xpxp

Get system information

┌──(wha1e㉿wha1e)-[~/volatility]
└─$ python vol.py -f /home/wha1e/ desktop /xpxp.raw  imageinfo   

as follows

Volatility Foundation Volatility Framework 2.6.1
 INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/wha1e/ desktop /xpxp.raw)
                      PAE type : PAE
                           DTB : 0xb18000L
                          KDBG : 0x80546ae0L
          Number of Processors : 1
     Image Type (Service Pack) : 3
                KPCR for CPU 0 : 0xffdff000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2022-05-20 03:09:02 UTC+0000
     Image local date and time : 2022-05-20 11:09:02 +0800

obtain

Volatility Foundation Volatility Framework 2.6.1
0x0000000002021c98      1      0 R--rwd \Device\HarddiskVolume1\Program Files\Messenger\logowin.gif
0x00000000022d08d8      1      0 R--r-- \Device\HarddiskVolume1\Documents and Settings\All Users\Documents\My Pictures\letter_PixelReplacement.png
0x00000000022e89d8      1      0 R--rwd \Device\HarddiskVolume1\Program Files\Messenger\lvback.gif
0x00000000022faf28      1      0 R--rwd \Device\HarddiskVolume1\WINDOWS\Web\Wallpaper\Bliss.bmp
0x0000000002409e28      1      0 R--rwd \Device\HarddiskVolume1\Documents and Settings\Administrator\My Documents\My Pictures\egg3.bmp
0x000000000250d240      1      0 R--rwd \Device\HarddiskVolume1\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Administrator.bmp

extract egg3 and letter_PixelReplacement.png

┌──(wha1e㉿wha1e)-[~/volatility]
└─$ python vol.py -f /home/wha1e/ desktop /xpxp.raw --profile=WinXPSP2x86 dumpfiles -Q 0x0000000002409e28 -D /home/wha1e/ desktop 
┌──(wha1e㉿wha1e)-[~/volatility]
└─$ python vol.py -f /home/wha1e/ desktop /xpxp.raw --profile=WinXPSP2x86 dumpfiles -Q 0x00000000022d08d8 -D /home/wha1e/ desktop 

according to egg3 hinder 3 Guess there are others egg, By keyword egg To search , Found five egg, Extract it all

┌──(wha1e㉿wha1e)-[~/volatility]
└─$ python vol.py -f /home/wha1e/ desktop /xpxp.raw profile=WinXPSP2x86 filescan | grep -E "egg"
Volatility Foundation Volatility Framework 2.6.1
0x00000000020273b8      1      0 R--rwd \Device\HarddiskVolume1\Program Files\xerox\egg4.txt
0x00000000020cb2b8      1      0 RW-rw- \Device\HarddiskVolume1\Documents and Settings\Administrator\Recent\egg4.lnk
0x0000000002137248      1      0 R--r-- \Device\HarddiskVolume1\Documents and Settings\Administrator\My Documents\egg1.rtf
0x000000000214c450      1      0 RW-rw- \Device\HarddiskVolume1\Documents and Settings\Administrator\Recent\egg5.lnk
0x00000000022c4d08      1      0 RW-rw- \Device\HarddiskVolume1\Documents and Settings\Administrator\Recent\egg1.lnk
0x000000000231e748      1      0 RW-rw- \Device\HarddiskVolume1\Documents and Settings\Administrator\Recent\egg3.lnk
0x000000000232d938      1      0 R--rwd \Device\HarddiskVolume1\Program Files\Messenger\egg5.txt
0x0000000002409e28      1      0 R--rwd \Device\HarddiskVolume1\Documents and Settings\Administrator\My Documents\My Pictures\egg3.bmp
0x000000000251c538      1      0 R--rwd \Device\HarddiskVolume1\Documents and Settings\Administrator\My Documents\My Music\egg2.txt

The information is as follows ：

# egg1
Do you know what the Chinese meaning of ankle is? flag is that.

Remember to convert the answer to a 32-bit lowercase MD5 value.

# egg2
 I heard about the pictures , There is an encryption method , It is called image pixel replacement encryption . Permutation encryption algorithm is one of the simplest encryption algorithms , The principle is to replace the characters in the alphabet with those in another alphabet . So what about pixel replacement encryption . It seems that a tool integrates this encryption . But I forgot . It is said that it was put in the mailbox draft .

# egg3
Pixel replacement 15 -by Ankle

#egg4
 Do you know XOR encryption . XOR is a type of logical analysis of two operators , The symbol is XOR or EOR. It is said that part of the code is placed somewhere on the computer , The content is to XOR a file , But there is one letter I don't know where I put it , It seems to be some colored egg . Can you work it out .

#egg5
According to Homer's epic, the hero Achilles is the precious son of the mortal Polus and the beautiful fairy Thetis.
It is said that her mother Tethys carried him upside down into the Styx river when he was just born, so that he could be invulnerable. 
Unfortunately, due to the rapid flow of the Ming River, his mother didn't dare to let go of his heel.
The heel held by his mother was accidentally exposed outside the water, so the heel was the most vulnerable place, leaving the only "dead hole" in his body, so he buried the disaster. 
When he grew up, Achilles fought bravely. When he went to attack the city of Troy (the story of Trojan horse slaughtering the city), the brave Achilles singled out the Trojan general Hector, killed him and dragged his body to demonstrate. 
But later, after conquering Troy, Achilles was attacked by an arrow by Hector's brother-in-law Paris and hit his ankle - the hero fell to the ground and died at the moment of shaking.
ankle, ankle, I love ankle.The password is ??k1eAn???

There is no tool for image pixel replacement encryption , however GitHub There is a ready-made wheel on it .（ When doing the problem, I wonder whether XOR and pixel replacement can be done directly without the problem , This is the fact.

obtain letter

Check Notepad to find out if there is any key information, such as XOR code

┌──(wha1e㉿wha1e)-[~/volatility]
└─$ python vol.py -f /home/wha1e/ desktop /xpxp.raw profile=WinXPSP2x86 editbox

Get key code

f = open('./flag.zip', 'rb').read()
new = open('./fffflllaag.dat', 'ab')

letter = ''
secret = int(letter,16)
print(secret)
for i in f:
    n = int(i) ^ secret
    new.write(int(n).to_bytes(1, 'big'))

Search for keywords flag

┌──(wha1e㉿wha1e)-[~/volatility]
└─$ python vol.py -f /home/wha1e/ desktop /xpxp.raw profile=WinXPSP2x86 filescan | grep -E "flag"                             
Volatility Foundation Volatility Framework 2.6.1
0x000000000240cad8      1      0 R--rw- \Device\HarddiskVolume1\Documents and Settings\All Users\Documents\flagData.zip

extract

┌──(wha1e㉿wha1e)-[~/volatility]
└─$ python vol.py -f /home/wha1e/ desktop /xpxp.raw --profile=WinXPSP2x86 dumpfiles -Q 0x000000000240cad8 -D /home/wha1e/ desktop 

There's a fffflllaag.dat

┌──(wha1e㉿wha1e)-[~/volatility]
└─$ python vol.py -f /home/wha1e/ desktop /xpxp.raw --profile=WinXPSP2x86 filescan | grep -E "jpg|png|jpeg|bmp|gif"

Change the code here and it will come out

f = open('./fffflllaag.dat', 'rb').read()
new = open('./flag.zip', 'ab')

letter = 'A'
secret = int(letter,16)
print(secret)
for i in f:
    n = int(i) ^ secret
    new.write(int(n).to_bytes(1, 'big'))

according to egg5,ankle, ankle, I love ankle.The password is ??k1eAn???, Contact context , Guess the password is ankleankle, But the letters are capitalized or matched with numbers , Replace with characters , Here first according to the given k1eAn Guess for Ank1eAnk1e, Guess right 2333
obtain flag.txt

The answer to egg1 is : You are the only weakness in my body
This is also the answer to flag

according to egg1 take You are the only weakness in my bodymd5 After encryption, pack flag{} that will do .

ZIPCracker

Pseudo encryption

Plaintext attack
It's strange here , The normal practice should be plaintext attack , But I failed , I collected it online wp They are also plaintext attacks , But looking at their screenshots, it seems that they didn't succeed or ... It 's a long story , If any master knows the problem, you are welcome to give advice ！

The zip code is crQ2#!, Decompression acquisition flag

PNGCracker

Change the image height to get zip Of passwd,winhex Manually separate zip, Decompression acquisition flag.png,stegsolve perhaps zsteg, Check in difficulty jumps directly .

Secrets in data flow

Refer to the blog reproduced ：https://wkr.moe/ctf/806.html
Through the length, it is found that rar file , Manual extraction

Here we need to extract five pieces of data , The length is 65539,93,65539,93,46505 Five paragraphs of , And I only extracted the three longest . And the extracted data only needs TCP segment data Subtract the previous 4441544100000100. Finally, the extracted compressed package still has a password .

track tcp flow , In the flow 14 Found in h264 The file header 00 00 00 01 67, Manual extraction

h264 For monitoring video , I don't have a dedicated player to open , The format factory is converted to mp4（ ok , Read the blog of the big guy , use PotPlayer that will do ）

After opening, it is a QR code divided into four parts , Screenshot , then ps Fix it , because CSDN If you can block the QR code, don't put the picture
Scan the code and get 695c630e-523c-4098-8ff8-0bac8f8b22d7, That is, the compressed package password
stay .git/config Found in file github project https://github.com/KuroLabs/stegcloak.git
And the password just4fun, Find a website with hidden information online through the project https://stegcloak.surge.sh/

Find the code at the end of the picture

Decode it , There are a lot of invisible characters , Combined with the decoding website found above

The wheel ‍‍‌⁢⁤⁣‍⁢⁢‍‍‌⁡‍‌‍⁡‌⁢⁢‌⁢‍⁢‌‍⁢⁡‍‌⁢‍⁤‍⁡⁣‌⁤⁢‍‍‍⁢⁢⁤⁤‍⁤⁢‌⁤⁤⁡‍⁡‍⁤⁢⁤⁣⁡‍⁤‌‍⁢⁡⁢‌⁢‌⁢⁡⁢‍‍⁡‍‍⁡‌‍⁢‍⁡‍‌⁢⁢⁤‌⁡⁢⁢⁢⁣‌⁢‌⁡‍⁤⁡‌⁡‌⁢⁡‍⁢‍‍⁢⁢⁢⁢⁤⁡‍⁢⁡⁣⁤‍⁣‌⁢‍‌‍⁢‍‌⁢⁢‍‌⁢‍‌‍‍⁢⁡‍⁣⁤⁢⁣⁢⁢⁤⁡‌⁢⁡⁢‍⁢⁣turns, nothing is ever new.

Decrypt it , obtain flag