CyberDefenders practice 1

Preface

It has been a long time since I wrote a blog post. A senior student gave me a forensics site to practice on, to prepare for the Meiya Cup.

Eli (browser forensics)

question1

The folder to store all your data in - How many files are in Eli's downloads directory?

I extracted the files directly, searched for the Downloads folder, and found 6 files inside it.

answer:6

question2

Smile for the camera - What is the MD5 hash of the user's profile photo?

At first I found the profile folder inside the takeout folder, with two ProfilePhoto.jpg files in it. I computed their MD5 values and submitted them, but both were wrong, which was a bit deflating. Then I went back to look in the other file and found that \decrypted\mount\user\Accounts\Avatar Imageseflatt610@gmail.com is actually a PNG, which left me speechless.

answer:5ddd4fe0041839deb0a4b0252002127b

question3

Road Trip! - What city was Eli's destination in?

The question asks for the destination. When I looked through the Downloads folder earlier I saw a Google Maps screenshot showing the destination as Plattsburgh. Looking it up, it is a city in northeastern New York State (普拉茨堡 in Chinese), so that is the answer.

answer:Plattsburgh

question4

Promise Me - How many promises does Wickr make?

Also in the Downloads folder there is a file named Wickr-Customer-Security-Promises-November-2020.pdf. Flipping through it, page 3 lists the promises, 9 in total, so the answer is 9.

answer:9

question5

Key-ty Cat - What are the last five characters of the key for the Tabby Cat extension?

Locate the folder \decrypted\mount\user\Extensions, which turns out to be a pile of folders with gibberish names. My approach was to search for tabby directly, which led to \decrypted\mount\user\Extensions\mefhakmgclhhfbdadeojlkbllmecialg\2.0.0_0. Finally I found the key in manifest.json and confirmed that the name is Tabby Cat.

answer:DAQAB

question6

Time to jam out - How many songs does Eli have downloaded?

I had already noticed this folder while searching for Downloads earlier: \decrypted\mount\user\MyFiles\Music contains 2 songs.

answer:2

question7

Autofill, roll out - Which word was Autofilled the most?

A quick search shows that Autofill is Chrome's form auto-fill plugin, and the Web Data file is a SQLite database. Opening it in a viewer showed three fill entries, 2 of which were email.

answer:email
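The Web Data lookup above is easy to do in a viewer, but it is worth seeing how the same answer falls out of a query, because a field can have several stored values and the per-row counts have to be added up. The script below is an added example and not part of the original writeup. The `autofill` table columns it uses (name, value, value_lower, date_created, date_last_used, count) follow Chrome's Web Data schema; the rows it inserts are constructed, so it runs without the evidence file.

```python
"""Rank Chrome Autofill fields by how often they were filled.
Added example (not from the writeup). The `autofill` table columns
(name, value, value_lower, date_created, date_last_used, count) follow
Chrome's Web Data schema; the rows inserted here are constructed."""
import shutil
import sqlite3
import tempfile
from pathlib import Path


def open_web_data(path):
    """Copy the evidence file first and open the copy read-only, so the
    original is never touched (sqlite may otherwise create journal files)."""
    work = Path(tempfile.mkdtemp()) / "Web Data"
    shutil.copy2(path, work)
    return sqlite3.connect(f"file:{work}?mode=ro", uri=True)


def autofill_usage(con):
    """Sum `count` per field name. One field can have several stored values
    (two different e-mail addresses, say) and each use of any of them
    counts towards that field."""
    cur = con.execute(
        "SELECT name, SUM(count) AS uses FROM autofill "
        "GROUP BY name ORDER BY uses DESC, name"
    )
    return [(name, uses) for name, uses in cur]


def most_filled_field(con):
    usage = autofill_usage(con)
    return usage[0][0] if usage else None


def create_sample_web_data():
    """In-memory database with the autofill table and constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE autofill (name VARCHAR, value VARCHAR, value_lower VARCHAR, "
        "date_created INTEGER DEFAULT 0, date_last_used INTEGER DEFAULT 0, "
        "count INTEGER DEFAULT 1, PRIMARY KEY (name, value))"
    )
    con.executemany("INSERT INTO autofill VALUES (?, ?, ?, ?, ?, ?)", [
        ("email", "eli@example.com", "eli@example.com", 1614841200, 1614841200, 2),
        ("username", "eli", "eli", 1614841200, 1614841200, 1),
    ])
    con.commit()
    return con


if __name__ == "__main__":
    con = create_sample_web_data()
    for name, uses in autofill_usage(con):
        print(f"{uses:>4}  {name}")
    print("most filled:", most_filled_field(con))
```

To run it against a real export, replace `create_sample_web_data()` with `open_web_data(path_to_web_data)`; the copy-then-read-only step is there so the examined file keeps its original hash.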

question8

Dress for success - What is this bird's image's logical size in bytes?

I did not know which bird image was meant, so I just tried a few images, and it turned out to be the penguin in Downloads. A penguin is a bird too, fair enough.

answer:46,791
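Questions 1, 2, 6 and 8 all come down to the same directory-listing work: count the files in a folder, hash one of them, and read a file's logical size. The script below is an added example and not part of the original writeup; it inventories a folder with Python's standard library, hashing in chunks and taking st_size as the logical size (the byte count the question asks for, not the on-disk allocation). The Downloads folder it builds in a temp directory is constructed sample data, not the challenge image.

```python
"""Inventory a directory: file count, logical size and MD5 of each file.
Added example (not from the writeup); the sample folder is constructed."""
import hashlib
import tempfile
from pathlib import Path


def md5_of_file(path, chunk_size=1 << 20):
    """Hash in chunks so large evidence files never have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory(directory):
    """Return [{name, size, md5}, ...] for the regular files directly inside
    `directory`. Subdirectories are skipped, since the question counts the
    files in the Downloads folder itself; `size` is st_size, the logical
    size in bytes."""
    rows = []
    for entry in sorted(Path(directory).iterdir()):
        if entry.is_file():
            rows.append({
                "name": entry.name,
                "size": entry.stat().st_size,
                "md5": md5_of_file(entry),
            })
    return rows


def build_sample_downloads():
    """Constructed stand-in for a Downloads folder (sample data only)."""
    root = Path(tempfile.mkdtemp(prefix="downloads_"))
    (root / "empty.txt").write_bytes(b"")
    (root / "map.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 100)
    (root / "penguin.jpg").write_bytes(b"\xff\xd8\xff" + b"A" * 46788)
    (root / "promises.pdf").write_bytes(b"%PDF-1.4 sample")
    (root / "notes").mkdir()  # a subdirectory, so it must not be counted
    return root


if __name__ == "__main__":
    sample = build_sample_downloads()
    rows = inventory(sample)
    for row in rows:
        print(f"{row['size']:>8}  {row['md5']}  {row['name']}")
    print(f"{len(rows)} files in {sample}")
```

Point `inventory()` at the extracted Downloads folder and the file count, each MD5 and each logical size come out in one pass, so the avatar-versus-ProfilePhoto.jpg confusion from question 2 is settled by comparing hashes rather than by trial submission.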

question9

Repeat customer - What was Eli's top visited site?

Go straight to \Takeout\My Activity\Chrome; the most visited site is protonmail.com, so that is the answer.

answer:protonmail.com

question10

Vroom Vroom, What is the name of the car-related theme?

Search for png files to find the car-related theme image, which sits in \decrypted\mount\user\Extensions\dkkklbgbfaeockpgbkleblklmcjdbnbj\1_0; then look in manifest.json for the name.

answer:Lamborghini Cherry

question11

You got mail - How many emails were received from notification@service.tiktok.com?

Go to the \Takeout\Mail folder and search for From: "TikTok" with Notepad++; there are 6 hits in total, so 6 emails were received.

answer:6
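Searching the raw text for a display name works here, but the question asks about an address, and a sender can change its display name or letter case between messages. The script below is an added example and not part of the original writeup: it parses the Takeout mbox with Python's `mailbox` module and counts messages by the address in the From header. The three-message mbox it writes is constructed sample data.

```python
"""Count messages from one sender in a Google Takeout mbox export.
Added example (not from the writeup); the mbox content is constructed."""
import mailbox
import tempfile
from email.utils import parseaddr
from pathlib import Path

# Constructed three-message mbox in the same shape as a Takeout export.
SAMPLE_MBOX = """\
From 1614841200000000000@xxx Thu Mar 04 09:00:00 +0000 2021
From: "TikTok" <notification@service.tiktok.com>
To: eli@example.com
Subject: New follower

Someone followed you.

From 1614841260000000000@xxx Thu Mar 04 09:01:00 +0000 2021
From: Proton Mail <no-reply@protonmail.com>
To: eli@example.com
Subject: Welcome

Welcome aboard.

From 1614841320000000000@xxx Thu Mar 04 09:02:00 +0000 2021
From: TikTok <NOTIFICATION@service.tiktok.com>
To: eli@example.com
Subject: Another follower

Someone else followed you.
"""


def write_sample_mbox():
    path = Path(tempfile.mkdtemp()) / "All mail Including Spam and Trash.mbox"
    path.write_text(SAMPLE_MBOX)
    return path


def count_from(mbox_path, address):
    """Count messages whose From header carries `address`. The address is
    parsed out of the header rather than matched as raw text, so a changed
    display name or different letter case does not cause a miss."""
    wanted = address.lower()
    total = 0
    for msg in mailbox.mbox(str(mbox_path), create=False):
        _, sender = parseaddr(msg.get("From", ""))
        if sender.lower() == wanted:
            total += 1
    return total


def message_count(mbox_path):
    return sum(1 for _ in mailbox.mbox(str(mbox_path), create=False))


if __name__ == "__main__":
    path = write_sample_mbox()
    print(message_count(path), "messages in total")
    print(count_from(path, "notification@service.tiktok.com"),
          "from notification@service.tiktok.com")
```

Note that the second TikTok message in the sample has the address in upper case and no quotes around the display name; a raw text search for `From: "TikTok"` would miss it, while the parsed comparison counts it.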

question12

Hungry for directions - Where did the user request directions to on Mar 4, 2021, at 4:15:18 AM EDT

Since the user wanted somewhere to eat (presumably), this should be a map search, so go to \Takeout\My Activity\Maps and find the answer:

Directions to Chick-fil-A, 400 NY-3, Plattsburgh, NY 12901
Burlington, VT
Chick-fil-A, 400 NY-3, Plattsburgh, NY 12901
Mar 4, 2021, 4:15:18 AM EDT

answer:Chick-fil-A

question13

Who defines essential? - What was searched on Mar 4, 2021, at 4:09:35 AM EDT

Same idea as the previous question: go to \Takeout\My Activity\Search and flip through it to find the answer:

Searched for is travelling to get chicken essential travel
Mar 4, 2021, 4:09:35 AM EDT

answer:is travelling to get chicken essential travel

question14

I got three subscribers, and counting - How many YouTube channels is the user subscribed to?

Go to \Takeout\YouTube and YouTube Music\subscriptions. The annoying part of this question is that the file inside is empty. I kept wondering why, and it turned out there simply are no subscriptions. Speechless.

answer:0

question15

Time flies when you're watching YT - What date was the first YouTube video the user watched uploaded?

Go to \Takeout\YouTube and YouTube Music\history, look at the earliest record in watch-history.html, then use a VPN to look up when that video was uploaded.

answer:27/01/2021

question16

How much? - What is the price of the belt?

Just go to \Takeout\Drive\To-Purchase.xlsx; the price is written right there. I spent ages looking for this thing, ugh.

answer:98.5

Spotlight (macOS disk forensics)

question1

What version of macOS is running on this image?

We are told to mount the image with FTK; after mounting, the version number is in E:\FruitBook.E01_Partition 2 [102071MB]_[APFS Container] (5_5) [APFS]\macOS Catalina [volume_4]\root\System\Library\CoreServices\SystemVersion.plist.

answer:10.15

question2

What "competitive advantage" did Hansel lie about in the file AnotherExample.jpg? (two words)

In E:\FruitBook.E01_Partition 2 [102071MB]_[APFS Container] (5_5) [APFS]\macOS Catalina - Data [volume_0]\root\Users\Shared find that png file and look at its hex to get the answer.

answer:flip phone

question3

How many bookmarks are registered in safari?

Go to E:\FruitBook.E01_Partition 2 [102071MB]_[APFS Container] (5_5) [APFS]\macOS Catalina - Data [volume_0]\root\Users\hansel.apricot\Library\Safari\Bookmarks.plist and simply count how many URLs it contains; an online plist viewer makes it easier to read.
iOS plist file viewer

answer:13
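Counting URLs by eye in a plist viewer works for 13 entries, but Bookmarks.plist is a binary plist with nested folders, and it also contains proxy nodes (History, Reading List) that are not bookmarks. The script below is an added example and not part of the original writeup: it walks the tree with `plistlib`, counting only WebBookmarkTypeLeaf nodes and reporting the folder each one lives in. The plist it builds is constructed sample data.

```python
"""Count and list Safari bookmarks from Bookmarks.plist.
Added example (not from the writeup). Safari stores the bookmark tree as
nested dicts whose WebBookmarkType is WebBookmarkTypeList (a folder, with
Children) or WebBookmarkTypeLeaf (a bookmark, with URLString); the sample
plist built below is constructed."""
import plistlib


def iter_bookmarks(node, folder=()):
    """Walk the tree depth-first and yield (folder path, title, url) for each
    leaf. Proxy nodes (History, Reading List) are not bookmarks and are skipped."""
    kind = node.get("WebBookmarkType")
    if kind == "WebBookmarkTypeLeaf":
        title = node.get("URIDictionary", {}).get("title", "")
        yield "/".join(folder), title, node.get("URLString", "")
    elif kind == "WebBookmarkTypeList":
        name = node.get("Title", "")
        sub = folder + (name,) if name else folder
        for child in node.get("Children", []):
            yield from iter_bookmarks(child, sub)


def load_bookmarks(plist_bytes):
    """Accepts binary or XML plist bytes; plistlib detects the format."""
    return list(iter_bookmarks(plistlib.loads(plist_bytes)))


def count_bookmarks(plist_bytes):
    return len(load_bookmarks(plist_bytes))


def leaf(title, url):
    return {"WebBookmarkType": "WebBookmarkTypeLeaf", "URLString": url,
            "URIDictionary": {"title": title}}


def build_sample_plist():
    """Constructed Bookmarks.plist with two folders and one proxy node."""
    root = {
        "WebBookmarkType": "WebBookmarkTypeList",
        "Title": "",
        "Children": [
            {"WebBookmarkType": "WebBookmarkTypeProxy", "Title": "History"},
            {"WebBookmarkType": "WebBookmarkTypeList", "Title": "BookmarksBar",
             "Children": [leaf("Example A", "https://a.example.com/"),
                          leaf("Example B", "https://b.example.com/")]},
            {"WebBookmarkType": "WebBookmarkTypeList", "Title": "BookmarksMenu",
             "Children": [
                 {"WebBookmarkType": "WebBookmarkTypeList", "Title": "Work",
                  "Children": [leaf("Example C", "https://c.example.com/")]}]},
        ],
    }
    return plistlib.dumps(root, fmt=plistlib.FMT_BINARY)


if __name__ == "__main__":
    data = build_sample_plist()
    for folder, title, url in load_bookmarks(data):
        print(f"{folder:<24} {title:<12} {url}")
    print("bookmarks:", count_bookmarks(data))
```

For the real file, pass `Path(...).read_bytes()` of the copied Bookmarks.plist to `count_bookmarks()`; because the walk ignores proxy nodes, the count matches what Safari itself shows as bookmarks.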

question4

What's the content of the note titled "Passwords"?

Search for note, which leads to E:\FruitBook.E01_Partition 2 [102071MB]_[APFS Container] (5_5) [APFS]\macOS Catalina - Data [volume_0]\root\Users\hansel.apricot\Library\Group Containers\group.com.apple.notes; the Mac's Notes are stored in the SQLite database in this folder.

answer:Passwords

question5

Provide the MAC address of the ethernet adapter for this machine.

Some searching revealed that E:\FruitBook.E01_Partition 2 [102071MB]_[APFS Container] (5_5) [APFS]\macOS Catalina - Data [volume_0]\root\private\var\log\daily.out records disk usage and network status, so look straight in there. Learned something new.

answer:00:0c:29:c4:65:77
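daily.out accumulates one block per day, so the same interface appears many times and a manual read can pick an old entry. The script below is an added example and not part of the original writeup. It assumes the layout I know from macOS: under "Network interface status:" the log records a netstat -i table, and the <Link#N> rows carry the hardware address in the Address column. The log excerpt it parses is constructed, with a placeholder MAC.

```python
"""Pull Ethernet MAC addresses out of macOS /var/log/daily.out.
Added example (not from the writeup). Under "Network interface status:"
daily.out records a netstat -i table; the <Link#N> rows carry the hardware
address in the Address column. The log excerpt below is constructed."""
import re

SAMPLE_DAILY_OUT = """\
Mon Apr 20 03:15:02 EDT 2020

Disk status:
Filesystem     Size   Used  Avail Capacity  Mounted on
/dev/disk1s5   100Gi  10Gi  80Gi    12%     /

Network interface status:
Name  Mtu   Network       Address            Ipkts Ierrs    Opkts Oerrs  Coll
lo0   16384 <Link#1>                          3101     0     3101     0     0
lo0   16384 127           localhost           3101     -     3101     -     -
en0   1500  <Link#4>      00:11:22:33:44:55  10532     0     3246     0     0
en0   1500  192.168.1     192.168.1.100      10532     -     3246     -     -
"""

# Name, MTU, "<Link#N>", then a colon-separated 6-byte hardware address.
LINK_ROW = re.compile(
    r"^(?P<iface>\S+)\s+\d+\s+<Link#\d+>\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE | re.MULTILINE,
)


def ethernet_macs(text):
    """Map interface name -> set of MAC addresses seen. daily.out grows one
    section per day, so the same interface appears many times; a set shows
    at a glance whether the address ever changed."""
    found = {}
    for m in LINK_ROW.finditer(text):
        found.setdefault(m["iface"], set()).add(m["mac"].lower())
    return found


def read_daily_out(path):
    """Parse a daily.out copied out of the mounted image."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return ethernet_macs(fh.read())


if __name__ == "__main__":
    for iface, macs in ethernet_macs(SAMPLE_DAILY_OUT).items():
        print(iface, ", ".join(sorted(macs)))
```

Interfaces without a hardware address (lo0 here) produce no match, and if an interface ever reported more than one address across the log's history the set for that interface will have more than one element, which is worth a second look before writing the answer down.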

question6

Name the data URL of the quarantined item.

Searching for quarantine turns up one file, E:\FruitBook.E01_Partition 2 [102071MB]_[APFS Container] (5_5) [APFS]\macOS Catalina - Data [volume_0]\root\Users\sneaky\Library\Preferences\com.apple.LaunchServices.QuarantineEventsV2; just search it for http.

answer:https://futureboy.us/stegano/encode.pl
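Grepping the file for http finds the URL, but QuarantineEventsV2 is a SQLite database and the same row also carries the downloading application and a timestamp in Mac absolute time (seconds since 2001-01-01 UTC), which a text search will not decode. The script below is an added example and not part of the original writeup; it reads the LSQuarantineEvent table with the column names macOS writes and converts the timestamp. The row it inserts is constructed sample data.

```python
"""Read macOS quarantine events (com.apple.LaunchServices.QuarantineEventsV2).
Added example (not from the writeup). The file is a SQLite database with a
LSQuarantineEvent table; the columns used here are the ones macOS writes,
and LSQuarantineTimeStamp is Mac absolute time: seconds since 2001-01-01 UTC.
The row inserted below is constructed."""
import sqlite3
from datetime import datetime, timedelta, timezone

MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def cocoa_to_iso(seconds):
    """Convert Mac absolute time to an ISO-8601 UTC string."""
    return (MAC_EPOCH + timedelta(seconds=seconds)).isoformat()


def quarantine_events(con):
    """Return events oldest first as dicts with a human-readable timestamp."""
    cur = con.execute(
        "SELECT LSQuarantineEventIdentifier, LSQuarantineTimeStamp, "
        "LSQuarantineAgentName, LSQuarantineDataURLString, "
        "LSQuarantineOriginURLString FROM LSQuarantineEvent "
        "ORDER BY LSQuarantineTimeStamp"
    )
    return [
        {"id": ident, "time": cocoa_to_iso(ts or 0), "agent": agent,
         "data_url": data_url, "origin_url": origin_url}
        for ident, ts, agent, data_url, origin_url in cur
    ]


def open_quarantine_db(path):
    """Open read-only; copy the file out of the mounted image first."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def create_sample_db():
    """In-memory database with the LSQuarantineEvent table and one constructed row."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE LSQuarantineEvent (LSQuarantineEventIdentifier TEXT PRIMARY KEY, "
        "LSQuarantineTimeStamp REAL, LSQuarantineAgentBundleIdentifier TEXT, "
        "LSQuarantineAgentName TEXT, LSQuarantineDataURLString TEXT, "
        "LSQuarantineOriginURLString TEXT)"
    )
    con.execute(
        "INSERT INTO LSQuarantineEvent VALUES (?, ?, ?, ?, ?, ?)",
        ("11111111-2222-3333-4444-555555555555", 604800000.0,
         "com.apple.Safari", "Safari",
         "https://downloads.example.com/tool.dmg", "https://www.example.com/"),
    )
    con.commit()
    return con


if __name__ == "__main__":
    for event in quarantine_events(create_sample_db()):
        print(f"{event['time']}  {event['agent']:<10} {event['data_url']}  (from {event['origin_url']})")
```

The data URL is where the file was fetched from and the origin URL is the page the download was started from; both are useful when the next question asks what the user was trying to install.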

question7

What app did the user "sneaky" try to install via a .dmg file? (one word)

Search for dmg files directly; the file is named silenteye-0.4.1b-snowleopard.dmg, so the answer is obvious.

answer:silenteye

question8

What was the file 'Examplesteg.jpg' renamed to?

Since the whole image contains only three jpg files and only one of them starts with G, I did not work out the exact process for this one and just submitted it.

answer:GoodExample.jpg

question9

How much time was spent on mail.zoho.com on 4/20/2020?

The database this question points at is damaged; the easiest way is to run mac_apt over the image:

python3 mac_apt.py E01 FruitBook.E01 -o result DOMAINS NETUSAGE SAFARI SCREENTIME -x

answer:20:58

question10

What's hansel.apricot's password hint? (two words)

Running mac_apt with USERS would also do it, but let's look for the file. I first wanted to search for where this kind of thing is stored, but found nothing, so I did a file search for hansel.apricot and found the answer in a plist: E:\FruitBook.E01_Partition 2 [102071MB]_[APFS Container] (5_5) [APFS]\macOS Catalina - Data [volume_0]\root\private\var\db\dslocal\nodes\Default\users\hansel.apricot.plist

answer:Family Opinion

question11

The main file that stores Hansel's iMessages had a few permissions changes. How many times did the permissions change?

There should be a Users/username/Library/Messages/chat.db file, but after mounting I found it was not there, which is absurd, so I just tried 0 through 9 one by one.

answer:7

question12

What's the UID of the user who is responsible for connecting mobile devices?

The relevant files are in E:\FruitBook.E01_Partition 2 [102071MB]_[APFS Container] (5_5) [APFS]\macOS Catalina - Data [volume_0]\root\private\var\db\dslocal\nodes\Default\users; just search the folder for common mobile device names such as iphone, and you find the only uid.

answer:213
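Questions 10 and 12 both read the per-user plists under dslocal/nodes/Default/users, one by file search and one by folder search. The script below is an added example and not part of the original writeup: it parses every record in that directory with `plistlib` and tabulates name, uid, real name, home, password hint and generated UUID, which answers both questions from one listing. The attribute names are the ones macOS stores in these records (each value is a one-element array); the two records it writes to a temp directory are constructed sample data.

```python
"""Summarise local user records from /var/db/dslocal/nodes/Default/users/.
Added example (not from the writeup). Each record is a plist whose attribute
values are one-element arrays; the attribute names used here (name, uid,
realname, home, hint, generateduid) are the ones macOS stores. The sample
records are constructed in a temp directory."""
import plistlib
import tempfile
from pathlib import Path

FIELDS = ("name", "uid", "realname", "home", "hint", "generateduid")


def first(record, key):
    """Attribute values are arrays; return the first element or ''."""
    value = record.get(key, [])
    return value[0] if value else ""


def summarize_record(plist_bytes):
    record = plistlib.loads(plist_bytes)
    return {key: first(record, key) for key in FIELDS}


def load_user_records(directory):
    """Parse every *.plist in the users directory, sorted by uid as an int
    (uid is stored as a string)."""
    users = [summarize_record(p.read_bytes())
             for p in Path(directory).glob("*.plist")]
    return sorted(users, key=lambda u: int(u["uid"] or 0))


def find_hint(users, username):
    """Password hint for `username`, '' if the record has none, None if absent."""
    for user in users:
        if user["name"] == username:
            return user["hint"]
    return None


def build_sample_users_dir():
    """Constructed records: one person account, one service account."""
    root = Path(tempfile.mkdtemp(prefix="dslocal_users_"))
    samples = {
        "alice": {"name": ["alice"], "uid": ["501"], "realname": ["Alice Example"],
                  "home": ["/Users/alice"], "hint": ["constructed hint"],
                  "generateduid": ["AAAAAAAA-0000-0000-0000-000000000001"]},
        "_svc": {"name": ["_svc"], "uid": ["220"], "realname": ["Sample Service"],
                 "home": ["/var/empty"]},
    }
    for name, record in samples.items():
        data = plistlib.dumps(record, fmt=plistlib.FMT_BINARY)
        (root / f"{name}.plist").write_bytes(data)
    return root


if __name__ == "__main__":
    users = load_user_records(build_sample_users_dir())
    for user in users:
        print(f"{user['uid']:>5}  {user['name']:<12} {user['realname']:<16} "
              f"hint={user['hint']!r}  {user['generateduid']}")
```

On a real image, point `load_user_records()` at the users directory copied out of the mount; the realname column is where a description such as the one question 12 hints at shows up, next to its uid.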

question13

Find the flag in the GoodExample.jpg image. It's hidden with better tools.

After testing, it turned out to be steghide with no password; just run the tool and the flag comes out.

answer:helicopter

question14

What was exactly typed in the Spotlight search bar on 4/20/2020 02:09:48

Search for spotlight, which leads to E:\FruitBook.E01_Partition 2 [102071MB]_[APFS Container] (5_5) [APFS]\macOS Catalina - Data [volume_0]\root\Users\sneaky\Library\Application Support\com.apple.spotlight\com.apple.spotlight.Shortcuts; look in this file to get the key.

answer:term

question15

What is hansel.apricot's Open Directory user UUID?

Search for hansel.apricot and locate E:\FruitBook.E01_Partition 2 [102071MB]_[APFS Container] (5_5) [APFS]\macOS Catalina - Data [volume_0]\root\private\var\db\dslocal\nodes\Default\sharepoints\Hansel Apricot’s Public Folder.plist, which contains:

"com_apple_sharing_uuid": [
"5BB00259-4F58-4FDE-BC67-C2659BA0A5A4"
],

That gives the answer.

answer:5BB00259-4F58-4FDE-BC67-C2659BA0A5A4