题目:
We found evidence of a password spray attack against the Domain Controller, and identified a suspicious RDP session. We'll provide you with our RDP logs and other files. Can you see what they were up to?
我们发现了针对域控制器的密码喷雾攻击的证据,并确定了一个可疑的RDP会话。我们将向您提供我们的RDP日志和其他文件。你能看到他们在干什么吗?
给了两个文件,.bin的rdp cache文件和.bmc 的cached bitmap file
过程:
Bitmap caches are used by the client and server to store graphic bitmaps. Each bitmap cache holds bitmaps of a specified size in pixels (known as the "tile size"). If a bitmap does not fit into a single cache entry, the server uses a tiling algorithm to divide the bitmap into tiles that will fit into the cache entries so that they can be stored separately into the cache
位图缓存由客户端和服务器用来存储图形位图。每个位图缓存都保存以像素为单位的指定大小的位图(称为“平铺大小”)。如果位图不适合单个缓存项,服务器将使用平铺算法将位图划分为适合缓存项的平铺,以便将其单独存储到缓存中
需要用bmc-tools去提取缓存文件
./bmc-tools.py -s Cache0000.bin
找到flag