Blue Hat Cup 2022 part WP

MISCdomainhackerdomainhacker2 Electronic forensics, mobile forensics 1 Mobile forensics 2 Computer forensics 1 Computer forensics 2 Computer forensics 3 Computer forensics 4 Program analysis 1 Program analysis 2 Program analysis 3 Program analysis 4 Website forensics 1 Website forensics 2 Website forensics 3

MISC

domainhacker

Filter http

file -> Export object http

Then there is

Or directly

Transfer and store the original data to 010 Editor gets rar Compressed package

It is speculated that the decryption password is not far ahead of this stream The first 14 A flow

password SecretsPassw0rds

domainhacker2

The steps are the same as above , The difference is ntds.rar The title already exists password ：FakePassword123$

Then Baidu searched how to analyze ntds, find github Last script

GitHub - SecureAuthCorp/impacket: Impacket is a collection of Python classes for working with network protocols.

python secretsdump.py -ntds C:\Users\86181\Desktop\ Blue Hat Cup \ntds\new\ActiveDirectory\ntds.dit -system C:\Users\86181\Desktop\ Blue Hat Cup \ntds\new\registry\system -security  C:\Users\86181\Desktop\ Blue Hat Cup \ntds\new\registry\security -history local

Electronic forensics

Mobile forensics 1

open Apple test see exe Pangu stone reader

Direct search

export , Look at the resolution 360x360

Mobile forensics 2

First, I found the express delivery without any results , Mr. Cha Jiang checked the chat records and found

Computer forensics 1

python vol.py -f ../1.dmp --profile=Win7SP1x64 mimikatz

Computer forensics 2

python vol.py -f ../1.dmp --profile=Win7SP1x64 pslist

Computer forensics 3

E01 With forensics master , Found to have bitlocker, But there is no recovery key , therefore passware shuttle

368346-029557-428142-651420-492261-552431-515438-338239

Get the key With forensics master Bitlocker Decryption on Or open it directly passware Decrypted image

Get four files

hold pass.txt Import tool->Dictionary Manager

Custom attack

Computer forensics 4

Direct shuttle

No password found , But the file has been decrypted .

foremost file obtain zip Then violent solution

Program analysis 1

jadx open

Program analysis 2

minmtta.hemjcbm.ahibyws.MainActivity

Program analysis 3

Program analysis 4

There are thousands of dangers ,root Article 1 with a

Safety inspection , Guess is detecting root

answer : a

Website forensics 1

Website forensics 2

look for sql Connect the page , You can find it globally localhost perhaps (127.0.0.1) Find out

Website forensics 3

First find the name of the database where the data is stored , Global search