2022 巅峰极客 (Peak Geek)
Misc
easy_Forensic
These files were found under Desktop. Extract all of them except hint.txt.
0x7d80a7d0 \Users\Admin\Desktop\gift.jpg 216
0x7d84af20 \Users\Admin\Desktop\hint.txt 216
0x7d84e350 \Users\Admin\Desktop\secret.zip 216
0x7dae0420 \Users\Admin\Desktop\wechat.txt 216
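Opening gift.jpg, it is obvious that part of the image height has been hidden. After fixing the height with 010 Editor, the image shows a password, but the spaces need to be replaced with _.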
Nothing_is_more_important_than_your_life!
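What the 010 Editor height fix above does at the byte level, as an added Python example that is not part of the original writeup: it walks the JPEG segments to the SOFn frame header and rewrites its 2-byte big-endian height. The function names and the sample bytes are constructed for illustration; the real gift.jpg and its correct height are not reproduced here.

```python
import struct

# SOFn markers that carry frame dimensions (0xC4 DHT, 0xC8 JPG, 0xCC DAC are not SOF)
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7,
               0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}

def find_sof(data: bytes):
    """Return (offset of the height field, height, width) of the first SOFn segment."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos:#x}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte before the real marker
            pos += 1
            continue
        if marker in (0xD9, 0xDA):    # EOI / SOS: no frame header before scan data
            break
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker in SOF_MARKERS:
            # segment body: precision(1) height(2) width(2) components...
            height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
            return pos + 5, height, width
        pos += 2 + seg_len            # marker (2) + length field and payload
    raise ValueError("no SOF segment found")

def set_height(data: bytes, new_height: int) -> bytes:
    """Return a copy of the JPEG with the declared height replaced."""
    off, _, _ = find_sof(data)
    return data[:off] + struct.pack(">H", new_height) + data[off + 2:]

# Constructed sample: SOI + APP0 + SOF0 declaring height 300, width 400 + EOI
SAMPLE = (b"\xff\xd8"
          + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
          + b"\xff\xc0\x00\x0b\x08" + struct.pack(">HH", 300, 400)
          + b"\x01\x01\x11\x00" + b"\xff\xd9")

if __name__ == "__main__":
    off, h, w = find_sof(SAMPLE)
    print(f"height field at {off:#x}: height={h} width={w}")
    print(find_sof(set_height(SAMPLE, 600)))
```

If the declared height is smaller than the scan data actually encodes, raising it makes viewers render the rows that were cut off.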
Unzip secret.zip:
A gift for You: wHeMscYvTluyRvjf5d7AEX5K4VlZeU2IiGpKLFzek1Q=
After base64 decoding, the value has a length of 32, which matches the 32-byte AES key, and the ciphertext is the dumped wechat.txt.

# WeChat traffic forensics: https://blog.7herightp4th.top/index.php/archives/22/
from Crypto.Cipher import AES
import hashlib, hmac, ctypes

SQLITE_FILE_HEADER = bytes("SQLite format 3", encoding='ASCII') + bytes(1)  # file header
IV_SIZE = 16
HMAC_SHA1_SIZE = 20
KEY_SIZE = 32
DEFAULT_PAGESIZE = 4096  # 4048 data + 16 IV + 20 HMAC + 12
DEFAULT_ITER = 64000

# yourkey
password = bytes.fromhex("c0778cb1c62f4e5bb246f8dfe5dec0117e4ae15959794d88886a4a2c5cde9354".replace(' ', ''))

with open(r'wechat', 'rb') as f:
    blist = f.read()
print(len(blist))

salt = blist[:16]  # WeChat replaces the file header with the salt
key = hashlib.pbkdf2_hmac('sha1', password, salt, DEFAULT_ITER, KEY_SIZE)  # derive the key
first = blist[16:DEFAULT_PAGESIZE]  # drop the salt

# import struct
mac_salt = bytes([x ^ 0x3a for x in salt])
mac_key = hashlib.pbkdf2_hmac('sha1', key, mac_salt, 2, KEY_SIZE)
hash_mac = hmac.new(mac_key, digestmod='sha1')  # check the password against the first page's HMAC
hash_mac.update(first[:-32])
hash_mac.update(bytes(ctypes.c_int(1)))
# hash_mac.update(struct.pack('=I',1))
if hash_mac.digest() == first[-32:-12]:
    print('Correct Password')
else:
    raise RuntimeError('Wrong Password')

# Split the remaining data into pages
blist = [blist[i:i + DEFAULT_PAGESIZE] for i in range(DEFAULT_PAGESIZE, len(blist), DEFAULT_PAGESIZE)]

with open(r'flag.db', 'wb') as f:
    f.write(SQLITE_FILE_HEADER)  # write the file header
    # First page: the IV is the 16 bytes before the last 32 bytes of the page
    t = AES.new(key, AES.MODE_CBC, first[-48:-32])
    f.write(t.decrypt(first[:-48]))
    f.write(first[-48:])
    # Remaining pages: each is decrypted with its own IV
    for i in blist:
        t = AES.new(key, AES.MODE_CBC, i[-48:-32])
        f.write(t.decrypt(i[:-48]))
        f.write(i[-48:])

Searching in Session inside flag.db finds the flag: flag{The_Is_Y0ur_prize}
Reference link: https://mp.weixin.qq.com/s/9Fl8HptnRfhyoVa7Y4m5FA
powerpower
Open the registry with Registry Workshop.
Encryption: Software/Microsoft/ctf
Ciphertext: Software/Microsoft/dfs
The value in ctf is:
JFNlY3JldCA9ICd4eHh4eHh4eHh4eHh4eHgnCiRQYXNzcGhyYXNlID0gKEdldC1JdGVtUHJvcGVydHkgLVBhdGggYWFhYTpcU09GVFdBUkVcTWljcm9zb2Z0XEJpZEludGVyZmFjZSkKCiRrZXkgPSBbQnl0ZVtdXSgkUGFzc3BocmFzZS5QYWRSaWdodCgyNCkuU3Vic3RyaW5nKDAsMjQpLlRvQ2hhckFycmF5KCkpCgokU2VjcmV0IHwKICBDb252ZXJ0VG8tU2VjdXJlU3RyaW5nIC1Bc1BsYWluVGV4dCAtRm9yY2UgfCAKICBDb252ZXJ0RnJvbS1TZWN1cmVTdHJpbmcgLUtleSAka2V5IHwgCgo=
Decoded:
$Secret = 'xxxxxxxxxxxxxxx'
$Passphrase = (Get-ItemProperty -Path aaaa:\SOFTWARE\Microsoft\BidInterface)
$key = [Byte[]]($Passphrase.PadRight(24).Substring(0,24).ToCharArray())
$Secret |
ConvertTo-SecureString -AsPlainText -Force |
ConvertFrom-SecureString -Key $key |
The script reads SOFTWARE\Microsoft\BidInterface:
F844A6035CF27CC4C90DFEAF579398BE6F7D5ED10270BD12A661DAD04191347559B82ED546015B07317000D8909939A4DA7953AED8B83C0FEE4EB6E120372F536BC5DC39
The ciphertext in dfs is:
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
Decryption script:
$msg = "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"
$Passphrase = "F844A6035CF27CC4C90DFEAF579398BE6F7D5ED10270BD12A661DAD04191347559B82ED546015B07317000D8909939A4DA7953AED8B83C0FEE4EB6E120372F536BC5DC39"
$key = [Byte[]]'F844A6035CF27CC4C90DFEAF'.ToCharArray()
$SecureString = $msg | ConvertTo-SecureString -Key $key
ConvertFrom-SecureString -SecureString $SecureString -AsPlainText
# flag{Y0u_Are_thE_Master_0f_powershell}
Lost
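A binary comparison of the files shows that 2 bytes differ. Extract them, take the differences between consecutive values, and convert the results to ASCII.

import struct

lst = []
for i in range(1, 31):
    with open(f'flag{i}.zip', 'rb') as fh:
        file = fh.read()
    b = file[0x46:0x48]                 # the 2 bytes that differ between files
    time = struct.unpack('>H', b)[0]    # read them as a big-endian 16-bit value
    lst.append(time)

# The difference between consecutive values is one ASCII character
for a, b in zip(lst, lst[1:]):
    print(chr(abs(a - b)), end='')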
# flag{Time_Is_SO-iMP0RTANT!!!}