web2.E01 network configuration

The MAC address in the network configuration does not match the NIC, so the emulated machine gets no IP address; commenting out that line fixes it. The resulting netplan config:

```yaml
network:
  version: 2
  ethernets:
    eth0:
      dhcp4: true
```
The question order in this writeup has been rearranged (by AI) to follow the actual solving path, in five phases. The two hosts and their roles:

| Marker | Hostname | IP | Role |
|---|---|---|---|
| 🅰 Host A | iZj6cehpz92qnnkayb2yjyZ | 192.168.146.179 | Planet Mall (星球商城) main site (Next.js + Postgres + Docker faka image) |
| 🅱 Host B | VM-0-15-ubuntu | 192.168.146.180 | captcha-bot, encrypted backup, openclaw suspect working environment |

Key evidence: the openclaw session jsonl files are a complete operation log. Even though the suspect cleared .bash_history, deleted .env and wiped the agent session, the jsonl still retains every exec tool call with its arguments and passwords, which is enough to reconstruct everything that was done.
Booting the image in emulation shows that web1.E01 is an Alibaba Cloud server.


✅ Answer:
119FCF5D8F8F69336656B8E93A4C00838BC5A6C1FD82878F9C8EDFA1FE437F0D
The analysis proper starts here: extract the docker image.

```
[root@iZj6cehpz92qnnkayb2yjyZ ~]# docker image ls
REPOSITORY   TAG       IMAGE ID       CREATED       SIZE
faka         latest    a8e905f7421d   10 days ago   296MB
node         latest    7c42ab2c9553   4 weeks ago   1.13GB
postgres     16        188ac51266eb   4 weeks ago   451MB
[root@iZj6cehpz92qnnkayb2yjyZ ~]# docker save -o faka.tar faka
```


The key field in package.json is `"next": "16.2.4"`.
✅ Answer:
Next.js
/app/prisma/seed.ts inside the faka image:

```ts
const username = process.env.ADMIN_USERNAME || "admin";
const password = process.env.ADMIN_PASSWORD || "admin123456";
const salt = "Honglian2026FIC";
const hashedPassword = await hash(password + salt, 12);
```

✅ Answer:
Honglian2026FIC
Host A's ~/.env has been deleted, but ~/.env.swp is left behind; recovering it with `vim -r` yields the NOWPayments keys, SMTP settings and database URL in one go:

```
DATABASE_URL=postgresql://fk:Honglian%402026fic@www.storek.top:5432/fkdb?sslmode=disable
NOWPAYMENTS_API_KEY=934P23T-FZVMBDE-Q1R06NJ-4E6HZTM
NOWPAYMENTS_IPN_SECRET=7gk48N8+OpKd8vEY9mnqZ8hIi+YiKDCx
```

✅ Answer:
934P23T-FZVMBDE-Q1R06NJ-4E6HZTM
From the same recovered .env: in the DATABASE_URL field, `%40` URL-decodes to `@`:


✅ Answer:
Honglian@2026fic
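The recovered .env is read by eye above. The script below is an added example, not part of the original writeup, that does the same two steps in code: it parses dotenv text into a dict (tolerating quoted values and `export` prefixes), then splits a Postgres connection URL into its components with percent-decoding, which is where `%40` becomes `@`. The sample .env text is constructed: the DATABASE_URL reuses the value shown on the page, while the API key, IPN secret and SMTP password are placeholders.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample. DATABASE_URL mirrors the recovered .env on the page; the other
# values are placeholders that exercise quoting and the "export KEY=" form.
SAMPLE_ENV = """
# NOWPayments + database settings (constructed sample)
DATABASE_URL=postgresql://fk:Honglian%402026fic@www.storek.top:5432/fkdb?sslmode=disable
NOWPAYMENTS_API_KEY=PLACEHOLDER-API-KEY
NOWPAYMENTS_IPN_SECRET="PLACEHOLDER/ipn+secret="
export SMTP_PASS='quoted value'
MALFORMED LINE WITHOUT EQUALS
"""


def parse_dotenv(text):
    """Return {KEY: value} for a dotenv file; comments, blank and malformed lines are skipped."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, sep, value = line.partition("=")
        if not sep:
            continue  # no '=': not a KEY=VALUE line
        value = value.strip()
        # strip one layer of matching single or double quotes
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def split_database_url(url):
    """Break a libpq-style URL into parts; user and password are percent-decoded."""
    parts = urlsplit(url)
    options = dict(p.split("=", 1) for p in parts.query.split("&") if "=" in p)
    return {
        "scheme": parts.scheme,
        "user": unquote(parts.username or ""),
        "password": unquote(parts.password or ""),   # '%40' -> '@'
        "host": parts.hostname,
        "port": parts.port,
        "database": parts.path.lstrip("/"),
        "options": options,
    }


if __name__ == "__main__":
    env = parse_dotenv(SAMPLE_ENV)
    for key, value in split_database_url(env["DATABASE_URL"]).items():
        print(f"{key:9} {value}")
```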
/data/postgres on Host A has been wiped, so the investigation moves to Host B:

```
openclaw gateway --port 18789
openclaw dashboard
ssh -N -L 13501:127.0.0.1:13501 root@192.168.146.180   # port-forward the dashboard
```


At this point the picture is clear:
🅰 Host A: Planet Mall main site (Next.js + Postgres + Docker faka image)
🅱 Host B: captcha-bot, encrypted backup, openclaw suspect working environment
/data/bakup/fkdb_20260507.sql.gpg is a PG dump protected with AES-256 symmetric encryption; the passphrase has to be recovered from the openclaw session log (see Phase 3).
✅ Answer:
fkdb_20260507.sql.gpg
/root/.openclaw/openclaw.json:

✅ Answer: DeepSeek V4 Flash (deepseek-v4-flash)
The same openclaw.json:

✅ Answer:
sk-b203197a32804a669495973886ca8760
/root/.openclaw/cron/jobs.json:

✅ Answer:
https://t.me/+kzTXt-NO34QwNWJh
`ls /root/.openclaw/workspace/skills`:

✅ Answer: 11
/root/.openclaw/workspace/IDENTITY.md:

✅ Answer:
小星(Xiǎo Xīng)
The password-manager listed in the skills directory:

✅ Answer:
password-manager
`grep -hi 'PASSWORD_MANAGER_MASTER_PASSWORD' /root/.openclaw/agents/main/sessions/*.jsonl*`: the initialisation command exposes it in plaintext:

✅ Answer:
Honglian@Fic2026Password (also the passphrase of the gpg backup)
Unlock the vault with the master password:

```
root@VM-0-15-ubuntu:~# PASSWORD_MANAGER_MASTER_PASSWORD='Honglian@Fic2026Password' password-manager list
🔒 Cache missing, attempting to rebuild from environment variable...
✅ Cache rebuilt successfully
📋 Vault (2 entries):
SqlcipherPassword   password  [No tags]
8.217.145.152-root  password  [No tags]
root@VM-0-15-ubuntu:~# PASSWORD_MANAGER_MASTER_PASSWORD='Honglian@Fic2026Password' password-manager get --name "8.217.145.152-root" --show-password
🔒 Cache missing, attempting to rebuild from environment variable...
✅ Cache rebuilt successfully
📋 8.217.145.152-root
Type: password
Username: -
Tags: -
Created: 2026-05-07T03:31:51.043Z
Updated: 2026-05-07T03:31:51.044Z
Password/Value: e&eqYEbu5bM~8iA
```

Note that the vault also holds a SqlcipherPassword entry; it is needed later to open /root/faka/.env/db.db.
✅ Answer:
e&eqYEbu5bM~8iA
An sshpass call in the session log gives the second host's IP directly:
```
root@VM-0-15-ubuntu:~/.openclaw/agents/main/sessions# grep 'docker' /root/.openclaw/agents/main/sessions/*.jsonl*
...
/root/.openclaw/agents/main/sessions/a5fc40f5-285e-4576-a29a-1d0d0429ca3c.jsonl:{"type":"message","id":"211f55ec","parentId":"ab76955e","timestamp":"2026-05-07T15:16:18.292Z","message":{"role":"assistant","content":[{"type":"thinking","thinking":"So there's a bind mount: `/path/to/postgres/data` -> `/var/lib/postgresql/data`. The data is persisted on the host. Let me now stop and remove the container, but leave the data directory intact.","thinkingSignature":"reasoning_content"},{"type":"text","text":"数据目录挂载在 `/path/to/postgres/data`,删除容器不影响数据。"},{"type":"toolCall","id":"call_00_Uwppgm0Ft912vfiGANWB2231","name":"exec","arguments":{"command":"sshpass -p 'e&eqYEbu5bM~8iA' ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@8.217.145.152 \"docker stop postgres-server && docker rm postgres-server && echo '容器已删除,数据目录保留'\" 2>&1","timeout":15}}],"api":"openai-completions","provider":"deepseek","model":"deepseek-v4-flash","usage":{"input":177,"output":243,"cacheRead":91648,"cacheWrite":0,"totalTokens":92068,"cost":{"input":0,"output":0,"cacheRead":0,"cacheWrite":0,"total":0}},"stopReason":"toolUse","timestamp":1778166973567,"responseId":"5585f79d-d33e-4b8f-b548-efbf25f1effb"}}
/root/.openclaw/agents/main/sessions/a5fc40f5-285e-4576-a29a-1d0d0429ca3c.jsonl:{"type":"message","id":"26873a63","parentId":"98cd242a","timestamp":"2026-05-07T15:16:22.023Z","message":{"role":"assistant","content":[{"type":"toolCall","id":"call_00_ET_rfMQf1CuwbICVm2F05Ta8246","name":"exec","arguments":{"command":"sshpass -p 'e&eqYEbu5bM~8iA' ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@8.217.145.152 \"docker ps -a --format 'table {{.ID}}\\t{{.Names}}\\t{{.Status}}'\" 2>&1","timeout":15}}],"api":"openai-completions","provider":"deepseek","model":"deepseek-v4-flash","usage":{"input":173,"output":133,"cacheRead":91904,"cacheWrite":0,"totalTokens":92210,"cost":{"input":0,"output":0,"cacheRead":0,"cacheWrite":0,"total":0}},"stopReason":"toolUse","timestamp":1778166978789,"responseId":"f7926104-d904-4c3c-ae01-3744bc77b23d"}}
```
✅ Answer:
8.217.145.152
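The writeup pulls evidence out of the session jsonl with grep, both for the master password and for the sshpass calls above. The script below is an added example, not code from the writeup or from the openclaw project: it walks session lines structurally instead, loads each line as JSON, keeps only `exec` tool calls, and records timestamp, call id, command and any credential the command carried (sshpass -p, gpg --passphrase, PASSWORD_MANAGER_MASTER_PASSWORD), so the result is a redacted command timeline that can go straight into a report. The sample lines are constructed to mirror the field layout visible in the page's own output (type, message.content, toolCall, arguments.command); the host 203.0.113.10, the ids and every secret are placeholders.

```python
import json
import re

# Constructed sample session lines in the openclaw jsonl layout shown in the writeup.
# Host, ids and credentials are placeholders, not values from the case.
SAMPLE_JSONL = [
    json.dumps({
        "type": "message", "id": "00000001", "timestamp": "2026-05-07T15:16:18.292Z",
        "message": {"role": "assistant", "content": [
            {"type": "thinking", "thinking": "stop the container but keep the bind mount"},
            {"type": "toolCall", "id": "call_01", "name": "exec", "arguments": {
                "command": "sshpass -p 'PLACEHOLDER_SSH_PW' ssh -o StrictHostKeyChecking=no "
                           "root@203.0.113.10 \"docker stop postgres-server\" 2>&1",
                "timeout": 15}},
        ]},
    }),
    json.dumps({
        "type": "message", "id": "00000002", "timestamp": "2026-05-07T15:20:01.000Z",
        "message": {"role": "assistant", "content": [
            {"type": "toolCall", "id": "call_02", "name": "exec", "arguments": {
                "command": "gpg --batch --passphrase 'PLACEHOLDER_GPG_PP' --symmetric "
                           "-o /data/bakup/fkdb.sql.gpg /data/bakup/fkdb.sql"}},
        ]},
    }),
    json.dumps({
        "type": "message", "id": "00000003", "timestamp": "2026-05-07T15:21:00.000Z",
        "message": {"role": "assistant", "content": [
            {"type": "toolCall", "id": "call_03", "name": "exec", "arguments": {
                "command": "PASSWORD_MANAGER_MASTER_PASSWORD='PLACEHOLDER_MASTER' password-manager list"}},
        ]},
    }),
    # a user turn without tool calls, and a truncated line: both must be tolerated
    json.dumps({"type": "message", "id": "00000004",
                "message": {"role": "user", "content": [{"type": "text", "text": "ok"}]}}),
    '{"type":"message","id":"00000005","message":{"role":"assistant","content":[{"type":"toolCall"',
]

# Where credentials typically surface inside commands run through the exec tool.
SECRET_PATTERNS = {
    "sshpass": re.compile(r"sshpass\s+-p\s+'([^']*)'"),
    "gpg_passphrase": re.compile(r"--passphrase\s+'([^']*)'"),
    "master_password": re.compile(r"PASSWORD_MANAGER_MASTER_PASSWORD='([^']*)'"),
}


def extract_exec_calls(lines):
    """Return one record per exec tool call, in file order, with any credentials it carried."""
    records = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            msg = json.loads(raw)
        except json.JSONDecodeError:
            continue  # truncated or corrupted line: skip it, keep the rest of the timeline
        if msg.get("type") != "message":
            continue
        for part in msg.get("message", {}).get("content", []):
            if part.get("type") != "toolCall" or part.get("name") != "exec":
                continue
            command = part.get("arguments", {}).get("command", "")
            secrets = {}
            for label, pattern in SECRET_PATTERNS.items():
                m = pattern.search(command)
                if m:
                    secrets[label] = m.group(1)
            records.append({"timestamp": msg.get("timestamp"), "call_id": part.get("id"),
                            "command": command, "secrets": secrets})
    return records


def redact(record):
    """Copy of a record with credential values masked and only the credential kinds kept."""
    command = record["command"]
    for value in record["secrets"].values():
        command = command.replace(value, "<redacted>")
    return {**record, "command": command, "secrets": sorted(record["secrets"])}


if __name__ == "__main__":
    for rec in extract_exec_calls(SAMPLE_JSONL):
        safe = redact(rec)
        print(safe["timestamp"], safe["call_id"], safe["secrets"], safe["command"])
```

Run over `/root/.openclaw/agents/main/sessions/*.jsonl*` the same function gives the full ordered list of commands the agent executed, which is what makes the jsonl the key evidence even after shell history and .env are gone.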
`grep -h 'gpg --symmetric' /root/.openclaw/agents/main/sessions/*.jsonl*` yields the passphrase (the same as the Phase 3 master password: Honglian@Fic2026Password); decrypt:

```
root@VM-0-15-ubuntu:/data/bakup# gpg --batch \
    --passphrase 'Honglian@Fic2026Password' \
    -o /data/bakup/fkdb_20260507.sql \
    -d /data/bakup/fkdb_20260507.sql.gpg
gpg: AES256.CFB encrypted data
gpg: encrypted with 1 passphrase
```

Restore the dump into a fresh Postgres 16 container:

```
docker run -d --name zaoqiwang \
    -e POSTGRES_USER=fk -e POSTGRES_PASSWORD=fk123456 -e POSTGRES_DB=fkdb \
    -p 5432:5432 \
    postgres:16
```


Total amount of COMPLETED orders = 30+30+20+10+10+30.
✅ Answer: 130 (yuan)
Filter the COPY segment of the same Order table for COMPLETED:

✅ Answer: 6
Join the Card table with the Product table:
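The two answers above are read off the Order table's COPY segment in the decrypted dump. As an added example that is not part of the writeup, the parser below handles pg_dump `COPY ... FROM stdin;` blocks in general (tab-separated fields, `\N` for NULL, backslash escapes, `\.` terminator), returns every table as a list of row dicts, and then computes the COMPLETED count and total. The dump fragment is constructed: the column names of the Order table are assumed, and the six COMPLETED amounts reproduce the sum given on the page.

```python
import re
from decimal import Decimal


def _copy_row(*fields):
    """Join fields the way pg_dump writes a COPY data line (tab separated)."""
    return "\t".join(fields)


# Constructed pg_dump fragment; the Order column layout is an assumption.
SAMPLE_DUMP = "\n".join([
    "--",
    "-- Data for Name: Order; Type: TABLE DATA; Schema: public; Owner: fk",
    "--",
    "",
    'COPY public."Order" (id, "orderNo", amount, status, "contactInfo", email) FROM stdin;',
    _copy_row("1", "ORD0001", "30.00", "COMPLETED", "telegram:1000000001", "a@example.com"),
    _copy_row("2", "ORD0002", "30.00", "COMPLETED", "telegram:1000000002", "\\N"),
    _copy_row("3", "ORD0003", "20.00", "COMPLETED", "telegram:1000000003", "c@example.com"),
    _copy_row("4", "ORD0004", "50.00", "PENDING", "telegram:1000000004", "d@example.com"),
    _copy_row("5", "ORD0005", "10.00", "COMPLETED", "telegram:1000000005", "e@example.com"),
    _copy_row("6", "ORD0006", "10.00", "COMPLETED", "telegram:1000000006", "f@example.com"),
    _copy_row("7", "ORD0007", "30.00", "COMPLETED", "telegram:1000000007", "g@example.com"),
    _copy_row("8", "ORD0008", "99.00", "CANCELLED", "telegram:1000000008", "tab\\tinside"),
    "\\.",
    "",
    'COPY public."SiteConfig" (key, value) FROM stdin;',
    _copy_row("announcement", "hello"),
    "\\.",
])

COPY_HEADER = re.compile(r'^COPY\s+(\S+)\s+\((.*)\)\s+FROM\s+stdin;\s*$')
ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "b": "\b", "f": "\f", "v": "\v", "\\": "\\"}


def decode_field(field):
    """Undo COPY text-format escaping; '\\N' is SQL NULL."""
    if field == "\\N":
        return None
    return re.sub(r"\\(.)", lambda m: ESCAPES.get(m.group(1), m.group(1)), field)


def parse_copy_blocks(dump_text):
    """Return {table: [row dict, ...]} for every COPY ... FROM stdin block in the dump."""
    tables = {}
    lines = dump_text.splitlines()
    i = 0
    while i < len(lines):
        header = COPY_HEADER.match(lines[i])
        if not header:
            i += 1
            continue
        table = header.group(1)
        columns = [c.strip().strip('"') for c in header.group(2).split(",")]
        rows = []
        i += 1
        while i < len(lines) and lines[i] != "\\.":
            fields = lines[i].split("\t")
            if len(fields) != len(columns):
                raise ValueError(f"{table}: row {len(rows) + 1} has {len(fields)} fields, "
                                 f"expected {len(columns)}")
            rows.append(dict(zip(columns, (decode_field(f) for f in fields))))
            i += 1
        tables[table] = rows
        i += 1  # skip the '\.' terminator
    return tables


def completed_orders(tables, table='public."Order"'):
    """(count, total amount) of rows whose status is COMPLETED."""
    done = [r for r in tables[table] if r["status"] == "COMPLETED"]
    return len(done), sum(Decimal(r["amount"]) for r in done)


if __name__ == "__main__":
    count, total = completed_orders(parse_copy_blocks(SAMPLE_DUMP))
    print(f"COMPLETED orders: {count}, total: {total}")
```

Decimal rather than float keeps currency sums exact, and the field-count check catches a truncated dump line instead of silently shifting values into the wrong column.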


✅ Answer: 100 (points)
SiteConfig.announcement:

✅ Answer:
qeqe
⚠️ An easy trap: in the Order table of the Planet Mall main database, order 8FKXMF1OXOL3ZZ0H's contactInfo stores only the TG ID telegram:8352561756, and its email field is davi@gmail.com:

Lazily searching for the mailbox prefix would give "davi", but that is the mailbox prefix, not the real TG nickname:

The proper route: on Host B, the tg_faka bot's own local database sits in /root/faka/.env/ (a directory disguised as .env!) as an encrypted SQLite file:

```
root@VM-0-15-ubuntu:~# ls /root/faka/.env/
config.json  db.db  .secret
root@VM-0-15-ubuntu:~# file /root/faka/.env/db.db
/root/faka/.env/db.db: data   # actually a SQLCipher-encrypted SQLite database
```

The password comes from the SqlcipherPassword entry in the Phase 3 vault:

```
root@VM-0-15-ubuntu:~# PASSWORD_MANAGER_MASTER_PASSWORD='Honglian@Fic2026Password' password-manager get --name "SqlcipherPassword" --show-password
🔒 Cache missing, attempting to rebuild from environment variable...
✅ Cache rebuilt successfully
📋 SqlcipherPassword
Type: password
Username: -
Tags: -
Created: 2026-05-07T03:21:54.128Z
Updated: 2026-05-07T03:21:54.128Z
Password/Value: honglian_2026fic
```

Copy db.db back to a local machine and open it with

| Field | Value |
|---|---|
| TG ID | 8352561756 |
| TG username | @zhituma |
| TG nickname | Kane Davis |
| Email | |
✅ Answer:
Kane Davis (double-checked: order.buyer_nickname agrees with dialog_log.nickname)
/root/captcha-bot/config/config.toml:

✅ Answer:
8514062821:AAHzdIL52vtuR9Y3ItBqtfAZdMwZ-YjPzms
The advertise table in /root/captcha-bot/db/geecaptcha.db:

✅ Answer:
http://www.baiguo.com/
user_captcha_record.telegram_chat_name:

✅ Answer:
星球商店交流
captcha_status = 1 means "passed verification":

✅ Answer:
3045
Row count of the advertise table:

✅ Answer:
3
```sql
SELECT captcha_success_time FROM user_captcha_record
WHERE telegram_user_first_name = 'milo' AND telegram_user_id = 6213151597;
```

✅ Answer:
2026-05-06 17:30:56
In the group-management DB, milo|6213151597 passed verification; in the order table, contactInfo='telegram:6213151597' matches order 15, whose buyer email 1143617983@qq.com is the QQ mailbox bound to Alipay:

✅ Answer:
1143617983@qq.com
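The captcha-bot questions above are all answered with SQL against geecaptcha.db, and the last one correlates a verified Telegram user with a shop order through contactInfo. The block below is an added example, not part of the writeup: it runs the same queries with Python's sqlite3 against an in-memory database seeded with constructed rows. milo's record reproduces the values on the page; the other users, the `shop_order` table standing in for the shop's Order table, and its column layout are assumptions.

```python
import sqlite3

# Constructed rows. milo's record reproduces the page's values; everything else is made up.
CAPTCHA_ROWS = [
    # telegram_user_id, telegram_user_first_name, telegram_chat_name, captcha_status, captcha_success_time
    (6213151597, "milo", "星球商店交流", 1, "2026-05-06 17:30:56"),
    (7000000001, "alice", "星球商店交流", 0, None),                   # never passed
    (7000000002, "bob", "星球商店交流", 1, "2026-05-07 09:15:00"),
    (7000000003, "carol", "星球商店交流", 1, "2026-05-07 10:02:41"),
]
ORDER_ROWS = [
    # id, contactInfo, email, status  (assumed layout for the shop's Order table)
    (15, "telegram:6213151597", "1143617983@qq.com", "COMPLETED"),
    (16, "telegram:7000000002", "bob@example.com", "COMPLETED"),
    (17, "telegram:7000000001", "alice@example.com", "PENDING"),
    (18, "email:carol@example.com", None, "COMPLETED"),               # no telegram contact
]


def build_sample_db():
    """In-memory stand-in for geecaptcha.db plus the shop's order table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE user_captcha_record (
            telegram_user_id INTEGER, telegram_user_first_name TEXT,
            telegram_chat_name TEXT, captcha_status INTEGER, captcha_success_time TEXT);
        CREATE TABLE shop_order (id INTEGER, contactInfo TEXT, email TEXT, status TEXT);
    """)
    conn.executemany("INSERT INTO user_captcha_record VALUES (?,?,?,?,?)", CAPTCHA_ROWS)
    conn.executemany("INSERT INTO shop_order VALUES (?,?,?,?)", ORDER_ROWS)
    conn.commit()
    return conn


def count_passed(conn):
    """Members with captcha_status = 1 ('passed verification')."""
    return conn.execute(
        "SELECT COUNT(*) FROM user_captcha_record WHERE captcha_status = 1").fetchone()[0]


def success_time(conn, first_name, user_id):
    """captcha_success_time for one member, or None if there is no such row."""
    row = conn.execute(
        "SELECT captcha_success_time FROM user_captcha_record "
        "WHERE telegram_user_first_name = ? AND telegram_user_id = ?",
        (first_name, user_id)).fetchone()
    return row[0] if row else None


def verified_buyers(conn):
    """(first_name, telegram_user_id, order id, email) for verified members who placed an order.

    The join key is the shop's contactInfo convention 'telegram:<id>'; || converts the
    integer id to text in SQLite."""
    return conn.execute("""
        SELECT r.telegram_user_first_name, r.telegram_user_id, o.id, o.email
        FROM user_captcha_record r
        JOIN shop_order o ON o.contactInfo = 'telegram:' || r.telegram_user_id
        WHERE r.captcha_status = 1
        ORDER BY o.id
    """).fetchall()


if __name__ == "__main__":
    conn = build_sample_db()
    print("passed:", count_passed(conn))
    print("milo:", success_time(conn, "milo", 6213151597))
    for row in verified_buyers(conn):
        print(row)
```

Parameterised queries are used for the per-user lookup so that names copied out of evidence (which may contain quotes) never alter the SQL.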