{"id":488,"date":"2026-05-12T23:08:50","date_gmt":"2026-05-12T15:08:50","guid":{"rendered":"https:\/\/cloverdayssss.top\/?p=488"},"modified":"2026-05-12T23:08:50","modified_gmt":"2026-05-12T15:08:50","slug":"%e4%bb%8e%e9%9b%b6%e5%bc%80%e5%a7%8b%e7%9a%84%e5%8f%96%e8%af%81%e4%b9%8b%e6%97%85%ef%bc%88%e4%b8%80%ef%bc%89-newstarctf2025-week3%ef%bc%9a%e5%86%85%e5%ad%98%e5%8f%96%e8%af%81%ef%bc%9a","status":"publish","type":"post","link":"https:\/\/cloverdayssss.top\/index.php\/2026\/05\/12\/%e4%bb%8e%e9%9b%b6%e5%bc%80%e5%a7%8b%e7%9a%84%e5%8f%96%e8%af%81%e4%b9%8b%e6%97%85%ef%bc%88%e4%b8%80%ef%bc%89-newstarctf2025-week3%ef%bc%9a%e5%86%85%e5%ad%98%e5%8f%96%e8%af%81%ef%bc%9a\/","title":{"rendered":"\u4ece\u96f6\u5f00\u59cb\u7684\u53d6\u8bc1\u4e4b\u65c5\uff08\u4e00\uff09\u2014\u2014NewstarCTF2025 Week3\uff1a\u5185\u5b58\u53d6\u8bc1\uff1aWindows \u7bc7"},"content":{"rendered":"<pre><code class=\"line-numbers\">\u539f\u9898\u5982\u4e0b\uff1a\u672c\u5173\u8003\u9a8c\u4f60\u5185\u5b58\u53d6\u8bc1\u672c\u9886\uff0c\u8bf7\u8003\u751f\u643a\u5e26\u597d\u6587\u5177\uff08kali \u865a\u62df\u673a\u548c Volatility2\uff09\uff0c\u505a\u597d\u51c6\u5907\uff0c\u8fce\u63a5\u6311\u6218\u3002\n\n\u672c\u9898\u7684 FLAG \u7531\u591a\u4e2a\u95ee\u9898\u7684\u7b54\u6848\u7ec4\u6210\uff0c\u4f7f\u7528\u4e0b\u5212\u7ebf _ \u5c06\u7b54\u6848\u5404\u90e8\u5206\u8fde\u63a5\uff0c\u5c31\u80fd\u5f97\u5230 FLAG\uff1a\n\n\u6076\u610f\u8fdb\u7a0b\u7684\u5916\u8054 ip:port\n\u6076\u610f\u8fdb\u7a0b\u6240\u5728\u7684\u6587\u4ef6\u5939\u540d\u79f0\n\u7528\u6237\u7684\u4e3b\u673a\u767b\u5f55\u5bc6\u7801\n\u7535\u8111\u4e3b\u673a\u7684\u540d\u79f0\n\u6d89\u53ca\u5b57\u6bcd\u7684\u90e8\u5206\u7edf\u4e00\u5c0f\u5199\uff0c\u9898\u76ee\u9644\u4ef6\u5305\u542b FLAG \u7684\u4e3e\u4f8b\u3002\n<\/code><\/pre>\n<p>\u9898\u76ee\u9644\u4ef6\u5df2\u4e0a\u4f20\u81f3<a class=\"wp-editor-md-post-content-link\" href=\"https:\/\/pan.cloverdayssss.top\/#s\/EC0eZOMT\" target=\"_blank\"  rel=\"nofollow\" 
>\u672c\u7ad9<\/a>,\u63d0\u53d6\u5bc6\u7801: 1145\uff0c\u53ef\u4f9b\u5927\u4f19\u81ea\u884c\u590d\u73b0\u9898\u76ee\u3002<\/p>\n<p>\u5173\u4e8eVMware\u865a\u62df\u673a\u548ckali Linux\u7684\u5b89\u88c5\u5728\u6b64\u4e0d\u4f5c\u8d58\u8ff0\uff0c\u7f51\u4e0a\u6709\u8db3\u591f\u591a\u7684\u6559\u7a0b\uff0c\u6b64\u5904\u4ec5\u8bb0\u5f55\u4e00\u4e0b\u6700\u57fa\u672c\u7684\u5185\u5b58\u53d6\u8bc1\u601d\u8def\u3002<\/p>\n<h4>\u4e00\u3001\u521d\u8bc6\u5185\u5b58\u53d6\u8bc1\u4e0e\u5de5\u5177<\/h4>\n<p>\u5185\u5b58\u53d6\u8bc1\uff0c\u7b80\u5355\u6765\u8bf4\u5c31\u662f<strong>\u5206\u6790\u7535\u8111\u5173\u673a\u524d\u7684\u5185\u5b58\u955c\u50cf\u6587\u4ef6<\/strong>\uff0c\u628a\u5f53\u65f6\u7535\u8111\u8fd0\u884c\u7684\u8fdb\u7a0b\u3001\u7f51\u7edc\u8fde\u63a5\u3001\u7528\u6237\u8d26\u53f7\u5bc6\u7801\u3001\u8ba1\u7b97\u673a\u540d\u79f0\u7b49\u9690\u85cf\u7ebf\u7d22\u5168\u90e8\u6316\u51fa\u6765\u3002<\/p>\n<p>\u672c\u6b21\u505a\u9898\u53ea\u7528\u4e24\u4e2a\u6838\u5fc3\u6761\u4ef6\uff1a<\/p>\n<ol>\n<li>\u53d6\u8bc1\u5de5\u5177\uff1aVolatility 2.6<\/li>\n<li>\u9898\u76ee\u9644\u4ef6\uff1a<code>hellohacker.raw<\/code> \u5185\u5b58\u955c\u50cf\u6587\u4ef6<\/li>\n<\/ol>\n<p>\u9898\u76ee\u7684\u8981\u6c42\u5f88\u660e\u786e\uff1aFLAG \u7531\u56db\u4e2a\u90e8\u5206\u7528\u4e0b\u5212\u7ebf\u62fc\u63a5\u800c\u6210\uff0c\u5206\u522b\u662f<strong>\u6076\u610f\u8fdb\u7a0b\u5916\u8054 IP \u7aef\u53e3\u3001\u6076\u610f\u8fdb\u7a0b\u6240\u5728\u6587\u4ef6\u5939\u540d\u3001\u4e3b\u673a\u767b\u5f55\u5bc6\u7801\u3001\u7535\u8111\u4e3b\u673a\u540d<\/strong>\uff0c\u4e14\u5b57\u6bcd\u7edf\u4e00\u5c0f\u5199\u3002<\/p>\n<h4>\u4e8c\u3001\u65b0\u624b\u5b8c\u6574\u53d6\u8bc1\u6d41\u7a0b\u590d\u76d8<\/h4>\n<p><strong>\u7b2c\u4e00\u6b65\uff1a\u8bc6\u522b\u5185\u5b58\u955c\u50cf\u7cfb\u7edf\u7248\u672c<\/strong><\/p>\n<p>\u62ff\u5230 raw 
\u955c\u50cf\u7b2c\u4e00\u4ef6\u4e8b\uff0c\u5fc5\u987b\u5148\u786e\u5b9a\u7cfb\u7edf\u7248\u672c\uff0c\u540e\u7eed\u6240\u6709\u5206\u6790\u547d\u4ee4\u90fd\u8981\u4f9d\u8d56\u5bf9\u5e94<code>profile<\/code>\u914d\u7f6e\u3002<\/p>\n<p>\u4f7f\u7528\u547d\u4ee4\uff1a<\/p>\n<pre><code class=\"language-bash line-numbers\">volatility -f hellohacker.raw imageinfo\n<\/code><\/pre>\n<p>\u5f97\u5230<\/p>\n<pre><code class=\"line-numbers\">INFO    : volatility.debug    : Determining profile based on KDBG search...\n          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418\n                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)\n                     AS Layer2 : FileAddressSpace (\/home\/kali\/Desktop\/hellohacker.raw)\n                      PAE type : No PAE\n                           DTB : 0x187000L\n                          KDBG : 0xf8000403e120L\n          Number of Processors : 2\n     Image Type (Service Pack) : 1\n                KPCR for CPU 0 : 0xfffff80004040000L\n                KPCR for CPU 1 : 0xfffff88004500000L\n             KUSER_SHARED_DATA : 0xfffff78000000000L\n           Image date and time : 2025-09-30 11:32:54 UTC+0000\n     Image local date and time : 2025-09-30 19:32:54 +0800\n\n<\/code><\/pre>\n<p>\u5de5\u5177\u81ea\u52a8\u8bc6\u522b\u51fa\u63a8\u8350\u914d\u7f6e <code>Win7SP1x64<\/code>\uff0c\u540e\u7eed\u6240\u6709\u547d\u4ee4\u90fd\u5e26\u4e0a\u8fd9\u4e2a\u914d\u7f6e\u53c2\u6570\uff0c\u8fd9\u662f\u6240\u6709\u53d6\u8bc1\u64cd\u4f5c\u7684\u57fa\u7840\uff0c\u65b0\u624b\u5207\u8bb0\u4e0d\u80fd\u8df3\u8fc7\u8fd9\u4e00\u6b65\u3002<\/p>\n<p><strong>\u7b2c\u4e8c\u6b65\uff1a\u67e5\u627e\u6076\u610f\u8fdb\u7a0b\u5916\u8054 IP:PORT<\/strong><\/p>\n<p>\u60f3\u8981\u627e\u6076\u610f\u6728\u9a6c\u7684\u5916\u8054\u5730\u5740\uff0c\u7528<code>netscan<\/code>\u626b\u63cf\u5185\u5b58\u4e2d\u6240\u6709\u7f51\u7edc\u8fde\u63a5\uff1a<\/p>\n<pre><code class=\"language-bash 
line-numbers\">volatility -f hellohacker.raw --profile=Win7SP1x64 netscan\n<\/code><\/pre>\n<p>\u7740\u91cd\u770bForeign Address\u5217\uff0c\u53d1\u73b0\u4e00\u4e2a\u7279\u6b8a\u7684ip\uff1a<\/p>\n<pre><code class=\"line-numbers\">0x7fe07560         UDPv4    0.0.0.0:3702                   *:*                                   1304     svchost.exe    2025-09-30 11:28:21 UTC+0000\n0x7fd69ac0         TCPv4    192.168.20.131:49158           125.216.248.74:11451 ESTABLISHED      2864     svchost.exe    \n<\/code><\/pre>\n<p>\u6076\u610f\u5916\u8054\uff1a125.216.248.74:11451\uff0c\u5bf9\u5e94\u7684\u8fdb\u7a0bPID\u4e3a2864.<\/p>\n<p><strong>\u7b2c\u4e09\u6b65\uff1a\u5b9a\u4f4d\u6076\u610f\u8fdb\u7a0b\u6240\u5728\u6587\u4ef6\u5939<\/strong><\/p>\n<p>\u8bb0\u4e0b\u6076\u610f\u8fdb\u7a0b PID=2864\uff0c\u7528<code>cmdline<\/code>\u63d2\u4ef6\u67e5\u770b\u8fdb\u7a0b\u5b8c\u6574\u542f\u52a8\u8def\u5f84\uff1a<\/p>\n<pre><code class=\"language-bash line-numbers\">volatility -f hellohacker.raw --profile=Win7SP1x64 cmdline -p 2864\n<\/code><\/pre>\n<p>\u5f97\u5230\uff1a<\/p>\n<pre><code class=\"line-numbers\">svchost.exe pid:   2864\nCommand line : \"C:\\Windows\\Temp\\svchost.exe\" \n<\/code><\/pre>\n<p>\u6240\u4ee5\u6587\u4ef6\u5939\uff1aTemp\u3002<\/p>\n<p><strong>\u7b2c\u56db\u6b65\uff1a\u63d0\u53d6\u7cfb\u7edf\u7528\u6237\u767b\u5f55\u5bc6\u7801<\/strong><\/p>\n<p>\u7528<code>hashdump<\/code>\u6293\u53d6\u7cfb\u7edf\u6240\u6709\u7528\u6237\u7684 NTLM \u5bc6\u7801\u54c8\u5e0c\uff1a<\/p>\n<pre><code class=\"language-bash line-numbers\">volatility -f hellohacker.raw --profile=Win7SP1x64 hashdump\n<\/code><\/pre>\n<p>\u5f97\u5230<\/p>\n<pre><code 
class=\"line-numbers\">Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\nGuest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\nJustAGuestAwA:1000:aad3b435b51404eeaad3b435b51404ee:3008c87294511142799dca1191e69a0f:::\n<\/code><\/pre>\n<p>\u8f93\u51fa\u683c\u5f0f\u4e3a<code>\u7528\u6237\u540d:RID:LM\u54c8\u5e0c:NTLM\u54c8\u5e0c:::<\/code>\u3002RID\u662f\u7cfb\u7edf\u5206\u914d\u7684\u8eab\u4efd\u7f16\u53f7\uff0c\u4e00\u822c500\u6307\u7684\u662f\u7cfb\u7edf\u9ed8\u8ba4\u7ba1\u7406\u5458\uff0c501\u6307\u7684\u662f\u6765\u5bbe\u8d26\u53f7\uff0c\u5176\u4f59\u4e3a\u81ea\u5efa\u3002\u800cLM \u54c8\u5e0c\u662fWindows \u5f88\u65e9\u7684\u8001\u65e7\u54c8\u5e0c\u7b97\u6cd5\uff0c\u5b89\u5168\u6027\u6781\u5dee\u3002\u4ece Win7 \u5f00\u59cb\u9ed8\u8ba4\u76f4\u63a5\u7981\u7528\uff0c\u6240\u4ee5\u4f60\u770b\u5230\u6240\u6709\u4eba\u7684 LM \u54c8\u5e0c\u90fd\u662f\u540c\u4e00\u4e2a\u56fa\u5b9a\u503c\u3002\u53ea\u6709NTLM\u54c8\u5e0c\u662f\u5bc6\u7801\u7684\u54c8\u5e0c\u503c\uff0c\u4e14\u4e0d\u52a0\u76d0\uff0c\u6240\u4ee5\u53ef\u4ee5\u76f4\u63a5\u67e5\u8868\u3002\u622a\u53d6NTLM\u54c8\u5e0c\u5e76\u5728\u4e92\u8054\u7f51\uff08cmd5.com\u7b49\u7f51\u7ad9\uff09\u4e0a\u627e\u78b0\u649e\u3002Administrator\u548cGuest\u5747\u65e0\u5bc6\u7801\uff0cJustAGuestAwA\u4e3aadmin123\u3002<\/p>\n<p>\u6240\u4ee5\u5bc6\u7801\uff1aadmin123<\/p>\n<p><strong>\u7b2c\u4e94\u6b65\uff1a\u8bfb\u53d6\u6ce8\u518c\u8868\u83b7\u53d6\u4e3b\u673a\u540d<\/strong><\/p>\n<p>\u8ba1\u7b97\u673a\u540d\u79f0\u5b58\u653e\u5728\u7cfb\u7edf\u6ce8\u518c\u8868\u4e2d\uff0c\u5206\u4e24\u6b65\u8bfb\u53d6\uff1a<\/p>\n<p>\u5148\u7528<code>hivelist<\/code>\u627e\u5230 SYSTEM \u6ce8\u518c\u8868\u865a\u62df\u5730\u5740\uff1a<\/p>\n<pre><code class=\"line-numbers\">volatility -f hellohacker.raw --profile=Win7SP1x64 hivelist | grep SYSTEM\n<\/code><\/pre>\n<p>\u5f97\u5230\uff1a<\/p>\n<pre><code class=\"line-numbers\">0xfffff8a000024010 0x000000002c5cc010 
\\REGISTRY\\MACHINE\\SYSTEM\n<\/code><\/pre>\n<p>\u5206\u522b\u4e3a\u865a\u62df\u5730\u5740\uff0c\u7269\u7406\u5730\u5740\u548c\u6ce8\u518c\u8868\u8def\u5f84\u3002\u5e26\u5165\u5730\u5740\u4f7f\u7528\u4e0b\u4e00\u6b65\uff1a<\/p>\n<pre><code class=\"line-numbers\">volatility -f hellohacker.raw --profile=Win7SP1x64 printkey -o \u5730\u5740 -K \"ControlSet001\\Control\\ComputerName\\ComputerName\"\n<\/code><\/pre>\n<p>\u8fd4\u56de\uff1a<\/p>\n<pre><code class=\"line-numbers\">Legend: (S) = Stable   (V) = Volatile\n\n----------------------------\nRegistry: \\REGISTRY\\MACHINE\\SYSTEM\nKey name: ComputerName (S)\nLast updated: 2025-09-30 09:17:16 UTC+0000\n\nSubkeys:\n\nValues:\nREG_SZ                        : (S) mnmsrvc\nREG_SZ        ComputerName    : (S) ARISAMIK\n<\/code><\/pre>\n<p>\u8f93\u51fa\u6709\u4e24\u4e2a\u6ce8\u518c\u8868\u503c\uff0c\u65e0\u540d\u79f0\u9ed8\u8ba4\u503c\u4e3a\u7cfb\u7edf\u65e0\u5173\u53c2\u6570\uff0c\u5e26<code>ComputerName<\/code>\u6807\u8bc6\u7684\u624d\u662f\u771f\u5b9e\u4e3b\u673a\u540d<code>ARISAMIK<\/code>\u3002<\/p>\n<p>\u6700\u7ec8flag{125.216.248.74:11451_temp_admin123_arisamik}<\/p>\n<p>\u501f\u7528AI\u505a\u4e2a\u603b\u7ed3\uff1a\u5185\u5b58\u53d6\u8bc1\u5e76\u4e0d\u662f\u9760\u9ad8\u6df1\u77e5\u8bc6\u6b7b\u78d5\uff0c\u800c\u662f<strong>\u56fa\u5b9a\u5de5\u5177 + \u56fa\u5b9a\u6d41\u7a0b<\/strong>\u7684\u5957\u8def\u5316\u89e3\u9898\u3002\u4ece\u8bc6\u522b\u955c\u50cf\u3001\u626b\u63cf\u7f51\u7edc\u3001\u67e5\u8fdb\u7a0b\u8def\u5f84\uff0c\u5230\u6293\u53d6\u5bc6\u7801\u54c8\u5e0c\u3001\u8bfb\u53d6\u6ce8\u518c\u8868\uff0c\u6bcf\u4e00\u6b65\u90fd\u6709\u5bf9\u5e94\u7684 Volatility \u63d2\u4ef6\u3002\u5bf9\u4e8e CTF \u65b0\u624b\u6765\u8bf4\uff0c\u4e0d\u7528\u5bb3\u6015\u5185\u5b58\u53d6\u8bc1\uff0c\u4ece\u8fd9\u7c7b\u57fa\u7840 MISC 
\u9898\u76ee\u5165\u624b\uff0c\u719f\u8bb0\u5e38\u7528\u547d\u4ee4\u3001\u7406\u6e05\u6392\u67e5\u903b\u8f91\uff0c\u5c31\u80fd\u8f7b\u677e\u5165\u95e8\uff0c\u6162\u6162\u89e3\u9501\u66f4\u591a\u8fdb\u9636\u53d6\u8bc1\u9898\u578b\u3002<\/p>\n<p><del>\u8981\u662f\u771f\u6709\u8fd9\u4e48\u8f7b\u677e\u5c31\u597d\u4e86<\/del><\/p>\n<p>\u9644\u4e2a\u4f9d\u65e7\u662fAI\u603b\u7ed3\u51fa\u6765\u7684Volatility\u547d\u4ee4\u96c6\uff1a<\/p>\n<p>\u901a\u7528\u683c\u5f0f\uff1a<code>volatility -f \u5185\u5b58\u955c\u50cf --profile=\u7cfb\u7edf\u914d\u7f6e \u63d2\u4ef6\u540d<\/code><\/p>\n<p>\u4f60\u8fd9\u9053\u9898\u7684\u56fa\u5b9a\u914d\u7f6e\uff1a<code>--profile=Win7SP1x64<\/code><\/p>\n<p>\u4e00\u3001\u57fa\u7840\u5fc5\u7528\uff08\u7b2c\u4e00\u6b65\u5fc5\u6267\u884c\uff09<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">\u547d\u4ee4<\/th>\n<th align=\"center\">\u6838\u5fc3\u4f5c\u7528<\/th>\n<th align=\"center\">\u65b0\u624b\u5907\u6ce8<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\"><code>volatility -f xxx.raw imageinfo<\/code><\/td>\n<td align=\"center\"><strong>\u8bc6\u522b\u5185\u5b58\u955c\u50cf\u7684\u7cfb\u7edf\u7248\u672c<\/strong><\/td>\n<td align=\"center\">\u6240\u6709\u64cd\u4f5c\u7684\u524d\u63d0\uff0c\u83b7\u53d6<code>profile<\/code><\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><code>volatility -f xxx.raw kdbgscan<\/code><\/td>\n<td align=\"center\">\u8f85\u52a9\u8bc6\u522b\u7cfb\u7edf\u914d\u7f6e<\/td>\n<td align=\"center\">imageinfo \u8bc6\u522b\u5931\u8d25\u65f6\u7528<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u4e8c\u3001\u8fdb\u7a0b\u5206\u6790\uff08\u627e\u6076\u610f\u7a0b\u5e8f \/ \u6728\u9a6c\uff09<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">\u547d\u4ee4<\/th>\n<th align=\"center\">\u6838\u5fc3\u4f5c\u7528<\/th>\n<th align=\"center\">\u65b0\u624b\u5907\u6ce8<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\"><code>pslist<\/code><\/td>\n<td align=\"center\">\u5217\u51fa\u6240\u6709\u8fd0\u884c\u7684\u8fdb\u7a0b<\/td>\n<td 
align=\"center\">\u67e5\u770b PID\u3001\u8fdb\u7a0b\u540d\u3001\u7236\u8fdb\u7a0b<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><code>psscan<\/code><\/td>\n<td align=\"center\">\u626b\u63cf<strong>\u9690\u85cf\u8fdb\u7a0b<\/strong><\/td>\n<td align=\"center\">\u6392\u67e5\u88ab\u6728\u9a6c\u9690\u85cf\u7684\u6076\u610f\u8fdb\u7a0b<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><code>cmdline -p PID<\/code><\/td>\n<td align=\"center\">\u67e5\u770b\u8fdb\u7a0b<strong>\u5b8c\u6574\u8def\u5f84 \/ \u542f\u52a8\u547d\u4ee4<\/strong><\/td>\n<td align=\"center\">\u672c\u9898\u7528\u5b83\u627e\u5230\u6076\u610f\u7a0b\u5e8f\u5728<code>Temp<\/code>\u6587\u4ef6\u5939<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><code>dlllist -p PID<\/code><\/td>\n<td align=\"center\">\u67e5\u770b\u8fdb\u7a0b\u52a0\u8f7d\u7684\u52a8\u6001\u5e93<\/td>\n<td align=\"center\">\u6392\u67e5\u6076\u610f DLL \u6ce8\u5165<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u4e09\u3001\u7f51\u7edc\u5206\u6790\uff08\u627e\u5916\u8054 IP \/ \u7aef\u53e3\uff0c\u672c\u9898\u6838\u5fc3\uff09<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">\u547d\u4ee4<\/th>\n<th align=\"center\">\u6838\u5fc3\u4f5c\u7528<\/th>\n<th align=\"center\">\u65b0\u624b\u5907\u6ce8<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\"><code>netscan<\/code><\/td>\n<td align=\"center\"><strong>\u626b\u63cf\u6240\u6709\u7f51\u7edc\u8fde\u63a5<\/strong><\/td>\n<td align=\"center\">\u672c\u9898\u7528\u5b83\u627e\u5230<code>125.216.248.74:11451<\/code><\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><code>connections<\/code><\/td>\n<td align=\"center\">\u67e5\u770b TCP \u6d3b\u8dc3\u8fde\u63a5<\/td>\n<td align=\"center\">\u4ec5\u652f\u6301\u65e7\u7248 Windows<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><code>connscan<\/code><\/td>\n<td align=\"center\">\u626b\u63cf\u5df2\u65ad\u5f00\u7684\u7f51\u7edc\u8fde\u63a5<\/td>\n<td align=\"center\">\u8865\u5168 netscan 
\u9057\u6f0f\u7684\u8fde\u63a5<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u56db\u3001\u6587\u4ef6\u626b\u63cf\uff08\u627e\u9690\u85cf\u6587\u4ef6\uff09<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">\u547d\u4ee4<\/th>\n<th align=\"center\">\u6838\u5fc3\u4f5c\u7528<\/th>\n<th align=\"center\">\u65b0\u624b\u5907\u6ce8<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\"><code>filescan<\/code><\/td>\n<td align=\"center\"><strong>\u626b\u63cf\u5185\u5b58\u4e2d\u6240\u6709\u6587\u4ef6<\/strong><\/td>\n<td align=\"center\">CTF \u9ad8\u9891\uff0c\u8fc7\u6ee4 flag\/txt\/exe \u6587\u4ef6<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><code>dumpfiles -Q \u5730\u5740 -D .\/<\/code><\/td>\n<td align=\"center\">\u63d0\u53d6\u5185\u5b58\u4e2d\u7684\u6587\u4ef6<\/td>\n<td align=\"center\">\u628a\u626b\u63cf\u5230\u7684\u6587\u4ef6\u5bfc\u51fa\u5230\u672c\u5730<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u4e94\u3001\u6ce8\u518c\u8868\u5206\u6790\uff08\u627e\u4e3b\u673a\u540d \/ \u7cfb\u7edf\u914d\u7f6e\uff09<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">\u547d\u4ee4<\/th>\n<th align=\"center\">\u6838\u5fc3\u4f5c\u7528<\/th>\n<th align=\"center\">\u65b0\u624b\u5907\u6ce8<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\"><code>hivelist<\/code><\/td>\n<td align=\"center\">\u5217\u51fa\u6240\u6709\u6ce8\u518c\u8868\u914d\u7f6e\u5355\u5143<\/td>\n<td align=\"center\">\u672c\u9898\u7528\u5b83\u627e SYSTEM \u6ce8\u518c\u8868\u5730\u5740<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><code>printkey -o \u5730\u5740 -K \u6ce8\u518c\u8868\u8def\u5f84<\/code><\/td>\n<td align=\"center\"><strong>\u8bfb\u53d6\u6ce8\u518c\u8868\u952e\u503c<\/strong><\/td>\n<td align=\"center\">\u672c\u9898\u7528\u5b83\u83b7\u53d6\u4e3b\u673a\u540d<code>ARISAMIK<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u516d\u3001\u5bc6\u7801\u53d6\u8bc1\uff08\u672c\u9898\u6838\u5fc3\u8003\u70b9\uff09<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">\u547d\u4ee4<\/th>\n<th 
align=\"center\">\u6838\u5fc3\u4f5c\u7528<\/th>\n<th align=\"center\">\u65b0\u624b\u5907\u6ce8<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\"><code>hashdump<\/code><\/td>\n<td align=\"center\"><strong>\u63d0\u53d6\u7cfb\u7edf\u7528\u6237\u5bc6\u7801\u54c8\u5e0c<\/strong><\/td>\n<td align=\"center\">\u672c\u9898\u7528\u5b83\u62ff\u5230 JustAGuestAwA \u7684\u5bc6\u7801\u54c8\u5e0c<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><code>lsadump<\/code><\/td>\n<td align=\"center\">\u63d0\u53d6 LSA \u5b58\u50a8\u7684\u5bc6\u7801<\/td>\n<td align=\"center\">\u67e5\u770b\u7cfb\u7edf\u660e\u6587\u5bc6\u7801 \/ \u5bc6\u94a5<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><code>cachedump<\/code><\/td>\n<td align=\"center\">\u63d0\u53d6\u57df\u7f13\u5b58\u5bc6\u7801<\/td>\n<td align=\"center\">\u57df\u73af\u5883\u53d6\u8bc1\u5e38\u7528<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u4e03\u3001\u547d\u4ee4\u884c\u5386\u53f2\uff08\u627e flag \u9ad8\u9891\uff09<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">\u547d\u4ee4<\/th>\n<th align=\"center\">\u6838\u5fc3\u4f5c\u7528<\/th>\n<th align=\"center\">\u65b0\u624b\u5907\u6ce8<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\"><code>consoles<\/code><\/td>\n<td align=\"center\"><strong>\u63d0\u53d6 CMD \u547d\u4ee4\u884c\u5b8c\u6574\u8bb0\u5f55<\/strong><\/td>\n<td align=\"center\">\u5f88\u591a\u9898 flag \u76f4\u63a5\u85cf\u5728\u8fd9\u91cc<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><code>cmdscan<\/code><\/td>\n<td align=\"center\">\u626b\u63cf\u547d\u4ee4\u884c\u64cd\u4f5c\u5386\u53f2<\/td>\n<td align=\"center\">\u8865\u5145 consoles \u7684\u5185\u5bb9<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>\u516b\u3001\u5185\u5b58 \/ \u8fdb\u7a0b\u63d0\u53d6\uff08\u8fdb\u9636\uff09<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">\u547d\u4ee4<\/th>\n<th align=\"center\">\u6838\u5fc3\u4f5c\u7528<\/th>\n<th align=\"center\">\u65b0\u624b\u5907\u6ce8<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\"><code>memdump -p PID -D 
.\/<\/code><\/td>\n<td align=\"center\">\u5bfc\u51fa\u6307\u5b9a\u8fdb\u7a0b\u7684\u5185\u5b58<\/td>\n<td align=\"center\">\u7528<code>strings<\/code>\u641c\u7d22\u5173\u952e\u8bcd<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><code>procdump -p PID -D .\/<\/code><\/td>\n<td align=\"center\">\u5bfc\u51fa\u8fdb\u7a0b\u7684\u53ef\u6267\u884c\u7a0b\u5e8f<\/td>\n<td align=\"center\">\u628a\u6728\u9a6c\u7a0b\u5e8f\u5bfc\u51fa\u5206\u6790<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>\u539f\u9898\u5982\u4e0b\uff1a\u672c\u5173\u8003\u9a8c\u4f60\u5185\u5b58\u53d6\u8bc1\u672c\u9886\uff0c\u8bf7\u8003\u751f\u643a\u5e26\u597d\u6587\u5177\uff08kali \u865a\u62df\u673a\u548c Volatility2\uff09\uff0c\u505a\u597d\u51c6\u5907\uff0c\u8fce\u63a5\u6311\u6218\u3002 \u672c\u9898\u7684 F &#8230;<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-488","post","type-post","status-publish","format-standard","hentry","category-javascriptvoid0"],"_links":{"self":[{"href":"https:\/\/cloverdayssss.top\/index.php\/wp-json\/wp\/v2\/posts\/488","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloverdayssss.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloverdayssss.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloverdayssss.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cloverdayssss.top\/index.php\/wp-json\/wp\/v2\/comments?post=488"}],"version-history":[{"count":2,"href":"https:\/\/cloverdayssss.top\/index.php\/wp-json\/wp\/v2\/posts\/488\/revisions"}],"predecessor-version":[{"id":490,"href":"https:\/\/cloverdayssss.top\/index.php\/wp-json\/wp\/v2\/posts\/488\/revisions\/490"}],"wp:attachment":[{"href":"https:\/\/cloverdayssss.top\/index.php\/wp-json\/wp\/v2\/media
?parent=488"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloverdayssss.top\/index.php\/wp-json\/wp\/v2\/categories?post=488"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloverdayssss.top\/index.php\/wp-json\/wp\/v2\/tags?post=488"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}