cyber security class demo

L3gend_Chen 10 2023-12-13

Today let's sort out the Blue Hat Cup preliminary round forensics and misc challenges; this will be a slow, long-term update.

After playing, I lamented that I had studied web for almost a year, or relied on defense, and the penetration in the final was like a piece of

First write a memo: container password:Hpp^V@FQ6bdWYKMjX=gUPG#hHxw!j@M9

Brief introduction of the case.

In May 2021, the public security organs cracked a case of investment and financial fraud. The victim, Chen Haomin, reported to the public security organs that he had met a netizen nicknamed yang88 on WeChat and was induced to invest and manage his finances through an APP called Vestas. He was defrauded of more than 60,000 yuan.

After receiving the report, the public security organs analysed the case and located the APP's backend server.

After investigation and assessment, the public security organs found that Yang was suspected of a major crime. After repeated inquiries and arrangements, the public security organs arrested him at his residence and seized his mobile phone and computer. According to Yang's statement, his website server is a rented cloud server.

The above samples have each been imaged and verified. Assuming that you are responsible for investigating the electronic data in this case, please complete the evidence collection in the context of the case.

Computer forensics.

1. Please give the SHA-1 value of the computer image pc.e01.

Just compute the SHA-1: 23f861b2e9c5ce9135afc520cbd849677522f54c.

2. Give the examiner (inspector) of pc.e01 at the time of extraction?

This can only be seen with software. Pangu Stone has expired, and now I use Axiom + vol, so I can't see it.

3. Please give the home page address of the IE browser on the suspect's computer?

I didn't find it during the game and filled in bing; I still didn't find the correct home page when I reproduced it, until a master said that the home page was in the forensics data and that he could read it (so why didn't I see it at that time?).

During reproduction I analyzed the recovered URLs as well as the history records, and found that every session started with a Bing web page, so the browser's home page was probably Bing.

Please give the current version number of the program that opens the pdf file by default on the suspect's computer?

Please give the SHA-1 of the suspect's computer file named "C disk cleanup .bat"?

During the competition, because there was no valuable information, I began to look through the file list, came across a disk.img, pulled it out and looked at it, and saw the target file.

Here is a tip. If you try to mount the image but it won't mount, never mind, just open it with the disk wizard. Win11 always has some strange bugs.

After exporting the file, compute its hash and get the flag: 24cfcfdf1fa894244f904067838e7e01e28ff450

Please give the decryption password of the suspect's VeraCrypt encryption container?

Considering that forensics questions generally leave the vk on the computer, it was found successfully.

Please give the external port number of the iSCSI server on the suspect's computer?

I originally intended to solve it by emulation, but for some reason the image just couldn't be emulated (annoying), so I searched the network connections instead, focusing on the connections owned by StarWindService.exe. As a result I saw 3216, which is the flag.

Please give the password of the CHAP authentication account of the iSCSI server in the suspect's computer?

Look for the configuration file, find StarWind.cfg and open it:

username:user

password:panguite.com

According to the analysis of the withdrawal record form in the suspect's computer, how much is the total amount of withdrawal by the user "mi51888"?

Earlier, while looking for "C disk cleanup .bat", I noticed a txt file that was 2 gigabytes.

Checked with a tool: it is a VC container, and the password is the key from earlier.

You can see a list of Excel files.

Open the Excel file.

Get the sum.

Please give the time when the computer memory image was created, in Beijing time?

volatility.exe -f xxx.mem imageinfo

Quickly solved.

Please give the logon password of the user yang88 on the computer?

Mimikatz can also be used; in fact the VC password above is also given there. Never mind.

Please give the LM hash value of the user yang88?

hashdump

Please give the Beijing time when the user yang88 visited the file "withdrawal record .xlsx"?

The mftparser command; this description is given in the Wolf Group knowledge base.

MFT is defined as:

Master file table (local file system).
The NTFS file system contains a file called the master file table, or MFT.
For each file on an NTFS volume there is at least one entry in the MFT, including for the MFT itself.
All information about the file, including its size, time and date stamps, permissions, and data contents, is stored in the MFT entry or in space outside the MFT that the MFT entry describes.

Note that the timestamp mentioned includes the access time.
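Two of the questions above (the memory image creation time and the last access time of "withdrawal record .xlsx") both come down to the same chore: Volatility prints UTC timestamps, the MFT stores Windows FILETIME values, and the answer has to be given in Beijing time. The following is an added example, not code from the original post or from Volatility, that converts both forms. The sample imageinfo line and the sample $STANDARD_INFORMATION attribute body are constructed here, not taken from the competition images.

```python
import re
import struct
from datetime import datetime, timezone, timedelta

# Beijing time is UTC+8 all year round (no DST), so a fixed offset is exact.
BEIJING = timezone(timedelta(hours=8))

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Volatility prints timestamps such as "2023-06-20 16:56:57 UTC+0000";
# the challenge text abbreviates the offset as "UTC+0", so accept both.
VOL_TS = re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC([+-])(\d{1,4})")


def parse_vol_timestamp(text):
    """Return an aware datetime for the first Volatility-style timestamp in text."""
    m = VOL_TS.search(text)
    if not m:
        raise ValueError(f"no Volatility timestamp in {text!r}")
    stamp, sign, digits = m.groups()
    # "0" or "8" means whole hours; "0800" means HHMM.
    if len(digits) <= 2:
        hours, minutes = int(digits), 0
    else:
        hours, minutes = int(digits[:-2]), int(digits[-2:])
    delta = timedelta(hours=hours, minutes=minutes)
    tz = timezone(delta if sign == "+" else -delta)
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)


def beijing_str(dt):
    """Render an aware datetime in Beijing time, the form the questions ask for."""
    return dt.astimezone(BEIJING).strftime("%Y-%m-%d %H:%M:%S")


def filetime_to_datetime(ticks):
    """Convert a raw 64-bit FILETIME to an aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build the constructed sample."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def parse_standard_information(attr_body):
    """Parse the four timestamps of an NTFS $STANDARD_INFORMATION attribute body.

    The first 32 bytes are four little-endian FILETIMEs: creation, last
    modified, MFT record changed, last accessed. The access time is the one
    the "visited the file" question is about.
    """
    if len(attr_body) < 32:
        raise ValueError("attribute body too short for $STANDARD_INFORMATION")
    created, modified, mft_changed, accessed = struct.unpack_from("<4Q", attr_body, 0)
    return {
        "created": filetime_to_datetime(created),
        "modified": filetime_to_datetime(modified),
        "mft_changed": filetime_to_datetime(mft_changed),
        "accessed": filetime_to_datetime(accessed),
    }


# --- constructed samples (not from the competition images) ---
SAMPLE_IMAGEINFO = "Image date and time : 2023-06-20 16:56:57 UTC+0000"

_sample_times = [
    datetime(2023, 6, 20, 1, 2, 3, tzinfo=timezone.utc),    # created
    datetime(2023, 6, 20, 4, 5, 6, tzinfo=timezone.utc),    # modified
    datetime(2023, 6, 20, 4, 5, 7, tzinfo=timezone.utc),    # MFT record changed
    datetime(2023, 6, 20, 17, 30, 0, tzinfo=timezone.utc),  # last accessed
]
# 32 bytes of timestamps plus padding up to the attribute's usual 72-byte size.
SAMPLE_STD_INFO = struct.pack("<4Q", *(datetime_to_filetime(t) for t in _sample_times)) + b"\x00" * 40


def access_time_beijing(attr_body=SAMPLE_STD_INFO):
    """Last-access time of a $STANDARD_INFORMATION body, rendered in Beijing time."""
    return beijing_str(parse_standard_information(attr_body)["accessed"])


if __name__ == "__main__":
    print("memory image created (Beijing):", beijing_str(parse_vol_timestamp(SAMPLE_IMAGEINFO)))
    print("file last accessed (Beijing):", access_time_beijing())
```

Note that the +8 hours can roll the date over: 16:56:57 UTC on 2023-06-20 is already 2023-06-21 in Beijing, which is an easy way to lose a flag if the date is copied from the UTC output unchanged.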

Oddly enough, what vol scanned differs from what Axiom scanned.

I don't know why.

Please give the Beijing time of the last execution of "VeraCrypt"?

pslist can solve it.

Analyze the memory image and give how many times the user visited the "Vestas" backend at "2023-06-20 16:56:57 UTC+0"?

2 times

Please give the PID of the Chrome browser process from the user's last visit?

Still pslist.

At this point the computer forensics chapter is finished; the server chapter will be reproduced and written up in a few days.