The attacker maliciously accessed the user’s PC and encrypted specific volumes. How to decrypt the volume?

Solution 1

Download the attachment and open it in 010 Editor: it starts with a 7z header. Extracting it yields two files, secret and memory.
According to other writeups, secret is a BitLocker volume.
First profile the memory dump with Volatility (imageinfo):

  Volatility Foundation Volatility Framework 2.6
  INFO : volatility.debug : Determining profile based on KDBG search...
  Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86
  AS Layer1 : IA32PagedMemoryPae (Kernel AS)
  AS Layer2 : FileAddressSpace (D:\Download\强网杯\MISC\CipherMan\附\CipherMan~\memory)
  PAE type : PAE
  DTB : 0x185000L
  KDBG : 0x82d72c28L
  Number of Processors : 1
  Image Type (Service Pack) : 1
  KPCR for CPU 0 : 0x82d73c00L
  KUSER_SHARED_DATA : 0xffdf0000L
  Image date and time : 2018-08-06 08:41:18 UTC+0000
  Image local date and time : 2018-08-06 17:41:18 +0900

Then look for files under Desktop (filescan output filtered on "Desktop"):

  Volatility Foundation Volatility Framework 2.6
  0x000000007ca92050 8 0 R--r-- \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-DesktopWindowManager-uDWM-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
  0x000000007ca92968 8 0 R--r-- \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-DesktopWindowManager-uDWM-Package~31bf3856ad364e35~x86~~6.1.7600.16385.cat
  0x000000007d105990 8 0 R--r-- \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Display-ChangeDesktopBackground-Disabled-Package~31bf3856ad364e35~x86~~6.1.7600.16385.cat
  0x000000007df334f0 2 0 R--rwd \Device\HarddiskVolume2\Users\RockAndRoll\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
  0x000000007df335a8 2 0 R--rwd \Device\HarddiskVolume2\Users\RockAndRoll\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
  0x000000007df33660 2 0 R--rwd \Device\HarddiskVolume2\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
  0x000000007df33910 2 0 R--rwd \Device\HarddiskVolume2\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
  0x000000007df33a80 2 0 R--rwd \Device\HarddiskVolume2\Users\RockAndRoll\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
  0x000000007df34f80 2 0 R--rwd \Device\HarddiskVolume2\Users\RockAndRoll\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
  0x000000007df36800 2 0 R--rwd \Device\HarddiskVolume2\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
  0x000000007df36e18 2 0 R--rwd \Device\HarddiskVolume2\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini
  0x000000007df3e548 2 1 R--rwd \Device\HarddiskVolume2\Users\Public\Desktop
  0x000000007df3e820 2 1 R--rwd \Device\HarddiskVolume2\Users\Public\Desktop
  0x000000007df3eab8 2 1 R--rwd \Device\HarddiskVolume2\Users\RockAndRoll\Desktop
  0x000000007df3f4a8 2 1 R--rwd \Device\HarddiskVolume2\Users\RockAndRoll\Desktop
  0x000000007e02af80 8 0 -W---- \Device\HarddiskVolume2\Users\RockAndRoll\Desktop\BitLocker ??? ??168F1291-82C1-4BF2-B634-9CCCEC63E9ED.txt
  0x000000007e61f268 2 0 R--rwd \Device\HarddiskVolume2\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini
  0x000000007e61f718 2 0 R--rwd \Device\HarddiskVolume2\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
  0x000000007e7e1310 8 0 R--rwd \Device\HarddiskVolume2\Users\RockAndRoll\Links\Desktop.lnk
  0x000000007eaf5198 8 0 R--rw- \Device\HarddiskVolume2\Users\Public\Desktop\Messenger Center.lnk
  0x000000007eaf5290 8 0 R--rw- \Device\HarddiskVolume2\Users\Public\Desktop\Media Player Center.lnk
  0x000000007eea3760 8 0 R--r-- \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Display-ChangeDesktopBackground-Disabled-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
  0x000000007eed7a68 8 0 R--rwd \Device\HarddiskVolume2\Users\Public\Desktop\desktop.ini
  0x000000007f534cd8 8 0 R--rwd \Device\HarddiskVolume2\Users\RockAndRoll\Desktop\desktop.ini

The BitLocker keyword stands out: the file object at 0x000000007e02af80, \Users\RockAndRoll\Desktop\BitLocker ??? ??168F1291-82C1-4BF2-B634-9CCCEC63E9ED.txt, is the recovery-key text file Windows saves when BitLocker is turned on (the ??? are characters of the filename that did not survive the dump).
Dump that file object (Volatility's dumpfiles plugin with -Q and that offset) and look at it:
Although the text is partly garbled (Windows writes the recovery-key file as UTF-16 text, which shows as mojibake in an ASCII view), the 48-digit BitLocker recovery password is still clearly readable.
Give that recovery password to Elcomsoft Forensic Disk Decryptor to decrypt the secret file.
Mount the decrypted volume; it contains a README.txt,
and its contents are the flag.
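The manual step above (dump the desktop text file, read the key out of the mojibake) can be automated by scanning the whole memory image for the recovery-password pattern. The script below is an added example, not code from this writeup: it searches a raw image for 48-digit passwords in both ASCII and UTF-16LE (the encoding Windows uses for the saved recovery-key file), keeps only candidates whose eight 6-digit blocks pass BitLocker's structural check (each block is a 16-bit value multiplied by 11, so shape-only false positives are dropped), and converts a valid password into the 16-byte value BitLocker hashes when deriving the key that unwraps the VMK. The embedded "memory image" and the password inside it are constructed for the demo.

```python
import re
import struct
import sys

# Constructed sample "memory image": a UTF-16LE recovery-key text (the form Windows
# saves to the desktop) surrounded by filler, plus an ASCII decoy that has the right
# shape but fails the block check. The password itself is made up for this demo.
SAMPLE_PASSWORD = "135795-720885-000011-597531-109989-345565-299002-051260"
SAMPLE_IMAGE = (
    b"\x00" * 64
    + "BitLocker Recovery Key\r\n".encode("utf-16-le")
    + SAMPLE_PASSWORD.encode("utf-16-le")
    + b"\x00" * 32
    + b"123456-123456-123456-123456-123456-123456-123456-123456"
    + b"\xff" * 16
)

# Eight groups of six digits joined by '-', once as ASCII and once as UTF-16LE
# (every character followed by a NUL byte).
ASCII_RE = re.compile(rb"(?:\d{6}-){7}\d{6}")
UTF16_RE = re.compile(rb"(?:(?:\d\x00){6}-\x00){7}(?:\d\x00){6}")


def valid_block(block: str) -> bool:
    """A recovery-password block is a 16-bit value times 11: divisible by 11
    and at most 65535 * 11 = 720885."""
    n = int(block)
    return n % 11 == 0 and n // 11 < 0x10000


def recovery_password_to_bytes(password: str) -> bytes:
    """Turn a 48-digit password into the 16 bytes BitLocker hashes when deriving
    the key that unwraps the VMK: each block divided by 11, as little-endian uint16."""
    blocks = password.split("-")
    if len(blocks) != 8 or not all(
        len(b) == 6 and b.isdigit() and valid_block(b) for b in blocks
    ):
        raise ValueError("not a well-formed BitLocker recovery password")
    return b"".join(struct.pack("<H", int(b) // 11) for b in blocks)


def scan_image(data: bytes) -> list:
    """Return (offset, encoding, password) for every candidate in `data` that
    passes the block check, sorted by offset."""
    hits = []
    for enc, pattern in (("ascii", ASCII_RE), ("utf-16-le", UTF16_RE)):
        for m in pattern.finditer(data):
            text = m.group(0).decode(enc)
            if all(valid_block(b) for b in text.split("-")):
                hits.append((m.start(), enc, text))
    return sorted(hits)


if __name__ == "__main__":
    # Usage: python bitlocker_rp_scan.py [memory_image]; defaults to the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMAGE
    for offset, enc, pw in scan_image(data):
        print(f"0x{offset:08x} {enc:9s} {pw}  seed={recovery_password_to_bytes(pw).hex()}")
```

Run it against the real memory file as `python bitlocker_rp_scan.py memory`; the decoy in the sample shows why the mod-11 check matters, since a plain digit regex over a 1 GB dump returns plenty of look-alikes.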

Solution 2

Every BitLocker-encrypted volume carries a -FVE-FS- signature (at offset 3 of the volume header, where an NTFS volume has its OEM ID; the same 8-byte string also begins each FVE metadata block). Open secret in 010 Editor and search for it: the signature is there,
which confirms the volume is BitLocker. Then use the Volatility plugin https://github.com/elceef/bitlocker
to read the BitLocker key (the FVEK) straight out of the memory image:

  volatility -f memory --profile Win7SP1x86_23418 bitlocker
  Volatility Foundation Volatility Framework 2.6
  Address : 0x86863bc8
  Cipher : AES-128
  FVEK : 7c9e29b3708f344e4041271dc54175c5
  TWEAK : 4e3ef340dd377cea9c643951ce1e56c6

Feed the FVEK to Elcomsoft Forensic Disk Decryptor to decrypt the secret file and recover README.txt. Note that a TWEAK key is only present in the Elephant-diffuser modes (AES 128-bit with Diffuser is the Windows 7 default), so whatever tool you use must support that mode rather than plain AES-CBC.
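To make the -FVE-FS- check from the 010 Editor step reproducible, here is an added example (not code from this writeup or from the elceef plugin) that parses the BitLocker volume header of a raw image: it verifies the signature at offset 3, reads the bytes-per-sector field, the BitLocker volume GUID at offset 0xA0 and the three FVE metadata block offsets at 0xB0 that Windows 7 and later write, lists every signature hit the way the hex-editor search does, and confirms that each metadata block starts with the same signature. The image it runs on is constructed inside the script; metadata offsets in a real volume are far larger than the toy values used here.

```python
import struct
import sys
import uuid

FVE_SIGNATURE = b"-FVE-FS-"
# GUID stored at offset 0xA0 of the volume header on Windows 7+ BitLocker volumes.
BITLOCKER_GUID = uuid.UUID("4967d63b-2e29-4ad8-8399-f6a339e3d001")


def parse_volume_header(sector: bytes) -> dict:
    """Parse the first sector of a BitLocker volume (Windows 7+ layout)."""
    if len(sector) < 512:
        raise ValueError("need at least one 512-byte sector")
    if sector[3:11] != FVE_SIGNATURE:
        raise ValueError("no -FVE-FS- signature at offset 3: not a BitLocker volume")
    bytes_per_sector = struct.unpack_from("<H", sector, 11)[0]
    guid = uuid.UUID(bytes_le=bytes(sector[0xA0:0xB0]))
    metadata_offsets = struct.unpack_from("<3Q", sector, 0xB0)
    boot_signature = struct.unpack_from("<H", sector, 0x1FE)[0]
    return {
        "bytes_per_sector": bytes_per_sector,
        "guid": str(guid),
        "is_windows7_bitlocker": guid == BITLOCKER_GUID,
        "metadata_offsets": metadata_offsets,
        "boot_signature_ok": boot_signature == 0xAA55,
    }


def find_signatures(data: bytes) -> list:
    """Every offset of -FVE-FS- in the image, i.e. what the hex-editor search
    shows: offset 3 plus one hit per FVE metadata block."""
    hits, pos = [], data.find(FVE_SIGNATURE)
    while pos != -1:
        hits.append(pos)
        pos = data.find(FVE_SIGNATURE, pos + 1)
    return hits


def metadata_blocks_present(data: bytes) -> bool:
    """True when all three metadata offsets from the header point at a block
    that begins with the FVE signature (a truncated or damaged image fails)."""
    header = parse_volume_header(data[:512])
    return all(
        data[off:off + 8] == FVE_SIGNATURE for off in header["metadata_offsets"]
    )


def build_sample_image() -> bytes:
    """Constructed image for the demo: a volume header plus three metadata block
    stubs at 0x1000/0x2000/0x3000 (real offsets are megabytes into the volume)."""
    image = bytearray(0x3000 + 512)
    image[0:3] = b"\xeb\x58\x90"              # x86 jump, as in a real boot sector
    image[3:11] = FVE_SIGNATURE
    struct.pack_into("<H", image, 11, 512)    # bytes per sector
    image[0xA0:0xB0] = BITLOCKER_GUID.bytes_le
    struct.pack_into("<3Q", image, 0xB0, 0x1000, 0x2000, 0x3000)
    struct.pack_into("<H", image, 0x1FE, 0xAA55)
    for off in (0x1000, 0x2000, 0x3000):
        image[off:off + 8] = FVE_SIGNATURE
    return bytes(image)


if __name__ == "__main__":
    # Usage: python fve_header.py [volume_image]; defaults to the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    print(parse_volume_header(data[:512]))
    print("signature offsets:", [hex(o) for o in find_signatures(data)])
    print("metadata blocks present:", metadata_blocks_present(data))
```

Against the real secret file, `python fve_header.py secret` prints the header fields and four signature offsets; if the three metadata offsets do not land on a signature, the image is truncated or not a plain Windows 7 volume, and that is worth knowing before handing the FVEK to a decryption tool.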