
Setting up an Ivanti environment

Preface

A record of my first time setting up an Ivanti environment and extracting its firmware. The image version is 22.7r2.3.

Environment setup

Double-click the OVF, choose where to import the virtual machine, and wait for it to initialize; this is somewhat slow, around 15 minutes. After that, the initial setup is completed in the following steps.

First, choose whether to accept the terms.

Then configure the IP address and related settings for your setup.

Finally, set the administrator account and password; after that the login page can be reached in a browser. (Note: switch the VM network from bridged to NAT.)

Firmware extraction

Mounting the vmdk directly shows that it is encrypted, so the filesystem cannot be obtained that way. Searching related articles turned up two ways of extracting the firmware: one is to patch memory, the other is to reverse the boot process, analyze the decryption algorithm, and decrypt the filesystem.

Method 1: patching memory

The Black Hat 2019 talk already pointed out that before pressing Enter to get into the config interface, /home/bin/dsconfig.pl is invoked first. So after suspending the VM, patching every occurrence of /home/bin/dsconfig.pl in the vmem file to ///////////////bin/sh yields a shell.

That article says that the built-in Python can be used to start a web server and then download the system files. For some reason I could not reach the web server here (the corresponding port was not open; opening it with iptables works: iptables -A INPUT -p tcp --dport 1234 -j ACCEPT and iptables -A OUTPUT -p tcp --sport 1234 -j ACCEPT). Looking around, there was also no curl, wget, nc or other command with transfer capability. In the end I wrote two Python scripts to pull binaries out: one runs locally, listening on port 8888 and saving the received data to a given file; the other runs inside the Ivanti VM, reading the relevant file and sending it.

send.py

```python
import socket

# Runs inside the Ivanti VM: connect back to the analyst host and stream one file
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.113.1', 8888))
with open("/home/bin/web", 'rb') as file:
    content = file.read()
s.sendall(content)
s.close()
```

recv.py

```python
import socket

# Runs on the analyst host: every connection's payload is written to this file
filename = "web"

def listen_on_port(port=8888):
    server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Allow an immediate restart of the listener on the same port
    server_socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server_socket.bind(('0.0.0.0', port))
    server_socket.listen(5)

    print(f"Listening on port {port}...")

    while True:
        client_socket, client_address = server_socket.accept()
        print(f"Connection from {client_address} established.")

        with client_socket:
            # The sender closes the connection after sendall(), so read until EOF
            received_data = b''
            while True:
                data = client_socket.recv(1024)
                if not data:
                    break
                received_data += data
            if received_data:
                with open(filename, "wb") as f:
                    f.write(received_data)
                print(f"[+] write to {filename}")

if __name__ == "__main__":
    listen_on_port(8888)
```

Busybox and gdbserver can be uploaded the same way. (Downloading takes a single line: urllib.request.urlretrieve(url, filename=None, reporthook=None, data=None).)
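send.py pushes raw bytes and recv.py saves whatever arrives, so a dropped connection or a truncated read produces a silently corrupt binary. The following is an added example, not the post's scripts: a small frame that carries the file name, length and SHA-256 so the receiving side can reject anything incomplete or altered. The sender calls encode_frame() on the file bytes before sendall(); the receiver calls decode_frame() on the bytes it collected until EOF. The frame layout is my own assumption.

```python
import hashlib
import os
import struct

# Frame layout (assumed for this example; not the post's own format):
#   u16 name length | name (utf-8) | u64 payload length | 32-byte sha256(payload) | payload
NAME_LEN = struct.Struct("!H")
DATA_LEN = struct.Struct("!Q")


def encode_frame(name, data):
    """Appliance side: wrap one file's bytes; the result is what send.py should sendall()."""
    name_bytes = name.encode("utf-8")
    return (NAME_LEN.pack(len(name_bytes)) + name_bytes +
            DATA_LEN.pack(len(data)) + hashlib.sha256(data).digest() + data)


def decode_frame(frame):
    """Analyst side: parse the bytes recv.py collected until EOF; returns (name, data).
    Raises ValueError if the frame is truncated, has trailing bytes, or fails the hash."""
    try:
        (name_len,) = NAME_LEN.unpack_from(frame, 0)
        name = frame[2:2 + name_len].decode("utf-8")
        (size,) = DATA_LEN.unpack_from(frame, 2 + name_len)
    except (struct.error, UnicodeDecodeError) as e:
        raise ValueError("malformed frame header: %s" % e)
    start = 2 + name_len + DATA_LEN.size + 32        # offset of the first payload byte
    if len(frame) != start + size:
        raise ValueError("got %d bytes, frame declares %d" % (len(frame), start + size))
    data = frame[start:]
    if hashlib.sha256(data).digest() != frame[start - 32:start]:
        raise ValueError("sha256 mismatch for %s" % name)
    return name, data


def safe_name(name):
    """Never let the remote side choose a path: keep a plain base name only."""
    base = "".join(c for c in os.path.basename(name) if c.isalnum() or c in "._-")
    return base.lstrip(".") or "unnamed"


def verify_frame(frame):
    """True only for a complete, untampered frame."""
    try:
        decode_frame(frame)
        return True
    except ValueError:
        return False
```

On the receiving side, write the payload to safe_name(name) rather than to the name the peer supplied, so a transfer can never land outside the output directory.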

Method 2: filesystem decryption

First mount the disk with the following commands and list the partitions; several partitions cannot be identified.

```
sudo modprobe nbd
sudo qemu-nbd --connect=/dev/nbd0 ./ivanti22.7r2.3-disk1.vmdk

┌──(root㉿kali)-[/home/kali/Desktop/ivanti]
└─# lvdisplay
--- Logical volume ---
LV Path /dev/groupA/home
LV Name home
VG Name groupA
LV UUID wmdyWN-RgT0-T1Wg-B70u-2avE-Pm1q-gqEz4F
LV Write Access read/write
LV Creation host, time (none), 2025-02-23 05:47:53 -0500
LV Status available
# open 0
LV Size <4.87 GiB
Current LE 1246
Segments 1
Allocation inherit
Read ahead sectors auto
- currently set to 256
Block device 254:0

--- Logical volume ---
LV Path /dev/groupA/runtime
LV Name runtime
VG Name groupA
LV UUID AV4oWq-pUun-0gIb-wyyk-c8TI-s6ml-2210pi
LV Write Access read/write
LV Creation host, time (none), 2025-02-23 05:48:05 -0500
LV Status available
# open 0
LV Size <19.46 GiB
Current LE 4981
Segments 2
Allocation inherit
Read ahead sectors auto
- currently set to 256
Block device 254:1

--- Logical volume ---
LV Path /dev/groupZ/home
LV Name home
VG Name groupZ
LV UUID cOTBS1-oaYw-PlAt-puTS-Uvq5-6C91-pK6QHK
LV Write Access read/write
LV Creation host, time (none), 2024-10-07 06:47:49 -0400
LV Status available
# open 0
LV Size 6.72 GiB
Current LE 1721
Segments 1
Allocation inherit
Read ahead sectors auto
- currently set to 256
Block device 254:2

┌──(root㉿kali)-[/home/kali/Desktop/ivanti]
└─# fdisk -l
Disk /dev/sda: 80.09 GiB, 86000000000 bytes, 167968750 sectors
Disk model: VMware Virtual S
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x61f3767d

Device Boot Start End Sectors Size Id Type
/dev/sda1 * 2048 167968749 167966702 80.1G 83 Linux


Disk /dev/nbd0: 80 GiB, 85899345920 bytes, 167772160 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x00000000

Device Boot Start End Sectors Size Id Type
/dev/nbd0p1 16065 224909 208845 102M 83 Linux
/dev/nbd0p2 224910 433754 208845 102M 83 Linux
/dev/nbd0p3 449820 658664 208845 102M 83 Linux
/dev/nbd0p4 674730 167766794 167092065 79.7G 85 Linux extended
/dev/nbd0p5 674731 14779799 14105069 6.7G 83 Linux
/dev/nbd0p6 14779801 30089744 15309944 7.3G 83 Linux
/dev/nbd0p7 30089746 65802239 35712494 17G 83 Linux
/dev/nbd0p8 65802241 81112184 15309944 7.3G 83 Linux
/dev/nbd0p9 81112186 116824679 35712494 17G 83 Linux
/dev/nbd0p10 116824681 132134624 15309944 7.3G 82 Linux swap / Solaris
/dev/nbd0p11 132134626 167766794 35632169 17G 83 Linux


Disk /dev/mapper/groupA-home: 4.87 GiB, 5226102784 bytes, 10207232 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes


Disk /dev/mapper/groupA-runtime: 19.46 GiB, 20891828224 bytes, 40804352 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes


Disk /dev/mapper/groupZ-home: 6.72 GiB, 7218397184 bytes, 14098432 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes


┌──(root㉿kali)-[/home/kali/Desktop/ivanti]
└─# mount /dev/groupZ/home /mnt/ivanti
mount: /mnt/ivanti: unknown filesystem type 'crypto_LUKS'.
dmesg(1) may have more information after failed mount system call.
```
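The failed mount only says 'crypto_LUKS'. Before reversing the kernel, a header parse tells you which of the unrecognized partitions actually carry a LUKS header, which LUKS version, and the cipher, mode, hash and key size (LUKS1) or the per-segment cipher string from the JSON area (LUKS2). This is an added example, not code from the post; it parses the standard LUKS on-disk header layout and ships with constructed sample headers, since the real partitions are not on the page.

```python
import json
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
SECONDARY_MAGIC = b"SKUL\xba\xbe"                        # LUKS2 secondary (backup) header
LUKS1_HDR = struct.Struct(">6sH32s32s32sII20s32sI40s")   # LUKS1 phdr fields through uuid
LUKS2_HDR = struct.Struct(">6sHQQ48s32s64s40s")          # LUKS2 binary header through uuid


def _cstr(raw, enc="ascii"):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\x00", 1)[0].decode(enc, "replace")


def identify_luks(blob):
    """Summarize the LUKS header at the start of blob; None if the LUKS magic is absent."""
    if len(blob) < LUKS1_HDR.size or blob[:6] not in (LUKS_MAGIC, SECONDARY_MAGIC):
        return None
    version = struct.unpack(">H", blob[6:8])[0]
    if version == 1:
        f = LUKS1_HDR.unpack_from(blob)
        return {"version": 1, "cipher": _cstr(f[2]), "mode": _cstr(f[3]), "hash": _cstr(f[4]),
                "payload_offset_sectors": f[5], "key_bits": f[6] * 8,
                "mk_iterations": f[9], "uuid": _cstr(f[10])}
    if version == 2:
        _, _, hdr_size, _, label, csum_alg, _, uuid = LUKS2_HDR.unpack_from(blob)
        try:                                             # JSON area spans offsets 4096..hdr_size
            meta = json.loads(_cstr(blob[4096:hdr_size], "utf-8"))
            segs = [s.get("encryption") for s in meta.get("segments", {}).values()
                    if s.get("type") == "crypt"]
        except ValueError:                               # short read: JSON area not available
            segs = None
        return {"version": 2, "label": _cstr(label), "csum_alg": _cstr(csum_alg),
                "uuid": _cstr(uuid), "hdr_size": hdr_size, "segments": segs}
    return {"version": version}


def build_luks1_sample():
    """Constructed LUKS1 header for offline checks; values are not from the Ivanti image."""
    hdr = LUKS1_HDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256", 4096, 64,
                         b"\x00" * 20, b"\x00" * 32, 1000, b"11111111-2222-3333-4444-555555555555")
    return hdr.ljust(592, b"\x00")


def build_luks2_sample():
    """Constructed LUKS2 header plus JSON area; the cipher string is a typical default."""
    meta = json.dumps({"segments": {"0": {"type": "crypt", "encryption": "aes-xts-plain64"}}})
    hdr = LUKS2_HDR.pack(LUKS_MAGIC, 2, 16384, 1, b"lab", b"sha256", b"\x00" * 64, b"lab-uuid")
    return hdr.ljust(4096, b"\x00") + meta.encode().ljust(16384 - 4096, b"\x00")
```

On the layout above, open each /dev/nbd0pN (or /dev/mapper/groupZ-home) as a file, read the first few MiB and pass it to identify_luks; a partition that returns None has no LUKS header and can be mounted directly, as /dev/nbd0p1 is below.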

Start from what can be identified: /dev/nbd0p1 contains kernel and coreboot.img.

```
sudo mkdir /mnt/ivanti
sudo mount /dev/nbd0p1 /mnt/ivanti

┌──(root㉿kali)-[/home/kali/Desktop/ivanti]
└─# mount /dev/nbd0p1 /mnt/ivanti

┌──(root㉿kali)-[/home/kali/Desktop/ivanti]
└─# ls /mnt/ivanti
boot.b compact-file coreboot.img disksize grub kernel log_coreboot lost+found VERSION

┌──(root㉿kali)-[/home/kali/Desktop/ivanti]
└─# cat /mnt/ivanti/grub/grub.cfg
set default=0
set timeout=5
insmod ext2
password 07ow3w3d743
serial --unit=0 --speed=9600 --word=8 --parity=no --stop=1
menuentry "Current" {
set root=(hd0,2)
linux /kernel system=A rootdelay=5 console=ttyS0,115200n8 console=tty0 vm_hv_type=VMware
initrd /coreboot.img
}
menuentry "Factory Reset" {
set root=(hd0,1)
linux /kernel system=Z noconfirm rootdelay=5 console=ttyS0,115200n8 console=tty0 vm_hv_type=VMware
initrd /coreboot.img
}
```

Next, reverse the kernel to obtain the script that decrypts coreboot.img, and decrypt coreboot.img. The relevant keys can then be taken from it, the partitions seen earlier can be decrypted, and the filesystem is available.

Unmounting the disk

```
sudo umount /mnt/ivanti
sudo qemu-nbd --disconnect /dev/nbd0
```

References

https://bestwing.me/CVE-2025-0282-Ivanti-Connect-Secure-VPN-stack-overflow.html#shell-%E8%8E%B7%E5%8F%96

https://mp.weixin.qq.com/s/e6X7GcKq1DaipmfsRqNq2w

https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf