# Writeup of Flag Thief in WMCTF 2021 ## preface: 在两天前的WMCTF2021中我和th31nk共同解决了一个名为Flag Thief的取证挑战并且获得了该题目类型的一血 ![first blood](https://i.imgur.com/DmO64JG.png) ## description: ``` 2021年8月28日 01:00 UTC,著名Flag大盗L1near被缉拿归案。警方已经将其作案用的电脑制作成镜像,他们试图找到L1near藏匿在其中的Flag但都以失败告终。警方知道你是取证专业人士,现在需要你的帮助! On August 28, 2021, at 01:00 UTC, The famous Flag thief L1near was arrested. Police have made a mirror image of the computer he used to commit the crime, and they have tried unsuccessfully to find the Flag that L1near was hiding inside. The police know you're a forensics professional, now they need your help! Attachment: Baidu Drive(Code:m8yx) Or Google Drive the 7z's passowrd is ec19b53ce10adc41be119713ffe34760 Flag Thief hint1:经过警方长达一天的审讯,L1near交代他曾经对受害人的电脑远程操控过 ``` 通过 hint 注意到远程连接的bmc位图缓存,路径如下: ![bmc位图缓存地址路径](https://i.imgur.com/lQ6NqNF.png) 利用`bmc-tools`恢复缓存的 bmc 位图,通过大概浏览可以得到其中存在记事本的界面,里面包含着 veracrypt 的字样,那么将其拼接得到: ![](https://i.imgur.com/H44gBCy.png) ``` VeraCrypt 5eCuri7yPaSsW0rd@__WMCTF Oh no! U found it! ``` 那么就需要找到能让我们解密的 veracrypt 容器,这里通过取证大师的加密文件分类定位到一个可疑的文件: ![](https://i.imgur.com/wedFU0E.png) 将其利用之前得到的秘钥挂载得到`nox-disk2.vmdk`,通过名称可以得知是夜神模拟器的数据盘,将其挂载在模拟器中即可打开,发现存在锁屏密码: ![](https://i.imgur.com/wO9ptGw.png) 这里通过删除vmdk中的 gatekeeper.pattern.key gatekeeper.password.key 以及 device_policies.xml 文件可以绕过锁屏直接进入,查看通讯录发现: ![](https://i.imgur.com/Ajd2KjA.png) ![](https://i.imgur.com/vTQ8Yat.png) 可恶还是需要锁屏密码,非预期方法被防了 :sob: :sob: 那么我们再来看锁屏密码,这里参考中科实数杯的考点: https://mp.weixin.qq.com/s?__biz=MzAxODA3NDc3NA==&mid=2247484582&idx=1&sn=716471f5440de7305ae1a8075e5c7bf9 X-ways先提取`/system/device_policies.xml`以确认密码为9位: ![](https://i.imgur.com/D6Yo8Hd.png) ![](https://i.imgur.com/OXbRSdj.png) 然后提取 gatekeeper.pattern.key ,计算哈希并爆破密码,那么我们首先生成字典(9位不重复数字): ```python # python3 file1 = open('password.txt', 'a') for a in "123456789": for b in "123456789": for c in "123456789": for d in "123456789": for e in "123456789": for f in "123456789": for g in "123456789": for h in "123456789": for i in "123456789": if a != b and a != c and a != d and a != e and a != f and a != g and a != h and a != i \ and b != c and b != d and b != e and b != f and b != g and b != h and b != i \ and c != d and c != e and c != f and c != g and c != h and c != i\ and d != e and d != f and d != g and d != h and d != i\ and e != f and e != g and e != h and e != i\ and f != g and f != h and f != i\ and g != h and g != i\ and h != i: password = a + b + c + d + e + f + g + h + i file1.write(password + '\n') file1.close() ``` 爆破脚本: ```python import struct import binascii import scrypt N = 16384 r = 8 p = 1 f = open('gatekeeper.pattern.key', 'rb') blob = f.read() s = struct.Struct('<' + '17s 8s 32s') (meta, salt, signature) = s.unpack_from(blob) f1 = open('password.txt', 'rb') lines = f1.readlines() for i in range(len(lines)): password = lines[i][:-2] to_hash = meta to_hash += password hash = scrypt.hash(to_hash, salt, N, r, p) print('password: %s' % password) print('signature: %s' % binascii.hexlify(signature)) print('Hash: %s' % binascii.hexlify(hash[0:32])) print('Equal: %s' % (hash[0:32] == signature)) if hash[0:32] == signature: print("OK") exit() ``` 得到密码: ``` password: 183492765 signature fc677bebe8884278575c19a79a7f0efbab47f2e4dd73d43564adc17373fea9e7 Hash: fc677bebe8884278575c19a79a7f0efbab47f2e4dd73d43564adc17373fea9e7 Equal: True OK ``` 锁屏验证后发现可以解开 (当然上述的部分也可以使用hashcat进行爆破,速度应该比这个脚本要快上不少) 那么猜测接下来的过程是利用解得的锁屏作为密钥来解密文: ``` cipher: BS7nX1uw+KmS4LSXlK3LIntByEturqY4qjGI/yj3Di8aps4K+DR9hCzndjUD7w54 key: 183492765 ``` AES 解密 http://tool.chacuo.net/cryptaes ![](https://i.imgur.com/HFyjTYM.png) flag: ``` wmctf{dc4fc81e0aedc4692a7e312ce503e3ef} ```