# Writeup of Flag Thief in WMCTF 2021 ## preface: 在两天前的WMCTF2021中我和th31nk共同解决了一个名为Flag Thief的取证挑战并且获得了该题目类型的一血 ![first blood](https://i.imgur.com/DmO64JG.png) ## description: ``` 2021年8月28日 01:00 UTC,著名Flag大盗L1near被缉拿归案。警方已经将其作案用的电脑制作成镜像,他们试图找到L1near藏匿在其中的Flag但都以失败告终。警方知道你是取证专业人士,现在需要你的帮助! On August 28, 2021, at 01:00 UTC, The famous Flag thief L1near was arrested. Police have made a mirror image of the computer he used to commit the crime, and they have tried unsuccessfully to find the Flag that L1near was hiding inside. The police know you're a forensics professional, now they need your help! Attachment: Baidu Drive(Code:m8yx) Or Google Drive the 7z's passowrd is ec19b53ce10adc41be119713ffe34760 Flag Thief hint1:经过警方长达一天的审讯,L1near交代他曾经对受害人的电脑远程操控过 ``` 通过 hint 注意到远程连接的bmc位图缓存,路径如下: ![bmc位图缓存地址路径](https://i.imgur.com/lQ6NqNF.png) 利用`bmc-tools`恢复缓存的 bmc 位图,通过大概浏览可以得到其中存在记事本的界面,里面包含着 veracrypt 的字样,那么将其拼接得到: ![](https://i.imgur.com/H44gBCy.png) ``` VeraCrypt 5eCuri7yPaSsW0rd@__WMCTF Oh no! U found it! ``` 那么就需要找到能让我们解密的 veracrypt 容器,这里通过取证大师的加密文件分类定位到一个可疑的文件: ![](https://i.imgur.com/wedFU0E.png) 将其利用之前得到的秘钥挂载得到`nox-disk2.vmdk`,通过名称可以得知是夜神模拟器的数据盘,将其挂载在模拟器中即可打开,发现存在锁屏密码: ![](https://i.imgur.com/wO9ptGw.png) 这里通过删除vmdk中的 gatekeeper.pattern.key gatekeeper.password.key 以及 device_policies.xml 文件可以绕过锁屏直接进入,查看通讯录发现: ![](https://i.imgur.com/Ajd2KjA.png) ![](https://i.imgur.com/vTQ8Yat.png) 可恶还是需要锁屏密码,非预期方法被防了 :sob: :sob: 那么我们再来看锁屏密码,这里参考中科实数杯的考点: https://mp.weixin.qq.com/s?__biz=MzAxODA3NDc3NA==&mid=2247484582&idx=1&sn=716471f5440de7305ae1a8075e5c7bf9 X-ways先提取`/system/device_policies.xml`以确认密码为9位: ![](https://i.imgur.com/D6Yo8Hd.png) ![](https://i.imgur.com/OXbRSdj.png) 然后提取 gatekeeper.pattern.key ,计算哈希并爆破密码,那么我们首先生成字典(9位不重复数字): ```python # python3 file1 = open('password.txt', 'a') for a in "123456789": for b in "123456789": for c in "123456789": for d in "123456789": for e in "123456789": for f in "123456789": for g in "123456789": for h in "123456789": for i in "123456789": if a != b and a != c and a != d and a != e and a != f and a != g and a != h and a != i \ and b != c and b != d and b != e and b != f and b != g and b != h and b != i \ and c != d and c != e and c != f and c != g and c != h and c != i\ and d != e and d != f and d != g and d != h and d != i\ and e != f and e != g and e != h and e != i\ and f != g and f != h and f != i\ and g != h and g != i\ and h != i: password = a + b + c + d + e + f + g + h + i file1.write(password + '\n') file1.close() ``` 爆破脚本: ```python import struct import binascii import scrypt N = 16384 r = 8 p = 1 f = open('gatekeeper.pattern.key', 'rb') blob = f.read() s = struct.Struct('<' + '17s 8s 32s') (meta, salt, signature) = s.unpack_from(blob) f1 = open('password.txt', 'rb') lines = f1.readlines() for i in range(len(lines)): password = lines[i][:-2] to_hash = meta to_hash += password hash = scrypt.hash(to_hash, salt, N, r, p) print('password: %s' % password) print('signature: %s' % binascii.hexlify(signature)) print('Hash: %s' % binascii.hexlify(hash[0:32])) print('Equal: %s' % (hash[0:32] == signature)) if hash[0:32] == signature: print("OK") exit() ``` 得到密码: ``` password: 183492765 signature fc677bebe8884278575c19a79a7f0efbab47f2e4dd73d43564adc17373fea9e7 Hash: fc677bebe8884278575c19a79a7f0efbab47f2e4dd73d43564adc17373fea9e7 Equal: True OK ``` 锁屏验证后发现可以解开 (当然上述的部分也可以使用hashcat进行爆破,速度应该比这个脚本要快上不少) 那么猜测接下来的过程是利用解得的锁屏作为密钥来解密文: ``` cipher: BS7nX1uw+KmS4LSXlK3LIntByEturqY4qjGI/yj3Di8aps4K+DR9hCzndjUD7w54 key: 183492765 ``` AES 解密 http://tool.chacuo.net/cryptaes ![](https://i.imgur.com/HFyjTYM.png) flag: ``` wmctf{dc4fc81e0aedc4692a7e312ce503e3ef} ```
Last changed by  
crazyman
r3kapig摸鱼划水人 平常喜欢做做misc以及取证类题目 现在在学习逆向和pwn 密码等方向 比较菜 呜呜呜呜
1290

Read more

西湖论剑-Isolated Machine Memory Analysis Writeup

本文赛后与zysgmzb共同完成 Isolated Machine Memory Analysis: 题目名称: Isolated Machine Memory Analysis 题目内容: 张三,现用名叫Charlie,在一家外企工作,负责flag加密技术的研究。为了避免flag泄露,这家企业制定了严格的安全策略,严禁flag离开研发服务器,登录服务器必须经过跳板机。张三使用的跳板机是一台虚拟机,虽然被全盘加密没法提取,但好消息是至少还没关机。 免责声明:本题涉及的人名、单位名、产品名、域名及IP地址等均为虚构,如有雷同纯属巧合。 注:本题模拟真实研发环境,解题有关的信息不会出现在人名、域名或IP地址等不合常理的地方。链接:https://pan.baidu.com/s/1WESej-pyjWKZni7drZGTig?pwd=cq46 提取码:cq46 题目难度:

3/1/2023
Insomni'hack teaser 2023 - Autopsy:

In the Lunar New Year, I played Insomni'hack teaser 2023, one of the topics labeled forensics, realistic, windows aroused my interest, I solved him. And I learned some knowledge from it. This is the record writeup Autopsy: Wireshark loads through the export object and selects http, save all and then filters to get three files SYSTEM, SECURITY, ntds.dit Then after searching, you can learn some relevant content about credential extraction https://github.com/SecureAuthCorp/impacket Through some things made by secretdump.py, it seems that it is not very useful. But it may be used to extract the key to decrypt the traffic

1/23/2023
idek 2022* CTF Pyjail && Pyjail Revenge Writeup

Pyjail: The code looks like this blocklist = ['.', '\\', '[', ']', '{', '}',':'] DISABLE_FUNCTIONS = ["getattr", "eval", "exec", "breakpoint", "lambda", "help"] DISABLE_FUNCTIONS = {func: None for func in DISABLE_FUNCTIONS} There is a blocklist ban off '.' , '\\', '[', ']', '{', '}', ':'. Then there is a DISABLE_FUNCTIONS that registers None objects for 'getattr', 'eval', 'exec', 'breakpoint', 'lambda', 'help' and overrides the corresponding functions in __builtins__. Also, the file name is jail.py, and the one in docker is also jail, so you can use __import__('jail'), but you may have to type it twice, so it's better to use __import__(__main__). Also flag sets permission not to read directly and then gives a readflag, called with the argument /readflag giveflag Also, this question can be executed in multiple lines, so you can do something like emptying the blocklist as follows

1/18/2023
idek CTF 2022* Forensics - HiddenGem Mixtape Writeup

This week is the Preliminary Eve in China, and most of my time is resting and partying. At the same time, there are some good challenges in idek CTF, among which I prefer the HiddenGem Mixtape series of challenges. Since I am a forensics enthusiast, and I I am also a malware analyst. So I prefer this challenge that is close to the realworld. Although some people may feel that this challenge is strange,guessing. Including some designs that may confuse the players. I hope my writeup can let you learn more much.Let's gooooo And a digression: szymex73 so strong! █Bquanman█ so strong! HiddenGem Mixtape: After downloading the file, we got three files 2023-01-07T194857_HiddenGem.zip,Note.txt,HiddenGem.7z 2023-01-07T194857_HiddenGem.zip after decompression is 2023-01-07T194857_HiddenGem.vhdx Note.txt:

1/16/2023
Read more from crazyman
Published on HackMD