index.html

<!DOCTYPE html>
<html lang="zh-CN" data-default-color-scheme=auto>



<head>
  <meta charset="UTF-8">
  <link rel="apple-touch-icon" sizes="76x76" href="/img/favicon.png">
  <link rel="icon" href="/img/favicon.png">
  <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=5.0, shrink-to-fit=no">
  <meta http-equiv="x-ua-compatible" content="ie=edge">
  
  <meta name="theme-color" content="#2f4154">
  <meta name="description" content="">
  <meta name="author" content="yougar">
  <meta name="keywords" content="">
  <meta property="og:type" content="website">
<meta property="og:title" content="go hacking">
<meta property="og:url" content="http://yougar0.github.io/index.html">
<meta property="og:site_name" content="go hacking">
<meta property="og:locale" content="zh_CN">
<meta property="article:author" content="yougar">
<meta name="twitter:card" content="summary_large_image">
  
  <title>go hacking</title>

  <link  rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@4/dist/css/bootstrap.min.css" />



<!-- 主题依赖的图标库，不要自行修改 -->

<link rel="stylesheet" href="//at.alicdn.com/t/font_1749284_ba1fz6golrf.css">



<link rel="stylesheet" href="//at.alicdn.com/t/font_1736178_kmeydafke9r.css">


<link  rel="stylesheet" href="/css/main.css" />

<!-- 自定义样式保持在最底部 -->


  <script id="fluid-configs">
    var Fluid = window.Fluid || {};
    var CONFIG = {"hostname":"yougar0.github.io","root":"/","version":"1.8.12","typing":{"enable":true,"typeSpeed":70,"cursorChar":"_","loop":false},"anchorjs":{"enable":true,"element":"h1,h2,h3,h4,h5,h6","placement":"right","visible":"hover","icon":""},"progressbar":{"enable":true,"height_px":3,"color":"#29d","options":{"showSpinner":false,"trickleSpeed":100}},"copy_btn":true,"image_zoom":{"enable":true,"img_url_replace":["",""]},"toc":{"enable":true,"headingSelector":"h1,h2,h3,h4,h5,h6","collapseDepth":0},"lazyload":{"enable":true,"loading_img":"/img/loading.gif","onlypost":false,"offset_factor":2},"web_analytics":{"enable":false,"baidu":null,"google":null,"gtag":null,"tencent":{"sid":null,"cid":null},"woyaola":null,"cnzz":null,"leancloud":{"app_id":null,"app_key":null,"server_url":null,"path":"window.location.pathname"}},"search_path":"/local-search.xml"};
  </script>
  <script  src="/js/utils.js" ></script>
  <script  src="/js/color-schema.js" ></script>
<meta name="generator" content="Hexo 5.4.0"></head>


<body>
  <header style="height: 100vh;">
    <nav id="navbar" class="navbar fixed-top  navbar-expand-lg navbar-dark scrolling-navbar">
  <div class="container">
    <a class="navbar-brand" href="/">
      <strong>Go Hacking</strong>
    </a>

    <button id="navbar-toggler-btn" class="navbar-toggler" type="button" data-toggle="collapse"
            data-target="#navbarSupportedContent"
            aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation">
      <div class="animated-icon"><span></span><span></span><span></span></div>
    </button>

    <!-- Collapsible content -->
    <div class="collapse navbar-collapse" id="navbarSupportedContent">
      <ul class="navbar-nav ml-auto text-center">
        
          
          
          
          
            <li class="nav-item">
              <a class="nav-link" href="/">
                <i class="iconfont icon-home-fill"></i>
                首页
              </a>
            </li>
          
        
          
          
          
          
            <li class="nav-item">
              <a class="nav-link" href="/archives/">
                <i class="iconfont icon-archive-fill"></i>
                归档
              </a>
            </li>
          
        
          
          
          
          
            <li class="nav-item">
              <a class="nav-link" href="/tags/">
                <i class="iconfont icon-tags-fill"></i>
                标签
              </a>
            </li>
          
        
        
          <li class="nav-item" id="search-btn">
            <a class="nav-link" target="_self" href="javascript:;" data-toggle="modal" data-target="#modalSearch" aria-label="Search">
              &nbsp;<i class="iconfont icon-search"></i>&nbsp;
            </a>
          </li>
        
        
          <li class="nav-item" id="color-toggle-btn">
            <a class="nav-link" target="_self" href="javascript:;" aria-label="Color Toggle">&nbsp;<i
                class="iconfont icon-dark" id="color-toggle-icon"></i>&nbsp;</a>
          </li>
        
      </ul>
    </div>
  </div>
</nav>

    <div class="banner" id="banner" parallax=true
         style="background: url('/img/default.png') no-repeat center center;
           background-size: cover;">
      <div class="full-bg-img">
        <div class="mask flex-center" style="background-color: rgba(0, 0, 0, 0.3)">
          <div class="page-header text-center fade-in-up">
            <span class="h2" id="subtitle" title="On hacking way...">
              
            </span>

            
          </div>

          
            <div class="scroll-down-bar">
              <i class="iconfont icon-arrowdown"></i>
            </div>
          
        </div>
      </div>
    </div>
  </header>

  <main>
    
      <div class="container nopadding-x-md">
        <div class="py-5" id="board"
          style=margin-top:0>
          
          <div class="container">
            <div class="row">
              <div class="col-12 col-md-10 m-auto">
                


  <div class="row mx-auto index-card">
    
    
    <article class="col-12 col-md-12 mx-auto index-info">
      <h1 class="index-header">
        
        <a href="/2022/05/29/2022%E6%9F%90%E7%BA%BF%E4%B8%8A%E8%B5%9B%E6%AF%94%E8%B5%9B%E5%A4%8D%E7%9B%98/" target="_self">
          2022某线上赛比赛复盘
        </a>
      </h1>

      <p class="index-excerpt">
        <a href="/2022/05/29/2022%E6%9F%90%E7%BA%BF%E4%B8%8A%E8%B5%9B%E6%AF%94%E8%B5%9B%E5%A4%8D%E7%9B%98/" target="_self">
          
          
            
          
          re要求掌握的基础知识技能: IDA使用、程序编译框架识别、go语言开发、go编译后程序的特点、aes加解密用到的工具：ida 7.6 sp1及以上、file命令
首先打开压缩包解压，查看下程序是什么语言、架构的程序。使用file命令可以查看程序的目标系统名称、文件格式以及部分编译语言信息，从这里可以看出来程序是x64 linux系统上的ELF格式的文件，采用go语言编译，没有调试符号。IDA 7
        </a>
      </p>

      <div class="index-btm post-metas">
        
          <div class="post-meta mr-3">
            <i class="iconfont icon-date"></i>
            <time datetime="2022-05-29 19:30" pubdate>
              2022-05-29
            </time>
          </div>
        
        
        
      </div>
    </article>
  </div>

  <div class="row mx-auto index-card">
    
    
    <article class="col-12 col-md-12 mx-auto index-info">
      <h1 class="index-header">
        
        <a href="/2021/12/30/JSP%E5%85%8D%E6%9D%80%E7%BB%95%E8%BF%87%E6%B5%8B%E8%AF%95%E8%AE%B0%E5%BD%95/" target="_self">
          JSP免杀绕过测试记录
        </a>
      </h1>

      <p class="index-excerpt">
        <a href="/2021/12/30/JSP%E5%85%8D%E6%9D%80%E7%BB%95%E8%BF%87%E6%B5%8B%E8%AF%95%E8%AE%B0%E5%BD%95/" target="_self">
          
          
            
          
          测试环境
windows server 2008
杀软：360、火绒、某藤
jsp运行环境：java11、tomcat 10
payload编译环境：java8

过程记录首先将冰蝎默认的木马经过一定的完善，360扫描没有提示jsp后门，火绒扫描提示存在后门。备注：这里笔者强烈怀疑360杀毒检测到在虚拟机中运行就不正常干活了，故意迷惑病毒后门测试人员。

当前jsp shell代码：
123456
        </a>
      </p>

      <div class="index-btm post-metas">
        
          <div class="post-meta mr-3">
            <i class="iconfont icon-date"></i>
            <time datetime="2021-12-30 19:45" pubdate>
              2021-12-30
            </time>
          </div>
        
        
        
          <div class="post-meta">
            <i class="iconfont icon-tags"></i>
            
              <a href="/tags/%E5%85%8D%E6%9D%80/">免杀</a>
            
              <a href="/tags/Webshell/">Webshell</a>
            
          </div>
        
      </div>
    </article>
  </div>

  <div class="row mx-auto index-card">
    
    
    <article class="col-12 col-md-12 mx-auto index-info">
      <h1 class="index-header">
        
        <a href="/2021/12/22/IOS%E7%AB%AF%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E4%BB%8E0%E5%88%B01/" target="_self">
          IOS端渗透测试从0到1
        </a>
      </h1>

      <p class="index-excerpt">
        <a href="/2021/12/22/IOS%E7%AB%AF%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E4%BB%8E0%E5%88%B01/" target="_self">
          
          
            
          
          这篇文章记录下此次APP渗透测试过程，包括从0搭建渗透测试环境，程序hook检测绕过，绕过原理。
渗透测试环境搭建越狱工具环境
IPhone 7，固件版本为12.4.1

爱思助手7.0官方最新版本


操作步骤在进行越狱前，请先确保设备上的重要数据已经备份，比如通讯录等，因为越狱过程无法保证不出现问题，而一旦出现意外设备上的重要数据可能会丢失。
首先连接手机到PC电脑，在手机上弹出的允许设备访问
        </a>
      </p>

      <div class="index-btm post-metas">
        
          <div class="post-meta mr-3">
            <i class="iconfont icon-date"></i>
            <time datetime="2021-12-22 17:43" pubdate>
              2021-12-22
            </time>
          </div>
        
        
        
          <div class="post-meta">
            <i class="iconfont icon-tags"></i>
            
              <a href="/tags/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95/">渗透测试</a>
            
              <a href="/tags/%E9%80%86%E5%90%91/">逆向</a>
            
              <a href="/tags/IOS%E5%AE%89%E5%85%A8/">IOS安全</a>
            
          </div>
        
      </div>
    </article>
  </div>

  <div class="row mx-auto index-card">
    
    
    <article class="col-12 col-md-12 mx-auto index-info">
      <h1 class="index-header">
        
        <a href="/2021/12/03/Hell-s-Gate%E6%8A%80%E6%9C%AF/" target="_self">
          Hell&#39;s Gate技术
        </a>
      </h1>

      <p class="index-excerpt">
        <a href="/2021/12/03/Hell-s-Gate%E6%8A%80%E6%9C%AF/" target="_self">
          
          
            
          
          EDR检测与绕过原理在创建R3进程的时候，EDR会hook用户层的相关windows API调用，从而完成对进程动态行为的监控。比如，hook VirtualAlloc，监控内存分配。hook CreateProcess，监控进程创建。可以在用户层完成hook，也可以在内核层hook。用户层hook的好处是对性能的影响较小，相对于内核层hook更稳定，不容易导致系统蓝屏，所以很多EDR会选择在用户
        </a>
      </p>

      <div class="index-btm post-metas">
        
          <div class="post-meta mr-3">
            <i class="iconfont icon-date"></i>
            <time datetime="2021-12-03 10:49" pubdate>
              2021-12-03
            </time>
          </div>
        
        
        
          <div class="post-meta">
            <i class="iconfont icon-tags"></i>
            
              <a href="/tags/anti-bypass/">anti-bypass</a>
            
          </div>
        
      </div>
    </article>
  </div>

  <div class="row mx-auto index-card">
    
    
    <article class="col-12 col-md-12 mx-auto index-info">
      <h1 class="index-header">
        
        <a href="/2021/12/02/CS%E4%BA%8C%E5%BC%80%E7%9B%B8%E5%85%B3/" target="_self">
          CS二开相关
        </a>
      </h1>

      <p class="index-excerpt">
        <a href="/2021/12/02/CS%E4%BA%8C%E5%BC%80%E7%9B%B8%E5%85%B3/" target="_self">
          
          
            
          
          计算HASH，使用windows命令行
1certutil -hashfile cobaltstrike.jar SHA256

验证HASH官方地址
1https://verify.cobaltstrike.com/

CS 4.3相关
12345678910111213141516171819202122232425262728293031323334353637383940414243444
        </a>
      </p>

      <div class="index-btm post-metas">
        
          <div class="post-meta mr-3">
            <i class="iconfont icon-date"></i>
            <time datetime="2021-12-02 16:04" pubdate>
              2021-12-02
            </time>
          </div>
        
        
        
          <div class="post-meta">
            <i class="iconfont icon-tags"></i>
            
              <a href="/tags/%E4%BA%8C%E5%BC%80/">二开</a>
            
          </div>
        
      </div>
    </article>
  </div>

  <div class="row mx-auto index-card">
    
    
    <article class="col-12 col-md-12 mx-auto index-info">
      <h1 class="index-header">
        
        <a href="/2021/12/02/CS%E9%AD%94%E6%94%B9%E4%B8%8E%E5%A2%9E%E5%BC%BA/" target="_self">
          CS魔改与增强
        </a>
      </h1>

      <p class="index-excerpt">
        <a href="/2021/12/02/CS%E9%AD%94%E6%94%B9%E4%B8%8E%E5%A2%9E%E5%BC%BA/" target="_self">
          
          
            
          
          CobaltStrike魔改与增强写这篇文档的目的在于记录CS客户端和服务器的魔改过程，因为有些点随着时间的过去会逐渐淡忘，有这么一篇详实的魔改过程记录文档，无疑对团队和个人来说都是件益事。这篇文档将记录CS4.4版本的破解使用，特征消除，功能改造增强的实现过程。
第一部分-破解使用网上已经有人公开了4.4版本的原版jar包和破解方法，见CobaltStrike 4.4原版+通用白嫖破解及汉化加载
        </a>
      </p>

      <div class="index-btm post-metas">
        
          <div class="post-meta mr-3">
            <i class="iconfont icon-date"></i>
            <time datetime="2021-12-02 15:12" pubdate>
              2021-12-02
            </time>
          </div>
        
        
        
          <div class="post-meta">
            <i class="iconfont icon-tags"></i>
            
              <a href="/tags/%E4%BA%8C%E5%BC%80/">二开</a>
            
          </div>
        
      </div>
    </article>
  </div>

  <div class="row mx-auto index-card">
    
    
    <article class="col-12 col-md-12 mx-auto index-info">
      <h1 class="index-header">
        
        <a href="/2021/11/21/%E8%A5%BF%E6%B9%96%E8%AE%BA%E5%89%91%E4%B8%A4%E9%81%93%E9%80%86%E5%90%91%E9%A2%98%E7%9B%AEWP/" target="_self">
          2021西湖论剑两道逆向题目WP
        </a>
      </h1>

      <p class="index-excerpt">
        <a href="/2021/11/21/%E8%A5%BF%E6%B9%96%E8%AE%BA%E5%89%91%E4%B8%A4%E9%81%93%E9%80%86%E5%90%91%E9%A2%98%E7%9B%AEWP/" target="_self">
          
          
            
          
          TacticalArmed函数sub_401160反调试，通过清空Dr7寄存器反调试。直接nop掉调用反调试的地方即可bypass。

接下来main函数先申请一段执行内存，然后对内存进行修改，最后添加ret指令返回。

通过调试，查看这一块执行的指令内容

经过分析，发现这一块指令执行的处理流程正是tea加密算法，其中四个密钥地址是405000到40500C，dump下来是[0x7CE45630
        </a>
      </p>

      <div class="index-btm post-metas">
        
          <div class="post-meta mr-3">
            <i class="iconfont icon-date"></i>
            <time datetime="2021-11-21 07:00" pubdate>
              2021-11-21
            </time>
          </div>
        
        
        
          <div class="post-meta">
            <i class="iconfont icon-tags"></i>
            
              <a href="/tags/CTF/">CTF</a>
            
          </div>
        
      </div>
    </article>
  </div>

  <div class="row mx-auto index-card">
    
    
    <article class="col-12 col-md-12 mx-auto index-info">
      <h1 class="index-header">
        
        <a href="/2021/11/19/IDA%E6%8F%92%E4%BB%B6JNI-Helper%E9%80%82%E9%85%8D/" target="_self">
          IDA插件JNI-Helper适配
        </a>
      </h1>

      <p class="index-excerpt">
        <a href="/2021/11/19/IDA%E6%8F%92%E4%BB%B6JNI-Helper%E9%80%82%E9%85%8D/" target="_self">
          
          
            
          
          前言今天打算把IDA搞得更智能一点，方便我这个懒人后面更快的进行分析工作。俗话说好事多磨，好工具的代码也需要多改才行。JNI_Helper这款插件，能满足我这个懒人自动修改JNI导出函数签名的目的，只是需要python2版本，并且存在代码还存在bug，另外自动化导出java native函数签名的方式也实在麻烦。为了满足我这个懒人刻薄的要求，那就只能自己动手改代码咯。项目地址:https://gi
        </a>
      </p>

      <div class="index-btm post-metas">
        
          <div class="post-meta mr-3">
            <i class="iconfont icon-date"></i>
            <time datetime="2021-11-19 21:52" pubdate>
              2021-11-19
            </time>
          </div>
        
        
        
          <div class="post-meta">
            <i class="iconfont icon-tags"></i>
            
              <a href="/tags/%E9%80%86%E5%90%91/">逆向</a>
            
          </div>
        
      </div>
    </article>
  </div>

  <div class="row mx-auto index-card">
    
    
    <article class="col-12 col-md-12 mx-auto index-info">
      <h1 class="index-header">
        
        <a href="/2021/11/15/SRC%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86%E6%80%BB%E7%BB%93/" target="_self">
          SRC信息收集总结
        </a>
      </h1>

      <p class="index-excerpt">
        <a href="/2021/11/15/SRC%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86%E6%80%BB%E7%BB%93/" target="_self">
          
          
            
          
          前言信息收集是渗透测试当中最重要的环节，在SRC漏洞挖掘过程中，挖掘的漏洞的多少很大程度上取决于信息收集是否全面。SRC信息收集一般从5个方面入手，分别是公司架构、子域名、C段、APP和小程序以及PC客户端和微信公众号、文档源码账号。
实践公司架构公司架构可以通过爱查查、企查查、天眼查这些企业关系图谱网站获得。以唯品会举例，通过爱企查等公司架构网站，查询得到唯品会的子公司、APP、公众号、微博等相
        </a>
      </p>

      <div class="index-btm post-metas">
        
          <div class="post-meta mr-3">
            <i class="iconfont icon-date"></i>
            <time datetime="2021-11-15 19:05" pubdate>
              2021-11-15
            </time>
          </div>
        
        
        
          <div class="post-meta">
            <i class="iconfont icon-tags"></i>
            
              <a href="/tags/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95/">渗透测试</a>
            
          </div>
        
      </div>
    </article>
  </div>

  <div class="row mx-auto index-card">
    
    
    <article class="col-12 col-md-12 mx-auto index-info">
      <h1 class="index-header">
        
        <a href="/2021/11/05/WebShell%E7%AE%A1%E7%90%86%E5%B7%A5%E5%85%B7%E5%86%B0%E8%9D%8E3-0%E5%88%86%E6%9E%90/" target="_self">
          WebShell管理工具冰蝎3.0分析
        </a>
      </h1>

      <p class="index-excerpt">
        <a href="/2021/11/05/WebShell%E7%AE%A1%E7%90%86%E5%B7%A5%E5%85%B7%E5%86%B0%E8%9D%8E3-0%E5%88%86%E6%9E%90/" target="_self">
          
          
            
          
          目的
远程管理功能的实现细节，做到使用工具的过程中知其所以然。
二开

环境准备
IDEA
tomcat
php
ASP
dnspy
3.0t00ls专版

源码获取通过使用IDEA自带的java反编译工具反编译冰蝎jar包获得java源码
1java -cp /home/kali/Tools/idea-IC-212.5457.46/plugins/java-decompiler/lib/java
        </a>
      </p>

      <div class="index-btm post-metas">
        
          <div class="post-meta mr-3">
            <i class="iconfont icon-date"></i>
            <time datetime="2021-11-05 16:29" pubdate>
              2021-11-05
            </time>
          </div>
        
        
        
          <div class="post-meta">
            <i class="iconfont icon-tags"></i>
            
              <a href="/tags/%E4%BA%8C%E5%BC%80/">二开</a>
            
          </div>
        
      </div>
    </article>
  </div>



  <nav aria-label="navigation">
    <span class="pagination" id="pagination">
      <span class="page-number current">1</span><a class="page-number" href="/page/2/#board">2</a><a class="extend next" rel="next" href="/page/2/#board"><i class="iconfont icon-arrowright"></i></a>
    </span>
  </nav>



              </div>
            </div>
          </div>
        </div>
      </div>
    

    
      <a id="scroll-top-button" aria-label="TOP" href="#" role="button">
        <i class="iconfont icon-arrowup" aria-hidden="true"></i>
      </a>
    

    
      <div class="modal fade" id="modalSearch" tabindex="-1" role="dialog" aria-labelledby="ModalLabel"
     aria-hidden="true">
  <div class="modal-dialog modal-dialog-scrollable modal-lg" role="document">
    <div class="modal-content">
      <div class="modal-header text-center">
        <h4 class="modal-title w-100 font-weight-bold">搜索</h4>
        <button type="button" id="local-search-close" class="close" data-dismiss="modal" aria-label="Close">
          <span aria-hidden="true">&times;</span>
        </button>
      </div>
      <div class="modal-body mx-3">
        <div class="md-form mb-5">
          <input type="text" id="local-search-input" class="form-control validate">
          <label data-error="x" data-success="v"
                 for="local-search-input">关键词</label>
        </div>
        <div class="list-group" id="local-search-result"></div>
      </div>
    </div>
  </div>
</div>
    

    
  </main>

  <footer class="text-center mt-5 py-3">
  <div class="footer-content">
     <a href="https://hexo.io" target="_blank" rel="nofollow noopener"><span>Hexo</span></a> <i class="iconfont icon-love"></i> <a href="https://github.com/fluid-dev/hexo-theme-fluid" target="_blank" rel="nofollow noopener"><span>Fluid</span></a> 
  </div>
  

  

  
</footer>


  <!-- SCRIPTS -->
  
  <script  src="https://cdn.jsdelivr.net/npm/nprogress@0/nprogress.min.js" ></script>
  <link  rel="stylesheet" href="https://cdn.jsdelivr.net/npm/nprogress@0/nprogress.min.css" />

  <script>
    NProgress.configure({"showSpinner":false,"trickleSpeed":100})
    NProgress.start()
    window.addEventListener('load', function() {
      NProgress.done();
    })
  </script>


<script  src="https://cdn.jsdelivr.net/npm/jquery@3/dist/jquery.min.js" ></script>
<script  src="https://cdn.jsdelivr.net/npm/bootstrap@4/dist/js/bootstrap.min.js" ></script>
<script  src="/js/events.js" ></script>
<script  src="/js/plugins.js" ></script>

<!-- Plugins -->


  <script  src="/js/local-search.js" ></script>



  
    <script  src="/js/img-lazyload.js" ></script>
  



  








  <script  src="https://cdn.jsdelivr.net/npm/typed.js@2/lib/typed.min.js" ></script>
  <script>
    (function (window, document) {
      var typing = Fluid.plugins.typing;
      var title = document.getElementById('subtitle').title;
      
      typing(title)
      
    })(window, document);
  </script>















<!-- 主题的启动项 保持在最底部 -->
<script  src="/js/boot.js" ></script>


</body>
</html>