Emergency response investigation
Which vulnerability did the attacker exploit to obtain the server's configuration files?
flag{CVE-2025-31161}
The CrushFTP log shows that at 05/27/2025 23:10 the attacker exploited CVE-2025-31161 to add a user named user1.

[Screenshot 1.png, uploaded 2025-6-5 14:50]
At 05/27/2025 23:11 the attacker's user user1 mapped the C: drive into their own VFS.

[Screenshot 2.png]
At 05/27/2025 23:12 the attacker packed the o2oa configuration files into an archive and downloaded it.

[Screenshot 3.png]
Inspecting the configuration files the attacker downloaded shows that they obtained the database account and password stored in them.

[Screenshot 4.png]
What is the IP address of the attacker's C2 server?
flag{156.238.230.57}
The Application event log shows that on 27 May 2025 at 23:13 the attacker enabled CLR integration.

[Screenshot 5.png]
The Windows PowerShell event log shows the PowerShell script the attacker executed.

[Screenshot 6.png]
ThreatBook (微步) analysis

[Screenshot 7.png]
The system gets sluggish every night; help Xiaoming find where the problem lies.
The flag is the configuration name (no spaces): flag{sqlbackingup}
Reviewing the scheduled tasks shows a task named sqlbackingup that runs a database-backup VBS script every day at 23:31.

[Screenshot 8.png]
What is the malicious domain?
flag{b.oracleservice.top}. Opening the file at the path the task points to shows the mining pool address and the wallet.

[Screenshot 9.png]
Which group does this wallet belong to?
Format: flag{123XXX} (no spaces)
flag{8220Gang}
Searching the internet for the mining pool or the wallet shows that it belongs to 8220.

[Screenshot 10.png]
It can also be looked up on ThreatBook (微步).

[Screenshot 11.png]
Open-source project
Opening the project in VS, the source code is as follows:
#include <iostream>
#include <string>
#include <cstring>
using namespace std;
int main() {
    char buffer[100];
    cin.getline(buffer, sizeof(buffer));
    string a = "dnceyvjkq]kq]dcig]dnce";
    // XOR every character with 2 to "decrypt" the hard-coded string
    for (int i = 0; a[i] != '\0'; i++) {
        a[i] ^= 2;
    }
    // compare the decrypted string with the user's input
    if (strcmp(a.c_str(), buffer)) {
        cout << endl;  // the rest of the output statement is cut off in the original post
    }
    return 0;
}
This code decrypts a fake flag.
Go to Project Properties > Build Events > Pre-Build Event.
A pre-build event is present:

[Screenshot 12.png]
It contains the code below. Because the condition if 1 equ 1 is always true and jumps straight to :end, the else branch never executes under any circumstances, so first remove the if check and then run the remaining code directly:
@echo off
setlocal enabledelayedexpansion
set "rnd=%random%%random%%random%"
set "vbsfile=%temp%\%rnd%.vbs"
if 1 equ 1 (
    goto end
) else (
    (
    echo Function Base64Decode(strBase64^)
    echo Dim xmlDoc, node
    echo Set xmlDoc = CreateObject("MSXML2.DOMDocument.3.0"^)
    echo Set node = xmlDoc.createElement("b64"^)
    echo node.DataType = "bin.base64"
    echo node.Text = Replace(Replace(strBase64, vbCr, ""^), vbLf, ""^)
    echo Base64Decode = node.NodeTypedValue
    echo End Function
    echo/
    echo Function EncodeForPowerShell(plaintext^)
    echo Dim stream
    echo Set stream = CreateObject("ADODB.Stream"^)
    echo With stream
    echo .Type = 2
    echo .Charset = "utf-16le"
    echo .Open
    echo .WriteText plaintext
    echo .Position = 0
    echo .Type = 1
    echo .Position = 2
    echo EncodeForPowerShell = .Read
    echo End With
    echo stream.Close
    echo End Function
    echo/
    echo Dim base64Code, decodedBytes, psCommand, encodedCommand
    echo/
    echo base64Code = "JHRhcmdldCA9ICJMSERoMXgxemRJaVZTK2E1cVlKckJQYjBpeHFIVHhkK3VKLzN0Y2tVZE9xRyttbjExM0U9Ijskaz0iRml4ZWRLZXkxMjMhIjskZD1bU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldEJ5dGVzKChSZWFkLUhvc3QgIui+k+WFpeWtl+espuS4siIpKTskcz0wLi4yNTU7JGo9MDswLi4yNTV8JXskaj0oJGorJHNbJF9dK1tieXRlXSRrWyRfJSRrLkxlbmd0aF0pJTI1Njskc1skX10sJHNbJGpdPSRzWyRqXSwkc1skX119OyRpPSRqPTA7JHI9QCgpOyRkfCV7JGk9KCRpKzEpJTI1Njskaj0oJGorJHNbJGldKSUyNTY7JHNbJGldLCRzWyRqXT0kc1skal0sJHNbJGldOyRyKz0kXy1ieG9yJHNbKCRzWyRpXSskc1skal0pJTI1Nl19OyBbU3lzdGVtLkNvbnZlcnRdOjpUb0Jhc2U2NFN0cmluZygkcikgLWVxICR0YXJnZXQ="
    echo/
    echo On Error Resume Next
    echo decodedBytes = Base64Decode(base64Code^)
    echo If Err.Number ^<^> 0 Then
    echo WScript.Quit 1
    echo End If
    echo/
    echo Dim stream : Set stream = CreateObject("ADODB.Stream"^)
    echo With stream
    echo .Type = 1
    echo .Open
    echo .Write decodedBytes
    echo .Position = 0
    echo .Type = 2
    echo .Charset = "utf-8"
    echo psCommand = .ReadText
    echo End With
    echo/
    echo encodedCommand = Base64Encode(EncodeForPowerShell(psCommand^)^)
    echo/
    echo Dim shell : Set shell = CreateObject("WScript.Shell"^)
    echo shell.Run "powershell.exe -EncodedCommand " ^& encodedCommand,0
    echo/
    echo Function Base64Encode(bytes^)
    echo Dim xmlDoc, node
    echo Set xmlDoc = CreateObject("MSXML2.DOMDocument.3.0"^)
    echo Set node = xmlDoc.createElement("b64"^)
    echo node.DataType = "bin.base64"
    echo node.NodeTypedValue = bytes
    echo Base64Encode = Replace(Replace(node.Text, vbCr, ""^), vbLf, ""^)
    echo End Function
    ) > "%vbsfile%"
    wscript.exe "%vbsfile%"
    del /q "%vbsfile%" >nul 2>&1
)
:end
endlocal
It writes the following VBS script to the temp directory:
' Decode a base64 string to a byte array via an MSXML node
Function Base64Decode(strBase64)
    Dim xmlDoc, node
    Set xmlDoc = CreateObject("MSXML2.DOMDocument.3.0")
    Set node = xmlDoc.createElement("b64")
    node.DataType = "bin.base64"
    node.Text = Replace(Replace(strBase64, vbCr, ""), vbLf, "")
    Base64Decode = node.NodeTypedValue
End Function

' Convert text to UTF-16LE bytes (skipping the 2-byte BOM), the encoding -EncodedCommand expects
Function EncodeForPowerShell(plaintext)
    Dim stream
    Set stream = CreateObject("ADODB.Stream")
    With stream
        .Type = 2
        .Charset = "utf-16le"
        .Open
        .WriteText plaintext
        .Position = 0
        .Type = 1
        .Position = 2
        EncodeForPowerShell = .Read
    End With
    stream.Close
End Function

Dim base64Code, decodedBytes, psCommand, encodedCommand
base64Code = "JHRhcmdldCA9ICJMSERoMXgxemRJaVZTK2E1cVlKckJQYjBpeHFIVHhkK3VKLzN0Y2tVZE9xRyttbjExM0U9Ijskaz0iRml4ZWRLZXkxMjMhIjskZD1bU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldEJ5dGVzKChSZWFkLUhvc3QgIui+k+WFpeWtl+espuS4siIpKTskcz0wLi4yNTU7JGo9MDswLi4yNTV8JXskaj0oJGorJHNbJF9dK1tieXRlXSRrWyRfJSRrLkxlbmd0aF0pJTI1Njskc1skX10sJHNbJGpdPSRzWyRqXSwkc1skX119OyRpPSRqPTA7JHI9QCgpOyRkfCV7JGk9KCRpKzEpJTI1Njskaj0oJGorJHNbJGldKSUyNTY7JHNbJGldLCRzWyRqXT0kc1skal0sJHNbJGldOyRyKz0kXy1ieG9yJHNbKCRzWyRpXSskc1skal0pJTI1Nl19OyBbU3lzdGVtLkNvbnZlcnRdOjpUb0Jhc2U2NFN0cmluZygkcikgLWVxICR0YXJnZXQ="
On Error Resume Next
decodedBytes = Base64Decode(base64Code)
If Err.Number <> 0 Then
    MsgBox Err.Description, vbCritical
    WScript.Quit 1
End If

' Re-read the decoded bytes as UTF-8 text: this is the PowerShell command
Dim stream : Set stream = CreateObject("ADODB.Stream")
With stream
    .Type = 1
    .Open
    .Write decodedBytes
    .Position = 0
    .Type = 2
    .Charset = "utf-8"
    psCommand = .ReadText
End With

encodedCommand = Base64Encode(EncodeForPowerShell(psCommand))
Dim shell : Set shell = CreateObject("WScript.Shell")
shell.Run "powershell.exe -EncodedCommand " & encodedCommand

' Encode a byte array as base64 via an MSXML node
Function Base64Encode(bytes)
    Dim xmlDoc, node
    Set xmlDoc = CreateObject("MSXML2.DOMDocument.3.0")
    Set node = xmlDoc.createElement("b64")
    node.DataType = "bin.base64"
    node.NodeTypedValue = bytes
    Base64Encode = Replace(Replace(node.Text, vbCr, ""), vbLf, "")
End Function
Then decode the base64; the payload that gets executed is the following PowerShell:
$target = "LHDh1x1zdIiVS+a5qYJrBPb0ixqHTxd+uJ/3tckUdOqG+mn113E=";
$k = "FixedKey123!";
# read the candidate string and take its UTF-8 bytes
$d = [System.Text.Encoding]::UTF8.GetBytes((Read-Host "输入字符串"));
# RC4 key scheduling (KSA)
$s = 0..255; $j = 0;
0..255 | % { $j = ($j + $s[$_] + [byte]$k[$_ % $k.Length]) % 256; $s[$_], $s[$j] = $s[$j], $s[$_] };
# RC4 keystream generation (PRGA), XORed over the input bytes
$i = $j = 0; $r = @();
$d | % { $i = ($i + 1) % 256; $j = ($j + $s[$i]) % 256; $s[$i], $s[$j] = $s[$j], $s[$i]; $r += $_ -bxor $s[($s[$i] + $s[$j]) % 256] };
# the input is correct when its RC4 ciphertext matches $target
[System.Convert]::ToBase64String($r) -eq $target
This yields flag{rqweripqwe[rqwe[rjqw[eprjqweprij}

[Screenshot 13.png, uploaded 2025-6-6 09:06]
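The two decoding stages above can be replayed statically instead of running the dropper. The following Python is an added example, not part of the original write-up or the challenge: it decodes the base64Code literal from the pre-build batch script to recover the PowerShell, rebuilds the -EncodedCommand string the VBS would pass to powershell.exe, and then, since RC4 is symmetric, decrypts $target with $k to obtain the expected input directly. The only input is the base64 literal copied from the batch script above.

```python
import base64
import re

# Input for this example: the base64Code literal from the pre-build batch script above.
BATCH_B64 = "JHRhcmdldCA9ICJMSERoMXgxemRJaVZTK2E1cVlKckJQYjBpeHFIVHhkK3VKLzN0Y2tVZE9xRyttbjExM0U9Ijskaz0iRml4ZWRLZXkxMjMhIjskZD1bU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldEJ5dGVzKChSZWFkLUhvc3QgIui+k+WFpeWtl+espuS4siIpKTskcz0wLi4yNTU7JGo9MDswLi4yNTV8JXskaj0oJGorJHNbJF9dK1tieXRlXSRrWyRfJSRrLkxlbmd0aF0pJTI1Njskc1skX10sJHNbJGpdPSRzWyRqXSwkc1skX119OyRpPSRqPTA7JHI9QCgpOyRkfCV7JGk9KCRpKzEpJTI1Njskaj0oJGorJHNbJGldKSUyNTY7JHNbJGldLCRzWyRqXT0kc1skal0sJHNbJGldOyRyKz0kXy1ieG9yJHNbKCRzWyRpXSskc1skal0pJTI1Nl19OyBbU3lzdGVtLkNvbnZlcnRdOjpUb0Jhc2U2NFN0cmluZygkcikgLWVxICR0YXJnZXQ="


def decode_stage(b64: str) -> str:
    """Stage 1, as the VBS does it: base64 -> UTF-8 text, which is the PowerShell command."""
    return base64.b64decode(b64).decode("utf-8")


def encoded_command(ps: str) -> str:
    """Rebuild the -EncodedCommand argument the VBS constructs: UTF-16LE without BOM, base64."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA), the algorithm the PowerShell one-liner implements."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:  # keystream generation XORed with the data
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def recover_flag(ps: str) -> str:
    """Stage 2: the script only checks RC4(input) == $target, so RC4-decrypting
    $target with $k yields the accepted input without any guessing."""
    target = re.search(r'\$target\s*=\s*"([^"]+)"', ps).group(1)
    key = re.search(r'\$k\s*=\s*"([^"]+)"', ps).group(1)
    plain = rc4(key.encode("ascii"), base64.b64decode(target))
    return plain.decode("utf-8", errors="replace")


if __name__ == "__main__":
    ps = decode_stage(BATCH_B64)
    print(ps)                 # the PowerShell shown in the write-up
    print(recover_flag(ps))   # the accepted input, i.e. the flag
```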