服务器取证
先对网站进行重构
[root@study ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
643626ab3d8b mattermost/mattermost-preview "/bin/sh -c ./docker…" 2 weeks ago Up 9 minutes 5432/tcp, 0.0.0.0:8065->8065/tcp, :::8065->8065/tcp mattermost-preview
需要绕密,dockerhub找一下dockerfile
# Copyright (c) 2016-present Mattermost, Inc. All Rights Reserved.
# See License.txt for license information.
FROM postgres:12RUN apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 467B942D3A79BD29
RUN apt-get update && apt-get install -y ca-certificates#
# Configure SQL
#ENV POSTGRES_USER=mmuser
ENV POSTGRES_PASSWORD=mostest
ENV POSTGRES_DB=mattermost_test#
# Configure Mattermost
#
WORKDIR /mm# Copy over files
ADD https://releases.mattermost.com/9.7.1/mattermost-team-9.7.1-linux-amd64.tar.gz .
RUN tar -zxvf mattermost-team-*-linux-amd64.tar.gz
ADD config_docker.json ./mattermost/config/config_docker.json
ADD docker-entry.sh .RUN chmod +x ./docker-entry.sh
ENTRYPOINT ./docker-entry.sh# Mattermost environment variables
ENV PATH="/mm/mattermost/bin:${PATH}"# Create default storage directory
RUN mkdir ./mattermost-data
VOLUME /mm/mattermost-data# Ports
EXPOSE 8065
[root@study ~]# docker inspect 64
[{"Id": "643626ab3d8b5930412e228e024172af9808aa456d155044e9feeb2b97711526","Created": "2024-04-24T02:21:19.985981238Z","Path": "/bin/sh","Args": ["-c","./docker-entry.sh"],"State": {"Status": "running","Running": true,"Paused": false,"Restarting": false,"OOMKilled": false,"Dead": false,"Pid": 2463,"ExitCode": 0,"Error": "","StartedAt": "2024-05-11T08:58:55.485926293Z","FinishedAt": "2024-04-26T03:00:09.909047728Z"},"Image": "sha256:5837cec062188c67f040bce24559c299a1745ccda8793ebe56b9e72e66c3b7ce","ResolvConfPath": "/var/lib/docker/containers/643626ab3d8b5930412e228e024172af9808aa456d155044e9feeb2b97711526/resolv.conf","HostnamePath": "/var/lib/docker/containers/643626ab3d8b5930412e228e024172af9808aa456d155044e9feeb2b97711526/hostname","HostsPath": "/var/lib/docker/containers/643626ab3d8b5930412e228e024172af9808aa456d155044e9feeb2b97711526/hosts","LogPath": "/var/lib/docker/containers/643626ab3d8b5930412e228e024172af9808aa456d155044e9feeb2b97711526/643626ab3d8b5930412e228e024172af9808aa456d155044e9feeb2b97711526-json.log","Name": "/mattermost-preview","RestartCount": 0,"Driver": "overlay2","Platform": "linux","MountLabel": "","ProcessLabel": "","AppArmorProfile": "","ExecIDs": null,"HostConfig": {"Binds": null,"ContainerIDFile": "","LogConfig": {"Type": "json-file","Config": {}},"NetworkMode": "bridge","PortBindings": {"8065/tcp": [{"HostIp": "","HostPort": "8065"}]},"RestartPolicy": {"Name": "always","MaximumRetryCount": 0},"AutoRemove": false,"VolumeDriver": "","VolumesFrom": null,"ConsoleSize": [50,180],"CapAdd": null,"CapDrop": null,"CgroupnsMode": "host","Dns": [],"DnsOptions": [],"DnsSearch": [],"ExtraHosts": null,"GroupAdd": null,"IpcMode": "private","Cgroup": "","Links": null,"OomScoreAdj": 0,"PidMode": "","Privileged": false,"PublishAllPorts": false,"ReadonlyRootfs": false,"SecurityOpt": null,"UTSMode": "","UsernsMode": "","ShmSize": 67108864,"Runtime": "runc","Isolation": "","CpuShares": 0,"Memory": 0,"NanoCpus": 0,"CgroupParent": "","BlkioWeight": 0,"BlkioWeightDevice": [],"BlkioDeviceReadBps": [],"BlkioDeviceWriteBps": [],"BlkioDeviceReadIOps": [],"BlkioDeviceWriteIOps": [],"CpuPeriod": 0,"CpuQuota": 0,"CpuRealtimePeriod": 0,"CpuRealtimeRuntime": 0,"CpusetCpus": "","CpusetMems": "","Devices": [],"DeviceCgroupRules": null,"DeviceRequests": null,"MemoryReservation": 0,"MemorySwap": 0,"MemorySwappiness": null,"OomKillDisable": false,"PidsLimit": null,"Ulimits": [],"CpuCount": 0,"CpuPercent": 0,"IOMaximumIOps": 0,"IOMaximumBandwidth": 0,"MaskedPaths": ["/proc/asound","/proc/acpi","/proc/kcore","/proc/keys","/proc/latency_stats","/proc/timer_list","/proc/timer_stats","/proc/sched_debug","/proc/scsi","/sys/firmware","/sys/devices/virtual/powercap"],"ReadonlyPaths": ["/proc/bus","/proc/fs","/proc/irq","/proc/sys","/proc/sysrq-trigger"]},"GraphDriver": {"Data": {"LowerDir": "/var/lib/docker/overlay2/71b9be5f1a80cd6fc1d90755adfd24feafdeef72868827c602da7e6269ba7357-init/diff:/var/lib/docker/overlay2/b12cb00e51f445afd8da7a70f32a1d5ecede54d6008650db22ef0d963e3b0750/diff:/var/lib/docker/overlay2/3ad290538d2e6e47048493bc73f18ac88ffa5e60b6690d70be9ba6d0ace4def0/diff:/var/lib/docker/overlay2/0f826b0d9a37938457854661a0f6dfff310a8b42b5309593bc3310453d301438/diff:/var/lib/docker/overlay2/13649905eef69084552c8ceeb5efa0e7d5dad075c2484cb6b35a57c1e1cc5f0a/diff:/var/lib/docker/overlay2/cb87a5a839d21f40d5872f078352c0bac1265926d07dd981a99afc48bd7ba2b9/diff:/var/lib/docker/overlay2/bc95db335b6262cfb52d350f32194d3bfad897674eff2a60217252357564b4e2/diff:/var/lib/docker/overlay2/a8429a37877ac7ba2f698642856d51cd904679ddcaaf9647d3a3c8a9b3dce797/diff:/var/lib/docker/overlay2/1c86ae8ef7388378ae91475a2db24910a0d889427f76a2272408e890b330d170/diff:/var/lib/docker/overlay2/d40a787f00c6e599e908c76d3d4e9e1406a4f7f40c02af78d6fa14d945862b2d/diff:/var/lib/docker/overlay2/e4fce9779794d80acb0d85325e129a218bd6c41c8cb71d238ef869ec173c0314/diff:/var/lib/docker/overlay2/6ce5159b8a30b86803f86daa0c3fd339aff6e115c896516a6197daea982ef6bf/diff:/var/lib/docker/overlay2/7463eecf1ff79567e61d119af16b6b1abb9de71001cdeb9bc7bd2593eae308d8/diff:/var/lib/docker/overlay2/2a1faa98aa8157720bf999caa5a5e42518b28531aefa0dbd12f178f674c96441/diff:/var/lib/docker/overlay2/ce745a21a53f7f5b1d6ed78056bb8330690e038a558bc8ce582ad60ab76b6b7c/diff:/var/lib/docker/overlay2/02985b05c68f2ac389bf285324b2a2ed838e31b05fd370469ecc9bb385cb0c60/diff:/var/lib/docker/overlay2/8f136f0c593d4b9d74d284bd258bc3261050575c6cf6dea63ebf56513c1996f7/diff:/var/lib/docker/overlay2/afbb37f8d7cab97b702d582bbea1fcf3b611f92f0807d7ea4a1d5d7dd66738d2/diff:/var/lib/docker/overlay2/b9ea5c12870589b8bacc2edf8f27c5126d782e766d1b114b422420051392ca3d/diff:/var/lib/docker/overlay2/2fe9c20c382a4c4288f42d7876a1e9b610b809ac9c7e711bf78fdea2c4191e73/diff:/var/lib/docker/overlay2/3fb2ba45147b305f4cb811660f44c514b96c7565039bc0b0b475ce89f298aa5c/diff:/var/lib/docker/overlay2/63b8deae07e319a92b51ba7636506207ab299aeac6134f6dc4462e97f4d90bd6/diff:/var/lib/docker/overlay2/32df7c0b96e23cdeb134a1c1f6369afbdfaced9563c5dec05dba5722ccd70988/diff:/var/lib/docker/overlay2/7d8a3a4b10a26c7d31398139a71f00a7e48e3c266a79ceb04ce83be0a45ccea3/diff","MergedDir": "/var/lib/docker/overlay2/71b9be5f1a80cd6fc1d90755adfd24feafdeef72868827c602da7e6269ba7357/merged","UpperDir": "/var/lib/docker/overlay2/71b9be5f1a80cd6fc1d90755adfd24feafdeef72868827c602da7e6269ba7357/diff","WorkDir": "/var/lib/docker/overlay2/71b9be5f1a80cd6fc1d90755adfd24feafdeef72868827c602da7e6269ba7357/work"},"Name": "overlay2"},"Mounts": [{"Type": "volume","Name": "058817fe9d6fb657d5d572e35f3ef4509971821789934c4926d4243b10323388","Source": "/var/lib/docker/volumes/058817fe9d6fb657d5d572e35f3ef4509971821789934c4926d4243b10323388/_data","Destination": "/mm/mattermost-data","Driver": "local","Mode": "","RW": true,"Propagation": ""},{"Type": "volume","Name": "0191a7eb6e2b65e7261d97b3e3d27ddeced2907e44251e2cc012c09ccb1592f2","Source": "/var/lib/docker/volumes/0191a7eb6e2b65e7261d97b3e3d27ddeced2907e44251e2cc012c09ccb1592f2/_data","Destination": "/var/lib/postgresql/data","Driver": "local","Mode": "","RW": true,"Propagation": ""}],"Config": {"Hostname": "643626ab3d8b","Domainname": "","User": "","AttachStdin": false,"AttachStdout": false,"AttachStderr": false,"ExposedPorts": {"5432/tcp": {},"8065/tcp": {}},"Tty": false,"OpenStdin": false,"StdinOnce": false,"Env": ["PATH=/mm/mattermost/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/lib/postgresql/12/bin","GOSU_VERSION=1.17","LANG=en_US.utf8","PG_MAJOR=12","PG_VERSION=12.18-1.pgdg120+2","PGDATA=/var/lib/postgresql/data","POSTGRES_USER=mmuser","POSTGRES_PASSWORD=mostest","POSTGRES_DB=mattermost_test"],"Cmd": null,"Image": "mattermost/mattermost-preview","Volumes": {"/mm/mattermost-data": {},"/var/lib/postgresql/data": {}},"WorkingDir": "/mm","Entrypoint": ["/bin/sh","-c","./docker-entry.sh"],"OnBuild": null,"Labels": {},"StopSignal": "SIGINT"},"NetworkSettings": {"Bridge": "","SandboxID": "65103f1a1a02027fd9580df1876f0fefef641296e363607fa43271d67fe30ca0","SandboxKey": "/var/run/docker/netns/65103f1a1a02","Ports": {"5432/tcp": null,"8065/tcp": [{"HostIp": "0.0.0.0","HostPort": "8065"},{"HostIp": "::","HostPort": "8065"}]},"HairpinMode": false,"LinkLocalIPv6Address": "","LinkLocalIPv6PrefixLen": 0,"SecondaryIPAddresses": null,"SecondaryIPv6Addresses": null,"EndpointID": "5ab473e8313fe68acf442f4e44948ff480ae46322727789828668443d16c0ea4","Gateway": "172.17.0.1","GlobalIPv6Address": "","GlobalIPv6PrefixLen": 0,"IPAddress": "172.17.0.2","IPPrefixLen": 16,"IPv6Gateway": "","MacAddress": "02:42:ac:11:00:02","Networks": {"bridge": {"IPAMConfig": null,"Links": null,"Aliases": null,"MacAddress": "02:42:ac:11:00:02","NetworkID": "0ddfa819cbcdbceb6d20ee3efd7140bad6a138bf58404943deda3394867ba547","EndpointID": "5ab473e8313fe68acf442f4e44948ff480ae46322727789828668443d16c0ea4","Gateway": "172.17.0.1","IPAddress": "172.17.0.2","IPPrefixLen": 16,"IPv6Gateway": "","GlobalIPv6Address": "","GlobalIPv6PrefixLen": 0,"DriverOpts": null,"DNSNames": null}}}}
]
进数据库
这似曾相识的密码,bcrypt
至此IM服务器重构成功,接着重构web服务器
加个hosts直接访问
但是数据库没东西,看后面题目知道做了备份
[root@wns ~]# crontab -l
*/5 * * * * flock -xn /www/server/cron/e5b996fee678856191a1f336d0996b33.lock -c /www/server/cron/e5b996fee678856191a1f336d0996b33 >> /www/server/cron/e5b996fee678856191a1f336d0996b33.log 2>&10 0 * * 0 /root/backup.sh
/root/backup.sh
#!/bin/bashDB_USER="root"
DB_PASSWORD="root"
DB_NAME="2828"
BACKUP_PATH="/root/backup"cd $BACKUP_PATHDATE=$(date +%Y%m%d%H%M%S)AES_PASS=$(echo -n "$DB_NAME" | openssl enc -aes-256-cbc -a -salt -pass pass:mysecretpassword -nosalt)BACKUP_FILE_NAME="${DB_NAME}_${DATE}.sql"mysqldump -u $DB_USER -p$DB_PASSWORD $DB_NAME > $BACKUP_FILE_NAMEFile_Name="${DB_NAME}.sql.gz"tar -czvf - $BACKUP_FILE_NAME | openssl des3 -salt -k $AES_PASS -out $File_Namerm -rf $BACKUP_FILE_NAMEmysqladmin -u $DB_USER -p$DB_PASSWORD drop $DB_NAME --force
稍微修改一下
#!/bin/bashDB_USER="root"
DB_PASSWORD="root"
DB_NAME="2828"
BACKUP_PATH="/root/backup"cd $BACKUP_PATHDATE=$(date +%Y%m%d%H%M%S)AES_PASS=$(echo -n "$DB_NAME" | openssl enc -aes-256-cbc -a -salt -pass pass:mysecretpassword -nosalt)echo $AES_PASSBACKUP_FILE_NAME="${DB_NAME}_${DATE}.sql"#mysqldump -u $DB_USER -p$DB_PASSWORD $DB_NAME > $BACKUP_FILE_NAMEFile_Name="${DB_NAME}.sql.gz"#tar -czvf - $BACKUP_FILE_NAME | openssl des3 -salt -k $AES_PASS -out $File_Name#rm -rf $BACKUP_FILE_NAME#mysqladmin -u $DB_USER -p$DB_PASSWORD drop $DB_NAME --force
[root@wns backup]# openssl des3 -d -salt -k "IvPGP/8vfTLtzQfJTmQhYg==" -in 2828.sql.gz -out 2828_decrypted.sql.gz
[root@wns backup]# gunzip 2828_decrypted.sql.gz
[root@wns backup]# ls
2828_decrypted.sql 2828.sql.gz
[root@wns backup]# cat 2828_decrypted.sql | head -n 10
2828_20240427154000.sql0000644000000000000000216675436014613125726012403 0ustar rootroot-- MySQL dump 10.13 Distrib 5.7.40, for Linux (x86_64)
--
-- Host: localhost Database: 2828
-- ------------------------------------------------------
-- Server version 5.7.40-log/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8 */;
常规后台绕密
自己手动重定向一下
这两个服务器都重构好了
分析内部IM服务器检材,在搭建的内部即时通讯平台中,客户端与服务器的通讯端口是:[答案格式:8888][★☆☆☆☆]
[root@study ~]# docker inspect 643626ab3d8b | grep -i port"PortBindings": {"HostPort": "8065""PublishAllPorts": false,"ExposedPorts": {"Ports": {"HostPort": "8065""HostPort": "8065"
分析内部IM服务器检材,该内部IM平台使用的数据库版本是: [答案格式:12.34][★★☆☆☆]
[root@study ~]# docker inspect 643626ab3d8b | grep -i version"GOSU_VERSION=1.17","PG_VERSION=12.18-1.pgdg120+2",
分析内部IM服务器检材,该内部IM平台中数据库的名称是:[答案格式:小写][★★☆☆☆]
[root@study ~]# docker inspect 643626ab3d8b | grep -i db"BlkioDeviceReadBps": [],"LowerDir": "/var/lib/docker/overlay2/71b9be5f1a80cd6fc1d90755adfd24feafdeef72868827c602da7e6269ba7357-init/diff:/var/lib/docker/overlay2/b12cb00e51f445afd8da7a70f32a1d5ecede54d6008650db22ef0d963e3b0750/diff:/var/lib/docker/overlay2/3ad290538d2e6e47048493bc73f18ac88ffa5e60b6690d70be9ba6d0ace4def0/diff:/var/lib/docker/overlay2/0f826b0d9a37938457854661a0f6dfff310a8b42b5309593bc3310453d301438/diff:/var/lib/docker/overlay2/13649905eef69084552c8ceeb5efa0e7d5dad075c2484cb6b35a57c1e1cc5f0a/diff:/var/lib/docker/overlay2/cb87a5a839d21f40d5872f078352c0bac1265926d07dd981a99afc48bd7ba2b9/diff:/var/lib/docker/overlay2/bc95db335b6262cfb52d350f32194d3bfad897674eff2a60217252357564b4e2/diff:/var/lib/docker/overlay2/a8429a37877ac7ba2f698642856d51cd904679ddcaaf9647d3a3c8a9b3dce797/diff:/var/lib/docker/overlay2/1c86ae8ef7388378ae91475a2db24910a0d889427f76a2272408e890b330d170/diff:/var/lib/docker/overlay2/d40a787f00c6e599e908c76d3d4e9e1406a4f7f40c02af78d6fa14d945862b2d/diff:/var/lib/docker/overlay2/e4fce9779794d80acb0d85325e129a218bd6c41c8cb71d238ef869ec173c0314/diff:/var/lib/docker/overlay2/6ce5159b8a30b86803f86daa0c3fd339aff6e115c896516a6197daea982ef6bf/diff:/var/lib/docker/overlay2/7463eecf1ff79567e61d119af16b6b1abb9de71001cdeb9bc7bd2593eae308d8/diff:/var/lib/docker/overlay2/2a1faa98aa8157720bf999caa5a5e42518b28531aefa0dbd12f178f674c96441/diff:/var/lib/docker/overlay2/ce745a21a53f7f5b1d6ed78056bb8330690e038a558bc8ce582ad60ab76b6b7c/diff:/var/lib/docker/overlay2/02985b05c68f2ac389bf285324b2a2ed838e31b05fd370469ecc9bb385cb0c60/diff:/var/lib/docker/overlay2/8f136f0c593d4b9d74d284bd258bc3261050575c6cf6dea63ebf56513c1996f7/diff:/var/lib/docker/overlay2/afbb37f8d7cab97b702d582bbea1fcf3b611f92f0807d7ea4a1d5d7dd66738d2/diff:/var/lib/docker/overlay2/b9ea5c12870589b8bacc2edf8f27c5126d782e766d1b114b422420051392ca3d/diff:/var/lib/docker/overlay2/2fe9c20c382a4c4288f42d7876a1e9b610b809ac9c7e711bf78fdea2c4191e73/diff:/var/lib/docker/overlay2/3fb2ba45147b305f4cb811660f44c514b96c7565039bc0b0b475ce89f298aa5c/diff:/var/lib/docker/overlay2/63b8deae07e319a92b51ba7636506207ab299aeac6134f6dc4462e97f4d90bd6/diff:/var/lib/docker/overlay2/32df7c0b96e23cdeb134a1c1f6369afbdfaced9563c5dec05dba5722ccd70988/diff:/var/lib/docker/overlay2/7d8a3a4b10a26c7d31398139a71f00a7e48e3c266a79ceb04ce83be0a45ccea3/diff","POSTGRES_DB=mattermost_test""SandboxID": "65103f1a1a02027fd9580df1876f0fefef641296e363607fa43271d67fe30ca0","SandboxKey": "/var/run/docker/netns/65103f1a1a02","NetworkID": "0ddfa819cbcdbceb6d20ee3efd7140bad6a138bf58404943deda3394867ba547",
分析内部IM服务器检材,该内部IM平台中当前数据库一共有多少张表:[答案格式:1][★★☆☆☆]
分析内部IM服务器检材,员工注册的邀请链接中,邀请码是:[答案格式:小写数字字母][★★★☆☆]
分析内部IM服务器检材,用户yiyan一共给fujiya发送了几个视频文件:[答案格式:数字][★★★☆☆]
分析内部IM服务器检材,用户yiyan在团队群组中发送的视频文件的MD5值是:[答案格式:小写][★★★☆☆]
分析内部IM服务器检材,一个团队中允许的最大用户数是:[答案格式:数字][★★★★☆]
分析内部IM服务器检材,黑客是什么时候开始攻击:[答案格式:2024-01-01-04-05][★★★☆☆]
分析网站服务器检材,网站搭建使用的服务器管理软件当前版本是否支持32位系统:[答案格式:是/否][★☆☆☆☆]
[root@wns ~]# cat install.sh | grep 32位Red_Error "抱歉, 当前面板版本不支持32位系统, 请使用64位系统或安装宝塔5.9!";echo -e "宝塔面板不支持32位系统进行安装,请使用64位系统/服务器架构进行安装宝塔"
分析网站服务器检材,数据库备份的频率是一周多少次:[答案格式:1][★★☆☆☆]
[root@wns ~]# crontab -l
*/5 * * * * flock -xn /www/server/cron/e5b996fee678856191a1f336d0996b33.lock -c /www/server/cron/e5b996fee678856191a1f336d0996b33 >> /www/server/cron/e5b996fee678856191a1f336d0996b33.log 2>&10 0 * * 0 /root/backup.sh
分析网站服务器检材,数据库备份生成的文件的密码是:[答案格式:admin][★★☆☆☆]
[root@wns ~]# sh backup.sh
IvPGP/8vfTLtzQfJTmQhYg==
分析网站服务器检材,网站前台首页的网站标题是:[答案格式:百度][★★★☆☆]
分析网站服务器检材,受害人第一次成功登录网站的时间是:[答案格式:2024-01-01-04-05][★★★☆☆]
分析网站服务器检材,前台页面中,港澳数字竞猜游戏中,进入贵宾厅最低点数是:[答案格式:1234][★★★☆☆]
找个用户,密码哈希替换一下
分析网站服务器检材,受害人在平台一共盈利了多少钱:[答案格式:12][★★☆☆☆]
分析网站服务器检材,网站根目录下,哪个路径存在漏洞:[答案格式:/Admin/User/register.php][★★★☆☆]
分析网站服务器检材,黑客通过哪个文件上传的木马文件:[答案格式:test.php][★☆☆☆☆]
分析网站服务器检材,网站使用的数据库前缀是:[答案格式:test_][★☆☆☆☆]
分析网站服务器检材,木马文件的密码是:[答案格式:123] [★☆☆☆☆]
d盾那里有
人工智能取证
本系列题需要bitlocker解开后才能作答
GPT-SoVITS整合包部署及使用教程 - 哔哩哔哩 (bilibili.com)
拿到后粗略看一眼,GPT是换声音的,Rope是换脸的,里面还有个secret是一个爆炸策划
软件里面有个encrypt.exe加密后的文件后面会带-cn
分析义言的计算机检材,一共训练了多少个声音模型:[答案格式:123][★★☆☆☆]
每一个点进去都是由train.log的
分析义言的计算机检材,声音模型voice2,一共训练了多少条声音素材:[答案格式:123][★★☆☆☆]
分析义言的计算机检材,声音模型voice3,一共训练了多少轮:[答案格式:123][★★★☆☆]
分析义言的计算机检材,声音克隆工具推理生成语音界面的监听端口是:[答案格式:1234][★★★★☆]
分析义言的计算机检材,电脑中视频文件有几个被换过脸:[答案格式:10][★★★★★]
分析义言的计算机检材,换脸AI程序默认换脸视频文件名是:[答案格式:test.mp4][★★☆☆☆]
分析义言的计算机检材,换脸AI程序默认换脸图片的文件名称:[答案格式:abc.abc][★★☆☆☆]
分析义言的计算机检材,换脸AI程序模型文件数量是多少个:[答案格式:10][★★☆☆☆]
计算机取证
分析伏季雅的计算机检材,计算机最后一次错误登录时间是:[答案格式:2024-01-01-04-05-06][★☆☆☆☆]
分析伏季雅的计算机检材,计算机中曾经浏览过的电影名字是:[答案格式:《奥本海默》] [★☆☆☆☆]
分析伏季雅的计算机检材,计算机中团队内部即时通讯软件的最后一次打开的时间是:[答案格式:2024-01-01-04-05-06][★☆☆☆☆]
分析伏季雅的计算机检材,计算机中有一款具备虚拟视频功能的软件,该软件合计播放了多少个视频:[答案格式:3][★☆☆☆☆]
接上题,该软件的官网地址是:[答案格式:https://www.baidu.com][★☆☆☆☆]
接上题,该软件录制数据时,设置的帧率是:[答案格式:20][★☆☆☆☆]
分析伏季雅的计算机检材,在团队内部使用的即时通讯软件中,其一共接收了多少条虚拟语音:[答案格式:2][★☆☆☆☆]
分析毛雪柳的计算机检材,计算机插入三星固态盘的时间是:[答案格式:2024-01-01-04-05-06][★☆☆☆☆]
分析毛雪柳的计算机检材,计算机操作系统当前的Build版本是:[答案格式:17786][★☆☆☆☆]
分析毛雪柳的计算机检材,团队内部使用的即时通讯软件在计算机上存储日志的文件名是:[答案格式:log.log,区分大小写][★☆☆☆☆]
分析毛雪柳的计算机检材,伏季雅一月份实发工资的金额是:[答案格式:1234][★★★☆☆]
回收站里有一个密码一个账本,密码.doc是假的
输错两次后会提示梭哈,尝试了各种隐写之后发现。。。真正的密码在毛雪柳的手机的图片里
共有5个sheet
分析毛雪柳的计算机检材,该团伙三月份的盈余多少:[答案格式:1234][★★★☆☆]
分析义言的计算机检材,计算机连接过的三星移动硬盘T7的序列号是:[答案格式:大写字母和数字][★☆☆☆☆]
分析义言的计算机检材,计算机的最后一次正常关机时间是:[答案格式:2024-01-01-04-05-06][★☆☆☆☆]
分析义言的计算机检材,曾经使用工具连接过数据库,该数据库的密码是:[答案格式:admin][★☆☆☆☆]
分析义言的计算机检材,计算机中安装的xshell软件的版本号是:[答案格式:Build-0000][★☆☆☆☆]
分析义言的计算机检材,曾使用shell工具连接过服务器,该服务器root用户的密码是:[答案格式:admin][★★★☆☆]
还有一种手工方法
FinalShell默认配置文件地址:
%userprofile%\AppData\Local\finalshell\conn\xxx.json
工具下载地址:https://github.com/passer-W/FinalShell-Decoder
分析义言的计算机检材,计算机曾接收到一封钓鱼邮件,该邮件发件人是:[答案格式: abc@abc.abc][★★☆☆☆]
接上题,钓鱼邮件中附件的大小是多少MB:[答案格式:12.3][★★☆☆☆]
接上题,上述附件解压运行后,文件的释放位置是:[答案格式:D:\Download\test][★★☆☆☆]
接上题,恶意木马文件的MD5 值是:[答案格式:小写][★★☆☆☆]
接上题,恶意木马文件的回连IP地址是:[答案格式:127.0.0.1][★★☆☆☆]
分析伏季雅的计算机检材,计算机中团队内部即时通讯软件的最后一次打开的时间是:[答案格式:2024-01-01-04-05-06][★☆☆☆☆]
分析义言的计算机检材,计算机中保存的有隐写痕迹的文件名:[答案格式:abc.abc][★★★☆☆]
bitlocker解开后重新跑一次取证
分析义言的计算机检材,保存容器密码的文件大小是多少字节:[答案格式:123][★★★☆☆]
回收站有个lsb隐写工具
在本地测试后隐写后的图片会变成bmp格式
提取
火眼爆搜bmp格式,从大往下,有几个感觉比较可疑
导出后解密
解密vc
里面都是encrypt.exe里加密过的
答案
分析义言的计算机内存检材,该内存镜像制作时间(UTC+8)是:[答案格式:2024-01-01-04-05][★★☆☆☆]
分析义言的计算机内存检材,navicat.exe的进程ID是:[答案格式:123][★★☆☆☆]
IPA取证
分析毛雪柳的手机检材,记账APP存储记账信息的数据库文件名称是:[答案格式:tmp.db,区分大小写][★★★★☆]
分析毛雪柳的手机检材,记账APP中,2月份总收入金额是多少:[答案格式:1234][★★★★★]
这个文件需要用realm studio打开
分析毛雪柳的手机检材,手机中团队内部使用的即时通讯软件中,团队老板的邮箱账号是:[答案格式:abc@abc.com][★★★☆☆]
服务器顺下来就知道,也不用看数据库
gxyt@163.com
接上题,该内部即时通讯软件中,毛雪柳和老板的私聊频道中,老板加入私聊频道的时间是:[答案格式:2024-01-01-04-05-06][★★★☆☆]
接上题,该私聊频道中,老板最后一次发送聊天内容的时间是:[答案格式:2024-01-01-04-05-06][★★★☆☆]
APK取证
分析伏季雅的手机检材,手机中诈骗APP的包名是:[答案格式:abc.abc.abc,区分大小写][★☆☆☆☆]
分析伏季雅的手机检材,手机中诈骗APP连接的服务器地址是:[答案格式:127.0.0.1][★☆☆☆☆]
别的忽略,,,我们校园网的包
分析伏季雅的手机检材,手机中诈骗APP的打包ID是:[答案格式:_abc_abc.abc,区分大小写][★☆☆☆☆]
分析伏季雅的手机检材,手机中诈骗APP的主启动项是:[答案格式:abc.abc.abc,区分大小写][★☆☆☆☆]
分析义言的手机检材,分析团队内部使用的即时通讯软件,该软件连接服务器的地址是:[答案格式:127.0.0.1][★★☆☆☆]
IM服务器的ip地址:192.168.137.97
接上题,该软件存储聊天信息的数据库文件名称是:[答案格式:abc.abc,区分大小写][★★☆☆☆]
接上题,该即时通讯软件中,团队内部沟通群中,一共有多少个用户:[答案格式:1][★★☆☆☆]
接上题,该即时通讯应用的版本号是:[答案格式:1.1.1][★★☆☆☆]
接上题,该即时通讯应用中,团队内部沟通中曾发送了一个视频文件,该视频文件发送者的用户名是:[答案格式:abc][★★★★☆]
yiyan
file表格里面,每个文件都有对应的发送id
带着post_id到post表里面去查,找到对应消息记录的user_id
带着user_id去user表里面去查,得到username
接上题,分析该即时通讯的聊天记录,团队购买了一个高性能显卡,该显卡的显存大小是:[答案格式:20G][★★☆☆☆]
分析义言的手机检材,手机中装有一个具备隐藏功能的APP,该APP启动设置了密码,设置的密码长度是多少位:[答案格式:5][★★★★☆]
这边是搜包名的时候运气好碰到老外的分析记录,直接把其成果拿来用了
https://theincidentalchewtoy.wordpress.com/2021/12/07/decrypting-the-calculator-apps/
实际上有更明了的做法——直接hook安卓加密库,然后就能发现几乎所有的字符串都是使用AES(而且是使用同一个密钥和iv解的)
除此之外,hook文件操作方法,还有大量对/data/user/0/com.hld.anzenbokusufake/shared_prefs/share_privacy_safe.xml的写入操作
所以可以定位到share_privacy_safe.xml这个文件,把里面的字符串进行解密即可
接上题,分析上述隐藏功能的APP,一共隐藏了多少个应用:[答案格式:1][★★★★☆]
这里是文章里面没有的。静态分析因为强混淆所以不是很好搞,这里继续hook文件操作方法,随便加密几个文件之后就能hook到写出文件的路径了——/storage/emulated/0/.privacy_safe
接上题,分析上述隐藏功能的APP,该APP一共加密了多少个文件:[答案格式:][★★★★☆]
数据库是加密的,需要使用DB Browser for SQLCipher.exe加上密码Rny48Ni8aPjYCnUI去打开这个db文件
接上题,分析上述隐藏功能的APP,该APP加密了一份含有公民隐私信息的文件,该文件的原始名称是:[答案格式:abc.txt][★★★★☆]
公民信息.xlsx
分析义言的手机检材,马伟的手机号码是:[答案格式:13012341234][★★★★☆]
解密也是使用Rny48Ni8aPjYCnUI加上AES算法即可
分析义言的手机检材,手机中存有一个BitLocker恢复密钥文件,文件已被加密,原始文件的MD5值是:[答案格式:小写字母和数字][★★★★☆]
解出来的结果里是gb2312编码存储的bitlocker文件
手机取证
分析伏季雅的手机检材,手机的安卓ID是:[答案格式:小写字母和数字][★☆☆☆☆]
分析伏季雅的手机检材,手机型号是:[答案格式:HUAWEI-FL56T][★☆☆☆☆]
分析伏季雅的手机检材,其和受害人视频通话的时间是:[答案格式:2024-01-01-04-05][★☆☆☆☆]
分析伏季雅的手机检材,手机中安装了一款记账APP,该记账APP存储记账信息的数据库名称是:[答案格式:abcabc,区分大小写][★☆☆☆☆]
\嫌疑人\伏季雅\手机\Samsung\data\data\com.bookmark.money\databases\MoneyLoverS2
接上题,该记账APP登录的邮箱账号是:[答案格式:abc@abc.com][★★★☆☆]
接上题,该记账APP中记录的所有收入金额合计是:[答案格式:1234][★★★☆☆]
SELECTSUM( transactions.amount )
FROM"transactions",categories
WHEREcategories.cat_id == transactions.cat_id AND categories.cat_type == 1;
接上题,分析该记账APP中的消费记录,统计从2022-3-1(含)到2023-12-1(含)期间,用于交通的支出费用合计是:[答案格式:1234][★★★☆☆]
SELECTSUM( transactions.amount )
FROM"transactions",categories
WHEREcategories.cat_id == transactions.cat_id AND categories.cat_type == 2 AND categories.cat_id == 19 AND transactions.created_date >= '2022-03-01' AND transactions.created_date <= '2023-12-01';
分析毛雪柳的手机检材,手机中有一个记账APP,该APP的应用名称是:[答案格式:Telegram,区分大小写][★☆☆☆☆]
分析义言的手机检材,手机中登录的谷歌邮箱账号是:[答案格式:abc@gmail.com][★★☆☆☆]
分析义言的手机检材,手机的MTP序列号是:[答案格式:大写字母和数字][★★☆☆☆]
分析义言的手机检材,除系统自带的浏览器外,手机中安装了一款第三方浏览器,该浏览器的应用名称是:[答案格式:百度浏览器][★★☆☆☆]
接上题,上述浏览器最后一次搜索的关键字是:[答案格式:百度][★★☆☆☆]
见上
接上题,该浏览器最后一次收藏的网址是:[答案格式:https://baidu.com/acc/123412341234123/][★★★☆☆]
分析义言的手机检材,其所购买的公民信息数据,该数据提供者的手机号码是:[答案格式:13012341234][★☆☆☆☆]
接上题,卖家的收款地址:[答案格式:小写字母和数字][★☆☆☆☆]
接上题,购买上述公民信息,义言一共支付了多少钱:[答案格式:0.000123BTC][★☆☆☆☆]
交易hash:4630a72ad8e7339e553cdba67a1dc7d33716a1db0cf7b44ec281ae08ac6249f8
发送地址:bc1puq3evrtuaky9sk08sf5dnmjfx4yuwc5c63ylzy05jcc9nqx267aqcv7fjf
因为答案格式为精度到小数点后6位,所以把交易记录导出然后精确计算
接上题,该笔交易产生的手续费是多少:[答案格式:0.000123BTC][★★☆☆☆]
手续费链必追没法直接查高精度,直接拿交易哈希去官网浏览器查
0.000061
0.000061
总共0.000122BTC
总结
有两位蓝桥杯人才在,我躺的很舒服
如有纰漏,欢迎微信交流:WQZ1127786222
Galaxy#b3nguang
2024.5.12
