Rayi
2020 Chang'an Cup Forensics Competition: Partial Write-up
2020/10/28 WriteUp Forensics

2020 Chang'an Cup

Stage 1

Case brief: following a tip from the public, the website "www.kkzjc.com" is suspected of being used for illegal trading. Police obtained a disk image of the site's cloud server (evidence item 1, file "1.DD").

Analyze evidence item 1, extract evidence, unlock further evidence items from the clues found, and dig out as much case-related information as possible.

image-20201024170644877

Seen while booting the image in the emulator:

image-20201024170710096

In the end the emulation would not boot because of Hyper-V.

Browsing the file system confirms it as well:

image-20201024170802839

image-20201024170815567

Why isn't it 3.10.0-957?

image-20201024172017497

image-20201024171348994

Forensic Master (取证大师) shows that partition 2 is an LVM volume.

Total sector count of the disk:

image-20201024212358570

Subtracting gives:

image-20201024212510740

image-20201024171356347

Inspect the nginx configuration file:

image-20201024171736066

image-20201024171402446

The nginx configuration directory contains the configuration files for three sites:

image-20201024171635085

image-20201024171408674

Because the host nginx proxies requests to a Docker container, the next place to look is the nginx access log inside that container. The container's nginx log files are symlinked to /dev/stdout, so nothing is written inside the container's file system; the log lines are captured by the Docker logging driver and have to be read from the host with the docker logs command.

image-20201024214054240

docker logs <container-id>

In the Docker logs, the Referer header shows the requests came from 192.168.99.3:

image-20201024213746803

image-20201024171417994

image-20201024215605260

The SSH log contains two IP addresses, but combining it with question 9 I know the answer is 192.168.99.222.

image-20201024213848250

image-20201024171424683

Enter the Docker container and look at its nginx configuration:

image-20201024210002457

image-20201024171430566

Again from the Docker logs, but I don't know why my count comes to 18?

image-20201024214729481
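Both of the Docker-log questions above (the Referer source and the request count) come down to parsing nginx "combined" access-log lines that reach the host through the logging driver. The script below is an added example, not code from the original write-up: it parses such lines and tallies requests per client IP and per Referer host. It accepts the lines either as printed by docker logs or as stored by Docker's default json-file driver under /var/lib/docker/containers/<id>/<id>-json.log, which can be read straight off the mounted image when, as here, the machine refuses to boot. The sample log lines, IPs, paths and timestamps are constructed for the example and are not from the evidence.

```python
import json
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample. The first three lines are what `docker logs` prints for an nginx
# container whose access.log is symlinked to /dev/stdout; the last line is the same kind
# of record as it sits on disk in the json-file driver's <id>-json.log.
SAMPLE_LOG = """\
192.168.99.3 - - [18/Oct/2020:10:12:01 +0800] "GET /index.php HTTP/1.1" 200 5123 "http://192.168.99.3/admin/login" "Mozilla/5.0"
192.168.99.3 - - [18/Oct/2020:10:12:05 +0800] "POST /api/order HTTP/1.1" 200 88 "http://192.168.99.3/admin/orders" "Mozilla/5.0"
192.168.99.222 - - [18/Oct/2020:10:13:40 +0800] "GET /login HTTP/1.1" 302 0 "-" "curl/7.64.0"
{"log":"10.0.0.7 - - [18/Oct/2020:10:14:02 +0800] \\"GET /favicon.ico HTTP/1.1\\" 404 153 \\"http://192.168.99.3/\\" \\"Mozilla/5.0\\"\\n","stream":"stdout","time":"2020-10-18T02:14:02.1Z"}
"""

# nginx "combined" log format (the default $http_referer/$http_user_agent layout).
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def unwrap(line: str) -> str:
    """Return the raw access-log line, unwrapping a json-file driver record if needed."""
    if line.startswith("{"):
        return json.loads(line)["log"].rstrip("\n")
    return line


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED.match(unwrap(line))
    if not m:
        return None
    rec = m.groupdict()
    # "-" means no Referer header was sent; otherwise keep only the host part.
    rec["referer_host"] = None if rec["referer"] == "-" else urlsplit(rec["referer"]).hostname
    return rec


def summarize(log_text: str) -> dict:
    """Count parsed requests per client IP and per Referer host; keep unparsed lines for review."""
    recs, unparsed = [], []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        (recs if rec else unparsed).append(rec or raw)
    return {
        "requests": len(recs),
        "by_client": Counter(r["ip"] for r in recs),
        "by_referer_host": Counter(r["referer_host"] for r in recs if r["referer_host"]),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("requests:", s["requests"])
    print("per client IP:", dict(s["by_client"]))
    print("per Referer host:", dict(s["by_referer_host"]))
    print("unparsed lines:", len(s["unparsed"]))
```

When a count disagrees with the expected answer, the unparsed list is the first thing to check: lines in a custom log_format, or multi-line stderr output mixed into the same stream, silently drop out of the regex and lower the total.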

Stage 2

image-20201024214256878

image-20201024214303238

image-20201025101215294

image-20201024214309065

image-20201025101900662

image-20201024214314316

The time the installer was run is:

image-20201025102132530

But the installation date reported by Forensic Master is?

image-20201025101954533

And Hongliang's (弘连) date is even further off...

image-20201025102425876

image-20201024214323048

No idea how they got that.

image-20201025102115249

image-20201024214330028

image-20201025102241622

image-20201024214335888

image-20201025112657339

image-20201025095755110

See question 15.

image-20201025095800630

Found an iPhone backup:

image-20201025103508672

image-20201025112713877

image-20201025095807604

image-20201025112906750

image-20201025095813432

image-20201025112938357

Payments are received in DOGE, i.e. Dogecoin.

image-20201025112954046

image-20201025095820451

See the image above.

image-20201025095826670

image-20201025115734678

image-20201025095833493

Didn't solve this one.

image-20201025095839892

There is a script on GitHub for brute-forcing the password of an encrypted VMware virtual machine:

https://www.ershicimi.com/p/a85955bf672a9dc6e412ad70648870fd

https://github.com/axcheron/pyvmx-cracker

Run it as described in its README.

image-20201025132003987

image-20201025095846362

image-20201025134105402

Once decrypted, the VM can be examined like any other evidence item.

image-20201025164252226

image-20201025095852374

image-20201025164304512

image-20201025095858720

image-20201025095904423

image-20201025164327059

image-20201025164744704

image-20201025095913250

Locate Xshell's per-user configuration files (the saved session files hold the encrypted passwords).

Xshell's saved credentials are tied to the Windows account that saved them: the key is the SHA-256 hash of the current user name concatenated with the user's SID, and the cipher is ARC4 (RC4). Without the correct user name and SID the stored passwords cannot be recovered.

The user name and SID of the account can be read with whoami /user (or, from an image, from the SAM/registry of the evidence machine).

Decryption tools and scripts:

https://github.com/DoubleLabyrinth/how-does-Xmanager-encrypt-password

https://github.com/jnewing/xdec

https://github.com/dzxs/Xdecrypt

Get the SID:

image-20201025165800953

S-1-5-21-1539269504-2238408660-2242313689-1000

Decrypt:

image-20201025171215776
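To make the scheme described above concrete, here is an added Python example (not code from the write-up or from the linked tools) that implements the Xshell session-password encryption and its inverse: key = SHA-256(username + SID), cipher = RC4. The ciphertext layout, password followed by a 32-byte SHA-256 of the password and then base64-encoded, is the one documented by the DoubleLabyrinth analysis linked above for Xshell 5.1 through 6; the trailing hash doubles as a check that the user name and SID you fed in are the right ones. The SID is the one recovered from the evidence above; the user name "forensic" and the password are assumptions made up for the example.

```python
import base64
import hashlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (ARC4). Encryption and decryption are the same keystream XOR."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xshell_key(username: str, sid: str) -> bytes:
    """Key material as described in the write-up: SHA-256 over username || SID."""
    return hashlib.sha256((username + sid).encode("ascii")).digest()


def xshell_encrypt(password: str, username: str, sid: str) -> str:
    """Produce the base64 blob Xshell stores: RC4(key, password || SHA-256(password))."""
    pw = password.encode("utf-8")
    blob = pw + hashlib.sha256(pw).digest()
    return base64.b64encode(rc4(xshell_key(username, sid), blob)).decode("ascii")


def xshell_decrypt(stored: str, username: str, sid: str) -> str:
    """Recover the password; raise ValueError if the trailing hash does not verify."""
    plain = rc4(xshell_key(username, sid), base64.b64decode(stored))
    if len(plain) < 32:
        raise ValueError("blob too short for password || SHA-256(password)")
    pw, digest = plain[:-32], plain[-32:]
    if hashlib.sha256(pw).digest() != digest:
        # Wrong user name / SID, or a different Xshell version's scheme.
        raise ValueError("checksum mismatch: wrong username/SID or unsupported format")
    return pw.decode("utf-8")


# SID recovered from the evidence machine (see above); user name and password are assumed.
SID = "S-1-5-21-1539269504-2238408660-2242313689-1000"
USERNAME = "forensic"

if __name__ == "__main__":
    blob = xshell_encrypt("Passw0rd!", USERNAME, SID)
    print("stored value:", blob)
    print("recovered   :", xshell_decrypt(blob, USERNAME, SID))
```

The user name is the account part of the whoami /user output, not the machine or domain prefix. A checksum mismatch is the useful failure mode here: it tells you the key inputs are wrong rather than handing back garbage, which matters when the SID has to be pulled from an image instead of the live machine.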

Stage 3

image-20201024214844958

image-20201024221139518

image-20201024215017537

Obtained by emulating the image:

image-20201024220001792

image-20201024215026929

image-20201024220102989

image-20201024215033537

image-20201024220123069

image-20201024215039848

image-20201024220529297

image-20201024215045488

After testing, this is the only one that works:

image-20201024221324851

image-20201024215050160

image-20201024221525968

image-20201024215102868

image-20201024221610205

image-20201024215340782

image-20201024222542550

image-20201024215344938

Locate the database management class and its decryption function:

image-20201025094737940

Step into it:

image-20201025094753946

Check what the padding character is:

image-20201025094819920

It is a space, so the decrypted value just needs its trailing spaces stripped.

image-20201025094653561

image-20201024215352586

Same as above.

image-20201024215358848

Same as the question before the last.

Stage 4

image-20201025165949857

image-20201025165956253

image-20201025170000920

image-20201025170005856

image-20201025170010355

image-20201025170015106

image-20201025170019243

image-20201025170023914

image-20201025170029143

Author: Rayi
Copyright notice: this article was first published on Rayi's blog; please credit the source when reproducing it.