
Background

Background summary: Xiao Shao, on duty during the provincial defence exercise, shut down a device on a sudden hunch. The client asked: why did you shut the device down? Xiao Shao said: my sixth sense tells me this machine may have been hacked.

This is his server. Find the following to clear the challenge:

  1. The attacker's two IP addresses: 192.168.75.129, 192.168.75.130
  2. The hidden user name: hack6618$
  3. The flags left behind by the hacker (3 of them):
    • flag{888666abc}
    • flag{zgsfsys@sec}
    • flag{H@Ck@sec}

Target environment

Boot it with VMware; if it fails to start, upgrade to VMware 17.5 or later.

Target environment:

  1. Windows Server 2022

  2. phpstudy (Xiaopi panel)

Relevant account credentials:

  1. User: administrator

  2. Password: xj@123456

Information gathering

Check ports

```
# See which services are running and whether there are outbound connections
netstat -ano

协议 本地地址 外部地址 状态 PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 864
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 1016
TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 480
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 652
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 1008
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 2172
TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING 616
TCP 0.0.0.0:49669 0.0.0.0:0 LISTENING 1912
TCP 0.0.0.0:49671 0.0.0.0:0 LISTENING 636
TCP 192.168.111.132:139 0.0.0.0:0 LISTENING 4
TCP 192.168.111.132:49962 222.88.95.53:80 TIME_WAIT 0
TCP 192.168.111.132:49963 222.88.95.53:80 TIME_WAIT 0
TCP 192.168.111.132:49964 222.88.95.53:80 TIME_WAIT 0
TCP 192.168.111.132:49965 222.88.95.53:80 TIME_WAIT 0
TCP 192.168.111.132:49966 222.88.95.53:80 TIME_WAIT 0
TCP 192.168.111.132:49967 222.88.95.53:80 TIME_WAIT 0
TCP 192.168.111.132:49968 222.88.95.53:80 TIME_WAIT 0
TCP 192.168.111.132:49969 222.88.95.53:80 TIME_WAIT 0
TCP 192.168.111.132:49970 222.88.95.53:80 TIME_WAIT 0
TCP 192.168.111.132:49971 222.88.95.53:80 TIME_WAIT 0
TCP 192.168.111.132:49972 222.88.95.53:80 TIME_WAIT 0
TCP 192.168.111.132:49973 222.88.95.53:80 TIME_WAIT 0
TCP 192.168.111.132:49974 222.88.95.53:80 TIME_WAIT 0
TCP 192.168.111.132:49975 222.88.95.53:80 TIME_WAIT 0
TCP 192.168.111.132:49976 222.88.95.53:80 TIME_WAIT 0
TCP 192.168.111.132:49977 222.88.95.53:80 TIME_WAIT 0
TCP 192.168.111.132:49978 222.88.95.53:80 TIME_WAIT 0
TCP 192.168.111.132:49979 222.88.95.53:80 TIME_WAIT 0
TCP 192.168.111.132:49980 222.88.95.53:80 TIME_WAIT 0
TCP 192.168.111.132:49981 222.88.95.53:80 TIME_WAIT 0
TCP 192.168.111.132:49982 222.88.95.53:80 TIME_WAIT 0
TCP 192.168.111.132:49983 222.88.95.53:80 TIME_WAIT 0
TCP 192.168.111.132:49984 222.88.95.53:80 TIME_WAIT 0
TCP 192.168.111.132:49985 222.88.95.53:80 TIME_WAIT 0
TCP 192.168.111.132:49986 222.88.95.53:80 TIME_WAIT 0
TCP 192.168.111.132:49987 222.88.95.53:80 TIME_WAIT 0
TCP 192.168.111.132:49988 222.88.95.53:80 TIME_WAIT 0
TCP 192.168.111.132:49989 222.88.95.53:80 TIME_WAIT 0
TCP 192.168.111.132:49990 222.88.95.53:80 TIME_WAIT 0
TCP 192.168.111.132:49991 222.88.95.53:80 TIME_WAIT 0
TCP 192.168.111.132:49992 222.88.95.53:80 TIME_WAIT 0
TCP 192.168.111.132:49993 222.88.95.53:80 TIME_WAIT 0
TCP 192.168.111.132:49994 222.88.95.53:80 TIME_WAIT 0
TCP 192.168.111.132:49995 222.88.95.53:80 TIME_WAIT 0
TCP 192.168.111.132:49996 222.88.95.53:80 TIME_WAIT 0
TCP 192.168.111.132:49997 222.88.95.53:80 TIME_WAIT 0
TCP 192.168.111.132:49998 222.88.95.53:80 TIME_WAIT 0
TCP 192.168.111.132:49999 222.88.95.53:80 TIME_WAIT 0
TCP 192.168.111.132:50000 222.88.95.53:80 TIME_WAIT 0
TCP 192.168.111.132:50001 222.88.95.53:80 TIME_WAIT 0
TCP 192.168.111.132:50002 222.88.95.53:80 TIME_WAIT 0
TCP 192.168.111.132:50003 222.88.95.53:80 TIME_WAIT 0
TCP 192.168.111.132:50004 222.88.95.53:80 TIME_WAIT 0
TCP 192.168.111.132:50005 222.88.95.53:80 TIME_WAIT 0
TCP 192.168.111.132:50007 20.247.184.197:443 TIME_WAIT 0
TCP 192.168.111.132:50008 20.247.184.197:443 TIME_WAIT 0
TCP 192.168.111.132:50010 152.195.38.76:80 ESTABLISHED 1008
TCP 192.168.111.132:50011 23.13.191.96:80 ESTABLISHED 1456
TCP 192.168.111.132:50012 222.134.66.229:80 ESTABLISHED 1456
TCP 192.168.111.132:50015 104.65.230.44:80 TIME_WAIT 0
TCP 192.168.111.132:50019 104.65.230.44:80 TIME_WAIT 0
TCP 192.168.111.132:50024 104.65.230.44:80 SYN_SENT 1008
TCP [::]:135 [::]:0 LISTENING 864
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:3389 [::]:0 LISTENING 1016
TCP [::]:5357 [::]:0 LISTENING 4
TCP [::]:5985 [::]:0 LISTENING 4
TCP [::]:47001 [::]:0 LISTENING 4
TCP [::]:49664 [::]:0 LISTENING 480
TCP [::]:49665 [::]:0 LISTENING 652
TCP [::]:49666 [::]:0 LISTENING 1008
TCP [::]:49667 [::]:0 LISTENING 2172
TCP [::]:49668 [::]:0 LISTENING 616
TCP [::]:49669 [::]:0 LISTENING 1912
TCP [::]:49671 [::]:0 LISTENING 636
UDP 0.0.0.0:123 *:* 2364
UDP 0.0.0.0:500 *:* 1008
UDP 0.0.0.0:3389 *:* 1016
UDP 0.0.0.0:3702 *:* 4816
UDP 0.0.0.0:3702 *:* 4816
UDP 0.0.0.0:4500 *:* 1008
UDP 0.0.0.0:5353 *:* 1456
UDP 0.0.0.0:5355 *:* 1456
UDP 0.0.0.0:49818 *:* 4816
UDP 0.0.0.0:55522 *:* 1456
UDP 127.0.0.1:53523 *:* 1008
UDP 192.168.111.132:137 *:* 4
UDP 192.168.111.132:138 *:* 4
UDP [::]:123 *:* 2364
UDP [::]:500 *:* 1008
UDP [::]:3389 *:* 1016
UDP [::]:3702 *:* 4816
UDP [::]:3702 *:* 4816
UDP [::]:4500 *:* 1008
UDP [::]:5353 *:* 1456
UDP [::]:5355 *:* 1456
UDP [::]:49819 *:* 4816
UDP [::]:55522 *:* 1456
UDP [fe80::d0fc:aeb7:36f1:db51%3]:546 *:* 652
```
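Reading a full netstat -ano dump by eye is error-prone, so here is an added example (my own code, not from the original write-up) that reduces the output to connections whose remote end lies outside private, loopback and link-local ranges, grouped per remote IP, and resolves each owning PID to its image name where the process still exists. The sample lines are a handful copied from the netstat output above and embedded as constructed offline input; on the live host the same function takes `netstat -ano` straight from the pipeline.

```powershell
# Added example, not part of the original write-up: filter `netstat -ano`
# output down to connections whose remote end is outside private, loopback
# and link-local ranges, grouped per remote IP, with the owning image name
# resolved where the PID still exists on this host.

function Test-PrivateAddress {
    param([string]$Ip)
    # RFC 1918, loopback, link-local and unspecified addresses (IPv4 and IPv6)
    return [bool]($Ip -match '^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|127\.|169\.254\.|0\.0\.0\.0$|::$|::1$|fe80:|\*$)')
}

function Find-ExternalConnections {
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    begin { $rows = New-Object System.Collections.Generic.List[object] }
    process {
        # netstat -ano columns: proto, local, remote, state (TCP only), PID
        $parts = $Line.Trim() -split '\s+'
        if ($parts[0] -ne 'TCP' -or $parts.Count -lt 5) { return }   # header, UDP, blank lines
        $remote = $parts[2]
        if ($remote -match '^\[(.+)\]:(\d+)$')  { $rip = $Matches[1]; $rport = $Matches[2] }   # [ipv6]:port
        elseif ($remote -match '^(.+):(\d+)$')  { $rip = $Matches[1]; $rport = $Matches[2] }   # ipv4:port
        else { return }
        if (Test-PrivateAddress $rip) { return }
        $rows.Add([pscustomobject]@{
            RemoteIp = $rip; RemotePort = [int]$rport; State = $parts[3]; ProcessId = [int]$parts[4]
        })
    }
    end {
        $rows | Group-Object RemoteIp | ForEach-Object {
            $pids = $_.Group.ProcessId | Sort-Object -Unique
            # Resolve image names for PIDs that still exist (TIME_WAIT rows carry PID 0)
            $images = foreach ($p in $pids) {
                if ($p -eq 0) { continue }
                $proc = Get-Process -Id $p -ErrorAction SilentlyContinue
                if ($proc) { $proc.ProcessName }
            }
            [pscustomobject]@{
                RemoteIp    = $_.Name
                Connections = $_.Count
                Ports       = ($_.Group.RemotePort | Sort-Object -Unique) -join ','
                States      = ($_.Group.State | Sort-Object -Unique) -join ','
                Pids        = $pids -join ','
                Images      = ($images | Sort-Object -Unique) -join ','
            }
        } | Sort-Object Connections -Descending
    }
}

# Constructed sample: a few lines taken from the netstat output above
$sample = @'
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 1016
TCP 192.168.111.132:49962 222.88.95.53:80 TIME_WAIT 0
TCP 192.168.111.132:49963 222.88.95.53:80 TIME_WAIT 0
TCP 192.168.111.132:50008 20.247.184.197:443 TIME_WAIT 0
TCP 192.168.111.132:50010 152.195.38.76:80 ESTABLISHED 1008
TCP 192.168.111.132:50024 104.65.230.44:80 SYN_SENT 1008
TCP [::]:445 [::]:0 LISTENING 4
UDP 0.0.0.0:123 *:* 2364
'@ -split '\r?\n'

$sample | Find-ExternalConnections | Format-Table -AutoSize

# On the live host:
# netstat -ano | Find-ExternalConnections | Format-Table -AutoSize
```

TIME_WAIT rows are reported with PID 0 by netstat, so they tell you only that a process on the host recently talked to that address; ESTABLISHED and SYN_SENT rows still carry the owning PID and are the ones worth cross-referencing with the tasklist output below.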

Check services

```
tasklist

映像名称 PID 会话名 会话# 内存使用
========================= ======== ================ =========== ============
System Idle Process 0 Services 0 8 K
System 4 Services 0 140 K
Registry 88 Services 0 23,112 K
smss.exe 292 Services 0 1,384 K
csrss.exe 376 Services 0 5,448 K
wininit.exe 480 Services 0 6,908 K
csrss.exe 488 Console 1 5,636 K
winlogon.exe 548 Console 1 17,548 K
services.exe 616 Services 0 8,612 K
lsass.exe 636 Services 0 16,996 K
svchost.exe 744 Services 0 23,604 K
fontdrvhost.exe 772 Console 1 12,144 K
fontdrvhost.exe 780 Services 0 4,292 K
svchost.exe 864 Services 0 12,892 K
dwm.exe 940 Console 1 73,928 K
svchost.exe 1008 Services 0 87,024 K
svchost.exe 1016 Services 0 13,204 K
svchost.exe 284 Services 0 22,912 K
svchost.exe 676 Services 0 15,060 K
svchost.exe 652 Services 0 45,116 K
svchost.exe 1144 Services 0 33,088 K
WUDFHost.exe 1372 Services 0 8,464 K
svchost.exe 1456 Services 0 24,036 K
svchost.exe 1464 Services 0 9,436 K
svchost.exe 1508 Services 0 6,780 K
svchost.exe 1640 Services 0 16,080 K
svchost.exe 1912 Services 0 7,436 K
spoolsv.exe 2172 Services 0 16,680 K
svchost.exe 2236 Services 0 34,284 K
phpStudyServer.exe 2256 Services 0 9,608 K
VGAuthService.exe 2276 Services 0 11,640 K
vmtoolsd.exe 2312 Services 0 23,212 K
vm3dservice.exe 2324 Services 0 7,220 K
svchost.exe 2364 Services 0 7,892 K
svchost.exe 2372 Services 0 8,640 K
vm3dservice.exe 2488 Console 1 7,884 K
dllhost.exe 2912 Services 0 13,752 K
msdtc.exe 336 Services 0 10,468 K
WmiPrvSE.exe 3232 Services 0 20,868 K
ChsIME.exe 3752 Console 1 14,928 K
svchost.exe 3792 Services 0 14,324 K
sihost.exe 2340 Console 1 24,512 K
svchost.exe 2348 Console 1 31,800 K
taskhostw.exe 3884 Console 1 12,944 K
ctfmon.exe 3696 Console 1 16,616 K
explorer.exe 3880 Console 1 126,116 K
ChsIME.exe 244 Console 1 24,576 K
MusNotifyIcon.exe 2788 Console 1 9,804 K
ShellExperienceHost.exe 4144 Console 1 59,556 K
SearchUI.exe 4264 Console 1 52,164 K
RuntimeBroker.exe 4348 Console 1 20,036 K
RuntimeBroker.exe 4468 Console 1 34,984 K
svchost.exe 4816 Services 0 10,268 K
smartscreen.exe 5068 Console 1 24,328 K
phpstudy_pro.exe 1368 Console 1 62,208 K
RuntimeBroker.exe 3808 Console 1 13,172 K
vmtoolsd.exe 3080 Console 1 40,308 K
cmd.exe 3848 Console 1 4,272 K
conhost.exe 4660 Console 1 43,860 K
svchost.exe 2524 Services 0 12,220 K
taskhostw.exe 184 Console 1 11,936 K
svchost.exe 4592 Services 0 10,912 K
TrustedInstaller.exe 4836 Services 0 7,204 K
TiWorker.exe 3280 Services 0 10,228 K
WmiPrvSE.exe 2652 Services 0 8,512 K
taskhostw.exe 4172 Services 0 7,280 K
tasklist.exe 1204 Console 1 7,868 K
```

Check accounts

Win+R, then lusrmgr.msc: a shadow account was found, hack887$. Accounts hidden with a trailing $ can only be seen through net localgroup administrators.
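Clicking through lusrmgr.msc works on one box, but the same check is quicker to repeat from PowerShell. The following is an added example (my own code, not from the original write-up) that lists every local account whose name ends in $ (the ones `net user` leaves out) and cross-checks each against the local Administrators group. It assumes the LocalAccounts module that ships with Windows Server 2016+ and Windows 10+, and an elevated prompt.

```powershell
# Added example, not part of the original write-up: list local accounts that
# are hidden from `net user` by a trailing "$" and cross-check them against
# the local Administrators group. Uses the LocalAccounts module shipped with
# Windows Server 2016+/Windows 10+; run from an elevated prompt.

function Find-HiddenLocalAccounts {
    # Administrators membership, with the MACHINE\ or DOMAIN\ prefix stripped
    $admins = Get-LocalGroupMember -Group 'Administrators' |
        ForEach-Object { ($_.Name -split '\\')[-1] }

    Get-LocalUser | ForEach-Object {
        [pscustomobject]@{
            Name              = $_.Name
            HiddenFromNetUser = $_.Name.EndsWith('$')      # net user omits names ending in $
            Enabled           = $_.Enabled
            IsAdmin           = ($admins -contains $_.Name)
            PasswordLastSet   = $_.PasswordLastSet
            LastLogon         = $_.LastLogon
            Sid               = $_.SID.Value
        }
    } |
    # Show only what matters for triage: hidden accounts and everything with admin rights
    Where-Object { $_.HiddenFromNetUser -or $_.IsAdmin } |
    Sort-Object HiddenFromNetUser -Descending
}

Find-HiddenLocalAccounts | Format-Table -AutoSize
```

Get-LocalUser, unlike `net user`, does not filter on the trailing $, so the account shows up here regardless of its name; PasswordLastSet is usually a good first estimate of when the account was created, and the SID's RID tells you whether it is a freshly created account or one that has been renamed.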

Check files belonging to that user

system.bat was found in the Downloads folder. Looking at its contents showed the creation of a WebShell and one flag.

Analyze startup programs

```
msconfig      (Startup tab)
gpedit.msc    (Group Policy Editor)
```

Check scheduled tasks

```
taskschd.msc
compmgmt.msc
cmd --> schtasks
```
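The two preceding steps (startup programs, scheduled tasks) are one persistence sweep, so here is one added example (my own code, not from the original write-up) that pulls scheduled-task actions and Run/RunOnce autostart values into a single table and flags entries that invoke a script interpreter, a .bat/.vbs/.ps1 file, or anything under the web root. $WebRoot is a placeholder and must be set to the phpstudy WWW directory on the host; the marker pattern is a heuristic, not a complete list.

```powershell
# Added example, not part of the original write-up: inventory scheduled-task
# actions and Run/RunOnce autostart entries, flagging those that call a script
# interpreter, a script file, or a path under the web root. $WebRoot is a
# placeholder. Run from an elevated prompt.

function Get-AutostartInventory {
    param([string]$WebRoot = 'C:\PLACEHOLDER\phpstudy\WWW')

    $interpreterPattern = 'cmd\.exe|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|\.bat\b|\.vbs\b|\.ps1\b|\.hta\b'

    # One row per scheduled-task action (a task may have several)
    $tasks = Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions carry no Execute
            [pscustomobject]@{
                Source  = 'ScheduledTask'
                Name    = "$($task.TaskPath)$($task.TaskName)"
                Command = ("$($action.Execute) $($action.Arguments)").Trim()
                RunAs   = $task.Principal.UserId
                Author  = $task.Author
            }
        }
    }

    # Autostart values under the classic Run/RunOnce keys (machine and current user)
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    $runs = foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... metadata
            [pscustomobject]@{
                Source = 'RunKey'; Name = "$key\$($prop.Name)"; Command = [string]$prop.Value
                RunAs = ''; Author = ''
            }
        }
    }

    @($tasks) + @($runs) | ForEach-Object {
        $suspicious = ($_.Command -match $interpreterPattern) -or
                      ($WebRoot -and $_.Command.IndexOf($WebRoot, [StringComparison]::OrdinalIgnoreCase) -ge 0)
        $_ | Add-Member -NotePropertyName Suspicious -NotePropertyValue $suspicious -PassThru
    } | Sort-Object @{ Expression = 'Suspicious'; Descending = $true }, Source
}

Get-AutostartInventory | Where-Object Suspicious | Format-Table Source, Name, Command, RunAs -Wrap
```

Drop the `Where-Object Suspicious` filter to see the whole inventory; a task placed under \Microsoft\ with a generic name is still listed, since the flag is computed from the command line rather than the task path. Compare the Author and RunAs columns with the account findings above: a task whose author is the administrator but which runs a batch file from a user's Downloads folder is exactly the shape this sweep is meant to surface.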

Web incident response

With phpStudy running there is most likely a web server (the background says as much). Go into the web root and look for webshells, or use %UserProfile%\Recent to find records of recently modified files.
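For the web-root sweep, here is an added example (my own code, not from the original write-up) that lists PHP files under the web root changed inside a time window and scores each for common webshell markers: code-execution functions fed from request variables, base64/rot13/gzip decoding and dynamic function calls. $WebRoot is a placeholder, the marker list is a heuristic, and every hit needs a human to open the file.

```powershell
# Added example, not part of the original write-up: list PHP files in the web
# root changed inside a time window and score each for common webshell
# markers. $WebRoot is a placeholder; the markers are heuristics only.

function Find-SuspiciousPhpFiles {
    param(
        [string]$WebRoot = 'C:\PLACEHOLDER\phpstudy\WWW',
        [datetime]$Since = (Get-Date).AddDays(-14)
    )
    # Each regex is one "marker"; a file scores one point per marker that matches anywhere
    $markers = @(
        '\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\(',
        '\$_(POST|GET|REQUEST|COOKIE)\s*\[',
        'base64_decode\s*\(',
        'str_rot13\s*\(|gzinflate\s*\(|gzuncompress\s*\(',
        'create_function\s*\(|call_user_func(_array)?\s*\('
    )

    Get-ChildItem -Path $WebRoot -Recurse -File -Include '*.php', '*.phtml', '*.php5' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
            if (-not $text) { return }
            $hits = foreach ($m in $markers) { if ($text -match $m) { $m } }
            [pscustomobject]@{
                Path            = $_.FullName
                LastWrite       = $_.LastWriteTime
                Created         = $_.CreationTime
                RecentlyChanged = ($_.LastWriteTime -ge $Since -or $_.CreationTime -ge $Since)
                MarkerCount     = @($hits).Count
                SizeBytes       = $_.Length
            }
        } |
        # Keep anything recent, plus older files that look like a shell (two or more markers)
        Where-Object { $_.RecentlyChanged -or $_.MarkerCount -ge 2 } |
        Sort-Object MarkerCount, LastWrite -Descending
}

Find-SuspiciousPhpFiles | Format-Table -AutoSize
```

Both timestamps are reported because a dropped file often has a CreationTime newer than its LastWriteTime (the write time is copied from the source); neither is tamper-proof, so line the results up with the scheduled-task and access-log timestamps rather than trusting the file system alone. The same LastWriteTime sort over `$env:USERPROFILE\Recent` covers the %UserProfile%\Recent check mentioned above.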

From the log context we can see that 404.php was never uploaded; it was accessed directly. Combined with the scheduled task above that writes the webshell, we can be fairly sure the intrusion did not come through a vulnerability in the backend. Continue analysing the logs.

The same URI, /zb_system/cmd.php?act=verify, received a large number of identical requests, and the response body lengths were all the same. The guess is a brute-force attack, and a successful one.

Looking at the source code logic: if the password is correct it redirects to admin/index.php?act=admin, and the log context also contains that path. Confirmed as brute force.
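The three observations above (many requests to one URI, identical response lengths, followed by a hit on the post-login admin page) can be turned into a check that runs over the whole access log. This is an added example (my own code, not from the original write-up) for Apache/Nginx combined-format logs; the log lines are constructed sample data, not the target's real log, though the URIs follow the ones quoted above and the full admin path is assumed to live under /zb_system/.

```powershell
# Added example, not part of the original write-up: detect a login brute force
# in a combined-format access log by grouping login-endpoint requests per
# source IP, checking whether response sizes are all identical, and finding
# the first later hit on the post-login admin URI. Sample log is constructed.

function Find-LoginBruteForce {
    param(
        [string[]]$Lines,
        [string]$LoginUri   = '/zb_system/cmd.php?act=verify',
        [string]$SuccessUri = 'admin/index.php?act=admin',
        [int]$Threshold     = 20
    )
    # client - user [time] "METHOD URI PROTO" status size ...
    $re = '^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>\S+) (?<uri>\S+)[^"]*" (?<status>\d{3}) (?<size>\d+|-)'

    $events = foreach ($line in $Lines) {
        if ($line -match $re) {
            [pscustomobject]@{
                Ip = $Matches.ip; Time = $Matches.time; Method = $Matches.method
                Uri = $Matches.uri; Status = $Matches.status; Size = $Matches.size
            }
        }
    }

    $loginHits = $events | Where-Object { $_.Uri.StartsWith($LoginUri) } | Group-Object Ip
    foreach ($group in $loginHits) {
        if ($group.Count -lt $Threshold) { continue }
        # Identical response sizes across many attempts = the same "wrong password" page
        $sizes = @($group.Group | Group-Object Size | Sort-Object Count -Descending)
        $adminHit = $events |
            Where-Object { $_.Ip -eq $group.Name -and $_.Uri.Contains($SuccessUri) } |
            Select-Object -First 1
        [pscustomobject]@{
            Ip             = $group.Name
            Attempts       = $group.Count
            FirstAttempt   = ($group.Group | Select-Object -First 1).Time
            LastAttempt    = ($group.Group | Select-Object -Last 1).Time
            DominantSize   = $sizes[0].Name
            DistinctSizes  = $sizes.Count
            AdminPageAfter = $(if ($adminHit) { $adminHit.Time } else { 'none' })
        }
    }
}

# Constructed sample log: 30 POSTs to the login endpoint from one client, then
# the admin page from the same client, then an unrelated request.
$sampleLog = foreach ($i in 10..39) {
    '192.168.75.129 - - [12/Mar/2024:11:40:{0:D2} +0800] "POST /zb_system/cmd.php?act=verify HTTP/1.1" 200 1532 "-" "Mozilla/5.0"' -f $i
}
$sampleLog += '192.168.75.129 - - [12/Mar/2024:11:40:41 +0800] "GET /zb_system/admin/index.php?act=admin HTTP/1.1" 200 18234 "-" "Mozilla/5.0"'
$sampleLog += '192.168.75.1 - - [12/Mar/2024:11:41:03 +0800] "GET /index.php HTTP/1.1" 200 9876 "-" "Mozilla/5.0"'

Find-LoginBruteForce -Lines $sampleLog | Format-List

# On the real host: Find-LoginBruteForce -Lines (Get-Content 'C:\PLACEHOLDER\access.log')
```

DistinctSizes of 1 with a high attempt count is the "all response bodies are the same length" signal from the write-up; AdminPageAfter is the time of the first admin-page request from the same client, which is the success indicator the source-code review established. Raise or lower -Threshold to suit the site's normal login volume.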

Since the passwords in the database are stored encrypted, you cannot tell by eye whether one is a weak password.

The password can be obtained by brute force or by asking the operations staff: admin123456. It can also be reset through the official password-reset feature. A hacker user was also found.

Selecting Hacker under user management reveals the last flag.

The flag can also be found by analysing the database, so do not forget the database either.

The log shows the user was created at 2024/3/12 11:53:58, which matches the new-user log entry above.

System incident response

Looking at the user-creation log in eventvwr shows that the shadow account was created directly by the administrator account.

This user was found to have logged into the machine remotely via RDP.
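Both findings (who created the account, and that it then logged in over RDP) come from the Security log, so here is an added example (my own code, not from the original write-up) that builds that timeline from event 4720 (account created) and event 4624 with logon type 10 (RemoteInteractive, i.e. RDP), including the creating account and the source address of each RDP logon. It assumes an elevated prompt; the lookback window is a parameter, not a value from the write-up.

```powershell
# Added example, not part of the original write-up: timeline of local account
# creations (Security 4720) and RDP logons (4624, LogonType 10), with the
# creating account and the logon source address. Run from an elevated prompt.

function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    # Flatten <EventData><Data Name="...">value</Data>...</EventData> into a hashtable
    $xml = [xml]$Record.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    return $data
}

function Get-AccountAndRdpTimeline {
    param([datetime]$Since = (Get-Date).AddDays(-30))

    $created = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Event    = 'AccountCreated'
                Account  = $d['TargetUserName']
                Hidden   = ([string]$d['TargetUserName'] -like '*$')   # trailing $ hides it from net user
                Actor    = $d['SubjectUserName']                      # who created it
                SourceIp = ''
            }
        }

    # LogonType 10 = RemoteInteractive (RDP). With NLA enabled the credential
    # check first appears as a type 3 logon from the same IpAddress.
    $rdp = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            if ($d['LogonType'] -eq '10') {
                [pscustomobject]@{
                    Time     = $_.TimeCreated
                    Event    = 'RdpLogon'
                    Account  = $d['TargetUserName']
                    Hidden   = ([string]$d['TargetUserName'] -like '*$')
                    Actor    = ''
                    SourceIp = $d['IpAddress']
                }
            }
        }

    @($created) + @($rdp) | Sort-Object Time
}

Get-AccountAndRdpTimeline | Format-Table -AutoSize
```

Reading every 4624 over a month can take a while on a busy server; narrow -Since to the window the web log points at, or add 4732 (member added to a local group) and 4726 (account deleted) to the same pattern when you need the full life cycle of the account. The SourceIp column is what ties the RDP session back to the attacker addresses the challenge asks for.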

Attack path

Since this is a practice target, there is no complete attack path; or rather, my skills were not up to reconstructing the real one.