说是misc,其实全是取证。

这次比赛取证还是蛮有意思的,所以想着一定要记录一下,复现一下

比赛的时候只剩那个bademail了,这题真难吧。

checkwebshell

除了公众号签到题之外,这题已经算是简单题了。

一条条流追踪过来发现前面全是whoami,22流dir了一下,

1757343891241

下一条就是type flag

1757344027769

大体看一下发现是sm4加密,我们需要写一个解密脚本

流量包:

POST /shell.php HTTP/1.1
Host: 192.168.144.128:8000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Content-Length: 30

shell=system("type flag.txt");
HTTP/1.1 200 OK
Date: Mon, 11 Aug 2025 08:40:43 GMT
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02
X-Powered-By: PHP/7.3.4
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

<?php
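/**
 * SM4-style block cipher in ECB mode with PKCS#7 padding, as recovered from
 * the captured flag.txt (the target reports PHP 7.3, so no typed properties
 * or arrow functions are used here).
 *
 * NOTE(review): $SboxTable is not the published SM4 S-box. It appears to
 * diverge from the standard table at about index 0x6D, and it repeats values
 * (0xBB occurs three times), so it is not even a permutation. The key schedule
 * (CKF) also reuses T instead of the standard L' with rotations 13/23.
 * Decryption still works because the round structure is a generalised Feistel
 * network: the same round function is run with the round keys in reverse
 * order, and the inverse of T is never needed. Do not "fix" the table or the
 * schedule back to the standard ones, or the captured ciphertext will no
 * longer decrypt.
 *
 * Requires a 64-bit PHP build: the 32-bit word arithmetic relies on native
 * ints wider than 32 bits (on 32-bit PHP the 0xFFFFFFFF literals become floats).
 */
class SM4 {
    /** Mode for cryptBlock(): apply round keys sk[0..31] in generated order. */
    const ENCRYPT = 1;
    /** Mode for cryptBlock(): apply round keys sk[31..0]; same round function. */
    const DECRYPT = 0;
    /** Block size and key size, in bytes. */
    const BLOCK_SIZE = 16;

    /** @var int[] 32 round keys (32-bit words) produced by setKey(). */
    private $sk = [];
    /** @var int[] Key-schedule system parameters (SM4 FK). */
    private static $FK = [0xA3B1BAC6, 0x56AA3350, 0x677D9197, 0xB27022DC];
    /** @var int[] Key-schedule round constants (SM4 CK). */
    private static $CK = [
        0x00070E15, 0x1C232A31, 0x383F464D, 0x545B6269,
        0x70777E85, 0x8C939AA1, 0xA8AFB6BD, 0xC4CBD2D9,
        0xE0E7EEF5, 0xFC030A11, 0x181F262D, 0x343B4249,
        0x50575E65, 0x6C737A81, 0x888F969D, 0xA4ABB2B9,
        0xC0C7CED5, 0xDCE3EAF1, 0xF8FF060D, 0x141B2229,
        0x30373E45, 0x4C535A61, 0x686F767D, 0x848B9299,
        0xA0A7AEB5, 0xBCC3CAD1, 0xD8DFE6ED, 0xF4FB0209,
        0x10171E25, 0x2C333A41, 0x484F565D, 0x646B7279
    ];
    /** @var int[] 256-entry byte substitution table; see the class comment. */
    private static $SboxTable = [
        0xD6, 0x90, 0xE9, 0xFE, 0xCC, 0xE1, 0x3D, 0xB7, 0x16, 0xB6, 0x14, 0xC2, 0x28, 0xFB, 0x2C, 0x05,
        0x2B, 0x67, 0x9A, 0x76, 0x2A, 0xBE, 0x04, 0xC3, 0xAA, 0x44, 0x13, 0x26, 0x49, 0x86, 0x06, 0x99,
        0x9C, 0x42, 0x50, 0xF4, 0x91, 0xEF, 0x98, 0x7A, 0x33, 0x54, 0x0B, 0x43, 0xED, 0xCF, 0xAC, 0x62,
        0xE4, 0xB3, 0x1C, 0xA9, 0xC9, 0x08, 0xE8, 0x95, 0x80, 0xDF, 0x94, 0xFA, 0x75, 0x8F, 0x3F, 0xA6,
        0x47, 0x07, 0xA7, 0xFC, 0xF3, 0x73, 0x17, 0xBA, 0x83, 0x59, 0x3C, 0x19, 0xE6, 0x85, 0x4F, 0xA8,
        0x68, 0x6B, 0x81, 0xB2, 0x71, 0x64, 0xDA, 0x8B, 0xF8, 0xEB, 0x0F, 0x4B, 0x70, 0x56, 0x9D, 0x35,
        0x1E, 0x24, 0x0E, 0x5E, 0x63, 0x58, 0xD1, 0xA2, 0x25, 0x22, 0x7C, 0x3B, 0x01, 0x0D, 0x2D, 0xEC,
        0x84, 0x9B, 0x1E, 0x87, 0xE0, 0x3E, 0xB5, 0x66, 0x48, 0x02, 0x6C, 0xBB, 0xBB, 0x32, 0x83, 0x27,
        0x9E, 0x01, 0x8D, 0x53, 0x9B, 0x64, 0x7B, 0x6B, 0x6A, 0x6C, 0xEC, 0xBB, 0xC4, 0x94, 0x3B, 0x0C,
        0x76, 0xD2, 0x09, 0xAA, 0x16, 0x15, 0x3D, 0x2D, 0x0A, 0xFD, 0xE4, 0xB7, 0x37, 0x63, 0x28, 0xDD,
        0x7C, 0xEA, 0x97, 0x8C, 0x6D, 0xC7, 0xF2, 0x3E, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89, 0x6F, 0xB7,
        0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x36, 0x24, 0x07, 0x82, 0xFA, 0x54, 0x5B, 0x40,
        0x8F, 0xED, 0x1F, 0xDA, 0x93, 0x80, 0xF9, 0x61, 0x1C, 0x70, 0xC3, 0x85, 0x95, 0xA9, 0x79, 0x08,
        0x46, 0x29, 0x02, 0x3B, 0x4D, 0x83, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x1A, 0x47, 0x5C, 0x0D, 0xEA,
        0x9E, 0xCB, 0x55, 0x20, 0x15, 0x8A, 0x9A, 0xCB, 0x43, 0x0C, 0xF0, 0x0B, 0x40, 0x58, 0x00, 0x8F,
        0xEB, 0xBE, 0x3D, 0xC2, 0x9F, 0x51, 0xFA, 0x13, 0x3B, 0x0D, 0x90, 0x5B, 0x6E, 0x45, 0x59, 0x33
    ];

    /**
     * @param string $key Exactly 16 raw bytes.
     * @throws Exception If the key is not 16 bytes long.
     */
    public function __construct(string $key) {
        $this->setKey($key);
    }

    /**
     * Expand a 16-byte key into the 32 round keys stored in $this->sk.
     *
     * @param string $key Exactly 16 raw bytes.
     * @throws Exception If the key is not 16 bytes long.
     */
    public function setKey(string $key): void {
        if (strlen($key) != self::BLOCK_SIZE) {
            throw new Exception("SM4: key must be exactly 16 bytes");
        }
        $k = $this->strToIntArray($key);
        for ($i = 0; $i < 4; $i++) {
            $k[$i] ^= self::$FK[$i];
        }
        $this->sk = [];
        for ($i = 0; $i < 32; $i++) {
            // Each new word depends on the previous four; $k grows to 36 entries.
            $k[$i + 4] = $k[$i] ^ $this->CKF($k[$i + 1], $k[$i + 2], $k[$i + 3], self::$CK[$i]);
            $this->sk[$i] = $k[$i + 4];
        }
    }

    /**
     * Encrypt arbitrary bytes: PKCS#7 pad to a multiple of 16, then ECB.
     *
     * @param string $plaintext Raw bytes (may be empty; a full padding block is emitted then).
     * @return string Ciphertext whose length is the next multiple of 16 above strlen($plaintext).
     */
    public function encrypt(string $plaintext): string {
        $padLen = self::BLOCK_SIZE - (strlen($plaintext) % self::BLOCK_SIZE);
        $padded = $plaintext . str_repeat(chr($padLen), $padLen);
        $out = '';
        foreach (str_split($padded, self::BLOCK_SIZE) as $block) {
            $out .= $this->cryptBlock($block, self::ENCRYPT);
        }
        return $out;
    }

    /**
     * Inverse of encrypt(): ECB decrypt, then strip and validate PKCS#7 padding.
     *
     * @param string $ciphertext Raw bytes, a non-zero multiple of 16 long.
     * @return string The original plaintext.
     * @throws Exception On a bad length or invalid padding (wrong key or corrupted data).
     */
    public function decrypt(string $ciphertext): string {
        $len = strlen($ciphertext);
        if ($len === 0 || $len % self::BLOCK_SIZE !== 0) {
            throw new Exception("SM4: ciphertext length must be a non-zero multiple of 16 bytes");
        }
        $out = '';
        foreach (str_split($ciphertext, self::BLOCK_SIZE) as $block) {
            $out .= $this->cryptBlock($block, self::DECRYPT);
        }
        return $this->pkcs7Unpad($out);
    }

    /**
     * Remove PKCS#7 padding, rejecting anything that is not 1..16 copies of the pad byte.
     *
     * @throws Exception On invalid padding.
     */
    private function pkcs7Unpad(string $data): string {
        $padLen = ord($data[strlen($data) - 1]);
        $validTail = substr($data, -$padLen) === str_repeat(chr($padLen), $padLen);
        if ($padLen < 1 || $padLen > self::BLOCK_SIZE || !$validTail) {
            throw new Exception("SM4: bad PKCS#7 padding");
        }
        $keep = strlen($data) - $padLen;
        return $keep > 0 ? substr($data, 0, $keep) : '';
    }

    /**
     * Run one 16-byte block through 32 rounds plus the final word reversal.
     * $mode only selects the round-key order (ENCRYPT: sk[0..31], DECRYPT: sk[31..0]);
     * the round function itself is identical in both directions.
     */
    private function cryptBlock(string $block, int $mode): string {
        $keys = $mode === self::ENCRYPT ? $this->sk : array_reverse($this->sk);
        $x = $this->strToIntArray($block);
        foreach ($keys as $rk) {
            // x[i+4] = x[i] ^ F(x[i+1], x[i+2], x[i+3], rk); the sliding window keeps 4 words.
            $x[] = $x[0] ^ $this->F($x[1], $x[2], $x[3], $rk);
            array_shift($x);
        }
        return $this->intArrayToStr(array_reverse($x));
    }

    /** Round function: T over the XOR of three state words and the round key. */
    private function F(int $x1, int $x2, int $x3, int $rk): int {
        return $this->T($x1 ^ $x2 ^ $x3 ^ $rk);
    }

    /** Key-schedule step as recovered: a ^ T(b ^ c ^ ck) (non-standard, see class comment). */
    private function CKF(int $a, int $b, int $c, int $ck): int {
        return $a ^ $this->T($b ^ $c ^ $ck);
    }

    /** Composite transform: byte substitution followed by linear diffusion. */
    private function T(int $x): int {
        return $this->L($this->S($x));
    }

    /** Substitute each of the four bytes of a 32-bit word through $SboxTable. */
    private function S(int $x): int {
        $result = 0;
        foreach ([24, 16, 8, 0] as $shift) {
            $result |= self::$SboxTable[($x >> $shift) & 0xFF] << $shift;
        }
        return $result;
    }

    /** Linear diffusion: x ^ (x <<< 2) ^ (x <<< 10) ^ (x <<< 18) ^ (x <<< 24). */
    private function L(int $x): int {
        return $x ^ $this->rotl($x, 2) ^ $this->rotl($x, 10) ^ $this->rotl($x, 18) ^ $this->rotl($x, 24);
    }

    /** 32-bit left rotation; input is masked so values above 32 bits cannot leak into the result. */
    private function rotl(int $x, int $n): int {
        $word = $x & 0xFFFFFFFF;
        return (($word << $n) & 0xFFFFFFFF) | ($word >> (32 - $n));
    }

    /**
     * First 16 bytes of $str as four big-endian unsigned 32-bit words.
     *
     * @return int[]
     * @throws Exception If fewer than 16 bytes are supplied.
     */
    private function strToIntArray(string $str): array {
        if (strlen($str) < self::BLOCK_SIZE) {
            throw new Exception("SM4: need 16 bytes, got " . strlen($str));
        }
        // 'N' = unsigned 32-bit big-endian; unpack() returns 1-based keys.
        return array_values(unpack('N4', $str));
    }

    /**
     * Serialise words as big-endian 32-bit values; only the low 32 bits of each are used.
     *
     * @param int[] $array
     */
    private function intArrayToStr(array $array): string {
        $str = '';
        foreach ($array as $word) {
            $str .= pack('N', $word & 0xFFFFFFFF);
        }
        return $str;
    }
}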
try {
    // Key and plaintext exactly as they appeared in the recovered source. The
    // output noted below is 64 base64 characters (48 bytes, three blocks), so it
    // evidently came from a longer real flag.txt content rather than from "flag".
    $key = "a8a58b78f41eeb6a";
    $cipher = new SM4($key);
    $encoded = base64_encode($cipher->encrypt("flag"));
    echo $encoded; // observed in the capture: VCWBIdzfjm45EmYFWcqXX0VpQeZPeI6Qqyjsv31yuPTDC80lhFlaJY2R3TintdQu
} catch (Exception $error) {
    echo $error->getMessage();
}
?>

解密脚本:

import base64

# Cipher constants transcribed from the recovered PHP class.
# NOTE(review): SBOX is not the published SM4 S-box -- it appears to diverge from
# the standard table at about index 0x6D and repeats values (0xBB three times), so
# it is not a permutation. Decryption still works because the round structure is a
# Feistel-style network that never needs the inverse of the S-box; do not replace
# this table with the standard one or the captured ciphertext will not decrypt.
SBOX = [
0xD6,0x90,0xE9,0xFE,0xCC,0xE1,0x3D,0xB7,0x16,0xB6,0x14,0xC2,0x28,0xFB,0x2C,0x05,
0x2B,0x67,0x9A,0x76,0x2A,0xBE,0x04,0xC3,0xAA,0x44,0x13,0x26,0x49,0x86,0x06,0x99,
0x9C,0x42,0x50,0xF4,0x91,0xEF,0x98,0x7A,0x33,0x54,0x0B,0x43,0xED,0xCF,0xAC,0x62,
0xE4,0xB3,0x1C,0xA9,0xC9,0x08,0xE8,0x95,0x80,0xDF,0x94,0xFA,0x75,0x8F,0x3F,0xA6,
0x47,0x07,0xA7,0xFC,0xF3,0x73,0x17,0xBA,0x83,0x59,0x3C,0x19,0xE6,0x85,0x4F,0xA8,
0x68,0x6B,0x81,0xB2,0x71,0x64,0xDA,0x8B,0xF8,0xEB,0x0F,0x4B,0x70,0x56,0x9D,0x35,
0x1E,0x24,0x0E,0x5E,0x63,0x58,0xD1,0xA2,0x25,0x22,0x7C,0x3B,0x01,0x0D,0x2D,0xEC,
0x84,0x9B,0x1E,0x87,0xE0,0x3E,0xB5,0x66,0x48,0x02,0x6C,0xBB,0xBB,0x32,0x83,0x27,
0x9E,0x01,0x8D,0x53,0x9B,0x64,0x7B,0x6B,0x6A,0x6C,0xEC,0xBB,0xC4,0x94,0x3B,0x0C,
0x76,0xD2,0x09,0xAA,0x16,0x15,0x3D,0x2D,0x0A,0xFD,0xE4,0xB7,0x37,0x63,0x28,0xDD,
0x7C,0xEA,0x97,0x8C,0x6D,0xC7,0xF2,0x3E,0x1A,0x71,0x1D,0x29,0xC5,0x89,0x6F,0xB7,
0x62,0x0E,0xAA,0x18,0xBE,0x1B,0xFC,0x56,0x36,0x24,0x07,0x82,0xFA,0x54,0x5B,0x40,
0x8F,0xED,0x1F,0xDA,0x93,0x80,0xF9,0x61,0x1C,0x70,0xC3,0x85,0x95,0xA9,0x79,0x08,
0x46,0x29,0x02,0x3B,0x4D,0x83,0x3A,0x0A,0x49,0x06,0x24,0x1A,0x47,0x5C,0x0D,0xEA,
0x9E,0xCB,0x55,0x20,0x15,0x8A,0x9A,0xCB,0x43,0x0C,0xF0,0x0B,0x40,0x58,0x00,0x8F,
0xEB,0xBE,0x3D,0xC2,0x9F,0x51,0xFA,0x13,0x3B,0x0D,0x90,0x5B,0x6E,0x45,0x59,0x33
]
# Key-schedule system parameters (SM4 FK): XORed into the four key words first.
FK = [0xA3B1BAC6, 0x56AA3350, 0x677D9197, 0xB27022DC]
# Key-schedule round constants (SM4 CK), one per generated round key.
CK = [
0x00070E15,0x1C232A31,0x383F464D,0x545B6269,
0x70777E85,0x8C939AA1,0xA8AFB6BD,0xC4CBD2D9,
0xE0E7EEF5,0xFC030A11,0x181F262D,0x343B4249,
0x50575E65,0x6C737A81,0x888F969D,0xA4ABB2B9,
0xC0C7CED5,0xDCE3EAF1,0xF8FF060D,0x141B2229,
0x30373E45,0x4C535A61,0x686F767D,0x848B9299,
0xA0A7AEB5,0xBCC3CAD1,0xD8DFE6ED,0xF4FB0209,
0x10171E25,0x2C333A41,0x484F565D,0x646B7279
]

def rotl(x,n): x&=0xFFFFFFFF; return ((x<<n)&0xFFFFFFFF)|((x>>(32-n))&0xFFFFFFFF)
def S(x):
    """Byte-wise substitution of a 32-bit word through SBOX, most significant byte first."""
    word = 0
    for shift in (24, 16, 8, 0):
        word |= SBOX[(x >> shift) & 0xFF] << shift
    return word & 0xFFFFFFFF
def L(x): return (x ^ rotl(x,2) ^ rotl(x,10) ^ rotl(x,18) ^ rotl(x,24)) & 0xFFFFFFFF
def T(x): return L(S(x))
def F(x1,x2,x3,rk): return T((x1 ^ x2 ^ x3 ^ rk) & 0xFFFFFFFF)
def CKF(a,b,c,ck): return (a ^ T((b ^ c ^ ck) & 0xFFFFFFFF)) & 0xFFFFFFFF

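def strToIntArray(block16: bytes) -> list[int]:
    """Split the first 16 bytes of ``block16`` into four big-endian 32-bit words.

    Raises ValueError when fewer than 16 bytes are supplied (the original used
    ``assert``, which is stripped under ``python -O``). Bytes beyond the first
    16 are ignored, as before.
    """
    if len(block16) < 16:
        raise ValueError("need at least 16 bytes, got %d" % len(block16))
    return [int.from_bytes(block16[off:off + 4], "big") for off in range(0, 16, 4)]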
def intArrayToStr(arr):
    """Serialise each word in ``arr`` as 4 big-endian bytes; only the low 32 bits are used."""
    return b"".join((word & 0xFFFFFFFF).to_bytes(4, "big") for word in arr)

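def expand_key(key16: bytes) -> list[int]:
    """Derive the 32 encryption round keys from a 16-byte key.

    Mirrors SM4::setKey() in the recovered PHP: the key words are XORed with FK,
    then each new word is k[i] ^ CKF(k[i+1], k[i+2], k[i+3], CK[i]). The keys are
    returned in encryption order; pass ``sk[::-1]`` to crypt_block() to decrypt.
    Raises ValueError for a key that is not exactly 16 bytes (the original used
    ``assert``, which is stripped under ``python -O``).
    """
    if len(key16) != 16:
        raise ValueError("key must be exactly 16 bytes, got %d" % len(key16))
    k = [word ^ fk for word, fk in zip(strToIntArray(key16), FK)]
    sk = []
    for i in range(32):
        new_word = (k[i] ^ CKF(k[i + 1], k[i + 2], k[i + 3], CK[i])) & 0xFFFFFFFF
        k.append(new_word)
        sk.append(new_word)
    return sk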

def crypt_block(block16: bytes, sk):
    """Run one 16-byte block through 32 rounds using sk[0..31] in the order given,
    then apply the final word reversal. Encryption and decryption differ only in
    the order of the round keys."""
    state = strToIntArray(block16)
    for i in range(32):
        fresh = (state[0] ^ F(state[1], state[2], state[3], sk[i])) & 0xFFFFFFFF
        state = state[1:] + [fresh]
    state.reverse()
    return intArrayToStr(state)

def pkcs7_unpad(b: bytes):
    """Strip PKCS#7 padding; raises ValueError on malformed padding.
    Empty input is returned unchanged."""
    if len(b) == 0:
        return b
    pad = b[-1]
    tail_ok = 1 <= pad <= 16 and b.endswith(bytes([pad]) * pad)
    if not tail_ok:
        raise ValueError("bad padding")
    return b[:-pad]

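if __name__ == "__main__":
    # Key from the recovered PHP source; ciphertext from the comment next to its echo.
    KEY_ASCII = b"a8a58b78f41eeb6a"
    CIPHERTEXT_B64 = "VCWBIdzfjm45EmYFWcqXX0VpQeZPeI6Qqyjsv31yuPTDC80lhFlaJY2R3TintdQu"

    ct = base64.b64decode(CIPHERTEXT_B64)
    if not ct or len(ct) % 16:
        raise SystemExit("ciphertext must be a non-empty multiple of 16 bytes, got %d" % len(ct))
    # Decryption = the same rounds with the key schedule reversed; reverse once, not per block.
    decrypt_keys = expand_key(KEY_ASCII)[::-1]
    pt = b"".join(crypt_block(ct[i:i + 16], decrypt_keys) for i in range(0, len(ct), 16))
    # backslashreplace keeps any non-UTF-8 bytes visible instead of silently dropping them,
    # which matters when checking whether the key/table are actually right.
    print(pkcs7_unpad(pt).decode("utf-8", errors="backslashreplace"))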

SilentMiner

这个其实也不难。

先用 DiskGenius 挂载一下 dd 文件,在 var/log 下面找到 auth.log。

粗略查看一下,可以看到

1757344786747

有很多192.168.145.131在爆破ssh,数一下是257次。

但是还得再加一次,258 次才对。

得到两个:

flag{192.168.145.131}

flag{258}

往下翻就可以发现后门。

这里可以发现

  • 10:04:00:sudo /usr/bin/mv sshd ../bin → 把当前目录下的 sshd 移动到上一级 bin 目录。
  • 10:04:07 - 10:04:18:sudo tee sshd、sudo tee -a sshd → 可能是在往 sshd 文件里写入内容。
  • 10:04:23:sudo chmod u+x sshd → 给 sshd 文件加了可执行权限。
  • 10:04:28:sudo service sshd restart → 重启了 SSH 服务。
1757345166364

后门:flag{/usr/sbin/sshd}

下一步看bash_history,

# Recovered .bash_history from the image, kept verbatim (evidence). The visible
# commands install dnsmasq, disable systemd-resolved, point /etc/resolv.conf at
# 127.0.0.1 and turn on query logging to /var/log/dnsmasq.log -- that log is
# what the writeup reads next to find the domain.
sudo apt-get install dnsmasq
ps aux | grep unattended
sudo systemctl stop unattended-upgrades
sudo apt-get install dnsmasq
sudo rm /var/lib/dpkg/lock-frontend
sudo rm /var/lib/dpkg/lock
sudo apt-get install dnsmasq
sudo systemctl stop systemd-resolved
sudo systemctl disable systemd-resolved
# Heredoc body below is the dnsmasq.conf as written on the host; its comments are
# the author's and are left as found (note the "listen on all interfaces" comment
# sits above a loopback-only listen-address).
sudo tee /etc/dnsmasq.conf > /dev/null << 'EOF'
# 监听所有接口

listen-address=127.0.0.1
# 上游 DNS 服务器

server=8.8.8.8
server=8.8.4.4
# 启用查询日志

log-queries
# 日志到 syslog

log-facility=/var/log/dnsmasq.log
# 缓存大小

cache-size=1000
# 不读取 /etc/hosts(可选)

no-hosts
EOF

# Resolver switched to the local dnsmasq so every lookup from the host is logged.
sudo cp /etc/resolv.conf /etc/resolv.conf.bak
sudo rm /etc/resolv.conf
sudo tee /etc/resolv.conf > /dev/null << 'EOF'
nameserver 127.0.0.1
EOF

sudo systemctl enable dnsmasq
sudo systemctl start dnsmasq
nslookup google.com
# Query log consulted later in the writeup (the domain flag comes from here).
sudo tail -f /var/log/dnsmasq.log
wget baidu.com
sudo tail -f /var/log/dnsmasq.log
sudo apt install net-tools
ifconfig

于是去翻翻log/dnsmasq.log,看到

1757345349073

这个就是域名了。(也可以发现这两步也确实在分发恶意域名地址)

flag{tombaky.com}

最后一步我是非预期出来的,我是问ai了一些常见的木马家族试出来的。

第一个就是:

1757345730676

预期解(参考了aura神的wp):

r-studio发现一个删除的文件:sxyq

1757345534758

下载下来后,可以发现里面执行了很长的一串命令:先 base64 解码,gunzip 解压,再 base64 解码一次

1757346490132

看到一系列恶意bash

1757346573582

其中有一条是BIN_NAME="kinsing",可以发现木马家族是kinsing

flag{kinsing}

bademail

重头戏来了。

这个比赛的时候只做出来一步,卡在mac地址上了。

先用 DiskGenius/X-Ways/取证大师挂载起来,会出现一个动态磁盘,这个就是要取证的东东了。

在data/mailbox/inbox下:发现hnhuimeng_hr@163.com

1757386125541

这个就是攻击者的邮箱了

flag{hnhuimeng_hr@163.com}

然后在 inbox 往下拉,会发现有一堆用 base64 传输的东西,转成文件就能发现一个 lnk

1757386308202

然后上面还传输了一个解压密码:

<meta http-equiv="Content-Type" content="text/html; charset=gb2312"><div data-ntes="ntes_mail_body_root" style="line-height:1.7;color:#000000;font-size:14px;font-family:Arial"><div>各位员工:</div><div>现将2025年新版管理规定发送于你,请各部门领导组织学习,认真落实。注意保密纪律,切勿外传。解压密码为:250815</div></div>

解压出来这个就是木马了。

然后我们用 010 Editor 打开,参考《溯源专题 | 通过lnk样本进行攻击溯源》(FreeBuf 网络安全行业门户)获得 MAC 地址

1757386980743

得到{C17B5FA0-4980-11F0-B894-000C29D8D069},这个 GUID 最后 12 位十六进制就是生成它的机器的网卡 MAC 地址

flag{00:0c:29:d8:d0:69}

攻击者是虚拟机吗?

直接猜是(MAC 前缀 00:0c:29 是 VMware 的 OUI,所以这个猜测是有依据的)

flag{y}

然后我们放沙箱跑一下木马:安恒云沙箱-下一代沙箱的领航者样本报告-微步在线云沙箱

分析一下可以发现:

1757387766935

把脚本丢给 AI 分析一下,可以得到对应的 ATT&CK 技术 ID

1757387924182

flag{T1547.001}