安全矩阵

 找回密码
 立即注册
搜索
查看: 939|回复: 0

第二届陇剑杯决赛Misc-Win

[复制链接]

179

主题

179

帖子

630

积分

高级会员

Rank: 4

积分
630
发表于 2023-9-24 13:16:45 | 显示全部楼层 |阅读模式
第二届陇剑杯决赛Misc-Win
win
  1. @Name  : win
  2. @Game  : 2023 第二届陇剑杯决赛
  3. @Time  : 2023/9/16
  4. @Type  : Misc
  5. @Description:
  6. 1. 小明在一台电脑中获取了一个虚拟机文件以及桌面上存有 rockyou.txt,打开虚拟机的密码是多少?
  7. 2. xshell 连接的密码是多少?
  8. 3. 登陆脚本启动的程序路径是什么?
  9. 4. 共访问了几次 www.baidu.com?
  10. @Flag:
  11. 1. somewhere
  12. 2. 123456a
  13. 3. C:\2333.bat
  14. 4. 10
复制代码



知识点

  1.     vmx 文件爆破

  2.     Xmanager 加解密

  3.     windows 权限维持

  4.     浏览器数据取证
复制代码


工具

  1.     pyvmx-cracker:vmx 文件爆破 https://github.com/axcheron/pyvmx-cracker

  2.     VMwareVMX:vmx 文件解密 https://github.com/RF3/VMwareVMX

  3.     how-does-Xmanager-encrypt-password:Xmanager 密码解密 https://github.com/HyperSine/how-does-Xmanager-encrypt-password

  4.     HackBrowserData:浏览器导出解密 https://github.com/moonD4rk/HackBrowserData
复制代码



前置知识

VMware Workstation 的加密功能是不可逆的高强度加密,具体操作步骤:

新建一个任意虚拟机,然后点击“编辑虚拟机设置”→“选项”,可以看到“加密”,提示“该虚拟机未加密。你可以使用密码保护该虚拟机的数据和配置。”

虚拟机有一些配置文件:

  1. Windows 7 x64.vmdk    //VMware 虚拟磁盘文件
  2. Windows 7 x64.vmsd    //VMware 快照元数据(存储密钥)
  3. Windows 7 x64.vmx    //VMware 虚拟机配置
  4. Windows 7 x64.vmxf    //VMware组成员
复制代码



加密前的状态:

  1. Windows 7 x64.vmdk    //正常
  2. Windows 7 x64.vmsd    //空白
  3. Windows 7 x64.vmx    //明文配置内容
  4. Windows 7 x64.vmxf    //明文配置内容
复制代码


加密前的vmx文件:

  1. .encoding = "GBK"
  2. config.version = "8"
  3. virtualHW.version = "20"
  4. mks.enable3d = "TRUE"
  5. pciBridge0.present = "TRUE"
  6. pciBridge4.present = "TRUE"
  7. pciBridge4.virtualDev = "pcieRootPort"
  8. pciBridge4.functions = "8"
  9. pciBridge5.present = "TRUE"
  10. pciBridge5.virtualDev = "pcieRootPort"
  11. pciBridge5.functions = "8"
  12. pciBridge6.present = "TRUE"
  13. pciBridge6.virtualDev = "pcieRootPort"
  14. pciBridge6.functions = "8"
  15. pciBridge7.present = "TRUE"
  16. pciBridge7.virtualDev = "pcieRootPort"
  17. pciBridge7.functions = "8"
  18. vmci0.present = "TRUE"
  19. hpet0.present = "TRUE"
  20. nvram = "Windows 7 x64.nvram"
  21. virtualHW.productCompatibility = "hosted"
  22. powerType.powerOff = "soft"
  23. powerType.powerOn = "soft"
  24. powerType.suspend = "soft"
  25. powerType.reset = "soft"
  26. usb.vbluetooth.startConnected = "TRUE"
  27. guestOS = "windows7-64"
  28. tools.syncTime = "FALSE"
  29. sound.autoDetect = "TRUE"
  30. sound.virtualDev = "hdaudio"
  31. sound.fileName = "-1"
  32. sound.present = "TRUE"
  33. cpuid.coresPerSocket = "1"
  34. memsize = "2048"
  35. mem.hotadd = "TRUE"
  36. scsi0.virtualDev = "lsisas1068"
  37. scsi0.present = "TRUE"
  38. sata0.present = "TRUE"
  39. scsi0:0.fileName = "Windows 7 x64.vmdk"
  40. scsi0:0.present = "TRUE"
  41. sata0:1.deviceType = "cdrom-image"
  42. sata0:1.fileName = "E:\迅雷下载\cn_windows_7_enterprise_x64_dvd_x15-70741.iso"
  43. ...(省略)
复制代码



加密后的状态:

Windows 7 x64.vmdk    //文件数据改变
Windows 7 x64.vmsd    //增加密钥
Windows 7 x64.vmx    //配置内容加密
Windows 7 x64.vmxf    //无变化

加密后的vmx文件:

  1. .encoding = "GBK"
  2. displayName = "Windows 7 x64"
  3. encryptedVM.guid = ""
  4. encryption.keySafe = "vmware:key/list/(pair/(phrase/tAEghLS8980%3d/pass2key%3dPBKDF2%2dHMAC%2dSHA%2d1%3acipher%3dAES%2d256%3arounds%3d10000%3asalt%3dy2uTjk2sa7ri9phabetHQA%253d%253d,HMAC%2dSHA%2d1,qipjap5UguTA5Evy1dipkNaW4xEtjoc9dkjcLKCXxOY1AK8GBi25tkYmApN98B6LuusWn%2b3hSLgJacDobycflOpwa%2bmw3xt%2fvnVT47asYLDXExOtjEiB6%2bGhU32CXMiD8bwkSp5f4IiKC62i2pn1BYgRRws%3d))"
  5. encryption.data = "Oo3FlZJquP2Km+9sibWZ5tTKGcHdMqt15lnsOx3fHDhsG/l5kFYJ5ikHUZY4...(省略)"
复制代码



WriteUp
1. 小明在一台电脑中获取了一个虚拟机文件以及桌面上存有 rockyou.txt,打开虚拟机的密码是多少?

题目提供了一个 Windows 7 x64 虚拟机,导入后提示,虚拟机已经加密,需要输入密码:

提示桌面上存有 rockyou.txt,这个应该就是爆破字典了。打开虚拟机配置文件 Windows 7 x64.vmx:

  1. .encoding = "GBK"
  2. displayName = "Windows 7 x64"
  3. encryptedVM.guid = ""
  4. encryption.keySafe = "vmware:key/list/(pair/(phrase/tAEghLS8980%3d/pass2key%3dPBKDF2%2dHMAC%2dSHA%2d1%3acipher%3dAES%2d256%3arounds%3d10000%3asalt%3dy2uTjk2sa7ri9phabetHQA%253d%253d,HMAC%2dSHA%2d1,qipjap5UguTA5Evy1dipkNaW4xEtjoc9dkjcLKCXxOY1AK8GBi25tkYmApN98B6LuusWn%2b3hSLgJacDobycflOpwa%2bmw3xt%2fvnVT47asYLDXExOtjEiB6%2bGhU32CXMiD8bwkSp5f4IiKC62i2pn1BYgRRws%3d))"
  5. encryption.data = "Oo3FlZJquP2Km+9sibWZ5tTKGcHdMqt15lnsOx3fHDhsG/l5kFYJ5ikHUZY49Sjq1cErSEDioIt+VD65gAjId/NqxOUBuZxKCP7+/LAzI2vs5T+a7yOPO7LxM5GtR2sUeWv5fhtyhUqY/QCuHGTxZl4DviXmLYqMgBMyUqnERoXI3pg1PBEmIyaPGKnvrcl8eE+vF4bpp/rYojAffovQNWwPonvG5ghtYOix4XMsiBmGuxeGHj9C5i3GwDzCkrWDb2DGYO4HXpZNiSSvUezvf+aqBPBMA2Vn9X3nuGW97Ij8HQ9jQnMFeZ2yWlWuuFu1XYsKTjfjiYL5esNgAsycnWMD/1a2wYBGab/SuBSqnGxHh441OBjC3oXjGLRMNJRFQVRBHvnw5KGYhzKdX51CaS8axziFKLjZHcBdJu9uPSJuigFEhg0S9hwlUd7skN+qXXGdG9XRAg3P8s8LucwiEJgX7rAxxUoVeSPsO/Tm2wvUqtLoEUM4YL16N5Vc692sqUitu5muq1cqjrijEt2q+SwesaLe8rM2LtAnZ/HafUXbw5hqLhwwEaHywLI/RVynA6aDgxWxOIPGqK3uetjQo6L/AZO7AXxoWqU68OYmuffiXsELGPr+weuNKkq+lUCWejuFVfKdsoSMuD3ZkB1WTMoSyvDcfqYuHzTzeNqbQvb2l0y7SwLlI1QA6qtByRlhuVKOWWQuLXFFYCuFt+oKNWE233fDoDJ8Psvb71bef7VqroLDQMvqyyiG4HrcAJNFgIg8W37d0NxNsonWc2SibJyxILGd4692ihU5xwsM3oOy4HcRd65rZsyABq5GD0RII9RX7mHpsQqS3qaunw8PyZf4TDYN8NdnbLMRS1/mpEDbtrgk4ILz0MFQhAyuVLILopHxwXmcmW79/+kvHktxUzA4/bWg++8GXicWF6h6xAh2KCWElOsulUlXjogOBBsvtpRS7gbNrrE1koZZDJNOtiM9v9HWCEC67L+cMSB7gcs9QctccWvPiziOEDk5dSF7hWRoyJRi8P4Nbsl+h8nuTTOUvEFqcWUgja6NFOvOYKSAYmrFK74aO1NwAz1OototoSHYgkx5KdQ71w7KLgjGjIw1BbORUMDMb9nhitE/w+8Kg9VR5PkgyhpKw3lJFQL46Q2MEaLg1dDXysvnHvyqFgxIDH8tvX696jhw5dcCsSFO5EFAFxXM3qlDqUNmqAbW3dWxUkNidAb+uxU0YAjFE7bBqVj5XXu8A0HTM55nAwAvaeb3dF4l211FVnWwQiV4UCSeR9fwMT4IF4xunFLh9RaGjWfPYSV24RcQoy/qax3SRBoqHU2kLs7LZD0rdf0e5WT8uFBGI0smkQHUXHDVOYW/ZkbxcRHspieqJTkPr7w98vXle3S9lNmhqiB65Klg/FNIwXdZvKA2RkY/ATc7LjSUr1sWyZp/2qvK1+Buq6Kf1BA9DsR+WnnrGz3BSxSzG/8h2wbCCT+TciucR5mCPGviKBWOrb36YyRG9rJ/odFroKCh7vEzzWs8G3cUl1bFsWI1m3Xw4ZBb99H5viS7+VcXoibfLZXtSP7d99brAZ3FbW6MVmtukj+MqwQnKeTWkeo8lKGC4O+G5+4DfnJDHSUaLrsT1H3ivubkEnCevBeZtfFbHqV1H5oO6vRc0nW8mvqL4DC4Ow1mJM+3drRxrsBwRdL+PALCCVE+7aDx0z4I48TFhp0BKuFmgeqmTG1uAjHwbqUeU3V5ipc5CdBOyyA9qAqMDpKzOSSmP+mwNj5Mk980tm64QLTdHqMX08JSj37DQPUR14yQ9BphHdzlD81Gq5uV51YI4Af6Mb4hn+6AxBsgIZ4rUYucqk2lAK2oW4IPwY502NjyLKLcpi4CxhEy50lKBkFNhKByKxg2NK6ZKiUhO6Ac+gWnjdY6hTU+d1N6SoQhHWG2DfmqtNO9+al9jSa35KXStsZkPoAMlcCnHzlSUNNRJckrnEgMiVLMMyTbV/I+CdayNbL0JjQFQgXeJOHg8EEI9BoGD8hMCVi4GtElkLDGAi0mi7erZPAok2zYTV1u5KYbd6x9FoFmUiJnN+e+ELRTThcMIhhqio8qPttc94vXrRz0lCRhMjbnzTnQHyOAio2FapfJGqi9Q99fKTFVLmbsxfF4T0pAkJruK+3ZjLbfZdyGL89I+ypI2XwgFk0vYAop9RCKOLnQEYzD7CH5c5O2FbkrDlPIsm0NurCECjmWx4vnB8GPs3Nrd7NrZdlywcBUZd4Qs4e+eZXKkAHHfcAZrwFgTgvAt7lOhrufO4TcNtkc9lQnuc37/CjRrHFvYZwQihtpTYVxHqA2mVLA4SluMlpufcRFyD0NgYZIAN2K6FRT9NgNT9xMFrGZEZPwodWFrjaB3x32ovEeASN2ddAOx4rvn8cIyOQY6YE6p2Oj6MnIPxmRlxieXF5AdJv6XZ4he7bfPuQhCDIWsqBzPZmoUgUh4+deYLx1Ac8DJctt0uSqzwmw/zy6Zt2ipZWmP17Nn845hBRbKdBf3gPqpON7XhoUOcQsCict4RVmzGuKNHZ7E5aEVPGC8oRNFYrDqU2HbdMWr78NW7h69mhzAiS0xol2Vcl4Me5K0Wzn6DK9Djd+1t8mrrt8H2bqSFZPg9PJJtfbQ4J1T8FfYldssShc3ISLQxhIaGmW1fUhu2etftYnWjW4v8PQ91X17HAzhZCh7PmIsyXO3I4EWLay/S1vrlPcOYOcihWrzK9y3MuO4oF+a2saF18HeowWwqpYCFEF2TCZ2M8TaZw3DsCMWQfQOCdZGHFbFzp6SBL/X1ZlEZ4OoFAOJB3qxe9E1ZeeIRbVxxbptRM6sSzHRSopb8+HexwYQOroHsXoCruj5E0jRCkpLl6Hmi4Nl4lpjoVG5dWE0OiiO4ep1D0Ri69PLYh2r/x1XV901NHRk3Z/+W7XpseRCw7Y8glqkb6xX/sBBNbvbw5c/fDqIOCJ89rkZAyAxwUCqYZ+dIaomYDiqFD8YvgEYFMvGyU50RFyqbahOBSWI8Jbbx0A+lIApdCJB1TWPCja9EGK/rOstehvC0edvZMTVEKthTsv4+qGfWpRl3+igS3OB+RDej6SLH3Z0IV4fF2wgLW37PYi7Pu2cZvf0aPy6YKwMP3tZBqJEwpGoat8MmFO/eNCi4q2d8rOhHPZVV1qOwOoOI0AK+nQc1HxX/Sh8fJMWU969vJFMhbOfsXVmnnX7jnkzYloxPItnjG72pbWHs+tSdp2iS/dP0wZz5Iv47h1nf6wJsRafTkJdIVScJSGi/9sbLfDMIXy5vO9v0zfWDdXrrsix2aa/LTeZRXLKDovebcR26ov+LUd+59/7n6moSjXz6XFaksydJhUNuGCv6NKst5EmO370tTWErZAsbrnlrcMchPojQszmY7ChCWewDdV45Stp6YxIrTplR6/p9um2321OneQqmBut2mZl2un6C5jiAsWhosYYUno+ReDx4ihKvbqsQsZ7lx9iubeDkvCMrLuTeyHLeOOSDvLT3vgoMgB050/6eP5pXu2kh7a7fSlpXqpHnWKRLKigSbSPpuJ+Out2UVLqQxCRyVlFbtej8lzlFfDB4a3NRMzVFXZJ8paA527kwR8Zyx+4K/kdzzel6pXBAsyV7J6b3R79QLzhz6oABqqfOpcXQTcumPhkt6Ip/HJPLft9NXWJquFp50jLntWxtx3HggKq3RR1eF9ksPWitGPUVXgtOzepW6ZdaAHBjZRURwo73vPy58nZj7gSzq2IZccrr+cTiwEM4PfpFsWKP5d6bMc+952iPwSA/pzC53Xnn/DdC/hMLECKbhV01jEEx4w0SjOymhZkWIWJ3lacFjl8MU3OAl1+sBBRP4EyaifeVGhSMPIaZWM+uTnXTCxdTWybLyJSZ7MT0HIiUAaoVRWADU7jK6AF36FKVxfI5sE5mjQvXA4tyut2H1rjxLrcuH7a42pIvx3/CKabh5uYsgKpf6ROfnNabxtOVB1jdBJLv6uZqfPex+mg4/50RSF3TQhbsFR6wRF/zXHjSWQPhuFV0MaLqAPj+u8stNiEV1pT27lsnOYxggQj6ZyMhSvP2qPsJRWiVHyAtBobw51mOjLiL1JYlf5lIMmm4dKbwia0uqcvcJ2K0IlS4CiszO8PKpRh0Jr9ZxPLPbE35vyxak16S/+CTm2293IMJuFNk0fB15DluM8Q0S45FmQnYgCQ+TVelwlRFyI6IwMDEHs66MJlCiJvm2WgKC9P0NIRCOxK6o9A0nyQ2P3E3dmV+cGHHvEjejVQFVhZFYB1Mv7ZLT2Zgj1qaCPzUzRvKX2Vpc+RQ36wRD/dnA4KYCKCYmXXjttX7BDwqUO5hyYSPtHPVo6ssUCnflbG132fBo5/bAOPW1oKewbHfQFJ7DwgnABxdE2kvOqtIpG7cufvpV9tWKIJzw5LnlfVVT4137EGyYx7ZwIxshWcA2E9pb5qC0lEdFmCYoOB5GiPDe79TU0LFSkfkiY7Z0KYKbS7GdioF10qbniUNiL5ActuXpUrmBvDiXjmlrt0ANDqg3WDXuql5ZwkqzjGH0NdMD16ermHHdedMsx4+k+khVT6txf8D75o04p5UcGJHY1jBsMmLWQdTAElWx1bKVl/F7tJsG9JB11mFev6OkZ8dnFWTZEi4oW7Fnqd/6SGt7H9gnu6Ni1pLik9L/BI92sQS99xylqIlDpfaCjrUR4h0DPKI8QxSbnZTmOFvTMNptAs0/YvxD51IBQX78NAf9FqZtD3vyienmoymUDX8G/T1QNA9T5D+Ph4I1n+IsUtpzV9UeBskugxtoM6mSiAPdTYyeB8II5hTK1ag6M2L5yDrUkp6be82/m9qoBKGEuvS0YsyzC1eLK65rWWxx1/KeTp3MwNBplneJUvjvyVi7oafGJ6686EgPidIX9C7ICdWpbtFSlo9f+yjOy7AN5+uWgc7NfDIof8NBFM7Q="
复制代码



其中,还原 vmsd 文件需要:

  1. encryption.keySafe = "vmware:key/list/(pair/(phrase/tAEghLS8980%3d/pass2key%3dPBKDF2%2dHMAC%2dSHA%2d1%3acipher%3dAES%2d256%3arounds%3d10000%3asalt%3dy2uTjk2sa7ri9phabetHQA%253d%253d,HMAC%2dSHA%2d1,qipjap5UguTA5Evy1dipkNaW4xEtjoc9dkjcLKCXxOY1AK8GBi25tkYmApN98B6LuusWn%2b3hSLgJacDobycflOpwa%2bmw3xt%2fvnVT47asYLDXExOtjEiB6%2bGhU32CXMiD8bwkSp5f4IiKC62i2pn1BYgRRws%3d))"
复制代码



两遍 URLDecode 得到:

  1. encryption.keySafe = "vmware:key/list/(pair/(phrase/tAEghLS8980=/pass2key=PBKDF2-HMAC-SHA-1:cipher=AES-256:rounds=10000:salt=y2uTjk2sa7ri9phabetHQA==,HMAC-SHA-1,qipjap5UguTA5Evy1dipkNaW4xEtjoc9dkjcLKCXxOY1AK8GBi25tkYmApN98B6LuusWn 3hSLgJacDobycflOpwa mw3xt/vnVT47asYLDXExOtjEiB6 GhU32CXMiD8bwkSp5f4IiKC62i2pn1BYgRRws=))"
复制代码


使用工具 pyvmx-cracker 和字典 rockyou.txt 爆破。

该工具需要修改注释掉 pyvmx-cracker.py 的第 108 行、109 行代码,否则会报错。题目中第三行是 encryptedVM.guid,也可以将 vmx 文件中的第三行注释掉。

  1. if 'encryption.keySafe' not in lines[2]:
  2.   sys.exit('[-] Invalid VMX file or the VMX is not encrypted')
复制代码



实际上的字典比较大,此处仅为示例。执行命令:

  1. python3 pyvmx-cracker.py -v /YOUR/PATH/TO/VMX.vmx -d /YOUR/PATH/TO/ROCKYOU.txt
复制代码





得到密码为 somewhere。

可以使用 VMwareVMX 对 vmx 文件进行解密:

  1. python3 main.py /YOUR/PATH/TO/VMX.vmx > /YOUR/PATH/TO/DECODE_VMX/decode.vmx
复制代码


也可以直接输入密码,或使用解密后的 vmx,打开虚拟机进行下一步操作。

还可以通过VMware Workstation 移除加密,”虚拟机设置“→”选项“→”访问控制“→”移除加密“。
2. xshell 连接的密码是多少?

一般来说,xshell 账号密码文件位置如下:

  1. Xshell7  C:\Users\%username%\Documents\NetSarang Computer\7\Xshell\Sessions
  2. Xshell6  C:\Users\%username%\Documents\NetSarang Computer\6\Xshell\Sessions
  3. XShell5  %userprofile%\Documents\NetSarang\Xshell\Sessions
  4. XFtp5  %userprofile%\Documents\NetSarang\Xftp\Sessions
  5. XShell6  %userprofile%\Documents\NetSarang Computer\6\Xshell\Sessions
  6. XFtp6  %userprofile%\Documents\NetSarang Computer\6\Xftp\Sessions
复制代码



本题中,xshell 账号密码文件位置如下:

  1. Xshell6  C:\Users\testtt\Documents\NetSarang Computer\6\Xshell\Sessions
复制代码



.xsh 文件中包含连接密码:



当前用户名和sid:



解密得到 xshell 连接的密码 123456a

  1. python XShellCryptoHelper.py -d -user testtt -sid S-1-5-21-1844938145-4200775270-4174914976-1000 p5orZNxx2PcH/dp8h0/0nr+yyIooYMX/TOPZSiHvt2VmrQ+Sya1X
复制代码



另一个思路是上线本地cs,直接 dump 密码。
3. 登陆脚本启动的程序路径是什么?

镜像启动会弹出一个 calc 计算器,所以首先需要排查开机启动项。

查看 Windows 启动开机启动项,发现 C:\2333.bat

  1. C:\Users\testtt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
复制代码



进入注册表查看,发现攻击者创建了 Logon Scripts,以优先启动攻击脚本。注册表路径:

  1. HKEY_CURRENT_USER\Environment
复制代码





登录脚本启动的程序路径即为 C:\2333.bat
4. 共访问了几次 www.baidu.com

用 HackBrowserData 获取历史浏览数据 firefox_81rc7g54_default_esr_history.csv



访问了 10 次百度:


本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有帐号?立即注册

x
回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

小黑屋|安全矩阵

GMT+8, 2024-11-27 23:54 , Processed in 0.013379 second(s), 19 queries .

Powered by Discuz! X4.0

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表