原文链接:http://www.weibo.com/p/1001603835206674039802
ALICTF(http://www.alictf.com/)中我设计了四道题目,一道Nagios插件NRPE的漏洞,一道ActiveMQjmx的漏洞,一道nconf加cacti提权的漏洞,最后一道就是这篇文章写的zookeeper提权的题目,本题目一共设计了四关。
第一关从zookeeper获取压缩文件、第二关解压获取到key、第三关获取admin ssh的key,第四关进行提权操作,最后拿到Flag。
本篇文章讲解两个部分:
A. 题目设计
B. 题目解题思路
0x01配置docker环境
1. docker安装
参考第一篇Docker恶意软件分析系列之初识
Docker(http://weibo.com/p/230418e8e60bc00102vl37)
2. 选择操作系统
操作系统选择centos 6.5
docker pull centos:6
0x02搭建zookeeper环境
1. 新建docker镜像
为了不破坏基础镜像我们需要新建一个docker镜像
docker run -it centos:centos6 /bin/bash
docker commit 7e2efe536336 zk
我们所有的操作在zk上即可。
3. zookeeper配置
a) 进入zk镜像
docker run -it zk /bin/bash
b) 安装jdk
yum install -y java-1.7.0-openjdk.x86_64
c) 创建zk用户
useradd zk
d) 切换到zk配置相关信息
su – zk
vi .bash_profile
增加
export JAVA_HOME="/usr/lib/jvm/jre-1.7.0-openjdk.x86_64/"
export PATH=$PATH:$JAVA_HOME/bin
e) 安装配置zookeeper
1. wget http://www.eu.apache.org/dist/zookeeper/zookeeper-3.4.6/zookeeper-3.4.6.tar.gz
2. tar xvzf zookeeper-3.4.6.tar.gz
3. cd zookeeper-3.4.6
4. mv conf/zoo_sample.cfg conf/zoo.cfg
5. vi ~zk/.bash_profile
增加内容:
export ZOOKEEPER_HOME=/home/zk/zookeeper-3.4.6
export PATH=$PATH:$ZOOKEEPER_HOME/bin:$ZOOKEEPER_HOME/conf
6. . ~zk/.bash_profile
f) 启动
zkServer.sh start
0x03题目环境部署
1. 配置ssh-key
注:此操作在自己的笔记本上进行操作,并且私钥不能传到服务器
ssh-keygen -t rsa
2. zlib库压缩ssh私钥
package com.nuwa;
import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.FileReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.ConnectException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;
import java.util.zip.Deflater;
import java.util.zip.DeflaterOutputStream;
import java.util.zip.InflaterInputStream;
import org.apache.zookeeper.*;
import org.apache.commons.*;
// nuwa zookeeper利用代码 cnbird@alibaba
public class nuwaZookeeper {
public static final int SESSION_TIMEOUT = 30000;
public static ZooKeeper zooKeeper;
/**
* Compresses a file with zlib compression.
*/
public static void compressFile(File raw, File compressed)
throws IOException
{
InputStream in = new FileInputStream(raw);
OutputStream out =
new DeflaterOutputStream(new FileOutputStream(compressed));
shovelInToOut(in, out);
in.close();
out.close();
}
/**
* Decompresses a zlib compressed file.
*/
public static void decompressFile(File compressed, File raw)
throws IOException
{
InputStream in =
new InflaterInputStream(new FileInputStream(compressed));
OutputStream out = new FileOutputStream(raw);
shovelInToOut(in, out);
in.close();
out.close();
}
/**
* Shovels all data from an input stream to an output stream.
*/
private static void shovelInToOut(InputStream in, OutputStream out)
throws IOException
{
byte[] buffer = new byte[1000];
int len;
while((len = in.read(buffer)) > 0) {
out.write(buffer, 0, len);
}
}
public static void main(String[] args) throws IOException {
// TODO Auto-generated method stub
nuwaZookeeper nz = new nuwaZookeeper();
nz.compressFile(new File("/Users/cnbird/Documents/alibaba/alictf/testkey/testkey"), new File("/Users/cnbird/Documents/alibaba/alictf/testkey/testkey.compress"));
}
}
useradd admin
su - admin
mkdir ~admin/.ssh/
mv testkey.pub ~admin/.ssh/authorized_keys
4. 配置ssh
a). vi /etc/ssh/sshd_config
替换为:
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
b). service sshd restart
5. 测试ssh证书登陆
chown admin.admin testkey
chown 600 testkey
ssh -i testkey [email protected]
a) docker必须开启ssh服务
b) docker的ip使用dockerinspect即可获取
6. 上传压缩的ssh证书到zookeeper
a) 设置zookeeper路径
zkCli.sh
create /ALICTF "ALICTF"
package com.nuwa;
import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.FileReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.ConnectException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;
import java.util.zip.Deflater;
import java.util.zip.DeflaterOutputStream;
import java.util.zip.InflaterInputStream;
import org.apache.zookeeper.*;
import org.apache.commons.*;
// nuwa zookeeper利用代码 cnbird@alibaba
public class nuwaZookeeper {
public static final int SESSION_TIMEOUT = 30000;
public static ZooKeeper zooKeeper;
public static void getFile(byte[] bfile, String filePath,String fileName) {
BufferedOutputStream bos = null;
FileOutputStream fos = null;
File file = null;
try {
File dir = new File(filePath);
if(!dir.exists()&&dir.isDirectory()){//判断文件目录是否存在
dir.mkdirs();
}
file = new File(filePath+"\\"+fileName);
fos = new FileOutputStream(file);
bos = new BufferedOutputStream(fos);
bos.write(bfile);
} catch (Exception e) {
e.printStackTrace();
} finally {
if (bos != null) {
try {
bos.close();
} catch (IOException e1) {
e1.printStackTrace();
}
}
if (fos != null) {
try {
fos.close();
} catch (IOException e1) {
e1.printStackTrace();
}
}
}
}
/**
* 获取节点的信息
* @param path
* @throws KeeperException
* @throws InterruptedException
*/
public void getChild(String path) throws KeeperException, InterruptedException{
try {
List<String> children = this.zooKeeper.getChildren(path, false);
if (children.isEmpty()) {
System.out.printf("没有节点在%s中.", path);
return;
}else{
System.out.printf("节点%s中存在的节点:\n", path);
for(String child: children){
System.out.println(child);
}
}
} catch (KeeperException.NoNodeException e) {
System.out.printf("%s节点不存在.", path);
throw e;
}
}
public byte[] getData(String path) throws KeeperException, InterruptedException {
return this.zooKeeper.getData(path, false,null);
}
private static Watcher watcher = new Watcher() {
public void process(WatchedEvent event) {
return;
}
};
public static void main(String[] args) throws IOException {
// TODO Auto-generated method stub
String path = "/ALICTF/Server/Host/ZookeeperHost/Key/SSHPrivKey";
nuwaZookeeper nz = new nuwaZookeeper();
zooKeeper = new ZooKeeper("192.168.42.9:2181",SESSION_TIMEOUT,watcher);
try {
Path comPath = Paths.get("/alictf/testkey.compress");
byte[] data = Files.readAllBytes(comPath);
zooKeeper.setData(path,data,-1);
} catch (KeeperException e1) {
// TODO Auto-generated catch block
e1.printStackTrace();
} catch (InterruptedException e) {
// TODO Auto-generated catch block
Throwable e1 = null;
e1.printStackTrace();
}
}
}
编译并且上传到宿主机并且执行,我们可以看到压缩文件已经上传上去了。
1. wget http://forkbomb.org/ninja/src/ninja-0.1.3.tar.bz2
2. tar xjvf ninja-0.1.3.tar.bz2
3. make
4. make install
5. /usr/local/bin/ninja &
测试是否可以防御提权
切换到su – admin然后执行su – root可以看到直接禁止掉了。
Cmnd_Alias ALLOW = /usr/bin/perl,/usr/bin/python,/usr/bin/java,/usr/bin/id,/bin/uname,/usr/bin/nmap
Defaults requiretty
Defaults !visiblepw
Defaults always_set_home
Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
root ALL=(ALL) ALL
admin ALL=(ALL) NOPASSWD:ALLOW
9. 安装supervisord自动运行
yum install epel-release
yum install -y supervisor
配置supervisor
vi /etc/supervisord.conf
[program:openssh]
command=service sshd start
[program:rsyslog]
command=service rsyslog start
[program:zk]
command=/bin/bash -c "/home/zk/zookeeper-3.4.6/bin/zkServer.sh start-foreground"
user=zk
[program:ninja]
command=/usr/local/bin/ninja
10. 自动化运行测试
docker run -it -d=true zk /bin/bash -c "supervisord && /bin/bash"