Solar2月应急响应公益月赛

server/2025/3/4 11:16:41/

暗链排查-1

burp 抓包，找到 js，cyberchef 一把梭，纯黑盒

暗链排查-2

root@tianshou-0e3d41087e0b47e587d7b244849b893b-7769f979cf-szxvl:~# gcore -o nginx_core 11
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
0x00007f5e5760f5b9 in sigsuspend () from /lib/x86_64-linux-gnu/libc.so.6
warning: target file /proc/11/cmdline does not contain a trailing null character
Saved corefile nginx_core.11
[Inferior 1 (process 11) detached]
root@tianshou-0e3d41087e0b47e587d7b244849b893b-7769f979cf-szxvl:~# ls
nginx_core.11
root@tianshou-0e3d41087e0b47e587d7b244849b893b-7769f979cf-szxvl:~# strings nginx_core.11 | grep flag
SSL_CONF_CTX_set_flags
X509_STORE_set_flags
ngx_conf_set_flag_slot
ngx_event_flags
FLAG=flag{f682645fd1004f90840305712c3eca37}
# flag{Xv4C_ZtqD_5umj_cwgw}
# flag{Xv4C_ZtqD_5umj_cwgw}

VMDK 修复

逆向-1

grok 直接秒了

"""
@ Author: b3nguang
@ Date: 2025-01-18 11:48:14
"""from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modesdef decrypt_file(input_file_path, output_file_path):# 读取加密文件with open(input_file_path, "rb") as f:file_data = f.read()# 验证标识符identifier = file_data[-8:].decode("utf-8")if identifier != "12346578":raise ValueError("无效的文件格式：标识符不匹配。")# 提取 IV（16 字节）iv = file_data[-24:-8]  # 从倒数第 24 字节到倒数第 8 字节# 提取密钥（32 字节）key = file_data[-56:-24]  # 从倒数第 56 字节到倒数第 24 字节# 提取加密数据encrypted_data = file_data[:-56]  # 去掉末尾 56 字节（32 密钥 + 16 IV + 8 标识符）# 设置 AES CBC 解密backend = default_backend()cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=backend)decryptor = cipher.decryptor()# 解密数据decrypted_padded_data = decryptor.update(encrypted_data) + decryptor.finalize()# 去除 PKCS7 填充unpadder = padding.PKCS7(algorithms.AES.block_size).unpadder()decrypted_data = unpadder.update(decrypted_padded_data) + unpadder.finalize()# 保存解密后的文件with open(output_file_path, "wb") as f:f.write(decrypted_data)print(f"文件 '{input_file_path}' 已解密为 '{output_file_path}'。")if __name__ == "__main__":# 设置输入和输出文件路径encrypted_file_path = r"E:\Downloads\附件\encrypted_file.txt"decrypted_file_path = "decrypted_file.txt"try:decrypt_file(encrypted_file_path, decrypted_file_path)except Exception as e:print("错误:", str(e))