第八届西湖论剑 DS-easyrawencode

easyrawencode

解压后是一个raw，vol启动

虚拟机性能太差了，我直接本机win跑vol

.\volatility_2.6.exe -f "C:\Users\Eth\Desktop\match\西湖\easyrawencode.raw" imageinfo

.\volatility_2.6.exe -f "C:\Users\Eth\Desktop\match\西湖\easyrawencode.raw" --profile=Win7SP1x64 pstree

发现软件很多，不细看了，直接看cmdlind、cmdscan这些东西

.\volatility_2.6.exe -f "C:\Users\Eth\Desktop\match\西湖\easyrawencode.raw" --profile=Win7SP1x64 cmdline

可以发现有些有意思的，在rsa文件夹下有怪东西

filescan查找一下

.\volatility_2.6.exe -f "C:\Users\Eth\Desktop\match\西湖\easyrawencode.raw" --profile=Win7SP1x64 filescan | findstr rsa

直接导出

.\volatility_2.6.exe -f "C:\Users\Eth\Desktop\match\西湖\easyrawencode.raw" --profile=Win7SP1x64 dumpfiles -Q 0x00000000061f5630 -D .

.\volatility_2.6.exe -f "C:\Users\Eth\Desktop\match\西湖\easyrawencode.raw" --profile=Win7SP1x64 dumpfiles -Q 0x000000003dfdf070 -D .

.\volatility_2.6.exe -f "C:\Users\Eth\Desktop\match\西湖\easyrawencode.raw" --profile=Win7SP1x64 dumpfiles -Q 0x000000003fd5bf20 -D .

后续自己ren重命名为原来的名字

看private.pem，是个私钥，下一个。zip文件解压出来是二进制文件，不看

hack.py

import os
import hashlib
from Crypto.Cipher import AES, PKCS1_OAEP
from Crypto.PublicKey import RSA

hackkey = os.getenv('hackkey')
if not hackkey:
    raise ValueError("Environment variable 'hackkey' is not set")

with open('private.pem', 'r') as f:
    private_key = RSA.import_key(f.read())
public_key = private_key.publickey().export_key()

aes_key = hashlib.sha256(hackkey.encode()).digest()

with open('data.csv', 'rb') as f:
    data = f.read()

cipher_aes = AES.new(aes_key, AES.MODE_EAX)
ciphertext, tag = cipher_aes.encrypt_and_digest(data)
cipher_rsa = PKCS1_OAEP.new(RSA.import_key(public_key))
enc_aes_key = cipher_rsa.encrypt(aes_key)

with open('encrypted_data.bin', 'wb') as f:
    f.write(ciphertext)
    
print(enc_aes_key.hex())
print(cipher_aes.nonce.hex())
print(tag.hex())

是一个rsa嵌套aes的加密，其中的hackkey是读取系统环境变量。

.\volatility_2.6.exe -f "C:\Users\Eth\Desktop\match\西湖\easyrawencode.raw" --profile=Win7SP1x64 envars | findstr hackkey

gpt启动

import os
import hashlib
from Crypto.Cipher import AES, PKCS1_OAEP
from Crypto.PublicKey import RSA

# 假设这些变量由用户自行填入
hackkey = '4etz0hHbU3TgKqduFL'  # 环境变量中的 hackkey
if not hackkey:
    raise ValueError("Environment variable 'hackkey' is not set")

# 加载私钥
with open('private.pem', 'r') as f:
    private_key = RSA.import_key(f.read())

# 填入从加密过程中获得的值
enc_aes_key_hex = ""  # RSA 加密后的 AES 密钥 (hex 格式)
nonce_hex = ""        # AES 加密时使用的 nonce (hex 格式)
tag_hex = ""          # AES 加密时生成的 tag (hex 格式)

# 将 hex 字符串转换为字节
enc_aes_key = bytes.fromhex(enc_aes_key_hex)
nonce = bytes.fromhex(nonce_hex)
tag = bytes.fromhex(tag_hex)

# 使用私钥解密 AES 密钥
cipher_rsa = PKCS1_OAEP.new(private_key)
aes_key = cipher_rsa.decrypt(enc_aes_key)

# 使用解密出的 AES 密钥解密数据
with open('encrypted_data.bin', 'rb') as f:
    ciphertext = f.read()

cipher_aes = AES.new(aes_key, AES.MODE_EAX, nonce=nonce)
decrypted_data = cipher_aes.decrypt_and_verify(ciphertext, tag)

# 将解密后的数据保存到文件或打印
with open('decrypted_data.csv', 'wb') as f:
    f.write(decrypted_data)

print("Data has been successfully decrypted and saved to 'decrypted_data.csv'")

缺了三个变量，如果这个hack.py被人运行过，那肯定是会输出这三变量的，cmdscan看看历史记录，可以发现确实有

.\volatility_2.6.exe -f "C:\Users\Eth\Desktop\match\西湖\easyrawencode.raw" --profile=Win7SP1x64 cmdscan

那就consoles打印完整的命令

.\volatility_2.6.exe -f "C:\Users\Eth\Desktop\match\西湖\easyrawencode.raw" --profile=Win7SP1x64 consoles

20d96098010eb9b326be6c46e1ce1ca679e29f1d65dec055cf8c46c6436c3356af2dc312b2d35466308b9fff0dd427b44a37e34fca12992e45db2ddd81884bd8eb5bccd3c595e8a9a352bd61322e1d52329d6c8638bbfce65edffbc4d3a5759e88c0f90e31ce518837552a3a09d8e7e3c374f3857bfe501cce2066fb233ff1f5faac18d73c3b665a54e8c55574f16bf4678c5ce835d2a14a65f8c1cec012435a8c06314cbe727a3a9b6060dfd6cdb850073423841178f6f409bb7ce8d4863c6f58855954d34af3d2964c488c9057c8c5072a54e43f1f8039d32409eb1ff3abca41c0b302788c4c56c1a4be4506ff5b8aff0242e21c0ee7ffee2da20ed9434334

d919c229aab6535efa09a52c589c8f47

5b204675b1b173c32c04b0b8a100ee29

填进去解密脚本即可得到csv文件

后面的东西就和取证没什么关系了

excel直接打开csv会乱码，如下打开

然后后面就是官wp内容了

经过测试得知是RC4加密

import pandas as pd
from Crypto.Cipher import ARC4
import base64

def decrypt_rc4(ciphertext, key):
    cipher = ARC4.new(key.encode())
    decrypted_data = cipher.decrypt(base64.b64decode(ciphertext))
    return decrypted_data.decode('utf-8')

df = pd.read_csv('data.csv')
df['个性签名(解密版)'] = df.apply(lambda row: decrypt_rc4(row['个性签名(加密版)'], row['密码']), axis=1)
df.to_csv('data_decode.csv', index=False)

搜索得到其中序号为 1329 的个性签名解密后存在 flag

所以 flag 是 DASCTF{fc450e2a9062a39049d501cb5ce287d0}