- Extract data.zip from the pcap with Wireshark (File > Export Objects); unpacking it yields data.vmem
- Examine the memory image with Volatility
- volatility -f data.vmem imageinfo suggests the profile WinXPSP3x86
- volatility -f data.vmem --profile=WinXPSP3x86 volshell
- volatility -f data.vmem --profile=WinXPSP3x86 pslist
- volatility -f data.vmem --profile=WinXPSP3x86 cmdscan recovers the console command history, which contains a password:
    Cmd #0 @ 0x3609ea0: passwd:weak_auth_top100
    Cmd #1 @ 0x5576d0: start wireshark
    Cmd #13 @ 0x9f009f: ??
    Cmd #41 @ 0x9f003f: ?\?????????
- Run strings over the image; in the explorer.exe strings there is the path C:\Documents and Settings\Administrator\flag.zip
- Search the memory image for flag.zip; what turns up in memory is flag.img, which contains usbdata.txt, and extracting it asks for a password
- The password is the one recovered by cmdscan: weak_auth_top100
- Extracted contents (one 8-byte USB HID keyboard report per entry):
    00:00:09:00:00:00:00:00 00:00:0F:00:00:00:00:00 00:00:04:00:00:00:00:00 00:00:0A:00:00:00:00:00
    00:00:2F:00:00:00:00:00 00:00:23:00:00:00:00:00 00:00:26:00:00:00:00:00 00:00:1F:00:00:00:00:00
    00:00:27:00:00:00:00:00 00:00:27:00:00:00:00:00 00:00:25:00:00:00:00:00 00:00:20:00:00:00:00:00
    00:00:22:00:00:00:00:00 00:00:24:00:00:00:00:00 00:00:25:00:00:00:00:00 00:00:21:00:00:00:00:00
    00:00:08:00:00:00:00:00 00:00:06:00:00:00:00:00 00:00:20:00:00:00:00:00 00:00:08:00:00:00:00:00
    00:00:07:00:00:00:00:00 00:00:25:00:00:00:00:00 00:00:07:00:00:00:00:00 00:00:1F:00:00:00:00:00
    00:00:04:00:00:00:00:00 00:00:23:00:00:00:00:00 00:00:21:00:00:00:00:00 00:00:08:00:00:00:00:00
    00:00:24:00:00:00:00:00 00:00:20:00:00:00:00:00 00:00:09:00:00:00:00:00 00:00:08:00:00:00:00:00
    00:00:26:00:00:00:00:00 00:00:1E:00:00:00:00:00 00:00:20:00:00:00:00:00 00:00:06:00:00:00:00:00
    00:00:27:00:00:00:00:00 00:00:30:00:00:00:00:00
- At first I treated it as a Caesar shift: the first four bytes decoded to FLAG, but nothing after that made sense, which wasted a lot of time
- Then I remembered this was a Wireshark capture of a USB device, so the third byte of each report is a USB HID keycode; decoding against the HID keyboard keycode table (0x04-0x1D = a-z, 0x1E-0x27 = 1-9,0, 0x2F/0x30 = [ ] or { } with Shift) gives flag{69200835784ec3ed8d2a64e73fe913c0}
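The keystroke decode described above, as an added example (this code is not from the original writeup). It parses the report dump quoted above, applies the HID keyboard usage table including the Shift modifier in byte 0, handles Backspace, and has an optional `dedup_held` mode for raw captures where a held key repeats its report. Note that every report in this dump has a zero modifier byte, so a strict decode of keycodes 0x2F and 0x30 gives `[` and `]`; the writeup presents the flag in the usual `flag{...}` form. The function and variable names are my own.

```python
import string

# USB HID boot-keyboard report: byte 0 = modifier bitmask (bit 1 = Left Shift,
# bit 5 = Right Shift), byte 1 reserved, bytes 2..7 = up to six keycodes held.
SHIFT_MASK = 0x02 | 0x20
BACKSPACE = 0x2A

# keycode -> (unshifted, shifted), from the HID Usage Tables keyboard page
KEYMAP = {0x04 + i: (c, c.upper()) for i, c in enumerate(string.ascii_lowercase)}
KEYMAP.update({0x1E + i: (p, s) for i, (p, s) in enumerate(zip("1234567890", "!@#$%^&*()"))})
KEYMAP.update({
    0x28: ("\n", "\n"), 0x2B: ("\t", "\t"), 0x2C: (" ", " "),
    0x2D: ("-", "_"), 0x2E: ("=", "+"), 0x2F: ("[", "{"), 0x30: ("]", "}"),
    0x31: ("\\", "|"), 0x33: (";", ":"), 0x34: ("'", '"'), 0x35: ("`", "~"),
    0x36: (",", "<"), 0x37: (".", ">"), 0x38: ("/", "?"),
})


def parse_reports(text):
    """Turn whitespace-separated 'xx:xx:xx:xx:xx:xx:xx:xx' tokens into 8-byte reports."""
    reports = []
    for token in text.split():
        raw = bytes.fromhex(token.replace(":", ""))
        if len(raw) != 8:
            raise ValueError(f"bad report length {len(raw)}: {token}")
        reports.append(raw)
    return reports


def decode_reports(reports, dedup_held=False):
    """Translate keyboard reports into typed text.

    dedup_held=True skips a keycode that was already present in the previous
    report: a raw capture repeats the report while a key is down and sends an
    all-zero report on release. usbdata.txt holds only press events with no
    release reports between them, so its two consecutive 0x27 reports are two
    separate '0' keystrokes; keep dedup_held=False for that format.
    """
    out = []
    prev_keys = set()
    for rep in reports:
        shift = bool(rep[0] & SHIFT_MASK)
        keys = [k for k in rep[2:8] if k]
        for k in keys:
            if dedup_held and k in prev_keys:
                continue
            if k == BACKSPACE:
                if out:
                    out.pop()
            elif k in KEYMAP:
                out.append(KEYMAP[k][1 if shift else 0])
            else:
                out.append(f"<{k:#04x}>")  # unmapped keycode: keep it visible
        prev_keys = set(keys)
    return "".join(out)


# The 38 reports from usbdata.txt as quoted in the writeup.
USBDATA = """
00:00:09:00:00:00:00:00 00:00:0F:00:00:00:00:00 00:00:04:00:00:00:00:00 00:00:0A:00:00:00:00:00
00:00:2F:00:00:00:00:00 00:00:23:00:00:00:00:00 00:00:26:00:00:00:00:00 00:00:1F:00:00:00:00:00
00:00:27:00:00:00:00:00 00:00:27:00:00:00:00:00 00:00:25:00:00:00:00:00 00:00:20:00:00:00:00:00
00:00:22:00:00:00:00:00 00:00:24:00:00:00:00:00 00:00:25:00:00:00:00:00 00:00:21:00:00:00:00:00
00:00:08:00:00:00:00:00 00:00:06:00:00:00:00:00 00:00:20:00:00:00:00:00 00:00:08:00:00:00:00:00
00:00:07:00:00:00:00:00 00:00:25:00:00:00:00:00 00:00:07:00:00:00:00:00 00:00:1F:00:00:00:00:00
00:00:04:00:00:00:00:00 00:00:23:00:00:00:00:00 00:00:21:00:00:00:00:00 00:00:08:00:00:00:00:00
00:00:24:00:00:00:00:00 00:00:20:00:00:00:00:00 00:00:09:00:00:00:00:00 00:00:08:00:00:00:00:00
00:00:26:00:00:00:00:00 00:00:1E:00:00:00:00:00 00:00:20:00:00:00:00:00 00:00:06:00:00:00:00:00
00:00:27:00:00:00:00:00 00:00:30:00:00:00:00:00
"""


def recovered_flag(text=USBDATA):
    """Decode the dump; modifier byte is 0 throughout, so brackets come out unshifted."""
    return decode_reports(parse_reports(text))


if __name__ == "__main__":
    print(recovered_flag())  # flag[69200835784ec3ed8d2a64e73fe913c0]
```

For a raw USB pcap rather than this pre-filtered dump, export the HID data field with `tshark -r capture.pcapng -Y usb.transfer_type==0x01 -T fields -e usb.capdata` (or `usbhid.data` in newer Wireshark builds), then run the decoder with `dedup_held=True` so held keys are not emitted repeatedly.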