[2021 深育杯 online preliminary round] Disk
Knowledge points:
Cracking BitLocker with hashcat
RDP cache (bitmap cache) protocol
Attachment:
The attachment is a VeraCrypt encrypted container. The file name points to a keyboard cipher, which yields the password pvd; mount the volume and inside is goooood, which is actually an archive (change the extension and extract it).
Extraction yields gooood, a disk image; mounting it reveals a BitLocker partition.
It turns out bitlocker2john combined with hashcat can crack BitLocker.
bitlocker2john:
λ bitlocker2john.exe -i C:\Users\shen\Desktop\gooood
Opening file C:\Users\shen\Desktop\gooood
Signature found at 0x01000003
Version: 8
Invalid version, looking for a signature with valid version...
Signature found at 0x03200000
Version: 2 (Windows 7 or later)
VMK entry found at 0x032000a2
VMK encrypted with user password found!
VMK encrypted with AES-CCM
VMK entry found at 0x03200182
VMK encrypted with Recovery key found!
VMK encrypted with AES-CCM
User Password hash:
$bitlocker$0$16$6c1fbe8314e64b4042110147cb1632d2$1048576$12$a0348897f591d70103000000$60$fb026c1039aec7a85c77964d9cf2b63f6261579f431dfdb675322ab91e44acab870c75a64b5722be3500b35bcee969dc59e31ffdf88c1cb3a07776fa
Hash type: User Password with MAC verification (slower solution, no false positives)
$bitlocker$1$16$6c1fbe8314e64b4042110147cb1632d2$1048576$12$a0348897f591d70103000000$60$fb026c1039aec7a85c77964d9cf2b63f6261579f431dfdb675322ab91e44acab870c75a64b5722be3500b35bcee969dc59e31ffdf88c1cb3a07776fa
Hash type: Recovery Password fast attack
$bitlocker$2$16$9d0ef79ddd7378938d2e192b0f86c8d3$1048576$12$a0348897f591d70106000000$60$de3a14e281933427b5d31f2a1480a08c3fa72b249f2305b64dc707f0989d404a9dc05aca6e171eb675584dd0ef24236b88df130c0987f38f1197e056
Hash type: Recovery Password with MAC verification (slower solution, no false positives)
$bitlocker$3$16$9d0ef79ddd7378938d2e192b0f86c8d3$1048576$12$a0348897f591d70106000000$60$de3a14e281933427b5d31f2a1480a08c3fa72b249f2305b64dc707f0989d404a9dc05aca6e171eb675584dd0ef24236b88df130c0987f38f1197e056
hashcat:
hashcat.exe -m 22100 -a 0 $bitlocker$1$16$6c1fbe8314e64b4042110147cb1632d2$1048576$12$a0348897f591d70103000000$60$fb026c1039aec7a85c77964d9cf2b63f6261579f431dfdb675322ab91e44acab870c75a64b5722be3500b35bcee969dc59e31ffdf88c1cb3a07776fa wordlist.dic
hashcat (v6.2.2) starting...
…………
$bitlocker$1$16$6c1fbe8314e64b4042110147cb1632d2$1048576$12$a0348897f591d70103000000$60$fb026c1039aec7a85c77964d9cf2b63f6261579f431dfdb675322ab91e44acab870c75a64b5722be3500b35bcee969dc59e31ffdf88c1cb3a07776fa:abcd1234
This gives the BitLocker password abcd1234.
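The $bitlocker$ lines above carry everything hashcat works on, so it is worth being able to read them rather than treating them as opaque strings. The Python below is an added example, not code from the original writeup nor from bitlocker2john or hashcat. It splits the format into hash type, salt, iteration count, AES-CCM nonce and the 60-byte encrypted-VMK blob, checks that every declared length matches its hex payload, decodes the FILETIME that BitLocker stores in the first eight bytes of the nonce (so the key protector's creation time falls straight out of the hash, a useful timeline artifact in forensics), confirms that the fast and MAC-verified lines describe the same protector, and splits hashcat's hash:password result line. The nonce layout (8-byte FILETIME followed by a 32-bit counter) and the meaning of the type numbers come from the documented BitLocker FVE metadata format and the bitlocker2john output labels, not from this page, so treat those two points as assumptions the code makes.

```python
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Tuple

# Hash lines as printed by bitlocker2john for the challenge image (copied from
# the writeup above) and the cracked line hashcat printed for the type-1 hash.
USER_FAST = "$bitlocker$0$16$6c1fbe8314e64b4042110147cb1632d2$1048576$12$a0348897f591d70103000000$60$fb026c1039aec7a85c77964d9cf2b63f6261579f431dfdb675322ab91e44acab870c75a64b5722be3500b35bcee969dc59e31ffdf88c1cb3a07776fa"
USER_MAC = "$bitlocker$1$16$6c1fbe8314e64b4042110147cb1632d2$1048576$12$a0348897f591d70103000000$60$fb026c1039aec7a85c77964d9cf2b63f6261579f431dfdb675322ab91e44acab870c75a64b5722be3500b35bcee969dc59e31ffdf88c1cb3a07776fa"
RECOVERY_FAST = "$bitlocker$2$16$9d0ef79ddd7378938d2e192b0f86c8d3$1048576$12$a0348897f591d70106000000$60$de3a14e281933427b5d31f2a1480a08c3fa72b249f2305b64dc707f0989d404a9dc05aca6e171eb675584dd0ef24236b88df130c0987f38f1197e056"
HASHCAT_CRACKED = USER_MAC + ":abcd1234"

# Type numbers as labelled in bitlocker2john's own output.
HASH_TYPES = {
    0: "user password, fast attack (MAC not checked)",
    1: "user password, MAC verified",
    2: "recovery password, fast attack (MAC not checked)",
    3: "recovery password, MAC verified",
}

# Windows FILETIME counts 100 ns ticks from this epoch.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


@dataclass
class BitLockerHash:
    type_id: int
    salt: bytes        # 16-byte stretch salt from the VMK key-protector entry
    iterations: int    # SHA-256 stretch rounds; 1048576 (0x100000) is the default
    nonce: bytes       # 12-byte AES-CCM nonce: FILETIME (8 bytes) + 32-bit counter (assumed layout)
    vmk_blob: bytes    # the 60 bytes after the nonce: CCM tag plus encrypted VMK

    @property
    def description(self) -> str:
        return HASH_TYPES[self.type_id]

    @property
    def protector_time(self) -> datetime:
        """Creation time of the key protector, decoded from the FILETIME in the nonce."""
        (filetime,) = struct.unpack("<Q", self.nonce[:8])
        return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

    @property
    def nonce_counter(self) -> int:
        (counter,) = struct.unpack("<I", self.nonce[8:12])
        return counter


def parse_bitlocker_hash(line: str) -> BitLockerHash:
    """Split a $bitlocker$ line into its fields and verify every declared length."""
    fields = line.strip().split("$")
    # "$bitlocker$T$16$salt$iter$12$nonce$60$blob" splits into 10 pieces; the
    # first is the empty string that precedes the leading "$".
    if len(fields) != 10 or fields[0] != "" or fields[1] != "bitlocker":
        raise ValueError("not a bitlocker2john hash line")
    type_id = int(fields[2])
    if type_id not in HASH_TYPES:
        raise ValueError(f"unknown bitlocker hash type {type_id}")
    salt = bytes.fromhex(fields[4])
    nonce = bytes.fromhex(fields[7])
    blob = bytes.fromhex(fields[9])
    declared = (int(fields[3]), int(fields[6]), int(fields[8]))
    if declared != (len(salt), len(nonce), len(blob)):
        raise ValueError("declared lengths do not match the hex payloads")
    if len(nonce) != 12:
        raise ValueError("AES-CCM nonce must be 12 bytes")
    return BitLockerHash(type_id, salt, int(fields[5]), nonce, blob)


def parse_hashcat_result(line: str) -> Tuple[BitLockerHash, str]:
    """Split hashcat's 'hash:password' output; the hash itself never contains ':'."""
    hash_part, password = line.rsplit(":", 1)
    return parse_bitlocker_hash(hash_part), password


def same_key_material(a: BitLockerHash, b: BitLockerHash) -> bool:
    """True when two lines describe the same protector (fast vs MAC-verified variant)."""
    return (a.salt, a.nonce, a.vmk_blob) == (b.salt, b.nonce, b.vmk_blob)


if __name__ == "__main__":
    for raw in (USER_FAST, USER_MAC, RECOVERY_FAST):
        h = parse_bitlocker_hash(raw)
        print(f"type {h.type_id}: {h.description}; {h.iterations} rounds; "
              f"protector created {h.protector_time:%Y-%m-%d %H:%M:%S} UTC, "
              f"nonce counter {h.nonce_counter}")
    cracked, pw = parse_hashcat_result(HASHCAT_CRACKED)
    print(f"hashcat recovered {pw!r} for: {cracked.description}")
```

Running it on the challenge hashes shows the user-password and recovery-password protectors were created in the same second (same FILETIME, counters 3 and 6), which is the expected picture for a volume set up in one go; on a real case that timestamp is worth cross-checking against the event log. The type-0 and type-1 lines differ only in the type digit, so cracking the fast variant and confirming with the MAC-verified one costs no extra extraction.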
After decrypting, nothing obvious turns up; a full-disk search for "flag" produces a hint.
Poking around, the Recycle Bin contains something: an archive. Its $R file can be recovered directly:
$RECYCLE.BIN\S-1-5-21-383221445-1139645558-3682731431-1001$R64CIW9
After extracting it, the name, together with port 3389, suggests the Windows Remote Desktop bitmap cache (bmc) format; a tool from GitHub was used to split it apart.
Only after reading the writeup did I realize how abstract this was: cmRwY2FjaGUtYm1j
Base64-decoding that gives the flag: SangFor{rdpcache-bmc}
Reference: https://mp.weixin.qq.com/s/1V5BEsfdZNRKwWP1mCs8wQ