This time I played with hyperion. Apart from the sign-in challenge I only solved this one; another challenge was finished together with a teammate, so its writeup isn't included here (I didn't write it).

谍影重重5.0

You can see that there is a lot of encrypted SMB2 traffic.


Reference: this article.

First, extract the NTLM hash. Here I used the tool NTLMRawUnHide.


Crack the plaintext password with hashcat: babygirl233.


Compute the NT hash.


Find the session key and the ntproofstr.



Compute the random session key (random SK) with the script below.

```python
import hashlib
import hmac
import argparse
import sys

# stolen from impacket. Thank you all for your wonderful contributions to the community
try:
    from Cryptodome.Cipher import ARC4
except ImportError:
    sys.exit("Warning: You don't have any crypto installed. You need pycryptodomex\n"
             "See https://pypi.org/project/pycryptodomex/")

def generateEncryptedSessionKey(keyExchangeKey, exportedSessionKey):
    # RC4 is symmetric: the same operation that wrapped the session key on the
    # client unwraps it once we hold the KeyExchangeKey.
    cipher = ARC4.new(keyExchangeKey)
    cipher_encrypt = cipher.encrypt

    sessionKey = cipher_encrypt(exportedSessionKey)
    return sessionKey
###

parser = argparse.ArgumentParser(description="Calculate the Random Session Key based on data from a PCAP (maybe).")
parser.add_argument("-u","--user",required=True,help="User name")
parser.add_argument("-d","--domain",required=True, help="Domain name")
#parser.add_argument("-p","--password",required=True,help="Password of User")
parser.add_argument("-H","--hash",required=True,help="NTLM hash of User")
parser.add_argument("-n","--ntproofstr",required=True,help="NTProofStr. This can be found in PCAP (provide Hex Stream)")
parser.add_argument("-k","--key",required=True,help="Encrypted Session Key. This can be found in PCAP (provide Hex Stream)")
parser.add_argument("-v", "--verbose", action="store_true", help="increase output verbosity")

args = parser.parse_args()

#Upper Case User and Domain
#Note: MS-NLMP NTOWFv2 uppercases only the user name; uppercasing the domain as
#well only makes a difference if the domain in the capture contains lowercase letters.
user = str(args.user).upper().encode('utf-16le')
domain = str(args.domain).upper().encode('utf-16le')

#Create 'NTLM' Hash of password
#passw = args.password.encode('utf-16le')
#hash1 = hashlib.new('md4', passw)
#password = hash1.digest()
password = bytes.fromhex(args.hash)

#Calculate the ResponseNTKey: NTOWFv2 = HMAC_MD5(NT hash, UPPER(user) + domain)
h = hmac.new(password, digestmod=hashlib.md5)
h.update(user+domain)
respNTKey = h.digest()

#Use NTProofSTR and ResponseNTKey to calculate Key Exchange Key
#(for NTLMv2 the SessionBaseKey HMAC_MD5(ResponseKeyNT, NTProofStr) is the KeyExchangeKey)
NTproofStr = bytes.fromhex(args.ntproofstr)
h = hmac.new(respNTKey, digestmod=hashlib.md5)
h.update(NTproofStr)
KeyExchKey = h.digest()

#Calculate the Random Session Key by decrypting Encrypted Session Key with Key Exchange Key via RC4
RsessKey = generateEncryptedSessionKey(KeyExchKey, bytes.fromhex(args.key))

if args.verbose:
    print("USER WORK: " + str(args.user).upper() + str(args.domain).upper())
    print("PASS HASH: " + password.hex())
    print("RESP NT: " + respNTKey.hex())
    print("NT PROOF: " + NTproofStr.hex())
    print("KeyExKey: " + KeyExchKey.hex())
print("Random SK: " + RsessKey.hex())
```


Then find the session id, write it in big-endian byte order, import it into Wireshark, and decrypt the SMB2 traffic.


Export the files transferred over SMB2: a password-protected flag.7z, and the Remote Desktop private key file LOCAL_MACHINE_Remote_Desktop_0_DESKTOP-J0EE9MR.pfx.

Next is decrypting the RDP traffic. The pfx needs a password; after a bit of searching it is not hard to guess that the password here is mimikatz, and the RDP traffic decrypts successfully.


There may be a better way for what follows, but here I extracted it by hand.

Filter for the packets that recorded keystrokes with rdp.fastpath.scancode.keycode.


Expand the RDP section below and you can see that each stream records one keycode.


Here I extracted every keycode by hand, as follows:

```
0x1c 0x14 0x23 0x12 0x2a 0x39 0x08 0x2c 0x39 0x19 0x1e 0x1f 0x1f 0x11 0x18 0x13 0x20 0x39 0x17 0x1f 0x39 0x21 0x28 0x2a 0x1a 0x11 0x17 0x31 0x20 0x18 0x11 0x1f 0x2a 0x0c 0x19 0x1e 0x1f 0x1f 0x11 0x18 0x13 0x20 0x2a 0x1b 0x0a 0x04 0x05 0x08 0x0b 0x02 0x04 0x02 0x09 0x03 0x28 0x1d 0x1f
```

Converting them to the corresponding keys and dropping a few "performance art" keystrokes gives the following sentence:

```
the 7z password is windowspassword9347013182
```
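As an added example (not code from the original writeup), the Python below decodes the keycode list above with the PC/AT scan code set 1 table that RDP fast-path keyboard events carry, so the conversion step is reproducible instead of done by hand. `sticky_shift` is my assumption that a captured Shift press applies to the next key, since only key-down codes were listed; with it the raw text reads as an f-string wrapper around the sentence, which is what the writeup discarded as noise.

```python
# PC/AT scan code set 1 make codes for the main key block, one keyboard row
# per entry: (code of the first key, unshifted legends, shifted legends).
_ROWS = [
    (0x02, "1234567890-=", "!@#$%^&*()_+"),
    (0x10, "qwertyuiop[]", "QWERTYUIOP{}"),
    (0x1E, "asdfghjkl;'`", 'ASDFGHJKL:"~'),
    (0x2B, "\\zxcvbnm,./", "|ZXCVBNM<>?"),
]
UNSHIFTED, SHIFTED = {0x39: " "}, {0x39: " "}  # 0x39 is the space bar
for _base, _plain, _shift in _ROWS:
    for _i, (_p, _s) in enumerate(zip(_plain, _shift)):
        UNSHIFTED[_base + _i], SHIFTED[_base + _i] = _p, _s

NAMED = {0x01: "Esc", 0x0E: "Backspace", 0x0F: "Tab", 0x1C: "Enter",
         0x1D: "LCtrl", 0x2A: "LShift", 0x36: "RShift", 0x38: "LAlt",
         0x3A: "CapsLock"}
SHIFT_KEYS = {0x2A, 0x36}

def parse_keycodes(text):
    """Turn the space-separated '0x..' list copied out of Wireshark into ints."""
    return [int(tok, 16) for tok in text.split()]

def decode_scancodes(codes, sticky_shift=False):
    """One token per key-down event: a character, or '<Name>' for a named key.
    sticky_shift (assumption) applies a Shift press to the following key, since
    the filtered capture lists press events only and releases are not visible."""
    tokens, shift = [], False
    for code in codes:
        if code in NAMED:
            tokens.append("\n" if code == 0x1C else f"<{NAMED[code]}>")
            if code in SHIFT_KEYS and sticky_shift:
                shift = True
            continue
        table = SHIFTED if shift else UNSHIFTED
        tokens.append(table.get(code, f"<0x{code:02x}>"))  # unknown codes stay visible
        shift = False
    return tokens

def plain_text(codes, sticky_shift=False):
    """Keep only typed characters (and Enter as newline); drop modifier tokens."""
    return "".join(t for t in decode_scancodes(codes, sticky_shift) if len(t) == 1)

# The keycodes listed in the writeup above, in capture order.
CAPTURED_KEYCODES = parse_keycodes(
    "0x1c 0x14 0x23 0x12 0x2a 0x39 0x08 0x2c 0x39 0x19 0x1e 0x1f 0x1f 0x11 0x18 "
    "0x13 0x20 0x39 0x17 0x1f 0x39 0x21 0x28 0x2a 0x1a 0x11 0x17 0x31 0x20 0x18 "
    "0x11 0x1f 0x2a 0x0c 0x19 0x1e 0x1f 0x1f 0x11 0x18 0x13 0x20 0x2a 0x1b 0x0a "
    "0x04 0x05 0x08 0x0b 0x02 0x04 0x02 0x09 0x03 0x28 0x1d 0x1f")
```

Without `sticky_shift` the decode is `the 7z password is f'[windows-password]9347013182's` followed by a Ctrl token before the final `s` (a Ctrl+S save); the sentence quoted above is what remains once the wrapper and that save keystroke are dropped.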

So the password is babygirl2339347013182; extract the archive to get the flag:

flag{fa32a0b2-dc26-41f9-a5cc-1a48ca7b2ddd}