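I'll organize this properly later.
First, roughly create all the files that will go into each directory.
For each challenge, create one xinetd file, one script that changes into the challenge directory, the binary, and the flag.
Also create one Dockerfile per challenge.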
root@kuality:/home/master/home/misc1# cat misc1.sh
#! /bin/bash
path="/home/misc1/";
cd $path;
/home/misc1/misc1
root@kuality:/home/master/home/misc1# cat xinetd
service misc1
{
disable = no
type = UNLISTED
wait = no
server = /home/misc1/misc1
socket_type = stream
protocol = tcp
user = misc1
port = 12345
flags = REUSE
}
$ docker pull ubuntu:latest
$ docker run -it --name pwn ubuntu /bin/bash
$ docker ps -a
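Setting up the image to use
Change the package repository,
then install xinetd, net-tools, and vim.
If you left with exit along the way and the container stopped, you can start it again with the following commands. To leave without stopping the container, press Ctrl+P and then Ctrl+Q.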
$ docker start pwn
$ docker attach pwn
commit
Commit the configured container to turn it into an image
root@kuality:/home/master/home/misc1# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
e90cea516d9f ubuntu "/bin/bash" 29 minutes ago Up 2 minutes pwn
root@kuality:/home/master/home/misc1# docker stop pwn
pwn
root@kuality:/home/master/home/misc1# docker commit pwn ubuntu:pwn
sha256:d44406607f756b2adec065ef4613c29f2f34f36827051270a09373362a4e9bcd
root@kuality:/home/master/home/misc1# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
ubuntu pwn d44406607f75 7 seconds ago 213MB
ubuntu latest 93fd78260bd1 12 days ago 86.2MB
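Roughly set up the environment you want, turn the container into an image, and then build the other images from that image. In case something goes wrong later, I decided to build a separate image for each challenge.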
root@kuality:/home/master/home# cat Dockerfile
FROM ubuntu:pwn_env
RUN apt update
RUN useradd -mU misc1
WORKDIR /home/misc1
COPY ./servicefile_xinetd /etc/xinetd.d/servicefile_xinetd
RUN chown -R root:misc1 /home/misc1
CMD ["/usr/sbin/xinetd","-dontfork"]
root@kuality:/home/master/home# cat servicefile_xinetd
service !name
{
disable = no
type = UNLISTED
wait = no
server =/home/misc1/misc1
socket_type = stream
protocol = tcp
user = misc1
port = 12345
flags = REUSE
}
Once all of those files have been created, build an image for each one.
root@kuality:/home/master/home# docker build --tag misc:1 . # build the image
...
...
root@kuality:/home/master/home# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
misc 1 da47d4baf4e5 5 seconds ago 214MB
ubuntu pwn d44406607f75 3 hours ago 213MB
ubuntu latest 93fd78260bd1 12 days ago 86.2MB
Now move the files over, map the port, and mount the directory(?) as well to create the container.
root@kuality:/home/master/home# docker run -it -p 12345:12345 -v /home/master/home/misc1:/home/misc1 --name misc1 misc:1 /bin/bash
If you happen to get an error like this:
root@kuality:/home/master/home# docker run -it --name misc1 misc:1 -p 12345:12345 -v /home/master/home/misc1:/home/misc1 /bin/bash
docker: Error response from daemon: OCI runtime create failed: container_linux.go:348: starting container process caused "exec: \"-p\": executable file not found in $PATH": unknown.
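Try changing the order of the command arguments: options such as -p and -v must come before the image name, because everything after the image name is passed to the container as the command to run.
Now edit the contents of /etc/xinetd.d/servicefile_xinetd and rename the file to something appropriate.
Next, restart it with /etc/init.d/xinetd restart.
Then add the port entry to the /etc/services file.
Watch the execute permission on the executable, and adjust the group permissions on the folder!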
#! /bin/bash
path="/home/misc1";
cd $path;
/home/misc1/misc1
root@022c0e2d72c6:/home/misc1# chown root:misc1 *
root@022c0e2d72c6:/home/misc1# chmod o-rx *
root@022c0e2d72c6:/home/misc1# ls -al # the final state should look like this!
total 32
drwxr-x--- 2 root misc1 4096 Dec 2 15:49 .
drwxr-xr-x 1 root root 4096 Dec 2 14:40 ..
-rw-r----- 1 root misc1 36 Dec 2 15:14 flag.txt
-rwxr-x--- 1 root misc1 13632 Dec 2 15:12 misc1
-rw-r-x--- 1 root misc1 61 Dec 2 15:49 misc1.sh
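Check challenge file permissions / setuid
Check key file permissions
Set chattr on the important files
Challenge file, key file, their directory, .bash_history, etc.
If chattr is not set, someone who gains privileges can deliberately delete the key file or the challenge file
Instead of chattr, changing the owner user to root should work too
To set chattr, run chattr +ai ./* ; chattr +ai .
Check permissions on /tmp, /var/tmp/, /dev/shm (chmod o-r /tmp, etc.)
If read permission is open, other users' exploits are exposed
Regular users can see segfault information through the dmesg command
chmod o-r /var/log/dmesg
Check whether the challenge binary is stripped
- Whether the published files were released as intended
- Whether the flag matches the one in the challenge
- Whether your own exploit works properly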
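The ownership and mode items of this checklist can be verified with a script instead of reading `ls -al` by eye. The following is an added example, not part of the original post; the function name `audit_challenge` and the finding labels are made up here, and it checks ownership and mode bits only (not chattr attributes or dotfiles).

```shell
#!/bin/sh
# Added example: audit a challenge directory's ownership and mode bits.
# Usage: audit_challenge DIR OWNER GROUP  -> prints one line per finding
audit_challenge() (
    dir=$1 want="$2:$3"
    for f in "$dir" "$dir"/*; do
        [ -e "$f" ] || continue
        mode=$(stat -c '%a' "$f")       # octal mode, e.g. 750 or 4750
        og=$(stat -c '%U:%G' "$f")      # owner:group by name
        # Files should belong to OWNER:GROUP (root:misc1 in the page's listing).
        [ "$og" = "$want" ] || echo "OWNER  $f is $og, expected $want"
        # "other" gets no access: every entry in the page's listing ends in ---.
        [ $(( 0$mode & 0007 )) -eq 0 ] || echo "OTHER  $f mode $mode is open to other users"
        # The service user is in GROUP; group write would let a solver
        # overwrite or delete the flag and the binary.
        [ $(( 0$mode & 0020 )) -eq 0 ] || echo "GWRITE $f mode $mode is group-writable"
        # setuid/setgid should be a deliberate choice, so it is always reported.
        [ $(( 0$mode & 06000 )) -eq 0 ] || echo "SUID   $f mode $mode has setuid/setgid set"
    done
    exit 0
)

# Run as a script: ./audit.sh /home/misc1 root misc1
if [ "$#" -eq 3 ]; then audit_challenge "$@"; fi
```

No output means the directory matches the layout shown in the `ls -al` listing above.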
Adding the second challenge
root@kuality:/home/master/home# cat Dockerfile
FROM ubuntu:pwn
RUN apt update
RUN useradd -mU misc2
WORKDIR /home/misc2
COPY ./servicefile_xinetd /etc/xinetd.d/misc2
RUN chmod og-rwx /var/log
RUN chmod og-rwx /tmp
RUN chmod og-rwx /var/tmp
RUN chmod og-rwx /dev/shm
RUN chown -R root:misc2 /home/misc2
CMD ["/usr/sbin/xinetd","-dontfork"]
root@kuality:/home/master/home# docker build --tag misc:2 .
root@kuality:/home/master/home# docker run -it -p 12346:12346 -v /home/master/home/misc2:/home/misc2 --name misc2 misc:2 /bin/bash
Set the permissions properly,
restart xinetd, and it works.
pwn1
$ docker build --tag pwn:1 .
Then keep going the same way.
root@kuality:/home/master/home# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
pwn 5 132be44d99af 14 seconds ago 214MB
pwn 4 3912e17cd3cb About a minute ago 214MB
pwn 3 6895a42c0863 About a minute ago 214MB
pwn 2 d9202c41f05f 2 minutes ago 214MB
pwn 1 2058b2cb88bc 13 minutes ago 214MB
misc 2 1d8a9a3b0c27 27 minutes ago 214MB
misc 1 da47d4baf4e5 2 hours ago 214MB
ubuntu pwn d44406607f75 5 hours ago 213MB
ubuntu latest 93fd78260bd1 12 days ago 86.2MB
root@kuality:/home/master/home# cat Dockerfile
FROM ubuntu:pwn
RUN apt update
RUN useradd -mU pwn5
WORKDIR /home/pwn5
COPY ./pwn5/pwn5 /etc/xinetd.d/pwn5
RUN chmod og-rwx /var/log
RUN chmod og-rwx /tmp
RUN chmod og-rwx /var/tmp
RUN chmod og-rwx /dev/shm
RUN chown root:pwn5 .
RUN echo "pwn5 12354/tcp" >> /etc/services
CMD ["/usr/sbin/xinetd","-dontfork"]
=======================================================
126 vim Dockerfile
127 docker build --tag pwn:2 .
128 vim Dockerfile
129 docker build --tag pwn:3 .
130 vim Dockerfile
131 docker build --tag pwn:4 .
132 vim Dockerfile
133 docker build --tag pwn:5 .
134 docker images
135 docker run -it -p 12351:12351 -v /home/master/home/pwn2:/home/pwn2 --name pwn2 pwn:2 /bin/bash
136 docker run -it -p 12352:12352 -v /home/master/home/pwn3:/home/pwn3 --name pwn3 pwn:3 /bin/bash
137 docker run -it -p 12353:12353 -v /home/master/home/pwn4:/home/pwn4 --name pwn4 pwn:4 /bin/bash
138 docker run -it -p 12354:12354 -v /home/master/home/pwn5:/home/pwn5 --name pwn5 pwn:5 /bin/bash
139 docker ps -a
=========================================================
root@kuality:/home/master/home# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
84a9c1df1216 pwn:5 "/bin/bash" About a minute ago Up About a minute 0.0.0.0:12354->12354/tcp pwn5
1e999cdcb6d4 pwn:4 "/bin/bash" About a minute ago Up About a minute 0.0.0.0:12353->12353/tcp pwn4
9a15d7e92d9e pwn:3 "/bin/bash" 2 minutes ago Up 2 minutes 0.0.0.0:12352->12352/tcp pwn3
7162967f6bc0 pwn:2 "/bin/bash" 2 minutes ago Up 2 minutes 0.0.0.0:12351->12351/tcp pwn2
08266f243825 pwn:1 "/bin/bash" 15 minutes ago Up 15 minutes 0.0.0.0:12350->12350/tcp pwn1
cd62d7c1e98d misc:2 "/bin/bash" 30 minutes ago Up 30 minutes 0.0.0.0:12346->12346/tcp misc2
022c0e2d72c6 misc:1 "/bin/bash" About an hour ago Up About an hour 0.0.0.0:12345->12345/tcp misc1
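Let's switch the website over as well, to Docker.
Looking at /etc/os-release shows that it is Alpine Linux.
Alpine Linux is a Linux distribution developed to be lightweight, simple, and secure.
To reduce its size, it uses musl libc instead of glibc as the system's default C runtime, and it ships busybox instead of the GNU utilities for the various shell commands.
Because it is a lightweight distribution with a size of 80M, it suits specific uses such as embedded systems and network servers, and it is especially well known as the 5M Linux image adopted by Docker.
apk add git
apk del git
apk is used like this.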
root@kuality:/home/kuality/CTFd# docker run -it -d -p 8000:8000 ctfd/ctfd /bin/bash
root@kuality:/home/kuality/CTFd# docker exec -it 896fa91c0c8d sh
What is this?
Move the files over; the docker cp command makes moving them easy.
Things to check!
/etc/xinetd.d/pwn4
/etc/services
pwn4.sh
Directory permissions
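The file-based items in this list can be cross-checked mechanically. The following is an added example, not part of the original post: it parses a service file in the format shown on this page and compares it with a services file. The function names `xinetd_get` and `check_xinetd` and the finding labels are made up here.

```shell
#!/bin/sh
# Added example: cross-check an xinetd service file against a services file.

# xinetd_get FILE KEY -> value of the first "KEY = value" line
xinetd_get() {
    awk -F= -v key="$2" '
        /^[ \t]*#/ { next }                          # skip comment lines
        NF >= 2 {
            k = $1; gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)   # also accepts "server =/path"
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# check_xinetd SERVICE_FILE SERVICES_FILE -> prints one line per finding
check_xinetd() (
    name=$(awk '$1 == "service" { print $2; exit }' "$1")
    port=$(xinetd_get "$1" port)
    user=$(xinetd_get "$1" user)
    server=$(xinetd_get "$1" server)
    # A template name such as "!name" must be replaced before deployment.
    case $name in ''|*[!A-Za-z0-9_-]*) echo "NAME     invalid or placeholder: '$name'" ;; esac
    [ "$(xinetd_get "$1" disable)" = no ] || echo "DISABLE  service is not enabled"
    # Each challenge on the page runs as its own unprivileged user (misc1, pwn5, ...).
    case $user in ''|root) echo "USER     runs as '${user:-unset}'" ;; esac
    case $server in /*) ;; *) echo "SERVER   not an absolute path: '$server'" ;; esac
    case $port in ''|*[!0-9]*) echo "PORT     missing or not numeric: '$port'" ;; esac
    # The page appends "<name> <port>/tcp" to /etc/services; both must agree.
    listed=$(awk -v n="$name" '$1 == n { print $2; exit }' "$2")
    [ "$listed" = "$port/tcp" ] || echo "SERVICES '$name' is '${listed:-missing}', want $port/tcp"
    exit 0
)

# Run as a script: ./check.sh /etc/xinetd.d/pwn4 /etc/services
if [ "$#" -eq 2 ]; then check_xinetd "$@"; fi
```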
Deploying the web challenges ----
First I uploaded the files to the server with WinSCP.
root@kuality:/home/master/home/web1# ls -al
total 24
drwxr-xr-x 3 kuality kuality 4096 12월 6 17:22 .
drwxr-x--- 14 root root 4096 12월 6 17:22 ..
drwxr-xr-x 3 kuality kuality 4096 12월 6 17:17 Can
-rw-r--r-- 1 kuality kuality 405 12월 6 17:22 Dockerfile
-rw-r--r-- 1 kuality kuality 169 12월 1 22:15 httpd-foreground
-rw-r--r-- 1 kuality kuality 32 12월 4 23:15 index.html
root@kuality:/home/master/home/web1# docker build --tag web:1 .
'''
'''
root@kuality:/home/master/home/web1# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
web 1 30fff891138f 3 minutes ago 227MB
pwn 5 2b8a852da5b6 2 hours ago 269MB
root@kuality:/home/master/home/web3# chmod +x httpd-foreground
Removed all the EXPOSE lines from what Hyeongjun had made.
### history
956 docker images
957 ls
958 vim Dockerfile
959 docker build --tag web:1 .
960 docker run -it -p 12362:80 --name web1 web:1 /bin/bash
961 cd ..
962 ls
963 cd web2
964 ls
965 chmod +x httpd-foreground
966 ls
967 vim Dockerfile
968 docker build --tag web:2 .
969 docker run -it -p 12363:80 --name web2 web:2 /bin/bash
970 ls
971 vim Dockerfile
972 cat Dockerfile
973 ls
974 docker cp hunter.png web2:/var/www/html/.
975 cd ..
976 ls
977 cd web3
978 ls
979 chmod +x httpd-foreground
980 vim Dockerfile
981 ls
982 docker build --tag web:3 .
983 ls
984 docker images
985 docker ps -a
986 docker run -it -p 12364:80 --name web3 web:3 /bin/bash
987 ls
988 docker ps -a
989 cd ..
990 ls
991 cd web4
992 ls
993 chmod +x httpd-foreground
994 ls
995 vim Dockerfile
996* docker run -i
997 docker run -it -p 12365:80 --name web4 web:4 /bin/bash
Working on pwn1
It is convenient to create another directory inside pwn1 and use it as the shared one. Keep the Dockerfile and the xinetd file in pwn1, and put pwn1 and pwn1.sh inside shared.
root@kuality:/home/master/home/pwn1# ls
Dockerfile pwn1_xinetd shared
root@kuality:/home/master/home/pwn1# docker build --tag pwn:1 .
root@kuality:/home/master/home/pwn1# docker run -it -p 12350:12350 -v /home/master/home/pwn1/shared/:/home/pwn1 --name pwn1 pwn:1 /bin/bash
/etc/init.d/xinetd start
* Starting internet superserver xinetd [ OK ]
pwn2
889 mv pwn1_xinetd pwn2_xinetd
890 vim pwn2_xinetd
891 ls -al
892 cd shared/
893 ls
894 cd ..
895 ls
896 mv pwn2 shared/.
897 cp ../pwn1/shared/pwn1.sh .
898 ls
899 vim pwn1.sh
900 mv pwn1.sh pwn2.sh
901 cp pwn2.sh ./shared/.
902 cd shared/
903 ls
904 ls -al
905 cd ..
906 ls
907 vim Dockerfile
908 docker build --tag pwn:2 .
909 docker ps -a
910 docker images
root@f065fb4bf57b:/home/pwn2# /etc/init.d/xinetd start
* Starting internet superserver xinetd [ OK ]
root@f065fb4bf57b:/home/pwn2# netstat -tnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:12351 0.0.0.0:* LISTEN 67/xinetd
misc1
root@732906120f2c:/home/misc1# history
1 ls
2 ls -al
3 chgrp misc1 .
4 ls -al
5 chgrp misc1 *
6 ls -al
7 su misc1
8 /etc/init.d/xinetd start
9 netstat -tnlp
10 history
crypto1
root@kuality:/home/master/home# ls
Dockerfile libc.so.6 misc1 misc1.sh misc2 misc3 pwn1 pwn2 pwn3 pwn4 pwn5 servicefile_xinetd web1 web2 web3 web4
root@kuality:/home/master/home# mkdir crypto1
root@kuality:/home/master/home# cd crypto1/
root@kuality:/home/master/home/crypto1# cp ../Dockerfile .
root@kuality:/home/master/home/crypto1# cp ../servicefile_xinetd .
root@kuality:/home/master/home/crypto1# mkdir shared
root@kuality:/home/master/home/crypto1# vim Dockerfile
root@kuality:/home/master/home/crypto1# mv servicefile_xinetd crypto1_xinetd
root@kuality:/home/master/home/crypto1# vim crypto1_xinetd
root@kuality:/home/master/home/crypto1# cat Dockerfile
FROM ubuntu:pwn_env
RUN apt update
RUN useradd -mU crypto1
WORKDIR /home/crypto1
COPY ./crypto1_xinetd /etc/xinetd.d/crypto1
RUN chmod og-rwx /var/log
RUN chmod og-rwx /tmp
RUN chmod og-rwx /var/tmp
RUN chmod og-rwx /dev/shm
RUN chown root:crypto1 .
RUN echo "crypto1 12358/tcp" >> /etc/services
CMD ["/usr/sbin/xinetd","-dontfork"]
root@kuality:/home/master/home/crypto1# cat crypto1_xinetd
service crypto1
{
disable = no
type = UNLISTED
wait = no
server = /home/crypto1/crypto1.sh
socket_type = stream
protocol = tcp
user = crypto1
port = 12358
flags = REUSE
}
root@kuality:/home/master/home/crypto1#
root@kuality:/home/master/home/crypto1# docker build --tag crypto:1 .
Sending build context to Docker daemon 3.584kB
Step 1/12 : FROM ubuntu:pwn_env
---> 2982f2dd0e73
Step 2/12 : RUN apt update
---> Using cache
---> 3811b63ef52c
Step 3/12 : RUN useradd -mU crypto1
---> Running in 5a810927ae8a
Removing intermediate container 5a810927ae8a
---> 763d9ad8fca8
Step 4/12 : WORKDIR /home/crypto1
---> Running in 9e04f20da228
Removing intermediate container 9e04f20da228
---> f89601cb8a9f
Step 5/12 : COPY ./crypto1_xinetd /etc/xinetd.d/crypto1
---> ac9966a4bbf7
Step 6/12 : RUN chmod og-rwx /var/log
---> Running in adb15102437e
Removing intermediate container adb15102437e
---> 9764196c9388
Step 7/12 : RUN chmod og-rwx /tmp
---> Running in 5c521a9b74ef
Removing intermediate container 5c521a9b74ef
---> 00aefac6dd43
Step 8/12 : RUN chmod og-rwx /var/tmp
---> Running in 2f55acaf8512
Removing intermediate container 2f55acaf8512
---> 575e61c3caf3
Step 9/12 : RUN chmod og-rwx /dev/shm
---> Running in 06911586cd45
Removing intermediate container 06911586cd45
---> 3d39f2ee4662
Step 10/12 : RUN chown root:crypto1 .
---> Running in 8a8eff50da95
Removing intermediate container 8a8eff50da95
---> 76c1bf086766
Step 11/12 : RUN echo "crypto1 12358/tcp" >> /etc/services
---> Running in cebb5880b8ea
Removing intermediate container cebb5880b8ea
---> 3b00b838d42d
Step 12/12 : CMD ["/usr/sbin/xinetd","-dontfork"]
---> Running in 15c420b3673d
Removing intermediate container 15c420b3673d
---> de3a181187f5
Successfully built de3a181187f5
Successfully tagged crypto:1
root@kuality:/home/master/home/crypto1# ls
crypto1_xinetd Dockerfile shared
root@kuality:/home/master/home/crypto1# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
crypto 1 de3a181187f5 11 seconds ago 269MB
misc 2 2642ab45889c About an hour ago 269MB
misc 1 2a2d7aa7d287 2 hours ago 269MB
pwn 2 868609076b2d 2 hours ago 269MB
pwn 1 4b44eb127d63 3 hours ago 269MB
web 4 d2153f10e0d1 8 hours ago 227MB
web 3 f489ac80ea7e 8 hours ago 227MB
web 2 7ee58a4000c4 8 hours ago 227MB
web 1 2ea48df1d684 8 hours ago 227MB
pwn 5 2b8a852da5b6 11 hours ago 269MB
pwn 4 595e99368599 13 hours ago 269MB
ubuntu pwn_env 2982f2dd0e73 13 hours ago 268MB
ctfd 01 880e760e6d81 3 days ago 460MB
ctfd_ctfd latest d00440f9d292 3 days ago 460MB
ctfd/ctfd latest 276fd8db9ecb 4 days ago 454MB
<none> <none> 3912e17cd3cb 4 days ago 214MB
ubuntu pwn d44406607f75 4 days ago 213MB
mariadb 10.4 a310b633fb41 2 weeks ago 369MB
ubuntu 16.04 a51debf7e1eb 2 weeks ago 116MB
ubuntu trusty f17b6a61de28 2 weeks ago 188MB
ubuntu latest 93fd78260bd1 2 weeks ago 86.2MB
redis 4 a38ee13679d8 2 weeks ago 83.4MB
python 2.7-alpine f901fc789b69 2 weeks ago 58.8MB