
Background

Scenario: Xiao Wang rushes over to Xiao Zhang and says, "Brother Li, my dev server has been hacked, please help!"

Challenge: find the attacker's IP address and the three flags left behind.
Normal user: defend/defend
Root user: root/defend

Procedure

1. Check top first

    top - 19:35:53 up 15 min, 2 users, load average: 0.01, 0.04, 0.05
    Tasks: 223 total, 1 running, 222 sleeping, 0 stopped, 0 zombie
    %Cpu(s): 0.6 us, 1.1 sy, 0.0 ni, 98.3 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
    KiB Mem : 3861296 total, 2172988 free, 890192 used, 798116 buff/cache
    KiB Swap: 3354620 total, 3354620 free, 0 used. 2698592 avail Mem

      PID USER      PR  NI    VIRT    RES    SHR S %CPU %MEM     TIME+ COMMAND
     2330 defend    20   0 3824332 247996  93120 S  4.0  6.4   0:17.19 gnome-she
     1750 root      20   0  409700  93984  46916 S  3.3  2.4   0:04.15 X
     3260 defend    20   0  687748  28140  17628 S  1.3  0.7   0:00.32 gnome-ter
       63 root      20   0       0      0      0 S  0.3  0.0   0:00.84 kworker/0
     2300 defend    20   0  233104   3944   3180 S  0.3  0.1   0:00.05 at-spi2-r
     2854 root      20   0  586504   8616   6356 S  0.3  0.2   0:00.11 fwupd
     3315 defend    20   0  162100   2344   1580 R  0.3  0.1   0:00.06 top
        1 root      20   0  193824   6996   4184 S  0.0  0.2   0:02.31 systemd
        2 root      20   0       0      0      0 S  0.0  0.0   0:00.00 kthreadd
        4 root       0 -20       0      0      0 S  0.0  0.0   0:00.00 kworker/0
        6 root      20   0       0      0      0 S  0.0  0.0   0:00.02 ksoftirqd
        7 root      rt   0       0      0      0 S  0.0  0.0   0:00.09 migration
        8 root      20   0       0      0      0 S  0.0  0.0   0:00.00 rcu_bh
        9 root      20   0       0      0      0 S  0.0  0.0   0:00.27 rcu_sched
       10 root       0 -20       0      0      0 S  0.0  0.0   0:00.00 lru-add-d
       11 root      rt   0       0      0      0 S  0.0  0.0   0:00.01 watchdog/0
       12 root      rt   0       0      0      0 S  0.0  0.0   0:00.01 watchdog/1

Nothing suspicious stands out (the top consumers are the GNOME desktop and X), so move on to the command history.

2. Check the command history

The normal user's history shows nothing of interest; switch to root:

    [root@localhost 桌面]# history
        1  ls
        2  chmod +x /etc/rc.d/rc.local
        3  cat /etc/rc.d/rc.local
        4  vim /etc/rc.d/rc.local
        5  echo flag{thisismybaby}
        6  exit
        7  sudo redis-server /etc/redis.conf
        8  systemctl status redis
        9  systemctl stop redis.service
       10  systemctl status redis
       11  sudo redis-server /etc/redis.conf
       12  /etc/redis.conf
       13  cat /etc/redis.conf
       14  history
    [root@localhost 桌面]#

That gives the first flag, flag{thisismybaby}, and also shows that rc.local was given the execute bit (chmod +x) and then edited with vim.

3. rc.local

What is rc.local? Asking the AI: rc.local is the user-defined startup script, a traditional Linux boot script used to run user-supplied commands at the very end of the boot process. Its characteristics: it runs once, at boot only; it runs as root, with full privileges; and it runs after the standard services (modern systems do not guarantee this, because units are started in parallel).

This looks like a persistence technique: the goal is to have something run automatically at boot, which falls into the "startup item" class of persistence.

Important change: according to news from March 2026, systemd 260 has completely removed the SysV init compatibility layer, including rc-local.service, so in future this will probably only be seen on older systems. On most current systems rc.local is not active out of the box either; it has to be enabled manually and given the execute bit.

Reading rc.local shows the second flag, flag{kfcvme50}:

    cat /etc/rc.d/rc.local
    #!/bin/bash
    # THIS FILE IS ADDED FOR COMPATIBILITY PURPOSES
    #
    # It is highly advisable to create own systemd services or udev rules
    # to run scripts during boot instead of using this file.
    #
    # In contrast to previous versions due to parallel execution during boot
    # this script will NOT be run after all other services.
    #
    # Please note that you must run 'chmod +x /etc/rc.d/rc.local' to ensure
    # that this script will be executed during boot.
    # flag{kfcvme50}
    touch /var/lock/subsys/local

Apart from the flag comment, the file still contains only the stock touch line. Giving it the execute bit is what makes it run as root at every boot, so this is a prepared persistence hook even though it currently carries no payload beyond the flag.

4. Redis

The command history shows the intruder had been working on the redis service:

        7  sudo redis-server /etc/redis.conf
        8  systemctl status redis
        9  systemctl stop redis.service
       10  systemctl status redis
       11  sudo redis-server /etc/redis.conf
       12  /etc/redis.conf
       13  cat /etc/redis.conf

Reading the configuration file reveals the third flag:

    cat /etc/redis.conf
    # flag{PssW0rd_redis}
    # Redis configuration file example.

I read a few logs without finding anything useful. Next I went looking for files related to the redis service and, using rc.local's modification time as the anchor, listed the files changed in that window:

    find /etc -type f -newermt "2024-03-18 19:00:00" ! -newermt "2024-03-18 22:00:00" -ls 2>/dev/null

(Your output may differ, because my target VM was a bit off. Note that the listing also contains entries under /root and /home, so the search that produced it evidently covered more than /etc.)

    17967435    4 -rw-r--r-- 1 root   root       988 3月 18 2024 /etc/group
    17690866    4 ---------- 1 root   root       797 3月 18 2024 /etc/gshadow
    17967439    4 -rw-r--r-- 1 root   root      2332 3月 18 2024 /etc/passwd
    17967440    4 ---------- 1 root   root      1266 3月 18 2024 /etc/shadow
    17967430   80 -rw-r--r-- 1 root   root     80098 3月 18 2024 /etc/ld.so.cache
       80207    4 -rwxr-xr-x 1 root   root       493 3月 18 2024 /etc/rc.d/rc.local
    17967436   48 -rw-r----- 1 redis  root     46750 3月 18 2024 /etc/redis.conf
    51847076    4 -rw-r--r-- 1 root   root       661 3月 18 2024 /root/.ssh/authorized_keys
    33583022    4 -rw------- 1 root   root       132 3月 18 2024 /root/.xauthnuoOYS
    33583023    4 -rw------- 1 root   root      1240 3月 18 2024 /root/.viminfo
    17967426 1548 -rw-rw-r-- 1 defend defend 1584027 3月 18 2024 /home/defend/.cache/gnome-software/odrs/ratings.json
    33796564   12 -rw-r--r-- 1 defend defend   12288 3月 18 2024 /home/defend/.config/pulse/5273f7d4e755487aafc2bb0da4f69cae-stream-volumes.tdb
    51847042    4 -rw-r--r-- 1 root   root        77 3月 18 2024 /home/defend/dump.rdb

The entry that stands out is /root/.ssh/authorized_keys: an SSH authorized key was added for root inside the window. Two more things are worth noting. /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow were all touched at the same time, which a responder should diff against a known-good copy for added accounts. And /home/defend/dump.rdb is a Redis RDB dump owned by root sitting in a non-root home directory, consistent with a root-run redis-server whose working directory or dir setting pointed there.

With the key added, check the SSH login log:

    grep "Mar 18" /var/log/secure* | grep -E "Accepted|Failed|ssh2"
    Mar 18 19:29:20 localhost sshd[11621]: Failed password for root from 192.168.75.129 port 55904 ssh2
    Mar 18 19:29:43 localhost sshd[11634]: Failed password for root from 192.168.75.129 port 40066 ssh2
    Mar 18 19:29:43 localhost sshd[11646]: Failed password for root from 192.168.75.129 port 40188 ssh2
    Mar 18 19:29:43 localhost sshd[11644]: Failed password for root from 192.168.75.129 port 40160 ssh2
    Mar 18 19:29:43 localhost sshd[11647]: Failed password for root from 192.168.75.129 port 40204 ssh2
    Mar 18 19:29:43 localhost sshd[11642]: Failed password for root from 192.168.75.129 port 40150 ssh2
    Mar 18 19:29:43 localhost sshd[11639]: Failed password for root from 192.168.75.129 port 40118 ssh2
    Mar 18 19:29:43 localhost sshd[11640]: Failed password for root from 192.168.75.129 port 40120 ssh2
    Mar 18 19:29:43 localhost sshd[11645]: Failed password for root from 192.168.75.129 port 40176 ssh2
    Mar 18 19:29:43 localhost sshd[11637]: Failed password for root from 192.168.75.129 port 40088 ssh2
    Mar 18 19:29:43 localhost sshd[11643]: Failed password for root from 192.168.75.129 port 40154 ssh2
    Mar 18 19:29:43 localhost sshd[11638]: Failed password for root from 192.168.75.129 port 40104 ssh2
    Mar 18 19:29:43 localhost sshd[11635]: Failed password for root from 192.168.75.129 port 40064 ssh2
    Mar 18 19:29:43 localhost sshd[11636]: Failed password for root from 192.168.75.129 port 40074 ssh2
    Mar 18 19:29:43 localhost sshd[11641]: Failed password for root from 192.168.75.129 port 40134 ssh2
    Mar 18 19:29:43 localhost sshd[11648]: Failed password for root from 192.168.75.129 port 40216 ssh2
    Mar 18 19:29:45 localhost sshd[11634]: Failed password for root from 192.168.75.129 port 40066 ssh2
    Mar 18 19:29:45 localhost sshd[11646]: Failed password for root from 192.168.75.129 port 40188 ssh2
    Mar 18 19:29:45 localhost sshd[11640]: Failed password for root from 192.168.75.129 port 40120 ssh2
    Mar 18 19:29:45 localhost sshd[11644]: Failed password for root from 192.168.75.129 port 40160 ssh2
    Mar 18 19:29:45 localhost sshd[11637]: Failed password for root from 192.168.75.129 port 40088 ssh2
    Mar 18 19:29:45 localhost sshd[11645]: Failed password for root from 192.168.75.129 port 40176 ssh2
    Mar 18 19:29:45 localhost sshd[11638]: Failed password for root from 192.168.75.129 port 40104 ssh2
    Mar 18 19:29:45 localhost sshd[11642]: Failed password for root from 192.168.75.129 port 40150 ssh2
    Mar 18 19:29:45 localhost sshd[11643]: Failed password for root from 192.168.75.129 port 40154 ssh2
    Mar 18 19:29:45 localhost sshd[11639]: Failed password for root from 192.168.75.129 port 40118 ssh2
    Mar 18 19:29:45 localhost sshd[11647]: Failed password for root from 192.168.75.129 port 40204 ssh2
    Mar 18 19:29:45 localhost sshd[11635]: Failed password for root from 192.168.75.129 port 40064 ssh2
    Mar 18 19:29:45 localhost sshd[11641]: Failed password for root from 192.168.75.129 port 40134 ssh2
    Mar 18 19:29:45 localhost sshd[11636]: Failed password for root from 192.168.75.129 port 40074 ssh2
    Mar 18 19:29:45 localhost sshd[11648]: Failed password for root from 192.168.75.129 port 40216 ssh2
    Mar 18 19:29:46 localhost sshd[11634]: Failed password for root from 192.168.75.129 port 40066 ssh2
    Mar 18 19:29:46 localhost sshd[11646]: Failed password for root from 192.168.75.129 port 40188 ssh2
    Mar 18 19:29:46 localhost sshd[11640]: Failed password for root from 192.168.75.129 port 40120 ssh2
    Mar 18 19:29:46 localhost sshd[11644]: Failed password for root from 192.168.75.129 port 40160 ssh2
    Mar 18 19:29:46 localhost sshd[11637]: Failed password for root from 192.168.75.129 port 40088 ssh2
    Mar 18 19:29:46 localhost sshd[11643]: Failed password for root from 192.168.75.129 port 40154 ssh2
    Mar 18 19:29:46 localhost sshd[11645]: Failed password for root from 192.168.75.129 port 40176 ssh2
    Mar 18 19:29:46 localhost sshd[11638]: Failed password for root from 192.168.75.129 port 40104 ssh2
    Mar 18 19:29:46 localhost sshd[11642]: Failed password for root from 192.168.75.129 port 40150 ssh2
    Mar 18 19:29:46 localhost sshd[11647]: Failed password for root from 192.168.75.129 port 40204 ssh2
    Mar 18 19:29:46 localhost sshd[11648]: Failed password for root from 192.168.75.129 port 40216 ssh2
    Mar 18 19:29:46 localhost sshd[11635]: Failed password for root from 192.168.75.129 port 40064 ssh2
    Mar 18 19:29:46 localhost sshd[11641]: Failed password for root from 192.168.75.129 port 40134 ssh2
    Mar 18 19:29:46 localhost sshd[11639]: Failed password for root from 192.168.75.129 port 40118 ssh2
    Mar 18 19:29:46 localhost sshd[11636]: Failed password for root from 192.168.75.129 port 40074 ssh2
    Mar 18 19:29:48 localhost sshd[11634]: Failed password for root from 192.168.75.129 port 40066 ssh2
    Mar 18 19:29:48 localhost sshd[11646]: Failed password for root from 192.168.75.129 port 40188 ssh2
    Mar 18 19:29:48 localhost sshd[11644]: Failed password for root from 192.168.75.129 port 40160 ssh2
    Mar 18 19:29:48 localhost sshd[11640]: Failed password for root from 192.168.75.129 port 40120 ssh2
    Mar 18 19:29:48 localhost sshd[11637]: Failed password for root from 192.168.75.129 port 40088 ssh2
    Mar 18 19:29:48 localhost sshd[11645]: Failed password for root from 192.168.75.129 port 40176 ssh2
    Mar 18 19:29:48 localhost sshd[11643]: Failed password for root from 192.168.75.129 port 40154 ssh2
    Mar 18 19:29:48 localhost sshd[11638]: Failed password for root from 192.168.75.129 port 40104 ssh2
    Mar 18 19:29:48 localhost sshd[11642]: Failed password for root from 192.168.75.129 port 40150 ssh2
    Mar 18 19:29:48 localhost sshd[11647]: Failed password for root from 192.168.75.129 port 40204 ssh2
    Mar 18 19:29:48 localhost sshd[11648]: Failed password for root from 192.168.75.129 port 40216 ssh2
    Mar 18 19:29:48 localhost sshd[11635]: Failed password for root from 192.168.75.129 port 40064 ssh2
    Mar 18 19:29:48 localhost sshd[11636]: Failed password for root from 192.168.75.129 port 40074 ssh2
    Mar 18 19:29:48 localhost sshd[11641]: Failed password for root from 192.168.75.129 port 40134 ssh2
    Mar 18 19:29:48 localhost sshd[11639]: Failed password for root from 192.168.75.129 port 40118 ssh2
    Mar 18 19:29:50 localhost sshd[11634]: Failed password for root from 192.168.75.129 port 40066 ssh2
    Mar 18 19:29:50 localhost sshd[11646]: Failed password for root from 192.168.75.129 port 40188 ssh2
    Mar 18 19:29:50 localhost sshd[11640]: Failed password for root from 192.168.75.129 port 40120 ssh2
    Mar 18 19:29:50 localhost sshd[11644]: Failed password for root from 192.168.75.129 port 40160 ssh2
    Mar 18 19:29:50 localhost sshd[11637]: Failed password for root from 192.168.75.129 port 40088 ssh2
    Mar 18 19:29:50 localhost sshd[11643]: Failed password for root from 192.168.75.129 port 40154 ssh2
    Mar 18 19:29:50 localhost sshd[11647]: Failed password for root from 192.168.75.129 port 40204 ssh2
    Mar 18 19:29:50 localhost sshd[11648]: Failed password for root from 192.168.75.129 port 40216 ssh2
    Mar 18 19:29:50 localhost sshd[11635]: Failed password for root from 192.168.75.129 port 40064 ssh2
    Mar 18 19:29:50 localhost sshd[11642]: Failed password for root from 192.168.75.129 port 40150 ssh2
    Mar 18 19:29:50 localhost sshd[11645]: Failed password for root from 192.168.75.129 port 40176 ssh2
    Mar 18 19:29:50 localhost sshd[11638]: Failed password for root from 192.168.75.129 port 40104 ssh2
    Mar 18 19:29:50 localhost sshd[11636]: Failed password for root from 192.168.75.129 port 40074 ssh2
    Mar 18 19:29:50 localhost sshd[11641]: Failed password for root from 192.168.75.129 port 40134 ssh2
    Mar 18 19:29:50 localhost sshd[11639]: Failed password for root from 192.168.75.129 port 40118 ssh2
    Mar 18 19:29:51 localhost sshd[11634]: Failed password for root from 192.168.75.129 port 40066 ssh2
    Mar 18 19:29:51 localhost sshd[11634]: error: maximum authentication attempts exceeded for root from 192.168.75.129 port 40066 ssh2 [preauth]
    Mar 18 19:29:51 localhost sshd[11646]: Failed password for root from 192.168.75.129 port 40188 ssh2
    Mar 18 19:29:51 localhost sshd[11646]: error: maximum authentication attempts exceeded for root from 192.168.75.129 port 40188 ssh2 [preauth]
    Mar 18 19:29:51 localhost sshd[11640]: Failed password for root from 192.168.75.129 port 40120 ssh2
    Mar 18 19:29:51 localhost sshd[11640]: error: maximum authentication attempts exceeded for root from 192.168.75.129 port 40120 ssh2 [preauth]
    Mar 18 19:29:51 localhost sshd[11644]: Failed password for root from 192.168.75.129 port 40160 ssh2
    Mar 18 19:29:51 localhost sshd[11644]: error: maximum authentication attempts exceeded for root from 192.168.75.129 port 40160 ssh2 [preauth]
    Mar 18 19:29:51 localhost sshd[11637]: Failed password for root from 192.168.75.129 port 40088 ssh2
    Mar 18 19:29:51 localhost sshd[11637]: error: maximum authentication attempts exceeded for root from 192.168.75.129 port 40088 ssh2 [preauth]
    Mar 18 19:29:51 localhost sshd[11643]: Failed password for root from 192.168.75.129 port 40154 ssh2
    Mar 18 19:29:51 localhost sshd[11643]: error: maximum authentication attempts exceeded for root from 192.168.75.129 port 40154 ssh2 [preauth]
    Mar 18 19:29:51 localhost sshd[11635]: Failed password for root from 192.168.75.129 port 40064 ssh2
    Mar 18 19:29:51 localhost sshd[11635]: error: maximum authentication attempts exceeded for root from 192.168.75.129 port 40064 ssh2 [preauth]
    Mar 18 19:29:51 localhost sshd[11642]: Failed password for root from 192.168.75.129 port 40150 ssh2
    Mar 18 19:29:51 localhost sshd[11645]: Failed password for root from 192.168.75.129 port 40176 ssh2
    Mar 18 19:29:51 localhost sshd[11645]: error: maximum authentication attempts exceeded for root from 192.168.75.129 port 40176 ssh2 [preauth]
    Mar 18 19:29:51 localhost sshd[11642]: error: maximum authentication attempts exceeded for root from 192.168.75.129 port 40150 ssh2 [preauth]
    Mar 18 19:29:51 localhost sshd[11648]: Failed password for root from 192.168.75.129 port 40216 ssh2
    Mar 18 19:29:51 localhost sshd[11647]: Failed password for root from 192.168.75.129 port 40204 ssh2
    Mar 18 19:29:51 localhost sshd[11648]: error: maximum authentication attempts exceeded for root from 192.168.75.129 port 40216 ssh2 [preauth]
    Mar 18 19:29:51 localhost sshd[11638]: Failed password for root from 192.168.75.129 port 40104 ssh2
    Mar 18 19:29:51 localhost sshd[11647]: error: maximum authentication attempts exceeded for root from 192.168.75.129 port 40204 ssh2 [preauth]
    Mar 18 19:29:51 localhost sshd[11638]: error: maximum authentication attempts exceeded for root from 192.168.75.129 port 40104 ssh2 [preauth]
    Mar 18 19:29:51 localhost sshd[11639]: Failed password for root from 192.168.75.129 port 40118 ssh2
    Mar 18 19:29:51 localhost sshd[11641]: Failed password for root from 192.168.75.129 port 40134 ssh2
    Mar 18 19:29:51 localhost sshd[11641]: error: maximum authentication attempts exceeded for root from 192.168.75.129 port 40134 ssh2 [preauth]
    Mar 18 19:29:51 localhost sshd[11639]: error: maximum authentication attempts exceeded for root from 192.168.75.129 port 40118 ssh2 [preauth]
    Mar 18 19:29:51 localhost sshd[11636]: Failed password for root from 192.168.75.129 port 40074 ssh2
    Mar 18 19:29:51 localhost sshd[11636]: error: maximum authentication attempts exceeded for root from 192.168.75.129 port 40074 ssh2 [preauth]
    Mar 18 20:23:07 localhost sshd[13285]: Accepted publickey for root from 192.168.75.129 port 42162 ssh2: RSA SHA256:CntyDg/6Rprau//z63898uxnuJxK3XooqdUZJfQmlUo
    [root@localhost defend]#

The attacker's IP is 192.168.75.129. Starting at 19:29:20 it ran an SSH password brute force against root: fifteen parallel connections (sshd PIDs 11634 to 11648), each failing six times before sshd cut it off with "maximum authentication attempts exceeded" (sshd's default MaxAuthTries), and none of them succeeded. At 20:23:07 the same address then logged in as root with a public key (Accepted publickey ... RSA SHA256:CntyDg/...), which matches the authorized_keys change found above.

The attacker had also touched the redis configuration, so check whether redis was open to unauthenticated access:

    grep -E "^bind|^protected-mode|^requirepass" /etc/redis.conf
    bind 0.0.0.0
    protected-mode no

bind 0.0.0.0 means Redis listens on every interface, so any host that can reach port 6379 can connect. protected-mode no switches off the safeguard that would otherwise refuse non-loopback clients on an instance with no password. And no requirepass line matched at all, so no password is required. Together that is the classic unauthenticated Redis condition, and the server was started as root (sudo redis-server /etc/redis.conf), so anything Redis writes to disk is written as root.

With that, the IP is found and the task is complete.

Inferred intrusion chain (for reference only):
1. An SSH password brute force against root, which failed.
2. Remote access through the unauthenticated Redis service.
3. Writing an SSH key into /root/.ssh/authorized_keys. The usual technique against a root-run Redis is to point dir at /root/.ssh and dbfilename at authorized_keys and then SAVE, so the RDB dump containing the key lands there; the exact commands were not recovered from the host, but the root-owned dump.rdb is consistent with Redis having been driven to write files.
4. SSH login as root with that key.
5. Enabling rc.local, most likely as a persistence mechanism.

This is my first article; it may have shortcomings, and corrections are welcome.
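The SSH-log triage from step 4 above, turned into something reusable: the script below is an added example and is not part of the original write-up. It summarises sshd authentication events per source address and flags the pattern seen on this host, a burst of failed password logins followed later by a successful public-key login from the same address. The log lines it runs on are constructed for the example (modelled on the real ones, with a second benign address, a third address that only fails, and a fake fingerprint).

```shell
# Added example, not from the original write-up. Constructed sshd log lines
# (one sshd PID fails six times then hits MaxAuthTries, a benign password
# login from another host, a host that only fails, then the key login).
SAMPLE_LOG='Mar 18 19:29:20 localhost sshd[11621]: Failed password for root from 192.168.75.129 port 55904 ssh2
Mar 18 19:29:43 localhost sshd[11634]: Failed password for root from 192.168.75.129 port 40066 ssh2
Mar 18 19:29:45 localhost sshd[11634]: Failed password for root from 192.168.75.129 port 40066 ssh2
Mar 18 19:29:46 localhost sshd[11634]: Failed password for root from 192.168.75.129 port 40066 ssh2
Mar 18 19:29:48 localhost sshd[11634]: Failed password for root from 192.168.75.129 port 40066 ssh2
Mar 18 19:29:50 localhost sshd[11634]: Failed password for root from 192.168.75.129 port 40066 ssh2
Mar 18 19:29:51 localhost sshd[11634]: Failed password for root from 192.168.75.129 port 40066 ssh2
Mar 18 19:29:51 localhost sshd[11634]: error: maximum authentication attempts exceeded for root from 192.168.75.129 port 40066 ssh2 [preauth]
Mar 18 19:40:02 localhost sshd[11700]: Accepted password for defend from 192.168.75.10 port 50112 ssh2
Mar 18 19:52:13 localhost sshd[11780]: Failed password for defend from 10.0.0.5 port 33010 ssh2
Mar 18 19:52:20 localhost sshd[11780]: Failed password for defend from 10.0.0.5 port 33010 ssh2
Mar 18 20:23:07 localhost sshd[13285]: Accepted publickey for root from 192.168.75.129 port 42162 ssh2: RSA SHA256:constructedFingerprintForTheExample'

# Read sshd log lines on stdin; print one line per source address:
#   <ip> <failed> <preauth_lockouts> <accepted> <accepted_publickey> <login_after_failures>
# The last column is "yes" when the first successful login came AFTER the
# first failure from that address, i.e. the brute-force-then-key pattern.
ssh_auth_summary() {
    awk '
        function src_ip(   i) { for (i = 1; i <= NF; i++) if ($i == "from") return $(i + 1); return "?" }
        /sshd\[[0-9]+\]: Failed password for/ {
            ip = src_ip(); failed[ip]++; seen[ip] = 1
            if (!(ip in first_fail)) first_fail[ip] = NR
        }
        /sshd\[[0-9]+\]: error: maximum authentication attempts exceeded/ {
            ip = src_ip(); lockout[ip]++; seen[ip] = 1
        }
        /sshd\[[0-9]+\]: Accepted (publickey|password) for/ {
            ip = src_ip(); accepted[ip]++; seen[ip] = 1
            if ($0 ~ /Accepted publickey/) keylogin[ip]++
            if (!(ip in first_ok)) first_ok[ip] = NR
        }
        END {
            for (ip in seen) {
                after = ((ip in first_fail) && (ip in first_ok) && first_ok[ip] > first_fail[ip]) ? "yes" : "no"
                printf "%s %d %d %d %d %s\n", ip, failed[ip] + 0, lockout[ip] + 0, accepted[ip] + 0, keylogin[ip] + 0, after
            }
        }' | sort
}

# Addresses with at least $1 failures (default 10) that later logged in with a key.
ssh_suspect_ips() {
    ss_threshold="${1:-10}"
    ssh_auth_summary | awk -v t="$ss_threshold" '$2 >= t && $5 > 0 && $6 == "yes" { print $1 }'
}

# Stand-alone demo on the constructed log.
printf '%s\n' "$SAMPLE_LOG" | ssh_auth_summary
echo "suspect addresses (>= 5 failures, then a key login):"
printf '%s\n' "$SAMPLE_LOG" | ssh_suspect_ips 5
```

On a real host feed it the secure log (grep -h sshd /var/log/secure* | ssh_suspect_ips) or the journal (journalctl -u sshd --no-pager | ssh_suspect_ips); both produce the "sshd[pid]:" lines the patterns key on. The threshold is deliberately a parameter: on this box one address accumulated over ninety failures in thirty seconds, but a patient attacker spreads attempts out, so the ordering check (failures first, key login later) is the more robust signal.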
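The redis.conf check in step 4 above is three grep lines and a manual reading. As an added example (not part of the original write-up) here is the same audit as a function, with the weak configuration found on the dev box beside a hardened one; both sample files are constructed for the example. It resolves each directive the way Redis does (the last uncommented occurrence wins) rather than just grepping for a prefix, which matters when a config has an old commented-out bind above the live one.

```shell
# Added example, not from the original write-up.

# Effective value of one directive in a redis.conf: comments are skipped
# because their first field is "#", and the last occurrence wins as in Redis.
redis_directive() {  # $1 = conf file, $2 = directive name
    awk -v d="$2" '$1 == d { v = $2; for (i = 3; i <= NF; i++) v = v " " $i } END { print v }' "$1"
}

# Print one finding per line (nothing when the file looks safe) and return
# non-zero when there is at least one finding.
redis_audit() {  # $1 = path to redis.conf
    ra_bind=$(redis_directive "$1" bind)
    ra_prot=$(redis_directive "$1" protected-mode)
    ra_pass=$(redis_directive "$1" requirepass)
    ra_n=0; ra_exposed=0

    if [ -z "$ra_bind" ]; then
        echo "bind unset: redis listens on every interface by default"
        ra_exposed=1; ra_n=$((ra_n + 1))
    else
        # Redis allows several addresses and a "-" prefix for optional ones.
        for ra_t in $ra_bind; do
            case "${ra_t#-}" in
                0.0.0.0|'*'|::|'::*')
                    echo "bind $ra_bind: listens on every interface"
                    ra_exposed=1; ra_n=$((ra_n + 1)); break ;;
            esac
        done
    fi
    # protected-mode defaults to yes when absent; only an explicit "no" is a finding.
    if [ "$ra_prot" = no ]; then
        echo "protected-mode no: the loopback-only safety net is switched off"
        ra_n=$((ra_n + 1))
    fi
    # Note: Redis 6+ can also authenticate through ACL "user" lines or an
    # aclfile; this check only looks at the classic requirepass.
    if [ -z "$ra_pass" ]; then
        echo "requirepass unset: no password is required to run commands"
        ra_n=$((ra_n + 1))
    fi
    if [ "$ra_exposed" -eq 1 ] && [ -z "$ra_pass" ]; then
        echo "RESULT: unauthenticated Redis reachable from any host"
        ra_n=$((ra_n + 1))
    fi
    [ "$ra_n" -eq 0 ]
}

# Constructed sample configs: the state found on the dev box, and a safe one.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
WEAK_CONF="$tmp/weak.conf"; HARD_CONF="$tmp/hard.conf"
printf '%s\n' '# constructed: what grep showed on the compromised host' \
    '# bind 127.0.0.1' 'bind 0.0.0.0' 'protected-mode no' 'port 6379' \
    '# requirepass foobared' 'dir ./' > "$WEAK_CONF"
printf '%s\n' '# constructed: hardened counterpart' \
    'bind 127.0.0.1 -::1' 'protected-mode yes' 'port 6379' \
    'requirepass CHANGE_ME_long_random_secret' 'rename-command CONFIG ""' > "$HARD_CONF"

echo "== weak =="; redis_audit "$WEAK_CONF" || echo "=> findings present"
echo "== hard =="; redis_audit "$HARD_CONF" && echo "=> no findings"
```

On the live host run redis_audit /etc/redis.conf; if the process was started with a different config (history here shows sudo redis-server /etc/redis.conf, but check ps for the real path) audit that file instead. The hardened sample also renames CONFIG, which is the command the authorized_keys write technique depends on; a password alone is not enough if it is weak, because Redis can be brute-forced over the network just like SSH.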
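Steps 3 and 4 above leave two artefacts to check on any similar host: an rc.local that has been made executable, and root's authorized_keys. As an added example (not part of the original write-up) the functions below separate the lines of rc.local that actually do something from the stock CentOS/RHEL content, report whether the file is armed (executable and carrying a non-stock command), and list each key in an authorized_keys file by type and comment. They take explicit paths so they can be run against a mounted image; the tree they run on here is constructed for the example, with fake key material and a fake non-stock command.

```shell
# Added example, not from the original write-up.

# Lines of an rc.local that are neither comments/blank nor the stock line
# shipped in the CentOS/RHEL 7 file; these are the lines that run at boot.
rc_local_suspicious_lines() {  # $1 = path to rc.local
    grep -Ev '^[[:space:]]*(#|$)' "$1" \
        | grep -Ev '^[[:space:]]*(touch /var/lock/subsys/local|exit 0)[[:space:]]*$' || true
}

# Report on one rc.local. Returns 1 when the file is executable (so it runs
# as root at boot) AND contains commands beyond the stock line; 0 otherwise.
rc_local_check() {  # $1 = path to rc.local
    rc_file="$1"
    [ -f "$rc_file" ] || { echo "rc.local: $rc_file absent"; return 0; }
    rc_exec=no; [ -x "$rc_file" ] && rc_exec=yes
    rc_extra=$(rc_local_suspicious_lines "$rc_file")
    echo "rc.local: $rc_file executable=$rc_exec"
    [ -n "$rc_extra" ] && printf '%s\n' "$rc_extra" | sed 's/^/  non-stock command: /'
    [ "$rc_exec" = yes ] && [ -n "$rc_extra" ] && return 1
    return 0
}

# One line per key, "<type> <comment>", skipping any leading options such as
# from="..." or command="...". A key with no comment is a common tell for one
# injected by a tool rather than installed by an admin. (sk-* FIDO key types
# are not matched; extend the regex if you use them.)
authorized_keys_summary() {  # $1 = authorized_keys file
    [ -f "$1" ] || return 0
    awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521))$/) {
                    c = ""
                    for (j = i + 2; j <= NF; j++) c = (c == "" ? $j : c " " $j)
                    print $i, (c == "" ? "(no comment)" : c)
                    break
                }
            }
        }' "$1"
}

# Constructed tree for the demo: an armed rc.local and a three-key file.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
mkdir -p "$tmp/etc/rc.d" "$tmp/root/.ssh"
cat > "$tmp/etc/rc.d/rc.local" <<'EOF'
#!/bin/bash
# THIS FILE IS ADDED FOR COMPATIBILITY PURPOSES
touch /var/lock/subsys/local
# constructed non-stock line for the example, not from the incident:
/usr/local/bin/keepalive.sh &
EOF
chmod +x "$tmp/etc/rc.d/rc.local"
cat > "$tmp/root/.ssh/authorized_keys" <<'EOF'
# constructed entries with fake key material, not the keys from the incident
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotARealKey00000000000 admin@workstation
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleKeyMaterialNotARealKey000000000000
from="10.0.0.0/8" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotARealKey11111111111 backup@nas
EOF

rc_local_check "$tmp/etc/rc.d/rc.local" || echo "  => armed: executable and carrying a non-stock command"
echo "authorized_keys entries:"; authorized_keys_summary "$tmp/root/.ssh/authorized_keys"
```

On the live host the calls are rc_local_check /etc/rc.d/rc.local and authorized_keys_summary /root/.ssh/authorized_keys. To tie a key to the login seen in the log, run ssh-keygen -lf /root/.ssh/authorized_keys: it prints one fingerprint per entry, and the one matching the "RSA SHA256:..." in the Accepted publickey line is the attacker's key.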