膜拜下鸟哥的大作cnbird . mark.

Docker恶意软件分析系列V:ALICTF决赛题目设计

原文链接:http://www.weibo.com/p/1001603835206674039802

2015年4月24日 17:33 阅读 1554
0x00 简介
 

       ALICTF(http://www.alictf.com/)中我设计了四道题目,一道Nagios插件NRPE的漏洞,一道ActiveMQjmx的漏洞,一道nconf加cacti提权的漏洞,最后一道就是这篇文章写的zookeeper提权的题目,本题目一共设计了四关。

        第一关从zookeeper获取压缩文件、第二关解压获取到key、第三关获取admin ssh的key,第四关进行提权操作,最后拿到Flag。

       本篇文章讲解两个部分:

A.     题目设计

B.     题目解题思路

 0x01配置docker环境

1.     docker安装

参考第一篇Docker恶意软件分析系列之初识

Docker(http://weibo.com/p/230418e8e60bc00102vl37)

 2.     选择操作系统

操作系统选择centos 6.5

docker pull centos:6

 


膜拜下鸟哥的大作cnbird . mark.

 

0x02搭建zookeeper环境

1.     新建docker镜像

为了不破坏基础镜像我们需要新建一个docker镜像

docker run -it centos:centos6 /bin/bash

膜拜下鸟哥的大作cnbird . mark.

 

 

 
2.     保存docker镜像

 

docker commit 7e2efe536336 zk

 

我们所有的操作在zk上即可。 

3.     zookeeper配置 

a)    进入zk镜像

docker run -it zk /bin/bash

b)    安装jdk

yum install -y java-1.7.0-openjdk.x86_64

c)     创建zk用户

useradd zk

d)    切换到zk配置相关信息

su – zk

vi .bash_profile

增加

export JAVA_HOME="/usr/lib/jvm/jre-1.7.0-openjdk.x86_64/"

export PATH=$PATH:$JAVA_HOME/bin

e)    安装配置zookeeper

1. wget http://www.eu.apache.org/dist/zookeeper/zookeeper-3.4.6/zookeeper-3.4.6.tar.gz

2. tar xvzf zookeeper-3.4.6.tar.gz

3. cd zookeeper-3.4.6

4. mv conf/zoo_sample.cfg conf/zoo.cfg

5. vi  ~zk/.bash_profile

增加内容:

export ZOOKEEPER_HOME=/home/zk/zookeeper-3.4.6

export PATH=$PATH:$ZOOKEEPER_HOME/bin:$ZOOKEEPER_HOME/conf

6. . ~zk/.bash_profile

f)      启动

zkServer.sh start

膜拜下鸟哥的大作cnbird . mark.
 

0x03题目环境部署

1.     配置ssh-key

注:此操作在自己的笔记本上进行操作,并且私钥不能传到服务器

ssh-keygen -t rsa

膜拜下鸟哥的大作cnbird . mark.2.     zlib库压缩ssh私钥

package com.nuwa;

import java.io.BufferedInputStream;

import java.io.BufferedOutputStream;

import java.io.BufferedReader;

import java.io.File;

import java.io.FileInputStream;

import java.io.FileNotFoundException;

import java.io.FileOutputStream;

import java.io.FileReader;

import java.io.IOException;

import java.io.InputStream;

import java.io.OutputStream;

import java.net.ConnectException;

import java.nio.file.Files;

import java.nio.file.Path;

import java.nio.file.Paths;

import java.util.List;

import java.util.zip.Deflater;

import java.util.zip.DeflaterOutputStream;

import java.util.zip.InflaterInputStream;

 

import org.apache.zookeeper.*;

import org.apache.commons.*;

// nuwa zookeeper利用代码   cnbird@alibaba

public class nuwaZookeeper {

    public static final int SESSION_TIMEOUT = 30000;

    public static ZooKeeper zooKeeper;

    /**

     * Compresses a file with zlib compression.

     */

    public static void compressFile(File raw, File compressed)

        throws IOException

    {

        InputStream in = new FileInputStream(raw);

        OutputStream out =

            new DeflaterOutputStream(new FileOutputStream(compressed));

        shovelInToOut(in, out);

        in.close();

        out.close();

    }

    /**

     * Decompresses a zlib compressed file.

     */

    public static void decompressFile(File compressed, File raw)

        throws IOException

    {

        InputStream in =

            new InflaterInputStream(new FileInputStream(compressed));

        OutputStream out = new FileOutputStream(raw);

        shovelInToOut(in, out);

        in.close();

        out.close();

    }

    /**

     * Shovels all data from an input stream to an output stream.

     */

    private static void shovelInToOut(InputStream in, OutputStream out)

        throws IOException

    {

        byte[] buffer = new byte[1000];

        int len;

        while((len = in.read(buffer)) > 0) {

            out.write(buffer, 0, len);

        }

    } 

       public static void main(String[] args) throws IOException {

              // TODO Auto-generated method stub

              nuwaZookeeper nz = new nuwaZookeeper();

              nz.compressFile(new File("/Users/cnbird/Documents/alibaba/alictf/testkey/testkey"), new File("/Users/cnbird/Documents/alibaba/alictf/testkey/testkey.compress"));

       }

}

膜拜下鸟哥的大作cnbird . mark.

 

 

3.     创建admin账号并且拷贝SSH证书

 

useradd admin

su - admin

mkdir ~admin/.ssh/

mv testkey.pub ~admin/.ssh/authorized_keys

 

4.     配置ssh

a). vi /etc/ssh/sshd_config

替换为:

PubkeyAuthentication yes

AuthorizedKeysFile      .ssh/authorized_keys

b). service sshd restart

 

5.     测试ssh证书登陆

chown admin.admin testkey

chown 600 testkey

ssh -i testkey [email protected]

 
注:

a) docker必须开启ssh服务

b) docker的ip使用dockerinspect即可获取

 

6.     上传压缩的ssh证书到zookeeper

a) 设置zookeeper路径

zkCli.sh

create /ALICTF "ALICTF"

  

 

 

注:依次创建目录/ ALICTF/Server/Host/ZookeeperHost/Key/SSHPrivKey。 

 

 

膜拜下鸟哥的大作cnbird . mark. 
b) 讲zlib压缩的证书上传到zookeeper

 

package com.nuwa;

import java.io.BufferedInputStream;

import java.io.BufferedOutputStream;

import java.io.BufferedReader;

import java.io.File;

import java.io.FileInputStream;

import java.io.FileNotFoundException;

import java.io.FileOutputStream;

import java.io.FileReader;

import java.io.IOException;

import java.io.InputStream;

import java.io.OutputStream;

import java.net.ConnectException;

import java.nio.file.Files;

import java.nio.file.Path;

import java.nio.file.Paths;

import java.util.List;

import java.util.zip.Deflater;

import java.util.zip.DeflaterOutputStream;

import java.util.zip.InflaterInputStream;

 

import org.apache.zookeeper.*;

import org.apache.commons.*;

// nuwa zookeeper利用代码   cnbird@alibaba

public class nuwaZookeeper {   

    public static final int SESSION_TIMEOUT = 30000;

    public static ZooKeeper zooKeeper;

    public static void getFile(byte[] bfile, String filePath,String fileName) { 

        BufferedOutputStream bos = null; 

        FileOutputStream fos = null; 

        File file = null; 

        try { 

            File dir = new File(filePath); 

            if(!dir.exists()&&dir.isDirectory()){//判断文件目录是否存在 

                dir.mkdirs(); 

            } 

            file = new File(filePath+"\\"+fileName); 

            fos = new FileOutputStream(file); 

            bos = new BufferedOutputStream(fos); 

            bos.write(bfile); 

        } catch (Exception e) { 

            e.printStackTrace(); 

        } finally { 

            if (bos != null) { 

                try { 

                    bos.close(); 

                } catch (IOException e1) { 

                    e1.printStackTrace(); 

                } 

            } 

            if (fos != null) { 

                try { 

                    fos.close(); 

                } catch (IOException e1) { 

                    e1.printStackTrace(); 

                } 

            } 

        } 

    }

   

    /**

     * 获取节点的信息

     * @param path

     * @throws KeeperException

     * @throws InterruptedException

     */ 

    public void getChild(String path) throws KeeperException, InterruptedException{ 

        try { 

            List<String> children = this.zooKeeper.getChildren(path, false); 

            if (children.isEmpty()) { 

                System.out.printf("没有节点在%s中.", path); 

                return; 

            }else{ 

                System.out.printf("节点%s中存在的节点:\n", path); 

                for(String child: children){ 

                    System.out.println(child); 

                } 

            } 

        } catch (KeeperException.NoNodeException e) { 

            System.out.printf("%s节点不存在.", path); 

            throw e; 

        } 

    } 

    public byte[] getData(String path) throws KeeperException, InterruptedException { 

        return  this.zooKeeper.getData(path, false,null); 

    } 

    private static Watcher watcher =  new Watcher() {   

        public void process(WatchedEvent event) { 

            return;

        } 

    }; 

       public static void main(String[] args) throws IOException {

              // TODO Auto-generated method stub

              String path = "/ALICTF/Server/Host/ZookeeperHost/Key/SSHPrivKey";

              nuwaZookeeper nz = new nuwaZookeeper();

              zooKeeper = new ZooKeeper("192.168.42.9:2181",SESSION_TIMEOUT,watcher);

              try {

                     Path comPath = Paths.get("/alictf/testkey.compress");

                     byte[] data = Files.readAllBytes(comPath);

                     zooKeeper.setData(path,data,-1);

             

              } catch (KeeperException e1) {

                     // TODO Auto-generated catch block

                     e1.printStackTrace();

              } catch (InterruptedException e) {

                     // TODO Auto-generated catch block

                     Throwable e1 = null;

                     e1.printStackTrace();

              }

       }

}

编译并且上传到宿主机并且执行,我们可以看到压缩文件已经上传上去了。

膜拜下鸟哥的大作cnbird . mark.

 

7.     安装防提权

 

1. wget http://forkbomb.org/ninja/src/ninja-0.1.3.tar.bz2

2. tar xjvf ninja-0.1.3.tar.bz2

3. make

4. make install

5. /usr/local/bin/ninja &

测试是否可以防御提权

切换到su – admin然后执行su – root可以看到直接禁止掉了。

膜拜下鸟哥的大作cnbird . mark.

 

 

 

8.     配置sudo白名单(只允许用nmap,python,perl,java来进行提权)

 

Cmnd_Alias ALLOW = /usr/bin/perl,/usr/bin/python,/usr/bin/java,/usr/bin/id,/bin/uname,/usr/bin/nmap

Defaults    requiretty

Defaults   !visiblepw

Defaults    always_set_home

Defaults    env_reset

Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"

Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"

Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"

Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"

Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

root       ALL=(ALL)        ALL

admin   ALL=(ALL)      NOPASSWD:ALLOW

 

9.     安装supervisord自动运行

yum install epel-release

yum install -y supervisor

配置supervisor

vi /etc/supervisord.conf

[program:openssh]

command=service sshd start

[program:rsyslog]

command=service rsyslog start

[program:zk]

command=/bin/bash -c "/home/zk/zookeeper-3.4.6/bin/zkServer.sh start-foreground"

user=zk

[program:ninja]

command=/usr/local/bin/ninja

 

10.  自动化运行测试

 

docker run -it -d=true zk /bin/bash -c "supervisord && /bin/bash"

你可能感兴趣的:(mark)