服务器取证

先对网站进行重构

[root@study ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
643626ab3d8b mattermost/mattermost-preview "/bin/sh -c ./docker…" 2 weeks ago Up 9 minutes 5432/tcp, 0.0.0.0:8065->8065/tcp, :::8065->8065/tcp mattermost-preview

image-20240511171137517

需要绕密,dockerhub找一下dockerfile

# Copyright (c) 2016-present Mattermost, Inc. All Rights Reserved.
# See License.txt for license information.
#
# Image definition recovered from Docker Hub for mattermost/mattermost-preview:
# one container that runs PostgreSQL (from the base image) and the Mattermost
# team server, both started by ./docker-entry.sh. Reproduced here as evidence;
# the annotations below are review notes, not changes to the artifact.
FROM postgres:12
# Base image pinned only by major tag, not by digest. The exact PostgreSQL build
# inside a container is visible in its environment (PG_VERSION), not here.

# apt-key is deprecated on current Debian releases, and the signing key is
# fetched from a keyserver at build time with no offline fingerprint check.
RUN apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 467B942D3A79BD29
RUN apt-get update && apt-get install -y ca-certificates

#
# Configure SQL
#

# Database credentials are baked into the image config as plain ENV values: they
# appear verbatim in `docker inspect` of every container started from this
# image, so anyone with access to the Docker socket or the on-disk container
# config can read them.
ENV POSTGRES_USER=mmuser
ENV POSTGRES_PASSWORD=mostest
ENV POSTGRES_DB=mattermost_test

#
# Configure Mattermost
#
WORKDIR /mm

# Copy over files
# Remote tarball added without a checksum; nothing verifies that the archive
# fetched at build time is the intended 9.7.1 release.
ADD https://releases.mattermost.com/9.7.1/mattermost-team-9.7.1-linux-amd64.tar.gz .
RUN tar -zxvf mattermost-team-*-linux-amd64.tar.gz
ADD config_docker.json ./mattermost/config/config_docker.json
ADD docker-entry.sh .

RUN chmod +x ./docker-entry.sh
# Shell form: PID 1 in the container is `/bin/sh -c ./docker-entry.sh`, which is
# why a running container reports Path "/bin/sh" with Args ["-c", "./docker-entry.sh"].
ENTRYPOINT ./docker-entry.sh

# Mattermost environment variables
ENV PATH="/mm/mattermost/bin:${PATH}"

# Create default storage directory
# Anonymous volume: uploaded files land on the host under
# /var/lib/docker/volumes/<volume-id>/_data (see the Mounts section of
# `docker inspect`), outside the container's writable layer.
RUN mkdir ./mattermost-data
VOLUME /mm/mattermost-data

# Ports
# Only 8065 is declared here. 5432/tcp also shows up as exposed on the running
# container — inherited from the postgres base image — but in the examined
# container it was not published to the host.
EXPOSE 8065
[root@study ~]# docker inspect 64
[
{
"Id": "643626ab3d8b5930412e228e024172af9808aa456d155044e9feeb2b97711526",
"Created": "2024-04-24T02:21:19.985981238Z",
"Path": "/bin/sh",
"Args": [
"-c",
"./docker-entry.sh"
],
"State": {
"Status": "running",
"Running": true,
"Paused": false,
"Restarting": false,
"OOMKilled": false,
"Dead": false,
"Pid": 2463,
"ExitCode": 0,
"Error": "",
"StartedAt": "2024-05-11T08:58:55.485926293Z",
"FinishedAt": "2024-04-26T03:00:09.909047728Z"
},
"Image": "sha256:5837cec062188c67f040bce24559c299a1745ccda8793ebe56b9e72e66c3b7ce",
"ResolvConfPath": "/var/lib/docker/containers/643626ab3d8b5930412e228e024172af9808aa456d155044e9feeb2b97711526/resolv.conf",
"HostnamePath": "/var/lib/docker/containers/643626ab3d8b5930412e228e024172af9808aa456d155044e9feeb2b97711526/hostname",
"HostsPath": "/var/lib/docker/containers/643626ab3d8b5930412e228e024172af9808aa456d155044e9feeb2b97711526/hosts",
"LogPath": "/var/lib/docker/containers/643626ab3d8b5930412e228e024172af9808aa456d155044e9feeb2b97711526/643626ab3d8b5930412e228e024172af9808aa456d155044e9feeb2b97711526-json.log",
"Name": "/mattermost-preview",
"RestartCount": 0,
"Driver": "overlay2",
"Platform": "linux",
"MountLabel": "",
"ProcessLabel": "",
"AppArmorProfile": "",
"ExecIDs": null,
"HostConfig": {
"Binds": null,
"ContainerIDFile": "",
"LogConfig": {
"Type": "json-file",
"Config": {}
},
"NetworkMode": "bridge",
"PortBindings": {
"8065/tcp": [
{
"HostIp": "",
"HostPort": "8065"
}
]
},
"RestartPolicy": {
"Name": "always",
"MaximumRetryCount": 0
},
"AutoRemove": false,
"VolumeDriver": "",
"VolumesFrom": null,
"ConsoleSize": [
50,
180
],
"CapAdd": null,
"CapDrop": null,
"CgroupnsMode": "host",
"Dns": [],
"DnsOptions": [],
"DnsSearch": [],
"ExtraHosts": null,
"GroupAdd": null,
"IpcMode": "private",
"Cgroup": "",
"Links": null,
"OomScoreAdj": 0,
"PidMode": "",
"Privileged": false,
"PublishAllPorts": false,
"ReadonlyRootfs": false,
"SecurityOpt": null,
"UTSMode": "",
"UsernsMode": "",
"ShmSize": 67108864,
"Runtime": "runc",
"Isolation": "",
"CpuShares": 0,
"Memory": 0,
"NanoCpus": 0,
"CgroupParent": "",
"BlkioWeight": 0,
"BlkioWeightDevice": [],
"BlkioDeviceReadBps": [],
"BlkioDeviceWriteBps": [],
"BlkioDeviceReadIOps": [],
"BlkioDeviceWriteIOps": [],
"CpuPeriod": 0,
"CpuQuota": 0,
"CpuRealtimePeriod": 0,
"CpuRealtimeRuntime": 0,
"CpusetCpus": "",
"CpusetMems": "",
"Devices": [],
"DeviceCgroupRules": null,
"DeviceRequests": null,
"MemoryReservation": 0,
"MemorySwap": 0,
"MemorySwappiness": null,
"OomKillDisable": false,
"PidsLimit": null,
"Ulimits": [],
"CpuCount": 0,
"CpuPercent": 0,
"IOMaximumIOps": 0,
"IOMaximumBandwidth": 0,
"MaskedPaths": [
"/proc/asound",
"/proc/acpi",
"/proc/kcore",
"/proc/keys",
"/proc/latency_stats",
"/proc/timer_list",
"/proc/timer_stats",
"/proc/sched_debug",
"/proc/scsi",
"/sys/firmware",
"/sys/devices/virtual/powercap"
],
"ReadonlyPaths": [
"/proc/bus",
"/proc/fs",
"/proc/irq",
"/proc/sys",
"/proc/sysrq-trigger"
]
},
"GraphDriver": {
"Data": {
"LowerDir": "/var/lib/docker/overlay2/71b9be5f1a80cd6fc1d90755adfd24feafdeef72868827c602da7e6269ba7357-init/diff:/var/lib/docker/overlay2/b12cb00e51f445afd8da7a70f32a1d5ecede54d6008650db22ef0d963e3b0750/diff:/var/lib/docker/overlay2/3ad290538d2e6e47048493bc73f18ac88ffa5e60b6690d70be9ba6d0ace4def0/diff:/var/lib/docker/overlay2/0f826b0d9a37938457854661a0f6dfff310a8b42b5309593bc3310453d301438/diff:/var/lib/docker/overlay2/13649905eef69084552c8ceeb5efa0e7d5dad075c2484cb6b35a57c1e1cc5f0a/diff:/var/lib/docker/overlay2/cb87a5a839d21f40d5872f078352c0bac1265926d07dd981a99afc48bd7ba2b9/diff:/var/lib/docker/overlay2/bc95db335b6262cfb52d350f32194d3bfad897674eff2a60217252357564b4e2/diff:/var/lib/docker/overlay2/a8429a37877ac7ba2f698642856d51cd904679ddcaaf9647d3a3c8a9b3dce797/diff:/var/lib/docker/overlay2/1c86ae8ef7388378ae91475a2db24910a0d889427f76a2272408e890b330d170/diff:/var/lib/docker/overlay2/d40a787f00c6e599e908c76d3d4e9e1406a4f7f40c02af78d6fa14d945862b2d/diff:/var/lib/docker/overlay2/e4fce9779794d80acb0d85325e129a218bd6c41c8cb71d238ef869ec173c0314/diff:/var/lib/docker/overlay2/6ce5159b8a30b86803f86daa0c3fd339aff6e115c896516a6197daea982ef6bf/diff:/var/lib/docker/overlay2/7463eecf1ff79567e61d119af16b6b1abb9de71001cdeb9bc7bd2593eae308d8/diff:/var/lib/docker/overlay2/2a1faa98aa8157720bf999caa5a5e42518b28531aefa0dbd12f178f674c96441/diff:/var/lib/docker/overlay2/ce745a21a53f7f5b1d6ed78056bb8330690e038a558bc8ce582ad60ab76b6b7c/diff:/var/lib/docker/overlay2/02985b05c68f2ac389bf285324b2a2ed838e31b05fd370469ecc9bb385cb0c60/diff:/var/lib/docker/overlay2/8f136f0c593d4b9d74d284bd258bc3261050575c6cf6dea63ebf56513c1996f7/diff:/var/lib/docker/overlay2/afbb37f8d7cab97b702d582bbea1fcf3b611f92f0807d7ea4a1d5d7dd66738d2/diff:/var/lib/docker/overlay2/b9ea5c12870589b8bacc2edf8f27c5126d782e766d1b114b422420051392ca3d/diff:/var/lib/docker/overlay2/2fe9c20c382a4c4288f42d7876a1e9b610b809ac9c7e711bf78fdea2c4191e73/diff:/var/lib/docker/overlay2/3fb2ba45147b305f4cb811660f44c514b96c7565039bc0b0b475ce89f
298aa5c/diff:/var/lib/docker/overlay2/63b8deae07e319a92b51ba7636506207ab299aeac6134f6dc4462e97f4d90bd6/diff:/var/lib/docker/overlay2/32df7c0b96e23cdeb134a1c1f6369afbdfaced9563c5dec05dba5722ccd70988/diff:/var/lib/docker/overlay2/7d8a3a4b10a26c7d31398139a71f00a7e48e3c266a79ceb04ce83be0a45ccea3/diff",
"MergedDir": "/var/lib/docker/overlay2/71b9be5f1a80cd6fc1d90755adfd24feafdeef72868827c602da7e6269ba7357/merged",
"UpperDir": "/var/lib/docker/overlay2/71b9be5f1a80cd6fc1d90755adfd24feafdeef72868827c602da7e6269ba7357/diff",
"WorkDir": "/var/lib/docker/overlay2/71b9be5f1a80cd6fc1d90755adfd24feafdeef72868827c602da7e6269ba7357/work"
},
"Name": "overlay2"
},
"Mounts": [
{
"Type": "volume",
"Name": "058817fe9d6fb657d5d572e35f3ef4509971821789934c4926d4243b10323388",
"Source": "/var/lib/docker/volumes/058817fe9d6fb657d5d572e35f3ef4509971821789934c4926d4243b10323388/_data",
"Destination": "/mm/mattermost-data",
"Driver": "local",
"Mode": "",
"RW": true,
"Propagation": ""
},
{
"Type": "volume",
"Name": "0191a7eb6e2b65e7261d97b3e3d27ddeced2907e44251e2cc012c09ccb1592f2",
"Source": "/var/lib/docker/volumes/0191a7eb6e2b65e7261d97b3e3d27ddeced2907e44251e2cc012c09ccb1592f2/_data",
"Destination": "/var/lib/postgresql/data",
"Driver": "local",
"Mode": "",
"RW": true,
"Propagation": ""
}
],
"Config": {
"Hostname": "643626ab3d8b",
"Domainname": "",
"User": "",
"AttachStdin": false,
"AttachStdout": false,
"AttachStderr": false,
"ExposedPorts": {
"5432/tcp": {},
"8065/tcp": {}
},
"Tty": false,
"OpenStdin": false,
"StdinOnce": false,
"Env": [
"PATH=/mm/mattermost/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/lib/postgresql/12/bin",
"GOSU_VERSION=1.17",
"LANG=en_US.utf8",
"PG_MAJOR=12",
"PG_VERSION=12.18-1.pgdg120+2",
"PGDATA=/var/lib/postgresql/data",
"POSTGRES_USER=mmuser",
"POSTGRES_PASSWORD=mostest",
"POSTGRES_DB=mattermost_test"
],
"Cmd": null,
"Image": "mattermost/mattermost-preview",
"Volumes": {
"/mm/mattermost-data": {},
"/var/lib/postgresql/data": {}
},
"WorkingDir": "/mm",
"Entrypoint": [
"/bin/sh",
"-c",
"./docker-entry.sh"
],
"OnBuild": null,
"Labels": {},
"StopSignal": "SIGINT"
},
"NetworkSettings": {
"Bridge": "",
"SandboxID": "65103f1a1a02027fd9580df1876f0fefef641296e363607fa43271d67fe30ca0",
"SandboxKey": "/var/run/docker/netns/65103f1a1a02",
"Ports": {
"5432/tcp": null,
"8065/tcp": [
{
"HostIp": "0.0.0.0",
"HostPort": "8065"
},
{
"HostIp": "::",
"HostPort": "8065"
}
]
},
"HairpinMode": false,
"LinkLocalIPv6Address": "",
"LinkLocalIPv6PrefixLen": 0,
"SecondaryIPAddresses": null,
"SecondaryIPv6Addresses": null,
"EndpointID": "5ab473e8313fe68acf442f4e44948ff480ae46322727789828668443d16c0ea4",
"Gateway": "172.17.0.1",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"IPAddress": "172.17.0.2",
"IPPrefixLen": 16,
"IPv6Gateway": "",
"MacAddress": "02:42:ac:11:00:02",
"Networks": {
"bridge": {
"IPAMConfig": null,
"Links": null,
"Aliases": null,
"MacAddress": "02:42:ac:11:00:02",
"NetworkID": "0ddfa819cbcdbceb6d20ee3efd7140bad6a138bf58404943deda3394867ba547",
"EndpointID": "5ab473e8313fe68acf442f4e44948ff480ae46322727789828668443d16c0ea4",
"Gateway": "172.17.0.1",
"IPAddress": "172.17.0.2",
"IPPrefixLen": 16,
"IPv6Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"DriverOpts": null,
"DNSNames": null
}
}
}
}
]

进数据库

image-20240511172423905

这似曾相识的密码,bcrypt

image-20240511172525643

image-20240511172715881

至此IM服务器重构成功,接着重构web服务器

image-20240511173122333

加个hosts直接访问

image-20240511173153380

但是数据库没东西,看后面题目知道做了备份

image-20240511173258813

[root@wns ~]# crontab -l
*/5 * * * * flock -xn /www/server/cron/e5b996fee678856191a1f336d0996b33.lock -c /www/server/cron/e5b996fee678856191a1f336d0996b33 >> /www/server/cron/e5b996fee678856191a1f336d0996b33.log 2>&1

0 0 * * 0 /root/backup.sh

/root/backup.sh

#!/bin/bash
# /root/backup.sh, recovered from the web server and run weekly from root's
# crontab ("0 0 * * 0"). It dumps the MySQL database "2828", encrypts the dump,
# deletes the plaintext and then DROPS the live database — consistent with the
# empty database found on the running site. Reproduced as evidence; the
# comments below are review annotations only.

# Database credentials hard-coded in a root-owned script; any reader of the
# file (or of the process list, see the -p$DB_PASSWORD arguments below) has them.
DB_USER="root"
DB_PASSWORD="root"
DB_NAME="2828"
BACKUP_PATH="/root/backup"

# Unchecked and unquoted cd: if the directory is missing the script keeps going
# in whatever directory cron started it in.
cd $BACKUP_PATH

DATE=$(date +%Y%m%d%H%M%S)

# Derives the backup password by AES-encrypting the database name under a fixed
# passphrase. "-salt" is followed by "-nosalt" and the later option wins, so
# there is no salt and the output is identical on every run — the 24-character
# base64 value (a single 16-byte block, no "Salted__" header) is reproducible
# by anyone who can read this script, which is exactly how the backup password
# was recovered. `echo -n` is bash behaviour; under a strict POSIX sh the "-n"
# would be encrypted too and the derived key would differ.
AES_PASS=$(echo -n "$DB_NAME" | openssl enc -aes-256-cbc -a -salt -pass pass:mysecretpassword -nosalt)

BACKUP_FILE_NAME="${DB_NAME}_${DATE}.sql"

# Password on the command line (-p$DB_PASSWORD) is visible in `ps`; unquoted
# expansions throughout.
mysqldump -u $DB_USER -p$DB_PASSWORD $DB_NAME > $BACKUP_FILE_NAME

# Despite the ".sql.gz" name the output is a DES3-encrypted, gzipped TAR stream:
# after `openssl des3 -d` and gunzip what remains is a tar archive holding the
# .sql file (a tar header precedes the "-- MySQL dump" banner), so `tar -xzf`
# on the decrypted file yields the clean dump.
File_Name="${DB_NAME}.sql.gz"

# Legacy des3 cipher, key again passed on argv via -k. No `set -e`/pipefail:
# a failed tar or openssl stage is not noticed before the destructive steps.
tar -czvf - $BACKUP_FILE_NAME | openssl des3 -salt -k $AES_PASS -out $File_Name

# Unquoted filename with rm -rf; the plaintext dump is removed unconditionally.
rm -rf $BACKUP_FILE_NAME

# Drops the live database right after the backup, with --force and without
# checking that the encrypted file was actually written — from here on the
# encrypted archive is the only copy of the data.
mysqladmin -u $DB_USER -p$DB_PASSWORD drop $DB_NAME --force

稍微修改一下

#!/bin/bash
# Author's modified copy of /root/backup.sh: the dump, encrypt, delete and drop
# steps are commented out and the derived password is printed instead, so
# running it has no side effects and only reproduces the backup password.

DB_USER="root"
DB_PASSWORD="root"
DB_NAME="2828"
BACKUP_PATH="/root/backup"

# Still unchecked and unquoted; harmless here because nothing below writes files.
cd $BACKUP_PATH

# DATE, BACKUP_FILE_NAME and File_Name are now unused; they are kept so this
# stays a minimal diff against the original script.
DATE=$(date +%Y%m%d%H%M%S)

# The trailing -nosalt overrides -salt, so for the fixed input "2828" and
# passphrase "mysecretpassword" the value is deterministic: it is the exact -k
# password the original script used to encrypt the backup.
AES_PASS=$(echo -n "$DB_NAME" | openssl enc -aes-256-cbc -a -salt -pass pass:mysecretpassword -nosalt)

# Prints the recovered password. The writeup runs this as `sh backup.sh`; that
# matches what cron produced (bash) only if sh treats `echo -n` the way bash does.
echo $AES_PASS

BACKUP_FILE_NAME="${DB_NAME}_${DATE}.sql"

#mysqldump -u $DB_USER -p$DB_PASSWORD $DB_NAME > $BACKUP_FILE_NAME

File_Name="${DB_NAME}.sql.gz"

#tar -czvf - $BACKUP_FILE_NAME | openssl des3 -salt -k $AES_PASS -out $File_Name

#rm -rf $BACKUP_FILE_NAME

#mysqladmin -u $DB_USER -p$DB_PASSWORD drop $DB_NAME --force
[root@wns backup]# openssl des3 -d -salt -k "IvPGP/8vfTLtzQfJTmQhYg==" -in 2828.sql.gz -out 2828_decrypted.sql.gz
[root@wns backup]# gunzip 2828_decrypted.sql.gz
[root@wns backup]# ls
2828_decrypted.sql 2828.sql.gz
[root@wns backup]# cat 2828_decrypted.sql | head -n 10
2828_20240427154000.sql0000644000000000000000216675436014613125726012403 0ustar rootroot-- MySQL dump 10.13 Distrib 5.7.40, for Linux (x86_64)
--
-- Host: localhost Database: 2828
-- ------------------------------------------------------
-- Server version 5.7.40-log

/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8 */;

image-20240511174638934

image-20240511180022950

常规后台绕密

image-20240511180102098

自己手动重定向一下

image-20240511180147116

这两个服务器都重构好了

分析内部IM服务器检材,在搭建的内部即时通讯平台中,客户端与服务器的通讯端口是:[答案格式:8888][★☆☆☆☆]

[root@study ~]# docker inspect 643626ab3d8b | grep -i port
"PortBindings": {
"HostPort": "8065"
"PublishAllPorts": false,
"ExposedPorts": {
"Ports": {
"HostPort": "8065"
"HostPort": "8065"

分析内部IM服务器检材,该内部IM平台使用的数据库版本是: [答案格式:12.34][★★☆☆☆]

[root@study ~]# docker inspect 643626ab3d8b | grep -i version
"GOSU_VERSION=1.17",
"PG_VERSION=12.18-1.pgdg120+2",

分析内部IM服务器检材,该内部IM平台中数据库的名称是:[答案格式:小写][★★☆☆☆]

[root@study ~]# docker inspect 643626ab3d8b | grep -i db
"BlkioDeviceReadBps": [],
"LowerDir": "/var/lib/docker/overlay2/71b9be5f1a80cd6fc1d90755adfd24feafdeef72868827c602da7e6269ba7357-init/diff:/var/lib/docker/overlay2/b12cb00e51f445afd8da7a70f32a1d5ecede54d6008650db22ef0d963e3b0750/diff:/var/lib/docker/overlay2/3ad290538d2e6e47048493bc73f18ac88ffa5e60b6690d70be9ba6d0ace4def0/diff:/var/lib/docker/overlay2/0f826b0d9a37938457854661a0f6dfff310a8b42b5309593bc3310453d301438/diff:/var/lib/docker/overlay2/13649905eef69084552c8ceeb5efa0e7d5dad075c2484cb6b35a57c1e1cc5f0a/diff:/var/lib/docker/overlay2/cb87a5a839d21f40d5872f078352c0bac1265926d07dd981a99afc48bd7ba2b9/diff:/var/lib/docker/overlay2/bc95db335b6262cfb52d350f32194d3bfad897674eff2a60217252357564b4e2/diff:/var/lib/docker/overlay2/a8429a37877ac7ba2f698642856d51cd904679ddcaaf9647d3a3c8a9b3dce797/diff:/var/lib/docker/overlay2/1c86ae8ef7388378ae91475a2db24910a0d889427f76a2272408e890b330d170/diff:/var/lib/docker/overlay2/d40a787f00c6e599e908c76d3d4e9e1406a4f7f40c02af78d6fa14d945862b2d/diff:/var/lib/docker/overlay2/e4fce9779794d80acb0d85325e129a218bd6c41c8cb71d238ef869ec173c0314/diff:/var/lib/docker/overlay2/6ce5159b8a30b86803f86daa0c3fd339aff6e115c896516a6197daea982ef6bf/diff:/var/lib/docker/overlay2/7463eecf1ff79567e61d119af16b6b1abb9de71001cdeb9bc7bd2593eae308d8/diff:/var/lib/docker/overlay2/2a1faa98aa8157720bf999caa5a5e42518b28531aefa0dbd12f178f674c96441/diff:/var/lib/docker/overlay2/ce745a21a53f7f5b1d6ed78056bb8330690e038a558bc8ce582ad60ab76b6b7c/diff:/var/lib/docker/overlay2/02985b05c68f2ac389bf285324b2a2ed838e31b05fd370469ecc9bb385cb0c60/diff:/var/lib/docker/overlay2/8f136f0c593d4b9d74d284bd258bc3261050575c6cf6dea63ebf56513c1996f7/diff:/var/lib/docker/overlay2/afbb37f8d7cab97b702d582bbea1fcf3b611f92f0807d7ea4a1d5d7dd66738d2/diff:/var/lib/docker/overlay2/b9ea5c12870589b8bacc2edf8f27c5126d782e766d1b114b422420051392ca3d/diff:/var/lib/docker/overlay2/2fe9c20c382a4c4288f42d7876a1e9b610b809ac9c7e711bf78fdea2c4191e73/diff:/var/lib/docker/overlay2/3fb2ba45147b305f4cb811660f44c514b96c7565039bc0b0b475ce89f
298aa5c/diff:/var/lib/docker/overlay2/63b8deae07e319a92b51ba7636506207ab299aeac6134f6dc4462e97f4d90bd6/diff:/var/lib/docker/overlay2/32df7c0b96e23cdeb134a1c1f6369afbdfaced9563c5dec05dba5722ccd70988/diff:/var/lib/docker/overlay2/7d8a3a4b10a26c7d31398139a71f00a7e48e3c266a79ceb04ce83be0a45ccea3/diff",
"POSTGRES_DB=mattermost_test"
"SandboxID": "65103f1a1a02027fd9580df1876f0fefef641296e363607fa43271d67fe30ca0",
"SandboxKey": "/var/run/docker/netns/65103f1a1a02",
"NetworkID": "0ddfa819cbcdbceb6d20ee3efd7140bad6a138bf58404943deda3394867ba547",

分析内部IM服务器检材,该内部IM平台中当前数据库一共有多少张表:[答案格式:1][★★☆☆☆]

image-20240511180454768

分析内部IM服务器检材,员工注册的邀请链接中,邀请码是:[答案格式:小写数字字母][★★★☆☆]

image-20240511180524871

分析内部IM服务器检材,用户yiyan一共给fujiya发送了几个视频文件:[答案格式:数字][★★★☆☆]

image-20240511180628537

分析内部IM服务器检材,用户yiyan在团队群组中发送的视频文件的MD5值是:[答案格式:小写][★★★☆☆]

image-20240511180652625

分析内部IM服务器检材,一个团队中允许的最大用户数是:[答案格式:数字][★★★★☆]

image-20240511180745975

分析内部IM服务器检材,黑客是什么时候开始攻击:[答案格式:2024-01-01-04-05][★★★☆☆]

image-20240511180953234

分析网站服务器检材,网站搭建使用的服务器管理软件当前版本是否支持32位系统:[答案格式:是/否][★☆☆☆☆]

[root@wns ~]# cat install.sh | grep 32位
Red_Error "抱歉, 当前面板版本不支持32位系统, 请使用64位系统或安装宝塔5.9!";
echo -e "宝塔面板不支持32位系统进行安装,请使用64位系统/服务器架构进行安装宝塔"

分析网站服务器检材,数据库备份的频率是一周多少次:[答案格式:1][★★☆☆☆]

[root@wns ~]# crontab -l
*/5 * * * * flock -xn /www/server/cron/e5b996fee678856191a1f336d0996b33.lock -c /www/server/cron/e5b996fee678856191a1f336d0996b33 >> /www/server/cron/e5b996fee678856191a1f336d0996b33.log 2>&1

0 0 * * 0 /root/backup.sh

分析网站服务器检材,数据库备份生成的文件的密码是:[答案格式:admin][★★☆☆☆]

[root@wns ~]# sh backup.sh 
IvPGP/8vfTLtzQfJTmQhYg==

分析网站服务器检材,网站前台首页的网站标题是:[答案格式:百度][★★★☆☆]

image-20240511181141684

分析网站服务器检材,受害人第一次成功登录网站的时间是:[答案格式:2024-01-01-04-05][★★★☆☆]

image-20240511181455658

分析网站服务器检材,前台页面中,港澳数字竞猜游戏中,进入贵宾厅最低点数是:[答案格式:1234][★★★☆☆]

找个用户,密码哈希替换一下

image-20240511181641470

分析网站服务器检材,受害人在平台一共盈利了多少钱:[答案格式:12][★★☆☆☆]

image-20240511181717479

分析网站服务器检材,网站根目录下,哪个路径存在漏洞:[答案格式:/Admin/User/register.php][★★★☆☆]

image-20240511181659150

image-20240511181932027

image-20240511222421241

image-20240511222234460

分析网站服务器检材,黑客通过哪个文件上传的木马文件:[答案格式:test.php][★☆☆☆☆]

image-20240511182254858

分析网站服务器检材,网站使用的数据库前缀是:[答案格式:test_][★☆☆☆☆]

image-20240511181810630

分析网站服务器检材,木马文件的密码是:[答案格式:123] [★☆☆☆☆]

d盾那里有

人工智能取证

本系列题需要bitlocker解开后才能作答

GPT-SoVITS整合包部署及使用教程 - 哔哩哔哩 (bilibili.com)

拿到后粗略看一眼,GPT是换声音的,Rope是换脸的,里面还有个secret是一个爆炸策划

软件里面有个encrypt.exe加密后的文件后面会带-cn

分析义言的计算机检材,一共训练了多少个声音模型:[答案格式:123][★★☆☆☆]

每一个点进去都是由train.log的

分析义言的计算机检材,声音模型voice2,一共训练了多少条声音素材:[答案格式:123][★★☆☆☆]

image-20240511182920360

分析义言的计算机检材,声音模型voice3,一共训练了多少轮:[答案格式:123][★★★☆☆]

image-20240511183021101

分析义言的计算机检材,声音克隆工具推理生成语音界面的监听端口是:[答案格式:1234][★★★★☆]

image-20240511183651954

分析义言的计算机检材,电脑中视频文件有几个被换过脸:[答案格式:10][★★★★★]

image-20240511135743950

分析义言的计算机检材,换脸AI程序默认换脸视频文件名是:[答案格式:test.mp4][★★☆☆☆]

image-20240511184135202

分析义言的计算机检材,换脸AI程序默认换脸图片的文件名称:[答案格式:abc.abc][★★☆☆☆]

image-20240511184118427

分析义言的计算机检材,换脸AI程序模型文件数量是多少个:[答案格式:10][★★☆☆☆]

image-20240511190107568

计算机取证

分析伏季雅的计算机检材,计算机最后一次错误登录时间是:[答案格式:2024-01-01-04-05-06][★☆☆☆☆]

image-20240511191623835

分析伏季雅的计算机检材,计算机中曾经浏览过的电影名字是:[答案格式:《奥本海默》] [★☆☆☆☆]

image-20240511191640833

分析伏季雅的计算机检材,计算机中团队内部即时通讯软件的最后一次打开的时间是:[答案格式:2024-01-01-04-05-06][★☆☆☆☆]

image-20240511191845112

分析伏季雅的计算机检材,计算机中有一款具备虚拟视频功能的软件,该软件合计播放了多少个视频:[答案格式:3][★☆☆☆☆]

image-20240511193055717

接上题,该软件的官网地址是:[答案格式:https://www.baidu.com][★☆☆☆☆]

接上题,该软件录制数据时,设置的帧率是:[答案格式:20][★☆☆☆☆]

image-20240511193307378

分析伏季雅的计算机检材,在团队内部使用的即时通讯软件中,其一共接收了多少条虚拟语音:[答案格式:2][★☆☆☆☆]

分析毛雪柳的计算机检材,计算机插入三星固态盘的时间是:[答案格式:2024-01-01-04-05-06][★☆☆☆☆]

image-20240511193354378

分析毛雪柳的计算机检材,计算机操作系统当前的Build版本是:[答案格式:17786][★☆☆☆☆]

image-20240511193410030

分析毛雪柳的计算机检材,团队内部使用的即时通讯软件在计算机上存储日志的文件名是:[答案格式:log.log,区分大小写][★☆☆☆☆]

image-20240511193455728

分析毛雪柳的计算机检材,伏季雅一月份实发工资的金额是:[答案格式:1234][★★★☆☆]

回收站里有一个密码一个账本,密码.doc是假的

输错两次后会提示梭哈,尝试了各种隐写之后发现……真正的密码在毛雪柳的手机的图片里

共有5个sheet

分析毛雪柳的计算机检材,该团伙三月份的盈余多少:[答案格式:1234][★★★☆☆]

分析义言的计算机检材,计算机连接过的三星移动硬盘T7的序列号是:[答案格式:大写字母和数字][★☆☆☆☆]

image-20240511193555567

分析义言的计算机检材,计算机的最后一次正常关机时间是:[答案格式:2024-01-01-04-05-06][★☆☆☆☆]

image-20240511193608567

分析义言的计算机检材,曾经使用工具连接过数据库,该数据库的密码是:[答案格式:admin][★☆☆☆☆]

image-20240511193659034

分析义言的计算机检材,计算机中安装的xshell软件的版本号是:[答案格式:Build-0000][★☆☆☆☆]

image-20240511193641822

分析义言的计算机检材,曾使用shell工具连接过服务器,该服务器root用户的密码是:[答案格式:admin][★★★☆☆]

image-20240511193621957

还有一种手工方法

FinalShell默认配置文件地址:

%userprofile%\AppData\Local\finalshell\conn\xxx.json

工具下载地址:https://github.com/passer-W/FinalShell-Decoder

分析义言的计算机检材,计算机曾接收到一封钓鱼邮件,该邮件发件人是:[答案格式: abc@abc.abc][★★☆☆☆]

image-20240511194112996

接上题,钓鱼邮件中附件的大小是多少MB:[答案格式:12.3][★★☆☆☆]

image-20240511194122991

接上题,上述附件解压运行后,文件的释放位置是:[答案格式:D:\Download\test][★★☆☆☆]

image-20240511194446050

接上题,恶意木马文件的MD5 值是:[答案格式:小写][★★☆☆☆]

image-20240511194454694

接上题,恶意木马文件的回连IP地址是:[答案格式:127.0.0.1][★★☆☆☆]

image-20240511194535458

分析伏季雅的计算机检材,计算机中团队内部即时通讯软件的最后一次打开的时间是:[答案格式:2024-01-01-04-05-06][★☆☆☆☆]

image-20240511200205735

分析义言的计算机检材,计算机中保存的有隐写痕迹的文件名:[答案格式:abc.abc][★★★☆☆]

bitlocker解开后重新跑一次取证

分析义言的计算机检材,保存容器密码的文件大小是多少字节:[答案格式:123][★★★☆☆]

回收站有个lsb隐写工具

在本地测试后隐写后的图片会变成bmp格式

提取

火眼爆搜bmp格式,从大往下,有几个感觉比较可疑

导出后解密

解密vc

里面都是encrypt.exe里加密过的

答案

分析义言的计算机内存检材,该内存镜像制作时间(UTC+8)是:[答案格式:2024-01-01-04-05][★★☆☆☆]

image-20240511195629889

分析义言的计算机内存检材,navicat.exe的进程ID是:[答案格式:123][★★☆☆☆]

image-20240511195913428

IPA取证

分析毛雪柳的手机检材,记账APP存储记账信息的数据库文件名称是:[答案格式:tmp.db,区分大小写][★★★★☆]

image-20240511231839941

分析毛雪柳的手机检材,记账APP中,2月份总收入金额是多少:[答案格式:1234][★★★★★]

这个文件需要用realm studio打开

image-20240511231849449

image-20240511235121883

分析毛雪柳的手机检材,手机中团队内部使用的即时通讯软件中,团队老板的邮箱账号是:[答案格式:abc@abc.com][★★★☆☆]

服务器顺下来就知道,也不用看数据库

gxyt@163.com

接上题,该内部即时通讯软件中,毛雪柳和老板的私聊频道中,老板加入私聊频道的时间是:[答案格式:2024-01-01-04-05-06][★★★☆☆]

image-20240511231954772

image-20240511232002440

image-20240511232011325

接上题,该私聊频道中,老板最后一次发送聊天内容的时间是:[答案格式:2024-01-01-04-05-06][★★★☆☆]

image-20240511232016686

image-20240511232024459

APK取证

分析伏季雅的手机检材,手机中诈骗APP的包名是:[答案格式:abc.abc.abc,区分大小写][★☆☆☆☆]

image-20240511214301221

分析伏季雅的手机检材,手机中诈骗APP连接的服务器地址是:[答案格式:127.0.0.1][★☆☆☆☆]

别的忽略,那些是我们校园网的包

image-20240511215524922

分析伏季雅的手机检材,手机中诈骗APP的打包ID是:[答案格式:_abc_abc.abc,区分大小写][★☆☆☆☆]

image-20240511214348411

分析伏季雅的手机检材,手机中诈骗APP的主启动项是:[答案格式:abc.abc.abc,区分大小写][★☆☆☆☆]

image-20240511220055961

分析义言的手机检材,分析团队内部使用的即时通讯软件,该软件连接服务器的地址是:[答案格式:127.0.0.1][★★☆☆☆]

IM服务器的ip地址:192.168.137.97

接上题,该软件存储聊天信息的数据库文件名称是:[答案格式:abc.abc,区分大小写][★★☆☆☆]

image-20240511232046993

接上题,该即时通讯软件中,团队内部沟通群中,一共有多少个用户:[答案格式:1][★★☆☆☆]

image-20240511232100958

接上题,该即时通讯应用的版本号是:[答案格式:1.1.1][★★☆☆☆]

image-20240511232106702

接上题,该即时通讯应用中,团队内部沟通中曾发送了一个视频文件,该视频文件发送者的用户名是:[答案格式:abc][★★★★☆]

yiyan

file表格里面,每个文件都有对应的发送id

image-20240511235707358

带着post_id到post表里面去查,找到对应消息记录的user_id

image-20240511235709576

带着user_id去user表里面去查,得到username

image-20240511235711907

接上题,分析该即时通讯的聊天记录,团队购买了一个高性能显卡,该显卡的显存大小是:[答案格式:20G][★★☆☆☆]

image-20240511232135086

image-20240511235734356

分析义言的手机检材,手机中装有一个具备隐藏功能的APP,该APP启动设置了密码,设置的密码长度是多少位:[答案格式:5][★★★★☆]

这边是搜包名的时候运气好碰到老外的分析记录,直接把其成果拿来用了

image-20240511235742433

https://theincidentalchewtoy.wordpress.com/2021/12/07/decrypting-the-calculator-apps/

image-20240511235749121

实际上有更明了的做法——直接hook安卓加密库,然后就能发现几乎所有的字符串都是使用AES(而且是使用同一个密钥和iv解的)

image-20240511235759686

image-20240511235826624

image-20240511235831746

除此之外,hook文件操作方法,还有大量对/data/user/0/com.hld.anzenbokusufake/shared_prefs/share_privacy_safe.xml的写入操作

img

所以可以定位到share_privacy_safe.xml这个文件,把里面的字符串进行解密即可

img

img

接上题,分析上述隐藏功能的APP,一共隐藏了多少个应用:[答案格式:1][★★★★☆]

这里是文章里面没有的。静态分析因为强混淆所以不是很好搞,这里继续hook文件操作方法,随便加密几个文件之后就能hook到写出文件的路径了——/storage/emulated/0/.privacy_safe

image-20240511235846312

image-20240511235851571

接上题,分析上述隐藏功能的APP,该APP一共加密了多少个文件:[答案格式:][★★★★☆]

数据库是加密的,需要使用DB Browser for SQLCipher.exe加上密码Rny48Ni8aPjYCnUI去打开这个db文件

image-20240511235857262

image-20240511235902805

接上题,分析上述隐藏功能的APP,该APP加密了一份含有公民隐私信息的文件,该文件的原始名称是:[答案格式:abc.txt][★★★★☆]

公民信息.xlsx

分析义言的手机检材,马伟的手机号码是:[答案格式:13012341234][★★★★☆]

解密也是使用Rny48Ni8aPjYCnUI加上AES算法即可

image-20240511232359767

分析义言的手机检材,手机中存有一个BitLocker恢复密钥文件,文件已被加密,原始文件的MD5值是:[答案格式:小写字母和数字][★★★★☆]

image-20240511232407380

解出来的结果里是gb2312编码存储的bitlocker文件

image-20240511232434948

手机取证

分析伏季雅的手机检材,手机的安卓ID是:[答案格式:小写字母和数字][★☆☆☆☆]

image-20240511202355780

分析伏季雅的手机检材,手机型号是:[答案格式:HUAWEI-FL56T][★☆☆☆☆]

image-20240511202406535

分析伏季雅的手机检材,其和受害人视频通话的时间是:[答案格式:2024-01-01-04-05][★☆☆☆☆]

image-20240511202457487

分析伏季雅的手机检材,手机中安装了一款记账APP,该记账APP存储记账信息的数据库名称是:[答案格式:abcabc,区分大小写][★☆☆☆☆]

image-20240511210724611

image-20240511210739912

\嫌疑人\伏季雅\手机\Samsung\data\data\com.bookmark.money\databases\MoneyLoverS2

接上题,该记账APP登录的邮箱账号是:[答案格式:abc@abc.com][★★★☆☆]

image-20240511213729441

接上题,该记账APP中记录的所有收入金额合计是:[答案格式:1234][★★★☆☆]

-- Sum of every income transaction: each row of "transactions" joined to its
-- category, keeping only categories of type 1 (the page's queries use
-- cat_type 1 for income and 2 for expense). Same join condition as the
-- implicit-join form, written as an explicit INNER JOIN.
SELECT SUM(t.amount)
FROM "transactions" AS t
INNER JOIN categories AS c
  ON c.cat_id = t.cat_id
WHERE c.cat_type = 1;

image-20240511213919495

接上题,分析该记账APP中的消费记录,统计从2022-3-1(含)到2023-12-1(含)期间,用于交通的支出费用合计是:[答案格式:1234][★★★☆☆]

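-- Transport expenses between 2022-03-01 and 2023-12-01, both ends inclusive.
-- cat_type 2 = expense and cat_id 19 = the transport category in this
-- particular database; both values are instance-specific and were read off
-- the evidence DB, not from the app's schema.
--
-- The upper bound is written as "< the next day" instead of "<= '2023-12-01'":
-- if created_date carries a time component ('2023-12-01 09:30:00'), a text
-- comparison against '2023-12-01' would exclude every transaction on the last
-- day, which the question counts as included (含). For date-only values the
-- two forms are identical.
-- COALESCE turns the NULL that SUM returns on an empty match into 0.
SELECT COALESCE(SUM(t.amount), 0)
FROM "transactions" AS t
INNER JOIN categories AS c
  ON c.cat_id = t.cat_id
WHERE c.cat_type = 2
  AND c.cat_id = 19
  AND t.created_date >= '2022-03-01'
  AND t.created_date < '2023-12-02';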

image-20240511213956667

分析毛雪柳的手机检材,手机中有一个记账APP,该APP的应用名称是:[答案格式:Telegram,区分大小写][★☆☆☆☆]

image-20240511210536493

image-20240511210548922

分析义言的手机检材,手机中登录的谷歌邮箱账号是:[答案格式:abc@gmail.com][★★☆☆☆]

image-20240511210300301

分析义言的手机检材,手机的MTP序列号是:[答案格式:大写字母和数字][★★☆☆☆]

image-20240511210241953

分析义言的手机检材,除系统自带的浏览器外,手机中安装了一款第三方浏览器,该浏览器的应用名称是:[答案格式:百度浏览器][★★☆☆☆]

image-20240511204227289

接上题,上述浏览器最后一次搜索的关键字是:[答案格式:百度][★★☆☆☆]

见上

接上题,该浏览器最后一次收藏的网址是:[答案格式:https://baidu.com/acc/123412341234123/][★★★☆☆]

image-20240511204316450

分析义言的手机检材,其所购买的公民信息数据,该数据提供者的手机号码是:[答案格式:13012341234][★☆☆☆☆]

image-20240511204709455

接上题,卖家的收款地址:[答案格式:小写字母和数字][★☆☆☆☆]

image-20240511230643890

接上题,购买上述公民信息,义言一共支付了多少钱:[答案格式:0.000123BTC][★☆☆☆☆]

交易hash:4630a72ad8e7339e553cdba67a1dc7d33716a1db0cf7b44ec281ae08ac6249f8

发送地址:bc1puq3evrtuaky9sk08sf5dnmjfx4yuwc5c63ylzy05jcc9nqx267aqcv7fjf

image-20240511232523763

image-20240511232531322

因为答案格式为精度到小数点后6位,所以把交易记录导出然后精确计算

image-20240511232544456

接上题,该笔交易产生的手续费是多少:[答案格式:0.000123BTC][★★☆☆☆]

手续费链必追没法直接查高精度,直接拿交易哈希去官网浏览器查

0.000061

image-20240511232601588

0.000061

image-20240511232613503

总共0.000122BTC

总结

有两位蓝桥杯人才在,我躺的很舒服

f6173d87402082f0943db5c22c820249

如有纰漏,欢迎微信交流:WQZ1127786222

Galaxy#b3nguang

2024.5.12