1.登录
账号:defend
密码:defend
2.打开终端,查看history
1 ls
2 chmod +x /etc/rc.d/rc.local
3 cat /etc/rc.d/rc.local
4 vim /etc/rc.d/rc.local
5 echo flag{thisismybaby}
6 exit
7 ls
8 history
得到第一个flag
flag{thisismybaby}
3.查看修改后的rc.local
#!/bin/bash
# THIS FILE IS ADDED FOR COMPATIBILITY PURPOSES
#
# It is highly advisable to create own systemd services or udev rules
# to run scripts during boot instead of using this file.
#
# In contrast to previous versions due to parallel execution during boot
# this script will NOT be run after all other services.
#
# Please note that you must run 'chmod +x /etc/rc.d/rc.local' to ensure
# that this script will be executed during boot.
flag{kfcvme50}
touch /var/lock/subsys/local
得到第二个flag
flag{kfcvme50}
4.端口、进程排查
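# Network and process triage: list sockets together with the process that owns
# them, then review the process table and the top CPU consumers.
# Each command is an independent query; the tools report their own failures, so
# no `set -e` here (a missing netstat would otherwise abort the remaining checks).

# -a all sockets, -n numeric addresses, -t TCP, -l listening, -p owning PID/program.
# What to look for: listeners on unexpected ports, or owned by a process/user that
# has no business listening (an interpreter, a binary under /tmp, a non-service user).
if command -v netstat >/dev/null 2>&1; then
  netstat -antlp | more
else
  ss -antlp | more   # iproute2 replacement for netstat; same flag meanings
fi

# Full process list (BSD syntax). `ps -aux` with a dash mixes BSD and SysV option
# styles and is only accepted for backwards compatibility.
ps aux

# Interactive view sorted by CPU usage, with full command lines (-c) so a renamed
# or long-argument process is visible.
top -c -o %CPU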
5.开机启动项查看
rc.local(此时又绕回了开始)
6.查看是否存在可疑用户
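# Account review. Print the whole file for the record, then pull out the two
# classes of entry that matter most in an intrusion check:
#   * any account other than root with UID 0 (full privilege under another name)
#   * any account with an interactive login shell (service accounts should be
#     /sbin/nologin or /bin/false)
# Each query is independent and reports its own errors, so no `set -e`.

#######################################
# Print suspicious entries from a passwd(5)-format file.
# Arguments: $1 - path to the file (default /etc/passwd)
# Outputs:   "uid0: <entry>"  for UID-0 accounts whose name is not root
#            "shell: <entry>" for accounts whose shell does not end in nologin/false
# Returns:   awk's exit status (non-zero if the file cannot be read)
#######################################
flag_passwd_entries() {
  local passwd_file=${1:-/etc/passwd}
  awk -F: '
    $3 == 0 && $1 != "root"  { print "uid0: "  $0 }
    $7 !~ /(nologin|false)$/ { print "shell: " $0 }
  ' "$passwd_file"
}

cat -- /etc/passwd
flag_passwd_entries /etc/passwd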
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
libstoragemgmt:x:998:996:daemon account for libstoragemgmt:/var/run/lsm:/sbin/nologin
colord:x:997:995:User for colord:/var/lib/colord:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
saned:x:996:993:SANE scanner daemon user:/usr/share/sane:/sbin/nologin
saslauth:x:995:76:Saslauthd user:/run/saslauthd:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
setroubleshoot:x:994:991::/var/lib/setroubleshoot:/sbin/nologin
rtkit:x:172:172:RealtimeKit:/proc:/sbin/nologin
pulse:x:171:171:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
chrony:x:993:988::/var/lib/chrony:/sbin/nologin
unbound:x:992:987:Unbound DNS resolver:/etc/unbound:/sbin/nologin
radvd:x:75:75:radvd user:/:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
geoclue:x:991:985:User for geoclue:/var/lib/geoclue:/sbin/nologin
qemu:x:107:107:qemu user:/:/sbin/nologin
gluster:x:990:984:GlusterFS daemons:/run/gluster:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
gnome-initial-setup:x:989:983::/run/gnome-initial-setup/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
defend:x:1000:1000:defend:/home/defend:/bin/bash
redis:x:988:982:Redis Database Server:/var/lib/redis:/sbin/nologin
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
libstoragemgmt:x:998:996:daemon account for libstoragemgmt:/var/run/lsm:/sbin/nologin
colord:x:997:995:User for colord:/var/lib/colord:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
saned:x:996:993:SANE scanner daemon user:/usr/share/sane:/sbin/nologin
saslauth:x:995:76:Saslauthd user:/run/saslauthd:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
setroubleshoot:x:994:991::/var/lib/setroubleshoot:/sbin/nologin
rtkit:x:172:172:RealtimeKit:/proc:/sbin/nologin
pulse:x:171:171:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
chrony:x:993:988::/var/lib/chrony:/sbin/nologin
unbound:x:992:987:Unbound DNS resolver:/etc/unbound:/sbin/nologin
radvd:x:75:75:radvd user:/:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
geoclue:x:991:985:User for geoclue:/var/lib/geoclue:/sbin/nologin
qemu:x:107:107:qemu user:/:/sbin/nologin
gluster:x:990:984:GlusterFS daemons:/run/gluster:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
gnome-initial-setup:x:989:983::/run/gnome-initial-setup/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
avahi:x:70:70:Avahi mDNS/DNS-SD Stack:/var/run/avahi-daemon:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
defend:x:1000:1000:defend:/home/defend:/bin/bash
redis:x:988:982:Redis Database Server:/var/lib/redis:/sbin/nologin
7.定时任务查看
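# Scheduled-task review. `crontab -l` only shows the current user's crontab;
# persistence can also live in the system-wide cron locations and in systemd
# timers, so list all of them. Each command is an independent query (no `set -e`):
# a missing directory or "no crontab for root" must not stop the remaining checks.
crontab -l
ls -alsh -- /var/spool/cron/      # per-user crontabs, every user
cat -- /etc/crontab               # system crontab
ls -alsh -- /etc/cron.d/ /etc/cron.hourly/ /etc/cron.daily/ /etc/cron.weekly/ /etc/cron.monthly/
# systemd timers; absent on non-systemd hosts, hence the deliberate `|| true`
systemctl list-timers --all 2>/dev/null || true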
ls -alsh /var/spool/cron/
[root@localhost log]# crontab -l
no crontab for root
[root@localhost log]# ls -alsh /var/spool/cron
总用量 0
0 drwx------. 2 root root 6 8月 9 2019 .
0 drwxr-xr-x. 12 root root 140 3月 19 2024 ..
ls -alsh /var/spool/cron/
[root@localhost log]# crontab -l
no crontab for root
[root@localhost log]# ls -alsh /var/spool/cron
总用量 0
0 drwx------. 2 root root 6 8月 9 2019 .
0 drwxr-xr-x. 12 root root 140 3月 19 2024 ..
8.异常文件查询
如/tmp目录下的隐藏文件
ssh密钥等
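# List the SSH directory whose authorized_keys controls root logins.
# A space is required before the path: `ls -alsh/.ssh` is parsed as one option
# cluster and fails with "invalid option -- '/'".
# -a dotfiles, -l long format (mode/owner/mtime), -s allocated size, -h human units.
ls -alsh -- /.ssh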
发现ssh存在authorized_keys
查看文件详细信息
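# Metadata of the key file that controls who may log in as root over SSH.
# Compare the timestamps: Modify (mtime) is the content change and can be
# back-dated with touch/utimes; Change (ctime) is the inode change and cannot be
# set from userland, so an mtime far older than ctime suggests tampering with
# the timestamp itself. Then print the keys so the injected entry can be
# identified (unfamiliar comment field or key material).
stat -- /.ssh/authorized_keys
cat -- /.ssh/authorized_keys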
发现文件被修改,时间:20:22
ssh密钥等
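# List the SSH directory whose authorized_keys controls root logins; the path
# is required, otherwise only the current directory is listed and the
# authorized_keys entry described below is never seen.
# -a dotfiles, -l long format (mode/owner/mtime), -s allocated size, -h human units.
ls -alsh -- /.ssh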
发现ssh存在authorized_keys
查看文件详细信息
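# Metadata of the key file that controls who may log in as root over SSH.
# Compare the timestamps: Modify (mtime) is the content change and can be
# back-dated with touch/utimes; Change (ctime) is the inode change and cannot be
# set from userland, so an mtime far older than ctime suggests tampering with
# the timestamp itself. Then print the keys so the injected entry can be
# identified (unfamiliar comment field or key material).
stat -- /.ssh/authorized_keys
cat -- /.ssh/authorized_keys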
发现文件被修改,时间:20:22
9.日志排查
安全日志文件存放路径:/var/log/secure,是ssh登陆成功与否的一个安全日志
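# Count SSH source addresses in the auth log (/var/log/secure on RHEL/CentOS):
# successful logins, and failed password attempts against root (brute-force signal).
# Notes:
#   * only ASCII quotes are shell quotes; typographic “ ” ‘ ’ are passed to
#     grep/awk as literal characters and break the pipeline
#   * grep reads the file directly (no `cat file |`), using an absolute path so
#     the result does not depend on the current directory
#   * no `set -e`: grep exits 1 when nothing matches, which is a valid empty result

secure_log=${SECURE_LOG:-/var/log/secure}

#######################################
# Tally source IPs for auth-log lines containing a fixed string.
# Arguments: $1 - fixed string to match, e.g. "Accepted"
#            $2 - path to the auth log
# Outputs:   "<count> <ip>" per address, most frequent first.
#            The IP is field 11 of the standard sshd line
#            "Mon DD HH:MM:SS host sshd[pid]: Accepted|Failed password for USER from IP ...";
#            "invalid user X" lines shift the IP to field 13 and are not handled here.
# Returns:   exit status of the final sort (0 even when nothing matched)
#######################################
count_src_ips() {
  local needle=$1 logfile=$2
  grep -F -- "$needle" "$logfile" | awk '{print $11}' | sort | uniq -c | sort -nr
}

count_src_ips 'Accepted' "$secure_log"
count_src_ips 'Failed password for root' "$secure_log"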
进一步排查
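# Show when each failed root password attempt and each successful login happened
# (fields 1-3: month, day, time) together with its source IP (field 11), so the
# brute-force window can be lined up against the successful session.
# Only ASCII quotes are shell quotes; typographic “ ” ‘ ’ break the pipeline.
# grep reads the absolute log path directly; no `set -e`, since grep exits 1 on
# an empty (but valid) result.

secure_log=${SECURE_LOG:-/var/log/secure}

#######################################
# Print "Mon DD HH:MM:SS IP" for auth-log lines containing a fixed string.
# Arguments: $1 - fixed string to match
#            $2 - path to the auth log
# Outputs:   one line per matching log entry, in file order
# Returns:   exit status of awk
#######################################
auth_events() {
  local needle=$1 logfile=$2
  grep -F -- "$needle" "$logfile" | awk '{print $1,$2,$3,$11}'
}

auth_events 'Failed password for root' "$secure_log"
auth_events 'Accepted' "$secure_log"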
成功时间20:23,可以确定是黑客登录
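# Timestamp (fields 1-3) and source IP (field 11) of each failed root password
# attempt and each successful login. ASCII quotes only (typographic quotes are
# not shell quotes); grep reads the absolute log path directly; no `set -e`,
# since grep exits 1 on an empty but valid result.

secure_log=${SECURE_LOG:-/var/log/secure}

#######################################
# Print "Mon DD HH:MM:SS IP" for auth-log lines containing a fixed string.
# Arguments: $1 - fixed string to match
#            $2 - path to the auth log
# Outputs:   one line per matching log entry, in file order
# Returns:   exit status of awk
#######################################
auth_events() {
  local needle=$1 logfile=$2
  grep -F -- "$needle" "$logfile" | awk '{print $1,$2,$3,$11}'
}

auth_events 'Failed password for root' "$secure_log"
auth_events 'Accepted' "$secure_log"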
成功时间20:23,可以确定是黑客登录
10.命令替换查询
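# Check for replaced or trojaned binaries.
# 1) PATH: a writable or unexpected directory that comes before /usr/bin and
#    /usr/sbin (e.g. "." or something under /tmp) lets a planted file shadow the
#    real command.
# 2) rpm -V: verify every file under /usr/bin against the package database.
# Each command stands alone (no `set -e`): rpm exits non-zero whenever any file
# differs, which is the output we want to read, not an error to stop on.
printf '%s\n' "$PATH"
rpm -Vf /usr/bin/*

# Reading the rpm -V output (one line per changed file, "." = attribute unchanged):
#   S  file size differs
#   5  digest (MD5/SHA) differs
#   T  modification time differs
#   M  mode (permissions/type) differs
#   U  owner differs
#   G  group differs
#   L  symlink target differs
# A file that no package owns is reported as "not owned by any package" — such
# files under /usr/bin deserve a look of their own. See rpm(8) for the full legend.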
查看redis.conf
发现flag
flag{P@ssW0rd_redis}
排查redis漏洞条件
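# Redis exposure check. `bind` alone does not decide whether the instance is
# reachable without credentials: `protected-mode` (refuses remote clients when
# neither a bind address nor a password is configured) and `requirepass` matter
# too. Print the three directives together, including commented-out ones, since
# a commented `bind` means Redis listens on every interface.

#######################################
# Print the network/auth directives of a redis.conf, active or commented out.
# Arguments: $1 - path to redis.conf (default /etc/redis.conf)
# Outputs:   matching lines in file order
# Returns:   0 if anything matched, 1 if nothing did (grep semantics)
#######################################
redis_exposure_directives() {
  local conf=${1:-/etc/redis.conf}
  grep -E -- '^[[:space:]]*#?[[:space:]]*(bind|protected-mode|requirepass)[[:space:]]' "$conf"
}

redis_exposure_directives /etc/redis.conf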
发现符合redis未授权漏洞
查看恶意IP的访问日志
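# Pull every redis.log entry that mentions the suspected source address.
# The address is matched as a fixed string (-F) so its dots are literal rather
# than regex wildcards, and grep reads the file directly instead of via `cat |`.

#######################################
# Print Redis log lines containing an IP address.
# Arguments: $1 - address to search for (default: the address under investigation)
#            $2 - path to the Redis log (default /var/log/redis/redis.log)
# Outputs:   matching lines in file order
# Returns:   0 if anything matched, 1 if nothing did (grep semantics)
#######################################
redis_log_for_ip() {
  local ip=${1:-192.168.75.129} logfile=${2:-/var/log/redis/redis.log}
  grep -F -- "$ip" "$logfile"
}

redis_log_for_ip 192.168.75.129 /var/log/redis/redis.log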
11.溯源追踪
我们通过对linux登录日志分析,黑客从三月18日19:29:43开始进行了ssh爆破行为,持续到19:29:51
通过redis日志分析,黑客从三月18日19:27:57开始通过redis未授权访问,持续到20:21:58。
在异常文件中发现,root账户下的authorized_keys公钥于3月18日20:22:39被改动。
20:23:07,黑客通过ssh私钥经远程虚拟终端登录,持续时间两分钟。
最后,黑客通过修改开机启动文件/etc/rc.d/rc.local做了后门维持。