Webshell_pro
Basic traffic analysis
Following the TCP streams shows that every response is base32-encoded.
All of the decoded response data, collected in order:
0:
root
1:
/bin/sh: 1: ipconfig: not found
2:
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1460
inet 172.22.161.159 netmask 255.255.240.0 broadcast 172.22.175.255
inet6 fe80::215:5dff:fe18:b845 prefixlen 64 scopeid 0x20<link>
ether 00:15:5d:18:b8:45 txqueuelen 1000 (Ethernet)
RX packets 26778 bytes 10199358 (10.1 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1240 bytes 175322 (175.3 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
3:
init
lib
lib32
lib64
libx32
lost+found
media
mnt
mysql_data
opt
proc
root
run
sbin
snap
srv
sys
tmp
usr
var
wslOHicoG
wslbmJCJF
wslgCJNfE
wslhaGDbD
4:
Compressed
Desktop
Documents
Downloads
FLAG
Music
Pictures
Public
Templates
Videos
WSL
5:
hint.py
小明的日记.txt
6: no response data
7:
cat: 小明的日记.txt: No such file or directory
8: wrapped in one extra layer of base64
FLAG is NOT HERE!!!!!!!!!!!
PASSWORD:
Password-based-encryption
9: also wrapped in one extra layer of base64
import base64
import libnum
from Crypto.PublicKey import RSA
pubkey = """-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCK/qv5P8ixWjoFI2rzF62tm6sDFnRsKsGhVSCuxQIxuehMWQLmv6TPxyTQPefIKufzfUFaca/YHkIVIC19ohmE5X738TtxGbOgiGef4bvd9sU6M42k8vMlCPJp1woDFDOFoBQpr4YzH4ZTR6Ps+HP8VEIJMG5uiLQOLxdKdxi41QIDAQAB
-----END PUBLIC KEY-----
"""
prikey = """-----BEGIN PRIVATE KEY-----
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
-----END PRIVATE KEY-----
"""
pubkey = RSA.import_key(pubkey)
prikey = RSA.import_key(prikey)
n = pubkey.n
def enc_replace(base64_str: str):
    # Swap the characters that give base64 away for fixed marker strings
    base64_str = base64_str.replace("/", "e5Lg^FM5EQYe5!yF&62%V$UG*B*RfQeM")
    base64_str = base64_str.replace("+", "n6&B8G6nE@2tt4UR6h3QBt*5&C&pVu8W")
    return base64_str.replace("=", "JXWUDuLUgwRLKD9fD6&VY2aFeE&r@Ff2")
def encrypt(plain_text):
    # "Encrypt" with the private key: raw RSA on 128-byte chunks, pow(m, d, n)
    cipher_text = b""
    for i in range(0, len(plain_text), 128):
        part = plain_text[i:i+128]
        enc = libnum.n2s(pow(libnum.s2n(part), prikey.d, n))
        cipher_text += enc
    return enc_replace(base64.b64encode(cipher_text).decode())
if __name__ == '__main__':
    m = b"-RSA-" * 30
    print(f"原始数据: {m}")
    c = encrypt(m)
    print(f"加密数据: {c}")
10: no response data
11:
flag.txt
hint.py
小明的日记.txt
12:
Good Luck! ByeBye~
The data in the ninth stream is an encryption script: RSA, then base64, with the tell-tale base64 characters (/, + and =) replaced by fixed strings.
Write the matching RSA decryption script (don't forget to URL-decode the input first):
from Crypto.PublicKey import RSA
import base64
import libnum
import urllib.parse
# Public key (the one embedded in hint.py, saved as public.pem)
pubkey = RSA.importKey(open('public.pem').read())
n = pubkey.n
def dec_replace(encoded_str: str):
    # URL-decode first, then undo the marker substitution from enc_replace
    encoded_str = urllib.parse.unquote(encoded_str)
    encoded_str = encoded_str.replace("JXWUDuLUgwRLKD9fD6&VY2aFeE&r@Ff2", "=")
    encoded_str = encoded_str.replace("n6&B8G6nE@2tt4UR6h3QBt*5&C&pVu8W", "+")
    encoded_str = encoded_str.replace("e5Lg^FM5EQYe5!yF&62%V$UG*B*RfQeM", "/")
    # Pad with "=" to a multiple of 4 in case the padding was stripped
    while len(encoded_str) % 4 != 0:
        encoded_str += "="
    return encoded_str
def decrypt(cipher_text):
    # "Decrypt" with the public key: raw RSA on 128-byte chunks, pow(c, e, n)
    cipher_text = base64.b64decode(dec_replace(cipher_text))
    plain_text = b""
    for i in range(0, len(cipher_text), 128):
        part = cipher_text[i:i+128]
        dec = libnum.n2s(pow(libnum.s2n(part), pubkey.e, n))
        plain_text += dec
    return plain_text
if __name__ == '__main__':
    c = input("请输入要解密的数据: ")
    d = decrypt(c)
    print(f"解密数据: {d}")
Looking at what follows shell= in the URL-decoded requests shows that this script encrypts the commands the user sends in. The decrypted requests, in order:
0:
whoami
1:
ipconfig
2:
ifconfig
3:
ls /
4:
ls /root
5:
ls /root/FLAG
6:
cd /root/FLAG
7:
cat \xe5\xb0\x8f\xe6\x98\x8e\xe7\x9a\x84\xe6\x97\xa5\xe8\xae\xb0.txt
(the file being read is "小明的日记.txt")
8:
cd /root/FLAG && base64 \xe5\xb0\x8f\xe6\x98\x8e\xe7\x9a\x84\xe6\x97\xa5\xe8\xae\xb0.txt
9:
cd /root/FLAG && base64 hint.py
10:
echo U2FsdGVkX1+SslS2BbHfe3c4/t/KxLaM6ZFlOdbtfMHnG8lepnhMnde40tNOYjSvoErLzy0csL7c5d4TlMntBQ== > /root/FLAG/flag.txt
11:
ls /root/FLAG
12:
echo Good Luck! ByeBye~
The most important piece is the value U2FsdGVkX1+SslS2BbHfe3c4/t/KxLaM6ZFlOdbtfMHnG8lepnhMnde40tNOYjSvoErLzy0csL7c5d4TlMntBQ== written to flag.txt. It starts with U2FsdGVkX1, the base64 encoding of Salted__, the header of OpenSSL's password-based encryption format; combined with the password from 小明的日记.txt, Password-based-encryption, AES comes to mind. Decrypting it with AES gives:
flag{d0e1183c-07c3-49ea-b048-addbe6cc1b20}
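Added example, not part of the original writeup: the Salted__ header means the value is assumed to be the CryptoJS / legacy OpenSSL container (8-byte header, 8-byte salt, then AES-256-CBC with key and IV derived by EVP_BytesToKey using MD5 and one round, PKCS#7 padding). Parsing and key derivation use only the standard library; the AES step uses pycryptodome, which the writeup's own scripts already import.

```python
import base64
import hashlib

# Taken from the writeup: the value echoed into flag.txt and the diary password
CIPHERTEXT_B64 = "U2FsdGVkX1+SslS2BbHfe3c4/t/KxLaM6ZFlOdbtfMHnG8lepnhMnde40tNOYjSvoErLzy0csL7c5d4TlMntBQ=="
PASSWORD = b"Password-based-encryption"


def parse_salted(b64: str):
    """Split an OpenSSL/CryptoJS 'Salted__' container into (salt, body)."""
    raw = base64.b64decode(b64)
    if raw[:8] != b"Salted__":
        raise ValueError("not an OpenSSL salted container")
    return raw[8:16], raw[16:]


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int = 32, iv_len: int = 16):
    """EVP_BytesToKey with MD5, one iteration: D_i = MD5(D_{i-1} || password || salt).

    Key and IV sizes default to AES-256-CBC (assumed format, see lead-in).
    """
    out, prev = b"", b""
    while len(out) < key_len + iv_len:
        prev = hashlib.md5(prev + password + salt).digest()
        out += prev
    return out[:key_len], out[key_len:key_len + iv_len]


def decrypt_salted(b64: str, password: bytes) -> bytes:
    """Derive key/IV from the password and salt, AES-CBC decrypt, strip PKCS#7."""
    from Crypto.Cipher import AES  # pycryptodome, as used by the writeup's scripts
    salt, body = parse_salted(b64)
    key, iv = evp_bytes_to_key(password, salt)
    pt = AES.new(key, AES.MODE_CBC, iv).decrypt(body)
    pad = pt[-1]
    # A bad padding byte means the password or the assumed format is wrong
    if not 1 <= pad <= 16 or pt[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS#7 padding: wrong password or format")
    return pt[:-pad]


if __name__ == "__main__":
    salt, body = parse_salted(CIPHERTEXT_B64)
    print(f"salt={salt.hex()} body={len(body)} bytes ({len(body) // 16} AES blocks)")
    print(decrypt_salted(CIPHERTEXT_B64, PASSWORD))
```

The 48-byte body is three AES blocks, which is what a 43-character flag plus PKCS#7 padding occupies.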