服务器取证

先对网站进行重构

[root@study ~]# docker ps
CONTAINER ID   IMAGE                           COMMAND                  CREATED       STATUS         PORTS                                                 NAMES
643626ab3d8b   mattermost/mattermost-preview   "/bin/sh -c ./docker…"   2 weeks ago   Up 9 minutes   5432/tcp, 0.0.0.0:8065->8065/tcp, :::8065->8065/tcp   mattermost-preview

需要绕密，dockerhub找一下dockerfile

# Copyright (c) 2016-present Mattermost, Inc. All Rights Reserved.
# See License.txt for license information.
FROM postgres:12RUN apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 467B942D3A79BD29
RUN apt-get update && apt-get install -y ca-certificates#
# Configure SQL
#ENV POSTGRES_USER=mmuser
ENV POSTGRES_PASSWORD=mostest
ENV POSTGRES_DB=mattermost_test#
# Configure Mattermost
#
WORKDIR /mm# Copy over files
ADD https://releases.mattermost.com/9.7.1/mattermost-team-9.7.1-linux-amd64.tar.gz .
RUN tar -zxvf mattermost-team-*-linux-amd64.tar.gz
ADD config_docker.json ./mattermost/config/config_docker.json
ADD docker-entry.sh .RUN chmod +x ./docker-entry.sh
ENTRYPOINT ./docker-entry.sh# Mattermost environment variables
ENV PATH="/mm/mattermost/bin:${PATH}"# Create default storage directory
RUN mkdir ./mattermost-data
VOLUME /mm/mattermost-data# Ports
EXPOSE 8065

[root@study ~]# docker inspect 64
[{"Id": "643626ab3d8b5930412e228e024172af9808aa456d155044e9feeb2b97711526","Created": "2024-04-24T02:21:19.985981238Z","Path": "/bin/sh","Args": ["-c","./docker-entry.sh"],"State": {"Status": "running","Running": true,"Paused": false,"Restarting": false,"OOMKilled": false,"Dead": false,"Pid": 2463,"ExitCode": 0,"Error": "","StartedAt": "2024-05-11T08:58:55.485926293Z","FinishedAt": "2024-04-26T03:00:09.909047728Z"},"Image": "sha256:5837cec062188c67f040bce24559c299a1745ccda8793ebe56b9e72e66c3b7ce","ResolvConfPath": "/var/lib/docker/containers/643626ab3d8b5930412e228e024172af9808aa456d155044e9feeb2b97711526/resolv.conf","HostnamePath": "/var/lib/docker/containers/643626ab3d8b5930412e228e024172af9808aa456d155044e9feeb2b97711526/hostname","HostsPath": "/var/lib/docker/containers/643626ab3d8b5930412e228e024172af9808aa456d155044e9feeb2b97711526/hosts","LogPath": "/var/lib/docker/containers/643626ab3d8b5930412e228e024172af9808aa456d155044e9feeb2b97711526/643626ab3d8b5930412e228e024172af9808aa456d155044e9feeb2b97711526-json.log","Name": "/mattermost-preview","RestartCount": 0,"Driver": "overlay2","Platform": "linux","MountLabel": "","ProcessLabel": "","AppArmorProfile": "","ExecIDs": null,"HostConfig": {"Binds": null,"ContainerIDFile": "","LogConfig": {"Type": "json-file","Config": {}},"NetworkMode": "bridge","PortBindings": {"8065/tcp": [{"HostIp": "","HostPort": "8065"}]},"RestartPolicy": {"Name": "always","MaximumRetryCount": 0},"AutoRemove": false,"VolumeDriver": "","VolumesFrom": null,"ConsoleSize": [50,180],"CapAdd": null,"CapDrop": null,"CgroupnsMode": "host","Dns": [],"DnsOptions": [],"DnsSearch": [],"ExtraHosts": null,"GroupAdd": null,"IpcMode": "private","Cgroup": "","Links": null,"OomScoreAdj": 0,"PidMode": "","Privileged": false,"PublishAllPorts": false,"ReadonlyRootfs": false,"SecurityOpt": null,"UTSMode": "","UsernsMode": "","ShmSize": 67108864,"Runtime": "runc","Isolation": "","CpuShares": 0,"Memory": 0,"NanoCpus": 0,"CgroupParent": "","BlkioWeight": 0,"BlkioWeightDevice": [],"BlkioDeviceReadBps": [],"BlkioDeviceWriteBps": [],"BlkioDeviceReadIOps": [],"BlkioDeviceWriteIOps": [],"CpuPeriod": 0,"CpuQuota": 0,"CpuRealtimePeriod": 0,"CpuRealtimeRuntime": 0,"CpusetCpus": "","CpusetMems": "","Devices": [],"DeviceCgroupRules": null,"DeviceRequests": null,"MemoryReservation": 0,"MemorySwap": 0,"MemorySwappiness": null,"OomKillDisable": false,"PidsLimit": null,"Ulimits": [],"CpuCount": 0,"CpuPercent": 0,"IOMaximumIOps": 0,"IOMaximumBandwidth": 0,"MaskedPaths": ["/proc/asound","/proc/acpi","/proc/kcore","/proc/keys","/proc/latency_stats","/proc/timer_list","/proc/timer_stats","/proc/sched_debug","/proc/scsi","/sys/firmware","/sys/devices/virtual/powercap"],"ReadonlyPaths": ["/proc/bus","/proc/fs","/proc/irq","/proc/sys","/proc/sysrq-trigger"]},"GraphDriver": {"Data": {"LowerDir": "/var/lib/docker/overlay2/71b9be5f1a80cd6fc1d90755adfd24feafdeef72868827c602da7e6269ba7357-init/diff:/var/lib/docker/overlay2/b12cb00e51f445afd8da7a70f32a1d5ecede54d6008650db22ef0d963e3b0750/diff:/var/lib/docker/overlay2/3ad290538d2e6e47048493bc73f18ac88ffa5e60b6690d70be9ba6d0ace4def0/diff:/var/lib/docker/overlay2/0f826b0d9a37938457854661a0f6dfff310a8b42b5309593bc3310453d301438/diff:/var/lib/docker/overlay2/13649905eef69084552c8ceeb5efa0e7d5dad075c2484cb6b35a57c1e1cc5f0a/diff:/var/lib/docker/overlay2/cb87a5a839d21f40d5872f078352c0bac1265926d07dd981a99afc48bd7ba2b9/diff:/var/lib/docker/overlay2/bc95db335b6262cfb52d350f32194d3bfad897674eff2a60217252357564b4e2/diff:/var/lib/docker/overlay2/a8429a37877ac7ba2f698642856d51cd904679ddcaaf9647d3a3c8a9b3dce797/diff:/var/lib/docker/overlay2/1c86ae8ef7388378ae91475a2db24910a0d889427f76a2272408e890b330d170/diff:/var/lib/docker/overlay2/d40a787f00c6e599e908c76d3d4e9e1406a4f7f40c02af78d6fa14d945862b2d/diff:/var/lib/docker/overlay2/e4fce9779794d80acb0d85325e129a218bd6c41c8cb71d238ef869ec173c0314/diff:/var/lib/docker/overlay2/6ce5159b8a30b86803f86daa0c3fd339aff6e115c896516a6197daea982ef6bf/diff:/var/lib/docker/overlay2/7463eecf1ff79567e61d119af16b6b1abb9de71001cdeb9bc7bd2593eae308d8/diff:/var/lib/docker/overlay2/2a1faa98aa8157720bf999caa5a5e42518b28531aefa0dbd12f178f674c96441/diff:/var/lib/docker/overlay2/ce745a21a53f7f5b1d6ed78056bb8330690e038a558bc8ce582ad60ab76b6b7c/diff:/var/lib/docker/overlay2/02985b05c68f2ac389bf285324b2a2ed838e31b05fd370469ecc9bb385cb0c60/diff:/var/lib/docker/overlay2/8f136f0c593d4b9d74d284bd258bc3261050575c6cf6dea63ebf56513c1996f7/diff:/var/lib/docker/overlay2/afbb37f8d7cab97b702d582bbea1fcf3b611f92f0807d7ea4a1d5d7dd66738d2/diff:/var/lib/docker/overlay2/b9ea5c12870589b8bacc2edf8f27c5126d782e766d1b114b422420051392ca3d/diff:/var/lib/docker/overlay2/2fe9c20c382a4c4288f42d7876a1e9b610b809ac9c7e711bf78fdea2c4191e73/diff:/var/lib/docker/overlay2/3fb2ba45147b305f4cb811660f44c514b96c7565039bc0b0b475ce89f298aa5c/diff:/var/lib/docker/overlay2/63b8deae07e319a92b51ba7636506207ab299aeac6134f6dc4462e97f4d90bd6/diff:/var/lib/docker/overlay2/32df7c0b96e23cdeb134a1c1f6369afbdfaced9563c5dec05dba5722ccd70988/diff:/var/lib/docker/overlay2/7d8a3a4b10a26c7d31398139a71f00a7e48e3c266a79ceb04ce83be0a45ccea3/diff","MergedDir": "/var/lib/docker/overlay2/71b9be5f1a80cd6fc1d90755adfd24feafdeef72868827c602da7e6269ba7357/merged","UpperDir": "/var/lib/docker/overlay2/71b9be5f1a80cd6fc1d90755adfd24feafdeef72868827c602da7e6269ba7357/diff","WorkDir": "/var/lib/docker/overlay2/71b9be5f1a80cd6fc1d90755adfd24feafdeef72868827c602da7e6269ba7357/work"},"Name": "overlay2"},"Mounts": [{"Type": "volume","Name": "058817fe9d6fb657d5d572e35f3ef4509971821789934c4926d4243b10323388","Source": "/var/lib/docker/volumes/058817fe9d6fb657d5d572e35f3ef4509971821789934c4926d4243b10323388/_data","Destination": "/mm/mattermost-data","Driver": "local","Mode": "","RW": true,"Propagation": ""},{"Type": "volume","Name": "0191a7eb6e2b65e7261d97b3e3d27ddeced2907e44251e2cc012c09ccb1592f2","Source": "/var/lib/docker/volumes/0191a7eb6e2b65e7261d97b3e3d27ddeced2907e44251e2cc012c09ccb1592f2/_data","Destination": "/var/lib/postgresql/data","Driver": "local","Mode": "","RW": true,"Propagation": ""}],"Config": {"Hostname": "643626ab3d8b","Domainname": "","User": "","AttachStdin": false,"AttachStdout": false,"AttachStderr": false,"ExposedPorts": {"5432/tcp": {},"8065/tcp": {}},"Tty": false,"OpenStdin": false,"StdinOnce": false,"Env": ["PATH=/mm/mattermost/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/lib/postgresql/12/bin","GOSU_VERSION=1.17","LANG=en_US.utf8","PG_MAJOR=12","PG_VERSION=12.18-1.pgdg120+2","PGDATA=/var/lib/postgresql/data","POSTGRES_USER=mmuser","POSTGRES_PASSWORD=mostest","POSTGRES_DB=mattermost_test"],"Cmd": null,"Image": "mattermost/mattermost-preview","Volumes": {"/mm/mattermost-data": {},"/var/lib/postgresql/data": {}},"WorkingDir": "/mm","Entrypoint": ["/bin/sh","-c","./docker-entry.sh"],"OnBuild": null,"Labels": {},"StopSignal": "SIGINT"},"NetworkSettings": {"Bridge": "","SandboxID": "65103f1a1a02027fd9580df1876f0fefef641296e363607fa43271d67fe30ca0","SandboxKey": "/var/run/docker/netns/65103f1a1a02","Ports": {"5432/tcp": null,"8065/tcp": [{"HostIp": "0.0.0.0","HostPort": "8065"},{"HostIp": "::","HostPort": "8065"}]},"HairpinMode": false,"LinkLocalIPv6Address": "","LinkLocalIPv6PrefixLen": 0,"SecondaryIPAddresses": null,"SecondaryIPv6Addresses": null,"EndpointID": "5ab473e8313fe68acf442f4e44948ff480ae46322727789828668443d16c0ea4","Gateway": "172.17.0.1","GlobalIPv6Address": "","GlobalIPv6PrefixLen": 0,"IPAddress": "172.17.0.2","IPPrefixLen": 16,"IPv6Gateway": "","MacAddress": "02:42:ac:11:00:02","Networks": {"bridge": {"IPAMConfig": null,"Links": null,"Aliases": null,"MacAddress": "02:42:ac:11:00:02","NetworkID": "0ddfa819cbcdbceb6d20ee3efd7140bad6a138bf58404943deda3394867ba547","EndpointID": "5ab473e8313fe68acf442f4e44948ff480ae46322727789828668443d16c0ea4","Gateway": "172.17.0.1","IPAddress": "172.17.0.2","IPPrefixLen": 16,"IPv6Gateway": "","GlobalIPv6Address": "","GlobalIPv6PrefixLen": 0,"DriverOpts": null,"DNSNames": null}}}}
]

进数据库

这似曾相识的密码，bcrypt

至此IM服务器重构成功，接着重构web服务器

加个hosts直接访问

但是数据库没东西，看后面题目知道做了备份

[root@wns ~]# crontab -l
*/5 * * * *  flock -xn /www/server/cron/e5b996fee678856191a1f336d0996b33.lock -c /www/server/cron/e5b996fee678856191a1f336d0996b33 >> /www/server/cron/e5b996fee678856191a1f336d0996b33.log 2>&10 0 * * 0 /root/backup.sh

/root/backup.sh

#!/bin/bashDB_USER="root"
DB_PASSWORD="root"
DB_NAME="2828"
BACKUP_PATH="/root/backup"cd $BACKUP_PATHDATE=$(date +%Y%m%d%H%M%S)AES_PASS=$(echo -n "$DB_NAME" | openssl enc -aes-256-cbc -a -salt -pass pass:mysecretpassword -nosalt)BACKUP_FILE_NAME="${DB_NAME}_${DATE}.sql"mysqldump -u $DB_USER -p$DB_PASSWORD $DB_NAME > $BACKUP_FILE_NAMEFile_Name="${DB_NAME}.sql.gz"tar -czvf - $BACKUP_FILE_NAME | openssl des3 -salt -k $AES_PASS -out $File_Namerm -rf  $BACKUP_FILE_NAMEmysqladmin -u $DB_USER -p$DB_PASSWORD drop $DB_NAME --force

稍微修改一下

#!/bin/bashDB_USER="root"
DB_PASSWORD="root"
DB_NAME="2828"
BACKUP_PATH="/root/backup"cd $BACKUP_PATHDATE=$(date +%Y%m%d%H%M%S)AES_PASS=$(echo -n "$DB_NAME" | openssl enc -aes-256-cbc -a -salt -pass pass:mysecretpassword -nosalt)echo $AES_PASSBACKUP_FILE_NAME="${DB_NAME}_${DATE}.sql"#mysqldump -u $DB_USER -p$DB_PASSWORD $DB_NAME > $BACKUP_FILE_NAMEFile_Name="${DB_NAME}.sql.gz"#tar -czvf - $BACKUP_FILE_NAME | openssl des3 -salt -k $AES_PASS -out $File_Name#rm -rf  $BACKUP_FILE_NAME#mysqladmin -u $DB_USER -p$DB_PASSWORD drop $DB_NAME --force

[root@wns backup]# openssl des3 -d -salt -k "IvPGP/8vfTLtzQfJTmQhYg==" -in 2828.sql.gz -out 2828_decrypted.sql.gz
[root@wns backup]# gunzip 2828_decrypted.sql.gz
[root@wns backup]# ls
2828_decrypted.sql  2828.sql.gz
[root@wns backup]# cat 2828_decrypted.sql | head -n 10
2828_20240427154000.sql0000644000000000000000216675436014613125726012403 0ustar  rootroot-- MySQL dump 10.13  Distrib 5.7.40, for Linux (x86_64)
--
-- Host: localhost    Database: 2828
-- ------------------------------------------------------
-- Server version       5.7.40-log/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8 */;

常规后台绕密

自己手动重定向一下

这两个服务器都重构好了

分析内部IM服务器检材，在搭建的内部即时通讯平台中，客户端与服务器的通讯端口是：[答案格式：8888][★☆☆☆☆]

[root@study ~]# docker inspect 643626ab3d8b | grep -i port"PortBindings": {"HostPort": "8065""PublishAllPorts": false,"ExposedPorts": {"Ports": {"HostPort": "8065""HostPort": "8065"

分析内部IM服务器检材，该内部IM平台使用的数据库版本是： [答案格式：12.34][★★☆☆☆]

[root@study ~]# docker inspect 643626ab3d8b | grep -i version"GOSU_VERSION=1.17","PG_VERSION=12.18-1.pgdg120+2",

分析内部IM服务器检材，该内部IM平台中数据库的名称是：[答案格式：小写][★★☆☆☆]

[root@study ~]# docker inspect 643626ab3d8b | grep -i db"BlkioDeviceReadBps": [],"LowerDir": "/var/lib/docker/overlay2/71b9be5f1a80cd6fc1d90755adfd24feafdeef72868827c602da7e6269ba7357-init/diff:/var/lib/docker/overlay2/b12cb00e51f445afd8da7a70f32a1d5ecede54d6008650db22ef0d963e3b0750/diff:/var/lib/docker/overlay2/3ad290538d2e6e47048493bc73f18ac88ffa5e60b6690d70be9ba6d0ace4def0/diff:/var/lib/docker/overlay2/0f826b0d9a37938457854661a0f6dfff310a8b42b5309593bc3310453d301438/diff:/var/lib/docker/overlay2/13649905eef69084552c8ceeb5efa0e7d5dad075c2484cb6b35a57c1e1cc5f0a/diff:/var/lib/docker/overlay2/cb87a5a839d21f40d5872f078352c0bac1265926d07dd981a99afc48bd7ba2b9/diff:/var/lib/docker/overlay2/bc95db335b6262cfb52d350f32194d3bfad897674eff2a60217252357564b4e2/diff:/var/lib/docker/overlay2/a8429a37877ac7ba2f698642856d51cd904679ddcaaf9647d3a3c8a9b3dce797/diff:/var/lib/docker/overlay2/1c86ae8ef7388378ae91475a2db24910a0d889427f76a2272408e890b330d170/diff:/var/lib/docker/overlay2/d40a787f00c6e599e908c76d3d4e9e1406a4f7f40c02af78d6fa14d945862b2d/diff:/var/lib/docker/overlay2/e4fce9779794d80acb0d85325e129a218bd6c41c8cb71d238ef869ec173c0314/diff:/var/lib/docker/overlay2/6ce5159b8a30b86803f86daa0c3fd339aff6e115c896516a6197daea982ef6bf/diff:/var/lib/docker/overlay2/7463eecf1ff79567e61d119af16b6b1abb9de71001cdeb9bc7bd2593eae308d8/diff:/var/lib/docker/overlay2/2a1faa98aa8157720bf999caa5a5e42518b28531aefa0dbd12f178f674c96441/diff:/var/lib/docker/overlay2/ce745a21a53f7f5b1d6ed78056bb8330690e038a558bc8ce582ad60ab76b6b7c/diff:/var/lib/docker/overlay2/02985b05c68f2ac389bf285324b2a2ed838e31b05fd370469ecc9bb385cb0c60/diff:/var/lib/docker/overlay2/8f136f0c593d4b9d74d284bd258bc3261050575c6cf6dea63ebf56513c1996f7/diff:/var/lib/docker/overlay2/afbb37f8d7cab97b702d582bbea1fcf3b611f92f0807d7ea4a1d5d7dd66738d2/diff:/var/lib/docker/overlay2/b9ea5c12870589b8bacc2edf8f27c5126d782e766d1b114b422420051392ca3d/diff:/var/lib/docker/overlay2/2fe9c20c382a4c4288f42d7876a1e9b610b809ac9c7e711bf78fdea2c4191e73/diff:/var/lib/docker/overlay2/3fb2ba45147b305f4cb811660f44c514b96c7565039bc0b0b475ce89f298aa5c/diff:/var/lib/docker/overlay2/63b8deae07e319a92b51ba7636506207ab299aeac6134f6dc4462e97f4d90bd6/diff:/var/lib/docker/overlay2/32df7c0b96e23cdeb134a1c1f6369afbdfaced9563c5dec05dba5722ccd70988/diff:/var/lib/docker/overlay2/7d8a3a4b10a26c7d31398139a71f00a7e48e3c266a79ceb04ce83be0a45ccea3/diff","POSTGRES_DB=mattermost_test""SandboxID": "65103f1a1a02027fd9580df1876f0fefef641296e363607fa43271d67fe30ca0","SandboxKey": "/var/run/docker/netns/65103f1a1a02","NetworkID": "0ddfa819cbcdbceb6d20ee3efd7140bad6a138bf58404943deda3394867ba547",

分析内部IM服务器检材，该内部IM平台中当前数据库一共有多少张表：[答案格式：1][★★☆☆☆]

分析内部IM服务器检材，员工注册的邀请链接中，邀请码是：[答案格式：小写数字字母][★★★☆☆]

分析内部IM服务器检材，用户yiyan一共给fujiya发送了几个视频文件：[答案格式：数字][★★★☆☆]

分析内部IM服务器检材，用户yiyan在团队群组中发送的视频文件的MD5值是：[答案格式：小写][★★★☆☆]

分析内部IM服务器检材，一个团队中允许的最大用户数是：[答案格式：数字][★★★★☆]

分析内部IM服务器检材，黑客是什么时候开始攻击：[答案格式：2024-01-01-04-05][★★★☆☆]

分析网站服务器检材，网站搭建使用的服务器管理软件当前版本是否支持32位系统：[答案格式：是/否][★☆☆☆☆]

[root@wns ~]# cat install.sh | grep 32位Red_Error "抱歉, 当前面板版本不支持32位系统, 请使用64位系统或安装宝塔5.9!";echo -e "宝塔面板不支持32位系统进行安装，请使用64位系统/服务器架构进行安装宝塔"

分析网站服务器检材，数据库备份的频率是一周多少次：[答案格式：1][★★☆☆☆]

[root@wns ~]# crontab -l
*/5 * * * *  flock -xn /www/server/cron/e5b996fee678856191a1f336d0996b33.lock -c /www/server/cron/e5b996fee678856191a1f336d0996b33 >> /www/server/cron/e5b996fee678856191a1f336d0996b33.log 2>&10 0 * * 0 /root/backup.sh

分析网站服务器检材，数据库备份生成的文件的密码是：[答案格式：admin][★★☆☆☆]

[root@wns ~]# sh backup.sh 
IvPGP/8vfTLtzQfJTmQhYg==

分析网站服务器检材，网站前台首页的网站标题是：[答案格式：百度][★★★☆☆]

分析网站服务器检材，受害人第一次成功登录网站的时间是：[答案格式：2024-01-01-04-05][★★★☆☆]

分析网站服务器检材，前台页面中，港澳数字竞猜游戏中，进入贵宾厅最低点数是：[答案格式：1234][★★★☆☆]

找个用户，密码哈希替换一下

分析网站服务器检材，受害人在平台一共盈利了多少钱：[答案格式：12][★★☆☆☆]

分析网站服务器检材，网站根目录下，哪个路径存在漏洞：[答案格式：/Admin/User/register.php][★★★☆☆]

分析网站服务器检材，黑客通过哪个文件上传的木马文件：[答案格式：test.php][★☆☆☆☆]

分析网站服务器检材，网站使用的数据库前缀是：[答案格式：test_][★☆☆☆☆]

分析网站服务器检材，木马文件的密码是：[答案格式：123] [★☆☆☆☆]

d盾那里有

人工智能取证

本系列题需要bitlocker解开后才能作答

GPT-SoVITS整合包部署及使用教程 - 哔哩哔哩 (bilibili.com)

拿到后粗略看一眼，GPT是换声音的，Rope是换脸的，里面还有个secret是一个爆炸策划

软件里面有个encrypt.exe加密后的文件后面会带-cn

分析义言的计算机检材，一共训练了多少个声音模型：[答案格式：123][★★☆☆☆]

每一个点进去都是由train.log的

分析义言的计算机检材，声音模型voice2，一共训练了多少条声音素材：[答案格式：123][★★☆☆☆]

分析义言的计算机检材，声音模型voice3，一共训练了多少轮：[答案格式：123][★★★☆☆]

分析义言的计算机检材，声音克隆工具推理生成语音界面的监听端口是：[答案格式：1234][★★★★☆]

分析义言的计算机检材，电脑中视频文件有几个被换过脸：[答案格式:10][★★★★★]

分析义言的计算机检材，换脸AI程序默认换脸视频文件名是：[答案格式：test.mp4][★★☆☆☆]

分析义言的计算机检材，换脸AI程序默认换脸图片的文件名称：[答案格式：abc.abc][★★☆☆☆]

分析义言的计算机检材，换脸AI程序模型文件数量是多少个：[答案格式：10][★★☆☆☆]

计算机取证

分析伏季雅的计算机检材，计算机最后一次错误登录时间是：[答案格式：2024-01-01-04-05-06][★☆☆☆☆]

分析伏季雅的计算机检材，计算机中曾经浏览过的电影名字是：[答案格式：《奥本海默》] [★☆☆☆☆]

分析伏季雅的计算机检材，计算机中团队内部即时通讯软件的最后一次打开的时间是：[答案格式：2024-01-01-04-05-06][★☆☆☆☆]

分析伏季雅的计算机检材，计算机中有一款具备虚拟视频功能的软件，该软件合计播放了多少个视频：[答案格式：3][★☆☆☆☆]

接上题，该软件的官网地址是：[答案格式：https://www.baidu.com][★☆☆☆☆]

接上题，该软件录制数据时，设置的帧率是：[答案格式：20][★☆☆☆☆]

分析伏季雅的计算机检材，在团队内部使用的即时通讯软件中，其一共接收了多少条虚拟语音：[答案格式：2][★☆☆☆☆]

分析毛雪柳的计算机检材，计算机插入三星固态盘的时间是：[答案格式：2024-01-01-04-05-06][★☆☆☆☆]

分析毛雪柳的计算机检材，计算机操作系统当前的Build版本是：[答案格式：17786][★☆☆☆☆]

分析毛雪柳的计算机检材，团队内部使用的即时通讯软件在计算机上存储日志的文件名是：[答案格式：log.log，区分大小写][★☆☆☆☆]

分析毛雪柳的计算机检材，伏季雅一月份实发工资的金额是：[答案格式：1234][★★★☆☆]

回收站里有一个密码一个账本，密码.doc是假的

输错两次后会提示梭哈，尝试了各种隐写之后发现。。。真正的密码在毛雪柳的手机的图片里

共有5个sheet

分析毛雪柳的计算机检材，该团伙三月份的盈余多少：[答案格式：1234][★★★☆☆]

分析义言的计算机检材，计算机连接过的三星移动硬盘T7的序列号是：[答案格式：大写字母和数字][★☆☆☆☆]

分析义言的计算机检材，计算机的最后一次正常关机时间是：[答案格式：2024-01-01-04-05-06][★☆☆☆☆]

分析义言的计算机检材，曾经使用工具连接过数据库，该数据库的密码是：[答案格式：admin][★☆☆☆☆]

分析义言的计算机检材，计算机中安装的xshell软件的版本号是：[答案格式：Build-0000][★☆☆☆☆]

分析义言的计算机检材，曾使用shell工具连接过服务器，该服务器root用户的密码是：[答案格式：admin][★★★☆☆]

还有一种手工方法

FinalShell默认配置文件地址：

%userprofile%\AppData\Local\finalshell\conn\xxx.json

工具下载地址：https://github.com/passer-W/FinalShell-Decoder

分析义言的计算机检材，计算机曾接收到一封钓鱼邮件，该邮件发件人是：[答案格式： abc@abc.abc][★★☆☆☆]

接上题，钓鱼邮件中附件的大小是多少MB：[答案格式：12.3][★★☆☆☆]

接上题，上述附件解压运行后，文件的释放位置是：[答案格式：D:\Download\test][★★☆☆☆]

接上题，恶意木马文件的MD5 值是：[答案格式：小写][★★☆☆☆]

接上题，恶意木马文件的回连IP地址是：[答案格式：127.0.0.1][★★☆☆☆]

分析伏季雅的计算机检材，计算机中团队内部即时通讯软件的最后一次打开的时间是：[答案格式：2024-01-01-04-05-06][★☆☆☆☆]

分析义言的计算机检材，计算机中保存的有隐写痕迹的文件名：[答案格式：abc.abc][★★★☆☆]

bitlocker解开后重新跑一次取证

分析义言的计算机检材，保存容器密码的文件大小是多少字节：[答案格式：123][★★★☆☆]

回收站有个lsb隐写工具

在本地测试后隐写后的图片会变成bmp格式

提取

火眼爆搜bmp格式，从大往下，有几个感觉比较可疑

导出后解密

解密vc

里面都是encrypt.exe里加密过的

答案

分析义言的计算机内存检材，该内存镜像制作时间(UTC+8)是：[答案格式：2024-01-01-04-05][★★☆☆☆]

分析义言的计算机内存检材，navicat.exe的进程ID是：[答案格式：123][★★☆☆☆]

IPA取证

分析毛雪柳的手机检材，记账APP存储记账信息的数据库文件名称是：[答案格式：tmp.db，区分大小写][★★★★☆]

分析毛雪柳的手机检材，记账APP中，2月份总收入金额是多少：[答案格式：1234][★★★★★]

这个文件需要用realm studio打开

分析毛雪柳的手机检材，手机中团队内部使用的即时通讯软件中，团队老板的邮箱账号是：[答案格式：abc@abc.com][★★★☆☆]

服务器顺下来就知道，也不用看数据库

gxyt@163.com

接上题，该内部即时通讯软件中，毛雪柳和老板的私聊频道中，老板加入私聊频道的时间是：[答案格式：2024-01-01-04-05-06][★★★☆☆]

接上题，该私聊频道中，老板最后一次发送聊天内容的时间是：[答案格式：2024-01-01-04-05-06][★★★☆☆]

APK取证

分析伏季雅的手机检材，手机中诈骗APP的包名是：[答案格式：abc.abc.abc，区分大小写][★☆☆☆☆]

分析伏季雅的手机检材，手机中诈骗APP连接的服务器地址是：[答案格式：127.0.0.1][★☆☆☆☆]

别的忽略，，，我们校园网的包

分析伏季雅的手机检材，手机中诈骗APP的打包ID是：[答案格式：_abc_abc.abc，区分大小写][★☆☆☆☆]

分析伏季雅的手机检材，手机中诈骗APP的主启动项是：[答案格式：abc.abc.abc，区分大小写][★☆☆☆☆]

分析义言的手机检材，分析团队内部使用的即时通讯软件，该软件连接服务器的地址是：[答案格式：127.0.0.1][★★☆☆☆]

IM服务器的ip地址：192.168.137.97

接上题，该软件存储聊天信息的数据库文件名称是：[答案格式：abc.abc，区分大小写][★★☆☆☆]

接上题，该即时通讯软件中，团队内部沟通群中，一共有多少个用户：[答案格式：1][★★☆☆☆]

接上题，该即时通讯应用的版本号是：[答案格式：1.1.1][★★☆☆☆]

接上题，该即时通讯应用中，团队内部沟通中曾发送了一个视频文件，该视频文件发送者的用户名是：[答案格式：abc][★★★★☆]

yiyan

file表格里面，每个文件都有对应的发送id

带着post_id到post表里面去查，找到对应消息记录的user_id

带着user_id去user表里面去查，得到username

接上题，分析该即时通讯的聊天记录，团队购买了一个高性能显卡，该显卡的显存大小是：[答案格式：20G][★★☆☆☆]

分析义言的手机检材，手机中装有一个具备隐藏功能的APP，该APP启动设置了密码，设置的密码长度是多少位：[答案格式：5][★★★★☆]

这边是搜包名的时候运气好碰到老外的分析记录，直接把其成果拿来用了

https://theincidentalchewtoy.wordpress.com/2021/12/07/decrypting-the-calculator-apps/

实际上有更明了的做法——直接hook安卓加密库，然后就能发现几乎所有的字符串都是使用AES(而且是使用同一个密钥和iv解的)

除此之外，hook文件操作方法，还有大量对/data/user/0/com.hld.anzenbokusufake/shared_prefs/share_privacy_safe.xml的写入操作

所以可以定位到share_privacy_safe.xml这个文件，把里面的字符串进行解密即可

接上题，分析上述隐藏功能的APP，一共隐藏了多少个应用：[答案格式：1][★★★★☆]

这里是文章里面没有的。静态分析因为强混淆所以不是很好搞，这里继续hook文件操作方法，随便加密几个文件之后就能hook到写出文件的路径了——/storage/emulated/0/.privacy_safe

接上题，分析上述隐藏功能的APP，该APP一共加密了多少个文件：[答案格式：][★★★★☆]

数据库是加密的，需要使用DB Browser for SQLCipher.exe加上密码Rny48Ni8aPjYCnUI去打开这个db文件

接上题，分析上述隐藏功能的APP，该APP加密了一份含有公民隐私信息的文件，该文件的原始名称是：[答案格式：abc.txt][★★★★☆]

公民信息.xlsx

分析义言的手机检材，马伟的手机号码是：[答案格式：13012341234][★★★★☆]

解密也是使用Rny48Ni8aPjYCnUI加上AES算法即可

分析义言的手机检材，手机中存有一个BitLocker恢复密钥文件，文件已被加密，原始文件的MD5值是：[答案格式：小写字母和数字][★★★★☆]

解出来的结果里是gb2312编码存储的bitlocker文件

手机取证

分析伏季雅的手机检材，手机的安卓ID是：[答案格式：小写字母和数字][★☆☆☆☆]

分析伏季雅的手机检材，手机型号是：[答案格式：HUAWEI-FL56T][★☆☆☆☆]

分析伏季雅的手机检材，其和受害人视频通话的时间是：[答案格式：2024-01-01-04-05][★☆☆☆☆]

分析伏季雅的手机检材，手机中安装了一款记账APP，该记账APP存储记账信息的数据库名称是：[答案格式：abcabc，区分大小写][★☆☆☆☆]

\嫌疑人\伏季雅\手机\Samsung\data\data\com.bookmark.money\databases\MoneyLoverS2

接上题，该记账APP登录的邮箱账号是：[答案格式：abc@abc.com][★★★☆☆]

接上题，该记账APP中记录的所有收入金额合计是：[答案格式：1234][★★★☆☆]

SELECTSUM( transactions.amount ) 
FROM"transactions",categories 
WHEREcategories.cat_id == transactions.cat_id AND categories.cat_type == 1;

接上题，分析该记账APP中的消费记录，统计从2022-3-1（含）到2023-12-1（含）期间，用于交通的支出费用合计是：[答案格式：1234][★★★☆☆]

SELECTSUM( transactions.amount ) 
FROM"transactions",categories 
WHEREcategories.cat_id == transactions.cat_id AND categories.cat_type == 2 AND categories.cat_id == 19 AND transactions.created_date >= '2022-03-01' AND transactions.created_date <= '2023-12-01';

分析毛雪柳的手机检材，手机中有一个记账APP，该APP的应用名称是：[答案格式：Telegram，区分大小写][★☆☆☆☆]

分析义言的手机检材，手机中登录的谷歌邮箱账号是：[答案格式：abc@gmail.com][★★☆☆☆]

分析义言的手机检材，手机的MTP序列号是：[答案格式：大写字母和数字][★★☆☆☆]

分析义言的手机检材，除系统自带的浏览器外，手机中安装了一款第三方浏览器，该浏览器的应用名称是：[答案格式：百度浏览器][★★☆☆☆]

接上题，上述浏览器最后一次搜索的关键字是：[答案格式：百度][★★☆☆☆]

见上

接上题，该浏览器最后一次收藏的网址是：[答案格式：https://baidu.com/acc/123412341234123/][★★★☆☆]

分析义言的手机检材，其所购买的公民信息数据，该数据提供者的手机号码是：[答案格式：13012341234][★☆☆☆☆]

接上题，卖家的收款地址：[答案格式：小写字母和数字][★☆☆☆☆]

接上题，购买上述公民信息，义言一共支付了多少钱：[答案格式：0.000123BTC][★☆☆☆☆]

交易hash:4630a72ad8e7339e553cdba67a1dc7d33716a1db0cf7b44ec281ae08ac6249f8

发送地址：bc1puq3evrtuaky9sk08sf5dnmjfx4yuwc5c63ylzy05jcc9nqx267aqcv7fjf

因为答案格式为精度到小数点后6位，所以把交易记录导出然后精确计算

接上题，该笔交易产生的手续费是多少：[答案格式：0.000123BTC][★★☆☆☆]

手续费链必追没法直接查高精度，直接拿交易哈希去官网浏览器查

0.000061

0.000061

总共0.000122BTC

总结

有两位蓝桥杯人才在，我躺的很舒服

如有纰漏，欢迎微信交流：WQZ1127786222

Galaxy#b3nguang

2024.5.12