1 Challenge name: hard_web-1
Challenge: 1. Which ports are open on the server? Submit the ports in ascending order, separated by commas (for example, if ports 80 81 82 83 are open, the answer is 80,81,82,83).
Points: 100.0
Difficulty: easy
Attachment: hard_web-1.zip (download)
https://blog.csdn.net/qq_38626043/article/details/132703167
tcp.flags.syn==1 and ip.dst == 192.168.162.188
https://www.cnblogs.com/WXjzc/p/17674469.html
Look at the conversation statistics: the 60-byte TCP conversations are the failed connections (closed ports).
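The same classification done programmatically, as an added example that is not part of the original writeup: it parses raw Ethernet/IPv4/TCP frames and pairs every SYN sent to the page's target 192.168.162.188 with the reply, generalising the 60-byte rule to SYN/ACK (open), RST (closed) and no reply at all (filtered). The capture is constructed inline; the scanner address 192.168.162.1 and the probed ports are assumptions, not values from the challenge pcap.

```go
package main

import (
	"encoding/binary"
	"net"
	"sort"
)

const flagSYN, flagRST, flagACK = 0x02, 0x04, 0x10
const stFiltered, stOpen, stClosed = 0, 1, 2

// frame builds a minimal Ethernet/IPv4/TCP frame (no options, no payload), padded to
// the 60-byte Ethernet minimum as a capture shows it. Checksums stay zero (unused here).
func frame(src, dst net.IP, sport, dport uint16, flags byte) []byte {
	b := make([]byte, 60)
	binary.BigEndian.PutUint16(b[12:], 0x0800) // EtherType IPv4
	ip := b[14:]
	ip[0], ip[8], ip[9] = 0x45, 64, 6 // IPv4 with IHL 5, TTL 64, protocol TCP
	binary.BigEndian.PutUint16(ip[2:], 40) // total length: 20 IP + 20 TCP
	copy(ip[12:16], src.To4())
	copy(ip[16:20], dst.To4())
	tcp := ip[20:]
	binary.BigEndian.PutUint16(tcp[0:], sport)
	binary.BigEndian.PutUint16(tcp[2:], dport)
	tcp[12], tcp[13] = 5<<4, flags // data offset 5 words, TCP flags
	return b
}

// OpenPorts applies the page's reasoning to every frame: a SYN sent to target answered with
// SYN/ACK means open, answered with RST means closed, and a probe never answered is filtered.
func OpenPorts(frames [][]byte, target net.IP) (open, closed, filtered []int) {
	state := map[int]int{}
	for _, f := range frames {
		if len(f) < 34 || binary.BigEndian.Uint16(f[12:]) != 0x0800 || f[23] != 6 {
			continue // not IPv4 over Ethernet, or not TCP
		}
		off := 14 + int(f[14]&0x0f)*4 // Ethernet header + IPv4 header (options included)
		if len(f) < off+14 {
			continue // truncated TCP header
		}
		src, dst := net.IP(f[26:30]), net.IP(f[30:34])
		sport, dport := int(binary.BigEndian.Uint16(f[off:])), int(binary.BigEndian.Uint16(f[off+2:]))
		flags := f[off+13]
		switch {
		case dst.Equal(target) && flags&flagSYN != 0 && flags&flagACK == 0:
			if _, seen := state[dport]; !seen {
				state[dport] = stFiltered // probe seen, nothing back yet
			}
		case src.Equal(target) && flags&(flagSYN|flagACK) == flagSYN|flagACK:
			state[sport] = stOpen
		case src.Equal(target) && flags&flagRST != 0:
			state[sport] = stClosed
		}
	}
	var byState [3][]int
	for p, s := range state {
		byState[s] = append(byState[s], p)
	}
	for i := range byState {
		sort.Ints(byState[i]) // ascending, the order the answer has to be submitted in
	}
	return byState[stOpen], byState[stClosed], byState[stFiltered]
}

// SampleCapture is a constructed capture, not the challenge's pcap: a scanner at
// 192.168.162.1 probes the page's target 192.168.162.188 on four ports.
func SampleCapture() [][]byte {
	s, t := net.ParseIP("192.168.162.1"), net.ParseIP("192.168.162.188")
	return [][]byte{
		frame(s, t, 40001, 22, flagSYN), frame(t, s, 22, 40001, flagSYN|flagACK),
		frame(s, t, 40002, 80, flagSYN), frame(t, s, 80, 40002, flagSYN|flagACK),
		frame(s, t, 40003, 81, flagSYN), frame(t, s, 81, 40003, flagRST|flagACK),
		frame(s, t, 40004, 8080, flagSYN), // never answered
	}
}
```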
2 Challenge name: hard_web-2
Challenge: 2. What is the flag in the server's root directory?
Points: 100.0
Difficulty: easy
Attachment: hard_web-2.zip (download)
https://blog.csdn.net/qq_38626043/article/details/132703167
b5c1fadbb7e28da08572486d8e6933a84c5144463f178b352c5bda71cff4e8ffe919f0f115a528ebfc4a79b03aea0e31cb22d460ada998c7657d4d0f1be71ffa
https://www.cnblogs.com/WXjzc/p/17674469.html
Analyse the capture and find the Java code in shell.jsp.
It is obviously a Godzilla JSP shell; you can generate one yourself and compare.
The transmitted content is AES-encrypted with the key 748007e861908c03 and gzip-compressed; decrypt it to get the flag.
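A decoder for traffic of this shape, added here and taken neither from the writeup nor from Godzilla itself: it assumes the content was gzip-compressed first and then encrypted with AES-128-ECB and PKCS#5 padding under the page's 16-byte key (mode and padding are assumptions; the page names only AES and gzip). EncodeBody exists only to build a sample body offline.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"encoding/base64"
	"errors"
	"io"
)

// Key taken from the page's analysis of this capture: 16 ASCII bytes, so AES-128.
const GodzillaKey = "748007e861908c03"

// aesECB runs the raw block cipher over data block by block. ECB has no IV, which is
// why the key alone is enough to read every message in the capture.
func aesECB(key, data []byte, encrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(data) == 0 || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("key must be 16/24/32 bytes and data a whole number of blocks")
	}
	out := make([]byte, len(data))
	for i := 0; i < len(data); i += aes.BlockSize {
		if encrypt {
			block.Encrypt(out[i:], data[i:])
		} else {
			block.Decrypt(out[i:], data[i:])
		}
	}
	return out, nil
}

// pkcs7Unpad validates and strips PKCS#5/#7 padding; a wrong key almost always fails
// here, which makes it a cheap check that the key recovered from the shell is right.
func pkcs7Unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding: wrong key?")
	}
	return b[:len(b)-n], nil
}

// DecodeBody: base64 body from the HTTP message -> AES-128-ECB decrypt -> unpad -> gunzip.
func DecodeBody(key, body string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(body)
	if err != nil {
		return nil, err
	}
	dec, err := aesECB([]byte(key), raw, false)
	if err != nil {
		return nil, err
	}
	if dec, err = pkcs7Unpad(dec); err != nil {
		return nil, err
	}
	zr, err := gzip.NewReader(bytes.NewReader(dec))
	if err != nil {
		return nil, err
	}
	return io.ReadAll(zr)
}

// EncodeBody is the inverse (gzip -> pad -> AES-128-ECB -> base64), used only to build a sample.
func EncodeBody(key string, plain []byte) (string, error) {
	var zb bytes.Buffer
	zw := gzip.NewWriter(&zb)
	zw.Write(plain)
	zw.Close()
	n := aes.BlockSize - zb.Len()%aes.BlockSize
	enc, err := aesECB([]byte(key), append(zb.Bytes(), bytes.Repeat([]byte{byte(n)}, n)...), true)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(enc), nil
}
```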
3 Challenge name: hard_web-3
Challenge: 3. What is the connection password of the webshell?
Points: 100.0
Difficulty: easy
Attachment: hard_web-3.zip (download)
Going through the requests and responses carefully, you can find that the password has the form 1***y.
In Godzilla's encrypted traffic the key is the first 16 or the last 16 characters of the md5 of the password, so brute-force it:
import hashlib
from itertools import product

KEY = '748007e861908c03'  # the 16-character key observed in the Godzilla traffic
CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789"

# The password has the shape 1***y, and the key is the first or last 16 hex
# characters of md5(password), so try every 4-character middle and compare both halves.
for middle in product(CHARSET, repeat=4):
    s = '1' + ''.join(middle) + 'y'
    md5 = hashlib.md5(s.encode('utf-8')).hexdigest()
    if KEY in (md5[:16], md5[16:]):
        print(s)
        print(md5)
        break
4 Challenge name: baby_forensics-1
Challenge: 1. What is the key on the disk?
Attachment: link: https://pan.baidu.com/s/1nXi3MgoxYfIUZTgxiqlwHg extraction code: b5ld
Points: 100.0
Difficulty: easy
https://zhuanlan.zhihu.com/p/692447949
https://blog.51cto.com/u_16213568/7848056
┌──(holyeyes㉿kali2023)-[~/Misc/tool-misc/volatility_2.6_lin64_standalone]
└─$ ./volatility -f baby_forensics.raw --profile=Win7SP1x64 filescan | grep -iE "flag|.zip$|.rar$|.7z$|.txt$|.png$|.jpg$|.gif$|.pdf$|.doc$|.docx$|.pcap$|.pcapng$|.raw$|.kdbx$|Desktop\\\{1}.+"
Volatility Foundation Volatility Framework 2.6
[... IE cache and cookie entries omitted ...]
0x000000003df80070 2 0 -W-rwd \Device\HarddiskVolume2\Users\admin\AppData\Local\Temp\vmware-admin\VMwareDnD\abafa01a\key.txt
0x000000003df94070 16 0 RW---- \Device\HarddiskVolume3\key.txt
[... further cache, cookie, DumpIt.exe, desktop.ini, SCHEDLGU.TXT and ADMIN-PC-20220529-121413.raw entries omitted ...]
┌──(holyeyes㉿kali2023)-[~/Misc/tool-misc/volatility_2.6_lin64_standalone]
└─$ ./volatility -f baby_forensics.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003df94070 -D ./
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x3df94070 None \Device\HarddiskVolume3\key.txt
┌──(holyeyes㉿kali2023)-[~/Misc/tool-misc/volatility_2.6_lin64_standalone]
└─$ ls
AUTHORS.txt LICENSE.txt baby_forensics.vmdk
CREDITS.txt README.txt file.None.0xfffffa800e7306b0.dat
LEGAL.txt baby_forensics.raw volatility
┌──(holyeyes㉿kali2023)-[~/Misc/tool-misc/volatility_2.6_lin64_standalone]
└─$ cat file.None.0xfffffa800e7306b0.dat
E96<6J:Da6g_b_f_gd75a3d4ch4heg4bab66ad5d
thekeyis2e80307085fd2b5c49c968c323ee25d5
Method 2
E:\逐鹿\MISC\tools\volatility_2.6_win64_standalone>.\volatility.exe -f E:\逐鹿\第二界陇剑杯赛事练习场一\baby_forensics_1\baby_forensics.raw --profile=Win7SP1x64 filescan | findstr "key"
Volatility Foundation Volatility Framework 2.6
0x000000003df80070 2 0 -W-rwd \Device\HarddiskVolume2\Users\admin\AppData\Local\Temp\vmware-admin\VMwareDnD\abafa01a\key.txt
0x000000003df94070 16 0 RW---- \Device\HarddiskVolume3\key.txt
0x000000003e332e60 1 1 ------ \Device\NamedPipe\keysvc
0x000000003e3345b0 1 1 ------ \Device\NamedPipe\keysvc
0x000000003e7dca60 2 1 ------ \Device\NamedPipe\keysvc
E:\逐鹿\MISC\tools\volatility_2.6_win64_standalone>.\volatility.exe -f E:\逐鹿\第二界陇剑杯赛事练习场一\baby_forensics_1\baby_forensics.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003df94070 -D E:\逐鹿\第二界陇剑杯赛事练习场一\baby_forensics_1
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x3df94070 None \Device\HarddiskVolume3\key.txt
Dump it and rename it to key.txt; its content is
E96<6J:Da6g_b_f_gd75a3d4ch4heg4bab66ad5d
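The key.txt content above is ROT47 of the key, which is how the decoded line was obtained. Added example, not from the writeup: a rotation brute-forcer over the 94 printable ASCII characters that finds the right shift by looking for the word "key", so it generalises ROT47 to any shift in that range.

```go
package main

import (
	"fmt"
	"strings"
)

// Rot shifts every printable ASCII character ('!'..'~', 94 symbols) by n places
// with wrap-around; n = 47 is ROT47. Because 47 is half of 94, ROT47 is its own
// inverse, so the same call encodes and decodes.
func Rot(s string, n int) string {
	var b strings.Builder
	for _, c := range s {
		if c >= '!' && c <= '~' {
			c = '!' + (c-'!'+rune(n)+94)%94
		}
		b.WriteRune(c)
	}
	return b.String()
}

// Recover tries every one of the 93 non-trivial shifts and returns the first whose
// output contains marker (case-sensitive), e.g. the literal word "key" the challenge asks for.
func Recover(ct, marker string) (shift int, plain string, ok bool) {
	for n := 1; n < 94; n++ {
		if p := Rot(ct, n); strings.Contains(p, marker) {
			return n, p, true
		}
	}
	return 0, "", false
}

// KeyTxt is the content of \Device\HarddiskVolume3\key.txt as dumped on the page.
const KeyTxt = "E96<6J:Da6g_b_f_gd75a3d4ch4heg4bab66ad5d"

func main() {
	n, p, ok := Recover(KeyTxt, "key")
	fmt.Println(n, p, ok)
}
```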
5 Challenge name: baby_forensics-2
Challenge: 2. What is the result shown by the calculator running on the computer?
Attachment: link: https://pan.baidu.com/s/1nXi3MgoxYfIUZTgxiqlwHg extraction code: b5ld
Points: 300.0
Difficulty: medium
Method 1
List all processes and find the calc.exe process:
┌──(holyeyes㉿kali2023)-[~/Misc/tool-misc/volatility3-develop]
└─$ python3 ./vol.py -f baby_forensics.raw windows.pslist.PsList >> pslist.txt
┌──(holyeyes㉿kali2023)-[~/Misc/tool-misc/volatility3-develop]
└─$ cat pslist.txt | grep calc
2844 2552 calc.exe 0xfa800ef2cb30 5 97 1 False 2022-05-29 11:50:36.000000 N/A Disabled
Dump that process's memory:
┌──(holyeyes㉿kali2023)-[~/Misc/tool-misc/volatility3-develop]
└─$ python3 ./vol.py -f baby_forensics.raw windows.memmap.Memmap --pid 2844 --dump
Volatility 3 Framework 2.7.2
Progress: 100.00 PDB scanning finished
Virtual Physical Size Offset in File File output
0x10000 0x34aa8000 0x1000 0x0 pid.2844.dmp
0x11000 0x22508000 0x1000 0x1000 pid.2844.dmp
Change the file extension to .data, open it in GIMP, and adjust the width and height until the window content becomes visible.
https://www.gimp.org/downloads/
Method 2
E:\逐鹿\MISC\tools\volatility_2.6_win64_standalone>volatility.exe -f baby_forensics.raw --profile=Win7SP1x64 windows > windows
Volatility Foundation Volatility Framework 2.6
Window Handle: #b01f8 at 0xfffff900c0834a60, Name: 7598632541
ClassAtom: 0xc0a2, Class: audio/basic
SuperClassAtom: 0xc019, SuperClass: Static
pti: 0xfffff900c07a9010, Tid: 2656 at 0xfffffa800ee25b60
ppi: 0xfffff900c1fda010, Process: calc.exe, Pid: 2844
7598632541
Method 3
For the calculator, just extract the calculator's process.
Worth remembering: the calculator's process on a Windows machine is calc.exe.
E:\逐鹿\MISC\tools\volatility_2.6_win64_standalone>.\volatility.exe -f E:\逐鹿\第二界陇剑杯赛事练习场一\baby_forensics_1\baby_forensics.raw --profile=Win7SP1x64 pslist | findstr "calc"
Volatility Foundation Volatility Framework 2.6
0xfffffa800ef2cb30 calc.exe 2844 2552 5 97 1 0 2022-05-29 11:50:36 UTC+0000
E:\逐鹿\MISC\tools\volatility_2.6_win64_standalone>.\volatility.exe -f E:\逐鹿\第二界陇剑杯赛事练习场一\baby_forensics_1\baby_forensics.raw --profile=Win7SP1x64 memdump -p 2844 -D E:\逐鹿\第二界陇剑杯赛事练习场一\baby_forensics_1
Volatility Foundation Volatility Framework 2.6
************************************************************************
Writing calc.exe [ 2844] to 2844.dmp
6 Challenge name: baby_forensics-3
Challenge: 3. What is the flag in this memory image? Submit it in the form flag{}.
Attachment: link: https://pan.baidu.com/s/1nXi3MgoxYfIUZTgxiqlwHg extraction code: b5ld
Points: 300.0
Difficulty: medium
Method 1
While browsing for interesting files with R-Studio, a file named i4ak3y turns up in the Music folder; its content looks like a decryption key:
qwerasdf
For this challenge we need the Sticky Notes process on the machine, i.e. StikyNot.exe.
StikyNot.exe is the Windows Sticky Notes application, the small desktop notes tool for quickly creating, editing and viewing reminders and memos. While it runs, the note text, colours and positions are held in its process memory, and it also persists them so the notes come back after the program is closed or the machine is restarted. For this challenge what matters is that the note content sits in that process's memory.
The process list shows the Sticky Notes program running; look for the note file, whose extension is .snt.
E:\逐鹿\MISC\tools\volatility_2.6_win64_standalone>volatility.exe -f E:\逐鹿\第二界陇剑杯赛事练习场一\baby_forensics_1\baby_forensics.raw --profile=Win7SP1x64 pslist
Volatility Foundation Volatility Framework 2.6
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa800ccc1b30 System 4 0 107 568 ------ 0 2022-04-14 11:13:59 UTC+0000
0xfffffa800d7fb650 smss.exe 268 4 2 32 ------ 0 2022-04-14 11:13:59 UTC+0000
0xfffffa800d7a6b30 csrss.exe 360 344 10 490 0 0 2022-04-14 11:14:00 UTC+0000
0xfffffa800e55d510 wininit.exe 412 344 3 82 0 0 2022-04-14 11:14:00 UTC+0000
0xfffffa800e568460 csrss.exe 420 404 11 358 1 0 2022-04-14 11:14:00 UTC+0000
0xfffffa800e598b30 winlogon.exe 468 404 5 122 1 0 2022-04-14 11:14:00 UTC+0000
0xfffffa800e5ba7c0 services.exe 520 412 8 238 0 0 2022-04-14 11:14:01 UTC+0000
0xfffffa800e5c4b30 lsass.exe 536 412 12 629 0 0 2022-04-14 11:14:01 UTC+0000
0xfffffa800e5cb7b0 lsm.exe 544 412 10 144 0 0 2022-04-14 11:14:01 UTC+0000
0xfffffa800e636b30 svchost.exe 644 520 11 377 0 0 2022-04-14 11:14:01 UTC+0000
0xfffffa800e65f460 vmacthlp.exe 708 520 3 59 0 0 2022-04-14 11:14:01 UTC+0000
0xfffffa800e67e5f0 svchost.exe 752 520 8 314 0 0 2022-04-14 11:14:01 UTC+0000
0xfffffa800e6bb740 svchost.exe 840 520 21 484 0 0 2022-04-14 11:14:01 UTC+0000
0xfffffa800e6e4b30 svchost.exe 884 520 18 402 0 0 2022-04-14 11:14:01 UTC+0000
0xfffffa800e6edb30 svchost.exe 908 520 39 1001 0 0 2022-04-14 11:14:01 UTC+0000
0xfffffa800e766830 svchost.exe 368 520 12 612 0 0 2022-04-14 11:14:01 UTC+0000
0xfffffa800e79eb30 svchost.exe 988 520 18 506 0 0 2022-04-14 11:14:01 UTC+0000
0xfffffa800e843b30 spoolsv.exe 1148 520 12 284 0 0 2022-04-14 11:14:01 UTC+0000
0xfffffa800e875b30 svchost.exe 1180 520 18 337 0 0 2022-04-14 11:14:01 UTC+0000
0xfffffa800e935b30 svchost.exe 1320 520 15 277 0 0 2022-04-14 11:14:02 UTC+0000
0xfffffa800e9aab30 VGAuthService. 1404 520 3 87 0 0 2022-04-14 11:14:02 UTC+0000
0xfffffa800ea21b30 vmtoolsd.exe 1544 520 10 270 0 0 2022-04-14 11:14:02 UTC+0000
0xfffffa800ea75b30 taskhost.exe 1696 520 9 215 1 0 2022-04-14 11:14:02 UTC+0000
0xfffffa800eb0f630 sppsvc.exe 1952 520 4 158 0 0 2022-04-14 11:14:02 UTC+0000
0xfffffa800eb48820 svchost.exe 2016 520 6 94 0 0 2022-04-14 11:14:02 UTC+0000
0xfffffa800eb97630 dllhost.exe 1792 520 13 203 0 0 2022-04-14 11:14:02 UTC+0000
0xfffffa800e533b30 msdtc.exe 2092 520 12 148 0 0 2022-04-14 11:14:02 UTC+0000
0xfffffa800ea14060 rundll32.exe 2104 644 3 80 1 0 2022-04-14 11:14:02 UTC+0000
0xfffffa800ec4b6b0 WmiPrvSE.exe 2312 644 12 223 0 0 2022-04-14 11:14:03 UTC+0000
0xfffffa800ec22060 dwm.exe 2528 884 5 155 1 0 2022-04-14 11:14:06 UTC+0000
0xfffffa800ec20910 explorer.exe 2552 2516 43 1113 1 0 2022-04-14 11:14:06 UTC+0000
0xfffffa800ed62890 vmtoolsd.exe 2660 2552 10 212 1 0 2022-04-14 11:14:07 UTC+0000
0xfffffa800edda910 SearchIndexer. 2884 520 14 786 0 0 2022-04-14 11:14:13 UTC+0000
0xfffffa800e902440 taskhost.exe 1748 520 5 103 1 0 2022-05-29 11:43:51 UTC+0000
0xfffffa800e9f9400 svchost.exe 2976 520 12 327 0 0 2022-05-29 11:44:06 UTC+0000
0xfffffa800e630360 wmpnetwk.exe 1064 520 9 208 0 0 2022-05-29 11:44:07 UTC+0000
0xfffffa800ef2cb30 calc.exe 2844 2552 5 97 1 0 2022-05-29 11:50:36 UTC+0000
0xfffffa800efbeb30 StikyNot.exe 2968 2552 10 184 1 0 2022-05-29 12:05:25 UTC+0000
0xfffffa800d7af6f0 audiodg.exe 1276 840 6 138 0 0 2022-05-29 12:07:28 UTC+0000
0xfffffa800dbe0060 taskhost.exe 3244 520 9 174 0 0 2022-05-29 12:13:06 UTC+0000
0xfffffa800dbab060 dllhost.exe 3364 644 9 172 1 0 2022-05-29 12:13:10 UTC+0000
0xfffffa800d8e7780 iexplore.exe 3480 2552 23 642 1 1 2022-05-29 12:13:21 UTC+0000
0xfffffa800dbe9060 iexplore.exe 3532 3480 34 661 1 1 2022-05-29 12:13:21 UTC+0000
0xfffffa800cdba060 iexplore.exe 3824 3480 23 591 1 1 2022-05-29 12:13:59 UTC+0000
0xfffffa800dbf6b30 SearchProtocol 3916 2884 7 255 1 0 2022-05-29 12:14:00 UTC+0000
0xfffffa800dbadb30 SearchFilterHo 3936 2884 5 88 0 0 2022-05-29 12:14:00 UTC+0000
0xfffffa800dda76f0 dllhost.exe 2836 644 6 86 1 0 2022-05-29 12:14:13 UTC+0000
0xfffffa800dd11790 dllhost.exe 2488 644 6 81 0 0 2022-05-29 12:14:13 UTC+0000
0xfffffa800dc8d590 DumpIt.exe 3212 2552 2 51 1 1 2022-05-29 12:14:13 UTC+0000
0xfffffa800dc92060 conhost.exe 3236 420 2 59 1 0 2022-05-29 12:14:13 UTC+0000
0xfffffa800dc32530 dllhost.exe 3420 644 6 7274596 ------ 0 2022-05-29 12:14:17 UTC+0000
Find the StikyNot.exe process and dump it; its PID is 2968.
E:\逐鹿\MISC\tools\volatility_2.6_win64_standalone>.\volatility.exe -f E:\逐鹿\第二界陇剑杯赛事练习场一\baby_forensics_1\baby_forensics.raw --profile=Win7SP1x64 memdump -p 2968 -D E:\逐鹿\第二界陇剑杯赛事练习场一\baby_forensics_1
Volatility Foundation Volatility Framework 2.6
************************************************************************
Writing StikyNot.exe [ 2968] to 2968.dmp
Change the extension to .data, open the dump in GIMP and adjust the width and height.
A string of characters becomes visible:
U2FsdGVkX195MCsw0ANs6/Vkjibq89YlmnDdY/dCNKRkixvAP6+B5ImXr2VIqBSp94qfIcjQhDxPgr9G4u++pA==
https://zhuanlan.zhihu.com/p/692447949
Decoding it directly fails, so it should be AES-encrypted and the password has to be found in the memory image. Open the image with R-Studio
and scan it.
Searching, the key file is found under the /root/Users/admin/Music directory.
Use the password qwerasdf to decrypt.
Opening the dump in 010 Editor, a string appears several times:
U2FsdGVkX195MCsw0ANs6/Vkjibq89YlmnDdY/dCNKRkixvAP6+B5ImXr2VIqBSp94qfIcjQhDxPgr9G4u++pA==
There is also something that looks like a key: qwerasdf
Decrypting with AES gives the flag directly:
flag{ad9bca48-c7b0-4bd6-b6fb-aef90090bb98}
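The "U2FsdGVkX1" prefix is base64 for "Salted__", so the string is in the OpenSSL/CryptoJS password-based format: an 8-byte salt followed by AES-256-CBC ciphertext, with key and IV derived from the password by EVP_BytesToKey. The decoder below is an added example, not the writeup's tool; it assumes the MD5-based derivation that CryptoJS and older OpenSSL releases use, and Encrypt is only there to construct a sample token offline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// Token recovered from the StikyNot.exe dump on the page; "U2FsdGVkX1" is base64 for "Salted__".
const PageToken = "U2FsdGVkX195MCsw0ANs6/Vkjibq89YlmnDdY/dCNKRkixvAP6+B5ImXr2VIqBSp94qfIcjQhDxPgr9G4u++pA=="

// evpBytesToKey is the legacy OpenSSL KDF: D_i = MD5(D_{i-1} || password || salt), concatenated
// until 32 key bytes plus 16 IV bytes exist (AES-256-CBC, the CryptoJS default).
func evpBytesToKey(password, salt []byte) (key, iv []byte) {
	var out, prev []byte
	for len(out) < 48 {
		h := md5.New()
		h.Write(prev)
		h.Write(password)
		h.Write(salt)
		prev = h.Sum(nil)
		out = append(out, prev...)
	}
	return out[:32], out[32:48]
}

// SplitSalted parses base64("Salted__" || 8-byte salt || ciphertext).
func SplitSalted(token string) (salt, ct []byte, err error) {
	raw, err := base64.StdEncoding.DecodeString(token)
	if err != nil {
		return nil, nil, err
	}
	if len(raw) < 32 || string(raw[:8]) != "Salted__" || (len(raw)-16)%aes.BlockSize != 0 {
		return nil, nil, errors.New("not an OpenSSL salted AES blob")
	}
	return raw[8:16], raw[16:], nil
}

// Decrypt recovers the plaintext from a token and a password (qwerasdf on the page).
func Decrypt(token, password string) ([]byte, error) {
	salt, ct, err := SplitSalted(token)
	if err != nil {
		return nil, err
	}
	key, iv := evpBytesToKey([]byte(password), salt)
	block, _ := aes.NewCipher(key) // key is always 32 bytes here, so no error is possible
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding: wrong password, or a different KDF or mode")
	}
	return pt[:len(pt)-n], nil
}

// Encrypt produces a token in the same format; it is here only to construct a sample
// offline so the round trip can be verified without the challenge's flag.
func Encrypt(plain []byte, password string) (string, error) {
	salt := make([]byte, 8)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	key, iv := evpBytesToKey([]byte(password), salt)
	block, _ := aes.NewCipher(key)
	n := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	blob := append(append([]byte("Salted__"), salt...), ct...)
	return base64.StdEncoding.EncodeToString(blob), nil
}
```

Decrypt(PageToken, "qwerasdf") applies it to the page's string; a bad-padding error there means the original tool derived the key differently (OpenSSL 1.1 and later default to SHA-256 in EVP_BytesToKey).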
Find the system's SearchIndexer.exe process:
┌──(holyeyes㉿kali2023)-[~/Misc/tool-misc/volatility3-develop]
└─$ python3 ./vol.py -f baby_forensics.raw windows.pslist.PsList | grep SearchIndexer
2884 520 SearchIndexer. 0xfa800edda910 14 786 0 False 2022-04-14 11:14:13.000000 N/A Disabled
┌──(holyeyes㉿kali2023)-[~/Misc/tool-misc/volatility3-develop]
└─$ python3 ./vol.py -f baby_forensics.raw windows.memmap.Memmap --pid 2884 --dump
Scan the disk files for unusual ones; a suspected key file turns up:
┌──(holyeyes㉿kali2023)-[~/Misc/tool-misc/volatility3-develop]
└─$ python3 ./vol.py -f baby_forensics.raw windows.filescan.FileScan >> filescan.txt
Dump that file; the key is recovered:
┌──(holyeyes㉿kali2023)-[~/Misc/tool-misc/volatility3-develop]
└─$ python3 ./vol.py -f baby_forensics.raw windows.dumpfiles.DumpFiles --physaddr 0x3ef3a310
Volatility 3 Framework 2.7.2
Progress: 100.00 PDB scanning finished
Cache FileObject FileName Result
DataSectionObject 0x3ef3a310 i4ak3y file.0x3ef3a310.0xfa800dbfe0d0.DataSectionObject.i4ak3y.dat
┌──(holyeyes㉿kali2023)-[~/Misc/tool-misc/volatility3-develop]
└─$ cat file.0x3ef3a310.0xfa800dbfe0d0.DataSectionObject.i4ak3y.dat
qwerasdf
You can also just dig through the memory image for content starting with U2Fsd and decrypt that, but it is a bit sloppy.
You can also write a check function to help pick out content in the memory image that might be a flag;  the script below comes from a reference article.
#!/bin/bash
check() {
    # Candidate markers: "flag" in several encodings (decimal, hex, base64), common key/password
    # words, and the base64 prefix of OpenSSL's "Salted__" header. Note that the bare "f"
    # alternative matches almost every line, so narrow the pattern before relying on the output.
    pattern="flag|==|10210897103|666c6167|464C4147|Zmxh|Wm14aFoz|f|58s4vb|2uk2h3|key|pass|pwd|password|hint|U2FsdGVkX1"
    > check.txt  # empty or create check.txt
    # 1.raw is the memory image to search
    grep -irlE "$pattern" 1.raw | while read -r file; do
        echo -e "File: $file" >> check.txt
        strings "$file" | grep -iE "$pattern" >> check.txt
        echo -e "" >> check.txt
    done
}
check  # call the check function
echo "Check finished, see check.txt"
┌──(holyeyes㉿kali2023)-[~/Misc/tool-misc/volatility3-develop]
└─$ chmod +x check
┌──(holyeyes㉿kali2023)-[~/Misc/tool-misc/volatility3-develop]
└─$ ./check > check.txt