2022 巅峰极客 Preliminary Round Misc Writeup

At first I had no idea how to approach misc1, so I switched to misc2, which promptly wrecked my computer. Terrifying stuff; I'll have a mental block about the registry from now on. Luckily my teammates carried and we coasted into the finals. The writeups here were all reproduced this morning after I fixed my computer...

easy_Forensic

After getting the image, I first ran it through Volatility and found quite a few goodies on the desktop, so I loaded the image into 取证大师 (Forensics Master) and extracted all of them.

In gift.jpg, the bottom-left corner clearly looks like something is being covered up, so I adjusted the width/height and, combined with the hint, got the password

Nothing_is_more_important_than_your_life!
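The "adjust the width/height" step works because a JPEG decoder only renders as many rows as the SOF (Start Of Frame) header declares; scan data for rows beyond that height stays in the file but is never drawn. Below is an added example, not code from the original writeup, that walks the JPEG marker segments, reads the declared dimensions and rewrites the height field in place. The sample image bytes (`build_sample_jpeg`) are constructed here purely to exercise the parser; on a real file you would pass the file's bytes to `set_height` and write the result out.

```python
import struct

# All "Start Of Frame" marker codes (C4 = DHT, C8 = JPG, CC = DAC are not frames).
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7,
               0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}


def _segments(data: bytes):
    """Yield (marker, offset of the 2-byte length field) for each header segment up to SOS."""
    if data[:2] != b'\xff\xd8':
        raise ValueError('not a JPEG: missing SOI marker')
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f'expected a marker at offset {pos}')
        marker = data[pos + 1]
        if marker == 0xFF:                       # fill byte, keep scanning
            pos += 1
            continue
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                             # standalone markers carry no length
            continue
        length = struct.unpack('>H', data[pos + 2:pos + 4])[0]
        yield marker, pos + 2
        if marker == 0xDA:                       # SOS: entropy-coded scan follows, stop here
            return
        pos += 2 + length


def get_dimensions(data: bytes):
    """Return (width, height) as declared in the SOF segment."""
    for marker, lpos in _segments(data):
        if marker in SOF_MARKERS:
            # SOF layout: length(2) precision(1) height(2) width(2) components(1) ...
            height, width = struct.unpack('>HH', data[lpos + 3:lpos + 7])
            return width, height
    raise ValueError('no SOF segment found')


def set_height(data: bytes, new_height: int) -> bytes:
    """Return a copy of the JPEG with the SOF height replaced; nothing else changes."""
    for marker, lpos in _segments(data):
        if marker in SOF_MARKERS:
            return data[:lpos + 3] + struct.pack('>H', new_height) + data[lpos + 5:]
    raise ValueError('no SOF segment found')


def build_sample_jpeg(width: int, height: int) -> bytes:
    """Constructed stand-in header (SOI, APP0, SOF0, SOS, stub scan, EOI) for testing."""
    def seg(marker: int, body: bytes) -> bytes:
        return b'\xff' + bytes([marker]) + struct.pack('>H', len(body) + 2) + body
    app0 = b'JFIF\x00' + b'\x01\x01' + b'\x00' + b'\x00\x01\x00\x01' + b'\x00\x00'
    sof0 = (b'\x08' + struct.pack('>HH', height, width) + b'\x03'
            + b'\x01\x22\x00' + b'\x02\x11\x01' + b'\x03\x11\x01')
    sos = b'\x03' + b'\x01\x00' + b'\x02\x11' + b'\x03\x11' + b'\x00\x3f\x00'
    return b'\xff\xd8' + seg(0xE0, app0) + seg(0xC0, sof0) + seg(0xDA, sos) + bytes(8) + b'\xff\xd9'


if __name__ == '__main__':
    import sys
    # usage: python jpeg_height.py in.jpg out.jpg 1200   (assumed file names)
    src, dst, h = sys.argv[1], sys.argv[2], int(sys.argv[3])
    with open(src, 'rb') as f:
        raw = f.read()
    print('declared size:', get_dimensions(raw))
    with open(dst, 'wb') as f:
        f.write(set_height(raw, h))
```

Raising the height is safe to try blindly: if there is no extra scan data the viewer just fills the new rows with grey or reports a truncated image, and because only two bytes change the file can always be restored.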

Unzipping the archive gives 'gift': wHeMscYvTluyRvjf5d7AEX5K4VlZeU2IiGpKLFzek1Q=

I also noticed a wechat.txt in memory; after extracting and analysing it, it looked like an encrypted WeChat database. Its key is 32 bytes long, and the ciphertext above also base64-decodes to 32 bytes, so I used a script to decrypt the WeChat database successfully

# -*- coding: utf-8 -*-
from Crypto.Cipher import AES
import hashlib, hmac, ctypes

SQLITE_FILE_HEADER = bytes("SQLite format 3", encoding='ASCII') + bytes(1)  # file header
IV_SIZE = 16
HMAC_SHA1_SIZE = 20
KEY_SIZE = 32
DEFAULT_PAGESIZE = 4096  # 4048 bytes data + 16 IV + 20 HMAC + 12 reserved
DEFAULT_ITER = 64000
# your key
password = bytes.fromhex("C0778CB1C62F4E5BB246F8DFE5DEC0117E4AE15959794D88886A4A2C5CDE9354".replace(' ', ''))
with open(r'1.db', 'rb') as f:
    blist = f.read()
print(len(blist))

salt = blist[:16]  # WeChat replaces the file header with the salt
key = hashlib.pbkdf2_hmac('sha1', password, salt, DEFAULT_ITER, KEY_SIZE)  # derive the key

first = blist[16:DEFAULT_PAGESIZE]  # drop the salt

# import struct
mac_salt = bytes([x ^ 0x3a for x in salt])
mac_key = hashlib.pbkdf2_hmac('sha1', key, mac_salt, 2, KEY_SIZE)

hash_mac = hmac.new(mac_key, digestmod='sha1')  # test the key against the first page's HMAC
hash_mac.update(first[:-32])
hash_mac.update(bytes(ctypes.c_int(1)))
# hash_mac.update(struct.pack('=I',1))
if hash_mac.digest() == first[-32:-12]:
    print('Correct Password')
else:
    raise RuntimeError('Wrong Password')

blist = [blist[i:i+DEFAULT_PAGESIZE] for i in range(DEFAULT_PAGESIZE, len(blist), DEFAULT_PAGESIZE)]
with open(r'path\MSG0_dec.db', 'wb') as f:
    f.write(SQLITE_FILE_HEADER)  # write the file header
    t = AES.new(key, AES.MODE_CBC, first[-48:-32])
    f.write(t.decrypt(first[:-48]))
    f.write(first[-48:])
    for i in blist:
        t = AES.new(key, AES.MODE_CBC, i[-48:-32])
        f.write(t.decrypt(i[:-48]))
        f.write(i[-48:])
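The part of that script worth understanding on its own is the key check: the first page's HMAC lets you confirm a candidate key before you decrypt anything, and the same check can be run over every page to detect truncation or tampering. The following is an added example (not code from the original post or from WeChat) that factors the page's derivation out into functions using only the standard library, with the same constants (PBKDF2-SHA1, 64000 iterations, HMAC key derived from the salt XOR 0x3a with 2 iterations, little-endian page number). The password, salt and page contents in `build_sample_db` are constructed for the test and are not the contest values; `struct.pack('<I', n)` produces the same 4 bytes as the script's `bytes(ctypes.c_int(n))` on a little-endian machine.

```python
import hashlib
import hmac
import struct

PAGE_SIZE = 4096      # 4048 data/IV bytes + 20 HMAC-SHA1 + 12 reserved per page
SALT_SIZE = 16        # the 16-byte SQLite header is overwritten with the KDF salt
KEY_SIZE = 32
KDF_ITER = 64000
MAC_ITER = 2
TRAILER = 32          # HMAC (20) + reserved (12) at the end of every page


def derive_keys(password: bytes, salt: bytes):
    """Data key from the password; HMAC key from the data key and salt XOR 0x3a."""
    key = hashlib.pbkdf2_hmac('sha1', password, salt, KDF_ITER, KEY_SIZE)
    mac_salt = bytes(b ^ 0x3a for b in salt)
    mac_key = hashlib.pbkdf2_hmac('sha1', key, mac_salt, MAC_ITER, KEY_SIZE)
    return key, mac_key


def page_mac(mac_key: bytes, ciphertext_and_iv: bytes, page_no: int) -> bytes:
    """HMAC-SHA1 over (ciphertext || IV || page number as little-endian uint32)."""
    h = hmac.new(mac_key, ciphertext_and_iv, digestmod='sha1')
    h.update(struct.pack('<I', page_no))
    return h.digest()


def verify_pages(db: bytes, password: bytes) -> list:
    """One bool per page: True when the stored HMAC matches under this password.
    A short final page (truncated file) is reported as False rather than skipped."""
    salt = db[:SALT_SIZE]
    _, mac_key = derive_keys(password, salt)
    results = []
    for page_no, start in enumerate(range(0, len(db), PAGE_SIZE), start=1):
        page = db[start:start + PAGE_SIZE]
        if page_no == 1:
            page = page[SALT_SIZE:]           # page 1 starts after the salt
        if len(page) != PAGE_SIZE - (SALT_SIZE if page_no == 1 else 0):
            results.append(False)
            continue
        stored = page[-TRAILER:-12]
        computed = page_mac(mac_key, page[:-TRAILER], page_no)
        results.append(hmac.compare_digest(stored, computed))
    return results


def check_password(db: bytes, password: bytes) -> bool:
    """Cheap test of a candidate key: only the first page's HMAC is recomputed."""
    return verify_pages(db[:PAGE_SIZE], password)[0]


SAMPLE_PASSWORD = bytes.fromhex('00' * 31 + '01')   # constructed, not the contest key


def build_sample_db(password: bytes, pages: int = 2) -> bytes:
    """Constructed multi-page file laid out like the real one: salt, then per page
    ciphertext, IV, HMAC and 12 reserved bytes. The ciphertext is filler; only the
    HMAC structure is exercised here."""
    salt = bytes(range(16))
    _, mac_key = derive_keys(password, salt)
    out = bytearray(salt)
    for page_no in range(1, pages + 1):
        data_len = PAGE_SIZE - TRAILER - (SALT_SIZE if page_no == 1 else 0)
        authed = bytes([page_no]) * (data_len - 16) + b'\x42' * 16   # filler ct + IV
        out += authed + page_mac(mac_key, authed, page_no) + bytes(12)
    return bytes(out)


if __name__ == '__main__':
    db = build_sample_db(SAMPLE_PASSWORD)
    print('pages ok:', verify_pages(db, SAMPLE_PASSWORD))
    print('wrong key accepted:', check_password(db, b'\xff' * 32))
```

Because the HMAC covers the page number, swapping two otherwise intact pages is also caught, and `compare_digest` avoids leaking the comparison position through timing, which matters little in a one-off forensic script but costs nothing.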

Decryption succeeded. Open the database with Navicat (be sure to choose SQLite here); the flag is inside

flag{The_Is_Y0ur_prize}

powerpower

Ugh, my computer got wrecked and I lost a whole day to it, I can't even (

The registry keys software/Microsoft/dfs and software/Microsoft/ctf hold the encrypted ciphertext and the encryption method respectively; a quick search online turned up the matching decryption script

$Passphrase = Read-Host 'Enter the secret pass phrase'

# file holding the ciphertext string exported from the registry
$Path = "C:\Users\16334\Desktop\secret.txt"

# the passphrase padded/truncated to 24 characters is used directly as the AES key
$key = [Byte[]]($Passphrase.PadRight(24).Substring(0,24).ToCharArray())

try
{
    $decryptedTextSecureString = Get-Content -Path $Path -Raw |
        ConvertTo-SecureString -Key $key -ErrorAction Stop

    # wrap the SecureString in a PSCredential to read the plaintext back out
    $cred = New-Object -TypeName System.Management.Automation.PSCredential('dummy', $decryptedTextSecureString)
    $decryptedText = $cred.GetNetworkCredential().Password
}
catch
{
    $decryptedText = '(wrong key)'
}
"The decrypted secret text: $decryptedText"

According to the encryption script, the password is stored under SOFTWARE\Microsoft\BidInterface; grab it from there and decrypt directly

Lost

The 30 archives differ only in their creation times, so extract them all and compute the differences between consecutive timestamps. I pulled the timestamps out and converted them to decimal by hand, then ran the script

l = [1406,1304,1412,1509,1406,1283,1367,1262,1153,1052,957,884,769,864,781,702,747,852,929,1009,961,1043,959,894,816,732,699,666,633,758]
for i in range(30):
    if i != 0:
        a = l[i] - l[i-1]      # difference between neighbouring creation times
        if a < 0:
            a = -a             # only the magnitude carries the character
        print(chr(a), end='')  # each difference is one ASCII character of the flag

posted @ 2022-08-18 17:30  zysgmzb