Author: Zhensheng Yuan

NOTE

2019 九月广东强网杯 CTF 部分题 Writeup

MISC 抓灰阔下载misc4.pcap，用Wireshark打开，前面部分的HTTP请求是明文的，到了后面变成了密文。从序号69的数据包可得知黑客登入Tomcat部署了一个war文件：提取war，其中有个main.jsp文件，内容如下：根据其中的代码，可知后面的post body经过加密，并且作为Java Class文件加载解密后的内容，调用其中的equal()方法，从序号154的数据包提取密码：ba4ae3277932b0a2，如图：编写Java代码对后面的post body以及服务器的response body进行解密以及main.jsp，得知post body为加密后的Jav […]

Unix Like

[Updated] libvirt & qemu change VNC password without restart

文章【libvirt & qemu无需重启（在线）更改VNC密码】已于2019-02-17更新。有两个方法，一个是通过libvirt的virDomainUpdateDeviceFlags接口，另一个是通过qemu-monitor。以下把“DOMAIN_NAME”替换为虚拟机的名称，“YOU_NEW_VNC_PASSWORD”替换为你的新密码。通过virDomainUpdateDeviceFlags接口使用libvirt管理虚拟机的情况下，这个方法是首选，libvirt官方是不推荐使用了libvirt的情况下操纵qemu-monitor的。首先编写VNC graphic的XML […]

Unix Like

qemu with pool/volume storage: Could not open ‘xxxxxxx’: Permission denied

volume信息：

# virsh vol-list test
 Name                 Path                                    
------------------------------------------------------------------------------
 test.qcow2           /virt/test.qcow2

# virsh vol-list test

Name Path

------------------------------------------------------------------------------

test.qcow2 /virt/test.qcow2

虚拟机disk配置：

# virsh dumpxml Test
...
    <disk type='volume' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source pool='test' volume='test.qcow2'/>
      <target dev='vda' bus='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
    </disk>
...

# virsh dumpxml Test

...

</disk>

...

启动虚拟机：

# virsh start Test
error: Failed to start domain Test
error: internal error: process exited while connecting to monitor: 2019-02-06T12:54:47.722297Z qemu-system-x86_64: -drive file=/virt/test.qcow2,format=qcow2,if=none,id=drive-virtio-disk0: Could not open '/virt/test.qcow2': Permission denied

# virsh start Test

error: Failed to start domain Test

error: internal error: process exited while connecting to monitor: 2019-02-06T12:54:47.722297Z qemu-system-x86_64: -drive file=/virt/test.qcow2,format=qcow2,if=none,id=drive-virtio-disk0: Could not open '/virt/test.qcow2': Permission denied

查看syslog：

# cat /var/log/syslog
...
kernel: [ 6551.331932] audit: type=1400 audit(1549457961.800:209): apparmor="DENIED" operation="open" profile="libvirt-5831a051-78ee-43b4-a15d-6e520b1b3ab7" name="/virt/test.qcow2" pid=27204 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
...

# cat /var/log/syslog

...

kernel: [ 6551.331932] audit: type=1400 audit(1549457961.800:209): apparmor="DENIED" operation="open" profile="libvirt-5831a051-78ee-43b4-a15d-6e520b1b3ab7" name="/virt/test.qcow2" pid=27204 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

...

似乎没找比较好的方法解决此问题。一个选择是弃用type=’volume’，改成type=’file’。另一种选择是关闭apparmor：

# vim /etc/libvirt/qemu.conf
...
security_driver = "none"
...
# systemctl restart libvirtd

# vim /etc/libvirt/qemu.conf

...

security_driver = "none"

...

# systemctl restart libvirtd

&n […]

Unix Like

libvirtd: virNetTLSContextValidCertificate:994 : Unable to verify TLS peer: No certificate was found.

Jan 29 06:20:12 debian libvirtd[3363]: 2019-01-29 11:20:12.116+0000: 3363: error : virNetTLSContextValidCertificate:994 : Unable to verify TLS peer: No certificate was found.
Jan 29 06:20:12 debian libvirtd[3363]: 2019-01-29 11:20:12.116+0000: 3363: warning : virNetTLSContextCheckCertificate:1125 : Certificate check failed Unable to verify TLS peer: No certificate was found.
Jan 29 06:20:12 debian libvirtd[3363]: 2019-01-29 11:20:12.116+0000: 3363: error : virNetTLSContextCheckCertificate:1128 : authentication failed: Failed to verify peer's certificate

Jan 29 06:20:12 debian libvirtd[3363]: 2019-01-29 11:20:12.116+0000: 3363: error : virNetTLSContextValidCertificate:994 : Unable to verify TLS peer: No certificate was found.

Jan 29 06:20:12 debian libvirtd[3363]: 2019-01-29 11:20:12.116+0000: 3363: warning : virNetTLSContextCheckCertificate:1125 : Certificate check failed Unable to verify TLS peer: No certificate was found.

Jan 29 06:20:12 debian libvirtd[3363]: 2019-01-29 11:20:12.116+0000: 3363: error : virNetTLSContextCheckCertificate:1128 : authentication failed: Failed to verify peer's certificate

使用TLS连接libvirtd时，默认需要验证客户端是否拥有由CA签名的证书，详见libvirtd配置文件（/etc/libvirt/libvirtd.conf）：

# Flag to disable verification of client certificates
#
# Client certificate verification is the primary authentication mechanism.
# Any client which does not present a certificate signed by the CA
# will be rejected.
#
# Default is to always verify. Uncommenting this will disable
# verification - make sure an IP whitelist is set
#tls_no_verify_certificate = 1

# Flag to disable verification of client certificates

# Client certificate verification is the primary authentication mechanism.

# Any client which does not present a certificate signed by the CA

# will be rejected.

# Default is to always verify. Uncommenting this will disable

# verification - make sure an IP whitelist is set

#tls_no_verify_certificate = 1

取消此行的注释即可关闭此验证（当然你得启用其它身份认证途径）：

#tls_no_verify_certificate = 1

1	#tls_no_verify_certificate = 1

也可选择以让CA给客户端签发证书：

# 自行修改CA私钥与证书的路径
CA_KEY_FILE_PATH="/etc/pki/libvirt/private/cakey.pem"
CA_CERTIFICATE_FILE_PATH="/etc/pki/CA/cacert.pem"

# 客户端私钥，CSR，证书保存路径
PKI_PREFIX="/tmp/client_pki/"
CLIENT_PRIVATE_KEY_FILE_PATH="${PKI_PREFIX}/clientkey.pem"
CLIENT_CSR_FILE_PATH="${PKI_PREFIX}/clientcsr.pem"
CLIENT_CERTIFICATE_FILE_PATH="${PKI_PREFIX}/clientcert.pem"

oldUmask=$(umask)
umask 0077
mkdir -p ${PKI_PREFIX}

# 生成客户端私钥
openssl genrsa -out ${CLIENT_PRIVATE_KEY_FILE_PATH} 2048
# 生成客户端CSR，根据自己需要自行修改subjects
openssl req -new -key ${CLIENT_PRIVATE_KEY_FILE_PATH} -subj "/C=CN/ST=China/L=China/O=China/OU=China/CN=ClientCommonName" -out ${CLIENT_CSR_FILE_PATH}
# CA通过CSR签发证书，根据需要自行修改有效期
openssl x509 -req -in ${CLIENT_CSR_FILE_PATH} -CA ${CA_CERTIFICATE_FILE_PATH} -CAkey ${CA_KEY_FILE_PATH} -CAcreateserial -out ${CLIENT_CERTIFICATE_FILE_PATH} -days 3650
# 把CA证书放进去
cat ${CA_CERTIFICATE_FILE_PATH} > ${PKI_PREFIX}/cacert.pem

umask ${oldUmask}

# 把${PKI_PREFIX}传送到客户端
# scp -r ${PKI_PREFIX} username@host:~/libvirt-server-pki

# 自行修改CA私钥与证书的路径

CA_KEY_FILE_PATH="/etc/pki/libvirt/private/cakey.pem"

CA_CERTIFICATE_FILE_PATH="/etc/pki/CA/cacert.pem"

# 客户端私钥，CSR，证书保存路径

PKI_PREFIX="/tmp/client_pki/"

CLIENT_PRIVATE_KEY_FILE_PATH="${PKI_PREFIX}/clientkey.pem"

CLIENT_CSR_FILE_PATH="${PKI_PREFIX}/clientcsr.pem"

CLIENT_CERTIFICATE_FILE_PATH="${PKI_PREFIX}/clientcert.pem"

oldUmask=$(umask)

umask 0077

mkdir -p ${PKI_PREFIX}

# 生成客户端私钥

openssl genrsa -out ${CLIENT_PRIVATE_KEY_FILE_PATH} 2048

# 生成客户端CSR，根据自己需要自行修改subjects

openssl req -new -key ${CLIENT_PRIVATE_KEY_FILE_PATH} -subj "/C=CN/ST=China/L=China/O=China/OU=China/CN=ClientCommonName" -out ${CLIENT_CSR_FILE_PATH}

# CA通过CSR签发证书，根据需要自行修改有效期

openssl x509 -req -in ${CLIENT_CSR_FILE_PATH} -CA ${CA_CERTIFICATE_FILE_PATH} -CAkey ${CA_KEY_FILE_PATH} -CAcreateserial -out ${CLIENT_CERTIFICATE_FILE_PATH} -days 3650

# 把CA证书放进去

cat ${CA_CERTIFICATE_FILE_PATH} > ${PKI_PREFIX}/cacert.pem

umask ${oldUmask}

# 把${PKI_PREFIX}传送到客户端

# scp -r ${PKI_PREFIX} username@host:~/libvirt-server-pki

完成上面的操作后，把整个${PKI_PRE […]

PHP

PHP – OpenSSL 生成CA私钥&证书及签发带SAN的证书

生成CA私钥及证书：参考Example #1 Creating a self-signed certificate 使用上面的方法可以生成CA证书并使用，但是如果使用上面的方法直接生成的自签名域名证书，即使你把（CA）证书加入到了受信任的根证书列表，也不会受浏览器信任： NET::ERR_CERT_COMMON_NAME_INVALID 此服务器无法证实它就是 localhost – 它的安全证书没有指定主题备用名称。这可能是因为某项配置有误或某个攻击者拦截了您的连接。你还需要把域名加入到SAN。首先生成OpenSSL的配置文件： [crayon-6741f74c6c5124 […]