2024 HuaWeiCup misc partial WriteUp

Draw_what_you_like

flag1

There is a flag.txt on the desktop; dump it directly with Volatility.

image

image

flag2

Searching for flag2 turns up a flag2.zip.

image

Extract it; inside is a SQLite file.

image

It holds the password Digital5211314.

There is also a draw.zip on the desktop; extract it, the password is the same as above.

Inside is a pcap of drawing-tablet (USB HID) traffic. Process it with a script:

import subprocess
import matplotlib.pyplot as plt

# Dump the USB HID report payloads and drop packets that carry none.
# Depending on the tshark version the field prints as "0280a1..." or
# "02:80:a1:...", so strip any colons before slicing by character offset.
out = subprocess.run(
    ["tshark", "-r", "draw.pcap", "-T", "fields", "-e", "usbhid.data"],
    capture_output=True, text=True, check=True,
).stdout
reports = [line.replace(":", "") for line in out.splitlines() if line.strip()]

X = []
Y = []
for rep in reports:
    # Byte 8 (chars 16..17) is non-zero only while the pen is pressed on this
    # tablet; hover reports would otherwise draw stray points.
    if len(rep) < 18 or rep[16:18] == "00":
        continue
    # X is bytes 2-3 and Y is bytes 4-5 of the report, little-endian 16-bit.
    x = int(rep[4:6], 16) + int(rep[6:8], 16) * 256
    y = int(rep[8:10], 16) + int(rep[10:12], 16) * 256
    X.append(x)
    Y.append(-y)  # HID y grows downward; negate so the drawing is upright

fig = plt.figure()
ax1 = fig.add_subplot(111)
ax1.set_title("result")
ax1.scatter(X, Y, c="b", marker="o")
plt.show()

image

flag3

The attachment is secret.zip; its size is exactly 50 MB, which suggests a VeraCrypt container.

While browsing the files there is one named 打什么CTF.jpg.

image

Extract it, open it in WinHex and delete the trailing null bytes, then mount secret.zip with it as the keyfile.

image

flag03:Verakey_graph}

Secret of the Varied Gif

binwalk carves out a file named decode that holds SVG path data. A script to render it:

import matplotlib.pyplot as plt
from svg.path import parse_path, Line, CubicBezier, QuadraticBezier, Arc
# SVG path data; each sub-path is one list element
svg_paths = [['m320.66772,62.66697c0,0 0,0.59068 0,1.77203c0,2.36269 0,5.90674 0,8.26943c0,3.54405 0,8.26944 0,10.63214c0,2.95337 0,5.90674 0,10.04146c0,3.54405 0,5.31607 0,7.67877c0,1.18135 0,3.54404 0,5.31606c0,1.77203 0,3.54405 0,4.7254c0,1.18135 0,2.95337 0,4.13471c0,1.18135 0,2.3627 0,3.54405c0,0.59067 0,2.36269 0,3.54404c0,0.59067 0,2.36269 0,2.95337c0,1.77203 0,2.95338 0,4.13472c0,1.77202 0,3.54404 0,4.72539c0,1.18135 0,2.95338 0,4.13472c0,1.77202 0,2.95337 0,4.13471c0,1.18135 0,2.3627 0,3.54405c0,1.18135 0,2.36269 0,3.54404c0,1.18135 0,2.36269 0,3.54404c0,1.18136 0,1.18136 0,2.3627c0,1.18135 0,1.77202 0,2.36269c0,1.18135 0,1.77202 0,2.36269c0,1.18135 0,1.77202 0,2.95337c0,0.59068 0,1.18136 0,1.77203c0,0.59067 0,1.18135 0,1.77202c0,0.59067 0,0.59067 0,2.36269c0,0.59067 0,1.18135 0,1.77202c0,0 0,0.59067 0,1.18135c0,0 -0.34444,0.48657 -0.70833,1.77203c-0.16275,0.57487 -0.54214,0.6806 0,1.77202c0.38335,0.77175 0.70833,1.18135 0.70833,1.18135c-1.41667,0 -1.41667,0 -2.125,0c-0.70833,0 -0.70833,0 -1.41667,0c-0.70833,0 -0.70833,0 -1.41667,0c-0.70833,0 -2.83333,0 -3.54167,0c-1.41669,0 -2.12502,0 -2.83336,0c-1.41667,0 -2.125,0 -3.54167,0c-0.70833,0 -0.70833,0 -2.125,0c0,0 -0.70833,0 -1.41667,0c-0.70833,0 -1.41667,0 -1.41667,0c-0.70833,0 -1.41667,0 -2.125,0c-0.70833,0 -1.41667,0 -2.125,0c0,0 -0.70833,0 -1.41667,0c0,0 -0.70833,0 -2.125,0c-0.70833,0 -2.125,0 -2.125,0c-0.70833,0 -2.125,0 -2.83336,0c0,0 -1.41667,0 -2.125,0c-0.70833,0 -0.70833,0 -1.41667,0c-0.70833,0 -0.70833,0 -2.125,0c0,0 -1.41667,0 -2.125,0c-0.70833,0 -2.125,0 -2.83333,0c-1.41667,0 -2.125,0 -2.125,0c-1.41667,0 -2.125,0 -2.83333,0c-0.70833,0 -1.41667,0 -1.41667,0c-0.70833,0 -2.125,0 -2.83333,0c-1.41667,0 -1.41667,0 -2.12502,0c-1.41667,0 -2.125,0 -3.54167,0c0,0 -0.70833,0 -2.125,0c-0.70833,0 -2.125,0 -2.125,0c-0.70833,0 -2.125,0 -2.83333,0c0,0 -2.125,0 -3.54167,0c-0.70833,0 -2.125,0 -3.54167,0c-1.41667,0 -1.41667,0 -2.125,0c-0.70833,0 -1.41668,0 -2.12501,0c-1.41667,0 -2.125,0 -2.83333,0c-0.70833,0 
-1.41667,0 -1.41667,0c-0.70833,0 -1.41668,0 -2.12501,0c-0.70833,0 -1.41667,0 -2.125,0l0,0'], ['m518.66791,60.66697c0,0 0,0.59067 0,1.77203c0,2.36269 0,5.90674 0,8.26943c0,3.54405 0,8.26944 0,10.63214c0,2.95337 0,5.90674 0,10.04146c0,3.54405 0,5.31607 0,7.67877c0,1.18135 0,3.54404 0,5.31606c0,1.77203 0,3.54405 0,4.72539c0,1.18135 0,2.95337 0,4.13472c0,1.18135 0,2.36271 0,3.54405c0,0.59067 0,2.36269 0,3.54404c0,0.59067 0,2.36269 0,2.95337c0,1.77203 0,2.95337 0,4.13472c0,1.77202 0,3.54404 0,4.72539c0,1.18135 0,2.95338 0,4.13473c0,1.77202 0,2.95337 0,4.13472c0,1.18135 0,2.3627 0,3.54405c0,1.18135 0,2.36269 0,3.54404c0,1.18135 0,2.36269 0,3.54404c0,1.18136 0,1.18136 0,2.36271c0,1.18135 0,1.77202 0,2.36269c0,1.18135 0,1.77202 0,2.36269c0,1.18135 0,1.77202 0,2.95337c0,0.59068 0,1.18135 0,1.77203c0,0.59067 0,1.18135 0,1.77202c0,0.59067 0,0.59067 0,2.36269c0,0.59067 0,1.18135 0,1.77202c0,0 0,0.59067 0,1.18135c0,0 -0.29581,0.48658 -0.60833,1.77203c-0.13978,0.57487 -0.46561,0.6806 0,1.77202c0.32922,0.77175 0.60833,1.18135 0.60833,1.18135c-1.21667,0 -1.21667,0 -1.825,0c-0.60833,0 -0.60833,0 -1.21667,0c-0.60833,0 -0.60833,0 -1.21667,0c-0.60833,0 -2.43333,0 -3.04167,0c-1.21669,0 -1.82502,0 -2.43336,0c-1.21667,0 -1.825,0 -3.04167,0c-0.60833,0 -0.60833,0 -1.825,0c0,0 -0.60833,0 -1.21667,0c-0.60833,0 -1.21667,0 -1.21667,0c-0.60833,0 -1.21667,0 -1.825,0c-0.60833,0 -1.21667,0 -1.825,0c0,0 -0.60833,0 -1.21667,0c0,0 -0.60833,0 -1.825,0c-0.60833,0 -1.825,0 -1.825,0c-0.60833,0 -1.825,0 -2.43335,0c0,0 -1.21667,0 -1.825,0c-0.60833,0 -0.60833,0 -1.21667,0c-0.60833,0 -0.60833,0 -1.825,0c0,0 -1.21667,0 -1.825,0c-0.60833,0 -1.825,0 -2.43333,0c-1.21667,0 -1.825,0 -1.825,0c-1.21667,0 -1.825,0 -2.43333,0c-0.60833,0 -1.21667,0 -1.21667,0c-0.60833,0 -1.825,0 -2.43333,0c-1.21667,0 -1.21667,0 -1.82502,0c-1.21667,0 -1.825,0 -3.04167,0c0,0 -0.60833,0 -1.825,0c-0.60833,0 -1.825,0 -1.825,0c-0.60833,0 -1.825,0 -2.43333,0c0,0 -1.825,0 -3.04167,0c-0.60833,0 -1.825,0 -3.04167,0c-1.21667,0 -1.21667,0 
-1.825,0c-0.60833,0 -1.21667,0 -1.82501,0c-1.21667,0 -1.825,0 -2.43333,0c-0.60833,0 -1.21667,0 -1.21667,0c-0.60833,0 -1.21668,0 -1.82501,0c-0.60833,0 -1.21667,0 -1.825,0l0,0'], ['m350.66769,62.66697c0,0 0,0.58549 0,1.75648c0,2.34197 0,5.85492 0,8.19689c0,3.51296 0,8.1969 0,10.53888c0,2.92746 0,5.85493 0,9.95337c0,3.51296 0,5.26944 0,7.61141c0,1.17098 0,3.51295 0,5.26943c0,1.75648 0,3.51296 0,4.68394c0,1.17098 0,2.92746 0,4.09845c0,1.17098 0,2.34198 0,3.51297c0,0.58549 0,2.34197 0,3.51295c0,0.58549 0,2.34197 0,2.92746c0,1.75648 0,2.92747 0,4.09845c0,1.75648 0,3.51295 0,4.68394c0,1.17098 0,2.92747 0,4.09846c0,1.75648 0,2.92746 0,4.09845c0,1.17098 0,2.34197 0,3.51296c0,1.17098 0,2.34197 0,3.51295c0,1.17098 0,2.34197 0,3.51295c0,1.171 0,1.171 0,2.34198c0,1.17098 0,1.75648 0,2.34197c0,1.17098 0,1.75648 0,2.34197c0,1.17098 0,1.75648 0,2.92746c0,0.5855 0,1.17099 0,1.75648c0,0.58549 0,1.17098 0,1.75648c0,0.58549 0,0.58549 0,2.34197c0,0.58549 0,1.17098 0,1.75648c0,0 0,0.58549 0,1.17098c0,0 0.31202,0.48231 0.64167,1.75649c0.14744,0.56983 0.49113,0.67463 0,1.75648c-0.34726,0.76498 -0.64167,1.17098 -0.64167,1.17098c1.28333,0 1.28333,0 1.925,0c0.64167,0 0.64167,0 1.28333,0c0.64167,0 0.64167,0 1.28333,0c0.64167,0 2.56667,0 3.20834,0c1.28336,0 1.92503,0 2.56669,0c1.28333,0 1.925,0 3.20834,0c0.64167,0 0.64167,0 1.925,0c0,0 0.64167,0 1.28333,0c0.64167,0 1.28333,0 1.28333,0c0.64167,0 1.28333,0 1.925,0c0.64167,0 1.28333,0 1.925,0c0,0 0.64167,0 1.28333,0c0,0 0.64167,0 1.925,0c0.64167,0 1.925,0 1.925,0c0.64167,0 1.925,0 2.56669,0c0,0 1.28333,0 1.925,0c0.64167,0 0.64167,0 1.28333,0c0.64167,0 0.64167,0 1.925,0c0,0 1.28333,0 1.925,0c0.64167,0 1.925,0 2.56667,0c1.28333,0 1.925,0 1.925,0c1.28333,0 1.925,0 2.56667,0c0.64167,0 1.28333,0 1.28333,0c0.64167,0 1.925,0 2.56667,0c1.28333,0 1.28333,0 1.92502,0c1.28333,0 1.925,0 3.20834,0c0,0 0.64167,0 1.925,0c0.64167,0 1.925,0 1.925,0c0.64167,0 1.925,0 2.56667,0c0,0 1.925,0 3.20834,0c0.64167,0 1.925,0 3.20834,0c1.28333,0 1.28333,0 1.925,0c0.64167,0 
1.28334,0 1.92501,0c1.28333,0 1.925,0 2.56667,0c0.64167,0 1.28333,0 1.28333,0c0.64167,0 1.28335,0 1.92501,0c0.64167,0 1.28333,0 1.925,0l0,0'], ['m560.0764,60.66697c0,0 1.28169,0 1.28169,0c0.64085,0 1.28169,0 2.56338,0c1.28169,0 1.28169,0 1.92254,0c0.64085,0 1.28169,0 1.92254,0c0,0 1.28169,0 1.28169,0c1.28169,0 1.28169,0 2.56338,0c0,0 1.28169,0 1.28169,0c0.64085,0 1.28169,0 1.28169,0c0.64085,0 1.28169,0 1.28169,0c0.64085,0 1.28169,0 1.28169,0c0.64085,0 1.28169,0 1.92254,0c0.64085,0 0.64085,0 1.92254,0c0,0 0.64085,0 1.92254,0c0.64088,0 1.92257,0 1.92257,0c0.64085,0 1.28169,0 1.92254,0c0.64085,0 0.64085,0 1.92254,0c0.64085,0 1.92254,0 2.56338,0c0,0 1.28169,0 3.20423,0c0.64085,0 1.92254,0 1.92254,0c0.64085,0 1.28169,0 1.92254,0c0.64085,0 1.92254,0 2.56338,0c0.64085,0 1.28169,0 1.92254,0c0,0 1.28169,0 1.28169,0c1.28169,0 1.92254,0 2.56338,0c0.64085,0 1.28169,0 1.92254,0c0.64085,0 1.92254,0 2.56338,0c0.64085,0 1.92254,0 1.92254,0c0.64085,0 1.28169,0 1.28169,0c0.64085,0 1.28169,0 1.92254,0c0.64085,0 1.28169,0 1.92254,0c0,0 0.64085,0 1.28169,0c0.64085,0 1.28169,0 1.92254,0c0.64085,0 0.64085,0 1.92257,0c0.64085,0 1.28169,0 2.56338,0c0,0 1.28169,0 1.92254,0c0.64085,0 1.28169,0 1.92254,0c0,0 0.64085,0 1.28169,0c0,0 0.64085,0 1.28169,0c0.64085,0 1.28169,0 1.28169,0c1.28169,0 1.28169,0 1.92254,0c0.64085,0 0.64085,0 1.28169,0c0.64085,0 0.64085,0 1.92254,0c0,0 0.64085,0 1.28169,0c0.64085,0 1.28169,0 1.28169,0c0.64085,0 1.28169,0 1.28169,0c0.64085,0 1.28169,0 1.92254,0c0.64085,0 0.64085,0.61979 0.64085,1.23958c0,0.61979 0,1.23959 0,1.23959c0,0.61979 0,1.23958 0,1.85938c0,0.61979 -0.29402,0.42979 -0.64085,1.23959c-0.24525,0.57262 0,0.61979 0,1.23959c0,0.61979 0.14723,1.25616 0,1.85938c-0.32922,1.34882 -0.64085,1.23958 -0.64085,1.85938c0,0.61979 0,1.23958 0,1.85938c0,0.61979 0,1.23958 0,1.23958c0,0.61979 0,1.23958 0,1.85938c0,0.61979 0,1.23958 0,1.85938c0,0 -0.52831,0.06067 -1.28169,1.23958c-0.67382,1.05445 0,1.85938 0,2.47917c0,0 0,1.23958 0,1.23958c0,1.23958 0,1.85938 
0,2.47917c0,0 0,1.23959 0,1.85938c0,0.61979 0,1.23958 0,1.85938c0,0 0,1.23958 0,1.23958c0,0.6198 0,1.23959 0,1.23959c0,0.61979 0,1.23958 0,2.47917c0,0 0,0.61979 0,1.23959c0,0.61979 0,1.23958 0,1.23958c0,1.23958 0,1.23958 0,1.85938c0,0.61979 0,1.23958 0,1.85938c0,1.23958 0,1.23958 0,1.23958c0,0.61979 0,1.23958 0,1.85938c0,0.61979 0,0.61979 0,1.23958c0,0.6198 0,0.6198 0,1.23959c0,0.61979 0,1.23958 0,1.85938c0,0.61979 0,1.23958 -0.64085,2.47917c0,0 0,0.61979 0,1.23958c0,0 0,0.61979 0,1.23959c0,0 0.24525,0.66697 0,1.23958c-0.34682,0.8098 -0.64085,1.23958 -0.64085,1.85938c0,0.61979 0,0.61979 0,1.23958c0,1.23958 0,1.85938 0,2.47917c0,0.61979 -0.64085,0.61979 -0.64085,1.23958c0,0.61979 0,1.23959 0,1.85938c0,0.61979 -0.18771,0.80132 -0.64085,1.23958c-0.90627,0.87652 0.67382,1.42471 0,2.47917c-0.75338,1.17891 -1.28169,1.23958 -1.28169,1.23958c0,0.61979 0,1.23958 0,1.85938c0,0.61979 0,1.23958 0,1.85938c0,0.6198 0,1.23959 0,1.85938c0,0.61979 0,1.23958 0,1.85938c0,0 0,1.23958 0,1.23958c0,0.61979 0,1.23958 0,1.85938c0,0.61979 0,0.61979 0,1.85938c0,0 0,0.61979 0,1.23958c0,0 0,0.6198 0,1.23959c0,0 0,1.23958 0,1.23958c0,0.61979 0,1.23958 0,1.85938c0,0.61979 0,0.61979 0,1.85938c0,0.61979 0,1.23958 0,1.85938c0,0.61979 0,1.85938 0,2.47918c0,0.61979 0,1.23958 0,1.85938c0,0 0,1.23958 0,1.85938c0,0.61979 -0.24525,1.28677 0,1.85938c0.34682,0.8098 0.64085,1.23958 0.64085,1.23958c0,0.61979 0,1.23958 0,1.85938c0,0.6198 0,0.6198 0,1.23959c0,0.61979 0,0.61979 0,1.23958c0,0.61979 0,1.23958 0,1.85938c0,0.61979 0,1.23958 0,1.23958c0,0.61979 0,1.23958 0,1.85938c0,0.61979 0,1.23958 0,1.85938c0,0 0,0.61979 0,1.23959c0,0 0,0.61979 0,1.23958c0,0.61979 -0.29402,1.04958 -0.64085,1.85938c-0.24525,0.57261 0,0.61979 0,1.23958c0,0.61979 0,1.23958 0,1.85938c0,0 -0.64085,0 -1.28169,0.61979c0,0 -1.28169,0 -1.92254,0c-1.92254,0 -3.20423,0 -3.84507,0c-1.28169,0 -1.92254,0 -3.20423,0c0,0 -0.64085,0 -1.28169,0c-0.64085,0 -1.28169,0 -1.92254,0c-0.64085,0 -1.28169,0 -1.92254,0c-0.64088,0 -1.28173,0 
-1.28173,0c-1.28169,0 -1.28169,0 -1.92254,0c-0.64085,0 -1.92254,0 -1.92254,0c-0.64085,0 -1.28169,0 -3.20423,0c-0.64085,0 -1.92254,0 -2.56338,0c-0.64085,0 -1.92254,0 -2.56338,0c-0.64085,0 -1.92254,0 -3.20423,0.61979c-1.28169,0.61979 -2.56338,0.61979 -3.20423,0.61979c-0.64085,0 -1.28169,0 -1.92254,0c-0.64085,0 -1.28169,0 -1.28169,0c-1.28169,0 -1.92254,0 -2.56338,0c-1.28169,0 -1.28169,0 -1.92254,0c-1.28169,0 -1.92254,0 -3.20423,0c0,0 -1.28169,0 -1.92254,0c-0.64085,0 -1.92254,0 -3.20423,0c-0.64085,0 -1.28169,0 -2.56338,0c-0.64085,0 -1.28169,0 -1.92257,0c-0.64085,0 -1.28169,0 -1.92254,0c-0.64085,0 -1.28169,0 -1.28169,0c-0.64085,0 -1.28169,0 -3.20423,0c-0.64085,0 -0.64085,0 -1.92254,0c-0.64085,0 -1.28169,0 -1.28169,0c-1.28169,0 -2.56338,0 -3.20423,0c-0.64085,0 -1.28169,0 -1.92254,0c0,0 -0.64085,0 -1.28169,0c0,0 -0.64085,0 -1.28169,0c-1.28169,0 -1.92254,0 -2.56338,0c-1.28169,0 -2.56338,0 -2.56338,0c-0.64085,0 -1.28169,0 -1.92254,0c-0.64085,0 -0.64085,0.61979 -1.28169,0.61979c-0.64085,0 -0.64085,0 -1.92254,0l-0.64085,0l-0.64085,0'], ['m674.43176,77.337c0.57234,-0.49745 1.14469,-0.49745 1.71703,-0.49745c1.71703,0 2.28937,0 3.4341,0c1.14469,0 2.28937,0 2.86172,0c1.14469,0 1.71703,0 2.28937,0c1.14469,0 1.71703,0 2.28937,0c0.57234,0 0.57234,0 1.71703,0c0.57234,0 1.14469,0 1.71703,0c0.57234,0 1.14469,0 1.71703,0c1.14469,0 1.71703,0 2.28937,0c0,0 0.57234,0 1.14469,0c0.57234,0 1.14469,0 1.71703,0c0.57234,0 0.57234,0 2.28937,0c0.57234,0 1.14469,0 1.71703,0c0,0 1.14469,0 1.71703,0c0.57234,0 1.71703,0 2.86172,0c0.57234,0 1.14469,0 2.28937,0c0,0 0.57234,0 2.28937,0c0,0 2.28937,0 3.43406,0c1.14472,0 2.86175,0 4.00644,0c0.57234,0 2.33294,0.19037 2.86172,0c0.74781,-0.26922 1.71703,-0.49745 2.28937,-0.49745c0.57234,0 1.14469,0 1.14469,0c0,-0.49746 1.14469,-0.49746 1.71703,-0.49746c0.57234,0 1.71703,-0.49745 2.28937,-0.49745c1.71703,0 2.86172,0 3.43406,0c0.57234,0 1.73233,0.11429 2.28937,0c1.24561,-0.25556 1.71707,-0.99491 1.71707,-0.99491c1.14469,0 2.28937,0 3.43406,0c0,0 1.18828,0.19037 
1.71703,0c0.74778,-0.26922 1.71703,-0.49746 2.28937,-0.49746c1.14469,0 1.71703,-0.49745 2.86172,-0.49745c1.14469,0 2.11394,-0.22823 2.86172,-0.49745c1.05756,-0.38073 1.71703,0 3.43406,0c1.14469,0 2.28937,0 2.86172,0c1.14469,0 1.71703,0 2.28937,0c0.57234,0 1.14469,0 2.28937,0c0,0 0.57234,0 1.14469,0c0.57234,0 1.14469,0 2.28937,0c0,0 0.57234,0 1.14469,0c0.57234,0 1.14469,0 1.14469,0c1.14469,0 1.71703,0 2.86172,0c0.57234,0 1.14469,0 1.71703,0c1.14469,0 1.71703,0 2.28937,0c0.57234,0 1.14469,0 2.28937,0c1.14469,0 1.71703,0 2.28937,0c1.14469,0 1.71703,0 2.28937,0c0.57234,0 1.14469,0 1.71703,0c0.57234,0 0.57234,0 1.71703,0c0.57234,0 1.71703,0 2.28937,0c0,0 0.73995,-0.35175 1.14469,0c0.40473,0.35175 0,0.99491 0,1.49237c0,1.49236 0,1.98982 0,2.98473c0,1.49237 -0.4644,2.55426 -1.71703,3.97964c-1.09858,1.25015 -0.24062,2.52996 -0.57234,3.48219c-0.59798,1.71664 -0.61866,2.5405 -1.14469,4.47709c-0.29407,1.08259 -1.14469,2.98473 -1.14469,3.97964c0,1.98982 0.43296,3.51809 0,5.472c-0.58289,2.63054 -1.71703,3.48219 -1.71703,5.47201c0,0.99491 -0.57234,2.48727 -0.57234,3.48218c0,1.98982 0.52602,2.54051 0,4.4771c-0.29407,1.08259 -0.88171,2.01643 -1.14469,2.98473c-0.29407,1.08259 -1.14469,3.97964 -1.14469,4.97455c0,0.99491 0,2.98473 0,3.48218c0,1.49236 -0.85474,2.92432 -1.14469,4.4771c-0.09166,0.49103 0,1.98982 0,2.98473c0,0.99491 0.13149,2.50059 0,2.98474c-0.29407,1.08259 -0.29728,2.00909 -0.57234,3.48218c-0.28994,1.55278 0.08475,2.10342 -0.57234,3.48218c-0.30972,0.64996 -0.85474,1.43196 -1.14469,2.98474c-0.09166,0.49103 -0.27828,1.90214 -0.57234,2.98473c-0.26298,0.9683 0.13149,2.50059 0,2.98474c-0.29407,1.08259 -0.57234,1.98982 -0.57234,1.98982c0,0.99491 0,1.49236 0,2.98473c0,0 0,0.99491 0,1.49236c0,1.49237 0.21903,2.0277 0,2.48728c-0.30972,0.64996 -0.57234,0.99491 -0.57234,0.99491c0,0.99491 0,1.98982 0,2.48727c0,0.49745 0,0.49745 0,1.49236c0,0.49745 0,0.99492 0,0.99492c0,0.49745 0,0.99491 0,0.99491c0,0.99491 -0.57234,0.99491 -0.57234,0.99491c-1.14469,0 -4.57875,0 
-6.86812,0c-2.86172,0 -6.86812,0 -9.15749,0c-2.86172,0 -6.29578,0 -8.58515,0c-2.86172,0 -5.15109,0 -7.44046,0c-2.28937,0 -3.43406,0 -5.72347,0c-1.14469,0 -2.28937,0 -4.0064,0c-0.57234,0 -2.28937,0 -3.43406,0c-0.57234,0 -1.71703,0 -2.86172,0c-1.14469,0 -3.43406,0 -4.57875,0c-1.14469,0 -3.43406,0 -4.57878,0c-1.14469,0 -3.43406,0 -4.57875,0c-1.14469,0 -2.86172,0 -4.57875,0c0,0 -1.71703,0.49745 -2.28937,0.49745c-1.14469,0 -2.28937,0 -4.0064,0c-0.57234,0 -2.30467,0.38316 -2.86172,0.49745c-1.24557,0.25557 -2.28937,0.99491 -3.43406,0.99491c-0.57234,0 -1.71703,0 -2.28937,0c-0.57234,0 -1.14469,0 -1.71703,0c-0.57234,0 -1.14469,0 -1.71703,0c-0.57234,0 -1.14469,0 -2.28937,0c-0.57234,0 -1.14469,0 -1.14469,0c-0.57234,0 -1.14469,0 -1.14469,0c-1.14469,0.49745 -1.71703,0.49745 -2.28937,0.49745c0,0 -0.57234,0 -1.14472,0c0,0 -1.14469,0.49745 -1.14469,0.49745c-0.57234,0 -0.96922,0.76668 -1.71703,0.49745c-0.52878,-0.19037 0,-1.49236 0,-1.98982c0,-0.99491 0,-2.48727 0,-3.48218c0,-0.99492 0,-1.98983 0,-2.98474c0,-0.49745 0,-1.98982 0,-1.98982c0,-0.99491 0,-1.49236 0,-2.98473c0,0 0,-0.49746 0,-2.98474c0,-0.49745 0.27831,-1.90214 0.57234,-2.98473c0.26301,-0.9683 0,-2.48728 0,-2.98474c0,-0.99491 0,-1.98982 0,-2.98473c0,-0.99491 0,-2.48727 0,-3.48218c0,-0.99492 0,-1.98983 0,-2.48728c0,-0.99491 0,-2.98473 0,-3.48218c0,-0.99491 0,-1.98982 0,-2.98474c0,-0.49745 0,-2.48727 0,-3.97964c0,-1.49236 0,-1.98982 0,-2.98473c0,-0.49746 0,-1.98983 0,-2.48728c0,-1.49236 0.52518,-1.68481 1.14469,-2.98473c0.43806,-0.91918 0,-1.98982 0,-2.98474c0,-1.49236 0.28243,-1.92941 0.57234,-3.48218c0.09166,-0.49103 0.57234,-0.49745 0.57234,-1.49236c0,-0.99491 0,-1.98982 0,-2.48728c0,-0.49745 1.14472,-2.48728 1.14472,-2.98473c0,-1.49236 0,-1.98982 0,-2.98473c0,-0.49745 0,-1.49236 0,-2.48727c0,-0.49745 0,-0.99491 0,-1.98982c0,-0.99491 0,-1.98982 0,-2.48727c0,-1.49237 0,-1.98982 0,-2.98473c0,-0.49745 0,-1.49237 0,-1.98982c0,-0.49745 0,-0.99491 0,-1.98982c0,-0.49745 0,-0.99491 0,-1.49237c0,-0.49745 0,-0.99491 
0,-1.49236c0,-0.49745 0,-0.99491 0,-1.49236c0,-0.49745 0,-0.99491 0,-0.99491c0,-0.49745 0,-0.99491 0,-0.99491c0,-0.49745 0,-0.99491 0,-1.49236c0,-0.49745 0,-0.49745 0,-1.49237c0,0 0,-0.49746 0,-0.99491c0,-0.49745 0,-0.99491 0,-0.99491l0,-0.99491l-0.57234,-0.49745l0,-0.49745'], ['m1097.66841,53.66696c0,0 0,0.62695 0,1.88084c0,2.50777 0,6.26943 0,8.7772c0,3.76167 0,8.77721 0,11.285c0,3.13471 0,6.26943 0,10.65803c0,3.76167 0,5.6425 0,8.15027c0,1.25389 0,3.76167 0,5.64249c0,1.88083 0,3.76167 0,5.01556c0,1.25388 0,3.13471 0,4.3886c0,1.25389 0,2.50778 0,3.76168c0,0.62694 0,2.50777 0,3.76165c0,0.62694 0,2.50777 0,3.13471c0,1.88083 0,3.13472 0,4.38861c0,1.88083 0,3.76167 0,5.01555c0,1.25389 0,3.13472 0,4.38862c0,1.88082 0,3.13471 0,4.3886c0,1.25389 0,2.50778 0,3.76167c0,1.25389 0,2.50777 0,3.76167c0,1.25388 0,2.50777 0,3.76165c0,1.2539 0,1.2539 0,2.50778c0,1.25389 0,1.88083 0,2.50777c0,1.25388 0,1.88083 0,2.50777c0,1.25388 0,1.88083 0,3.13471c0,0.62695 0,1.25389 0,1.88083c0,0.62694 0,1.25389 0,1.88083c0,0.62694 0,0.62694 0,2.50777c0,0.62694 0,1.25388 0,1.88083c0,0 0,0.62694 0,1.25388c0,0 0.38497,0.51646 0.79167,1.88084c0.18191,0.61017 0.60594,0.72239 0,1.88082c-0.42844,0.81915 -0.79167,1.25389 -0.79167,1.25389c1.58334,0 1.58334,0 2.375,0c0.79167,0 0.79167,0 1.58334,0c0.79167,0 0.79167,0 1.58333,0c0.79167,0 3.16667,0 3.95834,0c1.58337,0 2.37502,0 3.1667,0c1.58334,0 2.375,0 3.95834,0c0.79166,0 0.79166,0 2.375,0c0,0 0.79167,0 1.58333,0c0.79167,0 1.58334,0 1.58334,0c0.79166,0 1.58333,0 2.375,0c0.79166,0 1.58333,0 2.375,0c0,0 0.79167,0 1.58333,0c0,0 0.79167,0 2.375,0c0.79167,0 2.37501,0 2.37501,0c0.79166,0 2.375,0 3.16668,0c0,0 1.58334,0 2.375,0c0.79167,0 0.79167,0 1.58334,0c0.79167,0 0.79167,0 2.375,0c0,0 1.58333,0 2.375,0c0.79167,0 2.375,0 3.16667,0c1.58333,0 2.375,0 2.375,0c1.58333,0 2.375,0 3.16667,0c0.79167,0 1.58333,0 1.58333,0c0.79167,0 2.375,0 3.16667,0c1.58334,0 1.58334,0 2.37502,0c1.58334,0 2.375,0 3.95834,0c0,0 0.79166,0 2.375,0c0.79167,0 2.375,0 2.375,0c0.79167,0 
2.375,0 3.16667,0c0,0 2.375,0 3.95833,0c0.79167,0 2.37501,0 3.95834,0c1.58333,0 1.58333,0 2.375,0c0.79167,0 1.58334,0 2.37501,0c1.58333,0 2.375,0 3.16667,0c0.79166,0 1.58333,0 1.58333,0c0.79167,0 1.58335,0 2.37501,0c0.79167,0 1.58334,0 2.37501,0l0,0'], ['m819.66669,80c0,0 1.14602,0 1.14602,0c0,1.17493 0,2.34987 0,2.34987c0,2.34987 1.48169,3.86893 2.29203,4.69973c0.81034,0.8308 1.49351,2.07887 2.29203,3.5248c2.32806,4.21557 1.7654,5.93753 2.29203,8.22453c0.58875,2.55695 3.63642,6.87656 4.58406,8.22453c1.49834,2.13132 0.3561,3.61909 1.14602,7.0496c0.58875,2.55695 3.43805,4.69973 3.43805,5.87466c0,1.17493 0.19837,3.35177 1.14602,4.69973c1.49834,2.13132 1.93971,3.74334 3.43805,5.87466c0.94765,1.34797 3.43805,5.87466 3.43805,5.87466c1.14602,1.17493 0.70745,3.61424 1.14602,4.69973c1.24044,3.07025 2.29203,2.34987 2.29203,3.5248c0,1.17493 1.14602,2.34987 2.29203,3.5248c0,0 1.34439,1.00191 2.29203,2.34987c1.49834,2.13132 2.29203,2.34987 2.29203,3.5248c0,1.17493 1.14602,1.17493 1.14602,2.34987c0,1.17493 1.14602,1.17493 1.14602,1.17493c1.14602,1.17493 1.48169,3.86893 2.29203,4.69973c0.81034,0.8308 1.14602,1.17493 2.29203,2.34987c0,0 1.67181,-0.36019 2.29203,1.17493c0.43857,1.08549 0,1.17493 1.14602,1.17493c1.14602,0 2.62771,0.8308 3.43805,0c1.62068,-1.66161 1.14602,-3.5248 2.29203,-4.69973c0,0 2.62771,-1.51906 3.43805,-2.34987c0.81034,-0.8308 1.14602,-2.34987 1.14602,-2.34987c0,-1.17493 0.79369,-2.56841 2.29203,-4.69973c0.94765,-1.34796 1.48169,-2.69399 2.29203,-3.5248c0.81034,-0.8308 2.29203,-1.17493 2.29203,-1.17493c0,-1.17493 1.14602,-2.34987 3.43805,-4.69973c1.14602,-1.17493 0.54349,-2.52535 1.14602,-3.5248c1.34725,-2.23486 3.08572,-3.74334 4.58406,-5.87466c1.89529,-2.69593 2.29203,-4.69973 3.43805,-5.87466c3.43805,-3.5248 3.29787,-5.95221 4.58406,-8.22453c2.07394,-3.664 3.43805,-4.69973 4.58406,-7.0496c1.14602,-2.34987 -0.05897,-2.70082 1.14602,-4.69973c1.34725,-2.23486 3.34362,-1.62948 4.58406,-4.69973c0.87714,-2.17099 2.46319,-4.08203 3.43805,-4.69973c2.17984,-1.38121 
1.34439,-3.35177 2.29203,-4.69973c1.49834,-2.13132 1.85346,-4.78916 2.29203,-5.87466c0.62022,-1.53513 1.23324,-3.07517 2.29203,-3.5248c1.49736,-0.63587 1.14602,-2.34987 1.14602,-2.34987l0,-1.17493l0,-1.17493'], ['m958.66669,166c1.22353,-4.35211 4.08349,-7.70326 6.11765,-11.60563c0.90966,-1.7452 2.67991,-4.18024 4.89412,-8.70423c1.37318,-2.80566 3.88238,-7.03988 4.89412,-8.70423c1.59968,-2.63157 2.18994,-5.91661 3.67059,-10.15493c1.04699,-2.99695 3.6157,-5.14878 4.89412,-10.15493c0.35457,-1.38846 1.22353,-5.80282 2.44706,-8.70423c1.22353,-2.90141 1.51059,-6.02368 2.44706,-8.70423c1.32435,-3.79088 1.58691,-6.69331 4.89412,-10.15493c2.05104,-2.1468 2.44706,-2.90141 2.44706,-2.90141c0,-1.4507 1.78489,-3.90738 2.44706,-5.80282c0.46823,-1.34028 0.7553,-3.01183 1.22353,-4.35211c0.66217,-1.89544 1.22353,-4.35211 1.22353,-5.80282c0,0 1.78489,0.44473 2.44706,-1.4507c0.46823,-1.34028 0,-1.4507 1.22353,-2.90141c1.22353,-1.4507 1.22353,-2.90141 1.22353,-2.90141c1.22353,0 2.44706,1.4507 2.44706,4.35211c0,1.4507 3.04202,5.54712 3.67059,8.70423c0.56225,2.82379 0.4129,3.35113 2.44706,7.25352c0.90966,1.7452 1.45115,3.90609 3.67059,5.80282c1.40373,1.19959 2.44706,4.35211 2.44706,4.35211c1.22353,2.90141 2.65885,5.58917 3.67059,7.25352c1.59968,2.63157 2.0709,4.62195 3.67059,7.25352c2.02348,3.3287 4.89412,5.80282 6.11765,8.70423c1.22353,2.90141 3.56977,3.46264 4.89412,7.25352c0.46816,1.34028 3.32072,6.1099 6.11757,10.15493c1.09702,1.5866 3.56977,2.01194 4.89412,5.80282c0.46823,1.34028 1.22353,2.90141 2.44706,4.35211c2.44706,2.90141 2.62972,3.58943 3.67059,4.35211c2.32728,1.7054 0.8473,3.17125 2.44706,5.80282c1.01174,1.66435 3.00849,2.45667 3.67059,4.35211c0.46823,1.34027 0,1.4507 1.22353,2.90141l0,1.4507']]
# Create the figure
fig, ax = plt.subplots()
ax.set_aspect('equal')

# All points, with NaN separators between sub-paths
all_x_points = []
all_y_points = []

for path_str in svg_paths:
    path = parse_path(path_str[0])
    current_x_points = []
    current_y_points = []

    # Move segments carry no geometry; every drawable segment is sampled at t = 0, 0.5, 1
    for segment in path:
        if isinstance(segment, Line):
            current_x_points += [segment.start.real, segment.end.real]
            current_y_points += [segment.start.imag, segment.end.imag]
        elif isinstance(segment, (CubicBezier, QuadraticBezier, Arc)):
            current_x_points.append(segment.start.real)
            current_y_points.append(segment.start.imag)
            for t in (0.0, 0.5, 1.0):
                point = segment.point(t)
                current_x_points.append(point.real)
                current_y_points.append(point.imag)

    all_x_points.extend(current_x_points)
    all_y_points.extend(current_y_points)
    # A NaN breaks the line between sub-paths so they are not joined up
    all_x_points.append(float('nan'))
    all_y_points.append(float('nan'))

ax.plot(all_x_points, all_y_points)

# Axis limits, ignoring the NaN separators (NaN != NaN)
xs = [v for v in all_x_points if v == v]
ys = [v for v in all_y_points if v == v]
ax.set_xlim(min(xs) - 10, max(xs) + 10)
ax.set_ylim(min(ys) - 10, max(ys) + 10)
# SVG's y axis points down, so the rendering comes out vertically mirrored

plt.title('SVG-title')
plt.xlabel('X-axis')
plt.ylabel('Y-axis')
plt.grid()
plt.show()

image

Pigpen cipher, but it renders upside down (SVG's y axis points down), so flip it vertically.

image

The last glyph does not match any pigpen symbol; guessing it is g gives acadesvg.

image

2024 1st "Great Wall Cup" (长城杯) Information Security Triathlon Offline Final: Forensics and Attribution Writeup

Task: What are the two IPs the attacker used against this server? (sorted by ASCII code ascending, space-separated)

202.1.1.1 202.1.1.129

image

image

Task: What login password is used in the vulnerable apk?

password663399

image

Task: What is the name of the file the attacker tried to upload that was rejected with "no upload permission"?

image

image

Task: What is the API address of the vulnerable endpoint the attacker exploited? (http://xxxx/xx)

image

Task: What is the absolute path of the webshell the attacker uploaded?

image

Connecting to the server, it can be found at /usr/local/tomcat/webapps/ROOT/static/s74e7vwmzs21d5x6.jsp

Task: What is the password of the uploaded webshell?

bing_pass

image

Task: What is the first command the attacker executed through the webshell?

pwd

Look at this shell: it works much like Behinder (冰蝎). It generates a random UUID, strips the hyphens, takes the first 16 characters as the key and writes that key to the response. So the first 16 characters of the corresponding response body are in fact the Behinder key, and the later traffic can be decrypted with it.

image

image

Import it into jadx and decompile.

image
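As an added illustration of the key handshake described above (example code written for this page, not the challenge's webshell and not Behinder's own source): the shell hands out uuid-without-hyphens[:16] in clear, and every later body is AES-128/ECB with PKCS#5 padding, base64-encoded, which is the wrapping Behinder uses. Behinder v3 would instead derive the key as md5(password)[:16], which is why that family of shells is normally decrypted by guessing the password; here the capture contains the key itself. The UUID, the key value and the `{"cmd":"pwd"}` payload below are constructed, and real Behinder request bodies decrypt to Java class bytes rather than text.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// HandshakeKey reproduces the shell's key negotiation as the writeup describes it:
// a random UUID, hyphens removed, first 16 characters. Those 16 ASCII characters
// are used directly as the AES-128 key, so the key is visible in clear in the
// response that carries it.
func HandshakeKey(uuid string) []byte {
	return []byte(strings.ReplaceAll(uuid, "-", "")[:16])
}

// NewUUID builds a version-4 UUID string from crypto/rand, which is what the
// server-side UUID.randomUUID() produces.
func NewUUID() (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	b[6], b[8] = b[6]&0x0f|0x40, b[8]&0x3f|0x80
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[:4], b[4:6], b[6:8], b[8:10], b[10:]), nil
}

// ecb applies AES to each 16-byte block independently (AES/ECB/PKCS5Padding on
// the Java side); ECB means identical plaintext blocks give identical ciphertext.
func ecb(key, in []byte, decrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(in) == 0 || len(in)%aes.BlockSize != 0 {
		return nil, errors.New("body is not a whole number of AES blocks")
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += aes.BlockSize {
		if decrypt {
			block.Decrypt(out[i:], in[i:])
		} else {
			block.Encrypt(out[i:], in[i:])
		}
	}
	return out, nil
}

// EncryptBody is the client side: PKCS#5 pad, AES/ECB, base64.
func EncryptBody(key, plaintext []byte) (string, error) {
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct, err := ecb(key, padded, false)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// DecryptBody is the analyst side: base64-decode the captured body, AES/ECB
// decrypt with the negotiated key, then strip and verify the PKCS#5 padding. A
// wrong key usually shows up here as bad padding, occasionally as garbage.
func DecryptBody(key []byte, body string) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(strings.TrimSpace(body))
	if err != nil {
		return nil, err
	}
	pt, err := ecb(key, ct, true)
	if err != nil {
		return nil, err
	}
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad padding: wrong key or not an encrypted body")
	}
	return pt[:len(pt)-pad], nil
}

func main() {
	// Constructed capture: the first response body is the 16-character key; a
	// later request body is an AES/ECB+base64 blob. A text payload stands in
	// for the Java class bytes a real Behinder client would send.
	key := HandshakeKey("3f2a9c1e-7b4d-4e6a-9c0b-1d2e3f4a5b6c")
	body, _ := EncryptBody(key, []byte(`{"cmd":"pwd"}`))
	pt, err := DecryptBody(key, body)
	fmt.Printf("key=%s\nbody=%s\nplaintext=%s err=%v\n", key, body, pt, err)
}
```

In a real capture you take the 16 characters from the first response body as the key and feed each subsequent request and response body to DecryptBody; the request side yields the uploaded class, the response side the command output (the "pwd" answer for this challenge).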

Task: After obtaining the webshell, what privilege did the attacker find when querying the current shell's permissions?

Same steps.

image

image

image

Task: What Linux distribution release did the attacker query through the webshell?

image

image

image

Task: What is the absolute path of the secret file the attacker downloaded from the server?

Connect to the server and look around: /usr/local/tomcat/webapps/ROOT/static/secert.file

Task: What is the first command the attacker executed over the reverse connection?

image

Task: Through which file did the attacker change the root password? (absolute path)

image

Task: What root password did the attacker set?

image

image

Task: What are the IP and port of the reverse connection of the backdoor the attacker left? (ip:port)

202.1.1.129:9999

It seems to be in /var/spool/mail/root

image

Or just look at the cron jobs; it is written there.

Task: What is the first command the attacker executed through the backdoor's reverse connection?

image

Task: Through which file did the attacker leave the backdoor?

Check the timestamps on the server

image

pam_unix.so

Task: What backdoor password did the attacker set?

image

ssh_back_pwd

Task: In which file does the attacker's backdoor log the root password? (absolute path)

image

/tmp/.sshlog

Here .sshlog was found through flag.sh, the challenge's own update script; it stores the earlier passwords 123456 and Come.1234, which counts as an unintended solution.

The Last Diary of Forensic

MemLabs Lab 4 | Obsession

Download link: MemLabs_Lab4

Challenge Description

My system was recently compromised. The Hacker stole a lot of information but he also deleted a very important file of mine. I have no idea on how to recover it. The only evidence we have, at this point of time is this memory dump. Please help me.

Note : This challenge is composed of only 1 flag.

The flag format for this lab is: inctf{s0me_l33t_Str1ng}


Progress

Flag

Not going into the usual preamble:

image

image

Heh, lucky~

image

Given the description, the file was deleted; try to recover it.

image

A word on the MFT:

  • The NTFS file system contains a file called the Master File Table, MFT for short. Every file on an NTFS volume has at least one entry in the MFT. An MFT entry stores all of a file's information: name, size, timestamps, permissions and the data content, or, where the content does not fit, a pointer to space outside the MFT that the entry describes.
  • As files are added to an NTFS volume, entries are added to the MFT and it grows. When files are deleted, their MFT entries are marked free and can be reused, but the disk space already allocated to those entries is not released and the MFT does not shrink. This is why a deleted file's entry, and with it a small file's content, often survives.
  • Files small enough to fit inside the entry are stored directly in the MFT record (resident files). With the usual 1024-byte record that means roughly up to 700 bytes once the record header and the other attributes are accounted for; anything larger is non-resident: the record holds only the location of the data, not the data itself.
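To make the resident/non-resident distinction concrete, an added example (not part of the original writeup and not mftparser's code): a minimal parser for one 1024-byte FILE record that applies the update-sequence fixups, walks the attribute list and returns the content of a resident unnamed $DATA attribute together with the in-use flag that deletion clears. SampleRecord builds a constructed record to run it against; the USN value 0x1234 and the content string are made up. The offsets follow the on-disk NTFS layout (attribute type at 0x00, length at 0x04, non-resident flag at 0x08, name length at 0x09, resident content size at 0x10 and offset at 0x14); mftparser scans a memory image for "FILE" signatures and does the same walk on each hit.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

const sectorSize, attrData, attrEnd = 512, 0x80, 0xFFFFFFFF

var le = binary.LittleEndian

// Entry is what one 1024-byte FILE record yields on its own.
type Entry struct {
	InUse    bool   // record flag bit 0; cleared on delete while the record stays
	Resident bool   // $DATA lives inside the record (small files)
	Content  []byte // file content when Resident; nil when only data runs exist
}

// applyFixups restores the last two bytes of every sector from the update sequence
// array: NTFS stamps the USN there to detect torn writes, so undo it before parsing.
func applyFixups(rec []byte) error {
	usaOff, n := int(le.Uint16(rec[4:])), int(le.Uint16(rec[6:]))
	if n < 2 || usaOff+2*n > len(rec) || (n-1)*sectorSize > len(rec) {
		return errors.New("update sequence array out of range")
	}
	for i := 1; i < n; i++ {
		end := i*sectorSize - 2
		if !bytes.Equal(rec[end:end+2], rec[usaOff:usaOff+2]) {
			return errors.New("USN mismatch: torn write or not an MFT record")
		}
		copy(rec[end:end+2], rec[usaOff+2*i:])
	}
	return nil
}

// ParseRecord walks the attribute list of a FILE record. An unnamed resident
// $DATA (non-resident flag at 0x08 clear, name length at 0x09 zero) carries the
// file content at the offset stored at 0x14 with its size at 0x10; a
// non-resident $DATA carries only data runs pointing at clusters elsewhere.
func ParseRecord(raw []byte) (*Entry, error) {
	if len(raw) < 0x38 || string(raw[:4]) != "FILE" {
		return nil, errors.New("not a FILE record")
	}
	rec := append([]byte(nil), raw...) // fixups patch in place; keep the input intact
	if err := applyFixups(rec); err != nil {
		return nil, err
	}
	e := &Entry{InUse: le.Uint16(rec[0x16:])&1 == 1}
	for off := int(le.Uint16(rec[0x14:])); off+8 <= len(rec); {
		typ, length := le.Uint32(rec[off:]), int(le.Uint32(rec[off+4:]))
		if typ == attrEnd {
			return e, nil
		}
		if length < 0x18 || off+length > len(rec) {
			return nil, errors.New("corrupt attribute length")
		}
		attr := rec[off : off+length]
		if typ == attrData && attr[8] == 0 && attr[9] == 0 {
			size, start := int(le.Uint32(attr[0x10:])), int(le.Uint16(attr[0x14:]))
			if start < 0x18 || start+size > len(attr) {
				return nil, errors.New("resident content exceeds attribute")
			}
			e.Resident, e.Content = true, attr[start:start+size]
		}
		off += length
	}
	return nil, errors.New("attribute list has no terminator")
}

// SampleRecord is a constructed in-use FILE record holding data as a resident
// $DATA attribute, protected with USN 0x1234 the way NTFS writes it to disk.
func SampleRecord(data []byte) []byte {
	rec := make([]byte, 2*sectorSize)
	copy(rec, "FILE")
	le.PutUint16(rec[4:], 0x30)    // update sequence array offset
	le.PutUint16(rec[6:], 3)       // USN + one saved word per sector
	le.PutUint16(rec[0x14:], 0x38) // first attribute
	le.PutUint16(rec[0x16:], 1)    // in use
	off, length := 0x38, (0x18+len(data)+7)&^7 // attribute length, 8-byte aligned
	le.PutUint32(rec[off:], attrData)
	le.PutUint32(rec[off+4:], uint32(length))
	le.PutUint32(rec[off+0x10:], uint32(len(data)))
	le.PutUint16(rec[off+0x14:], 0x18)
	copy(rec[off+0x18:], data)
	le.PutUint32(rec[off+length:], attrEnd)
	le.PutUint16(rec[0x30:], 0x1234)
	for i := 1; i <= 2; i++ { // save the real sector tails, then stamp the USN
		copy(rec[0x30+2*i:], rec[i*sectorSize-2:i*sectorSize])
		le.PutUint16(rec[i*sectorSize-2:], 0x1234)
	}
	return rec
}

func main() {
	e, err := ParseRecord(SampleRecord([]byte("inctf{constructed_sample}")))
	fmt.Printf("%+v %v\n", e, err)
}
```

Note what the parser does not do: it does not follow data runs, so a non-resident file comes back with Content nil, which is exactly the case where mftparser alone cannot recover the content and you have to go to the volume (or, in a memory image, to whatever cached pages survive).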

Volatility provides the mftparser plugin for viewing the system's MFT:

image

image

The string is scattered across the output: inctf{1_is_n0t_EQu4l_7o_2_bUt_th1s_d0s3nt_m4ke_s3ns3}

MemLabs Lab 5 | Black Tuesday

Download link: MemLabs Lab 5

Challenge Description

We received this memory dump from our client recently. Someone accessed his system when he was not there and he found some rather strange files being accessed. Find those files and they might be useful. I quote his exact statement,

The names were not readable. They were composed of alphabets and numbers but I wasn't able to make out what exactly it was.

Also, he noticed his most loved application that he always used crashed every time he ran it. Was it a virus?

Note-1 : This challenge is composed of 3 flags. If you think 2nd flag is the end, it isn't!! 😛

Note-2 : There was a small mistake when making this challenge. If you find any string which has the string " L4B_3_D0n3 !! " in it, please change it to " L4B_5_D0n3 !! " and then proceed.

Note-3 : You'll get the stage 2 flag only when you have the stage 1 flag.


Progress

Flag 1

Not much to say:

image

pslist

image

Spotted an odd process and checked the command-line history:

image

Unreadable indeed 🤔; extract them:

image

image

Hmm, Stage2.png looks like the second part, so the first part still has to be found.

This is where iehistory comes in (didn't see that coming, did you :P)

The iehistory plugin recovers fragments of IE's index.dat history/cache files. It extracts basic access-protocol links (http, ftp, etc.), redirect links (--REDR) and deleted entries (--LEAK). It is not limited to IE: it works for any process that loads and uses wininet.dll, which typically includes Windows Explorer and even malware samples.

image

Lucky; a familiar base64:

image

flag{!!_w3LL_d0n3_St4g3-1_0f_L4B_5_D0n3!!} (with the L4B_3 to L4B_5 substitution from Note-2)

Flag 2

With the first flag, decrypt the archive:

Stage2

It comes straight out

flag{W1thth1s$taGe_2_1sc0mPL3T3!!}

Flag 3

notepad.exe was seen earlier; extract its files, dump the executable and throw it into IDA:

image

JO8DJR0SR06JOJUUH

XFEMYOO44F8AMYCGF57J

flag3:bi0s{M3m_l4b5OVeR!}

MemLabs Lab 6 | The Reckoning

Download link: MemLabs Lab 6

Challenge Description

We received this memory dump from the Intelligence Bureau Department. They say this evidence might hold some secrets of the underworld gangster David Benjamin. This memory dump was taken from one of his workers whom the FBI busted earlier this week. Your job is to go through the memory dump and see if you can figure something out. FBI also says that David communicated with his workers via the internet so that might be a good place to start.

Note : This challenge is composed of 1 flag split into 2 parts.

The flag format for this lab is: inctf{s0me_l33t_Str1ng}


Progress

The first part of flag

...

image

Triage the suspicious processes:

image

Start with WinRAR.exe

image

image

Extract:

image

image

Classic, encrypted again...

image

🤔 Hmm, a bit forced:

image

flag2

First Part:aNAm4zINg!_igU3Ss???}

The second part of flag

There is also browser history; the plugin was installed earlier: https://github.com/superponible/volatility-plugins

image

Scrolling down, there is this entry:

image

One entry is the recycle bin:

image

Look at the link from the recycle bin:

Important - Google Docs (a Google document)

Uh, it's all Latin, but fortunately there's Google Translate

image

There is a cloud-drive link: Mega

image

Hmm, encrypted again

image

So finding the key by luck really doesn't work, sob

Just grep the whole image with strings:

strings Lab6.raw | grep "Mega Drive Key"

image

image

It won't open as is; drag it into WinHex

image

This has to be an uppercase IHDR; fix it by changing the hex byte 69 to 49

image
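The byte patch above can also be done programmatically and, more importantly, checked: a PNG chunk's CRC covers the chunk type and data, so after restoring the uppercase I the stored CRC must match again; if it does not, the damage goes beyond that one byte. The case of the first letter is what makes the byte fatal: a lowercase first letter marks a chunk as ancillary, so a decoder skips iHDR as an unknown chunk and then rejects the file for lacking a header. Added example, not from the writeup; the 1x1 sample PNG and the corruption are constructed here:

```go
package main

import (
	"bytes"
	"compress/zlib"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
	"image/png"
)

var pngSig = []byte("\x89PNG\r\n\x1a\n")

// chunk writes one PNG chunk: length, type, data, CRC-32 over type+data.
func chunk(w *bytes.Buffer, typ string, data []byte) {
	binary.Write(w, binary.BigEndian, uint32(len(data)))
	w.WriteString(typ)
	w.Write(data)
	binary.Write(w, binary.BigEndian, crc32.ChecksumIEEE(append([]byte(typ), data...)))
}

// SamplePNG builds a valid 1x1 8-bit grayscale PNG (constructed input for the demo).
func SamplePNG() []byte {
	var w bytes.Buffer
	w.Write(pngSig)
	ihdr := make([]byte, 13)
	binary.BigEndian.PutUint32(ihdr[0:], 1) // width
	binary.BigEndian.PutUint32(ihdr[4:], 1) // height
	ihdr[8] = 8                              // bit depth; colour type byte 9 = 0 (grayscale)
	chunk(&w, "IHDR", ihdr)
	var z bytes.Buffer
	zw := zlib.NewWriter(&z)
	zw.Write([]byte{0, 0x7f}) // filter byte 0 + one pixel
	zw.Close()
	chunk(&w, "IDAT", z.Bytes())
	chunk(&w, "IEND", nil)
	return w.Bytes()
}

// Corrupt reproduces the damage seen in the writeup: the 'I' of IHDR becomes 'i'.
func Corrupt(b []byte) []byte {
	c := append([]byte(nil), b...)
	c[12] = 'i' // 8-byte signature + 4-byte length, then the 4-byte type
	return c
}

// Repair walks the chunk list, restores the case of a first chunk whose type is
// IHDR in any casing, and verifies every stored CRC. Because the CRC covers the
// type bytes, it can only match once the original type is back, which confirms
// that the type byte was the only damage.
func Repair(b []byte) ([]byte, error) {
	if !bytes.HasPrefix(b, pngSig) {
		return nil, errors.New("missing PNG signature")
	}
	out := append([]byte(nil), b...)
	for off := len(pngSig); off+12 <= len(out); {
		n := int(binary.BigEndian.Uint32(out[off:]))
		if off+12+n > len(out) {
			return nil, errors.New("truncated chunk")
		}
		typ := out[off+4 : off+8]
		if off == len(pngSig) && bytes.EqualFold(typ, []byte("IHDR")) {
			copy(typ, "IHDR")
		}
		stored := binary.BigEndian.Uint32(out[off+8+n:])
		if crc32.ChecksumIEEE(out[off+4:off+8+n]) != stored {
			return nil, fmt.Errorf("chunk %q: CRC mismatch, damage goes beyond the type byte", typ)
		}
		if string(typ) == "IEND" {
			return out, nil
		}
		off += 12 + n
	}
	return nil, errors.New("no IEND chunk")
}

// Decodes reports whether Go's PNG decoder accepts the file.
func Decodes(b []byte) bool {
	_, err := png.Decode(bytes.NewReader(b))
	return err == nil
}

func main() {
	broken := Corrupt(SamplePNG())
	fixed, err := Repair(broken)
	fmt.Println("decodes before:", Decodes(broken), "after:", err == nil && Decodes(fixed))
}
```

Run it on the flag image by reading the file into Repair; a CRC error on the IHDR chunk would mean the header data itself was altered and a hex editor is still needed to compare the width/height/colour-type fields against what the rest of the file implies.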

flag_

Second part: inctf{thi5cH4LL3Ng3!s_g0nn4b3?_

综上,flag为:inctf{thi5cH4LL3Ng3!s_g0nn4b3?_aNAm4zINg!_igU3Ss???}

The Second Diary of Forensic

MemLabs Lab_2 | A New World

Download link: MemLabs Lab_2

Challenge description

One of the clients of our company, lost the access to his system due to an unknown error. He is supposedly a very popular "environmental" activist. As a part of the investigation, he told us that his go to applications are browsers, his password managers etc. We hope that you can dig into this memory dump and find his important stuff and give it back to us.

Note : This challenge is composed of 3 flags.


Progress

Flag 1

The usual:

image

Per the description, list the processes, focusing on browsers and password managers:

image

The description also hints at "environmental", so check the environment variables with envars:

image

Ah, that familiar base64 prefix

image

flag{w3lc0m3T0$T4g3_!_Of_L4B_2}

Flag 2

Back to the browsers: extract the browser history. Volatility does not ship this plugin:

https://github.com/superponible/volatility-plugins

volatility2 external plugins overview - Blus.King's blog - CSDN

Note: give the plugin location after --plugins, for example:

┌──(root㉿SanDieg0)-[/mnt/d/volatility-master]
└─# python2 vol.py  --plugins=./volatility/plugins/ -f "/mnt/f/Memlabs/lab2/Lab2.raw" --profile=Win7SP1x64 chromehistory

image

A download link turned up,

image

image

The third flag from the previous lab: flag{w3ll_3rd_stage_was_easy}

image

image

flag{oK_So_Now_St4g3_3_is_DoNE!!}

Flag 3

There's still one password-manager process, KeePass.exe, that we haven't used

KeePass stores credentials in a database with the .kdbx extension, protected by a master password (optionally combined with a key file)
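Before hunting for the master password it's worth reading the database's outer header, which is stored in the clear: it tells you whether the dumped file really is a KeePass 2 database, which KDBX version it is, which cipher it uses and how expensive the key derivation is (the same information John the Ripper's keepass2john extracts for offline cracking). The parser below is an added example, not part of the writeup or of KeePass itself; the two headers it parses are constructed in the code and are not the lab's Hidden.kdbx.

```python
import struct
import uuid

KDBX_SIG1 = 0x9AA2D903
KDBX2_SIG2 = 0xB54BFB67   # KeePass 2.x database (.kdbx)
KDBX1_SIG2 = 0xB54BFB65   # legacy KeePass 1.x database (.kdb), not handled here

HEADER_FIELDS = {
    0: "EndOfHeader", 1: "Comment", 2: "CipherID", 3: "CompressionFlags",
    4: "MasterSeed", 5: "TransformSeed", 6: "TransformRounds", 7: "EncryptionIV",
    8: "ProtectedStreamKey", 9: "StreamStartBytes", 10: "InnerRandomStreamID",
    11: "KdfParameters", 12: "PublicCustomData",
}
CIPHERS = {
    "31c1f2e6-bf71-4350-be58-05216afc5aff": "AES-256-CBC",
    "d6038a2b-8b6f-4cb5-a524-339a31dbb59a": "ChaCha20",
}


def parse_kdbx_header(data: bytes) -> dict:
    """Parse the unencrypted outer header of a KDBX 3.x or 4.x file."""
    if len(data) < 12:
        raise ValueError("too short to be a KDBX file")
    sig1, sig2, version = struct.unpack("<III", data[:12])
    if sig1 != KDBX_SIG1 or sig2 != KDBX2_SIG2:
        raise ValueError("not a KeePass 2.x (.kdbx) file")
    major, minor = version >> 16, version & 0xFFFF
    size_fmt, size_len = ("<H", 2) if major < 4 else ("<I", 4)  # field length widened in KDBX 4
    pos, fields = 12, {}
    while True:
        if pos + 1 + size_len > len(data):
            raise ValueError("truncated header")
        field_id = data[pos]
        (size,) = struct.unpack(size_fmt, data[pos + 1:pos + 1 + size_len])
        pos += 1 + size_len
        value = data[pos:pos + size]
        pos += size
        name = HEADER_FIELDS.get(field_id, "Unknown%d" % field_id)
        if name == "EndOfHeader":
            break
        fields[name] = value
    info = {"version": (major, minor), "header_size": pos, "fields": fields}
    cipher = fields.get("CipherID")
    if cipher is not None and len(cipher) == 16:
        info["cipher"] = CIPHERS.get(str(uuid.UUID(bytes=cipher)), "unknown " + cipher.hex())
    if "CompressionFlags" in fields:
        info["compression"] = "gzip" if struct.unpack("<I", fields["CompressionFlags"])[0] == 1 else "none"
    if "TransformRounds" in fields:                 # KDBX 3.x: AES-KDF, cost is the round count
        info["kdf"] = "AES-KDF, %d rounds" % struct.unpack("<Q", fields["TransformRounds"])[0]
    elif "KdfParameters" in fields:                 # KDBX 4: VariantDictionary (Argon2 or AES-KDF)
        info["kdf"] = "KDBX4 KdfParameters (%d bytes)" % len(fields["KdfParameters"])
    return info


def build_sample_header(major: int, minor: int, fields: list) -> bytes:
    """Constructed test header (not a real database); fields is a list of (id, value)."""
    size_fmt = "<H" if major < 4 else "<I"
    out = struct.pack("<III", KDBX_SIG1, KDBX2_SIG2, (major << 16) | minor)
    for field_id, value in fields + [(0, b"\r\n\r\n")]:
        out += bytes([field_id]) + struct.pack(size_fmt, len(value)) + value
    return out


# Two constructed headers: a KDBX 3.1 AES-KDF database and a KDBX 4.0 ChaCha20 database.
SAMPLE_KDBX3 = build_sample_header(3, 1, [
    (2, uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff").bytes),
    (3, struct.pack("<I", 1)),
    (4, b"\x11" * 32), (5, b"\x22" * 32),
    (6, struct.pack("<Q", 60000)),
    (7, b"\x33" * 16), (8, b"\x44" * 32), (9, b"\x55" * 32),
    (10, struct.pack("<I", 2)),
])
SAMPLE_KDBX4 = build_sample_header(4, 0, [
    (2, uuid.UUID("d6038a2b-8b6f-4cb5-a524-339a31dbb59a").bytes),
    (3, struct.pack("<I", 1)),
    (4, b"\x11" * 32), (7, b"\x33" * 12),
    (11, b"\x00" * 40),   # opaque stand-in for the KDF VariantDictionary
])

if __name__ == "__main__":
    for sample in (SAMPLE_KDBX3, SAMPLE_KDBX4):
        info = parse_kdbx_header(sample)
        print(info["version"], info.get("cipher"), info.get("compression"), info.get("kdf"))
```

On a dumped file, `parse_kdbx_header(open("Hidden.kdbx", "rb").read())` is the sanity check to run before feeding it to KeePass or a cracker; a ValueError means filescan/dumpfiles gave you a truncated or wrong file, not a database.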

image

image

Run filescan and filter the output:

image

image

After dumping Hidden.kdbx, look for its password; among the files there's an image called Password.png

Password

The password is in the bottom-right corner: P4SSw0rd_123

With the password, open the database in KeePass:

image

Right-click and copy the password out: flag{w0w_th1s_1s_Th3_SeC0nDST4g3!!}

(Huh? So this one was the second flag? Whatever, too lazy to reorder :)

MemLabs Lab 3 | The Evil's Den

Download link: MemLabs Lab 3

Challenge Description

A malicious script encrypted a very secret piece of information I had on my system. Can you recover the information for me please?

Note-1 : This challenge is composed of only 1 flag. The flag split into 2 parts.

Note-2 : You'll need the first half of the flag to get the second.

You will need this additional tool to solve the challenge,

sudo apt install steghide

The flag format for this lab is: inctf{s0me_l33t_Str1ng}

Progress

The first part of the flag

Same as always:

image

The description mentions a malicious script, so check the cmd history:

image

There's indeed a Python script literally named evilscript 🤔 and a vip.txt as well

image

evilscript.py.py:

import sys
import string

def xor(s):

    a = ''.join(chr(ord(i)^3) for i in s)
    return a

def encoder(x):

    return x.encode("base64")

if __name__ == "__main__":

    f = open("C:\\Users\\hello\\Desktop\\vip.txt", "w")

    arr = sys.argv[1]

    arr = encoder(xor(arr))

    f.write(arr)

    f.close()

vip.txt:

image

Er...

The script is simple: every character of the input is XORed with 3, then the result is base64-encoded and written to vip.txt. Decoding just reverses the two steps:

import base64

s = 'am1gd2V4M20wXGs3b2U='                 # contents of vip.txt
d = base64.b64decode(s)                     # undo the base64 layer (Python 3 version of the original Python 2 one-liner)
a = ''.join(chr(b ^ 3) for b in d)          # undo the single-byte XOR with 3
print(a)

Output: inctf{0n3_h4lf, which is the first part

The second part of the flag

The description says steghide will be needed, so scan for image files:

image

The .jpg files are just temp files; the .jpeg is the most likely candidate, and its name alone is suspicious 🤔 Dump it and take a look:

suspision1

The description said the first part of the flag is needed to get the second, so the hint is clear enough: the steghide passphrase should be the first part of the flag

image

_1s_n0t_3n0ugh}

Putting the two together, the flag is: inctf{0n3_h4lf_1s_n0t_3n0ugh}

The First Diary of Forensic

Can solving challenges with a commercial forensics suite even be called forensics? Do you know how much volatility is worth?
I still haven't used Vol seriously, so I plan to grind through some challenges and then study it systematically.
(You can't always lean on tools like 取证大师 after all 🤔)

MemLabs Lab_0 | Never Too Late Mister

Download link: Lab0

Challenge Description

My friend John is an "environmental" activist and a humanitarian. He hated the ideology of Thanos from the Avengers: Infinity War. He sucks at programming. He used too many variables while writing any program. One day, John gave me a memory dump and asked me to find out what he was doing while he took the dump. Can you figure it out for me?

Progress

The whole thing follows the standard forensics routine. Start with imageinfo:

image

The suggested profile is Win7SP1x86_23418. Next, list the processes:

image

cmd.exe has been run, so check the command-line history:

image

There's a suspicious file being run through python.exe from cmd. Here the consoles plugin, which scans for CONSOLE_INFORMATION structures, shows the executed commands together with their output

image

That gives the string 335d366f5d6031767631707f

image

Hex-decoded it looks like garbage: 3]6o]`1vv1p.

Without decoding this string there's no telling what to do next.

Combined with the "environmental" activist hint in the description, this should mean looking at the environment variables

envars shows far too many of them... he really is a bad programmer, using way too many environment variables when writing programs

But the description also mentions Thanos, so try searching the environment variables for it

image

There really is one, and its value points to xor and password

Extract password first

image

image

I couldn't find the later part of this string, damn; other writeups did find it......

image

This is the first part: flag{you_are_good_but

For the remaining part, deal with the xor hint; the target should be the garbage decoded from the hex string earlier

The XOR key is unknown, but a single-byte key has only 256 possibilities, so brute-force it

a = bytes.fromhex("335d366f5d6031767631707f")   # hex string recovered from the console
for key in range(256):                            # single-byte key: try every value
    b = bytes(c ^ key for c in a)
    if all(32 <= c < 127 for c in b):             # only show fully printable candidates
        print(key, b.decode())

image

flag{you_are_good_but1_4m_b3tt3r}

MemLabs Lab_1 | Beginner's Luck

下载链接:Lab1

Challenge description

My sister's computer crashed. We were very fortunate to recover this memory dump. Your job is get all her important files from the system. From what we remember, we suddenly saw a black window pop up with some thing being executed. When the crash happened, she was trying to draw something. Thats all we remember from the time of crash.

Note : This challenge is composed of 3 flags.

Progress

Flag 1

image

Since a black window suddenly popped up executing something (sounds like a cmd prompt), check with pslist:

image

cmd.exe is indeed there; consoles shows the command-line output:

image

Very familiar base64,

image

flag{th1s_1s_th3_1st_st4g3!!}

Flag 2

When the crash happened, she was trying to draw something.

She was drawing; check the process list:

image

Judging by the name, this process is the drawing program; its PID is 2424

image

image

Rename the dumped memory to a .data extension and open it in GIMP as raw image data

Adjust the offset, width and height,

image

image

Flip it vertically and there's the flag (most likely because Windows bitmaps are stored bottom-up)

image

flag{Good_Boy_good_girl}
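What GIMP's raw-import dialog does by hand can also be scripted: treat the dump as BGRA scanlines starting at some offset, pick the width at which consecutive rows look most alike (the right stride makes neighbouring scanlines nearly identical, any other stride shears the picture), and reverse the rows because Windows DIBs are stored bottom-up. The code below is an added example, not from the writeup; the "dump" it operates on is constructed in build_sample_dump (junk bytes around a 64x24 bottom-up canvas), not the process memory from Lab1.raw.

```python
def bgra_to_ppm(raw: bytes, offset: int, width: int, height: int,
                bpp: int = 4, bottom_up: bool = True) -> bytes:
    """Cut a BGR(A) framebuffer out of raw memory and emit a binary PPM (P6) image."""
    stride = width * bpp
    if offset + stride * height > len(raw):
        raise ValueError("frame runs past the end of the dump")
    rows = []
    for y in range(height):
        row = raw[offset + y * stride: offset + (y + 1) * stride]
        rgb = bytearray()
        for x in range(0, stride, bpp):
            b, g, r = row[x], row[x + 1], row[x + 2]      # memory order is B, G, R(, A)
            rgb += bytes((r, g, b))
        rows.append(bytes(rgb))
    if bottom_up:
        rows.reverse()    # Windows DIBs keep the bottom scanline first; undo that
    return b"P6\n%d %d\n255\n" % (width, height) + b"".join(rows)


def guess_width(raw: bytes, offset: int, bpp: int, candidates, rows: int = 8) -> int:
    """Return the candidate width whose consecutive scanlines differ least (mean abs diff per byte)."""
    best_width, best_score = None, None
    for width in candidates:
        stride = width * bpp
        if offset + (rows + 1) * stride > len(raw):
            continue
        diff = 0
        for y in range(rows):
            a = raw[offset + y * stride: offset + (y + 1) * stride]
            b = raw[offset + (y + 1) * stride: offset + (y + 2) * stride]
            diff += sum(abs(p - q) for p, q in zip(a, b))
        score = diff / (rows * stride)
        if best_score is None or score < best_score:   # strict '<' keeps the smallest width on ties
            best_width, best_score = width, score
    return best_width


def build_sample_dump(width: int = 64, height: int = 24, junk: int = 100) -> bytes:
    """Constructed stand-in for a process dump: junk, then a bottom-up BGRA canvas, then more junk."""
    frame = bytearray()
    for mem_row in range(height):
        y = height - 1 - mem_row          # bottom-up: the first row in memory is the last image row
        for x in range(width):
            frame += bytes((0, y, x * 4, 255))   # B=0, G=row, R=horizontal gradient, A=255
    return bytes([0xAB] * junk) + bytes(frame) + bytes([0xCD] * 37)


if __name__ == "__main__":
    dump = build_sample_dump()
    offset = 100
    width = guess_width(dump, offset, 4, range(16, 200))
    height = (len(dump) - offset - 37) // (width * 4)
    print("guessed width:", width, "height:", height)
    with open("frame.ppm", "wb") as f:
        f.write(bgra_to_ppm(dump, offset, width, height))
```

On a real memdump the offset still has to be found (the canvas usually sits inside a large heap allocation; scrolling with a coarse width in GIMP finds it quickly), but once one row is aligned, guess_width over a plausible range (say 200 to 2000) usually lands on the true width or a multiple of it, and the PPM can be opened in any viewer.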

Flag 3

I only found out later that the process to look at here is WinRAR.exe,

image

Look at the WinRAR.exe process details:

image

It shows a RAR archive: Important.rar

image

Extract it by its address:

image

It is detected as a RAR file. Rename it, and extracting asks for a password:

image

Dump the account hashes with hashdump

┌──(root㉿SanDieg0)-[/mnt/d/volatility_2.6_win64_standalone]
└─# ./volatility.exe -f "F:\Memlabs\lab1\Lab1.raw" --profile=Win7SP1x64 hashdump
Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SmartNet:1001:aad3b435b51404eeaad3b435b51404ee:4943abb39473a6f32c11301f4987e7e0:::
HomeGroupUser$:1002:aad3b435b51404eeaad3b435b51404ee:f0fc3d257814e08fea06e63c5762ebd5:::
Alissa Simpson:1003:aad3b435b51404eeaad3b435b51404ee:f4ff64c8baac57d22f22edc681055ba6:::

hashdump prints two hashes per account. The first is the LM hash (LANMAN), which is extremely weak; Windows has not stored it by default since Vista, so the field holds the fixed placeholder aad3b435b51404eeaad3b435b51404ee (the LM hash of an empty string).

The second is the NT hash (commonly called the NTLM hash), which isn't much better: an unsalted MD4 of the UTF-16LE password, so it cracks fast and can be replayed directly (pass-the-hash).

This calls for cracking an NT hash; judging by the user names I'd guess the last one, f4ff64c8baac57d22f22edc681055ba6

image

Nothing I tried with the cracked string worked; it turned out no cracking was needed at all, just uppercase the hash... (speechless)

flag3

flag{w3ll_3rd_stage_was_easy}