Linux Infiltration +ssh Intranet forwarding

Http://www.jb51.net/hack/58514.htmlhttp://blog.chinaunix.net/uid-756931-id-353243.html

Http://blog.163.com/czg_e/blog/static/46104561201552423342331?ignoreua
Http://www.noah.org/wiki/SSH_tunnel
Http://www.myhack58.com/Article/60/63/2013/38396_3.htm
Http://www.chinaitlab.com/cisco/others/923866.html
http://blog.csdn.net/death_spank/article/details/7403554http://blog.chinaunix.net/ uid-20761674-id-74962.htmlhttps://www.baidu.com/s?wd=ssh%20-cfnnt%20-r%202222%3alocalhost%3a22&pn=20& oq=ssh%20-cfnnt%20-r%202222%3alocalhost%3a22&tn=baiduhome_pg&ie=utf-8&rsv_idx=2&rsv_pq= D80af9630005118b&rsv_t=1c29hrqjwlu46wctkmmtdvvo8cugnkbe5ett5rptft7dzgwarf%2bag8zqtmgco%2fz1%2fpqu&rsv_ page=1 http://www.chenyudong.com/archives/linux-ssh-port-dynamic-forward.html https://lesca.me/ archives/ssh-port-forwarding-principle-and-praticle-application.htmlhttp://qubaoquan.blog.51cto.com/1246748/ 292497http://linux-wiki.cn/wiki/zh-hans/ssh%e7%ab%af%e5%8f%a3%e8%bd%ac%e5%8f%91%ef%bc%88%e9%9a%a7%e9%81%93%ef% bc%89http://lvii.github.io/system/2013/10/08/ssh-remote-port-forwarding/http://www.361way.com/sshswitch/148. Htmlhttp://www.ruanyifeng.com/blog/2011/12/ssh_port_forwarding.htmlhttps://www.ibm.com/developerworks/cn/linux /l-cn-sshforward/    I. Preface
Two days ago, bored, think of the day stand, casually searched a key word, find a station, directly open engage. So, with the following:
(Description: The feeling is the first real day Linux, a lot of do not understand, write more detailed.) Daniel drifting over) two. Information detection, take the shell (Nagio)
First of all, look at the link, and found that there is no suffix name. Feel difficult to start, 114 check, found the same service or there are many stations ~ ~. This heart more relieved, thought that if the main station can not make, will be next note. Continue from the main station. To understand the server information first, and then grab the packet to observe:
The discovery server is Dnionos. Is this god horse thing? Have never seen, Baidu's. There are two kinds of saying, one is the Cdn of the Alliance, one is nginx. But I feel the CDN is more likely. If it is nginx good. If it is a CDN, the eggs are broken, the legend is very difficult to do. The server information is placed first. Check out the website again.

See the site above a member login, register the place:

In this case, register it, because the general member has the upload function. Random registration of A, found are not verified, directly to pass. After registering, come to my space:

Discover that you can upload pictures. So casually upload a picture, and then access the connection, the hint picture does not exist.

Don't know is God horse reason, didn't upload up? Think of the Nginx parsing vulnerability, handy in the back add a/x.php, found incredibly show the resolution of the picture. It seems to be really nginx. Sure enough to upload the horse and then visit it:

OK to get the shell successfully. Also written on the server, is Nginx. Check permissions:

is actually root permission. Operating system: CentOS 5.4

Linux generally wants SSH login. Let's look at the open port:

The ok,22 port is open. Look at the server IP to determine if the intranet:

The test host can then sisu the network. Ping outside network try:

Found can. Then scan the port:

Found only 80 and 8080 ports were opened.

Consider port forwarding to log in to SSH.

Three. Intranet SSH forwarding:
Upload the tool to a host outside the network:

Since the target host is Linux,-listen is followed by the-linux:

The SSH client then remotely connects to the host's 3001 port, and the extranet host displays a connection:

Then bounce ssh:

Outside the network, you can see that the connection has been received:

Soon, the SSH client also reacted, stating that the rebound SSH was successful. I don't know the password, and I can't add the password under Webshell. Let's take a look at the SSH configuration file:

As we can see, root login is not allowed. Do you want to run a blank password to log in? The configuration file is displayed and is not allowed.

Create a new root account
[Code]bash Code:

useradd -u 0 -o -g root -G root -d /home/game game

And then add a password to it

[Code]bash Code:

echo xxx | passwd --stdin game

Password modified successfully

Then, log in with this user: SSH login, or failed. Tried n long, the SSH configuration file is not found to allow only specific user access. It suddenly occurred to me that there was no root access allowed. Does root mean the root user group??

OK, we can try to create a new normal user. Then login, successful SSH login, login successful

But getting an ssh with normal permissions is obviously not what we want. The SSH configuration file cannot be modified directly under Webshell, and it is estimated that normal user rights cannot be modified. What do we do? In fact, it is very simple, copy the configuration file, modify, then copy back, and then restart SSH, you can.

OK, let's change root to allow login:

Copy the Past:

[Code]bash Code:

cp /tmp/sshd_config /etc/ssh/sshd_config

Then, restart the SSH service:
[Code]bash Code:

service sshd restart

Then, log in again using Root, OK, success:

Try ssh and find it really powerful, just as handy as a local operation Shell ...

Four. Intranet infiltration attempt
First, the above said that the proxy server opened 80 and 8080 ports, access to 80 ports, found to be arbitrary access. Content is the network of each host traffic statistics. There are about 10 units:

Choose Node, as you can see, uses the host as a proxy for each server. (This includes a lot of information, Mysql,nginx, information about each system, etc.)

Seemingly intranet hosts are all CentOS. The MySQL account number and password of two intranet hosts are obtained by locating the configuration file. After that, we get the account number and password of all MySQL databases in the intranet host, and can log in successfully. Only the root account password cannot be opened. But the other passwords are 123456 simple passwords. And the intranet hosts all open 22 ports. With this password and account to log in, all failed ... Visual Account Black is the administrator of the entire site. But its SSH password does not come out.

Later, after a few days of groping, found a thing: Web host is actually two CentOS, the morning with IP for xxx.10, PM with xxx.251 host. I didn't know it at the time, and I struggled with it for so long.

Now the situation of the Intranet, basically is: I have two host root permissions, you can log in all MySQL database, and some host MySQL database can read and write files, but can not read/etc/shadow and other important files.

After you unlock your MySQL account password, you cannot ssh to another host.

Intranet has two hosts is also running Nagix, if can access, may also be killed in seconds. However, I do not have an extranet Linux host, and do not want to install SSH on Windows Broiler, so I can not use the SSH tunnel to access the intranet server.

Finally, at his wits ' end, he had to plant a rootkit and wait for the keyboard to record. Although I do not want to use this method, but at present can only be so.

Five. PostScript
This intranet is relatively large, and feel the C segment and this site relationship is also relatively large. So, if the keylogger gets something valid, it will continue ...
(In fact, the actual process, more twists and turns than writing, but it is too much, writing good tired, some places abbreviated a little bit.) ）

Linux Infiltration +ssh Intranet forwarding