little tricks
bitlocker用hashcat解密
010editor看了下是vhdx磁盤,掛載到win發現被bitlocker加密
嘗試了一些軟件都不好使,還是用hashcat做
john the ripper下載地址
在run里找到bitlocker2john.exe
bitlocker2john.exe -i ll2.vhdx
生成了四個hash,先保存下來
User Password hash:
$bitlocker$0$16$212afe1afbb733f18b043338d85c4744$1048576$12$80ad0e8486ead60103000000$60$01c1f4b616a85eecbd9d090ba2f0cbf5642f6591ff2abdf1df84e3fc33240b714e5fd280f03b7b4fbb8fe6f58dcea572f1258671c7d42748c76097ed
Hash type: User Password with MAC verification (slower solution, no false positives)
$bitlocker$1$16$212afe1afbb733f18b043338d85c4744$1048576$12$80ad0e8486ead60103000000$60$01c1f4b616a85eecbd9d090ba2f0cbf5642f6591ff2abdf1df84e3fc33240b714e5fd280f03b7b4fbb8fe6f58dcea572f1258671c7d42748c76097ed
Hash type: Recovery Password fast attack
$bitlocker$2$16$b044a4ad4fc868f736d0baf7ef47a9ea$1048576$12$80ad0e8486ead60106000000$60$58fe021061ac9673d8925324f7a353043381445679ab17420c05c408a728775c3fde50f1333b720a876dab4cc850e29078aa257dab9f4f690be0fb81
Hash type: Recovery Password with MAC verification (slower solution, no false positives)
$bitlocker$3$16$b044a4ad4fc868f736d0baf7ef47a9ea$1048576$12$80ad0e8486ead60106000000$60$58fe021061ac9673d8925324f7a353043381445679ab17420c05c408a728775c3fde50f1333b720a876dab4cc850e29078aa257dab9f4f690be0fb81
找一下bitlocker對應哈希類型
hashcat --help
用個工具里帶的字典,感謝th31nk師傅
hashcat -m 22100 common_8k.txt
跑出結果后加--show查看
得到密碼12345678
這邊看了蓋樂希師傅的博客,說用第二種進行,我這邊嘗試了第一種hash也是可以的(還發現了jtr自帶的字典)
第三種和第四種,hashcat會識別不了
取證
用diskgenius在回收站里找到兩個pdf,打開較大的那個就可以看到
puzzle
gaps嘗試了一下,試了很多參數發現拼不出來
google了一下原圖,想到DDCTF的拼圖技巧,把給的圖片切片一下和原圖進行對比
上次DDCTF大師傅們的腳本利用一下
import cv2
from PIL import Image
import numpy as np
import os
import shutil
import threading
# 讀取目標圖片(原圖)
source = cv2.imread(r"C:\Users\LEOGG\Desktop\wallpaper.jpg")
# 拼接結果
target = Image.fromarray(np.zeros(source.shape, np.uint8))
# 圖庫目錄(切片后的1100張圖片)
dirs_path = r"C:\Users\LEOGG\Desktop\test\test"
# 差異圖片存放目錄(跑的時候生成的圖片)
dst_path = r"C:\Users\LEOGG\Desktop\dd\diff"
def match(temp_file):
# 讀取模板圖片
template = cv2.imread(temp_file)
# 獲得模板圖片的高寬尺寸
theight, twidth = template.shape[:2]
# 執行模板匹配,采用的匹配方式cv2.TM_SQDIFF_NORMED
result = cv2.matchTemplate(source, template, cv2.TM_SQDIFF_NORMED)
# 歸一化處理
cv2.normalize(result, result, 0, 1, cv2.NORM_MINMAX, -1)
# 尋找矩陣(一維數組當做向量,用Mat定義)中的最大值和最小值的匹配結果及其位置
min_val, max_val, min_loc, max_loc = cv2.minMaxLoc(result)
target.paste(Image.fromarray(template), min_loc)
return abs(min_val)
class MThread(threading.Thread):
def __init__(self, file_name):
threading.Thread.__init__(self)
self.file_name = file_name
def run(self):
real_path = os.path.join(dirs_path, k)
rect = match(real_path)
if rect > 6e-10:
print(rect)
shutil.copy(real_path, dst_path)
count = 0
dirs = os.listdir(dirs_path)
threads = []
for k in dirs:
if k.endswith('jpg'):
count += 1
print("processing on pic" + str(count))
mt = MThread(k)
mt.start()
threads.append(mt)
else:
continue
# 等待所有線程完成
for t in threads:
t.join()
target.show()
# 跑出來后的圖片
target.save(r"C:\Users\LEOGG\Desktop\dd.jpg")
flag{you_can_never_finish_the}