[Sherlocks Christmas Special] HTB OpTinselTrace-2 writeup

The five machines in the Christmas series reuse the same set of evidence files. OpTinselTrace-2 is posted first; OpTinselTrace-1 will be added within the week.

task1
What is the MD5 sum of the binary the Threat Actor found the S3 bucket location in?
(i.e. the MD5 of the binary that holds the AWS bucket address)

task2
What time did the Threat Actor begin their automated retrieval of the contents of our exposed S3 bucket?

task3
What time did the Threat Actor complete their automated retrieval of the contents of our exposed S3 bucket?

task4
Based on the Threat Actor's user agent - what scripting language did the TA likely utilise to retrieve the files?

task5
Which file did the Threat Actor locate some hard coded credentials within?

task6
Please detail all confirmed malicious IP addresses. (Ascending Order)

task7
We are extremely concerned the TA managed to compromise our private S3 bucket, which contains an important VPN file. Please confirm the name of this VPN file and the time it was retrieved by the TA.

task8
Please confirm the username of the compromised AWS account?

task9
Based on the analysis completed Santa Claus has asked for some advice. What is the ARN of the S3 Bucket that requires locking down?

task 1
MD5 of the binary that holds the AWS bucket address

The files provided for this challenge are all AWS CloudTrail logs; the binary asked about in task 1 is not among them, so this one has to be answered with the evidence from OpTinselTrace-1.
There we find the binary under /elfidence_collection/TriageData/C/users/Elfin/Appdata/Roaming/top-secret. Anyone who has reversed it will have noticed that it embeds a bucket address; strings shows it as well.
Restoring the .git repository in that directory confirms that the "binary" the question refers to is exactly this file.


task 2
What time did the Threat Actor begin their automated retrieval of the contents of our exposed S3 bucket?

Before answering this we first have to establish who the threat actor is, which also takes care of task 6:
"Please detail all confirmed malicious IP addresses. (Ascending Order)"
So we start by collecting all the malicious IPs. I exported every sourceIPAddress together with its userAgent and deduplicated the list with sort; the result is below.

└─$ cat ipa2
"109.205.185.126[Go-http-client/1.1]"
"138.199.59.46[aws-sdk-go-v2/1.17.8 os/linux lang/go/1.20.7 md/GOOS/linux md/GOARCH/amd64 api/s3/1.31.2]"
"191.101.31.26AWS Internal"
"191.101.31.26[aws-sdk-go-v2/1.17.8 os/linux lang/go/1.20.7 md/GOOS/linux md/GOARCH/amd64 api/s3/1.31.2]"
"191.101.31.26[Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0]"
"191.101.31.26resource-explorer-2.amazonaws.com"
"191.101.31.26[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]"
"191.101.31.26[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.199-167.747.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]"
"191.101.31.57[aws-cli/2.12.0 Python/3.11.5 Linux/6.1.0-kali9-amd64 source/x86_64.kali.2023 prompt/off command/s3.ls]"
"191.101.31.57[aws-cli/2.12.0 Python/3.11.5 Linux/6.1.0-kali9-amd64 source/x86_64.kali.2023 prompt/off command/s3.sync]"
"191.101.31.57[aws-sdk-go-v2/1.17.8 os/linux lang/go/1.20.7 md/GOOS/linux md/GOARCH/amd64 api/s3/1.31.2]"
"191.101.31.57cloudtrail.amazonaws.com"
"191.101.31.57dynamodb.application-autoscaling.amazonaws.com"
"191.101.31.57[python-requests/2.25.1]"
"191.101.31.57[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.199-167.747.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]"
"195.181.170.226AWS Internal"
"195.181.170.226[aws-sdk-go-v2/1.17.8 os/linux lang/go/1.20.7 md/GOOS/linux md/GOARCH/amd64 api/s3/1.31.2]"
"195.181.170.226[Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0]"
"195.181.170.226resource-explorer-2.amazonaws.com"
"195.181.170.226[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]"
"195.181.170.226[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.199-167.747.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]"
"3.236.115.9[Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36]"
"3.236.115.9[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]"
"3.236.115.9[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.199-167.747.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]"
"3.236.115.9[Slackbot 1.0 (+https://api.slack.com/robots)]"
"3.236.115.9[Slackbot-LinkExpanding 1.0 (+https://api.slack.com/robots)]"
"3.236.226.247[Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36]"
"3.236.226.247[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]"
"3.236.226.247[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.199-167.747.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]"
"3.236.226.247[Slackbot 1.0 (+https://api.slack.com/robots)]"
"3.236.226.247[Slackbot-LinkExpanding 1.0 (+https://api.slack.com/robots)]"
"45.133.193.41[aws-cli/2.12.0 Python/3.11.5 Linux/6.1.0-kali9-amd64 source/x86_64.kali.2023 prompt/off command/s3.ls]"
"45.133.193.41[aws-cli/2.12.0 Python/3.11.5 Linux/6.1.0-kali9-amd64 source/x86_64.kali.2023 prompt/off command/s3.sync]"
"45.133.193.41[aws-sdk-go-v2/1.17.8 os/linux lang/go/1.20.7 md/GOOS/linux md/GOARCH/amd64 api/s3/1.31.2]"
"45.133.193.41cloudtrail.amazonaws.com"
"45.133.193.41[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.199-167.747.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]"
"45.148.104.164[Go-http-client/1.1]"
"86.5.206.121[]"
"86.5.206.121access-analyzer.amazonaws.com"
"86.5.206.121[aws-cli/1.15.58 Python/3.5.2 Linux/6.2.0-37-generic botocore/1.10.57]"
"86.5.206.121[aws-cli/2.12.0 Python/3.11.5 Linux/6.1.0-kali9-amd64 source/x86_64.kali.2023 prompt/off command/s3.ls]"
"86.5.206.121[aws-cli/2.12.0 Python/3.11.5 Linux/6.1.0-kali9-amd64 source/x86_64.kali.2023 prompt/off command/s3.sync]"
"86.5.206.121[AWSCloudTrail, aws-internal/3 aws-sdk-java/1.12.583 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/17.0.9+9-LTS java/1.8.0_392 vendor/N/A cfg/retry-mode/standard]"
"86.5.206.121AWS Internal"
"86.5.206.121[aws-sdk-go-v2/1.17.8 os/linux lang/go/1.20.7 md/GOOS/linux md/GOARCH/amd64 api/s3/1.31.2]"
"86.5.206.121[Boto3/1.29.7 md/Botocore#1.32.7 ua/2.0 os/linux#6.2.0-37-generic md/arch#x86_64 lang/python#3.10.12 md/pyimpl#CPython cfg/retry-mode#legacy Botocore/1.32.7]"
"86.5.206.121cloudtrail.amazonaws.com"
"86.5.206.121dynamodb.application-autoscaling.amazonaws.com"
"86.5.206.121[Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36]"
"86.5.206.121Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"
"86.5.206.121[Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0]"
"86.5.206.121resource-explorer-2.amazonaws.com"
"86.5.206.121[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]"
"86.5.206.121[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.199-167.747.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]"
"86.5.206.121[Slackbot 1.0 (+https://api.slack.com/robots)]"
"86.5.206.121[Slackbot-LinkExpanding 1.0 (+https://api.slack.com/robots)]"
"access-analyzer.amazonaws.comaccess-analyzer.amazonaws.com"
"access-analyzer.amazonaws.com[AWSCloudTrail, aws-internal/3 aws-sdk-java/1.12.583 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/17.0.9+9-LTS java/1.8.0_392 vendor/N/A cfg/retry-mode/standard]"
"access-analyzer.amazonaws.comAWS Internal"
"access-analyzer.amazonaws.comcloudtrail.amazonaws.com"
"access-analyzer.amazonaws.comdynamodb.application-autoscaling.amazonaws.com"
"access-analyzer.amazonaws.comMozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"
"access-analyzer.amazonaws.comresource-explorer-2.amazonaws.com"
"access-analyzer.amazonaws.com[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]"
"cloudtrail.amazonaws.comaccess-analyzer.amazonaws.com"
"cloudtrail.amazonaws.com[aws-cli/1.15.58 Python/3.5.2 Linux/6.2.0-37-generic botocore/1.10.57]"
"cloudtrail.amazonaws.com[aws-cli/2.12.0 Python/3.11.5 Linux/6.1.0-kali9-amd64 source/x86_64.kali.2023 prompt/off command/s3.ls]"
"cloudtrail.amazonaws.com[aws-cli/2.12.0 Python/3.11.5 Linux/6.1.0-kali9-amd64 source/x86_64.kali.2023 prompt/off command/s3.sync]"
"cloudtrail.amazonaws.com[AWSCloudTrail, aws-internal/3 aws-sdk-java/1.12.583 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/17.0.9+9-LTS java/1.8.0_392 vendor/N/A cfg/retry-mode/standard]"
"cloudtrail.amazonaws.comAWS Internal"
"cloudtrail.amazonaws.com[aws-sdk-go-v2/1.17.8 os/linux lang/go/1.20.7 md/GOOS/linux md/GOARCH/amd64 api/s3/1.31.2]"
"cloudtrail.amazonaws.com[Boto3/1.29.7 md/Botocore#1.32.7 ua/2.0 os/linux#6.2.0-37-generic md/arch#x86_64 lang/python#3.10.12 md/pyimpl#CPython cfg/retry-mode#legacy Botocore/1.32.7]"
"cloudtrail.amazonaws.comcloudtrail.amazonaws.com"
"cloudtrail.amazonaws.comdynamodb.application-autoscaling.amazonaws.com"
"cloudtrail.amazonaws.comMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
"cloudtrail.amazonaws.com[Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36]"
"cloudtrail.amazonaws.comMozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"
"cloudtrail.amazonaws.comMozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
"cloudtrail.amazonaws.comresource-explorer-2.amazonaws.com"
"cloudtrail.amazonaws.com[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]"
"cloudtrail.amazonaws.com[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.199-167.747.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]"
"dynamodb.application-autoscaling.amazonaws.comaccess-analyzer.amazonaws.com"
"dynamodb.application-autoscaling.amazonaws.com[aws-cli/1.15.58 Python/3.5.2 Linux/6.2.0-37-generic botocore/1.10.57]"
"dynamodb.application-autoscaling.amazonaws.com[AWSCloudTrail, aws-internal/3 aws-sdk-java/1.12.583 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/17.0.9+9-LTS java/1.8.0_392 vendor/N/A cfg/retry-mode/standard]"
"dynamodb.application-autoscaling.amazonaws.comAWS Internal"
"dynamodb.application-autoscaling.amazonaws.com[aws-sdk-go-v2/1.17.8 os/linux lang/go/1.20.7 md/GOOS/linux md/GOARCH/amd64 api/s3/1.31.2]"
"dynamodb.application-autoscaling.amazonaws.com[Boto3/1.29.7 md/Botocore#1.32.7 ua/2.0 os/linux#6.2.0-37-generic md/arch#x86_64 lang/python#3.10.12 md/pyimpl#CPython cfg/retry-mode#legacy Botocore/1.32.7]"
"dynamodb.application-autoscaling.amazonaws.comcloudtrail.amazonaws.com"
"dynamodb.application-autoscaling.amazonaws.comdynamodb.application-autoscaling.amazonaws.com"
"dynamodb.application-autoscaling.amazonaws.comMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
"dynamodb.application-autoscaling.amazonaws.com[Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36]"
"dynamodb.application-autoscaling.amazonaws.comMozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"
"dynamodb.application-autoscaling.amazonaws.comMozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
"dynamodb.application-autoscaling.amazonaws.comresource-explorer-2.amazonaws.com"
"dynamodb.application-autoscaling.amazonaws.com[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]"
"resource-explorer-2.amazonaws.comaccess-analyzer.amazonaws.com"
"resource-explorer-2.amazonaws.comAWS Internal"
"resource-explorer-2.amazonaws.com[aws-sdk-go-v2/1.17.8 os/linux lang/go/1.20.7 md/GOOS/linux md/GOARCH/amd64 api/s3/1.31.2]"
"resource-explorer-2.amazonaws.com[Boto3/1.29.7 md/Botocore#1.32.7 ua/2.0 os/linux#6.2.0-37-generic md/arch#x86_64 lang/python#3.10.12 md/pyimpl#CPython cfg/retry-mode#legacy Botocore/1.32.7]"
"resource-explorer-2.amazonaws.comcloudtrail.amazonaws.com"
"resource-explorer-2.amazonaws.comdynamodb.application-autoscaling.amazonaws.com"
"resource-explorer-2.amazonaws.comMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
"resource-explorer-2.amazonaws.comMozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"
"resource-explorer-2.amazonaws.comMozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
"resource-explorer-2.amazonaws.comresource-explorer-2.amazonaws.com"
"resource-explorer-2.amazonaws.com[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]"
"resource-explorer-2.amazonaws.com[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.199-167.747.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]"
"X.X.X.X[AWSCloudTrail, aws-internal/3 aws-sdk-java/1.12.583 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/17.0.9+9-LTS java/1.8.0_392 vendor/N/A cfg/retry-mode/standard]"
"X.X.X.XAWS Internal"
"X.X.X.Xcloudtrail.amazonaws.com"
"X.X.X.Xdynamodb.application-autoscaling.amazonaws.com"
"X.X.X.XMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
"X.X.X.XMozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"
"X.X.X.Xresource-explorer-2.amazonaws.com"
"X.X.X.X[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]"
"X.X.X.X[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.199-167.747.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]"

Next, strip the entries that are obviously not client IPs, such as X.X.X.X, resource-explorer-2.amazonaws.com, dynamodb.application-autoscaling.amazonaws.com, cloudtrail.amazonaws.com and access-analyzer.amazonaws.com. That leaves the following:

└─$ cat ipa2 |grep -v -e 'X.X.X.X' -e 'resource-explorer-2.amazonaws.com' -e 'dynamodb.application-autoscaling.amazonaws.com' -e 'cloudtrail.amazonaws.com' -e 'access-analyzer.amazonaws.com'|jq
"109.205.185.126[Go-http-client/1.1]"
"138.199.59.46[aws-sdk-go-v2/1.17.8 os/linux lang/go/1.20.7 md/GOOS/linux md/GOARCH/amd64 api/s3/1.31.2]"
"191.101.31.26AWS Internal"
"191.101.31.26[aws-sdk-go-v2/1.17.8 os/linux lang/go/1.20.7 md/GOOS/linux md/GOARCH/amd64 api/s3/1.31.2]"
"191.101.31.26[Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0]"
"191.101.31.26[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]"                                                                        
"191.101.31.26[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.199-167.747.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]"                                                                        
"191.101.31.57[aws-cli/2.12.0 Python/3.11.5 Linux/6.1.0-kali9-amd64 source/x86_64.kali.2023 prompt/off command/s3.ls]"
"191.101.31.57[aws-cli/2.12.0 Python/3.11.5 Linux/6.1.0-kali9-amd64 source/x86_64.kali.2023 prompt/off command/s3.sync]"
"191.101.31.57[aws-sdk-go-v2/1.17.8 os/linux lang/go/1.20.7 md/GOOS/linux md/GOARCH/amd64 api/s3/1.31.2]"
"191.101.31.57[python-requests/2.25.1]"
"191.101.31.57[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.199-167.747.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]"                                                                        
"195.181.170.226AWS Internal"
"195.181.170.226[aws-sdk-go-v2/1.17.8 os/linux lang/go/1.20.7 md/GOOS/linux md/GOARCH/amd64 api/s3/1.31.2]"
"195.181.170.226[Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0]"
"195.181.170.226[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]"                                                                      
"195.181.170.226[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.199-167.747.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]"                                                                      
"3.236.115.9[Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36]"
"3.236.115.9[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]"                                                                          
"3.236.115.9[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.199-167.747.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]"                                                                          
"3.236.115.9[Slackbot 1.0 (+https://api.slack.com/robots)]"
"3.236.115.9[Slackbot-LinkExpanding 1.0 (+https://api.slack.com/robots)]"
"3.236.226.247[Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36]"
"3.236.226.247[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]"                                                                        
"3.236.226.247[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.199-167.747.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]"                                                                        
"3.236.226.247[Slackbot 1.0 (+https://api.slack.com/robots)]"
"3.236.226.247[Slackbot-LinkExpanding 1.0 (+https://api.slack.com/robots)]"
"45.133.193.41[aws-cli/2.12.0 Python/3.11.5 Linux/6.1.0-kali9-amd64 source/x86_64.kali.2023 prompt/off command/s3.ls]"
"45.133.193.41[aws-cli/2.12.0 Python/3.11.5 Linux/6.1.0-kali9-amd64 source/x86_64.kali.2023 prompt/off command/s3.sync]"
"45.133.193.41[aws-sdk-go-v2/1.17.8 os/linux lang/go/1.20.7 md/GOOS/linux md/GOARCH/amd64 api/s3/1.31.2]"
"45.133.193.41[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.199-167.747.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]"                                                                        
"45.148.104.164[Go-http-client/1.1]"
"86.5.206.121[]"
"86.5.206.121[aws-cli/1.15.58 Python/3.5.2 Linux/6.2.0-37-generic botocore/1.10.57]"
"86.5.206.121[aws-cli/2.12.0 Python/3.11.5 Linux/6.1.0-kali9-amd64 source/x86_64.kali.2023 prompt/off command/s3.ls]"
"86.5.206.121[aws-cli/2.12.0 Python/3.11.5 Linux/6.1.0-kali9-amd64 source/x86_64.kali.2023 prompt/off command/s3.sync]"
"86.5.206.121[AWSCloudTrail, aws-internal/3 aws-sdk-java/1.12.583 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/17.0.9+9-LTS java/1.8.0_392 vendor/N/A cfg/retry-mode/standard]"                                                                                      
"86.5.206.121AWS Internal"
"86.5.206.121[aws-sdk-go-v2/1.17.8 os/linux lang/go/1.20.7 md/GOOS/linux md/GOARCH/amd64 api/s3/1.31.2]"
"86.5.206.121[Boto3/1.29.7 md/Botocore#1.32.7 ua/2.0 os/linux#6.2.0-37-generic md/arch#x86_64 lang/python#3.10.12 md/pyimpl#CPython cfg/retry-mode#legacy Botocore/1.32.7]"                                                                                                             
"86.5.206.121[Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36]"
"86.5.206.121Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"
"86.5.206.121[Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0]"
"86.5.206.121[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]"                                                                         
"86.5.206.121[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.199-167.747.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]"                                                                         
"86.5.206.121[Slackbot 1.0 (+https://api.slack.com/robots)]"
"86.5.206.121[Slackbot-LinkExpanding 1.0 (+https://api.slack.com/robots)]"
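The same triage done above with sort, grep and jq can be scripted so the IP/user-agent/event grouping, the numeric IP ordering task 6 asks for, and the first/last timestamp of a download burst (tasks 2 and 3) come out of one pass over the CloudTrail files. This is an added example, not code from the writeup; the records embedded below are constructed placeholders, not values from the challenge logs.

```python
import ipaddress
import json
import re
from datetime import datetime, timezone

# Constructed sample in CloudTrail's {"Records": [...]} file layout. Every IP,
# timestamp, bucket and key here is a placeholder, not a value from the challenge.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2023-11-22T10:14:02Z", "eventName": "ListObjects",
     "sourceIPAddress": "203.0.113.10", "userAgent": "[python-requests/2.25.1]",
     "requestParameters": {"bucketName": "example-bucket"}},
    {"eventTime": "2023-11-22T10:14:03Z", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.10", "userAgent": "[python-requests/2.25.1]",
     "requestParameters": {"bucketName": "example-bucket", "key": "notes.txt"}},
    {"eventTime": "2023-11-22T10:14:05Z", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.10", "userAgent": "[python-requests/2.25.1]",
     "requestParameters": {"bucketName": "example-bucket", "key": "config.py"}},
    {"eventTime": "2023-11-22T11:30:00Z", "eventName": "GetObject",
     "sourceIPAddress": "198.51.100.7", "userAgent": "[Go-http-client/1.1]",
     "requestParameters": {"bucketName": "example-private", "key": "vpn/example.ovpn"}},
    {"eventTime": "2023-11-22T11:31:00Z", "eventName": "PutObject",
     "sourceIPAddress": "cloudtrail.amazonaws.com", "userAgent": "cloudtrail.amazonaws.com"},
    {"eventTime": "2023-11-22T11:32:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "AWS Internal", "userAgent": "AWS Internal"},
]})

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# userAgent substring -> language of the client tooling. First match wins, so the
# specific 'python-requests' is tested before the generic 'aws-cli'.
UA_LANGUAGE = (
    ("python-requests", "Python"), ("Boto3", "Python"), ("aws-cli", "Python"),
    ("Go-http-client", "Go"), ("aws-sdk-go", "Go"), ("aws-sdk-java", "Java"),
)

def load_records(text):
    """Parse one CloudTrail log file; each file wraps its events in 'Records'."""
    return json.loads(text)["Records"]

def is_external_ip(addr):
    """True only for a literal IPv4 client address. Service principals such as
    'cloudtrail.amazonaws.com' or 'AWS Internal' are AWS-side, not a client."""
    return bool(IPV4.match(addr))

def ips_ascending(records):
    """Distinct external source IPs in numeric order. A textual sort puts
    '3.236.115.9' after '195.181.170.226'; IPv4Address ordering does not."""
    ips = {r["sourceIPAddress"] for r in records if is_external_ip(r["sourceIPAddress"])}
    return sorted(ips, key=ipaddress.IPv4Address)

def ip_agent_events(records):
    """Unique (sourceIPAddress, userAgent, eventName) triples for external IPs,
    sorted: the view the jq '\\(.sourceIPAddress)--\\(.userAgent)--\\(.eventName)'
    filter piped through sort -u gives, for every IP at once."""
    triples = {(r["sourceIPAddress"], r.get("userAgent", ""), r["eventName"])
               for r in records if is_external_ip(r["sourceIPAddress"])}
    return sorted(triples)

def parse_time(stamp):
    """CloudTrail eventTime is ISO 8601 UTC with a trailing 'Z'."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def retrieval_window(records, ip, event="GetObject"):
    """(first, last, count) of `event` calls from `ip`: the start and end of an
    automated download run. None when the IP never issued that event."""
    times = sorted(parse_time(r["eventTime"]) for r in records
                   if r["sourceIPAddress"] == ip and r["eventName"] == event)
    if not times:
        return None
    return times[0], times[-1], len(times)

def objects_fetched(records, ip):
    """Chronological (eventTime, 'bucket/key') for every GetObject from `ip`,
    which is how a specific sensitive file being pulled shows up."""
    rows = []
    for r in records:
        if r["sourceIPAddress"] == ip and r["eventName"] == "GetObject":
            p = r.get("requestParameters", {})
            rows.append((r["eventTime"], f'{p.get("bucketName")}/{p.get("key")}'))
    return sorted(rows)

def language_from_user_agent(ua):
    """Guess the scripting language behind a client from its userAgent string."""
    for needle, lang in UA_LANGUAGE:
        if needle in ua:
            return lang
    return "unknown"

if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for ip in ips_ascending(recs):
        print(ip, retrieval_window(recs, ip), objects_fetched(recs, ip))
    for ip, ua, ev in ip_agent_events(recs):
        print(f"{ip}--{ua}--{ev}  ({language_from_user_agent(ua)})")
```

On the real evidence, feed every file under the log directory through load_records and concatenate the lists before calling the helpers.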

Next we combine the UA header with the historical logs to see which operations each of them performed:

cat ./*/*/*/*/*|jq '.Records[] | select (.sourceIPAddress == "86.5.206.121")|"\(.sourceIPAddress)--\(.userAgent)--\(.eventName)"'|sort -u
"86.5.206.121--[aws-cli/1.15.58 Python/3.5.2 Linux/6.2.0-37-generic botocore/1.10.57]--GetObject"
"86.5.206.121--[aws-cli/1.15.58 Python/3.5.2 Linux/6.2.0-37-generic botocore/1.10.57]--ListObjects"
"86.5.206.121--[AWSCloudTrail, aws-internal/3 aws-sdk-java/1.12.583 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/17.0.9+9-LTS java/1.8.0_392 vendor/N/A cfg/retry-mode/standard]--CreateBucket"
"86.5.206.121--[AWSCloudTrail, aws-internal/3 aws-sdk-java/1.12.583 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/17.0.9+9-LTS java/1.8.0_392 vendor/N/A cfg/retry-mode/standard]--ListBuckets"
"86.5.206.121--[AWSCloudTrail, aws-internal/3 aws-sdk-java/1.12.583 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/17.0.9+9-LTS java/1.8.0_392 vendor/N/A cfg/retry-mode/standard]--PutBucketPolicy"
"86.5.206.121--[AWSCloudTrail, aws-internal/3 aws-sdk-java/1.12.583 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/17.0.9+9-LTS java/1.8.0_392 vendor/N/A cfg/retry-mode/standard]--PutBucketPublicAccessBlock"
"86.5.206.121--AWS Internal--CreateTrail"
"86.5.206.121--AWS Internal--DescribeAccountAttributes"
"86.5.206.121--AWS Internal--DescribeAddresses"
"86.5.206.121--AWS Internal--DescribeAlarms"
"86.5.206.121--AWS Internal--DescribeAutoScalingGroups"
"86.5.206.121--AWS Internal--DescribeAvailabilityZones"
"86.5.206.121--AWS Internal--DescribeConfigurationRecorders"
"86.5.206.121--AWS Internal--DescribeConfigurationRecorderStatus"
"86.5.206.121--AWS Internal--DescribeHosts"
"86.5.206.121--AWS Internal--DescribeImages"
"86.5.206.121--AWS Internal--DescribeInstanceAttribute"
"86.5.206.121--AWS Internal--DescribeInstanceCreditSpecifications"
"86.5.206.121--AWS Internal--DescribeInstanceInformation"
"86.5.206.121--AWS Internal--DescribeInstances"
"86.5.206.121--AWS Internal--DescribeInstanceStatus"
"86.5.206.121--AWS Internal--DescribeInstanceTypes"
"86.5.206.121--AWS Internal--DescribeKeyPairs"
"86.5.206.121--AWS Internal--DescribeLaunchTemplates"
"86.5.206.121--AWS Internal--DescribeLoadBalancers"
"86.5.206.121--AWS Internal--DescribeMetricFilters"
"86.5.206.121--AWS Internal--DescribeNetworkInterfaces"
"86.5.206.121--AWS Internal--DescribePlacementGroups"
"86.5.206.121--AWS Internal--DescribeSecurityGroupRules"
"86.5.206.121--AWS Internal--DescribeSecurityGroups"
"86.5.206.121--AWS Internal--DescribeSnapshots"
"86.5.206.121--AWS Internal--DescribeSubnets"
"86.5.206.121--AWS Internal--DescribeTags"
"86.5.206.121--AWS Internal--DescribeTrails"
"86.5.206.121--AWS Internal--DescribeVolumes"
"86.5.206.121--AWS Internal--DescribeVolumeStatus"
"86.5.206.121--AWS Internal--DescribeVpcs"
"86.5.206.121--AWS Internal--GetEnrollmentStatus"
"86.5.206.121--AWS Internal--GetEventSelectors"
"86.5.206.121--AWS Internal--GetInsightSelectors"
"86.5.206.121--AWS Internal--GetResources"
"86.5.206.121--AWS Internal--GetTrailStatus"
"86.5.206.121--AWS Internal--ListTags"
"86.5.206.121--AWS Internal--LookupEvents"
"86.5.206.121--AWS Internal--PutEventSelectors"
"86.5.206.121--AWS Internal--PutInsightSelectors"
"86.5.206.121--AWS Internal--StartLogging"
"86.5.206.121--AWS Internal--TerminateInstances"
"86.5.206.121--[Boto3/1.29.7 md/Botocore#1.32.7 ua/2.0 os/linux#6.2.0-37-generic md/arch#x86_64 lang/python#3.10.12 md/pyimpl#CPython cfg/retry-mode#legacy Botocore/1.32.7]--PutObject"
"86.5.206.121--[]--GetObject"
"86.5.206.121--Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36--DescribeHub"
"86.5.206.121--Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36--DescribeRegions"
"86.5.206.121--Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36--GetInvitationsCount"
"86.5.206.121--[Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36]--GetObject"
"86.5.206.121--Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36--GetTrail"
"86.5.206.121--Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36--GetTrailStatus"
"86.5.206.121--Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36--ListAliases"
"86.5.206.121--Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36--ListApplications"
"86.5.206.121--Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36--ListDetectors"
"86.5.206.121--Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36--ListEventDataStores"
"86.5.206.121--Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36--ListKeys"
"86.5.206.121--Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36--ListNotificationHubs"
"86.5.206.121--[Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36]--ListObjects"
"86.5.206.121--Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36--ListResources"
"86.5.206.121--Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36--ListTrails"
"86.5.206.121--[Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36]--PreflightRequest"
"86.5.206.121--[Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36]--PutObject"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--CreateBucket"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--DeleteObjects"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--GetAccelerateConfiguration"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--GetAccountPublicAccessBlock"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--GetBucketAcl"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--GetBucketAnalyticsConfiguration"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--GetBucketCors"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--GetBucketEncryption"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--GetBucketIntelligentTieringConfiguration"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--GetBucketInventoryConfiguration"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--GetBucketLifecycle"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--GetBucketLogging"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--GetBucketNotification"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--GetBucketObjectLockConfiguration"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--GetBucketOwnershipControls"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--GetBucketPolicy"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--GetBucketPolicyStatus"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--GetBucketPublicAccessBlock"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--GetBucketReplication"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--GetBucketRequestPayment"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--GetBucketTagging"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--GetBucketVersioning"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--GetBucketWebsite"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--GetObjectTagging"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--HeadBucket"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--HeadObject"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--ListAccessPoints"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--ListBuckets"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--ListObjects"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--PutBucketAcl"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--PutBucketEncryption"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--PutBucketPublicAccessBlock"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.199-167.747.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--GetAccelerateConfiguration"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.199-167.747.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--GetAccountPublicAccessBlock"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.199-167.747.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--GetBucketAcl"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.199-167.747.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--GetBucketCors"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.199-167.747.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--GetBucketEncryption"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.199-167.747.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--GetBucketIntelligentTieringConfiguration"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.199-167.747.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--GetBucketLogging"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.199-167.747.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--GetBucketNotification"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.199-167.747.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--GetBucketObjectLockConfiguration"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.199-167.747.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--GetBucketOwnershipControls"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.199-167.747.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--GetBucketPolicy"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.199-167.747.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--GetBucketPolicyStatus"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.199-167.747.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--GetBucketPublicAccessBlock"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.199-167.747.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--GetBucketRequestPayment"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.199-167.747.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--GetBucketTagging"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.199-167.747.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--GetBucketVersioning"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.199-167.747.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--GetBucketWebsite"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.199-167.747.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--HeadBucket"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.199-167.747.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--HeadObject"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.199-167.747.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--ListAccessPoints"
"86.5.206.121--[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.199-167.747.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]--ListObjects"

This is clearly an administrator working from the console, so 86.5.206.121 can be excluded.
What remains so far:

└─$ cat ipa2 |grep -v -e 'X.X.X.X' -e 'resource-explorer-2.amazonaws.com' -e 'dynamodb.application-autoscaling.amazonaws.com' -e 'cloudtrail.amazonaws.com' -e 'access-analyzer.amazonaws.com' -e '86.5.206.121'|jq
"109.205.185.126[Go-http-client/1.1]"
"138.199.59.46[aws-sdk-go-v2/1.17.8 os/linux lang/go/1.20.7 md/GOOS/linux md/GOARCH/amd64 api/s3/1.31.2]"
"191.101.31.26AWS Internal"
"191.101.31.26[aws-sdk-go-v2/1.17.8 os/linux lang/go/1.20.7 md/GOOS/linux md/GOARCH/amd64 api/s3/1.31.2]"
"191.101.31.26[Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0]"
"191.101.31.26[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]"                                                                        
"191.101.31.26[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.199-167.747.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]"                                                                        
"191.101.31.57[aws-cli/2.12.0 Python/3.11.5 Linux/6.1.0-kali9-amd64 source/x86_64.kali.2023 prompt/off command/s3.ls]"
"191.101.31.57[aws-cli/2.12.0 Python/3.11.5 Linux/6.1.0-kali9-amd64 source/x86_64.kali.2023 prompt/off command/s3.sync]"
"191.101.31.57[aws-sdk-go-v2/1.17.8 os/linux lang/go/1.20.7 md/GOOS/linux md/GOARCH/amd64 api/s3/1.31.2]"
"191.101.31.57[python-requests/2.25.1]"
"191.101.31.57[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.199-167.747.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]"                                                                        
"195.181.170.226AWS Internal"
"195.181.170.226[aws-sdk-go-v2/1.17.8 os/linux lang/go/1.20.7 md/GOOS/linux md/GOARCH/amd64 api/s3/1.31.2]"
"195.181.170.226[Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0]"
"195.181.170.226[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]"                                                                      
"195.181.170.226[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.199-167.747.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]"                                                                      
"3.236.115.9[Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36]"
"3.236.115.9[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]"                                                                          
"3.236.115.9[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.199-167.747.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]"                                                                          
"3.236.115.9[Slackbot 1.0 (+https://api.slack.com/robots)]"
"3.236.115.9[Slackbot-LinkExpanding 1.0 (+https://api.slack.com/robots)]"
"3.236.226.247[Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36]"
"3.236.226.247[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.198-165.748.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]"                                                                        
"3.236.226.247[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.199-167.747.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]"                                                                        
"3.236.226.247[Slackbot 1.0 (+https://api.slack.com/robots)]"
"3.236.226.247[Slackbot-LinkExpanding 1.0 (+https://api.slack.com/robots)]"
"45.133.193.41[aws-cli/2.12.0 Python/3.11.5 Linux/6.1.0-kali9-amd64 source/x86_64.kali.2023 prompt/off command/s3.ls]"
"45.133.193.41[aws-cli/2.12.0 Python/3.11.5 Linux/6.1.0-kali9-amd64 source/x86_64.kali.2023 prompt/off command/s3.sync]"
"45.133.193.41[aws-sdk-go-v2/1.17.8 os/linux lang/go/1.20.7 md/GOOS/linux md/GOARCH/amd64 api/s3/1.31.2]"
"45.133.193.41[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.199-167.747.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]"                                                                        
"45.148.104.164[Go-http-client/1.1]"

A glance at the user agents then shows something off: some of them contain kali.
So filter for the entries containing kali:

┌──(fonllge㉿harusaru)-[~/Desktop/htblue/test17/optinseltrace2-cloudtrail]
└─$ cat ipa2 |grep -v -e 'X.X.X.X' -e 'resource-explorer-2.amazonaws.com' -e 'dynamodb.application-autoscaling.amazonaws.com' -e 'cloudtrail.amazonaws.com' -e 'access-analyzer.amazonaws.com' -e '86.5.206.121'|grep kali|jq
"191.101.31.57[aws-cli/2.12.0 Python/3.11.5 Linux/6.1.0-kali9-amd64 source/x86_64.kali.2023 prompt/off command/s3.ls]"
"191.101.31.57[aws-cli/2.12.0 Python/3.11.5 Linux/6.1.0-kali9-amd64 source/x86_64.kali.2023 prompt/off command/s3.sync]"
"45.133.193.41[aws-cli/2.12.0 Python/3.11.5 Linux/6.1.0-kali9-amd64 source/x86_64.kali.2023 prompt/off command/s3.ls]"
"45.133.193.41[aws-cli/2.12.0 Python/3.11.5 Linux/6.1.0-kali9-amd64 source/x86_64.kali.2023 prompt/off command/s3.sync]"

The answer to task 6 is right here.
Next, we only need to check when these two IPs first accessed the bucket to get the answer to task 2:

└─$ cat eu-west-*/*/*/*/*|jq '.Records[] | select (.sourceIPAddress == "191.101.31.57")|"\(.eventTime)--\(.eventName)"'|sort -n
"2023-11-29T08:24:07Z--GetObject"
"2023-11-29T08:24:07Z--GetObject"
"2023-11-29T08:24:07Z--GetObject"
"2023-11-29T08:24:07Z--GetObject"
"2023-11-29T08:24:07Z--GetObject"
"2023-11-29T08:24:08Z--GetObject"
"2023-11-29T08:24:08Z--GetObject"
"2023-11-29T08:24:08Z--GetObject"
"2023-11-29T08:24:08Z--GetObject"
"2023-11-29T08:24:09Z--GetObject"
"2023-11-29T08:24:09Z--GetObject"
"2023-11-29T08:24:09Z--GetObject"
"2023-11-29T08:24:09Z--GetObject"
"2023-11-29T08:24:09Z--GetObject"
"2023-11-29T08:24:10Z--GetObject"
"2023-11-29T08:24:10Z--GetObject"
"2023-11-29T08:24:10Z--GetObject"
"2023-11-29T08:24:10Z--GetObject"
"2023-11-29T08:24:10Z--GetObject"
"2023-11-29T08:24:11Z--GetObject"
"2023-11-29T08:24:11Z--GetObject"
"2023-11-29T08:24:11Z--GetObject"
"2023-11-29T08:24:11Z--GetObject"
"2023-11-29T08:24:12Z--GetObject"
"2023-11-29T08:24:12Z--GetObject"
"2023-11-29T08:24:12Z--GetObject"
"2023-11-29T08:24:12Z--GetObject"
"2023-11-29T08:24:13Z--GetObject"
"2023-11-29T08:24:13Z--GetObject"
"2023-11-29T08:24:13Z--GetObject"
"2023-11-29T08:24:13Z--GetObject"
"2023-11-29T08:24:13Z--GetObject"
"2023-11-29T08:24:14Z--GetObject"
"2023-11-29T08:24:14Z--GetObject"
"2023-11-29T08:24:14Z--GetObject"
"2023-11-29T08:24:14Z--GetObject"
"2023-11-29T08:24:14Z--GetObject"
"2023-11-29T08:24:15Z--GetObject"
"2023-11-29T08:24:15Z--GetObject"
"2023-11-29T08:24:15Z--GetObject"
"2023-11-29T08:24:15Z--GetObject"
"2023-11-29T08:24:16Z--GetObject"
"2023-11-29T08:24:16Z--GetObject"
"2023-11-29T10:15:02Z--GetBucketAcl"
"2023-11-29T10:15:02Z--HeadBucket"
"2023-11-29T10:15:02Z--HeadBucket"
"2023-11-29T10:15:09Z--GetBucketAcl"
"2023-11-29T10:15:09Z--HeadBucket"
"2023-11-29T10:15:09Z--HeadBucket"
"2023-11-29T10:15:28Z--ListObjects"

Task 3 (What time did the Threat Actor complete their automated retrieval of the contents of our exposed S3 bucket?)
The answer is also contained in this same output.
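As an added example (not part of the original write-up), the same triage the jq pipelines above perform, done in Python over a constructed CloudTrail-shaped sample: drop service principals, group user agents per source IP, pick out the IPs whose agent string contains kali in proper numeric order, and take the first and last GetObject time for the chosen IP, plus the time--event---ARN view used later for tasks 7 and 9. The record shape and the sample values are assumptions modelled on the output shown in this write-up.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample CloudTrail log, shaped like the real files (one JSON object with a
# "Records" array) but carrying only the fields this analysis uses. Not the challenge logs.
CONSOLE_UA = "[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488]"
KALI_SYNC_UA = ("[aws-cli/2.12.0 Python/3.11.5 Linux/6.1.0-kali9-amd64 "
                "source/x86_64.kali.2023 prompt/off command/s3.sync]")
KALI_LS_UA = KALI_SYNC_UA.replace("s3.sync", "s3.ls")

def _rec(ip, ua, event, when, arn):
    """One minimal CloudTrail record for the sample log."""
    return {"eventTime": when, "eventName": event, "sourceIPAddress": ip,
            "userAgent": ua, "resources": [{"ARN": arn}]}

SAMPLE_LOG = json.dumps({"Records": [
    _rec("86.5.206.121", CONSOLE_UA, "GetBucketAcl", "2023-11-28T09:50:00Z",
         "arn:aws:s3:::north-pole-private"),
    # Service-initiated event: CloudTrail puts the service principal in sourceIPAddress.
    _rec("cloudtrail.amazonaws.com", "cloudtrail.amazonaws.com", "GetBucketAcl",
         "2023-11-28T10:00:00Z", "arn:aws:s3:::north-pole-logs"),
    _rec("191.101.31.57", KALI_SYNC_UA, "GetObject", "2023-11-29T08:24:09Z",
         "arn:aws:s3:::papa-noel/NPoleScripts/claus.py"),
    _rec("191.101.31.57", KALI_SYNC_UA, "GetObject", "2023-11-29T08:24:07Z",
         "arn:aws:s3:::papa-noel/santa-list.csv"),
    _rec("191.101.31.57", KALI_SYNC_UA, "GetObject", "2023-11-29T08:24:16Z",
         "arn:aws:s3:::papa-noel/NPoleScripts/update.sh"),
    _rec("191.101.31.57", "[python-requests/2.25.1]", "ListObjects",
         "2023-11-29T10:15:28Z", "arn:aws:s3:::north-pole-private"),
    _rec("45.133.193.41", KALI_LS_UA, "ListObjects", "2023-11-29T08:20:00Z",
         "arn:aws:s3:::papa-noel"),
]})

def load_records(log_texts):
    """Flatten the Records arrays of several CloudTrail log files into one list."""
    records = []
    for text in log_texts:
        records.extend(json.loads(text).get("Records", []))
    return records

def is_external_source(ip):
    """True for a real client IP; False for AWS service principals and internal markers."""
    if not ip or ip == "AWS Internal" or ip.endswith(".amazonaws.com"):
        return False
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return False
    return True

def user_agents_by_ip(records):
    """Map each external source IP to the set of user agents it presented (task 6 triage)."""
    agents = defaultdict(set)
    for r in records:
        ip = r.get("sourceIPAddress", "")
        if is_external_source(ip):
            agents[ip].add(r.get("userAgent", ""))
    return dict(agents)

def suspicious_ips(records, markers=("kali",)):
    """IPs whose user agents contain any marker, in numeric ascending order.
    Sorting IPs as plain strings would wrongly place 109.x before 45.x."""
    hits = [ip for ip, uas in user_agents_by_ip(records).items()
            if any(m in ua.lower() for ua in uas for m in markers)]
    return sorted(hits, key=ipaddress.ip_address)

def retrieval_window(records, ip, event_name="GetObject"):
    """(first, last) eventTime of event_name from ip (tasks 2 and 3), or None.
    ISO-8601 UTC timestamps sort correctly as plain strings."""
    times = sorted(r["eventTime"] for r in records
                   if r.get("sourceIPAddress") == ip and r.get("eventName") == event_name)
    return (times[0], times[-1]) if times else None

def timeline(records, ip):
    """Sorted 'eventTime--eventName---ARN' lines for one IP (the task 7 / task 9 view)."""
    lines = set()
    for r in records:
        if r.get("sourceIPAddress") != ip:
            continue
        for res in r.get("resources") or []:
            if res.get("ARN"):
                lines.add(f"{r['eventTime']}--{r['eventName']}---{res['ARN']}")
    return sorted(lines)

if __name__ == "__main__":
    recs = load_records([SAMPLE_LOG])
    print("suspicious IPs:", suspicious_ips(recs))
    print("GetObject window:", retrieval_window(recs, "191.101.31.57"))
    print("\n".join(timeline(recs, "191.101.31.57")))
```

To run it against the real challenge files, pass the contents of every `eu-west-*/*/*/*/*` log to `load_records` instead of `SAMPLE_LOG`.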


Task 4
Based on the Threat Actor's user agent, what scripting language did the TA likely utilise to retrieve the files?
Here we can simply search the user agent records for the IP identified in task 2:

└─$ grep '"191.101.31.57' ipa2                       
"191.101.31.57[aws-cli/2.12.0 Python/3.11.5 Linux/6.1.0-kali9-amd64 source/x86_64.kali.2023 prompt/off command/s3.ls]"
"191.101.31.57[aws-cli/2.12.0 Python/3.11.5 Linux/6.1.0-kali9-amd64 source/x86_64.kali.2023 prompt/off command/s3.sync]"
"191.101.31.57[aws-sdk-go-v2/1.17.8 os/linux lang/go/1.20.7 md/GOOS/linux md/GOARCH/amd64 api/s3/1.31.2]"
"191.101.31.57cloudtrail.amazonaws.com"
"191.101.31.57dynamodb.application-autoscaling.amazonaws.com"
"191.101.31.57[python-requests/2.25.1]"
"191.101.31.57[S3Console/0.4, aws-internal/3 aws-sdk-java/1.12.488 Linux/5.10.199-167.747.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.372-b08 java/1.8.0_372 vendor/Oracle_Corporation cfg/retry-mode/standard]"

We can see it is Python's requests library.


Task 5
Which file did the Threat Actor locate some hard coded credentials within?

First, look up which files the actor accessed; searching the ARNs is enough:

└─$ cat eu-west-*/*/*/*/*|jq '.Records[]|select (.sourceIPAddress=="191.101.31.57")|.resources[].ARN' -r|sort -u
arn:aws:s3:::north-pole-private
arn:aws:s3:::papa-noel
arn:aws:s3:::papa-noel/NPoleScripts/backup.py
arn:aws:s3:::papa-noel/NPoleScripts/check.js
arn:aws:s3:::papa-noel/NPoleScripts/claus.py
arn:aws:s3:::papa-noel/NPoleScripts/disk.ps
arn:aws:s3:::papa-noel/NPoleScripts/.git/COMMIT_EDITMSG
arn:aws:s3:::papa-noel/NPoleScripts/.git/config
arn:aws:s3:::papa-noel/NPoleScripts/.git/description
arn:aws:s3:::papa-noel/NPoleScripts/.git/HEAD
arn:aws:s3:::papa-noel/NPoleScripts/.git/hooks/applypatch-msg.sample
arn:aws:s3:::papa-noel/NPoleScripts/.git/hooks/commit-msg.sample
arn:aws:s3:::papa-noel/NPoleScripts/.git/hooks/fsmonitor-watchman.sample
arn:aws:s3:::papa-noel/NPoleScripts/.git/hooks/post-update.sample
arn:aws:s3:::papa-noel/NPoleScripts/.git/hooks/pre-applypatch.sample
arn:aws:s3:::papa-noel/NPoleScripts/.git/hooks/pre-commit.sample
arn:aws:s3:::papa-noel/NPoleScripts/.git/hooks/pre-merge-commit.sample
arn:aws:s3:::papa-noel/NPoleScripts/.git/hooks/prepare-commit-msg.sample
arn:aws:s3:::papa-noel/NPoleScripts/.git/hooks/pre-push.sample
arn:aws:s3:::papa-noel/NPoleScripts/.git/hooks/pre-rebase.sample
arn:aws:s3:::papa-noel/NPoleScripts/.git/hooks/pre-receive.sample
arn:aws:s3:::papa-noel/NPoleScripts/.git/hooks/push-to-checkout.sample
arn:aws:s3:::papa-noel/NPoleScripts/.git/hooks/update.sample
arn:aws:s3:::papa-noel/NPoleScripts/.git/index
arn:aws:s3:::papa-noel/NPoleScripts/.git/info/exclude
arn:aws:s3:::papa-noel/NPoleScripts/.git/logs/HEAD
arn:aws:s3:::papa-noel/NPoleScripts/.git/logs/refs/heads/master
arn:aws:s3:::papa-noel/NPoleScripts/.git/objects/38/938fa8723c40cedfb7819340563c81961d7712
arn:aws:s3:::papa-noel/NPoleScripts/.git/objects/5d/24a8f411fc931b54fb9a4b58b6b55f1016c34d
arn:aws:s3:::papa-noel/NPoleScripts/.git/objects/62/13ad5b238260339ce346bf8f9063a8559c538a
arn:aws:s3:::papa-noel/NPoleScripts/.git/objects/69/a6bf0c5763a8cfc8d52d123e29986441869eab
arn:aws:s3:::papa-noel/NPoleScripts/.git/objects/6e/e67e3c147c7b310ea95271f07165056a84a1aa
arn:aws:s3:::papa-noel/NPoleScripts/.git/objects/8f/3ebb72ee80ee21f35e64ff2040ffbfb8d78d90
arn:aws:s3:::papa-noel/NPoleScripts/.git/objects/99/9775de5661604d8b3e7b5929d1fd1818db40ac
arn:aws:s3:::papa-noel/NPoleScripts/.git/objects/99/dbe4b3d52641ecb95dc3361bc7c324ba20f8e1
arn:aws:s3:::papa-noel/NPoleScripts/.git/objects/a9/2e975c8c52221d5c1c371d5595f65eb13f8be5
arn:aws:s3:::papa-noel/NPoleScripts/.git/objects/d5/4035991ea077b39062f858dfab56ea4fc1eb32
arn:aws:s3:::papa-noel/NPoleScripts/.git/objects/da/4d9a7c2824a50b8615b0149da53df83e812529
arn:aws:s3:::papa-noel/NPoleScripts/.git/objects/f1/3ae004942c081e8a345a35bc4c1a006fb9a9d6
arn:aws:s3:::papa-noel/NPoleScripts/.git/objects/ff/46564b94ef03aca8f76224d3286e7e608276e4
arn:aws:s3:::papa-noel/NPoleScripts/.git/refs/heads/master
arn:aws:s3:::papa-noel/NPoleScripts/organise.rb
arn:aws:s3:::papa-noel/NPoleScripts/santa_journey_log.csv
arn:aws:s3:::papa-noel/NPoleScripts/update.sh
arn:aws:s3:::papa-noel/santa-list.csv
null

But after thinking it over, I still couldn't tell which of these files contained the hard-coded credentials...
So I did a git dump from the bucket and went through the files one by one; the Python file containing the bucket address fits the description best:

└─$ cat claus.py                                                                               
import os
import time
import platform
import csv
import boto3
from botocore.exceptions import NoCredentialsError, ClientError

# Removed keys for safer method
BUCKET_NAME = 'north-pole-private'
REGION_NAME = 'eu-west-2'

def clear_screen():
    if platform.system() == "Windows":
        os.system('cls')
    else:
        os.system('clear')

def colored(text, color):
    colors = {
        "blue": "\033[34m",
        "green": "\033[32m",
        "reset": "\033[0m"
    }
    return colors.get(color, colors["reset"]) + text + colors["reset"]

globe = [
    "                      _____",
    "             ,-:` \\;',`'-, ",
    "           .'-;_,;  ':-;_,'.",
    "          /;   '/    ,  _`.-\\",
    "         | '`. (`     /` ` \\`|",
    "         |:.  `\\`-.   \\_   / |",
    "         |     (   `,  .`\\ ;'|",
    "          \\     | .'     `-'/",
    "           `.   ;/        .'",
    "             `'-._____.,-'`"
]

cities = [
    {"name": "New York", "position": (23, 2)},
    {"name": "London", "position": (21, 1)},
    {"name": "Paris", "position": (20, 2)},
    {"name": "Berlin", "position": (19, 1)},
    {"name": "Tokyo", "position": (18, 2)},
    {"name": "Sydney", "position": (17, 3)},
    {"name": "Cape Town", "position": (18, 4)},
]

def print_colored_globe_with_santa(position):
    for y, line in enumerate(globe):
        colored_line = ""
        for x, char in enumerate(line):
            if (x, y) == position:
                colored_line += "\U0001F385"  # Santa emoji
            elif char in ".-',;:|/\\":
                colored_line += colored(char, "blue")  # Ocean
            else:
                colored_line += colored(char, "green")  # Land
        print(colored_line)

def log_to_csv(city_name):
    with open('santa_journey_log.csv', 'a', newline='') as file:
        writer = csv.writer(file)
        writer.writerow([city_name, time.strftime("%Y-%m-%d %H:%M:%S")])

def upload_to_s3(file_name, bucket, region=None, object_name=None):
    if object_name is None:
        object_name = file_name
    try:
        s3_client = boto3.client('s3', region_name=region,
                                 aws_access_key_id=AWS_ACCESS_KEY, 
                                 aws_secret_access_key=AWS_SECRET_KEY)
        s3_client.upload_file(file_name, bucket, object_name)
        print(f"File {file_name} uploaded to {bucket}/{object_name}")
    except NoCredentialsError:
        print("Credentials not available")
    except ClientError as e:
        print(f"An error occurred: {e}")

def simulate_santa_journey(cities):
    last_upload_time = time.time()
    while True:  
        for city in cities:
            current_time = time.time()
            if current_time - last_upload_time >= 25:  # Check if 25 seconds have passed
                upload_to_s3('santa_journey_log.csv', BUCKET_NAME, REGION_NAME)
                last_upload_time = current_time  # Reset the last upload time

            clear_screen()
            position = city["position"]
            print("\nSanta is flying to", city["name"])
            print_colored_globe_with_santa(position)
            log_to_csv(city["name"])  # Log city visit to CSV
            time.sleep(1)  # Pause to simulate travel time

if __name__ == "__main__":
    print("Santa's Christmas Eve Journey!")
    simulate_santa_journey(cities)
    upload_to_s3('santa_journey_log.csv', BUCKET_NAME, REGION_NAME)

Task 7
We are extremely concerned the TA managed to compromise our private S3 bucket, which contains an important VPN file. Please confirm the name of this VPN file and the time it was retrieved by the TA.

Here we directly search the files accessed from the administrator's IP:

└─$ cat eu-west-*/*/*/*/*|jq '.Records[] | select(.sourceIPAddress == "86.5.206.121") | .resources[].ARN|select(test("\\.json\\.gz$") | not)' -r 2>/dev/null|sort -u
arn:aws:s3:::north-pole-logs
arn:aws:s3:::north-pole-logs/favicon.ico
arn:aws:s3:::north-pole-private
arn:aws:s3:::north-pole-private/bytesparkle.o
arn:aws:s3:::north-pole-private/santa_journey_log.csv
arn:aws:s3:::npole-cloud-infra
arn:aws:s3:::npole-vm-setup
arn:aws:s3:::papa-noel
arn:aws:s3:::papa-noel/santa-list.csv
arn:aws:s3:::snow-infra-terraform

The answer is obvious.
Just add the time and event name to the output and filter once more:

└─$ cat eu-west-*/*/*/*/*|jq '.Records[] | select(.sourceIPAddress == "86.5.206.121") | "\(.eventTime)--\(.eventName)" +"---"+.resources[].ARN|select(test("\\.json\\.gz$") | not)' -r 2>/dev/null|sort -u|grep north-pole-private/bytesparkle.o
2023-11-28T09:54:56Z--PreflightRequest---arn:aws:s3:::north-pole-private/bytesparkle.o
2023-11-28T09:54:56Z--PutObject---arn:aws:s3:::north-pole-private/bytesparkle.o

The PutObject time is the one we want.


Task 8
Please confirm the username of the compromised AWS account.

Filter out the usernames that appear in the logs; the answer is obvious:

└─$ cat ./*/*/*/*/*|jq '.Records[].userIdentity.userName|select(.!= null)' -r |sort -u
elfadmin
elfin
snowball
terraform-gumdrop

Task 9
Based on the analysis completed, Santa Claus has asked for some advice. What is the ARN of the S3 Bucket that requires locking down?

Check which bucket ARNs 191.101.31.57 accessed:

└─$ cat ./*/*/*/*/*|jq '.Records[]|select(.sourceIPAddress=="191.101.31.57")|.resources[].ARN|select(.!= null)' 2>/dev/null |sort -u
"arn:aws:s3:::north-pole-private"
"arn:aws:s3:::papa-noel"
"arn:aws:s3:::papa-noel/NPoleScripts/backup.py"
"arn:aws:s3:::papa-noel/NPoleScripts/check.js"
"arn:aws:s3:::papa-noel/NPoleScripts/claus.py"
"arn:aws:s3:::papa-noel/NPoleScripts/disk.ps"
"arn:aws:s3:::papa-noel/NPoleScripts/.git/COMMIT_EDITMSG"
"arn:aws:s3:::papa-noel/NPoleScripts/.git/config"
"arn:aws:s3:::papa-noel/NPoleScripts/.git/description"
"arn:aws:s3:::papa-noel/NPoleScripts/.git/HEAD"
"arn:aws:s3:::papa-noel/NPoleScripts/.git/hooks/applypatch-msg.sample"
"arn:aws:s3:::papa-noel/NPoleScripts/.git/hooks/commit-msg.sample"
"arn:aws:s3:::papa-noel/NPoleScripts/.git/hooks/fsmonitor-watchman.sample"
"arn:aws:s3:::papa-noel/NPoleScripts/.git/hooks/post-update.sample"
"arn:aws:s3:::papa-noel/NPoleScripts/.git/hooks/pre-applypatch.sample"
"arn:aws:s3:::papa-noel/NPoleScripts/.git/hooks/pre-commit.sample"
"arn:aws:s3:::papa-noel/NPoleScripts/.git/hooks/pre-merge-commit.sample"
"arn:aws:s3:::papa-noel/NPoleScripts/.git/hooks/prepare-commit-msg.sample"
"arn:aws:s3:::papa-noel/NPoleScripts/.git/hooks/pre-push.sample"
"arn:aws:s3:::papa-noel/NPoleScripts/.git/hooks/pre-rebase.sample"
"arn:aws:s3:::papa-noel/NPoleScripts/.git/hooks/pre-receive.sample"
"arn:aws:s3:::papa-noel/NPoleScripts/.git/hooks/push-to-checkout.sample"
"arn:aws:s3:::papa-noel/NPoleScripts/.git/hooks/update.sample"
"arn:aws:s3:::papa-noel/NPoleScripts/.git/index"
"arn:aws:s3:::papa-noel/NPoleScripts/.git/info/exclude"
"arn:aws:s3:::papa-noel/NPoleScripts/.git/logs/HEAD"
"arn:aws:s3:::papa-noel/NPoleScripts/.git/logs/refs/heads/master"
"arn:aws:s3:::papa-noel/NPoleScripts/.git/objects/38/938fa8723c40cedfb7819340563c81961d7712"
"arn:aws:s3:::papa-noel/NPoleScripts/.git/objects/5d/24a8f411fc931b54fb9a4b58b6b55f1016c34d"
"arn:aws:s3:::papa-noel/NPoleScripts/.git/objects/62/13ad5b238260339ce346bf8f9063a8559c538a"
"arn:aws:s3:::papa-noel/NPoleScripts/.git/objects/69/a6bf0c5763a8cfc8d52d123e29986441869eab"
"arn:aws:s3:::papa-noel/NPoleScripts/.git/objects/6e/e67e3c147c7b310ea95271f07165056a84a1aa"
"arn:aws:s3:::papa-noel/NPoleScripts/.git/objects/8f/3ebb72ee80ee21f35e64ff2040ffbfb8d78d90"
"arn:aws:s3:::papa-noel/NPoleScripts/.git/objects/99/9775de5661604d8b3e7b5929d1fd1818db40ac"
"arn:aws:s3:::papa-noel/NPoleScripts/.git/objects/99/dbe4b3d52641ecb95dc3361bc7c324ba20f8e1"
"arn:aws:s3:::papa-noel/NPoleScripts/.git/objects/a9/2e975c8c52221d5c1c371d5595f65eb13f8be5"
"arn:aws:s3:::papa-noel/NPoleScripts/.git/objects/d5/4035991ea077b39062f858dfab56ea4fc1eb32"
"arn:aws:s3:::papa-noel/NPoleScripts/.git/objects/da/4d9a7c2824a50b8615b0149da53df83e812529"
"arn:aws:s3:::papa-noel/NPoleScripts/.git/objects/f1/3ae004942c081e8a345a35bc4c1a006fb9a9d6"
"arn:aws:s3:::papa-noel/NPoleScripts/.git/objects/ff/46564b94ef03aca8f76224d3286e7e608276e4"
"arn:aws:s3:::papa-noel/NPoleScripts/.git/refs/heads/master"
"arn:aws:s3:::papa-noel/NPoleScripts/organise.rb"
"arn:aws:s3:::papa-noel/NPoleScripts/santa_journey_log.csv"
"arn:aws:s3:::papa-noel/NPoleScripts/update.sh"
"arn:aws:s3:::papa-noel/santa-list.csv"
