Challenge file:
Confirming the file type
file HZ
HZ: Linux rev 1.0 ext3 filesystem data, UUID=ca014691-c6ea-4a5a-8da4-74a1aa1c9a80
This confirms that it is a Linux ext3 filesystem image.
Mounting it directly on Linux
sudo mkdir /mnt/aaa
sudo mount ./HZ /mnt/aaa -o loop,ro # ro prevents the files from being modified
# ./HZ is the image file to mount
# /mnt/aaa is the directory to mount it on
# -o sets the mount options: loop mounts an image file, ro is read only
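Commands
sudo apt install extundelete # install the disk file scanner
df -lh # list all mount points; the image file turns out to be attached as the virtual disk device /dev/loop0
sudo extundelete /dev/loop0 --inode 2 # run extundelete on inode 2 (the root directory's inode) to list its entries
The scan output is as follows: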
NOTICE: Extended attributes are not restored.
Loading filesystem metadata ... 1 groups loaded.
Group: 0
Contents of inode 2:
0000 | ed 41 f4 01 00 04 00 00 ed 24 7c 5f e9 43 fa 5a | .A.......$|_.C.Z
0010 | e9 43 fa 5a 00 00 00 00 f4 01 05 00 02 00 00 00 | .C.Z............
0020 | 00 00 00 00 5f 00 00 00 b8 00 00 00 00 00 00 00 | ...._...........
0030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
0070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
Inode is Allocated
File mode: 16877
Low 16 bits of Owner Uid: 500
Size in bytes: 1024
Access time: 1601971437
Creation time: 1526350825
Modification time: 1526350825
Deletion Time: 0
Low 16 bits of Group Id: 500
Links count: 5
Blocks count: 2
File flags: 0
File version (for NFS): 0
File ACL: 0
High 32 bits of Size: 0
Fragment address: 0
Direct blocks: 184, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
Indirect block: 0
Double indirect block: 0
Triple indirect block: 0
File name | Inode number | Deleted status
. 2
.. 2
lost+found 11
TODO.me 14
.aaa.swp 12 Deleted
.hide 13
.ls 17
.f1@gggggggggggg.swp 16 Deleted
aaa 18
This reveals a sensitive file, .f1@gggggggggggg.swp, whose status is Deleted. Let's recover it:
sudo extundelete /dev/loop0 --restore-file .f1@gggggggggggg.swp
# recover the Vim swap file
vim -r RECOVERED_FILES/.f1@gggggggggggg.swp
The Vim commands are as follows:
"+yy
:q!
"+yy
copies the current line to the system clipboard
:q!
force-quits Vim
Then just paste, and you get the flag, shown below:
5bd2510a83e82d271b7bf7fa4e0970d1
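To cross-check the extundelete report against the raw bytes, the following added example (not part of the original writeup) decodes the hex dump of inode 2 shown above using the standard 128-byte ext2/ext3 on-disk inode layout. The names parse_inode and load_dump are hypothetical helpers introduced here, and the hex bytes are copied from the dump in the scan output.

```python
import stat
import struct

# First 0x30 bytes of inode 2, copied from the extundelete dump above.
# The remaining bytes of the 128-byte inode are zero in that dump.
INODE_HEX = """
ed 41 f4 01 00 04 00 00 ed 24 7c 5f e9 43 fa 5a
e9 43 fa 5a 00 00 00 00 f4 01 05 00 02 00 00 00
00 00 00 00 5f 00 00 00 b8 00 00 00 00 00 00 00
"""

# Little-endian layout of the classic 128-byte ext2/ext3 on-disk inode.
HEAD = struct.Struct("<HHIIIIIHHII4x")  # i_mode .. i_flags, then skip osd1
BLOCKS = struct.Struct("<15I")          # 12 direct + 3 indirect pointers


def parse_inode(raw: bytes) -> dict:
    """Decode the fields extundelete prints from a raw 128-byte inode."""
    if len(raw) != 128:
        raise ValueError(f"expected 128 bytes, got {len(raw)}")
    (mode, uid, size, atime, ctime, mtime, dtime,
     gid, links, sectors, flags) = HEAD.unpack_from(raw, 0)
    ptrs = BLOCKS.unpack_from(raw, HEAD.size)
    kind = ("directory" if stat.S_ISDIR(mode)
            else "regular file" if stat.S_ISREG(mode) else "other")
    return {
        "mode": mode, "type": kind, "perms": oct(stat.S_IMODE(mode)),
        "uid": uid, "gid": gid, "size": size, "links": links,
        "atime": atime, "mtime": mtime,
        "ctime": ctime,          # inode change time, labelled "Creation time"
        "dtime": dtime,          # non-zero once the inode has been deleted
        "deleted": dtime != 0,
        "sectors": sectors,      # i_blocks, counted in 512-byte units
        "flags": flags,
        "direct": list(ptrs[:12]),
        "indirect": ptrs[12], "double": ptrs[13], "triple": ptrs[14],
    }


def load_dump(hex_text: str) -> bytes:
    """Turn hex-dump bytes into a zero-padded 128-byte inode."""
    return bytes.fromhex(hex_text).ljust(128, b"\0")


if __name__ == "__main__":
    for key, value in parse_inode(load_dump(INODE_HEX)).items():
        print(f"{key:>8}: {value}")
```

The decoded values match the report: mode 16877 is a directory with permissions 755, and the single direct block pointer 184 is the block holding the directory entries in which the deleted swap file names were found.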