Background
Scenario: while watching the monitoring console you notice a webshell alert, and the boss sends you onto the box to investigate. Can you rescue this poor security-services grunt?!
Challenge tasks:
(1) Submit the attacker's IP: 192.168.20.1
(2) Submit the administrator password the attacker changed (plaintext): Network@2020
(3) Submit the URL of the first webshell connection: POST /index.php?user-app-register HTTP/1.1
(4) Submit the webshell connection password: Network2020
(5) Submit flag1 from the packet capture: flag1{Network@_2020_Hack}
(6) Submit the name of the trojan file the attacker uploaded afterwards: version2.php
(7) Submit the attacker's hidden flag2
(8) Submit the attacker's hidden flag3
Solution
First, review the host's login activity by pulling the successful-login records:
[root@web-server ~]# grep "Accepted " /var/log/secure* | awk '{print $1,$2,$3,$9,$11}'
/var/log/secure: 20 10:30:25 root 127.0.0.1
/var/log/secure:Mar 20 14:30:21 root 192.168.20.1
/var/log/secure:Mar 20 15:04:22 root 192.168.20.1
/var/log/secure:Mar 20 15:36:28 root 192.168.20.1
/var/log/secure:Mar 21 23:42:49 root 192.168.138.1
/var/log/secure:Mar 22 00:20:52 root 192.168.138.1
/var/log/secure:Mar 22 00:26:23 root 192.168.138.1
/var/log/secure:Apr 4 02:02:21 root 192.168.138.1
/var/log/secure:Apr 4 02:20:19 root 192.168.138.1
/var/log/secure-20240320:Mar 4 09:48:23 root 192.168.20.1
/var/log/secure-20240320:Mar 7 11:37:01 root 192.168.20.1
/var/log/secure-20240320:Mar 7 14:07:42 root 192.168.20.1
/var/log/secure-20240320:Mar 7 14:39:51 root 192.168.20.1
/var/log/secure-20240320:Mar 7 15:25:23 root 192.168.20.1
/var/log/secure-20240320:Mar 7 15:36:49 root 192.168.20.1
/var/log/secure-20240320:Mar 20 07:59:13 root 192.168.20.1
Among the successful logins, apart from my own workstation address, one source stands out: 192.168.20.1
Its successful logins fall on March 7 and March 20
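As an added example (not part of the original write-up), the triage the grep/awk pipeline above does by hand, done in Python: parse the `Accepted` lines, drop the analyst's own addresses, and group the remaining logins by source IP with user, auth method and timestamps. The log lines are constructed in the same shape as the page's output.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape `grep "Accepted " /var/log/secure*` prints
# (filename prefix, syslog timestamp, sshd message). Not the page's real log.
SAMPLE_LINES = """\
/var/log/secure:Mar 20 10:30:25 web-server sshd[2101]: Accepted password for root from 127.0.0.1 port 40122 ssh2
/var/log/secure:Mar 20 14:30:21 web-server sshd[2188]: Accepted password for root from 192.168.20.1 port 51230 ssh2
/var/log/secure:Mar 21 23:42:49 web-server sshd[2402]: Accepted password for root from 192.168.138.1 port 52011 ssh2
/var/log/secure-20240320:Mar 7 11:37:01 web-server sshd[1803]: Accepted password for root from 192.168.20.1 port 50021 ssh2
/var/log/secure-20240320:Mar 7 14:07:42 web-server sshd[1844]: Accepted publickey for root from 192.168.20.1 port 50344 ssh2
/var/log/secure-20240320:Mar 20 07:59:13 web-server sshd[2090]: Accepted password for root from 192.168.20.1 port 50999 ssh2
""".splitlines()

# One regex for the whole line: optional "file:" prefix, month/day/time, then the sshd message.
ACCEPTED_RE = re.compile(
    r"^(?:(?P<file>[^:\s]+):)?(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})"
    r"\s+\S+\s+sshd\[\d+\]:\s+Accepted\s+(?P<method>\S+)\s+for\s+(?P<user>\S+)"
    r"\s+from\s+(?P<ip>[\d.]+)\s+port\s+\d+"
)

def summarize_accepted(lines, known_ips):
    """Group successful SSH logins by source IP, skipping addresses the analyst
    already trusts (own workstation, loopback). Returns
    {ip: {"users": set, "dates": [...], "methods": set}} for the remaining IPs."""
    by_ip = defaultdict(lambda: {"users": set(), "dates": [], "methods": set()})
    for line in lines:
        m = ACCEPTED_RE.match(line)
        if not m:
            continue  # not an "Accepted" line in a shape we understand
        ip = m.group("ip")
        if ip in known_ips:
            continue
        entry = by_ip[ip]
        entry["users"].add(m.group("user"))
        entry["methods"].add(m.group("method"))
        entry["dates"].append(f"{m.group('month')} {m.group('day')} {m.group('time')}")
    return dict(by_ip)

if __name__ == "__main__":
    for ip, info in summarize_accepted(SAMPLE_LINES, {"127.0.0.1", "192.168.138.1"}).items():
        print(ip, sorted(info["users"]), sorted(info["methods"]), len(info["dates"]), "logins")
        for stamp in info["dates"]:
            print("   ", stamp)
```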
Among the files on the machine there is a packet capture; after downloading it, open it in Wireshark.
Following the HTTP streams in the capture turns up the first flag:
flag1{Network@_2020_Hack}
Besides the file above, the attacker also requested index.php?user-app-register and version2.php.
Following those streams in the same way shows the characteristic AntSword (蚁剑) request pattern.
Other responses contain the output of executed commands, including a listing of the current directory.
With the http filter applied, the first matching packet is the first successful webshell connection:
POST /index.php?user-app-register HTTP/1.1
From the same traffic, /www/wwwroot/127.0.0.1 appears to be the web root.
The last packet contains the AntSword upload traffic.
The second task asks for the administrator's password. It does not appear in the capture, so look for the application's configuration file on the server:
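An added example, not from the original write-up: the manual stream-following above, reduced to a script that walks HTTP requests in capture order and reports the first webshell control request and its connection password. It assumes the AntSword PHP request shape, in which the connection password is the POST parameter whose value begins with `@ini_set("display_errors", "0")`, and the tool's default `antSword/` User-Agent; the requests are constructed, not the page's capture.

```python
from urllib.parse import parse_qs

# Constructed HTTP requests in the shape Wireshark's "Follow HTTP stream" shows.
# Not the page's real capture. The first is an ordinary form post; the second and
# third carry an AntSword-style PHP preamble as the value of the parameter named
# after the connection password (the second argument is a constructed base64 blob).
SAMPLE_REQUESTS = [
    "POST /index.php?user-app-login HTTP/1.1\r\nHost: 127.0.0.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "username=zgsf&password=xxx",
    "POST /index.php?user-app-register HTTP/1.1\r\nHost: 127.0.0.1\r\nUser-Agent: antSword/v2.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "Network2020=%40ini_set%28%22display_errors%22%2C+%220%22%29%3B%40set_time_limit%280%29%3B"
    "function+asenc%28%24out%29%7Breturn+%24out%3B%7D%3B&q1b2c3=L3d3dy93d3dyb290LzEyNy4wLjAuMQ%3D%3D",
    "POST /version2.php HTTP/1.1\r\nHost: 127.0.0.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "Network2020=%40ini_set%28%22display_errors%22%2C+%220%22%29%3B",
]

# Markers that indicate an AntSword PHP webshell request rather than normal form traffic.
PHP_PREAMBLE = '@ini_set("display_errors", "0")'
ANTSWORD_UA = "antsword"

def classify_request(raw):
    """Return (request_line, password_param) if the body looks like a webshell
    control request, else None. password_param is the form field whose value is
    PHP code, i.e. the webshell connection password (None if only the UA matched)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_line = lines[0]
    headers = {k.strip().lower(): v.strip() for k, _, v in (h.partition(":") for h in lines[1:])}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        if any(v.lstrip().startswith(PHP_PREAMBLE) for v in values):
            return request_line, name
    if ANTSWORD_UA in headers.get("user-agent", "").lower():
        return request_line, None  # tool UA present but body uses another encoder
    return None

def first_webshell_connection(requests):
    """Walk requests in capture order and return the first webshell hit."""
    for raw in requests:
        hit = classify_request(raw)
        if hit:
            return hit
    return None

if __name__ == "__main__":
    print(first_webshell_connection(SAMPLE_REQUESTS))
```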
/** API encryption settings **/
define('APIKEY','356d9abc2532ceb0945b615a922c3370');
define('APIIV','#phpems90iv*');
/** composer switch **/
define('COMPOSER',0);
/** Database settings */
define('SQLDEBUG',0);
define('DB','kaoshi');//MySQL database name
define('DH','127.0.0.1');//MySQL host name, no need to change
define('DU','kaoshi');//MySQL database user name
define('DP','5Sx8mK5ieyLPb84m');//MySQL database user password
define('DTH','x2_');//system table prefix, no need to change
/** WeChat-related settings */
This gives the database account kaoshi with password 5Sx8mK5ieyLPb84m; log in to the database and look at the user table:
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| kaoshi |
+--------------------+
2 rows in set (0.01 sec)
mysql> use kaoshi;
Database changed
mysql> show tables;
+---------------------+
| Tables_in_kaoshi |
+---------------------+
| ... (omitted) |
| x2_user |
| x2_user_group |
| x2_wxlogin |
+---------------------+
61 rows in set (0.00 sec)
mysql> select * from x2_user;
+--------+------------+-------------+-----------------+----------------+----------------------------------+----------+-------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------+------------+------------+
| userid | useropenid | userunionid | username | useremail | userpassword | usercoin | userregip useranswer | manager_apps | userphoto | userstatus | normal_sfz |
+--------+------------+-------------+-----------------+----------------+----------------------------------+----------+-------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------+------------+------------+
| 1 | | NULL | peadmin | 958074@163.com | f6f6eb5ace977d7e114377cc7098b7e3 | 279 | 127.0.0.1 NULL | a:7:{i:0;s:4:"user";i:1;s:7:"content";i:2;s:4:"exam";i:3;s:8:"document";i:4;s:6:"course";i:5;s:4:"bank";i:6;s:8:"auto | files/attach/images/content/20230802/16909740072788.jpg | 3 | |
| 2 | | NULL | 教师管理员 | 958074@126.com | 96e79218965eb72c92a549dd5a330112 | 98 | 127.0.0.1 NULL | i:2;s:1:"5";i:3;s:1:"4";i:4;s:1:"3";i:5;s:1:"1";i:6;s:1:"2";i:7;s:2:"17";i:8;s:2:"15";i:9;s:2:"16";i:10;s:2:"18";i:11;s:2:"19";i:12 | | 3 | |
| 3 | | | zgsf | zgsf@Admin.com | af0c68603004a1b5af4d87a71a813057 | 0 | 192.168.20.1 | | | 0 | |
| 4 | | | zgsfAdmin | zgsf@zgsf.com | ed2b3e3ce2425550d8bfdea8b80cc89a | 0 | 192.168.20.1 | | | 0 | |
+--------+------------+-------------+-----------------+----------------+----------------------------------+----------+-------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------+------------+------------+
4 rows in set (0.02 sec)
The user peadmin has the password hash f6f6eb5ace977d7e114377cc7098b7e3; running it through an online hash-lookup site yields Network@2020.
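An added example, not from the original write-up: instead of pasting hashes into a lookup site, an offline audit of the x2_user dump that parses the mysql table, checks each account against a small constructed wordlist (assuming unsalted MD5, which the online lookup implies) and flags accounts registered from the attacker's IP. The dump is a constructed excerpt keeping only the relevant columns.

```python
import hashlib

# Constructed excerpt of the x2_user dump in the shape the `mysql` client prints it,
# reduced to the columns that matter here (the page's full output has many more).
SAMPLE_DUMP = """\
+--------+------------+----------------------------------+--------------+
| userid | username   | userpassword                     | userregip    |
+--------+------------+----------------------------------+--------------+
|      1 | peadmin    | f6f6eb5ace977d7e114377cc7098b7e3 | 127.0.0.1    |
|      2 | 教师管理员 | 96e79218965eb72c92a549dd5a330112 | 127.0.0.1    |
|      3 | zgsf       | af0c68603004a1b5af4d87a71a813057 | 192.168.20.1 |
|      4 | zgsfAdmin  | ed2b3e3ce2425550d8bfdea8b80cc89a | 192.168.20.1 |
+--------+------------+----------------------------------+--------------+
"""

# Small constructed wordlist standing in for the online lookup service the write-up used.
WORDLIST = ["123456", "111111", "admin", "Network@2020", "kaoshi"]

def parse_mysql_table(text):
    """Turn a `mysql` CLI result table into a list of dicts keyed by header name."""
    rows = [line for line in text.splitlines() if line.startswith("|")]
    cells = lambda line: [c.strip() for c in line.strip().strip("|").split("|")]
    header = cells(rows[0])
    return [dict(zip(header, cells(r))) for r in rows[1:]]

def audit_users(dump, attacker_ips, wordlist):
    """For each account: was it registered from an attacker IP, and does its
    unsalted MD5 fall to the wordlist? Returns {username: (from_attacker_ip, cracked_or_None)}."""
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    result = {}
    for row in parse_mysql_table(dump):
        result[row["username"]] = (row["userregip"] in attacker_ips,
                                   lookup.get(row["userpassword"].lower()))
    return result

if __name__ == "__main__":
    for user, (suspicious, cracked) in audit_users(SAMPLE_DUMP, {"192.168.20.1"}, WORDLIST).items():
        print(f"{user}: registered from attacker IP={suspicious}, cracked={cracked}")
```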
The remaining flags have to be found on the host itself.
Running history to review the command history shows that flag3 was written into an environment variable and that alinotify.php was modified.
Checking what was done to that file reveals the last flag:
[root@web-server .api]# cat alinotify.php
<?php
namespace PHPEMS;
/*
 * Created on 2013-12-26
 *
 * To change the template for this generated file go to
 * Window - Preferences - PHPeclipse - PHP - Code Templates
 */
define('PEPATH',dirname(dirname(__FILE__)));
class app
{
    public $G;
    public function __construct()
    {
        $this->ev = \PHPEMS\ginkgo::make('ev');
        $this->order = \PHPEMS\ginkgo::make('orders','bank');
    }
    public function run()
    {
        $alipay = \PHPEMS\ginkgo::make('alipay');
        $orderid = $this->ev->get('out_trade_no');
        $order = $this->order->getOrderById($orderid);
        $verify_result = $alipay->alinotify();
        if($verify_result)
        {
            if($this->ev->get('trade_status') == 'TRADE_FINISHED' ||$this->ev->get('trade_status') == 'TRADE_SUCCESS')
            {
                if($order['orderstatus'] != 2)
                {
                    $this->order->payforOrder($orderid,'alipay');
                }
                exit('sucess');
            }
            elseif($_POST['trade_status'] == 'WAIT_BUYER_PAY')
            {
                exit('fail');
            }
            else
            {
                exit('fail');
            }
        }
        else
        {
            exit('fail');
        }
    }
}
include PEPATH.'/lib/init.cls.php';
$app = new app(new ginkgo);
$app->run();
$flag2 = "flag{bL5Frin6JVwVw7tJBdqXlHCMVpAenXI9In9}";
?>