红明谷ctf复现

取证

题目描述：Akira在某次取证的过程中，在桌面找到了一个奇怪的文件，但是除此之外好像没有找到什么有价值的情报，很多的数据都被抹干净了，而且这个用户似乎根本就没装什么第三方的软件。Akira还粗心的只拷贝了C盘下的User目录，这下还有机会解开可疑文件吗？

给了一个User文件夹，桌面上有一个加密压缩包

打开log_data.txt看到

可知要查看用户键盘输入，这个属于输入法取证，可以直接用软件梭，这里参考文章

可以知道Win10系统自带中文输入法程序的用户词库文件主要存储在

C:\Users\Administrator\AppData\Roaming\Microsoft\InputMethod\Chs

其中ChsPinyinlH和ChsPinyinUDL这两个DAT文件，里面的信息会随着系统用户输入行为的发生

而不断变化，而且信息以Unicode明码的方式保存在数据区中，打开此目录的两个文件

发现

根据密码六位，猜测密码为有志者事竟成，得到hidden.pdf

全选复制得到flag

flag{y0u_F1nd_h1dd3n_m3g}

这里有点奇怪，我用wps复制出来是乱码，我用谷歌浏览器打开复制才得到的flag

我的心是冰冰的

直接爆破zip得到密码

gnibgnib

得到bingbing.pcapng，打开一看是usb流量，先提取数据再上脚本

tshark -r bingbing.pcap -T fields -e usb.capdata > usbdata.txt

#!/usr/bin/env python
import sys
import os

DataFileName = "usbdata.txt"

presses = []

normalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e", "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j", "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o", "13":"p", "14":"q", "15":"r", "16":"s", "17":"t", "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y", "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4", "22":"5", "23":"6","24":"7","25":"8","26":"9","27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\","32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".","38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}

shiftKeys = {"04":"A", "05":"B", "06":"C", "07":"D", "08":"E", "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J", "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O", "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T", "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y", "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$", "22":"%", "23":"^","24":"&","25":"*","26":"(","27":")","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":"\"","34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}

def main():
    # check argv
    if len(sys.argv) != 2:
        print "Usage : "
        print "        python UsbKeyboardHacker.py data.pcap"
        print "Tips : "
        print "        To use this python script , you must install the tshark first."
        print "        You can use `sudo apt-get install tshark` to install it"
        print "Author : "
        print "        Angel_Kitty <angelkitty6698@gmail.com>"
        print "        If you have any questions , please contact me by email."
        print "        Thank you for using."
        exit(1)

    # get argv
    pcapFilePath = sys.argv[1]
    
    # get data of pcap
    os.system("tshark -r %s -T fields -e usb.capdata > %s" % (pcapFilePath, DataFileName))

    # read data
    with open(DataFileName, "r") as f:
        for line in f:
            presses.append(line[0:-1])
    # handle
    result = ""
    for press in presses:
        Bytes = press.split(":")
        if Bytes[0] == "00":
            if Bytes[2] != "00":
                result += normalKeys[Bytes[2]]
        elif Bytes[0] == "20": # shift key is pressed.
            if Bytes[2] != "00":
                result += shiftKeys[Bytes[2]]
        else:
            print "[-] Unknow Key : %s" % (Bytes[0])
    print "[+] Found : %s" % (result)

    # clean the temp data
    os.system("rm ./%s" % (DataFileName))


if __name__ == "__main__":
main()

或者这个python2的脚本

mappings = { 0x04:"A",  0x05:"B",  0x06:"C", 0x07:"D", 0x08:"E", 0x09:"F", 0x0A:"G",  0x0B:"H", 0x0C:"I",  0x0D:"J", 0x0E:"K", 0x0F:"L", 0x10:"M", 0x11:"N",0x12:"O",  0x13:"P", 0x14:"Q", 0x15:"R", 0x16:"S", 0x17:"T", 0x18:"U",0x19:"V", 0x1A:"W", 0x1B:"X", 0x1C:"Y", 0x1D:"Z", 0x1E:"1", 0x1F:"2", 0x20:"3", 0x21:"4", 0x22:"5",  0x23:"6", 0x24:"7", 0x25:"8", 0x26:"9", 0x27:"0", 0x28:"\n", 0x2a:"[DEL]",  0X2B:"    ", 0x2C:" ",  0x2D:"-", 0x2E:"=", 0x2F:"[",  0x30:"]",  0x31:"\\", 0x32:"~", 0x33:";",  0x34:"'", 0x36:",",  0x37:"." }
nums = []
keys = open('2.txt')
for line in keys:
    if line[0]!='0' or line[1]!='0' or line[3]!='0' or line[4]!='0' or line[9]!='0' or line[10]!='0' or line[12]!='0' or line[13]!='0' or line[15]!='0' or line[16]!='0' or line[18]!='0' or line[19]!='0' or line[21]!='0' or line[22]!='0':
         continue
    nums.append(int(line[6:8],16))
keys.close()
output = ""
for n in nums:
    if n == 0 :
        continue
    if n in mappings:
        output += mappings[n]
    else:
        output += '[unknown]'
print 'output :\n' + output

得到

666C61677B3866396564326639333365662[DEL]31346138643035323364303334396531323939637D

里面有个[DEL],删掉前面一位再转hex就

得到flag

flag{8f9ed2f933ef14a8d0523d0349e1299c}

歪比歪比

流量题，打开追踪流发现

哈夫曼编码，上脚本

class Node(object):
    def __init__(self,name=None,value=None):
        self._name=name
        self._value=value
        self._left=None
        self._right=None
class HuffmanTree(object):
    def __init__(self,char_weights):
        self.a=[Node(part[0],part[1]) for part in char_weights]
        while len(self.a)!=1:
                self.a.sort(key=lambda node:node._value,reverse=True)
                c=Node(value=(self.a[-1]._value+self.a[-2]._value))
                c._left=self.a.pop(-1)
                c._right=self.a.pop(-1)
                self.a.append(c)
        self.root=self.a[0]
        self.b=list(range(30))
    def pre(self,tree,length):
        node=tree
        if (not node):
                return
        elif node._name:
                x=str(node._name) + '的编码为:'
                for i in range(length):
                        x+=str(self.b[i])
                print(x)
                return
        self.b[length]=0
        self.pre(node._left,length+1)
        self.b[length]=1
        self.pre(node._right,length+1)
    def get_code(self):
        self.pre(self.root,0)
if __name__=='__main__':
        char_weights=[('j',29),('z',31),('7',25),('e',31),('l',23),('6',37),('4',32),('p',38),('h',27),('g',26),('x',28),('i',25),('u',27),('n',25),('8',36),('0',24),('o',23),('c',28),('y',24),('1',29),('b',26),('m',27),('2',28),('v',25),('d',33),('f',28),('9',33),('t',21),('w',22),('a',31),('r',24),('s',16),('k',32),('5',25),('q',23),('3',32),('{',1),('-',4),('}',1)]
        tree=HuffmanTree(char_weights)
        tree.get_code()
0的编码为:00000
7的编码为:00001
i的编码为:00010
n的编码为:00011
v的编码为:00100
5的编码为:00101
b的编码为:00110
g的编码为:00111
m的编码为:01000
u的编码为:01001
h的编码为:01010
f的编码为:01011
2的编码为:01100
c的编码为:01101
x的编码为:01110
1的编码为:01111
j的编码为:10000
a的编码为:10001
e的编码为:10010
z的编码为:10011
3的编码为:10100
k的编码为:10101
4的编码为:10110
9的编码为:10111
d的编码为:11000
8的编码为:11001
6的编码为:11010
p的编码为:11011
t的编码为:111000
}的编码为:111010000
{的编码为:111010001
-的编码为:11100101
s的编码为:1110011
w的编码为:111010
q的编码为:111011
o的编码为:111100
l的编码为:111101
r的编码为:111110
y的编码为:111111

这里是看的第一名的wp

#!/usr/bin/env python
# -*- coding: utf-8 -*-
 
 
# 统计字符出现频率，生成映射表
def count_frequency(text):
    chars = []
    ret = []
 
    for char in text:
        if char in chars:
            continue
        else:
            chars.append(char)
            ret.append((char, text.count(char)))
 
    return ret
 
 
# 节点类
class Node:
    def __init__(self, frequency):
        self.left = None
        self.right = None
        self.father = None
        self.frequency = frequency
 
    def is_left(self):
        return self.father.left == self
 
 
# 创建叶子节点
def create_nodes(frequency_list):
    return [Node(frequency) for frequency in frequency_list]
 
 
# 创建Huffman树
def create_huffman_tree(nodes):
    queue = nodes[:]
 
    while len(queue) > 1:
        queue.sort(key=lambda item: item.frequency)
        node_left = queue.pop(0)
        node_right = queue.pop(0)
        node_father = Node(node_left.frequency + node_right.frequency)
        node_father.left = node_left
        node_father.right = node_right
        node_left.father = node_father
        node_right.father = node_father
        queue.append(node_father)
 
    queue[0].father = None
    return queue[0]
 
 
# Huffman编码
def huffman_encoding(nodes, root):
    huffman_code = [''] * len(nodes)
 
    for i in range(len(nodes)):
        node = nodes[i]
        while node != root:
            if node.is_left():
                huffman_code[i] = '0' + huffman_code[i]
            else:
                huffman_code[i] = '1' + huffman_code[i]
            node = node.father
 
    return huffman_code
 
 
# 编码整个字符串
def encode_str(text, char_frequency, codes):
    ret = ''
    for char in text:
        i = 0
        for item in char_frequency:
            if char == item[0]:
                ret += codes[i]
            i += 1
 
    return ret
 
 
# 解码整个字符串
def decode_str(huffman_str, char_frequency, codes):
    ret = ''
    while huffman_str != '':
        i = 0
        for item in codes:
            if item in huffman_str and huffman_str.index(item) == 0:
                ret += char_frequency[i][0]
                huffman_str = huffman_str[len(item):]
            i += 1
 
    return ret
 
 
if __name__ == '__main__':
    text = raw_input('The text to encode:')
 
    char_frequency = [('j', 29), ('z', 31), ('7', 25), ('e', 31), ('l', 23), ('6', 37), ('4', 32), ('p', 38), ('h', 27), ('g', 26), ('x', 28), ('i', 25), ('u', 27), ('n', 25), ('8', 36), ('0', 24), ('o', 23), ('c', 28), ('y', 24), ('1', 29), ('b', 26), ('m', 27), ('2', 28), ('v', 25), ('d', 33), ('f', 28), ('9', 33), ('t', 21), ('w', 22), ('a', 31), ('r', 24), ('s', 16), ('k', 32), ('5', 25), ('q', 23), ('3', 32), ('{', 1), ('-', 4), ('}', 1)]
 
    nodes = create_nodes([item[1] for item in char_frequency])
    root = create_huffman_tree(nodes)
    codes = huffman_encoding(nodes, root)
 
    huffman_str = '0111110001000011001010001111011110101010011011011110100000110010111101000010010010001100001110010000011110011101101111011001111101000000111010100000101101001000111100000000010100110100101001011101110010001100011100010010111001100011100110011010011000101010100011011110001111111110111001011100010100101111100001011011001001001000010111110101110111010111100010111011000011001011001101001010010111111001110101000110001001001100101110111101111000110010010111111000111110000101001100100100001001110100101011111101111110011101011101000000100100100011111111001000101110101001001101110001011101101001001001011010000101111111001011111100110010100111111110001001100100010010010011110111110110110001101000010010110110001011010000100011010111110101110000110000010001111111110000101000100101101111000111100101101011001100010101011000110010011111001010011110100100011000101111110111011011000011011010100011011100010001010001010000000001101001010010100111111010010110110011110100101010010101001010100010101011010011110001000011000100001010111001110001100101100001010111011110110111110000001011011111011101101000111111110100111100110011101111100111100101101101101010100110001100100110101011110000011111111100011110011101010011110101010111100111100001000111110111110100010011110011000010000100001100101111101010110101100011100010010100001110001001010110010010010100010101101101001110000101111110101010110110110000010011000111000010001001101101101101100111000011000011010101111010101100101000011011001011000101101110100011110001100111101111011000100110110000111010101101111101001111111111100001000111000001001011111011110010110101011110001110001101010011000101111100001111111011100110101001000011111101111111011001111110001110111110110010111000111011011110010101010110011001110110011110001111010000011010101000111110111011100101100100100100001111101010011101111100110011100000010100101000111100100011001011111000000111111111000000011111111101110111111001110100100000100000011011111010000000011110101110111101101011001111011010101111000010110001101000111000111000001110110111000100011110101100100100011100111100101101010010110101011111110011100100000111011011010101101110111000001001100110111001000111001000000111000110010110000100100010001001111010101000101101111000000110101110011101001011100110111101101111100001111000110001101010000111100100011110001100110111001101011100010101011110111111111100101100101010001101110101101101010101001110100001101011000100001111011011100101011000001001000011011000111011101110011001101110100000010100000101111010000001000011001101101111010011101000000101101101011101001101110000010011110001110100111000101111101010110111010011010011000011000110110010110001001000101101111000010010001011110100010111010100101100101111010100001110111100000100101101011110010110001000111111001000000101110010111010001101101111101110111000010101100100001010101001010010001011101001100101010101001111110000010011010011110101001001001110010110100111011110110000111101000010011111000111111001111010011101011010011100010001111101001110011110101111111111111011010100000010100010010011110100110011011101011101011101100000100111110111100100000101011000110110000010110001001111111111011101011000010101111110111001011101111111100111011101001000111011110110111101001011110011000110011000010011011001001100010010111110000110100001110111100110110100101010010111001001100101111010010001001111111000010111101010110000001110101000111011010111100110101001001110001110001001111110001000010011011110100111011111000101111110011000011010001000101000110011100011001001011000111011100101101000110001110011011101010101001010011101110100100111101011101010011010101010111101110101101000001111100111111010011010111101000101011111101011100101101101001100011001111101111100100111101101101110111111010111010100100101110111000011100001001000011100010101110100111110011001100101111110110100111101000010001000011011110000011010110111010110001110011111110000011110010001011010010111111101010101110010000001010011111011100101000101101010101101101000101000110011101101010110001100101011101110111100000001010000011110011010011000011111110100111011100100111000001101001110111100000101010110000010000100001110111000011111110010010100111111101010110000000000111011010000101100100111001110000001011101100000110110101011001011000111001111110010101111001011011101000010001100011101110010100111000011111001110001100111110110111101010101011001000101011010001100000010001111110011001101111111010110010001111001100111110001110011100010011011100100010011011000110000100101111100111110111101010010001101010011100110001011001111000100011011110100011101011101010111111110000011110110111011110000010111100110011100011010111101111110100000010001111100101100011110001101011111101111111011111011101010001101001000111000101111110101000110011000111011111101111110100001111011110010100011101110111111010101100111000101100100010011101001011110011111001111101110001110111111011100111100010110010011011010100011100101010101010110000001010111001101111100111110010100111000010101111001110011011011111001101110011111001000000000111101011000111110001101010011011000010100100100111011111110010000000101001111111110101100001010000001110100101001111001011011001001001011100101111110'
 
    origin_str = decode_str(huffman_str, char_frequency, codes)
 
    print 'Encode result:' + huffman_str
    print 'Decode result:' + origin_str