OtterCTF 13道内存取证题目详细解析(下)
OtterCTF 13道内存取证题目详细解析(下)
ChaMd5安全团队
发布于 2018-12-28 11:23:20
发布于 2018-12-28 11:23:20
7- Hide And Seek 100
question
The reason that we took rick's PC memory dump is because there was a malware infection. Please find the malware process name (including the extension)
BEAWARE! There are only 3 attempts to get the right flag!
format: CTF{flag}
solve
pstree一下
➜ Desktop volatility -f OtterCTF.vmem --profile=Win7SP1x64 pstree
Volatility Foundation Volatility Framework 2.6
Name Pid PPid Thds Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
0xfffffa801b27e060:explorer.exe 2728 2696 33 854 2018-08-04 19:27:04 UTC+0000
. 0xfffffa801b486b30:Rick And Morty 3820 2728 4 185 2018-08-04 19:32:55 UTC+0000
.. 0xfffffa801a4c5b30:vmware-tray.ex 3720 3820 8 147 2018-08-04 19:33:02 UTC+0000
. 0xfffffa801b2f02e0:WebCompanion.e 2844 2728 0 ------ 2018-08-04 19:27:07 UTC+0000
. 0xfffffa801a4e3870:chrome.exe 4076 2728 44 1160 2018-08-04 19:29:30 UTC+0000
.. 0xfffffa801a4eab30:chrome.exe 4084 4076 8 86 2018-08-04 19:29:30 UTC+0000
.. 0xfffffa801a5ef1f0:chrome.exe 1796 4076 15 170 2018-08-04 19:33:41 UTC+0000
.. 0xfffffa801aa00a90:chrome.exe 3924 4076 16 228 2018-08-04 19:29:51 UTC+0000
.. 0xfffffa801a635240:chrome.exe 3648 4076 16 207 2018-08-04 19:33:38 UTC+0000
.. 0xfffffa801a502b30:chrome.exe 576 4076 2 58 2018-08-04 19:29:31 UTC+0000
.. 0xfffffa801a4f7b30:chrome.exe 1808 4076 13 229 2018-08-04 19:29:32 UTC+0000
.. 0xfffffa801a7f98f0:chrome.exe 2748 4076 15 181 2018-08-04 19:31:15 UTC+0000
. 0xfffffa801b5cb740:LunarMS.exe 708 2728 18 346 2018-08-04 19:27:39 UTC+0000
. 0xfffffa801b1cdb30:vmtoolsd.exe 2804 2728 6 190 2018-08-04 19:27:06 UTC+0000
. 0xfffffa801b290b30:BitTorrent.exe 2836 2728 24 471 2018-08-04 19:27:07 UTC+0000
.. 0xfffffa801b4c9b30:bittorrentie.e 2624 2836 13 316 2018-08-04 19:27:21 UTC+0000
.. 0xfffffa801b4a7b30:bittorrentie.e 2308 2836 15 337 2018-08-04 19:27:19 UTC+0000
0xfffffa8018d44740:System 4 0 95 411 2018-08-04 19:26:03 UTC+0000
. 0xfffffa801947e4d0:smss.exe 260 4 2 30 2018-08-04 19:26:03 UTC+0000
0xfffffa801a2ed060:wininit.exe 396 336 3 78 2018-08-04 19:26:11 UTC+0000
. 0xfffffa801ab377c0:services.exe 492 396 11 242 2018-08-04 19:26:12 UTC+0000
.. 0xfffffa801afe7800:svchost.exe 1948 492 6 96 2018-08-04 19:26:42 UTC+0000
.. 0xfffffa801ae92920:vmtoolsd.exe 1428 492 9 313 2018-08-04 19:26:27 UTC+0000
... 0xfffffa801a572b30:cmd.exe 3916 1428 0 ------ 2018-08-04 19:34:22 UTC+0000
.. 0xfffffa801ae0f630:VGAuthService. 1356 492 3 85 2018-08-04 19:26:25 UTC+0000
.. 0xfffffa801abbdb30:vmacthlp.exe 668 492 3 56 2018-08-04 19:26:16 UTC+0000
.. 0xfffffa801aad1060:Lavasoft.WCAss 3496 492 14 473 2018-08-04 19:33:49 UTC+0000
.. 0xfffffa801a6af9f0:svchost.exe 164 492 12 147 2018-08-04 19:28:42 UTC+0000
.. 0xfffffa801ac2e9e0:svchost.exe 808 492 22 508 2018-08-04 19:26:18 UTC+0000
... 0xfffffa801ac753a0:audiodg.exe 960 808 7 151 2018-08-04 19:26:19 UTC+0000
.. 0xfffffa801ae7f630:dllhost.exe 1324 492 15 207 2018-08-04 19:26:42 UTC+0000
.. 0xfffffa801a6c2700:mscorsvw.exe 3124 492 7 77 2018-08-04 19:28:43 UTC+0000
.. 0xfffffa801b232060:sppsvc.exe 2500 492 4 149 2018-08-04 19:26:58 UTC+0000
.. 0xfffffa801abebb30:svchost.exe 712 492 8 301 2018-08-04 19:26:17 UTC+0000
.. 0xfffffa801ad718a0:svchost.exe 1164 492 18 312 2018-08-04 19:26:23 UTC+0000
.. 0xfffffa801ac31b30:svchost.exe 844 492 17 396 2018-08-04 19:26:18 UTC+0000
... 0xfffffa801b1fab30:dwm.exe 2704 844 4 97 2018-08-04 19:27:04 UTC+0000
.. 0xfffffa801988c2d0:PresentationFo 724 492 6 148 2018-08-04 19:27:52 UTC+0000
.. 0xfffffa801b603610:mscorsvw.exe 412 492 7 86 2018-08-04 19:28:42 UTC+0000
.. 0xfffffa8018e3c890:svchost.exe 604 492 11 376 2018-08-04 19:26:16 UTC+0000
... 0xfffffa8019124b30:WmiPrvSE.exe 1800 604 9 222 2018-08-04 19:26:39 UTC+0000
... 0xfffffa801b112060:WmiPrvSE.exe 2136 604 12 324 2018-08-04 19:26:51 UTC+0000
.. 0xfffffa801ad5ab30:spoolsv.exe 1120 492 14 346 2018-08-04 19:26:22 UTC+0000
.. 0xfffffa801ac4db30:svchost.exe 868 492 45 1114 2018-08-04 19:26:18 UTC+0000
.. 0xfffffa801a6e4b30:svchost.exe 3196 492 14 352 2018-08-04 19:28:44 UTC+0000
.. 0xfffffa801acd37e0:svchost.exe 620 492 19 415 2018-08-04 19:26:21 UTC+0000
.. 0xfffffa801b1e9b30:taskhost.exe 2344 492 8 193 2018-08-04 19:26:57 UTC+0000
.. 0xfffffa801ac97060:svchost.exe 1012 492 12 554 2018-08-04 19:26:20 UTC+0000
.. 0xfffffa801b3aab30:SearchIndexer. 3064 492 11 610 2018-08-04 19:27:14 UTC+0000
.. 0xfffffa801aff3b30:msdtc.exe 1436 492 14 155 2018-08-04 19:26:43 UTC+0000
. 0xfffffa801ab3f060:lsass.exe 500 396 7 610 2018-08-04 19:26:12 UTC+0000
. 0xfffffa801ab461a0:lsm.exe 508 396 10 148 2018-08-04 19:26:12 UTC+0000
0xfffffa801a0c8380:csrss.exe 348 336 9 563 2018-08-04 19:26:10 UTC+0000
. 0xfffffa801a6643d0:conhost.exe 2420 348 0 30 2018-08-04 19:34:22 UTC+0000
0xfffffa80198d3b30:csrss.exe 388 380 11 460 2018-08-04 19:26:11 UTC+0000
0xfffffa801aaf4060:winlogon.exe 432 380 3 113 2018-08-04 19:26:11 UTC+0000
0xfffffa801b18f060:WebCompanionIn 3880 1484 15 522 2018-08-04 19:33:07 UTC+0000
. 0xfffffa801aa72b30:sc.exe 3504 3880 0 ------ 2018-08-04 19:33:48 UTC+0000
. 0xfffffa801aeb6890:sc.exe 452 3880 0 ------ 2018-08-04 19:33:48 UTC+0000
. 0xfffffa801a6268b0:WebCompanion.e 3856 3880 15 386 2018-08-04 19:34:05 UTC+0000
. 0xfffffa801b08f060:sc.exe 3208 3880 0 ------ 2018-08-04 19:33:47 UTC+0000
. 0xfffffa801ac01060:sc.exe 2028 3880 0 ------ 2018-08-04 19:33:49 UTC+0000
0xfffffa801b1fd960:notepad.exe 3304 3132 2 79 2018-08-04 19:34:10 UTC+0000很多都是没用的,但是看到有一个很奇怪,ppid比pid还大
.. 0xfffffa801a4c5b30:vmware-tray.ex 3720 3820 8 147 2018-08-04 19:33:02 UTC+0000dlllist一下
➜ Desktop volatility -f OtterCTF.vmem --profile=Win7SP1x64 dlllist -p 3820
Volatility Foundation Volatility Framework 2.6
************************************************************************
Rick And Morty pid: 3820
Command line : "C:\Torrents\Rick And Morty season 1 download.exe"
Note: use ldrmodules for listing DLLs in Wow64 processes
Base Size LoadCount LoadTime Path
------------------ ------------------ ------------------ ------------------------------ ----
0x0000000000400000 0x56000 0xffff 1970-01-01 00:00:00 UTC+0000 C:\Torrents\Rick And Morty season 1 download.exe
0x00000000776f0000 0x1a9000 0xffff 1970-01-01 00:00:00 UTC+0000 C:\Windows\SYSTEM32\ntdll.dll
0x0000000075210000 0x3f000 0x3 2018-08-04 19:32:55 UTC+0000 C:\Windows\SYSTEM32\wow64.dll
0x00000000751b0000 0x5c000 0x1 2018-08-04 19:32:55 UTC+0000 C:\Windows\SYSTEM32\wow64win.dll
0x00000000751a0000 0x8000 0x1 2018-08-04 19:32:55 UTC+0000 C:\Windows\SYSTEM32\wow64cpu.dll
➜ Desktop volatility -f OtterCTF.vmem --profile=Win7SP1x64 dlllist -p 3720
Volatility Foundation Volatility Framework 2.6
************************************************************************
vmware-tray.ex pid: 3720
Command line : "C:\Users\Rick\AppData\Local\Temp\RarSFX0\vmware-tray.exe"
Note: use ldrmodules for listing DLLs in Wow64 processes
Base Size LoadCount LoadTime Path
------------------ ------------------ ------------------ ------------------------------ ----
0x0000000000ec0000 0x6e000 0xffff 1970-01-01 00:00:00 UTC+0000 C:\Users\Rick\AppData\Local\Temp\RarSFX0\vmware-tray.exe
0x00000000776f0000 0x1a9000 0xffff 1970-01-01 00:00:00 UTC+0000 C:\Windows\SYSTEM32\ntdll.dll
0x0000000075210000 0x3f000 0x3 2018-08-04 19:33:03 UTC+0000 C:\Windows\SYSTEM32\wow64.dll
0x00000000751b0000 0x5c000 0x1 2018-08-04 19:33:03 UTC+0000 C:\Windows\SYSTEM32\wow64win.dll
0x00000000751a0000 0x8000 0x1 2018-08-04 19:33:03 UTC+0000 C:\Windows\SYSTEM32\wow64cpu.dlltemp执行,看起来就有问题了,就他了
flag
CTF{vmware-tray.exe}8 - Path To Glory 150
question
How did the malware got to rick's PC? It must be one of rick old illigal habits… format: CTF{…}
solve
malware,那就是看软件了,filescan一下,发现太多,过滤出rick还是多,以Rick And Morty过滤
➜ Desktop volatility -f OtterCTF.vmem --profile=Win7SP1x64 filescan |grep "Rick And Morty"
Volatility Foundation Volatility Framework 2.6
0x000000007d63dbc0 10 0 R--r-d \Device\HarddiskVolume1\Torrents\Rick And Morty season 1 download.exe
0x000000007d8813c0 2 0 RW-rwd \Device\HarddiskVolume1\Users\Rick\Downloads\Rick And Morty season 1 download.exe.torrent
0x000000007da56240 2 0 RW-rwd \Device\HarddiskVolume1\Torrents\Rick And Morty season 1 download.exe
0x000000007dae9350 2 0 RWD--- \Device\HarddiskVolume1\Users\Rick\AppData\Roaming\BitTorrent\Rick And Morty season 1 download.exe.1.torrent
0x000000007dcbf6f0 2 0 RW-rwd \Device\HarddiskVolume1\Users\Rick\AppData\Roaming\BitTorrent\Rick And Morty season 1 download.exe.1.torrent
0x000000007e710070 8 0 R--rwd \Device\HarddiskVolume1\Torrents\Rick And Morty season 1 download.exe把文件dump出来
➜ Desktop volatility -f OtterCTF.vmem --profile=Win7SP1x64 dumpfiles -Q 0x000000007dae9350 -D .
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x7dae9350 None \Device\HarddiskVolume1\Users\Rick\AppData\Roaming\BitTorrent\Rick And Morty season 1 download.exe.1.torrent
➜ Desktop
➜ Desktop ls
1.py MS17-010 pwn_exp.py
3720.dmp OtterCTF.7z pygmcrypto
executable.3720.exe OtterCTF.vmem strings.txt
f out.txt verinfo.txt
file.None.0xfffffa801b42c9e0.dat plugin volatility-2.6.zip
h.dd pwn volatility-master
help.txt pwn_1 welcome.zip
➜ Desktop strings file.None.0xfffffa801b42c9e0.dat
d8:announce44:udp://tracker.openbittorrent.com:80/announce13:announce-listll44:udp://tracker.openbittorrent.com:80/announceel42:udp://tracker.opentrackr.org:1337/announceee10:created by17:BitTorrent/7.10.313:creation datei1533150595e8:encoding5:UTF-84:infod6:lengthi456670e4:name36:Rick And Morty season 1 download.exe12:piece lengthi16384e6:pieces560:\I
!PC<^X
B.k_Rk
0<;O87o
!4^"
3hq,
&iW1|
K68:o
w~Q~YT
$$o9p
bwF:u
e7:website19:M3an_T0rren7_4_R!ckeflag
CTF{M3an_T0rren7_4_R!ck}9 - Path To Glory 200
question
Continue the search after the the way that malware got in. format: CTF{…}
solve
先dump出所有的chrome进程
➜ Desktop volatility -f OtterCTF.vmem --profile=Win7SP1x64 memdump -n chrome -D ./f/
Volatility Foundation Volatility Framework 2.6
************************************************************************
Writing chrome.exe [ 4076] to 4076.dmp
************************************************************************
Writing chrome.exe [ 4084] to 4084.dmp
************************************************************************
Writing chrome.exe [ 576] to 576.dmp
************************************************************************
Writing chrome.exe [ 1808] to 1808.dmp
************************************************************************
Writing chrome.exe [ 3924] to 3924.dmp
************************************************************************
Writing chrome.exe [ 2748] to 2748.dmp
************************************************************************
Writing chrome.exe [ 3648] to 3648.dmp
************************************************************************
Writing chrome.exe [ 1796] to 1796.dmp查找下download.exe.torren
➜ Desktop strings ./f/* | grep "download\.exe\.torrent"
Rick And Morty season 1 download.exe.torrent
==e1f778b7-adf6-48f2-816d-740c99c5f9a4C:\Users\Rick\Downloads\Rick And Morty season 1 download.exe.torrentC:\Users\Rick\Downloads\Rick And Morty season 1 download.exe.torrent
==de371043-340d-42e5-8e16-90e6fbfbc509C:\Users\Rick\Downloads\Rick And Morty season 1 download.exe.torrentC:\Users\Rick\Downloads\Rick And Morty season 1 download.exe.torrent
Visited: Rick@file:///C:/Users/Rick/Downloads/Rick%20And%20Morty%20season%201%20download.exe.torrent
Rick And Morty season 1 download.exe.torrent
Rick And Morty season 1 download.exe.torrent
Rick And Morty season 1 download.exe.torrent
Rick And Morty season 1 download.exe.torrent
Content-Disposition: attachment; filename="Rick And Morty season 1 download.exe.torrent"
attachment; filename="Rick And Morty season 1 download.exe.torrent"
Download complete: Rick And Morty season 1 download.exe.torrent. Press Shift+F6 to cycle to the downloads bar area.➜ Desktop strings ./f/* | grep "download\.exe\.torrent" -A 10 -B 10
display:inline;width:56px;height:200px;m>
Hum@n_I5_Th3_Weak3s7_Link_In_Th3_Ch@inYear
//sec-s.uicdn.com/nav-cdn/home/preloader.gif
simple-icon_toolbar-change-view-horizontal
nnx-track-sec-click-communication-inboxic.com
nx-track-sec-click-dashboard-hide_smileyable
Nftd-box stem-north big fullsize js-focusable
js-box-flex need-overlay js-componentone
Jhttps://search.mail.com/web [q origin ]Year
ntrack-and-trace__delivery-info--has-iconf
Rick And Morty season 1 download.exe.torrent
tbl_1533411035475_7.0.1.40728_2033115181
panel-mail-display-table-mail-default35"
Cnpanel-mail-display-table-mail-horizontal.js
trc_rbox text-links-a trc-content-sponsored
identity_OjpwcmVsb2FkZXIuaHRtbC50d2ln
Move the widget to its desired position.3c8=
Set-Cookie, no-store, proxy-revalidateHxRKw=
Set-Cookie, no-store, proxy-revalidate143/
tbl_1533411035475_7.0.9.40728_2033115181
"mail.com Update" <service@corp.mail.com>eflag
CTF{Hum@n_I5_Th3_Weak3s7_Link_In_Th3_Ch@in}10 - Bit 4 Bit 100
question
We've found out that the malware is a ransomware. Find the attacker's bitcoin address. format: CTF{…}
solve
dump出之前的exe
➜ Desktop volatility -f OtterCTF.vmem --profile=Win7SP1x64 procdump -p 3720 -D ./
Volatility Foundation Volatility Framework 2.6
Process(V) ImageBase Name Result
------------------ ------------------ -------------------- ------
0xfffffa801a4c5b30 0x0000000000ec0000 vmware-tray.ex OK: executable.3720.exe然后ida拖进去逆下就ok
text "UTF-16LE", "Click next for more information and payment on how "
text "UTF-16LE", "to get your files back.",0
aButton1: // DATA XREF: hidden_tear.Form1__InitializeComponent+1C6↑o
// hidden_tear.Form2__InitializeComponent+122↑o ...
text "UTF-16LE", "button1",0
aNext: // DATA XREF: hidden_tear.Form1__InitializeComponent+1FC↑o
text "UTF-16LE", "Next",0
aPicturebox1: // DATA XREF: hidden_tear.Form1__InitializeComponent+25E↑o
// hidden_tear.Form3__InitializeComponent+72↑o
text "UTF-16LE", "pictureBox1",0
aThisIcon: // DATA XREF: hidden_tear.Form1__InitializeComponent+351↑o
text "UTF-16LE", "$this.Icon",0
aForm1: // DATA XREF: hidden_tear.Form1__InitializeComponent+37C↑o
text "UTF-16LE", "Form1",0
aTextbox1: // DATA XREF: hidden_tear.Form2__InitializeComponent+99↑o
// hidden_tear.Form3__InitializeComponent+120↑o
text "UTF-16LE", "textBox1",0
aTextbox1Text: // DATA XREF: hidden_tear.Form2__InitializeComponent+E0↑o
text "UTF-16LE", "textBox1.Text",0
aNext_0: // DATA XREF: hidden_tear.Form2__InitializeComponent+158↑o
text "UTF-16LE", "Next,",0
aForm2: // DATA XREF: hidden_tear.Form2__InitializeComponent+201↑o
text "UTF-16LE", "Form2",0
aCheckingPaymen: // DATA XREF: hidden_tear.Form3__button1_Click+1↑o
text "UTF-16LE", "Checking Payment.................Please Wait",0
aPleaseWait: // DATA XREF: hidden_tear.Form3__button1_Click+6↑o
text "UTF-16LE", "Please wait",0
aYourPaymentHas: // DATA XREF: hidden_tear.Form3__button1_Click+11↑o
text "UTF-16LE", "Your Payment has failed, The funs have been sent ba"
text "UTF-16LE", "ck to your wallet. Please send it again",0
aError: // DATA XREF: hidden_tear.Form3__button1_Click+16↑o
text "UTF-16LE", "Error",0
a1mmpemebjkqxg8: // DATA XREF: hidden_tear.Form3__InitializeComponent+163↑o
text "UTF-16LE", "1MmpEmebJkqXG8nQv4cjJSmxZQFVmFo63M",0
aSend016ToTheAd: // DATA XREF: hidden_tear.Form3__InitializeComponent+219↑o
text "UTF-16LE", "Send 0.16 to the address below.",0
aIPaidNowGiveMe: // DATA XREF: hidden_tear.Form3__InitializeComponent+2B5↑o
text "UTF-16LE", "I paid, Now give me back my files.",0
aForm3: // DATA XREF: hidden_tear.Form3__InitializeComponent+376↑o
text "UTF-16LE", "Form3",0
aHiddenTearProp: // DATA XREF: hidden_tear.Properties.Resources__get_ResourceManager+E↑o
text "UTF-16LE", "hidden_tear.Properties.Resources",0flag
CTF{1MmpEmebJkqXG8nQv4cjJSmxZQFVmFo63M}11 - Graphic's For The Weak 150
question
There's something fishy in the malware's graphics. format: CTF{…}
solve
要提取图片,我太菜ida搞不动了,只能上dnspy了(ps:还是太菜了没想到,为什么不上一题就用) 拖开就能看到
flag
CTF{S0_Just_M0v3_Socy}12 - Recovery 300
question
Rick got to have his files recovered! What is the random password used to encrypt the files?
format: CTF{…}
solve
form1里面有个sendpassword函数,不过没发送只是用computerName+username
// hidden_tear.Form1
// Token: 0x06000006 RID: 6 RVA: 0x000022E8 File Offset: 0x000004E8
public void SendPassword(string password)
{
string text = string.Concat(new string[]
{
this.computerName,
"-",
this.userName,
" ",
password
});
}strings一下吧
➜ Desktop strings -el OtterCTF.vmem | grep WIN-LO6FAF3DTFE-Rick
WIN-LO6FAF3DTFE-Rick aDOBofVYUNVnmp7flag
CTF{aDOBofVYUNVnmp7}13 - Closure 400
question
Now that you extracted the password from the memory, could you decrypt rick's files?
solve
先查看下exe的pdb信息
➜ Desktop strings executable.3720.exe|grep pdb
C:\Users\Tyler\Desktop\hidden-tear-master\hidden-tear\hidden-tear\obj\Debug\VapeHacksLoader.pdb之前filescan时记得桌面有个flag.txt
➜ Desktop volatility -f OtterCTF.vmem --profile=Win7SP1x64 filescan |grep Desktop
Volatility Foundation Volatility Framework 2.6
0x000000007d660500 2 0 -W-r-- \Device\HarddiskVolume1\Users\Rick\Desktop\READ_IT.txt
0x000000007d74c2d0 2 1 R--rwd \Device\HarddiskVolume1\Users\Rick\Desktop
0x000000007d7f98c0 2 1 R--rwd \Device\HarddiskVolume1\Users\Rick\Desktop
0x000000007d864250 16 0 R--rwd \Device\HarddiskVolume1\Users\Public\Desktop\desktop.ini
0x000000007d8a9070 16 0 R--rwd \Device\HarddiskVolume1\Users\Rick\Desktop\desktop.ini
0x000000007d8ac800 2 1 R--rwd \Device\HarddiskVolume1\Users\Public\Desktop
0x000000007d8ac950 2 1 R--rwd \Device\HarddiskVolume1\Users\Public\Desktop
0x000000007e410890 16 0 R--r-- \Device\HarddiskVolume1\Users\Rick\Desktop\Flag.txt
0x000000007e5c52d0 3 0 R--rwd \Device\HarddiskVolume1\Users\Rick\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
0x000000007e77fb60 1 1 R--rw- \Device\HarddiskVolume1\Users\Rick\Desktop先把文件dump出来
➜ Desktop volatility -f OtterCTF.vmem --profile=Win7SP1x64 dumpfiles -Q 0x000000007e410890 -D ./f/
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x7e410890 None \Device\HarddiskVolume1\Users\Rick\Desktop\Flag.txt
➜ Desktop file ./f/file.None.0xfffffa801b0532e0.dat
./f/file.None.0xfffffa801b0532e0.dat: data移除文件后面的00 字节用hidden-tear-decrypto工具密码aDOBofVYUNVnmp7解开即得到flag
flag
CTF{Im_Th@_B3S7_RicK_0f_Th3m_4ll}本文参与 腾讯云自媒体分享计划,分享自微信公众号。
原始发表:2018-12-17,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读
目录