MISC1
Save index-demo.html, inspect the source, and find a long run of base64 hidden in it
Decode it as base64 steganography to recover:
key:"lorrie"
Recovering a key suggests there is another layer of steganography, in this case snow steganography. The web version of snow produced only garbled characters, so I used the local SNOW.EXE instead
SNOW.EXE -p lorrie index-demo.html
flag{→_→←_←←_←←_←←_← →_→→_→←_←←_←←_← →_→←_←←_←←_← ←_←←_←←_←→_→→_→ ←_←←_←←_←→_→→_→ ←_← ←_←←_←←_←→_→→_→ →_→→_→→_→→_→←_← →_→←_←←_←←_← ←_←←_←←_←←_←←_← ←_←→_→→_→→_→→_→ →_→→_→→_→→_→→_→ ←_←←_←←_←←_←←_← ←_←←_←→_→←_← →_→←_←←_ ←←_← ←_←←_←←_←←_←→_→ ←_←→_→ ←_←←_←→_→→_→→_→ →_→→_→→_→→_→←_← ←_←←_←←_←←_ ←←_← ←_←←_←←_←→_→→_→ ←_←→_→ →_→→_→→_→→_→→_→ →_→←_←→_→←_← ←_← →_→→_→←_←←_←←_← →_→→_→→_→→_→←_← →_→←_←→_→←_← ←_←←_←←_←→_→→_→ ←_←←_←←_←→_→→_→ →_→→_ →←_←←_←←_← →_→→_→→_→←_←←_←}
Replace →_→ and →_ → with -, replace ←_← and ←_ ← with ., then decode the result as Morse code to get
67b33e39b5105fb4a2953a0ce79c3378
MISC2 -passwd
Memory forensics
volatility2.6.exe -f WIN-BU6IJ7FI9RU-20190927-152050.raw imageinfo
Win7SP1x86_23418, Win7SP0x86, Win7SP1x86
volatility2.6.exe -f WIN-BU6IJ7FI9RU-20190927-152050.raw --profile=Win7SP1x86_23418 hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CTF:1000:aad3b435b51404eeaad3b435b51404ee:0a640404b5c386ab12092587fe19cd02:::
db25f2fc14cd2d2b1e7af307241f548fb03c312a
MISC3-Between the real and the virtual
binwalk extracts a plaintext file and an encrypted archive
Repair the encrypted archive
Use AZPR 4.0 for a known-plaintext attack
123% asd! O
Unzip it to get:
Just 5, jump over
ffd5e341le25b2dcab15cbb} gc3bc5b {789b51
Rail fence cipher decryption:
https://www.qqxiuzi.cn/bianma/zhalanmima.php
flag{febc7d2138555b9ebccb32b554dbb11c}
MISC4 Hidden Secrets
volatility2.6.exe -f hidden secret.vmem imageinfo
//Win2003SP0x86, Win2003SP1x86, Win2003SP2x86
volatility2.6.exe -f hidden secrets.vmem --profile=Win2003SP0x86 filescan
filescan fails under Windows, and switching to Kali does not help either, so change the profile to Win2003SP1x86
volatility -f 1.vmem --profile=Win2003SP1x86 filescan
volatility -f 1.vmem --profile=Win2003SP1x86 dumpfiles -Q 0x000000000412cde0 --dump-dir=.
View the file to get:
What? Has the computer been logged in to by an unknown account again? There is obviously no such user in Computer Management, so why is this user logged in? Can you help me find the reason? The flag is the md5 value of the user name and password of that user
Format: md5(username:password)
hashdump shows multiple accounts
Export the registry
volatility -f 1.vmem --profile=Win2003SP1x86 dumpregistry --dump-dir=.
Open registry.0xe1757860.SAM.reg with a registry analysis tool to analyze users.
As you can see, Administrator has login records and the other accounts have none. Checking the accounts one by one shows that the record of account FHREhpe$ is the same as Administrator's
FHREhpe$
volatility -f 1.vmem --profile=Win2003SP1x86 hashdump |grep FHREhpe
FHREhpe$:1171:70fdb8f853bd427d7584248b8d2c9f9e:f3cf477fc3ea6ec0b3b5887616dd4506:::
Compute the md5 as the challenge asks
FHREhpe$:NIAIWOMA
8cf1d5b00c27cb8284bce9ccecb09fb7
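Added example (not part of the original write-up): a small Python triage of hashdump output like the MISC2 and MISC4 listings above. It flags the blank-password NT hash, a stored LM hash, and a local account name ending in $, which is how the hidden account in MISC4 is named. The function names are hypothetical and the sample is constructed by combining the hashdump lines from both challenges.

```python
import re

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty password / LM not stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password
HEX32 = re.compile(r"[0-9a-fA-F]{32}")

# Constructed sample: hashdump lines from MISC2 (Win7) and MISC4 (Win2003) combined.
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CTF:1000:aad3b435b51404eeaad3b435b51404ee:0a640404b5c386ab12092587fe19cd02:::
FHREhpe$:1171:70fdb8f853bd427d7584248b8d2c9f9e:f3cf477fc3ea6ec0b3b5887616dd4506:::
"""

def parse_hashdump(text):
    """Parse user:rid:lm:nt::: lines; malformed lines are skipped."""
    accounts = []
    for raw in text.splitlines():
        # Strip each field so lines with stray spaces around ':' still parse.
        parts = [p.strip() for p in raw.split(":")]
        if len(parts) < 4:
            continue
        user, rid, lm, nt = parts[:4]
        if user and rid.isdigit() and HEX32.fullmatch(lm) and HEX32.fullmatch(nt):
            accounts.append({"user": user, "rid": int(rid),
                             "lm": lm.lower(), "nt": nt.lower()})
    return accounts

def triage(accounts):
    """Return {user: [findings]} for accounts that deserve a closer look."""
    findings = {}
    for acct in accounts:
        notes = []
        if acct["nt"] == EMPTY_NT:
            notes.append("blank password")
        if acct["lm"] != EMPTY_LM:
            notes.append("LM hash stored")
        if acct["user"].endswith("$"):
            notes.append("trailing $ in local account name")
        if notes:
            findings[acct["user"]] = notes
    return findings

if __name__ == "__main__":
    for user, notes in triage(parse_hashdump(SAMPLE)).items():
        print(f"{user}: {', '.join(notes)}")
```

These flags are heuristics that prioritise accounts for the registry comparison described above; they do not by themselves prove an account was cloned.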