[2021 深育杯 online preliminary] Disk writeup

Knowledge points:

Cracking BitLocker with hashcat
RDP cache protocol (bitmap cache, bmc)

Attachment:

The attachment is a VeraCrypt encrypted container. Going by the file name, a keyboard cipher yields the password pvd; mount the volume (it contains goooood, which is a zip archive: change the extension and extract it).

[screenshot 1]
After extracting, we get gooood, which is a disk image; mounting it reveals a BitLocker partition.
[screenshot 2]

It turns out that bitlocker2john combined with hashcat can brute-force a BitLocker password.

bitlocker2john:

λ bitlocker2john.exe -i C:\Users\shen\Desktop\gooood
Opening file C:\Users\shen\Desktop\gooood

Signature found at 0x01000003
Version: 8
Invalid version, looking for a signature with valid version...

Signature found at 0x03200000
Version: 2 (Windows 7 or later)

VMK entry found at 0x032000a2
VMK encrypted with user password found!
VMK encrypted with AES-CCM

VMK entry found at 0x03200182
VMK encrypted with Recovery key found!
VMK encrypted with AES-CCM

User Password hash:
$bitlocker$0$16$6c1fbe8314e64b4042110147cb1632d2$1048576$12$a0348897f591d70103000000$60$fb026c1039aec7a85c77964d9cf2b63f6261579f431dfdb675322ab91e44acab870c75a64b5722be3500b35bcee969dc59e31ffdf88c1cb3a07776fa
Hash type: User Password with MAC verification (slower solution, no false positives)
$bitlocker$1$16$6c1fbe8314e64b4042110147cb1632d2$1048576$12$a0348897f591d70103000000$60$fb026c1039aec7a85c77964d9cf2b63f6261579f431dfdb675322ab91e44acab870c75a64b5722be3500b35bcee969dc59e31ffdf88c1cb3a07776fa
Hash type: Recovery Password fast attack
$bitlocker$2$16$9d0ef79ddd7378938d2e192b0f86c8d3$1048576$12$a0348897f591d70106000000$60$de3a14e281933427b5d31f2a1480a08c3fa72b249f2305b64dc707f0989d404a9dc05aca6e171eb675584dd0ef24236b88df130c0987f38f1197e056
Hash type: Recovery Password with MAC verification (slower solution, no false positives)
$bitlocker$3$16$9d0ef79ddd7378938d2e192b0f86c8d3$1048576$12$a0348897f591d70106000000$60$de3a14e281933427b5d31f2a1480a08c3fa72b249f2305b64dc707f0989d404a9dc05aca6e171eb675584dd0ef24236b88df130c0987f38f1197e056

hashcat:

hashcat.exe -m 22100 -a 0 $bitlocker$1$16$6c1fbe8314e64b4042110147cb1632d2$1048576$12$a0348897f591d70103000000$60$fb026c1039aec7a85c77964d9cf2b63f6261579f431dfdb675322ab91e44acab870c75a64b5722be3500b35bcee969dc59e31ffdf88c1cb3a07776fa wordlist.dic
hashcat (v6.2.2) starting...

…………

$bitlocker$1$16$6c1fbe8314e64b4042110147cb1632d2$1048576$12$a0348897f591d70103000000$60$fb026c1039aec7a85c77964d9cf2b63f6261579f431dfdb675322ab91e44acab870c75a64b5722be3500b35bcee969dc59e31ffdf88c1cb3a07776fa:abcd1234

This yields the BitLocker password abcd1234.
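As an added example (not part of the original writeup, nor code from bitlocker2john or hashcat), a small Python checker for the $bitlocker$ lines above: it verifies that every declared byte length matches the hex that follows it (16-byte salt, 12-byte AES-CCM nonce, 60 bytes of data, 1048576 = 2^20 key-stretching iterations), rejects lines with stray whitespace or a duplicated prefix, which easily creep in when a hash is copied out of a terminal, and splits hashcat's final hash:password line. The type labels are taken from the bitlocker2john output above.

```python
import re
from collections import namedtuple

# Labels as printed by bitlocker2john for the four $bitlocker$ hash types.
HASH_TYPES = {
    0: "User Password (fast attack)",
    1: "User Password with MAC verification",
    2: "Recovery Password (fast attack)",
    3: "Recovery Password with MAC verification",
}

BitLockerHash = namedtuple("BitLockerHash", "mode salt iterations nonce data")


def parse_bitlocker_hash(line: str) -> BitLockerHash:
    """Parse $bitlocker$<mode>$<salt_len>$<salt>$<iter>$<nonce_len>$<nonce>$<data_len>$<data>
    and check that every declared byte length matches the hex that follows it."""
    line = line.strip()
    if re.search(r"\s", line):
        raise ValueError("hash contains whitespace (stray space from copy/paste?)")
    if not line.startswith("$bitlocker$") or line.count("$bitlocker$") != 1:
        raise ValueError("expected exactly one leading $bitlocker$ prefix")
    parts = line[len("$bitlocker$"):].split("$")
    if len(parts) != 8:
        raise ValueError(f"expected 8 '$'-separated fields, got {len(parts)}")
    mode, salt_len, salt_hex, iters, nonce_len, nonce_hex, data_len, data_hex = parts
    if int(mode) not in HASH_TYPES:
        raise ValueError(f"unknown hash type {mode}")
    raw = {}
    for name, declared, hexstr in (("salt", salt_len, salt_hex),
                                   ("nonce", nonce_len, nonce_hex),
                                   ("data", data_len, data_hex)):
        if not re.fullmatch(r"[0-9a-fA-F]+", hexstr):
            raise ValueError(f"{name} field is not hex: {hexstr!r}")
        raw[name] = bytes.fromhex(hexstr)
        if len(raw[name]) != int(declared):
            raise ValueError(f"{name}: declared {declared} bytes, got {len(raw[name])}")
    return BitLockerHash(int(mode), raw["salt"], int(iters), raw["nonce"], raw["data"])


def split_cracked_line(line: str) -> tuple:
    """Split hashcat's 'hash:password' result line: the recovered password is
    everything after the last ':' and the left side must be a well-formed hash."""
    hash_part, sep, password = line.strip().rpartition(":")
    if not sep:
        raise ValueError("no ':' separator in hashcat result line")
    parse_bitlocker_hash(hash_part)
    return hash_part, password
```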
[screenshot 3]
After decrypting the volume there was nothing obvious, so I searched the whole disk for "flag" and got a hint.
[screenshot 4]
Poking around further, there was something in the Recycle Bin: a zip archive, which can be recovered directly from its $R file (the file holding the recycled item's original contents).
$RECYCLE.BIN\S-1-5-21-383221445-1139645558-3682731431-1001$R64CIW9
[screenshot 5]
Judging by the name after extraction, and its connection to port 3389, the guess was the Windows Remote Desktop bitmap cache (bmc); a tool from GitHub was used to split the cache into its tiles.
[screenshot 6]
[screenshot 7]
[screenshot 8]
Only after reading the writeup did I realise how abstract it was: cmRwY2FjaGUtYm1j
[screenshot 9]
Base64-decoding it gives the flag: SangFor{rdpcache-bmc}

Reference: https://mp.weixin.qq.com/s/1V5BEsfdZNRKwWP1mCs8wQ