<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
<title>r1ng_13🥝</title>
<link href="https://blog.r1ng13.top/atom.xml" rel="self"/>
<link href="https://blog.r1ng13.top/"/>
<updated>2023-08-16T14:19:00.000Z</updated>
<id>https://blog.r1ng13.top/</id>
<author>
<name>r1ng_13🥝</name>
</author>
<generator uri="https://hexo.io/">Hexo</generator>
<entry>
<title>Sorting notes (to be updated)</title>
<link href="https://blog.r1ng13.top/posts/d9d41353.html"/>
<id>https://blog.r1ng13.top/posts/d9d41353.html</id>
<published>2023-08-16T14:19:03.000Z</published>
<updated>2023-08-16T14:19:00.000Z</updated>
<content type="html"><![CDATA[<h1 id="排序的基本概念"><a href="#排序的基本概念" class="headerlink" title="排序的基本概念"></a>Basic concepts of sorting</h1><h2 id="概念"><a href="#概念" class="headerlink" title="概念"></a>Concept</h2><ul><li><strong>Sorting:</strong> arranging the elements in increasing or decreasing order of their keys.</li></ul><h2 id="评估标准"><a href="#评估标准" class="headerlink" title="评估标准"></a>Evaluation criteria</h2><ul><li><strong>Stability:</strong> a sort is stable if records with equal keys keep their original relative order after sorting.</li><li>Time complexity and space complexity.</li></ul><h2 id="分类"><a href="#分类" class="headerlink" title="分类"></a>Classification</h2><ul><li>External sorting: the data set is too large to be loaded into memory at once, so the sort has to use external storage. External sorting therefore needs repeated reads and writes of external storage, and its <strong>I/O cost is high</strong>. Common external sorting algorithms are <strong>multiway merge sort</strong> and <strong>replacement selection</strong>.</li><li>Internal sorting: the sort is done entirely in memory, assuming the whole data set fits. Common internal sorting algorithms are <strong>quicksort, heapsort and merge sort</strong>.</li></ul><h1 id="插入排序"><a href="#插入排序" class="headerlink" title="插入排序"></a>Insertion sort</h1><h2 id="直接插入排序"><a href="#直接插入排序" class="headerlink" title="直接插入排序"></a>Direct insertion sort</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Insertion sort takes each record to be sorted and inserts it, by key, into the already sorted subsequence in front of it, until every record has been inserted.</span><br></pre></td></tr></table></figure><ul><li>Best-case time complexity is O(n), when the sequence is already in order.</li><li>Worst-case time complexity is O(n²), when the sequence is in reverse order.</li><li>Average time complexity is O(n²).</li><li>Space complexity is O(1).</li><li>Direct insertion sort is a <strong>stable algorithm</strong>.</li><li><strong>Note:</strong> insertion sort on a linked list is still O(n²), because the number of comparisons stays on the order of n². What a linked list saves is element movement: only pointers are changed.</li></ul><h2 id="折半插入排序"><a href="#折半插入排序" class="headerlink" title="折半插入排序"></a>Binary insertion sort</h2><ul><li>First locate the insertion position with a binary search.</li><li>Then move elements: when low>high, shift every element in [low, i-1] one position to the right and put the element held in the sentinel into the freed slot.</li><li>Binary insertion sort is a <strong>stable sorting algorithm</strong>, provided the search continues to the right of equal keys.</li><li>The time complexity is still O(n²): the binary search reduces only the comparisons, the number of moves is unchanged.</li></ul><h2 id="希尔排序(缩小增量排序"><a href="#希尔排序(缩小增量排序" class="headerlink" title="希尔排序(缩小增量排序)"></a>Shell sort (diminishing increment sort)</h2><ul><li>Each pass halves the increment until it reaches 1.</li><li>The final pass, with increment 1, is a direct insertion sort over the whole sequence.</li><li>Space complexity is O(1).</li><li>There is no closed-form analysis of its exact time complexity; it depends on the increment sequence.</li><li>With the halving increments used here the worst-case time complexity is O(n²).</li><li><strong>Only suitable for sequential lists, not linked lists</strong>, because it needs random access at a stride.</li><li><strong>Note:</strong> Shell sort is <strong>not a stable sorting algorithm</strong>: equal keys in different increment groups can cross each other.</li></ul><h1 id="冒泡排序"><a href="#冒泡排序" class="headerlink" title="冒泡排序"></a>Bubble sort</h1><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Bubble sort scans from the back to the front; whenever an element is smaller than the one before it, the two are swapped. Each pass therefore floats the smallest of the remaining unsorted elements to the front of them.</span><br></pre></td></tr></table></figure><ul><li>Space complexity is O(1).</li><li>Best-case time complexity is O(n): on an already sorted sequence the first pass makes no swap, and the sort stops.</li><li>Worst-case time complexity is O(n²).</li><li>Bubble sort is a <strong>stable sorting algorithm</strong>, because only strictly out-of-order neighbours are swapped.</li><li>Bubble sort works on both sequential lists (scanning back to front) and linked lists (scanning front to back).</li></ul><h1 id="题目总结"><a href="#题目总结" class="headerlink" title="题目总结"></a>Problem summary</h1><h2 id="8-2-4"><a href="#8-2-4" class="headerlink" title="8.2.4"></a>8.2.4</h2><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230816223000271.png" alt="image-20230816223000271" style="zoom:200%;" /></p><p><strong>Solution:</strong><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/847D40F120BDCEECE627D1301553F829.jpg" alt="847D40F120BDCEECE627D1301553F829"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230816223156889.png" alt="image-20230816223156889" style="zoom:200%;" /></p><p><strong>Solution:</strong> after each pass of Shell sort the elements of every increment group are in order within the group, so in this problem the first increment was 5 and the second was 3.</p>]]></content>
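The four sorts above, as an added example that is not code from the notes: direct insertion, binary insertion, Shell sort with the halving increments described, and back-to-front bubble sort, run on constructed (key, tag) records. The tags make stability observable: Shell sort lets the two records with key 1 cross, the other three keep them in place. Each function also returns its comparison count, which shows the O(n) best case of insertion and bubble sort on already sorted input and the O(n²) worst case of insertion sort on reversed input.

```python
"""Insertion, binary insertion, Shell and bubble sort on (key, tag) records.

Every sort returns (sorted_list, comparisons) so that stability and the
best/worst-case comparison counts from the notes can be checked directly.
"""
from typing import Callable, List, Tuple

Record = Tuple[int, str]                      # (key, tag); the tag identifies equal keys
key_of: Callable[[Record], int] = lambda r: r[0]


def insertion_sort(seq: List[Record]) -> Tuple[List[Record], int]:
    """Direct insertion sort. Stable: a record only moves past strictly larger keys."""
    a, cmps = list(seq), 0
    for i in range(1, len(a)):
        cur, j = a[i], i - 1
        while j >= 0:
            cmps += 1
            if key_of(a[j]) <= key_of(cur):   # equal key: stop here, order preserved
                break
            a[j + 1] = a[j]                   # shift the larger record right
            j -= 1
        a[j + 1] = cur
    return a, cmps


def binary_insertion_sort(seq: List[Record]) -> Tuple[List[Record], int]:
    """Binary insertion sort: find the slot by binary search, then shift [low, i-1].
    Searching for the slot *after* the last equal key keeps the sort stable."""
    a, cmps = list(seq), 0
    for i in range(1, len(a)):
        cur, low, high = a[i], 0, i - 1
        while low <= high:
            mid = (low + high) // 2
            cmps += 1
            if key_of(a[mid]) > key_of(cur):
                high = mid - 1
            else:
                low = mid + 1
        a[low + 1:i + 1] = a[low:i]           # one right shift of [low, i-1]
        a[low] = cur
    return a, cmps


def shell_sort(seq: List[Record]) -> Tuple[List[Record], int]:
    """Shell sort with increments n//2, n//4, ..., 1; the last pass is a plain
    insertion sort. Not stable: equal keys in different groups can cross."""
    a, cmps, gap = list(seq), 0, len(seq) // 2
    while gap > 0:
        for i in range(gap, len(a)):          # insertion sort within each gap group
            cur, j = a[i], i
            while j >= gap:
                cmps += 1
                if key_of(a[j - gap]) <= key_of(cur):
                    break
                a[j] = a[j - gap]
                j -= gap
            a[j] = cur
        gap //= 2
    return a, cmps


def bubble_sort(seq: List[Record]) -> Tuple[List[Record], int]:
    """Bubble sort as in the notes: scan from the back, swap adjacent out-of-order
    pairs, so each pass floats the smallest remaining key to the front. Stable
    (strict comparison) and O(n) on sorted input thanks to the early exit."""
    a, cmps, n = list(seq), 0, len(seq)
    for i in range(n - 1):
        swapped = False
        for j in range(n - 1, i, -1):
            cmps += 1
            if key_of(a[j]) < key_of(a[j - 1]):
                a[j], a[j - 1] = a[j - 1], a[j]
                swapped = True
        if not swapped:                       # a pass without swaps: already sorted
            break
    return a, cmps


def is_stable(original: List[Record], result: List[Record]) -> bool:
    """True if every group of equal keys keeps its original relative order."""
    for k in {key_of(r) for r in original}:
        if [r for r in original if key_of(r) == k] != [r for r in result if key_of(r) == k]:
            return False
    return True


def tags(records: List[Record]) -> List[str]:
    return [t for _, t in records]


# Constructed input: two pairs of equal keys; the tags record the original order.
RECORDS: List[Record] = [(1, "a"), (1, "b"), (0, "c"), (2, "d"), (2, "e")]

if __name__ == "__main__":
    for sort in (insertion_sort, binary_insertion_sort, shell_sort, bubble_sort):
        out, n = sort(RECORDS)
        print(f"{sort.__name__:22} {tags(out)} comparisons={n} stable={is_stable(RECORDS, out)}")
```

Running it prints the tag order for each sort; only `shell_sort` reports `stable=False`, because in the gap-2 pass the record `(0, "c")` jumps over `(1, "a")` but not over `(1, "b")`, leaving `b` in front of `a` for the final insertion pass to preserve.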
<summary type="html">🥧This post is a summary of sorting notes (to be updated).</summary>
<category term="考研" scheme="https://blog.r1ng13.top/categories/%E8%80%83%E7%A0%94/"/>
<category term="数据结构" scheme="https://blog.r1ng13.top/tags/%E6%95%B0%E6%8D%AE%E7%BB%93%E6%9E%84/"/>
<category term="考研" scheme="https://blog.r1ng13.top/tags/%E8%80%83%E7%A0%94/"/>
</entry>
<entry>
<title>Searching notes (to be updated)</title>
<link href="https://blog.r1ng13.top/posts/386de93e.html"/>
<id>https://blog.r1ng13.top/posts/386de93e.html</id>
<published>2023-08-10T14:19:03.000Z</published>
<updated>2023-08-10T14:19:00.000Z</updated>
<content type="html"><![CDATA[<h1 id="基本概念"><a href="#基本概念" class="headerlink" title="基本概念"></a>Basic concepts</h1><ul><li>Searching is the process of finding, in a collection of data, the elements that satisfy some condition.</li><li>Search table: the collection of data being searched.</li><li>Key: a value in a data element that uniquely identifies it.</li><li>Average search length (ASL): the expected number of key comparisons over all searches; the ASL reflects the time complexity of a search algorithm.</li></ul><h1 id="顺序查找"><a href="#顺序查找" class="headerlink" title="顺序查找"></a>Sequential search</h1><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Scan the table from the first element to the last, comparing each key.</span><br></pre></td></tr></table></figure><ul><li>Works on sequential lists and linked lists; whether the elements are ordered does not matter.</li><li>However sequential search is optimised, its time complexity stays O(n).</li><li>The average search length for a successful search is (n+1)/2.</li></ul><h1 id="二分查找(折半查找)"><a href="#二分查找(折半查找)" class="headerlink" title="二分查找(折半查找)"></a>Binary search</h1><ul><li><strong>The table must be an ordered sequential list.</strong></li><li>Only suitable for sequential storage, because it needs random access to the middle element.</li><li>The time complexity of binary search is <strong>O(log2 n)</strong>.</li><li>The height of the binary search decision tree is ⌈log2(n+1)⌉.</li><li>The average search length for a successful search is approximately <strong>log2(n+1)-1</strong> (exact for n = 2^k-1 up to the factor (n+1)/n).</li></ul><h2 id="核心代码"><a href="#核心代码" class="headerlink" title="核心代码"></a>Core code</h2><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">// Core binary search: L must be sorted in ascending order</span></span><br><span class="line"><span class="type">int</span> <span class="title function_">Binary_Search</span><span class="params">(SeqList L, Elemtype key)</span></span><br><span class="line">{</span><br><span class="line">    <span class="type">int</span> low = <span class="number">0</span>, high = L.length - <span class="number">1</span>, mid;</span><br><span class="line">    <span class="keyword">while</span> (low <= high)              <span class="comment">// compare the indices, not the key with high</span></span><br><span class="line">    {</span><br><span class="line">        mid = (low + high) / <span class="number">2</span>;</span><br><span class="line">        <span class="keyword">if</span> (L.elem[mid] == key)        <span class="comment">// compare the element at mid, not mid itself</span></span><br><span class="line">            <span class="keyword">return</span> mid;</span><br><span class="line">        <span class="keyword">else</span> <span class="keyword">if</span> (L.elem[mid] > key)</span><br><span class="line">            high = mid - <span class="number">1</span>;            <span class="comment">// continue in the left half</span></span><br><span class="line">        <span class="keyword">else</span></span><br><span class="line">            low = mid + <span class="number">1</span>;             <span class="comment">// continue in the right half</span></span><br><span class="line">    }</span><br><span class="line">    <span class="keyword">return</span> -<span class="number">1</span>;                     <span class="comment">// key is not in the table</span></span><br><span class="line">}</span><br></pre></td></tr></table></figure><h1 id="分块查找(索引顺序查找)"><a href="#分块查找(索引顺序查找)" class="headerlink" title="分块查找(索引顺序查找)"></a>Block search (index sequential search)</h1><ul><li>Elements are unordered within a block but ordered between blocks.</li><li>The index table records the maximum key of each block.</li></ul><h1 id="二叉排序树"><a href="#二叉排序树" class="headerlink" title="二叉排序树"></a>Binary sort tree</h1><p>A binary sort tree is also called a binary search tree (BST).</p><ul><li>Every key in the left subtree is smaller than the root key, and every key in the right subtree is larger.</li><li>An in-order traversal (left, root, right) yields the keys in increasing order.</li></ul><h2 id="二叉排序树的实现"><a href="#二叉排序树的实现" class="headerlink" title="二叉排序树的实现"></a>Implementation of a BST</h2><ul><li>Searching iteratively, the worst-case space complexity is O(1).</li><li>Searching recursively, the worst-case space complexity is O(n), because the recursion depth equals the tree height, which can reach n.</li></ul><h2 id="二叉排序树的插入"><a href="#二叉排序树的插入" class="headerlink" title="二叉排序树的插入"></a>Insertion into a BST</h2><ul><li>A newly inserted node is always a leaf.</li><li>Duplicate keys are not allowed: if the key is already in the tree, the insertion fails.</li></ul><h2 id="二叉排序树的删除"><a href="#二叉排序树的删除" class="headerlink" title="二叉排序树的删除"></a>Deletion from a BST</h2><figure class="highlight"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">After deleting a node, the result must still be a binary sort tree.</span><br></pre></td></tr></table></figure><ul><li>If the deleted node is a leaf, remove it directly; the BST property is not affected.</li><li>If the deleted node has only a left child or only a right child, let that child take its place.</li><li>If the deleted node has both a left and a right subtree, replace it with its in-order successor (or in-order predecessor) and then delete that node from its subtree, so that the BST property is preserved. (<strong>Note:</strong> successor and predecessor are defined by the in-order traversal.)</li></ul><h2 id="二叉排序树的查找效率"><a href="#二叉排序树的查找效率" class="headerlink" title="二叉排序树的查找效率"></a>Search efficiency of a BST</h2><ul><li>Worst case: every node has only one branch, the height h equals the number of nodes n, and the average search length is O(n).</li><li>On average the search length is <strong>O(log2 n)</strong>.</li><li>The minimum height of a tree with n nodes is ⌊log2 n⌋+1.</li><li>The ideal depth of a BST with n nodes is ⌈log2(n+1)⌉ (the same value written differently).</li><li>Searching a BST with n nodes takes at most n comparisons (note: a BST, not a balanced binary tree).</li></ul><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230810195638522.png" alt="image-20230810195638522"></p><h1 id="平衡二叉树"><a href="#平衡二叉树" class="headerlink" title="平衡二叉树"></a>Balanced binary tree</h1><figure class="highlight"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">A balanced binary tree (AVL tree), or balanced tree for short, is a BST in which the heights of the left and right subtrees of every node differ by at most 1.</span><br></pre></td></tr></table></figure><ul><li>Balance factor of a node = height of its left subtree - height of its right subtree.</li><li>In a balanced binary tree the balance factor can only be -1, 0 or 1.</li><li>Once some balance factor has absolute value greater than 1, the tree is no longer balanced.</li></ul><h2 id="平衡二叉树的插入"><a href="#平衡二叉树的插入" class="headerlink" title="平衡二叉树的插入"></a>Insertion into a balanced binary tree</h2><p><strong>Note:</strong> the subtree adjusted each time is the "minimal unbalanced subtree": the subtree rooted at the deepest node whose balance factor has absolute value greater than 1.</p><ul><li><p>LL (right rotation): a new node inserted in the left subtree of A's left child made A unbalanced. Rotate A's left child B up to the right: B becomes the root, A becomes B's right child, BL stays where it is and BR becomes A's left subtree. (<strong>The pivot is the left child of the root of the minimal unbalanced subtree.</strong>)</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230810210944608.png" alt="image-20230810210944608"></p></li><li><p>RR (left rotation): a new node was inserted in the right subtree of A's right child. Rotate A's right child B up to the left: B becomes the root, A becomes B's left child, and the remaining subtrees are reattached according to the BST property. (<strong>The pivot is the right child of the root of the minimal unbalanced subtree.</strong>)</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230810211430960.png" alt="image-20230810211430960"></p></li><li><p>LR (left rotation, then right rotation): a new node inserted in the right subtree of the left child of the root made the tree unbalanced. First rotate C up to the left so that B becomes C's left child, then rotate C up to the right: C becomes the root of the subtree and A becomes C's right child; the remaining subtrees are reattached according to the BST property. (<strong>The pivot is the right child of the left subtree of the root of the minimal unbalanced subtree.</strong>)</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230810212121795.png" alt="image-20230810212121795"></p></li><li><p>RL (right rotation, then left rotation): a new node inserted in the left subtree of the right child of the root made the tree unbalanced. First rotate C up to the right so that B becomes C's right child, then rotate C up to the left: C becomes the root of the subtree and A becomes C's left child; the remaining subtrees are reattached according to the BST property. (<strong>The pivot is the left child of the right subtree of the root of the minimal unbalanced subtree.</strong>)</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230810212352805.png" alt="image-20230810212352805"></p></li></ul><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230810212448701.png" alt="image-20230810212448701"></p><p><strong>Note:</strong> during insertion, once the minimal unbalanced subtree has been rebalanced all of its ancestors are balanced again too, because the rotation restores that subtree to the height it had before the insertion.</p><h2 id="练习"><a href="#练习" class="headerlink" title="练习"></a>Exercises</h2><h3 id="RR型调整"><a href="#RR型调整" class="headerlink" title="RR型调整"></a>RR adjustment</h3><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230810221126409.png" alt="image-20230810221126409"></p><h3 id="LR型调整"><a href="#LR型调整" class="headerlink" title="LR型调整"></a>LR adjustment</h3><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230810221141000.png" alt="image-20230810221141000"></p><h3 id="RL型调整"><a href="#RL型调整" class="headerlink" title="RL型调整"></a>RL adjustment</h3><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230810221110628.png" alt="image-20230810221110628"></p><h1 id="散列查找"><a href="#散列查找" class="headerlink" title="散列查找"></a>Hash search</h1><h2 id="hash函数"><a href="#hash函数" class="headerlink" title="hash函数"></a>Hash function</h2><p>A hash function maps a key, by its value, to the address at which the corresponding record is stored.</p><p><strong>Note:</strong> hash search is the classic trade of space for time. As long as the hash function is reasonable, the longer the hash table, the lower the probability of a collision.</p><h2 id="冲突"><a href="#冲突" class="headerlink" title="冲突"></a>Collisions</h2><p>When two different keys hash to the same address, a collision occurs. Keys that collide are called <strong>synonyms</strong>.</p><h2 id="散列表"><a href="#散列表" class="headerlink" title="散列表"></a>Hash table</h2><p>With a good hash function and a bounded load factor, searching a hash table takes O(1) time on average; in the worst case, when all keys are synonyms, it degrades to O(n).</p><h2 id="直接定址法"><a href="#直接定址法" class="headerlink" title="直接定址法"></a>Direct addressing</h2><p>H(key)=key</p><h2 id="除留余数法"><a href="#除留余数法" class="headerlink" title="除留余数法"></a>Division method</h2><p>H(key)=key%p, where p is the largest prime not greater than the table length.</p><h2 id="平方取中法"><a href="#平方取中法" class="headerlink" title="平方取中法"></a>Mid-square method</h2><h2 id="数字分析法"><a href="#数字分析法" class="headerlink" title="数字分析法"></a>Digit analysis method</h2><h1 id="处理冲突的方法"><a href="#处理冲突的方法" class="headerlink" title="处理冲突的方法"></a>Collision handling</h1><h2 id="开放地址法"><a href="#开放地址法" class="headerlink" title="开放地址法"></a>Open addressing</h2><p>With open addressing, a free slot is open both to synonyms of the key that hashes there and to non-synonyms that were pushed on from elsewhere.</p><p>Hi=(H(key)+di)%m</p><p>i=0,1,...,m-1, where di is the probe increment for the i-th attempt; the methods below differ only in how di is chosen.</p><h3 id="线性探测法"><a href="#线性探测法" class="headerlink" title="线性探测法"></a>Linear probing</h3><p>di=i: try the next slot each time.</p><h3 id="平方探测法"><a href="#平方探测法" class="headerlink" title="平方探测法"></a>Quadratic probing</h3><p>di=0, 1², -1², 2², -2², ...</p><h3 id="伪随机序列法"><a href="#伪随机序列法" class="headerlink" title="伪随机序列法"></a>Pseudo-random probing</h3><p>di is taken from a pseudo-random sequence.</p><h2 id="拉链法"><a href="#拉链法" class="headerlink" title="拉链法"></a>Chaining</h2><p>All synonyms of one address are kept in a linked list headed at that address.</p><h1 id="题目总结"><a href="#题目总结" class="headerlink" title="题目总结"></a>Problem summary</h1><h2 id="7-2-4"><a href="#7-2-4" class="headerlink" title="7.2.4"></a>7.2.4</h2><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230809214301171.png" alt="image-20230809214301171"></p><p><strong>Solution:</strong> binary search is generally better than sequential search.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230809214456847.png" alt="image-20230809214456847"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230809214514697.png" alt="image-20230809214514697"></p><p><strong>Solution:</strong></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230809220020432.png" alt="image-20230809220020432"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230809220035686.png" alt="image-20230809220035686"></p><p><strong>Solution:</strong> think of it as a balanced binary tree; that makes it simple.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230809220057543.png" alt="image-20230809220057543"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230809220149509.png" alt="image-20230809220149509"></p><p><strong>Solution:</strong> with sequential search in both the index and the blocks, ASL=(s²+2s+n)/(2s). With n=123 and s=123/3=41 this gives ASL=23.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230815210638110.png" alt="image-20230815210638110"></p><p><strong>Solution:</strong> an index sequential structure is block search. The number of blocks is √n, which here is 255; binary search is then used inside a block, and binary search makes at most as many comparisons as the decision tree is high, ⌈log2(n+1)⌉.</p><p>The average search length for an unsuccessful search in the binary sort tree below is:</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230810195238714.png" alt="image-20230810195238714" style="zoom:150%;" /></p><p><strong>Solution:</strong> a search that fails in the leftmost bottom box has made 3 comparisons, and likewise for every failure box in the same row.</p><p>Unsuccessful search: ASL=(7x3+2x4)/9=29/9</p><h2 id="7-3-4"><a href="#7-3-4" class="headerlink" title="7.3.4"></a>7.3.4</h2><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230815224329606.png" alt="image-20230815224329606"></p><p><strong>Solution:</strong> a BST search starts at the root and proceeds downward, so the search length depends on the height of the tree.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230811221306621.png" alt="image-20230811221306621" style="zoom: 200%;" /></p><p><strong>Solution:</strong> note that this is a binary sort tree, not a balanced binary tree; its height can be n, so up to n comparisons are needed.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230811221421944.png" alt="image-20230811221421944"></p><p><strong>Solution:</strong> the ideal depth of a BST with n nodes is ⌈log2(n+1)⌉.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230811221542650.png" alt="image-20230811221542650"></p><p><strong>Solution:</strong></p><figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">Recurrence for the minimum number of nodes of an AVL tree of height h</span><br><span class="line"><span class="attribute">n0</span>=0</span><br><span class="line"><span class="attribute">n1</span>=1</span><br><span class="line"><span class="attribute">n2</span>=2</span><br><span class="line"><span class="attribute">nh</span>=1+n(h-1)+n(h-2)</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230811221635946.png" alt="image-20230811221635946"></p><figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">Same recurrence</span><br><span class="line"><span class="attribute">n0</span>=0</span><br><span class="line"><span class="attribute">n1</span>=1</span><br><span class="line"><span class="attribute">n2</span>=2</span><br><span class="line"><span class="attribute">nh</span>=1+n(h-1)+n(h-2)</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230811222336678.png" alt="image-20230811222336678"></p><p><strong>Solution:</strong> option A is wrong because visiting 24 after 91 means nothing larger than 91 can follow, yet 94, which is larger than 91, appears.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230811222357104.png" alt="image-20230811222357104"></p><p><strong>Solution:</strong> in option A, 911 is followed by 240, so no number larger than 911 may follow, yet 912 appears.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230815224603643.png" alt="image-20230815224603643"></p><p><strong>Solution:</strong> because it is a binary sort tree rather than a balanced binary tree, no re-splitting or re-combining is needed.</p><h2 id="7-5-4"><a href="#7-5-4" class="headerlink" title="7.5.4"></a>7.5.4</h2><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230815230320590.png" alt="image-20230815230320590"></p><p><strong>Solution:</strong> clustering in a hash table can occur between synonyms and between non-synonyms.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230815230421367.png" alt="image-20230815230421367"></p><p><strong>Solution:</strong> collisions between synonyms are not clustering; chaining keeps synonyms together in one list and does not cause clustering.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230815230748033.png" alt="image-20230815230748033"></p><p><strong>Solution:</strong> the load factor is the number of records divided by the table length. A larger load factor means more records, so collisions become more likely; to reduce collisions the load factor should be decreased.</p>]]></content>
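The binary search and block search sections above, as an added example that is not code from the notes. Both searches count key comparisons, so the ASL figures quoted in the notes can be reproduced rather than taken on trust: the successful-search ASL of binary search on 7 and 15 keys matches ((n+1)/n)·log2(n+1)-1 exactly, and an index sequential table of 123 keys in blocks of 41, with sequential search in both the index and the block, averages 23 comparisons. The key sets are constructed here; `BlockTable` and `make_blocks` are names chosen for this example.

```python
"""Binary search and index-sequential (block) search, instrumented to count
key comparisons so the ASL values in the notes can be reproduced exactly."""
from fractions import Fraction
from typing import List, Optional, Tuple


def binary_search(a: List[int], key: int) -> Tuple[int, int]:
    """Return (index or -1, comparisons). `a` must be sorted ascending.
    One comparison is counted per decision-tree node visited."""
    low, high, cmps = 0, len(a) - 1, 0
    while low <= high:                     # indices are compared, never key vs high
        mid = (low + high) // 2
        cmps += 1
        if a[mid] == key:
            return mid, cmps
        if a[mid] > key:
            high = mid - 1                 # continue in the left half
        else:
            low = mid + 1                  # continue in the right half
    return -1, cmps                        # low crossed high: key is absent


def asl_binary_success(a: List[int]) -> Fraction:
    """Average comparisons of a successful search, over every key in `a`."""
    return Fraction(sum(binary_search(a, k)[1] for k in a), len(a))


def asl_binary_formula(n: int) -> Fraction:
    """((n+1)/n)*log2(n+1) - 1, evaluated exactly; valid when n + 1 is a power of 2."""
    k = (n + 1).bit_length() - 1
    if 1 << k != n + 1:
        raise ValueError("closed form is exact only for n = 2^k - 1")
    return Fraction(n + 1, n) * k - 1


class BlockTable:
    """Index-sequential table: keys are unordered inside a block, blocks are
    ordered between themselves, and the index stores each block's maximum key."""

    def __init__(self, blocks: List[List[int]]):
        self.blocks = blocks
        self.index = [max(b) for b in blocks]          # ascending by construction

    def search(self, key: int) -> Tuple[Optional[Tuple[int, int]], int]:
        """Sequential search of the index, then sequential search inside the
        chosen block. Returns ((block, position) or None, comparisons)."""
        cmps = 0
        for bi, bmax in enumerate(self.index):
            cmps += 1
            if key <= bmax:                              # the key can only be in this block
                for pos, k in enumerate(self.blocks[bi]):
                    cmps += 1
                    if k == key:
                        return (bi, pos), cmps
                return None, cmps                        # absent from its block
        return None, cmps                                # larger than every block


def make_blocks(n: int, s: int) -> List[List[int]]:
    """Keys 1..n in blocks of size s; each block is reversed to show that the
    order inside a block is irrelevant. Constructed sample input."""
    keys = list(range(1, n + 1))
    return [list(reversed(keys[i:i + s])) for i in range(0, n, s)]


def asl_block_success(table: BlockTable) -> Fraction:
    keys = [k for b in table.blocks for k in b]
    return Fraction(sum(table.search(k)[1] for k in keys), len(keys))


if __name__ == "__main__":
    print("binary search ASL, n=7:", asl_binary_success(list(range(7))),
          "formula:", asl_binary_formula(7))
    print("block search ASL, n=123, s=41:", asl_block_success(BlockTable(make_blocks(123, 41))))
```

The block-search average decomposes as (b+1)/2 + (s+1)/2 with b=3 blocks and s=41 keys per block, which is the (s²+2s+n)/(2s) form used in problem 7.2.4.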
<summary type="html">🥧This post is a summary of searching notes (to be updated).</summary>
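The binary sort tree and balanced binary tree sections above, as an added example that is not code from the notes. It implements BST insertion (duplicates rejected, new nodes are leaves), the three deletion cases (leaf, one child, two children via the in-order successor), and AVL insertion that rebalances the minimal unbalanced subtree with the LL, RR, LR and RL rotations. The demo inserts the constructed keys 1..15 in sorted order: the plain BST degenerates to height 15, the AVL tree stays at height 4, and `min_nodes` evaluates the n(h)=1+n(h-1)+n(h-2) recurrence from problem 7.3.4.

```python
"""Binary sort tree versus AVL tree: insert, delete and rotations."""
from typing import Iterable, List, Optional


class Node:
    __slots__ = ("key", "left", "right", "height")

    def __init__(self, key: int):
        self.key, self.left, self.right, self.height = key, None, None, 1


def height(n: Optional[Node]) -> int:
    return n.height if n else 0


def balance(n: Node) -> int:
    """Balance factor = height(left) - height(right); an AVL tree allows -1, 0, 1."""
    return height(n.left) - height(n.right)


def update(n: Node) -> Node:
    n.height = 1 + max(height(n.left), height(n.right))
    return n


def bst_insert(root: Optional[Node], key: int):
    """Return (root, inserted). A new key always becomes a leaf."""
    if root is None:
        return Node(key), True
    if key == root.key:
        return root, False                           # duplicate: insertion fails
    if key < root.key:
        root.left, ok = bst_insert(root.left, key)
    else:
        root.right, ok = bst_insert(root.right, key)
    return update(root), ok


def bst_delete(root: Optional[Node], key: int) -> Optional[Node]:
    if root is None:
        return None
    if key < root.key:
        root.left = bst_delete(root.left, key)
    elif key > root.key:
        root.right = bst_delete(root.right, key)
    elif root.left is None or root.right is None:    # leaf, or exactly one child
        return root.left or root.right               # the child (or None) takes its place
    else:                                            # two children: in-order successor
        succ = root.right
        while succ.left:
            succ = succ.left
        root.key = succ.key                          # copy the successor up ...
        root.right = bst_delete(root.right, succ.key)  # ... and delete it below
    return update(root)


def rotate_right(a: Node) -> Node:                   # LL: B = a.left becomes the root
    b = a.left
    a.left, b.right = b.right, a                     # BR becomes A's left subtree
    update(a)
    return update(b)


def rotate_left(a: Node) -> Node:                    # RR: B = a.right becomes the root
    b = a.right
    a.right, b.left = b.left, a
    update(a)
    return update(b)


def avl_insert(root: Optional[Node], key: int) -> Node:
    if root is None:
        return Node(key)
    if key < root.key:
        root.left = avl_insert(root.left, key)
    elif key > root.key:
        root.right = avl_insert(root.right, key)
    else:
        return root                                  # duplicate ignored
    update(root)
    bf = balance(root)          # the first |bf| > 1 met on the way back up is the
    if bf > 1:                  # root of the minimal unbalanced subtree
        if key > root.left.key:                      # LR: left-rotate the left child first
            root.left = rotate_left(root.left)
        return rotate_right(root)                    # LL, or the second half of LR
    if bf < -1:
        if key < root.right.key:                     # RL: right-rotate the right child first
            root.right = rotate_right(root.right)
        return rotate_left(root)                     # RR, or the second half of RL
    return root


def inorder(n: Optional[Node]) -> List[int]:
    return [] if n is None else inorder(n.left) + [n.key] + inorder(n.right)


def build_bst(keys: Iterable[int]) -> Optional[Node]:
    root = None
    for k in keys:
        root, _ = bst_insert(root, k)
    return root


def build_avl(keys: Iterable[int]) -> Optional[Node]:
    root = None
    for k in keys:
        root = avl_insert(root, k)
    return root


def min_nodes(h: int) -> int:
    """Fewest nodes in an AVL tree of height h: n0=0, n1=1, nh=1+n(h-1)+n(h-2)."""
    a, b = 0, 1
    for _ in range(h):
        a, b = b, 1 + a + b
    return a


if __name__ == "__main__":
    keys = range(1, 16)                              # sorted input: worst case for a BST
    print("BST height:", height(build_bst(keys)), " AVL height:", height(build_avl(keys)))
    print("min AVL nodes for h=0..5:", [min_nodes(h) for h in range(6)])
```

The case selection in `avl_insert` follows the notes: with balance factor 2, the new key went into the left subtree, and whether it went left or right of the left child decides between LL and LR; symmetrically for -2. An in-order walk after any sequence of inserts and deletes must still return the keys in increasing order, which is the check a test should make.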
<category term="考研" scheme="https://blog.r1ng13.top/categories/%E8%80%83%E7%A0%94/"/>
<category term="数据结构" scheme="https://blog.r1ng13.top/tags/%E6%95%B0%E6%8D%AE%E7%BB%93%E6%9E%84/"/>
<category term="考研" scheme="https://blog.r1ng13.top/tags/%E8%80%83%E7%A0%94/"/>
</entry>
<entry>
<title>Graph notes (to be updated)</title>
<link href="https://blog.r1ng13.top/posts/a9d3c7a6.html"/>
<id>https://blog.r1ng13.top/posts/a9d3c7a6.html</id>
<published>2023-08-03T13:19:03.000Z</published>
<updated>2023-08-03T14:00:00.000Z</updated>
<content type="html"><![CDATA[<h1 id="6-1-图的基本概念"><a href="#6-1-图的基本概念" class="headerlink" title="6.1 图的基本概念"></a>6.1 Basic concepts of graphs</h1><ol><li><p><strong>Graph:</strong> a graph consists of a vertex set and an edge set, G=(V,E). V is a finite non-empty set and E is a finite set that may be empty, so a graph may have no edges but must have at least one vertex.</p></li><li><p><strong>Directed graph:</strong> a graph in which every edge has a direction.</p></li><li><p><strong>Undirected graph:</strong> a graph in which no edge has a direction.</p></li><li><p><strong>Complete graph:</strong> every pair of vertices is joined by an edge. Each vertex is joined to the other n-1 vertices, so an undirected complete graph has n(n-1)/2 edges and a directed complete graph has n(n-1) edges.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230728204115833.png" style="zoom:150%;" /></p></li><li><p><strong>Network:</strong> a graph whose edges carry weights.</p></li><li><p><strong>Adjacent:</strong> two vertices joined by an edge or arc are adjacent.</p></li><li><p><strong>Incidence:</strong> the relation between an edge (or arc) and its endpoints. The edge (vi,vj) is said to be incident to the vertices vi and vj; for an arc the ordered pair &lt;vi,vj&gt; is used.</p></li><li><p><strong>Degree of a vertex:</strong> the number of edges incident to it. In a directed graph the degree is the sum of the out-degree and the in-degree.</p></li><li><p><strong>Directed tree:</strong> a directed graph in which one vertex has in-degree 0 and every other vertex has in-degree 1.</p></li><li><p><strong>Simple path:</strong> a path in which no vertex appears more than once, except that the first and last vertex may coincide.</p></li><li><p><strong>Simple cycle:</strong> a cycle in which no vertex other than the first (which is also the last) appears more than once.</p></li><li><p><strong>Connected graph (strongly connected graph):</strong> an undirected graph is connected if there is a path between any two vertices u and v; a directed graph is strongly connected if for any two vertices there is a path from u to v and a path from v to u. <strong>"Connected" is used for undirected graphs, "strongly connected" for directed graphs.</strong></p></li><li><p><strong>Weight and network:</strong> a number attached to an edge or arc is its weight; a graph with weights is called a network.</p></li><li><p><strong>Subgraph:</strong> a graph whose vertex set and edge set are subsets of those of G.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230728211317921.png" alt="image-20230728211317921" style="zoom:150%;" /></p></li><li><p><strong>Maximal connected subgraph:</strong> a connected subgraph of G to which no further vertex of G can be added without losing connectivity (the subgraph already contains every vertex it can reach, so adding any new vertex breaks connectivity).</p></li><li><p>A maximal connected subgraph of an undirected graph is called a connected component.</p><p>Both of the subgraphs below are maximal connected subgraphs.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230728212026248.png" alt="image-20230728212026248" style="zoom:150%;" /></p></li><li><p>A maximal strongly connected subgraph of a directed graph is called a strongly connected component: the subgraph is strongly connected, and adding any further vertex would break strong connectivity.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230728212510554.png" alt="image-20230728212510554" style="zoom:150%;" /></p></li><li><p><strong>Minimal connected subgraph:</strong> a connected subgraph from which no edge can be removed without losing connectivity. (<strong>A minimal connected subgraph has no cycle: if there were a cycle, removing one of its edges would leave the subgraph connected.</strong>)</p></li><li><p><strong>Spanning tree:</strong> a minimal connected subgraph that contains all the vertices of an undirected graph.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230728213029141.png" alt="image-20230728213029141" style="zoom:150%;" /></p></li><li><p><strong>Spanning forest:</strong> for a disconnected graph, the set of spanning trees of its connected components.</p></li></ol><h1 id="6-2-图的存储及基本操作"><a href="#6-2-图的存储及基本操作" class="headerlink" title="6.2 图的存储及基本操作"></a>6.2 Storage and basic operations of graphs</h1><p>A graph representation must be able to hold both the vertex set and the edge set.</p><p>The logical relation is many-to-many.</p><p>There is no dedicated sequential structure for graphs, but a two-dimensional array can represent the relations between elements.</p><p>For linked storage, because a graph is many-to-many, the number of pointer fields a node needs is not fixed; adjacency lists, orthogonal lists and adjacency multilists are used instead.</p><h2 id="6-2-1-邻接矩阵表示法"><a href="#6-2-1-邻接矩阵表示法" class="headerlink" title="6.2.1 邻接矩阵表示法"></a>6.2.1 Adjacency matrix</h2><ul><li>A one-dimensional array stores the vertex information.</li><li>A two-dimensional array stores the edge information (the adjacency relation between vertices).</li></ul><figure class="highlight c++"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">The adjacency matrix of a graph with n vertices is an n×n matrix.</span><br><span class="line">A[i][j]=<span class="number">1</span> <span class="comment">// there is an edge between vertex i and vertex j.</span></span><br><span class="line">A[i][j]=<span class="number">0</span> <span class="comment">// there is no edge between vertex i and vertex j.</span></span><br></pre></td></tr></table></figure><p><strong>Example:</strong></p><p><strong>Summary</strong>:</p><ol><li>The adjacency matrix of an undirected graph is symmetric, its main diagonal is all 0, and it is unique.</li><li>In the adjacency matrix of a complete graph the diagonal entries are 0 and all other entries are 1.</li><li>For an undirected graph, the number of non-zero (non-infinite, for a network) entries in row i or in column i is the degree of vertex i.</li><li>For a directed graph, the number of such entries in row i is the out-degree of vertex i and the number in column i is its in-degree (<strong>rows give out-degree, columns give in-degree</strong>).</li><li>Advantages of the adjacency matrix: it is well suited to <strong>dense graphs</strong> (many edges), and it can <strong>tell immediately whether two vertices are adjacent and read off the weight</strong>. Disadvantages: with many vertices but few edges the matrix is mostly zeros (a sparse matrix), which wastes space, and finding paths between two vertices is awkward.</li></ol><h2 id="6-2-2-邻接表表示法"><a href="#6-2-2-邻接表表示法" class="headerlink" title="6.2.2 邻接表表示法"></a>6.2.2 Adjacency list</h2><p>The adjacency list combines the advantages of sequential and linked storage and is suited to sparse graphs.</p><ol><li>First an array of vertex nodes is built; each vertex node heads a singly linked edge list.</li><li>An adjacency list therefore has two kinds of node: vertex nodes and edge nodes.</li><li>A vertex node holds the vertex data and a pointer to its first adjacent edge (<strong>the head of the edge list</strong>).</li><li>An edge node holds the index of the adjacent vertex and a pointer to the next edge node.</li></ol><h1 id="图的遍历"><a href="#图的遍历" class="headerlink" title="图的遍历"></a>Graph traversal</h1><h2 id="BFS(广度优先遍历)"><a href="#BFS(广度优先遍历)" class="headerlink" title="BFS(广度优先遍历)"></a>BFS (breadth-first traversal)</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Breadth-first traversal visits vertices from near to far: starting from some vertex, it first visits all the neighbours of that vertex, then all the neighbours of the next vertex, and so on, layer by layer, until every vertex has been visited. ----- from Hello Algo</span><br></pre></td></tr></table></figure><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Breadth-first traversal proceeds level by level, expanding outward one layer at a time; it corresponds to the level-order traversal of a binary tree.</span><br></pre></td></tr></table></figure><p><strong>Example:</strong></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230801215721154.png" alt="image-20230801215721154" style="zoom:150%;" /></p><p><strong>Traversal order:</strong> 0,3,1,6,4,2,7,5,8</p><p><strong>Note:</strong> the breadth-first order is not unique. BFS only requires a "near to far" order, <strong>and vertices at the same distance may be visited in any order</strong>. In the figure above, vertices 1 and 3 may be swapped, and vertices 2, 4 and 6 may be visited in any order.</p><ul><li>With adjacency list storage the time complexity of BFS is O(|V|+|E|).</li><li>With adjacency matrix storage the time complexity of BFS is O(|V|²).</li></ul><h3 id="广度优先生成树"><a href="#广度优先生成树" class="headerlink" title="广度优先生成树"></a>Breadth-first spanning tree</h3><p>The adjacency matrix of a graph is unique, so its breadth-first spanning tree from a given start vertex is unique.</p><p>The adjacency list of a graph is not unique (the edge nodes may be linked in any order), so its breadth-first spanning tree is not unique either.<br><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/%E5%B9%BF%E5%BA%A6%E4%BC%98%E5%85%88%E7%94%9F%E6%88%90%E6%A0%91.jpg" alt="广度优先生成树"></p><h2 id="DFS-深度优先遍历"><a href="#DFS-深度优先遍历" class="headerlink" title="DFS(深度优先遍历)"></a>DFS (depth-first traversal)</h2><figure class="highlight ada"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Depth-first traversal goes as deep as it can and backtracks only when it can go no further: starting from some vertex, it visits one neighbour of the current vertex, continues until it reaches a dead end, returns, goes down the next branch until it reaches a dead end again, and so on until every vertex has been visited. <span class="comment">---- Hello Algo</span></span><br></pre></td></tr></table></figure><p><strong>Note:</strong> DFS corresponds to the preorder (root-first) traversal of a tree.</p><p><strong>Example:</strong></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230801220141696.png" alt="image-20230801220141696" style="zoom:150%;" /></p><p><strong>Traversal order:</strong> 0,3,1,2,5,4,6</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230802202438589.png" alt="image-20230802202438589"></p><p>For a given <strong>adjacency matrix the depth-first traversal order is unique</strong>.</p><figure class="highlight"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">As with breadth-first traversal, the depth-first sequence is not unique in general. From a given vertex any direction may be explored first: the neighbours may be taken in any order, and the result is still a depth-first traversal.</span><br></pre></td></tr></table></figure><h3 id="算法实现"><a href="#算法实现" class="headerlink" title="算法实现"></a>Implementation</h3><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230802202932912.png" alt="image-20230802202932912" style="zoom:150%;" /></p><p>The implementation is recursive. The outer loop starts a DFS from every vertex that is still unvisited, so the number of top-level calls equals the number of connected components of the graph.</p><h3 id="时间复杂度和空间复杂度"><a href="#时间复杂度和空间复杂度" class="headerlink" title="时间复杂度和空间复杂度"></a>Time and space complexity</h3><p><strong>Time complexity:</strong></p><ul><li>With an adjacency matrix, visiting each vertex requires scanning that vertex's whole row (n×n entries in total), so the time complexity is O(n²).</li><li>With an adjacency list an undirected graph has 2e edge nodes, but each edge is scanned once per endpoint, plus the n head nodes, so the time complexity is O(n+e).</li></ul><h3 id="深度优先生成树"><a href="#深度优先生成树" class="headerlink" title="深度优先生成树"></a>Depth-first spanning tree</h3><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/%E6%B7%B1%E5%BA%A6%E4%BC%98%E5%85%88%E6%88%90%E6%A0%91.jpg" alt="深度优先成树"></p><h1 id="图的应用"><a href="#图的应用" class="headerlink" title="图的应用"></a>Applications of graphs</h1><h2 id="生成树"><a href="#生成树" class="headerlink" title="生成树"></a>Spanning tree</h2><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">All vertices are connected together, but there is no cycle (so there can be neither fewer nor more edges).</span><br><span class="line">It contains every vertex of the graph.</span><br><span class="line">A graph may have many spanning trees.</span><br><span class="line">A spanning tree has n vertices and n-<span class="number">1</span> edges.</span><br><span class="line">The path between any two vertices of a spanning tree is unique.</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230802204342351.png" alt="image-20230802204342351" style="zoom:150%;" /></p><h2 id="最小生成树问题"><a href="#最小生成树问题" class="headerlink" title="最小生成树问题"></a>Minimum spanning tree</h2><p>The minimum spanning tree (MST) is defined for networks: it is the spanning tree of minimum total weight (it is not necessarily unique, but every MST has the same total weight).</p><h3 id="MST性质"><a href="#MST性质" class="headerlink" title="MST性质"></a>MST property</h3><p>MST algorithms are typical greedy algorithms built on the MST property.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230802211857266.png" alt="image-20230802211857266" style="zoom:150%;" /></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230802211903092.png" alt="image-20230802211903092"></p><h3 id="普利姆Prim算法(选点)"><a href="#普利姆Prim算法(选点)" class="headerlink" title="普利姆Prim算法(选点)"></a>Prim's algorithm (choose vertices)</h3><p>Prim's algorithm also follows the MST property. <strong>Choosing vertices:</strong> at each step it picks the vertex of V-U (<strong>all vertices minus those already in the tree</strong>) that is joined to U (<strong>the vertices already in the tree</strong>) by the edge of minimum weight.</p><p>Note: <strong>suited to dense graphs (and to adjacency matrix storage, because its cost depends on the number of vertices)</strong>.</p><h4 id="时间复杂度"><a href="#时间复杂度" class="headerlink" title="时间复杂度"></a>Time complexity</h4><p>Because it chooses vertices, the time complexity is O(n²): each of the n vertices added must be compared against the other n-1 vertices.</p><h3 id="克鲁斯卡尔Kruskal算法(选边)"><a href="#克鲁斯卡尔Kruskal算法(选边)" class="headerlink" title="克鲁斯卡尔Kruskal算法(选边)"></a>Kruskal's algorithm (choose edges)</h3><p>This algorithm starts with all the vertices in the forest and no edges. It sorts the edges by weight and repeatedly takes the lightest remaining edge that does not form a cycle, until all the vertices are in one connected component.</p><p>Note: <strong>suited to sparse graphs (and to adjacency list storage)</strong>.</p><h4 id="时间复杂度-1"><a href="#时间复杂度-1" class="headerlink" title="时间复杂度"></a>Time complexity</h4><p>Because it processes the edges in sorted order, the time complexity is O(E log E).</p><h2 id="最短路径问题"><a href="#最短路径问题" class="headerlink" title="最短路径问题"></a>Shortest paths</h2><ul><li><strong>Single-source shortest paths</strong>: the shortest paths from one vertex to every other vertex (<strong>Dijkstra's algorithm</strong>).</li><li>Shortest paths between every pair of vertices (<strong>Floyd's algorithm</strong>).</li></ul><h3 id="迪杰斯特拉算法"><a href="#迪杰斯特拉算法" class="headerlink" title="迪杰斯特拉算法"></a>Dijkstra's algorithm</h3><ul><li>Initialise: record the direct path from the source to every other vertex using the edge weight; vertices not directly reachable get infinity.</li><li>Select: among these paths choose the shortest one.</li><li>Update: then adjust the remaining paths through the newly selected vertex.</li></ul><figure class="highlight excel"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">Dijkstra's algorithm splits the vertex set V into two groups:</span><br><span class="line">S: vertices whose shortest path has already been determined</span><br><span class="line"><span class="built_in">T</span>=V-S: vertices whose shortest path is not yet determined.</span><br><span class="line">Invariant:</span><br><span class="line">the shortest-path length from the source v to any vertex of S is no greater than that to any vertex of <span class="built_in">T</span>.</span><br><span class="line"><span class="number">2</span>. The vertices of <span class="built_in">T</span> are moved into S one at a time.</span><br><span class="line">Each vertex has a distance value:</span><br><span class="line">vertices in S: the length of the shortest path from v to that vertex</span><br><span class="line">vertices in <span class="built_in">T</span>: the length of the shortest path from v to that vertex that uses only vertices of S as intermediate vertices.</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230803195738792.png" alt="image-20230803195738792"></p><p> <img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230803201443823.png" alt="image-20230803201443823"></p><p><strong>Note:</strong> each vertex added is compared against the other n vertices, so Dijkstra's single-source shortest-path algorithm has time complexity O(n²). It requires all edge weights to be non-negative.</p><h3 id="佛洛依德算法"><a href="#佛洛依德算法" class="headerlink" title="佛洛依德算法"></a>Floyd's algorithm</h3><ul><li>Start with an n×n matrix: 0 on the diagonal, the arc weight where an arc exists, infinity otherwise.</li><li>Then admit the vertices one at a time as intermediate vertices, updating the matrix entries, until every vertex has been tried.</li></ul><p><strong>Note:</strong> Floyd's all-pairs shortest-path algorithm has time complexity O(n³).</p><h2 id="拓扑排序问题"><a href="#拓扑排序问题" class="headerlink" title="拓扑排序问题"></a>Topological sorting</h2><p>Topological sorting is defined on a directed acyclic graph whose vertices represent activities and whose arcs represent precedence between them (an AOV network). A topological sequence lists every vertex so that each arc points from an earlier vertex to a later one; it is produced by repeatedly outputting a vertex with in-degree 0 and removing its outgoing arcs, and it exists if and only if the graph has no cycle.</p><h3 id="有向无环图(DAG图)"><a href="#有向无环图(DAG图)" class="headerlink" title="有向无环图(DAG图)"></a>Directed acyclic graph (DAG)</h3><p><strong>Concept:</strong> a directed graph without cycles.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230803205037370.png" alt="image-20230803205037370" style="zoom:150%;" /></p><h2 id="关键路径问题"><a href="#关键路径问题" class="headerlink" title="关键路径问题"></a>Critical path</h2><p>The longest path from the source to the sink is the <strong>critical path</strong>, and the activities on it are the <strong>critical activities</strong>.</p><ul><li>Vertices represent events.</li><li>Arcs represent activities, and an arc's weight is the cost (duration) of the activity.</li><li>A network that uses arcs to represent activities is an AOE network.</li><li>An AOE network is also a directed acyclic graph.</li><li>An event means that the activities after it may start only once all the activities before it have finished.</li></ul><p><strong>Properties of an AOE network</strong>:</p><ol><li>Source: the vertex with in-degree 0 (start of the project).</li><li>Sink: the vertex with out-degree 0 (end of the project).</li></ol><p><strong>Critical path:</strong> the path from source to sink whose length (the sum of the durations of the activities on it) is largest. Its length is the minimum time the project needs.</p><p>The activities on the critical path determine the schedule: to shorten the project, the durations of activities on the critical path must be reduced.</p><h3 id="如何求解关键路径"><a href="#如何求解关键路径" class="headerlink" title="如何求解关键路径"></a>How to compute the critical path</h3><p>Four quantities are needed:</p><ul><li>Earliest occurrence time of an event, ve: the length of the longest path from the source to the event.</li><li>Latest occurrence time of an event, vl: the latest time the event can occur without delaying the sink.</li><li>Earliest start time of an activity, e: ve of the event at its tail.</li><li>Latest start time of an activity, l: vl of the event at its head minus the activity's duration.</li></ul><p>Earliest and latest occurrence times of events:</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230804204125469.png" alt="image-20230804204125469" style="zoom:150%;" /></p><p><strong>Slack:</strong> the latest start time of an activity minus its earliest start time, l-e.</p><p><strong>Critical activities are those with zero slack</strong>, i.e. latest start time - earliest start time = 0.</p><h3 id="举例"><a href="#举例" class="headerlink" title="举例"></a>Example</h3><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230804210337598.png" alt="image-20230804210337598"></p><p><strong>Earliest and latest occurrence times of the events:</strong></p><div class="table-container"><table><thead><tr><th></th><th>v1</th><th>v2</th><th>v3</th><th>v4</th><th>v5</th><th>v6</th><th>v7</th><th>v8</th><th>v9</th></tr></thead><tbody><tr><td>ve</td><td>0</td><td>6</td><td>4</td><td>5</td><td>7</td><td>7</td><td>16</td><td>14</td><td>18</td></tr><tr><td>vl</td><td>0</td><td>6</td><td>6</td><td>8</td><td>7</td><td>10</td><td>16</td><td>14</td><td>18</td></tr></tbody></table></div><p><strong>Earliest and latest start times of the activities:</strong></p><div class="table-container"><table><thead><tr><th></th><th>a1</th><th>a2</th><th>a3</th><th>a4</th><th>a5</th><th>a6</th><th>a7</th><th>a8</th><th>a9</th><th>a10</th><th>a11</th></tr></thead><tbody><tr><td>e</td><td>0</td><td>0</td><td>0</td><td>6</td><td>4</td><td>5</td><td>7</td><td>7</td><td>7</td><td>16</td><td>14</td></tr><tr><td>l</td><td>0</td><td>2</td><td>3</td><td>6</td><td>6</td><td>8</td><td>7</td><td>7</td><td>10</td><td>16</td><td>14</td></tr><tr><td>l-e</td><td>0</td><td>2</td><td>3</td><td>0</td><td>2</td><td>3</td><td>0</td><td>0</td><td>3</td><td>0</td><td>0</td></tr></tbody></table></div><p><strong>Critical activities: a1, a4, a7, a8, a10, a11</strong></p><p><strong>There are two critical paths. To speed up the whole project one has to shorten activities that lie on both paths, which here are a1 and a4.</strong></p><h1 id="图——例题总结"><a href="#图——例题总结" class="headerlink" title="图——例题总结"></a>Graphs: worked problems</h1><h2 id="6-1-2-图的基本概念"><a href="#6-1-2-图的基本概念" class="headerlink" title="6.1.2 图的基本概念"></a>6.1.2 Basic concepts of graphs</h2><h2 id="6-2-图的存储及基本操作-1"><a href="#6-2-图的存储及基本操作-1" class="headerlink" title="6.2 图的存储及基本操作"></a>6.2 Storage and basic operations of graphs</h2><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230731222417809.png" alt="image-20230731222417809"></p><p><strong>Solution:</strong> the adjacency list of an undirected graph has 2e edge nodes, always an even number, so the graph must be directed.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230801195009954.png" alt="image-20230801195009954"></p><p><strong>Solution:</strong> an undirected graph has at most n(n-1)/2 edges, so its adjacency list has at most n(n-1) edge nodes.</p><p><img 
src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230801195214584.png" alt="image-20230801195214584"></p><p><strong>解析:</strong>有向图的邻接表的存储结构中,顶点v在边表结点中出现的次数代表的是顶点v的入度。</p><h2 id="6-3-图的遍历"><a href="#6-3-图的遍历" class="headerlink" title="6.3 图的遍历"></a>6.3 图的遍历</h2><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230802193520187.png" alt=""></p><p><strong>解析:</strong>深度优先调用递归的次数是连通分量的次数<img src="C:\Users\25337\AppData\Roaming\Typora\typora-user-images\image-20230802193648120.png" alt="image-20230802193648120"></p><p><strong>解析:</strong>DFS和BFS算法进行邻接表的时间复杂度都是O(n+e),空间复杂度都是O(n)</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230802193926614.png" alt="image-20230802193926614"></p><p><strong>解析:</strong>DFS和BFS算法进行邻接矩阵的表示时,时间复杂度都是O(n*n)</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230802194056271.png" alt="image-20230802194056271"></p><p><strong>解析:</strong>邻接表的深度优先类似于树的先序遍历,广度优先遍历相当于树的层次遍历。</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230802194226125.png" alt="image-20230802194226125"></p><p><strong>解析:</strong>按照深度优先遍历的序列是125436,按照广度优先遍历的序列是124536</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230802194525573.png" alt="image-20230802194525573"></p><p><strong>解析:</strong>判断是否具有回路可以用拓扑排序和深度优先遍历</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230802194635952.png" alt="image-20230802194635952"></p><p><strong>解析:</strong>生成树是极小连通子图,而连通分量是极大连通子图</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230802194745995.png" alt="image-20230802194745995"></p><p><strong>解析:</strong>深度优先生成树的高度一般是大于等于广度优先生成树的高度的。</p><h2 id="6-4-图的应用"><a href="#6-4-图的应用" class="headerlink" title="6.4 图的应用"></a>6.4 图的应用</h2><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230803222420986.png" 
alt="image-20230803222420986"></p><p><strong>解析:</strong>使用迪杰斯特拉算法,加入的顺序应当是152364</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230803222508376.png" alt="image-20230803222508376"></p><p><strong>解析:</strong>在邻接表的存储形式下,进行拓扑排序的操作时,首先是对n个结点进行操作,时间复杂度是O(n),接着对n个顶点的链表的边进行操作为O(E),所以时间复杂度是O(n+E),同理,当使用邻接矩阵进行存储时的拓扑排序的时间复杂度是O(nxn)。</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230804223652283.png" alt="image-20230804223652283" style="zoom:150%;" /></p><p><strong>解析:</strong>因为关键路径有三条,其中包括:bfh、bdcg、bdeh,对于关键路径上的时间压缩:当存在多条路径时,进行压缩的话,必须压缩三条中要存在的。只有f和d是包括这条边的,而ABD选项是不能的。</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230804223740224.png" alt="image-20230804223740224"></p><p><strong>解析:</strong>关键路径是从源点到汇点路径长度最长的路径。</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230804224004314.png" alt="image-20230804224004314" style="zoom:150%;" /></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230804224047703.png" alt="image-20230804224047703" style="zoom:150%;" /></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230804224129672.png" alt="image-20230804224129672" style="zoom:150%;" /></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230804224152042.png" alt="image-20230804224152042" style="zoom:150%;" /></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230807215325462.png" alt=""></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230807211655320.png" alt="image-20230807211655320"></p><p><strong>解析:</strong>深度优先遍历、拓扑排序、求关键路径是可以判断一个有向图是否存在环路的。</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230807220236525.png" alt="image-20230807220236525"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230807220220211.png" 
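alt="image-20230807220220211"></p><p>The critical path procedure from the section above, as an added example that is not the page's code: a topological sort (which doubles as the cycle check mentioned in the explanation above, since an AOE network must be acyclic), then the forward pass for ve, the backward pass for vl, and e, l and slack for every activity. The page shows its example graph only as an image, so the event and activity list below is an assumption, constructed so that it reproduces the page's tables for v1..v9 and a1..a11.</p>

```python
# Added example, not the page's code.  AOE-network critical path:
# topological order (with cycle check), ve/vl for events, e/l/slack for activities.
from collections import deque

# Constructed to match the page's tables: activity -> (tail event, head event, duration).
# The page's graph is only an image, so these edges are an assumption.
ACTIVITIES = {
    'a1': (1, 2, 6), 'a2': (1, 3, 4), 'a3': (1, 4, 5),
    'a4': (2, 5, 1), 'a5': (3, 5, 1), 'a6': (4, 6, 2),
    'a7': (5, 7, 9), 'a8': (5, 8, 7), 'a9': (6, 8, 4),
    'a10': (7, 9, 2), 'a11': (8, 9, 4),
}


def topological_order(n, activities):
    """Kahn's algorithm over events 1..n.  Raises ValueError if the network
    contains a cycle, in which case it is not a valid AOE network."""
    indeg = {v: 0 for v in range(1, n + 1)}
    succ = {v: [] for v in range(1, n + 1)}
    for tail, head, _ in activities.values():
        succ[tail].append(head)
        indeg[head] += 1
    queue = deque(v for v in indeg if indeg[v] == 0)
    order = []
    while queue:
        v = queue.popleft()
        order.append(v)
        for w in succ[v]:
            indeg[w] -= 1
            if indeg[w] == 0:
                queue.append(w)
    if len(order) != n:
        raise ValueError("the network contains a cycle; it is not an AOE network")
    return order


def critical_path(n, activities):
    """Return (ve, vl, act): earliest/latest event times and, per activity,
    the tuple (e, l, slack) with slack = l - e."""
    order = topological_order(n, activities)
    ve = {v: 0 for v in order}
    # Forward pass in topological order: ve(head) = max over arcs of ve(tail) + weight.
    for v in order:
        for tail, head, w in activities.values():
            if tail == v:
                ve[head] = max(ve[head], ve[v] + w)
    finish = max(ve.values())  # ve of the sink = length of the critical path
    vl = {v: finish for v in order}
    # Backward pass in reverse topological order: vl(tail) = min over arcs of vl(head) - weight.
    for v in reversed(order):
        for tail, head, w in activities.values():
            if head == v:
                vl[tail] = min(vl[tail], vl[v] - w)
    act = {}
    for name, (tail, head, w) in activities.items():
        e = ve[tail]       # earliest start of an activity = ve of its tail event
        l = vl[head] - w   # latest start = vl of its head event minus the duration
        act[name] = (e, l, l - e)
    return ve, vl, act


def critical_activities(n, activities):
    """Activities with zero slack, in the order they were listed."""
    _, _, act = critical_path(n, activities)
    return [name for name, (_, _, slack) in act.items() if slack == 0]


if __name__ == "__main__":
    ve, vl, act = critical_path(9, ACTIVITIES)
    print("ve:", [ve[v] for v in range(1, 10)])
    print("vl:", [vl[v] for v in range(1, 10)])
    for name, (e, l, slack) in act.items():
        print(f"{name}: e={e} l={l} l-e={slack}")
    print("critical activities:", critical_activities(9, ACTIVITIES))
```

<p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230807220220211.png" 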
alt="image-20230807220220211"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230807220513687.png" alt="image-20230807220513687"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230807220926356.png" alt="image-20230807220926356"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230807223152123.png" alt="image-20230807223152123"></p><p><strong>Explanation:</strong></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230807223130149.png" alt="image-20230807223130149"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230807223225496.png" alt="image-20230807223225496"></p><p>There are two critical paths, each of length 21. A graph may have several critical paths, and their lengths are not necessarily equal.</p>]]></content>
<summary type="html">🥧This article is a summary of graph knowledge points (to be updated...).</summary>
<category term="考研" scheme="https://blog.r1ng13.top/categories/%E8%80%83%E7%A0%94/"/>
<category term="数据结构" scheme="https://blog.r1ng13.top/tags/%E6%95%B0%E6%8D%AE%E7%BB%93%E6%9E%84/"/>
<category term="考研" scheme="https://blog.r1ng13.top/tags/%E8%80%83%E7%A0%94/"/>
</entry>
<entry>
<title>Algorithms and Data Structures: detailed analysis of postgraduate entrance exam questions (to be updated...)</title>
<link href="https://blog.r1ng13.top/posts/5534ffb9.html"/>
<id>https://blog.r1ng13.top/posts/5534ffb9.html</id>
<published>2023-07-19T02:19:03.000Z</published>
<updated>2023-07-19T14:00:00.000Z</updated>
<content type="html"><![CDATA[<h1 id="绪论"><a href="#绪论" class="headerlink" title="绪论"></a>Introduction</h1><h2 id="选择题"><a href="#选择题" class="headerlink" title="选择题"></a>Multiple-choice questions</h2><ol><li><p>Data object: <strong>a collection of data members (data elements) with the same properties; it is a subset of the data.</strong></p></li><li><p>A <strong>data element</strong> is the <strong>basic unit</strong> of data; a data element may be made up of data items of different types.</p></li><li><p>A <strong>data item</strong> is the <strong>smallest unit</strong> of data.</p></li><li><p>The relationships among data elements are called the <strong>structure</strong>.</p></li><li><p><strong>Computing an algorithm's time complexity</strong> is an <strong>a priori estimation method</strong>.</p></li><li><p><strong>The purpose of algorithm analysis</strong> is <strong>to analyse an algorithm's efficiency so that it can be improved.</strong></p></li><li><p><strong>An algorithm's time complexity</strong> is <strong>proportional to its execution time</strong>; for example, a time complexity of O(n) means the execution time is proportional to n.</p></li><li><p>Which of the following data structures is not a polymorphic data type?</p><p>A. Heap</p><p>B. Stack</p><p>C. String</p><p>D. Directed graph</p><p>Solution: <strong>polymorphic means the element type is not fixed; every element of a string is always a character (char), never another type.</strong></p></li></ol><h2 id="判断题"><a href="#判断题" class="headerlink" title="判断题"></a>True/false questions</h2><ol><li><strong>Huffman trees and balanced binary trees are both logical structures of data.</strong></li><li>An algorithm may have no input but must have output: <strong>an algorithm has zero or more inputs and one or more outputs</strong>.</li><li>A data element may be made up of data items of different data types.</li></ol><h1 id="线性表"><a href="#线性表" class="headerlink" title="线性表"></a>Linear lists</h1><h2 id="选择题-1"><a href="#选择题-1" class="headerlink" title="选择题"></a>Multiple-choice questions</h2><p><strong>1. (Multiple answers) Among the following statements, (ABD) are wrong.</strong></p><figure class="highlight c"><pre><code>A. The logical order of a linear list is always the same as its physical order // in a linked list the logical order and the physical order differ
B. The sequential storage of a binary tree uses less space than linked storage // linked storage saves space compared with sequential storage
C. The degree of a binary tree is at most 2
D. Every data structure has the two basic operations insert and delete (of an element/node) // most have these two operations, but not all
</code></pre></figure><p><strong>2. If the most frequent operations on a linear list are fetching the i-th element and finding the predecessor of the i-th element, then the (A) storage method saves the most time.</strong></p><figure class="highlight c"><pre><code>A. Sequential list  B. Singly linked list  C. Doubly linked list  D. Singly circular linked list
</code></pre></figure><p><strong>Explanation:</strong> "fetch the i-th element" already tells us that only the sequential list saves the most time.</p><p><strong>3. For a linear list of length n stored sequentially, the average number of node moves made by the algorithm that inserts a new element before position i is (B).</strong></p><figure class="highlight c"><pre><code>A. n  B. n/2  C. (n-1)/2  D. (n+1)/2
</code></pre></figure><p><strong>Explanation:</strong> the number of elements that have to be moved totals (n*(n+1))/2, and once one element is inserted there are n+1 positions in all, so the average number of node moves is (n*(n+1))/(2*(n+1)), i.e. n/2.</p><p><strong>4. In a singly linked list, pointer p points to some node. To insert the node pointed to by s before that node, one must execute (D)?????</strong></p><figure class="highlight c"><pre><code>A. s->next=p->next=s;p->next=s;
B. p->next=s;s->next=p;
C. r=p->next;p->next=s;s->next=r;
D. It cannot be done from the given information alone.
</code></pre></figure><h2 id="判断题-1"><a href="#判断题-1" class="headerlink" title="判断题"></a>True/false questions</h2><p><strong>1. The difference between a set and a linear list is whether the elements are sorted by key. (False)</strong></p><figure class="highlight c#"><pre><code>A linear list may be ordered or unordered.
The difference between a set and a linear list is whether duplicate elements are allowed:
a set does not allow duplicate elements, a linear list does.
</code></pre></figure><p><strong>2. All data in a linear list must have the same type.</strong></p><p><strong>3. In a singly circular linked list with a head node, the pointer field of any node's successor is never null.</strong></p><h2 id="填空题"><a href="#填空题" class="headerlink" title="填空题"></a>Fill-in-the-blank questions</h2><p>1. The biggest advantage of a circular singly linked list is that, starting from any element, every element of the list can be reached.</p><p>2. Sequential storage expresses the relationships between elements through the physical adjacency of nodes; linked storage expresses them through node pointers.</p><p>3. Let a singly linked list node have the structure (data, next), where next is the pointer field. Pointer px points to the node whose data is x and py to the node whose data is y. To insert node y after node x, execute the following statements:</p><figure class="highlight c"><pre><code>py->next=px->next;
px->next=py;
</code></pre></figure>]]></content>
<summary type="html">🥧This article is a summary of postgraduate entrance exam questions on algorithms and data structures, analysed in detail (to be updated...).</summary>
<category term="考研" scheme="https://blog.r1ng13.top/categories/%E8%80%83%E7%A0%94/"/>
<category term="数据结构" scheme="https://blog.r1ng13.top/tags/%E6%95%B0%E6%8D%AE%E7%BB%93%E6%9E%84/"/>
<category term="考研" scheme="https://blog.r1ng13.top/tags/%E8%80%83%E7%A0%94/"/>
</entry>
<entry>
<title>2022 HZ-AZD1 competition write-up (to be updated...)</title>
<link href="https://blog.r1ng13.top/posts/de7b2ef0.html"/>
<id>https://blog.r1ng13.top/posts/de7b2ef0.html</id>
<published>2023-07-15T02:19:03.000Z</published>
<updated>2023-07-15T14:00:00.000Z</updated>
<content type="html"><![CDATA[<h1 id="网络流量分析部分"><a href="#网络流量分析部分" class="headerlink" title="网络流量分析部分"></a><strong>Network traffic analysis</strong></h1><h2 id="01-通过对流量包attack进行分析,该数据流量包的sha1的是多少?(格式填写小写字母与数字组合-如abc23dedf445)"><a href="#01-通过对流量包attack进行分析,该数据流量包的sha1的是多少?(格式填写小写字母与数字组合-如abc23dedf445)" class="headerlink" title="01.通过对流量包attack进行分析,该数据流量包的sha1的是多少?(格式填写小写字母与数字组合 如abc23dedf445)"></a>01. Analysing the capture file attack, what is its SHA-1? (Format: lowercase letters and digits, e.g. abc23dedf445)</h2><h3 id="解题"><a href="#解题" class="headerlink" title="解题"></a>Solution</h3><p><strong>Approach:</strong> compute the hash of the capture file with <strong>HashCalc</strong>.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230715215147415.png" alt="image-20230715215147415"></p><h3 id="答案"><a href="#答案" class="headerlink" title="答案"></a>Answer</h3><p>The SHA-1 of the capture file is <strong>7f66df0b59bb5d633a1cb3dbe7acfbb7455458cc</strong>.</p><h2 id="02-通过对流量包attack进行分析,捕获第一个数据报文的时间是?(格式按年-月-日-填写-如:yyyy-mm-dd-如2000-01-23)"><a href="#02-通过对流量包attack进行分析,捕获第一个数据报文的时间是?(格式按年-月-日-填写-如:yyyy-mm-dd-如2000-01-23)" class="headerlink" title="02.通过对流量包attack进行分析,捕获第一个数据报文的时间是?(格式按年-月-日 填写 如:yyyy-mm-dd 如2000-01-23)"></a>02. Analysing the capture file attack, when was the first packet captured? (Format: year-month-day, yyyy-mm-dd, e.g. 2000-01-23)</h2><h3 id="解题-1"><a href="#解题-1" class="headerlink" title="解题"></a>Solution</h3><p><strong>Approach:</strong></p><h3 id="答案-1"><a href="#答案-1" class="headerlink" title="答案"></a>Answer</h3><p>The first packet was captured on 2018-08-08.</p><h2 id="03-通过对流量包attack进行分析,捕获流量包时使用的接口数量(格式填写数字-如:10)"><a href="#03-通过对流量包attack进行分析,捕获流量包时使用的接口数量(格式填写数字-如:10)" class="headerlink" title="03.通过对流量包attack进行分析,捕获流量包时使用的接口数量(格式填写数字 如:10)"></a>03. Analysing the capture file attack, how many interfaces were used for the capture? (Format: a number, e.g. 10)</h2><h3 id="解题-2"><a href="#解题-2" class="headerlink" title="解题"></a>Solution</h3><h3 id="答案-2"><a href="#答案-2" class="headerlink" title="答案"></a>Answer</h3><h2 id="04-通过对流量包attack进行分析,获取被攻击的服务IP是多少?(格式数字与-组合填写-如:10-10-1-1)"><a href="#04-通过对流量包attack进行分析,获取被攻击的服务IP是多少?(格式数字与-组合填写-如:10-10-1-1)" class="headerlink" title="04.通过对流量包attack进行分析,获取被攻击的服务IP是多少?(格式数字与.组合填写 如:10.10.1.1)"></a><strong>04. Analysing the capture file attack, what is the IP of the attacked service? (Format: digits and dots, e.g. 10.10.1.1)</strong></h2><h3 id="解题-3"><a href="#解题-3" class="headerlink" title="解题"></a>Solution</h3><p><strong>Approach:</strong> filtering for POST requests turns up a login, and the login record contains the attacker's IP. The filter used is:</p><figure class="highlight sh"><pre><code>http.request.method==POST
</code></pre></figure><p>A URL containing login.php appears, and the login details are inside it.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230715222151277.png" alt="image-20230715222151277"></p><p>From the screenshot the attacked IP is 192.168.32.189.</p><h3 id="答案-3"><a href="#答案-3" class="headerlink" title="答案"></a>Answer</h3><p>So the IP of the attacked service is <strong>192.168.32.189</strong>.</p><h2 id="05-通过对流量包attack进行分析,得知攻击者IP是多少?(格式数字与-组合填写-如:10-10-1-1)"><a href="#05-通过对流量包attack进行分析,得知攻击者IP是多少?(格式数字与-组合填写-如:10-10-1-1)" class="headerlink" title="05.通过对流量包attack进行分析,得知攻击者IP是多少?(格式数字与.组合填写 如:10.10.1.1)"></a>05. Analysing the capture file attack, what is the attacker's IP? (Format: digits and dots, e.g. 10.10.1.1)</h2><h3 id="解题-4"><a href="#解题-4" class="headerlink" title="解题"></a>Solution</h3><p><strong>Approach:</strong> filtering for POST requests turns up a login, and the login record contains the attacker's IP. The filter used is:</p><figure class="highlight sh"><pre><code>http.request.method==POST
</code></pre></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230715222151277.png" alt="image-20230715222151277"></p><p>The source IP of the attack is 192.168.94.59.</p><h3 id="答案-4"><a href="#答案-4" class="headerlink" title="答案"></a>Answer</h3><p>So the attacker's IP is <strong>192.168.94.59</strong>.</p><h2 id="06-通过对流量包attack进行分析,得知黑客使用的扫描器是?"><a href="#06-通过对流量包attack进行分析,得知黑客使用的扫描器是?" class="headerlink" title="06.通过对流量包attack进行分析,得知黑客使用的扫描器是?"></a>06. Analysing the capture file attack, which scanner did the attacker use?</h2><h3 id="解题-5"><a href="#解题-5" class="headerlink" title="解题"></a>Solution</h3><h3 id="答案-5"><a href="#答案-5" class="headerlink" title="答案"></a>Answer</h3><h2 id="07-通过对流量包attack进行分析,得到黑客对服务器网站扫描到的登录后台是:(格式填写相对路径-,使用小写字母、-和其他字符组合-如:-www-wwwroot)"><a href="#07-通过对流量包attack进行分析,得到黑客对服务器网站扫描到的登录后台是:(格式填写相对路径-,使用小写字母、-和其他字符组合-如:-www-wwwroot)" class="headerlink" title="07.通过对流量包attack进行分析,得到黑客对服务器网站扫描到的登录后台是:(格式填写相对路径 ,使用小写字母、 / 和其他字符组合 如: /www/wwwroot)"></a>07. Analysing the capture file attack, which admin login page did the attacker's scan of the website discover? (Format: a relative path made of lowercase letters, / and other characters, e.g. /www/wwwroot)</h2><h3 id="解题-6"><a href="#解题-6" class="headerlink" title="解题"></a>Solution</h3><h3 id="答案-6"><a href="#答案-6" class="headerlink" title="答案"></a>Answer</h3><h2 id="08-通过对流量包attack进行分析,得知黑客使用什么账号密码进行登录网站后台?(格式填写小写字母-、数字、-、其它字符组合-如:username-password)"><a href="#08-通过对流量包attack进行分析,得知黑客使用什么账号密码进行登录网站后台?(格式填写小写字母-、数字、-、其它字符组合-如:username-password)" class="headerlink" title="08.通过对流量包attack进行分析,得知黑客使用什么账号密码进行登录网站后台?(格式填写小写字母 、数字、 / 、其它字符组合 如:username/password)"></a>08. Analysing the capture file attack, which username and password did the attacker use to log in to the site's admin panel? (Format: lowercase letters, digits, / and other characters, e.g. username/password)</h2><h3 id="解题-7"><a href="#解题-7" class="headerlink" title="解题"></a>Solution</h3><h3 id="答案-7"><a href="#答案-7" class="headerlink" title="答案"></a>Answer</h3><h2 id="09-接着上题分析,黑客上传的内容是什么?(格式填写数字-如:123456)"><a href="#09-接着上题分析,黑客上传的内容是什么?(格式填写数字-如:123456)" class="headerlink" title="09.接着上题分析,黑客上传的内容是什么?(格式填写数字 如:123456)"></a>09. Continuing from the previous question, what content did the attacker upload? (Format: digits, e.g. 123456)</h2><h3 id="解题-8"><a href="#解题-8" class="headerlink" title="解题"></a>Solution</h3><h3 id="答案-8"><a href="#答案-8" class="headerlink" title="答案"></a>Answer</h3><h2 id="10-通过对流量包attack进行分析,捕获这些数据报文的一共时间是?(格式-按小时-分-秒-填写-如:hh-mm-ss-如00-01-23)"><a href="#10-通过对流量包attack进行分析,捕获这些数据报文的一共时间是?(格式-按小时-分-秒-填写-如:hh-mm-ss-如00-01-23)" class="headerlink" title="10.通过对流量包attack进行分析,捕获这些数据报文的一共时间是?(格式 按小时:分:秒 填写 如:hh:mm:ss 如00:01:23)"></a>10. Analysing the capture file attack, what is the total duration of the capture? (Format: hours:minutes:seconds, hh:mm:ss, e.g. 00:01:23)</h2><h3 id="解题-9"><a href="#解题-9" class="headerlink" title="解题"></a>Solution</h3><h3 id="答案-9"><a href="#答案-9" class="headerlink" title="答案"></a>Answer</h3><h2 id="11-通过对流量包attack进行分析,HTTP-Request-Packets占总的HTTP-Packets百分比多少?(格式填写数字、-组合-如:11-11-百分比保留小数点后二位)"><a href="#11-通过对流量包attack进行分析,HTTP-Request-Packets占总的HTTP-Packets百分比多少?(格式填写数字、-组合-如:11-11-百分比保留小数点后二位)" class="headerlink" title="11.通过对流量包attack进行分析,HTTP Request Packets占总的HTTP Packets百分比多少?(格式填写数字、. % 组合 如:11.11% 百分比保留小数点后二位)"></a>11. Analysing the capture file attack, what percentage of all HTTP packets are HTTP request packets? (Format: digits, . and %, e.g. 11.11%, rounded to two decimal places)</h2><h3 id="解题-10"><a href="#解题-10" class="headerlink" title="解题"></a>Solution</h3><h3 id="答案-10"><a href="#答案-10" class="headerlink" title="答案"></a>Answer</h3><h2 id="12-接上题customername为Singal-Gift-Stores的电话号码为?(格式填写数字-如:1112222222)"><a href="#12-接上题customername为Singal-Gift-Stores的电话号码为?(格式填写数字-如:1112222222)" class="headerlink" title="12.接上题customername为Singal Gift Stores的电话号码为?(格式填写数字 如:1112222222)"></a>12. Continuing from the previous question, what is the phone number of the customer whose customername is Singal Gift Stores? (Format: digits, e.g. 1112222222)</h2><h3 id="解题-11"><a href="#解题-11" class="headerlink" title="解题"></a>Solution</h3><h3 id="答案-11"><a href="#答案-11" class="headerlink" title="答案"></a>Answer</h3>]]></content>
<summary type="html">🥧This article is the write-up for the 2022 HZ-AZD1 competition (to be updated...).</summary>
<category term="比武" scheme="https://blog.r1ng13.top/categories/%E6%AF%94%E6%AD%A6/"/>
<category term="电子取证" scheme="https://blog.r1ng13.top/categories/%E6%AF%94%E6%AD%A6/%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81/"/>
<category term="电子取证" scheme="https://blog.r1ng13.top/tags/%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81/"/>
<category term="比武" scheme="https://blog.r1ng13.top/tags/%E6%AF%94%E6%AD%A6/"/>
</entry>
<entry>
<title>BUUCTF reverse engineering practice notes (continuously updated)</title>
<link href="https://blog.r1ng13.top/posts/8c80b8dd.html"/>
<id>https://blog.r1ng13.top/posts/8c80b8dd.html</id>
<published>2023-07-12T10:35:03.000Z</published>
<updated>2023-07-12T14:00:00.000Z</updated>
<content type="html"><![CDATA[<h1 id="01-easyre"><a href="#01-easyre" class="headerlink" title="01.easyre"></a>01.easyre</h1><h2 id="解题步骤"><a href="#解题步骤" class="headerlink" title="解题步骤"></a>Solution steps</h2><ol><li><p>Open the binary in IDA.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/e89d233a26d774ea926c34bb33b61a67.png" alt=""></p></li><li><p>Press Shift+F12 to list the strings, then Ctrl+F to search for the keyword flag.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230712184510339.png" alt="image-20230712184510339"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230712184424442.png" alt="image-20230712184424442"></p></li><li><p>This gives the flag.</p></li></ol><h1 id="02-reverse1"><a href="#02-reverse1" class="headerlink" title="02.reverse1"></a>02.reverse1</h1><h2 id="解题步骤-1"><a href="#解题步骤-1" class="headerlink" title="解题步骤"></a>Solution steps</h2><ol><li><p>Open the binary in IDA.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230712184537973.png" alt="image-20230712184537973"></p></li><li><p>Press Shift+F12 to list the strings, then Ctrl+F to search for the keyword flag.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230712184556142.png" alt="image-20230712184556142"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230712184615531.png" alt="image-20230712184615531"></p></li><li><p>Right-click the code shown above and choose List cross references to.</p></li><li><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230712184634040.png" alt="image-20230712184634040"></p><p>This opens the IDA View-A window, where the input hello_world appears.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230712184656655.png" alt="image-20230712184656655"></p></li><li><p>Press F5 to view the pseudocode; note the important if condition.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230712184716247.png" alt="image-20230712184716247"></p></li><li><p>Press R to convert the numbers into characters. The converted code shows that this challenge replaces the letter o in the flag with the digit 0.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230712184733974.png" alt="image-20230712184733974"></p></li><li><p>The flag is flag{hell0_w0rld}.</p></li></ol><h1 id="03-reverse2"><a href="#03-reverse2" class="headerlink" title="03.reverse2"></a>03.reverse2</h1><h2 id="解题步骤-2"><a href="#解题步骤-2" class="headerlink" title="解题步骤"></a>Solution steps</h2><ol><li><p>Open the binary in IDA.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230712184806649.png" alt="image-20230712184806649"></p></li><li><p>Press Shift+F12 to list the strings, then Ctrl+F to search for the keyword flag. The string hacking_for_fun} turns up, which may be part of the flag.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230712184818342.png" alt="image-20230712184818342"></p></li><li><p>Go to the code at "this is the right flag!", right-click and choose List cross references to.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230712184829779.png" alt="image-20230712184829779"></p></li><li><p>In the pseudocode there is an important if statement; converting the hexadecimal values in it to characters shows that the code replaces the letters i and r in the flag with 1.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230712184844551.png" alt="image-20230712184844551"></p></li><li><p>So we replace i and r in the hacking_for_fun obtained above with 1; the submission is accepted.</p></li><li><p>The flag is flag{hack1ng_fo1_fun}.</p></li></ol><h1 id="04-reverse——-内涵的软件"><a href="#04-reverse——-内涵的软件" class="headerlink" title="04.reverse——-内涵的软件"></a>04.reverse: 内涵的软件</h1><h2 id="解题步骤-3"><a href="#解题步骤-3" class="headerlink" title="解题步骤"></a>Solution steps</h2><ol><li><p>Running the program shows that the flag is hidden. Following the hint, open the file in the reversing tool IDA.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230712184902043.png" alt="image-20230712184902043"></p></li><li><p>Following the hint, open the file in IDA.<img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230712184917150.png" alt="image-20230712184917150"><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230712184940517.png" alt="image-20230712184940517"></p></li><li><p>A string in flag format turns up; submitting it works: flag{49d3c93df25caad81232130f3d2ebfad}</p></li></ol><h1 id="05-reverse——-helloworld"><a href="#05-reverse——-helloworld" class="headerlink" title="05.reverse——-helloworld"></a>05.reverse: helloworld</h1><h2 id="解题步骤-4"><a href="#解题步骤-4" class="headerlink" title="解题步骤"></a>Solution steps</h2><ol><li><p>The downloaded attachment is an apk file.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230712184956774.png" alt="image-20230712184956774"></p></li><li><p>Open it with GDA.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230712185009235.png" alt="image-20230712185009235"></p></li><li><p>Search for the keyword flag; the flag is found.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230712185024132.png" alt="image-20230712185024132"></p></li><li><p>The flag is flag{7631a988259a00816deda84afb29430a}.</p></li></ol><h1 id="06-reverse——-新年快乐"><a href="#06-reverse——-新年快乐" class="headerlink" title="06.reverse——-新年快乐"></a>06.reverse: 新年快乐</h1><h2 id="解题步骤-5"><a href="#解题步骤-5" class="headerlink" title="解题步骤"></a>Solution steps</h2><ol><li><p>Check for a packer with PEiD (a step skipped in the earlier challenges); the file is packed with UPX.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230712185037653.png" alt="image-20230712185037653"></p></li><li><p>Unpack it with the UPX unpacking tool.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230712185058013.png" alt="image-20230712185058013"></p></li><li><p>Load the unpacked file into IDA.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230712185110082.png" alt="image-20230712185110082"></p></li><li><p>Press Shift+F12 to list the strings and Ctrl+F to search for the keyword flag.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230712185124493.png" alt="image-20230712185124493"></p></li><li><p>Right-click to jump to the reference, then press F5 to view the pseudocode.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230712185136273.png" alt="image-20230712185136273"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230712185148632.png" alt="image-20230712185148632"></p></li><li><p>The pseudocode shows that the input Str1 is compared with v1 (whose content is HappyNewYear!); if the two strings are equal, the program prints this is true flag!</p><figure class="highlight sas"><pre><code>qmemcpy(&v1, "HappyNewYear!", 0xEu);
*(_WORD *)Str1 = 0;
</code></pre></figure><figure class="highlight c++"><pre><code>if ( !strncmp(Str1, &v1, strlen(&v1)) )
    result = puts("this is true flag!");
</code></pre></figure></li><li><p>From the analysis of the function the flag is flag{HappyNewYear!}.</p></li></ol><h1 id="07-GWCTF-2019-pyre"><a href="#07-GWCTF-2019-pyre" class="headerlink" title="07.[GWCTF 2019]pyre"></a>07.[GWCTF 2019]pyre</h1><h2 id="解题步骤-6"><a href="#解题步骤-6" class="headerlink" title="解题步骤"></a>Solution steps</h2><ol><li><p>The attachment is a pyc file. It can be turned back into Python source with <a href="https://tool.lu/pyc/">an online pyc decompiler</a>:</p><figure class="highlight python"><pre><code>#!/usr/bin/env python
# visit https://tool.lu/pyc/ for more information
# Version: Python 2.7

print 'Welcome to Re World!'
print 'Your input1 is your flag~'
l = len(input1)
for i in range(l):
    num = ((input1[i] + i) % 128 + 128) % 128  # the solver has to apply the inverse of these two operations to the code array
    code += num

for i in range(l - 1):
    code[i] = code[i] ^ code[i + 1]

print code
code = [
    '%1f',
    '%12',
    '%1d',
    '(',
    '0',
    '4',
    '%01',
    '%06',
    '%14',
    '4',
    ',',
    '%1b',
    'U',
    '?',
    'o',
    '6',
    '*',
    ':',
    '%01',
    'D',
    ';',
    '%',
    '%13']
</code></pre></figure></li><li><p>From the code, the decryption script is:</p><figure class="highlight python"><pre><code>code = ['\x1f', '\x12', '\x1d', '(', '0', '4', '\x01', '\x06', '\x14',
        '4', ',', '\x1b', 'U', '?', 'o', '6', '*', ':', '\x01', 'D', ';', '%', '\x13']
# undo the XOR chain from the right (the last element was never XORed)
for i in range(len(code)-2,-1,-1):
    code[i]=chr(ord(code[i])^ord(code[i+1]))
# undo the index shift
for i in range(len(code)):
    print(chr((ord(code[i])-i)%128),end="")
</code></pre></figure></li><li><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230702082456688.png" 
alt="image-20230702082456688"></p></li><li><p>So the flag is <strong>GWHT{Just_Re_1s_Ha66y!}</strong></p></li></ol><h1 id="08-ACTF新生赛2020-easyre"><a href="#08-ACTF新生赛2020-easyre" class="headerlink" title="08.[ACTF新生赛2020]easyre"></a>08.[ACTF新生赛2020]easyre</h1><h2 id="解题步骤-7"><a href="#解题步骤-7" class="headerlink" title="Solution steps"></a>Solution steps</h2><ol><li><p>Download the attachment and check it for a packer: it is packed with UPX.</p></li><li><p>Unpack it with a tool. Download the <a href="https://github.com/upx/upx/releases?login=from_csdn">unpacker</a> here and run the following two commands.</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">upx.exe -h # print the help text to confirm that upx runs</span><br></pre></td></tr></table></figure><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">upx.exe -d 文件绝对路径 # -d decompresses (unpacks) the binary; replace 文件绝对路径 with the absolute path of the packed file</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230702085844867.png" alt="image-20230702085844867"></p></li><li><p>Check for a packer again: the binary is now unpacked.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230712185216285.png" alt="image-20230712185216285"></p></li><li><p>Open it in IDA.</p></li></ol><h1 id="09-WUSTCTF2020-level1"><a href="#09-WUSTCTF2020-level1" class="headerlink" title="09.[WUSTCTF2020]level1"></a>09.[WUSTCTF2020]level1</h1><h2 id="解题步骤-8"><a href="#解题步骤-8" class="headerlink" title="Solution steps"></a>Solution steps</h2><ol><li><p>Check for a packer: load the attachment into the packer-detection tool; it is a 64-bit binary with no packer.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230712181739840.png" alt="image-20230712181739840"></p></li><li><p>Load the program into 64-bit IDA Pro and search the strings for keywords (shortcut Shift+F12); no useful keywords are found.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230712182043176.png" alt="image-20230712182043176"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230712182112203.png" alt="image-20230712182112203"></p></li><li><p>Find the main function and double-click to enter it.</p><p><img 
src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230712182148001.png" alt="image-20230712182148001"></p></li><li><p>Press Tab or the F5 shortcut to view the code listing.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230712182253062.png" alt="image-20230712182253062"></p></li><li><p>Locate the key code and analyze it.</p><figure class="highlight c++"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="type">int</span> __cdecl <span class="title">main</span><span class="params">(<span class="type">int</span> argc, <span class="type">const</span> <span class="type">char</span> **argv, <span class="type">const</span> <span class="type">char</span> **envp)</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> <span class="type">int</span> i; <span class="comment">// [rsp+4h] [rbp-2Ch]</span></span><br><span class="line"> FILE *stream; <span class="comment">// [rsp+8h] [rbp-28h]</span></span><br><span class="line"> <span class="type">char</span> ptr[<span class="number">24</span>]; <span class="comment">// [rsp+10h] [rbp-20h] BYREF</span></span><br><span class="line"> <span class="type">unsigned</span> __int64 v7; <span class="comment">// [rsp+28h] [rbp-8h]</span></span><br><span class="line"></span><br><span class="line"> v7 = 
__readfsqword(<span class="number">0x28</span>u);</span><br><span class="line"> stream = <span class="built_in">fopen</span>(<span class="string">"flag"</span>, <span class="string">"r"</span>);</span><br><span class="line"> <span class="built_in">fread</span>(ptr, <span class="number">1uLL</span>, <span class="number">0x14</span>uLL, stream); <span class="comment">// reads a file named flag; the attachment conveniently includes a file that is the output of this algorithm</span></span><br><span class="line"> <span class="built_in">fclose</span>(stream);</span><br><span class="line"> <span class="keyword">for</span> ( i = <span class="number">1</span>; i <= <span class="number">19</span>; ++i ) <span class="comment">// the key loop: 19 iterations</span></span><br><span class="line"> {</span><br><span class="line"> <span class="keyword">if</span> ( (i & <span class="number">1</span>) != <span class="number">0</span> ) <span class="comment">// when the index i is odd</span></span><br><span class="line"> <span class="built_in">printf</span>(<span class="string">"%ld\n"</span>, (<span class="type">unsigned</span> <span class="type">int</span>)(ptr[i] << i)); <span class="comment">// odd index: shift left by i; to reverse it, compute ptr[i] >> i</span></span><br><span class="line"> <span class="keyword">else</span></span><br><span class="line"> <span class="built_in">printf</span>(<span class="string">"%ld\n"</span>, (<span class="type">unsigned</span> <span class="type">int</span>)(i * ptr[i]));<span class="comment">// even index: multiply by i; to reverse it, compute ptr[i] / i</span></span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure></li><li><p>Reversing script, Python version</p><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span 
class="line">8</span><br></pre></td><td class="code"><pre><span class="line">ptr = [<span class="number">198</span>,<span class="number">232</span>,<span class="number">816</span>,<span class="number">200</span>,<span class="number">1536</span>,<span class="number">300</span>,<span class="number">6144</span>,<span class="number">984</span>,<span class="number">51200</span>,<span class="number">570</span>,<span class="number">92160</span>,<span class="number">1200</span>,<span class="number">565248</span>,<span class="number">756</span>,<span class="number">1474560</span>,<span class="number">800</span>,<span class="number">6291456</span>,<span class="number">1782</span>,<span class="number">65536000</span>]</span><br><span class="line">flag=<span class="string">""</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">1</span>, <span class="number">20</span>):</span><br><span class="line"> <span class="keyword">if</span> i % <span class="number">2</span> == <span class="number">1</span>:</span><br><span class="line"> flag =flag+<span class="built_in">chr</span>(ptr[i-<span class="number">1</span>] >> i)</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> flag = flag+<span class="built_in">chr</span>(ptr[i-<span class="number">1</span>] // i)</span><br><span class="line"><span class="built_in">print</span>(flag)</span><br></pre></td></tr></table></figure></li><li><p>Reversing script, C version</p><figure class="highlight c++"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span 
class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="keyword">include</span> <span class="string"><stdio.h></span></span></span><br><span class="line"></span><br><span class="line"><span class="type">int</span> ptr[] = {<span class="number">198</span>, <span class="number">232</span>, <span class="number">816</span>, <span class="number">200</span>, <span class="number">1536</span>, <span class="number">300</span>, <span class="number">6144</span>, <span class="number">984</span>, <span class="number">51200</span>, <span class="number">570</span>, <span class="number">92160</span>, <span class="number">1200</span>, <span class="number">565248</span>, <span class="number">756</span>, <span class="number">1474560</span>, <span class="number">800</span>, <span class="number">6291456</span>, <span class="number">1782</span>, <span class="number">65536000</span>};</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="type">int</span> <span class="title">main</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> <span class="type">char</span> flag[<span class="number">20</span>];</span><br><span class="line"> <span class="type">int</span> i;</span><br><span class="line"></span><br><span class="line"> <span class="keyword">for</span> (i = <span class="number">1</span>; i <= <span class="number">19</span>; ++i)</span><br><span class="line"> 
{</span><br><span class="line"> <span class="keyword">if</span> (i % <span class="number">2</span> == <span class="number">1</span>)</span><br><span class="line"> {</span><br><span class="line"> flag[i<span class="number">-1</span>] = (<span class="type">char</span>)(ptr[i<span class="number">-1</span>] >> i);</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">else</span></span><br><span class="line"> {</span><br><span class="line"> flag[i<span class="number">-1</span>] = (<span class="type">char</span>)(ptr[i<span class="number">-1</span>] / i);</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> flag[<span class="number">19</span>] = <span class="string">'\0'</span>; <span class="comment">// add the terminating null byte of the string</span></span><br><span class="line"></span><br><span class="line"> <span class="built_in">printf</span>(<span class="string">"%s\n"</span>, flag);</span><br><span class="line"></span><br><span class="line"> <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure></li><li><p>Screenshots of the run results</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230712182929943.png" alt="image-20230712182929943"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230712182946204.png" alt="image-20230712182946204"></p></li></ol>]]></content>
<summary type="html">🥧 This article is a set of notes from working through the BUUCTF reverse-engineering challenges.</summary>
<category term="CTF逆向" scheme="https://blog.r1ng13.top/categories/CTF%E9%80%86%E5%90%91/"/>
<category term="CTF" scheme="https://blog.r1ng13.top/tags/CTF/"/>
<category term="reserve" scheme="https://blog.r1ng13.top/tags/reserve/"/>
<category term="逆向" scheme="https://blog.r1ng13.top/tags/%E9%80%86%E5%90%91/"/>
</entry>
<entry>
<title>Server Forensics Evidence Material 3.0----WP</title>
<link href="https://blog.r1ng13.top/posts/70b044d8.html"/>
<id>https://blog.r1ng13.top/posts/70b044d8.html</id>
<published>2023-06-27T13:12:21.000Z</published>
<updated>2024-01-12T07:21:13.000Z</updated>
<content type="html"><![CDATA[<div class="hbe hbe-container" id="hexo-blog-encrypt" data-wpm="抱歉, 这个密码看着不太对, 请再试试." data-whm="抱歉, 这个文章不能被校验, 不过您还是能看看解密后的内容."> <script id="hbeData" type="hbeData" data-hmacdigest="35d855fe69f2301e1f8c346923e2f2c9086f660fbd03927a7c1dda33d7dee536">
a52ed8a25d84efe597116a335a0c0dafe002a3ba7e0a4cc6ea39a16401d88b25d15ed7d953b168321d5280b1153c681e7a15554642a8db1d25c7c461da005e2fe94b8d8309268cacfd682b883e0d5798e6cd1b8882602e5bdb5d52e1142a92349ba475b58432e1e96ec1dad592c1da51587b876975b14f8088ac572c49c1de9d69953e162b67b33d7d76f31820e648b69f58252fc734fe609476b5e6b65441f570ee0e318ab7784b2576043bd706fa0db35a4d49f4780cf6b5ac2be09b4db37fe3ff3f8989b5e88d1b988030681e0bf30a5ec7c109c82fd349a31db3acccac78378d87eaaf2ac3905e5b65993f323f864eafe372fec3e65933a7f00409f7f843ac2271bb77494e2e8b33b82bf4773ad6240ed10a61d9fa77736588a64830bc5ca2785d3907ad869a2a5f8276785c01bb46df238ee0b972fd99708392c1e59fc932bd7a3cb9bd054ed122704213b318548950815e77d164cc9d6896b17ef6a0f1cc76e35c40cef73fcf75ec115c4314e8ba8790aec4d49e46786338122fa13c3b0c20ca5f56b9c7b196b3d9c91119b45662d25c91e84eb595c5c8cea0df3c2bc4dfcd0537cfb39f4fd71a8a015a6ba0ba7c82d912157a8217df76680b58580e7af9e7bae897ac1f330a9eefb69f2175290fc7f638c2ab22f7e621ca0296808d313e2a47d97a91a89fef7692837f56c214abc1b72f5b4bc24baa629cbb66aae808770ddd21fa609413292265286b69552db4a833fc2bfd7c6a046ee746a520fb6a0f005b261873319cdc2f53cc1cf84a21bf0a1b891f4faee50f1d02d3e7b5f5528e9782eb61904ab1b7197eec26cbc4d39f0f5272e0ac20589b9e4d3e5ba76d8b0d7061e67f9a78a9dba124f0c9968ef35fbc6c1c3a87b6265b8f606239b87fe184e23c4d53d9d15db20415f5bd015c6d744c4c1d10e7306ec52f3be886a5f721595b468b4a1d47c303121e754d01561ae811f87ea42cb871c9c7c4bfa15bc1171af75313f7a3b3877cc9a5fe5f46d39d5489dc0cebaaab0f7fec51ba226d51559bc7af926b2e5517e461021b856d355e3355183dc16db9b08da76e1160da009255e93c5fa56e2e54f945675f33cd7712f94a41b0adb9f328f620d3d613e6250387721c2c6e79296172fed2f0fc1d51cfe18e6893a5c7e4199cbca943aa7f9e65630ffa22d5932a1bb5ac7817db959b9a33e172863dcbad64d9756a085108a26de6b07c0039d407ef5f9fdb4e5f729e1a827f349a943a5fa5b3a0f71804592b4515c9b6590bc740f66a1e1bc2fda2c0581bbe4eb9fc4f87d09660b8f8cb12d03ee5ad881b54ce2e48607a1ad382751f673825576640c333581a839c96ea1a0d5a4a7092f20bb7acb498b831a5b5cd0c2b28288af26b2c6dad90f9d2b686b324569d4dc8799771db0f
c7e9fd31a58d403eb3444c8b2e362ed2a7dff97e59f03009ba272750e9a9cba1bd6d49941ba4bb3b642279d10957eea9ab3119759f3dd52542df8979c30384afe3a20c529d3baf69c8375dbf752461cf4ad633819fdb511c580cb049eb1b801a2e154d24ec65258ab0a44cd3fb56f696788464d4c442c86506a14a8e86ef88f4e2ef313a6c378a5175bd961e97ce376d6eabba7e3d8da7e0c6d0546246df444a432f7ba94c5616976613b0b793f920fc385855e4771716d950e258c7202017fa11efff5450ca23a1cd4aa48cb4f3e348c6d176d706da1bb4dab7c55362cbef4a69a44de2ebc1e8a75f5dbbbadd7428551bee1ec88464cd97f8140983dab596084cd4fa5b8cbe40339dfcbbc118a2ac9e383378ea38f849dfc7fc240451ce48f0badc35f8a61fa1f0ad95cb046556431a31f1a1c2ba5ded0e44d2b0aee38a68c735a53c75f9be0f618fb5458074b011c09f0e36c2d6f8aeb7dc20a7064d06d33c35c8c3d129b8459b089bdb46d7d88f03bf667da64c12e2f36e3c01e2b94d595b1637a3962dfe74752c34b545c178c14d7d1e808d4ab3cd999112a1d018757a4cd9307f5f6f6210408242852ac9bcfb48f4238dc07f28e11832b52e5dc4b804b7080de661387d70de6dd1c72086a263c5ccd6c7b7698100cf891c8d844d60e45e9f9a44a12ccccb1d0a4faa0477af0e7e2b23e46743c0951efabed47d429290bb179b39c7c2b7e4a957d9923ca77b3356546e11ba45f3225e8ec8dc7d51bb5d5ffdcd4d3344549ec753c3bab9f5038c787a16c3a3d839dc320eab9beca0707c3dea17e523b7e07b84865c09f4dfb1a5692fb4d39ccaf09831cdc8f2254b61dab1fddaf6924d5c70fbbc6619a39280382229c6a4bda78672d7cbad8e0f442ea56a216bbe7e9d814c2e805ec1bce2fdc7f4b128bb9fba375c73c5c5f372ce1009aef79df6a40f88ff6306b341a94b6b977361383322cead0a99d3b7f3e51c7d507dcc609c656bd2d128308858fe83ecdb5fdca9468c788224dda7873a45f93eb606591b101fcafffcd02a6c4d9b317d3c9e934e5e2cc4826f614d7d4a52df91ff8a13b2b24cc6cbcd677bfe8f10c97f3d9148ef164b19b249acd0a31600c2e57e5142c873c92825d61736a6bf157865769169d0303114ab06c296ebf6a6efec6bde8c3ead16dd9d11acafcfbab6fab7b5dee46de0dacffdfd01bec8d5f248e62254ceb9fcfdaf1f483fa7b46da86dbd0f2542c37b3543b97cc8288e2089efc5d7f94523ffc180686e941943f13b94461e2b32f973c46368a443c3cfa2ff2e901f1d2cf846a4e790a88791896d35def9cfb64920cc189195fb6714eb890dfe46865934465d57e1a725f50690031f84e3dd2b4dbaa650c560981417524c283b6ac497c3afba6c479c4efe
a1ffcbe0324b7520a1d7a4a543cb51d24e95e00f77df244130809c8220ab633e5a36f85f92c1e514ce080ac045dc1c72e1ba1ebda45fc4648797ab2de9461f1c549b30507f2de8a90e18d89d8eaa9d96b0f79187efc71a09bcbb5d72efff670fdfa92ae3fe67f531ab1412baafd777f4effa8ffe1e29b67c75ee6cb31ff2557a3d6f20ce154b622a49f85404b803be965df9e6b17cad808a9a5f79d02f51daf55e611cf8dc3e2686c3d576cb2c3d6284c1e68cf30fdeaf5f77833423391d44f0a10a156ffab8ab353b1db83d20a8676aaf7df91b86cd9a0af81cce5145021775e634e5fa1c27aae1fc4e5649abe5dd63f0f4dcd108c9c160a5c9d47232f30913d3178fc271c28ff0452fec5fcc518aa33211fa58cd89b5732fa433684daf4a0dfb125a3125bfdfb0270d068ffc764b1d3660b7f00cfb17d657b7525c436feaf1641e3a52946703ed88735ed27431ca4bc7e8f23af5a75c3ca4758adecfaa5c7dd84c3a687d3ab0f134b078424be3caa597a089be15da7ba11213efe2731654655bf44d97d7a772e30191f076a7f2a77389ceaa1ff3b4f38a1980e2d6d60e7d9de13b2ec756750c19e2796ab222ae72430002c1dfc5cbef95c2a293f6551c3c3d9f45fe3e0bffe7634f743ba76136d9a1036ede69c45fd0e6ec41a7e54c671ee305d52f096d24fb434d1a6ae9a9855258b1fd1bbb6473f01fd024a4f30735ddd61481257408bd0eed192d463a53920c1ecffa03032a0cfca2d781286c841bbfe068ba4ebe54d5f85b71044e996eefb2a87cc416b46f91eaeb371e0bebf5a3b6d94682fef41f7662d134c0b03026589f21c68a42eb99d525bf39441e9e2c99629e07bdce24fa63d19474e580a9217618ff535f2bb33c4b8e9d8f93de67907aceed34bc5ee77fec0df652b43307b31068e58aa12594557d9332db1004ef4195bb70006b372fbda0c285cd06144333da4c51894c7d56bbf8178adf9f8444c2247de75439c9a647d3ddaf73b71e1882ff62a830e88b4f605b8007a51b099cfefb4d159d3760ca49689995ead30a41c9da2a45ac87233e1a58318ff45e30574aa50cebacecadd4bedda591ef5f12d4edc1f94b12d1202522c4b8eafbfdf71bf9bc4b68c80a97de3c74b149ecd518293f01e93f16dca34c00d80c245482ec6be1291af7db011b59cef75e2926f92a6c5b03f815250df450f3a97684b1f4d74c0e4057ec28d07506ccf73334ecfe505182680378ba4d8eaf7e477bebd74237b24f275ff0a51420db8c753d5ef3f9fec7cc894e2467e3b91b5d82d6fde4efb740fc849c7748534c58e4d09301bbdb8397f1e5f3766289cd9efeadf47d1a0de77ffba3135e551f98c20107a81d0fb1e78dad6330623b5949fb438b067bf2a4df2911f51a156fd61271691af416
32ca9cde44ea380b0af67e4a257051d80f55a8e08ea8a1d0e695fb4245cb800b610e64b0df44cc6dfeeda8bfd805707e58b0f83be5c635b72659d0948e1953fe83cf4355ff1bc36064678b5e732fc5febe8bec606569e1f0f2fec2255c558a908dc9ede31169e29a5e4008e2004de50e3b07278c45985d15d768127505dc8db873f556ed373786490000d376132232001a18d76253b94b0b8b8afa42f2dba5b7ef4a9cef9cdf7fa4b4f06f75b610536de48ac26e6b7436bacd386042e223285bae58f54649a747fc2354433944c73d5adffbf017a93359074876786c9813f8e589977ccd2478c6098c9f9aa8718cf6e7ffa259667c205d63f15c519bbd2fdca0cbae24c29e1eba0537ad92a5a3120d04a94ff15805d54e68f7b10b64d20cbcb099c328a4568513d942b63c57f90eb51e46f7bf7b08c355492615597a00ea5b5a7d4062f392638a41ad9d21528068f1bfe9c163d36b49a9362393bbb90b51cef77dbce2aa2220e90ee65fdbb4cc6a82fac06744366c0989172d1d54a2ca4f38b46dc357a8e3821e353bd1f14490d0dbd033c54f90215cc521689f531b8664a6f4db56cc9227ddc09991f784b224aa8e615c763b580fa7d3463a9a9a7a6e87e6a9de5ccbedfffff3d15578c8f2401caabe808bc3894560f51e209a48a3e1dde9cea865b4b3a2ada7aeeb8f7c478b74eb0f092962b73aac0cbf0a1882fe8f7a4b41dbeba635d278923b07259fa5ee30994b0fe6973c40a97fcf07a93fe4756d5d7b15670d2c3a933791ae694e5cf638343cad71421151285dbf8cf307ace39e1c7126c33f12e22d8f58d3ecd21e63ba565281e91fff0f85bb589753514f882c5e7063ecb0c29aab3ae6293a29a5ac178b55a3ada31e48071379542e2c726263f4b0e0e1a2ccdd2a8179b598c7f5511e5515c705cd53facedb1913c252da5fda93e12e493fce23a2f43bd48f50de8ae1fa5584582471edb3adc31e34f7d95337c78711ffb9722ac081a5d8668a02008abecafca4eae909d9cd32e0fdfebb8c7fce8e782988d9b51fc022485f1c37895981c0202cf94479e6b82230b7ebe41b8d742e50f8d11732658cec52f55003c3cb13db67c37cac10a43f0f8c041e458e3a60550f8e87b5df708d2baeb688918f90b5221ca532d94e86e9c0965b0c935300a8e31d049c71063e461283cb71d983c4b68d748d98854c6dc17258805748688cb8e45df24980669b8141726c867da0e1b54ffb3deb9ba4927e1aa3a748055461a42d34d700669bfd38f744fae93a992d1c8f478cf2303a514dfca6db9ffc53618bd01e5303f7f7064a727b886bd4266a4396edf4437ff076b0887a791a6330de1eafb1a19d0b276cace3835c91374d5385020e7faf58e62b065e9f783953079b22fa0706dc3b3659ab68
c962e97aa1b41bbabf6766c11edcb569adf6593def8b74cc5d1115d947eea850ab60e505fc344f8c98fca7e15719e95e1d3580df70ae2bd9d03b1f7723ce5270abbeb9abd72a23974afe1b17f8265839c1bb84c2b026ee0b2f65d7a4548fcb77e2709720257f686207d1623a0bfa3dc636d6f4c9099908773d274c81a5fd1e7c4c09a0</script> <div class="hbe hbe-content"> <div class="hbe hbe-input hbe-input-xray"> <input class="hbe hbe-input-field hbe-input-field-xray" type="password" id="hbePass"> <label class="hbe hbe-input-label hbe-input-label-xray" for="hbePass"> <span class="hbe hbe-input-label-content hbe-input-label-content-xray">这里面是我的个人简历哦,需要密码才能进入!.</span> </label> <svg class="hbe hbe-graphic hbe-graphic-xray" width="300%" height="100%" viewBox="0 0 1200 60" preserveAspectRatio="none"> <path d="M0,56.5c0,0,298.666,0,399.333,0C448.336,56.5,513.994,46,597,46c77.327,0,135,10.5,200.999,10.5c95.996,0,402.001,0,402.001,0"></path> <path d="M0,2.5c0,0,298.666,0,399.333,0C448.336,2.5,513.994,13,597,13c77.327,0,135-10.5,200.999-10.5c95.996,0,402.001,0,402.001,0"></path> </svg> </div> </div></div><script data-pjax src="/lib/hbe.js"></script><link href="/css/hbe.style.css" rel="stylesheet" type="text/css">]]></content>
<summary type="html">Something here is encrypted; please enter the password to view it.</summary>
</entry>
<entry>
<title>Server Forensics Exercise 2</title>
<link href="https://blog.r1ng13.top/posts/9fa40007.html"/>
<id>https://blog.r1ng13.top/posts/9fa40007.html</id>
<published>2023-05-27T14:19:03.000Z</published>
<updated>2023-05-22T14:00:00.000Z</updated>
<content type="html"><![CDATA[<h1 id="案情介绍"><a href="#案情介绍" class="headerlink" title="案情介绍"></a>案情介绍</h1><p> 2021年7月12日,上午8点左右,警方接到被害人张某(张有财)报案,声称自己被敲诈数万元;经询问,张某被嫌疑人诱导裸聊,下载了某“裸聊”软件,导致自己的通讯录和裸聊视频被嫌疑人获取,对其进行敲诈,最终张某不堪重负,选择了报警;警方从张某提供的本人手机中(手机号为18805533089),定向采集到了该“裸聊”软件,通个裸聊APK软件的分析,警方找到了后台服务器地址,并调取了服务器镜像(web.E01),请各位取证工作者回答下列问题:</p><h1 id="1-检材web-E01的操作系统版本是"><a href="#1-检材web-E01的操作系统版本是" class="headerlink" title="1.检材web.E01的操作系统版本是"></a>1.检材web.E01的操作系统版本是</h1><h2 id="解题"><a href="#解题" class="headerlink" title="解题"></a>解题</h2><p> <strong>思路:</strong></p><p>方法一:</p><p>使用仿真软件进行仿真后发现这是centos服务器,使用以下命令可以发现这个检材的操作系统的版本</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">cat /etc/centos-release</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230425092053149.png" alt="image-20230425092053149"></p><p>方法二:</p><p>使用盘古石计算机取证软件进行检测</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230425092631826.png" alt="image-20230425092631826"></p><h2 id="答案"><a href="#答案" class="headerlink" title="答案"></a>答案</h2><p> 检材web.E01的操作系统版本是CentOS Linux release 7.9.2009</p><h1 id="2-检材web-E01中,操作系统的内核版本是"><a href="#2-检材web-E01中,操作系统的内核版本是" class="headerlink" title="2.检材web.E01中,操作系统的内核版本是"></a>2.检材web.E01中,操作系统的内核版本是</h1><h2 id="解题-1"><a href="#解题-1" class="headerlink" title="解题"></a>解题</h2><pre><code> **思路:**</code></pre><p>方法一:</p><p>使用仿真软件进行仿真,输入以下命令查看操作系统的内核版本</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">uname -r</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230425093026007.png" alt="image-20230425093026007"></p><p>方法二:</p><p>使用盘古石计算机取证软件进行检测操作系统的内核版本</p><p><img 
src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230425092832386.png" alt="image-20230425092832386"></p><h2 id="答案-1"><a href="#答案-1" class="headerlink" title="答案"></a>答案</h2><p> 操作系统的内核版本是<strong>3.10.0-1160.31.1.el7.x86_64</strong></p><h1 id="3-检材web-E01服务器中,最后一条操作命令为:"><a href="#3-检材web-E01服务器中,最后一条操作命令为:" class="headerlink" title="3. 检材web.E01服务器中,最后一条操作命令为:"></a>3. 检材web.E01服务器中,最后一条操作命令为:</h1><h2 id="解题-2"><a href="#解题-2" class="headerlink" title="解题"></a>解题</h2><p> <strong>思路:</strong>使用linux命令进行查看,除去我自己输入的命令,最后一个是下图中的</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">history</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230425093503257.png" alt="image-20230425093503257"></p><h2 id="答案-2"><a href="#答案-2" class="headerlink" title="答案"></a>答案</h2><p> 检材web.E01服务器中,最后一条操作命令为<strong>shutdown now</strong></p><h1 id="4-检材web-E01服务器中,远程连接服务所使用的端口号为:"><a href="#4-检材web-E01服务器中,远程连接服务所使用的端口号为:" class="headerlink" title="4. 检材web.E01服务器中,远程连接服务所使用的端口号为:"></a>4. 检材web.E01服务器中,远程连接服务所使用的端口号为:</h1><h2 id="解题-3"><a href="#解题-3" class="headerlink" title="解题"></a>解题</h2><p> <strong>思路:</strong>进行仿真之后使用linux的命令可以查看远程连接服务所使用的端口号</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">netstat -tunlp | grep ssh</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230425094053181.png" alt="image-20230425094053181"></p><h2 id="答案-3"><a href="#答案-3" class="headerlink" title="答案"></a>答案</h2><p> 检材web.E01服务器中,远程连接服务所使用的端口号为:<strong>7001</strong></p><h1 id="5-该后台服务器中,在案发前,管理员最后一次登陆服务器的IP地址为(答案格式111-111-111-111)"><a href="#5-该后台服务器中,在案发前,管理员最后一次登陆服务器的IP地址为(答案格式111-111-111-111)" class="headerlink" title="5. 
该后台服务器中,在案发前,管理员最后一次登陆服务器的IP地址为(答案格式111.111.111.111)"></a>5. 该后台服务器中,在案发前,管理员最后一次登陆服务器的IP地址为(答案格式111.111.111.111)</h1><h2 id="解题-4"><a href="#解题-4" class="headerlink" title="解题"></a>解题</h2><p> <strong>思路:</strong>使用linux的命令last可以查看最近登录ip</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">last</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230425141717165.png" alt="image-20230425141717165"></p><h2 id="答案-4"><a href="#答案-4" class="headerlink" title="答案"></a>答案</h2><p> 该后台服务器中,在案发前,管理员最后一次登陆服务器的IP地址为:<strong>192.168.72.1</strong> </p><h1 id="6-检材web-E01中,嫌疑人架设网站使用了何种工具架设了网站"><a href="#6-检材web-E01中,嫌疑人架设网站使用了何种工具架设了网站" class="headerlink" title="6. 检材web.E01中,嫌疑人架设网站使用了何种工具架设了网站"></a>6. 检材web.E01中,嫌疑人架设网站使用了何种工具架设了网站</h1><h2 id="解题-5"><a href="#解题-5" class="headerlink" title="解题"></a>解题</h2><p> <strong>思路:</strong></p><p>方法一:</p><p> 通过查询历史命令,发现宝塔的命令</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230425094557701.png" alt="image-20230425094557701"></p><p>接着仿真使用宝塔命令验证</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230425094652382.png" alt="image-20230425094652382"></p><p>方法二:</p><p> 通过盘古石计算机取证软件进行查看,可以发现嫌疑人使用的宝塔进行搭建的网站</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230425094939700.png" alt="image-20230425094939700"></p><h2 id="答案-5"><a href="#答案-5" class="headerlink" title="答案"></a>答案</h2><p> 检材web.E01中,嫌疑人架设网站使用了工具<strong>宝塔</strong>架设了网站</p><h1 id="7-接上一题,请问架设网站的工具的登陆用户名为:"><a href="#7-接上一题,请问架设网站的工具的登陆用户名为:" class="headerlink" title="7. 接上一题,请问架设网站的工具的登陆用户名为:"></a>7. 
接上一题,请问架设网站的工具的登陆用户名为:</h1><h2 id="解题-6"><a href="#解题-6" class="headerlink" title="解题"></a>解题</h2><p> <strong>思路:</strong></p><p>方法一:</p><p>在仿真后,输入宝塔面板的启动命令</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">bt 14</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230425095147998.png" alt="image-20230425095147998"></p><p>方法二:</p><p>使用盘古石计算机取证软件进行分析,也可以发现架设网站的工具的登陆用户名(此处感叹科技改变人类,取证软件太变态辣)</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230425095425037.png" alt="image-20230425095425037"></p><h2 id="答案-6"><a href="#答案-6" class="headerlink" title="答案"></a>答案</h2><p> 架设网站的工具的登陆用户名为<strong>yun9tinp</strong></p><h1 id="8-该后台网站对外提供服务所使用的端口号为:"><a href="#8-该后台网站对外提供服务所使用的端口号为:" class="headerlink" title="8. 该后台网站对外提供服务所使用的端口号为:"></a>8. 该后台网站对外提供服务所使用的端口号为:</h1><h2 id="解题-7"><a href="#解题-7" class="headerlink" title="解题"></a>解题</h2><p><strong>思路:</strong>这个题目我看有的博主是找的宝塔的端口,我也不知道到底是哪个,都找一下吧</p><p>网站的端口为:</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230425104031778.png" alt="image-20230425104031778"></p><p>宝塔面板对外服务的端口是 </p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230425140457787.png" alt="image-20230425140457747"></p><h2 id="答案-7"><a href="#答案-7" class="headerlink" title="答案"></a>答案</h2><pre><code> 该后台网站对外提供服务所使用的端口号为:**80**(我更倾向于网站的这个端口)</code></pre><h1 id="9-该后台网站所使用的域名为(答案格式www-abc-com):"><a href="#9-该后台网站所使用的域名为(答案格式www-abc-com):" class="headerlink" title="9. 该后台网站所使用的域名为(答案格式www.abc.com):"></a>9. 
该后台网站所使用的域名为(答案格式<a href="http://www.abc.com">www.abc.com</a>):</h1><h2 id="解题-8"><a href="#解题-8" class="headerlink" title="解题"></a>解题</h2><p><strong>思路:</strong>打开宝塔面板的后台,在网站里可以发现该后台网站是使用的域名</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230425104045585.png" alt="image-20230425104045585"></p><h2 id="答案-8"><a href="#答案-8" class="headerlink" title="答案"></a>答案</h2><p> 该后台网站所使用的域名为 <strong>www.honglian7001.com</strong></p><h1 id="10-请分析该网站的后台登陆地址的url为:"><a href="#10-请分析该网站的后台登陆地址的url为:" class="headerlink" title="10.请分析该网站的后台登陆地址的url为:"></a>10.请分析该网站的后台登陆地址的url为:</h1><h1 id="11-该网站后台所使用的数据库类型为:"><a href="#11-该网站后台所使用的数据库类型为:" class="headerlink" title="11.该网站后台所使用的数据库类型为:"></a>11.该网站后台所使用的数据库类型为:</h1><h2 id="解题-9"><a href="#解题-9" class="headerlink" title="解题"></a>解题</h2><p> <strong>思路:</strong></p><p>方法一:</p><p>在仿真之后查看历史命令发现使用的数据库是mysql</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230425142043723.png" alt="image-20230425142043723"></p><p>方法二:</p><p>查看宝塔面板上的网站文件目录的database.php文件发现是mysql数据库</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230425142347125.png" alt="image-20230425142347125"></p><h2 id="答案-9"><a href="#答案-9" class="headerlink" title="答案"></a>答案</h2><p> 该网站后台所使用的数据库类型为: <strong>mysql</strong></p><h1 id="12-该网站所使用的数据库的库名(database名)为"><a href="#12-该网站所使用的数据库的库名(database名)为" class="headerlink" title="12.该网站所使用的数据库的库名(database名)为"></a>12.该网站所使用的数据库的库名(database名)为</h1><h2 id="解题-10"><a href="#解题-10" class="headerlink" title="解题"></a>解题</h2><p> <strong>思路:</strong>查看宝塔面板上的网站文件目录的database.php文件发现数据库名</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230425142512584.png" alt="image-20230425142512584"></p><h2 id="答案-10"><a href="#答案-10" class="headerlink" title="答案"></a>答案</h2><p> 该网站所使用的数据库的库名(database名)为<strong>www_honglian7001</strong></p><h1 id="13-该网站所使用的数据库的root密码为"><a href="#13-该网站所使用的数据库的root密码为" class="headerlink" 
title="13.该网站所使用的数据库的root密码为"></a>13.该网站所使用的数据库的root密码为</h1><h2 id="解题-11"><a href="#解题-11" class="headerlink" title="解题"></a>解题</h2><p> <strong>思路</strong>:在宝塔面板里进行查看,或者查看历史命令</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429133222485.png" alt="image-20230429133222485"></p><p>输入以下命令查看</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">vi /www/wwwroot/www.honglian7001.com/app/database.php</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429133321402.png" alt="image-20230429133321402"></p><h2 id="答案-11"><a href="#答案-11" class="headerlink" title="答案"></a>答案</h2><pre><code> 该网站所使用的数据库的root密码为 **15dbefa4aae110a5**</code></pre><h1 id="14-请计算-www-wwwroot-www-honglian7001-com-app目录下的文件”database-php”的SHA256值"><a href="#14-请计算-www-wwwroot-www-honglian7001-com-app目录下的文件”database-php”的SHA256值" class="headerlink" title="14.请计算/www/wwwroot/www.honglian7001.com/app目录下的文件”database.php”的SHA256值"></a>14.请计算/www/wwwroot/www.honglian7001.com/app目录下的文件”database.php”的SHA256值</h1><h2 id="解题-12"><a href="#解题-12" class="headerlink" title="解题"></a>解题</h2><p> <strong>思路:</strong>在宝塔面板找到这个路径下的文件进行下载导出,并使用Windows提供的计算SHA256的方法进行计算</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230425142835815.png" alt="image-20230425142835815"></p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">certutil -hashfile 文件路径 SHA256</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230425103912702.png" alt="image-20230425103912702"></p><h2 id="答案-12"><a href="#答案-12" class="headerlink" title="答案"></a>答案</h2><p> /www/wwwroot/www.honglian7001.com/app目录下的文件”database.php”的SHA256值为 
<strong>59ae8de6a241a029ac8a912fea003a5dc179e57c4cfd6ee182e6b43c71f3e9e8</strong></p><h1 id="15-已知,该网站后台对于账号的密码采用加盐加密,该salt值为:"><a href="#15-已知,该网站后台对于账号的密码采用加盐加密,该salt值为:" class="headerlink" title="15.已知,该网站后台对于账号的密码采用加盐加密,该salt值为:"></a><strong>15.已知,该网站后台对于账号的密码采用加盐加密,该salt值为:</strong></h1><h2 id="解题-13"><a href="#解题-13" class="headerlink" title="解题"></a>解题</h2><p> <strong>思路:</strong>在宝塔将网站进行打包成压缩包,接着将压缩包进行导出</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230425145902526.png" alt="image-20230425145902526"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230425145918849.png" alt="image-20230425145918849"></p><p>接着解压文件,并把文件夹导入VScode(vscode又记一功),在整个文件夹下检索md5,发现重要信息</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230425145821758.png" alt="image-20230425145821758"></p><h2 id="答案-13"><a href="#答案-13" class="headerlink" title="答案"></a>答案</h2><p> 该网站后台对于账号的密码采用加盐加密,该salt值为:<strong>lshi4AsSUrUOwWV</strong></p><h1 id="16-在对后台账号的密码加密处理过程中,后台一共计算几次MD5值"><a href="#16-在对后台账号的密码加密处理过程中,后台一共计算几次MD5值" class="headerlink" title="16.在对后台账号的密码加密处理过程中,后台一共计算几次MD5值"></a>16.在对后台账号的密码加密处理过程中,后台一共计算几次MD5值</h1><h2 id="解题-14"><a href="#解题-14" class="headerlink" title="解题"></a>解题</h2><p> 通过上题我们可知进行了3次MD5值的计算</p><h3 id="答案-14"><a href="#答案-14" class="headerlink" title="答案"></a>答案</h3><p> 在对后台账号的密码加密处理过程中,后台一共计算<strong>3</strong>次MD5值</p><h1 id="17-请问,网站后台的创建时间最早的管理员账号为:"><a href="#17-请问,网站后台的创建时间最早的管理员账号为:" class="headerlink" title="17.请问,网站后台的创建时间最早的管理员账号为:"></a>17.请问,网站后台的创建时间最早的管理员账号为:</h1><h2 id="解题-15"><a href="#解题-15" class="headerlink" title="解题"></a>解题</h2><p> <strong>思路:</strong></p><p><strong>方法一:数据库操作</strong></p><p>连接上数据库,使用以下sql语句进行查询</p><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">SELECT</span> <span class="operator">*</span> <span class="keyword">FROM</span> 
app_admin <span class="keyword">ORDER</span> <span class="keyword">BY</span> create_time <span class="keyword">ASC</span> LIMIT <span class="number">1</span>;</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230428162840671.png" alt="image-20230428162840671"></p><p><strong>方法二:网站重构</strong></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429133609709.png" alt=""></p><h2 id="答案-15"><a href="#答案-15" class="headerlink" title="答案"></a>答案</h2><p> 网站后台的创建时间最早的管理员账号为<strong>admin</strong></p><h1 id="网站重构过程"><a href="#网站重构过程" class="headerlink" title="网站重构过程"></a>网站重构过程</h1><h2 id="进入仿真"><a href="#进入仿真" class="headerlink" title="进入仿真"></a>进入仿真</h2><p> 打开仿真软件进行镜像的仿真,linux的登录账号和密码会是root和123456</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429003304329.png" alt="image-20230429003304329"></p><h2 id="虚拟机网卡配置"><a href="#虚拟机网卡配置" class="headerlink" title="虚拟机网卡配置"></a>虚拟机网卡配置</h2><h3 id="1-查看虚拟机网卡信息"><a href="#1-查看虚拟机网卡信息" class="headerlink" title="1.查看虚拟机网卡信息"></a><strong>1.查看虚拟机网卡信息</strong></h3><p>点击编辑里的虚拟机网络编辑器</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429003637436.png" alt="image-20230429003637436"></p><p>查看网卡VMnet8的ip(<strong>我是为了省事,直接把网卡改为和镜像的一样的了,这样后面可以直接进phpadmin里面看数据库</strong>)</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429003659276.png" alt="image-20230429003659276"></p><h3 id="2-修改镜像的网卡配置文件"><a href="#2-修改镜像的网卡配置文件" class="headerlink" title="2.修改镜像的网卡配置文件"></a>2.修改镜像的网卡配置文件</h3><p> 输入以下命令,修改网卡的配置信息</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">vi /etc/sysconfig/network-scripts/ifcfg-ens33</span><br></pre></td></tr></table></figure><p><strong>修改之前</strong></p><p><img 
src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429004011787.png" alt="image-20230429004011787"></p><p><strong>修改之后</strong></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429004140133.png" alt="image-20230429004140133"></p><p>接着输入命令</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">service network restart</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429004237812.png" alt="image-20230429004237812"></p><p>查看ip</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">ifconfig</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429004333919.png" alt="image-20230429004333919"></p><h3 id="3-使用xshell进行连接"><a href="#3-使用xshell进行连接" class="headerlink" title="3.使用xshell进行连接"></a>3.使用xshell进行连接</h3><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429004420072.png" alt="image-20230429004420072"></p><p>成功连接</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429004438840.png" alt="image-20230429004438840"></p><h2 id="网站重构"><a href="#网站重构" class="headerlink" title="网站重构"></a>网站重构</h2><h3 id="宝塔面板相关设置"><a href="#宝塔面板相关设置" class="headerlink" title="宝塔面板相关设置"></a>宝塔面板相关设置</h3><p>发现使用宝塔的命令,进行宝塔的相关配置</p><p>首先重启宝塔面板的服务,不然连接不上宝塔面板</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">bt 1</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429004754505.png" alt="image-20230429004754505"></p><p>接着使用命令修改宝塔面板的密码,之前的密码出错了,需要修改</p><figure class="highlight 
shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">bt 5</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429005002750.png" alt="image-20230429005002750"></p><p>Run the following command to get the BT panel (宝塔面板) address and login details</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">bt 14</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429005308977.png" alt="image-20230429005308977"></p><p>Inside the panel</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429005441372.png" alt="image-20230429005441372"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429005504934.png" alt="image-20230429005504934"></p>
<h3 id="网站相关配置修改"><a href="#网站相关配置修改" class="headerlink" title="网站相关配置修改"></a>Website configuration changes</h3><p>1. Check the site's domain names</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429005634680.png" alt="image-20230429005634680"></p><p>2. Point the domain at the local machine by adding the following entry to the local hosts file</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429005852022.png" alt="image-20230429005852022"></p><p>3. In the BT panel, edit the database.php file under the site directory as follows</p><p><strong>Before</strong></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429010113730.png" alt="image-20230429010113730"></p><p><strong>After</strong></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429010215469.png" alt="image-20230429010215469"></p>
<h3 id="mysql、nginx、防火墙相关配置"><a href="#mysql、nginx、防火墙相关配置" class="headerlink" title="mysql、nginx、防火墙相关配置"></a>MySQL, nginx and firewall configuration</h3><h4 id="mysql相关配置"><a href="#mysql相关配置" class="headerlink" title="mysql相关配置"></a>MySQL configuration</h4><p>Connecting to the database with phpMyAdmin fails</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429010831831.png" alt="image-20230429010831831"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429010855164.png" alt="image-20230429010855164"></p><p>The shell history shows the MySQL service had been tampered with, so it has to be restarted</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429011001760.png" alt="image-20230429011001760"></p><p>Run the following commands (both unit names are tried, since the service may be registered under either)</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">systemctl restart mysql</span><br><span class="line">systemctl restart mysqld</span><br></pre></td></tr></table></figure><p>The BT panel shows the database account is root with password <strong>15dbefa4aae110a5</strong></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429011641695.png" alt="image-20230429011641695"></p><p>Try connecting to MySQL</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">mysql -u root -p</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429011740570.png" alt="image-20230429011740570"></p>
<h4 id="nginx相关配置"><a href="#nginx相关配置" class="headerlink" title="nginx相关配置"></a>nginx configuration</h4><p>The shell history shows the nginx service was stopped</p><p>Run the following command to restart nginx</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">systemctl restart nginx</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429012912083.png" alt="image-20230429012912083"></p>
<h4 id="防火墙相关配置"><a href="#防火墙相关配置" class="headerlink" title="防火墙相关配置"></a>Firewall configuration</h4><p>The shell history shows the following operation on the firewall service; we need to repeat it for the site to be reachable</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429100753420.png" alt="image-20230429100753420"></p><p>Let's see what the AI says about it</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429100713775.png" alt="image-20230429100713775"></p><p>Then run the following command</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">systemctl stop firewalld</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429101035320.png" alt="image-20230429101035320"></p>
<h3 id="进入网站"><a href="#进入网站" class="headerlink" title="进入网站"></a>Accessing the site</h3><h4 id="后台登录地址"><a href="#后台登录地址" class="headerlink" title="后台登录地址"></a>Admin login URL</h4><p>The admin login URL turns up in the site's log files</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429083824173.png" alt="image-20230429083824173"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429084508308.png" alt="image-20230429084508308"></p><h4 id="登录"><a href="#登录" class="headerlink" title="登录"></a>Login</h4><p>Open <strong><a href="http://www.honglian7001.com/admin">http://www.honglian7001.com/admin</a></strong>; we still need an account and password</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429084753417.png" alt="image-20230429084753417"></p><h5 id="网站源码获取"><a href="#网站源码获取" class="headerlink" title="网站源码获取"></a>Obtaining the site source</h5><p>Locate the path below and compress it</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429090844594.png" alt="image-20230429090844594"></p><p>Download the archive to the local machine</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429091010797.png" alt="image-20230429091010797"></p><h5 id="寻找登录密码"><a href="#寻找登录密码" class="headerlink" title="寻找登录密码"></a>Finding the login password</h5><p> 
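Before editing the database, a candidate password (such as one recovered from a log file, as in Method 1 below) should be checked against the hash stored in app_admin using the site's own scheme, md5(md5(password) . md5(password_code)), which is quoted later in this section. The Python below is an added re-implementation of that PHP function and is not code from the post or from the site; the salt string and the stored admin hash are the values the post quotes, and the candidate list is constructed for the example.</p>
```python
"""Added example: port of the site's PHP admin password scheme.

The PHP source found in the rebuilt site hashes a password as
    md5(md5($password) . md5($password_code))
with $password_code = 'lshi4AsSUrUOwWV'. This lets an examiner confirm a
candidate password against the value stored in app_admin before changing
anything, and compute a replacement hash if Method 2 (overwriting the
stored value) is used instead.
"""
import hashlib
import hmac
import re
from typing import Iterable, Optional

# Salt ("password_code") from the site's source, as quoted in the post.
PASSWORD_CODE = "lshi4AsSUrUOwWV"

# Hash stored for the admin account in app_admin, as quoted in the post.
STORED_ADMIN_HASH = "2d17c53d0d682bbb7eac2e76828a4d79"

_HEX32 = re.compile(r"^[0-9a-f]{32}$")


def md5_hex(text: str) -> str:
    """Lower-case hex MD5 of a UTF-8 string, matching PHP's md5()."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def app_password_hash(password: str, password_code: str = PASSWORD_CODE) -> str:
    """Port of the PHP password() function: md5(md5(pw) . md5(code))."""
    return md5_hex(md5_hex(password) + md5_hex(password_code))


def is_app_hash(value: str) -> bool:
    """True if value has the shape the scheme produces (32 lower-case hex chars)."""
    return bool(_HEX32.match(value))


def verify_password(candidate: str, stored_hash: str) -> bool:
    """Check a candidate password against a stored app_admin hash."""
    if not is_app_hash(stored_hash):
        return False
    # Constant-time comparison; not needed offline, but the correct habit.
    return hmac.compare_digest(app_password_hash(candidate), stored_hash)


def find_matching_candidate(stored_hash: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose hash equals stored_hash, or None.

    Candidates come from the evidence itself (the post found 'ABC123456'
    in 06.log); this confirms the log entry really corresponds to the
    stored row instead of assuming it does.
    """
    for cand in candidates:
        if verify_password(cand, stored_hash):
            return cand
    return None


if __name__ == "__main__":
    # Constructed candidate list: the value the post read from 06.log plus noise.
    candidates = ["admin", "123456", "ABC123456"]
    hit = find_matching_candidate(STORED_ADMIN_HASH, candidates)
    # None would mean the stored row and the log entry disagree.
    print("stored admin hash matches candidate:", hit)
    # Method 2 from the post: hash of a password we choose, to write into app_admin.
    print("replacement hash for '123456':", app_password_hash("123456"))
```
<p>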
The database holds the admin account's credentials, but the password is stored as an MD5 hash (known from another question in this exercise, not repeated here). Searching the source for md5 in VS Code shows how the admin password is hashed: three MD5 calls, with a salt mixed in.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429091238834.png" alt="image-20230429091238834"></p><p>To look for the account and password in the database, connect remotely with Navicat using the following settings</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429085231549.png" alt="image-20230429085231549"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429085438008.png" alt="image-20230429085438008"></p><p>The app_admin table contains the hashed password, which is hard to reverse</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429085647959.png" alt="image-20230429085647959"></p>
<h6 id="方法一:在网站源码里搜索数据库中的密码的md5值"><a href="#方法一:在网站源码里搜索数据库中的密码的md5值" class="headerlink" title="方法一:在网站源码里搜索数据库中的密码的md5值"></a>Method 1: search the site source for the MD5 value stored in the database</h6><p>The MD5 value stored for the admin account in the database is</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">2d17c53d0d682bbb7eac2e76828a4d79</span><br></pre></td></tr></table></figure><p>Search the source for this value</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429095312004.png" alt="image-20230429095312004"></p><p>As the screenshot shows, the log file 06.log records that the password was changed to <strong>ABC123456</strong> (<strong>log files are powerful</strong>)</p><p>Logging in with it succeeds and we are in the admin backend</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429095541271.png" alt="image-20230429095541271"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429095615675.png" alt="image-20230429095615675"></p>
<h6 id="方法二-使用自己设置密码的加密结果替换数据库中的md5值"><a href="#方法二-使用自己设置密码的加密结果替换数据库中的md5值" class="headerlink" title="方法二:使用自己设置密码的加密结果替换数据库中的md5值"></a>Method 2: replace the MD5 value in the database with the hash of a password we choose</h6><p><strong>Hash algorithm</strong></p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">function password($password, $password_code='lshi4AsSUrUOwWV')</span><br><span class="line">{</span><br><span class="line"> return md5(md5($password) . md5($password_code));</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>Rewrite it as a standalone PHP script to compute the hash of a password we pick ourselves (<strong>don't ask how I know PHP, it was AI-generated; AI is changing the world</strong>)</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line"><?php</span><br><span class="line"></span><br><span class="line">function password($password, $password_code = 'lshi4AsSUrUOwWV')</span><br><span class="line">{</span><br><span class="line"> // MD5 the password and the password code separately, concatenate the two hex digests, then MD5 the result</span><br><span class="line"> return md5(md5($password) . md5($password_code));</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">// example usage:</span><br><span class="line">$password = '123456';</span><br><span class="line">$hashed_password = password($password);</span><br><span class="line">echo $hashed_password;</span><br><span class="line">?></span><br></pre></td></tr></table></figure><p>The output is</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">9eb2b9ad495a75f80f9cf67ed08bbaae</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429093028441.png" alt="image-20230429093028441"></p><p>In the database, replace the stored MD5 value <strong>2d17c53d0d682bbb7eac2e76828a4d79</strong> with <strong>9eb2b9ad495a75f80f9cf67ed08bbaae</strong></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429095845144.png" alt="image-20230429095845144"></p><p>The login password is now 123456; logging in with it succeeds</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429095940333.png" alt="image-20230429095940333"></p>
<h1 id="18-请综合分析并重构网站,本案中受害者张某的最后登陆IP是多少(答案格式111-111-111-111)"><a href="#18-请综合分析并重构网站,本案中受害者张某的最后登陆IP是多少(答案格式111-111-111-111)" class="headerlink" title="18.请综合分析并重构网站,本案中受害者张某的最后登陆IP是多少(答案格式111.111.111.111)"></a>18. Analyse and rebuild the website: what was the last login IP of the victim Zhang in this case? (answer format 111.111.111.111)</h1><h2 id="解题-16"><a href="#解题-16" class="headerlink" title="解题"></a>Solution</h2><p><strong>Approach:</strong></p><p><strong>Method 1: database query</strong></p><p> I could not get the site rebuilt at first for this question, so I had to query the database by hand. The case file gives Zhang's phone number as 18805533089, so query for it (I only realised which table to look in after reaching question 20: only the app_user table holds the phone model. Use an SQL statement for this, since the GUI tool lists very little)</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span 
class="line">1</span><br></pre></td><td class="code"><pre><span class="line">SELECT * FROM app_user WHERE name = '18805533089';</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230428170237845.png" alt="image-20230428170237845"></p><p>The following statement lists just the name and ip columns</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">SELECT name, ip FROM app_user WHERE name = '18805533089' AND ip IS NOT NULL;</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230428170635102.png" alt="image-20230428170635102"></p><p><strong>Method 2: rebuilt website</strong></p><p>In the backend's device view, search for the phone number given in the case: <strong>18805533089</strong></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429130116983.png" alt="image-20230429130116983"></p><h2 id="答案-16"><a href="#答案-16" class="headerlink" title="答案"></a>Answer</h2><p> The last login IP of the victim Zhang in this case is: <strong>192.168.1.101</strong></p>
<h1 id="19-请综合分析并重构网站,本案中嫌疑人所掌握的后台共获取了多少设备记录"><a href="#19-请综合分析并重构网站,本案中嫌疑人所掌握的后台共获取了多少设备记录" class="headerlink" title="19.请综合分析并重构网站,本案中嫌疑人所掌握的后台共获取了多少设备记录"></a>19. Analyse and rebuild the website: how many device records did the backend controlled by the suspect collect?</h1><h2 id="解题-17"><a href="#解题-17" class="headerlink" title="解题"></a>Solution</h2><p> <strong>Approach:</strong></p><p><strong>Method 1: database query</strong></p><p>The app_user table holds the device records captured by the backend; count them with the following SQL</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">SELECT COUNT(clientid) FROM app_user;</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230428175959374.png" alt="image-20230428175959374"></p><p><strong>Method 2: rebuilt website</strong></p><p>The device view in the backend shows the device count directly</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429130457780.png" alt="image-20230429130457780"></p><h2 id="答案-17"><a href="#答案-17" class="headerlink" title="答案"></a>Answer</h2><p> The backend controlled by the suspect collected <strong>6003</strong> device records</p>
<h1 id="20-请综合分析并重构网站,本案中受害者张某的手机型号在后台记录中显示为"><a href="#20-请综合分析并重构网站,本案中受害者张某的手机型号在后台记录中显示为" class="headerlink" title="20.请综合分析并重构网站,本案中受害者张某的手机型号在后台记录中显示为"></a>20. Analyse and rebuild the website: what phone model is recorded for the victim Zhang in the backend?</h1><h2 id="解题-18"><a href="#解题-18" class="headerlink" title="解题"></a>Solution</h2><p> <strong>Approach:</strong></p><p><strong>Method 1: database query</strong></p><p>Query with SQL</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">SELECT name, ip, clientid FROM app_user WHERE name = '18805533089' AND ip IS NOT NULL AND clientid IS NOT NULL;</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230428171001574.png" alt="image-20230428171001574"></p><p><strong>Method 2: rebuilt website</strong></p><p>Searching the backend for Zhang's phone number shows the device model</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429130747233.png" alt="image-20230429130747233"></p><h2 id="答案-18"><a href="#答案-18" class="headerlink" title="答案"></a>Answer</h2><p> The phone model recorded for the victim Zhang in the backend is: <strong>HONOR-NTH-AN00</strong></p>
<h1 id="21-请综合分析并重构网站,本案中受害者张某的手机通讯录中,名为“许总”的电话号码为(不需要填写空格,答案格式:18811112222)"><a href="#21-请综合分析并重构网站,本案中受害者张某的手机通讯录中,名为“许总”的电话号码为(不需要填写空格,答案格式:18811112222)" class="headerlink" title="21.请综合分析并重构网站,本案中受害者张某的手机通讯录中,名为“许总”的电话号码为(不需要填写空格,答案格式:18811112222)"></a>21. Analyse and rebuild the website: in the victim Zhang's phone contacts, what is the number of the contact named “许总”? (no spaces, answer format: 18811112222)</h1><h2 id="解题-19"><a href="#解题-19" class="headerlink" title="解题"></a>Solution</h2><p><strong>Approach:</strong></p><p><strong>Method 1: database</strong></p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">SELECT * FROM app_mobile WHERE username = '许总' AND userid = 8059;</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230428174939613.png" alt="image-20230428174939613"></p><p><strong>Method 2: rebuilt website</strong></p><p> After rebuilding the site, search the contacts view for Zhang's phone number; the entry for 许总 is there.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429132315747.png" alt="image-20230429132315747"></p><h2 id="答案-19"><a href="#答案-19" class="headerlink" title="答案"></a>Answer</h2><p> In the victim Zhang's phone contacts, the number of the contact named “许总” is: <strong>13917965858</strong></p>
<h1 id="22-请综合分析并重构网站,分析该网站第一次用于诈骗活动的时间(填写到日,格式为:2000-01-01)"><a href="#22-请综合分析并重构网站,分析该网站第一次用于诈骗活动的时间(填写到日,格式为:2000-01-01)" class="headerlink" title="22.请综合分析并重构网站,分析该网站第一次用于诈骗活动的时间(填写到日,格式为:2000-01-01)"></a>22. Analyse and rebuild the website: when was the site first used for fraud? (to the day, format 2000-01-01)</h1><h2 id="解题-20"><a href="#解题-20" class="headerlink" title="解题"></a>Solution</h2><p> <strong>Approach:</strong> look at the last entry in the contacts list and the last entry in the device list; their timestamps agree</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429132848040.png" alt="image-20230429132848040"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429132916457.png" alt="image-20230429132916457"></p><h2 id="答案-20"><a href="#答案-20" class="headerlink" title="答案"></a>Answer</h2><p> The site was first used for fraud on: <strong>2020-12-11</strong></p>
<h1 id="23-请综合分析并重构网站,分析该网站设定的邀请码为"><a href="#23-请综合分析并重构网站,分析该网站设定的邀请码为" class="headerlink" title="23.请综合分析并重构网站,分析该网站设定的邀请码为"></a>23. Analyse and rebuild the website: what invitation code did the site set?</h1><h2 id="解题-21"><a href="#解题-21" class="headerlink" title="解题"></a>Solution</h2><p> <strong>Approach:</strong> in the rebuilt site's backend, the app settings page shows the site's invitation code</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429130922146.png" alt="image-20230429130922146"></p><h2 id="答案-21"><a href="#答案-21" class="headerlink" title="答案"></a>Answer</h2><p> The invitation code set by the site is: <strong>700001</strong></p>
<h1 id="24-请综合分析并重构网站,分析该网站共记录的通信录数量为"><a href="#24-请综合分析并重构网站,分析该网站共记录的通信录数量为" class="headerlink" title="24.请综合分析并重构网站,分析该网站共记录的通信录数量为"></a>24. Analyse and rebuild the website: how many contact records did the site store in total?</h1><h2 id="解题-22"><a href="#解题-22" class="headerlink" title="解题"></a>Solution</h2><p> <strong>Approach:</strong> after rebuilding the site, the backend home page shows the total number of contact records</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429131227393.png" alt="image-20230429131227393"></p><h2 id="答案-22"><a href="#答案-22" class="headerlink" title="答案"></a>Answer</h2><p> The site stored <strong>1145085</strong> contact records in total</p>
<h1 id="25-请综合分析并重构网站,分析最常登录后台的角色昵称为"><a href="#25-请综合分析并重构网站,分析最常登录后台的角色昵称为" class="headerlink" title="25.请综合分析并重构网站,分析最常登录后台的角色昵称为"></a>25. Analyse and rebuild the website: what is the nickname of the role that logs into the backend most often?</h1><h2 id="解题-23"><a href="#解题-23" class="headerlink" title="解题"></a>Solution</h2><p> <strong>Approach:</strong> check the backend's administrator operation log, which shows</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429131753468.png" alt="image-20230429131753468"></p><h2 id="答案-23"><a href="#答案-23" class="headerlink" title="答案"></a>Answer</h2><p> The nickname of the role that logs into the backend most often is: <strong>;lkl;k</strong></p>]]></content>
<summary type="html">🥧本文是服务器取证练习2。</summary>
<category term="服务器取证" scheme="https://blog.r1ng13.top/categories/%E6%9C%8D%E5%8A%A1%E5%99%A8%E5%8F%96%E8%AF%81/"/>
<category term="网站重构" scheme="https://blog.r1ng13.top/categories/%E6%9C%8D%E5%8A%A1%E5%99%A8%E5%8F%96%E8%AF%81/%E7%BD%91%E7%AB%99%E9%87%8D%E6%9E%84/"/>
<category term="电子取证" scheme="https://blog.r1ng13.top/tags/%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81/"/>
<category term="服务器取证" scheme="https://blog.r1ng13.top/tags/%E6%9C%8D%E5%8A%A1%E5%99%A8%E5%8F%96%E8%AF%81/"/>
<category term="网站重构" scheme="https://blog.r1ng13.top/tags/%E7%BD%91%E7%AB%99%E9%87%8D%E6%9E%84/"/>
</entry>
<entry>
<title>服务器取证之网站重构练习(持续更新)</title>
<link href="https://blog.r1ng13.top/posts/838576e0.html"/>
<id>https://blog.r1ng13.top/posts/838576e0.html</id>
<published>2023-05-27T10:19:03.000Z</published>
<updated>2023-05-27T14:00:00.000Z</updated>
<content type="html"><![CDATA[<p><strong>Technology is neither good nor bad; people are. For learning only, with no intent to mislead.</strong></p><h1 id="简介"><a href="#简介" class="headerlink" title="简介"></a>Introduction</h1><p> Rebuilding a seized server is an important part of forensics: a rebuilt website presents far more of the evidence visually.</p><h2 id="题目文件链接"><a href="#题目文件链接" class="headerlink" title="题目文件链接"></a>Exercise files</h2><ul><li>Website rebuild exercise 1: the exercise files are restricted; contact me</li><li>Website rebuild exercise 2: the exercise files are restricted; contact me</li></ul>
<h1 id="网站重构练习1"><a href="#网站重构练习1" class="headerlink" title="网站重构练习1"></a>Website rebuild exercise 1</h1><h2 id="进行仿真"><a href="#进行仿真" class="headerlink" title="进行仿真"></a>Emulation</h2><p> Boot the image in the emulation software; the Linux login is root with password 123456</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230426105355810.png" alt="image-20230426105355810"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230426105731821.png" alt="image-20230426105731821"></p><h2 id="虚拟机网卡配置"><a href="#虚拟机网卡配置" class="headerlink" title="虚拟机网卡配置"></a>VM network adapter configuration</h2><p> Connecting with Xshell fails, and so does ping; after some reading it turns out the guest's adapter must be given an address on the same network as the VM's NAT-mode adapter</p><h3 id="1-尝试连接"><a href="#1-尝试连接" class="headerlink" title="1.尝试连接"></a><strong>1. Try to connect</strong></h3><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230426111403136.png" alt="image-20230426111403136"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230426111438658.png" alt="image-20230426111438658"></p><h3 id="2-查看虚拟机网卡信息"><a href="#2-查看虚拟机网卡信息" class="headerlink" title="2.查看虚拟机网卡信息"></a><strong>2. Check the VM adapter details</strong></h3><p>Open the Virtual Network Editor from the Edit menu</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230426111738442.png" alt="image-20230426111738442"></p><p>Note the IP of adapter VMnet8</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230426111914933.png" alt="image-20230426111914933"></p><h3 id="3-修改镜像的网卡配置文件"><a href="#3-修改镜像的网卡配置文件" class="headerlink" title="3.修改镜像的网卡配置文件"></a>3. Edit the image's adapter config file</h3><p> Run the following command and edit the adapter configuration</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">vi /etc/sysconfig/network-scripts/ifcfg-ens33</span><br></pre></td></tr></table></figure><p><strong>Before</strong></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230426125904430.png" alt="image-20230426125904430"></p><p><strong>After</strong></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230426130429383.png" alt="image-20230426130429383"></p><p>Then run</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">service network restart</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230426130558275.png" alt="image-20230426130558275"></p><p>Check the IP</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">ifconfig</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230426130709479.png" alt="image-20230426130709479"></p><h3 id="4-使用xshell进行连接"><a href="#4-使用xshell进行连接" class="headerlink" title="4.使用xshell进行连接"></a>4. Connect with Xshell</h3><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230426130821638.png" alt="image-20230426130821638"></p><p>Connected</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230426130853465.png" alt="image-20230426130853465"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230426130927163.png" alt="image-20230426130927163"></p>
<h2 id="网站重构"><a href="#网站重构" class="headerlink" title="网站重构"></a>Website rebuild</h2><p>The history shows BT panel (宝塔) commands were used; run the BT command to bring up the panel</p><figure class="highlight apache"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="attribute">bt</span> <span class="number">14</span></span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230426131230214.png" alt="image-20230426131230214"></p><p>Open the panel link and log in with the account and password shown; it fails</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230426131659959.png" alt="image-20230426131659959"></p><p>Run the following in Xshell to reset the password</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">cd /www/server/panel && btpython tools.py panel testpasswd s8nbhvgh</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230426131846022.png" alt="image-20230426131846022"></p><p>testpasswd is the new password; you can of course choose another.</p><p>Logged into the BT panel</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230426131958028.png" alt="image-20230426131958028"></p><p>Check the site's domain info</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230426132123547.png" alt="image-20230426132123547"></p><p>Locate config.php in the site's files and edit the relevant settings</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230426141331824.png" alt="image-20230426141331824"></p><p>Visiting the domain lands on a site on the public internet, not the one we are rebuilding</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230426132504519.png" alt="image-20230426132504519"></p><p>That is because the domain is not yet pointed at our local machine, so the public resource is fetched; add the following to the local hosts file</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230426132710381.png" alt="image-20230426132710381"></p><p>Visit again (<strong>key point</strong>: turn off any proxy on your machine first, otherwise it still resolves to the internet resource; I don't know why)</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230426133927304.png" alt="image-20230426133927304"></p><p>The MySQL service is not running; start the MySQL Docker container from Xshell. First list the containers</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">docker ps -a</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230426134307286.png" alt="image-20230426134307286"></p><p>Then start the MySQL container</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">docker start mysql5.6</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230426134454728.png" alt="image-20230426134454728"></p><h3 id="进入网站"><a href="#进入网站" class="headerlink" title="进入网站"></a>Accessing the site</h3><p>Finally, visit the domain again. The first time I rebuilt it I thought the browser was the problem: even after clearing cookies in Chrome I could not get in, but this time I got in, no idea why.</p><p><strong>Chrome:</strong></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230426135744718.png" alt="image-20230426135744718"></p><p><strong>Firefox</strong>:</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230426135009093.png" alt="image-20230426135009093"></p><p><strong>Brave:</strong></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230426135815928.png" alt="image-20230426135815928"></p><h2 id="总结"><a href="#总结" class="headerlink" title="总结"></a>Summary</h2><ol><li>Edit the site's configuration file</li><li>Point the domain at the local machine in hosts</li><li>Restart the MySQL Docker container</li><li>When finally visiting the domain, remember to clear the browser's cookies and the like; this also matters</li><li>Most important: do not use a proxy</li></ol>
<h1 id="网站重构练习2"><a href="#网站重构练习2" class="headerlink" title="网站重构练习2"></a>Website rebuild exercise 2</h1><h2 id="进入仿真"><a href="#进入仿真" class="headerlink" title="进入仿真"></a>Emulation</h2><p> Boot the image in the emulation software; the Linux login is root with password 123456</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429003304329.png" alt="image-20230429003304329"></p><h2 id="虚拟机网卡配置-1"><a href="#虚拟机网卡配置-1" class="headerlink" title="虚拟机网卡配置"></a>VM network adapter configuration</h2><h3 id="1-查看虚拟机网卡信息"><a href="#1-查看虚拟机网卡信息" class="headerlink" title="1.查看虚拟机网卡信息"></a><strong>1. Check the VM adapter details</strong></h3><p>Open the Virtual Network Editor from the Edit menu</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429003637436.png" alt="image-20230429003637436"></p><p>Note the IP of adapter VMnet8 (<strong>to save effort I set the adapter to match the image's network directly, so later I can open phpMyAdmin straight away to look at the database</strong>)</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429003659276.png" alt="image-20230429003659276"></p><h3 id="2-修改镜像的网卡配置文件"><a href="#2-修改镜像的网卡配置文件" class="headerlink" title="2.修改镜像的网卡配置文件"></a>2. Edit the image's adapter config file</h3><p> Run the following command and edit the adapter configuration</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">vi /etc/sysconfig/network-scripts/ifcfg-ens33</span><br></pre></td></tr></table></figure><p><strong>Before</strong></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429004011787.png" alt="image-20230429004011787"></p><p><strong>After</strong></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429004140133.png" alt="image-20230429004140133"></p><p>Then run</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">service network restart</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429004237812.png" alt="image-20230429004237812"></p><p>Check the IP</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">ifconfig</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429004333919.png" alt="image-20230429004333919"></p><h3 id="3-使用xshell进行连接"><a href="#3-使用xshell进行连接" class="headerlink" title="3.使用xshell进行连接"></a>3. Connect with Xshell</h3><p><img 
src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429004420072.png" alt="image-20230429004420072"></p><p>成功连接</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429004438840.png" alt="image-20230429004438840"></p><h2 id="网站重构-1"><a href="#网站重构-1" class="headerlink" title="网站重构"></a>网站重构</h2><h3 id="宝塔面板相关设置"><a href="#宝塔面板相关设置" class="headerlink" title="宝塔面板相关设置"></a>宝塔面板相关设置</h3><p>发现使用宝塔的命令,进行宝塔的相关配置</p><p>首先重启宝塔面板的服务,不然连接不上宝塔面板</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">bt 1</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429004754505.png" alt="image-20230429004754505"></p><p>接着使用命令修改宝塔面板的密码,之前的密码出错了,需要修改</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">bt 5</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429005002750.png" alt="image-20230429005002750"></p><p>使用命令,进入宝塔面板</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">bt 14</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429005308977.png" alt="image-20230429005308977"></p><p>进入面板</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429005441372.png" alt="image-20230429005441372"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429005504934.png" alt="image-20230429005504934"></p><h3 id="网站相关配置修改"><a href="#网站相关配置修改" class="headerlink" title="网站相关配置修改"></a>网站相关配置修改</h3><p>1.查看网站相关域名</p><p><img 
src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429005634680.png" alt="image-20230429005634680"></p><p>2.将域名指向本地,在本地的hosts文件里进行以下相关配置</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429005852022.png" alt="image-20230429005852022"></p><h3 id="mysql、nginx、防火墙相关配置"><a href="#mysql、nginx、防火墙相关配置" class="headerlink" title="mysql、nginx、防火墙相关配置"></a>mysql、nginx、防火墙相关配置</h3><h4 id="mysql相关配置"><a href="#mysql相关配置" class="headerlink" title="mysql相关配置"></a>mysql相关配置</h4><p>尝试使用phpadmin连接数据库,发现连接不上</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429010831831.png" alt="image-20230429010831831"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429010855164.png" alt="image-20230429010855164"></p><p>查看历史命令是因为mysql的服务被操作过,要重启服务</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429011001760.png" alt="image-20230429011001760"></p><p>执行以下命令</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">systemctl restart mysql</span><br><span class="line">systemctl restart mysqld</span><br></pre></td></tr></table></figure><p>在宝塔面板发现数据库的账号为root密码为<strong>15dbefa4aae110a5</strong></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429011641695.png" alt="image-20230429011641695"></p><p>尝试连接mysql</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">mysql -u root -p</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429011740570.png" alt="image-20230429011740570"></p><h4 id="nginx相关配置"><a href="#nginx相关配置" class="headerlink" 
title="nginx相关配置"></a>nginx configuration</h4><p>Looking through the command history shows that the nginx service had been stopped.</p><p>Run the following command to restart the nginx service:</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">systemctl restart nginx</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429012912083.png" alt="image-20230429012912083"></p><p>Check the status of nginx with:</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">sudo systemctl status nginx</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429121940647.png" alt="image-20230429121940647"></p><h4 id="防火墙相关配置"><a href="#防火墙相关配置" class="headerlink" title="防火墙相关配置"></a>Firewall configuration</h4><p>The command history shows the following operations on the firewall service.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429100753420.png" alt="image-20230429100753420"></p><p>Let us see what the AI says about them.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429100713775.png" alt="image-20230429100713775"></p><p>Check the current firewall state with the following command; it is reported as active.</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">systemctl status firewalld</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429122309841.png" alt="image-20230429122309841"></p><p>Next, run the following command to stop the firewall:</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">systemctl stop firewalld</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429101035320.png" alt="image-20230429101035320"></p><p>Running systemctl status firewalld again now reports the state as inactive.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429122444336.png" alt="image-20230429122444336"></p><h3 id="进入网站-1"><a href="#进入网站-1" class="headerlink" title="进入网站"></a>Accessing the website</h3><h4 id="后台登录地址"><a href="#后台登录地址" class="headerlink" title="后台登录地址"></a>Admin login URL</h4><p>The admin login URL turns up in the website's log files.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429083824173.png" alt="image-20230429083824173"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429084508308.png" alt="image-20230429084508308"></p><h4 id="登录"><a href="#登录" class="headerlink" title="登录"></a>Logging in</h4><p>Visiting <strong><a href="http://www.honglian7001.com/admin">http://www.honglian7001.com/admin</a></strong> requires an account and password, which we still have to find.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429084753417.png" alt="image-20230429084753417"></p><h5 id="网站源码获取"><a href="#网站源码获取" class="headerlink" title="网站源码获取"></a>Obtaining the website source</h5><p>Locate the following path and compress it.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429090844594.png" alt="image-20230429090844594"></p><p>Download the archive to the local machine.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429091010797.png" alt="image-20230429091010797"></p><h5 id="寻找登录密码"><a href="#寻找登录密码" class="headerlink" title="寻找登录密码"></a>Finding the login password</h5><p>We know the database holds the password of the admin account, but it is stored as an MD5 hash (this was learned in another question of the same challenge and is not repeated here). Searching the source in VS Code for "md5" to find how the admin password is hashed shows that MD5 is applied three times together with a salt.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429091238834.png" alt="image-20230429091238834"></p><p>To look for the account and password in the database, connect remotely with Navicat using the following settings and browse its contents.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429085231549.png" alt="image-20230429085231549"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429085438008.png" alt="image-20230429085438008"></p><p>The app_admin table contains the hashed password, which is hard to reverse.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429085647959.png" alt="image-20230429085647959"></p><h6 id="方法一:在网站源码里搜索数据库中的密码的md5值"><a href="#方法一:在网站源码里搜索数据库中的密码的md5值" class="headerlink" title="方法一:在网站源码里搜索数据库中的密码的md5值"></a>Method 1: search the website source for the password's MD5 value from the database</h6><p>In the database, the MD5 value of the password for the admin account is:</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">2d17c53d0d682bbb7eac2e76828a4d79</span><br></pre></td></tr></table></figure><p>Search the source for this value.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429095312004.png" alt="image-20230429095312004"></p><p>As the screenshot shows, the log file 06.log records that the password was changed to <strong>ABC123456</strong> (<strong>log files are great</strong>).</p><p>Trying this password, the login succeeds and we are in the admin panel.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429095541271.png" alt="image-20230429095541271"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429095615675.png" alt="image-20230429095615675"></p><h6 id="方法二-使用自己设置密码的加密结果替换数据库中的md5值"><a href="#方法二-使用自己设置密码的加密结果替换数据库中的md5值" class="headerlink" title="方法二:使用自己设置密码的加密结果替换数据库中的md5值"></a>Method 2: replace the MD5 value in the database with the hash of a password we choose</h6><p><strong>Hashing algorithm</strong></p><figure class="highlight php"><table><tr><td class="code"><pre><span class="line">function password($password, $password_code='lshi4AsSUrUOwWV')</span><br><span class="line">{</span><br><span class="line">    return md5(md5($password) . md5($password_code));</span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>Rewrite it as a standalone PHP script to compute the hash of the password we want to set (<strong>don't ask why I know PHP, the AI generated it; AI is changing the world</strong>).</p><figure class="highlight php"><table><tr><td class="code"><pre><span class="line"><?php</span><br><span class="line"></span><br><span class="line">function password($password, $password_code = 'lshi4AsSUrUOwWV')</span><br><span class="line">{</span><br><span class="line">    // MD5 the password and the salt separately, concatenate the two digests, then MD5 the result</span><br><span class="line">    return md5(md5($password) . md5($password_code));</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">// example usage:</span><br><span class="line">$password = '123456';</span><br><span class="line">$hashed_password = password($password);</span><br><span class="line">echo $hashed_password;</span><br><span class="line">?></span><br></pre></td></tr></table></figure><p>The output is:</p><figure class="highlight shell"><table><tr><td class="code"><pre><span class="line">9eb2b9ad495a75f80f9cf67ed08bbaae</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429093028441.png" alt="image-20230429093028441"></p><p>In the database, replace the password's MD5 value <strong>2d17c53d0d682bbb7eac2e76828a4d79</strong> with <strong>9eb2b9ad495a75f80f9cf67ed08bbaae</strong>.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429095845144.png" alt="image-20230429095845144"></p><p>The login password is now 123456; trying it, the login succeeds.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230429095940333.png" alt="image-20230429095940333"></p><h3 id="总结-1"><a href="#总结-1" class="headerlink" title="总结"></a>Summary</h3><ul><li>It took several attempts at reproduction before this challenge's site was successfully rebuilt.</li><li>Remember to check the history on the Linux server; it pays off.</li><li>Remember to stop the firewall service. (Thanks to my junior for the reminder, @Jokak)</li></ul>]]></content>
<summary type="html">🥧This post is a server-forensics exercise in rebuilding a website, intended only as personal practice and for reference.</summary>
<category term="服务器取证" scheme="https://blog.r1ng13.top/categories/%E6%9C%8D%E5%8A%A1%E5%99%A8%E5%8F%96%E8%AF%81/"/>
<category term="电子取证" scheme="https://blog.r1ng13.top/tags/%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81/"/>
<category term="服务器取证" scheme="https://blog.r1ng13.top/tags/%E6%9C%8D%E5%8A%A1%E5%99%A8%E5%8F%96%E8%AF%81/"/>
</entry>
<entry>
<title>bugku automatic check-in script</title>
<link href="https://blog.r1ng13.top/posts/b01f6495.html"/>
<id>https://blog.r1ng13.top/posts/b01f6495.html</id>
<published>2023-05-24T02:19:03.000Z</published>
<updated>2023-05-24T14:00:00.000Z</updated>
<content type="html"><![CDATA[<h1 id="代码"><a href="#代码" class="headerlink" title="代码"></a>Code</h1><figure class="highlight python"><table><tr><td class="code"><pre><span class="line">from time import sleep</span><br><span class="line">import json</span><br><span class="line">import requests</span><br><span class="line">import logging</span><br><span class="line">import ddddocr</span><br><span class="line">import re</span><br><span class="line"></span><br><span class="line">ocr = ddddocr.DdddOcr()</span><br><span class="line"></span><br><span class="line">LOG_FORMAT = '%(asctime)s %(levelname)s\t %(thread)d %(lineno)d %(funcName)s\t\t%(message)s'</span><br><span class="line"># logging.basicConfig(handlers=[logging.FileHandler('log.log', 'a', 'utf-8')],level=logging.INFO, format=LOG_FORMAT)</span><br><span class="line">logging.basicConfig(level=logging.INFO, format=LOG_FORMAT)</span><br><span class="line"></span><br><span class="line">headers = {</span><br><span class="line">    'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',</span><br><span class="line">    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36',</span><br><span class="line">    'X-Requested-With': 'XMLHttpRequest'</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"># Added DingTalk notification feature (module-level version, superseded by the method below)</span><br><span class="line"># def dingtalk(content):</span><br><span class="line">#     """</span><br><span class="line">#     DingTalk notification function</span><br><span class="line">#     :param content: the content to send</span><br><span class="line">#     :return: none</span><br><span class="line">#     """</span><br><span class="line">#     webhook_url = ''</span><br><span class="line">#     dd_headers = {</span><br><span class="line">#         "Content-Type": "application/json",</span><br><span class="line">#         "Charset": "UTF-8"</span><br><span class="line">#     }</span><br><span class="line">#     dd_message = {</span><br><span class="line">#         "msgtype": "text",</span><br><span class="line">#         "text": {</span><br><span class="line">#             "content": f'BugKu 签到通知\n{content}'</span><br><span class="line">#         }</span><br><span class="line">#     }</span><br><span class="line">#</span><br><span class="line">#     r = requests.post(url=webhook_url, headers=dd_headers, data=json.dumps(dd_message))</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">class bugku():</span><br><span class="line">    def __init__(self) -> None:</span><br><span class="line">        self.session = requests.session()</span><br><span class="line">        self.session.headers.update(headers)</span><br><span class="line">        self.num = 10  # remaining retries, shared by captcha fetching and login</span><br><span class="line">        self.is_login = False</span><br><span class="line"></span><br><span class="line">    # Moved the function into the class; written with OpenAI, works nicely</span><br><span class="line">    def dingtalk(self, content):</span><br><span class="line">        """</span><br><span class="line">        Send a notification to the DingTalk webhook</span><br><span class="line"></span><br><span class="line">        Parameters:</span><br><span class="line">            content (str): The content of the notification</span><br><span class="line"></span><br><span class="line">        Returns:</span><br><span class="line">            None</span><br><span class="line">        """</span><br><span class="line">        webhook_url = ''</span><br><span class="line">        dd_headers = {</span><br><span class="line">            "Content-Type": "application/json",</span><br><span class="line">            "Charset": "UTF-8"</span><br><span class="line">        }</span><br><span class="line">        dd_message = {</span><br><span class="line">            "msgtype": "text",</span><br><span class="line">            "text": {</span><br><span class="line">                "content": f'BugKu 签到通知\n{content}'</span><br><span class="line">            }</span><br><span class="line">        }</span><br><span class="line"></span><br><span class="line">        r = self.session.post(url=webhook_url, headers=dd_headers, data=json.dumps(dd_message))</span><br><span class="line"></span><br><span class="line">    def get_captcha(self):</span><br><span class="line">        if self.num <= 0:</span><br><span class="line">            logging.warning('验证码重试次数太多')</span><br><span class="line">            exit(0)</span><br><span class="line">        url = 'https://ctf.bugku.com/captcha.html0.9004209313422487'</span><br><span class="line">        res = self.session.get(url)</span><br><span class="line">        if res.status_code == 200:</span><br><span class="line">            # OCR the captcha image and keep only word characters</span><br><span class="line">            code = ocr.classification(res.content)</span><br><span class="line">            c = ''.join(re.findall(r'\w', code))</span><br><span class="line">            if len(c) == 4:</span><br><span class="line">                logging.info('验证码成功:' + c)</span><br><span class="line">                # self.session.headers.update(res.headers)</span><br><span class="line">                return c</span><br><span class="line">            else:</span><br><span class="line">                sleep(3)</span><br><span class="line">                self.num -= 1</span><br><span class="line">                return self.get_captcha()  # retry, passing the recognised code back to the caller</span><br><span class="line">        else:</span><br><span class="line">            sleep(3)</span><br><span class="line">            self.num -= 1</span><br><span class="line">            return self.get_captcha()</span><br><span class="line"></span><br><span class="line">    def login(self, username, password):</span><br><span class="line">        if self.num <= 0:</span><br><span class="line">            logging.warning('登录重试次数太多')</span><br><span class="line">            exit(0)</span><br><span class="line">        login_url = 'https://ctf.bugku.com/login/check.html'</span><br><span class="line">        code = self.get_captcha()</span><br><span class="line">        data = {'username': username, 'password': password, 'vcode': code, 'autologin': '1'}</span><br><span class="line">        res = self.session.post(url=login_url, data=data, headers=headers)</span><br><span class="line"></span><br><span class="line">        if '登录成功' in res.text:</span><br><span class="line">            logging.info(f'{username} 登录成功:{res.text}')</span><br><span class="line">            # self.session.headers.update(res.headers)</span><br><span class="line">            self.is_login = True</span><br><span class="line">        else:</span><br><span class="line">            logging.error('登录失败:' + res.text)</span><br><span class="line">            sleep(3)</span><br><span class="line">            self.num -= 1</span><br><span class="line">            self.login(username, password)</span><br><span class="line"></span><br><span class="line">    def checkin(self, username, password):</span><br><span class="line">        if self.is_login:</span><br><span class="line">            response = self.session.get('https://ctf.bugku.com/user/checkin')</span><br><span class="line">            print(response.text)</span><br><span class="line">            # {"code":1,"msg":"签到成功","data":{"user_id":59654,"count":1,"coin":1},"url":"","wait":3}</span><br><span class="line">            if '成功' in response.text:</span><br><span class="line">                logging.info('签到成功:' + response.text)</span><br><span class="line">            else:</span><br><span class="line">                logging.error('失败')</span><br><span class="line"></span><br><span class="line">        else:</span><br><span class="line">            self.login(username, password)</span><br><span class="line">            response = self.session.get('https://ctf.bugku.com/user/checkin')</span><br><span class="line">            print(response.text)</span><br><span class="line">            # dingtalk(response.text)  # shortcut: just call it once here, it's only for my own use</span><br><span class="line">            self.dingtalk(response.text)  # call the dingtalk method on this instance</span><br><span class="line">            if '成功' in response.text:</span><br><span class="line">                logging.info('签到成功:' + response.text)</span><br><span class="line"></span><br><span class="line">            else:</span><br><span class="line">                logging.error('失败')</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">if __name__ == '__main__':</span><br><span class="line">    _bk = bugku()</span><br><span class="line">    _bk.checkin('', '')</span><br><span class="line"></span><br></pre></td></tr></table></figure><h1 id="食用步骤"><a href="#食用步骤" class="headerlink" title="食用步骤"></a>How to use</h1><ol><li><p>Fill in your account name and password in <strong>_bk.checkin('', '')</strong> in the script:</p><figure class="highlight python"><table><tr><td class="code"><pre><span class="line">_bk.checkin('账号xxxxxx', '密码xxxxxx')</span><br></pre></td></tr></table></figure></li><li><p>DingTalk bot setup guide: <a href="https://blog.csdn.net/weixin_43865008/article/details/120079270">python实现钉钉机器人消息自动化通知</a>; obtain the token of your own DingTalk bot.</p></li><li><p>Configure the bot token: put it into webhook_url = '' in the code.</p><figure class="highlight python"><table><tr><td class="code"><pre><span class="line">webhook_url = 'xxxxxxxxxxxxxx'</span><br></pre></td></tr></table></figure></li></ol>]]></content>
<summary type="html">🥧This post is a bugku automatic check-in script, for reference only.</summary>
<category term="bugku签到脚本" scheme="https://blog.r1ng13.top/categories/bugku%E7%AD%BE%E5%88%B0%E8%84%9A%E6%9C%AC/"/>
<category term="bugku签到脚本" scheme="https://blog.r1ng13.top/tags/bugku%E7%AD%BE%E5%88%B0%E8%84%9A%E6%9C%AC/"/>
</entry>
<entry>
<title>abc team: 2023 LitCTF writeup</title>
<link href="https://blog.r1ng13.top/posts/3a8b59cb.html"/>
<id>https://blog.r1ng13.top/posts/3a8b59cb.html</id>
<published>2023-05-16T02:19:03.000Z</published>
<updated>2023-05-16T14:00:00.000Z</updated>
<content type="html"><![CDATA[<h1 id="WEB部分"><a href="#WEB部分" class="headerlink" title="WEB部分"></a>WEB</h1><h2 id="就当无事发生生"><a href="#就当无事发生生" class="headerlink" title="就当无事发生生"></a>Pretend nothing happened (就当无事发生生)</h2><p>Approach: the repository was pulled twice, and the hint "pretend nothing happened" points at GitHub commits, so we go to 探姬's blog and find the post.<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684061928011-7e07d8d6-a779-4236-bfdc-1a0da35bef3b.png" alt="image.png"><br />Since it was pulled twice, it must be in one of the commits, so we look for the commit dated April 29.<br />The About page gives 探姬's GitHub address; open it.<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684062058777-70369218-1e90-4928-a3e3-b5664c005197.png" alt="image.png"><br />The repository the blog is built from is<br /><a href="https://github.com/ProbiusOfficial/ProbiusOfficial.github.io">ProbiusOfficial.github.io</a> <br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684062311231-1c087b21-2e2c-4865-8673-da24d881a304.png" alt="image.png"><br />Open the repository, check the Actions, and find the run for April 29, which is the one below.<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684062414021-42b986e1-69ee-4345-ab86-07aa98dcb936.png" alt="image.png"><br />Find the entry below; clicking into it reveals the flag.<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684062535007-345ce117-d014-4170-8f66-98cde614b1ce.png" alt="image.png"><br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684062591928-f506f3c7-5f5e-4b5a-a2cd-b7c07f59148c.png" alt="image.png"></p><p>So the answer is LitCTF{g1thub_c0mmit_1s_s0_us3ful}<br><a name="DoJiD"></a></p><h2 id="Http-pro-max-plus"><a href="#Http-pro-max-plus" class="headerlink" title="Http pro max plus"></a>Http pro max plus</h2><p>This challenge is about forging HTTP headers. It requires local access, so the first idea is spoofing X-Forwarded-For, but the challenge forbids XFF, so Client-IP is used instead. Once that passes, the challenge requires that the site be visited from a particular website, which means forging the Referer. After that it demands Google Chrome, so the User-Agent has to be changed. Then it says the site can only be reached through a proxy server at a specific address. We obviously cannot really use that proxy, but thinking in reverse about how a PHP back end detects proxy use, we can forge the Via request header to satisfy the check. After that we get the address of a PHP file; opening it and looking at the developer tools console reveals the flag.<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684109349607-d248c55e-3ee6-452c-867e-e6c7aa60c640.png" alt="image.png"><br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684125608718-ff531c9b-801a-4540-bf89-bf1b86834d3d.png" alt="image.png"><br />Then visit the following path.<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684125682775-8ee30d1f-12e6-45d2-aa49-bffccfca333b.png" alt="image.png"><br><a name="Atu2U"></a></p><h2 id="1zjs"><a href="#1zjs" class="headerlink" title="1zjs"></a>1zjs</h2><p>The challenge hints that the answer is in the JavaScript. From past experience the flag is usually given once the game is cleared, so we inspected every JS file but found no relevant hint, and searching the page for flag-related strings found nothing either. The difficulty is that the hint is hidden in a code comment, which is easily overlooked; following the hint in the comment to the relevant PHP file gives the flag.<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684125298645-b51e7e3b-6f88-4665-909e-cf490952bc59.png" alt="image.png"><br />This yields JSFuck-encoded code.<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684125330625-d0699e90-5d72-4f8c-8c22-a7288db73d55.png" alt="image.png"><br />Paste the content above into the console and press Enter.<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684125400993-cb893c04-138b-4a4f-a12c-3c101ae58ef9.png" alt="image.png"><br><a name="hn97I"></a></p><h2 id="这是什么?SQL!注一下"><a href="#这是什么?SQL!注一下" class="headerlink" title="这是什么?SQL!注一下"></a>What is this? SQL! Inject it (这是什么?SQL!注一下)</h2><p>The challenge already says it is SQL injection, so we only need to identify the injection type. That can be judged from the common injection types, or directly from the source when it is provided. Here a sqlmap scan gives the answer directly. With sqlmap, first use --dbs to enumerate the databases (or --current-db for the database of the current query), then -D together with --tables to list the tables of a given database, then -D, -T and --columns to list the columns of a given table, and finally dump the contents of the chosen columns. The final command is as follows:<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684109341857-da95fbc1-9275-4af5-b1c3-b19793b81f2b.png" alt="image.png"><br />Running the constructed sqlmap command gives the following result:<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684126334553-d8c0b2e1-d25a-4599-8ada-38da866890b5.png" alt="image.png"></p><h2 id="PHP是世界上最好的语言!!"><a href="#PHP是世界上最好的语言!!" class="headerlink" title="PHP是世界上最好的语言!!"></a>PHP is the best language in the world!! (PHP是世界上最好的语言!!)</h2><p>A remote code execution challenge: capture the request and craft it. The challenge says the flag is in the root directory, so we send a request, first testing a PHP system() call and finding that it works.<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684124797136-507fa395-879b-4505-8ce5-853701e846c4.png" alt="image.png"><br />Then set it to <?php system("cat /flag")?>; to read the flag.<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684127403376-6dc9e2df-6f76-43b2-b206-ed2c6b972c1e.png" alt="image.png"><br><a name="JlnQj"></a></p><h2 id="导弹迷踪"><a href="#导弹迷踪" class="headerlink" title="导弹迷踪"></a>Missile Maze (导弹迷踪)</h2><p>This is a front-end code review challenge. It says the flag is given on reaching level six. Method one: play to level six and get the flag. Method two: read the source, find the function that defines the game-over logic, and look up the flag there.<img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684124323754-643acf7c-5e6f-4c60-b2e5-a4a172408d58.png" alt="image.png"><br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684126134170-54b25d05-d4cf-4589-88cd-fcb35e55bc0a.png" alt="image.png"><br />The answer is NSSCTF{y0u_w1n_th1s_!!!}<br><a name="yjN9J"></a></p><h2 id="Follow-me-and-hack-me"><a href="#Follow-me-and-hack-me" class="headerlink" title="Follow me and hack me"></a>Follow me and hack me</h2><p>As the challenge description says, construct a POST request with the corresponding parameters; sending it returns the flag.<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684109325589-bbdc07d0-a568-4a15-b1eb-3306433fabd1.png" alt="image.png"><br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684109330310-823bff1e-a68e-4a08-963a-98046de52d97.png" alt="image.png"><br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684126538221-dc85958c-4f63-449a-90d9-796c863dbc23.png" alt="image.png"><br><a name="sInk3"></a></p><h2 id="我Flag呢?"><a href="#我Flag呢?" class="headerlink" title="我Flag呢?"></a>Where's my flag? (我Flag呢?)</h2><p>Just open the developer tools and view the page source. Note that the one shown in the console is fake.<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684125823872-a640bee8-5dff-4154-a4c6-acb25f75c2e5.png" alt="image.png"></p><p><a name="NJT2U"></a></p><h2 id="彩蛋"><a href="#彩蛋" class="headerlink" title="彩蛋"></a>Easter eggs (彩蛋)</h2><p>In "Where's my flag?", type giveMeEgg() in the console to get a hidden flag.<br />In "Follow me and hack me", follow the hint and brute-force paths to find www.zip; download the archive and the flag is in the .bak file.<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684121139307-0e157fb8-27ff-42c6-b6d3-90e1ecb0de72.png" alt="image.png"><br />In "Homework management system" (作业管理系统), visit the GitHub link to get a hidden flag.<br />In "狠狠的注入", enter 2 in the search box to get a hidden flag.<br />Concatenate the four flags in order to get the complete flag.<br><a name="mN8Wu"></a></p><h2 id="Vim-yyds"><a href="#Vim-yyds" class="headerlink" title="Vim yyds"></a>Vim yyds</h2><p>Nothing useful is found in the console or the page files; a dirsearch.py scan finds "/.index.php.swp".<br />Download the file (Huorong flags it as a virus); opening it in Kali shows<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684120410585-c4a1e7d7-66a8-4170-ba8b-80085c8a835e.png" alt="image.png"><br />Construct a POST request carrying the parameter Give_Me_Your_Flag, base64-encoded; try commands such as ls and cat, and finally cat /flag gives the flag.<br><a name="idnz5"></a></p><h2 id="ping"><a href="#ping" class="headerlink" title="ping"></a>ping</h2><h2 id="作业管理系统"><a href="#作业管理系统" class="headerlink" title="作业管理系统"></a>Homework management system (作业管理系统)</h2><h2 id="Flag点击就送"><a href="#Flag点击就送" class="headerlink" title="Flag点击就送"></a>Click to get the flag (Flag点击就送)</h2><p>It starts with an input box; type any character and press Enter, and a button for getting the flag appears.<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684128137507-310e5975-5b6d-46d9-9c6f-25bc598da936.png" alt="image.png"><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684128477644-c23fe3fb-0f3a-4a49-bf02-dcfd7f4af9d7.png" alt="image.png"><br />Capturing the request, the session cookie looks unusual, like a Flask session.<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684128329008-eb0cd49a-c575-4b8a-a121-ef60a4ebbbee.png" alt="image.png"><br />Trying a Flask session decoding script found online, it decodes successfully.<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684128739110-5f8b797f-9436-44e2-838d-9723347d8568.png" alt="image.png"><br />According to the hint we need to be logged in as the admin user, so change {"name":"11"} to {"name":"admin"} and sign it again.<br />Signing needs a secret key, however; after a few tries the key turns out to be LitCTF.<br />The signed session is eyJuYW1lIjoiYWRtaW4ifQ.ZGHA6g.qR6nGYItAoO5LfhzfyEB3u3sdbs<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684128007505-d9527662-253b-46bd-b9d4-4680fa23dd30.png" alt="image.png"><br />Replace the session, submit, and get the flag.<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684129022178-cd3c00e2-0442-46cd-9b56-d7649f2e71ce.png" alt="image.png"><br />flag: NSSCTF{4c1c2f5e-c7e3-4450-8ad8-11f3f143b95d}</p><p><a name="lWbpl"></a></p><h1 id="PWN部分"><a href="#PWN部分" class="headerlink" title="PWN部分"></a>PWN</h1><p><a name="TSwVM"></a></p><h2 id="口算题卡"><a href="#口算题卡" class="headerlink" title="口算题卡"></a>Mental arithmetic cards (口算题卡)</h2><p>After connecting with nc, the service asks for calculations; after one mistake doing them by hand, I decided to solve it with a Python script.</p><figure class="highlight python"><table><tr><td class="code"><pre><span class="line">import socket</span><br><span class="line"></span><br><span class="line">HOST = 'node6.anna.nssctf.cn'  # target host</span><br><span class="line">PORT = 28064  # target port</span><br><span class="line"># create the socket</span><br><span class="line">s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)</span><br><span class="line"></span><br><span class="line"># connect to the target host and port</span><br><span class="line">s.connect((HOST, PORT))</span><br><span class="line"></span><br><span class="line"># send a message</span><br><span class="line"># s.sendall(b'Hello, world!')</span><br><span class="line"></span><br><span class="line"># receive the response</span><br><span class="line"># the first two messages are not arithmetic questions, so consume them first</span><br><span class="line">s.recv(1024)</span><br><span class="line">s.recv(1024)</span><br><span class="line">while True:</span><br><span class="line">    data = s.recv(1024)</span><br><span class="line">    if not data:</span><br><span class="line">        break</span><br><span class="line">    # split the received text into tokens</span><br><span class="line">    li = data.decode().split()</span><br><span class="line">    # print(li[-3])</span><br><span class="line">    print(data)</span><br><span class="line">    # take the two operands and the operator and join them into an expression</span><br><span class="line">    str1 = li[-3] + ' ' + li[-2] + ' ' + li[-1][:-1].strip()</span><br><span class="line">    print(str1.strip())</span><br><span class="line">    # evaluate the expression with eval</span><br><span class="line">    result = eval(str1.strip())</span><br><span class="line">    print(result)</span><br><span class="line">    # send the result back</span><br><span class="line">    s.sendall(str(result).encode())</span><br><span class="line">    # consume the reply</span><br><span class="line">    data2 = s.recv(1024)</span><br><span class="line">    print(data2)</span><br></pre></td></tr></table></figure><p>The answer appears in the error message.<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684107564285-ea733512-183f-4357-9f22-fffe87675bf0.png" alt="image.png"></p><p><a name="hpQsF"></a></p><h2 id="只需要nc一下"><a href="#只需要nc一下" class="headerlink" title="只需要nc一下~"></a>Just nc it~ (只需要nc一下~)</h2><p>After connecting with nc, ls shows two files.<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684108034911-2101a734-13f9-498e-a347-1f5669178d2b.png" alt="image.png"><br />Running cat Dockerfile shows that the environment is started with NSSCTF{123456}, and that on startup $FLAG is written into flag.txt; ls shows no such file, however, so the flag can only be read with echo $FLAG.</p><p><a name="kiGdt"></a></p><h1 id="MISC部分"><a href="#MISC部分" class="headerlink" title="MISC部分"></a>MISC</h1><p><a name="Thuco"></a></p><h2 id="问卷"><a href="#问卷" class="headerlink" title="问卷"></a>Questionnaire (问卷)</h2><p>Open the challenge link; the flag is in the questionnaire form.<br />NSSCTF{LitCTF_2023?It's_time_to_g0to_zh1hu!!!}<br><a name="tdxT3"></a></p><h2
id="【Minecraft】玩的开心~~~"><a href="#【Minecraft】玩的开心~~~" class="headerlink" title="【Minecraft】玩的开心~~~"></a>【Minecraft】玩的开心~~~</h2><p>下载指定版本我的世界,加入在线游戏,通过获得钻石并与村民交易得到flag<br><a name="mNpZu"></a></p><h2 id="签到!-初级"><a href="#签到!-初级" class="headerlink" title="签到!(初级)"></a>签到!(初级)</h2><p>关注公众号发送签到,获得flag</p><p><a name="NoQUT"></a></p><h2 id="OSINT-这是什么地方?!"><a href="#OSINT-这是什么地方?!" class="headerlink" title="OSINT 这是什么地方?!"></a>OSINT 这是什么地方?!</h2><p>百度识图搜图可得到一些信息<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684120305071-08c6497b-8eba-4b6b-bc7e-433a956cb821.png" alt="image.png"><br />去谷歌搜索关键词:这条没人敢插队的路在哪里,找到知乎的一个链接<a href="https://www.zhihu.com/zvideo/1635440800472195073">https://www.zhihu.com/zvideo/1635440800472195073</a>里面有<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684120531262-f9d55077-6e91-4880-a75f-09c49265ac2b.png" alt="image.png"><br />根据视频介绍这地点在陕西有色榆林新材料集团<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684120580820-5778c8d1-defa-401f-ae70-0c2df42e2c71.png" alt="image.png"><br />所以答案是NSSCTF{陕西有色榆林新材料集团}<br><a name="Ws6ih"></a></p><h2 id="OSINT-探姬去哪了-0"><a href="#OSINT-探姬去哪了-0" class="headerlink" title="OSINT 探姬去哪了?_0"></a>OSINT 探姬去哪了?_0</h2><p>通过查看照片的详细信息,可以找到经纬度信息,<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684105077010-0e36a432-094e-4a3a-b850-699a17d43c0d.png" alt="image.png"><br />将经纬度信息输入到谷歌地图中<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684105269905-a96f5f32-8c7b-4aec-8d68-40597736ec41.png" alt="image.png"><br />再根据图片中的中国电信在该周围进行搜索得到flag<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684105418811-71a6db04-821e-48d6-bc7a-a93cc5b12859.png" alt="image.png"><br><a name="xuA0D"></a></p><h2 id="OSINT-探姬去哪了-1"><a href="#OSINT-探姬去哪了-1" class="headerlink" title="OSINT 探姬去哪了?_1"></a>OSINT 探姬去哪了?_1</h2><p>根据照片中模糊的SANGEL<br /><img 
src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684063379286-22ac0caf-10b1-4e38-8a6a-26c3b101805d.png" alt="image.png"><br />在百度地图中查找发现存在SANGEL HOTEL,点击即得到松果酒店<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684063516886-52ee2eb7-0224-4df6-832f-2a46fe0f596e.png" alt="image.png"><br />由于郑州存在多家松果酒店,再于美团中查找松果酒店,比对酒店大厅图片<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684063755958-d64c294e-0bf3-486a-9252-809fcfa08242.png" alt="image.png"><br />发现农业路店的的图片和资料内的相仿,再于高德地图上查找该店的店名,即可得到 <strong>松果酒店(郑州农业路店)</strong><br><a name="sR8Eb"></a></p><h2 id="OSINT-探姬去哪了-2"><a href="#OSINT-探姬去哪了-2" class="headerlink" title="OSINT 探姬去哪了?_2"></a>OSINT 探姬去哪了?_2</h2><p>根据在CTF小组群聊天记录,可以了解到去了hackingclub,通过高德地图查找即可得到flag<br><a name="Ifj61"></a></p><h2 id="OSINT-探姬去哪了-3"><a href="#OSINT-探姬去哪了-3" class="headerlink" title="OSINT 探姬去哪了?_3"></a>OSINT 探姬去哪了?_3</h2><p>根据门牌号照片,轻大学生不会不知道吧<br><a name="YBWIc"></a></p><h2 id="这羽毛球怎么只有一半啊(恼-初级-)"><a href="#这羽毛球怎么只有一半啊(恼-初级-)" class="headerlink" title="这羽毛球怎么只有一半啊(恼 (初级))"></a>这羽毛球怎么只有一半啊(恼 (初级))</h2><p>根据提示修改图片高<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684114681722-bcc82330-e85f-4000-b286-fc1ec8181a43.png" alt="image.png"><br />保存修改后打开图片即可看到flag<br><a name="hTp1Q"></a></p><h2 id="两仪生四象-中级"><a href="#两仪生四象-中级" class="headerlink" title="两仪生四象 (中级)"></a>两仪生四象 (中级)</h2><p>根据代码调试可知,该代码将<strong><strong><strong>*</strong></strong></strong>先分别对应位ascii的数字,再转换为10位二进制,再将该转换后的共90位二进制以三位分一组与逆转后的_hash字典进行对应并拼接每三位对应的字符,最后输出拼接好的字符串。<br />解码根据编码的过程先将给的字符串与_hash字典进行对应,得到拼接好的二进制,再对拼接好的字符串每十位一组进行进行二进制转换十进制,之后根据ascii编码转换为字符,输出字符串即可得到flag<br><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span 
class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line">data = <span class="string">'坤乾兑艮兑坎坤坤巽震坤巽震艮兑坎坤震兑乾坤巽坤艮兑震巽坤巽艮坤巽艮艮兑兑艮震兑乾坤乾坤坤兑艮艮坤巽坤坤巽坎坤兑离坎震艮兑坤巽坎艮兑震坤震兑乾坤乾坎坤兑坎坤震艮离坤离乾艮震艮巽震离震坤巽兑艮兑坎坤震巽艮坤离乾艮坎离坤震巽坎坤兑坤艮兑震巽震巽坎坤巽坤艮兑兑坎震巽兑'</span></span><br><span class="line">encoded_text = <span class="string">''</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">0</span>, <span class="built_in">len</span>(data)):</span><br><span class="line"> <span class="keyword">try</span>:</span><br><span class="line"> encoded_text += _<span class="built_in">hash</span>[data[i]]</span><br><span class="line"> <span class="keyword">except</span> KeyError:</span><br><span class="line"> encoded_text += <span class="string">" "</span></span><br><span class="line"><span class="built_in">print</span>(encoded_text)</span><br><span class="line">ascii_str = <span class="string">""</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">0</span>, <span class="built_in">len</span>(encoded_text), <span class="number">10</span>):</span><br><span class="line"> byte = encoded_text[i:i+<span class="number">10</span>]</span><br><span class="line"> ascii_str += <span class="built_in">chr</span>(<span class="built_in">int</span>(byte, <span class="number">2</span>))</span><br><span class="line"><span class="built_in">print</span>(ascii_str)</span><br></pre></td></tr></table></figure><br><a name="V9sHm"></a></p><h2 id="喜欢我的压缩包么-初级"><a href="#喜欢我的压缩包么-初级" class="headerlink" title="喜欢我的压缩包么 (初级)"></a>喜欢我的压缩包么 (初级)</h2><p>爆破压缩包<br><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span 
class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> zipfile</span><br><span class="line"><span class="keyword">import</span> itertools</span><br><span class="line"> </span><br><span class="line">filename = <span class="string">"学习资料啊.zip"</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">uncompress</span>(<span class="params">file_name, pass_word</span>):</span><br><span class="line"> <span class="keyword">with</span> zipfile.ZipFile(file_name) <span class="keyword">as</span> z_file:</span><br><span class="line"> <span class="keyword">try</span>:</span><br><span class="line"> z_file.extractall(<span class="string">"./"</span>, pwd=<span class="built_in">bytes</span>(pass_word, <span class="string">'utf8'</span>))</span><br><span class="line"> <span class="keyword">except</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="literal">False</span></span><br><span class="line"> <span class="keyword">return</span> <span class="literal">True</span></span><br><span class="line"> </span><br><span class="line"> </span><br><span class="line"><span class="comment"># chars是密码可能的字符集</span></span><br><span 
class="line">chars = <span class="string">"0123456789"</span></span><br><span class="line"><span class="keyword">for</span> c <span class="keyword">in</span> itertools.product(chars, repeat=<span class="number">6</span>):</span><br><span class="line"> password = <span class="string">''</span>.join(c)</span><br><span class="line"> <span class="comment"># print(password)</span></span><br><span class="line"> result = uncompress(filename, password)</span><br><span class="line"> <span class="keyword">if</span> <span class="keyword">not</span> result:</span><br><span class="line"> <span class="built_in">print</span>(<span class="string">'解压失败。'</span>, password)</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="built_in">print</span>(<span class="string">'解压成功。'</span>, password)</span><br><span class="line"> <span class="keyword">break</span></span><br></pre></td></tr></table></figure><br>得到密码为“解压成功。 114514”<br><a name="D5exM"></a></p><h2 id="What-1s-BASE-初级"><a href="#What-1s-BASE-初级" class="headerlink" title="What_1s_BASE (初级)"></a>What_1s_BASE (初级)</h2><p>下载附件发现base加密 TGl0Q1RGe0tGQ19DcjR6eV9UaHVyM2RheV9WX21lXzUwfQ==<br />找解码网站进行解码<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684078249624-a9fb7e0f-2af0-4876-bfa4-95ea2d98e479.png" alt="image.png"><br />答案是LitCTF{KFC_Cr4zy_Thur3day_V_me_50}<br><a name="n0DiL"></a></p><h2 id="404notfound-初级"><a href="#404notfound-初级" class="headerlink" title="404notfound (初级)"></a>404notfound (初级)</h2><p>下载附件,将图片导入到notepad这个软件打开图片,使用ctrl+F搜索ctf发现flag<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684078570587-578f7f04-8fa0-4c29-a24b-09b0adc21096.png" alt="image.png"><br />答案是LitCTF{Its_404_but_1ts_n0t_a_page}<br><a name="EY424"></a></p><h2 id="Osint小麦果汁"><a href="#Osint小麦果汁" class="headerlink" title="Osint小麦果汁"></a>Osint小麦果汁</h2><p>解题<br />下载附件可以发现图片上有hacker&cratf,使用百度进行搜这个关键字,发现一个浙江的酒吧<br /><img 
src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684078789348-1936ae3a-860b-4e98-b434-13a36bab07ae.png" alt="image.png"><br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684079203652-b1d499a6-515f-4fb6-b018-800467540a2b.png" alt="image.png"><br />答案是NSSCTF{黑客与精酿}</p><p><a name="nYtvQ"></a></p><h2 id="破损的图片-初级"><a href="#破损的图片-初级" class="headerlink" title="破损的图片(初级)"></a>破损的图片(初级)</h2><p>使用010打开附件,发现附件像是个png格式的图片,因为明文部分有IHDR字符,但是发现IHDR前面的格式不正确<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684109763133-3365820d-1174-46ab-bb3b-1c3773c3df7f.png" alt="image.png"><br />查看png图片的格式得png图片前8个字节 89 50 4E 47 0D 0A 1A 0A 为 png的文件头(固定),更改后,并将附件后缀更改为png,查看图片得到flag<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684110415283-c117ba6f-13a0-4c14-8650-299a229a3606.png" alt="image.png"><br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684110428527-8896e5b1-5fe9-4df4-8bc2-1a48c7ef252c.png" alt="image.png"><br><a name="FnF6H"></a></p><h2 id="Take-me-hand-初级"><a href="#Take-me-hand-初级" class="headerlink" title="Take me hand (初级)"></a>Take me hand (初级)</h2><p>打开题目附件给的是一个流量包。使用wireshark进行打开<br />过滤tcp流<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684118638422-f9821f91-5e0a-41ab-bf51-8ef2d11bf4ec.png" alt="image.png"><br />打开下面这个<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684118678663-d56d2885-1121-42a1-a42a-badf70d682c2.png" alt="image.png"><br />进去发现flag为<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684118712242-1c183e43-9273-4e00-8301-ca3300cedb05.png" alt="image.png"><br><a name="oyHqo"></a></p><h1 id="REVERSE部分"><a href="#REVERSE部分" class="headerlink" title="REVERSE部分"></a>REVERSE部分</h1><p><a name="XDfPN"></a></p><h2 id="世界上最棒的程序员"><a href="#世界上最棒的程序员" class="headerlink" title="世界上最棒的程序员"></a>世界上最棒的程序员</h2><p>思路:使用IDA进行导入文,使用快捷键SHIFT+F12查看字符串发现<br /><img 
src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684063660331-b500c615-a1c6-4f4e-9a49-e0c986a08f41.png" alt="image.png"><br />所以答案为LitCTF{I_am_the_best_programmer_ever}<br><a name="EpIe1"></a></p><h2 id="ez-XOR"><a href="#ez-XOR" class="headerlink" title="ez_XOR"></a>ez_XOR</h2><p>思路:将程序导入IDA pro ,查壳这一步我就省了。<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684063941446-bb612b25-5ee9-49a6-be59-4e3e89012b0f.png" alt="image.png"><br />接着寻找main函数<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684064020227-72643ed8-2021-4c4c-b49d-05c0db8a2e86.png" alt="image.png"><br />找到关键代码<br><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span 
class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br></pre></td><td class="code"><pre><span class="line"><span class="built_in">int</span> __cdecl main(<span class="built_in">int</span> argc, const char **argv, const char **envp)</span><br><span class="line">{</span><br><span class="line"> char *Format; // [esp+0h] [ebp-80h]</span><br><span class="line"> char *Str2; // [esp+4h] [ebp-7Ch]</span><br><span class="line"> const char **v6; // [esp+8h] [ebp-78h]</span><br><span class="line"> char Str1[<span class="number">50</span>]; // [esp+1Ch] [ebp-64h] BYREF</span><br><span class="line"> _WORD v8[<span class="number">14</span>]; // [esp+4Eh] [ebp-32h] BYREF</span><br><span class="line"> <span class="built_in">int</span> v9; // [esp+6Ah] [ebp-16h]</span><br><span class="line"> <span class="built_in">int</span> v10; // [esp+6Eh] [ebp-12h]</span><br><span class="line"> <span class="built_in">int</span> v11; // [esp+72h] [ebp-Eh]</span><br><span class="line"> <span class="built_in">int</span> v12; // [esp+76h] [ebp-Ah]</span><br><span class="line"> <span class="built_in">int</span> v13; // [esp+7Ah] [ebp-6h]</span><br><span class="line"> __int16 v14; // [esp+7Eh] [ebp-2h]</span><br><span class="line"></span><br><span class="line"> __main();</span><br><span class="line"> strcpy((char *)v8, <span class="string">"E`}J]OrQF[V8zV:hzpV}fVF[t"</span>);</span><br><span class="line"> v8[<span class="number">13</span>] = <span class="number">0</span>;</span><br><span class="line"> v9 = <span class="number">0</span>;</span><br><span class="line"> v10 = <span class="number">0</span>;</span><br><span class="line"> v11 = <span class="number">0</span>;</span><br><span 
class="line"> v12 = <span class="number">0</span>;</span><br><span class="line"> v13 = <span class="number">0</span>;</span><br><span class="line"> v14 = <span class="number">0</span>;</span><br><span class="line"> printf(<span class="string">"Enter The Right FLAG:"</span>);</span><br><span class="line"> scanf(<span class="string">"%s"</span>, Str1);</span><br><span class="line"> XOR(Str1, <span class="number">3</span>);</span><br><span class="line"> <span class="keyword">if</span> ( !strcmp(Str1, (const char *)v8) )</span><br><span class="line"> {</span><br><span class="line"> printf(<span class="string">"U Saved IT!\n"</span>);</span><br><span class="line"> <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">else</span></span><br><span class="line"> {</span><br><span class="line"> printf(<span class="string">"Wrong!Try again!\n"</span>);</span><br><span class="line"> <span class="keyword">return</span> main((<span class="built_in">int</span>)Format, (const char **)Str2, v6);</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line">对代码进行分析发现是将值E`}J]OrQF[V8zV:hzpV}fVF[t给了v8,分析关键的异或函数,双击进入XOR(Str1, <span class="number">3</span>);</span><br><span class="line">size_t __cdecl XOR(char *Str, <span class="built_in">int</span> a2)</span><br><span class="line">{</span><br><span class="line"> size_t result; // eax</span><br><span class="line"> unsigned <span class="built_in">int</span> i; // [esp+2Ch] [ebp-Ch]</span><br><span class="line"></span><br><span class="line"> <span class="keyword">for</span> ( i = <span class="number">0</span>; ; ++i )</span><br><span class="line"> {</span><br><span class="line"> result = strlen(Str);</span><br><span class="line"> <span class="keyword">if</span> ( i >= result )</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> Str[i] ^= <span class="number">3</span> * 
a2; //异或的规则</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">return</span> result;</span><br><span class="line">}</span><br></pre></td></tr></table></figure><br>因为XOR(Str1, 3);传入a2应该是3,所以发现异或的规则是对输入的每一位和9进行异或,这里就是v8的值要被异或<br /><strong>脚本</strong>为:<br><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">a = <span class="string">"E`}J]OrQF[V8zV:hzpV}fVF[t"</span></span><br><span class="line">b = <span class="string">""</span>.join([<span class="built_in">chr</span>(<span class="built_in">ord</span>(c) ^ <span class="number">9</span>) <span class="keyword">for</span> c <span class="keyword">in</span> a])</span><br><span class="line"><span class="built_in">print</span>(b)</span><br></pre></td></tr></table></figure><br><strong>运行结果</strong><br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684108960484-e07de286-f9fe-4b49-b9a9-e8de503f11f4.png" alt="image.png"><br />所以答案是:LitCTF{XOR_1s_3asy_to_OR}<br><a name="nhQIP"></a></p><h2 id="enbase64"><a href="#enbase64" class="headerlink" title="enbase64"></a>enbase64</h2><p>将下载的附件导入IDA PRO进行代码上的逻辑分析<br />1.寻找main函数<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684110588249-43143ecf-382b-410a-8641-f2ec7f2191f1.png" alt="image.png"><br />2.分析关键代码<br />点击base函数发现了换表的函数 basechange(Source);<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684110669645-b7fbdf1c-eb2d-4dbf-b6a8-b88b7eb22259.png" alt="image.png"><br />进入basechange函数<br /><strong>发现主要进行以下操作:</strong><br><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span 
class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span 
class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br></pre></td><td class="code"><pre><span class="line">char *__cdecl basechange(char *Source)</span><br><span class="line">{</span><br><span class="line"> char *result; // eax</span><br><span class="line"> char Destination[<span class="number">65</span>]; // [esp+13h] [ebp-155h] BYREF</span><br><span class="line"> <span class="built_in">int</span> v3[<span class="number">65</span>]; // [esp+54h] [ebp-114h] BYREF</span><br><span class="line"> <span class="built_in">int</span> j; // [esp+158h] [ebp-10h]</span><br><span class="line"> <span class="built_in">int</span> i; // [esp+15Ch] [ebp-Ch]</span><br><span class="line"></span><br><span class="line"> memset(v3, <span class="number">0</span>, sizeof(v3));</span><br><span class="line"> v3[<span class="number">0</span>] = <span class="number">16</span>;</span><br><span class="line"> v3[<span class="number">1</span>] = <span class="number">34</span>;</span><br><span class="line"> v3[<span class="number">2</span>] = <span class="number">56</span>;</span><br><span class="line"> v3[<span class="number">3</span>] = <span class="number">7</span>;</span><br><span class="line"> v3[<span class="number">4</span>] = <span class="number">46</span>;</span><br><span class="line"> v3[<span class="number">5</span>] = <span class="number">2</span>;</span><br><span class="line"> v3[<span class="number">6</span>] = <span class="number">10</span>;</span><br><span class="line"> v3[<span class="number">7</span>] = <span class="number">44</span>;</span><br><span class="line"> v3[<span class="number">8</span>] = <span class="number">20</span>;</span><br><span class="line"> 
v3[<span class="number">9</span>] = <span class="number">41</span>;</span><br><span class="line"> v3[<span class="number">10</span>] = <span class="number">59</span>;</span><br><span class="line"> v3[<span class="number">11</span>] = <span class="number">31</span>;</span><br><span class="line"> v3[<span class="number">12</span>] = <span class="number">51</span>;</span><br><span class="line"> v3[<span class="number">13</span>] = <span class="number">60</span>;</span><br><span class="line"> v3[<span class="number">14</span>] = <span class="number">61</span>;</span><br><span class="line"> v3[<span class="number">15</span>] = <span class="number">26</span>;</span><br><span class="line"> v3[<span class="number">16</span>] = <span class="number">5</span>;</span><br><span class="line"> v3[<span class="number">17</span>] = <span class="number">40</span>;</span><br><span class="line"> v3[<span class="number">18</span>] = <span class="number">21</span>;</span><br><span class="line"> v3[<span class="number">19</span>] = <span class="number">38</span>;</span><br><span class="line"> v3[<span class="number">20</span>] = <span class="number">4</span>;</span><br><span class="line"> v3[<span class="number">21</span>] = <span class="number">54</span>;</span><br><span class="line"> v3[<span class="number">22</span>] = <span class="number">52</span>;</span><br><span class="line"> v3[<span class="number">23</span>] = <span class="number">47</span>;</span><br><span class="line"> v3[<span class="number">24</span>] = <span class="number">3</span>;</span><br><span class="line"> v3[<span class="number">25</span>] = <span class="number">11</span>;</span><br><span class="line"> v3[<span class="number">26</span>] = <span class="number">58</span>;</span><br><span class="line"> v3[<span class="number">27</span>] = <span class="number">48</span>;</span><br><span class="line"> v3[<span class="number">28</span>] = <span class="number">32</span>;</span><br><span class="line"> v3[<span 
class="number">29</span>] = <span class="number">15</span>;</span><br><span class="line"> v3[<span class="number">30</span>] = <span class="number">49</span>;</span><br><span class="line"> v3[<span class="number">31</span>] = <span class="number">14</span>;</span><br><span class="line"> v3[<span class="number">32</span>] = <span class="number">37</span>;</span><br><span class="line"> v3[<span class="number">34</span>] = <span class="number">55</span>;</span><br><span class="line"> v3[<span class="number">35</span>] = <span class="number">53</span>;</span><br><span class="line"> v3[<span class="number">36</span>] = <span class="number">24</span>;</span><br><span class="line"> v3[<span class="number">37</span>] = <span class="number">35</span>;</span><br><span class="line"> v3[<span class="number">38</span>] = <span class="number">18</span>;</span><br><span class="line"> v3[<span class="number">39</span>] = <span class="number">25</span>;</span><br><span class="line"> v3[<span class="number">40</span>] = <span class="number">33</span>;</span><br><span class="line"> v3[<span class="number">41</span>] = <span class="number">43</span>;</span><br><span class="line"> v3[<span class="number">42</span>] = <span class="number">50</span>;</span><br><span class="line"> v3[<span class="number">43</span>] = <span class="number">39</span>;</span><br><span class="line"> v3[<span class="number">44</span>] = <span class="number">12</span>;</span><br><span class="line"> v3[<span class="number">45</span>] = <span class="number">19</span>;</span><br><span class="line"> v3[<span class="number">46</span>] = <span class="number">13</span>;</span><br><span class="line"> v3[<span class="number">47</span>] = <span class="number">42</span>;</span><br><span class="line"> v3[<span class="number">48</span>] = <span class="number">9</span>;</span><br><span class="line"> v3[<span class="number">49</span>] = <span class="number">17</span>;</span><br><span class="line"> v3[<span 
class="number">50</span>] = <span class="number">28</span>;</span><br><span class="line"> v3[<span class="number">51</span>] = <span class="number">30</span>;</span><br><span class="line"> v3[<span class="number">52</span>] = <span class="number">23</span>;</span><br><span class="line"> v3[<span class="number">53</span>] = <span class="number">36</span>;</span><br><span class="line"> v3[<span class="number">54</span>] = <span class="number">1</span>;</span><br><span class="line"> v3[<span class="number">55</span>] = <span class="number">22</span>;</span><br><span class="line"> v3[<span class="number">56</span>] = <span class="number">57</span>;</span><br><span class="line"> v3[<span class="number">57</span>] = <span class="number">63</span>;</span><br><span class="line"> v3[<span class="number">58</span>] = <span class="number">8</span>;</span><br><span class="line"> v3[<span class="number">59</span>] = <span class="number">27</span>;</span><br><span class="line"> v3[<span class="number">60</span>] = <span class="number">6</span>;</span><br><span class="line"> v3[<span class="number">61</span>] = <span class="number">62</span>;</span><br><span class="line"> v3[<span class="number">62</span>] = <span class="number">45</span>;</span><br><span class="line"> v3[<span class="number">63</span>] = <span class="number">29</span>;</span><br><span class="line"> result = strcpy(Destination, Source);</span><br><span class="line"> <span class="keyword">for</span> ( i = <span class="number">0</span>; i <= <span class="number">47</span>; ++i )</span><br><span class="line"> {</span><br><span class="line"> <span class="keyword">for</span> ( j = <span class="number">0</span>; j <= <span class="number">63</span>; ++j )</span><br><span class="line"> Source[j] = Destination[v3[j]];</span><br><span class="line"> result = strcpy(Destination, Source);</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">return</span> result;</span><br><span 
class="line">}</span><br></pre></td></tr></table></figure><br>This shows that the initial base64 table ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ is being permuted (a table substitution).<br />Use Python to compute the substituted table; the script is:<br><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">def</span> <span class="title function_">basechange</span>(<span class="params">source</span>):</span><br><span class="line"> destination = <span class="built_in">list</span>(source)</span><br><span class="line"> v3 = [</span><br><span class="line"> <span class="number">16</span>, <span class="number">34</span>, <span class="number">56</span>, <span class="number">7</span>, <span class="number">46</span>, <span class="number">2</span>, <span class="number">10</span>, <span class="number">44</span>, <span class="number">20</span>, <span class="number">41</span>, <span class="number">59</span>, <span class="number">31</span>, <span class="number">51</span>, <span class="number">60</span>, <span class="number">61</span>, <span class="number">26</span>, <span class="number">5</span>, <span class="number">40</span>, <span class="number">21</span>, <span class="number">38</span>,</span><br><span class="line"> <span class="number">4</span>, <span class="number">54</span>, <span class="number">52</span>, <span class="number">47</span>, 
<span class="number">3</span>, <span class="number">11</span>, <span class="number">58</span>, <span class="number">48</span>, <span class="number">32</span>, <span class="number">15</span>, <span class="number">49</span>, <span class="number">14</span>, <span class="number">37</span>, <span class="number">0</span>, <span class="number">55</span>, <span class="number">53</span>, <span class="number">24</span>, <span class="number">35</span>, <span class="number">18</span>, <span class="number">25</span>,</span><br><span class="line"> <span class="number">33</span>, <span class="number">43</span>, <span class="number">50</span>, <span class="number">39</span>, <span class="number">12</span>, <span class="number">19</span>, <span class="number">13</span>, <span class="number">42</span>, <span class="number">9</span>, <span class="number">17</span>, <span class="number">28</span>, <span class="number">30</span>, <span class="number">23</span>, <span class="number">36</span>, <span class="number">1</span>, <span class="number">22</span>, <span class="number">57</span>, <span class="number">63</span>, <span class="number">8</span>, <span class="number">27</span>,</span><br><span class="line"> <span class="number">6</span>, <span class="number">62</span>, <span class="number">45</span>, <span class="number">29</span></span><br><span class="line"> ]</span><br><span class="line"></span><br><span class="line"> <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">48</span>):</span><br><span class="line"> <span class="keyword">for</span> j <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">64</span>):</span><br><span class="line"> source[j] = destination[v3[j]]</span><br><span class="line"> destination = source[:]</span><br><span class="line"></span><br><span class="line"> <span class="keyword">return</span> <span 
class="string">''</span>.join(destination)</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> __name__ == <span class="string">'__main__'</span>:</span><br><span class="line"> s = <span class="string">"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"</span></span><br><span class="line"> result = basechange(<span class="built_in">list</span>(s))</span><br><span class="line"> <span class="built_in">print</span>(result)</span><br></pre></td></tr></table></figure><br><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684111546515-f2d87fa1-97bf-4a90-bc1e-55877d49a6bf.png" alt="image.png"><br />So the substituted base64 table is gJ1BRjQie/FIWhEslq7GxbnL26M4+HXUtcpmVTKaydOP38of5v90ZSwrkYzCAuND<br />3. Analyzing the main function reveals the call basecheck(Str1); step into that function to analyze it:<br><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="built_in">int</span> __cdecl basecheck(char *Str1)</span><br><span class="line">{</span><br><span class="line"> <span class="keyword">if</span> ( !strcmp(Str1, <span class="string">"GQTZlSqQXZ/ghxxwhju3hbuZ4wufWjujWrhYe7Rce7ju"</span>) )</span><br><span class="line"> <span class="keyword">return</span> puts(<span class="string">"You are right!"</span>);</span><br><span class="line"> <span class="keyword">else</span></span><br><span class="line"> <span class="keyword">return</span> puts(<span class="string">"False"</span>);</span><br><span class="line">}</span><br></pre></td></tr></table></figure><br>So the encoded result should be GQTZlSqQXZ/ghxxwhju3hbuZ4wufWjujWrhYe7Rce7ju<br />4. Putting all of this together, we can write the base64 decoding script<br><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span 
class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> base64</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">custom_base64_decode</span>(<span class="params">encoded_str, custom_chars</span>):</span><br><span class="line"> base64_chars = <span class="string">"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"</span></span><br><span class="line"></span><br><span class="line"> <span class="comment"># Generate translation table</span></span><br><span class="line"> trans_table = <span class="built_in">str</span>.maketrans(custom_chars, base64_chars)</span><br><span class="line"></span><br><span class="line"> <span class="comment"># Translate encoded string</span></span><br><span class="line"> translated_str = encoded_str.translate(trans_table)</span><br><span class="line"></span><br><span class="line"> <span class="comment"># Decode translated string</span></span><br><span class="line"> decoded_str = base64.b64decode(translated_str)</span><br><span class="line"></span><br><span class="line"> <span class="keyword">return</span> decoded_str</span><br><span class="line"></span><br><span class="line"><span class="comment"># Example usage</span></span><br><span class="line">encoded_str = <span 
class="string">"GQTZlSqQXZ/ghxxwhju3hbuZ4wufWjujWrhYe7Rce7ju"</span></span><br><span class="line">custom_chars = <span class="string">"gJ1BRjQie/FIWhEslq7GxbnL26M4+HXUtcpmVTKaydOP38of5v90ZSwrkYzCAuND"</span></span><br><span class="line">decoded_str = custom_base64_decode(encoded_str, custom_chars)</span><br><span class="line"><span class="built_in">print</span>(decoded_str.decode(<span class="string">"utf-8"</span>))</span><br></pre></td></tr></table></figure><br>5. The output is:<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684112166977-7ec7dba5-3a8c-4f52-abd5-8553a47b2d82.png" alt="image.png"><br />The answer is LitCTF{B@5E64_l5_tooo0_E3sy!!!!!}<br><a name="UfMTh"></a></p><h2 id="snake"><a href="#snake" class="headerlink" title="snake"></a>snake</h2><p>Reference: <a href="https://blog.csdn.net/qq_44808585/article/details/104148402">https://blog.csdn.net/qq_44808585/article/details/104148402</a><br />After downloading, the file turns out to be a pyc file. Decompiling it fails at first because the magic number is missing; compile a test file under the same Python version to see that version's magic number, prepend it with 010 Editor, and decompilation then succeeds. Once decompiled, find the code block that builds the flag and run it directly to obtain the flag.<br><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">flag = [</span><br><span class="line"> <span class="number">30</span>, <span class="number">196</span>, </span><br><span class="line"> <span class="number">52</span>, <span class="number">252</span>, <span class="number">49</span>, <span class="number">220</span>, <span class="number">7</span>, <span class="number">243</span>, </span><br><span class="line"> <span class="number">3</span>, <span class="number">241</span>, <span class="number">24</span>, <span class="number">224</span>, <span class="number">40</span>, 
<span class="number">230</span>, </span><br><span class="line"> <span class="number">25</span>, <span class="number">251</span>, <span class="number">28</span>, <span class="number">233</span>, <span class="number">40</span>, <span class="number">237</span>, </span><br><span class="line"> <span class="number">4</span>, <span class="number">225</span>, <span class="number">4</span>, <span class="number">215</span>, <span class="number">40</span>, <span class="number">231</span>, </span><br><span class="line"> <span class="number">22</span>, <span class="number">237</span>, <span class="number">14</span>, <span class="number">251</span>, <span class="number">10</span>, <span class="number">169</span>]</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">0</span>, <span class="built_in">len</span>(flag), <span class="number">2</span>):</span><br><span class="line"> flag[i], flag[i + <span class="number">1</span>] = flag[i + <span class="number">1</span>] ^ <span class="number">136</span>, flag[i] ^ <span class="number">119</span></span><br><span class="line"><span class="built_in">print</span>(<span class="built_in">bytes</span>(flag).decode())</span><br></pre></td></tr></table></figure></p><p><a name="p5Azz"></a></p><h1 id="CRYPTO"><a href="#CRYPTO" class="headerlink" title="CRYPTO"></a>CRYPTO</h1><p><a name="HK0wX"></a></p><h2 id="Hex?Hex!-初级"><a href="#Hex?Hex!-初级" class="headerlink" title="Hex?Hex! (Beginner)"></a>Hex?Hex! (Beginner)</h2><p>Opening the attachment and considering the challenge title, the content is hex encoding; decode it with an online hex-to-string tool <a href="https://www.bejson.com/convert/ox2str/">https://www.bejson.com/convert/ox2str/</a><br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684112820495-b88b2b0f-a334-4ecf-9b63-212fa0a0c34b.png" alt="image.png"><br />The answer is LitCTF{tai111coollaaa!}<br><a name="XUvKR"></a></p><h2 id="家人们!谁懂啊,RSA签到都不会-初级"><a href="#家人们!谁懂啊,RSA签到都不会-初级" class="headerlink" title="Guys! Who gets it, I can't even do the RSA sign-in 
(Beginner)"></a>Guys! Who gets it, I can't even do the RSA sign-in (Beginner)</h2><p>Downloading the attachment gives<br><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> Crypto.Util.number <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">from</span> secret <span class="keyword">import</span> flag</span><br><span class="line"></span><br><span class="line">m = bytes_to_long(flag)</span><br><span class="line">p = getPrime(<span class="number">512</span>)</span><br><span class="line">q = getPrime(<span class="number">512</span>)</span><br><span class="line">e = <span class="number">65537</span></span><br><span class="line">n = p*q</span><br><span class="line">c = <span class="built_in">pow</span>(m,e,n)</span><br><span class="line"><span class="built_in">print</span>(<span class="string">f'p = <span class="subst">{p}</span>'</span>)</span><br><span class="line"><span class="built_in">print</span>(<span class="string">f'q = <span class="subst">{q}</span>'</span>)</span><br><span class="line"><span class="built_in">print</span>(<span class="string">f'c = <span class="subst">{c}</span>'</span>)</span><br><span class="line"><span class="string">'''</span></span><br><span class="line"><span class="string">p = 
12567387145159119014524309071236701639759988903138784984758783651292440613056150667165602473478042486784826835732833001151645545259394365039352263846276073</span></span><br><span class="line"><span class="string">q = 12716692565364681652614824033831497167911028027478195947187437474380470205859949692107216740030921664273595734808349540612759651241456765149114895216695451</span></span><br><span class="line"><span class="string">c = 108691165922055382844520116328228845767222921196922506468663428855093343772017986225285637996980678749662049989519029385165514816621011058462841314243727826941569954125384522233795629521155389745713798246071907492365062512521474965012924607857440577856404307124237116387085337087671914959900909379028727767057</span></span><br><span class="line"><span class="string">'''</span></span><br></pre></td></tr></table></figure><br>Since p and q are both given, a standard RSA decryption script found online recovers the plaintext:<br><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> gmpy2 <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">from</span> Crypto.Util.number <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line">e = <span class="number">65537</span></span><br><span class="line">p = <span class="number">12567387145159119014524309071236701639759988903138784984758783651292440613056150667165602473478042486784826835732833001151645545259394365039352263846276073</span></span><br><span class="line">q = <span 
class="number">12716692565364681652614824033831497167911028027478195947187437474380470205859949692107216740030921664273595734808349540612759651241456765149114895216695451</span></span><br><span class="line">c = <span class="number">108691165922055382844520116328228845767222921196922506468663428855093343772017986225285637996980678749662049989519029385165514816621011058462841314243727826941569954125384522233795629521155389745713798246071907492365062512521474965012924607857440577856404307124237116387085337087671914959900909379028727767057</span></span><br><span class="line">n = p * q</span><br><span class="line"></span><br><span class="line">phi_n = (p - <span class="number">1</span>) * (q - <span class="number">1</span>)</span><br><span class="line"><span class="built_in">print</span>(gcd(e, phi_n)) <span class="comment"># sanity check: must be 1 for e to be invertible mod phi(n)</span></span><br><span class="line">d = invert(e, phi_n) <span class="comment"># private exponent d = e^-1 mod phi(n)</span></span><br><span class="line">m = <span class="built_in">pow</span>(c, d, n) <span class="comment"># decrypt under the full modulus n</span></span><br><span class="line"><span class="built_in">print</span>(long_to_bytes(m))</span><br></pre></td></tr></table></figure><br><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684077878167-fec370b6-50fe-47d1-9e53-3dacc84bf0cb.png" alt="image.png"><br />So the answer is LitCTF{it_is_easy_to_solve_question_when_you_know_p_and_q}<br><a name="sLLp0"></a></p><h2 id="梦想是红色的-初级"><a href="#梦想是红色的-初级" class="headerlink" title="The dream is red (Beginner)"></a>The dream is red (Beginner)</h2><p>The attachment is Core Socialist Values encoding; find an online Core Values decoder <a href="http://www.hiencode.com/cvencode.html">http://www.hiencode.com/cvencode.html</a> and decode it:<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684112536120-708b18bc-c377-4606-9146-c8d908f0be81.png" alt="image.png"><br />Answer: LitCTF{为之则易,不为则难}<br><a name="jO1ti"></a></p><h2 id="原来你也玩原神-初级"><a href="#原来你也玩原神-初级" class="headerlink" title="So you play Genshin Impact too (Beginner)"></a>So you play Genshin Impact too (Beginner)</h2><p><a href="https://www.bilibili.com/read/cv10220424">https://www.bilibili.com/read/cv10220424</a><br 
/>Match the characters one by one against the reference table to read out the flag<br><a name="MVr9o"></a></p><h2 id="你是我的关键词-Keyworld-初级"><a href="#你是我的关键词-Keyworld-初级" class="headerlink" title="You are my keyword (Keyworld) (Beginner)"></a>You are my keyword (Keyworld) (Beginner)</h2><p>From the challenge title we guess Vigenère-style encryption, so we search for an online decryption tool <a href="http://www.hiencode.com/keyword.html">http://www.hiencode.com/keyword.html</a><br />From the challenge description we infer that the key is YOU; decrypting with it gives the flag<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684123711763-2a3d3347-9508-41f2-8fe5-bbcd506f9ebe.png" alt="image.png"><br><a name="UdIAX"></a></p><h2 id="factordb-中级"><a href="#factordb-中级" class="headerlink" title="factordb (Intermediate)"></a>factordb (Intermediate)</h2><p>A typical RSA challenge<br />Opening the attachment gives<br />e = 65537<br />n = 87924348264132406875276140514499937145050893665602592992418171647042491658461<br />c = 87677652386897749300638591365341016390128692783949277305987828177045932576708<br />Since the challenge requires factoring n and hints at factordb <a href="http://factordb.com/">http://factordb.com/</a>, we use the online site to factor n, which gives two numbers<br /><a href="http://factordb.com/index.php?id=1100000000836631227">275127860351348928173285174381581152299</a><br /><a href="http://factordb.com/index.php?id=1100000000836631226">319576316814478949870590164193048041239</a><br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684065157380-0a1d6765-2219-422a-bc5a-fe03a57dbdd6.png" alt="image.png"><br />Then we adapt a script found online to compute the result; it may look similar to other teams' scripts, since we took it from CSDN<br><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> gmpy2</span><br><span class="line"><span class="keyword">from</span> Crypto.Util.number <span class="keyword">import</span> 
long_to_bytes</span><br><span class="line"></span><br><span class="line">e = <span class="number">65537</span></span><br><span class="line">n = <span class="number">87924348264132406875276140514499937145050893665602592992418171647042491658461</span></span><br><span class="line">c = <span class="number">87677652386897749300638591365341016390128692783949277305987828177045932576708</span></span><br><span class="line">p1 = <span class="number">275127860351348928173285174381581152299</span></span><br><span class="line">p2 = <span class="number">319576316814478949870590164193048041239</span></span><br><span class="line">phi = (p1 - <span class="number">1</span>) * (p2 - <span class="number">1</span>)</span><br><span class="line">d = gmpy2.invert(e, phi)</span><br><span class="line">m = <span class="built_in">pow</span>(c, d, n)</span><br><span class="line"><span class="built_in">print</span>(long_to_bytes(m))</span><br></pre></td></tr></table></figure><br><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684065413187-a6b05a9a-301c-4719-aa7d-4f56f7a694f6.png" alt="image.png"><br />So the answer is LitCTF{factordb!!!}<br><a name="m4Ilh"></a></p><h2 id="yafu-中级"><a href="#yafu-中级" class="headerlink" title="yafu (Intermediate)"></a>yafu (Intermediate)</h2><p>Downloading the attachment gives<br><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> Crypto.Util.number <span class="keyword">import</span> *</span><br><span class="line"><span 
class="keyword">from</span> secret <span class="keyword">import</span> flag</span><br><span class="line"></span><br><span class="line">m = bytes_to_long(flag)</span><br><span class="line">n = <span class="number">1</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">15</span>):</span><br><span class="line"> n *= getPrime(<span class="number">32</span>)</span><br><span class="line">e = <span class="number">65537</span></span><br><span class="line">c = <span class="built_in">pow</span>(m,e,n)</span><br><span class="line"><span class="built_in">print</span>(<span class="string">f'n = <span class="subst">{n}</span>'</span>)</span><br><span class="line"><span class="built_in">print</span>(<span class="string">f'c = <span class="subst">{c}</span>'</span>)</span><br><span class="line"><span class="string">'''</span></span><br><span class="line"><span class="string">n = 15241208217768849887180010139590210767831431018204645415681695749294131435566140166245881287131522331092026252879324931622292179726764214435307</span></span><br><span class="line"><span class="string">c = 12608550100856399369399391849907846147170257754920996952259023159548789970041433744454761458030776176806265496305629236559551086998780836655717</span></span><br><span class="line"><span class="string">'''</span></span><br></pre></td></tr></table></figure><br>Factoring n again: this time n is a product of fifteen 32-bit primes.<br />Use the yafu tool mentioned in the challenge to factor n; download address <a href="https://onboardcloud.dl.sourceforge.net/project/yafu/1.34/yafu-1.34.zip">https://onboardcloud.dl.sourceforge.net/project/yafu/1.34/yafu-1.34.zip</a><br />Type cmd in the address bar of the extracted folder to open a command prompt there, then run the command<br />.\yafu-x64 factor(15241208217768849887180010139590210767831431018204645415681695749294131435566140166245881287131522331092026252879324931622292179726764214435307)<br />which yields 15 factors<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684065952264-744709a1-5e25-4aea-94dc-ecaa62b88ae9.png" 
alt="image.png"><br />They are:<br />P10 = 2201440207<br />P10 = 3354884521<br />P10 = 4171911923<br />P10 = 2719600579<br />P10 = 4044505687<br />P10 = 2758708999<br />P10 = 2767137487<br />P10 = 2585574697<br />P10 = 2906576131<br />P10 = 2315495107<br />P10 = 3355651511<br />P10 = 3989697563<br />P10 = 4021078331<br />P10 = 2151018733<br />P10 = 2923522073<br />Then we adapt a script found online to compute the result; it may look similar to other teams' scripts, since we took it from CSDN<br><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> gmpy2</span><br><span class="line"><span class="keyword">from</span> Crypto.Util.number <span class="keyword">import</span> long_to_bytes</span><br><span class="line"></span><br><span class="line">n = <span class="number">15241208217768849887180010139590210767831431018204645415681695749294131435566140166245881287131522331092026252879324931622292179726764214435307</span></span><br><span class="line">e = <span class="number">65537</span></span><br><span class="line">c = <span 
class="number">12608550100856399369399391849907846147170257754920996952259023159548789970041433744454761458030776176806265496305629236559551086998780836655717</span></span><br><span class="line">p1 = <span class="number">2201440207</span></span><br><span class="line">p2 = <span class="number">3354884521</span></span><br><span class="line">p3 = <span class="number">2719600579</span></span><br><span class="line">p4 = <span class="number">4171911923</span></span><br><span class="line">p5 = <span class="number">2315495107</span></span><br><span class="line">p6 = <span class="number">2758708999</span></span><br><span class="line">p7 = <span class="number">3989697563</span></span><br><span class="line">p8 = <span class="number">2923522073</span></span><br><span class="line">p9 = <span class="number">2151018733</span></span><br><span class="line">p10 = <span class="number">3355651511</span></span><br><span class="line">p11 = <span class="number">2906576131</span></span><br><span class="line">p12 = <span class="number">4044505687</span></span><br><span class="line">p13 = <span class="number">4021078331</span></span><br><span class="line">p14 = <span class="number">2585574697</span></span><br><span class="line">p15 = <span class="number">2767137487</span></span><br><span class="line">phi = (p1 - <span class="number">1</span>) * (p2 - <span class="number">1</span>) * (p3 - <span class="number">1</span>)* (p4 - <span class="number">1</span>) * (p5 - <span class="number">1</span>)* (p6 - <span class="number">1</span>) * (p7 - <span class="number">1</span>)* (p8 - <span class="number">1</span>) * (p9 - <span class="number">1</span>)* (p10 - <span class="number">1</span>) * (p11 - <span class="number">1</span>)* (p12 - <span class="number">1</span>) * (p13 - <span class="number">1</span>)* (p14 - <span class="number">1</span>) * (p15 - <span class="number">1</span>)</span><br><span class="line">d = gmpy2.invert(e, phi)</span><br><span class="line">m = <span 
class="built_in">pow</span>(c, d, n)</span><br><span class="line"><span class="built_in">print</span>(long_to_bytes(m))</span><br></pre></td></tr></table></figure><br>The output is<br /><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/1684066254707-e76ca123-4127-4751-b8cb-050f4519e972.png" alt="image.png"><br />So the answer is LitCTF{Mu1tiple_3m4ll_prim5_fac7ors_@re_uns4f5}<br><a name="ZludG"></a></p><h2 id="The-same-common-divisor-高级"><a href="#The-same-common-divisor-高级" class="headerlink" title="The same common divisor (Advanced)"></a>The same common divisor (Advanced)</h2><p>The challenge gives n1, n3, c1, c2 and e. From the way n1, n2 and n3 are related in the challenge code, first recover n2;<br />then use a script found online to obtain the result<br /><a href="https://www.cnblogs.com/wandervogel/p/16805990.html#esayrsa2">https://www.cnblogs.com/wandervogel/p/16805990.html#esayrsa2</a><br><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line">n1= <span 
class="number">9852079772293301283705208653824307027320071498525390578148444258198605733768947108049676831872672654449631852459503049139275329796717506126689710613873813880735666507857022786447784753088176997374711523987152412069255685005264853118880922539048290400078105858759506186417678959028622484823376958194324034590514104266608644398160457382895380141070373685334979803658172378382884352616985632157233900719194944197689860219335238499593658894630966428723660931647038577670614850305719449893199713589368780231046895222526070730152875112477675102652862254926169713030701937231206405968412044029177246460558028793385980934233</span></span><br><span class="line">n3= <span class="number">4940268030889181135441311597961813780480775970170156650560367030148383674257975796516865571557828263935532335958510269356443566533284856608454193676600884849913964971291145182724888816164723930966472329604608512023988191536173112847915884014445539739070437180314205284883149421228744714989392788108329929896637182055266508625177260492776962915873036873839946591259443753924970795669864031580632650140641456386202636466624658715315856453572441182758855085077441336516178544978457053552156714181607801760605521338788424464551796638531143900048375037218585999440622490119344971822707261432953755569507740550277088437182</span></span><br><span class="line">c1= <span 
class="number">7066425618980522033304943700150361912772559890076173881522840300333719222157667104461410726444725540513601550570478331917063911791020088865705346188662290524599499769112250751103647749860198318955619903728724860941709527724500004142950768744200491448875522031555564384426372047270359602780292587644737898593450148108629904854675417943165292922990980758572264063039172969633878015560735737699147707712154627358077477591293746136250207139049702201052305840453700782016480965369600667516646007546442708862429431724013679189842300429421340122052682391471347471758814138218632022564279296594279507382548264409296929401260</span></span><br><span class="line">c2= <span class="number">854668035897095127498890630660344701894030345838998465420605524714323454298819946231147930930739944351187708040037822108105697983018529921300277486094149269105712677374751164879455815185393395371001495146490416978221501351569800028842842393448555836910486037183218754013655794027528039329299851644787006463456162952383099752894635657833907958930587328480492546831654755627949756658554724024525108575961076341962292900510328611128404001877137799465932130220386963518903892403159969133882215092783063943679288192557384595152566356483424061922742307738886179947575613661171671781544283180451958232826666741028590085269</span></span><br><span class="line">n2 = n1^n3 <span class="comment"># n3 = n1 XOR n2 in the challenge code, so XOR with n1 recovers n2</span></span><br><span class="line">e = <span class="number">65537</span></span><br><span class="line"><span class="comment"># correct: The same common divisor (Advanced)</span></span><br><span class="line"><span class="keyword">import</span> gmpy2</span><br><span class="line"><span class="keyword">import</span> binascii</span><br><span class="line">p = gmpy2.gcd(n1,n2) <span class="comment"># the shared prime factor of n1 and n2</span></span><br><span class="line">q = n1 // p <span class="comment"># whether q comes from n1 // p or n2 // p, the recovered plaintext m is the same</span></span><br><span class="line">phi = (p-<span class="number">1</span>)*(q-<span class="number">1</span>)</span><br><span class="line">d = gmpy2.invert(e,phi)</span><br><span 
class="line">m = gmpy2.powmod(c1,d,n1)</span><br><span class="line"><span class="built_in">print</span>(binascii.unhexlify(<span class="built_in">hex</span>(m)[<span class="number">2</span>:]))</span><br></pre></td></tr></table></figure><br><a name="arhMI"></a></p><h2 id=""><a href="#" class="headerlink" title=" "></a> </h2><p><a name="fVRnK"></a></p><h2 id="easy-math-中级"><a href="#easy-math-中级" class="headerlink" title="easy_math (中级)"></a>easy_math (中级)</h2><p>chat一下<br><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> Crypto.Util.number <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">from</span> sympy.solvers <span class="keyword">import</span> solve</span><br><span class="line"><span class="keyword">from</span> sympy <span class="keyword">import</span> Symbol</span><br><span class="line"></span><br><span class="line">n = <span 
class="number">2230791374046346835775433548641067593691369485828070649075162141394476183565187654365131822111419512477883295758461313983481545182887415447403634720326639070667688614534290859200753589300443797</span></span><br><span class="line">hint = <span class="number">392490868359411675557103683163021977774935163924606169241731307258226973701652855448542714274348304997416149742779376023311152228735117186027560227613656229190807480010615064372521942836446425717660375242197759811804760170129768647414717571386950790115746414735411766002368288743086845078803312201707960465419405926186622999423245762570917629351110970429987377475979058821154568001902541710817731089463915930932142007312230897818177067675996751110894377356758932</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># 求解p和q</span></span><br><span class="line">x = Symbol(<span class="string">'x'</span>)</span><br><span class="line">y = Symbol(<span class="string">'y'</span>)</span><br><span class="line">equations = [x * y - n, x ** <span class="number">3</span> - y ** <span class="number">5</span> - hint]</span><br><span class="line">solutions = solve(equations, [x, y])</span><br><span class="line"></span><br><span class="line"><span class="comment"># 选取满足p > q 的解</span></span><br><span class="line">p, q = solutions[<span class="number">0</span>]</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> p < q:</span><br><span class="line"> p, q = q, p</span><br><span class="line"><span class="built_in">print</span>(p)</span><br><span class="line"><span class="built_in">print</span>(q)</span><br><span class="line">c = <span class="number">2168563038335029902089976057856861885635845445863841607485310134441400500612435296818745930370268060353437465666224400129105788787423156958336380480503762222278722770240792709450637433509537280</span></span><br><span class="line">e = <span class="number">65537</span></span><br><span class="line">p = 
<span class="number">7321664971326604351487965655099805117568571010588695608389113791312918573783115429227542573780838065461696504325762281209452761930184231131129306271846427</span></span><br><span class="line">q = <span class="number">304683618109085947723284393392507415311</span></span><br><span class="line">n = p * q</span><br><span class="line">phi = (p - <span class="number">1</span>) * (q - <span class="number">1</span>)</span><br><span class="line">d = gmpy2.invert(e, phi)</span><br><span class="line">m = <span class="built_in">pow</span>(c, d, n)</span><br><span class="line"><span class="built_in">print</span>(libnum.n2s(<span class="built_in">int</span>(m)))</span><br></pre></td></tr></table></figure></p><p><a name="xB8Zr"></a></p><h2 id="-1"><a href="#-1" class="headerlink" title=" "></a> </h2><p><a name="d8kUe"></a></p><h2 id="SEEM和探姬的游戏"><a href="#SEEM和探姬的游戏" class="headerlink" title="SEEM和探姬的游戏"></a>SEEM和探姬的游戏</h2><p>使用chatgpt,写的代码<br><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span 
class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br></pre></td><td class="code"><pre><span class="line">MOD = <span class="number">10</span>**<span class="number">9</span> + <span class="number">7</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">dfs</span>(<span class="params">u, fa</span>):</span><br><span class="line"> sz[u] = <span class="number">1</span></span><br><span class="line"> <span class="built_in">sum</span>[u] = a[u]</span><br><span class="line"> <span class="keyword">for</span> v <span class="keyword">in</span> g[u]:</span><br><span class="line"> <span class="keyword">if</span> v != fa:</span><br><span class="line"> dfs(v, u)</span><br><span class="line"> sz[u] += sz[v]</span><br><span class="line"> <span class="built_in">sum</span>[u] += <span class="built_in">sum</span>[v]</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">dp</span>(<span class="params">u, fa</span>):</span><br><span class="line"> res = <span class="number">0</span></span><br><span class="line"> <span class="keyword">for</span> v <span class="keyword">in</span> g[u]:</span><br><span class="line"> <span class="keyword">if</span> v != fa:</span><br><span class="line"> res += dp(v, u) + (n - sz[v]) * sz[v] * (<span class="built_in">sum</span>[v] - <span class="built_in">sum</span>[u])</span><br><span class="line"> <span class="keyword">return</span> res % MOD</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> __name__ == <span class="string">'__main__'</span>:</span><br><span class="line"> n = <span class="built_in">int</span>(<span class="built_in">input</span>())</span><br><span class="line"> a = <span class="built_in">list</span>(<span class="built_in">map</span>(<span 
class="built_in">int</span>, <span class="built_in">input</span>().split()))</span><br><span class="line"> g = [[] <span class="keyword">for</span> _ <span class="keyword">in</span> <span class="built_in">range</span>(n)]</span><br><span class="line"> <span class="keyword">for</span> _ <span class="keyword">in</span> <span class="built_in">range</span>(n - <span class="number">1</span>):</span><br><span class="line"> u, v = <span class="built_in">map</span>(<span class="built_in">int</span>, <span class="built_in">input</span>().split())</span><br><span class="line"> g[u - <span class="number">1</span>].append(v - <span class="number">1</span>)</span><br><span class="line"> g[v - <span class="number">1</span>].append(u - <span class="number">1</span>)</span><br><span class="line"></span><br><span class="line"> sz = [<span class="number">0</span>] * n</span><br><span class="line"> <span class="built_in">sum</span> = [<span class="number">0</span>] * n</span><br><span class="line"> dfs(<span class="number">0</span>, -<span class="number">1</span>)</span><br><span class="line"></span><br><span class="line"> ans = <span class="number">0</span></span><br><span class="line"> <span class="keyword">for</span> u <span class="keyword">in</span> <span class="built_in">range</span>(n):</span><br><span class="line"> ans += dp(u, -<span class="number">1</span>)</span><br><span class="line"> <span class="built_in">print</span>(ans % MOD)</span><br></pre></td></tr></table></figure><br><a name="NZMo9"></a></p><h2 id="Small"><a href="#Small" class="headerlink" title="Small"></a>Small</h2><p>使用chatgpt,写的代码<br><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span 
class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br></pre></td><td class="code"><pre><span class="line">chat一下</span><br><span class="line"><span class="keyword">from</span> Crypto.Util.number <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">from</span> sympy.solvers <span class="keyword">import</span> solve</span><br><span class="line"><span class="keyword">from</span> sympy <span class="keyword">import</span> Symbol</span><br><span class="line"></span><br><span class="line">n = <span class="number">2230791374046346835775433548641067593691369485828070649075162141394476183565187654365131822111419512477883295758461313983481545182887415447403634720326639070667688614534290859200753589300443797</span></span><br><span class="line">hint = <span class="number">392490868359411675557103683163021977774935163924606169241731307258226973701652855448542714274348304997416149742779376023311152228735117186027560227613656229190807480010615064372521942836446425717660375242197759811804760170129768647414717571386950790115746414735411766002368288743086845078803312201707960465419405926186622999423245762570917629351110970429987377475979058821154568001902541710817731089463915930932142007312230897818177067675996751110894377356758932</span></span><br><span class="line"></span><br><span class="line"><span 
class="comment"># 求解p和q</span></span><br><span class="line">x = Symbol(<span class="string">'x'</span>)</span><br><span class="line">y = Symbol(<span class="string">'y'</span>)</span><br><span class="line">equations = [x * y - n, x ** <span class="number">3</span> - y ** <span class="number">5</span> - hint]</span><br><span class="line">solutions = solve(equations, [x, y])</span><br><span class="line"></span><br><span class="line"><span class="comment"># 选取满足p > q 的解</span></span><br><span class="line">p, q = solutions[<span class="number">0</span>]</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> p < q:</span><br><span class="line"> p, q = q, p</span><br><span class="line"><span class="built_in">print</span>(p)</span><br><span class="line"><span class="built_in">print</span>(q)</span><br><span class="line">c = <span class="number">2168563038335029902089976057856861885635845445863841607485310134441400500612435296818745930370268060353437465666224400129105788787423156958336380480503762222278722770240792709450637433509537280</span></span><br><span class="line">e = <span class="number">65537</span></span><br><span class="line">p = <span class="number">7321664971326604351487965655099805117568571010588695608389113791312918573783115429227542573780838065461696504325762281209452761930184231131129306271846427</span></span><br><span class="line">q = <span class="number">304683618109085947723284393392507415311</span></span><br><span class="line">n = p * q</span><br><span class="line">phi = (p - <span class="number">1</span>) * (q - <span class="number">1</span>)</span><br><span class="line">d = gmpy2.invert(e, phi)</span><br><span class="line">m = <span class="built_in">pow</span>(c, d, n)</span><br><span class="line"><span class="built_in">print</span>(libnum.n2s(<span class="built_in">int</span>(m)))</span><br><span class="line"></span><br></pre></td></tr></table></figure><br><a name="vmxWA"></a></p><h2 id="Prime"><a href="#Prime" 
class="headerlink" title="Prime"></a>Prime</h2><p>使用chatgpt,写的代码<br><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">def</span> <span class="title function_">solve</span>(<span class="params">m, e</span>):</span><br><span class="line"> <span class="comment"># 计算出每个质数的次数</span></span><br><span class="line"> cnt = [<span class="number">0</span>] * m</span><br><span class="line"> <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(m):</span><br><span class="line"> cnt[i] = e[i]</span><br><span class="line"> <span class="comment"># 计算出每个质数的幂次</span></span><br><span class="line"> p = [<span class="number">0</span>] * m</span><br><span class="line"> p[<span class="number">0</span>] = <span class="number">1</span></span><br><span class="line"> <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">1</span>, m):</span><br><span class="line"> p[i] = p[i - <span class="number">1</span>] * cnt[i - <span class="number">1</span>]</span><br><span class="line"> <span class="comment"># 从小到大枚举质数,计算出最小的 n</span></span><br><span class="line"> n = <span class="number">0</span></span><br><span 
class="line"> <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(m):</span><br><span class="line"> <span class="keyword">while</span> <span class="built_in">pow</span>(i + <span class="number">1</span>, n // p[i]) % (i + <span class="number">1</span>) == <span class="number">0</span>:</span><br><span class="line"> n += p[i]</span><br><span class="line"> <span class="keyword">return</span> n</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> __name__ == <span class="string">'__main__'</span>:</span><br><span class="line"> m = <span class="built_in">int</span>(<span class="built_in">input</span>())</span><br><span class="line"> e = <span class="built_in">list</span>(<span class="built_in">map</span>(<span class="built_in">int</span>, <span class="built_in">input</span>().split()))</span><br><span class="line"> ans = solve(m, e)</span><br><span class="line"> <span class="built_in">print</span>(ans)</span><br></pre></td></tr></table></figure></p>]]></content>
<summary type="html">🥧 This article is team abc's 2023LitCTF writeup, for reference only and unofficial.</summary>
<category term="CTF" scheme="https://blog.r1ng13.top/categories/CTF/"/>
<category term="CTF" scheme="https://blog.r1ng13.top/tags/CTF/"/>
<category term="2023LitCTF" scheme="https://blog.r1ng13.top/tags/2023LitCTF/"/>
</entry>
<entry>
<title>Server Forensics Exercise 1</title>
<link href="https://blog.r1ng13.top/posts/6ad51bd.html"/>
<id>https://blog.r1ng13.top/posts/6ad51bd.html</id>
<published>2023-05-09T02:19:03.000Z</published>
<updated>2023-05-09T14:00:00.000Z</updated>
<content type="html"><![CDATA[<div class="table-container"><table><thead><tr><th><strong>Case</strong> <strong>Background</strong></th><th>In a case involving a pirated-video website, the investigating authority obtained the data of the website concerned and requested a forensic examination of its server image.</th></tr></thead><tbody><tr><td><strong>Submitted</strong> <strong>Material</strong></td><td>The file "ceshi.E01" is the disk image of the website's server.</td></tr><tr><td><strong>Examination</strong> <strong>Requirements</strong></td><td>1. Compute the SHA256 hash of the evidence source disk. (5 points) 2. The server's kernel version. (5 points) 3. Identify the service listening on port 11211 on the server. (5 points) 4. From the suspect's command history, identify a file that was once deleted. (5 points) 5. Identify the tool used on the server to manage websites. (5 points) 6. Identify the phone number bound to that tool. (5 points) 7. Identify how many website domain names it manages. (5 points) 8. Identify the domain name of a website once deleted from the server. (5 points) 9. Identify how many docker containers the server has. (5 points) 10. Identify the container ID of the docker container named zealous_driscoll. (5 points) 11. Identify the storage path of the video website's source code. (5 points) 12. Identify the name of the video website's successful-connection log. (5 points) 13. Identify the backend URL of the video website on the server. (5 points) 14. Identify the port of the database used by the video website. (5 points) 15. Identify the password of the video website's database "honglian". (5 points) 16. Preserve the MD5 value of the video file "弘连宣传视频1" on the video website. (5 points) 17. The video website's email address is (5 points) 18. How many users does the video website have (5 points) 19. What is the maximum video upload size allowed by the video website's backend (5 points) 20. Identify the encryption method used for passwords when logging in to the video website (5 points)</td></tr></tbody></table></div><h1 id="1-请计算该检材源盘的SHA256哈希值。(5分)"><a href="#1-请计算该检材源盘的SHA256哈希值。(5分)" class="headerlink" title="1.请计算该检材源盘的SHA256哈希值。(5分)"></a>1. Compute the SHA256 hash of the evidence source disk. (5 points)</h1><h2 id="解题"><a href="#解题" class="headerlink" title="解题"></a>Solution</h2><p><strong>Approach:</strong> use the command line provided by Windows to compute it</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">certutil -hashfile ceshi.E01 SHA256</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422232820193.png" alt="image-20230422232820193"></p><h2 id="答案"><a href="#答案" class="headerlink" title="答案"></a>Answer</h2><p>The SHA256 hash of the evidence source disk is <strong>bf3f4e9aa5a4721be72b90286cba43e6ec7b29ca33cd9d1fd00406cf950be725</strong></p><h1 id="2-该服务器的内核版本。(5分)"><a href="#2-该服务器的内核版本。(5分)" class="headerlink" title="2. 该服务器的内核版本。(5分)"></a>2. The server's kernel version. (5 points)</h1><h2 id="解题-1"><a href="#解题-1" class="headerlink" title="解题"></a>Solution</h2><p>Boot the image with system emulation software, then connect with Xshell and run the following command</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">uname -a</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230423200952596.png" alt="image-20230423200952596"></p><h2 id="答案-1"><a href="#答案-1" class="headerlink" title="答案"></a>Answer</h2><p>The server's kernel version is: <strong>3.10.0-957.el7.x86_64</strong></p><h1 id="3-请找出该服务器中监听端口11211对应的服务是。(5分)"><a href="#3-请找出该服务器中监听端口11211对应的服务是。(5分)" class="headerlink" title="3. 请找出该服务器中监听端口11211对应的服务是。(5分)"></a>3. Identify the service listening on port 11211 on the server. (5 points)</h1><h2 id="解题-2"><a href="#解题-2" class="headerlink" title="解题"></a>Solution</h2><p><strong>Approach:</strong> use the Linux command that lists listening ports</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sudo netstat -tunlp | grep 11211</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230423201432841.png" alt="image-20230423201432841"></p><h2 id="答案-2"><a href="#答案-2" class="headerlink" title="答案"></a>Answer</h2><p>The service listening on port 11211 on the server is <strong>9091/memcached</strong> (the PID/Program name column of the netstat output)</p><h1 id="4-通过嫌疑人操作命令发现其曾经有删除过一个文件是(5分)"><a href="#4-通过嫌疑人操作命令发现其曾经有删除过一个文件是(5分)" class="headerlink" title="4. 通过嫌疑人操作命令发现其曾经有删除过一个文件是(5分)"></a>4. From the suspect's command history, identify a file that was once deleted (5 points)</h1><h2 id="解题-3"><a href="#解题-3" class="headerlink" title="解题"></a>Solution</h2><p><strong>Approach:</strong> check the Linux command history to find the deleted file</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">history</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230423231016202.png" alt="image-20230423231016202"></p><h2 id="答案-3"><a href="#答案-3" class="headerlink" title="答案"></a>Answer</h2><p>The file that the suspect's commands show was once deleted is <strong>bb10c86df29d83f4c46209dbe23de7e069e5eb9ddf13233d323b880fb5639a36</strong></p><h1 id="5-请找出服务器中使用何种工具管理网站(5分)"><a href="#5-请找出服务器中使用何种工具管理网站(5分)" class="headerlink" title="5. 请找出服务器中使用何种工具管理网站(5分)"></a>5. Identify the tool used on the server to manage websites (5 points)</h1><h2 id="解题-4"><a href="#解题-4" class="headerlink" title="解题"></a>Solution</h2><p><strong>Approach:</strong> the Linux command history contains BaoTa (宝塔) panel commands; try running bt to confirm</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230423231356564.png" alt="image-20230423231356564"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230423231427518.png" alt="image-20230423231427518"></p><h2 id="答案-4"><a href="#答案-4" class="headerlink" title="答案"></a>Answer</h2><p>The server uses the <strong>BaoTa (宝塔)</strong> panel to manage its websites</p><h1 id="6-请找出该工具绑定的手机号是(5分"><a href="#6-请找出该工具绑定的手机号是(5分" class="headerlink" title="6. 请找出该工具绑定的手机号是(5分)"></a>6. Identify the phone number bound to that tool (5 points)</h1><h2 id="解题-5"><a href="#解题-5" class="headerlink" title="解题"></a>Solution</h2><p><strong>Approach:</strong> use the BaoTa command to start the panel and reconstruct the website</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">bt 14</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230423231817947.png" alt="image-20230423231817947"></p><p>However, login reports a wrong password, so run the following command to change it</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">cd /www/server/panel && btpython tools.py panel testpasswd s8nbhvgh</span><br></pre></td></tr></table></figure><p>This resets the password of the account s8nbhvgh to testpasswd</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230423232006405.png" alt="image-20230423232006405"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230423232108108.png" alt="image-20230423232108108"></p><p>In the panel settings the phone number is shown masked with asterisks</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230423233732525.png" alt="image-20230423233732525"></p><p>Next, use the browser developer tools (F12) to locate it</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230423233824860.png" alt="image-20230423233824860"></p><p>Then search for get_user_info in the Network tab to find the full phone number</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230423233940439.png" alt="image-20230423233940439"></p><h2 id="答案-5"><a href="#答案-5" class="headerlink" title="答案"></a>Answer</h2><p>The phone number bound to the tool is <strong>18627943382</strong></p><h1 id="7-请找出其管理的网站域名共有多少个。(5分)"><a href="#7-请找出其管理的网站域名共有多少个。(5分)" class="headerlink" title="7,请找出其管理的网站域名共有多少个。(5分)"></a>7. Identify how many website domain names it manages. (5 points)</h1><h2 id="解题-6"><a href="#解题-6" class="headerlink" title="解题"></a>Solution</h2><p><strong>Approach:</strong> looking at the websites in the BaoTa panel shows 3 managed website domain names</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230423234028474.png" alt="image-20230423234028474"></p><p>But opening the settings reveals that one of the sites has two domain names</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230424105039571.png" alt="image-20230424105039571"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230424105111774.png" alt="image-20230424105111774"></p><h2 id="答案-6"><a href="#答案-6" class="headerlink" title="答案"></a>Answer</h2><p>It manages <strong>3</strong> website domain names in total</p><h1 id="8-请找出服务器曾经删除的一个网站,其域名是(5分)"><a href="#8-请找出服务器曾经删除的一个网站,其域名是(5分)" class="headerlink" title="8.请找出服务器曾经删除的一个网站,其域名是(5分)"></a>8. Identify the domain name of a website once deleted from the server (5 points)</h1><h2 id="解题-7"><a href="#解题-7" class="headerlink" title="解题"></a>Solution</h2><p><strong>Approach:</strong> check the panel operation log under Security in the BaoTa panel</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230424000448607.png" alt="image-20230424000448607"></p><h2 id="答案-7"><a href="#答案-7" class="headerlink" title="答案"></a>Answer</h2><p>The domain name of the website once deleted from the server is <strong>fastadmin.com</strong></p><h1 id="9-请找出该服务器docker容器共有多少个(5分)"><a href="#9-请找出该服务器docker容器共有多少个(5分)" class="headerlink" title="9.请找出该服务器docker容器共有多少个(5分)"></a>9. Identify how many docker containers the server has (5 points)</h1><h2 id="解题-8"><a href="#解题-8" class="headerlink" title="解题"></a>Solution</h2><p><strong>Approach:</strong> use a Linux command to count the docker containers, including those in the exited and created states (<strong>but subtract 1 from the result of this command, because it also counts the header line</strong>)</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">docker ps -a |wc -l</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230424110214603.png" alt="image-20230424110214603"></p><p><strong>Note:</strong> subtract 1 from 4, so there are 3 docker containers</p><h2 id="答案-8"><a href="#答案-8" class="headerlink" title="答案"></a>Answer</h2><p>The server has <strong>3</strong> docker containers in total</p><h1 id="10-请找出dokcer容器名为zealous-driscoll的容器ID是(5分)"><a href="#10-请找出dokcer容器名为zealous-driscoll的容器ID是(5分)" class="headerlink" title="10.请找出dokcer容器名为zealous_driscoll的容器ID是(5分)"></a>10. Identify the container ID of the docker container named zealous_driscoll (5 points)</h1><p><strong>Approach:</strong> use the Linux command to <strong>list all containers</strong></p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">docker ps -a</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230424111048948.png" alt="image-20230424111048948"></p><p>Alternatively, filter directly for the ID of the container named zealous_driscoll with the following command</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">docker ps -a | grep zealous_driscoll</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230424111244742.png" alt="image-20230424111244742"></p><p>But this only gives the truncated ID, so use the following command to get the metadata of the container zealous_driscoll</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">docker inspect zealous_driscoll</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230424120140352.png" alt="image-20230424120140352"></p><h2 id="答案-9"><a href="#答案-9" class="headerlink" title="答案"></a>Answer</h2><p>The container ID of the docker container named zealous_driscoll is <strong>72b3c398c8e54dc34132805acda5937976be39e578ed6bc292e134c192f16629</strong></p><h1 id="11-请找出该视频网站的网站源码存储路径(5分)"><a href="#11-请找出该视频网站的网站源码存储路径(5分)" class="headerlink" title="11.请找出该视频网站的网站源码存储路径(5分)"></a>11. Identify the storage path of the video website's source code (5 points)</h1><h2 id="解题-9"><a href="#解题-9" class="headerlink" title="解题"></a>Solution</h2><p><strong>Approach:</strong> the site's root directory</p><h2 id="答案-10"><a href="#答案-10" class="headerlink" title="答案"></a>Answer</h2><h1 id="12-请找出该视频服务器网站成功连接日志名(5分)"><a href="#12-请找出该视频服务器网站成功连接日志名(5分)" class="headerlink" title="12.请找出该视频服务器网站成功连接日志名(5分)"></a>12. Identify the name of the video server website's successful-connection log (5 points)</h1><h2 id="解题-10"><a href="#解题-10" class="headerlink" title="解题"></a>Solution</h2><p><strong>Approach:</strong> under the server's www directory there is a file <strong>www.app10.com-access_log</strong>, which stores the website's successful-connection log</p><h2 id="答案-11"><a href="#答案-11" class="headerlink" title="答案"></a>Answer</h2><p>The name of the video server website's successful-connection log is www.app10.com-access_log</p><h1 id="13-请找出该服务器中视频网站的后台url。(5分)"><a href="#13-请找出该服务器中视频网站的后台url。(5分)" class="headerlink" title="13.请找出该服务器中视频网站的后台url。(5分)"></a>13. Identify the backend URL of the video website on the server. (5 points)</h1><h2 id="解题-11"><a href="#解题-11" class="headerlink" title="解题"></a>Solution</h2><p><strong>Approach:</strong> after reconstructing the website, the backend URL of the video site on the server is visible</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230424203945274.png" alt="image-20230424203945274"></p><h2 id="答案-12"><a href="#答案-12" class="headerlink" title="答案"></a>Answer</h2><p>The backend URL of the video website on the server is: <strong><a href="http://www.app10.com/admin-cp/">http://www.app10.com/admin-cp/</a></strong></p><h1 id="14-请找出该视频网站所用数据库的端口。(5分)"><a href="#14-请找出该视频网站所用数据库的端口。(5分)" class="headerlink" title="14.请找出该视频网站所用数据库的端口。(5分)"></a>14. Identify the port of the database used by the video website. (5 points)</h1><h2 id="解题-12"><a href="#解题-12" class="headerlink" title="解题"></a>Solution</h2><p><strong>Approach:</strong> start the MySQL docker container with the following command</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">docker start mysql5.6</span><br></pre></td></tr></table></figure><p>Then run the following command to see the port number</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">docker ps -a</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230424114327739.png" alt="image-20230424114327739"></p><h1 id="15-请找出该视频网站数据库“honglian”的密码。(5分)"><a href="#15-请找出该视频网站数据库“honglian”的密码。(5分)" class="headerlink" title="15.请找出该视频网站数据库“honglian”的密码。(5分)"></a>15. Identify the password of the video website's database "honglian". (5 points)</h1><h2 id="解题-13"><a href="#解题-13" class="headerlink" title="解题"></a>Solution</h2><p><strong>Approach:</strong> use Navicat to connect over SSH</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230424175715983.png" alt="image-20230424175715983"></p><p>Next configure the database connection; this needs the database password, which can be found in the website's configuration file <strong>config.php</strong></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230424180127358.png" alt="image-20230424180127358"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230424180211590.png" alt="image-20230424180211590"></p><p>After connecting successfully, open the user table in the database named honglian</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230424180629879.png" alt="image-20230424180629879"></p><p>The admin account is there, with an MD5-hashed password</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230424180834337.png" alt="image-20230424180834337"></p><p>Then use an online MD5 lookup site to recover it</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230424180958359.png" alt="image-20230424180958359"></p><h2 id="答案-13"><a href="#答案-13" class="headerlink" title="答案"></a>Answer</h2><p>The password of the video website's database "honglian" is <strong>123456</strong></p><h1 id="16-请固定该视频网站中“弘连宣传视频1”中视频文件的MD5值。(5分)"><a href="#16-请固定该视频网站中“弘连宣传视频1”中视频文件的MD5值。(5分)" class="headerlink" title="16.请固定该视频网站中“弘连宣传视频1”中视频文件的MD5值。(5分)"></a>16. Preserve the MD5 value of the video file "弘连宣传视频1" on the video website. (5 points)</h1><h2 id="解题-14"><a href="#解题-14" class="headerlink" title="解题"></a>Solution</h2><p><strong>Approach:</strong> after reconstructing the website, the homepage shows 弘连宣传视频1</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230424202537284.png" alt="image-20230424202537284"></p><p>Opening the video shows that it can be downloaded with IDM</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230424202730090.png" alt="image-20230424202730090"></p><p>Download it locally and compute its MD5 with a command or a tool</p><p>In cmd, run the following command</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">certutil -hashfile 文件路径 MD5</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230424203118565.png" alt="image-20230424203118565"></p><h2 id="答案-14"><a href="#答案-14" class="headerlink" title="答案"></a>Answer</h2><p>The preserved MD5 value of the video file "弘连宣传视频1" on the video website is: <strong>4758a0b9a9c0ca4f62aed610943052b5</strong></p><h1 id="17-该视频网站电子邮箱为(5分)"><a href="#17-该视频网站电子邮箱为(5分)" class="headerlink" title="17.该视频网站电子邮箱为(5分)"></a>17. The video website's email address is (5 points)</h1><h2 id="解题-15"><a href="#解题-15" class="headerlink" title="解题"></a>Solution</h2><p><strong>Approach:</strong> this can be seen either on the reconstructed website or in the admin user's email field in the database</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230424203529861.png" alt="image-20230424203529861"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230424203544725.png" alt="image-20230424203544725"></p><h2 id="答案-15"><a href="#答案-15" class="headerlink" title="答案"></a>Answer</h2><p>The video website's email address is <strong>[email protected]</strong></p><h1 id="18-该视频网站用户有多少个(5分)"><a href="#18-该视频网站用户有多少个(5分)" class="headerlink" title="18.该视频网站用户有多少个(5分)"></a>18. How many users does the video website have (5 points)</h1><h2 id="解题-16"><a href="#解题-16" class="headerlink" title="解题"></a>Solution</h2><p><strong>Approach:</strong> after reconstructing the website, check User Management in the admin backend, or the users table in the database</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230424203804926.png" alt="image-20230424203804926"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230424203745523.png" alt="image-20230424203745523"></p><h2 id="答案-16"><a href="#答案-16" class="headerlink" title="答案"></a>Answer</h2><p>The video website has 5 users</p><h1 id="19-该视频网站后台限制视频上传最大是多少(5分)"><a href="#19-该视频网站后台限制视频上传最大是多少(5分)" class="headerlink" title="19.该视频网站后台限制视频上传最大是多少(5分)"></a>19. What is the maximum video upload size allowed by the video website's backend (5 points)</h1><h2 id="解题-17"><a href="#解题-17" class="headerlink" title="解题"></a>Solution</h2><p><strong>Approach:</strong> the key point is that the question says <strong>website backend</strong>, so look in the website backend; the setting is under Site Management</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230424204618817.png" alt="image-20230424204618817"></p><h2 id="答案-17"><a href="#答案-17" class="headerlink" title="答案"></a>Answer</h2><p>The maximum video upload size allowed by the video website's backend is <strong>10G</strong></p><h1 id="20-找出该视频网站登录时密码采用的加密方式(5分)"><a href="#20-找出该视频网站登录时密码采用的加密方式(5分)" class="headerlink" title="20.找出该视频网站登录时密码采用的加密方式(5分)"></a>20. Identify the encryption method used for passwords when logging in to the video website (5 points)</h1><h2 id="解题-18"><a href="#解题-18" class="headerlink" title="解题"></a>Solution</h2><p><strong>Approach:</strong> when recovering the login password earlier, it turned out to be <strong>sha1</strong> hashed (this approach works)</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230424205009186.png" alt="image-20230424205009186"></p><h2 id="答案-18"><a href="#答案-18" class="headerlink" title="答案"></a>Answer</h2><p>The encryption method used for the video website's login passwords is <strong>sha1</strong></p>]]></content>
<summary type="html">🥧This post is Server Forensics Practice 1.</summary>
<category term="服务器取证" scheme="https://blog.r1ng13.top/categories/%E6%9C%8D%E5%8A%A1%E5%99%A8%E5%8F%96%E8%AF%81/"/>
<category term="网站重构" scheme="https://blog.r1ng13.top/categories/%E6%9C%8D%E5%8A%A1%E5%99%A8%E5%8F%96%E8%AF%81/%E7%BD%91%E7%AB%99%E9%87%8D%E6%9E%84/"/>
<category term="电子取证" scheme="https://blog.r1ng13.top/tags/%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81/"/>
<category term="服务器取证" scheme="https://blog.r1ng13.top/tags/%E6%9C%8D%E5%8A%A1%E5%99%A8%E5%8F%96%E8%AF%81/"/>
<category term="网站重构" scheme="https://blog.r1ng13.top/tags/%E7%BD%91%E7%AB%99%E9%87%8D%E6%9E%84/"/>
</entry>
<entry>
<title>A Certain Competition----WP</title>
<link href="https://blog.r1ng13.top/posts/71e56fef.html"/>
<id>https://blog.r1ng13.top/posts/71e56fef.html</id>
<published>2023-05-02T02:19:03.000Z</published>
<updated>2023-05-02T14:00:00.000Z</updated>
<content type="html"><![CDATA[<h1 id="答题卡"><a href="#答题卡" class="headerlink" title="答题卡"></a>Answer Sheet</h1><div class="table-container"><table><thead><tr><th>Name:</th><th>Unit:</th><th></th><th></th><th></th><th></th></tr></thead><tbody><tr><td>1-5 (3 points each)</td><td>6-10 (3 points each)</td><td>11-15 (3 points each)</td><td>16-20 (3 points each)</td><td>21-25 (4 points each)</td><td>26-30 (4 points each)</td></tr><tr><td></td><td></td><td></td><td></td><td></td><td></td></tr><tr><td>Score</td><td></td><td></td><td></td><td></td><td></td></tr></tbody></table></div>
<h1 id="案情介绍"><a href="#案情介绍" class="headerlink" title="案情介绍"></a>Case Background</h1><p> In a telecom-fraud case, the victim stated that their bank card had been used fraudulently by someone else. They had received an SMS impersonating the police: because the victim had invested through a P2P website, the fake police claimed that the site had been listed as an illegal website and told the victim to enter their information on a "police registration" website so that the principal could be recovered. Believing this, the victim entered their personal information and the details of the linked bank card on that site. Investigators suspect that the suspect obtained the registered-user information of the P2P website and used it for targeted fraud. “Personal Computer.E01” is the image of the suspect's laptop.</p>
<h1 id="题目"><a href="#题目" class="headerlink" title="题目"></a>Questions</h1>
<h2 id="1、计算“Personal-Computer-E01”文件的sha256值()"><a href="#1、计算“Personal-Computer-E01”文件的sha256值()" class="headerlink" title="1、计算“Personal Computer.E01”文件的sha256值()"></a>1. Compute the sha256 value of the “Personal Computer.E01” <strong>file</strong> ()</h2><p>A. 58a4ab5ee3dc4c4a279fa8287ed7dce315090512fa87127f8f9278c7972366c5</p><p>B. 58a4ab5ee3dc4c4a279fa8287ed7dce315090512fa87127f8f9278c7972366c6</p><p><strong>C. e6e47e210bd56c7071ce73ab5523736120071d0f3da5335936d7beb25c3914cd</strong></p><p>D. 1e646dec202c96b72f13cc3cf224148fc4e19d6faaaf76efffc31b1ca2cdd200</p><h3 id="解题"><a href="#解题" class="headerlink" title="解题"></a>Solution</h3><p>Method 1: compute it with a Windows command</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">certutil -hashfile "E:\试题镜像\Personal Computer.E01" SHA256</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230426160352708.png" alt="image-20230426160352708"></p><p>Method 2: compute it with the tool HashCalc</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230426162402127.png" alt="image-20230426162402127"></p><p>Method 3: use the hash calculation tool in the toolset of 美亚取证大师 (Meiya Pico Forensics Master)</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230426164852961.png" alt="image-20230426164852961"></p><h3 id="答案"><a href="#答案" class="headerlink" title="答案"></a>Answer</h3><p> The sha256 value of the “Personal Computer.E01” file is <strong>C. e6e47e210bd56c7071ce73ab5523736120071d0f3da5335936d7beb25c3914cd</strong></p>
<h2 id="2、请分析该检材的操作系统版本()"><a href="#2、请分析该检材的操作系统版本()" class="headerlink" title="2、请分析该检材的操作系统版本()"></a>2. Analyze the operating system version of this evidence item ()</h2><p><strong>A. Windows 10 Education</strong></p><p>B. Windows 10 Home</p><p>C. Windows 10 Pro</p><p>D. Windows 10 Enterprise</p><h3 id="解题-1"><a href="#解题-1" class="headerlink" title="解题"></a>Solution</h3><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230426160458062.png" alt="image-20230426160458062"></p><h3 id="答案-1"><a href="#答案-1" class="headerlink" title="答案"></a>Answer</h3><p> The operating system version of this evidence item is <strong>A. Windows 10 Education</strong></p>
<h2 id="3、找出该系统用户最后一次登陆时间:()"><a href="#3、找出该系统用户最后一次登陆时间:()" class="headerlink" title="3、找出该系统用户最后一次登陆时间:()"></a>3. Find the last login time of the system user: ()</h2><p>A. 2019-07-14 10:50:02 </p><p>B. 2019-07-14 10:10:02</p><p><strong>C. 2019-07-14 10:40:02</strong> </p><p>D. 2019-07-14 10:30:02</p><h3 id="解题-2"><a href="#解题-2" class="headerlink" title="解题"></a>Solution</h3><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230426230226235.png" alt="image-20230426230226235"></p><h3 id="答案-2"><a href="#答案-2" class="headerlink" title="答案"></a>Answer</h3><p> The last login time of the system user: <strong>C. 2019-07-14 10:40:02</strong> </p>
<h2 id="4、找出该系统最后一次正常关机时间:()"><a href="#4、找出该系统最后一次正常关机时间:()" class="headerlink" title="4、找出该系统最后一次正常关机时间:()"></a>4. Find the last normal shutdown time of the system: ()</h2><p>A. 2019-07-14 17:30:05</p><p>B. 2019-07-14 10:30:05 </p><p><strong>C. 2019-07-14 11:30:05</strong> </p><p>D. 2019-07-14 12:30:05</p><h3 id="解题-3"><a href="#解题-3" class="headerlink" title="解题"></a>Solution</h3><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230426230939828.png" alt="image-20230426230939828"></p><h3 id="答案-3"><a href="#答案-3" class="headerlink" title="答案"></a>Answer</h3><p> The last normal shutdown time of the system: <strong>C. 2019-07-14 11:30:05</strong> (I don't know why it is this one)</p>
<h2 id="5、请计算检材桌面上文本文件的sha256值:()"><a href="#5、请计算检材桌面上文本文件的sha256值:()" class="headerlink" title="5、请计算检材桌面上文本文件的sha256值:()"></a>5. Compute the sha256 value of the text file on the evidence item's desktop: ()</h2><p><strong>A. 58a4ab5ee3dc4c4a279fa8287ed7dce315090512fa87127f8f9278c7972366c5</strong> </p><p>B. 58a4ab5ee3dc4c4a279fa8287ed7dce315090512fa87127f8f9278c7972366c6</p><p>C. 58a4ab5ee3dc4c4a279fa8287ed7dce315090512fa87127f8f9278c7972366c7 </p><p>D. 58a4ab5ee3dc4c4a279fa8287ed7dce315090512fa87127f8f9278c7972366c8</p><h3 id="解题-4"><a href="#解题-4" class="headerlink" title="解题"></a>Solution</h3><p> Boot the image in emulation software</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230426231532382.png" alt="image-20230426231532382"></p><p>Find the file on the desktop and compute its SHA256 with the Windows command line</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230426231644038.png" alt="image-20230426231644038"></p><h3 id="答案-4"><a href="#答案-4" class="headerlink" title="答案"></a>Answer</h3><p> The sha256 value of the text file on the evidence item's desktop: <strong>A. 58a4ab5ee3dc4c4a279fa8287ed7dce315090512fa87127f8f9278c7972366c5</strong> </p>
<h2 id="6、该系统于2019年7月13日安装的软件为:()"><a href="#6、该系统于2019年7月13日安装的软件为:()" class="headerlink" title="6、该系统于2019年7月13日安装的软件为:()"></a>6. The software installed on this system on 2019-07-13 is: ()</h2><p><strong>A. Eraser</strong> </p><p>B. Putty</p><p>C. Xftp </p><p>D. Xshell</p><h3 id="解题-5"><a href="#解题-5" class="headerlink" title="解题"></a>Solution</h3><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230426231858809.png" alt="image-20230426231858809"></p><h3 id="答案-5"><a href="#答案-5" class="headerlink" title="答案"></a>Answer</h3><p> The software installed on this system on 2019-07-13 is: <strong>A. Eraser</strong> </p>
<h2 id="7、找出该嫌疑人于2019-07-13-17-52-19时,使用WinRAR工具访问了-文件:()"><a href="#7、找出该嫌疑人于2019-07-13-17-52-19时,使用WinRAR工具访问了-文件:()" class="headerlink" title="7、找出该嫌疑人于2019-07-13 17:52:19时,使用WinRAR工具访问了_文件:()"></a>7. Find the file <strong>_</strong> that the suspect accessed with the WinRAR tool at 2019-07-13 17:52:19: ()</h2><p>A. navicat11.zip </p><p>B. we.tar.gz</p><p>C. test2-master.zip </p><p><strong>D. BitLocker.rar</strong></p><h3 id="解题-6"><a href="#解题-6" class="headerlink" title="解题"></a>Solution</h3><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230426232655865.png" alt="image-20230426232655865"></p><h3 id="答案-6"><a href="#答案-6" class="headerlink" title="答案"></a>Answer</h3><p> At 2019-07-13 17:52:19 the suspect used the WinRAR tool to access the file <strong>_</strong>: <strong>D. BitLocker.rar</strong></p>
<h2 id="8、系统于2019-07-13-17-53-45时运行了-程序:()"><a href="#8、系统于2019-07-13-17-53-45时运行了-程序:()" class="headerlink" title="8、系统于2019-07-13 17:53:45时运行了_程序:()"></a>8. At 2019-07-13 17:53:45 the system ran the program <em>_</em>: ()</h2><p>A. regedit.exe </p><p>B. WinRAR.exe</p><p>C. Xshell.exe </p><p><strong>D. Foxmail.exe</strong></p><h3 id="解题-7"><a href="#解题-7" class="headerlink" title="解题"></a>Solution</h3><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230426233057791.png" alt="image-20230426233057791"></p><h3 id="答案-7"><a href="#答案-7" class="headerlink" title="答案"></a>Answer</h3><p> At 2019-07-13 17:53:45 the system ran the program: <strong>D. Foxmail.exe</strong></p>
<h2 id="9、文件test2-master-zip是什么时间下载到本机的:()"><a href="#9、文件test2-master-zip是什么时间下载到本机的:()" class="headerlink" title="9、文件test2-master.zip是什么时间下载到本机的:()"></a>9. When was the file test2-master.zip downloaded to this machine: ()</h2><p>A. 2019-07-13 14:21:01 </p><p>B. 2019-07-13 17:22:01 </p><p>C. 2019-07-13 15:23:01 </p><p><strong>D. 2019-07-13 16:20:01</strong></p><h3 id="解题-8"><a href="#解题-8" class="headerlink" title="解题"></a>Solution</h3><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230426233943322.png" alt="image-20230426233943322"></p><h3 id="答案-8"><a href="#答案-8" class="headerlink" title="答案"></a>Answer</h3><p> The time the file test2-master.zip was downloaded to this machine: <strong>D. 2019-07-13 16:20:01</strong></p>
<h2 id="10、文件test2-master-zip是使用什么工具下载到本地的:()"><a href="#10、文件test2-master-zip是使用什么工具下载到本地的:()" class="headerlink" title="10、文件test2-master.zip是使用什么工具下载到本地的:()"></a>10. Which tool was used to download the file test2-master.zip: ()</h2><p><strong>A. Chrome</strong> </p><p>B. Internet Explorer</p><p>C. edge </p><p>D. 迅雷</p><h3 id="解题-9"><a href="#解题-9" class="headerlink" title="解题"></a>Solution</h3><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230426234036942.png" alt="image-20230426234036942"></p><h3 id="答案-9"><a href="#答案-9" class="headerlink" title="答案"></a>Answer</h3><p> The tool used to download the file test2-master.zip: <strong>A. Chrome</strong> </p>
<h2 id="11、嫌疑人成功连接至192-168-184-128服务器的时间为:()"><a href="#11、嫌疑人成功连接至192-168-184-128服务器的时间为:()" class="headerlink" title="11、嫌疑人成功连接至192.168.184.128服务器的时间为:()"></a>11. The time at which the suspect successfully connected to the server 192.168.184.128 is: ()</h2><p>A. 2019-07-13 16:21:28 </p><p><strong>B. 2019-07-13 16:21:31</strong></p><p>C. 2019-07-13 16:21:35 </p><p>D. 2019-07-13 16:21:25</p><h3 id="解题-10"><a href="#解题-10" class="headerlink" title="解题"></a>Solution</h3><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230426234307780.png" alt="image-20230426234307780"></p><h3 id="答案-10"><a href="#答案-10" class="headerlink" title="答案"></a>Answer</h3><p> The time at which the suspect successfully connected to the server 192.168.184.128 is: <strong>B. 2019-07-13 16:21:31</strong></p>
<h2 id="12、嫌疑人通过远程连接到128服务器,下载了什么文件到本机:()"><a href="#12、嫌疑人通过远程连接到128服务器,下载了什么文件到本机:()" class="headerlink" title="12、嫌疑人通过远程连接到128服务器,下载了什么文件到本机:()"></a>12. Which file did the suspect download to this machine via the remote connection to the .128 server: ()</h2><p>A. web.tar.gz </p><p><strong>B. we.tar.gz</strong></p><p>C. home.tar.gz </p><p>D. wwwroot.tar.gz</p><h3 id="解题-11"><a href="#解题-11" class="headerlink" title="解题"></a>Solution</h3><p> For this question I used a brute-force keyword search and found that only B could be retrieved; later I also found this file in the encrypted drive of the emulated system</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230427164307108.png" alt="image-20230427164307108"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230427164334370.png" alt="image-20230427164334370"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230427164422541.png" alt="image-20230427164422541"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230427164453014.png" alt="image-20230427164453014"></p><h3 id="答案-11"><a href="#答案-11" class="headerlink" title="答案"></a>Answer</h3><p> The file the suspect downloaded to this machine via the remote connection to the .128 server: <strong>B. we.tar.gz</strong></p>
<h2 id="13、承接上一题,下载该文件用了多长时间:()"><a href="#13、承接上一题,下载该文件用了多长时间:()" class="headerlink" title="13、承接上一题,下载该文件用了多长时间:()"></a>13. Following on from the previous question, how long did downloading that file take: ()</h2><p>A. 10 seconds </p><p>B. 20 seconds</p><p><strong>C. 15 seconds</strong> </p><p>D. 25 seconds</p><h3 id="解题-12"><a href="#解题-12" class="headerlink" title="解题"></a>Solution</h3><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230427165100223.png" alt="image-20230427165100223"></p><h3 id="答案-12"><a href="#答案-12" class="headerlink" title="答案"></a>Answer</h3><p> Downloading that file took: <strong>C. 15 seconds</strong> </p>
<h2 id="14、该镜像“Personal-Computer-E01”中存在几个手机备份:()"><a href="#14、该镜像“Personal-Computer-E01”中存在几个手机备份:()" class="headerlink" title="14、该镜像“Personal Computer.E01”中存在几个手机备份:()"></a>14. How many phone backups exist in the image “Personal Computer.E01”: ()</h2><p>A. 4</p><p>B. 3</p><p>C. 2</p><p><strong>D. 1</strong></p><h3 id="解题-13"><a href="#解题-13" class="headerlink" title="解题"></a>Solution</h3><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230426234636326.png" alt="image-20230426234636326"></p><h3 id="答案-13"><a href="#答案-13" class="headerlink" title="答案"></a>Answer</h3><p> Number of phone backups in the image “Personal Computer.E01”: <strong>D. 1</strong></p><h3 id="手机备份提取"><a href="#手机备份提取" class="headerlink" title="手机备份提取"></a>Extracting the phone backup</h3><p>Use 取证大师 to locate the software and find the file's path</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230427085105352.png" alt="image-20230427085105352"></p><p>Then export it with FTK (if you ask why not export it with 取证大师: I want to analyze the phone image with 盘古石 mobile forensics software, and files exported with 取证大师 or with 盘古石 computer forensics software do not work for that)</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230427085316360.png" alt="image-20230427085316360"></p><p>Import the exported iTunes backup into 盘古石 mobile forensics software; the backup turns out to be encrypted. On the desktop of the emulated system we find a string of characters; entering it as the password decrypts the backup successfully (<strong>question 15 gives a hint: for the backup password, note the desktop-related records in “Personal Computer.E01”</strong>).</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230427091025850.png" alt="image-20230427091025850"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230427091050078.png" alt="image-20230427091050078"></p><p>Open the case</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230427091216324.png" alt="image-20230427091216324"></p>
<h2 id="15、请分析并提取手机备份文件(备份密码请注意“Personal-Computer-E01”桌面相关记录),嫌疑人所用的手机的IMEI号码:()"><a href="#15、请分析并提取手机备份文件(备份密码请注意“Personal-Computer-E01”桌面相关记录),嫌疑人所用的手机的IMEI号码:()" class="headerlink" title="15、请分析并提取手机备份文件(备份密码请注意“Personal Computer.E01”桌面相关记录),嫌疑人所用的手机的IMEI号码:()"></a>15. Analyze and extract the phone backup file (for the backup password, note the desktop-related records in “Personal Computer.E01”); the IMEI number of the phone used by the suspect is: ()</h2><p>A. 352021062748965 </p><p>B. 352021062748966</p><p><strong>C. 352021062748967</strong> </p><p>D. 352021062748968</p><h3 id="解题-14"><a href="#解题-14" class="headerlink" title="解题"></a>Solution</h3><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230427091253373.png" alt="image-20230427091253373"></p><h3 id="答案-14"><a href="#答案-14" class="headerlink" title="答案"></a>Answer</h3><p> The IMEI number of the phone used by the suspect: <strong>C. 352021062748967</strong></p>
<h2 id="16、嫌疑人是通过何种方式首次联系到售卖恶意程序的卖家的:()"><a href="#16、嫌疑人是通过何种方式首次联系到售卖恶意程序的卖家的:()" class="headerlink" title="16、嫌疑人是通过何种方式首次联系到售卖恶意程序的卖家的:()"></a>16. How did the suspect first contact the seller of the malicious program: ()</h2><p>A. WeChat </p><p><strong>B. QQ</strong></p><p>C. SMS </p><p>D. Email</p><h3 id="解题-15"><a href="#解题-15" class="headerlink" title="解题"></a>Solution</h3><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230427092014804.png" alt="image-20230427092014804"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230427092044681.png" alt="image-20230427092044681"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230427092106882.png" alt="image-20230427092106882"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230427092153195.png" alt="image-20230427092153195"></p><h3 id="答案-15"><a href="#答案-15" class="headerlink" title="答案"></a>Answer</h3><p> The suspect first contacted the seller of the malicious program via <strong>B.QQ</strong></p>
<h2 id="17、嫌疑人和卖家的资金来往是通过何种方式:()"><a href="#17、嫌疑人和卖家的资金来往是通过何种方式:()" class="headerlink" title="17、嫌疑人和卖家的资金来往是通过何种方式:()"></a>17. How were funds exchanged between the suspect and the seller: ()</h2><p><strong>A. WeChat</strong> </p><p>B. QQ</p><p>C. Bank transfer </p><p>D. Alipay</p><h3 id="解题-16"><a href="#解题-16" class="headerlink" title="解题"></a>Solution</h3><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230427092251564.png" alt="image-20230427092251564"></p><h3 id="答案-16"><a href="#答案-16" class="headerlink" title="答案"></a>Answer</h3><p> Funds between the suspect and the seller were exchanged via <strong>A. WeChat</strong>.</p>
<h2 id="18、嫌疑人在犯罪过程中所使用的QQ账号为:()"><a href="#18、嫌疑人在犯罪过程中所使用的QQ账号为:()" class="headerlink" title="18、嫌疑人在犯罪过程中所使用的QQ账号为:()"></a>18. The QQ account used by the suspect during the crime is: ()</h2><p><strong>A. 1649840939</strong> </p><p>B. 1137588348</p><p>C. 364505251 </p><p>D. 1722629449</p><h3 id="解题-17"><a href="#解题-17" class="headerlink" title="解题"></a>Solution</h3><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230427092412009.png" alt="image-20230427092412009"></p><h3 id="答案-17"><a href="#答案-17" class="headerlink" title="答案"></a>Answer</h3><p> The QQ account used by the suspect during the crime is: <strong>A. 1649840939 </strong></p>
<h2 id="19、卖家所使用的微信账号ID为"><a href="#19、卖家所使用的微信账号ID为" class="headerlink" title="19、卖家所使用的微信账号ID为:()"></a>19. The WeChat account ID used by the seller is: ()</h2><p>A. refrain_C </p><p>B. flame_guan</p><p><strong>C. chao636787</strong> </p><p>D. sword19880521</p><h3 id="解题-18"><a href="#解题-18" class="headerlink" title="解题"></a>Solution</h3><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230427092546715.png" alt="image-20230427092546715"></p><h3 id="答案-18"><a href="#答案-18" class="headerlink" title="答案"></a>Answer</h3><p> The WeChat account ID used by the seller: <strong>C. chao636787</strong> </p>
<h2 id="20、嫌疑人电脑中存在Bitlocker容器(恢复秘钥通过其他方式获得:494208-639155-079684-230648-428923-176902-004312-663696),嫌疑人下载了几个恶意程序到本机“Personal-Computer-E01”加密容器中:()"><a href="#20、嫌疑人电脑中存在Bitlocker容器(恢复秘钥通过其他方式获得:494208-639155-079684-230648-428923-176902-004312-663696),嫌疑人下载了几个恶意程序到本机“Personal-Computer-E01”加密容器中:()" class="headerlink" title="20、嫌疑人电脑中存在Bitlocker容器(恢复秘钥通过其他方式获得:494208-639155-079684-230648-428923-176902-004312-663696),嫌疑人下载了几个恶意程序到本机“Personal Computer.E01”加密容器中:()"></a>20. The suspect's computer contains a BitLocker container (recovery key obtained by other means: 494208-639155-079684-230648-428923-176902-004312-663696); how many malicious programs did the suspect download into the encrypted container on the local machine “Personal Computer.E01”: ()</h2><p>A. 1 </p><p>B. 2</p><p><strong>C. 3</strong> </p><p>D. 4</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230427152959091.png" alt="image-20230427152959091"></p><h3 id="答案-19"><a href="#答案-19" class="headerlink" title="答案"></a>Answer</h3><p> Number of malicious programs the suspect downloaded into the encrypted container on the local machine “Personal Computer.E01”: <strong>C. 3</strong> </p>
<h2 id="21、嫌疑人是什么时间开始对受害者实施诈骗的:()"><a href="#21、嫌疑人是什么时间开始对受害者实施诈骗的:()" class="headerlink" title="21、嫌疑人是什么时间开始对受害者实施诈骗的:()"></a>21. When did the suspect start defrauding the victim: ()</h2><p>A. 2019-07-13 19:14:44 </p><p>B. 2019-07-13 19:24:44</p><p><strong>C. 2019-07-13 19:04:44</strong> </p><p>D. 2019-07-13 19:44:44</p><h3 id="解题-19"><a href="#解题-19" class="headerlink" title="解题"></a>Solution</h3><p> This one cannot be screenshotted; use 盘古石 mobile forensics software to view the SMS messages, the first one is it</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230427170607576.png" alt="image-20230427170607576"></p><h3 id="答案-20"><a href="#答案-20" class="headerlink" title="答案"></a>Answer</h3><p> The time the suspect started defrauding the victim: <strong>C. 2019-07-13 19:04:44</strong> </p>
<h2 id="22、请综合分析,嫌疑人入侵服务所使用的登陆方式为:()"><a href="#22、请综合分析,嫌疑人入侵服务所使用的登陆方式为:()" class="headerlink" title="22、请综合分析,嫌疑人入侵服务所使用的登陆方式为:()"></a>22. Based on overall analysis, the login method the suspect used to intrude into the server was: ()</h2><p>A. SSH password login </p><p><strong>B. SSH key login</strong></p><p>C. Connecting to a backdoor program </p><p>D. FTP login </p><h3 id="解题-20"><a href="#解题-20" class="headerlink" title="解题"></a>Solution</h3><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230427162800561.png" alt="image-20230427162800561"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230427170831053.png" alt="image-20230427170831053"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230427171146488.png" alt="image-20230427171146488"></p><h3 id="答案-21"><a href="#答案-21" class="headerlink" title="答案"></a>Answer</h3><p> Based on overall analysis, the login method the suspect used to intrude into the server was: <strong>B. SSH key login</strong></p>
<h2 id="23、通过手机微信记录分析,涉案邮件收件人为:()"><a href="#23、通过手机微信记录分析,涉案邮件收件人为:()" class="headerlink" title="23、通过手机微信记录分析,涉案邮件收件人为:()"></a>23. From the analysis of the phone's WeChat records, the recipient of the email involved in the case is: ()</h2><p>A. [email protected] </p><p><strong>B. [email protected]</strong> </p><p>C. [email protected] </p><p>D. <a href="mailto:[email protected]">[email protected]</a></p><h3 id="解题-21"><a href="#解题-21" class="headerlink" title="解题"></a>Solution</h3><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230427093640529.png" alt="image-20230427093640529"></p><h3 id="答案-22"><a href="#答案-22" class="headerlink" title="答案"></a>Answer</h3><p> From the analysis of the phone's WeChat records, the recipient of the email involved in the case is: <strong>B. [email protected]</strong> </p>
<h2 id="24、压缩包test2-master-zip中的文件是什么?()"><a href="#24、压缩包test2-master-zip中的文件是什么?()" class="headerlink" title="24、压缩包test2-master.zip中的文件是什么?()"></a>24. What is the file inside the archive test2-master.zip? ()</h2><p>A. Malware</p><p>B. Encryption program</p><p><strong>C. Key file</strong></p><p>D. Download software</p><h3 id="解题-22"><a href="#解题-22" class="headerlink" title="解题"></a>Solution</h3><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230427153654743.png" alt="image-20230427153654743"></p><h3 id="答案-23"><a href="#答案-23" class="headerlink" title="答案"></a>Answer</h3><p> The file inside the archive test2-master.zip is <strong>C. Key file</strong></p>
<h2 id="25、文件runit-txt从哪个域名下载的?(D)"><a href="#25、文件runit-txt从哪个域名下载的?(D)" class="headerlink" title="25、文件runit.txt从哪个域名下载的?(D)"></a>25. From which domain was the file runit.txt downloaded? (D)</h2><p>A.<a href="https://pan.forensix.cn/lib/367d7f96-299f-4029-91a8-a31594b736cf/runit">https://pan.forensix.cn/lib/367d7f96-299f-4029-91a8-a31594b736cf/runit</a></p><p>B.<a href="https://pan.baidu.com/s/19uDE7H2RtEf7LLBgs5sDmg?errno=0&errmsg=Auth">https://pan.baidu.com/s/19uDE7H2RtEf7LLBgs5sDmg?errno=0&errmsg=Auth</a> Login Sucess&&bduss=&ssnerror=0&traceid=</p><p>C.<a href="https://pan.forensix.cn/seafhttp/files/dec88b97-b2bc-414f-93a3-dcbbc15d615/runit">https://pan.forensix.cn/seafhttp/files/dec88b97-b2bc-414f-93a3-dcbbc15d615/runit</a></p><p><strong>D.<a href="https://pan.forensix.cn/seafhttp/files/8fdf1982-e323-4efe-ae28-2bba21b5162c/runit">https://pan.forensix.cn/seafhttp/files/8fdf1982-e323-4efe-ae28-2bba21b5162c/runit</a></strong></p><h3 id="解题-23"><a href="#解题-23" class="headerlink" title="解题"></a>Solution</h3><p> Search for <strong>runit.txt</strong> in 取证大师; the file was downloaded with the IE browser</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230427154736650.png" alt="image-20230427154736650"></p><p>Boot the emulated system, locate this file and copy the link</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230427154532097.png" alt="image-20230427154532097"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230427154852113.png" alt="image-20230427154852113"></p><h3 id="答案-24"><a href="#答案-24" class="headerlink" title="答案"></a>Answer</h3><p> The domain from which the file runit.txt was downloaded: <strong>D.<a href="https://pan.forensix.cn/seafhttp/files/8fdf1982-e323-4efe-ae28-2bba21b5162c/runit">https://pan.forensix.cn/seafhttp/files/8fdf1982-e323-4efe-ae28-2bba21b5162c/runit</a></strong></p>
<h2 id="26、嫌疑人在什么时间登陆PC端网页微信?()"><a href="#26、嫌疑人在什么时间登陆PC端网页微信?()" class="headerlink" title="26、嫌疑人在什么时间登陆PC端网页微信?()"></a>26. When did the suspect log in to WeChat Web on the PC? ()</h2><p><strong>A. 2019-07-13 16:34:55</strong></p><p>B. 2019-07-13 16:40:13</p><p>C. 2019-07-13 16:45:45</p><p>D. 2019-07-13 16:53:45</p><h3 id="解题-24"><a href="#解题-24" class="headerlink" title="解题"></a>Solution</h3><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230427165947238.png" alt="image-20230427165947238"></p><h3 id="答案-25"><a href="#答案-25" class="headerlink" title="答案"></a>Answer</h3><p> The time the suspect logged in to WeChat Web on the PC: <strong>A. 2019-07-13 16:34:55</strong></p>
<h2 id="27、嫌疑人于2019-07-13-17-22-23下载了什么文件?()"><a href="#27、嫌疑人于2019-07-13-17-22-23下载了什么文件?()" class="headerlink" title="27、嫌疑人于2019-07-13 17:22:23下载了什么文件?()"></a>27. What file did the suspect download at 2019-07-13 17:22:23? ()</h2><p>A. Website directory archive</p><p>B. Database backup file</p><p>C. Website log file</p><p>D. Database log file</p><p>I couldn't solve this one</p><p>I read an expert's writeup; he used 火眼, which I don't have, and it can't be seen in 取证大师</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230427235223252.png" alt="image-20230427235223252"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230428000633737.png" alt="image-20230428000633737"></p>
<h2 id="28、硬盘C盘根目录中,文件pagefile-sys-vhd的作用是什么?()"><a href="#28、硬盘C盘根目录中,文件pagefile-sys-vhd的作用是什么?()" class="headerlink" title="28、硬盘C盘根目录中,文件pagefile.sys.vhd的作用是什么?()"></a>28. In the root directory of the C: drive, what is the purpose of the file pagefile.sys.vhd? ()</h2><p>A. pagefile page-swap file</p><p>B. Virtual machine boot file</p><p>C. System configuration file</p><p><strong>D. Virtual disk</strong></p><h3 id="解题-25"><a href="#解题-25" class="headerlink" title="解题"></a>Solution</h3><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230427160234625.png" alt="image-20230427160234625"></p><h3 id="答案-26"><a href="#答案-26" class="headerlink" title="答案"></a>Answer</h3><p> In the root directory of the C: drive, the purpose of the file pagefile.sys.vhd is <strong>D. Virtual disk</strong></p>
<h2 id="29、“Personal-Computer-E01”中虚拟机的密码为()"><a href="#29、“Personal-Computer-E01”中虚拟机的密码为()" class="headerlink" title="29、“Personal Computer.E01”中虚拟机的密码为()"></a>29. The password of the virtual machine in “Personal Computer.E01” is ()</h2><p><strong>A. admin888</strong></p><p>B. honglian123</p><p>C. root</p><p>D. 123456</p><h3 id="解题-26"><a href="#解题-26" class="headerlink" title="解题"></a>Solution</h3><p> In the virtual machine folder there is a document named <strong>网站用法.txt</strong>; opening it reveals the virtual machine account and password, and logging in with them succeeded</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230427161241146.png" alt="image-20230427161241146"></p><h3 id="答案-27"><a href="#答案-27" class="headerlink" title="答案"></a>Answer</h3><p> The password of the virtual machine in “Personal Computer.E01” is: <strong>A. admin888</strong></p>
<h2 id="30、“Personal-Computer-E01”中名为“2019bw”的虚拟机,该虚拟机操作系统内核版本是()"><a href="#30、“Personal-Computer-E01”中名为“2019bw”的虚拟机,该虚拟机操作系统内核版本是()" class="headerlink" title="30、“Personal Computer.E01”中名为“2019bw”的虚拟机,该虚拟机操作系统内核版本是()"></a>30. For the virtual machine named “2019bw” in “Personal Computer.E01”, the kernel version of its operating system is ()</h2><p>A. Ubuntu 16.04.3 LTS </p><p>B. KERNEL_VERSION 4.4.1-87</p><p>C. Ubuntu 16.04.4 LTS</p><p><strong>D. KERNEL_VERSION 4.4.0-87</strong></p><h3 id="解题-27"><a href="#解题-27" class="headerlink" title="解题"></a>Solution</h3><p> After entering the virtual machine, use a Linux command to check the kernel of this virtual machine's operating system</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">uname -r</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230427161553333.png" alt="image-20230427161553333"></p><h3 id="答案-28"><a href="#答案-28" class="headerlink" title="答案"></a>Answer</h3><p> For the virtual machine named “2019bw” in “Personal Computer.E01”, the kernel version of its operating system is: <strong>D. KERNEL_VERSION 4.4.0-87</strong></p>]]></content>
<summary type="html">🥧This post is the writeup (WP) for a certain competition.</summary>
<category term="比武" scheme="https://blog.r1ng13.top/categories/%E6%AF%94%E6%AD%A6/"/>
<category term="电子取证" scheme="https://blog.r1ng13.top/categories/%E6%AF%94%E6%AD%A6/%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81/"/>
<category term="电子取证" scheme="https://blog.r1ng13.top/tags/%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81/"/>
<category term="比武" scheme="https://blog.r1ng13.top/tags/%E6%AF%94%E6%AD%A6/"/>
</entry>
<entry>
<title>QiAnXin Pangu Cup Pre-Competition Forensics Sample Questions----WP</title>
<link href="https://blog.r1ng13.top/posts/3d70b0ce.html"/>
<id>https://blog.r1ng13.top/posts/3d70b0ce.html</id>
<published>2023-04-22T02:19:03.000Z</published>
<updated>2023-04-22T14:00:00.000Z</updated>
<content type="html"><![CDATA[<p><strong>每道题5分,共计200分</strong></p><h1 id="一、请检查窝点中的手机检材,回答以下问题"><a href="#一、请检查窝点中的手机检材,回答以下问题" class="headerlink" title="一、请检查窝点中的手机检材,回答以下问题"></a>一、请检查窝点中的手机检材,回答以下问题</h1><h2 id="1-该OPPO手机的IMEI是:"><a href="#1-该OPPO手机的IMEI是:" class="headerlink" title="1.该OPPO手机的IMEI是:"></a>1.该OPPO手机的IMEI是:</h2><p>A. 860370043989014,860370049389006</p><p>B. 860370049389014,860370049389006</p><p>C. 860370049389014,860370043989006</p><p>D. 860370049839014,860370049839006</p><h3 id="解题"><a href="#解题" class="headerlink" title="解题"></a>解题</h3><p> <strong>思路:</strong>打开盘古手机取证软件导入进行分析可知该OPPO手机的IMEI是<strong>860370049389014,860370049389006</strong></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230421212907486.png" alt="image-20230421212907486"></p><h3 id="答案"><a href="#答案" class="headerlink" title="答案"></a>答案</h3><p> 该OPPO手机的IMEI是<strong>B. 860370049389014,860370049389006</strong></p><h2 id="2-该涉案人所使用的的微信ID和关联的手机号是:"><a href="#2-该涉案人所使用的的微信ID和关联的手机号是:" class="headerlink" title="2.该涉案人所使用的的微信ID和关联的手机号是:"></a>2.该涉案人所使用的的微信ID和关联的手机号是:</h2><p>A. wxid_rn6kc87f1mb354 16521330311</p><p>B. wxid_rn5mjxpw1mb922 17721103461</p><p>C. wxid_wi8nf67f1lmd54 15528880561</p><p>D. wxid_kshn457f1lm123 15847880501</p><h3 id="解题-1"><a href="#解题-1" class="headerlink" title="解题"></a>解题</h3><p> <strong>思路:</strong>打开盘古手机取证软件里的<strong>微信</strong>》<strong>账号信息</strong>发现目标</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230421213159265.png" alt="image-20230421213159265"></p><h3 id="答案-1"><a href="#答案-1" class="headerlink" title="答案"></a>答案</h3><p> 该涉案人所使用的的微信ID和关联的手机号是<strong>B. wxid_rn5mjxpw1mb922 17721103461</strong></p><h2 id="3-涉案团伙的最后线下犯罪窝点地址是:"><a href="#3-涉案团伙的最后线下犯罪窝点地址是:" class="headerlink" title="3.涉案团伙的最后线下犯罪窝点地址是:"></a>3.涉案团伙的最后线下犯罪窝点地址是:</h2><p>A. 闵行区古美西路86弄44号</p><p>B. 田林路1036号科技绿洲三期16号楼101室</p><p>C. 上海市合川路科技绿洲3期5-3号楼</p><p>D. 
闵行区合川路2555号</p><h3 id="解题-2"><a href="#解题-2" class="headerlink" title="解题"></a>解题</h3><p> <strong>思路:</strong>打开Skype这个软件的群聊记录发现目标(起初,我的思路是查看微信消息,但是在微信看到去Skype聊天)</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230421214325789.png" alt="image-20230421214325789"></p><h3 id="答案-2"><a href="#答案-2" class="headerlink" title="答案"></a>答案</h3><p> 涉案团伙的最后线下犯罪窝点地址是<strong>D. 闵行区合川路2555号</strong></p><h2 id="4-犯罪团伙所用的诈骗应用apk的sha256值是"><a href="#4-犯罪团伙所用的诈骗应用apk的sha256值是" class="headerlink" title="4.犯罪团伙所用的诈骗应用apk的sha256值是"></a>4.犯罪团伙所用的诈骗应用apk的sha256值是</h2><p>A. 71064939606EE601F2F5A888C75F3949CB82A8DF472D15D77EE2A3DF663FC8E9</p><p>B. DC0909D078AC1B692836BB0526E52633DDE49D1286631FA0EF9C744925DF545E</p><p>C. F67F61057828F57EA663CEBEDD638EE9A4BAF36F69DA7E002CBA54C9F8EAAF85</p><p>D. 96B1258E64DA18C323DE8ECE0F89D88B0F0B99F459F209B514F7F500D72B7D1B</p><h3 id="解题-3"><a href="#解题-3" class="headerlink" title="解题"></a>解题</h3><p> <strong>思路:</strong>在Skype发现聊天记录里发现<strong>诈骗应用apk</strong>,点击定位软件,但是不是apk文件</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230421220335880.png" alt="image-20230421220335880"></p><p> 接着我又在download文件夹下的WeiXin里发现了这个文件,我将文件导出,使用Windows自带的SHA256计算</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230421220259219.png" alt="image-20230421220259219"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230421220757119.png" alt="image-20230421220757119"></p><h3 id="答案-3"><a href="#答案-3" class="headerlink" title="答案"></a>答案</h3><p> 犯罪团伙所用的诈骗应用apk的sha256值是<strong>C. F67F61057828F57EA663CEBEDD638EE9A4BAF36F69DA7E002CBA54C9F8EAAF85</strong></p><h2 id="5-该涉案人手机在3月7日除了上海还可能去过哪个城市?"><a href="#5-该涉案人手机在3月7日除了上海还可能去过哪个城市?" class="headerlink" title="5.该涉案人手机在3月7日除了上海还可能去过哪个城市?"></a>5.该涉案人手机在3月7日除了上海还可能去过哪个城市?</h2><p>A. 长春</p><p>B. 成都</p><p>C. 武汉</p><p>D. 
北京 </p><h3 id="解题-4"><a href="#解题-4" class="headerlink" title="解题"></a>解题</h3><p> <strong>思路:</strong>打开盘古手机取证软件,找到<strong>位置信息</strong>》<strong>位置聚合</strong>,发现在3月7号这个人还去过<strong>长春</strong></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230421221134885.png" alt="image-20230421221134885"></p><h3 id="答案-4"><a href="#答案-4" class="headerlink" title="答案"></a>答案</h3><p> 该涉案人手机在3月7日除了上海还可能去过<strong>A. 长春</strong></p><h2 id="6-该涉案人可能用的输入法是和版本号:"><a href="#6-该涉案人可能用的输入法是和版本号:" class="headerlink" title="6.该涉案人可能用的输入法是和版本号:"></a>6.该涉案人可能用的输入法是和版本号:</h2><p>A. 10.9.4</p><p>B. 8.32.22.2010171749</p><p>C. 10.94</p><p>D. 8.32.22.201071749</p><h3 id="解题-5"><a href="#解题-5" class="headerlink" title="解题"></a>解题</h3><p> <strong>思路:</strong>打开盘古手机取证软件,查看<strong>应用列表</strong>》搜索<strong>输入</strong>》发现存在搜狗输入法,查看版本号为:</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230421221836607.png" alt="image-20230421221836607"></p><h3 id="答案-5"><a href="#答案-5" class="headerlink" title="答案"></a>答案</h3><p> 该涉案人可能用的输入法是和版本号:<strong>B. 8.32.22.2010171749</strong></p><h2 id="7-该输入法没有哪项权限:"><a href="#7-该输入法没有哪项权限:" class="headerlink" title="7.该输入法没有哪项权限:"></a>7.该输入法没有哪项权限:</h2><p>A. 照相</p><p>B. 连接网络</p><p>C. 修改型号</p><p>D. 
Read files</p><h3 id="解题-6"><a href="#解题-6" class="headerlink" title="Solution"></a>Solution</h3><p><strong>Approach:</strong> Open the application list in the Pangu mobile forensics tool, search for the input method and view the permissions declared by Sogou Input:</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230421231220181.png" alt="image-20230421231220181"></p><p>Copied out, the permission list is (the options from the question are marked in comments; the last entry is cut off in the copied list):</p><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">android.permission.SYSTEM_ALERT_WINDOW</span><br><span class="line">android.permission.VIBRATE</span><br><span class="line">android.permission.READ_CONTACTS</span><br><span class="line">android.permission.WRITE_SETTINGS</span><br><span class="line">android.permission.INTERNET                 // connect to the network (B)</span><br><span class="line">android.permission.ACCESS_NETWORK_STATE</span><br><span class="line">android.permission.READ_PHONE_STATE</span><br><span class="line">android.permission.WAKE_LOCK</span><br><span class="line">android.permission.WRITE_EXTERNAL_STORAGE</span><br><span class="line">android.permission.ACCESS_WIFI_STATE</span><br><span class="line">android.permission.CHANGE_WIFI_STATE</span><br><span class="line">android.permission.RECORD_AUDIO</span><br><span class="line">android.permission.CAMERA                   // take photos (A)</span><br><span class="line">android.permission.FLASHLIGHT</span><br><span class="line">android.permission.ACCESS_COARSE_LOCATION</span><br><span class="line">android.permission.ACCESS_FINE_LOCATION</span><br><span class="line">android.permission.READ_LOGS</span><br><span class="line">com.android.launcher.permission.INSTALL_SHORTCUT</span><br><span class="line">com.android.launcher.permission.UNINSTALL_SHORTCUT</span><br><span class="line">android.permission.CLEAR_APP_CACHE</span><br><span class="line">sogou.mobile.explorer.permission.ACTIVATION</span><br><span class="line">android.permission.EXPAND_STATUS_BAR</span><br><span class="line">android.permission.GET_ACCOUNTS</span><br><span class="line">android.permission.MANAGE_ACCOUNTS</span><br><span class="line">com.huawei.hwid.permission.ACCESS</span><br><span class="line">com.huawei.hwid.permission.CONTENT_PROVIDER</span><br><span class="line">com.xiaomi.permission.AUTH_SERVICE</span><br><span class="line">android.permission.REQUEST_INSTALL_PACKAGES</span><br><span class="line">android.permission.FOREGROUND_SERVICE</span><br><span class="line">android.permission.WRITE_APN_SETTINGS</span><br><span class="line">com.oppo.permission.safe.SAU</span><br><span class="line">oppo.permission.settings.INPUT_VIBRATE_FEEDBACK</span><br><span class="line">android.permission.DOWNLOAD_WITHOUT_NOTIFICATION</span><br><span class="line">android.permission.READ_EXTERNAL_STORAGE    // read files (D)</span><br><span class="line">android.permission.USE_CREDENTIALS</span><br><span class="line">nubia.permission.nbservice</span><br><span class="line">android.permission.AUTHENTICATE_ACCOUNTS</span><br><span class="line">nubia.permission.nbaccountservice</span><br><span class="line">android.permission.CHANGE_NETWORK_          // network state (B); name cut off in the copied list</span><br></pre></td></tr></table></figure><p>From a security standpoint the breadth of this list is worth noting: an input method already sees every keystroke typed on the device, and this one additionally holds CAMERA, RECORD_AUDIO, READ_CONTACTS, fine location, READ_LOGS and REQUEST_INSTALL_PACKAGES.</p><p>Compared against the <strong>Android permission reference</strong> (translated below, with the numbering made consecutive):</p><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">1. android.permission.WRITE_USER_DICTIONARY: allows the app to write new words into the user dictionary</span><br><span class="line">2. android.permission.WRITE_SYNC_SETTINGS: write Google online sync settings</span><br><span class="line">3. android.permission.WRITE_SOCIAL_STREAM: write to the user's social stream</span><br><span class="line">4. android.permission.WRITE_SMS: allows the app to write SMS messages</span><br><span class="line">5. android.permission.WRITE_SETTINGS: allows the app to read or write system settings</span><br><span class="line">6. android.permission.WRITE_SECURE_SETTINGS: allows the app to read or write secure system settings</span><br><span class="line">7. android.permission.WRITE_PROFILE: allows the app to write the user's profile data</span><br><span class="line">8. com.android.browser.permission.WRITE_HISTORY_BOOKMARKS: allows an app to write (but not read) the user's browsing history and bookmarks</span><br><span class="line">9. android.permission.WRITE_GSERVICES: allows the app to modify the Google services map</span><br><span class="line">10. android.permission.WRITE_EXTERNAL_STORAGE: allows the app to write to external storage, e.g. files on the SD card</span><br><span class="line">11. android.permission.WRITE_CONTACTS: write contacts, but not read them</span><br><span class="line">12. android.permission.WRITE_CALL_LOG: allows the app to write (but not read) the user's call log</span><br><span class="line">13. android.permission.WRITE_CALENDAR: allows the app to write calendar events, but not read them</span><br><span class="line">14. android.permission.WRITE_APN_SETTINGS: allows the app to write the network (GPRS) access point settings</span><br><span class="line">15. android.permission.WAKE_LOCK: allows the app to keep running in the background after the screen is turned off</span><br><span class="line">16. android.permission.VIBRATE: allows the app to control the vibrator</span><br><span class="line">17. android.permission.USE_SIP: allows the app to use the SIP service</span><br><span class="line">18. android.permission.USE_CREDENTIALS: allows the app to request authentication tokens from AccountManager</span><br><span class="line">19. android.permission.UPDATE_DEVICE_STATS: allows the app to update device statistics</span><br><span class="line">20. com.android.launcher.permission.UNINSTALL_SHORTCUT: remove shortcuts</span><br><span class="line">21. android.permission.TRANSMIT_IR: allows use of the device's infrared transmitter, if available</span><br><span class="line">22. android.permission.SYSTEM_ALERT_WINDOW: allows the app to display system-level (overlay) windows</span><br><span class="line">23. android.permission.SUBSCRIBED_FEEDS_WRITE: allows the app to write or modify the subscribed feeds database</span><br><span class="line">24. android.permission.SUBSCRIBED_FEEDS_READ: allows the app to access the subscribed feeds database</span><br><span class="line">25. android.permission.STATUS_BAR: allows the app to open, close or disable the status bar</span><br><span class="line">26. android.permission.SIGNAL_PERSISTENT_PROCESSES: allows the app to send a signal to all persistent processes</span><br><span class="line">27. android.permission.SET_WALLPAPER_HINTS: allows the app to set wallpaper hints</span><br><span class="line">28. android.permission.SET_WALLPAPER: allows the app to set the wallpaper</span><br><span class="line">29. android.permission.SET_TIME_ZONE: allows the app to set the system time zone</span><br><span class="line">30. android.permission.SET_TIME: allows the app to set the system time</span><br><span class="line">31. android.permission.SET_PROCESS_LIMIT: allows the app to set the maximum number of running processes</span><br><span class="line">32. android.permission.SET_PREFERRED_APPLICATIONS: allows the app to set preferred applications; no longer functional, see addPackageToPreferred(String)</span><br><span class="line">33. android.permission.SET_POINTER_SPEED: system permission, not available to third-party apps</span><br><span class="line">34. android.permission.SET_ORIENTATION: allows the app to set the screen orientation (landscape or portrait); not for normal apps</span><br><span class="line">35. android.permission.SET_DEBUG_APP: allows the app to configure an app for debugging; generally used in development</span><br><span class="line">36. android.permission.SET_ANIMATION_SCALE: allows the app to set the global animation scale</span><br><span class="line">37. android.permission.SET_ALWAYS_FINISH: allows the app to control whether activities are always finished when sent to the background</span><br><span class="line">38. com.android.alarm.permission.SET_ALARM: allows the app to set an alarm</span><br><span class="line">39. android.permission.SET_ACTIVITY_WATCHER: allows the app to set an Activity watcher; generally used for monkey testing</span><br><span class="line">40. android.permission.SEND_SMS: allows the app to send SMS messages</span><br><span class="line">41. android.permission.SEND_RESPOND_VIA_MESSAGE: allows the user to reply to an incoming call with an instant text message from your app</span><br><span class="line">42. android.permission.RESTART_PACKAGES: allows the app to end tasks via restartPackage(String); this will be removed in the future</span><br><span class="line">43. android.permission.REORDER_TASKS: allows the app to change the Z-order of running tasks</span><br><span class="line">44. android.permission.RECORD_AUDIO: allows the app to record audio via the phone or headset microphone</span><br><span class="line">45. android.permission.RECEIVE_WAP_PUSH: allows the app to receive WAP PUSH messages</span><br><span class="line">46. android.permission.RECEIVE_SMS: allows the app to receive SMS messages</span><br><span class="line">47. android.permission.RECEIVE_MMS: allows the app to receive MMS messages</span><br><span class="line">48. android.permission.RECEIVE_BOOT_COMPLETED: allows the app to start automatically after boot</span><br><span class="line">49. android.permission.REBOOT: allows the app to reboot the device</span><br><span class="line">50. android.permission.READ_USER_DICTIONARY: allows the app to read the user dictionary</span><br><span class="line">51. android.permission.READ_SYNC_STATS: allows the app to read sync statistics (Google online sync status)</span><br><span class="line">52. android.permission.READ_SYNC_SETTINGS: allows the app to read sync settings (Google online sync settings)</span><br><span class="line">53. android.permission.READ_SOCIAL_STREAM: read the user's social stream</span><br><span class="line">54. android.permission.READ_SMS: allows the app to read SMS messages</span><br><span class="line">55. android.permission.READ_PROFILE: access the user's profile</span><br><span class="line">56. android.permission.READ_PHONE_STATE: allows the app to access phone state</span><br><span class="line">57. android.permission.READ_LOGS: allows the app to read low-level system logs</span><br><span class="line">58. android.permission.READ_INPUT_STATE: allows the app to read the current key input state; system only</span><br><span class="line">59. com.android.browser.permission.READ_HISTORY_BOOKMARKS: allows the app to read browser bookmarks and history</span><br><span class="line">60. android.permission.READ_FRAME_BUFFER: allows the app to read the frame buffer, used for screenshots</span><br><span class="line">61. android.permission.READ_EXTERNAL_STORAGE: allows the app to read files on external storage (internal and external SD card); if the app already declares WRITE_EXTERNAL_STORAGE, read access is implied and this permission need not be added separately</span><br><span class="line">62. android.permission.READ_CONTACTS: allows the app to access the contacts</span><br><span class="line">63. android.permission.READ_CALL_LOG: read the call log</span><br><span class="line">64. android.permission.READ_CALENDAR: allows the app to read the user's calendar events</span><br><span class="line">65. android.permission.PROCESS_OUTGOING_CALLS: allows the app to monitor, modify or abort outgoing calls</span><br><span class="line">66. android.permission.PERSISTENT_ACTIVITY: allows the app to make an Activity persistent; marked for future removal</span><br><span class="line">67. android.permission.NFC: allows the app to perform NFC near-field operations, e.g. for mobile payments</span><br><span class="line">68. android.permission.MOUNT_UNMOUNT_FILESYSTEMS: allows the app to mount and unmount external file systems</span><br><span class="line">69. android.permission.MOUNT_FORMAT_FILESYSTEMS: allows the app to format removable file systems, e.g. wiping the SD card</span><br><span class="line">70. android.permission.MODIFY_PHONE_STATE: allows the app to modify phone state, e.g. airplane mode, but not to replace the system dialer UI</span><br><span class="line">71. android.permission.MODIFY_AUDIO_SETTINGS: allows the app to modify audio settings</span><br><span class="line">72. android.permission.MEDIA_CONTENT_CONTROL: allows an app to know what is playing and control it; not for third-party apps</span><br><span class="line">73. android.permission.MASTER_CLEAR: allows the app to perform a factory reset, deleting system configuration</span><br><span class="line">74. android.permission.MANAGE_DOCUMENTS: allows an app to manage document access, usually as part of a document picker</span><br><span class="line">75. android.permission.MANAGE_APP_TOKENS: manage creation, destruction and Z-order of app tokens; system only</span><br><span class="line">76. android.permission.MANAGE_ACCOUNTS: allows the app to manage the account list in AccountManager</span><br><span class="line">77. android.permission.LOCATION_HARDWARE: allows an app to use location hardware; not for third-party apps</span><br><span class="line">78. android.permission.KILL_BACKGROUND_PROCESSES: allows the app to end background processes via killBackgroundProcesses(String)</span><br><span class="line">79. android.permission.INTERNET: allows the app to open network connections (may generate mobile data traffic)</span><br><span class="line">80. android.permission.INTERNAL_SYSTEM_WINDOW: allows the app to open internal system windows; not available to third-party apps</span><br><span class="line">81. com.android.launcher.permission.INSTALL_SHORTCUT: create shortcuts</span><br><span class="line">82. android.permission.INSTALL_PACKAGES: allows the app to install packages</span><br><span class="line">83. android.permission.INSTALL_LOCATION_PROVIDER: allows the app to install a location provider</span><br><span class="line">84. android.permission.INJECT_EVENTS: allows the app to inject low-level input events (keys, trackball) into the event stream</span><br><span class="line">85. android.permission.HARDWARE_TEST: allows the app to access hardware peripherals for hardware testing</span><br><span class="line">86. android.permission.GLOBAL_SEARCH: allows the app to use global search</span><br><span class="line">87. android.permission.GET_TOP_ACTIVITY_INFO: allows an app to retrieve private information about the current top activity; not for third-party apps</span><br><span class="line">88. android.permission.GET_TASKS: allows the app to get information about running tasks</span><br><span class="line">89. android.permission.GET_PACKAGE_SIZE: allows the app to find out the space used by any package</span><br><span class="line">90. android.permission.GET_ACCOUNTS: allows the app to access the list of accounts (e.g. Gmail accounts)</span><br><span class="line">91. android.permission.FORCE_BACK: allows the app to force a BACK operation on whatever activity is on top</span><br><span class="line">92. android.permission.FLASHLIGHT: allows access to the flashlight</span><br><span class="line">93. android.permission.FACTORY_TEST: allows the app to run in factory test mode</span><br><span class="line">94. android.permission.EXPAND_STATUS_BAR: allows the app to expand or collapse the status bar</span><br><span class="line">95. android.permission.DUMP: allows the app to retrieve dump state information from system services</span><br><span class="line">96. android.permission.DISABLE_KEYGUARD: allows the app to disable the keyguard</span><br><span class="line">97. android.permission.DIAGNOSTIC: allows the app to read and write diagnostic resources</span><br><span class="line">98. android.permission.DEVICE_POWER: allows the app to access low-level power management</span><br><span class="line">99. android.permission.DELETE_PACKAGES: allows the app to delete packages</span><br><span class="line">100. android.permission.DELETE_CACHE_FILES: allows the app to delete cache files</span><br><span class="line">101. android.permission.CONTROL_LOCATION_UPDATES: allows the app to control location update notifications from the mobile network radio</span><br><span class="line">102. android.permission.CLEAR_APP_USER_DATA: allows the app to clear user data</span><br><span class="line">103. android.permission.CLEAR_APP_CACHE: allows the app to clear app caches</span><br><span class="line">104. android.permission.CHANGE_WIFI_STATE: allows the app to change the Wi-Fi state</span><br><span class="line">105. android.permission.CHANGE_WIFI_MULTICAST_STATE: allows the app to change the Wi-Fi multicast state</span><br><span class="line">106. android.permission.CHANGE_NETWORK_STATE: allows the app to change network connectivity state, e.g. whether the device is connected</span><br><span class="line">107. android.permission.CHANGE_CONFIGURATION: allows the app to change the current configuration, such as the locale</span><br><span class="line">108. android.permission.CHANGE_COMPONENT_ENABLED_STATE: change whether a component is enabled</span><br><span class="line">109. android.permission.CAPTURE_VIDEO_OUTPUT: allows an app to capture video output; not for third-party apps</span><br><span class="line">110. android.permission.CAPTURE_SECURE_VIDEO_OUTPUT: allows an app to capture secure video output; not for third-party apps</span><br><span class="line">111. android.permission.CAPTURE_AUDIO_OUTPUT: allows an app to capture audio output; not for third-party apps</span><br><span class="line">112. android.permission.CAMERA: allows the app to access the camera to take pictures</span><br><span class="line">113. android.permission.CALL_PRIVILEGED: allows the app to place calls to any number, replacing the system dialer UI</span><br><span class="line">114. android.permission.CALL_PHONE: allows the app to place calls without going through the system dialer UI</span><br><span class="line">115. android.permission.BROADCAST_WAP_PUSH: allows the app to broadcast a notification that a WAP PUSH has been received</span><br><span class="line">116. android.permission.BROADCAST_STICKY: allows the app to send sticky broadcasts</span><br><span class="line">117. android.permission.BROADCAST_SMS: allows the app to broadcast a notification that an SMS has been received</span><br><span class="line">118. android.permission.BROADCAST_PACKAGE_REMOVED: allows the app to broadcast a notification that a package has been removed</span><br><span class="line">119. android.permission.BRICK: can disable the device; extremely dangerous, it literally turns the phone into a brick</span><br><span class="line">120. android.permission.BLUETOOTH_PRIVILEGED: allows the app to pair Bluetooth devices without user interaction; not available to third-party apps</span><br><span class="line">121. android.permission.BLUETOOTH_ADMIN: allows the app to discover and pair new Bluetooth devices</span><br><span class="line">122. android.permission.BLUETOOTH: allows the app to connect to paired Bluetooth devices</span><br><span class="line">123. android.permission.BIND_WALLPAPER: must be required by a WallpaperService so that only the system can bind to it</span><br><span class="line">124. android.permission.BIND_VPN_SERVICE: must be required by a VpnService so that only the system can bind to it</span><br><span class="line">125. android.permission.BIND_TEXT_SERVICE: must be required by a TextService (e.g. a SpellCheckerService) so that only the system can bind to it</span><br><span class="line">126. android.permission.BIND_REMOTEVIEWS: must be required by a RemoteViewsService so that only the system can bind to it</span><br><span class="line">127. android.permission.BIND_PRINT_SERVICE: must be required by a PrintService so that only the system can bind to it</span><br><span class="line">128. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE: must be required by a NotificationListenerService so that only the system can bind to it</span><br><span class="line">129. android.permission.BIND_NFC_SERVICE: must be required by a HostApduService or OffHostApduService so that only the system can bind to it</span><br><span class="line">130. android.permission.BIND_INPUT_METHOD: must be required by an InputMethodService; only the system can bind to it</span><br><span class="line">131. android.permission.BIND_DEVICE_ADMIN: must be required by a device administration receiver; only the system can bind to it</span><br><span class="line">132. android.permission.BIND_APPWIDGET: allows the app to tell the AppWidget service which app may access widget data; very few apps need this</span><br><span class="line">133. android.permission.BIND_ACCESSIBILITY_SERVICE: must be required by an AccessibilityService so that only the system can bind to it</span><br><span class="line">134. android.permission.AUTHENTICATE_ACCOUNTS: allows the app to act as an account authenticator for AccountManager</span><br><span class="line">135. com.android.voicemail.permission.ADD_VOICEMAIL: allows an app to add voicemails into the system</span><br><span class="line">136. android.permission.ACCOUNT_MANAGER: allows the app to call into account authenticators (mainly Gmail account information); system-level processes only</span><br><span class="line">137. android.permission.ACCESS_WIFI_STATE: allows the app to read the current Wi-Fi connection state and hotspot information</span><br><span class="line">138. android.permission.ACCESS_SURFACE_FLINGER: low-level graphics access on Android, generally used by games, camera preview and low-level screenshots</span><br><span class="line">139. android.permission.ACCESS_NETWORK_STATE: allows the app to read network state, e.g. whether the current connection is valid</span><br><span class="line">140. android.permission.ACCESS_MOCK_LOCATION: allows the app to create mock location providers; generally used for debugging</span><br><span class="line">141. android.permission.ACCESS_LOCATION_EXTRA_COMMANDS: allows the app to access extra location provider commands</span><br><span class="line">142. android.permission.ACCESS_FINE_LOCATION: allows the app to obtain precise location from the GPS chip</span><br><span class="line">143. android.permission.ACCESS_COARSE_LOCATION: allows the app to obtain approximate location via Wi-Fi or cell towers</span><br><span class="line">144. android.permission.ACCESS_CHECKIN_PROPERTIES: allows the app to read or write the properties table of the check-in database</span><br></pre></td></tr></table></figure><h3 id="答案-6"><a href="#答案-6" class="headerlink" title="Answer"></a>Answer</h3><p>The declared list covers taking photos (CAMERA), connecting to the network (INTERNET) and reading files (READ_EXTERNAL_STORAGE), but nothing that could change the device model: Android has no such permission, and the model is a read-only system property.</p><p>The permission this input method does not have is <strong>C. 
修改型号</strong></p><h2 id="8-该涉案人和被害人聊天使用skype软件的版本号是?"><a href="#8-该涉案人和被害人聊天使用skype软件的版本号是?" class="headerlink" title="8.该涉案人和被害人聊天使用skype软件的版本号是?"></a>8.该涉案人和被害人聊天使用skype软件的版本号是?</h2><p>A. 8.80.0.137</p><p>B. 7.37.99.40</p><p>C. 6.65.12.1111</p><p>D. 5.76.34.12</p><h3 id="解题-7"><a href="#解题-7" class="headerlink" title="解题"></a>解题</h3><p> 现在文件里查看,是什么文件(因为我在搜索应用时发现两个文件)</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230421223109045.png" alt="image-20230421223109045"></p><p><img src="C:\Users\25337\AppData\Roaming\Typora\typora-user-images\image-20230421222954981.png" alt="image-20230421222954981"></p><p>所以我们查看名为<strong>com.skype.raider</strong>的版本号</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230421232126278.png" alt="image-20230421232126278"></p><h3 id="答案-7"><a href="#答案-7" class="headerlink" title="答案"></a>答案</h3><p> 该涉案人和被害人聊天使用skype软件的版本号是<strong>A. 8.80.0.137</strong></p><h2 id="9-哪个不是该涉案手机连接过其他手机的蓝牙物理地址"><a href="#9-哪个不是该涉案手机连接过其他手机的蓝牙物理地址" class="headerlink" title="9.哪个不是该涉案手机连接过其他手机的蓝牙物理地址:"></a>9.哪个不是该涉案手机连接过其他手机的蓝牙物理地址:</h2><p>A. E0:9D:FA:3A:BB:3C</p><p>B. E0:64:FA:3A:8B:11</p><p>C. 00:45:E2:02:50:BC</p><p>D. 00:1A:7D:DA:71:11</p><h3 id="解题-8"><a href="#解题-8" class="headerlink" title="解题"></a>解题</h3><p> <strong>思路:</strong>打开Basic发先bluetoothinfo文件夹下有想要的目标</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230421224601060.png" alt="image-20230421224601060"></p><h3 id="答案-8"><a href="#答案-8" class="headerlink" title="答案"></a>答案</h3><p> <strong>B. E0:64:FA:3A:8B:11</strong>不是该涉案手机连接过其他手机的蓝牙物理地址</p><h2 id="10-涉案APK的程序入口?"><a href="#10-涉案APK的程序入口?" class="headerlink" title="10.涉案APK的程序入口?"></a>10.涉案APK的程序入口?</h2><p>A. W2a.W2Ah5.jsgjzfx.org.cn</p><p>B. io.dcloud.PandoraEntryx</p><p>C. w2a.W2Ah5.jsgjzfx.org</p><p>D. 
io.dcloud.PandoraEntry</p><h3 id="解题-9"><a href="#解题-9" class="headerlink" title="解题"></a>解题</h3><p> <strong>思路:</strong>使用Jeb打开文件发现涉案APK的程序入口为io.dcloud.PandoraEntryx</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422002112757.png" alt="image-20230422002112757"></p><h3 id="答案-9"><a href="#答案-9" class="headerlink" title="答案"></a>答案</h3><p> 涉案APK的程序入口为<strong>B. io.dcloud.PandoraEntryx</strong></p><h2 id="11-涉案APK连接的服务器地址是?"><a href="#11-涉案APK连接的服务器地址是?" class="headerlink" title="11.涉案APK连接的服务器地址是?"></a>11.涉案APK连接的服务器地址是?</h2><p>A.h5.gjzfx.org.cn B.bspapp.com C.yhjj.com D.api.meiqia.com</p><h3 id="解题-10"><a href="#解题-10" class="headerlink" title="解题"></a><strong>解题</strong></h3><p> <strong>思路:</strong>使用小黄鸟进行抓包</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422160058763.png" alt="image-20230422160058763"></p><h3 id="答案-10"><a href="#答案-10" class="headerlink" title="答案"></a>答案</h3><p> 涉案APK连接的服务器地址是<strong>B.bspapp.com</strong></p><h2 id="12-以下哪个是APK申请的权限?"><a href="#12-以下哪个是APK申请的权限?" class="headerlink" title="12.以下哪个是APK申请的权限?"></a>12.以下哪个是APK申请的权限?</h2><p>A. 测试对受保护存储空间的访问权限</p><p>B. 申请系统管理权限</p><p>C. 修改手机状态和身份</p><p>D. 
修改位置信息</p><h3 id="解题-11"><a href="#解题-11" class="headerlink" title="解题"></a>解题</h3><p> <strong>思路:</strong>在jeb中找到权限</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422002400078.png" alt="image-20230422002400078"></p><figure class="highlight xml"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line"><span class="tag"><<span class="name">uses-permission</span> <span class="attr">android:name</span>=<span class="string">"android.permission.INTERNET"</span> /></span></span><br><span class="line"> <span class="tag"><<span class="name">uses-permission</span> <span class="attr">android:name</span>=<span class="string">"android.permission.WRITE_EXTERNAL_STORAGE"</span> /></span></span><br><span class="line"> <span class="tag"><<span class="name">uses-permission</span> <span class="attr">android:name</span>=<span class="string">"android.permission.ACCESS_NETWORK_STATE"</span> /></span></span><br><span class="line"> <span class="tag"><<span class="name">uses-permission</span> <span class="attr">android:name</span>=<span class="string">"android.permission.ACCESS_WIFI_STATE"</span> /></span></span><br><span class="line"> <span class="tag"><<span class="name">uses-permission</span> <span class="attr">android:name</span>=<span class="string">"android.permission.INSTALL_PACKAGES"</span> /></span></span><br><span class="line"> <span class="tag"><<span class="name">uses-permission</span> <span class="attr">android:name</span>=<span 
class="string">"android.permission.REQUEST_INSTALL_PACKAGES"</span> /></span></span><br><span class="line"> <span class="tag"><<span class="name">uses-permission</span> <span class="attr">android:name</span>=<span class="string">"android.permission.CHANGE_NETWORK_STATE"</span> /></span></span><br><span class="line"> <span class="tag"><<span class="name">uses-permission</span> <span class="attr">android:name</span>=<span class="string">"android.permission.READ_PHONE_STATE"</span> /></span></span><br><span class="line"> <span class="tag"><<span class="name">uses-permission</span> <span class="attr">android:name</span>=<span class="string">"android.permission.RECORD_AUDIO"</span> /></span></span><br><span class="line"> <span class="tag"><<span class="name">uses-permission</span> <span class="attr">android:name</span>=<span class="string">"com.asus.msa.SupplementaryDID.ACCESS"</span> /></span></span><br><span class="line"> <span class="tag"><<span class="name">uses-permission</span> <span class="attr">android:name</span>=<span class="string">"android.permission.READ_EXTERNAL_STORAGE"</span> /></span> //A. 测试对受保护存储空间的访问权限</span><br><span class="line"> <span class="tag"><<span class="name">uses-permission</span> <span class="attr">android:name</span>=<span class="string">"com.huawei.android.launcher.permission.CHANGE_BADGE"</span> /></span></span><br><span class="line"> <span class="tag"><<span class="name">uses-permission</span> <span class="attr">android:name</span>=<span class="string">"com.vivo.notification.permission.BADGE_ICON"</span> /></span></span><br><span class="line"> </span><br></pre></td></tr></table></figure><h3 id="答案-11"><a href="#答案-11" class="headerlink" title="答案"></a>答案</h3><p> <strong>A. 测试对受保护存储空间的访问权限</strong>是APK申请的权限</p><h2 id="13-APK向服务器传送的数据中,包含以下哪个字段?"><a href="#13-APK向服务器传送的数据中,包含以下哪个字段?" class="headerlink" title="13.APK向服务器传送的数据中,包含以下哪个字段?"></a>13.APK向服务器传送的数据中,包含以下哪个字段?</h2><p>A. mc</p><p>B. address</p><p>C. number</p><p>D. 
dc</p><h3 id="解题-12"><a href="#解题-12" class="headerlink" title="解题"></a>Solution</h3><p> <strong>Approach:</strong> capture the APK's traffic with HttpCanary (小黄鸟) while it exchanges data with the server and inspect the request body</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422160211996.png" alt="image-20230422160211996"></p><h3 id="答案-12"><a href="#答案-12" class="headerlink" title="答案"></a>Answer</h3><p> The data the APK sends to the server contains the field <strong>A. mc</strong></p><h1 id="二、请检查窝点中的计算机检材,回答以下问题"><a href="#二、请检查窝点中的计算机检材,回答以下问题" class="headerlink" title="二、请检查窝点中的计算机检材,回答以下问题"></a>II. Examine the computer exhibit from the den and answer the following questions</h1><h2 id="14-涉案计算机的计算机全名是?"><a href="#14-涉案计算机的计算机全名是?" class="headerlink" title="14.涉案计算机的计算机全名是?"></a>14. What is the full computer name of the suspect computer?</h2><p>A. DESKTOP-VC69QPB </p><p>B. DESKTOP-KDN38R5</p><p>C. DESKTOP-SLU384N</p><p>D. DESKTOP-I92E87D</p><h3 id="解题-13"><a href="#解题-13" class="headerlink" title="解题"></a>Solution</h3><p> <strong>Approach:</strong> in PanguShi (盘古石) computer forensics, the account information shows the user domain of the local accounts, which for a workgroup machine is the computer name</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422003509522.png" alt="image-20230422003509522"></p><h3 id="答案-13"><a href="#答案-13" class="headerlink" title="答案"></a>Answer</h3><p> The full computer name of the suspect computer is <strong>A. DESKTOP-VC69QPB</strong> </p><h2 id="15-涉案计算机有效账户最后一次登录时间是?"><a href="#15-涉案计算机有效账户最后一次登录时间是?" class="headerlink" title="15.涉案计算机有效账户最后一次登录时间是?"></a>15. When did a valid account last log on to the suspect computer?</h2><p>A. 2022-03-15 09:43:04 +08</p><p>B. 2022-03-15 09:43:04 +00</p><p>C. 2022-03-15 17:43:04 +08</p><p>D. 2022-03-15 17:48:04 +00</p><h3 id="解题-14"><a href="#解题-14" class="headerlink" title="解题"></a>Solution</h3><p> <strong>Approach:</strong> open the image in PanguShi and check the account logon information. The options differ only by time zone, so confirm whether the tool is displaying timestamps in the image's local zone (UTC+8) or in UTC before picking one</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422003828066.png" alt="image-20230422003828066"></p><h3 id="答案-14"><a href="#答案-14" class="headerlink" title="答案"></a>Answer</h3><p> The last logon of a valid account on the suspect computer was <strong>A. 2022-03-15 09:43:04 +08</strong></p><h2 id="16-涉案计算机登录次数最多的账户是什么?登录了多少次?"><a href="#16-涉案计算机登录次数最多的账户是什么?登录了多少次?" class="headerlink" title="16.涉案计算机登录次数最多的账户是什么?登录了多少次?"></a>16. Which account logged on to the suspect computer most often, and how many times?</h2><p>A. admin 16</p><p>B. admin 19</p><p>C. administrator 16</p><p>D. administrator 19</p><h3 id="解题-15"><a href="#解题-15" class="headerlink" title="解题"></a>Solution</h3><p> <strong>Approach:</strong> check the user information in PanguShi</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422004119799.png" alt="image-20230422004119799"></p><h3 id="答案-15"><a href="#答案-15" class="headerlink" title="答案"></a>Answer</h3><p> The account with the most logons is <strong>admin</strong>, with <strong>19</strong> logons (option B)</p><h2 id="17-涉案计算机是否连接过SanDisk优盘,该优盘的序列号是什么?"><a href="#17-涉案计算机是否连接过SanDisk优盘,该优盘的序列号是什么?" class="headerlink" title="17.涉案计算机是否连接过SanDisk优盘,该优盘的序列号是什么?"></a>17. Was a SanDisk USB drive ever connected to the suspect computer, and what is its serial number?</h2><p>A. 4C530001180221100781</p><p>B. 4C530001180221109491</p><p>C. 5D7E0001180221100781</p><p>D. 5D7E 0001180221109491</p><h3 id="解题-16"><a href="#解题-16" class="headerlink" title="解题"></a>Solution</h3><p> <strong>Approach:</strong> check the USB devices in PanguShi (it reads them from the USBSTOR keys of the SYSTEM hive)<img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422004601665.png" alt="image-20230422004601665"></p><h3 id="答案-16"><a href="#答案-16" class="headerlink" title="答案"></a>Answer</h3><p> Yes; the SanDisk drive's serial number is <strong>B. 4C530001180221109491</strong></p><h2 id="18-涉案计算机以太网的Ip地址是?"><a href="#18-涉案计算机以太网的Ip地址是?" class="headerlink" title="18.涉案计算机以太网的Ip地址是?"></a>18. What is the IP address of the suspect computer's Ethernet adapter?</h2><p>A. 192.168.1.100</p><p>B. 192.168.1.101</p><p>C. 172.168.1.100</p><p>D. 172.168.1.101</p><h3 id="解题-17"><a href="#解题-17" class="headerlink" title="解题"></a>Solution</h3><p> <strong>Approach:</strong> in PanguShi, open Network configuration and check the network connections</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422004710941.png" alt="image-20230422004710941"></p><h3 id="答案-17"><a href="#答案-17" class="headerlink" title="答案"></a>Answer</h3><p> The IP address of the suspect computer's Ethernet adapter is <strong>B. 192.168.1.101</strong></p><h2 id="19-涉案Windows计算机通过浏览器是否下载过哪个软件?"><a href="#19-涉案Windows计算机通过浏览器是否下载过哪个软件?" class="headerlink" title="19.涉案Windows计算机通过浏览器是否下载过哪个软件?"></a>19. Which of the following programs did the suspect Windows computer download through a browser?</h2><p>A. QQ</p><p>B. Navicat</p><p>C. 
Clash</p><p>D. wireshark</p><h3 id="解题-18"><a href="#解题-18" class="headerlink" title="解题"></a>Solution</h3><p> <strong>Approach:</strong> in PanguShi, open Browsers and check the Internet Explorer download history<img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422004953250.png" alt="image-20230422004953250"></p><h3 id="答案-18"><a href="#答案-18" class="headerlink" title="答案"></a>Answer</h3><p> The suspect Windows computer downloaded <strong>B. Navicat</strong> through a browser</p><h2 id="20-嫌疑人使用navicat远程连接数据的IP是?"><a href="#20-嫌疑人使用navicat远程连接数据的IP是?" class="headerlink" title="20.嫌疑人使用navicat远程连接数据的IP是?"></a>20. Which IP did the suspect connect to remotely with Navicat?</h2><p>A. 45.77.15.219</p><p>B. 45.77.16.229</p><p>C. 35.66.15.219</p><p>D. 35.66.16.229</p><h3 id="解题-19"><a href="#解题-19" class="headerlink" title="解题"></a>Solution</h3><p> <strong>Approach:</strong> for some reason neither my copy of PanguShi nor my junior classmate's parsed this out, so I just looked at the answer; it is not hard. When the tool does not surface it, the place to look by hand is the user's NTUSER.DAT hive: Navicat keeps its saved connections under HKCU\Software\PremiumSoft\Navicat\Servers (NavicatPremium for the Premium edition), one subkey per connection with the host and port as values</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422214442627.png" alt="image-20230422214442627"></p><h3 id="答案-19"><a href="#答案-19" class="headerlink" title="答案"></a>Answer</h3><p> The IP the suspect connected to remotely with Navicat is <strong>B. 45.77.16.229</strong></p><h2 id="21-涉案计算机是否存在加密分区,采用了什么加密方式?"><a href="#21-涉案计算机是否存在加密分区,采用了什么加密方式?" class="headerlink" title="21.涉案计算机是否存在加密分区,采用了什么加密方式?"></a>21. Does the suspect computer have an encrypted partition, and which encryption was used?</h2><p>A. Bitlocker</p><p>B. TrueCrypt</p><p>C. VeraCrypt</p><p>D. CnCrypt</p><h3 id="解题-20"><a href="#解题-20" class="headerlink" title="解题"></a>Solution</h3><p> <strong>Approach:</strong> PanguShi identifies the partition as <strong>BitLocker</strong> encrypted</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422005426426.png" alt="image-20230422005426426"></p><h3 id="答案-20"><a href="#答案-20" class="headerlink" title="答案"></a>Answer</h3><p> Yes, the suspect computer has an encrypted partition, and it uses <strong>A. Bitlocker</strong></p><h2 id="22-涉案计算机加密分区里面word文档文件最后访问时间是什么"><a href="#22-涉案计算机加密分区里面word文档文件最后访问时间是什么" class="headerlink" title="22.涉案计算机加密分区里面word文档文件最后访问时间是什么?"></a>22. What is the last access time of the Word document in the suspect computer's encrypted partition?</h2><p>A. 2022-03-14 19:14:45 +08</p><p>B. 2022-03-14 19:14:45 +00</p><p>C. 
2022-03-14 19:10:53 +08</p><p>D. 2022-03-14 19:10:53 +00</p><h3 id="解题-21"><a href="#解题-21" class="headerlink" title="解题"></a>Solution</h3><p> <strong>Approach:</strong> search the decrypted partition for "doc"; the file <strong>我天.doc</strong> turns up and its last access time can be read from the file's properties. Keep in mind that NTFS only maintains last-access timestamps when NtfsDisableLastAccessUpdate is off, so on many systems this value reflects something other than the last time the document was opened</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422132302318.png" alt="image-20230422132302318"></p><h3 id="答案-21"><a href="#答案-21" class="headerlink" title="答案"></a>Answer</h3><p> The last access time of the Word document in the encrypted partition is <strong>A. 2022-03-14 19:14:45 +08</strong></p><h2 id="23-涉案计算机加密分区中的txt文件SHA256值为?"><a href="#23-涉案计算机加密分区中的txt文件SHA256值为?" class="headerlink" title="23.涉案计算机加密分区中的txt文件SHA256值为?"></a>23. What is the SHA256 of the txt file in the suspect computer's encrypted partition?</h2><p>Compute the hash</p><p>A.da54693b5f04ea703e23065b53d01d89ca36e0444dee62ba01622e6d186e4712 </p><p>B.fa7a3b601325cfe85a9d6fff6514804d06754795175c87c3af162eac7dcf693a </p><p>C.972403b4b8fdfc211d5a14178be7e02e792cbe6a7bd6ff827ebb2c8909f4e2b8 </p><p>D.b7254757595ce0228801bd53417895c2b6f28781d98bec8d854f4772c06aea29</p><h3 id="解题-22"><a href="#解题-22" class="headerlink" title="解题"></a>Solution</h3><p> <strong>Method 1:</strong></p><p> <strong>Approach:</strong> I could not find the file in PanguShi (my fault), but PanguShi had earlier surfaced the <strong>BitLocker recovery key</strong>. So I booted the image in the emulator, unlocked the encrypted partition with the recovery key, located the txt file and computed its SHA256 with the built-in Windows command line (e.g. certutil -hashfile <file> SHA256)</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422130603565.png" alt="image-20230422130603565"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422130755080.png" alt="image-20230422130755080"></p><p><strong>Method 2:</strong></p><p> Take the <strong>BitLocker recovery key</strong> found in PanguShi, decrypt the encrypted partition inside the forensics tool itself, search for "txt" to find the target file, then right-click it and compute the SHA256. Hashing inside the tool is preferable to hashing inside a booted emulation, because booting the image writes to the file system and leaves the evidence copy in a modified state</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422132058439.png" alt="image-20230422132058439"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422132022371.png" alt="image-20230422132022371"></p><h3 id="答案-22"><a href="#答案-22" class="headerlink" title="答案"></a>Answer</h3><p> 
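</p><p>Before the answer, an added example that is not part of the original writeup: the same verification step scripted in Python, hashing the recovered file in fixed-size chunks (so a multi-gigabyte exhibit never has to fit in memory) and matching the digest against the four option hashes case-insensitively, since certutil prints lowercase while some tools print uppercase. The sample file content (b"abc") and its temporary path are constructed for the demonstration; the real check would point hash_file at the txt file recovered from the unlocked BitLocker volume.</p>

```python
import hashlib
import os
import tempfile

# The four candidate digests from question 23, copied from the page.
CANDIDATES = {
    "A": "da54693b5f04ea703e23065b53d01d89ca36e0444dee62ba01622e6d186e4712",
    "B": "fa7a3b601325cfe85a9d6fff6514804d06754795175c87c3af162eac7dcf693a",
    "C": "972403b4b8fdfc211d5a14178be7e02e792cbe6a7bd6ff827ebb2c8909f4e2b8",
    "D": "b7254757595ce0228801bd53417895c2b6f28781d98bec8d854f4772c06aea29",
}


def hash_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Hash a file in chunks of `chunk_size` bytes and return the lowercase
    hex digest. hashlib.new accepts any algorithm the platform supports,
    so the same helper covers md5/sha1 when a report asks for those too."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def match_candidate(digest, candidates=CANDIDATES):
    """Return the option letter whose digest equals `digest`, comparing
    case-insensitively after stripping whitespace; None if nothing matches."""
    wanted = digest.strip().lower()
    for letter, value in candidates.items():
        if value.lower() == wanted:
            return letter
    return None


def hash_constructed_sample():
    """Write a constructed sample file (content b'abc') into a temporary
    directory and hash it. This stands in for the txt file recovered from
    the BitLocker volume; the sample is not evidence from the case."""
    with tempfile.TemporaryDirectory() as workdir:
        sample = os.path.join(workdir, "sample.txt")
        with open(sample, "wb") as fh:
            fh.write(b"abc")
        return hash_file(sample)


if __name__ == "__main__":
    digest = hash_constructed_sample()
    print(digest, "->", match_candidate(digest))
```

<p>Run against the real file, hash_file gives one of the four digests above and match_candidate returns its letter; against the constructed sample it returns None, which is the result you want to see when a hash does not match any expected value rather than a silent near-miss.</p><p>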
The SHA256 of the txt file in the suspect computer's encrypted partition is <strong>C.972403b4b8fdfc211d5a14178be7e02e792cbe6a7bd6ff827ebb2c8909f4e2b8</strong> </p><h2 id="24-涉案计算机使用的远程连接工具ToDesk的版本是?"><a href="#24-涉案计算机使用的远程连接工具ToDesk的版本是?" class="headerlink" title="24.涉案计算机使用的远程连接工具ToDesk的版本是?"></a>24. Which version of the remote access tool ToDesk is installed on the suspect computer?</h2><p>A. 4.2.6.03021556</p><p>B. 12.5.1.44969</p><p>C. 14.28.2935.2</p><p>D. 11.0.61030</p><h3 id="解题-23"><a href="#解题-23" class="headerlink" title="解题"></a>Solution</h3><p> <strong>Approach:</strong> open the image in Meiya Pico's Forensics Master (取证大师), check the installed programs and read off the ToDesk version</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422102846769.png" alt="image-20230422102846769"></p><h3 id="答案-23"><a href="#答案-23" class="headerlink" title="答案"></a>Answer</h3><p> The version of ToDesk installed on the suspect computer is <strong>A. 4.2.6.03021556</strong></p><h2 id="25-哪个设备的IP曾经通过向日葵连接到本地计算机?"><a href="#25-哪个设备的IP曾经通过向日葵连接到本地计算机?" class="headerlink" title="25.哪个设备的IP曾经通过向日葵连接到本地计算机?"></a>25. Which device's IP connected to this computer through Sunlogin (向日葵)?</h2><p>A. 11.91.214.117</p><p>B. 116.246.0.90</p><p>C. 58.244.39.225</p><p>D. 10.91.215.14</p><h3 id="解题-24"><a href="#解题-24" class="headerlink" title="解题"></a>Solution</h3><p> <strong>Approach:</strong> in PanguShi, open Remote connections, select Sunlogin and look at the records of received remote sessions, which list the public IP of the connecting side</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422101703012.png" alt="image-20230422101703012"></p><h3 id="答案-24"><a href="#答案-24" class="headerlink" title="答案"></a>Answer</h3><p> <strong>B. 116.246.0.90</strong> is the IP that connected to this computer through Sunlogin</p><h2 id="26-嫌疑人使用的VPN使用了哪种加密算法"><a href="#26-嫌疑人使用的VPN使用了哪种加密算法" class="headerlink" title="26.嫌疑人使用的VPN使用了哪种加密算法"></a>26. Which encryption algorithm does the suspect's VPN use?</h2><p>A. DES-128-CFB</p><p>B. AES-256-cfb</p><p>C. MD5</p><p>D. SHA</p><h3 id="解题-25"><a href="#解题-25" class="headerlink" title="解题"></a>Solution</h3><p> <strong>Approach:</strong> open the VPN section in PanguShi to see the cipher configured for the suspect's VPN client. The options can also be narrowed down without the image: MD5 and SHA are hash functions, not encryption algorithms, and DES has a 56-bit key, so "DES-128-CFB" does not exist; aes-256-cfb is a cipher Shadowsocks actually offers</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422102047163.png" alt="image-20230422102047163"></p><h3 id="答案-25"><a href="#答案-25" class="headerlink" title="答案"></a>Answer</h3><p> The suspect's VPN uses <strong>B. AES-256-cfb</strong></p><h2 id="27-以下哪个地址不会被自动识别走代理通道?"><a href="#27-以下哪个地址不会被自动识别走代理通道?" class="headerlink" title="27.以下哪个地址不会被自动识别走代理通道?"></a>27. Which of the following addresses will not be automatically routed through the proxy?</h2><p>A. carfax.com/index.html</p><p>B. api.expekt.com</p><p>C. huluim.com/login</p><p>D. api.dns100.com</p><h3 id="解题-26"><a href="#解题-26" class="headerlink" title="解题"></a>Solution</h3><p> <strong>Approach:</strong> boot the image in PanguShi's emulator and look at the Shadowsocks client's files; its pac.txt holds the proxy rules. Shadowsocks generates this PAC from the gfwlist rule set, so a host that matches no rule falls through to a direct connection</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422120841746.png" alt="image-20230422120841746"></p><p>Then search the file for each of the four options</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422110551248.png" alt="image-20230422110551248"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422110258979.png" alt="image-20230422110258979"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422110439304.png" alt="image-20230422110439304"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422110646413.png" alt="image-20230422110646413"></p><h3 id="答案-26"><a href="#答案-26" class="headerlink" title="答案"></a>Answer</h3><p> <strong>D. api.dns100.com</strong> will not be automatically routed through the proxy</p><h2 id="28-以下哪个IP会被代理软件识别为国内IP段进行直连。"><a href="#28-以下哪个IP会被代理软件识别为国内IP段进行直连。" class="headerlink" title="28.以下哪个IP会被代理软件识别为国内IP段进行直连。"></a>28. Which of the following IPs will the proxy client recognise as a domestic (China) IP range and connect to directly?</h2><p>A. 1.16.0.1</p><p>B. 1.205.0.1</p><p>C. 35.2.0.1</p><p>D. 
56.11.0.1</p><h3 id="解题-27"><a href="#解题-27" class="headerlink" title="解题"></a>Solution</h3><p> <strong>Approach:</strong> boot the image in the emulator and search the Shadowsocks <strong>chn_ip.txt</strong> file for the four options</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422213251259.png" alt="image-20230422213251259"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422212741329.png" alt="image-20230422212741329"></p><p>The file lists address ranges rather than single addresses, so a literal search for the option text is not enough; searching for "1.204" shows that <strong>B. 1.205.0.1</strong> falls inside the range <strong>1.204.0.0 to 1.207.255.255</strong></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422213714321.png" alt="image-20230422213714321"></p><h3 id="答案-27"><a href="#答案-27" class="headerlink" title="答案"></a>Answer</h3><p> <strong>B. 1.205.0.1</strong> is recognised by the proxy client as a domestic IP range and connected to directly.</p><h2 id="29-查看涉案计算机系统日志,判断该涉案计算机最后一次刷新时区信息是什么时间?"><a href="#29-查看涉案计算机系统日志,判断该涉案计算机最后一次刷新时区信息是什么时间?" class="headerlink" title="29.查看涉案计算机系统日志,判断该涉案计算机最后一次刷新时区信息是什么时间?"></a>29. According to the suspect computer's system log, when did it last refresh its time zone information?</h2><p>A. 2022-3-17 9:59:14</p><p>B. 2022-3-16 10:02:13</p><p>C. 2022-3-15 12:54:44</p><p>D. 2022-3-17 10:06:38</p><h3 id="解题-28"><a href="#解题-28" class="headerlink" title="解题"></a>Solution</h3><p> <strong>Approach:</strong></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422120216349.png" alt="image-20230422120216349"></p><p>After booting the image in the emulator, press Win+R, run eventvwr.msc and inspect the System log. The log also contains events generated by your own emulation session (the image was booted on 2023-04-22), so filter by the dates of the case and discard anything newer</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422120143408.png" alt="image-20230422120143408"></p><h3 id="答案-28"><a href="#答案-28" class="headerlink" title="答案"></a>Answer</h3><p> According to the system log, the suspect computer last refreshed its time zone information at <strong>C. 2022-3-15 12:54:44</strong></p><h1 id="三、请检查窝点中的服务器检材,回答以下问题"><a href="#三、请检查窝点中的服务器检材,回答以下问题" class="headerlink" title="三、请检查窝点中的服务器检材,回答以下问题"></a>III. Examine the server exhibit from the den and answer the following questions</h1><h2 id="网站搭建过程"><a href="#网站搭建过程" class="headerlink" title="网站搭建过程"></a>Bringing up the website</h2><ul><li><p>First, boot the image in the emulation software</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422201919303.png" alt="image-20230422201919303"></p><p>The account and password were set to root and 123456</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422201940160.png" alt="image-20230422201940160"></p></li><li><p>Then connect with Xshell</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422202130515.png" alt="image-20230422202130515"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422202157409.png" alt="image-20230422202157409"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422202319182.png" alt="image-20230422202319182"></p></li><li><p>Then run <strong>bt 14</strong> to bring up the Baota (宝塔) panel information</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422202502282.png" alt="image-20230422202502282"></p></li><li><p>Then add the line below to the local hosts file (192.168.146.129 is the address of the emulated server); otherwise the site cannot be reached by domain name</p><figure class="highlight accesslog"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="number">192.168.146.129</span> h1.jsgjzfx.cn </span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422203033142.png" alt="image-20230422203033142"></p></li><li><p>External panel address: <a href="http://h1.jsgjzfx.cn:8888/3ba5d170">http://h1.jsgjzfx.cn:8888/3ba5d170</a>. Entering through this link fails with the password the panel reports, so reset the password with the following command (bt 5 does the same from the menu)</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">cd /www/server/panel && btpython tools.py panel testpasswd pxosm4tw</span><br></pre></td></tr></table></figure><p>testpasswd is the new password; you can use any other value</p></li><li><p>Log in</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422203145048.png" alt="image-20230422203145048"></p></li><li><p>Read the database login name and password from the panel, then open phpMyAdmin to enter the database</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422203333191.png" alt="image-20230422203333191"></p></li><li><p>Find the back-end administrator's login account and password in the database</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422203439311.png" alt="image-20230422203439311"></p></li><li><p>The logs show that the back-end login path is <a href="http://h1.jsgjzfx.cn/login">http://h1.jsgjzfx.cn/login</a>, but the login form also asks for an "administrator verification" (管理员验证) value</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422203642126.png" alt="image-20230422203642126"></p></li><li><p>Download the site's source code and search it in VS Code for <strong>管理员验证</strong></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422203926805.png" alt="image-20230422203926805"></p><p>Go into the folder named <strong>h1.jsgjzfx.cn</strong>, where the source archive <strong>h1.jsgjzfx.cn.zip</strong> is found, and download it locally.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422204052431.png" alt="image-20230422204052431"></p></li><li><p>Open the files in VS Code and search for 管理员验证</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422204422459.png" alt="image-20230422204422459"></p></li><li><p>Then search for <strong>yzsj</strong>; the verification code is <strong>124758</strong></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422204534423.png" alt="image-20230422204534423"></p></li><li><p>Try logging in; the back end opens</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422205137958.png" alt=""></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422204628624.png" alt="image-20230422204628624"></p></li></ul><h2 
id="30-Liunx服务器的系统内核版本"><a href="#30-Liunx服务器的系统内核版本" class="headerlink" title="30.Liunx服务器的系统内核版本"></a>30. Kernel version of the Linux server</h2><p>A. 3.10.0-1127.el7.x86</p><p>B. 3.10.0-1127.el7.x86_64</p><p>C. 3.11.0-1127.el7.x86_64</p><p>D. 3.11.0-1127.el7.x86</p><h3 id="解题-29"><a href="#解题-29" class="headerlink" title="解题"></a><strong>Solution</strong></h3><p> <strong>Approach:</strong> how do you check the kernel version of a Linux server?</p><p>The uname command prints system information: -s is the kernel name, -r the kernel release and -m the machine architecture. To see which kernel the system is running, <strong>run uname -srm</strong> </p><p>Enter <strong>uname -srm</strong> in the SSH session</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230421145353156.png" alt="image-20230421145353156"></p><h3 id="答案-29"><a href="#答案-29" class="headerlink" title="答案"></a><strong>Answer</strong></h3><p> The kernel reports <strong>Linux 3.10.0-1127.el7.x86_64 x86_64</strong>, so the answer is <strong>B. 3.10.0-1127.el7.x86_64</strong></p><h2 id="31-该涉案服务器宝塔面板的访问限制域名是什么?"><a href="#31-该涉案服务器宝塔面板的访问限制域名是什么?" class="headerlink" title="31.该涉案服务器宝塔面板的访问限制域名是什么?"></a>31. Which domain is access to the Baota panel on this server restricted to?</h2><p>A. h1.jsgjzfx.cn</p><p>B. gjjszfx.cn</p><p>C. h5.jsgjzfx.cn</p><p>D. h5. gjjszfx.cn</p><p>The panel's domain binding can be read on the server from /www/server/panel/data/domain.conf, or from the panel's security settings once logged in (bt 12 removes the binding if it gets in the way of the emulation)</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422182101255.png" alt="image-20230422182101255"></p><h2 id="32-涉诈网站目录中数据库连接配置文件的路径"><a href="#32-涉诈网站目录中数据库连接配置文件的路径" class="headerlink" title="32.涉诈网站目录中数据库连接配置文件的路径"></a>32. Path of the database connection configuration file in the scam website's directory</h2><p>A./www/backup/file_history/www/wwwroot/h1.jsgjzfx.cn/Application/config.php </p><p>B./www/backup/file_history/www/wwwroot/h1.jsgjzfx.cn/Application/Home/View/Qts/User/config.php </p><p>C./www/wwwroot/h1.jsgjzfx.cn/Application/Common/Conf/config.php </p><p>D./www/wwwroot/config.php</p><h3 id="解题-30"><a href="#解题-30" class="headerlink" title="解题"></a><strong>Solution</strong></h3><p> <strong>Approach:</strong> open <strong>Files</strong> in the Baota panel and go into the website's directory. The site is a ThinkPHP 3.x application, whose global configuration lives in Application/Common/Conf/config.php; options A and B sit under /www/backup/file_history, which is the panel's file-history backup area rather than the running site</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230421150944010.png" alt="image-20230421150944010"></p><p>Then open /www/wwwroot/h1.jsgjzfx.cn/Application/Common/Conf/config.php </p><p><img src="C:\Users\25337\AppData\Roaming\Typora\typora-user-images\image-20230421151053816.png" alt="image-20230421151053816"></p><h3 id="答案-30"><a href="#答案-30" class="headerlink" title="答案"></a>Answer</h3><p> The path of the database connection configuration file in the scam website's directory is <strong>C./www/wwwroot/h1.jsgjzfx.cn/Application/Common/Conf/config.php</strong> </p><h2 id="33-登录涉案网站后台,显示有多少用户"><a href="#33-登录涉案网站后台,显示有多少用户" class="headerlink" title="33.登录涉案网站后台,显示有多少用户"></a>33. How many users does the website's back end show after logging in?</h2><p>A. 922</p><p>B. 921</p><p>C. 920</p><p>D. 919</p><h3 id="解题-31"><a href="#解题-31" class="headerlink" title="解题"></a>Solution</h3><p> <strong>Approach:</strong> log in to the back end; it shows 921 users</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422200805277.png" alt="image-20230422200805277"></p><h3 id="答案-31"><a href="#答案-31" class="headerlink" title="答案"></a>Answer</h3><p> After logging in, the website's back end shows <strong>B. 
921</strong> users</p><h2 id="34-受害人“好大哥”在涉案网站2022-03-04-14-39-26-充值金额状态"><a href="#34-受害人“好大哥”在涉案网站2022-03-04-14-39-26-充值金额状态" class="headerlink" title="34.受害人“好大哥”在涉案网站2022-03-04 14:39:26 充值金额状态"></a>34. Status of victim "好大哥"'s deposit on the website at 2022-03-04 14:39:26</h2><p>A. Reset failed B. In progress C. Deposit completed D. Deposited</p><h3 id="解题-32"><a href="#解题-32" class="headerlink" title="解题"></a>Solution</h3><p> <strong>Approach:</strong> log in to the back end, open the deposit records and filter for 2022-03-04; the target entry appears<img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422201420571.png" alt="image-20230422201420571"></p><h3 id="答案-32"><a href="#答案-32" class="headerlink" title="答案"></a>Answer</h3><p> The status of victim "好大哥"'s deposit on the website at 2022-03-04 14:39:26 is <strong>C. Deposit completed</strong></p><h2 id="35-涉案网站总成功提现金额"><a href="#35-涉案网站总成功提现金额" class="headerlink" title="35.涉案网站总成功提现金额"></a>35. Total amount successfully withdrawn from the website</h2><p>A. 33808154.28</p><p>B. 338081541.28</p><p>C. 338081653.97</p><p>D. 33808165.97</p><h3 id="解题-33"><a href="#解题-33" class="headerlink" title="解题"></a>Solution</h3><p> <strong>Approach:</strong> log in to the back end and open the withdrawal requests. Set the date range so that the end date is later than any record (otherwise the total is truncated); the total successfully withdrawn is <strong>338081541.28</strong></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422201212337.png" alt="image-20230422201212337"></p><h3 id="答案-33"><a href="#答案-33" class="headerlink" title="答案"></a>Answer</h3><p> The total amount successfully withdrawn from the website is <strong>B. 338081541.28</strong></p><h2 id="36-涉案网站的数据库中管理员登录次数最多的ip是哪个"><a href="#36-涉案网站的数据库中管理员登录次数最多的ip是哪个" class="headerlink" title="36.涉案网站的数据库中管理员登录次数最多的ip是哪个"></a>36. Which IP has the most administrator logins in the website's database?</h2><p>A.112.114.103.205 B.13.124.79.70 </p><p>C.43.254.219.161 D.14.204.0.87 </p><h3 id="解题-34"><a href="#解题-34" class="headerlink" title="解题"></a>Solution</h3><p> <strong>Approach:</strong> open the wp_login_log table in the database; the IP with the most logins is <strong>14.204.0.87</strong> (I counted by hand; I'm a noob, haha. Anyone competent should use a SQL query.) Grouping wp_login_log by its IP column and sorting the groups by count descending gives the same answer in one statement and does not depend on eyeballing a few hundred rows</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422183606221.png" alt="image-20230422183606221"></p><h3 id="答案-34"><a href="#答案-34" class="headerlink" title="答案"></a>Answer</h3><p> The IP with the most administrator logins in the website's database is <strong>D.14.204.0.87</strong> </p><h2 id="37-涉案网站数据库中平仓时间在2020年1月1日-2020年12月31日的实盘交易订单数量"><a href="#37-涉案网站数据库中平仓时间在2020年1月1日-2020年12月31日的实盘交易订单数量" class="headerlink" title="37.涉案网站数据库中平仓时间在2020年1月1日-2020年12月31日的实盘交易订单数量"></a>37. Number of live trading orders in the website's database closed (平仓) between 1 January 2020 and 31 December 2020</h2><p>A. 5159 </p><p>B. 2567</p><p>C. 3536</p><p>D. 4684</p><h3 id="解题-35"><a href="#解题-35" class="headerlink" title="解题"></a>Solution</h3><p> <strong>Approach:</strong> open the website's database and run a SQL query; selltime is the close time, stored as a Unix timestamp</p><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">SELECT</span> <span class="built_in">COUNT</span>(<span class="operator">*</span>) <span class="keyword">FROM</span> `wp_order` <span class="keyword">WHERE</span> selltime <span class="keyword">BETWEEN</span> <span class="number">1577808000</span> <span class="keyword">AND</span> <span class="number">1609430400</span></span><br></pre></td></tr></table></figure><p>1577808000 is 2020-01-01 00:00:00 and 1609430400 is 2021-01-01 00:00:00, both in UTC+8 (China Standard Time), which is the zone the site's dates are shown in. BETWEEN is inclusive at both ends, so an order closed at exactly 2021-01-01 00:00:00 would also be counted; selltime < 1609430400 is the strict form of the upper bound</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422211143832.png" alt="image-20230422211143832"></p><h3 id="答案-35"><a href="#答案-35" class="headerlink" title="答案"></a>Answer</h3><p> The number of live trading orders in the website's database closed between 1 January 2020 and 31 December 2020 is <strong>A. 5159</strong> </p><h2 id="38-涉案网站数据库中购买”以太坊”交易产品的用户绑定银行名称为”中国工商银行”的用户有多少"><a href="#38-涉案网站数据库中购买”以太坊”交易产品的用户绑定银行名称为”中国工商银行”的用户有多少" class="headerlink" title="38.涉案网站数据库中购买”以太坊”交易产品的用户绑定银行名称为”中国工商银行”的用户有多少"></a>38. How many users in the website's database who bought the "以太坊" (Ethereum) trading product have "中国工商银行" (ICBC) as their bound bank?</h2><p>A. 4</p><p>B. 3</p><p>C. 5</p><p>D. 7</p><h3 id="解题-36"><a href="#解题-36" class="headerlink" title="解题"></a>Solution</h3><p> <strong>Approach:</strong> run the SQL query below, which joins wp_bankinfo and wp_order on uid and counts distinct users, so a user with several Ethereum orders is counted once</p><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">SELECT</span> <span class="built_in">COUNT</span>(<span class="keyword">DISTINCT</span> o.uid) <span class="keyword">from</span> (<span class="keyword">SELECT</span> <span class="operator">*</span> <span class="keyword">FROM</span> wp_bankinfo <span class="keyword">WHERE</span> bankname <span class="operator">=</span> <span class="string">'中国工商银行'</span>) <span class="keyword">as</span> b,(<span class="keyword">SELECT</span> uid <span class="keyword">FROM</span> wp_order <span class="keyword">WHERE</span> option_name <span class="operator">=</span> <span class="string">'以太坊'</span>) <span class="keyword">AS</span> o <span class="keyword">WHERE</span> b.uid <span class="operator">=</span> o.uid</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230422210310636.png" alt="image-20230422210310636"></p><h3 id="答案-36"><a href="#答案-36" class="headerlink" title="答案"></a>Answer</h3><p> <strong>A. 4</strong> users in the website's database who bought the "以太坊" trading product have "中国工商银行" as their bound bank</p><h1 id="四、请检查窝点中的路由器检材导出报告,回答以下问题"><a href="#四、请检查窝点中的路由器检材导出报告,回答以下问题" class="headerlink" title="四、请检查窝点中的路由器检材导出报告,回答以下问题"></a>IV. Examine the exported report of the router exhibit from the den and answer the following questions</h1><h2 id="39-该窝点中使用路由器的WiFi密码是?"><a href="#39-该窝点中使用路由器的WiFi密码是?" class="headerlink" title="39.该窝点中使用路由器的WiFi密码是?"></a>39. What is the WiFi password of the router used in the den?</h2><p>A. TPGuest_8D70</p><p>B. admin123</p><p>C. TPLink_TL</p><p>D. 688561qi</p><h3 id="解题-37"><a href="#解题-37" class="headerlink" title="解题"></a>Solution</h3><p> <strong>Approach:</strong> open <strong>取证报告.html</strong> in the forensic report folder in a browser and go to <strong>Router settings</strong> » <strong>Wireless settings</strong></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230421134053655.png" alt="image-20230421134053655"></p><h3 id="答案-37"><a href="#答案-37" class="headerlink" title="答案"></a>Answer</h3><p> The WiFi password of the router used in the den is <strong>D. 688561qi</strong></p><h2 id="40-在该窝点中勘验时分配IP为192-168-1-102的设备mac地址是?"><a href="#40-在该窝点中勘验时分配IP为192-168-1-102的设备mac地址是?" class="headerlink" title="40.在该窝点中勘验时分配IP为192.168.1.102的设备mac地址是?"></a>40. What is the MAC address of the device that was assigned IP 192.168.1.102 at the time of the examination?</h2><p>A. 84-a9-38-28-f5-95</p><p>B. 6c-4b-90-8c-87-8c</p><p>C. 80-b6-55-26-f4-4e</p><p>D. 00-25-90-83-af-f2</p><h3 id="解题-38"><a href="#解题-38" class="headerlink" title="解题"></a>Solution</h3><p> <strong>Approach:</strong> open <strong>取证报告.html</strong>, go to <strong>DHCP devices</strong> and look for the entry with IP <strong>192.168.1.102</strong></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230421134418732.png" alt="image-20230421134418732"></p><h3 id="答案-38"><a href="#答案-38" class="headerlink" title="答案"></a>Answer</h3><p> The MAC address of the device assigned IP 192.168.1.102 at the time of the examination is <strong>A. 84-a9-38-28-f5-95</strong></p>]]></content>
<summary type="html">🥧This post is a walkthrough of the pre-competition forensics sample questions for the Qi An Xin (奇安信) PanguShi Cup; it is for personal practice and reference only.</summary>
<category term="盘古杯" scheme="https://blog.r1ng13.top/categories/%E7%9B%98%E5%8F%A4%E6%9D%AF/"/>
<category term="电子取证" scheme="https://blog.r1ng13.top/tags/%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81/"/>
<category term="盘古杯" scheme="https://blog.r1ng13.top/tags/%E7%9B%98%E5%8F%A4%E6%9D%AF/"/>
</entry>
<entry>
<title>cyberdefenders----Brave</title>
<link href="https://blog.r1ng13.top/posts/d18a9583.html"/>
<id>https://blog.r1ng13.top/posts/d18a9583.html</id>
<published>2023-04-19T02:19:03.000Z</published>
<updated>2023-04-19T14:00:00.000Z</updated>
<content type="html"><![CDATA[<p><strong>Defend smarter, not harder</strong></p><h1 id="0x01-前言"><a href="#0x01-前言" class="headerlink" title="0x01 前言"></a>0x01 Introduction</h1><p> <a href="https://cyberdefenders.org/">CyberDefenders</a> is a blue-team training platform focused on the defensive side of cyber security, built for learning, validating and improving cyber defence skills. Its challenges are a good way to practise forensics on malicious activity: the evidence comes from realistic environments, which helps with mastering the forensic workflow and the relevant tools, and with understanding how attackers operate so that defenders can respond better.</p><h1 id="0x02-题目简介"><a href="#0x02-题目简介" class="headerlink" title="0x02 题目简介"></a>0x02 Challenge overview</h1><h2 id="题目链接"><a href="#题目链接" class="headerlink" title="题目链接"></a>Challenge link</h2><div class="tag link"><a class="link-card" title="Brave" href="https://cyberdefenders.org/blueteam-ctf-challenges/67#nav-questions/"><div class="left"><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/Twitter-banner.png"/></div><div class="right"><p class="text">Brave</p><p class="url">https://cyberdefenders.org/blueteam-ctf-challenges/67#nav-questions/</p></div></a></div><h2 id="难度"><a href="#难度" class="headerlink" title="难度"></a>Difficulty</h2><p><strong>Medium</strong></p><h2 id="解压密码"><a href="#解压密码" class="headerlink" title="解压密码"></a>Archive password</h2><p><strong>cyberdefenders.org</strong> </p><h2 id="案情介绍"><a href="#案情介绍" class="headerlink" title="案情介绍"></a>Scenario</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">A memory image was taken from a seized Windows machine. Analyze the image and answer the provided questions.</span><br></pre></td></tr></table></figure><h2 id="推荐工具"><a href="#推荐工具" class="headerlink" title="推荐工具"></a>Recommended tools</h2><ul><li><a href="https://github.com/volatilityfoundation/volatility3">Volatility 3</a></li><li><a href="https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil">CertUtil</a></li><li><a href="https://mh-nexus.de/en/hxd/">HxD</a></li></ul><h2 id="前置知识"><a href="#前置知识" class="headerlink" title="前置知识"></a>Background</h2><p><strong>Volatility 3 syntax</strong></p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br></pre></td><td class="code"><pre><span class="line">python3 vol.py [plugin] -f [image]</span><br><span class="line"></span><br><span class="line">Common plugins:</span><br><span class="line"> layerwriter: lists the memory image's platform (layer) information</span><br><span class="line"> linux.bash: recovers bash command history from memory</span><br><span class="line"> linux.check_afinfo: verifies the operation function pointers of network protocols</span><br><span class="line"> linux.check_syscall: checks the system call table for hooks</span><br><span class="line"> linux.elfs: lists all memory-mapped ELF files for all processes</span><br><span class="line"> linux.lsmod: lists loaded kernel modules</span><br><span class="line"> linux.lsof: lists all memory maps for all processes</span><br><span class="line"> linux.malfind: lists process memory ranges that potentially contain injected code</span><br><span class="line"> linux.proc: lists all memory maps for all processes</span><br><span class="line"> linux.pslist: lists the processes present in a Linux memory image</span><br><span class="line"> linux.pstree: lists the process tree</span><br><span class="line"> mac.bash: recovers bash command history from memory</span><br><span class="line"> mac.check_syscall: checks the system call table for hooks</span><br><span class="line"> mac.check_sysctl: checks sysctl handlers for hooks</span><br><span class="line"> mac.check_trap_table: checks the trap table for hooks</span><br><span class="line"> mac.ifconfig: lists network interface information</span><br><span class="line"> mac.lsmod: lists loaded kernel modules</span><br><span class="line"> mac.lsof: lists all memory maps for all processes</span><br><span class="line"> mac.malfind: lists process memory ranges that potentially contain injected code</span><br><span class="line"> mac.netstat: lists all network connections for all processes</span><br><span class="line"> mac.psaux: recovers program command-line arguments</span><br><span class="line"> mac.pslist: lists the processes present in a macOS memory image</span><br><span class="line"> mac.pstree: lists the process tree</span><br><span class="line"> mac.tasks: lists the processes present in a macOS memory image</span><br><span class="line"> windows.info: shows OS and kernel details of the memory sample being analysed</span><br><span class="line"> windows.callbacks: lists kernel callbacks and notification routines</span><br><span class="line"> windows.cmdline: lists process command-line arguments</span><br><span class="line"> windows.dlldump: dumps process memory ranges as DLLs</span><br><span class="line"> windows.dlllist: lists the loaded DLL modules in a Windows memory image</span><br><span class="line"> windows.driverirp: lists IRPs for drivers in a Windows memory image</span><br><span class="line"> windows.driverscan: scans for drivers present in a Windows memory image</span><br><span class="line"> windows.filescan: scans for file objects present in a Windows memory image</span><br><span class="line"> windows.handles: lists the open handles of processes</span><br><span class="line"> windows.malfind: lists process memory ranges that potentially contain injected code</span><br><span class="line"> windows.moddump: dumps kernel modules</span><br><span class="line"> windows.modscan: scans for modules present in a Windows memory image</span><br><span class="line"> windows.mutantscan: scans for mutexes present in a Windows memory image</span><br><span class="line"> windows.pslist: lists the processes present in a Windows memory image</span><br><span class="line"> windows.psscan: scans for processes present in a Windows memory image</span><br><span class="line"> windows.pstree: lists the process tree</span><br><span class="line"> windows.procdump: dumps process executable images</span><br><span class="line"> windows.registry.certificates: lists the certificates stored in the registry</span><br><span class="line"> windows.registry.hivelist: lists the registry hives present in a memory image</span><br><span class="line"> windows.registry.hivescan: scans for registry hives present in a Windows memory image</span><br><span class="line"> windows.registry.printkey: lists registry keys under a hive or a specific key</span><br><span class="line"> windows.registry.userassist: prints UserAssist registry keys and information</span><br><span class="line"> windows.ssdt: lists the system call table</span><br><span class="line"> windows.strings: reads the output of the strings command and indicates which process each string belongs to</span><br><span class="line"> windows.svcscan: scans for Windows services</span><br><span class="line"> windows.symlinkscan: scans for symbolic links present in a Windows memory image</span><br></pre></td></tr></table></figure><h1 id="0x03-解题过程"><a href="#0x03-解题过程" class="headerlink" title="0x03 解题过程"></a>0x03 Solution</h1><h2 id="0x03-1-What-time-was-the-RAM-image-acquired-according-to-the-suspect-system-YYYY-MM-DD-HH-MM-SS"><a href="#0x03-1-What-time-was-the-RAM-image-acquired-according-to-the-suspect-system-YYYY-MM-DD-HH-MM-SS" class="headerlink" title="0x03_1 What time was the RAM image acquired according to the suspect system? (YYYY-MM-DD HH:MM:SS)"></a>0x03_1 What time was the RAM image acquired according to the suspect system? (YYYY-MM-DD HH:MM:SS)</h2><h3 id="解题"><a href="#解题" class="headerlink" title="解题"></a>Solution</h3><p> <strong>Approach</strong>: run the following Volatility 3 command to view the machine's information; the SystemTime it reports is the system clock as read from the kernel's shared data at the moment the memory was captured</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">python3 vol.py -f /home/kali/桌面/1.mem windows.info</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230419152248806.png" alt=""></p><p>The output shows that the RAM image was acquired at <strong>SystemTime 2021-04-30 17:52:19</strong></p><h3 id="答案"><a href="#答案" class="headerlink" title="答案"></a>Answer</h3><p> According to the suspect system, the RAM image was acquired at <strong>2021-04-30 17:52:19</strong></p><h2 id="0x03-2-What-is-the-SHA256-hash-value-of-the-RAM-image"><a href="#0x03-2-What-is-the-SHA256-hash-value-of-the-RAM-image" class="headerlink" title="0x03_2 What is the SHA256 hash value of the RAM image?"></a>0x03_2 What is the SHA256 hash value of the RAM image?</h2><p> <strong>Approach</strong>: the image's SHA256 is a property of the file itself, so it can be computed with the command line of either Windows or Linux</p><p><strong>Method 1: on Windows, run the following command</strong></p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">certutil -hashfile C:\Users\XXXXX\Desktop\1.mem SHA256</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230419152944021.png" alt="image-20230419152944021"></p><p><strong>Method 2: on Linux, run the following command</strong></p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sudo 
sha256sum /home/kali/桌面/1.me</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230419153219880.png" alt="image-20230419153219880"></p><h3 id="答案-1"><a href="#答案-1" class="headerlink" title="答案"></a>答案</h3><p> RAM 映像的 SHA256 哈希值是<strong>9db01b1e7b19a3b2113bfb65e860fffd7a1630bdf2b18613d206ebf2aa0ea172</strong></p><h2 id="0x03-3-What-is-the-process-ID-of-“brave-exe”"><a href="#0x03-3-What-is-the-process-ID-of-“brave-exe”" class="headerlink" title="0x03_3 What is the process ID of “brave.exe”?"></a>0x03_3 What is the process ID of “brave.exe”?</h2><h3 id="解题-1"><a href="#解题-1" class="headerlink" title="解题"></a>解题</h3><p> <strong>思路</strong>:使用volatility 3输入以下命令查看brave.exe进程的信息</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">python3 vol.py -f /home/kali/桌面/1.mem windows.pslist.PsList | grep brave.exe</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230419153659520.png" alt="image-20230419153659520"></p><h3 id="答案-2"><a href="#答案-2" class="headerlink" title="答案"></a>答案</h3><p> <strong>brave.exe</strong>的<strong>进程ID</strong>为<strong>4856</strong></p><h2 id="0x03-4-How-many-established-network-connections-were-there-at-the-time-of-acquisition-number"><a href="#0x03-4-How-many-established-network-connections-were-there-at-the-time-of-acquisition-number" class="headerlink" title="0x03_4 How many established network connections were there at the time of acquisition? (number)"></a>0x03_4 How many established network connections were there at the time of acquisition? 
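<p>Added example for this question and the next one (it is not part of the original write-up and is not Volatility's own code): the walkthrough below counts ESTABLISHED rows with an editor or <code>grep</code>, which also matches the word anywhere on a line and counts carved duplicates twice. This parses the tab-separated <code>windows.netscan</code> columns instead, checks only the State column, collapses duplicate 5-tuples, and groups the remote endpoints by owning process, which is the step needed to see which host Chrome talks to. <code>SAMPLE_NETSCAN</code> is constructed for the example; offsets, ports and PIDs are made up.</p>

```python
"""Count ESTABLISHED connections in Volatility 3 windows.netscan output.

Added example (not from the original write-up and not Volatility's own
code). netscan carves endpoint structures out of pool memory, so the same
connection can be reported twice; duplicates are collapsed on the 5-tuple
plus PID. SAMPLE_NETSCAN is constructed for this example, not output from
the challenge image.
"""
from collections import defaultdict

SAMPLE_NETSCAN = """\
Volatility 3 Framework 2.4.1
Progress:  100.00\t\tPDB scanning finished

Offset\tProto\tLocalAddr\tLocalPort\tForeignAddr\tForeignPort\tState\tPID\tOwner\tCreated

0xe0000a1b2c30\tTCPv4\t192.168.1.20\t49702\t185.70.41.130\t443\tESTABLISHED\t2316\tchrome.exe\t2021-04-30 17:41:10.000000
0xe0000a1b2c30\tTCPv4\t192.168.1.20\t49702\t185.70.41.130\t443\tESTABLISHED\t2316\tchrome.exe\t2021-04-30 17:41:10.000000
0xe0000a1b3d40\tTCPv4\t192.168.1.20\t49710\t104.18.22.52\t443\tESTABLISHED\t4856\tbrave.exe\t2021-04-30 17:42:03.000000
0xe0000a1b4e50\tTCPv4\t192.168.1.20\t49711\t104.18.23.52\t443\tESTABLISHED\t4856\tbrave.exe\t2021-04-30 17:42:04.000000
0xe0000a1b5f60\tTCPv4\t0.0.0.0\t135\t0.0.0.0\t0\tLISTENING\t896\tsvchost.exe\t2021-04-30 17:36:55.000000
0xe0000a1b6a70\tTCPv4\t192.168.1.20\t49650\t52.114.128.10\t443\tCLOSE_WAIT\t1204\tsvchost.exe\t2021-04-30 17:38:12.000000
0xe0000a1b7b80\tUDPv4\t0.0.0.0\t5355\t*\t0\t\t1188\tsvchost.exe\t2021-04-30 17:36:57.000000
"""


def parse_netscan(text):
    """Return one dict per data row, keyed by the header names."""
    header, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if header is None:
            if fields[0] == "Offset":          # the tab-separated header row
                header = fields
            continue
        if len(fields) != len(header):         # progress lines, warnings
            continue
        rows.append(dict(zip(header, fields)))
    return rows


def established(rows):
    """ESTABLISHED rows with carved duplicates removed."""
    seen, out = set(), []
    for r in rows:
        if r["State"] != "ESTABLISHED":
            continue
        key = (r["Proto"], r["LocalAddr"], r["LocalPort"],
               r["ForeignAddr"], r["ForeignPort"], r["PID"])
        if key in seen:
            continue
        seen.add(key)
        out.append(r)
    return out


def peers_by_owner(rows):
    """Process name -> sorted 'ip:port' list of its ESTABLISHED peers."""
    peers = defaultdict(set)
    for r in established(rows):
        peers[r["Owner"]].add(f'{r["ForeignAddr"]}:{r["ForeignPort"]}')
    return {owner: sorted(p) for owner, p in peers.items()}


if __name__ == "__main__":
    rows = parse_netscan(SAMPLE_NETSCAN)
    print("established connections:", len(established(rows)))
    for owner, peers in peers_by_owner(rows).items():
        print(f"  {owner}: {', '.join(peers)}")
```

<p>For the real image, save the plugin output with <code>python3 vol.py -f 1.mem windows.netscan.NetScan &gt; netscan.txt</code> and pass the file's contents to <code>parse_netscan</code>. The remote address is all the image holds; turning it into an FQDN still needs an external lookup.</p>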
<h3 id="解题-2"><a href="#解题-2" class="headerlink" title="Solution"></a>Solution</h3><p><strong>Approach</strong>:</p><p><strong>Method 1:</strong></p><p>Run <code>windows.netscan</code> in Volatility 3 to list the network endpoints and redirect the output to 1.txt</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">python3 vol.py -f /home/kali/桌面/1.mem windows.netscan.NetScan > 1.txt </span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230419154708887.png" alt="image-20230419154708887"></p><p>Then count the rows whose State column is ESTABLISHED in an editor</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230419154623424.png" alt="image-20230419154623424"></p><p><strong>Method 2:</strong></p><p>Filter the same output with grep. The state is written in upper case, so the pattern must be <strong>ESTABLISHED</strong> (grep is case-sensitive); <code>grep -c</code> prints the count directly.</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">python3 vol.py -f /home/kali/桌面/1.mem windows.netscan.NetScan | grep 'ESTABLISHED' </span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230419160000518.png" alt="image-20230419160000518"></p><p>netscan carves TCP endpoint structures out of pool memory rather than reading a live table, so it can also surface stale or duplicated entries; check that the ESTABLISHED rows are distinct address pairs before reporting the count.</p><h3 id="答案-3"><a href="#答案-3" class="headerlink" title="Answer"></a>Answer</h3><p>There were <strong>10</strong> established network connections</p><h2 id="0x03-5-What-FQDN-does-Chrome-have-an-established-network-connection-with"><a href="#0x03-5-What-FQDN-does-Chrome-have-an-established-network-connection-with" class="headerlink" title="0x03_5 What FQDN does Chrome have an established network connection with?"></a>0x03_5 What FQDN does Chrome have an established network connection with?</h2><h3 id="解题-3"><a href="#解题-3" class="headerlink" title="Solution"></a>Solution</h3><p><strong>Approach</strong>: use the same Volatility 3 command to list the established connections and find the row owned by chrome.exe</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">python3 vol.py -f /home/kali/桌面/1.mem windows.netscan.NetScan | grep 'ESTABLISHED' </span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230419160310705.png" alt="image-20230419160310705"></p><p>Chrome's established connection is to <strong>185.70.41.130</strong>. The memory image only holds the IP address, so the FQDN has to come from an external source: look the address up on an <a href="https://www.ipaddress.com/">IP lookup site</a></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230419160454668.png" alt="image-20230419160454668"></p><p>An external lookup is a point-in-time answer; record the source and the date of the query, because IP-to-name mappings change.</p><h3 id="答案-4"><a href="#答案-4" class="headerlink" title="Answer"></a>Answer</h3><p>Chrome has an established network connection with the FQDN <strong>protonmail.ch</strong></p><h2 id="0x03-6-What-is-the-MD5-hash-value-of-process-executable-for-PID-6988"><a href="#0x03-6-What-is-the-MD5-hash-value-of-process-executable-for-PID-6988" class="headerlink" title="0x03_6 What is the MD5 hash value of process executable for PID 6988?"></a>0x03_6 What is the MD5 hash value of process executable for PID 6988?</h2><h3 id="解题-4"><a href="#解题-4" class="headerlink" title="Solution"></a>Solution</h3><p><strong>Approach</strong>: restrict <code>windows.pslist</code> to the PID and use <code>--dump</code> to write the process executable out of memory</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">python3 vol.py -f /home/kali/桌面/1.mem windows.pslist.PsList --pid=6988 --dump </span><br></pre></td></tr></table></figure><p>This writes <code>pid.6988.0x1c0000.dmp</code> (0x1c0000 is the image base of the executable in that process). Hash it with the Linux MD5 tool</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">md5sum pid.6988.0x1c0000.dmp </span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230419161038140.png" alt="image-20230419161038140"></p><p>The dump is a PE rebuilt from the pages present in memory (relocations applied, paged-out sections missing), so its hash will not match the file on disk; the question asks for the hash of the dumped executable.</p><h3 id="答案-5"><a href="#答案-5" class="headerlink" title="Answer"></a>Answer</h3><p>The MD5 hash of the process executable for PID 6988 is <strong>0b493d8e26f03ccd2060e0be85f430af</strong></p><h2 id="0x03-7-What-is-the-word-starting-at-offset-0x45BE876-with-a-length-of-6-bytes"><a href="#0x03-7-What-is-the-word-starting-at-offset-0x45BE876-with-a-length-of-6-bytes" class="headerlink" title="0x03_7 What is the word starting at offset 0x45BE876 with a length of 6 bytes?"></a>0x03_7 What is the word starting at offset 0x45BE876 with a length of 6 bytes?</h2><h3 id="解题-5"><a href="#解题-5" class="headerlink" title="Solution"></a>Solution</h3><p><strong>Approach</strong>: open the image in HxD and jump to offset 0x45BE876. For a raw memory dump the file offset is the physical address, so the offset in the question can be used directly.</p><p>Choose the Go to option</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230419161450941.png" alt="image-20230419161450941"></p><p>Enter the address (in hex) and select the 6 bytes that follow</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230419161554718.png" alt="image-20230419161554718"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230419161628922.png" alt="image-20230419161628922"></p><h3 id="答案-6"><a href="#答案-6" class="headerlink" title="Answer"></a>Answer</h3><p>The <strong>6-byte</strong> word starting at offset <strong>0x45BE876</strong> is <strong>hacker</strong></p><h2 id="0x03-8-What-is-the-creation-date-and-time-of-the-parent-process-of-“powershell-exe”-YYYY-MM-DD-HH-MM-SS"><a href="#0x03-8-What-is-the-creation-date-and-time-of-the-parent-process-of-“powershell-exe”-YYYY-MM-DD-HH-MM-SS" class="headerlink" title="0x03_8 What is the creation date and time of the parent process of “powershell.exe”? (YYYY-MM-DD HH:MM:SS)"></a>0x03_8 What is the creation date and time of the parent process of “powershell.exe”? (YYYY-MM-DD HH:MM:SS)</h2>
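<p>Added example for this question and for question 3 (not part of the original write-up, not Volatility's own code): the walkthrough below greps the PPID and reads the parent row by eye. <code>grep 4352</code> also matches the PPID column of every child of that process, so this parses the tab-separated <code>windows.pslist</code> output, looks the parent up by the PID column only, and treats the PPID as stale when the row holding it was created after the child (the real parent exited and Windows recycled its PID). It also returns all PIDs for an image name, since a browser appears several times, and counts processes with no ExitTime. <code>SAMPLE_PSLIST</code> is constructed: the PIDs, names and times are made up, except that brave.exe keeps PID 4856 from the write-up.</p>

```python
"""Resolve a process's parent and its creation time from Volatility 3
windows.pslist output.

Added example (not from the write-up, not Volatility's own code).
SAMPLE_PSLIST is constructed; it is not output from the challenge image.
"""

SAMPLE_PSLIST = """\
Volatility 3 Framework 2.4.1

PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output

4\t0\tSystem\t0xe0000b4d2040\t131\t-\tN/A\tFalse\t2021-04-30 17:36:40.000000\tN/A\tDisabled
612\t4\tsmss.exe\t0xe0000c0e3080\t2\t-\tN/A\tFalse\t2021-04-30 17:36:41.000000\tN/A\tDisabled
4700\t4468\texplorer.exe\t0xe0000d5a1080\t62\t-\t1\tFalse\t2021-04-30 17:37:30.000000\tN/A\tDisabled
5100\t4700\tcmd.exe\t0xe0000d7b2080\t1\t-\t1\tFalse\t2021-04-30 17:39:48.000000\tN/A\tDisabled
4856\t4700\tbrave.exe\t0xe0000d8c3080\t35\t-\t1\tFalse\t2021-04-30 17:40:12.000000\tN/A\tDisabled
5120\t4856\tbrave.exe\t0xe0000d9d4080\t12\t-\t1\tFalse\t2021-04-30 17:40:13.000000\tN/A\tDisabled
5188\t4856\tbrave.exe\t0xe0000dae5080\t14\t-\t1\tFalse\t2021-04-30 17:40:13.000000\tN/A\tDisabled
6320\t5100\tpowershell.exe\t0xe0000dbf6080\t11\t-\t1\tFalse\t2021-04-30 17:41:05.000000\tN/A\tDisabled
3024\t2000\tstale.exe\t0xe0000dc07080\t1\t-\t1\tFalse\t2021-04-30 17:45:00.000000\tN/A\tDisabled
7004\t4700\tnotepad.exe\t0xe0000dd18080\t0\t-\t1\tFalse\t2021-04-30 17:48:00.000000\t2021-04-30 17:49:30.000000\tDisabled
2000\t4700\tRuntimeBroker.exe\t0xe0000de29080\t4\t-\t1\tFalse\t2021-04-30 17:50:02.000000\tN/A\tDisabled
"""


def parse_pslist(text):
    """One dict per process row; PID and PPID converted to int."""
    header, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if header is None:
            if fields[0] == "PID":
                header = fields
            continue
        if len(fields) != len(header):
            continue
        row = dict(zip(header, fields))
        row["PID"], row["PPID"] = int(row["PID"]), int(row["PPID"])
        rows.append(row)
    return rows


def running(rows):
    """Rows with no ExitTime: what 'running at acquisition' means here."""
    return [r for r in rows if r["ExitTime"] == "N/A"]


def pids_named(rows, name):
    """All PIDs for an image name (browsers appear several times)."""
    return sorted(r["PID"] for r in rows if r["ImageFileName"].lower() == name.lower())


def parent_of(rows, pid):
    """The parent row of `pid`, or None when the PPID no longer identifies it."""
    by_pid = {r["PID"]: r for r in rows}
    child = by_pid[pid]
    parent = by_pid.get(child["PPID"])
    if parent is None:
        return None          # parent exited and is no longer listed
    if parent["CreateTime"] > child["CreateTime"]:
        return None          # PID recycled: this row was created after the child
    return parent


def parent_creation_time(rows, name):
    """CreateTime of the parent of the lowest-PID process called `name`."""
    parent = parent_of(rows, pids_named(rows, name)[0])
    return None if parent is None else parent["CreateTime"]


if __name__ == "__main__":
    rows = parse_pslist(SAMPLE_PSLIST)
    print("running:", len(running(rows)), "of", len(rows))
    print("brave.exe PIDs:", pids_named(rows, "brave.exe"))
    print("powershell.exe parent created:", parent_creation_time(rows, "powershell.exe"))
```

<p>CreateTime strings share one format, so string comparison orders them correctly. <code>windows.pstree</code> shows the same relationship as an indented tree; the check above is what it does not do for you, namely notice when a PPID points at a process that was born after its supposed child.</p>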
<h3 id="解题-6"><a href="#解题-6" class="headerlink" title="Solution"></a>Solution</h3><p><strong>Approach</strong>:</p><p><strong>pid: the process's own ID</strong></p><p><strong>ppid: the ID of its parent process</strong></p><p>First list the processes with Volatility 3 and read the PPID of powershell.exe</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">python3 vol.py -f /home/kali/桌面/1.mem windows.pslist.PsList</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230419162225060.png" alt="image-20230419162225060"></p><p>Then look up PPID <strong>4352</strong></p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">python3 vol.py -f /home/kali/桌面/1.mem windows.pslist.PsList | grep 4352 </span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230419163050287.png" alt="image-20230419163050287"></p><p>The first column is the PID. <code>grep 4352</code> also matches the PPID column of powershell.exe itself and of any sibling process, so read the row whose <em>PID</em> is 4352: its CreateTime is <strong>2021-04-30 17:39:48</strong>. <code>windows.pstree</code> shows the same relationship as an indented tree without the ambiguity. Also check that the parent's creation time precedes the child's; if it does not, the PID was reused after the real parent exited.</p><h3 id="答案-7"><a href="#答案-7" class="headerlink" title="Answer"></a>Answer</h3><p>The parent process of “powershell.exe” was created at <strong>2021-04-30 17:39:48</strong></p><h2 id="0x03-9-What-is-the-full-path-and-name-of-the-last-file-opened-in-notepad?"><a href="#0x03-9-What-is-the-full-path-and-name-of-the-last-file-opened-in-notepad?" class="headerlink" title="0x03_9 What is the full path and name of the last file opened in notepad?"></a>0x03_9 What is the full path and name of the last file opened in notepad?</h2><h3 id="解题-7"><a href="#解题-7" class="headerlink" title="Solution"></a>Solution</h3><p><strong>Approach</strong>: when a file is opened in Notepad its path is passed as a command-line argument, so <code>windows.cmdline</code> shows it</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">python3 vol.py -f /home/kali/桌面/1.mem windows.cmdline.CmdLine | grep notepad</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230419163600865.png" alt="image-20230419163600865"></p><p>The path uses the 8.3 short name <code>JOHNDO~1</code> for the user profile, and the <code>7zO4FB31F24</code> folder under Temp is where 7-Zip extracts a file that is opened directly from an archive, so the file was opened from inside a 7-Zip archive rather than from a saved copy.</p><h3 id="答案-8"><a href="#答案-8" class="headerlink" title="Answer"></a>Answer</h3><p>The full path and name of the last file opened in Notepad is <strong>C:\Users\JOHNDO~1\AppData\Local\Temp\7zO4FB31F24\accountNum</strong></p><h2 id="0x03-10-How-long-did-the-suspect-use-Brave-browser-hh-mm-ss"><a href="#0x03-10-How-long-did-the-suspect-use-Brave-browser-hh-mm-ss" class="headerlink" title="0x03_10 How long did the suspect use Brave browser? (hh:mm:ss)"></a>0x03_10 How long did the suspect use Brave browser? (hh:mm:ss)</h2>
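<p>Added example (not part of the original write-up and not Volatility's own code): the walkthrough below reads the focus time off the <code>windows.registry.userassist</code> output. This decodes a Windows 7+ UserAssist entry by hand so that figure can be checked: the value name is ROT13-encoded and prefixed by a known-folder GUID, and the 72-byte data holds the run count at offset 4, the focus count at 8, the focus time in milliseconds at 12 and the last-run FILETIME at 60. <code>SAMPLE_NAME</code> and <code>SAMPLE_DATA</code> are constructed here (the focus time is set to 04:01:54 so the output matches the format of the answer); they are not bytes read from the challenge image. The two known-folder GUIDs are the standard KNOWNFOLDERID values for the Program Files directories.</p>

```python
"""Decode a Windows 7+ UserAssist registry value.

Added example (not from the write-up, not Volatility's own code).
SAMPLE_NAME / SAMPLE_DATA are constructed for this example.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Known-folder GUIDs seen at the start of UserAssist paths (KNOWNFOLDERID).
KNOWN_FOLDERS = {
    "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}": "%ProgramFiles(x86)%",
    "{6D809377-6AF0-444B-8957-A3773F02200E}": "%ProgramFiles%",
}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
ENTRY_SIZE = 72          # Windows 7 and later entry layout


def from_filetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def to_filetime(dt):
    """Inverse of from_filetime, computed in integers to avoid float rounding."""
    delta = dt - EPOCH_1601
    micros = (delta.days * 86400 + delta.seconds) * 10**6 + delta.microseconds
    return micros * 10


def decode_name(rot13_name):
    """Undo ROT13 and expand a leading known-folder GUID."""
    name = codecs.decode(rot13_name, "rot_13")
    for guid, folder in KNOWN_FOLDERS.items():
        if name.upper().startswith(guid):
            return folder + name[len(guid):]
    return name


def hms(milliseconds):
    seconds = milliseconds // 1000
    return f"{seconds // 3600:02d}:{seconds % 3600 // 60:02d}:{seconds % 60:02d}"


def decode_value(rot13_name, data):
    """Fields Volatility prints for one UserAssist entry."""
    if len(data) != ENTRY_SIZE:
        raise ValueError(f"expected a {ENTRY_SIZE}-byte entry, got {len(data)}")
    _session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
    (last_run,) = struct.unpack_from("<Q", data, 60)
    return {
        "path": decode_name(rot13_name),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": hms(focus_ms),          # cumulative foreground time
        "last_run": from_filetime(last_run),
    }


def build_value(run_count, focus_count, focus_ms, last_run):
    """Constructed entry: 4 dwords, 10 floats + 4 unknown bytes (zeroed),
    the last-run FILETIME at offset 60, 4 trailing bytes."""
    return (struct.pack("<IIII", 0, run_count, focus_count, focus_ms)
            + bytes(44)
            + struct.pack("<Q", to_filetime(last_run))
            + bytes(4))


SAMPLE_NAME = codecs.encode(
    r"{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\BraveSoftware\Brave-Browser\Application\brave.exe",
    "rot_13")
SAMPLE_LAST_RUN = datetime(2021, 4, 30, 17, 40, 12, tzinfo=timezone.utc)
SAMPLE_DATA = build_value(3, 25, (4 * 3600 + 1 * 60 + 54) * 1000, SAMPLE_LAST_RUN)

if __name__ == "__main__":
    for key, value in decode_value(SAMPLE_NAME, SAMPLE_DATA).items():
        print(f"{key:12} {value}")
```

<p>The focus time is the total time the program's window was in the foreground across all runs, which is the figure the question treats as usage time; it is not the length of a single session, and it only advances while that window has focus.</p>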
<h3 id="解题-8"><a href="#解题-8" class="headerlink" title="Solution"></a>Solution</h3><p><strong>Background</strong></p><p><strong>What is the registry?</strong></p><p>The registry is the database in which Windows stores configuration for users, hardware and software. Although it exists to configure the system, it also records user activity: which devices were connected, and which programs were used and when. All of this is available to the examiner for reconstructing a user's behaviour, malicious or not.</p><p><strong>UserAssist</strong> tracks executables and shortcuts opened through Explorer. For each entry it records the run count, the time of the last execution and the total time the program's window had focus. The data lives in the user's NTUSER.DAT hive under <code>Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count</code>, with the value names ROT13-encoded; Volatility's userassist plugin decodes them, which is why a plain grep for the program name works.</p><p><strong>Approach</strong>: run the UserAssist plugin in Volatility 3 and filter for brave</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">python3 vol.py -f /home/kali/桌面/1.mem windows.registry.userassist.UserAssist | grep -i brave</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230419170056346.png" alt="image-20230419170056346"></p><p>The focus time column is cumulative foreground time across every run of brave.exe, not the length of one browsing session; that cumulative figure is what the question asks for.</p><h3 id="答案-9"><a href="#答案-9" class="headerlink" title="Answer"></a>Answer</h3><p>The suspect used the Brave browser for <strong>04:01:54</strong></p>]]></content>
<summary type="html">🥧本文来自cyberdefenders靶场题目Brave。</summary>
<category term="cyberdefenders靶场" scheme="https://blog.r1ng13.top/categories/cyberdefenders%E9%9D%B6%E5%9C%BA/"/>
<category term="电子取证" scheme="https://blog.r1ng13.top/tags/%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81/"/>
<category term="cyberdefenders靶场" scheme="https://blog.r1ng13.top/tags/cyberdefenders%E9%9D%B6%E5%9C%BA/"/>
<category term="内存取证" scheme="https://blog.r1ng13.top/tags/%E5%86%85%E5%AD%98%E5%8F%96%E8%AF%81/"/>
<category term="volatility" scheme="https://blog.r1ng13.top/tags/volatility/"/>
</entry>
<entry>
<title>cyberdefenders----BlackEnergy</title>
<link href="https://blog.r1ng13.top/posts/42d34ea0.html"/>
<id>https://blog.r1ng13.top/posts/42d34ea0.html</id>
<published>2023-04-17T02:19:03.000Z</published>
<updated>2023-04-17T14:00:00.000Z</updated>
<content type="html"><![CDATA[<p><strong>Defend smarter, not harder</strong></p><h1 id="0x01-前言"><a href="#0x01-前言" class="headerlink" title="0x01 Preface"></a>0x01 Preface</h1><p><a href="https://cyberdefenders.org/">CyberDefenders</a> is a blue-team training platform focused on the defensive side of cyber security, built for learning, validating and advancing cyber defence skills. The CyberDefenders challenges are used here to practise forensics; the evidence comes from real environments, which makes it better material for learning the forensic workflow and tooling, and for understanding how attackers operate so that defenders can respond better.</p><h1 id="0x02-题目简介"><a href="#0x02-题目简介" class="headerlink" title="0x02 Challenge overview"></a>0x02 Challenge overview</h1><h2 id="题目链接"><a href="#题目链接" class="headerlink" title="Challenge link"></a>Challenge link</h2><div class="tag link"><a class="link-card" title="BlackEnergy" href="https://cyberdefenders.org/blueteam-ctf-challenges/99#nav-questions/"><div class="left"><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/Twitter-banner.png"/></div><div class="right"><p class="text">BlackEnergy</p><p class="url">https://cyberdefenders.org/blueteam-ctf-challenges/99#nav-questions/</p></div></a></div><h2 id="难度"><a href="#难度" class="headerlink" title="Difficulty"></a>Difficulty</h2><p><strong>Medium</strong></p><h2 id="解压密码"><a href="#解压密码" class="headerlink" title="Archive password"></a>Archive password</h2><p><strong>cyberdefenders.org</strong> </p><h2 id="案情介绍"><a href="#案情介绍" class="headerlink" title="Scenario"></a>Scenario</h2><figure class="highlight applescript"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">A multinational corporation has been hit by a cyber attack that has led to the theft of sensitive data. The attack was carried out using a variant of the BlackEnergy v2 malware that has never been seen before.</span><br><span class="line">The company's security team has acquired a memory dump of the infected machine, and they want you to analyze the dump to understand the attack scope and impact.</span><br></pre></td></tr></table></figure><h2 id="推荐工具"><a href="#推荐工具" class="headerlink" title="Recommended tools"></a>Recommended tools</h2><p><a href="https://github.com/volatilityfoundation/volatility">volatility2.X</a></p><h2 id="前置知识"><a href="#前置知识" class="headerlink" title="Background"></a>Background</h2><p><strong>Volatility 2 syntax</strong></p><pre><code>volatility -f [image] --profile=[profile] [plugin] [plugin options]

amcache - Print AmCache information
apihooks - Detect API hooks in process and kernel memory
atoms - Print session and window station atom tables
atomscan - Pool scanner for atom tables
auditpol - Prints out the Audit Policies from HKLM\SECURITY\Policy\PolAdtEv
bigpools - Dump the big page pools using BigPagePoolScanner
bioskbd - Reads the keyboard buffer from Real Mode memory
cachedump - Dumps cached domain hashes from memory
callbacks - Print system-wide notification routines
clipboard - Extract the contents of the windows clipboard
cmdline - Display process command-line arguments
cmdscan - Extract command history by scanning for _COMMAND_HISTORY
connections - Print list of open connections [Windows XP and 2003 Only]
connscan - Pool scanner for tcp connections
consoles - Extract command history by scanning for _CONSOLE_INFORMATION
crashinfo - Dump crash-dump information
deskscan - Pool scanner for tagDESKTOP (desktops)
devicetree - Show device tree
dlldump - Dump DLLs from a process address space
dlllist - Print list of loaded dlls for each process
driverirp - Driver IRP hook detection
drivermodule - Associate driver objects to kernel modules
driverscan - Pool scanner for driver objects
dumpcerts - Dump RSA private and public SSL keys
dumpfiles - Extract memory mapped and cached files
dumpregistry - Dumps registry files out to disk
editbox - Displays information about Edit controls. (Listbox experimental.)
envars - Display process environment variables
eventhooks - Print details on windows event hooks
evtlogs - Extract Windows Event Logs (XP/2003 only)
filescan - Pool scanner for file objects
gahti - Dump the USER handle type information
gditimers - Print installed GDI timers and callbacks
gdt - Display Global Descriptor Table
getservicesids - Get the names of services in the Registry and return Calculated SID
getsids - Print the SIDs owning each process
handles - Print list of open handles for each process (handles -t file lists the files a process has open)
hashdump - Dumps password hashes (LM/NTLM) from memory
hibinfo - Dump hibernation file information
hivedump - Prints out a hive
hivelist - Print list of registry hives
hivescan - Pool scanner for registry hives
hpakextract - Extract physical memory from an HPAK file
hpakinfo - Info on an HPAK file
idt - Display Interrupt Descriptor Table
iehistory - Reconstruct Internet Explorer cache / history
imagecopy - Copies a physical address space out as a raw DD image
imageinfo - Identify information for the image
impscan - Scan for calls to imported functions
joblinks - Print process job link information
kdbgscan - Search for and dump potential KDBG values
kpcrscan - Search for and dump potential KPCR values
ldrmodules - Detect unlinked DLLs
limeinfo - Dump Lime file format information
linux_apihooks - Checks for userland apihooks
linux_arp - Print the ARP table
linux_aslr_shift - Automatically detect the Linux ASLR shift
linux_banner - Prints the Linux banner information
linux_bash - Recover bash history from bash process memory
linux_bash_env - Recover a process' dynamic environment variables
linux_bash_hash - Recover bash hash table from bash process memory
linux_check_afinfo - Verifies the operation function pointers of network protocols
linux_check_creds - Checks if any processes are sharing credential structures
linux_check_evt_arm - Checks the Exception Vector Table to look for syscall table hooking
linux_check_fop - Check file operation structures for rootkit modifications
linux_check_idt - Checks if the IDT has been altered
linux_check_inline_kernel - Check for inline kernel hooks
linux_check_modules - Compares module list to sysfs info, if available
linux_check_syscall - Checks if the system call table has been altered
linux_check_syscall_arm - Checks if the system call table has been altered
linux_check_tty - Checks tty devices for hooks
linux_cpuinfo - Prints info about each active processor
linux_dentry_cache - Gather files from the dentry cache
linux_dmesg - Gather dmesg buffer
linux_dump_map - Writes selected memory mappings to disk
linux_dynamic_env - Recover a process' dynamic environment variables
linux_elfs - Find ELF binaries in process mappings
linux_enumerate_files - Lists files referenced by the filesystem cache
linux_find_file - Lists and recovers files from memory
linux_getcwd - Lists current working directory for each process
linux_hidden_modules - Carves memory to find hidden kernel modules
linux_ifconfig - Gathers active interfaces
linux_info_regs - Like 'info registers' in GDB: prints out all the registers
linux_iomem - Provides output similar to /proc/iomem
linux_kernel_opened_files - Lists files that are opened from within the kernel
linux_keyboard_notifiers - Parses the keyboard notifier call chain
linux_ldrmodules - Compares the output of proc maps with the list of libraries from libdl
linux_library_list - Lists libraries loaded into a process
linux_librarydump - Dumps shared libraries in process memory to disk
linux_list_raw - List applications with promiscuous sockets
linux_lsmod - Gather loaded kernel modules
linux_lsof - Lists file descriptors and their path
linux_malfind - Looks for suspicious process mappings
linux_memmap - Dumps the memory map for linux tasks
linux_moddump - Extract loaded kernel modules
linux_mount - Gather mounted fs/devices
linux_mount_cache - Gather mounted fs/devices from kmem_cache
linux_netfilter - Lists Netfilter hooks
linux_netscan - Carves for network connection structures
linux_netstat - Lists open sockets
linux_pidhashtable - Enumerates processes through the PID hash table
linux_pkt_queues - Writes per-process packet queues out to disk
linux_plthook - Scan ELF binaries' PLT for hooks to non-NEEDED images
linux_proc_maps - Gathers process memory maps
linux_proc_maps_rb - Gathers process maps for linux through the mappings red-black tree
linux_procdump - Dumps a process's executable image to disk
linux_process_hollow - Checks for signs of process hollowing
linux_psaux - Gathers processes along with full command line and start time
linux_psenv - Gathers processes along with their static environment
linux_pslist - Gather active tasks by walking the task_struct->task list
linux_pslist_cache - Gather tasks from the kmem_cache
linux_psscan - Scan physical memory for processes
linux_pstree - Shows the parent/child relationship between processes
linux_psxview - Find hidden processes with various process listings
linux_recover_filesystem - Recovers the entire cached file system from memory
linux_route_cache - Recovers the routing cache from memory
linux_sk_buff_cache - Recovers packets from the sk_buff kmem_cache
linux_slabinfo - Mimics /proc/slabinfo on a running machine
linux_strings - Match physical offsets to virtual addresses (may take a while, VERY verbose)
linux_threads - Prints threads of processes
linux_tmpfs - Recovers tmpfs filesystems from memory
linux_truecrypt_passphrase - Recovers cached Truecrypt passphrases
linux_vma_cache - Gather VMAs from the vm_area_struct cache
linux_volshell - Shell in the memory image
linux_yarascan - Scan Linux process or kernel memory with Yara signatures
lsadump - Dump (decrypted) LSA secrets from the registry
mac_adium - Lists Adium messages
mac_apihooks - Checks for API hooks in processes
mac_apihooks_kernel - Checks to see if system call and kernel functions are hooked
mac_arp - Prints the arp table
mac_bash - Recover bash history from bash process memory
mac_bash_env - Recover bash's environment variables
mac_bash_hash - Recover bash hash table from bash process memory
mac_calendar - Gets calendar events from Calendar.app
mac_check_fop - Validate File Operation Pointers
mac_check_mig_table - Lists entries in the kernel's MIG table
mac_check_syscall_shadow - Looks for shadow system call tables
mac_check_syscalls - Checks to see if system call table entries are hooked
mac_check_sysctl - Checks for unknown sysctl handlers
mac_check_trap_table - Checks to see if mach trap table entries are hooked
mac_compressed_swap - Prints Mac OS X VM compressor stats and dumps all compressed pages
mac_contacts - Gets contact names from Contacts.app
mac_dead_procs - Prints terminated/de-allocated processes
mac_dead_sockets - Prints terminated/de-allocated network sockets
mac_dead_vnodes - Lists freed vnode structures
mac_devfs - Lists files in the file cache
mac_dmesg - Prints the kernel debug buffer
mac_dump_file - Dumps a specified file
mac_dump_maps - Dumps memory ranges of process(es), optionally including pages in compressed swap
mac_dyld_maps - Gets memory maps of processes from dyld data structures
mac_find_aslr_shift - Find the ASLR shift value for 10.8+ images
mac_get_profile - Automatically detect Mac profiles
mac_ifconfig - Lists network interface information for all devices
mac_interest_handlers - Lists IOKit Interest Handlers
mac_ip_filters - Reports any hooked IP filters
mac_kernel_classes - Lists loaded C++ classes in the kernel
mac_kevents - Show parent/child relationship of processes
mac_keychaindump - Recovers possible keychain keys. Use chainbreaker to open related keychain files
mac_ldrmodules - Compares the output of proc maps with the list of libraries from libdl
mac_librarydump - Dumps the executable of a process
mac_list_files - Lists files in the file cache
mac_list_kauth_listeners - Lists Kauth Scope listeners
mac_list_kauth_scopes - Lists Kauth scopes and their status
mac_list_raw - List applications with promiscuous sockets
mac_list_sessions - Enumerates sessions
mac_list_zones - Prints active zones
mac_lsmod - Lists loaded kernel modules
mac_lsmod_iokit - Lists loaded kernel modules through IOkit
mac_lsmod_kext_map - Lists loaded kernel modules
mac_lsof - Lists per-process opened files
mac_machine_info - Prints machine information about the sample
mac_malfind - Looks for suspicious process mappings
mac_memdump - Dump addressable memory pages to a file
mac_moddump - Writes the specified kernel extension to disk
mac_mount - Prints mounted device information
mac_netstat - Lists active per-process network connections
mac_network_conns - Lists network connections from kernel network structures
mac_notesapp - Finds contents of Notes messages
mac_notifiers - Detects rootkits that add hooks into I/O Kit (e.g. LogKext)
mac_orphan_threads - Lists threads that don't map back to known modules/processes
mac_pgrp_hash_table - Walks the process group hash table
mac_pid_hash_table - Walks the pid hash table
mac_print_boot_cmdline - Prints kernel boot arguments
mac_proc_maps - Gets memory maps of processes
mac_procdump - Dumps the executable of a process
mac_psaux - Prints processes with arguments in user land (**argv)
mac_psenv - Prints processes with environment in user land (**envp)
mac_pslist - List running processes
mac_pstree - Show parent/child relationship of processes
mac_psxview - Find hidden processes with various process listings
mac_recover_filesystem - Recover the cached filesystem
mac_route - Prints the routing table
mac_socket_filters - Reports socket filters
mac_strings - Match physical offsets to virtual addresses (may take a while, VERY verbose)
mac_tasks - List active tasks
mac_threads - List process threads
mac_threads_simple - Lists threads along with their start time and priority
mac_timers - Reports timers set by kernel drivers
mac_trustedbsd - Lists malicious trustedbsd policies
mac_version - Prints the Mac version
mac_vfsevents - Lists processes filtering file system events
mac_volshell - Shell in the memory image
mac_yarascan - Scan memory for yara signatures
machoinfo - Dump Mach-O file format information
malfind - Find hidden and injected code
mbrparser - Scans for and parses potential Master Boot Records (MBRs)
memdump - Dump the addressable memory for a process
memmap - Print the memory map
messagehooks - List desktop and thread window message hooks
mftparser - Scans for and parses potential MFT entries
moddump - Dump a kernel driver to an executable file sample
modscan - Pool scanner for kernel modules
modules - Print list of loaded modules
multiscan - Scan for various objects at once
mutantscan - Pool scanner for mutex objects
netscan - Scan a Vista (or later) image for connections and sockets
notepad - List currently displayed notepad text
objtypescan - Scan for Windows object type objects
patcher - Patches memory based on page scans
poolpeek - Configurable pool scanner plugin
pooltracker - Show a summary of pool tag usage
printkey - Print a registry key, and its subkeys and values
privs - Display process privileges
procdump - Dump a process to an executable file sample
pslist - Print all running processes by following the EPROCESS lists
psscan - Pool scanner for process objects
pstree - Print process list as a tree
psxview - Find hidden processes with various process listings
qemuinfo - Dump Qemu information
raw2dmp - Converts a physical memory sample to a windbg crash dump
screenshot - Save a pseudo-screenshot based on GDI windows
servicediff - List Windows services (ala Plugx)
sessions - List details on _MM_SESSION_SPACE (user logon sessions)
shellbags - Prints ShellBags info
shimcache - Parses the Application Compatibility Shim Cache registry key
shutdowntime - Print ShutdownTime of machine from registry
sockets - Print list of open sockets
sockscan - Pool scanner for tcp socket objects
ssdt - Display SSDT entries
strings - Match physical offsets to virtual addresses (may take a while, VERY verbose)
svcscan - Scan for Windows services
symlinkscan - Pool scanner for symlink objects
thrdscan - Pool scanner for thread objects
threads - Investigate _ETHREAD and _KTHREADs
timeliner - Creates a timeline from various artifacts in memory
timers - Print kernel timers and associated module DPCs
truecryptmaster - Recover TrueCrypt 7.1a Master Keys
truecryptpassphrase - TrueCrypt Cached Passphrase Finder
truecryptsummary - TrueCrypt Summary
unloadedmodules - Print list of unloaded modules
userassist - Print userassist registry keys and information
userhandles - Dump the USER handle tables
vaddump - Dumps out the vad sections to a file
vadinfo - Dump the VAD info
vadtree - Walk the VAD tree and display in tree format
vadwalk - Walk the VAD tree
vboxinfo - Dump virtualbox information
verinfo - Prints out the version information from PE images
vmwareinfo - Dump VMware VMSS/VMSN information
volshell - Shell in the memory image
win10cookie - Find the ObHeaderCookie value for Windows 10
windows - Print Desktop Windows (verbose details)
wintree - Print Z-Order Desktop Windows Tree
wndscan - Pool scanner for window stations
yarascan - Scan process or kernel memory with Yara signatures
</code></pre><h1 id="0x03-解题过程"><a href="#0x03-解题过程" class="headerlink" title="0x03 Walkthrough"></a>0x03 Walkthrough</h1><h2 id="0x03-1-Which-volatility-profile-would-be-best-for-this-machine"><a href="#0x03-1-Which-volatility-profile-would-be-best-for-this-machine" class="headerlink" title="0x03_1 Which volatility profile would be best for this machine?"></a>0x03_1 Which volatility profile would be best for this machine?</h2><h3 id="解题"><a href="#解题" class="headerlink" title="Solution"></a>Solution</h3><p><strong>Approach</strong>: run <code>imageinfo</code> in Volatility 2.6 to identify the image</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">volatility -f F:\取证\c79-BE\CYBERDEF-567078-20230213-171333.raw imageinfo</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230416184353964.png" alt="image-20230416184353964"></p><h3 id="答案"><a href="#答案" class="headerlink" title="Answer"></a>Answer</h3><p><strong>Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)</strong>, so the profile for this machine is WinXPSP2x86. <code>imageinfo</code> guesses from the KDBG structure it locates; when the suggestions are ambiguous or a plugin returns nothing, <code>kdbgscan</code> shows which profile actually validates against the image.</p><h2 id="0x03-2-How-many-processes-were-running-when-the-image-was-acquired"><a href="#0x03-2-How-many-processes-were-running-when-the-image-was-acquired" class="headerlink" title="0x03_2 How many processes were running when the image was acquired?"></a>0x03_2 How many processes were running when the image was acquired?</h2><h3 id="解题-1"><a href="#解题-1" class="headerlink" title="Solution"></a>Solution</h3><p><strong>Approach</strong>: list the processes with <code>pslist</code> in Volatility 2.6 and write the result to 1.txt</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">volatility -f F:\取证\c79-BE\CYBERDEF-567078-20230213-171333.raw --profile=WinXPSP2x86 pslist > 1.txt</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230416184716772.png" alt="image-20230416184716772"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230416184746792.png" alt="image-20230416184746792"></p><p>The listing has 25 rows, but the question asks for processes that were running. Six rows carry an Exit time, meaning they had already terminated even though their EPROCESS blocks were still linked in the list, so 25 - 6 = 19 were running. pslist only walks the doubly linked process list; a process unlinked by a rootkit would not appear here at all, which is what <code>psscan</code> and <code>psxview</code> are for.</p><h3 id="答案-1"><a href="#答案-1" class="headerlink" title="Answer"></a>Answer</h3><p><strong>19</strong> processes were running</p><h2 id="0x03-3-What-is-the-process-ID-of-cmd-exe"><a href="#0x03-3-What-is-the-process-ID-of-cmd-exe" class="headerlink" title="0x03_3 What is the process ID of cmd.exe?"></a>0x03_3 What is the process ID of cmd.exe?</h2><h3 id="解题-2"><a href="#解题-2" class="headerlink" title="Solution"></a>Solution</h3><p><strong>Approach</strong>: in the <strong>1.txt</strong> file from the previous question, find the <strong>cmd.exe</strong> row; the process ID is the <strong>PID</strong> column<img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230416185229201.png" alt="image-20230416185229201"></p><h3 id="答案-2"><a href="#答案-2" class="headerlink" title="Answer"></a>Answer</h3><p>The <strong>process ID</strong> of <strong>cmd.exe</strong> is <strong>1960</strong></p><h2 id="0x03-4-What-is-the-name-of-the-most-suspicious-process"><a href="#0x03-4-What-is-the-name-of-the-most-suspicious-process" class="headerlink" title="0x03_4 What is the name of the most suspicious process?"></a>0x03_4 What is the name of the most suspicious process?</h2><h3 id="解题-4"><a href="#解题-4" class="headerlink" title="Solution"></a>Solution</h3><p><strong>Approach</strong>: in the same 1.txt, one process name does not belong to a Windows system: <strong>rootkit.exe</strong> </p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230416185435627.png" alt="image-20230416185435627"></p><p>Wikipedia's description of a rootkit:</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230416185657352.png" alt="image-20230416185657352"></p><h3 id="答案-3"><a href="#答案-3" class="headerlink" title="Answer"></a>Answer</h3><p>The most suspicious process is <strong>rootkit.exe</strong> </p><h2 id="0x03-5-Which-process-shows-the-highest-likelihood-of-code-injection?"><a href="#0x03-5-Which-process-shows-the-highest-likelihood-of-code-injection?" class="headerlink" title="0x03_5 Which process shows the highest likelihood of code injection?"></a>0x03_5 Which process shows the highest likelihood of code injection?</h2><h3 id="解题-5"><a href="#解题-5" class="headerlink" title="Solution"></a>Solution</h3><p><strong>malfind - find hidden and injected code</strong></p><p><strong>Approach</strong>: run <code>malfind</code> in Volatility 2.6 to look for injected code and write the output to 4.txt</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">volatility -f F:\取证\c79-BE\CYBERDEF-567078-20230213-171333.raw --profile=WinXPSP2x86 malfind > 4.txt</span><br></pre></td></tr></table></figure><p>malfind reports private memory regions that are executable and writable (PAGE_EXECUTE_READWRITE) and not backed by a file, and hex-dumps their first bytes. A region whose dump starts with an MZ header is the clearest sign of an injected PE; a region of such protection with no recognisable code is weaker evidence. The hit with that profile belongs to svchost.exe.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230416190552669.png" alt="image-20230416190552669"></p><h3 id="答案-4"><a href="#答案-4" class="headerlink" title="Answer"></a>Answer</h3><p>The process <strong>svchost.exe</strong> shows the highest likelihood of code injection</p><h2 id="0x03-6-There-is-an-odd-file-referenced-in-the-recent-process-Provide-the-full-path-of-that-file"><a href="#0x03-6-There-is-an-odd-file-referenced-in-the-recent-process-Provide-the-full-path-of-that-file" class="headerlink" title="0x03_6 There is an odd file referenced in the recent process. Provide the full path of that file."></a>0x03_6 There is an odd file referenced in the recent process. Provide the full path of that file.</h2>
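<p>Added example for this question (not part of the original write-up and not Volatility's own code): the walkthrough below reads the three File handles of PID 880 by eye and searches the unfamiliar one. This does the same triage programmatically over <code>handles -t file</code> output: it maps the kernel <code>\Device\HarddiskVolumeN</code> prefix to a drive letter, keeps the File handles of the PID of interest and flags paths that a user-mode service host should not hold, namely a kernel driver file or anything outside the locations such a process normally touches. <code>SAMPLE_HANDLES</code>, the volume-to-drive mapping and the allow-list are constructed assumptions for a single-disk XP host where HarddiskVolume1 is C:; only the two index.dat paths and str.sys mirror the write-up.</p>

```python
"""Triage Volatility 2 `handles -t File` output for one process.

Added example (not from the write-up, not Volatility's own code).
SAMPLE_HANDLES, VOLUME_TO_DRIVE and EXPECTED_PREFIXES are constructed
assumptions for this example.
"""

SAMPLE_HANDLES = """\
Volatility Foundation Volatility Framework 2.6
Offset(V)  Pid     Handle     Access Type             Details
---------- ------ ---------- ---------- ---------------- -------
0x8a1f2c30    880        0x44   0x100020 File             \\Device\\HarddiskVolume1\\WINDOWS\\system32
0x8a1d9f08    880        0x58   0x120089 File             \\Device\\HarddiskVolume1\\WINDOWS\\system32\\config\\systemprofile\\Local Settings\\Temporary Internet Files\\Content.IE5\\index.dat
0x8a1c1020    880        0x60   0x120089 File             \\Device\\HarddiskVolume1\\WINDOWS\\system32\\config\\systemprofile\\Cookies\\index.dat
0x8a1e7700    880        0x7c   0x120189 File             \\Device\\HarddiskVolume1\\WINDOWS\\system32\\drivers\\str.sys
0x8a1e7a10    880        0x84   0x100001 File             \\Device\\NamedPipe\\net\\NtControlPipe10
0x8a1f0c60    880        0x90   0x120089 File             \\Device\\HarddiskVolume1\\temp\\update.exe
0x8a200b48   1960        0x10   0x120089 File             \\Device\\HarddiskVolume1\\Documents and Settings\\Administrator\\Desktop\\notes.txt
"""

# Assumption: single-disk XP host, HarddiskVolume1 is the C: drive.
VOLUME_TO_DRIVE = {"\\Device\\HarddiskVolume1": "C:"}
# Assumption: where an XP service host legitimately opens files.
EXPECTED_PREFIXES = (
    "c:\\windows\\system32",
    "c:\\windows\\winsxs",
    "c:\\documents and settings",
)


def parse_handles(text):
    """One dict per handle row; the Details column may contain spaces."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 5 or not parts[0].startswith("0x"):
            continue                         # banner, header, separator
        rows.append({"offset": parts[0], "pid": int(parts[1]), "handle": parts[2],
                     "access": parts[3], "type": parts[4],
                     "details": parts[5] if len(parts) == 6 else ""})
    return rows


def to_drive_path(device_path):
    """Rewrite a \\Device\\HarddiskVolumeN path to its drive letter form."""
    for device, drive in VOLUME_TO_DRIVE.items():
        if device_path.startswith(device):
            return drive + device_path[len(device):]
    return device_path                       # pipes, mailslots, unmapped volumes


def odd_files(rows, pid):
    """(path, reasons) for File handles of `pid` that warrant a closer look."""
    flagged = []
    for row in rows:
        if row["pid"] != pid or row["type"] != "File":
            continue
        path = to_drive_path(row["details"])
        if path[1:2] != ":":
            continue                         # not a filesystem object
        low = path.lower()
        reasons = []
        if low.endswith(".sys"):
            reasons.append("kernel driver file opened by a user-mode process")
        if not low.startswith(EXPECTED_PREFIXES):
            reasons.append("outside expected locations")
        if reasons:
            flagged.append((path, reasons))
    return flagged


if __name__ == "__main__":
    for path, reasons in odd_files(parse_handles(SAMPLE_HANDLES), 880):
        print(path, "->", "; ".join(reasons))
```

<p>On a real case the device-to-drive mapping should be taken from the image (the <code>MountedDevices</code> key via <code>printkey</code>, or <code>symlinkscan</code>) rather than assumed, and the allow-list tuned to the role of the process being examined.</p>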
Provide the full path of that file.</h2><h3 id="解题-6"><a href="#解题-6" class="headerlink" title="解题"></a>解题</h3><p> <strong>思路</strong>:使用volatility 2.6输入以下命令查看最近的进程引用的文件名。因为题目说的是在最近的进程中引用了一个奇怪的文件,所以这个进程肯定是上题中的那个进程,那个进程的pid是880,所以我们使用handles命令去查询进程:<strong>handles - 打印每个进程的打开句柄列表/可以查看进程打开的文件 handles -t file</strong></p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">volatility -f F:\取证\c79-BE\CYBERDEF-567078-20230213-171333.raw --profile=WinXPSP2x86 -p 880 handles -t file</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230417093859810.png" alt=""></p><p>发现文件就3个文件</p><p>\Device\HarddiskVolume1\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat<br>\Device\HarddiskVolume1\WINDOWS\system32\config\systemprofile\Cookies\index.dat</p><p>\Device\HarddiskVolume1\WINDOWS\system32\drivers\str.sys</p><p>我们应该知道前两个都是win系统中的,后一个不确定,所以我们使用谷歌进行检索发现这是个异常的文件</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230417101434172.png" alt="image-20230417101434172"></p><h3 id="答案-5"><a href="#答案-5" class="headerlink" title="答案"></a>答案</h3><p> 该文件的完整路径:<strong>C:\WINDOWS\system32\drivers\str.sys</strong></p><h2 id="0x03-7-What-is-the-name-of-the-injected-dll-file-loaded-from-the-recent-process"><a href="#0x03-7-What-is-the-name-of-the-injected-dll-file-loaded-from-the-recent-process" class="headerlink" title="0x03_7 What is the name of the injected dll file loaded from the recent process?"></a>0x03_7 What is the name of the injected dll file loaded from the recent process?</h2><h3 id="解题-7"><a href="#解题-7" class="headerlink" title="解题"></a>解题</h3><p> <strong>思路</strong>:使用volatility 2.6输入以下命令查看最近进程中加载的注入的dll文件的名称</p><p>因为注入的dll文件是为了对系统进行隐藏,所以使用命令ldrmodules - 检测未链接的 DLL</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span 
class="line">1</span><br></pre></td><td class="code"><pre><span class="line">volatility -f F:\取证\c79-BE\CYBERDEF-567078-20230213-171333.raw --profile=WinXPSP2x86 -p 880 ldrmodules</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230417102944737.png" alt="image-20230417102944737"></p><p>我们应该查询的是 InLoad InInit这两个参数都是false的</p><p>所以发现 880 svchost.exe 0x009a0000 False False False \WINDOWS\system32\msxml3r.dll这个dll符合</p><h3 id="答案-6"><a href="#答案-6" class="headerlink" title="答案"></a>答案</h3><p> 最近进程中加载的注入的dll文件的名称是<strong>msxml3r.dll</strong></p><h2 id="0x03-8-What-is-the-base-address-of-the-injected-dll"><a href="#0x03-8-What-is-the-base-address-of-the-injected-dll" class="headerlink" title="0x03_8 What is the base address of the injected dll?"></a>0x03_8 What is the base address of the injected dll?</h2><h3 id="解题-8"><a href="#解题-8" class="headerlink" title="解题"></a>解题</h3><p> <strong>思路</strong>:使用volatility 2.6输入以下命令注入dll的基址,因为在第五题我们已经知道进程<strong>svchost.exe</strong>显示代码注入的可能性最高,所以我们使用malfind指定参数-p 880(<strong>svchost的pid</strong>)</p><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">volatility -f F:\取证\c79-BE\CYBERDEF-567078-20230213-171333.raw --profile=WinXPSP2x86 -p 880 malfind</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230417103644611.png" alt="image-20230417103644611"></p><h3 id="答案-7"><a href="#答案-7" class="headerlink" title="答案"></a>答案</h3><p> 注入的 dll 的基址是<strong>0x980000</strong></p>]]></content>
<summary type="html">🥧 This article covers the CyberDefenders lab challenge BlackEnergy.</summary>
<category term="cyberdefenders靶场" scheme="https://blog.r1ng13.top/categories/cyberdefenders%E9%9D%B6%E5%9C%BA/"/>
<category term="电子取证" scheme="https://blog.r1ng13.top/tags/%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81/"/>
<category term="cyberdefenders靶场" scheme="https://blog.r1ng13.top/tags/cyberdefenders%E9%9D%B6%E5%9C%BA/"/>
<category term="内存取证" scheme="https://blog.r1ng13.top/tags/%E5%86%85%E5%AD%98%E5%8F%96%E8%AF%81/"/>
<category term="volatility" scheme="https://blog.r1ng13.top/tags/volatility/"/>
</entry>
<entry>
<title>cyberdefenders----L'espion</title>
<link href="https://blog.r1ng13.top/posts/42d11d0a.html"/>
<id>https://blog.r1ng13.top/posts/42d11d0a.html</id>
<published>2023-04-13T02:19:03.000Z</published>
<updated>2023-04-13T14:00:00.000Z</updated>
<content type="html"><![CDATA[<p><strong>Defend smarter, not harder</strong></p><h1 id="0x01-前言"><a href="#0x01-前言" class="headerlink" title="0x01 前言"></a>0x01 Preface</h1><p> <a href="https://cyberdefenders.org/">CyberDefenders</a> is a blue-team training platform focused on the defensive side of cybersecurity, for learning, validating and improving cyber defense skills. Using CyberDefenders challenges to learn malicious traffic forensics, with challenges built from traffic generated in real environments, helps us master the forensic process and the related tools, and understand attackers' approaches so that defenders can devise better solutions.</p><h1 id="0x02-题目简介"><a href="#0x02-题目简介" class="headerlink" title="0x02 题目简介"></a>0x02 Challenge overview</h1><h2 id="题目链接"><a href="#题目链接" class="headerlink" title="题目链接"></a>Challenge link</h2><div class="tag link"><a class="link-card" title="L'espion" href="https://cyberdefenders.org/blueteam-ctf-challenges/73"><div class="left"><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/Twitter-banner.png"/></div><div class="right"><p class="text">L'espion</p><p class="url">https://cyberdefenders.org/blueteam-ctf-challenges/73</p></div></a></div><h2 id="解压密码"><a href="#解压密码" class="headerlink" title="解压密码"></a>Unzip password</h2><p>cyberdefenders.org </p><h2 id="案情介绍"><a href="#案情介绍" class="headerlink" title="案情介绍"></a>Case description</h2><figure class="highlight vbnet"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">You have been tasked <span class="keyword">by</span> a client whose network was compromised <span class="built_in">and</span> brought offline <span class="keyword">to</span> investigate the incident <span class="built_in">and</span> determine the attacker<span class="comment">'s identity.Incident responders and digital forensic investigators are currently on the scene and have conducted a preliminary investigation. 
Their findings show that the attack originated from a single user account, probably, an insider.Investigate the incident, find the insider, and uncover the attack actions.</span></span><br><span class="line">一位客户委托您调查事件并确定攻击者的身份,该客户的网络遭到破坏并脱机。事件响应人员和数字取证调查人员目前正在现场并进行了初步调查。他们的发现表明,攻击源自单个用户帐户,可能是内部人员。调查事件,找到内幕,并揭露攻击行动。</span><br></pre></td></tr></table></figure><h2 id="推荐工具"><a href="#推荐工具" class="headerlink" title="推荐工具"></a>Recommended tools</h2><ol><li><a href="https://www.google.com/maps">Google Maps</a></li><li><a href="https://www.google.com/imghp">Google Image search</a></li><li><a href="https://github.com/sherlock-project/sherlock">sherlock</a></li></ol><h1 id="0x03-解题过程"><a href="#0x03-解题过程" class="headerlink" title="0x03 解题过程"></a>0x03 Walkthrough</h1><h2 id="0x03-1-File-gt-Github-txt-What-is-the-API-key-the-insider-added-to-his-GitHub-repositories-内部人员添加到他的-GitHub-存储库的-API-密钥是什么?"><a href="#0x03-1-File-gt-Github-txt-What-is-the-API-key-the-insider-added-to-his-GitHub-repositories-内部人员添加到他的-GitHub-存储库的-API-密钥是什么?" 
class="headerlink" title="0x03_1 File -> Github.txt,What is the API key the insider added to his GitHub repositories?(内部人员添加到他的 GitHub 存储库的 API 密钥是什么?)"></a>0x03_1 File -> Github.txt: What is the API key the insider added to his GitHub repositories?</h2><h3 id="解题"><a href="#解题" class="headerlink" title="解题"></a>Solution</h3><p> The downloaded challenge files include a <strong>Github.txt</strong> file, which points to the insider's GitHub repositories. In the repository, the file <strong>Project-Build—-Custom-Login-Page/Login Page.js</strong> contains the API key we are looking for</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230413093625230.png" alt="image-20230413093625230"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230413094009746.png" alt="image-20230413094009746"></p><h3 id="答案"><a href="#答案" class="headerlink" title="答案"></a>Answer</h3><p> The API key added to his GitHub repositories is <strong>aJFRaLHjMXvYZgLPwiJkroYLGRkNBW</strong></p><h2 id="0x03-2-File-gt-Github-txt,What-is-the-plaintext-password-the-insider-added-to-his-GitHub-repositories-内部人员添加到他的-GitHub-存储库的明文密码是什么?"><a href="#0x03-2-File-gt-Github-txt,What-is-the-plaintext-password-the-insider-added-to-his-GitHub-repositories-内部人员添加到他的-GitHub-存储库的明文密码是什么?" 
class="headerlink" title="0x03_2 File -> Github.txt,What is the plaintext password the insider added to his GitHub repositories?内部人员添加到他的 GitHub 存储库的明文密码是什么?"></a>0x03_2 File -> Github.txt: What is the plaintext password the insider added to his GitHub repositories?</h2><h3 id="解题-1"><a href="#解题-1" class="headerlink" title="解题"></a>Solution</h3><p> Also in the file <strong>Project-Build—-Custom-Login-Page/Login Page.js</strong>, the login password is found as Password: UGljYXNzb0JhZ3VldHRlOTk=. It is base64-encoded, so we decode it with an online base64 <a href="https://tool.oschina.net/encrypt?type=3">decoder</a>.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230413094636087.png" alt="image-20230413094636087"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230413094801763.png" alt="image-20230413094801763"></p><h3 id="答案-1"><a href="#答案-1" class="headerlink" title="答案"></a>Answer</h3><p> The plaintext password the insider added to his GitHub repositories is <strong>PicassoBaguette99</strong></p><h2 id="0x03-3-File-gt-Github-txt,What-cryptocurrency-mining-tool-did-the-insider-use-知情人使用了什么加密货币挖矿工具?"><a href="#0x03-3-File-gt-Github-txt,What-cryptocurrency-mining-tool-did-the-insider-use-知情人使用了什么加密货币挖矿工具?" 
class="headerlink" title="0x03_3 File -> Github.txt,What cryptocurrency mining tool did the insider use?知情人使用了什么加密货币挖矿工具?"></a>0x03_3 File -> Github.txt: What cryptocurrency mining tool did the insider use?</h2><h3 id="解题-2"><a href="#解题-2" class="headerlink" title="解题"></a>Solution</h3><p> Among the GitHub repositories there is one for a miner; it is a mining tool, and scrolling down shows it is a Bitcoin mining tool</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230413095134767.png" alt="image-20230413095134767"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230413095304152.png" alt="image-20230413095304152"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230413095315444.png" alt="image-20230413095315444"></p><h3 id="答案-2"><a href="#答案-2" class="headerlink" title="答案"></a>Answer</h3><p> The cryptocurrency mining tool the insider used is <strong>BTC</strong></p><h2 id="0x03-4-What-university-did-the-insider-go-to-知情人上的是什么大学?"><a href="#0x03-4-What-university-did-the-insider-go-to-知情人上的是什么大学?" class="headerlink" title="0x03_4 What university did the insider go to?知情人上的是什么大学?"></a>0x03_4 What university did the insider go to?</h2><h3 id="解题-3"><a href="#解题-3" class="headerlink" title="解题"></a>Solution</h3><p> Search on LinkedIn using keyword constraints (<strong>based on the personal information given on GitHub</strong>)</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230413095748935.png" alt="image-20230413095748935"></p><p>From GitHub, the constraints we can use are:</p><ol><li>Name: Marseille</li><li>Position: Back end (<strong>back-end developer</strong>)</li></ol><p><strong>Search on LinkedIn</strong></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230413101021777.png" alt="image-20230413101021777"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230413101051441.png" alt="image-20230413101051441"></p><p>Opening the profile reveals the person's university</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230413101201399.png" alt="image-20230413101201399"></p><h3 id="答案-3"><a 
href="#答案-3" class="headerlink" title="答案"></a>Answer</h3><p> The insider went to <strong>Sorbonne Université</strong></p><h2 id="0x03-5-What-gaming-website-the-insider-had-an-account-on-内部人员在哪个游戏网站上有帐户?"><a href="#0x03-5-What-gaming-website-the-insider-had-an-account-on-内部人员在哪个游戏网站上有帐户?" class="headerlink" title="0x03_5 What gaming website the insider had an account on?内部人员在哪个游戏网站上有帐户?"></a>0x03_5 What gaming website did the insider have an account on?</h2><h3 id="解题-4"><a href="#解题-4" class="headerlink" title="解题"></a>Solution</h3><p> The person's LinkedIn bio says she can be contacted on Steam</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230413101451046.png" alt="image-20230413101451046"></p><h3 id="答案-4"><a href="#答案-4" class="headerlink" title="答案"></a>Answer</h3><p> The insider had an account on the <strong>Steam</strong> gaming website</p><h2 id="0x03-6-What-is-the-link-to-the-insider-Instagram-profile-内部人员-Instagram-个人资料的链接是什么?"><a href="#0x03-6-What-is-the-link-to-the-insider-Instagram-profile-内部人员-Instagram-个人资料的链接是什么?" class="headerlink" title="0x03_6 What is the link to the insider Instagram profile?内部人员 Instagram 个人资料的链接是什么?"></a>0x03_6 What is the link to the insider's Instagram profile?</h2><h3 id="解题-5"><a href="#解题-5" class="headerlink" title="解题"></a>Solution</h3><p> Searching <strong>Instagram</strong> for <strong>Émilie Marseille</strong> finds an account whose profile picture matches the ones on LinkedIn and GitHub, so it is almost certainly her<img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230413110622724.png" alt="image-20230413110622724"></p><h3 id="答案-5"><a href="#答案-5" class="headerlink" title="答案"></a>Answer</h3><p> The link to the insider's <strong>Instagram</strong> profile is <strong>https://www.instagram.com/emarseille99/</strong></p><h2 id="0x03-7-Where-did-the-insider-go-on-the-holiday-Country-only-知情人假期去哪儿了?-(仅限国家-地区)"><a href="#0x03-7-Where-did-the-insider-go-on-the-holiday-Country-only-知情人假期去哪儿了?-(仅限国家-地区)" class="headerlink" title="0x03_7 Where did the insider go on the holiday? (Country only)知情人假期去哪儿了? 
(仅限国家/地区)"></a>0x03_7 Where did the insider go on holiday? (Country only)</h2><h3 id="解题-6"><a href="#解题-6" class="headerlink" title="解题"></a>Solution</h3><p> Running the travel photos from her Instagram through Google reverse image search shows that the insider went to Singapore on holiday.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230413102126558.png" alt="image-20230413102126558"></p><p>Google reverse image search identifies this as the <a href="https://www.bring-you.info/zh-hans/marina-bay">Marina Bay Sands hotel</a> in Singapore</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230413102343883.png" alt="image-20230413102343883"></p><h3 id="答案-6"><a href="#答案-6" class="headerlink" title="答案"></a>Answer</h3><p> The insider went to <strong>Singapore</strong> on holiday</p><h2 id="0x03-8-Where-is-the-insider’s-family-live-City-only-知情人的家人住在哪里?-(仅限城市)"><a href="#0x03-8-Where-is-the-insider’s-family-live-City-only-知情人的家人住在哪里?-(仅限城市)" class="headerlink" title="0x03_8 Where is the insider’s family live? (City only)知情人的家人住在哪里? (仅限城市)"></a>0x03_8 Where does the insider’s family live? (City only)</h2><h3 id="解题-7"><a href="#解题-7" class="headerlink" title="解题"></a>Solution</h3><p> Looking through the insider's Instagram, there is a post about going home; looking up the flag shown in it reveals that it is Dubai</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230413110127966.png" alt="image-20230413110127966"></p><h3 id="答案-7"><a href="#答案-7" class="headerlink" title="答案"></a>Answer</h3><p> The insider's family lives in <strong>Dubai</strong></p><h2 id="0x03-9-File-gt-office-jpg-You-have-been-provided-with-a-picture-of-the-building-in-which-the-company-has-an-office-Which-city-is-the-company-located-in-您已收到一张公司办公大楼的照片。公司位于哪个城市?"><a href="#0x03-9-File-gt-office-jpg-You-have-been-provided-with-a-picture-of-the-building-in-which-the-company-has-an-office-Which-city-is-the-company-located-in-您已收到一张公司办公大楼的照片。公司位于哪个城市?" class="headerlink" title="0x03_9 File -> office.jpg: You have been provided with a picture of the building in which the company has an office. 
Which city is the company located in?您已收到一张公司办公大楼的照片。公司位于哪个城市?"></a>0x03_9 File -> office.jpg: You have been provided with a picture of the building in which the company has an office. Which city is the company located in?</h2><h3 id="解题-8"><a href="#解题-8" class="headerlink" title="解题"></a>Solution</h3><p><strong>office.jpg</strong> is:</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230413103346551.png" alt="image-20230413103346551"></p><p> A Google reverse image search of <strong>office.jpg</strong> finds the location; the street name visible in the picture can also be searched for directly</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230413103145299.png" alt="image-20230413103145299"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230413103221471.png" alt="image-20230413103221471"></p><h3 id="答案-8"><a href="#答案-8" class="headerlink" title="答案"></a>Answer</h3><p> The company is located in the city of <strong>Birmingham</strong></p><h2 id="0x03-10-File-gt-Webcam-png-With-the-intel-you-have-provided-our-ground-surveillance-unit-is-now-overlooking-the-person-of-interest’s-suspected-address-They-saw-them-leaving-their-apartment-and-followed-them-to-the-airport-Their-plane-took-off-and-has-landed-in-another-country-Our-intelligence-team-spotted-the-target-with-this-IP-camera-Which-state-is-this-camera-in-根据你提供的情报,我们的地面监视单位现在正在监视相关人员的可疑地址。他们看到他们离开公寓,就跟着他们去了机场。他们的飞机起飞并降落在另一个国家。我们的情报小组用这个-IP-摄像机发现了目标。这个相机处于什么州?"><a href="#0x03-10-File-gt-Webcam-png-With-the-intel-you-have-provided-our-ground-surveillance-unit-is-now-overlooking-the-person-of-interest’s-suspected-address-They-saw-them-leaving-their-apartment-and-followed-them-to-the-airport-Their-plane-took-off-and-has-landed-in-another-country-Our-intelligence-team-spotted-the-target-with-this-IP-camera-Which-state-is-this-camera-in-根据你提供的情报,我们的地面监视单位现在正在监视相关人员的可疑地址。他们看到他们离开公寓,就跟着他们去了机场。他们的飞机起飞并降落在另一个国家。我们的情报小组用这个-IP-摄像机发现了目标。这个相机处于什么州?" 
class="headerlink" title="0x03_10 File -> Webcam.png: With the intel, you have provided, our ground surveillance unit is now overlooking the person of interest’s suspected address. They saw them leaving their apartment and followed them to the airport. Their plane took off and has landed in another country.Our intelligence team spotted the target with this IP camera. Which state is this camera in?根据你提供的情报,我们的地面监视单位现在正在监视相关人员的可疑地址。他们看到他们离开公寓,就跟着他们去了机场。他们的飞机起飞并降落在另一个国家。我们的情报小组用这个 IP 摄像机发现了目标。这个相机处于什么州?"></a>0x03_10 File -> Webcam.png: With the intel you have provided, our ground surveillance unit is now overlooking the person of interest’s suspected address. They saw them leaving their apartment and followed them to the airport. Their plane took off and has landed in another country. Our intelligence team spotted the target with this IP camera. Which state is this camera in?</h2><h3 id="解题-9"><a href="#解题-9" class="headerlink" title="解题"></a>Solution</h3><p> <strong>Webcam.png</strong> is:</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230413110538596.png" alt="image-20230413110538596"></p><p>The image contains the key string <strong>A View from the Dome</strong>, which we search for on Google</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230413103840193.png" alt="image-20230413103840193"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230413104117092.png" alt="image-20230413104117092"></p><p>This shows it is the University of Notre Dame; looking up the university's details on Wikipedia to find which state it is in gives <strong>Indiana</strong></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230413104402003.png" alt="image-20230413104402003"></p><h3 id="答案-9"><a href="#答案-9" class="headerlink" title="答案"></a>Answer</h3><p> The camera is in <strong>Indiana</strong></p>]]></content>
<summary type="html">🥧 This article covers the CyberDefenders lab challenge L'espion.</summary>
<category term="cyberdefenders靶场" scheme="https://blog.r1ng13.top/categories/cyberdefenders%E9%9D%B6%E5%9C%BA/"/>
<category term="电子取证" scheme="https://blog.r1ng13.top/tags/%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81/"/>
<category term="cyberdefenders靶场" scheme="https://blog.r1ng13.top/tags/cyberdefenders%E9%9D%B6%E5%9C%BA/"/>
<category term="OSINT(开源情报)" scheme="https://blog.r1ng13.top/tags/OSINT-%E5%BC%80%E6%BA%90%E6%83%85%E6%8A%A5/"/>
</entry>
<entry>
<title>cyberdefenders----Insider</title>
<link href="https://blog.r1ng13.top/posts/12189fc2.html"/>
<id>https://blog.r1ng13.top/posts/12189fc2.html</id>
<published>2023-04-12T02:19:03.000Z</published>
<updated>2023-04-12T14:00:00.000Z</updated>
<content type="html"><![CDATA[<p><strong>Defend smarter, not harder</strong></p><h1 id="0x01-前言"><a href="#0x01-前言" class="headerlink" title="0x01 前言"></a>0x01 Preface</h1><p> <a href="https://cyberdefenders.org/">CyberDefenders</a> is a blue-team training platform focused on the defensive side of cybersecurity, for learning, validating and improving cyber defense skills. Using CyberDefenders challenges to learn malicious traffic forensics, with challenges built from traffic generated in real environments, helps us master the forensic process and the related tools, and understand attackers' approaches so that defenders can devise better solutions.</p><h1 id="0x02-题目简介"><a href="#0x02-题目简介" class="headerlink" title="0x02 题目简介"></a>0x02 Challenge overview</h1><h2 id="题目链接"><a href="#题目链接" class="headerlink" title="题目链接"></a>Challenge link</h2><div class="tag link"><a class="link-card" title="Insider" href="https://cyberdefenders.org/blueteam-ctf-challenges/64#nav-questions/"><div class="left"><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/Twitter-banner.png"/></div><div class="right"><p class="text">Insider</p><p class="url">https://cyberdefenders.org/blueteam-ctf-challenges/64#nav-questions/</p></div></a></div><h2 id="解压密码"><a href="#解压密码" class="headerlink" title="解压密码"></a>Unzip password</h2><p>cyberdefenders.org </p><h2 id="案情介绍"><a href="#案情介绍" class="headerlink" title="案情介绍"></a>Case description</h2><figure class="highlight"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">After Karen started working at "TAAUSAI", she began carrying out some illegal activities inside the company. "TAAUSAI" hired you to investigate the case. You obtained a disk image and found that Karen uses a Linux operating system on her machine. Analyze the disk image of Karen's computer and answer the questions provided.</span><br></pre></td></tr></table></figure><h2 id="推荐工具"><a href="#推荐工具" class="headerlink" title="推荐工具"></a>Recommended tools</h2><ol><li><strong>Google</strong></li><li><strong>FTK</strong></li></ol><h2 id="前置知识"><a href="#前置知识" class="headerlink" title="前置知识"></a>Prerequisite knowledge</h2><p><strong>Linux directory structure</strong></p><ul><li><p><strong>/bin</strong>:<br>bin is short for Binaries; this directory holds the most frequently used commands.</p></li><li><p><strong>/boot:</strong><br>Holds the core files used when booting Linux, including some link files and image files.</p></li><li><p><strong>/dev :</strong><br>dev is short for Device; this directory holds Linux's external devices. In Linux, devices are accessed in the same way as files.</p></li><li><p><strong>/etc:</strong><br>etc is short for Etcetera; 
this directory holds all the configuration files and subdirectories needed for system administration.</p></li><li><p><strong>/home</strong>:<br>Users' home directories. In Linux every user has a directory of their own, usually named after the user's account, such as alice, bob and eve.</p></li><li><p><strong>/lib</strong>:<br>lib is short for Library; this directory holds the system's most basic dynamically linked shared libraries, similar in role to DLL files on Windows. Almost every application needs these shared libraries.</p></li><li><p><strong>/lost+found</strong>:<br>Normally empty; after an improper shutdown, some files are placed here.</p></li><li><p><strong>/media</strong>:<br>Linux automatically recognizes devices such as USB drives and optical drives; once recognized, Linux mounts them under this directory.</p></li><li><p><strong>/mnt</strong>:<br>Provided so that users can temporarily mount other filesystems; for example, an optical drive can be mounted on /mnt/ and its contents viewed by entering that directory.</p></li><li><p><strong>/opt</strong>:<br>opt is short for optional; this is where additional software installed on the host is placed, for example an ORACLE database. Empty by default.</p></li><li><p><strong>/proc</strong>:<br>proc is short for Processes. /proc is a pseudo-filesystem (that is, a virtual filesystem) holding a set of special files that reflect the current running state of the kernel. It is a virtual directory that maps system memory, and system information can be obtained by reading it directly.<br>Its contents live in memory rather than on disk, and some of its files can be modified directly; for example, the following command makes the host ignore ping so that others cannot ping your machine:</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="built_in">echo</span> 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all</span><br></pre></td></tr></table></figure></li><li><p><strong>/root</strong>:<br>The home directory of the system administrator, also called the superuser.</p></li><li><p><strong>/sbin</strong>:<br>The s stands for Super User; sbin is short for Superuser Binaries, and holds the system administration programs used by the administrator.</p></li><li><p><strong>/selinux</strong>:<br> A directory specific to Redhat/CentOS. SELinux is a security mechanism, similar to the Windows firewall, but the mechanism is rather complex; this directory holds the SELinux-related files.</p></li><li><p><strong>/srv</strong>:<br> Holds data that services need to access after they start.</p></li><li><p><strong>/sys</strong>:</p><p>A major change in the Linux 2.6 kernel. This directory hosts sysfs, a filesystem that first appeared in the 2.6 kernel.</p><p>The sysfs filesystem integrates the information of three filesystems: the proc filesystem for process information, the devfs filesystem for devices, and the devpts filesystem for pseudo-terminals.</p><p>It is a direct reflection of the kernel device tree.</p><p>When a kernel object is created, the corresponding files and directories are created in the kernel object subsystem.</p></li><li><p><strong>/tmp</strong>:<br>tmp is short for temporary; this directory holds temporary files.</p></li><li><p><strong>/usr</strong>:<br> usr is short for unix shared resources; 
this is a very important directory in which many user applications and files are placed, similar to the program files directory on Windows.</p></li><li><p><strong>/usr/bin:</strong><br>Applications used by system users.</p></li><li><p><strong>/usr/sbin:</strong><br>More advanced administration programs and system daemons used by the superuser.</p></li><li><p><strong>/usr/src:</strong><br>Default location for the kernel source code.</p></li><li><p><strong>/var</strong>:<br>var is short for variable; this directory holds things that keep growing, and by convention directories that are modified frequently are placed here, including the various log files.</p></li><li><p><strong>/run</strong>:<br>A temporary filesystem that stores information since the system booted. When the system reboots, the files in this directory should be deleted or cleared. If your system has a /var/run directory, it should point to /run.</p></li></ul><h1 id="0x03-解题过程"><a href="#0x03-解题过程" class="headerlink" title="0x03 解题过程"></a>0x03 Walkthrough</h1><h2 id="0x03-1-这台机器上使用的是什么-Linux-发行版?"><a href="#0x03-1-这台机器上使用的是什么-Linux-发行版?" class="headerlink" title="0x03_1 这台机器上使用的是什么 Linux 发行版?"></a>0x03_1 What Linux distribution is used on this machine?</h2><h3 id="解题"><a href="#解题" class="headerlink" title="解题"></a>Solution</h3><p> <strong>Approach</strong>: open the image in FTK and look in the <strong>boot</strong> folder; it shows that the <strong>Linux</strong> distribution on the machine is <strong>kali</strong></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230412110903978.png" alt="image-20230412110903978"></p><h3 id="答案"><a href="#答案" class="headerlink" title="答案"></a>Answer</h3><p>The <strong>Linux</strong> distribution used on this machine is <strong>kali</strong></p><h2 id="0x03-2-apache-access-log-的-MD5-散列值是多少?"><a href="#0x03-2-apache-access-log-的-MD5-散列值是多少?" 
class="headerlink" title="0x03_2 apache access.log 的 MD5 散列值是多少?"></a>0x03_2 What is the MD5 hash of apache access.log?</h2><h3 id="解题-1"><a href="#解题-1" class="headerlink" title="解题"></a>Solution</h3><p> <strong>Approach</strong>: in FTK, locate the <strong>log</strong> file under the path <strong>/root/root/var/log/apache2</strong>, compute the file's <strong>hash</strong> and export it locally. The resulting value is the well-known MD5 of an empty (zero-byte) file, which is consistent with the 0-byte Apache log files seen again in question 7.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230412144143979.png" alt="image-20230412144143979"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230412111458321.png" alt="image-20230412111458321"></p><h3 id="答案-1"><a href="#答案-1" class="headerlink" title="答案"></a>Answer</h3><p> The <strong>MD5</strong> hash of <strong>apache access.log</strong> is <strong>d41d8cd98f00b204e9800998ecf8427e</strong></p><h2 id="0x03-3-据信下载了凭证转储工具?下载的文件名是什么?"><a href="#0x03-3-据信下载了凭证转储工具?下载的文件名是什么?" class="headerlink" title="0x03_3 据信下载了凭证转储工具?下载的文件名是什么?"></a>0x03_3 It is believed a credential-dumping tool was downloaded. What is the name of the downloaded file?</h2><h3 id="解题-2"><a href="#解题-2" class="headerlink" title="解题"></a>Solution</h3><p> <strong>Approach</strong>: browsing the path <strong>/root/root/Downloads/</strong> in <strong>FTK</strong> shows that the only file there is <strong>mimikatz_trunk.zip</strong></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230412111813771.png" alt="image-20230412111813771"></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230412112002774.png" alt="image-20230412112002774"></p><h3 id="答案-2"><a href="#答案-2" class="headerlink" title="答案"></a>Answer</h3><p> The name of the downloaded file is <strong>mimikatz_trunk.zip</strong></p><h2 id="0x03-4-创建了一个超级机密文件。什么是绝对路径?"><a href="#0x03-4-创建了一个超级机密文件。什么是绝对路径?" 
class="headerlink" title="0x03_4 创建了一个超级机密文件。什么是绝对路径?"></a>0x03_4 A super secret file was created. What is its absolute path?</h2><h3 id="解题-3"><a href="#解题-3" class="headerlink" title="解题"></a>Solution</h3><p> <strong>Approach</strong>: viewing <strong>history.sh</strong> in <strong>FTK</strong> shows the series of operations performed in the <strong>Linux</strong> terminal, including the creation of the super secret file, whose absolute path is <strong>/root/Desktop/SuperSecretFile.txt</strong></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230412112402897.png" alt="image-20230412112402897"></p><h3 id="答案-3"><a href="#答案-3" class="headerlink" title="答案"></a>Answer</h3><p> The absolute path is <strong>/root/Desktop/SuperSecretFile.txt</strong></p><h2 id="0x03-5-什么程序在执行过程中使用了diyouthinkwedmakeiteasy-jpg?"><a href="#0x03-5-什么程序在执行过程中使用了diyouthinkwedmakeiteasy-jpg?" class="headerlink" title="0x03_5 什么程序在执行过程中使用了diyouthinkwedmakeiteasy.jpg?"></a>0x03_5 What program used diyouthinkwedmakeiteasy.jpg during its execution?</h2><h3 id="解题-4"><a href="#解题-4" class="headerlink" title="解题"></a>Solution</h3><p> <strong>Approach</strong>: viewing <strong>history.sh</strong> in FTK shows the series of operations performed in the <strong>Linux</strong> terminal, among which <strong>binwalk</strong> used <strong>diyouthinkwedmakeiteasy.jpg</strong> during its execution</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230412135253992.png" alt="image-20230412135253992"></p><h3 id="答案-4"><a href="#答案-4" class="headerlink" title="答案"></a>Answer</h3><p> The <strong>binwalk</strong> program used <strong>diyouthinkwedmakeiteasy.jpg</strong> during its execution</p><h2 id="0x03-6-凯伦创建的清单中的第三个目标是什么?"><a href="#0x03-6-凯伦创建的清单中的第三个目标是什么?" 
class="headerlink" title="0x03_6 凯伦创建的清单中的第三个目标是什么?"></a>0x03_6 What is the third goal in the checklist Karen created?</h2><h3 id="解题-5"><a href="#解题-5" class="headerlink" title="解题"></a>Solution</h3><p> <strong>Approach</strong>: a <strong>checklist</strong> file is found in the <strong>Desktop</strong> folder, containing Karen's checklist</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230412135917322.png" alt="image-20230412135917322"></p><h3 id="答案-5"><a href="#答案-5" class="headerlink" title="答案"></a>Answer</h3><p> The third goal in the checklist Karen created is <strong>Profit</strong></p><h2 id="0x03-7-apache-运行了多少次?"><a href="#0x03-7-apache-运行了多少次?" class="headerlink" title="0x03_7 apache 运行了多少次?"></a>0x03_7 How many times was apache run?</h2><h3 id="解题-6"><a href="#解题-6" class="headerlink" title="解题"></a>Solution</h3><p> <strong>Approach</strong>: the log files in the <strong>apache2</strong> folder under the <strong>Log</strong> folder all have size <strong>0</strong>, so we guess that <strong>Apache</strong> was run <strong>0</strong> times; entering that answer is accepted</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230412140304823.png" alt="image-20230412140304823"></p><h3 id="答案-6"><a href="#答案-6" class="headerlink" title="答案"></a>Answer</h3><p> <strong>apache</strong> was run <strong>0</strong> times</p><h2 id="0x03-8-据信这台机器被用来攻击另一台机器。什么文件可以证明这一点?"><a href="#0x03-8-据信这台机器被用来攻击另一台机器。什么文件可以证明这一点?" class="headerlink" title="0x03_8 据信这台机器被用来攻击另一台机器。什么文件可以证明这一点?"></a>0x03_8 It is believed this machine was used to attack another machine. What file proves this?</h2><h3 id="解题-7"><a href="#解题-7" class="headerlink" title="解题"></a>Solution</h3><p> <strong>Approach</strong>: there is an image file in the <strong>root</strong> folder that shows this machine attacking another machine</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230412140623326.png" alt="image-20230412140623326"></p><h3 id="答案-7"><a href="#答案-7" class="headerlink" title="答案"></a>Answer</h3><p> <strong>irZLAohL.jpeg</strong> proves this.</p><h2 id="0x03-9-在-Documents-文件路径中,据信-Karen-通过-bash-脚本嘲讽了一位计算机专家同行。卡伦在嘲讽谁?"><a href="#0x03-9-在-Documents-文件路径中,据信-Karen-通过-bash-脚本嘲讽了一位计算机专家同行。卡伦在嘲讽谁?" 
class="headerlink" title="0x03_9 在 Documents 文件路径中,据信 Karen 通过 bash 脚本嘲讽了一位计算机专家同行。卡伦在嘲讽谁?"></a>0x03_9 In the Documents file path, it is believed Karen taunted a fellow computer expert via a bash script. Who is Karen taunting?</h2><h3 id="解题-8"><a href="#解题-8" class="headerlink" title="解题"></a>Solution</h3><p> <strong>Approach</strong>: looking at the <strong>bash</strong> script in <strong>Documents</strong> shows that Karen is taunting <strong>Young</strong></p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230412140911563.png" alt="image-20230412140911563"></p><h3 id="答案-8"><a href="#答案-8" class="headerlink" title="答案"></a>Answer</h3><p> Karen is taunting <strong>Young</strong></p><h2 id="0x03-10-用户-su-多次在-11-26-root。他是谁?"><a href="#0x03-10-用户-su-多次在-11-26-root。他是谁?" class="headerlink" title="0x03_10 用户 su 多次在 11:26 root。他是谁?"></a>0x03_10 A user su'd to root multiple times at 11:26. Who is he?</h2><h3 id="解题-9"><a href="#解题-9" class="headerlink" title="解题"></a>Solution</h3><p> <strong>Approach</strong>: to see the <strong>root</strong> related activity we need to check the <strong>log</strong> files; in <strong>auth.log</strong> under the <strong>log</strong> folder, searching for <strong>11:26</strong> finds the entries</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230412141433513.png" alt="image-20230412141433513"></p><h3 id="答案-9"><a href="#答案-9" class="headerlink" title="答案"></a>Answer</h3><p> The user who <strong>su</strong>'d to <strong>root</strong> multiple times at <strong>11:26</strong> is <strong>postgres</strong> </p><h2 id="0x03-11-根据-bash-历史,当前工作目录是什么?"><a href="#0x03-11-根据-bash-历史,当前工作目录是什么?" class="headerlink" title="0x03_11 根据 bash 历史,当前工作目录是什么?"></a>0x03_11 According to the bash history, what is the current working directory?</h2><h3 id="解题-10"><a href="#解题-10" class="headerlink" title="解题"></a>Solution</h3><p> <strong>Approach</strong>: viewing <strong>.history.sh</strong> in FTK shows the series of operations performed in the <strong>Linux</strong> terminal, from which the current working directory is found</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230412142004497.png" alt="image-20230412142004497"></p><h3 id="答案-10"><a href="#答案-10" class="headerlink" title="答案"></a>Answer</h3><p> The current working directory is <strong>/root/Documents/myfirsthack/</strong></p>]]></content>
<summary type="html">🥧This post covers the CyberDefenders lab challenge Insider.</summary>
<category term="CyberDefenders labs" scheme="https://blog.r1ng13.top/categories/cyberdefenders%E9%9D%B6%E5%9C%BA/"/>
<category term="digital forensics" scheme="https://blog.r1ng13.top/tags/%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81/"/>
<category term="CyberDefenders labs" scheme="https://blog.r1ng13.top/tags/cyberdefenders%E9%9D%B6%E5%9C%BA/"/>
<category term="Linux forensics" scheme="https://blog.r1ng13.top/tags/linux%E5%8F%96%E8%AF%81/"/>
</entry>
<entry>
<title>cyberdefenders----Malware Traffic Analysis 1</title>
<link href="https://blog.r1ng13.top/posts/680ae7e5.html"/>
<id>https://blog.r1ng13.top/posts/680ae7e5.html</id>
<published>2023-04-09T02:19:03.000Z</published>
<updated>2023-04-09T14:00:00.000Z</updated>
<content type="html"><![CDATA[<p><strong>Defend smarter, not harder</strong></p><h1 id="0x01-前言"><a href="#0x01-前言" class="headerlink" title="0x01 Preface"></a>0x01 Preface</h1><p> <a href="https://cyberdefenders.org/">CyberDefenders</a> is a blue-team training platform focused on the defensive side of cybersecurity, built for learning, validating and advancing cyber-defense skills. Its challenges are used here to practise malicious-traffic forensics: the captures come from real environments, which makes them good material for learning the investigation workflow and the relevant tools, and for understanding the attacker's approach so that defenders can respond better.</p><h1 id="0x02-题目简介"><a href="#0x02-题目简介" class="headerlink" title="0x02 Challenge overview"></a>0x02 Challenge overview</h1><p>Challenge link: <a href="https://cyberdefenders.org/blueteam-ctf-challenges/17#nav-questions">Malware Traffic Analysis 1</a></p><p>Archive password: cyberdefenders.org</p><p>Analyze the provided packet capture and answer questions 1-12 below.</p><h1 id="0x03-解题过程"><a href="#0x03-解题过程" class="headerlink" title="0x03 Walkthrough"></a>0x03 Walkthrough</h1><h2 id="0x03-1-被感染的-Windows-虚拟机的-IP-地址是什么?"><a href="#0x03-1-被感染的-Windows-虚拟机的-IP-地址是什么?" class="headerlink" title="0x03_1 What is the IP address of the infected Windows VM?"></a>0x03_1 What is the IP address of the infected Windows VM?</h2><h3 id="解题"><a href="#解题" class="headerlink" title="Solution"></a>Solution</h3><p><strong>Method 1</strong>: Wireshark</p><p>The question asks for the address of the infected Windows VM, so open the capture in Wireshark and filter on the DHCP exchange (display filter <strong>dhcp</strong>). The client's Request and the server's ACK record the address the host actually obtained, which is more reliable than guessing from the most active internal address.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230329163344165.png" alt=""></p><p><strong>Method 2</strong>: the <a href="https://apackets.com/">visual traffic-analysis site</a></p><p>1. Open the analysis site and load the capture.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230329170046828.png" alt="image-20230329170046828"></p><p>2. In the network view only one address starts with 172; the others belong to external websites, DNS servers or broadcast addresses, so 172.16.165.165 is the VM's address.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230329172143483.png" alt="image-20230329172143483"></p><h3 id="答案"><a href="#答案" class="headerlink" title="Answer"></a>Answer</h3><p> The IP address of the infected Windows VM is <strong>172.16.165.165</strong>.</p><h2 id="0x03-2-被感染的-Windows-VM-的主机名是什么?"><a href="#0x03-2-被感染的-Windows-VM-的主机名是什么?" 
class="headerlink" title="0x03_2 What is the hostname of the infected Windows VM?"></a>0x03_2 What is the hostname of the infected Windows VM?</h2><h3 id="解题-1"><a href="#解题-1" class="headerlink" title="Solution"></a>Solution</h3><p> Select one of the filtered DHCP packets in Wireshark and expand the packet details; the Host Name field (DHCP option 12) is in the option list.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230329173043251.png" alt="image-20230329173043251"></p><h3 id="答案-1"><a href="#答案-1" class="headerlink" title="Answer"></a>Answer</h3><p> The hostname of the infected Windows VM is <strong>K34EN6W3N-PC</strong>.</p><h2 id="0x03-3-受感染虚拟机的-MAC-地址是什么?"><a href="#0x03-3-受感染虚拟机的-MAC-地址是什么?" class="headerlink" title="0x03_3 What is the MAC address of the infected VM?"></a>0x03_3 What is the MAC address of the infected VM?</h2><h3 id="解题-2"><a href="#解题-2" class="headerlink" title="Solution"></a>Solution</h3><p> As in the previous question, with 172.16.165.165 as the source IP, open the filtered packet in Wireshark; the DHCP header carries a Client MAC address field.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230329173615450.png" alt="image-20230329173615450"></p><h3 id="答案-2"><a href="#答案-2" class="headerlink" title="Answer"></a>Answer</h3><p> The MAC address of the infected VM is <strong>f0:19:af:02:9b:f1</strong>.</p><h2 id="0x03-4-受感染网站的-IP-地址是什么?"><a href="#0x03-4-受感染网站的-IP-地址是什么?" 
class="headerlink" title="0x03_4 What is the IP address of the compromised website?"></a>0x03_4 What is the IP address of the compromised website?</h2><h3 id="解题-3"><a href="#解题-3" class="headerlink" title="Solution"></a>Solution</h3><p>1. Follow the HTTP streams and inspect the packets. The response to the second GET request contains a redirect to the site 24cXXXXXXXXX, so the site that served that page is the compromised one. The compromised site is the legitimate page whose HTML carries the injected redirect, not the redirect's destination; the Referer on the request to that destination names the page that issued it.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230409110755034.png" alt="image-20230409110755034"></p><p>Looking at the content shows the redirect.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230409110817976.png" alt="image-20230409110817976"></p><p>The compromised website is www.cinhlxxaaasand.nl </p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230329204554813.png" alt="image-20230329204554813"></p><p>Its IP address is 82.150.140.30</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230409110851960.png" alt="image-20230409110851960"></p><h3 id="答案-3"><a href="#答案-3" class="headerlink" title="Answer"></a>Answer</h3><p> The IP address of the compromised website is <strong>82.150.140.30</strong>.</p><h2 id="0x03-5-受感染网站的-FQDN-是什么?"><a href="#0x03-5-受感染网站的-FQDN-是什么?" class="headerlink" title="0x03_5 What is the FQDN of the compromised website?"></a>0x03_5 What is the FQDN of the compromised website?</h2><h3 id="解题-4"><a href="#解题-4" class="headerlink" title="Solution"></a>Solution</h3><p> From the previous question, the FQDN of the compromised website is <strong>www.cixxchlxxxnd.nl</strong> </p><h3 id="答案-4"><a href="#答案-4" class="headerlink" title="Answer"></a>Answer</h3><p> The FQDN of the compromised website is www.cinxxhxxxxnd.nl (<strong>masked</strong>)</p><h2 id="0x03-6-传送漏洞利用工具包和恶意软件的服务器的-IP-地址是什么?"><a href="#0x03-6-传送漏洞利用工具包和恶意软件的服务器的-IP-地址是什么?" 
class="headerlink" title="0x03_6 What is the IP address of the server that delivered the exploit kit and malware?"></a>0x03_6 What is the IP address of the server that delivered the exploit kit and malware?</h2><h3 id="解题-5"><a href="#解题-5" class="headerlink" title="Solution"></a>Solution</h3><p>1. Analyze the capture in Brim (the Zui desktop app). The query below does a keyword search for exploit across every record and merges the differently shaped matches into one table with fuse; the Suricata alerts it returns give the IP of the server that delivered the exploit.</p><figure class="highlight 1c"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">exploit <span class="string">| fuse</span></span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230329205429610.png" alt="image-20230329205429610"></p><h3 id="答案-5"><a href="#答案-5" class="headerlink" title="Answer"></a>Answer</h3><p> The IP address of the server that delivered the exploit kit and malware is <strong>37.200.69.143</strong>.</p><h2 id="0x03-7-传送漏洞利用工具包和恶意软件的-FQDN-是什么?"><a href="#0x03-7-传送漏洞利用工具包和恶意软件的-FQDN-是什么?" class="headerlink" title="0x03_7 What is the FQDN that delivered the exploit kit and malware?"></a>0x03_7 What is the FQDN that delivered the exploit kit and malware?</h2><h3 id="解题-6"><a href="#解题-6" class="headerlink" title="Solution"></a>Solution</h3><p>1. Use the online traffic-analysis site to look up the FQDN that corresponds to 37.200.69.143, the server that delivered the exploit kit and malware. The same mapping can be confirmed in Zeek's dns.log, where the name appears in the query field and the IP among the answers. <img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230329205931351.png" alt="image-20230329205931351"></p><h3 id="答案-6"><a href="#答案-6" class="headerlink" title="Answer"></a>Answer</h3><p> The FQDN that delivered the exploit kit and malware is <strong>stand.trustandshsojjdnkmlobaterealty.com</strong>.</p><h2 id="0x03-8-指向漏洞利用工具包-EK-登录页面的重定向-URL-是什么?"><a href="#0x03-8-指向漏洞利用工具包-EK-登录页面的重定向-URL-是什么?" 
class="headerlink" title="0x03_8 What is the redirect URL that points to the exploit kit (EK) landing page?"></a>0x03_8 What is the redirect URL that points to the exploit kit (EK) landing page?</h2><h3 id="解题-7"><a href="#解题-7" class="headerlink" title="Solution"></a>Solution</h3><p> While analyzing the compromised website in question 4 we found the redirect target: <a href="http://24xxnwmsnn.com">http://24xxnwmsnn.com</a></p><h3 id="答案-7"><a href="#答案-7" class="headerlink" title="Answer"></a>Answer</h3><p> The redirect URL that points to the exploit kit (EK) landing page is <a href="http://24xxnwmsnn.com">http://24xxnwmsnn.com</a></p><h2 id="0x03-9-除了-CVE-2013-2551-IE-exploit-之外,EK-还针对另一个以“J”开头的应用程序。提供完整的应用程序名称。"><a href="#0x03-9-除了-CVE-2013-2551-IE-exploit-之外,EK-还针对另一个以“J”开头的应用程序。提供完整的应用程序名称。" class="headerlink" title="0x03_9 Besides the CVE-2013-2551 IE exploit, the EK also targeted another application whose name starts with “J”. Provide the full application name."></a>0x03_9 Besides the CVE-2013-2551 IE exploit, the EK also targeted another application whose name starts with “J”. Provide the full application name.</h2><h3 id="解题-8"><a href="#解题-8" class="headerlink" title="Solution"></a>Solution</h3><p>1. In Brim/Zui, search for exploit and read the alert field, which holds the Suricata signature text; the application starting with J is Java.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230329212012457.png" alt="image-20230329212012457"></p><h3 id="答案-8"><a href="#答案-8" class="headerlink" title="Answer"></a>Answer</h3><p> The other application the EK targeted, whose name starts with “J”, is <strong>Java</strong>.</p><h2 id="0x03-10-有效载荷交付了多少次?"><a href="#0x03-10-有效载荷交付了多少次?" class="headerlink" title="0x03_10 How many times was the payload delivered?"></a>0x03_10 How many times was the payload delivered?</h2><h3 id="解题-9"><a href="#解题-9" class="headerlink" title="Solution"></a>Solution</h3><p>1. Checking the sample on VirusTotal shows three trojan detections, so the payload was delivered 3 times. A detection count is only an indirect indicator; the direct check is to count, in Zeek's files.log, the executable (application/x-dosexec) transfers from the EK server to the victim, each of which is one delivery.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230329212612488.png" alt=""></p><h3 id="答案-9"><a href="#答案-9" class="headerlink" title="Answer"></a>Answer</h3><p> The payload was delivered <strong>3</strong> times.</p><h2 id="0x03-11-受感染的网站有一个带有-URL-的恶意脚本。这个网址是什么?"><a href="#0x03-11-受感染的网站有一个带有-URL-的恶意脚本。这个网址是什么?" 
class="headerlink" title="0x03_11 The compromised website has a malicious script with a URL. What is that URL?"></a>0x03_11 The compromised website has a malicious script with a URL. What is that URL?</h2><h3 id="解题-10"><a href="#解题-10" class="headerlink" title="Solution"></a>Solution</h3><p>1. From the analysis of the compromised website in question 4, the URL in the malicious script is: <a href="http://24xxnwmsnn.com">http://24xxnwmsnn.com</a></p><p>2. Checking that site on VirusTotal shows many detections, which confirms the guess.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230329213215007.png" alt="image-20230329213215007"></p><h3 id="答案-10"><a href="#答案-10" class="headerlink" title="Answer"></a>Answer</h3><p> The URL in the malicious script is: <strong><a href="http://24xxnwmsnn.com">http://24xxnwmsnn.com</a></strong></p><h2 id="0x03-12-提取两个漏洞利用文件的-MD5-文件哈希值?(逗号分隔)"><a href="#0x03-12-提取两个漏洞利用文件的-MD5-文件哈希值?(逗号分隔)" class="headerlink" title="0x03_12 What are the MD5 hashes of the two exploit files? (comma separated)"></a>0x03_12 What are the MD5 hashes of the two exploit files? (comma separated)</h2><h3 id="解题-11"><a href="#解题-11" class="headerlink" title="Solution"></a>Solution</h3><p>1. In Brim run the following query. It keeps files.log records seen over HTTP where 37.200.69.143 is among tx_hosts (the sending side of the transfer) and shows only the columns needed here.</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">_path==<span class="string">"files"</span> <span class="built_in">source</span>==<span class="string">"HTTP"</span> 37.200.69.143 <span class="keyword">in</span> tx_hosts | <span class="built_in">cut</span> tx_hosts, rx_hosts, md5, mime_type</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230329215623640.png" alt="image-20230329215623640"></p><p>2. application/java-archive is the Java exploit and application/x-shockwave-flash the Flash exploit file, so these two records are the exploit files. Zeek fills in md5 only when it saw the whole file; a record with a dash there and a non-zero missing_bytes means the capture lost part of that transfer.</p><h3 id="答案-11"><a href="#答案-11" class="headerlink" title="Answer"></a>Answer</h3><p> The MD5 hashes of the two exploit files are: 1e34fdebbf655cebea78b45e43520ddf,7b3baa7d6bb3720f369219789e38d6ab</p>]]></content>
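Questions 0x03_1 to 0x03_3 all read the same DHCP exchange. As an added example (not code from the original post or from the challenge), the Python below decodes raw DHCP messages down to the fields Wireshark showed: the chaddr MAC, the Host Name option (12), the Requested IP option (50) and the yiaddr the server confirms in its ACK. The two messages it decodes are constructed with build_dhcp using the values from the screenshots (hostname K34EN6W3N-PC, MAC f0:19:af:02:9b:f1, address 172.16.165.165); the transaction id, the server identifier 172.16.165.2 and the lease time are made up.

```python
"""Recover the victim's IP, MAC and hostname from raw DHCP messages.

Added example for questions 0x03_1 to 0x03_3; it is not part of the
original post or of the CyberDefenders challenge files. The two messages
below are constructed (built by build_dhcp, not taken from the capture)
with the values the screenshots show, namely hostname K34EN6W3N-PC,
MAC f0:19:af:02:9b:f1 and address 172.16.165.165; the transaction id,
the server identifier 172.16.165.2 and the lease time are made up.
"""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the option area (RFC 2131)
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def _ip(raw):
    return str(ipaddress.IPv4Address(raw))


def build_dhcp(op, xid, mac, options, ciaddr="0.0.0.0", yiaddr="0.0.0.0"):
    """Serialise one BOOTP/DHCP message: 236-byte fixed header, cookie, options, End."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, len(mac), 0, xid, 0, 0,            # op, htype=Ethernet, hlen, hops, xid, secs, flags
        ipaddress.IPv4Address(ciaddr).packed,
        ipaddress.IPv4Address(yiaddr).packed,
        bytes(4), bytes(4),                       # siaddr, giaddr
        mac.ljust(16, b"\x00"),                   # chaddr is padded to 16 bytes
        bytes(64), bytes(128),                    # sname, file
    )
    body = b"".join(bytes([tag, len(val)]) + val for tag, val in options)
    return header + MAGIC_COOKIE + body + b"\xff"


def parse_dhcp(payload):
    """Decode the fixed header and the option list of one DHCP message."""
    if 240 > len(payload) or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    (op, _htype, hlen, _hops, xid, _secs, _flags,
     ciaddr, yiaddr, _siaddr, _giaddr, chaddr) = struct.unpack_from(
        "!BBBBIHH4s4s4s4s16s", payload, 0)
    options = {}
    i = 240
    while len(payload) > i:
        tag = payload[i]
        if tag == 255:                            # End option
            break
        if tag == 0:                              # Pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        options[tag] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = options.get(53, b"\x00")[0]
    return {
        "op": op,
        "xid": xid,
        "type": MESSAGE_TYPES.get(msg_type, f"unknown({msg_type})"),
        "client_mac": ":".join(f"{b:02x}" for b in chaddr[:hlen]),
        "ciaddr": _ip(ciaddr),
        "yiaddr": _ip(yiaddr),
        "hostname": options[12].decode("ascii", "replace") if 12 in options else None,
        "requested_ip": _ip(options[50]) if 50 in options else None,
        "server_id": _ip(options[54]) if 54 in options else None,
    }


def identify_client(payloads):
    """Pair each REQUEST with the ACK carrying the same xid: the ACK's yiaddr is
    the address actually granted, the REQUEST carries the name and the MAC."""
    requests = {}
    for raw in payloads:
        msg = parse_dhcp(raw)
        if msg["type"] == "REQUEST":
            requests[msg["xid"]] = msg
        elif msg["type"] == "ACK" and msg["xid"] in requests:
            req = requests[msg["xid"]]
            return {"ip": msg["yiaddr"], "mac": req["client_mac"],
                    "hostname": req["hostname"]}
    return None


# Constructed sample exchange (values from the screenshots; xid, server id, lease made up).
CLIENT_MAC = bytes.fromhex("f019af029bf1")
SAMPLE_REQUEST = build_dhcp(1, 0x3903F326, CLIENT_MAC, [
    (53, b"\x03"),                                         # DHCPREQUEST
    (61, b"\x01" + CLIENT_MAC),                            # client identifier
    (50, ipaddress.IPv4Address("172.16.165.165").packed),  # requested address
    (12, b"K34EN6W3N-PC"),                                 # host name
    (55, bytes([1, 3, 6, 15])),                            # parameter request list
])
SAMPLE_ACK = build_dhcp(2, 0x3903F326, CLIENT_MAC, [
    (53, b"\x05"),                                         # DHCPACK
    (54, ipaddress.IPv4Address("172.16.165.2").packed),    # server identifier (made up)
    (51, struct.pack("!I", 86400)),                        # lease time, one day
], yiaddr="172.16.165.165")

if __name__ == "__main__":
    print(identify_client([SAMPLE_REQUEST, SAMPLE_ACK]))
```

identify_client pairs the Request with the ACK by xid instead of trusting the requested address: a client may ask for an address the server refuses with a NAK, and only the ACK's yiaddr is the address the host then used on the wire.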
<summary type="html">🥧This post covers the CyberDefenders lab challenge Malware Traffic Analysis 1.</summary>
<category term="CyberDefenders labs" scheme="https://blog.r1ng13.top/categories/cyberdefenders%E9%9D%B6%E5%9C%BA/"/>
<category term="digital forensics" scheme="https://blog.r1ng13.top/tags/%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81/"/>
<category term="CyberDefenders labs" scheme="https://blog.r1ng13.top/tags/cyberdefenders%E9%9D%B6%E5%9C%BA/"/>
<category term="malware traffic analysis" scheme="https://blog.r1ng13.top/tags/%E6%81%B6%E6%84%8F%E8%BD%AF%E4%BB%B6%E6%B5%81%E9%87%8F%E5%88%86%E6%9E%90/"/>
</entry>
<entry>
<title>cyberdefenders----Malware Traffic Analysis 2</title>
<link href="https://blog.r1ng13.top/posts/f103b65f.html"/>
<id>https://blog.r1ng13.top/posts/f103b65f.html</id>
<published>2023-04-09T02:19:03.000Z</published>
<updated>2023-04-09T14:00:00.000Z</updated>
<content type="html"><![CDATA[<p><strong>Defend smarter, not harder</strong></p><h1 id="0x01-前言"><a href="#0x01-前言" class="headerlink" title="0x01 Preface"></a>0x01 Preface</h1><p><a href="http://cyberdefenders.org/">CyberDefenders: Blue Team CTF Challenges</a></p><p> <a href="https://cyberdefenders.org/">CyberDefenders</a> is a blue-team training platform focused on the defensive side of cybersecurity, built for learning, validating and advancing cyber-defense skills. Its challenges are used here to practise malicious-traffic forensics: the captures come from real environments, which makes them good material for learning the investigation workflow and the relevant tools, and for understanding the attacker's approach so that defenders can respond better.</p><h1 id="0x02-题目简介"><a href="#0x02-题目简介" class="headerlink" title="0x02 Challenge overview"></a>0x02 Challenge overview</h1><p>Challenge link: <a href="https://cyberdefenders.org/blueteam-ctf-challenges/20#nav-questions">Malware Traffic Analysis</a></p><p>Archive password: <strong>cyberdefenders.org</strong></p><p>Analyze the provided packet capture and answer questions 1-17 below.</p><h1 id="0x03-解题过程"><a href="#0x03-解题过程" class="headerlink" title="0x03 Walkthrough"></a>0x03 Walkthrough</h1><h2 id="0x03-1-被感染的-Windows-虚拟机的-IP-地址是什么?"><a href="#0x03-1-被感染的-Windows-虚拟机的-IP-地址是什么?" class="headerlink" title="0x03_1 What is the IP address of the infected Windows VM?"></a>0x03_1 What is the IP address of the infected Windows VM?</h2><p><strong>Solution</strong></p><p>Open the capture in Brim and run the query below, which keeps the Suricata alert records and lists the alert categories seen between each source and destination pair:</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">event_type==<span class="string">"alert"</span> | alerts := <span class="keyword">union</span>(alert.category) by src_ip, dest_ip</span><br></pre></td></tr></table></figure><p>The exploited host's IP is 172.16.165.132.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230409111611528.png" alt="image-20230409111611528"></p><p><strong>Answer</strong></p><p>The IP address of the infected Windows VM is <strong>172.16.165.132</strong>.</p><h2 id="0x03-2-受感染虚拟机的-MAC-地址是什么?"><a href="#0x03-2-受感染虚拟机的-MAC-地址是什么?" 
class="headerlink" title="0x03_2 What is the MAC address of the infected VM?"></a>0x03_2 What is the MAC address of the infected VM?</h2><p><strong>Solution</strong></p><p>In Wireshark, find any packet with 172.16.165.132 as its address and read the MAC from the Ethernet header. The 00:0c:29 prefix is a VMware OUI, which is consistent with the host being a VM.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230409111705323.png" alt="image-20230409111705323"></p><p><strong>Answer</strong></p><p>The MAC address of the infected VM is <strong>00:0c:29:c5:b7:a1</strong>.</p><h2 id="0x03-3-传送漏洞利用工具包和恶意软件的-IP-地址和端口号是什么?"><a href="#0x03-3-传送漏洞利用工具包和恶意软件的-IP-地址和端口号是什么?" class="headerlink" title="0x03_3 What are the IP address and port of the server that delivered the exploit kit and malware?"></a>0x03_3 What are the IP address and port of the server that delivered the exploit kit and malware?</h2><p><strong>Solution</strong></p><p> The alert query from the first question identifies both the infected VM (172.16.165.132) and the host that delivered the exploit (37.143.15.180), so the next step is to look at the connections between them in conn.log. The query below adds the two byte counters of every conn record and sorts the total in descending order; the largest transfers are the ones from the EK server, and the id column holds the four-tuple, with id.resp_p giving the server port.</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">_path==<span class="string">"conn"</span> | put total_bytes := orig_bytes + resp_bytes | sort -r total_bytes | cut uid, id, orig_bytes, resp_bytes, total_bytes</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230409111722705.png" alt="image-20230409111722705"></p><p><strong>Answer</strong></p><p> The IP address and port of the server that delivered the exploit kit and malware are <strong>37.143.15.180</strong> and <strong>51439</strong>.</p><h2 id="0x03-4-提供漏洞利用工具包的两个-FQDN-是什么?按字母顺序以逗号分隔。"><a href="#0x03-4-提供漏洞利用工具包的两个-FQDN-是什么?按字母顺序以逗号分隔。" class="headerlink" title="0x03_4 What are the two FQDNs that delivered the exploit kit? Comma separated, in alphabetical order."></a>0x03_4 What are the two FQDNs that delivered the exploit kit? Comma separated, in alphabetical order.</h2><p><strong>Solution</strong></p><p> Load the capture into the online <a href="https://packettotal.com/">traffic-analysis site</a>, which flags the malicious activity; searching for the records involving 37.143.15.180 turns up the two names.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230409111737902.png" alt="image-20230409111737902"><br><strong>Answer</strong></p><p> The two FQDNs that delivered the exploit kit are g.trinketking.com and h.trinketking.com</p><h2 id="0x03-5-受感染网站的-IP-地址是什么?"><a href="#0x03-5-受感染网站的-IP-地址是什么?" 
class="headerlink" title="0x03_5 What is the IP address of the compromised website?"></a>0x03_5 What is the IP address of the compromised website?</h2><p><strong>Solution</strong></p><p>To find the compromised website, look at the Referer of the HTTP requests sent to the exploit host (37.143.15.180): Zeek stores it in the referrer field, and it names the page that sent the browser to the kit. Run the following query:</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">_path==<span class="string">"http"</span> <span class="number">37.143</span><span class="number">.15</span><span class="number">.180</span> referrer status_msg==<span class="string">"OK"</span></span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230409111756074.png" alt="image-20230409111756074"></p><p> Then resolve that site with a dns query:</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">_path==<span class="string">"dns"</span> hijinksensue.com</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230409111810918.png" alt="image-20230409111810918"></p><p><strong>Answer</strong></p><p>The IP address of the compromised website is <strong>192.30.138.146</strong>.</p><h2 id="0x03-6-受感染网站的-FQDN-是什么?"><a href="#0x03-6-受感染网站的-FQDN-是什么?" 
class="headerlink" title="0x03_6 What is the FQDN of the compromised website?"></a>0x03_6 What is the FQDN of the compromised website?</h2><p><strong>Solution</strong></p><p>The FQDN of the compromised website follows from the previous question.</p><p><strong>Answer</strong></p><p>The FQDN of the compromised website is <strong>hijinksensue.com</strong>.</p><h2 id="0x03-7-传送恶意软件的漏洞利用工具包-EK-的名称是什么?(两个字)"><a href="#0x03-7-传送恶意软件的漏洞利用工具包-EK-的名称是什么?(两个字)" class="headerlink" title="0x03_7 What is the name of the exploit kit (EK) that delivered the malware? (two words)"></a>0x03_7 What is the name of the exploit kit (EK) that delivered the malware? (two words)</h2><p><strong>Solution</strong></p><p>The <a href="https://packettotal.com/">traffic-analysis site</a> names the exploit kit that delivered the malware in its alerts.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230409111822809.png" alt="image-20230409111822809"></p><p><strong>Answer</strong></p><p>The exploit kit (EK) that delivered the malware is <strong>Sweet Orange</strong>.</p><h2 id="0x03-8-指向漏洞攻击包登录页面的重定向-URL-是什么?"><a href="#0x03-8-指向漏洞攻击包登录页面的重定向-URL-是什么?" class="headerlink" title="0x03_8 What is the redirect URL that points to the exploit kit landing page?"></a>0x03_8 What is the redirect URL that points to the exploit kit landing page?</h2><p><strong>Solution</strong></p><p>The redirect URL is shown in the screenshot below.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230409111835720.png" alt="image-20230409111835720"></p><h2 id="0x03-9-指向漏洞利用工具包登录页面的重定向-URL-的-IP-地址是什么?"><a href="#0x03-9-指向漏洞利用工具包登录页面的重定向-URL-的-IP-地址是什么?" class="headerlink" title="0x03_9 What is the IP address of the redirect URL that points to the exploit kit landing page?"></a>0x03_9 What is the IP address of the redirect URL that points to the exploit kit landing page?</h2><p><strong>Solution</strong></p><p>Resolve the redirect URL's host with a dns query in Brim:</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">_path==<span class="string">"dns"</span> <span class="type">static</span>.charlotteretirementcommunities.com</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230409111848847.png" alt="image-20230409111848847"></p><p><strong>Answer</strong></p><p>The IP address of the redirect URL that points to the exploit kit landing page is <strong>50.87.149.90</strong>.</p><h2 id="0x03-10-从-PCAP-中提取恶意软件负载(PE-文件)的MD5-哈希?"><a href="#0x03-10-从-PCAP-中提取恶意软件负载(PE-文件)的MD5-哈希?" 
class="headerlink" title="0x03_10 What is the MD5 hash of the malware payload (PE file) extracted from the PCAP?"></a>0x03_10 What is the MD5 hash of the malware payload (PE file) extracted from the PCAP?</h2><p><strong>Solution</strong></p><p>Brim shows one PE file in the capture.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230409111900577.png" alt="image-20230409111900577"></p><p>Then use the <a href="https://packettotal.com/">traffic-analysis site</a> to extract the executable and export it (do this inside an isolated VM; it is live malware).</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230409111912306.png" alt="image-20230409111912306"></p><p>On Windows, compute the MD5 of the exported PE file with:</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">certutil -hashfile ABSOLUTE_PATH MD5</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230409111924716.png" alt="image-20230409111924716"></p><p><strong>Answer</strong></p><p>The MD5 hash of the malware payload (PE file) extracted from the PCAP is <strong>1408275c2e2c8fe5e83227ba371ac6b3</strong>.</p><h2 id="0x03-11-被利用漏洞的CVE是多少?"><a href="#0x03-11-被利用漏洞的CVE是多少?" class="headerlink" title="0x03_11 What is the CVE of the exploited vulnerability?"></a>0x03_11 What is the CVE of the exploited vulnerability?</h2><p><strong>Solution</strong></p><p>From question 0x03_7 we know the kit that succeeded is Sweet Orange, so a web search for the CVE associated with Sweet Orange gives the identifier. CVE-2014-6332 is the Windows OLE automation array vulnerability, exploited through VBScript in Internet Explorer.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230409111942408.png" alt="image-20230409111942408"></p><p><strong>Answer</strong></p><p>The CVE of the exploited vulnerability is <strong>CVE-2014-6332</strong>.</p><h2 id="0x03-12-使用-Zeek-分析花费最长时间(持续时间)的文件的-MIME-类型是什么?"><a href="#0x03-12-使用-Zeek-分析花费最长时间(持续时间)的文件的-MIME-类型是什么?" 
class="headerlink" title="0x03_12 What is the MIME type of the file that took the longest time (duration) to analyze using Zeek?"></a>0x03_12 What is the MIME type of the file that took the longest time (duration) to analyze using Zeek?</h2><p><strong>Solution</strong></p><p>Filter the files records in Brim and sort them by duration, descending:</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">_path==<span class="string">"files"</span> | sort -r duration</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230409112044080.png" alt="image-20230409112044080"></p><p><strong>Answer</strong></p><p>The MIME type of the file that took the longest to analyze with Zeek is <strong>application/x-dosexec</strong>.</p><h2 id="0x03-13-返回文件“f-txt”的已访问-URI-的引荐来源网址是什么?"><a href="#0x03-13-返回文件“f-txt”的已访问-URI-的引荐来源网址是什么?" class="headerlink" title="0x03_13 What is the referrer of the visited URI that returned the file “f.txt”?"></a>0x03_13 What is the referrer of the visited URI that returned the file “f.txt”?</h2><p><strong>Solution</strong></p><p>Search for f.txt in Brim with the query below and look at the referrer column; only one site appears.</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">f.txt | fuse</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230409112008879.png" alt="image-20230409112008879"></p><p><strong>Answer</strong></p><p>The referrer of the visited URI that returned the file “f.txt” is <strong><a href="http://hijinksensue.com/assets/verts/hiveworks/ad1.html">http://hijinksensue.com/assets/verts/hiveworks/ad1.html</a></strong></p><h2 id="0x03-14-这个-PCAP-是什么时候捕获的?"><a href="#0x03-14-这个-PCAP-是什么时候捕获的?" 
class="headerlink" title="0x03_14 When was this PCAP captured?"></a>0x03_14 When was this PCAP captured?</h2><p><strong>Solution</strong></p><p>Sort every record by its timestamp in Brim. With -r the newest record comes first, so the earliest one is at the bottom; dropping -r puts the start of the capture at the top. Either way the first record gives the capture date.</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sort -r ts</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230409112146186.png" alt="image-20230409112146186"></p><p><strong>Answer</strong><br> This PCAP was captured on 2014-11-23.</p><h2 id="0x03-15-PE文件是什么时候编译的?"><a href="#0x03-15-PE文件是什么时候编译的?" class="headerlink" title="0x03_15 When was the PE file compiled?"></a>0x03_15 When was the PE file compiled?</h2><p><strong>Solution</strong></p><p>Searching for the PE file in Brim shows its compile time in the pe log; the field is <strong>compile_ts</strong>. It comes from the TimeDateStamp in the file's COFF header, which whoever built the binary controls, so it is only as trustworthy as the rest of the header.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230409112132785.png" alt="image-20230409112132785"></p><p><strong>Answer</strong></p><p>The PE file was compiled on <strong>2014-11-23</strong>.</p><h2 id="0x03-16-只出现一次的-SSL-证书颁发者的名称是什么?(一个词)"><a href="#0x03-16-只出现一次的-SSL-证书颁发者的名称是什么?(一个词)" class="headerlink" title="0x03_16 What is the name of the SSL certificate issuer that appears only once? (one word)"></a>0x03_16 What is the name of the SSL certificate issuer that appears only once? (one word)</h2><p><strong>Solution</strong></p><p>Filter the ssl records in Brim with the query below and scan the issuer column; only one issuer appears a single time. Appending count() by issuer to the query makes the count explicit.</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">_path==<span class="string">"ssl"</span> </span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230409112241697.png" alt="image-20230409112241697"></p><p><strong>Answer</strong></p><p>The SSL certificate issuer that appears only once is <strong>Cybertrust</strong>.</p><h2 id="0x03-17-当前PE文件编译时启用的两种保护方式是什么?格式:按字母顺序逗号分隔"><a href="#0x03-17-当前PE文件编译时启用的两种保护方式是什么?格式:按字母顺序逗号分隔" class="headerlink" title="0x03_17 Which two protections were enabled when the PE file was compiled? Format: comma separated, alphabetical order"></a>0x03_17 Which two protections were enabled when the PE file was compiled? Format: comma separated, alphabetical order</h2><p><strong>Solution</strong></p><p>Copy the PE file exported in question 0x03_10 next to <a 
href="https://pev.sourceforge.io/">pev</a>, i.e. into its installation directory.</p><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230409112230858.png" alt="image-20230409112230858"></p><p>Open cmd in that directory and run the command below; two of the protection mechanisms are reported as yes. pesec reads these flags from the DllCharacteristics field of the optional header, so they state what the binary requests, not what the system enforces: with the host's DEP policy set to AlwaysOn, for instance, DEP is applied even to a binary that lacks the NX_COMPAT flag.</p><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">.\pesec.exe .\extract<span class="number">-1416704329.292659</span>-HTTP-F3Y0AS35Og90cuDZH3.raw</span><br></pre></td></tr></table></figure><p><img src="https://cdn.staticaly.com/gh/r1ng13/screenshot@main/img/image-20230409112221094.png" alt="image-20230409112221094"></p><p><strong>Answer</strong></p><p>The two protections enabled when the PE file was compiled are DEP, SEH.</p>]]></content>
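The Brim queries in this post and in the first walkthrough all operate on Zeek's logs, and the same filtering can be done offline on the TSV files Zeek writes. The Python below is an added example, not code from either post or from Brim or Zeek: it parses Zeek's tab-separated format from the #fields and #types header lines, then reproduces three of the queries, the exploit-file lookup by tx_hosts and MIME type from question 0x03_12 of Malware Traffic Analysis 1, and the orig_bytes + resp_bytes ranking (0x03_3) and longest-duration file (0x03_12) from this post. Both logs in it are constructed with a subset of Zeek's columns: the files.log rows reuse the server address, MIME types and MD5 values quoted in the first walkthrough, the conn.log rows reuse the victim and server addresses from this one, and the timestamps, uids, sizes and durations are made up.

```python
"""Query Zeek TSV logs offline: exploit files by delivering host, largest
connections, and the file that took longest to analyse.

Added example for the Brim/Zeek questions in the two walkthroughs
(Malware Traffic Analysis 1, 0x03_12; Malware Traffic Analysis 2, 0x03_3
and 0x03_12); not part of the original posts or of the challenge files.
Both logs below are constructed with a subset of Zeek's columns; the
addresses, MIME types and MD5 values come from the posts, everything
else (timestamps, uids, sizes, durations) is made up.
"""

EXPLOIT_MIMES = {"application/java-archive", "application/x-shockwave-flash"}

SAMPLE_FILES_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tfiles
#fields\tts\tfuid\ttx_hosts\trx_hosts\tsource\tmime_type\tduration\tseen_bytes\tmd5
#types\ttime\tstring\tset[addr]\tset[addr]\tstring\tstring\tinterval\tcount\tstring
1416704310.201\tFa1b2c\t37.200.69.143\t172.16.165.165\tHTTP\ttext/html\t0.012\t5120\t-
1416704311.005\tFb2c3d\t37.200.69.143\t172.16.165.165\tHTTP\tapplication/java-archive\t0.083\t18330\t1e34fdebbf655cebea78b45e43520ddf
1416704312.118\tFc3d4e\t37.200.69.143\t172.16.165.165\tHTTP\tapplication/x-shockwave-flash\t0.150\t36010\t7b3baa7d6bb3720f369219789e38d6ab
1416704319.430\tFd4e5f\t37.200.69.143\t172.16.165.165\tHTTP\tapplication/x-dosexec\t2.417\t242688\t-
1416704320.002\tFe5f60\t82.150.140.30\t172.16.165.165\tHTTP\ttext/html\t0.020\t2048\t-
"""

SAMPLE_CONN_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\torig_bytes\tresp_bytes
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tcount\tcount
1416704300.100\tC1a\t172.16.165.132\t49201\t192.30.138.146\t80\ttcp\t812\t45120
1416704305.300\tC2b\t172.16.165.132\t49215\t37.143.15.180\t51439\ttcp\t1460\t330245
1416704306.900\tC3c\t172.16.165.132\t49220\t37.143.15.180\t51439\ttcp\t1205\t98210
1416704330.250\tC4d\t172.16.165.132\t49240\t8.8.8.8\t53\tudp\t64\t-
"""


def _coerce(value, ztype):
    """Map one column value to a Python value according to its #types entry."""
    if value == "-":                                   # unset field
        return None
    if ztype.startswith("set[") or ztype.startswith("vector["):
        inner = ztype[ztype.index("[") + 1:-1]
        return [] if value == "(empty)" else [_coerce(v, inner) for v in value.split(",")]
    if ztype in ("count", "int", "port"):
        return int(value)
    if ztype in ("time", "interval", "double"):
        return float(value)
    if ztype == "bool":
        return value == "T"
    return value                                       # string, addr, enum


def parse_zeek_tsv(text):
    """Parse a Zeek ASCII log into a list of dicts keyed by column name."""
    sep, fields, types, records = "\t", None, None, []
    for line in text.splitlines():
        if line.startswith("#separator "):
            # Zeek writes the separator escaped, e.g. "#separator \x09"
            sep = line.split(" ", 1)[1].encode("ascii").decode("unicode_escape")
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif line.startswith("#types"):
            types = line.split(sep)[1:]
        elif line.startswith("#") or not line.strip():
            continue                                   # other headers, #close, blanks
        else:
            values = line.split(sep)
            records.append({f: _coerce(v, t) for f, v, t in zip(fields, values, types)})
    return records


def exploit_files(files_records, tx_host, mime_types=EXPLOIT_MIMES):
    """(mime_type, md5) of files sent by tx_host whose MIME type marks an exploit."""
    return [(r["mime_type"], r["md5"]) for r in files_records
            if tx_host in r["tx_hosts"] and r["mime_type"] in mime_types]


def top_connections(conn_records, n=3):
    """Connections ranked by orig_bytes + resp_bytes, as (resp_h, resp_p, total)."""
    def total(r):
        return (r["orig_bytes"] or 0) + (r["resp_bytes"] or 0)
    ranked = sorted(conn_records, key=total, reverse=True)
    return [(r["id.resp_h"], r["id.resp_p"], total(r)) for r in ranked[:n]]


def longest_file(files_records):
    """The files record with the largest duration, as (mime_type, duration)."""
    rec = max(files_records, key=lambda r: r["duration"] or 0.0)
    return rec["mime_type"], rec["duration"]


if __name__ == "__main__":
    files = parse_zeek_tsv(SAMPLE_FILES_LOG)
    print(exploit_files(files, "37.200.69.143"))
    print(longest_file(files))
    print(top_connections(parse_zeek_tsv(SAMPLE_CONN_LOG), 1))
```

Reading #types rather than hard-coding columns matters because Zeek deployments add and reorder fields; the same parser handles any of Zeek's logs as long as the header block is intact, and unset values (written as a dash) come back as None instead of silently becoming zero in a byte sum.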
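Questions 0x03_10, 0x03_15 and 0x03_17 each read one header field of the PE file: its MD5, the COFF TimeDateStamp that Zeek reports as compile_ts, and the DllCharacteristics flags that pesec reports. The Python below is an added example, not code from the original post, from pesec or from the challenge: it decodes those fields directly from the bytes. The two files it inspects are constructed by build_sample_pe (an MZ stub, a COFF header and an optional header with no sections, so not runnable programs); their timestamp 1416700800 and their flag values are made up.

```python
"""Read a PE file's MD5, compile timestamp and DllCharacteristics mitigations
(ASLR, DEP, SEH, CFG) straight from its headers.

Added example for questions 0x03_10, 0x03_15 and 0x03_17; not part of the
original post, of pesec or of the challenge files. The binaries inspected
are constructed by build_sample_pe and are not runnable programs; their
timestamp and flag values are made up.
"""
import hashlib
from datetime import datetime, timezone

FORMATS = {0x10B: "PE32", 0x20B: "PE32+"}
# DllCharacteristics bit positions from the PE/COFF specification.
BIT_HIGH_ENTROPY_VA, BIT_DYNAMIC_BASE, BIT_NX_COMPAT, BIT_NO_SEH, BIT_GUARD_CF = 5, 6, 8, 10, 14


def _bit(value, bit):
    return (value >> bit) % 2 == 1


def build_sample_pe(timestamp, dll_characteristics, pe32plus=False):
    """Minimal PE image: MZ header pointing at the PE signature, a COFF header
    and an optional header whose only meaningful fields are Magic, Subsystem
    and DllCharacteristics."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = e_lfanew.to_bytes(4, "little")
    machine = 0x8664 if pe32plus else 0x14C
    opt_size = 240 if pe32plus else 224
    coff = (machine.to_bytes(2, "little")
            + (0).to_bytes(2, "little")                 # NumberOfSections
            + timestamp.to_bytes(4, "little")           # TimeDateStamp
            + bytes(8)                                  # PointerToSymbolTable, NumberOfSymbols
            + opt_size.to_bytes(2, "little")            # SizeOfOptionalHeader
            + (0x0002).to_bytes(2, "little"))           # Characteristics: EXECUTABLE_IMAGE
    opt = bytearray(opt_size)
    opt[0:2] = (0x20B if pe32plus else 0x10B).to_bytes(2, "little")   # Magic
    opt[68:70] = (2).to_bytes(2, "little")              # Subsystem: WINDOWS_GUI
    opt[70:72] = dll_characteristics.to_bytes(2, "little")
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt)


def parse_pe_header(data):
    """Decode the COFF and optional-header fields the questions ask about."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine = int.from_bytes(data[coff:coff + 2], "little")
    timestamp = int.from_bytes(data[coff + 4:coff + 8], "little")
    opt_size = int.from_bytes(data[coff + 16:coff + 18], "little")
    opt = coff + 20
    if 72 > opt_size:
        raise ValueError("optional header too short for DllCharacteristics")
    magic = int.from_bytes(data[opt:opt + 2], "little")
    # DllCharacteristics sits at offset 70 for both PE32 and PE32+.
    dll_chars = int.from_bytes(data[opt + 70:opt + 72], "little")
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "machine": machine,
        "format": FORMATS.get(magic, "unknown"),
        "compile_ts": timestamp,
        "compile_time": datetime.fromtimestamp(timestamp, timezone.utc).isoformat(),
        "aslr": _bit(dll_chars, BIT_DYNAMIC_BASE),
        "high_entropy_va": _bit(dll_chars, BIT_HIGH_ENTROPY_VA),
        "dep": _bit(dll_chars, BIT_NX_COMPAT),
        "seh": not _bit(dll_chars, BIT_NO_SEH),         # SEH allowed unless NO_SEH is set
        "cfg": _bit(dll_chars, BIT_GUARD_CF),
    }


def enabled_protections(data):
    """Alphabetical list of the protections the headers declare enabled."""
    info = parse_pe_header(data)
    labels = {"aslr": "ASLR", "cfg": "CFG", "dep": "DEP", "seh": "SEH"}
    return sorted(label for key, label in labels.items() if info[key])


# Constructed samples: a PE32 with NX_COMPAT only, and a PE32+ with
# DYNAMIC_BASE, NX_COMPAT and NO_SEH set (0x0540).
SAMPLE_PE32 = build_sample_pe(1416700800, 0x0100)
SAMPLE_PE32PLUS = build_sample_pe(1416700800, 0x0540, pe32plus=True)

if __name__ == "__main__":
    for sample in (SAMPLE_PE32, SAMPLE_PE32PLUS):
        info = parse_pe_header(sample)
        print(info["format"], info["compile_time"], info["md5"], enabled_protections(sample))
```

Two caveats to the answers above: compile_ts is whatever the linker or packer wrote into the header and is routinely faked or zeroed, and NX_COMPAT is a request rather than a guarantee, since with the system DEP policy set to AlwaysOn the loader applies DEP even to binaries without the flag, and with OptIn it skips binaries that lack it.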
<summary type="html">🥧This post covers the CyberDefenders lab challenge Malware Traffic Analysis 2.</summary>
<category term="CyberDefenders labs" scheme="https://blog.r1ng13.top/categories/cyberdefenders%E9%9D%B6%E5%9C%BA/"/>
<category term="digital forensics" scheme="https://blog.r1ng13.top/tags/%E7%94%B5%E5%AD%90%E5%8F%96%E8%AF%81/"/>
<category term="CyberDefenders labs" scheme="https://blog.r1ng13.top/tags/cyberdefenders%E9%9D%B6%E5%9C%BA/"/>
<category term="malware traffic analysis" scheme="https://blog.r1ng13.top/tags/%E6%81%B6%E6%84%8F%E8%BD%AF%E4%BB%B6%E6%B5%81%E9%87%8F%E5%88%86%E6%9E%90/"/>
</entry>
</feed>