Writeup of Flag Thief in WMCTF 2021

preface:

在两天前的WMCTF2021中我和th31nk共同解决了一个名为Flag Thief的取证挑战并且获得了该题目类型的一血

first blood

description:

2021年8月28日 01:00 UTC，著名Flag大盗L1near被缉拿归案。警方已经将其作案用的电脑制作成镜像，他们试图找到L1near藏匿在其中的Flag但都以失败告终。警方知道你是取证专业人士，现在需要你的帮助！

On August 28, 2021, at 01:00 UTC, The famous Flag thief L1near was arrested. Police have made a mirror image of the computer he used to commit the crime, and they have tried unsuccessfully to find the Flag that L1near was hiding inside. The police know you're a forensics professional, now they need your help!

Attachment: Baidu Drive(Code:m8yx) Or Google Drive

the 7z's passowrd is ec19b53ce10adc41be119713ffe34760

Flag Thief hint1：经过警方长达一天的审讯，L1near交代他曾经对受害人的电脑远程操控过

通过 hint 注意到远程连接的bmc位图缓存，路径如下：

bmc位图缓存地址路径

利用bmc-tools恢复缓存的 bmc 位图，通过大概浏览可以得到其中存在记事本的界面，里面包含着 veracrypt 的字样，那么将其拼接得到：

VeraCrypt

5eCuri7yPaSsW0rd@__WMCTF

Oh no! U found it!

那么就需要找到能让我们解密的 veracrypt 容器，这里通过取证大师的加密文件分类定位到一个可疑的文件：

将其利用之前得到的秘钥挂载得到nox-disk2.vmdk，通过名称可以得知是夜神模拟器的数据盘，将其挂载在模拟器中即可打开，发现存在锁屏密码：

这里通过删除vmdk中的 gatekeeper.pattern.key gatekeeper.password.key 以及 device_policies.xml 文件可以绕过锁屏直接进入，查看通讯录发现：

可恶还是需要锁屏密码,非预期方法被防了 :sob: :sob:

那么我们再来看锁屏密码，这里参考中科实数杯的考点：
https://mp.weixin.qq.com/s?__biz=MzAxODA3NDc3NA==&mid=2247484582&idx=1&sn=716471f5440de7305ae1a8075e5c7bf9

X-ways先提取/system/device_policies.xml以确认密码为9位：

然后提取 gatekeeper.pattern.key ，计算哈希并爆破密码，那么我们首先生成字典（9位不重复数字）：

# python3
file1 = open('password.txt', 'a')
for a in "123456789":
    for b in "123456789":
        for c in "123456789":
            for d in "123456789":
                for e in "123456789":
                    for f in "123456789":
                        for g in "123456789":
                            for h in "123456789":
                                for i in "123456789":
                                    if a != b and a != c and a != d and a != e and a != f and a != g and a != h and a != i \
                                            and b != c and b != d and b != e and b != f and b != g and b != h and b != i \
                                            and c != d and c != e and c != f and c != g and c != h and c != i\
                                            and d != e and d != f and d != g and d != h and d != i\
                                            and e != f and e != g and e != h and e != i\
                                            and f != g and f != h and f != i\
                                            and g != h and g != i\
                                            and h != i:
                                        password = a + b + c + d + e + f + g + h + i
                                        file1.write(password + '\n')
file1.close()

爆破脚本：

import struct
import binascii
import scrypt

N = 16384
r = 8
p = 1
f = open('gatekeeper.pattern.key', 'rb')
blob = f.read()
s = struct.Struct('<' + '17s 8s 32s')
(meta, salt, signature) = s.unpack_from(blob)
f1 = open('password.txt', 'rb')
lines = f1.readlines()
for i in range(len(lines)):
    password = lines[i][:-2]
    to_hash = meta
    to_hash += password
    hash = scrypt.hash(to_hash, salt, N, r, p)
    print('password: %s' % password)
    print('signature: %s' % binascii.hexlify(signature))
    print('Hash:      %s' % binascii.hexlify(hash[0:32]))
    print('Equal:     %s' % (hash[0:32] == signature))
    if hash[0:32] == signature:
        print("OK")
        exit()

得到密码：

password:  183492765
signature  fc677bebe8884278575c19a79a7f0efbab47f2e4dd73d43564adc17373fea9e7
Hash:      fc677bebe8884278575c19a79a7f0efbab47f2e4dd73d43564adc17373fea9e7
Equal:     True
OK

锁屏验证后发现可以解开

(当然上述的部分也可以使用hashcat进行爆破,速度应该比这个脚本要快上不少)

那么猜测接下来的过程是利用解得的锁屏作为密钥来解密文：