<?xml version="1.0" encoding="utf-8"?>
<search>
<entry>
<title>edusrc vulnerability hunting: payment logic vulnerabilities</title>
<link href="/2026/01/27/edusrc%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98%E4%B9%8B%E6%94%AF%E4%BB%98%E9%80%BB%E8%BE%91%E6%BC%8F%E6%B4%9E/"/>
<url>/2026/01/27/edusrc%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98%E4%B9%8B%E6%94%AF%E4%BB%98%E9%80%BB%E8%BE%91%E6%BC%8F%E6%B4%9E/</url>
<content type="html"><![CDATA[<p><strong>Note:</strong> The content of this article is for learning and exchange only and must not be used for commercial or illegal purposes. Anything involving network security must not be tested without authorization; the consequences of any misuse are borne by the user and have nothing to do with the author.</p>]]></content>
<categories>
<category> baseTest </category>
</categories>
<tags>
<tag> EDUSRC </tag>
</tags>
</entry>
<entry>
<title>Xuanji incident response range: SSH log analysis</title>
<link href="/2025/08/05/%E7%8E%84%E6%9C%BA%E5%BA%94%E6%80%A5%E5%93%8D%E5%BA%94/"/>
<url>/2025/08/05/%E7%8E%84%E6%9C%BA%E5%BA%94%E6%80%A5%E5%93%8D%E5%BA%94/</url>
<content type="html"><![CDATA[<h1><span id="ssh日志分析">SSH log analysis</span></h1>
<h2><span id="1-可以登录-ssh-的账号数量是多少">1. How many accounts are allowed to log in via SSH?</span></h2>
<p>First check the sshd configuration:</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#cat /etc/ssh/sshd_config</span></span><br><span class="line">AllowGroups SSHD_USER root</span><br><span class="line">Match Group SSHD_USER</span><br></pre></td></tr></table></figure>
<p>Logins are allowed for users in the SSHD_USER group.</p>
<p>Check the group membership:</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#cat /etc/group</span></span><br><span class="line">SSHD_USER:x:<span class="number">1001</span>:toor,root</span><br></pre></td></tr></table></figure>
<p>flag{2}</p>
<h2><span id="2-ssh日志中登录成功的日志条数是多少去除自己登陆产生的两次">2. How many successful-login entries are in the SSH log (excluding the two produced by your own login)?</span></h2>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">root@ip-<span class="number">10</span>-<span class="number">0</span>-<span class="number">10</span>-<span class="number">1</span>:/var/log<span class="comment"># ls</span></span><br><span class="line">alternatives.log auth.log<span class="number">.1</span> cloud-init.log debug dpkg.log<span class="number">.2</span>.gz kern.log<span class="number">.1</span> messages<span class="number">.2</span>.gz syslog<span class="number">.3</span>.gz wtmp</span><br><span class="line">alternatives.log<span class="number">.1</span> auth.log<span class="number">.2</span>.gz </span><br></pre></td></tr></table></figure>
<p>Both auth.log.1 and auth.log.2.gz are present.</p>
<p>First decompress auth.log.2.gz.</p>
<p>Then count the matches with grep:</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">root@ip-<span class="number">10</span>-<span class="number">0</span>-<span class="number">10</span>-<span class="number">6</span>:/var/log<span class="comment"># grep -o -i "Accepted pass" auth.log.1 auth.log.2 | wc -l</span></span><br><span class="line"><span class="number">100</span></span><br><span class="line">root@ip-<span class="number">10</span>-<span class="number">0</span>-<span class="number">10</span>-<span class="number">6</span>:/var/log<span class="comment"># grep -o -i "Accepted" auth.log.1 auth.log.2 | wc -l</span></span><br><span class="line"><span class="number">110</span></span><br></pre></td></tr></table></figure>
<p>Neither of these counts was accepted as the answer.</p>
<p>Take a different approach: filter the successful logins and count them per source IP.</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">root@ip-<span class="number">10</span>-<span class="number">0</span>-<span class="number">10</span>-<span class="number">6</span>:/var/log<span class="comment"># grep 'Accepted' /var/log/auth.log.1 auth.log.2 | grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' | sort | uniq -c</span></span><br><span class="line"> <span class="number">2</span> <span class="number">111.39</span><span class="number">.249</span><span class="number">.77</span></span><br><span class="line"> <span class="number">66</span> <span class="number">192.168</span><span class="number">.11</span><span class="number">.1</span></span><br><span class="line"> <span class="number">28</span> <span class="number">192.168</span><span class="number">.70</span><span class="number">.1</span></span><br><span class="line"> <span class="number">7</span> <span class="number">60.174</span><span class="number">.207</span><span class="number">.118</span></span><br></pre></td></tr></table></figure>
<p>flag{103}</p>
<h2><span id="3-ssh日志中登录成功次数最多的用户的用户名是什么">3. Which user name has the most successful SSH logins?</span></h2>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">root@ip-<span class="number">10</span>-<span class="number">0</span>-<span class="number">10</span>-<span class="number">6</span>:/var/log<span class="comment"># sudo grep 'Accepted' /var/log/auth.log.1 auth.log.2 | grep -oP 'Accepted password for \K\w+' | sort | uniq -c</span></span><br><span class="line">sudo: unable to resolve host ip-<span class="number">10</span>-<span class="number">0</span>-<span class="number">10</span>-<span class="number">6</span>: Name <span class="keyword">or</span> service <span class="keyword">not</span> known</span><br><span class="line"> <span class="number">21</span> root</span><br><span class="line"> <span class="number">74</span> toor</span><br><span class="line"> <span class="number">5</span> ubuntu</span><br></pre></td></tr></table></figure>
<p>flag{toor}</p>
<h2><span id="4-ssh日志中登录失败次数最多的用户以及登录使用的ip是什么flagflag用户名ip">4. Which user has the most failed SSH logins, and from which IP? (flag format: flag{username,ip})</span></h2>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line">root@ip-<span class="number">10</span>-<span class="number">0</span>-<span class="number">10</span>-<span class="number">6</span>:/var/log<span class="comment"># grep 'Failed password' /var/log/auth.log.1 auth.log.2 | grep -oP 'Failed password for \K\w+' | sort | uniq -c</span></span><br><span class="line"> <span class="number">10</span> backup</span><br><span class="line"> <span class="number">10</span> <span class="built_in">bin</span></span><br><span class="line"> <span class="number">15</span> daemon</span><br><span class="line"> <span class="number">2</span> games</span><br><span class="line"> <span class="number">2</span> gnats</span><br><span class="line"> <span class="number">12167</span> invalid</span><br><span class="line"> <span class="number">2</span> irc</span><br><span class="line"> <span class="number">1</span> mail</span><br><span class="line"> <span class="number">17</span> mongodb</span><br><span class="line"> <span class="number">11</span> nobody</span><br><span class="line"> <span class="number">4</span> proxy</span><br><span class="line"> <span class="number">6</span> rabbitmq</span><br><span class="line"> <span class="number">58189</span> root</span><br><span class="line"> <span class="number">10</span> sshd</span><br><span class="line"> <span class="number">6</span> sync</span><br><span class="line"> <span class="number">5</span> sys</span><br><span class="line"> <span class="number">1</span> toor</span><br><span class="line"> <span class="number">11</span> uucp</span><br><span class="line"> <span class="number">50</span> www</span><br><span class="line">root@ip-<span class="number">10</span>-<span class="number">0</span>-<span class="number">10</span>-<span class="number">6</span>:/var/log<span class="comment"># grep 'root' /var/log/auth.log.1 auth.log.2 | grep -oP 'from \K([0-9]{1,3}\.){3}[0-9]{1,3}' | sort | uniq -c</span></span><br><span class="line"> <span class="number">3379</span> <span class="number">87.163</span><span class="number">.106</span><span class="number">.41</span></span><br><span class="line"> <span class="number">18181</span> <span class="number">87.163</span><span class="number">.111</span><span class="number">.11</span></span><br><span class="line"> <span class="number">22</span> <span class="number">88.142</span><span class="number">.46</span><span class="number">.185</span></span><br><span class="line"> <span class="number">14</span> <span class="number">89.252</span><span class="number">.140</span><span class="number">.204</span></span><br></pre></td></tr></table></figure>
<p>Note that the 12167 "invalid" entries are not a real account: they come from "Failed password for invalid user ..." lines, where the regex captures the word "invalid" rather than the attempted user name.</p>
<p>flag{root,87.163.111.11}</p>]]></content>
<categories>
<category> writeup </category>
</categories>
<tags>
<tag> incident response </tag>
<tag> SSH log analysis </tag>
</tags>
</entry>
</search>