{"id":191,"date":"2023-12-20T21:28:00","date_gmt":"2023-12-20T13:28:00","guid":{"rendered":"http:\/\/www.s1mh0.xyz\/blog\/?p=191"},"modified":"2024-04-18T21:32:42","modified_gmt":"2024-04-18T13:32:42","slug":"linux_ncqz","status":"publish","type":"post","link":"https:\/\/www.s1mh0.cn\/blog\/index.php\/2023\/12\/20\/linux_ncqz\/","title":{"rendered":"Linux Memory Forensics"},"content":{"rendered":"<h2>Linux Memory Forensics<\/h2>\n<p>There are generally two approaches to Linux memory forensics:<\/p>\n<ul>\n<li>Build a profile file and use it with vol2 (Volatility 2)<\/li>\n<li>Build a symbol table and use it with vol3 (Volatility 3)<\/li>\n<\/ul>\n<p><em>Below, taking <strong>\u201c\u7b2c\u4e03\u5c4a\u5f3a\u7f51\u676f-\u5f3a\u7f51\u5148\u950b-\u627e\u5230PNG\u4e86\u5417\u201d<\/strong> (7th QWB CTF - QWB Pioneer - \u201cDid you find the PNG?\u201d) as the example, the forensics is done by building a profile file<\/em><\/p>\n<h3>Identify the image's distribution version and kernel version<\/h3>\n<p>Inspecting the attachment, the distribution is Ubuntu 20.04 and the kernel is Linux version 5.4.0-100-generic<\/p>\n<pre><code class=\"language-bash\">strings png.mem | grep &quot;Linux version&quot;<\/code><\/pre>\n<p><img decoding=\"async\" src=\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2023\/12\/nc0.png\" alt=\"\" \/><\/p>\n<p>Install an Ubuntu 20.04 virtual machine and list the installed kernel images with the following command<\/p>\n<pre><code class=\"language-bash\">dpkg --get-selections | grep linux-image<\/code><\/pre>\n<p><img decoding=\"async\" src=\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2023\/12\/nc1.png\" alt=\"\" \/><\/p>\n<p>In the virtual machine, install the matching kernel version with the following command:<\/p>\n<pre><code class=\"language-bash\">sudo apt install linux-image-x.x.x-xx-lowlatency linux-headers-x.x.x-xx-lowlatency\n# apt install linux-image-5.4.0-100-generic linux-headers-5.4.0-100-generic<\/code><\/pre>\n<p>After installation, checking again shows that the matching kernel is installed (note: the 5.4.0-100-lowlatency entry was installed by mistake and can be ignored)<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2023\/12\/nc2.png\" alt=\"\" \/><\/p>\n<h3>Switch the kernel version<\/h3>\n<p>Edit the GRUB configuration so that the kernel to boot can be chosen at every startup<\/p>\n<pre><code class=\"language-text\">vim  \/etc\/default\/grub\n\nGRUB_TIMEOUT_STYLE=hidden\nGRUB_TIMEOUT=0\n\u2193\u2193\u2193\n#GRUB_TIMEOUT_STYLE=hidden\nGRUB_TIMEOUT=10<\/code><\/pre>\n<p>After editing, update GRUB and reboot; the newly installed kernel can then be selected under Advanced options<\/p>\n<pre><code class=\"language-bash\">sudo update-grub\nsudo reboot<\/code><\/pre>\n<p><img decoding=\"async\" src=\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2023\/12\/nc3.png\" alt=\"\" \/><\/p>\n<p>After logging in, the kernel has been switched<\/p>\n<pre><code class=\"language-text\">simho@simho-virtual-machine:~\/Desktop$ uname -a\nLinux simho-virtual-machine 5.4.0-100-lowlatency #113-Ubuntu SMP PREEMPT Thu Feb 3 19:24:13 UTC 2022 x86_64 x86_64 x86_64 GNU\/Linux<\/code><\/pre>\n<h3>Build the profile file<\/h3>\n<p>First install <code>build-essential<\/code> and <code>dwarfdump<\/code>, and locate the <code>System.map-xx<\/code> file for the matching kernel version under <code>\/boot<\/code><\/p>\n<p>Then transfer the <a href=\"https:\/\/github.com\/volatilityfoundation\/volatility\/tree\/master\/tools\/linux\">build files<\/a> for the dwarf kernel debug module and compile them; after compilation a <code>module.dwarf<\/code> file is generated in the current directory<\/p>\n<p>Next, pack the two files above into a zip and place it under <code>volatility\/plugins\/overlays\/linux<\/code><\/p>\n<pre><code class=\"language-bash\">apt install build-essential dwarfdump\ncd volatility\/tools\/linux\nmake\nzip .\/Ubuntu_5_4_0-100-generic_profile.zip .\/module.dwarf \/boot\/System.map-`uname -r`<\/code><\/pre>\n<h3>Forensics with vol2<\/h3>\n<p>Check whether the profile file is now recognized; once it is, the profile can be used to parse the memory image<\/p>\n<pre><code class=\"language-bash\">python2 vol.py --info | grep Profile<\/code><\/pre>\n<p><img decoding=\"async\" src=\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2023\/12\/nc4.png\" alt=\"\" \/><\/p>\n<p>Check the banner information<\/p>\n<pre><code class=\"language-bash\">python2 vol.py -f png.mem --profile=LinuxUbuntu_5_4_0-100-generic_profilex64 linux_banner<\/code><\/pre>\n<p><img decoding=\"async\" src=\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2023\/12\/nc5.png\" alt=\"\" \/><\/p>\n<p><strong>PS: according to \u5de8\u9b54's blog, errors may appear during parsing and the corresponding files need to be patched, but in my case it parsed normally without that<\/strong><\/p>\n<p>List the files<\/p>\n<pre><code class=\"language-bash\">python2 vol.py -f png.mem --profile=LinuxUbuntu_5_4_0-100-generic_profilex64  linux_enumerate_files | grep &quot;Desktop&quot;<\/code><\/pre>\n<p><img decoding=\"async\" src=\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2023\/12\/nc6.png\" alt=\"\" \/><\/p>\n<p>Extract the file<\/p>\n<pre><code class=\"language-bash\">python2 vol.py -f png.mem --profile=LinuxUbuntu_5_4_0-100-generic_profilex64 linux_find_file -i 0xffff9ce28fe300e8 -O .\/have_your_fun.jocker<\/code><\/pre>\n<p><img decoding=\"async\" src=\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2023\/12\/nc7.png\" alt=\"\" \/><\/p>\n<p>The extracted file turned out to be empty, so I searched the whole image for <code>have_your_fun.jocker<\/code> directly in WinHex and obtained the complete source code<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2023\/12\/nc8.png\" alt=\"\" \/><\/p>\n<pre><code class=\"language-c\">#include &lt;stdio.h&gt;\n#include &lt;stdlib.h&gt;\n#include &lt;string.h&gt;\n#include &lt;sys\/socket.h&gt;\n#include &lt;arpa\/inet.h&gt;\n#include &lt;unistd.h&gt;\n\n#define SERVER_IP &quot;192.168.6.1&quot;\n#define SERVER_PORT 110\nunsigned char buff[20000];\nvoid swap(char* a, char* b) {\n    char temp = *a;\n    *a = *b;\n    *b = temp;\n}\nvoid rc4_encrypt_decrypt(unsigned char* key, unsigned char* data, int data_length) {\n    int i, j = 0, t;\n    int s[256];\n    int key_length = strlen((const char*)key);\n\n    for (i = 0; i &lt; 256; i++) {\n        s[i] = i;\n    }\n\n    for (i = 0; i &lt; 256; i++) {\n        j = (j + s[i] + key[i % key_length]) % 256;\n        t = s[i];\n        s[i] = s[j];\n        s[j] = t;\n    }\n\n    i = j = 0;\n    for (int k = 0; k &lt; data_length; k++) {\n        i = (i + 1) % 256;\n        j = (j + s[i]) % 256;\n        t = s[i];\n        s[i] = s[j];\n        s[j] = t;\n        data[k] ^= s[(s[i] + s[j]) % 256];\n    }\n}\nint main()\n{\n    int clientSocket = socket(AF_INET, SOCK_STREAM, 0);\n    if (clientSocket == -1) {\n        printf(&quot;socket failed!\\n&quot;);\n        return 1;\n    }\n    struct sockaddr_in serverAddr;\n    serverAddr.sin_family = AF_INET;\n    serverAddr.sin_port = htons(SERVER_PORT);\n    serverAddr.sin_addr.s_addr = inet_addr(SERVER_IP);\n    connect(clientSocket, (struct sockaddr*)&amp;serverAddr, sizeof(serverAddr));\n    int result = recv(clientSocket, buff, sizeof(buff), 0);\n    int a=0;\n    char q[10];\n    unsigned char key[]=&quot;do_not_care&quot;;\n    unsigned char key2[] = &quot;where_is_the_key&quot;;\n    FILE* file = fopen(&quot;have_your_fun.jocker&quot;, &quot;wb&quot;);\n    if (file == NULL) {\n        printf(&quot;open file failed!\\n&quot;);\n        return 1;\n    }\n    unsigned char *str;\n    str = (char *) malloc(20000);\n    memcpy(str, buff, 20000);\n    rc4_encrypt_decrypt(key2, str, 20000);\n    printf(&quot;please give me the key of fun:&quot;);\n    scanf(&quot;%s&quot;,q);\n    rc4_encrypt_decrypt(key, str, 20000);\n\n    fwrite(buff, 1, 20000, file);\n    printf(&quot;maybe you go wrong&quot;);\n    fclose(file);\n    close(clientSocket);\n    return 0;\n}<\/code><\/pre>\n<p>Its main function is to RC4-encrypt the PNG twice; the resulting file is have_your_fun.jocker. RC4-encrypting the PNG file header gives <code>e5afbeba<\/code><\/p>\n<p><img decoding=\"async\" src=\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2023\/12\/nc9.png\" alt=\"\" \/><\/p>\n<p>Next, search the whole image for that header, copy the string containing it, and RC4-decrypt it to get the flag<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2023\/12\/nc10.png\" alt=\"\" \/><\/p>\n<p><img decoding=\"async\" src=\"http:\/\/www.s1mh0.cn\/blog\/wp-content\/uploads\/2023\/12\/nc11.png\" alt=\"\" \/><\/p>\n<p>flag{It's_So_Hard_To_Find_A_Picture}<\/p>\n<p>Reference blogs:<\/p>\n<p><a href=\"https:\/\/treasure-house.randark.site\/blog\/2023-10-25-MemoryForensic-Test\/\">Memory forensics experiment - image + configuration file | Randark_JMT - \u9648\u6a58\u58a8<\/a><\/p>\n<p><a href=\"https:\/\/ipartmentxhc.github.io\/2022\/11\/06\/%E5%88%B6%E4%BD%9CLinux%E5%86%85%E5%AD%98%E9%95%9C%E5%83%8F-%E5%88%B6%E4%BD%9C%E5%AF%B9%E5%BA%94%E7%9A%84volatility-profile\/\">Building a Linux memory image + building the matching volatility_profile<\/a><\/p>\n<div class=\"clearfix\"><\/div>","protected":false},"excerpt":{"rendered":"<p>Linux Memory Forensics There are generally two approaches to Linux memory forensics: Build a profile file and use it with vol2 (Volatility 2) Build a symbol [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-191","post","type-post","status-publish","format-standard","hentry","category-misc"],"views":1000,"_links":{"self":[{"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/posts\/191","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=191"}],"version-history":[{"count":11,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/posts\/191\/revisions"}],"predecessor-version":[{"id":320,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/posts\/191\/revisions\/320"}],"wp:attachment":[{"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=191"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=191"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.s1mh0.cn\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=191"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}