[2021深育杯线上初赛]Disk writeup

[2021深育杯线上初赛]Disk

知识点：

hashcat爆破BitLocker
rdp缓存协议

附件：

附件是个veracrypt加密容器，根据文件名，键盘加密找出密码pvd并挂载磁盘（内有goooood，是个压缩包，改后缀解压）

解压后得到gooood，是磁盘文件，挂起发现有个BitLocker分区

原来bitlocker2john结合hashcat可以爆破BitLocker

bitlocker2john：

λ bitlocker2john.exe -i C:\Users\shen\Desktop\gooood
Opening file C:\Users\shen\Desktop\gooood

Signature found at 0x01000003
Version: 8
Invalid version, looking for a signature with valid version...

Signature found at 0x03200000
Version: 2 (Windows 7 or later)

VMK entry found at 0x032000a2
VMK encrypted with user password found!
VMK encrypted with AES-CCM

VMK entry found at 0x03200182
VMK encrypted with Recovery key found!
VMK encrypted with AES-CCM

User Password hash:
$bitlocker$0$16$$bitlocker$0$16$6c1fbe8314e64b4042110147cb1632d2$1048576$12$a0348897f591d70103000000$60$fb026c1039aec7a85c77964d9cf2b63f6261579f431dfdb675322ab91e44acab870c75a64b5722be3500b35bcee969dc59e31ffdf88c1cb3a07776fa
Hash type: User Password with MAC verification (slower solution, no false positives)
$bitlocker$1$16$6c1fbe8314e64b4042110147cb1632d2$1048576$12$a0348897f591d70103000000$60$fb026c1039aec7a85c77964d9cf2b63f6261579f431dfdb675322ab91e44acab870c75a64b5722be3500b35bcee969dc59e31ffdf88c1cb3a07776fa
Hash type: Recovery Password fast attack
$bitlocker$2$16$9d0ef79ddd7378938d2e192b0f86c8d3$1048576$12$a0348897f591d70106000000$60$de3a14e281933427b5d31f2a1480a08c3fa72b249f2305b64dc707f0989d404a9dc05aca6e171eb675584dd0ef24236b88df130c0987f38f1197e056
Hash type: Recovery Password with MAC verification (slower solution, no false positives)
$bitlocker$3$16$9d0ef79ddd7378938d2e192b0f86c8d3$1048576$12$a0348897f591d70106000000$60$de3a14e281933427b5d31f2a1480a08c3fa72b249f2305b64dc707f0989d404a9dc05aca6e171eb675584dd0ef24236b88df130c0987f38f1197e056

hashcat

hashcat.exe -m 22100 -a0 $bitlocker$1$16$6c1fbe8314e64b4042110147cb1632d2$1048576$12$a0348897f591d70103000000$60 $fb026c1039aec7a85c77964d9cf2b63f6261579f431dfdb675322ab91e44acab870c75a64b5722be3500b35bcee969dc59e31ffdf88c1cb3a07776fa wordlist.dic
hashcat (v6.2.2) starting...

…………

$bitlocker$1$16$6c1fbe8314e64b4042110147cb1632d2$1048576$12$a0348897f591d70103000000$60$fb026c1039aec7a85c77964d9cf2b63f6261579f431dfdb675322ab91e44acab870c75a64b5722be3500b35bcee969dc59e31ffdf88c1cb3a07776fa:abcd1234

得到BitLocker密码abcd1234

解密之后发现啥的没有，全盘搜索flag得到提示

翻一翻发现回收站里面有东西，是个压缩包$R元文件直接恢复出来
$RECYCLE.BIN\S-1-5-21-383221445-1139645558-3682731431-1001$R64CIW9

解压后看名字，联系3389端口，猜测是Windows远程桌面的bmc协议，利用GitHub工具分离



看了wp才知道太抽象了: cmRwY2FjaGUtYm1j

解密baset64即为flag:SangFor{rdpcache-bmc}

参考文章：https://mp.weixin.qq.com/s/1V5BEsfdZNRKwWP1mCs8wQ