
Software System Security Competition, East China: pth_attack

Complex traffic analysis, solved with lovelyspark


Lateral-movement attack traffic was captured on the company intranet. Analyze what the attacker did. (Submit only the content inside dart{}.)

Preface

Just a few days ago, lovelyspark from the lovely series released an internal beta. Following the lovely series' traditional all-in principle, we used it too, with the usual pile-everything-on strategy.
Challenge attachments:

  • 1-pth.pcapng
  • 2-rdp.pcapng

Solution

pth.pcapng

Drag the first capture in for a full analysis.

In the traffic view, a large number of SMB requests are followed by a successful authentication, after which the session switches to encrypted transport. The credential capture view shows many NTLMv2 hashes, so we go there and crack them.
After cracking all the hashes, move on to WinRM and try to decrypt that traffic; from this we also learn that the session password is pass@word1.

  .#####.   mimikatz 2.2.0 (x86) #19041 Sep 19 2022 17:43:26
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # sekurlsa::logonpasswords full

Authentication Id : 0 ; 918546 (00000000:000e0412)
Session           : RemoteInteractive from 2
User Name         : administrator
Domain            : DE1AY
Logon Server      : DC
Logon Time        : 2025/12/22 4:43:03
SID               : S-1-5-21-2756371121-2868759905-3853650604-500
	msv :	
	 [00000003] Primary
	 * Username : Administrator
	 * Domain   : DE1AY
	 * LM       : 4885d2c71db12bab1eba5e9d51b4aa9c
	 * NTLM     : 3d83254b53697355ef7498b535e7ab29
	 * SHA1     : a08ec5f6abc5d3bf6497d3aa3370f6ff37548d0b
	tspkg :	
	 * Username : Administrator
	 * Domain   : DE1AY
	 * Password : 
	wdigest :	
	 * Username : Administrator
	 * Domain   : DE1AY
	 * Password : 
	kerberos :	
	 * Username : administrator
	 * Domain   : DE1AY.COM
	 * Password : 
	ssp :	
	credman :	

Authentication Id : 0 ; 712045 (00000000:000add6d)
Session           : NetworkCleartext from 0
User Name         : de1ay
Domain            : DE1AY
Logon Server      : DC
Logon Time        : 2025/12/22 4:36:31
SID               : S-1-5-21-2756371121-2868759905-3853650604-1001
	msv :	
	 [00000003] Primary
	 * Username : de1ay
	 * Domain   : DE1AY
	 * LM       : f67ce55ac831223dc187b8085fe1d9df
	 * NTLM     : 161cff084477fe596a5db81874498a24
	 * SHA1     : d669f3bccf14bf77d64667ec65aae32d2d10039d
	tspkg :	
	 * Username : de1ay
	 * Domain   : DE1AY
	 * Password : 
	wdigest :	
	 * Username : de1ay
	 * Domain   : DE1AY
	 * Password : 
	kerberos :	
	 * Username : de1ay
	 * Domain   : DE1AY.COM
	 * Password : 
	ssp :	
	credman :	

Authentication Id : 0 ; 709503 (00000000:000ad37f)
Session           : Service from 0
User Name         : sshd_3212
Domain            : VIRTUAL USERS
Logon Server      : (null)
Logon Time        : 2025/12/22 4:36:30
SID               : S-1-5-111-3847866527-469524349-687026318-516638107-1125189541-3212
	msv :	
	 [00000003] Primary
	 * Username : PC$
	 * Domain   : DE1AY
	 * NTLM     : 656ea538d9cf1c85a57bbac5a5020ffd
	 * SHA1     : a9cf2cc0fafdb001bd121d53c665340ed208ffc2
	tspkg :	
	 * Username : PC$
	 * Domain   : DE1AY
	 * Password : <bR3tZ!fxJng-+pl6IBwqAmR<w0;<Rqq,oS6[tvWN00sa^?tz`a_v:t4b);6yX*a!aUDS#+) % n*,'4:y%:ak'v1w.mpd/^.g&^zvNB;<FhX+-,pxduthU=
	wdigest :	
	 * Username : PC$
	 * Domain   : DE1AY
	 * Password : <bR3tZ!fxJng-+pl6IBwqAmR<w0;<Rqq,oS6[tvWN00sa^?tz`a_v:t4b);6yX*a!aUDS#+) % n*,'4:y%:ak'v1w.mpd/^.g&^zvNB;<FhX+-,pxduthU=
	kerberos :	
	 * Username : PC$
	 * Domain   : de1ay.com
	 * Password : <bR3tZ!fxJng-+pl6IBwqAmR<w0;<Rqq,oS6[tvWN00sa^?tz`a_v:t4b);6yX*a!aUDS#+) % n*,'4:y%:ak'v1w.mpd/^.g&^zvNB;<FhX+-,pxduthU=
	ssp :	
	credman :	

Authentication Id : 0 ; 623891 (00000000:00098513)
Session           : NetworkCleartext from 0
User Name         : de1ay
Domain            : DE1AY
Logon Server      : DC
Logon Time        : 2025/12/22 4:28:24
SID               : S-1-5-21-2756371121-2868759905-3853650604-1001
	msv :	
	 [00000003] Primary
	 * Username : de1ay
	 * Domain   : DE1AY
	 * LM       : f67ce55ac831223dc187b8085fe1d9df
	 * NTLM     : 161cff084477fe596a5db81874498a24
	 * SHA1     : d669f3bccf14bf77d64667ec65aae32d2d10039d
	tspkg :	
	 * Username : de1ay
	 * Domain   : DE1AY
	 * Password : 
	wdigest :	
	 * Username : de1ay
	 * Domain   : DE1AY
	 * Password : 
	kerberos :	
	 * Username : de1ay
	 * Domain   : DE1AY.COM
	 * Password : 
	ssp :	
	credman :	

Authentication Id : 0 ; 621283 (00000000:00097ae3)
Session           : Service from 0
User Name         : sshd_3568
Domain            : VIRTUAL USERS
Logon Server      : (null)
Logon Time        : 2025/12/22 4:28:15
SID               : S-1-5-111-3847866527-469524349-687026318-516638107-1125189541-3568
	msv :	
	 [00000003] Primary
	 * Username : PC$
	 * Domain   : DE1AY
	 * NTLM     : 656ea538d9cf1c85a57bbac5a5020ffd
	 * SHA1     : a9cf2cc0fafdb001bd121d53c665340ed208ffc2
	tspkg :	
	 * Username : PC$
	 * Domain   : DE1AY
	 * Password : <bR3tZ!fxJng-+pl6IBwqAmR<w0;<Rqq,oS6[tvWN00sa^?tz`a_v:t4b);6yX*a!aUDS#+) % n*,'4:y%:ak'v1w.mpd/^.g&^zvNB;<FhX+-,pxduthU=
	wdigest :	
	 * Username : PC$
	 * Domain   : DE1AY
	 * Password : <bR3tZ!fxJng-+pl6IBwqAmR<w0;<Rqq,oS6[tvWN00sa^?tz`a_v:t4b);6yX*a!aUDS#+) % n*,'4:y%:ak'v1w.mpd/^.g&^zvNB;<FhX+-,pxduthU=
	kerberos :	
	 * Username : PC$
	 * Domain   : de1ay.com
	 * Password : <bR3tZ!fxJng-+pl6IBwqAmR<w0;<Rqq,oS6[tvWN00sa^?tz`a_v:t4b);6yX*a!aUDS#+) % n*,'4:y%:ak'v1w.mpd/^.g&^zvNB;<FhX+-,pxduthU=
	ssp :	
	credman :	

Authentication Id : 0 ; 475572 (00000000:000741b4)
Session           : CachedInteractive from 1
User Name         : de1ay
Domain            : DE1AY
Logon Server      : DC
Logon Time        : 2025/12/22 4:21:19
SID               : S-1-5-21-2756371121-2868759905-3853650604-1001
	msv :	
	 [00000003] Primary
	 * Username : de1ay
	 * Domain   : DE1AY
	 * LM       : f67ce55ac831223dc187b8085fe1d9df
	 * NTLM     : 161cff084477fe596a5db81874498a24
	 * SHA1     : d669f3bccf14bf77d64667ec65aae32d2d10039d
	tspkg :	
	 * Username : de1ay
	 * Domain   : DE1AY
	 * Password : 
	wdigest :	
	 * Username : de1ay
	 * Domain   : DE1AY
	 * Password : 
	kerberos :	
	 * Username : de1ay
	 * Domain   : DE1AY.COM
	 * Password : 
	ssp :	
	credman :	

Authentication Id : 0 ; 449071 (00000000:0006da2f)
Session           : CachedInteractive from 1
User Name         : de1ay
Domain            : DE1AY
Logon Server      : DC
Logon Time        : 2025/12/22 4:20:34
SID               : S-1-5-21-2756371121-2868759905-3853650604-1001
	msv :	
	 [00000003] Primary
	 * Username : de1ay
	 * Domain   : DE1AY
	 * LM       : f67ce55ac831223dc187b8085fe1d9df
	 * NTLM     : 161cff084477fe596a5db81874498a24
	 * SHA1     : d669f3bccf14bf77d64667ec65aae32d2d10039d
	tspkg :	
	 * Username : de1ay
	 * Domain   : DE1AY
	 * Password : 
	wdigest :	
	 * Username : de1ay
	 * Domain   : DE1AY
	 * Password : 
	kerberos :	
	 * Username : de1ay
	 * Domain   : DE1AY.COM
	 * Password : 
	ssp :	
	credman :	

Authentication Id : 0 ; 312952 (00000000:0004c678)
Session           : Interactive from 1
User Name         : mssql
Domain            : DE1AY
Logon Server      : DC
Logon Time        : 2025/12/22 4:18:16
SID               : S-1-5-21-2756371121-2868759905-3853650604-2103
	msv :	
	 [00000003] Primary
	 * Username : mssql
	 * Domain   : DE1AY
	 * LM       : f67ce55ac831223dc187b8085fe1d9df
	 * NTLM     : 161cff084477fe596a5db81874498a24
	 * SHA1     : d669f3bccf14bf77d64667ec65aae32d2d10039d
	tspkg :	
	 * Username : mssql
	 * Domain   : DE1AY
	 * Password : 
	wdigest :	
	 * Username : mssql
	 * Domain   : DE1AY
	 * Password : 
	kerberos :	
	 * Username : mssql
	 * Domain   : DE1AY.COM
	 * Password : 
	ssp :	
	credman :	

Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2025/12/22 4:13:20
SID               : S-1-5-19
	msv :	
	tspkg :	
	wdigest :	
	 * Username : (null)
	 * Domain   : (null)
	 * Password : (null)
	kerberos :	
	 * Username : (null)
	 * Domain   : (null)
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : PC$
Domain            : DE1AY
Logon Server      : (null)
Logon Time        : 2025/12/22 4:13:18
SID               : S-1-5-20
	msv :	
	 [00000003] Primary
	 * Username : PC$
	 * Domain   : DE1AY
	 * NTLM     : 656ea538d9cf1c85a57bbac5a5020ffd
	 * SHA1     : a9cf2cc0fafdb001bd121d53c665340ed208ffc2
	tspkg :	
	wdigest :	
	 * Username : PC$
	 * Domain   : DE1AY
	 * Password : <bR3tZ!fxJng-+pl6IBwqAmR<w0;<Rqq,oS6[tvWN00sa^?tz`a_v:t4b);6yX*a!aUDS#+) % n*,'4:y%:ak'v1w.mpd/^.g&^zvNB;<FhX+-,pxduthU=
	kerberos :	
	 * Username : pc$
	 * Domain   : DE1AY.COM
	 * Password : <bR3tZ!fxJng-+pl6IBwqAmR<w0;<Rqq,oS6[tvWN00sa^?tz`a_v:t4b);6yX*a!aUDS#+) % n*,'4:y%:ak'v1w.mpd/^.g&^zvNB;<FhX+-,pxduthU=
	ssp :	
	credman :	

Authentication Id : 0 ; 28405 (00000000:00006ef5)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 2025/12/22 4:13:02
SID               : 
	msv :	
	 [00000003] Primary
	 * Username : PC$
	 * Domain   : DE1AY
	 * NTLM     : 656ea538d9cf1c85a57bbac5a5020ffd
	 * SHA1     : a9cf2cc0fafdb001bd121d53c665340ed208ffc2
	tspkg :	
	wdigest :	
	kerberos :	
	ssp :	
	credman :	

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : PC$
Domain            : DE1AY
Logon Server      : (null)
Logon Time        : 2025/12/22 4:13:01
SID               : S-1-5-18
	msv :	
	tspkg :	
	wdigest :	
	 * Username : PC$
	 * Domain   : DE1AY
	 * Password : <bR3tZ!fxJng-+pl6IBwqAmR<w0;<Rqq,oS6[tvWN00sa^?tz`a_v:t4b);6yX*a!aUDS#+) % n*,'4:y%:ak'v1w.mpd/^.g&^zvNB;<FhX+-,pxduthU=
	kerberos :	
	 * Username : pc$
	 * Domain   : DE1AY.COM
	 * Password : <bR3tZ!fxJng-+pl6IBwqAmR<w0;<Rqq,oS6[tvWN00sa^?tz`a_v:t4b);6yX*a!aUDS#+) % n*,'4:y%:ak'v1w.mpd/^.g&^zvNB;<FhX+-,pxduthU=
	ssp :	
	credman :	

mimikatz(commandline) # exit
Bye!

C:\Users\Administrator.PC>

There is a section where the online commands complete, followed by the output of the mimikatz dump that was downloaded and run. Note the following:

mimikatz successfully dumped the administrator's NTLM hash; from it, the SK (SMB session key) for the matching session further down can be derived. Looking at the SMB3 decryption, the session info contains the admin's plaintext password.
Re-analyze with that password imported: it should then match the originally encrypted admin session, so the SMB3 session key can be computed and all encrypted traffic under that session decrypted.
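The derivation chain that paragraph relies on, written out as an added example (this is not the post's or lovelyspark's code): from a known NT hash to the NTLMv2 SessionBaseKey, the exported session key (the "SK") and the SMB 3.1.1 cipher keys, following MS-NLMP and MS-SMB2. The server challenge, NTLMv2 blob, wrapped session key and pre-auth integrity hash are constructed placeholders; in a real capture they are read from the NTLMSSP and SMB2 SESSION_SETUP messages, and the NT hash is the administrator's NTLM value shown in the mimikatz dump above.

```python
import hmac
import struct

def ntowf_v2(nt_hash, user, domain):
    # NTLMv2 response key (MS-NLMP 3.3.2): HMAC-MD5 keyed with the NT hash over
    # UPPERCASE(user) + domain in UTF-16LE; the domain keeps its case.
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), "md5").digest()

def nt_proof_str(nt_hash, user, domain, server_challenge, blob):
    # The 16-byte NTProofStr that opens the NTLMv2 response in the AUTHENTICATE message.
    return hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + blob, "md5").digest()

def session_base_key(nt_hash, user, domain, server_challenge, blob, nt_proof):
    # Check a captured NTProofStr against a candidate NT hash (what a crack confirms);
    # return the SessionBaseKey on a match, None otherwise.
    k = ntowf_v2(nt_hash, user, domain)
    if not hmac.compare_digest(hmac.new(k, server_challenge + blob, "md5").digest(), nt_proof):
        return None
    return hmac.new(k, nt_proof, "md5").digest()

def rc4(key, data):
    # Plain RC4, needed only to unwrap EncryptedRandomSessionKey when KEY_EXCH was negotiated.
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for c in data:
        i, j = (i + 1) & 0xFF, (j + s[(i + 1) & 0xFF]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def exported_session_key(sbk, encrypted_random_session_key=b""):
    # For NTLMv2 KeyExchangeKey == SessionBaseKey; with KEY_EXCH the real session key ("SK")
    # arrives RC4-wrapped in the AUTHENTICATE message, otherwise SK is the SessionBaseKey.
    return rc4(sbk, encrypted_random_session_key) if encrypted_random_session_key else sbk

def smb3_kdf(session_key, label, context, bits=128):
    # SP800-108 counter-mode KDF with HMAC-SHA256 (MS-SMB2 3.1.4.2): the label is
    # null-terminated and a separate 0x00 separator follows; one block covers 128 bits.
    msg = struct.pack(">I", 1) + label + b"\x00\x00" + context + struct.pack(">I", bits)
    return hmac.new(session_key, msg, "sha256").digest()[: bits // 8]

def smb311_cipher_keys(session_key, preauth_hash):
    # SMB 3.1.1 binds the keys to the 64-byte pre-auth integrity hash of the session setup
    # (SMB 3.0.2 instead uses label b"SMB2AESCCM" with contexts b"ServerIn \x00"/b"ServerOut\x00").
    return (smb3_kdf(session_key, b"SMBC2SCipherKey", preauth_hash),
            smb3_kdf(session_key, b"SMBS2CCipherKey", preauth_hash))
```

Wireshark's SMB2 dissector does the same derivation once the session key is entered in its preferences, which is what importing the password in the analysis tool triggers.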

rdp.pcapng

After decryption, two certificate files can be recovered; the pfx contains a private key. After cracking its password, importing and analyzing it shows that it is a certificate exported by mimikatz with default settings. The private key can then be extracted and used to decrypt the RDP traffic.

Of course, you can also drop it into Wireshark manually.

After decrypting the RDP session, a script can be written to analyze the keyboard scan codes.

import os
import sys

# Default input: the client-to-server half of the decrypted RDP stream.
D = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'rdp_decrypted', 'client_decrypted.bin')

# PC/AT set-1 scan codes for a US layout: (unshifted, shifted)
SC = {
    0x02:('1','!'),0x03:('2','@'),0x04:('3','#'),0x05:('4','$'),0x06:('5','%'),
    0x07:('6','^'),0x08:('7','&'),0x09:('8','*'),0x0A:('9','('),0x0B:('0',')'),
    0x0C:('-','_'),0x0D:('=','+'),0x0E:('\b','\b'),0x0F:('\t','\t'),
    0x10:('q','Q'),0x11:('w','W'),0x12:('e','E'),0x13:('r','R'),0x14:('t','T'),
    0x15:('y','Y'),0x16:('u','U'),0x17:('i','I'),0x18:('o','O'),0x19:('p','P'),
    0x1A:('[','{'),0x1B:(']','}'),0x1C:('\n','\n'),
    0x1E:('a','A'),0x1F:('s','S'),0x20:('d','D'),0x21:('f','F'),0x22:('g','G'),
    0x23:('h','H'),0x24:('j','J'),0x25:('k','K'),0x26:('l','L'),
    0x27:(';',':'),0x28:("'",'"'),0x29:('`','~'),0x2B:('\\','|'),
    0x2C:('z','Z'),0x2D:('x','X'),0x2E:('c','C'),0x2F:('v','V'),0x30:('b','B'),
    0x31:('n','N'),0x32:('m','M'),0x33:(',','<'),0x34:('.','>'),0x35:('/','?'),
    0x39:(' ',' '),
}

def decode(data):
    """Replay the keyboard events found in the raw bytes and rebuild the typed text."""
    shift = caps = False
    out = []
    for i in range(len(data) - 3):
        # Each keyboard event is matched as 0x04, flags, scancode, 0x44 (0x04 opens, 0x44 closes)
        if data[i] != 0x04 or data[i + 3] != 0x44 or data[i + 2] == 0x44:
            continue
        fl, sc = data[i + 1], data[i + 2]
        dn = (fl == 0x00)           # flags 0x00 = key down, 0x01 = key release
        if fl not in (0, 1):
            continue
        if sc in (0x2A, 0x36):      # left/right shift: track whether it is held
            shift = dn
            continue
        if sc == 0x3A and dn:       # caps lock toggles on press
            caps = not caps
            continue
        if sc in (0x1D, 0x38):      # ctrl / alt: ignored
            continue
        if not dn or sc not in SC:  # only presses of mapped keys produce text
            continue
        lo, hi = SC[sc]
        # caps lock only affects letters; shift affects every key
        upper = (shift ^ caps) if lo.isalpha() else shift
        ch = hi if upper else lo
        if ch == '\b':
            if out:
                out.pop()           # backspace removes the previous character
        else:
            out.append(ch)
    return ''.join(out)

if __name__ == '__main__':
    path = sys.argv[1] if len(sys.argv) > 1 else D
    with open(path, 'rb') as f:
        print(decode(f.read()))

The flag can be extracted, but submitting this flag during the competition did not pass. Note that this is keyboard traffic reconstructed from scan codes, so it is quite possible that other key combinations in the typing context (most likely case changes) caused the problem.
After the contest someone said the uuid in the flag is all uppercase, but when I re-analyzed the scan codes afterwards I found that left SHIFT was indeed pressed, only briefly while typing the braces; it feels like the platform's flag validation was just badly written (