2025獬豸杯 on Nan0inPsyLoghttps://nan0in27.cn/categories/2025%E7%8D%AC%E8%B1%B8%E6%9D%AF/Recent content in 2025獬豸杯 on Nan0inPsyLogHugo -- gohugo.iozh-cn楠牧音 | glow Nan0in2025獬豸杯https://nan0in27.cn/p/2025%E7%8D%AC%E8%B1%B8%E6%9D%AF/Sun, 30 Mar 2025 00:10:00 +0000https://nan0in27.cn/p/2025%E7%8D%AC%E8%B1%B8%E6%9D%AF/<img src="https://nan0in27.cn/p/2025%E7%8D%AC%E8%B1%B8%E6%9D%AF/banner2.png" alt="Featured image of post 2025獬豸杯" /><blockquote> <p>检材&amp;题目来源https://forensics.didctf.com/</p> </blockquote> <p>官网没提供容器密码,veracrypt或FTK挂载,密码为:<code>}2N|n_yxdt!G/Ru}|_zdn$@?6@CD8E</code></p> <h1 id="手机">手机 </h1><p>data.dd-&gt;data.dd.tar解压</p> <p> <div class="post-img-view"> <a data-fancybox="gallery" href="1.png"> <img src="1.png" alt="" /> </a> </div> 没有一把梭软件,只能硬翻,在axiom中我们先筛选非system程序,再看从小米市场下载的程序,最后定位到 <div class="post-img-view"> <a data-fancybox="gallery" href="3.png"> <img src="3.png" alt="" /> </a> </div> 几个软件中寻找后判断出com.huodong.yanyu应该是烟雨直播软件,也就是我们所要找的直播软件,然后进入文件夹中的database后<br> <div class="post-img-view"> <a data-fancybox="gallery" href="2.png"> <img src="2.png" alt="" /> </a> </div> miao.db中找到login,id为<code>35248617</code></p> <p> <div class="post-img-view"> <a data-fancybox="gallery" href="mobile2.png"> <img src="mobile2.png" alt="" /> </a> </div> 打开软件看看,发现正好是<code>一无所有</code></p> <p> <div class="post-img-view"> <a data-fancybox="gallery" href="mobile3.png"> <img src="mobile3.png" alt="" /> </a> </div> 难绷,直接搜,一个大阳山一个武功山(后面这个难搜到),结果是<code>武功山</code></p> <p> <div class="post-img-view"> <a data-fancybox="gallery" href="mobile4.png"> <img src="mobile4.png" alt="" /> </a> </div> <div class="post-img-view"> <a data-fancybox="gallery" href="mobile4-1.png"> <img src="mobile4-1.png" alt="" /> </a> </div> <div class="post-img-view"> <a data-fancybox="gallery" href="mobile4-2.png"> <img src="mobile4-2.png" alt="" /> </a> </div> 前一个是系统设置,数据库里可以找到初始化IMSI,第二个问AI知道的,查查看 <div class="post-img-view"> <a data-fancybox="gallery" href="mobile4-3.png"> <img src="mobile4-3.png" alt="" /> </a> </div> 在<code>E:\手机\user_de\0\com.android.providers.telephony\databases</code>中找到<br> <code>460115143563428</code></p> <p> <div class="post-img-view"> <a data-fancybox="gallery" href="mobile4-4.png"> <img src="mobile4-4.png" alt="" /> </a> </div> <div class="post-img-view"> <a data-fancybox="gallery" href="mobile4-5.png"> <img src="mobile4-5.png" alt="" /> </a> </div> 5\6放一起看,可以得知是网易会议,在<code>shared_prefs</code>中查看残留信息<br> <code>FlutterSharedPreferences.xml</code>中找到 <div class="post-img-view"> <a data-fancybox="gallery" href="mobile4-6.png"> <img src="mobile4-6.png" alt="" /> </a> </div> 找到mettingID和meetingNum<br> 搜索官网得知会议ID是meetingNum,提交是正确的,但是时间没有确定<br> <code>312-118-071</code></p> <p> <div class="post-img-view"> <a data-fancybox="gallery" href="mobile6.png"> <img src="mobile6.png" alt="" /> </a> </div> 在<code>手机\media\0\Android\data\com.netease.yunxin.meeting\files\nim\extra_log\imkit_log</code><br> 中可以找到log文件,根据官方github中对应Privatemeeting,搜索得到<br> <code>2679823922</code></p> <p> <div class="post-img-view"> <a data-fancybox="gallery" href="mobile7.png"> <img src="mobile7.png" alt="" /> </a> </div> <div class="post-img-view"> <a data-fancybox="gallery" href="mobile7-1.png"> <img src="mobile7-1.png" alt="" /> </a> </div> 记账小能手<br> <div class="post-img-view"> <a data-fancybox="gallery" href="mobile7-2.png"> <img src="mobile7-2.png" alt="" /> </a> </div> <code>4</code></p> <p> <div class="post-img-view"> <a data-fancybox="gallery" href="mobile8.png"> <img src="mobile8.png" alt="" /> </a> </div> 上图往后滑一下就有<br> <code>勇哥</code></p> <p> <div class="post-img-view"> <a data-fancybox="gallery" href="mobile9.png"> <img src="mobile9.png" alt="" /> </a> </div> <div class="post-img-view"> <a data-fancybox="gallery" href="mobile9-1.png"> <img src="mobile9-1.png" alt="" /> </a> </div> <div class="post-img-view"> <a data-fancybox="gallery" href="mobile9-2.png"> <img src="mobile9-2.png" alt="" /> </a> </div> DC_store中看到没有手机号 <code>否</code></p> <p> <div class="post-img-view"> <a data-fancybox="gallery" href="mobile10.png"> <img src="mobile10.png" alt="" /> </a> </div> <div class="post-img-view"> <a data-fancybox="gallery" href="mobile10-1.png"> <img src="mobile10-1.png" alt="" /> </a> </div> chats-app-10950-private中能看到消息 <code>30000</code></p> <p> <div class="post-img-view"> <a data-fancybox="gallery" href="mobile11.png"> <img src="mobile11.png" alt="" /> </a> </div> <div class="post-img-view"> <a data-fancybox="gallery" href="inde.png"> <img src="inde.png" alt="" /> </a> </div> 上面有 <code>17751125237</code></p> <p> <div class="post-img-view"> <a data-fancybox="gallery" href="mobile12.png"> <img src="mobile12.png" alt="" /> </a> </div> 这是&hellip; 这我真不知道了<br> 看网上在<code>/user_de/0/com.android.phone/shared_prefs/com.android.phone_preferences.xml</code>中, <div class="post-img-view"> <a data-fancybox="gallery" href="mobile12-1.png"> <img src="mobile12-1.png" alt="" /> </a> </div> <code>1055</code></p> <p> <div class="post-img-view"> <a data-fancybox="gallery" href="movile13.png"> <img src="movile13.png" alt="" /> </a> </div> 白马蔚蓝百度3个</p> <h1 id="计算机">计算机 </h1><p> <div class="post-img-view"> <a data-fancybox="gallery" href="c1-1.png"> <img src="c1-1.png" alt="" /> </a> </div> 取证大师一把梭 <div class="post-img-view"> <a data-fancybox="gallery" href="c1.png"> <img src="c1.png" alt="" /> </a> </div> <code>00-0C-29-BF-8B-30</code></p> <p> <div class="post-img-view"> <a data-fancybox="gallery" href="c2.png"> <img src="c2.png" alt="" /> </a> </div> <div class="post-img-view"> <a data-fancybox="gallery" href="c2-1.png"> <img src="c2-1.png" alt="" /> </a> </div> <code>18363</code></p> <p> <div class="post-img-view"> <a data-fancybox="gallery" href="c3.png"> <img src="c3.png" alt="" /> </a> </div> 查找发现有个mm.txt,密码或许在新建文本文档.txt里?但是内容清空了,注意到<br> <div class="post-img-view"> <a data-fancybox="gallery" href="c3-1.png"> <img src="c3-1.png" alt="" /> </a> </div> 2.10号这一天既有输入法输入密码的操作,又有日志分析中修改密码成功的操作,我们缩减范围到2.10号这段时间内<br> <div class="post-img-view"> <a data-fancybox="gallery" href="c4.png"> <img src="c4.png" alt="" /> </a> </div> 除了文本文档外还对便笺进行了操作,文本文档没找到密码,我们看一下便笺<br> <div class="post-img-view"> <a data-fancybox="gallery" href="c4-1.png"> <img src="c4-1.png" alt="" /> </a> </div> ps:forensictools也提示我们在备忘录里</p> <p> <div class="post-img-view"> <a data-fancybox="gallery" href="index.png"> <img src="index.png" alt="" /> </a> </div> 查找得知便签数据库文件位置<code>&quot;I:\Users\TTT\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite&quot;</code> sqlitebrowser打开 <div class="post-img-view"> <a data-fancybox="gallery" href="c4-2.png"> <img src="c4-2.png" alt="" /> </a> </div> <code>WAXD9128@</code></p> <p> <div class="post-img-view"> <a data-fancybox="gallery" href="c4-3.png"> <img src="c4-3.png" alt="" /> </a> </div> 这是什么玩意?我不会了<br> <div class="post-img-view"> <a data-fancybox="gallery" href="c5-1.png"> <img src="c5-1.png" alt="" /> </a> </div> 在document下看到一个.npbk文件,夜神模拟器的文件格式之一,还有一个dididi.saz<br> <div class="post-img-view"> <a data-fancybox="gallery" href="c5-2.png"> <img src="c5-2.png" alt="" /> </a> </div> <div class="post-img-view"> <a data-fancybox="gallery" href="c5-3.png"> <img src="c5-3.png" alt="" /> </a> </div> 这里进行了登录操作<br> <div class="post-img-view"> <a data-fancybox="gallery" href="c5-4.png"> <img src="c5-4.png" alt="" /> </a> </div> 找到password,<br> <code>a12345678</code></p> <p> <div class="post-img-view"> <a data-fancybox="gallery" href="c5.png"> <img src="c5.png" alt="" /> </a> </div> <div class="post-img-view"> <a data-fancybox="gallery" href="c6.png"> <img src="c6.png" alt="" /> </a> </div> 流量包搜yeshen,看包就找到了<br> <code>SM-G955N</code></p> <p> <div class="post-img-view"> <a data-fancybox="gallery" href="c6-1.png"> <img src="c6-1.png" alt="" /> </a> </div> <div class="post-img-view"> <a data-fancybox="gallery" href="c6-2.png"> <img src="c6-2.png" alt="" /> </a> </div> 搜video,然后随便点开一个流量包就能看到月份,抖音的视频 <code>5</code></p> <p> <div class="post-img-view"> <a data-fancybox="gallery" href="c7.png"> <img src="c7.png" alt="" /> </a> </div> 说实话这个上网都行吧。。<br> <div class="post-img-view"> <a data-fancybox="gallery" href="inde-1.png"> <img src="inde-1.png" alt="" /> </a> </div> <code>起点中文网</code></p> <p> <div class="post-img-view"> <a data-fancybox="gallery" href="c8.png"> <img src="c8.png" alt="" /> </a> </div> <div class="post-img-view"> <a data-fancybox="gallery" href="c8-1.png"> <img src="c8-1.png" alt="" /> </a> </div> 火眼分析看到,大概就是这个许羽了, 到雷电分析一下 <div class="post-img-view"> <a data-fancybox="gallery" href="c8-2.png"> <img src="c8-2.png" alt="" /> </a> </div> </p> <p> <div class="post-img-view"> <a data-fancybox="gallery" href="c9.png"> <img src="c9.png" alt="" /> </a> </div> jadx看一下<br> <div class="post-img-view"> <a data-fancybox="gallery" href="c8-3.png"> <img src="c8-3.png" alt="" /> </a> </div> <code>anzhuo.com</code></p> <p> <div class="post-img-view"> <a data-fancybox="gallery" href="c10.png"> <img src="c10.png" alt="" /> </a> </div> </p> <blockquote> <p>草之前那道题mm.txt里容器的密码就是这玩意的: <code>新建文本文档.txt</code></p> </blockquote> <p> <div class="post-img-view"> <a data-fancybox="gallery" href="z10.png"> <img src="z10.png" alt="" /> </a> </div> 貌似是这个<br> <div class="post-img-view"> <a data-fancybox="gallery" href="c10-1.png"> <img src="c10-1.png" alt="" /> </a> </div> 7zip看一下 <code>8955b1</code></p> <blockquote> <p>这里还可参考大佬做法找容器 大小一个g(找容器主要就是根据大小来找,一个g就很明显,其次是个“白图标文件”)</p> </blockquote> <p> <div class="post-img-view"> <a data-fancybox="gallery" href="c10-2.png"> <img src="c10-2.png" alt="" /> </a> </div> 没错就是这个,用密钥在veracrypt打开即可</p> <p> <div class="post-img-view"> <a data-fancybox="gallery" href="c11.png"> <img src="c11.png" alt="" /> </a> </div> <div class="post-img-view"> <a data-fancybox="gallery" href="c11-1.png"> <img src="c11-1.png" alt="" /> </a> </div> IDA中快速搜索找到<br> <code>0x4393c0</code></p> <p> <div class="post-img-view"> <a data-fancybox="gallery" href="c12.png"> <img src="c12.png" alt="" /> </a> </div> <div class="post-img-view"> <a data-fancybox="gallery" href="c11-2.png"> <img src="c11-2.png" alt="" /> </a> </div> DIE里看<br> <code>0x035b5000</code></p> <p> <div class="post-img-view"> <a data-fancybox="gallery" href="c13.png"> <img src="c13.png" alt="" /> </a> </div> <div class="post-img-view"> <a data-fancybox="gallery" href="c13-1.png"> <img src="c13-1.png" alt="" /> </a> </div> <div class="post-img-view"> <a data-fancybox="gallery" href="c13-2.png"> <img src="c13-2.png" alt="" /> </a> </div> <code>com.suijideszzuiji.cocosandroid</code></p> <p> <div class="post-img-view"> <a data-fancybox="gallery" href="c14.png"> <img src="c14.png" alt="" /> </a> </div> <div class="post-img-view"> <a data-fancybox="gallery" href="c13-3.png"> <img src="c13-3.png" alt="" /> </a> </div> 没加固</p> <p> <div class="post-img-view"> <a data-fancybox="gallery" href="c16.png"> <img src="c16.png" alt="" /> </a> </div> <div class="post-img-view"> <a data-fancybox="gallery" href="c14-1.png"> <img src="c14-1.png" alt="" /> </a> </div> 大概是这个?<br> <code>android.permission.WRITE_EXTERNAL_STORAGE</code><br> 还真是</p> <p> <div class="post-img-view"> <a data-fancybox="gallery" href="c16-1.png"> <img src="c16-1.png" alt="" /> </a> </div> 雷电里面抓包,login的时候就可以看到了 <div class="post-img-view"> <a data-fancybox="gallery" href="c16-2.png"> <img src="c16-2.png" alt="" /> </a> </div> </p> <p><code>https://47bc63ed04500151.com/ky188/member/memberManager/login</code> 但是好像不对,原来是因为开了代理模式的原因,合理猜测是<code>168js.bhibfy.com</code>或者<code>168js.bvocftd.com</code> <code>https://168js.bvocftd.com/ky188/member/memberManager/login</code></p> <p> <div class="post-img-view"> <a data-fancybox="gallery" href="c17-1.png"> <img src="c17-1.png" alt="" /> </a> </div> <div class="post-img-view"> <a data-fancybox="gallery" href="c17.png"> <img src="c17.png" alt="" /> </a> </div> 雷电里直接搜敏感信息或者然后源码中确认qqID即可<br> <code>1108221663</code></p> <p> <div class="post-img-view"> <a data-fancybox="gallery" href="Pasted%20image%2020250406225457.png"> <img src="Pasted%20image%2020250406225457.png" alt="" /> </a> </div> <div class="post-img-view"> <a data-fancybox="gallery" href="C18.png"> <img src="C18.png" alt="" /> </a> </div> <code>(=3]Zwjt#W</code></p>