Linux file extraction
date
Mar 25, 2022
slug
take-out-file-from-linux
status
Published
tags
Firmware security
summary
Study notes from my internship....
type
Post
Overall boot flow
BIOS → MBR → LILO/GRUB → Linux → User Space
The MBR is a small piece of data at the head of the boot disk: 512 bytes of machine code whose job is to load Stage 2.
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2Fc113620e-b4a6-4a92-bee1-d70b242f1a2f%2F847bc0b4-3a9b-43b7-90e6-3193cc6d084e%2FUntitled.png%3Fid%3Dd58697e1-56db-478e-b308-4b6bbe774bbe%26table%3Dblock%26spaceId%3Dc113620e-b4a6-4a92-bee1-d70b242f1a2f%26expirationTimestamp%3D1722067200000%26signature%3Dx5XyUGTttYRCVm9phgapVLNUKtK8QhhPYlPxi7gR-9c?table=block&id=d58697e1-56db-478e-b308-4b6bbe774bbe&cache=v2)
By the time GRUB shows the screen below it is usually in stage 1.5 or Stage 2; at Stage 2 the file system has already been read. After entering the screen shown below, a series of commands is available, which amounts to executing the contents of Stage 2.
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2Fc113620e-b4a6-4a92-bee1-d70b242f1a2f%2Fffcd5882-74bc-4be2-bfd5-c0a675a06141%2FUntitled.png%3Fid%3D24201e0f-f305-4e71-a52c-576a8f6dc0b5%26table%3Dblock%26spaceId%3Dc113620e-b4a6-4a92-bee1-d70b242f1a2f%26expirationTimestamp%3D1722067200000%26signature%3Df0WlaOJotbZJQqoTA3jy2bugjXp3ByrAh7InSer7XWM?table=block&id=24201e0f-f305-4e71-a52c-576a8f6dc0b5&cache=v2)
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2Fc113620e-b4a6-4a92-bee1-d70b242f1a2f%2F8420ce93-fa41-422f-922c-662847c691c9%2FUntitled.png%3Fid%3D3cbd4949-41d0-4a14-8bed-0974fbb60bb8%26table%3Dblock%26spaceId%3Dc113620e-b4a6-4a92-bee1-d70b242f1a2f%26expirationTimestamp%3D1722067200000%26signature%3DN1t5KuPW_aCS03FF5viKLCe-UjfBO_7HJVPLtpbZmRs?table=block&id=3cbd4949-41d0-4a14-8bed-0974fbb60bb8&cache=v2)
GRUB files corresponding to the stages above
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2Fc113620e-b4a6-4a92-bee1-d70b242f1a2f%2Fa3bf8bac-cded-4a2c-90a5-3ad0fa82f41c%2FUntitled.png%3Fid%3D510679a0-9e44-494a-8be7-c35a9e36f7e0%26table%3Dblock%26spaceId%3Dc113620e-b4a6-4a92-bee1-d70b242f1a2f%26expirationTimestamp%3D1722067200000%26signature%3D7mq3HCTUxwBCDwnR3DsEZzPVRaGM3OUaHlrv7QfQ6cs?table=block&id=510679a0-9e44-494a-8be7-c35a9e36f7e0&cache=v2)
This picture shows that the grub directory contains all kinds of .mod files that can be loaded. It also shows that the Linux system starts at sector 2048, which means the preceding sectors hold the Stage 1 and Stage 1.5 content; in this directory those are boot.img and core.img respectively.
The GRUB detail page looks like this:
An entry usually consists of a few commands, and different systems have different commands. In the picture below the linux command loads the Linux kernel, and what follows it are the option parameters; entries all take this form. initrd loads a RAM disk.
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2Fc113620e-b4a6-4a92-bee1-d70b242f1a2f%2Fae697e52-f2b2-462b-9551-05c4967bfa71%2FUntitled.png%3Fid%3D8e219a14-a826-4df7-8bf1-7388ac6d9920%26table%3Dblock%26spaceId%3Dc113620e-b4a6-4a92-bee1-d70b242f1a2f%26expirationTimestamp%3D1722067200000%26signature%3Dn32Bn88V5Mti4hXC8y9_cWQlDAzPCMpH836_mKVRIAo?table=block&id=8e219a14-a826-4df7-8bf1-7388ac6d9920&cache=v2)
Initialization-related parameters
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2Fc113620e-b4a6-4a92-bee1-d70b242f1a2f%2Ff37cfc9d-1450-4eb8-8f7d-3b3f37947267%2FUntitled.png%3Fid%3D35163b59-d099-4532-a8dd-3a31fa26ac54%26table%3Dblock%26spaceId%3Dc113620e-b4a6-4a92-bee1-d70b242f1a2f%26expirationTimestamp%3D1722067200000%26signature%3DMrWFgHxg-_FhoXrKOIrox46uKa2mKs-XlLA-UXdAAWU?table=block&id=35163b59-d099-4532-a8dd-3a31fa26ac54&cache=v2)
The parameter with "rd" specifies the init program that runs while still in the RAM disk; the one without it specifies the init program loaded at the other stage. Either way, they are used to specify the init program.
Single-user mode
It grants the superuser privileges on a Unix system; usually it can only be entered through the boot menu when you are in front of the physical host. The logic that decides whether to enter single-user mode lives in the init program.
Obtaining a shell by specifying the rdinit program
Prerequisites:
1. The root file system is not encrypted
2. The GRUB menu is not password-protected
3. The kernel supports the rdinit= command line
4. initrd/initramfs is used, i.e. an initrd command is present in the entry
Procedure: in the GRUB menu press e to enter edit mode and add
rdinit=/bin/bash
to the kernel parameters, which sets the init program inside the initrd/initramfs to /bin/bash; boot with it and the initialization flow is bypassed. Result: you get a shell, but only a shell of the initrd/initramfs environment, i.e. the RAM disk (essentially a temporary environment), not a shell of the final system.
Corresponding exercise: normal-with-initramfs
You can see that the entry contains an initrd command
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2Fc113620e-b4a6-4a92-bee1-d70b242f1a2f%2Ffbdd7242-9068-422c-84e8-8f82d0f0a26c%2FUntitled.png%3Fid%3D8f0d2020-92de-443a-a8bd-d9279934304d%26table%3Dblock%26spaceId%3Dc113620e-b4a6-4a92-bee1-d70b242f1a2f%26expirationTimestamp%3D1722067200000%26signature%3D1h0nESh5mk1WnAVlOgY8jfhtKJSfjTegpQoU6nQxTKc?table=block&id=8f0d2020-92de-443a-a8bd-d9279934304d&cache=v2)
Just add
rdinit=/bin/bash
on top of it to get a shell
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2Fc113620e-b4a6-4a92-bee1-d70b242f1a2f%2F41fbefd7-d180-46cb-8a97-1fcca3f95874%2FUntitled.png%3Fid%3D5562fe8f-244b-4cdc-938c-0fa10d6a5c77%26table%3Dblock%26spaceId%3Dc113620e-b4a6-4a92-bee1-d70b242f1a2f%26expirationTimestamp%3D1722067200000%26signature%3DiwSzxbWSXXHOAPMh-82XyPOvaj0KBD-xwRwftecZCSQ?table=block&id=5562fe8f-244b-4cdc-938c-0fa10d6a5c77&cache=v2)
This is only a shell of the intermediate environment; normally the init file in the current directory would be executed for initialization, and only after init finishes is the file system mounted into the real environment.
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2Fc113620e-b4a6-4a92-bee1-d70b242f1a2f%2F0c91aab6-5ac5-4d1f-b078-baf8293024a0%2FUntitled.png%3Fid%3Db5eb524c-472b-40b0-b929-199c8bfcb748%26table%3Dblock%26spaceId%3Dc113620e-b4a6-4a92-bee1-d70b242f1a2f%26expirationTimestamp%3D1722067200000%26signature%3DBqnqJIwkdSK3DyFRdosnNYkZdtNFjzGEqvetScxuMY4?table=block&id=b5eb524c-472b-40b0-b929-199c8bfcb748&cache=v2)
Contents of the init file
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2Fc113620e-b4a6-4a92-bee1-d70b242f1a2f%2Faa426db4-1077-4a3e-b552-9cca9468f621%2FUntitled.png%3Fid%3D09ddfb4e-502e-4de7-91e6-fe74d8432e08%26table%3Dblock%26spaceId%3Dc113620e-b4a6-4a92-bee1-d70b242f1a2f%26expirationTimestamp%3D1722067200000%26signature%3DmwVLwCy8SlcPAUvlhDtbtXQ3DG2Vema3DXSpV-aWcLE?table=block&id=09ddfb4e-502e-4de7-91e6-fe74d8432e08&cache=v2)
Obtaining a shell by specifying the init program
Prerequisites:
The root file system is not encrypted, the GRUB menu is not password-protected, the kernel supports the init= command line, and no initrd/initramfs is used
Procedure: enter GRUB edit mode and add
init=/bin/bash
to the kernel parameters to bypass the init flow and get a shell directly. Result: the root file system's initialization flow is interrupted and you get a shell on the root file system
Compared with the previous case, the difference is that the entry has no RAM disk command. In practice both approaches should be tried, because sometimes the RAM disk is written well enough that the init command also gets you straight into the shell, so analyze according to the actual situation.
Corresponding exercise: normal-without-initramfs
Without a RAM disk, use the init command to specify the program to start
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2Fc113620e-b4a6-4a92-bee1-d70b242f1a2f%2F41743beb-6e73-459f-a2e1-372cae24fc63%2FUntitled.png%3Fid%3D8365e2c2-58d5-45ad-92d8-702e680b3b31%26table%3Dblock%26spaceId%3Dc113620e-b4a6-4a92-bee1-d70b242f1a2f%26expirationTimestamp%3D1722067200000%26signature%3DqA73e6hY4Mh9lnEpJAnaq6VptYJ6_l923JFCqeNPCXo?table=block&id=8365e2c2-58d5-45ad-92d8-702e680b3b31&cache=v2)
A root file system shell is obtained directly
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2Fc113620e-b4a6-4a92-bee1-d70b242f1a2f%2Febf7e643-b794-4e40-894f-e9c03a8c42a4%2FUntitled.png%3Fid%3D594d7e80-86f0-4543-9614-733b7c31e563%26table%3Dblock%26spaceId%3Dc113620e-b4a6-4a92-bee1-d70b242f1a2f%26expirationTimestamp%3D1722067200000%26signature%3D_GVMCS2kGJtjMu7hTCJlQncBeM8MVLjr4P3nanWInWA?table=block&id=594d7e80-86f0-4543-9614-733b7c31e563&cache=v2)
Countering the two cases above
Disable the init/rdinit kernel parameters in the kernel by commenting out the relevant function's contents when compiling it. A real-world case:
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2Fc113620e-b4a6-4a92-bee1-d70b242f1a2f%2Fb3bba534-e928-4a9d-9014-9871db87272c%2FUntitled.png%3Fid%3D10437ff4-b1ad-43b7-92c4-1299586f12f1%26table%3Dblock%26spaceId%3Dc113620e-b4a6-4a92-bee1-d70b242f1a2f%26expirationTimestamp%3D1722067200000%26signature%3DxZjHWHs-Fwq7rFygpV-tlQSaQPE7-Xp2fq1hojIddXk?table=block&id=10437ff4-b1ad-43b7-92c4-1299586f12f1&cache=v2)
Obtaining a shell via single-user mode
Prerequisites: the root file system is not encrypted, the GRUB menu is not password-protected, no initrd/initramfs is used, and the init program supports single-user mode
Procedure: press e in GRUB to enter edit mode and add the single-user mode parameter to the kernel parameters
Result: the root file system enters single-user mode and you get a root file system shell
Corresponding exercise: normal-without-initramfs
Add the single parameter
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2Fc113620e-b4a6-4a92-bee1-d70b242f1a2f%2F63036d6c-68f8-4ccc-ac10-23112364e54b%2FUntitled.png%3Fid%3Ddd22e599-9314-4c1c-ab61-84ac7b2c6b7a%26table%3Dblock%26spaceId%3Dc113620e-b4a6-4a92-bee1-d70b242f1a2f%26expirationTimestamp%3D1722067200000%26signature%3Db6GSHq14e-TbEWFxgQw_6SpFnsXJfmK1RDTzxgsSsIk?table=block&id=dd22e599-9314-4c1c-ab61-84ac7b2c6b7a&cache=v2)
A file system shell is obtained directly
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2Fc113620e-b4a6-4a92-bee1-d70b242f1a2f%2Fa9b277cd-6d09-4a39-8515-945f5db0698d%2FUntitled.png%3Fid%3Dc9e06301-fcb4-4dfc-9ca8-d3e67fe48468%26table%3Dblock%26spaceId%3Dc113620e-b4a6-4a92-bee1-d70b242f1a2f%26expirationTimestamp%3D1722067200000%26signature%3DxaPGI75qCU_tmp7Uzp97L8YxUZMN7KUhH60nkN92174?table=block&id=c9e06301-fcb4-4dfc-9ca8-d3e67fe48468&cache=v2)
Single-user mode can also be disabled
Operating on the disk directly
Prerequisites: the root file system is not encrypted, and the tool used supports the target file system
Procedure: boot the target virtual machine from a third-party live CD, mount the disk and read the relevant contents
This method feels the most common and easiest to pick up; I used it earlier when digging into the Qizhi bastion host
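As an added, defender-side example that is not from the original notes: a small POSIX sh audit that checks whether a host still satisfies the prerequisites listed for the three shell-obtaining techniques above (no init=/rdinit=/single on the kernel command line, a GRUB superuser password, LUKS under the root file system). The grub.cfg directives and lsblk column names are real; the sample inputs are constructed, and the function names are my own.

```shell
# Added audit helper (not part of the original notes): checks the prerequisites the
# techniques above rely on. Inputs are strings, so it runs on constructed samples; on a
# live host feed it /proc/cmdline, grub.cfg and `lsblk -o NAME,TYPE,FSTYPE,MOUNTPOINT`.

# True (0) when the kernel command line overrides init or asks for single-user mode.
cmdline_overrides() {
    found=1
    for tok in $1; do
        case "$tok" in
            init=*|rdinit=*|single|1) echo "override token: $tok" >&2; found=0 ;;
        esac
    done
    return $found
}

# True when grub.cfg names a superuser and a PBKDF2 hash, so 'e' on an entry
# prompts for a password instead of opening the editor.
grub_protected() {
    printf '%s\n' "$1" | grep -q '^set superusers=' &&
        printf '%s\n' "$1" | grep -q '^password_pbkdf2 '
}

# True when lsblk shows a crypto_LUKS partition and / mounted from a crypt mapping,
# so a live CD cannot mount the root file system without the passphrase.
root_encrypted() {
    printf '%s\n' "$1" | awk '$3 == "crypto_LUKS" { luks = 1 }
        $2 == "crypt" && $4 == "/" { onroot = 1 }
        END { exit !(luks && onroot) }'
}

# Prints one FAIL line per missing protection, then "failures=N".
audit_boot() {
    n=0
    if cmdline_overrides "$1"; then echo "FAIL: init/rdinit/single on cmdline"; n=$((n+1)); fi
    grub_protected "$2" || { echo "FAIL: grub.cfg has no superuser password"; n=$((n+1)); }
    root_encrypted "$3" || { echo "FAIL: root file system is not on LUKS"; n=$((n+1)); }
    echo "failures=$n"
}

# Constructed samples, not captured from a real host.
CMDLINE_BAD='BOOT_IMAGE=/vmlinuz root=/dev/sda2 ro quiet rdinit=/bin/bash'
CMDLINE_OK='BOOT_IMAGE=/vmlinuz root=/dev/mapper/cryptroot ro quiet'
GRUB_OK='set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.PLACEHOLDERSALT.PLACEHOLDERHASH'
GRUB_BAD='menuentry "Linux" { linux /vmlinuz; initrd /initrd.img }'
LSBLK_OK='sda2        part  crypto_LUKS
└─cryptroot crypt ext4        /'
LSBLK_BAD='sda2 part ext4 /'
```

Run `audit_boot "$(cat /proc/cmdline)" "$(cat /boot/grub/grub.cfg)" "$(lsblk -o NAME,TYPE,FSTYPE,MOUNTPOINT)"` on a real host; a hardened machine prints `failures=0`.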
The LUKS disk encryption case
This method builds on the analysis of the previous one
In this situation the disk is usually not entirely encrypted; there are usually some unencrypted parts we can work on
The methods above most likely won't get in, so use direct disk operation instead: mount the relevant contents inside the live CD and work from there
Corresponding program: luks-with-initramfs
Use fdisk to inspect the disk. Two things can be seen: sda1, which can be mounted, and another partition that cannot be mounted
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2Fc113620e-b4a6-4a92-bee1-d70b242f1a2f%2Ffcab785d-7038-4dd5-b035-81bd5a7cff5f%2FUntitled.png%3Fid%3Df0e0611f-7908-482c-ab51-4e29b1a2e7e2%26table%3Dblock%26spaceId%3Dc113620e-b4a6-4a92-bee1-d70b242f1a2f%26expirationTimestamp%3D1722067200000%26signature%3Doru7thz46h3T6FBLVwEkNmDb_kogACixfVrY3028GCY?table=block&id=f0e0611f-7908-482c-ab51-4e29b1a2e7e2&cache=v2)
Now we can go into sda1 and find the relevant information: unpack the luks-initramfs.gz file (gzip -kd). It is in cpio format, a RAM disk scheme; older ones might be ext4 or similar
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2Fc113620e-b4a6-4a92-bee1-d70b242f1a2f%2F717d97cb-ff5a-4234-a354-fee2a27fb8c2%2FUntitled.png%3Fid%3D01c6d97f-e9cb-4539-b1f5-4f5eea3ebaab%26table%3Dblock%26spaceId%3Dc113620e-b4a6-4a92-bee1-d70b242f1a2f%26expirationTimestamp%3D1722067200000%26signature%3DAbxJ0LWTmvaeoSoLBpJ_1jA_GJPRDngxKPwI1NtAkT0?table=block&id=01c6d97f-e9cb-4539-b1f5-4f5eea3ebaab&cache=v2)
Move that file to the tmp directory and run
cpio -div < initramfs
to unpack it, which yields the system inside the RAM disk. We already know that the init file is executed next before entering the real file system
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2Fc113620e-b4a6-4a92-bee1-d70b242f1a2f%2F40b4fb35-f4d1-4cba-a069-f900bbef548c%2FUntitled.png%3Fid%3D521f1948-2448-4127-8389-23cfd1f4e10c%26table%3Dblock%26spaceId%3Dc113620e-b4a6-4a92-bee1-d70b242f1a2f%26expirationTimestamp%3D1722067200000%26signature%3DmJz4lSXp35h5_kO5NqY163hHPdNrx_FRhmO27m_y8XQ?table=block&id=521f1948-2448-4127-8389-23cfd1f4e10c&cache=v2)
Looking at the init file now reveals the encryption-related code
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2Fc113620e-b4a6-4a92-bee1-d70b242f1a2f%2F6fc709ea-37e4-4ca8-b64d-a5ca46a92da2%2FUntitled.png%3Fid%3Dfe0f5dd6-0327-49c4-9331-60765dcb2406%26table%3Dblock%26spaceId%3Dc113620e-b4a6-4a92-bee1-d70b242f1a2f%26expirationTimestamp%3D1722067200000%26signature%3DGM8S-1NxyjFOaBG93XSJHtfbn47OLDVs6PeruKKujJg?table=block&id=fe0f5dd6-0327-49c4-9331-60765dcb2406&cache=v2)
Just copy and paste those few commands; the mnt directory then holds the relevant file tree
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2Fc113620e-b4a6-4a92-bee1-d70b242f1a2f%2Faa89a0ea-a47e-418c-b4b1-c0ac097307e6%2FUntitled.png%3Fid%3Dba8db081-bf8a-47b5-9d36-a110fcebc443%26table%3Dblock%26spaceId%3Dc113620e-b4a6-4a92-bee1-d70b242f1a2f%26expirationTimestamp%3D1722067200000%26signature%3DD1CkqDZL2j66lEEUynGZ-wskLmE6FZcS9KREQNsxIoU?table=block&id=ba8db081-bf8a-47b5-9d36-a110fcebc443&cache=v2)
Countering the extraction method above
The best approach is to encrypt the initramfs file itself, so that it can no longer be unpacked directly with
cpio
. The encrypted file is decrypted at two points: in the GRUB bootloader, and when the kernel processes it.
Countering the protection above in turn
As mentioned above, the encrypted content is handled at two points, so either one can be the starting point. This involves debugging the virtual machine in VMware: extract vmlinux, debug it together with IDA, find the key, and finally try various decryption methods to decrypt the compressed content.
I'll study the specific debugging steps when I have time.......