom succeeds, and the SMB traffic after that is encrypted.
Now SMB has to be decrypted. I found a similar article:
Wireshark analysis of SMB2 packets and hashcat cracking (CSDN blog: Wireshark分析--SMB2协议包及hashcat爆破)
The hash has to be constructed according to this format:
username::domain:ntlmv2_response.chall:ntproofstr:the ntlmv2_response value with the ntproofstr removed
All of these can be found, but something looked off; they can be extracted directly with tshark:
So the final correct one is:
tom::.:c1dec53240124487:ca32f9b5b48c04ccfa96f35213d63d75:…
Note that the ntproofstr must be removed from the last segment. Crack with hashcat: the password is babygirl1233
Now that we have the password we can recover the session key:
Decryption script:
This script template can also be found online:
SMB Decryption - TryHackMe :: MWLab — Ladislav's Malware Lab
```python
from Crypto.Cipher import ARC4
from Crypto.Hash import MD4, MD5, HMAC

# Values recovered above: the cracked password and the NTLMSSP fields of the AUTHENTICATE message
password = 'babygirl233'
username = 'tom'
domain = '.'
ntProofStr = 'ca32f9b5b48c04ccfa96f35213d63d75'   # ntlmssp.ntlmv2_response.ntproofstr
serverChallenge = 'c1dec53240124487'              # ntlmssp.ntlmserverchallenge (not needed for the key below)
sessionKey = '5643a37f253b00b2f52df1afd48c1514'   # ntlmssp.auth.sesskey, the RC4-encrypted exported session key

# NT hash = MD4(UTF-16LE(password))
passwordHash = MD4.new(password.encode('utf-16-le')).hexdigest()
# NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(upper(user) + domain)); MS-NLMP uppercases only the user name
responseKey = HMAC.new(bytes.fromhex(passwordHash), (username.upper() + domain).encode('utf-16-le'), MD5).digest()
# Session base key (= key exchange key for NTLMv2) = HMAC-MD5(NTOWFv2, NTProofStr)
keyExchangeKey = HMAC.new(responseKey, bytes.fromhex(ntProofStr), MD5).digest()
# The exported session key is RC4-encrypted under the key exchange key
decryptedSessionKey = ARC4.new(keyExchangeKey).decrypt(bytes.fromhex(sessionKey))
print('Decrypted SMB Session Key is: {}'.format(decryptedSessionKey.hex()))
```
The recovered SMB session key:
The session id is also needed for the import. Note the endianness in Wireshark: the original id is 0x0000100000000009; byte-reversed, it finally looks like this:
session key:a3abe4d64394909a641062342ffe291b
session id:0900000000100000
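As an added example (not code from the writeup), the two bookkeeping steps above, building the hashcat NTLMv2 line from the extracted NTLMSSP fields and byte-swapping the SMB2 session id for Wireshark's key file, written as one small Python helper; the tail of the NTLMv2 blob is a constructed placeholder because the page omits it.

```python
# Added example, not the writeup's code. 1) hashcat -m 5600 line: NTProofStr is the
# first 16 bytes of the NTLMv2 response and hashcat wants the remaining blob after it;
# 2) SMB2 SessionId in the little-endian byte order Wireshark's SMB key file expects.
def hashcat_ntlmv2_line(user, domain, server_challenge_hex, ntlmv2_response_hex):
    """Return 'user::domain:serverchallenge:ntproofstr:blob' for hashcat mode 5600."""
    challenge = bytes.fromhex(server_challenge_hex)
    resp = bytes.fromhex(ntlmv2_response_hex)
    if len(challenge) != 8:
        raise ValueError("NTLM server challenge must be 8 bytes")
    if len(resp) <= 16:
        raise ValueError("NTLMv2 response must be NTProofStr (16 bytes) plus a blob")
    ntproofstr, blob = resp[:16].hex(), resp[16:].hex()
    return f"{user}::{domain}:{challenge.hex()}:{ntproofstr}:{blob}"


def wireshark_smb_session_id(session_id):
    """Wireshark displays SessionId as a number, but the SMB2 field is little-endian
    on the wire and the key file wants the on-wire byte order."""
    return session_id.to_bytes(8, "little").hex()


# Values from the writeup, except the blob tail, which is a constructed placeholder.
SERVER_CHALLENGE = "c1dec53240124487"
NTLMV2_RESPONSE = "ca32f9b5b48c04ccfa96f35213d63d75" + "01010000000000000011223344556677"

if __name__ == "__main__":
    print(hashcat_ntlmv2_line("tom", ".", SERVER_CHALLENGE, NTLMV2_RESPONSE))
    print(wireshark_smb_session_id(0x0000100000000009))  # -> 0900000000100000
```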
Import them into Wireshark to decrypt SMB:
After that the SMB traffic can be viewed normally:
There is a flag.7z
Export the SMB objects directly:
Besides flag.7z there are two certificates, which are needed later
flag.7z needs a password, so look at the other traffic: there are certificates, RDP and TLS. First import the certificate and see what changes. Note that Wireshark's TLS key import takes the .pem format, so convert with openssl; after trying passwords, mimikatz is the right one:
After conversion, just import it:
Then the RDP traffic becomes readable:
There is a lot of content, both mouse and keyboard
I first assumed it was the mouse, but the reconstructed mouse trail showed no pattern, so I looked at the keyboard instead. First extract the relevant field values with tshark:
If you don't know the field name, you can do this:
For example here: right-click the scancode field, choose Copy, then "All Visible Selected Tree Items"
rdp.fastpath.scancode.keycode is the keyboard scancode
rdp.fastpath.scancode.release is the key up/down flag; True means the key was released
Extract with tshark:
It looks like this; we only need the entries that are True, and the timestamp column in front can be dropped as well
After processing:
Write a decoding script; the scancode table can be generated by GPT:
```python
def map_keycode(key_code):
    """Return the character or key name for a scan code"""
    # scan code table
    special_keys = {
        0x00: 'None',  # No key
        0x01: 'Esc',  # Esc
        0x02: '1',  # 1
        0x03: '2',  # 2
        0x04: '3',  # 3
        0x05: '4',  # 4
        0x06: '5',  # 5
        0x07: '6',  # 6
        0x08: '7',  # 7
        0x09: '8',  # 8
        0x0A: '9',  # 9
        0x0B: '0',  # 0
        0x0C: '-',  # -
        0x0D: '=',  # =
        0x0E: 'Backspace',  # Backspace
        0x0F: 'Tab',  # Tab
        0x10: 'Q',  # Q
        0x11: 'W',  # W
        0x12: 'E',  # E
        0x13: 'R',  # R
        0x14: 'T',  # T
        0x15: 'Y',  # Y
        0x16: 'U',  # U
        0x17: 'I',  # I
        0x18: 'O',  # O
        0x19: 'P',  # P
        0x1A: '[',  # [
        0x1B: ']',  # ]
        0x1C: 'Enter',  # Enter
        0x1D: 'Left Ctrl',  # Left Control
        0x1E: 'A',  # A
        0x1F: 'S',  # S
        0x20: 'D',  # D
        0x21: 'F',  # F
        0x22: 'G',  # G
        0x23: 'H',  # H
        0x24: 'J',  # J
        0x25: 'K',  # K
        0x26: 'L',  # L
        0x27: ';',  # ;
        0x28: "'",  # '
        0x29: 'Grave',  # `
        0x2A: 'Left Shift',  # Left Shift
        0x2B: 'Backslash',  # \
        0x2C: 'Z',  # Z
        0x2D: 'X',  # X
        0x2E: 'C',  # C
        0x2F: 'V',  # V
        0x30: 'B',  # B
        0x31: 'N',  # N
        0x32: 'M',  # M
        0x33: ',',  # ,
        0x34: '.',  # .
        0x35: '/',  # /
        0x36: 'Right Shift',  # Right Shift
        0x37: 'Keypad *',  # Keypad *
        0x38: 'Alt',  # Alt
        0x39: 'Space',  # Space
        0x3A: 'Caps Lock',  # Caps Lock
        0x3B: 'F1',  # F1
        0x3C: 'F2',  # F2
        0x3D: 'F3',  # F3
        0x3E: 'F4',  # F4
        0x3F: 'F5',  # F5
        0x40: 'F6',  # F6
        0x41: 'F7',  # F7
        0x42: 'F8',  # F8
        0x43: 'F9',  # F9
        0x44: 'F10',  # F10
        0x45: 'F11',  # F11
        0x46: 'F12',  # F12
        0x47: 'Num Lock',  # Num Lock
        0x48: 'Keypad 7',  # Keypad 7
        0x49: 'Keypad 8',  # Keypad 8
        0x4A: 'Keypad 9',  # Keypad 9
        0x4B: 'Keypad -',  # Keypad -
        0x4C: 'Keypad 4',  # Keypad 4
        0x4D: 'Keypad 5',  # Keypad 5
        0x4E: 'Keypad 6',  # Keypad 6
        0x4F: 'Keypad +',  # Keypad +
        0x50: 'Keypad 1',  # Keypad 1
        0x51: 'Keypad 2',  # Keypad 2
        0x52: 'Keypad 3',  # Keypad 3
        0x53: 'Keypad 0',  # Keypad 0
        0x54: 'Keypad .',  # Keypad .
        0x5B: 'Left Win',  # Left Windows
        0x5C: 'Right Win',  # Right Windows
        0x5D: 'Menu',  # Menu
        0x5E: 'Right Ctrl',  # Right Control
        0x5F: 'Right Alt',  # Right Alt
    }
    return special_keys.get(key_code, f"Unknown key code: {key_code}")


def process_keyboard_data(data):
    """Process the keyboard input rows and return the key names for each row"""
    output = []
    for entry in data:
        # split the comma-separated scan codes and convert them to integers
        key_codes = entry.split(',')
        mapped_keys = [map_keycode(int(code, 16)) for code in key_codes]
        output.append(' '.join(mapped_keys))
    return output


# keyboard data extracted with tshark (only the release == True events)
keyboard_data = [
    "0x0f,0x2a,0x36,0x1d,0x1d,0x0f,0x38,0x0f,0x38,0x0f",
    "0x0f,0x2a,0x36,0x1d,0x1d,0x0f,0x38,0x0f,0x38,0x0f",
    "0x0f,0x5b,0x5c,0x2a,0x36,0x1d,0x1d,0x0f,0x38,0x0f,0x38,0x0f",
    "0x14",
    "0x23",
    "0x12",
    "0x2a",
    "0x39",
    "0x08",
    "0x2c",
    "0x39",
    "0x19",
    "0x1e",
    "0x1f",
    "0x1f",
    "0x11",
    "0x18",
    "0x13",
    "0x20",
    "0x39",
    "0x17",
    "0x1f",
    "0x39",
    "0x21",
    "0x28",
    "0x1a",
    "0x2a",
    "0x11",
    "0x17",
    "0x31",
    "0x20",
    "0x18",
    "0x11",
    "0x1f",
    "0x0c",
    "0x2a",
    "0x19",
    "0x1e",
    "0x1f",
    "0x1f",
    "0x11",
    "0x18",
    "0x13",
    "0x20",
    "0x1b",
    "0x2a",
    "0x0a",
    "0x04",
    "0x05",
    "0x08",
    "0x0b",
    "0x02",
    "0x04",
    "0x02",
    "0x09",
    "0x03",
    "0x28",
    "0x1f",
    "0x1d",
    "0x0f,0x2a,0x36,0x1d,0x1d,0x0f,0x38,0x0f,0x38,0x0f"
]

# process each row
keyboard_output = process_keyboard_data(keyboard_data)

# write the results to a text file
with open('keyboard_output.txt', 'w') as file:
    for entry in keyboard_output:
        file.write(entry + '\n')

print("Results written to keyboard_output.txt")
```
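The table-only script above prints "Left Shift" as a separate token, which is why the output still needs hand processing. As an added example (not the writeup's script), a decoder that keeps both press and release events from the tshark export and applies Shift while it is held; the sample rows are constructed, and the field names are the ones the writeup extracts.

```python
# Added example, not the writeup's script: decode RDP fastpath scancodes while
# tracking Shift. Rows are in the shape tshark -T fields prints for
# -e rdp.fastpath.scancode.keycode -e rdp.fastpath.scancode.release:
# keycode<TAB>release, comma-separated when one packet carries several key events.
# Set 1 scancodes for the keys this writeup uses, as (unshifted, shifted) pairs.
KEYS = {
    0x02: "1!", 0x03: "2@", 0x04: "3#", 0x05: "4$", 0x06: "5%", 0x07: "6^",
    0x08: "7&", 0x09: "8*", 0x0A: "9(", 0x0B: "0)", 0x0C: "-_", 0x0D: "=+",
    0x10: "qQ", 0x11: "wW", 0x12: "eE", 0x13: "rR", 0x14: "tT", 0x15: "yY",
    0x16: "uU", 0x17: "iI", 0x18: "oO", 0x19: "pP", 0x1A: "[{", 0x1B: "]}",
    0x1E: "aA", 0x1F: "sS", 0x20: "dD", 0x21: "fF", 0x22: "gG", 0x23: "hH",
    0x24: "jJ", 0x25: "kK", 0x26: "lL", 0x27: ";:", 0x28: "'\"", 0x2C: "zZ",
    0x2D: "xX", 0x2E: "cC", 0x2F: "vV", 0x30: "bB", 0x31: "nN", 0x32: "mM",
    0x33: ",<", 0x34: ".>", 0x35: "/?", 0x39: "  ",
}
SHIFT = {0x2A, 0x36}                        # left / right Shift
MODIFIERS = {0x1D, 0x38, 0x0F, 0x5B, 0x5C}  # Ctrl, Alt, Tab, Win: not rendered


def decode_scancode_rows(rows):
    """Return the typed text: a character is emitted on key press, and Shift is
    applied while held (its press sets the state, its release clears it)."""
    shift_held = False
    out = []
    for row in rows:
        if not row.strip():
            continue
        codes, releases = [field.split(",") for field in row.rstrip("\n").split("\t")]
        for code_s, rel_s in zip(codes, releases):
            code = int(code_s, 16)
            released = rel_s.strip().lower() in ("true", "1")
            if code in SHIFT:
                shift_held = not released
            elif released or code in MODIFIERS:
                continue
            elif code in KEYS:
                out.append(KEYS[code][1] if shift_held else KEYS[code][0])
            else:
                out.append(f"<{code:#04x}>")  # unknown code stays visible
    return "".join(out)


# Constructed sample rows: one packet with Shift down, '[' down/up, Shift up,
# then 'w' and '9' as separate press/release packets -> "{w9"
SAMPLE_ROWS = [
    "0x2a,0x1a,0x1a,0x2a\tFalse,False,True,True",
    "0x11\tFalse", "0x11\tTrue", "0x0a\tFalse", "0x0a\tTrue",
]

if __name__ == "__main__":
    print(decode_scancode_rows(SAMPLE_ROWS))  # -> {w9
```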
The final decoded result:
Process it a bit further:
The 7z password is the earlier Windows password followed by this string, i.e. babygirl2339347013182
Extract the archive to get the flag