
背景

前情提要:小王急匆匆地找到小张,小王说:“李哥,我的 dev 服务器被黑了,快救救我!!”

这是他的服务器,请你找出以下内容作为通关条件:

  1. 黑客的IP地址 192.168.75.129
  2. 黑客遗留下的flag【3个】
    • flag{thisismybaby}
    • flag{kfcvme50}
    • flag{P@ssW0rd_redis}

靶机环境

使用Vmware启动即可,如启动错误,请升级至Vmware17.5以上

相关账户密码:

  1. defend/defend
  2. root/defend

信息收集

查看端口

# 查看运行了哪些服务、监听了哪些端口,有无异常的对外监听或外联连接
[root@localhost ~]# netstat -atup
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 localhost.locald:domain 0.0.0.0:* LISTEN 1656/dnsmasq
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN 1093/sshd
tcp 0 0 localhost:ipp 0.0.0.0:* LISTEN 1096/cupsd
tcp 0 0 localhost:smtp 0.0.0.0:* LISTEN 1331/master
tcp 0 0 0.0.0.0:sunrpc 0.0.0.0:* LISTEN 749/rpcbind
tcp6 0 0 [::]:ssh [::]:* LISTEN 1093/sshd
tcp6 0 0 localhost:ipp [::]:* LISTEN 1096/cupsd
tcp6 0 0 localhost:smtp [::]:* LISTEN 1331/master
tcp6 0 0 [::]:sunrpc [::]:* LISTEN 749/rpcbind
udp 0 0 0.0.0.0:922 0.0.0.0:* 749/rpcbind
udp 0 0 0.0.0.0:34003 0.0.0.0:* 781/avahi-daemon: r
udp 0 0 0.0.0.0:mdns 0.0.0.0:* 781/avahi-daemon: r
udp 0 0 localhost.locald:domain 0.0.0.0:* 1656/dnsmasq
udp 0 0 0.0.0.0:bootps 0.0.0.0:* 1656/dnsmasq
udp 0 0 0.0.0.0:sunrpc 0.0.0.0:* 749/rpcbind
udp 0 0 localhost:323 0.0.0.0:* 801/chronyd
udp6 0 0 [::]:922 [::]:* 749/rpcbind
udp6 0 0 [::]:sunrpc [::]:* 749/rpcbind
udp6 0 0 localhost:323 [::]:* 801/chronyd

查看服务

[root@localhost etc]# ll -a /etc/systemd/system/
总用量 12
drwxr-xr-x. 20 root root 4096 3月 18 19:24 .
drwxr-xr-x. 4 root root 151 3月 19 03:08 ..
drwxr-xr-x. 2 root root 57 3月 19 03:10 basic.target.wants
drwxr-xr-x. 2 root root 31 3月 19 03:08 bluetooth.target.wants
lrwxrwxrwx. 1 root root 41 3月 19 03:08 dbus-org.bluez.service -> /usr/lib/systemd/system/bluetooth.service
lrwxrwxrwx. 1 root root 44 3月 19 03:10 dbus-org.freedesktop.Avahi.service -> /usr/lib/systemd/system/avahi-daemon.service
lrwxrwxrwx. 1 root root 44 3月 19 03:10 dbus-org.freedesktop.ModemManager1.service -> /usr/lib/systemd/system/ModemManager.service
lrwxrwxrwx. 1 root root 57 3月 19 03:08 dbus-org.freedesktop.nm-dispatcher.service -> /usr/lib/systemd/system/NetworkManager-dispatcher.service
lrwxrwxrwx. 1 root root 36 3月 19 03:13 default.target -> /lib/systemd/system/graphical.target
drwxr-xr-x. 2 root root 87 3月 19 03:08 default.target.wants
drwxr-xr-x. 2 root root 38 3月 19 03:10 dev-virtio\x2dports-org.qemu.guest_agent.0.device.wants
lrwxrwxrwx. 1 root root 35 3月 19 03:09 display-manager.service -> /usr/lib/systemd/system/gdm.service
drwxr-xr-x. 2 root root 32 3月 19 03:08 getty.target.wants
drwxr-xr-x. 2 root root 133 3月 19 03:15 graphical.target.wants
drwxr-xr-x. 2 root root 35 3月 19 03:08 local-fs.target.wants
drwxr-xr-x. 2 root root 4096 3月 18 19:24 multi-user.target.wants
drwxr-xr-x. 2 root root 48 3月 19 03:08 network-online.target.wants
drwxr-xr-x. 2 root root 26 3月 19 03:09 printer.target.wants
drwxr-xr-x. 2 root root 24 3月 18 19:19 redis-sentinel.service.d
drwxr-xr-x. 2 root root 24 3月 18 19:19 redis.service.d
drwxr-xr-x. 2 root root 52 3月 19 03:09 remote-fs.target.wants
drwxr-xr-x. 2 root root 188 3月 19 03:10 sockets.target.wants
drwxr-xr-x. 2 root root 4096 3月 19 03:10 sysinit.target.wants
drwxr-xr-x. 2 root root 44 3月 19 03:08 system-update.target.wants
drwxr-xr-x. 2 root root 34 3月 19 03:09 timers.target.wants
drwxr-xr-x. 2 root root 29 3月 19 03:08 vmtoolsd.service.requires

历史命令

[root@localhost etc]# history 
ls
chmod +x /etc/rc.d/rc.local
cat /etc/rc.d/rc.local
vim /etc/rc.d/rc.local
echo flag{thisismybaby}
exit
netstat -atup
ls -a /etc/systemd/system/
ls -a /usr/lib/systemd/system
cd /usr/local/
ls
cd share/
ls
cd /etc/
ls
ls -a /usr/lib/systemd/system
ls -a /etc/systemd/system/
ll -a /etc/systemd/system/
history

可以发现还执行过 chmod +x 与 vim /etc/rc.d/rc.local 命令。该文件是开机自启脚本,很可能被用来做持久化,需要检查其内容。

查看账号

[root@localhost etc]# cat /etc/passwd |grep -v "nologin"
root:x:0:0:root:/root:/bin/bash
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
defend:x:1000:1000:defend:/home/defend:/bin/bash

# 该用户家目录的时间戳为 2024年3月18 20:26,据此推断该用户大约在此时创建
[root@localhost defend]# cd /home/defend/
[root@localhost defend]# ll -a
总用量 36
drwx------. 15 defend defend 4096 3月 18 20:26 .
drwxr-xr-x. 3 root root 20 3月 19 03:13 ..
-rw-------. 1 defend defend 8 3月 18 20:26 .bash_history
-rw-r--r--. 1 defend defend 18 4月 1 2020 .bash_logout
-rw-r--r--. 1 defend defend 193 4月 1 2020 .bash_profile
-rw-r--r--. 1 defend defend 231 4月 1 2020 .bashrc
drwx------. 15 defend defend 4096 3月 19 10:17 .cache
drwxr-xr-x. 14 defend defend 261 3月 19 03:16 .config
drwx------. 3 defend defend 25 3月 19 03:15 .dbus
-rw-r--r--. 1 root root 77 3月 18 19:45 dump.rdb
-rw-------. 1 defend defend 16 3月 19 03:15 .esd_auth
-rw-------. 1 defend defend 310 3月 19 03:15 .ICEauthority
drwx------. 3 defend defend 19 3月 19 03:15 .local
drwxr-xr-x. 4 defend defend 39 3月 19 03:07 .mozilla
drwxr-xr-x. 2 defend defend 6 3月 19 03:15 公共
drwxr-xr-x. 2 defend defend 6 3月 19 03:15 模板
drwxr-xr-x. 2 defend defend 6 3月 19 03:15 视频
drwxr-xr-x. 2 defend defend 6 3月 19 03:15 图片
drwxr-xr-x. 2 defend defend 6 3月 19 03:15 文档
drwxr-xr-x. 2 defend defend 6 3月 19 03:15 下载
drwxr-xr-x. 2 defend defend 6 3月 19 03:15 音乐
drwxr-xr-x. 3 defend defend 20 3月 19 10:17 桌面

看该用户相关文件

[root@localhost defend]# ll -a
总用量 36
drwx------. 15 defend defend 4096 3月 18 20:26 .
drwxr-xr-x. 3 root root 20 3月 19 03:13 ..
-rw-------. 1 defend defend 8 3月 18 20:26 .bash_history
-rw-r--r--. 1 defend defend 18 4月 1 2020 .bash_logout
-rw-r--r--. 1 defend defend 193 4月 1 2020 .bash_profile
-rw-r--r--. 1 defend defend 231 4月 1 2020 .bashrc
drwx------. 15 defend defend 4096 3月 19 10:17 .cache
drwxr-xr-x. 14 defend defend 261 3月 19 03:16 .config
drwx------. 3 defend defend 25 3月 19 03:15 .dbus
-rw-r--r--. 1 root root 77 3月 18 19:45 dump.rdb
-rw-------. 1 defend defend 16 3月 19 03:15 .esd_auth
-rw-------. 1 defend defend 310 3月 19 03:15 .ICEauthority
drwx------. 3 defend defend 19 3月 19 03:15 .local
drwxr-xr-x. 4 defend defend 39 3月 19 03:07 .mozilla
drwxr-xr-x. 2 defend defend 6 3月 19 03:15 公共
drwxr-xr-x. 2 defend defend 6 3月 19 03:15 模板
drwxr-xr-x. 2 defend defend 6 3月 19 03:15 视频
drwxr-xr-x. 2 defend defend 6 3月 19 03:15 图片
drwxr-xr-x. 2 defend defend 6 3月 19 03:15 文档
drwxr-xr-x. 2 defend defend 6 3月 19 03:15 下载
drwxr-xr-x. 2 defend defend 6 3月 19 03:15 音乐
drwxr-xr-x. 3 defend defend 20 3月 19 10:17 桌面
[root@localhost defend]# cat .bash_history
history
[root@localhost defend]# cat dump.rdb
REDIS0007� redis-ver3.2.12�
redis-bits�@�ctime�l)�eused-mem°�
���,���

此文件头 REDIS0007 与 redis-ver3.2.12 是 redis 持久化文件(dump.rdb)的指纹,结合上方 /etc/systemd/system/ 中的 redis.service.d 目录,可得本机存在 redis 服务(netstat 输出中未见 redis 监听端口,说明取证时该服务并未运行)。另外该 dump.rdb 属主为 root 却位于普通用户家目录,本身就是可疑点。

分析开机自启程序

[root@localhost etc]# cat /etc/rc.d/rc*
cat: /etc/rc.d/rc0.d: 是一个目录
cat: /etc/rc.d/rc1.d: 是一个目录
cat: /etc/rc.d/rc2.d: 是一个目录
cat: /etc/rc.d/rc3.d: 是一个目录
cat: /etc/rc.d/rc4.d: 是一个目录
cat: /etc/rc.d/rc5.d: 是一个目录
cat: /etc/rc.d/rc6.d: 是一个目录
#!/bin/bash
# THIS FILE IS ADDED FOR COMPATIBILITY PURPOSES
#
# It is highly advisable to create own systemd services or udev rules
# to run scripts during boot instead of using this file.
#
# In contrast to previous versions due to parallel execution during boot
# this script will NOT be run after all other services.
#
# Please note that you must run 'chmod +x /etc/rc.d/rc.local' to ensure
# that this script will be executed during boot.
# flag{kfcvme50}
touch /var/lock/subsys/local

查看计划或定时任务

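# Scheduled-task persistence check.
# Kept as a plain listing (no set -e): each location is read independently,
# so a missing file in one place does not hide findings in another.
cat /etc/crontab
cat /etc/cron.d/*
# All users' crontabs, not only root's -- a non-root account
# (e.g. 'defend' from /etc/passwd) can carry a persistence job too.
cat /var/spool/cron/*
# Periodic job directories and anacron entries.
ls -la /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly
cat /etc/anacrontab
# systemd timers are a scheduled-execution channel that cron-only checks miss.
systemctl list-timers --all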

Redis应急响应

[root@localhost defend]# find / -name redis*
find: ‘/proc/3456’: 没有那个文件或目录
/sys/fs/selinux/booleans/redis_enable_notify
/etc/logrotate.d/redis
/etc/systemd/system/redis-sentinel.service.d
/etc/systemd/system/redis.service.d
/etc/selinux/targeted/active/modules/100/redis
/etc/redis.conf
/etc/redis-sentinel.conf
/var/lib/redis
/var/log/redis
/var/log/redis/redis.log
/usr/bin/redis-benchmark
/usr/bin/redis-check-aof
/usr/bin/redis-check-rdb
/usr/bin/redis-cli
/usr/bin/redis-sentinel
/usr/bin/redis-server
/usr/lib/systemd/system/redis-sentinel.service
/usr/lib/systemd/system/redis.service
/usr/lib/python2.7/site-packages/sos/plugins/redis.py
/usr/lib/python2.7/site-packages/sos/plugins/redis.pyc
/usr/lib/python2.7/site-packages/sos/plugins/redis.pyo
/usr/lib/firewalld/services/redis.xml
/usr/share/doc/redis-3.2.12
/usr/share/licenses/redis-3.2.12
/usr/share/augeas/lenses/dist/redis.aug
/usr/share/man/man1/redis-benchmark.1.gz
/usr/share/man/man1/redis-check-aof.1.gz
/usr/share/man/man1/redis-check-rdb.1.gz
/usr/share/man/man1/redis-cli.1.gz
/usr/share/man/man1/redis-sentinel.1.gz
/usr/share/man/man1/redis-server.1.gz
/usr/share/man/man5/redis-sentinel.conf.5.gz
/usr/share/man/man5/redis.conf.5.gz
/usr/libexec/redis-shutdown


[root@localhost defend]# more /etc/redis.conf
flag{P@ssW0rd_redis}

# 查看一下有没有设置密码
[root@localhost defend]# cat /etc/redis.conf |grep requirepass
# If the master is password protected (using the "requirepass" configuration
# requirepass foobared

# 并且 bind 0.0.0.0 监听所有网卡,又没有设置密码,怀疑存在未授权访问。接着查看 redis 日志
[root@localhost defend]# cat /etc/redis.conf |grep bind
# By default, if no "bind" configuration directive is specified, Redis listens
# the "bind" configuration directive, followed by one or more IP addresses.
# bind 192.168.1.100 10.0.0.1
# bind 127.0.0.1 ::1
# internet, binding to all the interfaces is dangerous and will expose the
# following bind directive, that will force Redis to listen only into
bind 0.0.0.0
# 1) The server is not binding explicitly to a set of addresses using the
# "bind" directive.
# are explicitly listed using the "bind" directive.

# 查看日志
[root@localhost defend]# cat /var/log/redis/redis.log |grep Acc
11111:M 18 Mar 19:27:54.895 - Accepted 127.0.0.1:41590
11595:M 18 Mar 19:27:57.321 - Accepted 192.168.75.129:54766
11595:M 18 Mar 19:39:31.996 - Accepted 192.168.75.129:53104
11595:M 18 Mar 19:39:34.052 - Accepted 192.168.75.129:57672
11595:M 18 Mar 19:44:53.399 - Accepted 127.0.0.1:41594
12234:M 18 Mar 19:47:02.153 - Accepted 192.168.75.129:45240
12234:M 18 Mar 19:47:03.612 - Accepted 192.168.75.129:53124
12234:M 18 Mar 19:53:40.994 - Accepted 127.0.0.1:41596
12559:M 18 Mar 19:53:45.397 - Accepted 192.168.75.129:44572
12559:M 18 Mar 19:53:46.807 - Accepted 192.168.75.129:44582
12559:M 18 Mar 20:20:57.221 - Accepted 127.0.0.1:41598
13274:M 18 Mar 20:21:56.411 - Accepted 192.168.75.129:54826
13274:M 18 Mar 20:21:58.333 - Accepted 192.168.75.129:54836

系统应急响应

# Successful SSH logins from /var/log/secure: date (month, day, time), user, source IP.
# Field positions follow the classic syslog line
# "Mon DD HH:MM:SS host sshd[pid]: Accepted <method> for <user> from <ip> port <n> ssh2".
awk '/Accepted /{print $1, $2, $3, $9, $11}' /var/log/secure
# last