Original challenge link
Extraction code: 1234

This is an obfuscated VBS script. First open Visual Studio, go to Debug -> Options -> Just-In-Time, and enable the Script option.


Press Win+R and run wscript /X followed by the file path. Here is my path:

wscript /X D:\赛题\赛题\HNCTF\Reverse\Baby_OBVBS\Baby_OBVBS\Baby_OBVBS.vbs


Switching back to Visual Studio, the script is now displayed in the debugger.

Press Ctrl+A to select everything and copy it into Notepad.

This is VBS obfuscation, which we handle with a script:

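Option Explicit

' Return the string that the obfuscated script hands to Execute.
Function Defuscator(vbs)
    Dim t
    ' Find the first "Execute" (last argument 1 = case-insensitive text compare).
    t = InStr(1, vbs, "Execute", 1)
    ' Keep everything after the keyword: the expression that builds the code.
    t = Mid(vbs, t + Len("Execute"))
    ' Evaluate that expression; the result is the decoded source text.
    t = Eval(t)
    Defuscator = t
End Function

Dim fso, i
Const ForReading = 1
Set fso = CreateObject("Scripting.FileSystemObject")
' Process every file named on the command line.
For i = 0 To WScript.Arguments.Count - 1
    Dim FileName
    FileName = WScript.Arguments(i)
    Dim MyFile
    Set MyFile = fso.OpenTextFile(FileName, ForReading)
    Dim vbs
    vbs = MyFile.ReadAll
    ' Print the decoded layer instead of running it.
    WScript.Echo Defuscator(vbs)
    MyFile.Close
Next

Set fso = Nothing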

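This VBScript code defines a function named Defuscator whose main job is to read a specific code segment from another VBScript file and evaluate it. A detailed explanation of the whole script follows:

I. Option Explicit: this line requires variables to be declared explicitly before use, which avoids errors caused by misspelled or uninitialized variables.

II. Defuscator function: defines a function named Defuscator that takes one parameter, vbs (expected to be a string containing VBScript code).
1. InStr(1, vbs, "Execute", 1) finds the position of the first occurrence of "Execute". This is typically used to locate a specific command or pattern embedded in the input string.
2. Mid(vbs, t + Len("Execute")) takes the substring starting at the character after "Execute", on the assumption that what follows is the VBScript code to be executed.
3. Eval(t) evaluates the extracted string t as VBScript code. This is dynamic code evaluation: very flexible, but it can also introduce security risks.
4. Finally, Defuscator returns the result of the evaluation.

III. File handling:
1. Dim fso, i declares two variables: fso for file system operations and i as the loop counter.
2. Const ForReading = 1 defines a constant meaning the file is opened read-only.
3. CreateObject("Scripting.FileSystemObject") creates a FileSystemObject instance, which allows file and directory operations.
4. WScript.Arguments.Count is used to iterate over all arguments passed on the command line (these are expected to be file names).
5. For each argument (that is, each file name), the file is opened and its entire content is read into the variable vbs.
6. Defuscator(vbs) is called on the VBScript code that was read, and the result is printed with WScript.Echo.
7. The file is closed once it has been read.

IV. Cleanup: Set fso = Nothing releases the reference to the FileSystemObject instance. This is good programming practice and helps free resources promptly.

In summary, the script reads a series of specified VBScript files, looks for the code that follows the "Execute" keyword, evaluates it, and prints the result. Scripts of this kind are useful for processing or analysing encoded or obfuscated VBScript, but note that directly evaluating unchecked code is a security risk.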

Save the script in Notepad as defuscator.vbs and put it in the same directory as the challenge file.

Open a terminal in that directory and run the command:

cscript defuscator.vbs Baby_OBVBS.vbs

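The result is displayed.

Paste the displayed content into Notepad so it is easier to read.

Behind each Base64 segment is a piece of code; decode each one and save the result.

The code saved after decoding again is as follows: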

eAqi = "59fc6b263c3d0fcbc331ade699e62d3473bbf85522d588e3423e6c751ca091528a3c0186e460483917192c14"
ANtg = "baacc7ffa8232d28f814bb14c428798b"
Function Base64Decode(base64EncodedString)
    Dim xml, elem
    Set xml = CreateObject("MSXML2.DOMDocument")
    Set elem = xml.createElement("tmp")
    elem.dataType = "bin.base64"
    elem.text = base64EncodedString
    Dim stream
    Set stream = CreateObject("ADODB.Stream")
    stream.Type = 1 'Binary
    stream.Open
    stream.Write elem.nodeTypedValue
    stream.Position = 0
    stream.Type = 2 'Text
    stream.Charset = "utf-8"
    Base64Decode = stream.ReadText
    stream.Close
End Function

Function Initialize(strPwd)
    Dim box(256)
    Dim tempSwap
    Dim a
    Dim b

    For i = 0 To 255
        box(i) = i
    Next

    a = 0
    b = 0

    For i = 0 To 255
        a = (a + box(i) + Asc(Mid(strPwd, (i Mod Len(strPwd)) + 1, 1))) Mod 256
        tempSwap = box(i)
        box(i) = box(a)
        box(a) = tempSwap
    Next

    Initialize = box
End Function
Function Myfunc(strToHash)
    Dim tmpFile, strCommand, objFSO, objWshShell, out
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objWshShell = CreateObject("WScript.Shell")
    tmpFile = objFSO.GetSpecialFolder(2).Path & "\" & objFSO.GetTempName
    objFSO.CreateTextFile(tmpFile).Write(strToHash)
    strCommand = "certutil -hashfile " & tmpFile & " MD5"
    out = objWshShell.Exec(strCommand).StdOut.ReadAll
    objFSO.DeleteFile tmpFile
    Myfunc = Replace(Split(Trim(out), vbCrLf)(1), " ", "")
End Function
Function EnCrypt(box, strData)
    Dim tempSwap
    Dim a
    Dim b
    Dim x
    Dim y
    Dim encryptedData
    encryptedData = ""
    For x = 1 To Len(strData)
        a = (a + 1) Mod 256
        b = (b + box(a)) Mod 256
        tempSwap = box(a)
        box(a) = box(b)
        box(b) = tempSwap
        y = Asc(Mid(strData, x, 1)) Xor box((box(a) + box(b)) Mod 256)
        encryptedData = encryptedData & LCase(Right("0" & Hex(y), 2))
    Next
    EnCrypt = encryptedData
End Function
msgbox "Do you know VBScript?"
msgbox "VBScript (""Microsoft Visual Basic Scripting Edition"") is a deprecated Active Scripting language developed by Microsoft that is modeled on Visual Basic."
msgbox "It allows Microsoft Windows system administrators to generate powerful tools for managing computers without error handling and with subroutines and other advanced programming constructs. It can give the user complete control over many aspects of their computing environment."
msgbox "Interestingly, although VBScript has long since been deprecated, you can still run VBScript scripts on the latest versions of Windows 11 systems."
msgbox "A VBScript script must be executed within a host environment, of which there are several provided with Microsoft Windows, including: Windows Script Host (WSH), Internet Explorer (IE), and Internet Information Services (IIS)."
msgbox "For .vbs files, the host is Windows Script Host (WSH), aka wscript.exe/cscript.exe program in your system."
msgbox "If you can not stop a VBScript from running (e.g. a dead loop), go to the task manager and kill wscript.exe/cscript.exe."
msgbox "cscript and wscript are executables for the scripting host that are used to run the scripts. cscript and wscript are both interpreters to run VBScript (and other scripting languages like JScript) on the Windows platform."
msgbox "cscript is for console applications and wscript is for Windows applications. It has something to do with STDIN, STDOUT and STDERR."
msgbox "OK! Now, let us begin our journey."

key = InputBox("Enter the key:", "CTF Challenge")
if (key = False) then wscript.quit
if (len(key)<>6) then
    wscript.echo "wrong key length!"
    wscript.quit
end if
If (Myfunc(key) = ANtg) Then
    wscript.echo "You get the key!Move to next challenge."
Else
    wscript.echo "Wrong key!Try again!"
    wscript.quit
End If

userInput = InputBox("Enter the flag:", "CTF Challenge")
if (userInput = False) then wscript.quit
if (len(userInput)<>44) then
    wscript.echo "wrong!"
    wscript.quit
end if
box = Initialize(key)
encryptedInput = EnCrypt(box, userInput)

If (encryptedInput = eAqi) Then
    MsgBox "Congratulations! You have learned VBS!"
Else
    MsgBox "Wrong flag. Try again."
End If

wscript.echo "bye!"

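The ANtg defined at the top turns up again in the section below.

Myfunc is simply MD5.

Crack the MD5 with an online MD5 lookup.

The result is: H&NKEY

RC4 decryption then gives the result: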

H&NCTF{VBS_1s_@_s0_7unny_an4_pow3rfu1_t00l!}
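
The last two steps as an added Python example (not part of the original write-up): it reimplements the recovered script's Initialize and EnCrypt routines, which are standard RC4, checks a candidate key against ANtg the way Myfunc does, and decrypts eAqi. The Python function names and the Latin-1 byte mapping used for Asc are assumptions of this example.

```python
import hashlib

# Constants copied from the recovered script above.
EAQI = "59fc6b263c3d0fcbc331ade699e62d3473bbf85522d588e3423e6c751ca091528a3c0186e460483917192c14"
ANTG = "baacc7ffa8232d28f814bb14c428798b"


def initialize(key: bytes) -> list:
    """Key scheduling, same steps as the script's Initialize()."""
    box = list(range(256))
    a = 0
    for i in range(256):
        a = (a + box[i] + key[i % len(key)]) % 256
        box[i], box[a] = box[a], box[i]
    return box


def rc4(key: bytes, data: bytes) -> bytes:
    """Keystream XOR, same steps as EnCrypt(); applying it twice undoes it."""
    box = initialize(key)
    a = b = 0
    out = bytearray()
    for byte in data:
        a = (a + 1) % 256
        b = (b + box[a]) % 256
        box[a], box[b] = box[b], box[a]
        out.append(byte ^ box[(box[a] + box[b]) % 256])
    return bytes(out)


def key_matches(key: str) -> bool:
    """Myfunc() is certutil's MD5 of the key text; compare it with ANtg."""
    # Assumption: the key is plain ASCII/Latin-1, as Asc() would see it.
    return hashlib.md5(key.encode("latin-1")).hexdigest() == ANTG


def recover_input(key: str) -> str:
    """Decrypt the eAqi hex string with the given key."""
    return rc4(key.encode("latin-1"), bytes.fromhex(EAQI)).decode("latin-1")


if __name__ == "__main__":
    key = "H&NKEY"  # result of the MD5 lookup in the write-up
    print("key matches ANtg:", key_matches(key))
    print(recover_input(key))
```

Because EnCrypt emits lowercase hex and RC4 is symmetric, decoding the hex and running the same routine with the same key is the whole decryption.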
