Basic topology

Environment
0x00 System
-----> CentOS7
0x01 Question
-----> Docker
0x02 Cache
-----> Redis * 3 * 3
0x03 Databases
-----> Mysql 5.7.24
0x04 Git
-----> GitLab
0x05 Nginx
-----> VeryNginx (Bad experience)
0x06 Firewall
-----> iptables
Script
0x00 ssh
-----> root => W8gHgwYt5BoUirRfmVjWUw
-----> ssh without password (key-based)
# Key-based SSH access: register a public key in root's authorized_keys.
# NOTE(review): ssh-keygen here creates a keypair on this host; for logging *in*
# the client's public key is what goes into authorized_keys — confirm which is meant.
ssh-keygen
cd ~/.ssh
# Interactive step: paste the client's public key (a single "ssh-rsa ..." line).
vim authorized_keys
# ssh-rsa
# sshd (StrictModes) ignores the file if it is group/world accessible.
chmod 600 authorized_keys
# NOTE(review): nothing here turns off PasswordAuthentication in /etc/ssh/sshd_config;
# if "no login" means password login is disabled, that step happens elsewhere — verify.
0x01 Online authentication
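# Captive-portal ("Online authentication") login. The POST body carries a username and
# password; keep it in a root-only file instead of on the command line so it does not
# show up in `ps`, shell history or the crontab itself.
# Placeholder path (constructed) — any root-owned location works:
cred_file=/root/.ac_portal_login
( umask 077; printf '%s' 'opr=pwdLogin&userName=181270021&pwd=0021120313&rememberPwd=1' > "$cred_file" )
# -d @file reads the body from the file; output is discarded as before.
curl -d "@$cred_file" "http://2.2.2.2/ac_portal/login.php" >/dev/null 2>&1
# Re-authenticate hourly. crontab -e is interactive: add the line below.
crontab -e
0 */1 * * * curl -d @/root/.ac_portal_login "http://2.2.2.2/ac_portal/login.php" >/dev/null 2>&1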
0x02 Change source
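# Switch yum to the 163 mirror (keep the original repo file as a backup).
sudo mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
# -f: fail on an HTTP error instead of saving the error page as the repo file;
# -sS: quiet except for real errors; -L: follow redirects.
# NOTE(review): the repo file is fetched over plain HTTP — look it over (and keep
# gpgcheck=1) before the first install from it.
sudo curl -fsSL http://mirrors.163.com/.help/CentOS7-Base-163.repo -o /etc/yum.repos.d/CentOS7-Base-163.repo
# Both halves need root; the original ran makecache without sudo.
sudo yum clean all && sudo yum makecache
sudo yum update -y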
0x03 zsh
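# zsh + oh-my-zsh. The upstream one-liner pipes a remote script straight into sh;
# fetch it to a temp file first so it can be read before it runs.
yum install zsh -y
yum install git -y
omz_installer=$(mktemp) || exit 1
curl -fsSL https://raw.github.com/robbyrussell/oh-my-zsh/master/tools/install.sh -o "$omz_installer"
# Inspect "$omz_installer" here, then run it and clean up.
sh "$omz_installer"
rm -f -- "$omz_installer"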
0x04 iptables
# Replace firewalld (the CentOS 7 default) with the classic iptables service.
systemctl stop firewalld
systemctl disable firewalld
yum install iptables-services -y
systemctl enable iptables
yum install vim -y
# Interactive step: edit the persisted ruleset. $IP / $PORT below are placeholders
# in the rule text, not shell variables — the file is read by iptables-restore.
vim /etc/sysconfig/iptables
-A INPUT -p tcp -s $IP -m state --state NEW -m tcp --dport $PORT -j ACCEPT
# iptables configuration
# Make sure the SSH port is allowed in the file before restarting, or the
# session doing this gets locked out.
systemctl restart iptables
0x05 maven
# Build the two platform jars with Maven and start them in the background.
yum install maven -y
# -Pprod selects the prod Maven profile; -Pdev for a development build.
mvn clean package -Pprod
#or dev
# Both jars append to the same ./nohup.out (relative to the current directory), so
# their logs interleave; they run as whichever user runs this shell and are not
# restarted after a reboot (a systemd unit would cover both points).
nohup java -jar /opt/ZJCTF-Contest-2018/target/dist/contest/contest-0.0.1-SNAPSHOT.jar >> ./nohup.out 2>&1 &
nohup java -jar /opt/watchingPlatform/target/dist/watch/watch-0.0.1-SNAPSHOT.jar >> ./nohup.out 2>&1 &
#! use a suitable location
tail -f nohup.out
0x06 proxychains
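# Build proxychains-ng from source and point it at the SOCKS5 proxy.
cd
git clone https://github.com/rofl0r/proxychains-ng.git
yum install gcc -y
cd proxychains-ng
./configure
# install-config already used sudo; make install needs the same privilege.
make && sudo make install
sudo make install-config
# Interactive step: add the proxy line to the [ProxyList] section.
vim /etc/proxychains.conf
socks5 192.168.152.253 1090
#10.1.1.1 1090
# Test with a TCP client. proxychains hooks TCP connect() only, so the original
# `proxychains4 ping google.com` (ICMP) never went through the proxy and gave a
# misleading result.
proxychains4 curl -sI https://google.com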
0x07 Change time zone
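# Time zone and clock sync for the host.
yum install ntpdate -y
# tzselect is only an interactive lookup helper (prints a TZ line, changes nothing):
# tzselect
# The original exported TZ for the current shell only and re-copied the zoneinfo file
# every 4 hours from cron; timedatectl sets the zone system-wide and persistently.
timedatectl set-timezone Asia/Shanghai
# One-off sync now. CentOS 7 ships chronyd for continuous sync, which would replace
# the hourly ntpdate job below if preferred.
/usr/sbin/ntpdate cn.pool.ntp.org
# Interactive step: add the cron line below (the trailing '&' of the original is not needed).
crontab -e
0 */1 * * * /usr/sbin/ntpdate cn.pool.ntp.org > /dev/null 2>&1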
0x08 Maximum number of files
# Raise the open-file / process limits for the many-connection services set up below.
ulimit -a
ulimit -n 65535
#! temporary change until next login
# Persistent limits via pam_limits. These appends are not idempotent: re-running the
# section duplicates the lines. NOTE(review): pam_limits does not apply the '*'
# wildcard to root, and systemd-managed services never read limits.conf at all
# (mysqld gets LimitNOFILE/LimitNPROC in its unit in section 0x09).
echo "* soft nofile 65535" >> /etc/security/limits.conf
echo "* hard nofile 65535" >> /etc/security/limits.conf
echo "* soft nproc 65535" >> /etc/security/limits.conf
echo "* hard nproc 65535" >> /etc/security/limits.conf
# System-wide cap on open file handles; takes effect at the `sysctl -p` in section 0x0A.
echo fs.file-max = 204800 >> /etc/sysctl.conf
0x09 Mysql connection
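# Raise MySQL's connection ceiling and the file/process limits of its systemd unit.
# Interactive step: put the line under [mysqld]. (Section 0x10 writes the same file
# with max_connections = 2048 — pick one value.)
vim /etc/my.cnf
max_connections=4096
# Use a drop-in instead of editing the packaged unit under /usr/lib (the original
# did `vim /usr/lib/systemd/system/mysqld.service`), which a package update overwrites.
mkdir -p /etc/systemd/system/mysqld.service.d
tee /etc/systemd/system/mysqld.service.d/limits.conf <<'EOF'
[Service]
LimitNOFILE=65535
LimitNPROC=65535
EOF
systemctl daemon-reload
systemctl restart mysqld.service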
0x0A TCP Cycle
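# Kernel TCP tuning for many short-lived connections (appends; not idempotent on re-run).
echo "net.ipv4.tcp_fin_timeout=30" >> /etc/sysctl.conf
echo "net.ipv4.ip_local_port_range=10240 65535" >> /etc/sysctl.conf
echo "net.ipv4.tcp_syncookies=1" >> /etc/sysctl.conf
echo "net.ipv4.tcp_tw_reuse=1" >> /etc/sysctl.conf
# tcp_tw_recycle deliberately left out: with timestamps on it drops SYNs from clients
# behind a shared NAT (the kernel documentation advises against it, and the knob was
# removed in Linux 4.12). tcp_tw_reuse above covers the outbound case.
# echo "net.ipv4.tcp_tw_recycle=1" >> /etc/sysctl.conf
sysctl -p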
0x0B Docker
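# Install Docker CE from the upstream repo, going through the SOCKS proxy for the
# download.docker.com steps.
yum remove docker \
docker-client \
docker-client-latest \
docker-common \
docker-latest \
docker-latest-logrotate \
docker-logrotate \
docker-selinux \
docker-engine-selinux \
docker-engine
yum install -y yum-utils \
device-mapper-persistent-data \
lvm2
# The binary built in section 0x06 is `proxychains4`; the original lines said
# `proxychain4`, which does not exist.
proxychains4 yum-config-manager \
--add-repo \
https://download.docker.com/linux/centos/docker-ce.repo
proxychains4 yum list docker-ce --showduplicates | sort -r
yum-config-manager --enable docker-ce-edge
# yum-config-manager --enable docker-ce-test
proxychains4 yum install docker-ce
systemctl start docker
# Daemon config: a registry mirror plus one private registry reached over plain HTTP.
# insecure-registries switches off TLS verification for that host, so keep it limited
# to the trusted LAN address.
sudo tee /etc/docker/daemon.json <<-'EOF'
{
"registry-mirrors": ["https://hkdkcqqo.mirror.aliyuncs.com"],
"insecure-registries":["10.25.13.233:5000"]
}
EOF
systemctl daemon-reload
systemctl restart docker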
0x0C VeryNginx
https://github.com/alexazhou/VeryNginx
0x0D PWN_Docker
https://github.com/Eadom/ctf_xinetd
0x0E Web_Docker
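# Per-challenge web container from the tutum/lamp image.
docker pull tutum/lamp
# $NAME, $PORT and $SRC_DIR are placeholders to fill in. The original used $PATH for
# the host directory — that is the shell's own search path and expands to it literally.
docker run -dt --restart=always --name=$NAME -p $PORT:80 -v $SRC_DIR:/var/www/html/ tutum/lamp
# $conid: container id or name from `docker ps`.
docker exec -it $conid /bin/bash
# Inside the container: stop Apache before rewriting its MPM config. pkill sends
# SIGTERM to every apache2 process; the original `ps aux|grep` + `kill -9` skipped
# graceful shutdown and needed the pids pasted by hand.
pkill apache2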
***************************************************************
~~~~~ APACHE2 ~~~~~
# Inside the container: prefork MPM sized for heavy contest load (1500 workers,
# children recycled after 200000 connections). Quoted heredoc: written verbatim.
# NOTE(review): each prefork worker is a full process — check the host's RAM before
# using this variant; the 800-worker variant below is the lighter option.
tee /etc/apache2/mods-available/mpm_prefork.conf <<-'EOF'
# prefork MPM
# StartServers: number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
# MaxSpareServers: maximum number of server processes which are kept spare
# MaxRequestWorkers: maximum number of server processes allowed to start
# MaxConnectionsPerChild: maximum number of requests a server process serves
<IfModule mpm_prefork_module>
ServerLimit 1500
StartServers 60
MinSpareServers 60
MaxSpareServers 100
MaxRequestWorkers 1500
MaxConnectionsPerChild 200000
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
EOF
****************************OR**********************************
# Lighter prefork variant (800 workers, children recycled after 5000 connections).
tee /etc/apache2/mods-available/mpm_prefork.conf <<-'EOF'
# prefork MPM
# StartServers: number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
# MaxSpareServers: maximum number of server processes which are kept spare
# MaxRequestWorkers: maximum number of server processes allowed to start
# MaxConnectionsPerChild: maximum number of requests a server process serves
<IfModule mpm_prefork_module>
ServerLimit 800
StartServers 20
MinSpareServers 20
MaxSpareServers 50
MaxRequestWorkers 800
MaxConnectionsPerChild 5000
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
EOF
**************************************************************
###### access.log is configured in ########
/etc/apache2/conf-available/other-vhosts-access-log.conf
/etc/apache2/sites-available/000-default.conf
# Start Apache again after it was stopped above and the MPM config rewritten
# (`service apache2 restart` also works if it is still running).
service apache2 start
##### Change configuration of apache2
**************************************************************
~~~~~~ MYSQL ~~~~~~~
-- Run in the container's mysql client as root. Audit the existing accounts first.
-- NOTE(review): selecting the Password column assumes a pre-5.7 server (5.7 renamed
-- it to authentication_string) — confirm the image's MySQL version.
select Host,User,Password from mysql.user;
-- Placeholder, not valid SQL: $(...) is shell syntax. Real form: DROP USER 'user'@'host';
drop user $(USER@ADDRESS)
-- Drop the root@::1 (IPv6 loopback) login.
delete from mysql.user where user='root' and host='::1';
-- Sample root password (see "just for example" below) — replace per deployment.
set password for root@localhost = password('eySvyLyA5U');
flush privileges;
-- NOTE(review): writing mysql.user directly bypasses CREATE USER and depends on the
-- table layout; the GRANT ... IDENTIFIED BY two lines down sets the same account's
-- password anyway. CREATE USER is the portable form.
insert into mysql.user(Host,User,Password) values("localhost","sqlipre",password("OFgbig6vkK"));
flush privileges;
-- Application account scoped to the challenge database only (not *.*).
grant all privileges on userDB.* to sqlipre@localhost identified by 'OFgbig6vkK';
flush privileges;
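##### just for example!!
# -p<password> on the command line lands in the process list and shell history;
# a bare -p makes mysql prompt for it instead.
mysql -uroot -p -e "set GLOBAL max_connections=512"
mysql -uroot -p -e "show variables" |grep max_connection
# SET GLOBAL is lost when mysqld restarts; a persistent value goes under [mysqld]
# in the container's my.cnf (baked into the image or mounted in).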
### Change configuration of Mysql
#### Question!!! : How to change the MySQL configuration inside the container permanently???
************************************************************
0x0F Nginx configuration example
# Reverse-proxy one challenge through nginx on port 80.
server {
listen 80;
server_name localhost;
# Per-challenge logs; relative paths are resolved against the nginx prefix directory.
access_log logs/zzq_q2/access.log;
error_log logs/zzq_q2/error.log;
index index.html index.htm index.php;
## send request back to apache ##
# The random path prefix is the only thing gating the backend. The trailing slash on
# proxy_pass strips /zoTdRB4sBp before forwarding, so the backend sees the path as /.
location /zoTdRB4sBp {
proxy_pass http://10.25.13.111:8001/;
#Proxy Settings
proxy_redirect off;
# Pass the original host and client address so the backend can log/limit per client.
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# NOTE(review): with a single backend address this retry list has little effect; it
# matters once proxy_pass points at an upstream group.
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
# 0 = never spool upstream responses to disk.
proxy_max_temp_file_size 0;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
}
}
0x10 Mysql
# MySQL 5.7 from the official community repo (the host-level database).
wget https://repo.mysql.com//mysql57-community-release-el7-11.noarch.rpm
# The release rpm registers the repo and its signing key; the packages installed
# afterwards are verified as long as gpgcheck stays enabled in the repo file.
yum localinstall mysql57-community-release-el7-11.noarch.rpm
sudo yum install mysql-server
systemctl enable mysqld.service
systemctl start mysqld.service
# Overwrites /etc/my.cnf wholesale (quoted heredoc: written verbatim). max_connections
# here is 2048 while section 0x09 edits the same file to 4096 — keep one value.
tee /etc/my.cnf <<-'EOF'
# For advice on how to change settings please see
# http://dev.mysql.com/doc/refman/5.7/en/server-configuration-defaults.html
[mysqld]
lower_case_table_names=1
#
# Remove leading # and set to the amount of RAM for the most important data
# cache in MySQL. Start at 70% of total RAM for dedicated server, else 10%.
# innodb_buffer_pool_size = 128M
#
# Remove leading # to turn on a very important data integrity option: logging
# changes to the binary log between backups.
# log_bin
#
# Remove leading # to set options mainly useful for reporting servers.
# The server defaults are faster for transactions and fast SELECTs.
# Adjust sizes as needed, experiment to find the optimal values.
# join_buffer_size = 128M
# sort_buffer_size = 2M
# read_rnd_buffer_size = 2M
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
sql_mode='NO_AUTO_VALUE_ON_ZERO,STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION,PIPES_AS_CONCAT,ANSI_QUOTES'
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
max_connections = 2048
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
EOF
systemctl restart mysqld
####! about password
# skip-grant-tables is a [mysqld] option that turns off ALL authentication on the server.
# If it is used to reset a lost root password, remove it and restart mysqld as soon as
# the password is changed. On 5.7 the initial root password is printed to
# /var/log/mysqld.log (grep 'temporary password' /var/log/mysqld.log), so a fresh
# install normally does not need this at all.
skip-grant-tables = 1
##### then change the password
0x11 Dockerfile
# Challenge image for the xinetd-based pwn setup (section 0x0D): Ubuntu 16.04 with
# 32-bit runtime libs, xinetd, socat and Python 2.7.
FROM ubuntu:16.04
RUN dpkg --add-architecture i386
# Use the Aliyun apt mirror (faster from this network).
RUN sed -i "s/http:\/\/archive.ubuntu.com/http:\/\/mirrors.aliyun.com/g" /etc/apt/sources.list
RUN apt-get update && apt-get -y dist-upgrade
RUN apt-get install -y xinetd libc6:i386 libncurses5:i386 libstdc++6:i386 socat
RUN apt-get install -y python2.7 python-pip
# Unprivileged account the challenge runs under; it owns nothing under /home/ctf.
RUN useradd -m ctf
# NOTE(review): everything in ./CollisionsGame/ is stored in this layer, including
# .sec_key and requirements.txt; the rm below only hides them in a later layer, they
# remain in the image history. Keep the key out of the build context (.dockerignore)
# or inject it at run time instead.
ADD ./CollisionsGame/ /home/ctf/
# Message xinetd shows when a connection is refused.
RUN echo "Blocked by xinetd" > /etc/banner_fail
# root owns the challenge files; group ctf can read/execute but not modify them
# (750 on the tree, 740 on the sources).
RUN chown -R root:ctf /home/ctf &&\
chmod -R 750 /home/ctf &&\
pip install -r /home/ctf/requirements.txt -i https://pypi.doubanio.com/simple &&\
rm -f /home/ctf/requirements.txt &&\
rm -f /home/ctf/.sec_key &&\
rm -f /home/ctf/*.pyc &&\
chmod 740 /home/ctf/*.py &&\
chmod 740 /home/ctf/*.js &&\
chmod 740 /home/ctf/*.txt
WORKDIR /home/ctf
# NOTE(review): there is no USER directive and xinetd is not started here, so this
# script runs as root unless the run-time setup (ctf_xinetd) overrides the command — confirm.
CMD ["python", "43ababd8a4588d639330bf35abdc6e05.py"]
EXPOSE 9999
0x12 Redis