Docker Malware Analysis Series V: ALICTF final challenge design
Original link: http://www.weibo.com/p/1001603835206674039802
April 24, 2015 17:33
0x00 Introduction
For ALICTF (http://www.alictf.com/) I designed four challenges: a Nagios NRPE plugin vulnerability, an ActiveMQ JMX vulnerability, an nconf-to-cacti privilege escalation, and the one written up in this article, a ZooKeeper privilege-escalation challenge, which itself consists of four stages.
Stage one retrieves a compressed file from ZooKeeper, stage two recovers the key from it, stage three obtains the admin SSH key, and stage four escalates privileges to finally obtain the flag.
This article covers two parts:
A. Challenge design
B. Solving approach
0x01 Configure Docker Environment
1. Docker installation
Refer to the first article of the Docker malware analysis series, Getting to know Docker (http://weibo.com/p/230418e8e60bc00102vl37).
2. Select the operating system
The operating system is CentOS 6.5:
docker pull centos:6
0x02 Build the ZooKeeper Environment
1. Create a new Docker image
So as not to damage the base image, start a new container from it:
docker run -it centos:centos6 /bin/bash
2. Save the Docker image
docker commit 7e2efe536336 zk
All further operations take place on the zk image.
3. ZooKeeper configuration
a) Enter the zk image
docker run -it zk /bin/bash
b) Install the JDK
yum install -y java-1.7.0-openjdk.x86_64
c) Create a zk user
useradd zk
d) Switch to zk and configure its environment
su - zk
vi .bash_profile
Add:
export JAVA_HOME="/usr/lib/jvm/jre-1.7.0-openjdk.x86_64/"
export PATH=$PATH:$JAVA_HOME/bin
e) Install and configure ZooKeeper
1. wget http://www.eu.apache.org/dist/zookeeper/zookeeper-3.4.6/zookeeper-3.4.6.tar.gz
2. tar xvzf zookeeper-3.4.6.tar.gz
3. cd zookeeper-3.4.6
4. mv conf/zoo_sample.cfg conf/zoo.cfg
5. vi ~zk/.bash_profile
Add:
export ZOOKEEPER_HOME=/home/zk/zookeeper-3.4.6
export PATH=$PATH:$ZOOKEEPER_HOME/bin:$ZOOKEEPER_HOME/conf
6. . ~zk/.bash_profile
f) Start
zkServer.sh start
0x03 Challenge Environment Deployment
1. Configure the SSH key
Note: this step is done on your own laptop; the private key must never be uploaded to the server.
ssh-keygen -t rsa
2. Compress the SSH private key with zlib
package com.nuwa;

import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.zip.DeflaterOutputStream;
import java.util.zip.InflaterInputStream;

// Nuwa ZooKeeper utility code, cnbird@alibaba
public class NuwaZookeeper {

    /**
     * Compresses a file with zlib compression.
     */
    public static void compressFile(File raw, File compressed) throws IOException {
        InputStream in = new FileInputStream(raw);
        OutputStream out = new DeflaterOutputStream(new FileOutputStream(compressed));
        shovelInToOut(in, out);
        in.close();
        out.close(); // closing finishes the deflate stream and writes the zlib trailer
    }

    /**
     * Decompresses a zlib compressed file.
     */
    public static void decompressFile(File compressed, File raw) throws IOException {
        InputStream in = new InflaterInputStream(new FileInputStream(compressed));
        OutputStream out = new FileOutputStream(raw);
        shovelInToOut(in, out);
        in.close();
        out.close();
    }

    /**
     * Shovels all data from an input stream to an output stream.
     */
    private static void shovelInToOut(InputStream in, OutputStream out) throws IOException {
        byte[] buffer = new byte[1000];
        int len;
        while ((len = in.read(buffer)) > 0) { // read() returns -1 at end of stream
            out.write(buffer, 0, len);
        }
    }

    public static void main(String[] args) throws IOException {
        compressFile(new File("/users/cnbird/documents/alibaba/alictf/testkey/testkey"),
                     new File("/users/cnbird/documents/alibaba/alictf/testkey/testkey.compress"));
    }
}
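As an added example (my own code, not from the original post), the same compression done in Python with the standard-library zlib module, together with the header check an analyst uses to recognise a zlib stream in an otherwise opaque blob before inflating it, and a sanity check that the inflated bytes are PEM key material. DeflaterOutputStream and zlib.compress both produce RFC 1950 streams: a two-byte header, a deflate body and an Adler-32 trailer. The key material below is a constructed placeholder, not a real key.

```python
import zlib

# Constructed stand-in for the SSH private key that the challenge compresses.
SAMPLE_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\n"
              + b"MIIEpAIBAAKCAQEA" * 40 + b"\n"
              + b"-----END RSA PRIVATE KEY-----\n")


def compress_key(raw: bytes) -> bytes:
    """zlib-compress raw bytes (same framing as Java's DeflaterOutputStream)."""
    return zlib.compress(raw)


def is_zlib_stream(data: bytes) -> bool:
    """Check the RFC 1950 header: CM must be 8 (deflate), CINFO at most 7,
    and the 16-bit value CMF*256+FLG must be a multiple of 31."""
    if len(data) < 2:
        return False
    cmf, flg = data[0], data[1]
    if (cmf & 0x0F) != 8 or (cmf >> 4) > 7:
        return False
    return ((cmf << 8) | flg) % 31 == 0


def decompress_key(blob: bytes) -> bytes:
    """Inflate a zlib stream, turning header and trailer problems into ValueError."""
    if not is_zlib_stream(blob):
        raise ValueError("not a zlib stream (bad RFC 1950 header)")
    try:
        return zlib.decompress(blob)
    except zlib.error as exc:  # truncated body or Adler-32 mismatch
        raise ValueError(f"corrupt zlib stream: {exc}") from exc


def looks_like_private_key(data: bytes) -> bool:
    """Cheap PEM check: does the inflated data carry a private-key marker?"""
    return b"PRIVATE KEY-----" in data


if __name__ == "__main__":
    blob = compress_key(SAMPLE_KEY)
    print("compressed", len(SAMPLE_KEY), "->", len(blob), "bytes, header", blob[:2].hex())
    recovered = decompress_key(blob)
    print("round trip ok:", recovered == SAMPLE_KEY,
          "private key:", looks_like_private_key(recovered))
```

With the default compression level the header is 0x78 0x9c, which is what a solver sees at the start of the znode data in stage two; the header test alone does not prove the stream is intact, so the Adler-32 failure on a truncated blob is reported as well.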
3. Create the admin account and install the SSH public key
useradd admin
su - admin
mkdir ~admin/.ssh/
mv testkey.pub ~admin/.ssh/authorized_keys
4. Configure SSH
a) vi /etc/ssh/sshd_config
Change to:
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
b) service sshd restart
5. Test key-based SSH login
chown admin.admin testkey
chown testkey
ssh -i testkey admin@<docker-ip>
Note:
a) the SSH service must be running inside the Docker container
b) obtain the container IP with docker inspect
6. Upload the compressed SSH key to ZooKeeper
a) Create the ZooKeeper path
zkCli.sh
create /alictf "alictf"
Note: create is not recursive, so create the nodes of /alictf/server/host/zookeeperhost/key/sshprivkey one level at a time.
b) Upload the zlib-compressed key to ZooKeeper
package com.nuwa;

import java.io.BufferedOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;

import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.WatchedEvent;
import org.apache.zookeeper.Watcher;
import org.apache.zookeeper.ZooKeeper;

// Nuwa ZooKeeper utility code, cnbird@alibaba
public class NuwaZookeeper {
    public static final int SESSION_TIMEOUT = 30000;
    public static ZooKeeper zooKeeper;

    /** Writes a byte array to filePath/fileName, creating the directory if needed. */
    public static void getFile(byte[] bfile, String filePath, String fileName) {
        BufferedOutputStream bos = null;
        FileOutputStream fos = null;
        try {
            File dir = new File(filePath);
            if (!dir.exists()) { // create the target directory if it does not exist yet
                dir.mkdirs();
            }
            File file = new File(dir, fileName);
            fos = new FileOutputStream(file);
            bos = new BufferedOutputStream(fos);
            bos.write(bfile);
        } catch (Exception e) {
            e.printStackTrace();
        } finally {
            if (bos != null) {
                try {
                    bos.close();
                } catch (IOException e1) {
                    e1.printStackTrace();
                }
            }
            if (fos != null) {
                try {
                    fos.close();
                } catch (IOException e1) {
                    e1.printStackTrace();
                }
            }
        }
    }

    /**
     * Lists the children of a node.
     * @param path znode path
     * @throws KeeperException
     * @throws InterruptedException
     */
    public void getChild(String path) throws KeeperException, InterruptedException {
        try {
            List<String> children = zooKeeper.getChildren(path, false);
            if (children.isEmpty()) {
                System.out.printf("No nodes in %s.%n", path);
                return;
            } else {
                System.out.printf("Nodes in %s:%n", path);
                for (String child : children) {
                    System.out.println(child);
                }
            }
        } catch (KeeperException.NoNodeException e) {
            System.out.printf("%s node does not exist.%n", path);
            throw e;
        }
    }

    /** Reads the data stored at a node. */
    public byte[] getData(String path) throws KeeperException, InterruptedException {
        return zooKeeper.getData(path, false, null);
    }

    // No-op watcher: connection and node events are ignored.
    private static Watcher watcher = new Watcher() {
        public void process(WatchedEvent event) {
            return;
        }
    };

    public static void main(String[] args) throws IOException {
        String path = "/alictf/server/host/zookeeperhost/key/sshprivkey";
        zooKeeper = new ZooKeeper("192.168.42.9:2181", SESSION_TIMEOUT, watcher);
        try {
            Path comPath = Paths.get("/alictf/testkey.compress");
            byte[] data = Files.readAllBytes(comPath);
            zooKeeper.setData(path, data, -1); // version -1: overwrite regardless of znode version
        } catch (KeeperException e) {
            e.printStackTrace();
        } catch (InterruptedException e) {
            e.printStackTrace();
        }
    }
}
Compile this, upload it to the host and run it; the compressed file can then be seen in the node.
7. Install anti-privilege-escalation protection (ninja)
1. wget http://forkbomb.org/ninja/src/ninja-0.1.3.tar.bz2
2. tar xjvf ninja-0.1.3.tar.bz2
3. make
4. make install
5. /usr/local/bin/ninja &
Test whether privilege escalation is blocked:
switch with su - admin, then run su - root; you can see that it is killed immediately.
8. Configure the sudo whitelist (only nmap, python, perl and java are allowed)
Cmnd_Alias ALLOW = /usr/bin/perl, /usr/bin/python, /usr/bin/java, /usr/bin/id, /bin/uname, /usr/bin/nmap
Defaults    requiretty
Defaults    !visiblepw
Defaults    always_set_home
Defaults    env_reset
Defaults    env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin
root    ALL=(ALL)       ALL
admin   ALL=(ALL)       NOPASSWD: ALLOW
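As an added example (my own code, not from the original post or from the sudo project), a small audit script that parses a sudoers fragment, expands Cmnd_Alias entries and flags rules that hand a non-root user programs able to execute arbitrary code or start other programs. A whitelist like the one above is no restriction in practice: interpreters and scanners with scripting support run as root are a root shell by another name, which is what makes this configuration the privilege-escalation stage of the challenge and what an auditor should flag in a real deployment. The DANGEROUS set is an assumption of the script; the SUDOERS constant is the configuration shown above typed in as sample input.

```python
import re

# Constructed sample: the sudoers configuration from the challenge environment above.
SUDOERS = """\
Cmnd_Alias ALLOW = /usr/bin/perl, /usr/bin/python, /usr/bin/java, /usr/bin/id, /bin/uname, /usr/bin/nmap
Defaults    requiretty
Defaults    !visiblepw
Defaults    always_set_home
Defaults    env_reset
Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin
root    ALL=(ALL)       ALL
admin   ALL=(ALL)       NOPASSWD: ALLOW
"""

# Programs that run arbitrary code or spawn other programs; granting any of them
# through sudo is equivalent to granting root. This list is an assumption of the
# audit script, not something the original post defines.
DANGEROUS = {"perl", "python", "java", "nmap", "bash", "sh", "vi", "vim", "find", "awk", "env"}

ALIAS_RE = re.compile(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)")
# user  host=(runas)  [TAG:] commands   (runas group is optional)
RULE_RE = re.compile(r"(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)")
TAG_RE = re.compile(r"(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*(.*)")


def parse_sudoers(text):
    """Return (command aliases, user rules) from a sudoers fragment."""
    aliases, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or line.startswith("Defaults"):
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        user, host, runas, spec = m.groups()
        tags = set()
        while (t := TAG_RE.match(spec)):      # peel off NOPASSWD: and friends
            tags.add(t.group(1))
            spec = t.group(2)
        rules.append({"user": user, "host": host, "runas": runas or "root",
                      "tags": tags, "cmds": [c.strip() for c in spec.split(",")]})
    return aliases, rules


def expand(cmds, aliases, seen=()):
    """Recursively replace alias names with the commands they stand for."""
    out = []
    for c in cmds:
        if c in aliases and c not in seen:
            out.extend(expand(aliases[c], aliases, seen + (c,)))
        else:
            out.append(c)
    return out


def audit(text):
    """Return (user, command, nopasswd) for every grant that amounts to code execution."""
    aliases, rules = parse_sudoers(text)
    findings = []
    for r in rules:
        if r["user"] == "root":
            continue                          # root ALL=(ALL) ALL is the stock default
        nopasswd = "NOPASSWD" in r["tags"]
        for cmd in expand(r["cmds"], aliases):
            if not cmd:
                continue
            if cmd == "ALL":
                findings.append((r["user"], cmd, nopasswd))
                continue
            prog = cmd.split()[0].rsplit("/", 1)[-1]   # basename of the granted binary
            if prog in DANGEROUS:
                findings.append((r["user"], cmd, nopasswd))
    return findings


if __name__ == "__main__":
    for user, cmd, nopasswd in audit(SUDOERS):
        print(f"{user}: {cmd}{' (NOPASSWD)' if nopasswd else ''} grants code execution as root")
```

Run against the challenge configuration it reports perl, python, java and nmap for admin, all without a password, while id and uname pass; the same parser accepts any sudoers fragment with Cmnd_Alias and user specification lines, so it can be pointed at /etc/sudoers.d snippets as well.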
9. Install supervisord so that services start automatically
yum install epel-release
yum install -y supervisor
Configure supervisor:
vi /etc/supervisord.conf
[program:openssh]
command=service sshd start
[program:rsyslog]
command=service rsyslog start
[program:zk]
command=/bin/bash -c "/home/zk/zookeeper-3.4.6/bin/zkServer.sh start-foreground"
user=zk
[program:ninja]
command=/usr/local/bin/ninja
10. Test the automatic start-up
docker run -it -d=true zk /bin/bash -c "supervisord && /bin/bash"
Admiring Brother Bird's (cnbird) masterpiece. Bookmarked.