西湖论剑2025 Misc Writeup+复现

Writeup

糟糕的磁盘

取证大师一下子导入五个镜像即可，可以看到key和secret

veracrypt挂载一下，key.png当做密钥文件

复现

CSCS

挺逆天的题目，当时比赛的时候是零解。本来前阵子我为了出题专门研究过CS流量，结果这个题中没直接给私钥，也不是已知私钥，也没给镜像什么的，当时就直接给我干懵了。谁知道他这里是要用密码学自己去分解得到私钥。。。不过手撕pem什么的操作我倒是也会。。。好吧还是我菜了:(

可以看到给出了http beacon

用1768.py可以拿到公钥

当时就是停在这了，根本没想到这个公钥可以分解。。。

把这串十六进制数做成pem格式，拿到n

这n可以直接用yafu分解。。。

然后做成pem格式的私钥文件

from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.backends import default_backend
import gmpy2
def generate_rsa_keys_from_components(p, q, n, e, d):
    private_key = rsa.RSAPrivateNumbers(
        p=p,
        q=q,
        d=d,
        dmp1=d % (p - 1),
        dmq1=d % (q - 1),
        iqmp=rsa.rsa_crt_iqmp(p, q),
        public_numbers=rsa.RSAPublicNumbers(e=e, n=n),
    ).private_key(backend=default_backend())
    public_key = private_key.public_key()

    return public_key, private_key
def save_keys_to_pem(public_key, private_key, public_path, private_path):
    public_pem = public_key.public_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PublicFormat.SubjectPublicKeyInfo,
    )
    private_pem = private_key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.PKCS8,
        encryption_algorithm=serialization.NoEncryption(),
    )
    with open(public_path, "wb") as f:
        f.write(public_pem)
    with open(private_path, "wb") as f:
        f.write(private_pem)
def main():
    p = 7605291443685150594150190909345113655196508809219162555499789316232908573154196070425269090153291952292016936024761413150455793038505322748933150548026221
    q = 7605291443685150594150190909345113655196508809219162555499789316232908573154196070425269090153291952292016936024761413150455793038505322748933150548026527
    e = 0x10001
    n = p * q
    phi = (p - 1) * (q - 1)
    d = gmpy2.invert(e, phi)
    print(d)
    d = int(d)
    public_key, private_key = generate_rsa_keys_from_components(p, q, n, e, d)
    save_keys_to_pem(public_key, private_key, "publicKey.pem", "privateKey.pem")
    print("公钥和私钥已成功生成并保存到文件中！")
if __name__ == "__main__":
    main()

接下来就是经典的解密cs流量

先找到cookie，拿到AES key和HMAC key

import base64
import hashlib
import struct
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives import serialization, hashes
from cryptography.hazmat.primitives.asymmetric.padding import PKCS1v15
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend

PRIVATE_KEY = """
-----BEGIN PRIVATE KEY-----
MIICdAIBADANBgkqhkiG9w0BAQEFAASCAl4wggJaAgEAAoGAUl4XgfLwLRMqeBim
0mm63b85NSyNICkOwilPvk135lSe9HZtiw4WIAAK3716/5nNcvBWI+sN7yAiZc9j
HdiVrNXpgdqEJMA6KViVyBlKMWQfLuzVqHFcqJzb+UM8XUN1OHZ2ZsO9sPhilVU3
W1dP5AipSugvkpYAhdQWN08WVLMCAwEAAQKBgClZWuu9jZzTNkq79WND+K9BQ/LR
vrcaZXJLUuDx+vMCIBoRKcTY+XpvCwZvFMQj7eN5i4TUh1Y4B4yco+FjzR85KDCz
q9KuLsJzGcxQQSfcAzDhhLAEhoEaR0ud/F+ltL+RRRv/Pv8DVJG02rWfiFliKecb
Y2lS6I7VarAeo4ahAkEAkTXj5VW3w40YhnWoh/hyoCcCa2ic+HIM11hlALQiXE3P
KLGj+WeVNzzRveNhQDjDwYZBBl5rvSinhFJ8glXjbQJBAJE14+VVt8ONGIZ1qIf4
cqAnAmtonPhyDNdYZQC0IlxNzyixo/lnlTc80b3jYUA4w8GGQQZea70op4RSfIJV
5J8CQHq8lC4p77NoNUyhcpvLEgfwMQlcWSFeNSBn5KddmpVuZyU8UR7jwKn5zEa2
RGMmF8AhnCCn+mTeUgl0Ny1rL1kCQCGUN64Jw2PqFdjKDn3a2w7j1nBmEZ52KTgH
Ddw6y5NSvuvnIEcFSAEtBEeH9C44sjPnStQhM4LbitlThc1R9XsCQCKkR++Zd/hF
okuUihZl79eQ1ekZyxgh5p51S/b3Gpo0BsDseESze3C7r4bRA/Vi4A82nbwU2h7n
Zd8mFVZPDUM=
-----END PRIVATE KEY-----
"""

encode_data = 'SLHAIOj8/1icVtP6fImtJz6B6wR0t/XwLg1G0Y3AxoxnseBfPONxoyjAWCCOH84IJULnCZZrO7cIRxJPS2PtmDD4MvD8/PIpoW8Gj8536vhwd+tyXjNKyLNyNYcj+JgO4N5FTnKtkONgv7KnsMjJC3E0eI0ctqmZll8SrXLUS9k='# Load the private key
private_key = serialization.load_pem_private_key(
    PRIVATE_KEY.encode(),
    password=None,
    backend=default_backend()
)

# Decrypt the data using the private key
ciphertext = base64.b64decode(encode_data)
plaintext = private_key.decrypt(
    ciphertext,
    PKCS1v15()
)

def isFlag(var, flag):
    return (var & flag) == flag

def toIP(var):
    var2 = (var & 0xFF000000) >> 24
    var4 = (var & 0x00FF0000) >> 16
    var6 = (var & 0x0000FF00) >> 8
    var8 = var & 0x000000FF
    return f"{var2}.{var4}.{var6}.{var8}"

def getName(var0):
    # Your existing getName function remains unchanged
    if var0 == 37:
        return "IBM037"
    elif var0 == 437:
        return "IBM437"
    elif var0 == 500:
        return "IBM500"
    elif var0 == 708:
        return "ISO-8859-6"
    elif var0 == 709:
        return ""
    elif var0 == 710:
        return ""
    elif var0 == 720:
        return "IBM437"
    elif var0 == 737:
        return "x-IBM737"
    elif var0 == 775:
        return "IBM775"
    elif var0 == 850:
        return "IBM850"
    elif var0 == 852:
        return "IBM852"
    elif var0 == 855:
        return "IBM855"
    elif var0 == 857:
        return "IBM857"
    elif var0 == 858:
        return "IBM00858"
    elif var0 == 860:
        return "IBM860"
    elif var0 == 861:
        return "IBM861"
    elif var0 == 862:
        return "IBM862"
    elif var0 == 863:
        return "IBM863"
    elif var0 == 864:
        return "IBM864"
    elif var0 == 865:
        return "IBM865"
    elif var0 == 866:
        return "IBM866"
    elif var0 == 869:
        return "IBM869"
    elif var0 == 870:
        return "IBM870"
    elif var0 == 874:
        return "x-windows-874"
    elif var0 == 875:
        return "IBM875"
    elif var0 == 932:
        return "Shift_JIS"
    elif var0 == 936:
        return "x-mswin-936"
    elif var0 == 949:
        return "x-windows-949"
    elif var0 == 950:
        return "Big5"
    elif var0 == 1026:
        return "IBM1026"
    elif var0 == 1047:
        return "IBM1047"
    elif var0 == 1140:
        return "IBM01140"
    elif var0 == 1141:
        return "IBM01141"
    elif var0 == 1142:
        return "IBM01142"
    elif var0 == 1143:
        return "IBM01143"
    elif var0 == 1144:
        return "IBM01144"
    elif var0 == 1145:
        return "IBM01145"
    elif var0 == 1146:
        return "IBM01146"
    elif var0 == 1147:
        return "IBM01147"
    elif var0 == 1148:
        return "IBM01148"
    elif var0 == 1149:
        return "IBM01149"
    elif var0 == 1200:
        return "UTF-16LE"
    elif var0 == 1201:
        return "UTF-16BE"
    elif var0 == 1250:
        return "windows-1250"
    elif var0 == 1251:
        return "windows-1251"
    elif var0 == 1252:
        return "windows-1252"
    elif var0 == 1253:
        return "windows-1253"
    elif var0 == 1254:
        return "windows-1254"
    elif var0 == 1255:
        return "windows-1255"
    elif var0 == 1256:
        return "windows-1256"
    elif var0 == 1257:
        return "windows-1257"
    elif var0 == 1258:
        return "windows-1258"
    elif var0 == 1361:
        return "x-Johab"
    elif var0 == 10000:
        return "x-MacRoman"
    elif var0 == 10001:
        return ""
    elif var0 == 10002:
        return ""
    elif var0 == 10003:
        return ""
    elif var0 == 10004:
        return "x-MacArabic"
    elif var0 == 10005:
        return "x-MacHebrew"
    elif var0 == 10006:
        return "x-MacGreek"
    elif var0 == 10007:
        return "x-MacCyrillic"
    elif var0 == 10008:
        return ""
    elif var0 == 10010:
        return "x-MacRomania"
    elif var0 == 10017:
        return "x-MacUkraine"
    elif var0 == 10021:
        return "x-MacThai"
    elif var0 == 10029:
        return "x-MacCentralEurope"
    elif var0 == 10079:
        return "x-MacIceland"
    elif var0 == 10081:
        return "x-MacTurkish"
    elif var0 == 10082:
        return "x-MacCroatian"
    elif var0 == 12000:
        return "UTF-32LE"
    elif var0 == 12001:
        return "UTF-32BE"
    elif var0 == 20000:
        return "x-ISO-2022-CN-CNS"
    elif var0 == 20001:
        return ""
    elif var0 == 20002:
        return ""
    elif var0 == 20003:
        return ""
    elif var0 == 20004:
        return ""
    elif var0 == 20005:
        return ""
    elif var0 == 20105:
        return ""
    elif var0 == 20106:
        return ""
    elif var0 == 20107:
        return ""
    elif var0 == 20108:
        return ""
    elif var0 == 20127:
        return "US-ASCII"
    elif var0 == 20261:
        return ""
    elif var0 == 20269:
        return ""
    elif var0 == 20273:
        return "IBM273"
    elif var0 == 20277:
        return "IBM277"
    elif var0 == 20278:
        return "IBM278"
    elif var0 == 20280:
        return "IBM280"
    elif var0 == 20284:
        return "IBM284"
    elif var0 == 20285:
        return "IBM285"
    elif var0 == 20290:
        return "IBM290"
    elif var0 == 20297:
        return "IBM297"
    elif var0 == 20420:
        return "IBM420"
    elif var0 == 20423:
        return ""
    elif var0 == 20424:
        return "IBM424"
    elif var0 == 20833:
        return ""
    elif var0 == 20838:
        return "IBM-Thai"
    elif var0 == 20866:
        return "KOI8-R"
    elif var0 == 20871:
        return "IBM871"
    elif var0 == 20880:
        return ""
    elif var0 == 20905:
        return ""
    elif var0 == 20924:
        return ""
    elif var0 == 20932:
        return "EUC-JP"
    elif var0 == 20936:
        return "GB2312"
    elif var0 == 20949:
        return ""
    elif var0 == 21025:
        return "x-IBM1025"
    elif var0 == 21027:
        return ""
    elif var0 == 21866:
        return "KOI8-U"
    elif var0 == 28591:
        return "ISO-8859-1"
    elif var0 == 28592:
        return "ISO-8859-2"
    elif var0 == 28593:
        return "ISO-8859-3"
    elif var0 == 28594:
        return "ISO-8859-4"
    elif var0 == 28595:
        return "ISO-8859-5"
    elif var0 == 28596:
        return "ISO-8859-6"
    elif var0 == 28597:
        return "ISO-8859-7"
    elif var0 == 28598:
        return "ISO-8859-8"
    elif var0 == 28599:
        return "ISO-8859-9"
    elif var0 == 28603:
        return "ISO-8859-13"
    elif var0 == 28605:
        return "ISO-8859-15"
    elif var0 == 29001:
        return ""
    elif var0 == 38598:
        return "ISO-8859-8"
    elif var0 == 50220:
        return "ISO-2022-JP"
    elif var0 == 50221:
        return "ISO-2022-JP-2"
    elif var0 == 50222:
        return "ISO-2022-JP"
    elif var0 == 50225:
        return "ISO-2022-KR"
    elif var0 == 50227:
        return "ISO-2022-CN"
    elif var0 == 50229:
        return "ISO-2022-CN"
    elif var0 == 50930:
        return "x-IBM930"
    elif var0 == 50931:
        return ""
    elif var0 == 50933:
        return "x-IBM933"
    elif var0 == 50935:
        return "x-IBM935"
    elif var0 == 50936:
        return ""
    elif var0 == 50937:
        return "x-IBM937"
    elif var0 == 50939:
        return "x-IBM939"
    elif var0 == 51932:
        return "EUC-JP"
    elif var0 == 51936:
        return "GB2312"
    elif var0 == 51949:
        return "EUC-KR"
    elif var0 == 51950:
        return ""
    elif var0 == 52936:
        return "GB2312"
    elif var0 == 54936:
        return "GB18030"
    elif var0 == 57002:
        return "x-ISCII91"
    elif var0 == 57003:
        return "x-ISCII91"
    elif var0 == 57004:
        return "x-ISCII91"
    elif var0 == 57005:
        return "x-ISCII91"
    elif var0 == 57006:
        return "x-ISCII91"
    elif var0 == 57007:
        return "x-ISCII91"
    elif var0 == 57008:
        return "x-ISCII91"
    elif var0 == 57009:
        return "x-ISCII91"
    elif var0 == 57010:
        return "x-ISCII91"
    elif var0 == 57011:
        return "x-ISCII91"
    elif var0 == 65000:
        return ""
    elif var0 == 65001:
        return "UTF-8"
    else:
        return ""

if plaintext[0:4] == b'\x00\x00\xBE\xEF':

    # 16
    raw_aes_keys = plaintext[8:24]

    # 2
    var9 = plaintext[24:26]
    var9 = int.from_bytes(var9, byteorder='little', signed=False)
    var9 = getName(var9)
    # 2
    var10 = plaintext[26:28]
    var10 = int.from_bytes(var10, byteorder='little', signed=False)
    var10 = getName(var10)

    # 4
    id = plaintext[28:32]
    id = int.from_bytes(id, byteorder='big', signed=False)
    print("Beacon id:{}".format(id))

    # 4
    pid = plaintext[32:36]
    pid = int.from_bytes(pid, byteorder='big', signed=False)
    print("pid:{}".format(pid))

    # 2
    port = plaintext[36:38]
    port = int.from_bytes(port, byteorder='big', signed=False)
    print("port:{}".format(port))

    # 1
    flag = plaintext[38:39]
    flag = int.from_bytes(flag, byteorder='big', signed=False)

    if isFlag(flag, 1):
        barch = ""
        pid = ""
        is64 = ""
    elif isFlag(flag, 2):
        barch = "x64"
    else:
        barch = "x86"

    if isFlag(flag, 4):
        is64 = "1"
    else:
        is64 = "0"

    if isFlag(flag, 8):
        bypassuac = "True"
    else:
        bypassuac = "False"

    print("barch:" + barch)
    print("is64:" + is64)
    print("bypass:" + bypassuac)

    # 2
    var_1 = plaintext[39:40]
    var_2 = plaintext[40:41]
    var_1 = int.from_bytes(var_1, byteorder='big', signed=False)
    var_2 = int.from_bytes(var_2, byteorder='big', signed=False)
    windows_var = str(var_1) + "." + str(var_2)
    print("windows var:" + windows_var)

    # 2
    windows_build = plaintext[41:43]
    windows_build = int.from_bytes(windows_build, byteorder='big', signed=False)
    print("windows build:{}".format(windows_build))

    # 4
    x64_P = plaintext[43:47]

    # 4
    ptr_gmh = plaintext[47:51]
    # 4
    ptr_gpa = plaintext[51:55]

    # if ("x64".equals(this.barch)) {
    # this.ptr_gmh = CommonUtils.join(var10, this.ptr_gmh)
    # this.ptr_gpa = CommonUtils.join(var10, this.ptr_gpa)
    # }
    #
    # this.ptr_gmh = CommonUtils.bswap(this.ptr_gmh)
    # this.ptr_gpa = CommonUtils.bswap(this.ptr_gpa)

    # 4
    intz = plaintext[55:59]
    intz = int.from_bytes(intz, byteorder='little', signed=False)
    intz = toIP(intz)

    if intz == "0.0.0.0":
        intz = "unknown"
    print("host:" + intz)

    if var9 is None:
        ddata = plaintext[59:].decode("ISO8859-1")
    else:
        ddata = plaintext[59:].decode("ISO8859-1")

    ddata = ddata.split("\t")
    if len(ddata) > 0:
        computer = ddata[0]
    if len(ddata) > 1:
        username = ddata[1]
    if len(ddata) > 2:
        process = ddata[2]

    print("PC name:" + computer)
    print("username:" + username)
    print("process name:" + process)

    raw_aes_hash256 = hashlib.sha256(raw_aes_keys)
    digest = raw_aes_hash256.digest()
    aes_key = digest[0:16]
    hmac_key = digest[16:]

    print("AES key:{}".format(aes_key.hex()))
    print("HMAC key:{}".format(hmac_key.hex()))

    print("Ciphertext:")
    print(plaintext.hex())

在流1382处传了一个流量包，提取出来

import hmac
import binascii
import base64
import hexdump
from Crypto.Cipher import AES
AES_KEY = binascii.unhexlify("9fe14473479a283821241e2af78017e8")
HMAC_KEY = binascii.unhexlify("1e3d54f1b9f0e106773a59b7c379a89d")
encrypt_data = "hex" #把上面图中的Data部分复制过来
def decrypt(encrypted_data, iv_bytes, signature, AES_KEY, hmac_key):
    cipher = AES.new(AES_KEY, AES.MODE_CBC, iv_bytes)
    return cipher.decrypt(encrypted_data)
encrypt_data = bytes.fromhex(encrypt_data)
try:
    encrypt_data_length = int.from_bytes(encrypt_data[:4], byteorder='big', signed=False)
    encrypt_data_l = encrypt_data[4:]
    data1 = encrypt_data_l[:encrypt_data_length-16]
    signature = encrypt_data_l[encrypt_data_length-16:encrypt_data_length]
    iv_bytes = b"abcdefghijklmnop"
    dec = decrypt(data1, iv_bytes, signature, AES_KEY, HMAC_KEY)
except:
    dec = decrypt(encrypt_data, iv_bytes, signature, AES_KEY, HMAC_KEY)
print("counter: {}".format(int.from_bytes(dec[:4], byteorder='big', signed=False)))
print("任务返回长度: {}".format(int.from_bytes(dec[4:8], byteorder='big', signed=False)))
print("任务输出类型: {}".format(int.from_bytes(dec[8:12], byteorder='big', signed=False)))
print(hexdump.hexdump(dec[:1000]))
open('secret.pcapng','wb').write(dec[64:-76])

打开流量包，发现里面全都是27015端口在通讯，查询可知这是游戏cs1.6的流量包

接下来根据这篇文章来解密

将下面这个cpp文件编译成so文件

extern "C"
{
    int _LongSwap(int l)
    {
        unsigned int res = __builtin_bswap32(*(unsigned int *)&l);
        return *(int *)&(res);
    }

    const unsigned char mungify_table[] =
        {
            0x7A, 0x64, 0x05, 0xF1,
            0x1B, 0x9B, 0xA0, 0xB5,
            0xCA, 0xED, 0x61, 0x0D,
            0x4A, 0xDF, 0x8E, 0xC7};

    const unsigned char mungify_table2[] =
        {
            0x05, 0x61, 0x7A, 0xED,
            0x1B, 0xCA, 0x0D, 0x9B,
            0x4A, 0xF1, 0x64, 0xC7,
            0xB5, 0x8E, 0xDF, 0xA0};

    unsigned char mungify_table3[] =
        {
            0x20, 0x07, 0x13, 0x61,
            0x03, 0x45, 0x17, 0x72,
            0x0A, 0x2D, 0x48, 0x0C,
            0x4A, 0x12, 0xA9, 0xB5};

    void COM_UnMunge2(unsigned char *data, int len, int seq)
    {
        int i;
        int mungelen;
        int c;
        int *pc;
        unsigned char *p;
        int j;

        mungelen = len & ~3;
        mungelen /= 4;

        for (i = 0; i < mungelen; i++)
        {
            pc = (int *)&data[i * 4];
            c = *pc;
            c ^= seq;

            p = (unsigned char *)&c;
            for (j = 0; j < 4; j++)
            {
                *p++ ^= (0xa5 | (j << j) | j | mungify_table2[(i + j) & 0x0f]);
            }

            c = _LongSwap(c);
            c ^= ~seq;
            *pc = c;
        }
    }
}

g++ -fPIC -shared -o dll.so 1.cpp

然后用下面的程序加载编译出的dll.so解密流量

# -*- coding: UTF-8 -*-
from scapy.all import *
from ctypes import *
import struct

lib=CDLL('./dll.so')
COM_UnMunge=lib.COM_UnMunge2

pcaps = rdpcap("secret.pcapng")

f=open('res','wb')
for mpacket in pcaps.filter(lambda x:UDP in x and x[UDP].sport==27015):
    # mpacket.show()
    udp=mpacket[UDP]
    data=bytes(udp.payload)[8:]
    seq=bytes(udp.payload)[:4]
    ack=bytes(udp.payload)[4:8]
    c=create_string_buffer(data)
    COM_UnMunge(c,len(data),seq[0])
    print(mpacket.time,mpacket[IP].src,'->',mpacket[IP].dst)
    decode_bytes=bytes(c)
    if len(decode_bytes)>10:
        if struct.unpack('<L', seq)[0] & (1<<30):
            if len(decode_bytes)>10+struct.unpack('<h', decode_bytes[7:9])[0]+1:
                print('find extra data block:')
                print(decode_bytes[10+struct.unpack('<h', decode_bytes[7:9])[0]:])
            decode_bytes=decode_bytes[10:10+struct.unpack('<h', decode_bytes[7:9])[0]]
        f.write(decode_bytes)
    print(f'finally decode data:{decode_bytes}\nlength:{len(decode_bytes)}')        
f.close

在得到的res文件中搜索不难找到flag