# 题目 1
1. 将黑客成功登录系统所使用的 IP 地址作为 Flag 值提交;
windows 下使用 logpraser 查阅日志:
D:\Desktop\Defense-Tool\Windows>LogParser -i:EVT "SELECT EXTRACT_TOKEN(Strings, 18, '|') FROM 安全.evtx WHERE NOT EXTRACT_TOKEN(Strings, 18, '|')='-' AND EventID = 4624" -q:ON | |
127.0.0.1 | |
127.0.0.1 | |
192.168.36.133 | |
127.0.0.1 | |
127.0.0.1 | |
192.168.36.133 | |
127.0.0.1 | |
127.0.0.1 | |
192.168.36.133 | |
127.0.0.1 | |
127.0.0.1 | |
192.168.36.133 | |
192.168.36.133 | |
127.0.0.1 | |
127.0.0.1 | |
172.16.1.1 |
flag: flag{192.168.36.133}
# 题目 2
2. 黑客成功登录系统后修改了登录用户的用户名,将修改后的用户名作为 Flag 值提交;
登录的用户名 Administrator ,查找将 Administrator 修改成了什么
D:\Desktop\Defense-Tool\Windows>LogParser -i:EVT "SELECT EXTRACT_TOKEN(Strings, 1, '|') FROM 安全.evtx WHERE EXTRACT_TOKEN(Strings, 0, '|')='Administrator' AND EventID=4781" -q:ON | |
Adnimistartro |
flag: flag{Adnimistartro}
# 题目 3
3. 黑客成功登录系统后成功访问了一个关键位置的文件,将该文件名称(文件名称不包含后缀)作为 Flag 值提交;
D:\Desktop\Defense-Tool\Windows>LogParser -i:EVT "SELECT DISTINCT EXTRACT_TOKEN(Strings,6,'|') FROM 安全.evtx WHERE EventID=4663" -q:ON | |
C:\Windows\Boot | |
C:\Windows\diagnostics | |
C:\Windows\rescache | |
C:\Windows\servicing | |
C:\Windows\System32\AdvancedInstallers | |
C:\Windows\System32\Boot | |
C:\Windows\System32\config\COMPONENTS | |
C:\Windows\System32\icsxml | |
C:\Windows\System32\SMI\Store\Machine\SCHEMA.DAT |
flag: flag{SCHEMA}
# 题目 4
4. 黑客成功登录系统后重启过几次数据库服务,将最后一次重启数据库服务后数据库服务的进程 ID 号作为 Flag 值提交;
D:\Desktop\Defense-Tool\Windows>LogParser -i:EVT "SELECT Strings FROM 应用程序.evtx WHERE EventID=100" -q:ON | findstr process | |
mysqld (mysqld 5.5.62-log) starting as process 2228 ... | |
mysqld (mysqld 5.5.62-log) starting as process 1532 ... | |
.phpcustom_mysql (mysqld 5.5.62-log) starting as process 752 ... | |
.phpcustom_mysql (mysqld 5.5.62-log) starting as process 2724 ... | |
.phpcustom_mysql (mysqld 5.5.62-log) starting as process 9884 ... | |
mysqld (mysqld 5.5.62-log) starting as process 9796 ... | |
mysqld (mysqld 5.5.62-log) starting as process 9372 ... | |
.phpcustom_mysql (mysqld 5.5.62-log) starting as process 9924 ... | |
.phpcustom_mysql (mysqld 5.5.62-log) starting as process 2624 ... | |
.phpcustom_mysql (mysqld 5.5.62-log) starting as process 10168 ... | |
.phpcustom_mysql (mysqld 5.5.62-log) starting as process 8820 ... | |
.phpcustom_mysql (mysqld 5.5.62-log) starting as process 1096 ... | |
.phpcustom_mysql (mysqld 5.5.62-log) starting as process 1052 ... |
倒着往上试
flag: flag{8820}
# 题目 5
5. 黑客成功登录系统后修改了登录用户的用户名并对系统执行了多次重启操作,将黑客使用修改后的用户重启系统的次数作为 Flag 值提交。
D:\Desktop\Defense-Tool\Windows>LogParser -i:EVT "SELECT Strings FROM 系统.evtx WHERE EventID=1074 AND EXTRACT_TOKEN(Strings,4,'|')='重新启动'" -q:ON | findstr winlogon | find /c /v "" | |
3 |
flag: flag{3}
