DS3 easyrawencode
使用工具
- LovelyMem V0.91(推荐)
- Python 3(需要安装pycryptodome pandas)
详细操作
Lovelymem加载镜像,使用vol2的consoles plugin发现在rsa文件夹下运行了hack.py,并得到hack.py的运行结果
1
| python2 vol.py --plugin=volatility2_plugin -f easyrawencode.raw --profile=Win7SP1x64 consoles
ROUTEROS
|
image-20250118204926079
使用vol3提取hack.py private.pem encrypted_data.bin三个文件
1
2
3
| python vol.py -f easyrawencode.raw -o output windows.dumpfile --physaddr 0x3dfdf070
python vol.py -f easyrawencode.raw -o output windows.dumpfile --physaddr 0x61f5630
python vol.py -f easyrawencode.raw -o output windows.dumpfile --virtaddr 0x3fd5bf20
STYLUS
|
image-20250118210327740
hack.py:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
| import os
import hashlib
from Crypto.Cipher import AES, PKCS1_OAEP
from Crypto.PublicKey import RSA
hackkey = os.getenv('hackkey')
if not hackkey:
raise ValueError("Environment variable 'hackkey' is not set")
with open('private.pem', 'r') as f:
private_key = RSA.import_key(f.read())
public_key = private_key.publickey().export_key()
aes_key = hashlib.sha256(hackkey.encode()).digest()
with open('data.csv', 'rb') as f:
data = f.read()
cipher_aes = AES.new(aes_key, AES.MODE_EAX)
ciphertext, tag = cipher_aes.encrypt_and_digest(data)
cipher_rsa = PKCS1_OAEP.new(RSA.import_key(public_key))
enc_aes_key = cipher_rsa.encrypt(aes_key)
with open('encrypted_data.bin', 'wb') as f:
f.write(ciphertext)
print(enc_aes_key.hex())
print(cipher_aes.nonce.hex())
print(tag.hex())
PYTHON
|
查看hack.py,发现hack.py是用于加密data.csv的加密代码,从环境变量中取hackkey生成aes_key
如果上一步没有从内存中取得hack.py的运行结果,可以从环境变量中提取出hackkey,hackkey: 4etz0hHbU3TgKqduFL
1
| python2 vol.py --plugin=volatility2_plugin -f easyrawencode.raw --profile=Win7SP1x64 envars
ROUTEROS
|
image-20250118205751360
编写代码从encrypted_data.bin逆向解密出data.csv
需要安装pycryptodome pandas
1
| python3 -m pip install pycryptodome pandas
CMAKE
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
| from Crypto.Cipher import AES, PKCS1_OAEP
from Crypto.PublicKey import RSA
enc_aes_key_hex = "20d96098010eb9b326be6c46e1ce1ca679e29f1d65dec055cf8c46c6436c3356af2dc312b2d35466308b9fff0dd427b44a37e34fca12992e45db2ddd81884bd8eb5bccd3c595e8a9a352bd61322e1d52329d6c8638bbfce65edffbc4d3a5759e88c0f90e31ce518837552a3a09d8e7e3c374f3857bfe501cce2066fb233ff1f5faac18d73c3b665a54e8c55574f16bf4678c5ce835d2a14a65f8c1cec012435a8c06314cbe727a3a9b6060dfd6cdb850073423841178f6f409bb7ce8d4863c6f58855954d34af3d2964c488c9057c8c5072a54e43f1f8039d32409eb1ff3abca41c0b302788c4c56c1a4be4506ff5b8aff0242e21c0ee7ffee2da20ed9434334"
nonce_hex = "d919c229aab6535efa09a52c589c8f47"
tag_hex = "5b204675b1b173c32c04b0b8a100ee29"
enc_aes_key = bytes.fromhex(enc_aes_key_hex)
nonce = bytes.fromhex(nonce_hex)
tag = bytes.fromhex(tag_hex)
with open('private.pem', 'r') as f:
private_key = RSA.import_key(f.read())
cipher_rsa = PKCS1_OAEP.new(private_key)
aes_key = cipher_rsa.decrypt(enc_aes_key)
with open('encrypted_data.bin', 'rb') as f:
ciphertext = f.read()
cipher_aes = AES.new(aes_key, AES.MODE_EAX, nonce=nonce)
data = cipher_aes.decrypt_and_verify(ciphertext, tag)
with open('decrypted_data.csv', 'wb') as f:
f.write(data)
PY
|
解密出csv后,发现个性签名列被加密,使用密码列内容对个性签名列进行解密,得到flag
image-20250118210522737
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
| import pandas as pd
from Crypto.Cipher import ARC4
from base64 import b64decode
def rc4_decrypt(key, data):
cipher = ARC4.new(key)
return cipher.decrypt(data)
df = pd.read_csv("decrypted_data.csv")
df['个性签名'] = ''
for index, row in df.iterrows():
enc = row['个性签名(加密版)']
password = row['密码']
try:
ens = b64decode(enc)
dec_s = rc4_decrypt(password.encode(), ens)
df.at[index, '个性签名'] = dec_s.decode('utf-8')
except:
print(index)
df.to_csv("data.csv",index=False)
PY
|
image-20250118160518231